From tcmay at got.net Wed May 1 00:01:38 1996
From: tcmay at got.net (Timothy C. May)
Date: Wed, 1 May 1996 15:01:38 +0800
Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
Message-ID:

At 8:18 PM 4/30/96, Perry E. Metzger wrote:
>Timothy C. May writes:
>> Perry, that essay was, as I said, sent out before it was finished.
>[...]
>> Now, while you may have _anticipated_ the point I was going to make in the
>> completed essay, you cannot say I have "mischaracterized" anyone's attitude
>> at this point!
>
>I could only respond to the statements you made, not the ones you could
>have made.

OK, Perry, I just have to give up on you. It's hopeless.

You claim I mischaracterized your position on Java and scruffies/neats when in fact I never mentioned either your name nor the connection of my points to Java. I point this out and you reply with some smartass comment which is completely disingenuous.

Just as when you claimed Java applications can't do file i/o, and several people point out that you are wrong and that it is _applets_ that you must have been thinking of (and not even always for applets, by the way). Instead of admitting you were wrong, or misread the post, you just say "Same difference."

It's pointless to try to have a discussion with you. Which is too bad.

>In any case, I'm not sure that there is such a thing either as a
>"Security Scruffy" or a "Security Neat" in the argument about Java;
>the breakdown in opinions occurs along very different lines.

I suggest you wait until you see what I have to say on this before jumping the gun by assuming you know what it is I'm going to say (or that someone saying "application" must have really meant to say "applet").

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From angels at wavenet.com Wed May 1 00:05:27 1996
From: angels at wavenet.com (CyberAngels Director : Colin Gabriel Hatcher)
Date: Wed, 1 May 1996 15:05:27 +0800
Subject: Freedom and security
Message-ID:

Mike McNally wrote

>What exactly do you consider "security" and "freedom" to mean here? Whose
>security? Whose freedom?

Every society has a social contract whereby the freedom of the individual is defined within the context of the society. Freedom means your freedom to be who you want to be, think how you want to think, say what you want to say, hold whatever beliefs you wish, balanced against the Community's need for stability. You may demand the freedom to kill those who disagree with you but no community will grant you that freedom. But no one living in a community where murder is outlawed can seriously claim that their freedom has been taken away by that particular law.

You cannot be free to speak your mind unless there are laws preventing others who disagree with you from killing you. If it were permitted to kill those who disagreed with you, then no one would be free to speak their mind at all, for fear of the consequences. Hence my point about freedom and security - by which I mean personal security. Freedom of speech cannot function without law.

>I can take responsibility for ensuring that any Internet communications I
>make are protected from inspection or interception by using technological
>solutions. I call that "security". If you're interested in "security",
>what are you doing to protect my freedom to use encryption and anonymous
>remailer technologies?
I am not currently aware that either your right to encrypt nor your right to use anon remailers is under threat, so why should I do anything? But while encryption and anon remailing protect *you* from certain threats to your freedom, they are also being used for example to make the international trade in child pornography more effective and less easy to prosecute. The technology itself is neutral and can be used or abused. That is why the focus should be on individual actions rather than on the technology.

My concern is not so much with network sabotage or infiltration (there are plenty enough organizations addressing that problem) but with personal safety within the Internet community - that means you, not your hard drive.

*********************************************************
Colin Gabriel Hatcher - CyberAngels Director
angels at wavenet.com

"Two people may disagree, but that does not mean that one of them is evil"
*********************************************************

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 1 00:09:52 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 1 May 1996 15:09:52 +0800
Subject: "Scruffies" vs. "Neats"
Message-ID: <01I460YIKXG08Y50HU@mbcl.rutgers.edu>

From: IN%"tcmay at got.net" 30-APR-1996 19:30:55.47

>More recently, the scruffies have embraced neural nets, emergent
>computation, stochastic computing, genetic algorithms, and similar
>buzzwords. The recent work on "subsumption architectures" (a la Brooks) and
>agent architectures is consistent with viewpoint (though elements of logic
>are of course involved).

One interesting phenomenon is the in-migration of neats into formerly scruffy-only domains. For instance, take a look at the third, fourth, and fifth international conference proceedings on genetic algorithms. You've got scruffies who are just doing what feels right and seeing if it works (my viewpoint) and mathematicians/neats who are trying to derive what _should_ work the best.
(Of course, there is the problem with the neat approach that it tends to oversimplify. For instance, many neat-variety equations for genetic algorithms, such as the original version of the Schema Theorem, don't take into account differing types of mutations - from a "don't care" symbol to a 0 or 1 is less of a change than from a 0 to a 1.)

I will be interested in seeing the more final version of this essay.

-Allen

From rich at c2.org Wed May 1 00:21:16 1996
From: rich at c2.org (Rich Graves)
Date: Wed, 1 May 1996 15:21:16 +0800
Subject: WhoWhere.com v. that stanford.edu loon
Message-ID: <199605010257.TAA02118@Networking.Stanford.EDU>

-----BEGIN PGP SIGNED MESSAGE-----

Monday night, I wrote:
>I am confident that the Parsec folks are now acting in good faith, and
>that they are now sensitive to the relevant privacy and ethical issues.

[parsec.com = whowhere.com]

I may have spoken too soon.

I might be interested in talking, privately, with their venture capitalists and allies, which include Netscape and InfoSeek.

I think if you want a service of this kind, those four11.com guys, who started out with the SLED PGP key certification service, are absolutely terrific.

- -rich
[not on cypherpunks -- no, not just because I'm throwing a tantrum; I'm honestly embarrassed at my own behavior, and need a break.]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMYbSd43DXUbM57SdAQGLGQP/WL/IWBM2rjpChUtn20T+iylKgtvqE3GT
nqs45S1M4YAV/0sQcbhjCr9ZDkyH60ei4VpORLaXy+J3EHkEFMO9j0KKGEU9nWAQ
T2R7YIIziWkQXDO92M08ezfXlT6hwRKCqf9VhfLl+PGEdBgVfAE2oS8exmQtEkF1
Td89ZQD+VT0=
=ddQ0
-----END PGP SIGNATURE-----

From pclow at pc.jaring.my Wed May 1 00:22:22 1996
From: pclow at pc.jaring.my (peng-chiew low)
Date: Wed, 1 May 1996 15:22:22 +0800
Subject: [Fwd: Cylink can export 128-bit DH?]
Message-ID: <3186D86C.49C@pc.jaring.my>

An embedded message was scrubbed...
From: unknown sender
Subject: no subject
Date: no date
Size: 1066
URL:

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 1 00:24:31 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 1 May 1996 15:24:31 +0800
Subject: Calling other code in Java applications and applets
Message-ID: <01I4621DGYDY8Y50HU@mbcl.rutgers.edu>

From: IN%"shamrock at netcom.com" 30-APR-1996 08:43:38.24

>Presumably, such packages would have to be signed by Sun. Needless to say,
>these certificates would cost money. A potentially lucrative source of
>revenue for Sun. Nothing wrong with that.

Nothing wrong with that, no... as long as Sun isn't (as TCMay speculated indirectly) pressured into not signing such packages if they were crypto-usable. Does Sun currently do much business with the US Government, particularly sections (e.g., the military, law enforcement and intelligence ones) susceptible to being influenced by the NSA?

-Allen

From jimbell at pacifier.com Wed May 1 00:37:12 1996
From: jimbell at pacifier.com (jim bell)
Date: Wed, 1 May 1996 15:37:12 +0800
Subject: Former CIA Director and *Strategic Investment* Editor
Message-ID:

At 06:15 PM 4/30/96 -0400, Black Unicorn wrote:
>
>
>I typoed.
>
>Virginia should read "Maryland" in my last post.

That's okay; it was only a small slip.

Small. Maybe the same magnitude as that secretary who said that Vincent Foster's body was first found in "the parking lot" rather than "the park." Right? (I don't really even care about Vincent Foster, BTW.)

Jim Bell
jimbell at pacifier.com

From jimbell at pacifier.com Wed May 1 00:42:16 1996
From: jimbell at pacifier.com (jim bell)
Date: Wed, 1 May 1996 15:42:16 +0800
Subject: Former CIA Director and *Strategic Investment* Editor
Message-ID:

At 12:49 PM 4/30/96 -0700, Timothy C. May wrote:
>
>Looking for conspiracies in the almost certainly accidental drowning of
>Colby is an even bigger waste of time than spending vast efforts trying to
>show that Vince Foster was killed by the O.T.O.
Why are you the second person to use the term "conspiracy" when I didn't mention such a thing? Got "conspiracies" on your brain, Tim?

Jim Bell
jimbell at pacifier.com

From angels at wavenet.com Wed May 1 00:52:01 1996
From: angels at wavenet.com (CyberAngels Director : Colin Gabriel Hatcher)
Date: Wed, 1 May 1996 15:52:01 +0800
Subject: Freedom and security
Message-ID:

>You will pardon my asking this, but, security from what? Who are the
>evil Network Terrorists throwing Bit Bombs or whatever? The only
>security you need on the internet is keeping your site from being
>broken in to, which is mostly a matter of setting it up
>properly. What, exactly, is the "Security" that you are offering us?
>
>Perry

I am not offering "you" anything unless you have a problem and are looking for some assistance. Just because you feel safe / immune from becoming a victim of internet crime does not mean that there are no victims at all.

Site security is not at all the only problem. Are you not aware of spams and scams going on all the time? Are you not aware that sexual predators operate in IRC? Or that child pornography is a world wide trading game? Have you never heard of email forgeries or impersonation? What about the victims of harassment and hatred who don't know how to deal with it? What about all the people who have never heard of killfiles? Who don't know how to report a problem nor who to report it to? Haven't you ever been mail bombed and wished you could find out who did it?

Maybe you feel like a veterano and can afford to look condescendingly at all the thousands of fresh-faced netizens just arriving online and say "well if they can't take the heat they should stay out of the fire" - but if we are to call ourselves an emerging "community" then we must take responsibility for our city, and that means caring about other people's problems. The internet is not just a collection of bits and bytes - it's real people doing real things to each other.
When your address is forged and you get flamed and bombed, or if you start receiving anonymous death threats, your freedom is under threat. It's not enough to say "Well I just turn off my monitor"

The Internet is a city - it needs 911 services and it needs Neighborhood Watches. And neither professional law enforcement nor neighborhood watch are by definition a threat to anyone's freedom.

Freedom within the context of Community does not and never has meant the freedom to kill your neighbor, or rob someone, or rape someone, or harm someone. In the context of the internet Community too, freedom is not the individual's right to do whatever he or she likes - because then the Community is no longer free.

Freedom is under threat from two directions - from selfish individuals who care little for the Community, and from the over zealousness of governments who seek greater and greater control over individual thought and action.

The first step is to acknowledge that we have a problem within the Internet Community - because if we don't address it responsibly then we have only ourselves to blame when the governments try to take it over. We can face our problems or we can deny that they exist.

By asking me the question: "What crime?" you are indicating to me that you prefer denial.

*********************************************************
Colin Gabriel Hatcher - CyberAngels Director
angels at wavenet.com

"Two people may disagree, but that does not mean that one of them is evil"
*********************************************************

From perry at piermont.com Wed May 1 00:55:01 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Wed, 1 May 1996 15:55:01 +0800
Subject: [Fwd: Cylink can export 128-bit DH?]
In-Reply-To: <3186D86C.49C@pc.jaring.my>
Message-ID: <199605010334.XAA15452@jekyll.piermont.com>

peng-chiew low writes:
> I understand that ITAR prohibits the export of strong crypto
> and that is why I was puzzled that Ms Glenda Barnes, the Director
> of Marketing in Cylink, said that Cylink could export the same crypto
> (i.e. DES) that was used in the U.S. to local banks here in Malaysia.

DES isn't particularly impressive. Now, if they could export 3DES...

> She also claimed that Cylink could also export a 128-bit DH key size.
> (is it strong enough in the first place? )

No.

Perry

From unicorn at schloss.li Wed May 1 00:59:48 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Wed, 1 May 1996 15:59:48 +0800
Subject: Former CIA Director and *Strategic Investment* Editor
In-Reply-To:
Message-ID:

On Tue, 30 Apr 1996, jim bell wrote:

> At 06:15 PM 4/30/96 -0400, Black Unicorn wrote:
> >
> >
> >I typoed.
> >
> >Virginia should read "Maryland" in my last post.
>
> That's okay; it was only a small slip.
>
> Small. Maybe the same magnitude as that secretary who said that Vincent
> Foster's body was first found in "the parking lot" rather than "the park."
> Right? (I don't really even care about Vincent Foster, BTW.)

Give me a break. Take a look at a map. Cobb island is less than 5 miles from the MD/VA border down there and in the middle of a complex and broken shoreline on the Potomac.

Whatever.

> Jim Bell
> jimbell at pacifier.com

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From angels at wavenet.com Wed May 1 01:00:46 1996
From: angels at wavenet.com (CyberAngels Director : Colin Gabriel Hatcher)
Date: Wed, 1 May 1996 16:00:46 +0800
Subject: Freedom and security
Message-ID:

Jim Ray wrote

> Freedom is already diminishing at an alarming pace.
>That is why cypherpunks spread crypto, and why Libertarians like
>me rant.

Freedom does not increase through more laws. Nor does freedom increase through less laws or no laws. Freedom increases as respect and care for one another increases. Meanwhile, since we do not live in utopia, all societies at a certain level of economic development and of a certain size of population require law and law enforcement to protect citizens from predators. The Internet is beyond the stage of small communities exercising informal social controls (peer pressure). It's now a major industrial city and will develop law, law enforcement and government, whether anyone likes it or not, not least because the Community will always respond to crime by trying to protect itself. And the crime is already here.

The idea that the Internet is not controlled is IMHO one of the biggest myths around. It's like a large group of people are still living in some far-off utopian rural paradise. Does anyone really doubt the extent of State control and power across the Net? My point is that this is inevitable. The Internet is a mirror of the rest of the world, not a new form of society, and I fail to understand why anyone should be surprised that that is the case.

>.... laws only breed more laws, which always lead to
>less freedom.

I disagree with this statement. I do not believe that laws breed more laws nor that laws lead to less freedom. I believe bad laws compromise freedom (eg CDA) while good laws protect freedom.

>>I don't believe that security is the enemy of
>>freedom. I believe that freedom needs security in order to exist at all.
>
>Good.
>Join us in spreading cryptography around, and security will
>bloom (along with freedom).

Cryptography enhances and protects privacy, which does not inevitably lead to greater security. Security for the sender, yes, in that no one else can read the message, but security for the Community? Doesn't that depend what the message said? The technology itself is neutral. Child pornographers encrypt their hard drives so that law enforcement cannot gather crime evidence - that is certainly a state of greater security for the pornographer, but it does not improve our Community, and as child pornography increases, the law is by definition broken more and more, and so the Community becomes less free than before. And that's not the tyranny of government but the tyranny of criminals.

I do in fact support cryptography for personal security, not least because I can ensure that my messages are authenticated. CyberAngels PGP public key will be up on our new website opening very soon. I've had enough of people forging my email.

*********************************************************
Colin Gabriel Hatcher - CyberAngels Director
angels at wavenet.com

"Two people may disagree, but that does not mean that one of them is evil"
*********************************************************

From perry at piermont.com Wed May 1 01:08:49 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Wed, 1 May 1996 16:08:49 +0800
Subject: Freedom and security
In-Reply-To:
Message-ID: <199605010333.XAA15444@jekyll.piermont.com>

CyberAngels Director : Colin Gabriel Hatcher writes:
> Mike McNally wrote
>
> >What exactly do you consider "security" and "freedom" to mean here? Whose
> >security? Whose freedom?
>
> Every society has a social contract

Could you show me a copy? Everyone keeps telling me about this contract, but I can't for the life of me remember signing it.

> You may demand the freedom to kill those who disagree with
> you but no community will grant you that freedom.
I see you've never heard of the Argentine armed forces.

> I am not currently aware that either your right to encrypt nor your right
> to use anon remailers is under threat, so why should I do anything? But
> while encryption and anon remailing protect *you* from certain threats to
> your freedom, they are also being used for example to make the
> international trade in child pornography more effective and less easy to
> prosecute.

You start by talking about the social contract and how no one agrees that you should be able to kill people, and then you move straight on to child pornography. I find that interesting.

Perry

From anonymous-remailer at shell.portal.com Wed May 1 01:12:59 1996
From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com)
Date: Wed, 1 May 1996 16:12:59 +0800
Subject: Update II/113- Election Hoax (fwd)
Message-ID: <199605010331.UAA26284@jobe.shell.portal.com>

---------- Forwarded message ----------
Date: Tue, 30 Apr 96 13:38 CDT
From: sns at borealis.com
To: shomronnews at felix.dircon.co.uk
Subject: Update II/113- Election Hoax

SNS News Service "Election Hoax"
April 30, 1996.. 11 Iyar 5756..Volume II, Number 113 ..Update from Israel

[snip]

Election Hoax

According to a report released by the prestigious Jane's Defense Weekly, the new missile agreement between Israel and the United States is politically motivated and does not hold water. Mr. Christopher Fosi, an Editor of the Jane's Defense Weekly, and Mr. Douglas Barry, Aviation and Defense Editor of Flight International Weekly Magazine, stated the Nautilus Anti-Missile System is at least 4 years from being ready. The report states the system is "a poor fit or just does not meet Israel's needs". The report explains that since the Katusha rockets are launched from mobile sites, they can be moved around in a pick-up truck and this is just one reason the system is ineffective.
Fosi discounts tests that were carried out in Mexico as not accurate and stated the reasons behind the ceremony surrounding the new missile deal appear to be political in nature, rather than a military-defensive move to protect Israel from Hizbullah rockets. The report also explains that Israel's Arrow Anti-Missile System is also not designed for Katusha rockets and is not an effective deterrent. Despite promises by President Clinton to supply Israel with an operational Nautilus system by late 1997, the two experts state it is not reality. (UPI..4/30, Ma'ariv Newspaper..4/30..Page 2).

****

From perry at piermont.com Wed May 1 01:18:02 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Wed, 1 May 1996 16:18:02 +0800
Subject: Freedom and security
In-Reply-To:
Message-ID: <199605010250.WAA15372@jekyll.piermont.com>

CyberAngels Director : Colin Gabriel Hatcher writes:
> >You will pardon my asking this, but, security from what? Who are the
> >evil Network Terrorists throwing Bit Bombs or whatever? The only
> >security you need on the internet is keeping your site from being
> >broken in to, which is mostly a matter of setting it up
> >properly. What, exactly, is the "Security" that you are offering us?
>
> I am not offering "you" anything unless you have a problem and are looking
> for some assistance. Just because you feel safe / immune from becoming a
> victim of internet crime does not mean that there are no victims at all.
>
> Site security is not at all the only problem. Are you not aware of spams
> and scams going on all the time? Are you not aware that sexual predators
> operate in IRC?

I was under the impression that sex involved physical presence. Are you telling me that there are people out there somehow getting the inanimate computers of people on the other side of the net to reach out and rape the people sitting in front of them?

> Or that child pornography is a world wide trading game?

I must admit to having an odd viewpoint.
I don't particularly care about child pornography. Our nation seems to have an obsession with the notion that somewhere out there someone is looking at a picture of a naked boy or something. Myself, well, I am far from convinced that the existence of child pornography is nearly as much of a threat to me as the people who want to dismantle all our freedoms in order to stop it.

Most of the child pornography in the U.S. is distributed by the FBI during stings, you know.

> Have you never heard of email forgeries or impersonation?

Yes. I also happen to have heard that people can impersonate you in real life, too.

> What about the victims of harassment and hatred who don't know how
> to deal with it? What about all the people who have never heard of
> killfiles?

I suppose they will have to learn, won't they?

You realize that you are being extremely unconvincing?

> Maybe you feel like a veterano and can afford to look condescendingly at all
> the thousands of fresh-faced netizens just arriving online and say "well if
> they can't take the heat they should stay out of the fire" - but if we are
> to call ourselves an emerging "community" then we must take responsibility
> for our city, and that means caring about other people's problems.

And that's where CyberAngels, founded by Curtis Sliwa, the man who had himself attacked to get publicity, comes in? Feh.

> When your address is forged and you get flamed and bombed, or if you start
> receiving anonymous death threats, your freedom is under threat. It's not
> enough to say "Well I just turn off my monitor"

I've had my address forged. I've been flamed. I've been mailbombed. I've been sent anonymous death threats. I must admit that I largely ignored all these things, and that at no time did I feel my freedom was being threatened nearly as much by these events as it was by Senator Exon.

> The Internet is a city - it needs 911 services and it needs Neighborhood
> Watches.

The internet isn't a city.
I live in a city -- a real city. I believe that if I feel that I'm the subject of a serious death threat, there is an actual 911 on my real life telephone to dial and talk to the real life police in my real life city. Thanks, but no thanks.

> And neither professional law enforcement nor neighborhood watch
> are by definition a threat to anyone's freedom.

No, but supporting censorship is.

> By asking me the question: "What crime?" you are indicating to me that you
> prefer denial.

Or, perhaps, that I'm not impressed by opportunistic newcomers with strongly anti-libertarian viewpoints.

Perry

From mpd at netcom.com Wed May 1 01:19:32 1996
From: mpd at netcom.com (Mike Duvos)
Date: Wed, 1 May 1996 16:19:32 +0800
Subject: [RANT] Mr. Scruffy versus Mr. Neat
Message-ID: <199605010408.VAA23530@netcom10.netcom.com>

"E. ALLEN SMITH" writes:

 > One interesting phenomenon is the in-migration of neats
 > into formerly scruffy-only domains. For instance, take a
 > look at the third, fourth, and fifth international
 > conference proceedings on genetic algorithms. You've got
 > scruffies who are just doing what feels right and seeing if
 > it works (my viewpoint) and mathematicians/neats who are
 > trying to derive what _should_ work the best.

The scruffy/neat competition has been around for a long time in the hard sciences as well. Good examples are the competing notions used by mathematicians and physicists for doing differential geometry, calculus of variations, and field theory, and the physicists who think physicists can do chemistry better than chemists can.

Ultimately, there tends to be a merger of notations and approaches.
The big Misner, Wheeler, Thorne book on Gravitation, for instance, presented everything both from the view of the physicists, who like to write everything as algebraic equations in terms of components of geometric objects with respect to a basis, and the view of mathematicians, who like abstract maps between abstract geometric objects, and terms like tangent spaces, exterior products, and germs.

Usually the scruffies get great results using formal manipulation that horrifies the neats, and then the neats come in and do the rigorous proofs that demonstrate that everything the scruffies did was valid.

This was certainly the case in quantum mechanics as well, where questionable formal manipulation got the right answers for many years before a rigorous theory of unbounded linear transformations on Hilbert spaces was developed. Indeed, physicists happily computed commutators and anti-commutators of such operators blithely unaware of their domains and ranges long before the equivalent definitions in terms of one parameter Lie groups or projection valued measures were known.

While Java is currently a scruffy invention and has yet to receive the official blessing of the neats, there are a number of things that speak in its favor.

First, object-oriented runtime structures such as those used by Java have pretty much been researched to death in various other venues, such as APL, APL2, Smalltalk, and the MIT Lisp Machine project. It is not likely that we will discover some previously unknown mode of corruption in such systems, and defensively coding interpreters for these kinds of languages and verifying them to prove that they contain no errors which could result in the violation of container boundaries is a well-developed art.
This doesn't mean that such systems are free of bugs, of course, but it does mean that they are free of the type of really cute bugs that allow users to trick the machine into executing arbitrary machine instructions, or into making disingenuous requests to the kernel.

Second, there is quite a bit of experience on the part of OS designers in meeting various levels of MIL Specs for security, and with the standard techniques, such as audit trails, authentication, and ACLs, which are commonly employed to implement the features required.

So although the neats have not yet given Java their blessing, it is extremely unlikely we won't manage to create an environment which can safely run untrusted Java code, and filter the program's requests for system services in a way which will block and log any attempts to do nasty things, both for the Applet model, and for more general applications.

A prior poster suggested that in the absence of formal proofs of correctness, flaws permitting the exploitation of covert channels and other such things in a language such as Java were "a certainty." I think the situation is more complicated than this suggests, and while I probably wouldn't want an artificial heart with Java software today, I think a lot of the worries will resolve themselves as time passes, and the things we are all discussing are implemented.

From grafolog at netcom.com Wed May 1 01:23:03 1996
From: grafolog at netcom.com (Jonathon Blake)
Date: Wed, 1 May 1996 16:23:03 +0800
Subject: Former CIA Director and *Strategic Investment* Editor
In-Reply-To:
Message-ID:

Jim:

On Tue, 30 Apr 1996, jim bell wrote:

> known to be so!) that his neighbor would call the cops just because he,
> ONCE, stayed a little longer than normal?

I guess you've never had the pleasure of living in a small town. If you had, you'd know just how observant people are, of others' habits.

> What's wrong with this picture?

Your ability to see conspiracy where there may be none.
xan

jonathon
grafolog at netcom.com

**********************************************************************
*                                                                    *
*  Opinions expressed don't necessarily reflect my own views.        *
*                                                                    *
*  There is no way that they can be construed to represent           *
*  any organization's views.                                         *
*                                                                    *
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
*  ftp://ftp.netcom.com/pub/gr/graphology/home.html                  *
*                                                                    *
*  OR                                                                *
*                                                                    *
*  http://members.tripod.com/~graphology/index.html                  *
*                                                                    *
***********************************************************************

From jhmartin at kent.wednet.edu Wed May 1 01:29:03 1996
From: jhmartin at kent.wednet.edu (Jason Martin)
Date: Wed, 1 May 1996 16:29:03 +0800
Subject: Calling other code in Java applications and applets
Message-ID: <2.2.32.19960501042008.006aaac4@mailhost.kent.wednet.edu>

-----BEGIN PGP SIGNED MESSAGE-----

At 10:12 AM 4/30/96 -0500, you wrote:
>I (and some others, I think) was hoping that it would be possible to build
>powerful crypto applets and put them up on web pages. That way everyone
>with a java enabled copy of Netscape could use a remailer or send crypted
>mail without having to download, install, and configure software.

What with the concern of hacked or modified clients, I would think that trusting a java applet someone put on their page would be rather difficult. How could the user know that you weren't really sending their cleartext back to you?

>If people have to download and install a plugin to use a java mixmaster
>applet, why not just download and install a native mixmaster client?

I have not seen a mixmaster client for the PC/Win95 yet. Did I just miss it?

>Of course there are other reasons to use java -- platform independence,
>for example.

Remember that we can't really know if their applet is secure or just a trojan horse.
+-------------------------------------------------------+
|If the above is not PGP signed, I MAY not have sent it.|
|jhmartin at kent.wednet.edu * Key available via server |
| KR Annual Staff         | PGP 'crypted mail preferred.|
+-------------------------^-----------------------------+

From ml3e+ at andrew.cmu.edu Wed May 1 01:49:44 1996
From: ml3e+ at andrew.cmu.edu (Michael Loomis)
Date: Wed, 1 May 1996 16:49:44 +0800
Subject: CryptoAnarchy: What's wrong with this picture?
In-Reply-To:
Message-ID:

Excerpts from internet.cypherpunks: 28-Apr-96 Re: CryptoAnarchy: What's w.. by s1113645 at tesla.cc.uottaw

> The result of this might be that the netshore economy might actually
> have lower overhead and an easier interface to its users than the
> physical world version. If people's easiest intro to economics and the
> job market is such a simple anarchy and the place where they get most
                                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> of their entertainment, education and generally spend most of their lives
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> is such an impossible to regulate environment, what do you think this
> bodes for state control? Or people's desire for it?
This explains far more of the rhetoric on this mailing list than anything I could possibly write: the young libertarians having lived their teenage years alone in their bedrooms listening to heavy metal music or Rush or Sisters of Mercy through headphones in order to not disturb their fathers and masturbating looking at porno pics and imagining the chicks think just like Ayn Rand have now reached the adult stage in which they don't have to use headphones, they can admit they hate their father, they don't have to pay taxes, and they can spend most of their lives in front of a computer.

Michael Loomis
"Tax Collector Want to Be for the Welfare State"

From snow at smoke.suba.com Wed May 1 02:05:42 1996
From: snow at smoke.suba.com (snow)
Date: Wed, 1 May 1996 17:05:42 +0800
Subject: Freedom and security
In-Reply-To: <199604301630.MAA14089@jekyll.piermont.com>
Message-ID:

On Tue, 30 Apr 1996, Perry E. Metzger wrote:

> CyberAngels Director : Colin Gabriel Hatcher writes:
> > If they were antithetical then as freedom increased security would
> > freedom. My concern is that if we ignore security we will have no freedom
> > left to protect.
> > at different points. I don't believe that security is the enemy of
> > freedom. I believe that freedom needs security in order to exist at all.
> You will pardon my asking this, but, security from what? Who are the
> evil Network Terrorists throwing Bit Bombs or whatever? The only
> security you need on the internet is keeping your site from being
> broken in to, which is mostly a matter of setting it up
> properly. What, exactly, is the "Security" that you are offering us?

Let me grab my other .sig here:

Postmodernism is the refusal to think--Ron Carrier     petro at suba.com
Deconstruction is the refusal to believe that anyone else can either
Freedom of choice is what you have, freedom from choice is what you want. -- DEVO

The last line is the relevant portion here. Just as there is freedom to, there is freedom _from_.
I think that the same thing could be said for Security. On one hand you have the security to leave your house, safe in the knowledge that the majority of your stuff will be there when you return, and the security to walk the streets without the fear of getting attacked. On the other hand some would have the security of knowing that _no one_ is downloading dirty pictures, the security that the "wrong" person is not getting their hands on dangerous information etc.

With freedom, as we all learned in philosophy 101 (whether in college or just life) there is freedom TO--such as freedom to move to another country, the freedom to exchange ideas without constraint, in other words the freedom to do things--and the freedom FROM--from hunger, from fear, freedom from failure, freedom from being challenged, freedom from choice.

People like the CyberAngels, are definitely (IMO) on the side of the freedom FROM, rather than freedom TO, and their security is the enforced security of a prison, or a police state.

True Security, like freedom cannot be enforced or given from without, it must come from within. With freedom this is self-explanatory, no one can set you free, you have to do it. Security is the same way. One must be secure in one's beliefs, or one will be constantly troubled by "threats" to those beliefs. Witness the "Christian Right" in this country.

Physical security works the same way. If one takes care of one's community, working with one's neighbors etc., and applying social pressure to those who potentially threaten your physical security you will live in a much healthier, and less dangerous environment (yeah, this is a little simplistic but you get the idea).

Petro, Christopher C.
petro at suba.com
snow at crash.suba.com

From hfinney at shell.portal.com Wed May 1 02:07:26 1996
From: hfinney at shell.portal.com (Hal)
Date: Wed, 1 May 1996 17:07:26 +0800
Subject: Why I dislike Java. (was Re: "Scruffies" vs.
"Neats") Message-ID: <199605010521.WAA02990@jobe.shell.portal.com> From: "Perry E. Metzger" > > The Web is the universal marketplace these days. Being unable to use > the web is the equivalent of being unable to use the phone. I have > research analysts at large trading houses begging for > Netscape. Unfortunately, these people have a need for top notch > security, because vast amounts of money are at stake. > [...] > Unfortunately, when the same machine runs Netscape so the > trader can read the UUNet/MFS merger press release and also has the > big shiny red "trade!" button on some application, you get nervous. Aren't you holding Java to a higher standard than ordinary applications? If your traders run any software at all on their machines there is the risk of harm. The Netscape binary itself could be hacked to do bad things. Likewise with any other software they run. Wouldn't it be safer to run a Java applet than a typical program from the net? At least applets run in an environment which is designed to restrict the harm they can do. In OS's like Windows 95 there are no such restrictions on programs. Take a specific example: Mixmaster. This is a client for the remailer network. It is reasonably well suited to being implemented as a Java applet given the current restrictions on the language. If you had a choice between downloading and running the client as a program on your PC, versus loading and running it as an applet, which would you prefer? Or if you would do neither, how would you go about acquiring this functionality? Would you forego it forever, or would there come a time, say if no one else reported problems, that you would be willing to run one or the other? What I am really trying to get at is how you balance the risks that come automatically when you interact with the net against the benefits you get by doing so. You have chosen a certain point on the risk-reward continuum, one for which Java applets are apparently on the too-risky side. 
So I am wondering what principles you use to decide where a proposed application falls.

Hal

From cp at proust.suba.com Wed May 1 02:08:20 1996
From: cp at proust.suba.com (Alex Strasheim)
Date: Wed, 1 May 1996 17:08:20 +0800
Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
In-Reply-To: <199605010033.UAA15101@jekyll.piermont.com>
Message-ID: <199605010528.AAA00506@proust.suba.com>

> It is difficult. The way Java does this, with the protection relying
> solely on the correctness of the runtime (the interpreter isn't
> emasculated so flaws in the runtime can cause unexpected behavior) it
> is nearly impossible. Humans aren't good enough at designing systems
> this century.

One thing that I'm sort of fuzzy on is whether or not you feel that this is a problem specific to this one group of products (java) or if it's a problem with the general idea of grabbing and running applets indiscriminately in a protective environment.

As some recent posts here have shown, when people start working with java applets, subtle problems (like not being able to put your hands on enough entropy) emerge. It may turn out that after a year or two the list of complaints will be long enough that a demand for a successor to java will emerge. I would have to think that after a bit of practical experience, it will be possible to build a better java.

Right now, as near as I can tell, we have two major security complaints with java's design. The first is Perry's point (which I might be munging), that there isn't enough redundancy in the security to protect us if and when human error creeps in. The second is that a rigorous formal analysis of the language hasn't been performed, and that the language as it is currently constituted doesn't lend itself to such an analysis.

Can these problems be solved, at least in theory, in a new language? Are there other changes that ought to be considered? Etc.
From jimbell at pacifier.com Wed May 1 02:12:30 1996
From: jimbell at pacifier.com (jim bell)
Date: Wed, 1 May 1996 17:12:30 +0800
Subject: Former CIA Director and *Strategic Investment* Editor
Message-ID:

At 04:06 AM 5/1/96 +0000, Jonathon Blake wrote:

>> known to be so!) that his neighbor would call the cops just because he,
>> ONCE, stayed a little longer than normal?
>
> I guess you've never had the pleasure of living in a small town.
> If you had, you'd know just how observant people are, of others'
> habits.

However, you haven't explained why mere "observance" would translate into a call to the cops (if that's what happened; according to the reports it did) under those circumstances. I can observe a lot that doesn't necessarily induce me to drag the cops into it.

Initially, I was thinking that perhaps the neighbors might have become suspicious, walked over and saw a capsized canoe. However, according to another item the canoe was over 400 yards from the house, which is sufficiently far to make it difficult to see along many shorelines.

Do you have an alternative explanation?

>> What's wrong with this picture?
>
> Your ability to see conspiracy where there may be none.

It's odd. You're the third person to use the term "conspiracy" when I haven't mentioned the word. Somehow, I think that you guys must be misusing the term "conspiracy" when what you really mean is something else. Why not pick up an OED, and choose a better word.
Jim Bell
jimbell at pacifier.com

From mpd at netcom.com Wed May 1 02:29:01 1996
From: mpd at netcom.com (Mike Duvos)
Date: Wed, 1 May 1996 17:29:01 +0800
Subject: Lolitas and Cyber Angels
Message-ID: <199605010543.WAA01100@netcom8.netcom.com>

(CyberAngels Director : Colin Gabriel Hatcher) writes:

> Child pornographers encrypt their hard drives so that law
> enforcement cannot gather crime evidence - that is certainly
> a state of greater security for the pornographer, but it
> does not improve our Community, and as child pornography
> increases, the law is by definition broken more and more,
> and so the Community becomes less free than before.

This is silly on several levels.

First, given that a finite amount of resources are available to combat the sexual exploitation of children, law enforcement should concentrate their resources on the production of such material, and not on the incidental evidence of its production long after the fact, and in a context completely unrelated to any economic link back to the original producers.

Someone who has an encrypted file on their hard drive from some motheaten child porn magazine published 20 years ago is no more guilty of the exploitation of the models portrayed than someone who downloads the Simpson crime scene photos from alt.binaries.pictures.tasteless is guilty of killing Nicole and Ron. If anything, such a picture is little more than historical documentation of a bygone era and an expensive distraction for police officers who might better spend their time.

Indeed, if encryption inhibits the ability of the government to create exceptions, based solely on irrational public hysteria, to the First Amendment right of citizens to communicate amongst themselves on any subject, including via the use of visual material, then encryption is serving a valuable purpose.
Now before anyone accuses me of advocating a thriving market in child porn, let me say that I have no objection at all to laws which set a minimum age for working as a performer in the sex industry, and to enthusiastic prosecution of individuals who violate those laws.

I just think the police should concentrate their resources on real children experiencing real abuse, and leave their prurient interest in the contents of libraries and other people's computers behind when they go to work.

--
     Mike Duvos          $    PGP 2.6 Public Key available     $
     mpd at netcom.com    $    via Finger.                      $

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 1 02:37:18 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 1 May 1996 17:37:18 +0800
Subject: (fwd) Information Infrastructure Project
Message-ID: <01I46B3WYFYS8Y54K0@mbcl.rutgers.edu>

From: IN%"rre at weber.ucsd.edu" 1-MAY-1996 00:50:15.50
From: Phil Agre

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This message was forwarded through the Red Rock Eater News Service (RRE).
Send any replies to the original author, listed in the From: field below.
You are welcome to send the message along to others but please do not use
the "redirect" command. For information on RRE, including instructions
for (un)subscribing, send an empty message to rre-help at weber.ucsd.edu
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Date: Mon, 29 Apr 1996 17:21:36 EST
>From: Tim Leshan
To: IIPLIST at ksgrsch.harvard.edu
Subject: Workshop Announcement and Call for Papers

Information Infrastructure Project
Harvard University

Commercial Internet Exchange Association (CIX)

Internet Society

COORDINATION AND ADMINISTRATION OF THE INTERNET

Workshop Announcement and Call for Papers

This is a first announcement and call for papers and proposals for a workshop to be held at the John F. Kennedy School of Government, Cambridge, MA, USA, on September 8-10, 1996.
The workshop will address issues in the international coordination and management of Internet operations. We are seeking papers which address the economic, organizational, legal and technical issues in migrating to internationally sanctioned, industry-supported processes and institutions. What should a fully internationalized Internet look like, and how do we get there from here?

Topics to be explored in the workshop and resulting publication include:

- policy and management issues concerning: network addresses domain names routing policy settlements interconnect points intercontinental connectivity quality of service standards
- legal and institutional structures for supporting core Internet functions;
- institutions and policies needed to ensure the future scalability and extensibility of the Internet;
- technical and implementation issues presented by heterogeneous national information policies;
- the need for data in support of Internet planning, including issues of how data should be collected and maintained;
- coordination needed for the deployment of new technology;
- international crisis management for the Internet.

Although the Internet is already substantially privatized, certain essential functions -- notably the domain name registry, network number assignment, and the routing arbiter -- are still funded by the U.S. Government. Unlike the local telephone exchange, these integrative services are managed by third parties, contributing to an open competitive environment which has helped enable rapid growth of the Internet. Rapid growth, commercialization, and internationalization are putting stress on current institutions and procedures -- which are neither self-sustaining nor officially recognized at the international level. The National Science Foundation plans to phase out support for core administrative services and for international connections, just as it has withdrawn support for production-level backbone services.
Conflicts over tradenames and number assignments suggest that international legitimacy is needed for domain name and network number management.

Beyond support for essential functions, there are many practical and policy issues where some greater degree of coordination or institutional leadership may be desirable. For example, how can the implementation of new technology and protocols be expedited? What common definitions and guidelines should exist to describe network performance? Should the functions performed by current Internet institutions (such as the Internic, RIPE, APNIC, and the IANA) be brought into a more robust international infrastructure, and if so, how? To what extent are multilateral peering arrangements and settlements needed to encourage continued growth and competition in the Internet access industry?

The conference will engage scholars, practitioners and policy makers in examining and discussing these issues. It will bring together stake-holders, academics and individual leaders within and beyond the Internet community to help define the future institutional infrastructure of the Internet.

Workshop papers will be revised and edited following the workshop for publication by MIT Press as part of the Harvard Information Infrastructure Project series. Potential participants are encouraged to submit papers that can be developed and revised for publication (copyright assignment is not required). Please send an abstract by June 15, 1996, for review by the program committee.

Please direct papers, proposals, and requests for future mailings to:

James Keller
Information Infrastructure Project
Kennedy School of Government, Harvard University
79 JFK Street
Cambridge, MA 02138
617-496-4042; Fax: 617-495-5776
jkeller at harvard.edu

The Harvard Information Infrastructure Project is a project in the Science, Technology and Public Policy Program at the John F.
Kennedy School of Government, with associated activities at the Kennedy School's Center for Business and Government and the Institute for Information Technology Law and Policy at Harvard Law School. This event and publication are funded in part by a grant from the National Science Foundation, Division of Networking and Communications Research and Infrastructure. From unicorn at schloss.li Wed May 1 02:42:10 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 1 May 1996 17:42:10 +0800 Subject: Freedom and security In-Reply-To: Message-ID: On Tue, 30 Apr 1996, CyberAngels Director : Colin Gabriel Hatcher wrote: > Nor does freedom increase through less laws or no laws. Freedom increases > as respect and care for one another increases. Respect maybe, but care? Please. > Meanwhile, since we do not > live in utopia, all societies at a certain level of economic development > and of a certain size of population require law and law enforcement to > protect citizens from predators. I disagree. Law enforcement is only required to the extent the individual is unable to protect him or herself from "predators." Assuming that a certain level of economic development makes this impossible or difficult is, in my view, a long jump. > The Internet is beyond the stage of small communities exercising informal > social controls (peer pressure). It's now a major industrial city and will > develop law, law enforcement and government, whether anyone likes it or > not, not least because the Community will always respond to crime by trying > to protect itself. What you fail to recognize is that the individual is much more empowered on the internet than in other communities. Looking at the internet as a community is a misnomer. It is a community only to the extent people engage themselves in it. You have to live somewhere on the planet. You can't simply unplug from the real world. Participation in a community is mandatory in the real world. Not so with 'cyberspace.' 
> And the crime is already here. The idea that the
> Internet is not controlled is IMHO one of the biggest myths around. It's
> like a large group of people are still living in some far-off utopian rural
> paradise. Does anyone really doubt the extent of State control and power
> across the Net?

Yes. Louis Freeh for one. Bill Clinton as another. Senator Exon as a third. Shall I go on?

> My point is that this is inevitable.

My point is that I believe you are incorrect.

> The Internet is a
> mirror of the rest of the world, not a new form of society, and I fail to
> understand why anyone should be surprised that that is the case.

Mostly because many of us don't believe it's true. While I will agree that one sees similarities between socializations on the internet and the real world, making the leap to a "mirror image" is pushing it.

> >.... laws only breed more laws, which always lead to
> >less freedom.
>
> I disagree with this statement. I do not believe that laws breed more laws
> nor that laws lead to less freedom. I believe bad laws compromise freedom
> (eg CDA) while good laws protect freedom.

Show me a good law that doesn't reduce freedom. Give me one example please.

> >>I don't believe that security is the enemy of
> >>freedom. I believe that freedom needs security in order to exist at all.
> >
> >Good. Join us in spreading cryptography around, and security will
> >bloom (along with freedom).
>
> Cryptography enhances and protects privacy, which does not inevitably lead
> to greater security.

Your failure to connect privacy with individual security does not commend your argument to the reader.

> Security for the sender, yes, in that no one else can
> read the message, but security for the Community? Doesn't that depend what
> the message said?

Since when has community security required censorship?
What you are proposing are content based restrictions justified by the 'need' for 'community security' where the definition of 'community' is so vague as to be meaningless and the meaning for 'security' is entirely undefined. One might as well say: We have to protect the hummahrmm from the hurmmms in your message. We're going to pass some laws to do it.

> The technology itself is neutral. Child pornographers
> encrypt their hard drives so that law enforcement cannot gather crime
> evidence - that is certainly a state of greater security for the
> pornographer, but it does not improve our Community,

Well, that depends, again, on what your community is defined as, what you mean by improve, the assumption that child pornography is detrimental to the community, the assumption that child pornography is a crime and the assumption that law enforcement is really interested in reducing crime.

> and as child
> pornography increases, the law is by definition broken more and more,

Uh... so? If I pass a law forbidding nudity at all, including in private, as showering increases the law is by definition broken more and more and so the community becomes less free than before. Now, this is the fault of the showerers, isn't it? This is basically what you say here:

> and
> so the Community becomes less free than before. And that's not the tyranny
> of government but the tyranny of criminals.

This is classic left-speak. It's not the government that has taken away rights by passing laws that take away rights, but it's the fault of the criminals (who are ill, mal, or undefined). Blame _them_ for your loss of liberty. Uh huh. This is poor rationalization and after the fact justification.

> I do in fact support cryptography for personal security, not least because
> I can ensure that my messages are authenticated. CyberAngels PGP public
> key will be up on our new website opening very soon. I've had enough of
> people forging my email.

You disprove your own point.
You just struck a blow to 'criminal' mail forgers without the help of law enforcement at all. In fact it is despite attempts to prevent you from using strong cryptography by legislators and the executive that you can accomplish this. Can you also see that your 'community' is improved by the presence of this technology which deters criminal mail forgers? And, imagine that, it was done without the expenditure of tax dollars. Or do I have to spell this out for you?

> *********************************************************
> Colin Gabriel Hatcher - CyberAngels Director
> angels at wavenet.com
>
> "Two people may disagree, but
> that does not mean that one of them is evil"

It does, however, typically mean that at least one of them is wrong.

> *********************************************************

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From cp at proust.suba.com Wed May 1 02:46:44 1996
From: cp at proust.suba.com (Alex Strasheim)
Date: Wed, 1 May 1996 17:46:44 +0800
Subject: "Scruffies" vs. "Neats"
In-Reply-To: <01I460YIKXG08Y50HU@mbcl.rutgers.edu>
Message-ID: <199605010603.BAA00552@proust.suba.com>

For whatever it's worth, my position fits into Tim's taxonomy pretty well. I think it's worthwhile to do enough to protect people from their sysadmins, even if it won't protect them from the NSA. The important thing is to take care not to create standards or large user communities that will force more determined people to choose between security and interoperability.
For example: a mail system that can only work with small keys ought to be avoided; but a mail system that uses large keys and clients with crummy random number generators ought to be deployed, if it has some significant advantage (like user friendliness) over other systems that currently exist.

A java mixmaster applet with a bad random number generator would probably be the best game in town for most people. Is it good enough? No. But is it better than anything that's currently available (in a practical sense) to the typical ms-windows user? Yes. And that's enough reason to deploy it.

Unix clients and the mixmaster remailer network are capable of providing much better security to anyone who wants to pursue it -- the poor quality of the java version doesn't impose a ceiling on other users. And a clear path of improvements exists (ie., easy to use dos and mac native code clients, or a better java applet) to pull the low end users up to where the unix users are now.

Deployment is the thing that's going to make putting the genie back in the bottle impossible. 10,000,000 people who use a flawed java implementation of some crypto applet are still 10,000,000 people who are going to scream bloody murder if crypto's banned. There is a lot of political value in getting something out there, even if it's less than perfect.

(Incidentally, I'd like to encourage more people to set up mixmaster remailers. I've had mine (nsa at omaha.com) up for several weeks, and I haven't had a single complaint or hassle from it. That's not at all what I expected -- I figured people would be complaining all the time. If I had known how it would turn out, I would have set it up a long time ago.)
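Added example (not part of the original message or of any Mixmaster or Java code): the combination described above, large keys generated by a crummy random number generator, together with the earlier remark in this thread about applets not getting enough entropy, can be measured directly. The sketch assumes a hypothetical client that seeds a non-cryptographic PRNG from the clock; every name and the timestamp are constructed for illustration.

```python
"""Added illustration: a key is only as strong as the entropy of its seed."""
import hashlib
import hmac
import math
import random
import secrets

KEY_BYTES = 16  # 128-bit session key: "large" if you only count key bits


def weak_keygen(clock_seconds: int) -> bytes:
    """Hypothetical 'crummy RNG' client: clock-seeded, non-cryptographic PRNG."""
    rng = random.Random(clock_seconds)
    return bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))


def strong_keygen() -> bytes:
    """Key drawn from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def key_check_value(key: bytes) -> bytes:
    """Stand-in for any observable output that depends on the key."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def audit_seed_space(observed: bytes, first_seed: int, last_seed: int):
    """Regenerate every key the weak client could have produced in the window.

    Returns the matching seed, or None if no candidate reproduces `observed`.
    """
    for seed in range(first_seed, last_seed + 1):
        candidate = key_check_value(weak_keygen(seed))
        if hmac.compare_digest(candidate, observed):
            return seed
    return None


def effective_bits(candidate_count: int) -> float:
    """Work factor in bits for a search over `candidate_count` possibilities."""
    return math.log2(candidate_count)


if __name__ == "__main__":
    sent_at = 830912345   # constructed clock value, in seconds
    window = 3600         # the auditor only knows the hour the key was made
    lo, hi = sent_at - window, sent_at + window

    weak = key_check_value(weak_keygen(sent_at))
    strong = key_check_value(strong_keygen())

    print("nominal key size      :", KEY_BYTES * 8, "bits")
    print("effective (weak seed) : %.1f bits" % effective_bits(hi - lo + 1))
    print("weak key regenerated  :", audit_seed_space(weak, lo, hi) == sent_at)
    print("CSPRNG key regenerated:", audit_seed_space(strong, lo, hi) is not None)
```

With a one-hour uncertainty about the clock, the nominal 128-bit key takes fewer than 2^13 trials to regenerate, while the same audit finds nothing for the key drawn from the operating system's generator.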
From rbersten at ia.com.au Wed May 1 02:46:56 1996
From: rbersten at ia.com.au (Rosanne Bersten)
Date: Wed, 1 May 1996 17:46:56 +0800
Subject: Former CIA Director and *Strategic Investment* Editor
Message-ID:

Has anyone else seen the extraordinarily tasteless press release sent out by Roadshow New media about this? Let me show you:

MEDIA RELEASE 30/4/96

Where is William Colby?

Rescuers are searching for the former head of the CIA, William Colby, after his mysterious disappearance yesterday. The canoe he had been using was found capsized and abandoned, near his Maryland home.

Ironically, Colby's disappearance co-incides with the current release of Spycraft, the CD-ROM game developed with former KGB Major general Oleg Kalugin.

...

Is this a publicity stunt from the game's US manufacturer [Activision]? Were some of the secrets given away in the game just a little too close for comfort for the current heads of the CIA? Are the Russians involved? Is it just totally coincidental? Does the Spycraft game itself hold any answers?

No doubt police will be looking to the game for clues and have not yet ruled out foul play. Colby and Kalugin both portray themselves within the game and it could prove that Colby solves his own mystery.

Spycraft the game is a true-to-life espionage thriller that allows players to experience the danger and excitement of being a real spy caught in a deadly web of international intrigue. Every game element is taken from real-life experience of spymasters Colby and Kalugin. The high level involvement of these espionage experts required that the script be reviewed by the CIA for security clearance.

This real life twist to the CD ROM game offers more intrigue for gamers. The Internet facility may provide a solution as players across the world ponder Colby's disappearance.
[This is followed by contact details for Roadshow, which, for you non-Australians, is a big games distributor out here]

*-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-*
+ Rosanne Bersten (editor at ia.com.au) - Editor, internet.au magazine +
+ tel: +61 2 310 1433 * fax: +61 2 310 1315 * http://www.ia.com.au +
*-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-*

From teddygee at visi.net Wed May 1 02:47:15 1996
From: teddygee at visi.net (Ted Garrett)
Date: Wed, 1 May 1996 17:47:15 +0800
Subject: no-cost DH?
Message-ID: <199605010552.BAA16867@london.visi.net>

-----BEGIN PGP SIGNED MESSAGE-----

Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
To: weidai at eskimo.com, cypherpunks at toad.com
Date: Wed May 01 01:54:44 1996

It's true as far as I can tell... Cylink is giving away their passport gold SDK for free. You can send mail to pbolton at cylink.com for more information.

From frantz at netcom.com Wed May 1 03:03:17 1996
From: frantz at netcom.com (Bill Frantz)
Date: Wed, 1 May 1996 18:03:17 +0800
Subject: no-cost DH?
Message-ID: <199605010642.XAA05601@netcom9.netcom.com>

At 1:06 PM 4/30/96 -0700, Wei Dai wrote:
>On Tue, 30 Apr 1996, Bill Frantz wrote:
>
>> Morris (Cylink): Cylink owns the DH patents. We are opening the
>> technology with no-cost licenses. Patents should not be used to block
>> the technology.
>
>Does anyone know more about these no-cost licenses? I wouldn't mind
>getting free DH a year early...
I was just reporting (I hope correctly). You will need to contact Cylink directly. The person speaking was David Morris, Vice President.

Regards - Bill

------------------------------------------------------------------------
Bill Frantz          | The CDA means  | Periwinkle -- Computer Consulting
(408)356-8506        | lost jobs and  | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From frantz at netcom.com Wed May 1 03:05:37 1996
From: frantz at netcom.com (Bill Frantz)
Date: Wed, 1 May 1996 18:05:37 +0800
Subject: once again
Message-ID: <199605010642.XAA05631@netcom9.netcom.com>

At 2:02 PM 4/30/96 -0400, Perry E. Metzger wrote:
>I fully understand that Java is a general programming language and can
>do I/O. However, "Safe" Java subsets, like the ones used for writing
>applets or presumably the ones that would be needed for markets in CPU
>cycles, do not do i/o. One could add i/o to the suite, but that would
>be dangerous.

If I were as worried about Java security as Perry is, I would still consider running Java (or C or C++) programs as part of certain markets in CPU cycles because I would trust their source. (IMHO, much better than trusting every web page I access.)

A single example. I could see a network-wide factoring attack on the key NSA uses to GAK the extra bits in Lotus Notes. Such an effort would run a single program, which would be available in source. Depending on the details, I could either compile the program locally, or download a signed copy of the object code/class file. The same argument applies to rendering e.g. Toy Story.

This restriction does not provide for CPU cycle markets in arbitrary programs, but I think that a significant market could still develop under this limit.

------------------------------------------------------------------------
Bill Frantz          | The CDA means  | Periwinkle -- Computer Consulting
(408)356-8506        | lost jobs and  | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From frantz at netcom.com Wed May 1 03:14:54 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 1 May 1996 18:14:54 +0800 Subject: ITARs and the Export of Classes and Methods Message-ID: <199605010642.XAA05623@netcom9.netcom.com> At 11:49 AM 4/30/96 -0700, Timothy C. May wrote: >An interesting situation for the ITARs, if they try to restrict bignum >classes, for example. A class-based system, if done correctly (in whatever >language, e.g., C++ or Java), should have _most_ of the hard crypto work >already implemented in classes and methods (for bignums, modular >exponentiation, etc.), with the final crypto program much more easily >implemented and exported. Certain languages, e.g. Smalltalk, and I believe lisp and scheme, have bignums as a built-in type. (Or more specifically, their integer types are limited in size only by available memory.) I believe these languages are freely exportable. Your problem stays here in the good ol' USA. You can't implement RSA directly in these languages (I assume RSA in perl has the same problem), because of the patent restrictions. Yet another reason to buy a T-shirt. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From snow at smoke.suba.com Wed May 1 03:19:50 1996 From: snow at smoke.suba.com (snow) Date: Wed, 1 May 1996 18:19:50 +0800 Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats") In-Reply-To: <199605010033.UAA15101@jekyll.piermont.com> Message-ID: On Tue, 30 Apr 1996, Perry E. Metzger wrote: > The Web is the universal marketplace these days. Being unable to use > the web is the equivalent of being unable to use the phone. I have I'm sorry, I don't buy this. 
Last time I saw any stats, less than 5% of AMERICANS have access to the internet in any form. Even if it has doubled in the last 3 months, that is still only 10%. Now yes, someday what you say may be true, but most people have never seen the web, except _maybe_ on TV. My father runs a relatively successful business, which he started last year, and he has almost never used a computer more sophisticated than a calculator (I gave him a zenith supersport (8088) laptop that he has turned on ONCE)--he doesn't even believe in Cash Stations. To claim that being unable to use the web is the equivalent of being unable to use the phone is silly, and to an extent myopic. > research analysts at large trading houses begging for > Netscape. Unfortunately, these people have a need for top notch > security, because vast amounts of money are at stake. There is a simple, but expensive way around this. The rest cut because I am not qualified to comment Petro, Christopher C. petro at suba.com snow at crash.suba.com From frantz at netcom.com Wed May 1 03:20:08 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 1 May 1996 18:20:08 +0800 Subject: [LONG] Churchill Club: 20th Anniversary PK Crypto Message-ID: <199605010641.XAA05552@netcom9.netcom.com> > Paul Raines, Project Manager, United States Postal Service described > ... The post office brings four things that private > industry can't: ... (2) ... well established reputation, ... > (4) it can act as a trusted third party. > >Oh. Well that's good to know. > > --MarkM I just report them like I hear them. They are priced higher than Verisign too. Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From wfrench at interport.net Wed May 1 03:25:00 1996 From: wfrench at interport.net (Will French) Date: Wed, 1 May 1996 18:25:00 +0800 Subject: Lolitas and Cyber Angels Message-ID: <199605010716.DAA12911@interport.net> Mike Duvos wrote: > Someone who has an encrypted file on their hard drive from > some motheaten child porn magazine published 20 years ago is > no more guilty of the exploitation of the models portrayed > than someone who downloads the Simpson crime scene photos from > alt.binaries.pictures.tasteless is guilty of killing Nicole > and Ron. I disagree. If (quite hypothetically) I were one of the "models" in such a magazine (I'm 27 now, so I would have been 7 at the time it was published), I would certainly consider anyone possessing a copy, today or 20 years ago, to be exploiting me. However, that doesn't mean I would want them criminalized for it. In fact, my "anyone possessing a copy" above includes the Government (and third parties such as the Guardian Angels) in the course of a kiddie-porn investigation/prosecution. It's a very hard question. And yes, people who download Simpson crime scene photos are exploiting (not killing) Nicole and Ron. When I have been shown these photos, I have quickly averted my eyes. This is simple human decency, not to mention respect for the dead. Will French From teddygee at visi.net Wed May 1 03:25:03 1996 From: teddygee at visi.net (Ted Garrett) Date: Wed, 1 May 1996 18:25:03 +0800 Subject: no-cost DH? Message-ID: <199605010614.CAA18159@london.visi.net> -----BEGIN PGP SIGNED MESSAGE----- Mime-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit To: perry at piermont.com, cypherpunks at toad.com Date: Wed May 01 02:16:17 1996 Sorry, Perry. This time you are wrong. Cylink is giving away their Passport Gold SDK (Security Development Kit). Period.
I've just received the documentation on the SDK itself, and am expecting shipment of the SDK itself about the middle of May. I was skeptical myself when I read the first post regarding this SDK being released to the public for free, so I called up Cylink. They promptly connected me with Peter Bolton, who has been very helpful in getting this SDK into my hot little hands. Included is, and I quote: "We hold the world-renowned Diffie-Hellman patent used in public key encryption. While developing our industry-leading encryption acceleration engines, we also developed a full suite of services for Diffie-Hellman-based key exchange, government-sanctioned Data Encryption Standard (DES) encryption algorithms, Digital Signature Standard (DSS) document signatures, and the complementary functions you need to incorporate data security into your product. And it's available to you for free: a no-cost toolkit and royalty free license." This is the second paragraph of the fax I received from Cylink after my following up on the free SDK offer. From the rest of the fax, it seems that provisions are included in the SDK for DH, DES, DSS, and SHA. X.509 appears to be in the works. The SDK is purported to interoperate with the Cylink products based on the Secure Enterprise Architecture Stack. I'm pretty dad-blamed excited about this one, boys. I was trying to wait till I was sure to say anything on the list. I'm sure.
From weidai at eskimo.com Wed May 1 03:40:40 1996 From: weidai at eskimo.com (Wei Dai) Date: Wed, 1 May 1996 18:40:40 +0800 Subject: no-cost DH? In-Reply-To: <199605010614.CAA18159@london.visi.net> Message-ID: On Wed, 1 May 1996, Ted Garrett wrote: > Sorry, Perry. This time you are wrong. Cylink is giving away their > Passport Gold SDK (Security Development Kit). Period. I've just received > the documentation on the SDK itself, and am expecting shipment of the SDK > itself about the middle of May. I found some more information about this on Cylink's web site. Check out http://www.cylink.com/products/security/passport/. I'm surprised not to have seen more publicity about this, since it seems to be a fairly big move on Cylink's part. Apparently Cylink is only licensing their SDK at no cost, not the actual patents. Does anyone want to speculate on why they are doing this now? Wei Dai From frantz at netcom.com Wed May 1 03:47:18 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 1 May 1996 18:47:18 +0800 Subject: Network Sex Message-ID: <199605010721.AAA09840@netcom9.netcom.com> At 10:50 PM 4/30/96 -0400, Perry E. Metzger wrote: >I was under the impression that sex involved physical presence. In her lecture for ee380 at Stanford, Lisa Palac was asked, Well, just how do you have sex on the net? Her answer indicated that essentially you talk dirty with your partner and masturbate. IMHO netsex eliminates the possibility of sexually transmitted disease.
The abstract for her lecture (from http://www-leland.stanford.edu/class/ee380/) is: >Apr 3: Lisa Palac, Author: Sex and the Single Cyberchick > >Speaker: Lisa Palac, Author and Founding Editor, Future Sex Magazine > >Title: Sex and the Single Cyberchick > >Abstract > >This lecture discusses the ways computer technology is fundamentally >changing the sexual landscape. Facts and fictions about cybersex, the >moral panic over porn on the Internet and erotic liberation in the >digital domain. > >Biography > >Lisa Palac is the producer of the erotic virtual audio series >*Cyborgasm*, http://www.iuma.com/cyborgasm and the founding editor >of Future Sex magazine. She is currently writing on a book about sex >and popular culture titled, The Edge of the Bed. > Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From jsw at netscape.com Wed May 1 05:19:39 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Wed, 1 May 1996 20:19:39 +0800 Subject: Calling other code in Java applications and applets In-Reply-To: <3185E5B6.3EE8@netscape.com> Message-ID: <3187209C.3E5B@netscape.com> Alex Strasheim wrote: > > > Our Navigator 3.0 release will allow java and javascript to call into > > plugins. Since plugins are native code, you will be able to freely mix > > C and Java. Of course you will have to get the user to install your > > plugin on their disk. > > That's the problem, installing the plugin. > > I (and some others, I think) was hoping that it would be possible to build > powerful crypto applets and put them up on web pages. That way everyone > with a java enabled copy of Netscape could use a remailer or send crypted > mail without having to download, install, and configure software.
> > If people have to download and install a plugin to use a java mixmaster > applet, why not just download and install a native mixmaster client? > > Of course there are other reasons to use java -- platform independence, > for example. But it's the user's ability to download and run applets just > by jumping to a web page that has everyone excited. With that gone (for > crypto), java loses a lot of its lustre (again, for crypto work). It might be interesting to make a small plugin that just does some core stuff like gathering entropy, mod-exp, and related stuff difficult or too slow in java. I mainly brought it up because people were asking about calling native code from java. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From unicorn at schloss.li Wed May 1 05:34:15 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 1 May 1996 20:34:15 +0800 Subject: Freedom and security In-Reply-To: <199605010250.WAA15372@jekyll.piermont.com> Message-ID: On Tue, 30 Apr 1996, Perry E. Metzger wrote: > Mr. Hatcher wrote: > > Or that child pornography is a world wide trading game? > > I must admit to having an odd viewpoint. I don't particularly care > about child pornography. Our nation seems to have an obsession with > the notion that somewhere out there someone is looking at a picture of > a naked boy or something. Myself, well, I am far from convinced that > the existence of child pornography is nearly as much of a threat to me > as the people who want to dismantle all our freedoms in order to stop > it. Most of the child pornography in the U.S. is distributed by the > FBI during stings, you know. From what I can tell, your viewpoint is hardly odd. I find child pornography distasteful in a vague and general way, but I am otherwise fairly indifferent. This pattern that Mr.
Hatcher is showing, demonize an act then show shock when no one else responds to the propaganda; followup by demonizing those not shocked by the demonized act, is a fairly classic tactic. See e.g., Atwood, Orwell, Cambodia. > > Have you never heard of email forgeries or impersonation? > > Yes. I also happen to have heard that people can impersonate you in > real life, too. > > > What about the victims of harassment and hatred who don't know how > > to deal with it? What about all the people who have never heard of > > killfiles? > > I suppose they will have to learn, won't they? But Mr. Metzger, that requires _effort_ and decision making. We must save the people from _effort_ and decision making because only _we_ the elite, know what is good for them. > > Maybe you feel like a veterano and can afford to look condescendingly at all > > the thousands of fresh-faced netizens just arriving online and say "well if > > they can't take the heat they should stay out of the fire" - but if we are > > to call ourselves an emerging "community" then we must take responsibility > > for our city, and that means caring about other people's problems. You mean telling other people the only way to solve their problems as if they are unable to do so themselves, or as if other solutions having nothing to do with yours do not exist. By the way, who said we want to call ourselves an emerging 'community' ? > > When your address is forged and you get flamed and bombed, or if you start > > receiving anonymous death threats, your freedom is under threat. It's not > > enough to say "Well I just turn off my monitor" Readers will note a familiar tactic. "Parade of horrors." The advocate will pass a series of examples intended to shock and frighten the reader into accepting the next convenient solution to these problems, which is coincidentally provided by the advocate.
Readers who have any kind of tie to the real world will note that all these horrors aren't even particularly disturbing and that this betrays poor advocacy skills. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From jsw at netscape.com Wed May 1 05:48:46 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Wed, 1 May 1996 20:48:46 +0800 Subject: Netscape 3 betas In-Reply-To: <199604301453.JAA06960@homeport.org> Message-ID: <318722A5.2455@netscape.com> Adam Shostack wrote: > They include control of caching SSL protected docs, alerts before > showing a cookie or submitting a form via email, control over email > address as ftp password, and, best of all, Java and JavaScript come > turned off by default. One minor correction. Java and JavaScript are Enabled by default. Note that the sense of the options changed from "Disable Java" to "Enable Java". > Nice work! Thanks. > (I'll also offer a pet peeve, which is I can't refuse to accept server > pushes, and the stop button doesn't really seem to affect them. I > should be able to prevent keep-alive if I don't want it.) It's possible that you could configure a null helper app for the multipart/x-mixed-replace content-type, but I've not tried it, and have no idea if it will work. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
From cpunk at remail.ecafe.org Wed May 1 07:00:55 1996 From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) Date: Wed, 1 May 1996 22:00:55 +0800 Subject: [NOISE] Re: Freedom and security Message-ID: <199605011003.LAA03456@pangaea.hypereality.co.uk> On Apr 30 1996 at 19:38:55, angels at wavenet.com wrote: > If it were permitted to kill those who disagreed with you, > then no one would be free to speak their mind at all, for fear > of the consequences. A person's freedom of speech is reduced by being afraid of the consequences of that speech. Likewise, a person's freedom of speech is improved by being less afraid of the consequences. Therefore, we can scrap the first amendment, and just drink plenty of beer. From frissell at panix.com Wed May 1 08:09:23 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 1 May 1996 23:09:23 +0800 Subject: Freedom and security Message-ID: <2.2.32.19960501105911.00d4f16c@panix.com> At 07:38 PM 4/30/96 -0700, CyberAngels Director : Colin Gabriel Hatcher wrote: > >Maybe you feel like a veterano and can afford to look condescendingly at all >the thousands of fresh-faced netizens just arriving online and say "well if >they can't take the heat they should stay out of the fire" - but if we are >to call ourselves an emerging "community" then we must take responsibility >for our city, and that means caring about other people's problems. > >The internet is not just a collection of bits and bytes - it's real people >doing real things to each other. > >When your address is forged and you get flamed and bombed, or if you start >receiving anonymous death threats, your freedom is under threat. It's not >enough to say "Well I just turn off my monitor" If these millions of the "Great Unwashed" managed to get *on* the Net in the first place without Fascist assistance, they can figure out how to survive there without Fascist assistance.
DCF From asgaard at sos.sll.se Wed May 1 08:13:04 1996 From: asgaard at sos.sll.se (Asgaard) Date: Wed, 1 May 1996 23:13:04 +0800 Subject: Churchill Club: 20th Anniversary PK Crypto In-Reply-To: <199605010641.XAA05552@netcom9.netcom.com> Message-ID: On Tue, 30 Apr 1996, Bill Frantz wrote: > > ... The post office brings four things that private > > industry can't: ... (2) ... well established reputation, ... > > (4) it can act as a trusted third party. > I just report them like I hear them. They are priced higher > than Verisign too. According to your report, the guy made a comparison to McDonald's, having only 10.000 outfits in the US compared to the Post Office having 50.000. But McDonald's has a strong international presence while the US Post Office has almost none. And then one could eat a tasty burger, waiting for one's smartcards to get signed by the trustworthy attendants (I mean, they do wear uniforms). Asgaard From ddt at lsd.com Wed May 1 11:33:03 1996 From: ddt at lsd.com (Dave Del Torto) Date: Thu, 2 May 1996 02:33:03 +0800 Subject: [LONG] Churchill Club: 20th Anniversary PK Crypto In-Reply-To: <199604300808.BAA17923@netcom9.netcom.com> Message-ID: Nice summary, Bill. Now I don't have to do it. ;) I hope this is OK with you... dave From ddt at lsd.com Wed May 1 11:46:24 1996 From: ddt at lsd.com (Dave Del Torto) Date: Thu, 2 May 1996 02:46:24 +0800 Subject: partial NSA key detected on USPS site Message-ID: Is it too late for April, fooles? From liberty at gate.net Wed May 1 12:14:21 1996 From: liberty at gate.net (Jim Ray) Date: Thu, 2 May 1996 03:14:21 +0800 Subject: Freedom and security Message-ID: <199605011155.HAA41660@osceola.gate.net> -----BEGIN PGP SIGNED MESSAGE----- CyberAngels Director Colin Gabriel Hatcher wrote: >>...Freedom does not increase through more laws.
> >Nor does freedom increase through less laws or no laws. You have gotta be kidding me, but let's start by differentiating among laws. I'm a crypto-minarchist, not a crypto-anarchist, so I still have hope for some (MUCH less) government. I think laws against murder are good, and lead to more safety for those not in jail. I think laws against "consensual crimes" are bad, and lead to government/police corruption extending all the way to the top [see sigfile]. When I have to say, "where's the victim?" it's a shitty law. Many laws fail my test. > Freedom increases >as respect and care for one another increases. This is what I called flowery rhetoric in the last post. > Meanwhile, since we do not >live in utopia, all societies at a certain level of economic development >and of a certain size of population require law and law enforcement to >protect citizens from predators. This is what astounds me, the advocates of more government always focus on crimes WITH obvious victims during debates. Once power is achieved, the victimless crime laws get written. I have said I do want murderers, and even some (not all) pedophiles, in jail. If a child pornographer chooses to visit my page and commits a thoughtcrime involving my babypictures, I say leave him alone. If he commits a real crime with an unwilling victim I say punish him even more than the present government punishes him. Libertarians, when we achieve political power, will find ourselves with abundant jail cells left over from the tax-and-spend drugwar to put real criminals (the ones who have an individual victim) in. >[...flowery rhetoric] Does anyone really doubt the extent of State >control and power across the Net? There are certainly enough statists who feel a need to increase it. > > >.... laws only breed more laws, which always lead to >>less freedom. > >I disagree with this statement. I do not believe that laws breed more laws >nor that laws lead to less freedom.
I believe bad laws compromise freedom >(eg CDA) while good laws protect freedom. I am heartened by your opposition to the CDA (though I did not notice a Cyberangels voice in the debate/protest leading up to this abominable law...) but I must point out that you offer no good test, like my "where's the victim?" test, to differentiate good laws from bad ones. As to more laws leading to less freedom I stand by my words. Go down to any law library and have a look at the Code of Federal Regulations. As wordy, poorly-written laws proliferate, we all become "criminals," subject to the arbitrary power of the state's prosecutors. When the state prosecutors are a partisan Democrat followed by a partisan Republican, and the "criminals" are high-ranking Democrats and Republicans, you end up with a lesser respect for all laws, even the good ones. Again, see my sigfile. Now imagine the Libertarian party was doing the same drug-smuggling...Would the feds [let alone the media] be so silent? I doubt it. >Cryptography enhances and protects privacy, which does not inevitably lead >to greater security. Security for the sender, yes, in that no one else can >read the message, but security for the Community? I find it worrisome that you capitalize the word, despite my rant involving Director Freeh. I repeat: The community is made up of individuals. > Doesn't that depend what >the message said? The technology itself is neutral. Therefore, I guess, the "Community" must forcibly take my key to make sure that last PGPmessage wasn't child porn, right? It is important to make sure I don't commit thoughtcrime. > Child pornographers >encrypt their hard drives so that law enforcement cannot gather crime >evidence - that is certainly a state of greater security for the >pornographer, but it does not improve our Community, and as child >pornography increases, the law is by definition broken more and more, and >so the Community becomes less free than before.
And that's not the tyranny >of government but the tyranny of criminals. Look. I don't care if some old man beats off to the tune of baby pictures. There is no victim. If he finds a victim, toss him in the slammer, or kill him. Right now, the tax-and-spend drugwar is creating a revolving-door justice system when it comes to victim crimes, and the people (naturally) disrespect the law. Respect for ALL law, good and bad, is poisoned by this foolishness and when combined with a disrespect for the historical power of juries to nullify shitty laws, and ignorance of history. >I do in fact support cryptography for personal security, not least because >I can ensure that my messages are authenticated. CyberAngels PGP public >key will be up on our new website opening very soon. I've had enough of >people forging my email. Oh, why bother with this self-help, vigilante solution to the need for authentication. Why not just pass another law? PGP is a pain-in-the-ass to install and learn. I'm sure the Congress and President Clinton (who has also experienced e-mail forgery) would support it, and then you won't have to bother learning PGP or reading that awful PGPdoc1 & PGPdoc2. >"Two people may disagree, but >that does not mean that one of them is evil" I think it should be legal for me to sell my body for sex, or put any substance into it I choose, because _I_ own my body. The "Community" may think I'm evil for advocating this immoral misuse of "their" property... At the same time, I may think the "Community" evil for trying to steal/claim my property... Either I'm right and the "Community" is evil, or the other way around. Which one is it? JMR Regards, Jim Ray "My cynical belief is that there is a lack of motivation in either party to fully and properly investigate [Mena] because the results will damage as many Republicans as Democrats." - former prosecutor Charles Black, in April 22, 1996's Wall Street Journal p.A22 Hey kids!
Try this fun Westlaw search: mena /p cocaine Best to look in the newspapers, and not the cases! [see above] _______________________________________________________________________ PGP key Fingerprint 51 5D A2 C3 92 2C 56 BE 53 2D 9C A1 B3 50 C9 C8 Public Key id. # E9BD6D35 -- http://www.shopmiami.com/prs/jimray _______________________________________________________________________ From m5 at vail.tivoli.com Wed May 1 13:30:22 1996 From: m5 at vail.tivoli.com (Mike McNally) Date: Thu, 2 May 1996 04:30:22 +0800 Subject: Freedom and security In-Reply-To: Message-ID: <3187698C.69A2@vail.tivoli.com> CyberAngels Director : Colin Gabriel Hatcher wrote: > > Every society has a social contract... > Somehow, that little paragraph reminded me of the "Soliton bomb" speech in "Plan 9 From Outer Space." I'm outta this one gang. These angel dudes are too weird for me. ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * * suffering is optional From droelke at rdxsunhost.aud.alcatel.com Wed May 1 15:03:33 1996 From: droelke at rdxsunhost.aud.alcatel.com (Daniel R. Oelke) Date: Thu, 2 May 1996 06:03:33 +0800 Subject: [Fwd: Cylink can export 128-bit DH?] Message-ID: <9605011318.AA09424@spirit.aud.alcatel.com> > Dear Wei Dai > I understand that ITAR prohibits the export of strong crypto > and that is why I was puzzled that Ms Glenda Barnes, the Director > of Marketing in Cylink, said that Cylink could export the same crypto > (i.e. DES) that was used in the U.S. to local banks here in Malaysia.
> She also claimed that Cylink could also export a 128-bit DH key size. > (is it strong enough in the first place? ) > > I'm confused : Either she's pulling wool over the attendees' eyes or > Cylink has got some pretty good connections. > > She could not have been mistaken as she was replying to a specific > question about the ITAR and the export issue of strong crypto. > > Can anyone help? > > There are provisions for exporting DES for banking purposes. Generally it is a hardware card that "can't" be reused outside of the banking transfer machine. I don't know the details of how such licenses are applied for, but I have a friend who used to work in that area. On 128-bit DH - Nowhere near big enough. Dan ------------------------------------------------------------------ Dan Oelke Alcatel Network Systems droelke at aud.alcatel.com Richardson, TX From jlasser at rwd.goucher.edu Wed May 1 16:17:07 1996 From: jlasser at rwd.goucher.edu (Moltar Ramone) Date: Thu, 2 May 1996 07:17:07 +0800 Subject: Freedom and security In-Reply-To: Message-ID: On Tue, 30 Apr 1996 angels at wavenet.com wrote: > The Internet is beyond the stage of small communities exercising informal > social controls (peer pressure). Disagree strongly. The net is a LARGE number of SMALL communities. This is why spammers are so offensive: they trespass and violate boundaries. This is why killfiles were invented. You ask about people who don't know about killfiles. Teach them. This requires no formal organization. > paradise. Does anyone really doubt the extent of State control and power > across the Net? Yes. If there was state control of the Internet, there probably wouldn't be any anonymous remailers. And the Cyberangels would go away. > My point is that this is inevitable. Very few things are inevitable; that's a very strong word. The Cypherpunk Agenda is to provide exactly those tools which make this "inevitable" thing absolutely impossible.
> The Internet is a > mirror of the rest of the world, not a new form of society, and I fail to > understand why anyone should be surprised that that is the case. Disagree modestly. > I disagree with this statement. I do not believe that laws breed more laws > nor that laws lead to less freedom. I believe bad laws compromise freedom > (eg CDA) while good laws protect freedom. Have you taken a good hard _honest_ look at the War on Drugs? I also believe that bad laws compromise freedom and good laws protect freedom. One of the problems is that good laws often breed bad laws to patch things up. > Cryptography enhances and protects privacy, which does not inevitably lead > to greater security. Security for the sender, yes, in that no one else can > read the message, but security for the Community? Doesn't that depend what > the message said? No. True security for the community rests in a shared social standard which discourages actions which are harmful to the community or individuals. Security which requires a class of Guardians to protect everyone else is not security. It's safety, but it's temporary safety. Jon Lasser ---------- Jon Lasser (410)494-3072 - Obscenity is a crutch for jlasser at rwd.goucher.edu inarticulate motherfuckers. http://www.goucher.edu/~jlasser/ Finger for PGP key (1024/EC001E4D) - Fuck the CDA. From Clay.Olbon at dynetics.com Wed May 1 17:11:19 1996 From: Clay.Olbon at dynetics.com (Clay Olbon II) Date: Thu, 2 May 1996 08:11:19 +0800 Subject: Freedom and security Message-ID: At 7:38 PM 4/30/96, angels at wavenet.com (CyberAngels Director : Colin Gabriel Hatche wrote: >My concern is not so much with network sabotage or infiltration (there are >plenty enough organizations addressing that problem) but with personal >safety within the Internet community - that means you, not your hard drive. This is a totally facetious point.
I am fully capable of protecting myself and my family from ANY threat posed by a single individual over the internet (and from most threats posed in person as well). There is no "personal safety" issue. This is fantasy. When someone dies from an email message, come back and talk to me about security. Until then, the biggest threat to my security on the internet comes from groups such as yours and from the government. In attempting to limit access to anonymous remailers and cryptography, you are attempting to limit my ability to protect myself, while substituting dubious governmental protection. I say dubious, because in the real world, there will always be those who break the law (if cryptography is outlawed...). You do have one point I agree with: >Freedom of speech cannot function without law. This is absolutely correct. There must be a law to protect the freedom of speech, and we have that law, it is called the 1st amendment to the Constitution. I saw a .sig the other day that said "What part of 'Congress shall make no law ... abridging the freedom of speech' do you not understand" (unfortunately I don't remember whose .sig it was). The self anointed internet censors often try to muck up the basic issue of free speech with the "evil" pornographers and bombmakers theme in an attempt at convincing the public to give up freedom for illusory security. You fall in that net.censor category, in that you are attempting to restrict freedom. Although you may actually believe in what you are doing, you are wrong. Fortunately, I still have the right to disagree strongly.
Clay --------------------------------------------------------------------------- Clay Olbon II | Clay.Olbon at dynetics.com Systems Engineer | ph: (810) 589-9930 fax 9934 Dynetics, Inc., Ste 302 | http://www.msen.com/~olbon/olbon.html 550 Stephenson Hwy | PGP262 public key: on web page Troy, MI 48083-1109 | pgp print: B97397AD50233C77523FD058BD1BB7C0 TANSTAAFL --------------------------------------------------------------------------- From tallpaul at pipeline.com Wed May 1 17:47:52 1996 From: tallpaul at pipeline.com (tallpaul) Date: Thu, 2 May 1996 08:47:52 +0800 Subject: Nazis on the Net Message-ID: <199605011556.LAA07882@pipe6.nyc.pipeline.com> I stand behind my original post and the analysis in it. I am amused at the tremendous attempts by people with certain political affinities to bail out Weaver by a series of arguments based either on profound ignorance of political realities or with their own private dictionaries. The whole argument of racism vs. white separatism vs. white suppremicist seems more to come from people who argue whether someone is a Baptist or a Christian or a Southern Baptist or a Protestant. (In mathematical set theory one would trace the fallacy in thinking to the false idea that any given element of a set cannot be the element of more than one set. Thus, if (X is a member of Y) it cannot also be a member of Z.) I understand that James D. is not accusing me of being a "child molester" but merely using it as a reductio ad adsurdem argument. Let me continue in this vein. The issue of child molestation was dragged in and had no relevance on the immediate political isues of Weaver et al. But imagine people are arguing about the deep fundamental differnces between someone who is a "child molester" vs. a "pedophile" vs. a "boy lover." --tallpaul On Apr 22, 1996 22:26:41, 'jamesd at echeque.com' wrote: >Content-Length: 2008 > >"E. ALLEN SMITH" ' wrote: >> > Randy Weaver was neither a neo-Nazi nor a racist. 
He was >> > (and, so far as I know, still is) a white separatist. >> > (One would think liberals would tolerate this - they >> > tolerate the equally offensive black separatists, >> > after all...). > > >The well known child molester tallpaul wrote: >> Might we know the source of his complete info on Weaver's political and >> racial beliefs. >> >> I see, in essence, three hypothesis: >> >> 1) Cover the ass of a potential neo-Nazi or racist (or both) without any >> reference to what is really true; >> >> 2) Get information from outer space; > > >Well, child-molester-tallpaul, I notice that the liberal lapdog press >calls him White-Separatist-Randy-Weaver as though he was baptized >"white separatist" at birth. > >Presumably if they had one grain of evidence that he was a Nazi or a >white supremacist, they would call him White-supremacist-Randy-Weaver. > >I notice that you have not one grain of evidence that he is a nazi, >just as I have not one grain of evidence that you fuck little boys >up their asses, but you insinuate that he is a Nazi until somehow proven >innocent (and how can anyone prove himself innocent of thought crime), >and you also insinuate that anyone who suggests otherwise must be >a nazi or nazi sympathizer himself. Obvious proof that you are >a homosexual child molester. > >(Note for the seriously humor impaired. I have no more reason >to believe that tallpaul rapes little children than tallpaul >has to believe that Randy Weaver was a white supremacist or >tallpaul has to believe that Allen Smith is a Nazi sympathizer.) >--------------------------------------------------------------------- > | >We have the right to defend ourselves | http://www.jim.com/jamesd/ >and our property, because of the kind | >of animals that we are. True law | James A. Donald >derives from this right, not from the | >arbitrary power of the state. 
| jamesd at echeque.com
>
>

From pclow at pc.jaring.my Wed May 1 17:50:52 1996
From: pclow at pc.jaring.my (peng-chiew low)
Date: Thu, 2 May 1996 08:50:52 +0800
Subject: [Fwd: Cylink can export 128-bit DH?]
In-Reply-To: <9605011318.AA09424@spirit.aud.alcatel.com>
Message-ID: <31879DD8.3479@pc.jaring.my>

Daniel R. Oelke wrote:

> There are provisions for exporting DES for banking purposes.
> Generally it is a hardware card that "can't" be reused outside
> of the banking transfer machine.

So far, I've seen DES software from a couple of U.S. companies. The question is "Is it the U.S. domestic DES or "export flavored" DES? As for the hardware, wouldn't it be inconsistent if the DES supplied is the Domestic DES?

I know DES as a subject here is one big YAWN, but for guys like us in the Asia, it's not. Why? 'Cause the US crypto companies here in Asia keep telling us about how good and wonderful and secure DES is, and that it is THE standard used by the American Banking Association.

> On 128-bit DH - No-where near big enough.

I would appreciate if someone can email me details about the strength of DH; whether it's been broken, URLs... etc...

Thanks.

_______________________________________________________________
" You can fool some people all the time......"

From stevenw at best.com Wed May 1 17:53:54 1996
From: stevenw at best.com (Steven Weller)
Date: Thu, 2 May 1996 08:53:54 +0800
Subject: Freedom and security
Message-ID:

>Jim Ray wrote

I haven't bothered reading this particular thread up until now, but in my opinion, based on this drivel, you're getting dangerously close to being certified officially by the Cabal as an ignorant kook.

>Nor does freedom increase through less laws or no laws.

Of course it does. However, to maintain community responsibility must also increase.

>Freedom increases
>as respect and care for one another increases.

Hogwash. That's community again.
As respect and care for my neighbor's peace and quiet I lose the freedom to blow leaves on a Sunday morning. This is independent of what the law says. >Meanwhile, since we do not >live in utopia, all societies at a certain level of economic development >and of a certain size of population require law and law enforcement to >protect citizens from predators. Hogwash again. Law and law enforcement only exists due to the failing of such societies. Prisons and executions are the ultimate failure of a society. Their existence (like hierarchical structure) is not a given. But if it is all you know, then of course it's what you assume. And don't forget that it is fundamental that law and law enforcement also protects predators from citizens. Your analysis is rather one-sided. >The Internet is beyond the stage of small communities exercising informal >social controls (peer pressure). How so? >It's now a major industrial city and will It's industry being? >develop law, law enforcement and government, whether anyone likes it or >not, not least because the Community will always respond to crime by trying >to protect itself. True, but there are individuals before community. > And the crime is already here. The idea that the >Internet is not controlled is IMHO one of the biggest myths around. It's >like a large group of people are still living in some far-off utopian rural >paradise. Wait a minute. A large number of people living in a utopian paradise? Surely this is ideal. If there were the crime and activity you describe, then it would not be utopian and would not be paradise. But maybe this is paradise, but only to a criminal. And interesting that you use the world "still". You obviously equate "unorganized" with "backward". You even say "rural". You a city boy by any chance? >Does anyone really doubt the extent of State control and power >across the Net? Excuse me, can someone remind me why we're all here please? > My point is that this is inevitable. 
>The Internet is a
>mirror of the rest of the world, not a new form of society, and I fail to
>understand why anyone should be surprised that that is the case.

You said it. You fail to understand. The reasons are obvious. Your eyes are closed, your mind is shut, and you can hardly be heard over the traffic.

>I disagree with this statement. I do not believe that laws breed more laws
>nor that laws lead to less freedom. I believe bad laws compromise freedom
>(eg CDA) while good laws protect freedom.

Freedom for whom? Freedom, like technology, is neutral. Laws are always of the form "You shall" or "You shall not". Laws against mugging (to protect the citizens) do not prevent muggings. They restrict the freedoms of muggers and eventually incarcerate them. The existence of muggers causes people to restrict their own freedom, by not jogging at night etc. Mugging is a social and a community failure. A "good" law against the activity reduces overall freedom while simultaneously failing to address the problem. In short, a simple, ineffective, but visible fix. A perfect business for politicians to be in.

>>>I don't believe that security is the enemy of
>>>freedom. I believe that freedom needs security in order to exist at all.
>>
>>Good. Join us in spreading cryptography around, and security will
>>bloom (along with freedom).
>
>Cryptography enhances and protects privacy, which does not inevitably lead
>to greater security. Security for the sender, yes, in that no one else can
>read the message, but security for the Community?

Sure. It means that the community can continue life as normal without realising that the Mayor is gay. She does a fabulous job, everyone gains, the community is very secure. Or shall we throw some FUD into the equation, tell everyone, and have the uproar wreck the community?

> Doesn't that depend what
>the message said? The technology itself is neutral.

Facts are neutral too. It does not depend on the message.

>Child pornographers
>encrypt their hard drives so that law enforcement cannot gather crime
>evidence - that is certainly a state of greater security for the
>pornographer, but it does not improve our Community, and as child
>pornography increases, the law is by definition broken more and more, and
>so the Community becomes less free than before. And that's not the tyranny
>of government but the tyranny of criminals.

You really have laws on the brain, don't you? Let's see. Breaking laws reduces freedom? This is where you have the wrong end of the stick. Making, not breaking laws reduces freedom. If our mayor friend above looks at 1 naked minor a week, how does this reduce the freedom of her community? What about 100? Much less free obviously.

>I do in fact support cryptography for personal security, not least because

Does that personal security extend to encrypting your hard drive? What makes you different from Ms. Mayor?

>*********************************************************
>Colin Gabriel Hatcher - CyberAngels Director
>"Two people may disagree, but
>that does not mean that one of them is evil"

But ignorance plays a big role :-)

-------------------------------------------------------------------------
Steven Weller      | Weller's three steps to Greatness:
                   | 1. See what others cannot
                   | 2. Think what others cannot
stevenw at best.com | 3. Express what others cannot

From rlpowell at undergrad.math.uwaterloo.ca Wed May 1 17:54:01 1996
From: rlpowell at undergrad.math.uwaterloo.ca (Robin Powell)
Date: Thu, 2 May 1996 08:54:01 +0800
Subject: Freedom and security
In-Reply-To:
Message-ID: <199605011607.MAA11512@mobius07.math.uwaterloo.ca>

Hello, everyone! I'm new to the list, and I like it already (after 1 day). I apologize in advance for the large amount of quoting I am about to perform.

> >You will pardon my asking this, but, security from what? Who are the
> >evil Network Terrorists throwing Bit Bombs or whatever?
> >The only security you need on the internet is keeping your site from being
> >broken in to, which is mostly a matter of setting it up
> >properly. What, exactly, is the "Security" that you are offering us?
> >
> >Perry
>
> Maybe you feel like a veterano and can afford to look condescendingly at all
                        ^^^^^^^^
What accent is that that you have?

> the thousands of fresh-faced netizens just arriving online and say "well if
> they can't take the heat they should stay out of the fire" - but if we are
> to call ourselves an emerging "community" then we must take responsibility
> for our city, and that means caring about other people's problems.

Oh!! So YOU'RE one of those people that actually wants computer know-nothings on the net, huh? I can think of few things that bother me more. When a "fresh-faced netizen" asks me where I think they could get an internet account, I reply "What are you going to use it for?". They usually say "I don't know.". I then try to explain ftp and telnet to them and if they don't get it I tell them not to get an account because they wouldn't get any use out of it. If they really want, I give them a place that has e-mail and is fairly cheap. The fact of the matter is that I don't want to share my bandwidth with that type of person. You can call me elitist if you want, and you'd be right. I liked the net more when no-one had heard of it except the type of person who would understand what ftp was in a few seconds of explanation. Or telnet, for that matter.

So, to respond to what you actually said, I never claim that the net is an emerging community, because I'm afraid that people whom I don't want on the net will hear me. Besides, community is much too non-anarchist for my taste anyways: the net is just a bunch of information being tweaked by various people and machines in ways that I happen to (sometimes) find interesting.

> The internet is not just a collection of bits and bytes - it's real people
> doing real things to each other.

I'm sorry, but no. If I come up to you in real life and hit you, that's a real person doing a real thing to another real person. Internet events are movement of information, and that is it. Something that causes harm on the 'net only does so because that same information would do so in real life, i.e. blackmail with the threats issued by e-mail. Mailing them IRL or slipping the note under the door have the same effect, with the same response options: you ignore it, you cave, or you call the police. Same with death threats: you can't kill someone over the net, you can only give them information about your intentions. When someone is actually IRL trying to kill you that, as someone else mentioned, is the domain of the IRL police.

> Freedom is under threat from two directions - from selfish individuals who
> care little for the Community, and from the over zealousness of governments
> who seek greater and greater control over individual thought and action.

Only the second one. I have the freedom to read or not read any stuff on the net. If I'm being sent something I don't want to read, I can usually figure this out within a line or two and delete it. No one individual can affect my net freedom (except my sysadmin, who can revoke my account) using means that do not extend into RL. Come to think of it, even governments must extend their activities into RL to enforce their internet restrictions, so they are not restricting the 'net per se, they are threatening real people with real things that they will do to them if they do certain things on the internet. This is the equivalent of threatening to do something under law for any other form of information dissemination (publishing slander, for example).

The real world is the real world, the net is the net, and only in people's minds (and in the effects of computers themselves, ie. turning on a sprinkler system) shall the twain meet.
> ********************************************************* > Colin Gabriel Hatcher - CyberAngels Director > angels at wavenet.com > > "Two people may disagree, but > that does not mean that one of them is evil" > > ********************************************************* Good argument style, BTW. I just disagree with some of your founding assumptions. -Robin From tcmay at got.net Wed May 1 17:58:46 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 2 May 1996 08:58:46 +0800 Subject: Lolitas and Cyber Angels Message-ID: At 7:16 AM 5/1/96, Will French wrote: > I disagree. If (quite hypothetically) I were one of the >"models" in such a magazine (I'm 27 now, so I would have been 7 >at the time it was published), I would certainly consider anyone >posessing a copy, today or 20 years ago, to be exploiting me. While it may _embarrass_ you, or _mortify_ you, to become aware that these pictures of you as 7-year-old, I find it hard to understand how my possession of one of these pictures can (somehow) reach backward in time and "exploit" that 7-year-old instance of yourself. Whoever took the pictures may or may not have "exploited" you (an overused word), but someone viewing that picture today can hardly be said to be exploiting that 7-year-old. There is a more abstract argument that is made in connection with child porn. Namely, that a "market" is created, and that this market is in itself wrong and improper, and that it abstractly "exploits" an entire abstract class of people, namely, children. By this logic--and I'm not saying I buy this logic--even _drawings_ of nude children, for which there were no live models and hence no possibility of "exploitation" of an actual child, can be considered to be exploitative of an entire class of persons. This area is well trod...are morphs of adult models into apparent Lolitas exploitation? Are drawings exploitation? What about perfectly legal photos from some foreign country? 
(Will, what if that photo of you as a 7-year-old was taken perfectly legally at Sunny Buns Naturist Park? What if it was taken in Holland or Denmark? Would the fact that you are now embarrassed (em-bare-assed?) by it, or have discovered that certain people are looking at it with prurient interest, be enough to make the law "reach back in time"? As might be imagined, I am uncomfortable with these abstract extensions of the law. If this argument is bought, about children being exploited by drawings or nude photographs, as a _class_ if not as _individuals_, then it follows by the same kind of logic that _women_ may seek to have "Playboy" banned because some of them feel "exploited" as a member of a class. (This is of course being seriously proposed by some women^H^H^H^H^Hwimmin.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Wed May 1 18:38:09 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 2 May 1996 09:38:09 +0800 Subject: ITARs and the Export of Classes and Methods Message-ID: At 6:44 AM 5/1/96, Bill Frantz wrote: >At 11:49 AM 4/30/96 -0700, Timothy C. May wrote: >>An interesting situation for the ITARs, if they try to restrict bignum >>classes, for example. 
A class-based system, if done correctly (in whatever >>language, e.g., C++ or Java), should have _most_ of the hard crypto work >>already implemented in classes and methods (for bignums, modular >>exponentiation, etc.), with the final crypto program much more easily >>implemented and exported. > >Certain languages, e.g. Smalltalk, and I believe lisp and scheme, have >bignums as a built-in type. (Or more specifically, their integer types are >limited in size only by available memory.) I believe these languages are >freely exportable. As it happens, the three languages I am most familiar with and have on my Macintosh at this moment are: Smalltalk, Scheme, and Mathematica. All support bignums (arbitrarily long, limited only by local environment considerations). However, I seem to recall some "not exportable" stickers on at least the Mathematica box. It's not handy, but I recollect one of those black stickers one finds in such cases. (It might be that it contains functions for FFTs, for example, or it might be something else....) >Your problem stays here in the good ol' USA. You can't implement RSA >directly in these languages (I assume RSA in perl has the same problem), >because of the patent restrictions. Yet another reason to buy a T-shirt. About implementing RSA in one of these languages, it's fine if it's done for educational purposes, as Jim Bidzos told me a few years ago. RSA is a programming example in a couple of Mathematica books, for example. Implementing a system and deploying it (as a "system") changes things. But I think we can all agree that we are moving toward a situation where class libraries in languages implement a large fraction of a working cryptographic system, and the pieces only need to be glued together. It gets real hard to control the spread of crypto when this is the case. (It's already hard, but it will get even harder.) 
With Microsoft deciding to put a Java Virtual Machine in every copy of Windows * shipped, along with similar deals of course already in the works for other major environments, it seems to me that crypto developers should build with this in mind. The NSA must be going nuts thinking about this. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From frantz at netcom.com Wed May 1 19:00:39 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 2 May 1996 10:00:39 +0800 Subject: [LONG] Churchill Club: 20th Anniversary PK Crypto Message-ID: <199605011826.LAA12717@netcom8.netcom.com> At 4:14 AM 5/1/96 -0700, Dave Del Torto wrote: >Nice summary, Bill. Now I don't have to do it. ;) I hope this is OK with you... > > > Nice web page. I should have added to the post that people should feel free to re-post within the bounds of good netiquette. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From warlord at MIT.EDU Wed May 1 19:04:18 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Thu, 2 May 1996 10:04:18 +0800 Subject: [Fwd: Cylink can export 128-bit DH?] In-Reply-To: <31879DD8.3479@pc.jaring.my> Message-ID: <199605011713.NAA17782@toxicwaste.media.mit.edu> It is legal to export full DES, in binary form, to banks outside the US. 
In other words, a company in the US can create a financial package that uses DES, even for encryption, and sell it to a bank outside the US. The caveat is that DES can only be used to encrypt the financial transactions, not arbitrary data.

I hope this helps.

-derek

From iang at cs.berkeley.edu Wed May 1 19:34:20 1996
From: iang at cs.berkeley.edu (Ian Goldberg)
Date: Thu, 2 May 1996 10:34:20 +0800
Subject: Calling other code in Java applications and applets
In-Reply-To: <3185E5B6.3EE8@netscape.com>
Message-ID: <4m8av7$sls@abraham.cs.berkeley.edu>

-----BEGIN PGP SIGNED MESSAGE-----

In article <3187209C.3E5B at netscape.com>, Jeff Weinstein wrote:
>
> It might be interesting to make a small plugin that just does some core
>stuff like gathering entropy, mod-exp, and related stuff difficult or too
>slow in java. I mainly brought it up because people were asking about
>calling native code from java.
>

In an alternate universe in which I didn't have projects to finish, I may be interested in doing something like this. However, I haven't been able to find information on how to write Unix (or preferably portable) plugins. Any hints?

- Ian

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMYevHUZRiTErSPb1AQFBygP+Nvsv39AgH9w4Trnf4Io3TnVDBRAt3QxL
2WnuepiDRyMJLxmeyULEIad51ct6CPkDwhs2e/8dTNiEMrDKq3GcbpEOeeM/uHGR
NEF8FgVf5IZMnp7Q2pMTWaRbPr7W0sV2S/gnZP1TU15Xlil0wdOQzpUKpOjokAIN
RWKxEoeIpE4=
=Tpjj
-----END PGP SIGNATURE-----

From jimbell at pacifier.com Wed May 1 19:43:36 1996
From: jimbell at pacifier.com (jim bell)
Date: Thu, 2 May 1996 10:43:36 +0800
Subject: Freedom and security
Message-ID:

At 08:51 PM 4/30/96 -0700, CyberAngels Director : Colin Gabriel Hatcher wrote:
>Jim Ray wrote
>
>> Freedom is already diminishing at an alarming pace.
>>That is why cypherpunks spread crypto, and why Libertarians like
>>me rant. Freedom does not increase through more laws.
>
>Nor does freedom increase through less laws or no laws.

I disagree.
Plenty of laws do not increase freedom, nor leave it at its former level. They decrease freedom. Moreover, they usually do it without increasing the level of "security" of the ordinary citizen. > Freedom increases >as respect and care for one another increases. Meanwhile, since we do not >live in utopia, all societies at a certain level of economic development >and of a certain size of population require law and law enforcement to >protect citizens from predators. If all the government did was to "protect citizens from predators" the government would be dramatically smaller than it is today. >The Internet is beyond the stage of small communities exercising informal >social controls (peer pressure). It's now a major industrial city and will >develop law, law enforcement and government, whether anyone likes it or >not, Ya wanna play "chicken"? > not least because the Community will always respond to crime by trying >to protect itself. Which "community"? > And the crime is already here. Does the amount of crime which is demonstrably on the Internet, today, actually justify the interest shown by government agencies? Or, more likely, they are merely using whatever crime exists to foist regulations and control for their own hidden agenda? > The idea that the >Internet is not controlled is IMHO one of the biggest myths around. It's >like a large group of people are still living in some far-off utopian rural >paradise. Does anyone really doubt the extent of State control and power >across the Net? To whatever extent that exists, it will be stopped. > My point is that this is inevitable. I have different opinions about what is "inevitable." But I won't get into that right now. > The Internet is a >mirror of the rest of the world, not a new form of society, and I fail to >understand why anyone should be surprised that that is the case. Maybe it really _IS_ a "new form of society"? Maybe that's exactly why the government-and-control-types are terrified. 
Let it alone a few more years and it'll come back and destroy the control they currently have. > >.... laws only breed more laws, which always lead to >>less freedom. > >I disagree with this statement. I do not believe that laws breed more laws >nor that laws lead to less freedom. I believe bad laws compromise freedom >(eg CDA) while good laws protect freedom. Could you be more specific? And why is the government passing bad laws? Could it be that their goal is not more freedom, but is in fact less? And why should you do anything to support the government that's passing those bad laws? >>Good. Join us in spreading cryptography around, and security will >>bloom (along with freedom). > >Cryptography enhances and protects privacy, which does not inevitably lead >to greater security. Security for the sender, yes, in that no one else can >read the message, but security for the Community? Doesnt that depend what >the message said? I don't think it does. Cumulatively, we're better off if everybody has unbreakable security, because it'll assist the ordinary citizen more than it would assist a hypothetical criminal. > The technology itself is neutral. But government is not neutral. > Child pornographers >encrypt their hard drives so that law enforcement cannot gather crime >evidence - that is certainly a state of greater security for the >pornographer, And less work for agents of the government to do. That's what terrorizes them! > but it does not improve our Community, and as child >pornography increases, the law is by definition broken more and more, and >so the Community becomes less free than before. Laws being broken does not equate to less freedom. The presence of those laws is what produces less freedom. > And that's not the tyranny >of government but the tryanny of criminals. I think the ordinary citizen has far more to fear from the government than the criminals. 
For one thing, it is the actions of the government (by passing victimless-crime laws) which actually put a great deal of profit into crimes.

>I do in fact support cryptography for personal security, not least because
>I can ensure that my messages are authenticated. CyberAngels PGP public
>key will be up on our new website opening very soon. I've had enough of
>people forging my email.

Well, then stop sending any. Or get your head straight on this "freedom thing." People will view you as being dangerous if you keep talking the way you have been.

Jim Bell
jimbell at pacifier.com

Jim Bell
jimbell at pacifier.com

From unicorn at schloss.li Wed May 1 19:44:31 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Thu, 2 May 1996 10:44:31 +0800
Subject: Freedom and security
In-Reply-To:
Message-ID:

On Wed, 1 May 1996, Steven Weller wrote:

> >Jim Ray wrote
>
> I haven't bothered reading this particular thread up until now, but in my
> opinion, based on this drivel, you're getting dangerously close to being
> certified officially by the Cabal as an ignorant kook.
>
> >Nor does freedom increase through less laws or no laws.
>
> Of course it does. However, to maintain community responsibility must also
> increase.

Watch your attribution, Jim Ray did not write this.

[...]

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From bryce at digicash.com Wed May 1 20:07:34 1996
From: bryce at digicash.com (bryce at digicash.com)
Date: Thu, 2 May 1996 11:07:34 +0800
Subject: If the Net were an industrial city...
(nee: Freedom and security) In-Reply-To: Message-ID: <199605011811.UAA21763@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- The entity calling itself Steven Weller is alleged to have written: > > >Jim Ray wrote No he didn't. It was CyberAngler (motto: "Trolling For Libertarian Cypherpunks Since Mid-April") that wrote that. Attributions are important-- try not to mess them up again. (> > == CyberAngler) (> == Steven Weller) > >The Internet is beyond the stage of small communities exercising informal > >social controls (peer pressure). > > How so? We aren't convincing him to shut up just by telling him that we've heard his statist spiel before, are we? His point exactly! He is trying to tell us that peer pressure isn't working to shut obnoxious people like him up, so stronger measures are needed. > >It's now a major industrial city and will > > It's industry being? It's a service industry. An information service industry. Journalists, phone-sex whores, business consultants, bankers, brokers and barkers are moving into town, setting up their virtual shops, and catering to the hordes of readers, sightseers, sex-seekers, game-players, businessmen, professionals and amateurs of all stripes that are pouring into town in wave after wave. Granted most of these virtual shops consist of a single ticket-taker's booth and a 10-meter tall neon facade. Granted that the shops occasionally collapse on visitors, that there are no streets, that you can't tell the sellers from the buyers and that few people are able to accept cash. Still, it's a service industry. 
more later,

Bryce

From liberty at gate.net Wed May 1 20:55:56 1996
From: liberty at gate.net (Jim Ray)
Date: Thu, 2 May 1996 11:55:56 +0800
Subject: Freedom and security
Message-ID: <199605012049.QAA07204@osceola.gate.net>

-----BEGIN PGP SIGNED MESSAGE-----

Steven Weller wrote:

>>Jim Ray wrote
>
>I haven't bothered reading this particular thread up until now, but in my
>opinion, based on this drivel, you're getting dangerously close to being
>certified officially by the Cabal as an ignorant kook.
>
>>Nor does freedom increase through less laws or no laws.
[...]

Er...I agree with just about all of Mr Weller's comments, but I wish he had been a bit more careful in the attribution department. "Colin Gabriel Hatcher - CyberAngels Director" wrote: "Nor does freedom increase through less laws or no laws." etc. etc. etc., not me.

As a partisan Libertarian, I have a reputation to uphold as an officially designated, Cabal-annoying, ignorant kook. :) I'm even in Perry's killfile filter. I actually try to lurk, rather than posting here very frequently, as my thoughts are more relevant to the political ramifications of strong crypto than they are to the implementation of strong crypto.
JMR

Regards, Jim Ray

"My cynical belief is that there is a lack of motivation in either party to fully and properly investigate [Mena] because the results will damage as many Republicans as Democrats." - former prosecutor Charles Black, in April 22, 1996's Wall Street Journal p.A22
_______________________________________________________________________
PGP key Fingerprint 51 5D A2 C3 92 2C 56 BE 53 2D 9C A1 B3 50 C9 C8
Public Key id.
# E9BD6D35 -- http://www.shopmiami.com/prs/jimray
_______________________________________________________________________

From olmur at dwarf.bb.bawue.de Wed May 1 21:07:23 1996
From: olmur at dwarf.bb.bawue.de (Olmur)
Date: Thu, 2 May 1996 12:07:23 +0800
Subject: [Fwd: Cylink can export 128-bit DH?]
In-Reply-To: <3186D86C.49C@pc.jaring.my>
Message-ID: <199605011200.OAA02248@dwarf.bb.bawue.de>

-----BEGIN PGP SIGNED MESSAGE-----

>>>>> "p-c l" == peng-chiew low writes:

p-c l> Dear Wei Dai I understand that ITAR prohibits the export of
p-c l> strong crypto and that is why I was puzzled that Ms Glenda
p-c l> Barnes, the Director of Marketing in Cylink, said that Cylink
p-c l> could export the same crypto (i.e. DES) that was used in the
p-c l> U.S. to local banks here in Malaysia.

I'd assume that the magic word here is "banks". It's usually no problem to export strong crypto from US, if it's used only for banking purposes. IBM delivers SmartCards with full Triple-DES to bank-customers in Germany: absolutely no problem.

My personal opinion is, that banks
a) don't encrypt arbitrary data, but only specific accounting data
b) banks can be quite easily house-searched, if you really want to get a hold on their data

Have a nice day,

Olmur

- --
"If privacy is outlawed, only outlaws will have privacy" --- P. Zimmermann

Please encipher your mail! Contact me, if you need assistance.
finger -l mdeindl at eisbaer.bb.bawue.de for PGP-key
Key-fingerprint: 51 EC A5 D2 13 93 8F 91 CB F7 6C C4 F8 B5 B6 7C

From frantz at netcom.com Wed May 1 21:22:11 1996
From: frantz at netcom.com (Bill Frantz)
Date: Thu, 2 May 1996 12:22:11 +0800
Subject: [Fwd: Cylink can export 128-bit DH?]
Message-ID: <199605011919.MAA27020@netcom8.netcom.com>

At 12:22 AM 5/2/96 +0700, peng-chiew low wrote:
>Daniel R. Oelke wrote:
>> There are provisions for exporting DES for banking purposes.
>> Generally it is a hardware card that "can't" be reused outside
>> of the banking transfer machine.
>
>So far, I've seen DES software from a couple of U.S. companies. The question
>is "Is it the U.S. domestic DES or "export flavored" DES? As for the hardware,
>wouldn't it be inconsistent if the DES supplied is the Domestic DES?

As far as I know, DES is DES, domestic or export. If your DES interoperates with domestic DES (or popular implementations available on non-US servers), then you have DES.

>I know DES as a subject here is one big YAWN, but for guys like us in the
>Asia, it's not. Why? 'Cause the US crypto companies here in Asia keep telling
>us about how good and wonderful and secure DES is, and that it is THE standard
>used by the American Banking Association.

It is THE standard. The political reasons are complex, but the bottom line is that large governments and other large organizations can brute force 56 bit keys. As far as the US government and the US banking system are concerned, this ability does not reduce bank transaction security since the US government can get the details directly from the bank by legal process.
Most cryptographic experts recommend Triple DES, encrypting the data 3 times with 3 different keys. If the middle encryption runs DES in decrypt mode, the system can be made compatible with single DES by using the same key 3 times. The US government has never, to my knowledge, licensed the export of a Triple DES system.

------------------------------------------------------------------------
Bill Frantz         | The CDA means  | Periwinkle -- Computer Consulting
(408)356-8506       | lost jobs and  | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From drose at azstarnet.com Wed May 1 21:23:26 1996
From: drose at azstarnet.com (drose at azstarnet.com)
Date: Thu, 2 May 1996 12:23:26 +0800
Subject: Freedom and security
Message-ID: <199605012031.NAA00283@web.azstarnet.com>

Re: Colin Gabriel Hatcher - CyberAngels Director

On the Internet, no one knows if you're wearing your CyberAngels beanie.

(With apologies to _The New Yorker_).

From jya at pipeline.com Wed May 1 21:29:13 1996
From: jya at pipeline.com (John Young)
Date: Thu, 2 May 1996 12:29:13 +0800
Subject: THR_ill
Message-ID: <199605012026.QAA00857@pipe1.nyc.pipeline.com>

5-1-96 FiTi has an 18-page insert on information technology. Its Page One thriller:

"Businesses fail to halt 'Ram raiders.' A spiralling crime wave is causing growing concern among law enforcement authorities, insurers and the business community. Computer theft is the fastest-growing crime in the UK.

To combat physical computer crime, a wide variety of protection measures have been developed: physical restraints, motion detectors, electronic tagging, dye sprays, invisible identity tags, microdots, smoke bombs, chemical "fingerprints," and software monitors.

Beyond the threats of hacking and virus attacks, as much as 2bn pounds a year is lost by computer misuse and "time-wasting surfing the Internet".
Some of the new anti-theft products are on display at Infosec 96, the UK's first big IT security exhibition, at London Olympia this week. The organisers have prepared seven fact sheets dealing with security "hot topics" such as encryption, disaster recovery and virus protection.

THR_ill

-----

Any London cpunk care to post the seven fact sheets, or send (e-mail or fax) here for show 'boting?

From stewarts at ix.netcom.com Wed May 1 21:34:59 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Thu, 2 May 1996 12:34:59 +0800
Subject: [Fwd: Cylink can export 128-bit DH?]
Message-ID: <199605012014.NAA05957@toad.com>

At 10:20 AM 5/1/96 +0700, peng-chiew low wrote:
>I understand that ITAR prohibits the export of strong crypto
>and that is why I was puzzled that Ms Glenda Barnes, the Director
>of Marketing in Cylink, said that Cylink could export the same crypto
>(i.e. DES) that was used in the U.S. to local banks here in Malaysia.

The International Trafficking in Arms Regulations laws that prohibit export of strong crypto make exceptions for equipment/software to be used in banks and other financial institutions, as long as the banks behave themselves. Exporting for general use is different.

>She also claimed that Cylink could also export a 128-bit DH key size.
>(is it strong enough in the first place? )

Sun's original "Secure NFS" used 192-bit DH keys, and was cracked by Brian LaMacchia and Andy Odlyzko; there's a well-known paper about this available somewhere (I think research.att.com?). 192 is way too short. 512 is probably too short. 128 bits is amazingly irresponsible. The attack they use spends most of its time precomputing information about the modulus and generator, and only a small part of the time attacking the specific exponent that was used - this means that an attacker who cracks one exponent using that modulus can easily crack any others.
# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215

From anonymous-remailer at shell.portal.com Wed May 1 21:39:07 1996
From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com)
Date: Thu, 2 May 1996 12:39:07 +0800
Subject: Sun's Wallet
Message-ID: <199605012116.OAA09307@jobe.shell.portal.com>

Sydney, Australia, April 30 -- SunSoft will shortly release a workable cash-on-the-Internet program called Wallet, according to James Gosling, Sun vice president, lead engineer and key architect behind the Java cross-platform language.

Gosling, on his first visit to Australia, was discussing the future of electronic commerce at a briefing session in Sydney for Australian information technology journalists.

-----

San Jose, Calif., April 30 -- VeriSign, a provider of digital authentication services for Internet access and electronic commerce, has announced the opening of its online Digital ID Center.

VeriSign claims the center is capable of issuing millions of personal Digital IDs for World Wide Web and Internet e-mail users. Digital IDs use cryptographic techniques to provide a means of authenticating the identity of each party in an electronic transaction.

A Digital ID is issued by VeriSign, after background checks are made on an individual or "entity." Once issued, the Digital ID can be used within any enabled application such as Netscape Navigator Internet client software and Netscape SuiteSpot.

From llurch at networking.stanford.edu Wed May 1 21:44:11 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Thu, 2 May 1996 12:44:11 +0800
Subject: A survey on online privacy to skew[er] (WhoWhere?)
Message-ID:

http://www.whowhere.com/survey.html

The "Stanford" in the title is obviously just a typo.

Be aware that they've been known to aggressively finger, etc. sites that contact their site.

I especially like this question, which I swear I am not making up:

30.
Search by Affiliation - for example "Working Women", "Lawyers", "Gay and Lesbian", "Hispanics", etc. [Must add] [Nice to add] [Don't care]

WhoWhere originally built their database by writing a script to aggressively extract email addresses from the web server of OKRA, a research computer at UC Riverside that had been culling addresses from Usenet and other sources, making them freely available to the Internet community. Two wrongs don't make a right, of course. OKRA has since taken steps to ensure that no one else can extract mass quantities of addresses in the same way.

-rich

From vznuri at netcom.com Wed May 1 22:04:21 1996
From: vznuri at netcom.com (Vladimir Z. Nuri)
Date: Thu, 2 May 1996 13:04:21 +0800
Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
In-Reply-To: <199605010033.UAA15101@jekyll.piermont.com>
Message-ID: <199605011937.MAA22988@netcom18.netcom.com>

PM:
>> well, are you saying it would be impossible to do such a thing
>> [produce a safe execution environment] in a distributed programming
>> language?
>
>It is difficult. The way Java does this, with the protection relying
>solely on the correctness of the runtime (the interpreter isn't
>emasculated so flaws in the runtime can cause unexpected behavior) it
>is nearly impossible. Humans aren't good enough at designing systems
>this century.

I agree that designers should start from the assumption that their software will have bugs, not the converse (in fact have been having a long running argument with an academic on this list on this subject, he claims that RCS will not be necessary with good OO programming because OO programming gets rid of virtually all bugs that require re-releases).

however, again my main point is that the assumptions Java makes are suitable for its environment. you can't realistically make demands on the language it was not meant to support.

>The Web is the universal marketplace these days. Being unable to use
>the web is the equivalent of being unable to use the phone.

of course others will call you on this. and ideally a future infrastructure for your country would not have the insecurity the internet does. everyone is slowly working toward this goal. but it is an incremental process. Java is an inherent part of that incremental process. no one today can take java and say, "at last!! the net is secure!!". anyone who does this I agree is misguided.

> I have
>research analysts at large trading houses begging for
>Netscape. Unfortunately, these people have a need for top notch
>security, because vast amounts of money are at stake.

yes, I know that there are banks that don't understand that when something is "secure", it still may not be sufficient for their needs, which may require a whole higher order of security not available. but any consultant worth his salt such as yourself will be able to make a good judgement about the software and hardware they plug in and guide the client. the point is that no one who wrote Java is misleading the public, as you sometimes seem to imply.

however there are ways to use Netscape and java that make the insecurity of the internet irrelevant. suppose that you put Java inside an intranet inside a company. you already have a degree of trust over employees. if you can demonstrate that your intranet does not make any additional trust requirements than those you already rely on, then sure, go ahead and use Netscape and Java in an intranet, a semi-secure environment.

>So, yes, if you are going to create a product that everyone on earth
>has to be able to use, it had damn well not explode in your face every
>once in a while. Imagine if all the world's refrigerators had a 1 in
>10,000 chance of blowing up on you. "What's the harm" you say. Well,
>most people don't expect that sort of behavior in a friendly consumer
>appliance that nice people from Sun and Netscape guarantee is
>absolutely positively safe except for all the bugs.

people will always put products to use in ways they were not designed. the designers can try to anticipate this as much as possible but should not be responsible for it ultimately.

>As I said, the traders don't expect that their phone will explode when
>they pick it up, or that every piece of literature they get in the
>mail may be coated with contact poison. Well, Java is a silent
>killer. It soon is going to be sitting on every desktop at every
>company in America and it's being sold as the new paper or phone. It's
>also sitting on all those PCs running "Quicken" that helpfully now can
>do direct electronic funds transfer from your account, etc. If you
>don't care about the security of your bank account, well, sure, you
>have nothing to worry about.

I trust that those who implement bank security, such as yourself, will not use a widget where a gadget is actually called for. really, humanity is not *totally* stupid. there are two classes of people for our purposes: those that build the systems, and those that use them. stupidity on the part of the latter is not a problem if you have good designers; their mistakes are protected against and are not made fatal. stupidity on the part of the former-- well, what can you possibly do to avoid ramifications of bad design? it seems to me if your designers are bad, you can't rely on anything whatsoever.

a good designer is not going to use Java in an inappropriate environment. are you complaining that "there are a lot of bonehead designers that create bad systems"? agreed, but what can Java do about it? a tool cannot necessarily prevent its own misuse. in fact Java goes to great lengths to avoid the problems that arise in regular programming languages, such as memory leaks.

>In short, my clients need security today. Your home computer probably
>needs it soon if not now, and if you think your business can survive a
>few days without its computers, please, by all means, run without
>security.

but Java did not claim to be your savior for security. maybe someone will augment it to the point that you are happy. in the meantime why are you criticizing it for being unable to handle something it was not designed to handle?

>It's not Java crashing that I worry about. It's everything else on the
>computer and the network it is attached to that needs protection.

I see. so Java designers need to solve every security problem on the planet for you not to criticize that language. look, security problems exist and are all over the place, I agree. the internet is insecure. people rely on this insecurity. but again, why are you ranting at Java designers for all these other problems? Java is a step in the right direction. it is a new attitude change. when we do have secure networks in the future, I think people will look back on Java as a milestone, not a trip-up.

>Well, sorry, you try to keep it off the desks in the banking industry
>if you can.

again, if a bonehead designer uses something in the way it was not intended, are you going to blame the person who made the hammer?

>Life critical applications or important financial applications are all
>around us. You just don't seem to notice.

I agree they are all around us. but again, why are you ranting at Java because you don't have tools to make your job a piece of cake? that's what a good designer does-- takes pieces that in themselves may be insufficient to accomplish his job, and puts them together in a way that they do.

From mpd at netcom.com Wed May 1 22:32:32 1996
From: mpd at netcom.com (Mike Duvos)
Date: Thu, 2 May 1996 13:32:32 +0800
Subject: [Fwd: Cylink can export 128-bit DH?]
In-Reply-To: <199605011919.MAA27020@netcom8.netcom.com>
Message-ID: <199605012312.QAA11109@netcom14.netcom.com>

frantz at netcom.com (Bill Frantz) writes:

> Most cryptographic experts recommend Triple DES, encrypting
> the data 3 times with 3 different keys.

It's actually encrypted three times with two keys comprising 112 bits of keyspace, using a decrypt on one key sandwiched between two encrypts using the other. This prevents a "man in the middle" attack, which would be possible if only two DES encryptions were used, one for each key.

--
Mike Duvos         $ PGP 2.6 Public Key available $
mpd at netcom.com  $ via Finger.                  $

From alanh at widomaker.com Wed May 1 22:37:03 1996
From: alanh at widomaker.com (Alan Horowitz)
Date: Thu, 2 May 1996 13:37:03 +0800
Subject: "Colby was my FRIEND how dare you say he wasn't just a nice old guy"
Message-ID:

>Path: news.widomaker.com!Grouper.Exis.Net!news.cais.net!newsfeed.internetmci.com!in2.uu.net!news.accessone.com!not-for-mail
>From: rivero at accessone.com (Michael Rivero)
>Newsgroups: alt.conspiracy,alt.current-events.clinton.whitewater,alt.journalism
>Subject: Re: CIA DIRECTOR KILLED BY U.S. GOVERNMENT
>Date: 1 May 1996 10:46:05 -0700
>Organization: Accessone
>Lines: 32
>Message-ID: <4m880t$ecf at pulm1.accessone.com>
>References: <4m2i4o$eou at tribune.concentric.net> <3185b042.26181571 at news.i-d.com> <4m5jme$1gqo at mule2.mindspring.com>
>NNTP-Posting-Host: pulm1.accessone.com
>Xref: news.widomaker.com alt.conspiracy:121455 alt.current-events.clinton.whitewater:42258 alt.journalism:40308

In article <4m5jme$1gqo at mule2.mindspring.com>, Charles Held wrote:
>In article <3185b042.26181571 at news.i-d.com>, sdgrant at i-d.com (Steven Grant) wrote:
>
>=Of course, there are peculiarities about the Colby disappearance: he
>=left dirty dishes in the sink, his radio and computer were still on,
>
>Also his dinner was on the table.
>

And the door was unlocked.

One thing about spooks. They love locks. I mean, they REALLY love locks.
Let's see if I have this straight. Colby got up from a working dinner, left the computer on, walked out the door without locking it, got into his canoe without wearing his usual life jacket and vanished from the middle of a placid stream.

That about it?

You know, maybe just having him vanish WASN'T the best way to deal with internet questions after all.

--
PIXELODEON PRODUCTIONS | Hand Hammered Special Effects
Mike & Claire - The Rancho Runnamukka
http://www.accessone.com/~rivero
Will Host A Talk Radio Show For Food.

From stevenw at best.com Wed May 1 23:15:25 1996
From: stevenw at best.com (Steven Weller)
Date: Thu, 2 May 1996 14:15:25 +0800
Subject: Freedom and security
Message-ID:

>> >Jim Ray wrote
>>
>> I haven't bothered reading this particular thread up until now, but in my
>> opinion, based on this drivel, you're getting dangerously close to being
>> certified officially by the Cabal as an ignorant kook.
>>
>> >Nor does freedom increase through less laws or no laws.
>>
>> Of course it does. However, to maintain community responsibility must also
>> increase.
>
>
>Watch your attribution, Jim Ray did not write this.

You're right. I didn't think he did when I wrote my reply. And I don't now. It was a case of hasty editing without rereading. Apologies to Jim Ray.

Should have been: Colin Gabriel Hatcher - CyberAngels Director, net kook.

-------------------------------------------------------------------------
Steven Weller       | Weller's three steps to Greatness:
                    | 1. See what others cannot
                    | 2. Think what others cannot
stevenw at best.com | 3. Express what others cannot

From abostick at netcom.com Wed May 1 23:30:53 1996
From: abostick at netcom.com (Alan Bostick)
Date: Thu, 2 May 1996 14:30:53 +0800
Subject: The Joy of Java
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

In article , tcmay at got.net (Timothy C. May) wrote:

> I think of it (and so do a lot of others) as:

[snip]

> - a bytecode/virtual machine approach that means the same code can be run
> on any platform for which a VM exists (the key to applets, but also the key
> to portability...what the world might have looked like for the past 15
> years had the UCSD p-system succeeded instead of MS-DOS)

What a horrifying thought! UCSD p-system actually made MS-DOS look good.

And you're *advocating* Java?

- --
Alan Bostick | They say in online country there is no middle way
mailto:abostick at netcom.com | You'll either be a Usenet man or a thug for the CDA
news:alt.grelb | Simon Spero (after Tom Glazer)
http://www.alumni.caltech.edu/~abostick

From tcmay at got.net Wed May 1 23:37:02 1996
From: tcmay at got.net (Timothy C. May)
Date: Thu, 2 May 1996 14:37:02 +0800
Subject: Fire and Forget
Message-ID:

At 7:26 PM 5/1/96, Black Unicorn wrote:
>On Wed, 1 May 1996, Steven Weller wrote:
>
>> >Jim Ray wrote
>>
>> I haven't bothered reading this particular thread up until now, but in my
>> opinion, based on this drivel, you're getting dangerously close to being
>> certified officially by the Cabal as an ignorant kook.
>>
>> >Nor does freedom increase through less laws or no laws.
>>
>> Of course it does. However, to maintain community responsibility must also
>> increase.
>
>
>Watch your attribution, Jim Ray did not write this.

What!!!! Now you tell me, after I spent all that money on a "fire and forget" contract! Well, Jim, all I can say is keep your head down. Sorry!

(Seriously, I knew the "Jim Ray wrote" must've been a misattribution, as that is not the kind of stuff Jim writes.)
(Oh, and the "fire and forget" contract assassins were well-described by William Gibson in, I believe, "Count Zero.")

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May                 | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152  | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA     | knowledge, reputations, information markets,
Licensed Ontologist            | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From jimbell at pacifier.com Wed May 1 23:49:22 1996
From: jimbell at pacifier.com (jim bell)
Date: Thu, 2 May 1996 14:49:22 +0800
Subject: Burns bill?
Message-ID:

It has been over a month since we first heard that Burns was going to introduce a bill to free up encryption software exports. It isn't here, yet, as you may have noticed. However, I don't think that's the real problem.

The real problem is that we have seen essentially no information on it, and we (by we, I mean the entire Internet community) have not had an opportunity to study it and comment BEFORE it is introduced in Congress. See, the usual practice of introducing it in Congress first and only then letting the public see the bill is, by my way of thinking, an example of extreme rudeness on the part of the politicians. Bills are far easier to change before they've been officially filed, which I suppose is the point. We're not getting the opportunity to fix minor mistakes, or at least make Burns (or any other supporter) aware of them. This is a glaring "take it or leave it" philosophy, one that we should reject. Does he really intend to insult us?

I see no reason to believe that Burns should be able to produce an adequate bill with the assistance of only industry lobbyists, but not the help of other citizens of varying degrees of expertise.
Burns should immediately release the text of the bill developed up until now, and then wait at least a few weeks before introducing it formally, after changes are proposed, considered, and accepted.

Jim Bell
jimbell at pacifier.com

From liberty at gate.net Wed May 1 23:53:57 1996
From: liberty at gate.net (Jim Ray)
Date: Thu, 2 May 1996 14:53:57 +0800
Subject: Freedom and security[noise]
Message-ID: <199605020023.UAA19294@osceola.gate.net>

-----BEGIN PGP SIGNED MESSAGE-----

Uni wrote:

>On Wed, 1 May 1996, Steven Weller wrote:
>
>> >Jim Ray wrote
>>
[...]
>Watch your attribution, Jim Ray did not write this.
>

Now three people, counting me, have corrected him. I feel flattered knowing folks are actually watching what I say so carefully. If I'd only known, I would have kept my mouth shut. I had a typospasm earlier today during my pre-coffee jury-nullification rant this AM, so I guess I should also try harder to do my best to take care before hitting the ol' button.

Regards, Jim Ray

"The FAA, FBI, Customs, CIA, Justice, DEA and the IRS were all involved in Mena. They won't say how they were involved, but they will tell you there is nothing there." -- Bill Plante, CBS News Correspondent, & Michael Singer, Producer, CBS News, New York. in Tuesday, May 3, 1994's Wall Street Journal letters to the editor section.

[OK, OK, I know, we aren't Menapunks!] :) JMR
_______________________________________________________________________
PGP key Fingerprint 51 5D A2 C3 92 2C 56 BE 53 2D 9C A1 B3 50 C9 C8
Public Key id. # E9BD6D35 -- http://www.shopmiami.com/prs/jimray
_______________________________________________________________________

From hoz at univel.telescan.com Thu May 2 00:00:21 1996
From: hoz at univel.telescan.com (rick hoselton)
Date: Thu, 2 May 1996 15:00:21 +0800
Subject: If the Net were an industrial city... (nee: Freedom and security)
Message-ID: <199605020135.SAA12288@toad.com>

At 08:11 PM 5/1/96 +0200, you wrote:
>
>> >It's now a major industrial city and will
>>
>> Its industry being?
>
>It's a service industry. An information service industry.
>Journalists, phone-sex whores, business consultants,
>bankers, brokers and barkers are moving into town, setting
>up their virtual shops, and catering to the hordes of
>readers, sightseers, sex-seekers, game-players, businessmen,
>professionals and amateurs of all stripes that are pouring
>into town in wave after wave.

It's also a college town. And a publishing center. Then there's the warehouse district, and the post office. There's also a thriving import-export business. No wonder the political big-shots back in Atomland wish they could annex Cyberspace. I predict that these attempts will succeed about as well as the European colonization of the Americas. (ambiguity intended)

>Granted most of these virtual shops consist of a single
>ticket-taker's booth and a 10-meter tall neon facade.

That's how boom-towns start, all right.

>Granted that the shops occasionally collapse on visitors,

Yes.

>that there are no streets,

We have streets all over the place. From here there's a 56Kb lane road that's even fairly well paved. But they mostly lead to "Atomland expatriate hobbyists" and a few service subsistence farms.

>that you can't tell the sellers from the buyers

It always starts with a barter economy.

>... few people are able to accept cash.
It will be a while, but someday folks will say: "Save your greenbacks, Atomland will rise again!" and they will be wrong.

>Still, it's a service industry.

Coming soon.... Virtual Food!

Okay, maybe I got a little carried away....

From dlv at bwalk.dm.com Thu May 2 00:18:03 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Thu, 2 May 1996 15:18:03 +0800
Subject: The Joy of Java
In-Reply-To:
Message-ID: <5y40mD297w165w@bwalk.dm.com>

(No cryptorelevance, but neither is anything else on this list anymore)

abostick at netcom.com (Alan Bostick) writes:
> > to portability...what the world might have looked like for the past 15
> > years had the UCSD p-system succeeded instead of MS-DOS)
>
> What a horrifying thought! UCSD p-system actually made MS-DOS look good.

My recollection is that when IBM first started selling IBM PC, they offered a choice of (at least) 3 operating systems right from the start: UCSD p-system, CP/M-86 or PC-DOS. IBM didn't do anything to promote PC-DOS over the other two. It won fair and square in the marketplace because the other two were even worse crap. (Later versions of CP/M-86 got much better.)

---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

From declan+ at CMU.EDU Thu May 2 01:24:08 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Thu, 2 May 1996 16:24:08 +0800
Subject: Freedom and security
In-Reply-To:
Message-ID: <4lW2rCG00YUz0veFAs@andrew.cmu.edu>

Excerpts from internet.cypherpunks: 1-May-96 Re: Freedom and security by Black Unicorn at schloss.li
>
> Readers will note a familiar tactic. "Parade of horrors." The advocate
> will pass a series of examples intended to shock and frighten the reader
> into accepting the next convenient solution to these problems, which is
> coincidently provided by the advocate.

The parade of horrors, aka the four (or more) horsemen of the infocalypse, is a common fear tactic used by those who would restrict our liberties.
The family values groups employed this to great effect during the CDA debate.

And as Jim Ray noted, talk is cheap. While the CyberAngels may claim to be against the CDA, the cynic in me says they have to be against it -- even fewer people would take them seriously if they were for it. But I don't recall them doing any _campaigning_ against it.

In fact, riding in on those horsemen is a central part of their strategy. After all, if pedophiles/terrorists/child pornographers didn't exist, no need for the CyberAngels, hmm?

-Declan

PS: Eric Freedman of Hofstra Law School has a wonderful article in an upcoming Iowa Law Review about the death of the "obscenity" standard. I think a similar argument can be applied to child porn.

From declan+ at CMU.EDU Thu May 2 01:34:59 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Thu, 2 May 1996 16:34:59 +0800
Subject: Lolitas and Cyber Angels
In-Reply-To: <199605010716.DAA12911@interport.net>
Message-ID:

Excerpts from internet.cypherpunks: 1-May-96 Re: Lolitas and Cyber Angels by Will French at interport.ne
> However, that doesn't mean I would want them criminalized for
> it. In fact, my "anyone possessing a copy" above includes the
> Government (and third parties such as the Guardian Angels) in
> the course of a kiddie-porn investigation/prosecution. It's a
> very hard question.
>
> And yes, people who download Simpson crime scene photos are
> exploiting (not killing) Nicole and Ron. When I have been shown
> these photos, I have quickly averted my eyes. This is simple
> human decency, not to mention respect for the dead.

Yep, criminalize the act, not a photo of it. While it may be impolite to look at photos of Nicole and Ron, we shouldn't criminalize the mere possession of them.

-Declan

From richieb at teleport.com Thu May 2 01:43:13 1996
From: richieb at teleport.com (Rich Burroughs)
Date: Thu, 2 May 1996 16:43:13 +0800
Subject: CFA: a million geeks?
Message-ID: <2.2.32.19960502025511.0069b388@mail.teleport.com>

This is an interview I did with Keith Glass about the changes with the Electronic Freedom March. He mentions making crypto an issue there.

Rich

-----BEGIN PGP SIGNED MESSAGE-----

[This is an article from the may96 issue of the web zine _cause for alarm_, http://www.teleport.com/~richieb/cause. It may be redistributed electronically with this header included.]

I contacted Keith Glass about an interview shortly after finding out that he had taken over as head of the Electronic Freedom March. The March, an attempt to influence Washington with a critical mass of geeks, was originally scheduled for June. In his response to my email, Keith said that the March was being rescheduled for late September and that he would make a public announcement soon.

His subsequent press release said that, "With the current state of the case against the CDA, ACLU vs. Reno, and several organizational factors, it's been concluded that it would be far more effective to focus the political power of the citizens of the Net closer to the November elections."

Keith joined me at Club Wired, after a hard day at work.

---

CFA: Thanks for coming, Keith :)

Keith G: And thus ends another thrilling day, standing for Truth, Justice, and/or the American Way

CFA: Heh.

Keith G: Hey, a day at the Pentagon is like... a day in hell, only the cooking is worse.

CFA: What do you do there BTW? If it's not classified? ;)

Keith G: Nope: I work Pollution Preventions and Standardization issues for the Secretary of the Air Force. I'm a contractor, better known as one of the legendary "Beltway Bandits", although **I** prefer the term "Parkway Patriot"...;-)

CFA: :) So, let's talk about the March. The new date is Sept. 29, tentatively?

Keith G: Tentatively. I'm checking with the Park Service and the Majority Leaders' office in the next few days, to insure we can get a place...

CFA: Where will the speakers be at, if you know?
I mean human speakers :)

Keith G: That depends on where we can locate. Since I'm trying to combine it with some congressional lobbying, I'd LIKE it to be on the west stairs of the Capitol. But the Ellipse, which we had reserved for the original date, would put us in shouting distance of the White House...

CFA: *nod*

Keith G: Of course, this thing has grown beyond JUST the CDA. In my opinion, it'll be wastepaper by mid-June. . . but we have to fight for crypto rights, and the ill-informed types who foisted the CDA on us will be back next year. This isn't just one battle... this is the start of a whole new political front.

CFA: You're going to involve crypto issues?

Keith G: Free speech is free speech. If they ban crypto, then they'd better make damned sure that envelopes are banned, too. Encrypted or clear, free speech is an absolute.

CFA: *nod*

Keith G: We also need to let the Congress know a few things about the Net: according to a pal of mine at CDT, your average Net user makes over $40K, and votes SIGNIFICANTLY more than not-Net-users. We have money, we have votes... it's time to turn that into power.

CFA: So, you're in charge of the whole shebang now?

Keith G: Yep. John Wash, who started this, got way too bogged down in work, realized it, and handed it off to me last Monday, April 15th...

CFA: For those who missed your announcement, why the new date?

Keith G: Well, to be honest, when I looked at what we had set up, AND what the Park Service required of us (i.e. portapotties, medics, security), I saw we needed a LOT more money and organization than was possible for a bunch of part-time activists to get in the time remaining. Secondly, the CDA trial is going FAR faster than anything we had expected: the verdict will be out by mid-June, and from all reports, the Feds have been unusually incompetent in their arguments.
So, I thought we should move as close as we can to the election, to (1) maximize our power, politically, (2) get a MUCH better organization in place, and (3) get out of the summer DC sun. This place is AWFUL in the summer... ;)

CFA: :)

Keith G: We need to let the Congress know that the Net is NOT all porno fiends, militia types exchanging bomb recipes, and all the other net.myths that seem to abound on Capitol Hill. Also, I'd like to work towards a declaration by Congresscritters that Email will be taken just as seriously as snailmail. Right now, most of the time your Congressional Email gets answered by a Bot... and that's the end of it. My friends on the Hill tell me they read email when all else is done...

CFA: What about folks who can't make it to DC? Are you encouraging local events?

Keith G: Locally, we'd LIKE to get all the people who CAN'T make it, visit their local Congressman and Senators offices' on the Friday before, or Monday after. And lobby, in person...

CFA: Right.

Keith G: I've gotten word today of a possible parallel EFM in Seattle. If we can get simultaneous marches in several cities, that'd be great.

CFA: What can people do to help? It sounds like there's a lot of work to be done.

Keith G: What do we need?? I've got webmasters, organizers, publicity types: I need a financial type, and some fund-raisers. We also need sponsors. We have NONE. We've been given a lot of "Sure we'll support you," but when we ask for $$, all of a sudden it gets real quiet.

CFA: *nod* Have you had any reports of folks raising funds on the local level?

Keith G: Not as yet. We're attempting to formalize a relationship with an existing non-profit, to use as a tax-deductible funding vehicle. We're also looking at selling T-shirts, and I've been approached with several business offers...

CFA: Would you encourage local fund-raising for the March?

Keith G: Absolutely.

CFA: How did you get involved in net.activism?

Keith G: How??
I went to the February 10th protest in Lafayette Park (behind the White House) that Tom Edwards put on. My first protest. The rest, well, it just sort of happened...

CFA: :) The Feb. 10 protest was about the CDA?

Keith G: Yep. Clinton signed it on Black Thursday, the 8th of February. Tom started the whole thing a few days earlier, and we got several hundred to turn out on fairly short notice.

CFA: Are there other things that I, as an average net guy, can do to help?

Keith G: Average net.guy... hmm... Well, when we get set up, buy a T-shirt, wear it to your Congresscritter's office. Also one or two particularly crafty ideas that I'm working on, but not ready to unveil yet (legal, non-violent, but potentially VERY politically effective...)

CFA: Okay :) Keep us posted.

Keith G: Oh, it will be on the web site... which I'm getting re-written... HTML 3.0, frames, Java, hot-and-cold running ASCII.

CFA: What's the turnout projected for the March?

Keith G: Honestly, I don't know. **MY** original projections for the June rally were between 1 and 10K: John Wash kept saying 20K. If we can set up an organization of college students during the summer and have them recruit aggressively when school starts, we could hit 20K. We're also organizing amongst other communities that are more heavily wired than most: my first appointments were a Gay/Lesbian/Bi coordinator... I hope to get some help from the Pagan community as well... I already have plenty of hookups in Fandom...

CFA: Cool :) Getting the word out seems very important now, with the changes...

Keith G: Exactly. The Web site is among the top 5% hit, I have done my best to get the word out without overly spamming USENET. I know I'm going to about 15 or so lists...

CFA: Jon Lebkowsky said you're doing the Club Wired EF forum? May 30?

Keith G: Yep. Jon and I finalized that yesterday.

CFA: Great.

Keith G: Now, to beat that darned cyber-stagefright

CFA: :) What about multimedia stuff?
Are there plans for video and/or audio from the March?

Keith G: We're talking with NetRadio about a simulcast, one gent also is looking into a video feed, on the level of the Fish-cam.

CFA: What about the roster of speakers? Any changes?

Keith G: Not as yet.... but we're trying to get some bigger names. If anyone has an, ER, PIPELINE to Bill Gates or Mark Andreessen of Netscape, I'd be glad to chat. I'd like to get Barlow of EFF, maybe even Newt...

CFA: Yes, a politician would be good. Maybe Leahy...

Keith G: Leahy comes to mind. NOT Gore... unless we could boo him offstage...

CFA: Heh.

Keith G: I am NOT pleased with the two-facedness of the politicos over this whole thing... ESPECIALLY Clinton's, "It's unconstitutional but..." followed by his letter to Exon. Even if I WASN'T Republican, I couldn't vote for Clinton/Gore due to their utter fecklessness over the CDA

CFA: The letter to Exon had me fuming, too. I'm getting tired of settling for the lesser evil...

Keith G: Right: vote for the GREATER evil... dread Chthulu in 96 !!!

CFA: :) Well, anything else you want to add before I let you get some rest?

Keith G: Nothing I can think of... our website is http://www.efm.org, and I'll post announcements to alt.censorship, comp.org.eff.talk, alt.activism, alt.wired, at minimum.

CFA: Okay. Thanks for coming to talk :)

Keith G: Anytime...
--- rich burroughs (april 26, 1996)

______________________________________________________________________
Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb
See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon
New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause

From declan+ at CMU.EDU Thu May 2 02:24:47 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Thu, 2 May 1996 17:24:47 +0800
Subject: CryptoAnarchy: What's wrong with this picture?
In-Reply-To:
Message-ID: <4lW2t9G00YUz8veH1d@andrew.cmu.edu>

Excerpts from internet.cypherpunks: 1-May-96 Re: CryptoAnarchy: What's w.. by Michael Loomis at andrew.cm
> "Tax Collector Want to Be for the Welfare State"

I can confirm this. Michael and I have had many an argument about taxes. I tend to approach the argument from a libertarian perspective.

He, on the other hand, thinks the current tax setup is just about right, and is a fan of the IRS.

Not kidding,

Declan

From raph at cs.berkeley.edu Thu May 2 03:02:24 1996
From: raph at cs.berkeley.edu (Raph Levien)
Date: Thu, 2 May 1996 18:02:24 +0800
Subject: [Fwd: Cylink can export 128-bit DH?]
In-Reply-To: <199605011919.MAA27020@netcom8.netcom.com>
Message-ID: <3188382C.9778B7@cs.berkeley.edu>

Mike Duvos wrote:
>
> frantz at netcom.com (Bill Frantz) writes:
>
> > Most cryptographic experts recommend Triple DES, encrypting
> > the data 3 times with 3 different keys.
>
> It's actually encrypted three times with two keys comprising
> 112 bits of keyspace, using a decrypt on one key sandwiched
> between two encrypts using the other.
> This prevents a "man
> in the middle" attack, which would be possible if only two
> DES encryptions were used, one for each key.

Not quite.

Double DES is subject to a "meet in the middle" attack (not a "man in the middle"). Here's how it works:

Let's say you've got unlimited storage, and you're doing a known plaintext attack, so you've got both the ciphertext and the plaintext in your hand. Then, just do all 2^56 decryptions of the ciphertext, and all 2^56 encryptions of the plaintext. Then, compare the two lists to see if you've got a match. Since it's DES, you can save a factor of two in both time and space, because it's got the complementation property.

Assuming unlimited storage, three keys (168 bits) are equivalent to two. However, since 2^55 is a lot of disk space, in practice a real attacker will trade off space for time (it can be done). Thus, using three keys is more work for the attacker than using two. So, modern cryptographic usage is exactly as Bill said - three keys, three encryptions. For example, S/MIME recommends the use of DES-EDE3-CBC (the middle encryption is technically a decryption, although it doesn't really make any difference).

Glad I could be of service.

Raph

From unicorn at schloss.li Thu May 2 03:08:14 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Thu, 2 May 1996 18:08:14 +0800
Subject: CryptoAnarchy: What's wrong with this picture?
In-Reply-To: <4lW2t9G00YUz8veH1d@andrew.cmu.edu>
Message-ID:

On Wed, 1 May 1996, Declan B. McCullagh wrote:
> Excerpts from internet.cypherpunks: 1-May-96 Re: CryptoAnarchy: What's
> w.. by Michael Loomis at andrew.cm
> > "Tax Collector Want to Be for the Welfare State"
>
> I can confirm this. Michael and I have had many an argument about taxes.
> I tend to approach the argument from a libertarian perspective.
>
> He, on the other hand, thinks the current tax setup is just about right,
> and is a fan of the IRS.

I must assume either

1) He is not intimately familiar with the system of U.S.
taxation (even if he is pro-high-tax, calling the current system 'just about right' is folly).

2) He believes it important to have a confusing and inefficient tax system for some other reason.

I always tell people who feel tax avoidance is "bad" and that using the rules to minimize your tax exposure is a bad thing that I can easily structure their finances such that 90% of their net income goes to the IRS every year and still not break any rules.

> Not kidding,
>
> Declan

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed, potestas scientiae in usu est
Franklin might have had to invent him." in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From roy at sendai.cybrspc.mn.org Thu May 2 03:11:28 1996
From: roy at sendai.cybrspc.mn.org (Roy M. Silvernail)
Date: Thu, 2 May 1996 18:11:28 +0800
Subject: The Joy of Java
In-Reply-To: <5y40mD297w165w@bwalk.dm.com>
Message-ID: <960501.232814.1p1.rnr.w165w@sendai.cybrspc.mn.org>

-----BEGIN PGP SIGNED MESSAGE-----

In list.cypherpunks, dlv at bwalk.dm.com writes:
> (No cryptorelevance, but neither is anything else on this list anymore)

(but then, some of us have no life... )

> My recollection is that when IBM first started selling IBM PC, they
> offered a choice of (at least) 3 operating systems right from the
> start: UCSD p-system, CP/M-86 or PC-DOS. IBM didn't do anything
> to promote PC-DOS over the other two. It won fair and square in
> the marketplace because the other two were even worse crap. (Later
> versions of CP/M-86 got much better.)

Also remember that UCSD P-system was around $800 and CP/M-86 was over $100, while PC-DOS was somewhere under $50. This was the early-mid 80's, and the dealer had just hit the purchaser for $1200-$1500 for the computer with _no_ OS included. It's no surprise that the least expensive OS won.

- --
Roy M.
Silvernail [ ] roy at cybrspc.mn.org
PGP Public Key fingerprint = 31 86 EC B9 DB 76 A7 54 13 0B 6A 6B CC 09 18 B6
Key available from pubkey at cybrspc.mn.org

From mpd at netcom.com Thu May 2 03:13:44 1996
From: mpd at netcom.com (Mike Duvos)
Date: Thu, 2 May 1996 18:13:44 +0800
Subject: The Joy of Java
In-Reply-To: <5y40mD297w165w@bwalk.dm.com>
Message-ID: <199605020542.WAA17712@netcom8.netcom.com>

> My recollection is that when IBM first started selling IBM PC, they offered
> a choice of (at least) 3 operating systems right from the start: UCSD p-system,
> CP/M-86 or PC-DOS. IBM didn't do anything to promote PC-DOS over the other
> two. It won fair and square in the marketplace because the other two were
> even worse crap. (Later versions of CP/M-86 got much better.)

When the first IBM PC came out, I ran QNX on it, a Unix clone from a company called "Quantum." It did full pre-emptive multitasking, had a nice C compiler, and shared code between tasks, all on a little 8088 with two floppies and no hard drive and 768k of ram. We even had "talk", and I could chat with people who dialed the modem I had hooked to my serial port, and they could log in and do work on my system at the same time I did.

When MS-DOS first appeared, the quantum people kindly provided DOS emulation for QNX and I could simply type "DOS", and read DOS disks and run DOS programs.

Ultimately, however, as new and "improved" versions of DOS appeared, with obtuse features, and almost every app using them, I finally bowed to the march of progress and installed DOS 3.1 on my system. A giant leap backwards into the dark ages.
QNX is still around, by the way, and I believe its primary market is now embedded real-time systems, where its highly responsive and optimized kernel can be exploited.

Whenever I think of how nice QNX was, I recall Bill Gates' comment about the true power in the software industry being not technical excellence, but being big and strong enough to set industry-wide standards and enforce them by fiat.

It's now over 10 years later, and DOS still can't multitask. Obviously there's no accounting for taste.

--
Mike Duvos $ PGP 2.6 Public Key available $
mpd at netcom.com $ via Finger. $

From ddt at lsd.com Thu May 2 04:29:42 1996
From: ddt at lsd.com (Dave Del Torto)
Date: Thu, 2 May 1996 19:29:42 +0800
Subject: [LONG] Churchill Club: 20th Anniversary PK Crypto
In-Reply-To: <199605011826.LAA12717@netcom8.netcom.com>
Message-ID:

At 11:29 am -0700 5/1/96, Bill Frantz wrote:
>At 4:14 AM 5/1/96 -0700, Dave Del Torto wrote:
>>Nice summary, Bill. Now I don't have to do it. ;) I hope this is OK with
>>you...
>>
>>
>>
>
>Nice web page. I should have added to the post that people should feel
>free to re-post within the bounds of good netiquette.

V2 now includes your comprehensive notes in HTML. :)

dave

From mpd at netcom.com Thu May 2 05:08:25 1996
From: mpd at netcom.com (Mike Duvos)
Date: Thu, 2 May 1996 20:08:25 +0800
Subject: [Fwd: Cylink can export 128-bit DH?]
In-Reply-To: <3188382C.9778B7@cs.berkeley.edu>
Message-ID: <199605020644.XAA23770@netcom8.netcom.com>

Raph Levien writes:
> Double DES is subject to a "meet in the middle" attack (not a "man in
> the middle").

Yes, a silly mistake on my part, which shows I should proofread even the little messages before posting them. :) Gleeful readers are filling my mailbox hoping to be the first to point out this unfortunate error.
> Thus, using
> three keys is more work for the attacker than using two. So, modern
> cryptographic usage is exactly as Bill said - three keys, three
> encryptions. For example, S/MIME recommends the use of DES-EDE3-CBC (the
> middle encryption is technically a decryption, although it doesn't
> really make any difference).

S/MIME aside, I was under the impression that the term "Triple-DES" referred to the encrypt-decrypt-encrypt operation using two distinct keys, proposed by some for adoption as the successor to single DES. Has this usage now changed in favor of the three key version?

--
Mike Duvos $ PGP 2.6 Public Key available $
mpd at netcom.com $ via Finger. $

From steve at miranova.com Thu May 2 05:57:25 1996
From: steve at miranova.com (Steven L Baur)
Date: Thu, 2 May 1996 20:57:25 +0800
Subject: The Joy of Java
In-Reply-To: <5y40mD297w165w@bwalk.dm.com>
Message-ID:

>>>>> "Dimitri" == Dimitri Vulis writes:

Dimitri> (No cryptorelevance, but neither is anything else on this
Dimitri> list anymore)

Ditto. I've tried to apply some Java relevance though.

Dimitri> abostick at netcom.com (Alan Bostick) writes:
>> > to portability...what the world might have looked like for the past 15
>> > years has the UCSD p-system succeeded instead of MS-DOS)
>> What a horrifying thought! UCSD p-system actually made MS-DOS look good.

Dimitri> My recollection is that when IBM first started selling IBM
Dimitri> PC, they offered a choice of (at least) 3 operating systems
Dimitri> right from the start: UCSD p-system, CP/M-86 or PC-DOS. IBM
Dimitri> didn't do anything to promote PC-DOS over the other two. It
Dimitri> won fair and square in the marketplace because the other two
Dimitri> were even worse crap. (Later versions of CP/M-86 got much
Dimitri> better.)

This is half incorrect. PC DOS was released with a lead time of about 9 months prior to the release of the other O/Ses. This was enough to give it a market share it has never looked back on.
There was plenty of speculation in PC Magazine and Byte that this was *exactly* what IBM intended all along. It helped that the alternatives were delivered as virtual cripples with no support software as well.

The P-System released for IBM PCs was less functional than the Apple ][ version that ran on 64 or 128k with bank switching, even by the time of DOS 2.0. About the only application it ever really had was Context MBA which was quickly overtaken by Lotus 1-2-3 & company.

I wrote three disk device drivers for the Apple ][ UCSD P-System based on documentation of dubious origin, and hated every second of it. Much of the interface was hidden, and (on a 6502 remember) reserved all of the precious 0 page for its own use. It was a half-interesting idea, but definitely in the same class with PC-DOS -- How Not to Write an Operating System.

The Java relevance would be that given the current lead in marketing Sun has, even if a technically superior solution arose right now, it might have enough of a disadvantage in lead to never catch up and become popular. Technically superior products don't always win, look at MS DOS/Windows/NT/95 and VMS, albeit from opposite ends of the technical superiority spectrum.

--
steve at miranova.com baur
Unsolicited commercial e-mail will be proofread for $250/hour.
Andrea Seastrand: For your vote on the Telecom bill, I will vote for anyone except you in November.

From jsw at netscape.com Thu May 2 07:53:15 1996
From: jsw at netscape.com (Jeff Weinstein)
Date: Thu, 2 May 1996 22:53:15 +0800
Subject: Calling other code in Java applications and applets
In-Reply-To: <3185E5B6.3EE8@netscape.com>
Message-ID: <31887DD0.300F@netscape.com>

Ian Goldberg wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> In article <3187209C.3E5B at netscape.com>,
> Jeff Weinstein wrote:
> >
> > It might be interesting to make a small plugin that just does some core
> >stuff like gathering entropy, mod-exp, and related stuff difficult or too
> >slow in java.
> >I mainly brought it up because people were asking about
> >calling native code from java.
> >
> In an alternate universe in which I didn't have projects to finish, I may
> be interested in doing something like this. However, I haven't been able
> to find information on how to write Unix (or preferably portable) plugins.
>
> Any hints?

You can get the unix plugin SDK from ftp://ftp20.netscape.com/sdk/unix/

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw at netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.

From an572010 at anon.penet.fi Thu May 2 08:12:39 1996
From: an572010 at anon.penet.fi (Skipjack Sally)
Date: Thu, 2 May 1996 23:12:39 +0800
Subject: aufweidersehn, * grave$
Message-ID: <9605020805.AB15301@anon.penet.fi>

Glad that lying anti-racist jerk is leaving. With all his/her nyms, rc graves is impossible to trust. Mike Beebe, Beowulf, ezundel, nietzsche, ernstzundel and others to make transparent trolls the ignorant anti-racist makes up.

Mike Beebe: Posted that he WILL murder David Irving, simply because Irving was rejected by St Martins Press because of "controversial material."

Noticeable about capitali$t graves, he dismisses EVERY attempt to censor racists with a "who cares," "there just a bunch of weinies," "if you can be heard *somewhere* without being arrested, it's not censorship," etc. He seems to imply that merely because racists are powerless, we are not worthy of protection. I suppose if you have enough money, you can PURCHASE your freedom, if not, tough shit.

We free-speechers don't need a character who defends the prosecutors when racists are sued or imprisoned in Canada, UK, and Germany, merely for printing racist leaflets.

== sub-sub-Commandant

--****ATTENTION****--****ATTENTION****--****ATTENTION****--***ATTENTION***
Your e-mail reply to this message WILL be *automatically* ANONYMIZED.
Please, report inappropriate use to abuse at anon.penet.fi
For information (incl. non-anon reply) write to help at anon.penet.fi
If you have any problems, address them to admin at anon.penet.fi

From perry at piermont.com Thu May 2 12:26:34 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Fri, 3 May 1996 03:26:34 +0800
Subject: [Fwd: Cylink can export 128-bit DH?]
In-Reply-To: <199605012312.QAA11109@netcom14.netcom.com>
Message-ID: <199605021252.IAA20759@jekyll.piermont.com>

Mike Duvos writes:
> frantz at netcom.com (Bill Frantz) writes:
>
> > Most cryptographic experts recommend Triple DES, encrypting
> > the data 3 times with 3 different keys.
>
> It's actually encrypted three times with two keys comprising
> 112 bits of keyspace, using a decrypt on one key sandwiched
> between two encrypts using the other. This prevents a "man
> in the middle" attack, which would be possible if only two
> DES encryptions were used, one for each key.

Many 3DES implementations actually do use 3 different keys.

Surprisingly, the strength of 3DES with 3 keys is around the strength you would naively expect 3DES with 2 keys to have, and 3DES with 2 keys is slightly weaker than you would expect...

.pm

From trei at process.com Thu May 2 13:49:24 1996
From: trei at process.com (Peter Trei)
Date: Fri, 3 May 1996 04:49:24 +0800
Subject: [History] USPS tried to monopolize email? (c. 1981)
Message-ID: <199605021342.GAA20932@toad.com>

Since I saw Paul Raine's presentation on proposed USPS electronic timestamping and CA services (btw, they are also proposing to archive business e-correspondence for a fee), I've been trying to recall a nasty little episode from about 15 years ago.

Paul was adamant that the USPS would never seek a monopoly position on any e-service.
However, back in the early 80's (It had to be in the 1980-83 range, I suspect 1981) I clearly remember a proposal that the USPS be granted the monopoly status as email carrier that it then and still enjoys for first class mail. As I recall, the proposal would require email to be routed to the nearest post office to the destination, and there printed and delivered as paper mail.

Needless to say, this did not happen. I am not certain, but would not be at all surprised, if this suggestion actually emanated from the letter carrier's union. I remember a line from some official, along the lines of "We don't know exactly what this thing [email] is, but we own it!"

I know that I am not hallucinating this, but the above is pretty much all I recall. Anyone else have more details?

Peter Trei
trei at process.com

From jamesd at echeque.com Thu May 2 16:06:44 1996
From: jamesd at echeque.com (jamesd at echeque.com)
Date: Fri, 3 May 1996 07:06:44 +0800
Subject: aufweidersehn, * grave$
Message-ID: <199605021530.IAA18089@dns2.noc.best.net>

Some anonymous illiterate racist socialist wrote:
> Noticeable about capitali$t graves, he dismisses EVERY attempt
> to censor racists with a "who cares," "there just a bunch
> of weinies," "if you can be heard *somewhere* without being
> arrested, it's not censorship," etc.

In defense of Rich, note that we libertarians accused him of being a socialist, and this anonymous socialist accuses him of being a capitalist.

---------------------------------------------------------------------
|
We have the right to defend ourselves | http://www.jim.com/jamesd/
and our property, because of the kind |
of animals that we are. True law | James A. Donald
derives from this right, not from the |
arbitrary power of the state.
| jamesd at echeque.com

From jya at pipeline.com Thu May 2 18:58:10 1996
From: jya at pipeline.com (jya at pipeline.com)
Date: Fri, 3 May 1996 09:58:10 +0800
Subject: KEY_lok
Message-ID: <199605021653.MAA12641@pipe4.nyc.pipeline.com>

5-2-96 FiTi reports at length on its investigation of a $19 million fraud and conspiracy involving smart cards using the Fiat-Shamir algorithm for encrypting UK video.

Most of the detailed, complicated report is about the financial and tax-evasive shenanigans of firms jointly providing the cards to BSkyB sat-tv.

Adi Shamir's work is featured but he does not appear to be at fault, although a central role was played by News Data Security Products (10% owned by Shamir).

The report does not get into the technology of crypto, but shows its keylock appeal for criminal conspiracies.

KEY_lok

From wombat at mcfeely.bsfs.org Thu May 2 19:18:48 1996
From: wombat at mcfeely.bsfs.org (Rabid Wombat)
Date: Fri, 3 May 1996 10:18:48 +0800
Subject: [getting off topic] Re: Freedom and security
In-Reply-To:
Message-ID:

On Wed, 1 May 1996, Moltar Ramone wrote:
> On Tue, 30 Apr 1996 angels at wavenet.com wrote:
>
> > The Internet is beyond the stage of small communities exercising informal
> > social controls (peer pressure).
>

I disagree. It is your community, and your involvement can still make a difference. When all you do is turn away, or complain to the authorities, rather than becoming involved, the "crime rate" goes up, and the authorities respond by raising taxes, passing laws, and putting more police on the streets.

Most spammers just don't know any better. One of the sites I manage started choking on spam that was a "mailing list" of a few hundred email addresses in the "cc:" field. A polite email message to the offender, and another to their ISP, was all that was needed to stop the problem. Took much less time than reading this thread. :)

> Disagree strongly. The net is a LARGE number of SMALL communities.
This > is why spammers are so offensive: they trespass and violate boundries. > This is why killfiles were invented. You ask about people who don't know > about killfiles. Teach them. This requires no formal organization. > > > paradise. Does anyone really doubt the extent of State control and power > > across the Net? > > Yes. If there was state control of the Internet, there probably wouldn't > be any anonymous remailers. And the Cyberangels would go away. > I doubt this. One can still get a "blind" post office box rather easily. Why would the 'net be any different? > > My point is that this is inevitable. > > Very few things are inevitable; that's a very strong word. The Cypherpunk > Agenda is to provide exactly those tools which make this "inevitable" > thing absolutely impossible. > You're taking a stand on the minority side of a viewpoint; society can, and might, fight back by making your tools themselves illegal, rather than the uses you put them to. At least in the U.S., you can fall back on the Bill of Rights, but the CDA is a prime example of the erosian of even our most fundamental protection. > > The Internet is a > > mirror of the rest of the world, not a new form of society, and I fail to > > understand why anyone should be surprised that that is the case. > > Disagree modestly. > > > I disagree with this statement. I do not believe that laws breed more laws > > nor that laws lead to less freedom. I believe bad laws compromise freedom > > (eg CDA) while good laws protect freedom. > The problem is that we're running a bit short on the "good laws" side, at least here in the U.S. Election-year stupidity has again set in, and our (mostly uninformed) leaders are racing to anything involving regulation of the 'net, as it's a sure way to get into the public eye. Take the "minor bit" as an example of a hasty and ill-thought-out p.r. stunt ... > Have you taken a good hard _honest_ look at the War on Drugs? 
I also > believe that bad laws compromise freedom and good laws protect freedom. > One of the problems is that good laws often breed bad laws to patch > things up. > > > Cryptography enhances and protects privacy, which does not inevitably lead > > to greater security. Security for the sender, yes, in that no one else can > > read the message, but security for the Community? Doesnt that depend what > > the message said? > If I send snail, there are "rules" governing who can open the envelope. If I'm suspected of criminal activity, the community has recourse. The 'net is different. The envelope is always open. I suppose this falls right into the trap of giving the govt. key escrow, which I'm against, but that's another story ... > No. True security for the community rests in a shared social standard > which discourages actions which are harmful to the community or > individuals. Security which requires a class of Guardians to protect > everyone else is not security. It's safety, but it's temporary safety. > Jon Lasser > ---------- > Jon Lasser (410)494-3072 - Obscenity is a crutch for > jlasser at rwd.goucher.edu inarticulate motherfuckers. > http://www.goucher.edu/~jlasser/ > Finger for PGP key (1024/EC001E4D) - Fuck the CDA. > > From m5 at vail.tivoli.com Thu May 2 19:26:11 1996 From: m5 at vail.tivoli.com (Mike McNally) Date: Fri, 3 May 1996 10:26:11 +0800 Subject: [getting off topic] Re: Freedom and security In-Reply-To: Message-ID: <3188FCD2.3885@vail.tivoli.com> Rabid Wombat wrote: > If I send snail, there are "rules" governing who can open the envelope. > If I'm suspected of criminal activity, the community has recourse. If you don't encrypt or otherwise secure sensitive surface mail the same way you would e-mail, you deserve what you get. The community, of course, is in the same state with secure snail-mail case as it is with PGP-encrypted e-mail. Which reminds me of something I've been meaning to ask about. 
I read (probably in WiReD) about a bar-code-like (well, not *much* like, but ink-on-paper similar) technique for rendering data onto paper with enhanced properties of storage efficiency, resistance to degradation through photocopying, and ease of recovery via ordinary scanning. The stuff looks like bunches of little lines at different angles, I think. Anyway, what I'm curious about is whether encode/decode (i.e., print and scan) software is available. ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * * suffering is optional From jimbell at pacifier.com Thu May 2 19:45:42 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 3 May 1996 10:45:42 +0800 Subject: No Subject Message-ID: If anybody wants to join me in expressing displeasure at being left out of the crafting of this "Burns bill" which ostensibly loosens up export controls on encryption software, here is his address. conrad_burns at burns.senate.gov Jim Bell jimbell at pacifier.com From karlton at netscape.com Thu May 2 19:57:48 1996 From: karlton at netscape.com (Phil Karlton) Date: Fri, 3 May 1996 10:57:48 +0800 Subject: [Fwd: Cylink can export 128-bit DH?] In-Reply-To: <3188382C.9778B7@cs.berkeley.edu> Message-ID: <3188F5EB.41C6@netscape.com> > Has this usage now changed in favor of the three key version? I cannot speak for the general case, but in SSL 3, the 3DES_EDE_CBC cipher uses three keys. PK -- Philip L. Karlton karlton at netscape.com Principal Curmudgeon http://home.netscape.com/people/karlton Netscape Communications They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. - Benjamin Franklin From jimbell at pacifier.com Thu May 2 20:31:57 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 3 May 1996 11:31:57 +0800 Subject: [History] USPS tried to monopolize email? (c.
1981) Message-ID: At 09:51 AM 5/2/96 -6, Peter Trei wrote: > I've been trying to recall a nasty little episode from about 15 years ago. > Paul was adamant that the USPS would never seek a monopoly >position on any e-service. > > However, back in the early 80's (It had to be in the 1980-83 range, >I suspect 1981) I clearly remember a proposal that the USPS be >granted the monopoly status as email carrier that it then and >still enjoys for first class mail. As I recall, the proposal would >require email to be routed to the nearest post office to the >destination, and there printed and delivered as paper mail. > > Needless to say, this did not happen. There was a service of this kind, that was implemented about that time frame (1982?). Don't recall the name. However, I don't think they got any kind of explicit monopoly. It wasn't particularly successful, as I recall, probably because of the low penetration of computers into business during that time frame. But it was probably intended as a way around the "chicken-and-egg" problem that you can't use email unless the recipient does, etc. Recall that the use of faxes "exploded" in about 1985: Before this, faxes were rare and they were probably primarily used for inter-office communication. (If only 10% of the businesses own faxes, then only (10%x10%=1%) of communications can be completed by fax; If 90% have faxes, 90%x90%=81% can be.) After this, and by about 1986 or so, just about every ad in industry-type magazines listed a fax number for communications. We're seeing an echo of this for e-mail, 10 years later. Within a year, it'll be rare to see an ad that _doesn't_ list an email address.
Jim Bell jimbell at pacifier.com From iang at cs.berkeley.edu Thu May 2 20:40:57 1996 From: iang at cs.berkeley.edu (Ian Goldberg) Date: Fri, 3 May 1996 11:40:57 +0800 Subject: Unix plugins for Netscape (Was: Calling other code in Java applications and applets) In-Reply-To: <3185E5B6.3EE8@netscape.com> Message-ID: <4masb1$uu6@abraham.cs.berkeley.edu> -----BEGIN PGP SIGNED MESSAGE----- In article <31887DD0.300F at netscape.com>, Jeff Weinstein wrote: >Ian Goldberg wrote: >> >> -----BEGIN PGP SIGNED MESSAGE----- >> >> In article <3187209C.3E5B at netscape.com>, >> Jeff Weinstein wrote: >> > >> > It might be interesting to make a small plugin that just does some core >> >stuff like gathering entropy, mod-exp, and related stuff difficult or too >> >slow in java. I mainly brought it up because people were asking about >> >calling native code from java. >> > >> In an alternate universe in which I didn't have projects to finish, I may >> be interested in doing something like this. However, I haven't been able >> to find information on how to write Unix (or preferably portable) plugins. >> >> Any hints? > > You can get the unix plugin SDK from ftp://ftp20.netscape.com/sdk/unix/ > I downloaded this, and I notice you don't have a "makefile.linux". Is that just because no one's bothered to make one, or does Linux Atlas actually not support plugins at all? (Quickly checking the binary...) I see that Linux Atlas is still a.out. Ick. That would make supporting plugins pretty tough. If it were in ELF, things would be _way_ easier; in fact, I'd probably say trivial (but that's just me). I'd venture a guess that most people who have a Linux box sufficiently cool to run netscape at all, have the ability to run ELF. In fact, there are probably a lot of people (like everyone who bought Slackware 3.0 or a recent RedHat) for which netscape is the _only_ a.out binary on their system. 
The reason I'm pointing this out is (obviously) because Linux is my main development platform, and I'd like to be able to try writing plugins for things like crypto and ecash. - Ian "Add me to the 'Make an ELF Linux binary!!!' list..." From talon57 at well.com Thu May 2 20:41:24 1996 From: talon57 at well.com (Brian D Williams) Date: Fri, 3 May 1996 11:41:24 +0800 Subject: disclosure Message-ID: <199605021816.LAA27417@well.com> >From cypherpunks-errors at toad.com Tue Apr 30 23:58:28 1996 >Date: Wed, 1 May 1996 00:52:03 -0500 (CDT) >From: snow >To: "Perry E. Metzger" >cc: "L. Detweiler" , cypherpunks at toad.com ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >Subject: Re: Why I dislike Java. (was Re: "Scruffies" vs. "Neats") >MIME-Version: 1.0 >Content-Type: TEXT/PLAIN; charset=US-ASCII >Sender: owner-cypherpunks at toad.com >Precedence: bulk Game, set, match...... From alano at teleport.com Thu May 2 20:46:26 1996 From: alano at teleport.com (Alan Olsen) Date: Fri, 3 May 1996 11:46:26 +0800 Subject: aufweidersehn, * grave$ Message-ID: <2.2.32.19960502175519.00c9e3a0@mail.teleport.com> At 08:05 AM 5/2/96 UTC, Skipjack Sally wrote: >Noticeable about capitali$t graves, he dissmisses EVERY attempt >to censor racists with a "who cares," "there just a bunch >of weinies," "if you can be heard *somewhere* without being >arrested, it's not censorship," etc. He seems to imply that >merely because racists are powerless, we are not worthy of >protection. I suppose if you have enough money, you can >PURCHASE your freedom, if not, tough shit. You do not need protection against speech, you need protection against ACTS. Speech in and of itself does not harm anyone.
>We free-speachers don't need a character who defends the >prosecutors when racists are sued or imprisoned in Canada, >UK, and Germany, merely for printing racist leaflets. You claim to believe in free speech, but only for yourself it seems. You seem to desire the punishment of some speech, but not others. Who decides in this case? You? Me? The amorphous blob known as "Government"? I prefer the racists being able to speak in public because it gives people the chance to counter their lies with arguments. Truncheons just create martyrs and sympathy for their cause. Actually, I believe that the people who have been crying for the racists to be silenced have given them more free advertising than they could possibly get on their own. In the black and white thinking patterns of today, and the resistance to authority that is growing in the world, cries for censorship make those groups more attractive to those looking for a "cause". --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From steve at miranova.com Thu May 2 20:54:41 1996 From: steve at miranova.com (Steven L Baur) Date: Fri, 3 May 1996 11:54:41 +0800 Subject: Freedom and security In-Reply-To: Message-ID: >>>>> "Steven" == Steven Weller writes: >>> >Jim Ray wrote >>> >>> I haven't bothered reading this particular thread up until now, but in my >>> opinion, based on this drivel, you're getting dangerously close to being >>> certified officially by the Cabal as an ignorant kook. >>> >>> >Nor does freedom increase through less laws or no laws. >>> >>> Of course it does. However, to maintain community responsibility must also >>> increase. >> >> >> Watch your attribution, Jim Ray did not write this. Steven> You're right. I didn't think he did when I wrote my reply. And Steven> I don't now.
It was a case of hasty editing without Steven> rereading. Apologies to Jim Ray. Steven> Should have been: Steven> Colin Gabriel Hatcher - CyberAngels Director, net kook. Gabriel, were you watching this closely? This is a great working example of all the policing the Internet needs. You didn't mention the spread of misinformation[*] as one of the NetCrimes you were looking out for, but it is a far worse ``offense'' than anything you pointed out earlier (mailbombing, forging etc. are defeated by proper security and administrative procedures). [*] Misinformation in the sense that it is patently wrong, with the facts readily available to anyone with half a clue (this is not meant as a slur towards Steven Weller, he apologized and corrected himself), and not propaganda. Much like the Good Times Virus warning. Propaganda is free speech, which must be defeated by more free speech if it is to be defeated. -- steve at miranova.com baur Unsolicited commercial e-mail will be proofread for $250/hour. Andrea Seastrand: For your vote on the Telecom bill, I will vote for anyone except you in November. 
From editor at cdt.org Thu May 2 20:59:00 1996 From: editor at cdt.org (Bob Palacios) Date: Fri, 3 May 1996 11:59:00 +0800 Subject: CDT Policy Post 2.15 - Legislation Challenges Clinton's Grip on US Crypto Policy Message-ID:
-----------------------------------------------------------------------------
The Center for Democracy and Technology    Volume 2, Number 15
----------------------------------------------------------------------------
A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
CDT POLICY POST Volume 2, Number 15 May 2, 1996
CONTENTS:
(1) New Bill Challenges Clinton's Iron Grip on US Encryption Policy
* Senators Go Online To Discuss Bill, Seek Input from Netizens
* Broad Public Interest/Industry Coalition Announces Support for Encryption Export Relief, Announces Public Education Campaign
(2) Background on the Encryption Policy Debate
* Why should Internet Users Care About this Issue?
* Pointers to More Information on the Encryption Policy Debate (3) Subscription Information (4) About CDT, contacting us ** This document may be redistributed freely with this banner intact ** Excerpts may be re-posted with permission of ----------------------------------------------------------------------------- (1) NEW EXPORT CONTROL REPEAL BILL CHALLENGES CLINTON ADMINISTRATION'S GRIP ON US ENCRYPTION POLICY In a move to replace the Cold War-era regulations on encryption with policies that make sense for the global Internet, Senators Burns (R-MT), Dole (R-KS), Leahy (D-VT), Pressler (R-SD), Wyden (D-OR), and others today introduced legislation to roll back the restrictions prohibiting the export of strong encryption technology. This historic legislation promises to inject the debate over privacy and security on the Internet into the 1996 presidential campaign. The bill, entitled the "Promotion of Commerce On-Line in the Digital Era (Pro-CODE) Act of 1996", is designed to encourage the widespread availability of strong, easy-to-use privacy and security technologies for the Internet. It is similar to a bill introduced in March by Senators Leahy and Burns, though the new bill does not contain criminal provisions or provisions imposing liability for third party key holders. Over 25 public interest organizations, and computer and communications companies, including Microsoft, Netscape, America Online, EFF, VTW, and Americans for Tax Reform, expressed support for this effort in a letter sent today to the sponsors of the bill. A list of signatories and excerpts of the letter are included below. Among other things, the "Pro-CODE" would: * Allow the export of "generally available" or "public domain" encryption software such as PGP and popular World Wide Web browsers without requiring NSA authority.
* Allow the export of encryption hardware and software not available in the "mass market" or "public domain" under an export scheme that would allow up to roughly DES-strength (i.e., 56 bit key-length) security if a product of similar strength is commercially available from a foreign supplier. * Prohibit the government from imposing mandatory key-escrow encryption schemes domestically, or from restricting the sale of commercial encryption products within the United States * Prohibit the Department of Commerce from imposing government designed standards for encryption technologies (such as Clipper and Clipper II). For more information, including the text of the bill, analysis, and relevant background materials, visit CDT's Cryptography Policy Issues Page at (http://www.cdt.org/crypto/). CDT commends Senators Burns, Dole, Leahy, Wyden, Pressler, and the other sponsors of this proposal for their efforts to bring strong privacy and security technologies into the hands of Internet users, and for creating an opportunity for a national debate on the need to reform US policy towards encryption. We look forward to working with these and other members of Congress, the computer and communications industry, public interest groups, and the Internet Community as the bill makes its way through Congress. ------------------------------------------------------------------------------ * SENATORS TO GO ONLINE TO DISCUSS BILLS, TAKE COMMENTS FROM NETIZENS In an effort to bring the Internet Community into the debate and encourage members of Congress to work with the Net.community on vital Internet policy issues, Senator Burns and Senator Leahy will participate in live, online discussions of the new legislation. CDT and VTW, who are helping to coordinate these events, will publish the transcripts of the sessions and encourage Netizens to participate.
Please join Senator Burns live online to discuss the Pro-CODE bill on: * MONDAY, MAY 6 AT 9:00 PM ET IN AMERICA ONLINE'S NEWS ROOM AUDITORIUM Note that you will have to join AOL to participate in this chat. (If you aren't currently an AOL member, you can obtain the software by either a) finding one of those pervasive free floppy disks, or b) by using ftp to get it from ftp.aol.com (ftp://www.aol.com/)) * MONDAY, MAY 13 AT 9:00 ET AT HotWired's CLUB WIRED Visit http://www.hotwired.com/ for more information. Senator Leahy will also conduct sessions on America Online and HotWired in the next several weeks, dates and times are TBA (visit http://www.crypto.com for updates) ----------------------------------------------------------------------------- * BROAD COALITION OF BUSINESSES, PUBLIC INTEREST GROUPS ANNOUNCE SUPPORT FOR ENCRYPTION EXPORT RELIEF, LAUNCH PUBLIC EDUCATION EFFORT In a letter sent to Senators Burns (R-MT), Dole (R-KS), Leahy (D-VT), Pressler (R-SD) Wyden (D-OR), Murray (D-WA) and the other sponsors of the Pro-CODE proposal, a broad coalition of computer and communications companies, public interest and privacy organizations across the political spectrum announced support for legislative efforts to relax encryption export controls as well as plans to conduct a broad effort to raise public awareness on the need to reform encryption policy. The letter states, "Current U.S. Export controls and other regulations on encryption technologies are stifling electronic commerce on the Internet, handicapping U.S. industry in the global marketplace, and preventing computer users from protecting their privacy online." The full text of the letter is available at CDT's Crypto issues web page (http://www.cdt.org/crypto/).
Some of the 25 groups joining the effort include the American Bankers Association, Americans for Tax Reform, America Online, Bellcore, Business Software Alliance, CDT, Compuserve, EFF, the Institute for Justice, Lotus, The Media Institute, Microsoft, Netscape, Novell, Oracle Corp., Pacific Telesis, People for the American Way, Prodigy, Securities Industry Association, Software Publishers Association, Sybase, the Telecommunications Industry Association, the Voters Telecommunications Watch (VTW), and others. The groups also announced a large-scale public education campaign designed to raise public awareness of the importance of encryption to US competitiveness and individual privacy, including an "encryption education day" to be held in California's Silicon Valley in early July. The event will bring together industry leaders, members of Congress, encryption experts, and others to discuss the need to reform US encryption policy. Similar events, to be held throughout the US and on the Net, are also being planned. ------------------------------------------------------------------------------- (2) BACKGROUND ON THE ENCRYPTION POLICY DEBATE * Why is this issue important to Internet users? Encryption technologies are the locks and keys of the Information age. Encryption technology allows vital personal and commercial communications to travel securely over insecure and inexpensive communications networks like the Internet. For far too long, the debate over US encryption policy has been dominated by the NSA, FBI, and Clinton Administration, who continue to insist that privacy, security, and the competitive advantage of the US computer and communications industry must take a back seat to national security and law enforcement interests. While encryption products like PGP do allow the most computer-savvy among us to communicate securely, there are few strong, widely available, easy-to-use encryption applications available to Internet users.
This is due in part to the Federal regulations which prohibit the export of strong encryption. As a result of these laws, US companies tend to build only one version of an encryption product, with relatively weak encryption, in order to sell to the global market. This results in the limited availability of strong encryption for domestic Internet users. Worse, the Clinton Administration has attempted to leverage the desire of US companies to sell strong encryption overseas to include features in products that will allow the Federal Government easy access to the plain text of encrypted communications. The Administration has used the standards promotion power of the National Institute of Standards and Technology (NIST) to serve the narrow interests of the NSA as compared to the broader interest of Internet users and US businesses. These "key-escrow" proposals, known as Clipper and Clipper II, have met with stiff resistance from civil libertarians, Internet users, and the US computer and communications industries. While legitimate law enforcement and national security issues are important factors in this debate, the need for individual privacy and security for personal and commercial communications and data is vital to the future of the Internet and other interactive communications technologies. As a result, the outcome of this policy debate will have tremendous implications on your privacy and the future of the Internet. ------------------------------------------------------------------------------ FOR MORE INFORMATION ON THIS ISSUE For more information on the Encryption Policy Debate, please visit CDT's encryption policy issues page at http://www.cdt.org/crypto/ You can also join CDT, VTW, EFF, EPIC, People for the American Way, Wired Magazine, and others in an online campaign to promote secure communications online. 
For more information, visit: * The Encryption Policy Resource Page -- http://www.crypto.com/ * The Internet Privacy Coalition Page -- http://www.privacy.org/ipc * EFF's Crypto Page -- http://www.eff.org/ * EPIC's Crypto Page -- http://www.epic.org/crypto * VTW's Crypto Page -- http://www.vtw.org/ ----------------------------------------------------------------------- (3) SUBSCRIPTION INFORMATION Be sure you are up to date on the latest public policy issues affecting civil liberties online and how they will affect you! Subscribe to the CDT Policy Post news distribution list. CDT Policy Posts, the regular news publication of the Center For Democracy and Technology, are received by more than 9,000 Internet users, industry leaders, policy makers and activists, and have become the leading source for information about critical free speech and privacy issues affecting the Internet and other interactive communications media. To subscribe to CDT's Policy Post list, send mail to policy-posts-request at cdt.org with a subject: subscribe policy-posts If you ever wish to remove yourself from the list, send mail to the above address with a subject of: unsubscribe policy-posts ----------------------------------------------------------------------- (4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. The Center's mission is to develop and advocate public policies that advance democratic values and constitutional civil liberties in new computer and communications technologies. 
Contacting us: General information: info at cdt.org World Wide Web: URL:http://www.cdt.org/ FTP URL:ftp://ftp.cdt.org/pub/cdt/ Snail Mail: The Center for Democracy and Technology 1634 Eye Street NW * Suite 1100 * Washington, DC 20006 (v) +1.202.637.9800 * (f) +1.202.637.0968 ----------------------------------------------------------------------- End Policy Post 2.15 5/2/96 ----------------------------------------------------------------------- From iang at cs.berkeley.edu Thu May 2 21:09:07 1996 From: iang at cs.berkeley.edu (Ian Goldberg) Date: Fri, 3 May 1996 12:09:07 +0800 Subject: [Fwd: Cylink can export 128-bit DH?] In-Reply-To: <199605011919.MAA27020@netcom8.netcom.com> Message-ID: <4masts$uvh@abraham.cs.berkeley.edu> -----BEGIN PGP SIGNED MESSAGE----- In article <199605011919.MAA27020 at netcom8.netcom.com>, Bill Frantz wrote: >At 12:22 AM 5/2/96 +0700, peng-chiew low wrote: >>Daniel R. Oelke wrote: >>> There are provisions for exporting DES for banking purposes. >>> Generally it is a hardware card that "can't" be reused outside >>> of the banking transfer machine. >> >>So far, I've seen DES software from a couple of U.S. companies. The question >>is "Is it the U.S. domestic DES or "export flavored" DES? As for the hardware, >>would'nt it be inconsistant if the DES supplied is the Domestic DES? > >As far as I know, DES is DES, domestic or export. If your DES >interoperates with domestic DES (or popular implementations available on >non-US servers), then you have DES. Not quite. CDMF key shortening was designed by IBM to shrink a 56-bit DES key to 40 bits, suitable for export. See AC2, page 366. I heard a rumour that CDMF is in SET, but I'm not sure how much that makes sense. 
- Ian From jya at pipeline.com Thu May 2 21:32:36 1996 From: jya at pipeline.com (jya at pipeline.com) Date: Fri, 3 May 1996 12:32:36 +0800 Subject: EET on PGP API Quash Message-ID: <199605021908.PAA29631@pipe1.nyc.pipeline.com> [Thanks to BC] Electronic Engineering Times, April 29, 1996, page 4 State Dept. Tries To Quash API's for PGP cryptography By Loring Wirbel Washington -- The Justice Department may have halted attempts to bring criminal charges against Phil Zimmermann, author of the Pretty Good Privacy (PGP) public-key cryptography algorithms, but the State Department is taking an increasingly hard line on PGP. Where once the State had restricted itself to warning developers against exporting source code with PGP file-encryption routines, it is now arguing that application programming interfaces (API) allowing PGP program insertion should be subject to control under arms-trading statutes. Warning letters sent out in the last few weeks reflect the bizarre status of cryptography algorithms in the government's Export Control Act. Under the International Traffic in Arms Regulations (ITAR) promulgated under the act, the government can restrict any encryption programs the National Security Agency (NSA) is uncomfortable with. The new moves represent the first time State has tried to extend ITAR to software that only provides hooks for encryption packages, however. "There is some room to maneuver and make strong arguments that the rules on crypto APIs have some serious ambiguities," said Kenneth Bass, an attorney specializing in export control with the Washington law firm of Venable Attorneys at Law.
Bass said several companies have received warning letters from State, but most do not want to do battle with the Federal government. Meanwhile, wildly differing rulings in the U.S. District Courts on the West and East coasts send mixed messages about software embedding crypto algorithms. In refusing to dismiss developer Daniel Bernstein's suit against the State Department, Judge Marilyn Hall Patel of San Francisco ruled in early April that source code can be protected free speech. "The particular language one chooses does not change the nature of the language for First Amendment purposes," Patel said. "This court can find no meaningful difference between computer languages ... and German or French; ... whether source code or object code is also functional is immaterial." Bernstein seeks to establish that his zero-delay private-key program, Snuffle, is not subject to ITAR. Opposite Rationale But on March 22, Judge Charles Richey of Washington dismissed Philip Karn's suit against State using almost exactly the opposite rationale. Karn, an employee of Qualcomm Inc. (San Diego), challenged a ruling that the floppy disks accompanying some editions of Bruce Schneier's book, *Applied Cryptography*, could be barred from export. Judge Richey said the government was free to view implemented source code as a munition that could be banned, and said Defense Department decisions regarding materials covered under export control were precluded from judicial review. Karn appealed to the U.S. Circuit Court of Appeals on April 19. "The stage is being set for some very basic issues on source code and free speech to be decided," said attorney Bass. So far the API issue has not spurred any suits. Network Telesystems Inc. (Santa Clara, Calif.) a TCP/IP stack specialist and the one company that has admitted receiving a warning from State, said that a PGP API is not central enough to its business to warrant making its preservation a federal case.
Company president John Davidson said Network Telesystems elected to make its new e-mail package, Confidante, "PGP ready" by including a PGP API instead of licensing the code. Davidson said the warning must have been the result of government officials seeing the press release on the package, which has not yet shipped, or a short article in a national magazine. "We thought it was a misunderstanding at first, since we had no resident PGP code," Davidson said. "It didn't seem possible that the government could really be talking about an interface." One computer-security expert said off the record that "NSA has told State to watch out for any APIs outside NSA's own effort to define a crypto API." NSA is embracing the API work of companies like RSA Data Security Inc., the source said, "but Zimmermann's PGP work has always been a freelance effort, so a compromise is not seen as necessary." ----- From steve at miranova.com Thu May 2 21:38:29 1996 From: steve at miranova.com (Steven L Baur) Date: Fri, 3 May 1996 12:38:29 +0800 Subject: Sun's Wallet In-Reply-To: <199605012116.OAA09307@jobe.shell.portal.com> Message-ID: > Sydney, Australia, April 30 -- SunSoft will shortly > release a workable cash-on-the-Internet program called > Wallet > Once issued, the Digital ID can > be used within any enabled application such as Netscape > Navigator Internet client software and Netscape > SuiteSpot. Will it be supported by ApacheSSL? -- steve at miranova.com baur Unsolicited commercial e-mail will be proofread for $250/hour. Andrea Seastrand: For your vote on the Telecom bill, I will vote for anyone except you in November. 
From alano at teleport.com Thu May 2 21:46:17 1996 From: alano at teleport.com (Alan Olsen) Date: Fri, 3 May 1996 12:46:17 +0800 Subject: [Linux] Unix plugins for Netscape (Was: Calling other code in Java applications and applets) Message-ID: <2.2.32.19960502195251.00c80164@mail.teleport.com> At 10:45 AM 5/2/96 -0700, Ian Goldberg wrote: >I'd venture a guess that most people who have a Linux box sufficiently cool >to run netscape at all, have the ability to run ELF. In fact, there are >probably a lot of people (like everyone who bought Slackware 3.0 or a recent >RedHat) for which netscape is the _only_ a.out binary on their system. In order to run any of the recent kernels you HAVE to be running ELF. (Or have your copy of GCC upgraded to 2.7.0 or higher.) The docs make no mention of it, but it barfs on the make if you do not have it. (There are three flags that are not supported under the old versions of GCC.) > - Ian "Add me to the 'Make an ELF Linux binary!!!' list..." Are they keeping a list? As for Linux, last I heard it was still on the semi-supported list. (The dropping of BSD on the fasttrack server pisses me off as well, but that is another matter...) I would like to get a version of the Linux binary that supports 128 bit SSL. (As well as the ELF binaries.) --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From vznuri at netcom.com Thu May 2 21:58:15 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Fri, 3 May 1996 12:58:15 +0800 Subject: proposed anti-pseudospoofing law in Georgia Message-ID: <199605021952.MAA18471@netcom16.netcom.com> this law got a little notice here although I didn't notice people considering its identity aspects in particular. this proposed law in Georgia would make it illegal to have a login name other than your legal name, as I understand it.
I consider it rather silly, naive, and unenforceable, but it does suggest a few things: 1. lawmakers are starting to notice the internet bigtime. 2. it's starting to freak them out. 3. the identity issues raised by cyberspace have significant social implications and will not go away quietly. 4. there are some legitimate reasons to require ID in some places in cyberspace. of course I will be flamed on 4, but my position is, has always been the following: both anonymous and "identified" communication have their places. I am not suggesting that either one is superior a priori. however each has different uses. some things that are possible in one are not possible in the other, etc. I think it is reasonable for people who create/maintain forums or other cyberspace services to demand, and be able to enforce, that you use your real identity if they choose. likewise, you are free not to join these places or use these services. I think anyone should be free to create alternatives that spit in the face of these restrictions. let the market decide what is most viable in given situations. I suspect that we are going to see some laws being passed trying to regulate cyberspace that are really ridiculous. it will take the lawmakers awhile to figure out what they can and can't get away with and when their opinions are or are not relevant to what happens. meanwhile, if the internet really is robust, their irrelevant posturings should not make much difference, although I am *not* advocating that people resign themselves to these laws, only that if they pass the situation is not necessarily catastrophic or apocalyptic.
------- Forwarded Message - ------- Forwarded Message Date: Tue, 30 Apr 1996 11:31:52 -0400 (EDT) From: merkaba at styx.ios.com Reply-To: snetnews at xbn.shore.net To: Multiple recipients of list SNETNEWS Subject: INTERNET POLICE (fwd) - - ---------- Forwarded message ---------- Date: Fri, 26 Apr 1996 21:44:53 -0400 From: Ronald Pearce To: merkaba at styx.ios.com Subject: INTERNET POLICE > >It is being dubbed the Internet Police Law. Georgia's state government is >beginning to catch a little net-heat because of a new law signed by the >Governor last week which, according to some, CRIMINALIZES the use of e-mail >addresses which don't properly identify a person, as well as the practice of >linking to another web page by name without first obtaining permission to >link. > >If anyone cares to see information and commentary on this new law, feel free >to browse over to www.kuesterlaw.com. I would love to know what everyone >thinks about the constitutionality of this bill, as well as any other comments. > >Thanks. >jk >Jeffrey R. Kuester, Esq. Patent, Copyright, & Trademark Law >6445 Powers Ferry Road, Suite 230, Atlanta, Georgia 30339 >Ph (770) 951-2623 Fax (770) 612-9713 >E-mail: kuester at kuesterlaw.com >WWW: http://www.KUESTERLAW.com (The Technology Law Resource) > >--------------------------------------------------------------- - - -> SNETNEWS Mailing List & Fidonet Echo - - -> Post to: listserv at xbn.shore.net - - -> subscribe snetnews - ------- End of Forwarded Message ------- End of Forwarded Message From jeffb at sware.com Thu May 2 22:21:49 1996 From: jeffb at sware.com (Jeff Barber) Date: Fri, 3 May 1996 13:21:49 +0800 Subject: [Linux] Unix plugins for Netscape (Was: Calling other code In-Reply-To: <2.2.32.19960502195251.00c80164@mail.teleport.com> Message-ID: <199605022050.QAA15445@jafar.sware.com> Alan Olsen writes: > I would like to get a version > of the Linux binary that supports 128 bit SSL. (As well as the ELF binaries.) 
I got a 128bit copy of Netscape 2.0 for Unix a few weeks ago (yes, all the Unix versions come on one CDROM). Under the Linux directory, there was no executable but there was a README file claiming that there is a 128bit version available from one of the Linux-associated vendors (Caldera I think?). I haven't followed up on it, and don't have a CDROM drive available right now to check this. -- Jeff From rodger at interramp.com Thu May 2 22:30:26 1996 From: rodger at interramp.com (Will Rodger) Date: Fri, 3 May 1996 13:30:26 +0800 Subject: Sen. Patrick Leahy's PGP key now avail. Message-ID: Wanna write the good Senator on the occasion of his newest bill? His pub key's out there. (URL is http://bs.mit.edu:8001/pks-commands.html#submit/ ) Will Rodger From reagle at MIT.EDU Thu May 2 22:41:47 1996 From: reagle at MIT.EDU (Joseph M. Reagle Jr.) Date: Fri, 3 May 1996 13:41:47 +0800 Subject: Best Digital Signature Lib from a WEB server Message-ID: <9605022208.AA09593@rpcp.mit.edu> Can anyone recommend a signature implementation for cgi/forms? For instance, someone registers on a WEB site and gets a signed receipt back. (No cookies or such, because the receipt will be shown to 3rd party members.) I'm thinking in terms of self-labeling and PICS like work. The PICS Label Syntax and Communication Protocols mentions that Jim Bidzos has agreed to allow RSAREF to be available to PICS developers at no cost. Has anyone tried this, or actually implemented a scheme like this?
_______________________ Regards, I, man, am regal; a German am I Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E From joelm at eskimo.com Thu May 2 22:41:53 1996 From: joelm at eskimo.com (Joel McNamara) Date: Fri, 3 May 1996 13:41:53 +0800 Subject: Announce: Windows PGP QuickStart Message-ID: <199605022225.PAA27781@mail.eskimo.com> Due to a fair amount of demand from Private Idaho users who had novice friends that wanted to use PGP, but were frustrated at the installation and configuration process of the DOS version, I wrote a Windows utility called PGP QuickStart. This is an extremely simple app that handholds the user from downloading PGP with their Web browser to creating their key rings. It automatically unzips the files, creates the appropriate directory, and modifies the AUTOEXEC.BAT file. The user just follows easy to understand dialog boxes and clicks buttons. This is not a full-featured front-end. Its purpose is only to simplify the PGP installation process so a user can later use Private Idaho or any of the other Windows shells that are available. Obviously, most people on the list aren't going to have much personal use for this app. However, it is perfect for recommending to PC users who want to get started with crypto, but may be a little bit intimidated. The beta version is located at: http://www.eskimo.com/~joelm/pi.html Comments to: joelm at eskimo.com As with Private Idaho, this utility is free... 
From jimbell at pacifier.com Thu May 2 22:54:49 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 3 May 1996 13:54:49 +0800 Subject: CDT Policy Post 2.15 - Legislation Challenges Clinton's Grip on US Crypto Policy Message-ID: > The Center for Democracy and Technology Volume 2, Number 15 >Among other things, the "Pro-CODE" would: >* Allow the export of "generally available" or "public domain" > encryption software such as PGP and popular World Wide Web browsers > without requiring NSA authority. > >* Allow the export of encryption hardware and software not available in > the "mass market" or "public domain" under an export scheme that would > allow up to roughly DES-strength (i.e., 56 bit key-length) security. > if a product of similar strength is commercially available from a > foreign supplier What, exactly, is the point of such a provision that would limit key length? Since the classifications of encryption export software seem to allow any keylength, why should there be an exception for others? I think they should give specific examples of hardware or software whose export would not be allowed, and more particularly an explanation why an exception is needed in those cases. We really need to know what they're thinking about, here. It isn't obvious why, and generally I've found that whenever laws carve out exceptions, there are substantial reasons for those exceptions, although not necessarily "good" reasons. Notice, for example, that there appears to be a distinction between hardware and software. (although, in the bill, it does list both hardware and software.) As we all should understand, the distinction ought to be meaningless, but one of our goals should be to allow the unrestricted export of good-encryption telephones which have their encryption done in hardware. That doesn't appear to be the case, and I think this is a telling limitation. The law will practically guarantee that no factories to build good crypto phones get sited in the US. 
However, a look at the actual bill shows nothing which specifically limits things to 56-bit keys, although it seems to make an unusual distinction, allowing exports "in any foreign country to which those exports of computers software and computer hardware of similar capability are permitted for use by financial institutions..." The problem, as I see it, is that this is practically an open invitation to foreign countries to pass laws which are specifically intended to restrict encryption. We should not be encouraging them to do this. Some explanation is definitely in order! BTW, that brings us to another issue: The bill should specifically prohibit restrictions on the IMPORTATION of any kind of encryption systems, either hardware or software. >* Prohibit the government from imposing mandatory key-escrow encryption > schemes domestically, or from restricting the sale of commercial > encryption products within the United States Redundant. The 1st amendment should already do this. I have no objection to them re-stating Constitutional protections, but it should label them as such. >* Prohibit the Department of Commerce from imposing government designed > standards for encryption technologies (such as Clipper and Clipper > II). Ditto. But more importantly, I think it ought to be prohibited from even _encouraging_ the use of such systems, which as we all know the government can do by abusing its power. It should be prohibited from spending any money to develop those standards, as well as prohibiting government from encouraging the use of those standards, etc. All in all, a substantial improvement over the Leahy bill, but it could still use a little work. Jim Bell jimbell at pacifier.com Jim Bell jimbell at pacifier.com From shabbir at vtw.org Thu May 2 22:57:02 1996 From: shabbir at vtw.org (Shabbir J.
Safdar) Date: Fri, 3 May 1996 13:57:02 +0800 Subject: VTW: Senate attacks Clinton encryption export policy Message-ID: <199605021909.PAA09024@panix3.panix.com> ======================================================================== VTW: Voters Telecommunications Watch (vtw at vtw.org) May 2, 1996 Redistribute only until 5/28/96 SENATORS FIRE BROADSIDE SALVO AT CLINTON ADMINISTRATION'S HEINOUS AND ANTIQUATED ENCRYPTION EXPORT POLICIES Please widely redistribute this document with this banner intact until May 28, 1996 ________________________________________________________________________ CONTENTS The Latest News Chronology of the 1996 Crypto Bills For More Information ________________________________________________________________________ THE LATEST NEWS Today, a core contingent of the US Senate proposed legislation that would free public domain software such as Phil Zimmermann's PGP (Pretty Good Privacy), allow for the export of products that have competitive encryption abroad, and limit the government's ability to propose another Clipper-style standard. The latest proposal, sponsored by Sen. Burns (R-MT) is the third in a series of bills this year that blatantly attack the Clinton Administration's policies of restricting the export of encryption that is already found outside the United States. Text of the legislation is now available on http://www.crypto.com/ and http://www.vtw.org/ as soon as we get it. In another bold move, Senators Conrad Burns (R-MT) and Patrick Leahy (D-VT) have scheduled online chats to discuss this legislation with the people who understand the issue the best: the net community. As a part of the Whistlestop96 campaign by VTW and CDT (Center for Democracy and Technology) to bring members of Congress in touch with the net community during the 1996 campaigns, Senators Burns and Leahy will be attending live online chat sessions on HotWired and America Online.
The schedule as currently available is: Sen. Burns America Online, News Room auditorium: Monday May 6, 9pm EST Hotwired: Monday May 13, 9pm EST Sen. Leahy America Online: date not yet available Hotwired: date not yet available In addition, volunteers have begun maintaining a resource page at http://www.crypto.com/ with a corresponding mailing list for encryption policy news. You can subscribe to it from the WWW page http://www.crypto.com/ or by sending mail to majordomo at panix.com. ________________________________________________________________________ CHRONOLOGY OF THE 1996 ENCRYPTION BILLS May 2, '96 Bi-partisan group of Senators introduce PRO-CODE Act, which would free public-domain encryption software (such as PGP) for export, free much commercial encryption for export, and reduce the government's ability to push Clipper proposals down the throats of an unwilling public. Original sponsors include: Senators Burns (R-MT), Dole (R-KS), Faircloth (R-NC), Leahy (D-VT), Murray (D-WA), Nickles (R-OK), Pressler (R-SD), and Wyden (D-OR). Mar 5, '96 Sen. Leahy (D-VT) and Rep. Goodlatte (R-VA) introduce bills to liberalize cryptography exports. Cosponsoring this legislation on the Senate side are Sen. Burns (R-MT) and Sen. Murray (D-WA). On the House side are the following cosponsors: DeLay, Campbell, Eshoo, Moorhead, Doolittle, Barr, Ewing, Mica, Everett, Bono, Lofgren, and McKeon.
________________________________________________________________________ FOR MORE INFORMATION ABOUT ENCRYPTION Encryption Policy Resource Page: http://www.crypto.com/ Voters Telecommunications Watch: http://www.vtw.org/ Internet Privacy Coalition: http://www.privacy.org/ ======================================================================== From richieb at teleport.com Thu May 2 23:07:21 1996 From: richieb at teleport.com (Rich Burroughs) Date: Fri, 3 May 1996 14:07:21 +0800 Subject: proposed anti-pseudospoofing law in Georgia Message-ID: <2.2.32.19960502222125.007306a0@mail.teleport.com> At 12:52 PM 5/2/96 -0700, "Vladimir Z. Nuri" wrote: [snip] >this proposed law in Georgia >would make it illegal to have a login name other than >your legal name, as I understand it. [snip] More than proposed. It was signed by Gov. Zell Miller on April 18, and is now the law in GA. see http://www.clark.net/pub/rothman/ga.htm and http://www.gahouse.com/docs/whatsnew/parsons.htm Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From razz at eden.rutgers.edu Thu May 2 23:08:51 1996 From: razz at eden.rutgers.edu (HardWorkingStudent) Date: Fri, 3 May 1996 14:08:51 +0800 Subject: unsescribe Message-ID: unsescribe razz at eden.rutgers.edu unsuscribe razz at eden.rutgers.edu From brucem at wichita.fn.net Thu May 2 23:20:57 1996 From: brucem at wichita.fn.net (Bruce M.) Date: Fri, 3 May 1996 14:20:57 +0800 Subject: The Joy of Java In-Reply-To: <5y40mD297w165w@bwalk.dm.com> Message-ID: On Wed, 1 May 1996, Dr. Dimitri Vulis wrote: > My recollection is that when IBM first started selling IBM PC, they offered > a choice of (at least) 3 operating systems right from the start: UCSD p-system, > CP/M-86 or PC-DOS. 
IBM didn't do anything to promote PC-DOS over the other > two. It won fair and square in the marketplace because the other two were > even worse crap. (Later versions of CP/M-86 got much better.) I always had been under the impression that they charged a hundred dollars or more for CPM as opposed to DOS which was also a major reason for its popularity. Bruce Marshall From frantz at netcom.com Thu May 2 23:28:27 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 3 May 1996 14:28:27 +0800 Subject: [Fwd: Cylink can export 128-bit DH?] Message-ID: <199605022252.PAA01524@netcom8.netcom.com> At 10:55 AM 5/2/96 -0700, Ian Goldberg wrote: >Bill Frantz wrote: >>As far as I know, DES is DES, domestic or export. If your DES >>interoperates with domestic DES (or popular implementations available on >>non-US servers), then you have DES. > >Not quite. CDMF key shortening was designed by IBM to shrink a 56-bit DES >key to 40 bits, suitable for export. See AC2, page 366. I heard a rumour >that CDMF is in SET, but I'm not sure how much that makes sense. I can find no evidence in Draft 2/23/96 of SET for 40bit DES keys. (BTW, I would not call CDMF DES, but this may be merely quibbling.) On page 31, it says, "The DES key format follows FIPS 46: it contains 56 bits of keying material and eight optional check bits." Since SET is very careful to not deal with anything but the financial aspects of online commerce, they can probably get a license for export under the current rules. (SET only includes a SHA hash of the "contract", calculated by both the cardholder and the merchant in its encrypted content. Both versions must match for the transaction to be authorized.) Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From perry at piermont.com Thu May 2 23:32:10 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 3 May 1996 14:32:10 +0800 Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats") In-Reply-To: <199605010521.WAA02990@jobe.shell.portal.com> Message-ID: <199605030034.UAA21754@jekyll.piermont.com> Hal writes: > From: "Perry E. Metzger" > > Unfortunately, when the same machine runs Netscape so the > > trader can read the UUNet/MFS merger press release and also has the > > big shiny red "trade!" button on some application, you get nervous. > > Aren't you holding Java to a higher standard than ordinary applications? > If your traders run any software at all on their machines there is the > risk of harm. The Netscape binary itself could be hacked to do bad > things. Likewise with any other software they run. At one of my clients, there is a software testing lab where all software that is placed on the trading floor is rigorously tested for months before it is put out on the users desktop -- it is, indeed, tested in conjunction with all other products the user would be using. No software is deployed before rigorous testing occurs. By the time the thing is put out, it is known to a high degree of certainty that it will not cause damage. This wasn't even something I requested -- they had this in place before I got there. This isn't that unusual on Wall Street, either -- I know of a number of firms with similar "integration labs", "test labs", etc. Netscape with Java cannot be so tested because important components come down off the net. So no, I'm not holding Netscape with Java to a higher standard. I'm very much holding it to the same standard. Perry From perry at piermont.com Thu May 2 23:47:03 1996 From: perry at piermont.com (Perry E. 
Metzger) Date: Fri, 3 May 1996 14:47:03 +0800 Subject: Burns Bill In-Reply-To: <199605022252.PAA01532@netcom8.netcom.com> Message-ID: <199605030018.UAA21700@jekyll.piermont.com> Bill Frantz writes: > A quick read thru the text of the bill (via http://www.cdt.org/crypto/) > shows none of the principal objectionable features of the Leahy bill. > (Standards for key escrow agents, and additional criminal penalties for > using encryption to hinder an investigation.) > > This bill has some obscure, to me, exceptions. The most troubling of which > I think means (IANAL) that export can be restricted if there is a > reasonable expectation that the hard/software will be reexported to one of > the countries on the extreme bad boys list. I will point out that as things stand under U.S. law you aren't even allowed to export toilet paper if the expectation is that the ultimate customer is on the extreme bad boys list. Although as a libertarian I find any such provision distasteful I cannot see that we are badly off if the rules for exporting crypto and exporting toilet paper are roughly similar. > in any case, it is not clear how passage of the bill could possibly > make things worse. I think that is key. Perry From perry at piermont.com Thu May 2 23:56:37 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 3 May 1996 14:56:37 +0800 Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats") In-Reply-To: <199605010528.AAA00506@proust.suba.com> Message-ID: <199605030038.UAA21763@jekyll.piermont.com> Alex Strasheim writes: > One thing that I'm sort of fuzzy on is whether or not you feel that this > is a problem specific to this one group of products (java) or if it's a > problem with the general idea of grabbing and running applets > indiscriminately in a protective environment. I believe that it is possible to design environments in which you can safely run applet like things.
However, 1) I am not sure that such an environment is needed for most of what Java does in the Netscape environment, so given the dangers I'm not sure the price is worth paying, 2) Java does not possess the characteristics such an environment needs, and 3) It is pretty clear that much of what the Java designers want to do could not be done in such an environment. > Right now, as near as I can tell, we have two major security complaints > with java's design. The first is Perry's point (which I might be > munging), that there isn't enough redundancy in the security to protect us > if and when human error creeps in. The second is that a rigorous formal > analysis of the language hasn't been performed, and that the language as > it is currently constituted doesn't lend itself to such an analysis. I would very much prefer a language whose security did not require such analysis. Java, sadly, does require such an analysis because it requires perfect implementation for its security model to work. In a restricted execution environment that was designed with defense in depth in mind, such an analysis would be a bonus, but not strictly required. Perry From perry at piermont.com Fri May 3 00:01:56 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 3 May 1996 15:01:56 +0800 Subject: Conrad_Burns@burns.senate.gov: Open Letter to Internet Community From Senator Burns Message-ID: <199605030022.UAA21727@jekyll.piermont.com> Yes, I know this will probably be forwarded five hundred times. However, I thought I ought to try to be the first. ------- Forwarded Message Date: Thu, 2 May 1996 19:39:04 -0400 From: Conrad_Burns at burns.senate.gov To: Multiple recipients of list Subject: Open Letter to Internet Community From Senator Burns OPEN LETTER TO THE INTERNET COMMUNITY May 2, 1996 Dear friends: As an Internet user, you are no doubt aware of some of the hurdles the federal government has put up that limit the growth and full potential of exciting, emerging technologies.
One of the most egregious of these has been the governmentally set limits on so-called "encryption" technologies. Today I am introducing a bill to address this major problem for businesses and users of the Internet. If the telecommunications law enacted this year is a vehicle to achieve real changes in the ways we interact with each other electronically, my bill is the engine that will allow this vehicle to move forward. The bill would promote the growth of electronic commerce, encourage the widespread availability to strong privacy and security technologies for the Internet, and repeal the out-dated regulations prohibiting the export of encryption technologies. This legislation is desperately needed because the Clinton administration continues to insist on restricting encryption exports, without regard to the harm this policy has on American businesses' ability to compete in the global marketplace or the ability of American citizens to protect their privacy online. Until we get the federal government out of the way and encourage the development of strong cryptography for the global market, electronic commerce and the potential of the Internet will not be realized. The last thing the Net needs are repressive and outdated regulations prohibiting the exports of strong privacy and security tools and making sure that the government has copies of the keys to our private communications. Yet this is exactly the situation we have today. My new bill, the Promotion of Commerce On-Line in the Digital Era (Pro-CODE) Act of 1996, would: - Allow for the unrestricted export of "mass-market" or "public-domain" encryption programs, including such products as Pretty Good Privacy and popular World Wide Web browsers. - Require the Secretary of Commerce to allow the unrestricted export of other encryption technologies if products of similar strength are generally available outside the United States. 
- Prohibit the federal government from imposing mandatory key-escrow encryption policies on the domestic market and limit the authority of the Secretary of Commerce to set standards for encryption products. Removing export controls will dramatically increase the domestic availability of strong, easy-to-use privacy and security products and encourage the use of the Internet as a forum of secure electronic commerce. It will also undermine the Clinton Administration's "Clipper" proposals which have used export restrictions as leverage to impose policies that guarantee government access to our encryption keys. The Pro-CODE bill is similar to a bill I co-authored with Senator Patrick Leahy of Vermont, except that it highlights the importance of encryption to electronic commerce and the need to dramatically change current policy to encourage its growth. My bill does not add any new criminal provisions and does not establish legal requirements for key-escrow agents. Over the coming months, I plan to hold hearings on this bill and encourage a public debate on the need to change the Clinton Administration's restrictive export control policies. I will need your support as we move forward towards building a global Internet that is good for electronic commerce and privacy. I look forward to working with the Internet community, online activists, and the computer and communications industry as this proposal moves through Congress. I'd like to hear from you, so please join me on two upcoming online events to talk about the new bill. The first is on America Online in the News Room auditorium at 9 p.m. Eastern Daylight Time on May 6. The second will be on Hotwired's Chat at 9 p.m. EDT on May 13. In the meantime, I need your help in supporting the effort to repeal cryptography export controls. You can find out more by visiting my web page http://www.senate.gov/~burns/. There you will find a collection of encryption education resources that my Webmaster has assembled. 
I trust that the entire Internet community, from the old-timers to those just starting to learn about encryption, will find this information useful. This bill is vital to all Americans, from everyday computer users and businesses to manufacturers of computer software and hardware. I very much look forward to working with you on this issue. Conrad Burns United States Senator ------- End of Forwarded Message From perry at piermont.com Fri May 3 00:11:21 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 3 May 1996 15:11:21 +0800 Subject: [RANT] Mr. Scruffy versus Mr. Neat In-Reply-To: <199605010408.VAA23530@netcom10.netcom.com> Message-ID: <199605030025.UAA21735@jekyll.piermont.com> Mike Duvos writes: > While Java is currently a scruffy invention and has yet to > receive the official blessing of the neats, there are a number of > things that speak in its favor. I would like to re-emphasize that given its design, Java was, if anything, created by "neats". The problem is that its model requires perfection to assure security, instead of conservative design which assumes there may be design flaws and produces "defense in depth". Perry From frantz at netcom.com Fri May 3 00:14:43 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 3 May 1996 15:14:43 +0800 Subject: Burns Bill Message-ID: <199605022252.PAA01532@netcom8.netcom.com> A quick read thru the text of the bill (via http://www.cdt.org/crypto/) shows none of the principal objectionable features of the Leahy bill. (Standards for key escrow agents, and additional criminal penalties for using encryption to hinder an investigation.) This bill has some obscure, to me, exceptions. The most troubling of which I think means (IANAL) that export can be restricted if there is a reasonable expectation that the hard/software will be reexported to one of the countries on the extreme bad boys list.
This provision could possibly be construed to affect FTP sites, but in any case, it is not clear how passage of the bill could possibly make things worse. Its provisions preventing the Secretary of Commerce from developing standards for anyone except government agencies, and forbidding mandatory GAK/key escrow are very welcome. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From minow at apple.com Fri May 3 00:26:10 1996 From: minow at apple.com (Martin Minow) Date: Fri, 3 May 1996 15:26:10 +0800 Subject: EET on PGP API Quash Message-ID: > ... the State Department is taking > an increasingly hard line on PGP. Where once the State had > restricted itself to warning developers against exporting > source code with PGP file-encryption routines, it is now > arguing that application programming interfaces (API) > allowing PGP program insertion should be subject to control > under arms-trading statutes. It would seem that any computer system that permits the use of an externally-supplied computer program (i.e., Windows, DOS, MacOS, Unix, Java, Microsoft Word macro language) would fall under this restriction. I wonder how much thought went into this decision. Martin Minow From vax at linkdead.paranoia.com Fri May 3 00:53:10 1996 From: vax at linkdead.paranoia.com (VaX#n8) Date: Fri, 3 May 1996 15:53:10 +0800 Subject: encrypted Unix backup software Message-ID: <199605030102.UAA06977@linkdead.paranoia.com> Okay, before you flame me and tell me to pipe it through a symmetric cipher filter, hear me out. Tape handling is hairy, depending on what kind of functionality you want. A regular filter may write(2) in strangely sized blocks, not working very well with your tape drive. Mostly though, things get difficult when you have to/want to deal with multiple tapes.
Although I could probably hack up "catblock" to do the job, and use a line of the form dump -0uBf ... | symmetric_cipher | catblock blockfactor > /dev/tape if there exists something which already does this job, or something like it, I'd like to know. Now that I think about it, maybe this is the cleanest way. PS: If there is a place where I can get reviews of the crypto software that is out there, that'd be fab because csua just has a TON of stuff! The "security-faq" is pretty good -- I want more! :) Keep codin' From dan at vplus.com Fri May 3 01:15:00 1996 From: dan at vplus.com (Dan Weinstein) Date: Fri, 3 May 1996 16:15:00 +0800 Subject: Sen. Patrick Leahy's PGP key now avail. In-Reply-To: Message-ID: <318980a4.4746046@mail.vplus.com> On Thu, 2 May 1996 17:36:13 -0400, you wrote: >Wanna write the good Senator on the occasion of his newest bill? His pub >key's out there. (URL is http://bs.mit.edu:8001/pks-commands.html#submit/ Is he the first Senator/Congressman to publicly release a PGP key? Dan Weinstein djw at vplus.com http://www.vplus.com/~djw PGP public key is available from my Home Page. All opinions expressed above are mine. "I understand by 'freedom of Spirit' something quite definite - the unconditional will to say No, where it is dangerous to say No. Friedrich Nietzsche From 103007.3426 at compuserve.com Fri May 3 01:15:47 1996 From: 103007.3426 at compuserve.com (Sally D. McMillan) Date: Fri, 3 May 1996 16:15:47 +0800 Subject: (fwd) E-Commerce Info. Needed Message-ID: <960503034747_103007.3426_GHU46-1@CompuServe.COM> I am writing a paper on electronic commerce, and I wonder if anyone happens to know of interesting URLs addressing the subject, including security issues? If you know of a good location for electronic commerce/security information, please email me directly at the following address: 103007.3426 at compuserve.com THANKS A LOT!! Sally From tcmay at got.net Fri May 3 01:18:42 1996 From: tcmay at got.net (Timothy C. 
May) Date: Fri, 3 May 1996 16:18:42 +0800 Subject: Sen. Patrick Leahy's PGP key now avail. Message-ID: At 9:36 PM 5/2/96, Will Rodger wrote: >Wanna write the good Senator on the occasion of his newest bill? His pub >key's out there. (URL is http://bs.mit.edu:8001/pks-commands.html#submit/ >) Why does anyone need his public key to communicate with Senator Leahy? If it's for sender-anonymity, this does not do it, though other tools (remailers) do. Unless the information is "secret," why bother? It adds extra time at his office's end (you don't think Leahy types in his password to PGP do you?), and it accomplishes little. From a personal viewpoint, I'm glad my key is no longer very accessible. I used to get PGP-encrypted messages which had no earthly reason to be encrypted, except that people apparently wanted to practice their PGP skills. (For those who sent me items that had a reason to be encrypted, you know who you are and you know this comment does not apply to you.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From perry at piermont.com Fri May 3 01:28:23 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 3 May 1996 16:28:23 +0800 Subject: no-cost DH? In-Reply-To: Message-ID: <199605030048.UAA21799@jekyll.piermont.com> Wei Dai writes: > Apparently Cylink is only licensing their SDK at no cost, not the actual > patents. Does anyone want to speculate on why they are doing this now? To make as much money as they can in the short time they have available.
.pm From Conrad_Burns at burns.senate.gov Fri May 3 01:43:04 1996 From: Conrad_Burns at burns.senate.gov (Conrad_Burns at burns.senate.gov) Date: Fri, 3 May 1996 16:43:04 +0800 Subject: Open Letter to Internet Community From Senator Burns Message-ID: <9604028310.AA831091003@smtpgwyo.senate.gov> OPEN LETTER TO THE INTERNET COMMUNITY May 2, 1996 Dear friends: As an Internet user, you are no doubt aware of some of the hurdles the federal government has put up that limit the growth and full potential of exciting, emerging technologies. One of the most egregious of these has been the governmentally set limits on so-called "encryption" technologies. Today I am introducing a bill to address this major problem for businesses and users of the Internet. If the telecommunications law enacted this year is a vehicle to achieve real changes in the ways we interact with each other electronically, my bill is the engine that will allow this vehicle to move forward. The bill would promote the growth of electronic commerce, encourage the widespread availability to strong privacy and security technologies for the Internet, and repeal the out-dated regulations prohibiting the export of encryption technologies. This legislation is desperately needed because the Clinton administration continues to insist on restricting encryption exports, without regard to the harm this policy has on American businesses' ability to compete in the global marketplace or the ability of American citizens to protect their privacy online. Until we get the federal government out of the way and encourage the development of strong cryptography for the global market, electronic commerce and the potential of the Internet will not be realized. The last thing the Net needs are repressive and outdated regulations prohibiting the exports of strong privacy and security tools and making sure that the government has copies of the keys to our private communications. Yet this is exactly the situation we have today. 
My new bill, the Promotion of Commerce On-Line in the Digital Era (Pro-CODE) Act of 1996, would: - Allow for the unrestricted export of "mass-market" or "public-domain" encryption programs, including such products as Pretty Good Privacy and popular World Wide Web browsers. - Require the Secretary of Commerce to allow the unrestricted export of other encryption technologies if products of similar strength are generally available outside the United States. - Prohibit the federal government from imposing mandatory key-escrow encryption policies on the domestic market and limit the authority of the Secretary of Commerce to set standards for encryption products. Removing export controls will dramatically increase the domestic availability of strong, easy-to-use privacy and security products and encourage the use of the Internet as a forum of secure electronic commerce. It will also undermine the Clinton Administration's "Clipper" proposals which have used export restrictions as leverage to impose policies that guarantee government access to our encryption keys. The Pro-CODE bill is similar to a bill I co-authored with Senator Patrick Leahy of Vermont, except that it highlights the importance of encryption to electronic commerce and the need to dramatically change current policy to encourage its growth. My bill does not add any new criminal provisions and does not establish legal requirements for key-escrow agents. Over the coming months, I plan to hold hearings on this bill and encourage a public debate on the need to change the Clinton Administration's restrictive export control policies. I will need your support as we move forward towards building a global Internet that is good for electronic commerce and privacy. I look forward to working with the Internet community, online activists, and the computer and communications industry as this proposal moves through Congress. 
I'd like to hear from you, so please join me on two upcoming online events to talk about the new bill. The first is on America Online in the News Room auditorium at 9 p.m. Eastern Daylight Time on May 6. The second will be on Hotwired's Chat at 9 p.m. EDT on May 13. In the meantime, I need your help in supporting the effort to repeal cryptography export controls. You can find out more by visiting my web page http://www.senate.gov/~burns/. There you will find a collection of encryption education resources that my Webmaster has assembled. I trust that the entire Internet community, from the old-timers to those just starting to learn about encryption, will find this information useful. This bill is vital to all Americans, from everyday computer users and businesses to manufacturers of computer software and hardware. I very much look forward to working with you on this issue. Conrad Burns United States Senator From shamrock at netcom.com Fri May 3 01:51:43 1996 From: shamrock at netcom.com (Lucky Green) Date: Fri, 3 May 1996 16:51:43 +0800 Subject: Win 95 partition encryptor? Message-ID: What's our current favorite utility to encrypt an entire extended partition under Win 95? Should be as transparent as possible, easy to use, have automatic timeout, etc. Solid crypto, of course. TIA, Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green PGP encrypted mail preferred. From rmfan at alpha.c2.org Fri May 3 01:54:14 1996 From: rmfan at alpha.c2.org (Remailer Fan) Date: Fri, 3 May 1996 16:54:14 +0800 Subject: Sen. Patrick Leahy's Pubkey Message-ID: <199605030232.TAA13008@infinity.c2.org> He even self-signed it. 
Remailer fan. From perry at piermont.com Fri May 3 01:58:55 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 3 May 1996 16:58:55 +0800 Subject: encrypted Unix backup software In-Reply-To: <199605030102.UAA06977@linkdead.paranoia.com> Message-ID: <199605030255.WAA21987@jekyll.piermont.com> VaX#n8 writes: > Although I could probably hack up "catblock" to do the job, and use > a line of the form > dump -0uBf ... | symmetric_cipher | catblock blockfactor > /dev/tape > if there exists something which already does this job, or something like it, > I'd like to know. dd is the program you are looking for. Perry From frantz at netcom.com Fri May 3 02:28:48 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 3 May 1996 17:28:48 +0800 Subject: Burns Bill Message-ID: <199605030527.WAA15747@netcom8.netcom.com> At 8:18 PM 5/2/96 -0400, Perry E. Metzger wrote: >Bill Frantz writes: >> in any case, it is not clear how passage of the bill could possibly >> make things worse. > >I think that is key. I fully agree. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From wombat at mcfeely.bsfs.org Fri May 3 02:29:28 1996 From: wombat at mcfeely.bsfs.org (Rabid Wombat) Date: Fri, 3 May 1996 17:29:28 +0800 Subject: [Complete NOISE] Re: aufweidersehn, * grave$ In-Reply-To: <199605021530.IAA18089@dns2.noc.best.net> Message-ID: On Thu, 2 May 1996 jamesd at echeque.com wrote: > Some anonymous illiterate racist socialist wrote: > > Noticeable about capitali$t graves, he dissmisses EVERY attempt > > to censor racists with a "who cares," "there just a bunch > > of weinies," "if you can be heard *somewhere* without being > > arrested, it's not censorship," etc. > > In defense of Rich, note that we libertarians accused > him of being a socialist, and this anonymous socialist > accuses him of being a capitalist. What's in a name (or a nym) ? ;) -r.w. Capitalist-diseased-marsupial (and proud of it) (A consortium of Fed. Reserve insiders, AT&T, and Popeye's Fried Chicken execs control the world. Anyone ranting against other forms of government is wasting their time. Long live the Illuminati!) From ses at tipper.oit.unc.edu Fri May 3 02:31:39 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Fri, 3 May 1996 17:31:39 +0800 Subject: unsescribe In-Reply-To: Message-ID: On Thu, 2 May 1996, HardWorkingStudent wrote: > unsescribe razz at eden.rutgers.edu > unsuscribe razz at eden.rutgers.edu unsescribe is not a valid use of the 'ses' service mark. Please report for termination immediately. (Of course, if actually you want to be terminated, you might find it less painful to send a message to majordomo at toad.com containing the body unsubscribe cypherpunks Simon --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? 
National Union of Computer Operatives; Hackers, local 37 APL-CPIO From llurch at networking.stanford.edu Fri May 3 02:34:53 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 3 May 1996 17:34:53 +0800 Subject: SF South Bay: So WhoWhere wants to meet with people interested in online privacy and security... Message-ID: The people who run www.whowhere.com (a knockoff on the excellent www.four11.com, with a database partly based on a script they wrote to extract addresses from okra.ucr.edu) want to discuss how they can serve the Internet community better while protecting privacy. I suggested "shut down your site and become cloistered monks," but they didn't find that consistent with their business plan. So they suggested we do lunch early next week. Either Monday or Tuesday would work, and we'd be meeting in downtown Palo Alto. Anybody else interested in coming? For a good demonstration of why WhoWhere? is not necessarily the greatest thing since spice racks, look up "Louis Freeh," "Fuck You," "Asshole," "System Privileged User," and "Stephen Hawking." I keep telling them that they'd better remove this last, but they don't consider it a priority. -rich http://www-leland.stanford.edu/~llurch/ P.S. Yes, I just resubscribed. I just love you too much to stay away. P.P.S. If anyone wants to carpool from the Palo Alto vicinity to Joe & Cindy's beach volleyball shindig this Sunday with an alleged FUCKING STATIST CAPITALIST SOCIALIST NAZI J*W ANARCHIST, send me a note. From frantz at netcom.com Fri May 3 03:04:30 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 3 May 1996 18:04:30 +0800 Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats") Message-ID: <199605030527.WAA15760@netcom8.netcom.com> At 8:34 PM 5/2/96 -0400, Perry E. 
Metzger wrote: >At one of my clients, there is a software testing lab where all >software that is placed on the trading floor is rigorously tested for >months before it is put out on the users desktop -- it is, indeed, >tested in conjunction with all other products the user would be >using. No software is deployed before rigorous testing occurs. By the >time the thing is put out, it is known to a high degree of certainty >that it will not cause damage. My clients have a similar testing setup for new communications software. It is one way they are able to offer a reliable service to their clients. >I would very much prefer a language whose security did not require >such analysis. Java, sadly, does require such an analysis because it >requires perfect implementation for its security model to work. In a >restricted execution environment that was designed with defense in >depth in mind, such an analysis would be a bonus, but not strictly >required. All secure systems require perfect implementation of the security kernel. Java has a very large security kernel, since its kernel includes the kernel in the underlying operating system. As such, it is probably not suited for high security environments.* However, it may well be secure enough for individuals to run on their private machines. * If a Java equipped browser is run in an operating system provided secure environment, this restriction may not apply. Such an operating system would have to provide Orange Book A or B level features (mandatory security). ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From stewarts at ix.netcom.com Fri May 3 03:11:32 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 3 May 1996 18:11:32 +0800 Subject: Sen. Patrick Leahy's PGP key now avail.
Message-ID: <199605030428.VAA02635@toad.com> At 10:23 PM 5/2/96 -0400, perry at piermont.com wrote: >Timothy C. May writes: >> Why does anyone need his public key to communicate with Senator Leahy? If >> it's for sender-anonymity, this does not do it, though other tools >> (remailers) do. Unless the information is "secret," why bother? > >I would answer Tim, but I suspect that he would ignore something I >might say. I will therefore quote Philip Zimmermann. > Perhaps you think your E-mail is legitimate enough that encryption is > unwarranted. If you really are a law-abiding citizen with nothing to > hide, then why don't you always send your paper mail on postcards? > Why not submit to drug testing on demand? Why require a warrant for > police searches of your house? Are you trying to hide something? ..... >Never thought I would see the day where Tim stopped being a >Cypherpunk. Everyone mark your calendars. One of the most important parts of any security analysis is the threat models. In this case, we're talking about sending email _to_the_government_. There may be something you want to tell the Senator or his staff that you want kept private from the public or from rest of the government, and Tim's phrase "Unless the information is 'secret'" seems to cover that. Maybe you want to say "My company lost $X to competitor Y"; that's private. Maybe you want to say "The FBI is reading your email, y'know..." Maybe you want to attach a $20 MarkTwain DigiCash campaign contribution. But usually, telling the government something is fairly similar to publishing it, in terms of expectation of privacy, even in a republic. The tradeoff is between using PGP to make a point, and getting the staff to read it. Typically, Congressional Staffs are Your Friends, at least more directly than the Congresscritters themselves. Lobby _them_; making their job easier is a good start. 
Maybe the right thing to do is include the digicash, encrypt the message, and attach a note indicating that the enclosed digicash is for the staff member who decrypts the note and gives it to the Senator :-) # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 begin 777 goodtimes =96-H;R!H879I;F<@9V]O9"!T:6UE At 5:50 PM 5/2/96 -0700, Timothy C. May wrote: >Why does anyone need his public key to communicate with Senator Leahy? If >it's for sender-anonymity, this does not do it, though other tools >(remailers) do. I can think of two good reasons for Senator Leahy to publish his key: (1) To show his support for the right to use encryption. (2) To sign open letters to the Internet community. I will be really impressed when he gets some big-name signatures on his key. e.g. Matt Blaze, Ron Rivest, PRZ, Tim May. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From jimbell at pacifier.com Fri May 3 03:41:32 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 3 May 1996 18:41:32 +0800 Subject: EET on PGP API Quash Message-ID: At 02:22 PM 5/2/96 -0700, Martin Minow wrote: >> ... the State Department is taking >> an increasingly hard line on PGP. Where once the State had >> restricted itself to warning developers against exporting >> source code with PGP file-encryption routines, it is now >> arguing that application programming interfaces (API) >> allowing PGP program insertion should be subject to control >> under arms-trading statutes. > >It would seem that any computer system that permits the use >of an externally-supplied computer program (i.e., Windows, >DOS, MacOS, Unix, Java, Microsoft Word macro language) would >fall under this restriction. > >I wonder how much thought went into this decision. Not much.
I seem to recall a quote from Dorothy Denning a couple of months ago where she actually held out API's as a way to get around the ITAR restrictions. It sounds to me like even that was too much for them! In any case, this position is very desperate. Those of us who recall old Altair computers remember a time where even a "file" was a foreign concept. Files are, arguably, a standardized format on which encryption programs work. Are they going to stop the export of MSDOS? Jim Bell jimbell at pacifier.com Jim Bell jimbell at pacifier.com From wombat at mcfeely.bsfs.org Fri May 3 03:42:20 1996 From: wombat at mcfeely.bsfs.org (Rabid Wombat) Date: Fri, 3 May 1996 18:42:20 +0800 Subject: [getting off topic] Re: Freedom and security In-Reply-To: <3188FCD2.3885@vail.tivoli.com> Message-ID: On Thu, 2 May 1996, Mike McNally wrote: > Rabid Wombat wrote: > > > If I send snail, there are "rules" governing who can open the envelope. > > If I'm suspected of criminal activity, the community has recourse. > > If you don't encrypt or otherwise secure sensitive surface mail the same > way you would e-mail, you deserve what you get. The community, of course, > is in the same state with secure snail-mail case as it is with PGP-encrypted > e-mail. > Yes, I CAN encrypt. The point being discussed is whether society should allow me to do so, and if I have the RIGHT to do so. Classic freedom of individual vs. rights of society. Plato, Aristotle, Montesquieu, etc. etc. Can't swing a dead marsupial without hittin' a philosopher on 'punks these days. > Which reminds me of something I've been meaning to ask about. I read > (probably in WiReD) about a bar-code-like (well, not *much* like, but > ink-on-paper similar) technique for rendering data onto paper with > enhanced properties of storage efficiency, resistance to degradation > through photocopying, and ease of recovery via ordinary scanning. The > stuff looks like bunches of little lines at different angles, I think.
> Anyway, what I'm curious about is whether encode/decode (i.e., print > and scan) software is available. > Ah, the modern day version of the Rosetta Stone, unearthed in post-nuclear holocaust Peoria ... > ______c_____________________________________________________________________ > Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable > m5 at tivoli.com * m101 at io.com * > * suffering is optional > From jsw at netscape.com Fri May 3 03:51:52 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Fri, 3 May 1996 18:51:52 +0800 Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats") In-Reply-To: <199605010521.WAA02990@jobe.shell.portal.com> Message-ID: <3189A993.A19@netscape.com> Perry E. Metzger wrote: > Netscape with Java cannot be so tested because important components > come down off the net. So no, I'm not holding Netscape with Java to a > higher standard. I'm very much holding it to the same standard. The Netscape Administration Kit will allow a site security admin to create a configuration that disables Java, and does not allow the user to enable it. If your customers require netscape, perhaps this is an option that will make you more comfortable. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From shamrock at netcom.com Fri May 3 03:52:54 1996 From: shamrock at netcom.com (Lucky Green) Date: Fri, 3 May 1996 18:52:54 +0800 Subject: Sun's Wallet Message-ID: At 11:18 5/2/96, Steven L Baur wrote: >> Sydney, Australia, April 30 -- SunSoft will shortly >> release a workable cash-on-the-Internet program called >> Wallet > >> Once issued, the Digital ID can >> be used within any enabled application such as Netscape >> Navigator Internet client software and Netscape >> SuiteSpot. > >Will it be supported by ApacheSSL? The Java Wallet is supposed to work with any Java enabled browser. 
The wallet takes care of moving all the data even through firewalls, so I would assume it just piggy-backs on http. Note that anyone can create a Wallet "cassette" for their own present or future payment system. In order for the cassette to work with the wallet, it needs to be signed by Java Soft. Java Soft will charge for the sigs. Last I heard, the exact fee was still undecided. Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green PGP encrypted mail preferred. From jimbell at pacifier.com Fri May 3 03:56:13 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 3 May 1996 18:56:13 +0800 Subject: proposed anti-pseudospoofing law in Georgia Message-ID: At 12:52 PM 5/2/96 -0700, Vladimir Z. Nuri wrote: >this proposed law in Georgia >would make it illegal to have a login name other than >your legal name, as I understand it. >I consider it rather silly, naive, and unenforceable, >but it does suggest a few things: > >1. lawmakers are starting to notice the internet bigtime. Yes, they are. >2. it's starting to freak them out. Apparently, very much so. >3. the identity issues raised by cyberspace have significant >social implications and will not go away quietly. Not if legislators keep pushing their luck... >4. there are some legitimate reasons to require ID in some places >in cyberspace. Only as far as is mutually agreed. If two people want to do business, we can reasonably expect that they will do so under whatever conditions they can agree to. If one of those conditions is that they require ID from the other, fine. The problem comes when third parties (like, for instance, government) require it; that's wrong. >meanwhile, if the internet really is robust, their irrelevant >posturings should not make much difference, although I am *not* >advocating that people resign themselves to these laws, only that >if they pass the situation is not necessarily catastrophic or >apocalyptic. I don't think it's apocalyptic.
But that's because I think there's a permanent solution to their meddling. Jim Bell jimbell at pacifier.com Jim Bell jimbell at pacifier.com From stewarts at ix.netcom.com Fri May 3 04:15:24 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 3 May 1996 19:15:24 +0800 Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats") Message-ID: <199605030343.UAA01908@toad.com> At 08:34 PM 5/2/96 -0400, Perry wrote: >At one of my clients, there is a software testing lab where all >software that is placed on the trading floor is rigorously tested for Definitely - aside from severe dangers like automated theft or incorrect output, even software that takes a PC down for 5 minutes during the trading day every once in a while can cost big money to a brokerage firm. >Netscape with Java cannot be so tested because important components >come down off the net. So no, I'm not holding Netscape with Java to a >higher standard. I'm very much holding it to the same standard. Netscape now lets you turn off Java and Javascript. An ideal would be to support running applications signed by your choice of application-certifiers, which is BTW likely to be much more restrictive than your list of key-certifiers if you're in a paranoid business like brokerages and airlines. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 begin 777 goodtimes =96-H;R!H879I;F<@9V]O9"!T:6UE -=> Note: Forwarded (from: netmail) by Terry Liberty-Parker using timEd. Originally from Matthew Gaylor (1:382/87.0) to terry liberty-parker. Original dated: May 01 '96, 13:50 e-Id: From: freematt at coil.com (Matthew Gaylor) From: angels at wavenet.com (CyberAngels Director : Colin Gabriel Hatcher) Subject: CYBERANGELS Thanks for your interest in our group. We apologize for any delay in answering your enquiry. Our service is not automated, and we have a huge quantity of enquiries to deal with. Briefing papers about our work are still in preparation. Keep in touch with us till then.
If you have any personal problems on the Internet, or if you find an interesting and relevant website, then write and tell us. We will shortly be opening a new WWW site, and we will send a release when that is ready. Till then, take care, and keep your eyes open while you are cruising! Let us know if you find any material or activity that you think should be investigated! Let us know also if you find any interesting websites that share our mission! You are now on our mailing list! Stand by for regular information and alerts for CyberAngels missions. Gabriel ************************************************************** THE INTERNET IS OUR NEIGHBORHOOD - LET'S LOOK AFTER IT! CYBERANGELS - WHO ARE WE? We are an all-volunteer Internet safety patrol and monitoring project started in June 1995 by senior members of the world famous crime prevention organization The International Alliance of Guardian Angels. CyberAngels membership currently numbers more than 1000 users worldwide in 15 countries, who share a common mission - to be a Cyberspace Neighborhood Watch and to fight Internet crime. Our numbers are growing daily. We are working to make the Internet a safer and more enjoyable place to work and play, by being role models for self-regulation and responsibility. We are dedicated: TO FIGHT CRIME ON THE INTERNET in particular criminal activity where there are clear personal victims and/or at-risk users. TO PROTECT OUR CHILDREN FROM ONLINE CRIMINAL ABUSE by fighting against the trade in child pornography and by working to deter sexual predators online. TO GIVE SUPPORT, ADVICE AND ASSISTANCE TO INTERNET VICTIMS OF HATE MAIL, HARASSMENT AND SEXUAL ABUSE ONLINE by referring them to professional assistance and by helping to guide them through the complaints and reporting processes. TO PROMOTE, PRESERVE AND PROTECT NETIQUETTE that is, the rules of polite conduct that govern our use of the Internet. We believe in courtesy and respect for others.
We support Internet Service Providers who have clearly defined Terms of Service for the User, and who are prepared to enforce it.

TO HELP TO PRESERVE INTERNET FREEDOM OF SPEECH
by showing Governments that the Internet Community is prepared to take both responsibility and actions to preserve the personal safety of all its members, and particularly its children.

HOW DO WE FIGHT CRIME ON THE INTERNET?

Crime on the Internet is a tiny percentage of everything that is there. But it is real and it is claiming victims with increasing regularity. We believe that we the Net Community should take the responsibility for the problem - after all it is our fellow users who are the criminals - and also that we should assume the responsibility for crime prevention measures. CyberAngels don't just talk about it. WE ACT.

EDUCATION / ADVICE / CYBERSTREETSMARTS

The Internet to us is like a vast city: public and private areas, kids and adult areas, safe areas and crime areas. To travel it safely you need some CyberStreetsmarts. One of our main methods of crime prevention on the Net is by educating users about the possible problems they may encounter, and how to avoid them.

Education means educating parents realistically about the Internet so that they are aware of the dangers, but are not overreacting. It's important that parents and kids cooperate in this area. The Internet is such a wonderful learning environment that we wish to encourage kids to use it - but adults must take responsibility for making sure our kids do not wander into areas that are not appropriate.

We act as an advisory service for any user with problems of personal safety and / or personal security on the Net. This advice ranges from how to deal with mailbombs, forged email, mailing list spams, virii, impersonation and other electronic sabotage and harassment methods, to information about how to deal with hate mail, sexual harassment, kids' safety online and unsolicited email.
Many users do not know how to report abuse nor to whom they should report it. CyberAngels can usually help.

SAFETY PATROLS

CyberAngels volunteers run regular Safety Patrols on the Net. Safety Patrols on the Internet means cruising the electronic highways, keeping your eyes open for problems. The main areas we patrol are the Usenet (Newsgroups) and the live channels (IRC / Chat rooms etc).

We read Newsgroups, especially the binaries groups on the Usenet, and if we find images of child pornography posted up there we refer those files to federal law enforcement authorities, eg US Customs Service. We also check out fraud schemes on the Usenet, and if necessary report them to the National Fraud Centre. We also keep track of Spam developments - who is mass mailing unsolicited mail and what they are offering.

We travel the live channels of IRC / MUDS or the chat rooms in the big Providers, looking out for sexual predators searching for children, or pedophiles trading child pornography in the live talk areas. This is a major source of child pornography on the Net. If we find it we report it to Sysadmins and Federal authorities.

We cruise the World Wide Web, checking sites to make sure child pornography is not being used to attract visitors, and checking that a site that says it is Kidsafe really is suitable for children.

We visit and read websites and FTP sites of Racist and other Hate Organizations, keeping a check on their activities. There is a very close relationship between Racist material and Racist activities (eg Hate mail and harassment, violent threats and intimidation).

We don't believe in the philosophy that "anything goes" on the Net. The Internet is a society and in societies where "anything goes" then crime and violence dominate, and the stronger consume the weaker. The Internet is a newly developing global nation - and we need Cyberspace law and law enforcement if users' rights are to be protected. We believe in FREEDOM AND JUSTICE UNDER LAW.
And although we recognize the problems of how National Laws can be applied to an International society, we believe that the first step is that Netizens CARE about Cybercrime and the victims of Cybercrime.

YOU CAN HELP US! WE NEED VOLUNTEERS!

The Internet Community is huge - a worldwide network of around 40 million people, 11 million Websites, 3500 Service Providers - and it's growing every day. The more volunteers we have, the more effective we can be. And by giving a little of your time to looking after the welfare of the Net, you can make a real difference!

Anyone can be a CyberAngel. The only requirement is that you commit a minimum of 2 hours per week to the project. No previous experience or special skills are necessary, although a computer and an Internet account would be useful! :)

Being a CyberAngel involves no risk or danger. You are volunteering only to be eyes watching the Net, looking out for the welfare of others.

CAN YOU HELP US?

You may be able to help us in other ways - we are a Division of Guardian Angels and we are a 501 (C)(3) Non-profit organization. Our membership is voluntary and we are in desperate need of more resources. All of your donations are tax-deductible. You can help us by donating money, computers, Internet access accounts, design skills, or websites. Alternatively you may like to consider sponsoring our work on the Internet. Contact us for details.

* Cyberangels support SAFESURF in their campaign for child safe areas on the Net
* Cyberangels support WEBSAFE and their work with kids, teens and parents.
* Cyberangels support the BLUE RIBBON Freedom of Speech campaign
* Cyberangels support PICS, other rating systems and screening software
* Cyberangels support CYBERSPACE LAW AND LAW ENFORCEMENT.

CYBERSPACE NEEDS CYBERANGELS!
*********************************************************
Colin Gabriel Hatcher - CyberAngels Director
angels at wavenet.com
"Freedom and justice, under law"
*********************************************************

****************************************************************************
Subscribe to Freematt's Alerts: Pro-Individual Rights Issues
Send a blank message to: freematt at coil.com with the words subscribe FA on the subject line. List is private and moderated (7-20 messages per week)
Matthew Gaylor,1933 E. Dublin-Granville Rd.,#176, Columbus, OH 43229
****************************************************************************

___
--
|Fidonet: Terry Liberty-Parker 1:382/804
|Internet: Terry.Liberty-Parker at 804.ima.infomail.com
|
| Standard disclaimer: The views of this user are strictly their own.

From jimbell at pacifier.com Fri May 3 04:26:38 1996
From: jimbell at pacifier.com (jim bell)
Date: Fri, 3 May 1996 19:26:38 +0800
Subject: The Joy of Java
Message-ID:

At 04:43 PM 5/2/96 -0500, Bruce M. wrote:
>On Wed, 1 May 1996, Dr. Dimitri Vulis wrote:
>
>> My recollection is that when IBM first started selling IBM PC, they offered
>> a choice of (at least) 3 operating systems right from the start: UCSD p-system,
>> CP/M-86 or PC-DOS. IBM didn't do anything to promote PC-DOS over the other
>> two. It won fair and square in the marketplace because the other two were
>> even worse crap. (Later versions of CP/M-86 got much better.)
>
> I always had been under the impression that they charged a hundred
>dollars or more for CPM as opposed to DOS which was also a major reason
>for its popularity.
>Bruce Marshall

The story I heard (about 1983) was that IBM had pulled a rather fast one on Digital Research, the source of CP/M for 8080's and CP/M 86.
They lured DR into an exclusive contract in which they offered to pay a percentage of the sales to DR on CP/M 86 for the IBM PC, but then deliberately offered it at such a high price (about $250 or so) that "nobody" wanted it. Because the contract was "exclusive" even Digital Research was locked out of the market. By the time that contract expired the market was firmly in the hands of MSDOS.

In effect, DR had sold the entire market for a song. Had they been more careful it might have been a horse race. This was identified as an intentional tactic of IBM, BTW.

Jim Bell jimbell at pacifier.com

From stewarts at ix.netcom.com Fri May 3 04:34:42 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Fri, 3 May 1996 19:34:42 +0800
Subject: encrypted Unix backup software
Message-ID: <199605030343.UAA01915@toad.com>

At 08:02 PM 5/2/96 -0500, VaX#n8 wrote:
>Okay, before you flame me and tell me to pipe it through
>a symmetric cipher filter, hear me out. Tape handling is
>hairy, depending on what kind of functionality you want. A regular
>filter may write(2) in strangely sized blocks, not working very well
>with your tape drive.
>
>Mostly though, things get difficult when you have to/want to deal with
>multiple tapes.
>
>Although I could probably hack up "catblock" to do the job, and use
>a line of the form
>dump -0uBf ... | symmetric_cipher | catblock blockfactor > /dev/tape
>if there exists something which already does this job, or something like it,
>I'd like to know. Now that I think about it, maybe this is the cleanest way.

Yup. It's a classic Unix tools approach - let each piece do what it does best, and use a standard simple interface between tools.
You don't need to write "catblock", though - there's the "dd" command designed for just such applications (well, designed for the way those applications looked 20 years ago, when you needed to do things like EBCDIC conversion and line-length padding to deal with IBM tapes, and the syntax has a certain evil OS360 JCL look to it :-) Newer versions may handle multiple tapes a bit better.

# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
begin 777 goodtimes
=96-H;R!H879I;F<@9V]O9"!T:6UE

At 5:06 AM 5/3/96, Bill Stewart wrote:
>One of the most important parts of any security analysis is the
>threat models. In this case, we're talking about sending email
>_to_the_government_.
>
>There may be something you want to tell the Senator or his staff that
>you want kept private from the public or from rest of the government,
>and Tim's phrase "Unless the information is 'secret'" seems to cover that.
>Maybe you want to say "My company lost $X to competitor Y"; that's private.
>Maybe you want to say "The FBI is reading your email, y'know..."
>Maybe you want to attach a $20 MarkTwain DigiCash campaign contribution.

And besides my explicit mention of "unless secret," which I suspect is not the case in the context of "communicating with Sen. Leahy," I also explicitly mentioned that it is unlikely Sen. Leahy is doing the reading of e-mail or the encrypting. The PGP key is really "Leahy's office key."

I'd say it's 99.95% likely that the PGP key was generated by a staffer--the resident e-mail geek--and that only staffers know how to use PGP. (In fact, probably only the one staffer who generated the key and knows the passphrase....)

This gives new meaning to "man in the channel." When you send an encrypted message to "Senator Leahy," be sure to tell "Mitch" it's urgent that the Senator see it!

(Don't misunderstand me, anyone.
I'm not expecting perfect security, and the fact that secretaries and staffers may likely be the actual "keepers of the keys" is hardly new or surprising. They've always served this role. And until this changes, with PGP getting easier to use or with a more conventional key arrangement, I expect few senators will be typing in PGP stuff.

(By "more conventional" I mean a model where some token or object is used, as with the crypto ignition keys, which I can imagine _some_ Senators actually carry and use, depending on their connections to the intelligence and military establishment. Or biometric security, etc.)

>But usually, telling the government something is fairly similar to
>publishing it, in terms of expectation of privacy, even in a republic.
>The tradeoff is between using PGP to make a point, and getting the staff
>to read it. Typically, Congressional Staffs are Your Friends, at least
>more directly than the Congresscritters themselves. Lobby _them_;
>making their job easier is a good start.

I agree. My main point was that staffers are already extremely pressed for time, often quickly sorting incoming constituent mail into "yes" or "no" piles for later counting on some issue. It's unlikely in the extreme that a PGP-encrypted mail message will be looked at, unless the staffer thinks it must be spook-related. When the staffer finds it's just a position advocacy letter, and that he spent time decrypting it, it'll likely have the opposite effect we want.

And it _still_ won't be the "real" Senator Leahy doing the decrypting!

So, what is accomplished except "feel good" thoughts?

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C.
May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From perry at piermont.com Fri May 3 04:46:07 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Fri, 3 May 1996 19:46:07 +0800
Subject: Sen. Patrick Leahy's PGP key now avail.
In-Reply-To:
Message-ID: <199605030223.WAA21946@jekyll.piermont.com>

Timothy C. May writes:
> Why does anyone need his public key to communicate with Senator Leahy? If
> it's for sender-anonymity, this does not do it, though other tools
> (remailers) do.
>
> Unless the information is "secret," why bother?

I would answer Tim, but I suspect that he would ignore something I might say. I will therefore quote Philip Zimmermann.

Perhaps you think your E-mail is legitimate enough that encryption is unwarranted. If you really are a law-abiding citizen with nothing to hide, then why don't you always send your paper mail on postcards? Why not submit to drug testing on demand? Why require a warrant for police searches of your house? Are you trying to hide something? You must be a subversive or a drug dealer if you hide your mail inside envelopes. Or maybe a paranoid nut. Do law-abiding citizens have any need to encrypt their E-mail?

What if everyone believed that law-abiding citizens should use postcards for their mail? If some brave soul tried to assert his privacy by using an envelope for his mail, it would draw suspicion. Perhaps the authorities would open his mail to see what he's hiding. Fortunately, we don't live in that kind of world, because everyone protects most of their mail with envelopes. So no one draws suspicion by asserting their privacy with an envelope. There's safety in numbers.
Analogously, it would be nice if everyone routinely used encryption for all their E-mail, innocent or not, so that no one drew suspicion by asserting their E-mail privacy with encryption. Think of it as a form of solidarity.

Never thought I would see the day where Tim stopped being a Cypherpunk. Everyone mark your calendars.

Perry

From llurch at networking.stanford.edu Fri May 3 04:46:21 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Fri, 3 May 1996 19:46:21 +0800
Subject: [Complete NOISE] Re: aufweidersehn, * grave$
In-Reply-To: <199605030508.WAA04132@dns1.noc.best.net>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

[ObCpherpunkRelevance: there's a good bit about bizness views of privacy and anonymity on the Internet on the home page of the class that gave birth to that Spawn of Satan WhoWhere?. See especially the Bulletins. The class lives at http://gsb-www.stanford.edu/class/M395/home.html]

ROTFL!!!!!

Many thanks to jamesd at echeque.com for forwarding me Skippy's original message.

> Glad that lying anti-racist jerk is leaving. With all his/her's
> nyms, rc graves is impossible to trust. Mike Beebe, Beowulf,
> ezundel, nietzsche, ernstzundel and others to make transparent
> trolls the ignorant anti-racist makes up.

I've never even heard of Mike Beebe, but I'll look him up on DejaNews.

Beowulf is the nym of a very real racist who is so over-the-top silly (and 1/4 Jewish) that some people don't believe he's for real. I once claimed to be "Beowulf" for laughs.

"Nietzsche at gnn.com" was a real racist who spammed widely in early January with a message smearing MLK; he later posted a lot to news.groups about the rec.music.white-power troll, but seems to have closed his account once the free hours ran out.

ezundel at alpha.c2.org is a friend of mine who reposts Ingrid's stuff to alt.fan.ernst-zundel.

ernztzundl at aol.com was a really annoying AOL troll who has thankfully gone away.
I've got enough email between him and me to prove that we're different people, and of course he knew a lot about DC that I couldn't.

Wow. At first I didn't believe that Skippy "or" Dave Harmon were anything but anti-racist spoofs, and I'm still not entirely convinced, but they're so consistently malicious that they must have something against me. I swear that "Skippy" isn't me, but on second thought, I wouldn't really mind if other people thought I was harassing myself. That would be poetic justice indeed. Maybe if we don't believe he exists, he'll go away.

So, Skippy, did you forge an unsubscribe message for tallpaul, or was that someone else? I'll take my answer OFF THE LIST, PLEASE.

- -rich

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMYmgIY3DXUbM57SdAQGmwQP+MTp0UTFkSiMKYeIbmQGpAEaC/oMns0ly
Md9IPXBraHAQsxAfWOKME4DUXMaDmL0nUPJ41lRjLH2UjaLYkjE7qEzTWAazLb9+
Ub/EwTNlqitSoOSdkxxQkgX/GXNffRr08pPUpYgcPIcrWelou6MnE2hgmf8aR2bz
gM5eIm1A3Og=
=rO9a
-----END PGP SIGNATURE-----

From mixmaster at remail.ecafe.org Fri May 3 04:50:04 1996
From: mixmaster at remail.ecafe.org (Ecafe Mixmaster Remailer)
Date: Fri, 3 May 1996 19:50:04 +0800
Subject: No Subject
Message-ID: <199605030525.GAA21397@pangaea.hypereality.co.uk>

> From: Brian D Williams
> Date: Thu, 2 May 1996 11:16:35 -0700
>
> >From cypherpunks-errors at toad.com Tue Apr 30 23:58:28 1996
> >Date: Wed, 1 May 1996 00:52:03 -0500 (CDT)
> >From: snow
> >To: "Perry E. Metzger"
> >cc: "L. Detweiler" , cypherpunks at toad.com
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >Subject: Re: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
> >MIME-Version: 1.0
> >Content-Type: TEXT/PLAIN; charset=US-ASCII
> >Sender: owner-cypherpunks at toad.com
> >Precedence: bulk
>
> Game, set, match......

No, probably done intentionally. Note the lower-case snow...

From jimbell at pacifier.com Fri May 3 05:24:30 1996
From: jimbell at pacifier.com (jim bell)
Date: Fri, 3 May 1996 20:24:30 +0800
Subject: Bit tax again?
Message-ID:

I hesitate to write about this, but the old "bit tax" idea has surfaced again, this time reported in Electronic Engineering Times, page 1, April 29, 1996 issue. I include the article below. My comments will follow in another note shortly!

Europe: Try to send it, we'll tax your bits
By Peter Clarke

Brussels, Belgium-- A report prepared for the European Commission (EC) urges it to consider levying a "bit tax" on information sent over the Internet and other networks. The recommendation runs counter to the reigning sentiment among U.S. regulators, who have sought to avoid being cast as "bit cops."

The EC report reasons that the value of the average cyberspace transaction will increase as time goes by, resulting in fewer physical transactions. The upshot, the report says, will be a shrinking government tax base.

Evidence of such a trend may already have surfaced: Use of the Internet to import goods and services electronically from outside the continent has allowed some Europeans to avoid payments under Europe's value-added-tax (VAT) system.

Luc Soete--director of the Maastricht Economic Research Institute on Innovation and Technology (Limburg, Netherlands) and chairman of the High Level Expert Group (HLEG) that prepared the report on the social aspects of the information society--has examples at the ready to prove the potential of Internet commerce to erode the tax base. Soete observed last week that sending his group's report by mail or courier, rather than electronically, would involve taxes on fuel purchases and on the profits of the companies involved in physically shuttling the document to recipients.

"As society moves toward the information society, tax revenue needs to shift emphasis from material goods to virtual goods and services," he said. "I think we will see a very rapid introduction [of such a tax structure] in one or two years' time."

Soete said he believes the tax "can be introduced in a very straightforward way.
Every telephone operator and service provider has a record of the bytes moved. They can be the tax collectors."

He acknowledged the prevailing "negative view about a bit tax" and attributed it in part to "concern that it could inhibit adoption of information technology. But once people have the technology, not many would go back. Whether the tax is 1 cent per bit or 1 cent per kbit is, of course, completely open."

At the same time, U.S. regulators, who hope to expand Internet access to schools, libraries and low-income individuals, have resisted efforts to cast them in the role of bit cops charged with monitoring Internet traffic.

Free Internet

The Federal Communications Commission, which has conducted a series of highly profitable spectrum auctions for wireless and satellite services, last week proposed reserving some wireless spectrum for free Internet access for schools and libraries.

Soete last week cast the bit tax as a progressive levy that would fall hardest on big business and that would not deter private individuals from joining the information society. Indeed, the potential of the information revolution to further polarize society is among the concerns expressed in the report.

Soete believes the bit-tax should be used to fund social security or welfare. "Labor can no longer be the source of revenue for social security," he said.

Steve Kennedy, business-development manager at the Internet service provider Demon Internet Ltd. (London) doesn't share Soete's positive view of the bit tax. "Such a tax would be very difficult to monitor and police," Kennedy asserted. "We transfer about 1.5 Gbytes of data a day, but we don't keep a lot of customer information. Who's going to pay for the equipment and software to log all this?"

He added that if his company was "simply taxed on the data transfer, we would have to pass it on to the customers, and that would penalize the small user."
The HLEG report is labelled as an interim document that is intended to generate public comment. The final report will be published by year's end. The interim report can be accessed from http://www.ispo.cec.be/hleg/hleg.html

Jim Bell jimbell at pacifier.com

From rusty at hodge.com Fri May 3 06:28:02 1996
From: rusty at hodge.com (Rusty H. Hodge)
Date: Fri, 3 May 1996 21:28:02 +0800
Subject: Sen. Patrick Leahy's PGP key now avail.
In-Reply-To: <199605030428.VAA02635@toad.com>
Message-ID:

It's really annoying when people send files to a mailing list. It's totally fucking annoying when they do it with each message they post. Please rethink this.

From unicorn at schloss.li Fri May 3 08:17:00 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Fri, 3 May 1996 23:17:00 +0800
Subject: Sen. Patrick Leahy's PGP key now avail.
In-Reply-To:
Message-ID:

On Thu, 2 May 1996, Timothy C. May wrote:

> At 5:06 AM 5/3/96, Bill Stewart wrote:

> I'd say it's 99.95% likely that the PGP key was generated by a staffer--the
> resident e-mail geek--and that only staffers know how to use PGP. (In fact,
> probably only the one staffer who generated the key and knows the
> passphrase....)

While I believe this correct, it's worth noting that Leahy is fairly "into" the technology. He finds it entertaining and "fun." All of this mostly thanks to his one time counsel John Podesta. Thanks Mr. Podesta!

He's one of the more interested congress critters.

> So, what is accomplished except "feel good" thoughts?

Admittedly, not much. I'm at least pleased he has a decently on the ball staff however who can tell him what the issues are.

> --Tim May
>
> Boycott "Big Brother Inside" software!
> We got computers, we're tapping phone lines, we know that that ain't allowed.
> ---------:---------:---------:---------:---------:---------:---------:----
> Timothy C.
May | Crypto Anarchy: encryption, digital money,
> tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
> W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
> Licensed Ontologist | black markets, collapse of governments.
> "National borders aren't even speed bumps on the information superhighway."
>
>
>
>
>

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From root at bitbucket.edmweb.com Fri May 3 09:17:33 1996
From: root at bitbucket.edmweb.com (Steve)
Date: Sat, 4 May 1996 00:17:33 +0800
Subject: Has Tim turned anti-PGP?
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

> Unless the information is "secret," why bother? It adds extra time at his
> office's end (you don't think Leahy types in his password to PGP do you?),
> and it accomplishes little.

I agree with you to this point... Personally, I don't encrypt or even sign anything I send out, unless there is a reason to. For most of the mail I send out, I don't care if third parties read it, and most of it is so unimportant that if it were altered (highly unlikely) I wouldn't care. In fact, I can't recall the last time I encrypted a message (but I've signed a couple recently).

> >From a personal viewpoint, I'm glad my key is no longer very accessible. I
> used to get PGP-encrypted messages which had no earthly reason to be
> encrypted, except that people apparently wanted to practice their PGP

Now that's just plain un-cypherpunk of you. If people want to use PGP, let them use PGP! There are so many scripts etc.
out there to make using PGP almost transparent, so decrypting your mail shouldn't be any harder than pressing a couple keys and typing in your passphrase. (I know, the passphrase is the killer.)

Whatever happened to "Cypherpunks write code" and getting crypto out there? It's not enough for it to just be out there, people have to feel free to use it. Making your pgp key "no longer very accessible" doesn't exactly support that goal.

Sorry if this is the 1001st reply you receive.

=====================================================================
| Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/)    |
| Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ |
| PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30  |
| -- Disclaimer: JMHO, YMMV, IANAL. --                              |
===================================================================:)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQEVAwUBMYncPdtVWdufMXJpAQGowggAivgMhFbR1nMKFz7wWC6h4atBBVHD+jmP
TIf/eBNj0UWXYywgfGdjS+UlrRC+u91nRmon6cWcZ7Zg5ctl0uNH6Ts162q3F3pH
GjoismTYqVFhQZMNwGI60mXUqoQShfmQz9GUX/gU9HWta7pY7xOGVwJJwL5jkAHW
ru1GtkLKVzr1ajYW+mg8Zrh+XsFTa8ruFEqN/eCx/AtOIXEmACj4qiwtDTC4WNXQ
uDWjwSeDmtn1uS121PkUdw18uzl7mV7TpBbUJojWQACC+tW5GXeyh+2aziP8WIpM
qqQyOQJ1UYzTIlXb8IBefwdsPlvKBvEaJdpmtwYLteCHMpsqSvGovQ==
=dEm6
-----END PGP SIGNATURE-----

From ml3e+ at andrew.cmu.edu Fri May 3 11:13:28 1996
From: ml3e+ at andrew.cmu.edu (Michael Loomis)
Date: Sat, 4 May 1996 02:13:28 +0800
Subject: CryptoAnarchy: What's wrong with this picture?
In-Reply-To:
Message-ID:

Excerpts from internet.cypherpunks: 2-May-96 Re: CryptoAnarchy: What's w.. by Black Unicorn at schloss.li
> I must assume either
>
> 1) He is not intimately familiar with the system of U.S. taxation (even if
> he is pro-high-tax, calling the current system 'just about right' is
> folly).

No tax system will ever be perfect, but income taxation is a good system of taxation.
Income taxation inevitably requires some accounting costs, but these costs should be going down with advances in computing technology and other technology. The goal should be to minimize these costs. I would further suggest it is remarkably childish to think that a political system will not cause some unfairness in the tax code, because it is the nature of democracy to generate some unfairness. As long as the unfairness is kept within reasonable bounds as in the case of the 1986 tax reform, I don't see this unfairness as a killing objection to income taxation. Of course, unlike most of the readership of this list, I believe that democracy is a good thing.

The one concession that I will make is the possibility that crypto technologies could make income taxation an adventure in unfairness and ultimately futility. While I prefer income taxation, VATs or sales taxes are an acceptable substitute and one can certainly run a reasonable sized government on them. Outside of crypto-cyber-carrots, I have strong doubts that crypto of any form or sophistication will be able to circumvent consumption taxation. Consumption taxation would, of course, include a tax on the amount of information coming into your computer. I don't think that the government will have any problem determining the quantity of the information & since it will be encrypted anyway, I don't see the privacy worries.

Michael Loomis

"La haine de l'autorite' est le fle'au de nos jours." Joseph de Maistre

From JeanPaul.Kroepfli at ns.fnet.fr Fri May 3 11:20:35 1996
From: JeanPaul.Kroepfli at ns.fnet.fr (Jean-Paul Kroepfli)
Date: Sat, 4 May 1996 02:20:35 +0800
Subject: PGP API & PGP 3.0
Message-ID: <01BB38EE.654DF3C0@JPKroepsli.S-IP.EUnet.fr>

I'm considering the use of PGP for bank operation in central Europe (and yes, also in France, but there -normally- only for interbank fund transfers). I have seen the PGP API stuff, but I don't know where and I haven't seen any commentaries by users.
I don't know the current state of the PGP 3.0 effort and the intermediate results, nor the respective relation of PGP API and PGP 3.0 (which has also an API).

Thanks for your advice,

Jean-Paul
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
Jean-Paul et Micheline Kroepfli (our son: Nicolas and daughter: Celine)
eMail: JeanPaul.Kroepfli at utopia.fnet.fr Also Compuserve and MSNetwork
Phone: +33 81 55 52 59 (F)       PostMail: F-25640 Breconchaux (France)
   or: +41 21 843 27 36 (CH)           or: CP 138, CH-1337 Vallorbe
Fax: +33 81 55 52 62                       (Switzerland)
Zephyr(r) : InterNet, Communication, Security and Cryptography consulting
PGP Fingerprint : 19 FB 67 EA 20 70 53 89 AF B2 5C 7F 02 1F CA 8F
"The InterNet is the most open standard since air for breathing"

From Pierre.Oberholzer at PM.CO.CH-GEN.LANDISGYR.LG-CH.CH Fri May 3 13:04:27 1996
From: Pierre.Oberholzer at PM.CO.CH-GEN.LANDISGYR.LG-CH.CH (Pierre Oberholzer)
Date: Sat, 4 May 1996 04:04:27 +0800
Subject: (fwd) E-Commerce Info. Needed
In-Reply-To: <960503034747_103007.3426_GHU46-1@CompuServe.COM>
Message-ID: <0054131403051996/A13135/PBMS01/11A51B8D3400*@MHS>

* I am writing a paper on electronic commerce, and I wonder if anyone happens to
* know of interesting URLs addressing the subject, including security issues?
* If you know of a good location for electronic commerce/security information,
* please email me directly
* at the following address:
* 103007.3426 at compuserve.com
* THANKS A LOT!! Sally
*

If you get any information, please let me know. I am also quite interested in the subject.

Pierre Oberholzer

From jya at pipeline.com Fri May 3 13:32:37 1996
From: jya at pipeline.com (jya at pipeline.com)
Date: Sat, 4 May 1996 04:32:37 +0800
Subject: Dole Backs Crypto Export
Message-ID: <199605031309.JAA16482@pipe2.nyc.pipeline.com>

Financial Times, May 3, 1996, p. 7.
Dole backs removal of software export ban

By Louise Kehoe in San Francisco

Senator Bob Dole, the presumptive Republican presidential candidate, yesterday threw his support behind proposed legislation to remove US export restrictions on computer software used to encode Internet messages.

The new Security and Freedom through Encryption bill introduced yesterday by several Republican senators and congressmen, also rejects a controversial Clinton administration proposal to enable law enforcement agencies to unlock encoded electronic messages.

For Senator Dole, the encryption bill provides an opportunity to seek support from Silicon Valley high-tech leaders many of whom backed Mr Bill Clinton in 1992, and to boost his election campaign efforts in California.

"The administration's misguided proposal on encryption amounts to a pair of cement shoes for Silicon Valley," said Senator Dole. "It seems to me that a new pair of track shoes might be a better answer. The administration's big brother proposal will literally destroy America's computer industry," he said.

Encryption software is currently classified as "munitions" and exports are strictly limited by the US state department. US and other western intelligence and law enforcement agencies are opposed to the commercial use of the most powerful encryption methods which they argue could be used to mask criminal or terrorist activities by effectively preventing wire-taps.

However, US software companies maintain that the current export restrictions threaten US pre-eminence in the world software market. A study by the Computer Systems Policy Project, a computer industry group, estimated that within four years the US economy would lose $60bn in revenues and roughly 216,000 jobs as a result of encryption export controls.

Moreover, current regulations, which allow export only of "weak" encryption, are unacceptable because such encoding has been demonstrated to be ineffective.
Last year, for example, students in France were able to break encryption which is used in the export version of Netscape Communication's popular Internet browser software.

The limited availability of strong encryption software is also blocking the progress of electronic commerce on the Internet, US computer experts argue, because companies and individuals are reluctant to make electronic payments over the Internet without assurance of security.

-----

From perry at piermont.com Fri May 3 15:37:54 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Sat, 4 May 1996 06:37:54 +0800
Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
In-Reply-To: <3189A993.A19@netscape.com>
Message-ID: <199605031303.JAA24332@jekyll.piermont.com>

Jeff Weinstein writes:
> Perry E. Metzger wrote:
> > Netscape with Java cannot be so tested because important components
> > come down off the net. So no, I'm not holding Netscape with Java to a
> > higher standard. I'm very much holding it to the same standard.
>
> The Netscape Administration Kit will allow a site security admin
> to create a configuration that disables Java, and does not allow the
> user to enable it. If your customers require netscape, perhaps this
> is an option that will make you more comfortable.

It certainly makes me feel more comfortable. The problem I have is that I expect that increasingly pages will arise for which information can only be extracted with the use of Java. Some flunky from some desk will come up and scream "what do you mean I can't get a copy of Foo Corporation's merger press release because we won't run some program! That's bullshit! Do you know how much money the risk arb desk pulls in, you twit! This must never happen again! Fix it immediately!"

Luckily things aren't quite at that stage yet, but it's only a matter of time.

When you create a tool like this, you have a certain degree of, dare I say it, community responsibility.
Once you've hyped the tool enough and made it ubiquitous, people at some point are going to claim that they *need* it, at which point the security people have no choice but to do something that gives them nightmares.

Perry

From liberty at gate.net Fri May 3 16:17:18 1996
From: liberty at gate.net (Jim Ray)
Date: Sat, 4 May 1996 07:17:18 +0800
Subject: CryptoAnarchy: What's wrong with this picture?
Message-ID: <199605031414.KAA32390@osceola.gate.net>

-----BEGIN PGP SIGNED MESSAGE-----

[I must *try* to quit rising to all this bloody bait, but:]

Michael Loomis wrote:

>[..."unfairness is kept within reasonable bounds"..."reasonable
> sized government"...]

I'm sure that we all agree on the meaning of the term, "reasonable."

>Consumption taxation would, of course,
>include a tax on the amount of information coming into your computer. I
>don't think that the government will have any problem determining the
>quantity of the information & since it will be encrypted anyway, I don't
>see the privacy worries.

This would give a whole new meaning to the term "mailbomb," no?

JMR

Regards, Jim Ray

"The FAA, FBI, Customs, CIA, Justice, DEA and the IRS were all involved in Mena. They won't say how they were involved, but they will tell you there is nothing there." -- Bill Plante, CBS News Correspondent, & Michael Singer, Producer, CBS News, New York. in Tuesday, May 3, 1994's Wall Street Journal letters to the editor section.
_______________________________________________________________________
PGP key Fingerprint 51 5D A2 C3 92 2C 56 BE 53 2D 9C A1 B3 50 C9 C8
Public Key id. # E9BD6D35 -- http://www.shopmiami.com/prs/jimray
_______________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Freedom isn't Freeh.
iQCVAwUBMYoTt21lp8bpvW01AQE4WQP+KQyztz4V6jfYvboOrDhLLuItlTzkLmIv
6TfM3/7O+fLoNcyKXGOEmgc5y7j0/IiiXJJtMsDCsfH/ONpyEAY1GRnfREgMv9HW
OezSVVhYd/xoKg6pouAaWgZ2cD3RlH8SeE7LqCkeZhAXdcXHiNIAK8mAv78Eln0y
KjzImXWG9dw=
=ieam
-----END PGP SIGNATURE-----

From jpps at voicenet.com Fri May 3 16:36:43 1996
From: jpps at voicenet.com (Jack P. Starrantino)
Date: Sat, 4 May 1996 07:36:43 +0800
Subject: Sen. Patrick Leahy's PGP key now avail.
In-Reply-To:
Message-ID: <199605031509.LAA12680@omni2.voicenet.com>

Tim May wrote:
> Unless the information is "secret," why bother? ...

I think it's worth the bother as a necessary step in the process of making email match people's naive expectations: that they are sending sealed letters, not postcards. I think it's particularly valuable in this case to reinforce the point in the Senator's mind that some of us want envelopes for our email, and that we require the technology needed to accomplish this.

jps
--
Jack P. Starrantino jpps at voicenet.com http://www.voicenet.com

From jseiger at cdt.org Fri May 3 16:54:43 1996
From: jseiger at cdt.org (Jonah Seiger)
Date: Sat, 4 May 1996 07:54:43 +0800
Subject: Burns Bill
Message-ID:

Bill Frantz writes:
> A quick read thru the text of the bill (via http://www.cdt.org/crypto/)
> shows none of the principal objectionable features of the Leahy bill.
> (Standards for key escrow agents, and additional criminal penalties for
> using encryption to hinder an investigation.)
>
> This bill has some obscure, to me, exceptions. The most troubling of which
> I think means (IANAL) that export can be restricted if there is a
> reasonable expectation that the hard/software will be reexported to one of
> the countries on the extreme bad boys list.

I will point out that as things stand under U.S. law you aren't even allowed to export toilet paper if the expectation is that the ultimate customer is on the extreme bad boys list.
Although as a libertarian I find any such provision distasteful I cannot see that we are badly off if the rules for exporting crypto and exporting toilet paper are roughly similar.

> in any case, it is not clear how passage of the bill could possibly
> make things worse.

I think that is key.

Perry

* PROTECT THE INTERNET AND THE FUTURE OF FREE SPEECH IN THE INFORMATION AGE *
Join the legal challenge against the Communications Decency Act!
For More Information, Visit the CIEC Web Page http://www.cdt.org/ciec/ or email
--
Jonah Seiger, Policy Analyst    Center for Democracy and Technology
                                1634 Eye Street NW, Suite 1100
                                Washington, DC 20006
                                (v) +1.202.637.9800
PGP Key via finger              (f) +1.202.637.0968
http://www.cdt.org/
http://www.cdt.org/homes/jseiger/

From jamesd at echeque.com Fri May 3 16:57:31 1996
From: jamesd at echeque.com (jamesd at echeque.com)
Date: Sat, 4 May 1996 07:57:31 +0800
Subject: CryptoAnarchy: What's wrong with this picture?
Message-ID: <199605031505.IAA15514@dns1.noc.best.net>

At 07:05 AM 5/3/96 -0400, Michael Loomis wrote:
>No tax system will ever be perfect, but income taxation is a good
>system of taxation. Income taxation inevitably requires some accounting
>costs, but these costs should be going down with advances in computing
>technology and other technology.

The income tax necessarily violates privacy in ways that were thought outrageous a few when it was first introduced. There were numerous cartoons on the subject, but people accepted it because only the rights of a tiny handful of very rich people were going to be violated.

(I hear the same argument all the time on the privacy list, where lots of people want the government to have root access to the computers of the evil capitalist overlords in order that the government can protect their privacy.)
As our capacity to protect our privacy and still engage in complex extended transactions improves, I expect that once again the income tax will come to be seen as an intolerable and utterly unacceptable violation of people's rights and future generations will be amazed at our ignorant barbarity.

 ---------------------------------------------------------------------
                                       |
We have the right to defend ourselves  |   http://www.jim.com/jamesd/
and our property, because of the kind  |
of animals that we are. True law       |   James A. Donald
derives from this right, not from the  |
arbitrary power of the state.          |   jamesd at echeque.com

From gary at systemics.com Fri May 3 16:58:07 1996
From: gary at systemics.com (Gary Howland)
Date: Sat, 4 May 1996 07:58:07 +0800
Subject: encrypted Unix backup software
In-Reply-To: <199605030102.UAA06977@linkdead.paranoia.com>
Message-ID: <318A2206.69D8BD19@systemics.com>

VaX#n8 wrote:
>
> Okay, before you flame me and tell me to pipe it through
> a symmetric cipher filter, hear me out. Tape handling is
> hairy, depending on what kind of functionality you want. A regular
> filter may write(2) in strangely sized blocks, not working very well
> with your tape drive.

This is what I use:

    tar -c --block-compress --sparse --atime-preserve --use-compress-program /usr/local/bin/destape .

and /usr/local/bin/destape looks like this:

    #!/usr/local/bin/bash
    # tar runs this filter with no argument to compress and with -d to decompress
    if [ -z "$1" ]
    then
        # writing the archive: compress, then encrypt
        gzip | /usr/local/bin/des -bE3
    else
        # reading the archive: decrypt, then decompress
        /usr/local/bin/des -bD3 | gzip -d
    fi

I also back up the des/gzip/tar unencrypted to the start of the tape too.

Gary
--
pub 1024/C001D00D 1996/01/22 Gary Howland
Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06

From warlord at MIT.EDU Fri May 3 18:15:09 1996
From: warlord at MIT.EDU (Derek Atkins)
Date: Sat, 4 May 1996 09:15:09 +0800
Subject: PGP API & PGP 3.0
In-Reply-To: <01BB38EE.654DF3C0@JPKroepsli.S-IP.EUnet.fr>
Message-ID: <9605031622.AA27676@bart-savagewood.MIT.EDU>

The PGP Library is currently under development.
I have a draft API document, but it is not complete (I still need to finish documenting the key management functions). I'd like to get it to a state where I can "publicly" release it soon -- then again I've been saying that for a while. If you have more questions, you can contact me personally via email.

-derek

From sameer at c2.org Fri May 3 18:44:18 1996
From: sameer at c2.org (sameer at c2.org)
Date: Sat, 4 May 1996 09:44:18 +0800
Subject: proposed anti-pseudospoofing law in Georgia
In-Reply-To: <199605021952.MAA18471@netcom16.netcom.com>
Message-ID: <199605031638.JAA24955@atropos.c2.org>

"anti-psuedospoofing". He really has given up pretending not to be detweiler.

--
Sameer Parekh                    Voice:   510-601-9777x3
Community ConneXion, Inc.        FAX:     510-601-9734
The Internet Privacy Provider    Dialin:  510-658-6376
http://www.c2.net/ (or login as "guest")  sameer at c2.net

From reagle at MIT.EDU Fri May 3 19:19:31 1996
From: reagle at MIT.EDU (Joseph M. Reagle Jr.)
Date: Sat, 4 May 1996 10:19:31 +0800
Subject: Here is some E-Commerce Info.
Message-ID: <9605031640.AA16752@rpcp.mit.edu>

At 11:47 PM 5/2/96 EDT, Sally D. McMillan wrote:
>I am writing a paper on electronic commerce, and I wonder if anyone happens to
>know of interesting URLs addressing the subject, including security issues?
>If you know of a good location for electronic commerce/security information,
>please email me directly
>at the following address:
>103007.3426 at compuserve.com
>THANKS A LOT!! Sally

Tons of it on every topic:

http://ccs.mit.edu/15967/groups.html

_______________________
Regards,   Men govern nothing with more difficulty than their tongues, and can moderate their desires more than their words.
-Spinoza
Joseph Reagle    http://farnsworth.mit.edu/~reagle/home.html
reagle at mit.edu    E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E

From pjm at spe.com Fri May 3 19:34:47 1996
From: pjm at spe.com (Patrick May)
Date: Sat, 4 May 1996 10:34:47 +0800
Subject: SF South Bay: So WhoWhere wants to meet with people interested in online privacy and security...
In-Reply-To:
Message-ID: <199605031729.KAA00641@gulch.spe.com>

Rich Graves writes:
> For a good demonstration of why WhoWhere? is not necessarily the greatest
> thing since spice racks, look up "Louis Freeh," "Fuck You," "Asshole,"
> "System Privileged User," and "Stephen Hawking." I keep telling them that
> they'd better remove this last, but they don't consider it a priority.

If you want further evidence of their technical skills, look up my name. I'm responsible for the corp at spe.com account. WhoWhere has therefore decided that I am responsible for every "corp" account in their database and has attached my name to each and every one. I informed them of this several weeks ago but they are evidently not interested in cleaning up their service.

Being both socially and technically challenged, perhaps they want your Fucking Statist input on obtaining a government grant for a clue-free business.

pjm

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 3 20:50:54 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 4 May 1996 11:50:54 +0800
Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
Message-ID: <01I49T6J284A8Y56P8@mbcl.rutgers.edu>

From: "Perry E. Metzger"

>It certainly makes me feel more comfortable. The problem I have is
>that I expect that increasingly pages will arise for which information
>can only be extracted with the use of Java. Some flunky from some desk
>will come up and scream "what do you mean I can't get a copy of
>Foo Corporation's merger press release because we won't run some
>program! That's bullshit!
Do you know how much money the risk arb desk
>pulls in, you twit! This must never happen again! Fix it immediately!"

Might I suggest setting up another computer with Java enabled, and _without_ the critical applications? Somehow, I think they can afford an extra computer for each desk - it wouldn't have to be a high-capability one. That would also cure having to have Netscape and other high-network-access programs on the same computers as the critical applications. (Of course, some of the critical applications may also need to access the Internet... but they probably wouldn't need http capability.)

Of course, feel free to tell me that I don't know what I'm talking about.

-Allen

From brerrabbit at alpha.c2.org Fri May 3 21:22:32 1996
From: brerrabbit at alpha.c2.org (brerrabbit at alpha.c2.org)
Date: Sat, 4 May 1996 12:22:32 +0800
Subject: CryptoAnarchy: What's wrong with this picture?
Message-ID: <199605031831.LAA15730@infinity.c2.org>

-----BEGIN PGP SIGNED MESSAGE-----

Sandy Sandfort wrote:
>A couple of generations ago, only multinationals and the super
>rich could avail themselves of offshore banks, asset protection
>trust, foreign incorporation, etc. Fifteen years ago, I was
>helping members of the upper middle class do the same thing.
>
>Today, virtually anyone on this list can afford these techniques.
>Non-US people have been using them for years. The reason middle
>class Americans aren't savvy that yet are ignorance and inertia.
>Everyday, Americans are becoming less parochial (due in part,
>ironically, to government hysteria about money laundering) about
>such possibilities. As the Clintons and Doles turn up the tax
>and regulatory heat, they will also overcome their inertia.

Do tell. How would someone, just for instance, who is considering leaving a "permanent" job for the higher compensation available to contractors and consultants be able to structure a business in such a way as to benefit from these techniques?
If we assume a rate of between $60/hour and $125/hour (typical in Boston, New York, and the Silicon Valley), how much can one save? How much effort and money is required? How much risk is involved?

There are many books on the shelves claiming to show how to avoid taxes using these techniques. Most of them have the smell of "dangerous crackpot" about them. Can you recommend any in particular?

If this is too far off topic for cypherpunks I'd be interested in learning of a more appropriate forum.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMYpJ68NGLex6dhF9AQHKLgQAh2/j23rG3RP0VFNVcsNIUphgWjTG0mlE
ojXWJ29el616YCfKHpwXzT2v9+wThdQByp047qf8zXGqsjuf5ld2rkWxgap840JH
S4Wf1GkxdcCFM9Vq3Ks955YtWdWIz4PrngxEpPU6lmXTIY2Vk17HTRJoZBKJLwW0
iAPchDVd+kg=
=7bKv
-----END PGP SIGNATURE-----

From perry at piermont.com Fri May 3 21:40:41 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Sat, 4 May 1996 12:40:41 +0800
Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
In-Reply-To: <01I49T6J284A8Y56P8@mbcl.rutgers.edu>
Message-ID: <199605032013.QAA24832@jekyll.piermont.com>

"E. ALLEN SMITH" writes:
> Might I suggest setting up another computer with Java enabled, and
> _without_ the critical applications? Somehow, I think they can afford an
> extra computer for each desk

Money is not a problem, but space is. There is never any room on a trading floor. Space is at an amazing premium.

Perry

From tcmay at got.net Fri May 3 21:43:47 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 4 May 1996 12:43:47 +0800
Subject: Why Leahy is No Friend of Ours
Message-ID:

At 8:34 AM 5/3/96, Black Unicorn wrote:
>On Thu, 2 May 1996, Timothy C. May wrote:
>> I'd say it's 99.95% likely that the PGP key was generated by a staffer--the
>> resident e-mail geek--and that only staffers know how to use PGP. (In fact,
>> probably only the one staffer who generated the key and knows the
>> passphrase....)
>
>While I believe this correct, it's worth noting that Leahy is fairly
>"into" the technology. He finds it entertaining and "fun." All of this
>mostly thanks to his one time counsel John Podesta. Thanks Mr. Podesta!
>
>He's one of the more interested congress critters.
>
>> So, what is accomplished except "feel good" thoughts?
>
>Admittedly, not much. I'm at least pleased he has a decently on the ball
>staff however who can tell him what the issues are.

"Decently on the ball"? I hope you are being ironic.

Leahy is no friend of ours. Recall that he chaired the hearings on the FBI's "Digital Telephony" massive wiretap proposal, and co-sponsored the legislation (with former FBI agent Don Edwards). This "sleeping giant" of legislation is still out there, and has not been consigned to the junk heap. It becomes operative--that is, the $10,000 per day penalties for noncompliance with the law mandating telecom systems be DT-compliant--in October 1997.

(There is ongoing discussion of whether the $500 million to be paid to the phone companies is going to be allocated, and whether those companies (such as "Tim's Cheap Internet Phone Company") which fail to get some of this lucre as it is handed out are then exempt....the consensus seems to be that some of the $500 million will be allocated as a sop to the phone companies, but that large numbers of smaller companies will still be expected to be compliant when a wiretap order is presented to them. This even if they never got a dime.

The implications for the Internet and for increasingly popular "Internet phone" systems are interesting. As I understand the DT language, such systems would have to be made compliant with wiretap requests, or face the $10K/day penalties. This could force many ISPs, in the U.S. of course, to take steps to immediately restrict certain programs, or even [speculatively] force them to become compliant by some form of key escrow, where they would keep a copy of a key for presentation to law enforcement.
[More speculation by me: the combination of the Wiretap Act, the Anti-Terrorism Act, and the still-ongoing work on key escrow (TIS is still pushing their system, Lotus hasn't backed down, Denning still says it's needed, etc.) could mean that ISPs move to restrict use of crypto in various ways, possibly mandating escrowed encryption.

Several of us (Black Unicorn, Duncan Frissell, me, etc.) may point out the practical difficulties involved in such enforcement, and the longterm dim prospects for success. But the fact is that ISPs are a kind of "choke point" for halting certain things. I have a feeling I know what my ISP will say if he gets a court order and a $10,000 per day penalty faces him.

Those who access the Net directly, through their own companies and/or by having boxes hanging directly on the Net, will be less vulnerable to this kind of pressure. But the Netcoms, PSI, Earthlinks, AOLs, and such will likely run into trouble the first time a court order is presented to make certain Internet phone conversations tappable....

(I have long argued for this view that certain "choke points" will be identified. These are the points of leverage--often companies--which law enforcement can lean on. Whit Diffie made similar points a few years ago, that drug laws were "enforced" inside companies (who previously didn't care whether employees smoked dope on their time off, so long as they did the job), with urine tests, threats of civil forfeiture of company assets if even small amounts of drugs were found in the possession of employees, etc. The "War on Drugs" effectively pressed companies into service as soldiers.)

Sure, a few services will decide to fight such penalties in court and seek to have Digital Telephony thrown out in court. Deep pockets will be required. Maybe they'll prevail. Maybe the Burns Bill will collide with Digital Telephony. Unclear at this time.
But no Congressman who co-sponsors such legislation as the "National Wiretap Initiative," with its "1% of the engineering capacity" requirements and other such Big Brother Surveillance State clauses, is a friend of ours.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From vboykod at eldorado.stern.nyu.edu Fri May 3 22:04:42 1996
From: vboykod at eldorado.stern.nyu.edu (Victor Boyko)
Date: Sat, 4 May 1996 13:04:42 +0800
Subject: The Joy of Java
In-Reply-To:
Message-ID: <9605031933.AA24575@eldorado.stern.nyu.edu>

>>>>> "Dan" == Dan Busarow writes:

Dan> At Usenix 96 in San Diego it was pointed out that applets are
Dan> an aberration. This is a complete language designed to
Dan> displace C++, Visual Basic and other OO languages. Thinking
Dan> of Java as simply a Web enhancement tool is short sighted.

Dan> Personally it is more attractive than C++ for product
Dan> development and we are trying to get it on FreeBSD, SCO
Dan> UnixWare and SCO OSR5. Using Java for applets _only_ is like
Dan> @#$% your mother... Most of us are not into it.

I have been doing work in Java for the past half a year or so (most recent project: implementing SSL 3.0). I can't say I don't like it at all, but I like C++ much more. Here are my thoughts about the issue. Since there is a subjective component to choosing a programming language, flamewars are very likely to erupt when you say "Language A is much better than Language B", but it may still be interesting to read others' opinions.
As I see it, Java as a language is basically

    (C++) + (garbage collection) - (templates) - (operator overloading) - (multiple inheritance) - ...

Garbage collection is a very useful thing in many cases (though in some it may be a great slowdown), but there is no real reason not to incorporate GC into a C++ implementation, or at least give the user an option of doing it.

On the other hand, templates are an extremely useful feature, since they allow huge amounts of code reuse (Wei Dai's crypto++ library is a great example of the use of templates). They also enable a C++ programmer to do such things as run-time array boundary checking (refuting one of the traditional arguments about the dangers of C++), or a type which is a subrange of another. Java programs can have some template-like functionality through the use of the Object class, but that is very limited. For instance, compare the following hypothetical Java code

    List l;
    l.append(new Integer(1));
    l.append(new Integer(2));
    int x = ((Integer)(l.head())).intValue();

with this C++

    List<int> l;
    l.append(1);
    l.append(2);
    int x = l.head();

The second version is clearly more readable. It would also be more efficient since no run-time conversions would be done. There are also situations in which templates would work, but Objects would not. For instance, it is very easy in C++ to make a template class Range that would be a subrange [min, max] of type, and would do run-time checks for any assignments. There is no way you can do this in Java.

Java also lacks operator overloading. 'V = M*W + A' (where V, W, and A are vectors, and M is a matrix) is much easier to read than 'V = Vector.add(Matrix.multiply(M, W), A)'. The same would apply to a big integer class.

The lack of multiple inheritance is somewhat alleviated with the use of interfaces, but there are cases where this is not enough. The crypto++ library uses a lot of nontrivial multiple inheritance.
Another strange deficiency of Java is that there is only one way to pass parameters. All class parameters are passed by reference, while all primitive-type parameters are passed by value. What if you need to pass an integer by reference? Also, when you pass a class parameter, the method can modify it arbitrarily, since Java does not allow constant variables.

As for the usual complaint "C++ has pointers which are unsafe!!!", the following can be said. First, Java has pointers too: all class objects are actually pointers to data, so, for instance, "A = B" in Java would mean "Make A a pointer to the same location as B", not the traditional meaning "Make A a copy of B". Second, when it is said that C++ pointers are unsafe, usually two things are meant: C++ allows you to cast a pointer of one type to a pointer of another type, and C++ allows for pointer arithmetic. Both of these features are not needed in virtually all programs (they were probably retained only for C compatibility), except those that interface with the low-level system calls. Also, both of them can only be invoked explicitly. Thus, the programmer who uses them has only himself to blame if anything goes wrong.

In summary, I don't see Java as the new great language that is going to replace C++ in the standalone application arena, even if Java ran as fast as C++. It is true that Java has a nice standard library (including threads), but there is no reason whatsoever why a library with a very similar interface could not be written in C++.

On the other hand, considering Java as a language specifically for applets is a completely different matter. Here it does not compete with C++. The competitors -- Safe-Perl, Python, and Safe-TCL (and perhaps some Scheme-like languages) -- don't stand a chance without being supported by Netscape. Thus I would say that Java became so popular for the following reasons:

- It was developed by Sun.
- It was licensed by Netscape.
- It is C++ -like.
- JDK (and its source) were made freely available.

Constructive comments and discussion of this issue would be appreciated, but send the flames to /dev/null.

Sincerely,
Victor Boyko
--
Victor Boyko http://galt.cs.nyu.edu/students/vb1890/
To get my PGP key, finger or send e-mail with subject "send pgp key".

From richieb at teleport.com Fri May 3 22:14:18 1996
From: richieb at teleport.com (Rich Burroughs)
Date: Sat, 4 May 1996 13:14:18 +0800
Subject: Conrad_Burns@burns.senate.gov: Open Letter to Internet Community From Senator Burns
Message-ID: <2.2.32.19960503200718.00724dc4@mail.teleport.com>

At 01:45 PM 5/3/96 -0500, John Deters wrote:
[snip]
>I agree that this could be the single most important piece of legislation to
>affect the cypherpunks ever -- firmly defining the legal status of
>encryption (and in our favor, no less!)
[snip]

I sent email today to Senators Burns and Leahy thanking them for their work on this issue, and I'm asking others who support their efforts to do the same. They've got some hard work ahead of them to get this bill through, I think, and I wanted to let them know their efforts are appreciated.

I also pointed out to Senator Leahy, politely but firmly, my concern over this provision in the ECPA (which he mentioned in his letter, so I'm assuming he considers it still on the table):

"Whoever willfully endeavors by means of encryption to obstruct, impede, or prevent the communication of information in furtherance to a felony which may be prosecuted in a court of the United States, to an investigative or law enforcement officer shall-

"(1) in the case of a first conviction, be sentenced to imprisonment for not more than 5 years, fined under this title, or both; or

"(2) in the case of a second or subsequent conviction, be sentenced to imprisonment for not more than 10 years, fined under this title, or both."
>] (2) Miniaturization, disturbed computing, and
>                       ^^^^^^^^^^^^^^^^^^^^
>] reduced transmission costs make communication via
>] electronic networks a reality.
>
>I think "disturbed computing" pretty much sums up this list, if not the
>entire net! :-)

:)

Rich
______________________________________________________________________
Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb
See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon
New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause

From sameer at c2.org Fri May 3 22:19:13 1996
From: sameer at c2.org (sameer at c2.org)
Date: Sat, 4 May 1996 13:19:13 +0800
Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
In-Reply-To:
Message-ID: <199605031937.MAA10801@clotho.c2.org>

> Does it prevent the user from downloading an unrestricted copy from
> Netscape's ftp site or installing one brought from home?
>

No, but that's what policies like "We find Netscape 2.0 on your machine and you are fired the next day" are for. (I know of one major silicon valley computer manufacturer with such a policy. Others probably exist as well.)

--
Sameer Parekh                    Voice:   510-601-9777x3
Community ConneXion, Inc.        FAX:     510-601-9734
The Internet Privacy Provider    Dialin:  510-658-6376
http://www.c2.net/ (or login as "guest")  sameer at c2.net

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 3 22:20:10 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 4 May 1996 13:20:10 +0800
Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
Message-ID: <01I49Y21S0J88Y56P8@mbcl.rutgers.edu>

From: IN%"perry at piermont.com" 3-MAY-1996 16:14:04.28

>Money is not a problem, but space is. There is never any room on a
>trading floor. Space is at an amazing premium.

Would switchable monitors, mice, and keyboards be a possible solution (with placement of the CPUs in another location), or are your users too permanently technically incompetent?
I would hope the latter would not be the case given the technological nature of the modern trading field.
-Allen

From shamrock at netcom.com Fri May 3 22:25:47 1996
From: shamrock at netcom.com (Lucky Green)
Date: Sat, 4 May 1996 13:25:47 +0800
Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
Message-ID:

At 23:37 5/2/96, Jeff Weinstein wrote:
>Perry E. Metzger wrote:
>> Netscape with Java cannot be so tested because important components
>> come down off the net. So no, I'm not holding Netscape with Java to a
>> higher standard. I'm very much holding it to the same standard.
>
> The Netscape Administration Kit will allow a site security admin
>to create a configuration that disables Java, and does not allow the
>user to enable it. If your customers require netscape, perhaps this
>is an option that will make you more comfortable.

Does it prevent the user from downloading an unrestricted copy from Netscape's ftp site or installing one brought from home?

Disclaimer: My opinions are my own, not those of my employer.

-- Lucky Green
PGP encrypted mail preferred.

From vznuri at netcom.com Fri May 3 22:28:39 1996
From: vznuri at netcom.com (Vladimir Z. Nuri)
Date: Sat, 4 May 1996 13:28:39 +0800
Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
In-Reply-To: <199605030038.UAA21763@jekyll.piermont.com>
Message-ID: <199605032009.NAA22938@netcom16.netcom.com>

Perry, perhaps you might be interested in outlining how Java designers might incorporate the concept of "defense in depth" that allows for even buggy implementations to have security. again, your criticisms of it sound like they might potentially be ameliorated by a secure implementation of Java. remember, Java is a language, not necessarily an implementation. designers have some way in the way they actually implement the language. an implementation with the zillions of firewalls or whatever you are advocating for the financial industry might actually emerge.
but again, the Java designers never claimed that "Perry Metzger will be able to use Java in his mission critical funds transfer application". your ranting against it has decreased noticeably in intensity but I don't think it was ever justified in the first place.

From tcmay at got.net Fri May 3 22:47:11 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 4 May 1996 13:47:11 +0800
Subject:
Message-ID:

At 5:02 PM 5/3/96, nmunro at technews.com wrote:
>subsribe neil
>munro

OK, I will "subsribe" you. On the off chance that you meant "subscribe", instructions follow at the end of this message.

The Cypherpunks list is handled with the "Majordomo" automated list handler. All commands must be addressed to majordomo at toad.com, not to the readers of the Cypherpunks list.

How to subscribe to the Cypherpunks mailing list: send a message to "majordomo at toad.com" with the body message "subscribe cypherpunks". To unsubscribe, send the message "unsubscribe cypherpunks" to the same address. For help, send "help cypherpunks". Don't send these requests to the Cypherpunks list itself. And be aware that the list generates between 40 and 100 messages a day.

From frantz at netcom.com Fri May 3 22:49:58 1996
From: frantz at netcom.com (Bill Frantz)
Date: Sat, 4 May 1996 13:49:58 +0800
Subject: [RANT]Re: CryptoAnarchy: What's wrong with this picture?
Message-ID: <199605031826.LAA17003@netcom8.netcom.com>

At 7:05 AM 5/3/96 -0400, Michael Loomis wrote:
>No tax system will ever be perfect, but income taxation is a good
>system of taxation. Income taxation inevitably requires some accounting
>costs, but these costs should be going down with advances in computing
>technology and other technology...

My principal objection to the income tax is not the money, but the bookkeeping. When I am earning the money to pay my taxes, at least I am working at jobs that maximize my enjoyment and earnings. When I do the bookkeeping, I am doing a job I hate. (I'd rather be digging out septic tanks.)
I have no choice but to do that job.

Fortunately, I have a wonderful wife who does the bookkeeping. However, come tax time, she spends far too many evenings and weekends glued to the bookkeeping.

------------------------------------------------------------------------
Bill Frantz | The CDA means | Periwinkle -- Computer Consulting
(408)356-8506 | lost jobs and | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From perry at piermont.com Fri May 3 22:57:16 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Sat, 4 May 1996 13:57:16 +0800
Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
In-Reply-To: <01I49Y21S0J88Y56P8@mbcl.rutgers.edu>
Message-ID: <199605032050.QAA24948@jekyll.piermont.com>

"E. ALLEN SMITH" writes:
> From: IN%"perry at piermont.com" 3-MAY-1996 16:14:04.28
>
> >Money is not a problem, but space is. There is never any room on a
> >trading floor. Space is at an amazing premium.
>
> Would switchable monitors, mice, and keyboards be a possible solution
> (with placement of the CPUs in another location), or are your users too
> permanently technically incompetent?

The users can't afford not to have the numbers they are watching not in front of them, even for brief periods. It's a real problem.

And yes, this isn't a joke. They all eat lunch on the trading floor so they don't have to leave their desks. They race back and forth to the bathroom. The environment is tough.

.pm

From jad at dsddhc.com Fri May 3 22:57:39 1996
From: jad at dsddhc.com (John Deters)
Date: Sat, 4 May 1996 13:57:39 +0800
Subject: Conrad_Burns@burns.senate.gov: Open Letter to Internet Community From Senator Burns
Message-ID: <2.2.32.19960503184538.00380e00@labg30>

At 08:22 PM 5/2/96 -0400, Perry Metzger forwarded the following to the list:
[deleted]
> In the meantime, I need your help in supporting the effort to repeal
> cryptography export controls. You can find out more by visiting my
> web page http://www.senate.gov/~burns/.
There you will find a
> collection of encryption education resources that my Webmaster has
> assembled. I trust that the entire Internet community, from the
> old-timers to those just starting to learn about encryption, will find
> this information useful.
[deleted]
> Conrad Burns
> United States Senator

I agree that this could be the single most important piece of legislation to affect the cypherpunks ever -- firmly defining the legal status of encryption (and in our favor, no less!)

However, did anyone actually read it (it's at http://www.cdt.org/crypto/pro_CODE_bill.html )? Here's a nice bit of section 2:

]SEC.2.FINDING;PURPOSE
]
] (a) FINDINGS. - The Congress finds the following:
]
] (1) The ability to digitize information makes
] carrying out tremendous amounts of commerce and
] personal communication electronically possible.
] (2) Miniaturization, disturbed computing, and
                       ^^^^^^^^^^^^^^^^^^^^
] reduced transmission costs make communication via
] electronic networks a reality.

I think "disturbed computing" pretty much sums up this list, if not the entire net! :-)

-j
--
J. Deters

From our _1996_Conflict_of_Interest_Statement_, re: our No Gift policy: "If you receive any alcoholic beverages, for example, a bottle of wine, you must give the gift to your location Human Resources Manager." This memo is from the Senior V.P. of Human Resources.

+---------------------------------------------------------+
| NET: jad at dsddhc.com (work) jad at pclink.com (home) |
| PSTN: 1 612 375 3116 (work) 1 612 894 8507 (home) |
| ICBM: 44^58'33"N by 93^16'42"W Elev. ~=290m (work) |
| PGP Key ID: 768 / 15FFA875 |
+---------------------------------------------------------+

From perry at piermont.com Fri May 3 22:58:08 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Sat, 4 May 1996 13:58:08 +0800
Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
In-Reply-To: <01I49YKIF9PQ8Y56P8@mbcl.rutgers.edu>
Message-ID: <199605032136.RAA25079@jekyll.piermont.com>

"E.
ALLEN SMITH" writes:
> >And yes, this isn't a joke. They all eat lunch on the trading floor so
> >they don't have to leave their desks. They race back and forth to the
> >bathroom. The environment is tough.
>
> I should have remembered this from reading Liar's Poker; thank you.
> (One wonders if any of them will start using catheters...)

Don't suggest it too loudly.

.pm

From llurch at networking.stanford.edu Fri May 3 23:09:59 1996
From: llurch at networking.stanford.edu (Richard Charles Graves)
Date: Sat, 4 May 1996 14:09:59 +0800
Subject: L. Detweiler is a CyberAngel
Message-ID: <199605031809.LAA21643@Networking.Stanford.EDU>

ROTFL. From
http://snyside.sunnyside.com/cpsr/nii/cyber-rights/Library/Announcements/CyberAngels-Safesurf

Special mention must go to an ongoing debate about anonymous remailers, which was an area where we were less informed. Thanks to an154280 at anon.penet.fi for lots of very helpful suggestions. For those of you interested in the debate about anonymity we have two suggestions: firstly we have a HUGE FAQ on "Identity, Privacy and Anonymity on the InterNet", written by L.Detweiler, and if any of you want it, please write to us and ask for it (WARNING it is 138k!) Secondly you can write to help at anon.penet.fi for their FAQ on their anonymous service, which is also very educational.

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 3 23:22:11 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 4 May 1996 14:22:11 +0800
Subject: L. Detweiler is a CyberAngel
Message-ID: <01I49ZPY3HNK8Y56P8@mbcl.rutgers.edu>

From: IN%"llurch at networking.stanford.edu" "Richard Charles Graves" 3-MAY-1996 17:30:30.47

>Subject: L. Detweiler is a CyberAngel

>ROTFL. From
>http://snyside.sunnyside.com/cpsr/nii/cyber-rights/Library/Announcements/CyberAngels-Safesurf

>Special mention must go to an ongoing debate about anonymous remailers, which
>was an area where we were less informed.
Thanks to an154280 at anon.penet.fi
>for lots of very helpful suggestions. For those of you interested in the
>debate about anonymity we have two suggestions: firstly we have a HUGE FAQ
>on "Identity, Privacy and Anonymity on the InterNet", written by L.Detweiler,
>and if any of you want it, please write to us and ask for it (WARNING it is
>138k!) Secondly you can write to help at anon.penet.fi for their FAQ on their
>anonymous service, which is also very educational.

I had noticed that earlier, yes... see why I think they know less about the Net than even _I_ do?
-Allen

From mkj at october.segno.com Fri May 3 23:27:36 1996
From: mkj at october.segno.com (mkj at october.segno.com)
Date: Sat, 4 May 1996 14:27:36 +0800
Subject: CryptoAnarchy: Late Comments.
Message-ID: <199605032031.AA03254@october.segno.com>

I'm amazed at the long thread my naive "CypherAnarchy" question generated -- not to mention the astonishing range of perspectives, spanning from the unusual to the bizarre. (Yes, that was a joke.)

I haven't joined in much up to now, simply because it has taken me some time to digest it all. But now that the thread seems to be winding down, I have extracted a couple of interesting points for additional comments.

"Snow" discusses nations without borders, then asks:

> Are these the deep waters you refer to?

In part, yes. But I think the possible definitions of "nation" and "government" are diffusing even more broadly than you suggest.

A paragraph which I edited from my original message went something like: "Suppose a large multinational company finds a way to increase profits by cutting labor costs. To what extent does this resemble a global 'tax increase' on the world population?" A line of thought which (skipping over a lot of boring intermediate stuff) led me eventually to the questions, "What are taxes?" and "What is wealth?"

Clearly, when the government exacts payment of taxes from us, it is more than just a screwy method of recycling used currency!
Taxation, to oversimplify quite a bit, is essentially compelled labor. But it is even more than that. Taxes must be paid in dollars, and the U.S. government maintains tight and detailed controls over what types of labor and value can be converted into dollars, by whom, and how. Therefore taxation is also compelled *behavior*. It keeps us locked into roles which government has significant power to shape. In fact, due in part to tax policies, important traditional American lifestyle values such as "being independent" and "living off the land" have become damn near impossible today (while "normal" forms of employment frequently entail the waiver of important Constitutional rights).

Once taxation is seen as compelled behavior, it is natural to ask how many other legal controls on behavior might have the effect, at least in part, of a sort of hidden tax. The military draft? Seizures of property in criminal cases? Obviously. But what about regulations on industry? Suppose Congress passes a bill which consolidates some segment of the military industry. Or suppose a government reserves to itself some of the most profitable lines of business, such as drugs and gambling. To what extent do these actions resemble taxes?

My point being, there is more than one way to skin a cat, and clearly more than one way to increase government wealth. Cryptography may be able to hide value transactions when they take the symbolic form of money, but can crypto hide value in all its phases? If not, then crypto will change only the forms, not the essence, of taxation. It cannot shield us, for example, from outright forced labor (such as compulsory military service) or increased criminal penalties, etc.

A final thought: Just as TV is in the business of selling eyes and ears to advertisers, the U.S. government has long been involved in some activities which might, to the cynical eye (such as my own), resemble the selling of "exploitation rights" over its population to the highest bidders.
Note that such a strategy could do a complete end-run around any tax collection problems caused by cryptography!

"Snow" also wrote:

> Fine. So change the tactics. Instead of "Rising Up", simply use an
> ages old and respected solution. Take out the leaders. Note, I am
> _not_ suggesting Mr. Bell's assassination politics, rather, given a
> violent revolution, or the beginnings of one, shorten it by taking
> those who make the policies you disagree with.

But who the hell ARE the real leaders, and how are we supposed to find them? Hint: I don't think they're the people on TV! Politicians today aren't leaders, they are the heads of an unseen Gorgon: If you cut one politician down, two identical copies will spring forth in that same place!

--- mkj

From weidai at eskimo.com Fri May 3 23:33:01 1996
From: weidai at eskimo.com (Wei Dai)
Date: Sat, 4 May 1996 14:33:01 +0800
Subject: The Joy of Java
In-Reply-To: <9605031933.AA24575@eldorado.stern.nyu.edu>
Message-ID:

On Fri, 3 May 1996, Victor Boyko wrote:

> I have been doing work in Java for the past half a year or so (most
> recent project: implementing SSL 3.0). I can't say I don't like it at
> all, but I like C++ much more. Here are my thoughts about the issue.
> Since there is a subjective component to choosing a programming
> language, flamewars are very likely to erupt when you say "Language A
> is much better than Language B", but it may still be interesting to
> read others' opinions.

I agree completely with Victor's analysis. I usually try to avoid me-too posts, but I've been meaning to write an explanation of why I haven't started using Java and am not planning to port my Crypto++ library to Java, so this saves me the effort.

Wei Dai

From m5 at vail.tivoli.com Fri May 3 23:35:37 1996
From: m5 at vail.tivoli.com (Mike McNally)
Date: Sat, 4 May 1996 14:35:37 +0800
Subject: SF South Bay: So WhoWhere wants to meet with people interested in online privacy and security...
In-Reply-To:
Message-ID: <318A5300.7EED@vail.tivoli.com>

> Rich Graves writes:
> > For a good demonstration of why WhoWhere? is not necessarily the greatest
> > thing since spice racks, look up "Louis Freeh," "Fuck You,"...

... making for the funniest Web moment of my week: "Want to know more about Fuck You?"

______c_____________________________________________________________________
Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable
m5 at tivoli.com * m101 at io.com * * suffering is optional

From frantz at netcom.com Fri May 3 23:39:39 1996
From: frantz at netcom.com (Bill Frantz)
Date: Sat, 4 May 1996 14:39:39 +0800
Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
Message-ID: <199605031825.LAA16991@netcom8.netcom.com>

At 9:03 AM 5/3/96 -0400, Perry E. Metzger wrote:
>... The problem I have is
>that I expect that increasingly pages will arise for which information
>can only be extracted with the use of Java. Some flunky from some desk
>will come up and scream "what do you mean I can't get a copy of
>Foo Corporation's merger press release because we won't run some
>program! That's bullshit! Do you know how much money the risk arb desk
>pulls in, you twit! This must never happen again! Fix it immediately!"

Unfortunately the market decided that function and price were more important than security. (I know, I spent 10 years developing and trying to sell an OS with strong security features.) The only thing I can suggest to you is, spend the bucks, desk real estate, confusion etc. and have two machines; a secure/reliable one and an insecure/unreliable one. Make sure OS manufacturers like Apple and Microsoft know that you want to be able to disable the built-in Java they have announced.

You may be able to develop a way of transferring the clipboard between the machines so the dancing Java displayed economic numbers can be easily and safely transferred to the secure machine's analysis program.
Regards - Bill

------------------------------------------------------------------------
Bill Frantz | The CDA means | Periwinkle -- Computer Consulting
(408)356-8506 | lost jobs and | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From vince at offshore.com.ai Fri May 3 23:48:52 1996
From: vince at offshore.com.ai (Vincent Cate)
Date: Sat, 4 May 1996 14:48:52 +0800
Subject: Known Arms Traffickers
Message-ID:

I have added a checkbox to my arms-trafficker page so that if you want to be added to a list of "Known Arms Traffickers" you can be. The URL is:

http://online.offshore.com.ai/arms-trafficker/

The page that says: "Click here to become an International Arms Trafficker"

-- Vince

From andrew_loewenstern at il.us.swissbank.com Fri May 3 23:50:05 1996
From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern)
Date: Sat, 4 May 1996 14:50:05 +0800
Subject: ITARs and the Export of Classes and Methods
In-Reply-To: <199605010642.XAA05623@netcom9.netcom.com>
Message-ID: <9605032128.AA00701@ch1d157nwk>

Bill Frantz writes:
> Certain languages, e.g. Smalltalk, and I believe lisp and
> scheme, have bignums as a built-in type. (Or more specifically,
> their integer types are limited in size only by available
> memory.) I believe these languages are freely exportable.

The Python programming language has built-in support for multiple bignum packages (including the GNU MPZ library). It also has MD5 built-in. Andrew Kuchling also has written a nice crypto package that gives you access to a lot of good crypto primitives. The language was written in the Netherlands, is free to use for any purpose (commercial or otherwise), easily runs on EVERYTHING (Mac, DOS, Windoze, NT, just about any flavor of unix, etc...), is embeddable, and has a Nutshell book about to be published. Check it out...

andrew

From perry at piermont.com Fri May 3 23:51:33 1996
From: perry at piermont.com (Perry E.
Metzger)
Date: Sat, 4 May 1996 14:51:33 +0800
Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
In-Reply-To: <199605032009.NAA22938@netcom16.netcom.com>
Message-ID: <199605032042.QAA24915@jekyll.piermont.com>

"L.Detweiler" writes:
> but again, the Java designers never claimed that
> "Perry Metzger will be able to use Java in his mission critical
> funds transfer application".

And, Detweiler, I keep saying that I don't care about not being able to use it there -- the problem is even having a copy of Netscape with Java enabled on the same machine as a trading system. One instance of Netscape running Java can endanger an entire trading floor.

.pm

From adam at lighthouse.homeport.org Fri May 3 23:52:20 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Sat, 4 May 1996 14:52:20 +0800
Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
In-Reply-To: <199605032013.QAA24832@jekyll.piermont.com>
Message-ID: <199605040150.UAA23886@homeport.org>

Hospitals are similar, in space, although not time constraints. An operating theatre needs to be kept reasonably sterile, and the larger the area, the more difficult it is to do that.

Perry E. Metzger wrote:
| "E. ALLEN SMITH" writes:
| > Might I suggest setting up another computer with Java enabled, and
| > _without_ the critical applications? Somehow, I think they can afford an
| > extra computer for each desk
|
| Money is not a problem, but space is. There is never any room on a
| trading floor. Space is at an amazing premium.
|
| Perry
|

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From snow at smoke.suba.com Fri May 3 23:56:37 1996
From: snow at smoke.suba.com (snow)
Date: Sat, 4 May 1996 14:56:37 +0800
Subject: your mail
In-Reply-To: <199605030525.GAA21397@pangaea.hypereality.co.uk>
Message-ID:

On Fri, 3 May 1996, Ecafe Mixmaster Remailer wrote:

> > From: Brian D Williams
> > Date: Thu, 2 May 1996 11:16:35 -0700
> > >From cypherpunks-errors at toad.com Tue Apr 30 23:58:28 1996
> > >Date: Wed, 1 May 1996 00:52:03 -0500 (CDT)
> > >From: snow
              ^^^^^^^^^^^^^^^^^^^^^^^^^^
> > >To: "Perry E. Metzger"
> > >cc: "L. Detweiler" , cypherpunks at toad.com
> >     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > Game, set, match......
>
> No, probably done intentionally. Note the lower-case snow...

That would be me. snow at crash.suba.com is an account set up expressly for this list, so I didn't bother to set up a complete identity for it. I started here after Detweiler did whatever he did.

Petro, Christopher C.
petro at suba.com
snow at crash.suba.com

From adam at lighthouse.homeport.org Sat May 4 00:02:46 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Sat, 4 May 1996 15:02:46 +0800
Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
In-Reply-To: <3189A993.A19@netscape.com>
Message-ID: <199605040141.UAA23833@homeport.org>

I saw this on your pages. Where can I get the beta, and will it work with my firewall so I can 'force' all users to upgrade to a version that understands it?

Adam

Jeff Weinstein wrote:
| Perry E. Metzger wrote:
| > Netscape with Java cannot be so tested because important components
| > come down off the net. So no, I'm not holding Netscape with Java to a
| > higher standard. I'm very much holding it to the same standard.
|
| The Netscape Administration Kit will allow a site security admin
| to create a configuration that disables Java, and does not allow the
| user to enable it. If your customers require netscape, perhaps this
| is an option that will make you more comfortable.
--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From ses at tipper.oit.unc.edu Sat May 4 00:03:50 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Sat, 4 May 1996 15:03:50 +0800
Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
In-Reply-To: <199605031825.LAA16991@netcom8.netcom.com>
Message-ID:

On Fri, 3 May 1996, Bill Frantz wrote:

> At 9:03 AM 5/3/96 -0400, Perry E. Metzger wrote:
> >... The problem I have is
> >that I expect that increasingly pages will arise for which information
> >can only be extracted with the use of Java. Some flunky from some desk
> >will come up and scream "what do you mean I can't get a copy of
> >Foo Corporation's merger press release because we won't run some
> >program! That's bullshit! Do you know how much money the risk arb desk
> >pulls in, you twit! This must never happen again! Fix it immediately!"
>
> to sell an OS with strong security features.) The only thing I can suggest
> to you is, spend the bucks, desk real estate, confusion etc. and have two
> machines; a secure/reliable one and an insecure/unreliable one. Make sure

As far as I can tell, Perry's requirements are that *no* uncertified "code" should be running anywhere inside the firewall, whether it be a java applet or a game disk brought in by a temp in settlements.

One application of Solid Oak could be used to help out here; many applets are not custom written for a single page, but are instead just instances of fairly standard code. If this code is signed for by the software house that produced the applet, then the code can be accepted or rejected based on an approved vendors list. This works for most medium security applications.

There are situations where this is not enough; normally these organisations will have their own security divisions capable of doing their own evaluations.
In these cases, the local security division could sign the code, and the application on the desk be configured to only run applets authenticated by the local security team.

Simon
---
We are a bunch of hackers, networked through the soil
Fighting for the TCP we gained by honest toil
And when our bytes were threatened, then the cry rose near and far
"Hurrah for the Buggy GNU Hack that comes in lots of tars"

From markm at voicenet.com Sat May 4 00:05:59 1996
From: markm at voicenet.com (Mark M.)
Date: Sat, 4 May 1996 15:05:59 +0800
Subject: Has Tim turned anti-PGP?
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 3 May 1996, Steve wrote:

> > Unless the information is "secret," why bother? It adds extra time at his
> > office's end (you don't think Leahy types in his password to PGP do you?),
> > and it accomplishes little.
>
> I agree with you to this point... Personally, I don't encrypt or even sign
> anything I send out, unless there is a reason to. For most of the mail I
> send out, I don't care if third parties read it, and most of it is so
> unimportant that if it were altered (highly unlikely) I wouldn't care. In
> fact, I can't recall the last time I encrypted a message (but I've signed
> a couple recently).

Since I use UNIX, I have set up the mailing program so that it actually takes extra effort to not sign something. I have nothing to lose by signing my e-mail messages. Yes, I know that not everyone in the world uses UNIX and I don't know if there is a transparent mailing interface for Windoze or Macintosh. As for encryption, I encrypt a lot of my messages because if I only encrypted "secret" messages, that would automatically draw suspicion to every encrypted message that I send. I also always use ssh to log into my UNIX shell account. I know the probability of someone intercepting my password is low, but again I have nothing to lose.

> Now that's just plain un-cypherpunk of you. If people want to use PGP, let
> them use PGP!
There are so many scripts etc. out there to make using PGP
> almost transparent, so decrypting your mail shouldn't be any harder than
> pressing a couple keys and typing in your passphrase. (I know, the
> passphrase is the killer.)

As I said above, there is plenty of integration between PGP and UNIX mailers, but such is not the case for Windoze and Macintosh.

- -- Mark
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm at voicenet.com | finger -l for PGP key 0xf9b22ba5
http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5
"The concept of normalcy is just a conspiracy of the majority" -me
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv

iQCVAwUBMYpgfbZc+sv5siulAQFF1QP8DHrxzW3pkBxmHzWqUy5N79f3ECr2JJZa
IFwwFnbj9T5d2ueqG7Ec7sGLk/HE4CfPky4WfZrRzJ3tNYOcgegYdKmvJ7Dv6W8z
A5QSRtDo6YMko43goQgglXzuYDN65sBwwpIHoA6Qm2mjwSykBnmwrUJexOvR0aw9
gYBwt7pLYL0=
=LdvT
-----END PGP SIGNATURE-----

From EALLENSMITH at ocelot.Rutgers.EDU Sat May 4 00:06:32 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 4 May 1996 15:06:32 +0800
Subject: Freedom and Security
Message-ID: <01I49XXMDSMO8Y56P8@mbcl.rutgers.edu>

From: angels at wavenet.com (CyberAngels Director : Colin Gabriel Hatcher)

>Site security is not at all the only problem. Are you not aware of spams
>and scams going on all the time? Are you not aware that sexual predators
>operate in IRC? Or that child pornography is a world wide trading game?
>Have you never heard of email forgeries or impersonation? What about the
>victims of harassment and hatred who don't know how to deal with it? What
>about all the people who have never heard of killfiles? Who don't know how
>to report a problem nor who to report it to? Haven't you ever been mail
>bombed and wished you could find out who did it?

I find it interesting that Mr. Hatcher is claiming spams as a reason for CyberAngel activities.
I had sent him several examples of spams, to which he replied with messages showing a distinct lack of knowledge (thinking I could filter out messages from the address - which was a mailing list to which I wish to subscribe, for instance). He then noticed my piece in CuDigest suggesting that spams and other Internet abuse would be something proper for the CyberAngels to be involved with - instead of the censorship they advocate. After noticing this, he wrote me back, told me that spams were not something that they were concerned with - they weren't a _real_ problem like pornography - and legally enjoined me not to send mail to the CyberAngels. (I would thus appreciate someone forwarding this mail to Mr. Hatcher; he is not visibly on the list. In case anyone is wondering, I forwarded _at most_ one copy of each message that I had received via email; I most certainly did not mailbomb him.)

As has been previously pointed out, it is not possible for "sexual predators" to commit actual crimes - as opposed to utilizing freedom of speech and freedom of press - over the internet.

There are four points that may be made regarding child pornography:

A. What is defined as child pornography may vary from place to place. As an example, I believe the pornographic videos involving Traci Lords (who was below the age of 18 when they were made) are legal to possess in most of Europe. This difference is similar to that in ages for statutory rape; Mississippi, for instance has one of 12. (I view this as too low, in case anyone is wondering.)

B. Even if something is claimed to be child pornography, it may not actually have involved the use of children. Makeup, plastic surgery, and digital editing are all involved in the creation of such faked child pornography; the latter two are advancing at a rapid rate.
While the offering of such as "child pornography" is a variety of fraud if compensation is involved, somehow I doubt the CyberAngels would be much interested in getting someone prosecuted for it.

C. As has been pointed out by others, even if actual child pornography is on the Net, it is not in and of itself doing any harm to children. It is the production of actual child pornography that does so. While it may be argued that giving child pornography a market value will encourage its production, two counterarguments may be made to this point. First, much of the sexually explicit images on the net are in violation of copyright; I do not believe that the CyberAngels are trying to get people prosecuted for this. Second, driving a market underground tends to raise prices - look at the Drug War; thus, any reduction in supply due to illegality of the market will simply compensate the producers more.

D. As has been pointed out, the use of child pornography is a classic "Horseman" (of the Four). In other words, the CyberAngels are using child pornography as a red herring for their even more objectionable activities.

>Maybe you feel like a veterano and can afford to look condescendingly at all
>the thousands of fresh-faced netizens just arriving online and say "well if
>they can't take the heat they should stay out of the fire" - but if we are
>to call ourselves an emerging "community" then we must take responsibility
>for our city, and that means caring about other people's problems.

I have no objection to the CyberAngels assisting victims of alleged harassment with such mechanisms as kill files; I have some doubt as to their technical ability in this area. I object, however, to their more proactive activities, such as "patrolling" and soliciting people to make complaints about usages of free speech ("harassment"). These involve either attempts to cut off someone's Internet access at the ISP's level or, worse, attempts to attract governmental attention.
The first may be the right of the ISP, unless it is governmental or has a previous contract agreement stating otherwise; it would still be preferable if others such as the CyberAngels were to learn the basic lesson of "mind your own business." Bringing government into the matter may both result in a violation of individual civil liberties and may result in increased governmental control over the Internet.

As has been pointed out by others, the Cypherpunks are doing things to help other people on the Internet in areas such as mail forgery/impersonation and mail-bombing. (A properly run anonymous remailer will not forward a mail bomb any more than a properly run post office will.) I sincerely doubt whether the CyberAngels are actually doing anything about these problems as opposed to their fetish of pornography.

>When your address is forged and you get flamed and bombed, or if you start
>receiving anonymous death threats, your freedom is under threat. It's not
>enough to say "Well I just turn off my monitor"

>The Internet is a city - it needs 911 services and it needs Neighborhood
>Watches. And neither professional law enforcement nor neighborhood watch
>are by definition a threat to anyone's freedom. Freedom within the context
>of Community does not and never has meant the freedom to kill your
>neighbor, or rob someone, or rape someone, or harm someone. In the context
>of the internet Community too, freedom is not the individual's right to do
>whatever he or she likes - because then the Community is no longer free.

By definition? Probably not... although it depends on the definition. Some implementations of such activities - such as the CyberAngels and their current and proposed activities - are such. Freedom is the right to do what will not trespass on another's freedom; I defy you to show how having pornography available, including "obscene" material, trespasses on the freedoms of others.
I also defy you to show how having fully anonymous remailers available is a violation of anyone's liberties.

>Freedom is under threat from two directions - from selfish individuals who
>care little for the Community, and from the over zealousness of governments
>who seek greater and greater control over individual thought and action.
>The first step is to acknowledge that we have a problem within the Internet
>Community - because if we don't address it responsibly then we have only
>ourselves to blame when the governments try to take it over. We can face
>our problems or we can deny that they exist.

And how, pray tell, will bringing such alleged problems to the attention of government - as has been an activity of the CyberAngels - avoid increased governmental intervention?

>By asking me the question: "What crime?" you are indicating to me that you
>prefer denial.

No. We have a disagreement about what is crime - what is an exercise of individual civil liberties, and what is a violation of them.

>"Two people may disagree, but
>that does not mean that one of them is evil"

That depends on what they disagree. I believe we disagree in ways that include enough fundamental freedoms that calling you evil is proper from my viewpoint.
-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Sat May 4 00:08:07 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 4 May 1996 15:08:07 +0800
Subject: PICS & CyberAngels
Message-ID: <01I4A3GEC4UU8Y56P8@mbcl.rutgers.edu>

In view of the discussion of the possibility of PICS being required by law, plus that about the CyberAngels, I thought people might find it interesting that the CyberAngels home page has on it as one of their "responsibilities" making sure that all pages with sexual content - that pornography fetish again - have PICS or other (such as Safesurf...) ratings that would permit censorship of them.
If parents want to keep their children from seeing sexual material, that's the problem of the parents - it shouldn't be the problem of anyone else. If something I put out offends someone (e.g., some political speech I've made), that's the problem of the person it offends. Sexual material is no different.
-Allen

From llurch at networking.stanford.edu Sat May 4 00:12:17 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 4 May 1996 15:12:17 +0800
Subject: An interesting front end for the replay remailer
Message-ID: 

These folks' politics don't make much sense to me (but I gather that they really, really don't like Jehovah's Witnesses); it's their setting up an "alternative" front end for the replay remailer that caught my interest.

http://www.nano.no/~telemark/anon.html

One could say that this makes a case for PGP-signing web pages, but on the other hand, the remailers don't and shouldn't care about content, so who cares if someone "misappropriates" a remailer. What are they "taking" anyway?

-rich

From tcmay at got.net Sat May 4 00:13:10 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 4 May 1996 15:13:10 +0800
Subject: WhoWhere is a Fucked-Up Operation
Message-ID: 

At 5:29 PM 5/3/96, Patrick May wrote:
>Rich Graves writes:
> > For a good demonstration of why WhoWhere? is not necessarily the greatest
> > thing since spice racks, look up "Louis Freeh," "Fuck You," "Asshole,"
> > "System Privileged User," and "Stephen Hawking." I keep telling them that
> > they'd better remove this last, but they don't consider it a priority.
>
> If you want further evidence of their technical skills, look up
>my name. I'm responsible for the corp at spe.com account. WhoWhere has
>therefore decided that I am responsible for every "corp" account in
>their database and has attached my name to each and every one. I
>informed them of this several weeks ago but they are evidently not
>interested in cleaning up their service.
>
> Being both socially and technically challenged, perhaps they want
>your Fucking Statist input on obtaining a government grant for a
>clue-free business.

I agree with my namesake that WhoWhere is one incredibly fucked-up operation. I tried to add an entry for myself, and my entry has (after several days) not made it. (I tried to be truthful, including such things as "felon" for what I do...perhaps their Thought Police considered my entry a joke, suggesting that they must be applying their own judgment to entries.)

I then figured that some of their "automatically generated" entries for "Timothy C. May" needed correction. Not surprisingly, the system asked for a password, so I was unable to correct their defective entries for me.

Fuck em. Then burn the body.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From sandfort at crl.com Sat May 4 00:14:42 1996
From: sandfort at crl.com (Sandy Sandfort)
Date: Sat, 4 May 1996 15:14:42 +0800
Subject: CryptoAnarchy: What's wrong with this picture?
Message-ID: <2.2.32.19960503224906.006ed628@popmail.crl.com>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SANDY SANDFORT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

C'punks,

At 11:31 AM 5/3/96 -0700, brerrabbit at alpha.c2.org wrote:
>Do tell.
>How would someone, just for instance, who is considering
>leaving a "permanent" job for the higher compensation available to
>contractors and consultants be able to structure a business in such a
>way as to benefit from these techniques? If we assume a rate of
>between $60/hour and $125/hour (typical in Boston, New York, and the
>Silicon Valley), how much can one save? How much effort and money is
>required? How much risk is involved?
>
>There are many books on the shelves claiming to show how to avoid
>taxes using these techniques. Most of them have the smell of
>"dangerous crackpot" about them. Can you recommend any in particular?

1) Read as wide a variety of the stuff out there you can (even the books by "dangerous crackpots").

2) Take a vacation to a tax haven you like because of what you've read about it.

3) Open a bank account with an established bank.

4) Ask your banker to recommend a trustworthy lawyer.

5) Tell the lawyer what you want to accomplish and do what he or she says, if it makes sense to you.

6) DON'T talk to anyone else--especially in your home country--about what you have done, are doing or are planning to do.

7) As your resources increase, repeat steps 2-5 in other tax havens. Don't put all your eggs in one basket if you have enough to spread around.

8) Send me $1000. If you follow my steps 1-7, you will save many times that amount.

S a n d y

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From unicorn at schloss.li Sat May 4 00:14:42 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Sat, 4 May 1996 15:14:42 +0800
Subject: Why Leahy is No Friend of Ours
In-Reply-To: 
Message-ID: 

On Fri, 3 May 1996, Timothy C. May wrote:

> At 8:34 AM 5/3/96, Black Unicorn wrote:
> >While I believe this correct, it's worth noting that Leahy is fairly
> >"into" the technology. He finds it entertaining and "fun." All of this
> >mostly thanks to his one time counsel John Podesta. Thanks Mr. Podesta!
> >
> >He's one of the more interested congress critters.
> >
> >> So, what is accomplished except "feel good" thoughts?
> >
> >Admittedly, not much. I'm at least pleased he has a decently on the ball
> >staff however who can tell him what the issues are.
>
> "Decently on the ball"? I hope you are being ironic.

Not at all. (Did you mean sarcastic?) His staff are some of the most astute people on the hill technologically. That their view might tend to the statist side disturbs me, but I wasn't talking about their politics. On the hill a competent and fairly reasonable enemy is much less a problem than an incompetent publicity seeker.

> Leahy is no friend of ours. Recall that he chaired the hearings on the
> FBI's "Digital Telephony" massive wiretap proposal, and co-sponsored the
> legislation (with former FBI agent Don Edwards).

I remember, I was sitting at the hearings. One should bear in mind that it was Specter who pushed for hearings originally, and Specter who was giving with one hand and taking with the other all through the process. I won't say I'm happy with Leahy for the legislation, but that doesn't change the fact that he has a clue. In my view the legislation would have been much worse and Clipper more imposing had Leahy not been involved. Mind you, I never said Leahy was a giant in the movement for crypto and privacy interests, just that I was glad someone had a clue.

> This "sleeping giant" of legislation is still out there, and has not been
> consigned to the junk heap. It becomes operative--that is, the $10,000 per
> day penalties for noncompliance with the law mandating telecom systems be
> DT-compliant--in October 1997. [...]
> Several of us (Black Unicorn, Duncan Frissell, me, etc.) may point out the
> practical difficulties involved in such enforcement, and the longterm dim
> prospects for success. But the fact is that ISPs are a kind of "choke
> point" for halting certain things.
> I have a feeling I know what my ISP will
> say if he gets a court order and a $10,000 per day penalty faces him. Those
> who access the Net directly, through their own companies and/or by having
> boxes hanging directly on the Net, will be less vulnerable to this kind of
> pressure. But the Netcoms, PSI, Earthlinks, AOLs, and such will likely run
> into trouble the first time a court order is presented to make certain
> Internet phone conversations tappable....

Agreed.

> (I have long argued for this view that certain "choke points" will be
> identified). [...]
> Sure, a few services will decide to fight such penalties in court and seek
> to have Digital Telephony thrown out in court. Deep pockets will be
> required. Maybe they'll prevail. Maybe the Burns Bill will collide with
> Digital Telephony. Unclear at this time.
>
> But no Congressman who co-sponsors such legislation as the "National
> Wiretap Initiative," with its "1% of the engineering capacity" requirements
> and other such Big Brother Surveillance State clauses, is a friend of ours.

Again, I never called him a friend, but I still submit to you, that his influence in the legislative process blunted some of the highly offensive positions. Sometimes you have to expect legislators to make compromises. It's a fact of the "democratic process" that Mr. Loomis is so very fond of. The result is that to gain influence over a given area of legislative intent and effort, you sometimes have to sleep with whores (and occasionally they have VD).

> --Tim May

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp.
Counsel: For all your expert testimony needs: jimbell at pacifier.com

From mccoy at communities.com Sat May 4 00:15:31 1996
From: mccoy at communities.com (Jim McCoy)
Date: Sat, 4 May 1996 15:15:31 +0800
Subject: PGP API & PGP 3.0
Message-ID: 

Derek Atkins (warlord at mit.edu) writes:
> The PGP Library is currently under development. I have a draft API
> document, but it is not complete (I still need to finish documenting
> the key management functions). I'd like to get it to a state where I
> can "publically" release it soon -- then again I've been saying that
> for a while.

Yeah... I was thinking a few months ago that it would be fun to set up an idea-futures claim regarding which would appear in a usable fashion first (if ever): PGP 3.0 and its library or the GNU Hurd...

jim

From tcmay at got.net Sat May 4 00:20:08 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 4 May 1996 15:20:08 +0800
Subject: Why Leahy is No Friend of Ours
Message-ID: 

At 11:31 PM 5/3/96, Black Unicorn wrote:
>> "Decently on the ball"? I hope you are being ironic.
>
>Not at all. (Did you mean sarcastic?) His staff are some of the most

"irony n. 1. the expression of one's meaning by language of the opposite or a different tendency, e.g., adoption of a laudatory tone for the purpose of ridicule." --Oxford

I was actually being facetious (one of the several sub-classes of irony) when I asked if you were being ironic, to make a point.

On your other points, we mostly agree.

I was just emphasizing the Senator Patrick Leahy pushed the bill that make the Surveillance State a reality. This should _never_ be forgotten.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C.
May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From llurch at networking.stanford.edu Sat May 4 00:20:55 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 4 May 1996 15:20:55 +0800
Subject: CryptoAnarchy: What's wrong with this picture?
In-Reply-To: 
Message-ID: 

On Fri, 3 May 1996, Michael Loomis wrote:

> circumvent consumption taxation. Consumption taxation would, of course,
> include a tax on the amount of information coming into your computer. I
> don't think that the government will have any problem determining the
> quantity of the information & since it will be encrypted anyway, I don't
> see the privacy worries.

Traffic analysis (though remailers would help).

And what about mailbombing? If you're mailbombed, does your tax bill skyrocket?

I think information has to be free (of tax, anyway), because there is no way to prove the utility of information.

-rich

From EALLENSMITH at ocelot.Rutgers.EDU Sat May 4 00:21:19 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 4 May 1996 15:21:19 +0800
Subject: Why Leahy is No Friend of Ours
Message-ID: <01I4A4XI53G48Y56P8@mbcl.rutgers.edu>

From: IN%"tcmay at got.net" 3-MAY-1996 19:48:00.78

>Leahy is no friend of ours. Recall that he chaired the hearings on the
>FBI's "Digital Telephony" massive wiretap proposal, and co-sponsored the
>legislation (with former FBI agent Don Edwards).

Fascinating. I'd still say to use PGP when sending mail when possible in order to give the NSA more to worry about in traffic analysis. However, it does look like Leahy isn't exactly a governmental type to whom I wish to send an encouraging message.
This may explain the problems with his initial bill on cryptography export.

>The implications for the Internet and for increasingly popular "Internet
>phone" systems are interesting. As I understand the DT language, such
>systems would have to be made compliant with wiretap requests, or face the
>$10K/day penalties. This could force many ISPs, in the U.S. of course, to
>take steps to immediately restrict certain programs, or even
>[speculatively] force them to become compliant by some form of key escrow,
>where they would keep a copy of a key for presentation to law enforcement.
>[More speculation by me: the combination of the Wiretap Act, the
>Anti-Terrorism Act, and the still-ongoing work on key escrow (TIS is still
>pushing their system, Lotus hasn't backed down, Denning still says it's
>needed, etc.) could mean that ISPs move to restrict use of crypto in
>various ways, possibly mandating escrowed encryption.

Why do you think I enquired about encryption in the Internet Phone software in Netscape? Deployment of such as soon as possible - with the encrypted version being the default, or even automatic - would be a decided help.

>Several of us (Black Unicorn, Duncan Frissell, me, etc.) may point out the
>practical difficulties involved in such enforcement, and the longterm dim
>prospects for success. But the fact is that ISPs are a kind of "choke
>point" for halting certain things. I have a feeling I know what my ISP will
>say if he gets a court order and a $10,000 per day penalty faces him. Those
>who access the Net directly, through their own companies and/or by having
>boxes hanging directly on the Net, will be less vulnerable to this kind of
>pressure. But the Netcoms, PSI, Earthlinks, AOLs, and such will likely run
>into trouble the first time a court order is presented to make certain
>Internet phone conversations tappable....

One question is whether the ISP will be able to detect whether someone is violating such a law.
-Allen

From adam at lighthouse.homeport.org Sat May 4 00:24:01 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Sat, 4 May 1996 15:24:01 +0800
Subject: Dole Backs Crypto Export
In-Reply-To: <199605031309.JAA16482@pipe2.nyc.pipeline.com>
Message-ID: <199605040139.UAA23812@homeport.org>

If Dole proves this isn't Clintonesque pandering by getting the bill through as Senate Majority Leader, I'll hold my nose and vote for him for President.

Adam

jya at pipeline.com wrote:
| Financial Times, May 3, 1996, p. 7.
| Dole backs removal of software export ban
| By Louise Kehoe in San Francisco
|
| Senator Bob Dole, the presumptive Republican presidential
| candidate, yesterday threw his support behind proposed
| legislation to remove US export restrictions on computer
| software used to encode Internet messages.
| For Senator Dole, the encryption bill provides an
| opportunity to seek support from Silicon Valley high-tech
| leaders many of whom backed Mr Bill Clinton in 1992, and to
| boost his election campaign efforts in California.

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From jimbell at pacifier.com Sat May 4 00:25:29 1996
From: jimbell at pacifier.com (jim bell)
Date: Sat, 4 May 1996 15:25:29 +0800
Subject: Bit tax again?
Message-ID: 

>Europe: Try to send it, we'll tax your bits
>
>By Peter Clarke
>The EC report reasons that the value of the average cyberspace transaction
>will increase as time goes by, resulting in fewer physical transactions.
>The upshot, the report says, will be a shrinking government tax base.
>Evidence of such a trend may already have surfaced: Use of the Internet to
>import goods and services electronically from outside the continent has
>allowed some Europeans to avoid payments under Europe's value-added-tax
>(VAT) system.

This is a poor reason to adopt a so-called "bit tax."
One obvious problem is that a 1-kilobyte letter in which I order thousands of dollars worth of goods is simply not comparable (in "value") to a 1-megabyte telephone conversation (the amount of data transferred, in one direction, in a 2-minute phone call.) If they want to implement a "bit tax" to replace lost revenue, they're left with either taxing bits so high that they recoup the "lost" revenue in the 1-kbyte letter, or reducing the "bit tax" to the level which makes transmission of low-profit items like Internet phone calls, GIFs, or audio files possible. The former won't do any good; the latter is totally unacceptable.

Governments may be worried about losing tax revenue, in general, but they are (as usual) FOS. The development of information technology may reduce tax revenues, but if it does, it does this by bypassing the use of services that would have otherwise been necessary. To use the example in the article, if I buy something over the Internet, as opposed to physically driving 20 miles to get it, and it is (efficiently) shipped to me by some method such as UPS, that represents a substantial reduction in the amount of gas I use, the wear and tear on my car, usage of roads, etc. _IF_ taxes exist to pay for some of these kinds of costs, _if_ a more efficient system of product-ordering is developed to eliminate these costs, then (logically) the need for those services is reduced. That means that taxes should drop accordingly.

> Soete observed last week that
>sending his group's report by mail or courier, rather than electronically,
>would involve taxes on fuel purchases and on the profits of the companies
>involved in physically shuttling the document to recipients.

Soete proves my point. There is a decreasing need for those delivery services, now, so it is logical that costs should be reduced proportionately, including taxes.
However, if we look at the situation by pessimistically assuming that the government wants to maintain its revenue no matter what, it's obvious that Soete's position is "logical" from his limited standpoint. The problem is that carried to its ultimate extreme, if technology completely eliminated the need for the services that governments currently provide, those same governments would still want the same amount of revenue! This kind of thinking only makes sense to government employees.

>"As society moves toward the information society, tax revenue needs to shift
>emphasis from material goods to virtual goods and services," he said. I
>think we will see a very rapid introduction [of such a tax structure] in one
>or two years' time."

This quote seems to assume that tax revenues should be just about as constant and unavoidable as death and...uh...taxes. I would sure like to see some hint of recognition that tax revenues SHOULD fall as a consequence of technological progress.

>Soete said he believes the tax "can be introduced in a very straightforward
>way. Every telephone operator and service provider has a record of the
>bytes moved. They can be the tax collectors."

This is probably the most outrageous and hilarious thing he is saying. If anything, practically no software today has any ability to collect the kind of information he thinks is already being collected.

>
>He acknowledged the prevailing "negative view about a bit tax" and
>attributed it in part of "concern that it could inhibit adoption of
>information technology.

That's a straw man. What a "bit tax" would do is to skew the market in favor of "low-bit" services, and against high ones. Sending a GIF or an audio file would become cost-prohibitive, while email would stay cheap. While, arguably, there are reasons to charge more for more bits (more transmission capacity is necessary), the amount of that extra charge would probably be exceedingly small if it were "fair."
> But once people have the technology, not many
>would go back. Whether the tax is 1 cent per bit or 1 cent per kbit is, of
>course, completely open."

He completely misunderstands the inability of the system to know the "value" of a given transmitted bit, and without this information the only system left is a flat tax-per-bit which would be entirely impractical.

>Soete last week cast the bit tax as a progressive levy that would fall
>hardest on big business and that would not deter private individuals from
>joining the information society.

This is bullshit. He's just trying to sucker the great unwashed into believing that taxing the Internet is a way to make the other guy pay the toll. It won't work.

>Soete believes the bit-tax should be used to fund social security or
>welfare.

Not a prayer! He's trying to get the geezers to look upon the Internet as a cash cow.

Jim Bell
jimbell at pacifier.com

From anon-remailer at utopia.hacktic.nl Sat May 4 00:30:01 1996
From: anon-remailer at utopia.hacktic.nl (Name Withheld by Request)
Date: Sat, 4 May 1996 15:30:01 +0800
Subject: What are the Feds looking at now :)
Message-ID: <199605032150.XAA15313@utopia.hacktic.nl>

This message was observed to flow to firewalls mailing today... could this mean mean something is going on??
anon

>Return-Path: firewalls-owner at GreatCircle.COM
>Received: from miles.greatcircle.com by relay2.UU.NET with ESMTP
> (peer crosschecked as: miles.greatcircle.com [198.102.244.34])
> id QQaodh13554; Fri, 3 May 1996 15:23:00 -0400 (EDT)
>Received: (majordom at localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA12439 for firewalls-outgoing; Fri, 3 May 1996 11:25:42 -0700 (PDT)
>Received: from justice.usdoj.gov (justice.usdoj.gov [149.101.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA12425 for ; Fri, 3 May 1996 11:25:37 -0700 (PDT)
>Received: by justice.usdoj.gov id aa17656; 3 May 96 14:07 EDT
>From:
>To: Firewalls at GreatCircle.COM
>Subject: Firewalls-Digest V5 #289
>X-Mailer: SCO Portfolio 2.0
>Date: Fri, 3 May 1996 14:03:09 -0400 (EDT)
>Message-ID: <9605031403.aa16958 at justice.usdoj.gov>
>Sender: firewalls-owner at GreatCircle.COM
>Precedence: bulk
>
>I am looking for a list of all the Internet
>Service Providers world-wide. Can anyone point me
>in the right direction?
>
>Thanks in advance,
>
>Mary L. Casey, Program Analyst
>Information Management &
> Security Staff
>Information Resources Management
>Justice Management Division
>U.S. Dept of Justice

From vznuri at netcom.com Sat May 4 00:33:10 1996
From: vznuri at netcom.com (Vladimir Z. Nuri)
Date: Sat, 4 May 1996 15:33:10 +0800
Subject: proposed anti-pseudospoofing law in Georgia
In-Reply-To: <199605031638.JAA24955@atropos.c2.org>
Message-ID: <199605032000.NAA22247@netcom16.netcom.com>

> "anti-psuedospoofing".

pardon me, I thought that was the correct term. I saw someone like Hal Finney or TCM (PM? EH?) use it here as I recall. it's hard to remember. if there is a more correct term I will be happy to use that in the future.

From EALLENSMITH at ocelot.Rutgers.EDU Sat May 4 00:36:12 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E.
ALLEN SMITH)
Date: Sat, 4 May 1996 15:36:12 +0800
Subject: PICS required by laws
Message-ID: <01I4A37X6Y0W8Y56P8@mbcl.rutgers.edu>

From: IN%"sjb at universe.digex.net" "Scott Brickner" 16-APR-1996 19:02:13.04

>The sorts of organizations that form the core of the internet, and are
>involved in this network layer censorship scheme, just *aren't* the
>sort of "subversives" (or "patriots", take your pick) that would try to
>bypass the system.

I am not quite certain if the model of [content provider]-[ISP]-[Phones]-[ISP]-[ISP]-[user] is going to work much longer. That routes the material through quite a few too many bottlenecks, among them the phone lines. I could reasonably easily sign up with two ISPs and start myself as a router (with a good computer and the right software), from what I know of the subject; with ecash routing of messages, this might get quite common (and profitable). When you've got a few large organizations doing the routing, what you've said is _probably_ correct. When you've got a lot of people doing it out of their garages, then it isn't.
-Allen

From nmunro at technews.com Sat May 4 00:42:53 1996
From: nmunro at technews.com (nmunro at technews.com)
Date: Sat, 4 May 1996 15:42:53 +0800
Subject: No Subject
Message-ID: <199605031559.LAA26245@relay1.smtp.psi.net>

subsribe neil munro

From rah at shipwright.com Sat May 4 00:48:08 1996
From: rah at shipwright.com (Robert Hettinga)
Date: Sat, 4 May 1996 15:48:08 +0800
Subject: e$: The Wealth of Nation-States
In-Reply-To: 
Message-ID: 

At 7:05 AM -0400 5/3/96, Michael Loomis wrote:

> No tax system will ever be perfect, but income taxation is a good
> system of taxation. Income taxation inevitably requires some accounting
> costs, but these costs should be going down with advances in computing
> technology and other technology.

Cashflow taxation, like the income tax, is a good *industrial* system of taxation.
It operates very well in the hierarchical communications network of an industrial economy, especially in a world of expensive automated processors. It favors unsecure transactions on secure, closed networks. SWIFT (the interbank funds transfer system), NASDAQ (the "over-the-counter" equity market system), and NIDS (the old National Institutional Delivery System, where institutional trades were settled), are all just closed networks, "clubs" as Eric Hughes calls them. Expensive bulletin boards. However, in a world of ubiquitous, exponentially increasing semiconductor switches of financial information, all using strong cryptography on geodesic public networks, you get the virtual end of intercompany book-entry transaction processing. Instead of swapping book-entries across secure links, economic entities will eventually trade using anonymous digital bearer certificates across insecure links, usually in an auction market of some kind, settling all of their transactions for cash at the time of the transaction. It's economics, actually. As Moore's law progresses, the size of a given economic entity, especially the financial intermediaries responsible for underwriting and clearing certificates, gets increasingly smaller, until someday it's an automated bot of some kind. At the same time, the cost of maintaining a spaghetti-bowl of audit trails between all of those entities becomes increasingly harder to sustain, and not just in computing resources. It's also in time value of money. You collect the time value of your money while it's "in transit": while it's actually sitting in your bank account waiting to be paid to the other party of a trade. Unpaid bills, check float, and unrevolved monthly credit card balances are all good examples of this. As financial entities get smaller, more ubiquitous, and more competitive, margins shrink and this becomes much more important. Kind of like gravity and mass. 
Insignificant at one size, virtually the only force at the other extreme of the scale. Because it settles instantly, without any float, cash literally becomes king in this environment.

All of this is just as well. Strong cryptography makes the point moot. Not only do you have internet-level anonymizing protocols, but you also have the certificate protocols themselves. You can't know who you're doing business with, anyway. When you don't have book-entries (cashflows) to tax, you can't tax book-entries, which means nation-states can't have income, value-added, sales, excise, import, export, or any other transaction tax, because they just can't see any of those transactions behind a wall of strong cryptography.

Fortunately, the nice thing about these certificate-based technologies is that as they become more prevalent, the need for nation-states to apply force to guarantee the honesty of the trading parties diminishes. The need for force doesn't go away; physical security is always necessary, just like air is. However, it is no longer so necessary to use it to deal with repudiated trades in a large number of markets, especially those for money and information. At the transaction level, the protocol breaks if the requisite conditions of the transaction aren't met. At the relationship level, if someone repudiates a trade, they can be shunned. As Moore's law collapses the size of the trades themselves, the abundance of competing entities in a given certificate-based market reduces the risk of repudiation point-failure in that market effectively to zero. Which means, you don't have to pay Uncle to keep trading partners honest anymore. Which, as we saw before, is a good thing, because you couldn't find them, anyway. ;-).

Given that the modern nation-state is a hierarchical industrial organization anyway, -- a literal "force trust", to misappropriate nineteenth century parlance -- it seems that its inability to finance itself in a geodesic market seems inevitable.
Competitive markets for all the services it performs will eventually emerge. We live in interesting times. Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From root at edmweb.com Sat May 4 00:50:49 1996 From: root at edmweb.com (Steve Reid) Date: Sat, 4 May 1996 15:50:49 +0800 Subject: "Bit Tax" proposed by satan@hell.gov In-Reply-To: <199605031414.KAA32390@osceola.gate.net> Message-ID: >Consumption taxation would, of course, >include a tax on the amount of information coming into your computer. I >don't think that the government will have any problem determining the >quantity of the information & since it will be encrypted anyway, I don't >see the privacy worries. The problem with a tax on data is that it would be *extremely* unfair. It would be like a tax on atoms. With a tax on atoms, the tax on a bag of groceries would be hundreds of times greater than the tax on a diamond ring, because there are more atoms in a bag of groceries Bits are the digital equivalent of atoms. With a tax on bits, the tax on the download of an up-to-date virus scanner would be hundreds of times greater than the tax on an emailed business contract. If this bit tax thing were attempted, the amount of time people spend online would be determined entirely by their income; if you can't afford the tax, you can't use the net. Conversely, with employment moving to the net, people's income would be determined by how much time they spend working on the net. That creates a nasty catch-22; if you can't afford to use the net, you can't get a job; and if you can't get a job, you can't afford to use the net. I understand some ISPs currently charge for data, but it's very cheap (My company pays around $20 per gigabyte). 
The amount of taxation needed to sustain a government would be hundreds of times greater. And of course, taxing on data would discourage new technology, since new technology usually requires a lot more bandwidth. People wouldn't use the new technology because it could easily quadruple (or more) their taxes. This bit tax idea must have come directly from satan at hell.gov. ====================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP (2048/9F317269) Fingerprint: 11C89D1CD67287E68 C09EC52443F8830 | | -- Disclaimer: JMHO, YMMV, IANAL. -- | ====================================================================:) From unicorn at schloss.li Sat May 4 00:53:20 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 4 May 1996 15:53:20 +0800 Subject: Why Leahy is No Friend of Ours In-Reply-To: Message-ID: On Fri, 3 May 1996, Timothy C. May wrote: [Well deserved irony lecture deleted] > On your other points, we mostly agree. > > I was just emphasizing the Senator Patrick Leahy pushed the bill that make > the Surveillance State a reality. This should _never_ be forgotten. Agreed. I never meant to imply otherwise. > > --Tim May > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From EALLENSMITH at ocelot.Rutgers.EDU Sat May 4 01:09:37 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. 
ALLEN SMITH)
Date: Sat, 4 May 1996 16:09:37 +0800
Subject: Freedom and security
Message-ID: <01I49Z07F3IC8Y56P8@mbcl.rutgers.edu>

From: IN%"liberty at gate.net" 1-MAY-1996 10:34:38.08
To: IN%"angels at wavenet.com"
CC: IN%"cypherpunks at toad.com"
Subj: RE: Freedom and security

Date: Wed, 01 May 1996 07:55:25 -0400
From: liberty at gate.net (Jim Ray)
Subject: RE: Freedom and security
To: angels at wavenet.com (CyberAngels Director : Colin Gabriel Hatcher)
Cc: cypherpunks at toad.com

-----BEGIN PGP SIGNED MESSAGE-----

CyberAngels Director Colin Gabriel Hatcher wrote:

>>...Freedom does not increase through more laws.
>
>Nor does freedom increase through less laws or no laws.

You have gotta be kidding me, but let's start by differentiating among laws. I'm a crypto-minarchist, not a crypto-anarchist, so I still have hope for some (MUCH less) government. I think laws against murder are good, and lead to more safety for those not in jail. I think laws against "consensual crimes" are bad, and lead to government/police corruption extending all the way to the top [see sigfile]. When I have to say, "where's the victim?"
it's a shitty law. Many laws fail my test. > Freedom increases >as respect and care for one another increases. This is what I called flowery rhetoric in the last post. > Meanwhile, since we do not >live in utopia, all societies at a certain level of economic development >and of a certain size of population require law and law enforcement to >protect citizens from predators. This is what astounds me, the advocates of more government always focus on crimes WITH obvious victims during debates. Once power is achieved, the victimless crime laws get written. I have said I do want murderers, and even some (not all) pedophiles, in jail. If a child pornographer chooses to visit my page and commits a thoughtcrime involving my babypictures, I say leave him alone. If he commits a real crime with an unwilling victim I say punish him even more than the present government punishes him. Libertarians, when we achieve political power, will find ourselves with abundent jail cells left over from the tax-and-spend drugwar to put real criminals (the ones who have an individual victim) in. >[...flowery rhetoric] Does anyone really doubt the extent of State >control and power across the Net? There are certainly enough statists who feel a need to increase it. > > >.... laws only breed more laws, which always lead to >>less freedom. > >I disagree with this statement. I do not believe that laws breed more laws >nor that laws lead to less freedom. I believe bad laws compromise freedom >(eg CDA) while good laws protect freedom. I am heartened by your opposition to the CDA (though I did not notice a Cyberangels voice in the debate/protest leading up to this abominable law...) but I must point out that you offer no good test, like my "where's the victim?" test, to differentiate good laws from bad ones. As to more laws leading to less freedom I stand by my words. Go down to any law library and have a look at the Code of Federal Regulations. 
As wordy, poorly-written laws proliferate, we all become "criminals," subject to the arbitrary power of the state's prosectors. When the state prosecutors are a partisan Democrat followed by a partisan Republican, and the "criminals" are high-ranking Democrats and Republicans, you end up with a lesser respect for all laws, even the good ones. Again, see my sigfile. Now imagine the Libertarian party was doing the same drug-smuggling...Would the feds [let alone the media] be so silent? I doubt it. >Cryptography enhances and protects privacy, which does not inevitably lead >to greater security. Security for the sender, yes, in that no one else can >read the message, but security for the Community? I find it worrisome that you capitalize the word, despite my rant involving Director Freeh. I repeat: The community is made up of individuals. > Doesnt that depend what >the message said? The technology itself is neutral. Therefore, I guess, the "Community" must forcibly take my key to make sure that last PGPmessage wasn't child porn, right? It is important to make sure I don't commit thoughtcrime. > Child pornographers >encrypt their hard drives so that law enforcement cannot gather crime >evidence - that is certainly a state of greater security for the >pornographer, but it does not improve our Community, and as child >pornography increases, the law is by definition broken more and more, and >so the Community becomes less free than before. And that's not the tyranny >of government but the tryanny of criminals. Look. I don't care if some old man beats off to the tune of baby pictures. There is no victim. If he finds a victim, toss him in the slammer, or kill him. Right now, the tax-and-spend drugwar is creating a revolving-door justice system when it comes to victim crimes, and the people (naturally) disrespect the law. 
Respect for ALL law, good and bad, is poisoned by this foolishness and when combined with a disrespect for the historical power of juries to nullify shitty laws, and ignorance of history. >I do in fact support cryptography for personal security, not least because >I can ensure that my messages are authenticated. CyberAngels PGP public >key will be up on our new website opening very soon. I've had enough of >people forging my email. Oh, why bother with this self-help, vigilante solution to the need for authentication. Why not just pass another law? PGP is a pain-in-the-ass to install and learn. I'm sure the Congress and President Clinton (who has also experienced e-mail forgery) would support it, and then you won't have to bother learning PGP or reading that awful PGPdoc1 & PGPdoc2. >"Two people may disagree, but >that does not mean that one of them is evil" >I think it should be legal for me to sell my body for sex, or put >any substance into it I choose, because _I_ own my body. An excellent example to use with regards to the CyberAngels, given that the Guardian Angels are very definitely pro-drug-war. This is informative about the CyberAngels, especially considering their association with SafeSurf. Their parental-censorship system includes the ability to filter out many articles disagreeing with their position on the Drug War - namely those citing that certain presently illegal substances (e.g., marijuana) are much less dangerous than the government wishes people to believe. While I do not approve of minors using addictive drugs (including nicotine), enabling their parents to cut off political speech of which the parent and the CyberAngels disapprove is hardly an increase in the real freedom of anyone. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Sat May 4 01:14:31 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. 
ALLEN SMITH) Date: Sat, 4 May 1996 16:14:31 +0800 Subject: Edited Edupage, 25 April 1996 Message-ID: <01I4A0JNONWQ8Y56P8@mbcl.rutgers.edu> From: IN%"educom at elanor.oit.unc.edu" 25-APR-1996 21:40:28.52 >FCC BOOSTS PROSPECT FOR SUPERNETS >The Federal Communications Commission may reserve a band of radio >frequencies to allow free and unlicensed transmissions at 25 megabit speeds >of large volumes of data within a group of buildings. These so-called >"supernet" wireless services, which would operate at no more than one watt >of power in order to avoid interfering with neighboring supernets, could >then be connected by high-speed phone lines to the Internet, thus largely >bypassing local phone companies to get Net access. (New York Times 25 Apr >96 C1) If these are not covered by the regulations against encryption in the use of packet radio, this would seem to be an opening for such. Indeed, encryption of radio messages would appear to be rather critical for security. >HARDWARE SOLUTION TO E-COMMERCE SECURITY >VLSI Technology and Tandem Computer's Atalla are developing chip-level >security products to protect electronic transactions over the Internet and >intranets. The products will incorporate DES, RSA and other encryption >technology, and the companies hope their joint venture will establish a >hardware-based security standard for electronic commerce. (Information Week >15 Apr 96 p34) >INTERNET PHONE FACES REGULATORY FIGHT >The Canadian communications regulatory agency says companies offering online >phone services must pay a fee to local phone companies to help keep local >phone rates low. ShadowTel, the small Ontario company which recently >announced it planned to offer telephone service on the Internet, appears >headed toward a fight with federal regulators over whether it must pay a >special fee to Canada's phone companies. (Toronto Globe & Mail 25 Apr 96 B10) The usual egalitarian excuse to limit markets from doing what is right. -Allen >Edupage ... 
is what you've just finished reading. To subscribe to Edupage: >send mail to: listproc at educom.unc.edu with the message: subscribe edupage >Pierre Boulle (if your name is Pierre Boulle; otherwise, substitute your >own name). ... To cancel, send a message to: listproc at educom.unc.edu with >the message: unsubscribe edupage. (If you have subscription problems, send >mail to educom at educom.unc.edu.) From x at x.x Sat May 4 01:17:39 1996 From: x at x.x (The Unix Cypherpunk) Date: Sat, 4 May 1996 16:17:39 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: Message-ID: <199605040212.EAA01278@utopia.hacktic.nl> >>>>> "Rich" == Rich Graves writes: > On Fri, 3 May 1996, Michael Loomis wrote: >> circumvent consumption taxation. Consumption taxation would, of course, >> include a tax on the amount of information coming into your computer. I >> don't think that the government will have any problem determining the >> quantity of the information & since it will be encrypted anyway, I don't >> see the privacy worries. What a wonderful idea! Everybody would Win with this. Rich> Traffic analysis (though remailers would help). What do you have to hide? Rich> And what about mailbombing? If you're mailbombed, does your tax bill Rich> skyrocket? Of course. The Government is much wiser at spending your money than you are. Since most mailbombing can be source blocked, the funds raised from a mailbombing can be used on a Federal Training program for computer administrators because you obviously cannot take care of yourself. Sites with mailing lists are not exempt, neither are Usenet sites. The user fees can be raised to pay the taxes. Mailing lists shouldn't be free anyway. The Usenet Oracle will be taxed too. It's too dangerous for a site to be giving out free advice without some kind of Government Regulation. Rich> I think information has to be free (of tax, anyway), because there is no Rich> way to prove the utlility of information. It doesn't matter. 
It's a conspiracy by Netscape and Microsoft. Since taxation will be based on volume of information it follows logically that browsing the web with Lynx or images turned off is income tax evasion. (Using gzip for FTP is also tax evasion). It's your duty as a law-abiding taxpaying citizen-unit to Pay Your Fair Share, and that means browsing the Web with Netscape with all the extensions turned on. Be patriotic! Put lots of 100k GIFs on your Home Page to Reduce The Deficit! Browse the WWW with Netscape for America! Don't do it for yourself, Do It For Your Children; their future is at stake. Microsoft is feeling threatened on its own turf by people FTPing free Unix instead of paying big bucks for broken software. What's good for Microsoft is Good For America. Let's keep American Jobs At Home. We can't have some upstart foreigner in Finland putting an honest American company to shame. FTP file transfers of Linux must be taxed. Just to be fair, this tax ought to apply to everyone in the world. Why should taxpaying American citizens have to pay the US government to visit Yahoo when people in Europe get to see it for free? Level the playing field. - The Unix Cypherpunk From erc at dal1820.computek.net Sat May 4 01:24:53 1996 From: erc at dal1820.computek.net (Ed Carp) Date: Sat, 4 May 1996 16:24:53 +0800 Subject: Freedom and Security In-Reply-To: <01I49XXMDSMO8Y56P8@mbcl.rutgers.edu> Message-ID: <199605032127.RAA04670@dal1820.computek.net> Rather than repeat the whole argument, I'd like to point out something: > C. As has been pointed out by others, even if actual child pornography > is on the Net, it is not in and of itself doing any harm to children. It is > D. As has been pointed out, the use of child pornography is a classic > "Horseman" (of the Four). In other words, the CyberAngels are using child > pornography as a red herring for their even more objectionable activities. > to learn the basic lesson of "mind your own business." 
Bringing goverment into > the matter may both result in a violation of individual civil liberties and > may result in increased governmental control over the Internet. > >The Internet is a city - it needs 911 services and it needs Neighborhood > >Watches. And neither professional law enforcement nor neighborhood watch > >are by definition a threat to anyone's freedom. Freedom within the context > >Freedom is under threat from two directions - from selfish individuals who > >care little for the Community, and from the over zealousness of governments > >who seek greater and greater control over individual thought and action. The 'threat' is non-existent - it's no longer a threat, but reality. Why do you think that the government was so desperate to slide the CDA through? Folks like the "CyberAngels" are the best friend of an intrusive government - they give them an excuse. While before the CDA the government could read what they liked over the net, they really couldn't do much about it, because if they did, the ACLU and friends would've swooped down like a pack of starving dogs and devoured them alive (not that that would've been a *bad* thing, mind you). Now, there's no excuse, and nothing to stop them - they have the *LAW* on their side. The CDA just makes it legal. The government is actually very interested in the USPS and others providing service over the net, because it makes their jobs a hell of a lot easier. This "child pornography" argument is just a red herring - there has ALWAYS been this type of thing around, and always will be. I notice much is made regarding legislating morality, but nothing is being said about the millions of tons of cocaine and heroin that the government brings in and sells to folks. When people realize that the drug laws and this absurd "war on drugs" is just to drive the competition out of business - well, it's not going to be pretty. And how about the enormous amounts of money made with the child slavery rings? 
There is a LOT more of that going on than this "child porno" stuff - just ask Interpol. As to the argument that we need cops and such - well, we did just fine for many years self-policing ourselves. The spammer and such was either shouted down with mailbombs or just plain ignored. Now, Suzie Q. gets an account, gets on IRC, and gets messaged by some freshman with no life, gets upset, and suddenly it's a federal case, attendant with the press smelling blood in the water, the morality cops like CyberAngels coming out of the woodwork in an attempt to get press, and the government rubbing their collective hands together, knowing that crap like this is just one more small step towards a police state. I heard someone the other day say "what do you call it when only the police have guns? - a police state!" Made me think. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes The mark of a good conspiracy theory is its untestability. -- Andrew Spring From tcmay at got.net Sat May 4 01:53:34 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 4 May 1996 16:53:34 +0800 Subject: proposed anti-pseudospoofing law in Georgia Message-ID: At 8:00 PM 5/3/96, Vladimir Z. Nuri wrote: >> "anti-psuedospoofing". > >pardon me, I thought that was the correct term. I saw someone >like Hal Finney or TCM (PM? EH?) use it here as I recall. >it's hard to remember. if there is a more correct term I will >be happy to use that in the future. 
Larry, as you certainly know, I am also known as "Nick Szabo" and "Robert Hettinga," Hal Finney is just another name for "Eric Hughes" and "Sandy Sandfort," and "Perry Metzger" actually a pseudonym shared by both me and John Gilmore. On occasion we meet to do a Vulcan mind-meld and adopt new identities. --Medusa From tcmay at got.net Sat May 4 02:05:36 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 4 May 1996 17:05:36 +0800 Subject: "Bit Tax" proposed by satan@hell.gov Message-ID: At 11:13 PM 5/3/96, Steve Reid wrote: >The problem with a tax on data is that it would be *extremely* unfair. Chill out, it's not a real proposal. >It would be like a tax on atoms. With a tax on atoms, the tax on a bag of >groceries would be hundreds of times greater than the tax on a diamond >ring, because there are more atoms in a bag of groceries > >Bits are the digital equivalent of atoms. With a tax on bits, the tax on >the download of an up-to-date virus scanner would be hundreds of times >greater than the tax on an emailed business contract. > >If this bit tax thing were attempted, the amount of time people spend >online would be determined entirely by their income; if you can't afford "Yeah, my tax guy really saved me a lot last year...he knows some really great data compression algorithms." --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." 
From anon-remailer at utopia.hacktic.nl Sat May 4 02:32:11 1996
From: anon-remailer at utopia.hacktic.nl (Anonymous)
Date: Sat, 4 May 1996 17:32:11 +0800
Subject: No Subject
Message-ID: <199605040605.IAA19372@utopia.hacktic.nl>

what is currently the best remailer-in-a-box out there?

From EALLENSMITH at ocelot.Rutgers.EDU Sat May 4 02:38:45 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 4 May 1996 17:38:45 +0800
Subject: Freedom and Security
Message-ID: <01I49YEWVI5M8Y56P8@mbcl.rutgers.edu>

Again, I would appreciate it if someone would forward this message to Mr. Hatcher.

From: IN%"angels at wavenet.com" 1-MAY-1996 09:47:03.01

>Every society has a social contract whereby the freedom of the individual
>is defined within the context of the society. Freedom means your freedom
>to be who you want to be, think how you want to think, say what you want to
>say, hold whatever beliefs you wish, balanced against the Community's need
>for stability. You may demand the freedom to kill those who disagree with
>you but no community will grant you that freedom. But no one living in a
>community where murder is outlawed can serious claim that their freedom has
>been taken away by that particular law. You cannot be free to speak your
>mind unless there are laws preventing others who disagree with you from
>killing you. If it were permitted to kill those who disagreed with you,
>then no one would be free to speak their mind at all, for fear of the
>consequences.

Quite simply, if freedom is defined by a social contract, then there would be no need for a Bill of Rights. Protected freedoms are there because even a democratically elected government - the closest thing to a determiner of the "social contract" in the real world - cannot be trusted. For instance, the current social contract in Germany would appear to say that some political speech - that of neo-Nazis - is not permitted, and that this is not a violation of freedoms.
It is reasonably evident that this is not the case by any true definition of freedom. Certainly, if someone can murder you for speaking your mind, your freedom of speech may be restricted. But I again defy you to come up with how many of the activities you oppose are violations of anyone's freedoms, as opposed to violations of what most people happen to want. >I am not currently aware that either your right to encrypt nor your right >to use anon remailers is under threat, so why should I do anything? But >while encryption and anon remailing protect *you* from certain threats to >your freedom, they are also being used for example to make the >international trade in child pornography more effective and less easy to >prosecute. The technology itself is neutral and can be used or abused. >That is why the focus should be on individual actions rather on the >technology. It would appear that you are incorrect with regards to the right to encrypt and anonymous remailers; such regulations and laws as ITAR restrict this, as do some movements toward mandatory government-access-to-keys (the eventual intended result of Clipper, which has certainly not disappeared from the intentions of law enforcement and espionage agencies). I have previously pointed out the ways in which the child pornography argument does not work, and is only an excuse. >My concern is not so much with network sabotage or infiltration (there are >plenty enough organizations addressing that problem) but with personal >safety within the Internet community - that means you, not your hard drive. I am not physically attached to the Internet; it is not possible for my safety - as opposed to my hard drive's safety if I connected it - to be compromised by the Internet. -Allen From vznuri at netcom.com Sat May 4 02:40:04 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sat, 4 May 1996 17:40:04 +0800 Subject: Why I dislike Java. (was Re: "Scruffies" vs. 
"Neats") In-Reply-To: <199605032042.QAA24915@jekyll.piermont.com> Message-ID: <199605040620.XAA15527@netcom9.netcom.com> >> but again, the Java designers never claimed that >> "Perry Metzger will be able to use Java in his mission critical >> funds transfer application". > >I keep saying that I don't care about not being able >to use it there -- the problem is even having a copy of Netscape with >Java enabled on the same machine as a trading system. One instance of >Netscape running Java can endanger an entire trading floor. right. substitute "unapproved software" wherever you use the term "Java" and you will see that at the heart of it you don't really have a real case against Java in particular. what is your point? that someone suitably paranoid would never come close to running Java on their machine? I fully agree with you there. oh, I should think that a suitably paranoid sysadmin will be sure to create an oppressive, straightjacket environment in which "unapproved software" would be squelched or would never have a chance to run in the first place. it seems to me if you have to worry about it happening, you've already lost. in fact the NSA thrives on solving these kinds of problems. I once worked with a guy that emanated out of that black hole, and I found him highly capable of squelching any possible incongruous or creative thought that crossed his path, in the same way that state-of-the-art software is routinely denied employees of companies out of security paranoia. if you want to live in the world, you will always face some kind of insecurity. freedom and restriction are mutually exclusive. if you are against freedom in software choice by end users in an environment you control, well, what does Java have to do with that? its just another insignificant program on the long list of software you don't allow. 
although, I suppose, a particularly scary one at that--one that denies the whole paradigm of control by a central authority over software to obtain security, offering a contrary solution that may be workable in the long run, and might even flourish.

From mrm at netcom.com Sat May 4 02:51:16 1996
From: mrm at netcom.com (Marianne Mueller)
Date: Sat, 4 May 1996 17:51:16 +0800
Subject: Calling other code in Java applications and applets
In-Reply-To: <4m8av7$sls@abraham.cs.berkeley.edu>
Message-ID: <199605040637.XAA13509@netcom20.netcom.com>

> Jeff Weinstein wrote:
> >
> > It might be interesting to make a small plugin that just does some core
> >stuff like gathering entropy, mod-exp, and related stuff difficult or too
> >slow in java. I mainly brought it up because people were asking about
> >calling native code from java.
> >
> In an alternate universe in which I didn't have projects to finish, I may
> be interested in doing something like this. However, I haven't been able
> to find information on how to write Unix (or preferably portable) plugins.
>
> Any hints?
>
> - Ian

I don't have any hints, but I think people need to be aware up front that calling native code from a Java applet disables any security that might otherwise be enforced for the applet. It's OK to do this, as long as you understand up front how things work.

One of the restrictions on applets is that they can't load DLLs or .so's. People get around that restriction by choosing to install a DLL on the local machine in such a way that the applet can invoke methods defined in that DLL (or .so)

By choosing to do that, they're deliberately saying "it's OK, I understand this native method might do anything at all on the machine and it's OK by me"

Marianne

From EALLENSMITH at ocelot.Rutgers.EDU Sat May 4 02:55:44 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 4 May 1996 17:55:44 +0800
Subject: Why I dislike Java. (was Re: "Scruffies" vs.
"Neats") Message-ID: <01I49YKIF9PQ8Y56P8@mbcl.rutgers.edu> From: IN%"perry at piermont.com" 3-MAY-1996 16:49:35.61 >The users can't afford not to have the numbers they are watching not >in front of them, even for brief periods. Its a real problem. Hmm.... has anyone ever created a specialized computer (or computer running a specialized program) that would put multiple screens on the same screen, perhaps with some GUI manipulation capabilities? If they're trying to read Netscape material while watching the other numbers, they're then in the exact same situation from their viewpoint. >And yes, this isn't a joke. They all eat lunch on the trading floor so >they don't have to leave their desks. They race back and forth to the >bathroom. The environment is tough. I should have remembered this from reading Liar's Poker; thank you. (One wonders if any of them will start using catheters...) -Allen From unicorn at schloss.li Sat May 4 03:21:12 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 4 May 1996 18:21:12 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: Message-ID: On Fri, 3 May 1996, Michael Loomis wrote: > Excerpts from internet.cypherpunks: 2-May-96 Re: CryptoAnarchy: What's > w.. by Black Unicorn at schloss.li > > I must assume either > > > > 1) He is not intimately familiar with the system of U.S. taxation (even if > > he is pro-high-tax, calling the current system 'just about right' is > > folly). > > No tax system will ever been perfect, but income taxation is a good > system of taxation. Bear in mind that the current system imposes more than just income tax and that the United States, unlike most other countries, taxes worldwide income and compensates with an immensely complicated foreign tax credit system. > Income taxation inevitably requires some accounting > costs, but these costs should be going down with advances in computing > technology and other technology. The goal should be to minimize these > costs. 
Accounting costs as a result of income taxation do not bother me. Accounting costs as a result of a deduction based, multi-tiered, progressive, and supplemented system of income taxation are silly. The income tax system in the United States has been driven since the post war period by the effort to implement policy through the congress' power to tax rather than the simple need for funds. Allowing special interest groups to drive a system of taxation is hardly fitting the goal of "minimizing these costs." The income tax system in the United States thus fails even your test. Exercise for the reader: How many de facto laws are implemented by a tax which would be unconstitutional to pass directly?

> I would further suggest it is remarkably childish to think that
> a political system will not cause some unfairness in the tax code,
> because it is the nature of democracy to generate some unfairness.

I don't recall ever asserting this.

> As
> long as the unfairness is kept within reasonable bounds as in the case
> of the 1986 tax reform, I don't see this unfairness as a killing
> objection to income taxation.

Then the issue that divides us is the definition of fairness.

> Of course, unlike most of the readership
> of this list, I believe that democracy is a good thing.

That's a pretty arrogant (and fairly incorrect) assumption.

[...]

> sized government on them. Outside of crypto-cyber-carrots, I have
> strong doubts that crypto of any form or sophistication will be able to
> circumvent consumption taxation.

Sorry, I just don't agree with you here. If black markets exist, even flourish, without crypto, how exactly is it that you think they will not be easier to run and maintain and shield from discovery in the presence of encryption? The amount of resources which would have to be dedicated to tax compliance enforcement under your scheme would be staggering.
I don't doubt that taxation (if it comes to this) will go down kicking and screaming, but if you can think of a way to regulate offshore markets in information futures without invading the country hosting the exchange (note that there is a case that even this can be defended against by the market) I'd like to hear it. > Consumption taxation would, of course, > include a tax on the amount of information coming into your computer. I > don't think that the government will have any problem determining the > quantity of the information & since it will be encrypted anyway, I don't > see the privacy worries. You don't see the privacy worries in mandating data providers to count bits and report to a central authority on their findings? It's clear you're unconvertable. We should take this discussion (if it continues) to e-mail. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From jamesd at echeque.com Sat May 4 03:21:27 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Sat, 4 May 1996 18:21:27 +0800 Subject: CryptoAnarchy: What's wrong with this picture? Message-ID: <199605040652.XAA09692@dns1.noc.best.net> >1) Read as wide a variety of the stuff out there you can > (even the books by "dangerous crackpots"). >2) Take a vacation to a tax haven you like because of what > you've read about it. What tax havens would you like, if you did business in tax havens, which of course you do not ;-) --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. 
Donald
derives from this right, not from the |
arbitrary power of the state.         | jamesd at echeque.com

From unicorn at schloss.li Sat May 4 03:39:29 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Sat, 4 May 1996 18:39:29 +0800
Subject: CryptoAnarchy: What's wrong with this picture?
In-Reply-To: <199605031831.LAA15730@infinity.c2.org>
Message-ID:

On Fri, 3 May 1996 brerrabbit at alpha.c2.org wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> Sandy Sandfort wrote:
> >A couple of generations ago, only multinationals and the super
> >rich could avail themselves of offshore banks, asset protection
> >trust, foreign incorporation, etc. Fifteen years ago, I was
> >helping members of the upper middle class do the same thing.
> >
> >Today, virtually anyone on this list can afford these techniques.
> >Non-US people have been using them for years. The reason middle
> >class Americans aren't savvy that yet are ignorance and inertia.
> >Everyday, Americans are becoming less parochial (due in part,
> >ironically, to government hysteria about money laundering) about
> >such possibilities. As the Clintons and Doles turn up the tax
> >and regulatory heat, they will also overcome their inertia.
>
> Do tell. How would someone, just for instance, who is considering
> leaving a "permanent" job for the higher compensation available to
> contractors and consultants be able to structure a business in such a
> way as to benefit from these techniques? If we assume a rate of
> between $60/hour and $125/hour (typical in Boston, New York, and the
> Silicon Valley), how much can one save? How much effort and money is
> required? How much risk is involved?

Actually, I disagree with Mr. Sandfort on this one.

Taxation of International Income is a tremendously complicated field. (You can get an LL.M. in international taxation alone for example).
While many on the list may be clever enough to find the resources to properly structure businesses such to limit their tax exposure, the real need is to research tax law, not tax technique. This is a dynamic and ever changing field and I cannot condone going it alone. Tax consultants charge $150 an hour (though I would be surprised to find an international tax consultant worth his or her salt who was this cheap) because they can. I've been doing international issues for years and I still get surprised occasionally. So do experts who have been doing it for decades.

If you're simply looking to pick a jurisdiction, that's not so hard. Neither is simply using a tax haven in simple ways or concealing skimmed or cash assets. Actually structuring an international business endeavor is a whole different ball game.

Are you looking to avoid or evade taxes? Are you willing to relocate? Renounce your U.S. (?) citizenship? Can you do your consulting from an offshore office? Will you be in the United States for more than 182 days a year? I could go on for pages with questions like these that will significantly change the solutions for you. Blame Mr. Loomis' "fair and reasonable" taxation system for the fact that I could also easily bill you $5000 for basic and rudimentary consultation.

> There are many books on the shelves claiming to show how to avoid
> taxes using these techniques. Most of them have the smell of
> "dangerous crackpot" about them. Can you recommend any in particular?

Absolutely essential core reading includes:

Graetz, Federal Income Taxation, Third Edition and Code Supplement for 1996. The text is 1100+ pages, the code 2025 pages.

Lind, Schwarz et. al., Fundamentals of Corporate Taxation, Third Edition. This text is 790 pages with a ~50 page yearly supplement.

Gustafson, Pugh, Taxation of International Transactions 4th Edition, with International Income Taxation Code and Regulations supplement and current tax law supplement.
The text is 860 pages, the code and regulations book 2604 pages and the current supplement for 1996 is 100 pages.

Any book more than a few years old or without a yearly or (as with the better publications quarterly) supplement, is useless.

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From blake at bcdev.com Sat May 4 05:44:49 1996
From: blake at bcdev.com (Blake Coverett)
Date: Sat, 4 May 1996 20:44:49 +0800
Subject: Calling other code in Java applications and applets
Message-ID: <01BB397D.395BE6C0@bcdev.com>

> I don't have any hints, but I think people need to be aware up front
> that calling native code from a Java applet disables
> any security that might otherwise be enforced for the applet.

This, of course, presumes that the native code in question is less robust/trust-worthy than that Java runtime and the browser. It's not obvious to me why this should be the case.

regards,
-Blake (who figures it's all a reputation thing again)

From root at edmweb.com Sat May 4 06:54:16 1996
From: root at edmweb.com (Steve Reid)
Date: Sat, 4 May 1996 21:54:16 +0800
Subject: What are the Feds looking at now :)
In-Reply-To: <199605032150.XAA15313@utopia.hacktic.nl>
Message-ID:

> This message was observed to flow to firewalls mailing today...
> could this mean something is going on??
> >From:
> >I am looking for a list of all the Internet
> >Service Providers world-wide. Can anyone point me
> >in the right direction?

Hmm... This person doesn't seem to realize the size of the internet, or its decentralized nature. I wouldn't worry about this guy. Even if such a list existed, he wouldn't know what to do with it. "C:\>type isplist.txt"... heheh...
:)

(Yes, I know some people compile lists of ISPs, but those lists cover only the tip of the iceberg. And yes, I also know that the root nameservers have massive databases, but they don't provide much info beyond the domain names and IP addresses.)

======================================================================
| Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/)     |
| Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ |
| PGP (2048/9F317269) Fingerprint: 11C89D1CD67287E6 8C09EC52443F8830 |
| -- Disclaimer: JMHO, YMMV, IANAL. --                               |
====================================================================:)

From rah at shipwright.com Sat May 4 07:25:39 1996
From: rah at shipwright.com (Robert Hettinga)
Date: Sat, 4 May 1996 22:25:39 +0800
Subject: proposed anti-pseudospoofing law in Georgia
In-Reply-To:
Message-ID:

> Larry, as you certainly know, I am also known as "Nick Szabo" and "Robert
> Hettinga," Hal Finney is just another name for "Eric Hughes" and "Sandy
> Sandfort," and "Perry Metzger" actually a pseudonym shared by both me and
> John Gilmore.
>
> On occasion we meet to do a Vulcan mind-meld and adopt new identities.

Ah. Well, I suppose that beats the "Diamond Age" method...

Cheers,
Tim May AKA Bob Hettinga AKA Nick Szabo

-----------------
Robert Hettinga (rah at shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA
"If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo
The e$ Home Page: http://thumper.vmeng.com/pub/rah/

From unicorn at schloss.li Sat May 4 07:27:33 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Sat, 4 May 1996 22:27:33 +0800
Subject: CryptoAnarchy: What's wrong with this picture?
In-Reply-To: <199605040652.XAA09692@dns1.noc.best.net>
Message-ID:

On Fri, 3 May 1996 jamesd at echeque.com wrote:

> >1) Read as wide a variety of the stuff out there you can
> > (even the books by "dangerous crackpots").
> >2) Take a vacation to a tax haven you like because of what > > you've read about it. > > What tax havens would you like, if you did business in tax > havens, which of course you do not ;-) What's your anticipated application? --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From vax at linkdead.paranoia.com Sat May 4 08:33:58 1996 From: vax at linkdead.paranoia.com (VaX#n8) Date: Sat, 4 May 1996 23:33:58 +0800 Subject: encrypted Unix backup software In-Reply-To: <199605030425.XAA05924@primus.paranoia.com> Message-ID: <199605031253.HAA09103@linkdead.paranoia.com> In message <199605030425.XAA05924 at primus.paranoia.com>, Bill Stewart writes: >>Although I could probably hack up "catblock" to do the job, and use >>a line of the form >>dump -0uBf ... | symmetric_cipher | catblock blockfactor > /dev/tape >Yup [agrees on cmdline] >You don't need to write "catblock", though - there's the "dd" command >designed for just such applications... >Newer versions may handle multiple tapes a bit better. Hmm, I've got this a few times from people and I just wanted to clear up a few points. 1) BSD dd doesn't treat EOT specially: /* ... If a partial write, and it's a character device, just warn. If a tape device, quit. ... */ GNU dd (from what I remember) doesn't, either. 2) "dd" will only work safely across all tape types and all size pipes using the degenerate form "dd ibs=1 obs=(your_bf_here) conv=sync ...". I'll hack up catblock today. Who says we don't code :) From sandfort at crl.com Sat May 4 12:44:38 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Sun, 5 May 1996 03:44:38 +0800 Subject: CryptoAnarchy: What's wrong with this picture? 
In-Reply-To:
Message-ID:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SANDY SANDFORT
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C'punks

I wrote in reference:

> > >Today, virtually anyone on this list can afford these techniques.

> Actually, I disagree with Mr. Sandfort on this one.
>
> Taxation of International Income is a tremendously complicated field.
> (You can get an LL.M. in international taxation alone for example).

> If you're simply looking to pick a jurisdiction, that's not so hard.
> Neither is simply using a tax haven in simple ways or concealing skimmed
> or cash assets. Actually structuring an international business endeavor is
> a whole different ball game.

We don't really disagree. What Black Unicorn writes is quite correct IF ONE IS CONCERNED WITH LEGAL CORRECTNESS. Not everyone on this list could afford to do completely legal international tax structuring. I still stand by my statement, however, that most list members could afford to use offshore techniques. (If you have a ton of money, by all means, hire Black Unicorn or someone similarly situated, to help you with your planning. Big money is a big target, and you definitely need to have all your i's dotted and t's crossed.

S a n d y

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From sandfort at crl.com Sat May 4 12:46:46 1996
From: sandfort at crl.com (Sandy Sandfort)
Date: Sun, 5 May 1996 03:46:46 +0800
Subject: CryptoAnarchy: What's wrong with this picture?
In-Reply-To: <199605040652.XAA09692@dns1.noc.best.net>
Message-ID:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SANDY SANDFORT
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
C'punks, On Fri, 3 May 1996 jamesd at echeque.com wrote: > What tax havens would you like, if you did business in tax > havens, which of course you do not ;-) I haven't done any sort of survey lately, but I think the following jurisdictions are all good bets: BANKING Cayman Islands, Liechtenstein, Isle of Man, Canada(!) for some purposes, United States for non-US people and or nominee offshore corporations owned by anyone. CORPS./TRUSTS English speaking Caribbean countries, Hongkong in certain circumstances, Liechtenstein for its trust-like entities. LIVING Most anywhere that you like and that isn't your country of citizenship. If I had the bucks, I would seriously look at Campione d'Italia. I'd be curious to hear what Duncan Frissell and Black Unicorn had to say on this question. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From mjenkins at algebra.com Sat May 4 13:13:09 1996 From: mjenkins at algebra.com (Mike Jenkins) Date: Sun, 5 May 1996 04:13:09 +0800 Subject: LACC: proposed anti-pseudospoofing law in Georgia In-Reply-To: <199605021952.MAA18471@netcom16.netcom.com> Message-ID: <199605041518.KAA05839@manifold.algebra.com> Can you please post the text of the bill? Thank you, ... Vladimir Z. Nuri wrote: > > this law got a little notice here although I didn't notice people > considering its identity aspects in particular. > > this proposed law in Georgia > would make it illegal to have a login name other than > your legal name, as I understand it. > > I consider it rather silly, naive, and unenforcable, > but it does suggest a few things: > > 1. lawmakers are starting to notice the internet bigtime. > 2. its starting to freak them out. > 3. the identity issues raised by cyberspace have significant > social implications and will not go away quietly. > 4. there are some legitimate reasons to require ID in some places > in cyberspace. 
> > of course I will be flamed on 4, but my position is, has always > been the following: both anonymous and "identified" communication > have their places. I am not suggesting that either one is superior > a priori. however each has different uses. some things that > are possible in one are not possible in the other, etc. > > I think it is reasonable > for people who create/maintain forums or other cyberspace services > to demand, and be able to enforce, that you use your real > identity if they choose. likewise, you are free not to join these > place or use these services. I think anyone should be free > to create alternatives that spit in the face of these restrictions. > let the market decide what is most viable in given situations. > > I suspect that we are going to see some laws being passed trying > to regulate cyberspace that are really ridiculous. it will take > the lawmakers awhile to figure out what they can and can't get away with > and when their opinions are or are not relevant to what happens. > > meanwhile, if the internet really is robust, their irrelevant > posturings should not make much difference, although I am *not* > advocating that people resign themselves to these laws, only that > if they pass the situation is not necessarily catastrophic or > apocalyptic. > > > ------- Forwarded Message > > > - ------- Forwarded Message > > Date: Tue, 30 Apr 1996 11:31:52 -0400 (EDT) > From: merkaba at styx.ios.com > Reply-To: snetnews at xbn.shore.net > To: Multiple recipients of list SNETNEWS > Subject: INTERNET POLICE (fwd) > > > > > - - ---------- Forwarded message ---------- > Date: Fri, 26 Apr 1996 21:44:53 -0400 > From: Ronald Pearce > To: merkaba at styx.ios.com > Subject: INTERNET POLICE > > > > >It is being dubbed the Internet Police Law. 
Georgia's state government is > >beginning to catch a little net-heat because of a new law signed by the > >Governor last week which, according to some, CRIMINALIZES the use of e-mail > >addresses which don't properly identify a person, as well as the practice of > >linking to another web page by name without first obtaining permission to > >link. > > > >If anyone cares to see information and commentary on this new law, feel free > >to browse over to www.kuesterlaw.com. I would love to know what everyone > >thinks about the constitutionality of this bill, as well as any other comments. > > > >Thanks. > >jk > >Jeffrey R. Kuester, Esq. Patent, Copyright, & Trademark Law > >6445 Powers Ferry Road, Suite 230, Atlanta, Georgia 30339 > >Ph (770) 951-2623 Fax (770) 612-9713 > >E-mail: kuester at kuesterlaw.com > >WWW: http://www.KUESTERLAW.com (The Technology Law Resource) > > > >--------------------------------------------------------------- > > > > > - - -> SNETNEWS Mailing List & Fidonet Echo > - - -> Post to: listserv at xbn.shore.net > - - -> subscribe snetnews > > > > - ------- End of Forwarded Message > > > ------- End of Forwarded Message > > From jimbell at pacifier.com Sat May 4 13:56:07 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 5 May 1996 04:56:07 +0800 Subject: Edited Edupage, 25 April 1996 Message-ID: At 05:55 PM 5/3/96 EDT, E. ALLEN SMITH wrote: >From: IN%"educom at elanor.oit.unc.edu" 25-APR-1996 21:40:28.52 > >>FCC BOOSTS PROSPECT FOR SUPERNETS >>The Federal Communications Commission may reserve a band of radio >>frequencies to allow free and unlicensed transmissions at 25 megabit speeds >>of large volumes of data within a group of buildings. These so-called >>"supernet" wireless services, which would operate at no more than one watt >>of power in order to avoid interfering with neighboring supernets, could >>then be connected by high-speed phone lines to the Internet, thus largely >>bypassing local phone companies to get Net access. 
(New York Times 25 Apr
>>96 C1)
>
> If these are not covered by the regulations against encryption in
>the use of packet radio, this would seem to be an opening for such. Indeed,
>encryption of radio messages would appear to be rather critical for security.

FAIK, the prohibition on encryption applies only to hams transmitting on amateur radio frequencies. It wouldn't cover this kind of thing. I agree that encryption is going to be vital in this case, say 1024-bit RSA or better. Thus encrypted, it would be even better if there was also a law which prohibited _the government_ from picking up these transmissions or attempting to decrypt them.

Another useful purpose of such a "supernet" would be alternative telephone system competition. At this data rate, we're talking about the equivalent of 500+ simultaneous phone call capacity. That's enough to serve perhaps 5000 homes or more.

>>HARDWARE SOLUTION TO E-COMMERCE SECURITY
>>VLSI Technology and Tandem Computer's Atalla are developing chip-level
>>security products to protect electronic transactions over the Internet and
>>intranets. The products will incorporate DES, RSA and other encryption
>>technology, and the companies hope their joint venture will establish a
>>hardware-based security standard for electronic commerce. (Information Week
>>15 Apr 96 p34)

Remember, however, that VLSI technology is the company that built Clipper...

Jim Bell
jimbell at pacifier.com

From norm at netcom.com Sat May 4 13:56:08 1996
From: norm at netcom.com (Norman Hardy)
Date: Sun, 5 May 1996 04:56:08 +0800
Subject: URLs for Capabilities
Message-ID:

I am preparing a talk for this morning at CP in PaloAlto. Here are some relevant URLs.
http://www.agorics.com/agorics
http://www.agorics.com/agorics/allkey.html
http://www.cis.upenn.edu/~KeyKOS/

From jordan at Have.You.Seen.My.Infomercial.COM Sat May 4 14:03:48 1996
From: jordan at Have.You.Seen.My.Infomercial.COM (Jordan Hayes)
Date: Sun, 5 May 1996 05:03:48 +0800
Subject: CryptoAnarchy: What's wrong with this picture?
Message-ID: <199605041609.JAA21395@Thinkbank.COM>

	From unicorn at schloss.li Fri May 3 23:23:21 1996

	Accounting costs as a result of a deduction based, multi-tiered, progressive, and supplemented system of income taxation are silly.

By the way, the IRS (in spite of its shortcomings) is (by far) the most efficient tax collecting organization among the major economic powers. It costs roughly $0.50 per $100 collected. Canada is second at about $1, Germany (for instance) is at about $7, mostly because they don't have payroll deductions.

/jordan

From abostick at netcom.com Sat May 4 14:08:19 1996
From: abostick at netcom.com (Alan Bostick)
Date: Sun, 5 May 1996 05:08:19 +0800
Subject: Why I dislike Java.
In-Reply-To: <199605031303.JAA24332@jekyll.piermont.com>
Message-ID: <723ix8m9LAhG085yn@netcom.com>

-----BEGIN PGP SIGNED MESSAGE-----

In article <199605031303.JAA24332 at jekyll.piermont.com>, "Perry E. Metzger" wrote:

> Jeff Weinstein writes:
> >
> > The Netscape Administration Kit will allow a site security admin
> > to create a configuration that disables Java, and does not allow the
> > user to enable it. If your customers require netscape, perhaps this
> > is an option that will make you more comfortable.
>
> It certainly makes me feel more comfortable. The problem I have is
> that I expect that increasingly pages will arise for which information
> can only be extracted with the use of Java. Some flunky from some desk
> will come up and scream "what do you mean I can't get a copy of
> Foo Corporation's merger press release because we won't run some
> program! That's bullshit!
Do you know how much money the risk arb desk
> pulls in, you twit! This must never happen again! Fix it immediately!"
>
> Luckily things aren't quite at that stage yet, but it's only a matter
> of time. When you create a tool like this, you have a certain degree
> of, dare I say it, community responsibility. Once you've hyped the
> tool enough and made it ubiquitous, people at some point are going to
> claim that they *need* it, at which point the security people have no
> choice but to do something that gives them nightmares.

This, it seems to me, is the key issue. The Security Department isn't going to have time to test and certify the applet code for Foo Corporation's fancy merger press release; the risk arb desk is going to need to see it *right now*.

I hate saying things like "the answer is to educate the users" because it is as close to a cop-out as you can get. But educating the users has to be at least part of the answer - and not just the users. The publicity and shareholder relations offices at Foo Corporation need to know that putting out information for Wall Street needs to be in a form that Wall Street can deal with safely. If Java doesn't belong on the trading floor, it doesn't belong in a press release either.

I suspect that the best way to get the message across would be for a major security disaster - a big-time hack or perhaps just a Java-caused system failure - to take place. (A near-future Wall Street techno-thriller about such a hack *might* do the trick, but there's no guarantee it wouldn't just vanish into the science fiction midlist.)

- --
Alan Bostick                   | "The thing is, I've got rhythm but I don't have
mailto:abostick at netcom.com | music, so I guess I could ask for a few more
news:alt.grelb                 | things."
(overheard)
http://www.alumni.caltech.edu/~abostick

From jordan at Thinkbank.COM Sat May 4 14:25:22 1996
From: jordan at Thinkbank.COM (Jordan Hayes)
Date: Sun, 5 May 1996 05:25:22 +0800
Subject: CryptoAnarchy: What's wrong with this picture?
Message-ID: <9605041621.AA17975@blood.Thinkbank.COM>

	From sandfort at crl.com Fri May 3 21:52:50 1996

	At 11:31 AM 5/3/96 -0700, brerrabbit at alpha.c2.org wrote:

	>Do tell. How would someone, just for instance, who is considering
	>leaving a "permanent" job for the higher compensation available to
	>contractors and consultants be able to structure a business in such a
	>way as to benefit from these techniques?

	2) Take a vacation to a tax haven you like because of what you've read about it.

I'm confused as to how "merely" putting your after-tax (you *will* declare this consulting revenue on your Schedule C, won't you?) bucks in an offshore account will "save" you money. This only "works" if you are able to use what you've taken away to advantage; you may generate a tax "savings" on those gains. Oh, and it also only works if you are willing to expose yourself to being arrested at some point for tax evasion.

This is silly; there are legitimate reasons for structuring business efforts in other tax jurisdictions. Avoiding income tax on your primary source income isn't one of them.

My answer to the original question: save your $1k you'd send to Sandy for the "advice" (plus travel associated with finding your 'haven') and open a SEP.

/jordan

From pete at loshin.com Sat May 4 14:37:19 1996
From: pete at loshin.com (Pete Loshin)
Date: Sun, 5 May 1996 05:37:19 +0800
Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
Message-ID: <01BB39B7.AF3F9A00@ploshin.tiac.net>

E.
Allen Smith wrote: > From: IN%"perry at piermont.com" 3-MAY-1996 16:49:35.61 > > >The users can't afford not to have the numbers they are watching not > >in front of them, even for brief periods. Its a real problem. > > Hmm.... has anyone ever created a specialized computer (or computer > running a specialized program) that would put multiple screens on the same > screen, perhaps with some GUI manipulation capabilities? If they're trying to > read Netscape material while watching the other numbers, they're then in the > exact same situation from their viewpoint. Actually, this is the kind of application that seems ideal for X-Windows. There are a lot more, but it has never really caught on in the PC world, which is a shame since it makes much more sense than many of the solutions people have come up with over the years. -Pete Loshin From declan+ at CMU.EDU Sat May 4 15:00:19 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sun, 5 May 1996 06:00:19 +0800 Subject: PICS & CyberAngels In-Reply-To: <01I4A3GEC4UU8Y56P8@mbcl.rutgers.edu> Message-ID: Excerpts from internet.cypherpunks: 3-May-96 PICS & CyberAngels by "E. ALLEN SMITH"@ocelot. > In view of the discussion of the possibility of PICS being required > by law, plus that about the CyberAngels, I thought people might find it > interesting that the CyberAngels home page has on it as one of their > "responsibilities" making sure that all pages with sexual content - that > pornography fetish again - have PICS or other (such as Safesurf...) ratings > that would permit censorship of them. Indeed. Under SafeSurf, I've rated the fight-censorship mailing list archive site as suitable for all ages, which I believe it is, though the CyberAngels think otherwise. I wonder what will happen now? SafeSurf is supposedly sending me "an end-user license agreement" to sign... -Declan From vznuri at netcom.com Sat May 4 15:05:45 1996 From: vznuri at netcom.com (Vladimir Z. 
Nuri) Date: Sun, 5 May 1996 06:05:45 +0800 Subject: PICS & CyberAngels In-Reply-To: <01I4A3GEC4UU8Y56P8@mbcl.rutgers.edu> Message-ID: <199605041600.JAA01162@netcom14.netcom.com> EAS: > In view of the discussion of the possibility of PICS being required >by law, plus that about the CyberAngels, I thought people might find it >interesting that the CyberAngels home page has on it as one of their >"responsibilities" making sure that all pages with sexual content - that >pornography fetish again - have PICS or other (such as Safesurf...) ratings >that would permit censorship of them. > If parents want to keep their children from seeing sexual material, >that's the problem of the parents - it shouldn't be the problem of anyone else. >If something I put out offends someone (e.g., some political speech I've made), >that's the problem of the person it offends. Sexual material is no different. this seems to suggest a misunderstanding of PICS either by you or the "CyberAngels". PICS does not require any particular action by page owners and is entirely based on that principle (there is a pretty good argument it would be unconstitutional, impractical, idiotic, etc. if it didn't). it defines a standard by which ratings servers and queries are constructed and formatted. anyone can rate any information. if the CyberAngels want to rate all kinds of pages in cyberspace and set up their own rating service, more power to them. the ratings do not restrict those who do not choose the restrictions. I hope we can get a new conventional wisdom going, in which people who rant about saving children from the evils of cyberspace are told to shut up and go start their own rating service. they can blacklist as many sites as they want. but the real test will be whether anyone CARES what they think. 
From WlkngOwl at UNiX.asb.com Sat May 4 15:24:26 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Sun, 5 May 1996 06:24:26 +0800 Subject: NOISE.SYS v0.5.5 (Beta) Message-ID: <199605041752.NAA06501@unix.asb.com> Latest NOISE.SYS (/dev/random for DOS) is available, with incomplete docs. Reply with a subject "send noise" (or you can wait a few days for it to appear on an ftp site). The file's about 80k, includes '386 assembler source. --- No-frills sig. Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From minow at apple.com Sat May 4 15:27:01 1996 From: minow at apple.com (Martin Minow) Date: Sun, 5 May 1996 06:27:01 +0800 Subject: Calling other code in Java applications and applets Message-ID: Marianne Mueller (mrm at netcom.com) writes that > >people need to be aware up front >that calling native code from a Java applet disables >any security that might otherwise be enforced for the applet. > Would it be more accurate to state that native code called by a Java applet disables Java virtual machine security, but is still bound by security policies enforced by the operating system itself? It would be most unfortunate if a browser run by an unprivileged user could attain "root" privileges by running a Java applet that called an appropriate (or inappropriate) native method. Of course, on inherently unprotected systems (PC's), there is indeed no protection. Perhaps Java will cause vendors to improve overall operating system robustness. Martin Minow minow at apple.com From sandfort at crl.com Sat May 4 15:46:38 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Sun, 5 May 1996 06:46:38 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: <9605041621.AA17975@blood.Thinkbank.COM> Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . C'punk: On Sat, 4 May 1996, Jordan Hayes wrote: > I'm confused as to how "merely" putting your after-tax (you *will* > declare this consulting revenue on your Schedule C, won't you?) bucks > in an offshore account will "save" you money. This only "works" if you > are able to use what you've taken away to advantage; you may generate a > tax "savings" on those gains. Oh, and it also only works if you are > willing to expose yourself to being arrested at some point for tax > evasion. The proper way to punctuate the foregoing paragraph is to end it with a period after "I'm confused." > This is silly; there are legitimate reasons for structuring business > efforts in other tax juristictions. Avoiding income tax on your > primary source income isn't one of them. This is Jordan's value judgment. Your mileage may vary. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From mrm at netcom.com Sat May 4 16:07:28 1996 From: mrm at netcom.com (Marianne Mueller) Date: Sun, 5 May 1996 07:07:28 +0800 Subject: Calling other code in Java applications and applets In-Reply-To: Message-ID: <199605041755.KAA26669@netcom20.netcom.com> > >people need to be aware up front > >that calling native code from a Java applet disables > >any security that might otherwise be enforced for the applet. > > > > Would it be more accurate to state that native code called by a > Java applet disables Java virtual machine security, but is still > bound by security policies enforced by the operating system itself? > > It would be most unfortunate if a browser run by an unprivileged > user could attain "root" privileges by running a Java applet that > called an appropriate (or inappropriate) native method. yes, that's exactly the case. I wouldn't call it the virtual machine security, though, but the application security, since the applet restrictions are enforced at the application level by the SecurityManager. 
(the browser is the application in this case) Whether or not this is a problem depends on the quality of implementation of the DLL, and whether or not you care about this level of insecurity, given that the browser and other software running on the machine may or may not be secure. People routinely "click here" to download and install some plug-in, so probably those folks are willing to place their bets and take their chances. Note that in all this I'm not claiming that the Java setup as currently implemented is without bugs. I'm just talking about the model. As far as the Java applet sandbox goes, I think we can do a better job of specifying a minimal TCB and enforcing the applet restrictions at the application level. There are people who think that the sandbox model itself is not do-able. I think reasonable people can disagree on that point. > > Of course, on inherently unprotected systems (PC's), there is > indeed no protection. Perhaps Java will cause vendors to improve > overall operating system robustness. > If there's a market for security, then vendors will respond to that. I think it's interesting that the internet might provide that market demand. Other people on this list who have worked on secure products can probably testify as to whether or not customers were willing to wait longer and pay more for higher quality, more secure software, or if they're more interested in buying something today that provides some needed feature. I'm not saying this is good or bad - I'm just observing that market forces are real. Another way of saying this is, perhaps software that previously was only deployed in special-purpose applications will move into consumer mainstream.
Marianne From nobody at ee.siue.edu Sat May 4 16:10:20 1996 From: nobody at ee.siue.edu (Anonymous) Date: Sun, 5 May 1996 07:10:20 +0800 Subject: Justice Department looking for ISP's Message-ID: <199605041827.NAA15073@shiva.ee.siue.edu> >From: >To: Firewalls at GreatCircle.COM >Subject: Firewalls-Digest V5 #289 >Date: Fri, 3 May 1996 14:03:09 -0400 (EDT) >Sender: firewalls-owner at GreatCircle.COM > >I am looking for a list of all the Internet >Service Providers world-wide. Can anyone point me >in the right direction? > >Thanks in advance, > >Mary L. Casey, Program Analyst >Information Management & > Security Staff >Information Resources Management >Justice Management Division >U.S. Dept of Justice From jimbell at pacifier.com Sat May 4 16:15:49 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 5 May 1996 07:15:49 +0800 Subject: "Bit Tax" proposed by satan@hell.gov Message-ID: At 09:53 PM 5/3/96 -0700, Timothy C. May wrote: >At 11:13 PM 5/3/96, Steve Reid wrote: > >>The problem with a tax on data is that it would be *extremely* unfair. > >Chill out, it's not a real proposal. I just read the first few pages of the url, and skimmed a few more, and it's obviously a pile of socialist, politically-correct, statist liberal claptrap. They're more interested in maintaining their little interdependant world than anything else. Jim Bell jimbell at pacifier.com Jim Bell jimbell at pacifier.com From mrm at netcom.com Sat May 4 16:24:48 1996 From: mrm at netcom.com (Marianne Mueller) Date: Sun, 5 May 1996 07:24:48 +0800 Subject: Calling other code in Java applications and applets In-Reply-To: <01BB397D.395BE6C0@bcdev.com> Message-ID: <199605041734.KAA24761@netcom20.netcom.com> No that wasn't my point (that the native code is less trustworthy than the Java runtime.) My point was just that any security measures that restrict applets do not restrict anything that an applet causes to happen via a native method. 
For example one security restriction is that applets aren't allowed to read files. If an applet calls a native method then that native method can read any files it wants. I'm talking about the model, not about the quality of implementation. I'm not saying it's a bad or untrustworthy thing to do (call native methods), I just thought it was worthwhile to point out that once you call a DLL from an applet, you have effectively chosen to disable the application level SecurityManager. It's your call as to whether this is a problem or not. Marianne From blake at bcdev.com Sat May 4 16:59:24 1996 From: blake at bcdev.com (Blake Coverett) Date: Sun, 5 May 1996 07:59:24 +0800 Subject: Calling other code in Java applications and applets Message-ID: <01BB39CB.CF21E530@bcdev.com> > For example one security restriction is that applets aren't allowed > to read files. If an applet calls a native method then that native > method can read any files it wants. I'm talking about the model, > not about the quality of implementation. I'm not saying it's > a bad or untrustworthy thing to do (call native methods), I just > thought it was worthwhile to point out that once you call a DLL > from an applet, you have effectively chosen to disable the application > level SecurityManager. It's your call as to whether this is a problem > or not. I was right in the first message... it is a reputation thing. We don't disagree on any of the facts here, just on their implications. I see this from the point of view of the author of these native methods, cypherpunks still do write code sometimes. From that point of view where is the difference between calling my native code methods and calling the java.awt.*, or netscape.* methods that are native code? Yes, either can do anything they want, irregardless of the SecurityManager. For J. Random User on the net, Sun/Netscape's reputations are fairly strong and mine is non-existent. For the corporate IS folks to whom I contract this situation is reversed.
(Despite impressive IPOs I still get a lot of friction about 'programs downloaded from the net'.) -Blake From cp at proust.suba.com Sat May 4 17:15:09 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Sun, 5 May 1996 08:15:09 +0800 Subject: Why I dislike Java. In-Reply-To: <723ix8m9LAhG085yn@netcom.com> Message-ID: <199605041918.OAA04031@proust.suba.com> > I hate saying things like "the answer is to educate the users" because > it is as close to a cop-out as you can get. But educating the users has > to be at least part of the answer - and not just the users. The > publicity and shareholder relations offices at Foo Corporation need to > know that putting out information for Wall Street needs to be in a form > that Wall Street can deal with safely. If Java doesn't belong on the > trading floor, it doesn't belong in a press release either. > > I suspect that the best way to get the message across would be for a > major security disaster - a big-time hack or perhaps just a Java-caused > system failure - to take place. If Perry and a couple of his competitors got together, called themselves a professional organization, and issued a press release and guidelines, they'd probably be able to have a big impact. I'll bet they could get it picked up in the WSJ, and probably some other papers as well. "People in environments where security matters (like finance and banking) shouldn't use java or javascript. If you want to use the web to reach these people, don't use java or javascript in your pages." As stupid as it sounds, sending letters to the people who maintain the www faqs might be helpful too. Most web designers would probably follow guidelines if they knew what they were. I'll bet that a lot of people who write web books will take a look at the faqs, and you might get wider coverage through them.
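The layering argued over in the native-method messages above (an application-level SecurityManager that native code never consults, with the operating system's own checks still applying underneath) can be modelled in a few lines. This is an added example, not code from any poster or from the Java runtime: it is a Python analogue for POSIX systems in which the `SecurityManager` and `AppletRuntime` classes, the file names and the sample data are all constructed for illustration, and libc reached through `ctypes` stands in for the DLL behind a native method.

```python
import ctypes
import os
import tempfile


class AppletSecurityError(PermissionError):
    """Raised by the application-level policy, not by the operating system."""


class SecurityManager:
    """Constructed stand-in for the browser's SecurityManager: a read allow-list."""

    def __init__(self, readable=()):
        self._readable = {os.path.realpath(p) for p in readable}

    def check_read(self, path):
        if os.path.realpath(path) not in self._readable:
            raise AppletSecurityError(f"applet may not read {path}")


class AppletRuntime:
    """The file API handed to untrusted code; every call consults the manager."""

    def __init__(self, manager):
        self._manager = manager

    def read_file(self, path):
        self._manager.check_read(path)  # application-level check happens here
        with open(path, "rb") as fh:
            return fh.read()


# libc reached through ctypes plays the role of the DLL behind a native method.
_libc = ctypes.CDLL(None, use_errno=True)
_libc.open.argtypes = [ctypes.c_char_p, ctypes.c_int]
_libc.open.restype = ctypes.c_int
_libc.read.argtypes = [ctypes.c_int, ctypes.c_void_p, ctypes.c_size_t]
_libc.read.restype = ctypes.c_ssize_t
_libc.close.argtypes = [ctypes.c_int]
_libc.close.restype = ctypes.c_int


def native_read(path, limit=4096):
    """Read via open(2)/read(2) directly: no SecurityManager is on this path,
    so the only checks left are the kernel's file-permission checks."""
    fd = _libc.open(os.fsencode(path), os.O_RDONLY)
    if fd < 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err), path)  # EACCES -> PermissionError
    try:
        buf = ctypes.create_string_buffer(limit)
        count = _libc.read(fd, buf, limit)
        if count < 0:
            err = ctypes.get_errno()
            raise OSError(err, os.strerror(err), path)
        return buf.raw[:count]
    finally:
        _libc.close(fd)


def run_demo():
    """Return what each layer decided for two constructed files."""
    outcome = {"running_as_root": os.geteuid() == 0}
    with tempfile.TemporaryDirectory() as tmp:
        public = os.path.join(tmp, "public.txt")   # constructed, allow-listed
        secret = os.path.join(tmp, "secret.txt")   # constructed, not listed
        for path, data in ((public, b"public sample\n"),
                           (secret, b"constructed sample data\n")):
            with open(path, "wb") as fh:
                fh.write(data)

        runtime = AppletRuntime(SecurityManager(readable=[public]))
        outcome["allowed_data"] = runtime.read_file(public)
        try:
            runtime.read_file(secret)
            outcome["manager_denied"] = False
        except AppletSecurityError:
            outcome["manager_denied"] = True

        # Same file through the "native method": the manager is never asked.
        outcome["native_data"] = native_read(secret)

        # Remove all permission bits; now the OS layer decides, and it is the
        # only layer that binds native code (a root process is exempt).
        os.chmod(secret, 0)
        try:
            native_read(secret)
            outcome["os_denied"] = False
        except PermissionError:
            outcome["os_denied"] = True
        os.chmod(secret, 0o600)
    return outcome


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Run as an unprivileged user, the last step is refused by the kernel; run as root, it is not, which is the privilege question raised in the thread.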
From richieb at teleport.com Sat May 4 17:44:07 1996 From: richieb at teleport.com (Rich Burroughs) Date: Sun, 5 May 1996 08:44:07 +0800 Subject: Justice Department looking for ISP's In-Reply-To: <199605041827.NAA15073@shiva.ee.siue.edu> Message-ID: On Sat, 4 May 1996, Anonymous wrote: > >From: > >To: Firewalls at GreatCircle.COM > >Subject: Firewalls-Digest V5 #289 > >Date: Fri, 3 May 1996 14:03:09 -0400 (EDT) > >Sender: firewalls-owner at GreatCircle.COM > > > >I am looking for a list of all the Internet > >Service Providers world-wide. Can anyone point me > >in the right direction? Isn't that at ftp.fuck-the-doj.com, in /dev/null? Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From stewarts at ix.netcom.com Sat May 4 18:37:18 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 5 May 1996 09:37:18 +0800 Subject: LACC: proposed anti-pseudospoofing law in Georgia Message-ID: <199605042134.OAA17584@toad.com> At 10:18 AM 5/4/96 -0500, you wrote: >Can you please post the text of the bill? It was posted to cyberia-l on April 19th, among other dates, by Mike Godwin, titled "Georgia's amazing new internet law". Use altavista to find it. It's probably on www.eff.org also. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 # goodtimes signature virus innoculation From jlasser at rwd.goucher.edu Sat May 4 18:46:37 1996 From: jlasser at rwd.goucher.edu (Moltar Ramone) Date: Sun, 5 May 1996 09:46:37 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: <2.2.32.19960503224906.006ed628@popmail.crl.com> Message-ID: On Fri, 3 May 1996, Sandy Sandfort wrote: > >There are many books on the shelves claiming to show how to avoid > >taxes using these techniques. 
Most of them have the smell of > >"dangerous crackpot" about them. Can you recommend any in particular? > > 1) Read as wide a variety of the stuff out there you can > (even the books by "dangerous crackpots"). > 2) Take a vacation to a tax haven you like because of what > you've read about it. > 3) Open a bank account with an established bank. > 4) Ask your banker to recommend a trustworthy lawyer. > 5) Tell the lawyer what you want to accomplish and do > what he or she says, if it makes sense to you. > 6) DON'T talk to anyone else--especially in your home > country--about what you have done, are doing or > are planning to do. > 7) As your resources increase, repeat steps 2-5 in > other tax havens. Don't put all your eggs in one > basket if you have enough to spread around. > > 8) Send me $1000. If you follow my steps 1-7, you will > save many times that amount. There's the rub... step 8 violates step 6. If following your directions indicates a moral obligation to pay, doing so would violate your directives and make one _not_ obligated to pay... :-) Jon Lasser ---------- Jon Lasser (410)494-3072 - Obscenity is a crutch for jlasser at rwd.goucher.edu inarticulate motherfuckers. http://www.goucher.edu/~jlasser/ Finger for PGP key (1024/EC001E4D) - Fuck the CDA. From unicorn at schloss.li Sat May 4 18:56:30 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 5 May 1996 09:56:30 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: Message-ID: On Sat, 4 May 1996, Sandy Sandfort wrote: > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > SANDY SANDFORT > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . > > C'punks > > I wrote in reference: > > > > >Today, virtually anyone on this list can afford these techniques. > > > Actually, I disagree with Mr. Sandfort on this one. > > > > Taxation of International Income is a tremendously complicated field. > > (You can get an LL.M. 
in international taxation alone for example). > > If you're simply looking to pick a jurisdiction, that's not so hard. > > Neither is simply using a tax haven in simple ways or concealing skimmed > > or cash assets. Actually structuring an international business endeavor is > > a whole different ball game. > > We don't really disagree. What Black Unicorn writes is quite > correct IF ONE IS CONCERNED WITH LEGAL CORRECTNESS. Not everyone > on this list could afford to do completely legal international > tax structuring. I still stand by my statement, however, that > most list members could afford to use offshore techniques. (If > you have a ton of money, by all means, hire Black Unicorn or > someone similarly situated, to help you with your planning. > Big money is a big target, and you definitely need to have all > your i's dotted and t's crossed.) Agreed. But for small "salt away" applications, the market is quite available to all participants, however limited their resources may be. I think I must have been reading you wrong. > S a n d y --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Sat May 4 19:33:08 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 5 May 1996 10:33:08 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: Message-ID: On Sat, 4 May 1996, Sandy Sandfort wrote: > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > SANDY SANDFORT > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
> > C'punks, > > On Fri, 3 May 1996 jamesd at echeque.com wrote: > > What tax havens would you like, if you did business in tax > > havens, which of course you do not ;-) > > I haven't done any sort of survey lately, but I think the > following jurisdictions are all good bets: > > BANKING Cayman Islands, Liechtenstein, Isle of Man, > Canada(!) for some purposes, United States > for non-US people and or nominee offshore > corporations owned by anyone. > > CORPS./TRUSTS English speaking Caribbean countries, Hongkong > in certain circumstances, Liechtenstein for > its trust-like entities. > > LIVING Most anywhere that you like and that isn't your > country of citizenship. If I had the bucks, I > would seriously look at Campione d'Italia. > > I'd be curious to hear what Duncan Frissell and Black Unicorn > had to say on this question. Again, my answers tend to be application specific. If you are simply trying to protect assets from creditors, I suggest using at least two jurisdictions, maybe more if you can, and "chain" your bank transactions just like you would chain remailers. Creditors with the means to go looking can find a great deal even in "banking secrecy jurisdictions." I tend not to trust the Cayman Islands, but that's more my paranoia and "sixth sense" than anything else. Take that concern with appropriate grains of salt. I've not been pleased with Switzerland lately. Liechtenstein is wonderful if you have a good deal of cash, but it can be less interesting for smaller depositors. I suggest Verwaltungs und Privat Bank AG (VP Bank Liechtenstein) for smaller depositors, and Bank in Liechtenstein (BIL) for larger depositors. (Disclaimer: I hold interests in both these institutions). Isle of Man has become somewhat less interesting to me because of the UK's willingness to participate in mutual assistance treaties with the United States. Still, for banking and asset protection from private plaintiffs, its secrecy is good.
Other jurisdictions I would suggest simply for banking secrecy from private plaintiffs would include Vanuatu (Though I would note that there is a bit of instability there currently. It seems the locals dislike the English governor a great deal and have begun to sound menacing about it). While Vanuatu has passed a money laundering law, if your application is not otherwise criminal it's still an excellent option. For Corporations I would suggest jurisdictions that permit bearer stock to be issued. Panama (yes, still), Vanuatu, Isle of Man, Cayman Islands. I can give a more specific list for people who are serious about their interest. Many of the British protectorates are very attractive. Living? Again, application specific. Do you sail? Ski? It's important to recognize that general advice which does not tune itself to your specific needs can be worse than useless. Ignore almost everything I said above if your expected threat model is anything more than low to moderately determined private plaintiffs (divorce, personal injury, typical small to medium business law suits are all fairly harmless with mere secret banking, but determined attackers with more resources and government attackers have a great deal more resources). > > S a n d y > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Sat May 4 19:36:05 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 5 May 1996 10:36:05 +0800 Subject: CryptoAnarchy: What's wrong with this picture?
In-Reply-To: <9605041621.AA17975@blood.Thinkbank.COM> Message-ID: On Sat, 4 May 1996, Jordan Hayes wrote: > From sandfort at crl.com Fri May 3 21:52:50 1996 > > At 11:31 AM 5/3/96 -0700, brerrabbit at alpha.c2.org wrote: > > >Do tell. How would someone, just for instance, who is considering > >leaving a "permanent" job for the higher compensation available to > >contractors and consultants be able to structure a business in such a > >way as to benefit from these techniques? > > 2) Take a vacation to a tax haven you like because of what > you've read about it. > > I'm confused as to how "merely" putting your after-tax (you *will* > declare this consulting revenue on your Schedule C, won't you?) bucks > in an offshore account will "save" you money. This only "works" if you > are able to use what you've taken away to advantage; you may generate a > tax "savings" on those gains. Incorrect. There are many options for after-tax funds (including investing in offshore corporations with active business income derived elsewhere, offshore mutual funds, offshore funds in general, and the advantage of extremely high interest rates in some jurisdictions). The real trick is to structure things to take advantage of pre-tax funds. This is complex, but certainly possible. Did you know, for example, that foreign tax credits can offset U.S. source income and can be carried back two and forward 5 years? > Oh, and it also only works if you are > willing to expose yourself to being arrested at some point for tax > evasion. Incorrect. There are many legitimate applications for placing funds offshore that permit an individual to reduce his taxes legally. > This is silly; there are legitimate reasons for structuring business > efforts in other tax juristictions. Avoiding income tax on your > primary source income isn't one of them. False. Avoiding tax is as legal as the constitution. You mean evading tax by failing to file truthful returns or otherwise concealing income. 
> My answer to the original question: save your $1k you'd send to Sandy > for the "advice" (plus travel associated with finding your 'haven') and > open a SEP. Poor advice. My advice to you, study tax a bit more carefully. > /jordan --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Sat May 4 19:40:49 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 5 May 1996 10:40:49 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: <199605041609.JAA21395@Thinkbank.COM> Message-ID: On Sat, 4 May 1996, Jordan Hayes wrote: > From unicorn at schloss.li Fri May 3 23:23:21 1996 > > Accounting costs as a result of a deduction based, > multi-tiered, progressive, and supplemented system of income > taxation are silly. > > By the way, the IRS (in spite of its shortcomings) is (by far) the > most efficient tax collecting organization among the major economic > powers. It costs roughly $0.50 per $100 collected. Canada is second > at about $1, Germany (for instance) is at about $7, mostly because they > don't have payroll deductions. An organization that is efficient at enforcing an immensely complex set of regulations incomprehensible to joe sixpack is not a good thing. Recall also that the IRS enforces the rules and interpretations that it predominately creates. Our discussion is about the costs borne by the citizen, I don't much care how much the IRS is getting paid for its services. > > /jordan > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him."
in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From adept at cep.yale.edu Sat May 4 20:11:37 1996 From: adept at cep.yale.edu (Ben) Date: Sun, 5 May 1996 11:11:37 +0800 Subject: Gemplus' Crypto Cards Message-ID: Does anyoneknow anything about the Gemplus Smart Card systems? Specifically: http://www.gemplus.com/gpr400.html They claim that they're secure and can do things like 40Mbits/second in a PCMCIA form factor for Digital signatures and other uses. Thanks! Ben. From sandfort at crl.com Sat May 4 20:31:53 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Sun, 5 May 1996 11:31:53 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Sat, 4 May 1996, Moltar Ramone wrote: > On Fri, 3 May 1996, Sandy Sandfort wrote: > > > 6) DON'T talk to anyone else--especially in your home > ... > > 8) Send me $1000. If you follow my steps 1-7, you will > > save many times that amount. > > There's the rub... step 8 violates step 6. If following your directions > indicates a moral obligation to pay, doing so would violate your > directives and make one _not_ obligated to pay... :-) Not so. Just send postal money orders totalling US$1000 to: Sandy Sandfort Simple Access One Sutter St., #500 San Francisco, CA 94104 USA Have it made out to me, or leave the payee blank and sign it with an illegible scrawl. Include a for-this-purpose-only public key, and I'll give you more advice through the remailer of your choice. Q.E.D. I'm shocked that I would have to explain this to a member of this list. 
S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From EALLENSMITH at ocelot.Rutgers.EDU Sat May 4 21:06:14 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 5 May 1996 12:06:14 +0800 Subject: PICS & CyberAngels Message-ID: <01I4BI00JHYU8Y53GG@mbcl.rutgers.edu> From: IN%"declan+ at CMU.EDU" "Declan B. McCullagh" 4-MAY-1996 12:28:04.26 >Indeed. Under SafeSurf, I've rated the fight-censorship mailing list >archive site as suitable for all ages, which I believe it is, though the >CyberAngels think otherwise. I wonder what will happen now? SafeSurf is >supposedly sending me "an end-user license agreement" to sign... I believe this is another case, like that of the SafeSurf dislike of the mention of illegal drugs in any but the standard PDFA (sp?) manner, in which the Guardian Angels' politics are coming through. They may claim to be anti-CDA, but given their harrassment of various sexually-oriented businesses ("cleaning up Times Square" et al) their real opinions seem to be showing through. They'd make themselves even more unpopular if they were honest about it, of course. I have no doubt that, if the CDA is upheld (God forbid), they'll be secretly reporting violations to the DOJ. They already appear to have a policy of reporting allegedly "obscene" material. -Allen P.S. Feel free, anyone, to forward this (and my other stuff on the CyberAngels) to them. I'd like to see their defense, unless they're going to admit they don't have any. From mech at eff.org Sat May 4 21:06:51 1996 From: mech at eff.org (Stanton McCandlish) Date: Sun, 5 May 1996 12:06:51 +0800 Subject: Why Leahy is No Friend of Ours In-Reply-To: Message-ID: <199605050003.RAA11588@eff.org> Timothy C. May typed: > But no Congressman who co-sponsors such legislation as the "National > Wiretap Initiative," with its "1% of the engineering capacity" requirements > and other such Big Brother Surveillance State clauses, is a friend of ours. 
No legislator at all is our friend. The legislature is a gateway - we push an issue thru it into the politico-legal system, and other groups push their own issues back through the gateway at us. Whoever pushes more, and times their pushing with when the gate is open, wins. This isn't about making chums. Leahy is a gatekeeper, like any other legislator. We don't have to like him, just get him to open the gate for us, and close it for our opponents. -- Stanton McCandlish
mech at eff.org

Electronic Frontier Foundation

Online Activist From EALLENSMITH at ocelot.Rutgers.EDU Sat May 4 21:09:18 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 5 May 1996 12:09:18 +0800 Subject: The Decense Project Message-ID: <01I4BIYA0TSC8Y53GG@mbcl.rutgers.edu> From: IN%"rjc at clark.net" "Ray Cromwell" 10-FEB-1996 23:32:12.32 >The first piece of the Decense software is designed to provide "penet" like >double-blind anonymous transactions for the http protocol. It is written >as a cgi-bin script which provides a seamless mapping between anonymous >ids and remote web servers. Servers running Decense can be chained like >anonymous remailers to increase site level security. [...] >http:////decense// I had one idea that you might want to keep in mind. Most web robots (e.g., Altavista's) try to avoid cgi scripts. Since I would assume that one would wish these to be indexed (information being available doesn't do much good if nobody can find it), this could be a problem. Setting up as to fool the web robots (especially making sure that the Decense urls aren't in the site's robots.txt file) into thinking this is a normal page with an appropriate link would appear to be a good idea. Now, of course the site running Decense would probably not like too much traffic (the reason for most sites not running anonymizing proxies, which should be combined with Decense), I would suggest that the system be set up to receive ecash from the web sites linked (or from the user, although that would remove the web robot access unless you could verify that it was a known indexing robot.) The MarkTwain pickiness on merchants may be a problem on this, depending on what links are available. One idea on getting around this would be to go through the European bank offering ecash; I don't know if their setup is compatible with the MarkTwain ecash, however. Lucky Green? 
Indeed, setting this up in a European country with good anti-censorship laws would be preferable in any event; the Scandinavian countries might work well. The greater tolerance for some such material in Europe is why I would think that the European bank might be more flexible. (I would be curious if a U.S. business could get a merchant agreement with the European bank; Lucky Green?). -Allen From EALLENSMITH at ocelot.Rutgers.EDU Sat May 4 21:13:42 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 5 May 1996 12:13:42 +0800 Subject: the cost of untracability? Message-ID: <01I4BJ9ZW1RE8Y53GG@mbcl.rutgers.edu> From: IN%"frantz at netcom.com" 13-APR-1996 01:00:57.74 >At 7:42 PM 4/12/96 -0400, E. ALLEN SMITH wrote: >> Another method would be for ecash to have a label on it as to when >>the issuer would redeem it. Until then, if you want cash from it, find >>someone else to trade to. ... >And if you are using a "first to clear gets the money" system like >Digicash, the holders can race to see who gets the money. What I had in mind is that the bank would still process the ecash if you sent it to them - for an equal quantity of ecash with the same label. If you want to convert it into a normal bank account or other ecash, you have to send it to the bank at the time of labeling, or trade it to someone else. If you trade it to someone else, they will want to send it to the bank to change it for more ecash _before_ sending you your compensation. Admittedly, all this then gets into the standard digital receipt, etcetera problems. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Sat May 4 21:18:36 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 5 May 1996 12:18:36 +0800 Subject: A MODEST PROPOSAL (fwd) Message-ID: <01I4BJDD33KW8Y53GG@mbcl.rutgers.edu> From: IN%"stewarts at ix.netcom.com" "Bill Stewart" 13-APR-1996 02:38:40.77 >>From: "E. ALLEN SMITH" >> In other words, majordomo is broken. 
I should have suspected as much, >No, it's not broken, it just interacts badly with anon.penet.fi. >Of the two of them, majordomo is doing the obvious unsurprising thing, >while anon.penet.fi needs a bit more complicated support because of >difficulties with its implication and the workarounds it uses. >Somebody did comment that they modified majordomo to handle this, >but presumably vanilla majordomo can at least pattern-match block an######, >and if it can't, you can always pre-process with egrep or sed. The reason I say majordomo is broken is that it shows up with the address of the original sender, not the address of the list, as the From address. Other mailing list software does not do this. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Sat May 4 21:21:44 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 5 May 1996 12:21:44 +0800 Subject: PICS & CyberAngels Message-ID: <01I4BHSBIAK08Y53GG@mbcl.rutgers.edu> From: IN%"vznuri at netcom.com" "Vladimir Z. Nuri" 4-MAY-1996 11:59:26.15 >this seems to suggest a misunderstanding of PICS either by you or >the "CyberAngels". PICS does not require any particular action by page owners >and is entirely based on that principle (there is a pretty good >argument it would be unconstitutional, impractical, idiotic, etc. if >it didn't). it defines a standard by >which ratings servers and queries are constructed and formatted. >anyone can rate any information. if the CyberAngels want to rate >all kinds of pages in cyberspace and set up their own rating service, >more power to them. the ratings do not restrict those who do not >choose the restrictions. The instructions in question, at http://www.safesurf.com/cyberangels/#look, are for their "volunteers" to report - including to both the page's ISP and to government - any page with sexual content that doesn't have a PICS such that it can be censored. 
In other words, they want to try to kick off systems - including potentially via legal action such as nonsense like "corrupting a minor" or whatever - any pages that don't set themselves up to be censored. That would include by government such as China, as well as by fundamentalist parents. Given their approval of Detweiler, you're making it more and more likely that you're him.... -Allen From EALLENSMITH at ocelot.Rutgers.EDU Sat May 4 21:23:51 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 5 May 1996 12:23:51 +0800 Subject: Kid Gloves or Megaphones Message-ID: <01I4BJ3PYULW8Y53GG@mbcl.rutgers.edu> From: IN%"shamrock at netcom.com" 21-MAR-1996 21:29:06.87 >It is true that the issuer is unable to discover that double blinding is >being used. The real problem with the protocol is that it requires >payor/payee collusion, which may make it difficult to execute. Can the payee discover that the payor isn't colluding before the bank can figure out who the payee is? -Allen From EALLENSMITH at ocelot.Rutgers.EDU Sat May 4 21:31:36 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 5 May 1996 12:31:36 +0800 Subject: [Political Rant] Was: examples of mandatory content rating? Message-ID: <01I4BKO04WVI8Y53GG@mbcl.rutgers.edu> From: IN%"hal9001 at panix.com" "Robert A. Rosenberg" 15-APR-1996 03:46:01.05 >At 18:52 4/14/96, E. ALLEN SMITH wrote: >>I'm not sure if the major use for ratings may not be searching for >>material that the raters don't like. I'd be interested in many things the >>fundys don't like, for instance. One could even do this via one of the >>"services" that mails out listings of places to be locked from kids - just >>sign up one of your anonymous employees, and get the data and put it on your >>anonymous web access site. Doing so - if you don't admit you've done it - may >>be cheaper than doing the research yourself. 
Of course, you'll need to check >>out each such site to make sure that it isn't a decoy that they've inserted. >When you do the checking, make sure it is from an IPN that does not point >back at you (or at least only points to a Server Supplied not a Dedicated >IPN). You might also want to watch out for "Canary Trap" Decoys (where each >list has a unique set of Decoys [or at least one unique Decoy] so they can >tell which copy was compromised). I'm assuming that the Decoy is a "valid" >[possibly virtual] domain address which is being logged. The way to get around the second problem is to sign up with such a "service" twice, then filter out anything not appearing on both. Since at least some of the parental censorship "services" have customization for the parent, doing more than one would also be a means to pick up more specific evaluations of the sites in question. -Allen From unicorn at schloss.li Sat May 4 21:34:14 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 5 May 1996 12:34:14 +0800 Subject: errata In-Reply-To: Message-ID: After a quick proof read I went and submitted the uncorrected article anyway. [Duh, too many festivities last night]. On Sat, 4 May 1996, Black Unicorn wrote: > Other jurisdictions I would suggest simply for banking secrecy from > private plaintiffs would include Vanautu (Though I would note that there > is a bit of instability there currently. It seems the locals dislike the > English governor a great deal and have begun to sound menacing about it). > While Vanautu has passed a money laundering law, if your application is > not otherwise criminal it's still an excellent option. Vanuatu is the correct spelling.
> Ignore almost everything I said above if your expected threat model is > anything more than low to moderately determined private plaintiffs > (divorce, personal injury, typical small to medium business law suits are > all fairly harmless with mere secret banking, but determined attackers > with more resources and government attackers have a great deal more > resources). The end should have read: "But determined attackers with more resources and government attackers with immense resources require the use of more intensive efforts and a lot more money." --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From jsw at netscape.com Sat May 4 21:50:09 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Sun, 5 May 1996 12:50:09 +0800 Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats") In-Reply-To: Message-ID: <318BF5E8.2A78@netscape.com> Lucky Green wrote: > > At 23:37 5/2/96, Jeff Weinstein wrote: > >Perry E. Metzger wrote: > >> Netscape with Java cannot be so tested because important components > >> come down off the net. So no, I'm not holding Netscape with Java to a > >> higher standard. I'm very much holding it to the same standard. > > > > The Netscape Administration Kit will allow a site security admin > >to create a configuration that disables Java, and does not allow the > >user to enable it. If your customers require netscape, perhaps this > >is an option that will make you more comfortable. > > Does it prevent the user from downloading an unrestricted copy from > Netscape's ftp site or installing one brought from home? Yes. One of the things that you can configure is an addition to the user agent string, so xyz corp can make it Mozilla/3.0XYZ. 
You can then configure your proxies and servers to only accept clients with that string. Note that this is not 100% hack proof. Someone on your network who knew what they were doing could circumvent this by hacking their own browser, but it will keep normal users from subverting the system. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From EALLENSMITH at ocelot.Rutgers.EDU Sat May 4 22:20:44 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 5 May 1996 13:20:44 +0800 Subject: Smartcards are coming to the US Message-ID: <01I4BLCKMH628Y53GG@mbcl.rutgers.edu> From: IN%"shamrock at netcom.com" 21-APR-1996 21:08:17.34 >At 15:15 4/21/96, Brad Dolan wrote: >>Saw a CNN story Friday about an interesting special debit card >>application in Mexico. They're being issued to poor Mexicans, who can >>use them to buy tortillas and a few other foodstuffs. The cards are tied to >>a behavior-control database and failure to send kids to school, get >>mandatory medical exams/treatments/vaccinations, etc. results in card >>deactivation. >My first response was: he is making this up. But it shouldn't come as a >surprise to any reader of this list. Expect to see more of it. Ever read _The Bell Curve_? -Allen From EALLENSMITH at ocelot.Rutgers.EDU Sat May 4 22:32:27 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 5 May 1996 13:32:27 +0800 Subject: Bank transactions on Internet Message-ID: <01I4BKYQ0HBO8Y53GG@mbcl.rutgers.edu> From: IN%"watt at sware.com" "Charles Watt" 16-APR-1996 13:06:06.52 >First, the U.S. banking system is very nice to account holders. The banks, >rather than the customers, assume all risk associated with security problems >in telephone banking, ATMs, etc... Internet banking is no different, which >explains why so few banks have jumped onto the net with real transactions.
>If an SFNB customer should lose any funds due to a security problem, SFNB >pays, not the customer. That would depend on whether the customer can prove a security problem, because otherwise you're going to get a lot of con artists making a lot of money off of you. >Second, in order to break the SSL-protected password of an SFNB account >holder, you need access to the encrypted data. This is not easy to obtain >over the Internet, and would generally require illegal activity in order >to gain control of a host within the Internet infrastructure or collusion >with the account holder. Should an attacker crack the key and obtain >the account number and password of an SFNB account holder, they are clearly >warned upon login that they are engaging in illegal activity. Once they One, ever heard of a packet sniffer? If the account holder is on an Intranet, then someone within it could easily get such information. Two, somehow I suspect that the penalties for computer break-ins are significantly less than those for bank fraud/grand theft; they aren't going to matter if you're willing to take the risk. >have logged in, there is no way to transfer money out of the account >without leaving a target address and phone number for the recipient. >Furthermore, any payment to an individual or unknown entity would be >made in the form of a physical check that would have to be cashed at >a physical bank. The whole process is heavily audited with real-time >audit filtering and pattern matching capabilities -- SFNB is, after all, >running on a military grade secure operating system (see SWP at >www.secureware.com). Any security system that is deployed should be >compared against the value you are trying to protect. It seems like a >pretty big risk to an attacker -- and I assure you SFNB will prosecute. Target address and phone number? Make fake ID, get yourself a PO box and a telephone forwarding/answering service (giving the PO box as the address), then target it there.
Use the fake ID at a check-cashing place. You can make the fake ID in whatever name you want, which makes it easier. >Finally, I whole-heartedly agree that 40-bit encryption is far too weak >for many applications, and that the current export limitations are absurd. I'm glad you realize that. I've edited out what look to be improvements, which I hope for your stockholders' sake you've implemented. -Allen From alano at teleport.com Sat May 4 22:41:45 1996 From: alano at teleport.com (Alan Olsen) Date: Sun, 5 May 1996 13:41:45 +0800 Subject: Yahoo Internet Life on E-Cash Message-ID: <2.2.32.19960505013016.00d0de3c@mail.teleport.com> The latest issue of "Yahoo Internet Life" has a listing of e-cash sites. There are only five of them, but what do you expect... The sites are referenced and reviewed at: http://www.zdnet.com/yil/content/profit/shop/cash1.html --- | Remember: Life is not always champagne. Sometimes it is REAL pain. | |"The moral PGP Diffie taught Zimmermann unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From EALLENSMITH at ocelot.Rutgers.EDU Sat May 4 23:25:17 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 5 May 1996 14:25:17 +0800 Subject: Money Laundering Conference with Government Types Message-ID: <01I4BK4HNTUE8Y53GG@mbcl.rutgers.edu> I thought people might find interesting the following conference that I located at http://www.oceanlaw.com/20/conf/ml.htm. Know thine enemy, and all that. It has a section on Digital Cash (note the title includes "Cyberpayments"). 
-Allen _OCEANA PUBLICATIONS, INC._ _in cooperation with the_ _Centre for International Financial Crimes Studies_ _Centre for Government Responsibility, College of Law, University of Florida_ Money Laundering, Cyberpayments, Forfeiture, The Global Mafias, Offshore Investments, Securities, Corporate Security and International Financial Crimes _A Unique Opportunity For_ Bankers * Compliance Officers Investors * Public Officials Accountants * Money Transmitters International Bankers * Attorneys Law Enforcement Officials * Securities Brokers _CLE/CPE Credit_ An Invitation from Fletcher N. Baldwin, Jr., Professor of Law and Director of the Centre for International Financial Crimes Studies, and Robert J. Munro, Program Coordinator and Co-Director of the Centre for International Financial Crimes Studies. _It's not enough to BE clean -- You must also LOOK clean._ Money Laundering and Asset Forfeiture are critical consequences for the banks, attorneys, securities dealers and corporations, both domestic and international, who may be inadvertently in non-compliance. _Our program will give you:_ A clear understanding of the _existing, new and pending initiatives_ against Money Laundering. The necessary skills to _build or objectively trouble-shoot your own compliance program_ by enhancing your knowledge of your customers. _The latest Money Laundering schemes and how they are created_ to circumvent regulatory and compliance initiatives -- which may put you and/or your clients at risk. The skills to _develop strategies which identify and secure your assets_ and presence in the global banking community. An understanding of the _complex and subtle variances which exist in different countries and regions_.
__Full Access to the Experts!__ Our program has been designed to afford you interaction with our international faculty of experts, and to ensure you a full-range perspective on the latest issues surrounding Money Laundering, Asset Forfeiture and White Collar Crime. _Ask questions and probe the speakers further_ -- each panel will open up into a question and answer discussion -- learn from the leading decision makers! _Make sure that specific interests are addressed!_ Submit questions in advance to ensure coverage, your confidentiality is guaranteed. Join our _Open Forum_ discussions for a dynamic _exchange of ideas. _ Make sure your position is heard! MONEY LAUNDERING, CYBERPAYMENTS, FORFEITURE, THE GLOBAL MAFIAS, OFFSHORE INVESTMENTS, SECURITIES, CORPORATE SECURITY AND INTERNATIONAL FINANCIAL CRIMES WEDNESDAY, MAY 15, 1996 6:00-8:00 PM _PRE-CONFERENCE REGISTRATION, MARRIOTT MARQUIS IN NEW YORK CITY, NY_ THURSDAY, MAY 16, 1996 7:30 AM _REGISTRATION AND CONTINENTAL BREAKFAST_ 8:15 _WELCOMING REMARKS AND INTRODUCTION_ Professor Fletcher N. Baldwin Robert M. Morgenthau The Hon. Jack B. Weinstein 8:35 _CYBERPAYMENTS, SMART CARDS, DIGITAL CASH, CYBERBANKING AND ECONOMIC CRIME_ _* The Electronic/Criminal Threat to Bankers, Business, and Securities Firms_ * INVESTIGATIVE TECHNIQUES AND "STING" OPERATIONS * EMERGING PATTERNS OF MONEY LAUNDERING SPEAKERS: Dan Soto, Moderator Thomas Firnhaber Bob Kaimin Ezra C. Levine 9:30 _COFFEE BREAK_ 9:45 _THE GLOBAL MAFIAS, MONEY LAUNDERING AND POLITICAL CORRUPTION_ * STRATEGIC ALLIANCES BETWEEN THE MAFIAS * THE EASTERN EUROPE AND RUSSIAN MAFIAS * ASIAN ORGANIZED CRIME: THE TRIADS AND THE YAKUSA _*The Drug Cartels and Narco-States in Central and South America and Russia_ * THE DECLINE OF NATION-STATES * POLITICAL INTEGRITY _Speakers_: Dr. Barry A. K. Rider, Moderator Ronald K. Noble Professor Fletcher N. Baldwin, Jr. 
10:45 _OFFSHORE DOMICILES AND TAX PLANNING_ * INTERNATIONAL AND ESTATE TAX PLANNING * ASSET PROTECTION PLANNING * COMPARISON OF OFFSHORE DOMICILES _ __Speaker:_ Walter H. Diamond David Neufeld 12:00 _LUNCHEON_ 1:30 _KEYNOTE SPEAKER: RAYMOND W. KELLY; FORMER NEW YORK CITY POLICE COMMISSIONER, AND PRESIDENT, INVESTIGATIVE GROUP INTERNATIONAL, NY (INVITED) _ 2:15 _WHAT TO LOOK FOR IN A BSA AUDIT AND FEDERAL INVESTIGATIONS: OPERATIONAL DEFENSES FOR BANKERS, TRANSMITTERS, AND BUSINESSES_ * KNOW YOUR CUSTOMER * THE NEW CURRENCY TRANSACTION REPORT * SUSPICIOUS ACTIVITY REPORT * EXEMPTIONS REQUIREMENTS: MANDATORY OR DISCRETIONARY * BSA EXAMINATION MANUAL * CMP DELEGATED AUTHORITY * BSA EXAMINATIONS: TEST DRIVEN; PROCEDURES REVIEW * UPDATE ON WIRE TRANSFERS REGULATIONS * STATE OF NEW YORK REVIEW _ __Speakers:_ Susan Galli_, _Moderator Richard A. Small John Shockey 3:30 _COFFEE BREAK_ 3:45 _CORPORATE AND BANK SECURITY, INTELLIGENCE AND COUNTER-INTELLIGENCE _ _ __Speakers:_ Dr. Barry A. K. Rider, Moderator Michael F. Zeldin 4:30 _OPEN FORUM AND EXCHANGE OF IDEAS _ 5:15 _COCKTAIL RECEPTION (CASH BAR)_ FRIDAY, MAY 17, 1996 7:30 AM _CONTINENTAL BREAKFAST_ 8:00 _WORKSHOP FOR BANKERS AND MONEY TRANSMITTERS: REPORTING REQUIREMENTS, CTR FORM, CMIR FORM, FORM 8300, SUSPICIOUS ACTIVITY REPORT, WIRE TRANSFERS_ SPEAKERS: Amy G. Rudnick Ezra C. Levine 8:45 _A REGULATOR'S ROLE IN SUPERVISION OF BANKS AGAINST MONEY LAUNDERING _ SPEAKER: William A. Ryback 9:30 _NEW YORK - ORGANIZED AND ECONOMIC CRIME_ SPEAKERS: Mary Jo White John Moscow James D. Herbert 10:30 _COFFEE BREAK_ 10:45 _SECURITIES FRAUD, MONEY LAUNDERING, INSIDER DEALING AND MARKET MANIPULATION_ _ __Speakers:_ William McLucas G. Philip Rutledge Dr. Barry A. K. Rider 10:45_ OPEN FORUM AND EXCHANGE OF IDEAS_ 12:00 _LUNCHEON_ 1:15 _KEYNOTE SPEAKER: STANLEY E. MORRIS, DIRECTOR, FINANCIAL CRIMES ENFORCEMENT NETWORK, U. S. 
TREASURY, WASHINGTON, DC_ 2:00_ STRATEGIES TO FIND AND RECOVER ASSETS WITH FOCUS ON INSURANCE AND BUSINESS FRAUD_ _ __Speaker:_ Dr. Barry A. K. Rider 2:45_ COFFEE BREAK_ 3:00_ BANK SECRECY ACT: 1996 UPDATE_ * 1995-1996 STATUTORY AND REGULATORY CHANGES * PROPOSED CHANGES IN 1996 _ __Speakers:_ Peter Djinis Dan Soto 3:30 _UPDATE ON FOREIGN BANKING ISSUES_ SPEAKER: William A. Ryback 4:00 _THE FAIRNESS OF CIVIL FORFEITURE AND DOUBLE JEOPARDY ISSUES: A REVIEW OF RECENT AND UPCOMING U.S. SUPREME COURT DECISIONS ON FORFEITURE AND MONEY LAUNDERING_ * DEGEN V. UNITED STATES, 95-173 (CERT. GRANTED, JAN. 12, 1996) * UNITED STATES V. URSERY, 95-345 (CERT. GRANTED, JAN. 12, 1996) _* United States v. $405,089.23/100, 95-346 (Cert. granted, Jan. 12, 1996)_ * BENNIS V. MICHIGAN, ARGUED NOVEMBER 29, 1995 * LIBRETTI V. UNITED STATES, 64 U.S.L.W. 4005 (NOV. 7, 1995) _ __Speaker:_ Professor Fletcher N. Baldwin, Jr. 4:30 _OPEN FORUM AND EXCHANGE OF IDEAS_ CLOSING REMARKS: PROFESSOR FLETCHER N. BALDWIN, JR. 5:15 _ADJOURNMENT_ DISTINGUISHED FACULTY _Professor Fletcher N. Baldwin, Jr._, Conference Chairperson, Professor of Law and Director of the Centre for International Financial Crimes Studies, College of Law, University of Florida, Gainesville, FL, Co-Author, Money Laundering, Asset Forfeiture and International Financial Crimes _Walter H. Diamond_, United Nations Tax Treaty and Free Trade Zone Advisor, Senior Vice- President, Offshore Institute, Editor, Economist, Author, International Tax Treaties of All Nations _Peter Djinis_, Director, Office of Regulatory and Enforcement, Law Enforcement, Under Secretary for Enforcement, Department of the Treasury, Washington, DC _Thomas Firnhaber_, Policy Advisor, Office of Financial Institutions Policy, FinCEN, U.S. Treasury, Washington, DC _Susan Galli_, Vice President, Citibank, N.A., New York, NY _James D. Herbert_, Chief, Organized Crime Strike Force Unit, U.S. 
Attorney's Office, Boston, MA _Bob Kaimin_, Senior Advisor, Federal Reserve System, Washington, DC _Raymond W. Kelly_, U.S. Treasury Under Secretary for Enforcement Nominee, Former New York City Police Commissioner, and President, Investigative Group International, New York, NY _Ezra C. Levine_, Attorney at Law, Howrey & Simon, Ad hoc Industry Group of Nonbank Money Transmitters, Washington, DC _William McLucas_, Director of Enforcement, Securities and Exchange Commission, Washington, DC _Robert M. Morgenthau_, District Attorney, New York, NY _Stanley Morris_, Director, Financial Crimes Enforcement Network, U.S. Treasury, Washington, DC _John Moscow_, Assistant District Attorney, County of New York, NY _Dr. Robert J. Munro_, Conference Co-Chairman and Program Coordinator, Co-Director of the Centre for International Financial Crimes Studies, College of Law, University of Florida, Gainesville, FL, Co-Author, Money Laundering, Asset Forfeiture and International Financial Crimes _David Neufeld_, Attorney at Law, Hill Wallach, Princeton, NJ _Dr. Barry A. K. Rider_, Director, Institute of Advanced Legal Studies, University of London Fellow of Jesus College, Cambridge University, England _Amy G. Rudnick_, Of Counsel, Gibson, Dunn & Crutcher, Washington, DC _G. Philip Rutledge_, Deputy Chief Counsel, Pennsylvania Securities Commission, Philadelphia, PA _William A. Ryback_, Associate Director for International Supervision, Federal Reserve Board of Governors, Washington, DC _John Shockey_, Special Assistant, Enforcement and Compliance Division, U.S. Office of the Comptroller of Currency, Washington, DC _Richard A. Small_, Special Counsel, Division of Banking, Supervision and Regulation, Board of Governors, Federal Reserve System, Washington, DC _Dan Soto_, Senior Special Examiner, Division of Banking, Supervision and Regulation, Board of Governors, Federal Reserve System, Washington, DC _The Hon. Jack B.
Weinstein_, Senior Federal Judge of the Southern District of New York, NY _Mary Jo White_, U.S. Attorney, Southern District of New York, NY _Michael F. Zeldin_, Managing Director and General Counsel, Decision Strategies, Washington, DC and Former Chief, Money Laundering Section, Department of Justice, Washington, DC CONFERENCE DETAILS _Marriott Marquis, New York, New York_ - A block of rooms has been reserved at a discounted nightly rate of $189. To register at the hotel please contact the reservations department at 1-800-843-4898 (local number is 212-398-1900) or fax to 212-704-8969, and mention the group name: "Money Laundering/Oceana." The New York Marriott Marquis is located at 1535 Broadway, New York City, New York, 10036. _Travel Discounts (Hotel, Airfare)_ - For travel discount information contact Chappaqua Travel at 1-800-666-5161 or 914-238-5151 or fax to 914-238-5533. Please refer to the group name: "Money Laundering/Oceana." _Tax Deduction of Expenses_ - An income tax deduction may be allowed for expenses of education (including travel, meals & lodging) undertaken to maintain and improve professional skills (see Treasury Ref. 1-162-5; Coughlin v. Commissioner, 203 F. 2d 307). Co-sponsor of the Conference is the Centre for International Financial Crimes Studies, Center for Government Responsibility, College of Law, University of Florida, Gainesville, Florida. _Continuing Education Credit:_ _Attorneys, Accountants, Bankers, Fraud Investigators_ - Continuing Legal Education Credits where applicable, are available upon request. For specific information about CLE or other professional accreditation, contact Robert Munro, University of Florida at 904-392-0417, _prior_ to the conference. _Cancellations Policy_ - Refunds for registrations cancelled up to ten working days before the Conference will be reduced by a non-refundable administration fee of $125. _Program Confirmation_ - Written confirmation of your registration will be sent to you upon receipt.
Please bring it with you to the Conference as proof of registration. If you do not receive the confirmation notice prior to the Conference, please call Oceana at (914) 693-8100 at least 48 hours in advance to confirm that your registration was received. _Conference Course Materials _- Course materials, developed and prepared by the Conference Faculty Sponsors, are included with the price of registration. _Payment_ - Registration Fees are payable by CREDIT CARD (American Express/Mastercard/Visa), CHECK (Payable to Oceana Publications, Inc., payable in U.S. dollars and drawn on a bank physically located in the U.S.), or by WIRE TRANSFER_ _(add $25 to the registration fees for banking processing charges and make payment to Bank of New York, 138 Mamaroneck Ave., White Plains, NY 10601 USA; Account # 670-9198651; Bank of New York ABA # 021000018.) Registration fees do not include transportation or hotel accommodations. Conference fees do include scheduled breakfasts, coffee breaks and luncheons as well as course materials. DON'T MISS OUT ON THIS INCREDIBLE OPPORTUNITY. REGISTER NOW -- SEATING IS LIMITED! CALL OCEANA'S INTERNATIONAL SEMINARS DIVISION _toll free at 1-800-831-0758 or 1-914-693-8100 (outside the U.S.) for more information._ From vboykod at eldorado.stern.nyu.edu Sat May 4 23:28:33 1996 From: vboykod at eldorado.stern.nyu.edu (Victor Boyko) Date: Sun, 5 May 1996 14:28:33 +0800 Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats") In-Reply-To: <01I49T6J284A8Y56P8@mbcl.rutgers.edu> Message-ID: <9605050131.AA01873@eldorado.stern.nyu.edu> >>>>> "Allen" == "E ALLEN SMITH" writes: Allen> Might I suggest setting up another computer with Java Allen> enabled, and _without_ the critical applications? Somehow, Allen> I think they can afford an extra computer for each desk - Allen> it wouldn't have to be a high-capability one. 
That would Allen> also cure having to have Netscape and other Allen> high-network-access programs on the same computers as the Allen> critical applications. (Of course, some of the critical Allen> applications may also need to access the Internet... but Allen> they probably wouldn't need http capability.) Of course, Allen> feel free to tell me that I don't know what I'm talking Allen> about. And I suppose the next thing you are going to suggest is to get an extra firewall just for the Java-enabled machines. This is just a waste of money and resources. I firmly believe that access and security control should be left to the operating system: OS's have been designed with that task in mind for decades, while 'secure' virtual machines, AFAIK, only appeared recently. Also, the OS uses hardware (supervisor mode bit) to protect the kernel from unauthorized access, while a Java interpreter could only do it in software. Why not make Netscape SUID root and have it spawn a separate process just for running Java as user nobody? Communication between the processes could be done through sockets (it is better not to share any address space). Then you could at least be sure it could not read or write any unprotected files and directories. Most OS's don't restrict network access for processes, but this should be easy to add: just have additional flags in the process descriptor and have all system calls related to the network check those flags. I understand that the above does not apply to Win95 and Mac. There is only one thing I can say to those unfortunate enough to use them: install UNIX!!! Linux for PC has been available for a while, and Linux for PowerPC should come out this Summer. (And yes, I know that UNIX's sometimes have security bugs too, but there are much fewer of them than in Netscape's Java interpreter, and they are usually fixed sooner. Also, UNIX has been around for 25 years, while Java-enabled Netscape for less than a year.) 
Any constructive comments or criticism about UNIX and Java security is welcome. Send flames to /dev/null. -- Victor Boyko http://galt.cs.nyu.edu/students/vb1890/ To get my PGP key, finger or send e-mail with subject "send pgp key". From EALLENSMITH at ocelot.Rutgers.EDU Sat May 4 23:29:43 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 5 May 1996 14:29:43 +0800 Subject: Tracking Internet Infrastructure Message-ID: <01I4BK6JR82Y8Y53GG@mbcl.rutgers.edu> From: IN%"rre at weber.ucsd.edu" 14-APR-1996 07:00:37.86 From: Phil Agre =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help at weber.ucsd.edu =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: Fri, 12 Apr 1996 22:35:54 -0400 (EDT) From: Gordon Cook Tracking Internet Infrastructure: A Handbook on Business, Technology & Structural Issues Reshaping the Landscape of the Commercial Internet An Anthology of Recent Articles from The COOK Report The Internet has undergone huge changes in the year since the NSFnet backbone service was turned off. It has become a much larger, more stratified, and more expensive entity within which to operate. Since last September we have published a series of articles examining these changes in depth. We have concluded that it might be useful to gather them together into a single volume which is titled Tracking Internet Infrastructure: an organized, indexed Handbook on Internet Infrastructure Issues. 
This Handbook covers the following critical range of issues: * interviews with key industry players about viable Internet business models, * the hierarchical organization of ISPs through CIDR and routing pressures, * to the viability of the NAPS; * to renumbering and ownership of IP addresses; * to strains on backbone routers and backbone network redesign with switched cores; * to industry views on quality of service issues; to issues of settlements and route charging; * to issues of bandwidth availability in network design; and to ATM as technology savior or dinosaur. The rest of this message contains: (1) Our introduction to the Handbook (2) The Handbook table of contents (3) Description of the Handbook's audience (4) Price and ordering information 1. Introduction A Summary of the Operational Environment Power Consolidates at the Top of a Hierarchical Internet Less than three years ago, at about one twentieth its current size, the topology of the Internet was relatively flat. Service providers could attach to each other via the NSFnet backbone or CIX router and, for the most part, they could consider themselves plugged directly into the Internet with no one up stream of them. This meant that no one was in a position to dictate to them a multiplicity of rules, regulations and costs as part of providing Internet service. One paid the leased line costs for one's own backbone and, in the case of research and education, was connected to the NSFnet backbone for free. The R&E networks paid ANS a transit fee for their commercial customers. If the service provider were commercial, it joined the Commercial Internet Exchange and interconnected at the CIX router for the princely sum of $45,000 a year ($10,000 membership fee, $5,000 port fee and about $20,000 for T-1 line to the CIX). Or one was a downstream customer of Sprint and relied on Sprint to deliver one's packets to the CIX router without having to pay the CIX membership fee.
Over the period of about a year Sprint, by allowing ISPs to resell connectivity, and by giving all ISPs downstream of it connectivity to the rest of the Internet Universe, created a situation where customers of Sprint received most of the benefits given those ISPs that connected directly to the CIX router. Some ISPs were shocked in mid summer of 1994 when the CIX proposed that those packets of Sprint's resellers who didn't pay the CIX fee would be blocked. Since then, as the Internet has grown by more than an order of magnitude in size, the importance of the NSFnet and CIX interconnects has either disappeared or faded. A very hierarchical Internet has emerged. One can have several levels of upstream service providers. Such service provision ends at a traffic exchange point known either as a NAP or a MAE. Address space in the form of IP numbers is no longer handed out by the interNIC to all ISPs. To get address space direct from the interNIC, you have to do one of two things: (1) show that you have no one up stream. The only way to do that is to directly connect to a NAP or MAE and preferably to more than one. This level of the hierarchy is reached by perhaps 40 of about 2,400 ISPs nation wide. Or (2) an ISP can multi-home (take a connection from two different backbone providers). Perhaps four to five hundred ISPs are multi-homed. But even a multi-homed ISP is unlikely to get interNIC address space, unless it can demonstrate a rapid rate of growth. Connecting at a NAP or MAE, in an effort to put one's own operating environment under one's direct control, is very expensive. Unlike the $45,000 CIX fee the minimum annual cost is $100,000 and up. Once there, providers have to pay additional sums of money to those still higher in the hierarchy to see that their packets are delivered. These sums of money are known as transit fees. Multi-homing is obviously much less expensive. But even at traffic exchange points (NAPs or MAEs) there are additional hierarchies.
Some find others who will peer with them. That is to say, they will engage in cost-free transit for a certain percentage of those attached. Those at the peak of the hierarchy are the six service providers who are believed to engage in cost free peering and transit with each other - MCI, SPRINT, UUNET, ANS, PSI and AGIS. These six operate the default free core of the American Internet. Exchange of routing information among them is supposed to be complete, so that none need say: if your routers don't have address XYZ, send packets by default to the next large central player, in the hope that his routers will know. Virtually everyone else is, in one sense or another, a customer of these top six. BBN is a special case. MCI carries all of BBN's routes. Consequently in this sense BBN which is as large as UUNET and certainly much larger than AGIS, is a customer of MCI. We expect this to change by year's end when AT&T fully deploys the network for its partnership with BBN. [Editor's Note: when we fact checked this assertion with sources at BBN we were told that BBN is putting its own national T-3 backbone in place, that significant parts are now operational, that it is at MAE East, MAE West and the Sprint NAP, that it peers with PSI, UUNET, ANS and others, and that its transit relationship with MCI is to reach MCI customers and any Internet sites not directly reachable via its peers.] Those who are able to buy transit at a NAP gain by this action the ability to ensure it to their downstream (ISP) customers. In other words transit rights are generally resellable. In this sense, those who purchase transit at the NAPs or MAEs are as fully connected to the core Internet as the big six - with one critical exception. They are renting their core connectivity for a hefty monthly price and without the protection of a long term lease. Readers however should avoid generalizations.
Transit agreements are very private, never talked about openly and vary widely on a case-by-case basis. IP Numbers and Other Indicators of Hierarchy Another way of describing the top of the hierarchy is to point out that all six get their IP numbers directly from the interNIC and hand out numbers lower on down in the IP hierarchy to those connected to them. But this hierarchy is not uniformly rigid. The rule of thumb of your upstream provider as a source of IP numbers has some notable exceptions. For example: of the remaining approximately 35 providers which are directly connected to one or more of the major NAPs or MAEs, most get some of their IP numbers direct from the interNIC while others are derived from being attached at some point or in some way to one or more of the central seven. Finally, as we indicated above, the several hundred ISPs who are multi-homed also get their numbers from the interNIC, as may ISPs who can demonstrate extremely rapid downstream growth. An ISP without IP addresses is worthless, since the only thing making it possible to connect an individual to the Internet is the IP number that tells others how to find him. The hierarchy of the Internet is now such that about 80% of service providers must get their addresses directly from their backbone vendors who are often also their competitors. These address blocks are referred to as CIDR blocks. We have recently written extensively about them. Until the fall of 1995 large ISPs were able to connect to one or two NAPs and sometimes negotiate cost free peering. As an option they could then buy transit to the other five from one of the big six. During the past 90 days this has changed. Reports reaching us indicate that cost free peering is available only to those connecting at T-3 speed to three or more NAPS a task that will cost an ISP well over $300,000 a year. 
But even those who do this will find that there is nothing that will force everyone at each NAP to which they connect to peer with them. If one or more of the majors refuses to peer with a newcomer, that newcomer will have to buy transit to that major from one of those with which it peers or be in the awkward position of being unable to reach a significant part of the Internet. For most of 1995 an ISP connecting to a NAP could buy transit for $5 to 15 thousand dollars a month from one of the seven. But reports reaching us now indicate that the six have effectively eliminated the purchase of transit from them as an option for domestic ISPs. These developments effectively shut off connection to a major NAP as a means for an ISP to operate from the top of the Internet hierarchy. The only ISPs that may even attempt to do so now are those with upwards of $500,000 a year to spend on the adventure. In the meantime the NAPs themselves are developing a hierarchy. MAEs either are opening or have opened in Los Angeles, Texas, Chicago and New York. Without the presence of at least the big six at these NAPs, all they are good for is exchanging local traffic among local ISPs and keeping loads on long haul backbones down. The Issue of IP Portability When a customer changes phone service from AT&T to MCI, or vice versa, that customer does not have to change phone numbers. Although the portability of IP address assignments from CIDR blocks has been discouraged it has never been prohibited. But last month a new internet draft (draft-ietf-cidrd-addr-ownership-07.txt) by Yakov Rekhter and Tony Li of Cisco was published. This draft created much debate in mid February when it was put forth by the CIDRD Working Group for elevation to best current practice. Such elevation would put IETF approval behind the practice of a service provider insisting on the return of address space when a customer left.
If such a customer were to go to a different service provider for a new connection, every one attached to that customer's network would be forced to renumber their own networks. For a network of any size renumbering would be expensive and, if that network were involved in anything approaching a mission critical application, would become unthinkable. This would very likely mean that any customers buying leased lines to connect a network larger than a few dozen hosts in size will find themselves well-advised to purchase only from an ISP directly attached to one or more of the MAEs/NAPs -- and, therefore, in direct control of its address space. Furthermore, the safest and most conservative action will be to connect to the six providers who are part of the default free backbone. Certainly we suspect that the auto industry would tell its suppliers not to connect outside the direct NAP connected top tier. While there are technical reasons for this policy (fear of the collapse of internet routing if it is not carried out), it is ironic that such policy would greatly accelerate the Internet's stratification into a business service and a consumer service, for those who are there to explore, just for the fun of it. There is also an anti-competitive aspect to implementing such policy, in that large organization customers, which embed non-transferable IP addresses into their network hosts are really locking themselves to a single provider. Should a provider's service become "less than optimal," we are sure that providers are aware that the cost associated with renumbering in order to change vendors, limits their customer's options. While network address translation devices (NATs) do exist and will give some customers an alternative, they are by no means regarded as a perfect answer to these difficult problems.
It is beginning to appear that, the more the Internet increases in size, the faster that power flows upwards into the hands of a few who, since they are both operators and rule makers for the commercial Internet, would find themselves singled out for accusations of blatant conflict of interest in most other situations. Under these conditions where the fox is essentially in charge of the hen house. Given the nature of a large portion of the customer base (ie large industry and educational networks), we wonder how long customers will suffer these burdens without demanding regulatory relief. 2. Contents: Tracking Internet Infrastructure: Editor's Introduction A Summary of the Operational Environment p. 1 Part One: Internet Business Models Some Large Providers Seek Forum to Push for Internet Service Model Change (Sept. 95) p. 8 Interview with Vint Cerf: Discussion Needed of Benefits Derived from Backbone Resources (Sept.95) p. 12 PSI Satisfied with Cooperative Best Effort Internet Business Model Interview with Bill Schrader(Oct. 95) p. 17 Thoughts on Internet Business Models by Sean Doran (Oct. 95) p. 20 Zero Sum Internet Business Models Vie with Internet Cooperative Culture (Oct. 95) p. 24 Routing Arbiter & Charging for Routing Announcements: Potential Operational and Financial Impacts Assessed (Jan. 96) p. 33 Part Two: Internet Architecture Change & Network Stratification Evolution in CIDR Rules In 1995 Makes Most IP Numbers non Transportable (Sept. 95) p. 43 Constraints of Growth: Provider Based CIDR Likely to Impede Smaller Players Interview with Dave Crocker and Noel Chiappa (Nov. 95) p. 46 Pace of Internet Stratification Increases -- IETF Internet Draft Suggests That Customer Network Renumbering Be Accepted As "Best Current Practice" (Mar. 96) p. 54 Part Three: Backbone Routing Versus Switching Continued Exponential Growth Stresses Internet Backbone Routing Infrastructure (Dec. 95) p. 
62 Part Four: Institutions - Sprint; IETF, ISOC, and the NAPs SprintLink Experiencing Employee Attrition - Executives Slow to Provide Staffing Resources Needed for Continued Major Growth (Sept. 95) p. 81 National Science Foundation Domain Name Charges Financial Implications for Network Solutions NSF Rationale Behind Actions Interview with Don Mitchell (Oct. 95) p. 85 Internet Society: Role of Charter Members a Contentious Issue (Nov. 95) p. 87 Transition Pains at the Internet Society (Feb. 96) p. 88 Interview with Paul Mockapetris Who Considers Future of IETF & Finds Software Patents a Growing Obstacle (Jan. 96) p. 89 Interview with Tony Rutkowski Who Finds Internet International Coordinating Group Desirable (Mar. 96) p. 93 No Room at Sprint's Pennsauken NAP (Jan. 96) p. 96 Part Five: Quality of Service Automotive Industry Will Seek Internet Service Provider Certification (Feb. 96) p. 102 Steve Wolff Sees Convergence Between Internet and Telephony (Feb. 96) p. 107 Part Six: ATM and the Technology of Bandwidth on Demand Can Bandwidth Supply Keep Pace With Demand? ATM to the Rescue? An Introduction to a Series of Articles on Role of ATM in the Internet (Mar. 96) p. 111 ATM: Grand Unifying Technology or Brain-Damaged Transport Product? (April 96) p. 114 Bandwidth & Resource Reservation as Factors in Ones Network Provisioning Philosophy -- Can Bandwidth Ever Be Too Cheap to Meter? (April 96) p. 117 Interview with Bellcore's Dave Sincoskie Who Discusses the Internet Future of ATM & Outlines Bellcore's Interest in Building Network of Interconnected ATM NAPs (March 96) p. 120 InternetMCI Bets its Future on ATM Data Services Marketing & Data Services Engineering Vice Presidents Explain MCI Strategy. Interview with Stephen von Rump and Steve Tabaska (April 96) p. 124 Interview with BBN's John Curran: Has the Internet Derailed ATM? (May 96) p. 132 Index p. 140 3.
The Audience for the Handbook Within the national Internet service provider community, Tracking Internet Infrastructure is intended to educate strategists with the complexities facing their engineering and operations staff. Among smaller ISPs it should serve as a tool to bring owner-operators, who are busy 18 hours a day ordering lines, installing them and servicing their customers, up to speed on the changes going on in the environment in which they must operate. LECs and other phone companies will find it useful. Finally familiarity with the issues discussed within the Handbook will provide corporate MIS people with a valuable knowledge base from which to negotiate with their present or future internet service providers. However, since these infrastructure issues are also critical to the continued growth and success of the industry, this Handbook is expected to be a tool for use by those in the banking and investment community. If those in the financial community understand the changing technical and power relationships in the industry, they will be able to improve the quality of their investment decision making. It should also be useful to corporate strategic planners who will be advising their companies' decision making in vertical industry applications. 4. This handbook may be purchased in several ways: A. Single Copy GBC Bound, double sided xeroxed. $275.00 B. Site license: Set of single sided original 600 dpi laser written pages suitable for purchasing organization to reproduce as many copies as it wishes for its employees only. $750 C. A current subscriber without a site license may upgrade to a site license and pay an additional price of $275 to receive the report with full site license privileges. D. A current subscriber with a $650 site license or higher may purchase the report with full site license privileges for $275. To order contact Gordon Cook by phone (609) 882-2572 or email: cook at cookreport.com. 
*********************************************************************
Gordon Cook, Editor & Publisher          Subscriptions: Individ-ascii $85
The COOK Report on Internet              Individ. hard copy $150
431 Greenway Ave, Ewing, NJ 08618 USA    Small Corp & Gov't $200
(609) 882-2572                           Corporate $350
Internet: cook at cookreport.com         Corporate Site Lic. $650
http://pobox.com/cook/ for new COOK Report Glossary of Internet terms
*********************************************************************

From vboykod at eldorado.stern.nyu.edu Sat May 4 23:48:51 1996
From: vboykod at eldorado.stern.nyu.edu (Victor Boyko)
Date: Sun, 5 May 1996 14:48:51 +0800
Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
In-Reply-To: <01I4BN143E1S8Y56PB@mbcl.rutgers.edu>
Message-ID: <9605050200.AA01957@eldorado.stern.nyu.edu>

>>>>> "Allen" == "E ALLEN SMITH" writes:

Allen> Why bother, if they don't have any critical stuff on
Allen> them?

But you certainly would not want the Java machines to be behind the same firewall as the non-Java ones, since then the firewall would be useless (see http://www.cs.princeton.edu/sip/pub/secure96.html). And you would probably want to have a second firewall anyway, since the machine running Netscape can contain confidential information downloaded from the net. Also, if Netscape is used to access password protected (or SSL encrypted) documents/forms, an attacker with access to the non-secure machine can get many kinds of secret information, including passwords and credit card numbers.

-Victor
--
Victor Boyko http://galt.cs.nyu.edu/students/vb1890/
To get my PGP key, finger or send e-mail with subject "send pgp key".

From tcmay at got.net Sun May 5 00:28:08 1996
From: tcmay at got.net (Timothy C. May)
Date: Sun, 5 May 1996 15:28:08 +0800
Subject: Why I Pay Too Much in Taxes
Message-ID:

At 10:24 PM 5/4/96, Black Unicorn wrote:
>An organization that is efficient at enforcing an immensely complex set of
>regulations incomprehensible to joe sixpack is not a good thing.

As if anybody didn't already know, the tax code is incomprehensible to more than just "Joe Sixpack." I find it incomprehensible, with "carryback callback offshore allowances" and "alternative minimum taxes" and all that garbage. I started using "Macintax" many years ago, then decided to wing it manually for many years, but have recently gone back to the Intuit product (called Macintax, but a cross with TurboTax). I answer a bunch of questions it asks me, making educated guesses where I don't understand something, and then I do the process a _second_ time, usually with different results. I use the lower tax bill of the two and send that instance in. Sometimes the IRS and its partners (the Franchise Tax Board, where California taxes are approaching what Federal rates for most people were a scant decade or two ago) tells me I underpaid and must send in additional taxes, penalties, interest charges, etc. (They won't prosecute for such minor things, so long as the money is paid and there was no gross hiding of income.) I am gradually losing all track of what is going on, and I suspect I'm not alone (my friends who use tax preparers, human ones, report the same situation). It seems to me that Jordan was referring to the compliance rate and the cost of the overhead, not considering the overall tax burden. (Italy is a fascinating example. The country appears to be moderately poor, based on tax receipts, but spending is quite high...it is clear that a large fraction of Italy's overall income is unreported.) Not wanting to join in this bashing of taxes--my views are clear, as evidenced in the title of this thread--but I have to point out that I paid approximately 60% of everything I made last year to the tax collectors!
This counts the Federal income tax (about 32%), the California income tax (about 11%), the "self-employment tax" (FICA) for some consulting I did (15%), property tax on my old residence ($2200), property tax on my new residence ($4200), sales tax on purchases (8.25%), gasoline taxes (about 30-40 cents per gallon), a special tax on my Ford Explorer ($300), and probably some miscellaneous other taxes I have neglected. And of course the corporations that pay me dividends and whose stock price shows gains have _already_ paid roughly 45% or so in taxes, depending on how clever they were at allocating costs to minimize taxes. This is the famous "double taxation" of corporate earnings one hears about. Intel, for example, pays 45% of its considerable income in taxes, sends some of the remaining profits to me in the form of capital gains and dividends, and I then pay another 40% or so in income taxes on this share. The math is pretty simple...there ain't much left over. (The much-derided Laffer Curve is actually quite important here...when overall tax rates get high enough, people choose to do less work. Some of us even retire early.) Considering that a growing fraction of the population is not working at all, and is living on "entitlements" that they essentially get from me, and considering that the American Revolution was at least partly in response to the perception that taxes collected by King George were a bit too high (at a _tiny fraction_ of the amount I cited above), the resentment many of us feel is understandable. One area where I mostly agree with Jordan Hayes and disagree with Sandy, Uni, and Duncan, is that I don't think it's as easy as they sometimes claim it is to avoid taxes by the offshore stratagems they espouse. Believe me, I looked into this a while back (it is never illegal to investigate ways to minimize tax burdens), and even considered moving out of the U.S. to a tax haven of some sort. 
It turns out, as it does for many people I know, that my assets are relatively traceable. Salaries and even consulting fees are reported assiduously. Stocks can certainly be moved offshore, but the IRS obviously knows where they are (the institutions that keep records of stock ownership will tell them, for one thing...this may take a few years for the records to catch up, but they ultimately will). Certainly I could liquidate one form of my assets (stocks, real estate, etc.) and simply move the money out of the country. Tax evasion is always an option. But the price paid if one gets caught tends to be rather high. (Despite what you hear anecdotally about the IRS "settling" for pennies on the dollar.) Call me a skeptic. I will do my best not to be drawn into a debate that has been held here several times before. If Sandy, Duncan, etc., believe it is so easy to avoid taxes--on the resources we are talking about, not sheltering small amounts--or if they claim that I am obviously not following their advice, I'll let them make these claims without any attempt to rebut them. I've been there and done that before. I have no doubt that "tax planning" works for some people, and I think certain people like Vince Cate may do well in places like Anguilla, essentially starting a business from scratch. I even have longterm hopes for tax havens, cyberspace tax havens, anonymous systems, etc. But this ain't happening soon. But I see no clear way that X shares of Apple, Y shares of Sun, Z shares of Intel, etc. can be converted into other forms without taxes being paid, or evaded. (Evaded, not avoided.) I recall Sandy claiming some scheme where I would use my shares as collateral and borrow tax-free against them. Sure, it's what I do everyday with my margin account. 
But to ultimately pay off a margin debt by selling assets involves taking capital gains (if there were any, of course--a safe bet in the last 10 years), and at this point the IRS and California Franchise Tax Board want their 40-45% cut. Not being prepared to risk imprisonment for tax evasion, and being desirous of living in the United States rather than on a coral atoll, I answer the questions that Macintax asks me, gulp when I see the final figure, and write out a check (which I then have to sell even more stock to cover...perpetuating the cycle). --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jimbell at pacifier.com Sun May 5 00:35:06 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 5 May 1996 15:35:06 +0800 Subject: Money Laundering Conference with Government Types Message-ID: At 08:26 PM 5/4/96 EDT, E. ALLEN SMITH wrote: > I thought people might find interesting the following conference >that I located at http://www.oceanlaw.com/20/conf/ml.htm. Know thine enemy, >and all that. It has a section on Digital Cash (note the title includes >"Cyberpayments"). > -Allen > > An Invitation from Fletcher N. Baldwin, Jr., Professor of Law and > Director of the Centre for International Financial Crimes Studies, and > Robert J. Munro, Program Coordinator and Co-Director of the Centre for > International Financial Crimes Studies. 
>
> _It's not enough to BE clean -- You must also LOOK clean._
>
> Money Laundering and Asset Forfeiture are critical consequences for
> the banks, attorneys, securities dealers and corporations, both
> domestic and international, who may be inadvertently in
> non-compliance. _Our program will give you:_

I wonder how long it's going to take before these "money-launderers" learn that by taking, say, 10% of the amount of money they launder in one year, they can eliminate the people trying to stop them. Forever.

Jim Bell
jimbell at pacifier.com

From jamesd at echeque.com Sun May 5 00:58:25 1996
From: jamesd at echeque.com (jamesd at echeque.com)
Date: Sun, 5 May 1996 15:58:25 +0800
Subject: CryptoAnarchy: What's wrong with this picture?
Message-ID: <199605050410.VAA14391@dns2.noc.best.net>

At 01:54 AM 5/4/96 -0400, Black Unicorn wrote:
> Actually, I disagree with Mr. Sandfort on this one.
>
> Taxation of International Income is a tremendously complicated field.
> (You can get an LL.M. in international taxation alone for example).

I do not believe the IRS particularly cares what all those tons of tax legislation books say, and I am sure they do not know. Unicorn seems to be thinking in terms of constructing magic pieces of paper that will protect you from the bad boys, whereas Sandy is thinking in terms of making sure the bad boys cannot find your money. While doubtless magic bits of paper are useful to some extent if you are a genuinely multinational corporation, if the bad boys see smaller fry carefully concocting magic paper they will say "ah, tax haven", jump on you like a ton of bricks, extort information from anyone in their jurisdiction as to where your money is (which is why Sandy recommends a lawyer who works OUTSIDE the jurisdiction) and confiscate all your assets and not give them back until you can prove you have paid taxes on everything you might possibly have earned and some things you could not possibly have earned.
--------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From tcmay at got.net Sun May 5 01:00:00 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 5 May 1996 16:00:00 +0800 Subject: Reputation Webs and Java/Applet Security Message-ID: At 7:10 PM 5/4/96, Blake Coverett wrote: >I was right in the first message... it is a reputation thing. We don't >disagree on any of the fact here, just on their implications. > >I see this from the point of view of the author of these native methods, >cypherpunk still do write code sometimes. From that point of view >where is the difference between calling my native code methods and >calling the java.awt.*, or netscape.* methods that are native code? Yes, >either can do anything they want, irregardless of the SecurityManager. > >For J. Random User on the net, Sun/Netscape's reputations are >fairly strong and mine is non-existent. For the corporate IS folks to >whom I contract this situation is reversed. (Despite impressive IPOs >I still get a lot of friction about 'programs downloaded from the net'.) By the way, I think "reputation webs" may get one of their earliest uses in this situation, with applets or chunks of code being "vouched for" by testing or credentialling agencies, analogous to Good Housekeeping Seals and Underwriter's Laboratories. (This model applies to more than just Java applets, of course. To some extent, reviews of programs and testing of snippets of code has always involved this "reputation rating" process...I'm just suggesting it could be implemented in-line with the runtime environment....) While we often talk about the human example, where we want to do nifty things like rank and rate the postings of J. 
Random User by what others we trust (or don't trust) are saying, the fact is that most people are willing to see what J. Random User is writing and judge for themselves. Hence, reputation markets (what I'm calling "reputation webs," as with "webs of trust") have been slow to take off in human communication circles. (At least automated, that is.) For Java applets, once digital signatures are supported we have the possibility of automating the checking of who has said good things about the applets, who has said bad things, how much faith we place in these opinions, and so on. Almost a class hierarchy in itself (though mix-ins might be useful, as the hierarchy is not strictly single-inheritance, it seems). Thus, the "Wall Street Testing Agency," with various stringent policies about what applets can do and what they must not be allowed to do, may have ratings of applets, keeping even Perry happy. Someone at a Wall Street firm could then screen out applets based on these ratings. Others might have completely different criteria. (And the web could change dynamically, as the user's environment changed. For example, a PC used largely for games will likely have a different model of whom to trust than a workstation used for high finance. And one could imagine moving sensitive files to a removable disk, popping out this disk, and then altering the settings to reflect a lower perceived risk.) Virus checking is to some extent already in this model, with "well-regarded" virus checkers acting as a gatekeeper of sorts. One might even (hopefully!) be able to integrate this directly into one's programming environment. Maybe the "SecurityManager" class could be turned into a "ReputationManager" class, with today's "SecurityManager" being just one of many possible configurations (e.g., the one JavaSoft is recommending). And the NSA and NCSC might have their own "Orange Book" sorts of requirements. Let a thousand flowers bloom...but keep track of their reputations. 
--Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Sun May 5 01:25:51 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 5 May 1996 16:25:51 +0800 Subject: PGP, Inc. Message-ID: (I've been missing some e-mail, for various reasons, including a 20 MB mailbomb from some German critic of my views, but I think I would've seen this discussed more than I have.) Phil Zimmermann is apparently forming a Bay Area company, to be known as PGP Inc., with venture funding from one of the Seybold clan, according to an article by Simson Garfinkel in today's SJMN. (Which says the announcement was actually made last Tuesday....) Jonathan Seybold, Dan Lynch (a founder of Cybercash), Tom Steding (ex-Novell) are some of the names involved. Initial products will include PGP and PGPfone. No mention of programmers, jobs available, etc., except that they "will begin hiring shortly." And the connection with ViaCrypt and RSADSI seems unclear to me. Anybody else have any more information? If this whole thing is a spoof, it made it into the SJMN. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. 
May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From qut at netcom.com Sun May 5 02:03:30 1996 From: qut at netcom.com (Dave Harman) Date: Sun, 5 May 1996 17:03:30 +0800 Subject: Why I Pay Too Much in Taxes In-Reply-To: Message-ID: <199605050534.WAA14061@netcom14.netcom.com> > Not wanting to join in this bashing of taxes--my views are clear, as > evidenced in the title of this thread--but I have to point out that I paid > approximately 60% of everything I made last year to the tax collectors! > This counts the Federal income tax (about 32%), the California income tax > (about 11%), the "self-employment tax" (FICA) for some consulting I did > (15%), property tax on my old residence ($2200), property tax on my new > residence ($4200), sales tax on purchases (8.25%), gasoline taxes (about > 30-40 cents per gallon), a special tax on my Ford Explorer ($300), and > probably some miscellaneous other taxes I have neglected. > > And of course the corporations that pay me dividends and whose stock price > shows gains have _already_ paid roughly 45% or so in taxes, depending on > how clever they were at allocating costs to minimize taxes. This is the > famous "double taxation" of corporate earnings one hears about. Intel, for > example, pays 45% of its considerable income in taxes, sends some of the > remaining profits to me in the form of capital gains and dividends, and I > then pay another 40% or so in income taxes on this share. The math is > pretty simple...there ain't much left over. (The much-derided Laffer Curve > is actually quite important here...when overall tax rates get high enough, > people choose to do less work. Some of us even retire early.) 
Although your viewpoint is well expressed, I feel you've overlooked the possibility of socialism to solve the high tax outrages detailed. Socialism, a truly progressive economic system, would have an actual graduated income tax, to discourage useless make-work by the rich. There are so many other benefits to patriotic socialism, it would take a book the size of Das Kapital just to list them. For instance: Taxes on trade will act as a tonic on the national economy. The tax on trade, of course, prevents it; relieving the national security apparatus of 90% of its reason for being. The state itself as a unifying theme, rather than patho meanderings like crime, anti-racism, and religion. Tcmay, you've already acted on your socialistic urges without even knowing it; you're successfully operating a free people's spontaneous propaganda bureau. Please develop this further and thumb your nose at the members of your class. From frantz at netcom.com Sun May 5 02:38:55 1996 From: frantz at netcom.com (Bill Frantz) Date: Sun, 5 May 1996 17:38:55 +0800 Subject: Senator Leahy's Public Key Message-ID: <199605050623.XAA17801@netcom8.netcom.com> The more I think about Senator Leahy's public key, the more I keep coming back to a point I only alluded to before. How do we know the key is actually his key? The key is only self signed. It could be a fake. If, as I have assumed, its primary use will be to sign public statements posted to the net, how will we know they are actually from Senator Leahy, and not some impostor? I strongly urge the senator to join the web of trust and get some other signatures on his key. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From stewarts at ix.netcom.com Sun May 5 03:38:32 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 5 May 1996 18:38:32 +0800 Subject: A MODEST PROPOSAL (fwd) Message-ID: <199605050754.AAA02842@toad.com> At 08:05 PM 5/4/96 EDT, "E. ALLEN SMITH" wrote: > The reason I say majordomo is broken is that it shows up > with the address of the original sender, not the address of the list, > as the From address. Other mailing list software does not do this. I think that's user-settable, but there is no ideal approach. Cypherpunks tried several different approaches to addresses, and settled on this one as causing the least overall problems. The big advantage is that replies go to the original sender by default rather than to the list (which reduces the amount of personal mail going to the list, winning both on noise-reduction and embarrassment-reduction); the disadvantage is that bouncemail goes to the original sender, rather than the list or the list-manager (bouncemail to the sender is annoying, but minor; bouncemail to the list is extremely annoying, as well as potentially causing mail loops, which are an extreme lossage. Bouncemail to the list-manager is ideal (not that the list-manager usually reads it), but it's hard to get without reducing replies directly to originators, as well as increasing replies accidentally going to the list-manager. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 # goodtimes signature virus innoculation From lwp at conch.aa.msen.com Sun May 5 04:19:02 1996 From: lwp at conch.aa.msen.com (Lou Poppler) Date: Sun, 5 May 1996 19:19:02 +0800 Subject: WWW proxies? In-Reply-To: Message-ID: <87CjxMz2Bg3W083yn@mail.msen.com> On Fri, 26 Apr 1996 19:13:06 -0400 (EDT), Black Unicorn wrote: } } Has anyone developed such a beast yet? I know of two anonymizing web proxies.
See: http://hplyot.obspm.fr:6661/ and: http://anonymizer.cs.cmu.edu:8080/ I think both sites offer source for what they are doing. I've used the Observatory de Paris site a few times as http_proxy. Last I checked, the Carnegie-Mellon site only serves requests from *.cmu.edu clients. :::::::::::::::::::::::::::::::::::::: Recently seen on a California :: Lou Poppler :: license plate on a VW beetle: :: http://www.msen.com/~lwp/ :: :::::::::::::::::::::::::::::::::::::: "FEATURE" From dan at dpcsys.com Sun May 5 04:30:55 1996 From: dan at dpcsys.com (Dan Busarow) Date: Sun, 5 May 1996 19:30:55 +0800 Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats") In-Reply-To: <9605050131.AA01873@eldorado.stern.nyu.edu> Message-ID: On Sat, 4 May 1996, Victor Boyko wrote: > I understand that the above does not apply to Win95 and Mac. There is > only one thing I can say to those unfortunate enough to use them: > install UNIX!!! Linux for PC has been available for a while, and Linux Even though Victor likes C++, I share his sentiment that a lot of people would be happier with Unix if only the marketing forces hadn't driven them into the clutches of the Dark Lord. Since this has already degenerated into a religious argument (actually it started as one), I'll throw this in: FreeBSD and/or NetBSD are the way to go. Actual facts follow. FreeBSD is "free" Just like Linux, you can get FreeBSD off the 'Net for free. You can also buy a CDROM for < 100USD, just like Linux. FreeBSD has solid networking code Since it is built on 4.4BSD its TCP/IP implementation has had more bashing than anything else around. It works. It's fast. FreeBSD has source available If you want the full source, or just the kernel source, grab it. If all you need is a running system, don't bother. Most people don't need kernel or utility, e.g. cat or ls, source. FreeBSD has a *single* source This may seem to be a disadvantage to some.
But when the core team releases a new version of FreeBSD you can be certain that it has been widely tested and is at worst a _small_ step forward, not backwards or sideways. It might even be a _big_ step forward. If they disappear, you still have the source (assuming it was important enough for you to grab it). For me it boils down to the networking code. I need it to work reliably and fast. FreeBSD delivers, Linux promises. ObCrypto: pgpsendmail is a standard package with FreeBSD (and probably Linux too :) Dan -- Dan Busarow DPC Systems Dana Point, California From stewarts at ix.netcom.com Sun May 5 06:17:02 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 5 May 1996 21:17:02 +0800 Subject: WWW proxies? Message-ID: <199605051004.DAA04246@toad.com> At 12:30 AM 5/5/96 -0400, you wrote: >} Has anyone developed such a beast yet? > >I know of two anonymizing web proxies. See: >http://hplyot.obspm.fr:6661/ and: >http://anonymizer.cs.cmu.edu:8080/ anonymizer has moved to www.anonymizer.com:8080 (hosted on c2.org.) There's also the Great Web Canadianizer, if you don't mind reading pre-hosed web pages, eh? Anonymizer does a better job, fixing up things like REMOTE-HOST, REMOTE-ADDR and HTTP-COOKIE which pass some information about the originating system. HTTP-DONUT, eh? Also, Netscape 3.0 is a bit quieter than earlier versions. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 # goodtimes signature virus innoculation From proff at suburbia.net Sun May 5 06:40:09 1996 From: proff at suburbia.net (Julian Assange) Date: Sun, 5 May 1996 21:40:09 +0800 Subject: A MODEST PROPOSAL (fwd) In-Reply-To: <199605050754.AAA02842@toad.com> Message-ID: <199605051031.UAA18746@suburbia.net> > > At 08:05 PM 5/4/96 EDT, "E. ALLEN SMITH" wrote: > > The reason I say majordomo is broken is that it shows up > > with the address of the original sender, not the address of the list, > > as the From address. Other mailing list software does not do this. 
Majordomo is good for small lists. For anything larger, its lack of heuristics makes it a real liability. I've converted all my lists over to SmartMail (with some minor changes to the SmartMail code). If anyone wants a copy let me know. -- "I mean, after all; you have to consider we're only made out of dust. That's admittedly not much to go on and we shouldn't forget that. But even considering, I mean it's sort of a bad beginning, we're not doing too bad. So I personally have faith that even in this lousy situation we're faced with we can make it. You get me?" - Leo Bulero/PKD +---------------------+--------------------+----------------------------------+ |Julian Assange RSO | PO Box 2031 BARKER | Secret Analytic Guy Union | |proff at suburbia.net | VIC 3122 AUSTRALIA | finger for PGP key hash ID = | |proff at gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 | +---------------------+--------------------+----------------------------------+ From frissell at panix.com Sun May 5 07:26:34 1996 From: frissell at panix.com (Duncan Frissell) Date: Sun, 5 May 1996 22:26:34 +0800 Subject: Why I Pay Too Much in Taxes Message-ID: <2.2.32.19960505112614.0097f498@panix.com> At 08:31 PM 5/4/96 -0700, Timothy C. May wrote: >Not being prepared to risk imprisonment for tax evasion, and being desirous >of living in the United States rather than on a coral atoll, I answer the >questions that Macintax asks me, gulp when I see the final figure, and >write out a check (which I then have to sell even more stock to >cover...perpetuating the cycle). 
> >--Tim May The Transaction Records Clearinghouse has expanded their site on actual IRS criminal prosecutions into a neat table (for 1994) which shows:

odds of referral (per million pop)      17
odds of conviction (per million pop)    8
odds of prison (per million pop)        4
# of referrals for prosecution          4,542
# convicted after prosecution           1,991
# sentenced to prison terms             957
population of federal district          260,340,990

http://www.trac.syr.edu/tracirs/analysis/IRS017tab.html For comparison, the annual risk of being murdered is about 80 per million (8 per 100,000). In addition, only 40% of the above referrals are for ordinary tax fraud and evasion. Sixty percent are for drug and money laundering kinds of offenses. Even though the population of those who regularly violate federal tax laws is smaller (20 million?) the records show that even for this population the odds of being convicted are approximately the odds of being nurdered. http://www.trac.syr.edu/tracirs/analysis/IRS019page.html Shows that the *median* prison sentence and *median* fine after conviction is Zero in both cases. DCF From vince at offshore.com.ai Sun May 5 08:53:31 1996 From: vince at offshore.com.ai (Vincent Cate) Date: Sun, 5 May 1996 23:53:31 +0800 Subject: Web page for breaking commercial encryption? Message-ID: I am looking for a web page that shows how to break the encryption in many commercial products. I have seen information on breaking a number of different products, but I can't find a web page that collects these methods into one place. Seems there should be such a page. Is there such a web page? If not, is anyone willing to start one and give me a URL? :-) Thanks, -- Vince PS This is just for a link in my web page, no I did not forget my lotus notes password or something.
:-) From gary at systemics.com Sun May 5 09:33:42 1996 From: gary at systemics.com (Gary Howland) Date: Mon, 6 May 1996 00:33:42 +0800 Subject: Kid Gloves or Megaphones In-Reply-To: <01I4BJ3PYULW8Y53GG@mbcl.rutgers.edu> Message-ID: <318CAAD4.15FB7483@systemics.com> E. ALLEN SMITH wrote: > > From: IN%"shamrock at netcom.com" 21-MAR-1996 21:29:06.87 > > >It is true that the issuer is unable to discover that double blinding is > >being used. The real problem with the protocol is that it requires > >payor/payee collusion, which may make it difficult to execute. > > Can the payee discover that the payor isn't colluding before the bank > can figure out who the payee is? > -Allen Of course. With the modified protocol the payor has no choice in the matter. It's a case of giving the payor a blinded unsigned coin and demanding he get the bank to sign it - if he doesn't do this the payee will notice immediately. Even with payor and bank collusion there is nothing that can be done to identify the payee. Gary -- pub 1024/C001D00D 1996/01/22 Gary Howland Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06 From vince at offshore.com.ai Sun May 5 09:49:16 1996 From: vince at offshore.com.ai (Vincent Cate) Date: Mon, 6 May 1996 00:49:16 +0800 Subject: Web page for breaking commercial encryption? In-Reply-To: Message-ID: So with a bit more time in Alta Vista I found it. And it is a nice page. Has 12 commercial products and how to break them. Check out: http://www.hiwaay.net/bokler/bsw_crak.html -- Vince From jk at stallion.ee Sun May 5 10:43:14 1996 From: jk at stallion.ee (=?ISO-8859-1?Q?J=FCri_Kaljundi?=) Date: Mon, 6 May 1996 01:43:14 +0800 Subject: Why I Pay Too Much in Taxes In-Reply-To: Message-ID: Sat, 4 May 1996, Timothy C. May wrote: > Not wanting to join in this bashing of taxes--my views are clear, as > evidenced in the title of this thread--but I have to point out that I paid > approximately 60% of everything I made last year to the tax collectors! 
> This counts the Federal income tax (about 32%), the California income tax > (about 11%), the "self-employment tax" (FICA) for some consulting I did > (15%), property tax on my old residence ($2200), property tax on my new > residence ($4200), sales tax on purchases (8.25%), gasoline taxes (about > 30-40 cents per gallon), a special tax on my Ford Explorer ($300), and > probably some miscellaneous other taxes I have neglected. Here in Estonia there was a proposal made in the parliament to remove taxation on corporate income (right now there is a proportional corporate income tax of 26%), which should bring more foreign investments into Estonia and also make Estonian economy develop faster. Estonia I think is one of few countries where there is a possibility of accepting this kind of law. Of course European countries, USA and different international financial organisations are very against this kind of law. This law would apply both to companies and to self-employed private persons (farmers for example). Other main taxes in Estonia are 26% proportional income tax for private persons and 18% sales tax. There is also 33% tax on salaries paid which includes social security and medical insurance. Of course the government taxation is not working very effectively and a big percentage of private persons and companies pay much less than what they are supposed to. I believe this is common to many young Eastern and Central European countries. Off-shore companies are also popular, including Delaware, where people as I understand just do not pay the taxes they are supposed to. Also many people use one-time off-shore corporations for just one bigger business deal. Juri Kaljundi jk at stallion.ee AS Stallion From shamrock at netcom.com Sun May 5 11:03:50 1996 From: shamrock at netcom.com (Lucky Green) Date: Mon, 6 May 1996 02:03:50 +0800 Subject: CryptoAnarchy: What's wrong with this picture? Message-ID: At 17:17 5/4/96, Moltar Ramone wrote: [...] 
>> 6) DON'T talk to anyone else--especially in your home >> country--about what you have done, are doing or >> are planning to do. [...] >> 8) Send me $1000. If you follow my steps 1-7, you will >> save many times that amount. > >There's the rub... step 8 violates step 6. If following your directions >indicates a moral obligation to pay, doing so would violate your >directives and make one _not_ obligated to pay... :-) No contradiction here. Just make the payment to Sandy anonymously. Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green PGP encrypted mail preferred. From shamrock at netcom.com Sun May 5 11:03:56 1996 From: shamrock at netcom.com (Lucky Green) Date: Mon, 6 May 1996 02:03:56 +0800 Subject: Kid Gloves or Megaphones Message-ID: At 19:58 5/4/96, E. ALLEN SMITH wrote: >From: IN%"shamrock at netcom.com" 21-MAR-1996 21:29:06.87 > >>It is true that the issuer is unable to discover that double blinding is >>being used. The real problem with the protocol is that it requires >>payor/payee collusion, which may make it difficult to execute. > > Can the payee discover that the payor isn't colluding before the bank >can figure out who the payee is? Yes, since the payee determines the serial numbers of the coins during initiation of the protocol. It is the payee that also assembles the final coins. If the serial numbers are a match and the signature of the bank verifies, then the protocol has been completed. Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green PGP encrypted mail preferred. From joelm at eskimo.com Sun May 5 12:27:54 1996 From: joelm at eskimo.com (Joel McNamara) Date: Mon, 6 May 1996 03:27:54 +0800 Subject: Web page for breaking commercial encryption? Message-ID: <199605051540.IAA00176@mail.eskimo.com> Bokler's Guide to Cracker Software is pretty comprehensive: http://www.hiwaay.net/bokler/bsw_crak.html >I am looking for a web page that shows how to break the encryption in many >commercial products.
I have seen information on breaking a number of >different products, but I can't find a web page that collects these methods >into one place. Seems there should be such a page. Is there such a web >page? If not, is anyone willing to start one and give me a URL? :-) > >Thanks, > > -- Vince From raph at cs.berkeley.edu Sun May 5 12:48:47 1996 From: raph at cs.berkeley.edu (Raph Levien) Date: Mon, 6 May 1996 03:48:47 +0800 Subject: PGP, Inc. In-Reply-To: Message-ID: <318CBD1E.333AE622@cs.berkeley.edu> Timothy C. May wrote: > > (I've been missing some e-mail, for various reasons, including a 20 MB > mailbomb from some German critic of my views, but I think I would've seen > this discussed more than I have.) > > Phil Zimmermann is apparently forming a Bay Area company, to be known as > PGP Inc., with venture funding from one of the Seybold clan, according to > an article by Simson Garfinkel in today's SJMN. (Which says the > announcement was actually made last Tuesday....) > > Jonathan Seybold, Dan Lynch (a founder of Cybercash), Tom Steding > (ex-Novell) are some of the names involved. Initial products will include > PGP and PGPfone. > > No mention of programmers, jobs available, etc., except that they "will > begin hiring shortly." > > And the connection with ViaCrypt and RSADSI seems unclear to me. I doubt that the new company will have any connection with ViaCrypt. It's been well known for quite some time that relations between Phil Zimmermann and ViaCrypt have been, well, strained. I have no idea about RSADSI. > Anybody else have any more information? > > If this whole thing is a spoof, it made it into the SJMN. Word of this has been buzzing for a few months. I first heard about it at Sandy's party, for instance, and then there was that (somewhat distorted) Usenet post by Vesselin Bontchev. Having a PGP Inc. could be either fantastic or a disaster. 
Phil has shown remarkably bad business judgement in the past, so hopefully they have installed real managers and will allow Phil to take a figurehead role, which is one thing he's fairly good at. The main problem with PGP has been that there just haven't been enough people working on it. The PGP development process isn't very conducive to volunteers, either. I know I'm not the only one who joined the team, enthusiastic to get 3.0 off the ground, only to leave shortly thereafter, frustrated by lack of progress, lack of clear direction, and a design that was growing increasingly more complex without solving some of the most basic problems for users. Since Derek has joined the team, things are a little better, although I still feel that there just isn't enough humanpower on the team. An influx of money may very well change that. Let's hope so. Meanwhile, the biggest threat against PGP is S/MIME. In the time that the PGP team farted around trying to define an API for 3.0, the S/MIME people (starting more or less from scratch), came up with a new message format, significant improvements to the X.509 certification hierarchy, got major support from many, many vendors, and got the damn thing implemented. S/MIME products will begin shipping early this summer. Recently, I've been spending more or less equal amounts of time in the PGP and S/MIME worlds. The difference is startling. S/MIME gives the impression that it's _happening._ From PGP, I mostly get the message, "wait for 3.0, when that comes out it will solve your problems." The corporate world must feel this just as intensely as I do. For a typical example of PR journalism that nonetheless captures the feelings of the people in corporations who are actually deploying crypto, see: http://www.deming.com/press/cw040896.htm The final paragraph reads: "Observers say SMIME's capabilities will let it replace software based on the PGP code, which is widely used. 
Unlike SMIME, which uses a structured certificate hierarchy, PGP relies on pre-certification of clients and servers for authentication, a limitation SMIME doesn't face." The gravest weakness of S/MIME, on the other hand, is the fact that it defaults to 40-bit encryption, without any way of automatically upgrading the quality. I estimate that this will result in a few percent of all S/MIME messages being encrypted with anything better. This estimate is based on deployment figures from SSL. For example, Sameer Parekh determined that 94.5% of the accesses to his SSL-enabled Web server used 40-bit encryption. There are two reasons to believe that S/MIME will do even worse. First, SSL _does_ have an automatic negotiation mechanism to select the best cipher, which S/MIME lacks. Second, most SSL servers deployed are configured for 128-bit ciphers, thus it is only necessary that one client has 128-bit encryption for that to be selected. However, for S/MIME, both the sender's and the receiver's clients must have 128-bit encryption. If _either_ one is "export grade", then 40-bits must be used. Thus, it's a reasonable guess that almost all S/MIME messages that pass through the wires will offer "virtually no protection," to quote a phrase from a paper co-authored by the principal designer of S/MIME's encryption algorithms (http://www.bsa.org/policy/encryption/cryptographers.html). Best of luck for PGP Inc. Raph From jimbell at pacifier.com Sun May 5 12:58:40 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 6 May 1996 03:58:40 +0800 Subject: Why I Pay Too Much in Taxes Message-ID: At 07:26 AM 5/5/96 -0400, Duncan Frissell wrote: >Even though the population of those who regularly violate federal tax laws >is smaller (20 million?) the records show that even for this population the >odds of being convicted are approximately the odds of being nurdered. Hmmmm. Now that's a crime I hadn't heard of. Tell me more!
Jim Bell jimbell at pacifier.com From shamrock at netcom.com Sun May 5 13:05:42 1996 From: shamrock at netcom.com (Lucky Green) Date: Mon, 6 May 1996 04:05:42 +0800 Subject: WWW proxies? Message-ID: At 0:30 5/5/96, Lou Poppler wrote: >On Fri, 26 Apr 1996 19:13:06 -0400 (EDT), >Black Unicorn wrote: >} >} Has anyone developed such a beast yet? > >I know of two anonymizing web proxies. See: >http://hplyot.obspm.fr:6661/ and: >http://anonymizer.cs.cmu.edu:8080/ > >I think both sites offer source for what they are doing. >I've used the Observatory de Paris site a few times as http_proxy. >Last I checked, the Carnegie-Mellon site only serves requests from >*.cmu.edu clients. Of course these sites are in an ideal position to log their user's every move. With so many users making all their http requests through a single site, the commercial value of the information that could be gained by logging traffic at the site is tremendous. Only when a network of anonymizing sites is connected through something like PipeNet and the users are either PipeNet nodes themselves, or at least randomly use various PipeNet nodes for their http connections, does the security of the user increase. With only one hop, IMHO, the potential risk outweighs the potential benefit. I'd advise against using such single-hop http anonymizers. YMMV. Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green PGP encrypted mail preferred. From geoff at commtouch.co.il Sun May 5 14:08:10 1996 From: geoff at commtouch.co.il (geoff) Date: Mon, 6 May 1996 05:08:10 +0800 Subject: Pronto Secure - second call for beta testers Message-ID: <19960505171159096.AAA215@geoff.commtouch.co.il> -----BEGIN PGP SIGNED MESSAGE----- Mime-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit To: cypherpunks at toad.com Date: Sun May 05 18:17:49 1996 As the release date for Pronto Secure approaches, Commtouch has decided to increase the number of beta testers reviewing the product. 
We believe that scrutiny of the product by members of this list will help us to release a safe and secure E-mail client. Pronto Secure is an Internet E-Mail client for Windows, which uses external security providers to enhance e-mail with cryptographic security features. The current version relies on the proven security facilities of PGP to provide encryption, authentication, integrity and key management features. Product requirements: - - MS-Windows 3.1 / Windows for Workgroups 3.11 / Windows 95 / Windows NT - - Winsock 3.11 compliant environment (TCP/IP stack) - - Installed version of PGP. We plan to make the next beta of Pronto Secure available via FTP by the end of this week. Parties interested in joining the beta-test program are invited to send me pgp-signed e-mail requesting download instructions. Beta-testers who provide us with feed-back will be eligible to receive a free final release version of the product. - ----------------------------------------------------------------- Geoff Klein email: geoff at commtouch.co.il Product Manager - Pronto Secure http: //www.commtouch.com - ----------------------------------------------------------------- CommTouch SW Inc, U.S CommTouch, Israel 298 S. Sunnyvale Avenue #209 10 Technology Ave Sunnyvale, CA. 94086 Ein Vered, 40696 Tel: (408) 245-8682 Tel: 972(9)963445 Fax: 972(9)961053 - ----------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQCVAwUBMYy4jkLv5OMYFK1FAQEN+QQArOQs8TLNdexZ2TmYDl2ZvA+mowEC0w11 YtZCjXVQmu3TO+81uqH8bkLm2kX9K82s/p/KSDt+uNyO8NnafQHUPW+55zmPo93D g+jlJ5oZVoctoqAxSWW/6TEJLcruF0C3wLneXUVhvym5Rnbgs3HjIjxc+FdXGPs8 9cXFLxdb+dc= =j18d -----END PGP SIGNATURE----- From tcmay at got.net Sun May 5 14:13:40 1996 From: tcmay at got.net (Timothy C. 
May) Date: Mon, 6 May 1996 05:13:40 +0800 Subject: Religious Wars Considered OK Message-ID: I think the "religious war" involving Java, C++, applets, security models, Unix, and Netscape is _fine_ for this list. A heretical view, perhaps, to applaud a religious war, but the topics are certainly germane to this list. Some may argue that "comp.lang.java.advocacy" or "comp.lang.flames" are better places to have this debate, but I think not. Here on this list we have Netscape represented, users of major tools to develop crypto applications, and many with concerns about security. That Victor Boyko wrote such a concise summary of his objections to Java vis-a-vis C++, and that Wei Dai was planning to write such a summary until he saw Victor's summary, says that debate is robust. So long as the "religious war" does not devolve to mere invocations of deities, we're OK. In fact, to tell the truth, calling this debate a "religious war" is probably incorrect. Few debates are more important than this one. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From unicorn at schloss.li Sun May 5 14:14:19 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 6 May 1996 05:14:19 +0800 Subject: Money Laundering Conference with Government Types In-Reply-To: Message-ID: On Sat, 4 May 1996, jim bell wrote: > At 08:26 PM 5/4/96 EDT, E.
ALLEN SMITH wrote: > > _It's not enough to BE clean -- You must also LOOK clean._ > > > > Money Laundering and Asset Forfeiture are critical consequences for > > the banks, attorneys, securities dealers and corporations, both > > domestic and international, who may be inadvertently in > > non-compliance. _Our program will give you:_ > > I wonder how long it's going to take before these "money-launderers" learn > that by taking, say, 10% of the amount of money they launder in one year, > they can eliminate the people trying to stop them. Forever. Been done. See e.g., Pablo Escobar. Visit his new residence at Santa Cisto Graveyards. > Jim Bell > jimbell at pacifier.comJim Bell > jimbell at pacifier.com MPD acting up? :) --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Sun May 5 14:17:45 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 6 May 1996 05:17:45 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: <199605050410.VAA14391@dns2.noc.best.net> Message-ID: On Sat, 4 May 1996 jamesd at echeque.com wrote: > At 01:54 AM 5/4/96 -0400, Black Unicorn wrote: > > Actually, I disagree with Mr. Sandfort on this one. > > > > Taxation of International Income is a tremendously complicated field. > > (You can get an LL.M. in international taxation alone for example). > > I do not believe the IRS particularly cares what all those tons of > tax legislation books say, and I am sure they do not know. > > Unicorn seems to be thinking in terms of constructing magic pieces > of paper that will protect you from the bad boys, whereas Sandy is > thinking in terms of making sure the bad boys cannot find your money. 
The issue at hand was legal and non-tax evasion type advantages. If by "bad-boys" you mean private plaintiffs, then your position might apply to the question at hand. If, on the other hand, it refers to the IRS or government types, it won't. The IRS may or may not know what's in the tax legislation books, or the code or the regulations which the treasury itself submits. This is not the point. The point, in legal tax avoidance cases, (as distinguished from illegal ones) is that _you the taxpayer_ know, and can defend your actions during process. > While doubtless magic bits of paper are useful to some extent if > you are a genuinely multinational corporation, if the bad boys > see smaller fry carefully concocting magic paper they will say > "ah, tax haven", jump on you like a ton of bricks, extort information > from anyone in their jurisdiction as to where your money is (which > is why Sandy recommends a lawyer who works OUTSIDE the jurisdiction) > and confiscate all your assets and not give them back until you can > prove you have paid taxes on everything you might possibly have > earned and some things you could not possibly have earned. Again, the author was not asking for tax evasion advice, but tax avoidance advice. In any event, I'm not talking about technicalities or "magic pieces of paper," but rather utilizing the loopholes that are built into the tax process to your advantage. There are small loopholes in which you might get your head stuck, and larger ones that pose little or no risk, and still larger and intended policy oriented ones which are literally sanctioned by the authorities. Many of these are as available to the small taxpayer as to a MNE. God knows I've written enough about illegal asset concealing, but that's not the issue here. Replies to e-mail would probably be prudent.
--- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Sun May 5 14:53:54 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 6 May 1996 05:53:54 +0800 Subject: Senator Leahy's Public Key In-Reply-To: <199605050623.XAA17801@netcom8.netcom.com> Message-ID: On Sat, 4 May 1996, Bill Frantz wrote: > The more I think about Senator Leahy's public key, the more I keep coming > back to a point I only alluded to before. > > How do we know the key is actually his key? > > The key is only self signed. It could be a fake. If, as I have assumed, > its primary use will be to sign public statements posted to the net, how > will we know they are actually from Senator Leahy, and not some impostor? > > I strongly urge the senator to join the web of trust and get some other > signatures on his key. I'll visit his office and ask if he wants his key signed this week. > > > ------------------------------------------------------------------------ > Bill Frantz | The CDA means | Periwinkle -- Computer Consulting > (408)356-8506 | lost jobs and | 16345 Englewood Ave. > frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA > > > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp.
Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Sun May 5 15:22:48 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 6 May 1996 06:22:48 +0800 Subject: Why I Pay Too Much in Taxes In-Reply-To: Message-ID: On Sat, 4 May 1996, Timothy C. May wrote: [Much about Mr. May's taxes and methods of filing as well as interesting discussion about entitlements and taxes deleted] > One area where I mostly agree with Jordan Hayes and disagree with Sandy, > Uni, and Duncan, is that I don't think it's as easy as they sometimes claim > it is to avoid taxes by the offshore stratagems they espouse. Believe me, I > looked into this a while back (it is never illegal to investigate ways to > minimize tax burdens), and even considered moving out of the U.S. to a tax > haven of some sort. You don't have to disagree with me here. I've said this all along. It can be expensive and difficult to set up a system to reduce tax offshore. But the expense is mostly in setup costs and very front ended. Once a structure is in place, it's not that hard to continue to benefit. > It turns out, as it does for many people I know, that my assets are > relatively traceable. Salaries and even consulting fees are reported > assiduously. Stocks can certainly be moved offshore, but the IRS obviously > knows where they are (the institutions that keep records of stock ownership > will tell them, for one thing...this may take a few years for the records > to catch up, but they ultimately will). I have to strongly disagree here. But now you're talking about evasion, not avoidance. It's trivial to hide stock ownership from the IRS. This is perhaps one of the easiest things one can do. Consulting fees? These too can be concealed. It takes more work, but it's possible. > Certainly I could liquidate one form of my assets (stocks, real estate, > etc.) and simply move the money out of the country. Tax evasion is always > an option.
But the price paid if one gets caught tends to be rather high. Were you to liquidate and move out of the country and renounce citizenship, and consult from abroad, and if you did this properly with your t's crossed, you could very easily and legally avoid (not evade) U.S. tax. The question is whether this is an option for you or not for other practical reasons. > (Despite what you hear anecdotally about the IRS "settling" for pennies on > the dollar.) The IRS almost never settles like this. Not in my experience anyhow, unless they have a feeling that an aggressive auditor was overzealous with your returns (and this should have been caught before you get to the settlement phase in any event). > Call me a skeptic. You're a skeptic, but a reasonable skeptic. You have an idea about what you're willing to spend, and what you're willing to "pay." Your decision seems to be (quite logically) based on those factors. > I will do my best not to be drawn into a debate that has been held here > several times before. If Sandy, Duncan, etc., believe it is so easy to > avoid taxes--on the resources we are talking about, not sheltering small > amounts--or if they claim that I am obviously not following their advice, > I'll let them make these claims without any attempt to rebut them. I've > been there and done that before. I'll not claim it's easy, and I know too little about your financial situation to make specific recommendations. (This is not, by the way, an invitation for disclosure of anyone's financial dealings). I will say it's possible, and your mileage will depend on several factors. How much you're willing to spend. What you're willing to risk. How risky you want to get. etc. etc. The nature of some people's business makes it costly, others, who have mostly passive income, have an easier time of it.
> I have no doubt that "tax planning" works for some people, and I think > certain people like Vince Cate may do well in places like Anguilla, > essentially starting a business from scratch. I even have longterm hopes > for tax havens, cyberspace tax havens, anonymous systems, etc. But this > ain't happening soon. Here I'm not so sure I agree. Several of us are working on making it happen, soon. > But I see no clear way that X shares of Apple, Y shares of Sun, Z shares of > Intel, etc. can be converted into other forms without taxes being paid, or > evaded. (Evaded, not avoided.) Expatriate, have your expatriation pass the "Furstenburg" test and be certified as being made for non-tax avoidance reasons, and you will pay $0.00 in capital gains when you liquidate. Should you be unable to pass the "Furstenburg" test, you can still enjoy your dividends for 10 years before liquidating tax free. If you don't want to wait 10 years, you can do an installment sale of your stock via an exchange mechanism, tax free. All 100% legal, until the Clinton "Death on expatriation" tax reform bill passes and is signed. > I recall Sandy claiming some scheme where I > would use my shares as collateral and borrow tax-free against them. Sure, > it's what I do everyday with my margin account. But to ultimately pay off a > margin debt by selling assets involves taking capital gains (if there were > any, of course--a safe bet in the last 10 years), and at this point the IRS > and California Franchise Tax Board want their 40-45% cut. I don't know what Mr. Sandfort suggested exactly, but I suspect he was talking about an exchange of stock for debt instruments. In some cases such an exchange can be a non-realization event. A form of this is one way IPO execs still get cash from their options without being able to exercise them and thus avoid the time restrictions on sale of stock and consequently, often the realization of such sale. I have to brush up on my U.S.
tax to tell you exactly when this works. Let me know if anyone is interested. > Not being prepared to risk imprisonment for tax evasion, and being desirous > of living in the United States rather than on a coral atoll, I answer the > questions that Macintax asks me, gulp when I see the final figure, and > write out a check (which I then have to sell even more stock to > cover...perpetuating the cycle). Coral Atolls are not the only jurisdictions you can live in and enjoy low or no tax. Consider Monaco, Liechtenstein and Panama for starters. Imprisonment is another matter. None of my clients have ever gone to prison, only one has ever been audited. (Issue was recommended for referral then dropped for lack of evidence) Then again, I don't have as many clients now as I once did. Is it easy to minimize taxation? No. The United States has intentionally made it so. Is it impossible? No. Never will be. Part of the problem is inertia. There is a (not unreasonable) view that taxes to the extent that the U.S. imposes them are a fact of life and that no efforts can mitigate them which will not cost more to implement than will be saved. The truth of this view varies in degree with each taxpayer. As to the future, I predict powerful tax evasion options at the click of a WWW button in 2-3 years. Not that I would ever advise anyone to break U.S. law. > --Tim May --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp.
Counsel: For all your expert testimony needs: jimbell at pacifier.com From jamesd at echeque.com Sun May 5 15:25:02 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Mon, 6 May 1996 06:25:02 +0800 Subject: Kid Gloves or Megaphones Message-ID: <199605051818.LAA13740@dns2.noc.best.net> >>It is true that the issuer is unable to discover that double blinding is >>being used. The real problem with the protocol is that it requires >>payor/payee collusion, which may make it difficult to execute. At 07:58 PM 5/4/96 EDT, E. ALLEN SMITH wrote: > Can the payee discover that the payor isn't colluding before the bank >can figure out who the payee is? If the payor is not colluding, then the payee will immediately discover he has not been paid, because the checksums are wrong, and his software says "bad payment" If the payor is colluding, then no matter what he reveals to the bank, the bank cannot discover the payee. Note that with payee anonymity, the payee does not have to promptly check in his money, so the bank has no hope of narrowing the search by coincidence in time. But if the payee is colluding, then the payor can be detected by coincidence in time. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jamesd at echeque.com Sun May 5 15:27:53 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Mon, 6 May 1996 06:27:53 +0800 Subject: CryptoAnarchy: What's wrong with this picture? Message-ID: <199605051818.LAA13734@dns2.noc.best.net> At 07:53 AM 5/4/96 -0700, Sandy Sandfort wrote: > What Black Unicorn writes is quite > correct IF ONE IS CONCERNED WITH LEGAL CORRECTNESS. And if the IRS is concerned with legal correctness. 
I note that a number of ingenious and popular tax minimization gimmicks have in the end failed to benefit anyone other than their promoters. When you need a pallet and a forklift truck to carry the tax code, it does not matter much what the books say. The more bits of paper you send the IRS, the more they know about you. The more they know about you, the more they can shake you down. Sending ingenious and unusual bits of paper crafted by a clever lawyer merely alerts them to the smell of money. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From markm at voicenet.com Sun May 5 15:50:13 1996 From: markm at voicenet.com (Mark M.) Date: Mon, 6 May 1996 06:50:13 +0800 Subject: WWW proxies? In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sun, 5 May 1996, Lucky Green wrote: > Of course these sites are in an ideal position to log their user's every > move. With so many users making all their http requests through a single > site, the commercial value of the information that could be gained by > logging traffic at the site is tremendous. > > Only when a network of anonymizing sites is connected through something > like PipeNet and the users are either PipeNet nodes themselves, or at least > randomly use various PipeNet nodes for their http connections, does the > security of the user increase. > > With only one hop, IMHO, the potential risk outweighs the potential > benefit. I'd advise against using such single-hop http anonymizers. YMMV. The same is also true for cpunk and penet-style remailers that do not use encryption. You always have to trust remailer operators regardless of whether encryption is used or not. 
The situation will become much better when there is some way to chain proxies and encrypt to each individual proxy. If the operator of a proxy is more trustworthy than the operators of any sites you visit using the proxy, then you have nothing to lose. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMYz1ZLZc+sv5siulAQEgXgQAhuCV9a++OqPl/eyjlF2oPusD8284meQw tnoBp5sNZBISxjeqS1IXSyJjXmkFavwGTBzvKIoLVEirgU+wMtvpLXHQQxTsy9GA vjRE2Zu11U0dhiOhHKCQ6mLIv54Rxm6lm7o7zgBvj/cMEJ5FdCoLmmayqPAfBmbg XfTuNc+VhHM= =Ru/5 -----END PGP SIGNATURE----- From declan+ at CMU.EDU Sun May 5 16:12:18 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Mon, 6 May 1996 07:12:18 +0800 Subject: F-C CDA Dispatch #9: Battle of the Briefs Message-ID: <8lXD6G200YUzMAJ2ZD@andrew.cmu.edu> ----------------------------------------------------------------------------- Fight-Censorship Dispatch #9 ----------------------------------------------------------------------------- The CDA Challenge: Battle of the Briefs ----------------------------------------------------------------------------- By Declan McCullagh / declan at well.com / Redistribute freely ----------------------------------------------------------------------------- In this update: Anti-porn groups egg on the Justice Department Confusion in the ranks: What's indecent? Theocratic right cites Rimm study in pro-CDA journal article Broad coalition files pro-ACLU brief What's next? MAY 4, 1996 -- The CDA is a "work of art" that "is sensitive to the First Amendment," Bruce Taylor and Cathy Cleaver argue in an amicus brief supporting the DoJ filed in Philadelphia earlier this week. 
The two longtime anti-pornsters submitted this weighty 85-page legal document -- complete with over 100 pages of attachments including Jake Baker's notorious snuff story -- on Monday, the same day the ACLU, ALA, and the DoJ submitted their post-trial briefs, findings of fact, and proposed conclusions of law. I had asked Enough is Enough! to FedEx me the Taylor/Cleaver draft, but The Brucester himself showed up at my office with a copy the next afternoon, chipper and grinning and bouncing about. ("Hide your porn!" he yelled as he walked in.) Taylor was in town for smut-research and he clearly was proud of his completed legal object d'art. What else could it be, with such delectable oeuvres as this: Expecting children to locate hidden Easter eggs sounds reasonable and enjoyable, unless those who have hidden the eggs are aware that they are rotten. No reasonable person, who cares about the well-being of children, would leave it up to children to find and dispose of rotten eggs. In the world of online communications, parents will be left as children, hunting frantically for thousands upon thousands of rotten eggs in a cyberworld of indecency, scurrying to find all of them before children are contaminated. [p35] The arguments advanced in the brief -- a joint venture of Morality in Media, the National Law Center for Children and Families, the Family Research Council, Enough is Enough!, and the National Coalition for the Protection of Children and Families -- center around one concept: indecency means pornography. That idea stinks like, well, a rotten egg. Their argument, which mirrors the DoJ's, goes as follows: 1. The CDA merely "updates" and "amends" Federal obscenity statutes and dial-a-porn laws. 2. All the CDA does is require adults who use "patently offensive" sexual expression to "put electronic blinder racks" in front of their "pornography." 3. 
The test for "indecency" is not vague or overbroad and does not apply to "serious works of literature, art, science, and politics." 4. What is indecent "is well known to the public and the operators of mass communications media facilities." (If "indecency" is too vague, the CDA is unconstitutional.) 5. The court has an obligation "to interpret these sections narrowly." That is, the three-judge panel should *reinterpret* the CDA to affect only "prurient pornography." Taylor calls this "judicial narrowing," and when I spoke with him he insisted that it was what the court will do. Equating "indecency" with "pornography" is misleading, since courts have held that George Carlin's monologue and Allen Ginsberg's poetry can be regulated as indecent. As cyberlibertarian attorney Harvey Silverglate writes on the fight-censorship mailing list: My objection to the current debate is that they talk of "smut." My client, Allen Ginsberg, wants to broadcast some of the finest poetry written this century in this country. The "family values" brief concludes: Purely selfish motivations based on one's desire to rebel against the "government" and be free from society's code of conduct in "cyberspace" is NOT a legal justification that should be accepted by the courts... Criminal laws against distributing pornography to children have literally saved countless lives. These lives are needed not for any threat posed by men of good will, but rather by those who would exploit the vulnerable and impressionable for their personal gain... Senators Exon and Coats deserve thanks from every family in America and the CDA deserves to be upheld. Do I detect some pride of CDA authorship from Taylor and Cleaver? Though the Hon. Jim Exon *does* deserve our thanks -- for retiring. +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ CONFUSION IN THE RANKS: WHAT'S INDECENT? 
+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ The Justice Department and their anti-porn crusading allies can't even agree on who should be locked up under the CDA. On page 27 of his brief, Bruce Taylor cites the Amateur Action images and Jake Baker's explicit rape-and-murder story as examples of net.materials that are harmful to minors and that show "callous disregard for public decency." The EFF, a plaintiff in the ACLU coalition lawsuit, has Baker's story on its web site and has made it clear in an affidavit that they distribute such material online in the context of legal discussions. But the DoJ says in their post-trial brief filed on Monday: "It can be said that none of the plaintiffs' Web sites appear to engage in the type of speech which Congress has targeted in the CDA." So does Baker's story violate the CDA or not? Do you believe Taylor, a former Cleveland city prosecutor, a former senior trial attorney in the Child Exploitation and Obscenity Section of the Criminal Division of the DoJ -- a guy who crows that he played "a central role in the development and passage" of the CDA? Or the DoJ attorneys, who are charged with enforcing it?? Even the DoJ's own witnesses can't come up with a good working definition, as the ACLU illustrates in their post-hearing brief: The responses offered by government witnesses Schmidt and Olsen to the Court's questions illustrated just how freewheeling the subjective, discretionary judgments of police and prosecutors would be... Dr. Olsen opined that any of "the seven dirty words" made famous by the Pacifica decision, or their synonyms, could be subject to [the CDA] and should therefore be "tagged," as should nudes even if displayed on a museum web site. 
+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ THEOCRATIC RIGHT CITES RIMM STUDY IN PRO-CDA JOURNAL ARTICLE +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ Thanks to the American Center for Law and Justice, Marty Rimm's bogus cyberporn study just won't die. The ACLJ is a legal advocacy group for the theocratic right -- Pat Robertson's response to the ACLU. Says Robertson: "Someone has got to stop the ACLU in court, and that's what we're going to do." They're trying -- the ACLJ submitted Yet Another amicus brief over a week ago supporting the Justice Department's defense of the CDA. In the latest issue of the Journal of Technology Law and Policy, the ACLJ defends the CDA and uncritically cites Rimm's discredited study. A clue to the quality, honesty, and integrity of the ACLJ's scholarship can be found in the way the group argues that Rimm's "research" and TIME magazine's cover story provide evidence of "smutty sex and scatologica" and justification for net-regulation: {17} On June 26, 1995, Senator Charles Grassley spoke in support of his legislation, the "Protection of Children from Computer Pornography Act of 1995. [20] Speaking to the motivation for his bill, which would have amended the federal criminal code, Senator Grassley warned the Senate of "the availability and the nature of cyberporn." He advised the Senate on a Carnegie Mellon University study of visual images available on the Internet... Note the ACLJ's convenient fiction of the "Carnegie Mellon Study." The group never reveals that Rimm was an undergraduate passing himself off as a faculty member, that his study has no credibility outside theocratic right lobby groups, that the study itself is fraudulent, and that CMU is investigating Rimm for ethical violations. Somehow I'm not surprised that the authors of the ACLJ article, Jay Alan Sekulow and James Matthew Henderson, overlooked those details. Sekulow did not respond to email inquiries. 
+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ BROAD COALITION FILES PRO-ACLU BRIEF +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ Last month a broad coalition of professional groups, academics, ISPs, and individuals opposed to the CDA submitted a Brief of Amici Curiae in support of the ACLU lawsuit and motion for a preliminary injunction. That brief is now online. Represented by the Philadelphia law firm of Schnader, Harrison, Segal & Lewis, the coalition includes the Authors Guild, American Society of Journalists and Authors, Feminists for Free Expression, Palmer Museum of Art, Philadelphia Magazine, Psinet, Inc., and the Reporters Committee for Freedom of the Press. Some of my favorite excerpts: It is not only speakers on the Internet who feel the chill posed by the CDA. The millions who access speech on the Internet feel it as well. [...] Recipients of speech are equally entitled to protection under the First Amendment. That protection is afforded "to the communication, to its source and to its recipients both." Virginia State Board of Pharmacy v. Virginia Citizens Consumer Council, 425 U.S. 748, 756 (1976). Abuses involving "indecent" and "patently offensive" behavior also are perpetrated today, and the Internet is the quickest and most effective tool for exposing them. One wonders whether the disappearances or indeed the Holocaust would have occurred so brazenly if the Internet had been reporting on them twenty or sixty years ago. +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ WHAT'S NEXT? +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ The closing arguments for our case are scheduled for May 10, when the plaintiffs and the DoJ will present an expected four hours of closing arguments. The three-judge panel likely will issue a decision three or four weeks later, and appeals from either side go directly to the Supreme Court. 
What happens if we lose? The ACLU's Ann Beeson said on HotWired's Club Wired last week: Losing the facial challenge would not by any means end the matter -- that is, we could still argue that the CDA is unconstitutional "as applied" to particular defendants that DOJ decided to prosecute. Of course, in the meantime we'd still see a huge chill on protected speech... It is clear that we have the facts on our side -- the much harder question is the law itself, and unfortunately, it is a rare day that a federal court will overturn an Act of Congress. (But I remain cautiously optimistic.) If you're near Philly, stop by the Federal courthouse at 7th and Market Streets at 9:30 am on Friday. The courtroom will be packed. Stay tuned for more reports. ----------------------------------------------------------------------------- We're back in court on May 10 for closing arguments. Mentioned in this CDA update: Excerpts from DoJ and anti-porn groups' CDA briefs: Transcript of Olsen's "-L18" description and other testimony: More on ACLJ and Rimm study: Jake Baker story on EFF's web site: At 01:15 PM 5/5/96 -0400, Black Unicorn wrote: >On Sat, 4 May 1996, jim bell wrote: >> > Money Laundering and Asset Forfeiture are critical consequences for >> > the banks, attorneys, securities dealers and corporations, both >> > domestic and international, who may be inadvertently in >> > non-compliance. _Our program will give you:_ >> >> I wonder how long it's going to take before these "money-launderers" learn >> that by taking, say, 10% of the amount of money they launder in one year, >> they can eliminate the people trying to stop them. Forever. > >Been done. See e.g., Pablo Escobar. Nah, what happened to Escobar was a business falling-out. His business partners, the thugs in the US and Colombian governments, provided the illegality of drugs, a necessary element in keeping profits up. Escobar provided the drug trafficking, a necessary element in keeping thug...er...police employment high. 
It was a great system; worked for years and is still generally operational. Escobar must have done something to upset the arrangement, like refusing to pay off his handlers or maybe going out of business, etc. Jim Bell jimbell at pacifier.com From cea01sig at gold.ac.uk Sun May 5 19:17:57 1996 From: cea01sig at gold.ac.uk (Sean Gabb) Date: Mon, 6 May 1996 10:17:57 +0800 Subject: Free Life #26 now available. Message-ID: 22:09 05/05/1996 The article below is taken from the latest issue of Free Life, the journal that I edit. Comments always welcome! Sean Gabb Editor Free Life A R T I C L E B E G I N S ===================================================================== A TIME TO BE DEPRESSED As I write, news is coming through on the wireless of a mad gunman in Tasmania. Twenty people are said to have been killed, and many more wounded. It will not have the same effect on opinion in this country as the Dunblane massacre, but it will add to the existing reaction. There will be more encouragement of people to hand in their guns at the local Police Station. There will be a toughening of the draft Firearms Bill promised for the early summer. Whether this really will ban the keeping of guns at home, it will certainly make them harder for ordinary people to obtain. To do so, of course, will not reduce the number of criminal shootings. There might be fewer Thomas Hamiltons - though I do not think there are many of these already. But there will be no fewer armed robbers and gangland "executioners". Indeed, so far as these might be deterred even by a public so little armed as ours currently is, there will be more of them. The real effect of a new Firearms Act will be to mark another stage in the collapse of English freedom. The more disarmed we are, the more armed criminals can move among us like a fox among chickens. The more this happens, the more we shall cry for protection to the authorities that disarmed us in the first place.
In the short term, this will mean more powers of arrest and search, and more video cameras in the streets. In the medium term, it will mean identity cards. In the longer term, it will mean electronic tagging and surveillance, and efforts to isolate and remove whatever gene might be supposed to incline one to criminal behaviour. Now, given the elegance of this scheme, it is hard not to believe in conspiracies. It is even tempting to believe in them. They not only explain, but also give comfort. For all their cunning and malevolence, conspirators have the disadvantage of being a minority. They can be exposed, and thereby frustrated. Inside every conspiracy theorist is an optimist, never more than three steps from utopia. However, the truth is more depressing. There are surely people now calling for greater gun control who know that it cannot work as promised, and who do so for motives that range from the selfish to the sinister. But these people are not the source of the problem. The real source is a wilfully ignorant public. There are millions of people in this country who take it as common sense that limiting the availability of guns will also reduce the amount of armed crime; and who will not listen when told otherwise. And this does not stand alone. It is just another instance of the more general belief, that government action is the answer to every misfortune. The belief would be funny were its effects not so dangerous. A few children are bitten by dogs. As if this were a new and alarming thing, the public demands and the politicians supply the most imbecile law of the decade. A ferry sinks because someone left the door open. Half the passengers are too drunk to notice what is happening, and some of them drown. The result - actual controls that make crossing the Channel less of an adventure, and a demand for controls that would make it far more expensive. A Minister tells us that most eggs are bad. 
After the first wild panic, the Government has to make a food handling law that shuts down thousands of catering businesses, and makes food poisoning more rather than less common. Last month, the public got into a sweat about guns. Then it turned to mad cows. From today, it will be thinking about guns again. Of course, nations have flourished with far greater handicaps than the Dangerous Dogs Act and the prohibition of wooden chopping boards. I will even say that nearly eighty years of gun control have not yet turned this country into a police state; and another Firearms Act will not do so purely on its own. Bad laws are often tolerable while the structure of laws as a whole remains stable. But what we have here is a state of mind that throws up one bad law after another - a state of mind that will accept no restraints on its behaviour. It is no good to say that a particular freedom or rule of Common Law is worth preserving. It is no good saying that it has been established for hundreds of years. If it gets in the way of whatever "tough new law" is currently in fashion, it will be swept aside without regrets or second thoughts. Here is the true engine of collapse. Here is why the latest instalment of gun control will not terminate in itself, but lead on to worse. And here is what I find so depressing about it all. For I have no answers to give. I do not know why the British public has become so childish, nor what to do about it. I can only say that, unless some other cause can be made to intervene, things will end very badly. 
Sean Gabb ====================================================================== A Journal of Classical Liberal and Libertarian Thought Production: Editorial: c/o the Libertarian Alliance 123a Victoria Way 25 Chapter Chambers Charlton London SW1P 4NN London SE7 7NX Tel: **181 858 0841 Fax: **171 834 2031 E-mail: cea01sig at gold.ac.uk EDITOR OF FREE LIFE: SEAN GABB ====================================================================== FOR LIFE, LIBERTY AND PROPERTY ====================================================================== From unicorn at schloss.li Sun May 5 19:21:09 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 6 May 1996 10:21:09 +0800 Subject: Money Laundering Conference with Government Types In-Reply-To: <01I4BK4HNTUE8Y53GG@mbcl.rutgers.edu> Message-ID: On Sat, 4 May 1996, E. ALLEN SMITH wrote: > I thought people might find interesting the following conference > that I located at http://www.oceanlaw.com/20/conf/ml.htm. Know thine enemy, > and all that. It has a section on Digital Cash (note the title includes > "Cyberpayments"). > -Allen I think that should be http://www.oceanalaw.com/20/conf/ml.htm ^ --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From jleonard at divcom.umop-ap.com Sun May 5 19:59:08 1996 From: jleonard at divcom.umop-ap.com (Jon Leonard) Date: Mon, 6 May 1996 10:59:08 +0800 Subject: CryptoAnarchy: What's wrong with this picture?
Message-ID: <9605052229.AA12098@divcom.umop-ap.com> Jon Lasser wrote: > On Fri, 3 May 1996, Sandy Sandfort wrote: [snip] > > 6) DON'T talk to anyone else--especially in your home > > country--about what you have done, are doing or > > are planning to do. [snip] > > 8) Send me $1000. If you follow my steps 1-7, you will > > save many times that amount. > > There's the rub... step 8 violates step 6. If following your directions > indicates a moral obligation to pay, doing so would violate your > directives and make one _not_ obligated to pay... :-) Obviously we should send Sandy $1000 whether or not we follow the other steps, in order to defeat traffic analysis. Jon Leonard From anon-remailer at utopia.hacktic.nl Sun May 5 20:03:58 1996 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Mon, 6 May 1996 11:03:58 +0800 Subject: No Subject Message-ID: <199605052155.XAA01260@utopia.hacktic.nl> Any idea on best remailer? alpha.c2.org is a roller coaster. From wlkngowl at unix.asb.com Sun May 5 20:30:45 1996 From: wlkngowl at unix.asb.com (Mutatis Mutantdis) Date: Mon, 6 May 1996 11:30:45 +0800 Subject: NOISE.SYS v0.5.5-Beta (DOS) available Message-ID: <199605052155.RAA20467@unix.asb.com> NOISE.SYS v0.5.5 should be up at ftp.funet.fi in the /pub/crypt/random/noise055.zip. NOISE.SYS is a /dev/random-type driver for DOS systems. Many changes in this version, including a larger output buffer, a newer (and better) API, nice installation messages, improved (?) entropy estimation method, and the possibility of sampling video retrace intervals (you'll have to rebuild the source with that option enabled though). This installation only has the barebones documentation for now. A newer release will eventually have some nice technotes and other goodies. 
From Chris.Claborne at SanDiegoCA.NCR.com Sun May 5 20:49:02 1996 From: Chris.Claborne at SanDiegoCA.NCR.com (Chris Claborne) Date: Mon, 6 May 1996 11:49:02 +0800 Subject: San Diego Cypherpunks Physical Meeting Message-ID: <2.2.32.19960505184409.006579e0@opus.SanDiegoCA.ATTGIS.com> San Diego Area CPUNKS symposium Thursday, May 9, 1996 Invitation to all Cypherpunks to join the San Diego crowd at "The Mission Cafe & Coffee Shop" where I hope to get an update of Lance Cottrell's anonymous e-mail server, "mixmaster", exchange keys, and discuss other topical CP stuff. There's always the semi-topical discussions; Internet Service Provider in San Diego (providing, anonymous remailers and other privacy services), stealth communications, latest Cypherpunk goings-on, Internet happenings. Don't forget to bring your public key fingerprint. If you can figure out how to get it on the back of a business card, that would be cool. Place: The Mission Cafe & Coffee Shop 3795 Mission Bl in Mission Beach. 488-9060 Time:1800 Their Directions: 8 west to Mission Beach Ingram Exit Take west mission bay drive Go right on Mission Blvd. On the corner of San Jose and mission blvd. It is located between roller coaster and garnett. It's kind of 40s looking building... funky looking (their description, not mine) They serve stuff to eat, coffee stuff, and beer. See you there! New guy, bring your key fingerprint. Drop me a note if you plan to attend. 2 -- C -- ... __o .. -\<, Chris.Claborne at SanDiegoCA.ATTGIS.Com ...(*)/(*). CI$: 76340.2422 http://bordeaux.sandiegoca.attgis.com/ PGP Pub Key fingerprint = A8 FA 55 92 23 20 72 69 52 AB 64 CC C7 D9 4F CA Avail on Pub Key server. Dreams. They're just screen savers for the brain.
From unicorn at schloss.li Sun May 5 20:56:29 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 6 May 1996 11:56:29 +0800 Subject: your mail In-Reply-To: <199605052155.XAA01260@utopia.hacktic.nl> Message-ID: On Sun, 5 May 1996, Anonymous wrote: > Any idea on best remailer? > > alpha.c2.org is a roller coaster. > Try fingering: remailer-list at kiwi.cs.berkeley.edu --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From attila at primenet.com Sun May 5 21:43:52 1996 From: attila at primenet.com (attila) Date: Mon, 6 May 1996 12:43:52 +0800 Subject: Why Leahy is No Friend of Ours Message-ID: <199605052255.PAA00702@primenet.com> ** Reply to note from Stanton McCandlish 05/04/96 5:03pm -0700 = To: tcmay at got.net (Timothy C. May) = Date: Sat, 4 May 1996 17:03:31 -0700 (PDT) = = Timothy C. May typed: = = > But no Congressman who co-sponsors such legislation as the "National = > Wiretap Initiative," with its "1% of the engineering capacity" requirements = > and other such Big Brother Surveillance State clauses, is a friend of ours. = = No legislator at all is our friend. The legislature is a gateway - we push = an issue thru it into the politico-legal system, and other groups push = their own issues back through the gateway at us. Whoever pushes more, and = times their pushing with when the gate is open, wins. = = This isn't about making chums. Leahy is a gatekeeper, like any other = legislator. We don't have to like him, just get him to open the gate for us, = and close it for our opponents. 
= _all_ politicians face reelection, all politicians must raise money --special interest groups control large blocks of money, or as Mark Twain put it: "Congress is the only natural criminal class in America." or Will Rogers: "Circus? Why would I want to go to the circus when Congress is in session?" the Federal government as a whole certainly is not the friend of the people --we have not had a free election since Lincoln in 1860, with the possible exception of JFK, whose only true claim to greatness was issuing Treasury notes in May '63 --which circulated only until he was assassinated. how many _truly_ "populist" presidents have we elected? Jackson, Lincoln, JFK? Despite the immense fortune (from Joe's questionable endeavors); the social connections, even if he was Irish-Catholic; and some "ideals" (not necessarily mutually mine), JFK was _not_ a product of the establishment, nor the "real" political machine until he "captured" it. I was a _paid_ "consultant" in the JFK '60 campaign, and again for Teddy in '62 --no amount of pain will acquire further discussion of political campaign ethics.... "mech" is correct, IMHO, in the gatekeeper analogy. Therefore, *personal* villification of our "enemies" is counterproductive to our efforts. unicorn stated: "Mind you, I never said Leahy was a giant in the movement for crypto and privacy interests, just that I was glad someone had a clue." is not our task to educate the Congress critter? Is it not better to deal with the critter if he, or his staff, is at least aware of the issues? again, unicorn further stated v/v Leahy: "His staff are some of the most astute people on the hill technologically. That their view might tend to the statist side disturbs me, but I wasn't talking about their politics. On the hill a competent and fairly reasonable enemy is much less a problem than an incompetent publicity seeker." generally speaking, communication is _not_ facilitated by punching your intended correspondent in the nose. 
extremist demands are dismissed as such. maybe I might prefer to clean the house that greed and control built; but, practically, we either work within the system as erudite and rational "educators," or the class is ignored, if not labelled "dangerously subversive" --which means we will be first on the roundup.... however, all of the above ignores reality: the Federal Reserve Bank, a quasi-government agency with private owners, represents the power. JFK recognized the inherent impossibility of debt reduction when even your interest is borrowed. The Fed also represents the international big money pool, and the means of historical revisionism and the consolidation of power. the "ruling class" underestimated the explosion of the Net, just like China underestimated the fax. Now the ruling class is playing catch up, and attempting to sandbag the Net --they probably will not succeed as the Net will go underground around the world --technology is moving faster than regulations. they may kill mainstream information privacy, but the innovation of the underground will outpace their regulations. Secondly, regulations which are despised are ignored and confronted --sure, a few high profile cases will go forward for intimidation --was PKZ granted "Constitutional due process?" --or should I phrase that: "...any due process?" unless we are willing to patiently and persistently educate the governing class, no matter how "ignorant" they may appear from our perspective of inalienable rights, the "enlightened" position is dismissed as revolutionary excess, and labelled subversive to the US government. --and, not only must we educate the governing class, but we must educate the people, and the people's media to prevent the governed from surrendering their inalienable rights for a little security. "They that give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." 
--Ben Franklin (Historical Review of PA -1759) and, the bottom line is: "It is not the function of our Government to keep the citizen from falling into error; it is the function of the citizen to keep the Government from falling into error." --Robert H. Jackson (1892-1954), U.S. Judge -- Overseeing first-rate programmers is a managerial challenge roughly comparable to herding cats. cc: Tim May Black Unicorn Cypherpunks From llurch at networking.stanford.edu Sun May 5 23:04:45 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 6 May 1996 14:04:45 +0800 Subject: L. Detweiler is a CyberAngel In-Reply-To: <199605051439.RAA10317@clipper.cs.kiev.ua> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- A few days ago, I forwarded along an excerpt from a recent CyberAngels mailing where they had favorably cited a HUGE FAQ on remailers by one L. Detweiler. So far, four different people (or nyms) have asked me for a copy of my remailer FAQ. Um... I believe you can get it at http://www.csn.net/~ldetweil/ - -rich (the truth is out!) -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMY1TpY3DXUbM57SdAQEfgwP/a6gAKZXtsDG/rG5E+y0whaCF7qh51FCM aa9Hr4w/v085MJ3vHmH9TtLgSvxh1mLHuzBs2X/bNh3cFaiA3qAZ5OgDZPbo/58Z MCOlSHjPrJ+y7p56KJmUosN2VZKugeiUIvQyRT3c1b2pKcAuJf0dxKUOWCQvoi1Q SUd3/d7bFR4= =YXxJ -----END PGP SIGNATURE----- From blancw at accessone.com Sun May 5 23:04:47 1996 From: blancw at accessone.com (blanc) Date: Mon, 6 May 1996 14:04:47 +0800 Subject: FW: Why I Pay Too Much in Taxes Message-ID: <01BB3AB0.AC7ABA80@blancw.accessone.com> From: Black Unicorn (in reply to TCMay): > I have no doubt that "tax planning" works for some people, and I think > certain people like Vince Cate may do well in places like Anguilla, > essentially starting a business from scratch. I even have longterm hopes > for tax havens, cyberspace tax havens, anonymous systems, etc. But this > ain't happening soon. Here I'm not so sure I agree. Several of us are working on making it happen, soon. 
.................................................................................................. I have a great idea - let's start a closed, elite mailing list for "Offshorepunks". Uni, Sandy, & Duncan et al could "show us how it's done". .. Blanc From shamrock at netcom.com Sun May 5 23:22:36 1996 From: shamrock at netcom.com (Lucky Green) Date: Mon, 6 May 1996 14:22:36 +0800 Subject: WWW proxies? Message-ID: At 14:37 5/5/96, Mark M. wrote: >The same is also true for cpunk and penet-style remailers that do not use >encryption. You always have to trust remailer operators regardless of whether >encryption is used or not. You have to trust *one* of the remailer operators in the chain. If there is no chain, you have to trust the sole remailer's ISP as well. >The situation will become much better when there >is some way to chain proxies and encrypt to each individual proxy. That's why we need PipeNet. Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green PGP encrypted mail preferred. From alanh at infi.net Sun May 5 23:28:56 1996 From: alanh at infi.net (Alan Horowitz) Date: Mon, 6 May 1996 14:28:56 +0800 Subject: Why I Pay Too Much in Taxes In-Reply-To: Message-ID: << " I paid approximately 60%...." >> didn't the feudal vassals only pay 33% ? To paraphrase - I forget which Presidential candidate of yore - "are you better off than you were a thousand years ago?" And that's not even counting the interest you pay on your mortgage. Count that, and the vassals were head and shoulders above Californians. From unicorn at schloss.li Sun May 5 23:30:41 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 6 May 1996 14:30:41 +0800 Subject: Key Message-ID: -----BEGIN PGP SIGNED MESSAGE----- The below is the key I will be using to sign documents I submit to cypherpunks. It's also headed for the keyservers and available by finger.
--- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Sun May 5 23:32:41 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 6 May 1996 14:32:41 +0800 Subject: PGP and Pine? Message-ID: Is there a package that integrates PGP and Pine nicely?
--- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From sandfort at crl.com Mon May 6 00:05:08 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Mon, 6 May 1996 15:05:08 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: <9605052229.AA12098@divcom.umop-ap.com> Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Sun, 5 May 1996, Jon Leonard wrote: > Obviously we should send Sandy $1000 whether or not we follow the > other steps, in order to defeat traffic analysis. Now you're talking. Defeat traffic analysis, yeah, that's the ticket. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From jonwienk at ix.netcom.com Mon May 6 00:17:37 1996 From: jonwienk at ix.netcom.com (Jonathan L Wienke) Date: Mon, 6 May 1996 15:17:37 +0800 Subject: Good mail program, Netcom settings Message-ID: <199605060229.TAA15402@dfw-ix12.ix.netcom.com> I just switched ISP's to Netcom, and I HATE their web browser and REALLY hate their mail program. Can anyone direct me to a good mail program that will allow me to download my mail and read/reply to it offline, as well as the NETCOM compatibility settings necessary to make it work? Even Netscape would be preferable to the status quo, if I had the proper settings (DNS IP address, mail server address, etc). Please respond by email to avoid further list noise. 
Jonathan Wienke From alano at teleport.com Mon May 6 00:21:23 1996 From: alano at teleport.com (Alan Olsen) Date: Mon, 6 May 1996 15:21:23 +0800 Subject: Why I Pay Too Much in Taxes Message-ID: <2.2.32.19960506030904.00b2c604@mail.teleport.com> At 09:48 PM 5/5/96 -0400, Alan Horowitz wrote: ><< " I paid approximately 60%...." >> > > >didn't the feudal vassals only pay 33% ? To paraphrase - I forget >which Presidential candidate of yore - "are you better off than you were >a thousand years ago?" I asked my wife about this (she is a medieval history buff) and her response was "depends on the time and king". She proceeded to list off the long list of taxes that vassals could be expected to pay. The current taxes in California do not come close to the arbitrary and intrusive taxes imposed in feudal times. Taxes could be levied at any time the lord demanded. (Check into the custom of "Tallage".) Of course this did not include the tithes to the church (which were mandatory) or any of the special taxes for wars, ransoms, and the like... >And that's not even counting the interest you pay on your mortgage. Count >that, and the vassals were head and shoulders above Californians. I suggest reading what life in that time was really like. It makes California seem like a Libertarian's paradise in comparison. (For example, unmarried villein women were taxed due to the assumption that their being unchaste lessened their value to the lord. Sounds like something Pat Buchanan would like to bring back...) --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From alano at teleport.com Mon May 6 00:25:15 1996 From: alano at teleport.com (Alan Olsen) Date: Mon, 6 May 1996 15:25:15 +0800 Subject: [NOISE] CryptoAnarchy: What's wrong with this picture?
Message-ID: <2.2.32.19960506030905.00b3fab8@mail.teleport.com> At 05:37 PM 5/5/96 -0700, Sandy Sandfort wrote: >On Sun, 5 May 1996, Jon Leonard wrote: > >> Obviously we should send Sandy $1000 whether or not we follow the >> other steps, in order to defeat traffic analysis. > >Now you're talking. Defeat traffic analysis, yeah, that's the >ticket. I thought that was what the guys sitting in the semi-concealed cars next to the freeway were for... ]:> --- | Remember: Life is not always champagne. Sometimes it is REAL pain. | |"The moral PGP Diffie taught Zimmermann unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From EALLENSMITH at ocelot.Rutgers.EDU Mon May 6 01:25:44 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 6 May 1996 16:25:44 +0800 Subject: Money Laundering Conference with Government Types Message-ID: <01I4D5XMLHW08Y56Y1@mbcl.rutgers.edu> From: IN%"unicorn at schloss.li" "Black Unicorn" 5-MAY-1996 18:25:57.83 >I think that should be >http://www.oceanalaw.com/20/conf/ml.htm ^ Yes; thank you. Weird spelling. -Allen From shamrock at netcom.com Mon May 6 02:00:10 1996 From: shamrock at netcom.com (Lucky Green) Date: Mon, 6 May 1996 17:00:10 +0800 Subject: FW: Why I Pay Too Much in Taxes Message-ID: At 18:27 5/5/96, blanc wrote: >I have a great idea - let's start a closed, elite mailing list for >"Offshorepunks". >Uni, Sandy, & Duncan et al could "show us how it's done". The list already exists. It was supposed to contain essays by Sandy and Duncan. It was called "Privacy 101". After two articles hyping the great info about to follow... nothing. Utter silence. [What ever happend, anyway?] Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green PGP encrypted mail preferred. 
From tcmay at got.net Mon May 6 02:14:21 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 6 May 1996 17:14:21 +0800 Subject: WWW proxies? Message-ID: At 6:37 PM 5/5/96, Mark M. wrote: >The same is also true for cpunk and penet-style remailers that do not use >encryption. You always have to trust remailer operators regardless of whether >encryption is used or not. The situation will become much better when there >is some way to chain proxies and encrypt to each individual proxy. If the >operator of a proxy is more trustworthy than the operators of any sites you >visit using the proxy, then you have nothing to lose. We haven't talked about traffic analysis of remailers and Web proxies much lately, so it bears repeating that: -- this is a little-studied subject -- that nobody has done--to my knowledge--a fairly detailed study of the traffic analysis that is possible -- that a model is lacking (I don't mean we don't have some ideas of what's important, but that we haven't filled in the details, figured out what sorts of correlations an analyst can make by looking at packet sizes, sending times, delivery times, etc.) -- the real world situation with remailers is that message volume is probably way too low for comfort (my presentation on remailers at the first CP meeting outlined a need for about 10 mixes, each mixing at least 10 messages of the same size before remailing...and 20 mixes each mixing 30 or more messages is much better...we are most likely far, far below this, for nearly all remailed messages. Fortunately, most remailed messages are either not critical or are being done for novelty, harassment, flaming, etc.). -- with Web proxies, the problem of traffic analysis (even with encryption, which I am taking for granted) becomes astronomically larger...all those commands sent to the site and stuff returned, and all in a "reasonable" amount of time! (How many of us will use a Web proxy in our current mode if we have to wait minutes to hours between actions? 
I'm not saying what the response times will be, as this will depend on mixing ratios, desired security, etc. But it is likely that "fast response" is counterproductive to the avoiding of traffic analysis.) (PipeNet-type schemes may help, depending on a bunch of details. So would "local mixes in cabinets," meaning, Web anonymizers with high bandwidth that do their mixing locally. They have to be "trusted," to some extent, but would help a lot. There are some gotchas.) -- I certainly believe the NSA has put at least an analyst or two on this problem, and probably long ago put together some models. We have a very long way to go before remailer networks are really up to snuff. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From mcguirk at indirect.com Mon May 6 02:17:08 1996 From: mcguirk at indirect.com (Dan McGuirk) Date: Mon, 6 May 1996 17:17:08 +0800 Subject: PGP and Pine? In-Reply-To: Message-ID: On Sun, 5 May 1996, Black Unicorn wrote: > Is there a package that integrates PGP and Pine nicely? I haven't found one, but according to the Pine developers, PGP support is going to be included in the next version (3.92). From jordan at Thinkbank.COM Mon May 6 02:23:57 1996 From: jordan at Thinkbank.COM (Jordan Hayes) Date: Mon, 6 May 1996 17:23:57 +0800 Subject: PGP and Pine? Message-ID: <9605060440.AA22456@blood.Thinkbank.COM> That reminds me that I have been meaning to send out what I use for PGP and ucbmail. 
First of all, since you can ~| outgoing messages, I don't need any support for sending. For receiving, there's two ways to 'edit' messages: 'e' invokes $EDITOR and 'v' invokes $VISUAL on a message. I actually use 'v' so I set $EDITOR (in my .mailrc) to ~/bin/mypgp which looks like this:

#!/bin/csh
pgp -f < $* | more

So to read a PGP'd message, I just type 'e' ... Anyone else do something interesting with ucbmail? /jordan From mcguirk at indirect.com Mon May 6 02:33:08 1996 From: mcguirk at indirect.com (Dan McGuirk) Date: Mon, 6 May 1996 17:33:08 +0800 Subject: WWW proxies? In-Reply-To: Message-ID: On Sun, 5 May 1996, Lucky Green wrote: > At 0:30 5/5/96, Lou Poppler wrote: > >On Fri, 26 Apr 1996 19:13:06 -0400 (EDT), > >Black Unicorn wrote: > >} > >} Has anyone developed such a beast yet? Here's a simple one in 3 lines of perl. It only supports HTTP GET, and it ignores all of the MIME headers on the original request. It requires the LWP perl module, but the RSA code requires dc, so I guess it's fair :)

#!/usr/bin/perl5 --# HTTP proxy, GET/http only; usage: 'lwp-proxy '
use LWP::Simple;sub w{wait;}$SIG{'CHLD'}='w';$SIG{'CLD'}='w';socket(S,2,1,6);
bind(S,pack(Sna4x8,2,$ARGV[0]));listen(S,5);while(1){accept(N,S);if(!fork){
open(STDERR,">&N");chop($r=<N>);$r=~s/^GET //i;select(N);getprint($r);exit;}}

From shamrock at netcom.com Mon May 6 02:55:00 1996 From: shamrock at netcom.com (Lucky Green) Date: Mon, 6 May 1996 17:55:00 +0800 Subject: Why I Pay Too Much in Taxes Message-ID: At 21:48 5/5/96, Alan Horowitz wrote: ><< " I paid approximately 60%...." >> > > >didn't the feudal vassals only pay 33% ? To paraphrase - I forget >which Presidential candidate of yore - "are you better off than you were >a thousand years ago?" > >And that's not even counting the interest you pay on your mortgage. Count >that, and the vassals were head and shoulders above Californians. Generally, the feudal subjects paid the Tithe.
Yes, Robin Hood and his men fought the evil Sheriff of Nottingham for his crushing 10% tax. :-) [My last post in this off-topic thread.] Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green PGP encrypted mail preferred. From sandfort at crl.com Mon May 6 03:28:02 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Mon, 6 May 1996 18:28:02 +0800 Subject: Why I Pay Too Much in Taxes In-Reply-To: Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Sun, 5 May 1996, Alan Horowitz wrote: > didn't the feudal vassals only pay 33% ? Actually, no. When I used to edit a magazine, I commissioned an article about how much "tax" slaves, serfs, etc. paid. That is, how much of what they produced, did they get to keep; how much went to their masters. The surprising, cross-cultural answer my researcher/writer found was that they got to keep everything they produced except 5-10%. That's a lot better, percentage-wise, than for modern "tax slaves." S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From jimbell at pacifier.com Mon May 6 03:38:42 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 6 May 1996 18:38:42 +0800 Subject: FW: Why I Pay Too Much in Taxes Message-ID: At 06:27 PM 5/5/96 -0700, blanc wrote: >From: Black Unicorn (in reply to TCMay): > >> I have no doubt that "tax planning" works for some people, and I think >> certain people like Vince Cate may do well in places like Anguilla, >> essentially starting a business from scratch. I even have longterm hopes >> for tax havens, cyberspace tax havens, anonymous systems, etc. But this >> ain't happening soon. > >Here I'm not so sure I agree. Several of us are working on making it >happen, soon. >..................................................................................................
> > >I have a great idea - let's start a closed, elite mailing list for "Offshorepunks". >Uni, Sandy, & Duncan et al could "show us how it's done". Let's turn this around, shall we? I have a theory that within the next few years, one of the biggest users of these off-shore accounts will be government employees who see their worlds crashing down around them, and they want to be able to escape the country with their loot. Maybe the most useful task we could accomplish would be to identify them for later targeting. Jim Bell jimbell at pacifier.com From jk at stallion.ee Mon May 6 08:18:39 1996 From: jk at stallion.ee (=?ISO-8859-1?Q?J=FCri_Kaljundi?=) Date: Mon, 6 May 1996 23:18:39 +0800 Subject: PGP and Pine? In-Reply-To: Message-ID: Sun, 5 May 1996, Dan McGuirk wrote: > I haven't found one, but according to the Pine developers, PGP support is > going to be included in the next version (3.92). Well the current version is 3.93 already, 3.92 was released long time ago. Can't see any special PGP support in those versions. J�ri Kaljundi jk at stallion.ee AS Stallion From bryce at digicash.com Mon May 6 12:02:33 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Tue, 7 May 1996 03:02:33 +0800 Subject: PGP and Pine? In-Reply-To: <9605060440.AA22456@blood.Thinkbank.COM> Message-ID: <199605061109.NAA13436@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- > That reminds me that I have been meaning to send out what I use for PGP > and ucbmail. First of all, since you can ~| outgoing messages, I don't > need any support for sending. For receiving, there's two ways to > 'edit' messages: 'e' invokes $EDITOR and 'v' invokes $VISUAL on a > message. I actually use 'v' so I set $EDITOR (in my .mailrc) to > ~/bin/mypgp which looks like this: > > #!/bin/csh > pgp -f < $* | more > > So to read a PGP'd message, I just type 'e' ... > > Anyone else do something interesting with ucbmail? I suppose my BAP scripts would work with it. 
(BAP basically does just what you describe above, with a few added features.) Let me know if you want a free copy of BAP.

Regards,

Bryce

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2

iQB1AwUBMY3d2UjbHy8sKZitAQG/KAMAjaBf7qYa3ZY6i67h7dheohPOxTYe5rZ2
WUj+c/0YqZ8B0Acj/qEbriSTsJlCJEZoJ2KJFHhWJVctOGk+hg4l8ER3FNNB8lbY
KcHhi2sakDi+4O6TfPggIQSHVX2svnoB
=4Ksy
-----END PGP SIGNATURE-----

From jamesd at echeque.com Mon May 6 13:33:40 1996
From: jamesd at echeque.com (jamesd at echeque.com)
Date: Tue, 7 May 1996 04:33:40 +0800
Subject: Why I Pay Too Much in Taxes
Message-ID: <199605061419.HAA02540@dns2.noc.best.net>

At 11:16 PM 5/5/96 -0700, Sandy Sandfort wrote:
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> SANDY SANDFORT
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
>
>C'punks,
>
>On Sun, 5 May 1996, Alan Horowitz wrote:
>
>> didn't the feudal vassals only pay 33% ?
>
>Actually, no. When I used to edit a magazine, I commissioned an
>article about how much "tax" slaves, serfs, etc. paid. That is,
>how much of what they produced, did they get to keep; how much
>went to their masters. The surprising, cross-cultural answer my
>researcher/writer found was that they got to keep everything they
>produced except 5-10%. That's a lot better, percentage-wise,
>than for modern "tax slaves."

In the early feudal period, ordinary knights did not live well. They were only moderately better off than peasants, and yet to support one knight, you needed a startlingly large number of peasants, a fact that kings were continually unhappy about and continually trying to fix.

While it is difficult to assess the tax rate, because taxes were in kind, it was clearly very low by modern standards.

---------------------------------------------------------------------
                                      |
We have the right to defend ourselves | http://www.jim.com/jamesd/
and our property, because of the kind |
of animals that we are. True law      | James A. Donald
derives from this right, not from the |
arbitrary power of the state.         | jamesd at echeque.com

From maldrich at grci.com Mon May 6 13:47:16 1996
From: maldrich at grci.com (Mark O. Aldrich)
Date: Tue, 7 May 1996 04:47:16 +0800
Subject: L. Detweiler is a CyberAngel
In-Reply-To:
Message-ID:

On Sun, 5 May 1996, Rich Graves wrote:

>
> I believe you can get it at http://www.csn.net/~ldetweil/
>

Is this stuff collected and published by LD himself, or is someone just fronting it? The tone of the prose seems a little weird, but I wasn't on c'punks during his heyday, so I can't tell. It seems a little too self-effacing at times for the style of a net.loon.

-------------------------------------------------------------------------
| Liberty is truly dead |Mark Aldrich |
| when the slaves are willing |GRCI INFOSEC Engineering |
| to forge their own chains. |maldrich at grci.com |
| STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil |
|_______________________________________________________________________|
|The author is PGP Empowered. Public key at: finger maldrich at grci.com |
| The opinions expressed herein are strictly those of the author |
| and my employer gets no credit for them whatsoever. |
-------------------------------------------------------------------------

From raph at CS.Berkeley.EDU Mon May 6 14:54:51 1996
From: raph at CS.Berkeley.EDU (Raph Levien)
Date: Tue, 7 May 1996 05:54:51 +0800
Subject: List of reliable remailers
Message-ID: <199605061350.GAA27915@kiwi.cs.berkeley.edu>

I operate a remailer pinging service which collects detailed information about remailer features and reliability.

To use it, just finger remailer-list at kiwi.cs.berkeley.edu

There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at:
http://www.cs.berkeley.edu/~raph/remailer-list.html

This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail.
For more information, see:
http://www.c2.org/~raph/premail.html

For the PGP public keys of the remailers, finger pgpkeys at kiwi.cs.berkeley.edu

This is the current info:

REMAILER LIST

This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu.

$remailer{"extropia"} = " cpunk pgp special";
$remailer{"portal"} = " cpunk pgp hash";
$remailer{"alumni"} = " cpunk pgp hash";
$remailer{"bsu-cs"} = " cpunk hash ksub";
$remailer{"c2"} = " eric pgp hash reord";
$remailer{"penet"} = " penet post";
$remailer{"hacktic"} = " cpunk mix pgp hash latent cut post ek";
$remailer{"flame"} = " cpunk mix pgp. hash latent cut post reord";
$remailer{"rahul"} = " cpunk pgp hash filter";
$remailer{"mix"} = " cpunk mix pgp hash latent cut ek ksub reord ?";
$remailer{"ford"} = " cpunk pgp hash ksub ek";
$remailer{"robo"} = " cpunk hash mix";
$remailer{"replay"} = " cpunk mix pgp hash latent cut post ek";
$remailer{"rmadillo"} = " mix cpunk pgp hash latent cut ek";
$remailer{"ecafe"} = " cpunk mix";
$remailer{"wmono"} = " cpunk mix pgp. hash latent cut";
$remailer{"shinobi"} = " cpunk mix hash latent cut ek reord";
$remailer{"amnesia"} = " cpunk mix pgp hash latent cut ksub";
$remailer{"gondolin"} = " cpunk mix pgp hash latent cut ek reord";
$remailer{"tjava"} = " cpunk mix pgp hash latent cut";
$remailer{"pamphlet"} = " cpunk pgp hash latent cut ?";
$remailer{'alpha'} = ' alpha pgp';
$remailer{'gondonym'} = ' alpha pgp';
$remailer{"lead"} = " cpunk pgp hash latent cut ek";
$remailer{"treehole"} = " cpunk pgp hash latent cut ek";
$remailer{"nemesis"} = " cpunk pgp hash latent cut";
$remailer{"exon"} = " cpunk pgp hash latent cut ek";
$remailer{"vegas"} = " cpunk pgp hash latent cut";
$remailer{"haystack"} = " cpunk mix pgp hash latent cut ek";
$remailer{"ncognito"} = " mix cpunk latent";
catalyst at netcom.com is _not_ a remailer.
lmccarth at ducie.cs.umass.edu is _not_ a remailer.
usura at replay.com is _not_ a remailer.

Groups of remailers sharing a machine or operator:
(c2 robo alpha)
(gondolin gondonym)
(flame hacktic replay)
(alumni portal)

Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too.

Note: The remailer list now includes information for the alpha nymserver.
Last update: Mon 6 May 96 6:45:06 PDT

remailer  email address                       history        latency  uptime
-----------------------------------------------------------------------
shinobi   remailer at shinobi.alias.net       *-*--*+***+*     38:35  99.99%
alpha     alias at alpha.c2.org               +-+++--+.+++   1:16:28  99.99%
hacktic   remailer at utopia.hacktic.nl       +******++***      8:55  99.98%
portal    hfinney at shell.portal.com         ####*-##-###     11:44  99.93%
haystack  haystack at holy.cow.net            #+*-**-*#*#      21:39  99.90%
lead      mix at zifi.genetics.utah.edu       ++++++++++++     38:55  99.88%
ecafe     cpunk at remail.ecafe.org           #* -####*#       30:12  99.76%
mix       mixmaster at remail.obscura.com     __._.--++++   13:34:46  99.68%
extropia  remail at miron.vip.best.com        -----_.--.-   11:22:42  99.61%
exon      remailer at remailer.nl.com         ##****+*****      2:29  99.53%
flame     remailer at flame.alias.net         -+++ .----+    6:11:21  99.42%
alumni    hal at alumni.caltech.edu           +*## +#-###      20:24  99.35%
penet     anon at anon.penet.fi               _...____ .    54:35:54  99.35%
c2        remail at c2.org                    +++++- +++++   1:18:29  98.98%
amnesia   amnesia at chardos.connix.com       --______. -   49:22:17  98.80%
vegas     remailer at vegas.gateway.com       #- .---###**   4:29:32  98.30%
replay    remailer at replay.com              ****+ +***        5:21  93.85%
treehole  remailer at mockingbird.alias.net   +-----+        2:56:21  90.38%

History key
* # response in less than 5 minutes.
* * response in less than 1 hour.
* + response in less than 4 hours.
* - response in less than 24 hours.
* . response in more than 1 day.
* _ response came back too late (more than 2 days).

cpunk
    A major class of remailers. Supports Request-Remailing-To: field.
eric
    A variant of the cpunk style. Uses Anon-Send-To: instead.
penet
    The third class of remailers (at least for right now). Uses X-Anon-To: in the header.
pgp
    Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID.
hash
    Supports ## pasting, so anything can be put into the headers of outgoing messages.
ksub
    Remailer always kills subject header, even in non-pgp mode.
nsub
    Remailer always preserves subject header, even in pgp mode.
latent
    Supports Matt Ghio's Latent-Time: option.
cut
    Supports Matt Ghio's Cutmarks: option.
post
    Post to Usenet using Post-To: or Anon-Post-To: header.
ek
    Encrypt responses in reply blocks using Encrypt-Key: header.
special
    Accepts only pgp encrypted messages.
mix
    Can accept messages in Mixmaster format.
reord
    Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself.
mon
    Remailer has been known to monitor contents of private email.
filter
    Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering.

Raph Levien

From jya at pipeline.com Mon May 6 15:51:38 1996
From: jya at pipeline.com (John Young)
Date: Tue, 7 May 1996 06:51:38 +0800
Subject: ATF_ear
Message-ID: <199605061549.PAA06105@pipe1.t2.usa.pipeline.com>

5-6-96. WaPo reports on ATF and LEAs being ostracized by benign feds and citizens fearful of being housed with them.

ATF_ear

From jya at pipeline.com Mon May 6 16:18:11 1996
From: jya at pipeline.com (John Young)
Date: Tue, 7 May 1996 07:18:11 +0800
Subject: IRI_spy
Message-ID: <199605061549.PAA06043@pipe1.t2.usa.pipeline.com>

5-6-96. WaPo reports on ID by iris scanning and other biometrics spying by NSA and the 200-member Biometrics Consortium. The consortium's espionage site:

http://www.vitro.bloomington.in.us:8080/~BC/

IRI_spy

From jya at pipeline.com Mon May 6 16:22:16 1996
From: jya at pipeline.com (John Young)
Date: Tue, 7 May 1996 07:22:16 +0800
Subject: OCT_pus
Message-ID: <199605061526.PAA03975@pipe1.t2.usa.pipeline.com>

5-6-96. Time: "Master of the Game. The formidable John Deutch is becoming the most powerful CIA chief ever."

This power didn't fall accidentally into Deutch's lap; he has lobbied hard for it.
While he mouthed technocratic demurrals before the Senate committee, promising not to be too "intrusive" and humbly noting that "my Cabinet colleagues have concerns about how future DCI's would, over the long term, play a role in this concurrence," it was clearly time for the winner to take all.

The CIA is already upgrading many of its techniques: breaking into computer systems, intercepting faxes, experimenting with dead drops in cyberspace to receive secrets.

The big-ticket spending that is out of control has been satellites. The CIA wants to build $1 billion-apiece "8X" spy satellites to photograph targets, even though it has sitting in warehouses about half a dozen satellites that have the capacity to take pictures for the next decade. But satellites may simply not be that useful. A secret CIA study recently concluded that satellites provide less than 10% of the valuable signal intelligence collected from such rogue states as Iraq and Iran. Most such data are scooped up by ground stations or via phone taps.

There is deep anxiety at Langley that Deutch's grab for power is designed to advance his own career.

OCT_pus

-----

William Safire adds to this in 5-6-96 NYT: www.nytimes.com.

From unicorn at schloss.li Mon May 6 16:34:42 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Tue, 7 May 1996 07:34:42 +0800
Subject: Key
Message-ID:

On Sun, 5 May 1996, Lance Cottrell wrote:

> Why did you decide to create this additional key. What role are you
> reserving the other one for?

It's more convenient for me to sign on a multi-user system. As I don't want to compromise my main key, a lower security document signing key would seem in order.

Feel free to copy this to the list.

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed, potestas scientiae in usu est
Franklin might have had to invent him." in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From anonymous-remailer at shell.portal.com Mon May 6 17:07:37 1996
From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com)
Date: Tue, 7 May 1996 08:07:37 +0800
Subject: UK IP Censorship
Message-ID: <199605061552.IAA15075@jobe.shell.portal.com>

Financial Times, 6 May 1996

Internet provider to launch censorship

By James Mackintosh in London

Unipalm Pipex, the biggest provider of Internet access to British businesses, has acceded to government calls for voluntary censorship in a significant boost to ministerial attempts to restrict access to electronic pornography.

Pipex is to block much of the worst child pornography from subscribers and will also be supplying new software to allow companies to limit the parts of the Internet - the international computer network - accessible by staff.

The decision is likely to have far-reaching implications for the Internet in Britain because Mr Peter Dawe, managing director of Pipex, is also political officer of the Internet Service Providers' Association, the body negotiating a voluntary code of conduct with the government.

Until recently Mr Dawe was opposed to any form of censorship. But he has now decided to stop supplying discussion groups - which are devoted to pictures of young children.

The software package will allow subscribers to block parts of the Internet considered unsuitable, making them accessible only with a password. As a result, parents will be able to control which parts of the Internet are available to children, and managers to ensure staff are not breaking the law.

However, Mr Dawe emphasised the impossibility of completely blocking offensive parts of the Internet.

Pipex - the UK arm of UUNet of the US - does not expect a backlash from users over the censorship. Mr Dawe said he was sure Pipex's corporate users "would be horrified" at what is available on the Internet. He said that if pornographic pictures were found on office computers, companies could be open to prosecution.

Cambridge-based Pipex, which claims more than 60 per cent of the UK's corporate Internet users, selected which news groups to block after seeking the advice of police at Scotland Yard in London.

The Obscene Publications Squad confirmed that child pornography on the Internet had already become a serious problem. "The majority of the people we deal with have used news groups," he said. Child pornography had become available to people who a few years ago would not have known how to find it.

The approach Pipex has taken fits with the government's preferred option of a voluntary code of conduct for Internet providers, leaving censorship matters to users.

---

From fair at clock.org Mon May 6 18:06:48 1996
From: fair at clock.org (Erik E. Fair (Time Keeper))
Date: Tue, 7 May 1996 09:06:48 +0800
Subject: [History] USPS tried to monopolize email? (c. 1981)
Message-ID:

The U.S. Postal Service's first attempt at E-mail was called "E-COM" (ca. 1984), and it amounted to an electronic submission system for mail that would then be printed, stuffed into envelopes, and delivered in the usual way - but done so at the regional centers. It was geared toward 3rd class mass mailings, and was a dismal failure. While it was cheaper than standard 3rd class mailings, the mailings were output on Printronix dot-matrix line printers, and they looked terrible. Who knows? If they'd invested in laser printers instead...

Some of you who were on the UUCP/USENET at the time may remember a small company on the UUCP network in Rockville, MD called "netword", which would accept E-mail for E-COM and deliver it for free; the deal was that the input batches to E-COM had to be of a certain size, and the "netword" folks rounded out their batches with the stuff from the net.

Eventually, E-COM was sold (I seem to recall the Netword people bidding on it), and it disappeared shortly thereafter.
I know about this story because Netword was a customer of another company which has also since disappeared: Dual Systems of Berkeley, California, makers of a Motorola 68000-based, Version 7 (and later System V) UNIX system on the S-100 (IEEE-696) bus. I worked for Dual from March '83 to June '85 - my first job out of college.

Erik Fair
fair at clock.org

From loki at infonex.com Mon May 6 18:16:23 1996
From: loki at infonex.com (Lance Cottrell)
Date: Tue, 7 May 1996 09:16:23 +0800
Subject: Why I Pay Too Much in Taxes
Message-ID:

One should also note that the surplus beyond subsistence was much smaller at that time. A more useful figure might be the percent tax on surplus. If the serf was taxed at 10%, but only had a 5% surplus above survival needs, then he was in a difficult position. Unfortunately I see no chance of an agreement on how to define surplus.

-Lance

At 7:20 AM 5/6/96, jamesd at echeque.com wrote:
>At 11:16 PM 5/5/96 -0700, Sandy Sandfort wrote:
>>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> SANDY SANDFORT
>> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
>>
>>C'punks,
>>
>>On Sun, 5 May 1996, Alan Horowitz wrote:
>>
>>> didn't the feudal vassals only pay 33% ?
>>
>>Actually, no. When I used to edit a magazine, I commissioned an
>>article about how much "tax" slaves, serfs, etc. paid. That is,
>>how much of what they produced, did they get to keep; how much
>>went to their masters. The surprising, cross-cultural answer my
>>researcher/writer found was that they got to keep everything they
>>produced except 5-10%. That's a lot better, percentage-wise,
>>than for modern "tax slaves."
>
>
>In the early feudal period, ordinary knights did not live well.
>They were only moderately better off than peasants, and yet to support one
>knight, you needed a startlingly large number of peasants, a fact
>that kings were continually unhappy about and continually trying
>to fix.
>
>While it is difficult to assess the tax rate, because taxes were
>in kind, it was clearly very low by modern standards.
> ---------------------------------------------------------------------
>                                       |
>We have the right to defend ourselves | http://www.jim.com/jamesd/
>and our property, because of the kind |
>of animals that we are. True law      | James A. Donald
>derives from this right, not from the |
>arbitrary power of the state.         | jamesd at echeque.com

----------------------------------------------------------
Lance Cottrell loki at obscura.com
PGP 2.6 key available by finger or server.
Mixmaster, the next generation remailer, is now available!
http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com

"Love is a snowmobile racing across the tundra. Suddenly
it flips over, pinning you underneath. At night the ice
weasels come."
--Nietzsche
----------------------------------------------------------

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 6 18:19:51 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Tue, 7 May 1996 09:19:51 +0800
Subject: Arguments _against_ privacy, anyone?
Message-ID: <01I4DWLF4PF48Y583T@mbcl.rutgers.edu>

From: IN%"rre at weber.ucsd.edu" 6-MAY-1996 01:21:22.00

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This message was forwarded through the Red Rock Eater News Service (RRE).
Send any replies to the original author, listed in the From: field below.
You are welcome to send the message along to others but please do not use
the "redirect" command.
For information on RRE, including instructions
for (un)subscribing, send an empty message to rre-help at weber.ucsd.edu
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Date: Sun, 5 May 96 02:28 PDT
From: privacy at vortex.com (PRIVACY Forum)
Subject: PRIVACY Forum Digest V05 #10

PRIVACY Forum Digest Sunday, 5 May 1996 Volume 05 : Issue 10

-----------------------------------------------------------------------------

Date: Sun, 21 Apr 1996 15:58:03 -0700 (PDT)
From: Phil Agre
Subject: Call for bad arguments against privacy

In my online newsletter, The Network Observer, I periodically summarize and rebut bad arguments against a broad right to privacy. At the end of this message I've included a partial list of the arguments I have discussed so far. I would like to gather another batch of arguments, probably for the July 1996 issue of TNO, and I am hoping that you can help me. Please send me any bad arguments against privacy rights that you have encountered, even if you can't quite figure out what's wrong with them, and even if you don't have a specific example ready to hand. Arguments concerning specific issues such as government records, medical privacy, and video surveillance are particularly welcome. Once I finish this next set of arguments and rebuttals, I'll gather the whole set into a "handbook" that can be distributed freely on the Internet.

Thanks very much.

Phil Agre

Encl:

The Network Observer can be found on the Web at:

http://communication.ucsd.edu/pagre/tno.html

The privacy articles can be found indexed a little ways down the page.

Here are most of the arguments that I have discussed in past issues:

* "We've lost so much of our privacy anyway."
* "Privacy is an obsolete Victorian hang-up."
* "Ideas about privacy are culturally specific and it is thus impossible to define privacy in the law without bias."
* "We have strong security on our data."
* "National identity cards protect privacy by improving authentication and data security."
* "Informational privacy can be protected by converting it into a property right."
* "We have to balance privacy against industry concerns."
* "Privacy paranoids want to turn back the technological clock."
* "Most people are privacy pragmatists who can be trusted to make intelligent trade-offs between functionality and privacy."
* "Our lives will inevitably become visible to others, so the real issue is mutual visibility, achieving a balance of power by enabling us to watch the people who are watching us."
* "Once you really analyze it, the concept of privacy is so nebulous that it provides no useful guidance for action."
* "People *want* these systems, as indicated by the percentage of them who sign up for them once they become available."
* "Concern for privacy is anti-social and obstructs the building of a democratic society."
* "Privacy regulation is just one more category of government interference in the market, which after all is much better at weighing individuals' relative preferences for privacy and everything else than bureaucratic rules could ever be."
* "There's no privacy in public."
* "We favor limited access."
* "Privacy in these systems has not emerged as a national issue."

[ Submissions that would be interesting to the general readership of the PRIVACY Forum would also be very welcome here. -- MODERATOR ]

------------------------------

End of PRIVACY Forum Digest 05.10
************************

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 6 18:44:12 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Tue, 7 May 1996 09:44:12 +0800
Subject: Nando.net on expatriate tax issue
Message-ID: <01I4DYJWM3NG8Y583T@mbcl.rutgers.edu>

From: IN%"unicorn at schloss.li" "Black Unicorn" 29-APR-1996 02:16:40.69

>On Sun, 28 Apr 1996, E. ALLEN SMITH wrote:
> >Billionaires' tax loophole could complicate passage of health reform

>What precisely does this reporter think is being "tightened" in his or her
>version of the House bill? (Note that in current law there is no $500,000
>floor). In fact the reporter hasn't bothered to describe what the
>provision really does. (Imposes a expatriation is taxable event
>analysis). Talk about a snow job. I won't say it is or is not advertent,
>but it's bloody annoying.

Fascinating. One wonders how the House managed to convince the CBO that it would gain money... it did.

> >The House version would be extremely difficult to enforce and would allow
> >patient expatriates to avoid the tax by holding their assets for 10 years
> >before selling, they say. In the interim, they could raise cash by
> >borrowing against the assets.

>Which is the law today. What is with this guy? Get your facts straight
>media.

I have relatives who went to journalism school during the Depression. I begin to see why they complain about modern media, and why Heinlein said that Time _never_ got the story right on anything he saw in person. Modern journalism schools are going more and more to communication theory courses as opposed to how to write and how to get the facts straight.

-Allen

From jim at ACM.ORG Mon May 6 18:52:06 1996
From: jim at ACM.ORG (Jim Gillogly)
Date: Tue, 7 May 1996 09:52:06 +0800
Subject: L. Detweiler is a CyberAngel [NOISE]
In-Reply-To:
Message-ID: <199605061714.KAA15944@mycroft.rand.org>

"Mark O. Aldrich" writes:
>Is this stuff collected and published by LD himself, or is someone just
>fronting it? The tone of the prose seems a little weird, but I wasn't on
>c'punks during his heyday, so I can't tell. It seems a little too
>self-effacing at times for the style of a net.loon.

LD isn't a loon, in my opinion. He has a strongly-held but consistent opinion on matters of computer privacy.
His "loon" reputation (and election, IIRC) stems from back in the days when he was making his points by performance art and example, rather than by reasoned argumentation and exposition. People looking at the performance art and taking it at face value have been confused by the underlying message and annoyed by the medium -- not everyone appreciates a cyber-Mapplethorpe.

Jim Gillogly
Trewesday, 16 Thrimidge S.R. 1996, 17:09

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 6 19:11:50 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Tue, 7 May 1996 10:11:50 +0800
Subject: CryptoAnarchy: What's wrong with this picture?
Message-ID: <01I4DYBJO0NA8Y583T@mbcl.rutgers.edu>

From: IN%"s1113645 at tesla.cc.uottawa.ca" 29-APR-1996 02:04:15.24
To: IN%"EALLENSMITH at mbcl.rutgers.edu" "E. ALLEN SMITH"
CC: IN%"cypherpunks at toad.com"
Subj: RE: CryptoAnarchy: What's wrong with this picture?

Received: from tesla.cc.uottawa.ca by mbcl.rutgers.edu (PMDF #12194) id <01I43C5TODPC8WWL2O at mbcl.rutgers.edu>; Sun, 28 Apr 1996 23:12 EDT
Received: by tesla.cc.uottawa.ca (AIX 3.2/UCB 5.64/4.03) id AA25041; Sun, 28 Apr 1996 23:17:36 -0400
Date: Sun, 28 Apr 1996 23:17:36 -0400 (EDT)
From: s1113645 at tesla.cc.uottawa.ca
Subject: RE: CryptoAnarchy: What's wrong with this picture?
In-reply-to: <01I43B16HT2U8Y53CU at mbcl.rutgers.edu>
Sender: s1113645 at tesla.cc.uottawa.ca
To: "E. ALLEN SMITH"
Cc: cypherpunks at toad.com
Reply-to: s1113645 at tesla.cc.uottawa.ca
Message-id:
X-Envelope-to: EALLENSMITH
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Mime-Version: 1.0

On Sun, 28 Apr 1996, E. ALLEN SMITH wrote:

>> Currently, yes... but the divide between rich and poor is growing.
>> (So long as this divide is determined by merit, and the poor still have
>> enough to survive, I'd call this a good trend. So would various other
>> people on this list, perhaps without my caveats.) In other words, the
>> middle class is going

>I agree with your caveat. It's where the anarchists get me skeptical.

The poor still having enough to survive is the most significant reason I'm not an anarcho-capitalist. There are a few others, but that's the main one.

>Someone sent me some US income tax figures. It would seem that the vast
>majority of personal taxes are paid by the rich and high-end upper-middle.
>So I'll eat my words and agree with you, talking about the rich makes
>quite a bit of sense. I sort of do wonder how many of those "corporations"
>are small businesses and individuals working as companies. Time for me to
>go find a national stats book.

Despite its agreeing with my point (thank you), I'm not sure if I'd consider income taxes to be enough of the story to go by them alone. Federal level, yes; state & local, probably not. I am willing to bet that property taxes are mainly paid by the relatively wealthy, given how much of personal capital tends to get tied up in a home. Sales taxes are more evenly distributed. However, the economic changes I discuss should result in this becoming true, even if it might not be completely true currently.

>Of course only talking about the rich makes things so much easier.

Yes. In a capitalist society based on merit, the rich are the ones who matter in the long run.

-Allen

From raph at cs.berkeley.edu Mon May 6 19:21:34 1996
From: raph at cs.berkeley.edu (Raph Levien)
Date: Tue, 7 May 1996 10:21:34 +0800
Subject: PGP and Pine?
In-Reply-To:
Message-ID: <318E2988.6EB26FF6@cs.berkeley.edu>

Jüri_Kaljundi wrote:
>
> Sun, 5 May 1996, Dan McGuirk wrote:
>
> > I haven't found one, but according to the Pine developers, PGP support is
> > going to be included in the next version (3.92).
>
> Well the current version is 3.93 already, 3.92 was released long time ago.
> Can't see any special PGP support in those versions.

There are hooks in 3.92 that can be used to add PGP support. The next version of premail, 0.44, exploits these hooks.
Unfortunately, there's a bug in Pine 3.93 that prevents it from working correctly. In addition, the hooks were not made to be MIME-aware, so it only handles vanilla PGP messages, not PGP/MIME.

Version 0.44 of premail will be released soon. I have a patch for Pine, and there are alpha testers who are playing with the code now. It's fairly high on my list of priorities to get the integration with Pine to be really smooth.

Raph

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 6 19:45:00 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Tue, 7 May 1996 10:45:00 +0800
Subject: CryptoAnarchy: What's wrong with this picture?
Message-ID: <01I4DYNHXPW28Y583T@mbcl.rutgers.edu>

From: IN%"unicorn at schloss.li" "Black Unicorn" 29-APR-1996 02:21:27.65
To: IN%"jimbell at pacifier.com" "jim bell"
CC: IN%"cypherpunks at toad.com" "Cypherpunks"
Subj: RE: CryptoAnarchy: What's wrong with this picture?

Received: from toad.com by mbcl.rutgers.edu (PMDF #12194) id <01I43INDKHI88WWLV8 at mbcl.rutgers.edu>; Mon, 29 Apr 1996 02:18 EDT
Received: (from majordom at localhost) by toad.com (8.7.5/8.7.3) id TAA27441 for cypherpunks-outgoing; Sun, 28 Apr 1996 19:17:23 -0700 (PDT)
Received: from polaris.mindport.net (unicorn at polaris.mindport.net [205.219.167.2]) by toad.com (8.7.5/8.7.3) with SMTP id TAA27428 for ; Sun, 28 Apr 1996 19:17:12 -0700 (PDT)
Received: from localhost (unicorn at localhost) by polaris.mindport.net (8.6.12/8.6.12) with SMTP id AAA07591; Mon, 29 Apr 1996 00:15:56 -0400
Date: Mon, 29 Apr 1996 00:15:56 -0400 (EDT)
From: Black Unicorn
Subject: RE: CryptoAnarchy: What's wrong with this picture?
In-reply-to:
Sender: owner-cypherpunks at toad.com
To: jim bell
Cc: Cypherpunks
Reply-to: Black Unicorn
Message-id:
X-Envelope-to: eallensmith
Content-type: TEXT/PLAIN; charset=US-ASCII
Posted-Date: Mon, 29 Apr 1996 00:15:56 -0400
X-Sender: unicorn at polaris.mindport.net
MIME-Version: 1.0
Precedence: bulk

On Sun, 28 Apr 1996, jim bell wrote:

[...]

>While strong cryptography is powerful, and secure communications
>liberating, unplugging the phones would about cripple that 'weapon' for a
>while. Any group rebelling based only on high technology communication is
>an extremely vulnerable group, both to widespread denial of service, and
>more specific 'surgical' attacks. (Motorola stock anyone?)

Wouldn't that partially depend on:
A. the level of backups - packet radio as a backup for phones, for instance... a reason I've been forwarding the stuff on radio to here.
B. the necessity to the government of keeping what else may depend on those phones - the economy - going.

-Allen

From cert-it at dsi.unimi.it Mon May 6 19:46:28 1996
From: cert-it at dsi.unimi.it (cert-it at dsi.unimi.it)
Date: Tue, 7 May 1996 10:46:28 +0800
Subject: STEL b5 released
Message-ID: <199605061700.TAA25866@idea.sec.dsi.unimi.it>

-----BEGIN PGP SIGNED MESSAGE-----

STEL beta5 has been released.

1. WHAT IS STEL?

STEL is a free telnet surrogate which provides strong mutual authentication, encryption, secure file transfer, automatic s/Key password generation, centralization and management of s/Key passwords and more.

2. WHERE IS STEL AVAILABLE?

STEL is available as:

ftp://idea.sec.dsi.unimi.it/cert-it/stel.tar.gz

Please note that ftp.dsi.unimi.it is not supporting security stuff anymore. All the security archive has been moved to idea.sec.dsi.unimi.it.

3. WHAT IS THE STATUS OF STEL?

The latest version of STEL is beta 5.
It has been (quite) extensively tested on the following systems: hpux sunos4 solaris24 solaris25 irix linux aix It has been reported to work (but no testing) on: ultrix freebsd bsdi Bug reports, comments and suggestions should be sent to: stel-authors at idea.sec.dsi.unimi.it - -- ******************************************************** ******** Computer Emergency Response Team ITALY ******** ******************************************************** E-mail: cert-it at idea.dsi.unimi.it Mailing list: unix-security-request at idea.sec.dsi.unimi.it Ftp: ftp://idea.sec.dsi.unimi.it WWW: http://idea.sec.dsi.unimi.it From shamrock at netcom.com Mon May 6 19:49:16 1996 From: shamrock at netcom.com (Lucky Green) Date: Tue, 7 May 1996 10:49:16 +0800 Subject: WWW proxies? Message-ID: At 11:31 5/6/96, sameer wrote: >> site, the commercial value of the information that could be gained by >> logging traffic at the site is tremendous. > > The commercial value of being honest is greater. In your evaluation, perhaps. In the mind of every web proxy site? Doubtful.
In fact, a former client of mine seriously considered offering an "anonymous" web proxy for the sole reason to be able to capture the traffic stats. Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green PGP encrypted mail preferred. From unicorn at schloss.li Mon May 6 19:49:33 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 7 May 1996 10:49:33 +0800 Subject: ATF_ear In-Reply-To: <199605061549.PAA06105@pipe1.t2.usa.pipeline.com> Message-ID: > ATF_ear > From EALLENSMITH at ocelot.Rutgers.EDU Mon May 6 20:06:41 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Tue, 7 May 1996 11:06:41 +0800 Subject: alias servers (al la alias.c2.org) Message-ID: <01I4DXULRMKS8Y583T@mbcl.rutgers.edu> From: IN%"des at juno.com" 27-APR-1996 04:36:45.71 >On Fri, 26 Apr 1996 20:30:38 -0400 (EDT) Black Unicorn > writes: >>Is anyone besides c2.org running an alias server? >There's a few of them - nym.gondolin.org, nym.alias.net, and >alias.alias.net are the others that leap to mind just now. >Of course, having just previewed the Juno "free-email" >service, I might count it also. How much information do they actually want, and how much do they check? I seem to recall that they wanted some info for giving to the advertisers and for targeting the advertising. -Allen From admin at anon.penet.fi Mon May 6 20:12:11 1996 From: admin at anon.penet.fi (admin at anon.penet.fi) Date: Tue, 7 May 1996 11:12:11 +0800 Subject: Anonymous info Message-ID: <9605061617.AA25267@anon.penet.fi> You have requested information about your account at anon.penet.fi. Your code name is: Your real e-mail address is: Your nickname is: <> Your password is: <> Regards, admin at anon.penet.fi From frissell at panix.com Mon May 6 20:33:31 1996 From: frissell at panix.com (Duncan Frissell) Date: Tue, 7 May 1996 11:33:31 +0800 Subject: Why I Pay Too Much in Taxes Message-ID: <2.2.32.19960506200557.00730d48@popserver.panix.com> At 03:49 PM 5/6/96 EDT, E. 
ALLEN SMITH wrote:
>From: IN%"frissell at panix.com" "Duncan Frissell" 5-MAY-1996 08:56:32.33
>
>>Even though the population of those who regularly violate federal tax laws
>>is smaller (20 million?) the records show that even for this population the
>>odds of being convicted are approximately the odds of being murdered.
>
> However, are you controlling for level of income? The IRS is a lot
>more worried about TCMay committing tax fraud than they are about me committing
>tax fraud; my income taxes are a lot closer to 0 than his.
> -Allen
>

Actually, as a percentage of income, tax evasion is probably more prevalent among the poor than the rich. Because they are less exposed. Studies of spending show that the poorest 20% of Americans spend twice their reported income.

DCF

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 6 20:42:27 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Tue, 7 May 1996 11:42:27 +0800
Subject: Why I Pay Too Much in Taxes
Message-ID: <01I4E307ZW1Q8Y583T@mbcl.rutgers.edu>

From: IN%"frissell at panix.com" "Duncan Frissell" 5-MAY-1996 08:56:32.33

>Even though the population of those who regularly violate federal tax laws
>is smaller (20 million?) the records show that even for this population the
>odds of being convicted are approximately the odds of being murdered.

However, are you controlling for level of income? The IRS is a lot more worried about TCMay committing tax fraud than they are about me committing tax fraud; my income taxes are a lot closer to 0 than his.
-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 6 20:43:18 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Tue, 7 May 1996 11:43:18 +0800
Subject: Police tactics question
Message-ID: <01I4E2S0NTES8Y583T@mbcl.rutgers.edu>

I've often heard of the police/postmaster mailing someone child pornography prior to going in and busting them for possession of it. What are the legal matters in such cases?
Thanks, -Allen From EALLENSMITH at ocelot.Rutgers.EDU Mon May 6 21:05:14 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Tue, 7 May 1996 12:05:14 +0800 Subject: Why I Pay Too Much in Taxes Message-ID: <01I4E43Y5Z5S8Y583T@mbcl.rutgers.edu> From: IN%"frissell at panix.com" "Duncan Frissell" 6-MAY-1996 16:04:24.96 >Actually, as a percentage of income, tax evasion is probably more prevalent >among the poor than the rich. Because they are less exposed. Studies of >spending show that the poorest 20% of Americans spend twice their reported >income. Quite. The poor can get away with this for multiple reasons, including being on more of a cash-based economy. But the largest reason is probably that the IRS doesn't care nearly as much about each individual at the low end of the income ladder as they do about any evasion involving a lot of money. Now, the low end tax evasion probably costs the government a lot more than the rich does... but it's also a lot harder to pursue. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Mon May 6 21:07:15 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Tue, 7 May 1996 12:07:15 +0800 Subject: Why Leahy is No Friend of Ours Message-ID: <01I4E3O2J8068Y583T@mbcl.rutgers.edu> From: IN%"attila at primenet.com" "attila" 5-MAY-1996 21:36:54.93 > how many _truly_ "populist" presidents have we elected? Given the numbers of times that a democracy has done more harm than good to civil liberties (Prohibition, the election of Islamic Fundamentalists in Algeria, etcetera), we don't _want_ a "populist"/demagogue president. We want someone in charge (to whatever degree that someone has to be in charge) who will respect civil liberties. The masses aren't going to elect such a person; they prefer protection to liberty and always will. > "They that give up essential liberty to obtain a little > temporary safety deserve neither liberty nor safety." 
> --Ben Franklin (Historical Review of PA -1759) > > and, the bottom line is: > > "It is not the function of our Government to keep the citizen > from falling into error; > it is the function of the citizen to keep the Government > from falling into error." > --Robert H. Jackson (1892-1954), U.S. Judge Quite. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Mon May 6 21:07:49 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Tue, 7 May 1996 12:07:49 +0800 Subject: Why I Pay Too Much in Taxes Message-ID: <01I4E344DD6S8Y583T@mbcl.rutgers.edu> From: IN%"jk at stallion.ee" "=?ISO-8859-1?Q?J=FCri_Kaljundi?=" 5-MAY-1996 11:47:15.29 >Here in Estonia there was a proposal made in the parliament to remove >taxation on corporate income (right now there is a proportional corporate >income tax of 26%), which should bring more foreign investments into >Estonia and also make Estonian economy develop faster. Estonia I think is >one of few countries where there is a possibility of accepting this kind >of law. Of course European countries, USA and different international >financial organisations are very against this kind of law. This law would >apply both to companies and to self-employed private persons (farmers for >example). Let me guess the reason for the objection... it would make siting an offshore-type company in Estonia to avoid taxes possible. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Mon May 6 21:09:05 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Tue, 7 May 1996 12:09:05 +0800 Subject: Kid Gloves or Megaphones Message-ID: <01I4E3EH7JHS8Y583T@mbcl.rutgers.edu> From: IN%"jamesd at echeque.com" 5-MAY-1996 14:18:14.34 >>From: Lucky Green >>>It is true that the issuer is unable to discover that double blinding is >>>being used. The real problem with the protocol is that it requires >>>payor/payee collusion, which may make it difficult to execute. >At 07:58 PM 5/4/96 EDT, E. 
ALLEN SMITH wrote:
>> Can the payee discover that the payor isn't colluding before the bank
>>can figure out who the payee is?

>If the payor is not colluding, then the payee will immediately discover
>he has not been paid, because the checksums are wrong, and his software
>says "bad payment"

>If the payor is colluding, then no matter what he reveals to the bank,
>the bank cannot discover the payee. Note that with payee anonymity,
>the payee does not have to promptly check in his money, so the bank
>has no hope of narrowing the search by coincidence in time.

>But if the payee is colluding, then the payor can be detected by
>coincidence in time.

The other messages on this appear to be saying about the same thing, with the exception of this last part. _Except_ for that, the payor/payee collusion part doesn't appear to be a problem on the anonymity side of things. I would guess that Lucky Green's comment was then that there was an additional complexity for payor and payee.
-Allen

From sameer at c2.org Mon May 6 21:14:01 1996
From: sameer at c2.org (sameer)
Date: Tue, 7 May 1996 12:14:01 +0800
Subject: WWW proxies?
In-Reply-To:
Message-ID: <199605061831.LAA29568@infinity.c2.org>

> site, the commercial value of the information that could be gained by
> logging traffic at the site is tremendous.

The commercial value of being honest is greater.

--
Sameer Parekh                          Voice: 510-601-9777x3
Community ConneXion, Inc.              FAX: 510-601-9734
The Internet Privacy Provider          Dialin: 510-658-6376
http://www.c2.net/ (or login as "guest")   sameer at c2.net

From reagle at rpcp.mit.edu Mon May 6 21:20:01 1996
From: reagle at rpcp.mit.edu (Joseph M. Reagle Jr.)
Date: Tue, 7 May 1996 12:20:01 +0800
Subject: Police report body found during Colby search
Message-ID: <9605061902.AA08036@rpcp.mit.edu>

WASHINGTON (Reuter) - A body was found Monday in the area where former CIA Director William Colby went missing after going canoeing on April 27, Maryland Department of Natural Resources police said.
There was no immediate confirmation that the body was that of Colby, a spokeswoman said. ``Yes, a body was found,'' she said. The search had been under way in the area of Colby's weekend home at Cobb Neck in southern Maryland on a tributary of the Potomac River. Colby, who served as director of the CIA in the 1970s, was reported missing after his swamped canoe was found and he had not returned to his home. A CNN producer reported that a male body was found washed up on the shore of the Wicomico River about 20 yards from where the canoe was found. While there was no immediate identification of the body, CNN said ``officials have confirmed it was a male body and they say everything fits -- it looks like Colby.'' His disappearance had touched off an air and water search that included divers and specially trained dogs but the probe turned up no sign of a body in the cold, murky waters. From cynthia at usenix.org Mon May 6 21:46:57 1996 From: cynthia at usenix.org (Cynthia Deno) Date: Tue, 7 May 1996 12:46:57 +0800 Subject: Security Solutions at USENIX SECURITY Symposium Message-ID: <9605061900.AA14590@usenix.ORG> 6th UNIX Security Symposium Focusing on Applications of Cryptography July 22-25, 1996 Fairmont Hotel, San Jose, California Sponsored by the USENIX Association, the UNIX and Advanced Computing Systems Professional and Technical Association Co-sponsored by UniForum In cooperation with: The Computer Emergency Response Team (CERT) and IFIP WG 11.4 The Symposium is offering day-long tutorials, refereed papers, panel presentations, invited talks, a vendor display, and Birds-of-a-Feather sessions. Practical solutions, especially cryptographic approaches, to UNIX security will be described, dissected, and expanded. Ron Rivest of MIT delivers the Keynote Address to kick off the intensive Technical Sessions. New research on public key issues, electronic commerce, safe working areas, and secure communication will be examined in 21 peer-reviewed technical presentations. 
UniForum is sponsoring panel discussions on Security and Privacy; Electronic Commerce, Cryptography Infrastructure, and Cryptography and the Law. There will also be sessions on the latest version of PGP, Internet Firewalls, and the C2Net Privacy model. Tutorial topics include: Implementing Cryptography; World Wide Web and Internet Security; A Comparison of UNIX Security Tools; and Security for Software Developers. Three new features have been added this year. An informal Vendor Display will allow hands-on demonstration of security products. (Vendors may call Cynthia Deno at 408 335 9445 or email to display at usenix.org.) USENIX is sponsoring a secure Internet connection in the Terminal Room. And, USENIX members will be able to sign up for the PGP Key Signing Service. For the complete program and registration materials, visit our Web site: http://www.usenix.org; send email to: info at usenix.org (your message should contain the line "send security conference"); or contact the USENIX Conference office at 714 588 8649. /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/- | Cynthia Deno | | | Tel: 408 335 9445 | USENIX | | Fax: 408 335 5327 | The UNIX and Advanced Computing Systems | | cynthia at USENIX.org | Technical and Professional Association | | Check out USENIX on the Net..........http://www.USENIX.org | /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/- From sjb at universe.digex.net Mon May 6 21:49:02 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Tue, 7 May 1996 12:49:02 +0800 Subject: PICS required by laws In-Reply-To: <01I4A37X6Y0W8Y56P8@mbcl.rutgers.edu> Message-ID: <199605061824.OAA10053@universe.digex.net> "E. ALLEN SMITH" writes: > I am not quite certain if the model of >[content provider]-[ISP]-[Phones]-[ISP]-[ISP]-[user] is going to work much >longer. That routes the material through quite a few too many bottlenecks, >among them the phone lines. 
I could reasonably easily sign up with two ISPs
>and start myself as a router (with a good computer and the right software),
>from what I know of the subject; with ecash routing of messages, this might
>get quite common (and profitable).
> When you've got a few large organizations doing the routing, what
>you've said is _probably_ correct. When you've got a lot of people doing it
>out of their garages, then it isn't.
> -Allen

The problem is that it requires the cooperation of both of your ISPs. You'll never receive packets to route from either of them unless you have some sort of contract in place. In the scenario I outlined, the "common carrier" status of the ISPs is contingent on their following the censorship protocol, so their contract will require that you, too, follow it.

The network layer isn't the geodesic Bob H likes to talk about. That doesn't happen until the transport layer (one higher). It's a hierarchical star, with a relatively small number of big ISPs acting as the hub, several groups of regional ISPs acting as local arms, and many local ISPs acting as the end-points.

Even in the face of a "digital silk road", this isn't likely to change. The cost of operating a router is proportional to the number of connections it has. The vast majority of traffic doesn't have stringent enough delay requirements that it'll be willing to pay the additional cost of going through a very highly connected router. Therefore the hierarchical star configuration is near-optimal for normal traffic (and pretty much all of the stuff that they claim they want to censor).

From EALLENSMITH at ocelot.rutgers.edu Mon May 6 21:56:18 1996
From: EALLENSMITH at ocelot.rutgers.edu (E.
ALLEN SMITH) Date: Tue, 7 May 1996 12:56:18 +0800 Subject: Internet telephony report Message-ID: <01I4DX1OFOLG8Y583T@mbcl.rutgers.edu> While they _probably_ aren't going to start trying to charge for Internet phone service, the FCC still thinks it should be able to regulate the Internet - with the egalitarian excuse of equal access as among the reasons. Hmph... bureaucracy. -Allen From: IN%"rre at weber.ucsd.edu" 6-MAY-1996 03:21:47.24 From: Phil Agre =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help at weber.ucsd.edu =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: Tue, 30 Apr 1996 From: "Craig A. Johnson" To: "Multiple recipients of list cyber-rights at cpsr.org" Subject: cr> Regulating the Internet It is highly recommended that those who are concerned about the coming communications regulatory regime read the FCC's recent NPRMs on "universal service" and "interconnection." --caj @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ANALYSIS: FREE NET TELEPHONY + by Craig A. Johnson American Reporter Correspondent Washington 4/29/96 net-regulation 1023/$10.23 THE REGULATORS MEET THE INTERNET by Craig A. Johnson American Reporter Correspondent WASHINGTON -- Fears of Rambo-like regulation have spawned a sort of spring fever in the online world, with presumptive alarms and bulletins ricocheting all over the Net. Will the Federal Communications Commission (FCC) choke the Internet's wide-open pathways with regulatory underbrush? 
Will the petition filed by the Americas' Carriers Telecommunications Association (ACTA) on March 4 be granted, stopping Internet telephony or mandating access charges? (AR, No. 245 ) Or, even more catastrophically, will the Net somehow be swept under the FCC regime for telecommunications carriers? The answers, according to sources both inside and outside of the FCC, for the time being, are a qualified no. On April 19, the FCC gave its tentative response on the Net telephony problem, partially assuaging worries that new regulations will require access charges and tariffing for long distance voice over the Internet. Although the soft no from the FCC was reassuring, the wall protecting Internet voice as an "information service" has scores of cracks and may still crumble under the blows of a regulatory hammer. The issue was addressed in the FCC's Notice of Proposed Rulemaking (NPRM) on "interconnection," or more formally, "implementation of the local competition provisions in the Telecommunications Act of 1996." The NPRM is as interesting for what it does not say as for what it does. Generally, it poses a lot of questions, on which parties will file comments, and on the basis of which the FCC will finalize rules in August. The agency sees the proceeding and the consequent rules as establishing "the 'new regulatory paradigm' that is essential to achieving Congress' policy goals." The visible fractures in the old regulatory regime stood out prominently in the interconnection notice. Two aspects of the proceeding, in particular, directly relate to Internet access and pricing regimes. First, the FCC made it clear that current access charges and interconnection regulations are "enforceable until they are superseded." 
The FCC said, in regulatory-ese, that it wanted comments on "any aspect of this Notice that may affect existing 'equal access and nondiscriminatory interconnection restrictions and obligations (including receipt of compensation).'" Translated, this means that Net telephone providers and users can breathe a little more easily for the time being. But, the call for comments on the existing "restrictions and guidelines" should not be taken for granted. It is precisely these regulations -- which exempt "enhanced service" providers, like Internet and online service providers from paying access charges for their usage of the facilities and network components of local exchange carriers (LECs) -- which are on the table in this proceeding and related ones. A second aspect of the interconnection proceeding relates directly to definitions. The Commission asks for comment "on which carriers are included under" the definition of "telecommunications carriers" offered in the Telecommunications Act of 1996. Critically, the agency asks: "How does the provision of an information service [as conventionally defined in the law and prior regulations], in addition to an unrelated telecommunications service, affect the status of a carrier as a 'telecommunications carrier?'" This is a call for commenters to address the issue of whether "information service providers," such as ISPs, who also provide "telecommunications services," should be treated as "telecommunications carriers" and therefore be subject to all, some, or none of the requirements of common carriers, including the payment of access charges and the filing of tariffs. In practical terms the FCC is asking the online community to persuade them that ISPs who permit Internet audio streaming applications, such as long distance voice, should not be considered under the same rules applying to "telecommunications providers." 
The FCC emphasizes that the interconnection rulemaking "is one of a number of interrelated proceedings," and explains that the answer to how, in which ways, and to what extent the Internet will be regulated will be a product of "the interrelationship between this proceeding, our recently initiated proceeding to implement the comprehensive universal service provisions of the 1996 Act and our upcoming proceeding to reform our Part 69 access charge rules."

This should be seen as a warning flag that issues concerning access charges for the Internet have yet to be even taken up by the Commission, and will be one of the outcomes of several complex proceedings, with public comments invited from all consumer and business interests.

The FCC NPRM and order establishing the joint federal-state universal service board, issued on March 8, for example, emphasizes the provision in the Telecommunications Act of 1996 which stipulates that "[a]ccess to advanced telecommunications and information services should be provided in all regions of the country."

The FCC says that "commenters may wish to discuss Internet access availability, data transmission capability, ... enhanced services, and broadband services." In both this and the interconnection notices, the agency emphasizes its statutory authority to regulate the Internet.

The news so far is relatively positive. The FCC claims it doesn't want to prematurely slap regulations on the Net which may stunt its remarkable growth and vitality. But the handwriting is on the wall -- in several different hands and scrawled over cracks.

Arguments for Internet volume-based or per-packet pricing will surely surface in comments in the FCC proceedings. The old argument for the "modem tax," which says that data bits should be priced differently than voice bits, will likely rear its scarred head.

Internet access is on the charts and in the dockets at the Commission.
It should have the same pride of place for all Internet activists and user group communities. The FCC is asking the Internet and computer user and business communities to wake up to an emergent regulatory regime in which the old comfortable dualities such as "information services" and "telecommunications services" -- which in the past have insulated the Internet from regulation -- may not be easily parsed. In short, the agency is begging for help in drafting the cyber-roadmaps for the future. (Note: Both the universal service NPRM and order and the interconnection NPRM can be accessed via the FCC's Web page -- http://www.fcc.gov. Many of the comments for the universal service proceedings are also now available at the site.) -30- (Craig Johnson writes on cyber rights issues for WIRED.) The American Reporter "The Internet Daily Newspaper" Copyright 1995 Joe Shea, The American Reporter All Rights Reserved The American Reporter is published daily at 1812 Ivar Ave., No. 5, Hollywood, CA 90028 Tel. (213)467-0616, by members of the Society of Professional Journalists (SPJ) Internet discussion list. It has no affiliation with the SPJ. Articles may be submitted by email to joeshea at netcom.com. Subscriptions: Reader: $10.00 per month ($100 per year) and $.01 per word to republish stories, or Professional: $125.00 per week for the re-use of all American Reporter stories. We are reporter-owned. URL: http://www.newshare.com/Reporter/today.html Archives: http://www.newshare.com/Reporter/archives/ For more info on AR: http://oz.net/~susanh/arbook.html @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ~ CYBER-RIGHTS ~ ~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~-~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=- Visit The Cyber-Rights Library, accessible via FTP or WWW at: ftp://www.cpsr.org/cpsr/nii/cyber-rights/Library/ http://www.cpsr.org/cpsr/nii/cyber-rights/Library/ You are encouraged to forward and cross-post list traffic, pursuant to any contained copyright & redistribution restrictions. 
~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~-~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-

From vznuri at netcom.com Mon May 6 22:11:09 1996
From: vznuri at netcom.com (Vladimir Z. Nuri)
Date: Tue, 7 May 1996 13:11:09 +0800
Subject: misunderstandings of PICS
In-Reply-To: <01I4BHSBIAK08Y53GG@mbcl.rutgers.edu>
Message-ID: <199605061948.MAA15630@netcom3.netcom.com>

EAS
> The instructions in question, at
>http://www.safesurf.com/cyberangels/#look, are for their "volunteers" to report
>- including to both the page's ISP and to government - any page with sexual
>content that doesn't have a PICS such that it can be censored. In other words,
>they want to try to kick off systems - including potentially via legal action
>such as nonsense like "corrupting a minor" or whatever - any pages that don't
>set themselves up to be censored. That would include by government such as
>China, as well as by fundamentalist parents.

but you still don't understand what I stated. the above does not make any sense relative to the PICS system. it would be like saying, "we are going to report anyone who doesn't have a SMTP that bans dirty email". SMTP does not ban dirty email by definition. PICS does not censor material by definition.

please read the PICS proposal (sorry the URL is not handy, could someone post it?) the CyberAngels and you clearly do not understand how PICS works, even after I tried to explain what point you do not grasp that is inherent to its design. notice that you are propagating the lack of knowledge through your own message, demonstrating nicely how a little knowledge is a dangerous thing (it seems that ignorance spreads as easily or more easily than knowledge does).

PICS *doesn't*involve*the*page*designer*. this is an absolutely key component of its design. it exists independent of page creators. if page creators are suddenly being pressured to format their pages in some way, then PICS has failed in some of its key design goals.
there are some *optional* ways that page designers can invoke PICS principles as I understand, but they make no sense to me. (it would be equivalent to someone rating their own material, something I think is going to be far from the main use of ratings in the future) the basic design of early versions of PICS is the following: rating servers rate *URLS*. whenever someone wants to grab a URL, if they have installed software such as SurfWatch, that software can query the rating server for any ratings on that URL and decide to display or reject display of the page accordingly. these ratings may be made by different organizations. they may be contradictory. this is a basic part of the design of PICS. notice again this basic distinction between *mandatory rating capability* and *mandatory rating compliance*. (sorry can't think of a better term). PICS does not require the page designer to do anything, yet it still allows the rating of their information by third parties. in a sense, the concept of mandatory rating capability (such that the cyberangels seem to be talking about makes no sense relative to PICS. it already allows anything to be rated through no action or inaction of anyone. the concept of "mandatory" does not apply to anything within PICS relative to *content* of pages. the only thing that is mandatory with PICS is that rating servers follow the standards for formatting the ratings. but anything can be contained in those ratings. the market will decide. please try to understand the difference between the two things below: 1. everything in cyberspace must have the capability of being rated. 2. everything in cyberspace must be rated by government agency X, and no pages are allowed to be transferred that do not have acceptable ratings. the second is censorship. the first is free choice. the first is what PICS aims for. notice it accomplishes this through absolutely no action on the part of page designers. 
by the fact that they have a URL, the PICS standard uses that URL as a reference. perhaps you could do a public service to the CyberAngels to help them understand what PICS is and why they don't seem to understand its basic concepts. please, I hope that people can begin to see why PICS is *not* a censorship standard, and that it could actually be a powerful weapon in forestalling *real* censorship attempts, which always involve restrictions in actual communication not at the choice of (i.e. outside the control of) the *recipient* of that information. From EALLENSMITH at ocelot.Rutgers.EDU Mon May 6 22:16:38 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Tue, 7 May 1996 13:16:38 +0800 Subject: PICS required by laws Message-ID: <01I4E5BWF1628Y583T@mbcl.rutgers.edu> From: IN%"sjb at universe.digex.net" "Scott Brickner" 6-MAY-1996 14:23:50.08 >The problem is that it requires the cooperation of both of your ISPs. >You'll never receive packets to route from either of them unless you >have some sort of contract in place. In the scenario I outlined, the >"common carrier" status of the ISPs is contingent on their following >the censorship protocol, so their contract will require that you, too, >follow it. How difficult would it be to set up a router protocol to automatically select any from a series of other routers that announced itself willing (for a certain amount of ecash, perhaps)? I had thought that this was pretty close to the case in any event, for small networks anyway - and connections between small networks can interconnect into one large network. >Even in the face of a "digital silk road", this isn't likely to >change. The cost of operating a router is proportional to the number >of connections it has. The vast majority of traffic doesn't have >stringent enough delay requirements that it'll be willing to pay the >additional cost of going through a very highly connected router. 
>Therefore the hierarchical star configuration is near-optimal for >normal traffic (and pretty much all of the stuff that they claim they >want to censor). Directly proportional? I'd think there would have to be somewhat of a fixed cost involved. The question is whether the fixed cost (including the cost of a router to handle the ever-increasing bandwidth) is dropping faster than the cost of the number of connections. And your "normal traffic" doesn't seem to be including Internet Phone, which I can see being a major source of bandwidth in the future. -Allen From vznuri at netcom.com Mon May 6 22:17:52 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Tue, 7 May 1996 13:17:52 +0800 Subject: PICS: cyberratings, not censorship Message-ID: <199605062039.NAA20150@netcom2.netcom.com> some more information on PICS for the interested. I am a strong advocate of this system because even though it involves ratings, I see it as expressly and vehemently anti-censorship. this will be difficult to understand for some people who equate ratings with censorship, and it will require some major education to help people see why this is not the case with PICS (platform independent content selection). why is PICS *not* censorship? because of its key design goals: 1) people are free to choose what ratings they use. whoever sets up the system decides. i.e. parents might pick a particular rating agency for their family. people might even use a combination of ratings. i.e. weigh the Christian Zealots 50%, and the People for the Improvement of Cyberspace 50%, etc 2) ratings are not merely for blacking out pages. 
they can be for finding "neat" pages (Point Communications 5%, etc), or "child friendly" or whatever 3) ratings can be created by anyone, including gov't agencies, individuals, foreign governments, religious fanatics, etc., and moreover they can be in any form whatsoever, they are merely seen as information-- the market will decide which ones are useful and which ones are worthless, and whether to create standards in various specific categories. regarding the CyberAngels, I think it would be an excellent project to have them while away their lifetimes going through the web and applying their official "cyberangel rating" to every page they encounter. it would be a valuable public service, and they'd probably get a real kick out of it (hmmm, perhaps "control-freak-ecstasy"?). it gives them a chance to put their brains and hands where their mouths are, so to speak. next time you hear someone rant about pornography in cyberspace, or censorship, or whatever, (whether it is Gore's wife or some nobody on an obscure mailing list), tell them to set up their own PICS rating service and shut up. if you hear someone whine that no one is listening to their rating service or using their ratings, tell them that it's an excellent existence proof that no one truly cares what they think, and for them to jam it down anyone's throat (via legislation or whatever) only proves how manipulative, desperate, and out-of-touch-with-reality they are. truly, I hope that some day the universal and accepted response to seeing something you don't like on the internet will be to start or join a rating service, and NOT to try to pass a bill in congress that attempts to regulate cyberspace (@#$%^&*). will there ever be a day in the future in which, e.g., the Iranian governments of the world decide to start a Moslem Cyberspace Blacklisting Service instead of the less-efficient and less-effective method of Lucrative Blasphemer Assassination Grants? help support this proposal and perhaps it will happen. 
------- Forwarded Message Date: Mon, 06 May 1996 10:54:56 -0400 To: pics-info at ... From: Paul Resnick Subject: vac-wg Announcing PICS 1.1! Version 1.1 of the PICS technical specifications are now available from the PICS web page (http://w3.org/PICS). The direct URLs for the two documents are: http://www.w3.org/pub/WWW/PICS/services.html http://www.w3.org/pub/WWW/PICS/labels.html We plan to submit them as informational RFCs in the near future. These documents are now frozen. If significant new features are specified in the future, there will be a higher version number. Three cheers! - ------------------------------------------------------------ Paul Resnick AT&T Research Public Policy Research Room 2C-430B 908-582-5370 (voice) 600 Mountain Avenue 908-582-4113 (fax) P.O. Box 636 Murray Hill, NJ 07974-0636 From EALLENSMITH at ocelot.Rutgers.EDU Mon May 6 22:19:09 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Tue, 7 May 1996 13:19:09 +0800 Subject: misunderstandings of PICS Message-ID: <01I4E4S4ZWSE8Y583T@mbcl.rutgers.edu> From: IN%"vznuri at netcom.com" "Vladimir Z. Nuri" 6-MAY-1996 15:47:46.22 >but you still don't understand what I stated. the above does not make >any sense relative to the PICS system. it would be like saying, "we >are going to report anyone who doesn't have a SMTP that bans dirty >email". SMTP does not ban dirty email by definition. PICS does not >censor material by definition. please read the PICS proposal (sorry the >URL is not handy, could someone post it?) See below; I had read this _before_ posting on the CyberAngels and PICS. >PICS *doesn't*involve*the*page*designer*. this is an absolutely >key component of its design. it exists independent of page creators. >if page creators are suddenly being pressured to format their >pages in some way, then PICS has failed in some of its key design >goals. there are some *optional* ways that page designers can invoke >PICS principles as I understand, but they make no sense to me. 
(it >would be equivalent to someone rating their own material, something >I think is going to be far from the main use of ratings in the future) From: IN%"frantz at netcom.com" 16-APR-1996 20:19:13.88 >From http://www.w3.org/pub/WWW/PICS/iacwc.htm >... PICS specifies three ways to distribute labels. The first is to embed >labels in HTML documents. This method will be helpful for those who wish to >label content they have created. > >The second method is for a client to ask an http server to send labels along >with the documents it requests. The server would most likely offer the >publishers' labels, but a server could also redistribute labels from third >parties that it cooperates with. [Client sends URL of label service to browser >which responds with that service's label. bf] > >The third way to distribute labels is through a label bureau that dispenses >only labels. A bureau could distribute labels created by one or more labeling >services. A client asks the bureau for certain services' labels of specific >resources. This is most likely to be used for third-party labels. In other words, the CyberAngels want to eliminate any pages that contain material they think minors shouldn't see that aren't self-rated with a PICS self-rating (the first of the three types) intended to block minors from seeing it. Yes, this is an abuse of the market oriented variety of PICS; they obviously don't know and/or don't care. If you want to convince them otherwise, start cc:ing your messages (and forwarding mine, on this I give you permission) on PICS and the CyberAngels to angels at wavenet.com. Incidentally, their pressure (especially the legal variety - acting as informants) could also include against an ISP that doesn't do the second for material the CyberAngels don't like. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Mon May 6 22:40:04 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. 
ALLEN SMITH) Date: Tue, 7 May 1996 13:40:04 +0800 Subject: Edited Edupage, 5 May 1996 Message-ID: <01I4E5FJVT688Y583T@mbcl.rutgers.edu> From: IN%"educom at elanor.oit.unc.edu" 6-MAY-1996 14:32:36.01 >EU TAKES A CLOSER LOOK AT THE INTERNET >European Union culture and telecommunications ministers met last week to >discuss ways of controlling access to the Internet to prevent criminal >activity and protect children. "Many member states perceive the need now >for some discipline, some kind of regulatory framework or code of ethics," >says the Italian telecommunications minister. Some European governments, >such as Germany and Great Britain, have already adopted Internet-related >laws and others are considering it. (Wall Street Journal 3 May 96 B5B) We've heard a lot on the German one. What's the Great Britain one look like? >CANADIAN SATELLITES TARGETED >The race into space with direct broadcast satellite TV has created a >regulatory black hole that the U.S. government is struggling to fill. A >plan by Telesat Canada to finance its $1.6-billion satellite program by >leasing capacity to American broadcasters has prompted the Federal >Communications Commission to hold special hearings in Washington to >investigate whether it can regulate the use of Canadian satellites. >(Toronto Financial Post 4 May 96 p1) Of course they're going to try to control it. -Allen >*************************************************************** >Edupage ... is what you've just finished reading. To subscribe to Edupage: >send mail to: listproc at educom.unc.edu with the message: subscribe edupage >Smokey Robinson (if your name is Smokey Robinson; otherwise, substitute >your own name). ... To cancel, send a message to: listproc at educom.unc.edu >with the message: unsubscribe edupage. (If you have subscription problems, >send mail to educom at educom.unc.edu.) From EALLENSMITH at ocelot.Rutgers.EDU Mon May 6 22:42:22 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. 
ALLEN SMITH) Date: Tue, 7 May 1996 13:42:22 +0800 Subject: A MODEST PROPOSAL (fwd) Message-ID: <01I4E2XUW8RC8Y583T@mbcl.rutgers.edu> From: IN%"stewarts at ix.netcom.com" "Bill Stewart" 5-MAY-1996 03:53:29.33 >I think that's user-settable, but there is no ideal approach. I certainly hope it's user-settable, and settable by each mailing list. >The big advantage is that replies go to the original sender by default >rather than to the list (which reduces the amount of personal mail going >to the list, winning both on noise-reduction and embarrassment-reduction); That's what I suspected the reason was. Sort of like having mail instead of post as a default in USENET. >the disadvantage is that bouncemail goes to the original sender, rather >than the list or the list-manager (bouncemail to the sender is annoying, >but minor; bouncemail to the list is extremely annoying, as well as >potentially causing mail loops, which are an extreme lossage. Bouncemail >to the list-manager is ideal (not that the list-manager usually reads it), >but it's hard to get without reducing replies directly to originators, >as well as increasing replies accidentally going to the list-manager. I've been looking into procmail as a mail filtering mechanism for a list. It appears possible to handle at least some of the bouncemail via sending it to the list-manager (looking for things like priority: list/bulk/junk, for instance). Any further suggestions? Incidentally, I've been having problems locating the list-manager guides for majordomo; yes, I've tried Alta Vista. All I seem to be able to locate are A. the guides for users - not much use; and B. the FAQ. Sameer? -Allen From jleonard at divcom.umop-ap.com Mon May 6 22:56:13 1996 From: jleonard at divcom.umop-ap.com (Jon Leonard) Date: Tue, 7 May 1996 13:56:13 +0800 Subject: Why I Pay Too Much in Taxes In-Reply-To: <199605061419.HAA02540@dns2.noc.best.net> Message-ID: <9605062040.AA18344@divcom.umop-ap.com> James A. 
Donald wrote: > At 11:16 PM 5/5/96 -0700, Sandy Sandfort wrote: > >On Sun, 5 May 1996, Alan Horowitz wrote: > >> didn't the feudal vassals only pay 33% ? > > > >Actually, no. When I used to edit a magazine, I commissioned an > >article about how much "tax" slaves, serfs, etc. paid. That is, > >how much of what they produced, did they get to keep; how much > >went to their masters. The surprising, cross-cultural answer my > >researcher/writer found was that they got to keep everything they > >produced except 5-10%. That's a lot better, percentage-wise, > >than for modern "tax slaves." > > In the early feudal period, ordinary knights did not live well. > They were only moderately better off than peasants, and yet to support one > knight, you needed a startlingly large number of peasants, a fact > that kings were continually unhappy about and continually trying > to fix. > > While it is difficult to assess the tax rate, because taxes were > in kind, it was clearly very low by modern standards. Things are sufficiently different that such a comparison might not be meaningful anyway. For example, subtracting subsistence level food, and then figuring tax rates would give a different answer. The amount of work it takes to provide basic needs now is clearly very low by historical standards. Government is big by historical standards. I'll object to only one of those. Jon Leonard From EALLENSMITH at ocelot.Rutgers.EDU Mon May 6 22:58:31 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Tue, 7 May 1996 13:58:31 +0800 Subject: More on spectrum allocation Message-ID: <01I4E3Q7ZPT88Y583T@mbcl.rutgers.edu> I'm not sure how much our emphasis on individuals will go along with Phil Agre's (and CPSR's, of which he's a prominent member) emphasis on communities. 
-Allen From: IN%"rre at weber.ucsd.edu" 30-APR-1996 01:47:55.85 From: Phil Agre [The Apple proposal to the FCC is an important initiative for community networking, and may set a precedent for much more dramatic restructuring of telecommunications infrastructure in the future.] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help at weber.ucsd.edu =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: Fri, 26 Apr 1996 16:24:44 -0400 From: Heather Boyles To: Multiple recipients of list Subject: FARNET's Washington Update FARNET's Washington Update --- April 26, 1996 IN THIS ISSUE: o 1996 Appropriations stalemate finally ends while FY97 appropriations round heats up o FCC proposes free spectrum for community networking ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^ 1996 APPROPRIATIONS STALEMATE FINALLY ENDS WHILE FY97 APPROPRIATIONS ROUND HEATS UP After months of negotiations and two partial government shutdowns, the President and the Republican Congress finally came to agreement this week on an omnibus spending bill for the remaining five months of FY96. The bill includes appropriations for the NSF and Commerce among several other agencies. At the same time, authorization and appropriations bills are being worked through committees in the House for FY97 which begins on Oct. 1. The final FY96 budget for NSF came to $3.22B --- $40M above what the House and Senate had previously agreed upon this year. 
However, this week also saw the House Science Committee authorize NSF spending for FY97 at only $3.25B, a $75M cut from NSF's $3.325 request, which would give NSF less than a 1% raise over FY96. NSF has generally fared well amidst Republican (specifically House Science Committee Chair Robert Walker (PA)) efforts to cut science spending for all but what they define as "basic science." Democrats protested that the omnibus science authorization bill passed out of the committee this week was done too hastily, bypassing subcommittees for a one-day full committee session. Ranking Science Committee member George Brown (D-CA) complained that, among other things, "The Republican bill would eliminate the Social Science directorate....[and make] arbitrary personnel cuts at the National Science Foundation." The Commerce Department's TIIAP (Information Infrastructure Grants) program scraped by with an (anticipated) $21.5M for FY96. FCC PROPOSES FREE SPECTRUM FOR COMMUNITY NETWORKING Apple's NII Band petition which was filed almost a year ago at the FCC will finally see some action there. The FCC today released a Notice of Proposed Rulemaking that proposes to make 350 megahertz of spectrum available for use by unlicensed equipment termed "NII/SUPERNet" devices. The Commission voted 4-0 to release the proposal. The proposal comes after Apple Computer petitioned the FCC last year to create a "NII Band" that would permit high-speed data communications available to anyone without licensing or air-time charges. The FCC's NPRM would make spectrum from 5.25-5.35 GHz and 5.725-5.875 GHz available to devices that would fall under Part 15 of FCC rules, mandating only minimum technical standards and a basic "listen-before-talk" protocol standard. The FCC would also place power and out-of-band emissions limits on the devices, thus allowing only short-range (probably indoor or within campus) networking. 
The Apple petition last year advocated allowing users to use the devices for long-range (community-based with particular emphasis on rural areas) communications. A rival group called the WINForum (made up of a number of telecommunications companies) balked at the idea of long-range use of the spectrum (which might cut into their businesses). Apple's long-range proposal may not be dead yet though. Commissioner Ness, in a separate statement on the NPRM, said she was "intrigued by the Apple long-haul proposal, which contemplates low-cost broadband links from homes to schools and libraries," but pointed to a number of questions that would need to be resolved before the Commission could proceed with such a proposal. The FCC clearly sees this proposal as an effort to help fulfill the President's promise to connect every school in the country to the "information superhighway." The NII/SUPERNet proposal is aimed at helping schools and other institutions do that without having to go to the expense of wiring entire buildings. Furthermore, the proposal may help take the wind out of the sails of those who have recently been pressuring the FCC to include inside wiring of schools in the universal service mechanism for schools and libraries - the Snowe-Rockefeller-Kerry provisions from the new telecom law. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Written from FARNET's Washington office, "FARNET's Washington Update" is a service to FARNET members and other interested subscribers. We gratefully acknowledge EDUCOM's NTTF and the Coalition for Networked Information for additional support. If you would like more information about the Update or would like to offer comments or suggestions, please contact Heather Boyles at heather at farnet.org. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< Heather Boyles Director, Policy and Special Projects phone: (202) 331-5342 FARNET, Inc. 
fax: (202) 872-4318 1112 16th Street, NW Suite 600 email: heather at farnet.org Washington, DC 20036 web: http://www.farnet.org -- Stanton McCandlish


mech at eff.org
Electronic Frontier Foundation

Online Activist From EALLENSMITH at ocelot.Rutgers.EDU Mon May 6 23:04:37 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Tue, 7 May 1996 14:04:37 +0800 Subject: PGP, Inc. Message-ID: <01I4E39N3LA28Y583T@mbcl.rutgers.edu> From: IN%"raph at cs.berkeley.edu" "Raph Levien" 5-MAY-1996 13:47:16.83 > "Observers say SMIME's capabilities will let it replace software > based on the PGP code, which is widely used. Unlike SMIME, which uses > a structured certificate hierarchy, PGP relies on pre-certification > of clients and servers for authentication, a limitation SMIME doesn't > face." Can one use a web-of-trust for S/MIME, for the cases when a structured hierarchy is exactly the _wrong_ thing to use? I'd think so, but I don't know anything about it. > Thus, it's a reasonable guess that almost all S/MIME messages that >pass through the wires will offer "virtually no protection," to quote a >phrase from a paper co-authored by the principal designer of S/MIME's >encryption algorithms >(http://www.bsa.org/policy/encryption/cryptographers.html). A public breaking of some S/MIME messages would work to discourage this unsafe mechanism. One wonders if PGP Inc. could sponsor some variety of contest? -Allen From EALLENSMITH at ocelot.Rutgers.EDU Mon May 6 23:06:56 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Tue, 7 May 1996 14:06:56 +0800 Subject: More on Internet connections Message-ID: <01I4E4CDI28M8Y583T@mbcl.rutgers.edu> From: IN%"rre at weber.ucsd.edu" 6-MAY-1996 01:36:44.84 From: Phil Agre Subject: Options for Internet and Broadband Access =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. 
For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help at weber.ucsd.edu =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: Fri, 3 May 1996 10:05:08 EST From: Tim Leshan To: IIPLIST at ksgrsch.harvard.edu Subject: Announcement and Call for Participation Freedom Forum Harvard Information Infrastructure Project National Economic Council U.S. Department of Energy "THE FIRST 100 FEET" OPTIONS FOR INTERNET AND BROADBAND ACCESS October 29-30, 1996 The Freedom Forum Arlington, Virginia Announcement and Call for Participation This conference looks at options for Internet and broadband access from the perspective of home owners, apartment complexes, and small businesses. It will evaluate opportunities and obstacles for "bottom-up" infrastructure development and the implications for traditional and alternative providers at the neighborhood, regional, and national levels. We are seeking original analysis, position papers, and background material for use in the conference program, on the project website, and in a book to be published in early 1997. The conference challenges business and policymakers to rethink fundamental issues in telecommunications policy by recasting the "problem of the last 100 feet" as "opportunities for the first 100 feet." This paradigm shift suggests consumer/property owner investment as an answer to the dilemma of whether there should be one or two wires into the home. The conference will survey alternative options for local connection to the Internet from the perspective of homeowners with high-end needs for data communications, apartment owners, small businesses, and others with an interest in investing in end-user equipment and real estate. 
It will consider prospects for broadly distributed infrastructure investment and potential roles for utility companies, special assessment districts, municipalities, PCS providers, CAPs, IXCs, LMDS operators, and Internet access providers, as well as telcos and cable companies. It will consider strategies and policies for local interconnection and interoperability among Internet access providers. The conference will investigate constraints on and incentives for user infrastructure investment at federal, state, and local levels; whether and how trenching, conduit, and right-of-ways should be unbundled to promote consumer/property owner investment and competition among heterogeneous providers; and the need for and feasibility of interconnection at third-party or publicly maintained neighborhood access points. It will look at synergy with other policy goals and economic interests, such as intelligent transportation systems (ITS) and energy demand management. Finally, in assessing user investment as a driver for two-way broadband, it asks how scenarios for Internet access will affect broadband scenarios by stimulating demand for high-bandwidth connectivity. Rationale The growth of the Internet has been propelled in significant part by user investments in infrastructure: computers, internal wiring, and the connection (dial-up line, leased line, microwave link) to the Internet service provider. This "bottom-up" investment minimizes the investment burden facing service providers, since customers share the cost of the infrastructure and providers have no obligation to develop the infrastructure out to all potential users. Barriers to entry for service providers are low, and users retain flexibility in choosing among providers. The rapidly growing mass of Internet users, applications, and resources is now shaping demand for underlying infrastructure, so that plans for new infrastructure are driven increasingly by data rather than voice and video. 
There are opportunities to attract new customers instead of competing head-on for old ones. Unlike voice and video, there are incremental upgrade paths for data users and demand for upgraded access is readily stimulated by experience. Higher bandwidth connections are desired by a wide spectrum of users, from those who work at home to recreational users of the World Wide Web. The value of continuous, rather than dial-up connection to the Internet, is less widely appreciated because it is a qualitative improvement. Continuous connectivity (which can be provided by unswitched technologies) obviates tying up a telephone line, enables instant delivery of email and other time-sensitive information, and allows small businesses to advertise and publish directly to the net. Most importantly, it can enable real-time energy management with attendant cost savings that can support major infrastructure investment, which the advent of residential "wheeling" may induce consumers to make on their own. A personal computer or an inexpensive router could serve as a gateway extending Internet functions to other computers in the home, manage utility demand, operate security systems, and control any lights, sound equipment, and other household appliances. As telecommunications and electric utilities are deregulated, investment decisions will devolve into the hands of consumers, where they can be made with greater knowledge of particular benefits and tradeoffs. At the same time, new technologies, such as wireless and data transmission over power lines, will increase consumer options. There may be a variety of options for configuring "the last mile," with different balances between user-provided and centrally provided facilities. Homeowners and small businesses may have opportunities to connect to different suppliers at the curb, on the roof, on the side of the house, or somewhere in between. 
The early government role and subsequent commercial practices have facilitated interconnection of Internet service providers, but the limited choices at the local level -- the "last mile" as well as the "last 100 feet" -- may make interconnection an issue. At present, many local Internet access providers do not interconnect directly and traffic is sometimes routed to one of the few national exchange points hundreds of miles away. Opportunities for interconnection, along with policies on access, may determine whether intermediary transport providers, such as utility companies, emerge to link homeowner facilities at the curb with high-bandwidth Internet service providers. This analysis of "the first hundred feet" recognizes that need and demand will naturally vary greatly from home to home and from neighborhood to neighborhood. Much depends on whether there are business or telecommuting needs that can be met by individual investments in upgraded access. While this analysis looks to the Internet, it raises the issue of how the bottom-up model will affect the traditional model of a centrally provided universal service. Given basic technology that is non-proprietary and virtually commoditized, some argue that Internet service is becoming the common denominator platform on which all other services can be carried. The absence of service class priority has hampered use of real-time voice and video on the Internet, but this will soon change with the implementation of protocols that allow bandwidth reservation and packet-level service priority (RSVP and IPv6). **** We encourage submission of position papers as well as independent analysis. It is expected that papers will be posted for review and revised promptly after the conference for non-exclusive publication. (The book will be part of the Harvard Information Infrastructure Project series published by MIT Press.) To ensure consideration for the program, please submit abstracts or outlines by June 20, 1996. 
Please direct submissions and requests for future mailings to: Tim Leshan Coordinator, Information Infrastructure Project Kennedy School of Government, Harvard University 79 JFK Street Cambridge, MA 02138 617-496-1389; Fax: 617-495-5776 leshan at ksgrsch.harvard.edu For additional information and updates see http://ksgwww.harvard.edu/iip/first.html Tim Leshan IIP Project Coordinator http://ksgwww.harvard.edu/iip/ From rishab at dxm.org Mon May 6 23:07:08 1996 From: rishab at dxm.org (Rishab Aiyer Ghosh) Date: Tue, 7 May 1996 14:07:08 +0800 Subject: New Internet peer-reviewed journal released Message-ID: <199605062013.NAA24470@nic.cerf.net> New Internet Journal Released Paris, France, 1996 May 6: Coinciding with the opening of the International World Wide Web Conference, a new journal dedicated to the Internet was released today by Munksgaard International Publishers. The journal is called "First Monday" and it is a peer-reviewed, electronic journal dedicated to the Internet, and only available on the Internet. It is the first electronic journal from Munksgaard, publishers of over seventy scientific journals in dentistry, medicine, and other fields. "First Monday" will appear on the first Monday of each month. Each issue will contain five to six full-length articles, plus regular features such as interviews and reviews. The inaugural May issue contains articles by notable specialists such as David Johnson and David Post, co-directors of the Cyberspace Law Institute, and John Seely Brown, vice-president and chief scientist of Xerox Corporation and director of Xerox Palo Alto Research Center. The journal is available at http://www.firstmonday.dk The editorial team of "First Monday" is widely experienced in computing, telecommunications, and the Internet. Chief and Managing Editor is Edward J. Valauskas, author and editor of several widely recognized books on computing and the Internet, including "Internet Troubleshooter" and "Internet Initiative." 
He is joined by Esther Dyson as Consulting Editor and Rishab Aiyer Ghosh as International Editor. Esther Dyson is president of EDventure Holdings in New York City and chairperson of the Electronic Frontier Foundation. Rishab Ghosh, based in New Delhi, is editor and publisher of the Indian Techonomist, a newsletter on India's information industry. The editorial board of "First Monday" includes Vinton G. Cerf, founding President of the Internet Society and is currently Senior Vice-President at MCI; Ed Krol of the University of Illinois, author of several books including the highly popular "The Whole Internet User's Guide & Catalog"; Bonnie Nardi of Apple Computer, author of the book "A Small Matter of Programming" and editor of "Context and Consciousness"; Rich Wiggins of Michigan State University, author of "The Internet for Everyone"; Tony Durham, Multimedia Editor of the Times Higher Education Supplement in London and a member of the team which has developed THESIS, the newspaper's Internet service; Ian Peter, consultant in information technology, media and communications policy, based in Australia; and Robert Hettinga, a digital commerce consultant in Boston. "First Monday" publishes articles on the Internet and the Global Information Infrastructure. It follows the political and regulatory regimes affecting the Internet, and examines economic, technical and social aspects of the use of the Internet on a global scale. There will also be reports on the use of the Internet in specific communities, the development of Internet software and hardware, and the content of the Internet. "First Monday" was released today on diskette, distributed at the International World Wide Web Conference in Paris, and on the First Monday Internet server at http://www.firstmonday.dk. In the future it will appear in three formats: as an electronic mail posting to subscribers; on the World Wide Web; and as an annual CD-ROM archiving all articles that have appeared in "First Monday." 
Munksgaard was founded in 1917. Over the years Munksgaard has expanded to become a publishing house that is internationally recognized for its scientific journals devoted to servicing the international scientific and scholarly communities. Editorial Office: Editor-in-Chief: Edward J. Valauskas (valauskas at firstmonday.dk) First Monday is published monthly by: Munksgaard International Publishers Nørre Søgade 35, P.O. Box 2148 DK-1016 Copenhagen K Denmark e-mail: publishers at firstmonday.dk From vitamin at best.com Mon May 6 23:13:20 1996 From: vitamin at best.com (vit) Date: Tue, 7 May 1996 14:13:20 +0800 Subject: No Subject Message-ID: <199605062154.OAA10770@dns2.noc.best.net> :: Encrypted: PGP -----BEGIN PGP MESSAGE----- Version: 2.6.3 -----END PGP MESSAGE----- From gary at systemics.com Mon May 6 23:14:57 1996 From: gary at systemics.com (Gary Howland) Date: Tue, 7 May 1996 14:14:57 +0800 Subject: Announce: Cryptographic extensions for Perl Message-ID: <199605062209.AAA24372@internal-mail.systemics.com> CRYPTOGRAPHIC EXTENSIONS FOR PERL _________________________________________________________________ DESCRIPTION This library contains a suite of
cryptographic extensions for Perl. Also included are some extensions that have a cryptographic relevance, such as the Compress::Zlib modules, and the TrulyRandom module. These modules have been developed as extensions for performance reasons. Now available for download at http://www.systemics.com/software/ FEATURES All of the following have been implemented as Perl extensions in C: * BigInteger module (based on code from Eric Young). This module implements arbitrary length integers and some associated mathematical functions. * Compress::Zlib module (by Paul Marquess). A Perl interface to Jean-loup Gailly's and Mark Adler's info-zip zlib compression library. * Crypt::DES module (DES implementation by Eric Young). * Crypt::IDEA module. * Crypt::MD5 module (by Neil Winton and Data Security, Inc.) * Crypt::PRSG - Pseudo random sequence generator This module implements a 160 bit LFSR for use in generating pseudo random sequences. * Crypt::SHA module (by Uwe Hollerbach and based on code from NIST and Peter C. Gutmann) * Utils::TrulyRandom module, based on code from Don Mitchell and Matt Blaze (AT&T). This module generates "truly random" numbers, based on interrupt timing discrepancies. COPYRIGHT This library includes (or is derived from) software developed by (and owned by) the following: * Jean-loup Gailly and Mark Adler * Peter C. Gutmann * Uwe Hollerbach * Paul Marquess * Don Mitchell and Matt Blaze (AT&T) * NIST * RSA Data Security, Inc. * Systemics Ltd * Neil Winton * Eric Young Also planned for release: * Cryptographic library for Perl * PGP library for Perl * Cryptographic extensions for Java (native code) * Cryptographic library for Java * PGP library for Java From jimbell at pacifier.com Mon May 6 23:18:25 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 7 May 1996 14:18:25 +0800 Subject: CryptoAnarchy: What's wrong with this picture? Message-ID: At 01:44 PM 5/6/96 EDT, E. ALLEN SMITH wrote: > >On Sun, 28 Apr 1996, jim bell wrote: > >[...] 
> >>While strong cryptography is powerful, and secure communications >>liberating, unplugging the phones would about cripple that 'weapon' for a >>while. Any group rebelling based only on high technology communication is >>an extremely vulnerable group, both to widespread denial of service, and >>more specific 'surgical' attacks. (Motorola stock anyone?) > > Wouldn't that partially depend on: > A. the level of backups - packet radio as a backup for phones, >for instance... a reason I've been forwarding the stuff on radio to here. > B. the necessity to the government of keeping what else may >depend on those phones - the economy - going. > -Allen The attribution above is in error. I didn't type those lines above. Jim Bell jimbell at pacifier.com From frantz at netcom.com Mon May 6 23:19:06 1996 From: frantz at netcom.com (Bill Frantz) Date: Tue, 7 May 1996 14:19:06 +0800 Subject: misunderstandings of PICS Message-ID: <199605062224.PAA08149@netcom8.netcom.com> At 4:40 PM 5/6/96 -0400, E. ALLEN SMITH wrote: >From: IN%"frantz at netcom.com" 16-APR-1996 20:19:13.88 >>From http://www.w3.org/pub/WWW/PICS/iacwc.htm >>The second method is for a client to ask an http server to send labels along >>with the documents it requests. The server would most likely offer the >>publishers' labels, but a server could also redistribute labels from third >>parties that it cooperates with. [Client sends URL of label service to browser >>which responds with that service's label. bf] OBCRYPTO: PICS envisions that ratings distributed by this second method will be digitally signed by the 3rd party rating service. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From reagle at rpcp.mit.edu Mon May 6 23:19:10 1996 From: reagle at rpcp.mit.edu (Joseph M. Reagle Jr.)
Date: Tue, 7 May 1996 14:19:10 +0800 Subject: Georgia Internet Message-ID: <9605061903.AA08069@rpcp.mit.edu> X-within-URL: http://www.clark.net/pub/rothman/ga.htm Needed: a first-rate lawyer who'll fight the Internet Police law in court. Click below on the "How We Can Educate" link for more info on constructive actions. Return to NetWorld! Book | Other Musing on Intellectual Property How We Can Educate Pols, Olympic Boosters and Other Georgians | Links of Interest Contest: Write the Best "Night the Lights Went Out in Georgia" Parody The Internet Police Law: The Day the Sites Went Out in Georgia? David H. Rothman | rothman at clark.net Linking your Web site to anyone else's without permission? Be glad you're not in Georgia--or be worried if you are. Gov. Zell Miller on the morning of April 18 signed into law a piece of imbecility that the Marietta Daily Journal had dubbed the Internet Police bill. House Bill 1630 may prevent Webfolk from linking from their homepages against the wishes of the linkees--at least if the other guys' names or logos are used. Is 1630 a belated April Fool's joke? I've heard of Net-dumb pols, but Georgia has out-Exoned Exon--and maybe even out-Doled Dole. Shari Steele, an attorney with the Electronic Frontier Foundation, wrote Gov. Miller before the signing: "The language of the bill would make it illegal to create a button on our web site with Wired's 'trade name' or 'logo' without first obtaining 'permission or authorization' from Wired magazine." Whoops: oh, please, Wired--don't sue me. Actually that would be the state's job; you see, the law would let Georgia throw your posterior in jail for up to a year. Live out of state? As of this writing it was unclear how much of a danger extradition would pose--maybe none, given the lunacy of the law. Then again, there are rumors that California and other states may replicate Georgia's stupidity. The morning the Guv signed the bill, I dropped by the State of Georgia Home Page.
Under "Search Engines and other Web Services" I saw a link to Yahoo. I'm glad the Georgia folks can use Yahoo from down there, rather than having to start their own. Imagine Yahoo needing permission for every link with a trademarked name. And what about a page displaying the results of a Lycos search? Now that would be fun. Can you imagine the Lycos computer e-mailing every site brought up--asking permission--before it listed Web addresses? I visited Zell Miller's Web area. Without the least irony, a headline read: "Governor Miller's Technology Initiatives Thrive." The page bragged about computers in classrooms. Just don't let the little brats grow up to start Yahoo Kudzu. According to the EFF, the same law might make it illegal even to mention a company's name on the Web without permission. True? Just imagine what this could mean to an online newspaper reviewing another publication's Web site. Already a software company outside Georgia has used existing intellectual property law to bully a reviewer. I've said it once, and I'll say it again: The media are damned fools if they support intellectual property zealotry of the kind we've seen out of Capitol Hill recently. Goodbye, First Amendment. These are national issues, alas, not just problems with the Georgia drinking water. If nothing else, I suspect that the good folks at the AT&T Business Network--the ones who run LeadStory.com, a collection of the day's hottest stories from online newspapers--may have some thoughts on the Georgia bill. To add to the fun, when I dropped by Cox Newspapers' big Web site for the Atlanta Journal-Constitution, I saw a "Surf Less. Know More" ad from LeadStory.com. At the Atlanta site's Net News I just happened to read a report on a trademark infringement suit that BellSouth had filed against an Internet directory called the Real InterNet Pages. Hmmm. Any connections here with the new law?
And simply because BellSouth's print directories use the trademarked phrase "The Real Yellow Pages," is the company entitled to www.realpages.com--the smaller company's existing Web address? The Real InterNet Pages, after all, isn't saying, "www.realyellowpages.com." In any event one would hardly confuse the Real InterNet Pages with BellSouth; the pigmy tells visitors to its home page: "Not Affiliated, Associated or Connected with BellSouth or any BellSouth-related company." Coincidentally or not, the Internet Police bill was introduced by Don Parsons, a Net-innocent employee of BellSouth. According to the Conservative Policy Caucus in the Georgia House: "During floor debate, Rep. Parsons could not explain the concept of a link on a home page. It was clear to many that he had no idea of what the Internet was all about. Supposedly, his desire was to prevent 'misrepresentation' on the Internet. Parsons admitted that he had never been on the Internet, except looking over a colleague's shoulder at work." One can understand, then, why many Netfolks wonder if Parsons' employer has encouraged him to squelch competition at a time when the Baby Bells envision a Web full of Yellow Pages. Bell South vehemently denies a connection between it and the Parsons bill. Whatever the case, however, the legislation would help Parsons' employer. Oh, I've read Parsons' stated reasons for his law. But in guarding against fraud and protecting intellectual property rights, do we really want to toss out the First Amendment? Jeff Kuester, a Net-hip attorney of intellectual property in Atlanta, says: "We should certainly strive for effective protection of intellectual property on the Web, but not by destroying this crucial part of the information superhighway. These links let people move seamlessly from Web site to Web site. They're as crucial to the Web as bridges are to our nation's system of concrete-and-asphalt roads.
If nothing else, we should avoid denying Netizens the free speech guaranteed outside cyberspace." While Parsons has denied that his law would make unauthorized links illegal, its wording would suggest otherwise. Criticizing Parsons' work, the Conservative Policy Caucus quotes the essence of HB1630 as it could affect links, and I'll pass on a rough extract with some tweaks of my own for the sake of clarity and precision: "It shall be unlawful for any person...knowingly to transmit any data through a computer network...if such data uses any individual name, trade name, registered trademark, logo, legal or official seal or copyrighted symbol to falsely state or imply that such person...has permission or is legally authorized to use such trade name, registered trademark..." Granted, some might say that you could assume implied consent if any material is up on an open medium like the Web and you want to link to it with appropriate identification by name. But the law is still a big threat, given the new legal liabilities it creates for journalists, publishers, activists and many others. Suppose your story online won't read like a puff piece. Will you need your target's goodwill before you can link to the site of a polluter or other recipient of negative publicity? And what about linking privately? Suppose you're on a local area network in the newsroom and want to share information with colleagues by way of an internal Web page. Will you require at least your target's tacit consent before you can do so? Exactly what does HB1630 mean by "a computer network," just the external variety? Not in my extract above was this additional language: "for the purpose of setting up, maintaining, operating, or exchanging data with an electronic mailbox, home page, or any other electronic information storage bank or point of access to electronic information." 
Sounds as if the Internet Police law won't delight the Society for Professional Journalists, Investigative Reporters and Editors or the Reporter's Committee for Freedom of the Press. Bill 1630 also contains other goodies, according to the valuable April 17 issue of EFFector Online and the EFF's Steele. For example, Ms. Steele says the bill could criminalize the use of pseudonyms; I'd suspect that's of interest to, say, America Online or to safety-minded parents who want their children to log on with fake names. Besides, just what's a "false" name? Ms. Steele writes of someone with the user name of "elvis" and says: "Even my own user ID, which is ssteele, does not clearly distinguish me from others with the last name of Steele and the first initial 'S.'" I myself am another good example of the identity issues that arise on a global computer network. My publisher insisted on calling my book NetWorld!, and it was logical for me to set up a NetWorld! Web site but guess what? If you do an Alta Vista search, you'll also find thousands of "NetWorld" mentions from unrelated "NetWorld" sites and the rest of the Web. Among the others are Peter's Networld from Peter Heneback, a Swedish foreign exchange student at West Anchorage High School in Alaska; NETWorld Market Place; NetWorld Publishing; NetWorld Systems; Networld +Interop, which, yes, has been known to hold expos down in Atlanta; and NetWorld Limited, a Hong Kong consulting company. And I'm to worry about other "NetWorlds" and "Networlds" from Alaska to Atlanta and Asia? While trademark law has its place, we need to allow for reasonable interpretations. I asked Prima Publishing to consult an attorney before it used NetWorld! on pulped wood. No problem, I heard. But what happens to my book's online version if I'm in Georgia and trademark fanatics prevail in court? There and elsewhere, politicians keep babbling that they'll get government off our backs. What bilge.
If Georgia politicians respect citizens' rights, why is the high-tech community talking of a lawsuit against the Internet Police law? Alas, the Georgia state legislature won't meet again until next year, but meanwhile Zell Miller might speak out against his baby before it frightens away millions of dollars of high-tech business. Perhaps he can at least promise to ask his attorney general not to enforce the Internet Police law. As long as the law is still alive, I myself will do everything I can to warn Netfolks that Georgia is a risky place for them to do business right now. Meanwhile, I suspect that the Internet Police law will be like Jim Exon's Communications Decency Act. Many people will just ignore it, further breaking down the respect of Generation Net for politicians and bureaucrats in general.

HOW TO PROTEST THE SILLINESS

The Internet Police bill--effective July 1, 1996--passed at least partly because politicians kowtowed to Big Bucks. Tell them they were wrong, that the bill will cost Georgia, that it's about as good for the state as Sherman's March was, that you'll tell your high-tech employer to stay the hell out of Georgia to avoid net.stupid regulations, that you'll think twice about attending the Olympics or buying goods that carry the Olympic logo. Let Georgia pols know that most Web sites thrive because of the ease of linking, not in spite of it. Time Magazine has zillions of links all over the Net. And without bureaucratic intervention, Netfolks already enjoy a wealth of phone- and Net-directories such as Yahoo's. Tell the Georgians that the Internet Police bill is a creature of special interests such as phone companies and, yes, politicians trying to crimp uppity rivals, including those in the Conservative Caucus. Some establishmentarians hated the idea of the conservatives' using the official Georgia seal on their Web site.
This issue transcends ideology--my own politics are progressive. Protesting, you should avoid obscenity. Be angry in a rational and responsible way. Don't justify the anti-Net stereotypes that technophobes love.

Georgia contacts

Gov. Zell Miller. I'd include an email address for Gov. Miller, but I couldn't find one--maybe I'm looking in the wrong locations on the Web, or perhaps in the wrong universe. His office phone number is 404-656-1776. Fax: 404-656-5948. Snail: Governor Zell Miller, State Capitol, Atlanta, Georgia 30334. It's just as well, actually, that you not use electronic mail since I doubt that the governor's office is that Net Aware. Otherwise why the Exon would he have signed this turkey?

Conservative Policy Caucus of the Georgia House of Representatives. You can email Georgia Representative Mitchell Kaye, the Webmaster, at webmaster at gahouse.com. Click here for Kaye's report on Parsons and the anti-Net law. Arm the Caucus with letters it can use to fight this atrocity. What the Net needs now, says Representative Kaye, is a court injunction against enforcement of the law. Anyone know a first-rate lawyer willing to work pro bono and make a name for himself or herself? If so, e-mail or phone Mitchell Kaye (770-998-2399), the legislator who so far has spent the most time and energy fighting the Internet Police law. Perhaps this case could be a natural for a group such as the American Civil Liberties Union or the Interactive Services Association, whose members include America Online, CompuServe and Prodigy, among others. One legislator has talked of corrective legislation, but according to Kaye's current thinking, a court challenge at this point would be more effective, since other politicians could water down a bill. At any rate, a bill couldn't be formally introduced until January 1996; and, says Kaye, a court case could be the best approach. Stay tuned.
Foes of the law are still sorting out their options as far as the best way to proceed.

E-mail addresses of members of the Georgia House, via the Conservative Policy Caucus. Remember, some of the people listed may be supporters of the Police Bill.

Names, addresses, home, office, and FAX numbers of state legislators. Click here and scroll down the list for contact information for Georgia House Speaker Thomas B. Murphy. Do not harass him--it'll just backfire. If you can manage, try instead to educate him; see if you can't save your anger for posts on the Net.

Don Parsons' phone number (770-728-8506) and FAX number (770-528-5754) and other contact info. Again, please avoid harassment! But do give him a piece of your mind; ideally you can fax Parsons, then email a cc: to Rep. Mitchell Kaye (mkaye at gahouse.com), a vehement critic of the Net Police law. First, read Don Parsons' defense of his baby. Among other things he writes that "Internet users - consumers, children, business people, clergy, etc., - have a right to expect that the Internet pages they visit are what they are presented to be." My response? Word on the Net circulates pretty quickly about frauds, and existing laws cover many situations. New, Internet-specific laws--against fraud or copyright violations--need to be much better crafted than HB1630 was. Above all, they must be infinitely more respectful of the First Amendment.

Georgia Attorney General Michael Bowers. His phone number is 404-656-4585; his fax number, 404-657-8733; and his snail address is: Judicial Building, Atlanta, Georgia 30334.

State of Georgia Home Page. Poke around. Look for pressure points--people associated with tourism and other business. See below.

Georgia Department of Industry, Trade & Tourism, "Georgia's official state agency for developing new jobs and creating capital investment."
Sign the guest book; register your company's lack of interest in relocating there while the Internet Police bill is in effect. Use the "Description of Business" field and ask that the Webmaster forward your opinion to policymakers.

Yahoo listings for 1996 Olympic Games. Use the "mailto's" (where you click to start writing a letter) and sign the guest books with protests against Georgia's medieval information policies.

1996 Olympic Games Home Page. Give 'em a piece of your mind on the feedback page.

BellSouth's Olympic links. Yes, BellSouth is an official sponsor. So if the Olympic folks take awhile to get the point, you'll know why. Of course you might try complaining to BellSouth itself--the president is Carl E. Swearington, telephone 770-391-2424; fax, 770-399-6355.

Cable News Network (CNN), whose Web site will be directly affected by the imbecility out of the state legislature. The feedback address is cnn.feedback at cnn.com. Give 'em permission to use your name and address on the feedback page. Oh, and while you're at it, you might ask CNN to forward your sentiments to Scott Woelfel, editor in chief of CNN Interactive. Tell him it's ok to link to this page, and suggest that the video part of CNN just might want to warn the world about the Internet Police bill.

E-mail, fax and snail addresses and phone numbers for the Georgia media--including the Atlanta papers and the Associated Press down there. From the Conservative Caucus.

Georgia Media List from Harden Political InfoSystems. Newspapers, magazines and broadcasters. Looks extremely comprehensive.

Thinking Right, a reader comment area of the Atlanta Journal. Speak up! Let Atlanta know that Georgia's on your mind! The "Piney Pete Sez" column of April 20 says of the Internet Police bill: "What prompted this action was not widespread abuse. It was one little gadfly, Rep. Mitchell Kaye, who's been using the great seal of Georgia on his conservative Website.
Needless to say, Kaye is a Republican and consequently shut out of any highway largess, concrete or electronic."

MORE LINKS

Full text of the Internet Police bill.

Electronic Frontier Foundation.

April 17 EFF newsletter with details on the Internet Police bill.

Bell South Denies Lobbying for the Police Law. Rep. Don Parsons, sponsor of House Bill 1630, works for BellSouth; but the company wrote attorney Jeff Kuester a letter saying Parsons does not serve as a lobbyist--and that the actual lobbyists were "totally unaware" of the company's suit against the Real InterNet Pages. The letter said, "Bell South did not draft, sponsor, promote or lobby for 1630. Bell South took no position on the legislation whatsoever other than, when it was brought to our attention, to recommend an exemption from liability for telephone companies and Internet access providers who provide transmission services for their customers." BellSouth did say that "it is probably overkill and unduly complicating to make the act of trademark infringement, misrepresentation and passing off on the Internet a crime under state law." The company also offered observations on the law's effects on links--thoughts with which the Electronic Frontier Foundation would undoubtedly disagree.

The Prize-winning Web Page of Jeff Kuester, the Net-hip intellectual property attorney mentioned earlier, who also has an engineering background and is active in groups such as IEEE. You can bet that like Kuester, scads of other Georgians love the Net and are just as surprised and disappointed by the Internet Police law as the rest of us were. He has a page with relevant links about the law. Kuester (kuester at kuesterlaw.com) is working to bring state pols up to speed on Net law and technology, and he would like to expand his efforts at the national level.
Send him a note if you're interested in helping out. A good cause! Note, too, the existence of a Congressional Internet Caucus. Education of policymakers is the best protection against Net-stupid legislation like HB1630. Perhaps even Parsons will see the light someday. Meanwhile, if you want to check out some first-class resources on the Net and intellectual property law, drop on by Kuester's site!

The Real InterNet Pages, the Net directory that the $18-billion BellSouth conglomerate is suing for alleged trademark infringement. BellSouth holds a trademark on the phrase "The Real Yellow Pages," but does that automatically entitle the company to "realpages.com" on the Net? Read why a BellSouth triumph could hurt you. The boys at realpages.com have put together a nice Web page with a yellow background ("we don't think they own the color yellow either"). E-mail your support to Don Madey at dmadey at realpages.com. Any lawyers out there willing to do pro bono? Publicity from such a case could be an excellent career-enhancer.

c|net News Article on the Police Law.

Georgia Cyberphobes, the Augusta Chronicle's editorial against the Net police bill--written just before Gov. Miller signed it. The Chronicle didn't see HR1630's trademark-related language as a threat but objected to the attack on online anonymity. It called for Miller to veto the bill.

Editor and Publisher. He explains how links help electronic newspapers. Note: The just-supplied link will soon disappear, but when that happens, you might be able to find the column in his archives.

YOUR OWN "NIGHT THE LIGHTS WENT OUT" PARODY? I'M LOOKING FOR THE RIGHT ONE

Who can come up with the best "Night the Lights Went Out in Georgia" parody--in the spirit of this site? Give it a shot.
May 18 is the contest deadline, and I may extend it if Netfolks are too angry to concentrate long enough to come up with a quotable parody. No prizes, just some exquisite notoriety. Please do not enter, of course, if you mind having scads of other Web sites link to your words. -David H. Rothman, rothman at clark.net

Linking Encouraged. No Permission Needed from Me, Especially if You're in Georgia!

Cyberspatial Reality Advancement Movement

--****ATTENTION****--****ATTENTION****--****ATTENTION****--***ATTENTION*** Your e-mail reply to this message WILL be *automatically* ANONYMIZED. Please, report inappropriate use to abuse at anon.penet.fi For information (incl. non-anon reply) write to help at anon.penet.fi If you have any problems, address them to admin at anon.penet.fi From frantz at netcom.com Mon May 6 23:23:46 1996 From: frantz at netcom.com (Bill Frantz) Date: Tue, 7 May 1996 14:23:46 +0800 Subject: Internet telephony report Message-ID: <199605062043.NAA24796@netcom8.netcom.com> At 12:58 PM 5/6/96 -0400, E. ALLEN SMITH wrote: > While they _probably_ aren't going to start trying to charge for >Internet phone service, the FCC still thinks it should be able to regulate >the Internet - with the egalitarian excuse of equal access as among the >reasons. Hmph... bureaucracy. Well, now we know where they are going to levy the taxes when most commerce goes on the net. They'll hit up the guys with lots of cable/fiber etc.
:-) ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From wlkngowl at UNiX.asb.com Mon May 6 23:24:00 1996 From: wlkngowl at UNiX.asb.com (Mutatis Mutantdis) Date: Tue, 7 May 1996 14:24:00 +0800 Subject: Bug in NOISE.SYS v0.5.5 w/fix... Message-ID: <199605062324.TAA08083@unix.asb.com> There's a bug in the API in NOISE.SYS v0.5.5. I've uploaded a fix as noise056.zip to ftp.funet.fi, so keep an eye out for it. The fix is easy. In the file "multiplex.inc" you'll see the @ReturnOk LABEL where it restores the ds, si and bp registers... at the @ReturnErr hook it only fixes the ds and si registers. Add a "pop bp" appropriately and remake the file. Sorry for the inconvenience. --Rob From frantz at netcom.com Mon May 6 23:24:34 1996 From: frantz at netcom.com (Bill Frantz) Date: Tue, 7 May 1996 14:24:34 +0800 Subject: misunderstandings of PICS Message-ID: <199605062215.PAA07291@netcom8.netcom.com> At 12:48 PM 5/6/96 -0700, Vladimir Z. Nuri wrote: >please read the PICS proposal (sorry the >URL is not handy, could someone post it?) http://www.w3.org/pub/WWW/PICS/ ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From sameer at c2.org Mon May 6 23:26:32 1996 From: sameer at c2.org (sameer at c2.org) Date: Tue, 7 May 1996 14:26:32 +0800 Subject: WWW proxies? In-Reply-To: Message-ID: <199605062058.NAA00289@clotho.c2.org> > In your evaluation, perhaps. In the mind of every web proxy site? Doubtful. > > In fact, a former client of mine seriously considered offering an > "anonymous" web proxy for the sole reason to be able to capture the traffic > stats. 
I will crush other such sites. -sameer, who will take over the world. From rah at shipwright.com Mon May 6 23:35:09 1996 From: rah at shipwright.com (Robert Hettinga) Date: Tue, 7 May 1996 14:35:09 +0800 Subject: Is the network layer geodesic? In-Reply-To: <01I4A37X6Y0W8Y56P8@mbcl.rutgers.edu> Message-ID: At 2:24 PM -0400 5/6/96, Scott Brickner wrote: > The network layer isn't the geodesic Bob H likes to talk about. That > doesn't happen until the transport layer (one higher). It's a > hierarchical star, with a relatively small number of big ISPs acting as > the hub, several groups of regional ISPs acting as local arms, and many > local ISPs acting as the end-points. Actually, I once lapsed and *did* say the "h" word about the network layer around here about 6 months ago, and I got slapped severely around the head and shoulders, by Gilmore, if memory serves. Knowing enough not to argue with my elders and betters, :-), I immediately recanted and now assert geodecity(!) until proven otherwise. If I remember right, Gilmore said something about a monstrous preponderance of packet traffic still being handled by relatively beensy direct lines... Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From declan+ at CMU.EDU Mon May 6 23:46:14 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Tue, 7 May 1996 14:46:14 +0800 Subject: The FBI/NSA's new escrow argument, DC crypto panel Message-ID: <4lXbBH200YUzQWhWh_@andrew.cmu.edu> I just came back from the Online Services Industry conference held today in Washington, DC at the Georgetown Four Seasons. It was very much a DC thing, organized by Congressmen Jack Fields and Rick White (of the Internet Caucus).
The fourth panel was "Law Enforcement and Encryption in Cyberspace," with this set of characters: * Edward Allen, supervisory special agent/section chief, FBI * Clinton Brooks, advisor to the director, NSA * Dorothy Denning, professor, Georgetown University * Bruce Heiman, attorney, Preston Gates Ellis & Rouvelas Meeds * Jim Lucier, director of economic research, Americans for Tax Reform * Marc Rotenberg, director, EPIC I was expecting fireworks, or at least a few sparks, but the panel fizzled. Both sides recounted the same threadbare policy positions we've heard for years, with one exception: the Administration's new argument against lifting crypto export controls. Allen and Brooks claimed that "there needs to be a balanced approach," arguing that other nations are relying on the U.S. to maintain export restrictions to prevent it from falling into the grasping fingers of overseas terrorists. (And yes, they mentioned child pornographers too.) The FBI's Allen said: "We have talked to our foreign law enforcement counterparts who are concerned with exporting strong crypto. Crime is increasing internationally... There is not an international free market for crypto. To a great degree, other nations have been relying on U.S. export controls to maintain stasis. What bothers me about efforts being proposed legally is that we're moving forward without understanding what we're getting into... The efforts can go to order or chaos. We're in a period where it could go to chaos." Denning recounted the tale of a New York state police bust that seized a computer with PGP, but no files were encrypted: "They hadn't used it. It was too much trouble." She said that if PGP is more "integrated," more criminals will use it. "We need to balance interests and provide for legitimate law enforcement access. Many businesses are supportive of this," said Denning. 
After Rotenberg and the other half of the panel rebutted, Brock Meeks asked the first question: Isn't it possible that the government may eventually ban non-third-party escrowed crypto, in a compromise move? The FBI's Allen ducked, clumsily. Meeks pressed and Brooks from the NSA allowed: "Over time, if there are advocates and society says we have to go further then we may have to." -Declan From EALLENSMITH at ocelot.Rutgers.EDU Tue May 7 00:03:41 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Tue, 7 May 1996 15:03:41 +0800 Subject: WWW proxies? Message-ID: <01I4E52631IS8Y583T@mbcl.rutgers.edu> From: IN%"tcmay at got.net" 6-MAY-1996 01:41:12.77 >-- that a model is lacking (I don't mean we don't have some ideas of what's >important, but that we haven't filled in the details, figured out what >sorts of correlations an analyst can make by looking at packet sizes, >sending times, delivery times, etc.) Hmm... I wonder if genetic algorithms would be a good way to analyze traffic. Admittedly, this may be a matter of my having a (potential) hammer and seeing things to bash with it. >-- the real world situation with remailers is that message volume is >probably way too low for comfort (my presentation on remailers at the first >CP meeting outlined a need for about 10 mixes, each mixing at least 10 >messages of the same size before remailing...and 20 mixes each mixing 30 or >more messages is much better...we are most likely far, far below this, for >nearly all remailed messages. Fortunately, most remailed messages are >either not critical or are being done for novelty, harassment, flaming, >etc.). 
It should be possible, given a model, to add onto existing remailers a routine that automatically forwards random messages through a random string of remailers and back to itself (or into a /dev/null address; I can see advantages and disadvantages in the resulting loss of information) at a random frequency whose bounds are dependant upon current traffic levels at that remailer. This might be supplemented by information based on statistics gotten from other remailers. I would suggest Raph Levien (sp?)'s remailer list as a basis for the random string of remailers. >(PipeNet-type schemes may help, depending on a bunch of details. So would >"local mixes in cabinets," meaning, Web anonymizers with high bandwidth >that do their mixing locally. They have to be "trusted," to some extent, >but would help a lot. There are some gotchas.) There is unfortunately a balance between what an operator will be able to take - in regards to bandwidth - and what is needed for a web anonymizer or remailer to work. For remailers, this requirement is greatly decreased by the lack of immediacy needed. -Allen From tcmay at got.net Tue May 7 00:19:28 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 7 May 1996 15:19:28 +0800 Subject: Why I Pay Too Much in Taxes Message-ID: At 8:05 PM 5/6/96, Duncan Frissell wrote: >> However, are you controlling for level of income? The IRS is a lot >>more worried about TCMay committing tax fraud than they are about me >>committing >>tax fraud; my income taxes are a lot closer to 0 than his. >> -Allen >> > >Actually, as a percentage of income, tax evasion is probably more prevalent >among the poor than the rich. Because they are less exposed. Studies of >spending show that the poorest 20% of Americans spend twice their reported >income. Indeed, I am extremely limited in how I can avoid complete traceability of my major income sources. 
Not rich enough to shelter income in a really big time way (and even these shelters are harder and harder to find...near-billionaire Justin Dart renounced his U.S. citizenship and became a citizen of Belize to avoid huge U.S. taxes). And too rich to "forget to report" income from mowing lawns, tips, freelance car body repair, etc. Caught right in the middle where the computers file reports automatically with the IRS."You can run, but you can't hide." By the way, as long as I've added another comment to this not-very-relevant thread (but one which has generated a lot of comments, so it's hard to hard folks aren't interested), I should mention that I left out the effects of INFLATION in my "60%" figure. To wit, imagine buying an asset (stock, real estate, etc.) for, say, $10,000 in 1982, selling it for $20,000 in 1995, and having to pay $3600 in taxes on this "gain," much of which was erased by the effects of inflation. (I don't have a convenient chart of the cumulative inflation over this period, but I'd guess it's between 60% and 90%. Meaning, a 1995 dollar is worth about half to two-thirds of a 1982 dollar.) Also, the effect of inflation has been to inflate salaries and thus inflate people into higher tax brackets, even when their "real wages" have not gone up. If we ever get really bad inflation again (>10% per year, as we had in the late 70s, early 90s), or, God forbid, hyper-inflation, the tax system will likely not survive in anything near its current form. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. 
"National borders aren't even speed bumps on the information superhighway." From unicorn at schloss.li Tue May 7 00:36:28 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 7 May 1996 15:36:28 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: <01I4DYNHXPW28Y583T@mbcl.rutgers.edu> Message-ID: On Mon, 6 May 1996, E. ALLEN SMITH wrote: > On Sun, 28 Apr 1996, jim bell wrote: > > [...] > > >While strong cryptography is powerful, and secure communications > >liberating, unplugging the phones would about cripple that 'weapon' for a > >while. Any group rebelling based only on high technology communication is > >an extremely vulnerable group, both to widespread denial of service, and > >more specific 'surgical' attacks. (Motorola stock anyone?) Watch your attributation. This is my quote. > > Wouldn't that partially depend on: > A. the level of backups - packet radio as a backup for phones, > for instance... a reason I've been forwarding the stuff on radio to here. > B. the necessity to the government of keeping what else may > depend on those phones - the economy - going. > -Allen > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From vznuri at netcom.com Tue May 7 00:41:36 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Tue, 7 May 1996 15:41:36 +0800 Subject: misunderstandings of PICS In-Reply-To: <01I4E4S4ZWSE8Y583T@mbcl.rutgers.edu> Message-ID: <199605062253.PAA15378@netcom22.netcom.com> EAS: now that you quote the PICS standard instead of CyberAngels in referring to PICS, I think we are getting somewhere. >... PICS specifies three ways to distribute labels. The first is to embed >labels in HTML documents. 
This method will be helpful for those who wish to >label content they have created. right. as I said, I think this will be the less important area of the PICS proposal. in fact, I think it is a bit misleading to say, "the first is..", because the other methods are really what PICS was trying to achieve, in my opinion (this is just my perception, I don't know if the writer would agree. these kinds of issues are still being worked out). one useful idea related to "self-rating" is to allow the user to create a sort of "abstract" or "keywords" that could be incorporated into the rating system. such an idea is not prohibited by the existing proposal and in fact fits into it nicely imho. but again, I believe that the "self-rating" concept of PICS 1) is not the key design goal of PICS, and 2) will not be a major use of the service in the long run in comparison to "rating services", and 3) because it requires action on the part of the page designer, it is less desirable for this reason, and in fact another major aspect of PICS insists that no action on the part of the page designer should be possible (that which is relative to URLS) 4) the designers intended that self-rating be voluntary. hence any coercion of requiring people embed certain kinds of labels is wholly rejected by the proposal. but OK, I see that the CyberAngels have focused on a part of the PICS proposal that can be twisted into their own unique interpretation. I see you/they have a semi-valid concept here. frankly, it only suggests to me how dangerous the "self-rating" concept is, and perhaps that it should be downplayed in the PICS proposal imho. (any PICS designers out there listening?) >In other words, the CyberAngels want to eliminate any pages that >contain material they think minors shouldn't see that aren't self-rated with >a PICS self-rating (the first of the three types) intended to block minors >from seeing it. this is only how a bonehead would view cyberspace. 
it's an old view of how information should be regulated. it's taking the metaphor, "records should have a little sticky sticker that tells whether it has explicit content". for someone who think that cyberspace is made out of atoms, not bits, it seems eminently sensible. but it is wholly ridiculous and unnecessary. the cyberangels should clarify their position. who decides what is rated what? it is amazing how many people who are favor of some kind of censorship scheme evade the issue of SUBJECTIVITY, as if a government organization can precisely determine what is acceptable to children. it reminds of how those in law enforcement talk about CRIMINALS when often they are actually referring to SUSPECTS. the distinction is absolutely critical in civilized society. imagine what effect a politician's speech would be if he said, "we have to CRACK DOWN ON CRIMINALS!!!" vs. "we have to CRACK DOWN ON ALL THE CRIME SUSPECTS!!" I highly recommend that everyone make this mental substitution whenever you hear someone ranting about "criminals" and see what a different tone their words take!! > Yes, this is an abuse of the market oriented variety of PICS; >they obviously don't know and/or don't care. If you want to convince them >otherwise, start cc:ing your messages (and forwarding mine, on this I give you >permission) on PICS and the CyberAngels to angels at wavenet.com. it's impossible to fully get rid of ignorance. all that can be done is for proposals to be written as clearly as possible. since you are so interested and brought it up, I think you ought to do it. I am doing all that I care to do in posting to this group. you have given me reason to write on the issue. >Incidentally, their pressure (especially the legal variety - acting as >informants) could also include against an ISP that doesn't do the second for >material the CyberAngels don't like. right. 
again, that's why I think the "self-rating" idea should be minimized in the PICS proposal as the last one listed, and the market-oriented ones listed first. I also would like to see terminology that the proposal is expressly against mandatory kinds of practices such as requiring page writers to include certain tags based on some agency's opinion etc. it seems so ridiculous at times that people are on such different wavelengths that the proposals have to reject all this explicitly, but of course that's the same idea behind the Bill of Rights. I do hope the CyberAngels seize on the other aspects of PICS that would effectively let them put CyberAngel stickers on every single page in cyberspace, if they have the attention span to actually pull this off. From declan+ at CMU.EDU Tue May 7 00:42:13 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Tue, 7 May 1996 15:42:13 +0800 Subject: Police tactics question In-Reply-To: <01I4E2S0NTES8Y583T@mbcl.rutgers.edu> Message-ID: Excerpts from internet.cypherpunks: 6-May-96 Police tactics question by "E. ALLEN SMITH"@ocelot. > I've often heard of the police/postmaster mailing someone child > pornography prior to going in and busting them for possession of it. What are > the legal matters in such cases? According to Bruce "Comstock was an amateur" Taylor, it's only legal for the Feds to let child porn out of their hands if they can monitor it. That is, they can let the postman deliver it to you, but they'll lie in wait and grab you when you tear open the envelope. -Declan From llurch at networking.stanford.edu Tue May 7 00:54:30 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 7 May 1996 15:54:30 +0800 Subject: UK IP Censorship In-Reply-To: <199605061552.IAA15075@jobe.shell.portal.com> Message-ID: On Mon, 6 May 1996 anonymous-remailer at shell.portal.com wrote: > Financial Times, 6 May 1996 > > Internet provider to launch censorship > > By James Mackintosh in London [...] 
> > Pipex - the UK arm of UUNet of the US - does not expect a > backlash from users over the censorship. Let's see to it that they're wrong. [ObFUCKING-STATIST: while the article is newbiegarbled, as far as I can tell, they're only blocking specific newsgroups, and not any IP routes, which would be worse. IMO, ISPs have the right to block certain newsgroups, as long as they tell customers what they're doing. HOWEVER, if Pipex is as big an uber-ISP and news feeder of ISPs as UUNet is here, then they've clearly gone over the line as far as I'm concerned. I don't care if AOL blocks alt.sex.kiddie-porn, because the kiddie-porners can simply move to a real ISP; but the big players have more of an obligation to act as content-neutral common carriers.] -rich From JMKELSEY at delphi.com Tue May 7 01:06:54 1996 From: JMKELSEY at delphi.com (JMKELSEY at delphi.com) Date: Tue, 7 May 1996 16:06:54 +0800 Subject: Escrowing signing vs. encryption keys Message-ID: <01I4EDQIJ1MA9C1W4G@delphi.com> -----BEGIN PGP SIGNED MESSAGE----- [ To: cypherpunks ## Date: 05/06/96 06:55 pm ## Subject: Escrowing signing vs. encryption keys. ] >Date: Thu, 25 Apr 1996 21:06:37 -0700 >From: Hal >Subject: Re: US law - World Law - Secret Banking >Baker's problem was that the keys would be used for signing as well >as for encryption. He said that in the U.S. they had been careful >to separate these functions in their plans. That's why we have DSS >for signatures and Clipper (Capstone, Skipjack, etc.) for >encryption. Only the Clipper keys get escrowed. The DSS keys are >kept private. >Privacy, on the other hand, at least from the point of view of >someone like Baker, is not as important. His people eavesdropped >all the time, and it wasn't that bad. So from his perspective it is >reasonable that a possibly insecure escrow system is acceptable for >encryption, but not for signatures. And that is apparently a >principle behind the US crypto policies as they have unfolded over >the last few years. 
There is another angle to this. If extralegal key escrow accesses are occurring, it will probably take a long time to come out, if it ever does. There's a good chance that anyone successfully eavesdropping on people by use of the key escrow mechanism will simply keep quiet about it, and while the victim may *suspect* what's happened, they won't be able to prove it. However, forged signatures *will* be noticed directly, and there will be high-profile court cases about them. Even if untrue, serious allegations of forged signatures based on escrowed signing keys will make it into the papers, and cause all kinds of chaos. Presumably, this is seen by the Feds to balance out the downside that, if I have the ability to do secure signatures with certificates, I can always use Diffie-Hellman to establish a secure session with someone else. >Hal --John Kelsey, jmkelsey at delphi.com / kelsey at counterpane.com PGP 2.6 fingerprint = 4FE2 F421 100F BB0A 03D1 FE06 A435 7E36 From dan at dpcsys.com Tue May 7 01:07:50 1996 From: dan at dpcsys.com (Dan Busarow) Date: Tue, 7 May 1996 16:07:50 +0800 Subject: misunderstandings of PICS In-Reply-To: <199605061948.MAA15630@netcom3.netcom.com> Message-ID: On Mon, 6 May 1996, Vladimir Z. Nuri wrote: > but you still don't understand what I stated. the above does not make > any sense relative to the PICS system. it would be like saying, "we > are going to report anyone who doesn't have a SMTP that bans dirty > email". SMTP does not ban dirty email by definition. PICS does not > censor material by definition. please read the PICS proposal (sorry the > URL is not handy, could someone post it?)
The executive summary is at:

A more complete overview is available at:

The first, unfortunately, mentions self-rating prominently. The second mentions self-rating almost as an aside. Looks like they needed a bullet point for the short version.

Dan
--
Dan Busarow
DPC Systems
Dana Point, California

From EALLENSMITH at ocelot.Rutgers.EDU Tue May 7 01:24:46 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Tue, 7 May 1996 16:24:46 +0800
Subject: CryptoAnarchy: What's wrong with this picture?
Message-ID: <01I4EBAJKN5W8Y58HH@mbcl.rutgers.edu>

From: IN%"jimbell at pacifier.com" "jim bell" 6-MAY-1996 19:08:19.78

>At 01:44 PM 5/6/96 EDT, E. ALLEN SMITH wrote:
>
>>On Sun, 28 Apr 1996, jim bell wrote:
>>
>>[...]
>>
>>>While strong cryptography is powerful, and secure communications
>>>liberating, unplugging the phones would about cripple that 'weapon' for a
>>>while. Any group rebelling based only on high technology communication is
>>>an extremely vulnerable group, both to widespread denial of service, and
>>>more specific 'surgical' attacks. (Motorola stock anyone?)

>The attribution above is in error. I didn't type those lines above.

Whoops. Sorry, I believe that was Black Unicorn. My apologies to both of you.
-Allen

From fair at clock.org Tue May 7 01:27:45 1996
From: fair at clock.org (Erik E. Fair (Time Keeper))
Date: Tue, 7 May 1996 16:27:45 +0800
Subject: Is the network layer geodesic?
Message-ID:

The principal problem is that public exchange points do not scale beyond current LAN technology (i.e. half-duplex 100 Mb/s FDDI or Ethernet), and how many DS3 (T3; 45Mb/s full-duplex!) pipes does it take to fill that up? Two.

Now, drop a DEC GIGAswitch in there (16 FDDI ports, 3.2Gb/s backplane), and now you can have sixteen peers on the exchange. Last count I saw, there are 1,800 ISPs operating in the USA alone, and *everyone* wants to be at the exchange points. Oops.

How many exchange points are there?
Well: NSF Network Access Points (NAPs): New York (well, Pennsauken, NJ; Sprint), Chicago (Ameritech), San Francisco (Pac*Bell) MAE-EAST (D.C.), MAE-WEST (Mountain View-San Jose), MAE-LA, CIX (San Jose) FIX-EAST (D.C.), FIX-WEST (Mountain View; just for the Feds) SWAB (D.C., but almost no one left there). There are probably a few new ones that are forming that I am unaware of as yet, but the point is that they're small-fry. There are also probably exchange points outside the USA, but I bet they're being held up with PTT B.S. The Internet is amorphous. It ain't a star, exactly, but it still not too far from that. However, to get away from this situation into the rich and more fully amorphous connectivity we used to take for granted in the UUCP network, we're going to have to see a lot more cooperation on the part of the small ISPs in agreeing to talk *directly* to each other to exchange traffic, and more small exchange points, instead of the small number of large ones. Of course, this means that you, Mr. or Ms. Discriminating Internet Consumer, must educate yourself a little, and ask interesting questions like, "why do my packets have to go to California to get across town to the ISP my friend uses?" If the customers ask, the ISPs will serve. They just gotta know what you want (and you have to be willing, of course, to pay for it). Erik Fair From froomkin at law.miami.edu Tue May 7 01:27:47 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Tue, 7 May 1996 16:27:47 +0800 Subject: Police tactics question In-Reply-To: <01I4E2S0NTES8Y583T@mbcl.rutgers.edu> Message-ID: One of my students has written a paper that may answer some of your questions, Online Stings: High Tech Entrapment or Innovative Law Enforcement?, by Jeffrey D. Weinstock http://www.law.miami.edu/~froomkin/seminar/papers/weinstock.htm other student papers on Internet topics can be found at: http://www.law.miami.edu/~froomkin/seminar/papers/ Note: these are *student* papers. 
Not everything in them is exactly right. And no, I won't tell you their grades. On Mon, 6 May 1996, E. ALLEN SMITH wrote: > I've often heard of the police/postmaster mailing someone child > pornography prior to going in and busting them for possession of it. What are > the legal matters in such cases? > Thanks, > -Allen > [The above may have been dictated with Dragon Dictate/Win 2.01 voice recognition. Be alert for unintentional strange word substitutions.] A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here. From Chris.Claborne at SanDiegoCA.ncr.com Tue May 7 01:28:53 1996 From: Chris.Claborne at SanDiegoCA.ncr.com (Chris Claborne) Date: Tue, 7 May 1996 16:28:53 +0800 Subject: STEL b5 released Message-ID: <2.2.32.19960506235221.006606b4@opus.SanDiegoCA.ATTGIS.com> Just a FYI :) From: cert-it at dsi.unimi.it -----BEGIN PGP SIGNED MESSAGE----- STEL beta5 has been released. 1. WHAT IS STEL? STEL is a free telnet surrogate which provides strong mutual authentication, encryption, secure file transfer, automatic s/Key password generation, centralization and management of s/Key passwords and more. 2. WHERE IS STEL AVAILABLE? STEL is available as: ftp://idea.sec.dsi.unimi.it/cert-it/stel.tar.gz Please note that ftp.dsi.unimi.it is not supporting security stuff anymore. All the security archive has been moved to idea.sec.dsi.unimi.it. 3. WHAT IS THE STATUS OF STEL? The latest version of STEL is beta 5. 
It has been (quite) extensively tested on the following systems: hpux sunos4 solaris24 solaris25 irix linux aix It has been reported to work (but no testing) on: ultrix freebsd bsdi Bug reports, comments and suggestions should be sent to: stel-authors at idea.sec.dsi.unimi.it - -- ******************************************************** ******** Computer Emergency Response Team ITALY ******** ******************************************************** E-mail: cert-it at idea.dsi.unimi.it Mailing list: unix-security-request at idea.sec.dsi.unimi.it Ftp: ftp://idea.sec.dsi.unimi.it WWW: http://idea.sec.dsi.unimi.it ... __o .. -\<, Chris.Claborne at SanDiegoCA.ATTGIS.Com ...(*)/(*). CI$: 76340.2422 http://bordeaux.sandiegoca.attgis.com/ PGP Pub Key fingerprint = A8 FA 55 92 23 20 72 69 52 AB 64 CC C7 D9 4F CA Avail on Pub Key server. Dreams. They're just screen savers for the brain. From stewarts at ix.netcom.com Tue May 7 01:29:46 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Tue, 7 May 1996 16:29:46 +0800 Subject: Why I Pay Too Much in Taxes Message-ID: <199605062359.QAA09585@toad.com> At 11:16 PM 5/5/96 -0700, Sandy wrote: >Actually, no.
When I used to edit a magazine, I commissioned an >article about how much "tax" slaves, serfs, etc. paid. That is, >how much of what they produced, did they get to keep; how much >went to their masters. The surprising, cross-cultural answer my >researcher/writer found was that they got to keep everthing they >produced except 5-10%. That's a lot better, percentage-wise, >than for modern "tax slaves." It was fairly common for serfs to have to provide direct manual labor on their landlord's farm for 1-2 days per week, depending on the lord, plus of course if there was a war you often got drafted (depending on how much you were needed as a farm laborer.) # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 # goodtimes signature virus innoculation From shabbir at vtw.org Tue May 7 01:31:42 1996 From: shabbir at vtw.org (Shabbir J. Safdar) Date: Tue, 7 May 1996 16:31:42 +0800 Subject: INFO: Transcript of crypto chat with Sen. Burns at www.crypto.com Message-ID: <199605070252.WAA08448@panix3.panix.com> ------ ======================================================================== __ _________ __ \ \ / /_ _\ \ / / Voters Telecommunications Watch \ \ / / | | \ \ /\ / / (vtw at vtw.org) \ V / | | \ V V / May 6, 1996 \_/ |_| \_/\_/ Redistribute only until 5/28/96 TRANSCRIPT OF ONLINE CHAT WITH SENATOR BURNS (R-MT) AVAILABLE AT ENCRYPTION POLICY RESOURCE CENTER (HTTP://WWW.CRYPTO.COM) SENATOR BURNS IS SCHEDULED TO APPEAR AT HOTWIRED: MONDAY 5/13/96 9PM EST Please widely redistribute this document with this banner intact until May 28, 1996 ________________________________________________________________________ CONTENTS The Latest News Schedule of upcoming chats related to encryption About VTW and Whistlestop96 ________________________________________________________________________ THE LATEST NEWS Senator Burns went online tonight and discussed encryption and his new bill, PRO-CODE, with Internet users in America Online's News Room auditorium. 
The full transcript of this session is available at http://www.crypto.com/.

Some highlights from the fifty minute discussion:

Question : Senator Burns, As a small business in Montana that provides web-space to local Montana businesses, I'm concerned that the lack of privacy and security on the Net will keep many of my potential customers from purchasing online. How will this bill help?

Sen Burns : That's exactly why I introduced this bill. Right now I don't think any of us feel safe transmitting our credit card numbers over the Internet, and many companies who have workers around the nation or world are worried about how they can safely send sensitive information back and forth between them. If we can raise their level of security, we can guarantee that that information will be sent without unwanted eyes looking in.

Question : What do you think the Administration, FBI, and NSA reaction to your bill will be? Have you already heard from them? (I run an ISP in Missoula, Montana.)

Sen Burns : We expect them to have some concern with this, and we will work with them but we have to understand that the people we are concerned with can already gain encryption that is already longer than 40 bits on the international market.

The transcript is the property of America Online, who retains the copyright.

________________________________________________________________________
SCHEDULE OF UPCOMING CHATS RELATED TO ENCRYPTION

Sen. Burns
Hotwired: Monday May 13, 9pm EST

Sen. Leahy
America Online: date not yet available
Hotwired: date not yet available

You can connect to AOL over the Internet through a SLIP/PPP connection or by dialing up one of their services. Download the AOL client software from URL:ftp://ftp.aol.com/ and install it.

HotWired's Club Wired is easy to reach. Go to the WWW page URL:http://www.hotwired.com/club/ and follow the instructions.
________________________________________________________________________ ABOUT VTW AND WHISTLESTOP96 VTW (Voters Telecommunications Watch) is an Internet-based grass-roots advocacy group concentrating on issues of civil liberties and telecommunications. Whistlestop96 is VTW's project to bring more members of Congress and Congressional candidates to online chats to talk about core Internet issues with net users. We do not accept unsolicited donations at this time. If you want to help, register to vote at URL:http://www.vtw.org/ivoter/ . For more information on encryption policy, please see the following resources: Encryption Policy Resource Page: http://www.crypto.com/ Internet Privacy Coalition: http://www.privacy.org/ ...run by these fine organizations: Center for Democracy and Technology: http://www.cdt.org/ Electronic Frontier Foundation: http://www.eff.org/ Electronic Privacy Information Center: http://www.epic.org/ Voters Telecommunications Watch: http://www.vtw.org/ ________________________________________________________________________ Copyright 1994-1996, Voters Telecommunications Watch ======================================================================== From dsmith at midwest.net Tue May 7 01:34:32 1996 From: dsmith at midwest.net (David E. Smith) Date: Tue, 7 May 1996 16:34:32 +0800 Subject: alias servers (al la alias.c2.org) Message-ID: <199605062345.SAA03281@cdale1.midwest.net> -----BEGIN PGP SIGNED MESSAGE----- > How much information do they actually want, and how much do they > check? I seem to recall that they wanted some info for giving to the > advertisers and for targeting the advertising. > -Allen ["They (TM)" being Juno, the free email people] Basic marketing stuff: (I just abbreviated from their survey, which you can go back and change at any time :) Full address, phone numbers optional. How often do you use this computer, and for what? Which of the following (shopping, bill paying, horoscope, etc...) would you do online if you could? 
Which online services (AOHell, CI$, MSN, etc. ) have you used/do you use? What is your profession? What is your income level? What about children? Which major appliances/ electronics do you use? What magazines do you read? What about your free time? What hobbies/other interests have you? (Optional question: have you traded any securities in the past twelve months?) OTOH, there is nothing at all preventing you from completing all of this with your favorite pseudonym's information; Juno says that they can't/don't verify all of this, since they just don't have the resources or the inclination. Besides, the ads are cute - so far, I've gotten ads for Welch's grape juice, an Okidata laser printer, Columbia House record club, and Snapple. I already buy from three of those four, so I guess they're preaching to the choir :) dave From alex at proust.suba.com Tue May 7 01:58:40 1996 From: alex at proust.suba.com (Alex Strasheim) Date: Tue, 7 May 1996 16:58:40 +0800 Subject: fixing netscape Message-ID: <199605070349.WAA01122@proust.suba.com> http://reality.sgi.com/grafica/framefree This doesn't have any direct crypto relevance -- it's a program that improves navigator binaries by modifying them so they won't understand frames. I'm a little surprised that we didn't think of this when we were waiting for Jeff to allow us to turn off javascript. 
-- Alex Strasheim, alex at proust.suba.com From jimbell at pacifier.com Tue May 7 02:20:08 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 7 May 1996 17:20:08 +0800 Subject: More on Internet connections Message-ID: >From: IN%"rre at weber.ucsd.edu" 6-MAY-1996 01:36:44.84 >From: Phil Agre > "THE FIRST 100 FEET" > OPTIONS FOR INTERNET AND BROADBAND ACCESS > This conference looks at options for Internet and broadband >access from the perspective of home owners, apartment complexes, >and small businesses. It will evaluate opportunities and >obstacles for "bottom-up" infrastructure development and the >implications for traditional and alternative providers at the >neighborhood, regional, and national levels. We are seeking >original analysis, position papers, and background material for >use in the conference program, on the project website, and in a >book to be published in early 1997. > > The conference challenges business and policymakers to >rethink fundamental issues in telecommunications policy by >recasting the "problem of the last 100 feet" as "opportunities >for the first 100 feet." This paradigm shift suggests >consumer/property owner investment as an answer to the dilemma of >whether there should be one or two wires into the home. I'm glad to see that somebody's addressing this issue. It seems to me that if all the people on a given suburban block want some sort of low-cost, alternative method to access networks, they should be able to install some sort of centralized switchbox and run the cabling themselves down their back fence. Where is industry on this sort of thing? Why can't we buy such a thing? Jim Bell jimbell at pacifier.com From stewarts at ix.netcom.com Tue May 7 02:20:51 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Tue, 7 May 1996 17:20:51 +0800 Subject: alias servers (al la alias.c2.org) Message-ID: <199605070519.WAA13048@toad.com> >>Of course, having just previewed the Juno "free-email" >>service, I might count it also. 
> > How much information do they actually want, and how much do they >check? I seem to recall that they wanted some info for giving to the >advertisers and for targeting the advertising. They don't want that much information, nor do they really check it; the big thing they're doing is sending you advertisements and probably selling your name, but they may have privacy policies. The big negative about using them as alias servers is that you have to use _their_ software and dial up to them; you can't get your mail by POP (though you can argue that it's harder to trace that way), and you have to use their silly advertisement-displaying user interface (shades of Prodigy!). I assume that behind their silly interface is a standard network protocol, which somebody can decipher and figure out how to use SLIP or PPP or X.3/X.28/X.29 or whatever instead. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 # goodtimes signature virus innoculation From somogyi at digmedia.com Tue May 7 02:25:43 1996 From: somogyi at digmedia.com (Stephan Somogyi) Date: Tue, 7 May 1996 17:25:43 +0800 Subject: WhoWhere Robot? Message-ID: My web server was just hit by a machine that reverse-resolved to a Japanese academic domain with an agent claiming to be "WhoWhere Robot"; this bot is not listed in the List of Robots. Does anyone know whether this has any relationship to the www.whowhere.com people? ________________________________________________________________________ Stephan Somogyi Mr Gyroscope Digital Media From rah at shipwright.com Tue May 7 02:27:55 1996 From: rah at shipwright.com (Robert Hettinga) Date: Tue, 7 May 1996 17:27:55 +0800 Subject: Police tactics question In-Reply-To: <01I4E2S0NTES8Y583T@mbcl.rutgers.edu> Message-ID: At 7:09 PM -0400 5/6/96, Declan B. McCullagh wrote: > According to Bruce "Comstock was an amateur" Taylor, it's only legal for No, no, no, no, no.... It's Bruce "Penis with a Blister" Taylor. Remember? 
Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From hoz at univel.telescan.com Tue May 7 02:32:33 1996 From: hoz at univel.telescan.com (rick hoselton) Date: Tue, 7 May 1996 17:32:33 +0800 Subject: Disappearing Cryptography Message-ID: <199605070248.TAA11302@toad.com> A book by Peter Wayner (pcw at access.digex.com), of interest to cypherpunks. (OK, cypherpunks mailing list subscribers then) There is more info at Peter's home page: http://www.access.digex.net/~pcw/pcwpage.html but I couldn't get to it when I tried just now. I got my copy from Border's in Houston on Sunday. He describes mimic functions, a particular interest of mine. He also covers basic encryption, error correction, secret sharing, compression, context free grammars, anonymous remailers, reversible computing, etc. There is an evaluation of several stego packages, and an inclusive (there isn't enough published about steganography to call it extensive) bibliography. The presentation is at an introductory, but not trivial level. I wish there had been more technical explanations, but I suppose the author would have lost a sizable fraction of an already tiny audience. By the way, "the people who participate on the cypherpunks mailing list" get a nice "thankyou" in the preface. Rick F. Hoselton (who doesn't claim to present opinions for others) From unicorn at schloss.li Tue May 7 02:38:57 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 7 May 1996 17:38:57 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: <01I4DYNHXPW28Y583T@mbcl.rutgers.edu> Message-ID: > > On Sun, 28 Apr 1996, jim bell wrote: > > [...] 
> > >While strong cryptography is powerful, and secure communications > >liberating, unplugging the phones would about cripple that 'weapon' for a > >while. Any group rebelling based only on high technology communication is > >an extremely vulnerable group, both to widespread denial of service, and > >more specific 'surgical' attacks. (Motorola stock anyone?) Watch your attribution, this is my quote. > > Wouldn't that partially depend on: > A. the level of backups - packet radio as a backup for phones, > for instance... a reason I've been forwarding the stuff on radio to here. > B. the necessity to the government of keeping what else may > depend on those phones - the economy - going. > -Allen > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From rah at shipwright.com Tue May 7 02:39:16 1996 From: rah at shipwright.com (Robert Hettinga) Date: Tue, 7 May 1996 17:39:16 +0800 Subject: Press Release: Ecash to be Issued by Deutsche Bank Message-ID: --- begin forwarded text Date: Tue, 7 May 1996 00:25:44 +0200 From: press at digicash.com To: ecash at digicash.com Subject: Press Release: Ecash to be Issued by Deutsche Bank Sender: owner-ecash at digicash.com Precedence: bulk Please find attached today's press release on our cooperation with Deutsche Bank. 
If you need any further information, please contact us at: press at digicash.com Kindest regards, Paul Dinnissen DigiCash BV --------------------------- PRESS RELEASE --------------------------- Release date: Tuesday, May 7, 1996 Amsterdam, The Netherlands ============================================== DigiCash's Ecash to be Issued by Deutsche Bank ============================================== DigiCash and Deutsche Bank are to launch a joint pilot project to test the use of electronic cash on the Internet. This will enable Deutsche Bank's clients to pay for information (ranging from magazine articles to stock quotes), services (from database searches to help desk support) and tangible goods (from mail order to pizzas) using any personal computer with access to the Internet. This new service will provide merchants and even private individuals with the solutions needed for doing business on the Internet. The project's technology is based on the ecash system, which won DigiCash the European Commission's 1995 Information Technology European Award (ITEA'95) for innovative technology. Ecash has been tested for several years and was used last autumn to issue the first ecash dollars in the USA. Apart from a PC, users do not need any special hardware or cards. They simply connect to Deutsche Bank's Internet site and download digital ecash coins onto their PC's hard disk, thereby debiting their accounts. These coins can later be used as needed to pay on the Internet with a single mouse-click. "In launching this pilot project, Deutsche Bank aims to test the possibilities of innovative payment forms and procedures and to expand their range of Internet services" says Dr. Wolfgang Johannsen, Head of Deutsche Bank's Department for Technological Development. "Ecash is a digital form of cash that works on the Internet where paper cash can't" according to Dr. David Chaum, founder and CEO of DigiCash. "Like cash, it offers consumers true privacy in what they buy. 
Yet, users can always recover their money if their computer crashes, and also prove who received their electronic cash in payment, making it unsuitable for criminal use. Thus ecash brings an improved form of cash to cyberspace, where it can be expected to catalyze an enormous growth in electronic commerce." DigiCash and Deutsche Bank see this launch as a major step towards the adoption of true electronic cash on the Internet. Contact DigiCash Amsterdam: Contact Deutsche Bank: Mr. Paul Dinnissen Mr. Schumacher / Mr. Thoma Tel: +31 20 665 2611 Tel: +49 69 910 33406 / 33405 Fax: +31 20 665 1126 Fax: +49 69 910 33422 / 38689 email: press at digicash.com http://www.digicash.com/ http://www.deutsche-bank.de/ (DigiCash and ecash are registered trademarks and should always be referred to as such) * * * DigiCash Backgrounder ===================== History and Mission ------------------- Since beginning operation in April 1990, DigiCash's mission and primary activity has been: to develop and license payment technology products--chip card, software only, and hybrid--that both show the true capability of technology to protect the interests of all participants and are competitive in the market. Founder ------- Dr. David Chaum, managing director of DigiCash, received his Ph.D. in Computer Science from the University of California at Berkeley, then taught at New York University Graduate School of Business Administration and at the University of California, and headed the Cryptography Group at CWI, the Dutch nationally funded center for research in mathematics and computer science, before taking his current position. He has published over 45 original technical articles on cryptography and also founded the International Association for Cryptologic Research. DigiCash Products ----------------- Blue: smart card technology for EMV & prepaid with dynamic public key. 
Conforms to joint Europay, MasterCard, Visa specifications; multiple applications, including loyalty and closed systems; superior data integrity in case of malicious/accidental interference or interruption; requires only the smallest and most proven chips, e.g. SC-24 or ST601; mask technology licensing. CAFE: smart card and card-accepting electronic wallet project. Consortium of 12 other members founded and chaired by Dr. Chaum of DigiCash; simulation, mask and first readers developed by DigiCash; technology trial at the EC headquarters building in participation with related open special interest group and partially funded by the EC. DyniCash: highway-speed road-toll collection system using smart cards. Chip card inserts into battery-powered dashboard unit; reflective backscatter microwave technology by industry leader Amtech; prepaid mode has user privacy; open and/or closed pricing schemes; tested extensively in Japan; non-exclusive licensing of the payment technology. Ecash: software only electronic cash system for internet/email. Users download software that can make and receive payments; protects users' money like travellers checks and privacy like coins; now operational after testing by over twenty thousand users world-wide; Macintosh, MS-Windows and X-Windows; any WWW browser; Mark Twain Bank currently issues ecash in US dollars and Mearita/EUnet issues digital Finnish marks; Posten has announced their license and intention to issue Swedish Kroner. Facility Card: complete facility management smart-card/reader system. Cash replacement, access control, and time/attendance system; now in schools, hospitals, industry, offices, recreation; interfaces to vending, point-of-sale, access control, copiers, phones, gaming; downloadable & upgradeable readers work on-line and/or off-line; sold through VAR's; over 100k cards in use in the Netherlands; Mars Electronics International will launch it globally in 1996. 
Ecash Backgrounder ================== How does ecash work? -------------------- Using ecash is as easy as using a virtual ATM (Automatic Teller Machine). When you connect over the Internet and authenticate your ownership of the account, you can withdraw money electronically. Instead of giving you bank notes, you are given digital coins which your software can store on your PC's hard disk. When you want to make a payment, you simply confirm the amount, payee and description of goods, with a mouse click you tell your ecash software to transfer coins of the correct value from your PC direct to the payee. Merchants, (ranging from casual participants in the global Internet bazaar to mega-retailers) can then deposit the digital coins into their ecash accounts. Behind the user interface, your computer actually creates 'serial' numbers for the electronic coins based on a random `seed'. Then it hides them in special encryption `envelopes', sends them to the electronic bank for `signature' and, when they are returned, removes the `envelopes' (retaining the bank's validating digital signature on the `serial' numbers). This way, when the bank (eventually) receives your coins, it cannot recognize them as coming from any particular withdrawal or account, because all coins are hidden from the bank during the withdrawal process. Therefore the bank cannot know when or where you shop, who you pay or what you buy. The `serial' number of each signed coin is unique, so that the bank can be sure that it never accepts the same coin twice. If you wish to identify the recipient of any of your payments, you may reveal the unique coin number and use your ecash software to prove that you created it and get the bank to confirm who deposited it. Your software can also re-create the `serial' numbers and `envelopes' from the `seed' that you wrote down when installing your account, thereby allowing all your coins to be re-created if your PC fails. How safe is ecash? 
------------------ Security is fundamental to electronic cash. The cryptographic coding that protects every 5 cent ecash payment is the same as that routinely relied upon for authenticating requests to move huge sums between banks and even for national security. But in principle ecash goes beyond such communications security to achieve true multiparty security: no one (buyer, seller, bank) can cheat anyone else, no matter how they might modify their own software. Even if two parties collude, they cannot cheat the third. Replacing paper and coins with ecash would make life much harder for criminals. Because the payer's computer chooses the `serial' numbers of the coins (as mentioned above), he or she can later irrefutably identify blackmarketeers, extortionists, and acceptors of bribes--were they to accept ecash. Paper notes, briefcases full of which can be passed from hand to hand without leaving any record, allow money laundering and tax evasion today. With ecash, however, all the amounts each person receives are known to their bank. Significant criminal activity could thus be thwarted by completely replacing paper money; moreover, the privacy which ecash offers would be essential to widespread acceptance of any electronic payment system. ------------------------- END PRESS RELEASE ------------------------- --- end forwarded text ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." 
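The withdrawal, deposit and seed-recovery steps from the Ecash Backgrounder above, as an added example that is not part of the forwarded press release and is not DigiCash's code. It assumes Chaum's RSA blind signature for the `envelopes' (the release names no algorithm), a constructed toy key that is far too small for real use, and hypothetical names such as Bank and coin_secrets.

```python
import hashlib
import hmac
import math

# Constructed toy bank key (assumption): two Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # bank's private signing exponent


def _prf(seed: bytes, label: bytes, index: int) -> bytes:
    """Deterministic per-coin bytes derived from the wallet seed."""
    return hmac.new(seed, label + index.to_bytes(4, "big"), hashlib.sha256).digest()


def coin_secrets(seed: bytes, index: int):
    """Re-creatable `serial' number and blinding factor for coin number `index`."""
    serial = _prf(seed, b"serial", index)
    counter = 0
    while True:
        r = int.from_bytes(_prf(seed, b"blind%d:" % counter, index), "big") % N
        if r > 1 and math.gcd(r, N) == 1:    # r must be invertible mod N
            return serial, r
        counter += 1


def digest(serial: bytes) -> int:
    """The value the bank's signature covers: a hash of the serial, reduced mod N."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def blind(serial: bytes, r: int) -> int:
    """Put the coin in its `envelope': multiply by r^E so the bank cannot read it."""
    return digest(serial) * pow(r, E, N) % N


def unblind(blind_sig: int, r: int) -> int:
    """Remove the envelope, leaving the bank's signature on the bare digest."""
    return blind_sig * pow(r, -1, N) % N


def valid(serial: bytes, sig: int) -> bool:
    """Anyone holding the bank's public key (N, E) can check a coin."""
    return pow(sig, E, N) == digest(serial)


class Bank:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.withdrawal_log = []    # (account, blinded value): all the bank sees
        self.spent = {}             # serial -> payee who deposited it

    def withdraw(self, account: str, blinded: int) -> int:
        """Debit one unit and sign the blinded value without learning the serial."""
        if self.balances.get(account, 0) < 1:
            raise ValueError("insufficient funds")
        self.balances[account] -= 1
        self.withdrawal_log.append((account, blinded))
        return pow(blinded, D, N)

    def deposit(self, payee: str, serial: bytes, sig: int) -> bool:
        """Accept a coin once; reject forgeries and serials already spent."""
        if not valid(serial, sig) or serial in self.spent:
            return False
        self.spent[serial] = payee
        self.balances[payee] = self.balances.get(payee, 0) + 1
        return True


def withdraw_coin(bank: Bank, account: str, seed: bytes, index: int):
    """Payer side of a withdrawal: derive, blind, get signed, unblind."""
    serial, r = coin_secrets(seed, index)
    return serial, unblind(bank.withdraw(account, blind(serial, r)), r)


if __name__ == "__main__":
    bank = Bank({"alice": 1})
    serial, sig = withdraw_coin(bank, "alice", b"constructed wallet seed", 0)
    print("coin valid:", valid(serial, sig))
    print("first deposit:", bank.deposit("shop", serial, sig))
    print("replayed deposit:", bank.deposit("mallory", serial, sig))
```

The payee recorded in `spent` is what lets a payer who reveals a serial ask the bank who deposited it, while the withdrawal log alone never links an account to a serial.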
--Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From jonl at well.com Tue May 7 02:43:37 1996 From: jonl at well.com (Jon Lebkowsky) Date: Tue, 7 May 1996 17:43:37 +0800 Subject: clambake Message-ID: <199605070410.VAA00280@well.com> Electronic Frontiers Forum, Thursday, May 9 Join Jerod Pore, keeper of the electronic Factsheet Five and way informed observer of the Church of Scientology's Internet bucket brigade, for an informal clambake around the virtual campfire. Those waves keep rollin' in... you can hear the ocean roar... *** Access info: Chats are at 7PM PDT Each Thursday Electronic Frontiers Forum at Club Wired, HotWired http://www.hotwired.com/eff Access to the Electronic Frontiers Forum in Club Wired at HotWired is by telnet to chat.wired.com:2428, or you can go to http://www.hotwired.com/club and click on "Enter Club Wired." The Electronic Frontiers Forum is on channel 03 (Cafe Wired). A login is required, but free and easy to get (go to http://www.hotwired.com/reception/form.html). -- Jon Lebkowsky http://www.well.com/~jonl Electronic Frontiers Forum, 7PM PST Thursdays From jimbell at pacifier.com Tue May 7 03:13:54 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 7 May 1996 18:13:54 +0800 Subject: The FBI/NSA's new escrow argument, DC crypto panel Message-ID: At 05:46 PM 5/6/96 -0400, Declan B. McCullagh wrote: >I just came back from the Online Services Industry conference held today >in Washington, DC at the Georgetown Four Seasons. It was very much a DC >thing, organized by Congressmen Jack Fields and Rick White (of the >Internet Caucus). 
> >The fourth panel was "Law Enforcement and Encryption in Cyberspace," >with this set of characters: > > * Edward Allen, supervisory special agent/section chief, FBI > * Clinton Brooks, advisor to the director, NSA > * Dorothy Denning, professor, Georgetown University > * Bruce Heiman, attorney, Preston Gates Ellis & Rouvelas Meeds > * Jim Lucier, director of economic research, Americans for Tax Reform > * Marc Rotenberg, director, EPIC >The FBI's Allen said: "We have talked to our foreign law enforcement >counterparts who are concerned with exporting strong crypto. Crime is >increasing internationally... There is not an international free market >for crypto. To a great degree, other nations have been relying on U.S. >export controls to maintain stasis. What bothers me about efforts being >proposed legally is that we're moving forward without understanding what >we're getting into... The efforts can go to order or chaos. We're in a >period where it could go to chaos." Maybe there's a sort of backhanded solution to this. I recall the story that, in the early 1970's, it was sport in MIT's AI Labs to try to crash the Unix computer. More and more protections were added, which eventually were worked around with more failures. Eventually, they found a beautiful solution: Add a command to the operating system, "Crash the computer!" which did exactly this. Suddenly, this goal became devalued, and nobody wanted to crash the computer anymore. Okay, what if a foreign distributor (very tiny, perhaps) was set up that loudly proclaimed that it would sell any crypto only legally available in the US, but had been smuggled out by people unknown and sent to it anonymously. (It would verify the genuineness by sending it back into the US, for verification, etc.) It announces that it is pleased to sell to everybody ESPECIALLY "terrorists, child-pornographers, drug smugglers, and other criminals." 
To keep from angering the software writers themselves, it would pay appropriate royalties to those whose works they had sold, but obviously they wouldn't ask permission to do this. At that point, any argument against the export of such software will fail, because the software already has a willing supplier overseas. Yes, this is the way it already is, sorta, but the difference is that there is nobody who enthusiastically claims that this is exactly what they're doing. Representatives of such a distributor can be called upon to appear at any debates, hearings, or other activities in order to spoil the arguments of Denning et al. Jim Bell jimbell at pacifier.com From dlv at bwalk.dm.com Tue May 7 03:13:59 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Tue, 7 May 1996 18:13:59 +0800 Subject: UK IP Censorship In-Reply-To: Message-ID: Rich Graves writes: > On Mon, 6 May 1996 anonymous-remailer at shell.portal.com wrote: > > Pipex - the UK arm of UUNet of the US - does not expect a > > backlash from users over the censorship. > > Let's see to it that they're wrong. > > [ObFUCKING-STATIST: while the article is newbiegarbled, as far as I can > tell, they're only blocking specific newsgroups, and not any IP routes, > which would be worse. IMO, ISPs have the right to block certain > newsgroups, as long as they tell customers what they're doing. HOWEVER, if > Pipex is as big an uber-ISP and news feeder of ISPs as UUNet is here, then > they've clearly gone over the line as far as I'm concerned. I don't care > if AOL blocks alt.sex.kiddie-porn, because the kiddie-porners can simply > move to a real ISP; but the big players have more of an obligation to act > as content-neutral common carriers.] UUNET in the US also blocks Usenet newsgroups it doesn't like. They're real unethical and dishonorable scumbags. Should we invent a protocol to encrypt the Newsgroups: header and hide the newsgroups that David Lawrence (spit) censors? :-) --- Dr. 
Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From reagle at mit.edu Tue May 7 04:06:41 1996 From: reagle at mit.edu (Joseph M. Reagle Jr.) Date: Tue, 7 May 1996 19:06:41 +0800 Subject: Georgia Internet Police Message-ID: <9605062120.AA09638@rpcp.mit.edu> X-within-URL: http://www.clark.net/pub/rothman/ga.htm [IMAGE] Needed: a first-rate lawyer who'll fight the Internet Police law in court. Click below on the "How We Can Educate" link for more info on constructive actions. Return to NetWorld! Book | Other Musing on Intellectual Property How We Can Educate Pols, Olympic Boosters and Other Georgians | Links of Interest Contest: Write the Best "Night the Lights Went Out in Georgia" Parody The Internet Police Law: The Day the Sites Went Out in Georgia? David H. Rothman | rothman at clark.net Linking your Web site to anyone else's without permission? Be glad you're not in Georgia--or be worried if you are. Gov. Zell Miller on the morning of April 18 signed into a law a piece of imbecility that the Marietta Daily Journal had dubbed the Internet Police bill. House Bill 1630 may prevent Webfolk from linking from their homepages against the wishes of the linkees--at least if the other guys' names or logos are used. Is 1630 a belated April Fool's joke? I've heard of Net-dumb pols, but Georgia has out-Exoned Exon--and maybe even out-Doled Dole. Shari Steele, an attorney with the Electronic Frontier Foundation, wrote Gov. Miller before the signing: "The language of the bill would make it illegal to create a button on our web site with Wired's 'trade name' or 'logo' without first obtaining 'permission or authorization' from Wired magazine." Whoops: oh, please, Wired--don't sue me. Actually that would be the state's job; you see, the law would let Georgia throw your posterior in jail for up to a year. Live out of state? 
As of this writing it was unclear how much of a danger extradition would pose--maybe none, given the lunacy of the law. Then again, there are rumors that California and other states may replicate Georgia's stupidity. The morning the Guv signed the bill, I dropped by the State of Georgia Home Page. Under "Search Engines and other Web Services" I saw a link to Yahoo. I'm glad the Georgia folks can use Yahoo from down there, rather than having to start their own. Imagine Yahoo needing permission for every link with a trademarked name. And what about a page displaying the results of a Lycos search? Now that would be fun. Can you imagine the Lycos computer e-mailing every site brought up--asking permission--before it listed Web addresses? I visited Zell Miller's Web area. Without the least irony, a headline read: "Governor Miller's Technology Initiatives Thrive." The page bragged about computers in classrooms. Just don't let the little brats grow up to start Yahoo Kudzu. According to the EFF, the same law might make it illegal even to mention a company's name on the Web without permission. True? Just imagine what this could mean to an online newspaper reviewing another publication's Web site. Already a software company outside Georgia has used existing intellectual property law to bully a reviewer. I've said it once, and I'll say it again: The media are damned fools if they support intellectual property zealotry of the kind we've seen out of Capitol Hill recently. Goodbye, First Amendment. These are national issues, alas, not just problems with the Georgia drinking water. If nothing else, I suspect that the good folks at the AT&T Business Network--the ones who run LeadStory.com, a collection of the day's hottest stories from online newspapers--may have some thoughts on the Georgia bill. To add to the fun, when I dropped by Cox Newspapers' big Web site for the Atlanta Journal-Constitution, I saw a "Surf Less. Know More" ad from LeadStory.com. 
At the Atlanta site's Net News I just happened to read a report on a trademark infringement suit that BellSouth had filed against an Internet directory called the Real InterNet Pages. Hmmm. Any connections here with the new law? And simply because BellSouth's print directories use the trademarked phrase "The Real Yellow Pages," is the company entitled to www.realpages.com--the smaller company's existing Web address? The Real InterNet Pages, after all, isn't saying, "www.realyellowpages.com." In any event one would hardly confuse the Real InterNet Pages with BellSouth; the pigmy tells visitors to its home page: "Not Affiliated, Associated or Connected with BellSouth or any BellSouth-related company." Coincidentally or not, the Internet Police bill was introduced by Don Parsons, a Net-innocent employee of BellSouth. According to the Conservative Policy Caucus in the Georgia House: "During floor debate, Rep. Parsons could not explain the concept of a link on a home page. It was clear to many that he had no idea of what the Internet was all about. Supposedly, his desire was to prevent 'misrepresentation' on the Internet. Parsons admitted that he had never been on the Internet, except looking over a colleague's shoulder at work." One can understand, then, why many Netfolks wonder if Parsons' employer has encouraged him to squelch competition at a time when the Baby Bells envision a Web full of Yellow Pages. Bell South vehemently denies a connection between it and the Parsons bill. Whatever the case, however, the legislation would help the Parsons' employer. Oh, I've read Parsons' stated reasons for his law. But in guarding against fraud and protecting intellectual property rights, do we really want to toss out the First Amendment? Jeff Kuester, a Net-hip attorney of intellectual property in Atlanta, says: "We should certainly strive for effective protection of intellectual property on the Web, but not by destroying this crucial part of the information superhighway. 
These links let people move seamlessly from Web site to Web site. They're as crucial to the Web as bridges are to our nation's system of concrete-and-asphalt roads. If nothing else, we should avoid denying Netizens the free speech guaranteed outside cyberspace." While Parsons has denied that his law would make unauthorized links illegal, its wording would suggest otherwise. Criticizing Parsons' work, the Conservative Policy Caucus quotes the essence of HB1630 as it could affect links, and I'll pass on a rough extract with some tweaks of my own for the sake of clarity and precision: "It shall be unlawful for any person...knowingly to transmit any data through a computer network...if such data uses any individual name, trade name, registered trademark, logo, legal or official seal or copyrighted symbol to falsely state or imply that such person...has permission or is legally authorized to use such trade name, registered trademark..." Granted, some might say that you could assume implied consent if any material is up on an open medium like the Web and you want to link to it with appropriate identification by name. But the law is still a big threat, given the new legal liabilities it creates for journalists, publishers, activists and many others. Suppose your story online won't read like a puff piece. Will you need your target's goodwill before you can link to the site of a polluter or other recipient of negative publicity? And what about linking privately? Suppose you're on a local area network in the newsroom and want to share information with colleagues by way of an internal Web page. Will you require at least your target's tacit consent before you can do so? Exactly what does HB1630 mean by "a computer network," just the external variety? 
Not in my extract above was this additional language: "for the purpose of setting up, maintaining, operating, or exchanging data with an electronic mailbox, home page, or any other electronic information storage bank or point of access to electronic information." Sounds as if the Internet Police law won't delight the Society for Professional Journalists, Investigative Reporters and Editors or the Reporter's Committee for Freedom of the Press. Bill 1630 also contains other goodies, according to the valuable April 17 issue of EFFector Online and the EFF's Steele. For example, Ms. Steele says the bill could criminalize the use of pseudonyms; I'd suspect that's of interest to, say, America Online or to safety-minded parents who want their children to log on with fake names. Besides, just what's a "false" name? Ms. Steele writes of someone with the user name of "elvis" and says: "Even my own user ID, which is ssteele, does not clearly distinguish me from others with the last name of Steele and the first initial 'S.'" I myself am another good example of the identity issues that arise on a global computer network. My publisher insisted on calling my book NetWorld!, and it was logical for me to set up a NetWorld! Web site but guess what? If you do an Alta Vista search, you'll also find thousands of "NetWorld" mentions from unrelated "NetWorld" sites and the rest of the Web. Among the others are Peter's Networld from Peter Heneback, a Swedish foreign exchange student at West Anchorage High School in Alaska; NETWorld Market Place; NetWorld Publishing; NetWorld Systems; Networld +Interop, which, yes, has been known to hold expos down in Atlanta; and NetWorld Limited, a Hong Kong consulting company. And I'm to worry about other "NetWorlds" and "Networlds" from Alaska to Atlanta and Asia? While trademark law has its place, we need to allow for reasonable interpretations. I asked Prima Publishing to consult an attorney before it used NetWorld! on pulped wood. 
No problem, I heard. But what happens to my book's online version if I'm in Georgia and trademark fanatics prevail in court? There and elsewhere, politicians keep babbling that they'll get government off our backs. What bilge. If Georgia politicians respect citizens' rights, why is the high-tech community talking of a lawsuit against the Internet Police law? Alas, the Georgia state legislature won't meet again until next year, but meanwhile Zell Miller might speak out against his baby before it frightens away millions of dollars of high-tech business. Perhaps he can at least promise to ask his attorney general not to enforce the Internet Police law. As long as the law is still alive, I myself will do everything I can to warn Netfolks that Georgia is a risky place for them to do business right now. Meanwhile, I suspect that the Internet Police law will be like Jim Exon's Communications Decency Act. Many people will just ignore it, further breaking down the respect of Generation Net for politicians and bureaucrats in general.

HOW TO PROTEST THE SILLINESS

The Internet Police bill--effective July 1, 1996--passed at least partly because politicians kowtowed to Big Bucks. Tell them they were wrong, that the bill will cost Georgia, that it's about as good for the state as Sherman's March was, that you'll tell your high-tech employer to stay the hell out of Georgia to avoid net.stupid regulations, that you'll think twice about attending the Olympics or buying goods that carry the Olympic logo. Let Georgia pols know that most Web sites thrive because of the ease of linking, not in spite of it. Time Magazine has zillions of links all over the Net. And without bureaucratic intervention, Netfolks already enjoy a wealth of phone- and Net-directories such as Yahoo's.
Tell the Georgians that the Internet Police bill is a creature of special interests such as phone companies and, yes, politicians trying to crimp uppity rivals, including those in the Conservative Caucus. Some establishmentarians hated the idea of the conservatives' using the official Georgia seal on their Web site. This issue transcends ideology--my own politics are progressive. Protesting, you should avoid obscenity. Be angry in a rational and responsible way. Don't justify the anti-Net stereotypes that technophobes love.

Georgia contacts

Gov. Zell Miller. I'd include an email address for Gov. Miller, but I couldn't find one--maybe I'm looking in the wrong locations on the Web, or perhaps in the wrong universe. His office phone number is 404-656-1776. Fax: 404-656-5948. Snail: Governor Zell Miller, State Capitol, Atlanta, Georgia 30334. It's just as well, actually, that you not use electronic mail since I doubt that the governor's office is that Net Aware. Otherwise why the Exon would he have signed this turkey?

Conservative Policy Caucus of the Georgia House of Representatives. You can email Georgia Representative Mitchell Kaye, the Webmaster, at webmaster at gahouse.com. Click here for Kaye's report on Parsons and the anti-Net law. Arm the Caucus with letters it can use to fight this atrocity. What the Net needs now, says Representative Kaye, is a court injunction against enforcement of the law. Anyone know a first-rate lawyer willing to work pro bono and make a name for himself or herself? If so, e-mail or phone Mitchell Kaye (770-998-2399), the legislator who so far has spent the most time and energy fighting the Internet Police law. Perhaps this case could be a natural for a group such as the American Civil Liberties Union or the Interactive Services Association, whose members include American Online, CompuServe and Prodigy, among others.
One legislator has talked of corrective legislation, but according to Kaye's current thinking, a court challenge at this point would be more effective, since other politicians could water down a bill. At any rate, a bill couldn't be formally introduced until January 1996; and, says Kaye, a court case could be the best approach. Stay tuned. Foes of the law are still sorting out their options as far as the best way to proceed.

E-mail addresses of members of the Georgia House, via the Conservative Policy Caucus. Remember, some of the people listed may be supporters of the Police Bill.

Names, addresses, home, office, and FAX numbers of state legislators. Click here and scroll down the list for contact information for Georgia House Speaker Thomas B. Murphy. Do not harass him--it'll just backfire. If you can manage, try instead to educate him; see if you can't save your anger for posts on the Net.

Don Parsons' phone number (770-728-8506) and FAX number (770-528-5754) and other contact info. Again, please avoid harassment! But do give him a piece of your mind; ideally you can fax Parsons, then email a cc: to Rep. Mitchell Kaye (mkaye at gahouse.com), a vehement critic of the Net Police law. First, read Don Parsons' defense of his baby. Among other things he writes that "Internet users - consumers, children, business people, clergy, etc., - have a right to expect that the Internet pages they visit are what they are presented to be." My response? Word on the Net circulates pretty quickly about frauds, and existing laws cover many situations. New, Internet-specific laws--against fraud or copyright violations--need to be much better crafted than HB1630 was. Above all, they must be infinitely more respectful of the First Amendment.

Georgia Attorney General Michael Bowers. His phone number is 404-656-4585; his fax number, 404-657-8733; and his snail address is: Judicial Building, Atlanta, Georgia 30334.

State of Georgia Home Page.
Poke around. Look for pressure points--people associated with tourism and other business. See below.

Georgia Department of Industry, Trade & Tourism, "Georgia's official state agency for developing new jobs and creating capital investment." Sign the guest book; register your company's lack of interest in relocating there while the Internet Police bill is in effect. Use the "Description of Business" field and ask that the Webmaster forward your opinion to policymakers.

Yahoo listings for 1996 Olympic Games. Use the "mailto's" (where you click to start writing a letter) and sign the guest books with protests against Georgia's medieval information policies.

1996 Olympic Games Home Page. Give 'em a piece of your mind on the feedback page.

BellSouth's Olympic links. Yes, BellSouth is an official sponsor. So if the Olympic folks take awhile to get the point, you'll know why. Of course you might try complaining to BellSouth itself--the president is Carl E. Swearington, telephone 770-391-2424; fax, 770-399-6355.

Cable News Network (CNN), whose Web site will be directly affected by the imbecility out of the state legislature. The feedback address is cnn.feedback at cnn.com. Give 'em permission to use your name and address on the feedback page. Oh, and while you're at it, you might ask CNN to forward your sentiments to Scott Woelfel, editor in chief of CNN Interactive. Tell him it's ok to link to this page, and suggest that the video part of CNN just might want to warn the world about the Internet Police bill.

E-mail, fax and snail addresses and phone numbers for the Georgia media--including the Atlanta papers and the Associated Press down there. From the Conservative Caucus.

Georgia Media List from Harden Political InfoSystems. Newspapers, magazines and broadcasters. Looks extremely comprehensive.

Thinking Right, a reader comment area of the Atlanta Journal. Speak up!
Let Atlanta know that Georgia's on your mind! The "Piney Pete Sez" column of April 20 says of the Internet Police bill: "What prompted this action was not widespread abuse. It was one little gadfly, Rep. Mitchell Kaye, who's been using the great seal of Georgia on his conservative Website. Needless to say, Kaye is a Republican and consequently shut out of any highway largess, concrete or electronic."

MORE LINKS

Full text of the Internet Police bill.

Electronic Frontier Foundation.

April 17 EFF newsletter with details on the Internet Police bill.

Bell South Denies Lobbying for the Police Law. Rep. Don Parsons, sponsor of House Bill 1630, works for BellSouth; but the company wrote attorney Jeff Kuester a letter saying Parsons does not serve as a lobbyist--and that the actual lobbyists were "totally unaware" of the company's suit against the Real InterNet Pages. The letter said, "Bell South did not draft, sponsor, promote or lobby for 1630. Bell South took no position on the legislation whatsoever other than, when it was brought to our attention, to recommend an exemption from liability for telephone companies and Internet access providers who provide transmission services for their customers." BellSouth did say that "it is probably overkill and unduly complicating to make the act of trademark infringement, misrepresentation and passing off on the Internet a crime under state law." The company also offered observations on the law's effects on links--thoughts with which the Electronic Frontier Foundation would undoubtedly disagree.

The Prize-winning Web Page of Jeff Kuester, the Net-hip intellectual property attorney mentioned earlier, who also has an engineering background and is active in groups such as IEEE.
You can bet that like Kuester, scads of other Georgians love the Net and are just as surprised and disappointed by the Internet Police law as the rest of us were. He has a page with relevant links about the law. Kuester (kuester at kuesterlaw.com) is working to bring state pols up to speed on Net law and technology, and he would like to expand his efforts at the national level. Send him a note if you're interested in helping out. A good cause! Note, too, the existence of a Congressional Internet Caucus. Education of policymakers is the best protection against Net-stupid legislation like HB1630. Perhaps even Parsons will see the light someday. Meanwhile, if you want to check out some first-class resources on the Net and intellectual property law, drop on by Kuester's site!

The Real InterNet Pages, the Net directory that the $18-billion BellSouth conglomerate is suing for alleged trademark infringement. BellSouth holds a trademark on the phrase "The Real Yellow Pages," but does that automatically entitle the company to "realpages.com" on the Net? Read why a BellSouth triumph could hurt you. The boys at realpages.com have put together a nice Web page with a yellow background ("we don't think they own the color yellow either"). E-mail your support to Don Madey at dmadey at realpages.com. Any lawyers out there willing to do pro bono? Publicity from such a case could be an excellent career-enhancer.

c|net News Article on the Police Law.

Georgia Cyberphobes, the Augusta Chronicle's editorial against the Net police bill--written just before Gov. Miller signed it. The Chronicle didn't see the HR1630's trademark-related language as a threat but objected to the attack on online anonymity. It called for Miller to veto the bill.

Editor and Publisher. He explains how links help electronic newspapers. Note: The just-supplied link will soon disappear, but when that happens, you might be able to find the column in his archives.
YOUR OWN "NIGHT THE LIGHTS WENT OUT" PARODY? I'M LOOKING FOR THE RIGHT ONE

Who can come up with the best "Night the Lights Went Out in Georgia" parody--in the spirit of this site? Give it a shot. May 18 is the contest deadline, and I may extend it if Netfolks are too angry to concentrate long enough to come up with a quotable parody. No prizes, just some exquisite notoriety. Please do not enter, of course, if you mind having scads of other Web sites link to your words. -David H. Rothman, rothman at clark.net

Linking Encouraged. No Permission Needed from Me, Especially if You're in Georgia!

_______________________
Regards, Men govern nothing with more difficulty than their tongues, and can moderate their desires more than their words. -Spinoza Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E

From attila at primenet.com Tue May 7 04:13:59 1996 From: attila at primenet.com (attila) Date: Tue, 7 May 1996 19:13:59 +0800 Subject: Arguments _against_ privacy, anyone? Message-ID: <199605070555.WAA18449@primenet.com> Date: Sun, 21 Apr 1996 15:58:03 -0700 (PDT) ***where do some of these people get off the bus? >From: Phil Agre Subject: Call for bad arguments against privacy * "We've lost so much of our privacy anyway." ***and that justifies stripping you of the rest, correct? * "Privacy is an obsolete Victorian hang-up." ***arrest that man for public nudity! * "Ideas about privacy are culturally specific and it is thus impossible to define privacy in the law without bias." ***let me ask you, boy, just what the fuck you mean? * "We have strong security on our data." ***yawn... * "National identity cards protect privacy by improving authentication and data security."
***you must like to mutilate your body when they insert the chip? * "Informational privacy can be protected by converting it into a property right." ***yes, if you not consider that the concept of property rights, i.e. title, must be defined byins contents? * "We have to balance privacy against industry concerns." ***what's good for General Motors is good for the country. * "Privacy paranoids want to turn back the technological clock." ***yes, number 4078956898346, your comment has been registered. * "Most people are privacy pragmatists who can be trusted to make intelligent trade-offs between functionality and privacy." ***yes, just like people are inherently good, unless the issue is money. * "Our lives will inevitably become visible to others, so the real issue is mutual visibility, achieving a balance of power by enabling us to watch the people who are watching us." ***yes, you do not throw stones at others who live in glass houses. * "Once you really analyze it, the concept of privacy is so nebulous that it provides no useful guidance for action." ***oh, it is better that government take no action??? * "People *want* these systems, as indicated by the percentage of them who sign up for them once they become available." ***dale carnegie: will you ever quit selling your ideas! * "Concern for privacy is anti-social and obstructs the building of a democratic society." ***aaaah, taxation by representation? * "Privacy regulation is just one more category of government interference in the market, which after all is much better at weighing individuals' relative preferences for privacy and everything else than bureaucratic rules could ever be." ***huuh? * "There's no privacy in public." ***no? try screaming 'rape' in NYC * "We favor limited access." ***to just the thought police? * "Privacy in these systems has not emerged as a national issue." -- Overseeing first-rate programmers is a managerial challenge roughly comparable to herding cats. 
cc: Cypherpunks Phil Agre From attila at primenet.com Tue May 7 04:20:09 1996 From: attila at primenet.com (attila) Date: Tue, 7 May 1996 19:20:09 +0800 Subject: Arguments _against_ privacy, anyone? Message-ID: <199605070552.WAA04190@primenet.com> Date: Sun, 21 Apr 1996 15:58:03 -0700 (PDT) ***where do some of these people get off the bus? >From: Phil Agre Subject: Call for bad arguments against privacy * "We've lost so much of our privacy anyway." ***and that justifies stripping you of the rest, correct? * "Privacy is an obsolete Victorian hang-up." ***arrest that man for public nudity! * "Ideas about privacy are culturally specific and it is thus impossible to define privacy in the law without bias." ***let me ask you, boy, just what the fuck you mean? * "We have strong security on our data." ***yawn... * "National identity cards protect privacy by improving authentication and data security." ***you must like to mutilate your body when they insert the chip? * "Informational privacy can be protected by converting it into a property right." ***yes, if you not consider that the concept of property rights, i.e. title, must be defined byins contents? * "We have to balance privacy against industry concerns." ***what's good for General Motors is good for the country. * "Privacy paranoids want to turn back the technological clock." ***yes, number 4078956898346, your comment has been registered. * "Most people are privacy pragmatists who can be trusted to make intelligent trade-offs between functionality and privacy." ***yes, just like people are inherently good, unless the issue is money. * "Our lives will inevitably become visible to others, so the real issue is mutual visibility, achieving a balance of power by enabling us to watch the people who are watching us." ***yes, you do not throw stones at others who live in glass houses. * "Once you really analyze it, the concept of privacy is so nebulous that it provides no useful guidance for action." 
***oh, it is better that government take no action??? * "People *want* these systems, as indicated by the percentage of them who sign up for them once they become available." ***dale carnegie: will you ever quit selling your ideas! * "Concern for privacy is anti-social and obstructs the building of a democratic society." ***aaaah, taxation by representation? * "Privacy regulation is just one more category of government interference in the market, which after all is much better at weighing individuals' relative preferences for privacy and everything else than bureaucratic rules could ever be." ***huuh? * "There's no privacy in public." ***no? try screaming 'rape' in NYC * "We favor limited access." ***to just the thought police? * "Privacy in these systems has not emerged as a national issue." -- Overseeing first-rate programmers is a managerial challenge roughly comparable to herding cats. cc: Cypherpunks Phil Agre From attila at primenet.com Tue May 7 04:22:25 1996 From: attila at primenet.com (attila) Date: Tue, 7 May 1996 19:22:25 +0800 Subject: Why Leahy is No Friend of Ours Message-ID: <199605070553.WAA04253@primenet.com> Addressed to: E. ALLEN SMITH Cypherpunks ** Reply to note from E. ALLEN SMITH 05/06/96 8:47pm = To: attila at primenet.com = = From: IN%"attila at primenet.com" "attila" 5-MAY-1996 21:36:54.93 = = > how many _truly_ "populist" presidents have we elected? = = SMITH: = Given the numbers of times that a democracy has done more harm than = good to civil liberties (Prohibition, the election of Islamic Fundamentalists = in Algeria, etcetera), we don't _want_ a "populist"/demagogue president. We = want someone in charge (to whatever degree that someone has to be in charge) = who will respect civil liberties. The masses aren't going to elect such a = person; they prefer protection to liberty and always will. = = ATTILA: democracy is _never_ the ideal government. the difference in the American government is that it is a _republic_. 
the problem with a republic in the techno age is that the press and/or advertising creates the images --and can be bought, stolen, coerced, etc. my intent is to "lament" that the American voters do not influence the choice of candidates --who are vetted by money, or money's interests. most may not wish to consider the hidden importance of the CFR and related groups --it is not a conspiracy; it is just another group with an agenda --except they have the money and influence to _buy_ the agenda over time --and on their schedule. = > ATTILA: = > "They that give up essential liberty to obtain a little = > temporary safety deserve neither liberty nor safety." = > --Ben Franklin (Historical Review of PA -1759) = > = > and, the bottom line is: = > = > "It is not the function of our Government to keep the citizen = > from falling into error; = > it is the function of the citizen to keep the Government = > from falling into error." = > --Robert H. Jackson (1892-1954), U.S. Judge = = Quite. = -Allen -- Overseeing first-rate programmers is a managerial challenge roughly comparable to herding cats. From attila at primenet.com Tue May 7 04:23:45 1996 From: attila at primenet.com (attila) Date: Tue, 7 May 1996 19:23:45 +0800 Subject: Arguments _against_ privacy, anyone? Message-ID: <199605070538.WAA22719@primenet.com> Date: Sun, 21 Apr 1996 15:58:03 -0700 (PDT) ***where do some of these people get off the bus? >From: Phil Agre Subject: Call for bad arguments against privacy * "We've lost so much of our privacy anyway." ***and that justifies stripping you of the rest, correct? * "Privacy is an obsolete Victorian hang-up." ***arrest that man for public nudity! * "Ideas about privacy are culturally specific and it is thus impossible to define privacy in the law without bias." ***let me ask you, boy, just what the fuck you mean? * "We have strong security on our data." ***yawn... * "National identity cards protect privacy by improving authentication and data security."
***you must like to mutilate your body when they insert the chip? * "Informational privacy can be protected by converting it into a property right." ***yes, if you not consider that the concept of property rights, i.e. title, must be defined byins contents? * "We have to balance privacy against industry concerns." ***what's good for General Motors is good for the country. * "Privacy paranoids want to turn back the technological clock." ***yes, number 4078956898346, your comment has been registered. * "Most people are privacy pragmatists who can be trusted to make intelligent trade-offs between functionality and privacy." ***yes, just like people are inherently good, unless the issue is money. * "Our lives will inevitably become visible to others, so the real issue is mutual visibility, achieving a balance of power by enabling us to watch the people who are watching us." ***yes, you do not throw stones at others who live in glass houses. * "Once you really analyze it, the concept of privacy is so nebulous that it provides no useful guidance for action." ***oh, it is better that government take no action??? * "People *want* these systems, as indicated by the percentage of them who sign up for them once they become available." ***dale carnegie: will you ever quit selling your ideas! * "Concern for privacy is anti-social and obstructs the building of a democratic society." ***aaaah, taxation by representation? * "Privacy regulation is just one more category of government interference in the market, which after all is much better at weighing individuals' relative preferences for privacy and everything else than bureaucratic rules could ever be." ***huuh? * "There's no privacy in public." ***no? try screaming 'rape' in NYC * "We favor limited access." ***to just the thought police? * "Privacy in these systems has not emerged as a national issue." -- Overseeing first-rate programmers is a managerial challenge roughly comparable to herding cats. 
cc: Cypherpunks Phil Agre From stewarts at ix.netcom.com Tue May 7 04:24:45 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Tue, 7 May 1996 19:24:45 +0800 Subject: fixing netscape Message-ID: <199605070634.XAA14016@toad.com> At 10:49 PM 5/6/96 -0500, you wrote: >http://reality.sgi.com/grafica/framefree > >This doesn't have any direct crypto relevance -- it's a program >that improves navigator binaries by modifying them so they won't >understand frames. I'm a little surprised that we didn't think >of this when we were waiting for Jeff to allow us to turn off >javascript. Ouch - that's a slightly scary piece of code, though it should probably work ok if you get the details correct for your operating system. It patches the binary to xxxxxx out the strings "frameset" and "noframes"; I suppose you could do something similar to kill Java. I'd been expecting maybe a web proxy that would eat frame requests, which could be adapted to kill off Javascripts as well. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 # goodtimes signature virus innoculation From attila at primenet.com Tue May 7 04:27:58 1996 From: attila at primenet.com (attila) Date: Tue, 7 May 1996 19:27:58 +0800 Subject: Arguments _against_ privacy, anyone? Message-ID: <199605070529.WAA25038@primenet.com> Date: Sun, 21 Apr 1996 15:58:03 -0700 (PDT) ***where do some of these people get off the bus? >From: Phil Agre Subject: Call for bad arguments against privacy * "We've lost so much of our privacy anyway." ***and that justifies stripping you of the rest, correct? * "Privacy is an obsolete Victorian hang-up." ***arrest that man for public nudity! * "Ideas about privacy are culturally specific and it is thus impossible to define privacy in the law without bias." ***let me ask you, boy, just what the fuck you mean? * "We have strong security on our data." ***yawn... * "National identity cards protect privacy by improving authentication and data security."
***you must like to mutilate your body when they insert the chip? * "Informational privacy can be protected by converting it into a property right." ***yes, if you not consider that the concept of property rights, i.e. title, must be defined byins contents? * "We have to balance privacy against industry concerns." ***what's good for General Motors is good for the country. * "Privacy paranoids want to turn back the technological clock." ***yes, number 4078956898346, your comment has been registered. * "Most people are privacy pragmatists who can be trusted to make intelligent trade-offs between functionality and privacy." ***yes, just like people are inherently good, unless the issue is money. * "Our lives will inevitably become visible to others, so the real issue is mutual visibility, achieving a balance of power by enabling us to watch the people who are watching us." ***yes, you do not throw stones at others who live in glass houses. * "Once you really analyze it, the concept of privacy is so nebulous that it provides no useful guidance for action." ***oh, it is better that government take no action??? * "People *want* these systems, as indicated by the percentage of them who sign up for them once they become available." ***dale carnegie: will you ever quit selling your ideas! * "Concern for privacy is anti-social and obstructs the building of a democratic society." ***aaaah, taxation by representation? * "Privacy regulation is just one more category of government interference in the market, which after all is much better at weighing individuals' relative preferences for privacy and everything else than bureaucratic rules could ever be." ***huuh? * "There's no privacy in public." ***no? try screaming 'rape' in NYC * "We favor limited access." ***to just the thought police? * "Privacy in these systems has not emerged as a national issue." -- Overseeing first-rate programmers is a managerial challenge roughly comparable to herding cats. 
cc: Cypherpunks Phil Agre From attila at primenet.com Tue May 7 04:28:20 1996 From: attila at primenet.com (attila) Date: Tue, 7 May 1996 19:28:20 +0800 Subject: Why Leahy is No Friend of Ours Message-ID: <199605070529.WAA25075@primenet.com> Addressed to: E. ALLEN SMITH Cypherpunks ** Reply to note from E. ALLEN SMITH 05/06/96 8:47pm = To: attila at primenet.com = = From: IN%"attila at primenet.com" "attila" 5-MAY-1996 21:36:54.93 = = > how many _truly_ "populist" presidents have we elected? = = SMITH: = Given the numbers of times that a democracy has done more harm than = good to civil liberties (Prohibition, the election of Islamic Fundamentalists = in Algeria, etcetera), we don't _want_ a "populist"/demagogue president. We = want someone in charge (to whatever degree that someone has to be in charge) = who will respect civil liberties. The masses aren't going to elect such a = person; they prefer protection to liberty and always will. = = ATTILA: democracy is _never_ the ideal government. the difference in the American government is that it is a _republic_. the problem with a republic in the techno age is that the press and/or advertising creates the images --and can be bought, stolen, coerced, etc. my intent is to "lament" that the American voters do not influence the choice of candidates --who are vetted by money, or money's interests. most may not wish to consider the hidden importance of the CFR and related groups --it is not a conspiracy; it is just another group with an agenda --except they have the money and influence to _buy_ the agenda over time --and on their schedule. = > ATTILA: = > "They that give up essential liberty to obtain a little = > temporary safety deserve neither liberty nor safety."
= > --Ben Franklin (Historical Review of PA -1759) = > = > and, the bottom line is: = > = > "It is not the function of our Government to keep the citizen = > from falling into error; = > it is the function of the citizen to keep the Government = > from falling into error." = > --Robert H. Jackson (1892-1954), U.S. Judge = = Quite. = -Allen -- Overseeing first-rate programmers is a managerial challenge roughly comparable to herding cats. From attila at primenet.com Tue May 7 04:31:59 1996 From: attila at primenet.com (attila) Date: Tue, 7 May 1996 19:31:59 +0800 Subject: Why Leahy is No Friend of Ours Message-ID: <199605070555.WAA18489@primenet.com> Addressed to: E. ALLEN SMITH Cypherpunks ** Reply to note from E. ALLEN SMITH 05/06/96 8:47pm = To: attila at primenet.com = = From: IN%"attila at primenet.com" "attila" 5-MAY-1996 21:36:54.93 = = > how many _truly_ "populist" presidents have we elected? = = SMITH: = Given the numbers of times that a democracy has done more harm than = good to civil liberties (Prohibition, the election of Islamic Fundamentalists = in Algeria, etcetera), we don't _want_ a "populist"/demagogue president. We = want someone in charge (to whatever degree that someone has to be in charge) = who will respect civil liberties. The masses aren't going to elect such a = person; they prefer protection to liberty and always will. = = ATTILA: democracy is _never_ the ideal government. the difference in the American government is that it is a _republic_. the problem with a republic in the techno age is that the press and/or advertising creates the images --and can be bought, stolen, coerced, etc. my intent is to "lament" that the American voters do not influence the choice of candidates --who are vetted by money, or money's interests.
most may not wish to consider the hidden importance of the CFR and related groups --it is not a conspiracy; it is just another group with an agenda --except they have the money and influence to _buy_ the agenda over time --and on their schedule. = > ATTILA: = > "They that give up essential liberty to obtain a little = > temporary safety deserve neither liberty nor safety." = > --Ben Franklin (Historical Review of PA -1759) = > = > and, the bottom line is: = > = > "It is not the function of our Government to keep the citizen = > from falling into error; = > it is the function of the citizen to keep the Government = > from falling into error." = > --Robert H. Jackson (1892-1954), U.S. Judge = = Quite. = -Allen -- Overseeing first-rate programmers is a managerial challenge roughly comparable to herding cats. From attila at primenet.com Tue May 7 04:35:28 1996 From: attila at primenet.com (attila) Date: Tue, 7 May 1996 19:35:28 +0800 Subject: Why Leahy is No Friend of Ours Message-ID: <199605070532.WAA28709@primenet.com> Addressed to: E. ALLEN SMITH Cypherpunks ** Reply to note from E. ALLEN SMITH 05/06/96 8:47pm = To: attila at primenet.com = = From: IN%"attila at primenet.com" "attila" 5-MAY-1996 21:36:54.93 = = > how many _truly_ "populist" presidents have we elected? = = SMITH: = Given the numbers of times that a democracy has done more harm than = good to civil liberties (Prohibition, the election of Islamic Fundamentalists = in Algeria, etcetera), we don't _want_ a "populist"/demagogue president. We = want someone in charge (to whatever degree that someone has to be in charge) = who will respect civil liberties. The masses aren't going to elect such a = person; they prefer protection to liberty and always will. = = ATTILA: democracy is _never_ the ideal government. the difference in the American government is that it is a _republic_.
the problem with a republic in the techno age is that the press and/or advertising creates the images --and can be bought, stolen, coerced, etc. my intent is to "lament" that the American voters do not influence the choice of candidates --who are vetted my money, or money's interests. most mat not wish to consider the hidden importance of the CFR and related groups --it is not a conspiracy; it is just another group with an agenda --except they have the money and influence to _buy_ the agenda over time --amd on their schedule. = > ATTILA: = > "They that give up essential liberty to obtain a little = > temporary safety deserve neither liberty nor safety." = > --Ben Franklin (Historical Review of PA -1759) = > = > and, the bottom line is: = > = > "It is not the function of our Government to keep the citizen = > from falling into error; = > it is the function of the citizen to keep the Government = > from falling into error." = > --Robert H. Jackson (1892-1954), U.S. Judge = = Quite. = -Allen -- Overseeing first-rate programmers is a managerial challenge roughly comparable to herding cats. From attila at primenet.com Tue May 7 05:06:18 1996 From: attila at primenet.com (attila) Date: Tue, 7 May 1996 20:06:18 +0800 Subject: Why Leahy is No Friend of Ours Message-ID: <199605070538.WAA22765@primenet.com> Addressed to: E. ALLEN SMITH Cypherpunks ** Reply to note from E. ALLEN SMITH 05/06/96 8:47pm = To: attila at primenet.com = = From: IN%"attila at primenet.com" "attila" 5-MAY-1996 21:36:54.93 = = > how many _truly_ "populist" presidents have we elected? = = SMITH: = Given the numbers of times that a democracy has done more harm than = good to civil liberties (Prohibition, the election of Islamic Fundamentalists = in Algeria, etcetera), we don't _want_ a "populist"/demagogue president. We = want someone in charge (to whatever degree that someone has to be in charge) = who will respect civil liberties. 
The masses aren't going to elect such a = person; they prefer protection to liberty and always will. = = ATTILA: democracy is _never_ the ideal government. the difference in the American government is that it is a _republic_. the problem with a republic in the techno age is that the press and/or advertising creates the images --and can be bought, stolen, coerced, etc. my intent is to "lament" that the American voters do not influence the choice of candidates --who are vetted my money, or money's interests. most mat not wish to consider the hidden importance of the CFR and related groups --it is not a conspiracy; it is just another group with an agenda --except they have the money and influence to _buy_ the agenda over time --amd on their schedule. = > ATTILA: = > "They that give up essential liberty to obtain a little = > temporary safety deserve neither liberty nor safety." = > --Ben Franklin (Historical Review of PA -1759) = > = > and, the bottom line is: = > = > "It is not the function of our Government to keep the citizen = > from falling into error; = > it is the function of the citizen to keep the Government = > from falling into error." = > --Robert H. Jackson (1892-1954), U.S. Judge = = Quite. = -Allen -- Overseeing first-rate programmers is a managerial challenge roughly comparable to herding cats. From attila at primenet.com Tue May 7 05:15:27 1996 From: attila at primenet.com (attila) Date: Tue, 7 May 1996 20:15:27 +0800 Subject: Arguments _against_ privacy, anyone? Message-ID: <199605070532.WAA28666@primenet.com> Date: Sun, 21 Apr 1996 15:58:03 -0700 (PDT) ***where do some of these people get off the bus? >From: Phil Agre Subject: Call for bad arguments against privacy * "We've lost so much of our privacy anyway." ***and that justifies stripping you of the rest, correct? * "Privacy is an obsolete Victorian hang-up." ***arrest that man for public nudity! 
* "Ideas about privacy are culturally specific and it is thus impossible to define privacy in the law without bias."
***let me ask you, boy, just what the fuck you mean?
* "We have strong security on our data."
***yawn...
* "National identity cards protect privacy by improving authentication and data security."
***you must like to mutilate your body when they insert the chip?
* "Informational privacy can be protected by converting it into a property right."
***yes, if you do not consider that the concept of property rights, i.e. title, must be defined by its contents?
* "We have to balance privacy against industry concerns."
***what's good for General Motors is good for the country.
* "Privacy paranoids want to turn back the technological clock."
***yes, number 4078956898346, your comment has been registered.
* "Most people are privacy pragmatists who can be trusted to make intelligent trade-offs between functionality and privacy."
***yes, just like people are inherently good, unless the issue is money.
* "Our lives will inevitably become visible to others, so the real issue is mutual visibility, achieving a balance of power by enabling us to watch the people who are watching us."
***yes, you do not throw stones at others who live in glass houses.
* "Once you really analyze it, the concept of privacy is so nebulous that it provides no useful guidance for action."
***oh, it is better that government take no action???
* "People *want* these systems, as indicated by the percentage of them who sign up for them once they become available."
***dale carnegie: will you ever quit selling your ideas!
* "Concern for privacy is anti-social and obstructs the building of a democratic society."
***aaaah, taxation by representation?
* "Privacy regulation is just one more category of government interference in the market, which after all is much better at weighing individuals' relative preferences for privacy and everything else than bureaucratic rules could ever be."
***huuh?
* "There's no privacy in public."
***no? try screaming 'rape' in NYC
* "We favor limited access."
***to just the thought police?
* "Privacy in these systems has not emerged as a national issue."
-- Overseeing first-rate programmers is a managerial challenge roughly comparable to herding cats. cc: Cypherpunks Phil Agre
From John at loverso.southborough.ma.us Tue May 7 12:30:33 1996 From: John at loverso.southborough.ma.us (John Robert LoVerso) Date: Wed, 8 May 1996 03:30:33 +0800 Subject: fixing netscape In-Reply-To: <199605070349.WAA01122@proust.suba.com> Message-ID: <07May96.082945@LoVerso.Southborough.MA.US>
It's a shame he wrote all that C code when this suffices

    perl -i.orig -pe '
        s/\bnoframes\b/nofraMes/g;
        s/\bframeset\b/fraMeset/g' netscape*

also, you don't need to xxxx out the tags; Netscape downcases incoming HTML and then uses strcmp(). John
From Clay.Olbon at dynetics.com Tue May 7 13:19:18 1996 From: Clay.Olbon at dynetics.com (Clay Olbon II) Date: Wed, 8 May 1996 04:19:18 +0800 Subject: Why I Pay Too Much in Taxes Message-ID: At 4:20 PM 5/6/96, E. ALLEN SMITH wrote: >From: IN%"frissell at panix.com" "Duncan Frissell" 6-MAY-1996 16:04:24.96 > >>Actually, as a percentage of income, tax evasion is probably more prevalent >>among the poor than the rich. Because they are less exposed. Studies of >>spending show that the poorest 20% of Americans spend twice their reported >>income. > > Quite. The poor can get away with this for multiple reasons, including >being on more of a cash-based economy. But the largest reason is probably >that the IRS doesn't care nearly as much about each individual at the low >end of the income ladder as they do about any evasion involving a lot of money. >Now, the low end tax evasion probably costs the government a lot more than >the rich does... but it's also a lot harder to pursue. > -Allen There are a couple of main reasons that the poor spend more than their reported income. First, many of the elderly are included in the "poorest 20%", since this is based on income alone and not net worth. Many of the elderly are spending down their retirement savings. Another factor, of course, is that welfare, food stamps, free/subsidized housing and other transfer payments are not included in income calculations.
I have seen reports that show that in many states, this is equivalent to a full-time job paying ~$9/hr. Not showing these as income helps keep the "official" poverty rate high. I'm not sure if social security is included in income calculations for "poverty rate" purposes, anyone know? Clay --------------------------------------------------------------------------- Clay Olbon II | Clay.Olbon at dynetics.com Systems Engineer | ph: (810) 589-9930 fax 9934 Dynetics, Inc., Ste 302 | http://www.msen.com/~olbon/olbon.html 550 Stephenson Hwy | PGP262 public key: on web page Troy, MI 48083-1109 | pgp print: B97397AD50233C77523FD058BD1BB7C0 TANSTAAFL ---------------------------------------------------------------------------
From Clay.Olbon at dynetics.com Tue May 7 13:23:32 1996 From: Clay.Olbon at dynetics.com (Clay Olbon II) Date: Wed, 8 May 1996 04:23:32 +0800 Subject: Why I Pay Too Much in Taxes Message-ID: At 5:34 PM 5/6/96, Timothy C. May wrote: >Also, the effect of inflation has been to inflate salaries and thus inflate >people into higher tax brackets, even when their "real wages" have not gone >up. This used to be true. A bill passed during the Reagan administration indexed the brackets to inflation to remedy this situation. I don't know how successful the bill was in eliminating "bracket creep", but that was the stated purpose. >If we ever get really bad inflation again (>10% per year, as we had in the >late 70s, early 90s), or, God forbid, hyper-inflation, the tax system will >likely not survive in anything near its current form. Hopefully the system won't survive no matter what the inflation rate is. Clay
From unicorn at schloss.li Tue May 7 17:07:47 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 8 May 1996 08:07:47 +0800 Subject: Why I Pay Too Much in Taxes In-Reply-To: Message-ID: On Mon, 6 May 1996, Timothy C.
May wrote: > By the way, as long as I've added another comment to this not-very-relevant > thread (but one which has generated a lot of comments, so it's hard to hard > folks aren't interested), I should mention that I left out the effects of > INFLATION in my "60%" figure. [...] > Also, the effect of inflation has been to inflate salaries and thus inflate > people into higher tax brackets, even when their "real wages" have not gone > up. > > If we ever get really bad inflation again (>10% per year, as we had in the > late 70s, early 90s), or, God forbid, hyper-inflation, the tax system will > likely not survive in anything near its current form.
Section 1(f) of the Federal Income Tax Code provides:
(f) Adjustments in Tax Tables so that Inflation Will Not Result in Tax Increases.-
(1) In General.- Not later than December 15 of 1993, and each subsequent calendar year, the Secretary shall prescribe tables which shall apply in lieu of the tables contained in [the tables which define the tax brackets] with respect to taxable years beginning in the succeeding calendar year.
(2) Method of prescribing tables.- [The tables] shall be prescribed-
(A) by increasing the minimum and maximum dollar amounts for each rate bracket for which a tax is imposed under such table by the cost-of-living adjustment for such calendar year,
(B) by not changing the rate applicable to any rate bracket as adjusted under subparagraph (A), and
(C) by adjusting the amounts setting forth the tax to the extent necessary to reflect the adjustments in the rate brackets.
[deletions]
This, at least, has been considered. > > --Tim May > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp.
Counsel: For all your expert testimony needs: jimbell at pacifier.com
From raph at cs.berkeley.edu Tue May 7 17:16:27 1996 From: raph at cs.berkeley.edu (Raph Levien) Date: Wed, 8 May 1996 08:16:27 +0800 Subject: PGP, Inc. In-Reply-To: <01I4E39N3LA28Y583T@mbcl.rutgers.edu> Message-ID: <318F622D.5ABACBD6@cs.berkeley.edu> E. ALLEN SMITH wrote: > > Can one use a web-of-trust for S/MIME, for the cases when a structured > hierarchy is exactly the _wrong_ thing to use? I'd think so, but I don't know > anything about it. The S/MIME spec indicates the use of X.509v3 certificates, which, in turn, are explicitly allowed to contain trust roots originating in the client's local configuration. In other words, yes, the spec allows for a Web of trust. The big question, of course, is how easy the key management will be in such a case. Everything I've seen points to key management being super-easy if you use VeriSign certs, and probably just as bad as PGP otherwise. Unlike PGP, most e-mail clients will probably not come configured with the capability to sign other keys - in the X.500 world, e-mail clients and "certification authorities" are two separate applications. But it's too early to tell. There's a lot of ferment happening here. Raph
From Ryan.Russell at sybase.com Tue May 7 17:19:41 1996 From: Ryan.Russell at sybase.com (Ryan Russell/SYBASE) Date: Wed, 8 May 1996 08:19:41 +0800 Subject: Is the network layer geodesic? Message-ID: <9605071548.AA20120@notesgw2.sybase.com> Actually, MAE-WEST and much of the MCI net is now OC-3, and the remaining DS3 lines will be upgraded soon. And yes, it still doesn't take many T3's to fill that up, but don't forget that networks are designed with serious overbooking in mind, and IP's back-off algorithm seems to work real well in this situation. Ryan ---------- Previous Message ---------- To: rah cc: cypherpunks From: fair @ clock.org ("Erik E. Fair" (Time Keeper)) @ smtp Date: 05/06/96 07:58:46 PM Subject: Re: Is the network layer geodesic?
The principal problem is that public exchange points do not scale beyond current LAN technology (i.e. half-duplex 100 Mb/s FDDI or Ethernet), and how many DS3 (T3; 45Mb/s full-duplex!) pipes does it take to fill that up? Two. Now, drop a DEC GIGAswitch in there (16 FDDI ports, 3.2Gb/s backplane), and now you can have sixteen peers on the exchange. Last count I saw, there are 1,800 ISPs operating in the USA alone, and *everyone* wants to be at the exchange points. Oops. How many exchange points are there? Well: NSF Network Access Points (NAPs): New York (well, Pennsauken, NJ; Sprint), Chicago (Ameritech), San Francisco (Pac*Bell) MAE-EAST (D.C.), MAE-WEST (Mountain View-San Jose), MAE-LA, CIX (San Jose) FIX-EAST (D.C.), FIX-WEST (Mountain View; just for the Feds) SWAB (D.C., but almost no one left there). There are probably a few new ones that are forming that I am unaware of as yet, but the point is that they're small-fry. There are also probably exchange points outside the USA, but I bet they're being held up with PTT B.S. The Internet is amorphous. It ain't a star, exactly, but it's still not too far from that. However, to get away from this situation into the rich and more fully amorphous connectivity we used to take for granted in the UUCP network, we're going to have to see a lot more cooperation on the part of the small ISPs in agreeing to talk *directly* to each other to exchange traffic, and more small exchange points, instead of the small number of large ones. Of course, this means that you, Mr. or Ms. Discriminating Internet Consumer, must educate yourself a little, and ask interesting questions like, "why do my packets have to go to California to get across town to the ISP my friend uses?" If the customers ask, the ISPs will serve. They just gotta know what you want (and you have to be willing, of course, to pay for it).
Erik Fair
From llurch at networking.stanford.edu Tue May 7 17:33:13 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 8 May 1996 08:33:13 +0800 Subject: WhoWhere Robot? In-Reply-To: Message-ID: I would not be surprised. Please give me more information. I'm meeting with them at 1pm PST today. -rich On Mon, 6 May 1996, Stephan Somogyi wrote: > My web server was just hit by a machine that reverse-resolved to a > Japanese academic domain with an agent claiming to be "WhoWhere Robot"; > this bot is not listed in the > List of > Robots. > > Does anyone know whether this has any relationship to the > www.whowhere.com people? > > ________________________________________________________________________ > Stephan Somogyi Mr Gyroscope Digital Media > >
From tcmay at got.net Tue May 7 18:07:42 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 8 May 1996 09:07:42 +0800 Subject: Why I Pay Too Much in Taxes Message-ID: At 1:17 PM 5/7/96, Clay Olbon II wrote: >At 5:34 PM 5/6/96, Timothy C. May wrote: >>Also, the effect of inflation has been to inflate salaries and thus inflate >>people into higher tax brackets, even when their "real wages" have not gone >>up. > >This used to be true. A bill passed during the Reagan administration >indexed the brackets to inflation to remedy this situation. I don't know >how successful the bill was in eliminating "bracket creep", but that was the >stated purpose. No, it _still_ is true. One bill during one administration does not a major change make. Look at the actual rates, average salaries, increases, etc. (Sure, there have been all sorts of rate increases, decreases, changes, loopholes added, loopholes subtracted, etc. But the fact is that the average starting salary for an EE was about $12,000 a year in 1975 and more than 30,000 in 1995, with about the same buying power but with tax _rates_ dramatically higher.) --Tim May Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway."
From dik at vol.it Tue May 7 18:28:33 1996 From: dik at vol.it (R.D. Contarino) Date: Wed, 8 May 1996 09:28:33 +0800 Subject: (fwd) E-Commerce Info. Needed In-Reply-To: <960503034747_103007.3426_GHU46-1@CompuServe.COM> Message-ID: <199605071856.LAA28110@toad.com> > > I am writing a paper on electronic commerce, and I wonder if anyone happens to > know of interesting URLs addressing the subject, including security issues? > If you know of a good location for electronic commerce/security information, > please email me directly > at the following address: > 103007.3426 at compuserve.com > THANKS A LOT!! Sally > try www.verifone.com ... as "Business Wire" reported yesterday, << HP and Verifone Form alliance to market omnihost/hp9000 Payment processing solutions; targeting financial-services institutions >> Bye Dario -- R. D. Contarino Video On Line Sys. Adm. Dep. e-mail: dik at vol.it
From reagle at MIT.EDU Tue May 7 19:27:12 1996 From: reagle at MIT.EDU (Joseph M. Reagle Jr.) Date: Wed, 8 May 1996 10:27:12 +0800 Subject: misunderstandings of PICS Message-ID: <9605071933.AA18725@rpcp.mit.edu> At 04:40 PM 5/6/96 EDT, E. ALLEN SMITH wrote: > In other words, the CyberAngels want to eliminate any pages that >contain material they think minors shouldn't see that aren't self-rated with >a PICS self-rating (the first of the three types) intended to block minors >from seeing it.
Yes, this is an abuse of the market oriented variety of PICS; >they obviously don't know and/or don't care. If you want to convince them >otherwise, start cc:ing your messages (and forwarding mine, on this I give you >permission) on PICS and the CyberAngels to angels at wavenet.com. I didn't see the cyberangel proposal, but how is this an abuse? Regardless, it's a waste of time, browsers will have the option of "If not PICS labeled, don't return." They're better off advising people to flip that switch if this is such a big concern. _______________________ Regards, Men govern nothing with more difficulty than their tongues, and can moderate their desires more than their words. -Spinoza Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E
From hfinney at shell.portal.com Tue May 7 19:36:18 1996 From: hfinney at shell.portal.com (Hal) Date: Wed, 8 May 1996 10:36:18 +0800 Subject: Transitive trust and MLM Message-ID: <199605071750.KAA03884@jobe.shell.portal.com> -----BEGIN PGP SIGNED MESSAGE----- I have a few thoughts relating to the "web of trust" versus hierarchical key certificate systems. This description is pretty elementary and is intended more for people who have not been familiar with the issues before. First some background. The problem to be solved is how to know that a particular public key is actually associated with a particular person. This actually gets into some fuzzy philosophical areas in terms of what we mean by a person and what this association involves, but let's avoid those and just consider the specific question of binding a key to a particular email address and/or user name. Most of the "corporate" systems being advanced today use a hierarchical approach. One or a small number of trusted key certification authorities (CAs) are at the root of a tree. The root CA issues key signatures binding keys to ID's.
However usually these are not the ID's of end users, but rather of other lower-level CA's who will be associated with some smaller domain. These may sign yet other CA's keys, until the whole world is partitioned into small enough pieces that the lowest level CA's actually sign user keys. This is often mapped onto a corporate model where a company has a master CA key which gets signed by the root CA (or perhaps by a lower level CA between the root and corporate level), and which then, depending on the company size, may directly sign the keys of employees, or at the other extreme will sign keys for a division, which will sign them for a department, which will sign them for a group, which will then sign the employee's keys. Similar structures can be used for educational institutions as well. The idea behind this is that at each level only a relatively small number of keys are needed, and the signatures are on entities closely related to the key doing the signing. So the key signer is in a position to verify the accuracy of the signatures he is making. PGP uses a completely different system which Phil Zimmermann calls the "web of trust". It also uses the idea of key signatures, but there is no hierarchy. Instead, each person individually decides which other signers he will trust. A key which has a signature from a trusted signer is accepted as validated. PGP also allows people to specify other signers as partially trusted. A key will be accepted if it has multiple signatures by partially trusted signers. It is important to eliminate a common misconception about the web of trust. Suppose Alice signs Bob's key, and Bob signs Clara's, and Clara signs Don's key. Suppose further that Alice trusts Bob and Bob trusts Clara as key signers, but that Alice doesn't know Clara. In terms of PGP's web of trust, this does not give a chain from Alice to Don which lets her trust his key. Alice has to have a signature on Don's key by someone she trusts. 
In this case, since she doesn't know Clara she presumably can't trust her, and hence Clara's signature on Don's key is worthless to Alice. I had many discussions with Phil during the time when he was developing this concept, and he was adamant about the importance of this point. The phrase he used was "trust is not transitive". Transitivity is a mathematical property where if A has some relation to B, and B has the same relation to C, then A has that relation to C. For example, "greater than" is transitive with respect to numbers. But trust in general cannot be considered to be transitive in this sense, as Phil saw it. Asking Alice to trust Bob to sign keys is one thing. But asking her to trust everyone that Bob trusts as a key signer is something else. That requires a lot more insight into the mind of the other person, to judge not only whether he is careful about his key signatures, but whether he is careful about judging how careful other people are about key signatures. The situation reminds me of a maxim of multi-level marketing (MLM) companies like Amway. These businesses typically sell a product, but they use a pyramid scheme for distribution where people not only sell the product, but try to recruit others to sell for them. Each person not only gets profit for the sales he makes, but he gets a share of the profit for sales made by the people he recruited, and a further smaller share of the profits from the people they recruit, and so on. If he gets a large enough "downline" of people selling below him then he can actually retire and just live off the profits they are producing. At least, that is part of the sales pitch for these outfits. To achieve success, though, the saying goes like this: You not only have to sell; you not only have to teach your people to sell; but you have to teach your people to teach people to sell. Only once you have developed this skill do you have a chance of having really big success in MLM. 
The idea is that being a good salesman is not enough. You have to recruit people and teach them to be good sellers, but that is not enough either. You also have to take your recruits and teach them not only to be good sellers, but also teach them how to pass this knowledge on down the line so that the whole downline thrives. (It does seem strange that the saying stops where it does. Don't you also have to teach your people to teach people to teach people to sell, etc.? I think though the human mind starts to lose track of what these increasingly abstract goals would mean. Stopping where they do conveys the idea that the teaching must be carried on indefinitely at each level.) The analogy to transitivity of trust is this. If you want to have transitive trust, you have to be sure the other person knows how to securely sign keys. But you also have to make sure he knows how to make sure that the next person knows how to securely sign keys. And further you have to make sure he knows how to make sure the next guy knows how to make sure, and so on. Note too that the hierarchical structure of the MLM is similar to that used in traditional hierarchical key CA's. So this points out one of the big problems with these systems, which is the requirement to have transitive trust. Just trusting the root CA is not enough. You have to trust that it makes sure that all the CA's whose keys it signs will be careful, as well. And further it has to make sure that each lower-level CA will pass on the need for care to all the CA's below it. At the time this concept was created, several years ago, users of the net largely consisted of students and employees of national labs and large corporations. The hierarchical idea mapped pretty well into the large bureaucracies which ran these places. But today things are different. It's hard to see how a hierarchy would work for the subscribers to AOL or MSN. So instead one idea is to flatten the hierarchy.
Instead of a CA giving out perhaps a few dozen key signatures, it might give out hundreds of thousands. Obviously this is a totally different concept in terms of the checking possible and the security of the resulting signatures. At least there is less delegation and transfers of trust. But the logistical problems can be very large.

PGP takes care to avoid transitive trust. When you mark various key signers as trusted, it is very careful to strip out that information when you extract a key for sending to someone else. Phil had another reason for this beyond the general difficulties mentioned above. The basic problem is the social implication of trusting or not trusting another person as a key signer. Revealing that information could cause difficulties. People might be offended to learn that someone else doesn't trust them. Worse, people might feel pressure to trust someone else if this were public knowledge. Maybe the other person is in a position of power where publicly offering trust would be valuable. These kinds of social interactions could ruin the meaning of the trust markings. So PGP doesn't allow it at all.

However the problem is then that with PGP it is hard to find someone you trust who can reliably sign the keys of people you want to communicate with. In a small group with many social interactions it can work OK, but if you see a random posting by someone who sounds interesting, the chances that you know someone who has signed his key are very small. So I don't think that the web of trust in practice works very well, at least for a lot of the communication that people do.

Unfortunately we are left with a choice between three not very good possibilities: accept transitive trust and hierarchical key CA structures; use very flat hierarchies where one signer validates huge numbers of keys; or accept that only a small number of keys can be validated by key signatures.
I think all these are troublesome and in fact it makes me question the whole notion of key signatures.

Hal Finney

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQBVAwUBMY+NZxnMLJtOy9MBAQEE6gIAro4leHAsPn6OaqDreXY9/zhhOgQjLKTB
YzESC3lmIDEo1TnSGeibh2pM4N+VfO6ReqB5GQP0vxss2Rb3Ud2yug==
=KFDL
-----END PGP SIGNATURE-----

From unicorn at schloss.li Tue May 7 19:36:18 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Wed, 8 May 1996 10:36:18 +0800
Subject: Why I Pay Too Much in Taxes
In-Reply-To:
Message-ID:

On Tue, 7 May 1996, Timothy C. May wrote:

> At 1:17 PM 5/7/96, Clay Olbon II wrote:
> >At 5:34 PM 5/6/96, Timothy C. May wrote:
> >>Also, the effect of inflation has been to inflate salaries and thus inflate
> >>people into higher tax brackets, even when their "real wages" have not gone
> >>up.
> >
> >This used to be true. A bill passed during the Reagan administration
> >indexed the brackets to inflation to remedy this situation. I don't know
> >how successful the bill was in eliminating "bracket creep", but that was the
> >stated purpose.
>
> No, it _still_ is true. One bill during one administration does not a major
> change make.

I'm not sure I understand what you mean. I sent the text of the law to the list. The position that you take (that increase in inflation can send you into the next tax bracket) is incorrect.

> Look at the actual rates, average salaries, increases, etc.
>
> (Sure, there have been all sorts of rate increases, decreases, changes,
> loopholes added, loopholes subtracted, etc. But the fact is that the
> average starting salary for an EE was about $12,000 a year in 1975 and more
> than 30,000 in 1995, with about the same buying power but with tax _rates_
> dramatically higher.)

The bill took effect in 1993. (1992?)

Rates will not change with respect to inflation (to the extent that inflation is accurately measured by the CPI).

I believe an exception was made for the top bracket in 1994, but I don't recall how it was implemented.
> --Tim May --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From msmith at rebound.slc.unisys.com Tue May 7 19:47:48 1996 From: msmith at rebound.slc.unisys.com (msmith) Date: Wed, 8 May 1996 10:47:48 +0800 Subject: UK IP Censorship In-Reply-To: <199605061552.IAA15075@jobe.shell.portal.com> Message-ID: <199605072010.UAA14295@rebound.slc.unisys.com> Anonymous said: > > Financial Times, 6 May 1996 > > Internet provider to launch censorship > > By James Mackintosh in London > > Unipalm Pipex, the biggest provider of Internet access to > British businesses, has acceded to government calls for > voluntary censorship in a significant boost to ministerial > attempts to restrict access to electronic pornography. [ deletia ] Well, time to start posting dirty pictures to rec.arts.tv.uk. -- Matt Smith - msmith at unislc.slc.unisys.com "Nothing travels faster than light, with the possible exception of bad news, which follows its own rules." - Douglas Adams, "Mostly Harmless" Disclaimer: I came up with these ideas, so they're MINE! From eb at comsec.com Tue May 7 19:56:59 1996 From: eb at comsec.com (Eric Blossom) Date: Wed, 8 May 1996 10:56:59 +0800 Subject: [JKinney@commprod.com: Security Engineer Needed for a Project] Message-ID: <199605072034.NAA17147@comsec.com> Hi, Here's an opportunity for somebody who knows something about NetWare. I don't know anything other than what is posted below. Call or write Don Wagner for more info. 
Eric Blossom ---------------------------------------------------------------- X-Mailer: Novell GroupWise 4.1 Date: Tue, 07 May 1996 13:00:05 -0500 From: Jim Kinney To: eb at comsec.com Cc: dwagner at commprod.com Subject: Security Engineer Needed for a Project Eric: Listed below is a description of a Network Security Specialist that we have a requirement for on one of our Defense contracts. This work would be performed either in Indy or Pensacola, FL. Can you please forward this to the CypherPunks or other appropriate mail group for distribution? +++++++++++++++++++++++++++++++++++++++++++++ Novell NetWare Security Specialist The Novell NetWare expert shall have expert knowledge in NetWare 4.x internals and NetWare 4.x security. The individual shall have programming experience writing applications to access NetWare security functions that alter NetWare attributes like rights, passwords and access list, etc. This individual shall be knowledgeable about the various NetWare-related configuration parameters, including those associated with IPX/SPX, NUC, NVT and SAP. This individual shall have extensive C and Assembly language programming experience using DOS and/or Windows that interfaces with Novell NetWare Application Programming Interface (API) or NetWare Loadable Module (NLM) APT. Lacking these specific skills, this individual shall be knowledgeable with NetWare internals and have experience in both application and system programming. This individual shall be knowledgeable about LAN analysis techniques, hardware, memory configurations, NETBIOS protocols, BTREIVE, and other NetWare or Windows APIs. +++++++++++++++++++++++++++++++++++++++++++++++ Anyone interested should respond to: Attn: Mr. Don Wagner CPI 7301 E. 90th St. Indianapolis, IN 46256 Fax: 317-842-0278 email: dwagner at commprod.com Thanks in advance for your help. jk From vznuri at netcom.com Tue May 7 20:01:42 1996 From: vznuri at netcom.com (Vladimir Z. 
Nuri)
Date: Wed, 8 May 1996 11:01:42 +0800
Subject: Transitive trust and MLM
In-Reply-To: <199605071750.KAA03884@jobe.shell.portal.com>
Message-ID: <199605072011.NAA15883@netcom5.netcom.com>

HF: a very brilliant and thoughtful essay that sparks many ideas for me. I am sure you will be flamed, or someone will want to, for your analogy of hierarchical CA's to MLM, but imho you are right on there!! a beautiful analogy to help the public see why hierarchical CA's are not very pretty.

what amazed me is that you didn't introduce the concept of a graph. clearly, the web of trust and the hierarchical CA are actually just different kinds of graphs. (for the uninitiated, a graph is a network consisting of nodes and edges.) the hierarchical CA is a tree. PRZ's "web of trust" is a graph that is not treelike.

the point you make about his trust being "non transitive" is actually saying (as I understand it) that trust only propagates to adjacent edges in the trust graph, but not further. that is, say A trusts B, and B trusts C. a "trust link" exists between A and B and B and C. but a trust link does not exist between A and C.

interestingly, beginning CS students learn to create a "transitive closure" of a graph by drawing all the missing links. this is effectively what is going on in a Hierarchical CA. a path of links implies a link between all the nodes in that path.

your point that the "trust graph" is the most problematic area of cryptography at this point is really right on the nail. we all have to realize that Public Key Cryptography solved one vexing problem, the requirement of the preexistence of a secret channel. but it does not solve another problem-- ensuring that keys are associated with the individuals one communicates with.

what I was thinking as I read your essay was that perhaps some new metrics are called for. it seems to me that people are hitting a brick wall in thinking, "trust is something that is either there or it isn't".
I think in the graph situation what we really have is information about the "strength" of a trust link between nodes. the problem then can be generalized: suppose I have a graph of edges, and numerical weights that represent the trust between entities represented by the nodes of the graph. the question is, suppose A wishes to know the strength of his trust from himself to some other entity C. it should be clear that this is in fact a variation of the "shortest path" problem. it suggests a straightforward depth- or breadth-first search. the code could tell you the "strongest trust path" between you and some entity using some heuristic, such that the trust between you and this person is the average of the trust of all the traversed links, or something like that. I am not saying this is the correct formula: it would be interesting to try to find other formulas that are "correct" in the sense that they truly model trust. (another obvious formula would decrease the trust strength dramatically if any link in the chain were weak.) I would be interested to hear what people think a correct "trust formula" should be. in fact what you have delineated HF, are two extreme trust formulas at different ends of the spectrum. (hope I get this right) 1. the HCA (hierarchical certification authority scheme). all trust links are 0 or 1. (0 is the same as no link). the trust between entity A and entity B is 1 if a path exists between them, 0 otherwise. 2. the PRZ scheme. all links are 0 or 1. a trust exists between A and B if B is adjacent to A, 0 otherwise. it seems to me that possibly neither is "correct", and that perhaps a "correct" formula may not even exist. there are clearly other variations. I'm being a bit sloppy, and I'd be happy for anyone to hammer out these ideas with more rigor. what might be ideal is if every person could choose to use whatever trust algorithm they desired. 
(that is, a system that supported *both* HCA and PRZ is easily conceivable, with the consumer determining how he wishes to use the "trust data", although PRZ complicates this by insisting that some trust data must be secret) and as I wrote, other possible algorithms, with some obvious defects: 3. trust is measured as 0 to 1, or perhaps -1 to 1. the trust between A and B is the highest average possible in the path between A and B. ("optimistic") 4. or, trust is measured as the worst average possible. ("pessimistic") 5. trust is the product of trust values. etc. what we have is a graph in which some links are explicitly given, and we have to "derive" some of the implied links based on our knowledge of "trust properties" and the given trust values. it is quite interesting that in fact the problem of "secrecy" is replaced by that of "trust" by PKC, and that to adequately solve the "trust" problem, we must try to figure out what its actual properties are. how does human trust work? how should it work? are there ways to formalize or optimize the informal "algorithms" that people use to deal with trust issues? we are getting into some deep psychological issues. can trust be quantified? also, there are some other obvious computational problems that immediately ensue. how can we efficiently store all this graph information? is there a way to distribute it over a network? how can we efficiently respond to "trust queries"? etc. it seems to me that both PRZ's scheme and the HCA scheme are only the very first, most basic ideas of how to tackle these complex issues and that we are likely to see new variations by others. it is quite possible that some cpunks may help immensely in refining the field. here is another idea: it appears what we have is a trust graph in which some people may want to selectively reveal or conceal their trust. this complicates things because now the algorithms may or may not run on the "open trust" values, or the "secret/hidden values", etc. ugh!!! 
the trust network itself is subject to the kind of secrecy and hiding that is associated with the original problem it tries to solve (i.e. conveying secret information).

hence it seems to me a good "trust network system" would support some things:

1. allow efficient trust queries, without severe problems associated with "nearness" of the participants.

2. allow individual users to decide how they wish to use the system, possibly supporting *both* HCA and PRZ etc. (we all seem to be working from the assumption they are mutually exclusive. but do they really have to be? is there really a "best" algorithm, or is the best situation to actually allow different algorithms for different situations?)

3. allow people to selectively reveal or conceal their trust values.

4. be distributed.

5. not rely on a central authority.

etc.-- additions, anyone?

it appears there is a rich vein of memes in all this beyond the basic territory explored by PRZ and HCA for someone to mine. in fact I'm surprised there aren't more academic papers out on this subject that tackle some of the things I am referring to above (alternate trust algorithms, trust as a network, etc.) maybe someone would like to work up some alternative prototypes ala the way remailers were developed in this "community".

From joelm at eskimo.com Tue May 7 20:14:54 1996
From: joelm at eskimo.com (Joel McNamara)
Date: Wed, 8 May 1996 11:14:54 +0800
Subject: MS Personal Effects Exchange
Message-ID: <199605071921.MAA16627@mail.eskimo.com>

Interesting proposal from Microsoft regarding digital certificates (containing keys and a variety of other information) that can be moved from one computer to another. A typical marketing response viewing Navigator supports certificates and Explorer doesn't. If certificates really take off, that 80 to 90% of the market that currently uses Netscape is going to be hesitant to switch over to Explorer.

Love the name.
Aren't personal effects what are left over after they body-bag you or what the cops call the contents of your pockets after you're busted...

Details at:

http://www.microsoft.com/INTDEV/SECURITY/BRINK009.HTM

From pcw at access.digex.net Tue May 7 20:21:12 1996
From: pcw at access.digex.net (Peter Wayner)
Date: Wed, 8 May 1996 11:21:12 +0800
Subject: RSAREF and the Mac...
Message-ID: <199605072103.RAA27829@access5.digex.net>

Has anyone ported RSAREF to Metrowerks's compiler for the Mac? The PGP project has converted it to run with Think C, but what about Metrowerks?

Also, where can I get plain RSAREF? I couldn't find it at www.rsa.com. Do I need to sign something?

Thanks,

Peter Wayner

From vznuri at netcom.com Tue May 7 20:24:58 1996
From: vznuri at netcom.com (Vladimir Z. Nuri)
Date: Wed, 8 May 1996 11:24:58 +0800
Subject: misunderstandings of PICS
In-Reply-To: <9605071940.AA18800@rpcp.mit.edu>
Message-ID: <199605072019.NAA16493@netcom5.netcom.com>

> Two may be quite successfully accomplished using PICS. Europe
>(Germany and Nazis) and China/Singapore could make quite effective use of
>PICS if they require that all browsers in their country be sold with their
>rating (censorship) system included (and if they mandate that government
>label bureaus _must_ be used.)

well, in any case the idea that there should ever be any pressure of page designers to include certain tags I find wholly inconsistent with the original PICS proposal and rather abhorrent. unfortunately it may be unavoidable.

> The reason self-rating is mentioned is to forestall the fear of
>mandated/arbitrary third party rating. Rather than some MPAA like system
>being imposed by the govt., the self-rating was a better political/strategic
>position. Also, self rating scales well until third party label bureaus are
>sufficiently developed.

my fear is that the supposed "failure" of self-ratings could be twisted by its opponents as evidence that it is inadequate to deal with the real problem.
in other words, they might say, "look, the self-rating thing clearly doesn't work, people don't label their stuff right even when they are pressured to, therefore we must now have a government agency with mandatory controls. forget the 'rating server' idea, ratings by people within cyberspace just don't work".

I am not against self-ratings, I'm just saying that they seem to be the area most ripe for being misunderstood by the public, or lead to undesirable situations, and this is already happening.

it's quite scary to me that the things that the designers were trying to accomplish with the system might be totally reversed and corrupted in practice to accomplish something they wouldn't have wanted in their worst nightmares. I'd like to see an effort to work against this to the greatest degree possible.

From anonymous-remailer at shell.portal.com Tue May 7 20:25:01 1996
From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com)
Date: Wed, 8 May 1996 11:25:01 +0800
Subject: No Subject
Message-ID: <199605071754.KAA04543@jobe.shell.portal.com>

Why not digital "bearer" instruments be non-negotiable without a given signature?

I suppose these wouldn't be "bearer" but whatever we call them, doesn't this solve the double spending problem somewhat?

For example. Why not have the bank issue the note to an anonymous entity who has a public key on record with the bank. In the absence of a signature from the related secret key, the instrument will not be honored. The instrument can be converted to a bearer instrument by the holder at any time by signing it over to no one as opposed to signing it over to a named party or key. (Much like making a check payable to "cash")

The double spending problem is solved to the degree the key of the intended payee is secure.

No?
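Added example, not code from any poster in this archive: the candidate "trust formulas" listed in the "Transitive trust and MLM" reply above (hierarchy-style transitive closure, PGP-style adjacent-only trust, best and worst path average, product of link values), run over one small graph so the differences show. The graph, its weights, the function names and the extra weakest-link variant are assumptions constructed for illustration.

```python
import heapq
from collections import deque

# Constructed sample data: GRAPH[a][b] is how far a trusts b as a key signer,
# from 0 (not at all) to 1 (fully). Names echo the Alice/Bob/Clara/Don example.
GRAPH = {
    "alice": {"bob": 0.9, "erin": 0.6},
    "bob": {"clara": 0.5},
    "erin": {"clara": 0.7},
    "clara": {"don": 0.9},
    "don": {},
    "mallory": {"don": 1.0},
}


def adjacent_trust(graph, src, dst):
    """PGP-style formula: only a link src made directly counts; nothing propagates."""
    return 1 if graph.get(src, {}).get(dst, 0) > 0 else 0


def transitive_trust(graph, src, dst):
    """Hierarchy-style formula: any chain of links counts (transitive closure)."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return 1
        for nxt, weight in graph.get(node, {}).items():
            if weight > 0 and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return 0


def strongest_path(graph, src, dst, combine):
    """Best-first search for the highest-scoring path.

    Valid only for scores that never rise when a link is appended (product or
    minimum of weights in 0..1), which is what makes the first arrival optimal.
    """
    heap = [(-1.0, [src])]          # max-heap via negated score
    settled = set()
    while heap:
        neg_score, path = heapq.heappop(heap)
        node = path[-1]
        if node == dst:
            return -neg_score, path
        if node in settled:
            continue
        settled.add(node)
        for nxt, weight in graph.get(node, {}).items():
            if weight > 0 and nxt not in settled:
                heapq.heappush(heap, (-combine(-neg_score, weight), path + [nxt]))
    return 0.0, []                  # no chain of signatures at all


def product(score, weight):
    """Every hop discounts trust; one weak link drags the whole chain down."""
    return score * weight


def weakest_link(score, weight):
    """Extra variant (an assumption, not from the post): a chain is as good as its worst link."""
    return min(score, weight)


def average_paths(graph, src, dst):
    """Every loop-free path with the mean of its link weights, sorted ascending.

    The mean is not monotone along a path, so this enumerates paths instead of
    searching greedily; fine for small graphs, exponential in general.
    """
    found = []

    def walk(node, path, weights):
        if node == dst and weights:
            found.append((sum(weights) / len(weights), path))
            return
        for nxt, weight in graph.get(node, {}).items():
            if weight > 0 and nxt not in path:
                walk(nxt, path + [nxt], weights + [weight])

    walk(src, [src], [])
    return sorted(found)


def compare(graph, src, dst):
    """Evaluate every formula for one (src, dst) pair."""
    averages = average_paths(graph, src, dst) or [(0.0, [])]
    return {
        "adjacent": adjacent_trust(graph, src, dst),
        "transitive": transitive_trust(graph, src, dst),
        "product": strongest_path(graph, src, dst, product),
        "weakest_link": strongest_path(graph, src, dst, weakest_link),
        "optimistic_average": averages[-1],
        "pessimistic_average": averages[0],
    }


if __name__ == "__main__":
    for name, value in compare(GRAPH, "alice", "don").items():
        print(f"{name:20} {value}")
```

On this graph the product and average formulas route Alice's trust in Don through Bob, while the weakest-link formula routes it through Erin, so the choice of formula changes whose signatures end up mattering.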
From anonymous-remailer at shell.portal.com Tue May 7 20:49:44 1996
From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com)
Date: Wed, 8 May 1996 11:49:44 +0800
Subject: money laundering conference
Message-ID: <199605072054.NAA22977@jobe.shell.portal.com>

OTC 05/06 1518 ADVISORY/International Money Laundering ...

(May 6) BUSINESS WIRE -May 6, 1996--With attendees coming from across the United States and from Latin and South America, more than 200 people are expected to participate in the Third International Money Laundering Conference May 15 and 16 in Miami.

The likely attendance is the largest since the conference was first held in 1993.

"New federal rules and laws, as well as concerns about emerging techniques to launder money, such as using the Internet, are generating intense interest," said Charles A. Intriago, publisher of Money Laundering Alert and a leading authority on the subject.

Money Laundering Alert is co-sponsoring the conference with American Lawyer Media, which publishes American Lawyer magazine and operates the Court TV network. ALM also publishes the Daily Business Review in South Florida.

This year's conference will include panel discussions on such topics as ways to detect and counter new forms of money laundering including so-called "cyberlaundering" and trade laundering; the "alphabet soup" of world money control rules, laws and organizations; cooperative blueprints for financial institutions and governments to prevent money laundering; hidden traps in U.S. laws, new suspicious reporting rules and the workings of the U.S. Office of Foreign Assets Control.

Speakers include officials from the IRS, SEC, FBI, Federal Reserve, Office of the Comptroller, Justice Department and other government agencies, as well as private-sector bankers, lawyers and academic experts.

Among the panelists this year are Senior U.S. District Judge William M.
Hoeveler of Miami, the presiding judge in the federal government's money laundering case against former Panamanian dictator Manuel Noriega, Gerald F. McDowell, chief, asset forfeiture and money laundering section of the U.S. Justice Department, Richard A. Small, special counsel, Federal Reserve Board, and John J. Byrne, senior legislative counsel for the American Bankers Association. The two-day session will be held at the Hyatt Regency Hotel in downtown Miami. Information on conference attendance can be obtained by calling Money Laundering Alert at 800/232-3652, or 305/530-0500 (Fax 305/530-9434). Reservations can be made by calling the Hyatt at 305/358-1234. There are still a limited number of places available. Limited sponsorships for conference events are also available. Credentials for accredited members of the media will be extended. The conference is drawing interest from news media in this country, South America and Europe. --30--jd/mi CONTACT: Alert Publications Wendy Brown, 305/530-0500 or Daily Business Review Martin Donsky, 305/347-6617 KEYWORD: FLORIDA INDUSTRY KEYWORD: BANKING PUBLISHING ADVISORY REPEATS: New York 212-575-8822 or 800-221-2462; Boston 617-236-4266 or 800-225-2030; SF 415-986-4422 or 800-227-0845; LA 310-820-9473 BW URL: http://www.businesswire.com From reagle at mit.edu Tue May 7 20:50:52 1996 From: reagle at mit.edu (Joseph M. Reagle Jr.) Date: Wed, 8 May 1996 11:50:52 +0800 Subject: Police tactics question Message-ID: <9605071934.AA18729@rpcp.mit.edu> At 11:26 PM 5/6/96 -0400, Michael Froomkin wrote: >One of my students has written a paper that may answer some of your >questions, Online Stings: High Tech Entrapment or Innovative Law >Enforcement?, by Jeffrey D. 
Weinstock >http://www.law.miami.edu/~froomkin/seminar/papers/weinstock.htm Also, I'll stick in a plug for a paper I wrote a year ago for Mitch Kapor's "Political Economy of the Digital Infrastructure" class at the Media Lab: Entrapment in Cyberspace -- On The Likelihood of Digital Stings http://farnsworth.mit.edu/~reagle/career/stuff/sting.html _______________________ Regards, Men govern nothing with more difficulty than their tongues, and can moderate their desires more than their words. -Spinoza Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E From reagle at mit.edu Tue May 7 20:54:30 1996 From: reagle at mit.edu (Joseph M. Reagle Jr.) Date: Wed, 8 May 1996 11:54:30 +0800 Subject: misunderstandings of PICS Message-ID: <9605071940.AA18800@rpcp.mit.edu> At 12:48 PM 5/6/96 -0700, you wrote: >PICS *doesn't*involve*the*page*designer*. this is an absolutely >key component of its design. This isn't exactly true (as you indicate later). PICS labels can be incorporated into the html tag by the content creator, it can be sent by way of the http server (using the 'get') or it can be collected from a third party label bureau. >I think is going to be far from the main use of ratings in the future) However, self rating will be a significant use in the future, and it is the only way PICS is being used effectively today (at RSAC). >may be made by different organizations. they may be contradictory. >this is a basic part of the design of PICS. True. >2. everything in cyberspace must be rated by government agency X, >and no pages are allowed to be transferred that do not have >acceptable ratings. > >the second is censorship. the first is free choice. the first >is what PICS aims for. notice it accomplishes this through absolutely >no action on the part of page designers. by the fact that they >have a URL, the PICS standard uses that URL as a reference. Two may be quite successfully accomplished using PICS. 
Europe (Germany and Nazis) and China/Singapore could make quite effective use of PICS if they require that all browsers in their country be sold with their rating (censorship) system included (and if they mandate that government label bureaus _must_ be used.)

The reason self-rating is mentioned is to forestall the fear of mandated/arbitrary third party rating. Rather than some MPAA like system being imposed by the govt., the self-rating was a better political/strategic position. Also, self rating scales well until third party label bureaus are sufficiently developed.

_______________________
Regards, Men govern nothing with more difficulty than their tongues, and can moderate their desires more than their words. -Spinoza
Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html
reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E

From tcmay at got.net Tue May 7 21:11:07 1996
From: tcmay at got.net (Timothy C. May)
Date: Wed, 8 May 1996 12:11:07 +0800
Subject: Why I Pay Too Much in Taxes
Message-ID:

At 8:46 PM 5/7/96, Black Unicorn wrote:

>I'm not sure I understand what you mean. I sent the text of the law to
>the list. The position that you take (that increase in inflation can send
>you into the next tax bracket) is incorrect.

I wrote my comment before I saw your message. Does this make it clearer?

I agree that the fewer brackets have lessened the problem in the last couple of years, but, then, inflation has not been an issue in the last couple of years. (I seem to recall an explicit statement that the brackets would not be adjusted upward, as the bill called for, because the inflation rate had been below the threshold....).

In any case, my larger point has been about the effect over the last decade or so, where significant numbers of people are now up at the 40-45% marginal tax rate (Federal plus state, in many states).

...
>Rates will not change with respect to inflation (to the extent that
>inflation is accurately measured by the CPI).
>
>I believe an exception was made for the top bracket in 1994, but I don't
>recall how it was implemented.

The top marginal rate was increased. As I recall, from around 38% to around 42%.

(As the money runs out, as the so-called trust funds turn out to be empty, as "entitlements" expand, and as more and more people are too poorly-educated and -motivated to succeed in high-paying jobs, I expect the top marginal rate to continue to be ratcheted upward. Until other forces come into play, of course.)

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From msmith at rebound.slc.unisys.com Tue May 7 21:15:55 1996
From: msmith at rebound.slc.unisys.com (msmith)
Date: Wed, 8 May 1996 12:15:55 +0800
Subject: Police tactics question
In-Reply-To: <01I4E2S0NTES8Y583T@mbcl.rutgers.edu>
Message-ID: <199605072045.UAA14348@rebound.slc.unisys.com>

> I've often heard of the police/postmaster mailing someone child
> pornography prior to going in and busting them for possession of it. What are
> the legal matters in such cases?

Well, that's how they busted the Amateur Action BBS from what I remember. Basically they mail you the porno, arrest you as soon as you pick up the box, and then that gives them probable cause to get a warrant to rip apart your computer and charge you with other things. The charges that were filed against Robert Thomas (sysop of the AA BBS) for picking up that box were eventually cleared, but he was convicted of other charges apparently.
So it's more used as a tool to find other charges. Those charges are eventually dropped.

> Thanks,
> -Allen

--
Matt Smith - msmith at unislc.slc.unisys.com
"Nothing travels faster than light, with the possible exception of bad news, which follows its own rules." - Douglas Adams, "Mostly Harmless"
Disclaimer: I came up with these ideas, so they're MINE!

From EALLENSMITH at ocelot.Rutgers.EDU Tue May 7 21:25:41 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 8 May 1996 12:25:41 +0800
Subject: Police tactics question
Message-ID: <01I4FM57A02G8Y59D8@mbcl.rutgers.edu>

From: IN%"froomkin at law.miami.edu" "Michael Froomkin" 6-MAY-1996 23:23:44.91

>One of my students has written a paper that may answer some of your
>questions, Online Stings: High Tech Entrapment or Innovative Law
>Enforcement?, by Jeffrey D. Weinstock
>http://www.law.miami.edu/~froomkin/seminar/papers/weinstock.htm

Thank you; I found it using Alta Vista earlier.

>Note: these are *student* papers. Not everything in them is exactly right.
>And no, I won't tell you their grades.

Any egregious errors in that one?

-Allen

From msmith at rebound.slc.unisys.com Tue May 7 21:26:01 1996
From: msmith at rebound.slc.unisys.com (msmith)
Date: Wed, 8 May 1996 12:26:01 +0800
Subject: Senator Leahy's Public Key
In-Reply-To: <199605050623.XAA17801@netcom8.netcom.com>
Message-ID: <199605071951.TAA14244@rebound.slc.unisys.com>

Bill Frantz said:
> The more I think about Senator Leahy's public key, the more I keep coming
> back to a point I only alluded to before.
>
> How do we know the key is actually his key?
>
> The key is only self signed. It could be a fake. If, as I have assumed,
> its primary use will be to sign public statements posted to the net, how
> will we know they are actually from Senator Leahy, and not some impostor?
>
> I strongly urge the senator to join the web of trust and get some other
> signatures on his key.
Actually, I've been thinking about this, and how do we *really* know that *anyone's* keys are actually theirs? I'm new to this list and have been collecting some of the keys from people who post with PGP signatures, but even at that, I never certify them myself because I am not 100% absolutely certain that the key in question belongs to that person. After all, what if some clever hacker dropped in and replaced someone's .plan file, or edited their index.html file? There's no real way to be absolutely certain. How certain are we that the keyservers are 100% bulletproof? Hell, I could call Joe Schmoe up and say "tell me your fingerprint", but how do I *really* know I'm talking to Joe unless I knew him before getting his signature?

Just some thoughts about some of the basic flaws in this sort of system.

BTW, I collect the signatures because I have a patched version of Elm which goes out and automatically tries to verify all PGP signed messages, and it's kind of annoying when it can't find the signature (all sorts of junk goes sprawling up my screen).

> Bill Frantz | The CDA means | Periwinkle -- Computer Consulting
> (408)356-8506 | lost jobs and | 16345 Englewood Ave.
> frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

--
Matt Smith - msmith at unislc.slc.unisys.com
"Nothing travels faster than light, with the possible exception of bad news, which follows its own rules." - Douglas Adams, "Mostly Harmless"
Disclaimer: I came up with these ideas, so they're MINE!

From alex at proust.suba.com Tue May 7 21:29:37 1996
From: alex at proust.suba.com (Alex Strasheim)
Date: Wed, 8 May 1996 12:29:37 +0800
Subject: ecash payee anonymity, cpunk archives
Message-ID: <199605072236.RAA02543@proust.suba.com>

A while back someone posted a note saying that an ecash protocol guaranteeing payee as well as payer anonymity had been devised. Did that ever get posted here? The last message I saw said that it would be posted soon.
Also, I missed whatever discussion there was about why the archives got shut down. Was it a copyright thing? A lack of resources? No one to volunteer? -- Alex Strasheim, alex at proust.suba.com From EALLENSMITH at ocelot.Rutgers.EDU Tue May 7 21:31:44 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 8 May 1996 12:31:44 +0800 Subject: Police tactics question Message-ID: <01I4FN0D5W6Q8Y59D8@mbcl.rutgers.edu> From: IN%"reagle at mit.edu" "Joseph M. Reagle Jr." 7-MAY-1996 15:31:28.97 > Also, I'll stick in a plug for a paper I wrote a year ago for Mitch >Kapor's "Political Economy of the Digital Infrastructure" class at the Media >Lab: >Entrapment in Cyberspace -- On The Likelihood of Digital Stings >http://farnsworth.mit.edu/~reagle/career/stuff/sting.html Actually, I found that one also. Nice things, web search robots. Thanks, -Allen From EALLENSMITH at ocelot.Rutgers.EDU Tue May 7 21:47:55 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 8 May 1996 12:47:55 +0800 Subject: misunderstandings of PICS Message-ID: <01I4FO6FNHVA8Y59D8@mbcl.rutgers.edu> From: IN%"vznuri at netcom.com" "Vladimir Z. Nuri" 6-MAY-1996 18:53:10.45 >but OK, I see that the CyberAngels have focused on a part of the >PICS proposal that can be twisted into their own unique interpretation. >I see you/they have a semi-valid concept here. frankly, it only suggests >to me how dangerous the "self-rating" concept is, and perhaps that >it should be downplayed in the PICS proposal imho. (any PICS designers >out there listening?) The simplest cure for this, and one that would be effective - unlike implorings by the PICS designers - would simply be to not have inclusion of a rating in a page as part of the protocol. In other words, if you want a rating, get it from an agency. >> Yes, this is an abuse of the market oriented variety of PICS; >>they obviously don't know and/or don't care. 
If you want to convince them >>otherwise, start cc:ing your messages (and forwarding mine, on this I give >>you permission) on PICS and the CyberAngels to angels at wavenet.com. >since you are so interested and brought it up, I think you ought to >do it. I am doing all that I care to do in posting to this group. you >have given me reason to write on the issue. As I have previously stated, I irritated Mr. Hatcher by trying to get the CyberAngels to concentrate on spamming and other actual dangers to the Net, as opposed to their censorship efforts. (I count acting as an informant for governmental censorship a variety of censorship). Consequently, I have been asked not to mail to them. >Incidentally, their pressure (especially the legal variety - acting as >informants) could also include against an ISP that doesn't do the second for >material the CyberAngels don't like. >I do hope the CyberAngels seize on the other aspects of PICS that would >effectively let them put CyberAngel stickers on every single page in >cyberspace, if they have the attention span to actually pull this off. Quite. Anything that both the CyberAngels and, say, the Christian Coalition rate as unsuitable for minors is likely to be interesting. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Tue May 7 21:56:19 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 8 May 1996 12:56:19 +0800 Subject: Freedom of Information Act Message-ID: <01I4FMARJF1A8Y59D8@mbcl.rutgers.edu> IIRC, the FOI act has come up here before. Possibly this list may provide some answers. -Allen From: IN%"rre at weber.ucsd.edu" 7-MAY-1996 00:36:11.83 From: Phil Agre =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. 
For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help at weber.ucsd.edu =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: Thu, 2 May 1996 17:23:13 -0400 Sender: State and Local Freedom of Information Issues From: "Barbara C. Fought" Subject: how-tos for FOI-L I've gotten several questions lately about the correct address for this mailing list discussion. It changed a year ago. Some of you may want to unsubscribe for the summer. Or put this on digest (all messages once a week) or vacation stop. Save this message for future reference. For any change in service you send an e-mail message to: listserv at listserv.syr.edu In the body of the message you type one of the following, depending on what you want to do:

WHAT YOU WANT TO DO     COMMAND (put in body of email message, not in the subject line)
subscribe               subscribe FOI-L firstname lastname
unsubscribe             unsubscribe FOI-L
get a digest            set FOI-L digest
vacation stop           set FOI-L nomail
resume delivery         set FOI-L mail
list of subscribers     review FOI-L

_____________________________________________________________________________ Barbara Croll Fought Asst. Prof., Broadcast Journalism list manager, FOI-L S.I.Newhouse School, Syracuse University bcfought at mailbox.syr.edu 215 University Place voice: 315/443-4054 fax: 315/443-3946 Syracuse, NY 13244-2100 _____________________________________________________________________________ From EALLENSMITH at ocelot.Rutgers.EDU Tue May 7 21:59:17 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. 
ALLEN SMITH) Date: Wed, 8 May 1996 12:59:17 +0800 Subject: Transitive trust and MLM Message-ID: <01I4FPJAW6Q08Y59D8@mbcl.rutgers.edu> From: IN%"hfinney at shell.portal.com" "Hal" 7-MAY-1996 18:58:41.28 >Unfortunately we are left with a choice between three not very good >possibilities: accept transitive trust and hierarchical key CA >structures; use very flat hierarchies where one signer validates huge >numbers of keys; or accept that only a small number of keys can be >validated by key signatures. I think all these are troublesome and in >fact it makes me question the whole notion of key signatures. I think the web-of-trust without transitivity of _some_ trust is too limited. If a lot of completely-trusted key signators have signed a key, and that person's key is self-signed and has signed the keys of those key then keys signed with that person's key are significantly more likely to be good than those without this signature. I wouldn't count the person as a completely-trusted signator, but I wouldn't count them at 0 either. However, the above is just my opinion. Have any studies been done of the likelihood of a key to be later discovered to not match up to the claimed nym? I suspect there isn't adequate data as yet, but it could still be a good thing to check. -Allen From frantz at netcom.com Tue May 7 22:06:36 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 8 May 1996 13:06:36 +0800 Subject: Transitive trust and MLM Message-ID: <199605072229.PAA28013@netcom8.netcom.com> At 10:50 AM 5/7/96 -0700, Hal wrote: >Unfortunately we are left with a choice between three not very good >possibilities: accept transitive trust and hierarchical key CA >structures; use very flat hierarchies where one signer validates huge >numbers of keys; or accept that only a small number of keys can be >validated by key signatures. I think all these are troublesome and in >fact it makes me question the whole notion of key signatures. 
Some of the solution to this problem may come from the answer to the question, "What am I trusting the receiver with?" I can see a number of possibilities: (1) I just want an envelope so casual eavesdroppers can't read the mail. Given the people Rich Graves has been dealing with, I see this as a powerful reason to encrypt all private email, just as you might send all private postal mail in envelopes rather than on postcards. In this case, I don't need a lot of confidence. Yes, a man-in-the-middle (MIM) can read the mail, just as the post office can open the envelope. However, the rest of the world won't see it unless the MIM wants to get caught. End-to-end, out of band acknowledgements can ensure that the message gets thru. (If the people I'm going to the mountains with don't pick me up, and I got in-band acknowledgements, I WILL suspect a MIM.) (2) I am sending someone else's secrets to a perfect stranger. An example might be sending company confidential information to a researcher another company R&D center half way around the world. In this case, I want to get the key from a location approved by the owner of the secret, making the problem the company's and not mine. (3) I am sending information which, if released, might cause significant harm to me or someone close to me. I can't see sending information of this nature to someone I don't know really well. In this case, out-of-band key fingerprint exchanges will work well. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From smith at sctc.com Tue May 7 22:07:33 1996 From: smith at sctc.com (Rick Smith) Date: Wed, 8 May 1996 13:07:33 +0800 Subject: Security Scruffies vs Neats, revisited Message-ID: This is an attempt to restart the discussion in a slightly different direction. 
I've been giving the topic some thought since Tim's truncated essay appeared. But when I re-read it just now, I realized that I read in my own interpretation of "scruffy" and "neat" to this. IMHO, the critical property of AI scruffies is that they believe in the value of some notion of emergent behavior -- if you build it right, it'll surprise you and do something clever and unexpected to fulfill its objectives. The "neats" have to know exactly why the behavior emerged, but the scruffy methodology almost never allows such a detailed analysis to succeed. Intuitively, I tend to think of scruffies as trying to build biological processes or concepts into computers. The goal seeking built into IP packets, for instance. The Internet is an impossible artifact, if you view distributed computing with '70s blinders. Nobody would want to cede control so much to largely autonomous routers. Once you drop an IP packet into the "system" it generally gets to its destination or dies of old age trying. When I try to apply this style of thinking to security, I find myself going towards layered defenses. These goal seeking, semi biological processes are somewhat failure prone, so you probably need a set of them to make things "safe." Falling back to biology, we see "security" in the various defensive mechanisms developed in plants and animals. But now things start to break down. "Security" these days means more than defense -- it means access control. "Let me in" as well as "Keep them out." How do you "tune" or "train" a semi-biological mechanism to exert such fine control? It's not clear to me that you can. When I read Kevin Kelly's book "Out Of Control" I kept wondering who wanted to live with his semi-biological toasters and heating plants, tolerating burned toast and frozen bathrooms until the devices finally "learned" how to behave. (but I shouldn't get started on that book -- I once wrote 20 pages of notes about how bogus I thought it was). 
In other words, the problem may be with the concept of security itself. Defense seems to be a biological concept, but security is not. It's too artificial, involving the reflection of some abstract and arbitrary human intent. Constructing a subsumption device to collect pop cans is one thing, but building one to construct a cuckoo clock (or play doorman) is something else. Rick. From nobody at replay.com Tue May 7 22:13:00 1996 From: nobody at replay.com (Anonymous) Date: Wed, 8 May 1996 13:13:00 +0800 Subject: Why I Pay Too Much in Taxes Message-ID: <199605072244.AAA02953@utopia.hacktic.nl> Timothy C. May wrote: >Indeed, I am extremely limited in how I can avoid complete traceability of >my major income sources. Not rich enough to shelter income in a really big >time way That's just lack of creativity. Try this: Get a friend of yours to set up a consulting company and hire you (and maybe a few more people who pay too much taxes, acting like a mixmaster). The company pays you salary to cover your cost of living. Anything above that, i.e. money that you would otherwise save, is paid to an offshore company as license fees (or something, this is the creative part). This is really legal as long as you don't receive any money from offshore without paying the taxes. If you borrow the money back it gets a little fuzzy. Thousands of people in upper middle class are doing exactly this, so the mixmaster is really in place already. The local mix is just an extra precaution for deniability (it was my friend's company, I had no idea what he was up to!). For the friend to accept the (very minor) risk of jail, he/she should probably be much poorer than you, or have a *lot* of clients, to make his pay outweigh the risk. By the way, are there any PGP encrypted mailing lists for discussing serious tax fraud? 
Mr.X From anonymous-remailer at shell.portal.com Tue May 7 22:13:52 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Wed, 8 May 1996 13:13:52 +0800 Subject: No Subject Message-ID: <199605072251.PAA01721@jobe.shell.portal.com> No one answered me. What's the best remailer-in-a-box. I'd like to run one. I would think people would be falling over each other to tell me. From EALLENSMITH at ocelot.Rutgers.EDU Tue May 7 22:14:46 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 8 May 1996 13:14:46 +0800 Subject: Attorney-Client / Nyms Message-ID: <01I4FNT4BGR48Y59D8@mbcl.rutgers.edu> From: IN%"unicorn at schloss.li" "Black Unicorn" 29-APR-1996 02:21:48.23 >On Sun, 28 Apr 1996, E. ALLEN SMITH wrote: >> Given discussions as to attorneys holding passphrases, et al, perhaps >> a tutorial from the lawyers on the list (yourself and others, since >> disagreements among J.D.'s have been known to happen) on what attorney-client >> confidentiality does cover? >Proposed FRE 503 probably has the best codification of the prevailing >common law on the subject. I reproduce it in part below. Typos are mine. Thank you. >Note the confidentiality requirement. A client is estopped from claiming >privilege if he discloses the content of the communication to a third >party not connected to the attorney-client relationship. Understandable. >The identity of the client and the existence of the attorney client >relationship are not confidential. There are some exceptions. What are the exceptions? >Communications regarding future crimes or frauds are not protected. I kind of knew that already... as should others. >Stolen property may be held by an attorney for a reasonable time for >inspection purposes, but must be returned to the rightful owner or the >attorney will be a receiver of stolen goods and participating in an >ongoing crime. Privilege will thus not apply. In re Ryder, 263 F.Supp. >360 (E.D.Va 1967). 
(Some courts will permit the attorney to refuse to >disclose the source from which he obtained the property, however). >Consider this in the context of trade secrets. A good point... although if it hasn't been proven whether something is stolen (e.g., an encrypted piece of data sent to the attorney), I would hope that privilege would still obtain. Of course, there would be the question (also important for First Amendment issues) of whether information that the recipient can't understand is communication. >All states have laws against destroying or concealing evidence. The >attorney who advises his client to destroy evidence is a co-conspirator. >Privilege does not apply. Clark v. State, 261 S.W.2d 339 (Crim. App Tex. >1953). (Interesting to wonder if advising a client to encrypt evidence is >'concealing' it). A good question. Of course, again there's the point of what if the attorney has investigated the matter and decided that no crime is being committed, but that the material should be destroyed because it could be embarrassing, lead to other problems (e.g., civil lawsuits), etcetera. If a court later decides that the attorney was wrong, would privilege still obtain, and would the attorney be a co-conspirator? I would hope the answers would be yes and no. >> Most of them aren't anonymous, either... although that does give me >> the thought of going to one outside the US and its reporting requirements. >> They'd know who I was (or at least the address it was going to), but at >> least nobody else would know. Any suggestions, since you've been writing of >> the joys of nymdom recently? >I suggest you use a forwarding service, sign up with your nym name, and >provide the address of a P.O. box for them to forward to, also in the name >of your nym. The P.O. box signed up in the name of the nym would be a problem, however, given the current laws on ID necessary for this. Of course, this assumes not using fake ID (including that of a fictitious employer). 
I've gotten a couple of P.O. boxes in my own name recently (not wanting to disclose my current address), and they did want a couple pieces of ID. I should check what ID they will accept. -Allen From jya at pipeline.com Tue May 7 22:16:35 1996 From: jya at pipeline.com (John Young) Date: Wed, 8 May 1996 13:16:35 +0800 Subject: INF_rno Message-ID: <199605072123.VAA05561@pipe3.t1.usa.pipeline.com> 5-7-96. NYT and WSJ report on Inferno, Lucent's (Bell Labs) new all-platform network OS, and its Limbo programming language. Dennis Ritchie says, "Inferno is a unique network operating system that adapts to whatever you plug into it -- from a high-end work station to an inexpensive hand-held device. Imagine the ease and flexibility of a world in which you can get your E-mail virtually anywhere, from any machine -- on your PC at the office, from a screen phone in an airport, on your TV at home, or on a hotel-room TV." Dan Stanzione adds, "With Inferno, any device can communicate and share information with any device over any network." It is designed to coexist with Java and DOS. INF_rno From rah at shipwright.com Tue May 7 22:17:50 1996 From: rah at shipwright.com (Robert Hettinga) Date: Wed, 8 May 1996 13:17:50 +0800 Subject: ecash payee anonymity, cpunk archives In-Reply-To: <199605072236.RAA02543@proust.suba.com> Message-ID: At 6:36 PM -0400 5/7/96, Alex Strasheim wrote: > Also, I missed whatever discussion there was about why the archives got > shut down. Was it a copyright thing? A lack of resources? No one to > volunteer? Which reminds me... Anybody know offhand which countries *aren't* signatories to the (Berne?) copyright conventions? Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." 
--Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From reagle at mit.edu Tue May 7 22:29:58 1996 From: reagle at mit.edu (Joseph M. Reagle Jr.) Date: Wed, 8 May 1996 13:29:58 +0800 Subject: misunderstandings of PICS Message-ID: <9605072131.AA20062@rpcp.mit.edu> At 01:19 PM 5/7/96 -0700, you wrote: >well, in any case the idea that there should ever be any pressure >of page designers to include certain tags I find wholly inconsistent >with the original PICS proposal and rather abhorrent. unfortunately >it may be unavoidable. I understand at one level, but not the visceral response. >my fear is that the supposed "failure" of self-ratings could be twisted >by its opponents as evidence that it is inadequate to deal with the >real problem. I think your fears are a little too paranoid here, but maybe they aren't. The question is how much of this hoopla stems from fundamentalist thought police, or concerned but ignorant parents/congressmen. If self-labeling worked (which I see few cases in which it wouldn't) I can't see the concerned but ignorant being unhappy. Rather they'd be a bit better educated and feeling pretty secure their kids won't get their hands on naughty material. And then if self labeling had some failures, that's an incentive for others to provide third party services (as others have argued). PICS had to sell itself to the net as much as to the masses. Self-labeling appeals to the net, it may appeal to the masses, but there are other things in there to sweeten the deal for them if not. >I am not against self-ratings, I'm just saying that they seem to >be the area most ripe for being misunderstood by the public, or >lead to undesirable situations, and this is already happening. Then we should help educate the public. I dislike dumbing the net down for the masses. The real question here -- as far as the public having a fit -- is the use of digital signatures in the labels. 
I expect we will not see signatures used in the first generation of label services or "compliant" browsers. Just like ecommerce, it takes a break or catastrophe to get people to move in a constructive manner on the security front. _______________________ Regards, Men govern nothing with more difficulty than their tongues, and can moderate their desires more than their words. -Spinoza Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E From jimbell at pacifier.com Tue May 7 22:42:19 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 8 May 1996 13:42:19 +0800 Subject: Why I Pay Too Much in Taxes Message-ID: <199605080005.RAA09126@pacifier.com> At 04:46 PM 5/7/96 -0400, Black Unicorn wrote: >On Tue, 7 May 1996, Timothy C. May wrote: > >> At 1:17 PM 5/7/96, Clay Olbon II wrote: >> >At 5:34 PM 5/6/96, Timothy C. May wrote: >> >>Also, the effect of inflation has been to inflate salaries and thus inflate >> >>people into higher tax brackets, even when their "real wages" have not gone >> >>up. >> > >> >This used to be true. A bill passed during the Reagan administration >> >indexed the brackets to inflation to remedy this situation. I don't know >> >how successful the bill was in eliminating "bracket creep", but that was the >> >stated purpose. >> >> No, it _still_ is true. One bill during one administration does not a major >> change make. > >I'm not sure I understand what you mean. I sent the text of the law to >the list. The position that you take (that increase in inflation can send >you into the next tax bracket) is incorrect. You seem to be forgetting that one of the provisions of (I believe) the 1986 tax act was that capital gains would be indexed for inflation. However, the sleazy politicians only scheduled it (the indexing process) for about 1990 or so, and by 1990 they managed to get that idiot Bush to agree to drop it. 
I don't know the details, but this is yet another of the reasons I have no qualms about advocating a system for solving the "politician problem" by putting them 6 feet under. Lawyers who profit from an abusive system may disagree, of course. Jim Bell jimbell at pacifier.com From EALLENSMITH at ocelot.Rutgers.EDU Tue May 7 22:43:40 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 8 May 1996 13:43:40 +0800 Subject: Why I Pay Too Much in Taxes Message-ID: <01I4FOV28VPS8Y59D8@mbcl.rutgers.edu> From: IN%"tcmay at got.net" 7-MAY-1996 00:45:56.61 >By the way, as long as I've added another comment to this not-very-relevant >thread (but one which has generated a lot of comments, so it's hard to hard >folks aren't interested), I should mention that I left out the effects of >INFLATION in my "60%" figure. Actually, inflation is relevant in a different way. In a system under which a democratic (or otherwise popularly-influenced) government has some control over the money supply, some inflation can be used as an invisible tax going from those who save (primarily those of the middle class and above) to those whose jobs are affected first by economic downturns (primarily those of the middle class and below). This has relevance, in regards to privately produced currencies and digital cash. -Allen From jlasser at rwd.goucher.edu Tue May 7 22:51:49 1996 From: jlasser at rwd.goucher.edu (Moltar Ramone) Date: Wed, 8 May 1996 13:51:49 +0800 Subject: "bearer" certificates In-Reply-To: <199605071754.KAA04543@jobe.shell.portal.com> Message-ID: On Tue, 7 May 1996 anonymous-remailer at shell.portal.com wrote: > Why not digital "bearer" instruments be non-negotiable without > a given signature? > > I suppose these wouldn't be "bearer" but whatever we call them, > doesn't this solve the double spending problem somewhat? [ ... 
] > The instrument can be converted to a bearer instrument by the holder > at any time by signing it over to no one as opposed to signing it over > to a named party or key. (Much like making a check payable to "cash") Not with a MITM. Mallet just signs the certificate first and turns it in, before the other entity even receives it. The bank has no way to tell which of those two certificates would be invalid... and the anonymous entity gets screwed. Signed bearer certificates are great for non-anonymous communication... ---------- Jon Lasser (410)494-3072 - Obscenity is a crutch for jlasser at rwd.goucher.edu inarticulate motherfuckers. http://www.goucher.edu/~jlasser/ Finger for PGP key (1024/EC001E4D) - Fuck the CDA. From EALLENSMITH at ocelot.Rutgers.EDU Tue May 7 22:53:19 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 8 May 1996 13:53:19 +0800 Subject: alias servers (al la alias.c2.org) Message-ID: <01I4FOXQ4H1Y8Y59D8@mbcl.rutgers.edu> From: IN%"stewarts at ix.netcom.com" "Bill Stewart" 7-MAY-1996 01:18:29.63 >The big negative about using them as alias servers is that you have >to use _their_ software and dial up to them; you can't get your mail >by POP (though you can argue that it's harder to trace that way), >and you have to use their silly advertisement-displaying user interface >(shades of Prodigy!). I assume that behind their silly interface >is a standard network protocol, which somebody can decipher and >figure out how to use SLIP or PPP or X.3/X.28/X.29 or whatever instead. Quite. There was a proposal a bit ago for someone to figure out how the user interface worked and to put together a batch-filing remailer to use their system. I haven't heard anything further on this. -Allen From unicorn at schloss.li Tue May 7 22:54:48 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 8 May 1996 13:54:48 +0800 Subject: Why I Pay Too Much in Taxes In-Reply-To: Message-ID: On Tue, 7 May 1996, Timothy C. 
May wrote: > At 8:46 PM 5/7/96, Black Unicorn wrote: > > >I'm not sure I understand what you mean. I sent the text of the law to > >the list. The position that you take (that increase in inflation can send > >you into the next tax bracket) is incorrect. > > I wrote my comment before I saw your message. Does this make it clearer? It does. My apologies. > I agree that the fewer brackets have lessened the problem in the last > couple of years, but, then, inflation has not been an issue in the last > couple of years. (I seem to recall an explicit statement that the brackets > would not be adjusted upward, as the bill called for, because the inflation > rate had been below the threshold....). Any increase less than $50 in the bracket rates is rounded down to the next multiple of $50 under Section 1(f)(6)(A). I do also recall a threshold statement of some sort, but I always thought it referred to the $50 rounding exception. > In any case, my larger point has been about the effect over the last decade > or so, where significant numbers of people are now up at the 40-45% > marginal tax rate (Federal plus state, in many states). Agreed. And many states do not adjust taxation brackets for inflation. > ... > >Rates will not change with respect to inflation (to the extent that > >inflation is accurately measured by the CPI). > > > >I believe an exception was made for the top bracket in 1994, but I don't > >recall how it was implemented. > > The top marginal rate was increased. As I recall, from around 38% to > around 42%. My 1994-1995 code indicates 39.6% for single heads of households with incomes over $250,000. (Pay $77,299, plus 39.6% of the excess over $250,000). That was for the 1994 tax year. If there was an explicit raise, I haven't heard (though this isn't too surprising, I haven't paid much attention to domestic U.S. tax rates lately). There is a phaseout of personal exemptions and deductions for the highest bracket which can effectively bring the tax rate above 40%. 
Is this what you mean? (Or have I been sleeping through the tax legislation process?) > (As the money runs out, as the so-called trust funds turn out to be empty, > as "entitlements" expand, and as more and more people are too > poorly-educated and -motivated to succeed in high-paying jobs, I expect the > top marginal rate to continue to be ratcheted upward. Until other forces > come into play, of course.) Agreed. As per other forces, I can't see any given the Forbes fall and the lack of interest in a flat reform measure. I do, however, predict that compliance will begin to fall much more dramatically following any explicit raise above 40%. > > --Tim May > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Tue May 7 22:56:46 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 8 May 1996 13:56:46 +0800 Subject: MLM and Web of Trust Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Tue, 7 May 1996, Hal wrote: > I have a few thoughts relating to the "web of trust" versus > hierarchical key certificate systems. This description is pretty > elementary and is intended more for people who have not been familiar > with the issues before. First some background. [Excellent background deleted] [Trust is not transitive.] > The [trust is not transitive] situation reminds me of a maxim of > multi-level marketing (MLM) companies like Amway. These businesses > typically sell a product, but they use a pyramid scheme for distribution > where people not only sell the product, but try to recruit others to > sell for them. [...] 
> To achieve success, though, the saying goes like this: You not only > have to sell; you not only have to teach your people to sell; but you > have to teach your people to teach people to sell. [...] > The analogy to transitivity of trust is this. If you want to have > transitive trust, you have to be sure the other person knows how to > securely sign keys. But you also have to make sure he knows how to > make sure that the next person knows how to securely sign keys. And > further you have to make sure he knows how to make sure the next guy > knows how to make sure, and so on. [PGP avoids transitive trust because of this problem and others] Ok, so if the problem is with transitive trust and not the technical issue of security of signatures, why not a hybrid of the vertical and web models? PGP's primary problem in my view is that signatures are not flexible enough, or they are too flexible. A signauture can mean anything. When I sign a document signed by Bob, does that mean that I am vouching for Bob as the author of this document, or that I agree with the document, or that I certify that the document (regardless of my belief in its points) merely passed by my desk on this date? Similarly, when I sign a key. Am I of the opinion that the "real name" associated with this person is the only person in possession of the key, of the opinion that this person is indeed (insert real name here) or am I siging off on the e-mail address? It seems to me that two things need to happen to improve the web of trust. First, signatures have to be application specific. Sure you can put the words "This signature means that I believe XYZPDQ etc." at the bottom of that which you are signing, but this method both lacks any kind of standardization and further requires some sophisticated logical thinking and a lot of planing by the average user. I'd much rather see signature applications integrated in the software in a simple way. 
PGP currently asks:

READ CAREFULLY: Based on your own direct first-hand knowledge, are you absolutely certain that you are prepared to solemnly certify that the above public key actually belongs to the user specified by the above user ID (y/N)?

Why should PGP not also ask:

READ CAREFULLY: Based on your own direct first-hand knowledge, are you absolutely certain that you are prepared to solemnly certify that the above document is accurate in all respects (y/N)?

or

READ CAREFULLY: Based on your own direct first-hand knowledge, are you absolutely certain that you are prepared to solemnly certify that the above user is a careful and competent individual with the skill and means to secure his secret key (y/N)?

or

READ CAREFULLY: Based on your own direct first-hand knowledge, are you absolutely certain that you are prepared to solemnly certify documents signed by the above key are from the internet address associated with it (y/N)?

or

READ CAREFULLY: Based on your own direct first-hand knowledge, are you absolutely certain that you are prepared to solemnly certify that the above financial transaction corresponds to your exact wishes (y/N)?

or

READ CAREFULLY: Based on your own direct first-hand knowledge, are you absolutely certain that you are prepared to solemnly certify that the above user is not only a trusted introducer, but is fit in your estimation to gauge the security and signing skills of other users and vouch for their fitness as trusted introducers (y/N)?

It seems to me that integrating these issues, having a developer think them out ahead of time for the user would be a valuable thing.

This solves, to some degree, Mr Finney's "AOL" problem. (Wherein he expresses concern over the differing skills of internet users and the ways these differences complicate the web of trust). Part of having an effective web of trust is defining exactly what a certification means.
I don't think the web of trust fails because it is non-vertical, but because it fails to define what certificates mean. It _imposes_ (or at least suggests) horizontal decision or treatment of a certificate when it may be prudent for novice or moderately skilled users to treat them vertically.

Yet to simply switch to a vertical scheme will frustrate expert users who wish to maintain the flexibility of a horizontal one for whatever reason. (They don't trust institutions, prefer to have more stringent or otherwise non-standard certification policies, etc.)

Using certification that allows either (but perhaps defaults to vertical) can easily be envisaged. Software could be configured to trust only an institutional certifier to designate trusted introducers as a default, (Perhaps an online security multiple test would be a good way for such an institution to make the determination?) and yet users who wanted other schemes could select the more expert options and designate their own introducers and introducer introducers.

READ CAREFULLY: Do you trust the above user to (enter all that apply):

A) Introduce other keys for the purposes of secure communications and document certification with those keys?
B) Vouch for the security consciousness of other users?
C) Vouch for the fitness of other users to certify introducers for your web of trust?
D) Vouch for the financial fitness of other users?
(etc.)

Really it's no more than an extension of the "trust bit" that is already in PGP signatures to other areas.

In addition I think it's important to extend this kind of flexibility to all manner of signing activities. I revoked a key some time ago because it was getting old and because 2048 bit keys were made available. That revocation certificate could mean anything.
It could mean I KNOW it was compromised, it could mean I suspected it was, it could mean I found my secring.pgp file on a multiuser system where I did not myself put it, it could mean I left a disk with my secring.pgp on it in a library, or it could mean the key expired. How are you to know unless I write up a complicated statement and sign it and take pains to publish it all over creation?

Why doesn't PGP simply ask:

Are you:

A) Certain this key is compromised?
B) Of the view that it is probably compromised?
C) Worried it might be compromised?
D) Revoking this key because it is expired?
E) Issuing a general/non-specific revocation?

Again, standardized, easy for the user to understand, easy to distribute, and very clarifying.

Someone could easily write a module which defined and updated these differing trust issues for PGP and users could pick the codes they preferred. (A trust model flash rom?)

fincer - Certification with respect to financial integrity
ident1 - Certification with respect to true name identity
ident2 - Certification with respect to accuracy of e-mail account
secrt2 - Certification with respect to the user's ability to keep a secret.
etc.

Don't force clever and sophisticated users to bow to a vertical system when they don't have/want to.

> Hal Finney

- ---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From jimbell at pacifier.com Tue May 7 23:08:40 1996
From: jimbell at pacifier.com (jim bell)
Date: Wed, 8 May 1996 14:08:40 +0800
Subject: Why I Pay Too Much in Taxes
Message-ID: <199605080206.TAA24111@pacifier.com>

At 09:30 PM 5/7/96 -0400, Black Unicorn wrote:
>On Tue, 7 May 1996, jim bell wrote:
>
>> At 04:46 PM 5/7/96 -0400, Black Unicorn wrote:
>
>> >I'm not sure I understand what you mean. I sent the text of the law to
>> >the list. The position that you take (that increase in inflation can send
>> >you into the next tax bracket) is incorrect.
>>
>> You seem to be forgetting that one of the provisions of (I believe) the 1986
>> tax act was that capital gains would be indexed for inflation. However,
>> the sleazy politicians only scheduled it (the indexing process) for about
>> 1990 or so, and by 1990 they managed to get that idiot Bush to agree to drop
>> it.
>
>Considering that there is one bracket for capital gains income (namely
>28%) what does this have to do with bouncing you into the next income tax
>bracket?

Well, you can play all the word-games you want, but many people use the term "tax bracket" to mean the amount of tax they pay as a proportion of income. (Too bad the IRS hasn't yet defined the term "income"!) Since inflationary gains on assets shouldn't be counted as "income" at all, people end up paying a larger proportion of their income as taxes due to this.

Go ahead, play games, but ultimately the amount they write on the check will be increased as a result of inflation. I doubt whether they would be in any mood to accept a picky technical definition.
It is these people that will eventually decide that it's better to pay money to go to government employees' detriment, rather than benefit.

Jim Bell
jimbell at pacifier.com

From EALLENSMITH at ocelot.Rutgers.EDU Tue May 7 23:09:10 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 8 May 1996 14:09:10 +0800
Subject: Escrowing signing vs. encryption keys
Message-ID: <01I4FP585MH88Y59D8@mbcl.rutgers.edu>

From: IN%"JMKELSEY at delphi.com" 7-MAY-1996 01:22:19.14

>this is seen by the Feds to balance out the downside that, if I have
>the ability to do secure signatures with certificates, I can always
>use Diffie-Hellman to establish a secure session with someone else.

This apparent opinion on their part is made more understandable with the headaches involved in using Diffie-Hellman, as I understand it (multiple back-and-forth transfers, et al).
-Allen

From unicorn at schloss.li Tue May 7 23:20:42 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Wed, 8 May 1996 14:20:42 +0800
Subject: Why I Pay Too Much in Taxes
In-Reply-To: <199605080206.TAA24111@pacifier.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 7 May 1996, jim bell wrote:

> >Considering that there is one bracket for capital gains income (namely
> >28%) what does this have to do with bouncing you into the next income tax
> >bracket?
>
> Well, you can play all the word-games you want, but many people use the term
> "tax bracket" to mean the amount of tax they pay as a proportion of income.

1) Read original message.
2) Determine what was meant by "tax bracket."
3) Revisit question as to who is playing "word games."
4) Take reply to e-mail.

> Jim Bell
> jimbell at pacifier.com

- ---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From jimbell at pacifier.com Tue May 7 23:51:33 1996
From: jimbell at pacifier.com (jim bell)
Date: Wed, 8 May 1996 14:51:33 +0800
Subject: Police tactics question
Message-ID: <199605080158.SAA22331@pacifier.com>

At 03:33 PM 5/7/96 -0400, Joseph M. Reagle Jr. wrote:
>At 11:26 PM 5/6/96 -0400, Michael Froomkin wrote:
>>One of my students has written a paper that may answer some of your
>>questions, Online Stings: High Tech Entrapment or Innovative Law
>>Enforcement?, by Jeffrey D. Weinstock
>>http://www.law.miami.edu/~froomkin/seminar/papers/weinstock.htm
>
> Also, I'll stick in a plug for a paper I wrote a year ago for Mitch
>Kapor's "Political Economy of the Digital Infrastructure" class at the Media
>Lab:
>
>
>Entrapment in Cyberspace -- On The Likelihood of Digital Stings

Here's a question: Why can't we do stings OF POLICE, not by police? If they can mail porno to people and have them arrested, why can't we identify thug-types on the net, email them porno (perhaps from out of the country, to keep the sender legal) and then break into their houses and arrest them?

What? What's sauce for the goose ISN'T sauce for the gander?
Jim Bell
jimbell at pacifier.com

From iang at cs.berkeley.edu Wed May 8 00:01:40 1996
From: iang at cs.berkeley.edu (Ian Goldberg)
Date: Wed, 8 May 1996 15:01:40 +0800
Subject: ecash moneychangers (Was: Kid Gloves or Megaphones)
In-Reply-To: <199605051818.LAA13740@dns2.noc.best.net>
Message-ID: <4mordl$1pe@abraham.cs.berkeley.edu>

-----BEGIN PGP SIGNED MESSAGE-----

In article <199605051818.LAA13740 at dns2.noc.best.net>, wrote:
>
>>>It is true that the issuer is unable to discover that double blinding is
>>>being used. The real problem with the protocol is that it requires
>>>payor/payee collusion, which may make it difficult to execute.
>
>At 07:58 PM 5/4/96 EDT, E. ALLEN SMITH wrote:
>> Can the payee discover that the payor isn't colluding before the bank
>>can figure out who the payee is?
>
>If the payor is not colluding, then the payee will immediately discover
>he has not been paid, because the checksums are wrong, and his software
>says "bad payment"
>
>If the payor is colluding, then no matter what he reveals to the bank,
>the bank cannot discover the payee. Note that with payee anonymity,
>the payee does not have to promptly check in his money, so the bank
>has no hope of narrowing the search by coincidence in time.
>
>But if the payee is colluding, then the payor can be detected by
>coincidence in time.

Ah, but if we have the capability to do the fully-anon protocol, we can suddenly do change-making stations.

The change problem is similar to the problem described above: what if the payor wants to buy something, but doesn't have the right change? Going to the bank to get change will give away who he is.

The solution: go to your local moneychanger. A moneychanger accepts, say, a coin for $0.02 and two blinded half-coins for $0.01 each. He deposits the $0.02, and if it clears, has the bank sign the half-coins, which he returns to the payor (he'll probably blind and unblind those half-coins, too).
The payor now has the right change, and all the bank can see is that the moneychanger deposited a $0.02 coin and withdrew 2 $0.01 coins. Of course, the moneychanger may charge the payor an extra bit for the privilege.

In the case of the fully-anon protocol, the payee gives a blinded half-coin to the payor. The payor then, as above, sends it (and a service fee) to the moneychanger, who sends it to the bank (or maybe another moneychanger... echoes of remailers...), yadda yadda.

A moneychanger is a very useful construct for protecting _payor_ privacy when exact change isn't handy.

Note also that with a system like this, there's no real reason for the payor to even _have_ an account with the bank...

If (when) the ecash library is released, this will all become pretty straightforward to implement.

- Ian "who thinks he understands the ecash protocol, right down to the wire"

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 8 00:02:41 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 8 May 1996 15:02:41 +0800
Subject: Transitive trust and MLM
Message-ID: <01I4FWT0RUI88Y59HH@mbcl.rutgers.edu>

From: IN%"frantz at netcom.com" 7-MAY-1996 23:02:33.09

>Some of the solution to this problem may come from the answer to the
>question, "What am I trusting the receiver with?" I can see a number of
>possibilities:

I think you've forgotten to allow for the signature use. I may want to know if someone who's posting is indeed the usual/proper person posting from that address, and in most situations without transitivity I won't be able to tell.
-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 8 00:16:28 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 8 May 1996 15:16:28 +0800
Subject: Is the network layer geodesic?
Message-ID: <01I4FP905KBM8Y59D8@mbcl.rutgers.edu>

From: IN%"fair at clock.org" "Erik E. Fair" 7-MAY-1996 02:06:23.16

>The Internet is amorphous. It ain't a star, exactly, but it's still not too
>far from that. However, to get away from this situation into the rich and
>more fully amorphous connectivity we used to take for granted in the UUCP
>network, we're going to have to see a lot more cooperation on the part of
>the small ISPs in agreeing to talk *directly* to each other to exchange
>traffic, and more small exchange points, instead of the small number of
>large ones.

One thing that may make a difference in this is that the major providers are getting overloaded. We're currently having problems here (in terms of slowdowns, failures to connect, et al) because MCI's trunk lines are majorly overloaded, and that's who _all_ the local ISPs go through. I am currently attempting to persuade them to at least get contacts with another ISP (and to serve as a router) in order to speed up local stuff.
-Allen

From unicorn at schloss.li Wed May 8 00:19:21 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Wed, 8 May 1996 15:19:21 +0800
Subject: Why I Pay Too Much in Taxes
In-Reply-To: <199605072244.AAA02953@utopia.hacktic.nl>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 8 May 1996, Anonymous wrote:

> Timothy C. May wrote:
> >Indeed, I am extremely limited in how I can avoid complete traceability of
> >my major income sources. Not rich enough to shelter income in a really big
> >time way
>
> That's just lack of creativity. Try this:
>
> Get a friend of yours to setup a consulting company and
> hire you (and maybe a few more people who pay too much
> taxes, acting like a mixmaster). The company pays you salary
> to cover your cost of living. Anything above that, i.e.
> money that you would otherwise save, is paid to an offshore
> company as license fees (or something, this is the creative
> part).

Where does the company get the funds to pay you? As the source of personal services income is the site of the performance of services, your salary will be taxable at U.S. rates. Licensing fees hoarded into an offshore holding company will be taxed yearly regardless of their distribution as dividends (if the money is invested as equity) and the principal taxed on repayment if characterized as debt. It will not, of course be legally yours if deposited without either classification.

> This is really legal as long as you don't receive any money
> from offshore without paying the taxes. If you borrow the
> money back it gets a little fuzzy.

Except that it is going to cause your friend who set it up to incur the penalties that surround classification of his company as a Foreign Personal Holding Company. If he is a U.S. citizen, he can deduct the costs of sending you salary, but that means he still has to pay about 60% of what goes out. (Revisit the double taxation issue).

> Thousands of people in upper middle class are doing exactly
> this, so the mixmaster is really in place already. The local
> mix is just an extra precaution for deniability (it was my
> friend's company, I had no idea what he was up to!).
>
> For the friend to accept the (very minor) risk of jail,
> he/she should probably be much poorer than you, or have
> a *lot* of clients, to make his pay outweigh the risk.

What pay? I don't get it. Where does this friend get his money?

> By the way, are there any PGP encrypted mailing lists for
> discussing serious tax fraud?

If such a list existed, would we tell an anonymous poster/fed?

If your above scheme is intended merely to conceal funds it is a fairly poor example as it depends on the secrecy of each and every 'employee' of the company.
>
> Mr.X
>

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From unicorn at schloss.li Wed May 8 00:21:47 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Wed, 8 May 1996 15:21:47 +0800
Subject: No Subject
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 7 May 1996, E. ALLEN SMITH wrote:

> From: IN%"unicorn at schloss.li" "Black Unicorn" 29-APR-1996 02:21:48.23
>
> >On Sun, 28 Apr 1996, E. ALLEN SMITH wrote:
>
> >> Given discussions as to attorneys holding passphrases, et al, perhaps
> >> a tutorial from the lawyers on the list (yourself and others, since
> >> disagreements among J.D.'s have been known to happen) on what attorney-client
> >> confidentiality does cover?
>
> >Proposed FRE 503 probably has the best codification of the prevailing
> >common law on the subject. I reproduce it in part below. Typos are mine.
>
> Thank you.

Sure.

> >The identity of the client and the existence of the attorney client
> >relationship are not confidential. There are some exceptions.
>
> What are the exceptions?

When a client wishes to make anonymous restitution. Baird v. Koerner, 279 F.2d 623 (9th Cir. 1960) (Wherein attorney was retained to organize anonymous payment of delinquent taxes and IRS demanded identification of clients by attorney).
The so called "missing link" exception, where disclosure of the identity of client, in conjunction with already available information, would have the effective result of disclosing a privileged communication or violating the privilege against self incrimination. In re Grand Jury Proceedings, 517 F.2d 666 (5th Cir. 1975); C.f., U.S. v Pape, 144 F.2d 778 (2nd Cir. 1944) (Holding that client's identity was not so protected, but which may or may not still be good law); See Generally, Cleary et al, McCormick on Evidence (3rd edition 1984).

> >Stolen property may be held by an attorney for a reasonable time for
> >inspection purposes, but must be returned to the rightful owner or the
> >attorney will be a receiver of stolen goods and participating in an
> >ongoing crime. Privilege will thus not apply. In re Ryder, 263 F.Supp.
> >360 (E.D.Va 1967). (Some courts will permit the attorney to refuse to
> >disclose the source from which he obtained the property, however).
> >Consider this in the context of trade secrets.
>
> A good point... although if it hasn't been proven whether something is
> stolen (e.g., an encrypted piece of data sent to the attorney), I would hope
> that privilege would still obtain. Of course, there would be the question
> (also important for First Amendment issues) of whether information that the
> recipient can't understand is communication.

Generally speaking, if the attorney believes or should reasonably know that the item was stolen, privilege will not apply.

> >All states have laws against destroying or concealing evidence. The
> >attorney who advises his client to destroy evidence is a co-conspirator.
> >Privilege does not apply. Clark v. State, 261 S.W.2d 339 (Crim. App Tex.
> >1953). (Interesting to wonder if advising a client to encrypt evidence is
> >'concealing' it).
>
> A good question. Of course, again there's the point of what if the
> attorney has investigated the matter and decided that no crime is being
> committed, but that the material should be destroyed because it could be
> embarrassing, lead to other problems (e.g., civil lawsuits), etcetera. If a
> court later decides that the attorney was wrong, would privilege still obtain,
> and would the attorney be a co-conspirator? I would hope the answers would be
> yes and no.

First question, I can think of few attorneys who would actually advise a client to destroy something that might even one day possibly be evidence.

Well, let me rephrase that.

I can think of few attorneys who would actually advise a client to destroy something that might even one day possibly be evidence if they thought they might be caught.

Second question, If the court thinks it was a crime and evidence was destroyed it doesn't much matter what the attorney thought at the time. I'll have to check, but this is probably a "reasonably foreseeable" question.

On Confidentiality: See Generally, Fred Zacharias, Rethinking Confidentiality, 74 Iowa L. Rev. 351 (1989); Fred Zacharias, Rethinking Confidentiality II, 75 Iowa L. Rev. 601 (1990); Geoffrey Hazard, A Historical Perspective on the Attorney Client Privilege, 66 Calif. L. Rev. 1061 (1978); Developments in the Law: Privileged Communications, 98 Harv. L. Rev. 1450 (1985).

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From jimbell at pacifier.com Wed May 8 01:01:12 1996
From: jimbell at pacifier.com (jim bell)
Date: Wed, 8 May 1996 16:01:12 +0800
Subject: ecash payee anonymity, cpunk archives
Message-ID: <199605080413.VAA03119@pacifier.com>

At 05:36 PM 5/7/96 -0500, Alex Strasheim wrote:
>A while back someone posted a note saying that an ecash protocol
>guaranteeing payee as well as payer anonymity had been devised.

I think that was about a week before Colby disappeared, wasn't it? B^)

Jim Bell
jimbell at pacifier.com

From unicorn at schloss.li Wed May 8 01:01:19 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Wed, 8 May 1996 16:01:19 +0800
Subject: Why I Pay Too Much in Taxes
In-Reply-To: <199605080005.RAA09126@pacifier.com>
Message-ID:

On Tue, 7 May 1996, jim bell wrote:

> At 04:46 PM 5/7/96 -0400, Black Unicorn wrote:

> >I'm not sure I understand what you mean. I sent the text of the law to
> >the list. The position that you take (that increase in inflation can send
> >you into the next tax bracket) is incorrect.
>
> You seem to be forgetting that one of the provisions of (I believe) the 1986
> tax act was that capital gains would be indexed for inflation. However,
> the sleazy politicians only scheduled it (the indexing process) for about
> 1990 or so, and by 1990 they managed to get that idiot Bush to agree to drop
> it.

Considering that there is one bracket for capital gains income (namely 28%) what does this have to do with bouncing you into the next income tax bracket?

> I don't know the details, but this is yet another of the reasons I have
> no qualms about advocating a system for solving the "politician problem" by
> putting them 6 feet under.

And yet another reason you cite which is based on incorrect facts.

>
> Lawyers who profit from an abusive system may disagree, of course.
>

So may all individuals who have a clue.
> Jim Bell
> jimbell at pacifier.com

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From frantz at netcom.com Wed May 8 01:09:37 1996
From: frantz at netcom.com (Bill Frantz)
Date: Wed, 8 May 1996 16:09:37 +0800
Subject: Transitive trust and MLM
Message-ID: <199605080409.VAA06882@netcom8.netcom.com>

At 11:13 PM 5/7/96 -0400, E. ALLEN SMITH wrote:
>From: IN%"frantz at netcom.com" 7-MAY-1996 23:02:33.09
>
>>Some of the solution to this problem may come from the answer to the
>>question, "What am I trusting the receiver with?" I can see a number of
>>possibilities:
>
> I think you've forgotten to allow for the signature use. I may want to
>know if someone who's posting is indeed the usual/proper person posting from
>that address, and in most situations without transitivity I won't be able to
>tell.

Indeed, signing is something I shouldn't forget (having harassed Senator Leahy on the same subject). I will offer two observations on the subject:

(1) Many posts signed by the same key define a personality. The key is "key", not the email address, but they become associated.

(2) When in doubt, ask the poster via private email. This method reduces to the levels of trust I described in, "What am I trusting the receiver with?"

N.B. I don't sign my posts because I want "implausible deniability".

Regards - Bill

------------------------------------------------------------------------
Bill Frantz         | The CDA means  | Periwinkle -- Computer Consulting
(408)356-8506       | lost jobs and  | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From tcmay at got.net Wed May 8 02:50:57 1996
From: tcmay at got.net (Timothy C. May)
Date: Wed, 8 May 1996 17:50:57 +0800
Subject: Dempster-Shafer Theory and Belief Networks (Re: Transitive trust)
Message-ID:

At 5:50 PM 5/7/96, Hal wrote:
....
>It is important to eliminate a common misconception about the web of
>trust. Suppose Alice signs Bob's key, and Bob signs Clara's, and
>Clara signs Don's key. Suppose further that Alice trusts Bob and Bob
>trusts Clara as key signers, but that Alice doesn't know Clara. In
>terms of PGP's web of trust, this does not give a chain from Alice to
>Don which lets her trust his key. Alice has to have a signature on
>Don's key by someone she trusts. In this case, since she doesn't know
>Clara she presumably can't trust her, and hence Clara's signature on
>Don's key is worthless to Alice.
...
>Unfortunately we are left with a choice between three not very good
>possibilities: accept transitive trust and hierarchical key CA
>structures; use very flat hierarchies where one signer validates huge
>numbers of keys; or accept that only a small number of keys can be
>validated by key signatures. I think all these are troublesome and in
>fact it makes me question the whole notion of key signatures.

An interesting and thought-provoking essay.

I've never been comfortable with the term "trust," and tend to think in terms of a related but subtly different term, "belief."

"Do I _believe_ this person is who he says he is?"

"Do I _believe_ this applet I am downloading will not erase my hard disk?"

"Do I _believe_ MacWarehouse will ship the product I ordered last week?"

"Do I _believe_ the Russians when they say they are destroying warheads?" (and recall Reagan's very accurate "Trust, but verify").

(and so on, for many examples where "believe" means something more than "trust")

Obviously, in many cases belief and trust are closely related, and saying I believe Eric Hughes is the same as saying I trust Eric Hughes, at least in some context.
But belief also invokes other mechanisms, including independent verification (as with multiply connected graphs), "commonsense and sanity" tests, etc.

And beliefs are in some sense what we are really talking about. There is no simple scalar quantity called "trust" (at least not one I can imagine), but different agents will have different beliefs about different things.

One set of beliefs about signatures on keys has a lot of similarities to the "web of trust." In fact, imagine this "diminishing wavefront of belief" example:

"I believe that Eric Hughes is who he says he is, and that the key he signed for me represents his signature. Further, he told me he believes Peter Wayner to be who he says he is [many philosophical issues of identity elided here], and that he believes because of several cross-checks he has made that Peter's signature as stored at the MIT site is in fact that of the journalist Peter Wayner. Because Eric believes Peter, and I believe Eric, I tend to believe Peter's signature. Peter says he believes Joe Blow, but neither Eric nor I have checked this, nor have we talked to Peter about how confident he is, or why he believes this, so I have to say I'm not ready to say I believe in Joe Blow's signature."

Can this be more mechanized? Can numbers be attached, and perhaps propagated?

(I mentioned "diminishing wavefront of belief," because implicit in this viewpoint, inevitably (and rightly, I think), is the notion that "distant relations" have low probabilities of belief, all other things being equal. (All other things are not equal, in many cases, and there may be multiple paths to a person. As supporting evidence mounts, so does the confidence level, or belief.))

I believe [no pun intended] that some of the work in classical AI on belief networks, aka Bayesian networks, is relevant.
Reasoning in such networks, where different beliefs are held about events, causes of events, reasons for things happening, etc., seems quite similar to what we have in webs of trust.

In particular, one form of belief representation seems especially relevant: Dempster-Shafer theory. A nice summary is contained in a wonderful book, "Artificial Intelligence: A Modern Approach," Stuart Russell and Peter Norvig, 1995. On p. 462 they write:

"The Dempster-Shafer theory is designed to deal with the distinction between _uncertainty_ and _ignorance_. Rather than computing the probability of a proposition, it computes the probability that the evidence supports the proposition. This measure of belief is called a _belief function_, written Bel(X).

"We return to coin flipping for an example of belief functions. Suppose a shady character comes up to you and offers to bet you $10 that his coin will come up on heads on the next flip. Given that the coin may or may not be fair, what belief should you ascribe to the event of it coming up heads? Dempster-Shafer theory says that because you have no evidence either way, you have to say that the Bel(Heads) = 0, and also that the Bel(Not-Heads) = 0. This makes Dempster-Shafer reasoning systems skeptical in a way that has some intuitive appeal. Now suppose you have an expert at your disposal who testifies with 90% certainty that the coin is fair (i.e., he is 90% sure that P(Heads) = 0.5). Then Dempster-Shafer theory gives Bel(Heads) = 0.9 x 0.5 = 0.45 and likewise Bel(Not-Heads) = 0.45. There is still a 0.1 "gap" that is not accounted for by the evidence. "Dempster's rule" (Dempster, 1968) shows how to combine evidence to give new values for Bel, and Shafer's work extends this into a complete computational model."

See why it looks promising? If it isn't clear, imagine the above example rewritten slightly:

"We return to key signing for an example of belief functions.
Suppose a shady character comes up to you and claims that he has a list of signatures he believes in. Given that you may or may not believe him, what belief should you ascribe to the validity of his list? Dempster-Shafer theory says that because you have no evidence either way, you have to say that the Bel(List) = 0, and also that the Bel(Not-List) = 0. This makes Dempster-Shafer reasoning systems skeptical in a way that has some intuitive appeal. Now suppose you have an expert at your disposal who testifies with 90% certainty that the shady stranger is to be believed ("trusted"). Then Dempster-Shafer theory gives Bel(List) = 0.9 x 1.0 = 0.9 and likewise Bel(Not-List) = 0.10. "Dempster's rule" (Dempster, 1968) shows how to combine evidence to give new values for Bel, and Shafer's work extends this into a complete computational model." By converting the problem of "trust" to one of "belief," and accepting that there may be "gaps," Dempster-Shafer theory has been useful in many situations for analyzing changes of belief...seems to be similar to what we face in the "web of trust." (I believe the results will be similar to Phil's heuristic that "trust is not transitive" and my point about a "diminishing wavefront of belief." One way this may be mechanized is to ask people who sign keys to make an estimate of their "belief" in each key, so that we might get something like: Bel-sub-May(Hughes) = 0.98 Bel-sub-May(Finney) = 0.96 Bel-sub-May(Wayner) = 0.70 .... Bel-sub-May(tallpaul) = 0.05 ... and so on, where "Bel-sub-May" means the belief I (May) have in some signature being properly done...FOR WHATEVER REASONS I MAY HAVE! Likewise, Hal Finney may have pretty good confidence that I am a careful checker of such things, so maybe he ascribes Bel-sub-Finney(May) to be 0.80. (The careful reader will have noticed that I switch between talking about belief in signatures and belief in methodology. 
It may be possible to handle these differently, but I think in a real sense they are best handled as the same thing. Thus, I am saying to Hal, "I place these amounts of trust (belief, really) in these signatures," and Hal says to me, "Well, based on past experience, I tend to believe you, at least with 80% confidence, so I'll take your estimates and pass them on, normalized by my belief factor." Not perfect, but then how can it ever be, due to the semantics of probabilistic belief.)

Hierarchical systems are not necessarily any better, in that a hierarchical system may just be Bill Gates saying:

Bel-sub-any_employee(Gates) = 1.0

(Thus, every employee is told to believe any statement by Bill Gates, including passing on belief in the statements of his designated key authorities!)

By the way, the work on back propagation in belief networks looks to be very promising vis-a-vis the "reputations" we so often talk about. In the example above, where "suppose you have an expert at your disposal who testifies with 90% certainty that the coin is fair," imagine the results of many coin tosses. If the coin tosses turn out to be 900 heads and 100 tails, then one might expect the "belief" in the "expert" will decline rapidly. Like a bad consultant, or bad advice.

Dempster-Shafer theorists have done a lot of work on how to actually compute using these belief probabilities, how to propagate beliefs, and what the limits are. Seems pretty applicable to studying webs of trust (which are actually "belief networks").

Thanks, Hal, for stimulating this discussion.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From anonymous-remailer at shell.portal.com Wed May 8 03:21:16 1996
From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com)
Date: Wed, 8 May 1996 18:21:16 +0800
Subject: (fwd) Christopher Ruddy on Colby 5/7/96 (fwd)
Message-ID: <199605080546.WAA27143@jobe.shell.portal.com>

Theories on cause of Colby death abound
By Christopher Ruddy
FOR THE TRIBUNE-REVIEW

WASHINGTON - The body of "the Old Gray Man of the CIA," William Colby, has been found in waters near his weekend home, but theories about his demise continue to thrive.

Colby, who served as CIA director under Presidents Nixon and Ford, disappeared April 28. Maryland authorities found his body Monday morning after it washed ashore. This followed an intensive search of the Wicomico River near Colby's home in Rock Point, Md.

Local police believe his body was lost in the cloudy waters of the Wicomico while canoeing, a favorite pastime of Colby's.

At 76, Colby was physically fit and, after surviving parachute drops behind Nazi lines in World War II and stints in Vietnam, he was a cautious, careful and cunning man who lived up to his James Bond super-spy credentials.

Last week, The New York Post's irreverent Page Six raised concerns about Colby's disappearance and apparent death with an article headlined "Conspiracy Crowd Snatches Colby."

"The theory among conspiracy-minded, cloak-and-dagger buffs is that Colby was assassinated so he wouldn't spill any more agency secrets," the gossip page began.
Agency insiders reportedly resented Colby for talking to Congress about the "family jewels" - supposed illegal operations the agency conducted in the decades before Watergate. As a result, Colby lost the support of agency insiders and the Ford administration. President Ford fired Colby on Halloween 1975. Some theorists point to the similar circumstances surrounding the 1978 death of CIA deputy director John A. Paisley. Paisley's sailboat was found adrift in the Chesapeake Bay just 15 miles from Colby's home. His body was discovered days later. He died of an apparent gunshot behind his ear. His body had been weighted with diving belts. Since no blood was found on the boat, authorities theorized Paisley first jumped into the water and then fired the shot into his head. However, murder was never ruled out in the case. While some refuse to believe 20-year-old grudges could have led to Colby's demise, others, including Fred Davis, the Maryland county sheriff in charge of the probe, still find the death suspicious and haven't ruled out foul play Already, the death has been the buzz of talk radio and the Internet. Pittsburgh's Jim Quinn on WRRK-FM joked that Colby's body will rise to the top as soon as "someone cuts the concrete slabs tied to his feet." New York shock-jock Don Imus, whose recent roast of the Clintons caused a stir, started off one of his morning programs wondering what the "Whitewater" connection was with Colby's death - a reference, no doubt, to the high number of deaths likened to a web of Arkansas scandal. Even though Imus didn't realize it, Colby did have a Whitewater connection. For the past two years, he has been a contributing editor with a monthly financial newsletter, Strategic Investment. Co-edited by James Dale Davidson and former Times of London editor Lord William Rees Mogg, Strategic is read by more than 100,000 subscribers worldwide and has been closely monitoring the Whitewater scandal. 
Davidson has written in the newsletter that Vincent Foster, former White House deputy counsel, was murdered and that significant evidence links the Clintons to drug trafficking, murder and organized crime in their home state of Arkansas. Foster was found shot to death more than two years ago in Fort Marcy Park near Washington, D.C. The Wall Street Journal editorialized that it was glad to see James Davidson "pushing the envelope" on the Whitewater scandal. Colby began taking a more active role in the newsletter in February, writing a weekly column on geo-political matters and their effects on investments in Strategic Weekly Briefings - a facsimile newsletter tailored for high-income investors. Colby traveled with Davidson several times to Asia, leading groups of investors. In his columns, Colby never touched upon the Clintons or the Whitewater affair. His name and former association with the CIA was no doubt a real credibility boost for the newsletter and was touted throughout the newsletter and its promotional brochures (which often detailed the newsletter's reporting of the darker side of Whitewater). "I find the death suspicious for a lot of reasons," Davidson told the Tribune-Review. He does not link his Whitewater coverage to the death, but points to problems associated with Colby's disappearance. "It's not clear how his life jacket and paddle, which he always took canoeing with him, disappeared,''he said. Davidson also is disturbed by an early Associated Press report quoting Mrs. Colby as having spoken with her husband on the day of the death. The AP reported that Colby said he was not feeling well, but planned to go canoeing anyway. In a statement this week, Mrs. Colby, who was in Texas when she spoke to her husband for the last time, said he was feeling fine, and never mentioned any plans to go canoeing. Davidson described Colby as a "charming and fit" man who had great stamina traveling. 
"He was a New Deal Democrat like many who started in the OSS (the forerunner to the CIA)," Davidson remarked. According to Davidson, one of his staff members contacted local police who said they were perplexed as to where the AP got the original report on Colby's conversation with his wife. Some old Cold Warriors recollect Colby's longstanding feud with James Jesus Angleton, the longtime head of the CIA's counterintelligence division. Angleton believed the CIA had been infiltrated by KGB moles; Colby believed Angleton had become symptomatic of Cold War paranoia and forced his ouster in 1974. After his dismissal, a bitter Angleton told associates he believed that Colby had been recruited by the KGB and was a long-term asset of the Soviets. Angelton's supporters noted Colby's association with far left committees - including ones supported by the Institute for Policy Studies - after Colby departed from the CIA. Colby also called for near unilateral disarmament - an immediate 50 percent reduction in the American defense budget during the height of East-West tensions. One friend of Colby's scoffed at such notions and suggested that his espousal of unorthodox views were not based on a longtime hidden ideology, but may be explained by his desire to live down an undesirable reputation he acquired in Vietnam for heading up the controversial Operation Phoenix, a program to eradicate peasant support of the Viet Cong, for which Colby had been branded by war protesters as a war criminal. From llurch at networking.stanford.edu Wed May 8 03:43:30 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 8 May 1996 18:43:30 +0800 Subject: Transitive trust and MLM In-Reply-To: <199605072229.PAA28013@netcom8.netcom.com> Message-ID: On Tue, 7 May 1996, Bill Frantz wrote: > Some of the solution to this problem may come from the answer to the > question, "What am I trusting the receiver with?" 
I can see a number of > possibilities: > > (1) I just want an envelope so casual eavesdroppers can't read the mail. > Given the people Rich Graves has been dealing with, I see this as a > powerful reason to encrypt all private email, just as you might send all > private postal mail in envelopes rather than on postcards. Oh, those WhoWhere? guys are just a bunch of pussycats. The fact that you're sending postcards is only a problem if you don't want them to be read. It's more the email I receive that I worry about, so all my friends use the address rich at alpha.c2.org now. You should only worry about men in the middle when you're playing volleyball. The endpoints are usually far more vulnerable. -rich http://www-leland.stanford.edu/~llurch/ From llurch at networking.stanford.edu Wed May 8 04:05:21 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 8 May 1996 19:05:21 +0800 Subject: Chat with WhoWhere.com Message-ID: -----BEGIN PGP SIGNED MESSAGE----- So we did lunch. They even paid. I had a turkey club sandwich and a strawberry/banana smoothie. At this time, I cannot discuss (publicly) much of what was said, but I can say that some progress was made. * There is not currently a "deny" list. I.e., if you ask WhoWhere to delete your name, address, and phone number, they will usually do it within 48 hours, but it is entirely possible that an automated process will reenter your address the next day. They agree that this is something that should be fixed. * They do indeed run an undocumented web spider to search for email addresses. Soon, they will register it on the WebCrawler page and follow the Robot Exclusion Standard. However, they were not interested in shutting the robot down, or sharing the source code. * They deny association with the "WhoWhere Robot" probes operating out of Japan and Australia. I expressed concern that someone may have stolen their spider somehow. They'll look into it. 
* The person I talked to agreed that WhoWhere's initially writing programs to brute-force tens of thousands of addresses out of the okra.ucr.edu service was improper. I expressed concerns that the current version of their web crawler appeared to have no safeguards against a recurrence.
* Certain other allegations were confirmed, denied, or confidential.
* WhoWhere does seem to take concerns about the inappropriate disclosure of information that was never intended to be publicly available seriously. :-)
* They do indeed have formal business relationships with ABI, InfoSeek, Switchboard, and Netscape (details on the Netscape relationship are not publicly available).
* I did not feel at all threatened by remarks made as we were leaving.

- -rich

From loki at infonex.com Wed May 8 04:57:18 1996
From: loki at infonex.com (Lance Cottrell)
Date: Wed, 8 May 1996 19:57:18 +0800
Subject: remailer-in-a-box
Message-ID:

At 3:51 PM 5/7/96, anonymous-remailer at shell.portal.com wrote:
>No one answered me.
>What's the best remailer-in-a-box.
>I'd like to run one. I would think people would be falling
>over each other to tell me.

The reason for the quiet may be twofold. First, I and many others delete unread list messages without subjects. Second, remailer-in-a-box does not really exist. Mixmaster, and most of the other remailers are fairly easy to set up for anyone with UNIX experience. I run Mixmaster + Ghio + reorder scripts.

-Lance

----------------------------------------------------------
Lance Cottrell loki at obscura.com
PGP 2.6 key available by finger or server.
Mixmaster, the next generation remailer, is now available!
http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche ---------------------------------------------------------- From nobody at replay.com Wed May 8 05:29:22 1996 From: nobody at replay.com (Anonymous) Date: Wed, 8 May 1996 20:29:22 +0800 Subject: Why I Pay Too Much in Taxes Message-ID: <199605080632.IAA24692@utopia.hacktic.nl> Black Unicorn wrote: >Where does the company get the funds to pay you? >From Tim's day work. It's a consulting company, i.e. it sells his services to whomever is employing him today. The whole idea was to hide Tim's income sources, or that's what he asked for anyway. You can hide your income by putting it in another jurisdiction. >What pay? I don't get it. Where does this friend gets his money? As a cut from the money Tim's employer gives him. >> By the way, are there any PGP encrypted mailing lists for >> discussing serious tax fraud? > >If such a list existed, would we tell an anonymous poster/fed? >If your above scheme is intended merely to conceal funds it is a fairly >poor example as it depends on the secrecy of each and every 'employee' of >the company. No it doesn't. One person knows where they money went when it left the country (and he is getting paid for the risk of doing time). Nobody knows where the funds are concealed. Probably in a trust that you can access when you are on vacation abroad. Mr.X. From snow at smoke.suba.com Wed May 8 06:21:04 1996 From: snow at smoke.suba.com (snow) Date: Wed, 8 May 1996 21:21:04 +0800 Subject: Why I Pay Too Much in Taxes In-Reply-To: Message-ID: On Sun, 5 May 1996, Alan Horowitz wrote: > << " I paid approximately 60%...." >> > didn't the feudal vassels only pay 33% ? To paraphrase - I forget > which Presidential candidate of yore - "are you better off than you were > a thousand years ago?" 
The very fact that we are having this conversation in this manner would indicate to me that yes, we are. From frissell at panix.com Wed May 8 07:58:35 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 8 May 1996 22:58:35 +0800 Subject: Why I Pay Too Much in Taxes Message-ID: <2.2.32.19960508101653.00985b20@panix.com> At 04:46 PM 5/7/96 -0400, Black Unicorn wrote: >I'm not sure I understand what you mean. I sent the text of the law to >the list. The position that you take (that increse in inflation can send >you into the next tax bracket) is incorrect. I believe Tim was making the generic point that in spite of loads of "tax reform" average total taxes paid in the US are higher than they have ever been. Yesterday was "Tax Freedom Day" and was the latest it has been. DCF From frissell at panix.com Wed May 8 09:01:34 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 9 May 1996 00:01:34 +0800 Subject: Why I Pay Too Much in Taxes Message-ID: <2.2.32.19960508103911.0096c07c@panix.com> At 09:16 PM 5/7/96 -0400, Black Unicorn wrote: >My 1994-1995 code indicates 39.6% for single heads of households with >incomes over $250,000. (Pay $77,299, plus 39.6% of the excess over >$250,000). That was for the 1994 tax year. > >If there was an explicit raise, I haven't heard (though this isn't too >surprising, I haven't paid much attention to domestic U.S. tax rates >lately). > Don't forget the 1.?% percent Medicare Tax that was uncapped in one of the tax laws and now applies to all earned income no matter how high. DCF From pcw at access.digex.net Wed May 8 11:27:53 1996 From: pcw at access.digex.net (Peter Wayner) Date: Thu, 9 May 1996 02:27:53 +0800 Subject: Disappearing Cryptography Message-ID: >A book by Peter Wayner (pcw at access.digex.com), >of interest to cypherpunks. >(OK, cypherpunks mailing list subscribers then) > >There is more info at Peter's home page: >http://www.access.digex.net/~pcw/pcwpage.html >but I couldn't get to it when I tried just now. 
Yes, my service provider, DIGEX, is really terrible about providing access to my net page. I'm sorry about this, but if you need more information, feel free to write me. > >I got my copy from Border's in Houston on Sunday. > >He describes mimic functions, a particular interest of >mine. He also covers basic encryption, error correction, >secret sharing, compression, context free grammers, >anonymous remailers, reversible computing, etc. > >There is an evaluation of several stego packages, and >an inclusive (there isn't enough published about >steganography to call it extensive) bibliography. > >The presentation is at an introductory, but not trivial >level. I wish there had been more technical explanations, >but I suppose the author would have lost a sizable fraction >of an already tiny audience. > Yes, this was one dilemma I faced with writing the text and I decided that a "Scientific American" level text would be more likely to appeal to more people. In fact, my hope is that many people will be interested in a presentation of this level because of the political implications. If you can't find the information, you can't censor it. I think, though, that there will be plenty of meat on the bones of this book for many people. Anyone who reads cypherpunks carefully and works through the mathematical details won't find much new here, but I don't know if there is much else out there. The proceedings from the information hiding workshop in Cambridge will generate some more papers, but that's in the future. >By the way, "the people who participate on the cypherpunks >mailing list" get a nice "thankyou" in the preface. Of course this should be repeated and amplified. Many people post great stuff to the cypherpunks list. I couldn't have done it without you. My only regret is that the best people on the list might not learn much new from the book. Sigh. > >Rick F. 
Hoselton (who doesn't claim to present opinions for >others) From adam at lighthouse.homeport.org Wed May 8 12:53:15 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Thu, 9 May 1996 03:53:15 +0800 Subject: Remailer in a box Message-ID: <199605081333.IAA11436@homeport.org> You should at least bother to read the list before claiming no one answered. Adam >From adam Sat May 4 09:43:26 1996 >Subject: Re: your mail >To: anon-remailer at utopia.hacktic.nl (Anonymous) >Date: Sat, 4 May 1996 09:43:26 -0500 (EST) >Cc: cypherpunks at toad.com >In-Reply-To: <199605040605.IAA19372 at utopia.hacktic.nl> from >"Anonymous" at May 4 >, 96 08:05:07 am >X-Mailer: ELM [version 2.4 PL24 ME8b] >Content-Type: text >Content-Length: 329 >Status: RO > >Mixmaster with my install script. Get mixmaster from www.obscura.com, >my installer by sending me mail with a subject line: >get mix-installer > >Adam <>----- Forwarded message from anonymous-remailer at shell.portal.com ----- <> <>From cypherpunks-errors at toad.com Tue May 7 22:11:26 1996 <>Date: Tue, 7 May 1996 15:51:06 -0700 <>Message-Id: <199605072251.PAA01721 at jobe.shell.portal.com> <>To: cypherpunks at toad.com <>From: anonymous-remailer at shell.portal.com <>Comments: This message is NOT from the person listed in the From <> line. It is from an automated software remailing service operating at <> that address. <> THE PORTAL SYSTEM DOES NOT CONDONE OR APPROVE OF THE CONTENTS OF THIS <> POSTING. Please report problem mail to . <>Sender: owner-cypherpunks at toad.com <>Precedence: bulk <> <> <>No one answered me. <>What's the best remailer-in-a-box. <>I'd like to run one. I would think people would be falling <>over eachother to tell me. <> From jay_haines at connaught-usa.com Wed May 8 13:15:02 1996 From: jay_haines at connaught-usa.com (Jay Haines) Date: Thu, 9 May 1996 04:15:02 +0800 Subject: remailer-in-a-box Message-ID: Reply to: RE>>remailer-in-a-box >>No one answered me. >>What's the best remailer-in-a-box. 
>>I'd like to run one. I would think people would be falling >>over eachother to tell me. >The reason for the quiet may be twofold. First, I and many others delete >unread list messages with out subjects. Second, remailer-in-a-box does not >.really exist. Mixmaster, and most of the other remailers are fairly easy to. >set up for anyone with UNIX experience. I run Mixmaster + Ghio + reorder >scripts. > -Lance Does one exist for the MAC? If not, would anyone be interested enough to see one developed? From warlord at MIT.EDU Wed May 8 15:00:59 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Thu, 9 May 1996 06:00:59 +0800 Subject: Senator Leahy's Public Key In-Reply-To: <199605071951.TAA14244@rebound.slc.unisys.com> Message-ID: <9605081459.AA20668@bart-savagewood.MIT.EDU> > Actually, I've been thinking about this, and how do we *really* know that > *anyone's* keys are actually theirs? I'm new to this list and have been > collecting some of the keys from people who post with PGP signatures, but > even at that, I never certify them myself because I am not 100% absolutely > certain that the key in question belongs to that person. After all, what > if some clever hacker dropped in and replaced someone's .plan file, or > edited their index.html file? There's no real way to be absolutely > certain. This is exactly what the web of trust is about. The fact is that you can't trust the Keyservers (they were never designed to be trusted); you can't trust .plan files; you can't trust index.html files. However you can trust signatures made by trusted keys. That is why the web of trust works. For example, I've met in person with a lot of people and we've signed each others' keys. We've used various methods to "prove" identity. Sometimes it's been a long time of personal interactions (close friends). Sometimes it's been a number of certifying documents, IDs, etc. Sometimes it's been a piece of knowledge that I know the other has but no one else has. 
The point is that once I'm attached to the web of trust I have a means to verify other keys. I can set up a CA that way (MIT has one) -- there is a keysigner that will use out-of-band means to verify the identity of a user and then use that to sign a PGP key in that person's name. > How certain are we that the keyservers are 100% bulletproof? Hell, I > could call Joe Schmoe up and say "tell me your fingerprint", but how do I > *really* know I'm talking to Joe unless I knew him before getting his > signature? As I said already, the keyservers are not bulletproof. In fact, they were never designed to be trusted. They were designed to be an untrusted key distribution system. The end-user is still supposed to verify the signatures on they keys received from the keyserver. As for calling up Joe Schmoe, how did you get his number? Did you look it up in a phone book? Call directory assistance? These are other means of identification, too. You just need to look at it from a different angle. -derek From shamrock at netcom.com Wed May 8 15:04:51 1996 From: shamrock at netcom.com (Lucky Green) Date: Thu, 9 May 1996 06:04:51 +0800 Subject: PGP, Inc. Message-ID: At 7:46 5/7/96, Raph Levien wrote: [...] > The S/MIME spec indicates the use of X.509v3 certificates, which, in >turn, are explicitly allowed to contain trust roots originating in the >client's local configuration. In other words, yes, the spec allows for a >Web of trust. > The big question, of course, is how easy the key management will be >in such a case. Everything I've seen points to key management being >super-easy if you use VeriSign certs, and probably just as bad as PGP >otherwise. Unlike PGP, most e-mail clients will probably not come >configured with the capablity to sign other keys - in the X.500 world, >e-mail clients and "certification authorities" are two separate >applications. 
Since VeriSign is going to issue certs for nyms for free, the only requirement being uniqueness, using their certs might not prove much of a problem. Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green PGP encrypted mail preferred. From Clay.Olbon at dynetics.com Wed May 8 16:37:09 1996 From: Clay.Olbon at dynetics.com (Clay Olbon II) Date: Thu, 9 May 1996 07:37:09 +0800 Subject: misunderstandings of PICS Message-ID: At 5:31 PM 5/7/96, Joseph M. Reagle Jr. wrote (in part): >>my fear is that the supposed "failure" of self-ratings could be twisted >>by its opponents as evidence that it is inadequate to deal with the >>real problem. > > I think your fears are a little too paranoid here, but maybe they >aren't. The question is how much of this hoopola stems from fundamentalist >thought police, or concerned but ignorant parents/congressmen. If >self-labeling worked (which I see few cases in which it wouldn't) I can't >see the concerned but ignorant being unhappy. Rather they'd be a bit better >educated and feeling pretty secure their kids won't get their hands on >naughty material. And then if self labeling had some failures, that's an >incentive for others to provide third party services (as others have >argued). PICS had to sell itself to the net as much as to the masses. >Self-labeling appeals to the net, it may appeal to the masses, but there are >other things in there to sweeten the deal for them if not. I disagree - paranoia is warranted here. One problem with our legislative process is that is is vulnerable to emotional issues. It is very easy to bring up issues that sound horrible (child porn, terrorist info, flag burning), then create legislation controlling them. Being opposed to this legislation for whatever reason brands you as "anti-family" or "soft on crime". It is clear to me that improperly labeled material will be paraded before congress and the media as justification for stricter control over this material. 
Congressmen, not wanting to face attack ads claiming that they support pornography (or terrorism, or whatever), will pass silly laws such as the CDA. It has happened before, it is naive to think that it will not happen again. There are only three solutions: 1) Vote in congressmen that support the first amendment. 2) Hope that judges protect our rights. 3) Deploy technological solutions that make any laws passed ineffectual. The first solution is improbable and the second is risky. Only the third solution actually provides a method where we can really have an impact. I think PICS is a great idea, and I think it may have an impact on judicial decisions. It should be implemented because it puts the control over information where it belongs, in the hands of the end-user. I would hope that it is a good-enough solution to avoid further control over the internet, but I have my doubts. Remember, if congress can try and legislate against something as innocuous as flag burning, what else would they be willing to do to curb our right to free speech? Clay --------------------------------------------------------------------------- Clay Olbon II | Clay.Olbon at dynetics.com Systems Engineer | ph: (810) 589-9930 fax 9934 Dynetics, Inc., Ste 302 | http://www.msen.com/~olbon/olbon.html 550 Stephenson Hwy | PGP262 public key: on web page Troy, MI 48083-1109 | pgp print: B97397AD50233C77523FD058BD1BB7C0 TANSTAAFL --------------------------------------------------------------------------- From tcmay at got.net Wed May 8 16:39:13 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 9 May 1996 07:39:13 +0800 Subject: Mandatory Voluntary Self-Ratings Message-ID: At 9:31 PM 5/7/96, Joseph M. Reagle Jr. wrote: >thought police, or concerned but ignorant parents/congressmen. If >self-labeling worked (which I see few cases in which it wouldn't) I can't >see the concerned but ignorant being unhappy. 
Rather they'd be a bit better Regarding this "(which I see few cases in which it wouldn't)" point, I have a different view. Should "voluntary self-criticism" become widespread, I expect to rate all of my posts as suitable for children of all ages, suitable for hypersensitive feminists, suitable for Jews and Gentiles alike, and so on. Regardless of whether I'm advocating post-birth abortions or forced encheferation of Muslim girls. Then we'll see what happens. (This is an old debate, here and on the Cyberia-l list, to wit, what happens when people/perverts/libertarians choose to subvert the voluntary ratings by deliberately mis-rating their stuff? Or what if they genuinely believe, a la NAMBLA, that youngsters should be exposed to certain things?) I believe the whole debate about PICs-type ratings and other "voluntary self-labeling" has taken us astray. I don't see calls for authors to voluntarily self-rate their print works, nor do I see calls for newspapers to have articles rated. Nor speech in general. However, the drumbeat of "V-Chip" advocacy is now spilling over into cyberspace. I say it's a waste of our time to even be thinking or worrying about how to implement an infrastructure for ratings. In fact, building such an infrastructure could make later imposition of "mandatory voluntary ratings" (Orwell would be unsurprised) a greater likelihood. --Tim May THE X-ON CONGRESS: INDECENT COMMENT ON AN INDECENT SUBJECT, by Steve Russell, American Reporter Correspondent....You motherfuckers in Congress have dropped over the edge of the earth this time... "the sorriest bunch of cocksuckers ever to sell out the First Amendment" or suggesting that "the only reason to run for Congress these days is to suck the lobbyists' dicks and fuck the people who sent you there," ....any more than I care for the language you shitheads have forced me to use in this essay...Let's talk about this fucking indecent language bullshit. 
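
[Added illustration, not part of any message in this archive.] Timothy C. May's earlier message on belief networks asks whether numbers can be attached to key-signing beliefs and propagated; the sketch below does that with Dempster-Shafer mass functions over the frame {valid, invalid}. It assumes Shafer discounting as the reading of "normalized by my belief factor" and Dempster's rule for independent signature paths; the values 0.70 and 0.80 and the coin figures come from that message, while every other number and all names (`Mass`, `along_chain`, `across_paths`) are constructed here.

```python
"""Dempster-Shafer bookkeeping for beliefs about key signatures.

Frame for one key binding: {valid, invalid}. Mass may sit on "valid", on
"invalid", or on the whole frame ("unknown"), the uncommitted "gap".
"""
from dataclasses import dataclass
from functools import reduce


@dataclass(frozen=True)
class Mass:
    valid: float    # committed to "this key belongs to the named person"
    invalid: float  # committed to "it does not"
    unknown: float  # uncommitted: ignorance, which is not disbelief

    def __post_init__(self):
        parts = (self.valid, self.invalid, self.unknown)
        if min(parts) < -1e-12 or abs(sum(parts) - 1.0) > 1e-9:
            raise ValueError("masses must be non-negative and sum to 1")

    @property
    def bel(self):
        """Bel(valid): how far the evidence supports the binding."""
        return self.valid

    @property
    def pl(self):
        """Pl(valid): how far the evidence fails to contradict it."""
        return self.valid + self.unknown


VACUOUS = Mass(0.0, 0.0, 1.0)  # no evidence: Bel(valid) = Bel(invalid) = 0


def signed(belief):
    """A signer's stated belief in a key, as simple support for 'valid'."""
    return Mass(belief, 0.0, 1.0 - belief)


def discount(m, trust):
    """Shafer discounting: keep the fraction `trust` of a source's committed
    mass and move everything else to 'unknown'."""
    if not 0.0 <= trust <= 1.0:
        raise ValueError("trust must lie in [0, 1]")
    return Mass(trust * m.valid, trust * m.invalid,
                1.0 - trust * (m.valid + m.invalid))


def combine(m1, m2):
    """Dempster's rule for two independent bodies of evidence."""
    conflict = m1.valid * m2.invalid + m1.invalid * m2.valid
    if conflict > 1.0 - 1e-12:
        raise ValueError("totally conflicting evidence cannot be combined")
    k = 1.0 - conflict  # renormalise after discarding the conflicting mass
    valid = (m1.valid * m2.valid + m1.valid * m2.unknown
             + m1.unknown * m2.valid) / k
    invalid = (m1.invalid * m2.invalid + m1.invalid * m2.unknown
               + m1.unknown * m2.invalid) / k
    return Mass(valid, invalid, m1.unknown * m2.unknown / k)


def along_chain(key_belief, trust_links):
    """Belief in a key relayed through introducers; each hop discounts it."""
    return reduce(discount, trust_links, signed(key_belief))


def across_paths(paths):
    """Pool independent signature paths to the same key."""
    return reduce(combine, paths, VACUOUS)


if __name__ == "__main__":
    # Book example: an expert is 90% sure the coin is fair.
    print("coin:", discount(Mass(0.5, 0.5, 0.0), 0.9))
    # From the message: Bel-sub-May(Wayner) = 0.70, Bel-sub-Finney(May) = 0.80.
    via_may = along_chain(0.70, [0.80])
    print("Finney -> May -> Wayner:", via_may)
    # Constructed: one more hop in front of Finney, trusted at 0.80.
    print("one hop further out:", along_chain(0.70, [0.80, 0.80]))
    # Constructed second path: an introducer trusted at 0.50 who states 0.90.
    both = across_paths([via_may, along_chain(0.90, [0.50])])
    print("two independent paths:", both)
    # Constructed counter-evidence: a report, believed at 0.60, that the key is bogus.
    print("after a complaint:", combine(via_may, Mass(0.0, 0.60, 0.40)))
```

Each extra hop multiplies the committed mass down (the "diminishing wavefront"), a second independent path raises it, and contradicting evidence lowers Bel(valid) without pretending that the remaining ignorance is disbelief.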
From vznuri at netcom.com Wed May 8 17:27:34 1996
From: vznuri at netcom.com (Vladimir Z. Nuri)
Date: Thu, 9 May 1996 08:27:34 +0800
Subject: misunderstandings of PICS
In-Reply-To: <9605072131.AA20062@rpcp.mit.edu>
Message-ID: <199605081817.LAA02530@netcom7.netcom.com>

>
>>well, in any case the idea that there should ever be any pressure
>>of page designers to include certain tags I find wholly inconsistent
>>with the original PICS proposal and rather abhorrent. unfortunately
>>it may be unavoidable.
>
> I understand at one level, but not the visceral response.
>

I see I should have been even more specific. what I mean is that I think it is great to encourage page writers to include tags. what I find somewhat abhorrent is pressure on them to include particular tags that imply certain kinds of judgements. in other words, yes, please use the tags. but don't pressure individuals by sending them nasty email, "you should have included a sex: 10 tag in your page and you didn't!! your page clearly has a sex: 10 value!! how can you not do this!! I am going to email your administrator!! I hope you get kicked out of cyberspace!!"

>>I am not against self-ratings, I'm just saying that they seem to
>>be the area most ripe for being misunderstood by the public, or
>>lead to undesirable situations, and this is already happening.
>
> Then we should help educate the public. I dislike dumbing the net
>down for the masses.

me too. but as the cyberangels demonstrate, the public can easily misunderstand virtually anything, esp. well written technical proposals, and it takes a lot of effort to create a presentation that is free of ambiguity.

>
> The real question here -- as far as the public having a fit -- is
>the use of digital signatures in the labels. I expect we will not see
>signatures used in the first generation of label services or "compliant"
>browsers. Just like ecommerce, it takes a break or catastrophe to get people
>to move in a constructful manner on the security front.
yes, it is a bit disappointing how slowly digital signatures are catching on in some ways and the herculean effort it will take to implement it nicely. this problem was particularly difficult with the rating system, because you have multiple signatures: a signature by the creator and by the rater. the rater signs not only his rating but links that signature to a document signed by the author. (a sort of recursive signing.) furthermore in electronic documents you often have pieces that are altered and theoretically have to be signed by the transit mechanisms, such as headers in email messages or newsgroup posts. to fully implement digital signatures well in cyberspace will be far from trivial. in some ways we don't have a very robust ground to build on. for example, even though mail headers are supposedly standardized there is still a lot of variation in the way some clients treat the different fields (trivial example: not correctly interpreting the reply-to, errors-to, etc.) From reagle at rpcp.mit.edu Wed May 8 18:07:01 1996 From: reagle at rpcp.mit.edu (Joseph M. Reagle Jr. by way of "Joseph M. Reagle Jr." ) Date: Thu, 9 May 1996 09:07:01 +0800 Subject: FBI probes CompuServe adult programming Message-ID: <9605081845.AA29915@rpcp.mit.edu> COLUMBUS, Ohio, May 8 (UPI) -- The FBI, acting on a complaint from a Christian morals watchdog group, Wednesday sought to determine whether CompuServe Inc. has violated a new law against indecency. FBI agents said they were attempting to determine whether CompuServe's Entertainment Drive, which contains some adult material, violates the Communications Decency Act. The law prohibits offering pornography to on-line users, especially minors. CompuServe, headquartered in Upper Arlington, noted parents can now block their children from reaching any adult-oriented content. Users must use a password to reach certain restricted areas. 
``At this time we are not doing anything,'' CompuServe spokeswoman Daphne Kent told the Columbus Dispatch. ``We cooperate fully with any law enforcement agency, but we have not had talks with (the FBI) at this time.''

The FBI started the investigation after the Justice Department determined a complaint from the American Family Association had merit.

A spokesman said American Family made CompuServe a target because the on-line service is one of the world's largest such businesses and offers sexually oriented content.

American Family, based in Tupelo, Miss., also objects to CompuServe's MacGlamour Forum, which contains adult pictures and movies.

From vznuri at netcom.com Wed May 8 18:31:06 1996
From: vznuri at netcom.com (Vladimir Z. Nuri)
Date: Thu, 9 May 1996 09:31:06 +0800
Subject: self-ratings vs. market ratings
In-Reply-To:
Message-ID: <199605081856.LAA06645@netcom7.netcom.com>

TCM
>Should "voluntary self-criticism" become widespread, I expect to rate all
>of my posts as suitable for children of all ages, suitable for
>hypersensitive feminists, suitable for Jews and Gentiles alike, and so on.
>Regardless of whether I'm advocating post-birth abortions or forced
>encheferation of Muslim girls.

heh. I had a feeling you or someone else would say this. as I wrote, I don't like the self-rating idea very much for the reasons you bring up and because of the pressure on authors to rate their material in certain ways. but I can see how self-ratings might coexist with a market rating system.

>I believe the whole debate about PICs-type ratings and other "voluntary
>self-labeling" has taken us astray.

whoa, keep in mind that PICS involves "market ratings" as well. in my mind this is the key part of the proposal and most important element as I have been writing. although others have suggested they saw it exactly the opposite. we will see what happens in practice.
>I don't see calls for authors to voluntarily self-rate their print works,
>nor do I see calls for newspapers to have articles rated.

in a sense this happens at the beginning of works. recall in Huck Finn how Mark Twain warned against what people should not read the book. columnists will sometimes say, "this is about [x], don't read it if you don't like [x]". but I agree it is somewhat silly at times for authors to rate their articles. but keep in mind we are using the word "ratings" in a very general sense. it makes total sense for authors to decide the "keywords" for their articles, for example-- and in the PICS rating system, such a use is possible.

>I say it's a waste of our time to even be thinking or worrying about how to
>implement an infrastructure for ratings.

hmmmmmmmm, I seem to recall earlier letters in which you advocated a market-type rating system in which services could rate things, in the way that stocks are now rated, doctors/lawyers could be rated, etc.-- let a thousand ratings services bloom. (or maybe we were talking about reputations. in my mind, they are mostly interchangeable--hence my interest in "rating" systems).

perhaps in the future people should be very careful to distinguish their opinions on "self-ratings" vs. "market ratings" because people seem to be conflating the two and have widely divergent opinions. also I want the reader to keep in mind that PICS supports both (and therefore to criticize it on the ground of one alone is not wholly sensible).

I point out that market ratings exist and are everywhere around us. a credit rating is in fact a kind of "market rating" in the sense I am using the word-- rating of some "thing" or "person" by another entity.

>In fact, building such an
>infrastructure could make later imposition of "mandatory voluntary ratings"
>(Orwell would be unsurprised) a greater likelihood.

my fear too. hopefully, designers can try to oppose it in their writings ala the Bill of Rights.
but it is always the case that powerful technology capable of great good can be twisted into great evil by the evilminded. if the system is always championed as voluntary by definition, I can't see too many sinister scenarios taking place. the problem would be if people gradually lost this understanding over time. unfortunately there is ample precedent for that kind of thing again in our government, where the concept of "of, by, and for the people" seems to have become blurry, to say the least. From raph at cs.berkeley.edu Wed May 8 18:41:34 1996 From: raph at cs.berkeley.edu (Raph Levien) Date: Thu, 9 May 1996 09:41:34 +0800 Subject: Transitive trust and MLM Message-ID: <3190E8A7.6501A85@cs.berkeley.edu> I'm really glad to see this thread. I think this is a problem that is well worth thinking about. I think what is really called for is a model of when keys are likely to be bogus, and when signatures, etc., are likely to be correct. Before going into the math, I'll go through some examples. Any key that's "well connected" in the MIT keyring is likely to be good. Specifically, if it's signed by lots of people, and each of those people is reachable from my trust root, then I'm pretty much willing to believe the key is good. Unfortunately, there are a fair number of reasons why a key may be bad. A really _cool_ thing to do with a compromised machine would be to sign a big bunch of bogus keys. Given how easy it is to compromise a machine, this is a very real worry. I don't know if this attack has been realized yet, but it's best to assume it could be and will be. Another weakness is the "clueless user" who signs keys gotten from the Net, or otherwise not properly verified. I don't claim to know all of the vulnerabilities, but I do think it would be a good idea to quantify them before designing a key distribution system. Hal calls into question the value of signed keys. 
To me, this points to the pressing need for better manual verification of keys, by communicating secure hashes through the phone and on physical channels, including business cards. These channels are more secure than the Net, are more convenient for all but the most hardcore net.heads, and would actually work quite well, I think. But I do think it would be nice to have access to "probably good" keys for casual e-mail. With luck, a densely connected Web of manually obtained keys can serve as a good foundation for the latter. Now for the mathematical model. Signatures can bind keys to e-mail addresses, or act as assertions that the signed public key is trusted to transitively sign other keys. Let's assume that each signature has a certain probability p of being good, and a 1-p probability of being bogus, and that all probabilities are independent. These are probably bad assumptions in the real world, but that's the difference between theory and practice. Now we can actually evaluate the probability of a given key being good. Consider a Monte Carlo process in which each edge in the graph is present with probability 1-p. For each run, we determine whether the recipient's public key (actually the binding between public key and recipient's e-mail address) is reachable from our trust root. The probability over a large number of runs is (given our assumptions) the probability of the key being good. One encouraging consequence of this model is that densely connected subgraphs can result in highly trusted keys even if p itself is quite small. In a clique of size k, the trust is (very) roughly 1-(1-p)^k. For example, if p is a mere 50%, then in a clique of size 10, each key in the clique is trusted with a probability of 99.9%. This computation is (I think) known as the network reachability problem, and is probably quite hard to evaluate. 
In practice, you'd probably want to compute upper and lower bounds instead, Let's see if we can come up with a model that preserves this property of giving high trust values to densely connected keys, yet is also highly resistant to (some plausible model) of attacks against the Web of trust. Raph From blancw at microsoft.com Wed May 8 18:46:50 1996 From: blancw at microsoft.com (Blanc Weber) Date: Thu, 9 May 1996 09:46:50 +0800 Subject: self-ratings vs. market ratings Message-ID: >From: Vladimir Z. Nuri (in response to Tim May) > >hmmmmmmmm, I seem to recall earlier letters in which you advocated >a market-type rating system in which services could rate things, >in the way that stocks are now rated, doctors/lawyers >could be rated, etc.-- let a thousand ratings services bloom. >(or maybe we were talking about reputations. in my mind, they are >mostly interchangeable--hence my interest in "rating" systems). ..................................................................... In consideration of the difference between "ratings" and "reputation": I think of a rating as something which is attached to something "pre-knowledge", whereas a reputation is something which develops over time & based upon informed knowledge ("after-knowledge"). A rating is applied to something (a service or whatever) by only those few individuals who are acquainted with what they are rating. A reputation is accumulated by the impressions made upon larger numbers of individuals - a general population not necessarily employed to collect these impressions - but who have nevertheless sufficient exposure to and acquaintanceship with the person/service/etc. to make an informed conclusion about it. A rating can make a statement on what something "is" or is expected to be (eg, general in content vs explicitly sexual), where a reputation reflects on past behavior. .. 
Blanc From sandfort at crl.com Wed May 8 21:22:21 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Thu, 9 May 1996 12:22:21 +0800 Subject: HAVE YOU HAD YOUR (TAX) BREAK TODAY? Message-ID: <2.2.32.19960508195420.0071aa04@popmail.crl.com> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ C'punks, As of 1 May, there is yet another reason to do your offshore business in Liechtenstein. On that date the country's first McDonald's opened in the town of Treisen. Liechtenstein is the 95th country to have a McDonald's. It was not reported whether or not the Princely family was at the VIP party that marked the gala opening, or if mutual recognition would be exchanged with McDonaldland. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From iang at cs.berkeley.edu Wed May 8 21:47:59 1996 From: iang at cs.berkeley.edu (Ian Goldberg) Date: Thu, 9 May 1996 12:47:59 +0800 Subject: ecash payee anonymity, cpunk archives In-Reply-To: <199605072236.RAA02543@proust.suba.com> Message-ID: <4mr5ad$4ia@abraham.cs.berkeley.edu> -----BEGIN PGP SIGNED MESSAGE----- In article <199605072236.RAA02543 at proust.suba.com>, Alex Strasheim wrote: >A while back someone posted a note saying that an ecash protocol >garaunteeing payee as well as payer anonymity had been devised. > >Did that ever get posted here? The last message I saw said that it would >be posted soon. I don't recall if an "official" explanation of the protocol got posted here, but it's being discussed in another thread (search for "moneychangers"). 
- Ian -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMZEYg0ZRiTErSPb1AQFHSwP8D+sHW+SXTWrnOmHEdgzU9+qYBjaHktjz pdXIY6eQ+/vbnEdpLle04KYrJf1GA2l0Ind6CxiVwCX442bX4JLYvfoEEkieheJS NVkDPWfT5rfItrznB49DJ5EC//QjQg8+AhUKLpfRFO0wxIMnTPfVfVkLZBQ820E0 3O0A5PkcfEg= =AIhA -----END PGP SIGNATURE----- From gary at systemics.com Wed May 8 22:11:32 1996 From: gary at systemics.com (Gary Howland) Date: Thu, 9 May 1996 13:11:32 +0800 Subject: No Subject Message-ID: <199605082014.WAA06482@internal-mail.systemics.com> CRYPTOGRAPHIC EXTENSIONS FOR JAVA _________________________________________________________________ DESCRIPTION This library contains a suite of cryptographic classes for Java. All of the classes have been implemented in native code for performance reasons, and have been tested on Windows 95, Windows NT and Solaris. Download in source or binary form at http://www.systemics.com/software/ FEATURES All of the following have been implemented using native methods: * BigInteger class (based on code from Eric Young). This class implements arbitrary length integers and some associated mathematical functions. * DES class (based on code from Eric Young) * IDEA class * MD5 class (based on code from RSA Data Security, Inc.) * SHA class (based on code from NIST and Peter C. Gutmann) COPYRIGHT This library includes (or is derived from) software developed by (and owned by) the following: * Peter C. Gutmann * NIST * RSA Data Security, Inc. 
* Systemics Ltd * Eric Young Also planned for release: * Cryptographic library for Java * PGP library for Java * Cryptographic library for Perl * PGP library for Perl From m5 at vail.tivoli.com Wed May 8 22:20:49 1996 From: m5 at vail.tivoli.com (Mike McNally) Date: Thu, 9 May 1996 13:20:49 +0800 Subject: remailer@utopia.hacktic.nl down In-Reply-To: <199605082121.XAA24292@basement.replay.com> Message-ID: <319121CB.135D@vail.tivoli.com> Alex de Joode wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Due to recent events the Hacktic Foundation has decided to > discontinue its remailing operations, the remailer that is > operated by the Hacktic Foundation will cease to exist May > 20th. Co$, I'll wager. Just shows to go ya. ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * * suffering is optional From usura at basement.replay.com Wed May 8 22:42:31 1996 From: usura at basement.replay.com (Alex de Joode) Date: Thu, 9 May 1996 13:42:31 +0800 Subject: remailer@utopia.hacktic.nl down Message-ID: <199605082121.XAA24292@basement.replay.com> -----BEGIN PGP SIGNED MESSAGE----- Release date: Wednesdag, May 8, 1996 Amsterdam, The Netherlands General announcement, Due to recent events the Hacktic Foundation has decided to discontinue its remailing operations, the remailer that is operated by the Hacktic Foundation will cease to exist May 20th. Please update your reply blocks if you use the above mentioned remailer for your nym reply block. 
bEST Regards, -AJ- -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMZCdsVnfdBSNVpE9AQF85wQAuDfE3icuDCzA99biqd9qk6VK8zUEFvEp OgZvqfGD8OxG8ElnFMQk2VMHskUK8QxidO+zKPUZrJNd4eBSiFSNIK7BAox1xMQm hUGTzLEBBGc3Hxg4pYc3Y2A7PDhU7GJusCZmk89zPUI4ouN+CHYQnZ4PMggB1Hmo coambU0vmD4= =ZdIS -----END PGP SIGNATURE----- From alanh at infi.net Wed May 8 22:50:54 1996 From: alanh at infi.net (Alan Horowitz) Date: Thu, 9 May 1996 13:50:54 +0800 Subject: Mandatory Voluntary Self-Ratings In-Reply-To: Message-ID: The one I like is the FCC regulation which makes it mandatory for radio stations to preface their EBS test with the phrase, "This station, in VOLUNTARY compliance with...." From hoz at univel.telescan.com Wed May 8 23:10:50 1996 From: hoz at univel.telescan.com (rick hoselton) Date: Thu, 9 May 1996 14:10:50 +0800 Subject: self-ratings Message-ID: <199605082327.QAA26350@toad.com> Timothy C. May writes: >Should "voluntary self-criticism" become widespread, I expect to rate all >of my posts as suitable for children of all ages, suitable for >hypersensitive feminists, suitable for Jews and Gentiles alike, and so on. >Regardless of whether I'm advocating post-birth abortions or forced >encheferation of Muslim girls. Not me. If someone doesn't want to be offended, then I would rather they never read anything from me, ever. I share family, race, culture, and backround with my father, and there have been times when I offended him unintentionally. One person liked me enough to marry me, but I occasionally offended her, too. Imagine how easily I might offend a stranger. Better to take no chances at all. If somebody wants a rating system, then they should just consider everything I have to say as "X-rated" in EVERY category, just to be safe. And that's a policy that everyone on the net should follow. 
If this self rating system becomes mandatory, I think the cypherpunks should cooperate fully, by notifying ALL sites that are not self-X-rated if they can find ANYTHING that ANYONE might EVER find offensive. Better safe than sorry. Nobody will be prosecuted for saying they have an offensive site, even if they don't. Imagine a prosecutor trying to prove that NOBODY could POSSIBLY be offended by my newsgroup postings! But many people will be prosecuted for not identifying their sites as offensive. Now, if everyone follows my advice, the net may become very boring for those who have their filters set on, but congress will NEVER make "being boring" against the law. If mandatory-self-rating ever becomes the law, cypherpunks can definitely promote true justice by strictly interpreting it and supporting it completely. From unicorn at schloss.li Wed May 8 23:12:25 1996 From: unicorn at schloss.li (Black Unicorn) Date: Thu, 9 May 1996 14:12:25 +0800 Subject: Why I Pay Too Much in Taxes In-Reply-To: <199605080632.IAA24692@utopia.hacktic.nl> Message-ID: On Wed, 8 May 1996, Anonymous wrote: > Black Unicorn wrote: > >Where does the company get the funds to pay you? > > From Tim's day work. It's a consulting company, i.e. it sells his > services to whomever is employing him today. The whole idea > was to hide Tim's income sources, or that's what he asked for anyway. Uh, so the whole of this plan relies on. 1) The secrecy of the company. 2) The secrecy of every 'employee' in the country 3) Mr. May's ability to conceal his domestic spending. > You can hide your income by putting it in another jurisdiction. Do you understand how naive this sounds? Do you understand the extent to which you are over simplifying the situation? > >What pay? I don't get it. Where does this friend gets his money? > > As a cut from the money Tim's employer gives him. The plot thickens. Do you know that there is imposed on U.S. 
citizens (corporations included) a withholding tax for payments to foreign entities subject to U.S. taxation? In this case the people paying the offshore company for Mr. May's services are also subject to reporting requirements and a 30% withholding tax for which they will be held liable. This adds the requirement that the individuals or corporations receiving Mr. May's service be involved in this conspiracy. If they could have been, why do you need the offshore connection? Why not just conspire with them to pay Mr. May in cash and not report it? > >> By the way, are there any PGP encrypted mailing lists for > >> discussing serious tax fraud? > > > >If such a list existed, would we tell an anonymous poster/fed? > > >If your above scheme is intended merely to conceal funds it is a fairly > >poor example as it depends on the secrecy of each and every 'employee' of > >the company. > > No it doesn't. One person knows where they money went when it left the > country (and he is getting paid for the risk of doing time). Nobody knows > where the funds are concealed. Probably in a trust that you can access > when you are on vacation abroad. Puhlease. Continue your participation in such a plan. I will send you cigs. > Mr.X. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From stewarts at ix.netcom.com Wed May 8 23:45:51 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 9 May 1996 14:45:51 +0800 Subject: remailer-in-a-box Message-ID: <199605082339.QAA26674@toad.com> >At 3:51 PM 5/7/96, anonymous-remailer at shell.portal.com wrote: >>No one answered me. >>What's the best remailer-in-a-box. >>I'd like to run one. 
I would think people would be falling
>>over each other to tell me.

I was running a modified ghio2-based remailer until I shut it down because of spammers. You should be able to get the code off my web page, or send me email and I'll forward it.

# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus innoculation

From seth at hygnet.com Wed May 8 23:47:26 1996
From: seth at hygnet.com (Seth I. Rich)
Date: Thu, 9 May 1996 14:47:26 +0800
Subject: self-ratings vs. market ratings
In-Reply-To:
Message-ID: <199605082343.TAA11006@arkady.hygnet.com>

> In consideration of the difference between "ratings" and "reputation":
>
> I think of a rating as something which is attached to something
> "pre-knowledge", whereas a reputation is something which develops over
> time & based upon informed knowledge ("after-knowledge").

Perhaps a `rating' is discrete, applied to a specific instance (a web page, a graphic image, a film), while a `reputation' could crudely be compiled by summing one's ratings? (I know this is very flawed, but it could be a starting point for perspective.)

Seth
---------------------------------------------------------------------------
Seth I. Rich - seth at hygnet.com "Info-Puritan elitist crapola!!"
Systems Administrator / Webmaster, HYGNet (pbeilard at direct.ca)
Rabbits on walls, no problem.

From declan+ at CMU.EDU Wed May 8 23:58:30 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Thu, 9 May 1996 14:58:30 +0800
Subject: IP network #s in france
In-Reply-To: <199605082309.QAA15108@infinity.c2.org>
Message-ID:

Excerpts from internet.cypherpunks: 8-May-96 IP network #s in france by sameer at c2.org
> Anyone have a list of all the ip network #s in France? It
> would be most appreciated.

Yeah, check out the thread on fight-censorship (http://fight-censorship.dementia.org/top/) about how the French paramilitary police arrested two local ISP-businessmen 'cuz their news spools had alt.sex.pedophilia and whatnot.
I spoke with someone from the French embassy today about this. They say it was in the course of a child porn investigation. More to come later. -Declan From stewarts at ix.netcom.com Thu May 9 00:07:06 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 9 May 1996 15:07:06 +0800 Subject: MD5 weaknesses Message-ID: <199605090034.RAA27901@toad.com> Perry Metzger posted a note to coderpunks about >A paper by Hans Dobbertin dated May 2 in private circulation has found >an easy method for generating collisions (not pseudocollisions as was >done in previous work) in the MD5 compression function. I was told >that this was public information. And somebody provided a URL to http://www.cs.ucsd.edu/users/bsy/dobbertin.ps The coderpunks discussion has been titled Re: Favorate flavor of hash? for which I suppose there are alternative interpretations :-) # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 # goodtimes signature virus innoculation From sameer at c2.org Thu May 9 00:15:34 1996 From: sameer at c2.org (sameer at c2.org) Date: Thu, 9 May 1996 15:15:34 +0800 Subject: COMMUNITY CONNEXION ANNOUNCES UNCENSORED USENET ACCESS TO THE FRENCH INTERNET COMMUNITY Message-ID: <199605082348.QAA05536@atropos.c2.org> For Immediate Release - May 9, 1996 Contact: Sameer Parekh 510-601-9777x3 COMMUNITY CONNEXION ANNOUNCES UNCENSORED USENET ACCESS TO THE FRENCH INTERNET COMMUNITY Berkeley, CA - Community ConneXion, Inc., today announced that it will for a limited time offer free Usenet access to anyone in France. The announcement comes in the wake of the arrest of two managers for French Internet service providers. The two managers at WorldNet and FranceNet are being held responsible for the pornographic material distributed on the "alt.binaries" newsgroups. They face up to three years in jail. 
In response to these arrests, the Association of French Internet Professionals (AFPI) has called for a complete blackout of French newsgroups and many providers in France have cut off news service entirely. Community ConneXion, Inc., has announced free Usenet access to the French in response to the resulting blackout. "'The Internet views censorship as damage, and routes around it,'" said Community ConneXion President Sameer Parekh, quoting a famous saying on the net, "The Internet transcends national boundaries. This promotion makes that fact obvious." Community ConneXion offers full Internet access to its customers, with no content-based restrictions on materials its customers may read or make available on the Internet. During this limited time promotion, people connected to the Internet in France may access a full uncensored Usenet feed merely by pointing their newsreaders at news.c2.net. People in other countries may also get access to a full uncensored Usenet feed by purchasing service from Community ConneXion. Information on how to sign up for service with C2.NET is available at http://www.c2.net/. Community ConneXion, Inc. is the leading provider of privacy on the Internet. Dedicated to uncompromising security, they provide anonymous and pseudonymous Internet services, including secure web services. Information is available at their web site at http://www.c2.net/, or contact Sameer Parekh at 510-601-9777x3. From byrd at ACM.ORG Thu May 9 00:26:56 1996 From: byrd at ACM.ORG (Jim Byrd) Date: Thu, 9 May 1996 15:26:56 +0800 Subject: hacktic.nl is down!! Message-ID: <2.2.32.19960509002810.006bdb58@tiac.net> I just heard on IRC channel #scientology from Karen Spaink that hacktic.nl will be down as of 5/20 because of pressure from Scientology. I don't have any more details yet. From jimbell at pacifier.com Thu May 9 00:30:00 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 9 May 1996 15:30:00 +0800 Subject: Leahy bill dead? 
Message-ID: <199605082328.QAA06492@pacifier.com>

Maybe this seems a bit redundant, but is it generally agreed "out there" that the Leahy bill is dead? When originally proposed, the conventional wisdom around here was that the Clinton Maladministration was going to be dead-set against it. (Not a bad guess...) It was also claimed that it couldn't be changed to fix it. (although one of the nyms that claimed this hasn't been seen around here since then...)

Since then, most if not all of the people and groups who might otherwise have been in favor of it have, likewise, turned against it. And while the Burns bill isn't totally out of the woods, I assume "we" (the people on the right side of the crypto argument) can all agree that it is at least better than Leahy's booby-trap. So does that spell the end of the Leahy bill?

The reason I mention this is because it was my suspicion that, contrary to conventional wisdom, the "anti-crypto" faction designed the Leahy bill to be as anti-crypto as they felt they could pass, including just enough bait to get us to take the hook. Obviously, that tactic failed. However, if I'm right we'll see some life in the carcass yet.

Obviously, this is a highly longshot prediction. "Nobody" is supposed to be for the Leahy bill now. But I'm reminded of the last 20 minutes of the movie, "Terminator"...

Jim Bell
jimbell at pacifier.com

From sameer at c2.org Thu May 9 00:40:15 1996
From: sameer at c2.org (sameer)
Date: Thu, 9 May 1996 15:40:15 +0800
Subject: IP network #s in france
Message-ID: <199605082309.QAA15108@infinity.c2.org>

Anyone have a list of all the ip network #s in France? It would be most appreciated.

--
Sameer Parekh Voice: 510-601-9777x3
Community ConneXion, Inc.
FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From cme at acm.org Thu May 9 00:52:48 1996 From: cme at acm.org (Carl Ellison) Date: Thu, 9 May 1996 15:52:48 +0800 Subject: ENIGMA Message-ID: >From: danmec at inet.uni-c.dk >Date: Wed, 08 May 1996 13:05:24 +0200 >Subject: ENIGMA >To: cme at ACM.ORG > >X-Personal_name: Rag > >You may be interested in knowing that a 4 rotor U-boot ENIGMA is up for sale >at Sotheby's in London 30th May. > +--------------------------------------------------------------------------+ | Carl M. Ellison cme at acm.org http://www.clark.net/pub/cme | | PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2 | | "Officer, officer, arrest that man! He's whistling a dirty song." | +---------------------------------------------- Jean Ellison (aka Mother) -+ From root at edmweb.com Thu May 9 00:55:27 1996 From: root at edmweb.com (Steve Reid) Date: Thu, 9 May 1996 15:55:27 +0800 Subject: Transitive trust Message-ID: Submitted for your (dis)approval... -----BEGIN PGP SIGNED MESSAGE----- > And beliefs are in some sense what we are really talking about. There is no > simple scalar quantity called "trust" (at least not one I can imagine), but > different agents will have different beliefs about different things. One > set of beliefs about signatures on keys has a lot of similarities to the > "web of trust." In fact, imagine this "diminishing wavefront of belief" [butchered for brevity] > Can this be more mechanized? Can numbers be attached, and perhaps > propagated? (I mentioned "diminishing wavefront of belief," because > implicit in this viewpoint, inevitably (and rightly, I think), is the > notion that "distant relations" have low probabilities of belief, all other > things being equal. I think we need to make a distinction between belief in identity and trust in competence. 
Currently, signing a key *only* means that you believe that the person is who they say they are. It should also be possible to state that you believe a person is competent enough to use proper care when signing other keys. Obviously, you wouldn't competence-sign someone's key unless you've known them for quite some time. The "competence web-of-trust" would grow very slowly. This competence-web-of-trust would have to remain tightly-knit, as you wouldn't want to trust anyone more than a couple links down the chain. While the web-of-competence would grow slowly, this small group of people could identity-sign a lot of keys. I know this might sound a bit like a hierarchical structure of trusted people (which it *could* be) it's really more like a web, and anyone could create their own web-of-competence, and the webs could eventually be linked together. Creating a web-of-competence would take a long time, and a lot of effort. But, signing could actually become a paid service, which would give people incentive to gain trust (by being paranoid when it comes to key signing). The most widely trusted people could charge significant amounts of money for the time needed to verify a person's credentials. Of course, there aren't currently many people out there worth paying an arm and a leg to get them to sign your key, but I could see people paying $5-$500 to have their key identity-signed by someone like PRZ. Having a key competence-signed by someone like PRZ would obviously cost a lot more than identity-signing, since it would take a lot more time to gain that much trust. It would not be unlike paying for an education, and with identity-signings being worth $5-$500 or more, it could be a worthwhile investment. 
Having a key competence-signed by more than one person would increase the value of your key, and once there are a couple good signatures on your key, other people would be more willing to competence-sign it, because there would be less risk involved (risk to their reputation). There would probably have to be more than one level of competence signing. It should be possible to say "I trust this person to use care when identity-signing other keys", and it should also be possible to say "I trust this person to use care when competence-signing other keys". That second type of signature would be *very* valuable, and it would be necessary to have that and possibly even higher levels of trust in order to make the web-of-competence a reasonably large size. When you sign a key, you are placing your reputation on the line, so you must be certain that the level of trust you're placing is appropriate. But what happens when someone goes rogue and ignores credentials, and signs keys of anyone who is willing to pay the price? You would regret signing the rogue person's key. So, IT SHOULD BE POSSIBLE TO REVOKE TRUST, in order to protect your own reputation. PGP currently only allows a person to revoke their own key. Most people would revoke their key if it were stolen, to protect their own reputation. However, some people may be unwilling or unable to revoke their own key, and if you signed that key, your reputation may be affected. Clearly, it should be possible to remove your signature from someone's key. Revoking trust has its own little problem: Some people might accept cash and sign a key, then revoke the trust in the key, keeping the cash. Easily fixed: the people who have signed the con man's key could revoke the trust in that key, bringing an abrupt end to the con man's key-signing days. What it all comes down to is reputation. Protect your reputation, and you could make a living on your reputation alone. 
====================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP (2048/9F317269) Fingerprint: 11C89D1CD67287E6 8C09EC52443F8830 | | -- Disclaimer: JMHO, YMMV, IANAL. -- | ====================================================================:) From stewarts at ix.netcom.com Thu May 9 01:02:06 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 9 May 1996 16:02:06 +0800 Subject: California AB3320 Regulating Internet Sales - Speier Message-ID: <199605090019.RAA27557@toad.com> ftp://www.leginfo.ca.gov/pub/bill/asm/ab_3301-3350/ab_3320_bill_960502_amend ed_asm Jackie Speier's at it again! Now she's proposing AB3320, a bill to regulate sales of goods and services to protect consumers on the Internet. It's in its third revision, and much improved, but still obviously doesn't get it - the bill talks a lot about physical delivery of services or tangible goods (use or copying of information appears to fall through the rather wide cracks here) and providing written notices and toll-free telephone numbers, not quite realizing that an electronic mail address would do fine. The original bill was a proposal to require computer BBSs that charge for their services to register with the State at a cost of $50. It was marked up into a hybrid bill, and then into current form. 
I'm not sure what Assemblymember Speier is trying to accomplish, but she's clearly thrashing around trying to define it and do _something_ helpful to consumers. Those of you in her district may wish to get in touch with her and help her understand the Net and electronic commerce and international connectivity and such. Alternatively, if your Senator or Assemblymember is on the committee, you may want to talk to him/her. Here's the current bill status, according to leginfo. MEASURE : A.B. No. 3320 AUTHOR(S) : Speier. TOPIC : Telephone, mail order, and catalog sales: Internet. HOUSE LOCATION : ASM +LAST AMENDED DATE : 05/02/96 LAST HIST. ACT. DATE: 05/06/96 LAST HIST. ACTION : Re-referred to Com. on C.P.,G.E. & E.D. COMM. LOCATION : ASM CONSUMER PRO., GOVT. EFFICIENCY, ECON. DEVELOPMENT COMM. ACTION DATE : 05/07/96 COMM. ACTION : Do pass as amended. COMM. VOTE SUMMARY : Ayes: 09 Noes: 00 PASS 31 DAYS IN PRINT : 03/26/96 TITLE : An act to amend Section 17538 of the Business and Professions Code, relating to sales. ======= Here's a quote some of you privacy supporters may enjoy.... (The {- -} and {+ +} are some kind of addition/deletion markup.) =============== (d) Any {- person -} {+ vendor +} subject to this section who uses the Internet to conduct sales or leases of goods or services shall provide {- an -} {+ a conspicuous +} on-screen notice that discloses the procedures for resolving billing, sales, and service disputes, including the {- person's -} {+ vendor's +} return policy, {- and -} the address where the {- person -} {+ vendor +} may be contacted {+ , and a toll-free telephone number or other cost-free method to communicate the buyer's request for a full refund. 
Any vendor conducting business from an electronic e-mail or other electronic address shall disclose the legal name and address of that business in writing on any transaction form provided to the buyer +} From EALLENSMITH at ocelot.Rutgers.EDU Thu May 9 01:12:49 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Thu, 9 May 1996 16:12:49 +0800 Subject: Penet-style web remailer? Message-ID: <01I4H71YTSLW8Y5AFU@mbcl.rutgers.edu> As a result of scanning through the Nando Times' (http://www.nando.net/nt/) Infotech section, I came across a piece on email with the following address: http://noah.pair.com/anon.html. It appears to be sort of a penet-style anonymous remailer, only without return messages. Anyone know anything else about it? Of course, given the number of web interfaces to fully anonymous remailers, I wouldn't encourage anyone to use it. -Allen From erice at internic.net Thu May 9 01:15:26 1996 From: erice at internic.net (Eric Eden) Date: Thu, 9 May 1996 16:15:26 +0800 Subject: Senator Leahy's Public Key In-Reply-To: <9605081459.AA20668@bart-savagewood.MIT.EDU> Message-ID: <199605090116.VAA25790@ops.internic.net> > > This is exactly what the web of trust is about. The fact is that you > can't trust the Keyservers (they were never designed to be trusted); > you can't trust .plan files; you can't trust index.html files. > However you can trust signatures made by trusted keys. That is why > the web of trust works. > For example, I've met in person with a lot of people and we've signed > each others' keys. We've used various methods to "prove" identity. > Sometimes it's been a long time of personal interactions (close > friends). Sometimes it's been a number of certifying documents, IDs, > etc. Sometimes it's been a piece of knowledge that I know the other > has but no one else has. What if you needed to set up a key server for a mass base of customers... 
Obviously, authenticating them via e-mail would be difficult, verifying them in person would be harder. Would there be any reasonable way to verify hundreds or thousands of customers? Any manual method would be highly undesirable, right? Imagine the labor involved....but let's pretend that the labor is not the deciding factor. What would be the best way to verify the customers' keys if you couldn't visit each customer in person? For example, would a photocopy of a driver's license be enough? > The point is that once I'm attached to the web of trust I have a means > to verify other keys. I can set up a CA that way (MIT has one) -- > there is a keysigner that will use out-of-band means to verify the > identity of a user and then use that to sign a PGP key in that > person's name. This is a good idea. The obvious question is: Would using an "out-of-band means" be worth the time and trouble if you had to scale the project to a commercial level? Would it be a show stopper if the keys weren't verified? > As I said already, the keyservers are not bulletproof. In fact, they > were never designed to be trusted. They were designed to be an > untrusted key distribution system. The end-user is still supposed to > verify the signatures on the keys received from the keyserver. Last thought...if the end-user verifies the signature, is that enough protection? Eric From dlv at bwalk.dm.com Thu May 9 01:58:23 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Thu, 9 May 1996 16:58:23 +0800 Subject: Internet/Obscenity Legal Gathering in NYC Message-ID: I haven't seen this announcement reposted to this mailing list, and I think it's of sufficient interest to warrant reposting: Newsgroups: misc.legal,alt.censorship,misc.legal.moderated,talk.politics,alt.privacy From: ra at panix.com (Ron Abramson) Subject: Free program on net censorship in NYC Message-ID: Date: Mon, 6 May 1996 17:49:08 GMT Announcement: Free Program On Net Censorship in New York City, May 22 at 7:30 P.M. 
-------------------------------------------- THE FIRST AMENDMENT IN CYBERSPACE: Regulating the On-Line Dissemination of "Indecent Material" This program will address the issue of the First Amendment as applied to the Internet and On-line services. Special focus will be given to the new federal law which is intended to regulate the dissemination of "Indecent Material" via these mediums. The Association of the Bar of the City of New York 42 W 44TH Street, New York, New York (Bet. 5th and 6th Avenues) (212) 382-6600 Wednesday, May 22, 1996, 7:30 till 9 P.M. Moderator: CHARLES R. NESSON Weld Professor of Law, Harvard law School Panelists: ROBERT FLORES Senior Trial Attorney, Child Exploitation and Obscenity Section, U.S. Department of Justice MICHAEL GODWIN General Counsel, Electronic Frontier Foundation STEPHEN M. HEATON General Counsel, Compuserve, Inc. NORMAN REDLICH Wachtell, Lipton Rosen & Katz, former Dean, New York University School of Law BRUCE TAYLOR President and Chief Counsel, National Center for Children and Families Co-sponsored by: Committee on Computer Law, Joseph P. Zammit, Chair Committee on Lectures and Continuing Education, Normal L. Green, Chair Members of the Association, their guests and all other interested persons are invited to attend. No fees or reservations are required. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From rodger at interramp.com Thu May 9 02:00:28 1996 From: rodger at interramp.com (Will Rodger) Date: Thu, 9 May 1996 17:00:28 +0800 Subject: FBI, DoJ deny invesitgation of CompuServe Message-ID: -----BEGIN PGP SIGNED MESSAGE----- on 5-8, Joseph Reagle posted: > COLUMBUS, Ohio, May 8 (UPI) -- The FBI, acting on a complaint from a >Christian morals watchdog group, Wednesday sought to determine whether >CompuServe Inc. has violated a new law against indecency. 
> FBI agents said they were attempting to determine whether >CompuServe's Entertainment Drive, which contains some adult material, >violates the Communications Decency Act. The law prohibits offering >pornography to on-line users, especially minors. > Reuters, however, just moved a story saying the FBI and Dept. of Justice denied there was *any* investigation ongoing. The agencies were responding to the original story which ran in the Columbus Dispatch. Such denials are *extremely* rare; agencies almost always refuse to confirm or deny investigations. Those of you with access to AOL can check the story out in technology news. Will Rodger From EALLENSMITH at ocelot.Rutgers.EDU Thu May 9 02:00:53 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Thu, 9 May 1996 17:00:53 +0800 Subject: Remailer in a box Message-ID: <01I4H8DYPYFS8Y5AFU@mbcl.rutgers.edu> Questions. How much memory does the Mixmaster remailer take up? What accesses/permissions/etcetera on a machine do I need to have in order to have it running on an account? Has anyone set up one such that it will only remail from & to a set of addresses (e.g., other remailers)? I, for instance, wouldn't be willing to deal with the hassles involved with running a remailer that was either what the end user would see (thus getting potentially deluged with help questions) or the end mailer (thus getting potentially in problems if someone abuses the remailer)... but I (and others) might if it was set up just for chaining. 
(Yes, I know I'd need a UNIX account... I'm looking into that.) Speaking of UNIX, does anyone have any existing programs to automatically mail out at random intervals a looping or /dev/null directed message through the remailers, in order to increase security against traffic analysis? Thanks, -Allen From iang at cs.berkeley.edu Thu May 9 02:12:54 1996 From: iang at cs.berkeley.edu (Ian Goldberg) Date: Thu, 9 May 1996 17:12:54 +0800 Subject: "Architectural considerations for cryptanalytic hardware" paper on the web Message-ID: <199605090024.RAA00415@abraham.cs.berkeley.edu> -----BEGIN PGP SIGNED MESSAGE----- For anyone who was interested in Dave's and my hardware project (Architectural considerations for cryptanalytic hardware), it's done (thank goodness). You're free to check it out at http://www.cs.berkeley.edu/~iang/isaac/hardware/ in either HTML or PostScript. Thanks to cypherpunks Eric Hughes and Bruce Koball, and to Altera people Clive McCarthy and Stephen Smith. - Ian "...pray for an 'A' for us..." From dsmith at midwest.net Thu May 9 02:32:42 1996 From: dsmith at midwest.net (David E. Smith) Date: Thu, 9 May 1996 17:32:42 +0800 Subject: [off-topic] *.alias.net disappeared? Message-ID: <199605090041.TAA11044@cdale1.midwest.net> -----BEGIN PGP SIGNED MESSAGE----- I'm sorry for posting this to the list, but I've no other apparent way of getting in touch with these parties. The alias.alias.net and nym.alias.net servers have disappeared; in fact, nothing in *.alias.net is still in any DNS that I can find. Have these sites disappeared, or am I just in a very bad corner of the 'net? 
dave --- David Smith, Box 324, Cape Girardeau MO USA 63702 http://www.prairienet.org/~dsmith des at juno.com Reality is only for those lacking in true imagination From qut at netcom.com Thu May 9 02:46:36 1996 From: qut at netcom.com (Dave Harman) Date: Thu, 9 May 1996 17:46:36 +0800 Subject: remailer@utopia.hacktic.nl down In-Reply-To: <319121CB.135D@vail.tivoli.com> Message-ID: <199605090211.TAA22230@netcom4.netcom.com> > > Alex de Joode wrote: > > > > -----BEGIN PGP SIGNED MESSAGE----- > > > Due to recent events the Hacktic Foundation has decided to > > discontinue its remailing operations, the remailer that is > > operated by the Hacktic Foundation will cease to exist May > > 20th. > > Co$, I'll wager. Just shows to go ya. Perhaps Co$ was behind the recent spamming of alt.politics.white-power. Scientology is virulently anti-racist. From minow at apple.com Thu May 9 02:56:02 1996 From: minow at apple.com (Martin Minow) Date: Thu, 9 May 1996 17:56:02 +0800 Subject: DigiCash agreement with Deutsche Bank Message-ID: According to an article in a Swedish newspaper, Svenska Dagbladet (http://www.svd.se/svd/ettan/ettan.html), DigiCash has closed an agreement with Germany's largest bank, Deutsche Bank, that will permit commerce on the Internet using digital cash. The system will be tested first internally within Deutsche Bank to check the security of the system, followed by a limited rollout this autumn, with major distribution expected early next year. 
A customer of the bank can "click on the DigiCash icon and confirm the amount of German Marks required. The digital money is automatically downloaded to the customer's computer and stored on disk in various amounts." To purchase something from a homepage, the customer's computer sends "digital cash" to the seller. The seller confirms via the bank within two seconds that payment was made. Translated (quickly) and summarized by Martin Minow minow at apple.com From qut at netcom.com Thu May 9 03:14:26 1996 From: qut at netcom.com (Dave Harman) Date: Thu, 9 May 1996 18:14:26 +0800 Subject: hacktic.nl is down!! In-Reply-To: <2.2.32.19960509002810.006bdb58@tiac.net> Message-ID: <199605090206.TAA21691@netcom4.netcom.com> > > I just heard on IRC channel #scientology from Karen Spaink that hacktic.nl > will be down as of 5/20 because of pressure from Scientology. > > I don't have any more details yet. Also the spam from anti-racist assholes in alt.politics.white-power. From chad at CS.Berkeley.EDU Thu May 9 03:52:17 1996 From: chad at CS.Berkeley.EDU (Chad Owen Yoshikawa) Date: Thu, 9 May 1996 18:52:17 +0800 Subject: Java Hole: Web Graffiti & Covert Channels Message-ID: <199605090210.TAA00650@whenever.CS.Berkeley.EDU> -------------------------------------------------------- Web Graffiti & High Bandwidth Covert Channels Using Java -------------------------------------------------------- While developing a chat server using Java as a frontend, we've been exploiting what we think is a new Java security hole in Java-enabled browsers such as Netscape. The hole allows for opening sockets to arbitrary ports on web servers that serve Trojan-horse applets. We've also used a known security hole (covert channels) first mentioned in work by the SIP group at Princeton to create what we call 'Web Graffiti' - the dynamic insertion of text, graphics, applets, into HTML pages. Both of these attacks are three-party attacks and require Trojan- horse applets. 
For a draft of a paper that is work in progress, point your browser to: http://whenever.CS.Berkeley.EDU/graffiti/ Chad Yoshikawa Brent Chun chad at cs.berkeley.edu bnc at cs.berkeley.edu From watson at tds.com Thu May 9 03:52:36 1996 From: watson at tds.com (watson at tds.com) Date: Thu, 9 May 1996 18:52:36 +0800 Subject: Dempster-Shafer...(re: Transitive Message-ID: tcmay's approach is elegant, and it's refreshing to find a practical use for AI approaches. I think it needs one more step, though. If we learn to quantify our trust in a key, we still need to know what the threshold should be for a given application. Maybe I can get by with a 0.05 Bel for posting to cypherpunks, but maybe I want a 0.95 for a monetary transaction. Seems to need a comprehensive risk management approach, From tcmay at got.net Thu May 9 05:08:09 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 9 May 1996 20:08:09 +0800 Subject: Senator Leahy's Public Key Message-ID: At 1:16 AM 5/9/96, Eric Eden wrote: >What if you needed to set up a key server for a mass base of customers... >Obviously, authenticating them via e-mail would be difficult, verifying >them in person would be harder. Would there be any reasonable way to "Verifying them in person" would, in fact, be essentially impossible. Few sources of documentation mean much, in fact. Consider that I joined Intel in 1974 and was never once asked for any form of identification...I just showed up for work under my assumed name, Tim May, and no one was the wiser. Ask yourself this: Have you _ever_ really "verified" the identity of your girlfriend, your friends, your co-workers? (I mean this not to pose an existential riddle of no real significance, but to remind people how seldom we ever actually try to verify that people are "really" who they say they are.) ... >pretend that the labor is not the deciding factor. What would be the >best way to verify the customers keys if you couldn't visit each >customer in person? 
Representatives from my ISP, got.net, have attended some of my parties...and they _still_ don't know that I am _actually_ Irving J. Schlublutz, temporarily masquerading as "Tim May."\ >For example, would a photo copy of a drivers license be enough? For which purposes? DLs are notoriously easy to forge. I think $25 is the going price. (And DLs which would fool people like us are probably doable on any H-P color inkjet printer.) My point in all this being that "proofs of identity" aren't all they're cracked up to be. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From loki at infonex.com Thu May 9 05:09:50 1996 From: loki at infonex.com (Lance Cottrell) Date: Thu, 9 May 1996 20:09:50 +0800 Subject: [off-topic] *.alias.net disappeared? Message-ID: John Perry (perry at jpunix.com) was running the alias.net services. Because of work commitments, he was not able to continue to run alias.net -Lance At 6:53 PM 5/8/96, David E. Smith wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >I'm sorry for posting this to the list, but I've >no other apparent way of getting in touch with >these parties. > >The alias.alias.net and nym.alias.net servers >have disappeared; in fact, nothing in *.alias.net >is still in any DNS that I can find. > >Have these sites disappeared, or am I just in >a very bad corner of the 'net? 
> >dave > >--- David Smith, Box 324, Cape Girardeau MO USA 63702 >http://www.prairienet.org/~dsmith des at juno.com >Reality is only for those lacking in true imagination ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche ---------------------------------------------------------- From sameer at c2.org Thu May 9 05:34:01 1996 From: sameer at c2.org (sameer at c2.org) Date: Thu, 9 May 1996 20:34:01 +0800 Subject: [off-topic] *.alias.net disappeared? In-Reply-To: Message-ID: <199605090443.VAA09257@clotho.c2.org> alias.net is alive and well. It is being hosted at NS.C2.ORG. >From whois: Domain servers in listed order: NS.C2.ORG 140.174.185.10 ULTIMA.ORG 140.174.184.10 PANGAEA.ANG.ECAFE.ORG 194.129.42.2 NS2.INFONEX.NET 206.170.114.3 > John Perry (perry at jpunix.com) was running the alias.net services. Because > of work commitments, he was not able to continue to run alias.net > > -Lance > > At 6:53 PM 5/8/96, David E. Smith wrote: > >-----BEGIN PGP SIGNED MESSAGE----- > > > >I'm sorry for posting this to the list, but I've > >no other apparent way of getting in touch with > >these parties. 
> > > >The alias.alias.net and nym.alias.net servers > >have disappeared; in fact, nothing in *.alias.net > >is still in any DNS that I can find. > > > >Have these sites disappeared, or am I just in > >a very bad corner of the 'net? > > > >dave > > > >--- David Smith, Box 324, Cape Girardeau MO USA 63702 > >http://www.prairienet.org/~dsmith des at juno.com > >Reality is only for those lacking in true imagination > > ---------------------------------------------------------- > Lance Cottrell loki at obscura.com > PGP 2.6 key available by finger or server. > Mixmaster, the next generation remailer, is now available! > http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com > > "Love is a snowmobile racing across the tundra. Suddenly > it flips over, pinning you underneath. At night the ice > weasels come." > --Nietzsche > ---------------------------------------------------------- > > -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From loki at infonex.com Thu May 9 05:40:48 1996 From: loki at infonex.com (Lance Cottrell) Date: Thu, 9 May 1996 20:40:48 +0800 Subject: Transitive trust and MLM Message-ID: At 11:32 AM 5/8/96, Raph Levien wrote: > One encouraging consequence of this model is that densely connected >subgraphs can result in highly trusted keys even if p itself is quite >small. 
In a clique of size k, the trust is (very) roughly 1-(1-p)^k. For >example, if p is a mere 50%, then in a clique of size 10, each key in >the clique is trusted with a probability of 99.9%. > This computation is (I think) known as the network reachability >problem, and is probably quite hard to evaluate. In practice, you'd >probably want to compute upper and lower bounds instead, > > Let's see if we can come up with a model that preserves this property >of giving high trust values to densely connected keys, yet is also >highly resistant to (some plausible model) of attacks against the Web of >trust. > >Raph I like this. The most obvious attack on key signatures is to cross sign a huge number of bogus keys, is of no benefit. As the density of this bogus-clique increases, it comes closer and closer to acting as a single entity for trust calculations. Then your trust calculation for any key in the clique is simply your trust of the real key which signed all the bogus ones. It should be no time at all before most reputable key signers cut all links to that key. Another nice property of this calculation of probability is that it automatically drops off exponentially with the number of links (at least along any one chain). We need to think about how much we want multiplicity of paths to bolster our trust. Here is the scenario I want to avoid: Mallet creates a large number of keys: A, B, C[...]. C is a large set of keys. A is the Key Mallet uses publicly. It has a few signatures. B is the key Mallet uses to sign keys whose trust he wants to boost. In addition to signing B with A, Mallet also signs all the C[i] with A, and signs B with all the C[i]. This multiplicity of paths should not boost the trust in any key which is reached through this complex. In general it may be difficult to decipher which paths you want to follow in multiply (and cyclically) connected paths. 
I suppose one approach to this would be to pick various ways of calculating trust, and see if anyone can come up examples to attacks to exploit them. -Lance ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche ---------------------------------------------------------- From loki at infonex.com Thu May 9 06:13:41 1996 From: loki at infonex.com (Lance Cottrell) Date: Thu, 9 May 1996 21:13:41 +0800 Subject: Remailer in a box Message-ID: At 6:55 PM 5/8/96, E. ALLEN SMITH wrote: > Questions. How much memory does the Mixmaster remailer take up? My remailer (with source code and spooled messages) is 1.4M. >What >accesses/permissions/etcetera on a machine do I need to have in order to have >it running on an account? It will run out of any account. A procmail script could be used to direct the mail to Mixmaster (or the front end scripts). If you use the account for other things, you can have the procmail script only forward the Mixmaster messages. >Has anyone set up one such that it will only remail >from & to a set of addresses (e.g., other remailers)? I, for instance, wouldn't >be willing to deal with the hassles involved with running a remailer that was >either what the end user would see (thus getting potentially deluged with help >questions) or the end mailer (thus getting potentially in problems if someone >abuses the remailer)... but I (and others) might if it was set up just for >chaining. (Yes, I know I'd need a UNIX account... I'm looking into that.) This could be done with a trivial modification to the source and destination blocking lists (just change the sense of the checking). 
Cyberpass (www.cyberpass.net) offers UNIX accounts without dialin access for $7 per month. These are available anonymously, and can be paid for with ecash. > Speaking of UNIX, does anyone have any existing programs to >automatically mail out at random intervals a looping or /dev/null directed >message through the remailers, in order to increase security against traffic >analysis? > Thanks, > -Allen Yes, but I only give it to remailer operators. The "bramble" might get flooded otherwise. Operators see the repercussions of their actions. -Lance ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche ---------------------------------------------------------- From hrwatchnyc at igc.apc.org Thu May 9 06:28:25 1996 From: hrwatchnyc at igc.apc.org (hrwatchnyc at igc.apc.org) Date: Thu, 9 May 1996 21:28:25 +0800 Subject: Cyberspace--Silencing the Net Message-ID: <199605081501.IAA13984@igc2.igc.apc.org> EFFORTS TO CENSOR THE INTERNET EXPAND U.S. a Miserable Role Model with Passage of Communications Decency Act May 10, 1996 (New York) Governments around the world, claiming they want to protect children, thwart terrorists or silence racists and hate mongers, are rushing to eradicate freedom of expression on the Internet. "The U.S. Congress and the Clinton administration, reacting to recent hysteria over 'cyberporn,' led the way by passing the Communications Decency Act," says Karen Sorensen, Human Rights Watch on-line research associate. 
"It is particularly crucial now, in the early stages of vast technological change, that all governments reaffirm their commitment to respect the rights of citizens to communicate freely, and for the United States as the birthplace of the Internet, to be a model for free speech, not censorship," she adds. Human Rights Watch is a plaintiff in the lawsuit brought by the American Civil Liberties Union challenging the CDA on constitutional grounds. The hearings in the lawsuit, which was filed in U.S. Federal District Court on February 8 (the day it was signed into law) end today in Philadelphia, Pennsylvania. The judges are expected to rule shortly thereafter. In addition, Human Rights Watch is calling on the nations participating in the G7 Ministerial Conference on the Information Society and Development to be held in South Africa from May 13-15, 1996, to repudiate the international trend toward censorship and to express unequivocal support for free expression guarantees on-line. Among the G7 countries (Britain, Canada, France, Germany, Italy, Japan, and the United States), only the U.S. has actually passed legislation curtailing freedom of expression on-line. 
The trend toward restricting on-line communication is growing, according to Silencing the Net: The Threat to Freedom of Expression On-line, which documents restrictions that have been put in place in at least twenty countries, including the following: -- China, which requires users and Internet Service Providers (ISPs) to register with authorities; -- Vietnam and Saudi Arabia, which permit only a single, government-controlled gateway for Internet service; -- United States, which has enacted new Internet-specific legislation that imposes more restrictive regulations on electronic expression than those currently applied to printed expression; -- India, which charges exorbitant rates for international access through the state-owned phone company; -- Germany, which has cut off access to particular host computers or Internet sites; -- Singapore, which has chosen to regulate the Internet as if it were a broadcast medium, and requires political and religious content providers to register with the state; and -- New Zealand, which classifies computer disks as publications and has seized and restricted them accordingly. Human Rights Watch recommends principles for international and regional bodies and nations to follow when formulating public policy and laws affecting the Internet, sets forth the international legal principles governing on-line expression, and examines some of the current attempts around the globe to censor on-line communication. The 24-page report is available via e-mail at sorensk at hrw.org or from the Human Rights Gopher: URL: gopher://gopher.humanrights.org:5000/11/int/hrw/general Paper copies of Silencing the Net are available from the Publications Department, Human Rights Watch, 485 Fifth Avenue, New York, NY 10017-6104 for $3.60 (domestic), $4.50 (international). Visa/MasterCard accepted. 
Human Rights Watch Human Rights Watch is a nongovernmental organization established in 1978 to monitor and promote the observance of internationally recognized human rights in Africa, the Americas, Asia, the Middle East and among the signatories of the Helsinki accords. It is supported by contributions from private individuals and foundations worldwide. It accepts no government funds, directly or indirectly. The staff includes Kenneth Roth, executive director; Cynthia Brown, program director; Holly J. Burkhalter, advocacy director; Barbara Guglielmo, finance and administration director; Robert Kimzey, publications director; Jeri Laber, special advisor; Gara LaMarche, associate director; Lotte Leicht, Brussels office director; Juan Méndez, general counsel; Susan Osnos, communications director; Jemera Rone, counsel; and Joanna Weschler, United Nations representative. Robert L. Bernstein is the chair of the board and Adrian W. DeWind is vice chair. Human Rights Watch 485 Fifth Avenue New York, NY 10017-6104 TEL: 212/972-8400 FAX: 212/972-0905 E-mail: hrwnyc at hrw.org 1522 K Street, N.W. Washington D.C. 20005 TEL: 202/371-6592 FAX: 202/371-0124 E-mail: hrwdc at hrw.org From hugh at ecotone.toad.com Thu May 9 07:57:43 1996 From: hugh at ecotone.toad.com (Hugh Daniel) Date: Thu, 9 May 1996 22:57:43 +0800 Subject: MEETING: Cypherpunks May 11th San Francisco Bay Area Meeting Message-ID: <199605091007.DAA24110@ecotone.toad.com> The monthly meeting of any Cypherpunks in the San Francisco Bay area will happen this Saturday May 11th, 12:00 noon till about dinner time (say 18:00, 6pm). We are going to try meeting in back of the Tresidder Union at Stanford University in the court yard (by the elevator tower). Tresidder Union is a little (peninsula) west of the Stanford main Quad, there is a parking lot just p-west of the Union that you can park in on weekends. The best automotive access is from the west via Junipero Serra Blvd. 
(also called Foothill Expressway, Santa Cruz Ave & Alameda De Las Pulgas) into the 'back' of the Stanford Campus, look it up on a map folks. For some semi-useful maps try: http://www.stanford.edu/home/visitors/maps.html There is a chance we will get a room to meet in, in that case there will be a sign/person telling you where to go. If not there is a raised area in the court yard (under the tree) that will be the gathering area. In the case of rain (and no room) we will meet in the pub in the (peninsula) south west corner of the Union. If you have things you want to talk about at this meeting, or can help in some way please email me. ||ugh Daniel hugh at toad.com Vague Agenda: 12:00 Meeting intro, Hugh Daniel on Crypto GUI's and toolkits to build them. Discussion on Crypto GUI design. 12:30 Review of various Crypto GUI's (led by Hugh Daniel) Various Java applets CyberCash Wallet Various Graphic PGP Shells Skey Others? Please email examples of good or bad Crypto GUI's to demo at the meeting. I have a FreeBSD/Windross-95 laptop to demo them on (we could use a larger display than my laptop screen). 13:30 Norm Hardy on Keys(capabilities), what they are, how they can make things secure if done right, and what the functional difference might look like to an end user. 14:30 Break 15:00 Electronic Communities presentation on "E", an extension of Java to provide Keys(capabilities) in a commercial environment. 16:00 Marianne Mueller & John Gilmore report on the recent Java Security workshop. 17:00 Open for breaking issues, future meeting planning etc. 18:00 Break for dinner. At 20:00 there will be a PenSFA party ( PenSFA is the Peninsula Area Science Fiction Assn.) in San Carlos (12 miles up Alameda De Las Pulgas). Talk to me at the meeting for more info. For dinner I will suggest 'Thai City', about 2 kilometers south of Page Mill at 4329 El Camino Real. It is on the Peninsula East side of the road, white building with a purple stripe around it and some {}`s (really). 
+1 415 493 0643 From manus at manus.org Thu May 9 08:02:15 1996 From: manus at manus.org (DrG) Date: Thu, 9 May 1996 23:02:15 +0800 Subject: Internet/Obscenity Legal Gathering in NYC In-Reply-To: Message-ID: On Wed, 8 May 1996, Dr. Dimitri Vulis wrote: > I haven't seen this announcement reposted to this mailing list, and I think > it's of sufficient interest to warrant reposting: > > Newsgroups: misc.legal,alt.censorship,misc.legal.moderated,talk.politics,alt.privacy > From: ra at panix.com (Ron Abramson) > Subject: Free program on net censorship in NYC > Message-ID: > Date: Mon, 6 May 1996 17:49:08 GMT > > Announcement: Free Program On Net Censorship > in New York City, May 22 at 7:30 P.M. > -------------------------------------------- > > THE FIRST AMENDMENT IN CYBERSPACE: Regulating the On-Line > Dissemination of "Indecent Material" > > This program will address the issue of the First Amendment as > applied to the Internet and On-line services. Special focus > will be given to the new federal law which is intended to > regulate the dissemination of "Indecent Material" via these > mediums. > Now just WHY do these assholes waste everybody's time talking about something that everybody KNOWS is unconstitutional? These fucking lawyers just pull the stunts so they can go and have lunch in a tax-deductible manner, and meet the requirements for some CLE hours that is mandated by the State. This whole affair will be a sham as usual. > The Association of the Bar of the City of New York > 42 W 44TH Street, New York, New York (Bet. 5th and 6th Avenues) > (212) 382-6600 > This New York Bar has the WORST reputation of any local association that I know. Last year they discussed the legalization of crack and other hard drugs in a "drug-law revamping" seminar, and Mayor Giuliani almost SHIT! > Wednesday, May 22, 1996, 7:30 till 9 P.M. > > Moderator: > CHARLES R. 
NESSON > Weld Professor of Law, Harvard Law School > > Panelists: > ROBERT FLORES > Senior Trial Attorney, Child Exploitation and Obscenity > Section, U.S. Department of Justice > See, the "kid-porn" is the whole fucking issue here, and they are going to go trying to regulate text because of this concern. > MICHAEL GODWIN > General Counsel, Electronic Frontier Foundation > That guy is an asshole. The whole EFF is a joke! > STEPHEN M. HEATON > General Counsel, Compuserve, Inc. > Censorious bastard. > NORMAN REDLICH > Wachtell, Lipton Rosen & Katz, former Dean, > New York University School of Law > > BRUCE TAYLOR > President and Chief Counsel, National Center for > Children and Families > See, this porn issue is diluting everything. > Co-sponsored by: > Committee on Computer Law, Joseph P. Zammit, Chair > Committee on Lectures and Continuing Education, > Normal L. Green, Chair > Yes, to get "continuing legal education" credits for just BULLSHITTING about something these lawyers are all incompetent at. > Members of the Association, their guests and all other > interested persons are invited to attend. > > No fees or reservations are required. > > > --- > > Dr. Dimitri Vulis > Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps > Go to this meeting and ask these fucking dumb lawyers how the fuck they expect to enforce a law against US citizens that they cannot enforce against Canadian or Mexican citizens. The whole fucking concept of trying to regulate cyberspace by the laws of any one country is ABSURD! Then ask them if any of them know who tale or speedbump is. If they do not know that, they have no reason even talking about cyberspace. -DrG From CHusa at CRTINC.COM Thu May 9 09:27:52 1996 From: CHusa at CRTINC.COM (Husa, Carl (MSX)) Date: Fri, 10 May 1996 00:27:52 +0800 Subject: FW: Science Project Fair Message-ID: >---------- >From: Beverly. 
Ferguson[SMTP:103014.3727 at CompuServe.COM] >Sent: Wednesday, May 08, 1996 9:38 PM >To: KOMBUCHA DIGEST; PARACELSUS DIGEST >Subject: Science Project Fair > > >Originally Posted To: > >>Date: Fri, 3 May 1996 09:58:55 -0400 >>Sender: Methods of Teaching Mathematics >>From: Peggy R Shearin >>Subject: Science Fair Project > >>>Hi, our names are Stevie and Amanda. We are in the 5th grade at >>>the Phillipston Memorial school, Phillipston, Massachusetts, USA. >>>We are doing a science project on the Internet. We want to see >>>how many responses we can get back in two weeks. (We are only >>>sending out 2 letters). > >>>Please respond and then send this letter to anyone you >>>communicate with on the Internet. > >>>Respond to smc at tiac.net. >>>^^^^^^^^^^^^^^^^^^^^^^^ > >>>1. Where do you live (state and country)? > > >>>2. From whom did you get this letter? > > >>>Thank you, >>>Stevie and Amanda > >------------------------------ > > From camcc at abraxis.com Thu May 9 10:58:15 1996 From: camcc at abraxis.com (camcc at abraxis.com) Date: Fri, 10 May 1996 01:58:15 +0800 Subject: Penet-style web remailer? Message-ID: <2.2.32.19960509120014.0068d0b0@smtp1.abraxis.com> At 09:17 PM 5/8/96 EDT, you wrote: > http://noah.pair.com/anon.html. It appears to be >sort of a penet-style anonymous remailer, only without return messages. Anyone >know anything else about it? -----BEGIN PGP SIGNED MESSAGE----- I have tried noah.pair.com in several tests and for seemingly secure communications with good results. In addition I have carried on an e-mail conversation with him. Give him a try. 
Alec camcc at abraxis.com From betsys at cs.umb.edu Thu May 9 13:14:38 1996 From: betsys at cs.umb.edu (Elizabeth Schwartz) Date: Fri, 10 May 1996 04:14:38 +0800 Subject: "Bit Tax" proposed by satan@hell.gov In-Reply-To: Message-ID: <199605091326.AA05762@xt.cs.umb.edu> > >>The problem with a tax on data is that it would be *extremely* unfair. > > > >Chill out, it's not a real proposal. > It has no chance of flying because it would penalize people for downloading advertising onto their machines. All those nifty marketing graphics. Big business, little business, political campaign material; there's no chance at all. From perry at alpha.jpunix.com Thu May 9 14:36:56 1996 From: perry at alpha.jpunix.com (John A. Perry) Date: Fri, 10 May 1996 05:36:56 +0800 Subject: hacktic.nl is down!! In-Reply-To: <199605090206.TAA21691@netcom4.netcom.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Wed, 8 May 1996, Dave Harman wrote: > > I just heard on IRC channel #scientology from Karen Spaink that hacktic.nl > > will be down as of 5/20 because of pressure from Scientology. > > > > I don't have any more details yet. > > Also the spam from anti-racist assholes in alt.politics.white-power. I just spoke to Alex de Joode. Hacktic is in fact going down due to the Co$. I've been asked to remove the hacktic remailer from mixmaster's type2.list. John Perry - KG5RG - perry at alpha.jpunix.com - PGP-encrypted e-mail welcome! WWW - http://www.jpunix.com PGP 2.62 key for perry at jpunix.com is on the keyservers. 
From msmith at rebound.slc.unisys.com Thu May 9 16:25:19 1996 From: msmith at rebound.slc.unisys.com (Matt Smith) Date: Fri, 10 May 1996 07:25:19 +0800 Subject: Senator Leahy's Public Key In-Reply-To: <9605081459.AA20668@bart-savagewood.MIT.EDU> Message-ID: <199605091408.OAA17613@rebound.slc.unisys.com> -----BEGIN PGP SIGNED MESSAGE----- > > Actually, I've been thinking about this, and how do we *really* know that > > *anyone's* keys are actually theirs? I'm new to this list and have been > > collecting some of the keys from people who post with PGP signatures, but > > even at that, I never certify them myself because I am not 100% absolutely > > certain that the key in question belongs to that person. After all, what > > if some clever hacker dropped in and replaced someone's .plan file, or > > edited their index.html file? There's no real way to be absolutely > > certain. > > This is exactly what the web of trust is about. The fact is that you > can't trust the Keyservers (they were never designed to be trusted); > you can't trust .plan files; you can't trust index.html files. > However you can trust signatures made by trusted keys. That is why > the web of trust works. > > For example, I've met in person with a lot of people and we've signed > each others' keys. We've used various methods to "prove" identity. > Sometimes it's been a long time of personal interactions (close > friends). Sometimes it's been a number of certifying documents, IDs, > etc. Sometimes it's been a piece of knowledge that I know the other > has but no one else has. The problem is entering this "Web of trust". You have to know someone who is already in The Web in order to start signing your keys. I don't know anyone around here who uses PGP but me. 
That's why I've been getting keys off of this list. Gotta start somewhere, however, I feel that this is a very shaky way to start. > The point is that once I'm attached to the web of trust I have a means > to verify other keys. I can set up a CA that way (MIT has one) -- > there is a keysigner that will use out-of-band means to verify the > identity of a user and then use that to sign a PGP key in that > person's name. I agree that once the WOT is set up, everything should work hunky dory, but introducing yourself into this web isn't an easy thing. Since we know that the keyservers aren't bulletproof, how many keys do I grab from there in order to start my keyring? One? Ten? 500? Statistically speaking, how many of those have been compromised and can no longer be trusted? > You just need to look at it from a different angle. That's what I'm trying to do. Maybe I'm just looking at it all backwards or something, but it's something I've been thinking about since I've been collecting keys lately. > -derek - -- Matt Smith - msmith at unislc.slc.unisys.com "Nothing travels faster than light, with the possible exception of bad news, which follows its own rules." - Douglas Adams, "Mostly Harmless" Disclaimer: I came up with these ideas, so they're MINE! From lzirko at isdn.net Thu May 9 17:39:09 1996 From: lzirko at isdn.net (Lou Zirko) Date: Fri, 10 May 1996 08:39:09 +0800 Subject: Remailer fot NT Message-ID: <199605091429.JAA14103@rex.isdn.net> -----BEGIN PGP SIGNED MESSAGE----- Mime-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit To: cypherpunks at toad.com Date: Thu May 09 09:28:20 1996 Does anyone know of a remailer that runs under NT. 
If not, any source that might be ripe for a port. Lou Z. Lou Zirko (502)383-2175 Zystems lzirko at isdn.net "We're all bozos on this bus" - Nick Danger, Third Eye From tqdb at wichita.fn.net Thu May 9 17:56:26 1996 From: tqdb at wichita.fn.net (TQDB) Date: Fri, 10 May 1996 08:56:26 +0800 Subject: Looking for someone to speak on JAVA security issues (fwd) Message-ID: ---------- Forwarded message ---------- Date: Thu, 09 May 1996 03:25:29 -0700 From: The Dark Tangent To: dc-stuff at fc.net Subject: Looking for someone to speak on JAVA security issues If you or someone you know has seen a Java security expert who would speak at DEF CON, please have them contact me! -- Hey! All my mail is sniffed! Don't forget to PGP important stuff. PGP Key (2.3a & 2.6) on key servers or mail me. Voice (AT&T) 0-700-TANGENT DEF CON mailing list, mail: majordomo at fc.net with "subscribe dc-announce" in the body. DEF CON FTP: ftp.fc.net /pub/defcon http://www.defcon.org From 72124.3234 at compuserve.com Thu May 9 23:51:44 1996 From: 72124.3234 at compuserve.com (Kent Briggs) Date: Fri, 10 May 1996 14:51:44 +0800 Subject: hks newsgroup Message-ID: <960509153645_72124.3234_EHJ151-2@CompuServe.COM> hks.lists.cypherpunks has shown no new articles in the past three weeks. I've resubscribed to the mailing list but have seen no mention of the newsgroup's status. What happened to hks and is it ever coming back up? Kent From tcmay at got.net Fri May 10 00:19:57 1996 From: tcmay at got.net (Timothy C. 
May) Date: Fri, 10 May 1996 15:19:57 +0800 Subject: Dempster-Shafer...(re: Transitive Message-ID: At 5:18 AM 5/9/96, watson at tds.com wrote: >tcmay's approach is elegant, and it's refreshing to find a practical use >for AI approaches. I think it needs one more step, though. If we learn >to quantify our trust in a key, we still need to know what the threshold >should be for a given application. Maybe I can get by with a 0.05 Bel >for posting to cypherpunks, but maybe I want a 0.95 for a monetary >transaction. Seems to need a comprehensive risk management approach, [was the rest accidentally cut off?] Anyway, I agree that a more comprehensive system is needed. But even attaching belief estimates to keys, for example, goes a long way in letting others then do some transitive calculations. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From reagle at MIT.EDU Fri May 10 00:22:17 1996 From: reagle at MIT.EDU (Joseph M. Reagle Jr.) Date: Fri, 10 May 1996 15:22:17 +0800 Subject: Applicable Models for Trust Calculations (Re: Dempster-Shafer Theory and Belief Networks (Re: Transitive trust)) Message-ID: <9605091628.AA10495@rpcp.mit.edu> At 09:51 PM 5/7/96 -0700, Timothy C. May wrote: >In particular, one form of belief representation seems especially relevant: >Dempster-Shafer theory. Two quick things: (more in my forthcoming thesis) 1. It is very instructive to consider systems for considering trust and belief (and Dempster-Shafer is a rather nice one). 
However, these systems (my own decision analysis discussion to a degree, but less so with respect to information gathering) and Dempster-Shafer in particular require the events to be independent: "Further, Dempster-Shafer theory provides rules for combining probabilities and thus for propagating measures through the system. This fourth point is possibly the most attractive, but it is also one of the most controversial since the propagation method is an extension of the multiplication rule for independent events. Since many of the applications involve events that are surely dependent, that rule is, by classical statistical criteria, inapplicable. The tendency to assume that events are independent unless proven otherwise has stimulated a large proportion of the criticism of probability approaches; as it stands, Dempster-Shafer theory suffers the same ill" [Shapiro (ed.) Encyclopedia of Artificial Intelligence. /Reasoning, Default./ p 846.] The very term "Web of Trust" makes one pause with respect to independent events. 2. Just as a comment, it seems there are different meanings of "transitivity" in related but different disciplines, for instance in value and utility functions, one requires transitivity, but in a way different from what Hal discusses: "For any three possible sets of consequences, X1, X2, and X3, if X1 > X2 and X2 > X3 then the preference is transitive such that X1 > X3." [deNeufville, R. Applied Systems Analysis: Engineering Planning and Technology Management, 1990, p 313.] This refers to a single person's preferences (rather than 3 individuals in a "network.") _______________________ Regards, Men govern nothing with more difficulty than their tongues, and can moderate their desires more than their words. -Spinoza Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E From merriman at arn.net Fri May 10 01:23:21 1996 From: merriman at arn.net (David K. 
Merriman) Date: Fri, 10 May 1996 16:23:21 +0800 Subject: Mandatory Voluntary Self-Ratings Message-ID: <2.2.32.19960509025839.0068623c@arn.net> -----BEGIN PGP SIGNED MESSAGE----- At 11:17 AM 05/9/96 -0400, Joseph M. Reagle Jr. wrote: >> I've figured out where my differences between myself and others >lay. The _only_ system and service that I am aware of that is distributing >PICS labels is RSAC. (http://www.rsac.org) They are what one could call an >objective and non-arbitrary content rating system rather than an >"appropriateness" system. "Appropriateness" systems will be valuable 3rd >party systems when the vigilantes and fundamentalists wish to create label >bureaus. For self labeling, if many people (main stream people) are going to >use that system within their browser, it will have to have mind share. If >it's going to have mind share, I think it would be advantageous to it to be >a descriptive label rather than "appropriate." Hence, much of the concerns >I'm hearing aren't so worrisome to me. SurfWatch is offering self-rating via a web page at their site. It spits back the appropriate 'meta' tags to embed in an html document. Dave Merriman ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. 
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From bryce at digicash.com Fri May 10 01:24:10 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Fri, 10 May 1996 16:24:10 +0800 Subject: www.cdnow.com accepts ecash Message-ID: <199605091714.TAA06142@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- Cool. Get your fresh CD's via WWW and UPS. Pay with Mark Twain ecash. This is the first thing (excepting, of course, BAP, cyberbuck gambling, and pornography) that I actually want to buy with ecash. And I spend time crawling www.cdnow.com even when I don't want to spend money, just to read the words and look at the pictures. http://www.cdnow.com/ This has been a public service announcement. CDNow is not paying me. (Although, of course, they are welcome to send me some free CD's in return for my kind words...) Bryce Disclaimer: NO. I'm not speaking for anyone else. Not even the company mentioned in the From: line. PGP sig follows From rpowell at algorithmics.com Fri May 10 01:56:04 1996 From: rpowell at algorithmics.com (Robin Powell) Date: Fri, 10 May 1996 16:56:04 +0800 Subject: Why I Pay Too Much in Taxes In-Reply-To: Message-ID: <96May9.133344edt.20486@janus.algorithmics.com> >>>>> Black Unicorn writes: >> By the way, are there any PGP encrypted mailing lists for >> discussing serious tax fraud? > If such a list existed, would we tell an anonymous poster/fed? Well, if such a list does exist, I would like to know about it. 
-Robin From rpowell at algorithmics.com Fri May 10 04:01:53 1996 From: rpowell at algorithmics.com (Robin Powell) Date: Fri, 10 May 1996 19:01:53 +0800 Subject: remailer@utopia.hacktic.nl down In-Reply-To: <199605090211.TAA22230@netcom4.netcom.com> Message-ID: <96May9.135632edt.20486@janus.algorithmics.com> >>>>> qut at netcom.com (Dave Harman) writes: >> >> Alex de Joode wrote: >> > >> > -----BEGIN PGP SIGNED MESSAGE----- >> >> > Due to recent events the Hacktic Foundation has decided to >> > discontinue its remailing operations, the remailer that is >> > operated by the Hacktic Foundation will cease to exist May >> > 20th. >> >> Co$, I'll wager. Just shows to go ya. > Perhaps Co$ was behind the recent spamming of > alt.politics.white-power. Scientology is > virulently anti-racist. Interesting, given that Massah Elron (L. Ron Hubbard) was virulently racist. -Robin From vznuri at netcom.com Fri May 10 04:12:06 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Fri, 10 May 1996 19:12:06 +0800 Subject: self-ratings vs. market ratings In-Reply-To: Message-ID: <199605091813.LAA24532@netcom12.netcom.com> BW: >I think of a rating as something which is attached to something >"pre-knowledge", whereas a reputation is something which develops over >time & based upon informed knowledge ("after-knowledge"). you are free to assume any connotation you like. but in my view they are pretty much interchangeable. they are both "meta information"-- information about other things or information. a credit rating is in fact a "credit reputation"-- it is a built up credit history over time. maybe you would prefer the term "credit reputation"? >A rating is applied to something (a service or whatever) by only those >few individuals who are acquainted with what they are rating. 
> >A reputation is accumulated by the impressions made upon larger numbers >of individuals - a general population not necessarily employed to >collect these impressions - but who have nevertheless sufficient >exposure to and acquaintanceship with the person/service/etc. to make an >informed conclusion about it. > >A rating can make a statement on what something "is" or is expected to >be (eg, general in content vs explicitly sexual), where a reputation >reflects on past behavior. oh, ok, a reputation would refer to a person, and a rating might refer to a thing. a valid distinction, but not necessary for a system that is purely electronic. people and things could be rated interchangeably. but of course in the "people" case you are going to get a lot more political fire. issues like libel and defamation come up. it will be interesting to see how they are resolved. again, I suspect in the future the distinctions you refer to are going to blur. there will just be ratings of all kinds of things, including people. some ratings will be based on expert opinions, some will be based on a consensus of opinions measured somehow ("reputation"), some will be purely objective such as "score on last driving exam", etc. of course all kinds of nasty issues like privacy etc. rear their head. I don't claim to have an answer or clearcut guidelines for all this. From vznuri at netcom.com Fri May 10 04:34:31 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Fri, 10 May 1996 19:34:31 +0800 Subject: Mandatory Voluntary Self-Ratings In-Reply-To: <9605091517.AA09590@rpcp.mit.edu> Message-ID: <199605091846.LAA28295@netcom12.netcom.com> JR: > I've figured out where my differences between myself and others >lay. The _only_ system and service that I am aware of that is distributing >PICS labels is RSAC. (http://www.rsac.org) They are what one could call an >objective and non-arbitrary content rating system rather than an >"appropriateness" system. 

I don't like the use of the term "objective" here. (I object!!) this is the point that I brought up in an earlier post: some people seem to think that a label like "sex: moderate" is in fact an "objective" label. but it is a subjective judgement. perhaps a judgement like "child approved" is more subjective than "sex: moderate", but they are both value judgements.

"objective" is a pretty important term to apply to anything, including ratings. I'd like to see it reserved for systems that require no human judgement whatsoever, i.e. are automated. for example, I would say that an engine that creates ratings based on keywords found in a document would be "objective". but anything that involves a human decision cannot be called "objective" in my view.

the RSAC system seems somewhat reasonable to me. it appears to predate PICS somewhat and picked up on it once it was available. this from the web site you mention, in the press releases section:

> The RSACi rating system is a fully-automated, paperless system that
> relies on a quick, easy-to-use questionnaire that the Web master
> completes at RSAC's homepage for free. The questionnaire runs through
> a series of highly specific questions about the level, nature and
> intensity of the sex, nudity, violence, offensive language (vulgar or
> hate-motivated) found within the Web master's site.
>
> Once completed, the questionnaire is then submitted electronically to
> the RSAC Web Server, which tabulates the results and produces the html
> advisory tags that the Web master then places on their Web site/page.
>
> A standard Internet browser, or blocking device that has been
> configured to read the RSACi system can recognize these tags, enabling
> parents who use the browser to either allow or restrict their
> children's access to any single rating or combination of ratings.

now, it seems that the author might as well put the tags in his material himself instead of going through this submission process.
furthermore I again object that this be called an "objective" system. first, the author of the page has to properly answer the questionnaire. secondly, we are talking about the author himself, not an impartial third party. even if the rating party was not the author, I would hesitate to call it "objective". (unfortunately "objective" is a term applied to things like newspapers that have detectable slants. what I guess is that we have an objective-subjective continuum, and imho only purely computational, algorithmic processes are truly "objective").

also, above we have the claim it is "fully automated". what??? it sounded to me like the page designer has to submit a special form to this service and then go and grab the tags to manually put in his own page? this is "fully automated"???

I'm glad that RSAC is doing what they are doing, but the above system is not objective, and neither is it a "market rating" in the sense I described-- a third-party rating by someone other than the creator or author of the document.

also, JR, you say the system does not determine "appropriateness". but in my view it does indirectly. an author can "falsify" his submission to say that his page has no sex or violence. (who is to say he is wrong? the internet ratings police?) this will implicitly determine the "appropriateness" of his page for people who screen their browsers based on the keywords that were affected.

in general, I think all the examples I have seen so far show the superiority of a third-party market-rating system over self-ratings. self ratings can be corrupted and falsified by creators. third-party ratings are more useful imho because you have a third party with their own agenda, and you implicitly agree to their agenda. you don't know the agenda of the author of the document, but you do, roughly, of the rating service. (i.e.
they might be "Christian Coalition, Atheist Zealots", or whatever)

self-ratings have the problem that people are going to pressure page writers to include certain kinds of tags. third-party ratings have no such deficiency. in fact the system is invisible to the page creator, as it should be. (in my view ratings and the content should be made as independent from each other as possible in the sense that ratings are not tied up in the content itself)

if the above is any measure, RSAC press releases are awfully misleading based on their uses of terminology and I hope they get their act together in this regard. if there is a market-driven RSAC rating thing going on not described in the above article, I'd like to see it. but the above excerpt does not describe a market-driven system.

From steve at miranova.com Fri May 10 04:55:35 1996
From: steve at miranova.com (Steven L Baur)
Date: Fri, 10 May 1996 19:55:35 +0800
Subject: self-ratings
In-Reply-To: <199605082327.QAA26350@toad.com>
Message-ID:

>>>>> "rick" == rick hoselton writes:

rick> Now, if everyone follows my advice, the net may become very
rick> boring for those who have their filters set on, but congress
rick> will NEVER make "being boring" against the law.

You overestimate the collective intelligence of the U.S. Congress.

--
steve at miranova.com baur
Unsolicited commercial e-mail will be proofread for $250/hour.
Andrea Seastrand: For your vote on the Telecom bill, I will vote for anyone
except you in November.

From reagle at MIT.EDU Fri May 10 05:27:14 1996
From: reagle at MIT.EDU (Joseph M. Reagle Jr.)
Date: Fri, 10 May 1996 20:27:14 +0800
Subject: Mandatory Voluntary Self-Ratings
Message-ID: <9605092113.AA13795@rpcp.mit.edu>

> I see it as an author provided a value added service to his content
>same as anyone else.

In fact, 3rd party services may have problems with large and dynamic WEB sites (in which case they just might rate it high, and rate the whole directory.)
(I was thinking about this with regards to incorporating rating systems into WEB site management tools and apps...)

If MICS and signatures do become prevalent, an easy way I can defeat ratings I don't like (or to keep from others rating me) is to repeatedly change my content in some simple way, throwing off their MICS.

_______________________
Regards,
Men govern nothing with more difficulty than their tongues, and can moderate their desires more than their words. -Spinoza
Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html
reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 05:32:09 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Fri, 10 May 1996 20:32:09 +0800
Subject: Compu$erve, Netscape offering Lotus Notes competitor
Message-ID: <01I4IDJBJNH48Y5B50@mbcl.rutgers.edu>

There is no mention in either of these articles about what encryption protection will be used; it does appear that Netscape Navigator software will be used, which does have some protections (very little for the out-of-US stuff, of course). Jeff?
	-Allen

>Copyright 1996 Nando.net
>Copyright 1996 Bloomberg

>COLUMBUS, Ohio (May 9, 1996 12:41 p.m. EDT) -- CompuServe Corp. this fall
>will offer corporate customers Netscape Communications Corp. software used
>to share documents over computer networks.

>The move presents another challenge to International Business Machines
>Corp.'s Lotus Notes software, whose popularity has declined as companies opt
>for cheaper Internet software capable of many of the features Notes offers.

>Using Netscape's software, company employees and partners in distant offices
>can exchange and work on documents at the same time. Netscape also is
>developing audio and video technology that will let employees talk to each
>other.

[...]

>Columbus, Ohio-based CompuServe already offers Lotus Notes and decided to
>strike an agreement with Netscape because customers were asking for a
>similar, cheaper product.

[...]

>CompuServe will offer Netscape's server software, used to relay information,
>and Internet browsing software. Terms of the marketing and development
>agreement weren't disclosed.

>Netscape's software is based on technology it acquired with the purchase
>last year of Collabra Software Inc.

[...]

>Copyright 1996 Nando.net
>Copyright 1996 Reuter Information Service

>COLUMBUS, Ohio (May 9, 1996 12:47 p.m. EDT) - CompuServe Corp. and Netscape
>Communications Corp. said Thursday they will jointly create a managed
>intranet service that will allow a company's employees to communicate over
>in-house computer networks.

[...]

>Intranets refer to private corporate networks that are designed to make use
>of Internet software tools.

>Under the strategic partnership, the two firms will offer so-called
>groupware, a category of software that allows employees to share
>applications and electronic mail. They will manage such networks on behalf
>of corporate customers.

>Customers will have access to features such as electronic mail, online
>discussion groups and document-sharing that allow them to share and
>co-develop information in new ways.

>The service is slated to be available this fall, using Netscape's Navigator
>browser and server software.

From loki at obscura.com Fri May 10 05:52:45 1996
From: loki at obscura.com (Lance Cottrell)
Date: Fri, 10 May 1996 20:52:45 +0800
Subject: Remailer in a box
In-Reply-To: <01I4IDYWGXEQ8Y5B50@mbcl.rutgers.edu>
Message-ID:

On Thu, 9 May 1996, E. ALLEN SMITH wrote:

> From: IN%"loki at infonex.com" 9-MAY-1996 00:59:47.21
>
> >Cyberpass (www.cyberpass.net) offers UNIX accounts without dialin access
> >for $7 per month. These are available anonymously, and can be paid for with
> >ecash.
>
> After taking a look at www.cyberpass.net, I can see why you're
> encouraging people to use it - about like Sameer encouraging people to use
> c2.org.

Guilty

> Your work on remailers does give you some reputation capital, however.
> The signup form isn't very clear about anonymity, BTW - I suggest dividing it
> into optional and mandatory sections, and stating what will be the policy for
> a lack of the optional ones. What's the 17- vs 18 differentiation for?
> Thanks,
> -Allen
>

I am not pushing the anonymous accounts until my lawyer finishes the user agreement for them. It is a bit of a tricky document (Sameer, want a copy when it is done?). The whole site is days away from a complete redesign, so I am not putting much effort into the current interface. Thanks for the suggestions though.

The >= 18 condition is to cover my butt. Since minors can not be parties to contracts, I have no protection with them as clients. I am only a provider for adults, and they take full responsibility for any children allowed to use the connection. Fuck the CDA, but keep an eye on its claws.

	-Lance

-------------------------------------
Lance Cottrell    loki at infonex.com
President Infonex Internet Services
http://www.Infonex.com
-------------------------------------

From reagle at mit.edu Fri May 10 05:53:09 1996
From: reagle at mit.edu (Joseph M. Reagle Jr.)
Date: Fri, 10 May 1996 20:53:09 +0800
Subject: Mandatory Voluntary Self-Ratings
Message-ID: <9605091517.AA09590@rpcp.mit.edu>

>Date: Wed, 08 May 1996 19:34:50 -0400
>To: tcmay at got.net (Timothy C. May)
>From: "Joseph M. Reagle Jr."
>Subject: Re: Mandatory Voluntary Self-Ratings
>
>At 09:58 AM 5/8/96 -0700, you wrote:
>>At 9:31 PM 5/7/96, Joseph M. Reagle Jr. wrote:
>
>>Should "voluntary self-criticism" become widespread, I expect to rate all
>>of my posts as suitable for children of all ages, suitable for
>>hypersensitive feminists, suitable for Jews and Gentiles alike, and so on.
>>Regardless of whether I'm advocating post-birth abortions or forced
>>encheferation of Muslim girls.
>
> I've figured out where my differences between myself and others lay. The _only_ system and service that I am aware of that is distributing PICS labels is RSAC. (http://www.rsac.org) They are what one could call an objective and non-arbitrary content rating system rather than an "appropriateness" system. "Appropriateness" systems will be valuable 3rd party systems when the vigilantes and fundamentalists wish to create label bureaus. For self labeling, if many people (main stream people) are going to use that system within their browser, it will have to have mind share. If it's going to have mind share, I think it would be advantageous to it to be a descriptive label rather than "appropriate." Hence, much of the concerns I'm hearing aren't so worrisome to me.
>
> I'll have more on that when a case study I'm working on with some colleagues for a Sloan on ecommerce course at MIT is finished.. (in about a week, and I should then be making that and my thesis available.)
>
>>I say it's a waste of our time to even be thinking or worrying about how to
>>implement an infrastructure for ratings. In fact, building such an
>>infrastructure could make later imposition of "mandatory voluntary ratings"
>>(Orwell would be unsurprised) a greater likelihood.
>
> Maybe, maybe not, hard to say... This or the -L18, both are easy for an ignorant legislator to approve.
>
_______________________
Regards,
Men govern nothing with more difficulty than their tongues, and can moderate their desires more than their words.
-Spinoza
Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html
reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E

From unicorn at schloss.li Fri May 10 06:01:44 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Fri, 10 May 1996 21:01:44 +0800
Subject: Why I Pay Too Much in Taxes
In-Reply-To: <96May9.133344edt.20486@janus.algorithmics.com>
Message-ID:

On Thu, 9 May 1996, Robin Powell wrote:

> >>>>> Black Unicorn writes:
>
> >> By the way, are there any PGP encrypted mailing lists for
> >> discussing serious tax fraud?
>
> > If such a list existed, would we tell an anonymous poster/fed?
>
> Well, if such a list does exist, I would like to know about it.
>
> -Robin
>

Again, in the absence of any credentials or recommendation, I can't see how the moderators/originators/managers of such a list would disclose the details of its publication.

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From blancw at MICROSOFT.com Fri May 10 06:05:22 1996
From: blancw at MICROSOFT.com (Blanc Weber)
Date: Fri, 10 May 1996 21:05:22 +0800
Subject: self-ratings vs. market ratings
Message-ID:

>From: Vladimir Z. Nuri
>
>you are free to assume any connotation you like. but in my view
>they are pretty much interchangeable. they are both "meta
>information"-- information about other things or information.
...............................................................

The fact that I, like others, am "free to assume" any connotation means that there easily can exist confusion surrounding the definitions of these terms, and that this can then create controversy in discussions over what anyone means when they make references to them.
Those who intend to apply these concepts must determine what they think they are doing (rating content, or establishing someone's reputation?) and must communicate it to others clearly so as to be definitely understood, else risk further compounding of confusion.

The word & the concept of "reputation" has been in use for much longer than "rating". In the most recent applications of the term "rating", the idea has evolved to include such things as electronic web page content. It refers to a deliberate, conscious intent to establish a measure, an estimate, or evaluation, of something that an individual or group presents (information) or provides (service).

The rating is intentionally applied and is intended to be used for communicating to those who are seeking this specific kind of information, where a reputation evolves "on its own", so to speak, as a coincidence of being generally known. "Reputation" is more a passive reference to the past, where "rating" is actively in regard of a present condition (with future expectations).

[These are just comments I have on this subject; I myself don't pay much attention to ratings, as my own measures of things & people tend to be quite different from most, and therefore not very useful for my purposes. So that's all I have to say about it, "Vlad".]

..
Blanc
>

From cwe at it.kth.se Fri May 10 06:06:53 1996
From: cwe at it.kth.se (Christian Wettergren)
Date: Fri, 10 May 1996 21:06:53 +0800
Subject: Runtime info flow in Java
Message-ID: <199605091506.RAA29550@piraya.electrum.kth.se>

Hi!

I'm presenting my licentiate research proposal next week, and I thought that some of you might find it interesting. I'd like to find others that are working with similar projects, to have some people to discuss with.

The actual proposal is available at http://www.it.kth.se/~cwe/phd/licprop.ps

I've included an abstract below. Comments are most welcome.

Regards,
Christian Wettergren
KTH/Teleinformatics.

Licentiate Thesis Proposal Seminar
==================================

Title: "Runtime Information Flow Analysis and Security"
Candidate: Christian Wettergren
Time: Wednesday, 15th May, 15:00--16:00
Place: Room Telegrafen, Dept. of Teleinformatics, KTH, Electrum Bldg., lift B, 5th floor, Kistagangen 16, 16440 Kista, Sweden
Committee: Gerald Maguire, KTH/Teleinformatics
           Sead Muftic, SU/DSV
           Enn Tuygu, KTH/Teleinformatics

Abstract:

Today's computer security systems are fragile and brittle. I believe this statement to be consistent with practical experiences. One can for example observe the regularity of alerts from CERT. Many of the problems are caused by data-driven bugs in application programs. It is important to find a security paradigm that is more stable for the communicative and networked world of tomorrow.

I propose a new way of doing information flow analysis of programs. This information flow analysis is done in runtime, and will provide detailed information about influences of the process to the access control decision process. The information flow is based on sets of subjects instead of preallocated security classes, thus decoupling the flow analysis from the access control.

The runtime analysis is performed by special code that is run along with the original program. It shadows the computation and keeps track of the information flows within the program. A special compiler emits this shadow code. I will implement such a compiler for the Java language.

Issues about the compiler and the shadow code will be discussed in the thesis. The thesis will also investigate the behaviour of the shadow code for programs with different communication patterns.

For more information contact Christian Wettergren, +46 (0)8-751 14 91, cwe at it.kth.se. You can also retrieve the licentiate thesis proposal from http://www.it.kth.se/~cwe/phd/licprop.ps.

From reagle at MIT.EDU Fri May 10 06:13:31 1996
From: reagle at MIT.EDU (Joseph M. Reagle Jr.)
Date: Fri, 10 May 1996 21:13:31 +0800
Subject: Mandatory Voluntary Self-Ratings
Message-ID: <9605092107.AA13747@rpcp.mit.edu>

Couple quick things:

At 11:46 AM 5/9/96 -0700, you wrote:
>I don't like the use of the term "objective" here. (I object!!)

No, it isn't the best term, there is some bias which can be an issue with dealing with this at the international level, but I think there are solutions to that...

>a judgement like "child approved" is more subjective than "sex: moderate",
>but they are both value judgements.

It doesn't even say "sex: moderate", but "(s 3)", and then the parent can consult a chart that is a summary of the questions that directly ask about the content:

VIOLENCE
ALL (0)  HARMLESS CONFLICT; SOME DAMAGE TO OBJECTS
1        CREATURES INJURED OR KILLED; DAMAGE TO OBJECTS; FIGHTING
2        HUMANS INJURED OR KILLED WITH SMALL AMOUNT OF BLOOD
3        HUMANS INJURED OR KILLED, BLOOD AND GORE
4        HUMANS INJURED OR KILLED, BLOOD AND GORE WANTON AND GRATUITOUS VIOLENCE TORTURE; RAPE

So we can argue about "objective," but this is _at least_ very "non-arbitrary" and the process (if people are non-malicious) is deterministic.

>now, it seems that the author might as well put the tags in his material
>himself instead of going through this submission process.

This is a significant issue.

>also, above we have the claim it is "fully automated". what??? it
>sounded to me like the page designer has to submit a special form
>to this service and then go and grab the tags to manually put in his own
>page? this is "fully automated"???

Try it for your own page and see!

>also, JR, you say the system does not determine "appropriateness".
>but in my view it does indirectly. an author can "falsify" his submission
>to say that his page has no sex or violence. (who is to say he is
>wrong? the internet ratings police?) this will implicitly determine
>the "appropriateness" of his page for people who screen their
>browsers based on the keywords that were affected.

People who misuse the system can be fined. (By using the system one also has to "AGREE"). However, the status of this contract is up at grabs IMHO since they relied on trade mark to enforce their system (the pic on a box). Now, gifs and the like (banners) may still be of issue, but the real meat here is a system (s 3 l 2 v 0), there is no IP protection for this, and if there aren't signatures, this can be a serious problem.

>creator, as it should be. (in my view ratings and the content should
>be made as independent from each other as possible in the sense
>that ratings are not tied up in the content itself)

I see it as an author provided a value added service to his content same as anyone else.

_______________________
Regards,
Men govern nothing with more difficulty than their tongues, and can moderate their desires more than their words. -Spinoza
Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html
reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 06:14:59 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Fri, 10 May 1996 21:14:59 +0800
Subject: Remailer in a box
Message-ID: <01I4IDYWGXEQ8Y5B50@mbcl.rutgers.edu>

From: IN%"loki at infonex.com" 9-MAY-1996 00:59:47.21

>Cyberpass (www.cyberpass.net) offers UNIX accounts without dialin access
>for $7 per month. These are available anonymously, and can be paid for with
>ecash.

After taking a look at www.cyberpass.net, I can see why you're encouraging people to use it - about like Sameer encouraging people to use c2.org. Your work on remailers does give you some reputation capital, however. The signup form isn't very clear about anonymity, BTW - I suggest dividing it into optional and mandatory sections, and stating what will be the policy for a lack of the optional ones. What's the 17- vs 18 differentiation for?
	Thanks,
	-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 06:20:32 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Fri, 10 May 1996 21:20:32 +0800
Subject: Applicable Models for Trust Calculations (Re: Dempster-ShaferTheory and Belief Networks (Re: Transitive trust))
Message-ID: <01I4III0F1I08Y5BAX@mbcl.rutgers.edu>

From: IN%"reagle at MIT.EDU" "Joseph M. Reagle Jr." 9-MAY-1996 18:30:11.78

>The very term "Web of Trust" makes one pause with respect to independent
>events.

Quite. Keys signed by an individual who turns out to be untrustworthy may very well be keys of nyms of that individual; under many circumstances, all are trustworthy or none are trustworthy.
	-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 06:21:16 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Fri, 10 May 1996 21:21:16 +0800
Subject: Remailer in a box
Message-ID: <01I4IDOS8GT88Y5B50@mbcl.rutgers.edu>

From: IN%"loki at infonex.com" 9-MAY-1996 00:59:47.21

>This could be done with a trivial modification to the source and
>destination blocking lists (just change the sense of the checking).

In other words, just change them from blocking to allowance? How much technical knowledge does this take? I can see doing the incoming with procmail.

>Cyberpass (www.cyberpass.net) offers UNIX accounts without dialin access
>for $7 per month. These are available anonymously, and can be paid for with
>ecash.

Interesting. Having ones at other than c2.org is useful for backup purposes.

>Yes, but I only give it to remailer operators. The "bramble" might get
>flooded otherwise. Operators see the repercussions of their actions.

Does it use how busy the remailer is to determine the approximate frequency of the messages, or does it just keep on going with whatever you tell it?
	Thanks,
	-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 06:21:22 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E.
ALLEN SMITH)
Date: Fri, 10 May 1996 21:21:22 +0800
Subject: Cyberspace--Silencing the Net
Message-ID: <01I4IEFM2UW88Y5B50@mbcl.rutgers.edu>

Interesting that they're a very liberal organization with the guts - unlike, say, CPSR - to condemn German censorship of Neo-Nazis. Their information on that is incomplete, however; Declan and Rich may wish to contact them and give them the whole story.
	-Allen

From sameer at c2.org Fri May 10 06:26:23 1996
From: sameer at c2.org (sameer at c2.org)
Date: Fri, 10 May 1996 21:26:23 +0800
Subject: Remailer in a box
In-Reply-To:
Message-ID: <199605092243.PAA07816@atropos.c2.org>

> > Interesting. Having ones at other than c2.org is useful for backup
> > purposes.
> >

Also useful for chaining purposes.

--
Sameer Parekh                               Voice:   510-601-9777x3
Community ConneXion, Inc.                   FAX:     510-601-9734
The Internet Privacy Provider               Dialin:  510-658-6376
http://www.c2.net/ (or login as "guest")    sameer at c2.net

From loki at obscura.com Fri May 10 06:30:07 1996
From: loki at obscura.com (Lance Cottrell)
Date: Fri, 10 May 1996 21:30:07 +0800
Subject: Remailer in a box
In-Reply-To: <01I4IDOS8GT88Y5B50@mbcl.rutgers.edu>
Message-ID:

On Thu, 9 May 1996, E. ALLEN SMITH wrote:

> From: IN%"loki at infonex.com" 9-MAY-1996 00:59:47.21
>
> >This could be done with a trivial modification to the source and
> >destination blocking lists (just change the sense of the checking).
>
> In other words, just change them from blocking to allowance? How much
> technical knowledge does this take? I can see doing the incoming with procmail.

It is fairly simple. There are just two subroutines which check the two lists, and return a flag indicating whether to trash the message. Just change it only send if a match is found. It is just a simple strstr in a text file.

>
> >Cyberpass (www.cyberpass.net) offers UNIX accounts without dialin access
> >for $7 per month. These are available anonymously, and can be paid for with
> >ecash.
>
> Interesting.
Having ones at other than c2.org is useful for backup
> purposes.
>

Can't let Sameer be the ONLY privacy provider on the Internet ;)

> >Yes, but I only give it to remailer operators. The "bramble" might get
> >flooded otherwise. Operators see the repercussions of their actions.
>
> Does it use how busy the remailer is to determine the approximate
> frequency of the messages, or does it just keep on going with whatever you
> tell it?
> Thanks,
> -Allen
>

The pinger is completely autonomous. It just sends chained messages through random chains at random times. There are a handful of these running now. They make up a fair fraction of all Mixmaster remailer traffic (it is impossible to know exactly how much).

	-Lance

-------------------------------------
Lance Cottrell    loki at infonex.com
President Infonex Internet Services
http://www.Infonex.com
-------------------------------------

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 06:31:33 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Fri, 10 May 1996 21:31:33 +0800
Subject: Mandatory Voluntary Self-Ratings
Message-ID: <01I4II05OT188Y5BAX@mbcl.rutgers.edu>

From: IN%"tcmay at got.net" 8-MAY-1996 16:30:16.71

>Then we'll see what happens. (This is an old debate, here and on the
>Cyberia-l list, to wit, what happens when people/perverts/libertarians
>choose to subvert the voluntary ratings by deliberately mis-rating their
>stuff? Or what if they genuinely believe, a la NAMBLA, that youngsters
>should be exposed to certain things?)

I don't agree with NAMBLA, BTW, in case anyone is wondering...

>I say it's a waste of our time to even be thinking or worrying about how to
>implement an infrastructure for ratings. In fact, building such an
>infrastructure could make later imposition of "mandatory voluntary ratings"
>(Orwell would be unsurprised) a greater likelihood.

Quite. There's also the misuse of it by other countries to do filtration (Chinese firewall et al).
While this isn't an argument that having it is something that shouldn't be permitted, it's a consideration that those constructing some such system should keep in mind. I haven't seen any evidence that either RCIS (sp?) or SafeSurf have done so.
	-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 06:34:49 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Fri, 10 May 1996 21:34:49 +0800
Subject: Publicity on PICS
Message-ID: <01I4ID8CLHOK8Y5B50@mbcl.rutgers.edu>

The following may give an example of how companies and governments want PICS to be used, instead of how it should be used (market-based ratings not for censorship).
	-Allen

>Copyright 1996 Nando.net
>Copyright 1996 Reuter Information Service

>PARIS (May 9, 1996 12:41 p.m. EDT) -- A consortium of leading computer firms
>launched a global rating system Thursday enabling parents to shield their
>children from sexually explicit and violent material on the Internet.

>The firms also hope the system will protect them from angry governments who
>blame the largely unpoliced international computer network for bringing
>pornographic material across their electronic borders.

>"We do believe it will provide legal protection in a situation where adult
>material is being distributed to minors," said Andrew Gray, European general
>manager of CompuServe. "It will very much strengthen our position in these
>kind of situations."

>The system, an industry standard known as PICS -- for Platform for Internet
>Content Selection -- has been in the works for nearly a year, and will take
>several more months to become a useful tool for parents and educators, its
>primary targets.

>Under the system, 39 internet-related firms including giants America Online,
>CompuServe, Microsoft, Prodigy and Netscape Communications will soon give
>their customers software enabling them to block access to material they
>judge objectionable on the Internet's Worldwide Web.

>The software will enable parents and teachers to filter out pages according
>to their own choice of level of violence, sex, nudity and language.

>At the same time, providers will be urged to rate their pages by filling out
>an electronic questionnaire resulting in a "grade" for each site, on a scale
>ranging from zero, the most innocuous, to four for each category.

What was I saying about pressure to rate?

>The system depends for its ratings on voluntary compliance by Internet
>providers. However parents will also have the option of simply blocking out
>all unrated pages, simply by checking an electronic box on their computer
>screens.

This is, of course, assuming that "Internet content providers" won't simply rate their pages as suitable for all ages.

[...]

>But there is no way to use the system to seek out pornography or violence on
>the web, officials insisted.

Yeah, right.

>"To content-providers, I would say, 'Rate your sites' To parents I would
>say, 'Set the levels for your children.' And to governments, I would say
>humbly, 'Think again before censoring the net,"' Stephen Balkam, executive
>director of the Recreational Software Advisory Council, told a news
>conference.

Note again the pressure for self-rating.

>"CompuServe supports selection and not censorship, empowerment and not
>restriction," Gray said, announcing that his firm would begin distributing
>the necessary software to customers in July.

>Netscape, whose Netscape Navigator Internet-browsing software is the most
>widely used in the world, will begin offering a new version incorporating
>the ratings capability by the end of the year, Technology Director Martin
>Haeberli said.

>"Parents and educators must have some way, some tool, to enable them to
>moderate what is available," Haeberli said.

Only if you approve of parental censorship.
>Internet firms around the globe have been under the gun from governments to
>better police their offerings that offend local sensibilities, which vary
>considerably from country to country.
>A strength of PICS is that "it allows as many countries as would like to set
>up a rating system," said Jim Miller, a research scientist who helped
>develop the system. Adhering to the system would still be up to individual
>households, however.

Whatever became of market-ratings? Admittedly, they may mean that each country will be encouraged to give an example system... but I still don't like the idea of government involvement.

[...]

From adam at lighthouse.homeport.org Fri May 10 06:43:10 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Fri, 10 May 1996 21:43:10 +0800
Subject: remailer-in-a-box
In-Reply-To:
Message-ID: <199605100044.TAA17401@homeport.org>

Jay Haines wrote:
| Does one exist for the MAC? If not, would anyone be interested enough to see
| one developed?

One doesn't exist; I think it would be great to see one. I'd offer to be a beta site.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From Clay.Olbon at dynetics.com Fri May 10 07:24:44 1996
From: Clay.Olbon at dynetics.com (Clay Olbon II)
Date: Fri, 10 May 1996 22:24:44 +0800
Subject: FW: Science Project Fair
Message-ID:

Deja vu all over again. This was forwarded to me by someone within my company a while back. I may be cynical, but the chances of this being a hoax are just too high - it is simply too easy to send out a message like this to get an email address mailbombed. I recommend against replying to this.

Clay

At 7:20 AM 5/9/96, Husa, Carl (MSX) wrote:
>>----------
>>From: Beverly.
Ferguson[SMTP:103014.3727 at CompuServe.COM]
>>Sent: Wednesday, May 08, 1996 9:38 PM
>>To: KOMBUCHA DIGEST; PARACELSUS DIGEST
>>Subject: Science Project Fair
>>
>>
>>Originally Posted To:
>>
>>>Date: Fri, 3 May 1996 09:58:55 -0400
>>>Sender: Methods of Teaching Mathematics
>>>From: Peggy R Shearin
>>>Subject: Science Fair Project
>>
>>>>Hi, our names are Stevie and Amanda. We are in the 5th grade at
>>>>the Phillipston Memorial school, Phillipston, Massachusetts, USA.
>>>>We are doing a science project on the Internet. We want to see
>>>>how many responses we can get back in two weeks. (We are only
>>>>sending out 2 letters).
>>
>>>>Please respond and then send this letter to anyone you
>>>>communicate with on the Internet.
>>
>>>>Respond to smc at tiac.net.
>>>>^^^^^^^^^^^^^^^^^^^^^^^
>>
>>>>1. Where do you live (state and country)?
>>
>>
>>>>2. From whom did you get this letter?
>>
>>
>>>>Thank you,
>>>>Stevie and Amanda
>>
>>------------------------------
>>
>>

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 07:33:45 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Fri, 10 May 1996 22:33:45 +0800
Subject: Transitive trust and MLM
Message-ID: <01I4IHRSE6Q88Y5BAX@mbcl.rutgers.edu>

From: IN%"llurch at networking.stanford.edu" "Rich Graves" 8-MAY-1996 04:33:21.44

>The fact that you're sending postcards is only a problem if you don't want
>them to be read. It's more the email I receive that I worry about, so all
>my friends use the address rich at alpha.c2.org now.

How would this help? Whoever's wanting to monitor you will just monitor rich at alpha.c2.org's incoming mail.
-Allen

From reagle at MIT.EDU Fri May 10 07:41:10 1996
From: reagle at MIT.EDU (Joseph M. Reagle Jr.)
Date: Fri, 10 May 1996 22:41:10 +0800
Subject: Mandatory Voluntary Self-Ratings
Message-ID: <9605100005.AA15315@rpcp.mit.edu>

At 06:46 PM 5/9/96 EDT, you wrote:
> While that they aren't going for "this isn't appropriate" is to their
>credit, they do have a lot of problems with the nonsensical nature of some
>of their ratings; take a look at the definitions, for instance. (It's also
>obvious that they simply copied them from their ratings of video games. A lot
>of their HTML references for the definitions are messed up, incidentally.)

I would agree the questions seem too video game orientated, and I don't like some of the questions either. However, it is a fair effort, and I don't think if something is questionable (for instance, someone errs by labeling someone that is 18 years old as a teenager) the whole system falls to pieces. Or some crucial piece of information on my home page, that some child might have seen, but won't be seen because I labeled a character in one of my stories as a teenager even if he/she was a teenager.

I'm sure this is something that could go on for a very long time in some cypherpunk thread (something I'm not interested in arguing about), but there is no such thing as a perfectly objective or unbiased system. For instance, I don't like the distinctions other systems make for homosexuality, but I also understand some parents may wish to screen on it...

_______________________
Regards,
Men govern nothing with more difficulty than their tongues, and can moderate their desires more than their words. -Spinoza
Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html
reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 07:44:32 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E.
ALLEN SMITH)
Date: Fri, 10 May 1996 22:44:32 +0800
Subject: Transitive trust and MLM
Message-ID: <01I4IICIVOMA8Y5BAX@mbcl.rutgers.edu>

From: IN%"raph at cs.berkeley.edu" "Raph Levien" 8-MAY-1996 23:28:14.30

> Now we can actually evaluate the probability of a given key being
>good. Consider a Monte Carlo process in which each edge in the graph is
>present with probability 1-p. For each run, we determine whether the
>recipient's public key (actually the binding between public key and
>recipient's e-mail address) is reachable from our trust root. The
>probability over a large number of runs is (given our assumptions) the
>probability of the key being good.

> One encouraging consequence of this model is that densely connected
>subgraphs can result in highly trusted keys even if p itself is quite
>small. In a clique of size k, the trust is (very) roughly 1-(1-p)^k. For
>example, if p is a mere 50%, then in a clique of size 10, each key in
>the clique is trusted with a probability of 99.9%.

Hmm.... I've got the problem with this that the measure you're using is really good for creating an _upper bound_ for how trustworthy a given key is - not for how trustworthy it actually is. In other words, a key that has your, Lance Cottrell (sp?), Black Unicorn's, and TCMay's signatures on it is pretty reliably determined (at least to me) as being that of whom they say it is - but that isn't equivalent to how good the person is at determining other key linkages. It's an upper bound on how good the person is - if you don't trust a key as not having been compromised (due to a lack of key signatures), you aren't going to rate it highly as an introducer.

The interesting question is what relation to this upper bound (and to other characteristics of the web, such as the degree of mutual signatures in a chain) the actual introducer trustworthiness has.
-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 07:48:43 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E.
ALLEN SMITH)
Date: Fri, 10 May 1996 22:48:43 +0800
Subject: Mandatory Voluntary Self-Ratings
Message-ID: <01I4IG2VJRNI8Y5B50@mbcl.rutgers.edu>

From: IN%"reagle at MIT.EDU" "Joseph M. Reagle Jr." 9-MAY-1996 15:07:09.24

> I've figured out where my differences between myself and others
>lay. The _only_ system and service that I am aware of that is distributing
>PICS labels is RSAC. (http://www.rsac.org) They are what one could call an
>objective and non-arbitrary content rating system rather than an
>"appropriateness" system. "Appropriateness" systems will be valuable 3rd
>party systems when the vigilantes and fundamentalists wish to create label
>bureaus. For self labeling, if many people (main stream people) are going to
>use that system within their browser, it will have to have mind share. If
>it's going to have mind share, I think it would be advantageous to it to be
>a descriptive label rather than "appropriate." Hence, much of the concerns
>I'm hearing aren't so worrisome to me.

While that they aren't going for "this isn't appropriate" is to their credit, they do have a lot of problems with the nonsensical nature of some of their ratings; take a look at the definitions, for instance. (It's also obvious that they simply copied them from their ratings of video games. A lot of their HTML references for the definitions are messed up, incidentally.)

A. In regards to aggressive violence, they appear to rate self-defense as aggressive violence.

B. They do _not_ rate depictions of violent games such as football and rugby as aggressive violence.

C. They define any sex between someone under 18 and someone above 18 as a "sex crime" - despite that the age for statutory rape varies considerably, and is usually _below_ 18. They're thus defining it in the same category as rape.

D. They define bestiality, even if consensual, as a "sex crime." Again, they're thus defining it in the same category as rape.

E. They define "Any portrayal (words, speech, pictures, etc.)
which strongly denigrates, defames, or otherwise devalues on the basis of race, ethnicity, religion, nationality, gender, sexual orientation, or disability" as "hate speech." This has to be the most PC definition I've seen in a while. If I mention that someone is a Scientologist, and that their opinions are likely to be unjustified because of this, then I've committed "hate speech" under this definition. If I say that someone who is less intelligent - a disability - is of lesser value in the long run, I've committed "hate speech" under this definition. In other words, they're encouraging parents and others to block out speech that isn't PC. I will give them credit for mentioning "honkey" as an epithet; most PC types seem to cheer on non-white racists like the Nation of Islam. (There, I just committed hate speech against the Nation of Islam - I attempted to bring down their reputation.)

F. They also define any "hate speech" that "advocates violence or harm" as "Extreme Hate Speech" - which gets the highest rating. Somehow, I doubt that they're going to want to rate pro-Affirmative-Action speech - advocating harm to those not in the protected groups - as "Extreme Hate Speech."

In other words, while they've got some good ideas (as you point out, unlike the SafeSurf system they don't attempt to have a category for "overall appropriate range"), they've got a lot more messed-up ones. I don't think I'll be rating any of my content with them anytime soon, thank you very much. They'd misclassify it as "hate speech" or "extreme hate speech" or some such nonsense.
-Allen

From ncognito at gate.net Fri May 10 08:35:20 1996
From: ncognito at gate.net (Ben Holiday)
Date: Fri, 10 May 1996 23:35:20 +0800
Subject: remailer-in-a-box
In-Reply-To:
Message-ID:

> At 3:51 PM 5/7/96, anonymous-remailer at shell.portal.com wrote:
> >No one answered me.
> >What's the best remailer-in-a-box.
> >I'd like to run one. I would think people would be falling
> >over each other to tell me.
>
> The reason for the quiet may be twofold. First, I and many others delete
> unread list messages without subjects.

Aye..

>Second, remailer-in-a-box does not
> really exist. Mixmaster, and most of the other remailers are fairly easy to
> set up for anyone with UNIX experience. I run Mixmaster + Ghio + reorder
> scripts.

I wrote a one part shell script which will run on most unix systems. It will install a working type-1 ghio remailer on most shell accounts in about 20 seconds. It won't do reordering or Mix but it's effortless.

Below is the readme and the shell script.. if you just want a remailer and you want it NOW, export this message, cut this text and the text of the readme file out, and then follow the directions below.

Yippy.

--Ben

__________________________________
README.build-remailer
__________________________________

This is the 10 second remailer package. The idea is from Sameer, and the C source is from Matt Ghio. This script will install a bare-bones cypherpunk style remailer on your shell account.

Making it work is simple:

1) Type: chmod 700 build-remailer

2) Type: build-remailer

3) Enter the email address of the remailer. This is optional. You may use any address you like, or you may enter none at all. If you don't enter an email address here the address "nobody at foo.com" will appear in all outbound mail from the mailer, and also in the mailers help files.

4) If no errors are generated, then you're all set. Send some mail to yourself to test that it is working. Refer to the remailers help file for details.

___________________________
build-remailer
---------------------------

----CUT HERE----CUT HERE----CUT HERE----CUT HERE----CUT HERE----
echo "Warning: This will DESTROY your existing .forward file."
echo "Type CTRL-C Now To Abort. I'll wait 10 Seconds For You."
sleep 10s
echo "Ok, here we go."
echo -e "\n"
echo "Getting Variables:"
xspool=$MAIL
echo "Found Mailspool as: $xspool"
xsendmail=`which sendmail`
echo "Found Sendmail as: $xsendmail"
xls=`which ls`
echo "Found ls as: $xls"
xdir=$HOME/.mailx
echo "Installing in: $xdir"
mkdir $xdir
echo "Enter the email address of the mailer now."
echo "You can leave this blank if you want."
read xaddr
if [ `echo $xaddr | wc -w` -eq 0 ]
then
  xaddr="nobody@nowhere.com"
fi
cd $xdir
> remailer.c
echo "Building C Source."
echo "
#define DIR \"$xdir\"
#define ANONFROM \"From: $xaddr (Anonymous)\\n\"
#define REMAILERFROM \"From: $xaddr (Remailer)\\n\"
#define REMAILERADDRESS \"$xaddr\"
#define RETURN \"$xaddr\"
#define DISCLAIMER \"Comments: Please report misuse of this automated remailing service to <$xaddr>\\n\"
#define NONANONDISC \"Comments: This message was forwarded by an automated remailing service. No attempt was made to verify the sender's identity. Please report misuse to <$xaddr>\\n\"
#define SPOOL \"$xspool\"
#define SPAM_THRESHOLD 25
#define WAIT_SEC 30
#define DEFAULT_LATENCY 0
#define PGP \"/usr/local/bin/pgp\"
#define PGPPASS \"password\"
#define PGPPATH DIR
#define INEWS \"/usr/lib/news/inews\"
#define NNTPSERVER \"127.0.0.1\"
#define LS \"$xls\"
#define SENDMAIL \"$xsendmail\"
#define BLOCKFROM \"source.block\"
#define BLOCKTO \"dest.block\"
#define INQUEUE \"in.queue\"
#define OUTQUEUE \"out.queue\"
#define TEMPDIR \"temp\"
#define HELPFILE \"remailer-help\"
#define STATSDATA \"statsdata\"

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/time.h>
#include <time.h> /* some os need this one also */
/*File io stuff:*/
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

FILE *infile;
FILE *outfile;
FILE *tempfile;
FILE *file2;
char from[256]=\"\";
char from_address[256]=\"\";
char cutmarks[256]=\"\";
int anon_flag=0;
int help_flag=0;
int stat_flag=0;
int pgp_flag=0;
char replykey[80]=\"\";
char idbuf[17];
int idcount=0;
struct timeval tp;
unsigned long latime;
int blockflag;

void getfrom(char *input){
  int x=0,y=0;
  while(input[x]!=':'){x=x+1;}
  x=x+1;
while(input[x]<=32){x=x+1;} while(input[x]>32){ from_address[y]=input[x]; x=x+1;y=y+1; } from_address[y]=0; x=0; /* look for

*/ while(input[x]>31&&input[x]!='<'){x=x+1;} if(input[x]=='<'){ y=0;x=x+1; while(input[x]>32&&input[x]!='>'){ from_address[y]=input[x]; x=x+1;y=y+1; } from_address[y]=0; } } void block_addr(char address[],char *file) { char input[256]; int match=0; int x,y,z; int exclude; FILE *killfile; chdir(DIR); if(killfile=fopen(file,\"r\")){ while(fscanf(killfile,\"%s\",input)>0) { if (input[0]!='#'&&input[0]>32) { x=0;exclude=0;z=0; if (input[0]=='!') {exclude=1;z++;} while(address[x]!=0) { y=0; while ((address[x+y]|32)==(input[y+z]|32)&&input[y+z]!='*' &&input[y+z]!=0&&address[x+y]!=0) { y++; } if (input[y+z]==0) match=(1^exclude); if (input[y+z]=='*') {z=z+y+1;x=x+y;} else x++; } } } fclose(killfile); } if (match==1) address[0]=0; } int search(char str1[],char str2[]) { int x=0; int y=0; int match=0; while(str2[x]!=0) { y=0; while ((str2[x+y]==str1[y]||str2[x+y]==(str1[y]-32))&&str2[x+y]!=0) { y++; if (str1[y]==0) match=1; } x++; } return(match); } void scanline(char input[],char resend_address[]) { int x,y,z; int resend_flag=0; int cutmarks_flag=0; int post_flag=0; int latent_plusflag; int latent_randflag; int latent_h; int latent_m; int latent_s; /* Pass thru Subject, Content-Type, and In-Reply-To lines */ if ((input[0]=='S'||input[0]=='s')&&input[1]=='u'&&input[2]=='b') { /* if the subject line is blank, drop it */ if (input[8]!=0&&input[9]!=0) fprintf(outfile,\"%s\",input); /* and handle special case subjects for help and stats */ if (search(\"remailer-stat\",input)) { latime=tp.tv_sec; /* No latency */ stat_flag=1; } if (search(\"remailer-help\",input)||search(\"remailer-info\",input)) { latime=tp.tv_sec; /* No latency */ help_flag=1; } } if ((input[0]=='C'||input[0]=='c')&&input[1]=='o'&&input[2]=='n') { fprintf(outfile,\"%s\",input); } if ((input[0]=='I'||input[0]=='i')&&input[1]=='n'&&input[2]=='-') { fprintf(outfile,\"%s\",input); } /* Save the from line in case non-anonymous posting is requested */ if ((input[0]=='F'||input[0]=='f')&&input[1]=='r'&&input[2]=='o') 
{ getfrom(input);block_addr(from_address,BLOCKFROM); if(from_address[0]==0) blockflag=1; /* Source block */ block_addr(input,BLOCKTO); strcpy(from,input); } /* Fuzzy Match headers */ x=0; /* Remail-To? */ while (input[x]!=0&&(input[x]!=32||x<=2)&&input[x]!=10&&x<256) { if (input[x]=='R'||input[x]=='r') { while (input[x]!=0&&input[x]!=32&&input[x]!=10&&x<256) { if (input[x]=='M'||input[x]=='m') { while (input[x]!=0&&input[x]!=10&&x<256) { if ((input[x]=='T'||input[x]=='t') && (input[x+1]=='O'||input[x+1]=='o')) { while (input[x]!=0&&input[x]!=':'&&input[x]!=32 &&input[x]!=10&&x<256) x++; if (input[x]==':') { resend_flag=1; anon_flag=1; x=256; } } else x++; } } else x++; } } else x++; } /* Anon-To? */ x=0; while (input[x]!=0&&(input[x]!=32||x<=2)&&input[x]!=10&&x<256) { if (input[x]=='A'||input[x]=='a') { x++; if (input[x]=='N'||input[x]=='n') { while (input[x]!=0&&input[x]!=10&&x<256) { if ((input[x]=='T'||input[x]=='t') && (input[x+1]=='O'||input[x+1]=='o')) { while (input[x]!=0&&input[x]!=':'&&input[x]!=32 &&input[x]!=10&&x<256) x++; if (input[x]==':') { resend_flag=1; anon_flag=1; } x=256; } else x++; } } } else x++; } /* Post? */ x=0; while (input[x]!=0&&input[x]!=32&&input[x]!=10&&x<256) { if (input[x]=='P'||input[x]=='p') { x++; if (input[x]=='O'||input[x]=='o') { x++; if (input[x]=='S'||input[x]=='s') { post_flag=1; /* Post-To ? */ while (input[x]!=0&&input[x]!=32&&input[x]!=10&&x<256) { if (input[x]=='T'||input[x]=='t') { x++; if (input[x]=='O'||input[x]=='o') { x++; if (input[x]==':') { resend_flag=1; } } } else x++; } x=256; } } } else x++; } /* soda.berkeley style Send-To ? 
*/ x=0; while (input[x]!=0&&input[x]!=32&&input[x]!=10&&x<256) { if (input[x]=='S'||input[x]=='s') { x++; if (input[x]=='E'||input[x]=='e') { x++; if (input[x]=='N'||input[x]=='n') { x++; if (input[x]=='D'||input[x]=='d') { while (input[x]!=0&&input[x]!=32&&input[x]!=10&&x<256) { if (input[x]=='T'||input[x]=='t') { x++; if (input[x]=='O'||input[x]=='o') { x++; if (input[x]==':') resend_flag=1; } } else x++; } } } } } else x++; } /* Check for PGP... I got a little sloppy here...ohwell*/ if(input[0]=='E'&&input[1]=='n'&&input[2]=='c' &&input[3]=='r'&&input[4]=='y'&&input[5]=='p' &&input[6]=='t'&&input[7]=='e'&&input[8]=='d') { resend_flag=0; pgp_flag=1; } if(input[0]=='E'&&input[1]=='n'&&input[2]=='c' &&input[3]=='r'&&input[4]=='y'&&input[5]=='p' &&input[6]=='t'&&input[7]=='-') { x=0;y=0; while(input[x]!=':'){x=x+1;} x=x+1; if(input[x]==32){x=x+1;} z=x; /* replykey holds 80 bytes; stop copying before the terminator slot */ while(input[x]>32&&y<79){ replykey[y]=input[x]; x=x+1;y=y+1; } replykey[y]=0; } if(input[0]=='C'&&input[1]=='u'&&input[2]=='t') { cutmarks_flag=1; } if(resend_flag){ x=2;y=0; /* x=2 in case Extropians-style ::Header */ while(input[x]!=':'){x=x+1;} x=x+1; while(input[x]<=32){x=x+1;} z=x; if (post_flag==0) { while(input[x]>32){ resend_address[y]=input[x]; x=x+1;y=y+1; } resend_address[y]=0; x=0; /* look for
*/ while(input[x]>31&&input[x]!='<'){x=x+1;} if(input[x]=='<'){ y=0;x=x+1; while(input[x]>32&&input[x]!='>'){ resend_address[y]=input[x]; x=x+1;y=y+1; } resend_address[y]=0; } /* Print out new To: line */ fprintf(outfile,\"To: \"); while(input[z]>0){ fprintf(outfile,\"%c\",input[z]); z=z+1; } block_addr(resend_address,BLOCKTO); } if (post_flag) { fprintf(outfile,\"Newsgroups: \"); while(input[z]>0){ fprintf(outfile,\"%c\",input[z]); z=z+1; } resend_address[0]='p'; resend_address[1]='o'; resend_address[2]='s'; resend_address[3]='t'; resend_address[4]=0; block_addr(input,BLOCKTO);if (input[0]==0) resend_address[0]=0; } } if(cutmarks_flag){ x=0;y=0; while(input[x]!=':'){x=x+1;} x=x+1; if(input[x]==32){x=x+1;} z=x; while(input[x]>32){ cutmarks[y]=input[x]; x=x+1;y=y+1; } cutmarks[y]=0; } if((input[0]|32)=='l'&&(input[1]|32)=='a'&&(input[2]|32)=='t') { x=0; while(input[x]!=':'){x=x+1;} x=x+1; if(input[x]==32){x=x+1;} latent_plusflag=0;latent_randflag=0; latent_h=0;latent_m=0;latent_s=0; while((input[x]<'0'||input[x]>'9')&&input[x]>=32) { if (input[x]=='+') latent_plusflag=1; if ((input[x]=='r')||(input[x]=='R')) latent_randflag=1; x++; } while (input[x]>='0'&&input[x]<='9') { latent_h=(latent_h*10)+(input[x]-48); x++; } if(input[x]==':') { x++; while (input[x]>='0'&&input[x]<='9') { latent_m=(latent_m*10)+(input[x]-48); x++; } if(input[x]==':') { x++; while (input[x]>='0'&&input[x]<='9') { latent_s=(latent_s*10)+(input[x]-48); x++; } } } while(input[x]>=32) { if (input[x]=='+') latent_plusflag=1; if ((input[x]=='r')||(input[x]=='R')) latent_randflag=1; x++; } latime=(latent_h*3600+latent_m*60+latent_s); if(latent_plusflag==0) { /* Not Supported - Is this really necessary? 
*/ } if(latent_randflag&&(latime>1)) { /* Simple randomizer */ latime=abs((tp.tv_sec^latime)+tp.tv_usec+(getpid()*latime))%(latime+1); } latime+=tp.tv_sec; } } char* genid() { /* Generate ascii id from process id and time with shuffle */ unsigned long int id1,id2; int x=0; id1=getpid()|(idcount<<16); id2=tp.tv_sec; idcount++; for(x=32;x--;){ id1+=1234567890; id1^=0xABCDEF12; id1=(id1<<1)|(id1>>31); id2^=id1; id2+=0x12345678; id2^=0x9ABCDEF0; id2=(id2<<31)|(id2>>1); id1^=id2; } for(x=0;x<8;x++) { idbuf[x]=65+(id1&15); id1=id1>>4; } for(x=8;x<16;x++) { idbuf[x]=65+(id2&15); id2=id2>>4; } idbuf[16]=0; return(idbuf); } /* Re-encrypt messages for use with reply-blocks */ void reencrypt(){ char input[256]; int pipefd[2]; int pipe2fd[2]; input[255]=0; pipe(pipefd); pipe(pipe2fd); if(!fork()) { dup2(pipefd[0],0); dup2(pipe2fd[1],1); close(pipefd[1]); close(pipe2fd[0]); chdir(DIR); execl(PGP,\"pgp\",\"-fcta\",\"+BATCHMODE\",\"+ARMORLINES=0\",\"-z\",replykey,(char *)0); } close(pipefd[0]);close(pipe2fd[1]); file2=fdopen(pipefd[1],\"w\"); while(fgets(input,255,infile)) { fprintf(file2,\"%s\",input); } fclose(file2); file2=fdopen(pipe2fd[0],\"r\"); while(fgets(input,255,file2)) { fprintf(outfile,\"%s\",input); } fclose(file2); } void updatestats(int inccnt,int incpgp,int inclat,int incpost) { int m[24]; int ccm=0; int p[24]; int ccpgp=0; int l[24]; int ccl=0; int u[24]; int ccnews=0; char month[24][5]; int date[24]; int hour=0; int currenthour; FILE *datafile; int x; int y; struct tm *timestr; timestr=localtime(&(tp.tv_sec)); if(datafile=fopen(STATSDATA,\"r\")){ fscanf(datafile,\"%d\",&hour); fscanf(datafile,\"%d %d %d %d\",&ccm,&ccpgp,&ccl,&ccnews); for(x=0;x<24;x++) { fscanf(datafile,\"%s %d %d %d %d %d\", month[x],&date[x],&m[x],&p[x],&l[x],&u[x]); } fclose(datafile); }else{ for(x=0;x<24;x++) { strcpy(month[x],\"---\"); date[x]=0;m[x]=0;p[x]=0;l[x]=0;u[x]=0; } } currenthour=(*timestr).tm_hour; x=hour%24; while (x!=currenthour) { if (x>0) { strcpy(month[x],month[x-1]); 
date[x]=date[x-1]; }else{ if((*timestr).tm_mon==0) strcpy(month[0],\"Jan\"); if((*timestr).tm_mon==1) strcpy(month[0],\"Feb\"); if((*timestr).tm_mon==2) strcpy(month[0],\"Mar\"); if((*timestr).tm_mon==3) strcpy(month[0],\"Apr\"); if((*timestr).tm_mon==4) strcpy(month[0],\"May\"); if((*timestr).tm_mon==5) strcpy(month[0],\"Jun\"); if((*timestr).tm_mon==6) strcpy(month[0],\"Jul\"); if((*timestr).tm_mon==7) strcpy(month[0],\"Aug\"); if((*timestr).tm_mon==8) strcpy(month[0],\"Sep\"); if((*timestr).tm_mon==9) strcpy(month[0],\"Oct\"); if((*timestr).tm_mon==10) strcpy(month[0],\"Nov\"); if((*timestr).tm_mon==11) strcpy(month[0],\"Dec\"); date[0]=(*timestr).tm_mday; } m[x]=0; p[x]=0; l[x]=0; u[x]=0; x++;if (x>23) x=0; } if (hour!=currenthour) { m[hour]=ccm; p[hour]=ccpgp; l[hour]=ccl; u[hour]=ccnews; ccm=0; ccpgp=0; ccl=0; ccnews=0; } ccm+=inccnt; ccpgp+=incpgp; ccl+=inclat; ccnews+=incpost; if(datafile=fopen(STATSDATA,\"w\")){ fprintf(datafile,\"%d\\n\",currenthour); fprintf(datafile,\"%d %d %d %d\\n\",ccm,ccpgp,ccl,ccnews); for(x=0;x<24;x++) { fprintf(datafile,\"%s %d %d %d %d %d\\n\", month[x],date[x],m[x],p[x],l[x],u[x]); } fclose(datafile); } else fprintf(stderr,\"remailer: can't write file %s\\n\",STATSDATA); } void viewstats() { int m[24]; int ccm; int p[24]; int ccpgp; int l[24]; int ccl; int u[24]; int ccnews; char month[24][5]; int date[24]; int hour; int currenthour; FILE *datafile; int x; int y; datafile=fopen(STATSDATA,\"r\"); fscanf(datafile,\"%d\",&hour); fscanf(datafile,\"%d %d %d %d\",&ccm,&ccpgp,&ccl,&ccnews); for(x=0;x<24;x++) { fscanf(datafile,\"%s %d %d %d %d %d\", month[x],&date[x],&m[x],&p[x],&l[x],&u[x]); } fclose(datafile); fprintf(outfile,\"Subject: Re: Remailer Statistics\\n\"); fprintf(outfile,\"\\n\"); fprintf(outfile,\"Statistics for last 24 hours from anonymous remailer at\\n\"); fprintf(outfile,\"e-mail address: %s\\n\",REMAILERADDRESS); fprintf(outfile,\"\\n\"); fprintf(outfile, \"Number of messages per hour from %s %d %d:00 to %s %d 
%d:59\\n\", month[23],date[23],hour,month[0],date[0],(hour+23)%24); fprintf(outfile,\"\\n\"); for(x=0;x<24;x++) { fprintf(outfile,\" %2d:00 (%2d) \",x,m[x]); if (m[x]>0) { y=0;while((ySPAM_THRESHOLD) exit(0); #endif for(x=0;filename[x]>32;x++){} filename[x]=0; if(!(infile=fopen(filename,\"r\"))){} /* Open the output file */ chdir(DIR); mkdir(OUTQUEUE,0700); /* Create it if it doesn't exist */ if(chdir(OUTQUEUE)) {fprintf(stderr,\"remailer: Error - can't chdir to %s\\n\",OUTQUEUE);exit(1);} if(!(outfile=fopen(filename,\"w\"))) {fprintf(stderr,\"remailer: can't write output file, message left in %s\\n\",INQUEUE);exit(1);} /* Create blank space for fields in output file */ latime=0;resend_address[0]=0;resend_address[255]=0; fwrite(&latime,sizeof(long),1,outfile); fwrite(resend_address,256,1,outfile); /* Initialize latency time & misc */ latime=tp.tv_sec; from[0]=0;cutmarks[0]=0;replykey[0]=0; anon_flag=0;help_flag=0;stat_flag=0;pgp_flag=0;blockflag=0; #ifdef DEFAULT_LATENCY /* Randomly reorder messages if DEFAULT_LATENCY is set */ if(DEFAULT_LATENCY>1) { latime=tp.tv_sec+abs(tp.tv_sec+tp.tv_usec+getpid())%(DEFAULT_LATENCY+1); } #endif /* Scan headers */ fgets(input,255,infile); while(input[0]!=10) { scanline(input,resend_address); input[0]=10;input[1]=0; fgets(input,255,infile); } fgets(input,255,infile); /* end of headers, skip a line */ /* if first line is blank, skip it and look for a :: on the next line */ if(resend_address[0]==0&&input[0]<32) fgets(input,255,infile); /* Also skip \"blank\" lines with a space in them: */ if(resend_address[0]==0){ for(x=0;(input[x]<=32)&&(input[x]);x++){} if(input[x]==0) fgets(input,255,infile); } /* Scan :: headers, if applicable */ if(input[0]==':'&&input[1]==':') { while(input[0]!=10) { scanline(input,resend_address); input[0]=10;input[1]=0; fgets(input,255,infile); } fgets(input,255,infile); } /* or scan for headers anyway for idiots who forget the double colon */ if(resend_address[0]==0) { scanline(input,resend_address); 
if(resend_address[0]!=0) { fgets(input,255,infile); while(input[0]!=10) { scanline(input,resend_address); input[0]=10;input[1]=0; fgets(input,255,infile); } } fgets(input,255,infile); } /* Exec PGP? */ if (pgp_flag) { fclose(outfile); chdir(DIR);chdir(OUTQUEUE); unlink(filename); pipe(pipefd); pipe(pipe2fd); if(!fork()) { dup2(pipefd[0],0); dup2(pipe2fd[1],1); close(pipefd[1]); close(pipe2fd[0]); chdir(DIR); #ifdef PGPPATH strcpy(envstr,\"PGPPATH=\"); strcat(envstr,PGPPATH); putenv(envstr); #endif execl(PGP,\"pgp\",\"-f\",\"-z\",PGPPASS,(char *)0); } close(pipefd[0]);close(pipe2fd[1]); fseek(infile,0,0); outfile=fdopen(pipefd[1],\"w\"); while((fgets(input,255,infile)>0) &&(strcmp(input,\"-----BEGIN PGP MESSAGE-----\\n\")!=0)) {} fprintf(outfile,\"%s\",input); while(fgets(input,255,infile) &&(strcmp(input,\"-----END PGP MESSAGE-----\\n\")!=0)) { fprintf(outfile,\"%s\",input); } fprintf(outfile,\"%s\",input); fclose(outfile); file2=fdopen(pipe2fd[0],\"r\"); chdir(DIR);chdir(INQUEUE); outfile=fopen(genid(),\"w\"); fprintf(outfile,\"\\n\"); while(fgets(input,255,file2)) { fprintf(outfile,\"%s\",input); } fclose(file2); /* Append rest of message to decrypted reply-block */ while(fgets(input,255,infile)) { fprintf(outfile,\"%s\",input); } fclose(infile);fclose(outfile); unlink(filename);/* Remove the original message from in.queue */ chdir(DIR); updatestats(0,1,0,0); goto in_loop; } if (from[0]==0) anon_flag=1; if (anon_flag) { fprintf(outfile,ANONFROM); fprintf(outfile,DISCLAIMER); }else{ fprintf(outfile,\"%s\",from); fprintf(outfile,NONANONDISC); } /* Paste in ## headers if present */ if(input[0]=='#'&&input[1]=='#') { /* Kill Reply-To lines with blocked addresses to prevent mailbombs via alt.test */ while(fgets(input,255,infile)>0&&input[0]>31) { if ((input[0]=='R'||input[0]=='r')&&input[1]=='e'&&input[2]=='p') { block_addr(input,BLOCKTO);if (input[0]!=0) fprintf(outfile,\"%s\",input); /* Block ## pasted Newsgroups: */ }else 
if(((input[0]|32)=='n')&&input[1]=='e'&&input[2]=='w'&&input[3]=='s') { block_addr(input,BLOCKTO);if (input[0]!=0) fprintf(outfile,\"%s\",input); }else fprintf(outfile,\"%s\",input); } fprintf(outfile,\"\\n\"); }else{ fprintf(outfile,\"\\n%s\",input); if(replykey[0]>0&&input[0]=='*'&&input[1]=='*') { reencrypt(); } } /* Copy message */ stop=0; while(fgets(input,255,infile)>0&&(!stop)) { if (cutmarks[0]!=0) { x=0; while(cutmarks[x]==input[x]&&input[x]!=0&&cutmarks[x]!=0) { x++; } if (cutmarks[x]==0) stop=1; } if (!stop) fprintf(outfile,\"%s\",input); if(replykey[0]>0&&input[0]=='*'&&input[1]=='*') { reencrypt(); } } /* If help or stats were requested, set destination address to reply to sender */ if((resend_address[0]==0)&&(help_flag||stat_flag)){ strcpy(resend_address,from_address); } else {help_flag=0;stat_flag=0;} /* Save time and destination address in binary data table at beginning of file */ if (blockflag) resend_address[0]=0; fseek(outfile,0,0); fwrite(&latime,sizeof(long),1,outfile); fwrite(resend_address,256,1,outfile); if(help_flag||stat_flag){ chdir(DIR); fprintf(outfile,\"%s\",REMAILERFROM); if(help_flag) { if(file2=fopen(HELPFILE,\"r\")){ while(fgets(input,255,file2)){ for(x=0;input[x];x++){ if(input[x]=='['&&input[x+1]=='a'&&input[x+2]=='d' &&input[x+3]=='d'&&input[x+4]=='r'&&input[x+5]==']') { fprintf(outfile,\"%s\",REMAILERADDRESS);x=x+5; } else { fprintf(outfile,\"%c\",input[x]); } } } fclose(file2); } else resend_address[0]=0; } if(stat_flag) {viewstats();} } fclose(outfile); chdir(DIR);chdir(INQUEUE); /* Second message?
Put message following cutmarks into inqueue */ if (stop==1&&input[0]==':'&&input[1]==':') { outfile=fopen(genid(),\"w\"); fprintf(outfile,\"\\n::\\n\"); while(fgets(input,255,infile)>0) { fprintf(outfile,\"%s\",input); } fclose(outfile); } /* Write non-remailer messages into operator's mailbox */ if (resend_address[0]==0&&from[0]!=0){ fseek(infile,0,0); outfile=fopen(SPOOL,\"a\"); while(fgets(input,255,infile)) { fprintf(outfile,\"%s\",input); } fclose(infile); fprintf(outfile,\"\\n\"); fclose(outfile); unlink(filename); chdir(DIR);chdir(OUTQUEUE); unlink(filename); }else{ fclose(infile); unlink(filename); if(strcmp(resend_address,\"null\")==0 ||strcmp(resend_address,\"/dev/null\")==0) resend_address[0]=0; if(resend_address[0]==0){ /* drop empty messages */ chdir(DIR);chdir(OUTQUEUE); unlink(filename); }else{ chdir(DIR); if((latime-tp.tv_sec)>2) updatestats(0,0,1,0); updatestats(1,0,0,0); /* Add one remailed message to stats */ } } /* Deliver messages in out.queue */ gettimeofday(&tp,0); chdir(DIR);chdir(OUTQUEUE); pipe(pipefd); filename[0]=0; if(!fork()) { dup2(pipefd[1],1); close(pipefd[0]); execl(LS,\"ls\",\"-1\",(char *)0); } x=0;close(pipefd[1]); file2=fdopen(pipefd[0],\"r\"); while(fgets(filename,256,file2)&&filename[0]!=0) { for(x=0;filename[x]>32;x++){} filename[x]=0; if(infile=fopen(filename,\"r\")){ fread(&latime,sizeof(long),1,infile); fread(resend_address,256,1,infile); if (latime<=tp.tv_sec) { pipe(pipe2fd);/*pipe(pipe3fd);*/ if(!fork()) { /*Child*/ dup2(pipe2fd[0],0);close(pipe2fd[1]); /*dup2(pipe3fd[1],1);close(pipe3fd[0]);*/ if(strcmp(resend_address,\"post\")){ execl(SENDMAIL,SENDMAIL, #ifdef RETURN \"-f\",RETURN, #endif resend_address,(char *)0); exit(0); }else{ #ifdef INEWS #ifdef NNTPSERVER strcpy(envstr,\"NNTPSERVER=\"); strcat(envstr,NNTPSERVER); putenv(envstr); #endif execl(INEWS,\"inews\",\"-h\",(char *)0); #endif exit(0); } }else{ /*Parent*/ close(pipe2fd[0]);/*close(pipe3fd[1]);*/ outfile=fdopen(pipe2fd[1],\"w\"); 
          if(strcmp(resend_address,\"post\")){
            /* We are talking to sendmail */
            while(fgets(input,255,infile)>0) {
              fprintf(outfile,\"%s\",input);
            }
            fclose(outfile);
            /* At this point, it's a safe bet that sendmail will deliver
               the message, so the remailer can delete its copy. If sendmail
               execution had failed for some reason, this process would
               have been killed by a SIGPIPE */
            unlink(filename);
          }else{
            /* We are talking to inews */
#ifdef INEWS
            while(fgets(input,255,infile)>0) {
              fprintf(outfile,\"%s\",input);
            }
            /* There should be a way to analyze the response from inews
               and requeue messages that could not be posted due to server
               failure. Now, the messages just get deleted :( */
            unlink(filename);
#else
            /* If posting is not allowed, delete the failed message */
            unlink(filename);
#endif
          }
        }
#ifdef WAIT_SEC
        sleep(WAIT_SEC);
#endif
        gettimeofday(&tp,0);
      }
      fclose(infile);
    }
  }
  fclose(file2);
  goto in_loop;
}
" | tee -a remailer.c > /dev/null

echo "Spawning compile in background."
gcc -o RM remailer.c 2> /dev/null &

echo "Building help-file."
echo "
Subject: Instructions for using anonymous remailer

This message is being sent to you automatically in response to the message you sent to $xaddr with subject \"remailer-help\".

I have an automated mail handling program installed here which will take any message with the proper headers and automatically re-send it anonymously.

You can use this by sending a message to $xaddr, with the header Anon-To: containing the address that you want to send anonymously to. (Only one recipient address is permitted.) If you can't add headers to your mail, you can place two colons on the first line of your message, followed by the Anon-To line. Follow that with a blank line, and then begin your message. For Example:

> From: joe at site.com
> To: $xaddr
> Subject: Anonymous Mail
>
> ::
> Anon-To: beth at univ.edu
>
> This is some anonymous mail.

The above would be delivered to beth at univ.edu anonymously.
All headers in the original message are removed, with the exception of the Subject (and Content-Type, if present). She would not know that it came from Joe, nor would she be able to reply to the message. However, if Beth suspected that Joe had sent the message, she could compare the time that the message was received with the times that Joe was logged in. However, this problem can be avoided by instructing the remailer to delay the message, by using the Latent-Time header:

> From: joe at site.com
> To: $xaddr
> Subject: Anonymous Mail
>
> ::
> Anon-To: beth at univ.edu
> Latent-Time: +1:00
>
> This is some anonymous mail.

The above message would be delayed one hour from when it is sent. It is also possible to create a random delay by adding an r to the time (i.e. +1:00r), which would have the message be delivered at a random time, but not more than an hour.

Another problem is that some mailers automatically insert a signature file. Of course, this usually contains the sender's email address, and so would reveal their identity. The remailer software can be instructed to remove a signature file with the header \"Cutmarks\". Any line beginning with the same text as in the cutmarks header, and any lines following it will be removed.

> From: sender at origin.com
> To: $xaddr
> Subject: Anonymous Mail
>
> ::
> Anon-To: recipient at destination.com
> Cutmarks: --
>
> This line of text will be in the anonymous message.
> --
> This line of text will not be in the anonymous message.

The remailer can also be used to make posts to usenet. To do this, use Anon-Post-To. Non-Anonymous posts can be made by using Post-To.

> From: poster at origin.com
> To: $xaddr
> Subject: Anonymous Post
>
> ::
> Anon-Post-To: alt.test
>
> This is an anonymous message

When posting test messages, please use the appropriate newsgroups (alt.test, misc.test).
You can add additional headers to the output message by preceding them with ##

> From: chris at nifty.org
> To: $xaddr
> Subject: Nifty Anon Msg
>
> ::
> Anon-To: andrew at hell.edu
>
> ##
> Reply-To: acs-314159 at chop.ucsd.edu
>
> A Message with a reply address.

By separating messages with cutmarks, you can send more than one message at once:

> From: me at mysite
> To: $xaddr
> Subject: message 1
>
> ::
> Anon-To: recipient1 at site1.org
> Cutmarks: --
>
> Message one.
> --
> ::
> Anon-To: recipient2 at site2.org
>
> ##
> Subject: message 2
>
> Message two.

The two messages will be delivered separately.

For added security, you can encrypt your messages to the remailer with PGP. The remailer software will decrypt the message and send it on. Here is the remailer's public key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.3a

mQCKAi3vhFUAAAED6KSE5JwFAstBYAUEASfQCEr1wA+1YsWZl7nlNBA8Xq4YSwl
eLCy9oiTDisxsxxxcbQdMtBTFcgQ2GVq7NhhjCEQkRzFRzPOG87T+0aUSufqD2R
PYnwacPDpiTUe/TobHMs/Ov+yDuji0bIacveflubU8DvHLjHgI58Jgk1AAURtCR
bm9ueW1vdXMgUmVtYWlsZXIgPGdoaW9Aa2Fpd2FuLmNvbT=
=v5cv
-----END PGP PUBLIC KEY BLOCK-----

To utilize this feature, create a message with two colons on the first line, then the Anon-To line, then any other headers, such as cutmarks or latency, then a blank line, and then the message. Encrypt this with the remailer's public key. Then send it to the remailer, adding the header \"Encrypted: PGP\". If you forget this, the remailer won't know that it needs to be decrypted. Also be sure to use the -t option with PGP, or the linefeeds might not be handled properly.

> To: $xaddr
> From: me at mysite.org
>
> ::
> Encrypted: PGP
>
> -----BEGIN PGP MESSAGE-----
> Version: 2.3a
>
> hIkCuMeAjnwmCTUBA+dfWcFk/fLRpm4ZM7A23iONxkOGDL6D0FyRi/r0P8+pH2gf
> HAi4+1BHUhXDCW2LfLfay5JwHBNMtcdbgXiQVXIm0cHM0zgf9hBroIM9W+B2Z07i
> 6UN3BDhiTSJBCTZUGQ7DrkltbgoyRhNTgrzQRR8FSQQXSo/cf4po0vCezKYAAABP
> smG6rgPhdtWlynKSZR6Gd2W3S/5pa+Qd+OD2nN1TWepINgjXVHrCt0kLOY6nVFNQ
> U7lPLDihXw/+PPJclxwvUeCSygmP+peB1lPrhSiAVA==
> =da+F
> -----END PGP MESSAGE-----

Any unencrypted text after the PGP message is also remailed. This is to allow sending to someone who is anonymous. If you create a PGP-encrypted message to yourself via my remailer, and then you give it to someone, they can send you a message by sending the encrypted message to the remailer. The remailer will then decrypt it and send it to you. The message gets anonymized in the process, so the sender will need to include a return address if he wants a reply.

Messages sent this way can be encrypted using the Encrypt-Key: feature. Any text following a line beginning with ** will be encrypted with this key. For example, if you put in your PGP message:

> ::
> Anon-To: you at yourhost.org
> Encrypt-Key: your_password
>
> **

The appended message after the ** will be encrypted with the key \"your_password\", using PGP's conventional encryption option.

Abuse Policy:
I consider the following to be inappropriate use of this anonymous remailer, and will take steps to prevent anyone from doing any of the following:
- Sending messages intended primarily to be harassing or annoying.
- Use of the remailer for any illegal purpose.
If you don't want to receive anonymous mail, send me a message, and I will add your email address to the block list.

You can get a list of statistics on remailer usage by sending mail to $xaddr with Subject: remailer-stats
" | tee -a remailer-help > /dev/null

cd $HOME
echo "|$xdir/RM" > .forward
echo -e "\n"
echo "
Ok, I've installed a very basic type one remailer.
If you want to support Mixmaster, PGP, or other features, check the source code in $xdir/remailer.c and make appropriate changes, then type:

\"gcc -o RM remailer.c\"

If you don't care to support these features, then your remailer should now be fully functional.
"

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 10:12:57 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 11 May 1996 01:12:57 +0800
Subject: PGP, Inc.
Message-ID: <01I4IHTM3WME8Y5BAX@mbcl.rutgers.edu>

From: IN%"shamrock at netcom.com" 8-MAY-1996 11:06:21.74

>Since VeriSign is going to issue certs for nyms for free, the only
>requirement being uniqueness, using their certs might not prove much of a
>problem.

I can see some fascinating legal questions with what, exactly, a VeriSign certificate obligates the company for. Digital signature laws should get interesting - any application of this to the Utah one?
-Allen

From stewarts at ix.netcom.com Fri May 10 11:25:57 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Sat, 11 May 1996 02:25:57 +0800
Subject: time services on the Net
Message-ID: <199605100039.RAA00738@toad.com>

At 11:11 AM 5/7/96 -0400, you wrote:
>I'm in need of a time service available over the Internet.
>Time-stamping is a plus, but the actual time (GMT, local, ...)
>is more important. Does anyone have, or know of where I
>can find, a list of these services?

Check out http://www.clock.org/clock.org.html and http://tycho.usno.navy.mil/ for more information.

There are some standard TCP/IP protocols for time. You can check the RFCs for more information on them, and look in whatever your operating system calls the "services" file.

There's a simple "daytime" protocol which gives the time in hours:minutes:seconds at 1-second resolution, in ASCII or binary, over TCP or UDP. It's dumb, but it works fine if that's enough resolution for you, and there are programs to set your system clock based on it, such as rdate for Suns and wsntime for Winsock.

There's a far fancier protocol called NTP, the Network Time Protocol, which is a multi-tiered time protocol with servers and clients and mutual agreement and adjustment for round-trip delay and such. Depending on the quality of your network connections, it can be accurate to very fine time resolutions.

It's good form for ISPs to support NTP, both to keep their clocks synchronized and to feed time to their clients, but not all of them do that. It's also good form for ISPs to keep _all_ their machines in sync, not just most of them, as occasionally happens at (ahem) some large well-known ISPs, especially if they're going to bill for prime/nonprime time... Another motivation is so that tycho.usno.navy.mil and its friends tick and tock.usno.navy.mil only get hit by a few thousand ISPs instead of potentially millions of individuals.

Ask your ISP's administrators what they do about clock sync, unless of course you _are_ the administrator, or your ISP takes three weeks to respond to tech support questions like the (ahem) large well-known ISP not named above. I currently use wsntime to sync off cesium.clock.org because my ISP has reconfigured their time service and takes weeks to respond to tech support questions, but I was using the ISP directly for a while.

# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus inoculation

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 11:33:29 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 11 May 1996 02:33:29 +0800
Subject: Remailer in a box
Message-ID: <01I4IIMHQ67Y8Y5BAX@mbcl.rutgers.edu>

From: IN%"loki at obscura.com" "Lance Cottrell" 9-MAY-1996 18:58:23.21

On Thu, 9 May 1996, E. ALLEN SMITH wrote:

>> After taking a look at www.cyberpass.net, I can see why you're
>> encouraging people to use it - about like Sameer encouraging people to use
>> c2.org.

>Guilty

No problem. Modesty is an overrated virtue.

>I am not pushing the anonymous accounts until my lawyer finishes the user
>agreement for them. It is a bit of a tricky document (Sameer, want a copy
>when it is done?). The whole site is days away from a complete redesign,
>so I am not putting much effort into the current interface. Thanks for
>the suggestions though.

I suspect that the legal types on cypherpunks would be interested in seeing it. Quite welcome on the suggestions.

>The >= 18 condition is to cover my butt. Since minors can not be parties
>to contracts, I have no protection with them as clients. I am only a
>provider for adults, and they take full responsibility for any children
>allowed to use the connection. Fuck the CDA, but keep an eye on its claws.

I see your difficulty. It is an additional one with respect to anonymous accounts. Hmm... you could put the burden on other ISPs by only having anonymous accounts via telnet access - and not accepting such from k12.edu domains. Bit of a limit, though.
-Allen

From E.J.Koops at kub.nl Fri May 10 13:26:30 1996
From: E.J.Koops at kub.nl (Bert-Jaap Koops)
Date: Sat, 11 May 1996 04:26:30 +0800
Subject: Crypto Law Survey - updated
Message-ID:

I have just updated my survey of cryptography regulations worldwide. I have included the developments of the past few months and added a number of links to more detailed resources and full texts.

http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm

Please reset old pointers to this URL.

Comments, as always, will be appreciated.

Bert-Jaap Koops

---------------------------------------------------------------------
Bert-Jaap Koops                        tel    +31 13 466 8101
Center for Law and Informatization     facs   +31 13 466 8102
Tilburg University                     e-mail E.J.Koops at kub.nl
                   --------------------------------------------------
Postbus 90153    | This world's just mad enough to have been made |
5000 LE Tilburg  | by the Being his beings into being prayed.     |
The Netherlands  | (Howard Nemerov)                               |
---------------------------------------------------------------------
http://cwis.kub.nl/~frw/people/koops/bertjaap.htm
---------------------------------------------------------------------

From reagle at mit.edu Fri May 10 14:24:26 1996
From: reagle at mit.edu (Joseph M. Reagle Jr.)
Date: Sat, 11 May 1996 05:24:26 +0800
Subject: Publicity on PICS
Message-ID: <9605100621.AA17939@rpcp.mit.edu>

At 05:25 PM 5/9/96 EDT, you wrote:
> The following may give an example of how companies and governments want
>PICS to be used, instead of how it should be used (market-based ratings not
>for censorship). It is _very_ confusing to follow though.

>>CompuServe, Microsoft, Prodigy and Netscape Communications will soon give
>>their customers software enabling them to block access to material they
>>judge objectionable on the Internet's Worldwide Web.

Consider that Compuserve had a deal with SurfWatch, which was incorporated in its "Internet" in a box, with a lot of Spry goodies. Now Surfwatch has been purchased by Spyglass (a competitor of Spry). Also, Compuserve offers RSACi services through CyberPatrol's RSACi compliance (got some weird derivative and cross-licensing works going on here!) and urges its users and 3rd party people to use RSACi...

_______________________
Regards,
Men govern nothing with more difficulty than their tongues, and can moderate their desires more than their words. -Spinoza
Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html
reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E

From shamrock at netcom.com Fri May 10 14:30:22 1996
From: shamrock at netcom.com (Lucky Green)
Date: Sat, 11 May 1996 05:30:22 +0800
Subject: PGP, Inc.
Message-ID:

At 19:37 5/9/96, E. ALLEN SMITH wrote:
>From: IN%"shamrock at netcom.com" 8-MAY-1996 11:06:21.74
>
>>Since VeriSign is going to issue certs for nyms for free, the only
>>requirement being uniqueness, using their certs might not prove much of a
>>problem.
>
> I can see some fascinating legal questions with what, exactly, a
>VeriSign certificate obligates the company for. Digital signature laws should
>get interesting - any application of this to the Utah one?

VeriSign is going to offer four levels of certs. The first requires only uniqueness. For the other three levels, VeriSign will require more and better assurances of the correctness of True Name stated on the cert. I don't know what form these assurances are supposed to take.

Disclaimer: My opinions are my own, not those of my employer.

-- Lucky Green
PGP encrypted mail preferred.

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 14:32:09 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 11 May 1996 05:32:09 +0800
Subject: PGP, Inc.
Message-ID: <01I4IPAJCSGG8Y5AJT@mbcl.rutgers.edu>

From: IN%"shamrock at netcom.com" 9-MAY-1996 23:02:01.67

>At 19:37 5/9/96, E. ALLEN SMITH wrote:
>> I can see some fascinating legal questions with what, exactly, a
>>VeriSign certificate obligates the company for. Digital signature laws should
>>get interesting - any application of this to the Utah one?

>VeriSign is going to offer four levels of certs. The first requires only
>uniqueness. For the other three levels, VeriSign will require more and
>better assurances of the correctness of True Name stated on the cert. I
>don't know what form these assurances are supposed to take.

The first level, in other words, is less of a certification than a PGP key with self-signature and signature from one other person. It doesn't have _any_ effort to verify that the email address stated on it is the actual email address of that nym. Or am I misinterpreting you?
-Allen

From shamrock at netcom.com Fri May 10 14:49:43 1996
From: shamrock at netcom.com (Lucky Green)
Date: Sat, 11 May 1996 05:49:43 +0800
Subject: PGP, Inc.
Message-ID:

At 23:10 5/9/96, E. ALLEN SMITH wrote:
> The first level, in other words, is less of a certification than a PGP
>key with self-signature and signature from one other person. It doesn't have
>_any_ effort to verify that the email address stated on it is the actual email
>address of that nym. Or am I misinterpreting you?

I was on a panel with a representative from VeriSign at Interop in Las Vegas. He said that uniqueness was the only requirement for the first level of cert. I don't have any information beyond that.

Disclaimer: My opinions are my own, not those of my employer.

-- Lucky Green
PGP encrypted mail preferred.

From nelson at crynwr.com Fri May 10 14:54:54 1996
From: nelson at crynwr.com (nelson at crynwr.com)
Date: Sat, 11 May 1996 05:54:54 +0800
Subject: Remailer in a box
In-Reply-To: <01I4IIMHQ67Y8Y5BAX@mbcl.rutgers.edu>
Message-ID: <19960510033729.30653.qmail@ns.crynwr.com>

E. ALLEN SMITH writes:
> I see your difficulty. It is an additional one with respect to
> anonymous accounts. Hmm... you could put the burden on other ISPs by only
> having anonymous accounts via telnet access - and not accepting such from
> k12.edu domains. Bit of a limit, though.

1) New .edu registrations are restricted to colleges, but you have rogues like sidwell.edu (Chelsea's Quaker school), plus the odd 17-year-old attending college like I did.

2) .k12.STATE.us is safe enough to restrict, except that some people are staff members who will be unhappy. Of course, those people can just change their DNS so it responds to a PTR request with a.root-servers.net. So naturally you don't let the students manage your servers (although frankly, the staff members have little time or knowledge to do it themselves; most would be happy to find a trustworthy student). Even so, said smart student will discover that it's possible to spoof the DNS by spamming a client with responses. That's particularly easy since the source of the packet will likely be the same subnet that the smart student.

You can't use the DNS for authentication of any type, particularly if a Damoclean CDA is hanging over your head.

-russ http://www.crynwr.com/~nelson
Crynwr Software   | Crynwr Software sells packet driver support | PGP ok
11 Grant St.      | +1 315 268 1925 voice | It's no mistake to err on
Potsdam, NY 13676 | +1 315 268 9201 FAX   | the side of freedom.

From HABIB at KLSE.COM.MY Fri May 10 16:09:52 1996
From: HABIB at KLSE.COM.MY (MOHAMED HABIB MOHAMED EUSOFF)
Date: Sat, 11 May 1996 07:09:52 +0800
Subject: Dear friends,
Message-ID:

Dear friends,

I am searching for NETWORK SECURITY white paper, documents and hacking utilities. Maybe you guys/gals can shed some light on this.

TQ. See You.

From qut at netcom.com Fri May 10 16:29:33 1996
From: qut at netcom.com (Dave Harman)
Date: Sat, 11 May 1996 07:29:33 +0800
Subject: Cyberspace--Silencing the Net
In-Reply-To: <01I4IEFM2UW88Y5B50@mbcl.rutgers.edu>
Message-ID: <199605100159.SAA00942@netcom16.netcom.com>

> Interesting that they're a very liberal organization with the guts -
> unlike, say, CPSR - to condemn German censorship of Neo-Nazis. Their information
> on that is incomplete, however; Declan and Rich may wish to contact them and
> give them the whole story.
> -Allen

What organization are you referring to that doesn't like censorship of racists? And how has CPSR acted to appear soft on censorship?

Anyone can find out more about national socialist ideology through Nizkor, which has megs of racist essays in our own words.
A recommended directory is: ftp://nizkor.almanac.bc.ca/pub/people/k/kleim.milton/

__
qut, cryptoracist

From qut at netcom.com Fri May 10 16:40:12 1996
From: qut at netcom.com (Dave Harman)
Date: Sat, 11 May 1996 07:40:12 +0800
Subject: remailer@utopia.hacktic.nl down
In-Reply-To: <96May9.135632edt.20486@janus.algorithmics.com>
Message-ID: <199605100215.TAA04043@netcom16.netcom.com>

> >>>>> qut at netcom.com (Dave Harman) writes:
>
> >> Alex de Joode wrote:
> >> >
> >> > Due to recent events the Hacktic Foundation has decided to
> >> > discontinue its remailing operations, the remailer that is
> >> > operated by the Hacktic Foundation will cease to exist May
> >> > 20th.
> >>
> >> Co$, I'll wager. Just shows to go ya.
>
> > Perhaps Co$ was behind the recent spamming of
> > alt.politics.white-power. Scientology is
> > virulently anti-racist.
>
> Interesting, given that Massah Elron (L. Ron Hubbard) was virulently
> racist.

Just check out www.theta.com for examples of wiesenthalien anti-racism.

Oh, in what way was Elrom racist? (he's not anti-asian or anti-semitic, for instance)

__
qut, cypheracist

From tcmay at got.net Fri May 10 16:52:07 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 11 May 1996 07:52:07 +0800
Subject: Mandatory Voluntary Self-Ratings
Message-ID:

At 11:40 PM 5/9/96, E. ALLEN SMITH wrote:
>From: IN%"tcmay at got.net" 8-MAY-1996 16:30:16.71
>
>>Then we'll see what happens. (This is an old debate, here and on the
>>Cyberia-l list, to wit, what happens when people/perverts/libertarians
>>choose to subvert the voluntary ratings by deliberately mis-rating their
>>stuff? Or what if they genuinely believe, a la NAMBLA, that youngsters
>>should be exposed to certain things?)
>
> I don't agree with NAMBLA, BTW, in case anyone is wondering.

No need for people to point this out, as my point was an hypothetical, to show that there simply _is no objective standard_ in such matters.
For every proposed "ratings" system that involves value judgments about who should see something, I can think of examples where a quite opposite view is held.

I still think we are being led down a dangerous path in trying to architect ratings systems. As I said, we don't rate written words (at least I don't), we don't rate newspapers, etc. If a system gets built into the WWW, as with proposals for PICS, it _will_ be used by those who want to control content. We should think twice before helping in any way.

(No, I'm not _against_ private ratings services...but this has little to do with _me_, and I won't participate. More importantly, I won't have my content have any kind of tag attached! Thus, the PICS thing looks intrusive to me, and not at all what I think of as a "private ratings service." I'll elaborate if my point is unclear.)

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May               | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA   | knowledge, reputations, information markets,
Licensed Ontologist          | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 16:53:19 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 11 May 1996 07:53:19 +0800
Subject: Remailer in a box
Message-ID: <01I4IJHU767U8Y5BAX@mbcl.rutgers.edu>

From: IN%"loki at obscura.com" "Lance Cottrell" 9-MAY-1996 20:11:17.14

>I don't know about posting the agreement. My lawyer may not want to see all
>his hard work in the public domain. I will ask.

Thanks. Incidentally, one thing that I noticed in your listing of services was email to fax.
In some circumstances (such as anonymous accounts), the other way around would be useful. Even for a non-anonymous account, there have been times when I've wished I could give someone a FAX number and have it emailed. Admittedly, there is the problem of optical character recognition et al; perhaps this could be handled via temporary web pages with a password emailed to an account on the same system?

Sameer may also want to look into this. I've seen some information about such systems on the net; one in New York appears to include voicemail to email services, although I don't know how as yet.
-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 16:55:42 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 11 May 1996 07:55:42 +0800
Subject: Mandatory Voluntary Self-Ratings
Message-ID: <01I4IIX2U9TG8Y5BAX@mbcl.rutgers.edu>

From: IN%"reagle at mit.edu" "Joseph M. Reagle Jr." 9-MAY-1996 20:02:59.66

> I would agree the questions seem too video game orientated, and I
>don't like some of the questions either. However, it is a fair effort, and I

I will also give them credit for a fair effort. However, it's one that can stand a _lot_ of improvement... like all the rest.

> I'm sure this is something that could go on for a very long time in
>some cypherpunk thread (something I'm not interested in arguing about), but
>there is no such thing as a perfectly objective or unbiased system. For

I will be interested in seeing a response from the admin address I cc'd it to.

>instance, I don't like the distinctions other systems make for
>homosexuality, but I also understand some parents may wish to screen on it...

I understand why parents may wish to screen on it; I still disapprove of giving them the ability to do so. Am I in favor of governmental or other coercive suppression of systems that do so? No, not at all. But I still will do my best to discourage them - such as by not rating or mis-rating pages.
-Allen

From llurch at networking.stanford.edu Fri May 10 17:09:55 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 11 May 1996 08:09:55 +0800
Subject: Transitive trust and MLM
In-Reply-To: <01I4IHRSE6Q88Y5BAX@mbcl.rutgers.edu>
Message-ID:

On Thu, 9 May 1996, E. ALLEN SMITH wrote:

> From: IN%"llurch at networking.stanford.edu" "Rich Graves" 8-MAY-1996
> 04:33:21.44
>
> >The fact that you're sending postcards is only a problem if you don't want
> >them to be read. It's more the email I receive that I worry about, so all
> >my friends use the address rich at alpha.c2.org now.
>
> How would this help? Whoever's wanting to monitor you will just
> monitor rich at alpha.c2.org's incoming mail.

To do that they would need to crack one or more of the accounts with access to the alpha server, which would probably leave evidence, or run a packet sniffer nearby. Ironically, I am more confident of the security of alpha.c2.org than I am of my own machine.

The threat profile is people who have forwarded mail with envelope and Received: headers indicating that the source is my mail spool to a mailing list. Twice. I know that I'm surrounded by insecure, non-firewalled UNIX boxes that could be running packet sniffers, and that is something I cannot fix unless I want to trade gloriously fast and reliable Ethernet connectivity for a modem. My correspondents do not have PGP and are not likely to get it.

So, a public alpha nym helps in this (perhaps unique) case.

rich at alpha.c2.org also works as a permanent address (knock on wood).

-rich

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 17:11:16 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 11 May 1996 08:11:16 +0800
Subject: Nazis on the Net
Message-ID: <01I4IYQTKD4K8Y5BI4@mbcl.rutgers.edu>

From: IN%"tallpaul at pipeline.com" 1-MAY-1996 13:19:10.69

>I stand behind my original post and the analysis in it.
>I am amused at the tremendous attempts by people with certain political
>affinities to bail out Weaver by a series of arguments based either on

Actually, the political affinities seem rather to be on the other foot. Every organization I know of that calls Weaver a racist, as opposed to a separatist, also tries to deny exactly how wrongful the government's actions were at Ruby Ridge. The biggest example of this is the US government, but organizations such as the American Jewish Committee are also guilty of this apologia.

If you don't believe me on this (Rich, for instance, had doubted that anyone was defending the actions at Ruby Ridge), I suggest reading "A Force Upon the Plain", which is by the AJC's person on hate groups. In it, he calls the actions of the USG at Ruby Ridge as, at worst, a mistake - and a more justifiable mistake in his view than Weaver's not showing up for his court hearing. In almost all cases in the chapter on Ruby Ridge, he states the government's side of the story as fact, and uses quotes - prominently labelled as from "white supremacists" - to describe the Weavers' side of the story.

>profound ignorance of political realities or with their own private
>dictionaries.

If you believe that my definition of racism is out of my "own private dictionary," I invite you to see Webster's Second College Edition New World Dictionary of the English Language:

Racism. 1. Same as racialism (sense 1). 2. Any program or practice of racial discrimination, segregation, persecution, and domination, based on racialism.

Racialism. 1. A doctrine or teaching, without scientific support, that claims to find racial differences in character, intelligence, etcetera, that asserts the superiority of one race over another or others, and that seeks to maintain the supposed purity of a race or the races. 2. same as racism (sense 2).

The second definition of racism is actually _more_ restrictive than my definition.
I call someone practicing "racial discrimination, segregation, persecution, _and_ domination" a racist, whether or not they believe in some superiority of some race. I do appreciate the inclusion in Webster's of "without scientific support," since I am a scientist.

>The whole argument of racism vs. white separatism vs. white supremacist
>seems more to come from people who argue whether someone is a Baptist or a
>Christian or a Southern Baptist or a Protestant. (In mathematical set
>theory one would trace the fallacy in thinking to the false idea that any
>given element of a set cannot be the element of more than one set. Thus, if
>(X is a member of Y) it cannot also be a member of Z.)

I regard racism and racial supremacism as two sides of the same thing. Racial separatism overlaps with racism, but someone who practices one is not necessarily in favor of the other. I do not dispute that someone who is a racial separatist can also be a racist, and indeed often is. I simply am not willing to condemn someone as a racist when the only organizations calling him such have clear motives to call what happened at Ruby Ridge something other than premeditated murder.

>I understand that James D. is not accusing me of being a "child molester"
>but merely using it as a reductio ad absurdum argument.
>Let me continue in this vein.
>The issue of child molestation was dragged in and had no relevance on the
>immediate political issues of Weaver et al.
>But imagine people are arguing about the deep fundamental differences
>between someone who is a "child molester" vs. a "pedophile" vs. a "boy
>lover."

The analogy works quite well, in some ways. A pedophile who carries out his (usually his) desires is a child molester. A boy lover may be a pedophile, and may if a pedophile be a child molester. But I have known someone who had sexual attractions to underage boys but controlled them - he regarded carrying out such urges as wrong (I agree with him, if anyone is wondering).
I would not call him a child molester.
-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 17:47:51 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 11 May 1996 08:47:51 +0800
Subject: Mandatory Voluntary Self-Ratings
Message-ID: <01I4ILRRY69S8Y5AJT@mbcl.rutgers.edu>

From: IN%"vznuri at netcom.com" "Vladimir Z. Nuri" 9-MAY-1996 21:07:58.36

>From: "Joseph M. Reagle Jr."
>> I've figured out where my differences between myself and others
>>lay. The _only_ system and service that I am aware of that is distributing
>>PICS labels is RSAC. (http://www.rsac.org) They are what one could call an
>>objective and non-arbitrary content rating system rather than an
>>"appropriateness" system.

Actually, SafeSurf (of CyberAngels association - an indicator of problems right then and there) is doing so also.

>now, it seems that the author might as well put the tags in his material
>himself instead of going through this submission process. furthermore

I think they want the ability to track who's putting their ratings into their web pages. They don't check very well, though; when I wanted to see what the questionnaire was like, I simply put in a fake email address (which could have been a nym's address), a fake web page, and a pseudonym. Their user agreement asks you to acknowledge a license giving them the right to examine any web page to which you attach a rating; however, I don't see anything preventing someone from simply duplicating it without going through the system.

>also, JR, you say the system does not determine "appropriateness".
>but in my view it does indirectly. an author can "falsify" his submission
>to say that his page has no sex or violence. (who is to say he is
>wrong? the internet ratings police?) this will implicitly determine
>the "appropriateness" of his page for people who screen their
>browsers based on the keywords that were affected.

As I've stated above, they claim that they will check to see.
The SafeSurf page, as well as recruiting the CyberAngels to check, also claims that
A. The "Internet community" will punish someone for fake ratings
B. Anyone putting a too-low rating on a page with sexual content will be prosecuted (apparently for "contributing to the delinquency of a minor" or some such nonsense)

>if there is a market-driven RSAC rating thing going on not described
>in the above article, I'd like to see it. but the above excerpt does
>not describe a market-driven system.

No, it isn't. For a market-driven system to emerge, we're going to have to have one or both of two things:
A. Raters being paid by the people who post web pages. Not likely.
B. Raters being paid by the people who get the ratings. More likely.
Neither the RSAC nor SafeSurf systems does either of these.
-Allen

From blancw at MICROSOFT.com Fri May 10 17:50:38 1996
From: blancw at MICROSOFT.com (Blanc Weber)
Date: Sat, 11 May 1996 08:50:38 +0800
Subject: self-ratings vs. market ratings
Message-ID:

Not an extremely important point, but I just re-read my earlier message and realized that my sentence below didn't exactly state what I meant:

"I myself don't pay much attention to ratings, as my own measures of things & people tend to be quite different from most, and therefore not very useful for my purposes."

I meant that the *ratings* would not be very useful for my purposes (at least, not the ratings as I've heard proposed so far.) I probably wouldn't have the same values or concerns of those who feel the need to apply them; I wouldn't judge the material by the same standards (raters are looking principally to create a means to censor material, and I myself am not concerned about passive text&graphics. When Java applets begin to coerce cybersurfers into complicity, I'll start worrying about it.)
One more word about automating ratings: The more automated that filtering becomes, so that the viewer (be it an adult or a child) requires less and less personal involvement in evaluating what is appropriate (or even interesting) for themselves, the more weak & piddly (ignorant & psychologically dependent) those people could become, falling into the habit of having others - or an automatic robocop - do their content-filtering for them. Not a good system to introduce into a dynamic world-order. Like all automatic things, it can encourage intellectual lassitude. Like all tools, this one can also be misemployed. But, of course, surfers can make a cultural decision: sex&violence? or namby-pamby? :>) .. Blanc One voice among many. From sunder at dorsai.dorsai.org Fri May 10 18:17:22 1996 From: sunder at dorsai.dorsai.org (Ray Arachelian) Date: Sat, 11 May 1996 09:17:22 +0800 Subject: Transitive trust In-Reply-To: Message-ID: On Wed, 8 May 1996, Steve Reid wrote: > When you sign a key, you are placing your reputation on the line, so you > must be certain that the level of trust you're placing is appropriate. > But what happens when someone goes rogue and ignores credentials, and > signs keys of anyone who is willing to pay the price? You would regret > signing the rogue person's key. So, IT SHOULD BE POSSIBLE TO REVOKE > TRUST, in order to protect your own reputation. > PGP currently only allows a person to revoke their own key. Most people > would revoke their key if it were stolen, to protect their own > reputation. However, some people may be unwilling or unable to revoke > their own key, and if you signed that key, your reputation may be > affected. Clearly, it should be possible to remove your signature from > someone's key. But it is - it's a pain in the ass, but you can always revoke your own key and generate a new one, then sign everyone's keys whom you've signed as trusted, EXCEPT the one you wish to revoke. > What it all comes down to is reputation. 
Protect your reputation, and > you could make a living on your reputation alone. Ah, but first you have to build yourself a reputation before you can live off it alone. :) That includes doing cool things other than building reputations by signing keys. ========================================================================== + ^ + | Ray Arachelian |FH| KAOS KERAUNOS KYBERNETOS |==/|\== \|/ |sunder at dorsai.org|UE|__Nothing_is_true,_all_is_permitted!_|=/\|/\= <--+-->| --------------- |CC|What part of 'Congress shall make no |=\/|\/= /|\ | Just Say |KD|law abridging the freedom of speech' |==\|/== + v + | "No" to the NSA!|TA| do you not understand? |======= ===================http://www.dorsai.org/~sunder/========================= Obscenity laws are the crutches of inarticulate motherfuckers-Fuck the CDA From byrd at acm.org Fri May 10 18:35:10 1996 From: byrd at acm.org (Jim Byrd) Date: Sat, 11 May 1996 09:35:10 +0800 Subject: remailer@utopia.hacktic.nl down Message-ID: <2.2.32.19960510135123.006a4d98@tiac.net> At 07:15 PM 5/9/96 -0700, qut at netcom.com (Dave Harman) wrote: > >Oh, in what way was Elrom racist? (he's not anti-asian or anti-semitic, >for instance) > One famous comment of L. Ron Hubbard was that blacks were too stupid to move the needle on the e-meter. Another comment was that the problem with China is that there are too many "chinks" in it. All this, and much more, is documented in "A Piece of Blue Sky" by John Atack (and in other places). From jya at pipeline.com Fri May 10 18:41:03 1996 From: jya at pipeline.com (John Young) Date: Sat, 11 May 1996 09:41:03 +0800 Subject: PTO_lop Message-ID: <199605101513.PAA03205@pipe2.t2.usa.pipeline.com> 5-10-96. WaPo: "Copyright Comes to the Internet. IBM's 'Cryptolope' Technology Collects the Fees." Describes IBM's InfoMarket system for secure electronic payments and copyright protection through use of keys to gain access to documents. 
PTO_lop ----- Note: Pipeline is suffering "technological" growing pains at PSI's VA switches, so they say (or maybe plummeting stock and insider dumps): incoming and outgoing mail oft delayed up to 24+. From adam at lighthouse.homeport.org Fri May 10 18:50:05 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sat, 11 May 1996 09:50:05 +0800 Subject: PGP, Inc. In-Reply-To: <01I4IPAJCSGG8Y5AJT@mbcl.rutgers.edu> Message-ID: <199605101639.LAA19438@homeport.org> They claim to make an effort that the email address is unique, and that Verisign!!'s shamrock at netcom.com will only be issued once. Adam E. ALLEN SMITH wrote: | | | From: IN%"shamrock at netcom.com" 9-MAY-1996 23:02:01.67 | | >At 19:37 5/9/96, E. ALLEN SMITH wrote: | >> I can see some fascinating legal questions with what, exactly, a | >>VeriSign certificate obligates the company for. Digital signature laws should | >>get interesting - any application of this to the Utah one? | | >VeriSign is going to offer four levels of certs. The first requires only | >uniqueness. For the other three levels, VeriSign will require more and | >better assurances of the correctness of True Name stated on the cert. I | >don't know what form these assurances are supposed to take. | | The first level, in other words, is less of a certification than a PGP | key with self-signature and signature from one other person. It doesn't have | _any_ effort to verify that the email address stated on it is the actual email | address of that nym. Or am I misinterpreting you? | -Allen | -- "It is seldom that liberty of any kind is lost all at once." -Hume From crypto at nas.edu Fri May 10 18:51:10 1996 From: crypto at nas.edu (CRYPTO) Date: Sat, 11 May 1996 09:51:10 +0800 Subject: The National Research Council Study of National... 
Message-ID: <9604108317.AA831753761@nas.edu> Subject: The National Research Council Study of National Cryptography Policy Please post this message widely I am writing to let interested parties know about the imminent release of the NRC's study of national cryptography policy. If all goes well, we hope to release it on May 30, 1996. However, prior to that time, we won't be able to comment on its contents. For current information on release, visit the web site http://www2.nas.edu/cstbweb/220a.html When you visit that site, you'll have the opportunity to be put onto a mailing list so that we can inform you by e-mail when the report is available in print and/or electronically, as well as any public events associated with the report (e.g., public briefings). Herb Lin Cryptography Policy Study Director Computer Science and Telecommunications Board National Academy of Sciences/National Research Council 202-334-2605 From jya at pipeline.com Fri May 10 18:57:44 1996 From: jya at pipeline.com (John Young) Date: Sat, 11 May 1996 09:57:44 +0800 Subject: REF_orm Message-ID: <199605101512.PAA03049@pipe2.t2.usa.pipeline.com> 5-10-96. WaPo: "House Panel Approves Intelligence Reforms." Reports on the House intelligence committee's differences with the Senate and White House reforms. Also, it reports on Freeh's testimony yesterday at a hearing about the need for new federal laws to protect against economic espionage. He cites spying by 23 foreign governments and methods used. REF_orm ----- Note: Pipeline is suffering "technological" growing pains at PSI's VA switches, so they say (or maybe plummeting stock and insider dumps): incoming and outgoing mail oft delayed up to 24+. From abostick at netcom.com Fri May 10 19:14:32 1996 From: abostick at netcom.com (Alan Bostick) Date: Sat, 11 May 1996 10:14:32 +0800 Subject: Are remailers designed to be knocked down? 
Message-ID:

The Scientology wars are spilling over into alt.usenet.kooks again, and Keith Henson had this odd thing to say. I thought Cypherpunk discussion of Keith's thesis would be interesting.

hkhenson at netcom.com (Keith Henson) wrote:

> henry (henri at netcom.com) wrote:
> : if the remailers are merely toys, capable of being knocked
> : down like dominoes by some fringe-cult of psychopathic dimwits,
> : it's better to find that out now than wait for a situation
> : where someone's life or death could be determined by the
> : security of remailer-chaining and encryption against a
> : determined opponent.
>
> Ah, but the remailers are *designed* to be knocked down. The
> are not expected to last if they are being used for serious
> causes. But the package for doing another one and getting it
> hooked into the network is easy to install--even in a user
> act. Knocking out a remailer will usually halt the effort to
> get back at the person/persons who were spilling the beans.
> Social factors involved here. If any of you would like to
> help, offer to run a remailer for a while. Consider it a
> temporary civic duty. Keith Henson
>
>

Alan Bostick | "The thing is, I've got rhythm but I don't have
mailto:abostick at netcom.com | music, so I guess I could ask for a few more
news:alt.grelb | things." (overheard)
http://www.alumni.caltech.edu/~abostick

From adam at lighthouse.homeport.org Fri May 10 19:15:26 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Sat, 11 May 1996 10:15:26 +0800
Subject: Why I Pay Too Much in Taxes
In-Reply-To:
Message-ID: <199605101434.JAA19161@homeport.org>

If it was a government sting operation the details might be easily found.
The kind of information we're discussing is clearly of high value to a great many people in the 60% bracket. Looking for it for free...Well, you may get what you pay for.

I think that there is a high amount of value in a high volume, low overhead sort of tax avoidance operation. Right now, moving money overseas is expensive, and there is a high service fee. Reducing the up front costs that someone has to pay to get started is a market opportunity. As is producing accessible information about how to get started.

While Unicorn may be correct in suggesting three or four volumes of tax law to get started properly, that's like suggesting Bach and Comer for someone who wants to get on the internet. When it was needed, there were far fewer people here.

As to the obvious rejoinder of, 'as soon as its obvious, its illegal,' if enough people start to do it, there's a large lobby for keeping it legal. And if the overhead is low, all of those people have lots of money to spend keeping it legal and cheap.

Adam

Black Unicorn wrote:
| On Thu, 9 May 1996, Robin Powell wrote:
|
| > >>>>> Black Unicorn writes:
| >
| > >> By the way, are there any PGP encrypted mailing lists for
| > >> discussing serious tax fraud?
| >
| > > If such a list existed, would we tell an anonymous poster/fed?
| >
| > Well, if such a list does exist, I would like to know about it.
| >
| > -Robin
| >
|
| Again, in the absence of any credentials or recommendation, I can't see
| how the moderators/originators/managers of such a list would disclose the
| details of its publication.
|
| ---
| My preferred and soon to be permanent e-mail address:unicorn at schloss.li
| "In fact, had Bancroft not existed, potestas scientiae in usu est
| Franklin might have had to invent him." in nihilum nil posse reverti
| 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
| Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com
|

--
"It is seldom that liberty of any kind is lost all at once."
-Hume From qut at netcom.com Fri May 10 19:16:54 1996 From: qut at netcom.com (Dave Harman) Date: Sat, 11 May 1996 10:16:54 +0800 Subject: remailer@utopia.hacktic.nl down In-Reply-To: <2.2.32.19960510135123.006a4d98@tiac.net> Message-ID: <199605101725.KAA04013@netcom16.netcom.com> > At 07:15 PM 5/9/96 -0700, qut at netcom.com (Dave Harman) wrote: > > > >Oh, in what way was Elrom racist? (he's not anti-asian or anti-semitic, > >for instance) > > > One famous comment of L. Ron Hubbard was that blacks were too stupid to move > the needle on the e-meter. Translation: He couldn't find enough blacks willing to part with enough money. > Another comment was that the problem with China is that there are too many > "chinks" in it. China's protectionist trade policy forbid investment by Co$. Otherwise, he would have praised the chinese for servility. > All this, and much more, is documented in "A Piece of Blue Sky" by John > Atack (and in other places). No racism, just capitali$m and its value system. From timd at consensus.com Fri May 10 19:39:10 1996 From: timd at consensus.com (Tim Dierks) Date: Sat, 11 May 1996 10:39:10 +0800 Subject: PGP, Inc. Message-ID: At 11:10 PM 5/9/96, E. ALLEN SMITH wrote: >From: IN%"shamrock at netcom.com" 9-MAY-1996 23:02:01.67 > >>At 19:37 5/9/96, E. ALLEN SMITH wrote: >>> I can see some fascinating legal questions with what, exactly, a >>>VeriSign certificate obligates the company for. Digital signature laws should >>>get interesting - any application of this to the Utah one? > >>VeriSign is going to offer four levels of certs. The first requires only >>uniqueness. For the other three levels, VeriSign will require more and >>better assurances of the correctness of True Name stated on the cert. I >>don't know what form these assurances are supposed to take. > > The first level, in other words, is less of a certification than a PGP >key with self-signature and signature from one other person. 
It doesn't have >_any_ effort to verify that the email address stated on it is the actual email >address of that nym. Or am I misinterpreting you? The only effort they make is that when using the email-based CA, it mails the certificate to the address within, so it's not trivial to get a cert for an address that you don't have access to. (I'm not saying it's impossible, or even hard, just that it requires some skill and effort). - Tim Tim Dierks -- timd at consensus.com -- www.consensus.com Head of Thing-u-ma-jig Engineering, Consensus Development From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 19:41:07 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 11 May 1996 10:41:07 +0800 Subject: Edited Edupage, 9 May 1996 Message-ID: <01I4IN4IEJBK8Y5AJT@mbcl.rutgers.edu> From: IN%"educom at elanor.oit.unc.edu" 9-MAY-1996 22:01:14.77 >REGIONAL BELLS WANT RATE HIKES FOR WIRING SCHOOLS >The United States Telephone Association would like to raise the average U.S. >monthly phone bill by about $10 over the next five years to pay for wiring >schools and libraries with new lines for phones and computers, and to >subsidize poor and rural customers. The proposal assumes an $11 billion >cost for wiring schools and libraries, with local phone companies paying >about a third to a half of that. The rest would come from a surcharge on >other services, such as cellular. "No single industry should be held >responsible for fulfilling this major goal," says USTA's president. "Each >has a role and should make a significant contribution to the national >education technology mandate." (Investor's Business Daily 8 May 96 A7) The "subsidize poor and rural customers" line makes me glad I don't have a phone line. 
>ALLIANCE SEEKS ELECTRONIC SECURITY >An alliance of software companies has established the Electronic Licensing >and Security Initiative to develop a system that uses electronic tokens >linked to a software package to securely track software rentals, licenses >and purchases. The group also plans to develop an electronic clearinghouse >to provide and track licenses. Several major software producers, including >Microsoft, IBM and AT&T have said they will support the Initiative's >technology. (Wall Street Journal 6 May 96 B6) Anyone know how this is supposed to work? It sounds like a non-anonymous digital cash system, in essence. >IBM'S INFOMARKET TOLL BOOTH >IBM has persuaded some 30 companies, including Eastman Kodak, Xerox, >Reuters, America Online and Yahoo!, to use its new infoMarket >electronic-content clearinghouse for displaying and distributing their >wares. The infoMarket concept requires customers to pay for only what they >use, with the content providers controlling the information and setting >their own prices. "Charging only for what you want is a very attractive >scheme," says one electronic database provider. The system is based on >"Cryptolopes" -- secure electronic packaging that, when opened, bind the >user to a contractual agreement regarding the use of the content. If the >content is distributed beyond that agreement, the technology can track its >usage and bill the original purchaser for subsequent viewings. "It's a >complete break from all other ways information has been published on the Net >to date," says an industry consultant. "It turns pass-along from a business >threat to a business opportunity." (Business Week 13 May 96 p114) Again, it's not clear how this is supposed to work. It does remind me of that information-network thing that was promoted on the Extropian lists, except that didn't have any provisions on reuse. -Allen >*************************************************************** >Edupage ... is what you've just finished reading. 
To subscribe to Edupage:
>send mail to: listproc at educom.unc.edu with the message: subscribe edupage
>Alfred North Whitehead (if your name is Alfred North Whitehead; otherwise,
>substitute your own name). ... To cancel, send a message to:
>listproc at educom.unc.edu with the message: unsubscribe edupage. (If you
>have subscription problems, send mail to educom at educom.unc.edu.)

From loki at obscura.com Fri May 10 19:49:23 1996
From: loki at obscura.com (Lance Cottrell)
Date: Sat, 11 May 1996 10:49:23 +0800
Subject: Remailer in a box
In-Reply-To: <01I4IIMHQ67Y8Y5BAX@mbcl.rutgers.edu>
Message-ID:

On Thu, 9 May 1996, E. ALLEN SMITH wrote:

> From: IN%"loki at obscura.com" "Lance Cottrell" 9-MAY-1996 18:58:23.21
>
> On Thu, 9 May 1996, E. ALLEN SMITH wrote:
>
> >I am not pushing the anonymous accounts until my lawyer finishes the user
> >agreement for them. It is a bit of a tricky document (Sameer, want a copy
> >when it is done?). The whole site is days away from a complete redesign,
> >so I am not putting much effort into the current interface. Thanks for
> >the suggestions though.
>
> I suspect that the legal types on cypherpunks would be interested in
> seeing it. Quite welcome on the suggestions.
>
> >The >= 18 condition is to cover my butt. Since minors can not be parties
> >to contracts, I have no protection with them as clients. I am only a
> >provider for adults, and they take full responsibility for any children
> >allowed to use the connection. Fuck the CDA, but keep an eye on its claws.
>
> I see your difficulty. It is an additional one with respect to
> anonymous accounts. Hmm... you could put the burden on other ISPs by only
> having anonymous accounts via telnet access - and not accepting such from
> k12.edu domains. Bit of a limit, though.
> -Allen
>

I expect the majority of our anonymous accounts to be telnet.
We are setting up the contract to make it clear that any contract signed with a minor is invalid, and that any access of our system by that individual is actually illegal (various statutes on misuse of computer resources are quoted).

I don't know about posting the agreement. My lawyer may not want to see all his hard work in the public domain. I will ask.

-Lance

-------------------------------------
Lance Cottrell loki at infonex.com
President Infonex Internet Services
http://www.Infonex.com
-------------------------------------

From frissell at panix.com Fri May 10 20:05:07 1996
From: frissell at panix.com (Duncan Frissell)
Date: Sat, 11 May 1996 11:05:07 +0800
Subject: Why I Pay Too Much in Taxes
Message-ID: <2.2.32.19960510184531.0073678c@popserver.panix.com>

At 01:32 PM 5/9/96 -0400, Black Unicorn wrote:
>> >> By the way, are there any PGP encrypted mailing lists for
>> >> discussing serious tax fraud?
>>
>> > If such a list existed, would we tell an anonymous poster/fed?
>>
>> Well, if such a list does exist, I would like to know about it.
>>
>> -Robin
>>
>
>Again, in the absence of any credentials or recommendation, I can't see
>how the moderators/originators/managers of such a list would disclose the
>details of its publication.

Such a list could be published openly in any case since discussing techniques of tax fraud is legal. Even advocacy would be legal in almost all cases. (Since tax fraud is a non-violent crime, you don't have any of these 'agitating an angry mob' scenarios.) As long as you avoided conspiring with anyone, you can discuss techniques all you like.

Some *participants* might like to subscribe anonymously however.
DCF From corbet at stout.atd.ucar.edu Fri May 10 20:31:53 1996 From: corbet at stout.atd.ucar.edu (Jonathan Corbet) Date: Sat, 11 May 1996 11:31:53 +0800 Subject: True Names Message-ID: <199605102012.OAA13961@atd.atd.ucar.EDU> I was wandering around in Amazon Books, http://www.amazon.com/, when I stumbled across an interesting entry for Vernor Vinge: "True Names: And the Opening of the Cyberspace Frontier". It's due out in August. It would appear that True Names is finally being reissued? Since I've never been able to get my hands on a copy of True Names to read, I would be pleased by this. Anybody know any more? jon Jonathan Corbet National Center for Atmospheric Research, Atmospheric Technology Division corbet at stout.atd.ucar.edu http://www.atd.ucar.edu/rdp/jmc.html From maldrich at grci.com Fri May 10 20:34:42 1996 From: maldrich at grci.com (Mark O. Aldrich) Date: Sat, 11 May 1996 11:34:42 +0800 Subject: Free demo disk of "distorted number" crypto Message-ID: C'punks: I got a call from a group in Maryland called "Marketing Technologies, Inc." They are starting to distribute free demo copies of a new crypto technology created by "Blackstar, Inc." The crypto product, called "Supercrypt," is based upon "distorted number generation." This does not appear to be the product sold under the same name by Computer Elektronik Infosys. Naturally, I enquired as to where the algorithms had been published in the technical literature, but the sales rep indicated that, while copyrighted, Blackstar does not yet hold a patent so they are concerned about releasing the details. She described the product as using a "proprietary" algorithm. If you'd like to get a demo copy of the software, call Marketing Technologies at 301.588.1971. You'll probably be speaking with Linda Greenwald, who's got _some_ information available, but not anything that's technical. They are also offering a technical write-up via fax-back at 301.588.2162. 
Note that I'm not endorsing this product, I'm just relaying information that may be of interest. If anything, you can get a copy of a new toy to muck with in your spare(?) time. No, they are not yet on the Internet. I'll relay my experiences with the product after I get it. ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From richieb at teleport.com Fri May 10 20:36:37 1996 From: richieb at teleport.com (Rich Burroughs) Date: Sat, 11 May 1996 11:36:37 +0800 Subject: remailer@utopia.hacktic.nl down Message-ID: <2.2.32.19960510171253.00760f44@mail.teleport.com> At 07:15 PM 5/9/96 -0700, qut at netcom.com (Dave Harman) wrote: [snip] >Oh, in what way was Elrom racist? (he's not anti-asian or anti-semitic, >for instance) [snip] Chris Owen has written an essay about Hubbard's support of the racist South African govt. http://www.demon.co.uk/castle/audit/aprtheid.html He quotes Hubbard as writing: "Just as individuals can be seen by observing nations, so we see the African tribesman, with his complete contempt for truth and his emphasis on brutality and savagery for others but not himself, is a no-civilization." 
Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From gep2 at computek.net Fri May 10 20:41:55 1996 From: gep2 at computek.net (by way of frantz@netcom.com Bill Frantz) Date: Sat, 11 May 1996 11:41:55 +0800 Subject: Internet en danger Message-ID: <199605100300.UAA23831@netcom8.netcom.com> You think we're having problems here in the USA with the idiotic CDA, right? I just received the following message from a colleague and friend who operates a large ISP in Paris, France. The translation is mine, and I can't assure its total accuracy, (anyone who sees an error on my part, please correct it for me). I'm leaving the original French so that the original intent of the message can be viewed. <---- Begin Forwarded Message ----> Return-Path: opinions at storm.certix.fr Date: Thu, 9 May 1996 19:42:12 +0200 From: Communication client To: gep2 at storm.certix.fr Subject: Internet en danger > Cher(e)s abonne(e)s, Dear Subscribers, > Nous n'avons malheureusement plus la possibilite de vous laisser acceder au service de News. Exception faite des news world-net.communnaute, world-net.support, fr.network.internet. Unfortunately, we no longer have the possibility to let you access Usenet. The only exceptions are the newsgroups "world-net.communnaute", "world-net.support", and "fr.network.internet". > En effet, la justice francaise rend actuellement World-Net responsable de tout ce qui est diffuse sur Internet ; j'ai ete personnellement, en tant que responsable de World-Net, mis en examen hier parce que des images a caractere pedophile, venant de l'autre bout du monde etaient accessibles par notre service de News. Aujourd'hui les news, demain peut-etre le web. 
The French courts currently hold World-Net responsible for everything which is distributed on the Internet; I was personally, as director of World-Net, interrogated yesterday because some pedophile images, coming from the other end of the world, were accessible through our News server. Today Usenet, tomorrow perhaps the Web.

> La majorite d'entre vous connait le fonctionnement du reseau Internet et sait bien que World-Net n'est que votre transporteur sur ce reseau. Cependant nous n'avons pas le choix.

The majority of you understand the functioning of the Internet network and clearly realize that World-Net provides merely your access to this network. It's not a matter of our choice.

> Nous diffuserons sur notre serveur Web l'ensemble des informations citees dans la presse et a la television concernant ce dossier.

We will distribute via our Web server complete information as cited in the press and on television concerning this whole affair.

> Si vous voulez soutenir World-NET, envoye un mail de soutien a opinions at worldnet.net.

If you want to support World-NET, send a mail message of support to "opinions at worldnet.net".

> Sebastien Socchard Directeur de World-Net. (director of World-Net)

>Ci-joint le communique de presse de l'A.F.P.I., que nous remercions pour leur soutient :

Here is the press release from the A.F.P.I., which we thank for their support:

>COMMUNIQUE DE PRESSE DE L'A.F.P.I. Association Française des Professionnels d'Internet

PRESS RELEASE FROM THE A.F.P.I. French Association of Internet Professionals

> Mardi 7 Mai 1996

Tuesday, May 7, 1996

> Affaire: Newsgroups/Pedophilie/Internet: deux dirigeants en gardes a vue.
Affair: Newsgroups/Pedophilia/Internet: Two directors

> Resume: "Nous demandons a l'ensemble des providers
>français et des administrateurs des reseaux d'universites de fermer l'acces a tous les Newsgroups, afin que plus un seul Newsgroup ne soit accessible du territoire français, du moins tant que les fournisseurs d'acces n'auront pas en France un statut clair".

Summary: "We ask all French ISPs and administrators of University networks to close access to all Usenet newsgroups, such that no longer will even one single Newsgroup will be accessible from French territory, at least until French ISPs have a clear legal position within France."

> Depuis 48h00 les deux dirigeants des societes FranceNet et WorldNet sont en garde a vue pour avoir simplement fait leur metier consistant a fournir l'acces a l'Internet...

Since about 48 hours, two directors of French companies, "FranceNet" and "WorldNet" are for having simply done their job, consisting of providing access to the Internet...

> En effet, la Section de Recherches de Paris de la gendarmerie Nationale a procede lundi a leurs arrestations et a la saisie de leurs materiels, pour avoir diffuse au travers des Newsgroups des images pedophiles. Ces Newsgroups et les images qu'ils abritent, sont tous produits a l'etranger et rapatries comme le font la plupart des fournisseurs d'acces français via les serveurs de News de Transpac, filiale de France Telecom.

The Research Section in Paris of the National Gendarmes started on Monday their arrests and seizures of equipment, for having distributed pedophile images through the Usenet newsgroups. These Newsgroups and the images they contained (?) are all originated abroad and brought into France as is done by the majority of French access providers via the News servers of Transpac, which is a subsidiary of France Telecom.
> Alors que la justice, dans une affaire similaire mais liee cette fois a des contenus racistes ou revisionnistes presents sur l'internet, ne s'est pas encore prononces a l'encontre de neuf fournisseurs d'acces, alors que le ministere des Postes et des Telecommunication, au travers de son ministre François Fillon assurait encore recemment qu'en aucun cas les fournisseurs d'acces ne pouvaient être tenus pour responsables des contenus qu'ils ne produisaient pas et qui circulaient sur l'internet, alors que le lieutenant-colonel Browne, commandant la SR de Paris, reconnait lui meme que les serveurs en question recevaient, stockaient et distribuaient (tout comme Transpac) mais ne produisaient pas ces Newsgroups, deux hommes, deux chefs d'entreprises sont aujourd'hui en prison simplement parce que les autorites n'ont toujours rien compris a l'Internet et a son fonctionnement.

The [French] courts, in a similar case but this time based on racist or revisionist contents present on the Internet, have not yet passed their judgement regarding nine ISPs, although the Ministry of Post and Telecommunications, through its minister Francois Fillon, stated again recently that in no case can access providers be held responsible for content that they do not produce and which circulates via the Internet, and although Lieutenant-Colonel Browne, commander of the Research Section in Paris, admitted himself that the servers in question receive, store, and distribute (the same as Transpac), but do not produce these Newsgroups, two men, two company directors, are today in prison simply because the authorities still haven't understood anything about the Internet and its functioning.

>La plupart des providers rapatrient de 6 a 8 000 Newsgroups chaque jour, soit plusieurs centaines de milliers de messages, pouvant egalement contenir des images.
Parmi ces messages ils y a incontestablement des contenus contraire a la loi française (sans doute moins de 5%), tout comme il peut en circuler par la poste, ou dans les soutes a bagage d'Air France. Il est materiellement impossible pour un provider de controler l'ensemble du contenu des messages des Newsgroups, il lui est eventuellement possible de supprimer l'acces a ceux dont le titre est de façon evidente contraire a la loi (ex.alt.binaries.pedophilia...), ce qui n'empechera pas le lendemain de voir surgir un nouvel intitule pour remplacer le Newsgroup censure. Depuis plusieurs mois deja les membres de l'AFPI (Association des Professionnels de l'Internet) dont FranceNet est l'un des fondateurs, ont spontanement decide de supprimer l'acces a une vingtaine de Newsgroups dont le simple libelle ne laissait aucun doute quant au caractere illegal de leurs contenus.

The majority of providers import from six to eight thousand Newsgroups each day, therefore several hundred thousand messages, any of which could also contain images. Among these messages there are incontestably some contents which are contrary to French law (no doubt less than 5%), just as they could circulate through the mails, or in the baggage holds of Air France. It is materially impossible for a provider to check the contents of all Newsgroup messages; it is possible to block access to those whose title is clearly contrary to the law (e.g. alt.binaries.pedophilia...), which wouldn't prevent the following day to see a new group appear to replace the censored one. Since several months already, the members of the AFPI (Association of Internet Professionals), of which FranceNet is one of the founders, have spontaneously decided to suppress the access of about twenty Newsgroups whose title left no doubt as to the illegal character of their contents.

> Aujourd'hui ce sont les Newsgroups qui sont vises, demain ce sera sans doute le tour du Web.
Si les fournisseurs d'acces, qui nous ne le repeterons jamais assez, ne sont que de simples transporteurs facilitant l'acces a un reseau, peuvent être emprisonnes, avec comme simple piece a conviction un contenu produit au Canada ou en Australie, nous allons assister purement et simplement a la mort de l'internet en France.

Today it is the Newsgroups which are wiped out, tomorrow it will be doubtless the Web's turn. If access providers, which we can never emphasize enough, are but the simple transporters facilitating access to a network, can be imprisoned, due to the singular cause of an item produced in Canada or in Australia, we are going to see, purely and simply, the death of the Internet in France.

>En signe d'indignation, de protestation et de solidarite envers nos confreres FranceNet et Worldnet, le fournisseur d'acces ImagiNet, egalement membre fondateur de l'AFPI, a decide de fermer purement et simplement l'acces a tous les Newsgroups. Nous demandons a l'ensemble des providers français et des administrateurs des reseaux d'universites d'en faire autant afin que plus un seul Newsgroup ne soit accessible du territoire français, du moins tant que les fournisseurs d'acces n'auront pas en France un statut clair.

As a symbol of indignation, of protest, and of solidarity with our brothers at FranceNet and WorldNet, the access provider ImagiNet, also a founding member of the AFPI, has decided to purely and simply close access to all newsgroups. We ask all French ISPs and administrators of University networks to do the same, such that no longer will as much as a single Newsgroup be accessible from French territory, at least until access providers in France have a clear legal status.

>Nous esperons sincerement que cet appel sera suivit par l'ensemble des prestataires de connexion internet.

We sincerely hope that this call will be followed by all Internet access providers.
>Nous nous excusons aupres de nos abonnes pour la gene ainsi occasionnee par une telle decision, mais nous savons que vous la comprendrez et que la majorite d'entre vous nous soutiendrons dans cette action.

We ask the understanding of our subscribers for the inconvenience caused by such a decision, but we know that you will understand and that the majority of you support us in this action.

> Patrick Robin President d'ImagiNet. robin at imaginet.fr Tel 43 38 10 24

<---- End Forwarded Message ---->

Please feel free to forward this message to all appropriate venues.

"If we don't all hang together, we shall assuredly all hang separately." ---Thomas Jefferson (?)

Gordon Peterson http://www.computek.net/public/gep2/

From perry at piermont.com Fri May 10 21:01:36 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Sat, 11 May 1996 12:01:36 +0800
Subject: Free demo disk of "distorted number" crypto
In-Reply-To:
Message-ID: <199605102015.QAA04435@jekyll.piermont.com>

"Mark O. Aldrich" writes:
> technology created by "Blackstar, Inc." The crypto product, called
> "Supercrypt," is based upon "distorted number generation."

My shock-proof bull detector is starting to beep. It's sometimes wrong, but it's right more often...

.pm

From eli+ at GS160.SP.CS.CMU.EDU Fri May 10 21:16:36 1996
From: eli+ at GS160.SP.CS.CMU.EDU (eli+ at GS160.SP.CS.CMU.EDU)
Date: Sat, 11 May 1996 12:16:36 +0800
Subject: Transitive trust and MLM
In-Reply-To: <+cmu.andrew.internet.cypherpunks+IlYDbnW00UfAI10=1K@andrew.cmu.edu>
Message-ID: <199605100209.TAA14299@cygnus.com>

In article <+cmu.andrew.internet.cypherpunks+IlYDbnW00UfAI10=1K at andrew.cmu.edu> Raph writes:
> Now for the mathematical model. Signatures can bind keys to e-mail
>addresses, or act as assertions that the signed public key is trusted to
>transitively sign other keys. Let's assume that each signature has a
>certain probability p of being good, and a 1-p probability of being
>bogus, and that all probabilities are independent.
These are probably
>bad assumptions in the real world, but that's the difference between
>theory and practice.

I'm not happy with the independence assumption. Let's say I create a keypair, put "president at whitehouse.gov" in the name field, and try to get people to sign it as valid. (I don't know what you're asserting when you sign a key, but I'd say you're at least binding the key to the name and address attached to it.)

Each signature has an /a priori/ probability p of correctly indicating validity, but these probabilities are not independent at all: this key isn't valid, period. If one certifying signature is incorrect, all others on the same key must be, and vice versa -- about as correlated as they come.

> Now we can actually evaluate the probability of a given key being
>good. Consider a Monte Carlo process in which each edge in the graph is
>present with probability 1-p. For each run, we determine whether the
>recipient's public key (actually the binding between public key and
>recipient's e-mail address) is reachable from our trust root.
>The probability over a large number of runs is (given our assumptions) the
>probability of the key being good.

There are two separate problems:
1) key reachability -- do I think I can trust this key?
2) key validity -- is this key really okay?

The graph reachability problem asks whether there exists a valid path. This is what you want for the key reachability problem. But the key validity problem should be asking whether all paths are valid; a single invalid path to me (posing as the Prez, remember) means that I get to read your mail to Bill (big deal, eh?). So you'd need to turn it around, and ask whether there exists an invalid path. From your use of "1-p" for the probability, you may have been thinking along these lines already.

So an edge (u,v) in G indicates that u trusts v. With probability q = 1-p, Mallet is able to fool v. That is, Pr[(u,v) in G'] = q.
Then we ask whether there's a path from s to t in G' -- that is, from you to the key you pulled off the net. If one exists, you lose.

To limit transitivity, constrain the path length. This limits key reachability too, but I think we agree that it's essential in the real world. (It should also make the math simpler!) The model generalizes to non-binary conceptions of trust, but I don't think these can rehabilitate transitivity. Hmm, there are some possible approaches, though.

These probabilities q are somewhat dependent: if I'm smart about whom I trust, all of the q_(me, v) values will be somewhat lower, and vice versa. I think they're mostly independent, though.

But this is an improvised model; poke holes in it.

--
. Eli Brandt usual disclaimers .
. eli+ at cs.cmu.edu PGP key on request .
. violation of 18 U.S.C. 1462: "fuck".

From maldrich at grci.com Fri May 10 21:43:58 1996
From: maldrich at grci.com (Mark O. Aldrich)
Date: Sat, 11 May 1996 12:43:58 +0800
Subject: Free demo disk of "distorted number" crypto
In-Reply-To: <199605102015.QAA04435@jekyll.piermont.com>
Message-ID:

On Fri, 10 May 1996, Perry E. Metzger wrote:
>
> "Mark O. Aldrich" writes:
> > technology created by "Blackstar, Inc." The crypto product, called
> > "Supercrypt," is based upon "distorted number generation."
>
> My shock-proof bull detector is starting to beep. It's sometimes wrong,
> but it's right more often...

Yeah, I know. Mine went off when I got the voice mail. But, I'll give 'em the benefit of the doubt (for the time being). Apparently, Blackstar is one guy and he's been working on this for a couple of years. He could be misguided or he could be the next Whitfield Diffie, who knows. Crypto breakthroughs have to come from _someone_, and they aren't always necessarily the dudes in the think tanks and universities. We'll see what shows up in the mail.
-------------------------------------------------------------------------
| Liberty is truly dead |Mark Aldrich |
| when the slaves are willing |GRCI INFOSEC Engineering |
| to forge their own chains. |maldrich at grci.com |
| STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil |
|_______________________________________________________________________|
|The author is PGP Empowered. Public key at: finger maldrich at grci.com |
| The opinions expressed herein are strictly those of the author |
| and my employer gets no credit for them whatsoever. |
-------------------------------------------------------------------------

From root at edmweb.com Fri May 10 21:45:09 1996
From: root at edmweb.com (Steve Reid)
Date: Sat, 11 May 1996 12:45:09 +0800
Subject: Transitive trust
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

> > affected. Clearly, it should be possible to remove your signature from
> > someone's key.
> But it is - it's a pain in the ass, but you can always revoke your own
> key and generate a new one, then sign everyone's keys whom you've signed
> as trusted, EXCEPT the one you wish to revoke.

PITA, indeed... Not only do you have to re-sign everyone's keys, you also have to have your key re-signed. When simply changing keys (eg. for a larger keysize) it's usually sufficient to sign your new key with your old one, but if you're revoking your old key, the signature won't really mean anything. I suppose you could sign a message with your old key, saying "I'm switching keys, here is my new key, please sign it.", and after you have some signatures on the new key, revoke the old key.

> > What it all comes down to is reputation. Protect your reputation, and
> > you could make a living on your reputation alone.
> Ah, but first you have to build yourself a reputation before you can live
> off it alone. :) That includes doing cool things other than building
> reputations by signing keys.
I agree, but in the context of key signing, your key signing reputation is all that really matters. I would accept a key signed by Bozo the Clown, if Bozo did the proper research into the keys he signs and has never signed a bogus key.

Of course, being well-known for other reasons would help people to remember your name. :)

======================================================================
| Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) |
| Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ |
| PGP (2048/9F317269) Fingerprint: 11C89D1CD67287E6 8C09EC52443F8830 |
| -- Disclaimer: JMHO, YMMV, IANAL. -- |
====================================================================:)

From bdodds at jyacc.com Fri May 10 21:50:09 1996
From: bdodds at jyacc.com (brian dodds)
Date: Sat, 11 May 1996 12:50:09 +0800
Subject: will the real Irving J. Schlublutz please stand up? was: Senator Leahy's Public Key
In-Reply-To:
Message-ID:

On Thu, 9 May 1996, Timothy C. May wrote:
> My point in all this being that "proofs of identity" aren't all they're
> cracked up to be.

i think a related point is one we all know well, that being if there is a will, there is a way.. we've seen it with phoney physicians and specialists, even, with certificates and physicians' licenses.. if someone wants to intercept correspondence and impersonate another person, it is easy enough if that person has the time and impetus..
by the way, hi to everyone, as this is my first post (and admittedly low in interesting content)..

bri..

--bdodds at jyacc.com brian dodds, systems administration, jyacc, inc. wellesley, ma
--617.431.7431x125 opinions expressed within are not necessarily my own or anyone elses..

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 22:39:21 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 11 May 1996 13:39:21 +0800
Subject: Remailer in a box
Message-ID: <01I4JS197RN48Y5C3E@mbcl.rutgers.edu>

From: IN%"sameer at c2.org" 10-MAY-1996 06:48:23.53

> Also useful for chaining purposes.

Yes, for the cryptographic purposes. It doesn't make much difference on the jurisdictional end of things - I'd need to locate a UNIX account in another country for that. Hmm... possible.

-Allen

From abacard at well.com Fri May 10 22:40:29 1996
From: abacard at well.com (Andre Bacard)
Date: Sat, 11 May 1996 13:40:29 +0800
Subject: Bill Frantz, Churchill Club, Privacy
Message-ID: <199605102242.PAA06840@well.com>

Bill Frantz wrote an excellent review of the recent "Churchill Club: 20th Anniversary of Public Key Crypto" dinner & forum at the San Francisco Airport Marriott Hotel, an event which I attended.

Bill's summary particularly caught my attention:

Impressions: In conversation afterwards, I noted that discussion of personal privacy seemed to be politically incorrect in this group. Unless it directly supported corporate commerce, we didn't discuss it.

It's worth noting that "privacy" and "security" -- in the practical Big Brother and corporate worlds -- are often opposites. In many instances, (personal) "privacy" shields individuals from organizations; whereas, "security" protects organizations from individuals. For example, when a corporation proudly announces that it has installed greater "security," it invariably means that the corporation has stepped up ways to spy upon employees.
For obvious reasons, it is "politically incorrect" to discuss these issues in many quarters of society.

See you in the future,
Andre Bacard

======================================================================
abacard at well.com                Bacard wrote "The Computer Privacy
Stanford, California              Handbook" [Intro by Mitchell Kapor].
"Playboy" Interview (See Below)   Published by Peachpit Press, (800)
http://www.well.com/user/abacard  283-9444, ISBN # 1-56609-171-3.
=======================================================================

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 22:46:55 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 11 May 1996 13:46:55 +0800
Subject: Transitive trust
Message-ID: <01I4JT3ZWQSI8Y5C3E@mbcl.rutgers.edu>

From: IN%"sunder at dorsai.dorsai.org" "Ray Arachelian" 10-MAY-1996 16:37:22.44

>But it is - it's a pain in the ass, but you can always revoke your own
>key and generate a new one, then sign everyone's keys whom you've signed
>as trusted, EXCEPT the one you wish to revoke.

Well... that has the problem that all the signatures on your old key won't transfer, so far as I know. Now, this may have the good effect of decreasing the effective reputation of anyone who goofs and needs to revoke a signature (and of causing people to check more carefully when first signing)... but it's also a motivation not to check carefully _after_ the first time (you might need to revoke it). This balance is also present about other reasons to revoke a key - on the one hand, someone who frequently revokes keys may not be keeping up with them very well, and thus should not be trusted. On the other hand, it may be someone who changes them on a regular basis for security (a reason to keep a master key to sign your key with & vice-versa, then get signatures on it) or someone who is keeping a sharp eye out for violations and will revoke a key whenever they suspect a problem.
-Allen

From jsimmons at goblin.punk.net Fri May 10 22:53:42 1996
From: jsimmons at goblin.punk.net (Jeff Simmons)
Date: Sat, 11 May 1996 13:53:42 +0800
Subject: Hacktic remailer shutdown
Message-ID: <199605102223.PAA22489@goblin.punk.net>

Is there any information available on why the Hacktic remailer was shut down?

--
Jeff Simmons                  "You guys, I don't hear any noise.
jsimmons at goblin.punk.net    Are you sure you're doing it right?"

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 23:05:16 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 11 May 1996 14:05:16 +0800
Subject: self-ratings vs. market ratings
Message-ID: <01I4JSVMGPKS8Y5C3E@mbcl.rutgers.edu>

From: IN%"blancw at MICROSOFT.com" "Blanc Weber" 10-MAY-1996 16:21:20.63

>The more automated that filtering becomes, so that the viewer (be it an
>adult or a child) requires less and less personal involvement in
>evaluating what is appropriate (or even interesting) for themselves, the
>more weak & piddly (ignorant & psychologically dependent) those people
>could become, falling into the habit of having others - or an automatic
>robocop - do their content-filtering for them. Not a good system to
>introduce into a dynamic world-order. Like all automatic things, it can
>encourage intellectual lassitude. Like all tools, this one can also be
>misemployed.
>But, of course, surfers can make a cultural decision: sex&violence? or
>namby-pamby? :>)

A good point. Something to keep in mind with the CyberAngels' liking for ratings - remember "angels at wavenet.com"'s rantings about "elites"?

-Allen

From andrew_loewenstern at il.us.swissbank.com Fri May 10 23:06:17 1996
From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern)
Date: Sat, 11 May 1996 14:06:17 +0800
Subject: PGP, Inc.
In-Reply-To: <01I4IPAJCSGG8Y5AJT@mbcl.rutgers.edu>
Message-ID: <9605101850.AA01792@ch1d157nwk>

> The first level, in other words, is less of a
> certification than a PGP key with self-signature and
> signature from one other person. It doesn't have _any_ effort
> to verify that the email address stated on it is the actual
> email address of that nym. Or am I misinterpreting you?

All the first level cert means, and nothing more, is "The name associated with this key is unique among the first level keys certified by Verisign." No effort is made to 'verify' the name.

If you register your pseudonym with all of the high-profile CA's that allow it, before you first use the nym, it becomes much harder to spoof your nym's key. Assuming, of course, that it is customary for nyms to get their keys certified and for people to check them.

Bill Stewart, I believe, informally operates a CA that will sign unique nyms' keys.

andrew

From frissell at panix.com Fri May 10 23:13:01 1996
From: frissell at panix.com (Duncan Frissell)
Date: Sat, 11 May 1996 14:13:01 +0800
Subject: Remailer in a box
Message-ID: <2.2.32.19960510192405.0074a060@popserver.panix.com>

At 08:25 PM 5/9/96 EDT, E. ALLEN SMITH wrote:
> Thanks.
> Incidentally, one thing that I noticed in your listing of services
>was email to fax. In some circumstances (such as anonymous accounts), the other
>way around would be useful. Even for a non-anonymous account, there have been
>times when I've wished I could give someone a FAX number and have it emailed.

Already online in NYC, London, etc. See http://www.jfax.co.uk/. Faxes are forwarded via Mime. Cheap. Also someone else offering fax and voicemail over the web in Atlanta but I lost that URL. Others should follow.

DCF

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 23:24:24 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E.
ALLEN SMITH)
Date: Sat, 11 May 1996 14:24:24 +0800
Subject: Transitive trust and MLM
Message-ID: <01I4JTAAHSC88Y5C3E@mbcl.rutgers.edu>

From: IN%"eli+ at GS160.SP.CS.CMU.EDU" 10-MAY-1996 17:48:49.87

>Each signature has an /a priori/ probability p of correctly indicating
>validity, but these probabilities are not independent at all: this key
>isn't valid, period. If one certifying signature is incorrect, all
>others on the same key must be, and vice versa -- about as correlated
>as they come.

The different paths going through those different signatures will be correlated/non-independent, yes.... but that isn't the problem unless you're considering multiple paths (in a more complicated version).

>To limit transitivity, constrain the path length. This limits key
>reachability too, but I think we agree that it's essential in the real
>world. (It should also make the math simpler!) The model generalizes
>to non-binary conceptions of trust, but I don't think these can
>rehabilitate transitivity. Hmm, there are some possible approaches,
>though.

IIRC, there have been some sociological studies showing that _everyone_ is linked through 6 or so people. Now, there's the question of whether you _need_ to be linked to _everyone_ - just everyone with whom you want to do business (e.g., excluding authoritarian types doing a sting). It does come back to the elite vs masses distinction; I see nothing wrong (and am in favor of) separation of the elite from the masses.

-Allen

From jimbell at pacifier.com Fri May 10 23:25:45 1996
From: jimbell at pacifier.com (jim bell)
Date: Sat, 11 May 1996 14:25:45 +0800
Subject: Edited Edupage, 9 May 1996
Message-ID: <199605102309.QAA13309@pacifier.com>

At 10:08 PM 5/9/96 EDT, E. ALLEN SMITH wrote:
>From: IN%"educom at elanor.oit.unc.edu" 9-MAY-1996 22:01:14.77
>
>>REGIONAL BELLS WANT RATE HIKES FOR WIRING SCHOOLS
>>The United States Telephone Association would like to raise the average U.S.
>>monthly phone bill by about $10 over the next five years to pay for wiring
>>schools and libraries with new lines for phones and computers, and to
>>subsidize poor and rural customers. The proposal assumes an $11 billion
>>cost for wiring schools and libraries, with local phone companies paying
>>about a third to a half of that. The rest would come from a surcharge on
>>other services, such as cellular. "No single industry should be held
>>responsible for fulfilling this major goal," says USTA's president. "Each
>>has a role and should make a significant contribution to the national
>>education technology mandate." (Investor's Business Daily 8 May 96 A7)
>
> The "subsidize poor and rural customers" line makes me glad I don't
>have a phone line.

As might be expected, the math on this just doesn't seem to work out. If we assume that the average school has 500 students, and 1/2 of the telephone-using households have at least one kid in school (on average) then 1000 telephone households at $120 extra per year, or $120,000 per school, is available to wire it. That's a HELL of a lot of wire!!! And that's just for a single year. Why not just teach a few high school students wiring, pay them 2x the minimum wage, and give them a good summer job doing the wiring?

As for subsidizing rural customers... Why not just install a cellular telephone site in an area that's too dispersed for efficient wireline telephones? And most of these people are probably already in an area served by cellular.

Jim Bell
jimbell at pacifier.com

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 23:30:22 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 11 May 1996 14:30:22 +0800
Subject: Clinton Administration against Internet Phone regulation
Message-ID: <01I4JV643L8G8Y5C3E@mbcl.rutgers.edu>

Of course, there's the question of whether they'd have the same opinion on services routing stuff from the Internet to phones & vice-versa.
Still, it's nice to see them having a bit of sense.

-Allen

>White House: No Need To Regulate Voice software
> WASHINGTON - The Clinton administration has recommended that the
> Federal Communications Commission not regulate firms that sell
> software that enables voice communications by users of the Internet.
> The Commerce Department letter to FCC Chairman Reed Hundt was in
[...]
> Larry Irving, head of the department's National Telecommunications and
> Information Administration, argued that the software companies that
> are the object of ACTA's petition provide no communications services,
> but merely offer goods that enable individuals to engage in voice
> communications.
> Irving said those companies "are no more providing
> telecommunications services than are the vendors of the telephone
> handsets, fax machines and other customer premises equipment that make
> communications possible."
> Copyright, Reuters Ltd. All rights reserved

From corey at hedgehog.mcom.com Fri May 10 23:30:52 1996
From: corey at hedgehog.mcom.com (Corey Bridges)
Date: Sat, 11 May 1996 14:30:52 +0800
Subject: C'punks on c|net
Message-ID: <2.2.32.19960510232453.00c7a678@pdmail2.mcom.com>

I haven't been able to plow through the C'punks mail in a while, so I don't know if the small news broke that I mentioned this list on TV. For what it's worth, here's what happened:

At the c|net Awards for Internet Excellence last week, Netscape won for best server. David Pann (marketing), Mike McCool (engineering), and I (documentation/user interface) accepted on behalf of the company. We each got a chance to make acceptance speeches. (It was tres Academy Awards.) My speech was as follows:

"I'll keep this short. I'd like to thank the Cypherpunks for their eternal vigilance."

Which was received by the audience with a collective gasp.

The live event was simulcast on the Web, and the TV version was shown over the weekend on the TV show "c|net Central."
Corey Bridges
Netscape Communications Corporation
http://home.netscape.com/people/corey
415-937-2978 (New number!)

From jf_avon at citenet.net Fri May 10 23:32:19 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Sat, 11 May 1996 14:32:19 +0800
Subject: [hrdware] anti-Tempest video settings
Message-ID: <9605102331.AA09365@cti02.citenet.net>

Hi again.

Is there anybody that has any idea about a color setting that would make it more difficult to detect by a Tempest attack? (I assume that Tempest cannot discriminate between various color guns and signals in the monitor... Maybe I am completely wrong...)

Like, for example :
background: G255 B0 R0
text: G0 B255 R0

These colors are not that bad to look at.

I realize that Tempest is sensitive to actual electrical values rather than logical values. Anybody has any idea about settings that could fool Tempest?

Crypto Relevancy: I was writing a passphrase file to later be secsplitted and I suddenly got all sweaty and nervous ... :-)

Ciao all

JFA

PGP key ID# C58ADD0D at: http://w3.citenet.net/users/jf_avon
Key Fingerprint: 529645E8205A8A5E F87CC86FAEFEF891
Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have
accepted the above mentioned terms.

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 10 23:42:48 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 11 May 1996 14:42:48 +0800
Subject: Why I Pay Too Much in Taxes
Message-ID: <01I4JVOF385S8Y5AN2@mbcl.rutgers.edu>

From: IN%"frissell at panix.com" "Duncan Frissell" 10-MAY-1996 19:11:58.23

>Such a list could be published openly in any case since discussing
>techniques of tax fraud is legal. Even advocacy would be legal in almost all
>cases. (Since tax fraud is a non-violent crime, you don't have any of these
>'agitating an angry mob' scenarios.) As long as you avoided conspiring with
>anyone, you can discuss techniques all you like.
Some *participants* might
>like to subscribe anonymously however.

There are, however, some possible difficulties with this.
A. If the Feds know about some scheme, they are more likely to be able to thwart it. The extent to which this is true, of course, depends on the method(s) being used.
B. Sting operations.

These are arguments for the list being closed in format, with some form of security check. The major problem with this is that the security check will break the anonymity of participants... you may not want to trust whoever is doing the checking, even if they're public (as they should be for this).

-Allen

From lzirko at isdn.net Fri May 10 23:59:38 1996
From: lzirko at isdn.net (Lou Zirko)
Date: Sat, 11 May 1996 14:59:38 +0800
Subject: Open Group issues first new Internet security standards
Message-ID: <199605102337.SAA14631@rex.isdn.net>

-----BEGIN PGP SIGNED MESSAGE-----

Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
To: cypherpunks at toad.com
Date: Fri May 10 18:35:00 1996

Story at: http://www.infoworld.com/cgi-bin/displayStory.pl?960510.opengroup.htm

Lou Zirko

Lou Zirko (502)383-2175
Zystems lzirko at isdn.net
"We're all bozos on this bus" - Nick Danger, Third Eye

From sandfort at crl.com Sat May 11 00:17:09 1996
From: sandfort at crl.com (Sandy Sandfort)
Date: Sat, 11 May 1996 15:17:09 +0800
Subject: will the real Irving J. Schlublutz please stand up?
was: Senator Leahy's Public Key Message-ID: <2.2.32.19960510225842.006e1618@popmail.crl.com>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ C'punks, >On Thu, 9 May 1996, Timothy C. May wrote: >i think a related point is one we all know well, that being if there is a >will, there is a way.. we've seen it with phoney physicians and >specialists, even, with certificates and physicians' licenses.. if someone >wants to intercept correspondence and impersonate another person, it is >easy enough if that person has the time and impetus..

When I was a teenager I read /The Great Impostor/, the autobiography of Fred Demara(sp?). It was an eye-opener. Demara posed as all sorts of people. He didn't read any books on the subject of identity, he just invented his own techniques. Because he was always learning, he was always getting caught. Each failure, however, just made his next effort that much better. Read it if you can find it; it's fascinating. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From EALLENSMITH at ocelot.Rutgers.EDU Sat May 11 00:22:36 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 11 May 1996 15:22:36 +0800 Subject: Remailer in a box Message-ID: <01I4JSRBVRZQ8Y5C3E@mbcl.rutgers.edu>

I've been able to locate the following on the Web in regards to fax and voicemail to Internet. The first is the one you were thinking of; the third was mailed to me by a helpful individual (thanks).

http://www.faxweb.net/ Allows 1/4 size web page looking, then download full via special software for Windows. Not sure why demands special software to do the web page - should be able to download normally then auto-delete (or charge more for memory space usage). Email used for notification. Requires a credit card.

http://www.jfax.net/ Emails you with a compressed file containing the fax. JFAX software for Windows or Mac used to decompress it.
Requires a credit card. http://www.vix.com/hylafax/ Software to enable fax reception and translation either into PostScript or TIFF/S (sp?). This may be the most practical for anonymous use; can TIFF/S and Postscript be easily translated into a jpg or gif file? Those are the easiest viewers to locate. -Allen From llurch at networking.stanford.edu Sat May 11 00:25:27 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 11 May 1996 15:25:27 +0800 Subject: PGP, Inc. In-Reply-To: Message-ID: [Actually talking about VeriSign certs] On Thu, 9 May 1996, Lucky Green wrote: > At 23:10 5/9/96, E. ALLEN SMITH wrote: > >> The first level, in other words, is less of a certification than a >>PGP key with self-signature and signature from one other person. It >>doesn't have _any_ effort to verify that the email address stated on it >>is the actual email address of that nym. Or am I misinterpreting you? For the first level, this is correct. I didn't even see an AUP discouraging spoofing. > I was on a panel with a representative from VeriSign at Interop in Las > Vegas. He said that uniqueness was the only requirement for the first level > of cert. I don't have any information beyond that. Just visit www.verisign.com with the Netscape 3.x beta and see. -rich From perry at piermont.com Sat May 11 00:30:28 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 11 May 1996 15:30:28 +0800 Subject: Bill Frantz, Churchill Club, Privacy In-Reply-To: <199605102242.PAA06840@well.com> Message-ID: <199605110022.UAA04819@jekyll.piermont.com> Andre Bacard writes: > It's worth noting that "privacy" and "security" -- in the practical Big > Brother and corporate worlds -- are often opposites. In many instances, > (personal) "privacy" shields individuals from organizations; whereas, > "security" protects organizations from individuals. 
For example, when a > corporation proudly announces that it has installed greater "security," > it invariably means that the corporation has stepped up ways to spy upon > employees. I would say this is very much untrue in the computer world. Security implies things like encrypting links, using cryptographic authentication of logins, installing firewalls, etc. -- not mass employee surveillance. Perry From dan at vplus.com Sat May 11 00:49:55 1996 From: dan at vplus.com (Dan Weinstein) Date: Sat, 11 May 1996 15:49:55 +0800 Subject: PGP, Inc. In-Reply-To: Message-ID: <3193e30f.2723100@mail.vplus.com> On Fri, 10 May 1996 10:22:24 -0700, timd at consensus.com wrote: > >The only effort they make is that when using the email-based CA, it mails >the certificate to the address within, so it's not trivial to get a cert >for an address that you don't have access to. (I'm not saying it's >impossible, or even hard, just that it requires some skill and effort). I don't believe this is correct. They send you information after you have created the cert verifying that you set it up, but nothing requires a response and the key is transfered via http. Dan Weinstein djw at vplus.com http://www.vplus.com/~djw PGP public key is available from my Home Page. All opinions expressed above are mine. "I understand by 'freedom of Spirit' something quite definite - the unconditional will to say No, where it is dangerous to say No. Friedrich Nietzsche From timd at consensus.com Sat May 11 00:59:37 1996 From: timd at consensus.com (Tim Dierks) Date: Sat, 11 May 1996 15:59:37 +0800 Subject: PGP, Inc. Message-ID: At 5:48 PM 5/10/96, Dan Weinstein wrote: >On Fri, 10 May 1996 10:22:24 -0700, timd at consensus.com wrote: >> >>The only effort they make is that when using the email-based CA, it mails >>the certificate to the address within, so it's not trivial to get a cert >>for an address that you don't have access to. 
(I'm not saying it's >>impossible, or even hard, just that it requires some skill and effort). > >I don't believe this is correct. They send you information after you >have created the cert verifying that you set it up, but nothing >requires a response and the key is transferred via http.

If you'll examine my message, you'll see I was referring to the email-based S/MIME class 1 CA. Best, - Tim Dierks Tim Dierks -- timd at consensus.com -- www.consensus.com Head of Thing-u-ma-jig Engineering, Consensus Development

From frantz at netcom.com Sat May 11 01:02:13 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 11 May 1996 16:02:13 +0800 Subject: Dear friends, Message-ID: <199605110149.SAA18276@netcom8.netcom.com>

At 10:02 AM 5/10/96 +0800, MOHAMED HABIB MOHAMED EUSOFF wrote: >I am searching for NETWORK SECURITY white paper, documents and hacking >utilities. Maybe you guys/gals can >shed some light on this.

Wietse Venema and Dan Farmer recommended RFC1244 in their Security Auditing and Risk Analysis class. Available from ftp:ftp://munnari.oz.au/rfc/rfc1244.Z

------------------------------------------------------------------------
Bill Frantz | The CDA means | Periwinkle -- Computer Consulting
(408)356-8506 | lost jobs and | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From raph at cs.berkeley.edu Sat May 11 01:09:44 1996 From: raph at cs.berkeley.edu (Raph Levien) Date: Sat, 11 May 1996 16:09:44 +0800 Subject: PGP, Inc. In-Reply-To: Message-ID: <3193E226.575E651C@cs.berkeley.edu>

Tim Dierks wrote: > > The only effort they make is that when using the email-based CA, it mails > the certificate to the address within, so it's not trivial to get a cert > for an address that you don't have access to. (I'm not saying it's > impossible, or even hard, just that it requires some skill and effort).

For example, see http://www.digicrime.com/id.html . I believe they got these certificates using the Web, rather than e-mail.
I think with e-mail, you'd actually have to be running a packet sniffer or doing an active attack such as DNS spoofing. However, the Web is much, much more convenient. In any case, the page I referenced above is worthwhile reading. Raph From llurch at networking.stanford.edu Sat May 11 01:22:52 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 11 May 1996 16:22:52 +0800 Subject: [Yadda Yadda Heil Dave] Re: remailer@utopia.hacktic.nl down In-Reply-To: <199605100215.TAA04043@netcom16.netcom.com> Message-ID: On Thu, 9 May 1996, Dave wrote: > > > Perhaps Co$ was behind the recent spamming of > > > alt.politics.white-power. Scientology is > > > virulently anti-racist. > > > > Interesting, given that Massah Elron (L. Ron Hubbard) was virulently > > racist. > > Just check out www.theta.com for examples of wiesenthalien anti-racism. Also on www.theta.com find examples of Scientology's commitment to human rights, free speech on the Internet, responsible business and medical practices, and Freedom*. -rich http://www.c2.org/~rich/Not_By_Me_Not_My_Views/rebuttal.html * - Freedom is a registered trademark of the Religious Technology Center From llurch at networking.stanford.edu Sat May 11 01:47:44 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 11 May 1996 16:47:44 +0800 Subject: Are remailers designed to be knocked down? In-Reply-To: Message-ID: On Fri, 10 May 1996, Alan Bostick wrote: > The Scientology wars are spilling over into alt.usenet.kooks again, and > Keith Henson had this odd thing to say. I thought Cypherpunk discussion > of Keith's thesis would be interesting. > > hkhenson at netcom.com (Keith Henson) wrote: > > > > Ah, but the remailers are *designed* to be knocked down. The > > are not expected to last if they are being used for serious > > causes. But the package for doing another one and getting it > > hooked into the network is easy to install--even in a user > > act. 
Knocking out a remailer will usually halt the effort to > > get back at the person/persons who were spilling the beans. > > Social factors involved here. If any of you would like to > > help, offer to run a remailer for a while. Consider it a > > temporary civic duty. Keith Henson I think this is reasonable. I would HOPE that a remailer under heavy attack would be able to shut down, publicly, before it was taken over by the legal authorities or other armed thugs. -rich From qut at netcom.com Sat May 11 02:33:07 1996 From: qut at netcom.com (Dave Harman) Date: Sat, 11 May 1996 17:33:07 +0800 Subject: Rich is leaving for thetapunks In-Reply-To: Message-ID: <199605110235.TAA21673@netcom6.netcom.com> > On Thu, 9 May 1996, Dave wrote: > > > > > Perhaps Co$ was behind the recent spamming of > > > > alt.politics.white-power. Scientology is > > > > virulently anti-racist. > > > > > > Interesting, given that Massah Elron (L. Ron Hubbard) was virulently > > > racist. > > > > Just check out www.theta.com for examples of wiesenthalien anti-racism. > > Also on www.theta.com find examples of Scientology's commitment to human > rights, free speech on the Internet, responsible business and medical > practices, and Freedom*. What are you doing HERE when you obviously belong THERE? > -rich > http://www.c2.org/~rich/Not_By_Me_Not_My_Views/rebuttal.html > > * - Freedom is a registered trademark of the Religious Technology Center > > -- God grant me the serenity to accept the things I cannot change, the courage to change the things I can, and the wisdom to know the difference From llurch at networking.stanford.edu Sat May 11 02:38:35 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 11 May 1996 17:38:35 +0800 Subject: [Yadda Yadda Heil Dave] Re: Rich is leaving for thetapunks In-Reply-To: <199605110235.TAA21673@netcom6.netcom.com> Message-ID: If I didn't know him better, I'd have thought that Dave had entirely missed my sarcasm. Thanks for the laugh, Skippy! 
-rich FUCKING SCIENTOLOGIST* * - FUCKING SCIENTOLOGIST is a registered trademark of the Religious Technology Center On Fri, 10 May 1996, Dave Harman wrote: > > On Thu, 9 May 1996, Dave wrote: > > > > > > > Perhaps Co$ was behind the recent spamming of > > > > > alt.politics.white-power. Scientology is > > > > > virulently anti-racist. > > > > > > > > Interesting, given that Massah Elron (L. Ron Hubbard) was virulently > > > > racist. > > > > > > Just check out www.theta.com for examples of wiesenthalien anti-racism. > > > > Also on www.theta.com find examples of Scientology's commitment to human > > rights, free speech on the Internet, responsible business and medical > > practices, and Freedom*. > > What are you doing HERE when you obviously belong THERE? > > > -rich > > http://www.c2.org/~rich/Not_By_Me_Not_My_Views/rebuttal.html > > > > * - Freedom is a registered trademark of the Religious Technology Center > > -- > God grant me the serenity to accept > the things I cannot change, > the courage to change the things I can, > and the wisdom to know the difference From qut at netcom.com Sat May 11 02:51:35 1996 From: qut at netcom.com (Dave Harman) Date: Sat, 11 May 1996 17:51:35 +0800 Subject: remailer@utopia.hacktic.nl down In-Reply-To: <2.2.32.19960510171253.00760f44@mail.teleport.com> Message-ID: <199605110128.SAA14287@netcom6.netcom.com> > At 07:15 PM 5/9/96 -0700, qut at netcom.com (Dave Harman) wrote: > [snip] > >Oh, in what way was Elrom racist? (he's not anti-asian or anti-semitic, > >for instance) > [snip] > > Chris Owen has written an essay about Hubbard's support of the racist South > African govt. Along with Israel, Reaganites, etc. Racism? Just capitali$m in it's international arena. > http://www.demon.co.uk/castle/audit/aprtheid.html Just skimmed through it. Black scientologists should read it. More than ever, it points out how Elron sought corrupt officials, to make deals with, subsequently praising them for their venality. 
South Africa never was racist, but just cared about diamonds and gold. Cheap labor from apartheid, akin to cheap labor from immigration. > He quotes Hubbard as writing: > > "Just as individuals can be seen by observing nations, so we see the African > tribesman, with his complete contempt for truth and his emphasis on > brutality and savagery for others but not himself, is a no-civilization." TRIBESMAN. No doubt he would have a favorable opinion of Idi Amin, Mugabe(sp), and any other rich black, as long as they are willing to part with some of their money. From vznuri at netcom.com Sat May 11 02:56:17 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sat, 11 May 1996 17:56:17 +0800 Subject: self-ratings vs. market ratings In-Reply-To: Message-ID: <199605110413.VAA08876@netcom13.netcom.com> >I meant that the the *ratings* would not be very useful for my purposes >(at least, not the ratings as I've heard proposed so far.) I probably >wouldn't have the same values or concerns of those who feel the need to >apply them; I wouldn't judge the material by the same standards (raters >are looking principally to create a means to censor material, and I >myself am not concerned about passive text&graphics. one point about the ratings systems is that they are not simply for rejecting or approving pages. they might be used to point out "neat places". now, have you ever gone through a list of "cool links" anywhere in cyberspace? I suspect such lists are very likely going to be kept on rating servers in the not-to-distant future. PICS is a very flexible architecture and I hope it will be used in many ingenious ways not previously foreseen. also, keep in mind that in the short term, ratings refer to web pages, but in the long term future, I can see them rating all kinds of other things in cyberspace and the real world. again, PICS supports this right off the bat. it is not constrained to web pages. 
>The more automated that filtering becomes, so that the viewer (be it an >adult or a child) requires less and less personal involvement in >evaluating what is appropriate (or even interesting) for themselves, the >more weak & piddly (ignorant & psychologically dependent) those people >could become, falling into the habit of having others - or an automatic >robocop - do their content-filtering for them. but in a sense, this is what you do whenever you read a book or a newspaper. you are reading information screened by someone else. not so much with books that are unique, but you can see how this applies with like a collection of essays for example. but I agree with your implications. ratings are not a substitute for personal judgement. they are meant to be a method to aid thinking, not to replace it, imho. From vznuri at netcom.com Sat May 11 03:30:56 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sat, 11 May 1996 18:30:56 +0800 Subject: Publicity on PICS In-Reply-To: <01I4ID8CLHOK8Y5B50@mbcl.rutgers.edu> Message-ID: <199605110425.VAA28304@netcom20.netcom.com> >>At the same time, providers will be urged to rate their pages by filling out >>an electronic questionnaire resulting in a "grade" for each site, on a scale >>ranging from zero, the most innocuous, to four for each category. > > What was I saying about pressure to rate? this is really horrible. I hope that no precedent of having internet providers involvement in ratings is *ever* established. this proposal reeks. separate ratings from content and delivery. >>The system depends for its ratings on voluntary compliance by Internet >>providers. ugggghghghghg. not my ideal use of PICS. I hope that people don't begin to believe that PICS is this system. >>But there is no way to use the system to seek out pornography or violence on >>the web, officials insisted. I don't know why that would be a problem. 
>>"To content-providers, I would say, 'Rate your sites' To parents I would >>say, 'Set the levels for your children.' And to governments, I would say >>humbly, 'Think again before censoring the net,"' Stephen Balkam, executive >>director of the Recreational Software Advisory Council, told a news >>conference. > > Note again the pressure for self-rating. "content-providers" != internet providers. that former is OK. the latter is a horrible nightmare. please, please, please, I hope this system is not asking/demanding people who run hardware & communication services to get into the rating business. such a thing is atrocious and odious and exactly what should be avoided. >>A strength of PICS is that "it allows as many countries as would like to set >>up a rating system," said Jim Miller, a research scientist who helped >>develop the system. Adhering to the system would still be up to individual >>households, however. > > Whatever became of market-ratings? Admittedly, they may mean that each >country will be encouraged to given an example system... but I still don't >like the idea of government involvement. the government becomes just another rating agency. I don't like it either. but as long as we emphasize, "the individual always has the ultimate decision", which fortunately this press release does, little can go awry, hopefully. From vznuri at netcom.com Sat May 11 03:36:39 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sat, 11 May 1996 18:36:39 +0800 Subject: Mandatory Voluntary Self-Ratings In-Reply-To: Message-ID: <199605110435.VAA29286@netcom20.netcom.com> >For every proposed "ratings" system that involves value judgments about who >should see something, I can think of examples where a quite opposite view >is held. true. hence you use a service whose opinions you agree with. there is no canonical, ultimate, "true" ratings service. hence my dislike of self-ratings that seem to presume the opposite is true. (i.e. 
rate the page "what it actually is") >I still think we are being led down a dangerous path in trying to architect >ratings systems. As I said, we don't rate written words (at least I don't), >we don't rate newspapers, etc. all kinds of things are now rated in the world. stocks are rated. movies are rated. books are rated. they are rated in various other books, such as "top books on [x]". >If a system gets built into the WWW, as with proposals for PICS, it _will_ >be used by those who want to control content. We should think twice before >helping in any way. I agree with your hesitation totally. I can easily see how the system would be twisted in unspeakable ways. but I can see a lot of very powerful positive uses too. as long as the best attempts are made to discourage the former and encourage the latter... again, there is a question that the future might turn out to be more orwellian if no action is taken by internet designers whatsoever. I tend to believe that view. >(No, I'm not _against_ private ratings services...but this has little to do >with _me_, and I won't participate. More importantly, I won't have my >content have any kind of tag attached! notice that what you demand is wholly irrelevant. if you put something out in the public, in a world of free speech, anyone is free to rate your posting, or your opinions, etc.-- they just set a system that refers to the message-id of your posts or something. if what you are instead saying is that you will never insert your own tags into your content, well that is something you have control over. but you have absolutely no control over what people "attach" to your posts in a "virtual" sense. anyone could set up the TCMay Rating Service and register ratings on everything you post in public. > Thus, the PICS thing looks intrusive >to me, and not at all what I think of as a "private ratings service." I'll >elaborate if my point is unclear.) 
I would definitely be interested in an elaboration, although you don't have to quote me if it makes you retch . the only thing I see intrusive about PICS is the self-rating scheme. the third-party rating scheme seems pretty "unintrusive" and invisible in my view.

From caj at tdrs.com Sat May 11 03:43:25 1996 From: caj at tdrs.com (Craig A. Johnson) Date: Sat, 11 May 1996 18:43:25 +0800 Subject: cr> ACLU v. RENO: Trial Update 5/10/96 Message-ID: <1101788478546.LTK.023@cpsr.org>

This just in from the ACLU! I was in Philly today folks, and I can tell you, the update below is an understatement; it was a rout! The ACLU and the ALA, with ample help from the judges and Government counsel, literally pulled the legs off the Government case! I'll be posting my own version on this by Monday. Suddenly, there is a new light in cyberspace! Craig

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

ACLU V. RENO: TRIAL UPDATE

AT CLOSING ARGUMENTS, ACLU CALLS ON COURT TO PROTECT FREE SPEECH IN CYBERSPACE

FOR IMMEDIATE RELEASE Contact: Emily Whitfield Friday, May 10, 1996 212-944-9800, x426 emilyaclu at aol.com

PHILADELPHIA-- A three-judge panel heard closing arguments today regarding a law that would criminalize free speech in cyberspace. Plaintiffs and defendants each had approximately two hours to make their case and answer questions from the judges.

Much of the government's argument today hinged on a proposal requiring Internet users to identify so-called indecent or patently offensive words or images with an electronic "tag." But by the end of the day, government lawyers conceded -- under pointed questioning from the judges -- that it would be impossible to implement this scheme given the technology currently available.

That concession alone, the ACLU said, could justify granting plaintiff's motion for a preliminary injunction against the censorship provisions of the Communications Decency Act, which criminalizes making available to minors "indecent" or "patently offensive" speech online.

"It's about time that the government conceded what the cyberspace community has known all along -- that this is an unworkable law," said Christopher Hansen, who presented oral arguments for the ACLU. "And even if it were feasible, it is constitutionally unthinkable to give the government the power to restrict valuable speech, or to compel people to pejoratively label their speech."

Government lawyers also acknowledged today that the law criminalizes speech of value -- e.g., artistic, literary or medical information -- not just "pornography" or other prurient words or images that aren't covered under existing obscenity laws. In fact, as Hansen pointed out to the Court, Congress made sure that the Communications Decency Act applied specifically to libraries and educational institutions, and rejected several opportunities to make any exceptions for valuable speech.

Such an omission might have been a "legislative craftsmanship problem," suggested Anthony Coppolino, one of the lawyers appearing for the Department of Justice. But that argument was met with skepticism from the judges.

"The government is basically saying 'trust me' when it comes to determining what kind of online words and images will be considered 'indecent' or 'patently offensive,'" said Marjorie Heins, a lawyer on the ACLU v. Reno team. "But they were not able to offer a coherent explanation as to what those terms mean."

The risk involved to individuals in making such a determination is especially grave when criminal penalties are involved, the ACLU emphasized. The CDA provides for penalties of up to two years in jail and $250,000 in fines.

Addressing this issue, Judge Stewart Dalzell asked the government how it would view an individual such as ACLU plaintiff Kiyoshi Kuromiya, who has vowed to maintain his website no matter what.
Kuromiya has testified that his website, the Critical Path AIDS Project, provides "lifesaving" information on safer sex practices -- some of it necessary sexually explicit -- aimed at reaching teens around the world. Justice Department lawyer Jason Baron responded that if Mr. Kuromiya didn't want to comply, "he can take the consequences." Overall, the ACLU said, plaintiffs succeeded in making three essential points to the court: -- The Communications Decency Act is a criminal statute with criminal penalties. -- The law is aimed specifically at speech that is constitutionally protected. -- The government's tagging scheme would force every American to censor him/herself to avoid risk of criminal prosecution. Plaintiffs also reminded the Court that the censorship law applies not only to websites, but to newsgroups, chat rooms, mail exploders, and other fora that constitute a vital part of the Internet. The ACLU has asserted in its brief -- and the government largely conceded today -- that various schemes for self-censorship would be unworkable in these environments as well. At the conclusion of today's proceedings, Chief Judge Dolores K. Sloviter said that the Court would issue a ruling "in due course." Under expedited provisions, any appeal on rulings regarding the new censorship law will be made directly to the U.S. Supreme Court. ACLU v. Reno, which was filed the day the Communications Decency Act was signed into law, was consolidated on February 26 with a second case brought by the American Library Association and 26 co-plaintiffs, known as the Citizens Internet Empowerment Coalition. Lawyers for the ACLU appearing before the judges are Christopher Hansen, Marjorie Heins, Ann Beeson, and Stefan Presser, legal director of the ACLU of Pennsylvania. Attorney Bruce J. Ennis presented oral arguments today on behalf of the ALA/CIEC coalition. 
-end- @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ~ CYBER-RIGHTS ~ ~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~-~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=- Visit The Cyber-Rights Library, accessible via FTP or WWW at: ftp://www.cpsr.org/cpsr/nii/cyber-rights/Library/ http://www.cpsr.org/cpsr/nii/cyber-rights/Library/ You are encouraged to forward and cross-post list traffic, pursuant to any contained copyright & redistribution restrictions. ~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~-~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=- From djw at vplus.com Sat May 11 04:07:31 1996 From: djw at vplus.com (Dan Weinstein) Date: Sat, 11 May 1996 19:07:31 +0800 Subject: PGP, Inc. Message-ID: <199605110530.WAA12458@ns1.vplus.com> On 10 May 96 at 18:12, you wrote: > At 5:48 PM 5/10/96, Dan Weinstein wrote: > >On Fri, 10 May 1996 10:22:24 -0700, timd at consensus.com wrote: > >> > >>The only effort they make is that when using the email-based CA, > >>it mails the certificate to the address within, so it's not > >>trivial to get a cert for an address that you don't have access > >>to. (I'm not saying it's impossible, or even hard, just that it > >>requires some skill and effort). > > > >I don't believe this is correct. They send you information after > >you have created the cert verifying that you set it up, but nothing > >requires a response and the key is transfered via http. > > If you'll examine my message, you'll see I was referring to the > email-based S/MIME class 1 CA. > > Best, > - Tim Dierks > > Tim Dierks -- timd at consensus.com -- www.consensus.com > Head of Thing-u-ma-jig Engineering, Consensus Development Oops, sorry about that. Dan Weinstein djw at vplus.com http://www.vplus.com/~djw PGP public key is available from my Home Page. All opinions expressed above are mine. "I understand by 'freedom of Spirit' something quite definite - the unconditional will to say No, where it is dangerous to say No. 
Friedrich Nietzsche From llurch at networking.stanford.edu Sat May 11 04:16:36 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 11 May 1996 19:16:36 +0800 Subject: Reminder/details on May 11th SF Bay Area Meeting Message-ID: Tomorrow, noon, Tresidder patio at Stanford. If you have the bandwidth, you can get a DETAILED look at EXACTLY where we'll sit through http://www-tour.stanford.edu:1081/cgi-bin/campus-click.prl/jmtl Tresidder is at B4; a closeup picture of the benches where we'll sit is at http://www-tour.stanford.edu:1081/cgi-bin/ctour.prl/00075.10/jmtl Different versions of the JPEGs are appropriate for monitors with different gamma settings. (Why yes, as a matter of fact, we *did* have far too much time on our hands.) If people are really nice, we might sneak into my office for Ethernet connectivity and presentation hardware. I suppose it's probably too late to offer to drive people from the PA CalTrain station to campus, but you could page me. If you were counting on the shuttle, sorry, it doesn't run tomorrow. It's about a 25-minute walk. There will also be a "Spring Faire" and a "Powwow" on campus this weekend, so count on a little traffic. Nowhere near as bad as a football game, mind you. Hugh Daniel wrote: >For dinner I will suggest 'Thai City', about a 2 kilometers >south of Page Mill at 4329 El Camino Real. It is on the >Peninsula East side of the road, white building with a purple >stripe around it and some {}`s (really). +1 415 493 0643 Thai City is excellent (and cheap). -rich From vznuri at netcom.com Sat May 11 04:18:42 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sat, 11 May 1996 19:18:42 +0800 Subject: Mandatory Voluntary Self-Ratings In-Reply-To: <01I4ILRRY69S8Y5AJT@mbcl.rutgers.edu> Message-ID: <199605110420.VAA27663@netcom20.netcom.com> [ratings] > For a market-driven system to emerge, we're going to >have to have one or both of two things: > A. Raters being paid by the people who post web pages. Not likely. 
> B. Raters being paid by the people who get the ratings. More likely. >Neither the RSAC or SafeSurf systems does either of these. > -Allen ug. I see that "market driven" didn't make a lot of sense the way I used it. I was not talking about money. I was using it in the sense of "third-party ratings" vs. "self-ratings". maybe the latter terminology is better. I'd like to point out that market-driven systems, in the sense you use of the economy supporting the creation of the ratings, already exist in cyberspace. examples: 1. point communications top 5%. people effectively pay this company to find the "cool web sites" by buying their book or whatever. 2. surfwatch. as I understand it they have already rated many sites out there on the internet and are using a proprietary system that mimics a rating server. people are essentially paying for them to rate web sites through the purchase price of the software. other examples probably exist. From vznuri at netcom.com Sat May 11 04:21:44 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sat, 11 May 1996 19:21:44 +0800 Subject: Mandatory Voluntary Self-Ratings In-Reply-To: <9605092113.AA13795@rpcp.mit.edu> Message-ID: <199605110408.VAA08516@netcom13.netcom.com> JR > In fact, 3rd party services may have problems with large and dynamic >WEB sites (in which case they just might rate it high, and rate the whole >directory.) (I was thinking about this with regards to incorporating rating >systems into WEB site managements tools and apps...) If MICS and signatures >do become prevalent, an easy way I can defeat ratings I don't like (or to >keep from others rating me) is to repeatedly change my content in some >simple way, throwing off their MICS. the idea with the rating system is that the rating signs the signature of the page, which is itself digitally hashed or something. in other words, the rating is on the "state" of a page at some time. 
the system would at least be able to detect a change in the state of a page, and inform the user that a rating may no longer be valid due to obsolescence. but you are correct that page changes are probably more problematic for market ratings than self-ratings. it is true that BOTH self-ratings and market ratings have major problems associated with them. the question is, which has the fewest for a given situation? if page designers are going to maliciously misuse rating systems, then the market type system is superior. the market system does suffer from the problem that it is less decentralized. however it is possible that some rating services might be able to economically justify entire armies of rating teams. it is clear some key questions about ratings are as follows: 1. what pressure or coercion, if any, will be placed on page designers and by whom for certain self-ratings? 2. will self-ratings be deliberately misused by people protesting the system? will it be a problem? 3. will page revisions make market ratings unviable? all of these will become more apparent as implementations proliferate more widely. again, PICS supports both in theory, so I have no objections to PICS and in fact have been supporting it here. I suggest that we let the market decide which works better-- market ratings or self-ratings. I suspect they will both coexist in the future. trying to a priori argue which will be more problematic seems a bit naive to me. market ratings might make more sense on more formal pages, such as reference material that is likely to be steady over time. self-ratings would be a good fallback if no other information is available. as far as page changes, I don't think the web has a good mechanism for handling changes in its contents right now. improved methods of handling this kind of thing in the future may make the rating problem less difficult.
for example, if there was a "systemized" way that a web page could point to a new address it has relocated to, so that everyone that runs their "checker" programs and hits the old page would update the link, etc., this could be incorporated into the rating system to handle one common kind of change. another possibility is for people to put in information into their pages about expected "shelf-life"-- this would help ratings agencies avoid rating places that are not stable. From tcmay at got.net Sat May 11 04:22:52 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 11 May 1996 19:22:52 +0800 Subject: will the real Irving J. Schlublutz please stand up? was: Senator Leahy'sPublic Key Message-ID: At 10:58 PM 5/10/96, Sandy Sandfort wrote: >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > SANDY SANDFORT >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > >C'punks, > >>On Thu, 9 May 1996, Timothy C. May wrote: > >>i think a related point is one we all know well, that being if there is a >>will, there is a way.. we've seen it with phoney physicians and >>specialists, even, with certificates and physicians' licenses.. if someone >>wants to intercept corespondence and impersonate another person, it is >>easy enough if that person has the time and impetus.. Actually, neither I nor Irving J. Schlublutz wrote this. (Careful reading of the ">" marks makes this clear, but not all readers take the time to do this, and the "Timothy C. May wrote" is misleading.) --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. 
"National borders aren't even speed bumps on the information superhighway." From llurch at networking.stanford.edu Sat May 11 04:28:51 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 11 May 1996 19:28:51 +0800 Subject: Hacktic remailer shutdown In-Reply-To: <199605102223.PAA22489@goblin.punk.net> Message-ID: On Fri, 10 May 1996, Jeff Simmons wrote: > Is there any information available on why the Hacktic remailer was shut > down? Church of Scientology. Someone posted too many Secret Scriptures, it seems. The details, nobody has shared. Conspiracy theories, galore, but I have faith in their judgement and commitment to free speech and anonymity. I'm sure it was a tough decision. Btw, I don't believe it has shut down yet. Rather, the operators announced that due to "recent events," there would be a planned shutdown on May 20th. I *would* like to know if the mail2news gateway is going down in addition to the remailer. I'm assuming that it is. -rich From blancw at accessone.com Sat May 11 05:14:29 1996 From: blancw at accessone.com (blanc) Date: Sat, 11 May 1996 20:14:29 +0800 Subject: self-ratings vs. market ratings Message-ID: <01BB3ED3.D79972C0@blancw.accessone.com> >From Vladimir Z. Nuri (just when I thought it was over): ".......PICS is a very flexible architecture and I hope it will be "used in many ingenious ways not previously foreseen." Guess so. . How long do "cool sites" stay "hot"? . How long would web pages rated "sexual content" keep that rating? . Many sites are casually rated as "cool" for the fun of it. . Why are controversial pages rated? . What motivated Yahoo to begin featuring Top 5 Sites of the Week? . What motivates those who are calling for mandatory rating? "but in a sense, this is what you do whenever you read a book or a newspaper. you are reading information screened by someone else." You could say that *all* communication is a rating, then. 
All evaluations are ratings (as are all emotions, and all modifying terms in grammar. Art is a rating on life, as love is a rating on others). But an individual must decide how much screening they can tolerate before they become useless to themselves (or: *whose* rating is important?) Many things help us to make judgements, to aid us in arriving at conclusions. Ratings present the conclusion itself: rather than assisting, by reasoning and discussion (or argument) in the development of judgement, they present a final evaluation. They leave out the middle, where the work of thought takes place. "ratings are not a substitute for personal judgement. they are meant to be a method to aid thinking, not to replace it, imho." They can do that, in a very reduced, limited way. I myself think that even short descriptions are more informative and useful. You can reduce communication to such constricted labels that it loses all meaning. Or as Beavis n Butthead would posit: uh - uh; uh - uh (hee-hee. It just occurred to me how dogs mark their territory. You could call *that* a rating, too. THIS site is MINE, honey!!) .. Blanc From jsw at netscape.com Sat May 11 07:05:40 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Sat, 11 May 1996 22:05:40 +0800 Subject: [Fwd: Re: PGP, Inc.] Message-ID: <3194593C.E86@netscape.com> I meant to send this along to the list as well as Raph. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. To: Raph Levien Subject: Re: PGP, Inc. From: Jeff Weinstein Date: Sat, 11 May 1996 02:07:40 -0700 Organization: Netscape Communications Corp. 
References: <3193E226.575E651C at cs.berkeley.edu> Reply-To: jsw at netscape.com Raph Levien wrote: > > Tim Dierks wrote: > > > > The only effort they make is that when using the email-based CA, it mails > > the certificate to the address within, so it's not trivial to get a cert > > for an address that you don't have access to. (I'm not saying it's > > impossible, or even hard, just that it requires some skill and effort). > > For example, see http://www.digicrime.com/id.html . I believe they got > these certificates using the Web, rather than e-mail. > > I think with e-mail, you'd actually have to be running a packet sniffer > or doing an active attack such as DNS spoofing. However, the Web is > much, much more convenient. > > In any case, the page I referenced above is worthwhile reading. It is certainly possible to put e-mail 'into the loop' when issuing certs via the web. With Netscape Navigator 3.0 there is no requirement that the cert be issued immediately when requested. I expect that some cert vendors who are issuing low assurance certs will e-mail the requestor a password that they can use to retrieve their cert. This at least provides some(not total) assurance that the requestor can receive e-mail at the address in the cert. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From jsw at netscape.com Sat May 11 07:08:06 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Sat, 11 May 1996 22:08:06 +0800 Subject: Compu$erve, Netscape offering Lotus Notes competitor In-Reply-To: <01I4IDJBJNH48Y5B50@mbcl.rutgers.edu> Message-ID: <31946164.42A7@netscape.com> E. 
ALLEN SMITH wrote: > > There is no mention in either of these articles about what encryption > protection will be used; it does appear that Netscape Navigator software will > be used, which does have some protections (very little for the out-of-US stuff, > of course). Jeff? I don't really know any details about this deal, but it looks like they are just using our normal software (Navigator, HTTP server, NNTP server, etc.) I don't know how many of compuserve's customers are outside the US & Canada, but any that are will be subject to normal export restrictions (limited to 40-bit RC4). US and Canadian customers should be able to use US versions that have 3DES and 128-bit RC4. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From nobody at c2.org Sat May 11 07:10:17 1996 From: nobody at c2.org (Anonymous User) Date: Sat, 11 May 1996 22:10:17 +0800 Subject: Why I Pay Too Much in Taxes Message-ID: <199605111005.DAA28141@infinity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- Black Unicorn wrote: >In this case the people paying the offshore company for Mr. May's services >are also subject to reporting requirements and a 30% withholding tax for >which they will be held liable. Nobody pays offshore for Mr. May. They pay a domestic corporation for his services. The corporation pays Mr. May a sufficient taxable salary for his domestic expenses. Anything above that (i.e. money that Mr. May don't need right now) is paid to the offshore entity as (for instance) deductible license fees. The payment should probably go to a jurisdiction with a double taxation agreement with the US, like Holland or Ireland. In Ireland it's easy to setup a tax free corporation that sends all it's income to an offshore trust, where the money stays until Mr. May needs them. >This adds the requirement that the individuals or corporations receiving >Mr. 
May's service be involved in this conspiracy. If they could have >been, why do you need the offshore connection? Why not just conspire with >them to pay Mr. May in cash and not report it? They just deal with the vice president of a typical domestic consulting corporation. That the CEO of the company is an alcoholic living on a park bench (for the ultra cheap setup) is nobody's business. He's on permanent vacation for all they care. >If your above scheme is intended merely to conceal funds it is a fairly >poor example as it depends on the secrecy of each and every 'employee' of >the company. Only one individual and he's too drunk to remember anything. >Continue your participation in such a plan. I will send you cigs. Thanks, but I can afford Cuban cigars. I'm selling setups like the above for a very nice fee. And this is the kiddie version of serious tax planning. After all, Mr. May would still pay taxes on his domestic spending. X From stewarts at ix.netcom.com Sat May 11 08:21:10 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 11 May 1996 23:21:10 +0800 Subject: Penet-style web remailer? Message-ID: <199605111054.DAA20508@toad.com> At 09:17 PM 5/8/96 EDT, "E. ALLEN SMITH" wrote: > As a result of scanning through the Nando Times' > (http://www.nando.net/nt/) Infotech section, I came across a piece on email > with the following address: http://noah.pair.com/anon.html. It appears to > be sort of a penet-style anonymous remailer, only without return messages.
> Anyone know anything else about it? Of course, given the number of web > interfaces to fully anonymous remailers, I wouldn't encourage anyone > to use it. Well, if you look at the remailer part of the web page, it's just one of many web pages that are a form interface to a remailer CGI program. Basically a friendly way to use a standard 1-way Cypherpunks remailer. The guts of the page (from View Source) are use replay's CGI and the ecafe remailer:
to:
subject:
There is an amusing stealthed message at the bottom of the page, designed to attract high relevancy ratings from spiders..... # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 # goodtimes signature virus innoculation From stewarts at ix.netcom.com Sat May 11 08:37:39 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 11 May 1996 23:37:39 +0800 Subject: Penet-style web remailer? Message-ID: <199605111059.DAA20623@toad.com> > http://noah.pair.com/anon.html. Oh, forgot to add that it's also got a mailto: for anon at noah.pair.com, so it is running its own remailer as well as pointing to another remailer's CGI. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 # goodtimes signature virus innoculation From matts at pi.se Sat May 11 08:39:36 1996 From: matts at pi.se (Matts Kallioniemi) Date: Sat, 11 May 1996 23:39:36 +0800 Subject: Remailer in a box Message-ID: <2.2.32.19960511105220.003ad7d0@mail.pi.se> -----BEGIN PGP SIGNED MESSAGE----- At 17:39 1996-05-10 EDT, E. ALLEN SMITH wrote: >Yes, for the cryptographic purposes. It doesn't make much difference >on the juristictional end of things - I'd need to locate a UNIX account >in another country for that. Hmm... possible. > -Allen Anybody who want's an anonymous shell account in Sweden, send me MTB ecash and I'll get an account opened for you with a local ISP. Sweden has the best Internet access outside North America. A 34 Mbps line to the US, soon to be upgraded to 155 Mbps! 
Matts From jk at stallion.ee Sat May 11 10:24:23 1996 From: jk at stallion.ee (Jüri Kaljundi) Date: Sun, 12 May 1996 01:24:23 +0800 Subject: distinctive properties of ecash, netbill, cybercash and iKP In-Reply-To: <161@fzl.win-uk.net> Message-ID: Sat, 11 May 1996, Jon Moore wrote: > Bert-Jan said: > > >· Monetary value: it must be backed by either cash (currency), bank > >authorized credit, or a bank-certified cashier's check, so that it is > >easily accepted by others.
> > The banks/cash-issuing corporations are likely to support anything > that is secure enough, and looks like a runner, because any e-money > scheme is profitable to them (they earn interest on the > corresponding real cash while the e-money is in circulation). This is one question why the central bank in Estonia (I am not sure about other countries) does not allow issuing e-cash here in Estonia. While the banks issue e-cash to people, they get some real cash from people. This leads to actually doubling the money in circulation, each monetary unit, either dollar or kroon, can at the same time be used by owner of e-cash and at the same time by the bank. The central banks are afraid that when the amount of e-cash in circulation gets big, this could lead to devaluation of money, especially a small country like Estonia is afraid of such development. Anonymity of monetary transactions is another thing that Bank of Estonia has declared illegal. Juri Kaljundi jk at stallion.ee AS Stallion From alanh at infi.net Sat May 11 10:59:03 1996 From: alanh at infi.net (Alan Horowitz) Date: Sun, 12 May 1996 01:59:03 +0800 Subject: Why I Pay Too Much in Taxes In-Reply-To: <01I4JVOF385S8Y5AN2@mbcl.rutgers.edu> Message-ID: There's no particular need for tax fraud, except by little guys. The big guys have lots of legal techniques. A prime example was the notorious $1000->$100,000 cattle futures transaction that Hillary Rodham Clinton did, just before entering the White House. Clearly, it wasn't an investment: it was a scheme to let some rich Arkansas guy pay a bribe - legally. A cooperative broker sets up a "short" position and a "long" position on a trade - then the positions get assigned, after the market has made its move, such that the guy "loses" the $100k and Hillary "has a profit".
From usura at replay.com Sat May 11 12:22:33 1996 From: usura at replay.com (Alex de Joode) Date: Sun, 12 May 1996 03:22:33 +0800 Subject: Hacktic remailer shutdown Message-ID: <199605111518.RAA18105@basement.replay.com> -rich sez: : > Is there any information available on why the Hacktic remailer was shut : > down? : Church of Scientology. Someone posted too many Secret Scriptures, it : seems. The details, nobody has shared. Conspiracy theories, galore, but I : have faith in their judgement and commitment to free speech and anonymity. : I'm sure it was a tough decision. : Btw, I don't believe it has shut down yet. Rather, the operators announced : that due to "recent events," there would be a planned shutdown on May : 20th. : I *would* like to know if the mail2news gateway is going down in addition : to the remailer. I'm assuming that it is. utopia.hacktic.nl is currently MX'ed to basement.replay.com, and the mail2news gateway has been installed there to. mail2news at utopia.hacktic.nl will work as long as utopia is MX'ed so one better use the one installed directly by mailing your posts to mail2news at basement.replay.com. bEST Regards, -- -AJ- From unicorn at schloss.li Sat May 11 12:54:49 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 12 May 1996 03:54:49 +0800 Subject: Why I Pay Too Much in Taxes In-Reply-To: <199605111005.DAA28141@infinity.c2.org> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sat, 11 May 1996, Anonymous User wrote: > Black Unicorn wrote: > >In this case the people paying the offshore company for Mr. May's services > >are also subject to reporting requirements and a 30% withholding tax for > >which they will be held liable. > > Nobody pays offshore for Mr. May. Except see footnote 1. > They pay a domestic corporation for his > services. The corporation pays Mr. May a sufficient taxable salary for his > domestic expenses. Footnote 1: > Anything above that (i.e. money that Mr. 
May don't need > right now) is paid to the offshore entity as (for instance) deductible license > fees. Looks like someone paying offshore for Mr. May to me. Again, 30% withholding requirement unless you intend to hide it. The only way to avoid this is to conceal Mr. May's involvement. I really suggest you read some U.S. tax code provisions. > The payment should probably go to a jurisdiction with a double taxation > agreement with the US, like Holland or Ireland. In Ireland it's easy to setup > a tax free corporation that sends all it's income to an offshore trust, where > the money stays until Mr. May needs them. Such a jurisdiction will have extensive information sharing provisions with the United States. If you're planning on secrecy, avoid jurisdictions with tax treaties. Also note that payments to an account for which Mr. May is the beneficiary can trigger realization in several circumstances. In this case the offshore entity can easily be classified as a Foreign Personal Holding Company. The resulting assets will be taxed per Subpart F income. (i.e. without regard to their distribution). If the offshore entity is held by U.S. stockholders it is going to cause major problems. If not it still has major problems. What you fail to mention is that in the event Mr. May actually holds the assets until his retirement, he will still have to deal with realization and full taxation when he taps into the funds. You also fail to mention the reporting requirements for U.S. citizens holding offshore assets of significant size. Because this plan can't seem to decide if it is secret or not, it has serious shortcomings. > >This adds the requirement that the individuals or corporations receiving > >Mr. May's service be involved in this conspiracy. If they could have > >been, why do you need the offshore connection? Why not just conspire with > >them to pay Mr. May in cash and not report it? 
> > They just deal with the vice president of a typical domestic consulting > corporation. That the CEO of the company is an alcoholic living on a park > bench (for the ultra cheep setup) is nobody's business. He's on permanent > vacation for all they care. The example given looked to take advantage of large numbers of fictitious employees all participating in the endeavor. This is foolish. Even in your example above, secrecy is poorly thought out. Either it is a tax avoidance plan, or it is a tax evasion plan. Which is it? Practically speaking I think you have merely altered the plan to adjust for my comments and are stuck between both fact scenerios now. > >If your above scheme is intended merely to conceal funds it is a fairly > >poor example as it depends on the secrecy of each and every 'employee' of > >the company. > > Only one individual and he's too drunk to remember anything. See above. See also foreign personal holding company and passive income provisions. Wherever Mr. May sends his money it is still subject to taxation in the United States if Mr. May is a citizen. Structuring the payments to an offshore entity in an attempt to avoid taxation on those payments is an attempt to get the IRS to honor form over substance. Good luck. > >Continue your participation in such a plan. I will send you cigs. > > Thanks, but I can afford Cuban cigars. I'm selling setup's like the above for > a very nice fee. Caveat emptor. (What's the name of your firm by the way? Or do you prefer to keep it concealed? I would think you'd advertize it here if you had anything worth selling). Your ilk, (other examples of which can be found in the back of The Economist, and Soldier of Fortune), are a small step above "get rich quick" types. Off the shelf companies and trusts have their uses but anyone proposing to sell a standard tax avoidance/evasion setup off the shelf should trigger major alarm bells. Cuban's will serve you better in a federal country club than cigs, this I admit. 
> And this is the kiddie version of serious tax planning. After > all, Mr.May would still pay taxes on his domestic spending. I think calling this any kind of version of serious tax planning is inaccurate. > X --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From ses at tipper.oit.unc.edu Sat May 11 15:47:41 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sun, 12 May 1996 06:47:41 +0800 Subject: The perfect IPO Message-ID: Secure Fingerprint verification over the World Wide Web in Java. So cutting edge, I haven't even installed powerpoint yet. Simon --- Cause maybe (maybe) | In my mind I'm going to Carolina you're gonna be the one that saves me | - back in Chapel Hill May 16th. And after all | Email address remains unchanged You're my firewall - | ........First in Usenet......... From bryce at digicash.com Sat May 11 16:58:19 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Sun, 12 May 1996 07:58:19 +0800 Subject: need nym-differentiation, perpetual motion, and FTL travel please Message-ID: <199605111821.UAA06757@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- Hi. I was thinking as I stood in the lunch line talking with Arnaud that what I like about pseudonymity is the part about being free from the threat of violence. I _don't_ like the part about being able to have multiple identities nearly as much.
It would really please me if I could figure out a way to reliably determine that Alicenym is not the same human as Bobnym without compromising the anonymity of the human(s) behind Alicenym and Bobnym. (Since if their anonymity was thus compromisable, they would be susceptible to the threat of violence.) Unfortunately I can't think of a good way to have both pseudonymity and nym-differentiation. I think that it is possible, however. Can anyone suggest a mechanism? Regards, Bryce From abostick at netcom.com Sat May 11 17:00:00 1996 From: abostick at netcom.com (Alan Bostick) Date: Sun, 12 May 1996 08:00:00 +0800 Subject: distinctive properties of ecash, netbill, cybercash and iKP In-Reply-To: Message-ID: <+kMlx8m9LQfO085yn@netcom.com> -----BEGIN PGP SIGNED MESSAGE----- In article , Jüri Kaljundi wrote: > > Sat, 11 May 1996, Jon Moore wrote: > > The banks/cash-issuing corporations are likely to support anything > > that is secure enough, and looks like a runner, because any e-money > > scheme is profitable to them (they earn interest on the > > corresponding real cash while the e-money is in circulation). > > This is one question why the central bank in Estonia (I am not sure about > other countries) does not allow issuing e-cash here in Estonia. While the > banks issue e-cash to people, they get some real cash from people. This > leads to actually doubling the money in circulation, each monetary unit, > either dollar or kroon, can at the same time be used by owner of e-cash > and at the same time by the bank.
The central banks are afraid that when > the amount of e-cash in circulation gets big, this could lead to > devaluation of money, especially a small country like Estonia is afraid of > such development. Good heavens! Are checking accounts illegal in Estonia, then? The exact same argument applies to them. > > Anonymity of monetary transactions is another thing that Bank of Estonia > has declared illegal. Cash is illegal, too! How does the economy in Estonia work these days? Barter? - -- Alan Bostick | "The thing is, I've got rhythm but I don't have mailto:abostick at netcom.com | music, so I guess I could ask for a few more news:alt.grelb | things." (overheard) http://www.alumni.caltech.edu/~abostick From richieb at teleport.com Sat May 11 17:11:08 1996 From: richieb at teleport.com (Rich Burroughs) Date: Sun, 12 May 1996 08:11:08 +0800 Subject: [Yadda Yadda Heil Dave] Re: Rich is leaving for thetapunks Message-ID: <2.2.32.19960511190720.00753268@mail.teleport.com> At 08:04 PM 5/10/96 -0700, you wrote: >If I didn't know him better, I'd have thought that Dave had entirely >missed my sarcasm. Thanks for the laugh, Skippy! LOL. Dave, don't believe what you read on theta.com... ;) >-rich > FUCKING SCIENTOLOGIST* > > * - FUCKING SCIENTOLOGIST is a registered trademark of the Religious > Technology Center You know it. All of you copyright terrorists who keep infringing on RTC's trademarks by using the word Freed*m will pay, too, I can assure you...
Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From perry at piermont.com Sat May 11 17:31:06 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 12 May 1996 08:31:06 +0800 Subject: need nym-differentiation, perpetual motion, and FTL travel please In-Reply-To: <199605111821.UAA06757@digicash.com> Message-ID: <199605111906.PAA07461@jekyll.piermont.com> bryce at digicash.com writes: > Unfortunately I can't think of a good way to have both > pseudonymity and nym-differentiation. I think that it is > possible, however. Can anyone suggest a mechanism? Terminals which genetically sample their users? Seriously, the problem, as stated, is thoroughly impossible to solve in the real world. Anyone can pretend to be anyone in the non-cyberspace world -- how can you stop them on the net? .pm From bryce at digicash.com Sat May 11 17:40:51 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Sun, 12 May 1996 08:40:51 +0800 Subject: need nym-differentiation, perpetual motion, and FTL travel please In-Reply-To: <199605111906.PAA07461@jekyll.piermont.com> Message-ID: <199605111923.VAA07367@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- The entity calling itself "Perry Metzger" is alleged to have written: > bryce at digicash.com writes: > > Unfortunately I can't think of a good way to have both > > pseudonymity and nym-differentiation. I think that it is > > possible, however. Can anyone suggest a mechanism? > > Terminals which genetically sample their users? I hate hardware solutions. I'm a software guy. :-) > Seriously, the problem, as stated, is thoroughly impossible to solve > in the real world. Anyone can pretend to be anyone in the > non-cyberspace world -- how can you stop them on the net? 
Okay having said I couldn't think of a good way, I'll go
ahead and suggest a way.

Let's assume that it is possible to stop people from
pretending to be anyone in Real Life(tm). (It is possible.)

Now let's collect N people and form a Dining-Cryptographers'
net. Once the Dining-Cryptographers' net is up-and-running
let's put out a call for each of the N participants to
announce a public key which will be their nym from now on.
Assuming that you get N public keys, you can have _some_
degree of assurance that there is a one-to-one mapping
between pubkeys/nyms and humans on the DC-Net.

Voila. It's weak and complicated, so I wouldn't call it a
"good way", but it _is_ a way to have both pseudonymity and
nym-differentiation.

Now that I've done this part, would someone else handle the
perpetual motion, FTL travel, cold fusion and so forth?
Thanks.

Regards,

Bryce

From perry at piermont.com Sat May 11 18:08:34 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Sun, 12 May 1996 09:08:34 +0800
Subject: need nym-differentiation, perpetual motion, and FTL travel please
In-Reply-To: <199605111923.VAA07367@digicash.com>
Message-ID: <199605111942.PAA07516@jekyll.piermont.com>

bryce at digicash.com writes:
> Okay having said I couldn't think of a good way, I'll go
> ahead and suggest a way.
>
> Let's assume that it is possible to stop people from
> pretending to be anyone in Real Life(tm). (It is possible.)

How? Identity police taking genetic samples from every person on the
planet six times a day? Even that can't prevent me from going to a
corner pay phone and calling someone and saying I am Ignatz Ratkin.

> Now let's collect N people and form a Dining-Cryptographers'
> net. Once the Dining-Cryptographers' net is up-and-running
> let's put out a call for each of the N participants to
> announce a public key which will be their nym from now on.
> Assuming that you get N public keys, you can have _some_
> degree of assurance that there is a one-to-one mapping
> between pubkeys/nyms and humans on the DC-Net.

And how do you catch the person who tries to send out two keys?

.pm

From dlv at bwalk.dm.com Sat May 11 18:32:44 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Sun, 12 May 1996 09:32:44 +0800
Subject: distinctive properties of ecash, netbill, cybercash and iKP
In-Reply-To: <+kMlx8m9LQfO085yn@netcom.com>
Message-ID:

abostick at netcom.com (Alan Bostick) writes:
> >
> > This is one question why the central bank in Estonia (I am not sure about
> > other countries) does not allow issuing e-cash here in Estonia. While the
> > banks issue e-cash to people, they get some real cash from people. This
> > leads to actually doubling the money in circulation, each monetary unit,
> > either dollar or kroon, can at the same time be used by owner of e-cash
> > and at the same time by the bank. The central banks are afraid that when
> > the amount of e-cash in circulation gets big, this could lead to
> > devaluation of money, especially a small country like Estonia is afraid of
> > such development.
>
> Good heavens! Are checking accounts illegal in Estonia, then? The exact
> same argument applies to them.

Well, checking accounts and travellers checks are all part of the M1
money supply. :-)

---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

From bryce at digicash.com Sat May 11 20:02:48 1996
From: bryce at digicash.com (bryce at digicash.com)
Date: Sun, 12 May 1996 11:02:48 +0800
Subject: found nym-differentiation! Still need perpetual motion, FTL travel, cold fusion
In-Reply-To: <199605111942.PAA07516@jekyll.piermont.com>
Message-ID: <199605112023.WAA08121@digicash.com>

-----BEGIN PGP SIGNED MESSAGE-----

- -----BEGIN PGP SIGNED MESSAGE-----

The entity calling itself "Perry Metzger" is alleged to have written:
> bryce at digicash.com writes:
> > Okay having said I couldn't think of a good way, I'll go
> > ahead and suggest a way.
> >
> > Let's assume that it is possible to stop people from
> > pretending to be anyone in Real Life(tm). (It is possible.)
>
> How? Identity police taking genetic samples from every person on the
> planet six times a day?

Sure: genetic samples and biometric ID in general, collected
by identity police, by "IsAPerson" credential-distribution
organizations, and by your friends and family who hang out
with you all the time.

This prevents, for example, me from pretending to be Arnaud
Sahuguet when I'm talking to Berry Schoenmakers, since Berry
has gathered a lot of biometric information about Arnaud and
about me, such as how we look, sound and (?) smell.

That kind of impersonation-prevention within a given set of
people is all I need to bootstrap my cool
nyms-without-doublenyms system described below.

(As an aside Berry can also differentiate Arnaud from me by
non-biometric information like the fact that Arnaud speaks
better French than I do. On the net, however, it is easier
to pretend to speak French.)

> > Now let's collect N people and form a Dining-Cryptographers'
> > net. Once the Dining-Cryptographers' net is up-and-running
> > let's put out a call for each of the N participants to
> > announce a public key which will be their nym from now on.
> > Assuming that you get N public keys, you can have _some_
> > degree of assurance that there is a one-to-one mapping
> > between pubkeys/nyms and humans on the DC-Net.
>
> And how do you catch the person who tries to send out two keys?

Simple as pie, because of some of the properties of DC-Nets.
If someone sends out the wrong number of pubkeys, then
everyone will know, right? So when that happens everyone
just reveals their shared-secret data from the DC-Net
session. This makes everything that happened during that
session public. The disruptor is kicked out of the nym club
and we back up a step and generate new pubkeys for
ourselves.

I'm getting rather interested in DC-Nets. I don't suppose
anyone has gone ahead and invented a protocol for DC-Net
conversations? It is a _really_ interesting problem,
because of the strange requirements of DC-Nets (such as
having denial-of-service prevention in the networking layer,
and the fact that it is shared-media even up at the network
layer) and because of their efficiency (/scalability)
problems.

Regards,

Bryce

From EALLENSMITH at ocelot.Rutgers.EDU Sat May 11 20:09:21 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sun, 12 May 1996 11:09:21 +0800
Subject: Publicity on PICS
Message-ID: <01I4L8WIK8YI8Y5CGR@mbcl.rutgers.edu>

Whoops... I misread the press release from the ACLU. The judges haven't
made such a decision yet, unfortunately. Sorry.
-Allen

From perry at piermont.com Sat May 11 20:56:28 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Sun, 12 May 1996 11:56:28 +0800
Subject: found nym-differentiation! Still need perpetual motion, FTL travel, cold fusion
In-Reply-To: <199605112023.WAA08121@digicash.com>
Message-ID: <199605112302.TAA07610@jekyll.piermont.com>

bryce at digicash.com writes:
> > How? Identity police taking genetic samples from every person on the
> > planet six times a day?
>
> Sure: genetic samples and biometric ID in general, collected
> by identity police,

I doubt that will work even were it implemented. Every phone on the
planet and terminal would need to constantly do biometric analysis of
every user, and even then people could program their terminals to lie.

> > > Now let's collect N people and form a Dining-Cryptographers'
> > > net. Once the Dining-Cryptographers' net is up-and-running
> > > let's put out a call for each of the N participants to
> > > announce a public key which will be their nym from now on.
> > > Assuming that you get N public keys, you can have _some_
> > > degree of assurance that there is a one-to-one mapping
> > > between pubkeys/nyms and humans on the DC-Net.
> >
> > And how do you catch the person who tries to send out two keys?
>
> Simple as pie, because of some of the properties of DC-Nets.
> If someone sends out the wrong number of pubkeys, then
> everyone will know, right? So when that happens everyone
> just reveals their shared-secret data from the DC-Net
> session.

And if several people lie about their shared secrets?

Really, you aren't thinking nearly deviously enough.

Perry

From ses at tipper.oit.unc.edu Sat May 11 21:14:35 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Sun, 12 May 1996 12:14:35 +0800
Subject: need nym-differentiation, perpetual motion, and FTL travel please
In-Reply-To: <199605111821.UAA06757@digicash.com>
Message-ID:

This is one of the features in the forthcoming release of Comparichino,
the world's first java compatible internet-secure biometric device. nyms
are generated by xoring your key fingerprint with your index fingerprint.
Simon

---
Cause maybe (maybe)                   | In my mind I'm going to Carolina
you're gonna be the one that saves me | - back in Chapel Hill May 16th.
And after all                         | Email address remains unchanged
You're my firewall -                  | ........First in Usenet.........

From EALLENSMITH at ocelot.Rutgers.EDU Sat May 11 21:20:35 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sun, 12 May 1996 12:20:35 +0800
Subject: Penet-style web remailer?
Message-ID: <01I4LAJIIHO48Y5CGR@mbcl.rutgers.edu>

From: IN%"stewarts at ix.netcom.com" "Bill Stewart" 11-MAY-1996 06:53:43.98

>Well, if you look at the remailer part of the web page, it's just
>one of many web pages that are a form interface to a remailer CGI program.
>Basically a friendly way to use a standard 1-way Cypherpunks remailer.

Yes... but he does appear to keep track of the log file; he had up the
name of someone who allegedly misused it a few days ago. He states: "If
this remailer is used for something illegal, it can be traced. Also, if
people use it to insult me, I will probably want to look in the logs and
find out who it is!"

>There is an amusing stealthed message at the bottom of the page,
>designed to attract high relevancy ratings from spiders.....

Have people never heard of the "keyword" meta header?
-Allen

From mixmaster at remail.ecafe.org Sat May 11 21:22:41 1996
From: mixmaster at remail.ecafe.org (Ecafe Mixmaster Remailer)
Date: Sun, 12 May 1996 12:22:41 +0800
Subject: Why I Pay Too Much in Taxes
Message-ID: <199605112205.XAA27784@pangaea.hypereality.co.uk>

Black Unicorn wrote:

>Looks like someone paying offshore for Mr. May to me. Again, 30%
>withholding requirement unless you intend to hide it.

You just don't get it, do you. The offshore payment is for licensing
(or computer operations, consulting advice, buying worthless software,
investment in penny stocks, use your imagination...) It has NOTHING
to do with Mr. May.
Those payments are something that the (drunk) CEO
decided on and he is completely responsible for it. Why he ordered all
those expensive services before he left on permanent vacation is
anybody's guess.

>The only way to avoid this is to conceal Mr. May's involvement.

Right!

>Also note that payments to an account for which Mr. May is the
>beneficiary can trigger realization in several circumstances.

The beneficiary is a trustee that doesn't ask too many questions.
There are plenty of those available.

>You also fail to mention the reporting requirements for U.S. citizens
>holding offshore assets of significant size.

"Laws are for people who can't think for themselves."

>Either it is a tax avoidance plan, or it is a tax evasion plan.
>Which is it?

A little of both, to confuse the enemy.

>Practically speaking I think you have merely altered the plan to
>adjust for my comments and are stuck between both fact scenarios now.

Nothing altered. I just didn't explain it in too much detail before.
There are still details left out (like how to find a cooperative CEO,
offshore bank and trustee).

This is an extremely cheap setup. For most high bracket wage earners it
could break even in the first month or two. Once the structure is in
place it doesn't cost any more.

To stop paying taxes completely you would need to lower your taxable
profile slowly. If you already have enough money in the bank for your
living style, you could take out a significantly smaller salary. If the
tax man asks what happened to your high income, you explain that you
lost your old job and had to accept a less attractive offer. That can
happen to anybody.

>I would think you'd advertize it here if you had anything worth selling

The problem with selling services like this is that any buyer with half
a brain worries that it is a sting operation. Therefore the customers
are mostly friends and acquaintances.
>Off the shelf companies and trusts have their uses but anyone proposing
>to sell a standard tax avoidance/evasion setup off the shelf should
>trigger major alarm bells.

I agree completely. This is not an advertisement, just a chat on the
theory of tax planning in the modern day of worldwide strong encryption.
Today it is easier to communicate with an offshore trustee than it has
ever been before. Just keep your pass phrase away from the tax man and
you'll be fine.

X

From EALLENSMITH at ocelot.Rutgers.EDU Sat May 11 21:22:44 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sun, 12 May 1996 12:22:44 +0800
Subject: Mandatory Voluntary Self-Ratings
Message-ID: <01I4L9W7VMMW8Y5CGR@mbcl.rutgers.edu>

From: IN%"vznuri at netcom.com" "Vladimir Z. Nuri" 11-MAY-1996 03:38:35.85

>the idea with the rating system is that the rating signs the signature
>of the page, which is itself digitally hashed or something. in other
>words, the rating is on the "state" of a page at some time. the system
>would at least be able to detect a change in the state of a page,
>and inform the user that a rating may no longer be valid due to obsolescence.
>but you are correct that page changes are probably more problematic
>for market ratings than self-ratings.

One wonders what their hashing method would be. If it's not very
cryptographically secure, one could (via selection of image file names,
comments, etcetera) cause it to be the same hash for a very different
set of images. (A Fun With Animals page from riding lesson photos to
bestiality, for instance.)

>2. will self-ratings be deliberately misused by people protesting the
>system? will it be a problem?

And how are you defining "misuse"? If the system is not good, then
rating something differently than how the system says it should be is
using it properly, not improperly.
-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Sat May 11 21:34:22 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sun, 12 May 1996 12:34:22 +0800
Subject: Publicity on PICS
Message-ID: <01I4L80J7EDS8Y5CGN@mbcl.rutgers.edu>

From: IN%"reagle at mit.edu" "Joseph M. Reagle Jr." 10-MAY-1996 02:18:58.44

>From: IN%"EALLENSMITH at mbcl.rutgers.edu" "E. ALLEN SMITH"

> It is _very_ confusing to follow though.

>>CompuServe, Microsoft, Prodigy and Netscape Communications will soon give
>>their customers software enabling them to block access to material they
>>judge objectionable on the Internet's Worldwide Web.

> Consider that Compuserve had a deal with SurfWatch, which was
>incorporated in its "Internet" in a box, with a lot of Spry goodies. Now
>Surfwatch has been purchased by Spyglass (a competitor of Spry). Also,
>Compuserve offers RSACi services through CyberPatrols RSACi compliance (got
>some weird derivative and cross-licensing works going on here!) and urges
>its users and 3rd party people to use RSACi...

I don't suppose that someone at Netscape can give us more information on
this than is currently out there? All we've seen so far are the press
reports, which are often inaccurate.
-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Sat May 11 21:35:12 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sun, 12 May 1996 12:35:12 +0800
Subject: Mandatory Voluntary Self-Ratings
Message-ID: <01I4LA5X6L8E8Y5CGR@mbcl.rutgers.edu>

From: IN%"vznuri at netcom.com" "Vladimir Z. Nuri" 11-MAY-1996 04:32:46.80

>From: TCMay
>>If a system gets built into the WWW, as with proposals for PICS, it _will_
>>be used by those who want to control content. We should think twice before
>>helping in any way.

>I agree with your hesitation totally. I can easily see how the system
>would be twisted in unspeakable ways. but I can see a lot of very
>powerful positive uses too. as long as the best attempts are made to
>discourage the former and encourage the latter... again, there is a
>question that the future might turn out to be more orwellian if no
>action is taken by internet designers whatsoever. I tend to believe
>that view.

It currently appears that both groups doing PICS ratings are doing it in
a way that very much promotes unethical usage (by those wishing to
control content). This does not bode well for future uses of it.

>>(No, I'm not _against_ private ratings services...but this has little to do
>>with _me_, and I won't participate. More importantly, I won't have my
>>content have any kind of tag attached!

>notice that what you demand is wholly irrelevant. if you put something
>out in the public, in a world of free speech, anyone is free to
>rate your posting, or your opinions, etc.-- they just set a system
>that refers to the message-id of your posts or something.

>if what you are instead saying is that you will never insert your
>own tags into your content, well that is something you have control
>over. but you have absolutely no control over what people "attach"
>to your posts in a "virtual" sense. anyone could set up the
>TCMay Rating Service and register ratings on everything you post in
>public.

However, one can do things to disrupt the rating system. Until we've got
true AI, a web spider will be able to find and classify a newly-re-URLed
page a lot faster than the rating people are able to find it -
especially if one goes ahead and submits the web page to all the search
engines every time you reclassify it. A search engine could turn over
all new pages to be rated - but that would slow them down a lot, and
other search engines would be used more because they'd be more up to
date. If you have some ratings services that you like -
market-determined ones, for instance - you can let them know the new URL
also.

The above is a bit harder for ratings of USENET posts and mailing list
messages, but there are so many of those that they'll be hard for a
rating service to keep up with.
-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Sat May 11 21:52:45 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sun, 12 May 1996 12:52:45 +0800
Subject: Publicity on PICS
Message-ID: <01I4L8TE6OIS8Y5CGR@mbcl.rutgers.edu>

From: IN%"vznuri at netcom.com" "Vladimir Z. Nuri" 11-MAY-1996 00:25:38.47

>From: IN%"EALLENSMITH at mbcl.rutgers.edu" "E. ALLEN SMITH"
>>>The system depends for its ratings on voluntary compliance by Internet
>>>providers.

>ugggghghghghg. not my ideal use of PICS. I hope that people don't
>begin to believe that PICS is this system.

Oh? Look at the second method listed for means of getting PICS ratings.
From the ISP, essentially.

>>>But there is no way to use the system to seek out pornography or violence on
>>>the web, officials insisted.

>I don't know why that would be a problem.

That they mentioned this is perhaps an indication that they aren't
exactly on the side of anyone except pro-censorship parents.

>>>"To content-providers, I would say, 'Rate your sites' To parents I would
>>>say, 'Set the levels for your children.' And to governments, I would say
>>>humbly, 'Think again before censoring the net,"' Stephen Balkam, executive
>>>director of the Recreational Software Advisory Council, told a news
>>>conference.
>>
>> Note again the pressure for self-rating.

>"content-providers" != internet providers. that former is OK. the
>latter is a horrible nightmare. please, please, please,

I'd call both a problem, when you're using a system that is meant for
censorship purposes as opposed to finding-stuff purposes. If it's a
system for finding stuff, then the content provider should be involved;
it will vary whether the ISP should be involved (that can be left up to
the individual ISP).

>> Whatever became of market-ratings? Admittedly, they may mean that each
>>country will be encouraged to give an example system... but I still don't
>>like the idea of government involvement.

>the government becomes just another rating agency. I don't like it either.
>but as long as we emphasize, "the individual always has the ultimate
>decision", which fortunately this press release does,
>little can go awry, hopefully.

They try to emphasize individual - or actually, parental - decision, but
they seem to have entirely forgotten about the use of this system by
governmental censors. It can be used for such either for preemptive
censorship (a Chinese firewall) or for spotting people to arrest when
you start up censorship. If the government gets involved in doing a
rating system, then it can better start doing things like mandating that
particular material be rated or you're up on "corrupting a minor". The
recent CDA decision (thank you, all plaintiffs, lawyers, judges, and
God) does emphasize that mandatory rating isn't constitutional... but
A. the Supreme Court may not be as sensible (God forbid) and B. other
countries may have other ideas.
-Allen

From jf_avon at citenet.net Sat May 11 22:59:55 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Sun, 12 May 1996 13:59:55 +0800
Subject: Again: [hrdware] anti-Tempest video settings
Message-ID: <9605120112.AA02225@cti02.citenet.net>

> It won't make any difference to the potential attacker.
> His aim is to recover the text/shapes of what you are displaying. He
> is not generally concerned with the "niceness" of the display, but
> rather the contents.

But of course. But what I want to know is: is there some combination
of display colors that will be visible for the eye, but not for the
Tempest equipment?

> Also, many guns - red, blue, green actually do
> radiate on slightly different frequencies, allowing differentiation
> of signals - due to the slightly different physical geometry of the
> guns themselves.

That might answer it. I suppose that if some "stealth" settings
exists, they are highly hardware dependent.

My question was not "would it work in all instances?" but rather "had
this tactic been implemented successfully in *some* instances?"
Or, to the contrary, is it reasonable to assume that modern Tempest equipment can
work around these impediments almost all of the time, therefore
making any attempts at this futile?

Regards

JFA

PGP key ID# C58ADD0D at: http://w3.citenet.net/users/jf_avon
Key Fingerprint: 529645E8205A8A5E F87CC86FAEFEF891
Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have
accepted the above mentioned terms.

From daemon at anon.penet.fi Sun May 12 00:28:35 1996
From: daemon at anon.penet.fi (daemon at anon.penet.fi)
Date: Sun, 12 May 1996 15:28:35 +0800
Subject: Reply to anonymous ping.
Message-ID: <9605120249.AA10440@anon.penet.fi>

Your code name is: an611909 at anon.penet.fi.

From daemon at anon.penet.fi Sun May 12 01:02:58 1996
From: daemon at anon.penet.fi (System Daemon)
Date: Sun, 12 May 1996 16:02:58 +0800
Subject: Anonymous code name allocated.
Message-ID: <9605120249.AA10423@anon.penet.fi>

You have sent a message using the anon.penet.fi anonymous forwarding
service. You have been allocated the code name an611909. You can be
reached anonymously using the address an611909 at anon.penet.fi.

If you want to use a nickname, please send a message to
nick at anon.penet.fi, with a Subject: field containing your nickname.

For instructions, send a message to help at anon.penet.fi.

From alanh at infi.net Sun May 12 01:31:36 1996
From: alanh at infi.net (Alan Horowitz)
Date: Sun, 12 May 1996 16:31:36 +0800
Subject: Why I Pay Too Much in Taxes
In-Reply-To: <199605112205.XAA27784@pangaea.hypereality.co.uk>
Message-ID:

Wage earners - people who are the subjects of W-2 forms - are the class of
individuals who can't benefit from offshore maneuvers.

I believe the entry costs for a reliable offshore structure from a
reliable vendor - ie, one who keeps up with court cases and the Code of
Federal Regulations on a daily basis - is $50-100k. Ok for guys who own a
Dart Industries, but not the unwashed masses.
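
[Added example, not part of any list message: a toy model of the DC-net key-announcement round and the reveal-the-shared-secrets audit that Bryce and Perry argue over in the "nym-differentiation" messages above. The member names, slot layout, hash-derived pads, stand-in keys and every function name are assumptions made for the demonstration; slot reservation is assumed to have happened already.]

```python
import hashlib
import itertools

SLOT_BYTES = 8   # constructed: short stand-in for an announced public key
N_SLOTS = 6      # more slots than members, so an extra key has room
ZERO = bytes(SLOT_BYTES)

def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def xor_slots(xs, ys):
    return [xor(x, y) for x, y in zip(xs, ys)]

def toy_key(label):
    """Constructed placeholder for a public key (not a real key)."""
    return hashlib.sha256(label.encode()).digest()[:SLOT_BYTES]

def pad(i, j, session):
    """Secret shared by members i and j: one pad per slot.
    Assumption: derived from a hash of constructed labels so the demo is
    deterministic; a real net would agree on it privately."""
    a, b = sorted((i, j))
    stream = hashlib.shake_256(f"{session}|{a}|{b}".encode()).digest(
        N_SLOTS * SLOT_BYTES)
    return [stream[k * SLOT_BYTES:(k + 1) * SLOT_BYTES] for k in range(N_SLOTS)]

def broadcast(member, members, session, keys_by_slot):
    """What one member publishes: XOR of all their pads, with each key they
    announce XORed into its slot."""
    out = [ZERO] * N_SLOTS
    for other in members:
        if other != member:
            out = xor_slots(out, pad(member, other, session))
    for slot, key in keys_by_slot.items():
        out[slot] = xor(out[slot], key)
    return out

def combine(broadcasts):
    """Public result of the round: every pad appears twice and cancels,
    leaving only the announced keys, with no sender attached."""
    total = [ZERO] * N_SLOTS
    for b in broadcasts.values():
        total = xor_slots(total, b)
    return [s for s in total if s != ZERO]

def audit(members, broadcasts, revealed):
    """Fallback after a bad count: revealed[i][j] is the pad i claims to share
    with j. Returns (members whose own traffic carries more than one key,
    pairs whose two claims about the same pad disagree)."""
    disputed = sorted({tuple(sorted((i, j)))
                       for i, j in itertools.permutations(members, 2)
                       if revealed[i][j] != revealed[j][i]})
    multi = []
    for m in members:
        residue = broadcasts[m]
        for other in members:
            if other != m:
                residue = xor_slots(residue, revealed[m][other])
        if sum(1 for r in residue if r != ZERO) > 1:
            multi.append(m)
    return multi, disputed

def run_round(announcements, false_claim=None, session="constructed-session"):
    """announcements: member -> {slot: key}. false_claim=(who, about) makes
    `who` misreport the pad shared with `about` during the audit."""
    members = sorted(announcements)
    broadcasts = {m: broadcast(m, members, session, announcements[m])
                  for m in members}
    keys = combine(broadcasts)
    result = {"keys": len(keys), "accepted": len(keys) == len(members),
              "multi": [], "disputed": []}
    if result["accepted"]:
        return result            # N members, N keys: nobody reveals anything
    revealed = {i: {j: pad(i, j, session) for j in members if j != i}
                for i in members}
    if false_claim:
        who, about = false_claim
        slot = max(announcements[who])          # slot of who's extra key
        claim = list(revealed[who][about])
        claim[slot] = xor(claim[slot], announcements[who][slot])
        revealed[who][about] = claim
    result["multi"], result["disputed"] = audit(members, broadcasts, revealed)
    return result

# Constructed sample rounds: four members, slots already reserved.
HONEST = {name: {slot: toy_key(name)}
          for slot, name in enumerate(["alice", "bob", "carol", "dave"])}
TWO_KEYS = dict(HONEST, dave={3: toy_key("dave"), 4: toy_key("dave-second")})

if __name__ == "__main__":
    print(run_round(HONEST))
    print(run_round(TWO_KEYS))
    print(run_round(TWO_KEYS, false_claim=("dave", "alice")))
```

[The third round is the case Perry raises: once one pad claim is false, the audit no longer attributes the extra key and is left with a disputed pair, which it can flag but cannot resolve from the revealed pads alone.]
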

From jf_avon at citenet.net Sun May 12 01:38:31 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Sun, 12 May 1996 16:38:31 +0800
Subject: [hrdware] Is Tempest detecting only video?
Message-ID: <9605120409.AA09887@cti02.citenet.net>

On 11 May 96 at 20:35, jim bell wrote:

> I'm waiting for cheap flat-panel displays for desktop computers
> to arrive, because they will probably be almost impossible to
> detect usably by Tempest systems.

Does Tempest detect only the emission from the electron gun in the
monitor or can it get a usable "lock" on some other signals generated
within a computer?

As an example, can it grab the keystrokes? If the answer is yes, can
it do it:

a) rarely
b) occasionally
c) most of the time
d) almost all of the time
e) never

Could somebody knowledgeable in Tempest rate the various emissions
from a computer? (such as: keyboard, COM port, modem, lpt, video
signal (from the card), disk write, monitor emission, network comms,
etc)

Ciao

JFA

Just curious...

PGP key ID# C58ADD0D at: http://w3.citenet.net/users/jf_avon
Key Fingerprint: 529645E8205A8A5E F87CC86FAEFEF891
Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have
accepted the above mentioned terms.

From jf_avon at citenet.net Sun May 12 01:58:47 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Sun, 12 May 1996 16:58:47 +0800
Subject: Again: [hrdware] anti-Tempest video settings
Message-ID: <9605120422.AA10235@cti02.citenet.net>

On 12 May 96 at 13:51, Julian Assange wrote:

> Equipment
> capable of the latter would be extremely complicated and expensive
> to design and produce;

Even too expensive for entities with the power of taxation?

> I suspect there has been no call for it to
> date, given that if you are dealing with a target who understands
> the risks of van-eck they usually have shielding and or a faraday
> cage.

You have a point for big outfits.
But for small companies or
cypherpunks on a restricted budget, they also know that there is most
likely *no* shielding of any sort...

Regards

jfa

Why is it that govt employees make the best spouses?
Because after they come back from work, they are not tired and
they already read the newspapers.

PGP key ID# C58ADD0D at: http://w3.citenet.net/users/jf_avon
Key Fingerprint: 529645E8205A8A5E F87CC86FAEFEF891
Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have
accepted the above mentioned terms.

From proff at suburbia.net Sun May 12 01:59:29 1996
From: proff at suburbia.net (Julian Assange)
Date: Sun, 12 May 1996 16:59:29 +0800
Subject: Again: [hrdware] anti-Tempest video settings
In-Reply-To: <9605120112.AA02225@cti02.citenet.net>
Message-ID: <199605120351.NAA01349@suburbia.net>

> Or, to the contrary, is it reasonable to assume that modern Tempest equipment can
> work around these impediments almost all of the time, therefore
> making any attempts at this futile?
>
> Regards

Make a grey-scale cable by merging the RGB lines (AND the RGB return
lines). Do not use a standard grey scale cable, these are typically
intensity on green, which you do not want. Connect the cable and start
playing with your colour scheme. The effect you want to achieve is one
where all colours have the same intensity. When that happens your whole
screen should be a uniform grey area. Revert to the regular cable and
save your palette configuration.

I imagine this would be effective against all of the middle range
van-eck monitoring equipment. It will not be effective against equipment
that looks for phase distortion and signatures in an attempt to
discriminate against the three signals.
Equipment capable of the latter
would be extremely complicated and expensive to design and produce; I
suspect there has been no call for it to date, given that if you are
dealing with a target who understands the risks of van-eck they usually
have shielding and/or a faraday cage.

--
"Of all tyrannies a tyranny sincerely exercised for the good of its victims
may be the most oppressive. It may be better to live under robber barons
than under omnipotent moral busybodies. The robber baron's cruelty may
sometimes sleep, his cupidity may at some point be satiated; but those who
torment us for our own good will torment us without end, for they do so with
the approval of their own conscience." - C.S. Lewis, _God in the Dock_
+------------------------+--------------------+----------------------------------+
|Julian Assange RSO      | PO Box 2031 BARKER | Secret Analytic Guy Union        |
|proff at suburbia.net    | VIC 3122 AUSTRALIA | finger for PGP key hash ID =     |
|proff at gnu.ai.mit.edu  | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+------------------------+--------------------+----------------------------------+

From jimbell at pacifier.com Sun May 12 02:23:01 1996
From: jimbell at pacifier.com (jim bell)
Date: Sun, 12 May 1996 17:23:01 +0800
Subject: Again: [hrdware] anti-Tempest video settings
Message-ID: <199605120337.UAA32475@pacifier.com>

At 08:02 PM 5/11/96 +0000, Jean-Francois Avon wrote:

>Or, to the contrary, is it reasonable to assume that modern Tempest equipment can
>work around these impediments almost all of the time, therefore
>making any attempts at this futile?

It's probably worth investigating. Chances are good that as long as the
total beam current remains as constant as possible, the signal will be
much harder to interpret. One way to investigate this comparatively
easily is to measure the total power consumption of a monitor when the
screen is filled with different colors at different saturations, etc.
Supply the AC to the monitor through a 1-ohm resistor, measure the AC
voltage across the resistor to 1 mv accuracy or better, and you have a
pretty good way to distinguish different beam currents.

I'm waiting for cheap flat-panel displays for desktop computers to
arrive, because they will probably be almost impossible to detect usably
by Tempest systems.

Jim Bell
jimbell at pacifier.com

From weidai at eskimo.com Sun May 12 02:23:58 1996
From: weidai at eskimo.com (Wei Dai)
Date: Sun, 12 May 1996 17:23:58 +0800
Subject: Crypto++ 2.1
Message-ID:

Crypto++ 2.1 has just been released. You can find download instructions
on the Crypto++ home page at http://www.eskimo.com/~weidai/cryptlib.html.
Crypto++ is a free C++ class library of cryptographic primitives.

Changes made in version 2.1 include:

- added Tiger, HMAC, GOST, RIPE-MD160, LUCELG, LUCDIF, XOR-MAC,
  OAEP, PSSR, SHARK
- added precomputation to DH, ElGamal, DSA, and elliptic curve algorithms
- optimizations in elliptic curves over GF(p)
- changed Rabin to use OAEP and PSSR
- changed many classes to allow copy constructors to work correctly
- improved exception generation and handling

This is likely to be the last major revision of Crypto++. Future
versions will probably only be released for bug fixes and compliance to
new standards.

Wei Dai

P.S. A new set of benchmarks done using Crypto++ 2.1 is available at
http://www.eskimo.com/~weidai/benchmarks.txt.

From sandfort at crl.com Sun May 12 03:56:41 1996
From: sandfort at crl.com (Sandy Sandfort)
Date: Sun, 12 May 1996 18:56:41 +0800
Subject: Why I Pay Too Much in Taxes
In-Reply-To:
Message-ID:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SANDY SANDFORT
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C'punks,

On Sat, 11 May 1996, Alan Horowitz wrote:

> Wage earners - people who are the subjects of W-2 forms - are the class of
> individuals who can't benefit from offshore maneuvers.

Not true.
While they may not be able to use offshore techniques for their wage-slave jobs (though even that isn't always so), such techniques can be used to put money beyond the reach of their governments, to invest after-tax dollars and to engage in economic activities which might run afoul of home country laws and regulations.

S a n d y
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From matts at pi.se Sun May 12 03:57:26 1996
From: matts at pi.se (Matts Kallioniemi)
Date: Sun, 12 May 1996 18:57:26 +0800
Subject: Remailer in a box
Message-ID: <2.2.32.19960512073424.0091dd8c@mail.pi.se>

At 00:24 1996-05-12 -0700, Lucky Green wrote:
>May I suggest convincing that Swedish ISP to offer up a signup form
>accepting Ecash?

They probably will once the Post Bank gets going with ecash. Until then there are legal difficulties. Swedish online merchants can't even accept credit cards. They need an order in handwriting or voice before they can charge the card.

My offer was to open an account with any ISP, whether they accept ecash or not. I think that improves the anonymity of the account.

Matts

From shamrock at netcom.com Sun May 12 03:59:49 1996
From: shamrock at netcom.com (Lucky Green)
Date: Sun, 12 May 1996 18:59:49 +0800
Subject: found nym-differentiation! Still need perpetual motion, FTL travel, coldfusion
Message-ID:

At 19:02 5/11/96, Perry E. Metzger wrote:
>I doubt that will work even were it implemented. Every phone on the
>planet and terminal would need to constantly do biometric analysis of
>every user, and even then people could program their terminals to lie.

Telling your terminal to lie will be rather difficult once the CPU refuses to run an OS without proper signatures. The OS in turn won't run applications without such signatures. All commercial software has to undergo code review by CAs. Your machine won't even run anything but approved software. Should you think about keeping an old machine around that does, my advice would be: don't.
At least not unless you are willing to face the ten years prison term mandatory for such a computer crime.

Disclaimer: My opinions are my own, not those of my employer.

-- Lucky Green
PGP encrypted mail preferred.

From shamrock at netcom.com Sun May 12 04:02:41 1996
From: shamrock at netcom.com (Lucky Green)
Date: Sun, 12 May 1996 19:02:41 +0800
Subject: distinctive properties of ecash, netbill, cybercash and iKP
Message-ID:

At 16:40 5/11/96, Jüri Kaljundi wrote:
>This is one question why the central bank in Estonia (I am not sure about
>other countries) does not allow issuing e-cash here in Estonia. While the
>banks issue e-cash to people, they get some real cash from people. This
>leads to actually doubling the money in circulation, each monetary unit,
>either dollar or kroon, can at the same time be used by owner of e-cash
>and at the same time by the bank. The central banks are afraid that when
>the amount of e-cash in circulation gets big, this could lead to
>devaluation of money, especially a small country like Estonia is afraid of
>such development.

That's simply silly. The same argument would hold true for travelers checks. Are Estonian banks allowed to issue them? I thought so.

Disclaimer: My opinions are my own, not those of my employer.

-- Lucky Green
PGP encrypted mail preferred.

From shamrock at netcom.com Sun May 12 04:03:33 1996
From: shamrock at netcom.com (Lucky Green)
Date: Sun, 12 May 1996 19:03:33 +0800
Subject: Remailer in a box
Message-ID:

At 12:52 5/11/96, Matts Kallioniemi wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>At 17:39 1996-05-10 EDT, E. ALLEN SMITH wrote:
>>Yes, for the cryptographic purposes. It doesn't make much difference
>>on the jurisdictional end of things - I'd need to locate a UNIX account
>>in another country for that. Hmm... possible.
>> -Allen
>
>Anybody who wants an anonymous shell account in Sweden, send me MTB ecash
>and I'll get an account opened for you with a local ISP.
Sweden has the best
>Internet access outside North America. A 34 Mbps line to the US, soon to be
>upgraded to 155 Mbps!

May I suggest convincing that Swedish ISP to offer up a signup form accepting Ecash?

Disclaimer: My opinions are my own, not those of my employer.

-- Lucky Green
PGP encrypted mail preferred.

From furballs at netcom.com Sun May 12 04:51:38 1996
From: furballs at netcom.com (Paul S. Penrod)
Date: Sun, 12 May 1996 19:51:38 +0800
Subject: Why I Pay Too Much in Taxes
In-Reply-To:
Message-ID:

On Sat, 11 May 1996, Alan Horowitz wrote:

> There's no particular need for tax fraud, except by little guys. The big
> guys have lots of legal techniques. A prime example was the notorious
> $1000->$100,000 cattle futures transaction that Hillary Rodham Clinton
> did, just before entering the White House. Clearly, it wasn't an
> investment: it was a scheme to let some rich Arkansas guy pay a bribe -
> legally. A cooperative broker sets up a "short" position and a "long"
> position on a trade - then the positions get assigned, after the market
> has made its move, such that the guy "loses" the $100k and Hillary "has
> a profit".
>

The technique is called "parking", and it has been illegal for many years. Basically it requires at least 2 people to conduct the "resource shifting". Two accounts are established, one takes all losses against a commodity and the other gets the wins. This is rolled over almost exponentially by "pyramiding" contracts on margin. As such, the person or institution who requires the "loss" handles the losing account directly. The other account may or may not be handled by the first party, but they have access to it, or use an intermediary such as a broker to funnel the "wins" accordingly.

...Paul

From bryce at digicash.com Sun May 12 05:03:57 1996
From: bryce at digicash.com (bryce at digicash.com)
Date: Sun, 12 May 1996 20:03:57 +0800
Subject: found nym-differentiation!
Still need perpetual motion, FTL travel, cold fusion
In-Reply-To: <199605112302.TAA07610@jekyll.piermont.com>
Message-ID: <199605120836.KAA15055@digicash.com>

-----BEGIN PGP SIGNED MESSAGE-----

The entity calling itself "Perry Metzger" is alleged to have written:
(> Bryce wrote:)

> > Simple as pie, because of some of the properties of DC-Nets.
> > If someone sends out the wrong number of pubkeys, then
> > everyone will know, right? So when that happens everyone
> > just reveals their shared-secret data from the DC-Net
> > session.
>
> And if several people lie about their shared secrets?

If some of your N participants are going to collude to share their nyms then it is manifestly impossible to stop them. But that doesn't bother me. The purpose of this scheme is to create N nyms for N people and be sure that each of the N people who wanted a nym got one. If you are sure that each of the N people wanted a nym, then you can be sure you have a one-to-one mapping between people and nyms, but unconditional untraceability from nyms to people.

But perhaps what you were talking about was a denial-of-service attack on the DC-Net's network layer. That has been addressed extensively in Chaum's original "Dining Cryptographers" paper. Chaum's method for dealing with denial-of-service attacks is typically brilliant, but even so it is an unwieldy and expensive (in terms of computation and bandwidth) proposition. I recommend "Dining Cryptographers" to everyone, and I hope that someone who reads it will come up with a better solution.
Regards,

Bryce

From adam at rosa.com Sun May 12 06:16:04 1996
From: adam at rosa.com (Adam philipp)
Date: Sun, 12 May 1996 21:16:04 +0800
Subject: Again: [hrdware] anti-Tempest video settings
Message-ID: <2.2.16.19960512030421.3ae77464@sirius.infonex.com>

At 08:02 PM 5/11/96 +0000, you wrote:
>But of course. But what I want to know is: is there some
>combination of
>display colors that will be visible for the eye, but not for the
>Tempest equipment?

I am not an electrical engineer and do not play one in real life. However in my on TEMPEST I heard nothing about varying colors to reduce RF radiation from a monitor. Just set up a Faraday cage, much simpler.

>That might answer it. I suppose that if some "stealth" settings
>exists, they are highly hardware dependent.

Better to get TEMPEST rated hardware then... check government surplus... I've had reports of TEMPEST class computer cases being sold with power supplies real cheap...

>My question was not "would it work in all instances?" but rather
>"had this tactic been implemented successfully in *some* instances?"

Not that I have ever heard... Hopefully I am not feeding this troll too much.

>Or, to the contrary, is it reasonable to assume that modern Tempest equipment can
>work around these impediments almost all of the time, therefore
>making any attempts at this futile?

No modern equipment can detect radiation that does NOT leave a Faraday cage.

Adam, Esq.

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
| My PGP key is available on my |Unauthorized interception violates |
| home page: http://www.rosa.com |federal law (18 USC Section 2700 et|
|=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-|seq.).
In any case, PGP encrypted |
|SUB ROSA...see home page... |communications are preferred for |
| -=[ FUCK THE CDA]=- |sensitive materials. |
\=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-/
If A is a success in life, then A = x + y + z. Work is x; y is play; and z is keeping your mouth shut. Albert Einstein (1879-1955)

From daemon at anon.penet.fi Sun May 12 07:47:09 1996
From: daemon at anon.penet.fi (daemon at anon.penet.fi)
Date: Sun, 12 May 1996 22:47:09 +0800
Subject: Reply to anonymous ping.
Message-ID: <9605121128.AA11689@anon.penet.fi>

Your code name is: an611909 at anon.penet.fi.

From mixmaster at remail.obscura.com Sun May 12 09:12:37 1996
From: mixmaster at remail.obscura.com (Mixmaster)
Date: Mon, 13 May 1996 00:12:37 +0800
Subject: Why I Pay Too Much in Taxes
Message-ID: <199605121210.FAA14392@sirius.infonex.com>

-----BEGIN PGP SIGNED MESSAGE-----

Alan Horowitz wrote:
>Wage earners - people who are the subjects of W-2 forms - are the class of
>individuals who can't benefit from offshore maneuvers.

Just go to your boss and tell him that you have an offer from a consulting company. You'd be happy to continue working for him until he finds a replacement (which could take decades) for 90% of your old pre-tax salary. You should get a big smile in return.

>I believe the entry costs for a reliable offshore structure from a
>reliable vendor - ie, one who keeps up with court cases and the Code of
>Federal Regulations on a daily basis - is $50-100k. Ok for guys who own
>a Dart Industries, but not the unwashed masses.

And I believe that you don't need that. Going to a major offshore vendor makes you vulnerable to traffic analysis (most of them can't spell Mixmaster). You can get a better setup for $2999 than you get if you spend $50k. Or do it yourself for $1k. Start by reading everything from Scope (www.britnet.co.uk/scope). The books you find there cover everything you need to know in perfect detail.
Thanks to Philip Zimmermann and Lance Cottrell the balance of power between the state and the little guy has changed completely. It's good to see that both of them are going into mass market business. Perhaps they can get some of the billions of dollars they deserve.

X

From reagle at MIT.EDU Sun May 12 13:23:02 1996
From: reagle at MIT.EDU (Joseph M. Reagle Jr.)
Date: Mon, 13 May 1996 04:23:02 +0800
Subject: Mandatory Voluntary Self-Ratings
Message-ID: <9605121608.AA04469@rpcp.mit.edu>

At 07:58 PM 5/9/96 -0700, you wrote:
>For every proposed "ratings" system that involves value judgments about who
>should see something, I can think of examples where a quite opposite view
>is held.

Yes, but it is possible to have "descriptive" systems. Of course, to make them easy, things are aggregated into groups, and these groupings have a value judgement. But it is possible to have rating systems that don't tell you diddley about who sees it.

_______________________
Regards,
Men govern nothing with more difficulty than their tongues, and can moderate their desires more than their words. -Spinoza
Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html
reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E

From reagle at MIT.EDU Sun May 12 13:47:58 1996
From: reagle at MIT.EDU (Joseph M. Reagle Jr.)
Date: Mon, 13 May 1996 04:47:58 +0800
Subject: self-ratings vs. market ratings
Message-ID: <9605121608.AA04472@rpcp.mit.edu>

At 06:04 PM 5/10/96 EDT, E.
ALLEN SMITH wrote:
>From: IN%"blancw at MICROSOFT.com" "Blanc Weber" 10-MAY-1996 16:21:20.63
>
>>The more automated that filtering becomes, so that the viewer (be it an
>>adult or a child) requires less and less personal involvement in
>>evaluating what is appropriate (or even interesting) for themselves, the
>>more weak & piddly (ignorant & psychologically dependent) those people
>>could become, falling into the habit of having others - or an automatic
>>robocop -

I was talking about this with one of the other students giving the presentation on RSACi yesterday at Sloan. I was arguing how vice tends to be associated with radicalism and how it seems to break people out of their exclusive communities... (nevermind, it was a weird complex discussion.)

Regardless, I ran a roundtable on a topic similar to this. The problem of information sharing agents evolving into exclusive communities over time.

_______________________________________________
Date: Wed, 14 Feb 1996 20:25:20 -0500
To: roundtable at rpcp.mit.edu
From: "Joseph M. Reagle Jr."
Subject: Roundtable 2/21: M. Van Alstyne - COMMUNICATION NETWORKS AND THE RISE OF AN INFORMATION ELITE

COMMUNICATION NETWORKS AND THE RISE OF AN INFORMATION ELITE
Do Computers Help the Rich Get Richer?
Marshall Van Alstyne (MIT Sloan School)
CAMBRIDGE ROUNDTABLE
Wed, Feb. 21, at 1:00 E40-212

Several researchers have suggested that information resources are not created equal and that information processing capacity is not distributed uniformly. In 1995, for example, only 17% of the adult population in the US and Canada, roughly 35 million people had any form of access to electronic services. But what if access were universal? If each enterprise and individual were granted a digital portal onto a National Information Infrastructure, would equal access to channels mean equal access to information? One unfortunate answer is no.
Circumstances exist under which a telecommunications policy of universal access could lead to an increase in the gap between the information "haves" and the "have-nots." Policy needs to provide incentives for information sharing and not just access to channels, otherwise results might be reversed from those originally intended.

We present a formal theory of information sharing in groups which shows why the information rich might get richer still, why there might be balkanization of groups on the internet, why different objectives within a group will motivate sharing or shut it down, and why it's not just what you know but whom you know. One of the advantages of the model is that there are several explicit parameters that can be altered to illustrate different effects of different policies.

For anyone who is interested, the first draft of the paper is available from URL: http://web.mit.edu/marshall/www/home.html

_______________________
Regards,
Men govern nothing with more difficulty than their tongues, and can moderate their desires more than their words. -Spinoza
Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html
reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E

From proff at suburbia.net Sun May 12 13:58:00 1996
From: proff at suburbia.net (Julian Assange)
Date: Mon, 13 May 1996 04:58:00 +0800
Subject: Again: [hrdware] anti-Tempest video settings
In-Reply-To: <2.2.16.19960512030421.3ae77464@sirius.infonex.com>
Message-ID: <199605121612.CAA04055@suburbia.net>

> >display colors that will be visible for the eye, but not for the
> >Tempest equipment?
> I am not an electrical engineer and do not play one in real life. However in
> my on TEMPEST I heard nothing about varying colors to reduce RF radiation
> from a monitor. Just set up a Faraday cage, much simpler.

Varying the colours does not reduce RF radiation.
It just obfuscates it by making the radiation given off by the three colour beams and their cables equal in extent (at least, far more equal). Remember the Black button on the Black console in the Black ship that lights up Black?

--
"Of all tyrannies a tyranny sincerely exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies, The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for own good will torment us without end, for they do so with the approval of their own conscience." - C.S. Lewis, _God in the Dock_
+---------------------+--------------------+----------------------------------+
|Julian Assange RSO | PO Box 2031 BARKER | Secret Analytic Guy Union |
|proff at suburbia.net | VIC 3122 AUSTRALIA | finger for PGP key hash ID = |
|proff at gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+---------------------+--------------------+----------------------------------+

From minow at apple.com Sun May 12 14:02:57 1996
From: minow at apple.com (Martin Minow)
Date: Mon, 13 May 1996 05:02:57 +0800
Subject: distinctive properties of ecash, netbill, cybercash and iKP
Message-ID:

>
>>
>> Anonymity of monetary transactions is another thing that Bank of Estonia
>> has declared illegal.
>
>Cash is illegal, too! How does the economy in Estonia work these days?
>Barter?

If you think about it, anonymous cash transactions above a certain limit ($4,000?) are illegal in the United States, too.

Martin Minow
minow at apple.com

From minow at apple.com Sun May 12 14:44:08 1996
From: minow at apple.com (Martin Minow)
Date: Mon, 13 May 1996 05:44:08 +0800
Subject: Notes from the SF Physical Cypherpunks meeting
Message-ID:

Here are my notes -- without significant editing or correction -- from Saturday's (96.05.11) cypherpunks meeting in Palo Alto.
Discussion of crypto user interfaces (particularly NetScape and e-mail)

-- How to tell user that "installation" not secure in a decent GUI?
-- Expectation of what leaves user machine.
-- Vendor's "shouldn't distinguish products on security: security is the bedrock of our industry." (Quote from some industry person who was not present to defend this thesis).
-- Someday, there will be a "Word virus that attacks your CyberCash wallet."
-- If the message is insecure with respect to the user's expectation, there should be a user-visible window border (or similar): NetScape's little key isn't good enough. Did you know that the netscape key has 1 tooth for 40-bit, and 2 teeth for 120 bit encryption?
-- Signed code is the new industry meme. Bonded agents who certify signed code. Do you know how much bonding costs, and how little it offers?
-- Security dialogs need a help button that explains security.
-- Error messages (of all kinds) should have a url that gives more info. Can be a file:// or http:// for local help.

Eudora and Netscape will provide S/Mime. PGP is going nowhere, S/Mime becoming ubiquitous (Eudora, future Netscape)

S/Mime pretty good. 2 Flaws: signature's name is not encrypted. Major flaw: encryption defaults to 40-bit. No good way to negotiate for stronger encryption.

c2.org: 90% of all connections are 40-bit RC2. Need to publish negotiation info so that sender and receiver can agree on crypto strength.

PGP lost in Eudora/Netscape: ongoing legal problems with Phil Zimmermann. Strong concern that companies can't use PGP without problems with RSA. Do they need Viacrypt.

Web of trust: not working. Hard to map an e-mail address to a key. Hal Finney's Java implementation not sufficient for signature distribution.

S/Mime will support Verisign. Verisign certificates have "trust" level: class 1 is untrusted (equivalent to PGP self-signed?)

Next Netscape beta will have five additional non-verisign CA's:

----

Crypto toolkit: need certification for code fragments.
Need "web of trust" for software validation. There will be a zillion Java applets out there: how do you know one does what you claim it does?

When will Java signed classes/signed applets be released. Two weeks. Hmm, Java One conference is in two weeks. Surely a coincidence.

You can sign a class by signing the class file (zip), then archiving it together with the source and then sign the combined archive. I think that Stuffit (on the Macintosh) supports signed archives if PowerTalk is provided.

-----

Norm Hardy talked about the E programming language from Electric communities. (Java with capabilities).

[[These are notes, and occasionally incoherent, for which I humbly apologize.]]

Capabilities. Should be able to import code and run it even when you don't trust the code. Java-type scheme can succeed. No short description. Here are some of the reasons you should believe it:

-- History: late 50's Algol 60. Code shouldn't be able to escape its storage. Compilers and hardware thought this was not sufficiently important to do this. Not implemented on actual compilers or hardware (hmm, Burroughs 5000, Basic timesharing systems offer counter-examples). Intent was to be neat and modular, not to be secure against intruders. Garbage collectors forced better, formal, theory of storage. Gave us storage security.

Multics gave cross-trust subroutine calls.

KEYCOS Started in TimeShare, early 1970's. Ran customers (competitors) on the same machine. Machine code didn't get in other people's way. Customers needed to interact. NCSC (part of NSA) looked at this, recommended B3 rating. Architecture was good for A1 (next to top, as good as it comes). Needed rewriting by cleared people, needed formal proofs. NSA judging systems to protect NSA secrets.

Main idea: programs have rapid communication, with strong security properties that they themselves arrange.

HYDRA earliest system (Bill Wulf). KEYCOS improved on HYDRA.
Capability: designates something and conveys authority to that thing. Can't pull this apart: can't access without having capability. Can't get information, can't affect its state.

No specific superuser state: privileged programs have different set of capabilities, not necessarily all.

COM e-mail/bbs system (Sweden) -- operator could backup e-mail, but not read it.

Object oriented programming system is a capability system.

Crypto (public-private key) similar to capabilities. Public key is a capability. Private key is the thing that the key designates.

Access lists: people access data. However, it's really the computer program that accesses the data on the person's behalf. Access control lists (VMS, Mac filesharing) -- more prevalent than you might expect, but can be made unobtrusive. Few people notice that Mac filesharing has access control lists.

Contrast Unix and capability system. On Unix, programmer gives a filename to the shell, shell tells the compiler. Compiler opens the file. Capability: give "read" capability to shell, shell gives it to compiler. Compiler uses capability to access data.

Cannot hide capability from programmer.

When you build something (create something), you have to present a "space bank" (sub-pool). You can buy space bank, determine the amount of free space, zap parts of it, etc.

Money object: can do in Java -- two classes: mint, pot. Pot has two private fields, mint reference, value. Pot method: produce a sibling pot with same mint object and no value. Transfer -- if two pots refer to the same mint, transfer value between them.

I own program, you own data. I don't trust your data, you don't trust my program. I want to allow you to run your data on my program. Factory (mutually trusted). Give access to code to factory. Give you access to factory. You invoke factory, factory creates object that can execute code on data, but lacks capability to send data.
Capability architectures (narrower sense): for A to affect B, necessary and sufficient for A to have capability for B. Can't add onto Unix since old, non-capability mechanisms are still there.

Get capabilities two ways: create object, gets ownership to message. Can pass capability in a message. Give to subcontractor only narrow capabilities it needs. Build system so capabilities can be very narrow. Can grant capability "Q := zero" -- receiver executes capability, but never know name of variable.

Algol call by name -- caller passes a "thunk" to the subroutine. Subroutine executes the thunk that carries out the caller's computation.

Debugger subject to same capability restrictions.

Keeper -- computational resources become capabilities -- meters grant ability to use cpu time. Meter has "amount of ticks" -- when hits zero, task is suspended. Attached to another program with role of meter keeper. Meter keeper can decide to replenish meter. Can allocate budget (rate-based) -- useful for real-time app's.

Jewel manual (agorics web site). Market-based control Scott Clearwater. Fractional (Fractal) reserve bank. http://www.agorics.com/agorics.

Can grant subsets of own capabilities. Can (by prior arrangement) revoke capabilities.

Language-based vs OS based. Can run large parts of o.s. in capability model. Get some advantages, but there are pitfalls.

Capability systems can protect against denial of service. Can administrate cpu/space usage.

Language-based systems can message across trust boundaries quickly. O.S. based may need many machine cycles. Crypto-based capability may need millions (exponent).

----

Marianne Mueller. Reported on Java Security Workshop.

[[Dumb jokes self-censored to protect the guilty.]]

Java team interested in security -- nobody is specifically Mr. Security. Everybody's responsibility.

1st Morning. Status + foodfight: Steve Bellovin: Java is a virus. Venting. We all got minimal trusted computing base (with verifying, formally) religion.
Need better formal model of the language. With better specification, can get better testing. Need better test suites to ensure that Microsoft implements the same model as Netscape. VM spec, language spec, also working on policy spec (what the sandbox policy actually is). Funding an outside security group.

1st Afternoon. Paul Karger, Mark Schaffer. How to use capabilities with Java. "If you do capabilities, make sure it does these 15 properties."

2nd Morning. Proposal to do code signing. Afternoon, continued to discuss code signing and key management. Discussed trust models.

Butler Lampson and Ron Rivest paper on Rivest's home page (on capabilities). Lampson now working for Microsoft.

IEEE symposium on security and privacy. Security theory people. Princeton stuff. Security folk all over the Princeton folk -- think they're just a bunch of hackers. Java folk impressed; find Princeton stuff useful.

Working on crypto API's. Sun lobbying government to free crypto API's.

Signing classes, applets, applications (application is classes + data). Microsoft coming out this summer. Code signing very important. Needs very soon.

Hard to do real capabilities on Java. Transitive closure is very difficult.

-----

Transcribed in real-time by
Martin Minow
minow at apple.com

From sameer at c2.org Sun May 12 15:11:30 1996
From: sameer at c2.org (sameer at c2.org)
Date: Mon, 13 May 1996 06:11:30 +0800
Subject: Notes from the SF Physical Cypherpunks meeting
In-Reply-To:
Message-ID: <199605121701.KAA16317@atropos.c2.org>

>
> c2.org: 90% of all connections are 40-bit RC2.

The number is 94.5%, and it's RC4, not RC2. RC2 is not in any SSLv2 products.

--
Sameer Parekh Voice: 510-601-9777x3
Community ConneXion, Inc.
FAX: 510-601-9734
The Internet Privacy Provider Dialin: 510-658-6376
http://www.c2.net/ (or login as "guest") sameer at c2.net

From jf_avon at citenet.net Sun May 12 16:27:11 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Mon, 13 May 1996 07:27:11 +0800
Subject: Why I Pay Too Much in Taxes
Message-ID: <9605121826.AB04463@cti02.citenet.net>

> Thanks to Philip Zimmermann and Lance Cottrell the balance of power
> between the state and the little guy has changed completely. It's
> good to see that both of them are going into mass market business.
> Perhaps they can get some of the billions of dollars they deserve.

Thumbs up!

JFA

DePompadour, Societe d'Importation Ltee
Limoges porcelain, Silverware and mouth blown crystal glasses
JFA Technologies, R&D consultants.
Physicists, technologists and engineers.
PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891
Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have accepted the above mentioned terms.

From ses at tipper.oit.unc.edu Sun May 12 17:13:32 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Mon, 13 May 1996 08:13:32 +0800
Subject: Notes from the SF Physical Cypherpunks meeting
In-Reply-To:
Message-ID:

any more details about what was said about java code-signing?

Simon

---
Cause maybe (maybe) | In my mind I'm going to Carolina
you're gonna be the one that saves me | - back in Chapel Hill May 16th.
And after all | Email address remains unchanged
You're my firewall - | ........First in Usenet.........

From alanh at infi.net Sun May 12 18:41:52 1996
From: alanh at infi.net (Alan Horowitz)
Date: Mon, 13 May 1996 09:41:52 +0800
Subject: Why I Pay Too Much in Taxes
In-Reply-To: <199605121210.FAA14392@sirius.infonex.com>
Message-ID:

On Sun, 12 May 1996, Mixmaster wrote:

> Just go to your boss and tell him that you have an offer from a
> consulting company.
You'd be happy to continue working for him
> until he finds a replacement (which could take decades) for 90%
> of your old pre-tax salary. You should get a big smile in return.

The IRS is very aggressive about making sure that employment taxes are paid. If your boss has the right to tell you _how_ to do your work, he is your boss, not your consulting client. It doesn't matter, whether your boss chooses to exercise his supervisory powers or not. If he has the _right_ to do so - you are an employee. This has been wrung out in the courts many times.

From jeremiah at Aldus.NorthNet.org Sun May 12 19:25:02 1996
From: jeremiah at Aldus.NorthNet.org (Jeremiah Harmsen)
Date: Mon, 13 May 1996 10:25:02 +0800
Subject: No Subject
Message-ID: <01BB4025.07A45B40@ppp-18.saranac.northnet.org>

From matts at pi.se Sun May 12 19:32:22 1996
From: matts at pi.se (Matts Kallioniemi)
Date: Mon, 13 May 1996 10:32:22 +0800
Subject: Notes from the SF Physical Cypherpunks meeting
Message-ID: <2.2.32.19960512200212.00912c48@mail.pi.se>

At 09:29 1996-05-12 -0700, Martin Minow wrote:
>COM e-mail/bbs system (Sweden) -- operator could backup
>e-mail, but not read it.

Sure. The database was encrypted by using XOR with the string "KOM". That was the sorry state of encryption in the early eighties.

Matts

From EALLENSMITH at ocelot.Rutgers.EDU Sun May 12 20:43:16 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Mon, 13 May 1996 11:43:16 +0800
Subject: Cybercash snake oil merchant
Message-ID: <01I4MLT1GBSG8Y5CN9@mbcl.rutgers.edu>

I've located a new snake oil merchant, by the name of cybank. Their url is http://www.cybank.net, and they're claiming things like "public key encryption has been broken." Well, yes... if you use a too-short key length.
-Allen From anonymous-remailer at shell.portal.com Sun May 12 20:53:46 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Mon, 13 May 1996 11:53:46 +0800 Subject: KWTX (fwd) Message-ID: <199605122100.OAA11829@jobe.shell.portal.com> ---------- Forwarded message ---------- Subject: KWTX Vincent Miller / April 25, 1996 International Society for Individual Liberty (ISIL) Update Letter --------------------excerpt------------------------------------ The Onslaught Against American Liberties Escalates The US Justice Department is currently suing radio station KWTX in Texas over what they term "malicious disregard for the truth in reporting on Waco". If convicted the station will be both civilly and criminally liable for any alleged harm caused to property or government agents. This is of course ironic. In a sea of federal propaganda, and self-serving FBI-ATF press releases, the small radio and TV stations (and the Internet) were the Only source of real information about what actually happened at Waco. Even before this case has been heard the judge revealed his bias by stating that he thought the conduct of the station was "outrageous." Source: CBS Evening News with Dan Rather (Apr 19th). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ISIL, 1800 Market Street, San Francisco, CA 94102 415-864-0952, fax 415-864-7506 This organization gives permission to reprint provided that proper credit is given. -------------------------------------------------------------------- From jya at pipeline.com Sun May 12 21:24:54 1996 From: jya at pipeline.com (John Young) Date: Mon, 13 May 1996 12:24:54 +0800 Subject: FYB_oss Message-ID: <199605122203.WAA26085@pipe2.t1.usa.pipeline.com> 5-12-96. NYPaper: "Who's Reading Your E-Mail? Maybe the Boss. More Companies Say Messages Are Their Property." Reports on various spying policies and employee rights. 
Quotes PRZ demurring: "You don't check your constitutional rights at the door." Notes Apple's snooping not. And, scare-escrowing, it asks, "what happens if an employee encrypts important company documents, and then dies [or is fired or extorts]. How will the company get to vital information." FYB_oss From tomw at netscape.com Sun May 12 21:58:09 1996 From: tomw at netscape.com (Tom Weinstein) Date: Mon, 13 May 1996 12:58:09 +0800 Subject: Notes from the SF Physical Cypherpunks meeting Message-ID: <31966CD7.794B@netscape.com> sameer at c2.org wrote: > > > c2.org: 90% of all connections are 40-bit RC2. > > The number is 94.5%, and it's RC4, not RC2. RC2 is not in any > SSLv2 products. The domestic version of Netscape has always done RC2. The export version of Netscape 3.0 now does 40-bit RC2 in SSL v2 mode. -- One tag to rule them all, One tag to find them; One tag | Tom Weinstein to bring them all, and in the source tree bind them. | tomw at netscape.com From tcmay at got.net Mon May 13 01:00:17 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 13 May 1996 16:00:17 +0800 Subject: Civil liberties of employees (Re: FYB_oss) Message-ID: At 10:03 PM 5/12/96, John Young wrote: > 5-12-96. NYPaper: > > "Who's Reading Your E-Mail? Maybe the Boss. More Companies > Say Messages Are Their Property." > > Reports on various spying policies and employee rights. > Quotes PRZ demurring: "You don't check your constitutional > rights at the door." Notes Apple's snooping not. > Actually, one _does_ check one's Constitutional rights "at the door" (of an employer), and the confusion over this issue is pervasively destroying real Constitutional rights. For instance, if I hire someone, I can require him or her to wear a uniform, to not wear blue jeans to work, to not smoke (or even to smoke, if this is what the job involves), to take off his or her clothes, to tap dance, to not say anything to my customers, and on and on. 
If the government required these behaviors, this would be a legitimate issue, but not if employers set these conditions as terms of continued employment. If an employer says that all messages will be read by him, this is not a violation of anyone's "civil liberties." (And, on a practical note, companies are often held responsible for the messages emanating on company time from employees, so there are actual reasons why such monitoring may be necessary.) An employee who dislikes the terms of his employment is of course free, in our society, to leave. The Constitution is about what the government can and cannot require, not about what I as an employer can require. This point is frequently confusing to people who, in my opinion, haven't thought about it. Thus, a "Hooters girl" suddenly decides she doesn't like "displaying herself" to men and announces that her civil liberties are being violated by being told to wear skimpy outfits. (I haven't read Zimmermann's comments in full, to get the full context, but I doubt we'll agree on such things. His achievement with PGP was considerable, but I know from first-hand experience that his political views are very non-libertarian and are, in fact, counter to liberty.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Mon May 13 02:15:32 1996 From: tcmay at got.net (Timothy C. 
May)
Date: Mon, 13 May 1996 17:15:32 +0800
Subject: Notes from the SF Physical Cypherpunks meeting
Message-ID:

I'd like to thank Martin Minow for his summary of what happened at yesterday's Bay Area Cypherpunks meeting (note that it was Bay Area, held at Stanford, not "SF"). Clarifications and corrections are starting to come in, which is fine. But these clarifications and corrections should not dissuade Martin or anyone else from doing such summaries.

This meeting was somewhat languid, I think because of the outdoor (and warm!) location at Tresidder Union at Stanford University...normally our meetings have been held in the cool corporate environs of Cygnus, Silicon Graphics, or Sun, but Stanford is the likely meeting place for upcoming gatherings. (For one thing, an outdoor gathering at Stanford makes it unnecessary for a corporate type to be there. We are also too big a group--about 20-40, typically--to meet in a coffee shop or pizza joint.)

For whatever reason, only a handful of such summaries have ever been done in the three and a half years our group and other groups have been having physical meetings. (I did a couple, but not for the past couple of years.)

Anyway, well done!

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
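Added example, not part of any list message: Matts Kallioniemi's reply earlier in this thread says the COM database was XORed with the string "KOM". The Python sketch below runs on a constructed mail record and shows why that gave an operator holding the backup no real barrier: guessing a single header word such as "Subject: " yields the key. All function names and the sample record are this example's own.

```python
"""Repeating-key XOR with the 3-byte string "KOM", as described in the thread.

Added illustration. SAMPLE is a constructed mail record, not real COM data;
all function names are this example's own.
"""

KEY = b"KOM"

SAMPLE = (
    b"From: operator at example.invalid\n"
    b"To: user at example.invalid\n"
    b"Subject: backup schedule\n"
    b"\n"
    b"The nightly backup of the mail database runs at two in the morning.\n"
    b"Operators copy the files to tape but are not meant to read them.\n"
)


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def min_period(frag: bytes, max_period: int):
    """Smallest p <= max_period with frag[i] == frag[i + p] throughout, else None."""
    for p in range(1, max_period + 1):
        if all(frag[i] == frag[i + p] for i in range(len(frag) - p)):
            return p
    return None


def looks_like_text(data: bytes) -> bool:
    """True if every byte is printable ASCII or common whitespace."""
    return all(0x20 <= b <= 0x7E or b in b"\r\n\t" for b in data)


def drag_crib(ciphertext: bytes, crib: bytes) -> dict:
    """Slide a guessed plaintext word (a crib) over the ciphertext.

    At the right offset, ciphertext XOR crib is the key repeating itself.
    Returns {offset: key} for every offset whose fragment repeats with a
    short period and whose key decrypts the whole record to plain text.
    """
    hits = {}
    for off in range(len(ciphertext) - len(crib) + 1):
        frag = bytes(c ^ p for c, p in zip(ciphertext[off:], crib))
        period = min_period(frag, len(crib) // 2)
        if period is None:
            continue
        # frag[i] is key[(off + i) % period]; undo the rotation.
        key = bytearray(period)
        for i in range(period):
            key[(off + i) % period] = frag[i]
        if looks_like_text(xor_repeat(ciphertext, bytes(key))):
            hits[off] = bytes(key)
    return hits


# What an operator holding the backup would see on disk.
STORED = xor_repeat(SAMPLE, KEY)

if __name__ == "__main__":
    print("stored bytes:", STORED[:24].hex())
    for off, key in drag_crib(STORED, b"Subject: ").items():
        print(f"offset {off}: key {key!r}")
        print(xor_repeat(STORED, key).decode("ascii"))
```

The key never has to be guessed directly; predictable structure in the stored data is enough, which is the sense in which this was "the sorry state of encryption".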
From frantz at netcom.com Mon May 13 02:48:18 1996
From: frantz at netcom.com (Bill Frantz)
Date: Mon, 13 May 1996 17:48:18 +0800
Subject: Notes from the SF Physical Cypherpunks meeting
Message-ID: <199605130329.UAA28692@netcom8.netcom.com>

I would also like to thank Martin for his notes. I was unable to attend the meeting and the notes are the best I can do. A small correction and some pointers:

At 9:29 AM 5/12/96 -0700, Martin Minow wrote:
>KEYCOS Started in TimeShare, early 1970's. Ran customers (competitors)

The correct spellings are KeyKOS and Tymshare. That may help people searching for other information. URLs for KeyKOS information are:

http://www.cis.upenn.edu/~KeyKOS/
http://www.agorics.com/agorics/allkey.html

Also, a system being built on similar ideas is described at:

http://www.cis.upenn.edu/~eros

------------------------------------------------------------------------
Bill Frantz | The CDA means | Periwinkle -- Computer Consulting
(408)356-8506 | lost jobs and | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From perry at piermont.com Mon May 13 02:51:27 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Mon, 13 May 1996 17:51:27 +0800
Subject: found nym-differentiation! Still need perpetual motion, FTL travel, cold fusion
In-Reply-To:
Message-ID: <199605130232.WAA10281@jekyll.piermont.com>

Lucky Green writes:
> At 19:02 5/11/96, Perry E. Metzger wrote:
>
> >I doubt that will work even were it implemented. Every phone on the
> >planet and terminal would need to constantly do biometric analysis of
> >every user, and even then people could program their terminals to lie.
>
> Telling your terminal to lie will be rather difficult once the CPU refuses
> to run an OS without proper signatures.

Oh, sure. How, exactly, could you do that? I can't think of a way to build a CPU to do such a thing. What would it do?
I mean, if it checked a signature before booting, you could just halt the clock, reach into RAM, and alter the contents of the OS after boot. It's both meaningless and impossible for it to check signatures on individual instructions.

Perry

From 6886 at mne.net Mon May 13 03:15:56 1996
From: 6886 at mne.net (SpyKing)
Date: Mon, 13 May 1996 18:15:56 +0800
Subject: R U Bugged How To Debugging Video
Message-ID: <9605130344.AA10252@mne.com>

R-U Bugged? "How-To" De-Bugging Video

Are you a target of electronic surveillance? Do you suspect someone is invading your privacy? The first "Do-it-Yourself" De-Bugging video available to the general public... Over 100,000 bugs were planted in the US last year...Could you find one in your home or office? This video will teach you how! Simple step-by-step instructions...Produced by an expert with 25 years in the business... Guaranteed to help safeguard your privacy Demonstrations of sophisticated and inexpensive commercially available bugging devices and how to find them... If you're serious about privacy, you can't afford to miss this video...

Mention electronic eavesdropping, wiretaps or "bugging" and most people think of the police or secret agents...Who, you might ask would want to bug an office, a boardroom, a research lab or for that matter, someone's bedroom? The answer: More people than you might ever imagine, according to experts. With the cost of eavesdropping electronics falling sharply each year, it has become very easy for a jealous spouse, business competitor, or disgruntled employee to eavesdrop on just about anyone.

Experts estimate that last year, over 100,000 bugs were planted in businesses alone! No one knows exactly how many were planted by jealous lovers, spouses, or worse by stalkers, but it should be at the very least an equal amount...Very few of these eavesdropping targets ever knew they were being spied on.

Is there any way to know if one's home or business has been bugged? Yes.
You can bring in a professional "sweeper", "TSCM Expert", "De-Bugger". With his electronic equipment, he can find and deactivate those bugging devices. That will cost you $500 to $1000 to start! The average home or business can cost thousands of dollars...

But what if you've been bugged and you can't afford an expert? That's where a brand new do-it yourself video comes into the picture. Titled "R-U-Bugged" this video was produced for the non-technical person by an expert with over 25 years of international experience in electronic countermeasures. It fully explains eavesdropping devices, how they work and how to find them... It shows simple step by step "how to" basics that anyone can understand. If you think that bugging equipment is only found in the latest adventure of 007, you're mistaken...This video shows how common and inexpensive equipment, readily available at almost any electronics store, can compromise your privacy...

"R-U-Bugged" is available and in stock for $59.95 + $5.95 shipping & handling. Foreign orders please add $14.95 S & H. Playing time: 90 minutes

Send or Money Order to:
Codex Publishing
286 Spring Street
New York, NY 10013
Tel: 212-989-9898
Sorry, No C.O.D.'s or credit cards...

Check out our WEB SITE - The Codex Privacy Page
URL: http://www.thecodex.com
Home of The Codex Surveillance & Privacy Newsletter
DataScan - Diagnostic TEMPEST Evaluation System
Technical Surveillance CounterMeasures (TSCM)
Forensic Audio Restoration & Audio Tape Enhancement

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 13 03:18:58 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E.
ALLEN SMITH) Date: Mon, 13 May 1996 18:18:58 +0800 Subject: Administration letter vs ACTA petition Message-ID: <01I4MWMC3JJK8Y5CQA@mbcl.rutgers.edu> From: IN%"rre at weber.ucsd.edu" 12-MAY-1996 23:22:09.31 From: Phil Agre =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help at weber.ucsd.edu =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: Wed, 8 May 1996 21:13:48 -0400 From: "Thomas A. Kalil" To: Multiple recipients of list Subject: Administration opposes ACTA petition May 8, 1996 The Honorable Reed Hundt Chairman Federal Communication Commission Room 814 1919 M Street, N.W. Washington D.C. 20554 Re: RM 8775 Dear Chairman Hundt: This letter addresses the petition for rulemaking filed before the Commission by America's Carriers Telecommunication Association (ACTA) in March 1996. ACTA asks the Commission to: (1) order Internet software providers to "immediately stop their unauthorized provisioning of telecommunications software"; 2) confirm the Commission's authority over interstate and international telecommunications services offered over the Internet; and 3) institute rules to govern the use of the Internet for providing telecommunications services. On behalf of the Administration, NTIA strongly urges the Commission to deny the ACTA Petition. The Petition not only mischaracterizes the existing law, but also reflects a fundamental misunderstanding of the way in which the Internet operates and of the services now making use of the Internet. 
ACTA requests that the Commission stop firms such as the Respondents from selling software that enables "a computer with Internet access to be used as a long distance telephone, carrying voice transmissions, at virtually no charge for the call" [ACTA Petition at i]. ACTA asserts that such firms are common carrier providers of telecommunications services that should not be allowed to operate without first obtaining a certificate from the Commission [ACTA Petition at 6-7]. That argument is wrong. The Respondents provide their customers with goods, not services. Although the software that those firms sell does enable individuals to originate voice communications, all of the actions needed to initiate such communications are performed by the software users, rather than the vendors. At no time do the Respondents engage in the "transmission" of information, which, according to the Telecommunications Act of 1996, is the sine qua non of both a telecommunications service and a telecommunications carrier. [See Telecommunications Act of 1996, Pub. L. No. 104-104, 110 Stat. 56, 3(a) amending Section 153 of the Communications Act of 1934 to add new definitions of "telecommunications," "telecommunications service," and "telecommunications carrier."] In that critical sense, the Respondents are no more providing telecommunications services than are the vendors of the telephone handsets, fax machines, and other customer premises equipment that make communications possible. ACTA also asks the Commission for a declaratory ruling "confirming its authority over interstate and international telecommunications services using the Internet." [ACTA Petition at 6. While ACTA claims the Commission has jurisdiction to regulate the Internet pursuant to Section 1 of the Communications Act, citing United States v. Southwestern Cable Co., 392 U.S. 
157 (1968), ACTA also acknowledges that such jurisdiction is limited to actions ancillary to the effective performance of its specific responsibilities under other parts of the Act. Id. at 5,7-8. ACTA suggests that unregulated growth of the Internet presents "unfair competition" to Title II regulated interexchange carriers that "could, if left unchecked, eventually create serious economic hardship on all existing participants in the long distance marketplace" and could be "detrimental to the health of the nation's telecommunications industry and the maintenance of the nation's telecommunications infrastructure." Id. at 4, 5. Voice telephony via the Internet, however, is still a limited and cumbersome capability: both parties to the call need computers and must have compatible software. Moreover, there is no assurance that a call placed will be completed or not interrupted. While the technology involved may improve rapidly, presently there is no credible evidence to justify Commission regulation of the Internet.] In fact, as the Federal Networking Council pointed out in comments filed on May 4, there are no telecommunications services currently being offered via the Internet. The services that now involve the Internet are more likely to be "enhanced," or information services over which the Commission has disclaimed jurisdiction under the Communications Act. The Commission decision in the 1980's not to regulate enhanced services was a wise one that has conferred substantial benefits on American consumers. The Telecommunications Act of 1996 in no way requires a change in that decision. The Internet now connects more than 10 million computers, tens of millions of users, and is growing at a rate of 10-15 percent a month. This growth has created opportunities for entrepreneurs to develop new services and applications such as videoconferencing, multicasting, electronic payments, networked virtual reality, and intelligent agents. 
Perhaps more importantly, it creates a growing number of opportunities for consumers to identify new communication and information needs and to meet those needs. The Commission should not risk stifling the growth and use of this vibrant technology in order to prevent some undemonstrated harm to long distance service providers. If Internet-based services eventually develop to an extent that raises concerns about harm to consumers or the public interest, the Commission would have ample time to more fully address the issue. Now is not that time. NTIA, therefore, urges the Commission to reject the ACTA petition without delay. Larry Irving Assistant Secretary for Communications and Information cc: The Honorable James H. Quello The Honorable Rachelle B. Chong The Honorable Susan Ness From unicorn at schloss.li Mon May 13 03:26:23 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 13 May 1996 18:26:23 +0800 Subject: Why I Pay Too Much in Taxes In-Reply-To: <199605121210.FAA14392@sirius.infonex.com> Message-ID: On Sun, 12 May 1996, Mixmaster wrote: > if you spend $50k. Or do it yourself for $1k. Start by reading > everything from Scope (www.britnet.co.uk/scope). The books you find ^^^^^ > there cover everything you need to know in perfect detail. Woops. What dwindling credibility you had in my view is now gone. Poof and -PLOINK-. (I suggest cypherpunks so interested pursue other options). > > X > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. 
Counsel: For all your expert testimony needs: jimbell at pacifier.com

From jamesd at echeque.com Mon May 13 04:17:04 1996
From: jamesd at echeque.com (jamesd at echeque.com)
Date: Mon, 13 May 1996 19:17:04 +0800
Subject: Why does the state still stand:
Message-ID: <199605130214.TAA23835@dns2.noc.best.net>

I intend to post this to a bunch of rant newsgroups. It is the common wisdom of cypherpunks: Any corrections or objections?

*************************************************************************

Why does the state still stand?

At 07:26 AM 5/5/96 -0400, Duncan Frissell wrote:
> Even though the population of those who regularly violate
> federal tax laws is smaller (20 million?) the records show
> that even for this population the odds of being convicted are
> approximately the odds of being murdered.
>
> http://www.trac.syr.edu/tracirs/analysis/IRS019page.html

Now if the state had to compel everyone to write a check for ten thousand dollars every quarter, or to make a little trip to the IRS with a brown paper bag full of hundred dollar bills, there would be massive tax resistance, massive state violence to enforce taxes, and the many individual violent conflicts with the state would swiftly become collective armed revolution.

The state can get away with this extraordinary and exorbitant tax rate, because for the most part it does not apply coercion directly to individual people. Instead it disrupts the large scale institutions that we have created to facilitate large scale cooperation.

Now it is easy to coerce the transactions in a physical marketplace, or a physical large scale factory or office, because the state can easily find the market place and see what people are doing in it, far easier than it can find individual people and see what each person is doing overall, and if people do not play by the state's rules it can easily send in the bad boys to close down the marketplace.
Thus the state obstructs the large scale specialization of labor, and charges us a high price to participate in that specialization. The state can do this effectively because such specialization depends on large numbers of people regularly meeting face to face in recognizable physical places: company offices, stock exchanges, and the like. The state can extract this tax because it can send the bad boys into any such meeting place and close it down. It is this, rather than direct coercion of taxpayers that enables it to charge such savage and extraordinary taxes. Any attempt to directly coerce taxpayers on this scale would swiftly lead to rivers of blood. Electronic marketplaces are less easy to coerce. Note how states find themselves largely powerless before the international money market. This has caused a substantial retreat of the state in many countries throughout the world. The socialists complain because the World bank asks the Ukraine and Belarus to be slightly less socialist, but the international money market will not touch such governments with a ten foot pole, while it will roll over like a puppy for governments such as Estonia and Tunisia which really are dismantling socialism. The challenge then is to move the meetings that make specialization of labor possible to the net, thus making us less easy for the state to coerce. The anarcho socialists have one half of an important truth: In order to smash the state, we must first transform capitalism. Right now not much is happening. Ecash today is rather like email eight years ago. You had a bunch of email systems none of which would talk to each other and none of which were very easy to use and all of which cost too much. Most good groupware, for example source code control programs, is designed, perhaps intentionally, in ways that make it only useful for intranets, not for WANs. That is to say only useful inside the kind of corporations that presently exist. 
Also, to be useful in a post corporate economy, a source code control tool would need to have better view control, since the boss cannot simply announce, "OK, we are now in alpha, so we shall now have feature freeze on the product." Instead somebody has to announce "I have constructed and will maintain a feature frozen buildable source code view." We would be vastly further ahead on PGP 3.0 and on ecash if we had a tool like that.

How then did we solve the email problem? The email problem was not a problem that big corporations were capable of solving. Whenever one network, such as CompuServe, negotiated with another network, such as AOL, they could never agree about settlements. How much would CompuServe charge AOL to deliver AOL customers' mail to CompuServe customers, and how much would AOL charge CompuServe to deliver CompuServe customers' mail to AOL customers? And how would it be metered, and what software standards would be used to enable the metering, and the lawyers would talk to the accountants, and the accountants to the software guys, and up and down the corporate hierarchy it would go, and back and forth between corporations.

Eventually, on the internet, the custom and expectation grew up that you did not charge for delivering mail to your customers, largely due to the influence, and the moral and political outlook, of the IETF. Problem solved: Nothing to negotiate; Nothing to be metered. Turned out it was a moral and political problem, not a pricing problem.

Now right now we are in the same pickle with electronic transactions as we once were with email. We have a bunch of proprietary systems with proprietary software and proprietary money that do not talk to each other. Worse, anonymous ecash is patented by Chaum. This is an algorithm for how people structure promises to pay, and is therefore even less well suited to be intellectual property than most software patents.
As a result anyone who wants to make an agreement with Chaum to implement anonymous electronic cash faces a lot of cost and delay. Such agreements are difficult to make and implement. What we need in addition to our existing electronic cash mechanisms is a general mechanism for exchanging and transferring promises to pay, so that Betty can exchange a promise by John to pay in system X for a promise by Sam to pay in system Y. Such a system must make every man their own bank and their own credit agency, and must not be tied to any one proprietary institution that issues promises to pay. Now once we have that, it will cobble all the different ecash systems together, just as the internet cobbled all the email systems together, and we will start to make some real progress in moving the institutions that facilitate large scale specialization of labor to the net. Right now nothing much is happening, despite the fact that several big names have issued ecash systems. Now in order to create such a system we need a patent free public key system: (Rabin will be free from the DH patent in one year) and we need a satisfactory public key management system, one that can couple to standard databases. Lots of folk are twiddling their thumbs waiting for Phil Zimmermann to issue the PGP 3.0 key management system. Possibly someone will issue a PGP key management system that works with the Microsoft Crypt API. The Microsoft default key management system is crummy, and is limited to keys small enough for the NSA to break. So guys, that is the plan: We destroy the state through higher mathematics. We do this by replacing the current institutional mechanisms of corporations with cryptographic mechanisms. This will give more people the opportunity to evade and resist taxes. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. 
True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jimbell at pacifier.com Mon May 13 04:34:31 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 13 May 1996 19:34:31 +0800 Subject: Accidental subscriber needs help off of list. Message-ID: <199605130323.UAA15286@pacifier.com> I'm just another subscriber to the list; I can't see any indication that you've sent your message to the list itself. I will forward this response to the list; somebody should see it and be able to help. At 11:08 PM 5/12/96 EDT, Jeff D. Mendelson wrote: >Dear Sir, > >My name is Jeff and I was accidently placed on your Cyberpunk mailing list. I >am currently being bombarded with e-mail from your list with information that I >am not interested in. Compuserve has not been able to help me get my name off >of this list. And since I am new at Internet e-mail, I am at a loss of what to >do. > >Can you please send me exact instructions on removing my name from this mailing >list? Thank you very much for your time. You don`t know how much I would >appreciate it. > >Sincerely, > >Jeff M. >74407.350 at compuserve.com > > > Jim Bell jimbell at pacifier.com From EALLENSMITH at ocelot.Rutgers.EDU Mon May 13 04:35:07 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 13 May 1996 19:35:07 +0800 Subject: Civil liberties of employees (Re: FYB_oss) Message-ID: <01I4N2O1M45S8Y59U9@mbcl.rutgers.edu> From: IN%"tcmay at got.net" 13-MAY-1996 00:55:07.93 >Actually, one _does_ check one's Constitutional rights "at the door" (of an >employer), and the confusion over this issue is pervasively destroying real >Constitutional rights. >For instance, if I hire someone, I can require him or her to wear a >uniform, to not wear blue jeans to work, to not smoke (or even to smoke, if >this is what the job involves), to take off his or her clothes, to tap >dance, to not say anything to my customers, and on and on. 
If the >government required these behaviors, this would be a legitimate issue, but >not if employers set these conditions as terms of continued employment. In general, I agree... but one important point to make is the contract. If the contract says that you can require the employee to tap dance, then you can require the employee to tap dance. If the contract _doesn't_ require the employee to get shot, then the employee can refuse to get shot (including shooting back if you try it anyway, bringing in law enforcement, etcetera.) The problem is that current contracts don't (usually) cover employee privacy in its electronic aspects. They don't say whether or not the employer can read your email. Thus, it's up in the air. If it says the employer can, then the employer should be able to. If it says the employer can't, then the employer shouldn't be able to - including via the employee using PGP to encrypt the mail. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Mon May 13 05:15:44 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 13 May 1996 20:15:44 +0800 Subject: Mandatory Voluntary Self-Ratings Message-ID: <01I4N5QTJZZK8Y59U9@mbcl.rutgers.edu> It is interesting to note from the CIEC trial bulletin (which they won't let me quote part of, according to their initial notice - stupid policy) and other sources that the conservatives won't let people just rate "objectionable" material in order to keep it from them. They want it off the net/world whether or not it's rated. Thus, the idea that vznuri and others (such as the various proponents of its current use) have that PICS can save the net from the conservatives et al doesn't work. Nice idea (maybe), but no cigar. 
-Allen From grafolog at netcom.com Mon May 13 05:40:05 1996 From: grafolog at netcom.com (Jonathon Blake) Date: Mon, 13 May 1996 20:40:05 +0800 Subject: Why I Pay Too Much in Taxes In-Reply-To: Message-ID: Black Unicorn: On Sun, 12 May 1996, Black Unicorn wrote: > > everything from Scope (www.britnet.co.uk/scope). The books you find > ^^^^^ > (I suggest cypherpunks so interested pursue other options). I figured Scope was one of those to be read if you come across them, but nothing earth shattering books. The category described as the radically wrong, but maybe they have a useful idea. xan jonathon grafolog at netcom.com xan jonathon grafolog at netcom.com ********************************************************************** * * * Opinions expressed don't necessarily reflect my own views. * * * * There is no way that they can be construed to represent * * any organization's views. * * * ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * ftp://ftp.netcom.com/pub/gr/graphology/home.html * * * * OR * * * * http://members.tripod.com/~graphology/index.html * * * *********************************************************************** From draven at infi.net Mon May 13 07:39:18 1996 From: draven at infi.net (Greg Morgan) Date: Mon, 13 May 1996 22:39:18 +0800 Subject: Any DLL's that handle Public Key Encryption or Key Exchange? Message-ID: <31970890.114066924@infi.net> I'm in the process of writing a freeware IRC client in Visual Basic 3 and wanted to incorporate a secure variant of DCC chat. Trouble is I can't find a precompiled library that has either RSA or DH in it. This doesn't do me much good as I don't even own a Windows C compiler... (is that a crime in some countries? :) ) I'll appreciate any help you folks could give..
Greg Morgan Vice President: Crescent Moon Productions draven at infi.net PGP Public Key via E-Mail From A.Back at exeter.ac.uk Mon May 13 10:29:36 1996 From: A.Back at exeter.ac.uk (A.Back at exeter.ac.uk) Date: Tue, 14 May 1996 01:29:36 +0800 Subject: tamper proofed cpus & police states (was Re: found nym-differentiation!...) In-Reply-To: <199605130232.WAA10281@jekyll.piermont.com> Message-ID: <523.199605131151@olib> On tamper proofing cpus as a tool of a police state... A cpu which was tamper proofed and had public key crypto for key receipt (so that it could receive software which its owner could not decrypt), and could decrypt instructions on the fly using a symmetric key stream cipher to execute them would be a start. Of course this assumes that tamper proofing is ultimately possible... but perhaps as fabrication technology progresses this might be possible due to quantum effects (if you even look at one particle in the internals of the cpu, it self destructs -- gross speculation as I know next to nothing about cpu fab, but perhaps someone who does know about chip fab would care to comment on whether the job of tamper proofing is headed in favour of the breaker or the other way around). Such a tamper proof cpu would also be excellent for the copyright warriors, you would buy your copy of microsoft word, microsoft would encrypt it for your cpu's public key and send it to you. The software would be useless on any cpu but your own, and without breaking the tamper proofing, or cryptanalysing the keys you wouldn't be able to copy the software. Still what about using software from the FSF? Or that you wrote yourself? Or that PRZ wrote? How would a police state disable this? They could make the system so that it would only run software signed by the NSA software authorisation service :-) Any software to be vetted and only runnable on once authorised. Development machines would need to be strictly licensed.
But even then you could probably write PGP in microsoft word basic if you really had to (?) Checking for non-approved crypto in communication between machines would ultimately fail though because even if a rabid police state required only standard formats you could super encrypt or use steganography and then superencrypt in your word basic implementation of PGP. The legal requirement for standardised communications encodings, and the NSA software authorisation aren't going to happen any time soon IMO. Tamper resistant CPUs with public key and on the fly decryption of memory accesses feasible I suppose for software copyright, might even have some positive uses like providing a framework in which to embed chaum's observers for off-line anonymous ecash. If the option was selectable per thread so that you could run both encrypted and normal code on it, and when in encrypted mode it would not allow any debug modes it would seem feasible enough for copyright purposes. All pretty negative aspects IMO though. Adam -- #!/bin/perl -sp0777i At 10:08 PM 5/9/96 EDT, E. ALLEN SMITH wrote: >From: IN%"educom at elanor.oit.unc.edu" 9-MAY-1996 22:01:14.77 > >>REGIONAL BELLS WANT RATE HIKES FOR WIRING SCHOOLS >>The United States Telephone Association would like to raise the average U.S. >>monthly phone bill by about $10 over the next five years to pay for wiring >>schools and libraries with new lines for phones and computers, and to >>subsidize poor and rural customers. The proposal assumes an $11 billion >>cost for wiring schools and libraries, with local phone companies paying >>about a third to a half of that. The rest would come from a surcharge on >>other services, such as cellular. "No single industry should be held >>responsible for fulfilling this major goal," says USTA's president. "Each >>has a role and should make a significant contribution to the national >>education technology mandate."
(Investor's Business Daily 8 May 96 A7) OK, someone tell me why the END USERS don't pay for this! If a school wants to be wired, the local school board can pay for it (and the local taxpayers can vote for the millage increase). If you don't think every five year old needs a net connection (maybe because you are afraid of them seeing nekkid ladies, or because you just think teachers should teach and not rely on technology to do their jobs for them), you can vote against spending the money. As for subsidizing rural customers, those people made a choice to live in a rural area, for whatever reason. I see no reason to subsidize that choice. Unless of course they want to pay higher taxes to subsidize the costs for my living in the city. Clay From rpowell at algorithmics.com Mon May 13 12:21:57 1996 From: rpowell at algorithmics.com (Robin Powell) Date: Tue, 14 May 1996 03:21:57 +0800 Subject: Why I Pay Too Much in Taxes In-Reply-To: Message-ID: <96May13.091247edt.20481@janus.algorithmics.com> >>>>> Black Unicorn writes: > On Sun, 12 May 1996, Mixmaster wrote: >> if you spend $50k. Or do it yourself for $1k. Start by reading >> everything from Scope (www.britnet.co.uk/scope). The books you find > ^^^^^ >> there cover everything you need to know in perfect detail. > Woops. What dwindling credibility you had in my view is now gone. > Poof and -PLOINK-. > (I suggest cypherpunks so interested pursue other options). Any particular reason why this statement lost that person's credibility for you that you'd like to share with us? Have someone say, "Man, that site sucks!" is of very little use without knowing what the problem is so we can avoid it in the future. 
-Robin From a.brown at nexor.co.uk Mon May 13 13:31:07 1996 From: a.brown at nexor.co.uk (Andy Brown) Date: Tue, 14 May 1996 04:31:07 +0800 Subject: S-Tools 4 now available Message-ID: <01BB40CF.624B4A90@mirage.nexor.co.uk> Hi, S-Tools version 4 is now available from the following URL: ftp://idea.sec.dsi.unimi.it/pub/security/crypt/code/s-tools4.zip You will need either Windows 95 or Windows NT (at least v3.51) to use this, and all further releases of S-Tools (Win32s is not sufficient). This latest release fixes all reported bugs in v3, and adds compression before encryption before hiding, drag-and-drop operation and a multi- threaded working model. Further information can be found in the on-line help. Regards, - Andy From remailer at 2005.bart.nl Mon May 13 13:36:11 1996 From: remailer at 2005.bart.nl (Senator Exon) Date: Tue, 14 May 1996 04:36:11 +0800 Subject: Fingerprinting annoyance Message-ID: <199605131344.PAA05388@spoof.bart.nl> in connection with a character and fitness report i have been asked to supply a review board with a set of my fingerprints i have never been fingerprinted before i am not very keen on the idea now of course refusing will attract suspicion short of getting someone else to put their fingers in ink for me does anyone have a cute method by which to obscure my prints on those cute little cards without it being obvious? i can fill out and manipulate the card myself i just need a working method. is there no privacy advocate who can help me? From buster at klaine.pp.fi Mon May 13 13:40:57 1996 From: buster at klaine.pp.fi (Kari Laine) Date: Tue, 14 May 1996 04:40:57 +0800 Subject: NSA Budget In-Reply-To: <199604090146.CAA03627@pangaea.hypereality.co.uk> Message-ID: >Is there a public release of the NSA's annual Budget. >If so is there a quarterly release. -Erinn *Which* one of them you are interested - one for the public - one for the foes - one for the allies - one for the .... 
Why don't you call them up and ask nicely ----- Yes, there are annual and quarterly reports released to the public which describe in meticulous detail expenditures for Original text for the good reporting practises was really enjoyable reading. Kari From Clay.Olbon at dynetics.com Mon May 13 13:53:57 1996 From: Clay.Olbon at dynetics.com (Clay Olbon II) Date: Tue, 14 May 1996 04:53:57 +0800 Subject: web proxy article in Unix Review Message-ID: I just finished Richard Morin's Internet Notebook column in Unix Review. This month's column was entitled "Censorship-Thwarting Tools". It discusses a prototype web proxy called Rover (http://www.cfcl.com/tin/P/9606.nph-rover). And gives some sites (http://www.cfcl.com/tin/P/9606.rovers.html). The best part of the article is a discussion at the end that describes enhancements - to include encrypted links. It was great to see these issues discussed in a "mainstream" computer publication. BTW, Richard's columns are available on-line at http://www.cfcl.com/tin. The article I referenced is 9606. The on-line version is not as complete as the one in Unix Review however. Clay From raph at CS.Berkeley.EDU Mon May 13 16:02:48 1996 From: raph at CS.Berkeley.EDU (Raph Levien) Date: Tue, 14 May 1996 07:02:48 +0800 Subject: List of reliable remailers Message-ID: <199605131356.GAA13754@kiwi.cs.berkeley.edu> I operate a remailer pinging service which collects detailed information about remailer features and reliability. To use it, just finger remailer-list at kiwi.cs.berkeley.edu There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at: http://www.cs.berkeley.edu/~raph/remailer-list.html This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail. 
For more information, see: http://www.c2.org/~raph/premail.html For the PGP public keys of the remailers, finger pgpkeys at kiwi.cs.berkeley.edu This is the current info: REMAILER LIST This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu. $remailer{"extropia"} = " cpunk pgp special"; $remailer{"portal"} = " cpunk pgp hash"; $remailer{"alumni"} = " cpunk pgp hash"; $remailer{"bsu-cs"} = " cpunk hash ksub"; $remailer{"c2"} = " eric pgp hash reord"; $remailer{"penet"} = " penet post"; $remailer{"hacktic"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"flame"} = " cpunk mix pgp. hash latent cut post reord"; $remailer{"rahul"} = " cpunk pgp hash filter"; $remailer{"mix"} = " cpunk mix pgp hash latent cut ek ksub reord ?"; $remailer{"ford"} = " cpunk pgp hash ksub ek"; $remailer{"robo"} = " cpunk hash mix"; $remailer{"replay"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"rmadillo"} = " mix cpunk pgp hash latent cut ek"; $remailer{"ecafe"} = " cpunk mix"; $remailer{"wmono"} = " cpunk mix pgp. 
hash latent cut"; $remailer{"shinobi"} = " cpunk mix hash latent cut ek reord"; $remailer{"amnesia"} = " cpunk mix pgp hash latent cut ksub"; $remailer{"gondolin"} = " cpunk mix pgp hash latent cut ek reord"; $remailer{"tjava"} = " cpunk mix pgp hash latent cut"; $remailer{"pamphlet"} = " cpunk pgp hash latent cut ?"; $remailer{'alpha'} = ' alpha pgp'; $remailer{'gondonym'} = ' alpha pgp'; $remailer{"lead"} = " cpunk pgp hash latent cut ek"; $remailer{"treehole"} = " cpunk pgp hash latent cut ek"; $remailer{"nemesis"} = " cpunk pgp hash latent cut"; $remailer{"exon"} = " cpunk pgp hash latent cut ek"; $remailer{"vegas"} = " cpunk pgp hash latent cut"; $remailer{"haystack"} = " cpunk mix pgp hash latent cut ek"; $remailer{"ncognito"} = " mix cpunk latent"; catalyst at netcom.com is _not_ a remailer. lmccarth at ducie.cs.umass.edu is _not_ a remailer. usura at replay.com is _not_ a remailer. Groups of remailers sharing a machine or operator: (c2 robo alpha) (gondolin gondonym) (flame hacktic replay) (alumni portal) Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too. Note: The remailer list now includes information for the alpha nymserver. Last update: Mon 13 May 96 6:45:35 PDT remailer email address history latency uptime ----------------------------------------------------------------------- mix mixmaster at remail.obscura.com ++++++++++++ 4:10:52 100.00% alpha alias at alpha.c2.org +.+++++++++* 49:42 99.99% haystack haystack at holy.cow.net -*#*##+--++* 18:17 99.98% exon remailer at remailer.nl.com *******+***# 2:48 99.98% lead mix at zifi.genetics.utah.edu ++++++++++++ 37:55 99.97% amnesia amnesia at chardos.connix.com _. 
--+----++ 12:19:41 99.83% flame remailer at flame.alias.net ---+---+-+++ 2:44:17 99.81% c2 remail at c2.org +++++++++++* 46:01 99.75% alumni hal at alumni.caltech.edu #-### #*#### 7:16 99.69% vegas remailer at vegas.gateway.com ###**-***##* 1:07:26 99.64% ecafe cpunk at remail.ecafe.org ###*###+## # 7:38 99.60% portal hfinney at shell.portal.com #-## -# #### 5:07 99.57% shinobi remailer at shinobi.alias.net ***+**+* +** 37:06 99.26% penet anon at anon.penet.fi _ .____. 66:02:55 99.01% replay remailer at replay.com +********+* 5:20 98.53% treehole remailer at mockingbird.alias.net ---+++-+-- 2:07:49 86.55% extropia remail at miron.vip.best.com --.---- 8:00:07 48.50% History key * # response in less than 5 minutes. * * response in less than 1 hour. * + response in less than 4 hours. * - response in less than 24 hours. * . response in more than 1 day. * _ response came back too late (more than 2 days). cpunk A major class of remailers. Supports Request-Remailing-To: field. eric A variant of the cpunk style. Uses Anon-Send-To: instead. penet The third class of remailers (at least for right now). Uses X-Anon-To: in the header. pgp Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID. hash Supports ## pasting, so anything can be put into the headers of outgoing messages. ksub Remailer always kills subject header, even in non-pgp mode. nsub Remailer always preserves subject header, even in pgp mode. latent Supports Matt Ghio's Latent-Time: option. cut Supports Matt Ghio's Cutmarks: option. post Post to Usenet using Post-To: or Anon-Post-To: header. ek Encrypt responses in reply blocks using Encrypt-Key: header. special Accepts only pgp encrypted messages. mix Can accept messages in Mixmaster format. reord Attempts to foil traffic analysis by reordering messages. 
Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself. mon Remailer has been known to monitor contents of private email. filter Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering. Raph Levien From maldrich at grci.com Mon May 13 17:32:03 1996 From: maldrich at grci.com (Mark O. Aldrich) Date: Tue, 14 May 1996 08:32:03 +0800 Subject: Free demo disk of "distorted number" crypto In-Reply-To: Message-ID: On Fri, 10 May 1996, William Ono wrote: > On Fri, 10 May 1996, Mark O. Aldrich wrote: > > > technical. They are also offering a technical write-up via fax-back at > > 301.588.2162. > > I just called that number, but got no answer after ten rings. Could you > please verify it? I just checked it. It's working. It answered with the "menu" after two rings. Anyone else try using this thing? ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. 
| ------------------------------------------------------------------------- From anonymous-remailer at shell.portal.com Mon May 13 18:33:17 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Tue, 14 May 1996 09:33:17 +0800 Subject: Report on Smart cards Message-ID: <199605131336.GAA18614@jobe.shell.portal.com> Financial Times, 13 May 1996 Smart cards poised to mark revolution in data protection The poor image of the technology as "Big Brother's little helper" may be altogether undeserved, says Alan Cane The smart card -- a piece of plastic the size of a credit card with a computer embedded in it -- offers numerous benefits, but will force a re-evaluation of attitudes to privacy and data protection, says Demos, the independent think-tank. Its report, one of the first to analyse policy issues raised by the rapid proliferation of smart cards in areas such as finance, health and public administration, warns that the benefits will only accrue when people are confident the technology will not become "Big Brother's little helper", as the authors put it. Helpfully, Demos suggests policies to sidestep what it sees as a "sterile confrontation" between civil libertarians and authoritarian government and business interests in promoting the benefits of smart cards. "We have argued that people will trust in these technologies when they can choose anonymity where they want it and have greater control over the use of personal information held about them," say the authors. What distinguishes the smart card from other information technologies and gives it its power is the capacity to concentrate and manipulate a huge amount of information in a tiny space. A reading device is necessary to view the information, but smart cards compute as well as store data. Software can be incorporated to encode the data, rendering it unreadable to anyone without the right key. What can smart cards be used for?
Their main use now is as telephone cards for public pay-phones, but they have the potential to identify individuals, to act as an electronic wallet for cashless shopping, and to provide a secure and portable information store. Medical histories could be stored on a smart card, for example, ready for recall by a doctor. Visionaries talk of virtually unlimited amounts of information distributed through society in a variety of forms -- the credit card model has been adopted for convenience rather than because of limitations inherent in microcomputers. Badges, pins and jewelry could all become "smart" accessories in the future. However, this sort of crystal-gazing raises questions. For example, what information should be stored on a smart device? Who should be able to read it? The Demos researchers are critical of suggestions by Michael Howard, Britain's home secretary, that a smart card could be used as a national identity card: a government-issued, multi-functional card, with the populace having little or no choice about which applications were available on the card -- and perhaps no say about the privacy system employed. Regulation of the privacy system -- encryption -- is important. It is comparatively easy to devise encryption methods which are almost impossible to break within a reasonable period. That worries governments fearful of being unable to unpick communications from terrorists and the like. The US has attempted to forbid the export of the more powerful US cryptography systems. The Demos researchers argue that such tactics are counter-productive. They favour a private "key escrow", a system where cryptography users deposit the key to their system with a trusted private registry, approved and regulated by governments. "Government law enforcement agencies would have to obtain a court order on the basis that they had strong reason to believe that an individual or company that had escrowed their keys ... was guilty of some crime".
The report proposes a radical reform of data protection legislation through some 10 supplementary conditions. Data users, for example, would have to get express consent from individuals for the use to which they would want to put the data. Rules on disclosure to third parties would be tightened, so that data users would have to receive specific permission from a data protection registrar in order to gain access to specific information. It argues that individuals should be able to choose the card they want, and decide what information and applications will be loaded. "Where [Michael Howard's] card is an essentially authoritarian instrument, our proposal is for a more market-based instrument in which the role of government is to align the incentives within the market to ensure privacy, trust and individual access and control," says the report. - On the Cards, by Perri 6 and Ivan Briscoe. Demos, 9 Bridewell Place, London EC4V 6AP. UK9.95. ----- From jamesd at echeque.com Mon May 13 19:12:59 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Tue, 14 May 1996 10:12:59 +0800 Subject: Mandatory Voluntary Self-Ratings Message-ID: <199605131648.JAA12444@dns2.noc.best.net> At 03:45 AM 5/13/96 EDT, E. ALLEN SMITH wrote: > the conservatives won't let people just rate > "objectionable" material in order to keep it from them. They want it off the > net/world whether or not it's rated. In the course of channel surfing, I have once or twice come across the Christians ranting about pornography. They have both legitimate and illegitimate complaints, but mainly they emphasize the legitimate complaint. PICS addresses this legitimate complaint. Should cut the volume down considerably, or else force them to drop the hypocrisy, if indeed they are hypocrites. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A.
Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From tcmay at got.net Mon May 13 19:36:27 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 14 May 1996 10:36:27 +0800 Subject: Civil liberties of employees (Re: FYB_oss) Message-ID: At 6:15 AM 5/13/96, E. ALLEN SMITH wrote: >From: IN%"tcmay at got.net" 13-MAY-1996 00:55:07.93 > >>Actually, one _does_ check one's Constitutional rights "at the door" (of an >>employer), and the confusion over this issue is pervasively destroying real >>Constitutional rights. > >>For instance, if I hire someone, I can require him or her to wear a >>uniform, to not wear blue jeans to work, to not smoke (or even to smoke, if >>this is what the job involves), to take off his or her clothes, to tap >>dance, to not say anything to my customers, and on and on. If the >>government required these behaviors, this would be a legitimate issue, but >>not if employers set these conditions as terms of continued employment. > > In general, I agree... but one important point to make is the contract. >If the contract says that you can require the employee to tap dance, then you >can require the employee to tap dance. If the contract _doesn't_ require the Sure, I agree that _contracts_ can make a difference. But note that contracts are not a requirement of employment: I can, for example, hire someone to rake my leaves. If he decides that manual labor violates his "civil rights," I can give him the boot. No muss, no fuss, no contracts. (But contracts are of course possible. Enforcement of the terms is another matter. By the way, I think enforcement of such contracts should be handled outside the normal legal system, and paid for by the parties using the system.) --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. 
May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From carboy at carboy.com Mon May 13 19:52:39 1996 From: carboy at carboy.com (Michael E. Carboy) Date: Tue, 14 May 1996 10:52:39 +0800 Subject: PGPShell & Eudora Message-ID: <2.2.32.19960513154430.00685318@mail.hooked.net> While trying to solve a corrupted clearsig problem with Eudora 2.2 and PGPShell, I noticed comments in the c-punks archives on this same problem. I wanted to pass on that Aegis Research's PGPShell "Beta4" version solves the problem and does "preprocess" the message before signing so that Eudora won't wreck it. The shell can be downloaded at http://aegisrc.com. It is self-extracting and, if installed in your existing PGPShell directory will create a subdirectory named "Pretty~1" (no, I am not kidding) and then install the new .exe there. Regards, MEC Michael E. 
Carboy carboy at hooked.net carboy at carboy.com Key fingerprint = C9 E9 79 12 43 76 A2 DB 1A 72 FD 04 F2 03 6F 8A From nobody at replay.com Mon May 13 20:30:13 1996 From: nobody at replay.com (Name Withheld by Request) Date: Tue, 14 May 1996 11:30:13 +0800 Subject: Why I Pay Too Much in Taxes Message-ID: <199605131815.UAA04830@basement.replay.com> -----BEGIN PGP SIGNED MESSAGE----- Robin Powell wrote: >>>>>> Black Unicorn writes: > > On Sun, 12 May 1996, Mixmaster wrote: > >> if you spend $50k. Or do it yourself for $1k. Start by reading > >> everything from Scope (www.britnet.co.uk/scope). The books you find > > ^^^^^ > >> there cover everything you need to know in perfect detail. > > > Woops. What dwindling credibility you had in my view is now gone. > > Poof and -PLOINK-. > > > (I suggest cypherpunks so interested pursue other options). > >Any particular reason why this statement lost that person's >credibility for you that you'd like to share with us? Have someone >say, "Man, that site sucks!" is of very little use without knowing >what the problem is so we can avoid it in the future. The reason should be obvious from the earlier discussion. Mr. Unicorn is in the deluxe tax planning business. He is worried that his customers will stop paying $50-100k for his services if they find out that they just need to spend $100 in the book store for even better advice.
X -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBMZdmjVtwWVJrMFYlAQG/7Qf/Znhd2nJlWsKCsgQ0GYBbxcYJLqHL+4tw Dmco49A17P3wbukKxMxY/5qkNEFZTBfLZXsH+pmkWNncv+5OYrMqjusV1OnAB8Ab 3eDWrNH3i7ga6yf1AHPg54nwOBFXDgMNG3U76tQwSb9NWF7YCMah+3TEtBlNi5/9 nSnq7fLKQjc3wT37DwaZHxbOOSloEPuJKD3WTxdCvfkL4lu9HcAFN2oBjag3XDu/ ikpxNJzRsYwzpCOgMX4cXxDY3E5cHKrxdi1XRj1cfgIR//C1kqnV9VgWpfbm/qBh PT8GFdjLT/r9y1t4TUhjJC7GPWhIbFDwjsTFD/bATWwsnfQ8pTTHPQ== =XDO+ -----END PGP SIGNATURE----- From eli+ at GS160.SP.CS.CMU.EDU Mon May 13 22:51:46 1996 From: eli+ at GS160.SP.CS.CMU.EDU (eli+ at GS160.SP.CS.CMU.EDU) Date: Tue, 14 May 1996 13:51:46 +0800 Subject: Transitive trust and MLM In-Reply-To: <+cmu.andrew.internet.cypherpunks+UlYwNe:00UfAM107VG@andrew.cmu.edu> Message-ID: <199605131833.LAA14629@toad.com> In article <+cmu.andrew.internet.cypherpunks+UlYwNe:00UfAM107VG at andrew.cmu.edu> EALLENSMITH at ocelot.Rutgers.EDU writes: > The different paths going through those different signatures will be >correlated/non-independent, yes.... but that isn't the problem unless you're >considering multiple paths (in a more complicated version). To determine key validity, you do have to consider all paths. If a single trusted path to the bad key exists, the attacker wins. > IIRC, there have been some sociological studies showing that _everyone_ >is linked through 6 or so people. Milgram's "small world" experiments used a much looser sort of "link" than we want here. It would be certainly interesting to know how large a difference this makes. > Now, there's the question of whether you _need_ to be linked to everyone - > [...] I see nothing wrong (and am in favor of) separation of the > elite from the masses. Gee, let me guess which group you're in... I'll go with "people I want to talk to" versus "people I don't want to talk to", thanks. It's true that you don't need to talk to everybody. 
The problem is that I might want to talk to people whom I don't know personally, but know by reputation, or by function ("DEA Rat Hotline" -- well, maybe not). -- . Eli Brandt usual disclaimers . . eli+ at cs.cmu.edu PGP key on request . . violation of 18 U.S.C. 1462: "fuck". From frantz at netcom.com Tue May 14 00:21:48 1996 From: frantz at netcom.com (Bill Frantz) Date: Tue, 14 May 1996 15:21:48 +0800 Subject: Civil liberties of employees (Re: FYB_oss) Message-ID: <199605132039.NAA02439@netcom8.netcom.com> At 9:34 AM 5/13/96 -0700, Timothy C. May wrote: >Sure, I agree that _contracts_ can make a difference. But note that >contracts are not a requirement of employment: I can, for example, hire >someone to rake my leaves. If he decides that manual labor violates his >"civil rights," I can give him the boot. No muss, no fuss, no contracts. But there is a very clear contract here. He rakes your leaves and you pay him the agreed amount. If he does not rake, he is in default and you don't pay him. If he rakes and you don't pay him, you are in default and he can probably collect thru small claims court. I have done consulting work here in Silicon Valley based on such contracts. (The value was low and I had assurance, from a mutual friend, that I was contracting with a man of honor. I did the work and got paid.) IMHO, it beats the hell out of 3 months dealing with corporate legal. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. 
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From sandfort at crl.com Tue May 14 00:25:54 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Tue, 14 May 1996 15:25:54 +0800 Subject: Civil liberties of employees (Re: FYB_oss) Message-ID: <2.2.32.19960513203844.006d3684@popmail.crl.com> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ C'punks, At 09:34 AM 5/13/96 -0700, Timothy C. May wrote: >Sure, I agree that _contracts_ can make a difference. But note that >contracts are not a requirement of employment: I can, for example, hire >someone to rake my leaves. If he decides that manual labor violates his >"civil rights," I can give him the boot. No muss, no fuss, no contracts. There is an implicit contract. Most human interactions are conducted with implicit rather than explicit contracts, but with contracts none the less. Even "explicit" contracts are usually more implicit than you might think. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From maldrich at grci.com Tue May 14 00:35:44 1996 From: maldrich at grci.com (Mark O. Aldrich) Date: Tue, 14 May 1996 15:35:44 +0800 Subject: Fingerprinting annoyance In-Reply-To: <199605131344.PAA05388@spoof.bart.nl> Message-ID: On Mon, 13 May 1996, Senator Exon wrote: > i can fill out and manipulate the card myself i just need a > working method. > is there no privacy advocate who can help me? > I think most privacy advocates would advise, "Refuse to submit." It sounds like you're looking for more of a hack on the fingerprinting process. Normally, you're not going to be allowed to manipulate the card yourself. You're going to have to be printed by a "tech" (read: trusted by big brother) who's going to ensure that those prints are really yours. Sort of like a key certificate. If you really can dork the card, have ten different people volunteer one print each. 
There's no way that they'll ever be able to use that as evidence in a court or for any other purpose, either. Another fun thing to do is to use prints from dead people. A friend who works in a hospital can help. Medical students can sometimes get access to dead bodies, but many used for teaching purposes (the bodies, not the students) already have the skin removed, thus they have no prints. Best to examine those dead digits yourself before sneaking in the card and ink. I also understand that taking prints from a corpse can be difficult, so plan on having a friend help or on having some rigging equipment to get the appropriate positioning for the body. Pre-detached or detachable limbs would be helpful. If you're forced to do this in person with a tech, you can continuously "fight" the grip they have on your hand and smudge the card. However, they'll not submit the card until the prints are "good," so this sort of betrays your intent of at least appearing to cooperate with them. In the law enforcement community, they are taught how to take prints by force but it's unlikely that your tech will attempt any such technique. You can mutilate the tips of your fingers so that prints cannot be acquired, but this hurts. Badly. You could get some false latex coverings for your finger tips, but they'd have to be damn good to fool a tech. Likely to cost big bucks, too. I know of no chemical or physical "pre-treatment" that can be used to hack the ink transference process. Perhaps one of the chemists here on the list might know of some good technique. If you want professional help, I've heard talk of a fingerprint expert in California who offers expert testimony in courts, and so forth. His name is Greg Moore. He is, however, a retired cop. I do not know how willing he'd be to give you expert advice on hacking a fingerprint card, but it's worth a try. 
He would most likely at least answer some questions about the fingerprinting process, depending upon how pleading and helpless you can sound. You can reach him at gmoore at lightlink.satcom.net. He may be willing to help you for free, or perhaps for a fee.

-------------------------------------------------------------------------
| Liberty is truly dead          |Mark Aldrich                          |
| when the slaves are willing    |GRCI INFOSEC Engineering              |
| to forge their own chains.     |maldrich at grci.com                  |
| STOP THE CDA NOW!              |MAldrich at dockmaster.ncsc.mil       |
|_______________________________________________________________________|
|The author is PGP Empowered. Public key at: finger maldrich at grci.com |
| The opinions expressed herein are strictly those of the author        |
| and my employer gets no credit for them whatsoever.                   |
-------------------------------------------------------------------------

From alanh at infi.net Tue May 14 00:42:15 1996
From: alanh at infi.net (Alan Horowitz)
Date: Tue, 14 May 1996 15:42:15 +0800
Subject: Fingerprinting annoyance
In-Reply-To:
Message-ID:

He who wants an Other Guy to certify him as a good guy is a supplicant. If the Other Guy wants you to get naked and stand on your hands in front of the Dutch Queen's front lawn, then that's their rule and you make your choice about obeying.

If the Other Guy wants your fingerprints so he can check whether you're escaped from prison for a mail fraud conviction, well: that's their rule. If you want the Other Guy to certify your good character, then give your fingerprints.

If you don't like it, then ply your trade without their piece of paper. You don't have a God-given right to have the piece of paper. Your customers and clients can decide if they still want to hire you.

From editor at cdt.org Tue May 14 00:42:57 1996
From: editor at cdt.org (Bob Palacios)
Date: Tue, 14 May 1996 15:42:57 +0800
Subject: CDT Policy Post 2.18 - Join Sen.
Burns online TONIGHT (5/13) at 9:00 ET
Message-ID:

-----------------------------------------------------------------------------
The Center for Democracy and Technology                   Volume 2, Number 18
----------------------------------------------------------------------------
A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
CDT POLICY POST Volume 2, Number 18 May 13, 1996

CONTENTS:
(1) Join Senator Burns online TONIGHT (5/13) at 9:00 ET to discuss Privacy and Security on the Net
(2) Subscription Information
(3) About CDT, contacting us

** This document may be redistributed freely with this banner intact **
Excerpts may be re-posted with permission of
-----------------------------------------------------------------------------

(1) JOIN SENATOR BURNS ON HOTWIRED TONIGHT (5/13) AT 9:00 ET ON TO DISCUSS PRIVACY AND SECURITY ON THE NET

Senator Conrad Burns (R-MT) will hold a second online 'town meeting' tonight to discuss recently introduced encryption legislation. The Promotion of Commerce Online in the Digital Era (Pro-CODE) Act of 1996 (S.1726), sponsored by Sen. Burns, Sen. Patrick Leahy (D-VT) and others, seeks to relax outdated and restrictive export controls on encryption.

This online chat is the second chance in as many weeks for Netizens to participate in a discussion regarding this important legislation. We hope many concerned Internet users will take advantage of this rare opportunity to interact with a U.S. Senator who is leading the fight on an issue of great importance to the Net.community.
DETAILS ON TONIGHT'S EVENT: * Monday May 13, at 9:00 pm ET (6:00 pm Pacific) on HotWired's "Wireside Chat". URL: http://www.hotwired.com/wiredside/ To participate, you must be a registered HotWired member (there is no charge for registration). You must also have RealAudio(tm) and a telnet application properly configured to work with your browser. Tonight's town meeting is the second in a series of planned events, and is part of a broader project coordinated by CDT and the Voters Telecommunications Watch (VTW) designed to bring the Internet Community into the debate and encourage members of Congress to work with the Net.community on vital Internet policy issues. Events with other members of Congress working on Internet Policy Issues are currently being planned. Stay tuned for future announcements. ---------------------------------------------------------------------------- FOR MORE INFORMATION ON THE ENCRYPTION POLICY DEBATE For more information on the Encryption Policy Debate, please visit CDT's encryption policy issues page at http://www.cdt.org/crypto/ You can also join CDT, VTW, EFF, EPIC, People for the American Way, Wired Magazine, and others in an online campaign to promote secure communications online. For more information, visit: * The Encryption Policy Resource Page -- http://www.crypto.com/ * The Internet Privacy Coalition Page -- http://www.privacy.org/ipc * EFF's Crypto Page -- http://www.eff.org/ * EPIC's Crypto Page -- http://www.epic.org/crypto * VTW's Crypto Page -- http://www.vtw.org/ ----------------------------------------------------------------------------- (2) SUBSCRIPTION INFORMATION Be sure you are up to date on the latest public policy issues affecting civil liberties online and how they will affect you! Subscribe to the CDT Policy Post news distribution list. 
CDT Policy Posts, the regular news publication of the Center For Democracy and Technology, are received by more than 9,000 Internet users, industry leaders, policy makers and activists, and have become the leading source for information about critical free speech and privacy issues affecting the Internet and other interactive communications media. To subscribe to CDT's Policy Post list, send mail to policy-posts-request at cdt.org with a subject: subscribe policy-posts If you ever wish to remove yourself from the list, send mail to the above address with a subject of: unsubscribe policy-posts ----------------------------------------------------------------------- (3) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. The Center's mission is to develop and advocate public policies that advance democratic values and constitutional civil liberties in new computer and communications technologies. 
Contacting us: General information: info at cdt.org World Wide Web: URL:http://www.cdt.org/ FTP URL:ftp://ftp.cdt.org/pub/cdt/ Snail Mail: The Center for Democracy and Technology 1634 Eye Street NW * Suite 1100 * Washington, DC 20006 (v) +1.202.637.9800 * (f) +1.202.637.0968 ----------------------------------------------------------------------- End Policy Post 2.18 5/13/96 ----------------------------------------------------------------------- From llurch at networking.stanford.edu Tue May 14 00:50:14 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 14 May 1996 15:50:14 +0800 Subject: Fingerprinting annoyance In-Reply-To: <199605131344.PAA05388@spoof.bart.nl> Message-ID: On Mon, 13 May 1996, Senator Exon wrote: > in connection with a character and fitness report i have been > asked to supply a review board with a set of my fingerprints > i have never been fingerprinted before > i am not very keen on the idea now > of course refusing will attract suspicion Honorable Senator, if you wish to work for the government (or certain other orgs with a big impact on the public, or in certain highly sensitive posts, like armed security guard), then you simply have to put up with this. Especially if you're working for *my* government, or flying *my* airplane, or guarding *my* money, it's not in my interest to help you. So... don't work for the government. Work for yourself, or for someone who treats you like a grownup. Liberty ain't always free and easy. > short of getting someone else to put their fingers in ink for > me does anyone have a cute method by which to obscure my prints > on those cute little cards without it being obvious? Sneak into a morgue (I assume you wouldn't even consider involving a third party who isn't already dead). See to it that you're never fingerprinted a second time. Actually, if you simply give them a mirror image of your prints, some matching techniques might fail... 
-rich From rah at shipwright.com Tue May 14 01:51:30 1996 From: rah at shipwright.com (Robert Hettinga) Date: Tue, 14 May 1996 16:51:30 +0800 Subject: DCSB: The FSTC Electronic Check Project Message-ID: -----BEGIN PGP SIGNED MESSAGE----- The Digital Commerce Society of Boston Presents Frank Jaffe, of The Bank of Boston and The Financial Services Technology Consortium (FSTC) "The FSTC Electronic Check Project" Tuesday, June 4, 1996 12 - 2 PM The Downtown Harvard Club of Boston One Federal Street, Boston, MA Frank Jaffe is a Senior Systems Consultant in the Applied Technology Group at the Bank of Boston. Frank is currently the project manager for the FSTC Electronic Check project which involves over 30 companies. Frank has played a leadership role in planning the amalgamation of Bank of Boston's five major retail computer systems into a single, common software system; acting as project leader for a new teller system, and leading the screen phone R&D project in cooperation with Northern Telecom and Bellcore. The FSTC Electronic Check project will develop an enhanced all-electronic replacement to the paper check. Electronic checks will be used like paper checks, by businesses and consumers, and will use existing inter-bank clearing systems. Like its paper counterpart, the Electronic Check represents a self contained "information object," which has all of the information necessary to complete a payment. Likewise, paper checkbooks are replaced by portable Electronic Checkbooks; pens & signatures are replaced by signature card functions and digital signatures using advanced cryptographic techniques; stamps and envelopes by electronic mail or other communications options such as the World Wide Web over the Internet. The fully automated processing capabilities of Electronic Checks opens the possibility of other types of financial instruments, such as electronic cashiers, travelers, and certified checks. 
Electronic check writing and processing will be integrated into existing applications, from cash registers to personal checkbook managers to large corporate accounting systems, to greatly increase the convenience, and reduce the costs, of writing, accepting, and processing checks.

This meeting of the Digital Commerce Society of Boston will be held on Tuesday, June 4, 1996 from 12pm - 2pm at the Downtown Branch of the Harvard Club of Boston, One Federal Street. The price for lunch is $27.50. This price includes lunch, room rental, and the speaker's lunch. ;-). The Harvard Club *does* have dress code: jackets and ties for men, and "appropriate business attire" for women.

We need to receive a company check, or money order, (or if we *really* know you, a personal check) payable to "The Harvard Club of Boston", by Saturday, May 4, or you won't be on the list for lunch. Checks payable to anyone else but The Harvard Club of Boston will have to be sent back.

Checks should be sent to Robert Hettinga, 44 Farquhar Street, Boston, Massachusetts, 02131. Again, they *must* be made payable to "The Harvard Club of Boston".

If anyone has questions, or has a problem with these arrangements (We've had to work with glacial A/P departments more than once, for instance), please let us know via e-mail, and we'll see if we can work something out.

Planned speakers for the following few months are:

July    Pete Loshin    Author, "Electronic Commerce"
August  Duane Hewitt   Idea Futures

We are actively searching for future speakers. If you are in Boston on the first Tuesday of the month, and you would like to make a presentation to the Society, please send e-mail to the DCSB Program Committee, care of Robert Hettinga, rah at shipwright.com .

For more information about the Digital Commerce Society of Boston, send "info dcsb" in the body of a message to majordomo at ai.mit.edu .
If you want to subscribe to the DCSB e-mail list, send "subscribe dcsb" in the body of a message to majordomo at ai.mit.edu .

Looking forward to seeing you there!

Cheers,
Robert Hettinga
Moderator, The Digital Commerce Society of Boston

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

-----------------
Robert Hettinga (rah at shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA
"If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo
The e$ Home Page: http://thumper.vmeng.com/pub/rah/

From jonl at well.com Tue May 14 01:58:54 1996
From: jonl at well.com (Jon Lebkowsky)
Date: Tue, 14 May 1996 16:58:54 +0800
Subject: Senator Burns at HotWired Today
Message-ID: <199605132212.PAA14057@well.com>

Monday, 13 May 6 p.m. PDT
Senator Conrad Burns in WiredSide Chat

Senator Conrad Burns (R-Montana) has recently introduced legislation to make it easier for netizens to get strong, easy-to-use privacy and security tools for the Internet. The Pro-CODE bill (S. 1726) aims a silver bullet straight at the heart of the Clinton administration's unworkable Clipper and Clipper II schemes by rolling back Cold War-era regulations on the export of strong cryptography. Join us Monday, 13 May at 6 p.m. (Tuesday 01:00 GMT) to talk technology with Washington.
-- Jon Lebkowsky http://www.well.com/~jonl Electronic Frontiers Forum, 7PM PST Thursdays From mellman at niia.net Tue May 14 02:03:11 1996 From: mellman at niia.net (Mathew Ellman) Date: Tue, 14 May 1996 17:03:11 +0800 Subject: TO ALL MEMBERS Message-ID: <199605132111.QAA00205@silver.niia.net> TO ALL MEMBERS, IM TIRED OF ALL THIS SHIT I HAVE UNSUBSCRIBED MANY TIMES AND ALL I GET IS SOME STUPID ASS REPLY ABOUT CLOSED LIST OR ADDRESS NOT MATCHING AND I GET NO REPLY SO UNLESS YOU ALL WANT TO GET A BUNCH OF UN WANTED BULLSHIT (LIKE THE SHIT IM GETING FROM YOU ) I SUGEST SOMEONE FIND A WAY TO GET ME THE FUCK OFF THIS LIST . I HAVE GOT IN TOUCH WITH THE PESON THE REPLY TELL ME TO AND NO REPLY. IM TIRED OF ALL THIS SHIT. From abostick at netcom.com Tue May 14 02:30:09 1996 From: abostick at netcom.com (Alan Bostick) Date: Tue, 14 May 1996 17:30:09 +0800 Subject: TO ALL MEMBERS In-Reply-To: <199605132111.QAA00205@silver.niia.net> Message-ID: <3o8lx8m9LQzC085yn@netcom.com> -----BEGIN PGP SIGNED MESSAGE----- In article <199605132111.QAA00205 at silver.niia.net>, Mathew Ellman wrote: > TO ALL MEMBERS, > IM TIRED OF ALL THIS SHIT I HAVE UNSUBSCRIBED MANY TIMES AND ALL I > GET IS SOME STUPID ASS REPLY ABOUT CLOSED LIST OR ADDRESS NOT MATCHING AND I > GET NO REPLY SO UNLESS YOU ALL WANT TO GET A BUNCH OF UN WANTED BULLSHIT > (LIKE THE SHIT IM GETING FROM YOU ) I SUGEST SOMEONE FIND A WAY TO GET ME > THE FUCK OFF THIS LIST . I HAVE GOT IN TOUCH WITH THE PESON THE REPLY TELL > ME TO AND NO REPLY. IM TIRED OF ALL THIS SHIT. > > To: majordomo at c2.org Subject: subscribe clueless mellman at niaa.net subscribe clueless mellman at niaa.net - -- Alan Bostick | "The thing is, I've got rhythm but I don't have mailto:abostick at netcom.com | music, so I guess I could ask for a few more news:alt.grelb | things." 
(overheard) http://www.alumni.caltech.edu/~abostick

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

From roy at sendai.cybrspc.mn.org Tue May 14 02:33:55 1996
From: roy at sendai.cybrspc.mn.org (Roy M. Silvernail)
Date: Tue, 14 May 1996 17:33:55 +0800
Subject: S-Tools 4 now available
In-Reply-To: <01BB40CF.624B4A90@mirage.nexor.co.uk>
Message-ID: <960513.174125.5s4.rnr.w165w@sendai.cybrspc.mn.org>

-----BEGIN PGP SIGNED MESSAGE-----

In list.cypherpunks, a.brown at nexor.co.uk writes:

> S-Tools version 4 is now available from the following URL:
>
> ftp://idea.sec.dsi.unimi.it/pub/security/crypt/code/s-tools4.zip
>
> You will need either Windows 95 or Windows NT (at least v3.51) to use
> this, and all further releases of S-Tools (Win32s is not sufficient).

I suppose this is market pressure, but it means you are alienating a number of potential users (including myself). Some of us are working toward being Microsoft-free, you know.

- --
Roy M. Silvernail [ ] roy at cybrspc.mn.org
PGP Public Key fingerprint = 31 86 EC B9 DB 76 A7 54 13 0B 6A 6B CC 09 18 B6
Key available from pubkey at cybrspc.mn.org

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

From furballs at netcom.com Tue May 14 03:01:57 1996
From: furballs at netcom.com (Paul S.
Penrod) Date: Tue, 14 May 1996 18:01:57 +0800 Subject: Fingerprinting annoyance In-Reply-To: <199605131344.PAA05388@spoof.bart.nl> Message-ID: On Mon, 13 May 1996, Senator Exon wrote: > in connection with a character and fitness report i have been > asked to supply a review board with a set of my fingerprints > i have never been fingerprinted before > i am not very keen on the idea now > of course refusing will attract suspicion > short of getting someone else to put their fingers in ink for > me does anyone have a cute method by which to obscure my prints > on those cute little cards without it being obvious? > i can fill out and manipulate the card myself i just need a > working method. > is there no privacy advocate who can help me? > First off, if you were born in the US, they have your feet and/or hand prints on record. Secondly, fingerprints are not an absolute proof positive means of identification. They are sufficiently unique enough that it satisfies the statistical error acceptability for many governmental agencies. I wouldn't worry about it personally. There are more effective ways of getting around such things if you really need to. If you don't have any historical baggage, then don't make waves. ...Paul From reagle at MIT.EDU Tue May 14 03:10:11 1996 From: reagle at MIT.EDU (Joseph M. Reagle Jr.) Date: Tue, 14 May 1996 18:10:11 +0800 Subject: Interest to punks in latest CACM Message-ID: <9605140451.AA17668@rpcp.mit.edu> A Meeks article I think that would benefit some cypherpunks... - politics/effectiveness "Comparing Information Without Leaking It" - Fagin, Naor, Winkler - crypto/protocol "A Reengineerings Framework for Evaluating a Financial Imaging System" - certificate processing workflow redesign. _______________________ Regards, Men govern nothing with more difficulty than their tongues, and can moderate their desires more than their words. 
-Spinoza
Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html
reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E

From minow at apple.com Tue May 14 03:40:52 1996
From: minow at apple.com (Martin Minow)
Date: Tue, 14 May 1996 18:40:52 +0800
Subject: Notes from the SF Physical Cypherpunks meeting
Message-ID:

Thanks to everyone who took the trouble to correct errors in my notes from Saturday's Cypherpunks meeting. They were written for my own benefit -- and for the benefit of some friends who couldn't be there. Since I can give away information without losing it (to misquote Thomas Jefferson), I'm happy to share it with the cypherpunks.

A comment from Matts Kallioniemi might be worth some further discussion:

>>COM e-mail/bbs system (Sweden) -- operator could backup
>>e-mail, but not read it.
>
>Sure. The database was encrypted by using XOR with the string
>"KOM". That was the sorry state of encryption in the early eighties.
>

Encrypting the database with a fixed string offers a good example of how "locks keep honest people honest." This would prevent an operator from unintentionally reading a message in case it was revealed by, perhaps, a disk sector editor or crash dump.

I suspect that the state of encryption in Sweden in the early eighties was somewhat stronger than XOR (wasn't Hagelin a Swede who moved to Switzerland to start Crypto AG?), but not necessarily visible to the general public.

The Swedish government has a rather strong tradition of protection of individual privacy (encrypting COM e-mail is one example). For example, the initial Swedish implementation of a national criminal database in the mid 1970's (equivalent to the US NCIC) used dialback telexes to prevent unauthorized (and untracked) access. A recent newspaper article noted that some police officers were being investigated for unauthorized access to the personal information of a colleague who had complained of sexual harassment.
Martin Minow minow at apple.com From declan+ at CMU.EDU Tue May 14 03:42:51 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Tue, 14 May 1996 18:42:51 +0800 Subject: CDA Dispatch #10: Last Day in Court Message-ID: <8lZzYJ_00YUv4zWlUt@andrew.cmu.edu> ----------------------------------------------------------------------------- Fight-Censorship Dispatch #10 ----------------------------------------------------------------------------- The CDA Challenge: Last Day in Court ----------------------------------------------------------------------------- By Declan McCullagh / declan at well.com / Redistribute freely ----------------------------------------------------------------------------- In this dispatch: The DoJ's flimsy, cheesy, flawed defense Judges question DoJ investigation of CompuServe "The Newspaper Decency Act" http://pathfinder.com/Netly/daily/960513.html The Netly News May 13, 1996 PHILADELPHIA -- Anyone want to bet on the outcome of the Communications Decency Act? I attended the whole thing, which ended Friday in a Philadelphia federal court, and here's the McCullagh Morning Line: 3:1 that the CDA gets struck down as unconstitutional. It can't possibly be upheld -- not from what I understand about the First Amendment, not from what I heard of the flimsy, cheesy Justice Department case (and I heard the whole flimsy, cheesy defense) and certainly not from how the judges were acting on the last day of the hearing. Members of the three-judge panel practically laughed in exasperation at Justice Department wafflings. As you probably recall, The American Civil Liberties Union and American Library Association coalition challenged the so-called Decency Act on the grounds that it would unconstitutionally chill free speech online. The CDA would criminalize "indecent" speech on the Net, invoking a standard -- indecency -- that's yet to be defined. Not for lack of trying, of course. 
DoJ attorney Tony Coppolino danced a nimble flamenco around the legal meaning of "indecency" and what may or may not be prosecuted under the CDA, arguing on Friday that indecency is a "medium-dependent standard." That is, he said, it can be read to apply mostly to hardcore porn, not literature, and would leave most Web-based jottings alone. But he admitted: "We can't provide assurance that a prosecutor won't take on an absurd case." Dolores Sloviter, chief judge of the Third Circuit Court of Appeals, jumped down his throat: "I've been taking the position for 17 years that people should know what they can be prosecuted for. Doesn't that present a problem?" she asked. "I still don't understand" what indecency means under the CDA, she said. "We've been trying to get at this for 40 minutes," grumbled Judge Stewart Dalzell. Later Dalzell grilled DoJ attorney Jason Baron over the Justice Department's decision to "review" a complaint lodged by the American Family Association against CompuServe's new adults-only service. (The AFA is the most virulent "family values" group involved in the fight over the CDA. Only a week after the law was passed, the AFA said it didn't go far enough.) Dalzell stressed that CompuServe had employed every blocking and parental control mechanism possible under current technology -- but that didn't stop the FBI from investigating the Columbus, Ohio-based corporation. "What more could CompuServe have done?" Dalzell asked. Baron cavilled. "The Justice Department was concerned this may be obscenity," he claims. The distinction between obscenity, which is illegal, and indecency, which is still undefined, is important, and that was a nice try by Baron. Unfortunately for him, the CompuServe forum in question has only Playboy-style centerfolds -- softcore stuff that the DoJ's own attorney Coppolino admitted earlier is not obscene. Clearly, the Government had no business looking into the CompuServe matter. 
Indeed, outside the courtroom at the end of the day, the ALA's Bruce Ennis charged that the government violated a restraining order barring them from investigating alleged CDA violations. "We were very upset. We think this violated the court order," said Ennis. "We went to court yesterday and asked for a clarification. That's now pending." The only defense against prosecution and conviction that the government offered was requiring credit cards before providing access to "indecent" speech on web sites -- a solution that Baron admitted isn't exactly practical for individual speakers. When Baron trotted out Dan Olsen's -L18 self-tagging scheme as an alternative, even the normally quiescent Judge Ronald Buckwalter noticed: "It's not available now. It's a hypothetical." Judge Sloviter added it was "the product of Mr. Olsen's creative imagination." In final arguments, Chris Hansen from the ACLU said not only would a requirement for -L18-style self-labelling "violate the prohibition against compelled speech," there is no tagging technology "that applies to Usenet newsgroups and mailing lists." The most unusual sideshows of the last day of the hearing was when government attorneys were forced to defend free speech in print. Would a "Newspaper Decency Act" banning violence on the top of the front page be constitutional? asked Judge Dalzell, waving a copy of the Philadelphia Inquirer with a photograph of a Liberian prisoner being executed. "My ten-year old son is a rabid Phillies fan" and came across this image, he said. (We must confess to missing the logic here: Are Phillies fans particularly sensitive to violence?) "The print medium enjoys the greatest protections -- the Internet is becoming more television-like," replied Coppolino, trying to dodge the question. The Philadelphia court is expected to issue a decision by mid-June. 
Both the plaintiffs and the Department of Justice have said they will appeal to the Supreme Court, which may decide to hear the case after it reconvenes in early October. Assuming the Justice Department loses, will they really appeal to the Supreme Court? If so, I object to my tax money being wasted on this crap. --By Declan McCullagh ----------------------------------------------------------------------------- Mentioned in this article: DoJ refers American Family Association's CDA complaint to the FBI: AFA "charges" CompuServe with violating the CDA: FBI finally rebuffs the AFA, when pressed: Excerpts from DoJ and anti-porn groups' CDA briefs: Transcript of Olsen's "-L18" description and other testimony: Mike Godwin on indecency vs. obscenity: This and previous Fight-Censorship Dispatches are available at: To subscribe to the fight-censorship announcement mailing list for future Fight-Censorship Dispatches and related discussions, send "subscribe fight-censorship-announce" in the body of a message addressed to: majordomo at vorlon.mit.edu Other relevant web sites: ----------------------------------------------------------------------------- From vznuri at netcom.com Tue May 14 04:18:11 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Tue, 14 May 1996 19:18:11 +0800 Subject: PRZ /PGP In-Reply-To: Message-ID: <199605140557.WAA02396@netcom22.netcom.com> TCM >(I haven't read Zimmermann's comments in full, to get the full context, but >I doubt we'll agree on such things. His achievement with PGP was >considerable, but I know from first-hand experience that his political >views are very non-libertarian and are, in fact, counter to liberty.) hmmmmm, surely you don't think you can get away without anyone requesting an elaboration on this.... maybe post the comments through a remailer if necesary actually, I agree with this, but probably for other reasons. it is well known (i.e. 
reported in articles) that Zimmermann was considering moving out of the country to australia or canada during the 80's because of the Reagan cold war situation. well, I don't blame him, but can he really cloak himself in the mantle of a national patriot after this kind of thinking?

it may also be that Zimmermann has a set of beliefs that he champions in front of the public, but that his private ideology is more radical. I tend to get this impression. he is very, very careful about his public image and his reputation.

I suspect that Zimmermann's star is on the way to fading out, at the moment, for some various reasons. I only write this because of a letter I read earlier from Raph Levien that tended to confirm some of my suspicions.

1. he has a "I want it all" or "I want to win while everyone else loses" ideology. this is what it took to write PGP when no one else had ever even heard of public key crypto. but suddenly when crypto becomes mainstream, the pioneers are often pushed to the sidelines unless they adapt.

2. he attained much of his accomplishments via the work of others. there is no problem with this, but the issue of due compensation arises when he begins to sell this labor. frankly I don't think PRZ is into "sharing". this is the first point in a different context.

3. PRZ is actually somewhat anti-business in some ways. he came from the outside, challenging the "establishment" during nuclear war protests. he can put on a business suit but I suspect there is a lot of different thinking going on beneath the exterior.

4. PRZ has a bad track record as far as meeting deadlines. it is not how his brain works. but this is how business works. with public domain software, no one rants at you if you don't come out with something when you say you will, or even if you don't even say when you are going to be ready. but when money is involved, this is the very first thing you have to be accountable for, no excuses.

5. etc.
now, I am trying to be as generous as possible here. I really admire PRZ and think he has an incredibly enviable feather in his cap with PGP, a very significant accomplishment. but PGP can only be seen as a stepping stone unless he adopts an aggressive strategy to stick his work into the standards of tomorrow. PRZ has shown a great unwillingness to do this. unless PRZ's personality changes in some fundamental way that I think is highly unlikely, I think he will sentence himself to obscurity in the face of a zillion people working on the same ideas. obscurity is not a bad thing, really. PRZ has reached the point where he has enough security to last him the rest of his lifetime. From tcmay at got.net Tue May 14 04:23:47 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 14 May 1996 19:23:47 +0800 Subject: Fingerprinting annoyance Message-ID: At 6:26 PM 5/13/96, Mark O. Aldrich wrote: >On Mon, 13 May 1996, Senator Exon wrote: > > >> i can fill out and manipulate the card myself i just need a >> working method. >> is there no privacy advocate who can help me? >> > >I think most privacy advocates would advise, "Refuse to submit." It >sounds like you're looking for more of a hack on the fingerprinting process. And if you are working for me, and I ask for a fingerprint, and you refuse or "smear" the results (repeatedly, as the first smearing I may just take as your token protest and have you printed again), you'll be out the door by the end of the day. (Personally, I've never worked for a company which demands fingerprints, but I've worked for companies which demanded ID badges and signatures, and these are effectively as intrusive. And I suspect that my former employers are now using thumbprints, and maybe full prints.) What one "doesn't like" and considers an "invasion of privacy" varies from person to person. Some people think having their picture taken is a stealing of their soul. Others fear nefarious things will be done with the DNA from their blood samples. 
Trying to convince a company that photo ID badges and fingerprints are Bad Things is perhaps admirable, just realize that in a free society that employer is under no obligation to hire someone who refuses to go along with the company's security policies. (This relates to the "civil rights" thread.) >of like a key certificate. If you really can dork the card, have ten >different people volunteer one print each. There's no way that they'll >ever be able to use that as evidence in a court or for any other purpose, >either. A stupid idea. As the employer, I wouldn't have to prove it a court of law...suspicion alone that some of my employees were fucking up a security system might be enough for me to either a. promote them to the Tiger Team, or b. fire their asses. (I just can't understand where this pervasive meme is coming from here on this list, the notion that employers are severely limited in what they can do to employees unless they can "prove it in court. Like it or not, most employees in the United States are still employed "at will," and are not covered by employment contracts such as some executives and the like get.) >If you're forced to do this in person with a tech, you can continuously >"fight" the grip they have on your hand and smudge the card. However, Sure. It makes it easy for the employer to simply say "Next candidate." --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Tue May 14 04:25:23 1996 From: tcmay at got.net (Timothy C. 
May) Date: Tue, 14 May 1996 19:25:23 +0800 Subject: Civil liberties of employees (Re: FYB_oss) Message-ID: Professor Froomkin and I have many disagreements about the nature and direction of laws in the U.S. I think I was careful to couch my points in terms of what the law should be, not what it currently is. For example, I think it fully Constitutional to choose not to serve blacks in one's home, business, church, or whatever. Until fairly recently, the courts saw it this way as well. (I'm not referring to state-sponsored discrimination, such as keeping blacks and women from voting, or visiting government-paid-for facilities, etc) [This is a provocative statement to many. I can elaborate if there is real interest. Suffice it to say that if I operated a bookstore, or gym, or restaurant, or whatever, I would not personally choose to discriminate thusly. Though I might with regard to other (unspecified here) so-called minority groups. And it would be my free right to choose whom to hire, whom to do business with, whom to serve, and so on. It's pretty clear in the Constitution, as I see it, that the government is not empowered to tell people whom they may associate with and whom they _must_ associate with. Again, the so-called Civil Rights Movement, which had good origins in overturning clearly unconstitutional laws about voting (Jim Crow laws), state-enforced segregation, etc., has been carried to the point of interfering with the right of free association.] The current interpretation of the law makes it a crime for a restaurant to allow smoking (at least in many--and increasing--locales). The current interpretation (henceforth shortened to "CI" for brevity) says that a church may not discriminate on the basis of religious affiliation, and hence must not discriminate against Satanists. The CI says that a health club may not discriminate against women (but, interestingly, many health clubs here in my state of California are "women-only"). 
The CI says that if a white person uses the term "nigger" he may be convicted, in some jurisdictions, of a "hate crime," but if the coloreds use the term, it's OK. [Here in Santa Cruz, the term "black" has fallen into disfavor, and is dubbed a label of the whitemale patriarchy. Thus, we have "lesbians of color," "students of color," "queers of color," etc. As one leading thinker puts it, "all wymyn are people of color." Therefore, colored people, or coloreds, for short. We have come full circle.] >The issue here isn't a constitutional issue. It's a *statutory* right. >And a real one. Sex discrimination in employment is prohibited by law. >We can call this a "civil right" or something else, but the if the facts >alleged in the case to which TCM refers are as claimed, they seem to have >a fairly good case under the law as it stands. And there's a lot more >than skimpy outfits at issue, including a refusal to hire men for what are >allegedly food service jobs (gender may only be a determination of >employment if it is a bona fide occupational qualfiication, e.g. policing >the showers in the gym; gender is not a BFOQ for food service jobs.) It is not the business of any regulatory agency to _second-guess_ why I want my girls at my Hooters to wear skimpy outfits. In fact, there is no real doubt why the girls are dressed as they are. (Hint: the name.) The girls can choose to work for me, or not. No slavery is involved. (Of course, I also favor legalization of indentured servitude. The military is allowed to buy X years of labor by paying for a student's education, so why not IBM? It might actually help the unemployment crisis we are now in.) In any case, I choose to focus on politico-jurisprudential issues, of what the law _should_ be, not what the current mess says is the law. As Roseanne Barr--not one of my favorites--recently so cogently observed: "Heidi Fleiss is going to prison, OJ Simpson is playing golf in Brentwood...we're living in Dante's Inferno." 
--Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From furballs at netcom.com Tue May 14 04:27:14 1996 From: furballs at netcom.com (Paul S. Penrod) Date: Tue, 14 May 1996 19:27:14 +0800 Subject: Fingerprinting annoyance In-Reply-To: Message-ID: On Mon, 13 May 1996, Mark O. Aldrich wrote: > On Mon, 13 May 1996, Senator Exon wrote: > > > > i can fill out and manipulate the card myself i just need a > > working method. > > is there no privacy advocate who can help me? > > > > I think most privacy advocates would advise, "Refuse to submit." It > sounds like you're looking for more of a hack on the fingerprinting process. You can refuse, and the service or permit applied for will be witheld. Not very productive. > > Normally, you're not going to be allowed to manipulate the card yourself. > You're going to have to be printed by a "tech" (read: trusted by big > brother) who's going to ensure that those prints are really yours. Sort > of like a key certificate. If you really can dork the card, have ten > different people volunteer one print each. There's no way that they'll > ever be able to use that as evidence in a court or for any other purpose, > either. > > Another fun thing to do is to use prints from dead people. A > friend who works in a hospital can help. Medical students can sometimes > get access to dead bodies, but many used for teaching purposes (the > bodies, not the students) already have the skin removed, thus they have no > prints. 
Best to examine those dead digits yourself before sneaking in the > card and ink. I also understand that taking prints from a corpse can be > difficult, so plan on having a friend help or on having some rigging > equipment to get the appropriate positioning for the body. Pre-detached > or detachable limbs would be helpful. > > If you're forced to do this in person with a tech, you can continuously > "fight" the grip they have on your hand and smudge the card. However, > they'll not submit the card until the prints are "good," so this sort of > betrays your intent of at least appearing to cooperate with them. In the > law enforcement community, they are taught how to take prints by force > but it's unlikely that your tech will attempt any such technique. > I know of no such instance (other than some informal "fingerprint the kiddies for safety" schtick) where it's a do-it--yourself operation. While the methods listed are clever, they and many other finaglings are the main reason it's done in the "light of day" by a tech. > You can mutilate the tips of your fingers so that prints cannot be > acquired, but this hurts. Badly. Doesn't always work. Partials can be extrapolated to yield a relative match. > > You could get some false latex coverings for your finger tips, but they'd > have to be damn good to fool a tech. Likely to cost big bucks, too. Wont work. The hands are checked first for signs of tampering. > > I know of no chemical or physical "pre-treatment" that can be used to > hack the ink transference process. Perhaps one of the chemists here on > the list might know of some good technique. Pineapple juice and other weak acidic subtances ruin the ridges on the finger tips causing them to smear or not show at all. Unfortunately, this takes a period of time and constant handling of such items. > > If you want professional help, I've heard talk of a fingerprint expert in > California who offers expert testimony in courts, and so forth. His name > is Greg Moore. 
He is, however, a retired cop. I do not know how willing > he'd be to give you expert advice on hacking a fingerprint card, but it's > worth a try. He would most likely at least answer some questions about > the fingerprinting process, depending upon how pleading and helpless you > can sound. You can reach him at gmoore at lightlink.satcom.net. He > may be willing to help you for free, or perhaps for a fee. > There may be a book or to on the subject. The local library may carry refernce or other materials on police, detective and forensics. You can also try Revolution Books in Seattle WA. They deal in the esoteric. ...Paul From llurch at networking.stanford.edu Tue May 14 04:30:06 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 14 May 1996 19:30:06 +0800 Subject: Transitive trust and MLM In-Reply-To: <199605131833.LAA14629@toad.com> Message-ID: On Mon, 13 May 1996 eli+ at GS160.SP.CS.CMU.EDU wrote: > EALLENSMITH at ocelot.Rutgers.EDU writes: > > Now, there's the question of whether you _need_ to be linked to everyone - > > [...] I see nothing wrong (and am in favor of) separation of the > > elite from the masses. > > Gee, let me guess which group you're in... I'll go with "people I want > to talk to" versus "people I don't want to talk to", thanks. That sounds sincere coming from someone who calls himself "eli+" :-) > It's true that you don't need to talk to everybody. The problem is > that I might want to talk to people whom I don't know personally, but > know by reputation, or by function ("DEA Rat Hotline" -- well, maybe > not). Yes, that is a problem. That problem is one of the reasons that public key encryption was invented, actually. The way to know whether an untrusted key really belongs to someone is to wait for the response. Which means don't spill all the beans at once. -rich From EALLENSMITH at ocelot.Rutgers.EDU Tue May 14 04:30:35 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. 
ALLEN SMITH) Date: Tue, 14 May 1996 19:30:35 +0800 Subject: Civil liberties of employees (Re: FYB_oss) Message-ID: <01I4OG5LPHSK8Y5BUB@mbcl.rutgers.edu> From: IN%"tcmay at got.net" 13-MAY-1996 17:56:08.53 What others have said in regards to implicit contracts is about what I would have, with the addition that the inclusion of some third party should occur to handle the cases when the contract (explicit or implicit) doesn't cover something. Such a third party would preferably be an arbitration agency chosen by the other parties to the contract, but can be a government if they didn't chose one or the agency isn't available for some reason. >(But contracts are of course possible. Enforcement of the terms is another >matter. By the way, I think enforcement of such contracts should be handled >outside the normal legal system, and paid for by the parties using the >system.) One organization that I would like to see develop is one specializing in the enforcement of extralegal/illegal contracts. Payments to a legal form of such an organization should be tax-deductible, just as payments to private security guards should be tax-deductible; you're doing the government's work for it, so you shouldn't have to pay the government for it. Cryptography can be used to reduce the necessity for such in many cases, or at least reduce the work involved - which should reduce the fees that such an organization should need to pay. One aspect of this is digital receipts; I need to take a look at Applied Cryptography to check out the discussion there on them. Anyplace else I should look? -Allen From froomkin at law.miami.edu Tue May 14 04:39:13 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Tue, 14 May 1996 19:39:13 +0800 Subject: Civil liberties of employees (Re: FYB_oss) In-Reply-To: Message-ID: On Sun, 12 May 1996, Timothy C. 
May wrote: > Actually, one _does_ check one's Constitutional rights "at the door" (of an > employer), and the confusion over this issue is pervasively destroying real > Constitutional rights. Yes and no...and kinda no. Yes: your employer can require as conditions of employment many many things that the government could never require, e.g. the many examples Tim gives. No: The constitution prohibits slavery. This is in fact the *ONLY* part of the constitution that *directly* regulates private behavior (everything else either empowers or disempowers the goverment). Hency your employer cannot enslave you constitionally. And "sorta no": The constitution empowers congress to legislate in many areas. Congress has legislated many "civil rights" that do not arise directly from the Constitution, but rather from Congress's use of the powers delegated to it under that document. Thus, an unsuspecting reader might be mislead when TCM serves up the bait by writing... [...] > > The Constitution is about what the government can and cannot require, not > about what I as an employer can require. This point is frequently confusing > to people who, in my opinion, haven't thought about it. Thus, a "Hooters > girl" suddenly decides she doesn't like "displaying herself" to men and > announces that her civil liberties are being violated by being told to wear > skimpy outfits. > > The issue here isn't a constitutional issue. It's a *statutory* right. And a real one. Sex discrimination in employment is prohibited by law. We can call this a "civil right" or something else, but the if the facts alleged in the case to which TCM refers are as claimed, they seem to have a fairly good case under the law as it stands. And there's a lot more than skimpy outfits at issue, including a refusal to hire men for what are allegedly food service jobs (gender may only be a determination of employment if it is a bona fide occupational qualfiication, e.g. 
policing the showers in the gym; gender is not a BFOQ for food service jobs.) [I am away from Miami from May 8 to May 28. I will have no Internet connection from May 22 to May 29; intermittent connections before then.] A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm there. From llurch at networking.stanford.edu Tue May 14 04:42:59 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 14 May 1996 19:42:59 +0800 Subject: Fingerprinting annoyance In-Reply-To: Message-ID: On Mon, 13 May 1996, Mark O. Aldrich wrote: > Pre-detached > or detachable limbs would be helpful. I nominate this for quote of the week. In general, my answer remains, "Do you really want to work for an organization that would make you do this? What are they going to make you do next?" -rich From EALLENSMITH at ocelot.Rutgers.EDU Tue May 14 04:43:08 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Tue, 14 May 1996 19:43:08 +0800 Subject: Transitive trust and MLM Message-ID: <01I4OGDUWTCA8Y5BUB@mbcl.rutgers.edu> From: IN%"eli+ at GS160.SP.CS.CMU.EDU" 13-MAY-1996 19:59:41.90 >EALLENSMITH at ocelot.Rutgers.EDU writes: >> The different paths going through those different signatures will be >>correlated/non-independent, yes.... but that isn't the problem unless you're >>considering multiple paths (in a more complicated version). >To determine key validity, you do have to consider all paths. If a >single trusted path to the bad key exists, the attacker wins. Hmm.... a useful distinction in this is between multiple paths with no common elements except the beginning and end and ones with common elements. 
The sections of the ones with common elements that have no common elements can probably be treated as a subset of the larger path - a virtual link, if you will - with its values (trustworthiness et al) determined by the paths contained within it. >> IIRC, there have been some sociological studies showing that _everyone_ >>is linked through 6 or so people. >Milgram's "small world" experiments used a much looser sort of "link" >than we want here. It would be certainly interesting to know how >large a difference this makes. Milgram? Thanks, I'll check for that name. >It's true that you don't need to talk to everybody. The problem is >that I might want to talk to people whom I don't know personally, but >know by reputation, or by function ("DEA Rat Hotline" -- well, maybe >not). I'm not disputing that... just that you don't need to be able to go through the web to reach everyone who's got a key. Admittedly, the subsection of people who have keys are more likely (through being more technologically sophisticated et al, on average) to be useful to contact than those who don't. -Allen From unicorn at schloss.li Tue May 14 04:44:57 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 14 May 1996 19:44:57 +0800 Subject: Fingerprinting annoyance In-Reply-To: <199605131344.PAA05388@spoof.bart.nl> Message-ID: On Mon, 13 May 1996, Senator Exon wrote: > in connection with a character and fitness report i have been > asked to supply a review board with a set of my fingerprints > i have never been fingerprinted before > i am not very keen on the idea now > of course refusing will attract suspicion > short of getting someone else to put their fingers in ink for > me does anyone have a cute method by which to obscure my prints > on those cute little cards without it being obvious? > i can fill out and manipulate the card myself i just need a > working method. > is there no privacy advocate who can help me? This all depends on your application. 
If you're trying to avoid specific identification when you are already a suspect of some crime or some such, you're in trouble. Short of finding a dead person with no print record himself and no prior history, you don't have many options. Using someone else's prints risks you acquiring their criminal record of past present and future. If, on the other hand, you are seeking to preemptively foil later computer checks of your prints you are in luck. Most fingerprint indexing schemes rely on specific features in prints which are ranked and reduced to a checksum of sorts. To foil a massive nation wide computer search which may flag your prints, you have to be sure that the checksum of the prints you submit and the actual checksum of your real prints are two significantly different values. Generally speaking fingerprint requirements that are not related to national security issues permit you to submit a card with the signature of a "law enforcement officer" who made the prints. I assume that this is the case with your situation. In this event you can indeed do the prints yourself. Simply use a foam (not felt) ink pad to make the print impressions on the card. Sign whatever name you feel sounds official. (The GPO prints out standard cards for this exact purpose, I assume you have one already). Before doing your own prints, go out and buy some superglue (gel is best) and the finest sewing needle you can find. Those places which are covered in superglue will repel the ink and leave a blank spot when your finger is rolled across paper or the card. By applying a very small amount of superglue to the high ranking features of your fingerprints using the needle as a sort of paintbrush, you can alter the computer checksum of your prints without attracting undue attention to the visual appearance of the prints you submit. Think of it as the ability to erace certain features of your prints. Obviously it is important to know which features are significant to the indexing system. 
I'm not enough of an expert to know myself how to describe them to you nor do I know for certain the most recent ranking systems of features. This is a tedious process and causes hand cramps. It is, however, extremely effective when properly done. Any national computer search trying to locate the identity of your real prints will likely skip right by your earlier submitted and distorted prints. A visual inspection, however, is unlikely to be fooled. Some others have given you the advice that you should simply "refuse to submit" prints. I disagree. A distorted record, especially if you create one pre-emptively, will be especially beneficial while a refusal will simply attract attention. I recognize that some of the people on the list here are a bit more "in your face" about their politics, but it is, for example, hard to practice law without a professional license. All the constitutional arguments in the world don't mean anything when it comes to actually making a living without a required professional license. I compare it to the ease with which one submits a fake social security number rather than simply refuse to submit one at all. A fake one wont raise any eyebrows, refusal will. "What do you have to hide anyhow? Eh?" Best of luck. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. 
Counsel: For all your expert testimony needs: jimbell at pacifier.com From ethridge at onramp.net Tue May 14 04:56:42 1996 From: ethridge at onramp.net (Allen Ethridge) Date: Tue, 14 May 1996 19:56:42 +0800 Subject: Fingerprinting annoyance In-Reply-To: Message-ID: <199605140009435096233@stemmons34.onramp.net> > On Mon, 13 May 1996, Senator Exon wrote: > > in connection with a character and fitness report i have been > > asked to supply a review board with a set of my fingerprints > > i have never been fingerprinted before > > i am not very keen on the idea now > > of course refusing will attract suspicion > Honorable Senator, if you wish to work for the government (or certain > other orgs with a big impact on the public, or in certain highly sensitive > posts, like armed security guard), then you simply have to put up with > this. Especially if you're working for *my* government, or flying *my* > airplane, or guarding *my* money, it's not in my interest to help you. > So... don't work for the government. Work for yourself, or for someone who > treats you like a grownup. Liberty ain't always free and easy. I can't speak to the honorable senator Exon's situation, but my brother is being required to provide his fingerprints to prove that he is fit to be the legal guardian of his wife's daughter. And it isn't his wife, currently the sole legal guardian, who is questioning his fitness or demanding his fingerprints. And on another thread, if rights are simply restrictions on the government and not attributes (inate, even) of the individual, then they are meaningless. -- if not me, then who? mailto:ethridge at onramp.net http://rampages.onramp.net/~ethridge/ From EALLENSMITH at ocelot.Rutgers.EDU Tue May 14 05:03:25 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. 
ALLEN SMITH)
Date: Tue, 14 May 1996 20:03:25 +0800
Subject: Civil liberties of employees (Re: FYB_oss)
Message-ID: <01I4OJI9UR748Y5BUB@mbcl.rutgers.edu>

From: IN%"froomkin at law.miami.edu" "Michael Froomkin" 14-MAY-1996 03:24:06.58

>On Sun, 12 May 1996, Timothy C. May wrote:

>> Actually, one _does_ check one's Constitutional rights "at the door" (of an
>> employer), and the confusion over this issue is pervasively destroying real
>> Constitutional rights.

>Yes and no...and kinda no.

Umm... you would appear to be discussing the current legal situation, whereas TCMay was discussing what the situation _should_ be. In the limits you discuss, the civil liberties of the _employer_ are being seriously trampled upon.

-Allen

From cwe at it.kth.se Tue May 14 05:04:50 1996
From: cwe at it.kth.se (Christian Wettergren)
Date: Tue, 14 May 1996 20:04:50 +0800
Subject: Notes from the SF Physical Cypherpunks meeting
In-Reply-To:
Message-ID: <199605140714.JAA23406@piraya.electrum.kth.se>

[I've cc:ed this note to one of the designers of KOM, Jacob Palme. Hi Jacob! -cwe]

| Thanks to everyone who took the trouble to correct errors in my
| notes from Saturday's Cypherpunks meeting. They were written
| for my own benefit -- and for the benefit of some friends who
| couldn't be there. Since I can give away information without
| losing it (to misquote Thomas Jefferson), I'm happy to share it
| with the cypherpunks.
|
| A comment from Matts Kallioniemi might be worth some further discussion:
|
| >>COM e-mail/bbs system (Sweden) -- operator could backup
| >>e-mail, but not read it.
| >
| >Sure. The database was encrypted by using XOR with the string
| >"KOM". That was the sorry state of encryption in the early eighties.
| >
|
| Encrypting the database with a fixed string offers a good example
| of how "locks keep honest people honest." This would prevent an
| operator from unintentionally reading a message in case it was
| revealed by, perhaps, a disk sector editor or crash dump.
|
| I suspect that the state of encryption in Sweden in the early
| eighties was somewhat stronger than XOR (wasn't Hagelin a Swede who
| moved to Switzerland to start Crypto AG?), but not necessarily
| visible to the general public.
|
| The Swedish government has a rather strong tradition of protection
| of individual privacy (encrypting COM e-mail is one example).
| For example, the initial Swedish implementation of a national
| criminal database in the mid 1970's (equivalent to the US NCIC) used
| dialback telexes to prevent unauthorized (and untracked) access.
| A recent newspaper article noted that some police officers were
| being investigated for unauthorized access to the personal information
| of a colleague who had complained of sexual harassment.
|
| Martin Minow
| minow at apple.com

From EALLENSMITH at ocelot.Rutgers.EDU Tue May 14 05:05:18 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Tue, 14 May 1996 20:05:18 +0800
Subject: Mandatory Voluntary Self-Ratings
Message-ID: <01I4OGVSC1B88Y5BUB@mbcl.rutgers.edu>

From: IN%"jamesd at echeque.com" 13-MAY-1996 23:52:07.00

At 03:45 AM 5/13/96 EDT, E. ALLEN SMITH wrote:
>> the conservatives won't let people just rate
>> "objectionable" material in order to keep it from them. They want it off the
>> net/world whether or not it's rated.

>In the course of channel surfing, I have once or twice come across
>the Christians ranting about pornography. They have both legitimate
>and illegitimate complaints, but mainly they emphasize the legitimate
>complaint. PICS addresses this legitimate complaint.

I've never heard a fundamentalist (there are other Christians than fundamentalists, BTW) ranting about how they can be exposed to pornography; it's always others they claim to be upset about. I was raised a Southern Baptist, so I suspect I'm familiar with fundys.
-Allen

From dm at amsterdam.lcs.mit.edu Tue May 14 05:06:32 1996
From: dm at amsterdam.lcs.mit.edu (David Mazieres)
Date: Tue, 14 May 1996 20:06:32 +0800
Subject: THE ONLY WAY TO UNSUBSCRIBE
In-Reply-To: <199605132111.QAA00205@silver.niia.net>
Message-ID: <199605140646.CAA22566@amsterdam.lcs.mit.edu>

> From: Mathew Ellman
> Date: Mon, 13 May 1996 16:11:54 -0500
>
> TO ALL MEMBERS,
> I'M TIRED OF ALL THIS SHIT I HAVE UNSUBSCRIBED MANY TIMES AND ALL I
> GET IS SOME STUPID ASS REPLY ABOUT CLOSED LIST OR ADDRESS NOT MATCHING AND I
> GET NO REPLY SO UNLESS YOU ALL WANT TO GET A BUNCH OF UNWANTED BULLSHIT
> (LIKE THE SHIT I'M GETTING FROM YOU) I SUGGEST SOMEONE FIND A WAY TO GET ME
> THE FUCK OFF THIS LIST. I HAVE GOT IN TOUCH WITH THE PERSON THE REPLY TELL
> ME TO AND NO REPLY. I'M TIRED OF ALL THIS SHIT.

As many of you know, the secret to getting off the cypherpunks mailing list is closely guarded and only even understood by a few, highly skilled cryptographers. The problem is that if there were any simple way of sending a simple mail message saying, "hey get me off this list", then the NSA could simply forge this message for every member of the list thereby suppressing all the subversive information discussed on this mailing list.

An alternative would be to require a cryptographically signed unsubscribe message. However, even then we would run the risk of the NSA cracking our private keys with their superior technology. Moreover, President Clinton has made it illegal to use cryptography in many countries other than the United States, so that foreigners would still not be able to unsubscribe.

This leaves only one solution, and has resulted in the cypherpunks philosophy: "Once a cypherpunk, always a cypherpunk." Anyone who joins the cypherpunk mailing list must remain on the mailing list for the rest of his existence.

Unbeatable, you may think. How can I get off the mailing list if there is no way to unsubscribe?
Well, I will now reveal the secret of leaving the cypherpunks mailing.
Before reading further, however, I must ask that you become a US
citizen or permanent resident if you are not one already. You must
also agree not to discuss this information with any foreigners, as
providing any kind of assistance to non-US cryptographers is a federal
crime for American citizens.

Now, though you must remain a cypherpunk for the rest of your
existence, you will be removed from the mailing list when you cease to
exist. The trick to unsubscribing is therefore to convince the
cypherpunks majordomo and the NSA that you no longer exist, when in
fact you really do.

Though for years cypherpunks have thought this meant cancelling one's
E-mail account, there is, in fact, a second, secret escape route from
cypherpunks: exit code 67. That's right, if your local mailer exits
with code 67 on receipt of each cypherpunks mail message, you will
suddenly seem to have disappeared. The cypherpunks will simply
believe that the NSA finally got to you, and that nothing more can be
done to communicate with you. All the while, though, you can continue
exchanging private E-mail on topics other than cryptography.

How then, do you use exit code 67? First, you must create a file
called "cypherpunks-filter" which contains the following:

    #!/bin/csh
    setenv PATH /bin:/usr/bin
    # Login name, taken from the parentheses in the output of id(1)
    set username=`id | sed -e 's/).*//' -e 's/.*(//'`
    set homedir=~$username
    set tmpfile=$homedir/.mailtmp.$$
    # Save the incoming message so it can be inspected, then delivered
    cat > $tmpfile
    # The list archive renders "@" as " at "; the real header has "@"
    if ( { egrep -q '^Sender: owner-cypherpunks at toad.com' \
           $tmpfile } ) then
        rm -f $tmpfile
        # 67 is EX_NOUSER in sysexits.h: the mailer reports "user unknown"
        exit 67
    endif
    # Anything else is handed to the local delivery agent
    (rm -f $tmpfile; exec /bin/mail -d $username) < $tmpfile

Then, create a file called ".forward" in your home directory. In this
file, place the following line:

    |"IFS=' '&&exec csh /path/to/cypherpunks-filter #yourlogname"

You must replace '/path/to/cypherpunks-filter' with the actual path of
the file you just created, and you must replace `yourlogname' with
your actual log name.
After you have done this, you will stop receiving all cypherpunks
E-mail. Eventually, you will even be removed from the mailing list.

Be aware, however, that this procedure is illegal in Georgia unless
you first legally change your name to "Mailer Daemon".

From grafolog at netcom.com Tue May 14 05:12:15 1996
From: grafolog at netcom.com (Jonathon Blake)
Date: Tue, 14 May 1996 20:12:15 +0800
Subject: Fingerprinting annoyance
In-Reply-To:
Message-ID:

    Paul:

On Mon, 13 May 1996, Paul S. Penrod wrote:

> There may be a book or two on the subject. The local library may carry
> reference or other materials on police, detective and forensics. You

    << From the 1990 Loompanics Unlimited Catalog >>

    The Fingerprint Identification System
    How Intelligence Agents Change Their Fingerprints

    Loompanics Unlimited
    P O Box 1197
    Port Townsend WA 98368

    xan

    jonathon
    grafolog at netcom.com

**********************************************************************
*                                                                    *
*  Opinions expressed don't necessarily reflect my own views.       *
*                                                                    *
*  There is no way that they can be construed to represent          *
*  any organization's views.                                         *
*                                                                    *
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
*  ftp://ftp.netcom.com/pub/gr/graphology/home.html                  *
*                                                                    *
*  OR                                                                *
*                                                                    *
*  http://members.tripod.com/~graphology/index.html                  *
*                                                                    *
***********************************************************************

From llurch at networking.stanford.edu Tue May 14 05:35:58 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Tue, 14 May 1996 20:35:58 +0800
Subject: Fingerprinting annoyance
In-Reply-To: <199605140009435096233@stemmons34.onramp.net>
Message-ID:

On Tue, 14 May 1996, Allen Ethridge wrote:

> I can't speak to the honorable senator Exon's situation, but my brother
> is being required to provide his fingerprints to prove that he is fit to
> be the legal guardian of his wife's daughter.
> And it isn't his wife,
> currently the sole legal guardian, who is questioning his fitness or
> demanding his fingerprints.

It's times like those that Jim Bell makes some sense. SOME.

-rich

From don at cs.byu.edu Tue May 14 06:19:15 1996
From: don at cs.byu.edu (Don)
Date: Tue, 14 May 1996 21:19:15 +0800
Subject: Accidental subscriber needs help off of list.
In-Reply-To: <199605130323.UAA15286@pacifier.com>
Message-ID:

> >...and I was accidently placed on your Cyberpunk mailing

Uh huh....

unless someone's got a web page that autosubscribes people (and if there
is, please turn it off) I somehow doubt the accuracy of this description.

PS: does anyone know when nntp.hks.net will get cypherpunks working again?
Noise like what I'm writing now is *much* easier to skip via nntp...

Don

From EALLENSMITH at ocelot.Rutgers.EDU Tue May 14 07:00:11 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Tue, 14 May 1996 22:00:11 +0800
Subject: Copyright law - potential limits on encryption?
Message-ID: <01I4OJOW9SEE8Y5BUB@mbcl.rutgers.edu>

    I thought the following from CPSR had some relevance, insofar as part
of what the proposed law is trying to outlaw are "devices needed for making
use of encrypted information." The accusations of corporate benefit are
irrelevant, of course.
    -Allen

From: akrause at Sunnyside.COM (Audrie Krause)
Subject: Action Alert: Copyright

Cyber-rights moderator Andy Oram and online activist Jim Warren have
forwarded alerts regarding pending Congressional action on copyright
legislation. At this late date, the best course of action is a phone
call or fax. You can reach all members of Congress through the capitol
switchboard: (202) 224-3121. Email messages to Congress are *not*
particularly effective.

Detailed information follows from both Jim and Andy.
Audrie

----------------------------

>From Jim Warren:

Check out the examples, below, of how your net access to *any* information
will soon be repressed, prohibited and/or criminalized for corporate benefit.

THIS REALLY IS AS BAD AS IT SOUNDS.

Although this happens to come from the American Library Association and is
thus focused on library concerns with the Beltway ripoff-artists' pervasive
copy-suppression legislation that is being rammed through Congress,
*everyone* online and on computers needs to be aware of this impending
repression.

I donno who Clinton's Copyright Office and Gingrich-Dole's Congress are
representing, but they sure as hell aren't representing the *public's*
interests.

Howl now to your(?) "representatives" ... or bend over for the corporate
hustlers, henceforth.

--jim, a disloyal subject of the Washington Royalty
Jim Warren, GovAccess list-owner/editor, advocate & columnist (jwarren at well.com)
345 Swett Rd., Woodside CA 94062; voice/415-851-7075; fax/<# upon request>

------------------------

>Date: Fri, 10 May 1996 17:58:00 -0400
>Sender: owner-ala-wo at ala1.ala.org
>From: ALAWASH E-MAIL (ALAWASH E-MAIL)
>To: ala-wo at ala.org
>Subject: ALAWON, Vol. 5, No. 24 - ACTION ITEM (220 lines)
>
>
>ALAWON                                        Volume 5, Number 24
>ISSN 1069-7799                                       May 10, 1996
>     American Library Association Washington Office Newsline
>
>
>     URGENT: IMMINENT CONGRESSIONAL ACTION ON NII COPYRIGHT
>LEGISLATION THREATENS TO LEAVE LIBRARIES AND SCHOOLS IN THE LURCH
>
>IMMEDIATE ACTION NEEDED: Your immediate faxes and calls to key
>House Committee Members critical.
>
>BACKGROUND:
>The House is rushing the "NII Copyright Protection Act" bill to
>"mark up" in the House Courts and Intellectual Property
>Subcommittee on Wednesday of next week, May 15! The House
>completed its hearings in February on this bill. (Earlier
>ALAWON's have described in detail the "NII Copyright Protection
>Act" taken from the Administration's "White Paper" and introduced
>in Congress last September.)
>
>Worse yet, the Courts and Intellectual Property Subcommittee is
>also considering wrapping the Copyright Term Extension Act (which
>would lengthen the term of copyright protection by 20 years) into
>the "NII Copyright" package on May 15. That action could short-circuit
>negotiations between ALA and copyright owners that began
>last October to craft an exemption from the term extension for
>libraries, archives and non-profit educational institutions. If
>approved in its current form, the bill would:
>
>*** make it a copyright violation to simply browse the Net
>without a license from copyright owners;
>
>*** subject computer system operators -- such as on-line services
>and networks at schools and libraries -- to potentially crippling
>liability for the copyright violations of their users, even if
>the operator;
>
>*** cripple "distance education" efforts especially vital to
>rural communities and the disabled; and
>
>*** make it illegal to manufacture, import or distribute devices
>and software (including computers and VCRs) needed by industry,
>schools and libraries to make "fair use" of encrypted information
>by overruling long-standing Supreme Court precedent.
>
>The Senate is moving deliberately on this tremendously imbalanced
>package and has indicated that changes in it need to be made to
>protect libraries and schools. The Senate Judiciary Committee,
>which just held the first of its own (non-joint) hearings on this
>bill on May 7, and is taking a far more deliberate approach to
>these complicated issues.
>
>In fact, Chairman Hatch appeared open at the hearing to many of
>the proposals backed by libraries and educational groups put
>forward by Prof. Robert Oakley (of AALL) on behalf of the Digital
>Future Coalition, in which ALA has been very active. (The DFC
>was given one of only five total witness slots at this important
>hearing held coincidentally on ALA's annual Legislative Day.)
>Sen.
>Hatch also indicated that he would hold at least one
>additional hearing which is likely to include a "library"
>witness.
>
>ACTION NEEDED NOW:
>Please immediately fax a letter to AND CALL all Members of the
>House Intellectual Property Subcommittee listed below who
>represent you or an institution with which you are affiliated.
>These contacts must be made NO LATER THAN Tuesday, May 14 and
>preferably sooner. Contact info and a sample letter follow.
>
>For more information about the bill, the dangers it poses and the
>constructive solutions offered, please see the DIGITAL FUTURE
>COALITION WEBSITE at http://www.ari.net/dfc
>
>***************************************************************
>Using appropriate style for addressing Congress, please address
>all letters to Members, as listed below e.g., "2346 RHOB" for
>"Rayburn House Office Building", LHOB=Longworth and CHOB=Cannon)
>+ Washington, DC 20515.
>
>Info appears as:
>
>Member                        and Home City
>Address        Phone          Fax
>
>Carlos Moorhead               Glendale, CA
>2346 RHOB      225-4176       226-1279
>
>F. James Sensenbrenner        Brookfield, WI
>2332 RHOB      225-5101       225-3190
>
>George Gekas                  Harrisburg, PA
>2410 RHOB      225-4315       225-8440
>
>Howard Coble                  Asheboro, NC
>403 CHOB       225-3065       225-8611
>
>Elton Gallegly                Oxnard, CA
>2441 RHOB      225-5811       225-1100
>
>Charles Canady                Lakeland, FL
>1222 LHOB      225-1252       225-2279
>
>Bob Goodlatte                 Roanoke, NC
>123 CHOB       225-5431       225-9681
>
>Martin Hoke                   Fairview Park, OH
>212 CHOB       225-5871       226-0994
>
>Sonny Bono                    Palm Springs, CA
>512 CHOB       225-5330       225-2961
>
>John Conyers, Jr.             Detroit, MI
>2426 RHOB      225-5126       225-0072
>
>Patricia Schroeder            Denver, CO
>2307 RHOB      225-4431       225-5842
>
>Howard Berman                 Mission Hills, CA
>2231 RHOB      225-4695       225-5279
>
>Rick Boucher                  Abingdon, VA
>2245 RHOB      225-3861       225-0442
>
>Jerry Nadler                  New York, NY
>109 CHOB       225-5635       225-6923
>
>Xavier Becerra                Los Angeles, CA
>1119 LHOB      225-6235       225-2202
>
>                         SAMPLE LETTER
> ****************************************************************
>
>                                                          [DATE]
>
>[Hon. ____________________
>United States House of Representatives]
>__# __ ____ Office Building
>Washington, D.C. 20515
>
>Dear Representative__________:
>
>     As a member of the American Library Association and an
>active {your connection to libraries and their work, e.g.,
>librarian, trustee, volunteer, etc.}, I am writing today to ask
>that you do everything in your power to assure that two bills now
>pending before the House Courts and Intellectual Property
>Subcommittee are not voted out of Committee unless and until they are
>amended to help libraries serve the public in the following ways.
>
>     First, the "NII Copyright Protection Act of 1995" (H.R.
>2441) must be changed to permit libraries to use the latest
>technologies to preserve crumbling older works and to have
>sufficient copies of those works on hand to guarantee their
>survival. Provisions that will continue to foster "distance
>education" also are critically important. More broadly, balance
>must be restored to the legislation by adopting a series of
>amendments proposed by the Digital Future Coalition (DFC), many
>of which are based on a strong commitment to the Fair Use
>Doctrine. I share that commitment. If Congress is to update
>copyright law for the digital age, the rights of copyright owners
>and the needs of information users must both be fully respected
>and advanced. I support the DFC's package of amendments to the
>Copyright Act, particularly those related to Sections 106, 107
>and 108.
>
>     Second, and just as critically, the "Copyright Term
>Extension Act"(H.R. 989) must also be rebalanced to protect and
>foster library preservation efforts and education at all levels.
>In its current form, this bill would extend the length of
>copyright in published materials by 20 years. It would also
>lengthen the term of copyright for unpublished works by 10 years.
>In other words, the bill will impose a 10 or 20 year moratorium
>on works entering the public domain. The costs of tracking down
>the owners of these works (often 100 or more years old) imposes
>costs on libraries better spent on serving the public. ALA's
>representatives in Washington have been negotiating a suitable
>amendment to this bill with major copyright industries since
>December of last year. The Register of Copyrights is mediating
>those talks. Please do everything that you can to allow that
>process, which I am told is going well, to bear fruit. Premature
>action on this bill would be disastrous for libraries and
>schools.
>
>     Thank you very much for helping libraries make the most of
>new technology and the Internet to bring the benefits of
>information technology to all Americans, and especially those in
>[INSERT THE NAME OF YOUR STATE, CITY OR COUNTY REPRESENTED BY THE
>MEMBER TO WHOM YOU'RE WRITING]. ALA's Washington Office staff
>would be pleased to provide you or your office with more
>information. They can be reached at 202-628-8410.
>
>                                   Sincerely,
>
>_________________________________________________________________
>ALAWON is a free, irregular publication of the American Library
>Association Washington Office. To subscribe, send the message
>"subscribe ala-wo [your_firstname] [your_lastname]" to @ala.org>.
>ALAWON archives gopher.ala.org; select Washington
>Office Newsline. Web page HTTP://www.ala.org/alawashington.html.
>
>ALA Washington Office                  202.628.8410 (V)
>1301 Pennsylvania Ave., NW, #403       202.628.8419 (F)
>Washington, DC 20004-1701              Lynne E. Bradley, Editor
>
>Contributor to this issue: Adam M. Eisgrau
>
>
>All materials subject to copyright by the American Library
>Association may be reprinted or redistributed for noncommercial
>purposes with appropriate credits.

---------------

>From Andy Oram:

(Introduction from moderator: the message below does not explain how
all the awful consequences it predicts could stem from some extensions
to copyright law. I think the worrisome section of the bill is the
one prohibiting "any device, product, or component incorporated into a
device" that can circumvent copyright. Despite language about its
"primary purpose," such language could be used against legitimate
computer and communications equipment.--Andy)

Sender: John Whiting <100707.731 at CompuServe.COM>

---------- Forwarded Message ----------

From: Labor Committee on the Middle East, INTERNET:melblcome at igc.apc.org
TO:   Democracy Now and Then, INTERNET:DEMOCRACY-NOW at IGC.APC.ORG
      Forum KPFA, INTERNET:FREEKPFA at COCO.CA.ROP.EDU
      (unknown), INTERNET:PACNEWS at AOL.COM
      (unknown), INTERNET:PNN at IGC.APC.ORG
DATE: 12/05/96 02:35

RE: Action Needed on Intellectual Property Bill

URGENT MESSAGE:

Below is an alert regarding the May 15 Mark-up of HR 2441. Please post
this text on your Web Sites and forward it to all interested parties.
Specific efforts should be made to have people in the districts of
members of the IP Subcommittee contact their representatives. A link to
the DFC Web Site can be made by linking your Web Site to
http://www.ari.net/dfc -- a thumbnail graphic for the link can be found
at http://www.ari.net/tlogo.gif

Suggested text for letters to Representatives will follow shortly.

**************************************************************

YOUR IMMEDIATE FAXES AND CALLS TO CONGRESS NEEDED TO SLOW IMMINENT
ACTION ON BADLY FLAWED CYBERSPACE COPYRIGHT BILL

Congressional contacts urgently needed NO LATER THAN Tuesday, May
14..................
Next Wednesday, May 15, the House Judiciary Committee's Intellectual
Property Subcommittee is scheduled to consider amendments to, and vote
on approval of HR 2441, the "National Information Infrastructure Act of
1995." Such approval, if given, would give an important boost to
passage of a legislative package heavily backed by -- and tilted in
favor of -- the movie, recording, and publishing industries (and other
large "content providers"). If passed in its current form, the bill
would:

*** make it a copyright violation to simply browse the Net without a
license from copyright owners;

*** subject computer system operators -- such as on-line services and
networks at schools and libraries -- to potentially crippling liability
for the copyright violations of their users, even if the operator;

*** cripple "distance education" efforts especially vital to rural
communities and the disabled; and

*** make it illegal to manufacture, import or distribute devices and
software (including computers and VCRs) needed by industry, schools and
libraries to make "fair use" of encrypted information by overruling
long-standing Supreme Court precedent.

WRITE AND CALL MEMBERS OF THE HOUSE JUDICIARY INTELLECTUAL SUBCOMMITTEE
AND KEY FULL COMMITTEE MEMBERS NOW (list and information below)!!!

Tell them that:

** These issues, and the healthy development of the Net are of critical
concern to you, AND

** The May 15 meeting of the Intellectual Property Subcommittee is
**too soon**. Congress should take the time needed to understand and
adequately deal with **all ** of the complicated issues raised by
HR 2441 before it takes action.

For more information about the bill, the dangers it poses and the
constructive solutions offered, please see the DIGITAL FUTURE COALITION
Website at http://www.ari.net/dfc.
Please get your faxes and calls to the following members of Congress,
especially those Members who represent you, NO LATER THAN Tuesday,
May 14:

[DATE]

The Honorable {name}
United States House of Representatives
__#__ ____ Office Building
Washington, D.C. 20515

Dear Representative__________:

I am writing today to ask that you do everything in your power to
assure that no action is taken by the House Subcommittee on
Intellectual Property on the "NII Copyright Protection Act of 1995"
(HR 2441) until a broad consensus can be reached on how to resolve a
number of issues of critical importance to me and, in my view, the
future of the Internet. As I understand it, this bill in its current
form, would seriously undermine the ability of businesses, inventors,
schools and libraries to make full use of the Internet's great
potential. Specifically, H.R. 2441 would :

* make it a copyright violation to simply browse the Net without a
  license from copyright owners;

* subject computer system operators -- such as on-line services and
  networks at schools and libraries -- to potentially crippling
  liability for the copyright violations of their users, even if the
  operator has no knowledge of such violations;

* thwart "distance education" efforts especially vital to rural
  communities and the disabled; and

* make it illegal to manufacture, import or distribute devices and
  software (including computers and VCRs) needed by industry, schools
  and libraries to make "fair use" of encrypted information by
  overruling long-standing Supreme Court precedent.

Please don't allow the fears of major copyright owning industries to
cripple the Internet for the rest of America. I urge you and other
members of the House Judiciary Committee to take the time necessary to
understand and thoroughly debate all of the proposed amendments to
H.R. 2441, including those proposed by the Digital Future Coalition.
Thank you very much for helping make the most of new technology and the
Internet to bring the benefits of information technology to all
Americans, and especially those in [INSERT THE NAME OF THE
DISTRICT/CITY].

Sincerely,

ALERT (fwd) END

~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~-~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~
 Posted by Andrew Oram - andyo at ora.com - Moderator: CYBER-RIGHTS (CPSR)
   Cyber-Rights: http://www.cpsr.org/cpsr/nii/cyber-rights/
                 ftp://www.cpsr.org/cpsr/nii/cyber-rights/Library/
   CyberJournal: (WWW or FTP) --> ftp://ftp.iol.ie/users/rkmoore
 Materials may be reposted in their _entirety_ for non-commercial use.
~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~-~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~

--
Audrie Krause
CPSR Executive Director
PO Box 717 * Palo Alto, CA * 94302
Phone: (415) 322-3778 * Fax: (415) 322-4748
* * E-mail: akrause at cpsr.org * *
* Web Page: http://www.cpsr.org/home.html *

From EALLENSMITH at ocelot.Rutgers.EDU Tue May 14 07:59:32 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Tue, 14 May 1996 22:59:32 +0800
Subject: Fingerprinting annoyance
Message-ID: <01I4ONUV5GI88Y5D1N@mbcl.rutgers.edu>

From: IN%"tcmay at got.net" 14-MAY-1996 04:46:37.08

>Trying to convince a company that photo ID badges and fingerprints are Bad
>Things is perhaps admirable, just realize that in a free society that
>employer is under no obligation to hire someone who refuses to go along
>with the company's security policies. (This relates to the "civil rights"
>thread.)

    While in general I agree, he never said it was a company. If it was a
government, for instance, I can see it as being ethical; the same for a
government-caused requirement (like the drug war nonsense) or a
government-supported company (like Airbus in Europe, or others supported by
tariffs.) Since he didn't say, I forbode to answer (mine would have been about
like uni's one of superglue, although I haven't heard the needle idea before.
    -Allen

From mhw at wittsend.com Tue May 14 13:08:34 1996
From: mhw at wittsend.com (Michael H. Warfield)
Date: Wed, 15 May 1996 04:08:34 +0800
Subject: Accidental subscriber needs help off of list.
In-Reply-To:
Message-ID:

Don enscribed thusly:

> > >...and I was accidently placed on your Cyberpunk mailing

> Uh huh....

    "Accidentally" I would find hard to believe. "Maliciously" is
much more likely.

> unless someone's got a web page that autosubscribes people (and if there
> is, please turn it off) I somehow doubt the accuracy of this description.

    I didn't catch the original message so maybe there is more to the
matter than what appears from the one line quote. There is a problem right
now with jerks maliciously subscribing people to lists they've never heard
of. I'm associated with several lists over at iss.net and I don't know how
many times we've seen Newt Gingrich subscribed to all of our lists. I don't
think it's an accident and I don't think Newt is really all that interested
in everything we offer. A very high percentage of our unsubscribe requests
include a message saying "How did I get on this list". I'm also seeing
some indication that this may be extending to some of the downstream
remailers and exploders. How would one get unsubscribed from a list if
they can't even determine where they're subscribed at?

    Many mailing lists are now requiring request confirmations before
they will add or remove someone's subscription. We're still considering
it. It may prove to be the only viable solution to deal with the plague.

> PS: does anyone know when nntp.hks.net will get cypherpunks working again?
> Noise like what I'm writing now is *much* easier to skip via nntp...

> Don

    Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds. A pessimist is sure of it!
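
The request confirmation mentioned in the message above, sketched as an added example; it is not part of the original post and not any list server's actual code. The names `ListServer`, `issue_token` and `verify_token`, the demo key, the three-day lifetime and the example.org addresses are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"   # constructed; a real server loads a random secret
TOKEN_LIFETIME = 3 * 24 * 3600         # assumed policy: confirmations expire after 3 days
ACTIONS = ("subscribe", "unsubscribe")


def _tag(list_name, action, address, expires):
    """MAC over every field the confirmation must be bound to."""
    # Lower-casing the whole address is a simplification for this sketch.
    fields = [list_name, action, address.lower(), str(expires)]
    if any("\n" in f for f in fields):
        raise ValueError("newline in field")   # keeps the field encoding unambiguous
    mac = hmac.new(SERVER_KEY, "\n".join(fields).encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:16]).decode().rstrip("=")


def issue_token(list_name, action, address, now=None):
    """Token to be mailed to `address`; only a reader of that mailbox sees it."""
    now = int(time.time() if now is None else now)
    expires = now + TOKEN_LIFETIME
    return "%d.%s" % (expires, _tag(list_name, action, address, expires))


def verify_token(token, list_name, action, address, now=None):
    """True only for an unexpired token issued for this list, action and address."""
    now = int(time.time() if now is None else now)
    expires_text, sep, tag = token.partition(".")
    if not sep or not (expires_text.isascii() and expires_text.isdigit()):
        return False
    expires = int(expires_text)
    if now > expires:
        return False
    try:
        expected = _tag(list_name, action, address, expires)
    except ValueError:
        return False
    return hmac.compare_digest(tag.encode(), expected.encode())


class ListServer:
    def __init__(self, name):
        self.name = name
        self.members = set()
        self.outbox = []   # (recipient, token) pairs standing in for mail actually sent

    def request(self, action, claimed_from):
        """An unauthenticated request: the From: address is only a claim,
        so membership is not touched; a token is mailed to that address."""
        if action not in ACTIONS:
            raise ValueError("unknown action: %r" % action)
        token = issue_token(self.name, action, claimed_from, self.clock())
        self.outbox.append((claimed_from.lower(), token))

    def confirm(self, action, address, token):
        """Apply the change only when the mailed token comes back."""
        if action not in ACTIONS:
            return False
        if not verify_token(token, self.name, action, address, self.clock()):
            return False
        if action == "subscribe":
            self.members.add(address.lower())
        else:
            self.members.discard(address.lower())
        return True

    def clock(self):
        return getattr(self, "now", None)   # tests may pin self.now; default is real time


def demo():
    srv = ListServer("cypherpunks")
    srv.now = 832000000                       # constructed timestamp
    victim, member = "victim@example.org", "member@example.org"
    results = {}
    # Someone else submits a subscribe request in the victim's name. The token
    # goes to the victim's mailbox, so the requester can only guess at it.
    srv.request("subscribe", victim)
    guess = "%d.%s" % (srv.now + TOKEN_LIFETIME, "A" * 22)
    results["forged_subscribe"] = srv.confirm("subscribe", victim, guess)
    # A real subscriber reads the token from their own mail and returns it.
    srv.request("subscribe", member)
    tok = srv.outbox[-1][1]
    results["real_subscribe"] = srv.confirm("subscribe", member, tok)
    # The same token is useless for another action or another address.
    results["cross_action"] = srv.confirm("unsubscribe", member, tok)
    results["cross_address"] = srv.confirm("subscribe", victim, tok)
    # A confirmation returned after the lifetime has passed is refused.
    srv.request("unsubscribe", member)
    late = srv.outbox[-1][1]
    srv.now += TOKEN_LIFETIME + 1
    results["expired"] = srv.confirm("unsubscribe", member, late)
    results["members"] = sorted(srv.members)
    return results
```

Because the token is a MAC over the list, action, address and expiry, the server keeps no pending-request table, and a request made in someone else's name changes nothing unless the real mailbox owner returns the token.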

From trei at process.com Tue May 14 14:28:50 1996
From: trei at process.com (Peter Trei)
Date: Wed, 15 May 1996 05:28:50 +0800
Subject: [NOISE] Re: Notes from the SF Physical Cypherpunks meeting
Message-ID: <199605141322.GAA12489@toad.com>

> From: minow at apple.com (Martin Minow)
> Subject: Re: Notes from the SF Physical Cypherpunks meeting
[...]
> The Swedish government has a rather strong tradition of protection
> of individual privacy (encrypting COM e-mail is one example).
[...]
> Martin Minow
> minow at apple.com

Huh? 'a rather strong tradition of protection of individual privacy'?

In Sweden, for many years you could (and for all I know, still) go to a
public records office and look up all kinds of personal data on anyone,
without restriction - you could, for example, find out your co-workers'
exact salaries if you were curious.

My understanding is that Sweden's position vis-a-vis the Internet has been
particularly clueless, with international email technically a crime, and
government officials who regard modems as criminal tools. I hope things
have improved.

Peter Trei (former resident alien in Sweden)
ptrei at acm.org

From unicorn at schloss.li Tue May 14 15:21:44 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Wed, 15 May 1996 06:21:44 +0800
Subject: Fingerprinting annoyance
In-Reply-To:
Message-ID:

On Mon, 13 May 1996, Paul S. Penrod wrote:

>
>
> On Mon, 13 May 1996, Senator Exon wrote:
>
> > in connection with a character and fitness report i have been
> > asked to supply a review board with a set of my fingerprints
> > i have never been fingerprinted before
> > i am not very keen on the idea now
> > of course refusing will attract suspicion
> > short of getting someone else to put their fingers in ink for
> > me does anyone have a cute method by which to obscure my prints
> > on those cute little cards without it being obvious?
> > i can fill out and manipulate the card myself i just need a
> > working method.
> > is there no privacy advocate who can help me?
> >
>
> First off, if you were born in the US, they have your feet and/or hand
> prints on record.

Incorrect.

Several states do not bother to print infants at birth. Several hospitals
do not bother to follow state guidelines in those states which do so
require.

It is one of the great advantages of the United States that no
standardized procedure for person identification exists. Seals and
certificates vary from jurisdiction to jurisdiction. Cross the border to
a state and a hospital birth announcement is enough for a drivers license,
cross again and 4 pieces and a note from mom isn't enough.

Be careful with disinformation please.

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From unicorn at schloss.li Tue May 14 16:06:09 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Wed, 15 May 1996 07:06:09 +0800
Subject: Fingerprinting annoyance
In-Reply-To:
Message-ID:

On Mon, 13 May 1996, Paul S. Penrod wrote:

>
>
> On Mon, 13 May 1996, Mark O. Aldrich wrote:
>
> > On Mon, 13 May 1996, Senator Exon wrote:
> >
> >
> > > i can fill out and manipulate the card myself i just need a
> > > working method.
> > > is there no privacy advocate who can help me?

[...]

> > If you're forced to do this in person with a tech, you can continuously
> > "fight" the grip they have on your hand and smudge the card. However,
> > they'll not submit the card until the prints are "good," so this sort of
> > betrays your intent of at least appearing to cooperate with them. In the
> > law enforcement community, they are taught how to take prints by force
> > but it's unlikely that your tech will attempt any such technique.
> >
>
> I know of no such instance (other than some informal "fingerprint the
> kiddies for safety" schtick) where it's a do-it-yourself operation.

Not _technically_ perhaps. But in most cases it's a
go-down-to-the-police-station-and-have-them-sign-the-card operation.

Who is it that can tell a random signature from a police signature
exactly? Like I said, standard print cards are available at the GPO.

> While the methods listed are clever, they and many other finaglings are
> the main reason it's done in the "light of day" by a tech.

Or _theoretically_ done in the light of day by a tech.

> > You can mutilate the tips of your fingers so that prints cannot be
> > acquired, but this hurts. Badly.
>
> Doesn't always work. Partials can be extrapolated to yield a relative match.

Depends on what you are looking to do. If your goal is to deter random
searching through a national database, mutilation will probably be very
effective. If they have the prints of the murderer (you) and you're a
suspect, mutilation aside from actually removing the fingers isn't going
to do anything.

> >
> > You could get some false latex coverings for your finger tips, but they'd
> > have to be damn good to fool a tech. Likely to cost big bucks, too.
>
> Won't work. The hands are checked first for signs of tampering.

See above about tech end around.

> >
> > I know of no chemical or physical "pre-treatment" that can be used to
> > hack the ink transference process. Perhaps one of the chemists here on
> > the list might know of some good technique.
>
> Pineapple juice and other weak acidic substances ruin the ridges on the
> finger tips causing them to smear or not show at all. Unfortunately, this
> takes a period of time and constant handling of such items.

This is interesting. I suspect that you'd have to have major damage to
the ridges however.

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From reagle at MIT.EDU Tue May 14 16:13:08 1996
From: reagle at MIT.EDU (Joseph M. Reagle Jr.)
Date: Wed, 15 May 1996 07:13:08 +0800
Subject: (legal) Re: CDA Dispatch #10: Last Day in Court
Message-ID: <9605141430.AA20216@rpcp.mit.edu>

[Regarding ACLU v. Reno]

At 11:08 PM 5/13/96 -0400, Declan B. McCullagh wrote:
> The Philadelphia court is expected to issue a decision by mid-June.
> Both the plaintiffs and the Department of Justice have said they will
> appeal to the Supreme Court, which may decide to hear the case after
> it reconvenes in early October. Assuming the Justice Department loses,
> will they really appeal to the Supreme Court? If so, I object to my
> tax money being wasted on this crap.

Perhaps someone with a better legal understanding of court cases
could help me out. I understood from a law course I took that appeals could
only be filed with respect to process rather than result. One cannot appeal
a decision, rather one has to appeal the manner in which it was reached (if
witnesses were biased, important evidence was suppressed, etc.) I was rather
surprised by this, but obviously this doesn't prevent people from appealing
willy-nilly because they just fabricate some reason why the process was
corrupted.

However, in a venue such as this, what basis can one appeal on? On
the ACLU side I can actually see an appeal with respect to the
constitutionality (but I'm not quite sure what) and on the Reno side I don't
see what they could appeal. Was some evidence poorly presented? It isn't
like there are any witnesses to lead.
_______________________ Regards, Men govern nothing with more difficulty than their tongues, and can moderate their desires more than their words. -Spinoza Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E From unicorn at schloss.li Tue May 14 16:30:57 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 15 May 1996 07:30:57 +0800 Subject: Fingerprinting annoyance In-Reply-To: Message-ID: On Mon, 13 May 1996, Timothy C. May wrote: > At 6:26 PM 5/13/96, Mark O. Aldrich wrote: > >On Mon, 13 May 1996, Senator Exon wrote: > > > > > >> i can fill out and manipulate the card myself i just need a > >> working method. > >> is there no privacy advocate who can help me? > >> > > > >I think most privacy advocates would advise, "Refuse to submit." It > >sounds like you're looking for more of a hack on the fingerprinting process. > > And if you are working for me, and I ask for a fingerprint, and you refuse > or "smear" the results (repeatedly, as the first smearing I may just take > as your token protest and have you printed again), you'll be out the door > by the end of the day. On the other hand, if more subtle doctoring escapes your notice.... > (Personally, I've never worked for a company which demands fingerprints, > but I've worked for companies which demanded ID badges and signatures, and > these are effectively as intrusive. And I suspect that my former employers > are now using thumbprints, and maybe full prints.) I disagree. ID badges and signatures are identification surely, but the manner and process by which fingerprints are collected and used is certainly more intrusive. There is no, for example, national database of signatures or corporate ID cards. 
> Trying to convince a company that photo ID badges and fingerprints are Bad
> Things is perhaps admirable, just realize that in a free society that
> employer is under no obligation to hire someone who refuses to go along
> with the company's security policies. (This relates to the "civil rights"
> thread.)

Which is why clandestine methods are more effective. Sure, the employer can fire you if they find you out, but they have to find you out first. This is why "in your face"ers like Mr. Bell and others tend to fail in their efforts. They take the wrecking ball approach rather than run around the stone in the river.

> >of like a key certificate. If you really can dork the card, have ten
> >different people volunteer one print each. There's no way that they'll
> >ever be able to use that as evidence in a court or for any other purpose,
> >either.
>
> A stupid idea. As the employer, I wouldn't have to prove it in a court of
> law...suspicion alone that some of my employees were fucking up a security
> system might be enough for me to either a. promote them to the Tiger Team,
> or b. fire their asses.

I think the concept was that it should be done in a way so as to reduce attention. 10 dead men's prints (provided none were fugitives) might be an interesting way to go about it. Certainly less obvious than smearing.

> (I just can't understand where this pervasive meme is coming from here on
> this list, the notion that employers are severely limited in what they can
> do to employees unless they can "prove it in court." Like it or not, most
> employees in the United States are still employed "at will," and are not
> covered by employment contracts such as some executives and the like get.)
>
> >If you're forced to do this in person with a tech, you can continuously
> >"fight" the grip they have on your hand and smudge the card. However,
>
> Sure. It makes it easy for the employer to simply say "Next candidate."
Seems to me that the issue here is not getting fired, but what the collected identification information will be used for in future. I consider spoofing prints and other biometric type information legitimate if the motive is to avoid later identification for purposes not related to the employment for which identification was required.

All this "suck it up and get printed" talk has me somewhat disconcerted with the list. Have many here not consistently indicated that privacy is something that must be self assured? Isn't this the list that is so paranoid about what might be done with escrowed keys? Who might bribe the keepers into releasing such information? What might it be used for? What about corporations selling information about employees? How are fingerprints any easier?

One can think of countless examples in history (carefully avoiding Godwin's Law in the process) where once legitimate record keeping and registration was perverted for illicit, even evil use.

I think that unless proper means are taken to safeguard information, social security number, license plates, and fingerprint records included, that the individual is perfectly within rights to take his or her own safeguarding initiatives. Where those methods are not intended to simply evade prosecution, but rather to foil extreme recordkeeping, I believe them legitimate.

> --Tim May

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp.
Counsel: For all your expert testimony needs: jimbell at pacifier.com

From williams at mackinfo.com Tue May 14 17:00:21 1996
From: williams at mackinfo.com (Matthew Williams)
Date: Wed, 15 May 1996 08:00:21 +0800
Subject: Fingerprinting annoyance
Message-ID: <139DC126BB3@server_0.mackinfo.com>

> Date sent: Mon, 13 May 1996 23:19:12 -0400 (EDT)
> From: Black Unicorn

<...>

>
> I compare it to the ease with which one submits a fake social security
> number rather than simply refuse to submit one at all. A fake one won't
> raise any eyebrows, refusal will.

Although knowingly providing a fake social security number when one has any expectation of gain is, I believe, a felony.

42 USC. sec. 408.

Matt

+--------------------------------------------------------------------+
Matthew Williams    williams at mackinfo.com
215-884-8123 voice    215-886-5030 fax
"The most obscene thing I have found on the Internet is the CDA."
+--------------------------------------------------------------------+

From jya at nyc.pipeline.com Tue May 14 18:53:01 1996
From: jya at nyc.pipeline.com (John Young)
Date: Wed, 15 May 1996 09:53:01 +0800
Subject: FAC_ial
Message-ID: <199605141457.OAA26059@pipe2.t1.usa.pipeline.com>

5-14-96. FiTi:

Reports on "Photobook," a "visual intelligence" comp.sys for facial recognition designed by Alex Pentland at MIT's Media Lab to "identify people who use multiple identifications to commit fraud." BT, the US Army, Kodak and Sensormatic are nibbling and the White House is ogling it to "combat terrorism."

Also:

The program could help find missing children, verify identification for electronic purchases and track down on-line pornographers. Although the Big Brother aspect may be troubling to some, to others it will provide comforting security.
FAC_ial

From eric at sac.net Tue May 14 19:25:20 1996
From: eric at sac.net (Eric Hughes)
Date: Wed, 15 May 1996 10:25:20 +0800
Subject: Traffic analysis by FBI against Earth First
Message-ID: <2.2.32.19960514155857.0069bd4c@flamingo.remailer.net>

Remember the phrase "social networks analysis". The FBI seems to use it as a term of art.

I'm right now listening to Judy Bari on the pirate radio station in Berkeley (104.1 FM). She's being interviewed over the telephone and talking about her court case against the FBI relating to the coverup of the bombing that she's being charged for. (It was under her own car seat, for those of you who know nothing about this.)

In any case, there have been depositions and discoveries in this case, and one of the revelations was that there was a document the FBI seized (under circumstances I'm not familiar with) with which they wanted to perform a social networks analysis upon. It was the interviewer's phone and address book.

Eric

From Doug.Hughes at Eng.Auburn.EDU Tue May 14 19:44:35 1996
From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes)
Date: Wed, 15 May 1996 10:44:35 +0800
Subject: Edited Edupage, 9 May 1996
In-Reply-To:
Message-ID:

>
>OK, someone tell me why the END USERS don't pay for this!
>
>If a school wants to be wired, the local school board can pay for it (and
>the local taxpayers can vote for the millage increase). If you don't think
>every five year old needs a net connection (maybe because you are afraid of
>them seeing nekkid ladies, or because you just think teachers should teach
>and not rely on technology to do their jobs for them), you can vote against
>spending the money.
>
>As for subsidizing rural customers, those people made a choice to live in a
>rural area, for whatever reason. I see no reason to subsidize that choice.
>Unless of course they want to pay higher taxes to subsidize the costs for
>my living in the city.
> > Clay > > I wouldn't normally respond to such an offtopic post, but this post is so egregious I couldn't let it pass. Who says they make a choice to live in rural areas? Do they also choose not to have enough money to pay for shoes? So, because they live in a poor district they are not entitled to the same level of education as a rich city suburb? The illiteracy rate in Alabama is 40%! This is just plain sick! I don't think that every school needs a net connection, I think they need better teachers. But the statement that we shouldn't subsidize rural customers because they CHOOSE to live there (even though some are poor and can't afford to live anywhere else) is just plain fallacious. Just because you choose to live in the city does not mean people always choose to live where they live. Education is one thing (perhaps the only thing) that deserves to be subsidized in this country. We're rapidly falling behind. I don't agree with the $10. I'd need convincing that every school needs a net connection when the students can't read, but the tone of the above message is callous, besides being wrong. -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug at eng.auburn.edu Pro is to Con as progress is to congress From tcmay at got.net Tue May 14 19:50:51 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 15 May 1996 10:50:51 +0800 Subject: Nature of Rights Message-ID: At 5:09 AM 5/14/96, Allen Ethridge wrote: >And on another thread, if rights are simply restrictions on the >government and not attributes (inate, even) of the individual, then they >are meaningless. I presume you're speaking about my point.... 
This is generally not the place to have long debates about the nature of government and of civil rights, but it bears mentioning that the Constitution of the United States _is_ primarily about the delineation of the role of government, not of private entities, corporations, clubs, social groups, etc. Thus, "Congress shall make no law regarding the establishment of religion" refers to freedom from coercion by government about religion, and to separation of church and state. It has nothing to do with whether you or I feel our "rights" within the First Unified Temple of Baal are being properly respected. And so on for various other enumerated rights, including the right of free speech, the right to keep and bear arms, the right of free association, and so on. As nearly every argument in this area points out, your right to free speech does not mean you get to use my newspaper, nor my public address system, nor my computer service. The so-called innate or intrinsic rights ("life, liberty, and the pursuit of happiness") are basically bromides. Philosophical arguing points for a view of government as being limited in scope. Converting a slogan like this to assume this means government will guarantee jobs for all, or will provide two cars in every driveway, or whatever, has been fraught with problems. Not the least of which are that such goals are inimical to the actual, enumerated rights. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." 
From tcmay at got.net Tue May 14 20:10:30 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 15 May 1996 11:10:30 +0800 Subject: Civil liberties of employees (Re: FYB_oss) Message-ID: At 7:29 AM 5/14/96, E. ALLEN SMITH wrote: >From: IN%"froomkin at law.miami.edu" "Michael Froomkin" 14-MAY-1996 03:24:06.58 >>Yes and no...and kinda no. > > Umm... you would appear to be discussing the current legal situation, >whereas TCMay was discussing what the situation _should_ be. In the limits >you discuss, the civil liberties of the _employer_ are being seriously >trampled upon. Exactly. As I described in another post last night, this is the point. I've mostly given up on trying to change the existing laws and political system...it is too far down the path de Tocqueville described a century and a half ago (roughly, "America's great experiment with democracy will last only until the populace discovers it can pick the pockets of others at the ballot box."). Strong cryptography at least returns "freedom of association" to us, albeit not with True Names, and may return other freedoms to us as well. By bypassing democracy, the true enemy of liberty. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From maldrich at grci.com Tue May 14 20:27:14 1996 From: maldrich at grci.com (Mark O. Aldrich) Date: Wed, 15 May 1996 11:27:14 +0800 Subject: More involuntary c'punk subscriptions on the way? 
Message-ID: In the May '96 issue of Computer Security Alert, Padgett Peterson provides an explanation of how mail bombing is done. It's on page 3 under the "E-mail Security" column with the headline "Mad Bombers on the Net." In the article, Padgett explains the three "stages" of mail bombing: First is to send ungodly amounts of mail from you to the target, the next is to post something offensive under a forged ID to one or more of the "less ruly" [his words] USENET groups, such as alt.2600 or alt.tasteless [his citations], and the third is to subscribe people to mailing lists against their will using forged e-mail. Naturally, Padgett (bless his twisted little mind) indicates that the most severe results can be achieved by sending forged subscription requests to "the larger listservers such as cypherpunks", that generate in excess of a hundred messages a day. Since hackers and wannabes probably read INFOSEC publications with more zeal than do INFOSEC practitioners, I'd say we're likely to be in for even more of the "I don't want to be on this list" sorts of traffic. And Padgett, next time you get interviewed on mail bombing by the press, why don't you point them to "The KISS Army Mailing List," or something of that sort? ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From tcmay at got.net Tue May 14 20:42:53 1996 From: tcmay at got.net (Timothy C. 
May) Date: Wed, 15 May 1996 11:42:53 +0800 Subject: (legal) Re: CDA Dispatch #10: Last Day in Court Message-ID: At 2:30 PM 5/14/96, Joseph M. Reagle Jr. wrote: > Perhaps someone with a better legal understanding of court cases >could help me out. I understood from a law course I took that appeals could >only be filed with respect to process rather than result. One cannot appeal >a decision, rather one has to appeal the manner in which it was reached (if >witnesses were biased, important evidence was suppressed, etc.) I was rather >surprised by this, but obviously this doesn't prevent people from appealing >willy-nilly because they just fabricate some reason why the process was >corrupted. > > However, in a venue such as this, what basis can one appeal on? On >the ACLU side I can actually see an appeal with respect to the >constitutionality (but I'm not quite sure what) and on the Reno side I don't >see what they could appeal. Was some evidence poorly presented? It isn't >like there are any witnesses to lead. IANALBIGCTV (I am not a lawyer but I get Court TV), but _Constitutional_ issues are always available for appeal (though of course not always accepted for appeal). For instance, if the lowest level of the court system tells a newspaper it may not publish a story, this is automatically appealable to the next level up, even if all sides agree the first trial was a model of proper trial procedure. To a large extent, this is what the Appeals process, including the Supreme Court, is all about. The Supreme Court does more than just clean up sloppy mistakes made by lower courts, it establishes the "basic interpretation" of the Constitution and legislation. In this case, it is the basic constitutionality of the Communications Decency Act itself that is at issue, not the specific application of it to a specific case (and even then, it could be challenged on constitutional issues...in this case, it is going directly through the process to the Supreme Court for review). 
(Another way this case is not like a simple court case is that the government side gets to appeal a loss; in a conventional criminal trial, a la OJ, the government does not get to appeal a loss. I'm sure the lawyers and law professors out there can say more about the distinction, about when and under what circumstances the prosecution side gets "another bite of the apple," and about what the terms of appeals may be.)

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From haystack at cow.net Tue May 14 21:17:39 1996
From: haystack at cow.net (Bovine Remailer)
Date: Wed, 15 May 1996 12:17:39 +0800
Subject: Civil liberties of employees (Re: FYB_oss)
Message-ID: <9605141836.AA01074@cow.net>

[Wildly off-topic...]

Michael Froomkin wrote:
...
>...And there's a lot more
>than skimpy outfits at issue, including a refusal to hire men for what are
>allegedly food service jobs (gender may only be a determination of
>employment if it is a bona fide occupational qualification, e.g. policing
>the showers in the gym; gender is not a BFOQ for food service jobs.)

Being a "Hooters Girl" is not a typical "allegedly food service" job.

[Because it's an election-year] the EEOC dropped the case, but not before Tom Hazlett did an *excellent* piece on it in REASON. _Corporate Rakeovers_, Feb. 1996 p.
66

From jamesd at echeque.com Tue May 14 21:23:15 1996
From: jamesd at echeque.com (jamesd at echeque.com)
Date: Wed, 15 May 1996 12:23:15 +0800
Subject: PRZ /PGP
Message-ID: <199605141831.LAA22230@dns1.noc.best.net>

At 10:57 PM 5/13/96 -0700, Vladimir Z. Nuri wrote:

[Stupid trolling on Reagan and the cold war deleted]

>
> it may also be that Zimmermann has a set of beliefs that he
> champions in front of the public, but that his private ideology
> is more radical.

Zimmermann is in favor of liberty. Some of his ideas about how people can and should deal with each other to avoid violating each others rights are badly mistaken, but one of his ideas about liberty is spot on.

[lots more trolling deleted]

> 4. PRZ has a bad track record as far as meeting deadlines.

No software project has ever come in on schedule or within budget. Yours will not be the first.

[Even more moronic trolling deleted]

---------------------------------------------------------------------
                                      |
We have the right to defend ourselves | http://www.jim.com/jamesd/
and our property, because of the kind |
of animals that we are. True law      | James A. Donald
derives from this right, not from the |
arbitrary power of the state.         | jamesd at echeque.com

From ravage at ssz.com Tue May 14 21:23:56 1996
From: ravage at ssz.com (Jim Choate)
Date: Wed, 15 May 1996 12:23:56 +0800
Subject: Defeating fingerprints
Message-ID: <199605141903.OAA05327@einstein.ssz.com>

Forwarded message:

> With regards to filling in your own card, what about using a disappearing
> ink?? Then your prints would disappear! You could even do your name,
> right in front of them, and it would disappear, leaving these anonymous
> prints behind!!

While the ink does become transparent/translucent I am sure the FBI chem lab won't have a problem finding traces of the chemical. This would make for jim dandy evidence in court.

> Or you could make an inkpad that is damp with sodium hydroxide (lye)
> instead of ink.
That way, you could lightly roll your fingers in it,
> like it was ink, and then wait a minute, and wipe it off. That way, the
> only skin being eaten away, would be the ridges of the fingerprints. Do
> this enough times, and the ridges will end up the same height as the
> valleys, and will then essentially be flat.

Burglars and safecrackers sand the ridges off.

Jim Choate

From hkhenson at netcom.com Tue May 14 21:25:42 1996
From: hkhenson at netcom.com (Keith Henson)
Date: Wed, 15 May 1996 12:25:42 +0800
Subject: crosspost re remailers
Message-ID: <199605141901.MAA02888@netcom.netcom.com>

Sorry to send this in blind. Over a year ago I switched from watching the "munitions" R&D works to being an observer/participant on a small "test war." Once in a while, I send in a report. If you have comments which you want me to see, email them.

Thanks, Keith Henson

*******

Subject: Re: <<< Repost the NOTS everywhere! >>>
Newsgroups: alt.religion.scientology,comp.org.eff.talk,alt.censorship
References: <4ml2cv$c52 at utopia.hacktic.nl> <4mrsf0$esn at news.bridge.net> <4ms9na$l24 at Networking.Stanford.EDU> <4msu79$jdi at news.bridge.net> <4nae9i$bf7 at news2.texas.net>
Organization: NETCOM On-line Communication Services (408 261-4700 guest)
Distribution: inet

Hoyos (hoyos at millenium.texas.net) wrote:
: henry (henri at netcom.com) wrote:
: : >What I find disturbing is certain people who were visibly outraged by
: : >Steven Fishman's "outings" are supportive of the remailer abuse, _as_well_

: : remailer ABUSE? how is it remailer ABUSE to use them for their
: : intended purposes.

: Remailers exist to destroy copyrights? I always thought they were around
: to ensure a certain amount of anonymity, not to permit people to destroy
: copyrights and get away with it.

Hoyos, you *can't* destroy copyright, period. Trade secrets are another matter, and I suppose you can make a case that the ability of a certain powerful cult to extract money or labor from the gullible has been reduced.
I know some of the people who wrote the first cypherpunk remailers. They have been watching the uses to which the remailers have been put. The long drawn out battle between the CoS and the Net has been of as much interest to them as the performance of large guns at the front was to Krupp. I can't speak for all of them--actually, I can't speak for *any* of them, but the ones who have said anything about the recent uses of the remailers do not seem unhappy.

There may be some discussion related to this on the cypherpunks mailing list. But if you sign up, be prepared for a flood.

Keith Henson

Crossposted to cypherpunks

From jay_haines at connaught-usa.com Tue May 14 21:30:20 1996
From: jay_haines at connaught-usa.com (Jay Haines)
Date: Wed, 15 May 1996 12:30:20 +0800
Subject: RSAREF for Mac?
Message-ID:

Subject:                          Time: 1:24 PM
OFFICE MEMO   RSAREF for Mac?     Date: 5/14/96

It seems that I have seen this question asked before, but as I had no need for the answer at that time, I trashed it. So, without further ado:

Can anyone point me in the direction of RSAREF for the Macintosh?

expectantly, (no, i'm not pregnant,)

Jay

From tcmay at got.net Tue May 14 21:39:40 1996
From: tcmay at got.net (Timothy C. May)
Date: Wed, 15 May 1996 12:39:40 +0800
Subject: Fingerprinting annoyance
Message-ID:

At 3:22 PM 5/14/96, Matthew Williams wrote:
>> Date sent: Mon, 13 May 1996 23:19:12 -0400 (EDT)
>> From: Black Unicorn
>
><...>
>
>>
>> I compare it to the ease with which one submits a fake social security
>> number rather than simply refuse to submit one at all. A fake one won't
>> raise any eyebrows, refusal will.
>
>Although knowingly providing a fake social security number when one
>has any expectation of gain is, I believe, a felony.
>
>42 USC. sec. 408.

Indeed. Plus, should one "just make a number up," odds are good that it "won't compute," that is, that it will either collide with an existing number (and identity, and reported income) or that it will fail the checksum/allocation tests.
(That is, not all xxx-yy-zzzz numbers are valid SS numbers. See Chris Hibbert's "Structure of Social Security Numbers" FAQ, at http://snyside.sunnyside.com/cpsr/privacy/ssn/oldSSN/ssn.structure.html for details.)

The IRS imposes penalties for faking SS numbers. (Not to mention the punishment meted out by the Sturmgruppenfuhrers of the SS!)

A simple transposition of two digits may not get you zapped, but a large-scale transposition or outright falsification will. If and when they catch up with you.

I'm all for avoiding taxes, but this is not a cost-effective way to do it.

--Tim

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From SBinkley at atitech.ca Tue May 14 21:39:46 1996
From: SBinkley at atitech.ca (Scott Binkley)
Date: Wed, 15 May 1996 12:39:46 +0800
Subject: Fingerprinting annoyance
In-Reply-To: <84A0994A02502C79@-SMF->
Message-ID: <85A0994A01502C79@-SMF->

With regards to filling in your own card, what about using a disappearing ink?? Then your prints would disappear! You could even do your name, right in front of them, and it would disappear, leaving these anonymous prints behind!!

Or you could make an inkpad that is damp with sodium hydroxide (lye) instead of ink. That way, you could lightly roll your fingers in it, like it was ink, and then wait a minute, and wipe it off. That way, the only skin being eaten away, would be the ridges of the fingerprints. Do this enough times, and the ridges will end up the same height as the valleys, and will then essentially be flat.
Just a thought, but I'd like to hear if anyone would think either ideas would work.

/sb

From sporter at electriciti.com Tue May 14 22:07:33 1996
From: sporter at electriciti.com (Sig Porter)
Date: Wed, 15 May 1996 13:07:33 +0800
Subject: Senator Leahy's Public Key
Message-ID:

> Date: Sun, 5 May 1996 13:23:09 -0400 (EDT)
> From: Black Unicorn
....
> I'll visit his office and ask if he wants his key signed this week.

So?

-------------------------------------
Sig Porter sporter at electriciti.com
finger for pgp key

From maldrich at grci.com Tue May 14 22:08:02 1996
From: maldrich at grci.com (Mark O. Aldrich)
Date: Wed, 15 May 1996 13:08:02 +0800
Subject: Fingerprinting annoyance
In-Reply-To:
Message-ID:

On Mon, 13 May 1996, Timothy C. May wrote:

> At 6:26 PM 5/13/96, Mark O. Aldrich wrote:
> >On Mon, 13 May 1996, Senator Exon wrote:
> >
> >> i can fill out and manipulate the card myself i just need a
> >> working method.
>
> >of like a key certificate. If you really can dork the card, have ten
> >different people volunteer one print each. There's no way that they'll
> >ever be able to use that as evidence in a court or for any other purpose,
> >either.
>
> A stupid idea. As the employer, I wouldn't have to prove it in a court of
> law...suspicion alone that some of my employees were fucking up a security
> system might be enough for me to either a. promote them to the Tiger Team,
> or b. fire their asses.

I think the assertion that Tim is making in regard to an "employer" in the traditional work-at-will sense is correct, but it's not the one I was addressing. If an employer seeks prints and you don't want to give them, then don't work there. If, however, the point of gathering the prints is to record them in the FBI's database, and Senator Exon is worried about later committing a crime and having print records used to identify him, then using the prints of ten different people will muck up such a process.
Senator Exon did not fully explain the situation as to whether or not the certification sought will result in fingerprints simply being _checked_, or if they will be _recorded_ for later use, nor did he specify to which outcome he objects, if not both.

>
> (I just can't understand where this pervasive meme is coming from here on
> this list, the notion that employers are severely limited in what they can
> do to employees unless they can "prove it in court." Like it or not, most
> employees in the United States are still employed "at will," and are not
> covered by employment contracts such as some executives and the like get.)

I think it comes from some of the statutes being placed on employers. The citizens have repeatedly used the legal machine to force employers to have to compete in less than a pure, capitalistic environment. Monitoring employees is one area that's caused some states to pass laws regulating this notion - they have rejected the "if you don't like it, don't take the job" premise you've stated here. Likewise, the minimum wage is a similar legislative action we've taken to stop employers from using a "if you won't work under these conditions, you don't have a job" requisite. The "pure" capitalistic approach would be "if you won't work for $1.00 per hour, take a hike up the street." We've said that this is illegal (at least in most cases), and we force employers to pay every employee at least some arbitrary sum greater than that amount. Thus, the meme may be the simple extrapolation of these ideals into areas over which they do not yet have legal impact.

>
> >If you're forced to do this in person with a tech, you can continuously
> >"fight" the grip they have on your hand and smudge the card. However,
>
> Sure. It makes it easy for the employer to simply say "Next candidate."

Unless they want you badly enough. I've been able to avoid a number of situations because it was not cost effective for them to secure the services of someone less qualified.
Policy is great until it gets in the way of people making money - almost anything can be "waived" if they want you to help them make money, and their greed outweighs their sense of duty to comply with a given so-called "security" policy.

-------------------------------------------------------------------------
| Liberty is truly dead         |Mark Aldrich                           |
| when the slaves are willing   |GRCI INFOSEC Engineering               |
| to forge their own chains.    |maldrich at grci.com                    |
| STOP THE CDA NOW!             |MAldrich at dockmaster.ncsc.mil         |
|_______________________________________________________________________|
|The author is PGP Empowered. Public key at: finger maldrich at grci.com |
|    The opinions expressed herein are strictly those of the author     |
|         and my employer gets no credit for them whatsoever.           |
-------------------------------------------------------------------------

From tcmay at got.net Tue May 14 22:20:32 1996
From: tcmay at got.net (Timothy C. May)
Date: Wed, 15 May 1996 13:20:32 +0800
Subject: Edited Edupage, 9 May 1996
Message-ID:

At 3:57 PM 5/14/96, Doug Hughes wrote:

>I wouldn't normally respond to such an offtopic post, but this post is
>so egregious I couldn't let it pass. Who says they make a choice to live
>in rural areas? Do they also choose not to have enough money to pay
>for shoes? So, because they live in a poor district they are not entitled

Your shoe example is apt. Fact is, we *don't* pay for people's shoes. Why should we pay for their Net access when we don't pay for their shoes, or their food, or their electricity, or their phone bill, or their cable t.v. subscription? Many of these things seem like higher priorities than being able to "surf the Net."

(It is true that we as a society--wrongly in my opinion, but this is another topic--give people various handouts. These handouts can be used to buy things, presumably including a $20/month unlimited access Internet account.)

>to the same level of education as a rich city suburb?
>The illiteracy
>rate in Alabama is 40%! This is just plain sick! I don't think that
>every school needs a net connection, I think they need better teachers. But

"Better teachers"? I doubt this changes anything. Only a cultural change will.

(Why is it that dirt-poor "boat people" who floated into San Francisco Bay on inner tubes had children go from nearly zero English to 99% literacy in less than 5 years? Often in crowded schools, too. Think about it.)

>Education is one thing (perhaps the only thing) that deserves to be
>subsidized in this country. We're rapidly falling behind.

Actually, the subcultures in American society which value learning and achievement are doing extremely well. Hand a motivated kid a book and he'll learn. Hand a gang-banger a book and he'll pull out a gun and kill you for the thrill of it.

As a result, some subcultures are headed for the scrap heap. Think of it as evolution in action.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May               | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA   | knowledge, reputations, information markets,
Licensed Ontologist          | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From Majordomo at c2.org Tue May 14 22:22:38 1996
From: Majordomo at c2.org (Majordomo at c2.org)
Date: Wed, 15 May 1996 13:22:38 +0800
Subject: Welcome to clueless
Message-ID: <199605141836.LAA11869@infinity.c2.org>

--

Welcome to the clueless mailing list!
If you ever want to remove yourself from this mailing list, you can send mail to "Majordomo at c2.org" with the following command in the body of your email message:

    unsubscribe clueless cypherpunks at toad.com

Here's the general information for the list you've subscribed to, in case you don't already have it:

Welcome to clueless!

You have subscribed to the forefront of online unsubscribe education.

The clueless list is dedicated to fostering new and creative unsubscribe methods and promoting passionate and caustic discussion of same. We welcome all manner of discussion on the best ways to unsubscribe from mailing lists and particularly mailing lists to which you have not intentionally subscribed or have grown bored of.

We recognize that unsubscribing is a complicated and involved process, and that often it is much more difficult than subscribing. You are not alone.

HERE'S THE BOTTOM LINE: Mailing lists were founded by interest groups who need a CAPTIVE audience. Making it easy to unsubscribe is not in their interest. They want EVERY SINGLE person they can find to be CORRUPTED by their brainwashing ideas. You're dealing with the SCUM OF THE PLANET. The speed and power of the internet threaten to DESTROY your mind and CRIPPLE your fingers. You need WORLD CLASS unsubscribe powers to protect yourself.

The founder of the list, fed up with the complexity and spelling challenges of unsubscribing, started a small distribution list of like minded individuals in 1981. Meeting in secret and developing their methods covertly, the clueless members grew in size until, in 1994, their ranks were too large to support with a mere pine mailing program. The clueless list was born.

With the advent of the clueless list, attempts to obscure the unsubscribe process are now futile. The elders of the clueless list have perfected the most AMAZING AND EFFECTIVE unsubscribe methods known anywhere in the world.
They are 100% ASSURED to unsubscribe you 100% of the time WITH AMAZING accuracy and speed. The BEST unsubscribing system in the WORLD for FAST learning and ULTRA-CONFIDENCE in the world of mailing lists.

Have faith! You will learn how to unsubscribe quickly. You will learn how any person of any size can unsubscribe from any list with a single e-mail message. We promise. You will not forget how either. Trust us.

FAQ:

What kind of questions should I ask?

Anything that has to do with mailing lists, or any question you may have about e-mail at all. Mostly anything goes. There are several people willing to engage you in discussions on the subject here. The first rule is that there are no stupid questions.

What should I post?

There is only one effective post limitation. Unsubscribe solutions or suggestions that are less than 2 lines long are unwelcome.

Who is the list owner?

The list owner prefers to remain anonymous. Should he or she be identified publicly, the torrents of requests for the release of his or her amazing secret and TOTALLY FOOLPROOF unsubscribe methods would be oppressive.

Good luck, and welcome to the list.

If you are clueless, or you know someone who is, you can get assistance by sending mail to clueless-request at c2.org saying "help".

The "clueless" mailing list is for people who need to learn to read instructions on mailing list managers, and haven't figured out that they can unsubscribe from lists using the same automated list-manager software that they used to subscribe. It's also helpful for people who don't know standard Internet mailing list conventions that "foolist-request" provides information or services for "foolist", or who complain to a mailing list because the listserv/majordomo server wasn't a human and didn't respond to English-language requests. And it's a nice place to meet other clueless people!
For further reference, you can find more information about "RTFM" on the Web from www.altavista.digital.com , www.yahoo.com , and many other fine search engines near you.

From SBinkley at atitech.ca Tue May 14 22:26:17 1996
From: SBinkley at atitech.ca (Scott Binkley)
Date: Wed, 15 May 1996 13:26:17 +0800
Subject: TO ALL MEMBERS
In-Reply-To:
Message-ID: <57A3994A01502C79@-SMF->

-----BEGIN PGP SIGNED MESSAGE-----

In article <199605132111.QAA00205 at silver.niia.net>, Mathew Ellman wrote:

> TO ALL MEMBERS,
> IM TIRED OF ALL THIS SHIT I HAVE UNSUBSCRIBED MANY TIMES AND ALL I
> GET IS SOME STUPID ASS REPLY ABOUT CLOSED LIST OR ADDRESS NOT MATCHING AND I
> GET NO REPLY SO UNLESS YOU ALL WANT TO GET A BUNCH OF UN WANTED BULLSHIT
> (LIKE THE SHIT IM GETING FROM YOU ) I SUGEST SOMEONE FIND A WAY TO GET ME
> THE FUCK OFF THIS LIST . I HAVE GOT IN TOUCH WITH THE PESON THE REPLY TELL
> ME TO AND NO REPLY. IM TIRED OF ALL THIS SHIT.
>
>

To: majordomo at c2.org
Subject: subscribe clueless mellman at niaa.net

subscribe clueless mellman at niaa.net

- --
Alan Bostick                | "The thing is, I've got rhythm but I don't have
mailto:abostick at netcom.com | music, so I guess I could ask for a few more
news:alt.grelb              | things." (overheard)
http://www.alumni.caltech.edu/~abostick

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBMZfKfuVevBgtmhnpAQGHgQMAjE9RlL3Ivsvew2tpuAHUzbWwXRA76gBX
+o2ShOZFYJcxOb0Hw4nimCV+avuulztxJcPecAFimQ12qUOmLTs654I+Iy8tIAYm
uLEtUbs66aghUMHrb01fvclbn2bgX2Hq
=KMy4
-----END PGP SIGNATURE-----

- Send "help" to majordomo at c2.org for information.

From declan+ at CMU.EDU Tue May 14 22:29:25 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Wed, 15 May 1996 13:29:25 +0800
Subject: [NOISE] Re: Notes from the SF Physical Cypherpunks meeting
In-Reply-To: <199605141322.GAA12489@toad.com>
Message-ID:

Excerpts from internet.cypherpunks: 14-May-96 [NOISE] Re: Notes from the ..
by "Peter Trei"@process.com
> My understanding is that Sweden's position vis-a-vis the Internet has
> been particularly clueless, with international email technically a crime,
> and government officials who regard modems as criminal tools.

I have some info on current Swedish legislative proposals at http://www.cs.cmu.edu/~declan/international/

-Declan

From EALLENSMITH at ocelot.Rutgers.EDU Tue May 14 22:49:43 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 15 May 1996 13:49:43 +0800
Subject: Fingerprinting annoyance
Message-ID: <01I4PB3QYPL88Y5E3V@mbcl.rutgers.edu>

From: IN%"unicorn at schloss.li" "Black Unicorn" 14-MAY-1996 13:05:37.99

>On Mon, 13 May 1996, Paul S. Penrod wrote:
>> Pineapple juice and other weak acidic substances ruin the ridges on the
>> finger tips causing them to smear or not show at all. Unfortunately, this
>> takes a period of time and constant handling of such items.

>This is interesting. I suspect that you'd have to have major damage to
>the ridges however.

One idea I've had is dermabrasion of the fingertips. There could be some problems with this, however, in that dermabrasion works best on areas well-supplied with blood vessels and various other healing-promoting characteristics; thus, it is customarily used only on the face. It would be interesting to see if angiogenesis (blood vessel growing) and other growth factors could be used in order to have dermabrasion on other parts of the body without scarring (the normal consequence of using it in other areas); this would have cosmetic as well as identity-related applications. I haven't found any research on this subject on Medline.
-Allen

From ses at tipper.oit.unc.edu Tue May 14 23:29:55 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Wed, 15 May 1996 14:29:55 +0800
Subject: Negative side-effect of the coderpunks split
In-Reply-To:
Message-ID:

Ever since most of the hard crypto content moved to coderpunks, there have been a lot of totally non-crypto political postings that make my skin crawl. In general, the only thing that cypherpunks have in common is a belief that privacy is a good thing, strong cryptography is a good way to improve privacy, and that cryptography with _mandatory_ key escrow is not strong.

Stuff on the CDA yes. Stuff on the CBA no. Use of crypto for on-line tax filing yes. Generic Tax Evadance stuff not really.

I kinda miss the Perrygrams :)

-----
Cause maybe (maybe)                   | In my mind I'm going to Carolina
you're gonna be the one that saves me | - back in Chapel Hill May 16th.
And after all                         | Email address remains unchanged
You're my firewall -                  | ........First in Usenet.........

From SBinkley at atitech.ca Tue May 14 23:40:45 1996
From: SBinkley at atitech.ca (Scott Binkley)
Date: Wed, 15 May 1996 14:40:45 +0800
Subject: [NOISE] Re: Notes from the SF P
In-Reply-To: <81A0994A02502C79@-SMF->
Message-ID: <54A3994A01502C79@-SMF->

> From: minow at apple.com (Martin Minow)
> Subject: Re: Notes from the SF Physical Cypherpunks meeting
[...]
> The Swedish government has a rather strong tradition of protection
> of individual privacy (encrypting COM e-mail is one example).
[...]
> Martin Minow
> minow at apple.com

Huh? 'a rather strong tradition of protection of individual privacy'?

In Sweden, for many years you could (and for all I know, still) go to a public records office and look up all kinds of personal data on anyone, without restriction - you could, for example, find out your co-workers' exact salaries if you were curious.
My understanding is that Sweden's position vis-a-vis the Internet has been particularly clueless, with international email technically a crime, and government officials who regard modems as criminal tools.

I hope things have improved.

Peter Trei (former resident alien in Sweden)
ptrei at acm.org

- Send "help" to majordomo at c2.org for information.

From furballs at netcom.com Tue May 14 23:51:12 1996
From: furballs at netcom.com (Paul S. Penrod)
Date: Wed, 15 May 1996 14:51:12 +0800
Subject: Fingerprinting annoyance
In-Reply-To:
Message-ID:

On Mon, 13 May 1996, Rich Graves wrote:

> On Tue, 14 May 1996, Allen Ethridge wrote:
>
> > I can't speak to the honorable senator Exon's situation, but my brother
> > is being required to provide his fingerprints to prove that he is fit to
> > be the legal guardian of his wife's daughter. And it isn't his wife,
> > currently the sole legal guardian, who is questioning his fitness or
> > demanding his fingerprints.
>
> It's times like those that Jim Bell makes some sense. SOME.
>
> -rich
>

DON'T encourage him... :-)

...Paul

From unicorn at schloss.li Tue May 14 23:55:24 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Wed, 15 May 1996 14:55:24 +0800
Subject: Senator Leahy's Public Key
In-Reply-To:
Message-ID:

On Tue, 14 May 1996, Sig Porter wrote:

> > Date: Sun, 5 May 1996 13:23:09 -0400 (EDT)
> > From: Black Unicorn
> ....
> > I'll visit his office and ask if he wants he key signed this week.
>
> So?

I've been tied up so far. I'll post the list with my results.

> -------------------------------------
> Sig Porter sporter at electriciti.com
> finger for pgp key
>

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed, potestas scientiae in usu est
Franklin might have had to invent him." in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp.
Counsel: For all your expert testimony needs: jimbell at pacifier.com

From nneel at ionet.net Wed May 15 00:14:15 1996
From: nneel at ionet.net (The Steel Wolf)
Date: Wed, 15 May 1996 15:14:15 +0800
Subject: Mailing list
Message-ID: <199605142234.RAA02330@ion3.ionet.net>

I would like to be added to the Cypherpunk mailing list, please.

From ethridge at Onramp.NET Wed May 15 00:25:44 1996
From: ethridge at Onramp.NET (Allen Ethridge)
Date: Wed, 15 May 1996 15:25:44 +0800
Subject: PRZ /PGP
In-Reply-To: <199605140557.WAA02396@netcom22.netcom.com>
Message-ID: <19960514182933135274@central28.onramp.net>

Vladimir wrote:

>
> . . .
>
> 4. PRZ has a bad track record as far as meeting deadlines.
> it is not how his brain works. but this is how business
> works. with public domain software, no one rants at you
> if you don't come out with something when you say you will,
> or even if you don't even say when you are going to be
> ready. but when money is involved, this is the very
> first thing you have to be accountable for, no excuses.

I don't mean to be too rude, but what planet do you live on? Freeware authors are regularly criticized for delays, at least on the Mac newsgroups. And nearly everybody in software development misses deadlines. Where I've worked, us low level grunts (the guys and gals with no rights, 'cause we signed them away in our contracts) make our plans based on the assumption that the schedule will slip. Management always manages to meet the schedule by changing plans at the last minute - lengthening the deadline or removing committed features that didn't make it.

If the software business had to meet deadlines to survive computers would have ceased to exist several years ago.

Would it be unfair of me to assume that the rest of your points regarding PRZ are just as specious?

--
if not me, then who?
mailto:ethridge at onramp.net
http://rampages.onramp.net/~ethridge/

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 15 00:34:01 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 15 May 1996 15:34:01 +0800
Subject: Fingerprinting annoyance
Message-ID: <01I4PAYQGM928Y5E3V@mbcl.rutgers.edu>

From: IN%"unicorn at schloss.li" "Black Unicorn" 14-MAY-1996 12:45:16.88

>It is one of the great advantages of the United States that no
>standardized procedure for person identification exists. Seals and
>certificates vary from jurisdiction to jurisdiction. Cross the border to
>a state and a hospital birth announcement is enough for a drivers license,
>cross again and 4 pieces and a note from mom isn't enough.

Are there any good reference works on how such requirements vary between states? I know Loompanics has some works on the subject of identity, but I don't know how reliable they are.

-Allen

From vznuri at netcom.com Wed May 15 00:43:59 1996
From: vznuri at netcom.com (Vladimir Z. Nuri)
Date: Wed, 15 May 1996 15:43:59 +0800
Subject: mailing list infrastructure
In-Reply-To:
Message-ID: <199605142011.NAA29073@netcom7.netcom.com>

>Since hackers and wannabes probably read INFOSEC publications with more
>zeal than do INFOSEC practitioners, I'd say we're likely to be in for even
>more of the "I don't want to be on this list" sorts of traffic.

the mailing list infrastructure of cyberspace is at an incredibly immature stage of development imho, and this is a good example of its lack of refinement. there is wide open room for improvement and a lot of demand as well imho.

one possible short-term solution is to do the following: have the mailing list send a secret password to the subscription address before starting the list. the person replies with the secret password to confirm they wanted the subscription. it's a tedious two-stage process, but in some cases it may be appropriate.
as far as long-term solutions go, I'd like to see some serious thought about the following problems:

1. how do people avoid getting mail from entities they don't want, but at the same time get mail from entities they do. note this problem is far larger than that of mere mailing lists.

2. how can good cyberspatial forums be constructed that are bulletproof against pranks.

3. how can these forums be integrated with future software such as Netscape to give a good interface to the user.

I think there is room for an enterprising cyberspace company to work on these problems and make a lot of money for succeeding. for example, imagine a system similar to Yahoo that catalogs the massive amounts of email mailing lists out there. "been done"? no, sorry, I don't think so. there is a list by DeSilva or someone that is pretty good, but I think only scratches the surface of public mailing lists. a yahoo-like indexing system merely for "cyberspace mailing lists" I think might be a profitable endeavor to pursue.

another neat thing would be to have a "mailing list manager" built into software. instead of this ridiculous concept of people hand-typing and sending commands to listservers (all of which have different syntaxes and behavior etc.) I would like to see a "mailing list standard". a standard way that a mailing list operates (as far as dealing with headers, errors, subscribing, unsubscribing, etc.). then I would like to see a gui interface that handles all the options. you just see a group somewhere and a button that you press to "subscribe". the software would automatically separate your mailing list traffic into separate folders. it would keep track of what lists you are on, and all you would have to do is look at that list and hit an "unsubscribe" button corresponding to a group you are currently in, whenever you wanted to.
I really think that the above capabilities are going to prove very valuable in the future and are the logical next step in "civilizing cyberspace" after the web and netscape have overtaken the planet.

if I get some positive feedback from this message that others are interested, I might go to the trouble to write up some preliminary ideas on a standard. it really bugs me that this area hasn't been standardized by this point, nor does there seem to be any activity by any groups towards doing so.

From unicorn at schloss.li Wed May 15 00:48:00 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Wed, 15 May 1996 15:48:00 +0800
Subject: Fingerprinting annoyance
In-Reply-To:
Message-ID:

On Tue, 14 May 1996, Timothy C. May wrote:

> At 3:22 PM 5/14/96, Matthew Williams wrote:
> >> Date sent: Mon, 13 May 1996 23:19:12 -0400 (EDT)
> >> From: Black Unicorn
> >
> ><...>
> >
> >>
> >> I compare it to the ease with which one submits a fake social security
> >> number rather than simply refuse to submit one at all. A fake one won't
> >> raise any eyebrows, refusal will.
> >
> >Although knowingly providing a fake social security number when one
> >has any expectation of gain is, I believe, a felony.
> >
> >42 USC. sec. 408.

Note the key provisions, for gain, and when submitted to those entitled to the number legally.

>
> Indeed.
>
> Plus, should one "just make a number up," odds are good that it "won't
> compute," that is, that it will either collide with an existing number (and
> identity, and reported income) or that it will fail the checksum/allocation
> tests.

This is obvious. Some thought has to go into generation, and you correctly point out the key place to look here:

> (That is, not all xxx-yy-zzzz numbers are valid SS numbers. See Chris
> Hibbert's "Structure of Social Security Numbers" FAQ, at
> http://snyside.sunnyside.com/cpsr/privacy/ssn/oldSSN/ssn.structure.html
> for details.)
>
> The IRS imposes penalties for faking SS numbers.
> (Not to mention the
> punishment meted out by the Sturmgruppenfuhrers of the SS!)

We weren't discussing the IRS specifically, but I will address them.

Consider the context I used the social security number example in, that being something which was used for that which it was not originally intended and in which most of the entities who do use them are not legally entitled to demand them. Social security numbers are used so frequently as identification because each person is only supposed to have one, and no two people are to have the same one.

The fact is that one can quite easily survive without ever even having a social security number. A friend of mine was a trust fund kid and never held a job a day in his life. He would file every year and leave the taxpayer identification number blank. He paid all his taxes on trust income and personal investment income etc., but never bothered to fill in the number. The IRS took his checks quite happily and continues to send him a bit of paper every year complaining that he hasn't given them one. I believe it's been running like that for 20 years now.

Another individual I knew sent a completely made up number on his first tax return and just stuck by it for life. Every year he'd get two notices in the mail. I gave him a buzz and he faxed me copies which I now reproduce for you.

Notice 1:

Dear Taxpayer:

Thank you for the information you gave us on June 22, 1975 (The letter is dated 1992) about your name and social security number. However, the information still doesn't agree with that given us by the Social Security Administration.

The Internal Revenue Service can't correct this problem for you. Only the Social Security Administration can issue social security numbers or correct records relating to them.

Please contact the nearest Social Security Administration office. Be sure to take proof of your age and identity. If you are foreign-born, you also must give proof of U.S. citizenship or alien status.
If you are 18 years of age or older and have never had a social security number, you must fill out the application in person.

According to the law, any person who files a return must include an identifying number on it. A social security number is used for this purpose.

If you have questions about this letter, please write us at the above address. If you prefer, you may call the IRS telephone number listed in your local directory. An employee there may be able to help you, but this office is most familiar with your case.

Notice 2:

Dear Taxpayer:

Our records indicate the Social Security number xxx-xx-xxxx (used in filing your return) has also been used by another taxpayer.

Please verify your social security number by sending a copy of your Social Security Card. If you do not have a Social Security card [go get one].

Thank you for your patience and cooperation.

According to him he now has a total of 24 such notices, all nearly exactly alike. Funny, he keeps getting refunds though.

> A simple transposition of two digits may not get you zapped, but a
> large-scale transposition or outright falsification will. If and when they
> catch up with you.

Given the above, I'm not too concerned for my friends.

> I'm all for avoiding taxes, but this is not a cost-effective way to do it.

Looks cost effective to me. Costs about what it does to feed you long enough to throw the junk mail away.

Again, this is all beyond the original point. Even conceding for a moment that the IRS and your bank may be entitled to your social security number 'by law.' Your school, your library, your favorite shop, your local radio shack are not. If they ask for it, which they often do, make something up. Don't be fooled by morons who tell you about the 50 million different people who you are required to surrender your SSN to on demand either. IRS and those entities which must report to the IRS are about the only universally recognized groups which can exert any authority in demanding your SSN.
Some states have provisions requiring it for driver's licenses, others don't care.

The question is not who is entitled to it now, but who is going to get it later and what can you do about it?

> --Tim

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed, potestas scientiae in usu est
Franklin might have had to invent him." in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From eli at UX3.SP.CS.CMU.EDU Wed May 15 00:53:50 1996
From: eli at UX3.SP.CS.CMU.EDU (Eli Brandt)
Date: Wed, 15 May 1996 15:53:50 +0800
Subject: Transitive trust and MLM
In-Reply-To:
Message-ID: <199605142031.NAA19800@toad.com>

> That sounds sincere coming from someone who calls himself "eli+" :-)

Nah, that would be "eli++". Or better, "++eli". Actually, this keeps CMU's overly-clever mail system from delivering my mail to an "Edward Lawrence Immelmann" -- it prefers initials to login names.

> > It's true that you don't need to talk to everybody. The problem is
> > that I might want to talk to people whom I don't know personally, but
> > know by reputation, or by function ("DEA Rat Hotline" -- well, maybe
> > not).
>
> Yes, that is a problem. That problem is one of the reasons that public key
> encryption was invented, actually.

But PK doesn't make the key distribution problem go away. This thread has been about a particular approach to PK key distribution, the web of trust, and how to model its behavior.

> The way to know whether an untrusted key really belongs to someone is to
> wait for the response. Which means don't spill all the beans at once.

Generally insufficient. If someone is going to go to the trouble of a key-substitution attack, they're going to take the time to compose a plausible response. This approach is useful if the intended recipient *is* well-known to you.
--
Eli Brandt
eli+ at cs.cmu.edu

From mccoy at communities.com Wed May 15 01:19:49 1996
From: mccoy at communities.com (Jim McCoy)
Date: Wed, 15 May 1996 16:19:49 +0800
Subject: Rural Datafication (Was Re: Edited Edupage, 9 May 1996)
Message-ID:

Tim May writes:

> At 3:57 PM 5/14/96, Doug Hughes wrote:
>
> >I wouldn't normally respond to such an offtopic post, but this post is
> >so egregious I couldn't let it pass. Who says they make a choice to live
> >in rural areas? Do they also choose not to have enough money to pay
> >for shoes? So, because they live in a poor district they are not entitled
>
> Your shoe example is apt. Fact is, we *don't* pay for people's shoes. Why
> should we pay for their Net access when we don't pay for their shoes, or
> their food, or their electricity, or their phone bill, or their cable t.v.
> subscription? Many of these things seem like higher priorities than being
> able to "surf the Net."

Well, this sort of subsidization is in the grand tradition of the Rural Electrification Act of the new deal era and it seems to have worked out pretty well. The point being that we, as a social group, benefit when everyone has access to certain pieces of the general infrastructure: if everyone has electricity then appliance manufacturers can sell to everyone, etc. This is particularly true when it comes to services like electricity, phones, etc. where it is much easier to wire up the cities than areas with a lower population density.

BTW, while there may have been a decent argument against the electrification act, I think that you are paddling upstream when it comes to net connections. The value of your net connection (or any connection to the net) _increases_ according to the number of people who are connected to the network. Unlike all of the other rural subsidies you pay for as an urban dweller (with the possible exception of the phone subsidy), this is one which has direct benefit to you.
Oh yeah, and you are already subsidizing their phone bill (at least the increased cost of running a line out to them and maintaining that line), and their electricity bill, and satellite TV took care of any need to run cable TV lines out there or else you would also be subsidizing their cable TV by now. So what was your point?

jim

From froomkin at law.miami.edu Wed May 15 01:27:47 1996
From: froomkin at law.miami.edu (Michael Froomkin)
Date: Wed, 15 May 1996 16:27:47 +0800
Subject: (legal) Re: CDA Dispatch #10: Last Day in Court
In-Reply-To: <9605141430.AA20216@rpcp.mit.edu>
Message-ID:

On Tue, 14 May 1996, Joseph M. Reagle Jr. wrote:

> [Regarding ACLU v. Reno]
>
> Perhaps someone with a better legal understanding of court cases
> could help me out. I understood from a law course I took that appeals could
> only be filed with respect to process rather than result. One cannot appeal

False.

> a decision, rather one has to appeal the manner in which it was reached (if
> witnesses were biased, important evidence was suppressed, etc.) I was rather
> surprised by this, but obviously this doesn't prevent people from appealing
> willy-nilly because they just fabricate some reason why the process was
> corrupted.

I have no idea how you got this idea. It is not so. It sounds like a highly garbled version of the rule for the appeal from a **jury verdict**. In such cases you can only appeal the result absent a claim of procedural or substantive legal error if it is so obviously and horribly wrong that no rational jury could possibly have come to that conclusion on the evidence. In a jury trial therefore the usual method of appeal is to find either an error in the procedure or an error of law in the jury instruction, or in the rare case to challenge the law itself as unconstitutional.
None of this, however, applies to the CDA case, which is a direct challenge to the Constitutional validity of the law, and which is being tried before a special three-judge panel of the district court, sitting without a jury, pursuant to the special procedure set out in the bill itself. This procedure is used with some regularity for cases where congress realizes that the validity of the law is likely to be questioned. > > However, in a venue such as this, what basis can one appeal on? On > the ACLU side I can actually see an appeal with respect to the > constitutionality (but I'm not quite sure what) and on the Reno side I don't > see what they could appeal. Was some evidence poorly presented? It isn't > like there are any witnesses to lead. You can appeal directly on the merits. And you do so. The higher court decides all questions of law de novo (ie pays no deference to the decision of the court below beyond whatever persuasive power it may have), but must accept the factual record as presented ("found") by the court below. Thus the importance of the trial testimony at this stage. [I am away from Miami from May 8 to May 28. I will have no Internet connection from May 22 to May 29; intermittent connections before then.] A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm there. From hfinney at shell.portal.com Wed May 15 02:00:21 1996 From: hfinney at shell.portal.com (Hal) Date: Wed, 15 May 1996 17:00:21 +0800 Subject: Why does the state still stand: Message-ID: <199605142335.QAA13553@jobe.shell.portal.com> James Donald writes a very interesting essay but I want to clarify one aspect. Let me quote just the summary: > So guys, that is the plan: We destroy the state through higher mathematics.
> We do this by replacing the current institutional mechanisms of corporations > with cryptographic mechanisms. This will give more people the opportunity > to evade and resist taxes. I think the intention then is to create "fully anonymous" companies. These would be organizations whose principals and employees are known only by pseudonyms, even to each other. Their only contact is electronic, via an anonymous network. And the employees are paid in anonymous ecash, which they don't pay taxes on since it is unreported income. These companies produce products or services which they offer for sale across the net. They accept payment in ecash, either from end users or from other companies. Such companies would be illegal, with everyone involved subject to criminal penalties for tax evasion (and no doubt a myriad of other violations). But because the anonymity is protected cryptographically, the government is helpless to learn the true identities of anyone involved. The companies continue to successfully sell their products and services, advertising and recruiting openly from anonymous sources, and there is nothing the government can do about it. This is, I think, the model we have been talking about for several years on this list. There are obvious and non-obvious problems which many people have brought up over the years. It is still not clear to me that it can really work in this form. Still it will be interesting to see when someone actually tries to do this, to see how it works. James mentioned the issue of groupware to allow these people to coordinate their efforts. That is an interesting aspect that we haven't considered much. One trend which may be relevant is the increase in telecommuting. Once people are accustomed to working mostly from home, interacting with co-workers and management by email, they would be good candidates for recruitment by the anonymous firm. 
It might be interesting to make a list of all the problems people can think of why this idea won't work, paired with proposed solutions and workarounds - sort of a mini FAQ for this important (some might say ultimate) cypherpunk model. Hal From tcmay at got.net Wed May 15 02:33:43 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 15 May 1996 17:33:43 +0800 Subject: Rural Datafication (Was Re: Edited Edupage, 9 May 1996) Message-ID: At 1:27 AM GMT 5/15/96, Jim McCoy wrote: >BTW, while there may have been a decent argument against the electrification >act, I think that you are paddling upstream when it comes to net connections. >The value of your net connection (or any connection to the net) _increases_ >according to the number of people who are connected to the network. Unlike Au contraire! Speaking for myself, the value of _my_ net connection has been going _down_ these past few years as more yahoos (TM of The Yahoo Corporation) got connected and as congestion clogged the networks. So, on this basis alone I am opposed to the "Rural Datafication" public works project! But seriously, Internet connections are already quite cheap. We've had this debate a couple of times before here on Cypherpunks, and each time many of us remain unconvinced that something like Net connections, which are so well-handled by private enterprise and which depend so heavily on technological innovation, are best handled by a socialized effort. There are deep reasons why such government-led programs tend to freeze progress...this is a longstanding debate topic in many forums, so I won't argue this point right now. ... >Oh yeah, and you are already subsidizing their phone bill (at least the >increased cost of running a line out to them and maintaining that line), and >their electricity bill, and satellite TV took care of any need to run cable >TV lines out there or else you would also be subsidizing their cable TV by >now. So what was your point? 
In point of fact, whether or not these things (electricity, phones) *are* in fact being subsidized by urban dwellers (and there is some doubt that this is the case, as it's frequently _much_ cheaper to string electrical and phone lines in rural areas than in congested urban areas), this is no reason to socialize Internet connections. (And my local ISP is certainly not being taxed to pay for lines in Mendota and East Gittyup, and I won't vote for any scheme which taxes _me_ to subsidize those locales.) Socializing Net connections would likely have various bad side effects, such as freezing the state of development of certain services. (And socializing access also plays into the hands of those who seek "democratic control" of content, always a bad thing.) By not socializing the deployment of Net connections, the eventual (and ever-evolving) solutions can be cleaner and better than if the deployment is done by government action, or with government complicity. Look at cable t.v. for an example of how local community government sought "universal access" by granting franchises for universal connections and forcing cable companies to provide service to uneconomical areas. The result is that most community cable systems are very limited, with a decaying infrastructure and heavy price regulation. (I should remind readers that a "Datification" program also implies rate regulation, endless hearings before rate increases are granted, and so forth. Before deregulation of several industries, this was how things happened. In cable t.v., it still happens this way.) A consequence is that many customers leapfrog right over local cable and go directly for satellite dishes. While the local community cable systems and their government partners could (and did) keep out other cable competitors, this became less and less possible with satellite dishes. Zoning laws were used to limit BUDs (Big Ugly Dishes, the big 8-foot and larger C-band dishes). 
But as the Ku-band dishes (mentioned favorably in my 1988 Crypto Anarchist Manifesto, interestingly enough) became available, even the most restrictive zoning ordinances became unenforceable....dishes could be in attics, on balconies, even covered with fake boulders! The cable companies and "community access" advocates are having conniption fits. (This is having yet another interesting side effect: the wealthy who can afford digital DSS dishes are suddenly very uninterested in local cable problems, and the impetus for improvement is lost. Obviously the "poor" are then left with a decaying, outmoded infrastructure. Even as a Darwinian, I have to feel for them. They got sold a bill of goods, about how awarding "the franchise" to TCI or Sonic or Galactronic Cable would result in "universal access," and now they're stuck.) In my own case, I skipped cable and installed a DSS dish...150 or more channels, at least 20 movies on at any given time (not even counting the Pay Per View movies, of which there are at least 30-40), financial news, CNN, etc. Plus, a digital output connector for (Real Soon Now, they claim) a PageSat-type Usenet and Web page feed, using phone links for the back link. I submit this as an example of where the free market is providing a better solution than "community access cable" did. In fact, the socialization of cable held cable back. I don't want "Rural Datification" when there is no compelling need, and a lot of free market alternatives emerging. I doubt many farmers or Montana cabin dwellers want it either. --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. 
May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From ethridge at Onramp.NET Wed May 15 02:37:02 1996 From: ethridge at Onramp.NET (Allen Ethridge) Date: Wed, 15 May 1996 17:37:02 +0800 Subject: Nature of Rights In-Reply-To: Message-ID: <199605142259371109420@lbj15.onramp.net> Tim May wrote: > At 5:09 AM 5/14/96, Allen Ethridge wrote: > >And on another thread, if rights are simply restrictions on the > >government and not attributes (innate, even) of the individual, then they > >are meaningless. > I presume you're speaking about my point.... Yes. > This is generally not the place to have long debates about the nature of > government and of civil rights, . . . Yes. > . . . > As nearly every argument in this area points out, your right to free speech > does not mean you get to use my newspaper, nor my public address system, > nor my computer service. > The so-called innate or intrinsic rights ("life, liberty, and the pursuit > of happiness") are basically bromides. Philosophical arguing points for a > view of government as being limited in scope. > Converting a slogan like this to assume this means government will > guarantee jobs for all, or will provide two cars in every driveway, or > whatever, has been fraught with problems. Not the least of which are that > such goals are inimical to the actual, enumerated rights. Nice straw men, but not quite to the point. I was thinking more along the lines of the often overlooked 9th and 10th Amendments. And, as you mentioned in another post, I was discussing the way things should be, not the way they are. -- if not me, then who? 
mailto:ethridge at onramp.net http://rampages.onramp.net/~ethridge/ From EALLENSMITH at ocelot.Rutgers.EDU Wed May 15 03:30:32 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 15 May 1996 18:30:32 +0800 Subject: Rural Datafication (Was Re: Edited Edupage, 9 May 1996) Message-ID: <01I4PSMZ91SW8Y5ADD@mbcl.rutgers.edu> From: IN%"mccoy at communities.com" 15-MAY-1996 00:55:57.23 >BTW, while there may have been a decent argument against the electrification >act, I think that you are paddling upstream when it comes to net connections. >The value of your net connection (or any connection to the net) _increases_ >according to the number of people who are connected to the network. Unlike >all of the other rural subsidies you pay for as an urban dweller (with the >possible exception of the phone subsidy), this is one which has direct benefit >to you. If it was a direct benefit, we'd choose it freely without being drafted by the use of phone bills. Look at Juno et al - that's a circumstance in which interconnection is taking place via the free market. Moreover, you're assuming that there's some reason that I _want_ to be connected to those with insufficient education, etcetera to move out of the rural areas we're talking about. I know these places; I grew up in a town surrounded by hillbillies (Middlesboro, KY). Believe me, I have no desire to have further contact with them - via the net or any other method. >Oh yeah, and you are already subsidizing their phone bill (at least the >increased cost of running a line out to them and maintaining that line), and >their electricity bill, and satellite TV took care of any need to run cable >TV lines out there or else you would also be subsidizing their cable TV by >now. So what was your point? 
My tax dollars (and that's what the proposed phone bill changes are in many ways - they're government requirements for people to pay money) are also paying for a lot of other things I don't approve of, such as the drug war. This isn't a reason to fund more of it. -Allen From jf_avon at citenet.net Wed May 15 03:32:10 1996 From: jf_avon at citenet.net (Jean-Francois Avon) Date: Wed, 15 May 1996 18:32:10 +0800 Subject: Edited Edupage, 9 May 1996 Message-ID: <9605150233.AA20633@cti02.citenet.net> On 14 May 96 at 10:57, Doug Hughes wrote: > I wouldn't normally respond to such an offtopic post, but this post > is so egregious I couldn't let it pass. You should have... > Who says they make a choice > to live in rural areas? Why? Were they lobotomized? > Do they also choose not to have enough money > to pay for shoes? You got to choose to do what is needed to live a better life. And most of them ain't doing what it takes. > So, because they live in a poor district they are > not entitled to the same level of education as a rich city suburb? > The illiteracy rate in Alabama is 40%! This is just plain sick! When I was a kid, everything that had characters printed on it was readable. Who is *preventing* them from reading? > But the statement that we shouldn't subsidize > rural customers because they CHOOSE to live there (even though some > are poor and can't afford to live anywhere else) is just plain > fallacious. Please, substantiate your claims with in-context arguments. > Just because you choose to live in the city does not > mean people always choose to live where they live. Who cast their feet in concrete blocks? > Education is one > thing (perhaps the only thing) that deserves to be subsidized in > this country. I think that it should not be subsidized. If you feel like subsidising education, then by all means, do it. But why should you stick a gun in my back to do the same? What if I do not want to do the same as you? 
> the tone of > the above message is callous, besides being wrong. In *my* opinion, it is right on the money. But if you can stand reality, then I understand why you rant... BTW, I do not understand the "logics" that want to bring everybody down because some individuals are down. This is a system that punishes achievement for being achievement and values meekness for itself. A total, anti-life aberration. JFA The damn collectivists, those with the psycho-epistemology of a leech and lamprey, be absolutely damned! DePompadour, Societe d'Importation Ltee Limoges porcelain, Silverware and mouth blown crystal glasses JFA Technologies, R&D consultants. Physicists, technologists and engineers. PGP keys at: http://w3.citenet.net/users/jf_avon ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891 Unsolicited commercial e-mail will be proofread at US165 $/h Any sender of such material will be considered as to have accepted the above mentioned terms. From perry at piermont.com Wed May 15 03:33:24 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 15 May 1996 18:33:24 +0800 Subject: Negative side-effect of the coderpunks split In-Reply-To: Message-ID: <199605150443.AAA00194@jekyll.piermont.com> Simon Spero writes: > Ever since most of the hard crypto content moved to coderpunks, there have > been a lot of totally non-crypto political postings that make my skin > crawl. [...] > I kinda miss the Perrygrams :) Well, there aren't going to be any more of them. Lots of people complained. "You're a fascist" they said. "We can post whatever we want, and you can't stop us. Nya Nya Nya." The intellectual level of the counterarguments was more or less that possessed by six year olds, but it didn't matter -- they not only claimed their right to piss in the communal coffee pot if they wanted to, but they went on to exercise this right. Well, now they all get to drink it. 
Some of the people who couldn't help but take a leak in the well whenever they passed it by got upset that coderpunks drew off all the crypto talk. Well, actually, there was no crypto talk left. It would have been nice to keep one list, but some people insisted on exercising their right to be stupid in public over and over again and it got to be too much. It used to be that I turned to cypherpunks first to get news of breaking cryptography policy interest and breaking cryptography information. Now there doesn't seem to be anyone left here who gives a damn about cryptography -- even big news like MD5 getting nuked doesn't make it above the noise levels. I'm expecting that I'll unsubscribe from this thalidomide parody of a cryptography mailing list within a few weeks. Perhaps I'll start an alternative place to discuss cryptography policy that explicitly has the policy of tossing off people who want to post irrelevancies. I suppose then the rest of the crowd can just turn the filters up or whatever it is claimed one is supposed to do to find something worth reading in the cesspit. Perry From EALLENSMITH at ocelot.Rutgers.EDU Wed May 15 03:42:49 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 15 May 1996 18:42:49 +0800 Subject: Fingerprinting annoyance Message-ID: <01I4POL8JRWW8Y5EB6@mbcl.rutgers.edu> From: IN%"unicorn at schloss.li" "Black Unicorn" 14-MAY-1996 13:21:35.36 >All this "suck it up and get printed" talk has me somewhat disconcerted >with the list. Have many here not consistently indicated that privacy is >something that must be self assured? In most cases, such invasions of privacy are voluntary on the employee's part - because he/she chose to be employed there. There are some cases in which the employee doesn't have much other choice: A. The employer is required by the government to collect this information. 
Such requirements can be direct (laws to do this or else) or indirect (laws to do this or not get government contracts - rather like Clinton's attempt to force contractors to give in to all union demands by forbidding replacement workers). B. The employer is a monopsonic or oligopsonic buyer of the services that the employee can practically provide. While an oligopsonic or monopsonic corporation (including a group of employers that has decided to all follow one policy on such cases) isn't a full-scale government, it's still got enough power to qualify for limits in my book. C. The employer is a government, and thus shouldn't be allowed to go beyond the minimal necessary intrusion to do its job of protecting individual choices. >I think that unless proper means are taken to safeguard information, >social security number, license plates, and fingerprint records included, >that the individual is perfectly within rights to take his or her own >safeguarding initiatives. Social security numbers and license plates are forced upon one by a government. One did not choose to have these pieces of identification; these are therefore exceptions to the above rule. >Where those methods are not intended to simply evade prosecution, but >rather to foil extreme recordkeeping, I believe them legitimate. I would hope that you would also count evading illegitimate prosecution (drug laws, censorship laws, et al) as legitimate uses of them. I would. -Allen From reagle at mit.edu Wed May 15 03:51:47 1996 From: reagle at mit.edu (Joseph M. Reagle Jr.) Date: Wed, 15 May 1996 18:51:47 +0800 Subject: (legal) Re: CDA Dispatch #10: Last Day in Court Message-ID: <9605150217.AA26984@rpcp.mit.edu> At 06:06 PM 5/14/96 -0400, you wrote: >You can appeal directly on the merits. And you do so. 
The higher court >decides all questions of law de novo (ie pays no deference to the >decision of the court below beyond whatever persuasive power it may >have), but must accept the factual record as presented ("found") by the >court below. Thus the importance of the trial testimony at this stage. Ok, thank you for clarifying that. One question regarding the "de novo," if a lower court decides to restrict its ruling to a specific aspect of the case ("indecency") can the higher court broaden the scope of its ruling, or must its ruling be with specific regards to the scope of the lower court. (I don't know if the appeal can be on the basis of the scope.) BTW: This is what a lawyer/professor was able to tell me. As you can see I was thinking of a garbled version of a jury trial: I'm not familiar with the case, so I cannot speak to its specifics, however here is the general concept of appeals in the U.S. Courts: At the trial of any case there are two categories of issues to be resolved--those called "factual" issues and those called "legal" issues. Only legal issues are subject to appeal in a higher court. If there is a jury trial, the "facts" are what the jury decides (including, en route to their decision, which witnesses to believe) and this is called the verdict. The verdict per se is not subject to appeal. The "law" is what the judge decides, and can include matters of procedure as well as matters of substance. Typically these are decisions about what evidence to admit, what instructions to give to the jury, what motions to grant or deny, etc. All of this is subject to appeal. If the appeal necessitates a new trial, the new jury starts over with new testimony, and reaches its own conclusion on the facts--but this is not really an "appeal" of the first jury's verdict. If there is no jury at the first trial, the trial judge wears both hats, finding the facts and making conclusions of law--but keeping these decisions separate in his or her opinion. 
Only the judge's conclusions of law in such trials are subject to appeal. _______________________ Regards, Men govern nothing with more difficulty than their tongues, and can moderate their desires more than their words. -Spinoza Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E
From shabbir at vtw.org Wed May 15 04:00:39 1996 From: shabbir at vtw.org (Voters Telecommunications Watch) Date: Wed, 15 May 1996 19:00:39 +0800 Subject: (ALERT) Senators who introduce new crypto bill need support (5/14/96) Message-ID: <199605150201.WAA20600@panix3.panix.com>

========================================================================
Campaign for Secure Communications Online                   May 13, 1996

BI-PARTISAN SENATORS INTRODUCE NEW CRYPTO BILL
S.1726 PROMISES TO FREE ENCRYPTION FROM COLD WAR REGULATORY STRANGLEHOLD

Please widely redistribute this document with this banner intact
until June 15, 1996
________________________________________________________________________
CONTENTS
        The Latest News
        What You Can Do Now
        Crypto Factoid
        Chronology of Crypto Export Liberalization Bill
        For More Information
________________________________________________________________________
THE LATEST NEWS

In an effort to improve privacy and security on the Internet, a bi-partisan group of legislators recently introduced a bill to encourage the widespread availability of strong, easy-to-use encryption technologies.

The bill, known as the Promotion of Commerce Online in the Digital Era (Pro-CODE) act of 1996 (S. 1726), would relax Cold War era export controls which have constrained the development and use of strong privacy and security technologies.

Encryption is one of the technologies that will allow us to visualize a secure Internet, an Internet useful for conducting all sorts of private business from communicating with one's doctor, loved one, or spouse, to checking one's bank balance.
S.1726 is sponsored by Senators Burns (R-MT), Leahy (D-VT), Pressler (R-SD), Wyden (D-OR), Ashcroft (R-MO), Dole (R-KS), Faircloth (R-NC), McCain (R-AZ), and Murray (D-WA).

The Pro-CODE Act resolves to:

1. Allow for the *unrestricted* export of "mass-market" or "public-domain" encryption programs, including such products as Pretty Good Privacy and popular World Wide Web browsers.

2. Requires the Secretary of Commerce to allow the less restricted export of other encryption technologies if products of similar strength are generally available outside the United States, roughly up to DES strength.

3. Prohibits the federal government from imposing mandatory key-escrow encryption policies on the domestic market and limiting the authority of the Secretary of Commerce to set standards for encryption products.

A copy of the legislation can be found at each of the WWW sites listed at the bottom in the "For More Information" Section.
________________________________________________________________________
WHAT YOU CAN DO NOW

As more and more people come online, the need for - and lack of - strong privacy and security is becoming increasingly critical. This legislation represents an important step towards ensuring that the Internet develops into a secure, trusted medium for political, commercial, and private speech.

The co-sponsors of S. 1726 have taken a political risk and are challenging the White House, the NSA (National Security Agency), and the FBI (Federal Bureau of Investigation) in a policy battle to protect your privacy. They need your support.

Please familiarize yourself with the bill (pointers to background information are listed below), and then take a moment to call, write, or fax the sponsors of the bill and thank them for their leadership on this issue.

1. Call/Fax/Email Senate sponsors and thank them

   P ST Name and Address           Phone           Fax
   = == ========================   ==============  ==============
   R MT Burns, Conrad R.           1-202-224-2644  1-202-224-8594
          conrad_burns at burns.senate.gov
   D VT Leahy, Patrick J.          1-202-224-4242  1-202-224-3595
          senator_leahy at leahy.senate.gov
   R SD Pressler, Larry            1-202-224-5842  1-202-224-1259
          larry_pressler at pressler.senate.gov
   D OR Wyden, Ron                 1-202-224-5244  1-202-228-2717
   R MO Ashcroft, John             1-202-224-6154  na
          john_ashcroft at ashcroft.senate.gov
   R KS Dole, Robert               1-202-224-6521  1-202-228-1245
   R NC Faircloth, D. M.           1-202-224-3154  1-202-224-7406
          senator at faircloth.senate.gov
   R AZ McCain, John               1-202-224-2235  1-202-224-2862
          senator_mccain at mccain.senate.gov
   D WA Murray, Patty              1-202-224-2621  1-202-224-0238
          senator_murray at murray.senate.gov

2. Use sample communication

   SAMPLE PHONE CALL

   You:
   Sen:Hello, Senator Mojo's office!
   You:Hi, I'd like to thank the Senator for helping to introduce legislation to lift the export controls on encryption. I won't use Clipper and don't think there's enough strong encryption on the Internet to protect my messages. Strong, non-Clipper encryption is needed to secure communications with my doctor, bank, spouse, and attorney.
   Sen:Ok, thanks!

3. Let VTW know what sort of response you got

   Just drop us a line at vtw at vtw.org and let us know how your phone call went!

4. Forward this to your friends and colleagues.

   Unlike the debate over free speech, many netizens still do not know much about the issues of security and privacy on the Internet. Take the time to explain to a friend why security on the Internet is important.
________________________________________________________________________
CRYPTO FACTOID

According to a 1993 study of encryption products worldwide, there are 193 products in 18 countries overseas that are sold with DES-strength encryption built into them. American companies and American programmers are today restricted from selling products with DES-strength encryption to the overseas market, or even distributing them domestically on the Internet.
It is becoming extremely difficult for American companies to compete in the global market against competitors who do not labor under such restrictions.

Source: Joint study with Dr. Lance Hoffman, Trusted Information Systems (http://www.tis.com), and the Software Publishers Association (http://www.spa.org). Study updated December 1995 and is available at http://www.tis.com/crypto/survey.html.
________________________________________________________________________
CHRONOLOGY OF THE 1996 CRYPTO BILLS

5/2/96  Bi-partisan group of Senators introduce Pro-CODE Act, which would free public-domain encryption software (such as PGP) for export, free much commercial encryption for export, and reduce the government's ability to push Clipper proposals down the throats of an unwilling public. Original sponsors include: Senators Burns (R-MT), Dole (R-KS), Faircloth (R-NC), Leahy (D-VT), Murray (D-WA), Pressler (R-SD), and Wyden (D-OR).

3/5/96  Sen. Leahy (D-VT) and Rep. Goodlatte (R-VA) announce encryption bills (S.1587/H.R.3011) that significantly relax export restrictions on products with encryption functionality in them, as well as free public domain software such as PGP (Pretty Good Privacy).
________________________________________________________________________
FOR MORE INFORMATION

There are many excellent resources online to get up to speed on crypto including the following WWW sites:

        www.privacy.org
        www.crypto.com
        www.eff.org
        www.cdt.org
        www.epic.org
        www.vtw.org

Please visit them often.

Several organizations are working hard to support your right to have access to strong, effective encryption. We have all collaborated on this alert, funneling it through a single editor. Please address any press queries DIRECTLY to the organizations directly. The editors *do not* speak for the coalition as a whole.
Here is an alphabetical list of the coalition members:

        American Civil Liberties Union
        Center for Democracy and Technology
        Computer Professionals for Social Responsibility
        Electronic Frontier Foundation
        Electronic Privacy Information Center
        HotWired / Wired Magazine
        People for the American Way
        *Voters Telecommunications Watch

        *Editors
________________________________________________________________________
End alert
========================================================================
From snow at smoke.suba.com Wed May 15 04:03:24 1996 From: snow at smoke.suba.com (snow) Date: Wed, 15 May 1996 19:03:24 +0800 Subject: Fingerprinting annoyance In-Reply-To: Message-ID: On Mon, 13 May 1996, Mark O. Aldrich wrote: > On Mon, 13 May 1996, Senator Exon wrote: > > i can fill out and manipulate the card myself i just need a > > working method. > > is there no privacy advocate who can help me? > > You can mutilate the tips of your fingers so that prints cannot be > acquired, but this hurts. Badly. I thought Old School bank robbers used sand paper to remove their prints before a "job". Would this mung the prints enough? Petro, Christopher C. petro at suba.com snow at crash.suba.com From llurch at networking.stanford.edu Wed May 15 04:03:26 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 15 May 1996 19:03:26 +0800 Subject: crosspost re remailers In-Reply-To: <199605141901.MAA02888@netcom.netcom.com> Message-ID: On Tue, 14 May 1996, Keith Henson wrote: > was to Krup. I can't speak for all of them--actually, I can't speak > for *any* of them, but the ones who have said anything about the > recent uses of the remailers do not seem unhappy. There may be > some discussion related to this on the cypherpunks mailing list. Actually, there hasn't really been any discussion on cypherpunks, which I find a little surprising. I'd have thought that a remailer going down because of political/legal pressure would raise more of a ruckus. 
People seem jaded, but I'm not sure why. I posted a half dozen articles to comp.org.eff.talk, more to stimulate discussion than to argue a position. We trolled up a statement from Hal Finney to the effect that remailers might need to be restricted in order to save them -- which I found to be rather provocative, but nobody said anything. Anybody? -rich From sameer at c2.org Wed May 15 04:09:35 1996 From: sameer at c2.org (sameer at c2.org) Date: Wed, 15 May 1996 19:09:35 +0800 Subject: crosspost re remailers In-Reply-To: Message-ID: <199605150639.XAA08616@atropos.c2.org> > anything. Anybody? > I'm still waiting for my subpoena. I feel like a failure without it. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From blancw at accessone.com Wed May 15 04:10:14 1996 From: blancw at accessone.com (blanc) Date: Wed, 15 May 1996 19:10:14 +0800 Subject: Why does the state still stand: Message-ID: <01BB41E0.DE17C4C0@blancw.accessone.com> From: Hal [on the idea of companies operating fully anonymously] It might be interesting to make a list of all the problems people can think of why this idea won't work, paired with proposed solutions and workarounds - sort of a mini FAQ for this important (some might say ultimate) cypherpunk model. ..................................................................... I think this is a much needed discussion - in particular as it comes at a time when Uni is is "somewhat disconcerted" at the defeatist attitude of some cypherpunks and since TCMay is getting ready to read us the Cypherpunks Bill of Rights regarding the subsidizatoin of other's people's cyber existence (heh). 3 problems which immediately come to mind: . What if someone, hired on one occasion but fired at another, decides in anger to "turn coat" and report everyone to the IRS (or other fine government agency)? . 
What if a company does not pay as expected - other than adopting Assassination Politics, what method could an employee use towards getting their expected remuneration for work done? . Wouldn't everyone need to have two jobs (or source of regularly accepted cash), in order to be able to pay for services where suppliers do not accept virtual cash transactions? (TCM has mentioned before about the need to pay for some things in tiny quantities - like quarters for a phone call, etc.) .. Blanc From jimbell at pacifier.com Wed May 15 04:14:05 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 15 May 1996 19:14:05 +0800 Subject: Why does the state still stand: Message-ID: <199605150503.WAA23902@pacifier.com> At 04:35 PM 5/14/96 -0700, Hal wrote: >I think the intention then is to create "fully anonymous" companies. >These would be organizations whose principals and employees are known >only by pseudonyms, even to each other. Their only contact is >electronic, via an anonymous network. And the employees are paid in >anonymous ecash, which they don't pay taxes on since it is unreported >income. > >These companies produce products or services which they offer for sale >across the net. They accept payment in ecash, either from end users or >from other companies. > >Such companies would be illegal, with everyone involved subject to >criminal penalties for tax evasion (and no doubt a myriad of other >violations). But because the anonymity is protected cryptographically, >the government is helpless to learn the true identities of anyone >involved. The companies continue to successfully sell their products >and services, advertising and recruiting openly from anonymous sources, >and there is nothing the government can do about it. The goal, obviously, is to make the cost of collection of $1 in taxes sufficiently expensive so that they can't do it economically. But let me draw an analogy: The easiest form of shooting is paper target practice: The target is fixed. 
More difficult is trap and skeet, where the target moves. More difficult still is hunting, where the target (animals) is at least somewhat intelligent and usually very mobile, as well as camouflaged. This is analogous to encryption. But the most difficult form of shooting is war, in which the "target" can shoot back. If a computer model could be constructed of it, I think you'd find that the most effective way to avoid taxation is to invest money to target those doing the collection. In fact, I'll go so far as to say that it would probably cost less than 10 cents to prevent the collection of $1 worth of tax, and probably closer to a penny. Any analysis of the destruction of the state is incomplete without considering such a scenario. Jim Bell jimbell at pacifier.com From sameer at c2.org Wed May 15 04:31:47 1996 From: sameer at c2.org (sameer at c2.org) Date: Wed, 15 May 1996 19:31:47 +0800 Subject: PRZ /PGP In-Reply-To: <19960514182933135274@central28.onramp.net> Message-ID: <199605150636.XAA08535@atropos.c2.org> > Freeware authors are regularly criticized for delays, at least > on the Mac newsgroups. And nearly everybody in software development > misses deadlines. Where I've worked, us low level grunts (the guys and I'm sorry, but if you're getting paid for work, then it should be delivered on time (or close to on time). Whether or not the work you getting paid to do is going to be distributed for free or not is beside the point. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. 
FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net

From qut at netcom.com Wed May 15 04:35:57 1996
From: qut at netcom.com (Be Good) Date: Wed, 15 May 1996 19:35:57 +0800 Subject: Defeating fingerprints In-Reply-To: <199605141903.OAA05327@einstein.ssz.com> Message-ID: <199605150643.XAA24223@netcom16.netcom.com>

> Forwarded message:
>
> > With regards to filling in your own card, what about using a disappearing
> > ink?? Then your prints would disappear! You could even do your name,
> > right in front of them, and it would disappear, leaving these anonymous
> > prints behind!!
>
> While the ink does become transparent/translucent I am sure the FBI chem
> lab won't have a problem finding traces of the chemical. This would make for
> jim dandy evidence in court.
>
> > Or you could make an inkpad that is damp with sodium hydroxide (lye)
> > instead of ink. That way, you could lightly roll your fingers in it,
> > like it was ink, and then wait a minute, and wipe it off. That way, the
> > only skin being eaten away, would be the ridges of the fingerprints. Do
> > this enough times, and the ridges will end up the same height as the
> > valleys, and will then essentially be flat.

Won't work. Regular old soda lye is not really that corrosive to the skin. I've handled plain lye many times and only hurts a little if a grain gets up my fingernail.

> Burglars and safecrackers sand the ridges off.

This sounds like it'd work, but quite tedious.
> Jim Choate -- God grant me the serenity to accept the things I cannot change, the courage to change the things I can, and the wisdom to know the difference From alanh at infi.net Wed May 15 04:44:22 1996 From: alanh at infi.net (Alan Horowitz) Date: Wed, 15 May 1996 19:44:22 +0800 Subject: mailing list infrastructure In-Reply-To: <199605142011.NAA29073@netcom7.netcom.com> Message-ID: << Secret password sent by listserv, scheme >> This is how it is done in the Philippines. From erc at dal1820.computek.net Wed May 15 04:45:54 1996 From: erc at dal1820.computek.net (Ed Carp) Date: Wed, 15 May 1996 19:45:54 +0800 Subject: Why does the state still stand: In-Reply-To: <199605150503.WAA23902@pacifier.com> Message-ID: <199605150545.BAA23645@dal1820.computek.net> > doing the collection. In fact, I'll go so far as to say that it would > probably cost less than 10 cents to prevent the collection of $1 worth of > tax, and probably closer to a penny. Any analysis of the destruction of the > state is incomplete without considering such a scenario. That's why terrorism is so effective. It only takes a few pounds of Sentex or C-4 to produce millions of dollars of damage. It only takes the T's getting lucky *once* - we have to be lucky *all the time*. Now, take that scenario and turn it around. It only takes a little effort to frustrate the IRS, the FBI, or whoever your target happens to be. The problem, however, is twofold - (1) the government will play mind games on the rest of the population to make you look like a terrorist, or whatever turns the populace against you, and (2) the government tends to use a sledgehammer to crack a walnut. They don't care what kind of collateral damage they inflict (witness Waco and Ruby Ridge) as long as they can make their point. 
-- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes The mark of a good conspiracy theory is its untestability. -- Andrew Spring From jimbell at pacifier.com Wed May 15 04:52:42 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 15 May 1996 19:52:42 +0800 Subject: Past one terabit/second on fiber Message-ID: <199605150618.XAA28824@pacifier.com> In the April 1996 issue of Fiber Optic Product news, there is an article on a Lucent Technologies (formerly Bell Labs...no relation...sigh...) product which wavelength-multiplexes quantity 8, 2.5 Gb/second signals on a single fiber, for a total of 20 Gb/sec. This is a real, purchaseable system. On the same page is a somewhat more experimental system, done by Corning and Siemens, in which eight channels at 10 Gb/sec each were transmitted on a single Corning fiber. "Wow", I said. Far faster than the 2.5 Gb/sec transmission that is currently fairly standard for long-haul fiber trunks. I wasn't prepared, however, for page 38, in an article titled "Research Teams Achieve 1 Trillion bits a Second." In fact, three separate groups did this. I copy the article below. CP relevance? Well, the justification the government uses to regulate the airwaves, via the FCC, is that the available bandwidth is limited, which it is. But that argument has never been true with fiber, at least in theory, and is becoming even less true in practice. 
For example, that recent flap over Internet-based long-distance telephone interconnects (LD companies don't want competition) is based on the fact that the normal providers of these services want to get their dime a minute rates come hell or high water. Sure, that's a might cheaper than it was a decade ago. But with fiber transmission probably less than 1/100th the cost of older coaxial transmission systems, per connection, it is unclear why they're even continuing to meter LD phone calls. Even if we only consider that 20 Gb/second fiber from Lucent, that is equivalent to about 300,000 simultaneous voice calls. With a standard, 36-fiber cable, that represents 18x300,000 two-way calls, or about 4.8 million calls. This is probably far greater than the maximum number of people on LD in the US at any given time, and that's just a single cable trunk. If we assume that the fiber cable costs $1/meter per fiber, and the cost of trenching, burial, and interconnects raise this to $10/meter/fiber, and if we generously assume that the average LD call goes 3000 miles (5,000,000m), that call occupies 1/150,000th of a $50 million fiber for a few minutes. If we suppose that the fiber has to gross $100,000,000 per year to pay for itself, and even if it's only operating at an average 10% load level(both assumptions are pessimistic, that only works out to a cost of 1.3 cents per minute per call. That's why these LD phone companies are so scared: If we can transmit Internet on fiber, that fiber can accept this extra traffic at very low marginal cost. Part of article follows: "Research teams Achieve 1 Trillion bits a second" Debra Norman, Editor in Chief. Three research teams achieved their ultimate goal by sending the most information possible over optical fiber. 
The scientists, including a 12-member group from AT&T Research, Bell Laboratories, Lucent Technologies, reported in post-deadline papers at the Optical Fiber Conference held recently in San Jose, Calif., that they had sent one terabit of information over non-zero-dispersion fiber in a second's time. In short, it is similar to transmitting the contents of 1,000 copies of a 30-volume encyclopedia in one second. The researchers had not expected to send that much data until at least the year 2000.

In the paper, the group described a 1 Tb/s transmission experiment that utilized WDM [wavelength division multiplexing] and polarization multiplexing. The outputs of 25 lasers were multiplexed using star couplers and waveguide grating routers. The wavelengths ranged from 1542 nm (channel 1) to 1561.2 nm (channel 25) with 100 GHz channel spacing. All lasers were external-cavity lasers except for channel 16, which used a DFB laser. Four of the laser outputs (channels 10, 11, 17, and 25) were amplified and filtered before multiplexing. The multiplexed wavelengths were then amplified and propagated through a polarization beamsplitter to align all the polarizations. Polarization controllers at the output of each laser allowed independent polarization control for each source. The 25 co-polarized wavelengths were split by a 3-dB coupler, separately modulated by LiNbO3 Mach-Zehnder modulators, and then recombined with orthogonal polarizations in a PBS. The modulators have a small-signal bandwidth of 18 GHz and built-in polarizers. The 20 Gb/s NRZ drive signals were produced by electronically multiplexing two 10-Gb/s 2^15-1 pseudorandom bit streams using a commercial GaAs multiplexer.

Two other groups from Japan, Fujitsu and Nippon Telephone and Telegraph Co., also submitted papers reporting that they reached the terabit mark. All three groups achieved the record with different experiments.
Scientists from NTT demonstrated 100 Gb/s x 10 channel (1 Tb/s), error-free transmission of all the 10 channels over a 40 km dispersion-shifted fiber using a low-noise single supercontinuum WDM source fitted with a newly developed arrayed-waveguide grating demultiplexer/multiplexer. By fully utilizing the super-broad bandwidth of the SC spectra over 200 nm, up to 5 Tb/s would be possible. Fujitsu researchers achieved 1.1 Tb/s (55 wavelengths x 20 Gb/s) WDM transmission over 150 km of 1.3 mm [?] zero-dispersion singlemode fiber using preemphasis and dispersion compensating fiber with a negative dispersion slope. BER [bit error rate] degradation was not observed in any channel, even without channel-by-channel dispersion adjustment. [end of quoted portion] Jim Bell jimbell at pacifier.com From qut at netcom.com Wed May 15 04:58:36 1996 From: qut at netcom.com (Be Good) Date: Wed, 15 May 1996 19:58:36 +0800 Subject: SEVERE undercapacity, we need more remailer servers FAST In-Reply-To: Message-ID: <199605150708.AAA26485@netcom16.netcom.com> > On Tue, 14 May 1996, Keith Henson wrote: > > > was to Krup. I can't speak for all of them--actually, I can't speak > > for *any* of them, but the ones who have said anything about the > > recent uses of the remailers do not seem unhappy. There may be > > some discussion related to this on the cypherpunks mailing list. > > Actually, there hasn't really been any discussion on cypherpunks, which I > find a little surprising. I'd have thought that a remailer going down > because of political/legal pressure would raise more of a ruckus. People > seem jaded, but I'm not sure why. > > I posted a half dozen articles to comp.org.eff.talk, more to stimulate > discussion than to argue a position. We trolled up a statement from Hal > Finney to the effect that remailers might need to be restricted in order > to save them -- which I found to be rather provocative, but nobody said > anything. Anybody? 
The remailer capacity is quite underdone, there aren't really that many remailer servers out there. Only TWO servers outside the US. Only ONE server making direct posts to netnews. And what, two or three nym servers? Obviously this is severe undercapacity and we need to start up MUCH more servers and FAST, ESPECIALLY in foreign countries. IMHO, trying to make it more user friendly to use remailers is pointless considering the limited number of servers to use. I'm CLUELESS about this stuff, I'd love to help, at least by distributing code and exact instructions to make it as easy as possible to encourage clueless types to start it up. So what is the expense of setting up a full-featured server like hacktic? Mr. Graves should start up a new server, and tcmay is rich, so he has no excuse.

-- God grant me the serenity to accept the things I cannot change, the courage to change the things I can, and the wisdom to know the difference

From carboy at carboy.com Wed May 15 05:54:40 1996
From: carboy at carboy.com (Michael E. Carboy) Date: Wed, 15 May 1996 20:54:40 +0800 Subject: PGPShell & Eudora Message-ID: <2.2.32.19960515052506.00683f54@mail.hooked.net>

While trying to solve a corrupted clearsig problem with Eudora 2.2 and PGPShell, I noticed comments in the c-punks archives on this same problem. I wanted to pass on that Aegis Research's PGPShell "Beta4" version solves the problem and does "preprocess" the message before signing so that Eudora won't wreck it. The shell can be downloaded at http://aegisrc.com. It is self-extracting and, if installed in your existing PGPShell directory will create a subdirectory named "Pretty~1" (no, I am not kidding) and then install the new .exe there.

Regards, MEC Michael E.
Carboy carboy at hooked.net carboy at carboy.com Key fingerprint = C9 E9 79 12 43 76 A2 DB 1A 72 FD 04 F2 03 6F 8A From ddt at lsd.com Wed May 15 07:22:15 1996 From: ddt at lsd.com (Dave Del Torto) Date: Wed, 15 May 1996 22:22:15 +0800 Subject: [NOISE] Unsub Kit Message-ID: Grin-noise of the Day. Typos are (sic) as found. Reply-noise to me, not the list (please). Don't forget to rinse and repeat. dave ................................. cut here ................................. From: KJ Fisher > someonme get me off this fucking mailing list First, ask your Internet Provider to mail you an Unsubscribing Kit. Then follow these directions. The kit will most likely be the standard no-fault type. Depending on requirements, System A and/or System B can be used. When operating System A, depress lever and a plastic dalkron unsubscriber will be dispensed through the slot immediately underneath. When you have fastened the adhesive lip, attach connection marked by the large "X" outlet hose. Twist the silver- coloured ring one inch below the connection point until you feel it lock. The kit is now ready for use. The Cin-Eliminator is activated by the small switch on the lip. When securing, twist the ring back to its initial condition, so that the two orange lines meet. Disconnect. Place the dalkron unsubscriber in the vacuum receptacle to the rear. Activate by pressing the blue button.
The controls for System B are located on the opposite side. The red release switch places the Cin-Eliminator into position; it can be adjusted manually up or down by pressing the blue manual release button. The opening is self- adjusting. To secure after use, press the green button, which simultaneously activates the evaporator and returns the Cin-Eliminator to its storage position. You may log off if the green exit light is on over the evaporator . If the red light is illuminated, one of the Cin-Eliminator requirements has not been properly implemented. Press the "List Guy" call button on the right of the evaporator . He will secure all facilities from his control panel. To use the Auto-Unsub, first undress and place all your clothes in the clothes rack. Put on the velcro slippers located in the cabinet immediately below. Enter the shower, taking the entire kit with you. On the control panel to your upper right upon entering you will see a "Shower seal" button. Press to activate. A green light will then be illuminated immediately below. On the intensity knob, select the desired setting. Now depress the Auto-Unsub activation lever. Bathe normally. The Auto-Unsub will automatically go off after three minutes unless you activate the "Manual off" override switch by flipping it up. When you are ready to leave, press the blue "Shower seal" release button. The door will open and you may leave. Please remove the velcro slippers and place them in their container. If you prefer the ultrasonic log-off mode, press the indicated blue button. When the twin panels open, pull forward by rings A & B. The knob to the left, just below the blue light, has three settings, low, medium or high. For normal use, the medium setting is suggested. After these settings have been made, you can activate the device by switching to the "ON" position the clearly marked red switch. 
If during the unsubscribing operation, you wish to change the settings, place the "manual off" override switch in the "OFF" position. You may now make the change and repeat the cycle. When the green exit light goes on, you may log off and have lunch. Please close the door behind you. From EALLENSMITH at ocelot.Rutgers.EDU Wed May 15 07:23:56 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 15 May 1996 22:23:56 +0800 Subject: Java & signed applets Message-ID: <01I4PWRN40EO8Y5DM8@mbcl.rutgers.edu> This has some mention of signed applets et al, so I thought it was applicable. -Allen From: IN%"rre at weber.ucsd.edu" 11-MAY-1996 23:06:27.24 From: Phil Agre =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help at weber.ucsd.edu =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: Sat, 11 May 1996 15:59:13 -0400 (EDT) From: "Home Page Press, Inc." To: staff at hpp.com Subject: JAVA BLACK WIDOWS - SUN DECLARES WAR JAVA BLACK WIDOWS - SUN DECLARES WAR Sun Microsystems' has declared war on Black Widow Java applets on the Web. This is the message from Sun in response to an extensive Online Business Consultant (OBC/May 96) investigation into Java security. OBC's investigation and report was prompted after renowned academics, scientists and hackers announced Java applets downloaded from the WWW presented grave security risks for users. Java Black Widow applets are hostile, malicious traps set by cyberthugs out to snare surfing prey, using Java as their technology. 
OBC received a deluge of letters asking for facts after OBC announced a group of scientists from Princeton University, Drew Dean, Edward Felten and Dan Wallach, published a paper declaring "The Java system in its current form cannot easily be made secure." The paper can be retrieved at http://www.cs.princeton.edu/sip/pub/secure96.html. Further probing by OBC found that innocent surfers on the Web who download Java applets into Netscape's Navigator and Sun's HotJava browser, risk having "hostile" applets interfere with their computers (consuming RAM and CPU cycles). It was also discovered applets could connect to a third party on the Internet and, without the PC owner's knowledge, upload sensitive information from the user's computer. Even the most sophisticated firewalls can be penetrated . . . "because the attack is launched from behind the firewall," said the Princeton scientists. One reader said, "I had no idea that it was possible to stumble on Web sites that could launch an attack on a browser." Another said, "If this is allowed to get out of hand it will drive people away from the Web. Sun must allay fears." The response to the Home Page Press hostile applet survey led to the analogy of Black Widow; that the Web was a dangerous place where "black widows" lurked to snare innocent surfers. As a result the Princeton group and OBC recommended users should "switch off" Java support in their Netscape Navigator browsers. OBC felt that Sun and Netscape had still to come clean on the security issues. But according to Netscape's Product Manager, Platform, Steve Thomas, "Netscape wishes to make it clear that all known security problems with the Navigator Java and JavaScript environment are fixed in Navigator version 2.02." However, to date, Netscape has not answered OBC's direct questions regarding a patch for its earlier versions of Navigator that supported Java . . . the equivalent of a product recall in the 3D world. 
Netscape admits that flaws in its browsers from version 2.00 upwards were related to the Java security problems, but these browsers are still in use and can be bought from stores such as CompUSA and Cosco. A floor manager at CompUSA, who asked not to be named, said "it's news to him that we are selling defective software. The Navigator walks off our floor at $34 a pop."

OBC advised Netscape the defective software was still selling at software outlets around the world and asked Netscape what action was going to be taken in this regard. Netscape has come under fire recently for its policy of not releasing patches to software defects; but rather forcing users to download new versions. Users report this task to be a huge waste of time and resources because each download consists of several Mbytes. As such defective Navigators don't get patched.

OBC also interviewed Sun's JavaSoft security guru, Ms. Marianne Mueller, who said "we are taking security very seriously and working on it very hard." Mueller said the tenet that Java had to be re-written from scratch or scrapped "is an oversimplification of the challenge of running executable content safely on the web. Security is hard and subtle, and trying to build a secure "sandbox" [paradigm] for running untrusted downloaded applets on the web is hard."

Ms. Mueller says Sun, together with their JavaSoft (Sun's Java division) partners, have proposed a "sandbox model" for security in which "we define a set of policies that restrict what applets can and cannot do---these are the boundaries of the sandbox. We implement boundary checks---when an applet tries to cross the boundary, we check whether or not it's allowed to. If it's allowed to, then the applet is allowed on its way. If not, the system throws a security exception.

"The 'deciding whether or not to allow the boundary to be crossed' is the research area that I believe the Princeton people are working on," said Mueller.

"One way to allow applets additional flexibility is if the applet is signed (for example, has a digital signature so that the identity of the applet's distributor can be verified via a Certificate Authority) then allow the applet more flexibility.

"There are two approaches: One approach is to let the signed applet do anything. A second approach is to do something more complex and more subtle, and only allow the applet particular specified capabilities. Expressing and granting capabilities can be done in a variety of ways.

"Denial of service is traditionally considered one of the hardest security problems, from a practical point of view. As [Java's creator] James Gosling says, it's hard to tell the difference between an MPEG decompressor and a hostile applet that consumes too many resources! But recognizing the difficulty of the problem is not the same as 'passing the buck.' We are working on ways to better monitor and control the use (or abuse) of resources by Java classes. We could try to enforce some resource limits, for example. These are things we are investigating.

"In addition, we could put mechanisms in place so that user interface people (like people who do Web browsers) could add 'applet monitors' so that browser users could at least see what is running in their browser, and kill off stray applets. This kind of user interface friendliness (letting a user kill off an applet) is only useful if the applet hasn't already grabbed all the resources, of course."

The experts don't believe that the problem of black widows and hostile applets is going to go away in a hurry. In fact it may get worse. The hackers believe that when Microsoft releases Internet Explorer 3.00 with support for Java, Visual Basic scripting and the added power of its ActiveX technology, the security problem will become worse.

"There is opportunity for abuse, and it will become an enormous problem," said Stephen Cobb, Director of Special Projects for the National Computer Security Association (NCSA). "For example, OLE technology from Microsoft [ActiveX] has even deeper access to a computer than Java does."

JavaSoft's security guru Mueller agreed on the abuse issue: "It's going to be a process of education for people to understand the difference between a rude applet, and a serious security bug, and a theoretical security bug, and an inconsequential security-related bug. In the case of hostile applets, people will learn about nasty/rude applet pages, and those pages won't be visited. I understand that new users of the Web often feel they don't know where they're going when they point and click, but people do get a good feel for how it works, pretty quickly, and I actually think most users of the Web can deal with the knowledge that not every page on the web is necessarily one they'd want to visit. Security on the web in some sense isn't all that different from security in ordinary life. At some level, common sense does come into play.

"Many people feel that Java is a good tool for building more secure applications. I like to say that Java raises the bar for security on the Internet. We're trying to do something that is not necessarily easy, but that doesn't mean it isn't worth trying to do. In fact it may be worth trying to do because it isn't easy. People are interested in seeing the software industry evolve towards more robust software---that's the feedback I get from folks on the Net."

# # #

The report above may be reprinted with credit provided as follows: Home Page Press, Inc., http://www.hpp.com and Online Business Consultant

Please refer to the HPP Web site for additional information about Java and OBC.

===========================================================
Home Page Press, Inc.
http://www.hpp.com home of Go.Fetch
Free TEXT version - Online Business Today email: obt.text at hpp.com
Free PDF version - Online Business Today email: obt.pdf at hpp.com
OBC / Online Business Consultant, $595/year email: obc at hpp.com

From rah at shipwright.com Wed May 15 10:34:35 1996
From: rah at shipwright.com (Robert Hettinga) Date: Thu, 16 May 1996 01:34:35 +0800 Subject: Leaflet for First Monday Message-ID:

--- begin forwarded text

Date: Wed, 15 May 1996 12:32:45 +0200 (METDST) From: Erik Barfoed Subject: Leaflet for First Monday To: tony durham, robert hettinga, ed krol, bonnie nardi, ian peter, rich wiggins, vint cerf, Ed Valauskas, Esther Dyson, Rishab Aiyer Ghosh MIME-Version: 1.0

Dear Everybody

Once again I forward you the plain text version of the First Monday leaflet, which I kindly urge you to distribute.

Best regards
Pernille Hammels| Editor Journals Division e-mail: journals at inet.uni-c.dk

Content-Type: TEXT/PLAIN; charset=US-ASCII; name="fmleaf.txt" Content-ID: Content-Description: Leaflet for First Monday

CALL FOR PAPERS

Editor-in-Chief
Edward J. Valauskas, Internet Mechanics, Chicago, IL, USA (valauskas at firstmonday.dk)

Consulting Editor
Esther Dyson, EDventure Holdings, New York, NY, USA (dyson at firstmonday.dk)

International Editor
Rishab Aiyer Ghosh, The Indian Techonomist, New Delhi, India (ghosh at firstmonday.dk)

Editorial Board
Vinton G. Cerf, Senior Vice-President at MCI
Tony Durham, The Times Higher Education Supplement, UK
Robert A. Hettinga, Shipwright Development Corp., USA
Ed Krol, University of Illinois, USA
Bonnie Nardi, Apple Computer, USA
Ian Peter, Ian Peter and Associates, Cathsworth Island, Australia
Rich Wiggins, Michigan State University, USA

First Monday is a peer-reviewed journal on the Internet - about the Internet.
This scientific journal expands the frontiers of academic publishing by combining the traditional values of peer-reviewing and strict quality control with a new way of publishing on the World Wide Web. Aim and Scope The aim of First Monday is to publish original articles about the Internet and the Global Information Infrastructure. First Monday will: - follow the political and regulatory regimes affecting the Internet - examine the use of the Internet on a global scale, by analyzing economic, technical, and social factors - analyze research and development of Internet software and hardware - study the use of the Internet in specific communities - report on standards - discuss the content of the Internet First Monday will appear in three formats 1. Monthly Mail from a Mail Server First Monday will appear first of all as an electronic mail posting from the First Monday listserver. This issue of First Monday will be sent to the subscribers on the first Monday of every month as an ASCII text file. It will include all the articles of each issue and pointers to information resources located at various Web, Gopher, and other sites. 2. Web Site This is the place where subscribers - and newcomers - can read about the journal, learn how to subscribe, read previously published articles, and submit manuscripts and other materials for publication. This Web Site will also provide access to objects and files that are part of the articles. These objects and files can be downloaded. All back issues of First Monday will also be available for downloading. 3. Annual CD-ROM First Monday will also appear as an annual CD-ROM, containing all articles published in a given year. This CD-ROM will be offered at a low price to subscribers at the end of the year. Will paper versions be available? First Monday is an experiment in electronic publishing, exploring the possibilities of communicating in this Internet medium.
At the insistence of subscribers, we can offer printing, but only on-demand. Process The flow of a typical article, from author to publication: - An author is contacted by an Editor to write an article, or - An author submits an article to an Editor by electronic mail. The article is forwarded by electronic mail to the Editorial Office in Chicago. - The Editorial Office starts the peer-review process by forwarding the article to reviewers by electronic mail. The Editorial Office is responsible for tracking the article, handling comments from editors and reviewers to authors, editing, and creating a final accepted article. - This initial peer-reviewing process is private. - Articles that are accepted for publication are distributed to all subscribers in the monthly mail, and posted on the First Monday Web Site. The Web Site version of the article is likely to contain objects (illustrations, programs, and other digital items) that are not included in the monthly mailing of the plain ASCII text. - All articles published in First Monday will be included in an annual archival CD-ROM. This CD-ROM will be offered to subscribers at a low price. How to submit articles To submit an article to First Monday, simply send it by electronic mail to the Editorial Office (Edward J. Valauskas), valauskas at firstmonday.dk. Preference will be given to articles which take advantage of the Internet, using graphics, programs, HTML features and components, and other features not possible in print. The text of the article (exclusive of any other objects like pictures, tables et cetera) should not exceed 30.000 characters. Format The manuscript must be in its final form, as a plain ASCII text, suited for distribution in the monthly e-mail. If an Internet resource is cited, just type in the URL. Manuscripts can be marked up in HTML, as long as the tags are recognizable by most popular Web browsers.
Non-text objects, like pictures, programs, spreadsheets, audio files, and full motion video files, can be part of an article. These non-text objects must be forwarded as binary files to the Editorial Office. Non-text should conform to well established de facto standards on the net: PDF, GIF, JPEG et cetera. Priority will be given to particular items of a high scientific standard, and articles with a relevant timeframe can be published at short notice as a rapid publication. Only original papers written in English will be considered for publication. Copyright Authors submitting a paper to First Monday automatically agree to assign copyright to Munksgaard International Publishers if and when the manuscript is accepted for publication. The articles published in First Monday are protected by copyright, which covers translation rights and the right to reproduce and distribute all of the articles in the journal. Authors submitting a paper to First Monday do so in the understanding that online publishing on the Internet is a new opportunity and challenge, but also a step into a new territory, where authors and publishers do not always have the means to protect against unauthorized copying or editing of copyright protected works. --- end forwarded text ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From rah at shipwright.com Wed May 15 14:07:20 1996 From: rah at shipwright.com (Robert Hettinga) Date: Thu, 16 May 1996 05:07:20 +0800 Subject: DCSB: The FSTC Electronic Check Project Message-ID: Notice the corrected reservation deadline date (now June 1st, 1996) :-) Sorry about that...
Cheers, Bob Hettinga -----BEGIN PGP SIGNED MESSAGE----- The Digital Commerce Society of Boston Presents Frank Jaffe, of The Bank of Boston and The Financial Services Technology Consortium (FSTC) "The FSTC Electronic Check Project" Tuesday, June 4, 1996 12 - 2 PM The Downtown Harvard Club of Boston One Federal Street, Boston, MA Frank Jaffe is a Senior Systems Consultant in the Applied Technology Group at the Bank of Boston. Frank is currently the project manager for the FSTC Electronic Check project which involves over 30 companies. Frank has played a leadership role in planning the amalgamation of Bank of Boston's five major retail computer systems into a single, common software system; acting as project leader for a new teller system, and leading the screen phone R&D project in cooperation with Northern Telecom and Bellcore. The FSTC Electronic Check project will develop an enhanced all-electronic replacement to the paper check. Electronic checks will be used like paper checks, by businesses and consumers, and will use existing inter-bank clearing systems. Like its paper counterpart, the Electronic Check represents a self contained "information object," which has all of the information necessary to complete a payment. Likewise, paper checkbooks are replaced by portable Electronic Checkbooks; pens & signatures are replaced by signature card functions and digital signatures using advanced cryptographic techniques; stamps and envelopes by electronic mail or other communications options such as the World Wide Web over the Internet. The fully automated processing capabilities of Electronic Checks opens the possibility of other types of financial instruments, such as electronic cashiers, travelers, and certified checks. 
Electronic check writing and processing will be integrated into existing applications, from cash registers to personal checkbook managers to large corporate accounting systems, to greatly increase the convenience, and reduce the costs, of writing, accepting, and processing checks. This meeting of the Digital Commerce Society of Boston will be held on Tuesday, June 4, 1996 from 12pm - 2pm at the Downtown Branch of the Harvard Club of Boston, One Federal Street. The price for lunch is $27.50. This price includes lunch, room rental, and the speaker's lunch. ;-). The Harvard Club *does* have dress code: jackets and ties for men, and "appropriate business attire" for women. We need to receive a company check, or money order, (or if we *really* know you, a personal check) payable to "The Harvard Club of Boston", by Saturday, June 1, or you won't be on the list for lunch. Checks payable to anyone else but The Harvard Club of Boston will have to be sent back. Checks should be sent to Robert Hettinga, 44 Farquhar Street, Boston, Massachusetts, 02131. Again, they *must* be made payable to "The Harvard Club of Boston". If anyone has questions, or has a problem with these arrangements (We've had to work with glacial A/P departments more than once, for instance), please let us know via e-mail, and we'll see if we can work something out. Planned speakers for the following few months are: July Pete Loshin Author, "Electronic Commerce" August Duane Hewitt Idea Futures We are actively searching for future speakers. If you are in Boston on the first Tuesday of the month, and you would like to make a presentation to the Society, please send e-mail to the DCSB Program Commmittee, care of Robert Hettinga, rah at shipwright.com . For more information about the Digital Commerce Society of Boston, send "info dcsb" in the body of a message to majordomo at ai.mit.edu . 
If you want to subscribe to the DCSB e-mail list, send "subscribe dcsb" in the body of a message to majordomo at ai.mit.edu . Looking forward to seeing you there! Cheers, Robert Hettinga Moderator, The Digital Commerce Society of Boston -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMZnOlvgyLN8bw6ZVAQEm8gP/deJ/J0ncmiUTJo82jeGMRp38q+8u+/LH zUZ3dgOCXFM9Nldni/EM0nKiRAgPJTqlcGkrE6Q44s2+ZSPtTiop2Tbx+3xoCW9t zTeKoLoTLgcS7LYS1b/VpcJqN9+q7gGxqmyAd88yZei+i4ZHw6kUGB6MyeHMPq+t CSrEOkkikXE= =SWUd -----END PGP SIGNATURE----- ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From daemon at anon.penet.fi Wed May 15 14:15:15 1996 From: daemon at anon.penet.fi (daemon at anon.penet.fi) Date: Thu, 16 May 1996 05:15:15 +0800 Subject: Anonymous password assignment failure (no password) Message-ID: <9605151414.AA26451@anon.penet.fi> You have requested the assignment of a new password However, your message text didn't contain any password. Remember that passwords should only contain letters and numbers. From droelke at rdxsunhost.aud.alcatel.com Wed May 15 14:30:39 1996 From: droelke at rdxsunhost.aud.alcatel.com (Daniel R. Oelke) Date: Thu, 16 May 1996 05:30:39 +0800 Subject: Defeating fingerprints Message-ID: <9605151406.AA08123@spirit.aud.alcatel.com> > > Burglars and safecrackers sand the ridges off. > > This sounds like it'd work, but quite tedious. > Two words - "power tools" !!! ;-) I've sanded my finger tips down rather well with a belt sander and a fine grit belt on numerous occasions. While I've speculated that I probably wouldn't leave much of a finger print, I've never actually tried to take prints after such an operation. 
Dan ------------------------------------------------------------------ Dan Oelke Alcatel Network Systems droelke at aud.alcatel.com Richardson, TX From anonymous-remailer at shell.portal.com Wed May 15 15:19:50 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Thu, 16 May 1996 06:19:50 +0800 Subject: Micro$oft Online Banking Strategy Message-ID: <199605151423.HAA11700@jobe.shell.portal.com> Extract from Micro$oft WinNews Volume 3, #17: >>>>>>> MICROSOFT ONLINE BANKING STRATEGY Microsoft announced that 58 financial institutions have committed to offering online banking using Microsoft Money through a group of leading banking-software vendors and banking-processing companies. To further help banks build their online-banking services, Microsoft is readying software-component technology for performing secure, ATM-like transactions using popular World Wide Web browsers, including Microsoft Internet Explorer and Netscape Navigator. These tools to facilitate browser-based banking are scheduled to be available by the end of the year. In addition, the Microsoft Windows NT Server network operating system includes embedded support for Internet publishing, helping facilitate an end-to-end Internet banking solution. Press release: http://www.microsoft.com/corpinfo/press/1996/may96/hmbankpr.htm <<<<<<< From msmith at rebound.slc.unisys.com Wed May 15 15:40:54 1996 From: msmith at rebound.slc.unisys.com (Matt Smith) Date: Thu, 16 May 1996 06:40:54 +0800 Subject: distributed keys Message-ID: <199605151447.OAA17650@rebound.slc.unisys.com> Has anyone heard of an algorithm for managing keys automatically in a distributed system? For instance, if some low level security were to be implemented in a networking stack where authentication was to be implemented, you would want to have each node have its own signature so that signature checking can take place when one node connects to another node.
The trick is then getting every node's keys distributed to every other node. Here are some ideas that I had, but neither is very desirable: - Manual distribution. User configures every node's key into every node. Configuration becomes a major hassle and mistakes are a pain to debug. An advantageous side effect is the user can configure which machines can talk to which machines if they're feeling particularly fascist. - At connection time, each node determines whether or not it has the other node's key. If not, a symmetric key is generated via DH and public keys are exchanged. The problem comes in if someone is spoofing the machine to begin with. Then you'll have the wrong public key. Chicken, egg. Egg, chicken. - Having a certifying node which every other node has the public key to and who has everyone else's public key. Requests are made of this server. The trick is making this server secure and forcing the user to devote resources to this endeavour. Thoughts? -- Matt Smith - msmith at unislc.slc.unisys.com "Nothing travels faster than light, with the possible exception of bad news, which follows its own rules." - Douglas Adams, "Mostly Harmless" Disclaimer: I came up with these ideas, so they're MINE! From Doug.Hughes at Eng.Auburn.EDU Wed May 15 16:01:31 1996 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Thu, 16 May 1996 07:01:31 +0800 Subject: Edited Edupage, 9 May 1996 In-Reply-To: <9605150233.AA20633@cti02.citenet.net> Message-ID: "Jean-Francois Avon" wrote: >On 14 May 96 at 10:57, Doug Hughes wrote: > > >> Who says they make a choice >> to live in rural areas? > >Why? were they lobotomized? No, because they are too poor to live in your neighborhood. Sure, they can live in the same geographic region, but it's still rural and poor. People live where they can afford to live. > >> Do they also choose not to have enough money >> to pay for shoes? > >You got to choose to do what is needed to live a better life. And >most of them ain't doing what it takes.
> Are you saying those poor people in rural West Virgina only live there because they are not trying hard enough to get out? (I'm using rural West Virgina as an example. Many people do get a good education and move elsewhere, but not all) Don't bother answering. If you think this is the case, that is your opinion, but I disagree. >> So, because they live in a poor district they are >> not entitled to the same level of education as a rich city suburb? >> The illiteracy rate in Alabama is 40%! This is just plain sick! > >When I was a kid, everything that had characters printed on it was >readable. Who is *preventing* them from reading? environment, lack of education, lack of money, lots of factors. Nobody is holding a gun to anybody's head saying "Don't Read". But improving literacy is a goal that needs to be undertaken. Do you not agree that low literacy is a bad thing and needs to be taken care of? If not, why not? Naturally, you can't force someone to read who doesn't want to. But, why, given a good learning environment and an inspiring teacher would you not want to? > >> But the statement that we shouldn't subsidize >> rural customers because they CHOOSE to live there (even though some >> are poor and can't afford to live anywhere else) is just plain >> fallacious. >Please, substantiate your claims with in-context arguments. > Some people on this list argue that the current representative govt system is bad, and that true democracy is better. You can't have true democracy without education. (You can, but it would be very bad). True democracy relies on people being educated, the more the better. (Actually, education benefits the entire society.) >> Just because you choose to live in the city does not >> mean people always choose to live where they live. >Who cast their feet in concrete blocks? > Where is somebody making less than $5000/year going to move to? (Answer: somewhere rural and poor). Or, if you prefer, they can move into tax-payer subsidized housing? 
(I'd prefer not, thanks) > >> Education is one >> thing (perhaps the only thing) that deserves to be subsidized in >> this country. >I think that it should not be subsidized. >If you feel like subsidising education, then by all means, do it. >But why should you stick a gun in my back to do the same? What if I >do not want to do the same as you? > Then you will be living in a country with lower education standards, increasing illiteracy, and a pretty pitiful base with a declining socio-economic structure. Are you arguing that people are not equal and those with more money should of necessity get better education? Because that's what it sounds like to me. If not, perhaps you would care to clarify. You can vote that poor people shouldn't be educated at all, but that would be worse than paying for them to be more educated. >> the tone of >> the above message is callous, besides being wrong. >In *my* opinion, it is right on the money. But if you can stand >reality, then I understand why you rant... > >BTW, I do not understand the "logics" that want to bring everybody >down because some individuals are down. This is a system that punish >achievement for being achievement and value meekness for itself. >A total, anti-life aberration. > You don't understand at all. It's not about being people down, it's about bringing them 'UP'. It's about devaluing lack of education and striving to improve it. I'm not talking about welfare, medicare, or any other big govt entitlements. I'm not talking about being meek. I'm talking about learning to read and multiply 4*9. I'm not getting into this anymore. It's totally off topic of the list, but I felt I had to respond to your let-the-poor-be-poor-and-uneducated posting. We're straying far off even my point. My point was not that I agree with subsidizing internet connections for every school in america. I'd have to be convinced that that is a good thing. 
However, making sure everybody has a good education is of paramount importance to any society. It's going to cost some tax dollars, but, in my opinion it would be money well spent (unlike building the rural Appalachia country music museum - which was completely wasted money). I also point out that there are poor people out there that can't afford to move from rural out-lands, unless you want them to move into govt subsidized housing. I'd gladly take the former, wouldn't you? Not posting any more on this. -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug at eng.auburn.edu Pro is to Con as progress is to congress From daemon at anon.penet.fi Wed May 15 16:16:29 1996 From: daemon at anon.penet.fi (daemon at anon.penet.fi) Date: Thu, 16 May 1996 07:16:29 +0800 Subject: Anonymous message failed (wrong password) Message-ID: <9605151433.AA01155@anon.penet.fi> The message you sent to the anonymous server could not be processed, as your password (in the X-Anon-Password: header) didn't match the one stored in the server. Either you have made a mistake, or somebody has used your account and changed the password. If the latter is the case, please contact admin at anon.penet.fi. You can check your current password by sending an (empty) message to send-password at anon.penet.fi. 
Contents of failed message: ------------------------- X-Envelope-To: Received: from mail.crl.com(165.113.1.22) by anon.penet.fi via anonsmtp (V1.3mjr) id sma008018; Sun May 12 06:14:37 1996 Received: from crl2.crl.com by mail.crl.com with SMTP id AA19905 (5.65c/IDA-1.5 for ); Sat, 11 May 1996 23:10:02 -0700 Received: by crl2.crl.com id AA10484 (5.65c/IDA-1.5 for nick at anon.penet.fi); Sat, 11 May 1996 22:56:53 -0700 Date: Sat, 11 May 1996 22:56:53 -0700 Message-Id: <199605120556.AA10484 at crl2.crl.com> To: nick at anon.penet.fi Subject: Cyber An at rchy From: cypherpunks at toad.com x-anon-password: have-fun From froomkin at law.miami.edu Wed May 15 16:41:15 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Thu, 16 May 1996 07:41:15 +0800 Subject: (legal) Re: CDA Dispatch #10: Last Day in Court In-Reply-To: <9605150217.AA26984@rpcp.mit.edu> Message-ID: On Tue, 14 May 1996, Joseph M. Reagle Jr. wrote: > Ok, thank you for clarifying that. One question regarding the "de > novo," if a lower court decides to restrict its ruling to a specific aspect > of the case ("indecency") can the higher court broaden the scope of its > ruling, or must its ruling be with specific regards to the scope of the > lower court. (I don't know if the appeal can be on the basis of the scope.) If the legal issue was presented for decision below, and forms a part of the notice of appeal, then it is properly preented to the court of appeal, regardless of what the court below actually did. Any other rule would allow a trial court to prevent issues from being reviewed. The Supreme Court has been known, however, to decide issues that went beyond the strict confines of these limits. Even things that weren't argued by the parties.... If the appellate decision requires more facts in order to apply the legal principle decided by the higher court, it has the option of remanding the case to the trial court for more fact-finding in light of the legal rules explicated by the higher court. 
[...] [I am away from Miami from May 8 to May 28. I will have no Internet connection from May 22 to May 29; intermittent connections before then.] A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm there. From jyacc!aspen!bdodds at uunet.uu.net Wed May 15 17:12:49 1996 From: jyacc!aspen!bdodds at uunet.uu.net (brian dodds) Date: Thu, 16 May 1996 08:12:49 +0800 Subject: Past one terabit/second on fiber In-Reply-To: <199605150618.XAA28824@pacifier.com> Message-ID: On Tue, 14 May 1996, jim bell wrote: > But with > fiber transmission probably less than 1/100th the cost of older coaxial > transmission systems, per connection, it is unclear why they're even > continuing to meter LD phone calls. especially when 1Tb fiber is in practice - our phone calls will take only nanoseconds! :) anything included in that as to why they used a dfb laser for channel 16? or is it something obvious i'm missing? i notice they're still using the encyclopedia/second benchmark.. bri.. --bdodds at jyacc.com brian dodds, systems administration, jyacc, inc. wellesley, ma --617.431.7431x125 opinions expressed within are not necessarily my own or anyone elses.. From black at eng.usf.edu Wed May 15 17:23:31 1996 From: black at eng.usf.edu (James Black) Date: Thu, 16 May 1996 08:23:31 +0800 Subject: PRZ /PGP In-Reply-To: <199605150636.XAA08535@atropos.c2.org> Message-ID: Hello, On Tue, 14 May 1996 sameer at c2.org wrote: > > Freeware authors are regularly criticized for delays, at least > > on the Mac newsgroups. And nearly everybody in software development > > misses deadlines. Where I've worked, us low level grunts (the guys and > > I'm sorry, but if you're getting paid for work, then it should > be delivered on time (or close to on time). 
Whether or not the work > you getting paid to do is going to be distributed for free or not is > beside the point. In my case what seems to happen often is that my boss(es) will make some minor change (to them) that requires making many changes to the code, and so it takes me longer than I expected, or my homework load gets very heavy for a few days (when projects are due :) and I have less time to finish the program. Just why I sometimes go over-deadline. ========================================================================== James Black (Comp Sci/Elec Eng Senior) e-mail: black at eng.usf.edu http://www.eng.usf.edu/~black/index.html "An idea that is not dangerous is unworthy of being called an idea at all." Oscar Wilde ************************************************************************** From frissell at panix.com Wed May 15 17:43:56 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 16 May 1996 08:43:56 +0800 Subject: SS Follies Message-ID: <2.2.32.19960515150703.00749624@popserver.panix.com> >>Although knowingly providing a fake social security number when one >>has any expectation of gain is, I believe, a felony. >> >>42 USC. sec. 408. > >Indeed. Except that this only applies to official uses. Obtaining a gain from a particular SS "account". I don't think it applies if you lie to your employer. >Plus, should one "just make a number up," odds are good that it "won't >compute," that is, that it will either collide with an existing number (and >identity, and reported income) or that it will fail the checksum/allocation >tests. No checksums involved (scheme invented in the '30s before that sort of thing) but there are unused ranges and geographical ranges. Freeware program like ssn.exe (available in all the usual places) will let you vet numbers. >The IRS imposes penalties for faking SS numbers. (Not to mention the >punishment meted out by the Sturmgruppenfuhrers of the SS!) 
If you use a "wrong" SS# on a W-4 form you will (some of the time but not always) receive a computer generated note from the SS warning you that your earnings have not been deposited into the proper account and if you don't correct the error you may lose benefits. Further action almost never occurs. Obviously more of a problem if done on 1040 forms. >A simple transposition of two digits may not get you zapped, but a >large-scale transposition or outright falsification will. If and when they >catch up with you. In the case of a school or cable TV company or something that wants the SS# to use for ID or credit purposes, nothing bad is likely to happen even if you are "caught". The SS doesn't verify SS#s for the credit agencies these days so they've had to build their own databases. If caught by private parties, all you have to do is say, "the SS# is Mark of the Beast mentioned in Revelations. It is part of a Satan-inspired One-World-Government Plot to establish *His* rule over the earth. I will not abide it." They leave you alone after that. Civilians are remarkably easy to cow if you express strong opinions. Real dialog from September 1983 in a Midwest State: Officious Intermeddler: "Why aren't you in school?" 12-year-old girl: "My daddy doesn't believe in sending me to those schools. He says they're controlled by Communists." Almost real dialog from the Spring of 1996: Parent: "My child has no SS# because (he/she) has lived overseas for (his/her) entire life." College admissions bureau-rat: "But how can (he/she) have a Passport without an SS#?" Parent: "That's our problem, not yours unless you've joined the State Department in the last 15 minutes." Most SS# problems occur in cases where one interacts with official persons. Since it is rarely necessary to interact with official persons, one can easily minimize these problems. Don't return their phone calls to your voice mail. Don't go to their offices. 
Like Rumpole of the Baily with his letters from Inland Revenue, drop their notes into the circular file. Don't ask, don't tell. Very little prison time has (yet) been served for SS# fraud. This may change if the "Immigration in the National Interest Act of 1996" passes since it increases penalties for uttering false documents in some cases. It doesn't apply to your interactions with your cable company. DCF From jrichard at slonet.org Wed May 15 18:24:22 1996 From: jrichard at slonet.org (Josh Richards) Date: Thu, 16 May 1996 09:24:22 +0800 Subject: SEVERE undercapacity, we need more remailer servers FAST In-Reply-To: <199605150708.AAA26485@netcom16.netcom.com> Message-ID: On Wed, 15 May 1996, Be Good wrote: > > The remailer capacity is quite underdone, there aren't really > that many remailer servers out there. Only TWO servers outside > the US. Only ONE server making direct posts to netnews. And > what, two or three nym servers? Obviously this is severe > undercapacity and we need to start up MUCH more servers and > FAST, ESPECIALLY in foriegn countries. [..] > > I'm CLUELESS about this stuff, I'd love to help, at least by > distributing code and exact intructions to make it as easy > as possible to encourage clueless types to start it up. > > So what is the expense of setting up a full-featured server > like hacktic? Mr. Graves should start up a new server, and > tcmay is rich, so he has no excuse. Exactly. I'd like to here some remarks from people who have ran remailers regarding what kind of bend it has put on their bandwidth and servers. I just happen to Admin. several servers on the other side of a leased line... Josh Richards (jrichard at slonet.org) (jrichard at fix.net) SLO Street Tech Development (Computer Services) From droelke at rdxsunhost.aud.alcatel.com Wed May 15 18:36:26 1996 From: droelke at rdxsunhost.aud.alcatel.com (Daniel R. 
Oelke) Date: Thu, 16 May 1996 09:36:26 +0800 Subject: Past one terabit/second on fiber Message-ID: <9605151544.AA08243@spirit.aud.alcatel.com> > > In the April 1996 issue of Fiber Optic Product news, there is an article on > a Lucent Technologies (formerly Bell Labs...no relation...sigh...) product > which wavelength-multiplexes quantity 8, 2.5 Gb/second signals on a single > fiber, for a total of 20 Gb/sec. This is a real, purchaseable system. On > the same page is a somewhat more experimental system, done by Corning and > Siemens, in which eight channels at 10 Gb/sec each were transmitted on a > single Corning fiber. > > "Wow", I said. Far faster than the 2.5 Gb/sec transmission that is > currently fairly standard for long-haul fiber trunks. The ads say they are selling it - that doesn't mean shipping it... yet at least. (Note that my employer is a direct competitor of Lucent so I have a vested interest in setting the facts straight) > I wasn't prepared, however, for page 38, in an article titled "Research > Teams Achieve 1 Trillion bits a Second." In fact, three separate groups did > this. I copy the article below. Yes - this is still very much a lab situation only though. It will be quite a few years before we hit that in real systems. [...] > > Even if we only consider that 20 Gb/second fiber from Lucent, that is > equivalent to about 300,000 simultaneous voice calls. An OC48 signal (~2.5 Gb/sec) will handle 48 T3's or 48 * 672 voice calls. Multiply by 8 for 20 Gb/second and you get 258048 voice calls. Pretty close to 300k I guess. > With a standard, > 36-fiber cable, that represents 18x300,000 two-way calls, or about 4.8 > million calls. This is probably far greater than the maximum number of > people on LD in the US at any given time, and that's just a single cable trunk. I don't know that any number fiber cable is "standard" but 36-fiber cable is not unusual. 
To find the capacity of a cable, you have to cut the number of fibers in half (as you did) because generally each fiber is used only for a single direction of traffic. You then have to cut it in half again because phone companies have everything redundant. So, for a connection between two cities, there are generally 2 cables in different locations (so one backhoe doesn't get both), with on average only 1/2 the fibers in each carrying paying traffic. > If we assume that the fiber cable costs $1/meter per fiber, and the cost of > trenching, burial, and interconnects raise this to $10/meter/fiber, and if > we generously assume that the average LD call goes 3000 miles (5,000,000m), > that call occupies 1/150,000th of a $50 million fiber for a few minutes. If > we suppose that the fiber has to gross $100,000,000 per year to pay for > itself, and even if it's only operating at an average 10% load level(both > assumptions are pessimistic, that only works out to a cost of 1.3 cents per > minute per call. That's why these LD phone companies are so scared: If we > can transmit Internet on fiber, that fiber can accept this extra traffic at > very low marginal cost. I can't vouch much for your cost numbers - other than to apply the factor of 2 adjustment noted above. I would add that much of a phone company's cost is in billing and customer service, etc. Not the cost of installing and maintaining the fiber and equipment. This is how the smaller carriers buy lots of bandwidth off of the big guys, and remove all the billing, etc. problems to themselves. The big guys are still making money selling the bandwidth, and the little guy makes his profit by selling for slightly less than the big guy and somehow making his billing, customer service, etc. cost him less. Internet telephony should make the use of bandwidth even more efficient - thereby cutting costs. The big guys who own the fibers will still make money - the pipes that carry internet traffic are still needed.
But the little guys will get squeezed out. (until they become ISPs ;-). Internet traffic could theoretically be carried over this large amount of protection fiber (mentioned above) that is out there for a much lower marginal cost than the current T3 or OC3 pipes that are being used. The only "problem" being that these are lower priority channels, so that if a failure occurs anywhere, the traffic on them is dropped. Most customers are demanding high uptimes so much that the idea of a very lost cost, but much less reliable service hasn't caught on yet. Dan ------------------------------------------------------------------ Dan Oelke Alcatel Network Systems droelke at aud.alcatel.com Richardson, TX From tcmay at got.net Wed May 15 19:12:31 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 16 May 1996 10:12:31 +0800 Subject: Edited Edupage, 9 May 1996 Message-ID: At 2:09 PM 5/15/96, Doug Hughes wrote: >environment, lack of education, lack of money, lots of factors. Nobody >is holding a gun to anybody's head saying "Don't Read". But improving >literacy is a goal that needs to be undertaken. Do you not agree that >low literacy is a bad thing and needs to be taken care of? If not, why >not? Naturally, you can't force someone to read who doesn't want to. No, I don't think "low literacy" in some subcultures is something that "needs to be taken care of." If members of that subculture think it a bad thing that their kids (not to mention themselves) are not readers and are not sufficiently literate to thrive in a high-tech world, then they need to take steps to change the basic values of their subculture. As I mentioned, many subcultures--too numerous to name, actually--have a strong belief in literacy, learning, and success, and are doing extremely well in modern American society. Other subcultures do not, and are seeing the fruits of their bad values realized. 
(One notable subculture currently has 40% of its adult male population either in prison, on parole, under indictment, or otherwise involved with the legal system in a debilitating way. This same subculture now has close to an 85% illegitimacy rate.) There is nothing "I" can do about such subcultures. Loads of tax dollars have not helped. As Charles Murray points out in "Losing Ground," the loads of tax dollars and special giveaways to some subcultures have very likely made the situation much worse than it was 30-40 years ago when the programs started. >Some people on this list argue that the current representative govt >system is bad, and that true democracy is better. You can't have true >democracy without education. (You can, but it would be very bad). >True democracy relies on people being educated, the more the better. >(Actually, education benefits the entire society.) "True democracy" is actually much worse than what we have now. The advantage of what we are doing with strong cryptography is that it undermines democracy. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From dsmith at midwest.net Wed May 15 19:32:26 1996 From: dsmith at midwest.net (David E. 
Smith) Date: Thu, 16 May 1996 10:32:26 +0800 Subject: (Fwd) New Anonymous Remailer Message-ID: <199605151619.LAA21672@cdale1.midwest.net> ------- Forwarded Message Follows ------- From: privacy at interlink-bbs.com Subject: New Anonymous Remailer Date: Wed, 15 May 1996 06:34:02 GMT To: info-pascal at ARL.MIL You may be familiar with anon.penet.fi, which gives you an anonymous account. Our service allows YOU to choose what the return address will be! Please write for more info. From unicorn at schloss.li Wed May 15 19:54:04 1996 From: unicorn at schloss.li (Black Unicorn) Date: Thu, 16 May 1996 10:54:04 +0800 Subject: SS Follies In-Reply-To: <2.2.32.19960515150703.00749624@popserver.panix.com> Message-ID: On Wed, 15 May 1996, Duncan Frissell wrote: > Almost real dialog from the Spring of 1996: > > Parent: "My child has no SS# because (he/she) has lived overseas for > (his/her) entire life." > > College admissions bureau-rat: "But how can (he/she) have a Passport > without an SS#?" > > Parent: "That's our problem, not yours unless you've joined the State > Department in the last 15 minutes." Not to mention that an SS# is not required to receive a U.S. Passport. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From perry at piermont.com Wed May 15 19:56:52 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 16 May 1996 10:56:52 +0800 Subject: Edited Edupage, 9 May 1996 In-Reply-To: Message-ID: <199605151612.MAA02550@jekyll.piermont.com> As long as this is now CypherCesspit and not CypherPunks, I might as well play the game. Doug Hughes writes: > >If you feel like subsidising education, then by all means, do it.
> >But why should you stick a gun in my back to do the same? What if I > >do not want to do the same as you? > > Then you will be living in a country with lower education standards, > increasing illiteracy, and a pretty pitiful base with a declining > socio-economic structure. What, like the one we live in NOW? As I said, things have gotten steadily worse since Horace Mann invented the modern government socialization institution we call the "public school". (It was originally created to force the horrible subhuman Irish and Germans to send their kids to places where good protestant values would be inculcated into them, not as a way to increase the literacy rate. Check on your own if you don't believe me.) Every year since World War II, expenditures in real dollars have increased per pupil at the government schools. Every year, average class size has gone down in the government schools. Indeed, year after year, the demands of the education mafia are always met. Who, after all, would dare deny anything to the poor children. Of course, almost every year, educational quality has declined. Has it occurred to you that something is probably wrong with your world model when in spite of the fact that everything the education mafia asks for is granted they can't deliver the goods? Maybe if New York City spends $20,000 a year per student instead of the $10,000 they spend now things will get better? One wonders why the parochial schools get away with spending only $2500 and yet deliver a better education. > >> So, because they live in a poor district they are > >> not entitled to the same level of education as a rich city suburb? > >> The illiteracy rate in Alabama is 40%! This is just plain sick! > > > >When I was a kid, everything that had characters printed on it was > >readable. Who is *preventing* them from reading? > > environment, lack of education, lack of money, lots of factors. I learned to read outside of school. 
I realize I had a privileged background -- my parents being literate and all -- but in fact I'll note that my parents claim that they didn't teach me to read, the goddamnoisybabblebox did. One day I just started reading at them and they were shocked as could be. Perhaps it's this sort of thing, and the fact that the literacy rate was higher BEFORE public education, that lead me to believe that we don't need any more "assistance" from the friendly neighborhood government. We need less, a lot less, and as fast as possible. > Nobody is holding a gun to anybody's head saying "Don't Read". But > improving literacy is a goal that needs to be undertaken. Do you not > agree that low literacy is a bad thing and needs to be taken care > of? I agree that it is bad that some people do not know how to read, but the cost is mostly paid for by them except when society decides to "help the unfortunate". Even then, it is the illiterate who can't get a job, not me. Literacy is a private good, not a public good. If you would like to see an improvement in literacy I therefore have a simple solution. Eliminate public schools. The literacy rate has been in steady decline since Horace Mann's lovely innovation. With only private schools available, teachers will live in terror of being fired for being ineffective. Schools that don't teach children the skills their poor parents scrimp and save for will lose their students. Incompetent fools will no longer be tolerated. The schools will cease to spend time teaching random socialist fluff and will become businesses hired to inculcate skills like reading, mathematics and reasoning ability -- or they will be fired. I live in hope that some day schools will be forced to go begging for students, and will find themselves faced with questions like "if Johnson Elementary across town can teach my kid for $500 less a year and teach him to read a year earlier in a safer environment, why the hell should I pay incompetent dweebs like you?"
I long for the day when Albert Shanker and the entire teachers union hierarchy is forced to sweep streets for lack of any other job that anyone will offer them. So, yes, I want to see education improved. The answer in my mind is to fire the entire government. > I'd have to be convinced that that is a good thing. However, making > sure everybody has a good education is of paramount importance to > any society. It's going to cost some tax dollars, but, in my opinion > it would be money well spent Housing is of paramount importance to society. Do you feel that you would like to live in government housing projects over a privately owned apartment? Food is of paramount importance to society. Why do we have no government run feeding stations to replace these evil supermarkets, then? Heat is of paramount importance to society -- in New England you can't survive the winter without it. Why, then, do we not have government operated and financed oil companies to replace the evil private ones. Communications are of primary importance to society. Would you swap our phone system for the phone system in Greece, or even the one in France, which are publicly subsidized and run by the government? Do you prefer using the U.S. Postal Service, or Federal Express when you absolutely positively have to get the package there? If you had a choice, would you go to a V.A. "hospital" or see a private physician? In short, why do you think the government, which fucks* up everything it touches, and which has controlled education for a century, is the answer to fixing the education problem, when it so obviously is the CAUSE of the education problem? (*intentionally placed to provide CDA fodder.) > Some people on this list argue that the current representative govt > system is bad, and that true democracy is better. Actually, I believe most people on this list argue for no government or so little that its decisions hardly matter.
Perry From frantz at netcom.com Wed May 15 20:21:06 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 16 May 1996 11:21:06 +0800 Subject: crosspost re remailers Message-ID: <199605151759.KAA02013@netcom8.netcom.com> At 10:30 PM 5/14/96 -0700, Rich Graves wrote: >Actually, there hasn't really been any discussion on cypherpunks, which I >find a little surprising. I'd have thought that a remailer going down >because of political/legal pressure would raise more of a ruckus. People >seem jaded, but I'm not sure why. I thought the statement that remailers are supposed to be ephemeral and common was the answer. If one is shut down, a dozen spring up in its place. Advertising new remailers does become an issue. What mechanisms are in place for new remailers to advertise themselves? I find it interesting that this remailer is being shut down by private action and not by government. (Yes, they are threatening government action, but if they couldn't do that they would find some other threat.) ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From frantz at netcom.com Wed May 15 20:23:13 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 16 May 1996 11:23:13 +0800 Subject: distributed keys Message-ID: <199605151800.LAA02200@netcom8.netcom.com> At 8:47 AM 5/15/96 -0600, Matt Smith wrote: >Has anyone heard of an algorithm for managing keys automatically in a >distributed system? > >For instance, if some low level security were to be implemented in a >a networking stack where authentication was to be implemented, you would want >to have each node have its own signature so that signature checking can >take place when one node connects to another node. The trick is then >getting every node's keys distributed to every other node. > >...
> (4) Have a machine responsible for generating the public-private keys for each node. It has its own public-private key pair. It uses its private key to sign each node's public key. Every node gets three keys: its public and private keys, and the public key generating machine. When nodes make contact they exchange signed public keys and verify the signature of their partner's key with the public key of the generating machine. This is a simple certificate hierarchy scheme as seen in SET, the US Post Office CA system, and VeriSign. Note that the generating machine does not need to be on any network. In fact, it could spend most of its time locked up in a safe since it is only needed when generating new keys. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From unicorn at schloss.li Wed May 15 20:25:35 1996 From: unicorn at schloss.li (Black Unicorn) Date: Thu, 16 May 1996 11:25:35 +0800 Subject: Why does the state still stand: In-Reply-To: <01BB41E0.DE17C4C0@blancw.accessone.com> Message-ID: On Tue, 14 May 1996, blanc wrote: > From: Hal [on the idea of companies operating fully anonymously] > > It might be interesting to make a list of all the problems people can > think of why this idea won't work, paired with proposed solutions and > workarounds - sort of a mini FAQ for this important (some might say > ultimate) cypherpunk model. > ..................................................................... > > I think this is a much needed discussion - in particular as it comes at a time when Uni is "somewhat disconcerted" at the defeatist attitude of some cypherpunks and since TCMay is getting ready to read us the Cypherpunks Bill of Rights regarding the subsidization of other people's cyber existence (heh).
> > 3 problems which immediately come to mind: > > . What if someone, hired on one occasion but fired at another, decides in anger to "turn coat" and report everyone to the IRS (or other fine government agency)? The entire organization would clearly have to be double blinded. If this can be done for mailing lists (which I believe it can) it can be done for corporations too. The real trick is getting the costs of anonymous (and I mean secure anonymous) communications low enough. > > . What if a company does not pay as expected - other than adopting > Assassination Politics, what method could an employee use towards > getting their expected remuneration for work done? If payment is made weekly, it should be made in advance to an escrow agent who would issue a certificate that the payment for employee r2dd54 has been received. The payment would then not be released to anyone without the consent of the corporation and the employee. Obviously the escrow agent would have to be trusted. This prevents an anonymous employee from running off with money without working and prevents an anonymous corporation from screwing the employee. Even if a payment gets hung up in a dispute, it's only for a week. You could break the payments into monthly, or bi yearly or however you like. > . Wouldn't everyone need to have two jobs (or source of regularly > accepted cash), in order to be able to pay for services where suppliers > do not accept virtual cash transactions? (TCM has mentioned before about > the need to pay for some things in tiny quantities - like quarters for a > phone call, etc.) This is what unemployment is for. No reported income = no job = get portions of your previously paid tax back before you die. In addition, why not exchange virtual cash for spending money offshore and have it forwarded to you? It's not hard to hide the kind of small pure cash transactions that day to day living requires (Food, telephone, etc).
The only problem is the large purchases which require reportable type transactions. For these a company running at a constant net operating loss could be formed to purchase cars for resale (funny how no one ever buys them) and manage property (which no one seems to ever lease). > .. > Blanc --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From jamesd at echeque.com Wed May 15 20:27:59 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Thu, 16 May 1996 11:27:59 +0800 Subject: Why does the state still stand: Message-ID: <199605151707.KAA25775@dns2.noc.best.net> At 10:01 PM 5/14/96 -0700, blanc wrote: >3 problems which immediately come to mind: > >. What if someone, hired on one occasion but fired at another, > decides in anger to > "turn coat" and report everyone to the > IRS (or other fine government agency)? I expect that as corporations move to the net, they will not have the highly centralized structure of existing corporations. In any case this structure is in large part imposed by the state in order to facilitate tax collection. For example the existence of the "Human resources department" is largely the result of state coercion of corporations. In web businesses one's primary relationship will be with one's immediate coworkers, rather than the greater corporation. They will consist rather of a network of relationships -- contracting will move up, and the Keiretsu structure will move down. I expect the institutional structure will resemble that of the mafia -- a loose confederation of networks rather than tight whole. Thus defection by one party can only cause limited damage.
In my judgement the Keiretsu form of economic organization is growing in large part because of improved communications and lowered communication costs. The Keiretsu form does not in itself facilitate tax evasion, but it does mean that the state has to apply coercion more directly to more people in order to collect taxes, and that its coercion has to be more visibly arbitrary and disruptive. >. What if a company does not pay as expected - other than adopting > Assassination Politics, what method could an employee use towards > getting their expected remuneration for work done? In order to do business, one will need a good name (or good nym). If one does not have a good name, one will be poor. That is why I said "every man his own credit bureau". >. Wouldn't everyone need to have two jobs (or source of regularly > accepted cash), in order to be able to pay for services where > suppliers do not accept virtual cash transactions? (TCM has > mentioned before about the need to pay for some things > in tiny quantities - like quarters for a phone call, etc.) Existing forms of ecash are costly and inconvenient, hence unsuitable for spending in tiny quantities. I expect that in the not very distant future every shop will offer its own cash, and that some of these will be in the form of millicents -- suitable for automatic lightly supervised transactions between computers. I expect the transaction cost advantage will eventually be on the side of electronic money, rather than physical money. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. 
| jamesd at echeque.com From ses at tipper.oit.unc.edu Wed May 15 20:35:03 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Thu, 16 May 1996 11:35:03 +0800 Subject: PRZ /PGP In-Reply-To: Message-ID: A deadline is a wish your heart makes... --- Cause maybe (maybe) | In my mind I'm going to Carolina you're gonna be the one that saves me | - back in Chapel Hill May 16th. And after all | Email address remains unchanged You're my firewall - | ........First in Usenet......... From hfinney at shell.portal.com Wed May 15 20:41:45 1996 From: hfinney at shell.portal.com (Hal) Date: Thu, 16 May 1996 11:41:45 +0800 Subject: SEVERE undercapacity, we need more remailer servers FAST Message-ID: <199605151758.KAA25847@jobe.shell.portal.com> The problem that I think the Scientology postings raise is that the remailers cannot really be used to post copyrighted material. That is what got the netherlands hacktic remailer shut down. This shows, BTW, that being outside the United States is no guarantee of immunity. Most Western countries support copyrights. Maybe the operators can try to plead that they are like "common carriers" and should not be blamed for what people post. Still it is going to take deep pockets at best to prevail in this dispute, and it isn't even clear that the remailer will win. Maybe the lawyers on the list could comment on legal liability of a remailer used to repeatedly post copyrighted material, whether Scientology scriptures or Microsoft Word binaries. I don't see how it can happen. (This ties in, BTW, with my posting yesterday about problems with the "anonymous company" concept. It is not clear that any of the technologies we have discussed will allow continuous, long-term and reliable broadcasting of illegal material.) Presently all the remailers operate for free, which makes it even harder to justify taking the chance of facing an expensive lawsuit. 
On the other hand, at least if no commercial gain is involved the operator might escape some forms of damages if he loses. A for-pay remailer which is posting copyrighted material could be in even more trouble, it seems to me. Again, legal opinions would be welcome. This was the basis for my suggestion that remailers may have to stop supporting posting of messages, and instead be used for private mail between consenting individuals. Granted, this would probably eliminate 99% of non-cover remailer traffic. But I would argue that as long as the core functionality is there of letting people communicate with each other anonymously and consensually, we would still offer an important service. After all, what is the purpose of anonymous remailers? It isn't really to allow harassing and abusive messages to be sent to one's enemies. And it isn't to defeat intellectual property laws by proving that no one can stop this material from being posted (remailers can't succeed in doing this, as I said above). Rather, I view remailers as a natural extension of encryption. Encryption hides the contents of the messages you send from eavesdroppers. But they can still see who you are communicating with. Remailers extend privacy protection beyond "what you say" to "who you say it to". When used with pseudonym servers and some of the extensions we have discussed here over the years (maildrops, etc.), they can allow the anonymous two-way communication that is needed for real privacy. This has nothing to do with tweaking Microsoft or Scientology by posting information they own. If people want to do that, they need to find another method. Maybe they can get usenet shut down if they try hard enough. I don't know how that battle is going to come out. But I don't see the remailers as playing an important role there.
Hal From jf_avon at citenet.net Wed May 15 20:52:01 1996 From: jf_avon at citenet.net (Jean-Francois Avon) Date: Thu, 16 May 1996 11:52:01 +0800 Subject: Rural Datafication (Was Re: Edited Edupage, 9 May 1996) Message-ID: <9605151815.AA25152@cti02.citenet.net> On 14 May 96 at 19:35, Timothy C. May wrote: > (This is having yet another interesting side effect: the wealthy who > can afford digital DSS dishes are suddenly very uninterested in > local cable problems, and the impetus for improvement is lost. > Obviously the "poor" are then left with a decaying, outmoded > infrastructure. Even as a Darwinian, I have to feel for them. They > got sold a bill of goods, about how awarding "the franchise" to TCI > or Sonic or Galactronic Cable would result in "universal access," > and now they're stuck.) Hey Tim, where are your bandwidth-saving manners? You should simply have said : "You asked for it, brother..." ? ;-) Regards! JFA DePompadour, Societe d'Importation Ltee Limoges porcelain, Silverware and mouth blown crystal glasses JFA Technologies, R&D consultants. Physicists, technologists and engineers. PGP keys at: http://w3.citenet.net/users/jf_avon ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891 Unsolicited commercial e-mail will be proofread at US165 $/h Any sender of such material will be considered as to have accepted the above mentioned terms. From jf_avon at citenet.net Wed May 15 21:08:21 1996 From: jf_avon at citenet.net (Jean-Francois Avon) Date: Thu, 16 May 1996 12:08:21 +0800 Subject: Why does the state still stand: Message-ID: <9605151745.AA23065@cti02.citenet.net> On 15 May 96 at 0:45, Ed Carp wrote: > The problem, however, is twofold - (1) the government will > play mind games on the rest of the population to make you look like > a terrorist, or whatever turns the populace against you, Well, first of all, we should find how much of the population *really* believe in what govt says.
There is a difference between the politically correct opinion that Joe & Jane Public give to a poll interviewer and what they really think. Second, you suppose that Joe & Jane Public really like and approve what they understand from what the medias say. And finally third, this system does not work according to the will of a majority. It wouldn't take too many people who believe that the medias and their perceived lack of integrity is widely responsible for the way the world goes right now, to have a substantial prize put on the head of the medias. Therefore, any journalist with two+ working neurons will realize that sticking to the most objective facts available would be the best way to build a great reputation while sticking to govt propaganda would be a great way to attract a prize on his head. > and (2) the > government tends to use a sledgehammer to crack a walnut. They > don't care what kind of collateral damage they inflict (witness Waco > and Ruby Ridge) as long as they can make their point. If people decided to put a prize on the medias or some journalists *before* they do on the govt, it might very well undercut many of the counterattack any govt might have. Among the ways a govt would have to circumvent that might be: - create their own medias and have tight security and anonymity - forbid the press from reporting certain events - etc. (Again, many counter arguments have as a basic premise that the populace is stupid. I do not believe the contrary, I simply say that I do not know. Future will show.) So, to see how AP will make the system evolve, you have to assess the communication capabilities of govt vs the individual. This is central to AP and the nature of actual govts. This is *why* the internet is *so* dangerous to any govts that seek to either retain or increase their power, even if it actually touches only but a tiny portion of world population.
For the first time in the history of humanity, we have a peer to peer communication capability and an individual-to-world broadcasting capability that is not controllable in practice by any other entity (such as law, high finance, etc) This explains fully why the various govts want to find a way to enforce internet laws, breakable crypto schemes and non-anonymous protocols. JFA PLEASE NOTE: THIS POST DOES NOT MEAN THAT I ENDORSE MR. BELL'S SYSTEM. MY RATIONAL CONCLUSIONS ABOUT ITS INTERNAL MECHANICS AND ITS INTRINSIC LOGICS DOES NOT MEAN THAT I LIKE NOR ENDORSE THE SYSTEM. I SIMPLY CONCLUDED THAT IT IS IMPOSSIBLE TO PREVENT THE SYSTEM FROM BEING IMPLEMENTED. IMO, IT IS UNAVOIDABLE. DePompadour, Societe d'Importation Ltee Limoges porcelain, Silverware and mouth blown crystal glasses JFA Technologies, R&D consultants. Physicists, technologists and engineers. PGP keys at: http://w3.citenet.net/users/jf_avon ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891 From furballs at netcom.com Wed May 15 21:52:08 1996 From: furballs at netcom.com (Paul S. Penrod) Date: Thu, 16 May 1996 12:52:08 +0800 Subject: Fingerprinting annoyance In-Reply-To: Message-ID: On Tue, 14 May 1996, Black Unicorn wrote: > On Mon, 13 May 1996, Paul S. Penrod wrote: > > > > > > > On Mon, 13 May 1996, Senator Exon wrote: > > > > > in connection with a character and fitness report i have been > > > asked to supply a review board with a set of my fingerprints > > > i have never been fingerprinted before > > > i am not very keen on the idea now > > > of course refusing will attract suspicion > > > short of getting someone else to put their fingers in ink for > > > me does anyone have a cute method by which to obscure my prints > > > on those cute little cards without it being obvious? > > > i can fill out and manipulate the card myself i just need a > > > working method. > > > is there no privacy advocate who can help me?
> > > > > > First off, if you were born in the US, they have your feet and/or hand > > prints on record. > > Incorrect. > Several states do not bother to print infants at birth. > Several hospitals do not bother to follow state guidelines in those states > which do so require. Which ones specifically? > > It is one of the great advantages of the United States that no > standardized procedure for person identification exists. Seals and > certificates vary from jurisdiction to jurisdiction. Cross the border to > a state and a hospital birth announcement is enough for a drivers license, > cross again and 4 pieces and a note from mom isn't enough. > > Be careful with disinformation please. > My point is not about the variance of seals and certificates (I have at least 6 different ones prove it from 4 different states). That is a given. It is that prints have been a generally accepted practice for some time now. IF you want to make the case and go back to the early days (pre-WWII), then people like attila and a few others don't have them - and I'll concede the point on that basis. The information I received has come from inquiries to folks I know within the AMA, several different hospital administration staff in various states - whose job it is to handle such affairs, and few other people who make it their business to know such trivia. IF the information is in error, I'll gladly accept correct input. Next time, don't be so quick to accuse without inquiring to context. I'm not J.Bell. ...Paul From furballs at netcom.com Wed May 15 22:16:14 1996 From: furballs at netcom.com (Paul S. Penrod) Date: Thu, 16 May 1996 13:16:14 +0800 Subject: Fingerprinting annoyance In-Reply-To: Message-ID: On Tue, 14 May 1996, Black Unicorn wrote: > On Mon, 13 May 1996, Paul S.
Penrod wrote: > > > > > > > On Mon, 13 May 1996, Senator Exon wrote: > > > > > in connection with a character and fitness report i have been > > > asked to supply a review board with a set of my fingerprints > > > i have never been fingerprinted before > > > i am not very keen on the idea now > > > of course refusing will attract suspicion > > > short of getting someone else to put their fingers in ink for > > > me does anyone have a cute method by which to obscure my prints > > > on those cute little cards without it being obvious? > > > i can fill out and manipulate the card myself i just need a > > > working method. > > > is there no privacy advocate who can help me? > > > > > > > First off, if you were born in the US, they have your feet and/or hand > > prints on record. Secondly, fingerprints are not an absolute proof > > positive means of identification. They are sufficiently unique enough > > that it satisfies the statistical error acceptability for many > > governmental agencies. > > > > I wouldn't worry about it personally. There are more effective ways of > > getting around such things if you really need to. If you don't have any > > historical baggage, then don't make waves. > > More effective? Why not share them with the list? The guy obviously IS > worried about it, and maybe reasonably so. > Yes. No, and for obvious reasons. If the guy is worried because he is paranoid, then that is his reality. It's not as difficult as you might think to find someone if you really want to - with or without fingerprints. If he is paranoid because he has baggage, then that is also his problem. We live by our own choices everyday - both good and bad. There are some consequences that take time to catch up with us, and some of those are unavoidable. If the job is worth it to him, then he will submit - otherwise there are lots of other places to work that don't require printing. 

...Paul

From mccoy at communities.com Wed May 15 22:19:33 1996
From: mccoy at communities.com (Jim McCoy)
Date: Thu, 16 May 1996 13:19:33 +0800
Subject: [NOISE] Re: Edited Edupage, 9 May 1996
Message-ID:

Doug Hughes writes:
> "Jean-Francois Avon" wrote:
[... regarding the unfortunate poor who Mr. Avon hates...]
> >You got to choose to do what is needed to live a better life. And
> >most of them ain't doing what it takes.
>
> Are you saying those poor people in rural West Virginia only live
> there because they are not trying hard enough to get out?

Yes he is. They are poor and it is all their fault.

[flame-bait approaching...] There are two kinds of libertarians, those who hate the poor and those who don't. I always seem to meet the former, I am beginning to suspect the latter don't exist.

[...]
> >> Education is one
> >> thing (perhaps the only thing) that deserves to be subsidized in
> >> this country.
> >I think that it should not be subsidized.
> >If you feel like subsidising education, then by all means, do it.
> >But why should you stick a gun in my back to do the same? What if I
> >do not want to do the same as you?
> >
> Then you will be living in a country with lower education standards,
> increasing illiteracy, and a pretty pitiful base with a declining
> socio-economic structure. Are you arguing that people are not equal
> and those with more money should of necessity get better education?

Yes, he is. It is times like this that I must count myself among the pitchfork and torch wielding mob, if only because I have been cursed with a small amount of compassion for those who were not as lucky as I.

BTW Mr. Avon, the reason we, the unruly mob of collectivists, socialists, and [insert libertarian/anarchist buzzword here] should stick a gun in your back and make you cough up money for education is because we can. If you don't want to do so, then why don't _you_ move? Are your feet cast in concrete blocks? Welcome to the real world.

jim

From jf_avon at citenet.net Wed May 15 22:24:08 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Thu, 16 May 1996 13:24:08 +0800
Subject: Why does the state still stand:
Message-ID: <9605151745.AB23065@cti02.citenet.net>

On 14 May 96 at 22:01, blanc wrote:

> From: Hal [on the idea of companies operating fully anonymously]
>
> It might be interesting to make a list of all the problems people
> can think of why this idea won't work, paired with proposed
> solutions and workarounds - sort of a mini FAQ for this important
> (some might say ultimate) cypherpunk model.
> ....................................................................
>
>
> I think this is a much needed discussion - in particular as it
> comes at a time when Uni is "somewhat disconcerted" at the
> defeatist attitude of some cypherpunks and since TCMay is getting
> ready to read us the Cypherpunks Bill of Rights regarding the
> subsidization of other people's cyber existence (heh).
>
> 3 problems which immediately come to mind:
>
> . What if someone, hired on one occasion but fired at another,
> decides in anger to "turn coat" and report everyone to the IRS (or
> other fine government agency)?
>
> . What if a company does not pay as expected - other than adopting
> Assassination Politics, what method could an employee use towards
> getting their expected remuneration for work done?

The nature of anonymity, IMO, precludes any legal mechanism since the anonymity structure was established precisely to avoid any legal consequences.

Here, I might be tempted to differentiate between two cases:
1) the entity who wants to get out of the reach of the governmental system
2) the entity who wants to get out of the reach of everybody (to con others)

The only problem is, how will you differentiate between 1) and 2) *before* a conflict arises?

The involved party would then have to resort to use some sort of unofficial tribunal.
It would create a set of parallel law system, and as much of them as there would be groups doing business together.

Again, depending on the context, AP might very well be the only solution or be no workable solution at all. But here, I think that AP would be the single most important factor ruling the socio-economical behavior of individuals or entities in the world.

It already works that way in many countries of the world, especially in South America. In many places, you don't screw around too much or you get killed. As a friend of mine who lived in the jungle told me "if a guy fools around with your wife, you just shut up and take it, but if a guy fools around with your girlfriend, you have the sorcerer mix you a beverage... One of my friends had one and he died within ten days..."

He said: "This system might very well go against our common moral principles, but in these places, you can leave anything on the public place for several days and when you come back, it'll still be there. In these countries, when you give your word, it *is* binding. Most business deals are simply verbal and there is an astonishingly low level of defaulting on them. Those who tend to default dishonestly tend very much to die quickly. In those countries, no con man ever survives."

> . Wouldn't everyone need to have two jobs (or source of regularly
> accepted cash), in order to be able to pay for services where
> suppliers do not accept virtual cash transactions? (TCM has
> mentioned before about the need to pay for some things in tiny
> quantities - like quarters for a phone call, etc.)

Any physical currency can be made traceable (put a chemical or radioactive tracer or a zillion other tricks...)

JFA

PLEASE NOTE: THIS POST DOES NOT MEAN THAT I ENDORSE MR. BELL'S SYSTEM.
MY RATIONAL CONCLUSIONS ABOUT ITS INTERNAL MECHANICS AND ITS
INTRINSIC LOGICS DOES NOT MEAN THAT I LIKE NOR ENDORSE THE SYSTEM.
I SIMPLY CONCLUDED THAT IT IS IMPOSSIBLE TO PREVENT THE SYSTEM FROM
BEING IMPLEMENTED.
IMO, IT IS UNAVOIDABLE.

DePompadour, Societe d'Importation Ltee
   Limoges porcelain, Silverware and mouth blown crystal glasses

JFA Technologies, R&D consultants.
   Physicists, technologists and engineers.

PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891

From ses at tipper.oit.unc.edu Wed May 15 22:28:53 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Thu, 16 May 1996 13:28:53 +0800
Subject: distributed keys
In-Reply-To: <199605151447.OAA17650@rebound.slc.unisys.com>
Message-ID:

On Wed, 15 May 1996, Matt Smith wrote:

>
> - Having a certifying node which every other node has the public key to and
>   who has everyone else's public key. Requests are made of this server.
>   The trick is making this server secure and forcing the user to devote
>   resources to this endeavour.

This is the usual approach; if you use certificates, the private key for the certification agency doesn't have to be (and shouldn't be) accessible online; thus, even if the machine serving the certificates is compromised, Mallet won't be able to issue false certificates.

---
Cause maybe (maybe)                   | In my mind I'm going to Carolina
you're gonna be the one that saves me | - back in Chapel Hill May 16th.
And after all                         | Email address remains unchanged
You're my firewall -                  | ........First in Usenet.........

From pjb at ny.ubs.com Wed May 15 22:34:50 1996
From: pjb at ny.ubs.com (Paul J. Bell)
Date: Thu, 16 May 1996 13:34:50 +0800
Subject: Fingerprinting annoyance
Message-ID: <9605151843.AA27573@sherry.ny.ubs.com>

Sometimes it has nothing to do with the employer. For example, for those of us who work on Wall Street, that is to say, in the financial services industry, the SEC requires that all employees submit to a background check, drug test and fingerprint check (National Agency Check) before you can be hired. Failure to require these checks, and to refuse employment to those that don't pass these tests, results in a very large fine for the employer.
This is not a one-time thing. You must undergo these tests every time you change jobs, even when moving from one firm to another in the same business.

Many of us find this an onerous process, but for the compensation, (top grade Sys Admins and developers can make >$250,000 per year), many of us put up with it. This, BTW, does not apply just to traders, etc, but to everyone.

Not only must you put up with all this bull shit, but you must also deal, on a daily basis, with some of the biggest assholes on the face of the earth. Suffering fools is just the beginning.

We do it all for, $$$, of course. As someone once said, we are all whores, it's just a matter of determining our price.

Cheers,
-paul

> From cypherpunks-errors at toad.com Wed May 15 03:05:51 1996
> Date: Mon, 13 May 1996 22:28:38 -0700
> X-Sender: tcmay at mail.got.net
> Mime-Version: 1.0
> Content-Type: text/plain; charset="us-ascii"
> To: cypherpunks at toad.com
> From: tcmay at got.net (Timothy C. May)
> Subject: Re: Fingerprinting annoyance
> Sender: owner-cypherpunks at toad.com
> Content-Length: 3095
>
> At 6:26 PM 5/13/96, Mark O. Aldrich wrote:
> >On Mon, 13 May 1996, Senator Exon wrote:
> >
> >
> >> i can fill out and manipulate the card myself i just need a
> >> working method.
> >> is there no privacy advocate who can help me?
> >>
> >
> >I think most privacy advocates would advise, "Refuse to submit." It
> >sounds like you're looking for more of a hack on the fingerprinting process.
>
> And if you are working for me, and I ask for a fingerprint, and you refuse
> or "smear" the results (repeatedly, as the first smearing I may just take
> as your token protest and have you printed again), you'll be out the door
> by the end of the day.
>
> (Personally, I've never worked for a company which demands fingerprints,
> but I've worked for companies which demanded ID badges and signatures, and
> these are effectively as intrusive.
> And I suspect that my former employers
> are now using thumbprints, and maybe full prints.)
>
> What one "doesn't like" and considers an "invasion of privacy" varies from
> person to person. Some people think having their picture taken is a
> stealing of their soul. Others fear nefarious things will be done with the
> DNA from their blood samples.
>
> Trying to convince a company that photo ID badges and fingerprints are Bad
> Things is perhaps admirable, just realize that in a free society that
> employer is under no obligation to hire someone who refuses to go along
> with the company's security policies. (This relates to the "civil rights"
> thread.)
>
>
> >of like a key certificate. If you really can dork the card, have ten
> >different people volunteer one print each. There's no way that they'll
> >ever be able to use that as evidence in a court or for any other purpose,
> >either.
>
> A stupid idea. As the employer, I wouldn't have to prove it in a court of
> law...suspicion alone that some of my employees were fucking up a security
> system might be enough for me to either a. promote them to the Tiger Team,
> or b. fire their asses.
>
> (I just can't understand where this pervasive meme is coming from here on
> this list, the notion that employers are severely limited in what they can
> do to employees unless they can "prove it in court." Like it or not, most
> employees in the United States are still employed "at will," and are not
> covered by employment contracts such as some executives and the like get.)
>
> >If you're forced to do this in person with a tech, you can continuously
> >"fight" the grip they have on your hand and smudge the card. However,
>
> Sure. It makes it easy for the employer to simply say "Next candidate."
>
>
> --Tim May
>
> Boycott "Big Brother Inside" software!
> We got computers, we're tapping phone lines, we know that that ain't allowed.
> ---------:---------:---------:---------:---------:---------:---------:----
> Timothy C. May               | Crypto Anarchy: encryption, digital money,
> tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
> W.A.S.T.E.: Corralitos, CA   | knowledge, reputations, information markets,
> Licensed Ontologist          | black markets, collapse of governments.
> "National borders aren't even speed bumps on the information superhighway."
>

From jf_avon at citenet.net Wed May 15 22:42:18 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Thu, 16 May 1996 13:42:18 +0800
Subject: (Fwd) Mail Delivery Failure.
Message-ID: <9605151817.AA25239@cti02.citenet.net>

On 14 May 96 at 19:35, Timothy C. May wrote:

> (This is having yet another interesting side effect: the wealthy who
> can afford digital DSS dishes are suddenly very uninterested in
> local cable problems, and the impetus for improvement is lost.
> Obviously the "poor" are then left with a decaying, outmoded
> infrastructure. Even as a Darwinian, I have to feel for them. They
> got sold a bill of goods, about how awarding "the franchise" to TCI
> or Sonic or Galactronic Cable would result in "universal access,"
> and now they're stuck.)

Hey Tim, where are your bandwidth-saving manners? You should simply have said: "You asked for it, brother..." ? ;-)

Regards!

JFA

DePompadour, Societe d'Importation Ltee
   Limoges porcelain, Silverware and mouth blown crystal glasses

JFA Technologies, R&D consultants.
   Physicists, technologists and engineers.

PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891

Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have accepted
the above mentioned terms.

From rpowell at algorithmics.com Wed May 15 22:42:26 1996
From: rpowell at algorithmics.com (Robin Powell)
Date: Thu, 16 May 1996 13:42:26 +0800
Subject: (Fwd) New Anonymous Remailer
In-Reply-To: <199605151619.LAA21672@cdale1.midwest.net>
Message-ID: <96May15.164558edt.20485@janus.algorithmics.com>

Allow me to be the first (I hope) to point out stupidity:

>>>>> "David E. Smith" writes:

> ------- Forwarded Message Follows -------
> From: privacy at interlink-bbs.com
> Subject: New Anonymous Remailer
> Date: Wed, 15 May 1996 06:34:02 GMT
> To: info-pascal at ARL.MIL
                      ^^^^^^^
Do we see a problem here? No? Then read on...

> You may be familiar with anon.penet.fi, which give you an
> anonymous account.
> Our service allows YOU to choose what the return address will be!
> Please write for more info.

Well, well, well. Let's see: Yes, we are familiar with anon.penet.fi... And all of the better options available. Yes, we have pseudonymous accounts. No, we will not write for more info. Why not? Gee, maybe because you are posting to a group that advocates strong privacy, something that the US gov't has always frowned upon? Maybe because you're asking us to respond to a .mil site with an obviously contrived address? Are .mil sites not US military? I think so. Where do some people get off?

-Robin

PS: If .mil sites are, in fact, some country code, please ignore this message and do not propagate the thread. If you feel you must flame, send it to me directly.

From jimbell at pacifier.com Wed May 15 22:44:16 1996
From: jimbell at pacifier.com (jim bell)
Date: Thu, 16 May 1996 13:44:16 +0800
Subject: Past one terabit/second on fiber
Message-ID: <199605151935.MAA15182@pacifier.com>

At 10:44 AM 5/15/96 CDT, Daniel R. Oelke wrote:
>> "Wow", I said. Far faster than the 2.5 Gb/sec transmission that is
>> currently fairly standard for long-haul fiber trunks.
>
>The ads say they are selling it - that doesn't mean shipping it... yet
>at least.
>(Note that my employer is a direct competitor of Lucent
>so I have a vested interest in setting the facts straight)

Yes, I should clarify that the article indicated that the whole system will be available in the "second quarter of 1996." They say the fiber itself, "TrueWave" is available now.

>
>> I wasn't prepared, however, for page 38, in an article titled "Research
>> Teams Achieve 1 Trillion bits a Second." In fact, three separate groups did
>> this. I copy the article below.
>
>Yes - this is still very much a lab situation only though.
>It will be quite a few years before we hit that in real systems.

True. In fact, it may be that we simply don't need that rate of transmission yet. Maybe somebody familiar with routers can tell us what kind of CPU horsepower would be required to do that effectively. Economics dictates that such an extraordinarily fast and multiplexed system would only be used when it is cheaper than the alternative, using multiple lower-speed fibers.

If anything, I think the main impediment to the use of the higher rates is the fact that fiber signals must be broken down wherever the fiber is terminated, and the cost of that termination would be astronomical if it had to handle 1 Tb/s. Chances are good that one of the few places that such a system would be economical would be long-haul undersea cables where breakouts are rare and terminations are few.

>> Even if we only consider that 20 Gb/second fiber from Lucent, that is
>> equivalent to about 300,000 simultaneous voice calls.
>
>An OC48 signal (~2.5 Gb/sec) will handle 48 T3's or 48 * 672 voice calls.
>Multiply by 8 for 20 Gb/second and you get 258048 voice calls.
>Pretty close to 300k I guess.

I was figuring they'd cut out silences...as well as echo-suppression cutouts. Do they still do this? Given modern fiber's capacity, I wonder if they bother.

>I don't know that any number fiber cable is "standard" but
>36-fiber cable is not unusual.
>To find the capacity of a cable, you
>have to cut the number of fibers in half (as you did) because
>generally each fiber is used only for a single direction of traffic.
>You then have to cut it in half again because phone companies have
>everything redundant. So, for a connection between two cities,
>there are generally 2 cables in different locations (so one backhoe
>doesn't get both), with on average only 1/2 the fibers in each carrying
>paying traffic.

There's also a lot of 'dark fiber' out there, right? Fiber laid as part of a cable but not activated, because it's not yet needed.

I got a look at a segment of the operation that laid a cable from Seattle (Vancouver BC?) to around San Francisco, about 5 years ago. Got a chance to talk to an engineer, and ask a bunch of technical questions. They laid three smaller (2" or so) plastic tubes in a larger outer tube, and the engineer said they'd later blow a cable through a single tube with compressed air. He said they had no current plans to fill the other two tubes, because of lack of need. And at the rate the fiber companies are improving transmission rates, it is unclear whether they will ever run out of capacity in such situations.

>> If we assume that the fiber cable costs $1/meter per fiber, and the cost of
>> trenching, burial, and interconnects raise this to $10/meter/fiber, and if
>> we generously assume that the average LD call goes 3000 miles (5,000,000m),
>> that call occupies 1/150,000th of a $50 million fiber for a few minutes. If
>> we suppose that the fiber has to gross $100,000,000 per year to pay for
>> itself, and even if it's only operating at an average 10% load level (both
>> assumptions are pessimistic), that only works out to a cost of 1.3 cents per
>> minute per call. That's why these LD phone companies are so scared: If we
>> can transmit Internet on fiber, that fiber can accept this extra traffic at
>> very low marginal cost.
>
>I can't vouch much for your cost numbers - other than to apply the
>factor of 2 adjustment noted above.

My numbers are not totally a WAG (wild-ass guess) but they are probably out of date even if they had any resemblance to the truth a few years ago. I'd appreciate hearing more accurate figures if you know them. Don't divulge company secrets or anything; I'm only interested in ballpark figures for the industry as a whole.

> I would add that much of a
>phone companies cost is in billing and customer service, etc.
>Not the cost of installing and maintaining the fiber and equipment.

This suggests that there would be a market for a LD phone company that charged, say, a yearly payment of $200-300 for essentially unlimited use. (The main impediment to this would be regulatory; as I understand it LD companies have to pay local telco's for connections on a per-minute connect basis. Is that right? This needs to get fixed.) Their billing costs would be very small.

>Internet telephony should make the use of bandwidth even more
>efficient - thereby cutting costs. The big guys who own
>the fibers will still make money - the pipes that carry internet
>traffic are still needed. But the little guys will get squeezed out.
>(until they become ISPs ;-). Internet traffic could theoretically
>be carried over this large amount of protection fiber (mentioned above)
>that is out there for a much lower marginal cost than the current
>T3 or OC3 pipes that are being used. The only "problem" being that these
>are lower priority channels, so that if a failure occurs anywhere,
>the traffic on them is dropped. Most customers are demanding
>high uptimes so much that the idea of a very low cost,
>but much less reliable service hasn't caught on yet.

I think the market will have to migrate towards such services. A backup fiber is an asset whose capacity can be easily "mined" for a substantial payback.
True, its availability is not particularly reliable, but that's exactly what the Internet was intended to be able to use, right? I suspect that the real reason Internet hasn't migrated to such transmission systems is simply that its needs still don't demand anywhere close to the current-available fiber technology. However, if traffic is tripling per year we'll need to see a substantial migration to full-fiber links within 3-5 years.

Jim Bell
jimbell at pacifier.com

From frantz at netcom.com Wed May 15 23:24:30 1996
From: frantz at netcom.com (Bill Frantz)
Date: Thu, 16 May 1996 14:24:30 +0800
Subject: Why does the state still stand:
Message-ID: <199605152154.OAA24839@netcom8.netcom.com>

At 1:04 PM 5/15/96 -0400, Black Unicorn wrote:
>On Tue, 14 May 1996, blanc wrote:
>
>> From: Hal [on the idea of companies operating fully anonymously]
>>
>> It might be interesting to make a list of all the problems people can
>> think of why this idea won't work, paired with proposed solutions and
>> workarounds - sort of a mini FAQ for this important (some might say
>> ultimate) cypherpunk model.
>> .....................................................................
>>
>> I think this is a much needed discussion - in particular as it comes at a
>>time when Uni is "somewhat disconcerted" at the defeatist attitude of some
>>cypherpunks and since TCMay is getting ready to read us the Cypherpunks Bill
>>of Rights regarding the subsidization of other people's cyber existence
>>(heh).
>>
>> 3 problems which immediately come to mind:
>>
>> . What if someone, hired on one occasion but fired at another, decides
>in anger to "turn coat" and report everyone to the IRS (or other fine
>government agency)?
>
>The entire organization would clearly have to be double blinded. If this
>can be done for mailing lists (which I believe it can) it can be done for
>corporations too. The real trick is getting the costs of anonymous (and I
>mean secure anonymous) communications low enough.

If all you need to do is beat the cost of commuting 20 miles/day, no problem.

>> . What if a company does not pay as expected - other than adopting
>> Assassination Politics, what method could an employee use towards
>> getting their expected remuneration for work done?
>
>If payment is made weekly, it should be made in advance to an escrow agent
>who would issue a certificate that the payment for employee r2dd54 has
>been received. The payment would then not be released to anyone without
>the consent of the corporation and the employee.
>
>Obviously the escrow agent would have to be trusted.
>
>...
>
>Even if a payment gets hung up in a dispute, it's only for a week.

You could require daily payment and forgo the escrow agent. (Assuming you are willing to risk a day's pay as an experiment in reputation.)

Note that AP won't work if everyone is anonymous because you won't have a target.

What may be a problem for such a company is a social problem. All the creative groups I have worked with have had close personal relations. (Although they have not had wide agreement on significant non-work subjects!) I don't know if good, creative, group-produced products can be built without such a relationship. Does anyone know of an example of such a product from an "anonymous" environment?

------------------------------------------------------------------------
Bill Frantz         | The CDA means  | Periwinkle -- Computer Consulting
(408)356-8506       | lost jobs and  | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From vipul at pobox.com Wed May 15 23:31:53 1996
From: vipul at pobox.com (Vipul Ved Prakash)
Date: Thu, 16 May 1996 14:31:53 +0800
Subject: Securing CDROM from piracy
Message-ID: <199605142323.EAA00118@fountainhead.net>

We have developed a multimedia resource that will be cut on a CD-ROM for retailing. Since we don't have our own distributors network we will be collaborating with another firm for distribution.
Is there any way of making sure that the guy doesn't pull a fast one on us? Can we ensure that he cannot duplicate the thing and start selling it without sharing the profit. Or alternatively is there any protocol we could follow that will ensure a fair game?

Vipul

--
      .od8888bo.                                \|/
   .d%::::88::888b.                            (@ @)
 .d888::::::::8:888%.   ------------------oOO-(_)-OOo-----------------
 88888:::::::88888::%.  You walk across with your flowers in your hand
d888888:::88;888888::b  Trying to tell me no one understands
888888888:888888888888  Trade in your hours for a hand full of dimes
Y8888888::::::888888%P  Gonna make it baby in our prime.
'8888888:::::::8888:%'  ----------------------------------------------
 '88888888:::888888%'   Vipul Ved Prakash  Fax : +91-11-3328849
  '8888888::88888%'     Positive Ideas.    Internet : vipul at pobox.com
    '"Y88%B8P"'         ----------------------------------------------

From jf_avon at citenet.net Thu May 16 00:32:47 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Thu, 16 May 1996 15:32:47 +0800
Subject: Why does the state still stand:
Message-ID: <9605152158.AA06933@cti02.citenet.net>

On 15 May 96 at 17:32, Black Unicorn wrote:

> I disagree. The key is prior or on site clearing. Anonymous
> businesses will have to depend more on reputation, and even
> reputation has its limits when it comes to parties that obviously
> have no accountability at all.
>
> Participants in such a market will have to be wary of the "last
> shot" or "last round" problem. (Specifically that one party to the
> transaction may no longer wish to participate in the market, and not
> need to and thus is free to screw the market, "cash in" his
> reputation and retire on the proceeds as a result.)
>
> Still, escrows or multiple escrows will be the answer here.
> > Again, depending on the context, AP might very well be the only
> > solution or be no workable solution at all.
>
> Now, tell me how AP is a solution if everyone in the corporation is
> double blinded?
> Who do anonymous parties put out betting pools on?

Agreed. I just supposed there might be some of the involved entities that are not totally anonymous. I don't think that you'd deliver completely anonymously a bulldozer or any other physical goods to some "anonymous" address. Somehow, if the transaction involves anything physical, there is potential for an anonymity breach.

> > Any physical currency can be made traceable (put a chemical or
> > radioactive tracer or a zillion other tricks...)
>
> And so? Because I possess or have received cash from someone does
> not mean that it is mine, nor that I earned it, nor that I am not
> merely holding it, nor that I am not acting as trustee.

Agreed too. But still, it might attract troublemakers.

> Income tax and currency taxes depend on realization events. Even in
> the strictest sense, realization is a thin and vague concept.

Since I am not a lawyer, would you care to elaborate a bit more on that?

> Your only remaining option is to tax possession of currency. Good
> luck.

Why? Don't they already do that through Tax on Capital?

> Again, who are you going to kill?

Nobody. I thought that through your long law studies, you did learn to read... Or is it my English that is too imperfect?

Dear Unicorn, what in the hell makes you conclude that my "disclaimer" means that I am going to kill somebody? I just say that after having turned the idea around for some time, I see it as ineluctable that *some* groups will implement it. Just bring me *one* single fact of reality that will show me that it is not possible to implement and you will have made my day. Even if it is implemented for any entirely wrong reason, I do not think that we can prevent its implementation.

BTW, since I was off from CPunks for a while, would you please tell me if you published the suite of your writings on assets concealment? I would then proceed to get it from the archives if it was published.

Regards.
JFA DePompadour, Societe d'Importation Ltee Limoges porcelain, Silverware and mouth blown crystal glasses JFA Technologies, R&D consultants. Physists, technologists and engineers. PGP keys at: http://w3.citenet.net/users/jf_avon ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891 Unsollicited commercial e-mail will be proofread at US165 $/h Any sender of such material will be considered as to have ac- cepted the above mentionned terms. From jamesd at echeque.com Thu May 16 00:34:22 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Thu, 16 May 1996 15:34:22 +0800 Subject: SEVERE undercapacity, we need more remailer servers FAST Message-ID: <199605152129.OAA17878@dns2.noc.best.net> At 10:58 AM 5/15/96 -0700, Hal wrote: > The problem that I think the Scientology postings raise is that the > remailers cannot really be used to post copyrighted material. The major battle the net has faced is with the church of scientology. In this battle the net is clearly in the right, and the church clearly in the wrong, regardless of what copyright law says. Retreat on this issue would be politicaly inadvisable, for it would radically weaken us in the next battle, which will doubtless concern much more vital matters than a band of con men. What do I need to do to support a remailer that posts to non binary newsgroups? (I do not have root control on a unix machine other than my employers machine, for which I am unlikely to receive approval to use in this fashion.) --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From furballs at netcom.com Thu May 16 00:36:40 1996 From: furballs at netcom.com (Paul S. 
Penrod)
Date: Thu, 16 May 1996 15:36:40 +0800
Subject: Fingerprinting annoyance
In-Reply-To:
Message-ID:

On Tue, 14 May 1996, Black Unicorn wrote:

> On Mon, 13 May 1996, Paul S. Penrod wrote:
>
> > On Mon, 13 May 1996, Mark O. Aldrich wrote:
> >
> > > On Mon, 13 May 1996, Senator Exon wrote:
> > >
> > > > i can fill out and manipulate the card myself i just need a
> > > > working method.
> > > > is there no privacy advocate who can help me?
>
> [...]
>
> > > If you're forced to do this in person with a tech, you can continuously
> > > "fight" the grip they have on your hand and smudge the card. However,
> > > they'll not submit the card until the prints are "good," so this sort of
> > > betrays your intent of at least appearing to cooperate with them. In the
> > > law enforcement community, they are taught how to take prints by force
> > > but it's unlikely that your tech will attempt any such technique.
> >
> > I know of no such instance (other than some informal "fingerprint the
> > kiddies for safety" schtick) where it's a do-it-yourself operation.
>
> Not _technically_ perhaps. But in most cases it's a
> go-down-to-the-police-station-and-have-them-sign-the-card operation. Who
> is it that can tell a random signature from a police signature exactly?
> Like I said, standard print cards are available at the GPO.

That's fine, but tell me it's going to play at the clearance level...It won't.

> > While the methods listed are clever, they and many other finaglings are
> > the main reason it's done in the "light of day" by a tech.
>
> Or _theoretically_ done in the light of day by a tech.
>
> > > You can mutilate the tips of your fingers so that prints cannot be
> > > acquired, but this hurts. Badly.
> >
> > Doesn't always work. Partials can be extrapolated to yield a relative match.
>
> Depends on what you are looking to do. If your goal is to deter random
> searching through a national database, mutilation will probably be very
> effective.
> If they have the prints of the murderer (you) and you're a
> suspect, mutilation aside from actually removing the fingers isn't going
> to do anything.

If there is a serious crime involved, partials are sufficient to make the "guest list" if there are other mitigating factors to even suspect you might be involved. That doesn't mean you'll make it to the top, but it can certainly cause some painful scrutiny.

> > > You could get some false latex coverings for your finger tips, but they'd
> > > have to be damn good to fool a tech. Likely to cost big bucks, too.
> >
> > Won't work. The hands are checked first for signs of tampering.
>
> See above about tech end around.

Again, process will work, but not allowed in context of clearance.

> > > I know of no chemical or physical "pre-treatment" that can be used to
> > > hack the ink transference process. Perhaps one of the chemists here on
> > > the list might know of some good technique.
> >
> > Pineapple juice and other weak acidic substances ruin the ridges on the
> > finger tips causing them to smear or not show at all. Unfortunately, this
> > takes a period of time and constant handling of such items.
>
> This is interesting. I suspect that you'd have to have major damage to
> the ridges however.
>

There needs to be sufficient damage to the ridges by some chemical or mechanical means (sand paper, concrete, brick, etc.) to remove the distinguishing ridges, and not replace them with a traceable pattern of any kind. Scraping the fingertips runs the risk of leaving trace marks that are just as good as the ridges you tried to remove - even better if you've left finger prints as a result.

The point to the game is not to search any database, but to produce a verifiable match with evidence at the scene of any crime. In the case of a clearance, it is to start or validate an identification process.
If validation is unobtainable via fingerprints, then the issuing body can employ other means (such as retinal scans) or deny clearance altogether.

...Paul

From frissell at panix.com Thu May 16 00:39:51 1996
From: frissell at panix.com (Duncan Frissell)
Date: Thu, 16 May 1996 15:39:51 +0800
Subject: SS Follies
Message-ID: <2.2.32.19960515204207.00750b30@popserver.panix.com>

At 01:49 PM 5/15/96 -0400, Black Unicorn wrote:
>
>Not to mention that an SS# is not required to receive a U.S. Passport.

Also, even native born US citizens may hold other passports.

From unicorn at schloss.li Thu May 16 00:39:55 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Thu, 16 May 1996 15:39:55 +0800
Subject: Why does the state still stand:
In-Reply-To: <9605151745.AB23065@cti02.citenet.net>
Message-ID:

On Wed, 15 May 1996, Jean-Francois Avon wrote:

> On 14 May 96 at 22:01, blanc wrote:
>
> > 3 problems which immediately come to mind:
> >
> > . What if someone, hired on one occasion but fired at another,
> > decides in anger to "turn coat" and report everyone to the IRS (or
> > other fine government agency)?
> >
> > . What if a company does not pay as expected - other than adopting
> > Assassination Politics, what method could an employee use towards
> > getting their expected remuneration for work done?
>
> The nature of anonymity, IMO, precludes any legal mechanism since the
> anonymity structure was established precisely to avoid any legal
> consequences.
>
> Here, I might be tempted to differentiate between two cases:
> 1) the entity who wants to get out of the reach of the governmental
> system
> 2) the entity who wants to get out of the reach of everybody (to con
> others)
>
> The only problem is, how will you differentiate between 1) and 2)
> *before* a conflict arises?
>
> The involved party would then have to resort to use
> some sort of unofficial tribunal.
> It would create a set of parallel
> law system, and as much of them as there would be groups doing
> business together.

I disagree. The key is prior or on site clearing. Anonymous businesses will have to depend more on reputation, and even reputation has its limits when it comes to parties that obviously have no accountability at all. Participants in such a market will have to be wary of the "last shot" or "last round" problem. (Specifically that one party to the transaction may no longer wish to participate in the market, and not need to and thus is free to screw the market, "cash in" his reputation and retire on the proceeds as a result.) Still, escrows or multiple escrows will be the answer here.

> Again, depending on the context, AP might very well be the only
> solution or be no workable solution at all.

Now, tell me how AP is a solution if everyone in the corporation is double blinded? Who do anonymous parties put out betting pools on?

[As AP has been discredited in this application, your argument for it is deleted.]

> > . Wouldn't everyone need to have two jobs (or source of regularly
> > accepted cash), in order to be able to pay for services where
> > suppliers do not accept virtual cash transactions? (TCM has
> > mentioned before about the need to pay for some things in tiny
> > quantities - like quarters for a phone call, etc.)
>
> Any physical currency can be made traceable (put a chemical or
> radioactive tracer or a zillion other tricks...)

And so? Because I possess or have received cash from someone does not mean that it is mine, nor that I earned it, nor that I am not merely holding it, nor that I am not acting as trustee. Income tax and currency taxes depend on realization events. Even in the strictest sense, realization is a thin and vague concept. Your only remaining option is to tax possession of currency. Good luck.

> JFA

[...]

> THE SYSTEM FROM BEING IMPLEMENTED. IMO, IT IS UNAVOIDABLE.

Again, who are you going to kill?

>
> DePompadour, Societe d'Importation Ltee
> Limoges porcelain, Silverware and mouth blown crystal glasses
>
> JFA Technologies, R&D consultants.
> Physicists, technologists and engineers.
>
> PGP keys at: http://w3.citenet.net/users/jf_avon
> ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891
>

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From jamesd at echeque.com Thu May 16 01:02:35 1996
From: jamesd at echeque.com (jamesd at echeque.com)
Date: Thu, 16 May 1996 16:02:35 +0800
Subject: Why does the state still stand:
Message-ID: <199605152108.OAA16104@dns2.noc.best.net>

"James A. Donald " is alleged to have written:
> > Existing forms of ecash are costly and inconvenient, hence unsuitable
> > for spending in tiny quantities.

At 10:59 PM 5/15/96 +0200, bryce at digicash.com wrote:
> Excuse me? Here James, have a penny.

I see I am out of date. I guess it is time to sign up with the Mark Twain bank.

---------------------------------------------------------------------
                                        |
We have the right to defend ourselves   | http://www.jim.com/jamesd/
and our property, because of the kind   |
of animals that we are. True law        | James A. Donald
derives from this right, not from the   |
arbitrary power of the state.           | jamesd at echeque.com

From lyalc at ozemail.com.au Thu May 16 01:03:46 1996
From: lyalc at ozemail.com.au (Lyal Collins)
Date: Thu, 16 May 1996 16:03:46 +0800
Subject: Java & signed applets
In-Reply-To: <01I4PWRN40EO8Y5DM8@mbcl.rutgers.edu>
Message-ID: <319B436D.507E@ozemail.com.au>

Signing anything is somewhat a waste of time, unless the verification software is highly trusted, and there is good integrity/authenticity control of the root public key(s).
So, in general - ho hum - until trusted hardware is available on the desktop.

lyal
--
All mistakes in this message belong to me - you should not use them!

From bryce at digicash.com Thu May 16 01:03:47 1996
From: bryce at digicash.com (bryce at digicash.com)
Date: Thu, 16 May 1996 16:03:47 +0800
Subject: Why does the state still stand:
In-Reply-To: <199605151707.KAA25775@dns2.noc.best.net>
Message-ID: <199605152059.WAA10819@digicash.com>

The entity who calls itself "James A. Donald " is alleged to have written:
>
> Existing forms of ecash are costly and inconvenient, hence unsuitable
> for spending in tiny quantities.

Excuse me? Here James, have a penny.

That took me all of about 5 seconds. If you had Mark Twain ecash it would take you less time to accept that penny than it takes you to read "----BEGIN ECASH PAYMENT-----" with your slow human eyes.

Regards,

Bryce

P.S. That is my "lucky penny"! It was given to me by Lucky Green when he was working for Mark Twain Bank and I was establishing my cybershop. We used it to test my shop. If nobody takes it (it is marked so that anyone can pick it up, not just James), I'm taking it back in a day or two.
From root at edmweb.com Thu May 16 01:15:55 1996
From: root at edmweb.com (Steve Reid)
Date: Thu, 16 May 1996 16:15:55 +0800
Subject: Why does the state still stand:
In-Reply-To: <01BB41E0.DE17C4C0@blancw.accessone.com>
Message-ID:

> What if someone, hired on one occasion but fired at another, decides in
> anger to "turn coat" and report everyone to the IRS (or other fine
> government agency)?

They can't, if the company doesn't use True Names.

> What if a company does not pay as expected - other than adopting
> Assassination Politics, what method could an employee use towards getting
> their expected remuneration for work done?

This is a serious problem... An employee could, of course, state his/her case to Usenet and other places and bring down the reputation of the company. Problem is, would people believe him/her? And if people would believe, what's to stop someone from deciding to "turn coat" like you said above, except instead of reporting to the IRS, they spread lies to the world? Assassination Politics won't work if you can't locate the physical person, but reputation assassination would probably be a fairly simple matter.

Another problem with reputations is that people are stuck until they get a good one. A bad rep can always start over. In fact, a person/company can look perfectly nice, but use a different identity for dirty work. Naturally, you'd only trust dealings that involve a "nice" identity. Problem is, young people who are just starting out have a no-reputation identity, and would be treated the same as the no-reputation identities that are used for screwing people over.
Reputations could be very hard to create, and very easy to destroy. Well-known good reputations would be powerful and fairly hard to destroy, so it's possible that the big reputations might try to crush little reputations in an effort to gain some sort of reputation monopoly. Maybe.

> Wouldn't everyone need to have two jobs (or source of regularly accepted
> cash), in order to be able to pay for services where suppliers do not
> accept virtual cash transactions? (TCM has mentioned before about the need
> to pay for some things in tiny quantities - like quarters for a phone
> call, etc.)

This is not a problem. I believe some of the ecash banks are already exchanging ecash for physical cash. It's a needed service, so there will always be people willing to do it.

I do not advocate tax evasion or any other illegal activity. I'm just looking through a hazy crystal ball to see one possible future.

=====================================================================
| Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/)
| Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/
| PGP (2048/9F317269) Fingerprint: 11C89D1CD67287E68C09EC52443F8830
| -- Disclaimer: JMHO, YMMV, TANSTAAFL, IANAL. --
===================================================================:)

From EALLENSMITH at ocelot.Rutgers.EDU Thu May 16 01:17:32 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E.
ALLEN SMITH)
Date: Thu, 16 May 1996 16:17:32 +0800
Subject: Why does the state still stand:
Message-ID: <01I4QPUDNJ2S8Y5DBN@mbcl.rutgers.edu>

From: IN%"hfinney at shell.portal.com" "Hal" 15-MAY-1996 00:14:06.38

>I think the intention then is to create "fully anonymous" companies.
>These would be organizations whose principals and employees are known
>only by pseudonyms, even to each other. Their only contact is
>electronic, via an anonymous network. And the employees are paid in
>anonymous ecash, which they don't pay taxes on since it is unreported
>income.

The anonymous network would appear to be a possible weak point. If governments keep shutting down remailers and other such devices, then it won't work. Therefore, I've been doing some preliminary work in this area. My first result is as follows.

One subject that has come up recently is that of remailer operations in countries outside the United States, so as to chain them to produce jurisdictional headaches. The following is a preliminary list of companies and organizations that might be used to run an out-of-US remailer, assuming telnetting to a UNIX shell. In selecting these, I generally excluded: ones in authoritarian countries (e.g., China and Singapore); ones that appear to be government-run; ones where they didn't appear to understand English very well; ones in the European Community (except for a few such as Malta that don't cooperate very well with the European Community); ones that charge for mail volume; and ones that stated they did not run shell accounts. I did not include offshore.com.ai in Anguilla due to its high cost; I consider anything over 25$ a month to be impractical.

_Country/Area_  _Name_                          _Email_
Anguilla        Cable & Wireless                webmaster at candw.com.ai
Antigua         Cable & Wireless                scholla at candw.ag
Barbados        CaribSurf                       webmaster at caribsurf.com
Denmark         cybernet.dk                     info at cybernet.dk
Finland         Clinet Ltd                      clinet at clinet.fi
Finland         Net People Ltd                  helpdesk at netppl.fi
Finland         Xgateway Finland Ltd*           pal at xgw.fi
Iceland         Multimedia Consumer Services    mmedia at mmedia.is
Isle of Man     Advanced Systems Consultants**  info at advsys.co.uk
Jamaica         InfoChannel                     icquery at infochan.com
Liechtenstein   Ping Services                   afink at ping.ch
Liechtenstein   Online Store AG                 webmaster at onlinestore.com
Malaysia        MIMOS                           mal at mimos.my
Malta           maltaNET                        info at maltanet.omnes.net
Sweden          FX AB                           fx at uni-x.se
Sweden          Internet One**                  Support at one.se
Sweden          Kajplats 305                    info at kajen.malmo.se

* = This organization has on its main page a link to a document called the "Declaration of an Independent Internet." It thus may be possible to persuade them to support a remailer at reduced or no charge as part of this.

** = This organization's main page has the EFF blue ribbon, unlike others.

I would appreciate comment on all aspects of this list. These include: additional companies and countries to add; companies or countries to take off (international politics & law is not my subject); and suggestions about where to look for more (it is quite possible that I did not locate all the lists of out-of-US ISPs). Once I have some feedback on which ones to check with, I'll email them and ask about prices (in US dollars), further information on policies, etcetera.
-Allen

From jimbell at pacifier.com Thu May 16 01:28:24 1996
From: jimbell at pacifier.com (jim bell)
Date: Thu, 16 May 1996 16:28:24 +0800
Subject: Past one terabit/second on fiber
Message-ID: <199605152051.NAA21380@pacifier.com>

At 11:10 AM 5/15/96 -0400, brian dodds wrote:
>On Tue, 14 May 1996, jim bell wrote:
>
>> But with
>> fiber transmission probably less than 1/100th the cost of older coaxial
>> transmission systems, per connection, it is unclear why they're even
>> continuing to meter LD phone calls.
>
>especially when 1Tb fiber is in practice - our phone calls will take only
>nanoseconds! :)

Reminds me of an old joke: "This computer's so fast it does an infinite loop in 5 seconds!"

>anything included in that as to why they used a dfb laser for channel 16?
>or is it something obvious i'm missing?

They probably just wanted to establish that it could be done, to show that this wasn't dependent on high-cost laser systems. External cavity lasers raise cost and size substantially, but in a laboratory setting they're the most convenient to use.

>i notice they're still using the encyclopedia/second benchmark..

It's an old habit, I suppose. It's hard to explain "one trillion", at least to non-tech types. A good modern replacement might be to say, "200 CDROM's per second", except that even today most people don't know how much storage a CDROM represents. "16 million one-way phone calls" is also helpful as a benchmark.

Jim Bell
jimbell at pacifier.com

From jamesd at echeque.com Thu May 16 01:36:11 1996
From: jamesd at echeque.com (jamesd at echeque.com)
Date: Thu, 16 May 1996 16:36:11 +0800
Subject: crosspost re remailers
Message-ID: <199605152129.OAA17876@dns2.noc.best.net>

At 10:30 PM 5/14/96 -0700, Rich Graves wrote:
> > I'd have thought that a remailer going down
> > because of political/legal pressure would raise more of a ruckus.

At 11:02 AM 5/15/96 -0700, Bill Frantz wrote:
> I thought the statement that remailers are supposed to be ephemeral
> and common was the answer.

Exactly so: Some nyms are valuable, most are valueless by design. All remailers should be valueless by design.

The penet.fi remailer design is unsatisfactory precisely because penet.fi is valuable, hence a target. If it gets shut down a lot of people lose their nyms, causing much inconvenience.

---------------------------------------------------------------------
                                        |
We have the right to defend ourselves   | http://www.jim.com/jamesd/
and our property, because of the kind   |
of animals that we are. True law        | James A. Donald
derives from this right, not from the   |
arbitrary power of the state.           | jamesd at echeque.com

From EALLENSMITH at ocelot.Rutgers.EDU Thu May 16 01:44:46 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Thu, 16 May 1996 16:44:46 +0800
Subject: Why does the state still stand:
Message-ID: <01I4QRA5NDSG8Y5DBN@mbcl.rutgers.edu>

From: IN%"blancw at accessone.com" "blanc" 15-MAY-1996 03:52:18.03

>. What if someone, hired on one occasion but fired at another, decides
>in anger to "turn coat" and report everyone to the IRS (or other fine
>government agency)?

Well, full anonymity should stop this one from being a problem, although one should still consider topics such as forensic stylometry - if someone squeals and starts keeping messages (plus any earlier kept innocently), it may be possible to figure out who's who from these. I'm currently checking into forensic stylometry; I can see the possibility of programs to run stylometry on one's own email/posting, with suggestions for alternative vocabulary, etcetera when you fall into too much of a pattern.

A related problem is that of government agents signing on. Both of the above are made more acute by the possibility that some information, if revealed, might enable the government to disrupt activities - even if it doesn't enable prosecution.
Making sure that the participants have a strong stake in behaving properly - e.g., shares in the outcome, ecash deposits, and - most importantly in dissuading governmental intervention - reputation riding on it. The last is most important in dissuading governmental intervention because of the reserves of wealth the government is likely to have for some time; they can afford to pay (using your and my tax dollars) for the short-term costs to a subject. Paying for longer-term costs (e.g., the loss of the ability to work due to reputational diminishment) is not as practical, and is usually only done for very important cases (e.g., the Witness Protection Program).

An additional aspect of the last is that if someone has a poor (or no) reputation, you shouldn't trust them with much damaging information or responsibility. If government agents keep blowing various covers, none of their covers will have much reputation capital.

>. What if a company does not pay as expected - other than adopting
>Assassination Politics, what method could an employee use towards
>getting their expected remuneration for work done?

A combination of escrow agencies and reputation capital appears to work here. It does have the problem for escrow agencies that they will either have to be above-board - and thus subject to governmental pressure - or anonymous - and thus not particularly trustworthy until they've built up reputation capital. But how do they build up reputation capital in the first place? Hmm.... what one needs is a way to transfer reputation from a public, identifiable source to a new pseudonymous source. Some cryptographic thought on this idea has been had; I will leave it up to the experts to discuss it.

>. Wouldn't everyone need to have two jobs (or source of regularly
>accepted cash), in order to be able to pay for services where suppliers
>do not accept virtual cash transactions?
>(TCM has mentioned before about
>the need to pay for some things in tiny quantities - like quarters for a
>phone call, etc.)

Intersections between the virtual and regularly accepted cash economies are an interesting subject; Sasha has written about this before on here. Essentially, money-changing is likely to be a significant enough source of profit that someone will be willing to do it.

Now, regularly accepted cash will have the limit that the IRS et al will want to know its source. Thus, one should probably use as little of it as possible, and that only in untraceable ways - investments et al should be done via virtual cash. There is the problem that one has a certain minimal reasonable spending, for the source of which the IRS is likely to look.

-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Thu May 16 01:47:33 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Thu, 16 May 1996 16:47:33 +0800
Subject: Rural Datafication (Was Re: Edited Edupage, 9 May 1996)
Message-ID: <01I4QQHYPQUY8Y5DBN@mbcl.rutgers.edu>

From: IN%"tcmay at got.net" 15-MAY-1996 02:31:15.60

>A consequence is that many customers leapfrog right over local cable and go
>directly for satellite dishes. While the local community cable systems and
>their government partners could (and did) keep out other cable competitors,
>this became less and less possible with satellite dishes. Zoning laws were
>used to limit BUDs (Big Ugly Dishes, the big 8-foot and larger C-band
>dishes). But as the Ku-band dishes (mentioned favorably in my 1988 Crypto
>Anarchist Manifesto, interestingly enough) became available, even the most
>restrictive zoning ordinances became unenforceable....dishes could be in
>attics, on balconies, even covered with fake boulders!

The courts are also (sensibly) seeing zoning laws attempting to outlaw such small dishes as being completely ridiculous.

>In my own case, I skipped cable and installed a DSS dish...150 or more
>channels, at least 20 movies on at any given time (not even counting the
>Pay Per View movies, of which there are at least 30-40), financial news,
>CNN, etc. Plus, a digital output connector for (Real Soon Now, they claim)
>a PageSat-type Usenet and Web page feed, using phone links for the back
>link. I submit this as an example of where the free market is providing a
>better solution than "community access cable" did. In fact, the
>socialization of cable held cable back.

I've gone even farther than that - I don't bother with having a TV, I just get my info from the net. There is the problem with the satellite net links that it tends to concentrate data production & distribution into relatively few hands, from which it can easier be taken by government and other forces. Larger corporations, despite the influence their size gives them, can be easier to pressure than the small ones. Look at Compuserve in Germany, for instance - they were having pressure from Christian Coalition types, etcetera, and used the German investigation as an excuse.

On the other hand, this is also a very good argument against rural subsidies being necessary - if people want net access and are educated and smart enough to afford it (and thus be able to use it properly), they can get it even if they're in the wilds of Montana.

-Allen

From frantz at netcom.com Thu May 16 02:00:38 1996
From: frantz at netcom.com (Bill Frantz)
Date: Thu, 16 May 1996 17:00:38 +0800
Subject: Edited Edupage, 9 May 1996
Message-ID: <199605152049.NAA18081@netcom8.netcom.com>

At 12:11 PM 5/15/96 -0400, Perry E. Metzger wrote:
>As long as this is now CypherCesspit and not CypherPunks, I might as
>well play the game.

I've been trolled too.

>Perhaps it's this sort of thing, and the fact that the literacy rate
>was higher BEFORE public education, that lead me to believe that we
>don't need any more "assistance" from the friendly neighborhood
>government. We need less, a lot less, and as fast as possible.

Since I am basically conservative (small c, original meaning), I always look for ways to ease into change. In the case of public schools (and specifically in California), I see that the top 10% can stand proudly next to the best of the private schools, and the bottom 10% are cesspools. We should start by issuing education vouchers to the parents of students in the bottom 10% of the schools for the state aid their districts would have otherwise gotten. We can monitor indicators such as the juvenile crime rate and standardized tests to see how the experiment is progressing.

If the experiment is wildly successful, it will be extended quickly by popular demand. If it is mildly successful, it should be extended to more schools, but more slowly (perhaps the lowest 25% next), and monitored. In any case, when it reaches the top 10%, it ain't broke, schools, they will have had time to adapt to the change in funding.

I should note that if I were sending my children to primary/secondary school today, I would still send them to the local public schools in Los Gatos.

>Do you prefer using the U.S. Postal Service, or Federal Express when
>you absolutely positively have to get the package there?

Actually I use the USPS. They deliver to places I have to send things that FX does not (Some rural parts of the USA). However, since I am not sending life-saving medicine, I really don't "absolutely positively have to get the package there".

------------------------------------------------------------------------
Bill Frantz          | The CDA means  | Periwinkle -- Computer Consulting
(408)356-8506        | lost jobs and  | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From mccoy at communities.com Thu May 16 02:45:42 1996
From: mccoy at communities.com (Jim McCoy)
Date: Thu, 16 May 1996 17:45:42 +0800
Subject: [NOISE] Re: Edited Edupage, 9 May 1996
Message-ID:

Hmmm... this is getting fun. Now I have something to take out my frustration at 3Com shipping me a broken 100baseTX hub...

Perry writes:
> Food is of paramount importance to society. Why do we have no
> government run feeding stations to replace these evil supermarkets,
> then?

I guess that farm subsidies, school lunches and the infamous "government cheese" are all figments of our imagination...

> Heat is of paramount importance to society -- in New England you can't
> survive the winter without it. Why, then, do we not have government
> operated and financed oil companies to replace the evil private ones.

Are you aware of the fact that it is next to impossible to disconnect gas/electricity for poor customers during the winter in these areas? Have you ever wondered why the services rep asks you questions regarding your income when you sign up for phone or electrical/gas services?

> Communications are of primary importance to society. Would you swap
> our phone system for the phone system in Greece, or even the one in
> France, which are publically subsidized and run by the government?

Gee, I seem to remember when the only phone system of any consequence in the US was the Bell System. A heavily regulated monopoly with the government overseeing almost all aspects of the services offered.

> Do you prefer using the U.S. Postal Service, or Federal Express when
> you absolutely positively have to get the package there?

Can FedEx send a 1 oz. letter to anywhere in the world for 32 cents? A classic example of cherry-picking among private companies.

> If you had a choice, would you go to a V.A."hospital" or see a private
> physician?

A private physician who must adhere to government standards and who could not practice medicine without the permission of the government? [okay, you sort of have a point on this one but you were really shooting blanks on the other issues.]

> Actually, I believe most people on this list argue for no government
> or so little that its decisions hardly matter.

Yes, but you should give better examples. This is not an issue which is easily argued using the "sound bites" you are trying to give us.

jim

From geeman at best..com Fri May 17 12:43:33 1996
From: geeman at best..com (Gregg Weissman)
Date: Sat, 18 May 1996 03:43:33 +0800
Subject: Java & signed applets
Message-ID: <01BB42BC.F0F08500@geeman.vip.best.com>

Well, that day is not all that far off, when there is trusted h/w, or trusted components, on the desktop. This will be the usual two-edged sword ....

----------
From: Lyal Collins[SMTP:lyalc at ozemail.com.au]
Sent: Thursday, May 16, 1996 8:02 AM
To: E. ALLEN SMITH
Cc: Cypherpunks at toad.com
Subject: Re: Java & signed applets

Signing anything is somewhat a waste of time, unless the verification software is highly trusted, and there is good integrity/authenticity control of the root public key(s).

So, in general - ho hum - until trusted hardware is available on the desktop.

lyal
--
All mistakes in this message belong to me - you should not use them!

From perry at piermont.com Fri May 17 13:05:08 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Sat, 18 May 1996 04:05:08 +0800
Subject: Securing CDROM from piracy
In-Reply-To: <199605142323.EAA00118@fountainhead.net>
Message-ID: <199605152256.SAA03246@jekyll.piermont.com>

Vipul Ved Prakash writes:
> We have developed a multimedia resource that will be cut on a CD-ROM for
> retailing. Since we don't have our own distributors network we will be
> collaborating with another firm for distribution. Is there any way of making
> sure that the guy doesn't pull a fast one on us?
Can we ensure that he cannot > duplicate the thing and start selling it without sharing the profit. Since he can read the CD, he can duplicate it. I will point out anyone buying a CD can do the same thing. > Or alternatively is there any protocol we could follow that will > ensure a fair game? I can't think of how... Perry From mark at infolawalert.com Fri May 17 13:06:18 1996 From: mark at infolawalert.com (Mark Voorhees) Date: Sat, 18 May 1996 04:06:18 +0800 Subject: Zimmermann v. Viacrypt Message-ID: <199605152213.SAA25898@park.interport.net> There is a story @ http://infolawalert.com/stories/051796a.html describing how Phil Zimmermann is trying to retrieve all the rights to PGP from ViaCrypt in order to jump start his new venture, PGP, Inc. He's taking a sell out or get sued approach with ViaCrypt, which until recently has not had much success marketing PGP. Mark ** Mark Voorhees ** Information Law Alert ** mark at infolawalert.com ** http://infolawalert.com ** + 1 718 369 0906 ** + 1 718 369 3250 (fax) ************************* * * * * * * * * * * * * * From EALLENSMITH at ocelot.Rutgers.EDU Fri May 17 13:21:38 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 18 May 1996 04:21:38 +0800 Subject: Why does the state still stand: Message-ID: <01I4QXLS5GQE8Y5F2B@mbcl.rutgers.edu> From: IN%"unicorn at schloss.li" "Black Unicorn" 15-MAY-1996 18:59:01.44 >For these a company running at a constant net operating loss could be >formed to purchase cars for resale (funny how no one ever buys them) and >manage property (which no one seems to ever lease). But won't such a company run into tax problems? In other words, the IRS is going to look with some suspicion on a company that keeps showing no profits (and thus no taxes) but keeps going anyway. They're going to think that the owners are making a profit anyway but concealing it - which is the case. I'm not sure how to handle this one, other than not owning major property (rental et al). 
-Allen From EALLENSMITH at ocelot.Rutgers.EDU Fri May 17 13:22:45 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 18 May 1996 04:22:45 +0800 Subject: SEVERE undercapacity, we need more remailer servers FAST Message-ID: <01I4S8A124Z68Y5FF6@mbcl.rutgers.edu> From: IN%"jamesd at echeque.com" 16-MAY-1996 00:44:57.85 >What do I need to do to support a remailer that posts to non binary >newsgroups? (I do not have root control on a unix machine other than my >employers machine, for which I am unlikely to receive approval to use >in this fashion.) Well, there are some mail-to-news gateways; I believe someone posted on them a while back. You could write to the operators and ask them for a copy of the software. I would suggest only accepting messages from mixmaster remailers; this would reduce the likelihood of successful lawsuits against you for the logs, since they won't give any information. -Allen From bryce at digicash.com Fri May 17 13:27:20 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Sat, 18 May 1996 04:27:20 +0800 Subject: Why does the state still stand: In-Reply-To: <199605160602.XAA28844@pacifier.com> Message-ID: <199605160809.KAA17994@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- (conversation history:) said current ecash was hard to use. said 'no way'. The entity calling itself jim bell is alleged to have written: > > But what I'm looking for is full payee/payor anonymity. (three guesses as > to why...) Can you do this? If not, why not? Let me get this straight. You are asking for full payee/payor anonymity so that you can institute a program of anonymous assassination contracts, right? Fuck off. 
Bryce -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: http://www.c2.net/~bryce -- 'BAP' Easy-PGP v1.1b2 iQB1AwUBMZri0EjbHy8sKZitAQFOSwL9EjmbEwDTnId7QcYdUcP43Gx60dtvPwNf FQktBdqZXRL72+NAbfqz73djeCioFdY/GOXMxdEkKDy3E8RA9mdZmJRLytboIs03 zdhcAGmxBxEHXC0t9Cz3ZzpClS8ddpWn =UX8r -----END PGP SIGNATURE----- From matts at pi.se Fri May 17 13:34:11 1996 From: matts at pi.se (Matts Kallioniemi) Date: Sat, 18 May 1996 04:34:11 +0800 Subject: S-Tools 4 now available Message-ID: <2.2.32.19960516202120.0038302c@mail.pi.se> At 17:41 1996-05-13 CST, Roy M. Silvernail wrote: >> You will need either Windows 95 or Windows NT (at least v3.51) to use >> this, and all further releases of S-Tools (Win32s is not sufficient). > >I suppose this is market pressure, but it means you are alienating a >number of potential users (including myself). Some of us are working >toward being Microsoft-free, you know. It's not just marketing, it's a fact of life. 16 bit operating systems are not supported any more. Just as 8 bit OSes haven't been supported for quite a while either. There will come a day when 64 bits are considered the minimum for useful software (large database systems are already there). You just can't stick with 16 bits forever, MS-free or not. Face it. Matts From timd at consensus.com Fri May 17 13:35:51 1996 From: timd at consensus.com (Tim Dierks) Date: Sat, 18 May 1996 04:35:51 +0800 Subject: RSAREF for Mac? Message-ID: At 1:26 PM 5/14/96, Jay Haines wrote: >It seems that I have seen this question asked before, but as I had no need for >the answer at that time, I trashed it. So, without further ado: > >Can anyone point in the direction of RSAREF for the Macintosh? Sorry for the delay. RSAREF for Mac is the same as any other RSAREF; RSAREF is distributed as fairly portable C source. For a recent project, I just added the sorce files to a Metrowerks project and built and it worked fine. 
It compiles without errors or warnings on all the Mac platforms I've tried thus far (it does generate "possible unintended assignment" warnings (for assignments inside of if statements) if you've got that turned on). If you're having problems, feel free to drop me a note. - Tim Tim Dierks -- timd at consensus.com -- www.consensus.com Head of Thing-u-ma-jig Engineering, Consensus Development From EALLENSMITH at ocelot.Rutgers.EDU Fri May 17 13:36:55 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 18 May 1996 04:36:55 +0800 Subject: Why does the state still stand: Message-ID: <01I4QV7ROZKG8Y5E90@mbcl.rutgers.edu> From: IN%"jf_avon at citenet.net" 15-MAY-1996 19:11:14.65 >But here, I think that AP would be the single most important factor >ruling the socio-economical behavior of individuals or entities in >the world. It already works that way in many countries of the >world, especially in South America. In many places, you don't screw >around too much or you get killed. As a friend of mine who lived in >the jungle told me "if a guy fools around with your wife, you just >shut up and take it, but if a guy fools around with your girlfriend, >you have the sorcerer mix you a beverage... One of my friends had >one and he died within ten days..." However, this is depending on being able to target the people involved. Anonymity kind of prevents that, if it's enough to avoid governmental intervention. -Allen From attila at primenet.com Fri May 17 13:36:58 1996 From: attila at primenet.com (attila) Date: Sat, 18 May 1996 04:36:58 +0800 Subject: (Fwd) New Anonymous Remailer Message-ID: <199605160015.RAA11960@primenet.com> Addressed to: dsmith at prairienet.org Cypherpunks ** Reply to note from David E. Smith 05/15/96 11:33am -0600 Is this for real -- with an initial address of ARL.MIL? So, does this mean we now have a fourth option for a NSA dummy remailer besides the three the scuttlebutt says they already operate?
= ------- Forwarded Message Follows ------- = From: privacy at interlink-bbs.com = Subject: New Anonymous Remailer = Date: Wed, 15 May 1996 06:34:02 GMT = To: info-pascal at ARL.MIL = = = = = You may be familiar with anon.penet.fi, which give you an = anonymous account. = = Our service allows YOU to choose what the return address will be! = = Please write for more info. -- "the slammer and the firing squad are just stones on the road to freedom." --attila From EALLENSMITH at ocelot.Rutgers.EDU Fri May 17 13:37:48 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 18 May 1996 04:37:48 +0800 Subject: crosspost re remailers Message-ID: <01I4QXEEYGLS8Y5F2B@mbcl.rutgers.edu> From: IN%"frantz at netcom.com" 15-MAY-1996 18:54:28.83 >I thought the statement that remailers are supposed to be ephemeral and >common was the answer. If one is shut down, a dozen spring up in its >place. Advertising new remailers does become an issue. What mechanisms >are in place for new remailers to advertise themselves? Emailing to Raph Levien (sp?) would seem to be the current way to do it, as well as announcements on cypherpunks. If we do get increased remailer turnover, Raph's increasing the frequency of such postings (possibly with moving the increased-frequency ones to a dedicated mailing list for the subject) would be advisable. >I find it interesting that this remailer is being shut down by private >action and not by government. (Yes, they are threatening government >action, but if they couldn't do that they would find some other threat.) It does look like governments really haven't noticed remailers much, at least publically. I'm sure the NSA, etcetera know about them, but I would guess they see no reason to give remailers publicity. 
-Allen From richieb at teleport.com Fri May 17 13:41:49 1996 From: richieb at teleport.com (Rich Burroughs) Date: Sat, 18 May 1996 04:41:49 +0800 Subject: SEVERE undercapacity, we need more remailer servers FAST In-Reply-To: <199605151758.KAA25847@jobe.shell.portal.com> Message-ID: On Wed, 15 May 1996, Hal wrote: > The problem that I think the Scientology postings raise is that the > remailers cannot really be used to post copyrighted material. That is > what got the Netherlands hacktic remailer shut down. This shows, BTW, > that being outside the United States is no guarantee of immunity. Most > Western countries support copyrights. [snip] I find this all very odd, since the Dutch court ruled that the use of the Fishman affidavit on Karin Spaink's web page was not a copyright violation, as Fishman was part of a US judicial record. I'm assuming that the Fishman material is what they approached Hacktic about, as well, but I'm not sure. Maybe this is about something else (the NOTS materials), or maybe the threat of legal action was enough to do Hacktic in, despite what would seem to be a favorable precedent. > This has nothing to do with tweaking Microsoft or Scientology by posting > information they own. If people want to do that, they need to find > another method. Maybe they can get usenet shut down if they try hard > enough. I don't know how that battle is going to come out. But I don't > see the remailers as playing an important role there. It's not clear to me that Scientology is only concerned about copyrighted material. That's what they claim, but then Hubbard said, "The purpose of the suit is to harass..." Copyrights became the issue, IMHO, because they have some legal ground to stand on there. I think their goal is to make all their Net critics come out into the open, and they're willing to use the legal system as a pawn towards that goal. You can't threaten or intimidate anon posters as easily.
You can't send your private investigators to harass them and their families. Taking away the ability to post to Usenet through remailers would give them complete victory on this issue. Not only them, but every other religion/company/group that seeks to intimidate their Usenet critics. And what if a mailing list critical to them springs up? If they threaten remailers about it, will we then cede the ability to send anon email in response? I appreciate the incredibly difficult position that all of this puts remailer operators in, but I don't think CoS will be satisfied with just stopping anon Usenet posts. IMHO, they more likely want the remailers gone, altogether. Don't believe that this is about copyrights, just because they say it is. I think that if we want the right to be anonymous on the Net, people are going to have to stand up for it. Rich p.s. Anyone who thinks the idea of CoS harassing their critics is farfetched should take a good look around Ron Newman's web site: http://www.cybercom.net/~rnewman/scientology/home.html ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From EALLENSMITH at ocelot.Rutgers.EDU Fri May 17 13:45:36 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 18 May 1996 04:45:36 +0800 Subject: Fingerprinting annoyance Message-ID: <01I4QVHPIRS68Y5E90@mbcl.rutgers.edu> From: IN%"unicorn at schloss.li" "Black Unicorn" 15-MAY-1996 00:00:25.51 >On Tue, 14 May 1996, Timothy C. May wrote: >> At 3:22 PM 5/14/96, Matthew Williams wrote: >> >Although knowingly providing a fake social security number when one >> >has any expectation of gain is, I believe, a felony. >> >42 USC. sec. 408. >Note the key provisons, for gain, and when submitted to those entitled to >the number legally.
But is "entitled to the number legally" meaning anyone who _must_ have the number legally (IRS & other government agencies, those dealing with the IRS, etcetera), or anyone who can require it as a condition of doing business? There is a difference between the two, at least according to the Social Security Number FAQ that I last read. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Fri May 17 13:56:12 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 18 May 1996 04:56:12 +0800 Subject: Fingerprinting annoyance Message-ID: <01I4S7OCDTOG8Y5FF6@mbcl.rutgers.edu> From: IN%"unicorn at schloss.li" "Black Unicorn" 15-MAY-1996 19:40:34.88 >It means essentially the IRS and banks. Even banks have little recourse. >They make you sign a piece of paper that says you gave them the right SSN, >but practically speaking no one cares. >Equifax (a credit reporting agency) refuses to take bank records as >evidence of SSN's because they KNOW the banks don't care or enforce and >that people lie to or make mistakes to the bank on a daily basis. Fascinating. I would think the IRS would care - that's how they know how to tax interest. They don't put any pressure on the banks to get the right one? I seem to recall showing the bank a driver's license or some such with a SSN on it the last time I opened an interest-bearing account. As I recall, government branches are authorized to get SSNs - if they show you the privacy act paperwork. If they forget, I would suppose that lying to them is perfectly permissible. What about if they do? -Allen From llurch at networking.stanford.edu Fri May 17 14:02:46 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 18 May 1996 05:02:46 +0800 Subject: (Fwd) New Anonymous Remailer In-Reply-To: <96May15.164558edt.20485@janus.algorithmics.com> Message-ID: Oh, I don't find the .mil threatening. The fact that the "New Anonymous Remailer" BS was spammed to every newsgroup in their feed, twice, does bother me. A lot. 
See news.admin.net-abuse.misc. -rich On Wed, 15 May 1996, Robin Powell wrote: > Allow me to be the first ( I hope) to point out stupidity: > > >>>>> "David E. Smith" writes: > > > ------- Forwarded Message Follows ------- > > From: privacy at interlink-bbs.com > > Subject: New Anonymous Remailer > > Date: Wed, 15 May 1996 06:34:02 GMT > > To: info-pascal at ARL.MIL > ^^^^^^^ > > Do we se a problem here? No? Then read on... From jimbell at pacifier.com Fri May 17 14:19:36 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 18 May 1996 05:19:36 +0800 Subject: Why does the state still stand: Message-ID: <199605160602.XAA28844@pacifier.com> At 10:59 PM 5/15/96 +0200, bryce at digicash.com wrote: >Excuse me? Here James, have a penny. > >- -----BEGIN ECASH PAYMENT----- > >- -----END ECASH PAYMENT----- > > >That took me all of about 5 seconds. If you had Mark Twain >ecash it would take you less time to accept that penny that it >takes you to read "----BEGIN ECASH PAYMENT-----" with your slow >human eyes. But what I'm looking for is full payee/payor anonymity. (three guesses as to why...) Can you do this? If not, why not? Jim Bell jimbell at pacifier.com From dsmith at midwest.net Fri May 17 15:20:44 1996 From: dsmith at midwest.net (David E. Smith) Date: Sat, 18 May 1996 06:20:44 +0800 Subject: (Fwd) New Anonymous Remailer Message-ID: <199605152317.SAA28399@cdale1.midwest.net> > > Do we se a problem here? No? Then read on...
> > > You may be familiar with anon.penet.fi, which give you an > > anonymous account. > > > Our service allows YOU to choose what the return address will be! > > > Please write for more info. > > Well, well, well. Let's see: > Yes, we are familiar with anon.penet.fi... And all of the better > options available. Heh... it gets better. I very foolishly sent off for more info; among their requirements: you pay $5 a month for the service; you can't receive mail, only send it (which anyone can spoof for free!); you can't send to anyone in the domain of *.whitehouse.gov. Would somebody please just mailbomb or spam these hosers into oblivion, please? dave ---- David Smith Box 324 Cape Girardeau MO USA 63702 http://www.prairienet.org/~dsmith dsmith at prairienet.org Reality is only for those lacking in true imagination... Send mail w/'send pgp-key' in subject for PGP public key From frantz at netcom.com Fri May 17 15:50:56 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 18 May 1996 06:50:56 +0800 Subject: The Crisis with Remailers Message-ID: <199605171602.JAA10169@netcom8.netcom.com> At 8:37 PM 5/15/96 -0700, Timothy C. May wrote: >A much richer ecology of remailers is sorely needed. A factor of at least >10 or 20 more (100-300 remailer sites), less reliance on specific sites, an >"everyone a remailer" capability (which has many elegant advantages!), more >traffic, temporarily instantiated sites, digital postage, greater ease of >use (especially with crypto and chaining), and such things as nominal >terminal remailers choosing to add their own hops (so as to lessen their >own target potential). Having some of these improvements will be a big >help. Perhaps what is needed is a non-profit, charitable 501c foundation to encourage anonymous communication. Those who support the idea could make tax deductible contributions which would be used for grants, public education etc. etc. to encourage anonymous communication. 
It could be called, "The Federalist Foundation" because the Federalist Papers were published anonymously. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From unicorn at schloss.li Fri May 17 16:18:48 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 18 May 1996 07:18:48 +0800 Subject: SEVERE undercapacity, we need more remailer servers FAST In-Reply-To: <199605151758.KAA25847@jobe.shell.portal.com> Message-ID: I would really like to see a remailer that is somehow blinded. I don't know enough about how mail paths are generated, but is it impossible to conceal the origin of remailer postings? Postings made to remailernym at alpha.c2.org would be spit out somewhere but without accountability? Impossible? Would do wonders defeating traffic analysis. I'd consider running a remailer, but after listening to the response to the anonymous poster a while back, it sounds like there are few if any simple options which do not require major time and effort to set up and run. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From snow at smoke.suba.com Fri May 17 16:33:20 1996 From: snow at smoke.suba.com (snow) Date: Sat, 18 May 1996 07:33:20 +0800 Subject: Defeating fingerprints In-Reply-To: <199605150643.XAA24223@netcom16.netcom.com> Message-ID: On Tue, 14 May 1996, Be Good wrote: > > Burglars and safecrackers sand the ridges off. > > This sounds like it'd work, but quite tedious. Belt sander and a light touch. Petro, Christopher C.
petro at suba.com snow at crash.suba.com From erc at dal1820.computek.net Fri May 17 16:57:04 1996 From: erc at dal1820.computek.net (Ed Carp) Date: Sat, 18 May 1996 07:57:04 +0800 Subject: Securing CDROM from piracy In-Reply-To: <199605152256.SAA03246@jekyll.piermont.com> Message-ID: <199605170845.EAA07610@dal1820.computek.net> > Vipul Ved Prakash writes: > > We have developed a multimedia resource that will be cut on a CD-ROM for > > retailing. Since we don't have our own distributors' network we will be > > collaborating with another firm for distribution. Is there any way of making > > sure that the guy doesn't pull a fast one on us? Can we ensure that he cannot > > duplicate the thing and start selling it without sharing the profit. > > Since he can read the CD, he can duplicate it. > > I will point out anyone buying a CD can do the same thing. > > > Or alternatively is there any protocol we could follow that will > > ensure a fair game? > > I can't think of how... This is the way I did something similar:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    char company[80], supplied_key[80];
    char *computed_key;

    puts("Enter your company name:");
    fgets(company, sizeof company, stdin);
    company[strcspn(company, "\n")] = '\0';            /* drop the newline fgets keeps */
    puts("Please call 1-800-555-1212 for your encryption key:");
    puts("Enter it now:");
    fgets(supplied_key, sizeof supplied_key, stdin);
    supplied_key[strcspn(supplied_key, "\n")] = '\0';  /* likewise */

    /* Compute a key based on what the user typed in */
    /* This is using md5 as an example; md5() is assumed here to be a
       helper that returns the digest as a string */
    computed_key = md5(company);

    /* Now, compare it with what they typed in */
    if (strcmp(supplied_key, computed_key) != 0) {
        puts("Incorrect key!");
        exit(1);
    }
    ...

As long as you keep the way you compute the key a secret, there's little chance that someone else could rip you off, since the key is implementation-dependent. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul.
Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes The mark of a good conspiracy theory is its untestability. -- Andrew Spring From llurch at networking.stanford.edu Fri May 17 16:58:22 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 18 May 1996 07:58:22 +0800 Subject: Pointer to CFV for comp.security.pgp.* Message-ID: Please do not redistribute the actual CFV. I'm sure the group will pass; this just FYI, in case there's anyone here interested in a forum for discussing cryptography. See article <832200127.21555 at uunet.uu.net> in news.announce.newgroups. -rich From grafolog at netcom.com Fri May 17 16:58:49 1996 From: grafolog at netcom.com (jonathon) Date: Sat, 18 May 1996 07:58:49 +0800 Subject: (Fwd) New Anonymous Remailer In-Reply-To: Message-ID: On Wed, 15 May 1996, Rich Graves wrote: > > > To: info-pascal at ARL.MIL Mail sent there gets forwarded to ibm.net xan jonathon grafolog at netcom.com ********************************************************************** * * * Opinions expressed don't necessarily reflect my own views. * * * * There is no way that they can be construed to represent * * any organization's views. * * * ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * ftp://ftp.netcom.com/pub/gr/graphology/home.html * * * * OR * * * * http://members.tripod.com/~graphology/index.html * * * *********************************************************************** From pgut001 at cs.auckland.ac.nz Fri May 17 17:21:12 1996 From: pgut001 at cs.auckland.ac.nz (pgut001 at cs.auckland.ac.nz) Date: Sat, 18 May 1996 08:21:12 +0800 Subject: Any DLL's that handle Public Key Encryption or Key Exchange?
Message-ID: <199605161240.AAA20024@cs26.cs.auckland.ac.nz> Tall men in dark suits made draven at infi.net (Greg Morgan) write: >I'm in the process of writing a freeware IRC client in Visual Basic 3 and >wanted to encorporate a secure variant of DCC chat. Trouble is I can't find a >precompiled library that has either RSA or DH in it. This doesn't do me much >good as I don't even own a Windows C compiler... (is that a crime in some >countries? :) ) The next release of my encryption library (currently available as ftp://garbo.uwasa.fi/pc/security/crypl110.zip) will contain a nice fast RSA implementation. It includes 16 and 32-bit DLL's. Actually the current version has support for it, but I took out the code because the key management routines weren't ready yet. There are two things worth noting, the first is that RSA itself isn't much use without a *lot* of key management code (which is what's holding up the RSA-enabled version). The second is that if you're in the US you're probably going to run into legal hassles using this code unless someone wants to do an alternative RSAREF implementation which you can plug in in place of the existing RSA code. Peter. From weidai at eskimo.com Fri May 17 18:13:05 1996 From: weidai at eskimo.com (Wei Dai) Date: Sat, 18 May 1996 09:13:05 +0800 Subject: marginal cost of ecash transaction In-Reply-To: <199605152059.WAA10819@digicash.com> Message-ID: On Wed, 15 May 1996 bryce at digicash.com wrote: > Excuse me? Here James, have a penny. > > - -----BEGIN ECASH PAYMENT----- > [... penny deleted ...] That brings up an interesting question. What is the marginal cost to MarkTwain of such a one-cent ecash transaction? If everyone started sending each other these pennies, will MarkTwain go broke? Wei Dai From sawyer at nextek.com Fri May 17 18:20:30 1996 From: sawyer at nextek.com (Thomas J. 
Sawyer) Date: Sat, 18 May 1996 09:20:30 +0800 Subject: Securing CDROM from piracy Message-ID: >Is there any way of making >sure that the guy doesn't pull a fast one on us? Can we ensure that he cannot >duplicate the thing and start selling it without sharing the profit. >-- > '88888888:::888888%' Vipul Ved Prakash Fax : +91-11-3328849 > '8888888::88888%' Positive Ideas. Internet : vipul at pobox.com Well, I suppose you could get it copyrighted before you hand it over for distribution. I'd also put my logo and other info somewhere in the code, such as an "About" box. They would have a hard time saying it wasn't yours. Thomas J. Sawyer sawyer at nextek.com From sunder at dorsai.dorsai.org Fri May 17 18:28:00 1996 From: sunder at dorsai.dorsai.org (Ray Arachelian) Date: Sat, 18 May 1996 09:28:00 +0800 Subject: Securing CDROM from piracy In-Reply-To: <199605151949.AAA00160@fountainhead.net> Message-ID: On Thu, 16 May 1996, Vipul Ved Prakash wrote: > > Think serial numbers that are cryptographically secure. If you're the > > only one giving them out and only to registered users, nobody can pirate > > without it being traced back to them. Basically have your software > > disable itself after say 30 days unless a serial number is entered. > > Enlighten me! keeping in mind that the distributor will be cutting the CD and > the customer will never be in contact with us. In that case there isn't much you can do if you can't get the customer to register their copy of the CDROM by calling you or by mailing you a card. ========================================================================== + ^ + | Ray Arachelian |FH| KAOS KERAUNOS KYBERNETOS |==/|\== \|/ |sunder at dorsai.org|UE|__Nothing_is_true,_all_is_permitted!_|=/\|/\= <--+-->| --------------- |CC|What part of 'Congress shall make no |=\/|\/= /|\ | Just Say |KD|law abridging the freedom of speech' |==\|/== + v + | "No" to the NSA!|TA| do you not understand?
|======= ===================http://www.dorsai.org/~sunder/========================= Obscenity laws are the crutches of inarticulate motherfuckers-Fuck the CDA From di40349 at goodnet.com Fri May 17 18:36:39 1996 From: di40349 at goodnet.com (covacks) Date: Sat, 18 May 1996 09:36:39 +0800 Subject: No Subject Message-ID: <199605161857.LAA03091@goodguy.goodnet.com>

    #!/bin/csh
    setenv PATH /bin:/usr/bin
    set username=`id | sed -e 's/).*//' -e 's/.*(//'`
    set homedir=~$username
    set tmpfile=$homedir/.mailtmp.$$
    cat > $tmpfile
    if ( { egrep -q '^Sender: owner-cypherpunks at toad.com' \
           $tmpfile } ) then
        rm -f $tmpfile
        exit 67
    endif
    (rm -f $tmpfile; exec /bin/mail -d $username) < $tmpfile

    |"IFS=' '&&exec csh /documents/.forward #covacks"

From frantz at netcom.com Fri May 17 18:44:00 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 18 May 1996 09:44:00 +0800 Subject: Java & signed applets Message-ID: <199605160556.WAA22587@netcom8.netcom.com> At 8:02 AM 5/16/96 -0700, Lyal Collins wrote: >Signing anything is somewhat a waste of time, unless the verification >software is highly trusted, and there is good integrity/authenticity >control of the root public key(s). >So, in general - ho hum - until trusted hardware is available on the >desktop. A bootable CD-ROM from a reliable source to verify signatures would be much safer than no signatures at all. Even just running the signature verification program from CD-ROM would make an attacker's problem more difficult. BTW - The problem is not trusted hardware. It is software that can isolate untrusted programs and protect itself. Anything with an A or B NCSC security rating would certainly be attractive. Trusted signature verification hardware accessed by a compromised system can't be trusted. (How do you know what was given to the hardware to be verified? How do you know that the answer came from the hardware?)
------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From ses at tipper.oit.unc.edu Fri May 17 18:47:01 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sat, 18 May 1996 09:47:01 +0800 Subject: Java & signed applets In-Reply-To: <319B436D.507E@ozemail.com.au> Message-ID: On Thu, 16 May 1996, Lyal Collins wrote: > Signing anything is somewhat a waste of time, unless the verification > software is highly trusted, and there is good integrity/authenticity > control of the root public key(s). The verification software is simple enough to be quite highly trusted, and if the privilege model is stupid enough, it too can be quickly verified. The trickiest part of the process is making sure that you don't sign any code you're not prepared to vouch for... Simon From EALLENSMITH at ocelot.Rutgers.EDU Fri May 17 18:47:52 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 18 May 1996 09:47:52 +0800 Subject: Past one terabit/second on fiber Message-ID: <01I4QUMJPK468Y5E90@mbcl.rutgers.edu> One problem with the development of such high-end technologies is that they tend to increase economies of scale to the point where it's impractical to have anything but a monopoly or oligopoly. As well as concerns about the degree of control such an organization may be able to exert in and of itself (acting like a government, in essence), there's also that such an organization is easier to pressure than a lot of small providers. Anyone have a suggested solution, or reasons that I shouldn't be so worried?
-Allen From Doug.Hughes at Eng.Auburn.EDU Fri May 17 19:08:49 1996 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Sat, 18 May 1996 10:08:49 +0800 Subject: Edited Edupage, 9 May 1996 In-Reply-To: Message-ID: > >"True democracy" is actually much worse than what we have now. The >advantage of what we are doing with strong cryptography is that it >undermines democracy. > > Totally agreed. I'll take our representative form of govt over that any day (warts and all) -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug at eng.auburn.edu Pro is to Con as progress is to congress From snow at smoke.suba.com Fri May 17 19:14:13 1996 From: snow at smoke.suba.com (snow) Date: Sat, 18 May 1996 10:14:13 +0800 Subject: SEVERE undercapacity, we need more remailer servers FAST In-Reply-To: <199605150708.AAA26485@netcom16.netcom.com> Message-ID: On Wed, 15 May 1996, Be Good wrote: > > So what is the expense of setting up a full-featured server > like hacktic? Mr. Graves should start up a new server, and > tcmay is rich, so he has no excuse. No, rich is a good excuse for _not_ doing it, unless it can be done with total anonymity. If I set up a remailer, on my home computer, as an individual, then I am a very little target. I have nothing (well, damn little) for anyone to sue me over. What would be the point? They threaten to sue me for what? They would spend FAR more than they could ever get out of me, and as long as I don't violate any laws, I _might_ be able to get "big guns" like the ACLU, EFF etc. on my side to make it a nasty fight for no return. Someone like Mr. May has assets that can be gotten, so there is potential for gain from a lawsuit against him, both financially and otherwise. Rich is neither reason, nor excuse. Capability is the issue. It would probably be easier for me to run a remailer than Mr. 
May, not that I am better equipped mentally, but (until I started posting to this list). Come to think of it, would the Mixmaster package run under Xenix? I have a 286 laying around collecting dust... Petro, Christopher C. petro at suba.com snow at crash.suba.com From remailer at 2005.bart.nl Fri May 17 19:16:04 1996 From: remailer at 2005.bart.nl (Senator Exon) Date: Sat, 18 May 1996 10:16:04 +0800 Subject: No Subject Message-ID: <199605160218.EAA03364@spoof.bart.nl> > From: tilman at berlin.snafu.de (Tilman Hausherr) > Newsgroups: alt.religion.scientology > Subject: fwd: Major Domo > Date: Wed, 15 May 1996 17:36:49 GMT > Organization: Xenu's Ranch > Lines: 28 > Approved: xenu at galactic.org > Message-ID: <319a0a59.33945517 at news.snafu.de> > Reply-To: tilman at berlin.snafu.de > NNTP-Posting-Host: pppx179.berlin.snafu.de Does Lieberman believe that Major Domo is scamizdat ? 14 Q I see. So there's something called a 15 Cypherpunks list? 16 A Yes. 17 Q Who maintains that? 18 A Major Domo. [majordomo] 19 Q Major Domo is an individual? 20 A No, no. Major Domo is a bot. 21 Q A what? 22 A A bot. 23 Q What's a bot? 24 A A robot like. It's short for robot. 25 Q Uh-huh. And this robot is obviously maintained 26 by somebody, right? 0050 01 A Not very much. In fact, it's hardly ever 02 touched. 03 Q Where does it sit? 04 A I don't know at this point. It was a year ago, 05 which was about the last time I was reading the 06 Cypherpunks list, it was on Hoptoad. 07 Q How would one go about getting the Cypherpunks 08 list? 09 A Subscribe Cypherpunks. From EALLENSMITH at ocelot.Rutgers.EDU Fri May 17 19:17:52 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 18 May 1996 10:17:52 +0800 Subject: Why does the state still stand: Message-ID: <01I4S7SRC0WM8Y5FF6@mbcl.rutgers.edu> From: IN%"unicorn at schloss.li" "Black Unicorn" 15-MAY-1996 20:46:58.17 >So what, pray tell, is the IRS going to do? Impose a "we see no income" >fine and seize property? 
>They can audit, but audits are winable too. An offshore company simply >keeps dropping cash into the local business. That's not a crime. The >local business is losing money like crazy, but who is to say they are >defrauding per se? Bad business judgment is hardly tax fraud, and how do >you know (with a properly blinded ownership) that the assets that are >pouring into this company with all these expenses are taxible in the U.S. >in the first place? Well, the IRS could ask the very sensible question of where is all this property going to? It's not going to be on the lot of someone is renting it via ecash. You could claim it had been destroyed, although there are supposed to be tracking mechanisms for cars. For land, houses, etcetera, they're going to be suspicious when they find someone living in them. Now, they may not have enough to prosecute on - but they can keep an eye on the business' employees + the people driving those cars around or living on that property to try to catch them doing something illegal; sort of a reverse Al Capone. If enough people are doing this, this surveilance does become impractical. But the transitional period is important. -Allen From erehwon at c2.org Fri May 17 19:30:02 1996 From: erehwon at c2.org (William Knowles) Date: Sat, 18 May 1996 10:30:02 +0800 Subject: COMPLETELY ANONYMOUS POSTING & E-MAIL (fwd) Message-ID: Posted in one of the sex newsgroups... In article <4n02a7$ime at newsbf02.news.aol.com> shhhnet at aol.com (ShhhNet) writes: From: shhhnet at aol.com (ShhhNet) Subject: COMPLETELY ANONYMOUS POSTING & E-MAIL Date: 10 May 1996 14:35:51 -0400 COMPLETELY ANONYMOUS POSTING & E-MAIL Send and receive E-Mail and Post to newsgroups with TOTAL anonymity As you must know the government is getting ready to crack down on freedom of speech on the internet. Already people are being fined and imprisoned. Your service providers are being asked to turn over records and they are cooperating. 
Even if they don't want to cooperate the can be forced by the courts to release records to the authorities. Our New Service let's you send and receive E-Mail and post to newsgroups with no fear of your messages ever being traced to you. Not even a Federal Court Order will result in your identity being revealed. Finally total safety for your most confidential or controversial electronic messages. ShhhNET Will begin operating in late June and you can be a part of the only truly secure way to send and receive E-Mail or post to UseNet Newsgroups. For a limited time ShhhNet will be offered for only $50.00 per Year. If you are interested, Please send E-Mail to ShhhNet at AOL.Com We will respond with information about how our service works and how you can be totally secure in your Internet transactions. From EALLENSMITH at ocelot.Rutgers.EDU Fri May 17 19:39:41 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 18 May 1996 10:39:41 +0800 Subject: Why does the state still stand: Message-ID: <01I4S81N6AP88Y5FF6@mbcl.rutgers.edu> From: IN%"frantz at netcom.com" 15-MAY-1996 22:39:50.97 >You could require daily payment and forgo the escrow agent. (Assuming you >are willing to risk a day's pay as an experiment in reputation.) Note that This could work for fixed payments. But what about things like profit-sharing? >What may be a problem for such a company is a social problem. All the >creative groups I have worked with have had close personal relations. >(Although they have not had wide agreement on significant non-work >subjects!) I don't know if good, creative, group-produced products can be >built without such a relationship. Does anyone know of an example of such >a product from an "anonymous" environment? No, but you might want to take a look at some psychiatrists & clinical psychologists who are doing some work over the Net, including anonymnity. 
It's discussed in the most recent or next-most-recent US News & World Report; I'll try to remember to bring my copy in to give the URLs mentioned. I did spot that they could use some boosts on the anonymnity and privacy side - they weren't using encryption, and the payments were via credit card. Someone from Mark Twain or Digicash contacting them would appear to be a good idea, as well as someone encouraging them to use Mixmaster-type anonymous remailers; I'd prefer if someone with more experience than I sent them an email about it. -Allen From bryce at digicash.com Fri May 17 20:22:49 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Sat, 18 May 1996 11:22:49 +0800 Subject: marginal cost of ecash transaction In-Reply-To: Message-ID: <199605170130.DAA11940@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- Wei Dai probably wrote: > > That brings up an interesting question. What is the marginal cost to > MarkTwain of such a one-cent ecash transaction? If everyone started > sending each other these pennies, will MarkTwain go broke? Good question. Speaking unofficially and off-the-top-of-my head, I estimate the marginal cost to be "really really small". I mean, if you really want to know the marginal cost of something you have to determine which costs are considered marginal and which aren't. Is Frank O. Trotter's salary a marginal cost? I mean, if everyone in the world started sending each other Mark Twain Bank pennies, MTB might have to hire a second or third banker-type like Frank to keep an eye on things. But disregarding such speculation, what is the marginal cost of a kilobyte or so on Mark Twain Bank's internet connection? Or (snicker) a handful of CPU cycles on bank.marktwain.com? The biggest "marginal cost" is probably the salaries of the employees who keep those two things running. 
Regards,

Bryce

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2

-----END PGP SIGNATURE-----

From vipul at pobox.com Fri May 17 20:23:19 1996
From: vipul at pobox.com (Vipul Ved Prakash)
Date: Sat, 18 May 1996 11:23:19 +0800
Subject: Securing CDROM from piracy
In-Reply-To:
Message-ID: <199605151946.AAA00148@fountainhead.net>

>
> >Is there any way of making
> >sure that the guy doesn't pull a fast one on us? Can we ensure that he cannot
> >duplicate the thing and start selling it without sharing the profit.
>
> Well, I suppose you could get it copyrighted before you hand it over for
> distribution. I'd also put my logo and other info somewhere in the code,
> such as an "About" box. They would have a hard time saying it wasn't
> yours.
>

You are missing the point. Let's say a firm X is marketing my product. Now if they sell 500,000 copies and tell me that they have sold only 100,000, I have no way of figuring out.

--

      .od8888bo.                          \|/
    .d%::::88::888b.                     (@ @)
  .d888::::::::8:888%.  ------------------oOO-(_)-OOo-----------------
  88888:::::::88888::%. You walk across with your flowers in your hand
 d888888:::88;888888::b Trying to tell me no one understands
 888888888:888888888888 Trade in your hours for a hand full of dimes
 Y8888888::::::888888%P Gonna make it baby in our prime.
 '8888888:::::::8888:%' ----------------------------------------------
  '88888888:::888888%'  Vipul Ved Prakash         Fax : +91-11-3328849
   '8888888::88888%'    Positive Ideas.
Internet : vipul at pobox.com '"Y88%B8P"' ---------------------------------------------- From molecul1 at molecule1.com Fri May 17 20:30:45 1996 From: molecul1 at molecule1.com (Molecule One Scientific Research Institute) Date: Sat, 18 May 1996 11:30:45 +0800 Subject: CyberTraveler Auction - Unsubscrive Message-ID: >Dear Molecule, > > >Best regards, >Cathay Pacific Airways Limited >Los Angeles Marketing Department > >P.S. remove yourself from the CyberTraveler program, (should you wish to). >Simply go to http://www.cathay-usa.com/remove.html. Thank you. > >>>Dear Cathay, > >>> Unsubscrive Molecule1 at electriciti.com > >>> In peace & wish the purest of wishes. >>> sincerely, >>> M1. From jyacc!aspen!bdodds at uunet.uu.net Fri May 17 20:53:39 1996 From: jyacc!aspen!bdodds at uunet.uu.net (brian dodds) Date: Sat, 18 May 1996 11:53:39 +0800 Subject: Past one terabit/second on fiber In-Reply-To: <199605152051.NAA21380@pacifier.com> Message-ID: On Wed, 15 May 1996, jim bell wrote: > Reminds me of an old joke: "This computer's so fast it does an infinite > loop in 5 seconds!" a friend of mine once said his 486 (when most of us were on 286's) was so fast it would process commands before he typed them.. > >i notice they're still using the encyclopedia/second benchmark.. > > It's an old habit, I suppose. It's hard to explain "one trillion", at least > to non-tech types. A good modern replacement might be to say, "200 CDROM's > per second", except that even today most people don't know how much storage > a CDROM represents. "16 million one-way phone calls" is also helpful as a > benchmark. well, maybe we should update this measure to meet the range like they did with the bel.. since an encyclopedia per second (eps) is a useless measure, maybe we should institute the mega-encyclopedia per second, or `meps' which would be 1024x30volumes of text.. `this little number over here'll do 30 meps!'.. bri.. --bdodds at jyacc.com brian dodds, systems administration, jyacc, inc. 
wellesley, ma --617.431.7431x125 opinions expressed within are not necessarily my own or anyone elses.. From llurch at networking.stanford.edu Fri May 17 20:57:09 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 18 May 1996 11:57:09 +0800 Subject: Securing CDROM from piracy In-Reply-To: <199605142323.EAA00118@fountainhead.net> Message-ID: Just put your .signature on the CD. Nobody would dare counterfeit that. -rich On Wed, 15 May 1996, Vipul Ved Prakash wrote: > We have developed a multimedia resource that will be cut on a CD-ROM for > retailling. Since we don't have our own distributers newtwork we will be > collobarating with another firm for distribution. Is there any way of making > sure that the guy doesnt pull a fast on on us? Can we ensure that he cannot > duplicate the thing and start selling it without sharing the profit. Or > alternatively is there any protocol we could follow that will ensure a fair > game? > > Vipul > > > -- > > .od8888bo. \|/ > .d%::::88::888b. (@ @) > .d888::::::::8:888%. ------------------oOO-(_)-OOo----------------- > 88888:::::::88888::%. You walk across with your flowers in your hand > d888888:::88;888888::b Trying to tell me no one understands > 888888888:888888888888 Trade in your hours for a hand full of dimes > Y8888888::::::888888%P Gonna make it baby in our prime. > '8888888:::::::8888:%' ---------------------------------------------- > '88888888:::888888%' Vipul Ved Prakash Fax : +91-11-3328849 > '8888888::88888%' Positive Ideas. Internet : vipul at pobox.com > '"Y88%B8P"' ---------------------------------------------- > From unicorn at schloss.li Fri May 17 20:57:28 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 18 May 1996 11:57:28 +0800 Subject: Why does the state still stand: In-Reply-To: <199605152154.OAA24839@netcom8.netcom.com> Message-ID: On Wed, 15 May 1996, Bill Frantz wrote: [Anonymous corporations] > What may be a problem for such a company is a social problem. 
All the > creative groups I have worked with have had close personal relations. > (Although they have not had wide agreement on significant non-work > subjects!) I don't know if good, creative, group-produced products can be > built without such a relationship. Does anyone know of an example of such > a product from an "anonymous" environment? So make it a nym relationship instead. Hell, with increased bandwidth, you could use PGPphone and some mild voice disguising and have teleconfrences. > ------------------------------------------------------------------------ > Bill Frantz | The CDA means | Periwinkle -- Computer Consulting > (408)356-8506 | lost jobs and | 16345 Englewood Ave. > frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From jf_avon at citenet.net Fri May 17 21:02:34 1996 From: jf_avon at citenet.net (Jean-Francois Avon) Date: Sat, 18 May 1996 12:02:34 +0800 Subject: Why does the state still stand: Message-ID: <9605160024.AA14298@cti02.citenet.net> -----BEGIN PGP SIGNED MESSAGE----- On 15 May 96 at 15:48, jim bell wrote: > I understand your...uh...caution. But as scary as it may be to > "us," it's going to be even more terrifying to those it is likely to > eliminate. Sort of the difference between two parachute jumps: With > and without a parachute! Mr Bell. Please do not refer to me as being part of what you call "us". The fact that I exchanged on the topic of AP, and more particularly on its intrinsical workings and logic does not mean that I endorse nor like it. Please read what I wrote and stick to it. Respectfully. 
JFA

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

-----END PGP SIGNATURE-----

DePompadour, Societe d'Importation Ltee
Limoges porcelain, Silverware and mouth blown crystal glasses

JFA Technologies, R&D consultants.
Physicists, technologists and engineers.

PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891

Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have
accepted the above mentioned terms.

From llurch at networking.stanford.edu Fri May 17 21:12:03 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 18 May 1996 12:12:03 +0800
Subject: crosspost re remailers
In-Reply-To: <199605152129.OAA17876@dns2.noc.best.net>
Message-ID:

On Wed, 15 May 1996 jamesd at echeque.com wrote:

> Some nyms are valuable, most are valueless by design. All remailers
> should be valueless by design. The penet.fi remailer design is
> unsatisfactory precisely because it penet.fi is valuable, hence a
> target. If it gets shut down a lot of people lose their nyms,
> causing much inconvenience.

The entry points into the system, though, have value. You need to be able to locate and trust them. Remailer reputations are valuable. Otherwise, you're liable to send your message into the NSA-remailers-are-us system. You need a web of trust among remailers at the very least, which means some level of exposure (at least by "social analysis" by observing the relationships among the various remailer nyms).

Chaos within the system is good.
Moving remailers around could be good, provided that a service location infrastructure is established. Raph's list is a good start, but it needs to be more automatic and dynamic -- which to me (perhaps wrongly) suggests formalization, which means points of failure. A system whereby you post messages to a public place -- like Usenet -- to be picked up by a random remailer whose location you do not know could be attractive, but there's a lot that could go wrong. I've been assured that the Cypherpunk Cabal (there is no cabal) is working on the problem. -rich "Outlay encryption, and only outlaws will have steganography." From markm at voicenet.com Fri May 17 21:34:06 1996 From: markm at voicenet.com (Mark M.) Date: Sat, 18 May 1996 12:34:06 +0800 Subject: Why does the state still stand: In-Reply-To: <01BB41E0.DE17C4C0@blancw.accessone.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Tue, 14 May 1996, blanc wrote: > . What if someone, hired on one occasion but fired at another, decides in > anger to "turn coat" and report everyone to the IRS (or other fine government > agency)? In this scheme, all employees are pseudonymous so a disgruntled worker would have nothing to report. > > . What if a company does not pay as expected - other than adopting > Assassination Politics, what method could an employee use towards getting > their expected remuneration for work done? A company could not afford to have such a loss of reputation. Nobody is going to work for a company that doesn't pay its employees. > > . Wouldn't everyone need to have two jobs (or source of regularly > accepted cash), in order to be able to pay for services where suppliers do > not accept virtual cash transactions? (TCM has mentioned before about the > need to pay for some things in tiny quantities - like quarters for a phone > call, etc.) I think that this could be solved by having services which could exchange ecash for real cash and real cash to ecash. 
Also, such a system could be used for fully anonymous ecash -- sort of like a remailer for virtual money.

- -- Mark

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm at voicenet.com              | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/    | d61734f2800486ae6f79bfeb70f95348
((2b) || !(2b))                    | Old key now used only for signatures
"The concept of normalcy is just a conspiracy of the majority" -me

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv

-----END PGP SIGNATURE-----

From unicorn at schloss.li Fri May 17 21:38:50 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Sat, 18 May 1996 12:38:50 +0800
Subject: Fingerprinting annoyance
In-Reply-To: <01I4QVHPIRS68Y5E90@mbcl.rutgers.edu>
Message-ID:

On Wed, 15 May 1996, E. ALLEN SMITH wrote:

> From: IN%"unicorn at schloss.li" "Black Unicorn" 15-MAY-1996 00:00:25.51
> >On Tue, 14 May 1996, Timothy C. May wrote:
>
> >> At 3:22 PM 5/14/96, Matthew Williams wrote:
> >> >Although knowingly providing a fake social security number when one
> >> >has any expectation of gain is, I believe, a felony.
>
> >> >42 USC. sec. 408.
>
> >Note the key provisions, for gain, and when submitted to those entitled to
> >the number legally.
>
> But is "entitled to the number legally" meaning anyone who _must_
> have the number legally (IRS & other government agencies, those dealing with
> the IRS, etcetera), or anyone who can require it as a condition of doing
> business? There is a difference between the two, at least according to the
> Social Security Number FAQ that I last read.
> -Allen

It means essentially the IRS and banks. Even banks have little recourse. They make you sign a piece of paper that says you gave them the right SSN, but practically speaking no one cares.
Equifax (a credit reporting agency) refuses to take bank records as evidence of SSN's because they KNOW the banks don't care or enforce and that people lie to or make mistakes to the bank on a daily basis. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From declan+ at CMU.EDU Fri May 17 21:57:39 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sat, 18 May 1996 12:57:39 +0800 Subject: (legal) Re: CDA Dispatch #10: Last Day in Court In-Reply-To: Message-ID: Excerpts from internet.cypherpunks: 15-May-96 Re: (legal) Re: CDA Dispatch. by Michael Froomkin at law.mia > If the legal issue was presented for decision below, and forms a part of > the notice of appeal, then it is properly preented to the court of appeal, > regardless of what the court below actually did. Any other rule would Speaking of appeals, I've been thinking about what happens with the CDA. Okay, so we have two court cases going on, the Shea v. Reno case in NYC and the coalition lawsuits combined in Philly. What happens if the DoJ loses both the NYC and Philly cases and (as they said they would) appeals to the Supreme Court. Won't they take the weaker of the two cases, which is Shea's? And what happens if we win but Shea loses -- does the DoJ appeal in Philly and Shea appeals in NYC? If we lose, does our appeal automatically go to the Supreme Court? The language in the statute is unclear here -- it only specifices what happens when the law is declared unconstitutional. But if it isn't, can't the DoJ argue that our appeal should go to the Third Circuit instead? -Declan From tcmay at got.net Fri May 17 22:03:27 1996 From: tcmay at got.net (Timothy C. 
May) Date: Sat, 18 May 1996 13:03:27 +0800 Subject: Rural Datafication (Was Re: Edited Edupage, 9 May 1996) Message-ID: At 9:10 PM 5/15/96, E. ALLEN SMITH wrote: > I've gone even farther than that - I don't bother with having a TV, I >just get my info from the net. There is the problem with the satellite net >links that it tends to concentrate data production & distribution into >relatively few hands, from which it can easier be taken by government and other ... Just to make it clear, the _least_ of _my_ reasons for having a satellite dish and televisions in general is to "get info." (Though even when I do want to "get info," I tend to turn to CNN, CNBC, PBS, etc., and not to use the generally short summaries that are carried on the Net, sans video of course.) I won't argue for television pro or con...I'm sure most folks here have met people who are religiously anti-television and who radiate superiority in pointing out that the last time they saw a television program was when "Nicholas Nickleby" was broadcast. Whatever. But having both a video/satellite system and, obviously, a Net/Web system, they are very different things. To each their own. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." 
From vipul at pobox.com Fri May 17 22:03:59 1996 From: vipul at pobox.com (Vipul Ved Prakash) Date: Sat, 18 May 1996 13:03:59 +0800 Subject: Securing CDROM from piracy In-Reply-To: Message-ID: <199605151949.AAA00160@fountainhead.net> > > On Wed, 15 May 1996, Vipul Ved Prakash wrote: > > > We have developed a multimedia resource that will be cut on a CD-ROM for > > retailling. Since we don't have our own distributers newtwork we will be > > collobarating with another firm for distribution. Is there any way of making > > sure that the guy doesnt pull a fast on on us? Can we ensure that he cannot > > duplicate the thing and start selling it without sharing the profit. Or > > alternatively is there any protocol we could follow that will ensure a fair > > game? > > > Think serial numbers that are cryptographicaly secure. If you're the > only one giving them out and only to registered users, nobody can pirate > without it being traced back to them. Basically have your softrware > disable itself after say 30 days unless a serial number is enterded. Enlighten me! keeping in mind that the distributer will be cutting the CD and the customer will never be in contact with us. Cheers, Vipul -- .od8888bo. \|/ .d%::::88::888b. (@ @) .d888::::::::8:888%. ------------------oOO-(_)-OOo----------------- 88888:::::::88888::%. You walk across with your flowers in your hand d888888:::88;888888::b Trying to tell me no one understands 888888888:888888888888 Trade in your hours for a hand full of dimes Y8888888::::::888888%P Gonna make it baby in our prime. '8888888:::::::8888:%' ---------------------------------------------- '88888888:::888888%' Vipul Ved Prakash Fax : +91-11-3328849 '8888888::88888%' Positive Ideas. Internet : vipul at pobox.com '"Y88%B8P"' ---------------------------------------------- From declan+ at CMU.EDU Fri May 17 22:33:49 1996 From: declan+ at CMU.EDU (Declan B. 
McCullagh) Date: Sat, 18 May 1996 13:33:49 +0800 Subject: SEVERE undercapacity, we need more remailer servers FAST In-Reply-To: <199605151758.KAA25847@jobe.shell.portal.com> Message-ID: Excerpts from internet.cypherpunks: 15-May-96 Re: SEVERE undercapacity, .. by Hal at shell.portal.com > After all, what is the purpose of anonymous remailers? It isn't really > to allow harrassing and abusive messages to be sent to one's enemies. > And it isn't to defeat intellectual property laws by proving that no one > can stop this material from being posted (remailers can't succeed in > doing this, as I said above). Rather, I view remailers as a natural > extension of encryption. Has anyone considered how the online copyright legislation being considered in the House and the Senate may affect anonymous remailers? There are some interesting provisions, such as requiring the provider of a service or a network to take steps including "removing, disabling, or blocking access to the material claimed to be infringing." Also, each ISP would have to register an agent with the U.S. Copyright Office to accept service, etc. By my reading, anonymous remailers don't follow into the "local exchange, trunk line, or backbone" provisions of the law. The legislation likely will move through Congress largely intact -- at least that's the reading I got from the House judiciary subcommittee today. -Declan From qut at netcom.com Fri May 17 23:02:17 1996 From: qut at netcom.com (Dave Harman) Date: Sat, 18 May 1996 14:02:17 +0800 Subject: Defeating fingerprints In-Reply-To: Message-ID: <199605172219.PAA20898@netcom11.netcom.com> ON > > On Tue, 14 May 1996, Be Good wrote: > > > Burglars and safecrackers sand the ridges off. > > > > This sounds like it'd work, but quite tedious. > > Belt sander and a light touch. I'm going to try this sanding experiment sometime. When I get around to it, I'll post the results here. 
(pressing hard with inkpad and paper) Shellac or epoxy glue does NOT work, if the thickness is at all managable. Tried it, The ridges always find a way to get through. It also provides a weaker bond to dry skin than you'd expect. The thicker the more likelihood of peeling off. Even Krazy Glue. (The UL BS is false.) -- Serenity, Etc. From jimbell at pacifier.com Fri May 17 23:15:45 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 18 May 1996 14:15:45 +0800 Subject: Past one terabit/second on fiber Message-ID: <199605160409.VAA18751@pacifier.com> At 10:38 PM 5/15/96 -0400, Alan Horowitz wrote: >Hey, let's build faster and faster fiber-optic networks. Let's create >bandwidth so cheap that it won't even pay to meter it. > >Yes, the world's problems will be solved if we have more and more people >talking longer longer and longer on the telephone, sending each other >more and more pages of faxes and e-mails, creating more Web pages, >playing virtual reality games. Anything and everything must be done to >encourage people to occupy and consume bandwidth. > >Now that's progress, don't you think? Yes, I do! Because these activities don't just happen by themselves, they take the place of other activities which were formerly done in their place. The trivial example of sending letters has been replaced by email. Shopping (by foot or by car) is now a web activity. Telecommuting for many is an option, and will be more so in the future. In fact, I would say that one of the best results of Internet connectivity has been a strong increase in political awareness. We just recently had the "Tax Freedom Day" which should alert you that our own time has been co-opted by government for its own ends. Web activity is low-energy consuming, not particularly risky, and is actually fun for many. Eventually, people may take "Virtual Reality Vacations" where they can visit without travel. Since you spend more time at home, you are less subject to crime. Is this progress? 
Damn right it is! It saves gas, food, human lives, and what will eventually be a great deal of money that won't have to be spent on transportation facilities. It will eventually get us out from under the yoke of tyranny, which should be the ultimate goal. True, it's _different_ than what we're used to, but that's okay. If anything, that's why some people will resist it, but that doesn't make them right.

Jim Bell
jimbell at pacifier.com

From markm at voicenet.com Fri May 17 23:17:26 1996
From: markm at voicenet.com (Mark M.)
Date: Sat, 18 May 1996 14:17:26 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
In-Reply-To: <199605152129.OAA17878@dns2.noc.best.net>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 15 May 1996 jamesd at echeque.com wrote:

> What do I need to do to support a remailer that posts to non binary
> newsgroups? (I do not have root control on a unix machine other than my
> employers machine, for which I am unlikely to receive approval to use
> in this fashion.)

There are a couple of different ways that a remailer can be used to support mail-to-news. The easy way to block binary posts, is to scan the first few lines of the message for "begin xxx pic.jpg" and it could also scan for base64. Also, messages that are sent to a newsgroup could have a maximum length.

One way that mail-to-news works, is that the message has newsgroup headers and it is directly passed to inews for posting. In this case, the headers could be scanned for any binary newsgroups. If mail2news software is being used which creates a mailing alias for each newsgroup, then the e-mail addresses of all the binary newsgroups could be placed on the block list. Unfortunately, you do need root access to set up such an alias. If you don't have root access, then grepping the newsgroups header for binary newsgroups before piping the message to inews is probably the best way.
- -- Mark
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm at voicenet.com | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348
((2b) || !(2b)) | Old key now used only for signatures
"The concept of normalcy is just a conspiracy of the majority" -me

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv

iQCVAwUBMZuQkbZc+sv5siulAQFNoAP+IWzzPLqx8chkfLIWsY53Gesst6m6mReS
uLYmWE4lCnuKK0T3UqD7PmsS4rNjsz1Vc+fj7/vQIDAI7OV0znZpWT3ZjWJMwckX
u62DvWXqsve2YWHDQAxdzW/IY+4iEQHXJmVSZbV6sw/ycF20+2yeYjDQlPzOoADJ
rP+oxEaCCHg=
=AS4M
-----END PGP SIGNATURE-----

From llurch at networking.stanford.edu Fri May 17 23:20:59 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 18 May 1996 14:20:59 +0800
Subject: (Fwd) New Anonymous Remailer
In-Reply-To: <199605152317.SAA28399@cdale1.midwest.net>
Message-ID:

See http://aka-usa.com/

I'm not sure which is worse -- the "service," or the graphics.

Only $5/month for insecure mail forwarding!

But wait, there's more! http://aka-usa.com/order.html

An insecure web form that takes credit cards!

A ridiculous usage policy!

-rich

From snow at smoke.suba.com Sat May 18 00:00:06 1996
From: snow at smoke.suba.com (snow)
Date: Sat, 18 May 1996 15:00:06 +0800
Subject: [NOISE] Re: Edited Edupage, 9 May 1996
In-Reply-To:
Message-ID:

On Wed, 15 May 1996, Jim McCoy wrote:
> > Are you saying those poor people in rural West Virginia only live
> > there because they are not trying hard enough to get out?
>
> Yes he is. They are poor and it is all their fault.
>
> [flame-bait approaching...]
>
> There are two kinds of libertarians, those who hate the poor and those who
> don't. I always seem to meet the former, I am beginning to suspect the
> latter don't exist.

Hi Mr. McCoy, My name is Petro, and I _am_ a poor libertarian (well, sort of a libertarian, I tend to think they are a little short sighted, and a little too authoritarian to me) Many of us ARE poor.
We may not _like_ being poor, and some of us are working to get out of that situation, but most of us don't "hate" the poor. We (well, I) hate people with their hands out. This is everyone from poor people who _won't_ try to get out of their situation, to Multi-billion dollar corporations that receive government grants for over seas advertising to old people who didn't plan for their "golden years" and expect us to provide the gold.

> Yes, he is. It is times like this that I must count myself among the
> pitchfork and torch wielding mob, if only because I have been cursed
> with a small amount of compassion for those who were not as lucky as I.

Is it evil to ask people to work for their sustenance? Is it evil to ask someone to work to get out of the situation? Is it evil to demand a system based on reward for work, rather than a reward for being a squeaky wheel?

> BTW Mr. Avon, the reason we, the unruly mob of collectivists, socialists, and
> [insert libertarian/anarchist buzzword here] should stick a gun in your
> back and make you cough up money for education is because we can. If you
> don't want to do so, then why don't _you_ move? Are your feet cast in
> concrete blocks?

Because you and your kind have been fscking up every other country on this planet that has achieved a decent technological base. Let US have this one.

Petro, Christopher C.
petro at suba.com
snow at crash.suba.com

From unicorn at schloss.li Sat May 18 00:04:58 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Sat, 18 May 1996 15:04:58 +0800
Subject: Why does the state still stand:
In-Reply-To: <01I4QXLS5GQE8Y5F2B@mbcl.rutgers.edu>
Message-ID:

On Wed, 15 May 1996, E. ALLEN SMITH wrote:

> From: IN%"unicorn at schloss.li" "Black Unicorn" 15-MAY-1996 18:59:01.44
>
> >For these a company running at a constant net operating loss could be
> >formed to purchase cars for resale (funny how no one ever buys them) and
> >manage property (which no one seems to ever lease).
>
> But won't such a company run into tax problems? In other words, the
> IRS is going to look with some suspicion on a company that keeps showing no
> profits (and thus no taxes) but keeps going anyway. They're going to think that
> the owners are making a profit anyway but concealing it - which is the case.
> I'm not sure how to handle this one, other than not owning major property
> (rental et al).
> -Allen

So what, pray tell, is the IRS going to do?

Impose a "we see no income" fine and seize property?

They can audit, but audits are winnable too.

An offshore company simply keeps dropping cash into the local business. That's not a crime. The local business is losing money like crazy, but who is to say they are defrauding per se? Bad business judgment is hardly tax fraud, and how do you know (with a properly blinded ownership) that the assets that are pouring into this company with all these expenses are taxable in the U.S. in the first place?

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From proff at suburbia.net Sat May 18 00:22:48 1996
From: proff at suburbia.net (Julian Assange)
Date: Sat, 18 May 1996 15:22:48 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
In-Reply-To:
Message-ID: <199605180028.KAA23028@suburbia.net>

> Come to think of it, would the Mixmaster package run under Xenix?
> I have a 286 laying around collecting dust...

relay at suburbia.net is running a type2 remailer (mixmaster)

Use at will.

--
"Of all tyrannies a tyranny sincerely exercised for the good of its victims may be the most oppressive.
It may be better to live under robber barons than under omnipotent moral busybodies, The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for own good will torment us without end, for they do so with the approval of their own conscience." - C.S. Lewis, _God in the Dock_
+---------------------+--------------------+----------------------------------+
|Julian Assange RSO | PO Box 2031 BARKER | Secret Analytic Guy Union |
|proff at suburbia.net | VIC 3122 AUSTRALIA | finger for PGP key hash ID = |
|proff at gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+---------------------+--------------------+----------------------------------+

From qut at netcom.com Sat May 18 00:51:28 1996
From: qut at netcom.com (Dave Harman)
Date: Sat, 18 May 1996 15:51:28 +0800
Subject: Forced to your knees by Legal VIOLENCE
In-Reply-To:
Message-ID: <199605180030.RAA06625@netcom11.netcom.com>

ON
> > On Wed, 15 May 1996, Be Good wrote:
> >
> > So what is the expense of setting up a full-featured server
> > like hacktic? Mr. Graves should start up a new server, and
> > tcmay is rich, so he has no excuse.
>
> No, rich is a good excuse for _not_ doing it, unless it can be
> done with total anonymity. If I set up a remailer, on my home computer, as
> an individual, then I am a very little target. I have nothing (well, damn
> little) for anyone to sue me over. What would be the point? They threaten
> to sue me for what? They would spend FAR more than they could ever get out
> of me, and as long as I don't violate any laws, I _might_ be able to get
> "big guns" like the ACLU, EFF etc. on my side to make it a nasty fight for
> no return.

I wasn't thinking of liability, just capacity.

And you don't understand political harassment suits. Would you believe that someone worth $50,000 could be served a $10,200,000 judgement by a jury, fully upheld by the Oregon and U.S.
Supreme courts, Dwelling, business, customers' property seized, 25% of income annexed for 20 years, all by the plaintiff with the assistance of the court, merely for publicly speaking to a crowd, the advocacy of violence, when later that night two members of the audience murdered a stranger apparently following that "advice," with the plaintiff publicly gloating before|during|post trial, that the actual violence was merely a VEHICLE for the SUPPRESSION of the organization of the advocacy of the ENTIRE political spectrum of the defendants?

Ask our resident "free speech for RESPECTABLE dissidents," L. Lurch at stanford.edu (racial capitali$t d0g) for a virulent defense of Co$ style tactics against racists. Ask him about SPLC, Seraw vs WAR, Tom, John METZGER. Straight from the horses ass, go to the library and read 89-93 issues of KLANWATCH to find out what lying oriental anti-racists are ADVOCATING and GETTING.

What the hell is the difference between the anti-racist tactics of Co$ and SPLC, and being forced to your knees by the policeman's nightstick, merely for advocating "moronic" politics? The VIOLENCE to free speech rights is the same.

> Someone like Mr. May has assets that can be gotten, so there is
> potential for gain from a lawsuit against him, both financially and
> otherwise.

Do you really think that SPLC and Co$ sue to raise funds?

> Rich is neither reason, nor excuse. Capability is the issue. It

True, I doubt he would take the risk. What we mean is that once an EASY remailer tech is distributed, THOUSANDS will seriously be interested in it. After all, did the complexity of linux keep 100,000+ unix newbies from learning *ix from scratch?

> would probably be easier for me to run a remailer than Mr. May, not that I
> am better equipped mentally, but (until I started posting to this list).
>
> Come to think of it, would the Mixmaster package run under Xenix?
> I have a 286 laying around collecting dust...

Ugh.
I've got a 386 and 4megs, partitioned and compiled linux, pgp, Mixmaster. It WILL work once mastering the darned thing.

IMHO, the IDEAL remailer is the following:

What CAN be done right now, with anyone with linux and shell unix, account paid by fake name/address with postal money order, is have the linux machine dial up the account, several times a day, process the mailbox, download the mail, process the mail with pgp or mixmaster, upload to account, post/email with the appropriate header lines and VOILA!!

!!!!!!!!!! FULL FEATURED HACKTIC STYLE REMAILER !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Unfortunately I DON'T know how to DO any of this. Doesn't someone else want to crank something out and share? Post around instructions for the clueless to follow. There. The number of full featured remailers increases from 0 to 100-300+.

--
Serenity, etc.

From grewals at acf2.nyu.edu Sat May 18 00:58:45 1996
From: grewals at acf2.nyu.edu (Subir Grewal)
Date: Sat, 18 May 1996 15:58:45 +0800
Subject: [NOISE] Re: Edited Edupage, 9 May 1996
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 15 May 1996, Jim McCoy wrote:

:Yes, he is. It is times like this that I must count myself among the
:pitchfork and torch wielding mob, if only because I have been cursed
:with a small amount of compassion for those who were not as lucky as I.

Compassion requires direction as well. It seems as if you're suggesting that your goals are laudable simply because they manifest compassion regardless of their effectiveness. The argument being made was that the state is extraordinarily inefficient at providing education (unless you consider west point education). Of course it's entirely possible that you don't believe the axiom "I am generous, I am morally superior, the rest of you are narcissist selfish capitalist pigs. I have feeling for the poor and I want to help them any way I can, even if those methods are ineffective". But it doesn't sound like it.
Once again, the argument being made was regarding inefficiency, _not_ compassion or lack thereof. I can have lots of compassion and still believe that handing pink fluffy teddy bears out at street corners is going to do anyone any good.

:BTW Mr. Avon, the reason we, the unruly mob of collectivists, socialists, and
:[insert libertarian/anarchist buzzword here] should stick a gun in your
:back and make you cough up money for education is because we can. If you
:don't want to do so, then why don't _you_ move? Are your feet cast in
:concrete blocks?

That argument can be made on a local level. Not when there are federal mandates requiring public schools and their funding by local govts. Voting with your feet is a reasonable way to permit regional govts. to compete with each other (like in Europe, or between the states). People only make as major a decision as moving from a large country like the US if there is some extremely pressing need, genocide is a good candidate.

hostmaster at trill-home.com * Trills 4 thrills * Blue-Ribbon * Lynx 2.5
"Well, if you can't believe what you read in a comic book, what *can* you believe?!" -- Bullwinkle J. Moose [Jay Ward]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBMZunLhwDKqi8Iu65AQHg2AL+PJ86PA4GATCcx9BG2fyROSbp2nf8LqNg
syYNPHPp+XnJRd6ldUy+A0dL84AtDfA0cKCiNBvSSpd/T05jKpXIuc8dlfiF6skT
GAB7TunZI5tQJTlL4n05ooJGfvqM10k9
=fMFg
-----END PGP SIGNATURE-----

From pgut001 at cs.auckland.ac.nz Sat May 18 01:06:07 1996
From: pgut001 at cs.auckland.ac.nz (pgut001 at cs.auckland.ac.nz)
Date: Sat, 18 May 1996 16:06:07 +0800
Subject: Any DLL's that handle Public Key Encryption or Key Exchange?
Message-ID: <199605180202.OAA09277@cs26.cs.auckland.ac.nz>

Death rays from Mars made Bill Stewart write:

>There's an RSAEURO drop-in clone of RSAREF that's on ftp.ox.ac.uk, so you
>could write a version of your software that lets Yankees and non-Yankees drop
>in whichever version is appropriate without worrying about patent or copyright
>problems.
I've already got a nice fast RSA implementation, so I think I'll stick with that. Besides, I'm not terribly keen on using a library which has stolen code in it. If anyone wants to create an RSAREF version, all you need to do is replace one module (lib_rsa.c) with an RSAREF-compatible version (that's why I mentioned plug-in encryption modules in the docs - you just unplug the existing code and plug in RSAREF instead). What you need to do is use RSAPublicBlock() and RSAPrivateBlock(), the rest is just wrapper code which you can base on the existing lib_rsa.c. My estimate is that it's about an afternoon's work.

>Any RSAREF system used in the US has the problem that it's limited to the
>"official" interfaces, which means you can't do fully general RSA without
>permission.

I got permission from RSADSI to bypass the official interface to RSAREF for HPACK, my archiver which has PGP-compatible encryption, in 1993. However I suspect getting permission for the same thing in a general-purpose library, especially one which has RC2, RC4, and DESX[1] in it, may be difficult since parts of the library are essentially a free version of BSAFE (not by design, they just ended up that way).

[1] Well, it will have DESX once I can get some test vectors to make sure I've got it right. Does anyone have some I can use?

Peter.

From stewarts at ix.netcom.com Sat May 18 01:17:30 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Sat, 18 May 1996 16:17:30 +0800
Subject: Spending a year dead for tax purposes
Message-ID: <199605170659.XAA22441@dfw-ix10.ix.netcom.com>

At 04:35 PM 5/14/96 -0700, Hal wrote:
>I think the intention then is to create "fully anonymous" companies.
>These would be organizations whose principals and employees are known
>only by pseudonyms, even to each other. Their only contact is
>electronic, via an anonymous network. And the employees are paid in
>anonymous ecash, which they don't pay taxes on since it is unreported
>income.
...
>Such companies would be illegal, with everyone involved subject to
>criminal penalties for tax evasion (and no doubt a myriad of other
>violations). But because the anonymity is protected cryptographically,

The companies themselves don't have to be illegal, and the principals and employees may have varying needs for pseudonymity, depending on how they're organized. On the other hand, the governments have different possible responses to different approaches.

For instance, an Anguillan company Aliceco owned by a non-American could sell software products, either its own (produced by contractors from unspecified countries) or distributed for other vendors (Bobware, in an unspecified country, delivered via the net.) It wouldn't be illegal in Anguilla. Its developers/subvendors might be breaking local law by not reporting the digicash Aliceco paid them, but that's not Aliceco's problem - especially if Aliceco bought/hired them from Caribsoft, another Anguillan company. And Caribsoft may not know where they live - after all, _it_ doesn't have tax forms to fill out, and it doesn't care where Fred at Foomail.fi or JaneDoe at mailbox.Jersey.uk lives.

If Yankees or US companies owned Aliceco and Caribsoft, they'd presumably have to report it for taxes if it made money, but a local owner making a few percent is in a different position.

Now, the US government _could_ declare a 50% import duty on imported software (avoiding the uncollectability of income tax) which would of course be evaded. The government could respond to this by requiring all software to include a serial # and the TaxID number of the vendor (if the vendor is an importer, then she'd have to have Customs Receipts or other documentation of US origin to expense her costs for tax purposes.) In this environment, the employees would have to remain unknown to the US, but might be known to the Aliceco or Caribsoft.
Of course, Alice may be a Fed, or Caribsoft employee Paul may be a Plant, so there are some benefits to pseudonymity; depends on how paranoid you need to be.

Or they could declare Anguilla to be an Economic-Terrorist Enemy, covered by the Trading With The Enemies (Especially Cuba) Act. Restricting acceptance of foreign digicash would be difficult.

# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus inoculation

From stewarts at ix.netcom.com Sat May 18 01:17:32 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Sat, 18 May 1996 16:17:32 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
Message-ID: <199605170432.VAA23960@dfw-ix9.ix.netcom.com>

At 02:29 PM 5/15/96 -0700, you wrote:
>What do I need to do to support a remailer that posts to non binary
>newsgroups? (I do not have root control on a unix machine other than my
>employers machine, for which I am unlikely to receive approval to use
>in this fashion.)

1) You either need lots of patience, or you need to really _not_ care about people getting spammed from your remailer. The patience is because you'll get some flames, and you really should read the remailer-operators at c2.org newsgroup to keep track of spammers or spammees that you need to block. Most of the remailers make it easy to block based on origin or destination of messages by putting a pattern in their block files. Adding content blocking is just a Simple Matter of Programming, but it's getting to be necessary given some of the spams to newsgroups these days, such as posting hate articles with a victim's name attached.

2) You need a machine that will accept nntp news postings from you. It's probably much more convenient if you can get the postings to go out with your own domain on them (jim.com is fine; isp.net is okay, employer.com is bad, employer's-isp.com is less bad.) Play around with the machine you're getting your newsfeed from.
3) You need a news-capable remailer; I've got a modified ghio2 downloadable from http://idiom.com/~wcs/remailer.c ; modify the relevant #defines for your remailer's information, compile and go.

4) I suppose if you're going to hack the remailer anyway, you could add a feature that adds a trailer like
==================================================================
This message was posted from the anonymous remailer at www.jim.com.
Send any complaints to webmaster at www.jim.com .
Please don't post any copyrighted material longer than fair use quotations.
And did you know that Scientology's highly overpriced documents say that ""
===================================================================

# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus inoculation

From stevenw at best.com Sat May 18 01:25:59 1996
From: stevenw at best.com (Steven Weller)
Date: Sat, 18 May 1996 16:25:59 +0800
Subject: RISKS: YANSF (Yet Another Netscape Security Flaw)
Message-ID:

Reposted from RISKS:

----------------------------------------------------------------------
Date: Fri, 17 May 1996 17:11:34 -0400
From: Ed Felten
Subject: Netscape 2.02 RISK

SECURITY FLAW IN NETSCAPE 2.02

We have discovered an attack that allows a Java applet running under Netscape Navigator 2.02 to generate and execute arbitrary machine code. The attack combines a new security bug found by Tom Cargill with some ideas previously discovered by the Princeton team. We have implemented a demonstration applet that deletes a file.

We are not yet releasing technical details.

For more information, contact Ed Felten (felten at cs.princeton.edu, 609-258-5906), or see http://www.cs.princeton.edu/sip/News.html

Tom Cargill
Independent Consultant
http://www.csn.net/~cargill/

Dirk Balfanz, Drew Dean, Ed Felten, Dan Wallach
Dept.
of Computer Science, Princeton University
http://www.cs.princeton.edu/sip/

------------------------------

-------------------------------------------------------------------------
Steven Weller       | Weller's three steps to Greatness:
                    | 1. See what others cannot
                    | 2. Think what others cannot
stevenw at best.com | 3. Express what others cannot

From tcmay at got.net Sat May 18 01:41:43 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 18 May 1996 16:41:43 +0800
Subject: "Too cheap to meter"
Message-ID:

At 2:38 AM 5/16/96, Alan Horowitz wrote:
>Hey, let's build faster and faster fiber-optic networks. Let's create
>bandwidth so cheap that it won't even pay to meter it.

"Too cheap to meter"? Wasn't that what nuclear power promised in the 1950s?

(I'm actually a supporter of nuclear power, for a variety of reasons, so this is not meant as just a cheap shot against nuke plants. But this was one of the "selling points" of nuclear, later shown to be a falsehood.)

Alan's irony is well-placed. The most egregious repetition of the "too cheap to meter" nonsense is George Gilder's "dark fiber" vision...a vision of "infinite bandwidth" to all users.

Guess what? If Gilder's "dark fiber" is ever built, there are a lot of folks who will "fill it" rather quickly. Canter and Siegel were just the beginning. "Too cheap to meter" goes away pretty quickly.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
From jf_avon at citenet.net Sat May 18 01:47:51 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Sat, 18 May 1996 16:47:51 +0800
Subject: Why does the state still stand:
Message-ID: <9605160159.AA19427@cti02.citenet.net>

------- Forwarded Message Follows -------
From: Self
To: Black Unicorn
Subject: RE: Why does the state still stand:
Reply-to: jf_avon at citenet.net
Date: Wed, 15 May 1996 20:47:38

On 15 May 96 at 21:19, Black Unicorn wrote:

> Well then, AP will simply not work in the large scheme of things. It
> cannot be used to enforce anonymous transactions. The scope of
> transactions that can be made anonymous is so large so as to make AP
> an incomplete justice system. Moreover it will simply motivate
> others to use more anonymous transactions, and into the cycle of
> AP's downfall we go.
>
> AP will have "An ever increasing share, of a shrinking market."
>
> This, in itself, may be enough to prevent AP's implementation.

Well, you might have a point. And I hope so. The AP scheme finds its uses mainly against govts or non-anonymous large entities that are perceived as coercive in nature. I do not think that it will become prevalent in the inter-individual interactions.

What I hate about the scheme is that I see it being used for pulling down people that are too good at what they do. I never pretended that petty feelings, jealousy and envy do not exist. I can see at least half of the business people putting a price on another half of a given field.

I personally believe that most people were taught screwed-up ethics and that therefore, they are highly unpredictable.

But I doubt that AP won't get started locally for various reasons and various uses.

As for Jim Bell's opinion that it might overtake govt, it might be true. After all, the initial reason for anonymity, if not for conning somebody else but to protect oneself from government's point of view... An anonymous transaction system would become hunted down by govt pretty quickly.
They could probably prosecute zip out of anybody but OTOH, they could very well make life a living hell for many individuals. The natural reaction for some of these individuals would be to seek/set-up an AP server. And from that moment, the news and reward would be known around the world within a short time, even to people not connected to the net.

JFA

DePompadour, Societe d'Importation Ltee; Limoges porcelain, silverware and crystal
JFA Technologies, R&D consultants; physicists, technologists and engineers.
PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891
Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have accepted the above mentioned terms.

From jimbell at pacifier.com Sat May 18 02:17:43 1996
From: jimbell at pacifier.com (jim bell)
Date: Sat, 18 May 1996 17:17:43 +0800
Subject: Why does the state still stand:
Message-ID: <199605160426.VAA20543@pacifier.com>

>A related
>problem is that of government agents signing on.
> Both of the above are made more acute by the possibility that some
>information, if revealed, might enable the government to disrupt activities -
>even if it doesn't enable prosecution. Making sure that the participants have
>a strong stake in behaving properly - e.g., shares in the outcome, ecash
>deposits, and - most importantly in dissuading governmental intervention -
>reputation riding on it.

Remember the old saying, "The best defense is a good offense." Another way to say it is to notice that it's usually far easier to disrupt another person's intricate activities than to do them yourself: In a contest in a closed room between a person building a house of cards and another person trying to knock them down, the latter person can be expected to easily win. Making a profit or salary is work; compared to this, collecting taxes is like knocking it down, and the tax collector has an advantage.
But if you turn this around, and attack the attacker, the advantage is now in the hands of those trying to paralyze the tax system.

>The last is most important in dissuading governmental
>intervention because of the reserves of wealth the government is likely to have
>for some time; they can afford to pay (using your and my tax dollars) for
>the short-term costs to a subject.

On the other hand, the government also has enormous "obligations" that keep it close to bankruptcy. It wouldn't take a great deal of interference in its ability to collect taxes to put it solidly in the red based on current receipts.

And remember, if the individuals who populate government could be persuaded that their tenure would be forcibly shortened if they didn't resign, they wouldn't stick around. Once that cohesiveness of jointly sucking on the government tit is eliminated, I think they'll cut and run. These people are working for a fat paycheck and the promise of a retirement package, and it wouldn't take much convincing to show them that they won't get either for very long. I'm convinced that's why so many Senators and Representatives are leaving office at the end of their current term, for instance.

Jim Bell
jimbell at pacifier.com

From jbugden at smtplink.alis.ca Sat May 18 02:20:59 1996
From: jbugden at smtplink.alis.ca (jbugden at smtplink.alis.ca)
Date: Sat, 18 May 1996 17:20:59 +0800
Subject: Edited Edupage, 9 May 1996
Message-ID: <9604168322.AA832264836@smtplink.alis.ca>

Perry Metzger wrote:
>As long as this is now CypherCesspit and not CypherPunks, I might as well play the game.

Thinking of game theory, couldn't the prisoner's dilemma apply to this; where what is best for the group is not necessarily best for the individual.

>Every year since World War II, expenditures in real dollars have increased per pupil at the government schools. Every year, average class size has gone down in the government schools.

I would be curious to know your source for this information.
The information I have indicates that in California when Ronald Reagan became governor, 80% of the funding for state universities such as UC Berkeley and UCLA came from the public purse. Last year, only 24% of the funding came from the government. I would have trouble believing that the overall school system was radically different.

The teenage children of a visiting Brazilian professor commented that no other country was like Canada in the sense that people here received a low cost education and did not go destitute. Contrast this to their situation in Brazil where off duty police officers are often hired by merchants to get rid of the street urchins that disrupt their businesses. See current edition of French Photo magazine (cover Ayrton Senna's ex girl friend) for a pictorial.

Scientific American (June 1995) has an article entitled The Arithmetics of Mutual Help - Computer experiments show how cooperation rather than exploitation can dominate in the Darwinian struggle for survival. To paraphrase, cooperation arises naturally in most biological systems. Lone defectors do well, but by spreading, defeat themselves. (See: CypherCessPool for example).

I appreciate my free public education. I might not have been so forward thinking if I had to go deeply into debt to finance it myself.

>Actually, I believe most people on this list argue for no government or so little that its decisions hardly matter.

I agree. Unfortunately, that would seem to put me in the minority.

James

>Perry

jbugden at alis.com
What we do not understand, we do not possess. - Goethe

From tcmay at got.net Sat May 18 02:24:45 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 18 May 1996 17:24:45 +0800
Subject: Why the Poor are Mostly Deserving of their Fate
Message-ID:

At 3:18 AM 5/17/96, snow wrote:
>On Wed, 15 May 1996, Jim McCoy wrote:
>> There are two kinds of libertarians, those who hate the poor and those who
>> don't. I always seem to meet the former, I am beginning to suspect the
>> latter don't exist.

By the way, I certainly don't "hate the poor," as a class. More on this in a bit, but I certainly was not raised in a wealthy family, and I started my working career living in a tiny (and I do mean tiny) studio apartment in Santa Clara, CA.

> Hi Mr. McCoy, My name is Petro, and I _am_ a poor libertarian
>(well, sort of a libertarian, I tend to think they are a little short
>sighted, and a little too authoritarian to me) Many of us ARE poor. We may
>not _like_ being poor, and some of us are working to get out of that
>situation, but most of us don't "hate" the poor. We (well, I) hate people
>with their hands out. This is everyone from poor people who _won't_ try to
>get out of their situation, to Multi-billion dollar corporations that
>receive government grants for over seas advertising to old people who
>didn't plan for their "golden years" and expect us to provide the gold.

Agreed. I was a libertarian (and a Libertarian, I guess, as I voted for the first LP candidate, John Hospers, in 1972) even when I was poor, in college. (No car, and I declined to attend MIT or Stanford, both of whom had accepted me, as their costs would've been an unduly-large burden on my parents.)

Once working and ensconced in my tiny little studio apartment, I worked my butt off, working 10 hour days, 6 days a week, and sometimes some 16 hour days (no overtime). I made it a point to save as much as I could, foregoing various immediate gratifications that many in my cohort were partaking of.

By the time I'd been working for 6-8 years, things really started to pay off, financially and professionally. I put the money I'd saved into small companies I thought would do well...companies like Sun, Apple, Genentech, and, of course, my own company, Intel.

By the time I'd worked there for 12 years, I'd accumulated enough in savings and investments to never work again.
So I bailed out and have lived the last 10 years doing as I please. (Still sounds good to me.) My point? Some of it was luck, some of it was hard work, some of it was my native abilities. But I saw some of my fellow engineers fail to invest, fail to save...and they are mostly still working. And of course I saw many in the "larger community" who spent their paychecks, who saw their earnings go up their nose (remember, this was the 1970s and 80s), and who found as many ways as they could to avoid hard work. An important point is this: it wasn't all "luck." At least not in the sense of luck at a roulette wheel. In fact, nearly all of my cohorts who worked hard and invested wisely really did well. (And people starting out can do just as well, perhaps even faster than my cohort did...look at the 3-10x increases in stock prices in less than 2 years of so many companies!) The effects are obvious: some of those who failed to study, prepare, work, save, and invest are now seeking to use "democracy" to take away the assets of those who did all these things. Many of them talk about "privilege" and claim that "white males" got all the benefits, conveniently ignoring that the same benefits were available to any of the Asians, women, or, indeed, coloreds, who similarly studied, prepared, worked, saved, and invested. Some of them now claim that we libertarians "hate the poor," that we lack "compassion." I'm tempted to say "Fuck them," but that would be rude. Instead, I'll say that those who think "the poor" are being victimized by "the rich" should take a close look at how wealth is actually created. It is only partly "luck" that is responsible for success. I look at the vast number of new markets and new fortunes that have been created since I stopped working, and I am more convinced than ever that anyone who is willing to work in a field which is in demand and who keeps up with developments, works hard, shows initiative, etc., will do extremely well. 
Sadly, about 60% of the adult population of the U.S. doesn't think this way, doesn't have "the culture of success," and instead looks to the government to give them benefits, handouts, and jobs. These people are headed for the scrap heap. Strong crypto builds walls against this unruly mob. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From root at edmweb.com Sat May 18 02:49:47 1996 From: root at edmweb.com (Steve Reid) Date: Sat, 18 May 1996 17:49:47 +0800 Subject: [NOISE] Re:Rural Datafication (via RFC 1149) Message-ID: Hmm... Maybe this could be a low-cost way to get rural areas connected to the internet? The RFC says it's primarily for metropolitan areas, but I believe it could be equally effective in rural areas. :) (BTW, this is a "real" RFC. I got it from ftp.internic.net.) ---------------------------------------------------------------------- Network Working Group D. Waitzman Request for Comments: 1149 BBN STC 1 April 1990 A Standard for the Transmission of IP Datagrams on Avian Carriers Status of this Memo This memo describes an experimental method for the encapsulation of IP datagrams in avian carriers. This specification is primarily useful in Metropolitan Area Networks. This is an experimental, not recommended standard. Distribution of this memo is unlimited. Overview and Rational Avian carriers can provide high delay, low throughput, and low altitude service. 
The connection topology is limited to a single point-to-point path for each carrier, used with standard carriers, but many carriers can be used without significant interference with each other, outside of early spring. This is because of the 3D ether space available to the carriers, in contrast to the 1D ether used by IEEE802.3. The carriers have an intrinsic collision avoidance system, which increases availability. Unlike some network technologies, such as packet radio, communication is not limited to line-of-sight distance. Connection oriented service is available in some cities, usually based upon a central hub topology.

Frame Format

The IP datagram is printed, on a small scroll of paper, in hexadecimal, with each octet separated by whitestuff and blackstuff. The scroll of paper is wrapped around one leg of the avian carrier. A band of duct tape is used to secure the datagram's edges. The bandwidth is limited to the leg length. The MTU is variable, and paradoxically, generally increases with increased carrier age. A typical MTU is 256 milligrams. Some datagram padding may be needed.

Upon receipt, the duct tape is removed and the paper copy of the datagram is optically scanned into a electronically transmittable form.

Discussion

Multiple types of service can be provided with a prioritized pecking order. An additional property is built-in worm detection and eradication. Because IP only guarantees best effort delivery, loss of a carrier can be tolerated. With time, the carriers are self-regenerating. While broadcasting is not specified, storms can cause data loss. There is persistent delivery retry, until the carrier drops. Audit trails are automatically generated, and can often be found on logs and cable trays.

Security Considerations

Security is not generally a problem in normal operation, but special measures must be taken (such as data encryption) when avian carriers are used in a tactical environment.

Author's Address

David Waitzman
BBN Systems and Technologies Corporation
BBN Labs Division
10 Moulton Street
Cambridge, MA 02238
Phone: (617) 873-4323
EMail: dwaitzman at BBN.COM

From jimbell at pacifier.com Sat May 18 02:49:53 1996
From: jimbell at pacifier.com (jim bell)
Date: Sat, 18 May 1996 17:49:53 +0800
Subject: Past one terabit/second on fiber
Message-ID: <199605160153.SAA05576@pacifier.com>

At 07:09 PM 5/15/96 EDT, E. ALLEN SMITH wrote:
> One problem with the development of such high-end technologies is that
>they tend to increase economies of scale to the point where it's impractical to
>have anything but a monopoly or oligopoly. As well as concerns about the degree
>of control such an organization may be able to exert in and of itself (acting
>like a government, in essence), there's also that such an organization is
>easier to pressure than a lot of small providers. Anyone have a suggested
>solution, or reasons that I shouldn't be so worried?

I think there are a number of reasons you shouldn't have to worry, at least about these technologies per se. What these technologies do is dramatically lower the cost of supplying the service, both allowing the usual providers to cut prices and in fact forcing them (via the market) to do so. Fiber, for example, lasts "forever," and effectively has an unlimited bandwidth compared to most needs, which means that it has little cost other than the initial installation, amortized over time.

You might as well forget about this 1 Tb/s fiber, for example. In order to justify such a thing, you need to have 1 Tb/s of information that you want to take from "here" to "there". A city of 1 million people would have to have a 1 Mbit/sec/person data appetite to fill that fiber, and you'd have to have a huge data infrastructure just to collect all that data in the same place. (Which would, in itself, require a mass of fibers of lower capacities.) There would probably be no need for this, either, since the data would probably not all be coming from/going to the same location. Probably the only place where 1 Tb/s fiber will be needed in the next 20+ years is undersea links, and even that is questionable.

There's also the "all the eggs in one basket" problem. Send your data on 12, 80 Gb/s fibers and you have substantial redundancy. Send it on one fiber and you're more subject to downtime due to individual component failure.

Secondly, fiber can be upgraded in an exceedingly economical, though granular way. As I observed a few years ago, a given cable way initially had only a single cable installed though it had capacity for three. And some of the fibers installed were probably not used immediately, due to lack of need. Finally, the fiber was probably only driven initially at a comparatively low speed (maybe 400 megabits/s, for example) but could have been later upgraded to 2.5 Gb/s, or perhaps even higher. Upgrading under those conditions is extremely cheap.

The main thing we need to worry about is allowing those people with the fiber to exert influence over us to an extent greater than the cost of supplying that data-transmission service would reasonably allow. (The nosy landlord problem.) Ideally, they'd provide the fiber, we'd pay for it at a reasonable rate, and they'd be satisfied. The alternative, a busybody policy, is only practical to force on customers when the product being supplied is supply-limited. Since fiber cost is dropping like a rock, and capacity will outstrip demand for the foreseeable future, there is no reason we should be limited to deal with only one organization.

Jim Bell
jimbell at pacifier.com

From tcmay at got.net Sat May 18 02:50:18 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 18 May 1996 17:50:18 +0800
Subject: Java & signed applets
Message-ID:

At 3:02 PM 5/16/96, Lyal Collins wrote:
>Signing anything is somewhat a waste of time, unless the verification
>software is highly trusted, and there is good integrity/authenticity
>control of the root public key(s).
>So, in general - ho hum - until trusted hardware is available on the
>desktop.

Unless I am misunderstanding your message (terseness has its disadvantages), this is not really true.

* Checking the signature on a signed applet is a kind of "sanity check" on the source of the software. It is rather unlikely, I think, that a malicious agent will corrupt or infect one's verification software so as to make untrusted applets look trusted. (Ignoring what "trust" means for now.)

* To wit, if you (Lyal Collins) run a signature verification applet downloaded, say, from Sun, and some time has passed and you have heard no reports that, say, Silicon Graphics broke into Sun and replaced all of Sun's applets with a malicious version, and if you have checked Sun's signature against published values (that is, you have used a public key widely disseminated, and not repudiated), then you can very probably "trust" this signature-checking procedure.

(One can construct fanciful scenarios in which one's OS has been corrupted, one's microprocessor has been replaced, etc., but these are clearly fringe events. All security is economics....)

(Note: I expect at least one person to argue that this is indeed a concern. Again, look to economics. How do you _really_ know that your "mother" is really your mother, and not a stranger who entered your life minutes after your birth? How do you _really_ know that a vending machine of Cokes is not able to detect your presence and give you a poisoned can of Coke?)

* If one's basic signature-checking hardware and software is not compromised, signature checking works. If it _is_ compromised, you've got bigger problems. And no cryptographic system can really handle this issue.

Oh, and I disagree also with the last point: "So, in general - ho hum - until trusted hardware is available on the desktop."

What, for example, is "trusted hardware"? How does a user ever know that his hardware was not compromised at the chip factory, for example? (Not that I think this is a reasonable thing to worry about at this point, given much larger problems all around us, but I mention it to show that one gets caught in a recursive process in which one can of course never be absolutely certain of anything. The Solipsist view of things is internally consistent.)

So, I'll take my chances that applet signing will be a welcome extra level of protection against malicious applets. Others are free, of course, to instead worry that their machines are insecure and the signature-checking software has cleverly been replaced by some agent trying to get them to download a malicious applet.

(Of course, if They can corrupt one's crypto software, they can do all sorts of other bad things, and probably don't need to wait for you to download an applet to start doing them.)

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From jimbell at pacifier.com Sat May 18 02:53:08 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 18 May 1996 17:53:08 +0800 Subject: Past one terabit/second on fiber Message-ID: <199605180328.UAA23861@newmail.pacifier.com> At 09:23 PM 5/17/96 -0400, Alan Horowitz wrote: > >> >Now that's progress, don't you think? >> >> Yes, I do! Because these activities don't just happen by themselves, they >> take the place of other activities which were formerly done in their place. >> The trivial example of sending letters has been replaced by email. > > E-mail is cool. E-mail is lovely. I use it enthusiatically. It is >not the same thing as sitting down with a fountain pen and and some fine >stationary. I feel sorry for your significant other if your loveletters >go by e-mail. So you've found one specific instance where you don't think it's appropriate to send email. Big deal! Try again. >Yes, let's get people away from reading books. Hey, there's computer >games to play, burn that library down, will you? Want people to read books? Okay, first put the hurdle in front of them that they must go to the library. (This is particularly a hurdle for children, when not in school, because they can't drive.) Then, if the book(s) they want to read is already checked out, make them wait 1+ months until it returns. Make them come back to the library to get it, and make them return it the same way. See why some people DON'T read books? >Quantity of life is not the same as quality of life. You're misrepresenting form over substance. Information is no more valuable or trustworthy on paper than on electrons. Jim Bell jimbell at pacifier.com From tcmay at got.net Sat May 18 02:58:02 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 18 May 1996 17:58:02 +0800 Subject: The Crisis with Remailers Message-ID: At 9:29 PM 5/15/96, jamesd at echeque.com wrote: >Some nyms are valuable, most are valueless by design. All remailers >should be valueless by design. 
The penet.fi remailer design is >unsatisfactory precisely because it penet.fi is valuable, hence a >target. If it gets shut down a lot of people lose their nyms, >causing much inconvenience. I agree with this point, and the similar points made by Hal Finney and by several others. We have far too few remailers, they are too tempting as targets, the use of "mail-to-News" gateways is formally separable from the function as a remailer, and there is generally a stagnation in the deployment of new and varied kinds of remailers and their modes of operation. We used to discuss remailer architecture, topology, functionality, and "ideal behavior" quite a bit a few years ago, but seldom do here on the Cypherpunks list anymore. Various reasons: same old discussions, commercialization of Mixmaster-type remailers (so I hear, and Lance Cottrell can clarify this if this is indeed a factor) may be inhibiting free discussion of planned features, and perhaps the discussion is going on elsewhere (on remailerpunks, or the remailer operator's list). (I'm surprised there have been no "Master's Thesis"-level analyses of remailers and the modeling of them. I had expected by now at least a couple of such studies. Even better, some even more advanced studies. The "theory of remailers" was partly laid out by Chaum in his 1981 "Untraceable E-Mail" short article--at the CSUA site at Berkeley, last I checked--but much has happened since then. A practical analysis is needed. Note: the recent paper on remailers by the SAI researcher and another is _not_ what I meant...that was just put together from Raph's page, other sources, and a few days worth of Web searches, as near as I can tell.] A much richer ecology of remailers is sorely needed. 
A factor of at least 10 or 20 more (100-300 remailer sites), less reliance on specific sites, an "everyone a remailer" capability (which has many elegant advantages!), more traffic, temporarily instantiated sites, digital postage, greater ease of use (especially with crypto and chaining), and such things as nominal terminal remailers choosing to add their own hops (so as to lessen their own target potential). Having some of these improvements will be a big help. In the past we have discussed many ideas related to this; I sure don't have the energy right now to recapitulate the points made over the years. Cf. my Cyphernomicon for some general features, at least as of mid-94. Also, the archives, if they ever become available again. Yes, things are stagnating at this time. Not because we discuss "off-topic" things (as we sure did in 1992-3, for example!), but for various other reasons. I suspect the enemies of remailers will sense victory and will try to force the remaining remailers to shut down or at the least to severely restrict operations. From a high of perhaps 25 remailers, we may soon be down to less than a dozen. These remaining sites will feel even more pressure. The upcoming War on Intellectual Property Piracy, with opening shots against China already fired, will put even more heat on remailers. (A remailer can't just "block" copyrighted material. It ain't practical. And digital mixes (remailers) should not, obviously, be looking at content of packets mailed. (Only the last, plaintext, message can be looked at if things are done right, but I surmise from comments by remailer operators that a lot of the traffic is not encrypted at all, and that the operators do in fact take a few peeks at what's flowing through their systems....more evidence that we are very far indeed from Chaum's ideal digital mixes.) Yes, a crisis has been brewing for months. --Tim May Boycott "Big Brother Inside" software! 
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From rah at shipwright.com Sat May 18 02:58:20 1996
From: rah at shipwright.com (Robert Hettinga)
Date: Sat, 18 May 1996 17:58:20 +0800
Subject: HUGE denial of service attack against any ecash customer!!!
Message-ID:

Ian Goldberg seems to be on a roll. First he figured out how to find out how anyone can determine anyone else's ecash mint balances, and now he does this.

The man's a genius. If you don't believe it, ask me, I'll tell you. ;-).

Cheers,
Bob Hettinga

--- begin forwarded text

To: ecash at digicash.com
Path: not-for-mail
From: iang at cs.berkeley.edu (Ian Goldberg)
Newsgroups: isaac.lists.ecash
Subject: HUGE denial of service attack against any ecash customer!!!
Date: 15 May 1996 16:09:29 -0700
Organization: ISAAC Group, UC Berkeley
Lines: 42
Sender: owner-ecash at digicash.com
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

(Again Cc:'d to ecash-feedback, hoping for a security prize. I wonder who's keeping track... Also Cc:'d to cypherpunks, for fun...)

So I had some more free time... (Dave cringes when I say that.)

Here's a cute one: Give me an account number, and I can prevent it from being used until an arbitrary time in the future (of my choosing).

How? Simple. Send a deposit message with 0 coins (well, any message will work, I think, but this is one of the simplest messages there is) with a timestamp of some future time. Messages stamped prior to that (such as everything coming from the actual user for that account, until the time comes) will be politely discarded. (Actually, I think the last reply to a withdrawal request is continually resent, but I'm not exactly sure of this.) In any case, the actual user will be unable to withdraw money from his mint until the time sent in the denial-of-service message. (Unless he forward-dates his computer's clock, or something...)

I've tested this against myself and Sameer (with his cooperation, of course). Anyone else want to be locked out for an hour? (Actually, I could pretty effectively lock out _everyone_ for an arbitrarily long time, it seems...)

   - Ian "Right. I want the sources to the client and the server released. Now." :-)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMZpj3kZRiTErSPb1AQF0SAQAmOEZJTg0v3utWFodDXZ4iv4xa7I+QbNQ
Nlsbkug8dtkdf+Jboe+vBtrs5IWSSff8bWntGwfODckct26NwzpVM9bUIXohVoRQ
jOkRT9a8m/X00jUAoFOTq5O5Rz87a3Uw8MGFugP5Y4DCk+UqnTA70cuozyOCgb8m
8oke89V9Q0E=
=ARMe
-----END PGP SIGNATURE-----

--- end forwarded text

-----------------
Robert Hettinga (rah at shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA
"If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo
The e$ Home Page: http://thumper.vmeng.com/pub/rah/

From attila at primenet.com Sat May 18 03:01:08 1996
From: attila at primenet.com (attila)
Date: Sat, 18 May 1996 18:01:08 +0800
Subject: SEVERE undercapacity, we need more remailers
Message-ID: <199605180409.VAA08193@primenet.com>

Addressed to: Black Unicorn Cypherpunks

** Reply to note from Black Unicorn 05/15/96 6:29pm -0400

= I would really like to see a remailer that is somehow blinded.
=
on a message basis --it is not really possible if the logs are maintained or the fed are already monitoring the stream --which is probable if they are after something --and it will increase geometrically if we get Bubba again.

there are a number of very sophisticated ways to play the game, but each requires a real "Web of Silence" --what makes your counterpart reliable? where do we establish that "Web of Trust" which everyone bandies about. who are the two plants for our current chain? or is this just another case of sowing dissension by the feds? I only know two or three at most of the players on the remailers at all --and that is a passing knowledge, not acquaintance. = I don't know enough about how mail paths are generatered, but is it = impossible to conceal the origin of remailer postings? = impossible to conceal each orientation, but I have been playing with several easy techniques which are sufficiently obfuscatory that the Feds will not have the horsepower to break them unless someone provides them with the methodology --that in itself violates how we (cp) have always insisted on 'post it' and get on with the attempted destruction. even if they break the methodology, they gain very little v. the technique. = Postings made to remailernym at alpha.c2.org would be spit out = somewhere but = without accountability? = sure, possible if you wish to play the game with a "Web of silence." = Impossible? Would do wonders defeating traffic analysis. = no, not impoosible. just who wants to be responsible for something the NSA assholes can not own --and compromise? they get down right shitty when they kick your door down in the middle of the night as take your carcass away --if nothing else works, off to Springfield you go --without charges --lest we forget the crippled president or Hustler magazine --that is what they did to him _before_ they convicted him, _and_ after. = I'd consider running a remailer, but after listening to the response to = the anonymous poster a while back, it sounds like there are few if any = simple options which do not require major time and effort to setup and = run. 
= you can run it out of your client account on an IAP --there's nothing special about it in a simplified form. I could support a remailer point if I could manage to get the necessary "Web of Silence" counterparts --one them preferable foreign. BTW, it does not need to be complex to add another level of confusion. usually the best offensives are the simplest. == = Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com = is this subtle, crass, or just not? -- Overseeing first-rate programmers is a managerial challenge roughly comparable to herding cats. From jimbell at pacifier.com Sat May 18 03:02:02 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 18 May 1996 18:02:02 +0800 Subject: Why does the state still stand: Message-ID: <199605152248.PAA09484@pacifier.com> At 12:34 PM 5/15/96 +0000, Jean-Francois Avon wrote: >On 15 May 96 at 0:45, Ed Carp wrote: > >> The problem, however, is twofold - (1) the government will >> play mind games on the rest of the population to make you look like >> a terrorist, or whatever turns the populace against you, > >Well, first of all, we should find how much of the population >*really* believe in what govt says. There is a difference between >the politically correct opinion that Joe & Jane Public give to a >poll interviewer and what they really think. > >Second, you suppose that Joe & Jane Public really like and approve what >they understand from what the medias say. I think that Ed Carp recognizes that these caveats were somewhat valid based on a pre-Internet era, when control of news and information was relatively centralized in newspapers and TV networks. Then, you were told what to think (although it wasn't quite phrased this way) and few people got an alternative story. But as you correctly point out, it is getting harder to pull the wool over the eyes of the public when they can get alternative information. >And finally third, this system does not work according to the will >of a majority. 
It wouldn't take too many peoples who believe that the >medias and their perceived lack of integrity is widely responsible >for the way the world goes right now, to have a substantial prize put >on the head of the medias. >Therefore, any journalist with two+ working neurons will realize >that sticking to the most objective facts available would be the best >way to build a great reputation while sticking to govt propaganda >would be a great way to attract a prize on his head. I don't think anybody in the media is going to have the guts to stick with the government as it sinks into the depths, torpedoed by its own technological inventions. The big names can just resign and keep their wealth; the small fish have no long-term credibility or hope to achieve the levels of their predecessors. >So, to see how AP will make the system evolve, you have to assess >the communication capabilities of govt vs the individual. This is >central to AP and the nature of actual govts. This is *why* the >internet is *so* dangerous to any govts that seek to either retain or >increase their power, even if it actually touches only but a tiny >portion of world population. > >For the first time in the history of humanity, we have a peer to >peer communication capability and an individual-to-world broadcasting >capability that is not controllable in practice by any other entity >(such as law, high finance, etc) > > >The explains fully why the various govts what to find a way to >enforce internet laws, breakable crypto schemes and non-anonymous >protocols. I expect that few government workers have any idea how dangerous the net is going to be to them in the next few years. The various proposals we've been seeing, such as Clipper and others, are probably the product of a very few strategists who began worrying in the early 1990's about the fate of centralized government systems. 
It will be interesting, someday, to talk to these people who monitor us, and ask them when they thought their position was hopeless. >JFA >PLEASE NOTE: THIS POST DOES NOT MEAN THAT I ENDORSE MR. BELL'S >SYSTEM. MY RATIONNAL CONCLUSIONS ABOUT IT'S INTERNAL MECHANICS >AND IT'S INTRINSIC LOGICS DOES NOT MEAN THAT I LIKE NOR ENDORSE >THE SYSTEM. I SIMPLY CONCLUDED THAT IT IS IMPOSSIBLE TO PREVENT >THE SYSTEM FROM BEING IMPLEMENTED. IMO, IT IS UNAVOIDABLE. I understand your...uh...caution. But as scary as it may be to "us," it's going to be even more terrifying to those it is likely to eliminate. Sort of the difference between two parachute jumps: With and without a parachute! Jim Bell jimbell at pacifier.com From hfinney at shell.portal.com Sat May 18 03:02:04 1996 From: hfinney at shell.portal.com (Hal) Date: Sat, 18 May 1996 18:02:04 +0800 Subject: Why does the state still stand: Message-ID: <199605161419.HAA05109@jobe.shell.portal.com> From: "E. ALLEN SMITH" > I did not > include offshore.com.ai in Anguilla due to its high cost; I consider anything > over 25$ a month to be impractical. > > _Country/Area_ _Name_ _Email_ > Anguilla Cable & Wireless webmaster at candw.com.ai > [...] Thanks very much for making this list. However I would not be so quick to reject http://offshore.com.ai. It is run by long-time Cypherpunk Vince Cate, apparently specifically for the kinds of purposes we are discussing. His project was discussed in a recent issue of Wired, I think the May issue. (I have no contact with Cate, and have never met him as far as I can recall.) For doing something like running a remailer which will post material which is illegal and/or copyrighted in the U.S., you are going to need a service which can stand up to pressure. Presumably some monetary incentive is going to be a necessity. Of course by this standard $25 a month is pretty inconsequential. 
One issue is whether these banking-secrecy countries like Anguilla are followers of the Berne convention or other international copyright regulations. Banking secrecy and software piracy don't necessarily go hand in hand. I hear a lot about copyright violations in China but not in the Caribbean. So actually it isn't clear that this country is the right location for a remailer that can post arbitrary material.

As for the costs to the remailer operator, he simply passes those on to his customers. I think in the long run onshore remailers will be forced to take measures to restrict copyright-violating posts. So if your choice is between paying nothing and not getting your whistle-blowing message posted, or paying $10 and getting it out on the nets, then hopefully it is worth that much to you.

We have discussed for-pay remailers and the consensus has been that no one would use them when others run for free. However now I think the false premise is being exposed, that free remailers simply will not be able to run in the current mode for much longer. Once a single remailer operator has been fined thousands of dollars because somebody posted some copyrighted message, I don't think you will find many people eager to sign up as operators.

So this dream of a volatile collection of remailers popping up and going away just doesn't work in my view. Why would anyone offer a service knowing that he was exposing himself to liability like this? It would be just a game of Russian roulette, waiting to see whether it is your remailer which gets the bullet in the form of a post which violates the copyright of someone with deep pockets.

Hal

From ben at bb-soft.com Sat May 18 03:15:51 1996
From: ben at bb-soft.com (Benjamin Brochet)
Date: Sat, 18 May 1996 18:15:51 +0800
Subject: crosspost re remailers
Message-ID: <1379719292-14657485@bb-soft.com>

WHO IS THE MODERATOR OF THIS LIST ?

I've been victim of a spoofing from a German.... he subscribed me to 2200 mailing list...
also I'd like to be unsubscribed from your list !

---------------------------------------------------
IBB Software - Benjamin Brochet - Solutions InternetI
I Creation - Hebergement - Consulting - Formations I
I I
I http://www.bb-soft.com - ftp.bb-soft.com I
I info at bb-soft.com I
---------------------------------------------------

From Clay.Olbon at dynetics.com Sat May 18 03:16:04 1996
From: Clay.Olbon at dynetics.com (Clay Olbon II)
Date: Sat, 18 May 1996 18:16:04 +0800
Subject: Edited Edupage, 9 May 1996
Message-ID:

At 1:32 PM 5/15/96, Jim McCoy wrote:
>There are two kinds of libertarians, those who hate the poor and those who
>don't. I always seem to meet the former, I am beginning to suspect the
>latter don't exist.

I think there is a great deal of misunderstanding here. I can speak for no one other than myself, but I don't "hate the poor", nor do I feel no compassion towards misfortunate people. However, I have to be realistic - I approach problems analytically, not emotionally. My emotions tell me that spending more money is a good thing. My reason tells me that we have "been there, done that" and it DOESN'T WORK. After spending more than a trillion $$ on the "War on Poverty" we are worse off than we were before. Can anyone point to ANY evidence that this money was well spent? If not, then why should we spend more? It is time to look for new solutions.

At 9:09 AM 5/15/96, Doug Hughes wrote:
>Where is somebody making less than $5000/year going to move to?
>(Answer: somewhere rural and poor). Or, if you prefer, they can
>move into tax-payer subsidized housing? (I'd prefer not, thanks)

Why wouldn't your income change when you move? In my area, you can make over $6/hour working at McDonalds ($12K/year). I know several people who work two jobs. I know of families (almost all immigrants BTW) that work their tails off running small businesses. It isn't about education, it is about hard work. Of course hard-work can help to get a good education.
also Doug Hughes:
>environment, lack of education, lack of money, lots of factors. Nobody
>is holding a gun to anybody's head saying "Don't Read". But improving
>literacy is a goal that needs to be undertaken. Do you not agree that
>low literacy is a bad thing and needs to be taken care of? If not, why
>not? Naturally, you can't force someone to read who doesn't want to.
>But, why, given a good learning environment and an inspiring teacher
>would you not want to?

So how do we go about making education better? More money doesn't work, having a net connection probably won't help, even having more computers doesn't make a substantial difference. It all comes down to the fact that people need to be responsible for their own actions. Nowadays, you can grow up illiterate, and expect to get food stamps, free housing, welfare, etc, the cash equivalent of which approaches $20K/year in many places. Or you can become a capitalist and make big $$ selling "illegal substances". These "consequences" are the result of people with good intentions, thinking with their emotions instead of their minds. Maybe it is time to become callous and see how that works. Can things get much worse?

Clay

---------------------------------------------------------------------------
Clay Olbon II | Clay.Olbon at dynetics.com
Systems Engineer | ph: (810) 589-9930 fax 9934
Dynetics, Inc., Ste 302 | http://www.msen.com/~olbon/olbon.html
550 Stephenson Hwy | PGP262 public key: on web page
Troy, MI 48083-1109 | pgp print: B97397AD50233C77523FD058BD1BB7C0
TANSTAAFL
---------------------------------------------------------------------------

From nobody at c2.org Sat May 18 03:16:25 1996
From: nobody at c2.org (Anonymous User)
Date: Sat, 18 May 1996 18:16:25 +0800
Subject: SMTP Server for sending to anonymous remailers?
Message-ID: <199605180530.WAA03258@infinity.c2.org>

Does anyone know of an anonymous remailer that has an SMTP server (hopefully unlogged) that I can specify in a special variant of the "sendmail.cf" sendmail configuration file for sending mail to anonymous servers? I use a PPP connection, and right now I'm using my ISP's default server and I don't like the idea of logs being kept, even though the messages themselves are chained/encrypted. Maybe I'm "paranoid", but if I wasn't, I probably wouldn't bother with PGP, C'punk remailers, etc.

From unicorn at schloss.li Sat May 18 03:29:48 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Sat, 18 May 1996 18:29:48 +0800
Subject: Fingerprinting annoyance
In-Reply-To:
Message-ID:

On Wed, 15 May 1996, Paul S. Penrod wrote:

> On Tue, 14 May 1996, Black Unicorn wrote:
> > Paul S. Penrod wrote:
> > > I know of no such instance (other than some informal "fingerprint the
> > > kiddies for safety" schtick) where it's a do-it--yourself operation.
> >
> > Not _technically_ perhaps. But in most cases it's a
> > go-down-to-the-police-station-and-have-them-sign-the-card operation. Who
> > is it that can tell a random signature from a police signature exactly?
> > Like I said, standard print cards are available at the GPO.
>
> That's fine, but tell me it's going to play at the clearance level...It
> won't.

Agreed. I never claimed this.

> > > Doesn't always work. Partials can be extrapolated to yield a
> > > relative match.
> >
> > Depends on what you are looking to do. If your goal is to deter random
> > searching through a national database, mutilation will probably be very
> > effective. If they have the prints of the murderer (you) and you're a
> > suspect, mutilation aside from actually removing the fingers isn't going
> > to do anything.
>
> If there is a serious crime involved, partials are sufficient to make the
> "guest list" if there are other mitigating factors to even suspect you
> might be involved.
That doesn't mean you'll make it to the top, but it
> can certainly cause some painful scrutiny.

Again, it depends on the degree of "mutilation." Distortion of major features is fairly effective even against partial attempts which are matched by computer.

[Latex]

> > > Won't work. The hands are checked first for signs of tampering.
> >
> > See above about tech end around.
>
> Again, process will work, but not allowed in context of clearance.

Concur.

> Scraping the fingertips runs the risk of leaving trace marks that are
> just as good as the ridges you tried to remove - even better if you've
> left finger prints as a result. The point to the game is not to search
> any database, but to produce a verifiable match with evidence at the
> scene of any crime. In the case of a clearance, it is to start or
> validate an identification process. IF validation is unobtainable via
> fingerprints, then the issuing body can employ other means (such as
> retinal scans) or deny clearance all together.

Careful. Even Central Intelligence Agency print requirements are for criminal background check only. They will run through FBI files and so forth and keep the prints for their records, but they are rarely if ever used as identification verification per se.

This is because not everyone in the world has fingerprint files floating around. If you are getting printed for the first time ever and you distort or mutilate, there's nothing to compare to. Further, if you just distort, your prints later might not match well when computer searches a nationwide database (which excludes CIA employees in any event).

It's all about application.

To repeat, if you're looking to "establish" a false print index, distortion is a good way to do it.

If you're looking to evade a search which has already narrowed you down well, hack off some fingers.
> ...Paul

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From unicorn at schloss.li Sat May 18 03:40:24 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Sat, 18 May 1996 18:40:24 +0800
Subject: Fingerprinting annoyance
In-Reply-To:
Message-ID:

On Wed, 15 May 1996, Paul S. Penrod wrote:

>
>
> On Tue, 14 May 1996, Black Unicorn wrote:
>
> > On Mon, 13 May 1996, Paul S. Penrod wrote:

[...]

> > > First off, if you were born in the US, they have your feet and/or hand
> > > prints on record.
> >
> > Incorrect.
> > Several states do not bother to print infants at birth.
> > Several hospitals do not bother to follow state guidelines in those states
> > which do so require.
>
> Which ones specifically?

Illinois doesn't much care. Michigan had no requirement at all, some hospitals did, some didn't bother to print infants at birth. This was usually to avoid baby switching and such and records were dumped later on. Wisc. never much seemed to care until about 5 years ago when someone tried to pass a law. I don't think it ever passed, but I'm not sure. There is no standard consensus on this.

In Illinois it was estimated last year that 9% of births were outside of hospitals. Thousands if not millions of people have no prints on record.

How large precisely do you think the FBI's national records are? FBI + Local law enforcement? FBI + Local + administrative? I'd be very surprised to find out it was larger than 100 million, or ~1/3 of the U.S. population (any number of which might be records of dead people).

> > It is one of the great advantages of the United States that no
> > standardized procedure for person identification exists.
Seals and
> > certificates vary from jurisdiction to jurisdiction. Cross the border to
> > a state and a hospital birth announcement is enough for a drivers license,
> > cross again and 4 pieces and a note from mom isn't enough.
> >
> > Be careful with disinformation please.
> >
>
> My point is not about the variance of seals and certificates (I have at
> least 6 different ones prove it from 4 different states). That is a
> given. It is that prints have been a generally accepted practice for some
> time now. IF you want to make the case and go back to the early days
> (pre-WWII), then people like attila and a few others don't have them -
> and I'll concede the point on that basis.

Again, the point is that states can't decide if they want the task of printing and sorting and collecting and storing such records. It's not cheap. Even if it were, some states just don't care.

If you're trying to tell me that few if any unsolved cases involving "unmatched" prints were committed by people younger than 55-60, I think you might reconsider. That's what your "everyone since WWII" statement implies. If that is so, why does the FBI maintain thousands of active "waiting for print-person link" records for unsolved cases?

Either
1. - Not everyone born is printed
or
2. - Hospitals who print don't bother to submit to state or federal agencies because they (a) are not required to (b) don't much care.

The answer is actually (3) all of the above.

> The information I received has come from inquiries to folks I know within
> the AMA, several different hospital administration staff in various states
> - whose job it is to handle such affairs, and few other people who make
> it their business to know such trivia. IF the information is in error,
> I'll gladly accept correct input. Next time, don't be so quick to accuse
> without inquiring to context. I'm not J.Bell.

Again, even what the AMA says has little to do with state and individual hospital practice.
Of the printing that goes on, most infant identification is done for internal hospital records, and most involves ONLY foot prints.

> ...Paul
>

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From unicorn at schloss.li Sat May 18 03:50:29 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Sat, 18 May 1996 18:50:29 +0800
Subject: Why does the state still stand:
In-Reply-To: <9605160023.AA14246@cti02.citenet.net>
Message-ID:

On Wed, 15 May 1996, Jean-Francois Avon wrote:

> On 15 May 96 at 18:42, Black Unicorn wrote:
>
> > Potential, but you can manage risk with things like dead drops from
> > trusted parties to forwarding agents to offshore drops to....
>
> I can just visualize a trusted party dropping discreetly a bright
> yellow Caterpillar D-12 in a dead letter box... ROTFL!

When the NSA ordered large workstations from a supplier they had the supplier leave them at a motel parking lot in Maryland. Many such stories exist in the intelligence community. That's standard procedure for some appropriations where the installation location is secret and the vendor is untrusted or marginally trusted.

If you have two trusted parties, and the transaction is secret then unless you have a mole or something else, who is going to say the item was sold?

Leave semi-trailer in truck stop parking lot, second cab comes and picks it up and drives away. This too hard to comprehend?

> Sorry, but I couldn't resist. I just *love* silly humor...
>
> > Realization means that there is a changing of hands or of forms of
> > assets. Income tax and taxes on currency now are dependent on such
> > transactions.
Someone already noted the problems with just taxing
> > possession on a given date of e.g., inventory. To tax efficiently
> > you have to tax an event of transfer.
>
> Why? is it because of the nature of a transfer, it lends itself more
> to reporting and detecting? Or is it simply because of the legal
> system structure?

All three.

> > That's what anonymous transactions are for.
>
> If anonymous transactions are feasible, so will be the AP scheme...
> AP can be, in a way, characterized as a weapon because it behaves
> like one. And no weapon in the history of humanity remained unused.

No. I have an anonymous transaction with you. You feel I cheated you. Who are you going to direct the massive juggernaut of the AP machine against? Eh?

> > I forwarded two large segments of the work to the list, yes. If
> > you, or anyone else on the list, would like copies, let me know.
>
> These were the first two that constituted part 1 of 4. I wondered if
> you posted the other parts. If so, tell me so I can get to the
> archives.

No, and I don't believe I will be posting them.

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From EALLENSMITH at ocelot.Rutgers.EDU Sat May 18 03:54:53 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 18 May 1996 18:54:53 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
Message-ID: <01I4QY0BQT188Y5F2B@mbcl.rutgers.edu>

From: IN%"hfinney at shell.portal.com" "Hal" 15-MAY-1996 19:23:06.71

>Maybe the operators can try to plead that they are like "common carriers"
>and should not be blamed for what people post.
Still it is going to take
>deep pockets at best to prevail in this dispute, and it isn't even clear
>that the remailer will win. Maybe the lawyers on the list could comment
>on legal liability of a remailer used to repeatedly post copyrighted
>material, whether Scientology scriptures or Microsoft Word binaries. I
>don't see how it can happen.

Part of this problem may be solved through the proper decisions on the liability of ISPs for material on them. The concept would seem to be extensible. If a country has A. good laws on the subject and B. a pretty good court system - e.g., one in which it's difficult to sue and easy to defend - that country would seem to be suitable for setting up a remailer front end. Other remailers can just be used for chaining, and can't be proven to have carried a message (even unknowingly) without defeat of the remailer system via traffic analysis. (A reason for remailer operators to run automatic mailing scripts, BTW.)

>This was the basis for my suggestion that remailers may have to stop
>supporting posting of messages, and instead be used for private mail
>between consenting individuals. Granted, this would probably eliminate
>99% of non-cover remailer traffic. But I would argue that as long as the
>core functionality is there of letting people communicate with each other
>anonymously and consensually, we would still offer an important service.

In other words, a remailer that would only forward mail to someone if the email address in question gave consent? Mailing lists and mail-to-news gateways can still be signed up by their operators under such a system, and it's possible the remailer might be charged along with the operator if copyrighted material was posted.

>Encryption hides the contents of the messages you send from
>eavesdroppers. But they can still see who you are communicating with.
>Remailers extend privacy protection beyond "what you say" to "who you say
>it to".
When used with pseudonym servers and some of the extensions we
>have discussed here over the years (maildrops, etc.), they can allow the
>anonymous two-way communication that is needed for real privacy.

How much use is a pseudonym if you can't practically use it for building reputation capital? It's hard to do that when you can't send to anyone but individuals, instead of to publicly available sources.

One idea would be bonded pseudonyms. If you put up an adequate bond to the remailer front end operator (to A. pay fines and B. cover any legal fees), then you get to send to public fora. This would also be profitable for the remailer operator, if he/she got to keep the interest (assuming deposit into some investment).

-Allen

From hector at DB.Stanford.EDU Sat May 18 03:57:29 1996
From: hector at DB.Stanford.EDU (Hector Garcia-Molina)
Date: Sat, 18 May 1996 18:57:29 +0800
Subject: SIFT service moving to Reference.COM
Message-ID: <199605162214.PAA18034@Coke.Stanford.EDU>

Dear SIFT Subscriber:

Stanford University is pleased to announce a new partnership with InReference, Inc. which will significantly enhance your service. Under the terms of the agreement, Stanford is transferring the SIFT service to InReference. InReference will make the SIFT functionality available through its Reference.COM service (http://www.reference.com/).

To minimize the disruption in your service, your queries will be automatically migrated to Reference.COM. The service will remain free of charge.

We believe InReference is an excellent home for SIFT. The Company has the infrastructure and support necessary to provide you with a high quality service. In addition, InReference has added many interesting new features to the service:

* More Content
  - 6+ month archive of more than 13,000 news-groups.
  - The Internet's largest archive of publicly-accessible mailing lists (soon to exceed 1,000).
* Advanced Search Capabilities
  - Powerful filtering: Interactively refine your search using message header fields such as author, organization, conversational thread, newsgroup/e-mail list.
  - Query Templates: Identifying and entering the right newsgroups and mailing lists to search can be tedious. InReference has formulated a few query templates which pre-select the right newsgroups and lists for a particular topic.

* Web and E-mail Accessible
  - Submit queries and receive results via e-mail or at the Reference.COM web site.

You will receive a welcome notification from InReference in June, along with an (initial) username and password. In most cases, this should be identical to your existing SIFT username/password.

Thank you for your ongoing interest in SIFT.

Sincerely,

Tak Yan, SIFT Architect
Hector Garcia-Molina, Principal Investigator, Digital Library Project
Department of Computer Science
Stanford University

Q: Who is InReference?
A: InReference is a startup located in the NASA Ames Technology Commercialization Center in Silicon Valley. InReference has strategic partnerships with a number of well-known companies. These partnerships help provide the infrastructure to supply you with a first rate service: database technology from Oracle, search engines from Verity, servers from Sun, high speed Internet access from Pacific Bell, and high speed RAID storage from Storage Computer. InReference also has a great team of programmers dedicated to providing a quality service. Our technical team includes Eric Allman, the creator/developer of sendmail and Professor Hector Garcia-Molina, Principal Investigator of the Digital Library Project at Stanford University.

Q: How will people access the Reference.COM service?
A: Queries can be submitted and the results retrieved via the web (http://www.reference.com) or by e-mail. See their web page for details.

Q: If it's free of charge, how does InReference pay for the service?
A: Through the generosity of strategic partners, and advertising.

Q: Is InReference's query syntax the same as SIFT's?
A: No. To provide additional functionality, InReference has extended and changed the SIFT query syntax. Send e-mail to info at reference.com if you have further questions.

Q: How do I discontinue my service?
A: There is syntax to support an array of account management activities, including account termination.

From unicorn at schloss.li Sat May 18 04:12:05 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Sat, 18 May 1996 19:12:05 +0800
Subject: Senator, your public key please?
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

I was running around the hill all morning and I thought I would drop in on Leahy to see what his key signing policies were.

I gave Leahy a buzz to see if I could catch him in person but unfortunately it's a busy day on the hill and he sent me off to Beryl Howell instead. Ms. Howell is Senior Counsel for the minority staff of the Antitrust Subcommittee and handles all of Leahy's encryption gofering. I'd dealt with her on a limited basis once before, and I got a good 10 minutes to discuss some issues before she had to run off elsewhere.

The issues she brought up were interesting.

Firstly, Leahy wasn't advised to issue a public key, it was entirely his idea. No staff suggestion there.

Secondly, the Ethics Committee was very interested in the issue. As of now they have ruled that "exchanging" PGP signatures is an "exchange in kind" and an ethics violation. Ms. Howell expressed exasperation over this lunacy, but put it much this way: "No, you guys don't understand what the issues are here, but I don't have 3 hours to explain it all to you either."

Apparently the ethics committee is concerned that a signature from Leahy's key will constitute some sort of endorsement and the "you sign mine and I'll sign yours" looks like influence peddling.
Part of the problem was that several politically oriented groups approached Leahy's office and descended like vultures on a carcass, all of them wanting to certify his key.

No signing from Senator's keys for the time being.

She said the ethics committee went so far as to prohibit them from soliciting signatures from others as well. Her conservative (and reasonable) interpretation was that she couldn't hand over a fingerprint of the key for signing purposes.

As things stand now Ms. Howell intends to try and educate some of the key Ethics members over the August break and have a decent signing policy after the break itself.

Welcome to the hill.

Those of you who haven't might want to check out the May 2, 1996 version of the Promotion of Commerce on-line in the Digital Era (Pro-Code) bill.

Nice choice snippet:

The current strength of encryption the U.S. government will allow out of the country is so weak that, according to a January 1996 study conducted by world-renowned cryptographers, a pedestrian hacker can crack the codes in a matter of hours. A foreign intelligence agency can crack the current 40-bit codes in seconds.

Also:

"Encryption expert Matt Blaze, in a recent letter to me, noted that current U.S. regulations governing the use and export of encryption are having a "deleterious effect... on our country's ability to develop a reliable and trustworthy information infrastructure."

See: http://www.senate.gov/~leahy/

For some reason http:/www.leahy.senate.gov/ is also listed.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Autodocument signed

iQCVAwUBMZtRLWqgui0rHO4JAQHRywQAgClfWZTLDCusKaAlefg53DShaCII6+vF
O4X9a6vCZDWtIE0Nu7Nx/75K6zDo7AdjfqfYcAdLq4WW4F0FBH7u55+MYKUjDJ3X
YFuxk9aPQSJzkgITK4EzGfHNswONkybuhAGo/6mcvJ8E2QW5rxUKRFxh7BLo7fmV
CrEpvhzsycU=
=uWRd
-----END PGP SIGNATURE-----

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From root at edmweb.com Sat May 18 04:19:30 1996
From: root at edmweb.com (Steve Reid)
Date: Sat, 18 May 1996 19:19:30 +0800
Subject: CSIS Supports Crypto (fwd)
Message-ID:

For what it's worth...

---------- Forwarded message ----------
Date: Thu, 16 May 96 20:00:38 EDT
From: David Jones
To: efc-talk at insight.dcss.McMaster.CA
Subject: CSIS: growing threat of economic espionage

CSIS warns that Economic Espionage is growing
- Strong encryption may be one line of defence -
by David Jones

OTTAWA -- The Canadian Security Intelligence Service, CSIS, wants Canadian corporations and government departments to be aware of the growing problem of "economic espionage". This is distinct from "industrial espionage", which is just company-on-company spying; "economic espionage" is state-sponsored.

I spoke briefly with Ted Flanagan, who is the National Coordinator for Economic Security and Proliferation Issues, for CSIS.
After hearing him make his pitch on the TV news, I wanted to ask him about a possible conflict between, on the one hand, Canadian law enforcement, which seems reluctant to see strong encryption become widely used and, on the other hand, CSIS, which seems to be implying that government departments and private companies should take active steps to protect themselves, including the use of strong encryption.

Here's a few of his comments, (paraphrased)

It's sometimes surprising for people to hear that foreign states do have significant resources and can easily monitor telecommunications, *globally*. Companies have to be mindful of this.

Encryption may not be necessary for everything, but for particular aspects of their business communications, such as bid proposals, online transactions, it may be appropriate.

Obviously there is a law enforcement concern about criminal activity being shielded by the use of encryption, but encryption is now a commonplace and commercially available fact of life. The technology exists and if individuals are going to use it for illicit purposes, then they're going to use it.

The reality, though, is that the Canadian government does have a security policy and they do have encryption requirements. Encryption is the sort of thing that an awful lot of Canadian companies are also using, depending on their resources and needs.

We're working with a community who we feel have a legitimate requirement to ensure that proprietary information is protected. There's no way to reverse the trend of having commercially available software for encryption.

So the bottom line for cops seems to be: Encryption is here to stay; get used to it.

Ted Flanagan also explained CSIS's mandate. It doesn't deal with law enforcement per se, but it is concerned with national security. It advises government departments and alerts private organizations to potential threats. It operates within Canada in a "defensive" capacity.
There's been some speculation that Canada needs an "offensive" intelligence agency that would be able to take steps in foreign countries to further our national interests. (Heck, if they're spying on us, maybe we should spy on them!) Don't bother signing up to be the next Canadian James Bond, though. There's no political support for such an agency any time soon.

Part of the problem with raising corporate awareness of the threat of espionage is that serious incidents are often hushed up because of the damage that negative publicity would cause to the reputation of a big Canadian company. CSIS tries to work with companies on a confidential basis and keeps a private database of incidents they learn about.

So, next time you read a newspaper article about two teenage boys getting busted for running a BBS with pirated software, keep in mind that elsewhere there's *real* cyber-crime that is going down, ... and although you may never hear about it, it's happening on a scale that makes those BBS pirates look like, well, mischievous children.

Here's a random excerpt from the CSIS 1995 Annual Report

"A foreign government is believed to have tasked its intelligence service to gather specific information. The intelligence service in turn contracted with computer hackers to help meet the objective, in the course of which the hackers penetrated databases of two Canadian companies. These activities resulted in the compromise of the companies' numerous computer systems, passwords, personnel, and research files."

URL = http://www.csis-scrs.gc.ca/eng/publicrp/pub1995e.html#economic

- -

From furballs at netcom.com Sat May 18 04:20:29 1996
From: furballs at netcom.com (Paul S. Penrod)
Date: Sat, 18 May 1996 19:20:29 +0800
Subject: Fingerprinting annoyance
In-Reply-To:
Message-ID:

On Wed, 15 May 1996, Black Unicorn wrote:

> On Wed, 15 May 1996, Paul S. Penrod wrote:
> > On Tue, 14 May 1996, Black Unicorn wrote:
> > > Paul S. Penrod wrote:
> <...>
> > > > Doesn't always work.
> > > > Partials can be extrapolated to yield a relative match.
> > >
> > > Depends on what you are looking to do. If your goal is to deter random
> > > searching through a national database, mutilation will probably be very
> > > effective. If they have the prints of the murderer (you) and you're a
> > > suspect, mutilation aside from actually removing the fingers isn't going
> > > to do anything.
> >
> > If there is a serious crime involved, partials are sufficient to make the
> > "guest list" if there are other mitigating factors to even suspect you
> > might be involved. That doesn't mean you'll make it to the top, but it
> > can certainly cause some painful scrutiny.
>
> Again, it depends on the degree of "mutilation." Distortion of major
> features is fairly effective even against partial attempts which are
> matched by computer.

Agreed, but there are other factors to consider. For example, it is not every day that someone runs their fingers over sandpaper (via sander or not). This may indeed destroy the tell-tale finger print initially, but it leaves a distinguishing pattern that can be matched to other evidence such as blood, DNA, fiber, etc. In some instances like this, the computer is useless to match finger prints, and the balance of the decision rests with incriminating evidence.

To wit: the "mutilated pattern" provides key identification if a good print is lifted and matched directly to the suspect - even though a copy of the "new" print doesn't exist.

>
> [Latex] The smart ones use this for starters..
>
> > > > Won't work. The hands are checked first for signs of tampering.
> > >
> > > See above about tech end around.
> >
> > Again, process will work, but not allowed in context of clearance.
>
> Concur.
>
> > Scraping the fingertips runs the risk of leaving trace marks that are
> > just as good as the ridges you tried to remove - even better if you've
> > left finger prints as a result.
> > The point to the game is not to search
> > any database, but to produce a verifiable match with evidence at the
> > scene of any crime. In the case of a clearance, it is to start or
> > validate an identification process. IF validation is unobtainable via
> > fingerprints, then the issuing body can employ other means (such as
> > retinal scans) or deny clearance altogether.
>
> Careful. Even Central Intelligence Agency print requirements are for
> criminal background check only. They will run through FBI files and so
> forth and keep the prints for their records, but they are rarely if ever
> used as identification verification per se.
>
> This is because not everyone in the world has fingerprint files floating
> around. If you are getting printed for the first time ever and you
> distort or mutilate, there's nothing to compare to. Further, if you just
> distort, your prints later might not match well when computer searches a
> nationwide database (which excludes CIA employees in any event).
>
> It's all about application.

I never maintained that the CIA or other body employs more than the standard issue. What I am saying is that there are other methods out there to validate means believed to be compromised - should a situation warrant such invasive techniques. I have never encountered any situation that called for anything other than fingerprints - even inside DoD (which in my opinion can be far more paranoid than the agencies).

>
> To repeat, if you're looking to "establish" a false print index,
> distortion is a good way to do it.
>

Agreed.

> If you're looking to evade a search which has already narrowed you down
> well, hack off some fingers.
>

whatever...

...Paul

From jimbell at pacifier.com Sat May 18 04:20:36 1996
From: jimbell at pacifier.com (jim bell)
Date: Sat, 18 May 1996 19:20:36 +0800
Subject: "Too cheap to meter"
Message-ID: <199605180723.AAA25334@newmail.pacifier.com>

At 06:54 PM 5/17/96 -0700, Timothy C.
May wrote:
>At 2:38 AM 5/16/96, Alan Horowitz wrote:
>>Hey, let's build faster and faster fiber-optic networks. Let's create
>>bandwidth so cheap that it won't even pay to meter it.
> "Too cheap to meter" goes away pretty quickly.

Don't be so sure about that, Tim. While it is probably true that service must be rationed, one way to do that is simply to charge based on the data rate of your modem. When, soon, fiber normally runs at that 20 Gb/sec rate of this new AT+T fiber, that represents about 700,000 connections at 28.8kbps, solid. Based on normal statistical usage, it's probably closer to 3-4 million connections. And that's only one fiber.

Data-transmission companies need to make money, but they don't necessarily have to make that money by measuring actual transmitted data. This is similar to cable-TV companies who (with the exception of pay-per-view) don't charge based on how long you watch TV. The reason, obviously, is that it is no more expensive for them if you watch your TV 24 hours per day, than 5 minutes per day.

Since fiber optic systems don't wear out with usage, and their capacities are exceedingly large, it would certainly be possible for these companies to start charging based entirely on maximum transfer speed.

Jim Bell
jimbell at pacifier.com

From unicorn at schloss.li Sat May 18 04:22:44 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Sat, 18 May 1996 19:22:44 +0800
Subject: Why does the state still stand:
In-Reply-To: <9605152158.AA06933@cti02.citenet.net>
Message-ID:

On Wed, 15 May 1996, Jean-Francois Avon wrote:

> On 15 May 96 at 17:32, Black Unicorn wrote:
>
> > > Again, depending on the context, AP might very well be the only
> > > solution or be no workable solution at all.
> >
> > Now, tell me how AP is a solution if everyone in the corporation is
> > double blinded? Who do anonymous parties put out betting pools on?
>
> Agreed. I just supposed there might be some of the involved entities
> that are not totally anonymous.
> I don't think that you'd deliver
> completely anonymously a bulldozer or any other physical goods to
> some "anonymous" address. Somehow, if the transaction involves
> anything physical, there is potential for an anonymity breach.

Potential, but you can manage risk with things like dead drops from trusted parties to forwarding agents to offshore drops to....

> > Income tax and currency taxes depend on realization events. Even in
> > the strictest sense, realization is a thin and vague concept.
>
> Since I am not a lawyer, would you care to elaborate a bit more on
> that?

Realization means that there is a changing of hands or of forms of assets. Income tax and taxes on currency now are dependent on such transactions. Someone already noted the problems with just taxing possession on a given date of e.g., inventory. To tax efficiently you have to tax an event of transfer. I'm not going to spend hours typing in all the kinds of realization the U.S. system employs.

>
> > Your only remaining option is to tax possession of currency. Good
> > luck.
>
> Why? Don't they already do that through Tax on Capital?
>

No. The tax is a tax on Capital _Gains_. Even this is not taxed until the gain is "realized" (the stock sold or exchanged.. etc.) There is an exception for Personal Holding Companies, or Subpart F income for example, but that's only to the extent there has still been a gain.

If you taxed currency based merely on possession, then do you just tax on the first of every year? That makes it so that if I have $10,000 under my bed, I pay tax on it one year, then I pay tax on it again the next year. Boy, talk about an incentive not to save. There goes the banking industry.

>
> > Again, who are you going to kill?
>
> Nobody. I thought that through your long law studies, you did learn
> to read... Or is it my English that is too imperfect?

Relax, I wasn't calling you a murderer, I was pointing out, a second time, that in anonymous corporations there was no one to kill. "Who are you going to put pools on?"

> Dear Unicorn, what in the hell makes you conclude that my
> "disclaimer" means that I am going to kill somebody? I just say that
> after having turned the idea around for some time, I see it as
> ineluctable that *some* groups will implement it.
> Just bring me
> *one* single fact of reality that will show me that it is not
> possible to implement and you will have made my day.

Give me context. It's possible to kill the president too. That doesn't mean it will become the basis of government.

> Even if it is
> implemented for any entirely wrong reason, I do not think that we
> can prevent its implementation.

That's what anonymous transactions are for.

> BTW, since I was off from CPunks for a while, would you please tell
> me if you published the suite of your writings on assets concealment?
> I would then proceed to get it from the archives if it was published.

I forwarded two large segments of the work to the list, yes. If you, or anyone else on the list, would like copies, let me know.

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55  E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From jf_avon at citenet.net Sat May 18 04:26:48 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Sat, 18 May 1996 19:26:48 +0800
Subject: Rural Datafication (Was Re: Edited Edupage, 9 May 1996)
Message-ID: <9605152310.AA10372@cti02.citenet.net>

On 15 May 96 at 15:03, Jim McCoy wrote:

> US decided (via its legislative system, regardless of whether or
> not it was the "smart" thing to do) a long time ago that it was a
> worthwhile goal to give everyone, regardless of where they lived,
> equal access to certain parts of the national infrastructure.
The US decided that the end justifies any means, and thus decided to

> Actually they would put your money where your mouth is. If such
> subsidies were not given then rural dwellers (those people who grow
> all the food that keeps you alive...) would just add the cost to
> food production and therefore add to the cost of what you eat.

They are free to charge more. Oh, I forgot, prices are regulated...

When grand'pa came to Canada in 1912 with his parents and his 11 brothers and sisters, he and they did not have a penny, nor did they speak the language nor had access to any socialistic programs. When he and his sister and brothers died, most of them were wealthy. And all they did all their life was to grow vegetables. They had very good reputations and I do not know any story of any one of them being con men.

> It is rather amazing how this posting has drawn all of the militant
> libertarians out of the closet.

Why assume that I hid in some closet? I did not militate either. I do not endorse libertarian ideas. I've never read any "libertarian" literature. I only read a bit of Ayn Rand, and the regular Objectivists will tell you that they are *not* libertarians. Actually they object to the libertarian doctrine. And again, I am no objectivist. Many of them refuse to talk to me.

> > If there was such a perceived advantage, they would make it their
> > priority. Parents would be willing to buy the necessary hardware
> > and then, put the little extra that is required to connect.
> > Remember, the costliest part of the internet is the hardware to
> > run Netscape.

From a consumer standpoint, it is. Unless I am wrong. Can you bring up figures?

> You have obviously never had anything to do with connecting people
> to the internet, have you?
> After spending the last four years prior
> to my current job building one of the largest ISPs in Texas I can
> promise you that getting the dedicated line from one location across
> a LATA into another where connectivity is a non-metered local phone
> call from your subscribers is a very costly affair (the line charges
> are per-mile, and here in the US you may have to run your wire
> 100-250 miles to get to the next LATA)

Why don't you just use a microwave link? Oh, I forget, the FCC might not permit it...

And then, why don't you just get together all the bunch of peoples and decide to obtain a right of way for a community cable that would carry data? And while you are at it, maybe you can try a fiberoptic company to subsidize you, tax-deductible from their income... It's worth a shot! Oh, but again, the FCC and half a dozen other ministry might object.

You don't find enough donations? No problems, simply sell your project, aided by your reputation, to every neighbor. Simply issue shares to raise money... Oh, again, I forgot, the SEC would object...

How does a data link cost compare (long term and short term) to the initial expense of purchasing a computer? Like, since you mentioned it, how much did your project cost per user?

> You seem to be falling into
> the same line of thinking which most annoys me about Libertarians,

You are too sensitive... :-)

> you ignore the cost of building and maintaining the infrastructure
> in the first place

Not at all. We only realize that the cost of building infrastructures in *this* statist world is almost not affordable. Why don't you read about railroad history and come back later?

JFA

DePompadour, Societe d'Importation Ltee
Limoges porcelain, Silverware and mouth blown crystal glasses

JFA Technologies, R&D consultants.
Physicists, technologists and engineers.
PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E  F87CC86FAEFEF891
Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have
accepted the above mentioned terms.

From EALLENSMITH at ocelot.Rutgers.EDU Sat May 18 04:27:48 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 18 May 1996 19:27:48 +0800
Subject: Why does the state still stand:
Message-ID: <01I4SAIWANV28Y5EUK@mbcl.rutgers.edu>

From: IN%"hfinney at shell.portal.com" "Hal" 16-MAY-1996 10:21:05.33

>From: "E. ALLEN SMITH"
>> I did not
>> include offshore.com.ai in Anguilla due to its high cost; I consider anything
>> over 25$ a month to be impractical.

>Thanks very much for making this list. However I would not be so quick
>to reject http://offshore.com.ai. It is run by long-time Cypherpunk
>Vince Cate, apparently specifically for the kinds of purposes we are
>discussing. His project was discussed in a recent issue of Wired, I
>think the May issue. (I have no contact with Cate, and have never met
>him as far as I can recall.)

I was originally creating this as a list of places for me to look at for sponsoring a remailer, and then decided that the list might find it useful. I would find over 25$ a month impractical. However, in the 2nd edition I'll include http://offshore.com.ai, with a note on the cost (and on Vince Cate's political orientation.)

>For doing something like running a remailer which will post material
>which is illegal and/or copyrighted in the U.S., you are going to need a
>service which can stand up to pressure. Presumably some monetary
>incentive is going to be a necessity. Of course by this standard $25 a
>month is pretty inconsequential.

Yes. As I recall, there's supposed to be an ecash library coming out soon. I trust that someone involved in remailers is planning on making up one that charges ecash once those facilities are available?
There's also the deposit idea for ones that serve an end-posting function; I didn't have this in mind when I created the list initially, again.

>One issue is whether these banking-secrecy countries like Anguilla are
>followers of the Berne convention or other international copyright
>regulations. Banking secrecy and software piracy don't necessarily go
>hand in hand. I hear a lot about copyright violations in China but not
>in the Caribbean. So actually it isn't clear that this country is the
>right location for a remailer that can post arbitrary material.

Good point. I'll try to look up on the Berne convention.

>As for the costs to the remailer operator, he simply passes those on to
>his customers. I think in the long run onshore remailers will be forced
>to take measures to restrict copyright-violating posts. So if your
>choice is between paying nothing and not getting your whistle-blowing
>message posted, or paying $10 and getting it out on the nets, then
>hopefully it is worth that much to you.

>We have discussed for-pay remailers and the consensus has been that no
>one would use them when others run for free. However now I think the
>false premise is being exposed, that free remailers simply will not be
>able to run in the current mode for much longer. Once a single remailer
>operator has been fined thousands of dollars because somebody posted some
>copyrighted message, I don't think you will find many people eager to
>sign up as operators. So this dream of a volatile collection of
>remailers popping up and going away just doesn't work in my view. Why
>would anyone offer a service knowing that he was exposing himself to
>liability like this? It would be just a game of Russian roulette,
>waiting to see whether it is your remailer which gets the bullet in the
>form of a post which violates the copyright of someone with deep
>pockets.

I've discussed this somewhat above, but whether one needs to charge may depend on how one runs the remailer.
If it only sends to other known remailers (ideally only to other mixmaster remailers), and the traffic analysis defeating features work properly, then it's going to be hard to charge you for some mail going through the net that may not have even gone through you. In other words, we may get a division into two types of remailers:

A. those that charge, and do send messages other than to other remailers; these may also be nym servers demanding a deposit, with a confirmation as to who's who via signatures

B. those that don't charge, and don't send messages other than to other anonymous remailers.

A combination of the above could certainly work, also; just charge for messages going to other than other remailers.

-Allen

From banisar at epic.org Sat May 18 04:42:10 1996
From: banisar at epic.org (Dave Banisar)
Date: Sat, 18 May 1996 19:42:10 +0800
Subject: AST II Conference
Message-ID:

Panel suggestions are always welcome

-d

-------

Preliminary Conference Announcement

ADVANCED SURVEILLANCE TECHNOLOGIES II

Sponsored by

Privacy International
Electronic Privacy Information Center

September 16, 1996

Citadel Ottawa Hotel and Convention Centre
Ottawa, Canada

----------------------------------------------------------------------------

The rapid evolution of technology is leading to the creation of a seamless web of surveillance across much of the world. Powerful technologies originally developed for the military are being adopted by law enforcement and civilian agencies, and private companies to monitor entire populations. This has been further fueled by the end of the Cold War and increasing demands for greater bureaucratic efficiency. Existing laws and regulations have failed to keep up with these developments.

This one day conference will examine a range of advanced surveillance technologies and their impact on privacy and other civil liberties.
It will explore the process of planning and implementation of the technologies, their operating conditions, and the people and organizations responsible for them. The conference will also examine possible technical, regulatory and legal responses.

The conference will also address in detail the findings of Privacy International's "Big Brother Incorporated" report which examined the international trade in surveillance technology and the involvement of the arms industry.

----------------------------------------------------------------------------

PARTIAL LIST OF SPEAKERS

Phil Agre, University of California, San Diego
Dave Banisar, Electronic Privacy Information Center
Colin Bennett, University of Victoria
Simon Davies, London School of Economics & Director, Privacy International
Wayne Madsen, Author, Handbook of Personal Data Protection
Bruce Schneier, Counterpane Systems & Author, Applied Cryptography

CONFERENCE SUBJECTS

* Artificial Intelligence Systems
* Biometric Identification
* Digital Cash
* Information Superhighways
* Information Warfare
* Infrared and Passive Millimeter Wave Detectors
* Intelligent Transportation Systems
* Other New Technologies

----------------------------------------------------------------------------

MORE INFORMATION

More information on the conference will be available at the Privacy International mailing list at pi-news at privacy.org (subject: subscribe) or at the PI Home Page at http://www.privacy.org/pi/conference/ottawa/

----------------------------------------------------------------------------

HOTEL

The Conference will take place at Ottawa Citadel Hotel in Ottawa, Canada. A block of rooms has been reserved at the hotel at a discounted rate of CAN $81.00/night for a single $91/night for a double. The hotel should be contacted directly for reservations, mentioning the AST II Conference to get the special rates and early reservation is recommended.
The address is Ottawa Citadel Hotel, 101 Lyon St., Ottawa, Canada K1R 5T9, attention reservations, fax 613-237-2351, phone 613-237-3600. In North America you can call toll free at 1-800-567-3600.

----------------------------------------------------------------------------

OTHER EVENTS THAT WEEK

There are several other conferences in Ottawa that week. On Tuesday, September 17, Industry Canada will be sponsoring a one day Symposium and Demonstration of privacy enhancing technologies. On September 18 - 20, the Privacy Commissioner of Canada will be hosting the 18th International Privacy and Data Protection Conference. Contact: 613-995-2410 or email jroy at nstn.ca.

----------------------------------------------------------------------------

REGISTRATION

Registration Fees

[] Standard - $250 CAN ($175 US)
[] Non-profit organizations/Educational - $125 CAN ($75 US)

Information

Name: ___________________________________________________________
Organization: ______________________________________________________
Address: _________________________________________________________
__________________________________________________________________
Phone/Fax: _________________________________________________________
Electronic Mail:_____________________________________________________
Credit card Number/Expiration Date: _________________________________
(Do Not Email!)
Fax Registration form and credit card number to +1 202.547.5482

Send Check or Money Order in $US made out to Privacy International to:

Privacy International Washington Office
666 Pennsylvania Ave, SE, Suite 301
Washington, DC 20003 USA
1-202-544-9240 (phone)
1-202-547-5482 (fax)
pi at privacy.org (email)

----------------------------------------------------------------------------

_________________________________________________________________________
Subject: AST II Conference
_________________________________________________________________________
David Banisar (Banisar at epic.org)       * 202-544-9240 (tel)
Electronic Privacy Information Center    * 202-547-5482 (fax)
666 Pennsylvania Ave, SE, Suite 301      * HTTP://www.epic.org
Washington, DC 20003                     * ftp/gopher/wais cpsr.org

From unicorn at schloss.li Sat May 18 04:49:27 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Sat, 18 May 1996 19:49:27 +0800
Subject: your mail
In-Reply-To: <199605160218.EAA03364@spoof.bart.nl>
Message-ID:

On Thu, 16 May 1996, Senator Exon wrote:

> 14 Q I see. So there's something called a
> 15 Cypherpunks list?
> 16 A Yes.
> 17 Q Who maintains that?
> 18 A Major Domo.
> [majordomo]
> 19 Q Major Domo is an individual?
> 20 A No, no. Major Domo is a bot.
> 21 Q A what?
> 22 A A bot.
> 23 Q What's a bot?
> 24 A A robot like. It's short for robot.
> 25 Q Uh-huh. And this robot is obviously maintained
> 26 by somebody, right?
> 0050
> 01 A Not very much. In fact, it's hardly ever
> 02 touched.
> 03 Q Where does it sit?
> 04 A I don't know at this point. It was a year ago,
> 05 which was about the last time I was reading the
> 06 Cypherpunks list, it was on Hoptoad.
> 07 Q How would one go about getting the Cypherpunks
> 08 list?
> 09 A Subscribe Cypherpunks.

Forwarded to : clueless at c2.org

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed, potestas scientiae in usu est
Franklin might have had to invent him."
in nihilum nil posse reverti
00B9289C28DC0E55  E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From walrus at ans.net Sat May 18 04:57:13 1996
From: walrus at ans.net (michael shiplett)
Date: Sat, 18 May 1996 19:57:13 +0800
Subject: The Crisis with Remailers
In-Reply-To: <199605171622.MAA20895@dal1820.computek.net>
Message-ID: <199605171754.NAA02553@fuseki.aa.ans.net>

"ec" == Ed Carp writes:

ec> I think it would help tremendously if elm or pine were hacked to
ec> allow for remailing. Even better would be some sort of dynamic
ec> remailer addressing - sendmail certainly doesn't allow for this
ec> capability. :( I think we need something similar to dynamic
ec> routing for remailers.

I do agree extending commonly used mailers would be helpful.

Emacs + mailcrypt (with or without MH & mh-e) already provide the means to chain one's message through type 1 or mixmaster type 2 remailers. mailcrypt will even choose arbitrary remailer routing for you based on information gathered from Raph Levien's remailer list. Unfortunately this is not a turnkey solution and requires more configuration than most users probably want.

michael

mailcrypt home page: http://cag-www.lcs.mit.edu/mailcrypt/

From an616864 at anon.penet.fi Sat May 18 05:00:04 1996
From: an616864 at anon.penet.fi (an616864 at anon.penet.fi)
Date: Sat, 18 May 1996 20:00:04 +0800
Subject: test
Message-ID: <9605171052.AA20849@anon.penet.fi>

test

--****ATTENTION****--****ATTENTION****--****ATTENTION****--***ATTENTION***
Your e-mail reply to this message WILL be *automatically* ANONYMIZED.
Please, report inappropriate use to abuse at anon.penet.fi
For information (incl. non-anon reply) write to help at anon.penet.fi
If you have any problems, address them to admin at anon.penet.fi

From furballs at netcom.com Sat May 18 05:05:56 1996
From: furballs at netcom.com (Paul S.
Penrod)
Date: Sat, 18 May 1996 20:05:56 +0800
Subject: Fingerprinting annoyance
In-Reply-To:
Message-ID:

On Wed, 15 May 1996, Black Unicorn wrote:

> On Wed, 15 May 1996, Paul S. Penrod wrote:
>
> > On Tue, 14 May 1996, Black Unicorn wrote:
> >
> > > On Mon, 13 May 1996, Paul S. Penrod wrote:
>
> [...]
>
> > > > First off, if you were born in the US, they have your feet and/or hand
> > > > prints on record.
> > >
> > > Incorrect.
> > > Several states do not bother to print infants at birth.
> > > Several hospitals do not bother to follow state guidelines in those states
> > > which do so require.
> >
> > Which ones specifically?
>
> Illinois doesn't much care. Michigan had no requirement at all, some
> hospitals did, some didn't bother to print infants at birth. This was
> usually to avoid baby switching and such and records were dumped later on.
> Wisc. never much seemed to care until about 5 years ago when someone tried
> to pass a law. I don't think it ever passed, but I'm not sure. There is
> no standard consensus on this.
>
> In Illinois it was estimated last year that 9% of births were outside of
> hospitals.

Thank you for the information. I was unaware of this.

>
> Thousands if not millions of people have no prints on record. How large
> precisely do you think the FBI's national records are? FBI + Local law
> enforcement? FBI + Local + administrative?

Of course this will be the case until the Beltway decides for our benefit and protection that we must all be tagged like the family pet. These are the same folks who are currently operating under the premise of "give us your guns, then we'll lock up the criminals".

Even if they decide to play the "stamp the hand" game, the logistics of creating and coordinating the data flow of such a system are dubious at best. The IRS still hasn't figured out how to put together a working computer model (and I would hazard to guess they own the largest of the large - outside of Langley).

>
> I'd be very surprised to find out it was larger than 100 million, or ~1/3
> of the U.S. population (any number of which might be records of dead
> people).

The government and local agencies do not have to have everyone's prints (of any kind) directly on file. In order to play the game, they must exist in some form, and the people responsible for managing such activities should be educated enough to know where to look. It devolves quickly to a data warehousing problem that becomes tedious to solve, but not impossible.

>
> > > It is one of the great advantages of the United States that no
> > > standardized procedure for person identification exists. Seals and
> > > certificates vary from jurisdiction to jurisdiction. Cross the border to
> > > a state and a hospital birth announcement is enough for a drivers license,
> > > cross again and 4 pieces and a note from mom isn't enough.
> > >
> > > Be careful with disinformation please.
> >
> > My point is not about the variance of seals and certificates (I have at
> > least 6 different ones prove it from 4 different states). That is a
> > given. It is that prints have been a generally accepted practice for some
> > time now. IF you want to make the case and go back to the early days
> > (pre-WWII), then people like attila and a few others don't have them -
> > and I'll concede the point on that basis.
>
> Again, the point is that states can't decide if they want the task of
> printing and sorting and collecting and storing such records. It's not
> cheap. Even if it were, some states just don't care.
>
> If you're trying to tell me that few if any unsolved cases involving
> "unmatched" prints were committed by people younger than 55-60, I think
> you might reconsider. That's what your "everyone since WWII" statement
> implies. If that is so, why does the FBI maintain thousands of active
> "waiting for print-person link" records for unsolved cases?
I'm not interested in unsolved cases (crimes) that involve unmatched prints. It really is irrelevant to the discussion. There are too many other mitigating factors that influence the course of such an investigation.

Again, I will state, it's a data warehousing problem to locate such information (presuming it exists). You have to know where to look before chasing down the most likely candidate.

>
> Either 1. - Not everyone born is printed or 2. - Hospitals who print don't
> bother to submit to state or federal agencies because they (a) are not
> required to (b) don't much care.
>
> The answer is actually (3) all of the above.

Agreed.

>
> > The information I received has come from inquiries to folks I know within
> > the AMA, several different hospital administration staff in various states
> > - whose job it is to handle such affairs, and few other people who make
> > it their business to know such trivia. IF the information is in error,
> > I'll gladly accept correct input. Next time, don't be so quick to accuse
> > without inquiring to context. I'm not J.Bell.
>
> Again, even what the AMA says has little to do with state and individual
> hospital practice. Of the printing that goes on, most infant
> identification is done for internal hospital records, and most involves
> ONLY foot prints.
>

Agreed, however, I didn't think I represented a hands only premise.

...Paul

From tcmay at got.net Sat May 18 05:06:29 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 18 May 1996 20:06:29 +0800
Subject: Reputations
Message-ID:

At 8:09 PM 5/15/96, Steve Reid wrote:

>Another problem with reputations is that people are stuck until they get a
>good one. A bad rep can always start over. In fact, a person/company can
>look perfectly nice, but use a different identity for dirty work.

Sure. And they do this today (use cut-outs or subcontractors to limit reputational damage or liability).

>Naturally, you'd only trust dealings that involve a "nice" identity.

Not necessarily.
Many people play the numbers, implicitly trusting the Mafia to pay off on bets they win. (Many don't think the Mafia has a very "nice" identity, but your mileage may vary.) In fact, nearly all of the alleged problems with anonymous systems, especially the issues of defections, trust, expectation of payoff, etc., have parallels in other "extra-legal" situations. For example, the Mafia and other extra-legal or criminal operations. Do they sometimes defect (welsh)? Sure. Do they sometimes screw over the little guy? Sure. Do people trust them just enough to keep dealing with them voluntarily? Sure.

(Before anyone mentions it, there are of course cases where people are forced to deal with criminal gangs nonvoluntarily, such as with shakedowns, hijackings of trucks, etc. But a large fraction of the dealings with the Mafia, Jamaican gangs, Russian mob, etc., are for market reasons, where a market need for drugs, girls, cheap cigarettes, gambling, loans, etc., is being filled by players who are outside the normal legal marketplace.)

>Problem is, young people who are just starting out have a no-reputation >identity, and would be treated the same as the no-reputation identities >that are used for screwing people over.

Sure, newcomers always have it rough. Whether the newcomer is Nancy the Nym, or Eustace T. Collins, III, Esq., just starting out in a law firm, the newcomer has little positive reputation. (It varies, and the degree may mean something, just as Nancy the Nym may have some reputation capital to show.)

I mentioned "positive reputation." There is a real cost in throwing out, say, 30 years of accumulated reputation capital, and this will not be done lightly by many. Thus, in a given transaction, a lot may be at stake.

(I don't mean for this brief article to be an essay on the many fascinating issues surrounding reputation and reputation capital. Cf. my Cyphernomicon for much more on this topic.)

>Reputations could be very hard to create, and very easy to destroy.
As in real life. People can destroy their reputations by being careless. (I disagree with your implied point that the opinions of others can easily destroy a reputation. In real life, it usually takes a lot more than just bad-mouthing. Even in nym-space, the same is apparently true.)

>Well-known good reputations would be powerful and fairly hard to destroy, >so it's possible that the big reputations might try to crush little >reputations in an effort to gain some sort of reputation monopoly.

Maybe. Implausible as a central problem, but all things will likely happen. This happens occasionally in the real world, as when a Big Reputation (e.g., Bill Clinton) belittles and marginalizes a Small Reputation (e.g., Paula Jones).

There's a vast amount of stuff to think about with reputations. I applaud Steve for doing some thinking, but I don't think he's yet uncovered anything especially unique or worrisome.

As a last point, see especially the role of anonymous escrow agents. A number of years ago the example I usually used was "Ace Escrow--You Slay, We Pay," to illustrate that an anonymous escrow holder (holding untraceable e-cash deposited by the purchaser of a murder contract) could pay off a murderer who presented certain evidence, all without any of the parties having any idea whatsoever who the other parties were.

The problem is then one of whether the escrow company will simply pocket the money and not pay off. First, it can be set up (I think) that the e-cash is uncashable by the escrow company...but I'm not sure this is needed. A better solution is to rely on the basic nature of escrow or bonding services: their reputation capital is much more valuable to them than anything to be gained by defecting and burning their clients.
Except if they are about to retire anyway...as with the bonded courier who defects to Rio de Janeiro with a bag of diamonds....the trick is to spread the escrow money around to multiple escrow agents, and to rely on "escrow testing services" which periodically ping or test the services.... There are many issues here. I'm not advocating murder markets, just noting that they provide an easy to understand and fairly "pure" example. If it can be done with murders for hire, it can be done with nearly anything. A few years ago, many valuable ideas were contributed in this area by Dave Ross, Phil Salin, Dean Tribble, Hal Finney, and Robin Hanson. You might search for their articles. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From rpowell at algorithmics.com Sat May 18 05:12:22 1996 From: rpowell at algorithmics.com (Robin Powell) Date: Sat, 18 May 1996 20:12:22 +0800 Subject: S-Tools 4 now available In-Reply-To: <2.2.32.19960516202120.0038302c@mail.pi.se> Message-ID: <96May17.122715edt.20484@janus.algorithmics.com> >>>>> Matts Kallioniemi writes: > It's not just marketing, it's a fact of life. 16 bit operating systems are not > supported any more. Just as 8 bit OSes haven't been supported for quite > a while either. There will come a day when 64 bits are considered the > minimum for useful software (large database systems are already there). > You just can't stick with 16 bits forever, MS-free or not. Face it. EXCUSE ME? I hate all MS products. I run my Amiga 3000. 
My OS has been 32-bit since nineteen eighty fucking nine! Stick that in your pipe and smoke it. -Robin From jya at pipeline.com Sat May 18 05:24:24 1996 From: jya at pipeline.com (John Young) Date: Sat, 18 May 1996 20:24:24 +0800 Subject: RUL_net Message-ID: <199605170114.BAA08578@pipe5.t1.usa.pipeline.com> May-June, 1996, Harvard Business Review. Two related articles which examine c'punks interests -- proposed business regulation of the Net; on-line security; copyright; encryption; authentication; E-cash; electronic commerce; protected communities to escape "frontier anarchy." Executive summaries by HBR: "Ruling the Net." Debora Spar and Jeffrey J. Bussgang The Internet promises a radical new world of business. But for many companies, it has yet to deliver. Although doing business in cyberspace may be novel and exhilarating, it can also be frustrating, confusing, and even unprofitable. Debora Spar and Jeffrey Bussgang argue that the problems companies face have little to do with a lack of technology or imagination. Their problems stem instead from a lack of rules. Without the order that rules create, business cannot be conducted. The authors explain why the informal rules that have developed on the Internet since the 1960s are no longer sufficient. Businesses thinking of allowing millions of dollars of transactions to occur on the wide-open Net need specific assurances. They require clear definitions of property rights, a safe and useful means of exchange, and a way to locate and punish violators of on-line rules. The authors believe that the key to commerce on the Internet lies in the creation of managed on-line communities. Such communities can be formed by service providers -- entities that will restrict on-line options, fine-tune offerings to match a select group of users, and provide some means of recourse in cases of fraud or abuse. Under those conditions, they will draw new companies on-line and increase the productivity of those already there. 
And, say the authors, the rewards for service providers will be substantial: Companies that make the rules on the Internet's emerging frontier have the opportunity to reap the greatest profits. [40 kb] "The Real Value of On-Line Communities." Arthur Armstrong and John Hagel III The notion of community has been at the heart of the Internet since its early days, when scientists used it to share data, collaborate on research, and exchange messages. But how can businesses best use its community-building capabilities? Not merely by putting their products or services on-line, the authors contend. Real value will come from providing people with the ability to interact with one another -- from satisfying their multiple social needs as well as their commercial needs. Companies that create strong on-line communities will command customer loyalty to a degree hitherto undreamed of and, consequently, will generate strong economic returns. The authors present four different types of community: communities of transaction, interest, fantasy, and relationship. Examples of each type already can be found on the Internet or through on-line services, but the successful community of the future will incorporate all four -- or as many as possible. As for economic value, the authors see four ways for a company to generate returns: through usage fees, content fees, transactions and advertising, and synergies with other parts of its business. In the near future, new business definitions may emerge around the notion of owning a specific customer segment across the full range of its interests and needs; owning specific products and services may no longer be so important. The authors urge businesses marketing to consumers to make the small investment required to "buy an option" on electronic communities in order to understand both their potential value and the radical changes they may cause. [33 kb] RUL_net (for the 2) ----- Reprints of "Ruling," No. 96309 and "Real Value," No. 
96301 may be ordered from HBR for $5.00 each by email to: custserv at cchbspub.harvard.edu From EALLENSMITH at ocelot.Rutgers.EDU Sat May 18 05:25:35 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 18 May 1996 20:25:35 +0800 Subject: Why does the state still stand: Message-ID: <01I4S9MPMI7K8Y5EUK@mbcl.rutgers.edu> Here's a partial copy (edited to stay within fair use) of the U.S. News & World Report article I mentioned, off of their web site. -Allen _UPSET? TRY CYBERTHERAPY_ _AN ONLINE VISIT TO THE PSYCHOLOGIST MAY PROVIDE AN ANSWER, CHEAP_ Got the blues? Can't stop scarfing down bags of potato chips? Your spouse is always hostile, and you and the kids are, too? Therapy might help--at $125 a session. Or you could test a '90s solution: E-mail your way to mental health for a fraction of the cost. In the past year, angst has become a thriving niche on the World Wide Web. Many psychologists who are setting up home pages see electronic consultation as a way to plump up incomes hit by managed care and to attract new patients to the office. For the most part, these cyberpractitioners are careful to warn potential patients that the medium doesn't allow for detailed probing. "I give advice like Ann Landers and Dear Abby do," explains Dorothy Litwin, a New York psychologist who specializes in substance abuse, women's issues and couples therapy. Litwin is one of five women who joined forces about a year ago to form an electronic practice, Shrink-Link (address, box, Page 83). Four are New York State-licensed psychologists; one is a psychiatrist. Each has her own regular practice and specializes in a particular area of psychotherapy. For $20--you pay upfront by typing in your credit card number--you can send off your 200-word (or less) question; it is then routed to the appropriate therapist. Within 72 hours (often within 24 hours), you get back two or three paragraphs of privately E-mailed advice. 
_ The short answer._ The cybercouch is most effective at giving people who can clearly identify the dilemma (my daughter is anorexic; I'm deep in debt and can't stop spending) a start toward a solution. A typical Shrink-Link question: "My 5-year-old was diagnosed with attention deficit disorder (ADD) in 1993 and has been on Ritalin ever since. She has been having trouble falling asleep for the past several months and has been moodier than usual of late. What do you think?" The gist of the response: "Some trial and error is often required before the correct dosage and timing are found, and symptoms such as sleep disturbance and moodiness often occur in the interim. Moreover, since children's rates of metabolism change, dosages often need to be adjusted. Even if the dosage is correct, the behavior irregularities you describe could be caused by administering the drug too late in the afternoon or by a host of other factors, such as nighttime fears. These possibilities need to be ruled out one by one until the culprit is found." The advice could well be to seek face-to-face counseling. E-mail exchanges are no basis for a diagnosis, for example, warns Marlene Maheu, a San Diego clinical psychologist who headed the American Psychological Association's subcommittee that recently looked into the ethics of cybertherapy. "It's impossible to get an anonymous patient's complete family history in a 200-word question," she says. And without such cues as voice tone, facial expressions and body language, how can a therapist be sure what the problems really are? "Smiley screen faces are a poor substitute for real communication," agrees Leonard Holmes, a therapist based in Newport News, Va., who says his online services are not therapy but "E-mail discussions." ("It's a bit more private than a call-in radio show," he notes.) Holmes charges $1.50 per minute and will spend as much time "with" a patient as the patient desires. 
Maheu's subcommittee and other psychology professionals worry that a lack of standards makes people seeking online help vulnerable. "When you are answering questions by E-mail, it's tempting to stray beyond your area of expertise," says Maheu. "The APA's ethical principles prohibit that." Critics also worry that confidentiality is at risk. While patients remain anonymous, a hacker could conceivably identify them. And these Internet sessions aren't encrypted. "You have no way of knowing who is printing the E-mail message out or where it is stored," says Thomas Nagy, a psychologist and Stanford University School of Medicine psychiatry professor. Nagy also worries that people with really significant problems will stop with an online Band-Aid. Troubling, too, is the fact that patients may know little about the therapist and his or her qualifications. Many sites don't disclose details about the counselors' experience and where they earned their credentials. Leonard Holmes, by contrast, provides a complete biography on his Web page that includes his educational background, what state he is licensed in, as well as areas of expertise. That way, interested patients can check out his professional background before a session. [...] BY KERRY HANNON _A few routes to mental health_ _Shrink-Link_ (http://www.westnet.com/shrink). These New York women-- four psychologists and one psychiatrist--offer E-mail advice for $20 a pop. _Leonard Holmes_ (http://www.psychology.com/holmes.htm). Holmes is a therapist in Newport News, Va., who answers E-mail questions for $1.50 per minute and provides links to other sites. [...] _________________________________________________________________ CREDITS Send comments to webmaster at usnews.com Copyright U.S. News & World Report, Inc. All rights reserved. 
From hieronym at desk.nl Sat May 18 05:25:38 1996
From: hieronym at desk.nl (t byfield)
Date: Sat, 18 May 1996 20:25:38 +0800
Subject: Senator, your public key please?
In-Reply-To:
Message-ID:

6:01 PM +0200 5/16/96, Black Unicorn:

> Secondly, the Ethics Committee was very interested in the issue. As of > now they have ruled that "exchanging" PGP signatures is an "exchange in > kind" and an ethics violation. Ms. Howell expressed exasperation over > this lunacy, but put it much this way: "No, you guys don't understand > what the issues are here, but I don't have 3 hours to explain it all to > you either." Apparently the ethics committee is concerned that a > signature from Leahy's key will constitute some sort of endorsement and the > "you sign mine and I'll sign yours" looks like influence peddling.

And, in fact, according to the general outlines of the "reputation" schemes advanced hereabouts, they're right: that's why they call it "reputation _capital_," mais oui? There's no reason that webs of trust of well-signed keys couldn't be very fluidly incorporated into patronage networks, for example, or that their incorporation would affect network dynamics in any notable way. One doesn't need to understand political theory or economy in any analytical sense to become part of a patronage network, and one doesn't need to understand cryptography to know what a key is vaguely enough to be swayed by someone waving a "well-signed" key around--in fact, _not_ understanding cryptography will lead people to be wowed by such keys. Most people don't understand cryptography, and most will continue not to understand it. So in the pristine realm of mathematics, the Ethics Committee may be wrong, but in the real world of sloppy thinking they're basically right. Basically.
If my key was signed _only_ by the CEOs of the top 10 Fortune 500 companies, a few dozen heads of state, bigwig spooks from around the world, the pope and a dozen cardinals, it's not too hard to imagine how I could open a few doors with that key--and make a buck or two in the process. After all, Uni, what _does_ a signature signify? You were asking some very pointed questions about that quite recently. Ted From remailer at 2005.bart.nl Sat May 18 05:28:36 1996 From: remailer at 2005.bart.nl (Senator Exon) Date: Sat, 18 May 1996 20:28:36 +0800 Subject: Past one terabit/second on fiber[PHONE GEEK TALK] Message-ID: <199605171728.TAA09634@spoof.bart.nl> > No comment :-) And I certainly don't presume to speak for Lucent.... And to think that some of Lucent's next fiber products will include some technology developed by cypherpunks. From stewarts at ix.netcom.com Sat May 18 05:30:18 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 18 May 1996 20:30:18 +0800 Subject: Defeating fingerprints [NOISE] Message-ID: <199605180704.AAA25160@toad.com> Topic that won't die, I guess. There's a nail-polish variant called "ridge filler" that may help fill things in, and Plastic Wood comes in pink enough colors it may get you through a trip to the CA Motor Vehicle Department registration, though it won't stop an intelligent person looking at your fingers. [And no, I didn't think of it; I'd been dealing with the question of exactly what citizenship papers were required for the thugs. On the other hand, when my father-in-law moved to Hawaii many years ago, the law required that you provide either a SSN or a thumbprint when you apply, and the clerks were really annoyed that he made them do a thumbprint instead of just writing down an SSN.] 
# Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 # goodtimes signature virus innoculation From cardinpa at cardin.com Sat May 18 05:33:05 1996 From: cardinpa at cardin.com (Paul Cardin) Date: Sat, 18 May 1996 20:33:05 +0800 Subject: Level30 Newsletter Message-ID: <2.2.32.19960515164701.0069d9b8@cardin.com> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Please Note: Every effort has been made to post this announcement only in those groups and lists where there should be a natural interest in its subject matter. We apologize in advance if any readers believe it to be off-topic or otherwise inappropriate. It is a single post and it will not be repeated or followed with others. Thank you. * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ANNOUNCING LEVEL30 An Important New Internet Newsletter Dealing With Pornography and Censorship Issues * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * No matter what side of these issues you are on... DO NOT IGNORE THIS NEWSLETTER! * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * About the Cost - FREE About the Subscription - To receive this biweekly (or more frequently) newsletter, simply send an e-mail message To: majordomo at databack.com Subject: (leave blank) Message: subscribe level30 About the Purpose - To instruct families on how to safely use the Internet, and to inform families, law enforcement, the media and other interested Internet organizations about breaking news in the fight to keep illegal pornography and child pornography OFF the Internet. About the Title - This is the Offense Level mandated by the United States Sentencing Commission for the trafficking of child pornography often found on the Internet in Usenet newsgroups. 
(Base offense level - 17; if the material involves a prepubescent minor, increase by 2 levels; if the offense involves distribution, increase by at least 5 levels; if the offense involves material that portrays sadistic or masochistic conduct or other depictions of violence, increase by 4 levels; and if a computer was used to transport or ship the visual depiction, increase by 2 levels.) (The Sentencing Table can be found at http://www.ussc.gov.) About the Author - Paul D. Cardin, P.A **Member of the Board of Directors of Oklahomans for Children And Families (OCAF). **Author of The Agincourt Project - the electronic expose that explains how Internet Service Providers (ISPs) are responsible for the distribution of illegal pornography and child pornography throughout America. (You may obtain a copy of The Agincourt Project via autoresponder e-mail by sending a blank e-mail message to noporn at mailback.com). ** Architect of the most effective and successful campaign in the United States today to stop the electronic distribution of illegal pornography and child pornography. ** National Directorship soon to be announced. About the Regular Features - **America's Most Wanted - A list of public corporations that are the enemies of America's children and families because of their continued electronic distribution of illegal pornography and child pornography. **(Your State Here)'s Most Wanted - A state by state list of ISPs that are the enemies of children and families because of their continued electronic distribution of illegal pornography and child pornography. **Commentary - Incisive and hard hitting analysis of the legal and constitutional issues facing the Internet today. ** Battle Reports - Updates from the front lines, from "war correspondents" across the country. ***** The court battles over the Communications Decency Amendment. ***** The status of OCAF against the Oklahoma ISPs. ***** The status of Loving v. 
Boren - is it a ridiculous waste of taxpayers money or will it be the definitive Internet court ruling? *****The status of other important electronic obscenity court cases. *****The status of battles yet to be engaged. About Special Reports - **Testimonies from the victims of pornography. ** Profiles of the men and women who are engaged in the battle to free our society from its plague. **Interviews with law enforcement officers, prosecutors, and ISPs. * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * The Top Ten Reasons TO SUBSCRIBE To "Level30" - **Reason #10 - You are an INTERNET SERVICE PROVIDER who wants to stop violating federal and state obscenity and child pornography laws. **Reason #9 - You are a LAW ENFORCEMENT OFFICER or PROSECUTOR who wants to learn how to stop ISPs from violating federal and state obscenity and child pornography laws ** Reason #8 - You are a PUBLIC OFFICIAL who wants to learn how to keep illegal pornography and child pornography off of publicly owned and operated computer systems. ** Reason #7 - You are a UNIVERSITY OFFICIAL or LIBRARY OFFICIAL who wants to learn how to keep illegal pornography and child pornography off of your university or library computer system. **Reason #6 - You are a SCHOOL OFFICIAL or TEACHER who wants to learn how to keep illegal pornography and child pornography off of your school's computer system. **Reason #5 - You belong to a CHILD ADVOCACY or WOMEN's RIGHTS group and you want to learn how to fight illegal pornography and child pornography on the Internet. **Reason #4 - You belong to a CHURCH or RELIGIOUS GROUP and you want to learn how to fight illegal pornography and child pornography on the Internet. **Reason #3 - You are a CORPORATE EXECUTIVE or PR OFFICER who wants to learn how to avoid extremely damaging publicity for your company. **Reason #2 - You are a REPORTER who wants to stay one step ahead of numbers 3 through 10 above And, finally....... 
**Reason #1 - You are a PARENT or GRANDPARENT who wants to learn more about how to keep the Internet safe for your children and/or grandchildren. SUBSCRIBE TODAY From jimbell at pacifier.com Sat May 18 05:36:58 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 18 May 1996 20:36:58 +0800 Subject: Why does the state still stand: Message-ID: <199605171736.KAA19396@newmail.pacifier.com> At 10:09 AM 5/16/96 +0200, bryce at digicash.com wrote: > > The entity calling itself jim bell > is alleged to have written: >> >> But what I'm looking for is full payee/payor anonymity. (three guesses as >> to why...) Can you do this? If not, why not? > > >Let me get this straight. You are asking for full payee/payor >anonymity so that you can institute a program of anonymous >assassination contracts, right? It's not just for me. I seem to recall a comment around here (Tim May, perhaps?) who said that when he first read of digital cash in the late 1980's, the feature of payee anonymity was present, and that he was surprised later to see early implementations not containing this. Deal with the devil? Any "complete" digital cash implementation has to provide for payee anonymity. Jim Bell jimbell at pacifier.com From ses at tipper.oit.unc.edu Sat May 18 05:38:47 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sat, 18 May 1996 20:38:47 +0800 Subject: [NOISE] Hackers soundtrack Message-ID: Update on an old thread... Apparently it was released last week in England, so it may be available in some import racks. Simon From jf_avon at citenet.net Sat May 18 05:40:25 1996 From: jf_avon at citenet.net (Jean-Francois Avon) Date: Sat, 18 May 1996 20:40:25 +0800 Subject: [long irrelevant post] Edited Edupage, 9 May 1996 Message-ID: <9605152312.AA10462@cti02.citenet.net> Apologies to other CPunks. I hate theses posts, but I just couldn't let it pass by. On 15 May 96 at 9:09, Doug Hughes wrote: > No, because they are too poor to live in your neighborhood. 
> Sure, they can live in the same geographic region, but it's still > rural and poor. People live where they can afford to live.

Just like volition-free cows?

> Are you saying those poor people in rural West Virginia only live > there because they are not trying hard enough to get out?

Maybe they lack the knowledge. But does that justify turning me into a milk cow for them? Should I break my leg because somebody else did? Should the common euphemism "to provide" justify the common euphemism "to redistribute wealth"? Or in straight talk, should we distribute free-lunches that were taken away at the point of a gun from people who produced them by their own work?

> >> So, because they live in a poor district they are > >> not entitled to the same level of education as a rich city > >> suburb?

Not because they don't live in a rich suburb, simply because they cannot pay for it. Breathing air does not entitle you to anything that is produced by another breather of air...

> environment, lack of education, lack of money, lots of factors.

Who is responsible for it, who should be considered "response-able"?

> Nobody is holding a gun to anybody's head saying "Don't Read".

Here is an example of "creative mis-reading". What I meant by gun is why hold a gun to *my* head for having them to read?

> improving literacy is a goal that needs to be undertaken.

You are free to donate as much of your *own personal* earnings to them. Feel free to do! I, for one, like to help kids to learn to read, to use a microscope, to learn chemistry and physics and maths and sciences in general. I always give my time to any kid that needs help, whether he is 5 years old in first grade or 25 in university. But why stick a gun in my back to get part of my paycheck?

> agree that low literacy is a bad thing

Yes, absolutely.

> and needs to be taken care > of?

At whose expense?

> But, why, given a good learning environment and an > inspiring teacher would you not want to?
You'd be surprised how so many people just don't care. We have here a *free* education system up to high school. Then college, which is not very expensive. Then university that cost around 2000$(US) per year. But still, we have one of the highest rate of dropping out in the world. And all collectivists with their grand schemes wonder why...

> But the statement that > we shouldn't subsidize >> rural customers because they CHOOSE to > live there (even though some >> are poor and can't afford to live > anywhere else) is just plain >> fallacious.

Agreed. But you are building a worse straw man. The only reason is that we should not turn some productive individuals into a milk cow for those that are less productive. And the source of the wealth necessary for your grand schemes are those most productive individuals turned into sacrificial animals. Under any governmental red tape pile of paper lies a GUN.

> Some people on this list argue that the current representative govt > system is bad, and that true democracy is better.

But again, some other people think that true democracy, i.e. the dictature of the majority, wouldn't be better, mainly because the issues are too numerous and the individual's knowledge is too limited. What some Cypherpunks want is "Live and let live", some other "Live and let die" and a few even proposed "Live and let live, or get killed" or "mind your own business or get a prize on your head"...

> True democracy relies on people being educated, the more the > better. (Actually, education benefits the entire society.) > >> Just because you choose to live in the city does not > >> mean people always choose to live where they live. > >Who cast their feet in concrete blocks? > Where is somebody making less than $5000/year going to move to? > (Answer: somewhere rural and poor). Or, if you prefer, they can > move into tax-payer subsidized housing? (I'd prefer not, thanks)

I lived on that for several years. It was not easy but I could still learn and read.
Actually, it is almost the sole thing I did during these years. And I am not talking about our almost free education system.

> >> Education is one > >> thing (perhaps the only thing) that deserves to be subsidized in > >> this country. > >I think that it should not be subsidized. > >If you feel like subsidising education, then by all means, do it. > >But why should you stick a gun in my back to do the same? What if > >I do not want to do the same as you? > Then you will be living in a country with lower education standards, > increasing illiteracy, and a pretty pitiful base with a declining > socio-economic structure. > Are you arguing that people are not equal

Absolutely. Why is it that my friends always got straight A's while I got C's or D's...

> and those with more money should of necessity get better education?

What somersault of rationalization made you conclude that? Those with more money can *afford* more. Only that fact.

> You can vote that poor people shouldn't be > educated at all

What you are telling here is that education is *only* a direct function of wealth and that wealth is strictly a direct function of education. I am sorry to tell you that reality clearly shows that this basic premise is not true.

> You don't understand at all. It's not about being people down, it's > about bringing them 'UP'.

Dear Doug, would you please tell me where you will take the resources to bring people up? I have no objection if you were setting up some sort of charity fund.

> I'm not talking about being meek. > I'm talking about learning to read and multiply 4*9.

It was done in the days of non-mandatory, non-subsidized education. Actually, the country (USA) had its biggest growing period in those days. The improvement slowed down with the advent of collectivist schemes.

> I'm not getting into this anymore. It's totally off topic of the > list, but I felt I had to respond to your > let-the-poor-be-poor-and-uneducated posting.

Not at all.
The essence of my post is "do not treat productive individuals as sacrificial animals for the unearned benefit of the less productive". You see, I do not believe in sacrifice nor in original sin...

> We're straying far off even my point. My point was not that I agree
> with subsidizing internet connections for every school in america.
> I'd have to be convinced that that is a good thing. However, making
> sure everybody has a good education is of paramount importance to
> any society.

I am of the opinion that giving the country a thorough coverage of the net is of paramount importance. But I do not think that the govt is thinking the same, notwithstanding what it says. I suggest you try to set up a foundation to promote the private setup of inter-villages links in rural areas. It would be great. But to tax for that, to confiscate money from producers against their best judgment and will?

OTOH, you might be operationally (while not ethically) right. I'd rather be taxed for the installation of the net than for some museum...

JFA

DePompadour, Societe d'Importation Ltee
Limoges porcelain, Silverware and mouth blown crystal glasses

JFA Technologies, R&D consultants.
Physicists, technologists and engineers.

PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891
Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have
accepted the above mentioned terms.

From molecul1 at molecule1.com Sat May 18 05:41:24 1996
From: molecul1 at molecule1.com (Molecule One Scientific Research Institute)
Date: Sat, 18 May 1996 20:41:24 +0800
Subject: CyberTraveler Auction - Unsubscrive MoleKule's.
Message-ID:

>This is an automated reply to your e-mail request.
>
>The only way to remove yourself from our CyberTraveler
>program is to go to
>
>http://www.cathay-usa.com/remove.html (make sure you spell this exactly like
>this)
>
>
>and follow the easy instructions.
>
>
>Thank you for your participation.
>
>
>
>At 06:45 PM 5/16/96 -0700, you wrote:
>>>Dear Molecule,
>>>
>>>
>>>Best regards,
>>>Cathay Pacific Airways Limited
>>>Los Angeles Marketing Department
>>>
>>>P.S. remove yourself from the CyberTraveler program, (should you wish to).
>>>Simply go to http://www.cathay-usa.com/remove.html. Thank you.
>>>
>>>>>Dear Cathay,
>>>
>>>>> Unsubscrive Molecule1 at electriciti.com
>>>
>>>>> In peace & wish the purest of wishes.
>>
>>>>> sincerely,
>>>>> M1.
>>
>>
>>>>> Peace Cathay,
>>>>> Please note molecul1 at electriciti.com is now molecul1 at molecule1.com.
>>>>> It is also 1996 & the people love to dance the world over.

Peace Cathay,
M1.

From llurch at networking.stanford.edu Sat May 18 05:51:52 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 18 May 1996 20:51:52 +0800
Subject: [Yadda Yadda Heil Dave] Re: Forced to your knees by Legal VIOLENCE
In-Reply-To: <199605180030.RAA06625@netcom11.netcom.com>
Message-ID:

I responded to Skippy's on-topic, more or less substantive questions about remailers in Message-ID

This has absolutely nothing to do with crypto, but that's what I subscribed to coderpunks for.

On Fri, 17 May 1996, Dave Harman wrote:

> Ask our resident "free speech for RESPECTABLE dissidents,"
> L. Lurch at stanford.edu (racial capitali$t d0g)
> for a virulent defense of Co$ style tactics against racists.
> Ask him about SPLC, Seraw vs WAR, Tom, John METZGER.

I grew up 15 minutes from Metzger and played soccer with one of his kids, and he threatened some friends of mine. I've talked to his sidekick Wyatt Kaldenberg about other things, and defended their absolute right to free speech on occasion. But other than that, I don't know much about Metzger. Skippy seems to have this illusion that I'm some big bad anti-racist, which I find amusing.

Another WAR/CoS mal-analogy one could scrawl is that Metzger has paid about as much of the judgement awarded to the murder victim's family as CoS has paid to Wollersheim. But I wouldn't follow that line of reasoning myself, since I'm no fan of the SPLC. Maybe they did a good thing in the Seraw murder case, but their current suit against Pierce's neo-Nazi National Alliance seems rather SLAPP-ish to me. I'm sure Morty would try to justify going after deep-pocket racists by saying that they deserve it because the $4.5 million or so that The Order White Nationalist Revolutionary [cough] Movement liberated from banks and convenience stores has never been recovered, but he's wrong. Sure Bobby claimed to be doing those robberies in the name of the Aryan Cause, but it looks like he really spent the money on himself, just like any other "political" crook (the Contras, the FMLN, Sendero, the Machateros, the US Congress, etc).

The SPLC probably has a web server somewhere with more details, but there's a minimal amount of information about the case at:

http://www.almanac.bc.ca/cgi-bin/ftp.pl?people/m/metzger.tom
http://www.almanac.bc.ca/cgi-bin/ftp.pl?orgs/american/war

Tom Metzger's web page (sorry, it's actually John Metzger's web page, which happens to carry all sorts of stuff from Tom -- you see, facing a $10 court judgement upheld by the Supreme Court, Tom has sworn an oath of poverty to avoid giving the Zionist Occupational Government any more blood money) is at:

http://www.free.cts.com/crash/m/metzger/

-rich
http://www.c2.org/~rich/Not_By_Me_Not_My_Views/rebuttal.html

From unicorn at schloss.li Sat May 18 05:56:13 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Sat, 18 May 1996 20:56:13 +0800
Subject: Defeating fingerprints
In-Reply-To: <199605172219.PAA20898@netcom11.netcom.com>
Message-ID:

On Fri, 17 May 1996, Dave Harman wrote:

> Shellac or epoxy glue does NOT work, if the thickness is at all manageable.
> Tried it, The ridges always find a way to get through.
> It also provides a weaker bond to dry skin than you'd expect.
> The thicker the more likelihood of peeling off.
> Even Krazy Glue. (The UL BS is false.)

Use krazy glue gel. Works wonderfully for me.

>
> --
> Serenity, Etc.
>

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From stewarts at ix.netcom.com Sat May 18 06:06:54 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Sat, 18 May 1996 21:06:54 +0800
Subject: Past one terabit/second on fiber[PHONE GEEK TALK]
Message-ID: <199605170553.WAA22076@dfw-ix6.ix.netcom.com>

>>> "Wow", I said. Far faster than the 2.5 Gb/sec transmission that is
>>> currently fairly standard for long-haul fiber trunks.
>>The ads say they are selling it - that doesn't mean shipping it... yet
>>at least. (Note that my employer is a direct competitor of Lucent
>>so I have a vested interest in setting the facts straight)

No comment :-) And I certainly don't presume to speak for Lucent....

Traditional fiber-optic technology is a hybrid between electrical and optical components - big hulking multiplexers feed a high-speed electrical signal to a laser, which sends optical pulses down the fiber. Every N km, a regenerator reads the photons, decides if it saw a 0 or 1, and feeds that as an electrical signal to an output laser. Repeat as needed. This means that if you want to upgrade the signal speed, you not only need to replace the muxes and lasers, you need to replace all the regens. That's more of a problem for long-distance companies than locals (the common FT Series G 1.7 Gb system uses them every 40 km.)

The new optical amplifiers not only go farther (e.g.
120 km), but they do everything optically instead of dropping down to electrical so they support a wide range of data speeds. I don't know that they can support the 1Tb experimental stuff, but they work fine for the 8-color x 2.5Gb Dense Wavelength Division Multiplexing stuff AT&T will be using.

This means that the first time you do an upgrade, you need to rip out a bunch of regens, splice around 2/3 of them, replace 1/3 with opamps, and optionally replace the equipment at the ends with even bigger hulkinger multiplexers. Depending on capacity needs, you may not fire up all 8 colors at once. The next time you want to upgrade the same route, replace the muxes if you didn't, or fire up more colors, or upgrade to the new Year 2005 model.

And since you've got to pick _some_ framing technology, it might as well be SONET, which lets you build self-healing rings if you want (the FDDI-like configuration, which not everyone uses, burns half the capacity on restoration circuits, more than some of the less-healable SONET configurations or mux-based restoration like AT&T's FASTAR.)

AT&T has announced that they'll be pouring lots of capital into this over the next few years, partly to keep up with demand, and partly to deploy SONET rings for faster restoration.

>I was figuring they'd cut out silences...as well as echo-suppression
>cutouts. Do they still do this? Given modern fiber's capacity, I wonder
>if they bother.

Voice compression and silence suppression aren't done domestically (at least by most carriers.) Undersea cables still use this, though I don't know how much it's done on the newer fiber cables. Of course, people running private networks do whatever they want, and for overseas connections, people are often willing to trade lower-voice-quality compression for the cost savings, especially if the PTT on the far end is expensive.

>>I don't know that any number fiber cable is "standard" but
>>36-fiber cable is not unusual.
>>To find the capacity of a cable, you
>>have to cut the number of fibers in half (as you did) because
>>generally each fiber is used only for a single direction of traffic.
>>You then have to cut it in half again because phone companies have
>>everything redundant.

A fairly common configuration for FT Series G is 8 fiber pairs (one fiber for each direction), with 7 in service and 1 protection pair to recover from mux-card and regen failures and other single-fiber hits. To restore whole-bundle hits (e.g. backhoe fade), some of the 7 pairs are typically dedicated to restoration - though seldom half. The restoration pairs are often used for short-time reserved applications such as TV connections for sports events, videoconferencing, or other applications where someone needs a lot of bandwidth for a short time and is willing to be pre-empted or blocked if there's a failure.

>There's also a lot of 'dark fiber' out there, right? Fiber laid as
>part of a cable but not activated, because it's not yet needed.

That's _highly_ location and company dependent. Long-haul connections are likely to be used efficiently, because you can get economies of scale and because growth will fill them up (e.g. across the Rockies). Short-haul connections (e.g. around town) are more likely to have dark fiber because the big costs are digging up streets and paying for government officials\\\\\\\\ licenses and permits rather than the costs of the fiber you're putting in a trench once you dig it. And the short-haul doesn't need regens, and often uses lower bandwidth than the fiber can handle (OC3 muxes are much cheaper than OC48, though per-Mbps they cost more.) And of course, _everybody_ seems to want a T3 to the Bay Area or other Internet-heavy locations.

>> I would add that much of a
>>phone company's cost is in billing and customer service, etc.
>>Not the cost of installing and maintaining the fiber and equipment.
>
>This suggests that there would be a market for a LD phone company that
>charged, say, a yearly payment of $200-300 for essentially unlimited use. (The main
>impediment to this would be regulatory; as I understand it LD companies have
>to pay local telco's for connections on a per-minute connect basis. Is that
>right? This needs to get fixed.) Their billing costs would be very small.

There's a lot of cost in switching equipment as well. A feature-rich voice telecom switch costs _far_ more per 64kbps voice circuit than the 1/(24*28*36=24192) fraction of a fiber that carries it. And big muxes, while cheaper than voice switches, are still expensive.

>>Internet telephony should make the use of bandwidth even more
>>efficient - thereby cutting costs. The big guys who own
>>the fibers will still make money - the pipes that carry internet
>>traffic are still needed. But the little guys will get squeezed out.
>>(until they become ISPs ;-). Internet traffic could theoretically
>>be carried over this large amount of protection fiber (mentioned above)
>>that is out there for a much lower marginal cost than the current
>>T3 or OC3 pipes that are being used.

In addition to Internet telephony, ATM switch makers are doing voice compression, and some of the fiber vendors are starting to use their equipment to offer business voice services. And voice-over-frame-relay, which has more delay and therefore doesn't handle voice as well, also is getting some market, especially internationally.

Pricing is a really difficult problem - if you price bandwidth proportional to the 64kbps voice circuits, it's either too expensive for most businesses to buy much or priced too low to make money on switched voice. But if you price high-speed circuit bandwidth much cheaper than proportional, it becomes cost-effective to buy customer-premises equipment and bulk bits and run your own phone services.
Phone companies have been worrying about this for video services for years, but fortunately Moore's Law and research have let compression improve enough that you can run cheap video on 2*64kbps and good video on 6*64kbps, so they haven't been killed. But Internet and similar data needs are starting to demand high bandwidth at low costs, and the market will have to catch up somehow.

# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus innoculation

From jya at pipeline.com Sat May 18 06:14:04 1996
From: jya at pipeline.com (John Young)
Date: Sat, 18 May 1996 21:14:04 +0800
Subject: GEK_cod
Message-ID: <199605171630.QAA18952@pipe2.t1.usa.pipeline.com>

5-17-96. WaPo: "The Code Of the Geeks."

A longish lifestyles profile of Robert Hayden and his Geek Code -- "a series of letters usually found on the bottom of e-mail messages that, when deciphered, offer a snapshot of the user's geekiness." It's a way for geeks to scope out one another. But Hayden says it's a part of his effort to take the eek out of geek -- to turn what's largely thought of as a negative stereotype into something positive.

"Gates had an opportunity to be one and he gave it up. That happened when he decided that making money is more important than making good computer code. One geek trait is that you take pride in your work and it's my opinion that Microsoft hasn't produced a lot that's to be proud of."

"In a nutshell, a nerd is somebody who lets technology run their life and a geek is a person who runs their life with technology."

GEK_cod

From sawyer at nextek.com Sat May 18 06:24:09 1996
From: sawyer at nextek.com (Thomas J. Sawyer)
Date: Sat, 18 May 1996 21:24:09 +0800
Subject: Securing CDROM from piracy
Message-ID:

>>
>> >Is there any way of making
>> >sure that the guy doesn't pull a fast one on us? Can we ensure that he cannot
>> >duplicate the thing and start selling it without sharing the profit.
>>
>> Well, I suppose you could get it copyrighted before you hand it over for
>> distribution. I'd also put my logo and other info somewhere in the code,
>> such as an "About" box. They would have a hard time saying it wasn't
>> yours.
>>
>You are missing the point. Let's say a firm X is marketing my product. Now if
>they sell 500,000 copies and tell me that they have sold only 100,000, I have
>no way of figuring out.
>
> '88888888:::888888%' Vipul Ved Prakash Fax : +91-11-3328849
> '8888888::88888%' Positive Ideas. Internet : vipul at pobox.com

Ok, I see what you're looking for now. How about tracking the number of product registrations, either via a mail-in card or fax? I'm assuming that since this is a product to be sold, not given away, that persons purchasing the program would most likely take the time to fill out a product registration card and send it in. Since not everyone fills these cards out, it is not a 100% accurate method, but if there were any major discrepancies, then you would be aware of it.

Thomas J. Sawyer
sawyer at nextek.com

From mccoy at communities.com Sat May 18 06:31:31 1996
From: mccoy at communities.com (Jim McCoy)
Date: Sat, 18 May 1996 21:31:31 +0800
Subject: found nym-differentiation! Still need perpetual motion, FTL travel, cold fusion
Message-ID:

Bryce wrote:
>
> "Perry Metzger" is alleged to have written:
> (> Bryce wrote:)
>
> > > Simple as pie, because of some of the properties of DC-Nets.
> > > If someone sends out the wrong number of pubkeys, then
> > > everyone will know, right? So when that happens everyone
> > > just reveals their shared-secret data from the DC-Net
> > > session.
> >
> > And if several people lie about their shared secrets?

This is what secure bit-commitment is for. The refinements to the DC-net protocol since Chaum's original paper make this a non-issue if you are willing to spend the CPU cycles to do all of the necessary work.

> If some of your N participants are going to collude to share
> their nyms then it is manifestly impossible to stop them.
> But that doesn't bother me. The purpose of this scheme is
> to create N nyms for N people and be sure that each of the
> N people who wanted a nym got one. If you are sure that
> each of the N people wanted a nym, then you can be sure you
> have a one-to-one mapping between people and nyms, but
> unconditional untraceability from nyms to people.

Or, to rephrase the question in a manner which may lead you to the solutions which already exist for this problem: You have an anonymous access channel in which you need to do frame reservation such that each member can reserve one and only one frame for the transmission phase which follows frame reservation. You are both talking about disrupter detection in an anonymous channel and it has already been solved...

> But perhaps what you were talking about was a
> denial-of-service attack on the DC-Net's network layer.
> That has been addressed extensively in Chaum's original
> "Dining Cryptographers" paper. Chaum's method for dealing
> with denial-of-service attacks is typically brilliant, but
> even so it is an unwieldy and expensive (in terms of
> computation and bandwidth) proposition. I recommend "Dining
> Cryptographers" to everyone, and I hope that someone who
> reads it will come up with a better solution.

They already have. Actually, the trap method in Chaum's original paper is both expensive and flawed. Get a copy of EuroCrypt 89 and read the DC nets papers in there by B. den Bos and by Michael Waidner. If you are in the Bay Area I have a copy of Pfitzmann and Waidner's "Dining Cryptographers in the Disco: Unconditional Sender and Recipient Anonymity with Computational Serviceability" which I would be happy to make copies of.
This is probably the most comprehensively secure DC-net scheme I am aware of; although, like most Crypto papers, it is way more complicated and computationally expensive than necessary for real life.

jim

From erc at dal1820.computek.net Sat May 18 06:35:40 1996
From: erc at dal1820.computek.net (Ed Carp)
Date: Sat, 18 May 1996 21:35:40 +0800
Subject: The Crisis with Remailers
In-Reply-To:
Message-ID: <199605171622.MAA20895@dal1820.computek.net>

> A much richer ecology of remailers is sorely needed. A factor of at least
> 10 or 20 more (100-300 remailer sites), less reliance on specific sites, an
> "everyone a remailer" capability (which has many elegant advantages!), more
> traffic, temporarily instantiated sites, digital postage, greater ease of
> use (especially with crypto and chaining), and such things as nominal
> terminal remailers choosing to add their own hops (so as to lessen their
> own target potential). Having some of these improvements will be a big
> help.

I think it would help tremendously if elm or pine were hacked to allow for remailing. Even better would be some sort of dynamic remailer addressing - sendmail certainly doesn't allow for this capability. :( I think we need something similar to dynamic routing for remailers.

--
Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com
214/993-3935 voicemail/digital pager
Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi

"Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'"
-- "Losing Your Mind", Karen Alexander and Rick Boyes

The mark of a good conspiracy theory is its untestability.
-- Andrew Spring

From sinclai at ecf.toronto.edu Sat May 18 06:46:18 1996
From: sinclai at ecf.toronto.edu (SINCLAIR DOUGLAS N)
Date: Sat, 18 May 1996 21:46:18 +0800
Subject: Defeating fingerprints
In-Reply-To: <199605172219.PAA20898@netcom11.netcom.com>
Message-ID: <96May18.012757edt.10522@cannon.ecf.toronto.edu>

> Shellac or epoxy glue does NOT work, if the thickness is at all manageable.

Not that random playing with carcinogenic chemicals is a good idea, but... I've found that if you use just one reagent from epoxy glue, the collagen in your skin will dissolve. You can sculpt it into whatever shape you want, and it will stay that way for an hour or so. I don't remember if it was the resin or the hardener though. This was regular 5 minute epoxy.

From mark at infolawalert.com Sat May 18 06:55:10 1996
From: mark at infolawalert.com (Mark Voorhees)
Date: Sat, 18 May 1996 21:55:10 +0800
Subject: Zimmermann v. ViaCrypt???
Message-ID: <199605171721.NAA17938@park.interport.net>

Read http://infolawalert.com/stories/051796a.html for a story on how Phil Zimmermann is trying to retrieve all the rights to PGP from ViaCrypt in order to jump start his new venture, PGP, Inc. He's taking a sell out or get sued approach with ViaCrypt, which until recently has not had much success marketing PGP.

Mark

PS--Apologies in advance if this has been posted before.

From weidai at eskimo.com Sat May 18 06:55:34 1996
From: weidai at eskimo.com (Wei Dai)
Date: Sat, 18 May 1996 21:55:34 +0800
Subject: anonymous companies
In-Reply-To: <199605171837.LAA09867@dns1.noc.best.net>
Message-ID:

On Fri, 17 May 1996 jamesd at echeque.com wrote:

> In some businesses we can solve this problem by cryptographic control
> mechanisms, such as open books banking. In others, such as net startups,
> I see no solution other than increased reliance on personal individual
> capital.

I've seen the phrase "open books" used several times in the past on this list.
Can anyone explain what it means or provide some references?

Wei Dai

From cp at proust.suba.com Sat May 18 06:58:09 1996
From: cp at proust.suba.com (Alex Strasheim)
Date: Sat, 18 May 1996 21:58:09 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
In-Reply-To:
Message-ID: <199605171818.NAA03531@proust.suba.com>

> > The problem that I think the Scientology postings raise is that the
> > remailers cannot really be used to post copyrighted material. That is
> > what got the netherlands hacktic remailer shut down. This shows, BTW,
> > that being outside the United States is no guarantee of immunity. Most
> > Western countries support copyrights.
> [snip]
>
> I find this all very odd, since the Dutch court ruled that the use of the
> Fishman affidavit on Karin Spaink's web page was not a copyright
> violation, as Fishman was part of a US judicial record. I'm assuming
> that the Fishman material is what they approached Hacktic about, as well, but
> I'm not sure. Maybe this is about something else (the NOTS materials), or
> maybe the threat of legal action was enough to do Hacktic in, despite what
> would seem to be a favorable precedent.

The problem is more fundamental than copyrights or the specifics of this case. It might be true that Hacktic could win in court, but why should Hacktic take the chance? Or spend the money to prove their case?

The remailer net won't stand up to challenges of any strength because no one gets anything for running a remailer. It doesn't matter if the challenges are strong enough to win, or if they ultimately have any merit. If you don't get anything for winning and you'll get burned if you lose, the expected value of the game is negative no matter how unlikely losing is.

If you want the remailer system to stand up you have to make the expected value positive. The expected value of bookmaking is positive, even though it's illegal to take sports bets in most states.
As a consequence it's not hard to find someone to take a bet. Individual bookies may come and go, but the system will always be there.

If the expected value of running a remailer was positive, the remailer system would thrive even if it was illegal to run one.

To make the expected value positive, you have to (a) make it profitable to run a remailer, and (b) set up a protocol that gives someone who runs one a fighting chance of not getting busted. (a) is easy enough in theory, but I don't know how you could do (b), at least not if you wanted to let people do public things with the remailers (like post to usenet).

From frissell at panix.com Sat May 18 07:02:06 1996
From: frissell at panix.com (Duncan Frissell)
Date: Sat, 18 May 1996 22:02:06 +0800
Subject: Why the Poor are Mostly Deserving of their Fate
In-Reply-To:
Message-ID:

It was understandable to be poor when all the world was poor. It is understandable to be poor in those nations today that make the accumulation of wealth a crime for most people. It is not understandable to be poor (for long) in the US where one can reliably get out of poverty simply by doing three simple things:

1) get a high school diploma
2) get married
3) get any job

Only about 2 tenths of 1% of those who satisfy those three requirements have incomes below the official poverty line.

Like most libertarians, I dislike the government. I don't care what a person's income is. When I was self-supporting on an income of $200 a month in 1979, I was below the poverty level for a single person myself. I am not enamored of the rich or poor members of the dependent classes of course.

I try and keep in mind that 80-90% of the "take" in government programs for the "poor" goes to unpoor government employees.
DCF

From alanh at infi.net Sat May 18 08:19:38 1996
From: alanh at infi.net (Alan Horowitz)
Date: Sat, 18 May 1996 23:19:38 +0800
Subject: Past one terabit/second on fiber
In-Reply-To: <199605150618.XAA28824@pacifier.com>
Message-ID:

Hey, let's build faster and faster fiber-optic networks. Let's create bandwidth so cheap that it won't even pay to meter it.

Yes, the world's problems will be solved if we have more and more people talking longer and longer on the telephone, sending each other more and more pages of faxes and e-mails, creating more Web pages, playing virtual reality games. Anything and everything must be done to encourage people to occupy and consume bandwidth.

Now that's progress, don't you think?

From cmcurtin at fahlgren.com Sat May 18 08:38:22 1996
From: cmcurtin at fahlgren.com (C Matthew Curtin)
Date: Sat, 18 May 1996 23:38:22 +0800
Subject: S-Tools 4 now available
In-Reply-To: <2.2.32.19960516202120.0038302c@mail.pi.se>
Message-ID: <199605181037.GAA10219@goffer.ee.net>

>>>>> "Matts" == Matts Kallioniemi writes:

Matts> At 17:41 1996-05-13 CST, Roy M. Silvernail wrote:
>> I suppose this is market pressure, but it means you are
>> alienating a number of potential users (including myself). Some of
>> us are working toward being Microsoft-free, you know.

Matts> It's not just marketing, it's a fact of life. 16 bit operating
Matts> systems are not supported any more. Just as 8 bit OSes haven't
Matts> been supported for quite a while either. There will come a day
Matts> when 64 bits are considered the minimum for useful software
Matts> (large database systems are already there).

Matts> You just can't stick with 16 bits forever, MS-free or not. Face
Matts> it.

What does being MS-Free have to do with 16-bit operating systems? I'm another MS-free potential user, and I'm always in either 32 or 64-bit land.

Live free or die.
C Matthew Curtin
Just Another Hacker
http://users1.ee.net/cmcurtin/
PGP Public Key ID: cmcurtin at ee.net

From attila at primenet.com Sat May 18 08:39:55 1996
From: attila at primenet.com (attila)
Date: Sat, 18 May 1996 23:39:55 +0800
Subject: S-Tools 4 now available [for MS only?]
Message-ID: <199605180409.VAA08135@primenet.com>

Addressed to: Matts Kallioniemi
              roy at sendai.cybrspc.mn.org (Roy M. Silvernail)
              cypherpunks at toad.com

** Reply to note from Matts Kallioniemi 05/16/96 10:21pm +0200

= Date: Thu, 16 May 1996 22:21:20 +0200
= To: roy at sendai.cybrspc.mn.org (Roy M. Silvernail), cypherpunks at toad.com
= From: Matts Kallioniemi
=
= Subject: Re: S-Tools 4 now available

roy is a microsofter --of course, is it written for microsquish and their compiler/api fad of the month?

is source code available, or is the code non-portable outside the limited interpreters and compilers of MS?

32 bit is obsolete --64 bits is the standard. after all there are other systems except MS.

I have a simple policy regarding MS --I just don't!

--
"Bill Gates is greedy because he has amassed a fortune of US$ 15,000,000,000 ($15 billion) but the US Government is a helpful Village because it takes US$ 1,400,000,000,000 ($1.4 trillion) from us each year and does good things with it."
--Hillary Clinton

From WlkngOwl at unix.asb.com Sat May 18 08:44:11 1996
From: WlkngOwl at unix.asb.com (Deranged Mutant)
Date: Sat, 18 May 1996 23:44:11 +0800
Subject: "Too cheap to meter"
Message-ID: <199605181102.HAA26641@unix.asb.com>

On 17 May 96 at 18:54, Timothy C. May wrote:
[..]
> Alan's irony is well-placed. The most egregious repetition of the "too
> cheap to meter" nonsense is George Gilder's "dark fiber" vision...a vision
> of "infinite bandwidth" to all users.
>
> Guess what? If Gilder's "dark fiber" is ever built, there are a lot of
> folks who will "fill it" rather quickly. Canter and Siegel were just the
> beginning. "Too cheap to meter" goes away pretty quickly.

Remember not-so-many-years-ago when 640k PCs were awesome and a 40MB HD was unfillable? A better phrase is "if you build it, they will fill it (eventually)".

Rob.
---
No-frills sig.
Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto)
        AB1F4831 1993/05/10 Deranged Mutant
Send a message with the subject "send pgp-key" for a copy of my key.

From qut at netcom.com Sat May 18 08:44:55 1996
From: qut at netcom.com (Dave Harman)
Date: Sat, 18 May 1996 23:44:55 +0800
Subject: [Yadda Yadda Heil Dave] Re: Forced to your knees by Legal VIOLENCE
In-Reply-To:
Message-ID: <199605181058.DAA24165@netcom11.netcom.com>

> I responded to Skippy's on-topic, more or less substantive questions about
> remailers in Message-ID
>
> This has absolutely nothing to do with crypto, but that's what I
> subscribed to coderpunks for.
>
> On Fri, 17 May 1996, Dave Harman wrote:
>
> > Ask our resident "free speech for RESPECTABLE dissidents,"
> > L. Lurch at stanford.edu (racial capitali$t d0g)
> > for a virulent defense of Co$ style tactics against racists.
> > Ask him about SPLC, Seraw vs WAR, Tom, John METZGER.
>
> I grew up 15 minutes from Metzger and played soccer with one of his kids,
> and he threatened some friends of mine. I've talked to his sidekick Wyatt
> Kaldenberg about other things, and defended their absolute right to free
> speech on occasion. But other than that, I don't know much about Metzger.
> Skippy seems to have this illusion that I'm some big bad anti-racist,
> which I find amusing.

Another non-rebutted rebuttal. I care nothing about yours or Metzger's personal life, this is FAR ramnificated severity.

And, the analogy I made CLEARLY was the similarity between Co$ and SPLC; And the VICTIMS: WAR and Wollersheim,Fishman,etc. CO$ AND WAR DON'T HAVE THE SLIGHTEST RESEMBLANCE!!!:

> Another WAR/CoS mal-analogy one could scrawl is that Metzger has paid
> about as much of the judgement awarded to the murder victim's family as
> CoS has paid to Wollersheim.
> But I wouldn't follow that line of reasoning
> myself, since I'm no fan of the SPLC. Maybe they did a good thing in the

And, the analogy I made CLEARLY was the similarity between Co$ and SPLC; And the VICTIMS: WAR and Wollersheim, Fishman, etc. CO$ AND WAR DON'T HAVE THE SLIGHTEST RESEMBLANCE!!!:

> Seraw murder case, but their current suit against Pierce's neo-Nazi
> National Alliance seems rather SLAPP-ish to me. I'm sure Morty would try

SPLC vs WAR set the SHOCKING precedent.

> to justify going after deep-pocket racists by saying that they deserve it
> because the $4.5 million or so that The Order White Nationalist
> Revolutionary [cough] Movement liberated from banks and convenience stores
> has never been recovered, but he's wrong. Sure Bobby claimed to be doing

ADL claimed $50,000 was funneled to NA from the beginning. No proof whatsoever, as they haven't pressed the matter to proceedings.

> those robberies in the name of the Aryan Cause, but it looks like he
> really spent the money on himself, just like any other "political" crook
> (the Contras, the FMLN, Sendero, the Machateros, the US Congress, etc).

You mean he laundered the money right before his death, and his heirs got it all? WOW! What a Don!

> The SPLC probably has a web server somewhere with more details, but
> there's a minimal amount of information about the case at:
>
> http://www.almanac.bc.ca/cgi-bin/ftp.pl?people/m/metzger.tom
> http://www.almanac.bc.ca/cgi-bin/ftp.pl?orgs/american/war

These say nothing. SPLC has avoided the net, because its two periodicals are so embarrassing to the anti-racists. You need to go to the library and check up on Klanwatch for the years 89-93 for the sordid details.

> Tom Metzger's web page (sorry, it's actually John Metzger's web page,
> which happens to carry all sorts of stuff from Tom -- you see, facing a
> $10 court judgement upheld by the Supreme Court, Tom has sworn an oath of

$10,200,000!!!! 25% of income confiscated for 20 years!!!

> poverty to avoid giving the Zionist Occupational Government any more
> blood money) is at:

Ignoroid, ALL the Metzger funds are being transferred with the large mulatto Seraw family as sole beneficiary. Co$/SPLC political harassment cases are NOT done to raise funds, but suppress organisation.

> http://www.free.cts.com/crash/m/metzger/
>
> -rich
> http://www.c2.org/~rich/Not_By_Me_Not_My_Views/rebuttal.html
>
>

--
God grant me the serenity to accept the things I cannot change, the courage to change the things I can, and the wisdom to know the difference

From jimbell at pacifier.com Sat May 18 09:01:46 1996
From: jimbell at pacifier.com (jim bell)
Date: Sun, 19 May 1996 00:01:46 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
Message-ID: <199605160502.WAA24002@pacifier.com>

At 02:29 PM 5/15/96 -0700, jamesd at echeque.com wrote:
>At 10:58 AM 5/15/96 -0700, Hal wrote:
>> The problem that I think the Scientology postings raise is that the
>> remailers cannot really be used to post copyrighted material.
>
>The major battle the net has faced is with the church of scientology.
>In this battle the net is clearly in the right, and the church clearly
>in the wrong, regardless of what copyright law says.

The copyright issue is probably irrelevant to the Scientology dispute, anyway. The material on which the copyright is claimed almost certainly wasn't marked, appropriately, as it would have had to be for the copyright to be valid. While current law no longer requires the "circle-C" notation long used for this purpose, the material involved is far more than old enough to have been subject to this requirement, and once a copyright is lost (or not claimed) I believe it couldn't be regained.

The threat to remailers is one of the many reasons the Leahy bill sucked, and that would have made it worse by imposing criminal sanctions on this kind of thing.
Ironically, with the way remailers are used, it would actually have been possible for some copyright holder to fabricate a violation of copyright law by posting his own material through remailers, and then sue the final remailer, or have its owner prosecuted.

I'm glad the people around here finally saw the light.

Jim Bell
jimbell at pacifier.com

From iang at cs.berkeley.edu Sat May 18 09:16:23 1996
From: iang at cs.berkeley.edu (Ian Goldberg)
Date: Sun, 19 May 1996 00:16:23 +0800
Subject: HUGE denial of service attack against any ecash customer!!!
Message-ID: <199605152309.QAA23293@abraham.cs.berkeley.edu>

-----BEGIN PGP SIGNED MESSAGE-----

(Again Cc:'d to ecash-feedback, hoping for a security prize. I wonder who's keeping track... Also Cc:'d to cypherpunks, for fun...)

So I had some more free time... (Dave cringes when I say that.)

Here's a cute one: Give me an account number, and I can prevent it from being used until an arbitrary time in the future (of my choosing).

How? Simple. Send a deposit message with 0 coins (well, any message will work, I think, but this is one of the simplest messages there is) with a timestamp of some future time. Messages stamped prior to that (such as everything coming from the actual user for that account, until the time comes) will be politely discarded. (Actually, I think the last reply to a withdrawal request is continually resent, but I'm not exactly sure of this.)

In any case, the actual user will be unable to withdraw money from his mint until the time sent in the denial-of-service message. (Unless he forward-dates his computer's clock, or something...)

I've tested this against myself and Sameer (with his cooperation, of course). Anyone else want to be locked out for an hour? (Actually, I could pretty effectively lock out _everyone_ for an arbitrarily long time, it seems...)

- Ian "Right. I want the sources to the client and the server released. Now."
:-)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMZpj3kZRiTErSPb1AQF0SAQAmOEZJTg0v3utWFodDXZ4iv4xa7I+QbNQ
Nlsbkug8dtkdf+Jboe+vBtrs5IWSSff8bWntGwfODckct26NwzpVM9bUIXohVoRQ
jOkRT9a8m/X00jUAoFOTq5O5Rz87a3Uw8MGFugP5Y4DCk+UqnTA70cuozyOCgb8m
8oke89V9Q0E=
=ARMe
-----END PGP SIGNATURE-----

From jf_avon at citenet.net Sat May 18 09:17:27 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Sun, 19 May 1996 00:17:27 +0800
Subject: Why does the state still stand:
Message-ID: <9605160023.AA14246@cti02.citenet.net>

On 15 May 96 at 18:42, Black Unicorn wrote:

> Potential, but you can manage risk with things like dead drops from
> trusted parties to forwarding agents to offshore drops to....

I can just visualize a trusted party dropping discreetly a bright yellow Caterpillar D-12 in a dead letter box... ROTFL! Sorry, but I couldn't resist. I just *love* silly humor...

> Realization means that there is a changing of hands or of forms of
> assets. Income tax and taxes on currency now are dependent on such
> transactions. Someone already noted the problems with just taxing
> possession on a given date of e.g., inventory. To tax efficiently
> you have to tax an event of transfer.

Why? Is it because of the nature of a transfer, it lends itself more to reporting and detecting? Or is it simply because of the legal system structure?

> Give me context. It's possible to kill the president too. That
> doesn't mean it will become the basis of government.

I think that Mr. Bell defined the context quite well and thoroughly. And, as he said, the president is unlikely to be the target of choice because it is not the most efficient one. Who cares about the president? Who is he without the govt machine?

> That's what anonymous transactions are for.

If anonymous transactions are feasible, so will be the AP scheme... AP can be, in a way, characterized as a weapon because it behaves like one. And no weapon in the history of humanity remained unused.

> I forwarded two large segments of the work to the list, yes. If
> you, or anyone else on the list, would like copies, let me know.

These were the first two that constituted part 1 of 4. I wondered if you posted the other parts. If so, tell me so I can get to the archives.

Regards.

JFA

DePompadour, Societe d'Importation Ltee
Limoges porcelain, Silverware and mouth blown crystal glasses
JFA Technologies, R&D consultants. Physicists, technologists and engineers.
PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891
Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have accepted the above mentioned terms.

From frantz at netcom.com Sat May 18 09:40:58 1996
From: frantz at netcom.com (Bill Frantz)
Date: Sun, 19 May 1996 00:40:58 +0800
Subject: Why does the state still stand:
Message-ID: <199605162310.QAA06491@netcom8.netcom.com>

At 6:44 PM 5/16/96 -0400, E. ALLEN SMITH wrote:
>From: IN%"frantz at netcom.com" 15-MAY-1996 22:39:50.97
>
>>You could require daily payment and forgo the escrow agent. (Assuming you
>>are willing to risk a day's pay as an experiment in reputation.) Note that
>
> This could work for fixed payments. But what about things like
>profit-sharing?

I think building trust in this kind of thing is a big problem. There are so many ways you can get ripped off. Failure to distribute. Fake costs in the accounting. Off record sales of the product. Phantom partners who do nothing but funnel profits to someone. etc. etc. etc.

A fully anonymous audit may be what is needed, unless you are able to build enough trust in an individual nym that you won't get ripped off. Anyone got a protocol for fully anonymous auditing?

------------------------------------------------------------------------
Bill Frantz       | The CDA means  | Periwinkle -- Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From jya at pipeline.com Sat May 18 09:43:13 1996
From: jya at pipeline.com (John Young)
Date: Sun, 19 May 1996 00:43:13 +0800
Subject: NYT on Netscape Flaw
Message-ID: <199605181156.LAA22255@pipe5.t2.usa.pipeline.com>

The New York Times, May 18, 1996, pp. 31, 43.

New Netscape Software Flaw Is Discovered

By John Markoff

Computer science researchers at Princeton University said yesterday that they had discovered a new and potentially serious flaw in the Netscape Communications Corporation's Navigator software, the leading program used to browse the World Wide Web of the Internet.

The flaw, which was found in recent versions of the Netscape software that support Sun Microsystems' Java programming language, could allow people to write destructive or malicious programs and potentially destroy or steal data or otherwise tamper with a computer that was connected to the Internet and used the Navigator program.

Netscape executives said that the researchers had been in touch with them about the problem on Thursday and that the software company was in the process of producing a new version of the Navigator program that would protect against potential attacks.

This is the third flaw in the Navigator program discovered in recent months by the Princeton group. Netscape has been under tremendous scrutiny over the security of its popular software since the fall, when a group of researchers at the University of California at Berkeley discovered a flaw in the Netscape security system.

In the most recent case, Thomas Cargill, an independent software consultant working with the Princeton group, discovered a problem in the way Netscape has used the Java language in its Navigator program.

The group disclosed a similar flaw in March in the Netscape Navigator that would permit a Java program to run illicitly on a computer that was running the Netscape program and perform damaging operations.

"Netscape has fixed a series of problems, and the overall security of their system has improved, but there is still some reason for concern," said Prof. Edward Felton, the leader of the Princeton group, which includes two graduate students, Drew Dean and Dean Wallach.

Programs that are known as viruses and worms are a serious threat to computer networks because they can move from machine to machine quickly, carrying out destructive applications.

Sun Microsystems' Java language has been designed to limit what a virus can do once it is transferred across the Internet. But the security mechanisms only work if the virus's code can be restricted in a safety "box" constructed out of software.

Netscape's executives acknowledged yesterday that the Princeton University team had on both occasions been able to find doors that let program code out of the safety box.

"We're trying to create a sandbox which has rooms where only certain things happen," said Jeff Trehaft, Netscape's director of security. "What happened is that the Princeton team found a door and it turned out that there weren't adequate protections surrounding the door."

The company said it was in the process of posting on the Internet a new version of the most recent test version of its next-generation Internet program, version 3.0 beta. The program contains a special fix to prevent the new attack.

He said Netscape had not yet posted a fix for the most recent commercial release of its software, version 2.02, but was instead encouraging customers to use the 3.0 beta software.

Since the Berkeley researchers discovered the first security flaw the company has offered a $1,000 "bugs bounty" to programmers who are able to locate security flaws.

[End]

From blancw at MICROSOFT.com Sat May 18 10:24:02 1996
From: blancw at MICROSOFT.com (Blanc Weber)
Date: Sun, 19 May 1996 01:24:02 +0800
Subject: Edited Edupage, 9 May 1996
Message-ID:

Just had to say this, on two statements from Doug Hughes:

>1.
You don't understand at all. It's not about being people down, it's about bringing them 'UP'.

>2. ...making sure everybody has a good education is of paramount importance to any society.
......................................................................

These sentiments are noble and on the face of them sound agreeably empathetic with Mankind. But what would be required to bring people "up" (in spite of themselves) and compose them into someone's idea of a good citizen in a great society, would be to own them and thus to have the right to turn them and shape them into what they "ought to be", so that they may function on the same level as "everybody else".

Alternatively they could be set free (from tyrants & such - and we all know who they are) to attend to the project of constructing a life, to seek after creative solutions to the problems of existence on their own chosen level of effort & ambition. Which is what this American society was supposed to be about, I've read. (Other countries have their own well-known methods of solving this "problem".)

   ..
Blanc

I hope I'm not the only one here who thinks so.

From erc at dal1820.computek.net Sat May 18 10:42:30 1996
From: erc at dal1820.computek.net (Ed Carp)
Date: Sun, 19 May 1996 01:42:30 +0800
Subject: Spending a year dead for tax purposes
In-Reply-To: <199605170659.XAA22441@dfw-ix10.ix.netcom.com>
Message-ID: <199605171624.MAA21076@dal1820.computek.net>

> Now, the US government _could_ declare a 50% import duty on imported software
> (avoiding the uncollectability of income tax) which would of course be evaded.
> The government could respond to this by requiring all software
> to include a serial # and the TaxID number of the vendor
> (if the vendor is an importer, then she'd have to have Customs Receipts
> or other documentation of US origin to expense her costs for tax purposes.)
>
> In this environment, the employees would have to remain unknown to the US,
> but might be known to the Aliceco or Caribsoft.
> Of course, Alice may be a Fed,
> or Caribsoft employee Paul may be a Plant, so there are
> some benefits to pseudonymity; depends on how paranoid you need to be.
>
> Or they could declare Anguilla to be an Economic-Terrorist Enemy,
> covered by the Trading With The Enemies (Especially Cuba) Act.
> Restricting acceptance of foreign digicash would be difficult.

Or they could distribute software electronically and require digital cash as payment, avoiding the whole issue.

--
Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com
214/993-3935 voicemail/digital pager
Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi

"Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'"
-- "Losing Your Mind", Karen Alexander and Rick Boyes

The mark of a good conspiracy theory is its untestability.
-- Andrew Spring

From sawyer at nextek.com Sat May 18 10:48:54 1996
From: sawyer at nextek.com (Thomas J. Sawyer)
Date: Sun, 19 May 1996 01:48:54 +0800
Subject: Securing CDROM from piracy
Message-ID:

>>
>> >Is there any way of making
>> >sure that the guy doesn't pull a fast one on us? Can we ensure that he cannot
>> >duplicate the thing and start selling it without sharing the profit.
>>
>> Well, I suppose you could get it copyrighted before you hand it over for
>> distribution. I'd also put my logo and other info somewhere in the code,
>> such as an "About" box. They would have a hard time saying it wasn't
>> yours.
>>
>You are missing the point. Let's say a firm X is marketing my product. Now if
>they sell 500,000 copies and tell me that they have sold only 100,000, I have
>no way of figuring out.
>
> '88888888:::888888%' Vipul Ved Prakash Fax : +91-11-3328849
> '8888888::88888%' Positive Ideas. Internet : vipul at pobox.com

Ok, I see what you're looking for now. How about tracking the number of product registrations, either via a mail-in card or fax? I'm assuming that since this is a product to be sold, not given away, that persons purchasing the program would most likely take the time to fill out a product registration card and send it in. Since not everyone fills these cards out, it is not a 100% accurate method, but if there were any major discrepancies, then you would be aware of it.

Thomas J. Sawyer
sawyer at nextek.com

From llurch at networking.stanford.edu Sat May 18 10:48:58 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sun, 19 May 1996 01:48:58 +0800
Subject: "Too cheap to meter"
In-Reply-To:
Message-ID:

On Fri, 17 May 1996, Timothy C. May wrote:

> At 2:38 AM 5/16/96, Alan Horowitz wrote:
> >Hey, let's build faster and faster fiber-optic networks. Let's create
> >bandwidth so cheap that it won't even pay to meter it.
>
> "Too cheap to meter"? Wasn't that what nuclear power promised in the 1950s?
>
> (I'm actually a supporter of nuclear power, for a variety of reasons, so
> this is not meant as just a cheap shot against nuke plants. But this was
> one of the "selling points" of nuclear, later shown to be a falsehood.)

Actually, nuclear power, per se, is damn cheap. It's the collateral effects (real, i.e., waste disposal and keeping fissile materials secure from terrorists, and imagined, i.e., overregulation) that are so expensive.

Just like the net. We could have a virtually free flow of information, but that's not exactly what the gubmint wants, is it. Not to mention that it's not exactly what we want, either -- Canter & Siegel are only the tip of the iceberg of the Tragedy of the Commons we'd see on a truly free network. We don't need the CDA or anything quite that stupid, but I'll drink to overpriced, arbitrarily restricted net access any day.
-rich

From llurch at networking.stanford.edu Sat May 18 11:02:33 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sun, 19 May 1996 02:02:33 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
In-Reply-To: <199605170432.VAA23960@dfw-ix9.ix.netcom.com>
Message-ID:

On Thu, 16 May 1996, Bill Stewart wrote:

> 4) I suppose if you're going to hack the remailer anyway,
> you could add a feature that adds a trailer like
> ==================================================================
> This message was posted from the anonymous remailer at www.jim.com.
> Send any complaints to webmaster at www.jim.com .
> Please don't post any copyrighted material longer than fair use quotations.
> And did you know that Scientology's highly overpriced documents say that
> ""
> ===================================================================

Once I was more or less done laughing and got off the floor, it occurred to me that this could provide a revenue stream for anonymous remailers. You'd charge advertisers sub-pennies for these little trailers. I understand that Sameer is getting very little Ecash for his remail/by-www.html, but maybe if he sold advertising space?

Sure it's crass, but it supposedly works for Juno, the "free email" service...

-rich

From blancw at accessone.com Sat May 18 11:15:38 1996
From: blancw at accessone.com (blanc)
Date: Sun, 19 May 1996 02:15:38 +0800
Subject: FW: anonymous companies
Message-ID: <01BB444D.D20F28C0@blancw.accessone.com>

From: Wei Dai

A company implies a particular kind of persistent structure, with a hierarchy of owners, managers, and employees. It is far from clear to me that this is the most likely organizational form in an anonymous digital economy. One possible alternative is to have no persistent organizations. Teams form spontaneously to work on individual projects.
Each individual member jointly negotiates a contract with every other member, and these contracts are enforced through some arbitration system.
.........................................................................................

This "virtual corporation" is something that I've read about (about 2 years ago) which is an idea already in use - someone has an idea for a kayak design, then he contracts out to other individuals all the different kinds of work he needs done to get it built. As soon as the project is complete, the company dissolves.

But here is where I think the problems with an attempt at total anonymity will occur, as has been mentioned: where the virtual meets the actual, where the anonymous electronic interaction must meet the solid real to complete the transaction.

The work of constructing physical things must be accomplished in an actual location. If the place is rented, rather than owned, the renter will be able to identify the rentee. Solid objects like kayaks need materials for construction. Someone must 1) get the particular kind of material which the kayak design requires, and 2) make it available for distribution to those who will want to use it. Material or parts buyers must be able to examine the stuff to make a purchasing decision. These must be delivered to an actual physical location. If large trucks are rented to deliver these things, then the drivers must know where that location actually is to deliver them.

Once the kayaks are constructed, they also must be delivered to the owner or to a store or storage building. They must be inspected for quality and meeting design specifications. They must be sold where individuals can look at the kayak, perhaps sit inside, and compare it with other models elsewhere (I don't think just looking at a photo on a web page will do for every purchasing decision). Back stock requires storage and probably someone to guard the building.
Perhaps the kayak purchaser will want lessons on using the thing, in an actual river.

In all these situations, decisions must be made which require a physical presence and interaction with the material of construction, with the object of attention. This is a point where anonymity would be very difficult and loss of confidence possible (if someone reneged on their agreements).

I can imagine total anonymity used most successfully when it is limited to activities which are totally electronic in nature, like programming, web design or ecash transfers. The more that a virtual company requires physical contact with the construction, storage, and movement of physical goods, and the more time that it engages the individuals involved, the more difficult it will be to keep away from everyone the knowledge of who is who in relation to those things and where everything is located in physical space.

I was thinking that I couldn't see purchasing groceries anonymously (if I made the purchases myself). Perhaps with a certain kind of store design.....still, it would be difficult. *Someone* would see me walking out with the groceries (why does this sound so funny).

   ..
Blanc

From weidai at eskimo.com Sat May 18 11:18:53 1996
From: weidai at eskimo.com (Wei Dai)
Date: Sun, 19 May 1996 02:18:53 +0800
Subject: anonymous companies
In-Reply-To: <199605142335.QAA13553@jobe.shell.portal.com>
Message-ID:

On Tue, 14 May 1996, Hal wrote:

> It might be interesting to make a list of all the problems people can
> think of why this idea won't work, paired with proposed solutions and
> workarounds - sort of a mini FAQ for this important (some might say
> ultimate) cypherpunk model.

I'll just give one problem: the principal-agent problem. How do owners of the company make sure the managers operate the company in their best interest?

Solution: reputation. If the managers don't do the right things, the owners arrange so that the managers lose reputation and won't get hired in the future.
Unfortunately the science of reputation is not so advanced that we know this will actually work.

Solution: smart contracts. This is Nick Szabo's idea of building contractual obligations into cryptographic protocols so that the parties have no choice but to fulfill them. But again we don't know whether this will actually work for this problem.

A company implies a particular kind of persistent structure, with a hierarchy of owners, managers, and employees. It is far from clear to me that this is the most likely organizational form in an anonymous digital economy. One possible alternative is to have no persistent organizations. Teams form spontaneously to work on individual projects. Each individual member jointly negotiates a contract with every other member, and these contracts are enforced through some arbitration system.

I'm not saying this is somehow better than the anonymous company model. It has just as many problems for which no easy solutions exist. I'm just pointing out that the properties of anonymous relationships differ quite radically from our current ones, and that these differences may be large enough so that the social and economic structures in such an anonymous digital world may not merely be analogs of currently common structures.

Wei Dai

From jamesd at echeque.com Sat May 18 11:19:00 1996
From: jamesd at echeque.com (jamesd at echeque.com)
Date: Sun, 19 May 1996 02:19:00 +0800
Subject: anonymous companies
Message-ID: <199605171837.LAA09867@dns1.noc.best.net>

At 06:42 PM 5/16/96 -0700, Wei Dai wrote:
>
> I'll just give one problem: the principal-agent problem. How do owners of
> the company make sure the managers operate the company in their best
> interest?

Actually looting of companies happens a lot right now today, and very seldom leads to criminal charges. Twice I have lost a job because the company I worked for went under, apparently due to looting.

> Solution: reputation.
> If the managers don't do the right things, the
> owners arrange so that the managers lose reputation and won't get hired in
> the future. Unfortunately the science of reputation is not so advanced
> that we know this will actually work.

At present venture capitalists seem to rely on the sniff-their-arses method. They talk to people and try and get a feel as to whether they are planning a robbery. This method is obviously likely to be less effectual as businesses move to the net.

This problem is probably the major reason why Net startups are physically located in Silicon valley, rather than world wide or nation wide.

Of course the problem is that if the venture capitalists can find them to sniff their arses, the bad boys can also find them to shake them down.

In some businesses we can solve this problem by cryptographic control mechanisms, such as open books banking. In others, such as net startups, I see no solution other than increased reliance on personal individual capital.

Athenian capitalism worked largely on personal capital. Because of their terrible arithmetic system, bookkeeping was really bad, and in consequence stock investments tended to go sour. Socrates lost a bundle in this fashion, which may explain his lack of enthusiasm for capitalists.

> Solution: smart contracts. This is Nick Szabo's idea of building
> contractual obligations into cryptographic protocols so that the parties
> have no choice but to fulfill them. But again we don't know whether this
> will actually work for this problem.

It will work for many particular cases of this problem.

---------------------------------------------------------------------
                                      |
We have the right to defend ourselves | http://www.jim.com/jamesd/
and our property, because of the kind |
of animals that we are. True law      | James A. Donald
derives from this right, not from the |
arbitrary power of the state.
| jamesd at echeque.com

From unicorn at schloss.li Sat May 18 11:26:17 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Sun, 19 May 1996 02:26:17 +0800
Subject: A cryptographic alternative to escrow agents (Matts' half coin)
In-Reply-To: <2.2.32.19960517185942.003ae7a4@mail.pi.se>
Message-ID:

On Fri, 17 May 1996, Matts Kallioniemi wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> Black Unicorn wrote (was: Why does the state still stand)
>
> >> . What if a company does not pay as expected - other than adopting
> >> Assassination Politics, what method could an employee use towards
> >> getting their expected remuneration for work done?
> >
> >If payment is made weekly, it should be made in advance to an escrow agent
> >who would issue a certificate that the payment for employee r2dd54 has
> >been received. The payment would then not be released to anyone without
> >the consent of the corporation and the employee.
> >
> >Obviously the escrow agent would have to be trusted.
>
> It should be possible to avoid that trusted escrow agent using blinded
> ecash and Matts' half coin algorithm.
>
> Bob wants to buy a $100 service from Alice. Alice wants to get paid if she
> performs the service.
>
> Bob and Alice each create half of a $300 ecash coin. They send their half
> coins to the ecash mint for signing, with instructions to withdraw $200
> from Bob's account and $100 from Alice's account for the signing of a
> $300 coin.
>
> When the mint has received both half coins, it signs the complete coin,
> withdraws the money and returns the signature to both Alice and Bob.
> Nobody can now use the coin alone because they don't know the other half
> of the random coin number.

The mint is the escrow agent. It still (obviously) needs to be trusted.

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."
in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From qut at netcom.com Sat May 18 11:34:50 1996
From: qut at netcom.com (Dave Harman)
Date: Sun, 19 May 1996 02:34:50 +0800
Subject: COMPLETELY ANONYMOUS POSTING & E-MAIL (fwd) [What BS]
In-Reply-To:
Message-ID: <199605172142.OAA14815@netcom11.netcom.com>

ON
>
> Posted in one of the sex newsgroups...
>
>
> In article <4n02a7$ime at newsbf02.news.aol.com> shhhnet at aol.com (ShhhNet) writes:
> From: shhhnet at aol.com (ShhhNet)
> Subject: COMPLETELY ANONYMOUS POSTING & E-MAIL
> Date: 10 May 1996 14:35:51 -0400
>
> COMPLETELY ANONYMOUS POSTING & E-MAIL
> Send and receive E-Mail and Post to newsgroups with TOTAL anonymity
>
> As you must know the government is getting ready to crack down on freedom
> of speech on the internet. Already people are being fined and imprisoned.
> Your service providers are being asked to turn over records and they are
> cooperating. Even if they don't want to cooperate they can be forced by
> the courts to release records to the authorities.
> Our New Service lets you send and receive E-Mail and post to newsgroups
> with no fear of your messages ever being traced to you. Not even a
> Federal Court Order will result in your identity being revealed. Finally
> total safety for your most confidential or controversial electronic
> messages.
>
> ShhhNET Will begin operating in late June and you can be a part of the
> only truly secure way to send and receive E-Mail or post to UseNet
> Newsgroups. For a limited time ShhhNet will be offered for only $50.00
> per Year. If you are interested, Please send E-Mail to ShhhNet at AOL.Com
> We will respond with information about how our service works and how you
> can be totally secure in your Internet transactions.

HOW BOGUS. NO FURTHER COMMENT OR FOLLOW-UP NECESSARY.

--
SERENITY, ETC.
From mark at infolawalert.com Sat May 18 11:53:36 1996 From: mark at infolawalert.com (Mark Voorhees) Date: Sun, 19 May 1996 02:53:36 +0800 Subject: Zimmermann v. ViaCrypt?? Message-ID: <199605161604.MAA22380@park.interport.net> There is a story @ http://infolawalert.com/stories/051796a.html describing how Phil Zimmermann is trying to retrieve all the rights to PGP from ViaCrypt in order to jump start his new venture, PGP, Inc. He's taking a sell out or get sued approach with ViaCrypt, which until recently has not had much success marketing PGP. Mark From matts at pi.se Sat May 18 12:04:22 1996 From: matts at pi.se (Matts Kallioniemi) Date: Sun, 19 May 1996 03:04:22 +0800 Subject: A cryptographic alternative to escrow agents (Matts' half coin) Message-ID: <2.2.32.19960517185942.003ae7a4@mail.pi.se> -----BEGIN PGP SIGNED MESSAGE----- Black Unicorn wrote (was: Why does the state still stand) >> . What if a company does not pay as expected - other than adopting >> Assassination Politics, what method could an employee use towards >> getting their expected remuneration for work done? > >If payment is made weekly, it should be made in advance to an escrow agent >who would issue a certificate that the payment for employee r2dd54 has >been received. The payment would then not be released to anyone without >the consent of the corporation and the employee. > >Obviously the escrow agent would have to be trusted. It should be possible to avoid that trusted escrow agent using blinded ecash and Matts' half coin algorithm. Bob wants to buy a $100 service from Alice. Alice wants to get paid if she performs the service. Bob and Alice each create half of a $300 ecash coin. They send their half coins to the ecash mint for signing, with instructions to withdraw $200 from Bob's account and $100 from Alice's account for the signing of a $300 coin. When the mint has received both half coins, it signs the complete coin, withdraws the money and returns the signature to both Alice and Bob. 
Nobody can now use the coin alone because they don't know the other half of the random coin number.

Next, Alice delivers the service to Bob.

If Bob is satisfied with the service, he and Alice write a message to the mint requesting that the complete coin be credited with $100 to Bob's account and $200 to Alice's. Alice has now been paid.

If Bob refuses to pay, Alice will never give him her half coin and he loses $200, but he got a $100 service, resulting in a net loss of $100.

If Alice refuses to deliver the service, Bob keeps his half coin and she loses $100.

Both participants lose $100 each if they don't complete the deal. That way they have the same incentive to come to an agreement.

To simplify the messages to the mint you could use two coins. One for $100 and one for $200. That way there would be a one-to-one relation between deposits, withdrawals and coins.

The algorithm described above (Matts' half coin) is copyrighted by yours truly Matts Kallioniemi. Patents pending.

Matts Kallioniemi

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From richieb at teleport.com Sat May 18 12:08:48 1996
From: richieb at teleport.com (Rich Burroughs)
Date: Sun, 19 May 1996 03:08:48 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
Message-ID: <2.2.32.19960517171832.00ab0b9c@mail.teleport.com>

At 10:02 PM 5/15/96 -0800, jim bell wrote:
[snip]
>The copyright issue is probably irrelevant to the Scientology dispute,
>anyway. The material on which the copyright is claimed almost certainly
>wasn't marked, appropriately, as it would have had to be for the copyright
>to be valid. While current law no longer requires the "circle-C" notation
>long used for this purpose, the material involved is far more than old
>enough to have been subject to this requirement, and once a copyright is
>lost (or not claimed) I believe it couldn't be regained.

I think you're wrong about that. You're confusing copyrights and trademarks, I believe. It's a trademark that you lose by not asserting it or defending it. Someone please correct me if I have this wrong :)

There have been claims that the copyrights were not transferred properly from Hubbard to RTC, but they have yet to be proven in court.

CoS won against Arnie Lerma in a summary judgement. Copyrights were definitely the issue in that decision.

>The threat to remailers is one of the many reasons the Leahy bill sucked,
>and that would have made it worse by imposing criminal sanctions on this
>kind of thing. Ironically, with the way remailers are used, it would
>actually have been possible for some copyright holder to fabricate a
>violation of copyright law by posting his own material through remailers,
>and then sue the final remailer, or have its owner prosecuted.

The ugly provision in the Leahy bill had to do with obstruction of criminal investigations, didn't it? The CoS copyright cases have all been civil. I don't see how it applies.

>I'm glad the people around here finally saw the light.

That part of the bill stunk, I agree...
Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From jya at pipeline.com Sat May 18 12:14:56 1996 From: jya at pipeline.com (John Young) Date: Sun, 19 May 1996 03:14:56 +0800 Subject: RUL_net Message-ID: <199605171635.QAA19173@pipe2.t1.usa.pipeline.com> May-June, 1996, Harvard Business Review. Two related articles which examine c'punks interests -- proposed business regulation of the Net; on-line security; copyright; encryption; authentication; E-cash; electronic commerce; protected communities to escape "frontier anarchy," and more. Executive summaries by HBR: "Ruling the Net." Debora Spar and Jeffrey J. Bussgang The Internet promises a radical new world of business. But for many companies, it has yet to deliver. Although doing business in cyberspace may be novel and exhilarating, it can also be frustrating, confusing, and even unprofitable. Debora Spar and Jeffrey Bussgang argue that the problems companies face have little to do with a lack of technology or imagination. Their problems stem instead from a lack of rules. Without the order that rules create, business cannot be conducted. The authors explain why the informal rules that have developed on the Internet since the 1960s are no longer sufficient. Businesses thinking of allowing millions of dollars of transactions to occur on the wide-open Net need specific assurances. They require clear definitions of property rights, a safe and useful means of exchange, and a way to locate and punish violators of on-line rules. The authors believe that the key to commerce on the Internet lies in the creation of managed on-line communities. 
Such communities can be formed by service providers -- entities that will restrict on-line options, fine-tune offerings to match a select group of users, and provide some means of recourse in cases of fraud or abuse. Under those conditions, they will draw new companies on-line and increase the productivity of those already there. And, say the authors, the rewards for service providers will be substantial: Companies that make the rules on the Internet's emerging frontier have the opportunity to reap the greatest profits. [40 kb] "The Real Value of On-Line Communities." Arthur Armstrong and John Hagel III The notion of community has been at the heart of the Internet since its early days, when scientists used it to share data, collaborate on research, and exchange messages. But how can businesses best use its community-building capabilities? Not merely by putting their products or services on-line, the authors contend. Real value will come from providing people with the ability to interact with one another -- from satisfying their multiple social needs as well as their commercial needs. Companies that create strong on-line communities will command customer loyalty to a degree hitherto undreamed of and, consequently, will generate strong economic returns. The authors present four different types of community: communities of transaction, interest, fantasy, and relationship. Examples of each type already can be found on the Internet or through on-line services, but the successful community of the future will incorporate all four -- or as many as possible. As for economic value, the authors see four ways for a company to generate returns: through usage fees, content fees, transactions and advertising, and synergies with other parts of its business. 
In the near future, new business definitions may emerge around the notion of owning a specific customer segment across the full range of its interests and needs; owning specific products and services may no longer be so important. The authors urge businesses marketing to consumers to make the small investment required to "buy an option" on electronic communities in order to understand both their potential value and the radical changes they may cause. [33 kb] RUL_net (for the 2, in 4 parts) ----- Reprints of "Ruling," No. 96309 and "Real Value," No. 96301 may be ordered from HBR for $5.00 each by email to: custserv at cchbspub.harvard.edu From merriman at amaonline.com Sat May 18 12:22:55 1996 From: merriman at amaonline.com (David K. Merriman) Date: Sun, 19 May 1996 03:22:55 +0800 Subject: Defeating fingerprints Message-ID: <2.2.32.19960518003504.0068cd08@mail1.amaonline.com> -----BEGIN PGP SIGNED MESSAGE----- At 03:19 PM 05/17/96 -0700, you wrote: >ON >> >> On Tue, 14 May 1996, Be Good wrote: >> > > Burglars and safecrackers sand the ridges off. >> > >> > This sounds like it'd work, but quite tedious. >> >> Belt sander and a light touch. > >I'm going to try this sanding experiment sometime. >When I get around to it, I'll post the results here. >(pressing hard with inkpad and paper) > >Shellac or epoxy glue does NOT work, if the thickness is at all managable. >Tried it, The ridges always find a way to get through. >It also provides a weaker bond to dry skin than you'd expect. >The thicker the more likelihood of peeling off. >Even Krazy Glue. (The UL BS is false.) Krazy glue _will_ glue fingers, if applied properly. I proved this to a fellow sailor in 1976 by gluing his thumb and forefinger around a JP-5 vent pipe aboard the U.S.S. Enterprise. Some folks might want to try liquid latex, contact adhesive, silicon sealers (RTV), or similar products. Soft, flexible, relatively convenient when applied, and can be 'layered' to the desired thickness. 
Liquid latex can usually be found in hobby/craft stores.

Dave Merriman

PS - Pls note new email address; old ISP proved to be unreliable.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

-------------------------------------------------------------
"Giving money and power to government is like giving whiskey
and car keys to teenage boys."
P. J. O'Rourke (b. 1947), U.S. journalist.
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
http://www.shellback.com/personal/merriman/index.htm

From frantz at netcom.com Sat May 18 12:48:47 1996
From: frantz at netcom.com (Bill Frantz)
Date: Sun, 19 May 1996 03:48:47 +0800
Subject: anonymous companies
Message-ID: <199605180506.WAA03476@netcom8.netcom.com>

On Tue, 14 May 1996, Hal wrote:
> It might be interesting to make a list of all the problems people can
> think of why this idea won't work, paired with proposed solutions and
> workarounds - sort of a mini FAQ for this important (some might say
> ultimate) cypherpunk model.

Another interesting question is how you do personnel selection for an anonymous enterprise. One possibility would be anonymous reputation passing, but I don't know any protocols for this. A participant would also want to take any positive reputation accruing away when the enterprise finished. (And the rest of us would want any negative reputation to stick as well.)

------------------------------------------------------------------------
Bill Frantz       | The CDA means  | Periwinkle -- Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From unicorn at schloss.li Sat May 18 12:53:01 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Sun, 19 May 1996 03:53:01 +0800
Subject: anonymous companies
In-Reply-To: <199605171837.LAA09867@dns1.noc.best.net>
Message-ID:

On Fri, 17 May 1996 jamesd at echeque.com wrote:

> At 06:42 PM 5/16/96 -0700, Wei Dai wrote:
> >
> > I'll just give one problem: the principal-agent problem. How do owners of
> > the company make sure the managers operate the company in their best
> > interest?
>
> Actually looting of companies happens a lot right now today, and very
> seldom leads to criminal charges. Twice I have lost a job because the
> company I worked for went under, apparently due to looting.

Be careful to distinguish "owner" from "employee." All too common a mistake I fear. Until someone passes a constitutional right to not be fired, well, you're employed at the will and by the good grace of the owners and your boss.

> > Solution: reputation. If the managers don't do the right things, the
> > owners arrange so that the managers lose reputation and won't get hired in
> > the future. Unfortunately the science of reputation is not so advanced
> > that we know this will actually work.
>
> At present venture capitalists seem to rely on the sniff-their-arses
> method. They talk to people and try and get a feel as to whether they
> are planning a robbery. This method is obviously likely to be less
> effectual as businesses move to the net.

And even this is vulnerable to "last round" problems.

> In some businesses we can solve this problem by cryptographic control
> mechanisms, such as open books banking.

I really wish someone would publish a paper on this. (hint hint).

> In others, such as net startups,
> I see no solution other than increased reliance on personal individual
> capital.

Still, vulnerable to last round problems.

> Athenian capitalism worked largely on personal capital. Because of their
> terrible arithmetic system, bookkeeping was really bad, and in consequence
> stock investments tended to go sour. Socrates lost a bundle in this
> fashion, which may explain his lack of enthusiasm for capitalists.

He also made a killing on predicting crops by his knowledge of the weather. Go with what you know. If you aren't a good corporate analyst, that's what mutual fund managers are for.

> > Solution: smart contracts. This is Nick Szabo's idea of building
> > contractual obligations into cryptographic protocols so that the parties
> > have no choice but to fulfil them. But again we don't know whether this
> > will actually work for this problem.
>
> It will work for many particular cases of this problem.

But what happens when there are nuances or circumstances which contracts do not anticipate? This "complete" reliability is also a curse for flexibility which fast moving entities need to survive.

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From alanh at infi.net Sat May 18 12:57:03 1996
From: alanh at infi.net (Alan Horowitz)
Date: Sun, 19 May 1996 03:57:03 +0800
Subject: Past one terabit/second on fiber
In-Reply-To: <199605160409.VAA18751@pacifier.com>
Message-ID:

> >Now that's progress, don't you think?
>
> Yes, I do! Because these activities don't just happen by themselves, they
> take the place of other activities which were formerly done in their place.
> The trivial example of sending letters has been replaced by email.

E-mail is cool. E-mail is lovely. I use it enthusiastically. It is not the same thing as sitting down with a fountain pen and some fine stationery.
I feel sorry for your significant other if your loveletters go by e-mail.

Yes, let's get people away from reading books. Hey, there's computer games to play, burn that library down, will you?

Quantity of life is not the same as quality of life.

From richieb at teleport.com Sat May 18 13:11:42 1996
From: richieb at teleport.com (Rich Burroughs)
Date: Sun, 19 May 1996 04:11:42 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
Message-ID: <2.2.32.19960517170447.00a9b780@mail.teleport.com>

At 07:38 PM 5/16/96 -0500, snow wrote:
[snip]
> No, rich is a good excuse for _not_ doing it, unless it can be
>done with total anonymity. If I set up a remailer, on my home computer, as
>an individual, then I am a very little target. I have nothing (well, damn
>little) for anyone to sue me over. What would be the point? They threaten
>to sue me for what? They would spend FAR more than they could ever get out
>of me, and as long as I don't violate any laws, I _might_ be able to get
>"big guns" like the ACLU, EFF etc. on my side to make it a nasty fight for
>no return.
[snip]

This assumes that they are trying to win. Hubbard said, "The purpose of the suit is to harass..." CoS has a huge legal coffer, and they've used it against people who weren't rich before. They're not after the money from the lawsuits, IMHO -- it's minuscule compared to the amount they make in their bait-and-switch scheme (where they sell people on Dianetics and then lead them down the path to ridiculous OT powers). That's what they're fighting to protect.

From this perspective, the person without money is a much easier target, IMHO -- they don't have the resources to fight back against sustained and intense legal pressure (as well as illegal harassment by PI's and other agents) and will probably cave. That's the return.
Judge Brinkema, in an opinion last November in the "Church's" case against the Washington Post, DGS, and Arnie Lerma, wrote: "The Court finds that the motivation of plaintiff in filing this lawsuit against the Post is reprehensible. Although the RTC brought the complaint under traditional secular concepts of copyright and trade secret law, it has become clear that a much broader motivation prevailed--the stifling of criticism and dissent of the religious practices of Scientology and the destruction of its opponents. L. Ron Hubbard, the founder of Scientology, has been quoted as looking upon law as a tool to [h]arass and discourage rather than to win. The law can be used very easily to harrass and enough harrassment on somebody who is simply on the thin edge anyway, well knowing that he is not authorized, will generally be sufficient to cause his professional decease. If possible, of course, ruin him utterly." CoS are the biggest threat to the remailers right now, and it's a mistake to view their use of the legal system based on how you or I might use it -- their purpose is to crush their opposition by whatever means necessary. They have to handle things that way, because Hubbard said so. Paulette Cooper, whose "crime" was writing a book critical of CoS, had 19 lawsuits filed against her at the same time by the "Church." Your plan would work if tons of people set up remailers, but barring that, rich people are actually worse targets for CoS, IMHO, as they have the resources to fight back, especially if the suit doesn't have any merits. And the support of the "big guns" is definitely dicey -- they've not provided counsel for any defendant in a CoS case, AFAIK. 
Groups like ACLU and EFF don't have the resources to deal with every problem they'd like to, and people shouldn't expect to be rescued by them (you said _might_, I know :) I would encourage anyone who is concerned about the remailers, that doesn't have much info on CoS' legal tactics, to spend some time on alt.religion.scientology or on Ron Newman's excellent web site http://www.cybercom.net/~rnewman/scientology/home.html (he has a ton of info there and you can do Excite searches). I think that if people are not willing to stand up to CoS, the remailers are history. Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From ravage at ssz.com Sat May 18 13:15:37 1996 From: ravage at ssz.com (Jim Choate) Date: Sun, 19 May 1996 04:15:37 +0800 Subject: Remailers & what they get out of it... Message-ID: <199605171909.OAA09791@einstein.ssz.com> Forwarded message: > From: Alex Strasheim > Subject: Re: SEVERE undercapacity, we need more remailer servers FAST > Date: Fri, 17 May 1996 13:18:24 -0500 (CDT) > > The remailer net won't stand up to challenges of any strength because no > one gets anything for running a remailer. It doesn't matter if the > challenges are strong enough to win, or if they ultimately have any merit. > If you don't get anything for winning and you'll get burned if you lose, > the expected value of the game is negative no matter how unlikely losing > is. As long as the remailer is run a 'grins & giggles' affair you are right. The moment they are run as a business enterprise then the game changes. Several of the Austin Cypherpunks and myself have set up a remailer here in Austin (kourier.ssz.com) using MixMaster. 
The intent is that once we get out of testing the software and other mods we are in the middle of we will have a commercially viable service. I am currently discussing with a couple of local lawyers possible strategies we can employ if CoS or others start legal motions. The idea that we are exploring is a defence by offence. One aspect is 'work in progress' protection of both our development mods as well as our customers work. I also hope to build part of the defence on the fact that to bring the remailer down denies access to the public key-server which is integrated into the remailer as a value-added service.

(NOTE: don't waste your time trying to get to kourier over the next few weeks. A more public announcement is in the works)

To me the biggest problem with the crypto work right now is that not enough professionals are involved. If more remailers and such were initiated as a business there would be legal avenues to explore. Also, in this vein is the apparent lack of support for commercial ventures by developers of such apps as MixMaster (whose license explicitly prohibits commercial use).

And for the record, yes, we expect to charge real $$$ for access. Our current plan is $10/month for each account. Money orders preferred. We have at this point pondered e-cash methods but it doesn't seem popular enough at this juncture.

> If you want the remailer system to stand up you have to make the expected
> value positive. The expected value of bookmaking is positive, even though
> it's illegal to take sports bets in most states. As a consequence it's
> not hard to find someone to take a bet. Individual bookies may come and
> go, but the system will always be there. If the expected value of running
> a remailer was positive, the remailer system would thrive even if it was
> illegal to run one.
>
> To make the expected value positive, you have to (a) make it profitable to
> run a remailer, and (b) set up a protocol that gives someone who runs one
> a fighting chance of not getting busted. (a) is easy enough in theory,
> but I don't know how you could do (b), at least not if you wanted to let
> people do public things with the remailers (like post to usenet).
>

I agree with (a) completely. The way to make a remailer profitable is to charge for access.

As to (b), step one is get a lawyer on board from the get go.

One aspect of (b) is that it should be no more illegal for me to allow my users to post to usenet anonymously via my guest account than to do it via a remailer. In fact, one could argue that if anonymous remailers are truly illegal then so are 'guest' or other demo accounts on systems that don't get personal info (and verified at that) prior to accessing any system services. This means that systems such as l0pht.com or ssz.com are illegal to operate.

                                                    Jim Choate

                            \\/////     "Don't have a cow, man"
                            |     |
                           / (.) (.)
===========================oOO==(_)==OOo==========================
Tivoli an IBM company                  CyberTects: SSZ
Customer Support Engineer              SOHO Consulting/VR/Robotics
9442 Capitol of Texas Highway North    1647 Rutland
Suite 500                              #244
Austin, TX 78759                       Austin, TX 78758
Email: jchoate at tivoli.com           Email: ravage at ssz.com
Phone: (512) 436-8893                  Phone: (512) 259-2994
Fax: (512) 345-2784                    Fax: n/a
WWW: www.tivoli.com                    WWW: www.ssz.com
Modem: n/a                             Modem: (512) 836-7374
Pager: n/a                             Pager: n/a
Cellular: n/a                          Cellular: n/a
===================================================================

From ponder at wane-leon-mail.scri.fsu.edu Sat May 18 13:15:55 1996
From: ponder at wane-leon-mail.scri.fsu.edu (P.J. Ponder)
Date: Sun, 19 May 1996 04:15:55 +0800
Subject: key signing at cyberpayments?
Message-ID:

if anyone is attending the cyberpayments conference in Dallas June 17th or so and is interested in PGP key signing, please advise in private mail or to the list. Thank you.
-- pj ponder From stewarts at ix.netcom.com Sat May 18 13:16:43 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 19 May 1996 04:16:43 +0800 Subject: Any DLL's that handle Public Key Encryption or Key Exchange? Message-ID: <199605172034.NAA11507@toad.com> At 12:40 AM 5/17/96 +1200, pgut001 at cs.auckland.ac.nz wrote: > The second is that if you're in the US you're probably going to run >into legal hassles using this code unless someone wants to do an >alternative RSAREF implementation which you can plug in in place of the >existing RSA code. There's an RSAEURO drop-in clone of RSAREF that's on ftp.ox.ac.uk, so you could write a version of your software that lets Yankees and non-Yankees drop in whichever version is appropriate without worrying about patent or copyright problems. Any* RSAREF system used in the US has the problem that it's limited to the "official" interfaces, which means you can't do fully general RSA without permission. (* There was one RSAREF version that didn't insist on this in its license; don't remember which one.) 
# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus inoculation

From bobpal at cdt.org Sat May 18 13:24:02 1996
From: bobpal at cdt.org (Bob Palacios)
Date: Sun, 19 May 1996 04:24:02 +0800
Subject: CDT Policy Post 2.19 - 27 Reps Urge President to Abandon Key-Escrow Encryption Policy
Message-ID:

-----------------------------------------------------------------------------
The Center for Democracy and Technology                  Volume 2, Number 19
----------------------------------------------------------------------------
A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
CDT POLICY POST Volume 2, Number 19                             May 17, 1996

CONTENTS: (1) 27 Representatives Urge President Clinton to Abandon
              Key-Escrow Encryption Policy
          (2) Join Sen Leahy At HotWired, Wed 5/22 to Discuss His Crypto Bill
          (3) Subscription Information
          (4) About CDT, contacting us

** This document may be redistributed freely with this banner intact **
Excerpts may be re-posted with permission of
-----------------------------------------------------------------------------

(1) 27 REPRESENTATIVES URGE PRESIDENT CLINTON TO ABANDON KEY-ESCROW POLICY

A bi-partisan group of 27 Congressmen, led by Reps. Bob Goodlatte (R-VA) and Tom Campbell (R-CA) on Wednesday (5/15) sent a letter to President Clinton urging the President to abandon the Administration's key-escrow encryption proposal and "instead immediately liberalize export controls on non-key escrow encryption technology."

Expressing "serious concerns" about the impact of current U.S.
encryption policy on individual privacy and US competitiveness, the bi-partisan group wrote: "The ability of companies and individuals to ensure that the information they send over communications and computer networks is secure is a prerequisite to exploiting the potential of the Global Information Infrastructure." The letter was signed by several prominent members from both parties, including Bob Goodlatte (R-VA), Tom Campbell (R-CA), Anna Eshoo (D-CA), Rick Boucher (D-VA), Bob Barr (R-GA), Pat Schroeder (D-CO), Carlos Moorehead (R-CA), and 20 other members. The bi-partisan call to President Clinton to abandon the Administration's key escrow policy is yet another encouraging sign of increasingly strong Congressional support for reform of US encryption policy. Congress is currently considering several bills designed to encourage the widespread availability privacy-protecting technologies for the Internet by lifting export controls on strong encryption: * HR 3011, the "Security and Freedom Through Encryption (SAFE) Act of 1996", sponsored by over 30 members including Reps Goodlatte (R-VA), Campbell (R-CA), Eshoo (D-CA), Boucher (D-VA). * S. 1726, the "Promotion of Commerce On-Line in the Digital Era (Pro- CODE) act of 1996, sponsored by Senators Burns (R-MT), Leahy (D-VT), Pressler (R-SD), Dole (R-KS), Wyden (D-OR), and Murray (D-WA) * S. 1587, the "Encrypted Communications Privacy Act of 1996", also sponsored by Senators Burns and Leahy. Hearings on HR 3011 (Rep Goodlatte's bill) and the Burns/Leahy S. 1726 (Pro-CODE) are expected in June. INTERNET SECURITY DAY - A NATIONAL DISCUSSION ON THE NEED TO REFORM US ENCRYPTION POLICY In July, CDT and over 25 other organizations will hold a daylong education event in California's Silicon Valley in July. The "Internet Security Day" will bring together industry leaders, members of Congress, encryption experts, and others to discuss the need to reform US encryption policy. 
Similar events, to be held throughout the US and on the Net, are also being planned. Sponsors of the event include the Voters Telecommunications Watch (VTW), EFF, Americans for Tax Reform, AT&T, Pacific Telesis, America Online, Netscape, the Business Software Alliance, the Software Publishers Association, and several others. FOR MORE INFORMATION ON THE ENCRYPTION POLICY DEBATE & TEXT OF THE LETTER Background information on the encryption policy debate, full text of the various legislative proposals, detailed analysis, the text of the Goodlatte/Campbell letter, information on the July Silicon Valley event, and transcripts from online appearances by Senators on the Encryption issue, can be found at CDT's Cryptography Issues Page: URL:http://www.cdt.org/crypto/ Or at the Encryption Policy Resource Page: URL:http://www.crypto.com/ --------------------------------------------------------------------- (2) SENATORS GO ONLINE TO DISCUSS PRIVACY AND SECURITY ONLINE Senator Patrick Leahy (D-VT), the "Senior Senator from Cyberspace", ardent proponent of Net.Freedom and co-sponsor of 2 bills to repeal encryption export controls, will hold an online "town meeting" on Wednesday May 22 to discuss privacy and security online. DETAILS ON THE EVENT * Wednesday May 22, 4 - 5 pm ET (1 pm Pacific) on HotWired URL: http://www.hotwired.com/wiredside/ To participate, you must be a registered HotWired member (there is no charge for registration). You must also have RealAudio(tm) and a telnet application properly configured to work with your browser. Please visit http://www.hotwired.com/wiredside/ for information on how you can easily register for Hotwired and obtain RealAudio. 
Wednesday's town meeting is another in a series of planned events, and is part of a broader project coordinated by CDT and the Voters Telecommunications Watch (VTW) designed to bring the Internet Community into the debate and encourage members of Congress to work with the Net.community on vital Internet policy issues. Events with other members of Congress working on Internet Policy Issues are currently being planned. Please check http://www.crypto.com for announcements of future events ------------------------------------------------------------------------ (3) SUBSCRIPTION INFORMATION Be sure you are up to date on the latest public policy issues affecting civil liberties online and how they will affect you! Subscribe to the CDT Policy Post news distribution list. CDT Policy Posts, the regular news publication of the Center For Democracy and Technology, are received by more than 9,000 Internet users, industry leaders, policy makers and activists, and have become the leading source for information about critical free speech and privacy issues affecting the Internet and other interactive communications media. To subscribe to CDT's Policy Post list, send mail to policy-posts-request at cdt.org with a subject: subscribe policy-posts If you ever wish to remove yourself from the list, send mail to the above address with a subject of: unsubscribe policy-posts ----------------------------------------------------------------------- (4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. The Center's mission is to develop and advocate public policies that advance democratic values and constitutional civil liberties in new computer and communications technologies. 
Contacting us:

General information: info at cdt.org
World Wide Web: URL:http://www.cdt.org/
FTP URL:ftp://ftp.cdt.org/pub/cdt/

Snail Mail: The Center for Democracy and Technology
1634 Eye Street NW * Suite 1100 * Washington, DC 20006
(v) +1.202.637.9800 * (f) +1.202.637.0968

-----------------------------------------------------------------------
End Policy Post 2.19 5/17/96
-----------------------------------------------------------------------

From snow at smoke.suba.com Sat May 18 13:33:00 1996
From: snow at smoke.suba.com (snow)
Date: Sun, 19 May 1996 04:33:00 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
In-Reply-To:
Message-ID:

On Wed, 15 May 1996, Black Unicorn wrote:
>
> I would really like to see a remailer that is somehow blinded.
> I don't know enough about how mail paths are generated, but is it
> impossible to conceal the origin of remailer postings?
> Postings made to remailernym at alpha.c2.org would be spit out somewhere but
> without accountability?
>
> Impossible? Would do wonders defeating traffic analysis.
>
> I'd consider running a remailer, but after listening to the response to
> the anonymous poster a while back, it sounds like there are few if any
> simple options which do not require major time and effort to setup and
> run.

I was thinking about this last night, hence my question about running
mixmaster under Xenix (or Minix for that matter).

How about this as an idea: Get a few (3 to 5) accounts in a high density
market (i.e. lots of ISPs locally) set up a unix machine on a cheap
machine. Have the anon messages get sent to the pop accounts. Once an hour
(or less depending on budget) have the unix box poll the different pop
accounts, mix the messages, and resend them the next hour.
This could be further obfuscated by batching the messages up and posting a
whole chunk of messages to a different similar remailer elsewhere, or by
just plopping an encrypted tar'd file on a ftp site where another remailer
grabs them and splits and remails them.

Petro, Christopher C.
petro at suba.com
snow at crash.suba.com

From froomkin at law.miami.edu Sat May 18 13:34:15 1996
From: froomkin at law.miami.edu (Michael Froomkin)
Date: Sun, 19 May 1996 04:34:15 +0800
Subject: (legal) Re: CDA Dispatch #10: Last Day in Court
In-Reply-To:
Message-ID:

On Wed, 15 May 1996, Declan B. McCullagh wrote:

> Speaking of appeals, I've been thinking about what happens with the CDA.
> Okay, so we have two court cases going on, the Shea v. Reno case in NYC
> and the coalition lawsuits combined in Philly.
>
> What happens if the DoJ loses both the NYC and Philly cases and (as they
> said they would) appeals to the Supreme Court. Won't they take the
> weaker of the two cases, which is Shea's?

If they lose they are almost certain to appeal both cases. If they don't
appeal a loss, it means that plaintiffs won, i.e. get what they asked for.
The government isn't going to sit still for that while another case is
proceeding.

>
> And what happens if we win but Shea loses -- does the DoJ appeal in
> Philly and Shea appeals in NYC?
>

No problem with two sides each appealing different verdicts to the supreme
court. That's what it's for - to sort things out and make the circuits
consistent.

> If we lose, does our appeal automatically go to the Supreme Court? The
> language in the statute is unclear here -- it only specifies what
> happens when the law is declared unconstitutional. But if it isn't,
> can't the DoJ argue that our appeal should go to the Third Circuit
> instead?

Sorry, I don't recall the language well enough and I'm on the road. I
thought it went to the Supremes no matter what; that's the usual practice,
but I could be wrong.
there is a procedure for by-passing the Court of Appeal in urgent cases. Also, if one case is on a slow track and the other one is on a fast track, there are procedures for getting involved, at least as amici, in the fast track case. [I am away from Miami from May 8 to May 28. I will have no Internet connection from May 22 to May 29; intermittent connections before then.] A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm there. From tcmay at got.net Sat May 18 13:43:06 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 19 May 1996 04:43:06 +0800 Subject: Past one terabit/second on fiber Message-ID: At 11:08 PM 5/15/96, E. ALLEN SMITH wrote: > One problem with the development of such high-end technologies is that >they tend to increase economies of scale to the point where it's impractical to >have anything but a monopoly or ogliopoly. As well as concerns about the degree >of control such an organization may be able to exert in and of itself (acting >like a government, in essence), there's also that such an organization is >easier to pressure than a lot of small providers. Anyone have a suggested >solution, or reasons that I shouldn't be so worried? Personally, I'm not terribly worried by such concentrations (for reasons I'll mention at the end). But I'll note that Eric Fair's recent post described the far-from-geodesic traffic situation, with a relatively small number of "super-nodes" (like "MAE-West" and her sisters) handling huge fractions of traffic. These super-nodes are obvious points of attack (in the nuclear war--or terrorist--scenario oft-cited as the motivation for packet-switching) and lessen the "geodesic" nature of the Net. Economies of scale may be pushing us away from the "full-distributed" geodesic nature toward super-nodes. 
The reason I am not really too worried is that encryption and remailers allow a kind of "meta-geodesic" network to be (virtually) layered on top of the physical network. (In the famous network hierarchy of network levels, it seems we can add a new level.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From unicorn at schloss.li Sat May 18 14:00:52 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 19 May 1996 05:00:52 +0800 Subject: Senator, your public key please? In-Reply-To: Message-ID: On Sat, 18 May 1996, t byfield wrote: > 6:01 PM +0200 5/16/96, Black Unicorn: > > > Secondly, the Ethics Committee was very interested in the issue. As of > > now they have ruled that "exchanging" PGP signatures is an "exchange in > > kind" and an ethics violation. Ms. Howell expressed exasperation over > > this lunacy, but put it much this way: "No, you guys don't understand > > what the issues are here, but I don't have 3 hours to explain it all to > > you either." Apparently the ethics committee is concerned that a > > signature from Leahy's key will constitute some sort of endorsement and the > > "you sign mine and I'll sign yours" looks like influence peddling. > > And, in fact, according the general outlines of the "reputation" > schemes advanced hereabouts, they're right: that's why they call it > "reputation _capital_," mais oui? Well, this depends on what we assume a signature does. 
> There's no reason that webs of trust of well-signed keys couldn't be
> very fluidly incorporated into patronage networks, for example, or that
> their incorporation would affect network dynamics in any notable way. One
> doesn't need to understand political theory or economy in any analytical
> sense to become part of a patronage network, and one doesn't need to
> understand cryptography to know what a key is vaguely enough to be swayed
> by someone waving a "well-signed" key around--in fact, _not_ understanding
> cryptography will lead people to be wowed by such keys.

I'm not sure I agree with this "mysticism" of key signatures. The Senator
can sign an autograph if he likes, why not a key?

> Most people don't
> understand cryptography, and most will continue not to understand it. So in
> the pristine realm of mathematics, the Ethics Committee may be wrong, but
> in the real world of sloppy thinking they're basically right. Basically.

"They are corrected because everyone else is an idiot." Is that about the
thrust of your argument? While technically it may have some merit, I think
it's highly dangerous to legislate and regulate based on assumptions about
what people _may_ think.

> If my key was signed _only_ by the CEOs of the top 10 Fortune 500
> companies, a few dozen heads of state, bigwig spooks from around the
> world, the pope and a dozen cardinals, it's not too hard to imagine how I
> could open a few doors with that key--and make a buck or two in the process.

This depends on the interpretation of the meaning of signature.

> After all, Uni, what _does_ a signature signify? You were asking some
> very pointed questions about that quite recently.

Precisely, and in the absence of an answer to this question which is more
substantial I think assuming that Senators and CEO's intended to vouch for
your financial or character reputation is stretching it a bit.

But hey, I'm not on the Ethics Committee.
>
> Ted
>
>
>

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From llurch at networking.stanford.edu Sat May 18 14:24:56 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sun, 19 May 1996 05:24:56 +0800
Subject: Forced to your knees by Legal VIOLENCE
In-Reply-To: <199605180030.RAA06625@netcom11.netcom.com>
Message-ID:

On Fri, 17 May 1996, Dave Harman wrote:

> IMHO, the IDEAL remailer is the following:
>
> What CAN be done right now, with anyone with linux and shell unix,
> account paid by fake name/address with postal money order,
> is have the linux machine dial up the account, several times a day,
> process the mailbox, download the mail, process the mail with pgp or
> mixmaster, upload to account, post/email with the appropriate
> header lines and VOILA!!
>
> !!!!!!!!!! FULL FEATURED HACKTIC STYLE REMAILER !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> Unfortunately I DON'T know how to DO any of this.
> Isn't someone else want to crank something out and share?
> Post around instructions for the clueless to follow.

Actually, you can be even more clueless than that and still run a
remailer, pretty much as you describe. See:

http://www.c2.org/~winsock/

But that requires MicroSnot software rather than Linux, and of course,
your ISP is liable to shut you down, without notice, as soon as they
realize what you're doing. The service location and survivability problems
remain.

The POP/SMTP remailer idea has a lot of promise for prospective remailer
operators who are clueless and/or lack a full-time net connection, but you
still need to be upfront with your ISP about the fact that you're running
a remailer. The best ISPs will let you.
I'm quite impressed with Portal (or does Hal have something on them?), but I doubt Netcom would let you into the remailer racket. c2.org, of course, has enough remailers on it already, but I did play with the WinSock Remailer for a bit. It should be quite trivial to hack something like it together for Linux. Just run fetchmail or whatever as a POP client, pipe the mail spool to your mixmaster, and SMTP away. -rich http://www.almanac.bc.ca/cgi-bin/ftp.pl?people/m/metzger.tom http://www.almanac.bc.ca/cgi-bin/ftp.pl?orgs/american/war http://www.free.cts.com/crash/m/metzger/ From vznuri at netcom.com Sat May 18 14:25:53 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sun, 19 May 1996 05:25:53 +0800 Subject: The Crisis with Remailers In-Reply-To: Message-ID: <199605171738.KAA05800@netcom9.netcom.com> so list attention turns once again to a looming remailer "crisis"... where are there so few remailers? the reasons are pretty obvious. these problems have been transparently apparent from the very beginning. 1. there is no economic incentive. as soon as there is a good economic incentive to run remailers, you will see them proliferate. but currently they have no virtually no value to the creator. it's like building a house for other people to live in out of humanitarianism. note that with web pages, you are buying free publicity for your company. but in fact you are typically buying yourself *negative* publicity by running a remailer. what is the current incentive to run remailers? answer: adulation by other cypherpunks. hmmm, not necessarily all that motivating to very many. 2. there is no good way to deal with spams or other so-called "abuse" I commend the remailer operators for starting a mailing list to deal with spam. but the solution remains essentially "stop spam by hand". spammers still have the ability to be a serious threat to the network. this has been a threat from the beginning and has never been resolved. 
note that "spam avoidance" is a very, very difficult problem that plagues far more than remailers, such as mailing lists and usenet. but it is particularly acute with remailers. 3. liability there is a lot of liability to the operator of a remailer, and again, this risk is totally unsupportable from their current returns (nil). Hal Finney recently suggested restricting posts from remailers to avoid copyright liability. this will limit the liability and risk but does not totally remove it. 4. no need for a network in fact there is not really a need for a remailer network on one level. there is only a need if the service is not available. why is there only one anon.penet.fi? well, because of the above reasons, and also by the fact that only one is sufficient to serve all of cyberspace, virtually. what I mean is that there is easily enough traffic to justify another anon.penet.fi type remailer, but it's not totally critical (i.e. to the point that someone puts their resources where their mouth is) as long as anon.penet.fi is running. 5. etc. == if people want to know why remailers haven't proliferated in the same way that other cyberspace infrastructure has in the past, such as news servers and web sites, you have to focus on the above issues. remailers are NOT like other cyberspace services. they are a tremendous burden to run, instead of being of high use to the maintainer (even though they don't generate cash) in the way a web page or usenet server is. the main problem, getting cash for the service, is slowly dissolving to the point that it will not be an obstacle. I predict that remailers (and many other unusual services) may begin to proliferate at that point-- but not as much as other areas of cyberspace such as the web. remailers are always going to be plagued by the other problems I mentioned above unless some really brilliant genius comes along to solve what seems to be the unsolvable. 
another tact the cypherpunks might take to get anonymity into the cyberspace infrastructure is to target forum architecture. instead of trying to create remailers that "feed into" other networks, why not build in remailers into those networks themselves? I am thinking of the way NNTP could be a massive anonymous remailer network, and that in fact it was once but that this was purposely designed against in the protocol (preventing people from anonymously submitting articles to NNTP hosts). I propose that as long as there are serious elements involved in building up cyberspace that are hostile to anonymity, you are not going to see it flourish in the way other services have. it seems to me the major obstacles to widespread anonymity are perceptual, not technological. if people can find a way to handle the above issues and still provide anonymity, it will spread. otherwise, I doubt it will ever become very "mainstream". perhaps the above problems are intrinsic to anonymity, which would be a pity in my view. BTW, TCM laments that he hasn't seen master's thesis on remailers. I consider Lance Cottrell's mixmaster work to be really on that level, and highly commendable. LC has really advanced remailer technology by tremendous leaps and bounds since putting his mind to it. also Levien's remailer page is another very outstanding service. it is possible that all the real research into remailers is being done at the NSA seriously, though, I think cpunks have an opportunity to do some introspection here. it seems a pretty good rule in cyberspace that "cool and useful services flourish and grow". witness Usenet and the web. why haven't the cpunks been able to tap into that kind of exponential force with remailers? the problems are not merely technological. I would say the technological problems associated with the remailers are the most straightforward to solve. its the complex social issues that are seemingly insurmountable. 
I really believe that if anyone wants to get more anonymity in cyberspace, they must deal head on with the sociological "anonymity taboo" in society. why is there a taboo in society against anonymity? could it be there are some good reasons for it? is it possible to create a "socially acceptable" anonymity? of course this line of thinking is going to be utterly repulsive to some on this list, but I contend it is essential to remailer growth strategy. of course if people don't want remailers to ever go "mainstream" anyway, well then there is no problem. the remailer network still has an "underground" feeling to it and perhaps that will always be part of its draw, and its actual structure. From stewarts at ix.netcom.com Sat May 18 14:30:01 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 19 May 1996 05:30:01 +0800 Subject: SEVERE undercapacity, we need more remailer servers FAST Message-ID: <199605172034.NAA11515@toad.com> At 06:29 PM 5/15/96 -0400, Black Unicorn wrote: >I would really like to see a remailer that is somehow blinded. >I don't know enough about how mail paths are generatered, but is it >impossible to conceal the origin of remailer postings? One reason for remailers is that concealing message origin is difficult and unreliable, and making smtp servers that include all the information they can find about the origin of a message into the message is easy, so it's tough to lie about where you are. Remailers solve that by removing the header information from messages they receive and shipping out the message body with new headers, so anyone who traces all the "Received:" headers gets pointed to the remailer. >Postings made to remailernym at alpha.c2.org would be spit out somewhere but >without accountability? alpha.c2.org keeps encrypted reply blocks that it can't decrypt; it sends messages to some other remailer that can decrypt them, and only sends messages encrypted. 
That means that anybody who does succeed in stealing or subpoenaing alpha's user information has to go to each of the other remailers it uses for delivery as well - and alpha doesn't have any keys to steal. >I'd consider running a remailer, but after listening to the response to >the anonymous poster a while back, it sounds like there are few if any >simple options which do not require major time and effort to setup and >run. Setting up a remailer is easy, if you've got a Unix machine, and I'd guess that the Winsock Remailer is probably easy for Windows. If you don't support mail-to-news yourself, and you block mail to other mail-to-news gateways, you cut out lots of flame potential, which keeps the work of running it fairly low. (My remailer is based on ghio2, which has traps to detect high-volume spam, which has shut it down a couple of times. Cleaning them up is annoying.) You do need to stay on remailer-operators at c2.org to get notices of individuals who are being spammed or harassed so you can block mail to them, but that's typically 5-10 minutes/week. If you've got a Unix machine, you can also do a web-based remailer easily (users fill out a form with their mail, which goes to a CGI script.) If you're willing to use somebody else's script, e.g. replay.com, you can just put up the web page anywhere and won't need Unix, and they can handle most of the spam-blocking. This isn't very secure unless you're using SSL or other secure HTTP protocol, which I don't think any of the current web-remailers do. Some folks have put advertising on their remailer pages, which starts to be one economic model that can encourage people to run them, if you can find advertisers who _want_ the image this gives them. 
(This is fine for c2.org and maybe Digicash banks or tax-haven consultants, some political ranters, and maybe phone-sex or other services that don't have to worry about lowered reputations if somebody uses the remailer to spam the alt.sex newsgroups with phone-sex ads :-) # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 # goodtimes signature virus innoculation From drosoff at arc.unm.edu Sat May 18 14:37:34 1996 From: drosoff at arc.unm.edu (David Rosoff) Date: Sun, 19 May 1996 05:37:34 +0800 Subject: Why is hacktic going down? Message-ID: <199605160225.UAA27876@laguna.arc.unm.edu> Does anyone know the reasons for the shutting down of the hacktic remailer? And also, are the other remailers at utopia.hacktic.nl going down with the remailer at remailer at utopia.hacktic.nl? Thanks David From dlv at bwalk.dm.com Sat May 18 14:38:43 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 19 May 1996 05:38:43 +0800 Subject: The Crisis with Remailers In-Reply-To: <199605171738.KAA05800@netcom9.netcom.com> Message-ID: "Vladimir Z. Nuri" writes: > 1. there is no economic incentive. So, add the code to mixmaster (and even the old style remailers) to collect e-cash as it passes on the anonymous message. Then this will be a good way to accumulate some e-cash, and a number of people will try running remailers for this very purpose. Witness the recent Usenet spam by someone advertizing a for-pay remailer. > 2. there is no good way to deal with spams or other so-called "abuse" Nor should there be. What's one person's abuse is another person's free speech. Internet traffic should not be censored based on contents. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From tcmay at got.net Sat May 18 14:45:53 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 19 May 1996 05:45:53 +0800 Subject: Is Chaum's System Traceable or Untraceable? 
Message-ID: At 6:35 PM 5/17/96, jim bell wrote: >At 10:09 AM 5/16/96 +0200, bryce at digicash.com wrote: >>Let me get this straight. You are asking for full payee/payor >>anonymity so that you can institute a program of anonymous >>assassination contracts, right? > >It's not just for me. I seem to recall a comment around here (Tim May, >perhaps?) who said that when he first read of digital cash in the late >1980's, the feature of payee anonymity was present, and that he was >surprised later to see early implementations not containing this. Yes, this was I (or "me"). I first read of Chaum's work in late '85, in his CACM article, and then "rediscovered" it when I was doing some review work for Phil Salin's AMIX information market startup in 1987. Certainly the text of Chaum's articles implied both payer and payee anonymity, though certain details may've been unclear to some of us. When Chaum unveiled his "payer is anonymous, but payee is traceable," some of us were surprised. (On the other hand, I have had a longstanding faith that the system can be made to be both payer- and payee-anonymous. Moneychangers, for example.) >Deal with the devil? > >Any "complete" digital cash implementation has to provide for payee anonymity. > I agree with Jim Bell on this completely. I don't know if Chaum has been seduced by the Dark Side, or is looking to get digicash widely deployed by "respectable" institutions, or is telling the truth (that his system _never_ provided for real untraceability), but I know that Cypherpunks should always strive for full untraceability. One-sided traceability is not enough. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. 
May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From wlkngowl at unix.asb.com Sat May 18 14:52:47 1996 From: wlkngowl at unix.asb.com (Mutatis Mutantdis) Date: Sun, 19 May 1996 05:52:47 +0800 Subject: NOISE.SYS Info Distribution List Message-ID: <199605160708.DAA29012@unix.asb.com> I've set up a distribution list for NOISE.SYS. If you want to receive periodic announcements about new versions, bugs, related utilities, etc., reply to with the subject "add noise.sys-list" (NOISE.SYS is a crypto-quality RNG device for MS-DOS, similar to the random.c implementation for Linux. The latest version is 0.5.6-Beta.) Rob (aka "Deranged Mutant") From jimbell at pacifier.com Sat May 18 15:12:13 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 19 May 1996 06:12:13 +0800 Subject: Senator, your public key please? Message-ID: <199605181633.JAA09614@newmail.pacifier.com> At 12:01 PM 5/16/96 -0400, Black Unicorn wrote: > >Secondly, the Ethics Committee was very interested in the issue. As of >now they have ruled that "exchanging" PGP signatures is an "exchange in >kind" and an ethics violation. Ms. Howell expressed exasperation over >this lunacy, but put it much this way: "No, you guys don't understand >what the issues are here, but I don't have 3 hours to explain it all to >you either." Apparently the ethics committee is concerned that a >signature from Leahy's key will constitute some sort of endorsement and the >"you sign mine and I'll sign yours" looks like influence peddling. > >Part of the problem was that several politically oriented groups >approached Leahy's office and descended like vultures on a carcass, >all of them wanting to certify his key. 
>
>No signing from Senator's keys for the time being. She said the ethics
>committee went so far as to prohibit them from soliciting signatures from
>others as well. Her conservative (and reasonable) interpretation was that
>she couldn't hand over a fingerprint of the key for signing purposes.
>
>As things stand now Ms. Howell intends to try and educate some of the key
>Ethics members over the August break and have a decent signing policy
>after the break itself.
>
>Welcome to the hill.

Gee, isn't it too bad that nobody has thought of a solution for all these
politician-problems? B^)

Jim Bell
jimbell at pacifier.com

From adam at lighthouse.homeport.org Sat May 18 15:13:04 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Sun, 19 May 1996 06:13:04 +0800
Subject: distributed keys
In-Reply-To: <199605151447.OAA17650@rebound.slc.unisys.com>
Message-ID: <199605181807.NAA01201@homeport.org>

Since no one seemed to mention them, check out Photuris and SKIP.
Both are key management proposals for IPsec.

Adam

Matt Smith wrote:
|
|
| Has anyone heard of an algorithm for managing keys automatically in a
| distributed system?
|
| For instance, if some low level security were to be implemented in
| a networking stack where authentication was to be implemented, you would want
| to have each node have its own signature so that signature checking can
| take place when one node connects to another node. The trick is then
| getting every node's keys distributed to every other node.
|
| Here are some ideas that I had, but neither is very desirable:
|
| - Manual distribution. User configures every node's key into every node.
|   Configuration becomes a major hassle and mistakes are a pain to debug.
|   An advantageous side effect is the user can configure which machines can
|   talk to which machines if they're feeling particularly fascist.
|
| - At connection time, each node determines whether or not it has the other
|   node's key. If not, a symmetric key is generated via DH and public keys
|   are exchanged. The problem comes in if someone is spoofing the machine
|   to begin with. Then you'll have the wrong public key. Chicken, egg.
|   Egg, chicken.
|
| - Having a certifying node which every other node has the public key to and
|   who has everyone else's public key. Requests are made of this server.
|   The trick is making this server secure and forcing the user to devote
|   resources to this endeavour.
|
| Thoughts?
|
| --
| Matt Smith - msmith at unislc.slc.unisys.com
| "Nothing travels faster than light, with the possible exception of bad news,
| which follows its own rules." - Douglas Adams, "Mostly Harmless"
| Disclaimer: I came up with these ideas, so they're MINE!
|

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From jf_avon at citenet.net Sat May 18 15:33:41 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Sun, 19 May 1996 06:33:41 +0800
Subject: Why the Poor are Mostly Deserving of their Fate
Message-ID: <9605181737.AB07651@cti02.citenet.net>

On 18 May 96 at 4:30, Duncan Frissell wrote:

> 1) get a high school diploma
> 2) get married
> 3) get any job
>
> Only about 2 tenths of 1% of those who satisfy those three
> requirements incomes below the official poverty line.

> I try and keep in mind that 80-90% of the "take" in government
> programs for the "poor" goes to unpoor government employees.

> DCF

Hi DCF.

Can you please tell me where I can get such kind of information? Is there
any databank of such facts? Would be great fun to have!

Regards!

JFA

DePompadour, Societe d'Importation Ltee; Limoges porcelain, silverware and crystal
JFA Technologies, R&D consultants; physicists, technologists and engineers.

PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891

Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have
accepted the above mentioned terms.
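Added example (not part of any message in this archive): a sketch of the first two options in Matt Smith's question, quoted in Adam Shostack's reply above, comparing manually configured keys with keys learned at first connection. The keys are constructed random byte strings standing in for real public keys, `KeyStore` and its methods are hypothetical names, and the out-of-band `confirm` step is an assumption added here rather than something proposed in the thread.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of a peer's public key (keys are opaque bytes here)."""
    return hashlib.sha256(public_key).hexdigest()


class UnknownPeer(Exception):
    """No key on file and learning on first contact is disabled."""


class KeyMismatch(Exception):
    """The presented key differs from the one already on file."""


@dataclass
class KeyStore:
    """Per-node table of peer key fingerprints (hypothetical helper)."""
    learn_on_first_contact: bool
    pins: dict = field(default_factory=dict)       # node name -> fingerprint
    unverified: set = field(default_factory=set)   # learned, never confirmed

    def configure(self, node: str, public_key: bytes) -> None:
        """Manual distribution: an administrator installs the peer's key."""
        self.pins[node] = fingerprint(public_key)
        self.unverified.discard(node)

    def check(self, node: str, presented_key: bytes) -> str:
        """Decide whether to accept the key a peer presents at connection time."""
        seen = fingerprint(presented_key)
        known = self.pins.get(node)
        if known is None:
            if not self.learn_on_first_contact:
                raise UnknownPeer(node)
            # First contact: nothing to compare against, so whatever key
            # arrives is stored. This is the chicken-and-egg gap.
            self.pins[node] = seen
            self.unverified.add(node)
            return "learned"
        if not hmac.compare_digest(known, seen):
            raise KeyMismatch(node)
        return "match"

    def confirm(self, node: str, fingerprint_out_of_band: str) -> bool:
        """Compare a learned key with a fingerprint obtained over another channel.

        A learned key that fails the comparison is dropped.
        """
        ok = hmac.compare_digest(self.pins.get(node, ""), fingerprint_out_of_band)
        if not ok:
            self.pins.pop(node, None)
        self.unverified.discard(node)
        return ok


def attempt(store: KeyStore, node: str, key: bytes) -> str:
    """Run one connection attempt and report the outcome as a string."""
    try:
        return store.check(node, key)
    except (UnknownPeer, KeyMismatch) as exc:
        return type(exc).__name__


def run_scenarios() -> dict:
    genuine = os.urandom(32)   # constructed stand-in for node B's real public key
    spoofed = os.urandom(32)   # constructed stand-in for an impostor's key

    manual = KeyStore(learn_on_first_contact=False)
    manual.configure("node-b", genuine)
    learn_clean = KeyStore(learn_on_first_contact=True)
    learn_spoofed = KeyStore(learn_on_first_contact=True)

    results = {
        "manual_genuine": attempt(manual, "node-b", genuine),
        "manual_spoofed": attempt(manual, "node-b", spoofed),
        "manual_unconfigured": attempt(manual, "node-c", genuine),
        "first_contact_genuine": attempt(learn_clean, "node-b", genuine),
        "later_spoofed": attempt(learn_clean, "node-b", spoofed),
        # The impostor answers the very first connection, so its key is stored
        # and the genuine node is the one that gets rejected afterwards.
        "first_contact_spoofed": attempt(learn_spoofed, "node-b", spoofed),
        "genuine_after_spoof": attempt(learn_spoofed, "node-b", genuine),
    }
    results["confirm_rejects_spoof"] = not learn_spoofed.confirm(
        "node-b", fingerprint(genuine))
    results["relearn_after_confirm"] = attempt(learn_spoofed, "node-b", genuine)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Learning at first contact detects every later key change but cannot tell which party answered the first connection; the manual table has no such gap, at the configuration cost the question describes.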

From hendersn at zeta.org.au Sat May 18 15:41:28 1996
From: hendersn at zeta.org.au (Zed)
Date: Sun, 19 May 1996 06:41:28 +0800
Subject: NOTS posted to alt.religion.scientology
Message-ID: <199605181653.CAA08185@godzilla.zeta.org.au>

>Maybe this is about something else (the NOTS materials), or
>maybe the threat of legal action was enough to do Hacktic in, despite what
>would seem to be a favorable precedent.

It wasn't the Fishman Affidavit that was posted - it was the NOTS materials.
The Affidavit material has been in a public court record for some years now,
and was an important factor in the favourable Dutch ruling. The NOTS have
never been subject to public scrutiny. In fact, the Church claims them as
trade secrets as well as copyrighted materials. That may or may not have
changed now that the NOTS have been viewed by who knows how many people.

>It's not clear to me that Scientology is only concerned about copyrighted
>material. That's what they claim, but then Hubbard said, "The purpose of
>the suit is to harass..." Copyrights became the issue, IMHO, because they
>have some legal ground to stand on there.

Damn right!

>
>I think their goal is to make all their Net critics come out into the
>open, and they're willing to use the legal system as a pawn towards that
>goal. You can't threaten or intimidate anon posters as easily. You can't
>send your private investigators to harass them and their families.

The Church dislikes anonymous remailers intensely, despite exploiting their
advantages themselves. The few comments that their PR reps have made indicate
that the Church wants some way of stripping someone's anonymity away if they
"abuse" this anonymity. I dislike that idea intensely. Everyone remember
anon.penet.fi?

>I appreciate the incredibly difficult position that all of this puts
>remailer operators in, but I don't think CoS will be satisfied with just
>stopping anon Usenet posts. IMHO, they more likely want the remailers gone,
>altogether. Don't believe that this is about copyrights, just because
>they say it is.

Like it or not, posting the NOTS _is_ a violation of copyright. While many
people think the Church of $cientology is abusing Intellectual Property laws
in order to keep their secret materials secret, the remailers have the
ability to violate _anyone's_ copyrights. I can imagine a scenario in which
the NSA starts spamming wholesale copyrighted works anonymously in order to
give the Government a compelling reason to legislate against anonymous
remailers.

>Rich

Zed(hendersn at zeta.org.au)
"Don't hate the media, become the media" - Jello Biafra
PGP key on request


From jamesd at echeque.com Sat May 18 15:46:31 1996
From: jamesd at echeque.com (jamesd at echeque.com)
Date: Sun, 19 May 1996 06:46:31 +0800
Subject: anonymous companies
Message-ID: <199605181709.KAA20680@dns2.noc.best.net>

>> At 06:42 PM 5/16/96 -0700, Wei Dai wrote:
>> > I'll just give one problem: the principal-agent problem. How do owners of
>> > the company make sure the managers operate the company in their best
>> > interest?

>On Fri, 17 May 1996 jamesd at echeque.com wrote:
>> Actually looting of companies happens a lot right now today, and very
>> seldom leads to criminal charges. Twice I have lost a job because the
>> company I worked for went under, apparently due to looting.

At 08:37 AM 5/18/96 -0400, Black Unicorn wrote:
> Be careful to distinguish "owner" from "employee." All too common a
> mistake I fear.

> Until someone passes a constitutional right to not be fired, well, you're
> employed at the will and by the good grace of the owners and your boss.

I was of course referring to looting by the management, not the shareholders,
as should have been obvious from context.

>> In others, such as net startups,
>> I see no solution other than increased reliance on personal individual
>> capital.

>Still, vulnerable to last round problems.

Reread: Your above statement makes no sense in context.
 ---------------------------------------------------------------------
                                       |
We have the right to defend ourselves  | http://www.jim.com/jamesd/
and our property, because of the kind  |
of animals that we are. True law       | James A. Donald
derives from this right, not from the  |
arbitrary power of the state.          | jamesd at echeque.com


From bryce at digicash.com Sat May 18 15:48:28 1996
From: bryce at digicash.com (bryce at digicash.com)
Date: Sun, 19 May 1996 06:48:28 +0800
Subject: two people
Message-ID: <199605181717.TAA01827@digicash.com>

-----BEGIN PGP MESSAGE-----
Version: 2.6.2i
Comment: Auto-encrypted under Unix with 'BAP' Easy-PGP v1.1b2

-----END PGP MESSAGE-----


From jimbell at pacifier.com Sat May 18 15:49:07 1996
From: jimbell at pacifier.com (jim bell)
Date: Sun, 19 May 1996 06:49:07 +0800
Subject: CDT Policy Post 2.19 - 27 Reps Urge President to Abandon Key-Escrow Encryption Policy
Message-ID: <199605181744.KAA10141@newmail.pacifier.com>

At 03:35 PM 5/17/96 -0400, Bob Palacios wrote:
> CDT POLICY POST Volume 2, Number 19 May 17, 1996
>
>The bi-partisan call to President Clinton to abandon the
Administration's
>key escrow policy is yet another encouraging sign of increasingly strong
>Congressional support for reform of US encryption policy. Congress is
>currently considering several bills designed to encourage the widespread
>availability of privacy-protecting technologies for the Internet by lifting
>export controls on strong encryption:
>
>* HR 3011, the "Security and Freedom Through Encryption (SAFE) Act of
>  1996", sponsored by over 30 members including Reps Goodlatte (R-VA),
>  Campbell (R-CA), Eshoo (D-CA), Boucher (D-VA).
>
>* S. 1726, the "Promotion of Commerce On-Line in the Digital Era (Pro-
>  CODE) act of 1996", sponsored by Senators Burns (R-MT), Leahy (D-VT),
>  Pressler (R-SD), Dole (R-KS), Wyden (D-OR), and Murray (D-WA)
>
>* S. 1587, the "Encrypted Communications Privacy Act of 1996", also
>  sponsored by Senators Burns and Leahy.
>
>Hearings on HR 3011 (Rep Goodlatte's bill) and the Burns/Leahy S. 1726
>(Pro-CODE) are expected in June.

You know, I really would appreciate it if CDT didn't present S1587 as if it
is just another "relax restrictions on encryption" bill. We raked that bill
over the coals, found it seriously flawed, and generally pro-encryption
people don't seem to be defending it at all. It contained many aspects which
have the prospect of future danger to the use of encryption.

And, S. 1726 seems to contain most of the desirable aspects of S.1587, and
few of the negatives. Add to that the fact that Leahy (as described above)
seems to be supporting S. 1726, there is no need to make it appear to an
uninformed person that S. 1587 is anything other than a mistake.

Jim Bell
jimbell at pacifier.com


From shabbir at vtw.org Sat May 18 15:50:21 1996
From: shabbir at vtw.org (Voters Telecommunications Watch)
Date: Sun, 19 May 1996 06:50:21 +0800
Subject: Crypto-News: Congress tells Clinton "Dump key escrow/Clipper schemes" (5/17/96)
Message-ID: <199605171739.NAA29941@panix3.panix.com>

=============================================================================
  ____                  _              _   _
 / ___|_ __ _   _ _ __ | |_ ___       | \ | | _____      _____
| |   | '__| | | | '_ \| __/ _ \ _____|  \| |/ _ \ \ /\ / / __|
| |___| |  | |_| | |_) | || (_) |_____| |\  |  __/\ V  V /\__ \
 \____|_|   \__, | .__/ \__\___/      |_| \_|\___| \_/\_/ |___/
            |___/|_|

TWENTY-SEVEN MEMBERS OF THE HOUSE OF REPRESENTATIVES URGE CLINTON
TO ABANDON KEY ESCROW AND "IMMEDIATELY LIBERALIZE EXPORT CONTROLS
ON ENCRYPTION PROGRAMS AND PRODUCTS"

Date: May 17, 1996

URL:http://www.crypto.com/           crypto-news at panix.com
If you redistribute this, please do so in its entirety,
with the banner intact.
-----------------------------------------------------------------------------
Table of Contents
        News
        Text of letter from House members to President Clinton
        Text of press release from Rep. Goodlatte
        How to receive crypto-news

-----------------------------------------------------------------------------
NEWS

Today a band of twenty-seven House members signed a letter to President
Clinton urging him to abandon key escrow schemes, and immediately
liberalize export controls on encryption programs and products.

The letter argues that "a key escrow approach will not adequately address
security concerns", citing security as a "prerequisite to exploiting the
potential of the Global Information Infrastructure."

Rep. Goodlatte led many of the signatories on the letter to introduce and
cosponsor H.R. 3011, the "Security and Freedom through Encryption (SAFE)
Act" earlier this year, which liberalizes export controls on encryption
products.

Copies of the letter to the President, the press release, and H.R.
3011 can be found on the Encryption Policy Resource Page at http://www.crypto.com/ ----------------------------------------------------------------------------- TEXT OF LETTER FROM HOUSE MEMBERS TO PRESIDENT CLINTON Congress of the United States Washington, DC 20515 May 15, 1996 The Honorable William J. Clinton The White House Washington, D.C. 20500 Dear Mr. President: We are writing to ask you not to proceed with your Administration's key escrow encryption policy proposal and instead to immediately liberalize export controls on non-key escrow encryption programs and products. Many of us have sponsored H.R. 3011, the "Security and Freedom Though Encryption (SAFE) Act" which would ensure the continued ability of Americans to use and sell good encryption and would permit the export of generally available software with encryption capabilities and other such software and hardware under license when certain conditions are met. We understand that the Administration has developed a key escrow encryption proposal and is not at this time willing to ease export restrictions on encryption programs and products which are widely available from domestic and foreign companies and the Internet. We share the concerns of a wide range of businesses and privacy interests that a key escrow approach will not adequately address security concerns. The ability of companies and individuals to ensure that the information they send over communications and computer networks is secure is a prerequisite to exploiting the potential of the Global Information Infrastructure. For example, U.S. small businesses are beginning to harness the Internet to enter foreign markets. The Internet in effect lowers the barriers to entry for these companies. But they will not be able to rely on the Internet if their information is not secure. We also have serious concerns about the impact of the Administration's policy on the U.S. economy and job creation. (Indeed, it is our strong belief the U.S. 
economic interests must be a primary consideration in encryption policy discussions with other countries, the OECD, and in other forums. It is not clear that this has been the case in the discussions held up to this point). A recent report entitled "A Study of the International Market for Computer Software With Encryption" prepared by the U.S. Department of Commerce and the National Security Agency indicated that U.S. companies will lose market share given the availability of stronger encryption products overseas. The Computer Systems Policy Project estimates that unless the U.S. relaxes out-of-date export controls, the U.S. technology industry will lose $60 billion in revenues and 200,000 jobs by the year 2000. As Congress begins to consider H.R. 3011 we would greatly appreciate knowing whether the Administration plans to publish a final rule implementing a key escrow encryption proposal or, alternatively, will relax export controls on encryption programs and products which do not have a key escrow feature. Sincerely, Tom Campbell Bob Goodlatte Anna Eshoo Eliot Engel Zoe Lofgren Bob Barr Carlos Moorhead Patricia Schroeder Barney Frank Sam Gejdenson Howard Coble Rick Boucher Fred Heineman Sonny Bono Vernon Ehlers Randy Cunningham Charlie Norwood Randy Tate Donald Manzullo Helen Chenoweth Thomas Davis Roscoe Bartlett Sam Farr Ken Calvert Linda Smith Joseph Moakley Lynn Woolsey ----------------------------------------------------------------------------- TEXT OF PRESS RELEASE FROM REP. GOODLATTE NEWS FROM: Congressman Bob Goodlatte Virginia's 6th District 123 Cannon HOB Washington, D.C. 25515 Phone: (202) 225-5431 DATE: May 16, 1996 CONTACT: Doug Clark 202-225-5431 REP. 
GOODLATTE ASKS PRESIDENT NOT TO PROCEED WITH ENCRYPTION POLICY Congressman Bob Goodlatte (R-VA), lead sponsor of S.A.F.E., the Security and Freedom Through Encryption Act, was joined by Tom Campbell (R-CA), Zoe Lofgren (D-CA), Anne Eshoo (D-CA), Bob Barr (R-GA), Eliot Engle (D-NY), and a bipartisan group of 21 of their colleagues in the House in writing President Clinton asking him not to proceed with his Administration's key escrow encryption policy proposal and instead to immediately liberalize export controls on non-key escrow encryption programs and products. "I have received recent information that the Administration is circulating yet another version of a key escrow proposal for comments from selected individuals. In my opinion this proposal is a non-starter and will not do. It's just a back door approach for more big government intrusion into every American's privacy," said Goodlatte. ----------------------------------------------------------------------------- HOW TO RECEIVE CRYPTO-NEWS To subscribe to crypto-news, sign up from our WWW page (http://www.crypto.com) or send mail to majordomo at panix.com with "subscribe crypto-news" in the body of the message. ----------------------------------------------------------------------------- End crypto-news ============================================================================= From tcmay at got.net Sat May 18 16:06:00 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 19 May 1996 07:06:00 +0800 Subject: Senator, your public key please? Message-ID: At 8:10 AM 5/18/96, t byfield wrote: > There's no reason that webs of trust of well-signed keys couldn't be >very fluidly incorporated into patronage networks, for example, or that >their incorporation would affect network dynamics in any notable way. One Keys, key signings, and webs of trust can be used in all sorts of ways. And I expect the "burrowcrats" will try to regulate the use. 
Imagine, for example, if I use a "web of trust" to help me decide who's trustworthy enough to negotiate the sale of my house to. Further imagine that I want to see keys signed by Tom Metzger, my buddy from the Aryan Nations. Guess what? No blacks will have their keys signed, and hence I'll have to tell them, "Sorry, you're just not in my web of trust." (Now, this is a hypothetical, meant to show that use of a web of trust can trigger such decisions, and could thus trigger legal challenges.) The web of trust may not be transitive, but the "web of taint" may be more so. New forms of blackballing, blacklisting, redlining, etc. And I fully expect that who signs one's keys, and whose signatures are found on one's keys, may become a political and legal issue in the coming years. What if, for example, Sen. Leahy _did_ end up in the web of trust for Aryan Nation? Even if he never intended it, this could have some severe PR repercussions. An exciting new world we're entering. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From mcguirk at indirect.com Sat May 18 16:26:25 1996 From: mcguirk at indirect.com (Dan McGuirk) Date: Sun, 19 May 1996 07:26:25 +0800 Subject: [NOISE] Hackers soundtrack In-Reply-To: Message-ID: On Fri, 17 May 1996, Simon Spero wrote: > Update on an old thread... > > Apparently it was released last week in England, so it may be available > in some import racks. 
The album "Music For The Jilted Generation" by The Prodigy has a lot of the best stuff from the soundtrack, too... From jimbell at pacifier.com Sat May 18 16:30:52 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 19 May 1996 07:30:52 +0800 Subject: SEVERE undercapacity, we need more remailer servers FAST Message-ID: <199605181752.KAA10188@newmail.pacifier.com> At 06:44 PM 5/17/96 -0500, snow wrote: > How about this as an idea: > > Get a few (3 to 5) accounts in a high density market (i.e. lots of >ISP's locally) set up a unix machine on a cheap machine. Have the anon >messages get sent to the pop accounts. Once an hour (or less depending on >budget) have the unix box poll the different pop accounts mix the messages >and resend them the next hour. > This could be further obfuscated by batching the messages up and >posting a whole chunk of messages to a different similar remailer else >where, or by just plopping an encrypted tar'd file on a ftp site where >another remailer grabs them and splits and remails them. It seems to me that if we consider that there are two separate functions remailers provide: 1. Anonymization. 2. Jurisdiction swapping Then perhaps one way to improve the robustness of remailers against copyright-type legal attacks is to provide remailers with temporary (1-2 week) remail-only sites. All material would be processed by the front end, then delivered in bulk to the other site. This sounds similar to the idea you described. That way, the remailer's "front end" can stay around for years, developing reputation. Any attack on copyright would simply be an attack on the back end, which wouldn't last anyway. Jim Bell jimbell at pacifier.com From jf_avon at citenet.net Sat May 18 16:33:58 1996 From: jf_avon at citenet.net (Jean-Francois Avon) Date: Sun, 19 May 1996 07:33:58 +0800 Subject: (Fwd) Mail Delivery Failure. Message-ID: <9605181736.AB07651@cti02.citenet.net> On 15 May 96 at 19:01, Mark M. wrote: > > . 
What if a company does not pay as expected - > > A company could not afford to have such a loss of reputation. > Nobody is going to work for a company that doesn't pay its > employees. Yes, but anonymity would prevent the easy build-up of reputation too: If Joe Anon9876 say: "company ANON1234 Inc screwed me, how peoples will know that it is not a unscrupulous competitor trying to damage their reputation? Now, if Joe Anon9876 decides to disclose to the public that his real name is John Doe to give more weight to his denounciation, and depending on wether or not his bosses *are* or are not crooks, he might very well get some sort of "prediction" on his head. Now, Jim Bell's servers don't have to be completely public. Suppose some servers were built so that the donation address would be known but the list of donation would be kept secret: Such server could thrive. Most "donation" here would not be 2 bucks but rather 20,000 bucks to ensure that the contract would get taken up promptly. And since the targets would not be published, there would be not even a hint that company ANON1234 *might* have put a contract on John Doe (Now, aka Joe Anon9876) . The fact that an open AP server exists makes the later possibility also possible. To have access to the target list would require to be member of a *very* close circle, or maybe, actually, just en employee of ANON_KILLERS4567_Inc. Reputation is standing on the fact that an entity disclose it's existence, accepts to act in full view of significant others, and is prepared to show evidence of good conduct to said significant others. And also on the fact that a challenger to the reputation have to put his own on the opposite platter of the balance. Anonymity makes it hard to do. JFA DePompadour, Societe d'Importation Ltee; Limoges porcelain, silverware and crystal JFA Technologies, R&D consultants; physists, technologists and engineers. 
PGP keys at: http://w3.citenet.net/users/jf_avon ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891 Unsollicited commercial e-mail will be proofread at US165 $/h Any sender of such material will be considered as to have ac- cepted the above mentionned terms. From mix at anon.lcs.mit.edu Sat May 18 16:55:17 1996 From: mix at anon.lcs.mit.edu (lcs Mixmaster Remailer) Date: Sun, 19 May 1996 07:55:17 +0800 Subject: None In-Reply-To: <199605180530.WAA03258@infinity.c2.org> Message-ID: <199605181820.OAA12969@anon.lcs.mit.edu> > Does anyone know of an anonymous remailer that has an SMTP server > (hopefully unlogged) that I can specify in a special variant of the > "sendmail.cf" sendmail configuration file for sending mail to > anonymous servers? > > I use a PPP connection, and right now I'm using my ISP's default > server and I don't like the idea of logs being kept, even though the > messages themselves are chained/encrypted. > > Maybe I'm "paranoid", but if I wasn't, I probably wouldn't bother > with PGP, C'punk remailers, etc. Anon.lcs.mit.edu does not perform ident lookups, does not add Received: headers, and runs at log level 1 (only "Serious system failures and potential security problems" logged, according to the sendmail manual). This is useful for testing things out anonymously, but I don't understand why you would want to use it an a regular basis. Why don't you send your mail directly from your home machine to the first remailer hop? Nothing is forcing you to send outgoing mail through your ISP's mail server or any other one particular mail server. Why would you want to do that in the first place? From sameer at c2.org Sat May 18 16:55:43 1996 From: sameer at c2.org (sameer) Date: Sun, 19 May 1996 07:55:43 +0800 Subject: Is Chaum's System Traceable or Untraceable? In-Reply-To: Message-ID: <199605181841.LAA17739@infinity.c2.org> > > (On the other hand, I have had a longstanding faith that the system can be > made to be both payer- and payee-anonymous. 
Moneychangers, for example.) You don't need faith. You don't need moneychangers, even. You just need to pay attention when Ian posts to cypherpunks. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From zalchgar at juno.com Sat May 18 17:19:08 1996 From: zalchgar at juno.com (zalchgar) Date: Sun, 19 May 1996 08:19:08 +0800 Subject: Netscape 128-bit Message-ID: <19960518.122709.15078.0.zalchgar@juno.com> Do you have to buy the 128 domestic version of Netscape? They used to make it available on their FTP sites, but now they are all 40-bit exportable versions. If you don't have to buy it what is the procedure to get it? -Erinn L.T From bruce at aracnet.com Sat May 18 17:45:37 1996 From: bruce at aracnet.com (Bruce Baugh) Date: Sun, 19 May 1996 08:45:37 +0800 Subject: Remailers vs Nyms - conflicting assumptions? Message-ID: <2.2.32.19960518184824.006cded8@mail.aracnet.com> I've been enjoying the discussion of "disposable" remailers, but I note a problem. If this has been addressed before, well, now it's being noted again. In my (admittedly limited) experience with nym servers, the reply path is fixed - it goes through specified hops. This creates A Problem when any one of the remailers involved goes down. There's no way for the mail to get through. There's not even a way for the nym holder to verify that there is a site down, as opposed to some more transitory problem, without information from an external source. This seems to me a fairly serious weakness, given prevailing governmental attitudes. What would it take to create a nym server that could route around the death or disability of any given mailer? 
-- Bruce Baugh bruce at aracnet.com http://www.aracnet.com/~bruce From remailer at yap.pactitle.com Sat May 18 17:48:20 1996 From: remailer at yap.pactitle.com (Yap Remailer) Date: Sun, 19 May 1996 08:48:20 +0800 Subject: None In-Reply-To: <199605171754.NAA02553@fuseki.aa.ans.net> Message-ID: <199605181915.MAA13072@yap.pactitle.com> > From: michael shiplett > Date: Fri, 17 May 1996 13:54:51 -0400 > > I do agree extending commonly used mailers would be helpful. > > Emacs + mailcrypt (with or without MH & mh-e) already provide the > means to chain one's message through type 1 or mixmaster type 2 > remailers. mailcrypt will even choose arbitrary remailer routing for > you based on information gathered from Raph Levien's remailer > list. Unforunately this is not a turnkey solution and requires more > configuration than most users probably want. > > michael Mailcrypt support for type 2 remailers doesn't really work very well. You can't specify more than one recipient. You can't post to a newsgroup with the "post: news.group" destination. And somehow not all the right headers end up making it into the next message. A better emacs interface to mixmaster remailers is definitely needed. From loki at infonex.com Sat May 18 18:11:42 1996 From: loki at infonex.com (Lance Cottrell) Date: Sun, 19 May 1996 09:11:42 +0800 Subject: The Crisis with Remailers Message-ID: At 8:37 PM 5/15/96, Timothy C. May wrote: >We used to discuss remailer architecture, topology, functionality, and >"ideal behavior" quite a bit a few years ago, but seldom do here on the >Cypherpunks list anymore. Various reasons: same old discussions, >commercialization of Mixmaster-type remailers (so I hear, and Lance >Cottrell can clarify this if this is indeed a factor) may be inhibiting >free discussion of planned features, and perhaps the discussion is going on >elsewhere (on remailerpunks, or the remailer operator's list). > The commercialization of Mixmaster fell through some time ago. 
It is back to being completely free of encumberments. A second implementation is also in the works (by a better programmer than I). -Lance ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche ---------------------------------------------------------- From vznuri at netcom.com Sat May 18 18:21:06 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sun, 19 May 1996 09:21:06 +0800 Subject: The Crisis with Remailers In-Reply-To: Message-ID: <199605182006.NAA13449@netcom12.netcom.com> >> 2. there is no good way to deal with spams or other so-called "abuse" > > Nor should there be. What's one person's abuse is another person's >free speech. Internet traffic should not be censored based on contents. pardon me, but a rather shallow response. you simply cannot ignore the spam problem by saying, "censorship is not acceptable". this is not a solution. there is definitely a spam problem in cyberspace, and it definitely has not been solved. (by "solve" I mean, a solution that is acceptable to most while at the same time preserving "freedom of speech") when you say, "internet traffic should not be censored based on contents" you have something that sounds like Jefferson wrote, but in fact in practice sounds like someone who has never designed a serious technological device that resists negative uses by design and not by dreamy assumption. what is the actual application of your insistence? this reminds me of the vagueness of marx saying, "if people would only do it my way, we would have a utopian government". apparently either people never figured out what he was really talking about, or he was wrong. 
perhaps after someone continues to send you a recurrent mailbomb of 100 MB per day do your site for 1 year, you will still insist that "internet traffic should not be censored"... whoever creates/funds the infrastructure can use it any way they so choose. a usenet adminstrator has absolutely no obligation to dedicate vast amount of his costly computer resources in cpu time or space to material he does not wish to even spit on. the fact that he is forced to in many situations shows how little choice the software gives its users. the spam problem will only be solved once people begin to realize what kind of a problem it is. the same problem that allows spam to explode all over Usenet is the principle that gives you chain letters and unsolicited junk email to your mailbox. it is the same problem. a solution might be possible if people put their minds to it instead of wallowing in irrational emotionalism about censorship. the spam problem is critical to anonymity. it would seem if you can't even solve the spam problem with identified communication, you are surely not going to solve it with anonymous communication. hence my comments from here from time to time that the technological problems of anonymity are not the true obstacle to widespread use. there are deeper problems that cpunks skirt around but fail to grasp because of numerous prejudices. From nsyfrig at condor.depaul.edu Sat May 18 18:22:05 1996 From: nsyfrig at condor.depaul.edu (Nathan Syfrig) Date: Sun, 19 May 1996 09:22:05 +0800 Subject: Why does the state still stand: In-Reply-To: <199605181326.JAA05100@pair> Message-ID: I normally don't read or post to this list, so I'm hoping e$pam will pick up any relevant replies or people Cc: me personally (information overload). My ignorance is probably showing, but it seems that we have a real fundamental problem here. IP numbers of re-mailers, whether free or commercial, are easily identified and therefore become easy sniffing targets. 
This means that the choke points currently used to censor and otherwise restrict information can easily come into play - i.e. ISP's (we've already seen censorship being applied to at the ISP level, so we have sufficient aggregation to filter and sniff).

Therefore, in the absence of roving remailer destinations that change quick enough to evade some sniffing (notice, I didn't say avoid), it seems that there really is no anonymity. Even if we could randomize destinations (a la Pirate Radio with roving dial locations), that would defeat the purpose - the ability to allow anybody to use anonymous remailers.

So, if we feel this capability is important (and I do), how do we solve the problem?

Nathan
(usual "views are my own" diatribe here)

On Sat, 18 May 1996, e$pam wrote:

> Forwarded by Robert Hettinga
>
> -----------------------------------------------------------------------
> Date: Thu, 16 May 1996 07:19:39 -0700
> From: Hal
> To: EALLENSMITH at ocelot.Rutgers.EDU
> Subject: Re: Why does the state still stand:
> Cc: cypherpunks at toad.com
> Sender: owner-cypherpunks at toad.com
> Precedence: bulk
>
> > From: "E. ALLEN SMITH"
> > I did not
> > include offshore.com.ai in Anguilla due to its high cost; I consider anything
> > over 25$ a month to be impractical.
> >
> > _Country/Area_ _Name_ _Email_
> > Anguilla Cable & Wireless webmaster at candw.com.ai
> > [...]
>
> Thanks very much for making this list. However I would not be so quick
> to reject http://offshore.com.ai. It is run by long-time Cypherpunk
> Vince Cate, apparently specifically for the kinds of purposes we are
> discussing. His project was discussed in a recent issue of Wired, I
> think the May issue. (I have no contact with Cate, and have never met
> him as far as I can recall.)
>
> For doing something like running a remailer which will post material
> which is illegal and/or copyrighted in the U.S., you are going to need a
> service which can stand up to pressure.
Presumably some monetary > incentive is going to be a necessity. Of course by this standard $25 a > month is pretty inconsequential. > > One issue is whether these banking-secrecy countries like Anguilla are > followers of the Berne convention or other international copyright > regulations. Banking secrecy and software piracy don't necessarily go > hand in hand. I hear a lot about copyright violations in China but not > in the Caribbean. So actually it isn't clear that this country is the > right location for a remailer that can post arbitrary material. > > As for the costs to the remailer operator, he simply passes those on to > his customers. I think in the long run onshore remailers will be forced > to take measures to restrict copyright-violating posts. So if your > choice is between paying nothing and not getting your whistle-blowing > message posted, or paying $10 and getting it out on the nets, then > hopefully it is worth that much to you. > > We have discussed for-pay remailers and the consensus has been that no > one would use them when others run for free. However now I think the > false premise is being exposed, that free remailers simply will not be > able to run in the current mode for much longer. Once a single remailer > operator has been fined thousands of dollars because somebody posted some > copyrighted message, I don't think you will find many people eager to > sign up as operators. So this dream of a volatile collection of > remailers popping up and going away just doesn't work in my view. Why > would anyone offer a service knowing that he was exposing himself to > liability like this? It would be just a game of Russian roulette, > waiting to see whether it is your remailer which gets the bullet in the > form of a post which violates the copyright of someone with deep > pockets. 
>
> Hal
>

From loki at infonex.com Sat May 18 18:44:45 1996
From: loki at infonex.com (Lance Cottrell)
Date: Sun, 19 May 1996 09:44:45 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
Message-ID:

They are not very hard to set up and run.

I think any blinding is likely to be simple header faking. Totally insignificant security compared to something like Mixmaster.

I proposed a system some time back based on message pools, but it attracted little interest. The down side of the proposal is the large amount of bandwidth required. Each remailer has to receive all messages for all remailers in the pool. The upside of the proposal was that it allowed secure reply blocks (ones that can't simply be tracked forward).

-Lance

>I would really like to see a remailer that is somehow blinded.
>
>I don't know enough about how mail paths are generated, but is it
>impossible to conceal the origin of remailer postings?
>
>Postings made to remailernym at alpha.c2.org would be spit out somewhere but
>without accountability?
>
>Impossible? Would do wonders defeating traffic analysis.
> >I'd consider running a remailer, but after listening to the response to >the anonymous poster a while back, it sounds like there are few if any >simple options which do not require major time and effort to setup and >run. > >--- >My preferred and soon to be permanent e-mail address:unicorn at schloss.li >"In fact, had Bancroft not existed, potestas scientiae in usu est >Franklin might have had to invent him." in nihilum nil posse reverti >00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information >Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche ---------------------------------------------------------- From fotiii at crl.com Sat May 18 18:49:13 1996 From: fotiii at crl.com (Frank O. Trotter, III) Date: Sun, 19 May 1996 09:49:13 +0800 Subject: marginal cost of ecash transaction Message-ID: <199605181957.AA09490@mail.crl.com> Ecash Marginal Costs Ecash transaction costs are a cost-accountants brain tease. Here's my take on the topic (this will likely display why I trade currency and bonds and market payment systems and don't do cost accounting, but since I do have overall responsibility for the cost and revenue of ecash it does matter quite a lot to me directly). Hardware - We own and have paid for boxes to run the system. Once we run out of space or CPU power we have to buy more. Thus we have a step function that could be allocated across the transactions being done at a particular time, but is in fact not really marginal. Our experience suggests that the steps are quite high. 
Telco - Same as above to a degree - we pay for telco and a variety of connection "items". If the volume goes off scale we have to upgrade, making this another step function. It is a periodic bill, and can change, so it is not strictly a "sunk" cost like hardware.

People - Here is the likely marginal cost. Bryce correctly notes that when we have to hire a variety of people to take care of more volume we have what can look like a marginal cost. But this is not marginal by transaction, it is marginal by manual or semi-manual item like account set up, money transfer, email or phone conversations, etc. It is entirely conceivable that the one penny transactions described in previous posts create no need for additional people, and conversely a high dollar corporate transaction book might suggest a lot of hand holding and manual costs.

You should look at most of this cost / benefit stuff on an account basis, not on a transaction basis. The regular banking costs of mailing statements (still required), collecting deposits, producing payments outside of ecash, etc are in fact the bigger parts of the cost. There are also associated costs on accounts of holding reserves with the Fed, paying FDIC insurance where appropriate, and explaining the system and its implications to our own executive staff, regulators, and accountants.

In all the system and the attending transactions are not considered marginal at this time by me. In time, interbank clearing and currency stuff will generate genuine marginal costs. We have sunk and ongoing hard costs, and perhaps someday some revenue and balances to offset the costs.

To my analysis the marginal costs revolve around the manual functions that could become a huge factor depending on the profile of customer that becomes the main user. If they are substantially inactive in manual operations, we may have low marginal costs, if they all need a lot of handholding and manual transactions then each account will cost a lot to handle.
Hardware needs, of course, vary with the style of transaction. Marcel made a quick pass at this in a recent post to the ecash list. Just a start off the top of my head. FOT Frank O. Trotter, III - fotiii at crl.com www.marktwain.com - Fax: +1 314 569-4906 -------------------------------------------- From bryce at digicash.com Sat May 18 18:52:36 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Sun, 19 May 1996 09:52:36 +0800 Subject: Is Chaum's System Traceable or Untraceable? Message-ID: <199605182017.WAA07561@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- You know, even though current ecash uses on-line clearing, it is only necessary for the _payee_ to be on-line at that time. Thus it is entirely possible with current ecash for a payer to load his portable computer up at home with e-coins and then make a purchase a convenience store on the way to work _without_ having a networkable computer. Well-- I mean the computer needs to communicate with the convenience store, but it doesn't need full-scale Internet access. Does anyone on cpunks or ecash have an Apple Newton? I know that they come with infrared-- what are the specs on that communications device? And about the Newton itself: can it compile ANSI C code? How much RAM? Permanent storage? Speed of crypto operations? Thanks, Bryce #include /* I don't speak for anyone but myself. */ - -----BEGIN GOODTIMES VIRUS INNOCULATION----- Copy me into your .sig for added protection! - ----- END GOODTIMES VIRUS INNOCULATION----- -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMZ4wY0jbHy8sKZitAQG/TAMAlF1WftbM8UT1+AUvZJBuX7BimZUOtRqg 2vWYVW2ADuKvntXdsDV0NqSq05/sqDZmhh/iOUmB6bWl22FUrwBbzk2gedUbB1w2 330B6pa1IU1Q5IluNIE2IKFkMZ/KHJ9m =5W5l -----END PGP SIGNATURE----- From bryce at digicash.com Sat May 18 18:54:11 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Sun, 19 May 1996 09:54:11 +0800 Subject: Senator, your public key please? 
In-Reply-To: Message-ID: <199605182038.WAA09047@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- The entity calling itself Tim May is alleged to have written: > > Keys, key signings, and webs of trust can be used in all sorts of ways. > > And I expect the "burrowcrats" will try to regulate the use. > > Imagine, for example, if I use a "web of trust" to help me decide who's > trustworthy enough to negotiate the sale of my house to. > > Further imagine that I want to see keys signed by Tom Metzger, my buddy > from the Aryan Nations. Guess what? No blacks will have their keys signed, > and hence I'll have to tell them, "Sorry, you're just not in my web of > trust." > > (Now, this is a hypothetical, meant to show that use of a web of trust can > trigger such decisions, and could thus trigger legal challenges.) > > The web of trust may not be transitive, but the "web of taint" may be more so. > > New forms of blackballing, blacklisting, redlining, etc. > > And I fully expect that who signs one's keys, and whose signatures are > found on one's keys, may become a political and legal issue in the coming > years. > > What if, for example, Sen. Leahy _did_ end up in the web of trust for Aryan > Nation? Even if he never intended it, this could have some severe PR > repercussions. > > An exciting new world we're entering. All of these are products of misconceptions between using the WoT to certify identities, versus using it to certify how much you trust a person to certify someone else's identify, versus using it to certify arbitrary other qualities about a person. For example, there is no reason why the hypothetical racist "Tom Metzger" would sign no black people's keys. A key signature (PGP style) is just an assertion about the identity of someone. Haven't racists engraved markings on people's clothes, buildings, land, bodies and other belongings in order to identify the owners? So why not do the same for keys. 
This is illustrative of how much confusion reigns about keys, certs, nyms, signatures and cetera right now. I hope that TCMay is pointing out how _most_ people lack a proper understanding of the differences, rather than reflecting his own lack of understanding. Phil Zimmermann was confused about this, I think, when he wrote "Trust is not transitive.". Some kinds of trust _are_ transitive (with a coefficient, of course). Hm. I wonder if there are kinds of trust whose transitivity coefficient is 1? Regards, Bryce #include /* I don't speak for anyone but myself. */ - -----BEGIN GOODTIMES VIRUS INNOCULATION----- Copy me into your .sig for added protection! - ----- END GOODTIMES VIRUS INNOCULATION----- -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: http://www.c2.net/~bryce/ -- 'BAP' Easy-PGP v1.1b2 iQB1AwUBMZ41LkjbHy8sKZitAQHvRwL/Qakezx7VlPRahLnHx/7vuK56pLOScjeH uxF7fX7mXRHKThcnM4fcU/nJ4I6xGNjvYi8RZpSTnhIzUUEiBrDPKE6M1lcqbynC 1H8/L50tGljPyBsJFfIvdHQ3vGKKUtwH =iG/i -----END PGP SIGNATURE----- From bdolan at use.usit.net Sat May 18 18:56:09 1996 From: bdolan at use.usit.net (Brad Dolan) Date: Sun, 19 May 1996 09:56:09 +0800 Subject: "Too cheap to meter" In-Reply-To: Message-ID: On Fri, 17 May 1996, Timothy C. May wrote: > Alan's irony is well-placed. The most egregious repetition of the "too > cheap to meter" nonsense is George Gilder's "dark fiber" vision...a vision > of "infinite bandwidth" to all users. > > Guess what? If Gilder's "dark fiber" is ever built, there are a lot of > folks who will "fill it" rather quickly. Canter and Siegel were just the > beginning. "Too cheap to meter" goes away pretty quickly. > > --Tim May The same George Gilder that is Newt's buddy? And part-owner of Valujet? bd From vznuri at netcom.com Sat May 18 18:58:00 1996 From: vznuri at netcom.com (Vladimir Z. 
Nuri) Date: Sun, 19 May 1996 09:58:00 +0800 Subject: TCM: mafia as a paradigm for cyberspace In-Reply-To: Message-ID: <199605181943.MAA11760@netcom12.netcom.com> TCM >In fact, nearly all of the alleged problems with anonymous systems, >especially the issues of defections, trust, expectation of payoff, etc., >have parallels in other "extra-legal" situations. For example, the Mafia >and other extra-legal or criminal operations. ah, and therein lies the rub. why do you hold up the mafia as an example of how cyberspace might work in the future? it's no wonder that people are intimidated by some cpunk ideas. do you really consider the mafia a good example of how you would like "cyberspatial reality" to operate? it seems to me that people developing future infrastructure for cyberspace ought to be more concerned about making mafia-like roles less easy, not more easy. but obviously this is just yammering on my part, because I and others on the list know you better than that. this of course is not the first time you have held up the mafia as a glowing paradigm, and the reason I am now commenting on it. I recall a rather stunning message some time ago in which you talked endearingly (well, as much as it is possible for you to do so) of mafia informants being hunted down through information warfare, and why this was quite fitting because of the way the government uses the same manipulation via witness relocation. (well, not quite like that, but the logic was hard to follow) >Do they sometimes defect (welsh)? Sure. Do they sometimes screw over the >little guy? Sure. Do people trust them just enough to keep dealing with >them voluntarily? Sure. not in a civilized society. good g*d, you consider the mafia a model of good business? are you aware of what goes on in Italy and Columbia, and you are becoming a mafia apologist? 
the basic rule of thumb if you are operating in a mafia-like organization is "only deal with people you can manipulate or rub out without consequence", quite the opposite in legitimate business. > (Before anyone mentions it, there are of course >cases where people are forced to deal with criminal gangs nonvoluntarily, >such as with shakedowns, hijackings of trucks, etc. But a large fraction of >the dealings with the Mafia, Jamaican gangs, Russian mob, etc., are for >market reasons, where a market need for drugs, girls, cheap cigarettes, >gambling, loans, etc., is being filled by players who are outside the >normal legal marketplace.) an interesting thesis, quite revealing. "the mafia is fulfilling a valid market purpose. the killings & violence are just minor secondary issues." I believe in contrast I would define the mafia exactly the opposite. the violence and terror is the key part of the mafia agenda. the activities they involve themselves in are secondary to promoting the basic agenda of obtaining money in any way possible. how can you portray the mafia as an honorable business? what you will find, I think, is that the "professionalism" that was supposedly a part of the mafia is crumbling into total anarchy. the mafia is undergoing a transformation in which many of their sacred taboos, such as mafia wives not being involved, not killing certain people, etc.-- are dissolving. there is no honor among thieves. of course I highly doubt you will respond to my points, because you will realize your error of revealing too much of your true opinion. best to hide in the woodwork and post a few more bland messages and everyone will forget my blasphemous challenge in a few days beneath the froth. 
>A number of years ago the example I usually used was "Ace Escrow--You Slay, >We Pay," to illustrate that an anonymous escrow holder (holding untraceable >e-cash deposited by the purchaser of a murder contract) could pay off a >murderer who presented certain evidence, all without any of the parties >having any idea whatsover whom the other parties were. what amazes me about people who tend to have a warped mindset is that they think new technology, such as cyberspace, creates a new morality. suddenly murdering, violence, drug dealing, or whatever are supposedly thrust into some new reality in which old rules no longer apply. you and Jim Bell are unbelievably similar, as much as either of you would hate to admit it. its just a cloak, in my opinion, for trying to evade culpability. the ultimate utopia for some on this list would be a world in which they can be held accountable for absolutely nothing, by absolutely no one. "anarchy" is as good a word as our reality can come close to, although I believe such a reality would be far more sinister than that adjective connotes. > The problem is then >one of whether the escrow company will simply pocket the money and not pay >off. First, it can be set up (I think) that the e-cash is uncashable by >the escrow company...but I'm not sure this is needed. A better solution is >to rely on the basic nature of escrow or bonding services: their reputation >capital is much more valuable to them than anything to be gained by >defecting and burning their clients. Except if they are about to retire >anyway...as with the bonded courier who defects to Rio de Janeiro with a >bag of diamonds....the trick is to spread the escrow money around to >multiple escrow agents, and to rely on "escrow testing services" which >periodically ping or test the services.... think about it really hard, TCM. work out those difficult problems associated with trying to kill people and get away with it, using new sexy advances in technology and theory. 
you have a very good start after years of deep thinking. why, if you can come up with such creative and compelling ideas on DC nets and remailers, surely you can solve this problem. it is a problem that begs for resolution. how many people have yearned for such a capability over the centuries!! maybe talk to Jim Bell some more. perhaps eventually you will perfect the method of perpetrating the perfect killing!! I really do admire you, because killing people without getting caught is surely a great unrecognized art, and one of the most unappreciated and misunderstood. something that has only been a dream to the blighted wretches prior to our glorious new phases of cyberspatial technology, which makes human morality completely obsolete. surely once all these difficult issues can be resolved (and surely they can, with such great minds as RSA or Chaum walking around the planet) there will be some excellent business opportunities for some lucrative ventures and profits. interesting investment possibilities. surely you will keep us informed of any future developments so we can invest wisely as you have done for so long. >There are many issues here. I'm not advocating murder markets, just noting >that they provide an easy to understand and fairly "pure" example. If it >can be done with murders for hire, it can be done with nearly anything. right, oh well, thanks for the entertainment. usually you have to go to a theater to get the "chills up the spine" effect. kinda slick one can get it in cyberspace. you're right, this cyberspace stuff has a lot of possibilities. From umwalber at cc.UManitoba.CA Sat May 18 19:08:48 1996 From: umwalber at cc.UManitoba.CA (Sean A. Walberg) Date: Sun, 19 May 1996 10:08:48 +0800 Subject: Netscape 128-bit Message-ID: <199605182012.PAA29570@electra.cc.umanitoba.ca> Unfortunately, you have to buy it. I got a email from their Customer service department about that yesterday. Sean > Do you have to buy the 128 domestic version of Netscape? 
They used to > make it available on their FTP sites, but now they are all 40-bit > exportable versions. If you don't have to buy it what is the procedure > to get it? > > -Erinn L.T > > =================] Will work for RAM [================== | Sean A. Walberg | PGP key | C programmers | | Computer Engineering ][ | on | do it in | | umwalber at cc.umanitoba.ca | servers | libraries! | =============] http://www.escape.ca/~sean [============= From loki at infonex.com Sat May 18 19:09:37 1996 From: loki at infonex.com (Lance Cottrell) Date: Sun, 19 May 1996 10:09:37 +0800 Subject: SEVERE undercapacity, we need more remailer servers FAST Message-ID: It seems very reasonable to allow posting only through nym-servers. That gives a point at which payment can be received, and an account which can be removed for abuse. Since the nym is password protected, it also help build the reputation of the nym. -Lance At 5:46 PM 5/15/96, E. ALLEN SMITH wrote: >From: IN%"hfinney at shell.portal.com" "Hal" 15-MAY-1996 19:23:06.71 > >>Maybe the operators can try to plead that they are like "common carriers" >>and should not be blamed for what people post. Still it is going to take >>deep pockets at best to prevail in this dispute, and it isn't even clear >>that the remailer will win. Maybe the lawyers on the list could comment >>on legal liability of a remailer used to repeatedly post copyrighted >>material, whether Scientology scriptures or Microsoft Word binaries. I >>don't see how it can happen. > > Part of this problem may be solved through the proper decisions on >the liability of ISPs for material on them. The concept would seem to be >extensible. If a country has A. good laws on the subject and B. a pretty good >court system - e.g., one in which it's difficult to sue and easy to defend - >that country would seem to be suitable for setting up a remailer front end. 
>Other remailers can just be used for chaining, and can't be proven to have >carried a message (even unknowingly) without defeat of the remailer system >via traffic analysis. (A reason for remailer operators to run automatic >mailing scripts, BTW.) > >>This was the basis for my suggestion that remailers may have to stop >>supporting posting of messages, and instead be used for private mail >>between consenting individuals. Granted, this would probably eliminate >>99% of non-cover remailer traffic. But I would argue that as long as the >>core functionality is there of letting people communicate with each other >>anonymously and consensually, we would still offer an important service. > > In other words, a remailer that would only forward mail to someone if >the email address in question gave consent? Mailing lists and mail-to-news >gateways can still be signed up by their operators under such a system, and >it's possible the remailer might be charged along with the operator if >copyrighted material was posted. > >>Encryption hides the contents of the messages you send from >>eavesdroppers. But they can still see who you are communicating with. >>Remailers extend privacy protection beyond "what you say" to "who you say >>it to". When used with pseudonym servers and some of the extensions we >>have discussed here over the years (maildrops, etc.), they can allow the >>anonymous two-way communication that is needed for real privacy. > > How much use is a pseudonym if you can't practically use it for >building reputation capital? It's hard to do that when you can't send to anyone >but individuals, instead of to publically available sources. > One idea would be bonded pseudonyms. If you put up an adequate bond to >the remailer front end operator (to A. pay fines and B. cover any legal fees), >then you get to send to public fora. This would also be profitable for the >remailer operator, if he/she got to keep the interest (assuming deposit into >some investment). 
> -Allen ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche ---------------------------------------------------------- From rodger at interramp.com Sat May 18 19:12:44 1996 From: rodger at interramp.com (Will Rodger) Date: Sun, 19 May 1996 10:12:44 +0800 Subject: Interactive Week exclusive - White House to launch "Clipper III" Message-ID: The White House is about to answer recent attempts to liberalize encryption exports with a proposal of its own. Documents obtained by Interactive Week show the Ciinton Administration has been lobbying key Republican committee members to compromise on encryption through a policy that looks very much like previous commerical key escrow efforts. This time, however, the administration has proposed a new, licensed network of certification authorities and escrow agents to control access to strong encryption abroad. The newest proposal is contained in a 24-page White Paper, a draft of which hit Capitol Hill earlier this week. Much of the administration's "key management infrastructure" assumes a similar network of certification authorities abroad. CAs would link public keys to their owners, and could serve as escrow agents for users' private keys, as well. The two would not have to be under the same roof, however. An overarching "Policy Approving Authority" would supervise all subordinate CAs and escrow agents. Since US escrow of exported products pose well-known problems for privacy and business concerns, the US is proposing foreign governments get into the act as well. 
If other governments acted as escrow agents, the Clinton White House argues, interlocking agreements among governments would protect all their common security concerns while giving non-US citizens access to US encryption products.

The ultimate goal, the White House says, is to allow export of anything at all, so long as keys are escrowed with an agent of its approval.

The White House is evidently relying on OECD initiatives for much of this to happen.

Specifically, the "Clipper III" paper says that:

U.S. companies can export software programs that use keys that are 64 bits of data long, if they agree to escrow keys that unlock the encryption in the U.S. or with an appropriate agency abroad.

Manufacturers can export hardware that uses 80-bit keys to encrypt data, if keys are escrowed.

Large U.S. companies can escrow keys and not rely on third parties.

Reaction is as before. Civil libertarians are already denouncing the White Paper, while pro-escrow forces are praising it. Staffers to Commerce and Judiciary committee call it the same old proposal, but with a large bureaucracy behind it.

Quoted in the Interactive Week article: David Sobel of Electronic Privacy Information Center, Dorothy Denning of Georgetown U. and Stewart Baker, former NSA counsel. Hill staffers also quoted on background.

The URL for the complete article is: http://www.zdnet.com/intweek/daily/960518y.html

Will Rodger
Washington Bureau Chief
Interactive Week

From qut at netcom.com Sat May 18 19:40:16 1996
From: qut at netcom.com (Dave Harman)
Date: Sun, 19 May 1996 10:40:16 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
In-Reply-To:
Message-ID: <199605182050.NAA14663@netcom9.netcom.com>

You write:

! On Wed, 15 May 1996, Black Unicorn wrote:
! >
! > I would really like to see a remailer that is somehow blinded.
! > I don't know enough about how mail paths are generated, but is it
! > impossible to conceal the origin of remailer postings?
! > Postings made to remailernym at alpha.c2.org would be spit out somewhere but
! > without accountability?
! >
! > Impossible? Would do wonders defeating traffic analysis.
! >
! > I'd consider running a remailer, but after listening to the response to
! > the anonymous poster a while back, it sounds like there are few if any
! > simple options which do not require major time and effort to setup and
! > run.
!
! I was thinking about this last night, hence my question about
! running mixmaster under Xenix (or minux for that matter).
!
! How about this as an idea:
!
! Get a few (3 to 5) accounts in a high density market (i.e. lots of
! ISP's locally) set up a unix machine on a cheap machine. Have the anon
! messages get sent to the pop accounts. Once an hour (or less depending on
! budget) have the unix box poll the different pop accounts mix the messages
! and resend them the next hour.

YES YES YES!!!!!!
SLIP/PPP/SHELL IT DOESN'T MATTER, DOWNLOAD MAIL, PROCESS, UPLOAD, MAIL, POST!!!!!
LINUX MODEM/CUA1 OR SLIP/PPP!!!!!!!!
PAID WITH *FAKE* NAME/ADDRESS WITH POSTAL MONEY ORDER!!!!!!
I SUCK, I DON'T CODE!!!!!!
IF THEY WONT GIVE YOU "FROM: " AND 50 POSTS/500 EMAILS A DAY GET ONE THAT WILL!!!!!!
THIS IS A CYPHER EMERGENCY!!!!!!!!
WE NEED 1,000 SERVERS F A S T!!!!!!!!!!!!!!
POSTAL COUPONS AND FOREIGN ACCOUNTS!!!!!!!!!!!!!
WE NEED SERVERS NOT CLIENTS!!!!!!!

! This could be further obfuscated by batching the messages up and
! posting a whole chunk of messages to a different similar remailer
! elsewhere, or by just plopping an encrypted tar'd file on a ftp site where
! another remailer grabs them and splits and remails them.

THE USER/CLIENT DOES THIS SORT OF STUFF!!!!!!!!!!!!
WE DON'T NEED ANYTHING BUT 1,000 WORLD HACKTIC STYLE REMAILERS!!!!!!!!!!!
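
An added example, not part of any post in this thread and not code from Mixmaster or any remailer discussed here: the hourly collect, mix and resend scheme quoted in the message above, in Python, next to immediate forwarding, scored against an observer who links mail by arrival order. The class and function names, the one-hour interval and the minimum batch size are assumptions; the message ids are constructed and stand in for encrypted mail.

```python
import random
import secrets


class BatchMix:
    """Store-and-forward node: holds mail and releases it once per
    interval, in random order, so departure order says nothing about
    arrival order."""

    def __init__(self, interval=3600, min_batch=2, rng=None):
        self.interval = interval      # seconds between flushes (assumed: one hour)
        self.min_batch = min_batch    # never release a batch smaller than this
        # A CSPRNG by default; a seeded random.Random is only for repeatable tests.
        self.rng = rng or secrets.SystemRandom()
        self.pool = []                # messages waiting for the next flush
        self.next_flush = interval

    def submit(self, message):
        """Accept a message; it is never forwarded straight away."""
        self.pool.append(message)

    def poll(self, now):
        """Return the batch to send at time `now`, or [] if nothing is due."""
        if now < self.next_flush:
            return []
        # Advance the schedule even when nothing is sent, so mail arriving
        # after a quiet hour still waits for the following flush.
        while self.next_flush <= now:
            self.next_flush += self.interval
        if len(self.pool) < self.min_batch:
            return []                 # a lone message would have no cover: keep holding
        batch, self.pool = self.pool, []
        self.rng.shuffle(batch)
        return batch


def order_link_rate(arrivals, departures):
    """Fraction of messages an observer links correctly by assuming the
    node forwards first-in, first-out. Ids are ground truth for scoring;
    the observer is assumed to see only timing and order."""
    if not arrivals:
        return 0.0
    hits = sum(1 for a, d in zip(arrivals, departures) if a == d)
    return hits / len(arrivals)


def simulate(batches=50, per_batch=10, mix=True, seed=None):
    """Average link rate over several hours of constructed traffic."""
    rng = random.Random(seed) if seed is not None else None
    node = BatchMix(interval=3600, min_batch=2, rng=rng)
    total = 0.0
    for b in range(batches):
        start = b * 3600
        arrivals = [f"msg-{b}-{i}" for i in range(per_batch)]  # constructed ids
        if mix:
            for msg in arrivals:
                node.submit(msg)
            departures = node.poll(start + 3600)
        else:
            departures = list(arrivals)   # plain forwarding keeps arrival order
        total += order_link_rate(arrivals, departures)
    return total / batches


if __name__ == "__main__":
    print("immediate forwarding:", simulate(mix=False))
    print("hourly batch mix:    ", simulate(mix=True))
```

Batching alone only hides order within one hour's mail; message size and content still have to be made uniform for the batch to act as an anonymity set.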
From qut at netcom.com Sat May 18 20:06:28 1996 From: qut at netcom.com (Dave Harman) Date: Sun, 19 May 1996 11:06:28 +0800 Subject: "Too cheap to meter" In-Reply-To: Message-ID: <199605182056.NAA15181@netcom9.netcom.com> You write: ! On Fri, 17 May 1996, Timothy C. May wrote: ! ! > At 2:38 AM 5/16/96, Alan Horowitz wrote: ! > >Hey, let's build faster and faster fiber-optic networks. Let's create ! > >bandwidth so cheap that it won't even pay to meter it. ! > ! > "Too cheap to meter"? Wasn't that what nuclear power promised in the 1950s? ! > ! > (I'm actually a supporter of nuclear power, for a variety of reasons, so ! > this is not meant as just a cheap shot against nuke plants. But this was ! > one of the "selling points" of nuclear, later shown to be a falsehood.) ! ! Actually, nuclear power, per se, is damn cheap. It's the collateral ! effects (real, i.e., waste disposal and keeping fissile materials secure ! from terrorists, and imagined, i.e., overregulation) that are so ! expensive. ! ! Just like the net. We could have a virtually free flow of information, but ! that's not exactly what the gubmint wants, is it. Not to mention that it's ! not exactly what we want, either -- Canter & Siegel are only the tip of ! the iceberg of the Tragedy of the Commons we'd see on a truly free ! network. ! ! We don't need the CDA or anything quite that stupid, but I'll drink to ! overpriced, arbitrarily restricted net access any day. CAPITALISTS' SUCK ! -rich From loki at infonex.com Sat May 18 20:14:21 1996 From: loki at infonex.com (Lance Cottrell) Date: Sun, 19 May 1996 11:14:21 +0800 Subject: The Crisis with Remailers Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 9:00 AM 5/18/96, Dr. Dimitri Vulis wrote: >"Vladimir Z. Nuri" writes: >> 1. there is no economic incentive. > >So, add the code to mixmaster (and even the old style remailers) to >collect e-cash as it passes on the anonymous message. 
Then this will
>be a good way to accumulate some e-cash, and a number of people will
>try running remailers for this very purpose. Witness the recent
>Usenet spam by someone advertizing a for-pay remailer.
>

I was invited to the digicash API design meeting precisely to make sure it could be used in remailers. It will not be using the current API. The problem is that Mixmaster requires exact knowledge of the size of every object in the message, to maintain constant message size. I could set aside room for one, two, three coins, but there is no guarantee that the payment will be made with only that many coins.

The current API is going to be high level. It will not allow the program to know anything about the internals of the payment. I need to be able to specify payment of amount X using no more than N coins. As soon as I have that level of control, you will see postage in Mixmaster.

-Lance

----------------------------------------------------------
Lance Cottrell loki at obscura.com
PGP 2.6 key available by finger or server.
Mixmaster, the next generation remailer, is now available!
http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com
"Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche
----------------------------------------------------------

From hieronym at desk.nl Sat May 18 20:35:24 1996
From: hieronym at desk.nl (t byfield)
Date: Sun, 19 May 1996 11:35:24 +0800
Subject: Senator, your public key please?
In-Reply-To: Message-ID: 10:16 AM +0200 5/18/96, Black Unicorn: <...> > Well, this depends on what we assume a signature does. <...> > This depends on the intrepretation of the meaning of signature. > > > After all, Uni, what _does_ a signature signify? You were asking some > > very pointed questions about that quite recently. > > Precisely, and in the absence of an answer to this question which is more > substantial I think assuming that Senators and CEO's intended to vouch for > your financial or character reputation is stretching it a bit. But hey, > I'm not on the Ethics Committee. Surely you don't conclude from the fact that _you_ think I'm stretching it that most others would think so as well... My point wasn't that the committee was "right" in any elegant sense but, rather, that their misperceptions are almost certainly indicative of the kinds of misperceptions that will propagate far and wide--and be effective--as public-key encryption becomes more common. Humanity managed to get by for centuries laboring under the delusion that cheese produces worms: the fact that they were wrong doesn't make those centuries of fact go away. Ted From escali_m at worldnet.fr Sat May 18 20:45:30 1996 From: escali_m at worldnet.fr (Marc Escalier) Date: Sun, 19 May 1996 11:45:30 +0800 Subject: PLEASE HELP ME GO OUT OF THIS LIST!!!!!! Message-ID: <199605182114.XAA07062@storm.certix.fr> how to go out of this list. please help me, it would be VERY NICE. From tcmay at got.net Sat May 18 20:54:30 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 19 May 1996 11:54:30 +0800 Subject: "Too cheap to meter" Message-ID: At 8:03 PM 5/18/96, Brad Dolan wrote: >On Fri, 17 May 1996, Timothy C. May wrote: > >> Alan's irony is well-placed. The most egregious repetition of the "too >> cheap to meter" nonsense is George Gilder's "dark fiber" vision...a vision >> of "infinite bandwidth" to all users. >> >> Guess what? 
If Gilder's "dark fiber" is ever built, there are a lot of >> folks who will "fill it" rather quickly. Canter and Siegel were just the >> beginning. "Too cheap to meter" goes away pretty quickly. >> >> --Tim May > > >The same George Gilder that is Newt's buddy? And part-owner of Valujet? I don't know about the ValuJet part, but the Newt part is right. George Gilder is an interesting thinker, and has written a bunch of books and articles on the implications of technology, microcircuitry, and networks. One of his books was, for example, "Microcosm." I'm sure a search of his name will produce an abundance of information. My criticism of his "dark fiber" advocacy is that it smacks of the typical "techno-Rapture" point of view, epitomized by the "too cheap too meter!" gushings of the 1950s and the "nanotechnology will rebuild our bodies out of diamond and we'll live forever" gushings of today. Fiber optics is a Big Deal, make no mistake about it. But the notion that the bandwidth will be so high that everyone can be hooked up to the same "party line" (the core idea of the "dark fiber" thesis) and just drop stuff in and pull stuff out...well, think of how such a channel can be flooded. (So, is it really "free" or not? Obviously it can't be. If it is, I can think of many who will choose to flood it, for their own reasons.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From dlv at bwalk.dm.com Sat May 18 20:55:00 1996 From: dlv at bwalk.dm.com (Dr. 
Dimitri Vulis)
Date: Sun, 19 May 1996 11:55:00 +0800
Subject: The Crisis with Remailers
In-Reply-To: <199605182006.NAA13449@netcom12.netcom.com>
Message-ID:

Having exchanged e-mail in the past with Lance Deitweller, I have to conclude that Vladimir Z. Nuri is NOT Lance, since Lance is actually pretty sharp.

"Vladimir Z. Nuri" writes:
> >> 2. there is no good way to deal with spams or other so-called "abuse"
> >
> > Nor should there be. What's one person's abuse is another person's
> >free speech. Internet traffic should not be censored based on contents.
>
> pardon me, but a rather shallow response.

One of the reasons why I don't like Sovoks is that when they're at a loss for words, they resort to name-calling. Your rants hardly deserve any response other than *plonk*, and you have the gall to bitch that it's "shallow"?

> you simply cannot ignore the spam problem

Just watch me ignore it, just as my site ignores all cancels.

> there is definitely
> a spam problem in cyberspace,

Not for me. Not for most sysadmins or readers who have better things to do than worry that someone posted something inappropriate to Usenet. Read Dave Hayes's FAQ.

> perhaps after someone continues to send you a recurrent mailbomb of
> 100 MB per day to your site for 1 year, you will still insist that
> "internet traffic should not be censored"...

I said: "Internet traffic should not be censored BASED ON CONTENTS." If the above actually caused my site problems based on the volume, it would result in repercussions for the perpetrator, irrespective of contents.

All of the so-called "spam" combined is a minuscule percentage of Usenet traffic, less than almost any single alt.binaries. newsgroup. It can be easily ignored using a newsreader that processes NoCeM's.

> the spam problem will only be solved once people begin to realize what
> kind of a problem it is.
I.e., not a problem, except for some anal-retentive control freaks longing for their beloved Soviet Union, and their ilk on news.admin.net-abuse.*. I'm a news admin. You're not and you don't know what you're talking about. > there are deeper problems that cpunks skirt around but fail to grasp > because of numerous prejudices. You have a problem with other people saying something that you can't control. With this attitude, I suggest you limit your reading to soc.culture.russian.moderated. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From iang at cs.berkeley.edu Sat May 18 20:59:17 1996 From: iang at cs.berkeley.edu (Ian Goldberg) Date: Sun, 19 May 1996 11:59:17 +0800 Subject: My meeting with Chaum (Also: ecash full anonymity and a legal question) In-Reply-To: Message-ID: <4nlfee$vcj@abraham.cs.berkeley.edu> -----BEGIN PGP SIGNED MESSAGE----- In article , Timothy C. May wrote: >I first read of Chaum's work in late '85, in his CACM article, and then >"rediscovered" it when I was doing some review work for Phil Salin's AMIX >information market startup in 1987. > >Certainly the text of Chaum's articles implied both payer and payee >anonymity, though certain details may've been unclear to some of us. > >When Chaum unveiled his "payer is anonymous, but payee is traceable," some >of us were surprised. > >(On the other hand, I have had a longstanding faith that the system can be >made to be both payer- and payee-anonymous. Moneychangers, for example.) > >>Deal with the devil? >> >>Any "complete" digital cash implementation has to provide for payee anonymity. >> > >I agree with Jim Bell on this completely. I don't know if Chaum has been >seduced by the Dark Side, or is looking to get digicash widely deployed by >"respectable" institutions, or is telling the truth (that his system >_never_ provided for real untraceability), but I know that Cypherpunks >should always strive for full untraceability. 
> >One-sided traceability is not enough. > So here's the deal with ecash "as it works today": If a payment is made with ecash through some anonymous channel (like a remailer or a post to alt.anonymous.messages), neither the payee or the payor can directly identify the other (that is to say, neither's identity need be stored in, or used to construct, the payment). _However_, in the current implementation, the payor can collude with the bank to reveal the payee's identity. More specifically, the payor can produce the "blinding factor" he used when he withdrew the coins from the bank, which he later gave to the payee, who deposited them. The bank can use this information to figure out what the unblinded coin looked like, and then check its logs to find out who deposited that coin (remember that with the current implementation, when a coin is paid to someone, he must immediately deposit it, or risk losing the money if the payor tries to cancel the payment or spend it again). Note that the act of giving up the blinding factor will reveal _both_ parties in the transaction. That is, in order to reveal the payee, the payor must identify himself. (Not a big deal in the case of LEO...) This is because what is being identified is a "link" between a blinded coin that was withdrawn from the payor's account to the unblinded coin that was deposited to the payee's account. The way "full anonymity" works is that the coin is blinded by _both_ the payor and the payee before being withdrawn from the bank. That way, in order to reveal the link between the payor and the payee, _all three_ of the bank, the payor, and the payee must collude. This is not a big deal (the reasons for which are left as an exercise). Relevance: The ecash "concept" (numbers that _are_ money) produces an inherently bearer instrument (modulo double spending protection). The current software implements payor-side blinding only, in order to appease the Powers That Be. 
There's no reason why, given the information currently available, and even better when the library is released, with a weekend's work (a week if you're slow), you couldn't produce the handful of functions you'd need to implement the fully-anonymous protocol, REGARDLESS of whether you had access to the source to the current client or the library.

The reason I bring this up is that yesterday, I had a 2.5-hour chat with David Chaum. These seemed to be the important bits:

o The current plan is to release a lowish-level, binary-only library, as well as highish-level source which calls that library, and implements the published high-level API (http://www.digicash.com/api/). Release date: RSN.

o The source to the current client, and the low-level library will _not_ be released. Dr. Chaum's main reason was that releasing the source would make it "too easy" to implement full anonymity, which he sees the various regulators seeing as a Bad Thing(TM). I disagreed. With the recent release of the byte-level encoding (http://www.cs.berkeley.edu/~iang/ecash/), it would be not too much work for a sufficiently motivated person to do, with or without the source. In fact, it's unclear the source to the low-level library is really all that helpful in this respect.

o He doesn't really want there to be an independent implementation of the ecash library, with full source available, also for the above reasons. The phrase "The worst thing you could do would be to go to Canada, write the library, and publish it on the net." came up. In both this and the above case, he didn't believe that availability of source code for security analysis (everyone runs code they didn't write) was an important issue. As far as I could tell, he was thinking like a Cryptographer (not surprising, as that's what he is (and a damn fine one, at that)): he wanted to have a way to verify that the _protocols_ were behaving correctly; that is, they were not leaking private information, and that money wasn't being lost.
The issue of buffer overruns causing the security of my entire machine to be compromised wasn't important. o Similarly, the source to the mint will not be published. Notwithstanding that the last few bugs I found in ecash were with the mint software, of which I've never seen source nor object code, again, thinking like a Cryptographer, he insisted that the system was designed so that no matter how one person cheats, the others can't be affected. That may be true in theory, but in practice, if there's a fingerd-style hole in the mint software, and someone manages to steal the mint's private key, and makes counterfeit ecash, does that really not affect me, a customer? If I'm going to be buying into this system, I would like to have some assurance of its security, and it is well-known that the best way to do that is to have open source. So: a question to legal-types, maybe: I am, in fact, going to Canada, and was considering writing a version of the library while I was there. Now, Chaum has a patent on 2 lines of code (blinding the coin before it goes to the bank, and unblinding the value returns). Believe it or not, I would like to stay within the law. Would my writing a library that worked perfectly well with the current system, but just didn't do blinding (and thus has no anonymity) be "contributory infringement" or something like that (noting that it would likely be trivial for someone to add in the relevant 2 lines)? Would it matter (either including the 2 lines or not) if I'd: (a) sell it (b) give it away on the net (c) give it just to a few people (d) only use it myself? Remember also that this would be done in Canada, just to make the question tougher... - Ian "I didn't rant nearly so much as I thought I would..." 
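The linkage described in the message above, and the payee-side blinding that removes it, sketched with textbook RSA blind signatures. This is an added example, not DigiCash's code or wire format; the toy mint key, the account names alice, bob and carol, and the Bank class are assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Toy RSA mint key built from two Mersenne primes (constructed for this
# example; far too small for real use).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def h(serial: bytes) -> int:
    """Stand-in for a full-domain hash: SHA-256 of the serial, reduced mod N."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def rand_factor() -> int:
    """Random blinding factor that is invertible mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r


def blind(m: int, r: int) -> int:
    return m * pow(r, E, N) % N      # m * r^e


def unblind(s: int, r: int) -> int:
    return s * pow(r, -1, N) % N     # (m^d * r) / r


class Bank:
    """Hypothetical mint that logs what it sees at withdrawal and deposit."""

    def __init__(self):
        self.withdrawals = []        # (account, blinded value it signed)
        self.deposits = {}           # h(serial) -> depositing account

    def withdraw(self, account, blinded):
        self.withdrawals.append((account, blinded))
        return pow(blinded, D, N)    # signs without seeing the serial

    def deposit(self, account, serial, sig):
        m = h(serial)
        if pow(sig, E, N) != m:
            raise ValueError("bad signature")
        if m in self.deposits:
            raise ValueError("double spend")
        self.deposits[m] = account

    def trace(self, payer, revealed_factors):
        """Strip the revealed blinding factors from the payer's withdrawals
        and return the accounts whose deposits match the result."""
        found = set()
        for account, blinded in self.withdrawals:
            if account != payer:
                continue
            m = blinded
            for r in revealed_factors:
                m = m * pow(pow(r, E, N), -1, N) % N
            if m in self.deposits:
                found.add(self.deposits[m])
        return found


def payer_only_blinding(bank):
    """Current scheme in the message: only the payer blinds the coin."""
    serial = secrets.token_bytes(16)
    r = rand_factor()
    sig = unblind(bank.withdraw("alice", blind(h(serial), r)), r)
    bank.deposit("bob", serial, sig)          # payee deposits immediately
    return r


def double_blinding(bank):
    """'Full anonymity': payee blinds first, payer blinds again."""
    serial = secrets.token_bytes(16)          # chosen by the payee
    r_payee = rand_factor()
    half = blind(h(serial), r_payee)          # payee -> payer
    r_payer = rand_factor()
    s = unblind(bank.withdraw("alice", blind(half, r_payer)), r_payer)
    bank.deposit("carol", serial, unblind(s, r_payee))  # payee finishes
    return r_payer, r_payee


def demo():
    bank = Bank()
    r = payer_only_blinding(bank)
    r_payer, r_payee = double_blinding(bank)
    return {
        "payer_reveals_single": bank.trace("alice", [r]),
        "payer_reveals_double": bank.trace("alice", [r_payer]),
        "all_collude_double": bank.trace("alice", [r_payer, r_payee]),
    }
```

With payer-only blinding the payer's factor is enough for the bank to name the depositor; with both parties blinding, the bank needs the payee's factor as well.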
From tcmay at got.net Sat May 18 21:13:29 1996
From: tcmay at got.net (Timothy C. May)
Date: Sun, 19 May 1996 12:13:29 +0800
Subject: Senator, your public key please?
Message-ID:

At 8:38 PM 5/18/96, bryce at digicash.com wrote:

...(my points elided)...

>All of these are products of misconceptions between using the
>WoT to certify identities, versus using it to certify how much
>you trust a person to certify someone else's identity, versus
>using it to certify arbitrary other qualities about a person.

Bryce, we've differed several times before about the web of trust, especially "man-in-the-middle" issues. This looks to be the same sort of issue.

I personally don't see key-signings as mainly useful for verifying the "true name" of someone whose key I sign. (I don't check birth certificates, passports, driver's licenses, etc.)

Rather, I view _my_ key signings as forms of vouching, or endorsement. Not of all views, naturally, but as a statement that the person whose key I am signing is someone I know and "trust" (in the sense that the key belongs to the person I "know"). Thus, I know Eric Hughes, even though he may actually be Fritz Kacynski, drop-out math student.

>
>For example, there is no reason why the hypothetical racist "Tom
>Metzger" would sign no black people's keys. A key signature
>(PGP style) is just an assertion about the identity of someone.
>Haven't racists engraved markings on people's clothes,
>buildings, land, bodies and other belongings in order to
>identify the owners? So why not do the same for keys.

Sure, he could do it.
I'm saying that there's also a significant chance he has no black friends or no blacks he deals with on a regular enough basis to even be _asked_ to "vouch" for them, much less _agree_ to sign their keys. (This is the way it really does work in the real world, at least for many of us. People who ask me to sign their keys from afar will get no response from me. I don't even care if they fax me their birth certificates, etc. Only people I have met or interacted with directly, or who seem to be known by enough of my friends, get their keys signed.) Now I can certainly see other folks signing keys on a different basis: upon presentation of a valid passport, comparison of footprint with that on birth certificate, etc. Such "credentialling agencies" will be valuable players (to some) in the ecosystem of key-signers. I'm just saying that I'm certainly not in the business of checking credentials for free, and hence only sign keys for people I know fairly well, or who know my own friends fairly well. >This is illustrative of how much confusion reigns about keys, >certs, nyms, signatures and cetera right now. > > >I hope that TCMay is pointing out how _most_ people lack a >proper understanding of the differences, rather than reflecting >his own lack of understanding. Bryce, I respect your views on this and MITM issues, but the fact that we view things differently (and that Phil Z. views things differently from you, and perhaps from me) should not always be ascribed by you as "reflecting lack of understanding." >Phil Zimmermann was confused about this, I think, when he wrote >"Trust is not transitive.". Some kinds of trust _are_ >transitive (with a coefficient, of course). Hm. I wonder if >there are kinds of trust whose transitivity coefficient is 1? Well, I wrote up my thoughts on how work on "belief networks" is less confusing that the term "web of trust." I believe different agents will use these belief networks in different ways. 
Some will be focused on the issue of True Names and will calculate beliefs on the basis of how much they think the key-signers are being diligent enough in checking identities. Others will use belief networks to convey trust that one is not a government agent (a practical example being the use of PGP and webs of trust in the jungles of Burma, where I am quite sure the "keyrings" did not deliberately include government agents, regardless of how well they "proved" their identity! There is no single ontological interpretation of belief networks. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From frantz at netcom.com Sat May 18 21:50:32 1996 From: frantz at netcom.com (Bill Frantz) Date: Sun, 19 May 1996 12:50:32 +0800 Subject: Senator, your public key please? Message-ID: <199605182241.PAA22909@netcom8.netcom.com> At 10:44 AM 5/18/96 -0700, Timothy C. May wrote: >What if, for example, Sen. Leahy _did_ end up in the web of trust for Aryan >Nation? Even if he never intended it, this could have some severe PR >repercussions. It could happen today. All anyone has to do is down-load his key, sign it, and then up-load it again. This is exactly analogous to slanderous attack on someone's reputation. As soon as people realize that the mere fact that a key has a signature does not mean that the key-owner solicited the signature, the problem goes away. 
------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From frantz at netcom.com Sat May 18 21:53:23 1996 From: frantz at netcom.com (Bill Frantz) Date: Sun, 19 May 1996 12:53:23 +0800 Subject: crosspost re remailers Message-ID: <199605182241.PAA22866@netcom8.netcom.com> At 7:07 AM 5/18/96 +0200, Benjamin Brochet wrote: >WHO IS THE MODERATOR OF THIS LIST ? > >I've been victim of a spoofing from a german.... he suscribed me to 2200 >mailing list... also I'd to be unsuscribed from your list ! > There is no moderator. I am just a subscriber like yourself (except I asked for it.) Did you get a welcome message which included information like the following? >If you ever want to remove yourself from this mailing list, >you can send mail to "Majordomo at toad.com" with the following command >in the body of your email message: > > unsubscribe cypherpunks ben at bb-soft.com (Benjamin Brochet) > ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From cea01sig at gold.ac.uk Sat May 18 22:02:07 1996 From: cea01sig at gold.ac.uk (Sean Gabb) Date: Sun, 19 May 1996 13:02:07 +0800 Subject: Why the Poor are Mostly Deserving of their Fate In-Reply-To: Message-ID: On Sat, 18 May 1996, Duncan Frissell wrote: > It was understandable to be poor when all the world was poor. It is > understandable to be poor in those nations today that make the > accumulation of wealth a crime for most people. 
It is not understandable
> to be poor (for long) in the US where one can reliably get out of poverty
> simply by doing three simple things:
>
> 1) get a high school diploma
> 2) get married
> 3) get any job
>
> Only about 2 tenths of 1% of those who satisfy those three requirements
> incomes below the official poverty line.
>
> Like most libertarians, I dislike the government. I don't care what a
> person's income is. When I was self-supporting on an income of $200 a
> month in 1979, I was below the poverty level for a single person myself.
> I am not enamored of the rich or poor members of the dependent classes
> of course.
>
> I try and keep in mind that 80-90% of the "take" in government
> programs for the "poor" goes to unpoor government employees.
>
> DCF
>

I've done all these things - and rather more in the way of education. But while I don't fall on or near the poverty line, I'm still poor as a church mouse. What am I doing wrong?

Sean Gabb.

From rah at shipwright.com Sat May 18 22:09:40 1996
From: rah at shipwright.com (Robert Hettinga)
Date: Sun, 19 May 1996 13:09:40 +0800
Subject: Rumor: DSS Broken?
Message-ID:

This is a rumor. It is only a rumor. If you don't want to read a rumor, please hit your "d" key now...

A weird thing happened to me today. I was talking to someone who was talking to someone (have I said this is a rumor yet?) who was solicited for comment by a Very Famous Reporter about the fact that DSS, the Digital Signature Standard, promulgated by NIST, I believe, had been broken.

I seem to remember people scoffing about it here when it came out, so news of its breaking is probably not a big deal to some of us. However, I understand that people are shipping product and offering consulting services based on DSS, and if the rumor is in fact true, there may be more fun and games in the press about it...
Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From GreggMan at aol.com Sat May 18 22:11:30 1996 From: GreggMan at aol.com (GreggMan at aol.com) Date: Sun, 19 May 1996 13:11:30 +0800 Subject: Fwd: Floodgate Message-ID: <960518185143_304084674@emout19.mail.aol.com> Isn't this WONDERFUL!?!? ;) ------------------------------------------------- --------------------- Forwarded message: From: worldnet at mail.netfree.com (Prime Data WorldNet Systems) Reply-to: worldnet at mail.netfree.com To: (Floodgate)@emin31.mail.aol.com Date: 96-05-12 18:38:29 EDT BULK E-MAIL SOFTWARE 1996 is going to be your best year yet! Last year I developed a new marketing strategy. The people I've already taught this to have more leads than they can deal with! Most are making more money than they've ever made in their life! This is the same software that all the bulk emailing services use! ------------------------------------------------------------------- FLOODgate Bulk E-mail Loader for Windows Version 4.10a now Supports 12 File Formats including AOL ------------------------------------------------------------------- SEND OUT 500+ MARKETING LETTERS EVERY SINGLE DAY! Or... every few days. Or 50,000 or 100,000 every day!! In fact, when I send out 500 marketing letters each day, it doesn't take long before I'm completely swamped with e-mail inquiries and phone calls. This is very easy to do. And each one of these bulk mailings costs me nothing. I can teach you how to do this and provide you with the tools you'll need. Every single day our mailboxes are stuffed, with new inquiries, questions, and that wonderful phrase, "I've just sent you an order." Floodgate is a bulk e-mail loader. It allows you to easily build huge targeted mailing lists. 
Use these lists to send your marketing letter, or your clients marketing letter, to 100,000's of people. As you know, there is no charge to send e-mail, via the Internet. If you'd like to hear more about FLOODGATE, simply send an E-Mail to my autoresponder at info at netfree.com and in the message area type ONLY the following words, nothing more: get Floodgate You will receive our documents pertaining to Floodgate within seconds. Regards, Vernon Hale Prime Data Systems Bowling Green, Ky From markm at voicenet.com Sat May 18 22:32:18 1996 From: markm at voicenet.com (Mark M.) Date: Sun, 19 May 1996 13:32:18 +0800 Subject: Reputation and anonymous companies In-Reply-To: <9605181736.AB07651@cti02.citenet.net> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sat, 18 May 1996, Jean-Francois Avon wrote: > Yes, but anonymity would prevent the easy build-up of reputation too: > > If Joe Anon9876 say: "company ANON1234 Inc screwed me, how peoples > will know that it is not a unscrupulous competitor trying to damage > their reputation? > > Now, if Joe Anon9876 decides to disclose to the public that his real > name is John Doe to give more weight to his denounciation, and > depending on wether or not his bosses *are* or are not crooks, he > might very well get some sort of "prediction" on his head. > > Now, Jim Bell's servers don't have to be completely public. Suppose > some servers were built so that the donation address would be known > but the list of donation would be kept secret: Such server could > thrive. Most "donation" here would not be 2 bucks but rather 20,000 > bucks to ensure that the contract would get taken up promptly. And > since the targets would not be published, there would be not even a > hint that company ANON1234 *might* have put a contract on John Doe > (Now, aka Joe Anon9876) . The fact that an open AP server exists > makes the later possibility also possible. 
To have access to the
> target list would require to be member of a *very* close circle, or
> maybe, actually, just an employee of ANON_KILLERS4567_Inc.

You are right about the anonymity part -- I hadn't thought about it that much. However, how would AP solve anything? If the company is completely anonymous, then nobody would know who to kill. Every worker including the president would be pseudonymous.

- -- Mark

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm at voicenet.com | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348
((2b) || !(2b)) | Old key now used only for signatures
"The concept of normalcy is just a conspiracy of the majority" -me

From cea01sig at gold.ac.uk Sat May 18 22:34:48 1996
From: cea01sig at gold.ac.uk (Sean Gabb)
Date: Sun, 19 May 1996 13:34:48 +0800
Subject: Gabb on Gun Control (again)
Message-ID:

23:29 18/05/1996

This is the second version of a piece that has already been published on the Internet. I offer it again because of the Supplement that I have just added at the end.

Sean Gabb
cea01sig at gold.ac.uk
0181 858 0841

===============================================================
GOLDSMITHS' COLLEGE DOES NOT NECESSARILY AGREE WITH A WORD OF THE FOLLOWING
===============================================================

Putting the Case Against Gun Control: Reflections on an Outrageously Effective Television Performance - May 2nd 1996
by Sean Gabb
(Published as Tactical Notes No.
17 by the Libertarian Alliance, London, May 1996, ISBN 1 85637 343 6) 2nd edition Last 2nd May, a Thursday, I was invited to Scotland to sit on the panel in Words with Wark, a television discussion show which replaces Question Time there once every month. The researchers, it seems, had been unable to find anyone in the country to denounce gun control, and so had to make do with an English accent. Having found me, though, they did their best to keep me happy. I was offered a taxi from South East London to Heathrow, which I only turned down because public transport is faster during the day. I was given a business class seat on a flight to Glasgow - cost L120 - and a first class railway sleeper back down to Euston - cost L85. Then there was a stretched Rover to Ayr Town Hall, where the programme was to be recorded. Adding my fee - which I could probably have doubled had I been inclined - I may have cost them more than the average MP. Nice work when you can get it. On the panel with me was the Editor of The Sunday Mail, and a journalist whose name I never caught but who looked just like someone I knew and loathed at university, and Guy Savage, representing the Shooters' Rights Association. These first two were there to argue for a ban on the private ownership of guns, the third to claim that the Firearms Acts 1920 to 1988 strike a fair balance between competing interests, and that this should not be upset just because a pair of lunatics in Dunblane and Tasmania had decided to shoot lots of people. In the studio audience were four politicians - Sir Michael Hirst, Chairman of the Scottish Conservative Party, Margaret Ewing, from the Scottish Nationalists, and two others whose names I again missed but which are not worth looking up. I have no idea how many people watch Words with Wark. But I imagine the BBC had given me a seven figure audience to regale with my opinions. And my opinion is that gun control is wrong in any form. 
I believe that an adult should be able to walk into a gun shop and, without showing any permit or identification, be able to buy as many guns and as much ammunition as he can afford; and that he should be able to carry this round with him in public and use it to defend his life and property. This is not a popular view, I grant. On the other hand, I doubt if many armed criminals would take more notice of a gun ban than they do of the present controls. And it is worth asking how many people Michael Ryan could have killed had anyone else in Hungerford High Street been carrying a gun. As the Americans say, "God made men equal, and Smith & Wesson make damn sure it stays that way". I earned my fee by saying all this in the studio. I am sure I pleased the researchers. They spend much of their lives talking to people who say the most outrageous things on the telephone, but who then lose heart in the studio and agree with everyone else. The audience was another matter. Speaking on the Kilroy programme here in London, I could probably have made people bounce up and down on their seats with rage. Just as likely, there would have been a few Dunblane parents to sob pathetically into the cameras. Speaking in Ayr, the response I got was a shocked silence. I looked out into a sea of faces that reminded me of nothing so much as the Jewish audience in Mel Brooks' The Producers, during the opening number from Springtime for Hitler. At last, someone who claimed to be a minister of religion and a father of two denounced me for pulling God into politics - as if that were not what He is there for. Someone else who said he fought in Korea claimed I was so plainly unbalanced that I should never be let near a gun. As soon as what passed for debate had started again, I took care to score a big "own" goal. An Olympic shooter spoke, followed by a clay pigeon shooter. They were not against a gun ban - so long as their guns were left out of it. No said I, this would never do. 
The purpose of guns was to kill people. The only matter of importance was to make sure they were used to kill the right people, namely burglars and street criminals. From the look on the Olympic man's face, he was thinking of quite another category of people to kill. Twenty minutes pass very quickly in a television studio. I had barely warmed up before my panel was ejected, to make way for the politicians to come on and bore everyone stiff with rail privatisation and nursery vouchers. Afterwards in the reception, I found myself shunned like the lepers of old. The locals turned their backs on me. Sir Michael Hirst looked straight through me as I sidled up to him with my glass of orange juice - so much for the party of individual freedom! Guy Savage muttered that my comments had been "unconstructive". On the ride back to Glasgow, he pointedly ignored me, talking to the driver instead about negative equity. This was a shame. On the ride over, he had been very friendly, sharing with me his vast knowledge of the present law on guns, and even agreeing to address a Libertarian Alliance conference on the right to keep and bear arms. Realising that my presence was not desired, I pretended to sleep all the way back. On the whole, I did pretty well. One of the great falsehoods of modern life is that arguments are won by being "moderate" - by conceding the other side's point and then haggling over the details. They are not. The gun lobby, for example, spent nearly half a million after Hungerford trying to stop the Firearms Bill that resulted from it. I imagine most of the cash went straight to a gang of sleazy PR hacks, who organised a few lunches with politicians too corrupt even to stay bought. What little found its way into the media was one long grovel, by clay pigeon and Olympic shooters begging for laws that would hurt only other gun owners. They rolled over and showed their bellies to Douglas Hurd. Not surprisingly, he gave them all a good, hard kicking. 
Arguments are won by being honest - by saying what you believe as clearly as possible, as often as possible, and never mind how "unconstructive" it seems in the short term. Doing so has three effects. First, it shifts the middle ground in a debate. This is valuable in a country where being moderate is so in fashion. For this middle ground is not an independent point of view, but can be pulled sharply to and fro by what is happening at the extremes. Before about 1975, for example, the public spectrum on economic policy stretched between Soviet communism and social democracy. Accordingly, the moderates were all pink socialists. Now there are libertarians demanding a total free market, the moderates have become blue social democrats. And, though important, the collapse of the Soviet Union was not entirely to blame for this - in those countries without a libertarian fringe, after all, the consensus is still decidedly pink. In my own case, had I not been in that studio, the spectrum would have stretched between a total ban and the status quo; and anyone trying to sound moderate would have had to favour many more controls. As it was, Mr Savage came across as the centrist - a fact recognised by the people who did not shun him as they did me, and a fact worth noting by the Shooters' Rights Association if it ever wants to live up to its name. Second, it gets converts. Granted, my audience in the studio was full of glum blockheads. But there must have been dozens of people at home who were hearing what I said for the first time and who agreed with every word of it. Most of these will stay at home. Others - one or two, perhaps - will become committed libertarian activists. They will join the Libertarian Alliance. They will hand out its publications. They will write for it. They will appear in television studios, putting the libertarian case on whatever they have been called in to discuss. Moreover, even the blockheads have a function. 
If they can remember what I said in the studio - not hard, bearing in mind how clear I was - they will spread it by explaining to friends and relations how scandalised they were by it. Sooner or later, the message will reach someone who is not at all scandalised; and another convert will have been made. And that is how intellectual revolutions get under way. With his claim that Hungerford and Dunblane were "failures of policing", and the like, I doubt if Mr Savage enthused anyone to go out and do something against the gun grabbers. Third, it establishes a position. Unusual ideas are generally ignored at first. Then, if they continue being put, they are laughed at. Then they must be argued with. Occasionally, they become the common sense of the next generation. That is how it was with socialism in this country. More recently, it was like that with monetarism and council house sales. I do not know if my dream of abolishing gun control will be so lucky. But, to be sure, no one will take notice of it unless someone goes to the trouble of clearly arguing for it. Yes, I did pretty well in Scotland. I may do even better the next time I am allowed into a television or wireless studio. Supplement - Saturday May 18th I was allowed back yesterday morning. I cast the first version of the above onto the Internet on May 10th. The following morning, Jim Hawkins of BBC Radio Northampton replied by e-mail. He had read my pamphlet and liked it, and he wanted me to repeat it on his programme on Friday the 17th. So there I sat for an hour yesterday morning, telling another million people why the gun control laws should be abolished. I was against Anne Pearson (at least, that is how her name sounded) of the Snowdrop Campaign - this being a group set up after Dunblane to press for a total ban on handguns. Though honest, she was not very bright, and I went through her like a hot knife through butter. When I accused her of wanting to live in a slave state, she answered "Yes, I do". 
When I further accused her of trusting no one else with guns because she felt unable to trust herself with one, she started to panic. When I repeated my wish that someone else in Hungerford had been armed, she referred to my appearance on Words with Wark, saying only that I had worried her then, and I worried her now. I said much else, ranging from the Jews in Nazi Germany ("what if they had been able to shoot back?"), to Waco ("men, women and children murdered by the American Government"). In short, I indeed did even better this time than last - and if anyone doubts this, I have a tape to prove it. Enough of boasting, however. The reason for this Supplement is to emphasise that extremism does work. Consider: First, it was extremism that got me on Words with Wark, and an extremist report of what I did there that got me on the Jim Hawkins show. It annoys me that I can never make the national press - versions of my pamphlet, for example, came straight back to me from The Spectator and The Sunday Telegraph, as if wafted on cries of horror. Nevertheless, the electronic media can hardly get enough of me and Brian Micklethwait and the rest of us. Whether or not we can ever win it, we lack no opportunity for putting the libertarian case. Second, it is extremism that makes us so effective in debate. The gun grabbers and other enemies of freedom have so far had an easy ride in the media. They have only had to argue with cowards and fools who, worried not to upset anyone, have failed to make most of the good points. They have never known principled, uncompromising opposition. Faced with it, they behave like rabbits faced with a new strain of myxomatosis: they have no defences. If Mrs Pearson was out of her depth with me, so at present are all of her colleagues. They have ready answers to the whinings of the clay pigeon lobby, but none to anyone who asserts a right of self defence against "burglars, armed robbers and other trash".
Third, extremism really does shift the middle ground. In the main pamphlet above, I was unable to give examples from my own experience. Since yesterday morning, I can. Someone from a shooting club called in, and said "I want to take a middle view between the speakers". He then argued against any change in the gun laws. Without me there, he could never have got away with that. He would have been denounced as a potential Thomas Hamilton, trying to save his penis extension. Half an hour of me, and Mrs Pearson nearly embraced him. Guy Savage and the Shooters' Rights Association - again, please take note. In a few minutes, I will send this revised pamphlet to Brian, for publishing by the Libertarian Alliance. Before he even sees it, though, it will be all over the Internet - there to be read by anyone else who happens to have a studio to fill.

From markm at voicenet.com Sat May 18 22:49:16 1996
From: markm at voicenet.com (Mark M.)
Date: Sun, 19 May 1996 13:49:16 +0800
Subject: Why does the state still stand:
In-Reply-To: <199605161419.HAA05109@jobe.shell.portal.com>
Message-ID:

On Thu, 16 May 1996, Hal wrote:

> We have discussed for-pay remailers and the consensus has been that no
> one would use them when others run for free. However now I think the
> false premise is being exposed, that free remailers simply will not be
> able to run in the current mode for much longer. Once a single remailer
> operator has been fined thousands of dollars because somebody posted some
> copyrighted message, I don't think you will find many people eager to
> sign up as operators. So this dream of a volatile collection of
> remailers popping up and going away just doesn't work in my view. Why
> would anyone offer a service knowing that he was exposing himself to
> liability like this? It would be just a game of Russian roulette,
> waiting to see whether it is your remailer which gets the bullet in the
> form of a post which violates the copyright of someone with deep
> pockets.

It is possible for someone to operate an anonymous remailer anonymously. Just get a UNIX shell account under a fake name, pay with cash, and set up the remailing software. The identity of the operator of such a remailer would be difficult, if not impossible, to discover.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm at voicenet.com | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348
((2b) || !(2b)) | Old key now used only for signatures
"The concept of normalcy is just a conspiracy of the majority" -me

From jimbell at pacifier.com Sat May 18 22:53:44 1996
From: jimbell at pacifier.com (jim bell)
Date: Sun, 19 May 1996 13:53:44 +0800
Subject: Interactive Week exclusive - White House to launch "Clipper III"
Message-ID: <199605190024.RAA12629@newmail.pacifier.com>

At 04:09 PM 5/18/96 -0400, Will Rodger wrote:
>The White House is about to answer recent attempts to liberalize encryption
>exports with a proposal of its own.
>
>Documents obtained by Interactive Week show the Clinton Administration has
>been lobbying key Republican committee members to compromise on encryption
>through a policy that looks very much like previous commercial key escrow
>efforts.

Typical boneheaded government! At it yet again, I see. I'd feel inclined to say something like "I predict that they will fail" but that might be misinterpreted.
This most recent outrage wouldn't even be compatible with the Leahy bill, bad as it was. Even so, I was pleased to see that we had already managed to educate a number of people in Congress who already know that this plan is DOA. That's progress, I guess.

Jim Bell
jimbell at pacifier.com

From jimbell at pacifier.com Sat May 18 23:59:38 1996
From: jimbell at pacifier.com (jim bell)
Date: Sun, 19 May 1996 14:59:38 +0800
Subject: TCM: mafia as a paradigm for cyberspace
Message-ID: <199605190202.TAA13237@newmail.pacifier.com>

At 12:43 PM 5/18/96 -0700, Vladimir Z. Nuri wrote:
>what amazes me about people who tend to have a warped mindset is that
>they think new technology, such as cyberspace, creates a new morality.
>suddenly murdering, violence, drug dealing, or whatever are supposedly
>thrust into some new reality in which old rules no longer apply.
>you and Jim Bell are unbelievably similar, as much as either of you
>would hate to admit it.

I resent that implication! Tim May is always far more restrained, introspective, controlled, and cautious than I. He approaches the subject of cyber-anarchy with nervous concern, I'm the one who jumps in with unrestricted glee.

Jim Bell
jimbell at pacifier.com

From qut at netcom.com Sun May 19 00:03:37 1996
From: qut at netcom.com (Dave Harman)
Date: Sun, 19 May 1996 15:03:37 +0800
Subject: Why does the state still stand:
In-Reply-To:
Message-ID: <199605190204.TAA17028@netcom8.netcom.com>

> It is possible for someone to operate an anonymous remailer anonymously.
> Just get a UNIX shell account under a fake name, pay with cash, and set up
> the remailing software. The identity of the operator of such a remailer
> would be difficult, if not impossible, to discover.

Thousands of users want to do just that, but can't code, which is currently necessary for efficiency and security. Do you want to help us out? I can do casual business and legal research, but source code is as good as cyphertext to me.
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> markm at voicenet.com | finger -l for PGP key 0xe3bf2169
> http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348
> ((2b) || !(2b)) | Old key now used only for signatures
> "The concept of normalcy is just a conspiracy of the majority" -me

From nobody at c2.org Sun May 19 00:04:21 1996
From: nobody at c2.org (Anonymous User)
Date: Sun, 19 May 1996 15:04:21 +0800
Subject: Sendmail Question (was: SMTP Server for sending to anonymous remailers?)
Message-ID: <199605190151.SAA16705@infinity.c2.org>

lcs Mixmaster Remailer wrote:

> > Does anyone know of an anonymous remailer that has an SMTP server
> > (hopefully unlogged) that I can specify in a special variant of the
> > "sendmail.cf" sendmail configuration file for sending mail to
> > anonymous servers?
> >
> > I use a PPP connection, and right now I'm using my ISP's default
> > server and I don't like the idea of logs being kept, even though the
> > messages themselves are chained/encrypted.
> >
> > Maybe I'm "paranoid", but if I wasn't, I probably wouldn't bother
> > with PGP, C'punk remailers, etc.
>
> Anon.lcs.mit.edu does not perform ident lookups, does not add
> Received: headers, and runs at log level 1 (only "Serious system
> failures and potential security problems" logged, according to the
> sendmail manual).
>
> This is useful for testing things out anonymously, but I don't
> understand why you would want to use it on a regular basis. Why don't
> you send your mail directly from your home machine to the first
> remailer hop? Nothing is forcing you to send outgoing mail through
> your ISP's mail server or any other one particular mail server. Why
> would you want to do that in the first place?

What settings do you use in sendmail.cf to accomplish this (sending it directly)? Is that the default behavior? Specifically, what goes on the "DR" and "DV" lines?
When I send mail from my PPP account to my work account, I always seem to end up with a "Received: From by " line. I'm ass-u-ming that if the host name shows up in the headers, it's passing through that machine and is potentially being logged.

From qut at netcom.com Sun May 19 00:05:53 1996
From: qut at netcom.com (Dave Harman)
Date: Sun, 19 May 1996 15:05:53 +0800
Subject: WELCOME TO THE NEW ROMAN EMPIRE
Message-ID: <199605190143.SAA14185@netcom3.netcom.com>

> On Sat, 18 May 1996, Duncan Frissell wrote:
>
> > It was understandable to be poor when all the world was poor. It is
> > understandable to be poor in those nations today that make the
> > accumulation of wealth a crime for most people. It is not understandable
> > to be poor (for long) in the US where one can reliably get out of poverty
> > simply by doing three simple things:
> >
> > 1) get a high school diploma

EVERYONE GETS A HIGH SCHOOL DIPLOMA --> HIGH SCHOOL DIPLOMAS BECOME WORTHLESS
EVERYONE GETS A PHD --> PHDS BECOME WORTHLESS

> > 2) get married

EVERYONE GETS MARRIED --> MARRIAGE BECOMES SPIRITUALLY BANKRUPT

> > 3) get any job

EVERYONE GETS A JOB --> EVERYONE TAKES THE PAYCUT

> > Only about 2 tenths of 1% of those who satisfy those three requirements
> > incomes below the official poverty line.

HOW DO YOU EXPLAIN THE TENS OF MILLIONS IN APPALACHIA WHO GRADUATED MARRIED AND WORK IN POVERTY

> > Like most libertarians, I dislike the government. I don't care what a
> > person's income is. When I was self-supporting on an income of $200 a
> > month in 1979, I was below the poverty level for a single person myself.
> > I am not enamored of the rich or poor members of the dependent classes
> > of course.

IT DOESNT MATTER WHAT THE GOVERNMENT IS DOING WRONG ITS BRAIN IS BUSINESS

> > I try and keep in mind that 80-90% of the "take" in government
> > programs for the "poor" goes to unpoor government employees.
IT DOESNT MATTER WHAT THE GOVERNMENT IS DOING WRONG ITS BRAIN IS BUSINESS

> > DCF
> >
> I've done all these things - and rather more in the way of education. But
> while I don't fall on or near the poverty line, I'm still poor as a church
> mouse. What am I doing wrong?

YOUR WHITE LIKE THE 100000000S SUFFERING IN POVERTY IN THE NEW ROMAN EMPIRE

> Sean Gabb.

From snow at smoke.suba.com Sun May 19 00:19:34 1996
From: snow at smoke.suba.com (snow)
Date: Sun, 19 May 1996 15:19:34 +0800
Subject: "Too cheap to meter"
In-Reply-To: <199605182056.NAA15181@netcom9.netcom.com>
Message-ID:

On Sat, 18 May 1996, Dave Harman wrote:

>
> CAPITALISTS' SUCK

Capitalists took this 'net from a government/educational/military-industrial complex playground to what it is today. I prefer being able to use it without being a part of any of the above.

HTH. HAND.

Petro, Christopher C.
petro at suba.com
snow at crash.suba.com

From snow at smoke.suba.com Sun May 19 00:42:26 1996
From: snow at smoke.suba.com (snow)
Date: Sun, 19 May 1996 15:42:26 +0800
Subject: TCM: mafia as a paradigm for cyberspace
In-Reply-To: <199605181943.MAA11760@netcom12.netcom.com>
Message-ID:

On Sat, 18 May 1996, Vladimir Z. Nuri wrote:

> an interesting thesis, quite revealing. "the mafia is fulfilling a
> valid market purpose. the killings & violence are just minor secondary
> issues." I believe in contrast I would define the mafia exactly
> the opposite. the violence and terror is the key part of the mafia agenda.
> the activities they involve themselves in are secondary to promoting
> the basic agenda of obtaining money in any way possible. how can you

Replace "mafia" with government, and "money" with power/control.

> what amazes me about people who tend to have a warped mindset is that
> they think new technology, such as cyberspace, creates a new morality.
> suddenly murdering, violence, drug dealing, or whatever are supposedly
> thrust into some new reality in which old rules no longer apply.
> you and Jim Bell are unbelievably similar, as much as either of you
> would hate to admit it. its just a cloak, in my opinion, for trying
> to evade culpability. the ultimate utopia for some on this list would
> be a world in which they can be held accountable for absolutely nothing,
> by absolutely no one. "anarchy" is as good a word as our reality can
> come close to, although I believe such a reality would be far more
> sinister than that adjective connotes.

Who says a _new_ morality? Maybe it is just a wider expression of an already extant morality. If you will accept the definition of Murder being "immoral killing", then most people really don't have a problem with killing. They just draw the line between murder and killing in different places. To me, killing is justified in 2 circumstances. 1) If the [man animal]s threat potential exceeds a certain limit (variable) or 2) food/warmth is needed and will be derived from said killing. To kill randomly or indiscriminately, whether man or animal is Murder (i.e. immoral killing) to me this _does_ include trophy hunting, but not if you utilize the animal for food etc. Where humans are concerned, killing them for food is rarely an issue, but they often present some sort of threat potential. Certain people in government approach this threat potential. Thus, to me, killing them isn't immoral, but it could _legally_ (i.e. a different definition) be murder. As far as I am concerned there really is no difference between the government and the mafia. Both use the same threat to accomplish their ends, the Mafia is just more honest about it. Both suck. Out loud. The mafia just tends to be better run, and less invasive personally until you violate their rules.

> think about it really hard, TCM. work out those difficult problems
> associated with trying to kill people and get away with it, using
> new sexy advances in technology and theory. you

Why do you need new technology? The old stuff works just great. You just need the new stuff to hide you from the feds.

> maybe talk to Jim Bell some more. perhaps
> eventually you will perfect the method of perpetrating the perfect
> killing!! I really do admire you, because killing people without
> getting caught is surely a great unrecognized art, and one of the
> most unappreciated and misunderstood.

Happens all the time.

> something that has only been a dream to the blighted
> wretches prior to our glorious new phases of cyberspatial technology,
> which makes human morality completely obsolete.

I am getting the impression that this last sentence was a little sarcastic?

Petro, Christopher C.
petro at suba.com
snow at crash.suba.com

From snow at smoke.suba.com Sun May 19 00:42:30 1996
From: snow at smoke.suba.com (snow)
Date: Sun, 19 May 1996 15:42:30 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
In-Reply-To: <199605182050.NAA14663@netcom9.netcom.com>
Message-ID:

On Sat, 18 May 1996, Dave Harman wrote:

> YES YES YES!!!!!!
> SLIP/PPP/SHELL IT DOESN'T MATTER, DOWNLOAD MAIL, PROCESS, UPLOAD, MAIL, POST!!!!!
> LINUX MODEM/CUA1 OR SLIP/PPP!!!!!!!!
> PAID WITH *FAKE* NAME/ADDRESS WITH POSTAL MONEY ORDER!!!!!!

Don't yell at me. I get very pissed when people yell at me. Yelling at people only closes their minds.

> I SUCK, I DON'T CODE!!!!!!

We could care less about your sex life, and I can't code well either. What one has to do with the other is beyond me. Besides, I don't think it takes a whole lot of coding beyond:

    patch < the.patch && make all

or whatever. The difficult part (if any) is the administration.

> IF THEY WONT GIVE YOU "FROM: " AND 50 POSTS/500 EMAILS A DAY GET ONE THAT WILL!!!!!!
> THIS IS A CYPHER EMERGENCY!!!!!!!!
> WE NEED 1,000 SERVERS F A S T!!!!!!!!!!!!!!
> POSTAL COUPONS AND FOREIGN ACCOUNTS!!!!!!!!!!!!!
> WE NEED SERVERS NOT CLIENTS!!!!!!!
> THE USER/CLIENT DOES THIS SORT OF STUFF!!!!!!!!!!!!
> WE DON'T NEED ANYTHING BUT 1,000 WORLD HACKTIC STYLE REMAILERS!!!!!!!!!!!
And a clue as to the location of the caps lock key.

Does this mean I have to give up my title as resident idiot?

Petro, Christopher C.
petro at suba.com
snow at crash.suba.com

From root at edmweb.com Sun May 19 00:58:54 1996
From: root at edmweb.com (Steve Reid)
Date: Sun, 19 May 1996 15:58:54 +0800
Subject: The Crisis with Remailers
In-Reply-To: <199605171738.KAA05800@netcom9.netcom.com>
Message-ID:

> 1. there is no economic incentive.
[snip]
> typically buying yourself *negative* publicity by running a remailer.

As you said, ecash postage could turn that around. The negative publicity part is probably the result of the general public's negative perceptions about anonymity. People seem to forget that anyone can drop a letter into the mailbox with no return address. Did the Unabomber bring negative publicity to the postal service, causing people to demand that return addresses become a requirement? :-/

> 2. there is no good way to deal with spams or other so-called "abuse"

Unfortunately, abuse is also a factor in people's negative perceptions about anonymity. I wonder, would the average spammer be less likely to spam if he had to PGP-encrypt messages to the remailer? I know we want to make remailers easy to use and not limit them to the technologically elite, but requiring encryption would have the added benefit of improving security. I believe some remailers already require encryption; have any Spam Statistics been gathered? Ecash postage might discourage the average spammer, unless that spammer has deep pockets. With postage, the only spam I can think of that would gain money or break even is a commercial advertisement, and there's no point to using remailers for commercial ads anyways, since people need to know how to contact the business.

> 3. liability

Liability depends on the jurisdiction, doesn't it? It would be ideal if all remailers were in countries where there are no laws that would affect remailers. Reducing liability also has the added benefit of protecting anonymity, since if the mailer can't be seized, that does prevent log files (if any) from being seized. Do any such countries exist??? Also, if a remailer could be set up to _only_ remail to other remailers, that would greatly reduce liability. Obviously we'd still need _some_ remailers that can deliver to the intended destination... I think a lot of people would be more willing to run remailers if it didn't mean that mailing list/usenet spam would have their name attached. Remailers can already be set up _not_ to send to certain addresses, so I think there's no reason that they couldn't be set to deliver _only_ to other remailers.

[kersnip]
> are perceptual, not technological. if people can find a way
> to handle the above issues and still provide anonymity, it will
> spread. otherwise, I doubt it will ever become very "mainstream".
> perhaps the above problems are intrinsic to anonymity, which would
> be a pity in my view.
[butchered for brevity]
> of course if people don't want remailers to ever go "mainstream"
> anyway, well then there is no problem. the remailer network still
> has an "underground" feeling to it and perhaps that will always
> be part of its draw, and its actual structure.

Right now, I think, remailers don't need to be mainstream, they just need to be there when people need them. And I think they can become mainstream, if you consider that anon.penet.fi is quite popular.

Just my two bits.

=====================================================================
| Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) |
| Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ |
| PGP (2048/9F317269) Fingerprint: 11C89D1CD67287E68C09EC52443F8830 |
| -- Disclaimer: JMHO, YMMV, TANSTAAFL, IANAL.
-- | ===================================================================:) From qut at netcom.com Sun May 19 01:40:47 1996 From: qut at netcom.com (Dave Harman) Date: Sun, 19 May 1996 16:40:47 +0800 Subject: The Crisis with Remailers In-Reply-To: <199605171738.KAA05800@netcom9.netcom.com> Message-ID: <199605190238.TAA20368@netcom8.netcom.com> ! so list attention turns once again to a looming remailer "crisis"... PLEASE TURN YOUR ATTENTION TO THE CONTINUING CRYPTO EMERGENCY ! where are there so few remailers? the reasons are pretty obvious. ! these problems have been transparently apparent from the very ! beginning. ! ! 1. there is no economic incentive. ! ! as soon as there is a good economic incentive to run remailers, you ! will see them proliferate. but currently they have no virtually ! no value to the creator. it's like building a house for other people ! to live in out of humanitarianism. note that with web pages, you ! are buying free publicity for your company. but in fact you are ! typically buying yourself *negative* publicity by running a remailer. ! ! what is the current incentive to run remailers? answer: adulation ! by other cypherpunks. hmmm, not necessarily all that motivating ! to very many. WORKS FOR MEEEE ! 2. there is no good way to deal with spams or other so-called "abuse" NETNEWS SPAM IS CAUSED BY MODERATION GET RID OF MODERATION TO END SPAM ONCE AND FOR ALL ! I commend the remailer operators for starting a mailing list to ! deal with spam. but the solution remains essentially "stop ! spam by hand". spammers still have the ability to be a serious ! threat to the network. this has been a threat from the beginning ! and has never been resolved. note that "spam avoidance" is a ! very, very difficult problem that plagues far more than remailers, ! such as mailing lists and usenet. but it is particularly acute ! with remailers. USENET SPAM SAVES DISK SPACE ADMINS LOVE IT ! 3. liability ! ! 
there is a lot of liability to the operator of a remailer, and ! again, this risk is totally unsupportable from their current ! returns (nil). Hal Finney recently suggested restricting posts ! from remailers to avoid copyright liability. this will limit ! the liability and risk but does not totally remove it. THE BEST STUFF IS CUMMING FROM CRYPTO WANNA BEE ON INSIDE TRACK FOR CLEAR TEXT TEEN NUDES ! 4. no need for a network ! ! in fact there is not really a need for a remailer network on one ! level. there is only a need if the service is not available. why ! is there only one anon.penet.fi? well, because of the above reasons, ! and also by the fact that only one is sufficient to serve all of ! cyberspace, virtually. what I mean is that there is easily enough ! traffic to justify another anon.penet.fi type remailer, but it's ! not totally critical (i.e. to the point that someone puts their ! resources where their mouth is) as long as anon.penet.fi is running. THERE IS EXTREME UNDERCAPACITY FOR CRYPTO AND ANONYMINITY ! 5. etc. ETC ! == ! ! if people want to know why remailers haven't proliferated in ! the same way that other cyberspace infrastructure has in the ! past, such as news servers and web sites, you have to focus on ! the above issues. remailers are NOT like other cyberspace services. ! they are a tremendous burden to run, instead of being of high ! use to the maintainer (even though they don't generate cash) ! in the way a web page or usenet server is. INCORPORATE AND SELL ADVERTISING SPACE IN THE SIG THE COOLEST PEOPLE GET ANONYMOUS MAIL POSTS THERE IS A VAST UNTAPPED SOURCE OF REVENUE GUNS DRUGS CRYPTO PYRO PORN PERSONALS ETC INFORMATION WANTS TO BE PAID FOR ! the main problem, getting cash for the service, is slowly dissolving ! to the point that it will not be an obstacle. I predict that ! remailers (and many other unusual services) may begin to proliferate ! at that point-- but not as much as other areas of cyberspace such ! as the web. 
remailers are always going to be plagued by the other ! problems I mentioned above unless some really brilliant genius ! comes along to solve what seems to be the unsolvable. INCORPORATE AND SELL ADVERTISING SPACE IN THE SIG THE COOLEST PEOPLE GET ANONYMOUS MAIL POSTS THERE IS A VAST UNTAPPED SOURCE OF REVENUE GUNS DRUGS CRYPTO PYRO PORN PERSONALS ETC INFORMATION WANTS TO BE PAID FOR ! another tact the cypherpunks might take to get anonymity into ! the cyberspace infrastructure is to target forum architecture. ! instead of trying to create remailers that "feed into" other ! networks, why not build in remailers into those networks themselves? ! I am thinking of the way NNTP could be a massive anonymous ! remailer network, and that in fact it was once but that this ! was purposely designed against in the protocol (preventing people ! from anonymously submitting articles to NNTP hosts). BUT IN THE MEAN TIME WE WANT MORE SERVERS ! I propose that as long as there are serious elements involved ! in building up cyberspace that are hostile to anonymity, you ! are not going to see it flourish in the way other services have. ! it seems to me the major obstacles to widespread anonymity ! are perceptual, not technological. if people can find a way WE WANT OTHERS TO DO THE WORK FOR US ! to handle the above issues and still provide anonymity, it will ! spread. otherwise, I doubt it will ever become very "mainstream". ! perhaps the above problems are intrinsic to anonymity, which would ! be a pity in my view. ! ! BTW, TCM laments that he hasn't seen master's thesis on remailers. ! I consider Lance Cottrell's mixmaster work to be really on that ! level, and highly commendable. LC has really advanced remailer ! technology by tremendous leaps and bounds since putting his mind ! to it. also Levien's remailer page is another very outstanding ! service. it is possible that all the real research into remailers ! is being done at the NSA ! ! 
seriously, though, I think cpunks have an opportunity to do some ! introspection here. it seems a pretty good rule in cyberspace that ! "cool and useful services flourish and grow". witness Usenet ! and the web. why haven't the cpunks been able to tap into that ! kind of exponential force with remailers? the problems are not ! merely technological. I would say the technological problems ! associated with the remailers are the most straightforward to ! solve. its the complex social issues that are seemingly insurmountable. ! ! I really believe that if anyone wants to get more anonymity in ! cyberspace, they must deal head on with the sociological ! "anonymity taboo" in society. why is there a taboo in society ! against anonymity? could it be there are some good reasons for it? ! is it possible to create a "socially acceptable" anonymity? of ! course this line of thinking is going to be utterly repulsive ! to some on this list, but I contend it is essential to remailer ! growth strategy. ! ! of course if people don't want remailers to ever go "mainstream" ! anyway, well then there is no problem. the remailer network still ! has an "underground" feeling to it and perhaps that will always ! be part of its draw, and its actual structure. ANYONE FUCK WITH MY REMAILER AND I SUMMON TEN SKINHEADS TO BREAK OFF THEIR DICK From steve at miranova.com Sun May 19 01:47:26 1996 From: steve at miranova.com (Steven L Baur) Date: Sun, 19 May 1996 16:47:26 +0800 Subject: PLEASE HELP ME GO OUT OF THIS LIST!!!!!! In-Reply-To: <199605182114.XAA07062@storm.certix.fr> Message-ID: The Internet Oracle has pondered your question deeply. Your question was: > unsuscrive me from this list And in response, thus spake the Oracle: } After serious contemplation on The Oracle's behalf and with his trusted } associates (read=lawyers), we have decided to deny you of this } privilege. 
I, being the supreme knower of all, know that hidden deep } inside of you there is this funny person waiting to escape from his dull } and dreary daily life. You will remain on this list until further } notice. Do not attempt to manually unsuscribe, as this will result in } physical bodily harm. Trespassers WILL be shot. } } You owe the Oracle a Freudian couch. -- steve at miranova.com baur Unsolicited commercial e-mail will be proofread for $250/hour. Andrea Seastrand: For your vote on the Telecom bill, I will vote for anyone except you in November. From raph at cs.berkeley.edu Sun May 19 01:50:37 1996 From: raph at cs.berkeley.edu (Raph Levien) Date: Sun, 19 May 1996 16:50:37 +0800 Subject: Remailers vs Nyms - conflicting assumptions? In-Reply-To: <2.2.32.19960518184824.006cded8@mail.aracnet.com> Message-ID: <319E9122.287B3BEF@cs.berkeley.edu> Bruce Baugh wrote: > > I've been enjoying the discussion of "disposable" remailers, but I note a > problem. If this has been addressed before, well, now it's being noted again. > > In my (admittedly limited) experience with nym servers, the reply path is > fixed - it goes through specified hops. This creates A Problem when any one > of the remailers involved goes down. There's no way for the mail to get > through. There's not even a way for the nym holder to verify that there is a > site down, as opposed to some more transitory problem, without information > from an external source. > > This seems to me a fairly serious weakness, given prevailing governmental > attitudes. > > What would it take to create a nym server that could route around the death > or disability of any given mailer? Well, that would be a serious problem. The big question is: who decides the routing? With the existing nym setup, the client decides the entire route. The nymserver knows only the first hop. For the nymserver to be able to route around damage, it would have to know that there is damage, and that implies knowing the route. 
One fix for the problem is just to refresh your nym regularly. If you are lucky enough to be using premail, then just run "premail -makenym nym at alpha". I'm considering adding code that automatically figures out which nyms need to be refreshed when a remailer drops in the reliability ratings and automatically does it, but that probably won't make it into the next release of premail.

The fact that you can refresh nyms makes the problem you bring up much less severe.

Raph

From stewarts at ix.netcom.com Sun May 19 01:57:23 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Sun, 19 May 1996 16:57:23 +0800
Subject: Rumor: DSS Broken?
Message-ID: <199605190144.SAA15990@toad.com>

>I was talking to someone who was talking to someone (have I said this is a
>rumor yet?) who was solicited for comment by a Very Famous Reporter about
>the fact that DSS, the Digital Signature Standard, promulgated by NIST, I
>believe, had been broken.

MD5 is at least weakened, maybe broken; there's an abstract by Hans Dobbertin that says something about generating collisions, and gives an example (though the abstract doesn't say how general the method is.) It does appear that the method can't generate collisions of arbitrary form (i.e. the original string was "11111111MySecretKey0..0Message11111111" and the string that has the same hash is 'posk cpidjuwfviejwvijevijefivjefvjifejvij viaA")

DSS is known to have subliminal channels - in addition to signing a message, you can embed bits that can be viewed by someone who knows the key, so the digital signature on your passport/healthcare/workauthorization smartcard can also hide data saying "Jew. Not Gay. Commie. Failed drug test once." This was discovered/published by Gus Simmons, and is in Applied Crypto; there are several channels with varying amounts of data, computation requirements, and such.
# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus inoculation

From WlkngOwl at unix.asb.com Sun May 19 02:19:04 1996
From: WlkngOwl at unix.asb.com (Deranged Mutant)
Date: Sun, 19 May 1996 17:19:04 +0800
Subject: The Crisis with Remailers
Message-ID: <199605190450.AAA12788@unix.asb.com>

On 18 May 96 at 13:06, Vladimir Z. Nuri wrote:

> >> 2. there is no good way to deal with spams or other so-called "abuse"
> >
> > Nor should there be. What's one person's abuse is another person's
> >free speech. Internet traffic should not be censored based on contents.
>
> pardon me, but a rather shallow response.

[stuff i kind of agree with deleted]

I have my own mini-solutions... for personal mail, I use a kill file. For Usenet (when I'm really stuck with too much free time and actually read it) FreeAgent and Agent have some ignore thread/kill-file abilities (my setup only retrieves headers... so I have that luxury for now).

How to deal with the problem as an admin is an entirely different story. Solutions?

---
No-frills sig. Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant
Send a message with the subject "send pgp-key" for a copy of my key.

From jpps at voicenet.com Sun May 19 02:21:40 1996
From: jpps at voicenet.com (jpps at voicenet.com)
Date: Sun, 19 May 1996 17:21:40 +0800
Subject: Fingerprinting annoyance
Message-ID: <199605190320.XAA01262@laura.voicenet.com>

Senator Exon wrote:
> ... i just need a working method.

Clorox can take them off. Applied sparingly it could be used to obscure portions of the whorls.

jps
--
Jack P. Starrantino
jpps at voicenet.com
http://www.voicenet.com/~jpps

From tcmay at got.net Sun May 19 02:28:32 1996
From: tcmay at got.net (Timothy C. May)
Date: Sun, 19 May 1996 17:28:32 +0800
Subject: PLEASE HELP ME GO OUT OF THIS LIST!!!!!!
Message-ID:

At 9:14 PM 5/18/96, Marc Escalier wrote:
>how to go out of this list.
>please help me, it would be VERY NICE.

Thanks to recent legal inquiries by the Church of Scientology, they have determined that Major Domo, believed to be an army officer stationed at Fort George Meade, Maryland, is the control officer for the Cypherpunks mailing list. The Scientologists have determined that Major Domo works in "Terminal Operations Access Division," or "T.O.A.D."

By sending a message to majordomo at toad.com, with the body message of "unsubscribe cypherpunks" (without the quote marks), Major Domo may choose to take pity on you and remove you. Of course, his superior, Colonel Mode, may insist you remain on the list.

--Klaus! von Future Prime

THE X-ON CONGRESS: INDECENT COMMENT ON AN INDECENT SUBJECT, by Steve Russell, American Reporter Correspondent....You motherfuckers in Congress have dropped over the edge of the earth this time... "the sorriest bunch of cocksuckers ever to sell out the First Amendment" or suggesting that "the only reason to run for Congress these days is to suck the lobbyists' dicks and fuck the people who sent you there," ....any more than I care for the language you shitheads have forced me to use in this essay...Let's talk about this fucking indecent language bullshit.

From bruce at aracnet.com Sun May 19 03:13:22 1996
From: bruce at aracnet.com (Bruce Baugh)
Date: Sun, 19 May 1996 18:13:22 +0800
Subject: The Crisis with Remailers
Message-ID: <2.2.32.19960519053907.006ceda4@mail.aracnet.com>

At 01:06 PM 5/18/96 -0700, Dimitri Vulis wrote:

>hence my comments from here from time to time that the technological
>problems of anonymity are not the true obstacle to widespread use.
>there are deeper problems that cpunks skirt around but fail to grasp
>because of numerous prejudices.

While I hate to lend support to anyone as much a twit as Vulis is, he's got a point here. I don't think most cypherpunks realize how anonymity is perceived out in the net at large.

Take news.groups, a fairly important group I happen to read regularly.
With the exception of Rich Graves' presence, _all_ the uses I see there are for cowardly abuse in a way that lets the poster escape having to answer for his views. I'm not talking about presenting important information where wrong-headed authorities could engage in reprisals, either, but baseless accusations of theft, child abuse, and just plain torrents of obscenity. That's _all_ it's used for (again, with the exception of Rich).

There's a problem here. It's one thing to say that the benefits of anonymity outweigh the problems. I'm inclined to that view myself. But it's much harder to defend that view in a forum where anonymity is used so commonly for problematic ends, and to offer anything in the way of constructive solutions.

It would be pleasing to see more cypherpunks actively dealing with these problems out there in net.land.

--
Bruce Baugh
bruce at aracnet.com
http://www.aracnet.com/~bruce

From tcmay at got.net Sun May 19 03:18:27 1996
From: tcmay at got.net (Timothy C. May)
Date: Sun, 19 May 1996 18:18:27 +0800
Subject: Interactive Week exclusive - White House to launch "Clipper III"
Message-ID:

Bottom Line: In a way, I am hoping that "Clipper III" is proposed, as it will energize us once again. Historically, the "Cypherpunks antibodies" have had their most vigorous growth when faced with a government antigen.

At 8:09 PM GMT 5/18/96, Will Rodger wrote:

>The White House is about to answer recent attempts to liberalize encryption
>exports with a proposal of its own.
>
>Documents obtained by Interactive Week show the Clinton Administration has
>been lobbying key Republican committee members to compromise on encryption
>through a policy that looks very much like previous commercial key escrow
>efforts.
...
>The URL for the complete article is:
>http://www.zdnet.com/intweek/daily/960518y.html
>
>Will Rodger
>Washington Bureau Chief
>Interactive Week

Many thanks to Will for passing this on the Cypherpunks list.
Our opposition to Clipper I and Clipper II was strong and, I expect, will continue with CIII.

A question for Will Rodger: Is this "White Paper" ("The newest proposal is contained in a 24-page White Paper, a draft of which hit Capitol Hill earlier this week") related in any way to the one being prepared by Herb Lin and a bunch of other folks? It was due out about this time, and the topic seems similar. A bunch of us gave input to Herb and his panel at the CFP in '95...if this is the same White Paper, looks like we might just as well have saved our breath.

I read the stuff at the URL, and at first blush it looks to say nothing about _domestic_ (within the U.S. and Canada) encryption. I'll be anxious to see what the White Paper says about domestic encryption.

(To be clear, there are currently _no_ laws whatsoever about the types of crypto a citizen (or resident alien, or, for all intents and purposes, anyone) may use, nor about the key length, nor about any form of GAK, etc. Even Clipper I did not actually mandate allowable forms of crypto, though many of us thought that this was the desired end-state, down the road. So, I am tentatively assuming that Clipper III, if passed, will not directly impinge on domestic encryption policy, about which the government currently says nothing.)

However, as with other proposed crypto laws and "trial balloons," there are several questions which arise:

1. Will there be pressures put on the browser companies (Netscape, Microsoft, etc.) and the e-mail companies (Qualcomm, Microsoft, Claris, Lotus, etc.) to produce a "world version" that meets export standards with a single shrink-wrapped package?

(Recall that last fall some of the various companies stated as their goal having a single package that could be shipped worldwide. Some of them claimed having two versions, a domestic U.S. version and an international version, was too onerous.
I am skeptical of this, given that they have multiple platforms to support, multiple operating systems, etc. But they claim it is.) 2. Interoperability. How will U.S. users exchange messages with international users? Will a U.S. user have to register with the Authorities to get the proper credentials, protocols, etc.? Will the U.S.-sold versions of Netscape or Explorer, for example, contain the international GAKed versions for use with international users? 3. With products like PGP, there are already international users (lots of them). Thus, no "export laws" are involved. So, will I be able to communicate with them using my existing PGP methods? (If not, then my right to use an encryption product is in fact being limited, contrary to the putative wording of what Clipper III is supposed to be. To make this clear, I'm _already_ communicating with PGP, so no "export version" is needed.) And if U.S. users can continue to interoperate with international users as they are now doing, this puts the lie to claims about how key escrow will be useful for law enforcement. 4. And of course there is always the issue of _superencryption_. How a GAKked program can detect that superencryption is being used has never been adequately explained (to my satisfaction at least). Entropy measures won't do it, and forbidding any encryption of messages already containing "BEGIN PGP" will clearly just be a klugey bandaid. 5. What about U.S.-based corporations with offshore offices? Is a company supposed to replace its entire intranet corporate network with a GAKked system if even a single user is outside the U.S.-Canada? (I fear that this is indeed the proposal. The effect will then be to make all corporations GAKked.) 6. What about U.S. persons travelling abroad? 7. What about packets zinging around the world? Lots of complications if GAK is insisted upon. And lots of new avenues for "packet laundering." 8. 
The issue of why other countries would insist that their citizens GAK their keys when U.S. citizens don't have to!! ("Yes, Herr Glomlutz, we are insisting that all Germans using Netscape 4.0 must deposit their keys mit der Key Authority. No, we are not requiring our own citizens to do this." I don't think this will fly too well.) I can't see how other countries will go along with this. And what about the usual problem of "rogue nations" like Iraq, Iran, North Korea, Israel, and Liberia? 9. Many other issues. (They never answered the similar questions raised the last time, so I doubt they will this time.) Clipper III, if it turns out to be another worthless proposal which is laughed out of Washington, will be no real threat. If Clipper III actually outlaws or places limits on domestic use of crypto (as I think it must, else it can be too easily circumvented completely), then it will be a rallying cry which will likely see our membership increase still further, the anti-Washington rhetoric escalate, and likely some new developments in the war. In a way, I am hoping that "Clipper III" is proposed, as it will energize us once again. Historically, the "Cypherpunks antibodies" have had their most vigorous growth when faced with a government antigen. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From WlkngOwl at unix.asb.com Sun May 19 03:40:50 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Sun, 19 May 1996 18:40:50 +0800 Subject: Confusing MD5 and DSS? 
(was Rumor: DSS Broken?) Message-ID: <199605190720.DAA02505@unix.asb.com> On 18 May 96 at 19:30, Robert Hettinga wrote: [..] > I was talking to someone who was talking to someone (have I said this is a > rumor yet?) who was solicited for comment by a Very Famous Reporter about > the fact that DSS, the Digital Signature Standard, promulgated by NIST, I > believe, had been broken. Hm. Isn't there supposed to be a "TM" after "Very Famous Reporter"? There was a recent "So..." thread on coderpunks about some collisions found for MD5... as reporters are wont to, perhaps MD5 got confused with SHS which got further confused with DSS? Just speculation upon speculation. Rob. --- No-frills sig. Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From loki at infonex.com Sun May 19 03:55:42 1996 From: loki at infonex.com (Lance Cottrell) Date: Sun, 19 May 1996 18:55:42 +0800 Subject: Sendmail Question (was: SMTP Server for sending to anonymous remailers?) Message-ID: At 6:51 PM 5/18/96, Anonymous User wrote: >lcs Mixmaster Remailer wrote: > >> > Does anyone know of an anonymous remailer that has an SMTP server >> > (hopefully unlogged) that I can specify in a special variant of the >> > "sendmail.cf" sendmail configuration file for sending mail to >> > anonymous servers? > >What settings do you use in sendmail.cf to accomplish this (sending >it directly)? Is that the default behavior? Specifically, what >goes on the "DR" and "DV" lines? When I send mail from my PPP >account to my work account, I always seem to end up with a "Received: >>From by " line. I'm >ass-u-ming that if the host name shows up in the headers, it's >passing through that machine and is potentially being logged. Basically, the only reason your ISP's machines would appear in your sendmail.cf is because you are using them for mail forwarding. 
When I was connected over PPP (24 hours) I had my Linux box send the mail directly. If you just want to avoid your ISP's logs, then replace their mail server with some other server in your sendmail.cf. You should ask the owner of the server you want to use. If you use popmail (like Eudora), then just tell it the server to use in "SMTP Host". -Lance ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche ---------------------------------------------------------- From tim at dierks.org Sun May 19 03:57:43 1996 From: tim at dierks.org (Tim Dierks) Date: Sun, 19 May 1996 18:57:43 +0800 Subject: Rumor: DSS Broken? Message-ID: At 6:41 PM 5/18/96, Bill Stewart wrote: >>I was talking to someone who was talking to someone (have I said this is a >>rumor yet?) who was solicited for comment by a Very Famous Reporter about >>the fact that DSS, the Digital Signature Standard, promulgated by NIST, I >>believe, had been broken. > >MD5 is at least weakened, maybe broken; there's an abstract by Hans Dobbertin >that says something about generating collisions, and gives an example DSS uses SHA, which isn't affected by the Dobbertin finding. I believe that you would have to solve the discrete logarithm problem to break DSS; this would imply being able to break Diffie-Hellman and a number of other crypto algorithms. (However, I'm not certain that it's been shown that breaking DSS is equivalent to breaking discrete logarithms.) - Tim Tim Dierks - Software Haruspex - tim at dierks.org "That's the trouble with technology. It attracts people who have nothing to say." 
- Muffey Kibbey, mother [Wall Street Journal, May 10 1996] From blancw at accessone.com Sun May 19 03:59:36 1996 From: blancw at accessone.com (blanc) Date: Sun, 19 May 1996 18:59:36 +0800 Subject: The Crisis with Remailers Message-ID: <01BB451A.0F4D21C0@blancw.accessone.com> From: Bruce Baugh >hence my comments from here from time to time that the technological >problems of anonymity are not the true obstacle to widespread use. >there are deeper problems that cpunks skirt around but fail to grasp >because of numerous prejudices. While I hate to lend support to anyone as much a twit as Vulis is, he's got a point here. I don't think most cypherpunks realize how anonymity is perceived out in the net at large. ...................................................................... Bruce: Vulis is not the twit who wrote that paragraph. Vulis is not Vlad. Vulis: "Vlad" is not Vlad. You all need to go out to LD's web site and refresh your memory. .. Blanc From tcmay at got.net Sun May 19 04:08:15 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 19 May 1996 19:08:15 +0800 Subject: Instant Remailers Message-ID: At 12:38 AM 5/19/96, Mark M. wrote: >It is possible for someone to operate an anonymous remailer anonymously. >Just get a UNIX shell account under a fake name, pay with cash, and set up >the remailing software. The identity of the operator of such a remailer >would be difficult, if not impossible, to discover. I'm always surprised that this hasn't been happening; maybe it will when the new clients become available. (Doesn't Sameer's system offer such accounts? Couldn't there be dozens of remailers based at c2.org? Of the 16 Type-1 remailers listed in one of Raph's recent reports, only 2 were at c2.org.) Now, can a site which "offers" such accounts be held liable? 
If the site drops an account when presented with _appropriate_ legal papers (a court order, such as an injunction), and if it takes a "hands-off" policy with respect to what customers run in their accounts, then it ought to be safe from actual liability. (I am not a lawyer, but it seems that having no prior knowledge of acts committed, and complying with court orders, reduces the likelihood of successful suits to near zero. Note that Netcom did _not_ cancel the COS-related accounts, and so extended its legal hassles.) The advantage of "pliable" remailers (which go away when hit) is that: Cost of preparing case to stop a remailer >> cost of setting up a new remailer Thus, it might cost the Church of Scientology $10,000 in various fees to get "account42666 at c2.org" to stop remailing, but only $20 (or even less) to create "account98410 at c2.org." Ideally, such remailers should require no involvement at all by the account holder. Just a "start" command, by the account holder. (Not the site administrator, as this could be construed as involvement by him.) But an "instant remailer" (just add water) is needed. Recent questions here on the list about what it takes to run a remailer may mean some advice is needed. Running a remailer function should never be thought of as being the same as running a site. Most of the existing remailers are certainly not being run on machines _owned_ by those running the remailers. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." 
From tcmay at got.net Sun May 19 04:14:43 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 19 May 1996 19:14:43 +0800 Subject: The Crisis with Remailers Message-ID: More on what is adding to the current crisis: * Fact: For _most_ people, there is no compelling (or even casual) need for remailers. (No, I'm not arguing against remailers. Just pointing out a basic economic fact, to be factored in.) * Fact: The value of having remailers goes up when certain kinds of activities (which do not yet exist in any significant form) become more available. * Fact: The danger to remailer operators goes up when these kinds of activities become more widespread. (Another way of putting these last two points is this: The more valuable a remailing function is, the more danger or liability a remailer faces.) * Fact: Most remailers are being operated in the United States, and by persons with only casual commitment to their continued operation. ("Casual" should not be construed in a derogatory way.) * Fact: There have been no definitive court rulings in the U.S. clarifying the role of remailers. (In fact, no court cases involving remailers at all, yet.) Until this is decided, remailer sites which appear to be the emanation point (the last link) for the posting of, say, copyrighted material, will find themselves ordered to cease and desist. (The Church of Scientology involvement is beside the point. Brad Templeton of Clarinet would likely do much the same thing if Clarinet-carried articles were being posted to Usenet through remailers. So would "Time," and so, probably, would "Wired." We always knew that _something_ like this would put remailers to a severe test.) Conclusions: - Remailers will continue to disappear as pressures are applied. Absent a basic court ruling that remailer operators are not responsible or liable for what is sent through their sites, they will fall under attack. Once one falls, and a new site is used, it will become the target. 
- Very few ordinary people use remailers. This will change as remailers continue to get easier to use, but clearly most people feel little need/threat. - Ironically, if some sort of more restrictive regime comes to the fore, and more people feel the need to use remailers (e.g., CDA is upheld and abortion information becomes illegal to send over the Net), then this will make the operators of remailers feel even more heat. Is there an "equilibrium" point in all this, a "market clearing" point at which remailers are badly enough needed, despite threats and pressures, so as to provide a market for them? An interesting question. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From john at ktb.net Sun May 19 04:18:32 1996 From: john at ktb.net (John Schofield) Date: Sun, 19 May 1996 19:18:32 +0800 Subject: Cheap remailers Message-ID: <2.2.32.19960519073129.006cb6a8@mail.ktb.net> There's been much talk on this list about the need for cheap remailers, and I wanted to announce (unofficially) one of the least expensive remailer setups I've seen. The code is written by Jim Cannell, with documentation by me. It's designed as a remailer for Fidonet-technology systems. Fidonet Anonymous ReMailer runs under standard DOS, and is quite easy to install and run. The average Fidonet sysop should be able to get it up and running in about 15 minutes. With Internet gateway software and a UUCP account, it works quite well as an Internet remailer. 
I'm running a beta-test version at remail at sprawl.ktb.net. Please feel free to use it. Help files are available, but are oriented towards Fidonet users. Still, you should be able to puzzle it out. It will only be up for a month longer, because I'm leaving the country for two months, but Jim should keep you posted after the public release on what Fidonet remailers are operating. Requirements for running a Fidonet Anonymous ReMailer: 286-clone or better, with a 2400bps modem or better. Fidonet Anonymous Remailer (free) telephone line (a dedicated line is good, but not necessary) Fidonet mail tosser (free or inexpensive shareware) Fidonet Mailer (free or inexpensive shareware) Most people probably won't be running Fidonet Anonymous Remailer with quite this inexpensive a setup. I'm running on a 486-50, two dedicated phone lines, and two 28.8k bps modems. If all I was running was the remailer, I certainly wouldn't need that much hardware. The remailer will be released with full source When It's Ready, and any Fidonet node (there are more than 20,000) will be able to run the software and act as a remailer. The UUCP feed is not necessary for Internet connectivity -- any Fidonet node can send and receive e-mail from the Internet through standard gateways. However, operating your own gateway makes it much more fast and reliable. I pay $20/month for my UUCP feed. Fidonet can't compete with the Internet in terms of features, activity, or much else -- but for dirt-cheap bare-bones networking, you can't beat it. John ______________________________________________________________________________ ac086 at lafn.org john at ktb.net library at c2.org (They're all me.) PGP Public Key available by e-mailing PGPKEY at sprawl.ktb.net or by fingering library at c2.org. 
Check out the Digital Library at http://www.c2.org/~library/ From mcarpent at mailhost.tcs.tulane.edu Sun May 19 04:46:07 1996 From: mcarpent at mailhost.tcs.tulane.edu (Matthew Carpenter) Date: Sun, 19 May 1996 19:46:07 +0800 Subject: Is Chaum's System Traceable or Untraceable? In-Reply-To: <199605182017.WAA07561@digicash.com> Message-ID: <199605190626.BAA62897@rs5.tcs.tulane.edu> bryce at digicash.com writes: > > You know, even though current ecash uses on-line clearing, it is > only necessary for the _payee_ to be on-line at that time. Thus > it is entirely possible with current ecash for a payer to load > his portable computer up at home with e-coins and then make a > purchase a convenience store on the way to work _without_ having > a networkable computer. Well-- I mean the computer needs to > communicate with the convenience store, but it doesn't need > full-scale Internet access. > > > Does anyone on cpunks or ecash have an Apple Newton? I know > that they come with infrared-- what are the specs on that > communications device? And about the Newton itself: can it > compile ANSI C code? How much RAM? Permanent storage? Speed > of crypto operations? Don't know about the Newton, but one of the first things I thought of when I picked up a Pilot a week ago was that it would make an excellent ecash "wallet". (For those who don't know, the Pilot is the pocket sized PDA from Palm/USRobotics: 11.9 x 8.1 x 1.8 cm (4.7 x 3.2 x.7 inches), 165 g (5.7 ounces) with batteries. See http://www.usr.com/palm or http://www.webcom.com/cyniche/ppage1.htm for more info). The Pilot isn't as powerful as the Newton, but it is designed to allow for painless synchronization/communication with the user's desktop computer, and it is a lot more convenient to pack around than the Newton and most other small computing devices. Below I've outlined a procedure which seems like it would work very well for the Pilot or other PDA's, palmtops, etc. 
Before I head out to go shopping I stop by the ATM to get some money. But in this case the 'ATM' is just an application on my home computer which asks me how much money I want to transfer to my PDA. The program generates appropriate ecash coins, like the penny Bryce posted to cypherpunks a few days back, and automatically downloads a copy of them to the PDA. These probably need to be encrypted, so that if my "wallet" is stolen my money isn't lost. This is just like using an ATM, just "Please insert your PDA, and enter your PIN," but done without having to find an ATM and wait in line.

So now I head out shopping and find something I absolutely must buy. My PDA asks me for the amount of the purchase (or is told by the merchant's system and then asks for confirmation), and the 'PIN' I used to encrypt the coins. It then selects the appropriate coin(s) for payment, decrypts them, and sends them to the merchant's computer using IR, a smart card emulator, or whatever (the Pilot doesn't have IR built in, but it does have an RS-232 port so IR could be added). My PDA receives back any coins as change if needed, and logs info about the transaction for my financial records.

When I get back home I 'deposit' my change using the same ATM interface. This also removes from my home computer the copies of the coins I spent, and automatically updates the transaction records on my PC.

So are there any flaws with the above procedure? It seems to place minimal strain on the PDA. All you need on the PDA is some straightforward encryption and communications routines, along with a fairly simple user interface. Of course, since the SDK for the Pilot isn't out yet, it is hard to tell how well this would work in reality; and I may be misunderstanding the ecash protocols. But I would really, really love to see something like this available.

>
>
> Thanks,
>
> Bryce
>
> #include /* I don't speak for anyone but myself.
*/ > - -----BEGIN GOODTIMES VIRUS INNOCULATION----- > Copy me into your .sig for added protection! > - ----- END GOODTIMES VIRUS INNOCULATION----- --Matt -- mcarpent at mailhost.tcs.tulane.edu PGP mail preferred, finger for public key. From dlv at bwalk.dm.com Sun May 19 08:01:31 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 19 May 1996 23:01:31 +0800 Subject: The Crisis with Remailers In-Reply-To: <01BB451A.0F4D21C0@blancw.accessone.com> Message-ID: blanc writes: > Bruce: Vulis is not the twit who wrote that paragraph. Vulis is not Vlad. > > Vulis: "Vlad" is not Vlad. Blanc: Bruce is a twit. (The AIDS virus has eaten to much of his brain that he can't remember who's who. Very funny. :-) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From vince at offshore.com.ai Sun May 19 08:38:55 1996 From: vince at offshore.com.ai (Vincent Cate) Date: Sun, 19 May 1996 23:38:55 +0800 Subject: DataHaven Backup and Offshore Email Message-ID: Offshore Information Services announces accounts for datahaven backup purposes. For $168/year you can have 10 MB of disk in a datahaven country to use for backup of important information. Also, we have POP email accounts for $168/year. For full details of our services check out: http://online.offshore.com.ai/services.html -- Vince From rah at shipwright.com Sun May 19 08:49:27 1996 From: rah at shipwright.com (Robert Hettinga) Date: Sun, 19 May 1996 23:49:27 +0800 Subject: Rumor: DSS Broken? In-Reply-To: <199605190149.VAA18805@maildeliver3.tiac.net> Message-ID: At 9:41 PM -0400 5/18/96, Bill Stewart wrote: > MD5 is at least weakened, maybe broken; there's an abstract by Hans Dobbertin > that says something about generating collisions, and gives an example > (though the abstract doesn't say how general the method is.) That's what I get for not reading the DSS stuff when it came out. I'd heard lots about the MD5 stuff, but I didn't put the two together. 
It also looks like I'm behind in my reading. Time to buy another edition of Applied Cryptography...

Cheers,
Bob Hettinga

-----------------
Robert Hettinga (rah at shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA
"If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo
The e$ Home Page: http://thumper.vmeng.com/pub/rah/

From aurele at alpha.c2.org Sun May 19 10:26:03 1996
From: aurele at alpha.c2.org (aurele at alpha.c2.org)
Date: Mon, 20 May 1996 01:26:03 +0800
Subject: SMTP Server for sending to anonymous remailers?
In-Reply-To: <199605180530.WAA03258@infinity.c2.org>
Message-ID: <199605191334.PAA29896@spoof.bart.nl>

> Does anyone know of an anonymous remailer that has an SMTP server
> (hopefully unlogged) that I can specify in a special variant of the
> "sendmail.cf" sendmail configuration file for sending mail to
> anonymous servers?

Why don't you specify the first remailer of your chain as SMTP server?

From matts at pi.se Sun May 19 10:39:22 1996
From: matts at pi.se (Matts Kallioniemi)
Date: Mon, 20 May 1996 01:39:22 +0800
Subject: crosspost re remailers
Message-ID: <2.2.32.19960519134432.0039a654@mail.pi.se>

At 15:43 1996-05-18 -0700, Bill Frantz wrote:
>At 7:07 AM 5/18/96 +0200, Benjamin Brochet wrote:
>>WHO IS THE MODERATOR OF THIS LIST ?
>>
>>I've been victim of a spoofing from a German.... he subscribed me to 2200
>>mailing list... also I'd to be unsubscribed from your list !
>>
>
>There is no moderator. I am just a subscriber like yourself (except I
>asked for it.) Did you get a welcome message which included information
>like the following?

If he was indeed subscribed to 2200 mailing lists, you can assume that he didn't read all the "welcome messages." For people who are stuck with old fashioned mail systems (no filters, no macro language) this is a serious problem. It would be rude to call the victims clueless and subscribe them to even more "clueless mailing lists."
Matts From dlv at bwalk.dm.com Sun May 19 10:48:50 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Mon, 20 May 1996 01:48:50 +0800 Subject: The Crisis with Remailers In-Reply-To: <2.2.32.19960519053907.006ceda4@mail.aracnet.com> Message-ID: Bruce Baugh writes: > While I hate to lend support to anyone as much a twit as Vulis is, he's got Please refrain from posting your shit to the cypherpunks mailing list. > Take news.groups, a fairly important group I happen to read regularly. With You misspelled "impotent". Now go away. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From ses at tipper.oit.unc.edu Sun May 19 11:09:19 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Mon, 20 May 1996 02:09:19 +0800 Subject: Is Chaum's System Traceable or Untraceable? In-Reply-To: <199605181841.LAA17739@infinity.c2.org> Message-ID: On Sat, 18 May 1996, sameer wrote: > > > > (On the other hand, I have had a longstanding faith that the system can be > > made to be both payer- and payee-anonymous. Moneychangers, for example.) I don't know if Ian ever posted his scheme on cypherpunks? There are some obvious approaches that were discussed here about six months ago; they involve collaboration between payer and payee (the payee has to supply the payee with the blinded serial numbers, which can then be reblinded by the payer for transmission). This scheme can't be used with the ecash API, and I believe is not looked on kindly when applying for ecash licences. It makes you a lot more vulnerable to traffic analysis Simon From matts at pi.se Sun May 19 11:41:04 1996 From: matts at pi.se (Matts Kallioniemi) Date: Mon, 20 May 1996 02:41:04 +0800 Subject: SEVERE undercapacity, we need more remailer servers FAST Message-ID: <2.2.32.19960519152746.00392f04@mail.pi.se> At 18:29 1996-05-15 -0400, Black Unicorn wrote: > >I would really like to see a remailer that is somehow blinded. 
>
>I don't know enough about how mail paths are generated, but is it
>impossible to conceal the origin of remailer postings?

IP spoofing would do this nicely. Since SMTP doesn't require any significant responses, you can send blind and fake your IP address. To do that you need root access on your mailer machine and an ISP that doesn't sniff and filter its network for spoofing attacks. See ftp://info.cert.org/pub/cert_advisories/CA-95:01.IP.spoofing for a good description of spoofing attacks and defenses.

If you're not up to writing spoofing code into your (re-)mailer, then an easier solution is to send everything through anon.lcs.mit.edu after you have removed all headers that point at you.

Matts

From camcc at abraxis.com Sun May 19 12:27:58 1996
From: camcc at abraxis.com (camcc at abraxis.com)
Date: Mon, 20 May 1996 03:27:58 +0800
Subject: News from Burma
Message-ID: <2.2.32.19960519154011.006bbe78@smtp1.abraxis.com>

-----BEGIN PGP SIGNED MESSAGE-----

ASIA

'Excommunication'

An Anglo-Burmese businessman friendly with pro-democracy leader Aung San Suu Kyi has been sentenced to three years in jail for owning unauthorized telephones and fax machines. James Leander Nichols, also known as Leo Nicholas, was punished for having two fax machines and a telephone switchboard with nine lines in his home, a spokesman for Suu Kyi's political party said. In an effort to discourage contact between Burmese citizens and the outside world, Burma's military government requires people to get permission to own a fax machine, satellite dish, or sophisticated phone system.
News Services The Atlanta Constitution/The Atlanta Journal Alec -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMZ9ArCKJGkNBIH7lAQFrrAQAw7g/OeEU0IbK+4haxL4r7CWez9R1MqH6 W0Zq1l59XlRDkCCPj34HqrXGchg1Wnnw6LMK7B41JMRl68jvkVLmLnZ9FHwehZ9V R2WzRM+VzHwcpxQ4Fha1pwdq4Lm5naeS+3FiTQDcbTATT7hpBSiLOXhMNSlxFcBP G2KtNA2iZAM= =g8jc -----END PGP SIGNATURE----- From rodger at interramp.com Sun May 19 12:36:38 1996 From: rodger at interramp.com (Will Rodger) Date: Mon, 20 May 1996 03:36:38 +0800 Subject: Interactive Week exclusive - White House to launch "Clipper III" Message-ID: On 5/18, Tim May wrote: >A question for Will Rodger: Is this "White Paper" ("The newest proposal is >contained in a 24-page White Paper, a draft of which hit Capitol Hill >earlier this week") related in any way to the one being prepared by Herb >Lin and a bunch of other folks? It was due out about this time, and the >topic seems similar. A bunch of us gave input to Herb and his panel at the >CFP in '95...if this is the same White Paper, looks like we might just as >well have saved our breath. Don't know. This did have full input from security agencies, however. >I read the stuff at the URL, and at first blush it looks to say nothing >about _domestic_ (within the U.S. and Canada) encryption. I'll be anxious >to see what the White Paper says about domestic encryption. > No restrictions domestically nor in Canada. Even so, these CAs and the policy body above it clearly give the govt. more of a role in controlling crypto. >However, as with other proposed crypto laws and "trial balloons," there are >several questions which arise: > >1. Will there be pressures put on the browser companies (Netscape, >Microsoft, etc.) and the e-mail companies (Qualcomm, Microsoft, Claris, >Lotus, etc.) to produce a "world version" that meets export standards with >a single shrink-wrapped package? 
> >(Recall that last fall some of the various companies stated as their goal >having a single package that could be shipped worldwide. Some of them >claimed having two versions, a domestic U.S. version and an international >version, was too onerous. I am skeptical of this, given that they have >multiple platforms to support, multiple operating systems, etc. But they >claim it is.) > >2. Interoperability. How will U.S. users exchange messages with >international users? Will a U.S. user have to register with the Authorities >to get the proper credentials, protocols, etc.? No indications they would. Idea is each authority could talk to the other and request escrowed keys or info. a la interpol. Of course, as today, there's no guarantee that agreements will always be in place, nor honored. > >3. With products like PGP, there are already international users (lots of >them). Thus, no "export laws" are involved. So, will I be able to >communicate with them using my existing PGP methods? Under the White Paper, yes. > >And if U.S. users can continue to interoperate with international users as >they are now doing, this puts the lie to claims about how key escrow will >be useful for law enforcement. Which makes it look a lot like the old proposal. > >4. And of course there is always the issue of _superencryption_. How a >GAKked program can detect that superencryption is being used has never been >adequately explained (to my satisfaction at least). Entropy measures won't >do it, and forbidding any encryption of messages already containing "BEGIN >PGP" will clearly just be a klugey bandaid. > >5. What about U.S.-based corporations with offshore offices? Is a company >supposed to replace its entire intranet corporate network with a GAKked >system if even a single user is outside the U.S.-Canada? If it's legal now, the paper suggests it should be legal in the future. > >6. What about U.S. persons travelling abroad? > >7. What about packets zinging around the world? 
Lots of complications if
>GAK is insisted upon. And lots of new avenues for "packet laundering."
>
>8. The issue of why other countries would insist that their citizens GAK
>their keys when U.S. citizens don't have to!!
>("Yes, Herr Glomlutz, we are insisting that all Germans using Netscape 4.0
>must deposit their keys mit der Key Authority. No, we are not requiring our
>own citizens to do this." I don't think this will fly too well.)
>
>I can't see how other countries will go along with this.

The Paper is quite unclear on this, as well. Presumably other countries will have equally spiffy stuff they will require be escrowed for export under COCOM. All of this, of course, assumes cooperation from OECD, et al.

>
>And what about the usual problem of "rogue nations" like Iraq, Iran, North
>Korea, Israel, and Liberia?

Same as before.

>
>9. Many other issues. (They never answered the similar questions raised the
>last time, so I doubt they will this time.)
>
>
>Clipper III, if it turns out to be another worthless proposal which is
>laughed out of Washington, will be no real threat. If Clipper III actually
>outlaws or places limits on domestic use of crypto (as I think it must,
>else it can be too easily circumvented completely), then it will be a
>rallying cry which will likely see our membership increase still further,
>the anti-Washington rhetoric escalate, and likely some new developments in
>the war.

Stay tuned....

Will Rodger
Washington Bureau Chief
Interactive Week.

From grafolog at netcom.com Sun May 19 12:41:19 1996
From: grafolog at netcom.com (jonathon)
Date: Mon, 20 May 1996 03:41:19 +0800
Subject: Reputation and anonymous companies
In-Reply-To:
Message-ID:

Mark:

On Sat, 18 May 1996, Mark M. wrote:

> However, how would AP solve anything? If the company is completely anonymous,
> then nobody would know who to kill. Every worker including the president would

Do a textual analysis of everything the anonymous id that you want terminated with extreme prejudice.
It will provide you with the information you need, to find out the person's "real" identity. xan jonathon grafolog at netcom.com From markm at voicenet.com Sun May 19 12:51:29 1996 From: markm at voicenet.com (Mark M.) Date: Mon, 20 May 1996 03:51:29 +0800 Subject: Instant Remailers In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sun, 19 May 1996, Timothy C. May wrote: > I'm always surprised that this hasn't been happening; maybe it will when > the new clients become available. > > (Doesn't Sameer's system offer such accounts? Couldn't there be dozens of > remailers based at c2.org? Of the 16 Type-1 remailers listed in one of > Raph's recent reports, only 2 were at c2.org.) I would be a little worried about many remailers being run at one site. If the ISP is ever shut down, then a lot of remailers will go down. This would be an ideal "choke point" for the feds. > [...] > > Ideally, such remailers should require no involvement at all by the account > holder. Just a "start" command, by the account holder. (Not the site > administrator, as this could be construed as involvement by him.) > > But an "instant remailer" (just add water) is needed. Recent questions here > on the list about what it takes to run a remailer may mean some advice is > needed. > > Running a remailer function should never be thought of as being the same as > running a site. Most of the existing remailers are certainly not being run > on machines _owned_ by those running the remailers. Such a program would certainly be feasible. I might try writing something like it. 
- -- Mark
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm at voicenet.com | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348
((2b) || !(2b)) | Old key now used only for signatures
"The concept of normalcy is just a conspiracy of the majority" -me

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv

iQCVAwUBMZ8x+rZc+sv5siulAQFNvwP/U6XRcE+/ad3CC3YSCigvwDIYlLjPyNsC
e9TnKrc56Z1KidIyGmHFS4siyZIjdritA+sEqPOID1OT6b9sQx1YPmOeMeCaWAHE
5AtMrZ+zzpY8bdQh8Vwk8j2T5vKsza+tkuEP3AxnJzCrIPfIQjWRp/f5oz6WE0tj
tXu2QPFEliE=
=W2kT
-----END PGP SIGNATURE-----

From snow at smoke.suba.com Sun May 19 12:56:39 1996
From: snow at smoke.suba.com (snow)
Date: Mon, 20 May 1996 03:56:39 +0800
Subject: The Crisis with Remailers
In-Reply-To:
Message-ID:

On Sat, 18 May 1996, Steve Reid wrote:

> I wonder, would the average spammer be less likely to spam if he had to
> PGP-encrypt messages to the remailer? I know we want to make remailers

Some of the technically less sophisticated would. But these people hardly ever use remailers anyway.

> Also, if a remailer could be set up to _only_ remail to other remailers,
> that would greatly reduce liability. Obviously we'd still need _some_
> remailers that can deliver to the intended destination... I think a lot
> of people would be more willing to run remailers if it didn't mean that
> mailing list/usenet spam would have their name attached.

The way I am thinking of setting one up would work as the front end would accept the mail, and the back end, a separate account would send it. By using multiple back ends, traffic analysis would be made marginally less easy, and there would be less complaints about the front end.

Petro, Christopher C.
petro at suba.com
snow at crash.suba.com

From camcc at abraxis.com Sun May 19 13:58:52 1996
From: camcc at abraxis.com (camcc at abraxis.com)
Date: Mon, 20 May 1996 04:58:52 +0800
Subject: Sendmail Question (was: SMTP Server for sending to anonymous remailers?)
Message-ID: <2.2.32.19960519164228.006c2528@smtp1.abraxis.com>

-----BEGIN PGP SIGNED MESSAGE-----

At 12:09 AM 5/19/96 -0700, you wrote:
>If you use popmail (like Eudora), then just tell it the server to use in
>"SMTP Host".
>
> -Lance
>

I have been following this with no little interest. Using Eudora Pro when I attempt to replace host: smtp1.abraxis.com with *SMTP Host*, I receive the message *Attempting to resolve host: SMTP Host*, and dat's all until I stop the send command.

Thanks

Alec

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMZ9PJyKJGkNBIH7lAQGamwP/e1L3bWlOxCLfcEcSCUK7L2NPyDn3lNoe
n4omNWrcUUOzBpQXg2fxPgmfsBDvao84neqbnkLv4HlPdFqDT/WgbNKzaJILYazS
2W2XsuDY5fxDNizKPmv+BSiPCYCMqCdD96g+Pl52Im1F6D9oEYkbe1Kvpb+iZTOj
UyQUePJKtbk=
=70bm
-----END PGP SIGNATURE-----

From farber at central.cis.upenn.edu Sun May 19 15:04:44 1996
From: farber at central.cis.upenn.edu (Dave Farber)
Date: Mon, 20 May 1996 06:04:44 +0800
Subject: Interactive Week exclusive - White House to launch "Clipper III"
Message-ID: <2.2.32.19960519171540.00c99260@linc.cis.upenn.edu>

The "White Paper" (if it exists) from the White House is different from the National Research Report. The NRC is independent from the White House and the Government.

Dave

From my IP mailing list:

Date: Fri, 10 May 1996 08:50:41 -0700
Reply-To: farber at central.cis.upenn.edu (Dave Farber)
To: interesting-people at eff.org (interesting-people mailing list)
Subject: The National Research Council Study of National Cryptography Policy

Please post this message widely

I am writing to let interested parties know about the imminent release of the NRC's study of national cryptography policy. If all goes well, we hope to release it on May 30, 1996.
However, prior to that time, we won't be able to comment on its contents. For current information on release, visit the web site http://www2.nas.edu/cstbweb/220a.html When you visit that site, you'll have the opportunity to be put onto a mailing list so that we can inform you by e-mail when the report is available in print and/or electronically, as well as any public events associated with the report (e.g., public briefings). Herb Lin Cryptography Policy Study Director Computer Science and Telecommunications Board National Academy of Sciences/National Research Council 202-334-2605 From tcmay at got.net Sun May 19 15:06:20 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 20 May 1996 06:06:20 +0800 Subject: Why the Poor are Mostly Deserving of their Fate Message-ID: At 10:32 PM 5/18/96, Sean Gabb wrote: >On Sat, 18 May 1996, Duncan Frissell wrote: > >> It was understandable to be poor when all the world was poor. It is >> understandable to be poor in those nations today that make the >> accumulation of wealth a crime for most people. It is not understandable >> to be poor (for long) in the US where one can reliably get out of poverty >> simply by doing three simple things: >> >> 1) get a high school diploma >> 2) get married >> 3) get any job >> >> Only about 2 tenths of 1% of those who satisfy those three requirements >> incomes below the official poverty line. >I've done all these things - and rather more in the way of education. But >while I don't fall on or near the poverty line, I'm still poor as a church >mouse. What am I doing wrong? * Point Number One: Sean Gabb ^^ * Point Number Two:"...not understandable to be poor (for long) in the US" ^^ Q.E.D. Actually, I think Duncan's "high school + marriage + any job" point is a bit simplistic, and I'm surprised about the ".02%" estimate. 
As someone else noted, there are a lot of folks in the rural South, Appalachia, and other places, who graduated from high school, are still married, and have some sort of job, and yet who make $6-8 an hour or less. I think more is needed. I would have added "savings/investment" and "hard work." Those who can force themselves to set money aside for investment get the compounded returns later on. And of course hard work--including taking a second job, having the extended family work, etc.--is also key. (Many immigrant Asians arrive penniless in the U.S., then get help from immigrant Asian who arrived earlier, live in crowded houses and apartments, have 4-6 wage-earners in a household, save as much as they can, and then open a small business. Success is almost inevitable. Hence the cycle continues. This tradition of the various Asian subcultures is almost completely lacking in certain other subcultures in America. More's the pity.) Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From anonymous-remailer at shell.portal.com Sun May 19 15:40:55 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Mon, 20 May 1996 06:40:55 +0800 Subject: No Subject Message-ID: <199605191754.KAA10185@jobe.shell.portal.com> Cypherpunks is not a political newsgroup. 
From: camcc at abraxis.com
X-Sender: camcc at smtp1.abraxis.com
Date: Sun, 19 May 1996 11:40:11 -0400
To: cypherpunks at toad.com
Subject: News from Burma
Sender: owner-cypherpunks at toad.com

-----BEGIN PGP SIGNED MESSAGE-----

ASIA

'Excommunication'

An Anglo-Burmese businessman friendly with pro-democracy leader Aung San Suu Kyi has been sentenced to three years in jail for owning unauthorized telephones and fax machines. James Leander Nichols, also known as Leo Nicholas, was punished for having two fax machines and a telephone switchboard with nine lines in his home, a spokesman for Suu Kyi's political party said. In an effort to discourage contact between Burmese citizens and the outside world, Burma's military government requires people to get permission to own a fax machine, satellite dish, or sophisticated phone system.

News Services
The Atlanta Constitution/The Atlanta Journal

Alec

From bruce at aracnet.com Sun May 19 17:41:34 1996
From: bruce at aracnet.com (Bruce Baugh)
Date: Mon, 20 May 1996 08:41:34 +0800
Subject: Remailers vs Nyms - conflicting assumptions?
Message-ID: <2.2.32.19960519194934.006a9ff0@mail.aracnet.com>

At 08:10 PM 5/18/96 -0700, Raph Levien wrote:
>The fact that you can refresh nyms makes the problem you bring up much
>less severe.

Certainly refreshing it every few weeks/months is a good idea anyway. It's just that I (at least) seem to have this remarkable knack for having important mail try to get me immediately after a nym server goes down and before I get the news. That's happened to me three times in the last year. Refreshing deals with the long-term problem, but not with the short-term one. Maybe I need to settle for a higher level of mail loss than I'm comfortable with, but precisely because I'm not comfortable with it, I do remain interested in alternatives.
-- Bruce Baugh bruce at aracnet.com http://www.aracnet.com/~bruce From middle-man-admin at alpha.c2.org Sun May 19 17:50:03 1996 From: middle-man-admin at alpha.c2.org (middle-man-admin at alpha.c2.org) Date: Mon, 20 May 1996 08:50:03 +0800 Subject: Instant Remailers Message-ID: <199605191942.MAA28284@infinity.c2.org> On Sun, 19 May 1996, Timothy C. May wrote: > >It is possible for someone to operate an anonymous remailer anonymously. > >Just get a UNIX shell account under a fake name, pay with cash, and set up > >the remailing software. The identity of the operator of such a remailer > >would be difficult, if not impossible, to discover. > > I'm always surprised that this hasn't been happening; maybe it will when > the new clients become available. I'm currently working on a version of Mixmaster that allows an individual to run a remailer anonymously. The idea is to set up the primary address of the remailer as a nym. That was easy. I've almost finished the modifications to Mixmaster to allow it to call Raph Levien's premail package. I've set it up to cause all outgoing mail to chain through 2 more random remailers before the message is delivered to the destination. This effectively allows me to operate as a "hidden remailer-in-the-middle". I'll provide more details when I finish the code and it's been thoroughly tested. middle-man-admin From anonymous-remailer at shell.portal.com Sun May 19 18:11:59 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Mon, 20 May 1996 09:11:59 +0800 Subject: Cathy - Sunday, May 19 Message-ID: <199605192012.NAA26058@jobe.shell.portal.com> "Cathy" cartoon today has a bit of positive(?) well, at least it's not negative, PR about anonymity. 
Funny

From vince at offshore.com.ai  Sun May 19 19:42:33 1996
From: vince at offshore.com.ai (Vincent Cate)
Date: Mon, 20 May 1996 10:42:33 +0800
Subject: rsa2d.gif - machine readable rsa for printing in magazines etc
Message-ID:

I now have a cute 2 inch wide by 1 inch high graphic that is the 3 line RSA Perl program in a 2D barcode. When printed on anything (postcard, magazine, etc) you have a machine readable encryption program, or to the US government, a munition!

http://online.offshore.com.ai/arms-trafficker/rsa2d.html

Now what to do with this? Anyone want to place an ad in a newspaper or magazine? How about selling munitions postcards? Another T-shirt? Should be fun for something.

  --  Vince

From vznuri at netcom.com  Sun May 19 20:16:45 1996
From: vznuri at netcom.com (Vladimir Z. Nuri)
Date: Mon, 20 May 1996 11:16:45 +0800
Subject: The Crisis with Remailers
In-Reply-To:
Message-ID: <199605192015.NAA15002@netcom17.netcom.com>

[remailer incentives]
>As you said, ecash postage could turn that around. The negative publicity
>part is probably the result of the general public's negative perceptions
>about anonymity.

not!!! I should have made this clear, but imho no matter how favorably the public sees anonymity, I still believe there will be little incentive to run remailers until there is some kind of ecash scheme. you are going to have "bad" uses of anonymity going on as long as you provide the capability. ask the remailer operators to estimate how much of their mail is simply taunts between college students or sexual harassment. I doubt you will ever be able to evade this. what cpunks might investigate is an idea of having a pseudonym server that somehow automatically registers complaints and stamps messages with known reputation levels.

>People seem to forget that anyone can drop a letter into the mailbox with
>no return address. Did the Unabomber bring negative publicity to the
>postal service, causing people to demand that return addresses become a
>requirement? :-/

agreed, but the subject at hand was not whether anonymity is good or bad, but whether there is some incentive to run remailers.

>Liability depends on the jurisdiction, doesn't it? It would be ideal if
>all remailers were in countries where there are no laws that would affect
>remailers. Reducing liability also has the added benefit of protecting
>anonymity, since if the mailer can't be seized, that does prevent log
>files (if any) from being seized.

by liability I am also referring to a situation in which the internet provider is pressured to quit the service by *anyone* not necessarily agents of the government. past examples are strong evidence that it does not at all require a government to shut down a remailer via pressure. anon.penet.fi at one point was pressured to shut down by "a well known net celebrity"

>Remailers can already be set up _not_ to send to certain addresses, so I
>think there's no reason that they couldn't be set to deliver _only_ to
>other remailers.

hee, hee. I think you need to think that out a bit more.

>Right now, I think, remailers don't need to be mainstream, they just need
>to be there when people need them. And I think they can become mainstream,
>if you consider that anon.penet.fi is quite popular.

well, the issue we were addressing is why remailers haven't proliferated like other services. it is true that the usage of them has probably gone up exponentially, or at least very significantly. but they don't seem to have multiplied in number in the same way. growth in # of remailers has been linear at best. I would be interested if any longtime remailer operators posted statistics about the amount of mail going through their services.

From declan+ at CMU.EDU  Sun May 19 20:45:29 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Mon, 20 May 1996 11:45:29 +0800
Subject: Cypherpunks, a political "newsgroup?"
In-Reply-To: <199605191754.KAA10185@jobe.shell.portal.com>
Message-ID:

Excerpts from internet.cypherpunks: 19-May-96 by anonymous-remailer at shell
> Cypherpunks is not a political newsgroup.

Hah! Most everything that's discussed here has political overtones. I, for one, appreciated the info on the Burmese businessman and forwarded it to fight-censorship.

I'll link it in to http://www.cs.cmu.edu/~declan/international/ when I get a chance.

-Declan

From declan+ at CMU.EDU  Sun May 19 20:57:25 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Mon, 20 May 1996 11:57:25 +0800
Subject: Apple Newton specs: RAM, infrared, speed
Message-ID:

From a friend who's one of the best Newton developers around. An unsolicited plug: check out his company's web site at http://www.newts.com/

-Declan

---------- Forwarded message begins here ----------

Date: Sun, 19 May 1996 11:56:52 -0700 (MST)
To: "Declan B. McCullagh"
From: dan at newts.com (Dan Rowley)
Subject: Re: Fwd: Is Chaum's System Traceable or Untraceable?

>>Does anyone on cpunks or ecash have an Apple Newton? I know that they come with infrared-- what are the specs on that communications device? And about the Newton itself: can it compile ANSI C code? How much RAM? Permanent storage? Speed of crypto operations?

Dec -

The Newton's infrared is essentially the SHARP "ASK" protocol, which is the same as used by the sharp wizard. It is *not* IrDA compatible, and Apple claims that it's a hardware problem not a software problem.

The Newton cannot currently compile ANSI C unless you have very close ties to Apple (internal code development is in C), but they will be releasing C tools for the Newton within a couple of months. The C, of course, is not directly compiled on the Newton, but on a host Mac.
The Newton ships with between 1 and 2 megs of internal RAM, but can be expanded with FLASH or SRAM cards, but there's only one slot, so putting in a modem could be tough.. ;)

The permanent storage *is* RAM. It's all flash.

As for speed, it depends on whether you do it in NewtonScript or C. NewtonScript is compiled to P-Code that runs on a virtual machine, and is really not too bad. you can also compile to straight ARM code if you want. The next Newton to come out will be based on the DEC StrongARM which I understand is blindingly fast..

Hope this helps

Dan

--------
Dan Rowley
Innovative Computer Solutions
Developers of fine software for the Newton
Now, also developers for Be!

From jamesd at echeque.com  Sun May 19 21:30:34 1996
From: jamesd at echeque.com (jamesd at echeque.com)
Date: Mon, 20 May 1996 12:30:34 +0800
Subject: 'Excommunication'
Message-ID: <199605192314.QAA07523@dns1.noc.best.net>

At 10:54 AM 5/19/96 -0700, anonymous-remailer at shell.portal.com wrote:
> Cypherpunks is not a political newsgroup.

Nor was "excommunication" a political posting: There was no indication in the posting as to whether the Burmese regime was left or right or fascist or whatever.

What the "Excommunication" post was about was the fact that good communications undermine the state, and repressive states fear them for that reason.

This is exactly the sort of post that should be on cypherpunks.

---------------------------------------------------------------------
                                      |
We have the right to defend ourselves | http://www.jim.com/jamesd/
and our property, because of the kind |
of animals that we are. True law      | James A. Donald
derives from this right, not from the |
arbitrary power of the state.         | jamesd at echeque.com

From mpd at netcom.com  Sun May 19 21:45:06 1996
From: mpd at netcom.com (Mike Duvos)
Date: Mon, 20 May 1996 12:45:06 +0800
Subject: Why the Poor are Mostly Deserving of their Fate
In-Reply-To:
Message-ID: <199605191958.MAA18081@netcom12.netcom.com>

On Sat, 18 May 1996, Duncan Frissell wrote:

> It was understandable to be poor when all the world was poor. It is
> understandable to be poor in those nations today that make the
> accumulation of wealth a crime for most people. It is not understandable
> to be poor (for long) in the US where one can reliably get out of poverty
> simply by doing three simple things:

> 1) get a high school diploma

While "basic skills" come in useful, is the much touted high school diploma really a competent measure of these? The diplomas are handed out to pretty much anyone who sits through 13 years of public schooling without complaining too loudly, shooting a teacher, or blowing up the school. Reading and the ability to do simple math are not much of a requirement anymore.

The NEA would love to have a system where one's public school experience follows one everywhere like an unofficial government dossier, and employers are free to examine grades and the opinions of teachers on one's good citizen-unit-ness, denying employment to everyone who doesn't toe the line.

I think the privacy implications of a vicious education-based class system, rather than a web of providers of educational services, held accountable by demanding clients, are fairly apparent to everyone.

> 2) get married

Well, of course one gets a certain amount of economic power by breeding and then sending the wife and the kiddies out to work in the mines. Not my cup of tea, however.

> 3) get any job

Oh come now. There are plenty of toothless rural people who can read and write, and even have families and jobs. They don't have much of anything else. You have heard of the "working poor", haven't you?
Permit me to make a giant leap here and suggest that whether one is poor pretty much depends upon the market which competes for one's services.

The major problem (or feature, if you are an employer) of the jobs market is that one is essentially competing with a large number of other people to see who will take the least amount of money to work themselves into an early grave. No matter what the value added by one's work to the product being produced, such a market is essentially a bottomless pit, especially if others doing the competing are hungry and desperate.

It's kind of like Harlan Ellison's description of the ultimate television game show. You bring out a small boy and a dog, and the contestants vie amongst each other to see who will take the least amount of money to shoot the dog in front of the boy.

The key to escaping poverty would therefore seem to be to compete in a market based on the value of what one produces (i.e. entrepreneurship, small business, consulting), or to compete in a market where the others competing with one are all fat, happy, and fairly affluent (i.e. very specialized technical skills).

The success of the Asian community in stressing small business and higher education would seem to be an excellent example of this model in action.

I'm not convinced one can escape poverty by simply being a high school educated hard-working person who is eager to please. Perhaps this was once the case, but I think the economy is a bit too tightly stretched these days for such truisms to have any validity.

--
Mike Duvos       $ PGP 2.6 Public Key available $
mpd at netcom.com $ via Finger.                   $

From cea01sig at gold.ac.uk  Sun May 19 23:01:24 1996
From: cea01sig at gold.ac.uk (Sean Gabb)
Date: Mon, 20 May 1996 14:01:24 +0800
Subject: Why the Poor are Mostly Deserving of their Fate
In-Reply-To:
Message-ID:

On Sun, 19 May 1996, Timothy C. May wrote:

> At 10:32 PM 5/18/96, Sean Gabb wrote:
> >On Sat, 18 May 1996, Duncan Frissell wrote:
> >
> >> It was understandable to be poor when all the world was poor. It is
> >> understandable to be poor in those nations today that make the
> >> accumulation of wealth a crime for most people. It is not understandable
> >> to be poor (for long) in the US where one can reliably get out of poverty
> >> simply by doing three simple things:
> >>
> >> 1) get a high school diploma
> >> 2) get married
> >> 3) get any job
> >>
> >> Only about 2 tenths of 1% of those who satisfy those three requirements
> >> incomes below the official poverty line.
>
> >I've done all these things - and rather more in the way of education. But
> >while I don't fall on or near the poverty line, I'm still poor as a church
> >mouse. What am I doing wrong?
>
>
> * Point Number One: Sean Gabb
> ^^
> * Point Number Two:"...not understandable to be poor (for long) in the US"
> ^^
> Q.E.D.

Ah, fair point. England is not exactly a land of opportunity. If it were, there wouldn't be an America. Perhaps my Irish ancestors should have gone west rather than east.

Sean Gabb.

>
>
> Actually, I think Duncan's "high school + marriage + any job" point is a
> bit simplistic, and I'm surprised about the ".02%" estimate. As someone
> else noted, there are a lot of folks in the rural South, Appalachia, and
> other places, who graduated from high school, are still married, and have
> some sort of job, and yet who make $6-8 an hour or less.
>
> I think more is needed. I would have added "savings/investment" and "hard work."
>
> Those who can force themselves to set money aside for investment get the
> compounded returns later on. And of course hard work--including taking a
> second job, having the extended family work, etc.--is also key.
>
> (Many immigrant Asians arrive penniless in the U.S., then get help from
> immigrant Asians who arrived earlier, live in crowded houses and apartments,
> have 4-6 wage-earners in a household, save as much as they can, and then
> open a small business. Success is almost inevitable. Hence the cycle
> continues. This tradition of the various Asian subcultures is almost
> completely lacking in certain other subcultures in America. More's the
> pity.)
>
>
> Boycott "Big Brother Inside" software!
> We got computers, we're tapping phone lines, we know that that ain't allowed.
> ---------:---------:---------:---------:---------:---------:---------:----
> Timothy C. May              | Crypto Anarchy: encryption, digital money,
> tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
> W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
> Licensed Ontologist         | black markets, collapse of governments.
> "National borders aren't even speed bumps on the information superhighway."
>
>
>
>
>

From alano at teleport.com  Sun May 19 23:16:50 1996
From: alano at teleport.com (Alan Olsen)
Date: Mon, 20 May 1996 14:16:50 +0800
Subject:
Message-ID: <2.2.32.19960520014251.00b78800@mail.teleport.com>

At 10:54 AM 5/19/96 -0700, anonymous-remailer at shell.portal.com wrote:
>Cypherpunks is not a political newsgroup.

ROTFLMAO!!! Since *WHEN*?

(Actually the above is right -- sort of. This is not a newsgroup, it is a mailing list.)

One of the reasons I read this list is for the political content. The quoted article was information I was interested in reading, and as far as I am concerned (as if anyone cares), on topic.

You are new here, aren't you... ]:>

---
| Remember: Life is not always champagne. Sometimes it is REAL pain.      |
|"The moral PGP Diffie taught Zimmermann unites all| Disclaimer:          |
| mankind free in one-key-steganography-privacy!"  | Ignore the man       |
|`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard. |
| http://www.teleport.com/~alano/                  | alano at teleport.com |

From stewarts at ix.netcom.com  Sun May 19 23:21:12 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Mon, 20 May 1996 14:21:12 +0800
Subject: The Crisis with Remailers
Message-ID: <199605200114.SAA10149@toad.com>

At 12:00 PM 5/18/96 EDT, dlv at bwalk.dm.com (Dr. Dimitri Vulis) wrote:
>> 2. there is no good way to deal with spams or other so-called "abuse"
>Nor should there be. What's one person's abuse is another person's
>free speech. Internet traffic should not be censored based on contents.

I disagree - when I was running a remailer, I found several varieties of abuse, and some of them were worth blocking. Usenet, in particular, is divided into newsgroups so material can be directed to the groups where the readers want to find it, which is filtering, not censorship.

* The most common was spammers sending lots of mail to a specific person
  who didn't want it; that's easy to block, and keeping up with that
  was a major part of traffic on the remailer-operators news groups.

* Another was spammers who were sending out large volumes of spam;
  my remailer would shut down if it got too much volume (operator-settable),
  but usually I blocked senders like this based on remailer-operators
  notices from other remailers that were being spammed through.

* Another was inappropriate news postings; most of the complaints I got
  were from phone sex ads in the pictures newsgroups, where they're unwanted
  (as opposed to misc.forsale or other group where they're in scope).
  They're a minor annoyance, and I didn't censor them; there'd probably
  be less of them from 2-way remailers, since people who objected could
  spam back.
  In general, these were posted to many newsgroups, and reducing the number
  of newsgroups that a message could be crossposted to would probably have
  helped, though it might have just resulted in multiple postings.

* The nastiest spam, which I wasn't able to block, was to sign someone else's
  name on flamebait hate postings. Blocking by content (e.g. blocking
  postings with the address of someone who had complained) would cut down
  on repeat postings, but it only takes one or two postings to get thousands
  of flames sent to the victim. The damage could be reduced by putting
  disclaimer notices at the beginning and end of the text, reminding the
  reader that it may be a forgery, etc.; simple mail headers don't seem to
  get the attention of enough readers, even those whose newsreader software
  doesn't discard them. Similar spams can be done to mailing lists...

# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus inoculation

From stewarts at ix.netcom.com  Sun May 19 23:42:45 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Mon, 20 May 1996 14:42:45 +0800
Subject: Remailers vs Nyms - conflicting assumptions?
Message-ID: <199605192354.QAA08487@toad.com>

>Refreshing deals with the long-term problem, but not with the short-term
>one. Maybe I need to settle for a higher level of mail loss than I'm
>comfortable with, but precisely because I'm not comfortable with it, I do
>remain interested in alternatives.

The alternative is constant monitoring, though of course this risks traffic analysis. If you ping yourself daily, using some random-path random-delay chain of encrypted remailers, then you can tell if your nym still works. To reduce traffic analysis, the remailer system needs lots of remailers and lots of cover traffic, and you need to use the remailers a lot so your mail to them doesn't look regularly scheduled.
# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus inoculation

From stewarts at ix.netcom.com  Mon May 20 00:08:16 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Mon, 20 May 1996 15:08:16 +0800
Subject: crosspost re remailers
Message-ID: <199605200149.SAA10873@toad.com>

At 01:00 AM 5/16/96 -0700, Rich Graves wrote:
>The entry points into the system, though, have value. You need to be able
>to locate and trust them. Remailer reputations are valuable. Otherwise,
>you're liable to send your message into the NSA-remailers-are-us system.
>You need a web of trust among remailers at the very least, which means
>some level of exposure (at least by "social analysis" by observing the
>relationships among the various remailer nyms).

There are two ways around this problem - chaining remailers, and encryption. As long as one remailer on the chain from your source to your destination is not compromised, you can send mail encrypted to each remailer in the chain (i.e. send Alice's Remailer the message E(Alice, E(Bob, E(Carol, message)))) and the message won't be compromised, though it may be blocked.

For reply-style remailers, chaining is much harder, at least if you use a non-stealth encryption system like PGP or RIPEM which reveals the recipient's public key in the headers, and if the remailers don't include a public key to encrypt the message contents with as well as a key to encrypt the connection to the next remailer with. (Otherwise, if the sender encrypts a message to NymA at Alice, and Alice encrypts it with Bob's key and sends it to Bob, Bob decrypts it, encrypts with Carol's key, and sends.... Zed decrypts it, encrypts it with your key, and sends it to you, then any node compromised by Bad Guys will see a message encrypted to NymA.)

>Chaos within the system is good. Moving remailers around could be good,
>provided that a service location infrastructure is established.
>Raph's list is a good start, but it needs to be more automatic and dynamic --
>which to me (perhaps wrongly) suggests formalization, which means points
>of failure.

It would be much easier if there were a DNS hack that lets you connect to dns.remailer.net:registry, which takes your IP address and serves it as remailerN.remailer.net until you log off (using a short DNS expiration time). This does provide a large number of interesting attacks on the system - denial of service is easy (make lots of connections, filling all ports), and it's easy to add subverted remailers (just connect!) It also doesn't spoof reverse lookups unless your system is able to handle multiple IP addresses (which requires cooperation from your ISP's routers, unless remailer.net is also running a packet laundry, which increases its targetness.) Signed DNS responses would help some attacks, once that's standardized.

Does anyone have any ideas on how to do this correctly?

# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus inoculation

From camcc at abraxis.com  Mon May 20 00:22:06 1996
From: camcc at abraxis.com (camcc at abraxis.com)
Date: Mon, 20 May 1996 15:22:06 +0800
Subject: Burmese Excommunication
Message-ID: <2.2.32.19960520014352.00683f44@smtp1.abraxis.com>

-----BEGIN PGP SIGNED MESSAGE-----

At 10:54 AM 5/19/96 -0700, you wrote:
>Cypherpunks is not a political newsgroup.
>

I agree; I am concerned, however, when I read that any government, theirs or ours, acts or prepares to act to stop or stifle the free traffic of information.

Your point is well taken; my post was intended for information and perhaps discussion value. Take it as you choose.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMZ/M2CKJGkNBIH7lAQHZZAP+KVLlk6REEaL4sskjV7mM28uMOOzGLxxf
3lf3UZGheizpgx6Ms3QpOyJpAADg365R4Lsgusynih49PM2EF+LLs1fNu6dUxbTm
beXwK1UJBiBQhglL6pG5tKbjf8vQTdZWOBkEIVLjw4vsPQJlsRlAc8jkijJ/sq/+
uYd0Rof3boY=
=adoY
-----END PGP SIGNATURE-----

From stewarts at ix.netcom.com  Mon May 20 00:39:23 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Mon, 20 May 1996 15:39:23 +0800
Subject: Too cheap to meter
Message-ID: <199605200239.TAA12059@toad.com>

>At 07:09 PM 5/15/96 EDT, E. ALLEN SMITH wrote:
>> One problem with the development of such high-end technologies is that
>>they tend to increase economies of scale to the point where it's impractical to
>>have anything but a monopoly or oligopoly. As well as concerns about the degree
>>of control such an organization may be able to exert in and of itself (acting
>>like a government, in essence), there's also that such an organization is
>>easier to pressure than a lot of small providers. Anyone have a suggested
>>solution, or reasons that I shouldn't be so worried?

The nice thing about economies of scale is that they make it possible to do things that used to be too expensive with older technology. For instance, the Internet has problems now because the Network Access Point capacities are really too low to let everyone connect to them, so there are limited numbers of powerful ISPs feeding the rest of us: the DEC Gigaswitches handle 16 users, and the FDDI-based systems don't have the capacity to support more than a couple T3-capable ISPs. Faster technology may let more people on.

Faster technology also changes the balance between communications and computing - it's really hard to _do_ anything with 1Tb/s other than shove packets around between multiplexers. On the other hand, if the NSA (or NASA or Yoyodyne or some other surrogate) is on a FDDI NAP, they can promiscuously receive all the packets that go by and sniff for interesting addresses.
Jim Bell:
>You might as well forget about this 1 Tb/s fiber, for example. In order to
>justify such a thing, you need to have 1 Tb/s of information that you want
>to take from "here" to "there". A city of 1 million people would have to

It's true that that's about 10 million simultaneous voice calls, which is enough for about 60 million typical business phones if they all went through the fiber, which they wouldn't, since they're mostly local. It's alternatively enough for 10,000 uncompressed TV-quality video streams, if you like variety in your television networks. Or 20,000 T3s.

One major effect that happens if bandwidth becomes cheap (and I'm not sure that the mux costs for a system that size would really let it be cheap) is that it becomes cost-effective for far more people to get into the phone basis, bypassing the current local phone companies. The last mile to your house may still be expensive (that's also changing), but the last mile to any large office building or apartment complex isn't, for voice.

> ....eggs in one basket...

For redundancy, you'd probably use 4 fibers in a FDDI-like ring. Most of the major long-distance carriers are deploying their SONET as fully redundant rings, though one or two of them may still be considering non-fully-redundant SONET configurations, and even the carriers who are doing the Right Thing may do the Cheap Thing transitionally.

# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus inoculation

From jimbell at pacifier.com  Mon May 20 01:07:30 1996
From: jimbell at pacifier.com (jim bell)
Date: Mon, 20 May 1996 16:07:30 +0800
Subject: Rumor: DSS Broken?
Message-ID: <199605200308.UAA03511@newmail.pacifier.com>

At 08:33 AM 5/19/96 -0400, Robert Hettinga wrote:
>At 9:41 PM -0400 5/18/96, Bill Stewart wrote:
>> MD5 is at least weakened, maybe broken; there's an abstract by Hans Dobbertin
>> that says something about generating collisions, and gives an example
>> (though the abstract doesn't say how general the method is.)
>
>That's what I get for not reading the DSS stuff when it came out. I'd heard
>lots about the MD5 stuff, but I didn't put the two together.
>
>It also looks like I'm behind in my reading. Time to buy another edition
>of Applied Cryptography...

It should occur to all of us that if the NSA was actually doing the job we are vastly over-paying them to do, it is THEY who should be finding, exposing, and correcting these kinds of cryptography faults. Has anybody ever heard any evidence that the NSA has ever acted in this sort of responsible role?

Another question: If the government provided DSS, and it's now toast, and it provided Clipper... Somebody ought to ask The Wicked.... er... Dorothy Denning how she thinks we should be willing to trust the government's vetting of anything like Clipper when DSS may be flawed...and the government didn't find the error!

Think about it.

Jim Bell
jimbell at pacifier.com

From jf_avon at citenet.net  Mon May 20 01:28:14 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Mon, 20 May 1996 16:28:14 +0800
Subject: Virtual machines?
Message-ID: <9605200344.AA02438@cti02.citenet.net>

Hi.

Pardon my ignorance, but I have had a few questions haunting me for a while.

Is there a way to have a remailer de-localize itself and relocalize itself over the internet?

For example, could there be several machines around the world such that, when you send an e-mail to it, it is routed to different physical places of the world depending on where the actual remailer process is actually running?
Could there be such a thing as a virtual machine running a remailer that gets to hop from physical machine to physical machine around the world?

Just an idea to avoid jurisdiction problems.

Just asking, probably quite futilely...

Thanks

JFA

DePompadour, Societe d'Importation Ltee; Limoges porcelain, silverware and crystal
JFA Technologies, R&D consultants; physicists, technologists and engineers.
PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891
Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have accepted the above mentioned terms.

From perry at piermont.com  Mon May 20 01:29:11 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Mon, 20 May 1996 16:29:11 +0800
Subject: WELCOME TO THE NEW ROMAN EMPIRE
In-Reply-To: <199605190143.SAA14185@netcom3.netcom.com>
Message-ID: <199605200050.UAA15010@jekyll.piermont.com>

Dave Harman writes:
> EVERYONE GETS A HIGH SCHOOL DIPLOMA --> HIGH SCHOOL DIPLOMAS BECOME WORTHLESS
> EVERYONE GETS A PHD --> PHDS BECOME WORTHLESS

Will someone please buy this man a shift key and some Thorazine?

.pm

From jf_avon at citenet.net  Mon May 20 01:44:24 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Mon, 20 May 1996 16:44:24 +0800
Subject: Assassination Politics 1-3
Message-ID: <9605200337.AB02122@cti02.citenet.net>

On 19 May 96 at 20:31, you, Pat Trainor, wrote:

> On Sun, 19 May 1996, Jean-Francois Avon wrote:
> > Back to AP, I did not invent the scheme nor do I approve or like
> > it a lot. But I find it very interesting to discuss.
> >
> > The author of AP is Jim Bell .
>
> That was what I was interested in. You see, I read a story exactly
> along the same lines a long time ago, and I thought the group would
> like to know just what happened during that 'scheme'.
>
> > I would gladly read the long letter that you wrote.
>
> Here's the text, and if you didn't see it posted, please repost
> with a cc to Mr. Bell. If you did see it, then just erase.. But the
> damnest thing that my email is so squirrely!!
>
> Thanks again!!
>
> (if anyone wrote me in a reply, I never got it. ISP is putting a new
> T1 in, and this is causing errors in traffic I'm told.)
>
> >From ptrainor at aura.title14.com Sun May 19 20:23:48 1996
> Date: Thu, 16 May 1996 22:09:16 -0400
> From: Pat Trainor
> To: jimbell
> Newsgroups: talk.politics.crypto, talk.politics.libertarian,
> alt.politics.libertarian, alt.society.anarchy, alt.privacy,
> alt.security.pgp, alt.activism, alt.anarchism, alt.cyberpunk,
> alt.politics.datahighway
> Subject: Re: Insurable Interest Assassination Politics 1-3
>
> On Thu, 9 May 1996, jimbell wrote:
>
> > > How will this be enforced, someone with more resources,
> > >money, drugs, guns, better planned religion, icbms, will start to
> > >gather "like minded individuals" and start to tell others how to
> > >live., some will join them, others will fight, and we're back
> > >where we started.
> >
> > No, because any threatening individual or group will be "predicted
> > to death" posthaste.
>
> I haven't followed this thread from the beginning, but I recognize
> the theme. I read _eons_ ago a short story in which this exact
> mechanism was used to enforce a leaderless society. Now I'm no
> economist, nor historian (future or otherwise) but I do vividly
> remember this story.
> It was in a science-fiction compilation, as I was very prone to
> read (Nebula Awards, etc..) in my early days in the military and
> before.
>
> My question would be: have you ever read a story with this precise
> theme? The assassins looked like (sorry) Star Wars storm troopers in
> white, air conditioned suits. They were not anonymous, except that
> you couldn't see their faces (is that enough?).
>
> The story treated the same (apparently) hypothesis you mention. The
> 'Assassin's Guild' I think was the title.

Irrelevant to AP since nobody knows anybody, nor what anybody else does.
> One of the problems in the model I read about was that the area to
> be policed was too large to allow an elite minority to cover
> properly, or even effectively.

Again, irrelevant to AP. This scheme supposes some clan against another (the govt). Re-read Jim Bell's essay and you'll realize that it wouldn't work that way at all.

> It was a situation of ratios. To be superior, even with a
> technological edge, you need numbers. You have to offset the balance
> somehow. Population control was attempted by the guild in the end as
> a measure to increase the odds in their favor. This caused an
> understandably intense reaction with the masses, who were ultimately
> those being served.

Not in AP. Because the aim when using AP against government or any other entity is not to get rid of it by killing its members, but rather to get rid of it by scaring any individual that would participate in it.

> Another problem was that the technology required for a large
> coordinated effort required organization of a military nature (rank,
> etc..). This was necessary due to the myriad of decisions that had
> to be made.

Re-read the essay again.

> Surveillance was the issue. In order for the Guild to be able to
> identify a problem, an immense amount of surveillance was required.
> Again the technology and the infrastructure required to support it.

Are you saying that problems are difficult to identify?

> The decision had to be made by superiors who were in touch with all
> the information from all areas under surveillance to make the
> ultimate decision. There needed to be, effectively, a steering
> committee to determine if the proposed action was both affordable
> and warranted.

To Cypherpunks: I did not write the following paragraph. It was probably from Jim Bell, but I only guess.

To: Pat Trainor: Ask Jim Bell to send you his paper. I'm sure he will do it wilfully.

Pat Trainor wrote:
>somebody wrote:
> > To the eventual outcome. The system's inevitable. Read the
> > essay; it explains why. I'll forward it to you; I assume it's no
> > longer available on your newsfeed.
>
> I wouldn't mind reading it, it sounds a lot like what I'm
> describing.
>
> > They might be wrong. I might be right.
>
> The Assassin's Guild was bought into in phases by the ruling
> elements of all major powers only after they had all lost their
> ability to maintain an effective repel borders and the place (earth)
> was a mess.
>
> Realistically, you can't build from the ashes any faster than
> anyone else is. And human nature doesn't change because of a new
> caveat in religion or 'law'. A human will always be a human,
> regardless of what law they purport to follow or heed.
>
> > Thomas Edison tried hundreds of different materials to make light
> > bulb filaments before he found one that would work.
>
> Actually he directed experiments! :) But this statement reminded me
> of the 'Infinite Number of Monkeys' theory, except applied to 'self
> rule', well, I guess not, well..?
>
> > And BTW, we're already all "in fear of our lives." You know,
> > muggings and carjackings. How is my system worse,
> > quantitatively?
>
> Actually, you'll find folks doing the most desperate things in a
> desperate world. If you try to forge order out of chaos, you quickly
> find that the order you are trying to enforce feeds the chaos. You
> create your own increasing difficulty by default. A society (or
> group of societies) in anarchy will fear order. This, coupled with
> the fact that you have to create from the same resources the masses
> have access to, makes your efforts incredibly difficult. You will
> never find a unified agreement among a society that can't feed or
> clothe itself. If you do, you instantly become what you are telling
> the people you are trying to prevent. Folks will see through this
> veil and vanquish such an effort favoring a predictable anarchy over
> a concerted organized rule.
>
> > >To change the world you have to understand the rules,
> >
> > But you don't necessarily have to _follow_ the rules!
>
> That's a good point, and one I think I've shown means that you will
> always have rules. Sometimes yours, sometimes theirs, if lucky a bit
> of both.. But they will be there. We are a self-righteous
> pack-oriented species. We thrive on group individuality! That must
> be why psychologists make so much money!
>
> > The system I've described will work even if only a small
> > proportion of the population uses it, at first. That's what makes
> > it so amazing, really.
>
> Again, I'd appreciate a look at your paper.
>
> Now for the subtle problems pointed out accurately in the
> Assassin's Guild. As a strategic planner for a living, I have
> learned to live by a good rule: Make your best estimates for a
> project's completion, then double them.
>
> A support structure required for the Assassin's Guild required
> things you would never immediately think of. Support from several
> areas is required. Remember, you are basically operating a country
> with soft borders covering all areas, no matter how distant.
>
> For solely the guild's efforts, no others, a few of the things
> required are:
>
> Manufacturing
> Fabrication
> Research & Development
> Quality Assurance
> Medical
> Clothing
> Shelter
> Food
> Recreation
> Self-Rule
> Coordination
> Information Exchange
> Communication
> Information Retrieval
> Surveillance
> Commerce
> Expansion
> Earth Sciences
>
> The trouble is, each and every one of the above is subject to
> espionage, revolution, corruption, pranks, etc.. Therefore each must
> be treated with complete encapsulation within the guild. The only
> way to exclude interference from within or without, was to closely
> monitor each and every aspect of the guild's organization.
> Self-policing.
>
> When you start visualizing what the organization would actually be
> running (never mind the seemingly impossible task of starting the
> organization from scratch), it seems a very impractical proposition.
>
> Plus, the guild found all the military stuff laying around pretty
> useful.. Folks were NOT excited about another police state..
>
> Anyhow, sorry for the long post, but I thought perhaps you'd enjoy
> the problems the Assassin's Guild had, and compare it to your own
> model.
>
> later!
>
> pat
> :)
>
> Pat Trainor * WARNING: THE OPINIONS I EXPRESS MAY NOT BE MY OWN
> * finger for key: ptrainor at aura.title14.com
> http://www.title14.com/
> Key fingerprint = 4B 14 97 D7 11 41 35 76 28 43 1E E3 2E E3 81
> D6 "Winning may not be everything, but losing is NOTHING!" -Ed
> Bighead
>
>
>

DePompadour, Societe d'Importation Ltee; Limoges porcelain, silverware and crystal
JFA Technologies, R&D consultants; physicists, technologists and engineers.

PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891

Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have accepted the above mentioned terms.

From snow at smoke.suba.com Mon May 20 01:46:00 1996
From: snow at smoke.suba.com (snow)
Date: Mon, 20 May 1996 16:46:00 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
In-Reply-To: <2.2.32.19960519152746.00392f04@mail.pi.se>
Message-ID:

On Sun, 19 May 1996, Matts Kallioniemi wrote:
> > IP spoofing would do this nicely. Since SMTP doesn't require any
> significant responses, you can send blind and fake your IP address.
> To do that you need root access on your mailer machine and an
> ISP that doesn't sniff and filter its network for spoofing attacks.

It is my understanding that IP spoofing will become much more difficult, if not impossible when IP6/whatever gets put into place. It seems to me that IP spoofing is not a long term option.
Deep Thought Question for the Constitutional Scholars:

What chance would a remailer operator have in the court system today positing the following set of circumstances:

1. Case concerns retrans of either copyrighted/trade secret material (i.e. CO$ shit) or basically anything _but_ child porn or a murder contract.
2. Remailer operator did not violate any laws.
3. Remailer operator has big enough legal guns (ala EFF & ACLU etc.) to back him.

I realize that this would be a civil case rather than a criminal one, maybe it would have to be child porn or something illegal to get that far, but if I were to set up a remailer under my real name, and the CO$ came after me, given that I had the financial backup to carry the case to trial, what are my chances?

Would it be worth it to do a Scopes Monkey Trial like case on this, get someone willing to take the chance, and establish that it _is_ legal to run a remailer?

I might be willing to be the test case for this, but I would need to know the ramifications, and I would need to get my wife's approval for this, and I don't want to expose Suba to any liability in this. (So relax Alex).

Petro, Christopher C.
petro at suba.com
snow at crash.suba.com

From jimbell at pacifier.com Mon May 20 02:04:03 1996
From: jimbell at pacifier.com (jim bell)
Date: Mon, 20 May 1996 17:04:03 +0800
Subject: Cypherpunks, a political "newsgroup?"
Message-ID: <199605200308.UAA03514@newmail.pacifier.com>

At 06:09 PM 5/19/96 -0400, Declan B. McCullagh wrote:
>Excerpts from internet.cypherpunks: 19-May-96 by anonymous-remailer at shell
>> Cypherpunks is not a political newsgroup.
>
>Hah! Most everything that's discussed here has political overtones. I,
>for one, appreciated in the info on the Burmese businessman and
>forwarded it to fight-censorship. I'll link it in to
>http://www.cs.cmu.edu/~declan/international/ when I get a chance.

I happen to agree. Information privacy, security, and freedom are definitely "on-topic" around here.
Jim Bell
jimbell at pacifier.com

From remailer at 2005.bart.nl Mon May 20 02:23:56 1996
From: remailer at 2005.bart.nl (Senator Exon)
Date: Mon, 20 May 1996 17:23:56 +0800
Subject: Toastmasters?Incorporating
Message-ID: <199605200437.GAA20138@spoof.bart.nl>

How do corporations work, in terms of liability? If the cost of incorporating isn't forbidding, I would think a remailer operator might consider incorporating a company, and making the remailer a function of that company. That way, any losses are restricted to the total value of the corporation; that is, nothing.

Any flaws? There must be something wrong with it somewhere.

Thanks.

From middle-man-admin at alpha.c2.org Mon May 20 02:25:02 1996
From: middle-man-admin at alpha.c2.org (middle-man-admin at alpha.c2.org)
Date: Mon, 20 May 1996 17:25:02 +0800
Subject: New Remailer (hidden)
Message-ID: <199605200332.UAA10885@infinity.c2.org>

NOTICE: A new type of remailer has just gone into business! It's called a "hidden remailer-in-the-middle". The address is middle-man at alpha.c2.org.

This new type of remailer uses a combination of Lance Cottrell's Mixmaster remailer and Raph Levien's premail program.

Advantages:

* The remailer is completely hidden. Attempting to discover the actual identity of the remailer site is virtually impossible.
* The remailer uses both Type-I and Type-II remailer technology for handling remailer traffic.
* Random remailer chains are selected separately for every outgoing message.
* The remailer is designed to answer to a chained nym.
* All Mixmaster administrative commands are also chained through multiple remailers. (i.e. remailer-help, remailer-key)

How it works:

The actual address of the remailer is hidden behind a chained nym. The plan is for the reply-block for middle-man to change approximately every 48-72 hours. This will be transparent to the net but will help to foil traffic analysis.

The new remailer operates under a modified Mixmaster.
The code has been modified so that outgoing messages are passed to premail to allow padding of extra remailer chains. Each outgoing message will have two type-I remailers randomly padded to the end of the chain based on the current status of Raph Levien's remailer reliability list.

If you have any questions or would like more information, please contact middle-man-admin at alpha.c2.org.

middle-man-admin at alpha.c2.org

From snow at smoke.suba.com Mon May 20 02:28:54 1996
From: snow at smoke.suba.com (snow)
Date: Mon, 20 May 1996 17:28:54 +0800
Subject: The Crisis with Remailers
In-Reply-To: <199605192015.NAA15002@netcom17.netcom.com>
Message-ID:

On Sun, 19 May 1996, Vladimir Z. Nuri wrote:
> not!!! I should have made this clear, but imho no matter how favorably
> the public sees anonymity, I still believe there will be little
> incentive to run remailers until there is some kind of ecash

Sometimes "Just Because" is enough. There are people running them right now with no incentive. As long as there isn't a _huge_ disincentive to run one, there will be several running, if only because there are people who _want_ to use one, so they run one.

> scheme. you are going to have "bad" uses of anonymity going on as
> long as you provide the capability. ask the remailer operators to
> estimate how much of their mail is simply taunts between college
> students or sexual harassment. I doubt you will ever be able to
> evade this.

If they know the answer to this question, then they are treading a dangerous ground.

> by liability I am also referring to a situation in which the
> internet provider is pressured to quit the service by *anyone* not
> necessarily agents of the government. past examples are strong evidence
> that it does not at all require a government to shut down a remailer
> via pressure. anon.penet.fi at one point was pressured to shut down
> by "a well known net celebrity"

Did penet.fi fold? Apparently not.

Petro, Christopher C.
petro at suba.com
snow at crash.suba.com

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 20 02:31:35 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Mon, 20 May 1996 17:31:35 +0800
Subject: The Crisis with Remailers
Message-ID: <01I4WS2XKN788Y5FKU@mbcl.rutgers.edu>

From: IN%"frantz at netcom.com" 17-MAY-1996 15:56:36.35

>Perhaps what is needed is a non-profit, charitable 501c foundation to
>encourage anonymous communication. Those who support the idea could make
>tax deductible contributions which would be used for grants, public
>education etc. etc. to encourage anonymous communication. It could be
>called, "The Federalist Foundation" because the Federalist Papers were
>published anonymously.

Hmm... I wonder if it would be good for this Foundation to itself operate some for-pay remailers, in order to make some money from sources besides contributions? Possible disadvantages:

A. It could get sued, and thus lose funds
B. If its prices were set too low, it could wind up driving other remailers out of the market (combination of low price with likelihood to still be there), and thus become a vulnerable point.

-Allen

From timd at consensus.com Mon May 20 02:35:02 1996
From: timd at consensus.com (Tim Dierks)
Date: Mon, 20 May 1996 17:35:02 +0800
Subject: Rumor: DSS Broken?
Message-ID:

At 8:32 PM 5/19/96, Bill Stewart wrote:
>On the other hand, NIST has been saying that DSS isn't covered by any patents,
>which the PKP folks had some very negative, skeptical comments about,
>before PKP fell apart; it probably still is covered by the Cylink/Stanford
>patents until they expire next year, though it's not covered by RSA.
>The patent licensing hassles probably have kept a lot of people from using it,
>except for specific sales to the government.

Not to mention the Schnorr patent, which is good until 2008. NIST has claimed DSA doesn't infringe upon patents, but they won't necessarily help you in court, let alone indemnify you.
I think everyone is using RSA because it's easy, safe and already widely deployed. Since you've got to buy a BSAFE license to do any interesting commercial cryptography anyway, why go through the hassle of another algorithm? Cylink is pushing DSA, however, because with DSA + Diffie-Hellman, you get both encryption and signing, thus providing a similar set of capabilities to RSA.

Note also that a DSA implementation might be usable to do ElGamal or RSA encryption; I don't know whether generally available commercial / exportable implementations can or not. [Applied Cryptography, 2nd ed., 490-491]

- Tim

PS - Anyone know what the ASN.1 AlgorithmIDs and public key formats are for DSS? I'd like to add support for DSS X.509 certs to my X.509 library. Even better would be a couple of such certificates so I can test.

PPS - Any chance the original rumor surrounded RCA/Hughes' DSS satellite TV system, and not the Digital Signature Standard, and we've all been barking up the wrong tree?

Tim Dierks - Software Haruspex - tim at dierks.org
"That's the trouble with technology. It attracts people who have nothing to say." - Muffey Kibbey, mother [Wall Street Journal, May 10 1996]

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 20 02:37:32 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Mon, 20 May 1996 17:37:32 +0800
Subject: Defeating fingerprints
Message-ID: <01I4WSZWZK348Y5FKU@mbcl.rutgers.edu>

From: IN%"sinclai at ecf.toronto.edu" "SINCLAIR DOUGLAS N" 18-MAY-1996 04:15:33.26

>Not that random playing with carcinogenic chemicals is a good idea, but...
>I've found that if you use just one reagent from epoxy glue, the collagen
>in your skin will dissolve. You can sculpt it into whatever shape you want,
>and it will stay that way for an hour or so. I don't remember if it was
>the resin or the hardener though. This was regular 5 minute epoxy.

I somehow doubt that the collagen is dissolving.
You may be loosening the keratinized dead skin cells and pushing them around, and then they flake off in some length of time (probably speeded up by this treatment). Any signs of redness, etcetera in the skin afterwards? Unusual sensitivity of the fingertips, especially to pain?

One thing to keep in mind is that fingerprints aren't just from the whorl pattern that you see. They're also from that the sebaceous (oil) glands in the skin are arranged along those whorls. You need a pretty resistant barrier to stop these. I've been told by the son of a cop that the combination of a pair of latex gloves with a couple layers of cotton gloves stops both the oils and the normal pressure patterns.

-Allen

From alanh at infi.net Mon May 20 02:40:13 1996
From: alanh at infi.net (Alan Horowitz)
Date: Mon, 20 May 1996 17:40:13 +0800
Subject: WELCOME TO THE NEW ROMAN EMPIRE
In-Reply-To: <199605200050.UAA15010@jekyll.piermont.com>
Message-ID:

> > EVERYONE GETS A HIGH SCHOOL DIPLOMA --> HIGH SCHOOL DIPLOMAS BECOME WORTHLESS
> > EVERYONE GETS A PHD --> PHDS BECOME WORTHLESS
>
> Will someone please buy this man a shift key and some Thorazine?

Yeah, next thing ya know, somebody will be claiming that Physics PHds can't get work now, and that MD's being out of work is right around the corner. (Newly minted board-eligible Pathologists have it worst, right now).

From stewarts at ix.netcom.com Mon May 20 02:50:43 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Mon, 20 May 1996 17:50:43 +0800
Subject: Rumor: DSS Broken?
Message-ID: <199605200334.UAA13431@toad.com>

At 08:05 PM 5/19/96 -0800, Jim Bell wrote:
>It should occur to all of us that if the NSA was actually doing the job we
>are vastly over-paying them to do, it is THEY who should be finding,
>exposing, and correcting these kinds of cryptography faults.
They may have; they're just kind of selective in who they expose them to :-) Also, there are expert cryptographers outside the NSA, and outside the US; you might check where Dobbertin lives. And this is a Good Thing.

>Another question: If the government provided DSS, and it's now toast,

SHA-1 isn't toast; it's MD5 that might be at least a bit crunchy. (The NSA gave us SHA, and later added a correction that appears to make it stronger, unless there's something really subtle and nasty inside.)

DSS isn't toast either, though the subliminal-channel stuff makes it necessary to look very carefully at any applications to find out what else is being done with them, which you can't always do. One of the purposes of DSS appears to be that it provides signatures without providing encryption, so the Feds can trust the Public to have it. Except of course that subliminal channels _do_ toast that part of it.

On the other hand, NIST has been saying that DSS isn't covered by any patents, which the PKP folks had some very negative, skeptical comments about, before PKP fell apart; it probably still is covered by the Cylink/Stanford patents until they expire next year, though it's not covered by RSA. The patent licensing hassles probably have kept a lot of people from using it, except for specific sales to the government.

# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus inoculation

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 20 02:51:31 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Mon, 20 May 1996 17:51:31 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
Message-ID: <01I4WUJDSY8C8Y5FKU@mbcl.rutgers.edu>

From: IN%"llurch at networking.stanford.edu" "Rich Graves" 18-MAY-1996 09:07:35.05

>On Thu, 16 May 1996, Bill Stewart wrote:
>> ==================================================================
>> This message was posted from the anonymous remailer at www.jim.com.
>> Send any complaints to webmaster at www.jim.com .
>> Please don't post any copyrighted material longer than fair use quotations.
>> And did you know that Scientology's highly overpriced documents say that
>> ""
>> ===================================================================

>Once I was more or less done laughing and got off the floor, it occurred
>to me that this could provide a revenue stream for anonymous remailers.
>You'd charge advertisers sub-pennies for these little trailers. I
>understand that Sameer is getting very little Ecash for his
>remail/by-www.html, but maybe if he sold advertising space?

It's an interesting idea. One wonders if EFF would be interested in such a sponsorship? One could even add, say, an ACLU promotion to the end of messages without getting cash from the ACLU - this might encourage them to give more backing in case of a legal dispute. (You scratch my back, I scratch yours... I'm not meaning to be offensive to the ACLU, BTW.)

-Allen

From stewarts at ix.netcom.com Mon May 20 02:51:36 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Mon, 20 May 1996 17:51:36 +0800
Subject: News from Burma
Message-ID: <199605200004.RAA08693@toad.com>

At 10:54 AM 5/19/96 -0700, an anonymous entity wrote:
>Cypherpunks is not a political newsgroup.

Cypherpunks is a _highly_ political newsgroup, it's just focussed on enabling technology and not too worried about political agreement. In this case, there are folks in Burma using PGP, and the cypherpunks goals of creating the ability to have private communications make it relevant to discuss societies where you can be busted for simply possessing communications technology even if the Thugs can't tell what you're saying on it.

And a 9-line PBX may be usable as a telephone remailer...
# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus inoculation

From jad at dsddhc.com Mon May 20 02:52:25 1996
From: jad at dsddhc.com (John Deters)
Date: Mon, 20 May 1996 17:52:25 +0800
Subject: Sendmail Question (was: SMTP Server for sending to anonymous remailers?)
Message-ID: <2.2.32.19960519234923.002f39e8@labg30>

At 12:42 PM 5/19/96 -0400, you wrote:
>At 12:09 AM 5/19/96 -0700, you wrote:
>>If you use popmail (like Eudora), then just tell it the server to use in
>>"SMTP Host".
>> -Lance
>I have been following this with no little interest. Using Eudora Pro when I
>attempt to replace host: smtp1.abraxis.com with *SMTP Host*, I receive the
>message *Attempting to resolve host: SMTP Host*, and dat's all until I stop
>the send command.
>
>Thanks
>
>Alec

Alec,

What he meant was that you should replace the contents of the SMTP server's field with the address of the first remailer in your chain. For example, if I wanted to send this through the Holy Cow remailer, I'd put this in the SMTP server field: haystack at holy.cow.net

Remember, though, that several things OUT OF YOUR CONTROL have to happen for your mail to be anonymised successfully. First, if you are behind a "firewall" (i.e. doing this at work through your work's net connection) your firewall may be implementing what is known as a "proxy." That means even though you're using the SMTP protocol, you may not be *directly* talking to the SMTP client of the remailer. It may "look" like you're able to SMTP out to whoever you want to send mail, but in reality, the firewall can intercept your request, and "pretend" to be some other SMTP server. It then accepts your outgoing mail, and forwards it to the real destination. Abraxis sells firewalls.

Also, your firewall may be configured to not pass SMTP out at all, but rather to require you to send any SMTP traffic directly to it. That means you can not change your SMTP server to anything outside of your local net.
In either case, firewalls are certainly capable (and employers within their rights, but that's another useless thread) to log and/or read your mail. Anonymity lost, at least to your employer.

Finally, the anonymous remailer may (or may not) have some kind of logging turned on. I don't know why they would (what's the value if they do) but if some law enforcement agency orders them to discreetly monitor traffic, you lose again.

Unless you PGP encrypt your mail to the remailers before it leaves your machine for the big bad net, someone else can read it. And, no matter what, persons unknown can tell that your machine sent some message to the remailer. (This is known as "traffic analysis".)

Therefore, I'd *highly* recommend not e-mailing anything illegal over the net, remailer or no.

-j, annoying, yes. Illegal or harassing, no.
--
J. Deters
>From Senator C. Burns' Pro-CODE bill, which I support and you can find at:
http://www.senate.gov/member/mt/burns/general/billtext.htm
" (2) Miniaturization, disturbed computing, and reduced transmission costs make communication via electronic networks a reality."
+---------------------------------------------------------+
| NET: jad at dsddhc.com (work) jad at pclink.com (home) |
| PSTN: 1 612 375 3116 (work) 1 612 894 8507 (home) |
| ICBM: 44^58'33"N by 93^16'42"W Elev. ~=290m (work) |
| PGP Key ID: 768 / 15FFA875 |
+---------------------------------------------------------+

From stewarts at ix.netcom.com Mon May 20 02:52:47 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Mon, 20 May 1996 17:52:47 +0800
Subject: Is Chaum's System Traceable or Untraceable?
Message-ID: <199605192319.QAA07738@toad.com>

At 10:10 AM 5/19/96 -0400, Simon Spero wrote:
>> > (On the other hand, I have had a longstanding faith that the system can be
>> > made to be both payer- and payee-anonymous. Moneychangers, for example.)
..
>This scheme can't be used with the ecash API, and I believe is not looked
>on kindly when applying for ecash licences.
It makes you a lot more
>vulnerable to traffic analysis

There are at least two reasons for wanting payee anonymity
- general privacy
- criminal activities, e.g. ransom, where payee doesn't trust payer.

In the latter case, the facts that collaboration is required, special software is needed, and licenses are violated are not really a problem - the Bad Guy can give the payer the code along with the ransom note, and doesn't care about the license. Traffic analysis is a concern, but you're probably not going to collect ransom from the same person on a regular basis, and for blackmail, you can keep changing the payment address, and you're a bit less worried about the payer's location being noticed than if you were collaborating in something like tax evasion.

# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus inoculation

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 20 02:55:31 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Mon, 20 May 1996 17:55:31 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
Message-ID: <01I4WUETAM528Y5FKU@mbcl.rutgers.edu>

What countries are noticeable for being anti-Scientology? They would appear to be good locations for special-purpose remailer ultimate-output ends.

-Allen

From 103007.3426 at compuserve.com Mon May 20 02:55:49 1996
From: 103007.3426 at compuserve.com (Sally D. McMillan)
Date: Mon, 20 May 1996 17:55:49 +0800
Subject: 5 MINUTE CYPHERPUNKS SURVEY
Message-ID: <960520052137_103007.3426_GHU38-1@CompuServe.COM>

Hi! I'm writing a paper for school on E-commerce and would like to include a brief section on the role of Cypherpunks in E-commerce. If you would, please email me your responses to the following questions. Some of these questions are broad, but please limit your response to each question to 0-100 words.
Also, I am NOT attempting to stereotype the Cypherpunks, but am instead interested to learn whether there is a shared view among them. THANKS!

PS- PLEASE RESPOND TO MY EMAIL DIRECTLY by FRIDAY, 5/24/96 : 103007.3426 at compuserve.com

1. Would you call yourself a Cypherpunk? (Y, N, Not Sure)
2. What is the role of Cypherpunks in the DEVELOPMENT of secure E-commerce transactions?
3. What is the role of Cypherpunks in the MAINTENANCE of secure E-commerce transactions?
4. Why do Cypherpunks care about E-commerce? (Please limit to 100 words or fewer.)
5. What is a punk? What is a Cypherpunk? Can you distinguish between those who are up to no good, trying to crack security and those who try to crack security in order to maintain it? Do Cypherpunks, in your opinion, fall into either category?
6. What is the greatest security threat to E-commerce transactions?
7. On a scale of 1-10, how dangerous is it to give your credit card number to a vendor over the internet? (Please provide one number only for this answer.)
8. On a scale of 1-10, how would you rank your own knowledge of E-commerce and related security issues? (Please provide one number only for this answer.)

May I quote part of or all of your answers in my paper? Would you like to be referenced by name, email address, or as Anonymous? Please provide pertinent details.

THANK YOU FOR FILLING OUT THIS QUESTIONNAIRE! Please forward your responses to me at: 103007.3426 at compuserve.com

From stewarts at ix.netcom.com Mon May 20 02:57:45 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Mon, 20 May 1996 17:57:45 +0800
Subject: New Remailer (hidden)
Message-ID: <199605200544.WAA16819@toad.com>

Cool. I've got a test message going now. Does your remailer accept PGP-encrypted email? It's really critical for high-security applications, at least for first remailer hops, but your key's not on the MIT keyserver. BTW, how do we know you're not a plant?
:-) Aside from having an interesting nym, you've probably got the first remailer that makes it difficult to tell who's running it. You could be Sameer, or you could be Louis Freeh, but we don't know. At least folks like Xenon were known to be real people.... Even if you _are_ a plant, of course, we can still use your system, but I'd want to do encrypted email through other remailers on one end or the other.

# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus inoculation

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 20 03:02:49 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Mon, 20 May 1996 18:02:49 +0800
Subject: anonymous companies
Message-ID: <01I4WV3W0UHO8Y5FKU@mbcl.rutgers.edu>

From: IN%"unicorn at schloss.li" "Black Unicorn" 18-MAY-1996 11:16:57.48

> At 06:42 PM 5/16/96 -0700, Wei Dai wrote:
> > Solution: smart contracts. This is Nick Szabo's idea of building
> > contractual obligations into cryptographic protocols so that the parties
> > have no choice but to fulfill them. But again we don't know whether this
> > will actually work for this problem.

>But what happens when there are nuances or circumstances which contracts
>do not anticipate? This "complete" reliability is also a curse for
>flexibility which fast moving entities need to survive.

That's an argument for combining them with escrow agencies. If the escrow agency is less likely to need to intervene, then they'll charge less... the principle of insurance company risk estimation.

-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 20 03:03:04 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Mon, 20 May 1996 18:03:04 +0800
Subject: Why does the state still stand:
Message-ID: <01I4WSQY7EH68Y5FKU@mbcl.rutgers.edu>

From: IN%"jimbell at pacifier.com" "jim bell" 18-MAY-1996 02:54:47.09

>On the other hand, the government also has enormous "obligations" that keep
>it close to bankruptcy.
It wouldn't take a great deal of interference in
>its ability to collect taxes to put it solidly in the red based on current
>receipts. And remember, if the individuals who populate government could be
>persuaded that their tenure would be forcibly shortened if they didn't
>resign, they wouldn't stick around. Once that cohesiveness of jointly
>sucking on the government tit is eliminated, I think they'll cut and run.
>These people are working for a fat paycheck and the promise of a retirement
>package, and it wouldn't take much convincing to show them that they won't
>get either for very long. I'm convinced that's why so many Senators and

While quite a lot of people in the government are working just for the paycheck, there are also some idealists - and some who are working for a "power paycheck" rather than a "cash paycheck." I'm willing to bet that that's the case with the NSA and its _general_ opposition to cryptography. You'll have three basic groups:

A. Those who are idealists. This can be divided into two categories.
   1. Those who idealize the power of government, such as via a devotion to democracy. These oppose cryptography because it weakens the government.
   2. Those who are primarily interested in protecting America from everyone else. These promote cryptography, and need to be supported.
   3. Those who (stupidly) believe in the US government enough to "just follow orders," as the Nuremberg phrase goes. If you can get the type 2 idealists in power, these will do the right thing.
B. Those who want power. These oppose cryptography because they will lose power if it is widely implemented.
C. Those who are just there to get a paycheck. These will act in most situations about like an idealist of type 3, but when push comes to shove won't be willing to back it up seriously.
I'd appreciate feedback from anyone who's dealt with the intelligence community more than I have (not particularly difficult) to confirm or deny the above classification system, and give some idea as to the proportions within the NSA, government in general, etcetera.

-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 20 03:13:09 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Mon, 20 May 1996 18:13:09 +0800
Subject: Edited Edupage, 16 May 1996
Message-ID: <01I4WRKPGQXS8Y5FKU@mbcl.rutgers.edu>

From: IN%"educom at elanor.oit.unc.edu" 16-MAY-1996 23:29:38.03

>AOL TEAMS UP FOR E-COMMERCE
>America Online has cut deals to license encryption, digital signature, and
>electronic transaction and funds transfer technologies from a variety of
>companies, including CyberCash, IBM infoMarket, RSA Data Security, Terisa
>Systems and VeriSign. "These new relationships will provide the building
>blocks for a secure electronic commerce platform," says AOL's VP of product
>marketing. The online service plans to integrate the electronic commerce
>technologies into both its online service and its Global Network Navigator
>Internet access service. (Investor's Business Daily 16 May 96 A9)

Well, at least they're making moves to get cryptography to the AOL masses.... although somehow I suspect that they'll roll over and play dead for any and all GAK pressure, and won't use any variety of truly anonymous digital cash.

>ATTEMPT TO BLOCK USE OF CANADIAN SATELLITES
>MCI Communications, AT&T and EchoStar Satellite all have filed additional
>complaints this week with the FCC about proposals made by rivals
>Tele-Communications Inc. and TelQuest Ventures that cite Ottawa's refusal to
>allow American companies to beam their programs into the United States as
>cause for the FCC to deny the application.
(Toronto Financial Post 16 May 96 >p3) An ex-FCC official says the American regulator is unlikely to approve >the use of four Canadian satellites by US-based TelQuest Ventures and >Tele-Communications Inc. to beam signals to the American market unless >Canada's market is opened up to U.S. services. (Montreal Gazette 15 May 96 G3) One wonders what the FCC would do if they weren't US-based companies, and if it weren't from satellites from such an interlocked-with-the-US country as Canada. -Allen >Edupage is written by John Gehl (gehl at educom.edu) & Suzanne Douglas >(douglas at educom.edu). Voice: 404-371-1853, Fax: 404-371-8057. >*************************************************************** >Edupage ... is what you've just finished reading. To subscribe to Edupage: >send mail to: listproc at educom.unc.edu with the message: subscribe edupage >Jack Kerouac (if your name is Jack Kerouac; otherwise, substitute your own >name). ... To cancel, send a message to: listproc at educom.unc.edu with the >message: unsubscribe edupage. (If you have subscription problems, send >mail to educom at educom.unc.edu.) From ses at tipper.oit.unc.edu Mon May 20 03:35:20 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Mon, 20 May 1996 18:35:20 +0800 Subject: Apple Newton specs: RAM, infrared, speed In-Reply-To: Message-ID: I just got back to Chapel Hill, dug up my NTK docs, and you go and do this :-) Newton script is not a particularly ideal language for crypto (or networking). It's byte code interpreted, and more annoyingly, has 30 bit integers. The C++ compiler has been promised for a while, but it looks like it may actually appear soon (the new newtons seem to be doing really well on word-of-mouth- at the moment I guess apple will do anything that will get the cash flowing :-( Simon // newt & BEboy On Sun, 19 May 1996, Declan B. McCullagh wrote: > >From a friend who's one of the best Newton developers around. 
An > unsolicited plug: check out his company's web site at > http://www.newts.com/ > > -Declan > > ---------- Forwarded message begins here ---------- > > Date: Sun, 19 May 1996 11:56:52 -0700 (MST) > To: "Declan B. McCullagh" > From: dan at newts.com (Dan Rowley) > Subject: Re: Fwd: Is Chaum's System Traceable or Untraceable? > > >>Does anyone on cpunks or ecash have an Apple Newton? I know > that they come with infrared-- what are the specs on that > communications device? And about the Newton itself: can it > compile ANSI C code? How much RAM? Permanent storage? Speed > of crypto operations? > > Dec - > The Newton's infrared is essentially the SHARP "ASK" protocol, > which is the same as used by the sharp wizard. It is *not* IrDA > compatible, and Apple claims that it's a hardware problem not a software > problem. The Newton cannot currently compile ANSI C unless you have very > close ties to Apple (internal code development is in C), but they will be > releasing C tools for the Newton within a couple of months. The C, of > course, is not directly compiled on the Newton, but on a host Mac. The > Newton ships with between 1 and 2 megs of internal RAM, but can be expanded > with FLASH or SRAM cards, but there's only one slot, so putting in a modem > could be tough.. ;) The permanent storage *is* RAM. It's all flash. As > for speed, it depends on whether you do it in NewtonScript or C. > NewtonScript is compiled to P-Code that runs on a virtual machine, and is > really not too bad. you can also compile to straight ARM code if you want. > The next Newton to come out will be based on the DEC StrongARM which I > understand is blindingly fast.. > > Hope this helps > > Dan > > -------- > Dan Rowley > Innovative Computer Solutions > Developers of fine software for the Newton > Now, also developers for Be! 
> > From jf_avon at citenet.net Mon May 20 03:36:46 1996 From: jf_avon at citenet.net (Jean-Francois Avon) Date: Mon, 20 May 1996 18:36:46 +0800 Subject: (Fwd) Re: TCM: mafia as a paradigm for cyberspace Message-ID: <9605200337.AA02122@cti02.citenet.net> Sorry Vlad Z. Nuri, but this message was intended for Cypherpunks, to be cc'd to you. Unfortunately, I wrongly addressed it. To CPunks: the reply that should have hit CPunks: ============================================================ To: jf_avon at citenet.net Subject: Re: TCM: mafia as a paradigm for cyberspace Date sent: Sun, 19 May 96 19:52:45 -0700 From: "Vladimir Z. Nuri" there is no ethical basis for killing. please kindly keep your trash out of my mailbox I've evaluated all sides of the story, and am not influenced by corrupt machiavellianism ============================================================= -------Original Message Follows ------- From: Self To: "Vladimir Z. Nuri" Subject: Re: TCM: mafia as a paradigm for cyberspace Reply-to: jf_avon at citenet.net Date: Sun, 19 May 1996 01:59:00 On 18 May 96 at 12:43, Vladimir Z. Nuri wrote: > maybe talk to Jim Bell some more. perhaps > eventually you will perfect the method of perpetrating the perfect > killing!! I really do admire you, because killing people without > getting caught is surely a great unrecognized art, and one of the > most unappreciated and misunderstood. something that has only been a > dream to the blighted wretches prior to our glorious new phases of > cyberspatial technology, which makes human morality completely > obsolete. I think that you are writing way out of context. First, wether or not the AP scheme is used for the control of government, as Jim Bell pushes it, does not mean that it will not be implemented for other purposes, such as killing successful businessman or your neighboor's son who is screwing your wife (noticed that she smiles all the time since a while? ) . 
Second, everybody like Jim Bell who is pushing the AP scheme is doing so on ethical basis: that the coercion the government imposes on to the individuals by regulations, and guns backed taxation justifies the killings. I have to see yet any cypherpunks who seems to agree with AP that envision another use than govt control. Third, you will notice that even Jim Bell discusses issues of anonymous transactions and businesses that, if conducted properly, makes the AP scheme irrelevant. So, it seems that AP is only a tool instead of being an end in itself. Fourth, you lack some basic psychological insight: intrinsic murderers do enjoy the knowledge of the details of their actions and the derived perception of power. AP prevents that by anonymising everything: a donator cannot know if he caused the death of somebody (unless he spends several tens of grands himself, but then, there are other, more satisfying ways for a power seeker to fullfill his passions...) . You seems to oppose the proposed violence entailed by AP but you positively blank out what everybody who reflected on AP put in the opposite pan of the balance, i.e. the ethical standards of contemporary govt actions. And you'll also note that the anonymity issue generate more interest from more CPunks because it (hopefully) will acheive the same goal without any killing. Until you accept to evaluate both side of the story, your recriminations opinions are as evident as the magnetic monopole... jfa DePompadour, Societe d'Importation Ltee; Limoges porcelain, silverware and crystal JFA Technologies, R&D consultants; physists, technologists and engineers. PGP keys at: http://w3.citenet.net/users/jf_avon ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891 Unsollicited commercial e-mail will be proofread at US165 $/h Any sender of such material will be considered as to have ac- cepted the above mentionned terms. From EALLENSMITH at ocelot.Rutgers.EDU Mon May 20 03:56:23 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. 
ALLEN SMITH) Date: Mon, 20 May 1996 18:56:23 +0800 Subject: SEVERE undercapacity, we need more remailers Message-ID: <01I4WUZKQ6ZC8Y5FKU@mbcl.rutgers.edu> It occurs to me that a certain number of companies have schemes that could easily be used to set up anonymous, transient mailing output ends on anonymous remailers. These are AOL (with its famed lack of true credit card verification) and free email services such as Juno. The idea would be to have a remailer address that took in mailings, then sent any that were to go other than to another remailer via a temporary account. Now, this would have the potential problem of decreasing remailer reputation among those in such companies; for AOL, it would also decrease the chance of anyone paying attention to the remailed messages (people deleting stuff from @aol.com automatically, etcetera). -Allen From stewarts at ix.netcom.com Mon May 20 04:32:30 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 20 May 1996 19:32:30 +0800 Subject: Senator Leahy, your public key please? Message-ID: <199605200524.WAA16354@toad.com> Senator Leahy is the first member of Congress to publicize a PGP key. (There are already fake keys for Bill and Hillary Clinton and Al Gore.) A Washington-area Cypherpunk recently visited Senator Leahy's office and asked if he could verify that the PGP key posted to the net for Senator Leahy was correct*, so he could sign it; while it would be difficult to fake responses to the "PGP Public Key" entry on his web page, it could be done, and a fake key could be publicized in other ways. He was told that there's some Congressional silliness about the issue - what's the political implication of having someone sign your key? Postmaster at senate.gov is fine, but are there ethics questions if ACT UP, Big Oil or the Christian Coalition signs it, or if Newt Gingrich or your party's Majority Leader refuses to sign it - are those endorsements? 
Tim May pointed out that you don't _need_ anybody's permission to sign their key; just do it and send to the keyserver. Even if they don't like you. >What if, for example, Sen. Leahy _did_ end up in the web of trust for Aryan >Nation? Even if he never intended it, this could have some severe PR >repercussions. >An exciting new world we're entering. It's really hard to get handed a straight line like this and have to pass it up, but I'm _not_ going to create an Aryan Nations key, and I'm _not_ going to send it to keyserver at canopener.worms.mit.edu. Black Unicorn's experience at Senator Leahy's office implies there are too many clueless Congresscritters around who would recognize the political potential and make a Law to Do Something about it, just as Georgia recently made a law against making links to people's web sites without their permission. While the Republicans in Congress, having somehow found themselves on the side of Free Speech with Leahy against Clinton's administration, may be able to pass laws reducing the government's encryption-export and wiretapping efforts, a good scare like this could make it more difficult. Sigh. :-) I haven't Cc:d this to Leahy - Should I? Meanwhile, what should we do about PGP key signatures? PGP 3.x is still being developed, and keyservers can be updates as needed. While I agree that keyservers don't need to validate keys - that's a job for the web of trust, and the keyserver-admin could sign keys if he/she/it wanted to - it may make sense for the keyservers to only accept keys in messages signed by the key itself. (Just signing the key doesn't help much here; you need to sign the key-plus-signatures.) Does it make sense to include some similar capability in PGP itself? Leahy has at least signed his own key... 
# Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 # goodtimes signature virus innoculation From cpunk at remail.ecafe.org Mon May 20 04:36:34 1996 From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) Date: Mon, 20 May 1996 19:36:34 +0800 Subject: Instant Remailers Message-ID: <199605200437.FAA28623@pangaea.hypereality.co.uk> Someone said: > >It is possible for someone to operate an anonymous remailer anonymously. > >Just get a UNIX shell account under a fake name, pay with cash, and set up > >the remailing software. The identity of the operator of such a remailer > >would be difficult, if not impossible, to discover. Then someone else said: > (Doesn't Sameer's system offer such accounts? Couldn't there be dozens of > remailers based at c2.org? Of the 16 Type-1 remailers listed in one of > Raph's recent reports, only 2 were at c2.org.) This happened. Remember robo at c2.org? Whatever happened to it? (Anyone ever figure out who the real operator was?) From EALLENSMITH at ocelot.Rutgers.EDU Mon May 20 04:49:22 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 20 May 1996 19:49:22 +0800 Subject: The Crisis with Remailers Message-ID: <01I4WVQJYM428Y5FKU@mbcl.rutgers.edu> From: IN%"loki at infonex.com" 18-MAY-1996 20:02:12.04 >I was invited to the digicash API design meeting precisely to make sure it >could be used in remailers. It will not be using the current API. The >problem is that Mixmaster requires exact knowledge of the size of every >object in the message, to maintain constant message size. I could set aside >room for one, two, three coins, but there is no guarantee that the payment >will be made with only that many coins. The current API is going to be high >level. It will does not allow the program to know anything about the >internals of the payment. I need to be able to specify payment of amount X >using no more than N coins. As soon as I have that level of control, you >will see postage in Mixmaster. 
Good. I can see doing a limited postage now, actually, with relatively simple modifications - the postage goes to the initial remailer front end and to the remailer that sends out the message to something other than another remailer.
-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 20 04:49:44 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Mon, 20 May 1996 19:49:44 +0800
Subject: Remailers & what they get out of it...
Message-ID: <01I4WUPVKJ9E8Y5FKU@mbcl.rutgers.edu>

From: IN%"ravage at ssz.com" "Jim Choate" 18-MAY-1996 09:43:06.96

>As long as the remailer is run a 'grins & giggles' affair you are right.

There is the increase in reputation capital in _some_ quarters possible through running a remailer. (On the other hand, in authoritarian quarters, it would tend to decrease one's reputation capital...)

>To me the biggest problem with the crypto work right now is that not enough
>professionals are involved. If more remailers and such were initiated as
>a business there would be legal avenues to explore. Also, in this vein is
>the apparent lack of support for commercial ventures by developers of such
>apps as MixMaster (whose license explicitly prohibits commercial use).

It prohibits commercial use? That's silly. Is it a holdover from when the idea was to turn Mixmaster into a company?

>And for the record, yes, we expect to charge real $$$ for access. Our
>current plan is $10/month for each account. Money orders preferred. We have
>at this point pondered e-cash methods but it doesn't seem popular enough
>at this juncture.

How would you be doing this? Only remailing from accounts that have paid up, or what?
-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 20 04:58:19 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Mon, 20 May 1996 19:58:19 +0800
Subject: Is Chaum's System Traceable or Untraceable?
Message-ID: <01I4WVDLFCHK8Y5FKU@mbcl.rutgers.edu>

From: IN%"tcmay at got.net" 18-MAY-1996 14:30:54.29

>I agree with Jim Bell on this completely. I don't know if Chaum has been
>seduced by the Dark Side, or is looking to get digicash widely deployed by
>"respectable" institutions, or is telling the truth (that his system
>_never_ provided for real untraceability), but I know that Cypherpunks
>should always strive for full untraceability.

Given what I've picked up (including what institutions he's chosen to deal with, the behavior of these institutions - MTB's dropping of merchants disapproved of by Mrs. Grundy et al, and other information), I am willing to bet that the second is the priority. Once his patents run out, all bets are off... but it looks like he's wanting to get ecash accepted before then. Otherwise, everyone may be using various non-anonymous (or GAKed anonymous) methods like credit card encryption. Unless I'm reading the ecash protocols wrong, using the current version of the software some degree of payee anonymity is possible.
-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 20 05:20:56 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Mon, 20 May 1996 20:20:56 +0800
Subject: A cryptographic alternative to escrow agents (Matts' half coin)
Message-ID: <01I4WV612VG28Y5FKU@mbcl.rutgers.edu>

From: IN%"unicorn at schloss.li" "Black Unicorn" 18-MAY-1996 11:46:08.35

>The mint is the escrow agent. It still (obviously) needs to be trusted.

The mint will need to be trustworthy anyway; otherwise, you can get a "final round" problem in which they print up lots of ecash and spend it before the value completely plummets, or they get lots of requests to cash existing ecash in.
-Allen

From llurch at networking.stanford.edu Mon May 20 05:44:44 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Mon, 20 May 1996 20:44:44 +0800
Subject: Cypherpunks, a political "newsgroup?"
In-Reply-To:
Message-ID:

On Sun, 19 May 1996, Declan B.
McCullagh wrote: > Excerpts from internet.cypherpunks: 19-May-96 by anonymous-remailer at shell > > Cypherpunks is not a political newsgroup. > > Hah! Most everything that's discussed here has political overtones. I, > for one, appreciated in the info on the Burmese businessman and > forwarded it to fight-censorship. I'll link it in to > http://www.cs.cmu.edu/~declan/international/ when I get a chance. Me Too! I can't speak for the old Perry, but I think the Burma thing (government outlawing communications technology) was perfectly on topic for this list. I was also inclined to offer to help, if there's anything you think I could do. I know a couple of grad students who are very interested in the Burmese political situation, and if there's anything useful that can be done technologically, I'd like to help. The Hack China Contest isn't going very well, but perhaps Burma will be easier. -rich From tcmay at got.net Mon May 20 05:52:27 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 20 May 1996 20:52:27 +0800 Subject: SEVERE undercapacity, we need more remailer servers FAST Message-ID: At 6:07 AM 5/20/96, E. ALLEN SMITH wrote: > What countries are noticeable for being anti-Scientology? They would >appear to be good locations for special-purpose remailer ultimate-output ends. But any country that is "anti-Scientology" is likely to be repressive in various ways we would find inimical to our goals. Germany is a prime example: yes, they have placed restrictions on the CoS, but they have also ordered crackdowns on Internet sites. Whatever one may think of Scientology, or Catholicism, or Baalism, or whatever, crackdowns by the government ("anti-Scientology," "anti-Catholic," etc.) is not a good thing. (The issue of how believable the claims of CoS are is no more relevant than similarly outlandish claims that taking communion is eating the flesh of JC. 
And the issue of CoS seeking legal actions against those they claim are violating their copyrights is separable from their religious status. As I have said many times, "Newsweek" would likely take similar actions in similar circumstances.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From llurch at networking.stanford.edu Mon May 20 06:14:56 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 20 May 1996 21:14:56 +0800 Subject: WELCOME TO THE NEW ROMAN EMPIRE In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- (I really don't think a [NOISE] tag is necessary; do you?) On Sun, 19 May 1996, Alan Horowitz wrote: [ALL CAPS is by Skippy ] > > > EVERYONE GETS A HIGH SCHOOL DIPLOMA --> HIGH SCHOOL DIPLOMAS BECOME > > > WORTHLESS EVERYONE GETS A PHD --> PHDS BECOME WORTHLESS > > > > Will someone please buy this man a shift key and some Thorazine? > > Yeah, next thing ya know, somebody will be claiming that Physics PHds > can't get work now, and that MD's being out of work is right around the > corner. (Newly minted board-eligible Pathologists have it worst, right now). Funny, I just watched an out-of-work physics PhD talk about a related subject on 60 Minutes. Confirmed what I already thought about him, Mike, and Morris (they're all idiots). Skippy is just playing around with markov again. He trolls in waves: humor -> trust -> confrontation -> outbust -> quiet -> lather, rinse, repeat. 
If you have any serious questions about Skippy and friends, please encrypt your message with the key that follows. I'll probably have something interesting (and on-topic) to share for the putative June 8th SF area cypherpunks meeting (we'll have a real room). - -rich
-----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMaAp2Y3DXUbM57SdAQEsiAP8CdB4xC1wHHf0rCa2Fr020FzH7U35SMQV s4bITaBovLyXPm+yyDcruxa7kdrHNDkvM3QY6qe+Hde3R+7N3/tg66L4J78Fu184 RJBF6A4RkmEutoUKn3+ydRmVk+J7LWDZL+0IDc2sgk51vJiUSLrgExnXEIgC38GP KYU319Xjv3U= =axFz -----END PGP SIGNATURE----- From qut at netcom.com Mon May 20 06:53:40 1996 From: qut at netcom.com (Dave Harman) Date: Mon, 20 May 1996 21:53:40 +0800 Subject: Virtual machines? In-Reply-To: <9605200344.AA02438@cti02.citenet.net> Message-ID: <199605200932.CAA23030@netcom23.netcom.com> ! Hi. ! ! Pardon my ignorance, but I had a few questions haunting me since a ! while. ! ! Is there a way to have a remailer de-localize itself and relocalize ! itself over the internet? ! ! For example, could there be several machines around the worlds that, ! when you send an e-mail to it, is routed to differents physical ! places of the world depending on where the actual remailer process is ! actually running? Could there be such a thing as a virtual machine ! runing a remailer that gets to hop from physical machine to physical ! machine around the world? ! ! Just an idea to avoid jurisdiction problems. This is just what crypto remailers do. Public key encryption with To: 's encrypted at each hop threading through several servors. This is why we need 1,000 servors created quickly, throughout the far corners of the internet, to make it a safer, as far as liability is concerned, to admin them.
The last full featured remailer servor closes this May 20. Qut From mix at anon.lcs.mit.edu Mon May 20 07:07:23 1996 From: mix at anon.lcs.mit.edu (lcs Mixmaster Remailer) Date: Mon, 20 May 1996 22:07:23 +0800 Subject: The Crisis with Remailers Message-ID: <199605200640.CAA00544@anon.lcs.mit.edu> -----BEGIN PGP SIGNED MESSAGE----- > not!!! I should have made this clear, but imho no matter how favorably > the public sees anonymity, I still believe there will be little > incentive to run remailers until there is some kind of ecash > scheme. I hope this is not true. Some of us simply believe it is important to help people with unpopular opinions speak without fear of harassment. I for one will continue to operate a free remailer even if the technology becomes available to charge for the service. I hope others will, too. Some people do care about things other than money. I hope the reason there aren't more remailers out there is simply that it is sort of a pain to set one up, rather than simply because nobody cares. > >People seem to forget that anyone can drop a letter into the mailbox with > >no return address. Did the Unabomber bring negative publicity to the > >postal service, causing people to demand that return addresses become a > >requirement? :-/ > > agreed, but the subject at hand was not whether anonymity is good or bad, > but whether there is some incentive to run remailers. Well, wanting there to be remailers is a good incentive to run one. Another good incentive is if you ever want to send a truly sensitive anonymous message. If you chain through your own remailer, then you can be absolutely sure that at least one remailer in your chain is not run by "bad guys." > I would be interested if any longtime remailer operators posted > statistics about the amount of mail going through their services. Usage statistics are publicly available from mixmaster remailers by sending mail with subject "remailer-stats". 
Whenever I've checked, the number of messages through the lcs mixmaster remailer has been around 300/day. This is neither a longtime remailer nor a particularly accurate statistic, but it should give you some idea. mix-admin at anon.lcs.mit.edu -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMZ//ZETBtHVi58fRAQHePQP+JQcCu/zDfhRB1BLOea+OSENfM6qRxj0h KlYtV5O+IgcmlfZ+vupbtds6IrL8GN5YAQ7kpLoSCIUPC3+r4X0ppJjqgETEYI23 cJoZU9tG3Csj+KNSRn7tDjXdPFcGooqemvhV5SERiQEkAYqzRBDCcd7VQTOGgls5 TTRHxUQ1F+c= =DOAo -----END PGP SIGNATURE----- From frantz at netcom.com Mon May 20 07:36:25 1996 From: frantz at netcom.com (Bill Frantz) Date: Mon, 20 May 1996 22:36:25 +0800 Subject: Rumor: DSS Broken? Message-ID: <199605200803.BAA11630@netcom8.netcom.com> At 8:05 PM 5/19/96 -0800, jim bell wrote: >At 08:33 AM 5/19/96 -0400, Robert Hettinga wrote: >>At 9:41 PM -0400 5/18/96, Bill Stewart wrote: >>> MD5 is at least weakened, maybe broken; there's an abstract by Hans >>>Dobbertin >>> that says something about generating collisions, and gives an example >>> (though the abstract doesn't say how general the method is.) >> >>That's what I get for not reading the DSS stuff when it came out. I'd heard >>lots about the MD5 stuff, but I didn't put the two together. >> >>It also looks like I'm behind in my reading. Time to buy another edition >>of Applied Cryptography... > >It should occur to all of us that if the NSA was actually doing the job we >are vastly over-paying them to do, it is THEY who should be finding, >exposing, and correcting these kinds of cryptography faults. Has anybody >ever heard any evidence that the NSA has ever acted in this sort of >responsible role? I was rather impressed by NSA's role in the creation of DES. The strengthened it against an attack which was not publicly known, and didn't, in the process, reveal the attack. (See AC2.) 
------------------------------------------------------------------------
Bill Frantz       | The CDA means  | Periwinkle -- Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From qut at netcom.com Mon May 20 08:02:22 1996
From: qut at netcom.com (Dave Harman)
Date: Mon, 20 May 1996 23:02:22 +0800
Subject: Incorporating
In-Reply-To: <199605200437.GAA20138@spoof.bart.nl>
Message-ID: <199605201016.DAA26766@netcom23.netcom.com>

! How do corporations work, in terms of liability? If the cost of
! incorporating isn't forbidding, I would think a remailer operator might

An excellent idea for reducing civil liability. It's easy and cheap to incorporate a Delaware for-profit corporation. Following certain practices vastly increases your legal status. Such as the corporate boilerplate of: Stock certificates; Proper titles and roles that are duly recorded; Proper minutes, meetings, accounting; Good Articles of Incorporation. In other words, Sameer the $USER is very different from President/Chairman Sameer Parekh of C2, Inc. A non-profit corporation is considerably different, and for certain reasons, would not be as good as for-profit for potentially shielding civil liability. (Unfortunately, case law suggests that.)

! consider incorporating a company, and making the remailer a function of
! that company. That way, any losses are restricted to the total value of
! the corporation; that is, nothing. Any flaws? There must be something
! wrong with it somewhere.

Less freedom than the sole-proprietor. Following the corporate protocols.

! Thanks.

Thank you for your contribution,
Qut

From bryce at digicash.com Mon May 20 08:54:31 1996
From: bryce at digicash.com (bryce at digicash.com)
Date: Mon, 20 May 1996 23:54:31 +0800
Subject: Senator, your public key please?
In-Reply-To: Message-ID: <199605201050.MAA13366@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- TCMay probably wrote something like: > > At 8:38 PM 5/18/96, bryce at digicash.com wrote: > > ...(my points elided)... > > >All of these are products of misconceptions between using the > >WoT to certify identities, versus using it to certify how much > >you trust a person to certify someone else's identify, versus > >using it to certify arbitrary other qualities about a person. > > Bryce, we've differed several times before about the web of trust, > especially "man-in-the-middle" issues. This looks to be the same sort of > issue. Indeed we have, and it verged on philosophical territory, and I would really enjoy discussing the issue again with you sometime, although perhaps we've gotten about as much as we can get out of it in e-mail. But I think that _this_ issue is a lot simpler, and a lot easier for us to agree on. To wit: > I personally don't see key-signings as mainly useful for verifying the > "true name" of someone whose key I sign. (I don't check birth certificates, > passports, driver's licenses, etc.) > > Rather, I view _my_ key signings as forms of vouching, or endorsement. Not > of all views, naturally, but as a statement that the person whose key I am > signing is someone I know and "trust" (in the sense that the key belongs to > the person I "know." Thus, I know Eric Hughes, even though he may actually > be Fritz Kacynski, drop-out math student. Sure. For my part, _I_ personally don't see key-signings as mainly useful for verifying the "true name" of someone. Rather I view _my_ key signings as verifying that (for one reason or other), I believe the owner of the key to be the originator of the information that is published under that key (= nym). All I am saying by talking of "misconceptions between using the WoT to certify identities, versus using it to certify [...] other qualities", is that each of these different uses of key- signings are.. well.. 
_different_, and they shouldn't be mistaken for one another. Unfortunately PGP 2 only allows one kind of certificate. The "key-signature". To PRZ and most other people, it is a certificate asserting a mapping between a key and a true name. To me it is as I described above. To TCMay, it is a kind of endorsement. It's just too bad that PGP 2 doesn't have different _kinds_ of certificates to represent these different assertions. Until a certificate technology like that is implemented, and probably even after that time, we need to avoid confusing these various meanings for "key-signatures". > I believe different agents will use these belief networks in different > ways. Some will be focused on the issue of True Names and will calculate > beliefs on the basis of how much they think the key-signers are being > diligent enough in checking identities. Others will use belief networks to > convey trust that one is not a government agent (a practical example being > the use of PGP and webs of trust in the jungles of Burma, where I am quite > sure the "keyrings" did not deliberately include government agents, > regardless of how well they "proved" their identity! > > There is no single ontological interpretation of belief networks. Well here we have that epistemological issue again. I believe that there is a single "proper" or "best" ontological interpretation of many or most belief networks. (At least, of the belief networks that we care about.) But skipping that issue, my point in this post is just that there should be information encoded in these belief nets/WoT's which differentiates the different kinds. Note that it is possible to differentiate between two meanings without admitting that their meanings are meaningfully ascertainable by humans... > Bryce, I respect your views on this and MITM issues, but the fact that we > view things differently (and that Phil Z.
views things differently from > you, and perhaps from me) should not always be ascribed by you as > "reflecting lack of understanding." Hey, maybe I should be more humble, or more gentle, but this is the Internet, you know? Here, I'll present a representation of my internal Bayesian belief network with explicit mention of the certainty qualifications: "A. Since Tim and I view things differently with respect to this subject, one of us is wrong. A's certainty: 0.95 B. I am right. B's certainty: 0.93 C. (from A,B) Tim is wrong. C's certainty: (from A,B) 0.93*0.95=0.8835" Now more seriously, the alacrity with which I bring up disagreements with Tim should in fact be construed as a measure of my _respect_ for his opinions and for his mind, rather than as a lack of respect for same. Regards, Bryce -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: http://www.c2.net/~bryce/ -- 'BAP' Easy-PGP v1.1b2 iQB1AwUBMaBOXEjbHy8sKZitAQGqOQMAg5PBy6raiNd2gyy35h9F5CDGxmFTprE9 Ff55OWlPlY/+LM55+Vby94QJ6Df+pNby8yLmRudGZA7OXNeFArKu11AQyd3OXm6N mY9RobZQ+t5aawB9CMtGnsR8NvC/LJU0 =wKml -----END PGP SIGNATURE----- From qut at netcom.com Mon May 20 08:59:46 1996 From: qut at netcom.com (Dave Harman) Date: Mon, 20 May 1996 23:59:46 +0800 Subject: CAPITALISTS' SUCK In-Reply-To: <199605200028.UAA14968@jekyll.piermont.com> Message-ID: <199605201107.EAA07682@netcom23.netcom.com> ! Date: Sun, 19 May 1996 20:28:04 -0400 ! From: "Perry E. Metzger" ! ! >Dave Harman writes: ! > ! > CAPITALISTS' SUCK ! ! What witty social commentary. Information wants to be free. From qut at netcom.com Mon May 20 09:40:55 1996 From: qut at netcom.com (Dave Harman) Date: Tue, 21 May 1996 00:40:55 +0800 Subject: WELCOME TO THE NEW ROMAN EMPIRE In-Reply-To: Message-ID: <199605201123.EAA12454@netcom23.netcom.com> ! [ALL CAPS is by Rich Graves ] ! > > > EVERYONE GETS A HIGH SCHOOL DIPLOMA --> HIGH SCHOOL DIPLOMAS BECOME ! > > > WORTHLESS EVERYONE GETS A PHD --> PHDS BECOME WORTHLESS ! !
Skippy is just playing around with markov again. He trolls in waves: ! humor -> trust -> confrontation -> outburst -> quiet -> lather, rinse, ! repeat. Skippy does not even know what Markov3 does. ! If you have any serious questions about Skippy and friends, please encrypt ! your message with the key that follows. I'll probably have something ! interesting (and on-topic) to share for the putative June 8th SF area ! cypherpunks meeting (we'll have a real room). Skippy doesn't have any friends, so there's no one to answer the questions. Qut may attend the meeting to verify the racial compositions of the group. Results will be reported here. Qut From paul.elliott at hrnowl.lonestar.org Mon May 20 10:12:52 1996 From: paul.elliott at hrnowl.lonestar.org (Paul Elliott) Date: Tue, 21 May 1996 01:12:52 +0800 Subject: PGP MIME INTERNET DRAFT considered harmful. Message-ID: <31a0442b.flight@flight.hrnowl.lonestar.org> -----BEGIN PGP SIGNED MESSAGE----- Summary: The PGP MIME INTERNET DRAFT, draft-elkins-pem-pgp-03.txt, contains a design error with respect to signatures on binary data. This error results from the failure to recognize the distinction between those features of MIME which are necessary to represent complex data and those features of MIME that are used to transport the data. The design error will result in the following negative results if PGP-MIME is widely used with binary data. (1) Huge unnecessary inefficiency whenever binary data is sent signed and encrypted. (2) The signatures on PGP MIMEd objects can not be extracted from a MIME context and used where MIME programs are not available. (3) Many users will rightly refuse to sign the entities the PGP-MIME draft envisions. This reduces the utility of PGP-MIME. (4) If users do sign these files, they will be signing data for which there are no commonly available inspection tools. This will eventually result in a security breach.
- ---------------------------------------------------------------------- The problem is that when binary data is to be signed the data is to be PGPed _after_ base64 has been applied and the MIME headers added. This is required by the draft: > >3. Content-Transfer-Encoding restrictions > > Multipart/signed and multipart/encrypted are to be treated by agents > as opaque, meaning that the data is not to be altered in any way > [1]. However, many existing mail gateways will detect if the next > hop does not support MIME or 8-bit data and perform conversion to > either Quoted-Printable or Base64. This presents serious problems > for multipart/signed, in particular, where the signature is > invalidated when such an operation occurs. For this reason it is > necessary to REQUIRE that ALL data signed according to this protocol > be constrained to 7 bits (8-bit data should be encoded using either > Quoted-Printable or Base64). Note that this also includes the case > where a signed object is also encrypted (see section 6). This > restriction will increase the likelihood that the signature will be > valid upon receipt. > > Data that is only to be encrypted is allowed to contain 8-bit > characters and therefore need not be converted to a 7-bit format. > > In this the draft follows RFC1847. [Encrypted & Signed binary data.] Now when there is a data path for PGP's cyphertext, PGP provides a binary data path for its plain text. Thus, the inner base64 that PGP MIME internet draft requires is totally unnecessary. It will cause a 30% increase in the size of those messages that are encrypted and signed and large amounts of CPU time will be used applying & removing the base64. It is worth noting that huge amounts of binary data will be transferred by MIME, so the above represents a significant problem. [Signed binary data.] Now let us consider the question of what PGP-MIME draft requires users to sign. Suppose we want to send a signed .gif file to a sysop. 
The sysop wants to store the .gif in his download section. Suppose the sysop wants to store the signature as a detached signature so that people who download it can check the authorship. But the signature proposed by the PGP-MIME draft is useless for this purpose. It has MIME headers attached and it has been base64'ed. People who download such a file from a BBS have no use for it, unless they have MIME. Or suppose we send a signed .gif file to the maintainer of a WEB page. He stores the .gif on an insecure UNIX system connected to the internet. Suppose, a year later the maintainer wants to check if the .gif has been tampered with. Can the maintainer store the signature on a floppy and use the signature for later checking? No, the only way the signatures specified by the draft can be used, would be to add MIME headers and apply base64. The maintainer will have to store the entire MIME message, .gif and all if he wants to check the signature later. Or let us consider a .gif artist. The artist has a policy of only signing works that he can be proud of. He does not sign his sketches, because he does not want sketches to tarnish his reputation. Before signing and releasing a work, he examines it with several different gif viewers and paint programs. But what does the draft PGP-MIME want the artist to sign? It wants him to sign a file that has been base64'ed and with mime headers added. The artist can not examine the file to be signed with any of his gif viewers or paint programs. Everyone's mother has told them to "Never sign anything unless you have read the fine print first." But here we have a file that has been scrambled so that it can not be inspected with the commonly available tools. The artist refuses to sign. Not only does he not know what he is signing, but the base64 offends his artistic standards. Who can be proud of base64? Necessary perhaps, but let's face it, base64 is an horrible kludge built to meet the deficiencies of a network.
If users get in the habit of signing binary files which represent multimedia data, and which can not be examined with commonly available inspection tools, it is inevitable and predictable that sooner or later this will cause some kind of negative security event. Now there is some justification for the way the draft handles text. Different operating systems and machine architectures represent text in different ways, so that it is necessary that digital signatures be taken over some "canonical" format so that signatures will check on different operating systems. Even after text has been mangled by Quoted-Printable it can still be read after a fashion by the person asked to sign it. Operating systems and machine architectures also differ in the way they represent binary data. The differences in the ways integers, floating point numbers and other such thingies are represented are well known. However, such differences must be handled at the application level. The location within a file of integers, floating points, etc must be set by the application programmer/designer. PGP, MIME, and base64 can not deal with these differences, because the location of integers and floats can not be specified in advance for an arbitrary data file. Thus, from the point of view of PGP and base64, these differences do not exist and binary data may as well be a stream of bytes. Thus, in the case of binary data, base64 is not more "canonical" than the original data. There is no good reason to sign the base64 rather than the original data. Once a file has been base64ed, the file can not be examined with the usual inspection tools. The draft has chosen to treat text and binary data similarly. This results in negative results mentioned above, but the developer and draft author do not have to deal with any logic to handle text and binary data separately. User utility and security have been sacrificed for the convenience of simplicity for the draft author and the PGP-MIME developer. 
The typical user of MIME software is not necessarily technically sophisticated. When the deficiencies and disasters associated with software patterned on this draft become apparent, not everyone will know exactly which software component is at fault. The problems associated with the draft (or its successors) may adversely affect the reputation of PGP. Now some descendant of the draft could become a standard or the draft could become a de-facto standard through wide-spread use. Such a standard could become a barrier to the acceptance of other software without the draft's deficiencies. Thus, the draft could permanently inflict poor software on the world. (Look at the memory architecture of the IBMPC for one example. Or look at the MSDOS operating system for another example.) The draft should be withdrawn. People should rethink and create a better plan to combine the benefits of PGP and MIME. It should accommodate the user who wishes to mail a generally usable PGP signature (that is, one that can be used outside the context of MIME) along with multimedia binary data. It should not ask a user to apply a signature to any data that cannot be examined with commonly available tools. It should not require anyone to sign an artifact of a data transfer system such as base64. It should not require any additional space overhead (more than that which may be necessary for transport) when signing and encrypting. 
- -- Paul Elliott Telephone: 1-713-781-4543 Paul.Elliott at hrnowl.lonestar.org Address: 3987 South Gessner #224 Houston Texas 77063 -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: cp850 iQCVAgUBMaBPRPBUQYbUhJh5AQH2hwP+J1ADSzD3Yx4gvUIvAwN+EDikIN2IaHhM j+znIlt9QPzl5SSp44H+JnhoivhKR3562ACI1nexNMZ9E2MrPNioiGmrmz0uGwM6 Px/k2HbioQrgqmmP0IO/98cTZGA71pK7iNk7AZbWpEW4XfWkyRDW9hQzrCEZXXw8 jQwM/VHUPl8= =BvoZ -----END PGP SIGNATURE----- From unicorn at schloss.li Mon May 20 10:59:30 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 21 May 1996 01:59:30 +0800 Subject: Toastmasters? In-Reply-To: <199605200437.GAA20138@spoof.bart.nl> Message-ID: On Mon, 20 May 1996, Senator Exon wrote: > How do corporations work, in terms of liability? If the cost of > incorporating isn't forbidding, I would think a remailer operator might > consider incorporating a company, and making the remailer a function of > that company. That way, any losses are restricted to the total value of > the corporation; that is, nothing. Any flaws? There must be something > wrong with it somewhere. All the corporate officers are public knowledge. The corporate veil can pretty easily be perforated if there is a willful attempt to avoid liability when conduct gets above a certain threshold. This would be pretty easy to show in the event the corporation never made dime one and never intended to. Using corporations as a shield is, in my view, less desirable than having blinded remailers. > > Thanks. > > > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp.
Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Mon May 20 11:07:00 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 21 May 1996 02:07:00 +0800 Subject: anonymous companies In-Reply-To: <01I4WV3W0UHO8Y5FKU@mbcl.rutgers.edu> Message-ID: On Mon, 20 May 1996, E. ALLEN SMITH wrote: > From: IN%"unicorn at schloss.li" "Black Unicorn" 18-MAY-1996 11:16:57.48 > > > At 06:42 PM 5/16/96 -0700, Wei Dai wrote: > > > Solution: smart contracts. This is Nick Szabo's idea of building > > > contractual obligations into cryptographic protocols so that the parties > > > have no choice but to fulfill them. But again we don't know whether this > > > will actually work for this problem. > > >But what happens when there are nuances or circumstances which contracts > >do not anticipate? This "complete" reliability is also a curse for > >flexibility which fast moving entities need to survive. Careful, I didn't write any of this. > > That's an argument for combining them with escrow agencies. If the > escrow agency is less likely to need to intervene, then they'll charge less... > the principle of insurance company risk estimation. > -Allen > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From perry at alpha.jpunix.com Mon May 20 11:33:03 1996 From: perry at alpha.jpunix.com (John A. Perry) Date: Tue, 21 May 1996 02:33:03 +0800 Subject: New type2.list/pubring.mix Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hello Everyone, WOW! It was apparently an exciting weekend while I was gone. I'm sorry the shinobi remailer announced its retirement but the exciting thing seems to be this mysterious "middle-man" remailer.
If it works as the maintainer says, we can have a whole new avenue for setting up undetectable remailers. Anyway, I've updated the type2.list/pubring.mix combination on jpunix.com to reflect the retirement of shinobi and the creation of the middle-man remailer. The lists are available by anon FTP as well as http://www.jpunix.com. John Perry - KG5RG - perry at alpha.jpunix.com - PGP-encrypted e-mail welcome! WWW - http://www.jpunix.com PGP 2.62 key for perry at jpunix.com is on the keyservers. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMaBlT1OTpEThrthvAQHpwAP+I4XqvV7PqkY2q+6cnYiPerqByfYEQa8Y 22efJIGNN4SwHFptI5Hf2sTcT03G5stFXeDbt6GkJYozHfp860Ms00LusYcZhVr2 I8YJc6SzzWqYQnorJE72aausb9f5D1R7eq+2zza0QL7JTOTGVYyA4k/r6pzhf/xU DrQJDFjhEH0= =fU3G -----END PGP SIGNATURE----- From paul at ljl.COM Mon May 20 12:46:03 1996 From: paul at ljl.COM (Paul Robichaux) Date: Tue, 21 May 1996 03:46:03 +0800 Subject: Interactive Week exclusive - White House to launch "ClipperIII" In-Reply-To: Message-ID: >1. Will there be pressures put on the browser companies (Netscape, >Microsoft, etc.) and the e-mail companies (Qualcomm, Microsoft, Claris, >Lotus, etc.) to produce a "world version" that meets export standards with >a single shrink-wrapped package? Qualcomm has elected not to directly support PGP in the past, and it would appear that NSA & State have broadly construed the ITAR sections on crypto capability to mean that apps which can plug in crypto modules are themselves not exportable (cf. Kerberos bones and the whole rationale behind the MS CryptoAPI.) However, Eudora 3.0 includes a plugin architecture for translators. These translators can be used in a variety of ways, including for message compression, foreign-language translation, and signatures. In fact, one of the sample "translators" provided provides a "sign with PGP" icon in the message composition window. Click it, put in your passphrase, and off you go-- much easier than any of the existing solutions. 
The plugin technology is such that it would be easy to write signature & encryption plugins to use your choice of technology: Fortezza, Entrust, PGP, IPG, or whatever. In fact, you might see Fortezza and Entrust plugins later this summer :) Several 'punks have speculated in the past about whether a general-purpose plugin architecture that could be used for crypto would subject the product to ITAR. Since I very seriously doubt Qualcomm would design & ship this capability without finding out whether such an architecture would render their product unexportable, my assumption is that (at least for now) there is no world version requirement-- but vendors still have to face the hassles of keeping, selling, and maintaining two separate versions. Ask Netscape how much fun _that_ is. -Paul -- Paul Robichaux LJL Enterprises, Inc. paul at ljl.com Be a cryptography user. Ask me how. From jk at stallion.ee Mon May 20 15:39:15 1996 From: jk at stallion.ee (Jüri Kaljundi) Date: Tue, 21 May 1996 06:39:15 +0800 Subject: My meeting with Chaum (Also: ecash full anonymity and a legal question) In-Reply-To: <199605182128.OAA32155@abraham.cs.berkeley.edu> Message-ID: Sat, 18 May 1996, Ian Goldberg wrote: > I am, in fact, going to Canada, and was considering writing a version of > the library while I was there. Now, Chaum has a patent on 2 lines of > code (blinding the coin before it goes to the bank, and unblinding the > value returns). Believe it or not, I would like to stay within the law. BTW why isn't some other company besides DigiCash selling similar software product as the Ecash mint & client? Are there some international patents or trade secrets involved?
There is a real market for similar software solution and it should not be too hard to write, considering it is a financial system and there is big money involved. Public domain ecash software would be an interesting effort to accomplish. In case of full source availability it should be possible to develop commercial systems based on public software, it might even be more secure than commercial software which source is available for review to only certain persons. There is also a problem with Digicash licencing: they licence only to banks, and usually only to one bank in each country. I believe there are also many companies that are not banks, who would also like to issue ecash for specific purposes. Setting up a separate company issuing electronic cash, not connected to any of the existing banks, is something that probably will happen sooner or later. Of course there are problems of legislation and clients trusting the company, but those are not problems that the software manufacturer like Digicash should decide. Jüri Kaljundi jk at stallion.ee AS Stallion From raph at CS.Berkeley.EDU Mon May 20 15:52:49 1996 From: raph at CS.Berkeley.EDU (Raph Levien) Date: Tue, 21 May 1996 06:52:49 +0800 Subject: List of reliable remailers Message-ID: <199605201350.GAA01121@kiwi.cs.berkeley.edu> I operate a remailer pinging service which collects detailed information about remailer features and reliability. To use it, just finger remailer-list at kiwi.cs.berkeley.edu There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at: http://www.cs.berkeley.edu/~raph/remailer-list.html This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail. For more information, see: http://www.c2.org/~raph/premail.html For the PGP public keys of the remailers, finger pgpkeys at kiwi.cs.berkeley.edu This is the current info: REMAILER LIST This is an automatically generated listing of remailers.
The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu.

$remailer{"extropia"} = " cpunk pgp special";
$remailer{"portal"} = " cpunk pgp hash";
$remailer{"alumni"} = " cpunk pgp hash";
$remailer{"c2"} = " eric pgp hash reord";
$remailer{"penet"} = " penet post";
$remailer{"flame"} = " cpunk mix pgp. hash latent cut post reord";
$remailer{"mix"} = " cpunk mix pgp hash latent cut ek ksub reord ?";
$remailer{"replay"} = " cpunk mix pgp hash latent cut post ek";
$remailer{"ecafe"} = " cpunk mix";
$remailer{"amnesia"} = " cpunk mix pgp hash latent cut ksub";
$remailer{'alpha'} = ' alpha pgp';
$remailer{"lead"} = " cpunk pgp hash latent cut ek";
$remailer{"treehole"} = " cpunk pgp hash latent cut ek";
$remailer{"exon"} = " cpunk pgp hash latent cut ek";
$remailer{"vegas"} = " cpunk pgp hash latent cut";
$remailer{"haystack"} = " cpunk mix pgp hash latent cut ek";

catalyst at netcom.com is _not_ a remailer.
lmccarth at ducie.cs.umass.edu is _not_ a remailer.
usura at replay.com is _not_ a remailer.

Groups of remailers sharing a machine or operator:
(c2 alpha)
(flame replay)
(alumni portal)

Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too.

Note: The remailer list now includes information for the alpha nymserver.
Last update: Mon 20 May 96 6:47:47 PDT

remailer  email address                        history       latency  uptime
-----------------------------------------------------------------------
lead      mix at zifi.genetics.utah.edu        ++++++++++++    39:10  99.99%
alpha     alias at alpha.c2.org                +++++-*-++-+  1:14:55  99.99%
exon      remailer at remailer.nl.com          +****+******     4:01  99.99%
mix       mixmaster at remail.obscura.com      +++++++++-++  2:00:18  99.99%
haystack  haystack at holy.cow.net             --++*--*####    45:13  99.98%
flame     remailer at flame.alias.net          +-++++++++++  1:33:36  99.94%
vegas     remailer at vegas.gateway.com        **##**--*#*#    22:41  99.92%
portal    hfinney at shell.portal.com          ##########+      4:00  99.90%
ecafe     cpunk at remail.ecafe.org            +## ##*-####     9:39  99.89%
c2        remail at c2.org                     ++++* +-++-*  1:08:50  99.83%
amnesia   amnesia at chardos.connix.com        ---+++----+   4:41:28  99.75%
replay    remailer at replay.com               ***+**+*+***     5:18  99.65%
alumni    hal at alumni.caltech.edu            *#####*##* +     4:36  99.56%
treehole  remailer at mockingbird.alias.net    +--..+---+-+  2:53:30  99.47%
penet     anon at anon.penet.fi                . __-_ -_    54:09:03  98.83%
extropia  remail at miron.vip.best.com         ____-* ..    26:11:30  80.57%

History key
* # response in less than 5 minutes.
* * response in less than 1 hour.
* + response in less than 4 hours.
* - response in less than 24 hours.
* . response in more than 1 day.
* _ response came back too late (more than 2 days).

cpunk A major class of remailers. Supports Request-Remailing-To: field.
eric A variant of the cpunk style. Uses Anon-Send-To: instead.
penet The third class of remailers (at least for right now). Uses X-Anon-To: in the header.
pgp Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID.
hash Supports ## pasting, so anything can be put into the headers of outgoing messages.
ksub Remailer always kills subject header, even in non-pgp mode.
nsub Remailer always preserves subject header, even in pgp mode.
latent Supports Matt Ghio's Latent-Time: option.
cut Supports Matt Ghio's Cutmarks: option.
post Post to Usenet using Post-To: or Anon-Post-To: header.
ek Encrypt responses in reply blocks using Encrypt-Key: header.
special Accepts only pgp encrypted messages.
mix Can accept messages in Mixmaster format.
reord Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself.
mon Remailer has been known to monitor contents of private email.
filter Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering.

Raph Levien

From anonymous-remailer at shell.portal.com Mon May 20 16:15:59 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Tue, 21 May 1996 07:15:59 +0800 Subject: No Subject Message-ID: <199605201440.HAA27297@jobe.shell.portal.com> I like the idea about bed hopping. But have we worried about AIDS (VIRUS)? >Hi. > >Pardon my ignorance, but I had a few questions haunting me since a >while. > >Is there a way to have a remailer de-localize itself and relocalize >itself over the internet? > >For example, could there be several machines around the world that, >when you send an e-mail to it, is routed to different physical >places of the world depending on where the actual remailer process is >actually running? Could there be such a thing as a virtual machine >running a remailer that gets to hop from physical machine to physical >machine around the world? > >Just an idea to avoid jurisdiction problems. > >Just asking, probably quite futilely... > >Thanks > >JFA > > DePompadour, Societe d'Importation Ltee; Limoges porcelain, silverware and crystal > JFA Technologies, R&D consultants; physicists, technologists and engineers.
> > PGP keys at: http://w3.citenet.net/users/jf_avon > ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891 > Unsolicited commercial e-mail will be proofread at US165 $/h > Any sender of such material will be considered as to have accepted > the above mentioned terms. > From perry at piermont.com Mon May 20 17:51:42 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 21 May 1996 08:51:42 +0800 Subject: WELCOME TO THE NEW ROMAN EMPIRE In-Reply-To: <199605201123.EAA12454@netcom23.netcom.com> Message-ID: <199605201541.LAA17549@jekyll.piermont.com> Dave Harman writes: > Qut may attend the [cypherpunks] meeting to verify the racial > compositions of the group. Why? You have something against black people? .pm From jya at pipeline.com Mon May 20 18:08:45 1996 From: jya at pipeline.com (John Young) Date: Tue, 21 May 1996 09:08:45 +0800 Subject: RAC_ket Message-ID: <199605201544.PAA00135@pipe6.t1.usa.pipeline.com> 5-19-96. WaPo: "From Out Of the Shadows." Book review. Spies Without Cloaks: The KGB's Successors By Amy Knight Princeton University Press. 318 pp. $24.95 Knight suggests that Russia's new security forces are not only continuing the same kinds of skulduggery as they undertook in the past but are now also expertly manipulating public opinion in Russia and the rest of the world to obscure and disguise what they do. What Knight suggests is that the old client-master relationship between Russia's elite and the KGB has not only been reversed but may even have vanished, because these "children of the KGB" have subsumed large chunks of Russia's economy and government. If *Spies Without Cloaks* is correct, much of Russia today is little more than a mutant KGB, the communist ideology it once served now replaced by ruthless devotion to great-power politics and bottom-line capitalism.
The book is worth reading for its applicability to the transformation of the US and international intelligence "communities" into free-market racketeering of espionage technologies and expertise and insider secrets -- as WaPo reported May 2 on high-tech intel patrons Perry and Deutch. RAC_ket From anonymous-remailer at shell.portal.com Mon May 20 18:17:48 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Tue, 21 May 1996 09:17:48 +0800 Subject: Feds Web Crypto Message-ID: <199605201549.IAA00569@jobe.shell.portal.com> Washington Post, May 20, 1996 Feds on the Web Federal agencies' efforts to link up with the citizenry over the World Wide Web take a step forward today. Officials plan to announce a pilot program in which 1,000 to 2,000 people will try their hands at secure Web transactions with federal agencies. It's set to start later this month. The vision for the "Paperless Transactions for the Public Project": a taxpayer files a return to the Internal Revenue Service over Web links that use advanced cryptography to confirm to the agency that the return's really coming from the right party. Or, a retiree goes into a Social Security Administration computer to check benefit information. VIPs, civil servants and ordinary folks are to be issued special "key cards" to take part in the test, which will use cryptography from Frontier Technologies Corp., a Wisconsin networking company. Officials promise the vision is not that far away. -- From iang at cs.berkeley.edu Mon May 20 18:28:32 1996 From: iang at cs.berkeley.edu (Ian Goldberg) Date: Tue, 21 May 1996 09:28:32 +0800 Subject: Is Chaum's System Traceable or Untraceable? 
In-Reply-To: <199605182017.WAA07561@digicash.com> Message-ID: <199605201610.JAA03504@abraham.cs.berkeley.edu> -----BEGIN PGP SIGNED MESSAGE----- In article <199605190626.BAA62897 at rs5.tcs.tulane.edu>, Matthew Carpenter wrote: >My PDA receives >back any coins as change if needed, and logs info about the transaction >for my financial records. > >When I get back home I 'deposit' my change using the same ATM interface. >This also removes from my home computer the copies of the coins I spent, >and automatically updates the transaction records on my PC. > >So are there any flaws with above procedure? Yup; with the current protocols, there's no way to do change. For the shop to pay you change, besides suddenly losing your anonymity as a payee, you would have to go online immediately to clear the coins, which assumedly is infeasible. However, if you use the "fully anonymous" protocol, change becomes trivial. You don't have to go online; the payer (the shop) does, which it assumedly already is. Another benefit is that coins received in this way as change are immediately spendable by you, without having to go online in between. The "fully anonymous" protocol turns out to be _exactly_ what is needed for situations like this. - Ian "this is one of those 'pay attention' posts Sameer mentioned..." -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMaCZaUZRiTErSPb1AQGnTgQAs/chMFt8PNJafSsgoLMOpPQgdevgbH6+ kRR/iSlj2B2kbuD0SPDa7lgvKVjjQWlaQ+AtZq/C6BFqn07/C7E23PZNY648OGpP eT1uD3ioRDd3C4rt9hDOHd1KWdllM75zLuwLY9XO4YWeDhExwakc6/Ze9cOgfh/e nusZy3Naanw= =iCNw -----END PGP SIGNATURE----- From mark at unicorn.com Mon May 20 19:10:43 1996 From: mark at unicorn.com (Rev. Mark Grant, ULC) Date: Tue, 21 May 1996 10:10:43 +0800 Subject: Ooops Message-ID: I see my brilliant idea has already been suggested. Remind me never to post when I'm a hundred messages behind in future...
        Mark

From richieb at teleport.com Mon May 20 19:46:49 1996
From: richieb at teleport.com (Rich Burroughs)
Date: Tue, 21 May 1996 10:46:49 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
Message-ID: <2.2.32.19960520181550.006864b8@mail.teleport.com>

At 01:08 AM 5/20/96 -0700, tcmay at got.net (Timothy C. May) wrote:
[snip]
>And the issue of CoS seeking legal actions against those they claim are
>violating their copyrights is separable from their religious status.

Not at all. Their actions are based on their religious doctrines, as passed down by Hubbard. "Always attack, never defend." Their claims of copyright violation are part of an ongoing effort to silence those who criticize their illegal and immoral practices. They should be examined in that context.

> As I
>have said many times, "Newsweek" would likely take similar actions in
>similar circumstances.)

AFAIK, "Newsweek" does not file lawsuits just for the purpose of harassment, as Hubbard counselled his followers to do. AFAIK, "Newsweek" does not hire PIs to harass those who criticize them.

Tim, do you think "Newsweek" articles have ever been posted to the Net? If so, did the magazine sue everyone who posted them? The "Church" doesn't even want to admit that fair use is a possibility.

"Newsweek" is also not a non-profit corporation. Not only is CoS tax exempt, but they claim to have "trade secrets" as well. That's having your cake and eating it...

Rich
______________________________________________________________________
Rich Burroughs  richieb at teleport.com  http://www.teleport.com/~richieb
See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon
New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause

From mark at unicorn.com Tue May 21 00:00:27 1996
From: mark at unicorn.com (Rev. Mark Grant, ULC)
Date: Tue, 21 May 1996 15:00:27 +0800
Subject: Long-Lived Remailers
Message-ID:

With regard to the problems of remailers being shut down when we want long-lived addresses, wouldn't separating the input and output be one possibility? That is (like Hal's Alumni remailer) you'd send mail to 'remailer at anon.ai' and it would be forwarded via a disposable account elsewhere. All messages would appear to come from 'disposable at foo.com' and if that account was shut down a new one could be opened to replace it while incoming mail simply backed up at the main remailer account.

The only potential problem I could see would be that the disposable ISP might have logs which could track the outgoing messages back to the other account. You'd also obviously need to open the disposable account anonymously or using an ISP who'd protect your identity.

        Mark

From frantz at netcom.com Tue May 21 00:03:27 1996
From: frantz at netcom.com (Bill Frantz)
Date: Tue, 21 May 1996 15:03:27 +0800
Subject: The Crisis with Remailers
Message-ID: <199605201722.KAA05155@netcom8.netcom.com>

At 1:01 AM 5/20/96 -0400, E. ALLEN SMITH wrote:
>From: IN%"frantz at netcom.com" 17-MAY-1996 15:56:36.35
>
>>Perhaps what is needed is a non-profit, charitable 501c foundation to
>>encourage anonymous communication. Those who support the idea could make
>>tax deductible contributions which would be used for grants, public
>>education etc. etc. to encourage anonymous communication. It could be
>>called, "The Federalist Foundation" because the Federalist Papers were
>>published anonymously.
>
> Hmm... I wonder if it would be good for this Foundation to itself
>operate some for-pay remailers, in order to make some money from sources
>besides contributions? Possible disadvantages:
> A. It could get sued, and thus lose funds
> B.
>If its prices were set too low, it could wind up driving other
>remailers out of the market (combination of low price with likelihood to still
>be there), and thus become a vulnerable point.

In general, I think this foundation should limit itself to:

(1) Supporting the creation of techniques for anonymous communication (e.g. remailers, nym servers etc.) This could include grants for theoretical work and grants for the production of out-of-the-box public domain systems.

(2) Public education on the need and value of anonymous communication.

(3) Demonstration projects to help create a market where none exists.

Whenever there is a market, the foundation, like governments, should not participate as a competitor.

------------------------------------------------------------------------
Bill Frantz       | The CDA means  | Periwinkle  --  Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From jf_avon at citenet.net Tue May 21 00:03:35 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Tue, 21 May 1996 15:03:35 +0800
Subject: AP
Message-ID: <9605201825.AA00501@cti02.citenet.net>

On 20 May 96 at 10:28, Jim Ray wrote:

> >A long time ago (few hours) JFA replied to Vlad Z. Nuri (but
> >Jim Ray seemed to indicate that his other name was L.
> >Detweiler) :
> >I think that you are writing way out of context.
>
> >First, whether or not the AP scheme is used for the control of
> >government, as Jim Bell pushes it, does not mean that it will not
> >be implemented for other purposes, such as killing successful
> >businessman or your neighbor's son who is screwing your wife
> >(noticed that she smiles all the time since a while? ) .
> >Second,
> >everybody like Jim Bell who is pushing the AP scheme is doing so
> >on ethical basis: that the coercion the government imposes on to
> >the individuals by regulations, and guns backed taxation justifies
> >the killings.
> >I have to see yet any cypherpunks who seems to
> >agree with AP that envision another use than govt control.
> >
> I disagree BECAUSE of the other likely uses, & see below.

Just the one I pointed out in these two paragraphs. I don't like the scheme either.

> >And you'll also note that the anonymity issue generate more
> >interest from more CPunks because it (hopefully) will achieve the
> >same goal without any killing.
>
> our
> anonymity-baby threatens to have govt. kill it in the crib,

It is not yours, it only *is*.

> with the support of the people.

Here, again, Jim Bell would probably say that this sentence proves him right...

> I have not respected a US
> president in my lifetime, yet I get _pissed_ when they get
> shot/shot at.

I somehow agree with you here.

> Killing seems to be a first resort for some,
> and IMO ends do not justify means.

Well, here, you are treading on a very difficult path. Of course, the ends never justify the means in an *uncoerced* context. But what JB says, is that AP would be a justified "self defense" against coercion. It is only that the self-defense uses statistics.

You'll note that the psycho-epistemology necessary to commit murder is quite close to the one necessary to coerce people to pay taxes. Thus, he might pretend (JB) to only turn the living expression of an idea against itself.

Personally? I still was not able to sort it out...

Ciao

JFA

DePompadour, Societe d'Importation Ltee; Limoges porcelain, silverware and crystal
JFA Technologies, R&D consultants; physicists, technologists and engineers.

PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891
Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have accepted the above mentioned terms.

From tcmay at got.net Tue May 21 00:03:53 1996
From: tcmay at got.net (Timothy C. May)
Date: Tue, 21 May 1996 15:03:53 +0800
Subject: The Ontology of Nyms, Trust, Belief, etc.
Message-ID:

[I've changed the thread name from "Sen. Leahy..."]

At 10:50 AM 5/20/96, bryce at digicash.com wrote:

>Indeed we have, and it verged on philosophical territory, and
>I would really enjoy discussing the issue again with you
>sometime, although perhaps we've gotten about as much as we can
>get out of it in e-mail.

Yes, I also enjoyed the MITM ontological debate--up to a point. Technology reifies what were once philosophical abstractions, and brings them to the fore.

>Unfortunately PGP 2 only allows one kind of certificate. The
>"key-signature". To PRZ and most other people, it is a
>certificate asserting a mapping between a key and a true name.
>To me it is as I described above. To TCMay, it is a kind of
>endorsement. It's just too bad that PGP 2 doesn't have
>different _kinds_ of certificates to represent these different
>assertions. Until a certificate technology like that is
>implemented, and probably even after that time, we need to
>avoid confusing these various meanings for "key-signatures".

I agree with this point, that the "scalar" nature of key-signings is not very rich.

A Digression on Tensors:

The next step up would presumably be "vector" signings, where one has multiple attributes, just as with ratings, reviews, etc. And the step after that would be "tensor" signings--it's perhaps a leap into the abyss, but tensors have an interesting property that a value in one direction, for example, and a value in another direction, say, do not "vector add" to some resultant value. While "wind" acts as a vector field, with a north wind and a west wind giving a northwest resultant, think of "stress" (as in a crystal, a piece of glass, a structural member): stress in one direction is independent of stress in another direction, and they don't add as vectors do.
Hence, the "stress-energy tensor" is needed to describe the stress in a material...or the gravitational field!

(This is just a conjecture that this model might be useful at some point. Near term, I think even having "user-defined" belief fields would be a useful step. And I don't think it needs to be hacked into a next version of PGP...it seems better to add these things on later.)

>Now more seriously, the alacrity with which I bring up
>disagreements with Tim should in fact be construed as a measure
>of my _respect_ for his opinions and for his mind, rather than
>as a lack of respect for same.

Thanks, and I promise I'll respect you in the morning, too. (g)

That several of us (and probably many of those who aren't commenting) have differing interpretations of key signings, trust, belief, identity, proof, etc., is not surprising to me.

(I didn't put "Licensed Ontologist" in my .sig for nothing. Actually, it's also meant as a tweak of some local Santa Cruzans who want professions licensed by the State and ordered to report various forms of physical, psychic, and existential "abuse" to the proper licensing authorities. I get a great rise out of them (in scruz.general) by announcing that "my clinic" refuses to narc out its patients to the authorities...I love getting threats from them saying that they plan to contact Sacramento to "have your license revoked." Predictably, and sadly, I've never gotten a call from any state authorities on this...I can always hope.)

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May               | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA   | knowledge, reputations, information markets,
Licensed Ontologist          | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From hfinney at shell.portal.com Tue May 21 00:04:37 1996
From: hfinney at shell.portal.com (Hal)
Date: Tue, 21 May 1996 15:04:37 +0800
Subject: An alternative to remailer shutdowns
Message-ID: <199605202202.PAA27515@jobe.shell.portal.com>

-----BEGIN PGP SIGNED MESSAGE-----

Several remailers have shut down recently. This may be in part a byproduct of the ongoing struggle between dissidents and adherents of the Church of Scientology. Also, levels of abuse seem to be increasing in general as more people come on the net and learn to use the remailers. Since by their very nature remailers prevent accountability, there is nothing to stop one or more persons from sending illegal material which will cause the remailers to be threatened by legal actions.

I was contacted by the FBI on Friday due to some threatening mail which was apparently sent through my remailer. According to 18 USC 875(c), "Whoever transmits in interstate commerce any communication containing any threat to kidnap any person or any threat to injure the person of another, shall be fined not more than $1,000 or imprisoned not more than five years, or both." I may not be able to continue operating either of my remailers (alumni.caltech.edu and shell.portal.com) for much longer due to this kind of abuse.

Shutting down remailers not only reduces the number available for general use, it also causes problems for people who are using the remailers to manage pseudonyms. If their reply chains used a remailer which shuts down they have to reconstruct the chains, which is at least a nuisance. There was also a posting recently to comp.org.eff.talk by Jonathon Cline, jcline at trumpet.aix.calpoly.edu, about efforts to set up fully anonymous nym based mailing lists. He mentioned that the decrease in the number of remailers is causing problems with their plans.
An alternative I am considering would reduce the utility of the remailer while still allowing these "consensual" uses to continue. Presently the remailers deal with abuse via "block lists", sets of addresses that mail can't be sent to. Generally these are created when someone complains about some mail they have received. By setting up blocking, at least they will not get harassing anonymous mail once they have complained. But in some cases, as in the case that is causing me headaches now, even one message is too much.

My thought is to turn the block list concept on its head, and make it a "permit list". Simply, the remailer will only send mail to people who have voluntarily indicated their willingness to receive it. Someone who has not sent in a message granting this permission will not be sent mail. For larger forums such as newsgroups and mailing lists, permission may be granted by some consensus mechanism. Most would be blocked, but a few like alt.anonymous.messages and the cypherpunks list would be permitted, and others could be added if they wished.

This should hopefully essentially eliminate complaints about abuse, much more effectively than the current method of block lists. People who want to test the remailer by sending mail to themselves, as most people do when they are learning, can simply register themselves on the permit list. People who want to receive anonymous mail, or participate in anonymous mailing lists, can register themselves. People who want to use nyms can register themselves. People who run other remailers can register. It's all voluntary, and if someone does get some objectionable message at least they will know that they granted permission. They can always ask to be taken off the list.
Feedback welcome - Hal Finney

From elkins at aero.org Tue May 21 00:05:27 1996
From: elkins at aero.org (Michael Elkins)
Date: Tue, 21 May 1996 15:05:27 +0800
Subject: PGP MIME INTERNET DRAFT considered harmful.
In-Reply-To: <832582505snx@hrnowl.lonestar.org>
Message-ID: <199605201710.KAA23072@muddcs.cs.hmc.edu>

[Note: CC'd to the pgp-mime list.]

Paul Elliott writes:
> [Encrypted & Signed binary data.]
> Now when there is a data path for PGP's cyphertext, PGP provides a
> binary data path for its plain text. Thus, the inner base64 that PGP
> MIME internet draft requires is totally unnecessary. It will cause a 30%
> increase in the size of those messages that are encrypted and signed and
> large amounts of CPU time will be used applying & removing the base64.

This design decision actually serves a purpose. The scenario is as follows:

Suppose you are a company which has west-coast and east-coast offices, and the only connectivity which exists is via the open Internet. Suppose further that you wished to send out a company memorandum to all the employees. Obviously you will want to sign and encrypt your message. However, once it reaches your offices, you would like to have the encryption "layer" stripped leaving just the signed message. Now, if when you generated that message you did not restrict yourself to 7 bits, there is a likely probability given today's software, that you are not going to be able to transmit that message over an SMTP framework.

Now, this does present some bloat for people who do not strip the encryption, but it seems far better to design the protocol such that this case will work.

> [Signed binary data.]
> Now let us consider the question of what PGP-MIME draft requires users
> to sign. Suppose we want to send a signed .gif file to a sysop. The
> sysop wants to store the .gif in his download section. Suppose the sysop
> wants to store the signature as a detached signature so that people who
> download it can check the authorship. But the signature proposed by the
> PGP-MIME draft is useless for this purpose. It has MIME headers attached
> and it has been base64'ed. People who download such a file from a BBS
> have no use for it, unless they have MIME.
[...several other examples deleted...]

PGP/MIME is _not_ meant to be used in this fashion! It never was! PGP/MIME is only to be used for transport, not for long term storage. If you need a persistent signature, you should generate a detached signature as an attachment.

> If users get in the habit of signing binary files which represent
> multimedia data, and which can not be examined with commonly available
> inspection tools, it is inevitable and predictable that sooner or later
> this will cause some kind of negative security event.

By this argument nobody should bother signing e-mail or news posts. I haven't seen any good tools to handle this easily for PC's and Macs. New proposals have to be made before the tools become available. This draft is the result of experience with what does and doesn't work. For example, the application/pgp content-type which many people like is horribly broken for what it's probably used for 95% of the time.

> There is no good reason to sign the base64 rather than the original
> data. Once a file has been base64ed, the file can not be examined
> with the usual inspection tools.

Yes, base64 is just another stream of bytes, but there are FEW places on the Internet SMTP framework that can support BINARY transport. BINARY streams often contain very long lines which existing software simply can't handle.

There is also another reason to sign the encoded version. Remember that it also includes the content headers of that part. This is very important especially for automated processing of messages.

> The typical user of MIME software is not necessarily technically
> sophisticated. When the deficiencies and disasters associated with
> software patterned on this draft become apparent, not everyone will know
> exactly which software component is at fault. The problems associated
> with the draft (or its successors) may adversely affect the reputation
> of PGP.

Bad implementations can always adversely affect your reputation, even if the theory behind it is solid. The average non-technical user which you have been describing in this message should not even be aware of the underlying details if the implementation is done correctly.

> The draft should be withdrawn. People should rethink and create a better
> plan to combine the benefits of PGP and MIME.

You are more than welcome to submit your proposal to the pgp-mime mailing list. [send mail to pgp-mime-request at lists.uchicago.edu with a subject of "subscribe"] We've seen a lot of different proposals go by, and none of them have stood up to PGP/MIME.

From my point of view, most of the problems that people have with the draft is their failure to understand what it is to be used for. Many people have the impression that PGP/MIME is meant to be the end-all-be-all for PGP. But it's not! PGP/MIME is meant to securely transmit messages across the Internet in a manner which all platforms can use. PGP/MIME is text based because most transport systems in use are. Nowhere is anyone saying "thou shalt not use PGP without MIME." I think if more people understood that, we wouldn't have so many objections to it.

> It should not require any additional space overhead (more than that
> which may be necessary for transport) when signing and encrypting.

The note in parens is interesting. What you consider overhead I consider necessary for transport.
me

From iang at cs.berkeley.edu Tue May 21 00:05:48 1996
From: iang at cs.berkeley.edu (Ian Goldberg)
Date: Tue, 21 May 1996 15:05:48 +0800
Subject: The Crisis with Remailers
In-Reply-To:
Message-ID: <4nq6qp$3fl@abraham.cs.berkeley.edu>

-----BEGIN PGP SIGNED MESSAGE-----

In article , Lance Cottrell wrote:
>At 9:00 AM 5/18/96, Dr. Dimitri Vulis wrote:
>>"Vladimir Z. Nuri" writes:
>>> 1. there is no economic incentive.
>>
>>So, add the code to mixmaster (and even the old style remailers) to
>>collect e-cash as it passes on the anonymous message. Then this will
>>be a good way to accumulate some e-cash, and a number of people will
>>try running remailers for this very purpose. Witness the recent
>>Usenet spam by someone advertizing a for-pay remailer.
>>
>
>I was invited to the digicash API design meeting precisely to make sure it
>could be used in remailers. It will not be using the current API. The
>problem is that Mixmaster requires exact knowledge of the size of every
>object in the message, to maintain constant message size. I could set aside
>room for one, two, three coins, but there is no guarantee that the payment
>will be made with only that many coins. The current API is going to be high
>level. It will not allow the program to know anything about the
>internals of the payment. I need to be able to specify payment of amount X
>using no more than N coins. As soon as I have that level of control, you
>will see postage in Mixmaster.
>
> -Lance

I mentioned this to Chaum, and he didn't really seem to agree with the need for something lower-level...

Another problem with postage in Mixmaster: the minimum ecash payment is $0.01. Do we want to charge that much for email? Need we consider micropayments?
   - Ian

From weidai at eskimo.com Tue May 21 00:05:59 1996
From: weidai at eskimo.com (Wei Dai)
Date: Tue, 21 May 1996 15:05:59 +0800
Subject: encrypted open books
In-Reply-To: <199605201958.MAA28257@dns1.noc.best.net>
Message-ID:

On Mon, 20 May 1996 jamesd at echeque.com wrote:

> Look up Cyphernomicon, "open encrypted books"

There is indeed a short section in the Cyphernomicon about encrypted open books. Unfortunately it doesn't describe it in detail, and since the hks.net archive is down, I can't look up Eric Hughes' original e-mail on the topic. If anyone has a copy of it in his personal archive, please repost it. I'm sure other people would be interested as well.

Here is the section from Cyphernomicon:

12.16.1. Encrypted open books, or anonymous auditing

- Eric Hughes has worked on a scheme using a kind of blinding to do "encrypted open books," whereby observers can verify that a bank is balancing its books without more detailed looks at individual accounts. (I have my doubts about spoofs, attacks, etc., but such are always to be considered in any new protocol.)

- "Kent Hastings wondered how an offshore bank could provide assurances to depositors. I wondered the same thing a few months ago, and started working on what Perry calls the anonymous auditing problem. I have what I consider to be the core of a solution. ...The following is long.... [TCM Note: Too long to include here. I am including just enough to convince readers that some new sorts of banking ideas may come out of cryptography.]

"If we use the contents of the encrypted books at the organizational boundary points to create suitable legal obligations, we can mostly ignore what goes on inside of the mess of random numbers.
That is, even if double books were being kept, the legal obligations created should suffice to ensure that everything can be unwound if needed. This doesn't prevent networks of corrupt businesses from going down all at once, but it does allow networks of honest businesses to operate with more assurance of honesty." [Eric Hughes, PROTOCOL: Encrypted Open Books, 1993-08-16]

Wei Dai

From iang at cs.berkeley.edu Tue May 21 00:06:51 1996
From: iang at cs.berkeley.edu (Ian Goldberg)
Date: Tue, 21 May 1996 15:06:51 +0800
Subject: Interesting bit in the US ecash License Agreement...
Message-ID: <199605202023.NAA04344@abraham.cs.berkeley.edu>

-----BEGIN PGP SIGNED MESSAGE-----

Here's a bit of the US license agreement for the ecash software that some of you may have missed:

> The downloaded software is licensed only for and will be used only for
> your internal testing as part of the aforementioned experiment, subject
> to all the terms and conditions of this Agreement, and will not be
> sublicensed or made available to any third party or used directly or
> indirectly for revenue generating or commercial purposes.

Note that last clause. It seems (probably due to the client using RSAREF, or something like that) that using the ecash software "directly or indirectly for revenue generating or commercial purposes" is illegal.

Someone might want to fix that...

   - Ian "read _before_ you sign"

From unicorn at schloss.li Tue May 21 00:07:43 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Tue, 21 May 1996 15:07:43 +0800
Subject: anonymous companies
In-Reply-To:
Message-ID:

On Mon, 20 May 1996, Black Unicorn wrote:

> On Mon, 20 May 1996, E. ALLEN SMITH wrote:
>
> > From: IN%"unicorn at schloss.li" "Black Unicorn" 18-MAY-1996 11:16:57.48
> >
> > > At 06:42 PM 5/16/96 -0700, Wei Dai wrote:
> > > > Solution: smart contracts. This is Nick Szabo's idea of building
> > > > contractual obligations into cryptographic protocols so that the parties
> > > > have no choice but to fulfill them. But again we don't know whether this
> > > > will actually work for this problem.
> >
> > >But what happens when there are nuances or circumstances which contracts
> > >do not anticipate? This "complete" reliability is also a curse for
> > >flexibility which fast moving entities need to survive.
>
> Careful, I didn't write any of this.

Woops, yes I did. Sorry everyone.

>
> >
> > That's an argument for combining them with escrow agencies. If the
> > escrow agency is less likely to need to intervene, then they'll charge less...
> > the principle of insurance company risk estimation.
> > -Allen
> >
>
> ---
> My preferred and soon to be permanent e-mail address:unicorn at schloss.li
> "In fact, had Bancroft not existed,       potestas scientiae in usu est
> Franklin might have had to invent him."    in nihilum nil posse reverti
> 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
> Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com
>
>

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From llurch at networking.stanford.edu Tue May 21 00:09:08 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Tue, 21 May 1996 15:09:08 +0800
Subject: WELCOME TO THE NEW ROMAN EMPIRE
In-Reply-To: <199605201123.EAA12454@netcom23.netcom.com>
Message-ID:

On Mon, 20 May 1996, Dave Harman wrote:

> Qut may attend the meeting to verify the racial compositions of the group.
> Results will be reported here.

Please do. I'll buy you a beer.

From jf_avon at citenet.net Tue May 21 00:09:23 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Tue, 21 May 1996 15:09:23 +0800
Subject: Virtual machines?
Message-ID: <9605201823.AA00349@cti02.citenet.net>

On 20 May 96 at 2:32, Dave Harman wrote:

> ! Is there a way to have a remailer de-localize itself and
> ! relocalize itself over the internet?
> !
> ! For example, could there be several machines around the world
> ! that, when you send an e-mail to it, is routed to different
> ! physical places of the world depending on where the actual
> ! remailer process is actually running? Could there be such a thing
> ! as a virtual machine running a remailer that gets to hop from
> ! physical machine to physical machine around the world?
> !
> ! Just an idea to avoid jurisdiction problems.

> This is just what crypto remailers do.
> Public key encryption with To: 's encrypted at each hop threading
> through several servers.

Just to let you know: this is *not* what I meant. I did not speak of the location of the message, but of the location of the *remailer* itself.

DePompadour, Societe d'Importation Ltee; Limoges porcelain, silverware and crystal
JFA Technologies, R&D consultants; physicists, technologists and engineers.
PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891
Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have accepted the above mentioned terms.

From richieb at teleport.com Tue May 21 00:09:37 1996
From: richieb at teleport.com (Rich Burroughs)
Date: Tue, 21 May 1996 15:09:37 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
Message-ID: <2.2.32.19960520184232.0076cc40@mail.teleport.com>

At 09:53 AM 5/20/96 -0700, jamesd at echeque.com wrote:
>At 02:08 AM 5/20/96 EDT, you wrote:
>> What countries are noticeable for being anti-Scientology?
>> They would appear to be good locations for special-purpose
>> remailer ultimate-output ends.
>
>Scientology was illegal in Australia last time I heard. They declared
>that you could not be a religion and charge a fee for religious service
>the way that Scientology charges. They then defined them as practicing
>medicine, and hit them with snake oil laws.

And Germany, of course, as Tim mentioned. CoS suckered the US State Dept. into putting pressure on the Germans, and the Scientologists on a.r.s. have made plenty of Nazi allusions when discussing the German "bigotry."

I know that there was a big crackdown in England while Hubbard was still alive, though the anti-Scientology laws there were rescinded some time ago, I believe. At one point foreign Scientologists weren't allowed into the country. There may still be a lot of anti-CoS sentiment there.

Ironically, if someone had asked me this question a few weeks ago, I probably would have answered, "The Netherlands."

Rich

p.s. I'm a bit more caught up on my facts now. The NOTS materials (newer than the OT materials in the Fishman affidavit) were posted to a.r.s. through hacktic recently. I'm assuming that was the cause of the CoS pressure to shut them down.
The NOTS materials were not in the public record (like parts of the old OT materials were, as they were evidence in the Fishman case), so the court's ruling in the case against Karin Spaink and her ISP, XS4ALL, wouldn't seem to apply towards their being posted. IANADL (I am not a Dutch lawyer...) ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From sameer at c2.org Tue May 21 00:09:48 1996 From: sameer at c2.org (sameer at c2.org) Date: Tue, 21 May 1996 15:09:48 +0800 Subject: The Crisis with Remailers In-Reply-To: <4nq6qp$3fl@abraham.cs.berkeley.edu> Message-ID: <199605201740.KAA07336@clotho.c2.org> > > Another problem with postage in Mixmaster: the minimum ecash payment is > $0.01. Do we want to charge that much for email? Need we consider > micropayments? > one cent could well be too low. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From bogus@does.not.exist.com Tue May 21 00:10:27 1996 From: bogus@does.not.exist.com () Date: Tue, 21 May 1996 15:10:27 +0800 Subject: No Subject Message-ID: <199605202103.OAA04342@netcom2.netcom.com> ! With regard to the problems of remailers being shut down when we want ! long-lived addresses, wouldn't seperating the input and output be one ! possibility? That is (like Hal's Alumni remailer) you'd send mail to ! 'remailer at anon.ai' and it would be forwarded via a disposable account ! elsewhere. All messages would appear to come from 'disposable at foo.com' and ! if that account was shut down a new one could be opened to replace it ! while incoming mail simply backed up at the main remailer account. ! ! 
The only potential problem I could see would be that the disposable ISP
! might have logs which could track the outgoing messages back to the other
! account. You'd also obviously need to open the disposable account
! anonymously or using an ISP who'd protect your identity.

That's silly. The problem isn't liability but lack of popular knowledge on setting up a remailer. The more remailers, the liability is reduced.

GOALS 2000: 2,000 QUT

From tim at dierks.org Tue May 21 00:10:35 1996
From: tim at dierks.org (Tim Dierks)
Date: Tue, 21 May 1996 15:10:35 +0800
Subject: Is Chaum's System Traceable or Untraceable?
Message-ID:

At 9:10 AM 5/20/96, Ian Goldberg wrote:
>In article <199605190626.BAA62897 at rs5.tcs.tulane.edu>,
>Matthew Carpenter wrote:
>>My PDA receives
>>back any coins as change if needed, and logs info about the transaction
>>for my financial records.
>>
>>When I get back home I 'deposit' my change using the same ATM interface.
>>This also removes from my home computer the copies of the coins I spent,
>>and automatically updates the transaction records on my PC.
>>
>>So are there any flaws with above procedure?
>
>Yup; with the current protocols, there's no way to do change. For the shop
>to pay you change, besides suddenly losing your anonymity as a payee, you
>would have to go online immediately to clear the coins, which assumedly
>is infeasible.
>
>However, if you use the "fully anonymous" protocol, change becomes trivial.
>You don't have to go online; the payer (the shop) does, which it assumedly
>already is. Another benefit is that coins received in this way as change
>are immediately spendable by you, without having to go online in between.
>
>The "fully anonymous" protocol turns out to be _exactly_ what is needed
>for situations like this.
Not that full anonymity isn't a Good Thing, but couldn't this be solved by having the merchant (who presumably is on-line) provide PDA <-> mint connectivity for the purposes of getting change, exchanging coins, etc.? My assumption is that all the ecash protocols are not subject to a MITM attack, which I would just presume to be good practice.

Also, given the fully anonymous protocol as you've described it (both payor and payee blind the coins), what's to prevent the merchant from depositing your change before he gives it to you? Unless your PDA is online, you'll be home before you find out the hot dog vendor shorted you. (It's my understanding that the current digicash system does not support Chaum's method of revealing the identity of double-spenders).

 - Tim

Tim Dierks -- timd at consensus.com -- www.consensus.com
Head of Thing-u-ma-jig Engineering, Consensus Development

From andrew_loewenstern at il.us.swissbank.com Tue May 21 00:18:51 1996
From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern)
Date: Tue, 21 May 1996 15:18:51 +0800
Subject: Senator, your public key please?
In-Reply-To: <199605182038.WAA09047@digicash.com>
Message-ID: <9605202045.AA00456@ch1d157nwk>

T.C. May (tcmay at got.net) writes:
> The web of trust may not be transitive, but the "web of taint"
> may be more so.
>
> New forms of blackballing, blacklisting, redlining, etc.
>
> And I fully expect that who signs one's keys, and whose
> signatures are found on one's keys, may become a political
> and legal issue in the coming years.
>
> What if, for example, Sen. Leahy _did_ end up in the web of
> trust for Aryan Nation? Even if he never intended it, this
> could have some severe PR repercussions.

bryce at digicash.com writes:
> For example, there is no reason why the hypothetical racist
> "Tom Metzger" would sign no black people's keys. A key
> signature (PGP style) is just an assertion about the identity
> of someone.
Haven't racists engraved markings on people's > clothes, buildings, land, bodies and other belongings in order > to identify the owners? So why not do the same for keys. Your local KCA (KKK Certification Authority) could as easily issue a "This key is owned by a Nigger." certificate for a public key as TRW could issue a "This key is owned by a Deadbeat." certificate. Presumably, future versions of PGP and other public-key crypto systems will support free-form certificate generation and not the quasi-fixed-definition signatures currently found in PGP. You can be sure that there will be rallying cries for laws to be passed to ensure the accuracy of statements made in key certificates, that characters are not defamed, that libel is not committed, etc... Lots of the same issues involving any other type of speech and the international and sometimes untraceable nature of the Net. What do you do about a signature on your key, posted anonymously to the net, which names you as one of the Four Horsemen(*tm)? How will current laws relating to credit-rating bureaus and the like be applied to key certificates? Will the MIT key-server be fined for supplying along with public keys any signatures older than 7 years? As the potential value (positive or negative) of certificates on public keys increases, expect the TrueIdentity crowd to suggest that their vision of the future will also help prevent certificate abuse. For key signatures to be useful, the protocols must allow for the attachment and distribution of certificates against the will of the key-holder. In doing so there will always be the possibility of abuse. 
andrew

From shamrock at netcom.com Tue May 21 00:20:57 1996
From: shamrock at netcom.com (Lucky Green)
Date: Tue, 21 May 1996 15:20:57 +0800
Subject: My meeting with Chaum (Also: ecash full anonymity and a legal question)
Message-ID:

At 17:13 5/20/96, Jüri Kaljundi wrote:
>BTW why isn't some other company besides DigiCash selling similar software
>product as the Ecash mint & client?

Not that I am aware of. David Chaum (DigiCash) holds the patents on the blinding technology that lies at the core of Ecash.

>Public domain ecash software would be an interesting effort to accomplish.
>In case of full source availability it should be possible to develop
>commercial systems based on public software, it might even be more secure
>than commercial software which source is available for review to only
>certain persons.

Coin based software that uses blinding would infringe on DC's patents.

>There is also a problem with Digicash licensing: they licence only to
>banks, and usually only to one bank in each country.

That is not the case. At this time, there is only one Ecash issuing bank in each country that has an Ecash issuing bank. There is no reason why there might not be several Ecash issuing banks in a given country in the future.

>I believe there are
>also many companies that are not banks, who would also like to issue ecash
>for specific purposes.

Such companies could negotiate a deal with one of the current Ecash issuers in which the company gets exclusive use of one of the many currencies that all Ecash mints are capable of issuing.

Disclaimer: My opinions are my own, not those of my employer.

-- Lucky Green
PGP encrypted mail preferred.

From raph at cs.berkeley.edu Tue May 21 00:22:02 1996
From: raph at cs.berkeley.edu (Raph Levien)
Date: Tue, 21 May 1996 15:22:02 +0800
Subject: New Remailer (hidden)
In-Reply-To: <199605200543.WAA21312@infinity.c2.org>
Message-ID: <31A09511.31855596@cs.berkeley.edu>

Bill Stewart wrote:
>
> Cool. I've got a test message going now.
> Does your remailer accept PGP-encrypted email? > It's really critical for high-security applications, > at least for first remailer hops, but your key's not on > the MIT keyserver. At present, middleman accepts only Mixmaster format messages. Obviously, if it also supported type-1 messages, it would be important to accept PGP encrypted messages as well. > BTW, how do we know you're not a plant? :-) > Aside from having an interesting nym, > you've probably got the first remailer that > makes it difficult to tell who's running it. > You could be Sameer, or you could be Louis Freeh, > but we don't know. At least folks like Xenon were > known to be real people.... I am able to vouch for the fact that middleman is not a plant. > Even if you _are_ a plant, of course, we can still use > your system, but I'd want to do encrypted email through > other remailers on one end or the other. Always a good idea. Raph From tcmay at got.net Tue May 21 00:22:42 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 21 May 1996 15:22:42 +0800 Subject: Religions, Scientology, and Ritual Cannibalism Message-ID: At 4:53 PM 5/20/96, jamesd at echeque.com wrote: >At 01:08 AM 5/20/96 -0700, Timothy C. May wrote: >> But any country that is "anti-Scientology" is likely to be >> repressive in various ways we would find inimical to our goals. >> [...] >> >> (The issue of how believable the claims of CoS are is no more relevant than >> similarly outlandish claims that taking communion is eating the flesh of >> JC.) > >The Australian law is (or was) based on the idea that if you charged someone >$2500 for eating the flesh of christ, it then becomes legitimate for the >government to check out whether or not the customer was getting actual >flesh of Christ. This seems to me a lot less repressive than the American >FDA. Caveat: I'm an atheist, a non-believer in the supernatural. When I die, my CPU and consciousness will vanish. 
If there are various gods and goddesses, sprites, trolls, Supreme Being(s), I see no evidence of them.

Having said this, I don't want _any_ government intervening in religion, for any purposes. If the Church of Zed says that one's tithing to the Church will buy one eternal salvation and healthy gums, I don't want some government demanding to see "proof."

(Inasmuch as at most one religion is right, this makes the remaining N - 1 religions automatically fraudulent in some sense. This is why the "Schelling point" in mostly-free societies is "we won't interfere with religions and their various bizarre claims...caveat emptor.")

As far as I'm concerned, if a church can convince some yokels to pay $2500 for getting to eat a couple of pounds of Jesus every year (cooked, or Jesus tartare?), I'd say they've got a pretty good racket going. More supernatural power to them, I say!

(And if the Clams can convince some out-of-work actors in Hollywood to pay $250,000 to be e-metered, have their engrams analyzed, and eventually "go clear," it seems like L. Ron made good on his bar bet with Heinlein that he could invent a new religion and make millions of bucks. As another SF put it, "think of it as evolution in action.")

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From bogus@does.not.exist.com Tue May 21 00:22:51 1996
From: bogus@does.not.exist.com ()
Date: Tue, 21 May 1996 15:22:51 +0800
Subject: No Subject
Message-ID: <199605202038.NAA29092@netcom2.netcom.com>

!
On Mon, 20 May 1996, Dave Harman wrote: ! ! > Qut may attend the meeting to verify the racial compositions of the group. ! > Results will be reported here. ! ! Please do. I'll buy you a beer. Qut has some skills in determining persentages of oriental race. It is widely suspected rich at c2.org of being an oriental. Thank you for the offer of a beer, however we boycott Coors because of Jewish connections. Qut From jamesd at echeque.com Tue May 21 00:24:33 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Tue, 21 May 1996 15:24:33 +0800 Subject: SEVERE undercapacity, we need more remailer servers FAST Message-ID: <199605201654.JAA14797@dns1.noc.best.net> At 01:08 AM 5/20/96 -0700, Timothy C. May wrote: > But any country that is "anti-Scientology" is likely to be > repressive in various ways we would find inimical to our goals. > [...] > > (The issue of how believable the claims of CoS are is no more relevant than > similarly outlandish claims that taking communion is eating the flesh of > JC.) The Australian law is (or was) based on the idea that if you charged someone $2500 for eating the flesh of christ, it then becomes legitimate for the government to check out whether or not the customer was getting actual flesh of Christ. This seems to me a lot less repressive than the American FDA. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. 
| jamesd at echeque.com From jamesd at echeque.com Tue May 21 00:24:55 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Tue, 21 May 1996 15:24:55 +0800 Subject: SEVERE undercapacity, we need more remailer servers FAST Message-ID: <199605201654.JAA14790@dns1.noc.best.net> At 02:08 AM 5/20/96 EDT, you wrote: > What countries are noticeable for being anti-Scientology? > They would appear to be good locations for special-purpose > remailer ultimate-output ends. Scientology was illegal in Australia last time I heard. They declared that you could not be a religion and charge a fee for religious service the way that Scientology charges. They then defined them as practicing medicine, and hit them with snake oil laws. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From vznuri at netcom.com Tue May 21 00:24:59 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Tue, 21 May 1996 15:24:59 +0800 Subject: (Fwd) Re: TCM: mafia as a paradigm for cyberspace In-Reply-To: <9605200337.AA02122@cti02.citenet.net> Message-ID: <199605201934.MAA28228@netcom20.netcom.com> Jean-Francois Avon appears to be a new vocal proponent for Jim Bell's "assassination politics". he quotes my private mail in his latest sniveling defense. >Second, everybody like Jim Bell who is pushing the AP scheme is doing >so on ethical basis: that the coercion the government imposes on to >the individuals by regulations, and guns backed taxation justifies the >killings. I have to see yet any cypherpunks who seems to agree with >AP that envision another use than govt control. 
right, and Hitler didn't have any other use for his government other than to bring utopia to the masses, and used all the ovens for cooking pizzas (after all, what else could an oven be used for?!?!?). the above sentence I find absolutely abhorrent: it justifies killing, not merely because of the effect (the sort of "ends-justifies-the-means" argument used by most here), but that in addition it is supposedly "ethical". ethical?!?!? for g*d's sakes, promote your depraved scheme under any other heading, but do not claim it is "ethical" unless you want to further demonstrate how far from morality you have twisted your brain. the assassination politics is quite Hitleresque at its root. "kill our enemies, and everything will be better. it is our enemies that are the root of all evil in the world. extinguish them, and you solve all problems automatically" such is the total moral perversion of the thinking behind "assassination politics". most of the adherents work from the following argument, nicely summarized by JFA above: 1. the government is corrupt 2. therefore, it is okay to kill people who further that corruption. wow, what brilliant logic. I must admit it proves to be superior to that embodied by any second grader, a high accomplishment for its proponents. there is a trite saying, "two wrongs do not make a right" (trite because most have mastered the simple truth of it in their pre-teen years). a concept not grasped by some second-graders. some require a lifetime of lessons to comprehend it in the end.. I'm very disappointed that others have not chased Assassination Politics proponents to take their trash somewhere else. of course the real situation is that those that started this list have sympathies for this kind of thinking, so no such thing will happen. to Jim Bell and Avon: please read Machiavelli. read about ancient assassination clubs and the history of bloody politics. 
if you want to seriously further your ideas, start a web site with ample historical research. your ideas are not new whatsoever. if you really wish to become masters of assassination abilities, study carefully the errors of those who have come before you. write a long treatise with lots of footnotes to past assassination difficulties and how you would advance past them. I tell you flat out that any respectable assassin would be quite embarrassed to be associated with you at the moment because of your arrogance and ignorance.

I wish you the best of luck

From dlv at bwalk.dm.com Tue May 21 00:29:22 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Tue, 21 May 1996 15:29:22 +0800
Subject: Toastmasters?
In-Reply-To:
Message-ID:

Black Unicorn writes:
> On Mon, 20 May 1996, Senator Exon wrote:
>
> > How do corporations work, in terms of liability? If the cost of
> > incorporating isn't forbidding, I would think a remailer operator might
> > consider incorporating a company, and making the remailer a function of
> > that company. That way, any losses are restricted to the total value of
> > the corporation; that is, nothing. Any flaws? There must be something
> > wrong with it somewhere.
>
> All the corporate officers are public knowledge.

You seem to be confused. If the corporation isn't publicly traded, why should any information other than the address for service of process be public?

> The corporate veil can pretty easily be perforated if there is a willful
> attempt to avoid liability when conduct gets above a certain threshold.
>
> This would be pretty easy to show in the event the corporation never made
> dime one and never intended to.

What if the corporation intends to collect e-cash for operating the remailer? (Of course, one can still be sued...)

---
Dr.
Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From rah at shipwright.com Tue May 21 00:34:01 1996 From: rah at shipwright.com (Robert Hettinga) Date: Tue, 21 May 1996 15:34:01 +0800 Subject: Electronic Banking and Commerce Conference Message-ID: --- begin forwarded text From: "Ledig, Robert" To: "'ecash mailing list'" Subject: Electronic Banking and Commerce Conference Date: Mon, 20 May 96 12:22:00 edt Encoding: 279 TEXT Sender: owner-ecash at digicash.com Precedence: bulk Status: U 21st Century Banking Alert No. 96-5-20 May 20, 1996 ELECTRONIC BANKING AND COMMERCE CONFERENCE TO BE HELD IN WASHINGTON, D.C. ON JUNE 7, 1996 _________________________*________________________ FRIED, FRANK, HARRIS, SHRIVER & JACOBSON ARTHUR ANDERSEN LLP and THE SECURA GROUP * * * Present A One-Day Conference ELECTRONIC BANKING AND COMMERCE: FINDING YOUR PLACE IN THE FUTURE * * * June 7, 1996 8:00 a.m. to 5:45 p.m. Renaissance Hotel Washington, D.C. _________________________*________________________ ABOUT THE CONFERENCE Background 1996 is likely to be a pivotal year for the introduction of electronic banking and commerce in the United States. Among the major developments that will mark 1996 as an historic year in this field are: The Federal Reserve Board proposes the first major regulatory initiative to address the treatment of stored value products. Stored value cards are introduced to the public in a television commercial seen by millions during the Super Bowl followed by a high visibility pilot project during the Atlanta Summer Olympics. Visa and Mastercard reach agreement on protocol for secure transmission of credit card information over the Internet. Electronic cash becomes available for transmission over the Internet. Banks and software providers engage in a major effort to attract bank customers to on-line banking services. Usage of the World Wide Web for product marketing expands exponentially. 
Landmark telecommunications reform legislation is enacted. These developments present both an opportunity and a challenge for banks, financial services firms, technology providers and a wide range of commercial enterprises. The construction of the electronic financial services delivery system of the 21st Century will be driven by technology and will require a comprehensive reevaluation and realignment of consumer preferences, privacy, security, costs and conveniences. Simultaneously, these new delivery systems will be directly affected by emerging government regulation related to law enforcement, monetary policy, bank regulation and consumer protection. The conference is designed to provide participants with a broad insight into these factors, to hear from the leaders who will drive this process and thus offer participants a basis for evaluating the near and long term prospects for the banking industry and other financial services providers in the new world of electronic commerce. About the Sponsors Fried, Frank, Harris, Shriver & Jacobson is a nationally recognized law firm with over 400 lawyers in New York, Washington, D.C., Los Angeles, London and Paris. The firm's financial services practice is led by Thomas P. Vartanian, who has written and spoken widely on electronic banking and commerce issues and is a member of the editorial board of the Electronic Banking and Commerce Report. The firm offers the 21st Century Banking Alert Page*, which can be found on the World Wide Web at http//:www.ffhsj.com/bancmail/bancpage.htm. Arthur Andersen LLP is a unit of Andersen Worldwide, the leading professional services organization in the world with over 360 offices in more than 70 countries and over $8 billion in revenues. 
Arthur Andersen's Financial Markets Practice has a dedicated, international team of over 5,000 professionals who provide a full range of assurance, risk management, business consulting, economic and financial consulting and tax advisory services to over 10,000 financial services institutions in banking, capital markets and insurance. The Secura Group is among the nation's preeminent financial services consulting firms, offering strategic planning, financial advisory, organizational and management consulting, risk management, and regulatory counseling services to financial institutions throughout the United States. Headquartered in Washington, D.C., Secura also maintains offices in Boston, Chicago, Dallas, Los Angeles, New York and San Francisco. _________________________*________________________ PROGRAM 8:00 a.m. Breakfast Remarks by Daniel Eldridge, Vice President, DigiCash 9:00 a.m. Program Overview Dorsey L. Baskin, Jr., Partner, Arthur Andersen LLP Thomas P. Vartanian, Partner, Fried, Frank, Harris, Shriver & Jacobson 9:15 a.m. What New Technology Means for Banks How will technology affect the competitive position between depository institutions? How much of a threat do banks face from non-bank competitors? What approaches are available to banks? John P. Danforth, Managing Director, The Secura Group Charles M. Nathan, Partner, Fried, Frank, Harris, Shriver & Jacobson Thomas P. Vartanian, Partner, Fried, Frank, Harris, Shriver & Jacobson Richard M. Whiting, Senior Director for Regulatory Affairs and General Counsel, The Bankers Roundtable 10:35 a.m. What New Technology Means for Non-Banks What are the prospects for Internet commerce? When does a non-bank become a bank? How will non-banks work with banks? Implications of the new telecommunications legislation. Robert H. Ledig, Partner, Fried, Frank, Harris, Shriver & Jacobson Robert J. 
Lesko, Managing Partner, Financial Services Industry, ATT Solutions Thomas Nelson, Manager, Arthur Andersen LLP Phoebe Simpson, Analyst, Jupiter Communications 11:50 a.m. On-line Banking Options available to banks. Web site banking. Key considerations and risks for banks. Dorsey L. Baskin, Jr., Partner, Arthur Andersen LLP Lance Conn, Counsel, AOL Services 12:30 p.m. Lunch Remarks by Tim Jones, Chief Executive, Mondex 2:00 p.m. Stored Value Products and Smart Cards The Federal Reserve Board's proposed revision to Regulation E. Deposit insurance issues. Design and structure of these products. William F. Keenan, Senior Vice President, Marketing and Business Development, NatWest Bank (Delaware) Jeffrey M. Kopchik, Senior Policy Analyst, Federal Deposit Insurance Corporation 3:00 p.m. Electronic Money Understanding the various models for electronic money. Legal and competitive issues. Credit card usage on the Internet. Jim Richardson, Senior Manager, Arthur Andersen LLP Frank O. Trotter, III, Senior Vice President and Director, International Markets Division, Mark Twain Bank Peter Wayner, Author, Digital Cash: Commerce On The Net 4:00 p.m. Public Policy Perspectives Implications for law enforcement. Systemic risks associated with electronic banking and commerce. Impact on the competitive position of banks and non-banks. Consumer interests in the new technology. Michael ter Maat, Ph.D., Senior Economist, American Bankers Association Stephen R. Kroll, Legal Counsel, Financial Crimes Enforcement Network, U.S. Department of the Treasury Anne Wallace, Attorney-Advisor, Financial Management Service, U.S. Department of the Treasury, Janlori Goldman, Deputy Director, Center for Democracy and Technology 5:20 p.m. Open Discussion Period 5:45 p.m. 
Reception _________________________*________________________ Additional Program Information Conference attendees will receive a copy of DigitalCash: Commerce On The Net, a leading book on electronic money, along with a set of program materials. Continuing legal education credit is being applied for in numerous jurisdictions. If you have specific CLE questions, please contact Debbie Rizzo at (202) 639-7201. A limited number of rooms will be available for a special rate at the Renaissance Hotel, 999 Ninth Street, N.W., Washington, D.C. For reservations, please call the hotel directly at (202) 898-9000 (Ext. 3400) and reference Electronic Banking and Commerce. For further information on the conference, please contact Bob Ledig at 21stCen at ffhsj.com or (202) 639-7016. FAX REGISTRATION FORM To register, please fax this form to Debbie Rizzo at (202) 639-7008, or call her at (202) 639-7201. The fee for the conference is $235 if paid in advance ($295 at the conference location). Early registration is recommended as seating is limited. I/we will be attending the Electronic Banking and Electronic Commerce conference. _______________________________________________________________ Name(s) _______________________________________________________________ Title(s) _______________________________________________________________ Organization Name _______________________________________________________________ Address _______________________________________________________________ Telephone and Fax Numbers Credit Card Information: Visa Mastercard (Circle One) ___________________________________________________________________ Account No. 
___________________________________________________________________
Expiration Date
__________________________________________________________________
Signature

If paying by check, please make payable to Fried, Frank, Harris, Shriver & Jacobson and mail to Debbie Rizzo at Fried, Frank, Harris, Shriver & Jacobson, Suite 800, 1001 Pennsylvania Avenue, N.W., Washington, D.C. 20004-2505.

Thomas P. Vartanian
Robert H. Ledig
David L. Ansell
Washington, D.C.
202-639-7200

Visit the 21st Century Banking Alert Page on the World Wide Web at http://www.ffhsj.com/bancmail/bancpage.htm

Copyright 1996. Fried, Frank, Harris, Shriver & Jacobson. All rights reserved. 21st Century Banking Alert is a trademark and servicemark of Fried, Frank, Harris, Shriver & Jacobson.

--- end forwarded text

-----------------
Robert Hettinga (rah at shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA
"If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo
The e$ Home Page: http://thumper.vmeng.com/pub/rah/

From frantz at netcom.com Tue May 21 00:48:27 1996
From: frantz at netcom.com (Bill Frantz)
Date: Tue, 21 May 1996 15:48:27 +0800
Subject: Is Chaum's System Traceable or Untraceable?
Message-ID: <199605201902.MAA16278@netcom8.netcom.com>

At 9:10 AM 5/20/96 -0700, Ian Goldberg wrote:
>However, if you use the "fully anonymous" protocol, change becomes trivial.
>You don't have to go online; the payer (the shop) does, which it assumedly
>already is. Another benefit is that coins received in this way as change
>are immediately spendable by you, without having to go online in between.

Perhaps I am confused, but I see no need for change in the fully anonymous protocol. I see the fully anonymous protocol as:

(1) The payee generates a coin for the amount of purchase, blinds it and gives it to the payer.
(2) The payer blinds it again and gives it to the bank, which signs it debiting the payer's account.
(3) The payer removes his blinding and gives the signed coin to the payee.
(4) The payee removes his blinding and deposits the coin.

Step 1 could be called a request for payment (an invoice), step 2 a withdrawal, step 3 the payment, and step 4 a deposit.

Is there another version which allows the payee to have an unconnected wallet of coins and get change in return?

------------------------------------------------------------------------
Bill Frantz       | The CDA means  | Periwinkle -- Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From ravage at ssz.com Tue May 21 01:03:43 1996
From: ravage at ssz.com (Jim Choate)
Date: Tue, 21 May 1996 16:03:43 +0800
Subject: An alternative to remailer shutdowns (fwd)
Message-ID: <199605202328.SAA14914@einstein.ssz.com>

Forwarded message:

> Date: Mon, 20 May 1996 15:02:08 -0700
> From: Hal
> Subject: An alternative to remailer shutdowns

> was apparently sent through my remailer. According to 18 USC 875(c),
> "Whoever transmits in interstate commerce any communication containing
> any threat to kidnap any person or any threat to injure the person of
> another, shall be fined not more than $1,000 or imprisoned not more
> than five years, or both." I may not be able to continue operating
> either of my remailers (alumni.caltech.edu and shell.portal.com) for
> much longer due to this kind of abuse.

There should be a section in there dealing with 'knowingly'. If not then we should immediately bring charges against any and all newspapers who have ever printed a ransom letter, or perhaps even the Unabomber Manifesto since there is clear evidence of 'threat to injure the person of another'.
Jim Choate From msmith at rebound.slc.unisys.com Tue May 21 01:06:34 1996 From: msmith at rebound.slc.unisys.com (Matt Smith) Date: Tue, 21 May 1996 16:06:34 +0800 Subject: (fwd) Re: Spoofed Flame Email (was Re: Clinton & the net) (fwd) Message-ID: <199605202111.VAA03440@rebound.slc.unisys.com> -----BEGIN PGP SIGNED MESSAGE----- Found on sci.crypt. Most of you have probably already seen it, but I sent it here for those who didn't Matt - --- [ begin forwarded message ] --- From: ebright at coil.com (Jim Ebright) Newsgroups: alt.privacy,alt.privacy.clipper,alt.security,alt.security.pgp,comp.org.cpsr.talk,comp.org.eff.talk,sci.crypt,alt.culture.internet,alt.culture.usenet Subject: Re: Spoofed Flame Email (was Re: Clinton & the net) Date: 17 May 1996 09:48:57 -0400 Organization: Central Ohio Internet Link, Inc. (614)242-3814 Lines: 65 Distribution: inet Message-ID: <4ni049$o4o at bronze.coil.com> References: <4mrt2u$li0 at newsserv.cs.sunysb.edu> NNTP-Posting-Host: bronze.coil.com Xref: news.cc.utah.edu alt.privacy:9606 alt.privacy.clipper:1204 alt.security:11072 alt.security.pgp:20972 comp.org.cpsr.talk:5281 comp.org.eff.talk:27326 sci.crypt:11937 alt.culture.internet:11856 alt.culture.usenet:21781 In article , Michael Deindl wrote: ... > >IMO anonymous remailers are a very good addition to the net. >Unfortunately some users are a destructive addition to the net and >abuse them. Oh, yes, and of course all these evil kiddy-porn dealers >use them, too. And after all: a good citizen has nothing to hide and >doesn't need anonymous-remailers.... > >(For the clueless: the last 2 sentences are sarcasm/irony) > I thought this excerpt taken from comp.risks would be interesting here... I snarfed it off a webpage where the user thought the comments about insecure keys was interesting.... I find the anon-remailer comments the most interesting... 
[From the RISKS digest]

Date: Fri, 8 Mar 1996 14:37:14 -0500 (EST)
From: Frank Sudia
Subject: CIA & NSA Run Remailers (Viktor Mayer-Schoenberger via Lisa Pease)

>Date: Mon, 4 Mar 1996 16:52:42 -0800 (PST)
>From: Lisa Pease
>To: jfk-conspiracy
>Subject: CIA & NSA run remailers (fwd)

I attended last week's "Information, National Policies, and International Infrastructure" Symposium at Harvard Law School, organized by the Global Information Infrastructure Commission, the Kennedy School, and the Institute for Information Technology Law & Policy of Harvard Law School.

During the presentation by Paul Strassmann, National Defense University, and William Marlow, Science Applications International Corporation, entitled "Anonymous Remailers as Risk-Free International Infoterrorists", the question was raised from the audience (Professor Charles Nesson, Harvard Law School) -- in a rather extended debate -- whether the CIA and similar government agencies are involved in running anonymous remailers, as this would be a perfect target to scan possibly illegal messages.

Both presenters explicitly acknowledged that a number of anonymous remailers in the US are run by government agencies scanning traffic. Marlow said that the government runs at least a dozen remailers and that the most popular remailers in France and Germany are run by the respective government agencies in these countries. In addition, they mentioned that the NSA has successfully developed systems to break encrypted messages with less than 1000-bit [public] keys and strongly suggested using at least 1024-bit keys. They said that they themselves use 1024-bit keys.

I asked Marlow afterwards if these comments were off or on record, he paused then said that he can be quoted.

So I thought I'd pass that on. It seems interesting enough, don't you think?

Viktor Mayer-Schoenberger, Information Law Project, Austrian Institute for Legal Policy

- --
 A/~~\A    Jim Ebright   NET Security: http://www.coil.com/~ebright/security.html
((0 0))_______ mailto:ebright at coil.com "I used to hunt elephants but I
 \  / the     \ don't do that anymore. There aren't enough of them" - Newt
 (--)\ OSU    | Gingrich to Andy Lodge, Theo.Roosevelt Cons. Award winner.

- --
Matt Smith - msmith at unislc.slc.unisys.com
"Nothing travels faster than light, with the possible exception of bad news, which follows its own rules." - Douglas Adams, "Mostly Harmless"
Disclaimer: I came up with these ideas, so they're MINE!

From jya at pipeline.com Tue May 21 01:13:24 1996
From: jya at pipeline.com (John Young)
Date: Tue, 21 May 1996 16:13:24 +0800
Subject: Byte on E-Money
Message-ID: <199605202149.VAA02924@pipe3.t1.usa.pipeline.com>

June Byte features "Electric Money," by Udo Flohr.

He reviews the key areas of security, authentication, anonymity and divisibility; examines the products of DigiCash, DEC, MS, RSA, IBM and others offering E-cash, digital checks, digital bank checks, smart cards and electronic coupons and tokens, with side glances at Europe's CAFE and Oscar.

Peter Wayner guarantees "How to Make a Million Dollars" by minting electric money.

From harmon at tenet.edu Tue May 21 01:15:37 1996
From: harmon at tenet.edu (Dan Harmon)
Date: Tue, 21 May 1996 16:15:37 +0800
Subject: Dave Harman
Message-ID:

Please, Do not confuse me with Dave Harman!!! He is not my evil twin.

Dan Harmon

From unicorn at schloss.li Tue May 21 01:20:38 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Tue, 21 May 1996 16:20:38 +0800
Subject: Toastmasters?
In-Reply-To:
Message-ID:

On Mon, 20 May 1996, Dr. Dimitri Vulis wrote:

> Black Unicorn writes:
>
> > On Mon, 20 May 1996, Senator Exon wrote:
> >
> > > How do corporations work, in terms of liability? If the cost of
> > > incorporating isn't forbidding, I would think a remailer operator might
> > > consider incorporating a company, and making the remailer a function of
> > > that company. That way, any losses are restricted to the total value of
> > > the corporation; that is, nothing. Any flaws? There must be something
> > > wrong with it somewhere.
> >
> > All the corporate officers are public knowledge.
>
> You seem to be confused. If the corporation isn't publicly traded, why should
> any information other than the address for service of process be public?

Ask every state which has such reporting requirements (which is every state in the union). If you wanted to form an offshore corporation you'd have to form an exempted one.

>
> > The corporate veil can pretty easily be perforated if there is a willful
> > attempt to avoid liability when conduct gets above a certain threshold.
> >
> > This would be pretty easy to show in the event the corporation never made
> > dime one and never intended to.
>
> What if the corporation intends to collect e-cash for operating the remailer?

That would clearly change the analysis.

> (Of course, one can still be sued...)
>
> ---
>
> Dr. Dimitri Vulis
> Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps
>

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55  E16D5378B81E1C96 - Finger for Current Key Information
Opp.
Counsel: For all your expert testimony needs: jimbell at pacifier.com

From alanh at infi.net Tue May 21 01:28:44 1996
From: alanh at infi.net (Alan Horowitz)
Date: Tue, 21 May 1996 16:28:44 +0800
Subject: Incorporating
In-Reply-To: <199605201016.DAA26766@netcom23.netcom.com>
Message-ID:

Corporations are creations of the Sovereign; for this reason they have no rights. Certainly not a right to Not Act As A Witness Against Oneself.

From jf_avon at citenet.net Tue May 21 01:33:10 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Tue, 21 May 1996 16:33:10 +0800
Subject: AP
Message-ID: <9605202031.AA06468@cti02.citenet.net>

On 20 May 96 at 14:51, Jim Ray wrote:

> [He IS L.D., nobody else would say "anti-pseudospoofing."]

Since I hit C'punks around 6 months ago, I have no idea who this mythical figure is, although I see the name pop up occasionally.

Is there a Detweiler FAQ somewhere?

> Why be Jimbellish just before an election. If AP is inevitable, OK,
> but why emphasis on murder when the press hates the 'Net? The people
> will support it because jimbell comes off as a LOON, and people
> dislike loons, and vote against them.

Interesting. Has AP ever popped up in the conventional media? Then, again, I know an awful lot of people who would applaud Bell. But most of them are not computer literate. They are from another generation, not brainwashed by "Don't ask what your country can do for you; ask what you can do for your country"...

> I'm 35, and I may actually die before I do.

I hope not. [Black humor] any AP proponents with an eye (or a buck) on you? :)

> >You'll note that the psycho-epistemology necessary to
> >commit murder is quite close to the one necessary to coerce people
> >to pay taxes.
>
> This kind of thinking might authorize a massive Cherokee
> massacre if it spread, IMO.

Please, do point out the similarities and the differences... I think that the context is very different.

> We must reach the "quit stealing"
> phase before nuts can fantasize about a revenge phase which
> likely will never be.

Are you talking of an open war a la Bosnia?

> We must either leave some wrongs in the
> past or be cursed with them forever.

This is what I was talking about taking things out of context. Since you agree on that, the Cherokee thing is ruled out. But govt actions are a matter of the present and future. Some people see it as legitimate self-defense.

Among the people who do not object to being coerced to pay taxes for services are two groups, the ones that: a) figure out that they get more than they pay and b) want to pay, even if they realize they get less than they pay for.

The a) group is much bigger than b). At least by an order of magnitude. Now, in a world where the govt would not use coercion on economical and fiscal matters, b) would keep giving. But what would a) do? What they've already done for a hundred years: push for legislation that favors them.

> Bottom line for me: "Two wrongs don't make a right."

Please state the basic premise that makes you declare what is "wrong" in the context of AP. I am not bugging you simply to do so. For example, do you think that, for ethical reasons, you are not only justified but actually *obligated* to use physical violence in certain contexts? I guess not. But many people think they have to...

I think that you simply try to evade the necessity of defining for yourself what exactly is what the govt is doing. Personally, I did not reach any conclusions yet.

> We must, as
> Libertarians, face the fact that taxation we object to is not seen
> by many people as coercive.

General opinion is not what defines truth nor reality. If I refuse to pay my taxes, they'll use physical violence to get what they want. You might object that I enjoyed the benefits of the spending of taxes, but I am yet to see any contract that I entered with "society".

> Even then, I prefer the judicial process to the oligarchy
> this scheme would entail

This scheme is *not* an oligarchy. Pay a visit to any good dictionary near you. Words have precise meaning and it is *much* better to stick to it... Actually, since it is ruled by money, it might be a "buckarchy", but again, everybody can spare a few bucks, so it might be a democracy too if you insist on twisting the meaning of words.

> and I think I'd be an easy target for
> wealthy statists, who could also use the system.

At first look, of course. But operationally, you have to consider the mind of the statist to figure out the likeliness of their using the system? I do not deny that it is very likely that a few statists will use the system. But most won't because they don't like to slay their milk cows. Remember, we are idea-processing machines.

> If Bell could post
> fewer times, he'd be more convincing. He is in many killfiles. JMR

Many people cannot stand to see any opinions that differ from theirs. But why care at all to be read by such people?

DePompadour, Societe d'Importation Ltee; Limoges porcelain, silverware and crystal
JFA Technologies, R&D consultants; physicists, technologists and engineers.
PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891
Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have accepted the above mentioned terms.

From steve at miranova.com Tue May 21 01:45:07 1996
From: steve at miranova.com (Steven L Baur)
Date: Tue, 21 May 1996 16:45:07 +0800
Subject: The Crisis with Remailers
In-Reply-To:
Message-ID:

>>>>> "Steve" == Steve Reid writes:

Steve> Ecash postage might discourage the average spammer, unless that
Steve> spammer has deep pockets.
With postage, the only spam I can
Steve> think of that would gain money or break even is a commercial
Steve> advertisment, and there's no point to using remailers for
Steve> commercial ads anyways, since people need to know how to
Steve> contact the business.

It isn't spam if they're paying for the traffic. Commercial advertisement through electronic mail is only evil because it is forced on someone against their wishes and on their dime. The current situation is much like a telemarketer calling long distance collect with billing done automatically, and you can't hang up until they're done with their spiel.

If it were standard practice for email recipients to charge the sender an ecash fee (waived if they thought the mail worth their time), it would make things much more interesting.

--
steve at miranova.com baur
Unsolicited commercial e-mail will be proofread for $250/hour.
Andrea Seastrand: For your vote on the Telecom bill, I will vote for anyone except you in November.

From jimbell at pacifier.com Tue May 21 01:48:33 1996
From: jimbell at pacifier.com (jim bell)
Date: Tue, 21 May 1996 16:48:33 +0800
Subject: The Crisis with Remailers
Message-ID: <199605210341.UAA25423@mail.pacifier.com>

At 09:32 AM 5/20/96 -0700, Ian Goldberg wrote:

>I mentioned this to Chaum, and he didn't really seem to agree with the need for
>something lower-level...
>
>Another problem with postage in Mixmaster: the minimum ecash payment is
>$0.01. Do we want to charge that much for email? Need we consider
>micropayments?

Absolutely! Given the exponentially increasing rate of data transmission ease, and corresponding cost reduction per bit, any "reasonable" minimum payment today becomes an unreasonable one tomorrow, and a hilariously outrageous one 10 years from now.

Suppose the US Government had put a "information storage tax" on hard disks in about 1980, of about $10 per megabyte which would have worked out to be about 1/20 of the retail value at that time.
Today, a 1.6 gigabyte hard disk would cost about $1850, which would be $250 for the drive and $1600 for the tax... Any more questions?

Many months ago, I suggested using the idea of "probabilistic payments," in which a person could make a very tiny purchase with a large coin, by in effect "gambling" with the payment: You could buy a 0.1-cent email with a 1-cent coin, in which the likelihood of actually paying is 10%. Statistically, both myself and the vendor will be happy in the long run. An advantage of this system is that the payments can be made arbitrarily small and of indefinite granularity: I can pay you 0.3156893 cents with only 1-cent coins.

I would be surprised if I was the first to think of such a system, at least in the ecash world, but I never heard anything to the contrary.

Jim Bell
jimbell at pacifier.com

From jamesd at echeque.com Tue May 21 01:50:14 1996
From: jamesd at echeque.com (jamesd at echeque.com)
Date: Tue, 21 May 1996 16:50:14 +0800
Subject: encrypted open books (Was why does the state still stand)
Message-ID: <199605202207.PAA05112@dns1.noc.best.net>

On Mon, 20 May 1996 jamesd at echeque.com wrote:

>> Look up Cyphernomicon, "open encrypted books"

At 01:30 PM 5/20/96 -0700, Wei Dai wrote:

> There is indeed a short section in the Cyphernomicon about encrypted open
> books. Unfortunately it doesn't describe it in detail,

An organization, such as a bank, issues signed, non-anonymous promises to pay to various nyms -- in other words bank accounts, or interest bearing bonds, or some such.

A nym would like to know what the total amount of such signed obligation is, so that he can be sure it is less than the total value of the institution's good name and readily findable and confiscatable assets.

But we do not want a bunch of outsiders getting a list of lots of private information about who owns what, (such as auditors who are usually in the pockets of the tax collectors).

The institution needs to be able to prove that it only owes total amount X in this form, without letting Tom, Dick, and Harry know who it owes amount X to, and why.

To do this it organizes its accounts in a binary tree, and constructs a one way checksum tree checksum, revealing to each customer the part of the tree he is on, all the way up to the root, which must be the same for all customers, and must be placed in some public place, so that any customer can tell that his account is included in the total openly admitted obligations of the institution, and any customer can, by revealing secret information, prove that he is one of the people that the institution has publicly admitted owing money to.

 ---------------------------------------------------------------------
                                      |
We have the right to defend ourselves | http://www.jim.com/jamesd/
and our property, because of the kind |
of animals that we are. True law      | James A. Donald
derives from this right, not from the |
arbitrary power of the state.         | jamesd at echeque.com

From shabbir at vtw.org Tue May 21 01:53:08 1996
From: shabbir at vtw.org (Voters Telecommunications Watch)
Date: Tue, 21 May 1996 16:53:08 +0800
Subject: INFO: Sen. Burns tells White House "Three strikes and you're out"
Message-ID: <199605210251.WAA25215@panix3.panix.com>

=============================================================================
Crypto-News

SENATOR BURNS (R-MT) TELLS THE WHITE HOUSE "THREE STRIKES AND YOU'RE OUT" OF THE ENCRYPTION DEBATE
BURNS SAYS CLIPPER III PLAN IS A "SWING AND A MISS"

Date: May 20, 1996
URL:http://www.crypto.com/
crypto-news at panix.com

If you redistribute this, please do so in its entirety, with the banner intact.
-----------------------------------------------------------------------------
Table of Contents
	News
	Text of press release from Senator Burns (R-MT)
	How to receive crypto-news

-----------------------------------------------------------------------------
NEWS

The hemorrhaging of the White House publicity campaign surrounding the Clipper III proposal that started in Interactive Week and the House of Representatives continues today in the Senate. Earlier today we received the attached press release from Senator Burns' (R-MT) office.

Although this author has not yet seen the proposal, it is wonderful to see Congress leading the fight against the White House on this issue. From the recent slew of encryption legislation (H.R. 3011, S.1587, & S.1726), it's clear that Congress understands that the best people in the world to sort out this issue are the public and industry. The three Clipper plans have been hatched by a secretive Executive agency without considering the needs of the public and industry.

This is the start of a highly-charged tug-of-war between Congress and the White House over who holds the keys to your privacy: you, or the government? Congress says you, the White House says the government. It's crucial that we support Congress as they go head-to-head with the White House.

Keep an eye out for the first leaks and analyses of the Clipper III report that will undoubtedly appear on the net soon.

DON'T FORGET! Senator Patrick Leahy (D-VT) will be on HotWired *THIS WEDNESDAY*, May 22nd at 4pm EST at http://www.hotwired.com/wiredside/

You can tune in and listen to the chat with the RealAudio software (http://www.realaudio.com). You can ask questions of the Senator through a moderator and get real, immediate responses.

-----------------------------------------------------------------------------
TEXT OF PRESS RELEASE FROM SENATOR BURNS (R-MT)

[Note that feedback to Senator Burns can be sent via email at conrad_burns at burns.senate.gov -Shabbir]

For immediate release:          Contact: Matt Raymond
Monday, May 20, 1996                     (202) 224-8150
                                         Randall Popelka
                                         (202) 224-6137

Burns: Clipper III Strikes Out
New Clinton Computer "Wiretap" Plan Circulates With Few Changes

WASHINGTON, D.C. - Montana Senator Conrad Burns today criticized the Clinton administration's latest computer security proposal as yet another government-driven mandate and urged swift passage of Burns' "Pro-CODE" bill, which addresses export of encryption technology and prohibits mandatory decryption-key escrow.

Burns reacted to the circulation of a draft administration proposal entitled "Achieving Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure." The proposal, dated May 10 and dubbed "Clipper III" by critics, moves toward the loosening and possibly eventual elimination of export controls on encryption technologies, but only if companies and individuals surrender a copy of their code keys to a government-approved third party.

"It's three strikes and you're out at the old ball game, and I would say that the third version of the administration's Clipper Chip proposal is a swing and a miss," Burns said. "It's time to quit relying on government mandates for what is truly a matter of great concern to the private sector: the expansion of commerce on the Internet and other computer networks.

"The administration has been using export restrictions as a billy club to force American companies into accepting government control over the keys to their computer files and transmissions.
At least this new proposal admits that the current 40-bit limit on exports is outdated and a poor guarantee of electronic security and integrity, but it again operates from the standpoint that the government, and not the private sector, knows best when it comes to key strength and control over those keys.

"We can only stick our heads in the sand for so long. It is important to point out that the criminals and trouble-makers who are apparently targets of this plan are unlikely to enroll in any key-escrow system. Law-abiding businesses and individuals would suffer at the hands of this misguided proposal.

"While this may appear to be a compromise of the administration's earlier positions, we have to remember that an executive action can be reversed just as quickly after an election year. It is crucial that we pass legislation to codify a solution to the administration's current outdated export policies, and to ensure that the government won't force anyone to give up the keys to their computers."

-----------------------------------------------------------------------------
HOW TO RECEIVE CRYPTO-NEWS

To subscribe to crypto-news, sign up from our WWW page (http://www.crypto.com) or send mail to majordomo at panix.com with "subscribe crypto-news" in the body of the message.

-----------------------------------------------------------------------------
End crypto-news
=============================================================================

From bogus@does.not.exist.com Tue May 21 02:12:35 1996
From: bogus@does.not.exist.com ()
Date: Tue, 21 May 1996 17:12:35 +0800
Subject: No Subject
Message-ID: <199605210419.VAA11932@netcom22.netcom.com>

! > The Australian law is (or was) based on the idea that if you charged
! > someone $2500 for eating the flesh of christ, it then becomes
! > legitimate for the government to check out whether or not the
! > customer was getting actual flesh of Christ.
!
! Well, although it makes for an expensive steak, it is still quite
!
cheap considering that in the days of JC, they did not have
! refrigerators. Must have gone to great pains to preserve the stuff!

Mohels suckle the blood from infants with vino as chaser. The origin of lycanthropy.

Love, Qut

From ravage at ssz.com Tue May 21 02:17:43 1996
From: ravage at ssz.com (Jim Choate)
Date: Tue, 21 May 1996 17:17:43 +0800
Subject: An alternative to remailer shutdowns (fwd)
Message-ID: <199605210413.XAA15795@einstein.ssz.com>

Forwarded message:

> From hfinney at shell.portal.com Mon May 20 22:32:43 1996
> Date: Mon, 20 May 1996 20:33:33 -0700
> From: Hal
> Message-Id: <199605210333.UAA04650 at jobe.shell.portal.com>
> To: cypherpunks at toad.com, ravage at ssz.com
> Subject: Re: An alternative to remailer shutdowns (fwd)
>
> I think Jim is right about the knowledge requirement, which although not
> stated explicitly in the statute, has been held by the courts to be an
> essential element. My point in quoting is more to show an example of the
> kinds of clearly illegal postings which operators have to deal with.
>

The point I was trying to make was that if this position is the official position of the FBI then they are guilty of the crime because they posted the Unabomber Manifesto in toto on their webpage which is accessible inter-state.

From declan+ at CMU.EDU Tue May 21 02:23:28 1996
From: declan+ at CMU.EDU (Declan B.
McCullagh)
Date: Tue, 21 May 1996 17:23:28 +0800
Subject: Feds Web Crypto
In-Reply-To: <199605201549.IAA00569@jobe.shell.portal.com>
Message-ID: <4lcGWn200YUzIZ89B3@andrew.cmu.edu>

Excerpts from internet.cypherpunks: 20-May-96 Feds Web Crypto by anonymous-remailer at shell
> Washington Post, May 20, 1996
>
> Feds on the Web

Speaking of the Washington Post, if anyone wants to try out their web site, which is in beta test right now, go to:

http://www.washingtonpost.com/
Username: wash
Password: post

-Declan

From jf_avon at citenet.net Tue May 21 02:26:40 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Tue, 21 May 1996 17:26:40 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAS
Message-ID: <9605210205.AA23433@cti02.citenet.net>

On 20 May 96 at 9:53, jamesd at echeque.com wrote:

> The Australian law is (or was) based on the idea that if you charged
> someone $2500 for eating the flesh of christ, it then becomes
> legitimate for the government to check out whether or not the
> customer was getting actual flesh of Christ.

Well, although it makes for an expensive steak, it is still quite cheap considering that in the days of JC, they did not have refrigerators. Must have gone to great pains to preserve the stuff!

Or did I misunderstand a few things?

JFA
The wall ("mur") is yellow, the banana is yellow, therefore the banana is ripe ("mure")!

From declan+ at CMU.EDU Tue May 21 02:29:22 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Tue, 21 May 1996 17:29:22 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
In-Reply-To: <01I4WUETAM528Y5FKU@mbcl.rutgers.edu>
Message-ID:

Excerpts from internet.cypherpunks: 20-May-96 Re: SEVERE undercapacity, w.. by "E. ALLEN SMITH"@ocelot.
> What countries are noticeable for being anti-Scientology? They would
> appear to be good locations for special-purpose remailer ultimate-output ends.

Actually, in addition to Germany being hostile, I believe that a bunch of Scientos were locked up in Spain recently...

Funny that. I was talking to one of the CoS vice presidents last week, who told me she just returned from a half year in Spain. :)

-Declan

From markm at voicenet.com Tue May 21 02:37:33 1996
From: markm at voicenet.com (Mark M.)
Date: Tue, 21 May 1996 17:37:33 +0800
Subject: L.D. FAQ
In-Reply-To: <9605202031.AA06468@cti02.citenet.net>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Mon, 20 May 1996, Jean-Francois Avon wrote:

> On 20 May 96 at 14:51, Jim Ray wrote:
>
> > [He IS L.D., nobody else would say "anti-pseudospoofing."]
> Since I hit C'punks around 6 months ago, I have no idea who this
> mythical figure is, although I see the name pop up occasionally.
>
> Is there a Detweiler FAQ somewhere?

Yes. It is somewhere on L.D.'s page at http://www.csn.net/~ldetweil/ .

- -- Mark

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm at voicenet.com              | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348
((2b) || !(2b))                 | Old key now used only for signatures
"The concept of normalcy is just a conspiracy of the majority" -me

From declan+ at CMU.EDU Tue May 21 02:42:30 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Tue, 21 May 1996 17:42:30 +0800
Subject: Interactive Week exclusive - White House to launch "Clipper III"
In-Reply-To:
Message-ID: <0lcI5du00YUzIZ8_JC@andrew.cmu.edu>

Excerpts from internet.cypherpunks: 18-May-96 Interactive Week exclusive ..
by Will Rodger at interramp.co
> The White House is about to answer recent attempts to liberalize encryption
> exports with a proposal of its own.
[...]
> The newest proposal is contained in a 24-page White Paper, a draft of which
> hit Capitol Hill earlier this week.

Kudos to Will for running this story. Today I snagged a copy of the White Paper, which comes with 12 pages of tortured crypto-justifications and 12 pages of appendices, with darling hierarchical diagrams of how U.S. and foreign certification authorities will interact. (Hint: The PAA, or Policy Approving Authority, is at the root of each country's or region's certification hierarchy.)

It's very anti-anonymity:

"Without a KMI of trusted certifying authorities, users cannot know with whom they are dealing on the network..."

And not very cypherpunkly:

"A number of principles need to be accepted by government, industry and other users... Self escrow will be permitted under specific circumstances. The escrow agent must meet performance requirements for law enforcement access."

Basically, what the White Paper does is pay lip service to free market competition and suggests loads of government/industry initiatives, but it's always with the gummit wearing the steel gauntlet beneath the felt gloves. It concludes by promising industry a transition into unlimited key-lengthy export, provided they follow the rules:

"As trusted partners, industry and government can share expertise and tackle intractable problems such as the insecure operating system. In times past, the cryptographic algorithm was the core of the solution: now it is the easy part. The debate over algorithms and bit lengths should end: it is time for industry and governments to work together to secure the GII in such a way that does not put the world at risk."

-Declan

From loki at infonex.com Tue May 21 02:51:07 1996
From: loki at infonex.com (Lance Cottrell)
Date: Tue, 21 May 1996 17:51:07 +0800
Subject: The Crisis with Remailers
Message-ID:

At 10:40 AM 5/20/96, sameer at c2.org wrote:

>>
>> Another problem with postage in Mixmaster: the minimum ecash payment is
>> $0.01. Do we want to charge that much for email? Need we consider
>> micropayments?
>>
>
> one cent could well be too low.
>

An interesting problem with anonymous postage is that it is likely to kill cover traffic generators.

-Lance

----------------------------------------------------------
Lance Cottrell loki at obscura.com
PGP 2.6 key available by finger or server.
Mixmaster, the next generation remailer, is now available!
http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com

"Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche
----------------------------------------------------------

From unicorn at schloss.li Tue May 21 02:55:46 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Tue, 21 May 1996 17:55:46 +0800
Subject: WELCOME TO THE NEW ROMAN EMPIRE
In-Reply-To: <199605201541.LAA17549@jekyll.piermont.com>
Message-ID:

On Mon, 20 May 1996, Perry E. Metzger wrote:

>
> Dave Harman writes:
> > Qut may attend the [cypherpunks] meeting to verify the racial
> > compositions of the group.
>
> Why? You have something against black people?

I think it was Asians which upset him.

>
> .pm
>

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55  E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From declan+ at CMU.EDU Tue May 21 02:56:17 1996
From: declan+ at CMU.EDU (Declan B.
McCullagh)
Date: Tue, 21 May 1996 17:56:17 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
In-Reply-To: <01I4WUETAM528Y5FKU@mbcl.rutgers.edu>
Message-ID:

Excerpts from internet.cypherpunks: 20-May-96 Re: SEVERE undercapacity, w.. by "E. ALLEN SMITH"@ocelot.
> What countries are noticeable for being anti-Scientology? They would
> appear to be good locations for special-purpose remailer ultimate-output ends.

Germany is the first one that comes to mind.

-Declan

From tcmay at got.net Tue May 21 03:07:36 1996
From: tcmay at got.net (Timothy C. May)
Date: Tue, 21 May 1996 18:07:36 +0800
Subject: Remailers, Copyright, and Scientology
Message-ID:

At 6:15 PM 5/20/96, Rich Burroughs wrote:

>At 01:08 AM 5/20/96 -0700, tcmay at got.net (Timothy C. May) wrote:
>[snip]
>>And the issue of CoS seeking legal actions against those they claim are
>>violating their copyrights is separable from their religious status.
>
>Not at all. Their actions are based on their religious doctrines, as passed
>down by Hubbard. "Always attack, never defend." Their claims of copyright
>violation are part of an ongoing effort to silence those who criticize their
>illegal and immoral practices. They should be examined in that context.

I don't care what their motivations, religious or other, are. As I see it, some people here (including some good friends of mine, by the way) are caught up in a religious war. Those opposed to CoS are "outing" putative CoS secrets by aggressive use of remailers. The CoS is fighting back. Is anyone surprised?

>> As I
>>have said many times, "Newsweek" would likely take similar actions in
>>similar circumstances.)
>
>AFAIK, "Newsweek" does not file lawsuits just for the purpose of harassment,
>as Hubbard counselled his followers to do.
AFAIK, "Newsweek" does not hire >PIs to harass those who criticize them. Well, I have heard Brad Templeton (Hi, Brad!, when you find this reference to yourself with Alta Vista) say several times why he and his company, Clarinet, aggressively go after those he thinks are infringing. Brad has to protect his copyrights, or the transitive copyrights of AP, Reuters, etc., that he acquires through licensing. And as I recall, a whole bunch of people have gotten "cease and desist" letters. Even some friends of mine. This gets less attention than do similar letters sent to Grady Ward and Keith Henson, for example, because Grady, Keith, and others are caught up in a Holy War against L. Ron, and the Battles with the Clams are more interesting to most of us than some otherwise-obscure copyright infringement filed by "Newsweek." (Having worked at Intel for a number of years, let me assure you right away that if remailers were used to post internal Intel documents--and I don't mean stuff like the "unauthorized opcodes"--that Intel would come down on the remailer sites and anyone else they could reach like two galaxies colliding. By the way, I expect something like this to happen eventually.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From markm at voicenet.com Tue May 21 03:19:53 1996 From: markm at voicenet.com (Mark M.)
Date: Tue, 21 May 1996 18:19:53 +0800 Subject: An alternative to remailer shutdowns In-Reply-To: <199605202202.PAA27515@jobe.shell.portal.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Mon, 20 May 1996, Hal wrote: > I was contacted by the FBI on Friday due to some threatening mail which > was apparently sent through my remailer. According to 18 USC 875(c), > "Whoever transmits in interstate commerce any communication containing > any threat to kidnap any person or any threat to injure the person of > another, shall be fined not more than $1,000 or imprisoned not more > than five years, or both." I may not be able to continue operating > either of my remailers (alumni.caltech.edu and shell.portal.com) for > much longer due to this kind of abuse. > [...] > > My thought is to turn the block list concept on its head, and make it a > "permit list". Simply, the remailer will only send mail to people who > have voluntarily indicated their willingness to receive it. Someone who > has not sent in a message granting this permission will not be sent > mail. For larger forums such as newsgroups and mailing lists, permission > may be granted by some consensus mechanism. Most would be blocked, but a > few like alt.anonymous.messages and the cypherpunks list would be > permitted, and others could be added if they wished. > > This should hopefully essentially eliminate complaints about abuse, > much more effectively than the current method of block lists. People > who want to test the remailer by sending mail to themselves, as most > people do when they are learning, can simply register themselves on the > permit list. People who want to receive anonymous mail, or participate > in anonymous mailing lists, can register themselves. People who want > to use nyms can register themselves. People who run other remailers > can register. It's all voluntary, and if someone does get some > objectionable message at least they will know that they granted > permission. 
They can always ask to be taken off the list. One problem I see with this is that if even one remailer operated using the block lists instead of permit lists, then every other remailer in the chain could hypothetically be held accountable for the contents of the message. This idea of permit lists makes sense, but I am not sure it would really solve anything. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xe3bf2169 http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348 ((2b) || !(2b)) | Old key now used only for signatures "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv -----END PGP SIGNATURE----- From jimbell at pacifier.com Tue May 21 03:22:14 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 21 May 1996 18:22:14 +0800 Subject: Is Chaum's System Traceable or Untraceable? Message-ID: <199605210341.UAA25407@mail.pacifier.com> At 09:10 AM 5/20/96 -0700, Ian Goldberg wrote: >>So are there any flaws with above procedure? > >Yup; with the current protocols, there's no way to do change. For the shop >to pay you change, besides suddenly losing your anonymity as a payee, you >would have to go online immediately to clear the coins, which assumedly >is infeasible. > >However, if you use the "fully anonymous" protocol, change becomes trivial. >You don't have to go online; the payer (the shop) does, which it assumedly >already is. Another benefit is that coins received in this way as change >are immediately spendable by you, without having to go online in between. > >The "fully anonymous" protocol turns out to be _exactly_ what is needed >for situations like this.
Wouldn't it be interesting if someday, somebody paying for something with digital cash asked the shopkeeper "Why can't you give me change for my purchase?" and the answer was, "If we could give you change, you could overthrow all the governments in the world." Jim Bell jimbell at pacifier.com From dlv at bwalk.dm.com Tue May 21 03:32:33 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Tue, 21 May 1996 18:32:33 +0800 Subject: Assassination politics Message-ID: So, how would I go about betting that a certain AIDS patient in Seattle area won't have his legs broken? :-) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From hfinney at shell.portal.com Tue May 21 03:51:38 1996 From: hfinney at shell.portal.com (Hal) Date: Tue, 21 May 1996 18:51:38 +0800 Subject: An alternative to remailer shutdowns (fwd) Message-ID: <199605210333.UAA04650@jobe.shell.portal.com> From: Jim Choate > > From: Hal > > "Whoever transmits in interstate commerce any communication containing > > any threat to kidnap any person or any threat to injure the person of > > another, shall be fined not more than $1,000 or imprisoned not more > > than five years, or both." > > There should be a section in there dealing with 'knowingly'. If not then we > should immediately bring charges against any and all newspapers who have > ever printed a ransom letter, or perhaps even the Unibomber Manifesto since > there is clear evidence of 'threat to injure the person of another'. I think Jim is right about the knowledge requirement, which although not stated explicitly in the statute, has been held by the courts to be an essential element. My point in quoting is more to show an example of the kinds of clearly illegal postings which operators have to deal with.
Hal From admin at anon.penet.fi Tue May 21 03:52:47 1996 From: admin at anon.penet.fi (admin at anon.penet.fi) Date: Tue, 21 May 1996 18:52:47 +0800 Subject: Anonymous info Message-ID: <9605210131.AA28441@anon.penet.fi> You have requested information about your account at anon.penet.fi. Your code name is: Your real e-mail address is: Your nickname is: <> Your password is: <> Regards, admin at anon.penet.fi From minow at apple.com Tue May 21 04:01:56 1996 From: minow at apple.com (Martin Minow) Date: Tue, 21 May 1996 19:01:56 +0800 Subject: "Very Famous Reporter" Message-ID: >From a message by Robert Hettinga: >> I was talking to someone who was talking to someone (have I said this is a >> rumor yet?) who was solicited for comment by a Very Famous Reporter ... At a lecture about his recent book, John Markoff, the New York Times' Silicon Valley reporter, said (and I quote from memory): "The most dangerous animal on earth is a reporter on deadline." Martin Minow minow at apple.com From jsw at netscape.com Tue May 21 04:12:03 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Tue, 21 May 1996 19:12:03 +0800 Subject: Unix plugins for Netscape (Was: Calling other code in Java applications and applets) In-Reply-To: <3185E5B6.3EE8@netscape.com> Message-ID: <31A168B8.235F@netscape.com> Ian Goldberg wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > In article <31887DD0.300F at netscape.com>, > Jeff Weinstein wrote: > >Ian Goldberg wrote: > >> > >> -----BEGIN PGP SIGNED MESSAGE----- > >> > >> In article <3187209C.3E5B at netscape.com>, > >> Jeff Weinstein wrote: > >> > > >> > It might be interesting to make a small plugin that just does some core > >> >stuff like gathering entropy, mod-exp, and related stuff difficult or too > >> >slow in java. I mainly brought it up because people were asking about > >> >calling native code from java. > >> > > >> In an alternate universe in which I didn't have projects to finish, I may > >> be interested in doing something like this. 
However, I haven't been able > >> to find information on how to write Unix (or preferably portable) plugins. > >> > >> Any hints? > > > > You can get the unix plugin SDK from ftp://ftp20.netscape.com/sdk/unix/ > > > I downloaded this, and I notice you don't have a "makefile.linux". Is that > just because no one's bothered to make one, or does Linux Atlas actually > not support plugins at all? (Quickly checking the binary...) I see that > Linux Atlas is still a.out. Ick. That would make supporting plugins > pretty tough. If it were in ELF, things would be _way_ easier; in fact, > I'd probably say trivial (but that's just me). > > I'd venture a guess that most people who have a Linux box sufficiently cool > to run netscape at all, have the ability to run ELF. In fact, there are > probably a lot of people (like everyone who bought Slackware 3.0 or a recent > RedHat) for which netscape is the _only_ a.out binary on their system. > > The reason I'm pointing this out is (obviously) because Linux is my main > development platform, and I'd like to be able to try writing plugins > for things like crypto and ecash. > > - Ian "Add me to the 'Make an ELF Linux binary!!!' list..." Ask and ye shall receive. 3.0b4 for Linux is in elf format. Sorry, but I don't know what the deal is with plugins on linux. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From tcmay at got.net Tue May 21 04:15:41 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 21 May 1996 19:15:41 +0800 Subject: An alternative to remailer shutdowns (fwd) Message-ID: At 3:33 AM 5/21/96, Hal wrote: >From: Jim Choate >> There should be a section in there dealing with 'knowingly'. 
If not then we >> should immediately bring charges against any and all newspapers who have >> ever printed a ransom letter, or perhaps even the Unibomber Manifesto since >> there is clear evidence of 'threat to injure the person of another'. > >I think Jim is right about the knowledge requirement, which although not >stated explicitly in the statute, has been held by the courts to be an >essential element. My point in quoting is more to show an example of the >kinds of clearly illegal postings which operators have to deal with. "Scienter" is the legal term for having knowledge. This is one reason we often talk about the dangers of remailers looking at what flows through their systems. Not so much to establish "common carrier" status, especially as that kind of status is just not something one sets out to establish!, but because the protection of being ignorant gets tossed out as soon as one admits to screening, or editing. This is not perfectly accurate in all situations. A bookstore owner is generally not held liable for the contents of the books in his store, even though he makes certain choices about what to carry and what not to carry. A magazine editor is more often held liable for content of articles (e.g., infringing materials, libel, etc.). We discussed this many times when I was on the Cyberia list. As best I could figure things out, the bookstore owner is excused from liability because we can't expect he'll have actually read the books in his store, even if he chooses which ones to carry, but we expect that the editor of "The New Republic" has personally looked at all of the articles, or had a staff of underlings do so. BTW, I think that remailer operators don't fit either the publishing or bookstore models. While it is tempting to compare them to telephones, I think a better comparison is to *package delivery services* like the U.S. Postal Service, UPS, Federal Express, Airborne, etc.
As we have discussed *so many* times (:-}), these package delivery services cooperate in various ways with law enforcement investigations, e.g., shipping of drugs by FedEx, but they are not held liable for illegal materials delivered or for crimes committed with the aid of their services. (And these delivery services DO NOT always insist on valid return addresses, in case anyone brings this up. Letters can be dropped in mailboxes, obviously, and pre-paid mailers are available. When I've used FedEx, I don't recall any checks of my identity.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From loki at infonex.com Tue May 21 04:17:15 1996 From: loki at infonex.com (Lance Cottrell) Date: Tue, 21 May 1996 19:17:15 +0800 Subject: Remailers & what they get out of it... Message-ID: At 11:17 PM 5/19/96, E. ALLEN SMITH wrote: >From: IN%"ravage at ssz.com" "Jim Choate" 18-MAY-1996 09:43:06.96 >>To me the biggest problem with the crypto work right now is that not enough >>professionals are involved. If more remailers and such were initiated as >>a business there would be legal avenues to explore. Also, in this vein is >>the apparent lack of support for commercial ventures by developers of such >>apps as MixMaster (whose license explicitly prohibits commercial use). > > It prohibits commercial use? That's silly. Is it a >holdover from when the idea was to turn Mixmaster into a company? > Mixmaster is licensed under the GNU copyleft.
-Lance ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche ---------------------------------------------------------- From anonymous-remailer at shell.portal.com Tue May 21 04:22:26 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Tue, 21 May 1996 19:22:26 +0800 Subject: DOS/WINDOWS Mixmaster Client Message-ID: <199605210105.SAA10207@jobe.shell.portal.com> Anyone know if there is a DOS or Windows version of the mixmaster client? From llurch at networking.stanford.edu Tue May 21 04:28:21 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 21 May 1996 19:28:21 +0800 Subject: An alternative to remailer shutdowns In-Reply-To: <0lcIFJS00YUzEZ8AMk@andrew.cmu.edu> Message-ID: On Tue, 21 May 1996, Declan B. McCullagh wrote: > An alternative I am considering would reduce the utility of the remailer > while still allowing these "consensual" uses to continue. Presently the > remailers deal with abuse via "block lists", sets of addresses that mail > can't be sent to. Generally these are created when someone complains > about some mail they have received. By setting up blocking, at least > they will not get harassing anonymous mail once they have complained. > But in some cases, as in the case that is causing me headaches now, even > one message is too much. > > My thought is to turn the block list concept on its head, and make it a > "permit list". Simply, the remailer will only send mail to people who > have voluntarily indicated their willingness to receive it. How would you know that the message you received is actually from them?
I don't see how this would really help. I like the "knock-knock" approach, though it would of necessity impose load. If someone has an anonymous message waiting, send them a simple note with instructions on how to retrieve it. From: Anonymous Remailer To: random person An anonymous message is waiting for you. If you wish to receive this message, simply send an email message with [some unique string, maybe an MD5 hash of the actual message] in the body of a message to hfinney at shell.portal.com. The simplest way to do this is to reply to this message, quoting this text. I certainly think that limiting newsgroup posting would be prudent. It's inexcusable that it's possible to use anonymous remailers to post *forgeries* (see the smoking flames cross-posted to alt.syntax.tactical). -rich From root at edmweb.com Tue May 21 04:32:58 1996 From: root at edmweb.com (Steve Reid) Date: Tue, 21 May 1996 19:32:58 +0800 Subject: Hiding remailers behind nymservers...? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- This 'middle-man' remailer... What does it really accomplish? Sure, the operator is hidden, but that's only because of his/her nym at c2.org... AFAICS, the 'middle-man' has just taken the liability off himself and put it on the unhidden remailers. Why not just use the existing unhidden remailers??? I think this is similar to the idea that came up about having some (but not all) remailers only deliver to other remailers, for use as any link in a chain except the last link. The operator doesn't have his email address attached to spam, and there's very little liability because Co$ and other pressure groups will always(?) go after the last remailer in the chain, since that's the only one they can know was involved. I think the pseudonymously hidden remailer is an interesting idea, but I don't think it offers anything over the unhidden remailers, since it's still depending on the unhidden ones.. 
If you want to avoid liability, what's wrong with running a remailer that only delivers to other remailers, as I mentioned above? Am I missing something here? ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP (2048/9F317269) Fingerprint: 11C89D1CD67287E68C09EC52443F8830 | | -- Disclaimer: JMHO, YMMV, TANSTAAFL, IANAL. -- | ===================================================================:) -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv -----END PGP SIGNATURE----- From wmono at direct.ca Tue May 21 04:33:41 1996 From: wmono at direct.ca (William Ono) Date: Tue, 21 May 1996 19:33:41 +0800 Subject: An alternative to remailer shutdowns In-Reply-To: Message-ID: On Mon, 20 May 1996, Don may have written: > Re: "permitted" list > > Addresses must be hashed. That makes sense. I don't think the processing time is very significant here. Even using somewhere where collisions can be created is not much of a problem, as email addresses tend to be picky for syntax. > Possibly auto-added to the list when mail comes > from that address. How would mail spoofing be prevented? Sending mail with a given From: address is laughably trivial, even making Received: look feasible is easy. Having people PGP-sign their 'add' requests might work, but then anybody can create any keys with any email address attached to it. Asking the remailer operator to verify each key would be unimaginable.
Sending back acknowledgements suffers from storage problems, processing power problems, and also makes it significantly easier for traffic analysis. (One mail in, one mail out, one mail in, lots of mails out. Pairs of mails roughly corresponding.) On the whole, I think the idea of 'permit lists' is good, but not one that is very workable under the current "structure". IANACoNE (cryptologist or network expert) -- ** NOTE NEW KEY ** As of 08/28/95! Old key 0x2902B621 COMPROMISED! William Ono PGP Key: F3F716BD fingerprint = A8 0D B9 0F 40 A7 D6 64 B3 00 04 74 FD A7 12 C9 = fingerprint PGP-encrypted mail welcome! "640k ought to be enough for everybody." From tcmay at got.net Tue May 21 04:39:20 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 21 May 1996 19:39:20 +0800 Subject: The Crisis with Remailers Message-ID: At 5:25 AM 5/21/96, Lance Cottrell wrote: >An interesting problem with anonymous postage is that it is likely to kill >cover traffic generators. > I doubt it. It's easy enough for remailers to, for example, pass out free tokens to other remailer operators. (Jukebox and other coin-op concessions often pass out tokens (slugs, or marked coins) to storeowners and bartenders to use to stimulate the market.) --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Tue May 21 04:43:46 1996 From: tcmay at got.net (Timothy C.
May)
Date: Tue, 21 May 1996 19:43:46 +0800
Subject: PROTOCOL: Encrypted Open Books
Message-ID:

Wei Dai wrote:

"There is indeed a short section in the Cyphernomicon about encrypted open
books. Unfortunately it doesn't describe it in detail, and since the hks.net
archive is down, I can't look up Eric Hughes' original e-mail on the topic.
If anyone has a copy of it in his personal archive, please repost it. I'm
sure other people would be interested as well."

Your wish is my command!

>Date: Mon, 16 Aug 93 13:57:51 -0700
>From: Eric Hughes
>To: cypherpunks at toad.com
>Subject: PROTOCOL: Encrypted Open Books
>Status: OR
>
>Kent Hastings wondered how an offshore bank could provide assurances
>to depositors. I wondered the same thing a few months ago, and
>started working on what Perry calls the anonymous auditing problem. I
>have what I consider to be the core of a solution.
>
>All the following protocols and ideas are in the public domain.
>
>The following is long.
>
>My notation here will also be much less formal than I am capable of; I
>don't want to make the uninitiated read TeX.
>
>The basic idea is that summation can be performed encrypted by using
>exponentiation in a finite field. That is, if I represent an amount x
>by g^x and an amount y by g^y, then I can compute the sum of x and y
>by multiplying g^x and g^y, getting g^(x+y). Very basic.
>
>So let us take a very simple version of this protocol, which leaves
>out many desiderata. If a shared funds account, say, has a bunch of
>transactions made on it, then we can publish each of those amounts x_i
>(for the non-TeX'd, underscore means subscript) encrypted as g^(x_i).
>I know what my transaction number, i, is, and what the amount was, so
>I can verify that my transaction appeared in the public list. We also
>publish the beginning and ending balances, giving us a total
>difference X. Now anyone can verify that g^X equals g^(Sum_i x_i).
>That is, everyone can verify that the aggregate effect of the
>transactions is what is claimed without revealing the amounts of any
>of them.
>
>What does this protocol reveal? It reveals the number of transactions
>on each account and thus the total number of transactions. It is also
>subject to known plaintext attack. If I get an account on this system
>and make one transaction in each amount, I can decrypt by table lookup
>the whole transaction flow. The total number of transaction accounts
>is also revealed, or, for a bank, the number of customers.
>
>We can easily solve the known plaintext attack by blinding each
>transaction. Instead of publishing pairs , we have for
>each transaction a blinding factor r_i and publish triples
>
>
>
>The notation has grown. g is a generator of a finite field G, and h
>is a generator of a different finite field H.
>
>We also publish R = Sum_i r_i in addition to X = Sum_i x_i.
>
>What is the public verification procedure? Basically the same as the
>first case, but in addition taking into account the blinding factors.
>
>Step 1. Calculate Product_i h^(r_i) and make sure that it equals h^R.
>This validates the blinding factors.
>
>Step 2. Calculate Product_i g^(x_i + r_i) and make sure that it
>equals g^(X+R). This, given the validity of the blinding factors,
>validates the actual transactions.
>
>How does this resist known plaintext attack? Since the blinding
>factors r_i are flatly distributed over their range (caveat! you pick
>the order of G smaller than of H to assure this), the x_i + r_i sum
>acts exactly as a one-time pad to encrypt the amount. In summary,
>what is going on here is that both the messages (amounts) and the keys
>(the blinding factors) are being sent out as images of one-way
>functions (exponentiations) that preserve exactly the relationships
>that we want.
>
>There's more. For a real business, we want to keep double entry books
>and not just single entry accounts as above.
By extending the number
>of terms in the transaction, we can do that too. In double entry
>bookkeeping, the total amounts for each transaction must sum to zero
>over the various accounts being transacted upon; I say this knowing
>that when you print out the information for an accountant you'll have
>to do some sign twiddling for the asset and liability/equity halves of
>the books. Also, a single transaction may involve more than two
>accounts, even if in practice most involve only two.
>
>The basic idea here is that each transaction is a set of the above
>transactions whose sum must be zero. So for a transaction i, we publish
>a set of triples, indexed by j,
>
>    < T_i,j, g^( m_i,j + r_i,j ), h^( r_i,j ) >
>
>where the subscripts are doubly indexed and where T_i,j represents the
>account that amount m_i,j is changing. Now we can perform, on each
>transaction, the following very similar verification procedure for
>each fixed i.
>
>Step 1. Verify that Product_j h^( r_i,j ) = 1. This verifies that
>the blinding factors sum to zero.
>
>Step 2. Verify that Product_j g^( m_i,j + r_i,j ) = 1. Since the
>blinding factors sum to zero, this ensures that the transaction
>amounts sum to zero.
>
>Note that both of these sums are done over j, not i. In other words,
>we validate each transaction individually.
>
>Now we also publish aggregate changes in the public accounts just as
>before. The holders of private accounts know how their accounts
>have changed. Then we can use the single account verification
>method as above to verify that the totals match. Everyone can verify
>that the public accounts match, and the holders of private accounts
>can verify that they match.
>
>To summarize: The transactions are doubly indexed. If you group by
>transaction, then you verify that each transaction sums to zero. If
>you group by account, then you verify that the change in that account
>is as expected, be it public or private.
>
>In the scenario that Kent originally proposed, one of the public
>accounts would be a gold account, which through independent public
>auditing would be verified to be accurate. I personally would not use
>gold but rather denominate certain accounts in shares of mutual funds,
>which are resistant to the currency inflations of mining and stockpile
>sales.
>
>What information is still being disclosed? The most worrisome to me
>is that the total number of transactions per account is revealed, that
>is, aggregate activity, but not total money flux. I have an insight
>that may allow the _account_ to be blinded as well as the amounts, and
>be revealed in aggregate just as the amounts are, but I have not
>worked out the details because I am not fully up to speed on the
>relevant math.
>
>BEGIN BIG MATH
>I only expect a few people to follow the next paragraphs, so if you
>don't understand it, skip it.
>
>Here's the idea. The modular exponentiation is performed in a finite
>ring. We choose a ring that has lots of distinct prime ideals of
>sufficiently large order. To each account we assign one ideal. We
>represent dollar amounts as elements of this ideal; since the ideal is
>prime, this is straightforward. The property of the ideal we use is
>that the sum of any two elements of the ideal is also in the ideal.
>Hence by partitioning the ring, we also partition the computation of
>the accounts. We are blinding the transactions by account because we
>rely on the fact that blinding is not an intra-ideal operation, and
>thus does not preserve that invariant, which would otherwise be
>public.
>
>We must be careful not to allow operations that would result in an
>element which was in the intersection of two ideals. This requires
>upper bounds both on the transaction amount and on the number of
>transactions per cycle.
There might be rings of order p^n+1 which
>would be suitable for these operations, but I am not sure of the
>security of the discrete log in such cases, except for p=2, in which
>case it is bad.
>
>END OF BIG MATH
>
>The protocol as specified, though, is useful as it stands. I have not
>specified all the details. For example the blinding factors should
>likely be created in a cooperative protocol at the point of
>transaction; blinding factors for intra-bank transactions should not
>contain subliminal channels. Certificates of deposit and withdrawal
>should be tied to the published transaction information. Etc.
>Remember, this is the core of an idea.
>
>One criticism I do wish to address now. I don't think it matters if
>the bank manufactures fake transactions. The customer can reveal the
>sum of all the blinding factors for transactions on that account, in
>public, and can thus prove what should have been there. Since the
>blinding factors were committed to in public, there is a strong
>assurance that these blinding factors are what they are claimed to be.
>This in itself can be made into an actual proof of liability. Note
>that even this revelation does not compromise individual
>transactions. It only reveals the aggregate value change, which is
>exactly what is at issue with the bank.
>
>On the other hand, all of the bank assets that are held external to
>that organization can be externally audited in the same way. The
>other institutions that hold money might be persuaded to undertake a
>legal obligation to honor what the encrypted open books say they
>should have; this may not be difficult because they can verify that
>their record of the transactions matches what has been published.
>
>If we use the contents of the encrypted books at the organizational
>boundary points to create suitable legal obligations, we can mostly
>ignore what goes on inside of the mess of random numbers.
>That is,
>even if double books were being kept, the legal obligations created
>should suffice to ensure that everything can be unwound if needed.
>This doesn't prevent networks of corrupt businesses from going down
>all at once, but it does allow networks of honest businesses to
>operate with more assurance of honesty.
>
>Eric

From tcmay at got.net Tue May 21 04:44:41 1996
From: tcmay at got.net (Timothy C. May)
Date: Tue, 21 May 1996 19:44:41 +0800
Subject: Long-Lived Remailers
Message-ID:

At 4:56 PM 5/20/96, Rev. Mark Grant, ULC wrote:

>With regard to the problems of remailers being shut down when we want
>long-lived addresses, wouldn't separating the input and output be one
>possibility? That is (like Hal's Alumni remailer) you'd send mail to
>'remailer at anon.ai' and it would be forwarded via a disposable account
>elsewhere. All messages would appear to come from 'disposable at foo.com' and
>if that account was shut down a new one could be opened to replace it
>while incoming mail simply backed up at the main remailer account.

This is a very good idea. It keeps the advantages of having persistent accounts (which other users, chaining programs, etc. can use) while making it appear that the mail is coming from another account.

"Security through obscurity," I hear you snort. Well, not really. The _legal_ account is the one that an unhappy recipient sees on the "From:" line. The Church of Scientology sees "disposable at foo.com" and fires off a letter to foo.com requesting that foo.com cause this account to disappear. So it does, but "transient at bar.com" picks up the slack.

An idea worth trying, of formally/legally separating the functions.

Of course, in some sense this is a special case of having disposable accounts for "instant remailers" (see recent thread on this).

>The only potential problem I could see would be that the disposable ISP
>might have logs which could track the outgoing messages back to the other
>account.
>You'd also obviously need to open the disposable account
>anonymously or using an ISP who'd protect your identity.

Traffic analysis will be quite easy to do, of course, as all mail sent to the persistent address comes out of the "disposable at foo.com" address. Q.E.D.

(Hal, to use him as the example, could start using his own choice of remailer hops to accomplish much the same result. We've talked about this for a long time, too. If I ran a remailer, I think I'd route *all* traffic leaving my site through at least one other remailer...kind of a "hot potato" effect. Of course, if _everyone_ did this, an infinite loop would result. Lots of interesting twists, though, as messages could be set to "leak out" of the loops.)

But this scheme, here, and Mark's scheme, are variants on the idea of trying to make the remailers less clearly-identifiable targets.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From llurch at networking.stanford.edu Tue May 21 04:48:36 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Tue, 21 May 1996 19:48:36 +0800
Subject: WELCOME TO THE NEW ROMAN EMPIRE
In-Reply-To: <199605201541.LAA17549@jekyll.piermont.com>
Message-ID:

Since we've already descended into the gutter, I might as well chime in with the standard:

Dave Harman is, as far as I can tell, a troller whose only interest is in causing fights. Some people think he's a racist, but I think he's just an asshole with no convictions of any kind.
http://www.almanac.bc.ca/cgi-bin/ftp.pl?people/h/harman.david

-rich

On Mon, 20 May 1996, Perry E. Metzger wrote:

> Dave Harman writes:
> > Qut may attend the [cypherpunks] meeting to verify the racial
> > compositions of the group.
>
> Why? You have something against black people?
>
> .pm

From root at edmweb.com Tue May 21 04:52:14 1996
From: root at edmweb.com (Steve Reid)
Date: Tue, 21 May 1996 19:52:14 +0800
Subject: The Crisis with Remailers
In-Reply-To: <199605192015.NAA15002@netcom17.netcom.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

> [remailer incentives]
> >As you said, ecash postage could turn that around. The negative publicity
> >part is probably the result of the general public's negative perceptions
> >about anonymity.
> not!!! I should have made this clear, but imho no matter how favorably
> the public sees anonymity, I still believe there will be little
> incentive to run remailers until there is some kind of ecash
> scheme.

Re-read that first sentence I wrote: "As you said, ecash postage could turn that around." You made yourself clear; I wasn't arguing against the value of ecash postage, I was agreeing with it.

The negative publicity associated with anonymity (and thus remailers) will make remailers less valuable to their operators. That is, the operators will want more ecash to make the venture worth the negative publicity.

I think there are a lot more people who would be willing to run a remailer as a hobby, if there weren't that negative publicity issue. I probably would... But negative publicity is a liability in itself, in a way.

I agree that ecash postage would probably provide the biggest boost to remailers, but I don't think we should underestimate the negative effects of the bad publicity and liability.

> you are going to have "bad" uses of anonymity going on as
> long as you provide the capability. ask the remailer operators to
> estimate how much of their mail is simply taunts between college
> students or sexual harassment.
> I doubt you will ever be able to
> evade this.

Yes, there will be (and are) bad uses. And I do agree that most of the anonymous posts right now are probably not what the cpunks intended to allow. But I think people would be more willing to accept remailers, warts and all, if they didn't have preconceptions about anonymity.

> what cpunks might investigate is an idea of having a pseudonym
> server that somehow automatically registers complaints and stamps
> messages with known reputation levels.

If a message is actually anonymous, then there is no way to attach any sort of reputation. Pseudonymity is a completely separate matter. If spammers don't want to have complaints tagged to them (which they probably don't), they won't use a pseudonymous remailer, they'll use an anonymous remailer. Anon.penet.fi may be an exception, but I believe that's only because it's easy to use.

> >People seem to forget that anyone can drop a letter into the mailbox with
> >no return address. Did the Unabomber bring negative publicity to the
> >postal service, causing people to demand that return addresses become a
> >requirement? :-/
> agreed, but the subject at hand was not whether anonymity is good or bad,
> but whether there is some incentive to run remailers.

Again, public perception about anonymity is an issue, because remailers (and remailer operators) will have a certain stigma attached.

Liability might also be related to the public perception. If everyone accepted anonymous remailers the same as they accept that people can mail letters without a return address, then I think nobody would be able to take legal action against remailer operators, just as nobody (AFAIK) has taken legal action against the US Postal Service for their 'involvement' in the unabomber case.

> >Liability depends on the jurisdiction, doesn't it? It would be ideal if
> >all remailers were in countries where there are no laws that would affect
> >remailers.
> >Reducing liability also has the added benefit of protecting
> >anonymity, since if the mailer can't be seized, that does prevent log
> >files (if any) from being seized.
> by liability I am also referring to a situation in which the
> internet provider is pressured to quit the service by *anyone* not
> necessarily agents of the government. past examples are strong evidence
> that it does not at all require a government to shut down a remailer
> via pressure. anon.penet.fi at one point was pressured to shut down
> by "a well known net celebrity"

I think the non-governmental interference is a very interesting point, but I still think jurisdiction is an issue. The Co$ (AFAIK) always had a legal leg to stand on because of copyright law. If the remailers were in a country where it would not be affected by copyright laws, the Co$ would probably have been as ineffective as a person saying "Shut down your remailer because someone has been using it to advocate nose-picking."

> >Remailers can already be set up _not_ to send to certain addresses, so I
> >think there's no reason that they couldn't be set to deliver _only_ to
> >other remailers.
> hee, hee. I think you need to think that out a bit more.

You snipped the paragraph before that one, and I guess you didn't read it... There was the sentence, "Obviously we'd still need _some_ remailers that can deliver to the intended destination".

Remailers that deliver only to other remailers can be used for chaining purposes and nothing else. Such remailers could be used for any link in the chain, _except_ the last link, since the last link has to be able to deliver to the destination email address.

This has the advantage that the operators of those remailers won't have their names attached to spam (I think I mentioned that) and so they won't receive a gazillion complaints about the spam.
It would also mean less liability to those operators, since the first target of pressure groups would surely be (and mostly is) the remailer whose name is attached to the offending post.

Of course, this won't help the remailers that are the last link in the chain, but it would provide more remailers for chaining purposes.

> well, the issue we were addressing is why remailers haven't proliferated
> like other services. it is true that the usage of them has probably
> gone up exponentially, or at least very significantly. but they don't
> seem to have multiplied in number in the same way. growth in # of
> remailers has been linear at best.

I think remailers are only a niche thing. When people start using the internet and some sort of untraceable packet forwarding service in their everyday work, and discover that they can evade taxes that way, then people will start moving towards it in droves, simply because it would mean that they could work for less pay (pleasing their employer) and yet have more take-home cash.

I don't think _remailers_ will ever have this sort of popularity, because they don't allow TCP-like stream connections needed for web connections, PGPfone, etc.

BTW, I'm fairly certain that an anonymous/pseudonymous packet forwarding service could be created to handle TCP connections... It should already be possible... It would require few additions to the TCP stack software to allow encrypted connections, and some way to have TCP connections inside TCP connections. And of course, servers would be required.

=====================================================================
| Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) |
| Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ |
| PGP (2048/9F317269) Fingerprint: 11C89D1CD67287E68C09EC52443F8830 |
| -- Disclaimer: JMHO, YMMV, TANSTAAFL, IANAL.
-- | ===================================================================:) -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQEVAwUBMaEZpdtVWdufMXJpAQFRyQf/cq3xcuEJcAY/HOmbCMZ/JcxkSkUFuSHC dsmQG463UtF7W2hC7DDk8Y+Q1BcNTL96OaHPuPUU1lgyKEDBHXRcGLVkhX7UmBN1 MBfpB9ljBz+XMGAx7yR5ARmO37K133dmVJyXRtbLR0UC64wFFfTN9khlZS6HoCmC ODItgkdI1uJeP6u00vKm6eMZ6OCKvzC6ABkEhr02npdRjTCW2iqhMZdXGsElkiLC SsK0sNbAb/tGj6alrNDa6m1eisuTXxaRNoncMRdhSjHfOoPma2Z93EB+Mky7zl1/ 0OSpNJyI3UXU9rIXhvkAdquczq71IycWHtp5TscF5E0qNYoA7NhVhQ== =zMEN -----END PGP SIGNATURE----- From tcmay at got.net Tue May 21 05:01:51 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 21 May 1996 20:01:51 +0800 Subject: Senator, your public key please? Message-ID: At 8:45 PM 5/20/96, Andrew Loewenstern wrote: ... >Your local KCA (KKK Certification Authority) could as easily issue a "This >key is owned by a Nigger." certificate for a public key as TRW could issue a >"This key is owned by a Deadbeat." certificate. Presumably, future versions >of PGP and other public-key crypto systems will support free-form certificate >generation and not the quasi-fixed-definition signatures currently found in >PGP. Indeed, this is one of the things I was referring to. To wit, that one can possibly (emphasis on "possibly," modulo legal actions, a la my point) use "Metzger's Web of Trust" to effectively discriminate. (ObCaveat: I personally think a free society cannot/should not outlaw discrimination in any form, save that by government.) >You can be sure that there will be rallying cries for laws to be passed to >ensure the accuracy of statements made in key certificates, that characters >are not defamed, that libel is not committed, etc... Lots of the same issues >involving any other type of speech and the international and sometimes >untraceable nature of the Net. What do you do about a signature on your key, >posted anonymously to the net, which names you as one of the Four >Horsemen(*tm)? 
By the way, this issue has some echoes of another technological issue: the use of neural nets for loan approval software. Turns out that when a bunch of things are entered into a NN loan package, including the all-important default rate, the applicant's age, income, race, sex, education, employment history, credit history, etc., that NN loan packages "end up" rejecting many black applicants, more so than white or Asian applicants. (The NN "concluded" that blacks were higher risks for default than whites/Asians.)

Even if no human being ever entered his or her biases and prejudices, the NN spit out this result. I recall there being talk about requiring "equality of outcomes," and that such NNs might have to have deliberately-biased inputs fed in, but I don't know what ever happened to this issue.

In any case, I think this sort of issue, and the semi-related issue of "discrimination via key signatures," to be likely important issues in the courts in the coming years.

--Tim

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From bryce at digicash.com Tue May 21 05:27:34 1996
From: bryce at digicash.com (bryce at digicash.com)
Date: Tue, 21 May 1996 20:27:34 +0800
Subject: Senator, your public key please?
In-Reply-To: <9605202045.AA00456@ch1d157nwk>
Message-ID: <199605210815.KAA11605@digicash.com>

-----BEGIN PGP SIGNED MESSAGE-----

The entity known as Andrew Loewenstern probably wrote:
>
> You can be sure that there will be rallying cries for laws to be passed to
> ensure the accuracy of statements made in key certificates, that characters
> are not defamed, that libel is not committed, etc... Lots of the same issues
> involving any other type of speech and the international and sometimes
> untraceable nature of the Net. What do you do about a signature on your key,
> posted anonymously to the net, which names you as one of the Four
> Horsemen(*tm)?

Hey, does that little symbol stand for "Timothy May-mark"? I didn't know he had started laying claim to memes that he helped propagate...

But back to the actual subject, I can't imagine that an _anonymous signature_ will have any credence at all.

Regards,

Bryce

From jsw at netscape.com Tue May 21 05:30:24 1996
From: jsw at netscape.com (Jeff Weinstein)
Date: Tue, 21 May 1996 20:30:24 +0800
Subject: [Linux] Unix plugins for Netscape (Was: Calling other code in Java applications and applets)
In-Reply-To: <2.2.32.19960502195251.00c80164@mail.teleport.com>
Message-ID: <31A16949.759@netscape.com>

Alan Olsen wrote:
> Are they keeping a list? As for Linux, last I heard it was still on the
> semi-supported list. (The dropping of BSD on the fasttrack server pisses me
> off as well, but that is another matter...) I would like to get a version
> of the Linux binary that supports 128 bit SSL. (As well as the ELF binaries.)

Caldera is selling and supporting navigator for linux as part of their network desktop product.
If you want a 128-bit version, you would probably be best off lobbying them for it.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw at netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.

From tcmay at got.net Tue May 21 06:46:26 1996
From: tcmay at got.net (Timothy C. May)
Date: Tue, 21 May 1996 21:46:26 +0800
Subject: An alternative to remailer shutdowns
Message-ID:

At 5:47 AM 5/21/96, Rich Graves wrote:
>On Tue, 21 May 1996, Declan B. McCullagh wrote:
                      ^^^^^^^^^^^^^^^^^^^
>
>> An alternative I am considering would reduce the utility of the remailer
>> while still allowing these "consensual" uses to continue. Presently the
>> remailers deal with abuse via "block lists", sets of addresses that mail
>> can't be sent to. Generally these are created when someone complains
>> about some mail they have received. By setting up blocking, at least
>> they will not get harassing anonymous mail once they have complained.
>> But in some cases, as in the case that is causing me headaches now, even
>> one message is too much.
>>
>> My thought is to turn the block list concept on its head, and make it a
>> "permit list". Simply, the remailer will only send mail to people who
>> have voluntarily indicated their willingness to receive it.

Your reply-quote process must have been hit with an alpha particle, because all of this was written by Hal Finney, not Declan.

--Tim

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway." From WlkngOwl at unix.asb.com Tue May 21 06:48:27 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Tue, 21 May 1996 21:48:27 +0800 Subject: Rumor: DSS Broken? Message-ID: <199605211006.GAA23157@unix.asb.com> On 19 May 96 at 21:48, Tim Dierks wrote: [..] > PPS - Any chance the original rumor surrounded RCA/Hughes' DSS satellite TV > system, and not the Digital Signature Standard, and we've all been barking > up the wrong tree? Hm. Check the cable/satellite tv newsgroups. Rob. --- No-frills sig. Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From grafolog at netcom.com Tue May 21 06:52:30 1996 From: grafolog at netcom.com (jonathon) Date: Tue, 21 May 1996 21:52:30 +0800 Subject: An alternative to remailer shutdowns In-Reply-To: Message-ID: On Mon, 20 May 1996, Rich Graves wrote: > On Tue, 21 May 1996, Declan B. McCullagh wrote: > I like the "knock-knock" approach, though it would of necessity impose > load. If someone has an anonymous message waiting, send them a simple note > with instructions on how to retrieve it. That way you could also charge the recipient to retrieve a message. How about a farthing to recieve a message, and two farthings to send a message, no charge to mixmaster recipients or originators? xan jonathon grafolog at netcom.com ********************************************************************** * * * Opinions expressed don't necessarily reflect my own views. * * * * There is no way that they can be construed to represent * * any organization's views. 
*
* *
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* *
* http://members.tripod.com/~graphology/index.html *
* *
***********************************************************************

From llurch at networking.stanford.edu Tue May 21 07:02:32 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Tue, 21 May 1996 22:02:32 +0800
Subject: An alternative to remailer shutdowns
In-Reply-To:
Message-ID:

On Tue, 21 May 1996, jonathon wrote:

> On Mon, 20 May 1996, Rich Graves wrote:
> > On Tue, 21 May 1996, Declan B. McCullagh did NOT write:

[Oops, I was replying to Declan's forward of Hal Finney's message, and got the attribution wrong. The path cypherpunks -> fight-censorship -> me is often faster than cypherpunks -> me, probably because unsubscribing and resubscribing put me way down on the list. Sorry. This was Hal.]

> > I like the "knock-knock" approach, though it would of necessity impose
> > load. If someone has an anonymous message waiting, send them a simple note
> > with instructions on how to retrieve it.
>
> That way you could also charge the recipient to retrieve
> a message.
>
> How about a farthing to receive a message, and
> two farthings to send a message, no charge to
> mixmaster recipients or originators?

That sounds like a great opportunity for denial-of-service attacks. No, thank you.

A flat fee for a special-delivery service profile (gimme $5/month and you get messages automatically, without the confirmation) would be fine, but I can't see paying per piece to *receive* anonymous messages.
-rich

From bryce at digicash.com Tue May 21 07:12:10 1996
From: bryce at digicash.com (bryce at digicash.com)
Date: Tue, 21 May 1996 22:12:10 +0800
Subject: The Crisis with Remailers
In-Reply-To: <4nq6qp$3fl@abraham.cs.berkeley.edu>
Message-ID: <199605210808.KAA11113@digicash.com>

-----BEGIN PGP SIGNED MESSAGE-----

The entity known as Ian Goldberg is alleged to have written:
>
> Another problem with postage in Mixmaster: the minimum ecash payment is
> $0.01. Do we want to charge that much for email? Need we consider
> micropayments?

The above, as stated, is inaccurate.

The "minimum ecash payment" is not known at this time, although we think it might be greater than 2^-32 US Dollars. :-)

Regards,

Bryce

#include /* Not speaking for anyone else at this time. */

- -----BEGIN GOODTIMES VIRUS INNOCULATION-----
Copy me into your .sig for added protection!
- ----- END GOODTIMES VIRUS INNOCULATION-----

From ravage at ssz.com Tue May 21 09:35:53 1996
From: ravage at ssz.com (Jim Choate)
Date: Wed, 22 May 1996 00:35:53 +0800
Subject: Hiding remailers behind nymservers...? (fwd)
Message-ID: <199605211157.GAA16464@einstein.ssz.com>

Forwarded message:

> Date: Mon, 20 May 1996 18:53:15 -0700 (PDT)
> From: Steve Reid
> Subject: Hiding remailers behind nymservers...?
>
> This 'middle-man' remailer... What does it really accomplish? Sure, the
> operator is hidden, but that's only because of his/her nym at c2.org...
> AFAICS, the 'middle-man' has just taken the liability off himself and put
> it on the unhidden remailers. Why not just use the existing unhidden
> remailers???
>

The first thing it accomplishes in my mind is establishing pre-meditation to conspire to the commission of a felony.

Jim

From matts at pi.se Tue May 21 10:07:07 1996
From: matts at pi.se (Matts Kallioniemi)
Date: Wed, 22 May 1996 01:07:07 +0800
Subject: The Crisis with Remailers
Message-ID: <2.2.32.19960521121126.00371160@mail.pi.se>

At 10:08 1996-05-21 +0200, bryce at digicash.com wrote:
>The "minimum ecash payment" is not known at this time,
>although we think it might be greater than 2^-32 US Dollars

How do you create such tiny payments? When I try (2.1.5a MT) to pay $.001 I receive the warning "Too many digits after '.'!" and even though it's just a warning I can't do the payment.

Assuming that you had a client that allows tiny amounts, how would you represent a tenth of a cent in binary? To do it exactly would require an infinite number of coins...

Matts

From bigmac at digicash.com Tue May 21 10:12:24 1996
From: bigmac at digicash.com (Marcel van der Peijl)
Date: Wed, 22 May 1996 01:12:24 +0800
Subject: The Crisis with Remailers
Message-ID: <199605211223.OAA23368@digicash.com>

> How do you create such tiny payments? When I try (2.1.5a MT)
> to pay $.001 I receive the warning "Too many digits after '.'!" and
> even though it's just a warning I can't do the payment.
> Assuming that you had a client that allows tiny amounts, how would
> you represent a tenth of a cent in binary? To do it exactly would
> require an infinite number of coins...

The minimum denomination for each currency is (sort of) configurable. For instance, for Belgian Franks the minimum is 1 (and no '.'). If a bank requested a currency capable of handling a minimum of 0.00005 we could make that happen real easy. Note that with the maximum coin size 2^15 times minimum amount, the maximum coin would get a lot smaller, so that it would become more impractical to pay large amounts in that currency.
On the longer term we can of course even change
- the 2^15 maximum
- maximum number of coins per message (currently 75)
if the requirements were there.

// Marcel van der Peijl, DigiCash bv, http://www.digicash.com/~bigmac/
// ----------------- insert subliminal message here ------------------

From WlkngOwl at unix.asb.com Tue May 21 10:31:03 1996
From: WlkngOwl at unix.asb.com (Deranged Mutant)
Date: Wed, 22 May 1996 01:31:03 +0800
Subject: CAPITALISTS' SUCK
Message-ID: <199605211245.IAA24492@unix.asb.com>

On 20 May 96 at 4:07, Dave Harman wrote:
[..]
> ! >Dave Harman writes:
> ! >
> ! > CAPITALISTS' SUCK
> !
> ! What witty social commentary.
>
> Information wants to be free.

Information doesn't want to be free (or anything else) anymore than the stapler on my desk wants to be free. The day that abstract qualities like "information" or "color" have desires would be an interesting day indeed.

And that has little to do with who or what the capitalist down the street is sucking.

--Mutant Rob

From matts at pi.se Tue May 21 12:15:01 1996
From: matts at pi.se (Matts Kallioniemi)
Date: Wed, 22 May 1996 03:15:01 +0800
Subject: The Crisis with Remailers
Message-ID: <2.2.32.19960521135644.00354324@mail.pi.se>

At 15:34 1996-05-21 +0200, bryce at digicash.com wrote:
>Well how do we represent 0.01 U.S. Dollars in Mark Twain
>Ecash(tm)? Easy-- we take a few bits of data, interpret it as
>an unsigned binary number, and then say "this number is how
>many U.S. pennies this coin is worth."

Now we're back to pennies again. I was more interested in your earlier claim of tiny payments, on the order of $2^-32.

>Actually it can sometimes get more complicated than that, and
>there are some details about how the forthcoming ecashlib
>handles this to be found at "http://www.digicash.com/api".

Will the api make it possible to create coins of arbitrary value? Is the mint software (and the bank accountants) capable of doing floating point arithmetic?
Matts

From bryce at digicash.com Tue May 21 12:24:31 1996
From: bryce at digicash.com (bryce at digicash.com)
Date: Wed, 22 May 1996 03:24:31 +0800
Subject: The Crisis with Remailers
In-Reply-To: <2.2.32.19960521121126.00371160@mail.pi.se>
Message-ID: <199605211334.PAA25526@digicash.com>

-----BEGIN PGP SIGNED MESSAGE-----

Matts Kallioniemi wrote:
>
> At 10:08 1996-05-21 +0200, bryce at digicash.com wrote:
> >The "minimum ecash payment" is not known at this time,
> >although we think it might be greater than 2^-32 US Dollars
>
> How do you create such tiny payments? When I try (2.1.5a MT)
> to pay $.001 I receive the warning "Too many digits after '.'!" and
> even though it's just a warning I can't do the payment.

The Ecash(tm) coins minted by the Mark Twain Bank have a base value of 0.01 U.S. Dollar. So in using those coins, you can't spend less than 0.01 U.S. Dollar unless you adopt some protocol like only pay every tenth time, or only pay on a 1-in-10 random chance every time, or something.

But _Ecash(tm)_ itself does not have that restriction. Different coinages of Ecash(tm), issued by different banks, may have different base values.

> Assuming that you had a client that allows tiny amounts, how would
> you represent a tenth of a cent in binary? To do it exactly would
> require an infinite number of coins...

Well how do we represent 0.01 U.S. Dollars in Mark Twain Ecash(tm)? Easy-- we take a few bits of data, interpret it as an unsigned binary number, and then say "this number is how many U.S. pennies this coin is worth."

Actually it can sometimes get more complicated than that, and there are some details about how the forthcoming ecashlib handles this to be found at "http://www.digicash.com/api".
Regards,

Bryce

From jya at pipeline.com Tue May 21 12:32:34 1996
From: jya at pipeline.com (John Young)
Date: Wed, 22 May 1996 03:32:34 +0800
Subject: NIST Draft Key Escrow Paper
Message-ID: <199605211425.OAA22632@pipe5.t1.usa.pipeline.com>

[Forward]

From: Elaine Frye
Subject: draft key escrow paper

May 20, 1996

Note To: Key Escrow Distribution List
From: Ed Roback, NIST
Subject: Release of DRAFT Key Escrow Paper

FYI, today the Interagency Working Group (IWG) on Cryptography Policy released a DRAFT paper entitled "Enabling Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure." The DRAFT paper discusses a voluntary draft key management infrastructure, supported by private sector key management organizations, that would permit users and manufacturers free choice of encryption algorithms, facilitate international interoperability, preserve law enforcement access, and, most importantly, provide strong system security and integrity.

FYI, the paper was released by the IWG co-chairs Ed Appel (NSC) and Bruce McConnell (OMB). Comments on the draft paper are being solicited. No deadline is specified.

At present, I do not have an electronic copy of the draft (25 pp). Copies are available through the OMB publications office at 202-395-7332. I anticipate that the document will soon be available widely on the net and will forward you a web address when available.

*****************************************************
Elaine Frye
Computer Security Division
National Institute of Standards and Technology
Bldg. 820, M.S.
Room 426
Gaithersburg, MD 20899-0001
Voice: 301/975-2819
Fax: 301/948-1233
*****************************************************

From ravage at ssz.com Tue May 21 12:38:28 1996
From: ravage at ssz.com (Jim Choate)
Date: Wed, 22 May 1996 03:38:28 +0800
Subject: MixMaster fair use
Message-ID: <199605211400.JAA16693@einstein.ssz.com>

Hi all,

Perhaps I am confused about what MixMaster's license allows. I have joined the confusing part (for me anyway)...

README.no-export :

All the files in this archive contain cryptographic code which is restricted by the ITAR regulations on munitions. These files may only be retrieved by US citizens, and only on condition of agreement not to export any of this software or data, and to extract a similar agreement from any person they may transfer it to.

To access the export-controlled materials on this site, you must agree to "THE AGREEMENT" below. If your email address ends in one of the following:

.edu .com .edu. .gov .mil .org .net .us .ca

Do this by sending "THE AGREEMENT", exactly as it appears, to mix-request at jpunix.com

If it does not, but you qualify to retrieve Mixmaster under "THE AGREEMENT", then send mail to perry at alpha.jpunix.com, explaining your situation.

In either case you will be sent a message containing the name of a hidden directory in which you will find the controlled software. The name of the directory changes frequently, so you must get the name each time you want to access the hidden directory.

-John A. Perry 5/6/95

--------------------------------------------------
THE AGREEMENT:

I am a citizen or national of the United States, or of Canada, or have been lawfully admitted for permanent residence in the United States under the Immigration and Naturalization Act.

I agree not to export Mixmaster, or RSAREF or any other software in this archive, in violation of the export control laws of the United States of America as implemented by the United States Department of State Office of Defense Trade Controls.
Before I download Mixmaster, I will read and agree to the terms and conditions of the RSAREF license (in ftp://ftp.jpunix.com/pub/rsalicen.txt).

I will use Mixmaster solely for non-commercial purposes.

----------------------------------------------------------

Directory name last changed at: Wed May 1 09:00:01 CDT 1996

End README.no-export

What confuses me is the part above that states that I agree to use Mixmaster for solely non-commercial use. This is NOT GNU or copyleft.

Jim Choate

From ravage at ssz.com Tue May 21 12:42:36 1996
From: ravage at ssz.com (Jim Choate)
Date: Wed, 22 May 1996 03:42:36 +0800
Subject: Remailer extensions
Message-ID: <199605211417.JAA16736@einstein.ssz.com>

Hi all,

In pondering the last few days of discussion it occurs to me that a test might be possible. In short:

Is it legal for a business to anonymously remail physical mail?

The process I propose is as follows:

1. Some party mails an envelope to 'Remailers-R-Us'.
2. Inside that envelope is the real mail addressed and stamped along with say a $1 money order for processing.
3. The people at Remailers-R-Us simply take the dollar and deposit it in the bank while depositing the letter they received in the local mail drop.

Now the Remailers-R-Us obviously can't open the mail since that would be tampering. To this end I make reference to some comments I made about a year ago regarding the results of encrypting every stage of the remailer sequence. To wit, the only way to guarantee protection is if the remailer is not able to read the actual contents of the mail, even if they were so disposed.

I would also like to point out (the obvious I admit) that the founding fathers apparently embraced anonymous distribution via their 'publius' handle. It seems to me that a federal prosecutor would have a hard time claiming there was no precedence for such actions. Such a claim to my way of thinking would be fundamental in any attempted prosecution for anonymous remailing.
Also, as far as I can find out, there was no persecution of the newspapers for printing this material anonymously, they apparently were not held to task for the content. This seems to indicate that English common law of that day (and its descendants here today) embraced anonymous speech as well.

Jim Choate

From rah at shipwright.com Tue May 21 12:57:44 1996
From: rah at shipwright.com (Robert Hettinga)
Date: Wed, 22 May 1996 03:57:44 +0800
Subject: "Very Famous Reporter"
In-Reply-To:
Message-ID:

At 1:22 AM -0400 5/21/96, Martin Minow wrote:
> At a lecture about his recent book, John Markoff, the New York Times'
> Silicon Valley reporter, said (and I quote from memory):
>
> "The most dangerous animal on earth is a reporter on deadline."

Oh, the irony of that remark...

In the meantime, it appears that I have egg on my face, as no story has emerged...

By the way, did I say it was a rumor? ;-).

Cheers,
Bob Hettinga

-----------------
Robert Hettinga (rah at shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA
"If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo
The e$ Home Page: http://thumper.vmeng.com/pub/rah/

From mark at unicorn.com Tue May 21 13:26:48 1996
From: mark at unicorn.com (Rev. Mark Grant, ULC)
Date: Wed, 22 May 1996 04:26:48 +0800
Subject: MixMaster fair use
Message-ID:

On Tue, 21 May 1996, Jim Choate wrote:

> What confuses me is the part above that states that I agree to use Mixmaster
> for solely non-commercial use. This is NOT GNU or copyleft.

Isn't that because it uses RSAREF? AFAIR the RSAREF license says you can't use any RSAREF applications commercially without paying license fees.

Mark

From mark at unicorn.com Tue May 21 13:29:48 1996
From: mark at unicorn.com (Rev. Mark Grant, ULC)
Date: Wed, 22 May 1996 04:29:48 +0800
Subject: An alternative to remailer shutdowns
Message-ID:

On Mon, 20 May 1996, Rich Graves wrote:

> On Tue, 21 May 1996, Declan B.
> McCullagh wrote:
> I like the "knock-knock" approach, though it would of necessity impose
> load. If someone has an anonymous message waiting, send them a simple note
> with instructions on how to retrieve it.

I have a partial implementation of this for Mixmaster if anyone wants to try integrating it into the main code. It works (or worked) for single packet messages but I never finished the multi-packet code. Of course, if Mixmaster is being rewritten anyway then it won't be much use. AFAIR it also relies on the 'In-Reply-To:' field in the header working correctly.

Mark

From rpowell at algorithmics.com Tue May 21 13:35:48 1996
From: rpowell at algorithmics.com (Robin Powell)
Date: Wed, 22 May 1996 04:35:48 +0800
Subject: Is Chaum's System Traceable or Untraceable?
In-Reply-To: <199605181841.LAA17739@infinity.c2.org>
Message-ID: <96May21.105344edt.20485@janus.algorithmics.com>

>>>>> sameer writes:
>>
>> (On the other hand, I have had a longstanding faith that the system can be
>> made to be both payer- and payee-anonymous. Moneychangers, for example.)

> You don't need faith. You don't need moneychangers, even. You
> just need to pay attention when Ian posts to cypherpunks.

I don't see how Ian's stuff allows this.

BTW, I went to school with him and will re-iterate what others have said: he's a pretty amazing guy. Didn't talk much, though :-) (this was back at the University of Waterloo).

-Robin

From mark at unicorn.com Tue May 21 13:44:54 1996
From: mark at unicorn.com (Rev. Mark Grant, ULC)
Date: Wed, 22 May 1996 04:44:54 +0800
Subject: Long-Lived Remailers
Message-ID:

On Tue, 21 May 1996, Timothy C. May wrote:

> Traffic analysis will be quite easy to do, of course, as all mail sent to
> the persistent address comes out of the "disposable at foo.com" address.
> Q.E.D.

Yeah, but the attack model I was assuming was lawyers rather than intelligence agencies. The NSA could probably easily link the two together, but the Church of Foobar(tm) probably couldn't.
They'd only have access to the logs on the ISP and the information you gave when you signed up, not the raw packets on the Net.

Mark

From ravage at ssz.com Tue May 21 14:00:41 1996
From: ravage at ssz.com (Jim Choate)
Date: Wed, 22 May 1996 05:00:41 +0800
Subject: MixMaster fair use (fwd)
Message-ID: <199605211531.KAA16886@einstein.ssz.com>

Forwarded message:

> Date: Tue, 21 May 1996 16:06:07 +0100 (BST)
> From: "Rev. Mark Grant, ULC"
> Subject: Re: MixMaster fair use
>
> On Tue, 21 May 1996, Jim Choate wrote:
>
> > What confuses me is the part above that states that I agree to use Mixmaster
> > for solely non-commercial use. This is NOT GNU or copyleft.
>
> Isn't that because it uses RSAREF? AFAIR the RSAREF license says you can't
> use any RSAREF applications commercially without paying license fees.
>

But, it doesn't say word one about RSAREF not being used, it specifically mentions Mixmaster.

Jim Choate

From bryce at digicash.com Tue May 21 14:15:45 1996
From: bryce at digicash.com (bryce at digicash.com)
Date: Wed, 22 May 1996 05:15:45 +0800
Subject: The Crisis with Remailers
In-Reply-To: <2.2.32.19960521135644.00354324@mail.pi.se>
Message-ID: <199605211544.RAA04042@digicash.com>

-----BEGIN PGP SIGNED MESSAGE-----

Matts Kallionieme : (> > == Bryce )
>
> >Actually it can sometimes get more complicated than that, and
> >there are some details about how the forthcoming ecashlib
> >handles this to be found at "http://www.digicash.com/api".
>
> Will the api make it possible to create coins of arbitrary value? Is
> the mint software (and the bank accountants) capable of doing
> floating point arithmetic?

Matts, you don't want to do floating point for money, because floating point doesn't give you good control of precision. If you want to know how it _is_ done, RTFAPI ("read the fantastic API.") Scan for "EC_Coinage".

Keep in mind that only Ecash(tm) Mints can create Ecash(tm) coins and choose what values the coins have.

I'm glad you are asking these questions.
Perhaps this will be the start of the Ecash(tm) API FAQ.

Regards,

Bryce

(I'm getting tired of typing "(tm)". I'm going to make a macro that appends "(tm)" to every instance of "Ecash" as I type it...)

- -----BEGIN GOODTIMES VIRUS INNOCULATION-----
Copy me into your .sig for added protection!
- ----- END GOODTIMES VIRUS INNOCULATION-----

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2
-----END PGP SIGNATURE-----

From declan at well.com Tue May 21 14:25:48 1996
From: declan at well.com (Declan McCullagh)
Date: Wed, 22 May 1996 05:25:48 +0800
Subject: NIST Draft Key Escrow Paper
Message-ID:

Contrary to what the attached note says, there is no draft copy available yet. OMB publications at the number below says: "We're just finding out about the report. We're not sure if they're going to give us copies or not."

-Declan

> [Forward]
>
> From: Elaine Frye
> Subject: draft key escrow paper
>
> May 20, 1996
>
> Note
>
> To: Key Escrow Distribution List
>
> From: Ed Roback, NIST
>
> Subject: Release of DRAFT Key Escrow Paper
>
> FYI, today the Interagency Working Group (IWG) on
> Cryptography Policy released a DRAFT paper entitled
> "Enabling Privacy, Commerce, Security and Public Safety in
> the Global Information Infrastructure."
>
> The DRAFT paper discusses a voluntary draft key management
> infrastructure, supported by private sector key management
> organizations, that would permit users and manufacturers
> free choice of encryption algorithms, facilitate
> international interoperability, preserve law enforcement
> access, and, most importantly, provide strong system
> security and integrity. FYI, the paper was released by the
> IWG co-chairs Ed Appel (NSC) and Bruce McConnell (OMB).
>
> Comments on the draft paper are being solicited.
> No deadline is specified.
>
> At present, I do not have an electronic copy of the draft
> (25 pp). Copies are available through the OMB publications
> office at 202-395-7332. I anticipate that the document
> will soon be available widely on the net and will forward
> you a web address when available.
>
>
> *****************************************************
> Elaine Frye
> Computer Security Division
> National Institute of Standards and Technology
> Bldg. 820, M.S. Room 426
> Gaithersburg, MD 20899-0001
> Voice: 301/975-2819 Fax: 301/948-1233
> *****************************************************
>

From jya at pipeline.com Tue May 21 14:30:31 1996
From: jya at pipeline.com (John Young)
Date: Wed, 22 May 1996 05:30:31 +0800
Subject: NIST Draft Key Escrow Paper
Message-ID: <199605211555.PAA28564@pipe5.t1.usa.pipeline.com>

We've just heard back from Ed Roback of NIST that he'll fax us a copy of the Draft Key Escrow Paper, which we'll scan and send to Pat Farrell for his Web site. I'll ask Pat to announce its availability when ready.

From proff at suburbia.net Tue May 21 14:38:59 1996
From: proff at suburbia.net (Julian Assange)
Date: Wed, 22 May 1996 05:38:59 +0800
Subject: CAPITALISTS' SUCK
In-Reply-To: <199605211245.IAA24492@unix.asb.com>
Message-ID: <199605211519.BAA11670@suburbia.net>

> On 20 May 96 at 4:07, Dave Harman wrote:
> > [..]
> > ! >Dave Harman writes:
> > ! >
> > ! > CAPITALISTS' SUCK
> > !
> > ! What witty social commentary.
> >
> > Information wants to be free.
>
> Information doesn't want to be free (or anything else) anymore than
> the stapler on my desk wants to be free.
>
> The day that abstract qualities like "information" or "color" have
> desires would be an interesting day indeed.

Nonsense. Mathematics wants to be rational. Symmetry wants to be self-similar. Memes want to be free.

--
"Of all tyrannies a tyranny sincerely exercised for the good of its victims may be the most oppressive.
It may be better to live under robber barons than under omnipotent moral busybodies, The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for own good will torment us without end, for they do so with the approval of their own conscience." - C.S. Lewis, _God in the Dock_
+---------------------+--------------------+----------------------------------+
|Julian Assange RSO | PO Box 2031 BARKER | Secret Analytic Guy Union |
|proff at suburbia.net | VIC 3122 AUSTRALIA | finger for PGP key hash ID = |
|proff at gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+---------------------+--------------------+----------------------------------+

From adam at lighthouse.homeport.org Tue May 21 15:14:07 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Wed, 22 May 1996 06:14:07 +0800
Subject: The Crisis with Remailers
In-Reply-To:
Message-ID: <199605211737.MAA11905@homeport.org>

Lance Cottrell wrote:
|
| An interesting problem with anonymous postage is that it is likely to kill
| cover traffic generators.
|

Postage is most needed at the point of delivery. That is the node that will be taking the heat/paying the lawyers. I'd operate a remailer if I was never the last node, because I don't have a site that can take the heat/seizure of machines for me.

If we pay those final nodes to do more, then intermediate nodes can still carry cover traffic for free.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From bruce at aracnet.com Tue May 21 15:29:48 1996
From: bruce at aracnet.com (Bruce Baugh)
Date: Wed, 22 May 1996 06:29:48 +0800
Subject: An alternative to remailer shutdowns
Message-ID: <2.2.32.19960521162219.006baee0@mail.aracnet.com>

At 03:02 PM 5/20/96 -0700, Hal wrote:

>My thought is to turn the block list concept on its head, and make it a
>"permit list".
>Simply, the remailer will only send mail to people who
>have voluntarily indicated their willingness to receive it.

On the whole, I like it.

The problem comes when someone is trying to communicate anonymously with some other person who doesn't have a clue about the whole thing. It would be neat to have some way of generating a message to the effect

"Someone is trying to communicate anonymously with you. [short explanation of good and bad uses of anonymity] If you would like to receive this message, [instructions about permitting]"

Unfortunately, I don't know how one could separate those messages from all the rest of the traffic.

--
Bruce Baugh
bruce at aracnet.com
http://www.aracnet.com/~bruce

From droelke at rdxsunhost.aud.alcatel.com Tue May 21 15:34:19 1996
From: droelke at rdxsunhost.aud.alcatel.com (Daniel R. Oelke)
Date: Wed, 22 May 1996 06:34:19 +0800
Subject: The Crisis with Remailers
Message-ID: <9605211627.AA04637@spirit.aud.alcatel.com>

tcmay at mail.got.net wrote:
>
> At 5:25 AM 5/21/96, Lance Cottrell wrote:
> >
> >An interesting problem with anonymous postage is that it is likely to kill
> >cover traffic generators.
> >
>
> I doubt it. It's easy enough for remailers to, for example, pass out free
> tokens to other remailer operators.
>
> (Jukebox and other coin-op concessions often pass out tokens (slugs, or
> marked coins) to storeowners and bartenders to use to stimulate the
> market.)
>

Wouldn't the "income" from other cover generators help cover the cost of a remailer running its own cover generator?

Also - remailers could possibly give postage free service to traffic for other remailers.... i.e. only the last node (who has the most exposure anyways) would require payment.
Dan

------------------------------------------------------------------
Dan Oelke Alcatel Network Systems
droelke at aud.alcatel.com Richardson, TX

From hendersn at zeta.org.au Tue May 21 15:35:19 1996
From: hendersn at zeta.org.au (Zed)
Date: Wed, 22 May 1996 06:35:19 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
Message-ID: <199605211643.CAA17096@godzilla.zeta.org.au>

>At 02:08 AM 5/20/96 EDT, you wrote:
>> What countries are noticeable for being anti-Scientology?
>> They would appear to be good locations for special-purpose
>> remailer ultimate-output ends.
>
>Scientology was illegal in Australia last time I heard.

Not at the moment. It was only banned in one state(can't remember which one) and that ban was lifted some time ago.

> They declared
>that you could not be a religion and charge a fee for religious service
>the way that Scientology charges.

It was tried, but didn't work. The final court ruling was that Australian Government wasn't allowed to decide what did or didn't constitute a genuine religious practice. $cientology can charge what it likes.

> They then defined them as practicing
>medicine, and hit them with snake oil laws.

And the religion cover let them skip away unharmed. The Church's "benefits" are spiritual in nature(allegedly) and therefore not subject to medical regulations.

Now to try to get this back on-topic, there was one NOTS document which was posted anonymously before the whole pack made it to alt.religion.scientology. It described a process(or "ritual" if you prefer) designed to help _physical_ affliction. It _may_ violate an FDA ruling prohibiting the Church from practising medicine. It is _definitely_ a violation of copyright to post it and one person, Keith Henson, is getting sued for quoting it. Now, was sending this NOTS document through an anonymous remailer a good or a bad thing to do?
Zed(hendersn at zeta.org.au)
"Don't hate the media, become the media" - Jello Biafra
PGP key on request

From tcmay at got.net Tue May 21 15:53:40 1996
From: tcmay at got.net (Timothy C. May)
Date: Wed, 22 May 1996 06:53:40 +0800
Subject: Hiding remailers behind nymservers...? (fwd)
Message-ID:

At 11:57 AM 5/21/96, Jim Choate wrote:
>Forwarded message:
>
>> Date: Mon, 20 May 1996 18:53:15 -0700 (PDT)
>> From: Steve Reid
>> Subject: Hiding remailers behind nymservers...?
>>
>> This 'middle-man' remailer... What does it really accomplish? Sure, the
>> operator is hidden, but that's only because of his/her nym at c2.org...
>> AFAICS, the 'middle-man' has just taken the liability off himself and put
>> it on the unhidden remailers. Why not just use the existing unhidden
>> remailers???
>>
>
>The first thing it accomplishes in my mind is establishing pre-meditation to
>conspire to the commission of a felony.

No, think of scienter again. And creating something or some service that _may_ be used in connection with a crime does not make the creator a conspirator, unless it can be shown that he was involved in the planning of the crime used with his thing or service.

For example, if I open up a car rental place and one of my cars is used in a bank robbery, was I involved in a "pre-meditation to conspire to the commission of a felony."? Clearly not.

(And before anyone brings up "required ID" at car rental agencies, such ID is not required by any local, state, or national laws, so far as I have ever heard. It is perfectly legal for me to rent things to people without demanding credentials. A sufficiently large deposit may be enough. ID is often used to satisfy insurance requirements, and to help in collecting any unreturned items.)

Now it may be that operating a remailer may be interpreted by some courts as being a "public nuisance," a theory I credit to Brad Templeton, but this has not yet come even close to happening.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From jimbell at pacifier.com Tue May 21 15:54:34 1996
From: jimbell at pacifier.com (jim bell)
Date: Wed, 22 May 1996 06:54:34 +0800
Subject: An alternative to remailer shutdowns (fwd)
Message-ID: <199605211725.KAA01106@mail.pacifier.com>

At 06:28 PM 5/20/96 -0500, Jim Choate wrote:
>
>Forwarded message:
>
>> Date: Mon, 20 May 1996 15:02:08 -0700
>> From: Hal
>> Subject: An alternative to remailer shutdowns
>
>> was apparently sent through my remailer. According to 18 USC 875(c),
>> "Whoever transmits in interstate commerce any communication containing
>> any threat to kidnap any person or any threat to injure the person of
>> another, shall be fined not more than $1,000 or imprisoned not more
>> than five years, or both." I may not be able to continue operating
>> either of my remailers (alumni.caltech.edu and shell.portal.com) for
>> much longer due to this kind of abuse.
>
>There should be a section in there dealing with 'knowingly'. If not then we
>should immediately bring charges against any and all newspapers who have
>ever printed a ransom letter, or perhaps even the Unabomber Manifesto since
>there is clear evidence of 'threat to injure the person of another'.

But even "knowingly" needs to be carefully defined. A remailer operator today KNOWS that his system COULD be used for illegal activities; he merely doesn't know that they are, currently.
I think that the definition should be so narrow that it is impossible for a third party (or the government itself) to incriminate the remailer operator by having his system forward arguably illegal or copyright-violating material.

Jim Bell
jimbell at pacifier.com

From liberty at gate.net Tue May 21 15:56:55 1996
From: liberty at gate.net (Jim Ray)
Date: Wed, 22 May 1996 06:56:55 +0800
Subject: Private e-mail...[was Re: AP]
Message-ID: <199605211545.LAA11970@osceola.gate.net>

-----BEGIN PGP SIGNED MESSAGE-----

Must ALL my e-mail be re-posted to this damn list? I will AGAIN remind careful readers: _Anything_ that does not begin with the words: -----BEGIN PGP SIGNED.... and end with my little play on the sound of J. Edgar Freeh's name may *or may not* be from me, and is more likely to simply be from someone: a) clue-impaired and b) noisy. Actual Jim Ray posts also tend to have fewer typos, and be both more detailed and shorter than this did, because I proof them and I tend not to proofread private e-mail.

I will now clutter the list to respond to this nitwit's moronic claims in public, please direct all Perrygrams to [GROAN!--Why me???] Oh yeah. Ray's Corollary to Murphy: "You will be spared _NOTHING_." I'll attempt to cut as much as possible to put wasted space to a minimum. My apologies to those not interested, who are advised to hit delete now (I'd imagine that includes many or most of you).
JMR

jf_avon at citenet.net for some strange reason posted:
...
>Is there a Detweiler FAQ somewhere?

There's even a page, near the top of my page. He's also mentioned under "don't feed the animals" in the welcome message. He is intelligent, and he's quieter than he used to be, perhaps taking his meds.

>Interesting. Has AP ever popped-up in the conventional medias?

AFAIK not yet, but I could be wrong. If I were Slick Willie, it would have been all over the place by now.
[BTW, for the record, I don't make a habit of calling those who would advocate violence "loon" in a public forum. There are thus self-preservation advantages to actually convincing the clueless to lurk, look at message headers, and read "Netiquette" before posting. ]

>Then, again, I know an awful lot of people who would applaud Bell.
>But most of them are not computer literate. They are from another
>generation, not brainwashed by "Don't ask what your country can
>do for you; ask what you can do for your country"...

How do these people vote, though? [Prediction: majority statist.] You can't complain when the govt. gives what you ask for... [Absent the unConstitutional ballot-laws we are blessed with here in Florida.]

>> I'm 35, and I may actually die before I do. I hope not.

[Snipped to convey no context whatsoever] I was talking about the very low odds of me someday actually *respecting* a living US President, for those of you without telepathy skills. I *would* feel old by having this revealed, but I just learned of a cypherpunk _grandmother_! [No, I won't say who.]

>[Black humor] any AP proponents with an eye (or a buck) on you? :)

Possibly. Bell insists Libertarians like me shouldn't worry. I worry, because statists' money spends just as well as mine. Tim joked a while back about putting a "fire-and-forget" K out on me when I was *last* misquoted as the "Cyberangel." I seem to attract this crap, but I assure you it's NOT AT ALL deliberate. All is forgiven, no apology needed, just please try to be careful and remember the other 1000+ subscribers.
...
>> This kind of thinking might authorize a massive Cherokee
>> massacre if it spread, IMO.
>
>Please, do point out the similarities and the differences... I think
>that the context is very different.

Not really, only the time in history. Their property was 100% taken, and they were marched to OK from GA.
The IRS may be bad...but they aren't THAT bad...[disclaimer: I am (a tiny) part Cherokee, and I hate the IRS (a lot).]
...
>
>Are you talking of an open war a la Bosnia?

Hopefully not. It is what I fear.

>> We must either leave some wrongs in the
>> past or be cursed with them forever.
>
>This is what I was talking about taking things out of context. Since
>you agree on that, the Cherokee thing is ruled out. But govt action
>are a matter of the present and future. Some peoples see it as
>legitimate self-defense.

I disagree on ruling Cherokees out, _I_ decide what I rule out, not you. The legitimate *peaceful* self defense options have not yet been adequately explored, IMO.

>...
>> Bottom line for me: "Two wrongs don't make a right."
>
>Please state the basic premise that make you declare what is "wrong"
>in the context of AP.

"Thou shalt not kill..." [pretty basic stuff here...]

> I am not bugging you simply to do so. For
>example, do you think that, for ethical reasons, you are not only
>justified but actually *obligated* to use physical violence in
>certain contexts? I guess not.

No, just not as a first-resort in non-life-threatening contexts.

> But many peoples think they have
>to...

If they break my door down and want my gun or PGPkey, I may shoot. No matter who does this, they could die if they go far enough. I will not seek to kill anyone from afar, though, and I'd have to feel in immediate fear for my life before I can morally justify killing another person. Luckily, it hasn't happened so far.

>I think that you simply try to evade the necessity of defining for
>yourself what exactly is what the govt is doing.

Taxation is theft, I fail to see your point. Murder isn't the sole, or even first, option to prevent theft when you can do things like lock your doors. [encrypt] Did the OKCity bombing reduce the size of government, or increase it? (As I predicted, increase. I hate it when I'm right.) Violence begets violence. Always.
...
>General opinion is not what define truth nor reality. If I refuse
>to pay my taxes, they'll use physical violence to get what they
>want. You might object that I enjoyed the benefits of the spending
>of taxes, but I am yet to see any contract that I entered with
>"society".
>

At this point, as an individual protest, a (suicidal) "freeman" like stand is justified if you like the idea of being a dead hero. I don't. Yet. There are other options. But general opinion _does_ define political reality, so best that there be more responsible uses of anonymity at this very delicate point in the remailernet's political life. There seem to be less.

...me -- [AssPol would have to entail an oligarchy...]

>This scheme is *not* an oligarchy. Pay a visit to any good dictionary
>near you. Words have precise meaning and it is *much* better to
>stick to it...

I said entail, *you* read a dictionary. The scheme relies on $, and more $ gives you more "votes" on who to kill. Oligarchy, a rule by the rich. I stuck exactly to it. Read more carefully in the *non-header* part of messages, too.

>Actually, since it is ruled by money, it might be a "buckarchy", but
>again, everybody can spare a few bucks, so it might be a democracy
>too if you insist on twisting the meaning of words.

HUH???? "buckarchy" isn't in my dictionary...I neither twisted *nor invented* any words. Democracy is also a legitimate fear, and the operative word in your statement is "might." Well, might NOT also... I happen to prefer a constitutional republic to democracy anyway. Tim May has written well on this, and on why. [Hi Tim.]

>> and I think I'd be an easy target for
>> wealthy statists, who could also use the system.
>
>At first look, of course. But operationally, you have to consider the
>mind of the statist to figure out the likeliness of their using the
>system? I do not deny that it is very likely that a few statists will
>use the system. But most won't because they don't like to slain
>their milk cows.
That's not how I view statists. Your faith is admirable, but I won't share it soon. Hitler, Stalin, Clinton, Bush, Biden, Dole, etc. - they all would just as soon see me as hamburger as milk cow. As hamburger I'm no longer such a smart-ass under their skins. I have seen how history describes the minds of statists who don't get their way & it's not pretty. _Many_ statists have the $ to kill me, without AP, this would make me cheap and compromise the privacy of the remailernet [probably] or just cause remailers to be outlawed. If I operated a remailer, and you bought or sold 500 lbs of cannabis through it, I would try to cooperate to the minimum possible extent of the law, and perhaps go to jail for contempt, it depends. If you tried AP, I would let the BATF (yes, I hate them, too) log all your use (while trying to somehow protect my innocent users' privacy). I again boil it down to my Jim Ray test: "Where's the victim?"

>> If Bell could post
>> fewer times, he'd be more convincing. He is in many killfiles.
>> JMR

And now, it's likely that I am, too. Allow me to reduce noise even further by preemptively saying "Plonk" right now, so it doesn't need to be announced twice on the poor, groaning list.

>Many peoples cannot stand to see any opinions that differs from
>theirs. But why care at all be read by such peoples?

It's not that, I was speaking of post-frequency-noise. I had seen the idea before Jimbell ever had it, in Tim May's Cyphernomicon. Tim has interesting, different things to say. Jimbell doesn't. Whether I agree has nothing at all to do with repetitiousness. I will try VERY hard not to post again on this. Please help by letting me have the last word (for once). How's this:

Unsollicited[sic] public posting of private e-mail will be refuted at US165 $/h
Any sender of such material will be considered as to have accepted the above mentionned[sic] terms.
JMR

PS, while I am making non-crypto-noise anyway...
================================================
Tim also wrote [in another message/thread]:
<...>
>(ObCaveat: I personally think a free society cannot/should not outlaw
>discrimination in any form, save that by government.)

Which is exactly the opposite of what we are faced with right now. Gee, I wonder why race relations are doing so poorly nowadays? We need more government intervention in this vital area...

Jim Ray -- DNRC Minister of Encryption Advocacy.

"Your federal government needs your money so that it can perform vital services for you that you would not think up in a million years." -- Dave Barry
___________________________________________________________________
PGP id.E9BD6D35 51 5D A2 C3 92 2C 56 BE 53 2D 9C A1 B3 50 C9 C8
http://www.shopmiami.com/prs/jimray
___________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Freedom isn't Freeh.
-----END PGP SIGNATURE-----

From andrew_loewenstern at il.us.swissbank.com Tue May 21 16:03:30 1996
From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern)
Date: Wed, 22 May 1996 07:03:30 +0800
Subject: Anonymous info
In-Reply-To: <9605210131.AA28441@anon.penet.fi>
Message-ID: <9605211725.AA00712@ch1d157nwk>

admin at anon.penet.fi writes:
> You have requested information about your account at anon.penet.fi.
> Your code name is:
> Your real e-mail address is:

I guess the latest fun thing for |<-rad d00ds to do is to post flame-bait to Usenet with a forged penet address that points to a mailing list...

andrew

(Does the Family Research Council have a mailing list, and does it forward messages from non-subscribers?
:-) From jf_avon at citenet.net Tue May 21 16:04:01 1996 From: jf_avon at citenet.net (Jean-Francois Avon) Date: Wed, 22 May 1996 07:04:01 +0800 Subject: AP Message-ID: <9605211558.AA12519@cti02.citenet.net> On 20 May 96 at 22:59, Jim Ray wrote: > >Is there a Detweiller FAQ somewhere? > > There's even a page I found one out. Interesting. Vlad might very well fit the profile. > >Interesting. Has AP ever popped-up in the conventional medias? > > AFAIK not yet, but I could be wrong. If I were Slick W., > it would. I don't think Slick W. will make it pop-up. They know damn well that no matter what the media might pretend the population thinks, there will be enough peoples more than willing to spend a few bucks to cause major joepardy. > >Then, again, I know an awfull lot of people who would applaude > >Bell. But most of them are not computer litterate. They are from > >another generation, not brainwashed by "Don't ask what your country > >can do for you; ask what you can do for your country"... > > How do these people vote, though? [Prediction: majority statist.] > you can't complain when the govt. gives what you ask for... Theses peoples refuse to register their guns, although it is mandatory in canada (to be registered within 7(?) years...) > Possibly. Bell insists Libertarians like me shouldn't worry. > I worry, because statists' money spends just as well as mine. > Tim joked a while back about putting a "fire-and-forget" K > out on me when I was misquoted as the "Cyberangel." So, are you saying that you chose to not endorse Bell's system because you fear you'd be a target? Just asking... > >> >You'll note that the psycho-epistemology necessary to > >> >commit murder is quite close to the one necessary to coerce > >> >poeples to pay taxes. > >> > >> This kind of thinking might authorize a massive Cherokee > >> massacre if it spread, IMO. > > > >Please, do point out the similarities and the differences... I > >think that the context is very different. 
> > Not really, only the time in history. Their property was > 100% taken, and they were marched to OK from GA. The IRS > may be bad...but they aren't THAT bad...[disclaimer: I > am (a tiny) part Cherokee. You did not answer my question: When our local Mohawks accuse the white peoples to have stolen their land, I ask "when did I do that? I can't remember..." I refuse to be held responsible for things that were done several hundred years ago. Period. As I said, I *never*, not even in my early years, believed in original sin. > >Are you talking of an open war a la Bosnia? > > Hopefully not. What I meant is "do you believe that the AP scheme can lead to such events?" I personnally believe that in the event AP is used against govt, no statist will be able to retaliate. They might possibly make a few examples, but nobody will get fooled. Anyways, since the system is completely delocalized, there is no target to aim at. And furthermore, I think JB is right in saying that the middle-management level is much more likely to be hit first. But thoses affluent statists are not middle-management. You have to figure out who will be targeted, and what are their means of reprisal. > and the legitimate self defense > options which are peaceful have not been adequately explored. IMO Well, pardon my lack of imagination but I never found out too many effective ones. I'll be delighted to consider any alternative you propose. Encryption and anonymity tools *are* widely discussed and could make AP obsolete (hopefully). > >> Bottom line for me: "Two wrongs don't make a right." > > > >Please state the basic premise that make you declare what is > >"wrong" in the context of AP. > "Thou shalt not kill..." [pretty basic stuff here...] I am sorry, but I do not accept that as a valid argument. What if somebody came to take away your means of feeding your kids? What if somebody was menacing you or your kids? There are instances, as you seem to agree, when killing is justified. 
What is meant by the sentence is: Thou shalt not initiate lethal violence. > >but actually *obligated* to use physical violence in > >certain contexts? I guess not. > > No, just not as first resort. > > > But many peoples think they have > >to... > > If they break my door down and want my gun or PGPkey, I shoot. > No matter who, Jim Bell or Bill Clinton, they may die if they > go far enough. I will not seek to kill anyone from afar, though, and > I'd have to feel in fear of my life. This is the dilemna that peoples in pre-war germany faced. I met a wonderfull old german gentleman who worked on the german radar during the war. I asked him about how Hitler was perceived by the general thinking population. He said that 60% of the population tought very little of him, and did not agree with war. Theses were the educated germans. But at the same time, since Hitler rallied the other 40% of the population, the thugs at heart, they lived in constant fear. Nobody dared to say anything because nobody came back from some interrogations... And I was told the exact same thing by a previous girlfriend of mine, doing her PhD in chemistry. She was iranian. She had an irakian boyfriend for a while. They were madly in love. but what a fuss it made... Anyhow, she told me that while in high school, seven of her schoolmate, sixteen years old girls, were taken from the classes by Khomeiny's political police. Nobody, friends nor family, heard of them ever again. AP simply turn the ethics of assasins toward other like minded. Unfortunately, it can turn said mind toward valuable peoples too. And this is good reason to object. > >I think that you simply try to evade the necessity of defining for > >yourself what exactly is what the govt is doing. > Taxation is theft, I fail to see your point. Well, depends. If you agreed to be taxed, then, maybe not. But suppose it is: what are the essentials of theft and what are the justified actions againts it? 
Now, does a kid stealing apples the same as the state stealing individual's earned wealth ? Does the same measure apply? Is the offense comparable? (You must first define the exact context of each) > Murder isn't the sole, or even first, option to prevent theft when > you can do things like lock doors. [encrypt] In the case of govt, it have the legal monopoly on the use of violence. And it does not seem to hate using it. But if you shoot some govt official who decided that he wanted you PGP key or your gun, you'll pay for it dearly even if you win in court. The most precious thing in life is time. And the way we found, as rationnal animals, to exchange time is to condense time into money. Money is an abstraction for productive time of our life. The govt is working very hard, at the victims expense, to make anything that can act as a lock illegal. And they enforce that with guns. So, do not surprize yourself if many people find AP fully justified or is the only way left to them. I do not advocate AP, notwithstanding what some others pretend (LD?). I think that inducing the death of govt as we know it by financial starvation through encrypted transactions is the way. But I also think that AP is impossible to prevent from happening because so much peoples agree with the preceding paragraph. > >> Even then, I prefer the judicial process to the oligarchy > >> this scheme would entail > > > >This scheme is *not* an oligarchy. Pay a visit to any good > >dictionary near you. Words have precise meaning and it is *much* > >better to stick to it... > > I said entail, *you* read a dictionary. The scheme relies on $, and > more $ gives you more votes on who to kill. Oligarchy, a rule by the > rich. I stuck exactly to it. Read more carefully. Sorry, I don't have an english-french dictionnary. But I think it means "might lead to" or "might imply". Grand Larousse en 5 Volumes, Vol 4, p. 2229 : (I translate from french) Oligarchy: noun, feminine. 
(gr: oligarkhia) 1) political system in which power is held by a small number of individuals who constitutes either the intellectual elite (aristocracy) or the owning minority (plutocracy ?), theses two aspect often coinciding. 2) when a minority accaparates a power or an authority. I have to do some more thinking on that. I concede that I used the wrong words. To me, even if AP would fit the operationnal definition of oligarchy, it is not. Maybe because the definition had as a basic premise that it is impossible to structure power without communication. I think that anonymity technologies might force a re-definition of the word in more precise terms. In AP, it is completely different in the sense that nobody agrees to the ideas of other peoples. They simply pass *their own* judgment using *their own* reason and make *their own* decision to put a few bucks on this or that head. In oligarchy, the "intellectual elite" share some common premises, ideas. In AP, although you can derive a probability distribution of the values held by the anonymous donators, they do not actively share ideas. And neither do the assassins. There is no collusion, no exchange of information, no peer pressure, no conspiracy, no nothing. The only factor is the wealth a given donator is willing to donate. And this makes it a "buckarchy", i.e. the ideas and values of peoples who made it to wealth are statistically more likely to be implemented. But again, it is only a statistical, macroscopical truth. Only, theses peoples achieved wealth by sticking to a certain type of values (considering that it takes years to build a reputation and seconds to destroy it); they must have a stong tendency toward a set of values that are pro-freedom, pro-economy, and pro-productivity. Laissez-faire, the french expression, means "let do". > >> and I think I'd be an easy target for wealthy statists, > >>who could also use the system. But OTOH, if you remain silent, you'll attract no one. 
> >At first look, of course. But operationnally, you have to consider > >the mind of the statist to figure out the likeliness of their using > >the system? I do not deny that it is very likely that a few > >statists will use the system. But most won't because they don't > >like to slain their milk cows. > > That's not how I view statists. your faith is admirable, but > I won't share it soon. Faith: zero, zip, none... > hitler, Stalin, Clinton, they all > would see me as hamburger just as soon as milkcow IMO. I > have seen how history describes the minds of statists who > don't get their way, it's not pretty. (Did you read the complete AP essay?) Yes. But you also have to recognize that *never* in the history of mankind a media like the net ever existed. The net is, IMO, a turning point in the history of humanity, just as the discovery of toolmaking was. I think it will change the human history even more than the invention of the printing press. > Many statists have > the $ to kill me without AP, this would make me cheap and > compromise the privacy of the remailernet probably, or just > cause them to be outlawed. A few questions here: Why any statists would want to target *you*? There are plenty of guys like you who hates the guts of govt, have big mouths, and they don't get offed. By being a C'punk, it is even more dangerous for them: if they try to make an example by killing you, the others CPunks will go underground, set up AP remailers and get rid of them. At least, they recognize that the last thing to do in such circumstances, is to make martyrs. Compare the number of active posters to the number of readers, and you'll see that a lot of C'punks stay in the shadow, without making any waves. Now, to deal with that volume of e-mail, one must have *some* sort of interest. Unless the silent majority *all* work for NSA... Ciao JFA PLEASE NOTE: THIS POST DOES NOT MEAN THAT I ENDORSE MR. BELL'S SYSTEM. 
MY RATIONAL CONCLUSIONS ABOUT ITS INTERNAL MECHANICS AND ITS INTRINSIC LOGICS DO NOT MEAN THAT I LIKE NOR ENDORSE THE SYSTEM. I SIMPLY CONCLUDED THAT IT IS IMPOSSIBLE TO PREVENT THE SYSTEM FROM BEING IMPLEMENTED. IMO, IT IS UNAVOIDABLE. DePompadour, Societe d'Importation Ltee Limoges porcelain, Silverware and mouth blown crystal glasses JFA Technologies, R&D consultants. Physicists, technologists and engineers. PGP keys at: http://w3.citenet.net/users/jf_avon ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891 From camcc at abraxis.com Tue May 21 16:05:26 1996 From: camcc at abraxis.com (camcc at abraxis.com) Date: Wed, 22 May 1996 07:05:26 +0800 Subject: The Crisis with Remailers Message-ID: <2.2.32.19960521165841.00689290@smtp1.abraxis.com> At 10:40 AM 5/20/96 -0700, you wrote: > one cent could well be too low. I have been a client of the c2.org pre/re mailer on several occasions. What with all the discussion of remailers falling away (or being pushed), I am concerned that the 10 cent fee I, and hopefully others, have been paying in e-cash is not sufficient to keep c2.org's remailer in operation. I would be willing to pay, say for discussion's sake, the postal rate for the convenience and security it offers. Alec camcc at abraxis.com Every succeeding scientific discovery makes greater nonsense of old-time conceptions of sovereignty. A. Eden PGP Fingerprint: Key ring: 'c:\pgp\pubring.pgp', looking for user ID "0x41207EE5". Type bits/keyID Date User ID pub 1024/41207EE5 1996/04/08 Alec McCrackin Key fingerprint = 09 13 E1 CB B3 0C 88 D9 D7 D4 10 F0 06 7D DF 31 Alec McCrackin From jimbell at pacifier.com Tue May 21 16:05:49 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 22 May 1996 07:05:49 +0800 Subject: Rumor: DSS Broken?
Message-ID: <199605211740.KAA02723@mail.pacifier.com> At 08:32 PM 5/19/96 -0700, Bill Stewart wrote: >At 08:05 PM 5/19/96 -0800, Jim Bell wrote: >>It should occur to all of us that if the NSA was actually doing the job we >>are vastly over-paying them to do, it is THEY who should be finding, >>exposing, and correcting these kinds of cryptography faults. > >They may have; they're just kind of selective in who they expose them to :-) Yes...but... How can the NSA serve two masters? If the NSA has the American public's best interests at heart, then it should have revealed the flaw if it knew of it. (Otherwise, it can't be trusted...) If it did not, then it likewise should admit to this to show that their trustworthiness and reliability isn't particularly high and we shouldn't trust their opinions on Clipper etc. It is at least arguable that the NSA might have a vested interest in allowing an enemy to continue to use a flawed encryption system, as in Enigma. However, MD5 produces what ought to be secure hashes, right? A flaw in MD5 allows the person knowing the secret flaw to fake a file that produces a similar hash. What interest could the NSA possibly have in allowing such faked files to be produced? Is this part of the NSA's job description? >Also, there are expert cryptographers outside the NSA, and outside the US; >you might check where Dobbertin lives. And this is a Good Thing. Yes, it is. But I'd like to think that the NSA isn't acting as if WE are the "enemy." Jim Bell jimbell at pacifier.com From matts at pi.se Tue May 21 16:12:25 1996 From: matts at pi.se (Matts Kallioniemi) Date: Wed, 22 May 1996 07:12:25 +0800 Subject: The Crisis with Remailers Message-ID: <2.2.32.19960521175237.0036cc44@mail.pi.se> At 17:44 1996-05-21 +0200, bryce at digicash.com wrote: >Matts, you don't want to do floating point for money, because >floating point doesn't give you good control of precision. Yes I do. 
Several major currency traders in Sweden keep all their money in 64 bit floating point storage. I think that DigiCash will go floating point (get real?) when you start doing currency. If you sell 1 DEM, you don't want to get paid in cents, you want to get paid in 10-15 decimal places. That's where the currency action is right now, and before Ecash(tm) is fully deployed we'll probably see traders going for 15-20 decimal places. Floating point is the way to do it, but are your accountants ready for it? >Keep in mind that only Ecash(tm) Mints can create Ecash(tm) >coins and choose what values the coins have. Sorry, I thought that the client created the coins and the mint just signed them. I guess I should go back to RTFAPI. Regards, Matts From tcmay at got.net Tue May 21 16:14:17 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 22 May 1996 07:14:17 +0800 Subject: Long-Lived Remailers Message-ID: At 3:00 PM 5/21/96, Rev. Mark Grant, ULC wrote: >On Tue, 21 May 1996, Timothy C. May wrote: > >> Traffic analysis will be quite easy to do, of course, as all mail sent to >> the persistent address comes out of the "disposable at foo.com" address. >> Q.E.D. > >Yeah, but the attack model I was assuming was lawyers rather than >intelligence agencies. The NSA could probably easily link the two >together, but the Church of Foobar(tm) probably couldn't. They'd only have >access to the logs on the ISP and the information you gave when you signed >up, not the raw packets on the Net. The traffic analysis on this fixed mapping system needs no access to packets and is childishly simple. Let's call the first site "Alice" and the emanation site "Bob." That is, all messages sent to the persistent site Alice appear to come from the site Bob. The Church of Clams can simply send messages addressed to themselves through the Alice remailer and see immediately that they appear to come from Bob. Q.E.D. --Tim May Boycott "Big Brother Inside" software! 
We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jimbell at pacifier.com Tue May 21 16:17:42 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 22 May 1996 07:17:42 +0800 Subject: An alternative to remailer shutdowns Message-ID: <199605211741.KAA02765@mail.pacifier.com> At 03:02 PM 5/20/96 -0700, Hal wrote: >I was contacted by the FBI on Friday due to some threatening mail which >was apparently sent through my remailer. According to 18 USC 875(c), >"Whoever transmits in interstate commerce any communication containing >any threat to kidnap any person or any threat to injure the person of >another, shall be fined not more than $1,000 or imprisoned not more >than five years, or both." I may not be able to continue operating >either of my remailers (alumni.caltech.edu and shell.portal.com) for >much longer due to this kind of abuse. You may recall that when the Leahy encryption bill was proposed, and many people around here were fawning all over it, I raised the issue that it would allow the govt to harass and prosecute encrypted remailer operators since their use of encryption allows investigations to be thwarted. What you've just seen, while not directly involving encryption, is the analogous version of such harassment with simple remailers. If there is any need for laws or regulations here, it is one to explicitly exempt remailers from responsibility for email they forward, or decrypt and then forward.
(It isn't clear, for example, why a remailer is any more responsible for the contents of a message than any other point on the Internet chain.) Obligatory AP reference: If AP was up and functioning, there wouldn't be a government to fund an FBI to pay agents to come and harass you for forwarding a message that they've probably misinterpreted anyway. Jim Bell jimbell at pacifier.com From tcmay at got.net Tue May 21 16:34:19 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 22 May 1996 07:34:19 +0800 Subject: Are there laws against remailing messages? Message-ID: [I've changed the thread title.] At 2:17 PM 5/21/96, Jim Choate wrote: >In pondering the last few days of discussion it occurs to me that a test >might be possible. In short: > >Is it legal for a business to anonymously remail physical mail? ... >I would also like to point out (the obvious I admit) that the founding >fathers apparently embraced anonymous distribution via their 'publius' >handle. It seems to me that a federal prosecutor would have a hard time >claiming there was no precedence for such actions. Such a claim to my way >of thinking would be fundamental in any attempted prosecution for anonymous >remailing. Also, as far as I can find out, there was no persecution of the >newspapers for printing this material anonymously, they apparently were not >held to task for the content. This seems to indicate that English common law >of that day (and its descendants here today) embraced anonymous speech as >well. Several points: * The Supreme Court formally decided many years ago that leaflets, fliers, articles, handouts, etc., cannot be required to be identified. (Some state had tried to require that leaflets be identified with the name of the author or distributing group. I don't have the case name handy, but it's pretty famous and is cited in all the books on cyberspace law...I may even have a mention of it by name in the Cyphernomicon.)
* This ruling, which is certainly fully consistent with the First Amendment, should of course apply to electronic forms of leaflets, fliers, articles, handouts, etc. Unless, of course, there is an upheld interpretation that the Net is different from print media, which I think it clearly is not. * As to laws against receiving a letter and then resending it to someone else...how could that be a crime? What I receive in my mail is my business. What I do with what I receive in the mail is also my business. Demanding that I process letters or notes to me in certain ways and not in other ways would be interfering with my communications. (Quibblers will likely cite FCC and election campaign laws as a counterexample. Wrongly, I think. Another debate.) * Now if I start doing this remailing on a large-scale basis, various business regulations, tax laws, etc., obviously come into effect. "Remailings Etc." will have to satisfy various regulators, tax collectors, OSHA inspectors, etc...all the things that make it so hard to start a small business in America. However, I can't think of any obvious laws which ban receiving a package or letter, removing the outer addressing, removing the payment, and then resending it. (Not saying there aren't such regulations, though I think they are clearly unconstitutional. The "regulate commerce" language which is frequently cited as justification for meddling in business should not be able to turn a business into a lawbreaker for doing what individuals can do.) In summary, what I receive in my mail, physical or electronic, is for me to do with as I wish. This includes sending it on to another site, commenting on it (*), etc. (* A finesse I thought of a few years ago is this: If remailing is ever banned or if remailers are held liable, use _quotes_. That is, I say: ---- To: foo at bar.baz From: Tim-Remailer at black.net Subject: Ever seen anything like this? Somebody sent me this: ---- Now, what's a law against remailers going to do?
Hold me liable for passing a message on and asking for comment? (Yes, I think this is a pretty transparently cute ploy to circumvent laws about remailings. But it shows, I think, the can of worms that gets opened should such a law ever get passed and then upheld. It would place limits not only on what one could "remail without comment," but on what one could _include_ in one's own messages!) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From loki at infonex.com Tue May 21 16:47:24 1996 From: loki at infonex.com (Lance Cottrell) Date: Wed, 22 May 1996 07:47:24 +0800 Subject: The Crisis with Remailers Message-ID: At 10:36 AM 5/21/96, Adam Shostack wrote: >Lance Cottrell wrote: >| >| An interesting problem with anonymous postage is that it is likely to kill >| cover traffic generators. >| > >Postage is most needed at the point of delivery. > >That is the node that will be taking the heat/paying the lawyers. I'd >operate a remailer if I was never the last node, becuase I don't have >a site that can take the heat/seizure of machines for me. If we pay >those final nodes to do more, than intermediate nodes can still carry >cover traffic for free. > >Adam > >-- >"It is seldom that liberty of any kind is lost all at once." > -Hume This is true. It is also something which would be easy to build into Mixmaster. The Message payload has a much looser format than the rest of the message. 
The postage could simply be prepended to the subject and destination fields (which are already variable length). Time to actually look at the API :) -Lance ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche ---------------------------------------------------------- From jimbell at pacifier.com Tue May 21 16:47:35 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 22 May 1996 07:47:35 +0800 Subject: Rumor: DSS Broken? Message-ID: <199605210341.UAA25393@mail.pacifier.com> At 01:05 AM 5/20/96 -0700, Bill Frantz wrote: >At 8:05 PM 5/19/96 -0800, jim bell wrote: >>It should occur to all of us that if the NSA was actually doing the job we >>are vastly over-paying them to do, it is THEY who should be finding, >>exposing, and correcting these kinds of cryptography faults. Has anybody >>ever heard any evidence that the NSA has ever acted in this sort of >>responsible role? > >I was rather impressed by NSA's role in the creation of DES. The >strengthened it against an attack which was not publicly known, and didn't, >in the process, reveal the attack. (See AC2.) Isn't this partly bad, at least? Sure, if DES was a working, operational cryptosystem revealing the attack immediately might be arguably irresponsible. But since it was merely a design, exposing the flaw didn't help the enemy or hurt "us." Had DES been in use, the NSA could merely have stated, publicly, that "We see a flaw in DES, and we will tell you all about it in 5 years. Enclosed is an encrypted description of the problem, encrypted using a single key system with a 128-bit key. Save it for your files. 
In five (5) years we will publish the key to decrypt that file, and you will then know what we know now." At that point, anybody who then was using DES would have a five year warning to replace it. And the NSA would be unable to change the contents of what they were revealing, because they would only be withholding the key. Also, exposing the flaw in DES could have alerted the developers of other cryptosystems to watch for the same attack on their systems. All in all, I don't think the NSA's near-silence on DES is unambiguously commendable. Jim Bell jimbell at pacifier.com From frantz at netcom.com Tue May 21 16:58:40 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 22 May 1996 07:58:40 +0800 Subject: Rumor: DSS Broken? Message-ID: <199605211817.LAA00206@netcom8.netcom.com> At 8:39 PM 5/20/96 -0800, jim bell wrote: >At 01:05 AM 5/20/96 -0700, Bill Frantz wrote: >>I was rather impressed by NSA's role in the creation of DES. The >>strengthened it against an attack which was not publicly known, and didn't, >>in the process, reveal the attack. (See AC2.) > >Isn't this partly bad, at least? Given NSA's responsibilities to: (1) Break foreign crypto systems. (2) Make US crypto systems unbreakable. (3) Never Say Anything. I find it remarkable they were that open. They had a technique which helped them with 1. They didn't want to reveal it or foreign systems would be changed hurting NSA's pursuit of 1. They had a (small, DES was public and therefore could be used by foreigners) obligation thru 2 to help with DES. They honored 3 by saying as little as possible, while still strengthening DES. >All in all, I don't think the NSA's near-silence on DES is unambiguously >commendable. If they were cypherpunks, or academic cryptologists I would agree. However, their responsibilities do not involve publishing, so I can't fault the way they skated thru the maze of conflicting responsibilities given what we know. I can not fault them for following their charter. 
(Faulting their charter is a different matter.) When designing crypto systems, it is worthwhile to consider NSA as the opponent, because as far as I know, they are the best there is. If your system is secure from NSA, then it is secure from everyone except insiders. However the government always skates between the horns of the dilemma that acting on the results of NSA intercepts may cause their opponents to change their crypto systems, cutting off the intercepts. This logic says the government can always act on the results of 40 bit key intercepts because everyone knows they are insecure. If they acted on a 56 bit key intercept, it would make concrete what we already know theoretically. If they acted on a 96 bit key intercept, people would abandon the underlying crypto system because of the unfeasibility of brute forcing a 96 bit key. (When considering what to abandon, the random process used to generate the 96 bits should be at least as suspect as the crypto system.) ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From mark at unicorn.com Tue May 21 17:03:19 1996 From: mark at unicorn.com (Rev. Mark Grant, ULC) Date: Wed, 22 May 1996 08:03:19 +0800 Subject: Long-Lived Remailers Message-ID: On Tue, 21 May 1996, Timothy C. May wrote: > The Church of Clams can simply send messages addressed to themselves > through the Alice remailer and see immediately that they appear to come > from Bob. Good point... oops ;-)... Mark From loki at infonex.com Tue May 21 17:04:23 1996 From: loki at infonex.com (Lance Cottrell) Date: Wed, 22 May 1996 08:04:23 +0800 Subject: MixMaster fair use Message-ID: The problem is RSAREF. I can't chose license terms for that. -Lance At 7:00 AM 5/21/96, Jim Choate wrote: >Hi all, > >Perhaps I am confused about what MixMaster's license allows.
I have joined >the confusing part (for me anyway)... > >README.no-export : > >All the files in this archive contain crpytographic code which is >restricted by the ITAR regulations on munitions. >These files may only be retrieved by US citizens, and only on condition of >agreement not to export any of this software or dats, and to extract >a similar agreement from any person they may transfer it to. > >To access the export-controled materials on >this site, you must agree to "THE AGREEMENT" >below. If your email address ends in one of the following: > >.edu .com .edu. .gov .mil .org .net .us .ca > >Do this by sending "THE AGREEMENT", >exactly as it appears, to > > mix-request at jpunix.com > > >If it does not, but you qualify to retrieve >Mixmaster under "THE AGREEMENT", then send mail >to perry at alpha.jpunix.com, explaining your >situation. > >In either case you will be sent a message containing >the name of a hidden directory in which you will >find the controlled software. The name of the directory >changes frequently, so you must get the name >each time you want to access the hidden directory. > > -John A. Perry 5/6/95 > >-------------------------------------------------- > THE AGREEMENT: >I am a citizen or national of the United States, >or of Canada, or have been lawfully admitted for permanent >residence in the United States under the >Immigration and Naturalization Act. > >I agree not to export Mixmaster, or RSAREF >or any other software in this archive, >in violation of the export >control laws of the United States of America as implemented >by the United States Department of State Office of >Defense Trade Controls. > >Before I download Mixmaster, I will read >and agree to the terms and conditions of the RSAREF >license (in ftp://ftp.jpunix.com/pub/rsalicen.txt). > >I will use Mixmaster solely for non-commercial purposes. 
>---------------------------------------------------------- > >Directory name last changed at: Wed May 1 09:00:01 CDT 1996 > > >End README.no-export > > >What confuses me is the part above that states that I agree to use Mixmaster >for solely non-commercial use. This is NOT GNU or copyleft. > > > > > Jim Choate ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche ---------------------------------------------------------- From loki at obscura.com Tue May 21 17:29:47 1996 From: loki at obscura.com (Lance Cottrell) Date: Wed, 22 May 1996 08:29:47 +0800 Subject: The Crisis with Remailers In-Reply-To: Message-ID: On Tue, 21 May 1996, Timothy C. May wrote: > At 6:16 PM 5/21/96, Lance Cottrell wrote: > > >I had thought of that. Unfortunately, if the coin is of a special form > >which identifies the message as being a cover message, then they are of no > >use against the attacker who is running a remailer. The cover messages > >really have to be indistinguishable from real messages, even to the > >remailers. One could do some kind of accounting, where every remailer would > >refund to the traffic generators their share of the postage, but there is a > >lot of trust required for that system since it is impossible (very > >difficult) to verify. > > First, it's not clear to me that "The cover messages really have to be > indistinguishable from real messages, even to the remailers." > > The "slug messages" will be indistinguishable to all outside observers. I think the "enemy controlled remailer" is an important part of the threat model. In many ways it is easier to do than to monitor all the traffic.
> Only by colluding with other remailers will Alice be able to tell Bob, > Charles, etc. which were slugs and which were not. True, but it is folly to think that only one remailer would be compromised. > Second, I was thinking of the model in which all remailer usage is by > tokens or slugs, anyway, in which case Alice would not know if an incoming > message was by a "paying customer" or by one of the other remailers. There has been a lot of discussion of this. It is difficult to make slugs which can be purchased in bulk (since you want to buy them using anonymous mail), can not be used to connect messages from one person, and do not infringe on Chaum's patents. It is not acceptable for a remailer to see a message and know which other messages came from that same person. If it is ever the first remailer, it knows who you are. If it is the last, it knows who you mailed to. There has been discussion of secondary markets for the slugs, but I don't think it is going to happen. > This discussion belongs on the list, not in private e-mail. Oops, I must have hit the wrong key. I meant to have a copy go to the list. > --Tim -Lance ------------------------------------- Lance Cottrell loki at infonex.com President Infonex Internet Services http://www.Infonex.com ------------------------------------- From richieb at teleport.com Tue May 21 17:33:43 1996 From: richieb at teleport.com (Rich Burroughs) Date: Wed, 22 May 1996 08:33:43 +0800 Subject: [NOISE] Re: An alternative to remailer shutdowns In-Reply-To: <199605211741.KAA02765@mail.pacifier.com> Message-ID: On Tue, 21 May 1996, jim bell wrote: [snip] > You may recall that when the Leahy encryption bill was proposed... [snip] Blah, blah, blah. This situation has nothing to do with the Leahy bill. As you mentioned, crypto is not the issue here. It's whether we get to have remailers, period -- encrypted or not.
Why must you persist in bringing the bill up, constantly, whether it applies to the situation being discussed or not? You're gonna hurt your arm, reaching around to pat yourself on the back like that ;) Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From richieb at teleport.com Tue May 21 17:42:56 1996 From: richieb at teleport.com (Rich Burroughs) Date: Wed, 22 May 1996 08:42:56 +0800 Subject: SEVERE undercapacity, we need more remailer servers FAST (fwd) Message-ID: [Zed, sorry to send this twice -- forgot to add the list address, and I have additional info...] On Wed, 22 May 1996, Zed wrote: [snip] > Now to try to get this back on-topic, there was one NOTS document which was > posted anonymously before the whole pack made it to > alt.religion.scientology. It described a process(or "ritual" if you prefer) > designed to help _physical_ affliction. It _may_ violate an FDA ruling > prohibiting the Church from practising medicine. It is _definitely_ a > violation of copyright to post it and one person, Keith Henson, is getting > sued for quoting it. Now, was sending this NOTS document through an > anonymous remailer a good or a bad thing to do? I'm confused. I thought Keith had admitted posting the document, but claimed that the materials describe illegal acts (as you mentioned) and that posting is in the public interest, or something like that. How are they suing him if he posted anon? I've been away from a.r.s. for a while, but I'm back there now and am trying to get back up to speed... Bye :) Rich p.s. Okay, I hit Ron Newman's web page, and it seems my suspicion was correct.
Here's a quote from Keith's post, which contained NOTS 34 -- he posted it from his own account, not via a remailer: : I had not been inclined to look at this : material before (it's *boring*), but your TRO inspired me. Assuming : this is real, I can see why the "Church" of Scientology is trying to : suppress this material. If carried out, the instructions in this : particular bulletin amount to *criminal* acts, to wit, the practice of : medicine without a license. I reproduce this widely available : document in its entirety for your edification. Had he posted it through a remailer, I think it would have been well justified. He was obviously blowing the whistle on what he saw as illegal activities. That's a much different matter than posting the entire NOTs series, though. The wholesale copying is what most people seem to object to, though my observations tell me that the "Church" objects to any copying, even for fair use... ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From jimbell at pacifier.com Tue May 21 19:01:29 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 22 May 1996 10:01:29 +0800 Subject: AP Message-ID: <199605211950.MAA11596@mail.pacifier.com> At 04:28 PM 5/20/96 +0000, Jean-Francois Avon wrote: [quoting Jim Ray>>] >Interesting. Has AP ever popped-up in the conventional media? Other than the article I quote in its entirety in Part 8 of AP, an article from the Asahi Evening News (an English-language daily newspaper in Japan), no. >Then, again, I know an awful lot of people who would applaud Bell. >But most of them are not computer literate. They are from another >generation, not brainwashed by "Don't ask what your country can >do for you; ask what you can do for your country"...
Unfortunately, it generally takes knowledge of at least computer networking, with a little knowledge of encryption and a vaguely passing familiarity with digital cash, to understand AP with enough detail to be useful. But I'm constantly amazed at how many people really APPRECIATE the idea, and its ramifications. >> This kind of thinking might authorize a massive Cherokee >> massacre if it spread, IMO. > >Please, do point out the similarities and the differences... I think >that the context is very different. If anything, I think AP would have allowed Indians to defend themselves, had they had access to it. >> We must, as >> Libertarians, face the fact that taxation we object to is not seen >> by many people as coercive. I don't think this is necessary: They need not see that something is wrong to be deterred by the possibility of their agents getting killed doing something that they see as "non-coercive." >> Even then, I prefer the judicial process to the oligarchy >> this scheme would entail > >This scheme is *not* an oligarchy. Pay a visit to any good dictionary >near you. Words have precise meaning and it is *much* better to >stick to it... > >Actually, since it is ruled by money, it might be a "buckarchy", but >again, everybody can spare a few bucks, so it might be a democracy >too if you insist on twisting the meaning of words. Yes, I think it would be a good idea to name the resulting society... Jim Bell jimbell at pacifier.com From pfarrell at netcom.com Tue May 21 19:02:57 1996 From: pfarrell at netcom.com (Pat Farrell) Date: Wed, 22 May 1996 10:02:57 +0800 Subject: Enabling Privacy, Commerce, Security and Public Safety Message-ID: <199605212018.NAA07009@netcom3.netcom.com> in the Global Information Infrastructure Thanks to Ed Roback, John Young, and "DN", the NIST draft report is now available. URL: http://www.isse.gmu.edu/~pfarrell/nist/kmi.html I will work on making it prettier this evening, but I figured that people want to get it as soon as possible. 
Also, as of a couple of hours ago, the paper copy of this was _not_ available at the OMB publications office (the address in Ms. Frye's posting.) I recommend not trying to call them, as after you spend time working through their flooded inbasket, you still won't get it. So, if you want hard copy, print my file :-) Pat Pat Farrell grad student http://www.isse.gmu.edu/students/pfarrell Infor. Systems and Software Engineering, George Mason University, Fairfax, VA PGP key available via finger or request #include standard.disclaimer From jquinby at fivepaces.com Tue May 21 19:06:02 1996 From: jquinby at fivepaces.com (Jay Quinby) Date: Wed, 22 May 1996 10:06:02 +0800 Subject: Remailer extensions Message-ID: <2.2.32.19960521195600.006f300c@mailhost> >At 09:17 AM 5/21/96 -0500, you wrote: >> >>Hi all, >> >>In pondering the last few days of discussion it occurs to me that a test >>might be possible. In short: >> >>Is it legal for a business to anonymously remail physical mail? >> >>The process I propose is as follows: >> >>1. Some party mails an envelope to 'Remailers-R-Us'. >> >>2. Inside that envelope is the real mail addressed and stamped along >> with say a $1 money order for processing. >> >>3. The people at Remailers-R-Us simply take the dollar and deposit it >> in the bank while depositing the letter they received in the local >> mail drop. This is my first post to the list. Aren't there mail drops already in operation that do just this? I seem to recall that the only way to get QSL cards (non-radio folks bear with me) from pirate SW stations was to go via their mail drops. The section of Monitoring Times magazine that deals in pirate radio has a list of mail drops used by the stations (or it used to, anyway). Seems like I saw them in the classifieds of Rolling Stone or some such place. 
-JQ |<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>| |James Quinby | Atlanta, GA | PADI/153KHz-896MHz/PGP262/EADBGE| Phl4:8-13| |jquinby at fivepaces.com (work) | Own a 45 MPH couch potato:- | |jrq at ix.netcom.com (home) | Adopt a greyhound today. Write for details.| |<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>| |Public key fingerprint: 9ACC4C28478018E1 372DC06A9452A477, MIT's keyserver| |*****Opinions expressed are mine. They are *not* those of my employer*****| |<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>| From ncognito at gate.net Tue May 21 19:07:53 1996 From: ncognito at gate.net (Ben Holiday) Date: Wed, 22 May 1996 10:07:53 +0800 Subject: An alternative to remailer shutdowns In-Reply-To: Message-ID: After pondering a bit it seems to me that the "knock knock" remailer approach (only send anon-mail if the recipient agrees to receive it) could be made feasible pretty easily. Rather than hold the mail while waiting for a consent to release, you could simply encrypt the piece of mail with a symmetric algorithm on its final hop, and send the encrypted mail to the recipient. At this point there are 2 options, which I haven't examined closely: The first is that you require them to send a request for their "consent-code" which can be used to decrypt the mail. Under this arrangement you could possibly provide for a user to specify a specific consent code, so that 2 parties who had previously agreed to communicate could avoid "knocking". If you strip the subject, then it would be all but impossible for a person to include the consent code in the actual piece of mail. The second is to simply include the consent-code along with the encrypted piece of mail and a legal notice stating that decryption of the mail constitutes your consent to receive the mail, as well as your agreement to hold the remailer-operator harmless should the mail be found to be in some way offensive.
Further, the recipient would agree to be solely liable for the contents of the mail, etc etc.. I leave the actual agreement to the net.lawyers to figure out. As far as I can tell an agreement of this form would be at least as valid as the software licenses ("NOTICE: Opening this envelope constitutes your agreement to the terms.. blah blah blah") that are commonly used today. Also would seem to be a similar concept to "Opening the case of this device voids your warranty" stickers on appliances. Under this approach persons would receive mail whether they'd consented or not (unless they requested to be blocked). But it would be difficult for anyone to raise any serious legal issues about something they haven't read, and impossible for them to make noise about what they read, after the implied consent they gave when decrypting. Under both approaches it would be wise to have a list of addresses who've already consented, which would contain all of the known remailers.. whether or not an operator chose to have names besides remailers in the list would be at his/her discretion. Ben.. From alex at proust.suba.com Tue May 21 19:23:40 1996 From: alex at proust.suba.com (Alex Strasheim) Date: Wed, 22 May 1996 10:23:40 +0800 Subject: mixmaster nsa@omaha.com going down Jun 4th. Message-ID: <199605211959.OAA05920@proust.suba.com> I'm closing my mixmaster, nsa at omaha.com, on the 4th of June. There wasn't an incident that triggered this, but Hal's post about the FBI sort of spooked me, as have the lawsuits. I don't have a lot of assets myself, but I do have partners. My lawyer tells me that there's no reliable way to separate my personal net activities from those of the company my partners and I own, and that I could even be exposing my partners to personal liability. I can't speak for anyone else, but for me the problem with running a remailer is that it's an inherently altruistic enterprise.
That in itself wouldn't be so bad, but the liability makes the extent of the altruism open ended. If I knew that the worst case scenario would be $1k or even a $5k personal loss I could do it, but an open ended liability that's shared by my partners is unacceptable. I'm sorry for the inconvenience this will cause. -- Alex Strasheim, alex at proust.suba.com From declan+ at CMU.EDU Tue May 21 20:10:01 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Wed, 22 May 1996 11:10:01 +0800 Subject: NIST Draft Key Escrow Paper In-Reply-To: Message-ID: Excerpts from internet.cypherpunks: 21-May-96 Re: NIST Draft Key Escrow P.. by Declan McCullagh at well.co > OMB publications at the number below says: "We're just finding out about > the report. We're not sure if they're going to give us copies or not." I have it on *very* good authority :) that EPIC will have the draft white paper on their web site by this evening. -Declan From declan at well.com Tue May 21 20:11:37 1996 From: declan at well.com (Declan McCullagh) Date: Wed, 22 May 1996 11:11:37 +0800 Subject: NIST Draft Key Escrow Paper Message-ID: >We've just heard back from Ed Roback of NIST that he'll fax us a copy of >the Draft Key Escrow Paper, which we'll scan and send to Pat Farrell for >his Web site. I'll ask Pat to announce its availability when ready. To follow up: I think EPIC is putting last week's draft online, not this week's. -Declan From andrew_loewenstern at il.us.swissbank.com Tue May 21 22:10:50 1996 From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern) Date: Wed, 22 May 1996 13:10:50 +0800 Subject: An alternative to remailer shutdowns In-Reply-To: Message-ID: <9605212257.AA00853@ch1d157nwk> Ben Holiday writes: > As far as I can tell an agreement of this form would be at > least as valid as the software licenses ("NOTICE: Opening this > envelope constitutes your agreement to the terms.. blah blah > blah") that are commonly used today.
IANAL, but I have one, and he said (a couple of years ago) that these shrinkwrap contracts are practically worthless without a signature. At least this was how things were being handled in some districts. Anyone care to comment? crypto relevance: Can RSADSI __really__ enforce the silly "thou shalt not call certain functions" restrictions in their 'license'? I doubt it, but I would love for someone to prove me wrong. andrew From jimbell at pacifier.com Tue May 21 22:12:02 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 22 May 1996 13:12:02 +0800 Subject: Remailer extensions Message-ID: <199605212152.OAA26404@mail.pacifier.com> At 09:17 AM 5/21/96 -0500, Jim Choate wrote: >In pondering the last few days of discussion it occurs to me that a test >might be possible. In short: > >Is it legal for a business to anonymously remail physical mail? > >The process I propose is as follows: > >1. Some party mails an envelope to 'Remailers-R-Us'. > >2. Inside that envelope is the real mail addressed and stamped along > with say a $1 money order for processing. > >3. The people at Remailers-R-Us simply take the dollar and deposit it > in the bank while depositing the letter they received in the local > mail drop. I can't say whether this is "legal" (it probably is) but I believe that this was a fairly common practice in the 1960's in the US, when people were dodging the draft, running away from home to join a commune, etc. Such services were advertised in various magazines, and operated on the principles you described. Jim Bell jimbell at pacifier.com From jimbell at pacifier.com Tue May 21 22:14:13 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 22 May 1996 13:14:13 +0800 Subject: Long-Lived Remailers Message-ID: <199605212328.QAA03415@mail.pacifier.com> At 10:29 AM 5/21/96 -0700, Timothy C. May wrote: >At 3:00 PM 5/21/96, Rev. Mark Grant, ULC wrote: >>Yeah, but the attack model I was assuming was lawyers rather than >>intelligence agencies. 
The NSA could probably easily link the two >>together, but the Church of Foobar(tm) probably couldn't. They'd only have >>access to the logs on the ISP and the information you gave when you signed >>up, not the raw packets on the Net. > >The traffic analysis on this fixed mapping system needs no access to >packets and is childishly simple. > >Let's call the first site "Alice" and the emanation site "Bob." > >That is, all messages sent to the persistent site Alice appear to come from >the site Bob. > >The Church of Clams can simply send messages addressed to themselves >through the Alice remailer and see immediately that they appear to come >from Bob. Tim, I think you missed his (and my) point. The purpose of such a split is not to disguise the link between Alice and Bob; the point is to prevent legal attacks on the remailer by putting the transmission part (Bob) in a country which is hard to reach. Logically, an attacker could easily determine that sending a message to Alice would have it come back from Bob, but the converse would not be true: A message which came from Bob would not necessarily have come from Alice. Besides, any legal attack would require a substantial investment that would make harassment suits pointless. Add to this the fact that "Bob" might only last a few weeks... An organization like COS would be faced with no good target. Jim Bell jimbell at pacifier.com From ethridge at Onramp.NET Tue May 21 22:17:17 1996 From: ethridge at Onramp.NET (Allen Ethridge) Date: Wed, 22 May 1996 13:17:17 +0800 Subject: Remailers, Copyright, and Scientology In-Reply-To: Message-ID: <199605211936447595590@central10.onramp.net> > At 6:15 PM 5/20/96, Rich Burroughs wrote: > >At 01:08 AM 5/20/96 -0700, tcmay at got.net (Timothy C. May) wrote: > >[snip] > >>And the issue of CoS seeking legal actions against those they claim are > >>violating their copyrights is separable from their religious status. > > > >Not at all. 
Their actions are based on their religious doctrines, as passed > >down by Hubbard. "Always attack, never defend." Their claims of copyright > >violation are part of an ongoing effort to silence those who criticize their > >illegal and immoral practices. They should be examined in that context. > > I don't care what their motivations, religious or other, are. > > As I see it, some people here (including some good friends of mine, by the > way) are caught up in a religious war. Those opposed to CoS are "outing" > putative CoS secrets by aggressive use of remailers. The CoS is fighting > back. Is anyone surprised? I've been following alt.religion.scientology mostly for entertainment reasons, and occasionally to correct some of the false statements about psychiatry made by Scientologists. There's more to the story than you appear to be aware of. The extra-legal actions didn't originate with the alleged copyright violations, nor are the legal actions of the cult limited to protecting their copyrights. Now that the cypherpunks have been brought to their attention it's entirely possible that the major posters on this newsgroup will become the subject of Scientology's, or rather Religious Technology Center's legal actions. I believe the original legal action relates to the posting of court documents that contained cult scripture. And the cease and desist letters are sent for what are clearly fair use extracts. If someone were to be so unkind as to post a certain six sentences to this newsgroup we might see toad.com shut down. Yes, the cult does have a legitimate interest in protecting their copyrights. No, the cult does not have a valid reason for using the heavy-handed legal tactics of which they are so fond. -- if not me, then who? mailto:ethridge at onramp.net http://rampages.onramp.net/~ethridge/ From tcmay at got.net Tue May 21 22:21:43 1996 From: tcmay at got.net (Timothy C. 
May) Date: Wed, 22 May 1996 13:21:43 +0800 Subject: The Crisis with Remailers Message-ID: At 7:02 PM 5/21/96, Lance Cottrell wrote: >> This discussion belongs on the list, not in private e-mail. > >Oops, I must have hit the wrong key. I meant to have a copy go to the list. > Oops again, Lance, for you, as you posted my private response to you publicly! No harm done, but my "this discussion belongs on the list" was an indication of why I was being very terse in my comments. (I take more time when I know a bunch of people are reading my stuff than when I am just talking to one person, and when we may have some private shorthand comments.) So, everyone, please ignore everything Lance quoted of mine in his message and wait for the comments I will make to the list as a whole. (Or don't, as the shelf life of threads really does match the "thread du jour" name some of us use.) --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From droelke at rdxsunhost.aud.alcatel.com Tue May 21 22:24:20 1996 From: droelke at rdxsunhost.aud.alcatel.com (Daniel R. Oelke) Date: Wed, 22 May 1996 13:24:20 +0800 Subject: An alternative to remailer shutdowns Message-ID: <9605212220.AA05507@spirit.aud.alcatel.com> Ben Holiday wrote: > > After pondering a bit it seems to me that the "knock knock" remailer > approach (only send anon-mail if the recipient agrees to receive it) could > be made feasible pretty easily.
> > Rather than hold the mail while waiting for a consent to release, you > could simply encrypt the piece of mail with a symmetric algorithm on its > final hop, and send the encrypted mail to the recipient. > > At this point there are 2 options, which I haven't examined closely: The > first is that you require them to send a request for their "consent-code" > which can be used to decrypt the mail. Under this arrangement you could > possibly provide for a user to specify a specific consent code, so that 2 > parties who had previously agreed to communicate could avoid "knocking". > If you strip the subject, then it would be all but impossible for a person > to include the consent code in the actual piece of mail. This could be done with no "storage" as well, by a slightly different method and still require end recipient acknowledgement. The end recipient could be required to reply and include the encrypted message. The remailer would then decrypt the message and send back the plaintext. Only storage would be the key vs. a message id database. > The second is to simply include the > consent-code along with the encrypted piece of mail and a legal notice > stating that decryption of the mail constitutes your consent to receive > the mail, as well as your agreement to hold the remailer-operator harmless > should the mail be found to be in some way offensive. Further, the > recipient would agree to be solely liable for the contents of the mail, > etc etc.. I leave the actual agreement to the net.lawyers to figure out. By reduction - you could just do a rot13 on the message and append the "legal notice". If all the information for decoding a message is present in that message, is a different encoding mechanism really any different from straight ASCII text? (i.e. Netscape 9.13 might have auto decoding built in....) Then, the user doesn't do anything "extra" - does this invalidate the notice?
I might be wrong, but I don't think that this second method would gain you anything in the 2 situations where operators will get hassled. 1) Posting of copyrighted material - the lawyers will at least harass you no matter what kind of legal notice is up front. 2) Mailing of "harassing" information - the person still gets unwanted email, and has no way to stop it. > [... legal ideas deleted ...] Heaven forbid that I use spammers as an idea base, but to borrow something from them.... Set up the headers on an anonymous message such that a Reply would result in the user automatically being placed on the "deny" list. This means that only 1 message gets through.... but, as Hal has noted, that might be 1 message too many. Similarly, a message sent to the user could be the "knock", and then a reply would automatically add the user to the "allow" list as well as forward the message.... just an automation of the "knock" idea. Dan ------------------------------------------------------------------ Dan Oelke Alcatel Network Systems droelke at aud.alcatel.com Richardson, TX From gelmanl at gwis2.circ.gwu.edu Tue May 21 22:25:30 1996 From: gelmanl at gwis2.circ.gwu.edu (Lauren Amy Gelman) Date: Wed, 22 May 1996 13:25:30 +0800 Subject: NIST Draft Key Escrow Paper In-Reply-To: Message-ID: On Tue, 21 May 1996, Declan McCullagh wrote: > >We've just heard back from Ed Roback of NIST that he'll fax us a copy of > >the Draft Key Escrow Paper, which we'll scan and send to Pat Farrell for > >his Web site. I'll ask Pat to announce its availability when ready. > > To follow up: > > I think EPIC is putting last week's draft online, not this week's.
> > -Declan > > It is this week's draft, keystroked, and it's at http://www.epic.org/crypto/key_escrow/white_paper.html Lauren Gelman gelman at epic.org From declan at well.com Tue May 21 22:25:35 1996 From: declan at well.com (Declan McCullagh) Date: Wed, 22 May 1996 13:25:35 +0800 Subject: NIST Draft Key Escrow Paper Message-ID: The *most recent* draft version of the white paper -- not the early 5/10 version that I quoted from but the one publicly released yesterday -- is available at http://www.epic.org/ We should thank the good folks at EPIC, those swell touch-typists, for taking the time to put the paper online, along with their comments on it. -Declan >Date: Tue, 21 May 1996 15:55:08 GMT >To: declan at well.com (Declan McCullagh) >Subject: Re: NIST Draft Key Escrow Paper >From: jya at pipeline.com (John Young) >Cc: cypherpunks at toad.com, pfarrell at netcom.com >X-PipeUser: jya >X-PipeHub: pipeline.com >X-PipeGCOS: (John Young) > >We've just heard back from Ed Roback of NIST that he'll fax us a copy of >the Draft Key Escrow Paper, which we'll scan and send to Pat Farrell for >his Web site. I'll ask Pat to announce its availability when ready. > From jya at pipeline.com Tue May 21 22:25:56 1996 From: jya at pipeline.com (John Young) Date: Wed, 22 May 1996 13:25:56 +0800 Subject: NIST Draft Key Escrow Paper Message-ID: <199605212010.UAA18657@pipe3.t2.usa.pipeline.com> Thanks to prompt faxing by Ed Roback of NIST, we have transcribed and sent to Pat Farrell the Draft Key Escrow Paper entitled "Enabling Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure," 25 pages (50 kb). Pat will shortly announce its availability on his Web site. Much easier to grab it from Pat, but for anyone without Web access, we'll E-mail it. Send a blank message to jya at pipeline.com with the subject KMI_txt.
Here's the cover letter of the report: ____________________________________________________________ Executive Office of the President Office of Management and Budget Washington, D.C. 20503 May 20, 1996 MEMORANDUM FOR INTERESTED PARTIES SUBJECT: Draft Paper, "Enabling Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure" FROM: Bruce W. McConnell [Initials] Edward J. Appel [Initials] Co-Chairs, Interagency Working Group on Cryptography Policy Attached for your review and comment is a draft paper entitled "Enabling Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure." It presents a vision and course of action for developing a cryptographic infrastructure that will protect valuable information on national and international networks. The draft paper is the result of the many discussions we have had with interested parties concerning the use of encryption. While those discussions have explored the use of both key recoverable encryption and non-recoverable encryption, the draft paper addresses an infrastructure which uses key recoverable encryption. We believe such a key management infrastructure, voluntary and supported by *private sector* key management organizations, is the prospect of the near future. It would permit users and manufacturers free choice of encryption algorithm, facilitate international interoperability, preserve law enforcement access, and, most importantly, provide strong system security and integrity. Recognizing that a robust infrastructure is not yet a reality, we are also considering measures to liberalize export policy for some non-escrowed products. Appendix II of the draft paper begins to summarize current policy, and we intend to expand and improve that section. We believe that clearly articulating such a vision will accelerate the ability of the United States to realize the full advantages of the global network for commerce, security and public safety. 
However, such a vision cannot become a reality unless it is widely shared. Therefore, rather than being a finished product, the attached paper is a draft which we ask you to help us improve. We hope it will contribute to constructive discussion and promote a clearer understanding of each others' needs and concerns regarding the use of encryption. We welcome your comments and look forward to further discussion. Written comments may be sent to our attention, Room 10236, NEOB, Washington, D.C. 20503. ____________________________________________________________ From sobel at epic.org Tue May 21 22:27:38 1996 From: sobel at epic.org (David Sobel) Date: Wed, 22 May 1996 13:27:38 +0800 Subject: NIST Draft Key Escrow P Message-ID: Declan McCullagh wrote: >The *most recent* draft version of the white paper -- not the early 5/10 >version that I quoted from but the one publicly released yesterday -- is >available at http://www.epic.org/ > >We should thank the good folks at EPIC, those swell touch-typists, for >taking the time to put the paper online, along with their comments on it. > >-Declan And EPIC's thanks to Pat Farrell, who actually made the *appendices* available online as well. Having found Pat's work, we've now appended the appendices (?) to our version of the paper. - David From snow at smoke.suba.com Tue May 21 22:33:24 1996 From: snow at smoke.suba.com (snow) Date: Wed, 22 May 1996 13:33:24 +0800 Subject: An alternative to remailer shutdowns (fwd) In-Reply-To: <199605202328.SAA14914@einstein.ssz.com> Message-ID: On Mon, 20 May 1996, Jim Choate wrote: > Forwarded message: > > Date: Mon, 20 May 1996 15:02:08 -0700 > > From: Hal > > Subject: An alternative to remailer shutdowns > > was apparently sent through my remailer. 
According to 18 USC 875(c), > > "Whoever transmits in interstate commerce any communication containing > > any threat to kidnap any person or any threat to injure the person of > > another, shall be fined not more than $1,000 or imprisoned not more > > than five years, or both." I may not be able to continue operating > > either of my remailers (alumni.caltech.edu and shell.portal.com) for > > much longer due to this kind of abuse. > > There should be a section in there dealing with 'knowingly'. If not then we > should immediately bring charges against any and all newspapers who have > ever printer a ransom letter, or perhaps even the Unibomber Manifesto since > there is clear evidence of 'threat to injure the person of another'. And the postoffice for transmitting both his bombs, and his manifesto, and the phone company for all of the times they have transmitted threats interstate &etc. Petro, Christopher C. petro at suba.com snow at crash.suba.com From jimbell at pacifier.com Tue May 21 22:36:58 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 22 May 1996 13:36:58 +0800 Subject: (Fwd) Re: TCM: mafia as a paradigm for cyberspace Message-ID: <199605211950.MAA11604@mail.pacifier.com> At 12:34 PM 5/20/96 -0700, Vladimir Z. Nuri wrote: >>Second, everybody like Jim Bell who is pushing the AP scheme is doing >>so on ethical basis: that the coercion the government imposes on to >>the individuals by regulations, and guns backed taxation justifies the >>killings. I have to see yet any cypherpunks who seems to agree with >>AP that envision another use than govt control. > >right, and Hitler didn't have any other use for his government other >than to bring utopia to the masses, and used all the ovens for cooking >pizzas (after all, what else could an oven be used for?!?!?). 
> >the above sentence I find absolutely abhorrent: it justifies killing, >not merely because of the effect (the sort of "ends-justifies-the-means" >argument used by most here), but that in addition it is >supposedly "ethical". ethical?!?!? Then you've obviously dramatically mis-read my ideas. I don't claim that _EVERYBODY_ who will fall victim will "deserve" it by your or my opinions, or by generally-agreed-upon philosophy like the libertarian's "Non-Initiation of Force Principle" (NIOFP). Rather, I claim that the justification for any given killing must (and will, or won't, depending) come from some external fact having nothing to do with AP. For example, if you believe in NIOFP, then anyone who violates it has initiated force, and the victim of such force (or, perhaps, anyone else?) can legitimately use a system like AP to fight back. If you _don't_ believe in libertarian philsophy, obviously you won't necessarily agree with AP, but the source of your agreement is that, not something inherently wrong with AP. >the assassination politics is quite Hitleresque at its root. >"kill our enemies, and everything will be better. it is our enemies >that are the root of all evil in the world. extinguish them, and >you solve all problems automatically" THat's a false claim. If the "enemies" are enemies because of what they've actually done wrong, say violate your rights, then it should be your right to stop them. The method you choose shouldn't matter. >there is a trite saying, "two wrongs do not make a right" (trite >because most have mastered the simple truth of it in their pre-teen >years). a concept not grasped by some second-graders. some >require a lifetime of lessons to comprehend it in the end.. You seem to be assuming that if there are TWO "wrongs" here. But I've tried to make it abundantly clear that justification for the self-defense comes from the initial "wrong." Where, then, is the SECOND "wrong"? What, exactly, makes it wrong? 
If a person can't get justice any other way (not to be confused with merely a chance at justice) then why deny that person his rights? I acknowledge that if there is no initial "wrong" (the target didn't actually do anything wrong) then the act of targeting him is, itself, wrong, but you're apparently unwilling to back up this hypothetical. >I'm very disappointed that others have not chased Assassination >Politics proponents to take their trash somewhere else. of course >the real situation is that those that started this list have >sympathies for this kind of thinking, so no such thing will happen. It should be obvious to anyone around here that if AP "works," it will work regardless of whether it meets with your approval or any other subset of humankind. That makes it worthy of discussion even if you don't like it. >to Jim Bell and Avon: please read Machiavelli. read about ancient >assassination clubs and the history of bloody politics. if you want >to seriously further your ideas, start a web site with ample >historical research. your ideas are not new whatsoever. Your objections are invalid. The mere fact that SOME organized killing systems occurred in the past has essentially no relationship to the system I describe. The prospect of perfect anonymity, allowing the system to be open to anyone who chooses to contribute, will make it vastly different from anything that came before. Jim Bell jimbell at pacifier.com From jimbell at pacifier.com Tue May 21 22:37:32 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 22 May 1996 13:37:32 +0800 Subject: AP Message-ID: <199605211950.MAA11610@mail.pacifier.com> At 02:21 PM 5/20/96 +0000, Jean-Francois Avon wrote: >On 20 May 96 at 10:28, Jim Ray wrote: >> >And you'll also note that the anonymity issue generate more >> >interest from more CPunks because it (hopefully) will acheive the >> >same goal without any killing. >> > >> our >> anonymity-baby threatens to have govt. 
kill it in the crib, > >It is not yours, it only *is*. > >> with the support of the people. > >Here, again, Jim Bell would probably say that this sentence proves >him right... Absolutely! Even these days, what passes for "the support of the people" is simply the generally-agreed-upon position of the news media, which the public is supposed to accept as their opinion. Before alternative sources of information such as the Internet appeared, TV stations and print media could just about mold public opinion any way they wanted, within limits. >> I have not respected a US president in my lifetime, yet I get _pissed_ when they get >> shot/shot at. > >I somehow agree with you here. I could say, "I don't want to see any president get shot," but that's simply because I want them to resign instead. And it really isn't the president, per se, who is the problem: It's the entire political system which chooses the candidates, from which the public is only given a one-of-two choice in the matter. If the system were cleaned up, and massively reduced in power, we could have a figurehead president that nobody would even dream of harming, because he exercises no abusive power. And in any case, since I think it is legitimate for "us" (everyone else in the world) to pay for the death of (say) Saddam Hussein or Moammar Khadafi, it would be selfish of me to suppose that any system which could easily achieve that could somehow be tuned to ensure that "our" presidents are somehow immune. I would much rather see _all_ the leadership under the risk of the gun than none of it. >> Killing seems to be a first resort for some, >> and IMO ends do not justify means. > >Well, here, you are threading on a very difficult path. Of course, >the ends does never justifies the means in an *uncoerced* context. >But what JB says, is that AP would be a justified "self defense" >against coercion. That's right. 
However, I've noticed that the people who object to AP rarely want to talk about the self-defense aspect of the situation; they want to assume that nobody has done anything wrong enough to justify AP from being used against them. Jim Bell jimbell at pacifier.com From blancw at MICROSOFT.com Tue May 21 22:37:40 1996 From: blancw at MICROSOFT.com (Blanc Weber) Date: Wed, 22 May 1996 13:37:40 +0800 Subject: Interactive Week exclusive - White House to launch "Clipper III" Message-ID: >From: Declan B. McCullagh >... Self escrow will be permitted under specific circumstances. The >escrow >agent must meet performance requirements for law enforcement access." .................................................................. (So I guess it wouldn't be kosher to use the Mafia....) .. Blanc > From vznuri at netcom.com Tue May 21 22:38:06 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Wed, 22 May 1996 13:38:06 +0800 Subject: The Crisis with Remailers In-Reply-To: Message-ID: <199605211948.MAA11490@netcom19.netcom.com> > >It isn't spam if they're paying for the traffic. Commercial >advertisement through electronic mail is only evil because it is >forced on someone against their wishes and on their dime. The current >situation is much like a telemarketer calling long distance collect >with billing done automatically, and you can't hang up until they're >done with their spiel. > >If it were standard practice for email recipients to charge the sender >an ecash fee (waived if they thought the mail worth their time), it >would make things much more interesting. a very interesting proposal (I believe Bill Gates may have even suggested this in his book), but keep in mind you seem to be mixing different ideas here. there is a cost involved in delivering a message associated with pure communications costs. then there may be a cost imposed on someone to obtain the attention. the latter is arbitrary. the former is pretty well established based on internet infrastructure. 
what you might keep in mind is the following: in a public forum, where "spam" was originally invented, who decides how much it costs to post? now lets say we could quantify the communications costs. ok fine, this comes out to $.05/msg (a large example number). that is still economically viable for someone to "spam". to a mail marketer this would be a really great deal. hence a system that only charges communications fees is unlikely to prevent spam, imho. furthermore, in a public forum, you aren't very easily going to be able to implement "arbitrary" charges like I wrote about. so charging for email to one's mailbox is one possible way to deal with spam, but it's hard to see how one could apply this to public forums. and in many ways, the spam problem is most difficult to solve there. but I like the thinking on methods of trying to solve the spam problem. I do believe it is solvable. it's just that its such an insanely difficult problem to solve. it's a good example of a problem that gets worse when the span of the software grows larger. From jf_avon at citenet.net Tue May 21 22:38:25 1996 From: jf_avon at citenet.net (Jean-Francois Avon) Date: Wed, 22 May 1996 13:38:25 +0800 Subject: Rumor: DSS Broken? Message-ID: <9605212127.AA01697@cti02.citenet.net> -----BEGIN PGP SIGNED MESSAGE----- On 21 May 96 at 10:39, jim bell wrote: > It is at least arguable that the NSA might have a vested interest in > allowing an enemy to continue to use a flawed encryption system, as > in Enigma. Is is arguable? Maybe, but only if you specify the exact context. The Enigma stuff happened when the world was as war, and the peoples that would have used such things in the same context as DES is used now were non-existent. The case of covering-up knowledge of DES and Enigma are quite different because happening in different *contexts* . But maybe the govt is keeping the population in ignorance, not telling them that a war *is* going on *now* ? 
JFA Some peoples believe that words have an intrinsic meaning outside of their appropriate context. You can usually find specimens of this group either in political circles or in Voodoo ceremonies. DePompadour, Societe d'Importation Ltee; Limoges porcelain, silverware and crystal JFA Technologies, R&D consultants; physists, technologists and engineers. PGP keys at: http://w3.citenet.net/users/jf_avon ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891 I reserve the right to post publicly any private e-mail sent to me. Unsollicited commercial e-mail will be proofread at US165 $/h Any sender of such material will be considered as to have ac- cepted the above mentionned terms. From snow at smoke.suba.com Tue May 21 22:39:23 1996 From: snow at smoke.suba.com (snow) Date: Wed, 22 May 1996 13:39:23 +0800 Subject: (Fwd) Re: TCM: mafia as a paradigm for cyberspace In-Reply-To: <199605201934.MAA28228@netcom20.netcom.com> Message-ID: On Mon, 20 May 1996, Vladimir Z. Nuri wrote: > the assassination politics is quite Hitleresque at its root. > "kill our enemies, and everything will be better. it is our enemies > that are the root of all evil in the world. extinguish them, and > you solve all problems automatically" It is more the MAD theory brought down to the personal level. The government has the power and authority to kill anyone of us, AP brings out into the open the fact that WE ALL HAVE THAT POWER. KIlling people is (physically) very easy, AP turns the THREAT back on those who hold the power.
Note: I don't necessarily think that AP is a good idea. I think that people should do their own dirty work. > such is the total moral perversion of the thinking behind > "assassination politics". most of the adherents work from the > following argument, nicely summarized by JFA above: > > 1. the government is corrupt > > 2. therefore, it is okay to kill people who further that corruption. > > wow, what brilliant logic. I must admit it proves to be superior to > that embodied by any second grader, a high accomplishment for its > proponents. How about this: Goverments, and the people in them are corrupt. This corruption, caused by acts of these people, lead to oppression and death. By THEIR MORALITY oppression and killing are ok, so it is ok to use their tools agaisnt them. > there is a trite saying, "two wrongs do not make a right" (trite > because most have mastered the simple truth of it in their pre-teen > years). a concept not grasped by some second-graders. some > require a lifetime of lessons to comprehend it in the end.. Putting people in cages is wrong. Stealing is wrong. Is putting people in cages for stealing wrong? > carefully the errors of those who have come before you. write > a long treatise with lots of footnotes to past assassination > difficulties and how you would advance past them. I tell > you flat out that any respectable assassin would be quite embarrassed > to be associated with you at the moment because of your arrogance > and ignorance. I might be wrong here, but I don't think that Mr. Bell actually wants anyone actually shot, well, maybe he does, but what he wants is to have the same power over members of governments than they have over him. Petro, Christopher C. petro at suba.com snow at crash.suba.com From dsmith at midwest.net Tue May 21 22:53:40 1996 From: dsmith at midwest.net (David E. 
Smith)
Date: Wed, 22 May 1996 13:53:40 +0800
Subject: Long-Lived Remailers
Message-ID: <199605212215.RAA13102@cdale1.midwest.net>

An NSA operative with the code name 'tcmay at got.net' wrote...

> Let's call the first site "Alice" and the emanation site "Bob."
>
> That is, all messages sent to the persistent site Alice appear to come from
> the site Bob.
>
> The Church of Clams can simply send messages addressed to themselves
> through the Alice remailer and see immediately that they appear to come
> from Bob.

Unless Alice will automatically rotate between some random set
of Bob1, Bob2, Bob3... It also wouldn't be too difficult
to set up a message that goes through several points before
emerging at a randomly-chosen exitpoint, including a
completely independent remailer.

Actually, there's an Idea. Set up a single address; use
added headers in the style of:

::
Remailers-To-Chain: 7
Remailers-To-Avoid: remailer at nsa.gov
Final-Destination: tcmay at got.net

Each remailer could construct a message that decrements the
remailers counter, preserving the other headers. The usual
caveat on encrypting at each step would apply; but since
remailers' pubkeys are available, that's a trivial concern.

A lot more could be done with this general concept. One
immediate problem is that the frontend address is a target,
even though it can't be obviously connected to any objectionable
messages. Packet sniffing is always a concern, etc etc...

Flame away.

dave

----
David Smith Box 324 Cape Girardeau MO USA 63702
http://www.prairienet.org/~dsmith dsmith at prairienet.org
Reality is only for those lacking in true imagination...
Send mail w/'send pgp-key' in subject for PGP public key

From tcmay at got.net Tue May 21 22:55:56 1996
From: tcmay at got.net (Timothy C. May)
Date: Wed, 22 May 1996 13:55:56 +0800
Subject: NSA's Dual Missions
Message-ID:

At 6:39 PM 5/21/96, jim bell wrote:

>Yes...but... How can the NSA serve two masters?
If the NSA has the >American public's best interests at heart, then it should have revealed the >flaw if it knew of it. (Otherwise, it can't be trusted...) Reminder: the NSA ostensibly has dual missions. First, the gathering of signals and communications intelligence. Second, the securing of American signals and communcations. This second mission is primarily military, diplomatic, and other governmental communications, but has also been extended to assisting in the securing of commercial communications. NSA's (and its daughter org, the NCSC's) involvement in DES fits in here. Some years back there was the "Commercial COMSEC Endorsement" program. Anyway, Bamford describes the dual missions, albeit for the world of 1982 and earlier. --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Tue May 21 23:02:54 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 22 May 1996 14:02:54 +0800 Subject: Long-Lived Remailers Message-ID: At 11:31 PM 5/21/96, David E. Smith wrote: >Unless Alice will automatically rotate between some random set >of Bob1, Bob2, Bob3... It also wouldn't be too difficult >to set up a message that goes through several points before >emerging at a randomly-chosen exitpoint, including a >completely independent remailer. Sure, Alice can always herself add remailer steps. 
I explicitly mentioned this in my message last night, when I wrote:

"(Hal, to use him as the example, could start using his own choice of
remailer hops to accomplish much the same result. We've talked about this
for a long time, too...."

But this is just using more remailers. We know this works.

What Mark Grant was suggesting was something different, a kind of
"disposable final emanation point," designed to go away easily under legal
pressures.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From ncognito at gate.net Tue May 21 23:13:48 1996
From: ncognito at gate.net (Ben Holiday)
Date: Wed, 22 May 1996 14:13:48 +0800
Subject: An alternative to remailer shutdowns
In-Reply-To: <9605212219.AA05501@spirit.aud.alcatel.com>
Message-ID:

On Tue, 21 May 1996, Daniel R. Oelke wrote:

> > Ben Holiday wrote:
> > At this point there are 2 options, which I haven't examined closely: The
> > first is that you require them to send a request for their "consent-code"
> > which can be used to decrypt the mail. Under this arrangement you could
>
> This could be done with no "storage" as well, by a slightly
> different method and still require end recipient acknowledgement.
> The end recipient could be required to reply and include the encrypted
> message. The remailer would then decrypt the message and send back the
> plaintext. Only storage would be the key vs. a message id database.
Well, if we've gone that far, why not attach an encrypted copy of the key
to the piece of mail, and eliminate all storage from the r-ops machine?

> > The second is to simply include the
> > consent-code along with the encrypted piece of mail and a legal notice
> > stating that decryption of the mail constitutes your consent to receive
> > the mail, as well as your agreement to hold the remailer-operator harmless
>
> By reduction - you could just do a rot13 on the message and
> append the "legal notice". If all the information for decoding
> a message is present in that message, is a different encoding
> mechanism really any different from straight ASCII text?
> (i.e. Netscape 9.13 might have auto decoding built in....)
> Then, the user doesn't do anything "extra" - does this invalidate
> the notice?

Donno. IANAL. :)

> I might be wrong, but I don't think that this second method would
> gain you anything in the 2 situations where operators will get
> hassled. 1) Posting of copyrighted material - the lawyers will
> at least harass you no matter what kind of legal notice is up front.
> 2) Mailing of "harassing" information - the person still gets
> unwanted email, and has no way to stop it.

[RANT MODE ON- skip to the next paragraph if you don't like politiks]

Here we are back at step one again. In the end, it would seem that there
isn't much that can be done about the worst forms of abuse, without
filtering mail for content. However, someone pointed out that other
package delivery services have achieved freedom from responsibility for the
content of the packages they deliver - and I believe that a part of the
explanation for this lies in the fact that they /do/ make attempts to
limit abuse in-so-far as they are able.

Part of limiting the remailers' liability is tied up with legitimizing them
as a useful service, and establishing to the public that we are concerned
with abuse.
Too many people believe that the whole point of a remailer is
to facilitate illegal and abusive communication, and unless that changes
we can expect to be dealt with as criminals at worst, or at best as
purposefully negligent. I'm not certain what the solution is, but I am
certain that doing nothing isn't it...

[RANT MODE OFF--]

One idea that came up a while back was a sort of limited tracking of mail
-- an example would be keeping a hash of the email address where mail was
received from for 48 hours, with the hash value being attached to the
piece of mail as a header. This would accomplish two things: We could
source block an address without knowing the source; and if push came to
shove an address could be backtracked to its original source, provided a
complaint was made in time, and that the Bad Guy sent another mail from
the same address. I think that legally there would be a good argument
that the remailer ops had made a reasonable attempt at holding lawbreakers
accountable, while still preserving the anonymity of non-abusers.

Just a thought..

Ben.

From snow at smoke.suba.com Tue May 21 23:20:02 1996
From: snow at smoke.suba.com (snow)
Date: Wed, 22 May 1996 14:20:02 +0800
Subject: SEVERE undercapacity, we need more remailer servers FA
In-Reply-To: <199605210104.UAA27801@cdale1.midwest.net>
Message-ID:

On Mon, 20 May 1996, David E. Smith wrote:

> > I realize that this would be a civil case rather than a criminal
> > one, maybe it would have to be child porn or something illegal to get that
> > far, but if I were to set up a remailer under my real name, and the CO$
> > wife's approval for this, and I don't want to expose Suba to any liability
> > in this. (So relax Alex).
>
> If you don't get the necessary approvals for that, I'd be

I have approval to find out more information. NO, I GET TO BE THE MARTYR.

> will at least get me away from my ex-girlfriend :)

Sometimes it seems like it would be worth it.

> Lest you jump for that delete key now, I'm serious.
We'll see. Petro, Christopher C. petro at suba.com snow at crash.suba.com From root at edmweb.com Tue May 21 23:22:24 1996 From: root at edmweb.com (Steve Reid) Date: Wed, 22 May 1996 14:22:24 +0800 Subject: Long-Lived Remailers In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- > That is, all messages sent to the persistent site Alice appear to come from > the site Bob. > The Church of Clams can simply send messages addressed to themselves > through the Alice remailer and see immediately that they appear to come > from Bob. But this does not prove that _all_ messages from Bob came from Alice. The only messages the Church can prove went through Alice, are the messages they themselves sent through Alice. It would not help the Church to say "We know our trade-secret Mystical Clam Chowder Recipie went through the Alice remailer, because we sent it through that remailer ourselves." Also, Alice could also demonstrate sending a message through Bob without using the Alice remailer at all. I am assuming that in this hypothetical situation, remailers themselves are not illegal, but the owners are held responisble for what goes through them. I am also assuming that Bob does not have any records that show the offending message coming from Alice. ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP (2048/9F317269) Fingerprint: 11C89D1CD67287E68C09EC52443F8830 | | -- Disclaimer: JMHO, YMMV, TANSTAAFL, IANAL. 
-- | ===================================================================:) From tcmay at got.net Tue May 21 23:23:28 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 22 May 1996 14:23:28 +0800 Subject: The Twilight of the Remailers? Message-ID: At 7:59 PM 5/21/96, Alex Strasheim wrote: >I'm closing my mixmaster, nsa at omaha.com, on the 4th of June. > >There wasn't an incident that triggered this, but Hal's post about the FBI >sort of spooked me, as have the lawsuits. I don't have a lot of assets >myself, but I do have partners. My lawyer tells me that there's no >reliable way to separate my personal net activities from those of the >company my parnters and I own, and that I could even be exposing my >parnters to personal liability. > >I can't speak for anyone else, but for me the problem with running a >remailer is that it's an inherently altruistic enterprise. That in itself >wouldn't be so bad, but the liability makes the extent of the altruism >open ended. If I knew that the worst case scenario would be $1k or even a >$5k personal loss I could do it, but an open ended liability that's shared >by my partners is unacceptable. > >I'm sorry for the inconvenience this will cause. Between Hacktic going down, Hal's comments that he may shut down his two sites, and this, plus others who are more quietly making plans to shut down, I think the thread title "The Remailer Crisis" is more apt than ever.
As to potential liability, it is very likely to be vastly more than the examples Alex cites, of $1K or "even a $5k personal loss." Lawyers don't get out of bed in the morning for such insignificant sums. Keith Henson has been a friend of mine for the past dozen years (and I actually met him first in 1976), and he has kept me informed of his fight with the CoS. He's being sued for $100,000 by the CoS. (And they asked him a lot of questions about remailers, and who runs them. He didn't tell them much.) I can't say whether they are likely to win their suit, or what the judgment might be. But make no mistake about it, if the CoS wins and Keith is ordered to pay.... It's one reason I won't run a remailer that can ever be traced back to me. (I also don't have a box on the Net and don't really trust running remailers on machines someone else has root to. And I'm not a Unix person. And....) I figure that there are some, such as Detweiler, maybe government types, maybe others, who would make efforts to "take me down." Posting some child porn through my site to a Usenet group and then alerting the media would pretty much do it. (Or if binaries are not allowed, posting solicitations. Or if Usenet posting is not allowed...well, there are still ways...) "The Twilight of the Remailers"? Ironically, "copyright violation" and "clam secrets" were not even on the list of "the Four Horsemen of the Infocalypse" that we thought would really put remailers under some extreme pressure. If the Scienotologists can shut down many of the remailers, imagine what the Horsemen will do! --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. 
May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From unicorn at schloss.li Tue May 21 23:28:23 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 22 May 1996 14:28:23 +0800 Subject: Hiding remailers behind nymservers...? (fwd) In-Reply-To: Message-ID: On Tue, 21 May 1996, Timothy C. May wrote: [...] > Now it may be that operating a remailer may be interpreted by some courts > as being a "public nuisance," a theory I credit to Brad Templeton, but this > has not yet come even close to happening. Brad might be on the mark. One famous case ended in the result of declaring a union leader a public nusiance. > --Tim May --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From pfarrell at netcom.com Tue May 21 23:31:34 1996 From: pfarrell at netcom.com (Pat Farrell) Date: Wed, 22 May 1996 14:31:34 +0800 Subject: alternative sites for NIST GAK 3 draft Message-ID: <199605212318.QAA07251@netcom13.netcom.com> The computer at, and link to, www.isse.gmu.edu are slow and old. If you have trouble, copies are also at: http://www.epic.org/crypto/key_escrow/white_paper.html and http://www.eff.org/pub/Privacy/Key_escrow/Clipper_III Other related stuff at eff.org will go here when available. (c.f. .../Key_escrow/Clipper_II and .../Key_escrow/Clipper, predictably). Pat Pat Farrell Grad Student http://www.isse.gmu.edu/~pfarrell Info. 
Systems & Software Engineering, George Mason University, Fairfax, VA PGP key available on homepage #include

From snow at smoke.suba.com Tue May 21 23:35:32 1996
From: snow at smoke.suba.com (snow)
Date: Wed, 22 May 1996 14:35:32 +0800
Subject: Rumor: DSS Broken?
In-Reply-To: <199605211740.KAA02723@mail.pacifier.com>
Message-ID:

On Tue, 21 May 1996, jim bell wrote:

> >Also, there are expert cryptographers outside the NSA, and outside the US;
> >you might check where Dobbertin lives. And this is a Good Thing.
>
> Yes, it is. But I'd like to think that the NSA isn't acting as if WE are
> the "enemy."

I'd like to believe that Santa will bring me Sparc20.

Petro, Christopher C.
petro at suba.com
snow at crash.suba.com

From llurch at networking.stanford.edu Tue May 21 23:35:50 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Wed, 22 May 1996 14:35:50 +0800
Subject: An alternative to remailer shutdowns
In-Reply-To:
Message-ID:

On Tue, 21 May 1996, Ben Holiday wrote:

> After pondering a bit it seems to me that the "knock knock" remailer
> approach (only send anon-mail if the recipient agrees to receive it) could
> be made feasible pretty easily.
>
> Rather than hold the mail while waiting for a consent to release, you
> could simply encrypt the piece of mail with a symmetric algorithm on its
> final hop, and send the encrypted mail to the recipient.

Interesting idea, but anything requiring specific software on the user's end is a losing proposition IMO.

remailer-operators at c2.org removed cuz I ain't one.

-rich

From tcmay at got.net Tue May 21 23:37:44 1996
From: tcmay at got.net (Timothy C. May)
Date: Wed, 22 May 1996 14:37:44 +0800
Subject: Remailers, Copyright, and Scientology
Message-ID:

At 12:36 AM 5/22/96, Allen Ethridge wrote:

>I've been following alt.religion.scientology mostly for entertainment
>reasons, and occasionally to correct some of the false statements about
>psychiatry made by Scientologists.
There's more to the story than you >appear to be aware of. The extra-legal actions didn't originate with >the alleged copyright violations, nor are the legal actions of the cult >limited to protecting their copyrights. Now that the cypherpunks have >been brought to their attention it's entirely possible that the major >posters on this newsgroup will become the subject of Scientology's, or >rather Religious Technology Center's legal actions. Ironically, CoS was trying to determine my name, from Keith. If I'm subpoenaed, I think I'll tell them to fuck off. I'm not a party to the CoS business in any way, save for whatever influence I may have had when the first remailers were implemented several years ago (by others, not me) and whatever ideas I may have discussed here on this list. >Yes, the cult does have a legitimate interest in protecting their >copyrights. No, the cult does not have a valid reason for using the >heavy-handed legal tactics of which they are so fond. I'm not a defender of CoS, let's make this clear. I knew they were flakes since I first heard of them back around 1967, before most of you were even born. But there is an ongoing, vitriolic battle between the CoS and its critics, and the remailers are one of the main "weapons" being used. I take no sides whatsoever, merely noting that it is, in Bill Stewart's words, "unsurprising" that CoS lawyers are taking the steps they are taking. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." 
From bogus@does.not.exist.com Tue May 21 23:51:32 1996 From: bogus@does.not.exist.com () Date: Wed, 22 May 1996 14:51:32 +0800 Subject: No Subject Message-ID: <199605220243.TAA00264@netcom5.netcom.com> ! Theses peoples refuse to register their guns, although it is ! mandatory in canada (to be registered within 7(?) years...) There has been total firearm registration since 1968. ! > >> >You'll note that the psycho-epistemology necessary to ! > >> >commit murder is quite close to the one necessary to coerce ! > >> >poeples to pay taxes. You'll note that the psycho-epistemology necessary to commit murder is quite close to the one necessary to coerce poeples to pay rent. ! > Not really, only the time in history. Their property was ! > 100% taken, and they were marched to OK from GA. The IRS ! > may be bad...but they aren't THAT bad...[disclaimer: I ! > am (a tiny) part Cherokee. Consider that many whites feel guilty if they feel they don't have any afro-asian bloodlines. Consider the dangers of anti-racism to your self-esteem. ! You did not answer my question: When our local Mohawks accuse the ! white peoples to have stolen their land, I ask "when did I do that? ! I can't remember..." I refuse to be held responsible for things that ! were done several hundred years ago. Period. As I said, I *never*, ! not even in my early years, believed in original sin. Then you hold irresponsible refusals. ! > >Are you talking of an open war a la Bosnia? ! > ! > Hopefully not. Who can tell how far the anti-racists will go to establish their power cult. ! > and the legitimate self defense ! > options which are peaceful have not been adequately explored. IMO Racism. ! > >> Bottom line for me: "Two wrongs don't make a right." ! > > ! > >Please state the basic premise that make you declare what is ! > >"wrong" in the context of AP. They Always lie on racial issues. ! I am sorry, but I do not accept that as a valid argument. What if ! 
somebody came to take away your means of feeding your kids? ! What if somebody was menacing you or your kids? ! There are instances, as you seem to agree, when killing is justified. ! What is meant by the sentence is: Thou shalt not initiate lethal ! violence. Racism. ! > Taxation is theft, I fail to see your point. Well, depends. Anti-racism is theft. From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 00:17:37 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 22 May 1996 15:17:37 +0800 Subject: Senator, your public key please? Message-ID: <01I4ZHDZ4B2S8Y5IL9@mbcl.rutgers.edu> From: IN%"unicorn at schloss.li" "Black Unicorn" 18-MAY-1996 14:43:54.95 >Well, this depends on what we assume a signature does. Quite. I've been considering what the _current_ (as opposed to the proposed) system of keys actually does. Signing a key says two things: A. I think that everyone who has the corresponding private key is willing, or was willing at some point, for all the others also with the private key to encrypt and decrypt using it. E.g., it hasn't been stolen; I'd thus be more willing to sign a security-conscious person's key (e.g., Perry) than a security-unconscious person's key (e.g., my mother). B. If there's a true email address attached, unless I'm doing this as a joke, I think that at least one entity capable of receiving (and probably sending) mail at that address has the corresponding private key. Neither of these appear to imply much patronage, unless Senators aren't allowed to send letters of reference for security-related jobs. (I'd think the Army could consult a Senator on whether to give someone a clearance...) -Allen From mp at psyche.the-wire.com Wed May 22 00:19:17 1996 From: mp at psyche.the-wire.com (M. Plumb) Date: Wed, 22 May 1996 15:19:17 +0800 Subject: Canada allows crypto exports Message-ID: Several months ago I filed a set of export applications requesting permission to export cryptographic software from Canada. 
I learned a few things from these applications, my conversations with people at Export Controls, and my own careful reading of Canada's export laws. There are a few countries to which you may not export anything, without a permit. You need a permit to export most cryptographic software. It is legal to export Canadian software, even cryptographic software, which has no restrictions on distribution (this must be explicitly stated, not just implied by being available for public FTP). No paperwork needs to be filled out. Cryptographic software of U.S. origin may be exported, but you need to file paperwork. Cryptographic software from other countries may be exported without any paperwork. These are the Canadian rules. Canada interprets and enforces the U.S. export laws when they think it is necessary. While the U.S. government has sometimes objected to a Canadian interpretation, no Canadian exporter, acting with Canadian permission, has been charged by the U.S. government. The export of cryptographic software from Canada is under review right now. All of this could change at any time. A complete explanation of the process, and results is available from the Electronic Frontier Canada's web site at: Marc Plumb mp at the-wire.com May 21, 1996 From ncognito at gate.net Wed May 22 00:19:19 1996 From: ncognito at gate.net (Ben Holiday) Date: Wed, 22 May 1996 15:19:19 +0800 Subject: The Twilight of the Remailers? In-Reply-To: Message-ID: On Tue, 21 May 1996, Timothy C. May wrote: > Keith Henson has been a friend of mine for the past dozen years (and I > actually met him first in 1976), and he has kept me informed of his fight > with the CoS. He's being sued for $100,000 by the CoS. (And they asked him > a lot of questions about remailers, and who runs them. He didn't tell them > much.) > > I can't say whether they are likely to win their suit, or what the judgment > might be. But make no mistake about it, if the CoS wins and Keith is > ordered to pay.... 
>

Thanks for the encouraging words.

As the mailers drop off, it's seeming more and more likely that my mailer will need to be temporarily offed also. (I would like to stress temporarily.) Unfortunately, fewer remailers means that the mailers that are left will be bearing an exponentially increasing amount of risk, not to mention the increase in traffic levels overall.

The suggestion of inverting the sense of destination blocking seems the most feasible on a short term level... and will most likely be the route that I take for the near future.

The remailer at this account will remain up temporarily, pending further notice.

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 00:31:51 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 22 May 1996 15:31:51 +0800
Subject: Instant Remailers
Message-ID: <01I4ZI9MJ3AY8Y5IL9@mbcl.rutgers.edu>

From: IN%"tcmay at got.net" 19-MAY-1996 08:03:24.32

>At 12:38 AM 5/19/96, Mark M. wrote:
>>It is possible for someone to operate an anonymous remailer anonymously.
>>Just get a UNIX shell account under a fake name, pay with cash, and set up
>>the remailing software. The identity of the operator of such a remailer
>>would be difficult, if not impossible, to discover.

>Now, can a site which "offers" such accounts be held liable? If the site
>drops an account when presented with _appropriate_ legal papers (a court
>order, such as an injunction), and if it takes a "hands-off" policy with
>respect to what customers run in their accounts, then it ought to be safe
>from actual liability.

Depending on the site (e.g., governmental), it may be ethical not to bother letting the site owner know that you're doing so anonymously. The ethics of this would also vary depending on whether the site owner is legally required to get ID or not.

>Ideally, such remailers should require no involvement at all by the account
>holder. Just a "start" command, by the account holder.
(Not the site >administrator, as this could be construed as involvement by him.) >But an "instant remailer" (just add water) is needed. Recent questions here >on the list about what it takes to run a remailer may mean some advice is >needed. Quite. I'd appreciate it. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 00:32:21 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 22 May 1996 15:32:21 +0800 Subject: Senator, your public key please? Message-ID: <01I4ZHNMMHLM8Y5IL9@mbcl.rutgers.edu> From: IN%"frantz at netcom.com" 18-MAY-1996 21:54:01.23 >This is exactly analogous to slanderous attack on someone's reputation. As >soon as people realize that the mere fact that a key has a signature does >not mean that the key-owner solicited the signature, the problem goes away. This is interesting in light of social networks analysis as applied to the web of trust (one interesting web-reference on such analysis is at http://www.mpi-fg-koeln.mpg.de/~lk/netvis.html; as well as some examples - use a graphics-capable web browser - it has some links to a FTP site with programs). One method of such analysis uses what is sometimes called "gravity;" under it, positions move to be close to those to which they are linked. This can be one-way or two-way; the above fact may imply that signing someone's key should move one closer to that person - and not the other way around. Of course, when analyzing the result, one should keep in mind that one may not have beneficial intent when signing a key; LD's signatures are examples. Thus, closeness on such a network may imply a high degree of relationship, but not a high degree of _positive_ relationship. 
-Allen

From jimbell at pacifier.com Wed May 22 00:50:01 1996
From: jimbell at pacifier.com (jim bell)
Date: Wed, 22 May 1996 15:50:01 +0800
Subject: Remailers, Copyright, and Scientology
Message-ID: <199605220346.UAA17821@mail.pacifier.com>

At 07:36 PM 5/21/96 -0500, Allen Ethridge wrote:

>Yes, the cult does have a legitimate interest in protecting their
>copyrights.

I'm wondering whether they properly handled the copyright status of some of those (silly) texts. While it is somewhat nice of you (in regards to them) to say what you did, it is possible that they lost their copyrights decades ago by printing them (even internally) without the (then) appropriate "circle-C" copyright notice. Chances are good that none of this material could survive a genuine copyright test case today.

Jim Bell
jimbell at pacifier.com

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 00:55:23 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 22 May 1996 15:55:23 +0800
Subject: MixMaster fair use
Message-ID: <01I4ZJ03692E8Y5IL9@mbcl.rutgers.edu>

From: IN%"loki at infonex.com" 21-MAY-1996 17:19:02.59

>The problem is RSAREF. I can't choose license terms for that.

Oof... I see the problem. No, it's not you, it's them. I've forgotten exactly what claims RSA has; patent (when does it expire?), copyright (can it be rewritten), or trade secret (wasn't it broken?)? Without some form of getting around this (or licensing from them), usage for pay will be kind of difficult.
-Allen

From jimbell at pacifier.com Wed May 22 00:57:51 1996
From: jimbell at pacifier.com (jim bell)
Date: Wed, 22 May 1996 15:57:51 +0800
Subject: NIST Draft Key Escrow Paper
Message-ID: <199605220249.TAA14476@mail.pacifier.com>

A few comments on the NIST draft.

SUBJECT: Draft Paper, "Enabling Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure"

FROM: Bruce W. McConnell [Initials]
Edward J. Appel [Initials]
Co-Chairs, Interagency Working Group on Cryptography Policy

> It would permit users and manufacturers free
>choice of encryption algorithm, facilitate international
>interoperability, preserve law enforcement access, and, most
>importantly, provide strong system security and integrity.

What if we don't WANT to "preserve law enforcement access"? What if we believe that, as individuals and as a society, we would be safer and better off to emasculate the government-employed thugs?

> Recognizing that a robust infrastructure is not yet a
>reality, we are also considering measures to liberalize export
>policy for some non-escrowed products.

Why restrict it at all?

>Enabling Privacy, Commerce, Security and Public Safety in the
>Global Information Infrastructure

Too bad they weren't more honest and said, "Government employee safety."

>Government
>and industry must work together to create a security
>management infrastructure and attendant products that
>incorporate robust cryptography without undermining national
>security and public safety.

I don't believe this. Do you?

> A policy for escrow of
>cryptographic keys which provides a basis for bilateral and
>multilateral government agreements must be determined so that
>industry can produce products for worldwide interoperability.

WRONG! This is NOT necessary in the least. Just allow free export, period.

>Industry will participate in defining algorithms and protocol
>standards, and will develop key escrow encryption products
>suitable for the protection of both government and private
>sector information and which will assure timely, lawful,
>government decryption access.

If this system is "voluntary" then why the "assure" part?

> Government will help set
>standards for the Key Management Infrastructure (KMI) and
>deliver a market for robust security products.

In other words, it will shell out stolen tax dollars to willing co-conspirators. No thank you!
A KMI
>infrastructure and attendant key escrow products will provide
>many benefits, both domestic and internationally, as the US
>begins to realize the advantages of the global network for improve commerce, security and public safety.

Most if not all of these advantages have no need for a "key management infrastructure."

> The nation's commerce is moving to
>networking. With these enormous changes, means must be found
>to responsibly raise the quality of cryptographic services
>without jeopardizing effective law enforcement, imperilling
>public safety.

I wish they'd be a bit more honest and use "government safety" instead of "public safety."

> Industry and government must partner in the development
>of a public key-based key management infrastructure and
>attendant products that will assure participants can transmit
>and receive information electronically with confidence in the
>information's integrity, authenticity, and origin and which
>will assure timely lawful government access.

Why, exactly, "must" industry do this? This whole system is supposed to be "voluntary," right?

There is a more compelling rationale for the government to be a partner in the development of the KMI. Not only has the Information Age sparked fundamental changes in the way we interact, but reliance on information systems makes our institutions vulnerable to an unprecedented degree.

Aha! "our institutions vulnerable to an unprecedented degree?" You're catching on! But it's primarily the GOVERNMENT institutions which are going to be vulnerable.

> Almost all
>institutions upon which public safety and national security
>depend, ranging from the power grid to military command and
>control, are at severe risk because of their presence in and
>dependence upon a global information infrastructure.

Yes, you guys know you're gonna get your statist butts kicked, right out the door. (In case you couldn't imagine it, I'm grinning right now...)
> Additionally, the widespread
>use of encryption without safety features such as key recovery
>can pose serious risks to society.

No, not a risk to "society". A risk to government and its agents.

> It will put at risk
>important law enforcement and national security investigations
>where electronic surveillance and search and seizure are
>essential in preserving and prosecuting crimes, and more
>importantly, in saving human life.

I choose to forgo these investigations and their advantages.

> Participation in the KMI will be voluntary. Key escrow in
> the KMI will occur naturally through mutually trusted
> authorities.

What do you mean, "Voluntary"?

>+ There will be a transition period during which legacy
> equipments which do not support key recovery can be used
> to communicate with users in emerging full featured KMIs.

Huh? If this system is really "voluntary," this last paragraph doesn't make sense.

> Self-escrow will be permitted under specific
> circumstances.(1)

Huh? What is the word "voluntary" supposed to mean, with relation to these statements?

> Export controls on Key Escrow products will be relaxed
> progressively as the infrastructure matures.

Why not eliminate escrow controls on all products?

(1) The escrow agency must meet performance requirements for law enforcement access.

Again, whither "voluntary"?

> To participate in the network a user needs a public key
>certificate signed by a CA which "binds" the user's identity
>to their public key.

That's simply wrong. No certification is needed to use public-key encryption, as users of PGP well know.

> One condition of obtaining a certificate
>is that sufficient information (e.g., private keys or other
>information as appropriate) has been escrowed with a certified
>escrow authority to allow access to a user's data or
>communications.(3) (As noted before, this might be the CA or
>an independent escrow authority). The certificate creation
>process is pictured above.

Sounds like more abuse of the word, "voluntary."

> For users to have confidence in the KMI, CAs must meet
>minimum standards for security, performance, and liability. A
>Policy Approving Authority (PAA) certifies CAs for operation.
>The PAA sets rules and responsibilities for ensuring the
>integrity of the CAs. The PAA is also responsible for setting
>CA performance criteria to meet law enforcement needs.

"Voluntary"?

> If law enforcement has obtained legal authority to access
>a user's encrypted data or communications, it would certify
>that authorization to the escrow authority. The escrow
>authority will then relinquish information sufficient to
>access the user's communication.

"Voluntary"? What if the user has already come to an agreement with the escrow authority that under no circumstances should any key be disclosed? What if the user only gives the escrow authority an encrypted key?

>III. Some Issues
> Difficult issues include i) how to refine the application
>of export controls, ii) whether and to what extent to permit self-escrow,

More "voluntary" abuse...

>Export Controls
> The task, then, is to find a method of applying
>export controls that meets the interest of national security,
>public safety, privacy, and competitiveness.

Uh, have you forgotten about "individual freedom"?
> Freedom to choose any mutually trusted certificate
>authority may accommodate the above interests.

How about "freedom to choose NO trusted certificate authority"?

>(4) In addition,
>allowing ready export of products of any bit length to markets
>where the key management infrastructure, which complies with
>statutory constraints, is in place to permit government
>access to keys, would provide both a level market for U.S.
>manufacturers and higher quality security products for users.

I don't want a "level playing field" here. I want a free, unrestricted, and open playing field.

>Products that meet defined performance requirements and which
>will not operate until the key is escrowed with an appropriate
>certificate authority will address commercial, public safety
>and national security needs.

But they won't address individual freedom needs.

(4) A mutually trusted authority is an escrow agent trusted by users to store keys and trusted by law enforcement to provide access upon certification of lawful authority.

How can I trust any organization that will compromise my privacy on request by the government thugs?

>Transition
> We are working toward a policy that permits licensing of
>key recovery encryption systems regardless of algorithm, bit
>length, or whether implemented in hardware or software, once
>needed infrastructure and government-to-government agreements
>are in place.

Don't bother. I have an easier system already. "Free and unencumbered exports for all software and hardware." There, that's easy.

> In the interim we recognize that the policy must
>make it worthwhile for manufacturers and users to invest in
>escrowed KMI.

In other words, you want to misuse the power of government to bribe them into cooperation.

With these objectives in mind, and consistent
>with applicable statutes,

But ignoring most of the US Constitution...

the interim policy will consider:

Prior to formal government-to-government agreements:

>+ Permitting export of products that use an escrowed KMI to
> approved markets, e.g., Europe or Australia, consistent
> with the policies of the destination country.

What if "the policies of the destination country" don't ask for ANY escrow system? Are you saying you'll support free export in those cases?

> Continuing and expanding the administration's previously
> announced key escrow initiative by permitting the export
> of 64 bit S/W or 80 bit H/W key escrow products that meet
> defined performance requirements, after one-time review,
> to any destination if keys will be escrowed in the U.S.,
> or in foreign countries with which the U.S. has a
> government-to-government key escrow agreement.

Not acceptable. How about 128-bit, non-escrowed software? That would be a good start.

> Permitting the export of other products on a case-by-case
> determination that such exports are consistent with US
> interests.

Maybe you meant, "government interests"?

> The proposals for an interim export control policy are
>founded on the assumption that the products will require the
>use of an escrowed KMI in a country with which the U.S. has a
>government-to-government agreement.

Aha! So you're assuming THEIR country's thugs and OUR country's thugs will gang up on us?

> The interim policy also reflects a judgment that overseas
>escrow of key will generally be permissible with suitable
>government-to-government arrangements. There is a concern that
>U.S. products with keys escrowed in the U.S. will not be
>saleable overseas. Hence, it may be possible to permit
>overseas escrow in Europe, even before government-to-
>government arrangements are completed. This exception is
>possible since the European countries are already moving to
>implement key escrow systems and we can reasonably expect to
>enter into law enforcement agreements in the near term.

Danger Will Robinson! Danger!
>The
>OECD's goal of negotiating multilateral cryptography
>guidelines by 31 December 1996 is further evidence of European
>intent and momentum in infrastructure development.

YES! Gotta make sure you don't get your collective butts kicked out of power, huh?

The interim policy reflects a differentiation between hardware and software products, i.e., hardware products with greater bit lengths are treated more favorably under this policy. Hardware implementations of products permit more confident binding between encryption and the key management, limiting the risk that the encryption can be easily stripped from the key management and used independently of key recovery.

Uh, where's that "voluntary"?

>Software does not provide similar protection. This
>said, the interim policy to permit export of 64 bit software
>key recovery products would reflect a significant increase
>over the bit length restrictions applicable to non-key
>recovery products.

Self-Escrow

> Self-escrow will be a principal concern of many large
>corporations that want to provide corporate data recovery,
>protect against loss of proprietary data from use of an
>outside escrow agent, and simply for reasons of efficiency and
>cost. Hence, self-escrow must be considered as an acceptable
>option.

How about "non-escrow"?

> A solution is a national policy which allows CAs for an
>organization to serve as escrow authorities if they can meet
>necessary performance requirements. These requirements should
>be determined by government in consultation with industry and
>should address timeliness, security, confidentiality of
>requests for, or release of, keys, and independence of the
>escrow authority from the rest of the organization. To this
>end, the government should seek legislation that would shield
>organization certificate authorities from internal pressures
>in the course of law enforcement investigations.

In other words, you don't want "honesty" to affect the snitches?

>Legislation
> There is some consensus that the ultimate legislative
>package should include provisions to criminalize the
>unauthorized disclosure/use of escrowed key, provisions to
>authorize civil actions by victims against those responsible
>for the unauthorized disclosure/use of escrowed key,
>provisions specifying the circumstances in which escrowed key
>may be requested and released (e.g., death of a family member
>or employee), and establishing liability protection for
>certificate authorities who exercises due prudence in the
>fulfillment of their performance obligations.

What about requirements that people whose keys are requested be notified immediately of such a request and are given an opportunity to challenge it, or even better given an opportunity to demand that the key is erased, or given an opportunity to FAIL to provide a decrypt key to unlock the escrowed decrypt key?
>Government to Government Agreements
>
> There is an expressed need by all governments to have
>access to information affecting their own security

Finally they admit it!

> To demonstrate resolve and good faith, the United States
>Government should immediately:
>

The only way the US government could demonstrate "good faith" is to disband itself immediately.

6. Negotiate with other governments arrangements for access to escrowed keys consistent with national sovereignty, national security, and public safety.

As trusted partners, industry and government can share expertise and tackle intractable problems such as the insecure operating system. In times past, the cryptographic algorithm was the core of the solution: now it is the easy part. The debate over algorithms and bit lengths should end: it is time for industry and governments to work together to secure the GII in such a way that does not put the world at risk.

We agree that "the debate over algorithms and bit lengths should end." We just think it should end with complete and total elimination of export restrictions. Period!

Key Recovery Performance Criteria

Key recovery provides for backup storage of a user's private keys. This backup capability helps ensure the availability of a user's data even after it has been encrypted. It also provides for an effective means for law enforcement access. Key recovery requirements should be viewed from the perspective of the individual, the corporation, or governments that require access. Most of the criteria to be discussed have a dimension for key recovery on an individual basis as well as from a corporate or government perspective. The criteria can be grouped into three categories.

+ Confidentiality - Confidentiality must be maintained on all requests for release of key recovery information.

WHY? If the system is VOLUNTARY....

[is there some reason that the bozo didn't include an email address?]

Jim Bell
jimbell at pacifier.com

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 01:13:46 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 22 May 1996 16:13:46 +0800
Subject: SEVERE undercapacity, we need more remailer servers FAST
Message-ID: <01I4ZJRNMRX68Y5IL9@mbcl.rutgers.edu>

From: IN%"tcmay at got.net" 20-MAY-1996 06:17:52.64

>But any country that is "anti-Scientology" is likely to be repressive in
>various ways we would find inimical to our goals. Germany is a prime
>example: yes, they have placed restrictions on the CoS, but they have also
>ordered crackdowns on Internet sites.

>Whatever one may think of Scientology, or Catholicism, or Baalism, or
>whatever, crackdowns by the government ("anti-Scientology,"
>"anti-Catholic," etc.) is not a good thing.

I do not disagree that countries shouldn't place any more restrictions on Scientology than they do on any other profit-making business. It's simply that a remailer operator would be more likely to win in court in such a country; if Scientology isn't _allowed_ in a country, this isn't good but they at least can't exactly do any nuisance suits.
To a lesser degree, they might be suable back very easily if the judge & jury were sympathetic. I got the basic idea from the regulatory arbitrage section in your Cyphernomicon, as it happens. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 01:14:46 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 22 May 1996 16:14:46 +0800 Subject: Senator Leahy, your public key please? Message-ID: <01I4ZITDBFUO8Y5IL9@mbcl.rutgers.edu> From: IN%"stewarts at ix.netcom.com" "Bill Stewart" 20-MAY-1996 03:34:34.06 >While I agree that keyservers don't need to validate keys - that's a >job for the web of trust, and the keyserver-admin could sign keys >if he/she/it wanted to - it may make sense for the keyservers to only >accept keys in messages signed by the key itself. (Just signing the key >doesn't help much here; you need to sign the key-plus-signatures.) >Does it make sense to include some similar capability in PGP itself? I would suggest that the keyserver should simply keep track (via keeping the signatures) of which signatures were with the key holder's permission (signed by the key holder) and which aren't. This won't be necessary for mutually-signing keys, of course. -Allen From snow at smoke.suba.com Wed May 22 01:33:46 1996 From: snow at smoke.suba.com (snow) Date: Wed, 22 May 1996 16:33:46 +0800 Subject: Long-Lived Remailers In-Reply-To: Message-ID: On Tue, 21 May 1996, Timothy C. May wrote: > At 3:00 PM 5/21/96, Rev. Mark Grant, ULC wrote: > >On Tue, 21 May 1996, Timothy C. May wrote: > >> Traffic analysis will be quite easy to do, of course, as all mail sent to > >> the persistent address comes out of the "disposable at foo.com" address. > >> Q.E.D. > > > >Yeah, but the attack model I was assuming was lawyers rather than > >intelligence agencies. The NSA could probably easily link the two > >together, but the Church of Foobar(tm) probably couldn't. 
They'd only have
> >access to the logs on the ISP and the information you gave when you signed
> >up, not the raw packets on the Net.
>
> The traffic analysis on this fixed mapping system needs no access to
> packets and is childishly simple.
>
> Let's call the first site "Alice" and the emanation site "Bob."
>
> That is, all messages sent to the persistent site Alice appear to come from
> the site Bob.
>
> The Church of Clams can simply send messages addressed to themselves
> through the Alice remailer and see immediately that they appear to come
> from Bob.

Randomize the output remailer? Sometimes Alice exits Bob, Sometimes Charlie, sometimes Tom etc.

Petro, Christopher C.
petro at suba.com
snow at crash.suba.com

From tcmay at got.net Wed May 22 01:40:11 1996
From: tcmay at got.net (Timothy C. May)
Date: Wed, 22 May 1996 16:40:11 +0800
Subject: Canada allows crypto exports
Message-ID:

At 1:30 AM 5/22/96, M. Plumb wrote:
>Several months ago I filed a set of export applications requesting
>permission to export cryptographic software from Canada. I learned a
>few things from these applications, my conversations with people at
>Export Controls, and my own careful reading of Canada's export laws.
>
> There are a few countries to which you may not export anything,
> without a permit.

Except for trading with Cuba, same countries U.S. specifies.

> You need a permit to export most cryptographic software.

As per arrangements with U.S.

> Cryptographic software of U.S. origin may be exported, but you
> need to file paperwork.

Canada is the 51st state, or possibly only a territory or possession.

> Cryptographic software from other countries may be exported without
> any paperwork.

As with the U.S.

> These are the Canadian rules. Canada interprets and enforces the
> U.S. export laws when they think it is necessary. While the U.S.
> government has sometimes objected to a Canadian interpretation, no > Canadian exporter, acting with Canadian permission, has been charged > by the U.S. government. Despite the above, just how could a Canadian exporter, in Canada, be "charged" by the U.S. government? Please explain. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 01:49:03 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 22 May 1996 16:49:03 +0800 Subject: Remailers vs Nyms - conflicting assumptions? Message-ID: <01I4ZI1ZZULS8Y5IL9@mbcl.rutgers.edu> From: IN%"raph at cs.berkeley.edu" "Raph Levien" 19-MAY-1996 05:46:40.03 >Bruce Baugh wrote: >> What would it take to create a nym server that could route around the death >> or disability of any given mailer? >Well, that would be a serious problem. The big question is: who decides >the routing? With the existing nym setup, the client decides the entire >route. The nymserver knows only the first hop. For the nymserver to be >able to route around damage, it would have to know that there is damage, >and that implies knowing the route. Could a reply block be restructured so as to have a series of binary/trinary/whatever decisions embedded in it, in encrypted form? In other words, the remailer doing the remailing knows (transiently, hopefully) to whom it's sending. 
It would have a choice of two remailers to use for this, and would wipe the other reply block (replacing it with random gibberish). If two were down, it could do a random choice; if one was down, it would send it via that one; if both were down, you get the same situation as currently. Now, one problem that I can see is increasing the length of the reply block-perhaps greatly if it was done enough. Given the need for fixed lengths (e.g., Mixmaster) to really get around traffic analysis, this could be a problem. There's also the question (to be left up to the user) of whether you should try any remailers again in the chain if the choice had earlier said no. If the answer was yes, then you'd have a greater chance of it hitting a remailer that didn't realize another remailer was down. If the answer was no, traffic analysis would be helped by knowing - if a remailer was subverted - that it was less likely that a particular remailer was going to be used. Indeed, with subversion you could choose the easier-to-trace remailer to send messages through when you had a choice. -Allen From mpd at netcom.com Wed May 22 01:49:05 1996 From: mpd at netcom.com (Mike Duvos) Date: Wed, 22 May 1996 16:49:05 +0800 Subject: The Twilight of the Remailers? In-Reply-To: Message-ID: <199605220316.UAA18744@netcom2.netcom.com> tcmay at got.net (Timothy C. May) writes: > Between Hacktic going down, Hal's comments that he may shut > down his two sites, and this, plus others who are more > quietly making plans to shut down, I think the thread title > "The Remailer Crisis" is more apt than ever. > As to potential liability, it is very likely to be vastly > more than the examples Alex cites, of $1K or "even a $5k > personal loss." Lawyers don't get out of bed in the morning > for such insignificant sums. Yet fully anonymous mailing has always been supported by the Post Office. 
You may put anything, or nothing, as the return address on an item to be mailed, and drop it in the dead of night into one of millions of conveniently provided bins located almost everywhere. All for the quite reasonable price of thirty-two cents. It is interesting that the above model doesn't seem to survive parallel translation across the manifold to the TCP/IP arena. One reason for this is that there is no Postal Equivalent of Usenet. If anonymously mailed items magically appeared as articles in tomorrow's paper, for instance, one might expect significant heat to be generated, as well as calls for the elimination of anonymous mailboxes, and the association of a valid ID with each item mailed. The other reason is that the network of anonymous Postal mailboxes is so vast, and specific individuals are not associated with particular mailboxes. There is no way for someone like Hal to have rhetorical responsibility, for instance, if the Unabomber plops his latest exploding package into a particular box. > It's one reason I won't run a remailer that can ever be > traced back to me. (I also don't have a box on the Net and > don't really trust running remailers on machines someone > else has root to. And I'm not a Unix person. And....) Of course, Unix people can send anonymous mail without the use of remailers. Spoof an Ident or an IP, stuff it in some kind person's sendmail port, and "Voila!", the mail is on its way. Perhaps we need a remailer that automates this process. Current remailers all identify the sender quite clearly with a message such as the following... "This message was mailed by an automatic posting service. The sender takes no responsibility for its contents, but if you want to sue someone for an unspeakable amount of money, my name is Hal." It is clear that this model for remailers fails miserably if any significant amount of legal heat is applied. 
Contrast this with a DC-Net of boxes which can covertly inject packets into the Net, in some untraceable manner. Now we have no identifiable "Hal" to be harassed, and no one for the Clams to aim their lawyers at. Perhaps we could also do something with Mobile Agents, which could carry an encrypted message and stuff it into the Net from some random location. We are certainly at the point where the notion of a "remailer" as an identifiable source of traffic run by a specific individual is about to bite the dust.

> Ironically, "copyright violation" and "clam secrets" were
> not even on the list of "the Four Horsemen of the
> Infocalypse" that we thought would really put remailers
> under some extreme pressure. If the Scientologists can shut
> down many of the remailers, imagine what the Horsemen will
> do!

I think it's time for a slight leap forward in the technology that is employed to provide the functionality formerly known as "remailing." A little increase in reliability might not hurt either. My current success rate for getting something through a remailer chain is about 50%, and that's using Raph's reliable remailer list as a guide. Time for a brainstorming session.

--
Mike Duvos $ PGP 2.6 Public Key available $
mpd at netcom.com $ via Finger. $

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 01:59:30 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 22 May 1996 16:59:30 +0800
Subject: An alternative to remailer shutdowns
Message-ID: <01I4ZLEKOSPG8Y5IL9@mbcl.rutgers.edu>

From: IN%"llurch at networking.stanford.edu" "Rich Graves" 21-MAY-1996 03:48:35.01

>I certainly think that limiting newsgroup posting would be prudent. It's
>inexcusable that it's possible to use anonymous remailers to post
>*forgeries* (see the smoking flames cross-posted to alt.syntax.tactical).

Hmm? Aside from the very basic "forgery" of adding someone else's name to a post (which only the veriest idiot will pay attention to, especially if the remailer operator adds adequate warning labels outside the headers), what forgeries are possible?

-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 02:05:37 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 22 May 1996 17:05:37 +0800
Subject: FTC online workshop on privacy
Message-ID: <01I4ZKWPMI7K8Y5IL9@mbcl.rutgers.edu>

Pointing out encryption, anonymity, etcetera as means couldn't hurt... BTW, at the end of the message is something from this Adam Starchild fellow, with a web address for "Asset Protection & Becoming Judgement Proof." I'd be interested in a review of it.

-Allen

From: IN%"rre at weber.ucsd.edu" 22-MAY-1996 01:05:58.45
From: Phil Agre

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help at weber.ucsd.edu
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Date: Sun, 19 May 1996 14:41:06 -0700
From: Adam Starchild
To: privacy at ftc.gov
Subject: FTC Workshop on Consumer Privacy in Cyberspace

FEDERAL TRADE COMMISSION WORKSHOP ON CONSUMER PRIVACY IN CYBERSPACE TO BE HELD IN JUNE 1996

The Federal Trade Commission's Bureau of Consumer Education will hold a public workshop on June 4 and 5 to focus on privacy issues in the online marketplace. The development of technologies such as the Internet and the World Wide Web has allowed online businesses to collect and use personal information about consumers, often without consumers' knowledge or consent.
The workshop will examine consumer privacy issues in this new marketplace, consumer and business education about the use of personal information online, and ways to enhance the growth of the online marketplace by fostering consumer confidence. Workshop topics will include the use of consumer information, the use of medical and financial information online, the collection and use of information about children, electronic approaches to protecting consumer privacy online, and the European Union's directive on the protection of personal data. The workshop will be open to the public and will be held on June 4, 1996 from 9:00AM to 5:00PM in Room 432 of the FTC headquarters building, 6th Street and Pennsylvania Avenue, N.W., in Washington, D.C. On June 5, 1996 the workshop will be held from 9:00AM to 12:30PM in Room 332 of the FTC headquarters building. The Bureau invites representatives of consumer groups, industry, government agencies, and other groups to take part in the workshop. Any person wishing to be considered for participation in the public workshop must file a written request, on or before May 24, 1996, to Martha Landesberg, Division of Credit Practices, Bureau of Consumer Protection, Federal Trade Commission, Washington, DC 20580. Posted by Adam Starchild Asset Protection & Becoming Judgement Proof at http://www.catalog.com/corner/taxhaven The privacy list is run automatically by the Majordomo list manager. Send a "help" command to majordomo at ftc.gov for assistance. From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 02:17:04 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 22 May 1996 17:17:04 +0800 Subject: The Crisis with Remailers Message-ID: <01I4ZJKR871W8Y5IL9@mbcl.rutgers.edu> From: IN%"bruce at aracnet.com" "Bruce Baugh" 19-MAY-1996 04:10:44.56 >a point here. I don't think most cypherpunks realize how anonymity is >perceived out in the net at large. >Take news.groups, a fairly important group I happen to read regularly. 
With >the exception of Rich Graves' presence, _all_ the uses I see there are for >cowardly abuse in a way that lets the poster escape having to answer for his >views. I'm not talking about presenting important information where >wrong-headed authorities could engage in reprisals, either, but baseless >accusations of theft, child abuse, and just plain torrents of obscenity. Would you suspect that having more warning labels (before & after, not just in the headers) would help with any negative reputation thus generated? >That's _all_ it's used for (again, with the exception of Rich). >There's a problem here. It's one thing to say that the benefits of anonymity >outweigh the problems. I'm inclined to that view myself. But it's much >harder to defend that view in a forum where anonymity is used so commonly >for problematic ends, and to offer anything in the way of constructive >solutions. It would be pleasing to see more cypherpunks actively dealing >with these problems out there in net.land. You might try pointing out that the only remailing that people see is for allegedly illegitimate reasons. Psychiatrists who are beginning to interact with patients over the net certainly have a good cause to use such remailers... including to prevent governmental tapping, given A. authoritarian governments such as China (blackmail for espionage purposes, for instance); and B. insane U.S. legal decisions like the one I heard about on NPR on 5-21, in which a judge ruled that there was no confidentiality protection prohibiting turning over psychiatric notes. One wonders what that judge's reaction (and the lawyer who asked for the notes) would be to having their confidential documents put into public view... I see no reason to give lawyers more of a privilege than religious/psychiatric individuals. 
-Alle

From jf_avon at citenet.net Wed May 22 02:28:56 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Wed, 22 May 1996 17:28:56 +0800
Subject:
Message-ID: <9605220544.AA08574@cti02.citenet.net>

On 21 May 96 at 19:43, Bad Message trolled:

> ! These people refuse to register their guns, although it is
> ! mandatory in Canada (to be registered within 7(?) years...)
>
> There has been total firearm registration since 1968.

Absolute BS. Since the late seventies, the mandatory registration of all firearms purchased is in effect and you must hold a valid (in French) A.A.A.F. But you did not have to report firearms you already owned. But with our new law, you *have* to register them within 7 years. And apparently, you have to show proof of ownership of a registered firearm to buy ammunition. But I must read about this aspect a little more...

jfa

DePompadour, Societe d'Importation Ltee; Limoges porcelain, silverware and crystal
JFA Technologies, R&D consultants; physicists, technologists and engineers.
PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891
I reserve the right to post publicly any private e-mail sent to me.
Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have accepted the above mentioned terms.

From frantz at netcom.com Wed May 22 02:38:51 1996
From: frantz at netcom.com (Bill Frantz)
Date: Wed, 22 May 1996 17:38:51 +0800
Subject: Long-Lived Remailers
Message-ID: <199605220513.WAA14446@netcom8.netcom.com>

At 4:07 PM 5/21/96 -0700, Timothy C. May wrote:
>Sure, Alice can always herself add remailer steps. I explicitly mentioned
>this in my message last night, when I wrote: "(Hal, to use him as the
>example, could start using his own choice of remailer hops to accomplish
>much the same result. We've talked about this for a long time, too...."
>
>But this is just using more remailers. We know this works. What Mark Grant
>was suggesting was something different, a kind of "disposable final
>emanation point," designed to go away easily under legal pressures.

Ideally the final emanation point will be ephemeral indeed. Perhaps only a few minutes or an hour or two. That will protect Alice against attacks of the form, "I sent something to Alice and it was posted from the same place as that attack on my dictatorial rule."

------------------------------------------------------------------------
Bill Frantz | The CDA means | Periwinkle -- Computer Consulting
(408)356-8506 | lost jobs and | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 02:46:57 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 22 May 1996 17:46:57 +0800
Subject: Hiding remailers behind nymservers...? (fwd)
Message-ID: <01I4ZND2NC7O8Y5IL9@mbcl.rutgers.edu>

From: IN%"tcmay at got.net" 21-MAY-1996 15:27:09.74

>Now it may be that operating a remailer may be interpreted by some courts
>as being a "public nuisance," a theory I credit to Brad Templeton, but this
>has not yet come even close to happening.

Interesting. Let me guess, on the copyright grounds? Kinko's and library copy machines appear to do fine with warning labels; some equivalent should be possible.

-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 03:10:47 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 22 May 1996 18:10:47 +0800
Subject: Toastmasters?
Message-ID: <01I4ZL1QWZX08Y5IL9@mbcl.rutgers.edu>

From: IN%"unicorn at schloss.li" "Black Unicorn" 20-MAY-1996 22:30:15.23

>Ask every state which has such reporting requirements (which is every
>state in the union).
>If you wanted to form an offshore corporation you'd have to form an
>exempted one.

IIRC, there was some discussion of some form of blind trusts a bit back...
it was used under English common law to enable stuff before the actual invention of corporations. The ownership of the stock of such an offshore company by one or more such trusts might get around such problems, especially if the trusts had those (very interesting) flight provisions I believe you mentioned a bit back. >That would clearly change the analysis. RE: making a profit. Well, yes, it is a pretty good argument that you aren't just going for lack of liability, since that's part of what corporations are _for_... -Allen From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 03:14:44 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 22 May 1996 18:14:44 +0800 Subject: An alternative to remailer shutdowns Message-ID: <01I4ZLADUW968Y5IL9@mbcl.rutgers.edu> From: IN%"markm at voicenet.com" "Mark M." 21-MAY-1996 02:41:22.53 >One problem I see with this is that if even one remailer operated using the >block lists instead of permit lists, then every other remailer in the chain >could hypothetically be held accountable for the contents of the message. >This idea of permit lists makes sense, but I am not sure it would really solve >anything. Well, that would depend on the traffic analysis defeating features not working right. Admittedly, for the next-to-last or so remailer, they may not work well enough anyway... but proof beyond a reasonable doubt would be difficult. Civil suits unfortunately don't follow that standard (even for the punishment done through punitive damages), but they do require some proof. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 03:25:51 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 22 May 1996 18:25:51 +0800 Subject: An alternative to remailer shutdowns Message-ID: <01I4ZNUW8BCQ8Y5IL9@mbcl.rutgers.edu> From: IN%"droelke at rdxsunhost.aud.alcatel.com" 21-MAY-1996 22:04:32.30 >Heaven forbid that I use spammers as an idea base, but >to borrow something from them.... 
Set up the headers
>on an anonymous message such that a Reply would result in
>the user automatically being placed on the "deny" list.

Automatically placing someone on the deny list from an email to an address added to the _body_ would be a good thing, in this context, although would mean having to have more than one email address for the remailer.

-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 03:42:10 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 22 May 1996 18:42:10 +0800
Subject: The Crisis with Remailers
Message-ID: <01I4ZN90KWLQ8Y5IL9@mbcl.rutgers.edu>

From: IN%"adam at lighthouse.homeport.org" "Adam Shostack" 21-MAY-1996 15:23:24.24

>Lance Cottrell wrote:

Oops, I just misremembered your name. Sorry.

>|
>| An interesting problem with anonymous postage is that it is likely to kill
>| cover traffic generators.
>|
>Postage is most needed at the point of delivery.
>That is the node that will be taking the heat/paying the lawyers. I'd
>operate a remailer if I was never the last node, because I don't have
>a site that can take the heat/seizure of machines for me. If we pay
>those final nodes to do more, then intermediate nodes can still carry
>cover traffic for free.

One difficulty with this on cover traffic is that one use of it is to send to dummy addresses, with mail that looks PGP encrypted but is actually garbage. Perhaps mail received without postage should be replaced with garbage by the remailer, then sent to a dummy address chosen by the remailer?

-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 03:46:22 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 22 May 1996 18:46:22 +0800
Subject: An alternative to remailer shutdowns (fwd)
Message-ID: <01I4ZLWBOJD08Y5IL9@mbcl.rutgers.edu>

From: IN%"tcmay at got.net" 21-MAY-1996 05:18:04.13

>This is one reason we often talk about the dangers of remailers looking at
>what flows through their systems. Not so much to establish "common carrier"
>status, especially as that kind of status is just not something one sets
>out to establish!, but because the protection of being ignorant gets tossed
>out as soon as one admits to screening, or editing.

Exactly how little can a remailer log and still keep adequate functionality? I may be setting up one or two Mixmaster-type to-other-remailers-only remailers sometime this summer (with one at Lance Cottrell's company so I can get his help easier...), so it is a practical question.... and one the answer to which may depend on whether one is remailing to another remailer, or to a public setting, or to an email address, or from an email address, etcetera.

-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 03:47:22 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 22 May 1996 18:47:22 +0800
Subject: Senator, your public key please?
Message-ID: <01I4ZOC70QOE8Y5IL9@mbcl.rutgers.edu>

From: IN%"frantz at netcom.com" 22-MAY-1996 01:45:15.84

>Perhaps what is needed is anti-gravity for those signatures that are not
>desired by the key owner. The resulting map should show the closeness of
>the relationship.

I could see two different maps, one with such a feature (eliminating relationships, or causing to repulse those which weren't with permissions - via signing the signatures, or via mutual signing, as mentioned before by you and me), and the other with all links. Both would give some interesting interpretations. One other way to use this would be to try out different transitivity of trust measurements and see what produced the most logical result while still (via other analysis) avoiding spoofing/MITM problems.

-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 03:59:16 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E.
ALLEN SMITH) Date: Wed, 22 May 1996 18:59:16 +0800 Subject: Advanced Surveillance Technologies Conference II Message-ID: <01I4ZP1Q5GPS8Y5IL9@mbcl.rutgers.edu> From: IN%"rre at weber.ucsd.edu" 22-MAY-1996 03:08:05.95 From: Phil Agre =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help at weber.ucsd.edu =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: 15 May 1996 13:06:53 -0500 From: "Dave Banisar" To: "Privacy International" Subject: AST II Conference Preliminary Conference Announcement ADVANCED SURVEILLANCE TECHNOLOGIES II Sponsored by Privacy International Electronic Privacy Information Center September 16, 1996 Citadel Ottawa Hotel and Convention Centre Ottawa, Canada ---------------------------------------------------------------------------- The rapid evolution of technology is leading to the creation of a seamless web of surveillance across much of the world. Powerful technologies originally developed for the military are being adopted by law enforcement and civilian agencies, and private companies to monitor entire populations. This has been further fueled by the end of the Cold War and increasing demands for greater bureaucratic efficiency. Existing laws and regulations have failed to keep up with these developments. This one day conference will examine a range of advanced surveillance technologies and their impact on privacy and other civil liberties. It will explore the process of planning and implementation of the technologies, their operating conditions, and the people and organizations responsible for them. 
The conference will also examine possible technical, regulatory and legal responses. The conference will also address in detail the findings of Privacy International's "Big Brother Incorporated" report which examined the international trade in surveillance technology and the involvement of the arms industry. ---------------------------------------------------------------------------- PARTIAL LIST OF SPEAKERS Phil Agre, University of California, San Diego Dave Banisar, Electronic Privacy Information Center Colin Bennett, University of Victoria Simon Davies, London School of Economics & Director, Privacy International Wayne Madsen, Author, Handbook of Personal Data Protection Bruce Schneier, Counterpane Systems & Author, Applied Cryptography CONFERENCE SUBJECTS * Artificial Intelligence Systems * Biometric Identification * Digital Cash * Information Superhighways * Information Warfare * Infrared and Passive Millimeter Wave Detectors * Intelligent Transportation Systems * Other New Technologies ---------------------------------------------------------------------------- MORE INFORMATION More information on the conference will be available at the Privacy International mailing list at pi-news at privacy.org (subject: subscribe) or at the PI Home Page at http://www.privacy.org/pi/conference/ottawa/ ---------------------------------------------------------------------------- HOTEL The Conference will take place at Ottawa Citadel Hotel in Ottawa, Canada. A block of rooms has been reserved at the hotel at a discounted rate of CAN $81.00/night for a single $91/night for a double. The hotel should be contacted directly for reservations, mentioning the AST II Conference to get the special rates and early reservation is recommended. The address is Ottawa Citadel Hotel, 101 Lyon St., Ottawa, Canada K1R 5T9, attention reservations, fax 613-237-2351, phone 613-237-3600. In North America you can call toll free at 1-800-567-3600. 
---------------------------------------------------------------------------- OTHER EVENTS THAT WEEK There are several other conferences in Ottawa that week. On Tuesday, September 17, Industry Canada will be sponsoring a one day Symposium and Demonstration of privacy enhancing technologies. On September 18 - 20, the Privacy Commissioner of Canada will be hosting the 18th International Privacy and Data Protection Conference. Contact: 613-995-2410 or email jroy at nstn.ca. ---------------------------------------------------------------------------- REGISTRATION Registration Fees [] Standard - $250 CAN ($175 US) [] Non-profit organizations/Educational - $125 CAN ($75 US) Information Name: ___________________________________________________________ Organization: ______________________________________________________ Address: _________________________________________________________ __________________________________________________________________ Phone/Fax: _________________________________________________________ Electronic Mail:_____________________________________________________ Credit card Number/Expiration Date: _________________________________ (Do Not Email!) Fax Registration form and credit card number to +1 202.547.5482 Send Check or Money Order in $US made out to Privacy International to: Privacy International Washington Office 666 Pennsylvania Ave, SE, Suite 301 Washington, DC 20003 USA 1-202-544-9240 (phone) 1-202-547-5482 (fax) pi at privacy.org(email) ---------------------------------------------------------------------------- From fletch at ain.bls.com Wed May 22 04:15:40 1996 From: fletch at ain.bls.com (Mike Fletcher) Date: Wed, 22 May 1996 19:15:40 +0800 Subject: Cutting down remailer abuse [ Was Re: An alternative ... 
] In-Reply-To: Message-ID: <9605220533.AA14419@outland.ain_dev>

> One idea that came up a while back was a sort of limited tracking of mail
> -- an example would be keeping a hash of the email address where mail was
> received from for 48 hours, with the hash value being attached to the
> piece of mail as a header.
>
> This would accomplish two things: We could source block an address without
> knowing the source; and if push came to shove an address could be
> backtracked to its original source, provided a complaint was made in time,
> and that the Bad Guy sent another mail from the same address. I think
> that legally there would be a good argument that the remailer ops had made
> a reasonable attempt at holding lawbreakers accountable, while still
> preserving the anonymity of non-abusers.

This would have two problems (I think :):

1) How do you tell that the source address isn't a remailer? If things go to the disposable remailer heads (Aren't those bad for the environment or something? :), you might wind up blocking part of the remailer chain.

2) Depending on the strength of the hash function, there's a trail that you submitted traffic into the remailer network for that 48 hours. Not that sendmail/packet sniffing wouldn't show the same thing w/o IP layer encryption . . . .

Now if there was a DC net you could submit traffic/noise into that would deliver into the remailer net . . . .

---
Fletch __`'/|
fletch at ain.bls.com "Lisa, in this house we obey the \ o.O' ______
404 713-0414(w) Laws of Thermodynamics!" H. Simpson =(___)= -| Ack. |
404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43 U ------

From frantz at netcom.com Wed May 22 04:18:10 1996
From: frantz at netcom.com (Bill Frantz)
Date: Wed, 22 May 1996 19:18:10 +0800
Subject: Senator, your public key please?
Message-ID: <199605220544.WAA17527@netcom8.netcom.com>

At 11:35 PM 5/21/96 -0400, E.
ALLEN SMITH wrote:
>From: IN%"frantz at netcom.com" 18-MAY-1996 21:54:01.23
>
>>This is exactly analogous to slanderous attack on someone's reputation. As
>>soon as people realize that the mere fact that a key has a signature does
>>not mean that the key-owner solicited the signature, the problem goes away.
>
> This is interesting in light of social networks analysis as applied
>to the web of trust (one interesting web-reference on such analysis is at
>http://www.mpi-fg-koeln.mpg.de/~lk/netvis.html; as well as some examples - use
>a graphics-capable web browser - it has some links to a FTP site with
>programs). One method of such analysis uses what is sometimes called "gravity;"
>under it, positions move to be close to those to which they are linked. This
>can be one-way or two-way; the above fact may imply that signing someone's key
>should move one closer to that person - and not the other way around. Of
>course, when analyzing the result, one should keep in mind that one may not
>have beneficial intent when signing a key; LD's signatures are examples. Thus,
>closeness on such a network may imply a high degree of relationship, but not
>a high degree of _positive_ relationship.

Perhaps what is needed is anti-gravity for those signatures that are not desired by the key owner. The resulting map should show the closeness of the relationship.

------------------------------------------------------------------------
Bill Frantz | The CDA means | Periwinkle -- Computer Consulting
(408)356-8506 | lost jobs and | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 04:22:28 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 22 May 1996 19:22:28 +0800
Subject: Senator, your public key please?
Message-ID: <01I4ZLQFIGAM8Y5IL9@mbcl.rutgers.edu>

From: IN%"tcmay at got.net" 21-MAY-1996 04:37:46.63

>(ObCaveat: I personally think a free society cannot/should not outlaw
>discrimination in any form, save that by government.)

Agreed.

>By the way, this issue has some echoes of another technological issue: the
>use of neural nets for loan approval software. Turns out that when a bunch
>of things are entered into a NN loan package, including the all-important
>default rate, the applicant's age, income, race, sex, education, employment
                                            ^^^^
>history, credit history, etc., that NN loan packages "end up" rejecting
>many black applicants, more so than white or Asian applicants. (The NN
>"concluded" that blacks were higher risks for default than whites/Asians.)
>Even if no human being ever entered his or her biases and prejudices, the
>NN spit out this result.

>I recall there being talk about requiring "equality of outcomes," and that
>such NNs might have to have deliberately-biased inputs fed in, but I don't
>know what ever happened to this issue.

The obvious solution in the above case is not to feed in the race information for governmental decision-making. I recall a similar issue when NN's were used for college admissions... while they didn't feed in the applicant's race, they did feed in the applicant's name, and the length of it turned out to have some correlations. (Why they were feeding in the name in the first place is another question entirely, although NN's and GA's tend to work the best when you don't understand the system at hand - which also tends to mean that you shouldn't try to interpret what information is necessary.)

>In any case, I think this sort of issue, and the semi-related issue of
>"discrimination via key signatures," to be likely important issues in the
>courts in the coming years.

It's related to that of the outlawing of IQ testing because of (I'd say for environmental reasons) blacks having lower IQ scores on average.
The civil rights crowd are arguing for the PC egalitarian viewpoint that everyone _should_ be the exact same in capabilities (for some absurd view of "fairness"), and so want people treated the exact same despite obvious differences and the validity of such tests.

-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 04:51:44 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 22 May 1996 19:51:44 +0800
Subject: Long-Lived Remailers
Message-ID: <01I4ZMFV9HH88Y5IL9@mbcl.rutgers.edu>

From: IN%"tcmay at got.net" 21-MAY-1996 05:37:17.56

>At 4:56 PM 5/20/96, Rev. Mark Grant, ULC wrote:
>>With regard to the problems of remailers being shut down when we want
>>long-lived addresses, wouldn't separating the input and output be one
>>possibility? That is (like Hal's Alumni remailer) you'd send mail to
>>'remailer at anon.ai' and it would be forwarded via a disposable account
>>elsewhere. All messages would appear to come from 'disposable at foo.com' and
>>if that account was shut down a new one could be opened to replace it
>>while incoming mail simply backed up at the main remailer account.

>This is a very good idea.

Agreed.

>Traffic analysis will be quite easy to do, of course, as all mail sent to
>the persistent address comes out of the "disposable at foo.com" address.
>Q.E.D.

As has been pointed out since your message, one could logically have multiple remailers all using the same output account for messages. Extensions on this idea would be having them use it only for ones going to other than another remailer, to prevent the traffic from being noticed (if lots of traffic to remailers is coming out of one account, someone's going to notice...). Several people could run such output accounts, sending encrypted data on how to access the latest one(s) to (a subset of) remailer operators. (I say a subset in order to stop the NSA from running a remailer and letting, say, AOL know about each new output account on AOL.
If some remailer or group of remailers wasn't told about a new output account, and the output account lasted statistically significantly longer (controlling for level of output), then that'd be cause for suspicion.) Which one was used for any given message through a particular remailer could be randomly chosen from those that remailer knew.

Another aspect of this is that it would spread out the cost of operating the output account. One way to deal with this would be to have the postage going to the output account owner instead of to the remailer, or two items of postage (one to the remailer, one to the output account owner), or three items of postage (one to the first remailer in the chain, one to the last, and one to the output account).

>(Hal, to use him as the example, could start using his own choice of
>remailer hops to accomplish much the same result. We've talked about this
>for a long time, too. If I ran a remailer, I think I'd route *all* traffic
>leaving my site through at least one other remailer...kind of a "hot
>potato" effect. Of course, if _everyone_ did this, an infinite loop would result. Lots of interesting twists, though, as messages could be set to "leak out" of the loops.)

Oh? What's this idea?

-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 05:00:40 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 22 May 1996 20:00:40 +0800
Subject: Long-Lived Remailers
Message-ID: <01I4ZO8U2J4O8Y5IL9@mbcl.rutgers.edu>

From: IN%"dsmith at prairienet.org" 22-MAY-1996 01:33:37.30

>Actually, there's an Idea. Set up a single address; use added
>headers in the style of:

>::
>Remailers-To-Chain: 7
>Remailers-To-Avoid: remailer at nsa.gov
>Final-Destination: tcmay at got.net

>Each remailer could construct a message that decrements the
>remailers counter, preserving the other headers. The
>usual caveat on encrypting at each step would apply; but since
>remailers' pubkeys are available, that's a trivial concern.
Well, if you use this for the entirety of the chain, you'll be giving away the cleartext at each step. Not too good of an idea. You won't want the mails to an output location to themselves go through remailers; you'd want multiple remailers going to the same output location (or group of output locations, which is probably preferable) via a more direct means such as POP. Otherwise, you've simply got the same old - but good nonetheless - of adding on new full remailers to the end of a chain, which doesn't avoid problems for the full remailer at the end. (Re: TCMay's post in response to yours.) -Allen From loki at infonex.com Wed May 22 05:04:40 1996 From: loki at infonex.com (Lance Cottrell) Date: Wed, 22 May 1996 20:04:40 +0800 Subject: Long-Lived Remailers Message-ID: At 5:39 PM 5/21/96, snow wrote: > > Randomize the output remailer? Sometimes Alice exits Bob, >Sometimes Charlie, sometimes Tom etc. > > >Petro, Christopher C. >petro at suba.com >snow at crash.suba.com A list of reliable back end remailers (output) could be kept, and automatically used by the front end remailers. This would allow the back end remailers to be highly transient, but keep the remailers used in chains stable. A remailer would randomly choose one of the 99% reliable back end remailers for each outgoing message. This could be done even more disposably using alpha type nyms. Speaking of which, it looks like my nym server is working: alias at alias.cyberpass.net Send to help at alias.cyberpass.net for instructions and the key. -Lance ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." 
--Nietzsche
----------------------------------------------------------

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 05:57:49 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 22 May 1996 20:57:49 +0800
Subject: Bit tax proposal?
Message-ID: <01I4ZMQQODUA8Y5IL9@mbcl.rutgers.edu>

From: IN%"rre at weber.ucsd.edu" 22-MAY-1996 01:51:18.54
From: Phil Agre

This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help at weber.ucsd.edu

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Date: Sat, 11 May 1996 16:59:22 -0400 (EDT)
From: Arthur Cordell

SCENARIOS FOR THE FUTURE: WORK AND EDUCATION
The First of Four Sessions Leading to the World Leadership Conference

"New Taxes for a New Economy"

September 14, 1995
Victoria University, in the University of Toronto

Arthur J. Cordell
Special Advisor
Information Technology Policy
Department of Industry
Ottawa*

*The views expressed are those of the author alone and are not necessarily those of any department or agency of government.

========================

It's a pleasure to be part of the panel this evening. Ran told us about the problematique and Sally told us about one way to re-engage people with the economy and society in general. I am proposing one way to get at the productivity of the new economy so that income can be distributed to those who are no longer working. My talk is "New Taxes For A New Economy."

Many of the ideas expressed by me this evening first appeared in a paper that Ran Ide and I co-authored for a meeting of the Club of Rome last year. Called The New Wealth of Nations, the paper dealt with ways of getting at the productivity of information technologies.
Creating a new source of revenues that can be used in a variety of ways, including re-distribution as income. First a bit of history. As you all know in the not too distant past-- before 1900--most people worked in agriculture. When automation of one sort or another took place, people moved off the land to the new jobs opening up in manufacturing. Over the next decades automation of one sort or another took place and people moved to the new jobs opening up in the service sector. Now that the service sector is itself being automated, it is not clear where workers go. Where do people find work in an increasingly automated world? My view is that information technology is like no other. It is energy saving, capital saving and labour saving. It is also distance insensitive. It can replace people in a great number of functions. Remembering, deciding, judging, estimating, counting, etc., can all be done by information technologies, and can be done better, faster and cheaper than by people. So I think that we are going into a time of innovation and greatly increased productivity throughout the economy. Jobs will grow, but at a much slower rate. A short-hand way of saying this is that we'll be seeing 'jobless growth.' Rather than seeing this as a disaster, I prefer to see it as an opportunity. After all the industrial revolution--the development of steam power, electricity, the internal combustion engine--was all about eliminating work, not creating work. The industrial revolution was about releasing people from dangerous, hard and mind-numbing work. You know in the 'old days' a job was a means to an end because that is how people got income. In the past few decades job creation has become an end in itself because this is how income can be distributed. While there are many important social and psychological benefits in having a job---job creation can be a very costly way to distribute income. 
So in the debate and discussion about the future of work my position is that the issue is income, not jobs. In my view we need to get consensus on a positive vision of the New Economy. One possible positive vision is that the New Economy will be one where few people work in traditional ways. It will be an economy that is VERY infotech intensive and highly productive--but the new wealth created by the productivity is distributed as income in new and novel ways. Anything wrong with aiming toward this sort of outcome? But how do we get income to people who are no longer working in the traditional areas of society? I think that we have to go back and take a closer look at the tax system. If everything else is changing with information technologies and the New Economy, I think the tax system itself deserves a closer look. Today in Canada we are wringing our hands at the lack of tax revenues. Some of the tax concerns pre-date the 'new economy' and carry over from the recent past: tax breaks to small business; a growing underground economy based on cash; transnational companies who 'transfer price' in ways so that profits are declared in low tax areas of the world; the rise of tax havens. The tax base is also threatened by the labour displacing capacity of new technologies. More and more services are the result of people interacting with computer-based interfaces including touch-tone phones connected to digital networks. As do it yourself banking, shopping, libraries, etc., take hold, the number of people displaced increases. Although this adds to the over-all productivity of the system, the workers who lose jobs no longer pay taxes, rather they make demands on the system for income support of one kind or another. What happens to the productivity gains created by digital networks? Some gains show up in profits, some show up in lowered prices, some goes to domestic labour and some to domestic capital--some is 'lost' in the networks. 
In some cases off-shore capital benefits from productivity advances. While part of the increased productivity may show up in earnings to firms adopting the technology, to banks, to telecom firms or other network operators, it appears that some of the productivity gains just disappear. It is either a non-monetary item (eg., time saved in using ATMs for banking) or the productivity is diffused over so many domestic and foreign players that it is not appropriated effectively, if at all. The challenge is to access the new productivity. There is a strong case to be made that government has not fully accessed the new wealth. That government has not yet realized where and how wealth creation is taking place. That government has not yet figured out a way to tax and re-distribute some of the new wealth created by global digital networks. By viewing the new economy through the prism and mindset of the old economy we are unable to see just how wealthy and productive the economy has truly become. Outdated ways of looking at the economy have led us to neglect the new wealth. We are neglecting the new productive capacity created by and carried on global networks. Digital networks that provide so much of the new wealth also provide a way for us, through our governments, to get at some of the productive potential of a knowledge-based economy. Over two hundred years ago Adam Smith wrote about the Wealth of Nations. He concluded that wealth was based on the division of labour and the extent of the market. Today we can add something else to society's production function: knowledge, information and communications. The new wealth of nations is to be found in the trillions of digital bits of information pulsing through global networks. These are the physical/electronic manifestation of the many transactions, conversations, voice and video messages and programs that, taken together record the process of production, distribution and consumption in the new economy. 
Digital flows are the new element of production whether in the form of entertainment such as movies and video games; or, in the form of financial management such as electronic commerce for business and automatic tellers for the average citizen; or, in systems designed to control aircraft traffic in the skies and baggage distribution on the ground below; or, in managing the maze of telephone calls, faxes, e-mail and charge card accounts that characterize life in this latter part of the twentieth century. The suggested new tax is a turnover tax on interactive digital traffic. This new tax would be similar to a gasoline tax or paying a toll on a bridge or toll road or having a license plate on a car. These current excise and indirect taxes apply by weight of truck, by amount of gas used, not on the value of the commodity carried by the truck. Moving from the old highway to the metaphor of the new highway, my proposal is to tax the digital traffic on the Information Highway. Proposed is an easily administered tax on each digital bit of information. A 'bit tax.' Whether the digital bit is part of a foreign exchange transaction, a business teleconference, an Internet e-mail or file transfer, electronic check clearance or an ATM transaction, each bit is a physical manifestation of the new economy at work. Whether the tax is levied on the traffic carried by a fibre optic cable or on micro-wave or whether the tax is levied on interactive satellite traffic, the bit tax presents a way of accessing the new wealth being created by the New Economy. The bit tax would be applied to value added interactive digital transactions. Interactivity makes the transaction valuable. A broadcast message may or may not add value, that is if it is heard. An interactive transaction: a conversation, data search, accessing an ATM--is an activity you choose to do because it does something for you. 
You get something for doing it, you get something out of doing it: otherwise you wouldn't be doing it. It is this new value, this new productivity that is creating so much new wealth in networks.

All interactive digital information would be subject to the new tax. Thus digital broadcast and digital radio (all 'one to many' broadcasts) would be exempted from the tax. Digital broadcasts of one to few eg., TV broadcast to a few stations for later rebroadcast, or newspaper transmission by satellite to remote printing plants are interactive (because they are 'addressable') and would be subject to the bit tax.

The bit tax would not be a user pay tax. Increased use by a region would however result in higher bit taxes. So without getting into too complex a discussion, one could imagine that at the local level an average of digital traffic would be measured by designated region (this could be by area code, metro area, province or state, or nation). This statistical average would provide the basis for the bit tax rate at the designated local level. Leased lines would pay some percentage of the carrying capacity of the line while long distance public lines would be metered by usage patterns.

To summarize: the implementation of the tax would fit into three broad categories:

1. Long-distance lines (general public), a tax directly proportional to digital flows between major long-distance nodes in the country.

2. Leased lines (private lines), a fixed rate dependent on the bit-carrying capacity of the line.

3. Local Traffic, a variable rate based on a statistical average of gross information flows captured at each local switch using software already in place.

The bit tax will be transparent. It will be something metered 'out there' and remitted to governments. It will vary with the collective usage of networks. Use of the system by any one individual will not affect the amount of taxes being collected. So it won't be a user-pay tax.
At what rate should nations tax digital bits? How would the new taxes be collected? For sake of argument, the bit tax could be .000001 cents per bit. Automatically collected it would cause fewer collection problems than most other direct or indirect taxes. Collected by the telecom carriers, satellite networks and cable systems the revenues would flow directly to the national revenue service of the respective country.

Much work has to be done on the burden or incidence of this new tax. Is the tax progressive or regressive? Will it be absorbed by the carriers or will it be passed on to consumers? Can one nation enact a bit tax or does it have to be a collaborative venture? Perhaps through the OECD or the G-7 group of nations. And what about the tax rate itself? Is it too high or not high enough? If the tax of .000001 cents per bit yields too much revenue, then it can always be adjusted.

The 'bit tax' is one way to begin to deal with the dilemma of increasing productivity and declining employment. It represents a new tax base that is at the heart of the new economy. It is also a new tax base that is growing. It is a tax base that can be easily identified, one where collection is in few hands. In the New Economy it would be a tax that is difficult to avoid.

At a European Community meeting last year, the US Ambassador to the US mission, Stuart Eizenstat, said the issues surrounding the quality and quantity of available jobs in the New Economy will not be solved by a conference here or a workshop there. He noted that we are facing a major change in our economies. The change will not be easy or smooth: just as the cold war took many years to resolve peacefully, so too will the transition to the new economy take years of discussion, dialogue and new methods of conflict resolution.

So the bit tax itself is just a modest beginning.
We need to go further: to re-think the notion of employment as a method of income distribution; to re-think the quest for ever more energy-intensive economic growth in a time of environmental limits. We need to re-think much of our economic theory. But as a modest beginning, the bit tax is one way for all of society to profit and benefit from the development of new technology. The bit tax can help provide the new fiscal framework to distribute the productivity of the new economy as income when the job link is disconnected...When Jobless Growth becomes the rule.

Thank-you for your attention. I look forward to your questions, comments and discussion.

From loki at infonex.com Wed May 22 06:28:09 1996
From: loki at infonex.com (Lance Cottrell)
Date: Wed, 22 May 1996 21:28:09 +0800
Subject: An alternative to remailer shutdowns
Message-ID:

Might Rot13 be enough? It would prevent accidental viewing.

-Lance

At 12:39 PM 5/21/96, Ben Holiday wrote:
>After pondering a bit it seems to me that the "knock knock" remailer
>approach (only send anon-mail if the recipient agrees to receive it) could
>be made feasible pretty easily.
>
>Rather than hold the mail while waiting for a consent to release, you
>could simply encrypt the piece of mail with a symmetric algorithm on its
>final hop, and send the encrypted mail to the recipient.
>
>At this point there are 2 options, which I haven't examined closely: The
>first is that you require them to send a request for their "consent-code"
>which can be used to decrypt the mail. Under this arrangement you could
>possibly provide for a user to specify a specific consent code, so that 2
>parties who had previously agreed to communicate could avoid "knocking".
>If you strip the subject, then it would be all but impossible for a person
>to include the consent code in the actual piece of mail.
>
>The second is to simply include the
>consent-code along with the encrypted piece of mail and a legal notice
>stating that decryption of the mail constitutes your consent to receive
>the mail, as well as your agreement to hold the remailer-operator harmless
>should the mail be found to be in some way offensive. Further, the
>recipient would agree to be solely liable for the contents of the mail,
>etc etc.. I leave the actual agreement to the net.lawyers to figure out.
>
>As far as I can tell an agreement of this form would be at least as valid
>as the software licenses ("NOTICE: Opening this envelope constitutes your
>agreement to the terms.. blah blah blah") that are commonly used today.
>Also would seem to be a similar concept to "Opening the case of this
>device voids your warranty" stickers on appliances.
>
>Under this approach persons would receive mail whether they'd consented or
>not (unless they requested to be blocked). But it would be difficult for
>anyone to raise any serious legal issues about something they haven't read,
>and impossible for them to make noise about what they read, after the
>implied consent they gave when decrypting.
>
>Under both approaches it would be wise to have a list of addresses who've
>already consented, which would contain all of the known remailers..
>whether or not an operator chose to have names besides remailers in the
>list would be at his/her discretion.
>
>Ben..

----------------------------------------------------------
Lance Cottrell loki at obscura.com
PGP 2.6 key available by finger or server.
Mixmaster, the next generation remailer, is now available!
http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com

"Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come."
--Nietzsche
----------------------------------------------------------

From loki at infonex.com Wed May 22 06:35:41 1996
From: loki at infonex.com (Lance Cottrell)
Date: Wed, 22 May 1996 21:35:41 +0800
Subject: MixMaster fair use
Message-ID:

At 9:14 PM 5/21/96, E. ALLEN SMITH wrote:
>From: IN%"loki at infonex.com" 21-MAY-1996 17:19:02.59
>
>>The problem is RSAREF. I can't choose license terms for that.
>
> Oof... I see the problem. No, it's not you, it's them. I've forgotten
>exactly what claims RSA has; patent (when does it expire?), copyright (can
>it be rewritten), or trade secret (wasn't it broken?)? Without some form of
>getting around this (or licensing from them), usage for pay will be kind of
>difficult.
> -Allen

It is patent on RSA, which expires in 2000 as I remember. It can be licensed, but it is not cheap. I don't know how they would handle a free program which people pay to use.

-Lance

----------------------------------------------------------
Lance Cottrell loki at obscura.com
PGP 2.6 key available by finger or server.
Mixmaster, the next generation remailer, is now available!
http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com

"Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come."
--Nietzsche
----------------------------------------------------------

From gnu at toad.com Wed May 22 06:38:50 1996
From: gnu at toad.com (John Gilmore)
Date: Wed, 22 May 1996 21:38:50 +0800
Subject: Clipper III analysis
Message-ID: <199605220903.CAA09525@toad.com>

I just read over the Clipper-III paper. Here's the main scoop.

The Government is trying to force key escrow on the world by incorporating it into key certification systems. They are playing on public ignorance of key certification, and are trying in some cases to deliberately mislead people into thinking that key certification and key escrow are the same thing.
Key certification is a way for a third party to declare that a particular public key "belongs to" a particular identity. E.g. that key 85197FB5 really belongs to John Gilmore. In PGP, people who know you can "sign" your key to make this declaration. Then, anyone who trusts those people will know that your key is really yours. When they encrypt mail with public key 85197FB5, they can believe that only John Gilmore can read it. Key certification NEVER involves giving anyone a copy of your *private* key. Your private key is, and always should be, private to yourself and nobody else. Key escrow is a way for governments to get access to your private key and read your private communications whenever they don't like what you are doing or saying. Or for any other reason. So far, the only government that is really pushing for this is the US government. Their published policies for when they will access your key are disturbingly non-specific. I believe this is to cover for access by the spy agencies such as NSA, which the public would not sanction if it knew their current policies. Even if the published policy for accessing your escrowed keys required that a judge issue a warrant based on probable cause to believe a crime has been committed -- which it doesn't -- that provides no protection from a government that feels free to make any harmless act into a crime. As in the Soviet Union, lofty principles can be written into the legal documents, but somehow citizens end up without enforceable rights anyway. I don't want to see my country go this route, though it's obviously 80% of the way there already. Because large-scale key certification systems will to some degree involve centralization, they provide pressure points where the government can try to force people to do bad things. (One thing that has kept the Internet free is that there was no central place to sue, arrest, threaten, or otherwise terrorize into submission.) 
In this case, the bad thing they'll try to force is that the central certification authorities will refuse to certify your key as yours, even though they know it's yours, unless you first give the government a copy of your private key.

Foreign relations are important to this policy, since if a significant number of countries don't adopt this model then it won't work. (Those countries will build good crypto and export it, and it will leak out around the world because of the worldwide demand for real privacy.) The US is working hard in the OECD, the European Community, and in one-on-one discussions with other governments, to convince them all to impose key escrow on their citizens.

That's the scenario laid out by the Clipper-III paper. It's a pretty good strategy on their part. Our job is to make it come out some other way.

John Gilmore

PS: The whole paper is at http://www.eff.org/pub/Privacy/Key_escrow/Clipper_III/960520_nist_clipper3_paper.draft.

From jimbell at pacifier.com Wed May 22 07:31:50 1996
From: jimbell at pacifier.com (jim bell)
Date: Wed, 22 May 1996 22:31:50 +0800
Subject: TCM: mafia as a paradigm for cyberspace
Message-ID: <199605220934.CAA29479@mail.pacifier.com>

At 03:55 PM 5/21/96 -0500, snow wrote:
>On Mon, 20 May 1996, Vladimir Z. Nuri wrote:
>
>> the assassination politics is quite Hitleresque at its root.
>> "kill our enemies, and everything will be better. it is our enemies
>> that are the root of all evil in the world. extinguish them, and
>> you solve all problems automatically"
>
> It is more the MAD theory brought down to the personal level.

With all due respect, I think that comparison is a bit flawed. MAD (mutual assured destruction) is based on a model where you know the enemy (country) attacking you, in the national model by sophisticated radar systems. It is also based on the (reasonable) assumption that there is no way to pre-emptively attack in such a way as to defeat the ability of the enemy to counter-attack.

With AP, and a world populated by 5 billion people, there is no way to know, for sure, who is targeting you. You may _guess_, and you may be right, but such a guess must be based on external information that you've received elsewhere. With AP, you CAN attack and destroy an individual in such a way he doesn't know who hit him. A crook who has victimized many people would be an excellent example of a target who can't know, because he has many enemies. A person who has just jilted a rich lover and has no other enemies would be the opposite.

I contend that the kind of targets which are the most "deserving" will tend to be those who don't know who's targeting them. Those that are least deserving will have a good clue about who's giving them the finger. Since such prices are publicly known, a donor would have to be particularly careful about targeting a generally good, well-liked person, if that person could reasonably guess who's naming him.

This is one of the many reasons I have a fair degree of confidence that AP will do a lot of good, and very little bad.

> The
>government has the power and authority to kill anyone of us, AP brings out
>into the open the fact that WE ALL HAVE THAT POWER. Killing people is
>(physically) very easy, AP turns the THREAT back on those who hold the
>power.

This I agree with. But remember that the ability to combine the desires of thousands of people counts for something as well. If the only time you had to worry is if one individual was mad enough to see you dead, and would either do it himself or pay the whole bill himself, you'd feel relatively safe. If, on the other hand, the cost could be split up 10,000 ways or more, you'd better not be a crook!

>Note: I don't necessarily think that AP is a good idea. I think
>that people should do their own dirty work.

In practice, I think this would be comparatively common as well.
What currently deters such "take the law into your own hands" is the fact that police (being, essentially, in the business of protection) don't want you to provide for yourself by protecting yourself. They make it hard on people, in the same way they did with Bernard Goetz, the guy who shot four muggers on the New York city subway system. Once AP gets rid of the police, it will be much easier to protect yourself and not risk jail time, etc.

Superficially, a person might argue that the lack of police would also make it easier for the muggers. However, a "professional mugger" would make a LOT of enemies, and it wouldn't take long before he's dead. He'd only have to be caught once. Any victim of any mugger would be happy to donate to see him gone.

>> such is the total moral perversion of the thinking behind
>> "assassination politics". most of the adherents work from the
>> following argument, nicely summarized by JFA above:
>> 1. the government is corrupt
>> 2. therefore, it is okay to kill people who further that corruption.
>> wow, what brilliant logic.
>
> How about this:
> Governments, and the people in them are corrupt. This corruption,
>caused by acts of these people, lead to oppression and death. By THEIR
>MORALITY oppression and killing are ok, so it is ok to use their tools
>against them.

In part 7 I use somewhat different justification. I believe that a person should be able to use whatever level of force is necessary to get rid of the transgression, with no upper limit. In any case, I think that government corruption is way more than enough to justify whatever level of counter-attack is needed.

>> there is a trite saying, "two wrongs do not make a right" (trite
>> because most have mastered the simple truth of it in their pre-teen
>> years). a concept not grasped by some second-graders. some
>> require a lifetime of lessons to comprehend it in the end..
>
> Putting people in cages is wrong.
> Stealing is wrong.
> Is putting people in cages for stealing wrong?

Yes; I've noticed that people who oppose AP generally don't want to address the question of self-defense issues.

>> carefully the errors of those who have come before you. write
>> a long treatise with lots of footnotes to past assassination
>> difficulties and how you would advance past them. I tell
>> you flat out that any respectable assassin would be quite embarrassed
>> to be associated with you at the moment because of your arrogance
>> and ignorance.
>
> I might be wrong here, but I don't think that Mr. Bell actually
>wants anyone actually shot,

Shot? Not necessarily. Let's not forget about blown up, poisoned, stabbed, beheaded, etc. B^)

> well, maybe he does, but what he wants is to
>have the same power over members of governments than they have over him.

Right. Moreover, I believe that governments simply cannot exist as we know them under these circumstances. Besides, they won't be necessary.

Jim Bell
jimbell at pacifier.com

From bryce at digicash.com Wed May 22 07:51:46 1996
From: bryce at digicash.com (bryce at digicash.com)
Date: Wed, 22 May 1996 22:51:46 +0800
Subject: The Crisis with Remailers
In-Reply-To: <2.2.32.19960521175237.0036cc44@mail.pi.se>
Message-ID: <199605220958.LAA16017@digicash.com>

-----BEGIN PGP SIGNED MESSAGE-----

Matts Kallioniemi wrote:
> At 17:44 1996-05-21 +0200, bryce at digicash.com wrote:
> >Matts, you don't want to do floating point for money, because
> >floating point doesn't give you good control of precision.
>
> Yes I do. Several major currency traders in Sweden keep all
> their money in 64 bit floating point storage. I think that DigiCash
> will go floating point (get real?) when you start doing currency.
> If you sell 1 DEM, you don't want to get paid in cents, you want
> to get paid in 10-15 decimal places. That's where the currency
> action is right now, and before Ecash(tm) is fully deployed we'll
> probably see traders going for 15-20 decimal places.
> Floating point is the way to do it, but are your accountants ready for it?

Matts, _floating_ point numbers are numbers in which the decimal place moves ("floats") around depending on the value of the number. Floating point numbers are convenient if you want to handle a number that isn't going to be too large, and that isn't going to need a great deal of precision. They are _not_ useful if you want to handle a number with a lot of precision, nor indeed, if you want to be able to _know_ the precision! If you have a number that represents money, you want to know the precision!

As an aside, there are rare cases when you will use a floating point number to _represent_ a fixed-point number just because the floating point math is faster on your hardware. As far as I know, this only happens on certain supercomputers.

I shall try to refrain from taking umbrage at your comment that DigiCash is "not real". Also that DigiCash doesn't "do" currency. What could you possibly mean by that?

> >Keep in mind that only Ecash(tm) Mints can create Ecash(tm)
> >coins and choose what values the coins have.
>
> Sorry, I thought that the client created the coins and the mint
> just signed them. I guess I should go back to RTFAPI.

I'm sorry-- I didn't speak clearly. _Kinds_ of coins, including such things as the currency and base value (i.e. smallest possible coin) are created by Mints. We call these "coinages". They are analogous to new kinds of coin or paper notes in traditional currency.

The individual coins are generated by the Ecash(tm) client, but those coins are worthless until they are stamped by the Mint, giving them a currency and denomination (i.e., is this a 5-dollar-cent coin, a 10-dollar-cent coin, a 100-Finnish-Mark coin, etc.).

For further reading material as well as the API, I can recommend the Ecash(tm) FAQ, the Bryce (not speaking for DigiCash on these pages) FAQ, the somewhat out-dated Ecash(tm) protocol description, and Ian Goldberg's Ecash(tm) pages.

For further reading on floating point and other representations of numbers in computing, I recommend any good introductory university text on mathematical computing. Sorry I don't have mine handy or I'd give you a specific reference.

Regards,

Bryce

- -----BEGIN GOODTIMES VIRUS INNOCULATION-----
Copy me into your .sig for added protection!
- ----- END GOODTIMES VIRUS INNOCULATION-----

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2

iQB1AwUBMaLlGkjbHy8sKZitAQFNmwMAzoYmjg8XQ5lG+Uq8vEzpwTe8TWWcGx6Z
zsc02WNMRAzT9iu/upK14bW8kdtAr5f50z3FSpUdbtOr9YbNi8akdZaWYH2w03Xg
VivCG3FzfyT03vZtyMEPN1+eEcWSrCt7
=aa73
-----END PGP SIGNATURE-----

From pfarrell at netcom.com Wed May 22 08:26:19 1996
From: pfarrell at netcom.com (Pat Farrell)
Date: Wed, 22 May 1996 23:26:19 +0800
Subject: DC area physical meeting, this saturday
Message-ID: <199605221125.EAA11190@netcom13.netcom.com>

Apologies to the 1000+ folks who are too far away to care about this...

The next Washington DC area cypherpunks physical meeting will be this Saturday, May 25 at 3:00 PM, at Digex.net.

Details, directions, etc. at http://www.isse.gmu.edu/~pfarrell/dccp

Pat

Pat Farrell Grad Student http://www.isse.gmu.edu/~pfarrell
Info. Systems & Software Engineering, George Mason University, Fairfax, VA
PGP key available on homepage #include

From middle-man-admin at alpha.c2.org Wed May 22 08:55:01 1996
From: middle-man-admin at alpha.c2.org (middle-man-admin at alpha.c2.org)
Date: Wed, 22 May 1996 23:55:01 +0800
Subject: The Twilight of the Remailers?
Message-ID: <199605221131.EAA06184@infinity.c2.org>

On Tue, 21 May 1996, Timothy C. May wrote:
> At 7:59 PM 5/21/96, Alex Strasheim wrote:
> >I'm closing my mixmaster, nsa at omaha.com, on the 4th of June.
> Between Hacktic going down, Hal's comments that he may shut down his two
> sites, and this, plus others who are more quietly making plans to shut
> down, I think the thread title "The Remailer Crisis" is more apt than ever.

I tend to agree. I realize that the middle-man remailer requires that there be bastion remailers on the end of the chain. Without them, the "middle-man" concept won't work. I thank the remailer sites that allow the middle-man to work.

Anyway, with all the remailers that have either vocalized their retirement and those that are silently considering retirement, I would like to announce that the middle-man remailer should be available for download as early as this weekend. Utopia.hacktic.nl (basement) and c2.org have agreed to carry the middle-man remailer on their FTP sites. As soon as I can get the documentation finished, I'll post it.

middle-man-admin

From declan+ at CMU.EDU Wed May 22 10:02:11 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Thu, 23 May 1996 01:02:11 +0800
Subject: FTC online workshop on privacy
In-Reply-To: <01I4ZKWPMI7K8Y5IL9@mbcl.rutgers.edu>
Message-ID:

Excerpts from internet.cypherpunks: 22-May-96 FTC online workshop on privacy by "E. ALLEN SMITH"@ocelot.
> Date: Wed, 22 May 1996 01:08 EDT
> From: "E. ALLEN SMITH"
> Subject: FTC online workshop on privacy
> To: cypherpunks at toad.com
>
> Pointing out encryption, anonymity, etcetera as means couldn't
> hurt...

Speaking of privacy and cypherpunkly interests, one bill that seems to have grown out of the FTC's recent interest in the area will be introduced in two hours.

The legislation being introduced at 10:30 am will restrict selling mailing lists with children's names and other identifying info on them, including email lists.

Another attempt to regulate the net, or a good thing? Supporting is Christian Coalition, Family Research Council, Enough is Enough!, Bruce "I wrote the CDA" Taylor's group, and EPIC.

I'm not sure what I think of it, since I just got the text of the legislation yesterday.

-Declan

From rah at shipwright.com Wed May 22 11:11:28 1996
From: rah at shipwright.com (Robert Hettinga)
Date: Thu, 23 May 1996 02:11:28 +0800
Subject: Reply to e$: The Wealth of Nation-States
Message-ID:

--- begin forwarded text

Date: Tue, 21 May 1996 23:35:22 +0900
To: rah at shipwright.com
From: tatsuo at glocom.ac.jp (Tatsuo Tanaka)
X-Sender: tatsuo at izanagi.glocom.ac.jp
Subject: Reply to e$: The Wealth of Nation-States
Cc: tatsuo at glocom.ac.jp (Tatsuo Tanaka)
MIME-Version: 1.0

Dear Mr. Robert Hettinga,

Please allow me to write you. I am a visiting research fellow of Columbia University, and study digital cash from the economics point of view.

I read your article on "e$:The Wealth of Nation-States." interestingly. I also think that digital cash will cause a conflict with the Nation-States, though my major concern is financial economics view point, not taxation problem.

I wrote a paper on this issue,"Possible Economic Consequences of Digital Cash " which is supposed to be presented at the coming INET96. This paper's URL is http://tenjin.glocom.ac.jp/tanaka/inet/DigitalCash_v1e.html

I hope this paper might be of interest to you. Following is an abstract of this paper.

Author discusses possible consequences of digital cash from the view of economics and forecasts a possible scenario for the future. Digital cash will bring us benefits as well as problems. One major benefit of digital cash is its increased efficiency which will open new business opportunities, especially for small businesses. On the other hand, it will bring us four problems: taxation and money laundering, instability of the foreign exchange rate, disturbance of money supply, and the possibility of financial crisis. There is one important attribute of digital cash, however, that overshadows these benefit and problems.
It is the transnationality of digital cash, that is, the ability of digital cash to flow freely across national borders. Every bank can issue it and everybody all over the world can use it. This transnationality is a cause for both benefits and problems, and could have significant repercussions internationally.

From the economic stand point, the most important characteristic of digital cash is its transnationality. If digital cash circulated only within a traditional national border and was controlled under a central monetary authority, there would be no economic implications that would be worth analyzing. In this case, digital cash would be nothing more than a convenient transaction method such as a credit card. However, digital cash is more than that. Its transnationality has the potential to cause conflict between cyberspace and nation states. If digital cash spreads successfully in the 21st century, its history may be written as a record of its battle with nation states.

Thank you for your time.

Sincerely yours,

Tatsuo TANAKA

Tatsuo Tanaka Email:tatsuo at glocom.ac.jp

-Current Address-                        -Contact in Japan-
Center on Japanese Economy & Business    Center for Global Communications
521 Uris Hall                            International Univ. of Japan
Columbia University                      6-15-21, Roppongi,Minato-ku
New York, NY, 10027, USA                 Tokyo 106,Japan
Fax:+1-212-678-6958 Tel:665-5028         Fax:+81-3-5412-7111 Tel:5411-6677

--- end forwarded text

-----------------
Robert Hettinga (rah at shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA
"If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo
The e$ Home Page: http://thumper.vmeng.com/pub/rah/

From Doug.Hughes at Eng.Auburn.EDU Wed May 22 11:23:08 1996
From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes)
Date: Thu, 23 May 1996 02:23:08 +0800
Subject: Rumor: DSS Broken?
In-Reply-To:
Message-ID:

Snow wrote:
>
>>
>> Yes, it is. But I'd like to think that the NSA isn't acting as if WE are
>> the "enemy."
>
> I'd like to believe that Santa will bring me Sparc20.
>
>

20! you set your sights too low. Ask Santa for an Ultra! :) Not much more expensive, a whole lot more powerful. Just think of the numbers you can crunch.. Wonderful machine.

--
____________________________________________________________________________
Doug Hughes Engineering Network Services
System/Net Admin Auburn University
doug at eng.auburn.edu
Pro is to Con as progress is to congress

From m5 at vail.tivoli.com Wed May 22 11:24:43 1996
From: m5 at vail.tivoli.com (Mike McNally)
Date: Thu, 23 May 1996 02:24:43 +0800
Subject: Bit tax proposal?
In-Reply-To: <01I4ZMQQODUA8Y5IL9@mbcl.rutgers.edu>
Message-ID: <31A313CA.405D@vail.tivoli.com>

E. ALLEN SMITH forwarded:
>
> ... And what about the tax rate itself? Is it too high or not high enough?
> If the tax of .000001 cents per bit yields too much revenue, then it can
> always be adjusted.

ROTFL.

______c_____________________________________________________________________
Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable
m5 at tivoli.com * m101 at io.com * * suffering is optional

From matts at pi.se Wed May 22 12:41:16 1996
From: matts at pi.se (Matts Kallioniemi)
Date: Thu, 23 May 1996 03:41:16 +0800
Subject: The Crisis with Remailers
Message-ID: <2.2.32.19960522141400.00340478@mail.pi.se>

At 11:58 1996-05-22 +0200, bryce at digicash.com wrote:
>Matts, _floating_ point numbers are _not_ useful
>if you want to handle a number with a lot of precision, nor
>indeed, if you want to be able to _know_ the precision! If you
>have a number that represents money, you want to know the
>precision!

As I said yesterday, there are in fact people dealing with billions in all major currencies that keep their money in 64 bit floats. The precision is far better than anything you can do in 32 bit integers. Trust me, this is a fact and can easily be proven.

>I shall try to refrain from taking umbrage at your comment that
>DigiCash is "not real".

The "get real" was a pun on floats. Many languages, such as Pascal, call them real numbers. Sorry I forgot the smiley.

>Also that DigiCash doesn't "do" currency. What could you possibly
>mean by that?

In my client (2.1.5a MT) there is no way to do currency conversion. If I go to a FIM or DEM merchant I can't buy anything in the store. This will probably change in the near future when a new client is released, and then we'll have the question of how to represent these currencies in one wallet.

What do you think will happen if you have a one Italian lira coin and you try to deposit it with Mark Twain's USD account? With integer math it won't be pretty.

>For further reading on floating point and other representations
>of numbers in computing, I recommend any good introductory
>university text on mathematical computing. Sorry I don't have
>mine handy or I'd give you a specific reference.

Maybe you should start looking for it. You'll need it when the lira arrives...

Regards,
Matts

From bryce at digicash.com Wed May 22 13:05:39 1996
From: bryce at digicash.com (bryce at digicash.com)
Date: Thu, 23 May 1996 04:05:39 +0800
Subject: The Crisis with Remailers
In-Reply-To: <2.2.32.19960522141400.00340478@mail.pi.se>
Message-ID: <199605221451.QAA27787@digicash.com>

-----BEGIN PGP SIGNED MESSAGE-----

Hi again Matts,

This conversation has been thorough enough already that perhaps it is time to take it off-lists.

I think that you are unaware of the difference between floating point numbers (e.g. the 'IEEE 754' 32 bit floating point number spec) and fixed-point numbers which are used to represent amounts other than "units" of a thing. (E.g., use a 32-bit integer and say that it represents millionths of an apple. You can now represent anything from 0.000001 apples to 4294.967295 apples with no loss of precision.)

There are also many other ways to represent different kinds of numbers, including multi-precision integers and rationals, imaginary and complex numbers, etc.

I reiterate that floating point numbers are for convenience when dealing with values whose precision is unimportant. Anyone who encodes real money into a float is dumb.

> What do you think will happen if you have a one italian lira coin and
> you try to deposit it with Mark Twain's USD account? With integer
> math it won't be pretty.

It will be _very_ pretty. Stay tuned. :-)

Regards,

Bryce

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2

iQB1AwUBMaMp1kjbHy8sKZitAQFlBwMAwhwLBvPvKMwjzWMj/HMDrzlws9CRwPxd
ylBIIWCnaChUafO9Gbjptd12A+nRlwgMJ27N+aY5GCcUu6jlVZz2j7jtxOqMMwNm
VFHs0itk7hotPGAoFBF4i4iB0YG1C0Ih
=y5zo
-----END PGP SIGNATURE-----

From reagle at MIT.EDU Wed May 22 14:07:39 1996
From: reagle at MIT.EDU (Joseph M. Reagle Jr.)
Date: Thu, 23 May 1996 05:07:39 +0800
Subject: Another Analysis -- Re: NIST Draft Key Escrow Paper
Message-ID: <9605221534.AA03805@rpcp.mit.edu>

Declan McCullagh and Gilmore have already provided a brief summary of the doc, here are a few thoughts I sent to some others last night:

- the meat is in the footnotes.
- buzzword compliance: key recovery and Key Management Infrastructure (KMI).
- intro: market forces and government/industry cooperation.
- key bullet points:
    o Certificate authorities will operate within performance standards set by legislation
    o Agreements between governments will serve as the basis for international cross certification.
    o Self-escrow will be permitted under specific circumstances. [1]

      [1] The escrow agency must meet performance requirements for law enforcement access.
- Denning's CACM survey key escrow article and Hoffman's "Building in Big Brother" are cited.
- A lot of talk about "mutually trusted CAs"
  A footnote [4] "A mutually trusted authority is an escrow agent trusted by users to store keys and trusted by law enforcement to provide access upon certification of lawful authority."
  One has freedom to choose any CA, as long as the mutual trust exists.
- At the international level "Law enforcement and some national security concerns would be protected since government agencies would be able to obtain escrowed key pursuant to government-to-government agreements."
- Products can be exported to countries with these agreements.
- Self escrow: "To avoid this risk [of investigations being compromised], independent escrow authorities could be added as another layer. Such a solution would drive up the cost to operate the PKI and drive down the efficiency of conducting public key certification functions, particularly for individual users." [Ok, so independent CAs are "bad" things]
  "The solution may be a national policy which allows CAs for an organization to be escrow authorities if they can reliably turn over keys in a timely fashion when requested and to protect the confidentiality of any request for escrowed key. To this end, the government should seek legislation that would shield organization certificate authorities from internal pressures in the course of law enforcement investigations." [A "good" thing?]
- provisions for legislation on civil or criminal liability on the commercial/private side.
- gives requirements for KMI: key integrity, key accessibility, key recovery with respect to confidentiality, availability and responsiveness (24 hours) requirements.

So Clipper III is a bit meaner and leaner. If Clipper I would have sunk because of sheer clumsiness, a sleeker ship carrying the same load will now be developed by the free market. The load is the assumption that citizens can be "compelled in any criminal case to be a witness against himself."

_______________________
Regards,
We could never learn to be brave and patient, if there were only joy in the world.
-Helen Keller
Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html
reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E

From snow at smoke.suba.com Wed May 22 14:34:28 1996
From: snow at smoke.suba.com (snow)
Date: Thu, 23 May 1996 05:34:28 +0800
Subject: TCM: mafia as a paradigm for cyberspace
In-Reply-To: <199605220934.CAA29479@mail.pacifier.com>
Message-ID:

On Wed, 22 May 1996, jim bell wrote:
> At 03:55 PM 5/21/96 -0500, snow wrote:
> >On Mon, 20 May 1996, Vladimir Z. Nuri wrote:
> >> the assassination politics is quite Hitleresque at its root.
> >> "kill our enemies, and everything will be better. it is our enemies
> >> that are the root of all evil in the world. extinguish them, and
> >> you solve all problems automatically"
> >
> > It is more the MAD theory brought down to the personal level.
>
> With all due respect, I think that comparison is a bit flawed. MAD (mutual

You are right. It is flawed.

> more, you'd better not be a crook!

Or turn in too powerful a crook. Law enforcement won't just go away. There will always be those of us who feel that most crimes _don't_ deserve the Death Penalty, and that some sort of penal system will continue to be necessary. In your system this would not be possible because most people would be afraid to turn people in for fear of reprisal.

I think that the biggest flaw in your system is the belief that people will act rationally. Do you think that the Menendez(sp?) brothers would have hesitated one second in having their parents offed to collect the inheritance?

> >Note: I don't necessarily think that AP is a good idea. I think
> >that people should do their own dirty work.
>
> In practice, I think this would be comparatively common as well. What
> currently deters such "take the law into your own hands" is the fact that
> police (being, essentially, in the business of protection) don't want you to
> provide for yourself by protecting yourself.
> They make it hard on people,
> in the same way they did with Bernard Goetz, the guy who shot four muggers
> on the New York city subway system. Once AP gets rid of the police, it will
> be much easier to protect yourself and not risk jail time, etc.

Umm... I think that the biggest reason that the Police don't want you taking the law into your own hands is that civilians tend to screw up badly. They get the wrong target, they don't stop when they should etc. The POLICE usually don't have a problem with an individual protecting themselves (as long as the response fits the crime, killing a shoplifter is a no no.) It is the court system that frowns on it.

Is there the ability to predict a "mild beating" with your system? or a "severe beating", or simply a killing? Having one level of punishment is not a very good legal system. AP cannot replace it.

> Superficially, a person might argue that the lack of police would also make
> it easier for the muggers. However, a "professional mugger" would make a
> LOT of enemies, and it wouldn't take long before he's dead. He'd only have
> to be caught once. Any victim of any mugger would be happy to donate to see
> him gone.

Give me the name of a mugger.

>
> Right. Moreover, I believe that governments simply cannot exist as we know
> them under these circumstances. Besides, they won't be necessary.

See, you have far more faith in humanity than I do.

Petro, Christopher C.
petro at suba.com
snow at crash.suba.com

From iang at cs.berkeley.edu Wed May 22 14:38:31 1996
From: iang at cs.berkeley.edu (Ian Goldberg)
Date: Thu, 23 May 1996 05:38:31 +0800
Subject: Is Chaum's System Traceable or Untraceable?
In-Reply-To:
Message-ID: <4nvdgd$4ll@abraham.cs.berkeley.edu>

-----BEGIN PGP SIGNED MESSAGE-----

In article , Tim Dierks wrote:
>Not that full anonymity isn't a Good Thing, but couldn't this be solved by
>having the merchant (who presumably is on-line) provide PDA <-> mint
>connectivity for the purposes of getting change, exchanging coins, etc.?
>My assumption is that all the ecash protocols are not subject to a MITM
>attack, which I would just presume to be good practice.

But if you go online, you give away your identity due to a timing coincidence.

>
>Also, given the fully anonymous protocol as you've described it (both payor
>and payee blind the coins), what's to prevent the merchant from depositing
>your change before he gives it to you? Unless your PDA is online, you'll be
>home before you find out the hot dog vendor shorted you. (It's my
>understanding that the current digicash system does not support Chaum's
>method of revealing the identity of double-spenders).

That's another of the cool features of the "anon" protocol: the coin isn't complete until the protocol is finished. The hot-dog vendor doesn't have enough information to spend the coin.

- Ian

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMaM5QUZRiTErSPb1AQH8FgP6A6eCI7dqEMUf27x/dsZjN5rp9fGWuhaf
/DSQ2CAbdvBqpoYh4uMLkEMSD9WCD+NoV4Uy8MIkxLV+nUz2ZmkEqW+zHRy7zv9G
Ag923kzlY8cLt3730EFz+WC64fOORz8UroBO53QDxvRP3RyiddZx4fw0LeP1YgiW
urXhLYM3N+k=
=axOu
-----END PGP SIGNATURE-----

From shabbir at vtw.org Wed May 22 14:39:57 1996
From: shabbir at vtw.org (Shabbir J. Safdar)
Date: Thu, 23 May 1996 05:39:57 +0800
Subject: REMINDER: Leahy at Hotwired 5/22/96 4pm EST
Message-ID: <199605221538.LAA14006@panix3.panix.com>

------
Date: May 22, 1996 (THIS IS TODAY)

Senator Patrick Leahy (D-VT) will be on HotWired TODAY, May 22nd at 4pm EST at http://www.hotwired.com/wiredside/

You can tune in and listen to the chat with the RealAudio software (http://www.realaudio.com).
You can ask questions of the Senator through a moderator and get real, immediate responses.

Topics likely to be covered: Clipper I/II/III and Net Censorship

-Shabbir J. Safdar
shabbir at vtw.org

From jf_avon at citenet.net Wed May 22 15:05:04 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Thu, 23 May 1996 06:05:04 +0800
Subject: Misquoting and Vlad (LD?)
Message-ID: <9605221620.AB09031@cti02.citenet.net>

Here, I quote some text that is quoted frequently:

> >> such is the total moral perversion of the thinking behind
> >> "assassination politics". most of the adherents work from the
> >> following argument, nicely summarized by JFA above:
                                             ^^^^^
> >>1. the government is corrupt
> >>2. therefore, it is okay to kill people who further that
> >> corruption. wow, what brilliant logic.

I would appreciate if everybody would stop using that example. No threat or heinous tone here, but simply a reasonable request. I am getting tired of it.

Of course, the collectivist who wrote that sentence is totally wrong because I never said such things in the context he meant them. But again, it is not everybody that followed the thread and I am fed-up of seeing those words attributed to me. I have no problem in building my bad reputation myself. I don't like it when others do it...

So, please, if ever you quote it again, put at the beginning of the paragraph: "Vlad Z. Nuri wrote:" or "Vlad Z. Nuri aka L. D(R)otweiller wrote:"

Thanks and Regards.

JFA

DePompadour, Societe d'Importation Ltee; Limoges porcelain, silverware and crystal
JFA Technologies, R&D consultants; physicists, technologists and engineers.
PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891
I reserve the right to post publicly any private e-mail sent to me.
Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have accepted the above mentioned terms.
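
The fixed-point versus floating-point disagreement in the "The Crisis with Remailers" messages, worked through in C as an added example that is not part of any list message and is not DigiCash code. The 32-bit count of millionths and the range limit 4294.967295 come from Bryce's message; the function names (`fx_parse`, `fx_add`, `micros_via_float` and the rest) and the ten-deposit ledger are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define FX_SCALE 1000000u   /* millionths per whole unit (hypothetical name) */

/* Parse "123.45" into millionths. Returns 0 on success, -1 on malformed
 * input, more than 6 fractional digits, or a value above 4294.967295. */
int fx_parse(const char *s, uint32_t *out)
{
    uint64_t whole = 0, frac = 0, total;
    int digits = 0, frac_digits = 0;

    for (; *s >= '0' && *s <= '9'; s++, digits++) {
        whole = whole * 10 + (uint64_t)(*s - '0');
        if (whole > UINT32_MAX / FX_SCALE)
            return -1;                      /* more than 4294 whole units */
    }
    if (*s == '.') {
        for (s++; *s >= '0' && *s <= '9'; s++, digits++) {
            if (++frac_digits > 6)
                return -1;                  /* refuse to drop precision */
            frac = frac * 10 + (uint64_t)(*s - '0');
        }
    }
    if (*s != '\0' || digits == 0)
        return -1;
    for (; frac_digits < 6; frac_digits++)
        frac *= 10;
    total = whole * FX_SCALE + frac;
    if (total > UINT32_MAX)
        return -1;
    *out = (uint32_t)total;
    return 0;
}

/* Addition that reports overflow instead of wrapping around. */
int fx_add(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a > UINT32_MAX - b)
        return -1;
    *out = a + b;
    return 0;
}

/* Render millionths with all six decimal places shown. */
void fx_format(uint32_t v, char *buf, size_t n)
{
    snprintf(buf, n, "%u.%06u", (unsigned)(v / FX_SCALE), (unsigned)(v % FX_SCALE));
}

/* The same decimal string stored in a 32-bit IEEE 754 float, then rounded
 * back to millionths: shows what the 24-bit significand keeps. */
uint32_t micros_via_float(const char *s)
{
    float f = strtof(s, NULL);
    double scaled = (double)f * FX_SCALE + 0.5;
    if (scaled < 0.0)
        return 0;
    if (scaled >= 4294967296.0)
        return UINT32_MAX;
    return (uint32_t)scaled;
}

/* Constructed ledger: ten deposits of 0.10 checked against a total of 1.00,
 * first in 64-bit doubles, then in integer millionths. Returns 1 if equal. */
int double_ledger_balances(void)
{
    volatile double sum = 0.0;
    for (int i = 0; i < 10; i++)
        sum += 0.10;
    return sum == 1.00;
}

int fixed_ledger_balances(void)
{
    uint32_t dep, total, sum = 0;
    if (fx_parse("0.10", &dep) || fx_parse("1.00", &total))
        return 0;
    for (int i = 0; i < 10; i++)
        if (fx_add(sum, dep, &sum))
            return 0;
    return sum == total;
}

int main(void)
{
    char buf[32];
    uint32_t v;
    if (fx_parse("4294.967295", &v) == 0) {
        fx_format(v, buf, sizeof buf);
        printf("fixed-point : %s\n", buf);
    }
    fx_format(micros_via_float("4294.967295"), buf, sizeof buf);
    printf("via float32 : %s\n", buf);
    printf("double ledger balances: %d\n", double_ledger_balances());
    printf("fixed ledger balances : %d\n", fixed_ledger_balances());
    return 0;
}
```

A 64-bit double has enough significand bits to round-trip any single value in this range, so the double failure here comes from accumulation, not storage.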
From perry at piermont.com Wed May 22 15:06:56 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 23 May 1996 06:06:56 +0800 Subject: The Crisis with Remailers In-Reply-To: <2.2.32.19960521175237.0036cc44@mail.pi.se> Message-ID: <199605221614.MAA23436@jekyll.piermont.com> Matts Kallioniemi writes: > At 17:44 1996-05-21 +0200, bryce at digicash.com wrote: > >Matts, you don't want to do floating point for money, because > >floating point doesn't give you good control of precision. > > Yes I do. Several major currency traders in Sweden keep all > their money in 64 bit floating point storage. I have trouble believing you. None of the forex accounting I know of in the U.S. is done in floating point. It simply isn't accurate enough. It is true enough that *rates* can be stored as floats if you want, but never actual sums. Perry From hendersn at zeta.org.au Wed May 22 15:07:52 1996 From: hendersn at zeta.org.au (Zed) Date: Thu, 23 May 1996 06:07:52 +0800 Subject: SEVERE undercapacity, we need more remailer servers FAST (fwd) Message-ID: <199605221617.CAA05808@godzilla.zeta.org.au> >Had he posted it through a remailer, I think it would have been well >justified. He was obviously blowing the whistle on what he saw as illegal >activities. The only reason that Keith could post NOTS 34 at all was because it had previously been posted to a.r.s anonymously. Prior to that, no-one outside of the Church had a copy of any NOTS materials(or so the Church says). > That's a much different matter than posting the entire NOTs >series, though. The wholesale copying is what most people seem to object >to, though my observations tell me that the "Church" objects to any >copying, even for fair use... Grady Ward got sued by the Church just because he _asked_ for a NOTS pack to be sent to him. The Church will do everything within its not inconsiderable power to prevent NOTS material being disseminated on the Internet - up to and including destroying the anonymous remailer network. 
Zed(hendersn at zeta.org.au) "Don't hate the media, become the media" - Jello Biafra PGP key on request From mpd at netcom.com Wed May 22 15:09:27 1996 From: mpd at netcom.com (Mike Duvos) Date: Thu, 23 May 1996 06:09:27 +0800 Subject: Floating Point and Financial Software Message-ID: <199605221618.JAA04180@netcom7.netcom.com> There seem to be a few mini-flames on the list over whether floating point data representations are appropriate for financial software. In a nutshell, the answer is "YES", and the use of floating point arithmetic is common in such applications. One argument heard against the use of floating point is that it is inherently "imprecise." In reality, floating point representations and the results of floating point operations are perfectly well defined, and the points on the real number line which are exactly representable by double-precision floating point values are usually a superset of those representable by the default integer on most machines. Storing monetary values as double-precision floats having integer values in cents is even common in COBOL programs, where the "COMP-3" data type allows the use of fast floating point in lieu of the default and slow manipulation of packed decimal and decimal data. It is even common in certain CPUs, like CDC Mainframes and SPARCS, which are primarily floating point engines, to omit integer divide and sometimes even multiply, and to provide a subroutine which employs floating point calculations to emulate these operations. This is completely transparent to the user of the machine, and there is no problem in using floating point to do integer operations. In fact, when running financial applications on large engineering mainframes, which generally lack a business instruction set, floating point is not only commonly employed, it is the obvious way to get the maximum performance out of the machine. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. 
$ From iang at cs.berkeley.edu Wed May 22 15:20:27 1996 From: iang at cs.berkeley.edu (Ian Goldberg) Date: Thu, 23 May 1996 06:20:27 +0800 Subject: Is Chaum's System Traceable or Untraceable? In-Reply-To: <199605201902.MAA16278@netcom8.netcom.com> Message-ID: <4nvd96$4k8@abraham.cs.berkeley.edu> -----BEGIN PGP SIGNED MESSAGE----- In article <199605201902.MAA16278 at netcom8.netcom.com>, Bill Frantz wrote: >At 9:10 AM 5/20/96 -0700, Ian Goldberg wrote: >>However, if you use the "fully anonymous" protocol, change becomes trivial. >>You don't have to go online; the payer (the shop) does, which it assumedly >>already is. Another benefit is that coins received in this way as change >>are immediately spendable by you, without having to go online in between. > >Perhaps I am confused, but I see no need for change in the fully anonymous >protocol. I see the fully anonymous protocol as: > >(1) The payee generates a coin for the amount of purchase, blinds it and >gives it to the payer. >(2) The payer blinds it again and gives it to the bank, which signs it >debiting the payer's account. >(3) The payer removes his blinding and gives the signed coin to the payee. >(4) The payee removes his blinding and deposits the coin. > >Step 1 could be called a request for payment (an invoice), step 2 a >withdrawal, step 3 the payment, and step 4 a deposit. > >Is there another version which allows the payee to have an unconnected >wallet of coins and get change in return? In the "normal" protocol, the payee has to go online. In the "anon" protocol, the payer has to go online. Since you don't want to go online when you walk into a shop, you can pay the shop with the "normal" protocol, and the shop gives you change with the "anon" protocol. That way, you never need to go online, and your identity is never compromised. 
- Ian From mark at unicorn.com Wed May 22 15:41:28 1996 From: mark at unicorn.com (Rev. Mark Grant, ULC) Date: Thu, 23 May 1996 06:41:28 +0800 Subject: Bit tax proposal? Message-ID: > All interactive digital information would be subject to the new tax. > Thus digital broadcast and digital radio (all 'one to many' broadcasts) > would be exempted from the tax. Gosh, so the TV and radio companies would get to broadcast tax-free and the rest of us would have to pay. Not like this is intended to turn the scary old Internet into the digital equivalent of the broadcast media. I'm sure that idea never even considered crossing their minds... Hmm, maybe "Cypherpunks Productions" should start broadcasting soap operas and gameshows with email and Usenet stego-ed into the low bits. Mark From roger at coelacanth.com Wed May 22 15:43:57 1996 From: roger at coelacanth.com (Roger Williams) Date: Thu, 23 May 1996 06:43:57 +0800 Subject: FTC online workshop on privacy In-Reply-To: Message-ID: <9605221603.AA0058@sturgeon.coelacanth.com> >>>>> "Declan B McCullagh" writes: > The legislation being introduced at 10:30 am will restrict selling > mailing lists with childrens' names and other identifying info on > them, including email lists. Another attempt to regulate the net, > or a good thing? > Supporting is Christian Coalition, Family Research Council, Enough > is Enough!, Bruce "I wrote the CDA" Taylor's group, and EPIC. Bwahahahaha... So selling mailing lists which identify children is bad, but adding "I'm a minor" tags to TCP/IP packets is good? OK, so where's that Lolita Filter source code again...
-- Roger Williams finger me for my PGP public key Coelacanth Engineering consulting & turnkey product development Middleborough, MA wireless * DSP-based instrumentation * ATE tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/ From perry at piermont.com Wed May 22 15:51:03 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 23 May 1996 06:51:03 +0800 Subject: Floating Point and Financial Software In-Reply-To: <199605221618.JAA04180@netcom7.netcom.com> Message-ID: <199605221706.NAA23567@jekyll.piermont.com> Mike Duvos writes: > There seem to be a few mini-flames on the list over whether > floating point data representations are appropriate for financial > software. > > In a nutshell, the answer is "YES", and the use of floating point > arithmetic is common in such applications. Again, I have seen floating point used for things like rates and in simulations. I have never seen it used for accounting. If you can name a system in which accounts were kept in floats I'd like to hear about it -- personally I'd be surprised. I've never seen such a thing. .pm From bryce at digicash.com Wed May 22 15:57:45 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Thu, 23 May 1996 06:57:45 +0800 Subject: The Crisis with Remailers In-Reply-To: <199605221614.MAA23436@jekyll.piermont.com> Message-ID: <199605221708.TAA00752@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- > It is true enough that *rates* can be stored as floats if you want, > but never actual sums. > > Perry That's interesting. Because rates never approach 2^23, and because you never need that much precision with rates? It seems like a bad idea to me anyway. Why not just use an Int32 if you don't need that much precision? 
Regards, Bryce From perry at piermont.com Wed May 22 16:18:03 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 23 May 1996 07:18:03 +0800 Subject: The Crisis with Remailers In-Reply-To: <199605221708.TAA00752@digicash.com> Message-ID: <199605221731.NAA23607@jekyll.piermont.com> bryce at digicash.com writes: > > It is true enough that *rates* can be stored as floats if you want, > > but never actual sums. > > That's interesting. Because rates never approach 2^23, and > because you never need that much precision with rates? It seems > like a bad idea to me anyway. Why not just use an Int32 if you > don't need that much precision? I only report the news. I have occasionally seen floats in rates, I have never seen them used in accounting. I will also note that rates do indeed get astonishingly precise -- five significant figures. In any case, however, I have never seen accounts done as floats -- never.
.pm From bobpal at cdt.org Wed May 22 16:28:58 1996 From: bobpal at cdt.org (Bob Palacios) Date: Thu, 23 May 1996 07:28:58 +0800 Subject: CDT Policy Post 2.20 - Clinton Administration Floats Clipper III Draft Message-ID: ----------------------------------------------------------------------------- The Center for Democracy and Technology Volume 2, Number 20 ---------------------------------------------------------------------------- A briefing on public policy issues affecting civil liberties online ---------------------------------------------------------------------------- CDT POLICY POST Volume 2, Number 20 May 22, 1996 CONTENTS: (1) Clinton Administration Floats Clipper III Key-Escrow Proposal (2) Join Sen Leahy TODAY (5/22) At HotWired to Discuss His Crypto Bill (3) Subscription Information (4) About CDT, contacting us ** This document may be redistributed freely with this banner intact ** Excerpts may be re-posted with permission of ----------------------------------------------------------------------------- (1) CLINTON ADMINISTRATION FLOATS 'CLIPPER III' KEY ESCROW PROPOSAL The Clinton Administration Tuesday (5/21) unveiled a new encryption policy proposal which would use a government-sanctioned key certification system as an incentive to virtually impose key escrow on domestic users. The draft proposal, "Achieving Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure" (already dubbed Clipper III), seeks to establish a "public key infrastructure" for encryption.
Broadly speaking, a public key infrastructure would enable users to clearly identify the people they are communicating with and facilitate key management, and is widely viewed as an important component of a secure and trusted communications environment. However, the Clipper III would establish this infrastructure at a price: All users of the public key infrastructure would have to ensure government access to their encryption keys through an approved key escrow authority. A detailed analysis of the Administration's latest draft proposal is attached below. Among other concerns: * The proposal is hardly voluntary - Key-escrow would become a prerequisite for participation in the Global Information Infrastructure. * The proposal contains few guidelines for how keys would be shared with foreign governments. * The proposal encourages the collection of highly sensitive private key information. * The proposal does not address major privacy concerns such as liability for key holders, limitations on law enforcement access, audit requirements, and other concerns that many have already identified as crucial to protecting individual privacy even in a voluntary key escrow system. CDT believes that the Administration's draft proposal does not meet the privacy and security needs of Internet users or the demands of the marketplace. While the proposal represents real progress by the Administration in recognizing the importance of encryption and the value of a public key infrastructure, in reality it provides few provisions to protect individual privacy. Moreover, the Clipper III proposal, like its predecessors, continues to put law enforcement and national security concerns above the privacy and security needs of the American public. The latest Administration proposal comes in the midst of Congressional efforts to relax encryption export controls and encourage the widespread use of strong, easy-to-use encryption and prohibit the government from imposing key escrow domestically. 
It also comes in the wake of a letter signed by over 27 Representatives last week urging the Administration to abandon its key-escrow initiative (See CDT Policy Post 2.19) A copy of the Draft proposal is available on CDT's encryption policy web page (http://www.cdt.org/crypto). SUMMARY OF THE PROPOSAL: ------------------------ Taking a nod from the efforts currently under way through the European Commission to establish a Public Key Infrastructure (PKI) in Europe, the Clipper III seeks to establish a means of ensuring authentication and key management for Americans. Among other things, the Clipper III draft proposal: * RECOGNIZES THAT THE GOVERNMENT SHOULD NOT IMPOSE ENCRYPTION STANDARDS ON MARKET: One positive element of the new proposal is an explicit recognition of the importance of encryption and the need for private sector, as opposed to government solutions. The draft states, "Government can no longer monopolize state of the art cryptography ... It is unrealistic to believe that government can produce solutions which keep ahead of today's rapidly changing information technology". * ESTABLISHES KEY MANAGEMENT INFRASTRUCTURE: The draft proposal would create a new public key infrastructure designed to tie individuals and entities to their public keys. * RELAXES EXPORT CONTROLS FOR KEY ESCROW PRODUCTS: The new draft would continue and expand the effort started with the Clipper II proposal by allowing the export of software with 64 bit key lengths (80 bits for hardware) on the condition that products contain a key-escrow function. Keys could be escrowed in the United States or where the US has a bilateral escrow agreement. Other exports to certain markets would be considered on a case-by-case basis. * PROVIDES FOR 'SELF ESCROW' OF ENCRYPTION KEYS: Self Escrow (where a corporation or individual could become an escrow agent for its own private keys) would be permitted, though the exact conditions of and obligations are not specified in the draft. 
MAJOR FLAWS IN THE CLIPPER PROPOSAL RENDER IT A NON-STARTER ----------------------------------------------------------- * CLIPPER III IS NOT VOLUNTARY & MAKES KEY-ESCROW A PRECONDITION FOR PARTICIPATION IN THE GLOBAL INFORMATION INFRASTRUCTURE While the Administration deserves credit for recognizing that a trusted public key infrastructure is an important component of a workable National Encryption policy, the latest proposal attempts to use the need for a public key infrastructure as a means to impose key escrow domestically. Although the Administration has repeatedly stressed that any key-escrow initiative would be a voluntary system, the text of the latest draft directly contradicts that contention. The proposal states that in order to participate in the Global Information Infrastructure, users will need to escrow their keys; if they choose not to participate in the key infrastructure, "users cannot know with whom they are dealing on the network, or sending money too, or who signed a document, or if the document was intercepted and changed by a third party." (page 3). The proposal goes on to state: "To participate in the network a user needs a public key certificate signed by a CA [Certification Authority] which 'binds' the user's identity to their public key. One condition of obtaining a certificate is that sufficient information (e.g., private keys or other information as appropriate) has been escrowed with a certified escrow authority to allow access to a user's data or communications." (page 5) In other words, the Clipper III proposal would require individuals and businesses to use key-escrow encryption as a condition of participating in the Global Information Infrastructure. Under the proposal, an individual cannot obtain certification by a Key Certification Authority (a necessity under the Clipper III scheme) unless he or she registers with a "certified escrow authority". 
There is no technical or structural reason (beyond law enforcement access) why key escrow must be a component of a public key infrastructure. In fact, a robust example of a public key infrastructure exists today for exchanging PGP keys (the PGP public key server at MIT ). * CLIPPER III TARGETS DOMESTIC USERS While export controls have ostensibly been aimed at controlling the use of encryption by foreign users (and indirectly, at domestic users as well), the Clipper III proposal is aimed directly at the domestic use of encryption and seeks to establish a system whereby key escrow becomes a de-facto component of domestic encryption products. * RAISES MAJOR QUESTIONS WITH RESPECT TO INTERNATIONAL KEY EXCHANGE In order to work, Clipper III assumes bi-lateral agreements between the US and other countries with respect to law enforcement access to escrowed keys, who could legally be an escrow agent, and other factors. Currently no such agreements exist. Bilateral agreements also raise important privacy issues, including how to deal with releasing keys to foreign governments, particularly those without any tradition of privacy protections. Finally, a patchwork of international agreements can create problems for interoperability. The same encryption and/or authentication scheme exportable to Germany or England might not be exportable to India or China in the absence of appropriate bi-lateral agreements. * CONTAINS NO PRIVACY PROTECTIONS/RESTRICTIONS ON LAW ENFORCEMENT ACCESS TO ESCROWED KEYS: Like Clipper and Clipper II, the latest proposal does not squarely address standards for law enforcement access to escrowed keys, unauthorized disclosure of keys by escrow agents, and other privacy issues associated with key escrow. * CREATES VULNERABILITY AND INSECURITY BY ENCOURAGING STORAGE OF PRIVATE KEYS: The proposal suggests that escrow agents hold either a user's private key or "other information as appropriate".
Allowing escrow agents to accumulate private keys creates severe vulnerabilities in the network. Once a private key is disclosed (either to law enforcement or to an unauthorized third party), *every* communication using that key is compromised. Although the draft does attempt to limit this concern by allowing escrow agents to hold "other information", the proposal nowhere specifies what that would be. NEXT STEPS ---------- Congress is currently considering legislation which would head off the Administration's efforts to encourage domestic key-escrow encryption schemes and promote the widespread availability of strong, easy-to-use encryption technologies. Several bills, including S.1726 (the Pro-CODE bill) sponsored by Senators Burns (R-MT), Leahy (D-VT), Dole (R-KS), Pressler (R-SD), Wyden (D-OR) and others, along with HR 3011, sponsored by Reps Goodlatte (R-VA), Eshoo (D-CA), Campbell (D-CA) and over 25 others are currently being considered by Congress. Both bills would relax export restrictions and prohibit the government from imposing key escrow domestically. CDT looks forward to working with Members of Congress to pass legislation that encourages the widespread availability of strong, easy-to-use encryption technologies based on marketplace, not government, standards. ----------------------------------------------------------------------- (2) JOIN SENATOR LEAHY TODAY (Wed 5/22) TO DISCUSS PRIVACY AND SECURITY ONLINE Senator Patrick Leahy (D-VT), the "Senior Senator from Cyberspace", ardent proponent of Net.Freedom and co-sponsor of 2 bills to repeal encryption export controls, will hold an online "town meeting" on Wednesday May 22 to discuss privacy and security online. DETAILS ON THE EVENT * Wednesday May 22, 4 - 5 pm ET (1 pm Pacific) on HotWired URL: http://www.hotwired.com/wiredside/ To participate, you must be a registered HotWired member (there is no charge for registration).
You must also have RealAudio(tm) and a telnet application properly configured to work with your browser. Please visit http://www.hotwired.com/wiredside/ for information on how you can easily register for Hotwired and obtain RealAudio. Wednesday's town meeting is another in a series of planned events, and is part of a broader project coordinated by CDT and the Voters Telecommunications Watch (VTW) designed to bring the Internet Community into the debate and encourage members of Congress to work with the Net.community on vital Internet policy issues. Events with other members of Congress working on Internet Policy Issues are currently being planned. Please check http://www.crypto.com for announcements of future events ------------------------------------------------------------------------ (3) SUBSCRIPTION INFORMATION Be sure you are up to date on the latest public policy issues affecting civil liberties online and how they will affect you! Subscribe to the CDT Policy Post news distribution list. CDT Policy Posts, the regular news publication of the Center For Democracy and Technology, are received by more than 9,000 Internet users, industry leaders, policy makers and activists, and have become the leading source for information about critical free speech and privacy issues affecting the Internet and other interactive communications media. To subscribe to CDT's Policy Post list, send mail to policy-posts-request at cdt.org with a subject: subscribe policy-posts If you ever wish to remove yourself from the list, send mail to the above address with a subject of: unsubscribe policy-posts ----------------------------------------------------------------------- (4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. 
The Center's mission is to develop and advocate public policies that advance democratic values and constitutional civil liberties in new computer and communications technologies. Contacting us: General information: info at cdt.org World Wide Web: URL:http://www.cdt.org/ FTP URL:ftp://ftp.cdt.org/pub/cdt/ Snail Mail: The Center for Democracy and Technology 1634 Eye Street NW * Suite 1100 * Washington, DC 20006 (v) +1.202.637.9800 * (f) +1.202.637.0968 ----------------------------------------------------------------------- End Policy Post 2.20 5/22/96 ----------------------------------------------------------------------- From R.Hirschfeld at cwi.nl Wed May 22 16:41:00 1996 From: R.Hirschfeld at cwi.nl (R.Hirschfeld at cwi.nl) Date: Thu, 23 May 1996 07:41:00 +0800 Subject: The Crisis with Remailers In-Reply-To: <2.2.32.19960522141400.00340478@mail.pi.se> Message-ID: <9605221739.AA03647=ray@groen.cwi.nl> Despite the ugliness of floating point arithmetic (lack of associativity, for example) and my general distaste for it, I would have to agree that 64-bit floats are higher precision than 32-bit fixed-points, since more than half the bits are mantissa. Do major currency traders really store money as 64-bit floats? It surprises me. By the way, I thought the "get real" pun was funny and not at all disparaging. But I hope that "get rational" is good enough for currency exchange. From frantz at netcom.com Wed May 22 16:47:20 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 23 May 1996 07:47:20 +0800 Subject: Clipper III analysis Message-ID: <199605221756.KAA01022@netcom8.netcom.com> John Gilmore wrote an excellent description of GAK 3 (aka Clipper III, aka Enabling Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure). Here are a couple of other points that even the proponents of this scheme should agree to: (1) GAK3 does not provide for the significant public purpose of protecting dissident groups under repressive regimes. 
Human rights groups in Bosnia/Serbia have used PGP to protect their files. Since their computers have been frequently seized, the only protection for those people who have made human rights complaints has been that the local government has not had access to the keys. (2) The paper fails to differentiate between the needs of communication privacy and data storage privacy. No rational person would want to GAK their communication keys. Data lost because keys are lost can always be retransmitted. Since communications are easy to intercept, having a long term GAK key greatly increases the chances that the long term key will be stolen and the session keys intercepted. Communication session keys should be decided by techniques such as Diffie Hellman which ensure that the only entities with access to the key are the programs/hardware at each end of the link. A better case for escrowing long term data storage keys can be made. Physical security provides some protection for the cyphertext. Loss of a key can mean loss of the data. However, it is not clear why encrypting for data storage is any different from storing confidential data in a safe. If the government has a legitimate need to access the data, they can access it through the same legal processes they use to access data in safes. While long term data storage can use escrow agents, it does not need GAK for any legal public purpose. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From AFDA2 at aol.com Wed May 22 17:01:46 1996 From: AFDA2 at aol.com (AFDA2 at aol.com) Date: Thu, 23 May 1996 08:01:46 +0800 Subject: Criminal Law Web Site Message-ID: <960522133157_496416046@emout09.mail.aol.com> The upgraded Web site for the Association of Federal Defense Attorneys (AFDA) is now available at http://www.afda.org The site provides several valuable tools for criminal defense attorneys who practice in the federal courts: (1) a convenient compilation of over 100 Web sites pertaining to federal law, including search capabilities through all the statutes and case law rulings; (2) an online newsletter that is updated weekly; (3) a message board; (4) a form library for downloading documents (we will soon begin uploading documents to the library); (4) a listing of upcoming seminars for which you can register online; (6) a feedback form so that you can give us your comments and suggestions; (7) and a survey function so that we can conduct polls within the criminal defense bar online for submission to Congress. The Web site is financed through membership dues on a non-profit basis. Until mid-June, the site will be free to all users but will then become password-protected for members only. We hope you will take advantage of this important resource and join the Association so that we can continue providing the defense bar with needed support. To join, simply click the "Join AFDA" bar on the main page of the Web site. Best regards to all. Greg Nicolaysen (Los Angeles) From jimbell at pacifier.com Wed May 22 17:10:42 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 23 May 1996 08:10:42 +0800 Subject: Another Analysis -- Re: NIST Draft Key Escrow Paper Message-ID: <199605221827.LAA23713@mail.pacifier.com> At 11:35 AM 5/22/96 -0400, Joseph M. Reagle Jr. 
wrote: >Declan McCullagh and Gilmore have already provided a brief summary of the >doc, here are a few thoughts I sent to some others last night: [schtuff deleted] >So Clipper III is a bit meaner and leaner. If Clipper I would have sunk >because of sheer clumsiness, a sleeker ship carrying the same load will now >be developed by the free market. The load is the assumption that citizens >can be "compelled in any criminal case to be a witness against himself." I didn't notice any specific reference to the difference between materials encrypted for long-term storage or transmission (data, email) and on the other hand audio telephone communications, the original stated application for the Clipper chip. I can't see any reason that an individual would want the key to his own crypto telephone keys escrowed; unlike the key for data on a computer, which at least theoretically might be lost, the cryptophone data is by definition lost as soon as it is used. Therefore, I can see no argument which would make a person support this key escrow for that purpose. Since the whole system is supposed to be "voluntary", who is going to accept this? Jim Bell jimbell at pacifier.com From llurch at networking.stanford.edu Wed May 22 17:32:47 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 23 May 1996 08:32:47 +0800 Subject: FTC online workshop on privacy In-Reply-To: Message-ID: On Wed, 22 May 1996, Declan B. McCullagh wrote: > The legislation being introduced at 10:30 am will restrict selling > mailing lists with childrens' names and other identifying info on them, > including email lists. Another attempt to regulate the net, or a good > thing? I'd have to see the bill, but I think it's a good general idea, provided there's the caveats KNOWINGLY and WITHOUT THEIR [parent/guardian's] KNOWLEDGE. As much as I hate direct marketers, I don't want them subject to malicious and arbitrary prosecution because one address out of thousands happens to belong to a kid. 
On second thought, why are kids different than adults? Selling lists of women? Gays? Kids aren't the only group subject to harassment. > Supporting is Christian Coalition, Family Research Council, Enough is > Enough!, Bruce "I wrote the CDA" Taylor's group, and EPIC. They're not *always* wrong. Oh, EPIC too, eh? -rich From bruce at aracnet.com Wed May 22 17:34:06 1996 From: bruce at aracnet.com (Bruce Baugh) Date: Thu, 23 May 1996 08:34:06 +0800 Subject: The Crisis with Remailers Message-ID: <2.2.32.19960522172644.006bb3f4@mail.aracnet.com> At 12:30 AM 5/22/96 EDT, E. ALLEN SMITH wrote: > Would you suspect that having more warning labels (before & after, >not just in the headers) would help with any negative reputation thus >generated? Probably not. Does it really matter how many times I tell you "I'm not being a jerk" if everything I send you is in fact jerky? (FBI and "this is not an assault", anyone?) Pointing people at legitimate uses of anonymity, as various folks have suggested, is undoubtedly a good idea. Would anyone care to suggest a few newsgroups where the vast majority of anonymous posts have really good reasons for being so? In cases where there's been serious abuse of remailers that's been caught and dealt with, some PR on the part of remailer operators might go a long way toward helping things. "Yes, this person was doing loathsome things, but we put a stop to it [insert details here." >put into public view... I see no reason to give lawyers more of a privilege >than religious/psychiatric individuals. Ditto. Likewise, I liked the instance last year of a student applying for the mail logs of the local (state?) government. It is Good for rulers to feel the same weight of the rules they impose on others. -- Bruce Baugh bruce at aracnet.com http://www.aracnet.com/~bruce From perry at piermont.com Wed May 22 17:48:28 1996 From: perry at piermont.com (Perry E. 
Metzger)
Date: Thu, 23 May 1996 08:48:28 +0800
Subject: The Crisis with Remailers
In-Reply-To: <2.2.32.19960522141400.00340478@mail.pi.se>
Message-ID: <199605221857.OAA23701@jekyll.piermont.com>

Matts Kallioniemi writes:
> What do you think will happen if you have a one Italian lira coin and
> you try to deposit it with Mark Twain's USD account? With integer
> math it won't be pretty.

Fixed point math is not ugly. It is the only way to go if you are representing currency and thus cannot afford loss of precision -- and isn't particularly onerous to use.

Perry

From declan+ at CMU.EDU Wed May 22 17:49:27 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Thu, 23 May 1996 08:49:27 +0800
Subject: FTC online workshop on privacy
In-Reply-To: <01I4ZKWPMI7K8Y5IL9@mbcl.rutgers.edu>
Message-ID:

Excerpts from internet.cypherpunks: 22-May-96 Re: FTC online workshop on .. by Declan McCullagh at CMU.EDU
> The legislation being introduced at 10:30 am will restrict selling
> mailing lists with children's names and other identifying info on them,
> including email lists. Another attempt to regulate the net, or a good
> thing?

Whoops. I should have said the press conference happened at 10:30 am. The bill will be introduced in both houses later this week.

Interesting press conference. Enough is Enough! took quite a bit of time to rant about the dangers of the Internet. Pedophiles, chat rooms, illegal pornography. You get the idea.

Did you know May 20-26 is "Safe Cyber Week?"
-Declan

From drosoff at arc.unm.edu Wed May 22 18:07:56 1996
From: drosoff at arc.unm.edu (David Rosoff)
Date: Thu, 23 May 1996 09:07:56 +0800
Subject: An alternative to remailer shutdowns (fwd)
Message-ID: <1.5.4.16.19960522184009.4f4f8220@arc.unm.edu>

-----BEGIN PGP SIGNED MESSAGE-----

At 10:24 AM 5/21/96 -0800, jim bell wrote:
>At 06:28 PM 5/20/96 -0500, Jim Choate wrote:
>>
>>Forwarded message:
>>
>>> Date: Mon, 20 May 1996 15:02:08 -0700
>>> From: Hal
>>> Subject: An alternative to remailer shutdowns
>>
>>> was apparently sent through my remailer. According to 18 USC 875(c),
>>> "Whoever transmits in interstate commerce any communication containing
>>> any threat to kidnap any person or any threat to injure the person of
>>> another, shall be fined not more than $1,000 or imprisoned not more
>>> than five years, or both." I may not be able to continue operating
>>> either of my remailers (alumni.caltech.edu and shell.portal.com) for
>>> much longer due to this kind of abuse.
>>
>>There should be a section in there dealing with 'knowingly'. If not then we
>>should immediately bring charges against any and all newspapers who have
>>ever printed a ransom letter, or perhaps even the Unabomber Manifesto since
>>there is clear evidence of 'threat to injure the person of another'.
>
>But even "knowingly" needs to be carefully defined. A remailer operator
>today KNOWS that his system COULD be used for illegal activities; he merely
>doesn't know that they are, currently. I think that the definition should
>be so narrow that it is impossible for a third party (or the government
>itself) to incriminate the remailer operator by having his system forward
>arguably illegal or copyright-violating material.
>
>
>Jim Bell
>jimbell at pacifier.com

Can the same sort of standards as per the U.S. CDA be applied? The first draft of the CDA would have held ISPs responsible for, e.g., porn transmitted using their services.
Isn't this the same sort of thing - that is, that remailer operators provide a service, and they cannot be held responsible for people who abuse that service? I think that this line of thought is reasonable.

David

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMaNZlxguzHDTdpL5AQGkIgQAkfTaXyFp32yX1CiKK/7xlfvojYK+oG2U
BWS5w2gMWeorRB1jPJW3Aec3cAlUQCoYg7TOd+Z8EgHWqHxR30cDUBd56oq1wlmf
0X3d2rjnM64Bcq8gonFXPxeSU+C3O0qobdj58BUpo+o2ueNo0sPGLK79KKAHuhWW
oBBXV6jGTWc=
=AXOt
-----END PGP SIGNATURE-----

From perry at piermont.com Wed May 22 19:20:57 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Thu, 23 May 1996 10:20:57 +0800
Subject: ecash representation
Message-ID: <199605221908.PAA23731@jekyll.piermont.com>

In my last article, I slightly screwed up. A signed 32 bit fixed point number, with two places of precision (less than you need when calculating things like interest and what have you, but let's be generous) has a maximum representation of even less than I off the cuffed -- a mere 21,474,836.48. This is hardly sufficient for accounting.

However, floating point is even less useful.

.pm

From mpd at netcom.com Wed May 22 19:34:04 1996
From: mpd at netcom.com (Mike Duvos)
Date: Thu, 23 May 1996 10:34:04 +0800
Subject: The Twilight of the Remailers?
In-Reply-To: <9605221917.AA00675@nwk2_ocalsl>
Message-ID: <199605222008.NAA02211@netcom16.netcom.com>

Andrew Loewenstern writes:

Mike Duvos writes:

>> Contrast this with a DC-Net of boxes which can covertly inject
>> packets into the Net, in some untraceable manner. Now we have
>> no identifiable "Hal" to be harassed, and no one for the
>> Clams to aim their lawyers at.

> While this is a nice thought, it is incorrect. You can't
> "covertly inject packets into the Net, in some untraceable
> manner."

You can temporarily modify router tables, spoof IPs and idents, and leave few traces behind once the data has been transferred, particularly if the origin is some obscure foreign location.
> The output of the DC net is simply a block of
> random-looking bits for each member of the net. Someone
> must XOR each of the blocks together before the message is
> readable.

Correct. But I was mentioning DC-Nets only in the context of a mechanism for permitting the dispersed parts of such a system to communicate with each other, without identification of a particular node as being responsible for a particular action.

> If the addressee is not personally watching the DC-net and
> assembling all the blocks looking for a message, someone
> else must do that and put it out on the Internet (via
> e-mail, usenet, IRC, etc...). That someone is the person
> who is going to take the heat for the message. It is
> exactly the same situation as with current remailers:
> someone gets mail they don't like, they trace it back as far
> as possible (i.e., to the remailer operator). The last
> person holding the 'hot-potato' gets burned.

The idea here was to have a large number of nodes, each capable of injecting data into the Net in a manner which cannot be easily traced back to an individual. These nodes would talk to each other using a mechanism which obscured both eavesdropping and traffic analysis of their communications, a DC-Net being one possible way of doing this.

> Since it looks like the "everyone's a remailer" dream is
> not becoming a reality, the key to successful remailers is
> to make the *operators* untraceable as well. If you can't
> trace the operator, you can't hold them liable. We have
> discussed techniques for doing this before: cash paid
> accounts, using dialups (possibly from a public phone).
> The remailer must be a 'sacrificial cow' that can be
> snatched up by 'authorities' at any time.

You could get the same effect with an instant anonymous account that could be purchased with Ecash. You would buy it on the spot, send your mail, and forget about it.
For all practical purposes, it would serve the same function as a remailer, and steps could be taken to obscure the identity of whoever had telnetted to it.

Another possible approach is the "remailing packets" one. You could set up a packet remailer which could be used as a universal proxy server in some untouchable foreign location. If we had a "packet remailer in a box", these things could pop up all over the place, live a short time, and be nuked. Since the communication would be real-time, concerns over reliability and delivery would not exist in the same way they do for the current system of remailers.

> Because it takes considerable time, effort, and money to
> set up and run a remailer that is untraceable to the
> operator, there must be compensation. The solution is a
> typical cypherpunk one: Digital cash postage that is
> collected by the remailer, encrypted with a public key, and
> posted to alt.anonymous.messages. Our untraceable remailer
> operator sits back and collects the cash until the remailer
> is forcibly shut-down. Then he starts up a new one
> (assuming this is profitable).

I don't think most people are going to pay to remail. Or, to put it another way, the types of traffic people will pay to remail are those no remailer operator will want to touch with a barge pole.

> The age of remailers with publicly known operators is
> drawing to a close. Basically the only missing link is the
> digital postage. If we get that, then being an anonymous
> remailer operator could be the first cryptoanarchist job
> that basically anyone can get and where you can collect
> money completely untraceably and tax-free. To me that seems
> like a big step towards the future that many of us have been
> discussing for the past few years. A very exciting
> prospect.

Perhaps. Time will tell.

--
Mike Duvos         $ PGP 2.6 Public Key available $
mpd at netcom.com  $ via Finger.                   $

From vznuri at netcom.com Wed May 22 19:37:12 1996
From: vznuri at netcom.com (Vladimir Z.
Nuri)
Date: Thu, 23 May 1996 10:37:12 +0800
Subject: the system CAN work
In-Reply-To:
Message-ID: <199605222009.NAA01919@netcom11.netcom.com>

> I might be wrong here, but I don't think that Mr. Bell actually
>wants anyone actually shot, well, maybe he does, but what he wants is to
>have the same power over members of governments than they have over him.

the way to exercise power of the government is to organize and wield that power. JB and others are people who have never tried this process and in fact are dysfunctional human specimens whose sheer irritability causes them to be incapable of successfully interacting in a society. so, like Ted Kaczynski, they come up with their own novel solution.

JB reminds me of people who start to play a game, but then find that they are losing by the rules of the game, and then throw up the game and hit their opponent.

the rules of the game of our government are mostly fair. there are legitimate ways to revolutionize the system, working from the inside. those working on overthrowing it have no qualifications. have they personally tried to organize? of course they claim it is fruitless. but I think it is only fruitless because everyone claims it is. if everyone acted as if it wasn't fruitless, it wouldn't be.

the recent actions in congress regarding clipper are STRONG EVIDENCE that our political system will respond to our demands, and more so the more pressure we put on it. it would have been unthinkable even say 6 months ago to imagine senators publicly opposing Clipper. we not only have Burns outright opposing Clipper and the Clinton administration's stand, we also have Dole up there as well. they have made it a MAJOR ISSUE. we have very strong pro-crypto bills in the works. the whole idea of the senators even taking an INTEREST in this case was unthinkable only a short time ago. yet the system has changed DRAMATICALLY.

you expect the tax code to be abolished TOMORROW?? sorry, it won't happen.
but the amazing resonance of the flat tax with Forbes this year, which again would have been unthinkable only a few years ago, shows that strong currents are coming to bear on the system.

do you hear any cpunks rejoicing about these new dramatic victories and motions? no, because they are mostly a bunch of whining nihilists, anarchists, and cynics. no matter what happens, they will tell you that the sky is falling and Big Brother is still hiding in your closet, that the world is hopeless so we might as well just go out and shoot our enemies.

they want instant gratification. they don't want to work to have a better system, they would much rather kill a few people in government this weekend and get the satisfaction from it. "ah, a job well done" they would conclude. perhaps so, by their standards.

why am I so incensed at all the APers? because they don't realize they will devastate our society far more than it is already devastated. we don't have a great system now, but what they are proposing is an apocalypse of sanity.

our system can be pressured to change. are we acknowledging how pathetic our skills are in manipulating politicians? how can it be that a government that is so corrupt can have such power over you? are you saying that you are powerless against it? it takes two to tango. a corrupt government is the perfect match for a corrupt populace.

From perry at piermont.com Wed May 22 19:41:12 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Thu, 23 May 1996 10:41:12 +0800
Subject: The Crisis with Remailers
In-Reply-To: <9605222009.AA04459=ray@groen.cwi.nl>
Message-ID: <199605222104.RAA23933@jekyll.piermont.com>

R.Hirschfeld at cwi.nl writes:
> > Date: Wed, 22 May 1996 15:04:04 -0400
> > From: "Perry E. Metzger"
> >
> > Floating point systems are built to do approximate math on a very wide
> > range of number sizes. Accounting systems require exact math -- down
> > to the cent. Floats aren't suitable.
>
> I completely agree.
> But are the usual fixed-point representations
> adequate for exchange rates, where it's not a matter of "down to the
> cent" but of ratios of cents and centimes?

It depends on the number of significant figures you need to represent. Forex usually involves numbers with five significant figures, which can be represented fairly conveniently in fixed point.

Perry

From R.Hirschfeld at cwi.nl Wed May 22 19:57:40 1996
From: R.Hirschfeld at cwi.nl (R.Hirschfeld at cwi.nl)
Date: Thu, 23 May 1996 10:57:40 +0800
Subject: The Crisis with Remailers
In-Reply-To: <199605221904.PAA23720@jekyll.piermont.com>
Message-ID: <9605222009.AA04459=ray@groen.cwi.nl>

> Date: Wed, 22 May 1996 15:04:04 -0400
> From: "Perry E. Metzger"
>
> Floating point systems are built to do approximate math on a very wide
> range of number sizes. Accounting systems require exact math -- down
> to the cent. Floats aren't suitable.

I completely agree. But are the usual fixed-point representations adequate for exchange rates, where it's not a matter of "down to the cent" but of ratios of cents and centimes? Is an exact representation of rationals (e.g., pairs of integers) needed?

From mpd at netcom.com Wed May 22 20:01:24 1996
From: mpd at netcom.com (Mike Duvos)
Date: Thu, 23 May 1996 11:01:24 +0800
Subject: The Crisis with Remailers
In-Reply-To: <199605221904.PAA23720@jekyll.piermont.com>
Message-ID: <199605222051.NAA20284@netcom21.netcom.com>

Perry Writes:

> Floating point systems are built to do approximate math on a very wide
> range of number sizes. Accounting systems require exact math -- down
> to the cent. Floats aren't suitable.

Calling floating point math "approximate" is a bit of a misnomer. Floating point numbers all correspond to exact points on the real number line. The floating point number taken as the result of an operation, if that result is not another floating point number, is always chosen consistently in a way which has minimum error and zero bias.
Floating point numbers can be used to do exact integer arithmetic quite easily. A 48 bit mantissa can represent 14 decimal digit signed integers with no loss of precision, and $999,999,999,999.99 is more than enough magnitude for most bean counters.

--
Mike Duvos         $ PGP 2.6 Public Key available $
mpd at netcom.com  $ via Finger.                   $

From jad at dsddhc.com Wed May 22 20:04:27 1996
From: jad at dsddhc.com (John Deters)
Date: Thu, 23 May 1996 11:04:27 +0800
Subject: The Crisis with Remailers
Message-ID: <2.2.32.19960522214836.003432fc@labg30>

At 12:14 PM 5/22/96 -0400, Perry wrote:
>
>Matts Kallioniemi writes:
>> At 17:44 1996-05-21 +0200, bryce at digicash.com wrote:
>> >Matts, you don't want to do floating point for money, because
>> >floating point doesn't give you good control of precision.
>>
>> Yes I do. Several major currency traders in Sweden keep all
>> their money in 64 bit floating point storage.
>
>I have trouble believing you. None of the forex accounting I know of
>in the U.S. is done in floating point. It simply isn't accurate
>enough.
>
>It is true enough that *rates* can be stored as floats if you want,
>but never actual sums.

I wish there were a hard-and-fast rule that this were true. I work in Point Of Sale (POS or cash registers), and occasionally we will see a vendor whose software stores money/currency in floating point data types. I try very hard to make sure we do not purchase their software, because this implies the most gross lack of understanding imaginable. Floating points are simply not accurate when you're performing math on other people's money.

And, yes, rates are acceptable to store and use as floats, but even the conversion process ultimately yields a long, not a float. And, we usually go out of our way to code rates up as integers and perform the decimal point shifting in code. In the currency class we use, we have an exponent property that defines where the decimal point is.
I imagine that by converting the exponent from a short to a long we could even handle lira! :-) *

* Note to persons who respect the Italian economy**: That was a joke!

** Note to persons who believe there are people who respect the Italian economy: That was a joke!

-john
--
J. Deters

From Senator C. Burns' Pro-CODE bill, which I support and you can find at:
http://www.senate.gov/member/mt/burns/general/billtext.htm

" (2) Miniaturization, disturbed computing, and reduced transmission costs make communication via electronic networks a reality."

+---------------------------------------------------------+
| NET: jad at dsddhc.com (work) jad at pclink.com (home)    |
| PSTN: 1 612 375 3116 (work) 1 612 894 8507 (home)       |
| ICBM: 44^58'33"N by 93^16'42"W Elev. ~=290m (work)      |
| PGP Key ID: 768 / 15FFA875                              |
+---------------------------------------------------------+

From jf_avon at citenet.net Wed May 22 20:08:50 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Thu, 23 May 1996 11:08:50 +0800
Subject: (Fwd) Re: TCM: mafia as a paradigm for cyberspace
Message-ID: <9605222053.AA24683@cti02.citenet.net>

Take note: If you want me to read you, cc me since I unsubscriVed :) from Cypherpunks...

While frothing at the mouth (and god knows what other sphincters...), on a 22 May 96 at 12:37, somebody that behaves like a Rottweiler wrote:

> oh, so in other words, a lot of "innocent" people will be murdered
> under AP. ah, another great "feature", not a "bug", right??

Yes, but please note that the point for the validating of his statement is that even if this will happen, overall, *less innocents* will suffer from the seemingly random violence of AP than from the actual system. He might be wrong, but you seem to bring no new knowledge that would elucidate the question. Should the US have not dropped the A-Bomb on Japan and let happen 10 times more casualties (from both sides)?
The following paragraphs illustrate very well the way our local Rottweiler sees the world, which is very close to the vision of most statists.

> ah, like murder. I see. well, I think you are violating my rights
> by disagreeing with me. I shall arrange your consequences
> accordingly.

> but who decides what is wrong? the arbitrary opinion of some single
> human idiot out anywhere in the world? don't you see the tyranny of
> this?

> it is far worse than the tyranny of a government if I were to
> be killed by someone who believes that I violated his rights by
> breathing air particles or whatever. via AP, you wish to give him
> the mechanism to murder me without trace.

Why do you fear so much for yourself? I guess, those who want to murder for all sorts of reasons like hunting white baby seals or smoking in public simply share your psycho-epistemology. They would have no reasons to put a contract on you. Or would they anyways?

> deny rights, legitimacy, justice, blah, blah, blah. the terms you
> use have no meaning in the system you are advocating. there are no
> "rights" in an anarchy, because a government is the entity created
> to safeguard/protect them. all actions are legitimate in an
> anarchy, because there is no civilized system that rejects any ones
> in particular.

By definition, you are right. But note that *they* never advocated true anarchy, only *you* claim that they do. Their vision of Life clearly entails some vision of Rights, Rules of Conduct, etc. They did *not* rule out laws, they only said that they do not like laws that are there to oppress people.

Now, might you say, how are you gonna know? Because your philosophy is somewhat of a cross between Nietzsche and Sartre, you see no way out. But they (proponents of AP) have a vision of life that values, as the good old American constitution says, life, liberty and "pursuit of happiness".

I might even agree with you, dear Rotty, that Jim Bell is a bit naive and shows a kind of outdated philosophy.
Jim Bell et al. entertain the delusion that human beings are intrinsically joyous rational animals that, most of the time, love life. Therefore, for them, the AP scheme cannot lead to anything but a kind of laissez-faire world where everybody would be able to pursue happiness to the best of their abilities.

OTOH, you believe that the natural tendency of AP would bring a world as you describe it vocally here. A world where the essence of Mankind is not to be a rational animal, but an animal, period. In that vision, you believe that a bloodthirsty beast within us will always take over. Maybe you learned that truth from your *own* life experience, I have no idea. So, according to your logic, anybody who doesn't like you will put a prize on your head, and probably look up the necrology section of the paper every day while giggling.

And here, I have to concede that you may be right. After all, what philosophy ran the country since a hundred years? Huhh? So many people are so convinced of that that AP might very well turn against its originator and further corruption. Don't you think so?

> if you think that a government is a tyranny, perhaps you are not
> aware of the tyranny of the irrationality of individual men.

That sentence should earn one of the top spots of the CP top-ten-of-the-year list! ROTFL and L and L and L !

> it will "work" exactly as anonymous murdering now works.

Nobody is more deaf than the blind who does not want to smell...

> ah yes, exactly what we need. "enhanced anarchy". you and TCM really
> should get together and collaborate. I'm sure you'd come up with
> some fruitful conclusions.

Who knows?

JFA

DePompadour, Societe d'Importation Ltee; Limoges porcelain, silverware and crystal
JFA Technologies, R&D consultants; physicists, technologists and engineers.
PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891
I reserve the right to post publicly any private e-mail sent to me.
Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have accepted the above mentioned terms.

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 20:12:21 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Thu, 23 May 1996 11:12:21 +0800
Subject: MixMaster fair use
Message-ID: <01I50JO1JL548Y4X9G@mbcl.rutgers.edu>

From: IN%"loki at infonex.com" 22-MAY-1996 03:43:54.45

>It is patent on RSA, which expires in 2000 as I remember. It can be
>licensed, but it is not cheap. I don't know how they would handle a free
>program which people pay to use.

Do they allow non-profit usage? If so, you could send out a new version that supported ecash payments, with an agreement not to use it for profit. I'd call building up a reserve against legal fees a justifiable action for a non-profit organization (if the interest went back into the same account or toward operating the remailer), but IANAL. Could someone who is comment, preferably after looking over the RSA license?

-Allen

From unicorn at schloss.li Wed May 22 20:18:13 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Thu, 23 May 1996 11:18:13 +0800
Subject: An alternative to remailer shutdowns (fwd)
In-Reply-To:
Message-ID:

On Tue, 21 May 1996, snow wrote:

> On Mon, 20 May 1996, Jim Choate wrote:
> > Forwarded message:
> > > Date: Mon, 20 May 1996 15:02:08 -0700
> > > From: Hal
> > > Subject: An alternative to remailer shutdowns
> > > was apparently sent through my remailer. According to 18 USC 875(c),
> > > "Whoever transmits in interstate commerce any communication containing

I don't have time to do it just now. Look in the definitions section under "transmit" and I bet you will find language that suggests it is the original transmitter, not innocent intermediaries, which are liable under the statute.
---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From abc at gateway.com Wed May 22 20:21:26 1996
From: abc at gateway.com (Alan B. Clegg)
Date: Thu, 23 May 1996 11:21:26 +0800
Subject: Number one story on CNN this hour.
Message-ID:

There are 40 million 'attack capable' systems connected to the Internet and over 120 countries have developed or are developing 'attack software'.

[BTW, there will be a BUNCH more attacking systems when 'a new protocol is deployed because they are running out of addresses']

Sheesh.

-abc                    \ Alan B. Clegg
Just because I can      \ Network Technologist
does not mean I will.   \ gateway.com, inc.
                        \

From unicorn at schloss.li Wed May 22 20:27:58 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Thu, 23 May 1996 11:27:58 +0800
Subject: PROPOSAL
In-Reply-To: <199605211950.MAA11596@mail.pacifier.com>
Message-ID:

On Tue, 21 May 1996, jim bell wrote:

> At 04:28 PM 5/20/96 +0000, Jean-Francois Avon wrote: [quoting Jim Ray>>]
>
> >Interesting. Has AP ever popped-up in the conventional medias?
>
> Other than the article I quote in its entirety in Part 8 of AP, an article
> from the Asahi Evening News (an english-language daily newspaper in
> Japan), no.

[Yadda Yadda Yadda]

Motion: To create the alt.politics.assassination.politics newsgroup and the "AP" mailing list so as to clear the meaningless traffic (for which I am significantly responsible) out of this forum.

Any seconds?

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."
in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From unicorn at schloss.li Wed May 22 20:31:16 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Thu, 23 May 1996 11:31:16 +0800
Subject: An alternative to remailer shutdowns
In-Reply-To:
Message-ID:

On Tue, 21 May 1996, Ben Holiday wrote:

>
>
> On Tue, 21 May 1996, Daniel R. Oelke wrote:
>
> > > The second is to simply include the
> > > consent-code along with the encrypted piece of mail and a legal notice
> > > stating that decryption of the mail constitutes your consent to receive
> > > the mail, as well as your agreement to hold the remailer-operator harmless
> >
> > By reduction - you could just do a rot13 on the message and
> > append the "legal notice". If all the information for decoding
> > a message is present in that message, is a different encoding
> > mechanism really any different from straight ASCII text?
> > (i.e. Netscape 9.13 might have auto decoding built it....)
> > Then, the user doesn't do anything "extra" - does this invalidate
> > the notice?
>
> Donno. IANAL. :)

A person has notice of a fact if he knows the fact, has reason to know it, should know it, or has been given notification of it. Restatement, Second, Agency section 9.

The important issue here is what constitutes constructive or implied notice (the second example above). Constructive notice exists where a party could have discovered a fact by proper diligence and where the situation casts a duty on him to inquire into the matter. A person who has _actual_ notice of circumstances which would set off the "alarm bells" of a prudent person has constructive notice of the issue itself where a notice clause was available and easily referenced. See F.P. Baugh, Inc. v. Little Lake Lumber Co., 297 F.2d 692, 696.

Also comes the question what notice is adequate?
Notice reasonably calculated, in all circumstances, to apprise all interested parties of action and opportunity to present their objections, says U.S. v San Juan Lumber Co., 313 F.Supp. 703, 709.

I'm not going to discuss what constitutes a legal agreement here for the purposes of waiving rights to hold the remailer operator harmless. These are traditionally unnegotiated agreements that courts are not likely to want to enforce. (Back of a ski lift ticket, notice that the garage is not responsible for theft). If a court feels that the remailer operator is being negligent or some such, a notice like you are talking about is not likely to be very effective.

I find that making the user decrypt the message as acceptance of the mail is clever, but what exactly does it accomplish? The user can still have his copyrights violated in the text, what does it matter that he did or did not accept the mailing?

> This would accomplish two things: We could source block an address without
> knowing the source; and if push came to shove an address could be
> backtracked to its original source, provided a complaint was made in time,
> and that the Bad Guy sent another mail from the same address. I think
> that legally there would be a good argument that the remailer ops had made
> a reasonable attempt at holding lawbreakers accountable, while still
> preserving the anonymity of non-abusers

Let's call this the "hash policy." I'd be interested to see what the ratio of volume between mailers with a hash policy and mailers without a hash policy would be. Simply the perception that records are being kept could have a chilling effect. The user is in no position to verify how secure those records are, or that they are indeed hashed at all. While the same is true with regards to logging at all (hash or no) I think the feeling that the existence of records somehow makes it more likely the remailer operator will (with resistance) cooperate with the authorities is amplified.
Either you do or do not believe that a remailer operator is keeping full and unhashed records. If you KNOW that records are being kept, well, to the user, what's the difference between this and the mailer logging all traffic fully and putting the information in a "Secure" directory? How precisely does hashing protect the user?

> Just a thought..
>
> Ben.

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From unicorn at schloss.li Wed May 22 20:38:18 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Thu, 23 May 1996 11:38:18 +0800
Subject: FTC online workshop on privacy
In-Reply-To: <01I4ZKWPMI7K8Y5IL9@mbcl.rutgers.edu>
Message-ID:

On Wed, 22 May 1996, E. ALLEN SMITH wrote:

> Pointing out encryption, anonymity, etcetera as means couldn't
> hurt...
> BTW, at the end of the message is something from this Adam Starchild
> fellow, with a web address for "Asset Protection & Becoming Judgement Proof."
> I'd be interested in a review of it.

Unsophisticated, lacking in real substantive sources for material (scope is again mentioned, and I find them often dangerously inaccurate, a resort to the paladin press for reference information is equally suspect in my view), and while containing some interesting ideas and general outlines, mostly dangerous to those who do not understand that a little knowledge is a dangerous thing.

>
> Posted by Adam Starchild
> Asset Protection & Becoming Judgement Proof at
> http://www.catalog.com/corner/taxhaven

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."
in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Wed May 22 20:42:15 1996 From: unicorn at schloss.li (Black Unicorn) Date: Thu, 23 May 1996 11:42:15 +0800 Subject: An alternative to remailer shutdowns In-Reply-To: <9605212257.AA00853@ch1d157nwk> Message-ID: On Tue, 21 May 1996, Andrew Loewenstern wrote: > Ben Holiday writes: > > As far as I can tell an agreement of this form would be at > > least as valid as the software licenses ("NOTICE: Opening this > > envelope constitutes your agreement to the terms.. blah blah > > blah") that are commonly used today. > > IANAL, but I have one, and he said (a couple of years ago) that these > shrinkwrap contracts are practically worthless without a signature. At least > this was how things were being handled in some districts. Anyone care to > comment? I concur. > > crypto relevance: Can RSADSI __really__ enforce the silly "thou shalt not > call certain functions" restrictions in their 'license'? I doubt it, but I > would love for someone to prove me wrong. This is closer. You're asked to accept the terms of the license or return the product. It's a stronger issue and more likely to be upheld. > > andrew > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. 
Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Wed May 22 20:42:54 1996 From: unicorn at schloss.li (Black Unicorn) Date: Thu, 23 May 1996 11:42:54 +0800 Subject: Remailers, Copyright, and Scientology In-Reply-To: <199605220346.UAA17821@mail.pacifier.com> Message-ID: On Tue, 21 May 1996, jim bell wrote: > At 07:36 PM 5/21/96 -0500, Allen Ethridge wrote: > >Yes, the cult does have a legitimate interest in protecting their > >copyrights. > > I'm wondering whether they properly handled the copyright status of some of > those (silly) texts. While it is somewhat nice of you (in regards to them) > to say what you did, it is possible that they lost their copyrights decades > ago by printing them (even internally) without the (then) appropriate > "circle-C" copyright notice. Chances are good that none of this material > could survive a genuine copyright test case today. Incorrect. Please learn the "latter in time" rule and revisit the above question. > > > > Jim Bell > jimbell at pacifier.com > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From jimbell at pacifier.com Wed May 22 20:47:51 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 23 May 1996 11:47:51 +0800 Subject: TCM: mafia as a paradigm for cyberspace Message-ID: <199605222032.NAA04351@mail.pacifier.com> At 10:02 AM 5/22/96 -0500, snow wrote: >On Wed, 22 May 1996, jim bell wrote: >> more, you'd better not be a crook! > > Or turn in too powerful a crook. Since ratting on people can always be anonymous (and especially so after the advent of good encryption and remailers, assuming they survive!) 
I don't think it'll be a problem to turn in somebody "too powerful." In fact, the AP system will probably spur the simultaneous development of a system to anonymously reward people who identify and locate bad people of all kinds, even if all they do is this. But unlike the current form of rewards, the snitch won't have to reveal himself to anybody. > Law enforcement won't just go away. That's true, but with a caveat: Post-AP, there will be no such thing as "laws" per se. What there will be is an amorphous world of various interests, of people who feel stepped on if you abuse them, etc. Cumulatively, those interests will constitute "laws," but not like a list of hard-and-fast rules. >There will always be those of us who feel that most crimes _don't_ >deserve the Death Penalty, and that some sort of penal system will >continue to be necessary. In your system this would not be possible >because most people would be afraid to turn people in for fear of >reprisal. Unfortunately, I still haven't written up a description of a replacement for the current "criminal justice system" that I anticipated, and another person on a different list independently though of and described in much greater detail: A set of independant, privatized court systems which an agrieved victim can go to (perhaps anonymously) to charge the "defendant." The defendant, however, doesn't have to show up because it's a voluntary system. The punishment will probably be usually a monetary penalty, which if not paid is numerically added to the reward fund against that person. A defendant is motivated to defend himself to prevent such an eventuality. The accuser is, likewise, motivated to use this system because if the defendant is exposed as an unchallenged criminal, potential assassins (and AP organizations) will presumably work cheaper for their deaths if the defendant doesn't pay the fine. > I think that the biggest flaw in your system is the belief that >people will act rationally. 
Do you think that the Menendez(sp?) brothers >would have hesitated one second in having there parents offed to collect >the inheretance? Did the Menendez family have relatives who might have wanted retribution for the killings? If so, they could have gotten their revenge very cheaply. How about other rich people who didn't want their to be a precedent that two sons could kill their rich parents and get away with it? >> >Note: I don't necessarily think that AP is a good idea. I think >> >that people should do their own dirty work. >> >> In practice, I think this would be comparatively common as well. What >> currently deters such "take the law into your own hands" is the fact that >> police (being, essentially, in the business of protection) don't want you to >> provide for yourself by protecting yourself. They make it hard on people, >> in the same way they did with Bernard Goetz, the guy who shot four muggers >> on the New York city subway system. Once AP gets rid of the police, it will >> be much easier to protect yourself and not risk jail time, etc. > > Umm... I think that the biggest reason that the Police don't want >you taking the law into your own hands is that civilians tend to screw up >badly. They get the wrong target, they don't stop when they should etc. While I can't quote a specific study, I seem to recall a statistic that civilians were actually MORE likely to shoot and/or kill the RIGHT person, as opposed to the wrong person Remember, most police show up substantially after an incident starts, and they don't know who's in the wrong. A person who's in the right KNOWS this already; he's seen the incident from the beginning. Also, you said civilians "don't stop when they should." Who decides when they should stop? Well, more likely than not it's the police, who would prefer to NOT obsolete themselves, and a dead criminal is far less valuable to the police, prosecutors, and jailers than a live one. I'd say that's a conflict of interest, wouldn't you? 
(a live criminal results in profits to all these groups, plus lawyers, etc.) > The POLICE usually don't have a problem with an individual >protecting themselves (as long as the response fits the crime, killing a >shoplifter is a no no.) It is the court system that frowns on it. It doesn't really matter which group is making it difficult on the civilians, if they are doing it, it makes it harder for the civilians to protect themselves. > Is there the ability to predict a "mild beating" with your system? >or a "severe beating", or simply a killing? Having one level of punishment >is not a very good legal system. AP cannot replace it. It can with the competing, privatized system with punishments based on fines that I described above. >> Superficially, a person might argue that the lack of police would also make >> it easier for the muggers. However, a "professional mugger" would make a >> LOT of enemies, and it wouldn't take long before he's dead. He'd only have >> to be caught once. Any victim of any mugger would be happy to donate to see >> him gone. > > Give me the name of a mugger. Offer to pay money for such information in most inner cities, and you'll get plenty of takers if the reward's high enough. (and can be collected anonymously.) Remember, AP works because certain people with access to information are given the financial motivation to either kill the criminal or simply reveal (possibly anonymously) who he is. The current system uses money rewards only sparsely, and does not publicize them very well. >> Right. Moreover, I believe that governments simply cannot exist as we know >> them under these circumstances. Besides, they won't be necessary. > > See, you have far more faith in humanity than I do. I have plenty of faith that once the centralized, heirarchical political structure is demonished, things will be better. Jim Bell jimbell at pacifier.com From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 20:53:15 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. 
ALLEN SMITH)
Date: Thu, 23 May 1996 11:53:15 +0800
Subject: The Crisis with Remailers
Message-ID: <01I50KKMD21Q8Y4X9G@mbcl.rutgers.edu>

From: IN%"bruce at aracnet.com" "Bruce Baugh" 22-MAY-1996 17:00:33.67

>Pointing people at legitimate uses of anonymity, as various folks have
>suggested, is undoubtedly a good idea. Would anyone care to suggest a few
>newsgroups where the vast majority of anonymous posts have really good
>reasons for being so?

While it isn't usage of true cypherpunk remailers, the sexual abuse survivors newsgroup(s) would appear to be a place to start. Some of the groups discussing human rights cases are also a possibility, as is alt.religion.scientology.
-Allen

From adam at lighthouse.homeport.org Wed May 22 20:56:07 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Thu, 23 May 1996 11:56:07 +0800
Subject: Feds Web Crypto
In-Reply-To: <199605201549.IAA00569@jobe.shell.portal.com>
Message-ID: <199605222028.PAA15709@homeport.org>

I'm surprised no one has pointed out that this could mean all confidential communication with the government, such as paying your taxes, will require a $95 Fortezza card. Of course, you could then use that card to encrypt your credit card numbers and email, as well. Label this Clipper IV.

Adam

anonymous-remailer at shell.portal.com wrote:
|
|
| Washington Post, May 20, 1996
|
| Feds on the Web
|
| Federal agencies' efforts to link up with the citizenry over
| the World Wide Web take a step forward today. Officials plan
| to announce a pilot program in which 1,000 to 2,000 people
| will try their hands at secure Web transactions with federal
| agencies. It's set to start later this month.
|
| The vision for the "Paperless Transactions for the Public
| Project": a taxpayer files a return to the Internal Revenue
| Service over Web links that use advanced cryptography to
| confirm to the agency that the return's really coming from the
| right party.
Or, a retiree goes into a Social Security | Administration computer to check benefit information. | | VIPs, civil servants and ordinary folks are to be issued | special "key cards" to take part in the test, which will use | cryptography from Frontier Technologies Corp., a Wisconsin | networking company. Officials promise the vision is not that | far away. | | -- | | | -- "It is seldom that liberty of any kind is lost all at once." -Hume From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 21:05:44 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Thu, 23 May 1996 12:05:44 +0800 Subject: Alleged abuse of anonymnity/pseudonymnity Message-ID: <01I50LF7FUKG8Y4XBN@mbcl.rutgers.edu> Someone's forgetting that it would be smart - and should be possible - for the men in question also to be anonymous/pseudonymous. As it was, they could have been, and were evidently too dumb. Edited for fair use. -Allen >Kansas veterinarian extorts husbands on 'married but looking' chat line >Copyright 1996 Nando.net >Copyright 1996 The Associated Press >(May 21, 1996 10:41 p.m. EDT) Men flirted shamelessly with "Rita" in >America Online's "Married But Looking" computer chat line. The typed chatter >often got steamy, and she even offered them provocative photos of herself. >But some men found that "she" was a "he" -- with printed copies of their >explicit exchanges and blackmail on his mind. >Veterinarian Ron Hornbaker, 29, of Shawnee Mission, Kan., pleaded guilty to >extortion Tuesday in a case that some say illustrates problems in the >unpoliced Internet. He faces two years in prison and fines up to $250,000. >"It's an old crime, just new tools," said assistant U.S. Attorney John >McKenzie, who prosecuted the case in U.S. District Court in Rockford, Ill. [...] >In August 1995, Hornbaker created an America Online profile of himself as a >married woman named Rita, authorities say. 
He would log into "Married But
>Looking" or similar chat areas and start engaging male victims in typed
>conversation. After a while, he would ask them to go to a more confidential
>area called a private chat room "to get to know each other better.
>"There Rita would engage each man in erotic conversation, asking the victim
>to get her "hot" and offering a sexy photograph.
>Hornbaker, meanwhile, stored the conversation and printed out transcripts.
>Victims awaiting the nude photograph instead got a threatening letter. In it,
>Hornbaker -- now posing as Rita's enraged husband -- said he'd found a
>transcript of the conversation between the victim and Rita.
>Hornbaker set up boxes at private mail services to handle the bribes,
>usually between $500 and $2,000. None of the recipients paid him.

From janke at unixg.ubc.ca Wed May 22 21:14:54 1996
From: janke at unixg.ubc.ca (Leonard Janke)
Date: Thu, 23 May 1996 12:14:54 +0800
Subject: (Another) alternative to remailer shutdowns
Message-ID:

Instead of having the last remailer in the chain store the plaintext of an encrypted anonymous message, it might be more convenient to have the sender split the message into two messages and send these. The first message would contain random characters, and the second would contain the xor of these random characters with the anonymous message.

By themselves, each piece would, of course, be harmless random text, so remailer operators' greatest crime would be spamming. If the two pieces were sent through chains with different last remailers, no one operator could be held accountable, and, of course, it would be ridiculous to suggest that one operator could be held responsible for the fact that another sent some random text which happened to be the xor of the random text another had sent with a harassing message. (For instance, the other operator could be trying to frame the first, with the help of the receiver.)
It seems to me that the only way to deal with a remailing scheme of this kind would be to outlaw anonymous remailing in general.

Leonard

From vznuri at netcom.com Wed May 22 21:25:18 1996
From: vznuri at netcom.com (Vladimir Z. Nuri)
Date: Thu, 23 May 1996 12:25:18 +0800
Subject: (Fwd) Re: TCM: mafia as a paradigm for cyberspace
In-Reply-To: <01I4ZKIOEV7G8Y5IL9@mbcl.rutgers.edu>
Message-ID: <199605221952.MAA29965@netcom11.netcom.com>

I will quote an anonymous AP proponent with the initials EAS

>>the above sentence I find absolutely abhorrent: it justifies killing,
>>not merely because of the effect (the sort of "ends-justifies-the-means"
>>argument used by most here), but that in addition it is
>>supposedly "ethical". ethical?!?!? for g*d's sakes, promote your
>>depraved scheme under any other heading, but do not claim it is
>>"ethical" unless you want to further demonstrate how far from
>>morality you have twisted your brain.
>
> In other words, if I'm shooting at you, it's unethical for you to
>shoot back?

get a clue. I didn't argue against someone shooting at you. I argued against the claim that you should be allowed to shoot anyone in the government because you think the government is corrupt.

While I'm not sure whether I approve of Assassination Politics or
>not (I'm not sure whether it'd lead to more or less violations of rights than
>other possible means of changing the current setup),

as I wrote, there is no such thing as a "right" in a society in which people decide who they would like to kill based on their own whims. there are no rights in a society in which killing is considered an everyday part of life, period. note I do agree this applies to some forms of government.

I do acknowledge the
>rightness of self-defense against governmental evildoing.

ah, now there's where the silly non-sequitur of AP proponents comes in. "the government is corrupt, therefore we should be able to shoot any government employees we choose".
the government is not sticking a gun down your throat this minute, are they? well, why are you seriously contemplating the converse? oh, you say that FIGURATIVELY the government is doing this to you? and you want to respond LITERALLY? I wonder who is the tyrant in this situation? "the government might shoot me if I don't pay my taxes". uhm, can you point out who this actually happened to you? what? you have an example? out of the 250 million people in this country, you actually found one? and you are concerned this will happen to you? well if you keep making a lot of noise, maybe you can achieve what appears to be your wildest fantasy!! AP proponents piss on the english language in their quest for "justice". the ways that AP proponents are twisting language, AP trash is almost worse than much classic government propaganda that has started past wars. "we have rights. we want justice. our rights are being violated. we are acting in self defense." TRASH, TRASH, TRASH To use your >example of Hitler, somehow I think an assasination of him would have been >ethical. I used him as an example of the kind of thinking that "murdering your enemies solves all your problems". yes, that was his point of view, and you inform me that you share it? well, congratualations!! hitler doesn't have too many friends and can use all the sympathy he can get. murdering Hitler would not have solved all the problems of WWII. the problem was militarism that was embodied by many cultures outside of his own, e.g. Japan and Russia. AP proponents believe that: 1. the world is full of people that are part of the problem or part of the solution 2. I can tell precisely the difference 3. I'd like to kill those that are part of the problem. 4. if AP existed, and it appeared there was a way to kill other people without trace, I would go through with it. 5. I have a lot of teachers I hated in my childhood too. I think I will go for them next. possibly not before seeing if they beg for mercy. 
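
Added example, not part of any message in this archive: the two-piece XOR split that Leonard Janke describes above under "(Another) alternative to remailer shutdowns", sketched in Python. The function names and sample text are constructed for illustration; the sketch also shows that one piece is consistent with every message of its length, and that reusing the random piece across messages leaks their XOR.

```python
import secrets
from typing import Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings of equal length."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split(message: bytes) -> Tuple[bytes, bytes]:
    """Split a message into the two pieces the post describes.

    pad    -- the "random characters", drawn here from the OS CSPRNG
    masked -- pad XOR message
    Both pieces are exactly as long as the message, so length is not hidden.
    """
    pad = secrets.token_bytes(len(message))
    return pad, xor_bytes(pad, message)


def combine(share_a: bytes, share_b: bytes) -> bytes:
    """Recover the message; XOR is symmetric, so share order is irrelevant."""
    return xor_bytes(share_a, share_b)


def share_for(claimed: bytes, existing_share: bytes) -> bytes:
    """Compute the partner share that makes existing_share decode to claimed.

    Such a partner exists for every message of the same length, so one share
    on its own says nothing about which message was actually sent.
    """
    return xor_bytes(existing_share, claimed)


def pad_reuse_leak(masked_1: bytes, masked_2: bytes) -> bytes:
    """If one pad masks two messages, XORing the masked pieces cancels the pad
    and yields message_1 XOR message_2, so a pad must never be reused."""
    return xor_bytes(masked_1, masked_2)


def demo() -> dict:
    message = b"constructed sample text"          # constructed input
    decoy = b"a different message".ljust(len(message))

    pad, masked = split(message)
    recovered = combine(pad, masked)

    # Same pad, different partner share, different decoded text.
    alt_partner = share_for(decoy, pad)
    alt_decoded = combine(pad, alt_partner)

    # Pad reuse: masked and alt_partner were both built from the same pad.
    leak = pad_reuse_leak(masked, alt_partner)

    return {
        "message": message,
        "recovered": recovered,
        "alt_decoded": alt_decoded,
        "decoy": decoy,
        "leak_equals_plaintext_xor": leak == xor_bytes(message, decoy),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The split gives confidentiality of a single piece only; it provides no integrity, so a bit flipped in either piece flips the same bit in the recovered text.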
From dlv at bwalk.dm.com Wed May 22 21:26:24 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Thu, 23 May 1996 12:26:24 +0800 Subject: the system CAN work In-Reply-To: <199605222009.NAA01919@netcom11.netcom.com> Message-ID: "Vladimir Z. Nuri" writes: > > it takes two to tango. a corrupt government is the perfect match > for a corrupt populace. So why are you here? Go back to Sovok and improve the government there. (I know, you like American welfare :-) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 21:32:48 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Thu, 23 May 1996 12:32:48 +0800 Subject: (Fwd) Re: TCM: mafia as a paradigm for cyberspace Message-ID: <01I50J36B3OG8Y4X9G@mbcl.rutgers.edu> From: IN%"vznuri at netcom.com" "Vladimir Z. Nuri" 22-MAY-1996 15:50:29.93 To: IN%"EALLENSMITH at mbcl.rutgers.edu" "E. ALLEN SMITH" CC: IN%"vznuri at netcom.com", IN%"cypherpunks at toad.com" Subj: RE: (Fwd) Re: TCM: mafia as a paradigm for cyberspace Received: from netcom11.netcom.com by mbcl.rutgers.edu (PMDF #12194) id <01I50FPCUY748WW02X at mbcl.rutgers.edu>; Wed, 22 May 1996 15:50 EDT Received: from localhost (vznuri at localhost) by netcom11.netcom.com (8.6.13/Netcom) id MAA29965; Wed, 22 May 1996 12:52:08 -0700 Date: Wed, 22 May 96 12:52:07 -0700 From: "Vladimir Z. Nuri" Subject: RE: (Fwd) Re: TCM: mafia as a paradigm for cyberspace In-reply-to: Your message of "Wed, 22 May 96 00:57:00 EDT." <01I4ZKIOEV7G8Y5IL9 at mbcl.rutgers.edu> To: "E. 
ALLEN SMITH" Cc: vznuri at netcom.com, cypherpunks at toad.com Message-id: <199605221952.MAA29965 at netcom11.netcom.com> X-Envelope-to: EALLENSMITH >I will quote an anonymous AP proponent with the initials EAS >>>the above sentence I find absolutely abhorrent: it justifies killing, >>>not merely because of the effect (the sort of "ends-justifies-the-means" >>>argument used by most here), but that in addition it is >>>supposedly "ethical". ethical?!?!? for g*d's sakes, promote your >>>depraved scheme under any other heading, but do not claim it is >>>"ethical" unless you want to further demonstrate how far from >>>morality you have twisted your brain. >> >> In other words, if I'm shooting at you, it's unethical for you to >>shoot back? The above is evidence that your accusing anyone of reposting private email is the pot calling the kettle black, LD (unless, as Dr. Vulis said, you're too dumb to be him). That was specifically sent in private email, for the simple reason that I saw no reason to clutter up the list with another response like the 10 others that had been sent. >get a clue. I didn't argue against someone shooting at you. I argued >against the claim that you should be allowed to shoot anyone in >the government because you think the government is corrupt. Nobody, so far as I know, is arguing that one ought to shoot anyone in the government... I'd be in danger if that were the case, given that my current employer is a state university. If someone is in government and is doing something very wrong (although one may disagree on what is wrong, of course), then they're a proper target. >>I do achnowledge the rightness of self-defense against governmental evildoing. >ah, now there's where the silly non-sequitur of AP proponents comes >in. "the government is corrupt, therefore we should be able to shoot >any government employees we choose". the government is not sticking >a gun down your throat this minute, are they? 
well, why are you >seriously contemplating the converse? oh, you say that FIGURATIVELY >the government is doing this to you? and you want to respond >LITERALLY? I wonder who is the tyrant in this situation? If the only workable method of self-defense is to kill the person, then that's a justifiable means of self-defense. Hopefully, other means of removal of those in government who do what is wrong is possible; I do my best to work for this. But if it isn't, I'll support AP as an alternative. >>To use your >>example of Hitler, somehow I think an assasination of him would have been >>ethical. >I used him as an example of the kind of thinking that "murdering your >enemies solves all your problems". yes, that was his point of view, and >you inform me that you share it? well, congratualations!! hitler >doesn't have too many friends and can use all the sympathy he can get. All your problems? No. But leaving it out as a possible partial solution is irrational. >murdering Hitler would not have >solved all the problems of WWII. the problem was militarism that >was embodied by many cultures outside of his own, e.g. Japan and >Russia. Executing Hitler would have saved a lot of lives, even if it didn't stop the war entirely. Germany without him would, more than likely, not have held together nearly as long as it did. >AP proponents believe that: >1. the world is full of people that are part of the problem or part >of the solution >2. I can tell precisely the difference No, I don't think that I can tell precisely the difference. But it appears possible that I'd make less mistakes than the current government does, even considering only the cases in which they do kill people (e.g., shootouts with drug dealers et al). >3. I'd like to kill those that are part of the problem. If that's the only way that works, yes. >4. if AP existed, and it appeared there was a way to kill other people >without trace, I would go through with it. Again, if that's the only way that works, yes. >5. 
I have a lot of teachers I hated in my childhood too. I think I >will go for them next. possibly not before seeing if they beg for mercy. I invite you to look at the psychological defense mechanism known as projection, preferably along with a trained psychiatrist or clinical psychologist in inpatient therapy. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 21:43:03 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Thu, 23 May 1996 12:43:03 +0800 Subject: An alternative to remailer shutdowns Message-ID: <01I50N2UZXFI8Y4X9G@mbcl.rutgers.edu> From: IN%"unicorn at schloss.li" "Black Unicorn" 22-MAY-1996 19:03:58.98 >On Tue, 21 May 1996, Ben Holiday wrote: >> On Tue, 21 May 1996, Daniel R. Oelke wrote: >>> The second is to simply include the >>> consent-code along with the encrypted peice of mail and a legal notice >>> stating that decryption of the mail constitutes your consent to receive >>> the mail, as well as your agreement to hold the remailer-operator harmless >> >> By reduction - you could just do a rot13 on the message and >> append the "legal notice". If all the information for decoding >> a message is present in that message, is a different encoding >> mechanism really any different from straight ASCII text? >> (i.e. Netscape 9.13 might have auto decoding built it....) >> Then, the user doesn't do anything "extra" - does this invalidate >> the notice? >A person has notice of a fact if he knows the fact, has reason to know it, >should know it, or has been given notification of it. Restatement, >Second, Agency section 9. >The important issue here is what constitutes constructive or implied >notice (the second example above). >Constructive notice exists where a party could have discovered a fact by >proper diligence and where the situation casts a duty on him to inquire >into the matter. 
>A person who has _actual_ notice of circumstances which would set off the
>"alarm bells" of a prudent person has constructive notice of the issue
>itself where a notice clause was available and easily referenced.
>See F.P. Baugh, Inc. v. Little Lake Lumber Co., 297 F.2d 692, 696.

>Also comes the question what notice is adequate? Notice reasonably
>calculated, in all circumstances, to apprise all interested parties of
>action and opportunity to present their objections, says U.S. v San Juan
>Lumber Co., 313 F.Supp. 703, 709.

>I'm not going to discuss what constitutes a legal agreement here for the
>purposes of waiving rights to hold the remailer operator harmless. These
>are traditionally unnegotiated agreements that courts are not likely to
>want to enforce. (Back of a ski lift ticket, notice that the garage is
>not responsible for theft).

Umm... the RSA licensing agreement isn't exactly a negotiated contract. What makes the difference between the contract in question and the RSA licensing agreement (to use it as an example)?

>If a court feels that the remailer operator is being negligent or some
>such, a notice like you are talking about is not likely to be very
>effective.

Part of this depends on negligent in what sense. If, due to the message being encrypted, the remailer operator couldn't read it to see if it was copyright-violating anyway, would he/she be negligent to send it on?

>I find that making the user decrypt the message as acceptance of the mail
>is clever, but what exactly does it accomplish? The user can still have
>his copyrights violated in the text, what does it matter that he did or
>did not accept the mailing?

The primary use of the contract is to avoid complaints from the user for "harassing" email, not to avoid copyright problems. I'm not sure if there is anything that could be done to avoid the copyright problems, aside from the disposable output addresses with multiple remailers using them.
(One possible problem with these is that it could be argued that the remailer operators sending to such addresses can read over the mail before encrypting it to the front end and check to see if it's a copyright violation. However, they would appear to be covered by the exemptions that should be in the copyright law, namely for ISPs - if they aren't covered, then the Net is dead anyway.)

One method around this would be for the initial user to specify the output address - or, preferably, input address that outputted to multiple different output addresses - to use, and encrypt the message for that address. However, this would require common knowledge of the input addresses, which could lead to their being shut down quickly or the owner being held liable. One could have a group of input/output providers with a common public/private key for the initial user to use for the final encryption, although then you'd need to be careful about who you let into this group.
-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 22:05:19 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Thu, 23 May 1996 13:05:19 +0800
Subject: The Crisis with Remailers
Message-ID: <01I50NKMAX5W8Y4X9G@mbcl.rutgers.edu>

I just realized that I haven't been making something clear. The ephemeral endpoints (to use Lance Cottrell's phrase) will be identified when they're used. The purpose of concealing from all but a trusted group (remailer operators) their address (at first) is to slow that identification as much as possible. If it takes someone (NSA or whatever) repeatedly sending messages through to discover each new address, this will take longer (and make it harder for traffic analysis, especially by other parties) than if the output end's address were immediately made public knowledge. This can be helped by the remailer(s) sending to the output address only accepting such mail from another remailer.
-Allen From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 22:23:40 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Thu, 23 May 1996 13:23:40 +0800 Subject: FTC online workshop on privacy Message-ID: <01I50KTHZCI88Y4X9G@mbcl.rutgers.edu> It's unsurprising that some of the same groups backing the CDA are backing this, since they used danger to children as an excuse for it. (A rather transparent one, given the actions vs Compuserve). I am disappointed in EPIC for cooperating with them. From: IN%"declan+ at CMU.EDU" "Declan B. McCullagh" 22-MAY-1996 17:46:10.71 >Excerpts from internet.cypherpunks: 22-May-96 Re: FTC online workshop on >.. by Declan McCullagh at CMU.EDU >> The legislation being introduced at 10:30 am will restrict selling >> mailing lists with childrens' names and other identifying info on them, >> including email lists. Another attempt to regulate the net, or a good >> thing? >Whoops. I should have said the press conference happened at 10:30 am. >The bill will be introduced in both houses later this week. >Interesting press conference. Enough is Enough! took quite a bit of time >to rant about the dangers of the Internet. Pedophiles, chat rooms, >illegal pornography. >You get the idea. Quite. -Allen From jimbell at pacifier.com Wed May 22 22:29:29 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 23 May 1996 13:29:29 +0800 Subject: An alternative to remailer shutdowns (fwd) Message-ID: <199605222104.OAA06174@mail.pacifier.com> At 12:40 PM 5/22/96 -0600, David Rosoff wrote: >>But even "knowingly" needs to be carefully defined. A remailer operator >>today KNOWS that his system COULD be used for illegal activities; he merely >>doesn't know that they are, currently. I think that the definition should >>be so narrow that it is impossible for a third party (or the government >>itself) to incriminate the remailer operator by having his system forward >>arguably illegal or copyright-violating material. 
>>
>>
>>Jim Bell
>>jimbell at pacifier.com
>
>Can the same sort of standards as per the U.S. CDA be applied? The first
>draft of the
>CDA would have held ISP's responsible for, e.g., porn transmitted using their
>services. Isn't this the same sort of thing - that is, that remailer
>operators provide a service, and they cannot be held responsible for people who abuse that
>service? I think that this line of thought is reasonable.

"Reasonable," yes. But remailers provide a service that governments won't consider politically popular; ISP's provide a nominally popular service. The government will find a way to interpret the actions of a remailer entirely differently than that of an ISP. Sigh.

Jim Bell
jimbell at pacifier.com

From rah at shipwright.com Wed May 22 22:36:13 1996
From: rah at shipwright.com (Robert Hettinga)
Date: Thu, 23 May 1996 13:36:13 +0800
Subject: Clipper III analysis
In-Reply-To: <199605221756.KAA01022@netcom8.netcom.com>
Message-ID:

At 1:58 PM -0400 5/22/96, Bill Frantz wrote:
> John Gilmore wrote an excellent description of GAK 3
                                                 ^^^^^
I think we have a winner, folks! GAK3 it is...

Cheers,
Bob Hettinga

-----------------
Robert Hettinga (rah at shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA
"If they could 'just pass a few more laws', we would all be criminals."
--Vinnie Moscaritolo
The e$ Home Page: http://www.vmeng.com/rah/

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 22:36:27 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Thu, 23 May 1996 13:36:27 +0800
Subject: PROPOSAL
Message-ID: <01I50Q8K5UQO8Y4XFA@mbcl.rutgers.edu>

From: IN%"unicorn at schloss.li" "Black Unicorn" 22-MAY-1996 20:48:51.42
>Motion: To create the alt.politics.assassination.politics newsgroup and
>the "AP" mailing list so as to clear the meaningless traffic (for which I
>am significantly responsible) out of this forum.
>Any seconds?

So long as the AP list is specifically for debates about the ethics of such, seconded.
If it would remove from cypherpunks discussion of implementation or of social consequences, that wouldn't be good, since the implementation of this is definitely cypherpunks material.
-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 22:38:57 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Thu, 23 May 1996 13:38:57 +0800
Subject: Is Chaum's System Traceable or Untraceable?
Message-ID: <01I50K5LNPQG8Y4X9G@mbcl.rutgers.edu>

From: IN%"iang at cs.berkeley.edu" 22-MAY-1996 14:51:29.42
>In the "normal" protocol, the payee has to go online. In the "anon" protocol,
>the payer has to go online. Since you don't want to go online when you
>walk into a shop, you can pay the shop with the "normal" protocol, and
>the shop gives you change with the "anon" protocol.
>That way, you never need to go online, and your identity is never compromised.

However, the shop's still is, although the bank might not be able to determine as much about how much income is coming in. OTOH, we're talking about a physical shop situation; I'm not sure how critical it is to have shop anonymity with payor cooperation for this, since the payor can break it anyway.
-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 22 22:45:30 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Thu, 23 May 1996 13:45:30 +0800
Subject: An alternative to remailer shutdowns
Message-ID: <01I50LTPJE848Y4XBT@mbcl.rutgers.edu>

From: IN%"unicorn at schloss.li" "Black Unicorn" 22-MAY-1996 18:40:57.71
>On Tue, 21 May 1996, Andrew Loewenstern wrote:
>> IANAL, but I have one, and he said (a couple of years ago) that these
>> shrinkwrap contracts are practically worthless without a signature. At
>> least this was how things were being handled in some districts. Anyone
>> care to comment?
>I concur.

Those (other) lawyers who I have read on the subject would also concur.
>> crypto relevance: Can RSADSI __really__ enforce the silly "thou shalt not
>> call certain functions" restrictions in their 'license'? I doubt it, but I
>> would love for someone to prove me wrong.
>This is closer. You're asked to accept the terms of the license or return
>the product. It's a stronger issue and more likely to be upheld.

Would this be extensible to the remailer question by saying "agree to hold us blameless for the contents of this mail or don't mail it back to us for decoding"? Admittedly, this might not get around the problem of overly long mail used for bombing, but with Mixmaster you'd get such a letter for each section as I understand it.
-Allen

From vznuri at netcom.com Wed May 22 22:47:06 1996
From: vznuri at netcom.com (Vladimir Z. Nuri)
Date: Thu, 23 May 1996 13:47:06 +0800
Subject: (Fwd) Re: TCM: mafia as a paradigm for cyberspace
In-Reply-To: <199605211950.MAA11604@mail.pacifier.com>
Message-ID: <199605221937.MAA28526@netcom11.netcom.com>

ok, I will reply to JB because it amuses me to tear his flimsy wet-tissue-paper thinking.

>>the above sentence I find absolutely abhorrent: it justifies killing,
>>not merely because of the effect (the sort of "ends-justifies-the-means"
>>argument used by most here), but that in addition it is
>>supposedly "ethical". ethical?!?!?
>
>Then you've obviously dramatically mis-read my ideas. I don't claim that
>_EVERYBODY_ who will fall victim will "deserve" it by your or my opinions,

oh, so in other words, a lot of "innocent" people will be murdered under AP. ah, another great "feature", not a "bug", right??

>For example, if you believe in NIOFP, then anyone who violates it has
>initiated force, and the victim of such force (or, perhaps, anyone else?)
>can legitimately use a system like AP to fight back.

what is "legitimate"? in our government, "legitimate" refers to our judicial system. it is what determines what is "legitimate" based on laws.
in your AP anarchy scheme, the word "legitimate" has no meaning. "legitimate" is in the eye of the beholder. this ridiculous and impractical definition was discarded centuries ago because of the free-for-all bloody violence it inevitably leads to. be very clear about what you are advocating: in AP, there are no laws. people do not rely on the judicial system to solve their problems. they take the "law" into their own hands and take out contracts on anyone who offends them. would they feel justified in killing people who disagree with them on cyberspace mailing lists? perhaps, who is to tell?

If you _don't_ believe
>in libertarian philosophy, obviously you won't necessarily agree with AP, but
>the source of your agreement is that, not something inherently wrong with AP.

you don't have the slightest clue why I have lambasted AP despite my very clear statements about why, because your brain has been twisted in knots by something, perhaps watching too many old westerns.

>>the assassination politics is quite Hitleresque at its root.
>>"kill our enemies, and everything will be better. it is our enemies
>>that are the root of all evil in the world. extinguish them, and
>>you solve all problems automatically"
>
>That's a false claim. If the "enemies" are enemies because of what they've
>actually done wrong, say violate your rights, then it should be your right to stop
>them. The method you choose shouldn't matter.

ah, like murder. I see. well, I think you are violating my rights by disagreeing with me. I shall arrange your consequences accordingly.

>You seem to be assuming that if there are TWO "wrongs" here. But I've tried
>to make it abundantly clear that justification for the self-defense comes
>from the initial "wrong."

but who decides what is wrong? the arbitrary opinion of some single human idiot out anywhere in the world? don't you see the tyranny of this?
it is far worse than the tyranny of a government if I were to be killed by someone who believes that I violated his rights by breathing air particles or whatever. via AP, you wish to give him the mechanism to murder me without trace.

> Where, then, is the SECOND "wrong"? What,
>exactly, makes it wrong? If a person can't get justice any other way (not
>to be confused with merely a chance at justice) then why deny that person
>his rights?

deny rights, legitimacy, justice, blah, blah, blah. the terms you use have no meaning in the system you are advocating. there are no "rights" in an anarchy, because a government is the entity created to safeguard/protect them. all actions are legitimate in an anarchy, because there is no civilized system that rejects any ones in particular.

>I acknowledge that if there is no initial "wrong" (the target didn't
>actually do anything wrong) then the act of targeting him is, itself, wrong,
>but you're apparently unwilling to back up this hypothetical.

what? that is exactly the hypothetical I have been focusing on. what you fail to comprehend in your reptile-size brain is that "wrong" is a matter of subjectivity. violation of a right is also a subjective matter. after many centuries of experimentation mankind settled on something called a "court system" to make civilized decisions that transcend the irrationality of single men. if you think that a government is a tyranny, perhaps you are not aware of the tyranny of the irrationality of individual men. ah, but if you thought about it some more you might come up with some examples in your close proximity.

>It should be obvious to anyone around here that if AP "works," it will work
>regardless of whether it meets with your approval or any other subset of
>humankind. That makes it worthy of discussion even if you don't like it.

it will "work" exactly as anonymous murdering now works. AP already exists, that's what you don't understand.
what you seem to claim is that by opening it up to the masses, you'd have an egalitarian murder effect that would cleanse society. just curious, how were you raised? what kind of childhood did you have that would cause you to think like you do? I really pity you.

>Your objections are invalid. The mere fact that SOME organized killing
>systems occurred in the past has essentially no relationship to the system I
>describe.

assassination politics already exists and have existed for centuries. there is nothing fundamentally new about your ideas.

The prospect of perfect anonymity, allowing the system to be open
>to anyone who chooses to contribute, will make it vastly different from
>anything that came before.

ah yes, exactly what we need. "enhanced anarchy". you and TCM really should get together and collaborate. I'm sure you'd come up with some fruitful conclusions.

==

let me give everyone an example of Jim Bell AP thinking. I will do this some more if he persists.

A brilliant scientist named Jim Bell studied the problem for many years and in an epiphany one day realized that 99% of murders were due to weapons held with people's hands. he proposed that everyone's hands be cut off. murders would instantly drop 99%.

congress decided that rich people needed to be taxed more. so they put a luxury tax on yachts and nice cars. they computed exactly how much they would make based on this tax, and patted themselves on the back. unfortunately, the effect was to cause the rich to stop buying these products. the industries were devastated.

Jim Bell, a masterful sociologist, proposed setting up a system whereby people could arrange anonymous "hits" on others who annoyed them as a solution to all society's problems. of course it wasn't that simple, but that's what it amounted to. the system was quite popular at first. it created an air of deadly fear in which everyone was afraid to do anything, even go out of their houses to shop for groceries.
eventually, someone snuffed out Jim Bell, and everyone went back to living normal lives. yes, the system worked exactly as it was supposed to.

From rittle at comm.mot.com Wed May 22 23:10:54 1996
From: rittle at comm.mot.com (Loren James Rittle)
Date: Thu, 23 May 1996 14:10:54 +0800
Subject: Long-Lived Remailers
In-Reply-To: <199605212215.RAA13102@cdale1.midwest.net>
Message-ID: <9605230140.AA12217@supra.comm.mot.com>

>From: "David E. Smith"
>Date: Tue, 21 May 1996 17:31:23 -0600
>Actually, there's an Idea. Set up a single address; use added
>headers in the style of:
>
>::
>Remailers-To-Chain: 7
>Remailers-To-Avoid: remailer at nsa.gov
>Final-Destination: tcmay at got.net

David,

This will not work. The original sender must pick the path himself, if maximum encryption to hide the final destination is to be used. The properly used cypherpunks-style remailer network provides that as long as even one remailer in the chain is trustworthy, your secret is safe. Under your scheme, if the first remailer is untrustworthy, everything is blown. This is because unless the original sender picks the path (or at least the last hop explicitly), the final destination and message must be available to each hop.

Loren

From vile at burris.apdg.com Wed May 22 23:11:02 1996
From: vile at burris.apdg.com (Kurt Vile)
Date: Thu, 23 May 1996 14:11:02 +0800
Subject: Floating Point and Financial Software
In-Reply-To: <199605221706.NAA23567@jekyll.piermont.com>
Message-ID: <9605222358.AA08828@burris.apdg.com>

per at oiemont.com writes:
>Again, I have seen floating point used for things like rates and in
>simulations. I have never seen it used for accounting. If you can
>name a system in which accounts were kept in floats I'd like to hear
>about it -- personally I'd be surprised. I've never seen such a thing.

I don't think it's all that uncommon.... The Options Clearing Corporation does all of their clearing in 64 bit floats, for one.
Most market making firms (read not a huge bank, clearing risk of less than say 50 mil) tend to do their accounting (both in house, and inventory (derivative instrument inventory)) in packages written in dos which mostly do 32 bit floats - Swiss Bank/O'Connor, NationsBank/CRT, Fannie Mae, Merrill Lynch use NeXT's as their trading platform so you can rest assured that they are using 64's

The Federal Reserve Bank, European Economic Community, England, France, Germany, Japan, Canada, etc store their historical data in a time series database called FAME, which does 64 bit representation of floating point data....

Once you get down into the 10000th's of a us penny it really doesn't matter anymore...

--Kurt

From furballs at netcom.com Wed May 22 23:15:27 1996
From: furballs at netcom.com (Paul S. Penrod)
Date: Thu, 23 May 1996 14:15:27 +0800
Subject: The Crisis with Remailers
In-Reply-To: <199605222051.NAA20284@netcom21.netcom.com>
Message-ID:

On Wed, 22 May 1996, Mike Duvos wrote:
> Perry Writes:
>
> > Floating point systems are built to do approximate math on a very wide
> > range of number sizes. Accounting systems require exact math -- down
> > to the cent. Floats aren't suitable.
>
> Calling floating point math "approximate" is a bit of a misnomer.
> Floating point numbers all correspond to exact points on the real
> number line. The floating point number taken as the result of an
> operation, if that result is not another floating point number, is
> always chosen consistently in a way which has minimum error and zero
> bias.

If floating point is implemented properly in *both* hardware and software, then the claim is valid. I have seen too many instances of floating point support and/or emulation from people like MS and Borland that would scare the bejeebers out of most competent programmers

>
> Floating point numbers can be used to do exact integer arithmetic
> quite easily.
A 48 bit mantissa can represent 14 decimal digit signed
> integers with no loss of precision, and $999,999,999,999.99 is more
> than enough magnitude for most bean counters.
>

Again, exact integer arithmetic derived from floating point is dependent on how well the floating point "behaves". Mainframes don't suffer the same fate as some of the uP's do.

> --
> Mike Duvos $ PGP 2.6 Public Key available $
> mpd at netcom.com $ via Finger. 7 $
>
>
>

-------------------------------------------------------------------------
"Faced with the choice between changing one's mind and proving that there is no need to do so, almost everybody gets busy on the proof" -- John Kenneth Galbraith
"Success is attending a funeral as a spectator" -- E. BonAnno
-------------------------------------------------------------------------

From andrew_loewenstern at il.us.swissbank.com Wed May 22 23:24:30 1996
From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern)
Date: Thu, 23 May 1996 14:24:30 +0800
Subject: The Twilight of the Remailers?
In-Reply-To: <199605220316.UAA18744@netcom2.netcom.com>
Message-ID: <9605221917.AA00675@nwk2_ocalsl>

Mike Duvos writes:
> Contrast this with a DC-Net of boxes which can covertly inject
> packets into the Net, in some untracable manner. Now we have
> no identifiable "Hal" to be harrassed, and no one for the
> Clams to aim their lawyers at.

While this is a nice thought, it is incorrect. You can't "covertly inject packets into the Net, in some untraceable manner." The output of the DC net is simply a block of random-looking bits for each member of the net. Someone must XOR each of the blocks together before the message is readable. If the addressee is not personally watching the DC-net and assembling all the blocks looking for a message, someone else must do that and put it out on the Internet (via e-mail, usenet, IRC, etc...). That someone is the person who is going to take the heat for the message.
It is exactly the same situation as with current remailers: someone gets mail they don't like, they trace it back as far as possible (i.e., to the remailer operator). The last person holding the 'hot-potato' gets burned.

Since it looks like the "everyone's a remailer" dream is not becoming a reality, the key to successful remailers is to make the *operators* untraceable as well. If you can't trace the operator, you can't hold them liable. We have discussed techniques for doing this before: cash paid accounts, using dialups (possibly from a public phone). The remailer must be a 'sacrificial cow' that can be snatched up by 'authorities' at any time.

Because it takes considerable time, effort, and money to set up and run a remailer that is untraceable to the operator, there must be compensation. The solution is a typical cypherpunk one: Digital cash postage that is collected by the remailer, encrypted with a public key, and posted to alt.anonymous.messages. Our untraceable remailer operator sits back and collects the cash until the remailer is forcibly shut-down. Then he starts up a new one (assuming this is profitable).

While I haven't actually had experience running a remailer, I can imagine that the hassle of initially setting up the remailer in an untraceable manner may actually be less than the hassle of dealing with complaints.

The age of remailers with publicly known operators is drawing to a close. Basically the only missing link is the digital postage. If we get that, then being an anonymous remailer operator could be the first cryptoanarchist job that basically anyone can get and where you can collect money completely untraceably and tax-free. To me that seems like a big step towards the future that many of us have been discussing for the past few years. A very exciting prospect.
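The DC-net point made in this message (each member's output is a random-looking block, and someone has to XOR all of them before anything readable exists) as an added example; it is not code from the post or from any remailer software. The pairwise-pad setup, the member count, the sample message and the `gateway_publish` helper are assumptions made for illustration.

```python
"""Toy dining-cryptographers (DC-net) round. Constructed example."""
from __future__ import annotations

import secrets
from functools import reduce
from itertools import combinations


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("blocks must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def dc_net_round(n_members: int, sender: int, message: bytes) -> list[bytes]:
    """Return the block each member announces in one round.

    Every pair of members shares a fresh random pad. A member announces the
    XOR of all pads it shares; the sender additionally XORs in the message.
    """
    if n_members < 3:
        raise ValueError("with fewer than 3 members the sender is obvious")
    if not 0 <= sender < n_members:
        raise ValueError("sender must be a member index")
    size = len(message)
    pads = {pair: secrets.token_bytes(size)
            for pair in combinations(range(n_members), 2)}
    blocks = []
    for member in range(n_members):
        block = bytes(size)
        for pair, pad in pads.items():
            if member in pair:
                block = xor_bytes(block, pad)
        if member == sender:
            block = xor_bytes(block, message)
        blocks.append(block)
    return blocks


def combine(blocks: list[bytes]) -> bytes:
    """XOR announced blocks together; each pad appears twice and cancels."""
    return reduce(xor_bytes, blocks)


def gateway_publish(blocks: list[bytes]) -> dict:
    """Hypothetical relay step: a party outside the net only ever sees the
    combined plaintext and whoever combined and forwarded it."""
    return {"relayed_by": "gateway", "body": combine(blocks)}


if __name__ == "__main__":
    msg = b"constructed sample message"          # constructed input
    announced = dc_net_round(n_members=5, sender=2, message=msg)
    for i, block in enumerate(announced):
        print(f"member {i} announces {block.hex()}")
    print("all five combined :", combine(announced))
    print("one block missing :", combine(announced[:4]).hex())
    print("seen from outside :", gateway_publish(announced))
```

The announced blocks do not identify member 2 as the sender, but the only identifiable party in the output is the one that ran `combine` and forwarded the result, which is the position the message says a gateway ends up in.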
andrew

From ses at tipper.oit.unc.edu Wed May 22 23:53:45 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Thu, 23 May 1996 14:53:45 +0800
Subject: Number one story on CNN this hour.
In-Reply-To:
Message-ID:

On Wed, 22 May 1996, Alan B. Clegg wrote:
> There are 40 million 'attack capable' systems connected to the Internet
> and over 120 countries have developed or are developing 'attack software'.

Does that mean I need a concealed carry permit for my Newton?

Simon

From paul.elliott at hrnowl.lonestar.org Thu May 23 00:02:01 1996
From: paul.elliott at hrnowl.lonestar.org (Paul Elliott)
Date: Thu, 23 May 1996 15:02:01 +0800
Subject: PGP MIME INTERNET DRAFT considered harmful.
In-Reply-To: <199605201710.KAA23072@muddcs.cs.hmc.edu>
Message-ID: <31a3910d.flight@flight.hrnowl.lonestar.org>

-----BEGIN PGP SIGNED MESSAGE-----

>
> [Note: CC'd to the pgp-mime list.]
>
> Paul Elliott writes:
> > [Encrypted & Signed binary data.]
> > Now when there is a data path for PGP's cyphertext, PGP provides a
> > binary data path for its plain text. Thus, the inner base64 that PGP
> > MIME internet draft requires is totally unnecessary. It will cause a 30%
> > increase in the size of those messages that are encrypted and signed and
> > large amounts of CPU time will be used applying & removing the base64.
>
> This design decision actually serves a purpose. The scenario is as
> follows: Suppose you are a company which has west-coast and east-coast
> offices, and the only connectivity which exists is via the open Internet.
> Suppose further that you wished to send out a company memorandum to all
> the employees. Obviously you will want to sign and encrypt your message.
> However, once it reaches your offices, you would like to have the encryption
> "layer" stripped leaving just the signed message.
Now, if when you generated
> that message you did not restrict yourself to 7 bits, there is a likely
> probability given today's software, that you are not going to be able to
> transmit that message over an SMTP framework.

As you should know, I have never said that base64 should never be used. I merely say that signatures should be taken over the original binary data. Base64 can be used for transport as needed, but it should be a convention that any base64 is removed before signatures are checked. Using this convention, it is easy to see that the node that strips encryption could add base64 without invalidating the signature, because of the convention that the base64 so added will be removed before the signature is checked on the original binary data.

>
> Now, this does present some bloat for people who do not strip the encryption,
> but it seems far better to design the protocol such that this case will
> work.
>
> > [Signed binary data.]
> > Now let us consider the question of what PGP-MIME draft requires users
> > to sign. Suppose we want to send a signed .gif file to a sysop. The
> > sysop wants to store the .gif in his download section. Suppose the sysop
> > wants to store the signature as a detached signature so that people who
> > download it can check the authorship. But the signature proposed by the
> > PGP-MIME draft is useless for this purpose. It has MIME headers attached
> > and it has been base64'ed. People who download such a file from a BBS
> > have no use for it, unless they have MIME.
>
> [...several other examples deleted...]
>
> PGP/MIME is _not_ meant to be used in this fashion! It never was! PGP/MIME
> is only to be used for transport, not for long term storage. If you need
> a persistent signature, you should generate a detached signature as an
> attachment.

It should allow users to use it in such a fashion! PGP MIME should respect the wishes of the users!
Software should not view users as tools to accomplish some goal predetermined by developers, but it should rather make it easy for the user to accomplish what the user wants! This attitude of service causes software to be in harmony with market forces and leads to success! (Market forces apply to freeware/guiltware/copylefted/public domain software as well as software for sale or licence.)

By existing in a context of service, PGP MIME can make encryption easy to use and become widespread. By doing so, it can entrench the widespread use of encryption, making it politically impossible to regulate it! Thus, it can confound the evil plans of those dark forces that seek to enslave us all!

As my examples show, some users may have legitimate reasons for wishing to attach a generally useful PGP signature to a MIME message. Not all users are technically sophisticated, it would be nice if PGP_MIME could accommodate such wishes.

Digital signatures are an unrevokable record of what a person believes and attests to at a given time. Belief is an attribute of persons, that is not subject to command, certainly not by a piece of software. PGP MIME should allow users to sign those documents the user wishes to sign, faithfully transmitting those signatures to the receiver. It should not dictate that a user will sign an unintelligible artifact of a data transmission system.

>
> > If users get in the habit of signing binary files which represent
> > multimedia data, and which can not be examined with commonly available
> > inspection tools, it is inevitable and predictable that sooner or later
> > this will cause some kind of negative security event.
>
> By this argument nobody should bother signing e-mail or news posts. I
> haven't seen any good tools to handle this easily for PC's and Macs.
> New proposals have to be made before the tools become available. This
> draft is the result of experience with what does and doesn't work.
> For example, the application/pgp content-type which many people like
> is horribly broken for what it's probably used for 95% of the time.
>
> > There is no good reason to sign the base64 rather than the original
> > data. Once a file has been base64ed, the file can not be examined
> > with the usual inspection tools.
>
> Yes, base64 is just another stream of bytes, but there are FEW places on
> the Internet SMTP framework that can support BINARY transport. BINARY
> streams often contain very long lines which existing software simply can't
> handle.

You are ignoring an already existing binary transport, that exists right now. Namely, PGP provides a BINARY datapath for its plaintext! In the future, other binary transports will become more common. 7 bit datapaths will become less common. Pressure will build for PGP MIME to support binary datapaths. PGP MIME will have to go through a complicated migration path to phase in this transition.

All this complexity can be avoided by doing the right thing now. Make the method of representing the data for signatures independent of the representation of the data for transport! It might take some effort for PGP-MIME analysts and developers now. But that effort, will be more than repaid by saving people the hassle of having to clean up an intolerable mess later!

I do not see exactly how this should be done for multipart messages in detail right now. That is why I have not made a specific proposal. But I do see that it should be possible to come up with such a representation. That is why I say that the draft should be withdrawn and sent back for further study.

>
> There is also another reason to sign the encoded version. Remember that
> it also includes the content headers of that part. This is very important
> especially for automated processing of messages.

The typical user does not necessarily know the difference between a .gif and a .jpg file. He only knows he wants to send this pretty picture on the screen.
Users should have a policy of only attesting to statements by digital signature, that they know _of their own personal knowledge_ is true. Any other policy is to court disaster.

If Malley ( the active message hacker ) hacks the content-type MIME line, all that will happen is that the message to be sent to the .gif viewer rather than the .jpg viewer, causing the message to be lost. But Malley already had the ability to lose the message, after all, he hacked it didn't he?

In general, the content type line should not be signed. If some technically advanced user wants to sign the content-type line, his wishes should be accommodated. But it should not be made a requirement that technically unsophisticated users attest to things they have no hope of understanding!

>
> > The typical user of MIME software is not necessarily technically
> > sophisticated. When the deficiencies and disasters associated with
> > software patterned on this draft become apparent, not everyone will know
> > exactly which software component is at fault. The problems associated
> > with the draft (or its successors) may adversely affect the reputation
> > of PGP.
>
> Bad implementations can always adversely affect your reputation, even if
> the theory behind it is solid. The average non-technical user which you
> have been describing in this message should not even be aware of
> the underlying details if the implementation is done correctly.
>
> > The draft should be withdrawn. People should rethink and create a better
> > plan to combine the benefits of PGP and MIME.
>
> You are more than welcome to submit your proposal to the pgp-mime mailing
> list. [send mail to pgp-mime-request at lists.uchicago.edu with a subject of
> "subscribe"]

I have gotten the impression that you guys have stopped listening. Everyone seems hell-bent on standardizing this inferior system that will lock in a poor design.
I hoped that by appealing to a larger audience I could get more articulate and respected people to persuade you to rethink. Perhaps some of the cypherpunks can say something that will provoke an attack of sanity that will stop this inexorable march toward a bad standard.

>
> We've seen a lot of different proposals go by, and none of them have stood
> up to PGP/MIME. From my point of view, most of the problems that people
> have with the draft is their failure to understand what it is to be used
> for. Many people have the impression that PGP/MIME is meant to be the
> end-all-be-all for PGP. But it's not! PGP/MIME is meant to securely
> transmit messages across the Internet in a manner which all platforms
> can use. PGP/MIME is text based because most transport systems in use
> are. Nowhere is anyone saying "thou shalt not use PGP without MIME."
> I think if more people understood that, we wouldn't have so many
> objections to it.
>
> > It should not require any additional space overhead (more than that
> > which may be necessary for transport) when signing and encrypting.
>
> The note in parens is interesting. What you consider overhead I consider
> necessary for transport.

In the specific case I mentioned, (signed & encrypted) it is not necessary for transport. It is only necessary for transport under your mis-designed system whereby signatures must be taken over entities designed for transport.

>
> me

- --
Paul Elliott Telephone: 1-713-781-4543
Paul.Elliott at hrnowl.lonestar.org Address: 3987 South Gessner #224 Houston Texas 77063

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: cp850

iQCVAgUBMaOd5PBUQYbUhJh5AQE6IwP9EjScv5K1CjOUvwBwbW0ovD5iwa/37/5q
WxI7rR8k2jArKQpBm8KKySMQs7YxQD28JU5FjS8IUJBRMkQRBkBZwUvTrWjW0Rs+
EKdyimgjd4KrsmVmHPxfAOhPjjNqUD2DVOWlRNfzc+0f+RW2Bxn3R4/XJQ3sFf5n
0kBISWaYHeg=
=HknB
-----END PGP SIGNATURE-----

From furballs at netcom.com Thu May 23 00:02:09 1996
From: furballs at netcom.com (Paul S.
Penrod)
Date: Thu, 23 May 1996 15:02:09 +0800
Subject: Floating Point and Financial Software
In-Reply-To: <199605221618.JAA04180@netcom7.netcom.com>
Message-ID:

While I won't argue the veracity of floating point use in financials, I will make a point or two for your consideration.

The basic issue in the micro world has been imprecision - primarily due to word size (8 and 16 bit). Frankly I view it more as a pain tolerance to estimation. Now that 32 and 64 processors are handy (yes the 80 bit x87 has been around for a while), it becomes more of an issue of hair splitting.

I never incorporate floating point into any of the financial software I have written over the years, primarily just on a matter of principle. Secondly, since most of it was written to the Intel platform (read washing machine controller), there is a very distinct advantage in doing integer only from purely a performance basis.

As to accuracy. Normally it doesn't matter when the rounding error sits some 18 to 23 decimal places out, when you are calculating dollars and cents, but many of the calculations I have been forced to endure center around such mathematical abuses as compound interest. Here, it is not only probable, but expected to work thousands of recalculations in a series, with each building upon the last. Rounding error grows very quickly in these types of circumstances.

However, just to be fair, there is a plethora of business math done in software that limits itself from one to several recalcs, and the accuracy only needs to be to the penny or at worst 4 to 6 decimal places out. Even Intel can handle this.... :-)

From alt.humor.pentium:

Did you hear that Intel has found a home for all those pentiums with the floating point error ? They sold them to Mattel. Now when you pull Barbie's string, she says "Math is hard..."

...Paul (politically incorrect and loving it..)
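The thread's competing claims checked in code, as an added example that is not from any poster: doubles holding whole cents stay exact (Mike Duvos), 32-bit floats holding dollars cannot even resolve a cent at this balance (the DOS packages Kurt Vile mentions), and an integer-only ledger (Paul Penrod's practice) serves as the reference. The balance, rate and period count are constructed sample values, and the function names are illustrative.

```python
"""Per-period interest posting in three number representations.
Constructed example: balance, rate and period count are sample values."""
import math
import struct

PPM = 1_000_000  # rates are expressed in parts per million per period


def f32(x: float) -> float:
    """Round a Python float (IEEE 754 double) to the nearest 32-bit float."""
    return struct.unpack("f", struct.pack("f", x))[0]


def exact_in_double(cents: int) -> bool:
    """True if this whole number of cents survives a round trip through a double."""
    return int(float(cents)) == cents


def ledger_int(cents: int, rate_ppm: int, periods: int) -> int:
    """Integer-only ledger: interest rounded half-up to the cent every period."""
    for _ in range(periods):
        cents += (cents * rate_ppm + PPM // 2) // PPM
    return cents


def ledger_f64_cents(cents: int, rate_ppm: int, periods: int) -> int:
    """Doubles holding whole cents, with the same half-up rounding every period.

    Every stored value is an integer far below 2**53, so nothing is lost.
    """
    balance = float(cents)
    for _ in range(periods):
        balance += math.floor(balance * rate_ppm / PPM + 0.5)
    return int(balance)


def ledger_f32_dollars(dollars: float, rate: float, periods: int) -> float:
    """32-bit floats holding dollars; every intermediate is rounded to 32 bits."""
    balance, rate32 = f32(dollars), f32(rate)
    for _ in range(periods):
        balance = f32(balance + f32(balance * rate32))
    return balance


if __name__ == "__main__":
    start_cents, rate_ppm, periods = 100_000_000, 137, 3650   # $1,000,000.00
    ref = ledger_int(start_cents, rate_ppm, periods)
    f64 = ledger_f64_cents(start_cents, rate_ppm, periods)
    f32_result = ledger_f32_dollars(start_cents / 100, rate_ppm / PPM, periods)
    print("integer cents       :", ref)
    print("double, whole cents :", f64, "(difference", f64 - ref, "cents)")
    print("float32 dollars     :", f32_result,
          "(difference", round(f32_result * 100) - ref, "cents)")
    print("largest gap-free integer in a double:", 2 ** 53)
    print("$1,000,000.01 stored as float32     :", f32(1_000_000.01))
```

At a balance of one million dollars adjacent 32-bit floats are 6.25 cents apart, so the float32 ledger drops cents from the second posting onward, while the double-precision ledger that stores whole cents tracks the integer ledger exactly.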

On Wed, 22 May 1996, Mike Duvos wrote:

> There seem to be a few mini-flames on the list over whether floating point data representations are appropriate for financial software.
>
> In a nutshell, the answer is "YES", and the use of floating point arithmetic is common in such applications.
>
> One argument heard against the use of floating point is that it is inherently "imprecise." In reality, floating point representations and the results of floating point operations are perfectly well defined, and the points on the real number line which are exactly representable by double-precision floating point values are usually a superset of those representable by the default integer on most machines.
>
> Storing monetary values as double-precision floats having integer values in cents is even common in COBOL programs, where the "COMP-3" data type allows the use of fast floating point in lieu of the default and slow manipulation of packed decimal and decimal data.
>
> It is even common in certain CPUs, like CDC Mainframes and SPARCS, which are primarily floating point engines, to omit integer divide and sometimes even multiply, and to provide a subroutine which employs floating point calculations to emulate these operations. This is completely transparent to the user of the machine, and there is no problem in using floating point to do integer operations.
>
> In fact, when running financial applications on large engineering mainframes, which generally lack a business instruction set, floating point is not only commonly employed, it is the obvious way to get the maximum performance out of the machine.
>
> --
> Mike Duvos $ PGP 2.6 Public Key available $
> mpd at netcom.com $ via Finger.
$
>
>

-------------------------------------------------------------------------
"Faced with the choice between changing one's mind and proving that there is no need to do so, almost everybody gets busy on the proof" -- John Kenneth Galbraith
"Success is attending a funeral as a spectator" -- E. BonAnno
-------------------------------------------------------------------------

From blancw at MICROSOFT.com Thu May 23 00:03:10 1996
From: blancw at MICROSOFT.com (Blanc Weber)
Date: Thu, 23 May 1996 15:03:10 +0800
Subject: CDT Policy Post 2.20 - Clinton Administration Floats Clipper III Draft
Message-ID:

From the Proposal:

"To participate in the network a user needs a public key certificate signed by a CA [Certification Authority] which 'binds' the user's identity to their public key. One condition of obtaining a certificate is that sufficient information (e.g., private keys or other information as appropriate) has been escrowed with a certified escrow authority to allow access to a user's data or communications."
......................................................................

Along with the escrow requirement, I keep seeing in here somewhere the eventuality of a tie being established between public keys and a national identifying scheme, possibly to update and replace the present Social Security system.

..
Blanc

From fletch at ain.bls.com Thu May 23 00:24:34 1996
From: fletch at ain.bls.com (Mike Fletcher)
Date: Thu, 23 May 1996 15:24:34 +0800
Subject: Layman's explanation for limits on escrowed encryption ...
In-Reply-To: <199605230053.RAA28116@ohio.chromatic.com>
Message-ID: <9605230303.AA17239@outland.ain_dev>

> Could someone with some knowledge of NSA/DoS/FBI intentions please explain why key length limitations are necessary for escrowed encryption?

Obviously it's so they can keep feeding international traffic through the [Insert fav TLA here]'s 64-bit cracking machines.

.5 * :), of course. (Is this an acceptable use for floating point :).

---
Fletch                                                     __`'/|
fletch at ain.bls.com  "Lisa, in this house we obey the       \ o.O'    ______
404 713-0414(w)      Laws of Thermodynamics!" H. Simpson   =(___)=  -| Ack. |
404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43   U      ------

From daw at cs.berkeley.edu Thu May 23 00:29:40 1996
From: daw at cs.berkeley.edu (David Wagner)
Date: Thu, 23 May 1996 15:29:40 +0800
Subject: PROTOCOL: Encrypted Open Books
In-Reply-To:
Message-ID: <4o0cfk$1i7@joseph.cs.berkeley.edu>

Apologies for replying to a reposted article; I wasn't subscribed when the (very interesting!) open books protocol was originally proposed.

In article , Timothy C. May wrote:
> >Date: Mon, 16 Aug 93 13:57:51 -0700
> >From: Eric Hughes
> >Subject: PROTOCOL: Encrypted Open Books
> >
> >One criticism I do wish to address now. I don't think it matters if the bank manufactures fake transactions. The customer can reveal the sum of all the blinding factors for transactions on that account, in public, and can thus prove what should have been there. Since the blinding factors were committed to in public, there is a strong assurance that these blinding factors are what they are claimed to be. This in itself can be made into an actual proof of liability. Note that even this revelation does not compromise individual transactions. It only reveals the aggregate value change, which is exactly what is at issue with the bank.

Yes, if the bank manufactures a fake transaction to a customer's account, I see that the customer can discover the discrepancy & step forward to identify the bank.

But what if the bank manufactures a fake account, without a real customer, and fakes a transfer into that account, pocketing the money that should have gone into that account? There is no real customer corresponding to that account to check up on the open books, so it seems to me like a bank employee can embezzle money undetectably this way.

Did I miss an important part of the protocol, or does some extra mechanism need to be added to counter this threat?

From declan+ at CMU.EDU Thu May 23 00:30:38 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Thu, 23 May 1996 15:30:38 +0800
Subject: FTC online workshop on privacy
In-Reply-To: <01I50KTHZCI88Y4X9G@mbcl.rutgers.edu>
Message-ID: <0lcucI200YUzQcMfpR@andrew.cmu.edu>

Excerpts from cypherpunks: 22-May-96 Re: FTC online workshop on .. by "E. ALLEN SMITH"@ocelot.
> It's unsurprising that some of the same groups backing the CDA are backing this, since they used danger to children as an excuse for it. (A rather transparent one, given the actions vs Compuserve). I am disappointed in EPIC for cooperating with them.

You shouldn't be, and I should have been more clear. There is a broad coalition of groups supporting this legislation, including (from memory) the Kids off Lists! project, Center for Media Education, and Consumer Federation of America.

I'm putting together a writeup of the press conference today and the language of the bill. More on this later tonight.

-Declan

From llurch at networking.stanford.edu Thu May 23 00:38:27 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Thu, 23 May 1996 15:38:27 +0800
Subject: FTC online workshop on privacy
In-Reply-To:
Message-ID:

On Wed, 22 May 1996, Declan B. McCullagh wrote:

> Did you know May 20-26 is "Safe Cyber Week?"

Of course! Didn't everybody?

--
rich.graves at stanford.edu
this is safe cyber week! http://www.cybercorp.net/safe/

From tcmay at got.net Thu May 23 00:59:30 1996
From: tcmay at got.net (Timothy C. May)
Date: Thu, 23 May 1996 15:59:30 +0800
Subject: PROTOCOL: Encrypted Open Books
Message-ID:

>Date: Mon, 16 Aug 93 22:25:47 PDT
>To: cypherpunks at toad.com
>Subject: PROTOCOL: Encrypted Open Books
>From: hfinney at shell.portal.com
>Status: OR
>
>Eric had some good ideas in his protocol for verifying anonymous bank deposits.
>One thing wasn't clear to me: what if the bank creates a fake account?
>
>It would seem that the bank could explain away a sudden decrease in its asset reserves (money that the bank officers actually spent on mistresses and drugs) by creating a fake anonymous account which made a large withdrawal. The books would still balance.
>
>It wasn't clear to me in Eric's protocol whether it would be expected that the identity of accounts which made such withdrawals would be revealed. Doing so would seem to go against the purpose of the digital bank. But without that ability it would seem that fake accounts could cover up any amount of mismanagement.
>
>Hal

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From hua at xenon.chromatic.com Thu May 23 01:01:02 1996
From: hua at xenon.chromatic.com (Ernest Hua)
Date: Thu, 23 May 1996 16:01:02 +0800
Subject: Layman's explanation for limits on escrowed encryption ...
Message-ID: <199605230053.RAA28116@ohio.chromatic.com>

Could someone with some knowledge of NSA/DoS/FBI intentions please explain why key length limitations are necessary for escrowed encryption?

Please reply by E-Mail.

Thanks!

Ern

From tcmay at got.net Thu May 23 01:02:08 1996
From: tcmay at got.net (Timothy C. May)
Date: Thu, 23 May 1996 16:02:08 +0800
Subject: PROTOCOL: Encrypted Open Books
Message-ID:

At 12:45 AM 5/23/96, David Wagner wrote:
>Apologies for replying to a reposted article; I wasn't subscribed when the (very interesting!)
>open books protocol was originally proposed.
...
>Did I miss an important part of the protocol, or does some extra mechanism need to be added to counter this threat?

I only forwarded the original article, not any of the discussion which followed. Inasmuch as the archives at hks don't appear to be coming back anytime soon (the March 18th message said "a few days"), I'll forward to the list the followup articles by Hal Finney and Eric Hughes.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From alanh at infi.net Thu May 23 01:27:02 1996
From: alanh at infi.net (Alan Horowitz)
Date: Thu, 23 May 1996 16:27:02 +0800
Subject: Bit tax proposal?
In-Reply-To: <01I4ZMQQODUA8Y5IL9@mbcl.rutgers.edu>
Message-ID:

<< " Govt has not yet figured out how to tax this new wealth" >>

That is the main reason it came into being. Start taxing it on some arbitrary basis, and people won't bother creating it.

<< " Proposed is an easily administered" >>

" My convenience as a bureaucrat is more important than the convenience of the people who are creating wealth" >>

From perry at piermont.com Thu May 23 01:33:54 1996
From: perry at piermont.com (Perry E.
Metzger)
Date: Thu, 23 May 1996 16:33:54 +0800
Subject: The Crisis with Remailers
In-Reply-To: <9605221739.AA03647=ray@groen.cwi.nl>
Message-ID: <199605221904.PAA23720@jekyll.piermont.com>

R.Hirschfeld at cwi.nl writes:
> Despite the ugliness of floating point arithmetic (lack of associativity, for example) and my general distaste for it, I would have to agree that 64-bit floats are higher precision than 32-bit fixed-points, since more than half the bits are mantissa.

However, accounting systems DO NOT use 32 bit fixed point arithmetic. One client of mine had around $10Billion under management. Do you think they were doing their accounting on a system that could only deal with fixed point numbers of 45Million or so? Hell, individual trades are larger.

Floating point systems are built to do approximate math on a very wide range of number sizes. Accounting systems require exact math -- down to the cent. Floats aren't suitable. Anyone who needs to understand why should go off and read Knuth, Volume 2.

{erru

From minow at apple.com Thu May 23 02:01:39 1996
From: minow at apple.com (Martin Minow)
Date: Thu, 23 May 1996 17:01:39 +0800
Subject: An alternative to remailer shutdowns
Message-ID:

Black Unicorn comments on the responsibility of prudent persons (in, I presume, the context of threatening e-mail sent through an anonymous remailer).

I'm still perplexed: what can a "prudent" remailer operator do if a threatening e-mail was sent through a remailer under one or more of the following conditions:

-- The remailer operator is legally enjoined from reading messages traversing his system. (For example, the remailer is subject to data privacy laws.)

-- The message was encrypted using the intended recipient's public key. (This means that, without access to the private key, the operator has no mechanism to examine the e-mail.)

Confused in Cupertino.

Martin Minow
minow at apple.com

From shabbir at vtw.org Thu May 23 02:10:10 1996
From: shabbir at vtw.org (Shabbir J.
Safdar)
Date: Thu, 23 May 1996 17:10:10 +0800
Subject: FTC online workshop on privacy
Message-ID: <199605230414.AAA22841@panix4.panix.com>

There's actually an interesting parallel here. If you look at the Dworkin "ban pornography because speech is action" crowd, they often end up on the same side of things as the Christian Coalition "ban porn because it drives you to ungodly acts" crowd. They both happily support legislation that would ban such images.

The left and the right move so far off the edges of the scales that they come around and meet each other on the same side of the issue.

-Shabbir J. Safdar * Online Representative * Voters Telecomm. Watch (VTW)
http://www.vtw.org/ * Defending Your Rights In Cyberspace

"E. ALLEN SMITH" writes:
> It's unsurprising that some of the same groups backing the CDA are
>backing this, since they used danger to children as an excuse for it. (A
>rather transparent one, given the actions vs Compuserve). I am disappointed in
>EPIC for cooperating with them.
>
>From: IN%"declan+ at CMU.EDU" "Declan B. McCullagh" 22-MAY-1996 17:46:10.71
>
>>Excerpts from internet.cypherpunks: 22-May-96 Re: FTC online workshop on
>>.. by Declan McCullagh at CMU.EDU
>>> The legislation being introduced at 10:30 am will restrict selling
>>> mailing lists with childrens' names and other identifying info on them,
>>> including email lists. Another attempt to regulate the net, or a good
>>> thing?
>
>>Whoops. I should have said the press conference happened at 10:30 am.
>>The bill will be introduced in both houses later this week.
>
>>Interesting press conference. Enough is Enough! took quite a bit of time
>>to rant about the dangers of the Internet. Pedophiles, chat rooms,
>>illegal pornography.
>
>>You get the idea.
>
> Quite.
> -Allen

From grewals at acf2.NYU.EDU Thu May 23 02:11:11 1996
From: grewals at acf2.NYU.EDU (Subir Grewal)
Date: Thu, 23 May 1996 17:11:11 +0800
Subject: The Crisis with Remailers
In-Reply-To: <2.2.32.19960522172644.006bb3f4@mail.aracnet.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 22 May 1996, Bruce Baugh wrote:

:Pointing people at legitimate uses of anonymity, as various folks have
:suggested, is undoubtedly a good idea. Would anyone care to suggest a few
:newsgroups where the vast majority of anonymous posts have really good
:reasons for being so?

On certain political newsgroups (perhaps most noticeably in the soc.culture.* hierarchy) it's common to see someone's views refuted because they are identified with a particular interest group. The "result" of the argument is suspect simply because it may be considered favourable to the author's interest-group, the (sometimes rigorous) argument/justification is pushed aside in the rush to malign another's contention. Anonymity serves as a barrier for some of these conjecturous refutations (though there is a loss of credibility associated with an anonymous post as well). In certain other cases, someone may wish to keep their employer ignorant of their political beliefs. Then there are all the cases where one wishes to keep sexual-orientation (or anything else considered private), membership in an organization from others. There is no doubt that anonymity is an extremely valuable position to occupy (and an important option to keep open for everyone). Of course we tend to hear of the "bad" uses to which remailers are put.

hostmaster at trill-home.com * Trills 4 thrills * Blue-Ribbon * Lynx 2.5

Anything labeled "NEW" and/or "IMPROVED" isn't. The label means the price went up. The label "ALL NEW", "COMPLETELY NEW", or "GREAT NEW" means the price went way up.

From shabbir at vtw.org Thu May 23 02:33:40 1996
From: shabbir at vtw.org (Voters Telecommunications Watch)
Date: Thu, 23 May 1996 17:33:40 +0800
Subject: INFO: Transcript of Sen. Leahy's RealAudio chat now available! (5/22/96)
Message-ID: <199605230534.BAA08778@panix3.panix.com>

=============================================================================
Crypto-News

REALAUDIO TRANSCRIPTS OF LEAHY'S WIREDSIDE CHAT AVAILABLE
CLIPPER III RESOURCES AVAILABLE
REP. RICK WHITE (R-WA) SCHEDULED FOR HOTWIRED CHAT 6/5/96 9-10PM EST

Date: May 22, 1996

URL:http://www.crypto.com/ crypto-news at panix.com
If you redistribute this, please do so in its entirety, with the banner intact.
-----------------------------------------------------------------------------
Table of Contents
    News
    How to receive crypto-news
-----------------------------------------------------------------------------
NEWS

Rave reviews of Senator Leahy's appearance on HotWired's WiredSide chat are coming already. With this appearance, the gentleman from Vermont proves once again that he knows net.politics on a personal level, and understands the subtleties that we assume many in Congress are just learning.

If you missed Sen.
Leahy's appearance, arranged by HotWired, the Center for Democracy and Technology (CDT), and the Voters Telecommunications Watch (VTW), you can still hear the Realaudio transcript from the front page at http://www.crypto.com/

A new Clipper III section has been added to www.crypto.com, with pointers to the online version of the White House proposal and the initial analyses from EPIC, CDT, and John Gilmore of the EFF.

DON'T FORGET! Representative Rick White (R-WA) will be on HotWired Wednesday June 5th at 9pm EST at http://www.hotwired.com/wiredside/ You can tune in and listen to the chat with the RealAudio software (http://www.realaudio.com). You can ask questions of the Representative through a moderator and get real, immediate responses.

Rep. White is part of the new breed of legislators leading Congress to make better net policy through his leadership in the Internet Caucus, a vanguard group of legislators who have vowed to provide sound leadership and advice to other members of Congress in the area of net.policy.

-----------------------------------------------------------------------------
HOW TO RECEIVE CRYPTO-NEWS

To subscribe to crypto-news, sign up from our WWW page (http://www.crypto.com) or send mail to majordomo at panix.com with "subscribe crypto-news" in the body of the message.

-----------------------------------------------------------------------------
End crypto-news
=============================================================================

From llurch at networking.stanford.edu Thu May 23 02:34:18 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Thu, 23 May 1996 17:34:18 +0800
Subject: Clipper III analysis
In-Reply-To:
Message-ID:

On Wed, 22 May 1996, Robert Hettinga wrote:

> At 1:58 PM -0400 5/22/96, Bill Frantz wrote:
>
> > John Gilmore wrote an excellent description of GAK 3
>                                                   ^^^^^
> I think we have a winner, folks! GAK3 it is...

In the "Nickelodeon" section of Great America amusement park in Sunnyvale, there's a big sign covered with green ooze saying "Beware of GAK." It's almost worth $18.00 to go back with a camera.

-rich

From grafolog at netcom.com Thu May 23 02:49:32 1996
From: grafolog at netcom.com (jonathon)
Date: Thu, 23 May 1996 17:49:32 +0800
Subject: The Crisis with Remailers
In-Reply-To: <199605222051.NAA20284@netcom21.netcom.com>
Message-ID:

Mike:

On Wed, 22 May 1996, Mike Duvos wrote:

> quite easily. A 48 bit mantissa can represent 14 decimal digit signed integers with no loss of precision, and $999,999,999,999.99 is more than enough magnitude for most bean counters.

Not when that bean counter is a judge chasing down the $ 999 999 999 999.999 999 decimal, for an interest rate calculation.

<< You try defending that one to a judge who is looking for a reason to dismiss your case, with prejudice. >>

xan

jonathon
grafolog at netcom.com

**********************************************************************
*                                                                    *
*  Opinions expressed don't necessarily reflect my own views.        *
*                                                                    *
*  There is no way that they can be construed to represent           *
*  any organization's views.                                         *
*                                                                    *
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
*                                                                    *
*  http://members.tripod.com/~graphology/index.html                  *
*                                                                    *
***********************************************************************

From elkins at antares.aero.org Thu May 23 02:54:35 1996
From: elkins at antares.aero.org (Michael Elkins)
Date: Thu, 23 May 1996 17:54:35 +0800
Subject: PGP MIME INTERNET DRAFT considered harmful.
In-Reply-To: <31a3910d.flight@flight.hrnowl.lonestar.org>
Message-ID: <199605230403.VAA14508@zzyzx.aero.org>

On May 22, paul.elliott at Hrnowl.LoneStar.ORG (Paul Elliott) wrote:
> I as you should know, I have never said that base64 should never be used.
> I merely say that signatures should be taken over the original binary data.
> Base64 can be used for transport as needed, but it should be a convention that any base64 is removed before signatures are checked.

However, this method does not allow for any verification of the content-type headers for that part.

> As my examples show, some users may have legitimate reasons for wishing to attach a generally useful PGP signature to a MIME message. PGP MIME should allow users to sign those documents the user wishes to sign, faithfully transmitting those signatures to the receiver. It should not dictate that a user will sign an unintelligible artifact of a data transmission system.

Your last two comments really illustrate the division that we've previously seen on the pgp-mime list. On the one side you have those who want to include the MIME headers in the digital signature, and on the other are those who want the signature to be over the data in its "binary" (unencoded) form. I _do_ see merit in the latter. However, that was not the goal of my draft. What I've been trying to get across is that my draft does not preclude you from writing your own draft on how to transmit detached signatures along with your message (perhaps something like multipart/pgp-signed).

> Pressure will build for PGP MIME to support binary datapaths.

When this occurs, I will gladly remove that restriction.

> PGP MIME will have to go through a complicated migration path to phase in this transition. All this complexity can be avoided by doing the right thing now.

Complex migration path? How so? Implementations that accept both 7-bit and 8-bit PGP messages but only generate 7-bit messages will not suffer in the least if one day we decide it's ok to generate 8-bit signed messages. They will still accept either. Newer versions of the software can make use of the 8-bit path and it will interoperate perfectly with older versions.

> Users should have a policy of only attesting to statements by digital signature, that they know _of their own personal knowledge_ is true. Any other policy is to court disaster.

This argument, which while true, doesn't make your approach any safer. Any software used is a proxy, and no matter how brilliant or naive the user is, it's still a proxy. There is some amount of trust that the software is doing the "right thing." It doesn't matter if I'm signing a PGP/MIME message in my e-mail client or running PGP to encrypt a .gif or .jpg.

> I have gotten the impression that you guys have stopped listening. Everyone seems hell-bent on standardizing this inferior system that will lockin a poor design. I hoped that by appealing to a larger audience I could get more articulate and respected people to persuade you to rethink. Perhaps some of the cypherpunks can say something that will provoke an attack of sanity that will stop this inexorable march toward a bad standard.

No, we haven't stopped listening. We've just heard these arguments over and over again for the past six months and nobody from that camp has proposed an alternative. Again, I do not believe the two methods are mutually exclusive. PGP/MIME is not meant to do what I term "object security," it's meant for "transport security." I think perhaps it's not so much PGP/MIME that you don't like, but the whole multipart/security architecture in general.

me
--
Michael Elkins http://www.cs.hmc.edu/~me
PGP key fingerprint: EB B1 68 32 3F B5 54 F9 6C AF 4E 94 5A EB 90 EC

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pgp00003.pgp
Type: application/octet-stream
Size: 288 bytes
Desc: "PGP signature"
URL:

From llurch at networking.stanford.edu Thu May 23 02:57:47 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Thu, 23 May 1996 17:57:47 +0800
Subject: The Crisis with Remailers
In-Reply-To: <01I50KKMD21Q8Y4X9G@mbcl.rutgers.edu>
Message-ID:

On Wed, 22 May 1996, E. ALLEN SMITH wrote:

> From: IN%"bruce at aracnet.com" "Bruce Baugh" 22-MAY-1996 17:00:33.67
>
> >Pointing people at legitimate uses of anonymity, as various folks have
> >suggested, is undoubtedly a good idea. Would anyone care to suggest a few
> >newsgroups where the vast majority of anonymous posts have really good
> >reasons for being so?
>
> While it isn't usage of true cypherpunk remailers, the sexual abuse survivors newsgroup(s) would appear to be a place to start. Some of the groups discussing human rights cases are also a possibility, as is alt.religion.scientology.

To those unfamiliar with the issues, ars is not a good example. At first, it looks like a bunch of louts screaming.

I'd mention alt.revisionism, where anonymity is used and recognized by all sides, usually responsibly (though that probably wasn't true before I dropped in). It's the stupid skinheads configuring Netscape with "anonymous" addresses that bug me; I usually find their real address and tell them how to get a real remailer or freenet account.

Of course, to people who don't know what to filter, alt.revisionism also looks like a bunch of louts screaming.

-rich

From ichudov at algebra.com Thu May 23 03:03:44 1996
From: ichudov at algebra.com (Igor Chudov @ home)
Date: Thu, 23 May 1996 18:03:44 +0800
Subject: the system CAN work
In-Reply-To:
Message-ID: <199605230426.XAA06531@manifold.algebra.com>

Dr. Dimitri Vulis wrote:
> So why are you here? Go back to Sovok and improve the government there.
> (I know, you like American welfare :-)

I wonder how long it will take them to create a cypherpunks-robomoderated list.
:)

- Igor.

From tcmay at got.net Thu May 23 03:08:59 1996
From: tcmay at got.net (Timothy C. May)
Date: Thu, 23 May 1996 18:08:59 +0800
Subject: PROTOCOL: Encrypted open books
Message-ID:

>Date: Thu, 26 Aug 93 11:28:14 -0700
>From: Eric Hughes
>To: cypherpunks at toad.com
>Subject: PROTOCOL: Encrypted open books
>Status: OR
>
>Note: I started this reply last week; I've decided to post what I know, since I don't have a solution and I've run out of simple ideas for now.
>
>Hal's criticism that (real) money could leak out of the system is correct. The problem is that while the books would still balance, i.e. sum to zero, some fake depositor would have a negative balance, the net result of taking out more money than you put in. Negative numbers just aren't allowed in double-entry bookkeeping, but they were allowed in the first protocol set.
>
>The first part of the solution is to allow no private accounts on the left hand (asset) side of the ledger, in other words, no anonymous loans. A protocol for doing anonymous loans could be invented, but since the first problem is merely to run a money exchange and not more complicated financial services, this is acceptable. Most of the money that left the S&L's was by corrupt loan practices, so I don't consider this omission a particularly glaring one right now.
>
>Therefore all the private accounts must be on the right hand side, that is, they are all liabilities. In layman's terms, the bank owes you; should you ask for your money, they have to give it to you. If we can verify that each of these accounts never goes negative, then we can be certain that if the books balance, that the amounts of money in each account are accurate.
>
>Consider this. If money was transferred from your account to another one, that transaction shows up in the public encrypted transaction record. If you have due diligence over this record, you can ascertain that no transaction was performed against your will.
>This case corresponds to a debit and credit against two customer accounts, decreasing one and increasing the other.
>
>Another way that money might end up in a fake account if it were credited with assets. A debit to an asset increases its value and the credit to the account increases that value. This is the case of a deposit; the bank gets cash (+asset) and credits someone's account (+account). Now if they want to give someone money this way, they have to do so by increasing the assets somehow; in other words, the money has to come from somewhere. It didn't come from any of the customers because they've already verified that. It didn't magically appear from one of the other asset accounts because these are all publicly audited.
>
>In summary, we need to ensure that all accounts have positive balance. Public accounts can be revealed and seen to be positive. Private accounts need a cryptographic assurance.
>
>A private account starts off at zero. This can be publicly revealed. Then to the encrypted transaction log and the public cyclic balances we add publication of the private balances in encrypted form that allows us to verify that the blinded balance is positive. This balance is verifiably linked to previous cyclic balances via the transaction log. It is therefore linked all the way back to the beginning balance which was zero.
>
>Consider all the transaction triples for which the first element is equal to the private account in question, since the account was opened. Take a product of all of the second elements and a product of all the third elements. It is clear that these products can be calculated inductively from the previous cyclic products and the activity in this cycle.
>
>The products on second and third elements are equal to
>
>	g^( Sum x_i,j,t + Sum r_i,j,t ), h^( Sum r_i,j,t )
>
>where I've added a time index by cycle which was implicit before.
>The notation for the inductive calculation is different, of course, and also obscures the underlying invariant.
>
>What we want is a certificate that Sum x_i,j,t is positive. Here it gets a bit hairy. There are likely other solutions to this technical requirement; here is the one I thought up yesterday and today.
>
>I thought I had an idea with promise on how to create such certificates using quadratic residuosity, but it doesn't work. I'm still thinking about it; this certificate doesn't seem impossible to create, but the standard ideas that I know about in algebraic protocol design don't seem to work.
>
>If anybody wants to work on this technical point off-line with me, send me mail. The math involved is advanced enough that I'd prefer to post summaries of work rather than all the detailed discussion.
>
>Another non-technical attack on the problem is to require periodic bank holidays, where all private balances will be revealed to be zero (preferably), or whatever is actually in the account. This doesn't prevent owner fraud, but does put an upper bound on the time in which to perpetrate it.
>
>Eric

From WlkngOwl at unix.asb.com Thu May 23 03:10:29 1996
From: WlkngOwl at unix.asb.com (Deranged Mutant)
Date: Thu, 23 May 1996 18:10:29 +0800
Subject: "Very Famous Reporter"
Message-ID: <199605230657.CAA21475@unix.asb.com>

On 21 May 96 at 10:06, Robert Hettinga wrote:

> In the meantime, it appears that I have egg on my face, as no story has emerged...
>
> By the way, did I say it was a rumor? ;-).

Likely the Very Famous Reporter (tm) misheard something about MD5, confused it with DSS (and possibly even something to do with PGP), thought (s)he had a hot story, spoke to some folx, and it fizzled.

Nah. Just a rumor.

Rob.

---
No-frills sig.
Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto)
        AB1F4831 1993/05/10 Deranged Mutant
Send a message with the subject "send pgp-key" for a copy of my key.
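
The ledger Eric Hughes describes in the forwarded "PROTOCOL: Encrypted open books" post earlier in this archive, together with the fake-account objection from Hal Finney and David Wagner, as an added Python example that is not code from any of the posts. The triple layout (account, g^(x+r), h^r) is read off the product formula in Hughes's post; the published total of blinding factors, the toy group (P, G, H), the account names and all function names are assumptions made here.

```python
import secrets

# Constructed toy parameters (assumptions, not from the posts). A real system
# needs a vetted group in which nobody knows log_G(H).
P = 2**127 - 1          # prime modulus; exponents are reduced modulo P - 1
ORDER = P - 1
G, H = 3, 7


class Bank:
    """Publishes the encrypted transaction log and keeps the blinding factors."""

    def __init__(self):
        self.log = []       # public triples (account, g^(x+r), h^r)
        self.secret = []    # (account, x, r), known to the bank and the owner

    def _entry(self, account, x):
        r = secrets.randbelow(ORDER)
        self.log.append((account, pow(G, (x + r) % ORDER, P), pow(H, r, P)))
        self.secret.append((account, x, r))

    def post(self, debit, credit, amount):
        """Double entry: x = +amount on the debit side, -amount on the credit side."""
        self._entry(debit, amount)
        self._entry(credit, -amount)

    def total_blinding(self):
        """Sum of every r, published once per cycle so the log can be checked."""
        return sum(r for _, _, r in self.secret) % ORDER

    def opening(self, account):
        """(sum of x, sum of r) for one account, as its owner could reveal it."""
        rows = [(x, r) for a, x, r in self.secret if a == account]
        return sum(x for x, _ in rows), sum(r for _, r in rows) % ORDER


def products(log, account=None):
    """Products of the second and third elements, for one account or all."""
    second = third = 1
    for acct, a, b in log:
        if account is None or acct == account:
            second, third = second * a % P, third * b % P
    return second, third


def books_balance(log, total_r):
    """Public check: if all x sum to zero the products are g^R and h^R."""
    second, third = products(log)
    return second == pow(G, total_r, P) and third == pow(H, total_r, P)


def opens_to(log, account, x_sum, r_sum):
    """Check a revealed (sum x, sum r) against the account's public products."""
    second, third = products(log, account)
    return (second == pow(G, (x_sum + r_sum) % ORDER, P)
            and third == pow(H, r_sum, P))


def holiday_audit(log, openings):
    """Hughes's 'bank holiday': every private (liability) account is opened.

    A liability account is credited on deposit, so the amount owed to the
    customer is -sum(x). Returns accounts whose opening fails to verify or
    shows a negative amount owed.
    """
    bad = []
    for account, (x_sum, r_sum) in sorted(openings.items()):
        if not opens_to(log, account, x_sum, r_sum) or -x_sum < 0:
            bad.append(account)
    return bad


def sample_bank(with_ghost):
    """Constructed ledger: 'cash' is the public asset account."""
    bank = Bank()
    bank.post("cash", "alice", 1000)    # deposit: debit cash, credit alice
    bank.post("cash", "bob", 800)
    bank.post("alice", "cash", 300)     # withdrawal: debit alice, credit cash
    if with_ghost:
        # The fake-account case: cash leaves against an account that never
        # received a deposit, so the amount owed to it becomes -500.
        bank.post("ghost", "cash", 500)
    return bank


if __name__ == "__main__":
    crooked = sample_bank(with_ghost=True)
    print("books balance:", books_balance(crooked.log, crooked.total_blinding()))
    openings = {a: crooked.opening(a) for a in ("alice", "bob", "ghost")}
    print("negative accounts on holiday:", holiday_audit(crooked.log, openings))
```

Both the honest and the fake-account ledger pass the public balance check; only opening the accounts exposes the negative amount owed, which is the gap the positivity certificate Hughes asks for would have to close.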
From schaefer at z-code.ncd.com Thu May 23 03:23:47 1996 From: schaefer at z-code.ncd.com (Barton E. Schaefer) Date: Thu, 23 May 1996 18:23:47 +0800 Subject: PGP MIME INTERNET DRAFT considered harmful. In-Reply-To: <31a3910d.flight@flight.hrnowl.lonestar.org> Message-ID: <960522223315.ZM13949@zyrcon.z-code.com> On May 22, 11:11pm, Paul Elliott wrote: } Subject: Re: PGP MIME INTERNET DRAFT considered harmful. } } > > Suppose we want to send a signed .gif file to a sysop. The } > > sysop wants to store the .gif in his download section. Suppose the sysop } > > wants to store the signature as a detached signature so that people who } > > download it can check the authorship. But the signature proposed by the } > > PGP-MIME draft is useless for this purpose. It has MIME headers attached } > > and it has been base64'ed. People who download such a file from a BBS } > > have no use for it, unless they have MIME. } > } > [...several other examples deleted...] } > } > PGP/MIME is _not_ meant to be used in this fashion! It never was! } > PGP/MIME is only to be used for transport, not for long term storage. } > If you need a persistent signature, you should generate a detached } > signature as an attachment. } } It should allow users to use it in such a fashion! PGP MIME should } respect the wishes of the users! Software should not view users } as tools to accomplish some goal predetermined by developers, but it } should rather make it easy for the user to accomplish what the user } wants! PGP/MIME is not software! PGP/MIME is a *spec* for *one part* of what comprehensive secure email software should provide! PGP/MIME is not required to specify the entire software system, and should *not* be interpreted as limiting the system to only the part it discusses! I think that's enough exclamation points. If you want a spec for the kind of usage described above, one can be created. 
Then, if it seems necessary, yet a third spec can reference both PGP/MIME and your new spec, and say that a mail system conforming to PGP security standards shall provide both PGP/MIME and this other usage, and any other that you happen to think of. There's no reason to expect PGP/MIME to *be* that all-encompassing third spec. That's not what PGP/MIME is for, which is what Michael has been trying to say all along. } PGP MIME should allow users to sign those documents the user wishes } to sign, faithfully transmitting those signatures to the receiver. It } should not dictate that a user will sign an unintelligible artifact of } a data transmission system. Sigh. The *point* is to use PGP to verify or secure the transmission system -- not merely to secure the content being transmitted. How can that be done without including some "artifact" of the transmission within the signed or encrypted content? } > There is also another reason to sign the encoded version. Remember that } > it also includes the content headers of that part. This is very important } > especially for automated processing of messages. } } The typical user does not necessarily know the difference between } a .gif and a .jpg file. He only knows he wants to send this pretty picture } on the screen. } } If Malley ( the active message hacker ) hacks the content-type } MIME line, all that will happen is that the message to be sent } to the .gif viewer rather than the .jpg viewer, causing the message } to be lost. But Malley already had the ability to loose the message, } after all, he hacked it didn't he? In general, the content type line } should not be signed. I put forth this very issue on the IMC resolving-security mailing list some weeks ago. 
I encourage anyone who wasn't involved in the IMC secure email discussions to check out the archive at: http://www.imc.org/workshop/mail-archive/ Briefly, the important thing to remember is that the content type is not the only interesting thing that may appear in the MIME headers. The headers may include checksums, part identifiers for external parts, and so on. There *is* a difference between securing a MIME body part and securing the data contained in the part; RFC1847 applies in those cases where securing the body part is important, and PGP/MIME applies when you want to use PGP as the security mechanism. That's it. } If some technically advanced user wants to sign the content-type } line, his wishes should be accommodated. But it should not be made } a requirement that technically unsophisticated users attest to things } they have no hope of understanding! By that argument, users shouldn't be signing GIF or JPEG images either, unless they know they're not just a pretty picture. However, the thing to wrap your brain around is that IT IS NOT BEING MADE A REQUIREMENT that the MIME headers be signed. PGP/MIME specifies *how* you sign (or encrypt) the MIME headers along with the content *when that is the intent*. The non-technical user doesn't need to know what the headers he's signing are, any more than he needs to be able to read GIF format. He does need to understand whether he's signing a simple data object or a specific transmission of that object. That's up to his software to make clear, but it's *not* up to the PGP/MIME specification. } I have gotten the impression that you guys have stopped listening. So far all your arguments seem predicated on misunderstanding of the goals and scope of the thing you're arguing against. That makes *us* the ones who've stopped listening? } In the future, other binary transports will become more common. } 7 bit datapaths will become less common. } Pressure will build for PGP MIME to support binary datapaths. 
} } PGP MIME will have to go through a complicated migration path } to phase in this transition. All this complexity can be avoided by } doing the right thing now. Actually, the migration path is simple, obvious, and almost completely compatible with the current specification. The only migration required is to lift the 7-bit constraint in PGP/MIME section 3, and to apply the canonicalization in section 5 only to parts whose C-T-E is not `binary'. Michael, what do you think about adding a remark about handling of the `binary' C-T-E to section 5, with the stipulation that it is there in anticipation of a future version of the protocol? The section 3 restriction is obviously desirable at this time, but a lot of spurious objections might go away if the transition plan were laid out. -- Bart Schaefer Vice President, Technology, Z-Code Software schaefer at z-code.com Division of NCD Software Corporation http://www.well.com/www/barts http://www.ncdsoft.com/ZMail/ From bogus@does.not.exist.com Thu May 23 03:27:58 1996 From: bogus@does.not.exist.com () Date: Thu, 23 May 1996 18:27:58 +0800 Subject: No Subject Message-ID: <199605230539.WAA09625@netcom21.netcom.com> The answer to information is more information. From jamesd at echeque.com Thu May 23 03:35:31 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Thu, 23 May 1996 18:35:31 +0800 Subject: PROTOCOL: Encrypted Open Books Message-ID: <199605230631.XAA03491@dns2.noc.best.net> At 05:45 PM 5/22/96 -0700, David Wagner wrote: > a fake account, without a real >customer, and fakes a transfer into that account, pocketing the >money that should have gone into that account? Then the total indebtedness of the bank will go up, but its total assets will not. If the bank does this, then there is no point. If an employee does this, then the loss will show up on the books. 
--------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From dsmith at midwest.net Thu May 23 03:47:45 1996 From: dsmith at midwest.net (David E. Smith) Date: Thu, 23 May 1996 18:47:45 +0800 Subject: Long-Lived Remailers Message-ID: <199605230524.AAA17410@cdale1.midwest.net> At 20:40 22 May 96 NSA operative Loren James Rittle wrote... (This was originally me. Wow.) > >:: > >Remailers-To-Chain: 7 > >Remailers-To-Avoid: remailer at nsa.gov > >Final-Destination: tcmay at got.net > > This will not work. The original sender must pick the path himself, > if maximum encryption to hide the final destination is to be used. > The properly used cypherpunks-style remailer network provides that as > long as even one remailer in the chain is trustworthy, your secret is > safe. Under your scheme, if the first remailer is untrustworthy, > everything is blown. This is because unless the original sender > pick's the path (or at least the last hop explicitly), the final > destination and message must be available to each hop. Well, I freely admit that it was just a notion that sort of came to me whilst at the terminal, with a beer on the desk. The sort of thing that often impairs my already-limited judgment :) Although... is this a possible way to lessen remailer-operator liability? If it is known that every remailer along the way chooses another remailer at random, it might become less likely to hold any given last-hop remailer liable for the CO$ documents spewed forth from it. It would become necessary to keep track of the final destination and to decrypt at every stage, unless there's a set Last-Hop: header; but that would defeat the whole purpose. 
Having traffic going all over the place randomly might be useful to defeat traffic analysis, though. I think I've just argued myself out of the whole idea. Never mind :) dave ObCPList: Have I been killfiled yet? If you don't see this message, send me a note :) ---- David Smith Box 324 Cape Girardeau MO USA 63702 http://www.prairienet.org/~dsmith dsmith at prairienet.org Reality is only for those lacking in true imagination... Send mail w/'send pgp-key' in subject for PGP public key From EALLENSMITH at ocelot.Rutgers.EDU Thu May 23 04:37:14 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Thu, 23 May 1996 19:37:14 +0800 Subject: FTC online workshop on privacy Message-ID: <01I514L3ED5S8Y4XHY@mbcl.rutgers.edu> From: IN%"declan+ at CMU.EDU" "Declan B. McCullagh" 22-MAY-1996 19:58:03.69 >Excerpts from cypherpunks: 22-May-96 Re: FTC online workshop on .. by "E. ALLEN SMITH"@ocelot. >> It's unsurprising that some of the same groups backing the CDA are >> backing this, since they used danger to children as an excuse for it. (A >> rather transparent one, given the actions vs Compuserve). I am >> disappointed in EPIC for cooperating with them. >You shouldn't be, and I should have been more clear. There is a broad >coalition of groups supporting this legislation, including (from memory) >the Kids off Lists! project, Center for Media Education, and Consumer >Federation of America. This appears to be another liberal (e.g., EPIC) vs libertarian difference. Liberals say we've got to have laws to protect the children, such as via keeping them from _email_ lists. Libertarians say it's the job of the parents (and the police, for non-anarchists) to protect the children. Yes, such lists can be misused (although I see no more reason to say the email ones can be truly misused than to say the CDA was justified). So can, say, cryptography. 
-Allen From wlkngowl at unix.asb.com Thu May 23 04:48:57 1996 From: wlkngowl at unix.asb.com (Mutatis Mutantdis) Date: Thu, 23 May 1996 19:48:57 +0800 Subject: NOISE.SYS and Win95? Message-ID: <199605230639.CAA21091@unix.asb.com> I've just got a Pentium and Win95 so I can try to get NOISE.SYS working for both. It seems to crash in Win'95 though... not sure why yet: has anybody used it or had problems with it on Win95/DOS7? (I've gotten it loaded using a device driver loading util from the command line, but the RANDOM$ device produces only one byte and a string of zeros... not good at all. Very bad, actually. URANDOM$ seems to work fine though.) From EALLENSMITH at ocelot.Rutgers.EDU Thu May 23 05:09:52 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Thu, 23 May 1996 20:09:52 +0800 Subject: An alternative to remailer shutdowns Message-ID: <01I5156RK8ZI8Y4XHY@mbcl.rutgers.edu> From: IN%"minow at apple.com" 23-MAY-1996 01:57:15.69 >-- The remailer operator is legally enjoined from reading messages > transversing his system. (For example, the remailer is subject to > data privacy laws.) I suspect that it is rather unlikely that the court would find a remailer operator covered by those laws. >-- The message was encrypted using the intended recipient's public key. > (This means that, without access to the private key, the operator > has no mechanism to examine the e-mail.) This is related to the old ISP liability question, although amplified by being not only a practical impossibility to filter but close to a physical impossibility also. (Please note the "close" part.) I am not sure if a judge could find any grounds to slap a remailer operator with contempt of court in such a case, but if it were so, Uni has pointed out that it's rather difficult to override a judge in such a matter, even based on plain facts. 
-Allen From WlkngOwl at unix.asb.com Thu May 23 06:11:46 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Thu, 23 May 1996 21:11:46 +0800 Subject: FTC online workshop on privacy Message-ID: <199605230918.FAA22809@unix.asb.com> On 22 May 96 at 11:16, Rich Graves wrote: > I'd have to see the bill, but I think it's a good general idea, provided > there's the caveats KNOWINGLY and WITHOUT THEIR [parent/guardian's] > KNOWLEDGE. As much as I hate direct marketers, I don't want them subject > to malicious and arbitrary prosecution because one address out of > thousands happens to belong to a kid. When I was on the FTC privacy list a while back there were more details about that. Companies would set of very commercial web sites oriented towards kids, for the main purpose of getting the kids to give information about themselves. So imagine if somebody set up a Barney fan page with all sorts of links and goodies but with the encouragement (if not requirement for access) to fill out personal information, even personal info about family members. Ok... maybe that's within one's right. But while (most) adults would be suspicious, it's not necessarily so with some children... (who'd give out parent's CC#'s if they knew them). Teaching kids basic privacy issues is a whole lot better than legislation. (Caveat emptor aside, fraud and cons are still illegal...). I haven't seen the legislation so I won't rant for or against it (at least not on the list) for now. Rob. --- No-frills sig. Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From dlv at bwalk.dm.com Thu May 23 09:04:35 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Fri, 24 May 1996 00:04:35 +0800 Subject: the system CAN work In-Reply-To: <199605230426.XAA06531@manifold.algebra.com> Message-ID: ichudov at algebra.com (Igor Chudov @ home) writes: > Dr. 
Dimitri Vulis wrote: > > So why are you here? Go back to Sovok and improve the government there. > > (I know, you like American welfare :-) > > I wonder how long it will take them to create a > cypherpunks-robomoderated list. :) You mean to filter out Sovoks like the nuriweiller? --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From declan+ at CMU.EDU Thu May 23 09:21:26 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Fri, 24 May 1996 00:21:26 +0800 Subject: FTC online workshop on privacy In-Reply-To: <199605230414.AAA22841@panix4.panix.com> Message-ID: Excerpts from internet.cypherpunks: 23-May-96 Re: FTC online workshop on .. by Shabbir J. Safdar at vtw.or > There's actually an interesting parallel here. If you look at the > Dworkin "ban pornography because speech is action" crowd, they often > end up on the same side of things as the Christian Coalition "ban porn > because it drives you to ungodly acts" crowd. They both happily support > legislation that would ban such images. The left and the right move so > far off the edges of the scales that they come around and meet each other > on the same side of the issue. More to the point, the left and the right come together on privacy issues. Remember the Christian Coalition's take on national ID cards? "Mark of the Beast!" (Does anyone have an original cite for this? I also recall the CC opposing Clipper...) -Declan From jay_haines at connaught-usa.com Thu May 23 09:26:03 1996 From: jay_haines at connaught-usa.com (Jay Haines) Date: Fri, 24 May 1996 00:26:03 +0800 Subject: (Another) alternative to Message-ID: Reply to: RE>(Another) alternative to remailer shutdowns Where would these message parts be put back together/decrypted? Wouldn't this require the receivers mail program to re-generate the original message? 
-------------------------------------- Instead of having the last remailer in the chain store the plaintext of an encrypted anonymous message, it might be more convenient to have the sender split the message into two messages and send these. The first message would contain random characters, and the second would contain the xor of these random characters with the anonymous message. By themselves, each piece would, of course, be harmless random text, so remailer operators' greatest crime would be spamming. If the two pieces were sent through chains with different last remailers, no one operator could be held accountable, and, of course, it would be ridiculous to suggest that one operator could be held responsible for the fact that another sent some random text which happened to be the xor of the random text another had sent with a harassing message. (For instance, the other operator could be trying to frame the first, with the help of the receiver.) It seems to me that the only way to deal with a remailing scheme of this kind would be to outlaw anonymous remailing in general. Leonard From byrd at ACM.ORG Thu May 23 09:55:26 1996 From: byrd at ACM.ORG (Jim Byrd) Date: Fri, 24 May 1996 00:55:26 +0800 Subject: subpoenas coming against 2 anon remailers? Message-ID: <2.2.16.19960523104722.1bf77b98@shore.net> This was posted by henri at netcom.com to alt.religion.scientology: ---------- -----BEGIN PGP SIGNED MESSAGE----- I have just received urgent email from Grady Ward regarding the case against him by the cult of $cientology. Apparently, the depraved and insane cult of degenerates and reprobates has decided that Grady Ward is responsible for the recent posting of the NUTS scriptures, the final secret of the crime cult. Many of these 'scriptures' are simply recipes for crime, including how to practice medicine without a license and get away with it, in defiance of Judge Gessell's order demanding that they cease that fraud immediately.
Nevertheless, this demented nut-cult has demanded a third-party expedited subpoena to obtain the records from the University of Maryland which they claim will prove their preposterous allegations. Two unnamed anonymous remailers will also be harassed in this bizarre fashion, though news on that is sketchy. The deranged and idiotic cult cites as 'evidence' of their ludicrous allegation that Grady filed a Motion to Dissolve the injunction against him after the NUTS pack was posted, on the grounds that it was then moot. This is the sole 'proof' they have. Bullshit and lies. So the nut-cult intends to rape remailers with no evidence at all. - From the criminal cult's filing: ". . .strong inference that defendant (1)is or is acting in concert with SCAMIZDAT; (2) has made postings of Plaintiff's Advanced Technology works; (3) may have made or been acting in concert with those who made the May 6 postings of the NOTs works for the express purpose of undermining the injunction entered herein. Defendant certainly let no grass grow under his feet in attempting to take advantage to [sic] those postings by asserting the invalidity of the injunction four days later. "As the collusion become more and more apparent with the latest blatant attempt to destroy RTC's trade secrets, the need for complete and expedited discovery of defendant becomes even greater." Not a scrap of evidence is offered that Grady Ward had anything to do with SCAMIZDAT, is SCAMIZDAT, or even knows who SCAMIZDAT is. Just brazen lies, bizarre accusations, and increasingly shrill and hysterical court filings, now even including sloppy grammar, as the cult lawyers are obviously working without sleep, and possibly under the influence of mind-altering drugs. In further proof of Grady Ward's guilt, the clam-cult offers the fact that Grady Ward has exchanged email with Alex de Joode, who operated the now-defunct remailer at utopia.hacktic.nl. 
Obviously, anyone who would associate with such a nefarious remailer operator must also continually post NUTS packs. In more absurd claims of the cult, they actually have the gall to accuse him of "taking advantage" of not having a lawyer while facing a worldwide criminal organization which has retained dozens of lawfirms simultaneously in order to fight its frivolous lawsuits against everything in existence. They are claiming that Grady Ward is somehow at an advantage over them because he doesn't even have a lawyer. They are also claiming, this cult which filed hundreds of lawsuits against the IRS alone, to dodge their taxes, that somehow the net "tricked" them into suing everything in sight. They also claim that Grady Ward (and everyone on the net) obviously keeps huge archives of mail and news, because "it is inherently unbelievable that defendant retypes several paragraphs of identical wording in message after message." In short, what the cult is claiming is that quotes ">" in USEnet followups prove that you keep huge archives. Apparently, these invidious cretins have never heard of the "F" key on a keyboard. One wonders how they manage to type a single word. "uck you you motherucking uckhead" just doesn't have the same "zip" without an "f" in there now and again, does it? They also accuse him of keeping huge archives, despite the fact that he doesn't keep any, because he had a list of cancelled messages that were feloniously cancelled with forged control messages, despite the fact that Ron Newman's web page at http://www.cybercom.net/~rnewman/scientology/home.html keeps a complete tally of all the forgeries. The cult then tries to impugn all of Grady Ward's exhibits as "unauthenticated and hearsay," because they're USEnet posts, while submitting as exhibits all of Grady Ward's posts, which by their own claims are ALSO "unauthenticated and hearsay." In other words, they've blown their own case out of the water! 
Well, their case is doomed, but it's still entirely possible that this imbecilic cult of droolers could cause some damage to remailers in their last dying thrashings. h - -- fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck f f u "When you can't say 'fuck,' you can't say u c 'FUCK THE CDA!' -- Lenny Bruce rephrased c k k fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck ObURL: http://www.cybercom.net/~rnewman/scientology/erlich/defense-fund [ For Public Key: finger henri at netcom.com ] -----BEGIN PGP SIGNATURE----- Version: 2.6.i Comment: PGP signed with SigEd v1.3.1 - http://www.nyx.net/~pgregg/siged/ iQCVAgUBMaKFP2130hVrA/MJAQFaDgQAmWYgLr78HTeH7uNF9pcWnu862IokSt1d sIR9jjlKRApSSjiOPkNInDf4XwTHUsx6VxpAV16f4d2lEJrNcoRH1sizEKnNeEi3 +V5tqsdaawzYWi6kncHfONTqElshmWnRvXh5Zs1cjW11xjoXlWn2GEViKKO8UHtm vsK3PXuJEsg= =+ybQ -----END PGP SIGNATURE----- From matts at pi.se Thu May 23 09:57:18 1996 From: matts at pi.se (Matts Kallioniemi) Date: Fri, 24 May 1996 00:57:18 +0800 Subject: The Crisis with Remailers Message-ID: <2.2.32.19960523122903.003b857c@mail.pi.se> At 15:04 1996-05-22 -0400, Perry E. Metzger wrote: >However, accounting systems DO NOT use 32 bit fixed point arithmetic. > >One client of mine had around $10Billion under management. Do you >think they were doing their accounting on a system that could only >deal with fixed point numbers of 45Million or so? Hell, individual >trades are larger. Sure, but we were really discussing Ecash(tm), not accounting. To quote from the FAPI: /* An EC_Amount is a signed 32-bit integer. It represents an amount * of money in units of the coinage's base value. */ >Accounting systems require exact math -- down to the cent. Come on, we're not talking cents here. Question is, how do you represent a one ITL coin in Ecash(tm) with a USD mint? We are way below the cent level, where no accountant has ever gone before... 
Regards, Matts From jay_haines at connaught-usa.com Thu May 23 09:57:21 1996 From: jay_haines at connaught-usa.com (Jay Haines) Date: Fri, 24 May 1996 00:57:21 +0800 Subject: PROPOSAL Message-ID: Reply to: RE>>PROPOSAL Thirded, with bilateral agreement. -------------------------------------- >Motion: To create the alt.politics.assassination.politics newsgroup and >the "AP" mailing list so as to clear the meaningless traffic (for which I >am significantly responsible) out of this forum. >Any seconds? So long as the AP list is specifically for debates about the ethics of such, seconded. If it would remove from cypherpunks discussion of implementation or of social consequences, that wouldn't be good, since the implementation of this is definitely cypherpunks material. -Allen From pcw at access.digex.net Thu May 23 10:02:54 1996 From: pcw at access.digex.net (Peter Wayner) Date: Fri, 24 May 1996 01:02:54 +0800 Subject: TILT! Counterfeit pachinko cards send $588 million down the chute. Message-ID: The WSJ of Wednesday, May 22nd, 1996 (A18) reports that two Japanese firms lost about 55 billion yen when criminals counterfeited the stored money cards that they manufactured. These cards are used to pay for pachinko games, but you can get refunds wired to an account if you cash in a card. If my memory serves me correctly, there is a certain amount of skill involved. If you play well or are lucky, you might even add money to the cards. But I'm not sure about this detail. In any case, the people with the counterfeit cards could get refunds when they didn't pay for the original card. The Journal mentions three interesting details. First, the cards were pushed by the police as a means to track the flow of cash and stop money laundering. Obviously, there wouldn't be these losses if they could really track the flow. Second, the convenience of the new cards initially boosted profits because it was so much easier to play with the cards that automatically kept track of your money. 
Finally, the Journal reported that there are 18,244 pachinko parlors in Japan. From rah at shipwright.com Thu May 23 10:05:12 1996 From: rah at shipwright.com (Robert Hettinga) Date: Fri, 24 May 1996 01:05:12 +0800 Subject: SURVEY: Trading on the Internet Message-ID: --- begin forwarded text Sender: e$@thumper.vmeng.com Reply-To: Ian Grigg (by way of Rachel Willmer) Mime-Version: 1.0 Precedence: Bulk Date: Thu, 23 May 1996 12:37:41 +0100 (BST) From: Ian Grigg (by way of Rachel Willmer) To: Multiple recipients of Subject: SURVEY: Trading on the Internet Following on from The Spring Street Brewery's successful IPO, I am researching the nature of Internet issues of debt and equity. This envisages the use of electronic token value systems such as Digicash and the digital bearer bonds that Bob talks about. The topic is for a management report that I am writing as the final deliverable in my MBA, and has a lot of bearing on what we are trying to do within the embryonic Internet Financial System. So, making whatever assumptions you like (but please mention them), here goes with some questions: ----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<---- Would your company be interested in the idea of issuing on the Internet? What specifically would attract you to issuing on the Internet? What specifically would worry you? Would you prefer Debt (bonds) or Equity (shares) (or something more exotic)? What sort of products/services does your company sell? Do you think Internet users would be attracted enough to your company to give you money (e.g. are you the Netscape of '97)? If not the general Internet community, who would buy your shares or bonds (local community, funds, family+friends, business contacts...)? ---->8---->8---->8---->8---->8---->8---->8---->8---->8---->8---- That's it, thanks in advance for your patience. Please forward to me directly, rather than posting (but post any deeper questions as they will, no doubt, be welcome). 
I am not interested in direct marketing anything (and please don't ask for a list of respondents), but any interesting answers I would like to follow up by email to develop them. Indicate if you want some summarised feedback (won't be for a few weeks). -- Ian Grigg iang at systemics.com --- end forwarded text ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://www.vmeng.com/rah/ From perry at piermont.com Thu May 23 10:48:54 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 24 May 1996 01:48:54 +0800 Subject: Floating Point and Financial Software In-Reply-To: <9605222358.AA08828@burris.apdg.com> Message-ID: <199605231257.IAA26297@jekyll.piermont.com> Kurt Vile writes: > The Federal Reserve Bank, European Ecomonic Community, England, > France, Germany, Japan, Canada, etc store their historical data in a > time series database called FAME, which does 64 bit representation > of floating point data.... FAME is NOT an accounting package. I'm talking about accounting. > The Options Clearing Corporation does all of their clearing in 64 > bit floats, for one. Options are traded in integral units. Why would they use floats for counting them? > Swiss Bank/O'connor, NationsBank/CRT, Fannie Mae, Merril Lynch use > NeXT's as their trading platform so you can rest assured that they > are using 64's 1) Most of those firms have used *some* NeXT machines, none have used them exclusively. (My friends who were at Swiss Bank used HPs. My friends at M-L use Suns). In any case, it doesn't matter. Why would the native floating point representation of the machine have anything to do with accounting? 
Most of the accounting in those firms wasn't ever done on their trading platforms at all anyway -- many of them still do all their accounting on mainframes, and whether they use mainframes or not they tend to write their accounting on top of database packages that have exact numerical representations available for money. The accounting systems are in any case back office systems, not front office systems, and have nothing to do with the trading platforms. Perry From stewarts at ix.netcom.com Thu May 23 10:52:16 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 24 May 1996 01:52:16 +0800 Subject: MixMaster fair use Message-ID: <199605231259.FAA13476@toad.com> At 12:14 AM 5/22/96 EDT, you wrote: >From: IN%"loki at infonex.com" 21-MAY-1996 17:19:02.59 > >>The problem is RSAREF. I can't chose license terms for that. > > Oof... I see the problem. No, it's not you, it's them. The Agreement, as written, covers all of Mixmaster; it would be easier for people to adapt Mixmaster code if you either release a bones version or a license that clarifies that you can't use the RSAREF portions commercially but can do whatever you want with the rest of Mixmaster (if that's what you want) or however much freedom you want to grant (e.g. you may want to say some disclaimerish words about obeying ITAR etc.) Consensus.com is doing commercial licensing for RSAREF now; there may be some reasonably-priced approach to the problem. RSAREF has at least three kinds of legal protection: - contract (if you're using a licensed version) - patent (on doing RSA-method encryption, not on the code itself) - copyright (on the RSAREF code itself.) 
# Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 # goodtimes signature virus innoculation From stewarts at ix.netcom.com Thu May 23 11:13:24 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 24 May 1996 02:13:24 +0800 Subject: An alternative to remailer shutdowns Message-ID: <199605231304.GAA13631@toad.com> At 03:05 PM 5/21/96 -0500, you wrote: >To make it easy, how about a two part MIME message with the key and the >PGP-encrypted message. The message text would be directions on opening >it up, and breaking the "seal", which constitutes acceptance of the >remailer terms... Is that really any different than delivering the message rot-13? One of the reasons people object to getting anonymous email is spam; sending "You have mail; pick up message-id #2718281828 by midnight tonight!" encourages you to go to some effort to pick up the message, so you'll be even more annoyed if it's spam. Similarly, for hate-mail. PROPOSAL -------- On the other hand, a pickup system could reduce directed spam, if people generally don't pick up remailer pickups unless they recognize the messageid, leaving the remailer system to people who actually want to communicate with each other anonymously, which _had_ been one of the original goals of remailer systems. Protocol support requirements:? We could build in a fancy header, or we could just use the Subject: line, which many remailers know how to paste in anyway, and let the remailer do a messageid. Response mechanisms should probably be an email message to the remailer :: Deliver-Message: 2718281828 A secondary concern is handling multi-casts - should the remailer create one copy for each recipient (secure, easy, space-wasteful), or should it try to get fancy and keep the message for N recipients or D days? 
Two ways to implement the fancy version are to keep a flag that says not to delete the article upon receipt, while the normal behavior deletes it, or to use different keywords for picking up delete-after-pickup and shared messages. NEGATIVES --------- The big negatives with this approach are that it doesn't support PGP-encrypted messages, since they don't easily fit into one line, while they also encourage people to forget that the header of their message will be delivered insecurely. But it's probably close enough for non-anti-government work. Of course, it also doesn't do chaining; that either needs to be implemented by recognizing well-known remailers and forwarding directly instead of pickup, or by using a standard message format, so other remailers could do pickup. It's probably worth doing both, to support other remailer types transparently and to allow remailers to use pickups without having to be well-known. Adding automatic remailer registration is easy, but requires care to avoid spammers falsely registering victim at wherever.com as a remailer and then spamming. SPAM POSSIBILITIES ------------------ That still allows 1-line spams like Subject: ! You ! or Subject: Our new Remail-Spam(tm) system lets you fit 1015 characters in a Subject: line, just like this one, so your whole message can fit through those anti-marketing filters! You can MAKE M0NEY REAL FAST building your downline - send e$1 of Bank Foo ecash to the top three addresses in the Cc: line but at least it cuts down on the annoyance level. It also supports messages like Subject: Secrets of the Scientologists for Sale! Pick up message for free sample and price list! Operate your own Thetan today! which permit direct-e-mail spams, or as some people prefer to call them, marketing opportunities. 
An interesting security/legality wrinkle is that if somebody is trying to multicast-publish unencrypted contraband data, it's sitting around in the mail-pickup spool, it can be seized by Bad Guys / courts / sheriffs / etc. As with most remailers, there's also a risk that outgoing unicast mail could be seized while in the spool, which is higher for a pickup system because the data may be in the spool longer.

# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus innoculation

From hendersn at zeta.org.au Thu May 23 11:27:12 1996
From: hendersn at zeta.org.au (Zed)
Date: Fri, 24 May 1996 02:27:12 +0800
Subject: Long-Lived Remailers
Message-ID: <199605231319.XAA19785@godzilla.zeta.org.au>

>Ideally the final emanation point will be ephemeral indeed. Perhaps only a
>few minutes or an hour or two.

I really like this idea. How about instead of a full-scale remailer being the final jump of the message, you have a _very_ simple remailer set up along the lines of anon.penet.fi. No encryption, just strip off the headers and send the message to its final destination. Sorry for being clueless in how this works (I'm learning as fast as I can), but wouldn't this kind of system be incredibly easy to start up and fold? You could have a host of such final emanation points winking in and out of existence while the actual encrypting remailers remain relatively safe.

Zed(hendersn at zeta.org.au)
"Don't hate the media, become the media" - Jello Biafra
PGP key on request

From bryce at digicash.com Thu May 23 11:32:40 1996
From: bryce at digicash.com (bryce at digicash.com)
Date: Fri, 24 May 1996 02:32:40 +0800
Subject: The Crisis with Remailers
In-Reply-To: <2.2.32.19960523122903.003b857c@mail.pi.se>
Message-ID: <199605231344.PAA29038@digicash.com>

-----BEGIN PGP SIGNED MESSAGE-----

An entity known as "Matts Kallioniemi" wrote something like:
>
> Sure, but we were really discussing Ecash(tm), not accounting.
To quote
> from the FAPI:
>
> /* An EC_Amount is a signed 32-bit integer. It represents an amount
> * of money in units of the coinage's base value.
> */

Note "units of the coinage's base value". The coinage's base value could be 0.000000007 Lira if the bank so desired. Unfortunately since the largest EC_Amount in the API is 2^31, you wouldn't be able to buy much with coins of that type. :-)

It is more likely that the coinage's base value will be 0.01 U.S. Dollars or 0.0001 U.S. Dollars or something on that order.

If a need arises for a greater range of values, the Ecash(tm) API can be easily extended by using a larger int for EC_Amount.

Regards,

Bryce

From ac at hawk.twinds.com Thu May 23 11:46:54 1996
From: ac at hawk.twinds.com (Arley Carter)
Date: Fri, 24 May 1996 02:46:54 +0800
Subject: Number one story on CNN this hour.
In-Reply-To:
Message-ID:

They forgot to mention that there are ~100 million 2 ton missiles roaming freely throughout the USA. I guess we'll need a disarmament policy for automobiles now. ;-)

Arley Carter
Tradewinds Technologies, Inc.
email: ac at hawk.twinds.com
www: http://www.twinds.com
"Trust me. This is a secure product. I'm from ."

On Wed, 22 May 1996, Simon Spero wrote:

> On Wed, 22 May 1996, Alan B. Clegg wrote:
>
> > There are 40 million 'attack capable' systems connected to the Internet
> > and over 120 countries have developed or are developing 'attack software'.
>
> Does that mean I need a concealed carry permit for my Newton?
>
> Simon
>

From jmoll at acquion.com Thu May 23 11:48:45 1996
From: jmoll at acquion.com (Joseph L. Moll)
Date: Fri, 24 May 1996 02:48:45 +0800
Subject: Lotus Notes 4.0 stream encryption.
Message-ID: <2.2.32.19960523140749.006ac8dc@mail.acquion.com> Can anyone comment on this? --- Joseph L. (Joe) Moll mailto:jmoll at acquion.com Network and Communications Engineering http://www.acquion.com phone:864-281-4108 fax:864-281-4576 ACQUION, Inc. Greenville, SC USA -- Specialists in Electronic Commerce disclaimer: This email is not to be considered official correspondence --- From jya at pipeline.com Thu May 23 12:40:26 1996 From: jya at pipeline.com (John Young) Date: Fri, 24 May 1996 03:40:26 +0800 Subject: CLI_pr3 Message-ID: <199605231418.OAA02731@pipe2.t1.usa.pipeline.com> 5-23-96. WaJo: "Chasing Criminals at Cyberspeed." Three recent developments in the money laundering trade have governments especially worried: the proliferation of offshore financial centers, the collapse of the Soviet Union and the adaptation of emerging technologies to criminal ends. Officials think newly developed "smart cards" will be particularly appealing to criminals. Smart cards could be used to download cash from bank accounts, then used to make payments or deposits anywhere in the world. All without anyone knowing who holds the smart card, because encryption guarantees anonymity. Says Stanley Morris, director of FinCEN, "The only way we can adequately assist our federal law enforcement counterparts in following the trail of the multinational money launderer is through our linkages with multilateral arrangements such as ... [Clipper 3]." 5-23-96. FiTi: "Japanese recruit 2,000 spies to monitor Asia crises." Their main source of official information will be material gathered by six electronic listening posts stationed across Japan. CLI_pr3 (for 2) From reagle at MIT.EDU Thu May 23 12:53:58 1996 From: reagle at MIT.EDU (Joseph M. Reagle Jr.) 
Date: Fri, 24 May 1996 03:53:58 +0800
Subject: nyt: Report Warns of Security Threats Posed by Computer Hackers
Message-ID: <9605231405.AA12953@rpcp.mit.edu>

Copyright 1996 The New York Times Company

May 23, 1996

Report Warns of Security Threats Posed by Computer Hackers

By PHILIP SHENON

WASHINGTON -- Government investigators warned Wednesday that computer hackers cruising the Internet posed a serious and growing threat to national security, with the Pentagon suffering as many as 250,000 "attacks" on its computers last year.

The investigators, from the General Accounting Office, offered scenarios in which terrorists or enemy governments might break into Defense Department computer networks and shut them down, cutting off communications between military commanders in the middle of a war.

"There will become an increasingly attractive way for terrorists or adversaries to wage attacks," the investigators said in a report prepared for two congressional committees. "The potential for catastrophic damage is great."

The Pentagon did not dispute the findings of the study, although Defense Department officials said they knew of no instance in which hackers had obtained secret information or gained access to computer networks that control the firing of weapons.

"We are certainly well aware that people are breaking in or trying to hack into our systems," said Susan Hansen, a department spokeswoman.

While the Pentagon is developing encryption devices that show promise in defeating computer hackers, the accounting office, which is the investigative arm of Congress, warned that none of the proposed technical solutions was foolproof, and that the military's current security program was "dated, inconsistent and incomplete."

The explosion in the use of the Internet and the increasing power and sophistication of small desktop computers has compounded the Pentagon's problems, creating a worldwide army of hackers able to break into all but the most secure computer networks.
The report cited Defense Department estimates that the number of unauthorized efforts to enter its computer systems -- "attacks," in the parlance of cyberspace -- was doubling every year and may have reached 250,000 in 1995, most of them made through the Internet. Pentagon figures suggest that in about 65 percent of those efforts, hackers were able to gain entry to a computer network. The investigators provided details on several recent attacks on the Pentagon's computers, including a 1994 incident in which two computer hackers were able to gain "complete access to all of the information" on the computer systems of the Rome Air Development Center, the Air Force laboratory in Rome, N.Y., where the Defense Department carries out some of its most important research on weapons systems. The report said the hackers rummaged through the computer networks for several days and stole information on the methods used by Air Force commanders to relay secret intelligence and targeting information during wartime. Working through the Internet and a variety of phone switches in South America, the hackers also used the laboratory's computers as a "launching platform to attack other military, government, commercial and academic systems worldwide," including the Wright-Patterson Air Force Base in Ohio and the Goddard Space Flight Center in Greenbelt, Md., the report said. One of the hackers, a Briton whose code name was "Datastream Cowboy," was later arrested in England. The authorities say they do not know the nationality of the other hacker, whose code name is "Kuji" and who was never apprehended. "There may have been some national security risks associated with the Rome incident," the report said. "Air Force officials told us that at least one of the hackers may have been working for a foreign country interested in obtaining military research data or information on areas in which the Air Force was conducting advanced research." The foreign country was not identified in the report. 
In separate incidents between April 1990 and May 1991, the report said, hackers from the Netherlands broke into computer networks at 34 Defense Department sites and browsed the electronic-mail systems of several department officials, calling up all messages that contained the key words "nuclear," "weapons" or "missile." The accounting office investigator who oversaw the report, Jack L. Brock Jr., said in testimony Wednesday before the Senate Permanent Subcommittee on Investigations that more than 120 nations are reported to be developing "information warfare techniques" that could "allow our enemies to seize control of public networks which Defense relies upon for communications." "Countries today do not have to be military superpowers with large standing armies, fleets of battleships or squadrons of fighters to gain a competitive edge," he said. "Instead, all they really need to steal sensitive data or shut down military computers is a $2,000 computer and modem and a connection to the Internet." The investigators said the Pentagon had made itself vulnerable to attack by making itself so dependent on computers and the Internet, a system that its own researchers created in the 1970s. "Defense's computer systems are particularly susceptible to attack through connections on the Internet, which Defense uses to enhance communication and information sharing," the report said, noting that an estimated 40 million people worldwide are Internet users. "In turning to the Internet, Defense has increased its own exposure to attacks." The Pentagon uses the Internet to distribute electronic mail and other information. During the war in the Persian Gulf, the Defense Department used the Internet to communicate with allied armies and gather and distribute intelligence information. _______________________ Regards, When we ask advice, we are usually looking for an accomplice. 
-Marquis de la Grange Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E From bogus@does.not.exist.com Thu May 23 13:33:18 1996 From: bogus@does.not.exist.com () Date: Fri, 24 May 1996 04:33:18 +0800 Subject: No Subject Message-ID: <199605231521.IAA18698@netcom13.netcom.com> Copyright 1996 The New York Times Company ^^^^^^^^^^^^^^ Report Warns of Security Threats Posed by Computer Hackers ^^^^^^ ^^^^^^^^ ^^^^^^^ [W] ASHINGTON -- Government investigators warned Wednesday that computer hackers cruising the ^^^^^^^^ Internet posed a serious and growing threat to national ^^^^^^^^ security, with the Pentagon suffering as many as 250,000 ^^^^^^^ "attacks" on its computers last year. ^ ^ -- Love, Qut at netcom.com From crypto at nas.edu Thu May 23 13:46:03 1996 From: crypto at nas.edu (CRYPTO) Date: Fri, 24 May 1996 04:46:03 +0800 Subject: The National Research Council Study of National... Message-ID: <9604238328.AA832875005@nas.edu> Subject: The National Research Council Study of National Cryptography Policy (An incorrect web page/URL locator was posted in the previous message; apologies. If you found your way to the right page anyway and signed up for information, you don't need to do it again.) Please post this message widely I am writing to let interested parties know about the imminent release of the NRC's study of national cryptography policy. If all goes well, we hope to release it on May 30, 1996. However, prior to that time, we won't be able to comment on its contents. For current information on release, visit the web site http://www2.nas.edu/cstbweb/notifyme.html When you visit that site, you'll have the opportunity to be put onto a mailing list so that we can inform you by e-mail when the report is available in print and/or electronically, as well as any public events associated with the report (e.g., public briefings). 
Herb Lin
Cryptography Policy Study Director
Computer Science and Telecommunications Board
National Academy of Sciences/National Research Council
202-334-2605

From iang at cs.berkeley.edu Thu May 23 13:53:27 1996
From: iang at cs.berkeley.edu (Ian Goldberg)
Date: Fri, 24 May 1996 04:53:27 +0800
Subject: Is Chaum's System Traceable or Untraceable?
In-Reply-To: <01I50K5LNPQG8Y4X9G@mbcl.rutgers.edu>
Message-ID: <4o205r$7br@abraham.cs.berkeley.edu>

-----BEGIN PGP SIGNED MESSAGE-----

In article <01I50K5LNPQG8Y4X9G at mbcl.rutgers.edu>, E. ALLEN SMITH wrote:
>From: IN%"iang at cs.berkeley.edu" 22-MAY-1996 14:51:29.42
>
>>In the "normal" protocol, the payee has to go online. In the "anon" protocol,
>>the payer has to go online. Since you don't want to go online when you
>>walk into a shop, you can pay the shop with the "normal" protocol, and
>>the shop gives you change with the "anon" protocol.
>
>>That way, you never need to go online, and your identity is never compromised.
>
> However, the shop's still is, although the bank might not be able to
>determine as much about how much income is coming in. OTOH, we're talking about
>a physical shop situation; I'm not sure how critical it is to have shop
>anonymity with payor cooperation for this, since the payor can break it
>anyway.

Ah. I see I was misunderstood. The goal was not to make the shop anonymous, but rather to be able to provide change to an anonymous payer.
- Ian

From gelmanl at gwis2.circ.gwu.edu Thu May 23 14:24:22 1996
From: gelmanl at gwis2.circ.gwu.edu (Lauren Amy Gelman)
Date: Fri, 24 May 1996 05:24:22 +0800
Subject: Children's Privacy Act
In-Reply-To:
Message-ID:

The text of the Children's Privacy Protection and Parental Empowerment Act is available at the Epic "Children's Privacy" web site: http://epic.org/privacy/kids/

Read it before you trash it!

------------

Summary:

Rep. Bob Franks (R-NJ) and Senator Dianne Feinstein (D-CA) have introduced the Children's Privacy Protection and Parental Empowerment Act. The bill would establish fair information practices for personal information about kids and curb recent abuses in the direct marketing industry.

The Children's Privacy Protection and Parental Empowerment Act would:

Prohibit the sale or purchase of personal information about children without parental consent.

Require list brokers and solicitors to disclose to parents, upon request, the source and content of personal information on file about their children.

Require list brokers to disclose to parents, upon request, the names of persons or entities to whom they have distributed personal information on that parent's child.

Prohibit prisoners and convicted sex criminals from processing the personal information of children.

Prohibit any exchange of children's personal information that one has a reason to believe will be used to harm or abuse a child.
----------------------------------------------------------------------------
Lauren Amy Gelman gelmanl at gwis2.circ.gwu.edu
George Washington University gelman at epic.org
Science, Technology, and Public Policy Program gelman at acm.org

From adam at lighthouse.homeport.org Thu May 23 14:57:53 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Fri, 24 May 1996 05:57:53 +0800
Subject: nyt: Report Warns of Security Threats Posed by Computer Hackers
In-Reply-To: <9605231405.AA12953@rpcp.mit.edu>
Message-ID: <199605231708.MAA19410@homeport.org>

The government made this bed, now they need to sleep in it. Strong encryption and authentication would go a long way towards making the net safer. But the NSA wants the market fragmented & weak.

(Strong encryption is not a cure-all, nor a replacement for firewalls. But it is a needed part of the infrastructure.)

Adam

| Copyright 1996 The New York Times Company
|
| May 23, 1996
|
| Report Warns of Security Threats Posed by Computer
| Hackers
|
| By PHILIP SHENON
|
| WASHINGTON -- Government investigators warned
| Wednesday that computer hackers cruising the
| Internet posed a serious and growing threat to national
| security, with the Pentagon suffering as many as 250,000
| "attacks" on its computers last year.

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From jyacc!aspen!bdodds at uunet.uu.net Thu May 23 15:07:25 1996
From: jyacc!aspen!bdodds at uunet.uu.net (brian dodds)
Date: Fri, 24 May 1996 06:07:25 +0800
Subject: Number one story on CNN this hour.
In-Reply-To:
Message-ID:

On Wed, 22 May 1996, Simon Spero wrote:

> > There are 40 million 'attack capable' systems connected to the Internet
> > and over 120 countries have developed or are developing 'attack software'.
>
> Does that mean I need a concealed carry permit for my Newton?

yes, you're now carrying what the media would call an `assault pda'..
it's small, black, military-styled, and fully automatic..

bri..

--bdodds at jyacc.com brian dodds, systems administration, jyacc, inc. wellesley, ma
--617.431.7431x125 opinions expressed within are not necessarily my own or anyone else's..

From frantz at netcom.com Thu May 23 15:08:25 1996
From: frantz at netcom.com (Bill Frantz)
Date: Fri, 24 May 1996 06:08:25 +0800
Subject: The Political Map, (was Re: FTC online workshop on privacy)
Message-ID: <199605231643.JAA23120@netcom8.netcom.com>

At 12:14 AM 5/23/96 -0400, Shabbir J. Safdar wrote:
>There's actually an interesting parallel here. If you look at the
>Dworkin "ban pornography because speech is action" crowd, they often
>end up on the same side of things as the Christian Coalition "ban porn
>because it drives you to ungodly acts" crowd. They both happily support
>legislation that would ban such images. The left and the right move so
>far off the edges of the scales that they come around and meet each other
>on the same side of the issue.

This is because any analysis of political opinion that tries to reduce it to a one dimensional metric is ipso facto wrong. Two dimensions gives you a much better match. (Try personal freedom on one axis and economic freedom on the other.) I suspect the more dimensions you include, the better your analysis will be.

Regards - Bill

------------------------------------------------------------------------
Bill Frantz | The CDA means | Periwinkle -- Computer Consulting
(408)356-8506 | lost jobs and | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From jimbell at pacifier.com Thu May 23 15:34:45 1996
From: jimbell at pacifier.com (jim bell)
Date: Fri, 24 May 1996 06:34:45 +0800
Subject: INFO: Transcript of Sen. Leahy's RealAudio chat now available!
(5/22/96)
Message-ID: <199605231655.JAA26293@mail.pacifier.com>

At 01:34 AM 5/23/96 -0400, Voters Telecommunications Watch wrote:
> REALAUDIO TRANSCRIPTS OF LEAHY'S WIREDSIDE CHAT AVAILABLE
> Date: May 22, 1996
> URL:http://www.crypto.com/ crypto-news at panix.com
>NEWS
>Rave reviews of Senator Leahy's appearance on HotWired's WiredSide chat
>are coming already. With this appearance, the gentleman from Vermont
>proves once again that he knows net.politics on a personal level, and
>can understand the subtleties that we assume many in Congress are just
>learning.

Well, he must have learned it all in the last few months, because his bill was the closest thing to DOA that we've seen in a long time, exceeded only by GAK 3.

I'd like to hear from him what the source of the text of the Leahy bill on encryption really was: Who pressured him to make it so bad?

Jim Bell
jimbell at pacifier.com

From bruce at aracnet.com Thu May 23 16:07:27 1996
From: bruce at aracnet.com (Bruce Baugh)
Date: Fri, 24 May 1996 07:07:27 +0800
Subject: The Crisis with Remailers
Message-ID: <2.2.32.19960523174541.006b98dc@mail.aracnet.com>

At 11:30 PM 5/22/96 -0400, Joined Trill wrote:

>On certain political newsgroups (perhaps most noticeably in the
>soc.culture.* hierarchy) it's common to see someone's views refuted
>because they are identified with a particular interest group.

Now _there_ is a good point, well-known to the sort of people I'm concerned about presenting good advocacy to. Thanks!

--
Bruce Baugh
bruce at aracnet.com
http://www.aracnet.com/~bruce

From trei at process.com Thu May 23 16:12:55 1996
From: trei at process.com (Peter Trei)
Date: Fri, 24 May 1996 07:12:55 +0800
Subject: ecash representation
Message-ID: <199605231725.KAA18985@toad.com>

> In my last article, I slightly screwed up.
> > A signed 32 bit fixed point number, with two places of precision (less > than you need when calculating things like interest and what have you, > but lets be generous) has a maximum representation of even less than I > off the cuffed -- a mere 21,474,836.48. This is hardly sufficient for > accounting. However, floating point is even less useful. > > .pm Back in the mid-80's, I worked for several years at Irving Trust, a (now-gone) major money center bank. One of the financial messaging systems I worked with stored currency amounts as 96-bit vectors of a base unit (eg, a penny), and could have a 'binary point' anywhere in the vector. There were the usual math functions available to handle this data type. If you split the vector evenly between fractional and non-fractional parts, you could represent amounts up to $7E13 to an accuracy of about 3E-15 of a cent. The maximal amount that could be represented was about $2E28, and the highest precision about $1E-29 of a cent. This range and level of precision was judged adequate of most purposes :-). Peter Trei ptrei at acm.org "Did you know that there is a subunit of the Japanese yen?" From tcmay at got.net Thu May 23 16:23:55 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 24 May 1996 07:23:55 +0800 Subject: CLI_pr3 Message-ID: At 2:17 PM 5/23/96, John Young wrote: > 5-23-96. WaJo: > > "Chasing Criminals at Cyberspeed." .... > Says Stanley Morris, director of FinCEN, "The only way > we can adequately assist our federal law enforcement > counterparts in following the trail of the multinational > money launderer is through our linkages with > multilateral arrangements such as ... [Clipper 3]." Of course, this appears to be implying that _domestic_ data will be subject to Clipper 3 restrictions, else this statement is meaningless. So, will my stored-value cards that I "charge up" in California and carry in my wallet to Zurich be GAKked? If not, Morris's statement is meaningless. 
If so, domestic data is intended to be GAKked. (But we knew this, didn't we?)

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From janke at unixg.ubc.ca Thu May 23 16:29:20 1996
From: janke at unixg.ubc.ca (Leonard Janke)
Date: Fri, 24 May 1996 07:29:20 +0800
Subject: (Another) alternative to
In-Reply-To:
Message-ID:

On 23 May 1996, Jay Haines wrote:

> Reply to: RE>(Another) alternative to remailer shutdowns
>
> Where would these message parts be put back together/decrypted? Wouldn't this
> require the receiver's mail program to re-generate the original message?
>
> [my stuff]

Yes, it would require work on the part of the receiver to put the message back together. This shouldn't be too difficult, though. The receiver's software could look through all random messages of the same length and xor them together to see if something non-random popped out.

Alternatively, a "standard" format for these split messages could include a random message ID as the last 160 bits of one part of the message and the SHA hash of this ID in the last 160 bits of the other part. (The idea is to keep the messages looking random for legal reasons.)

Remailer operators may want to add a note to message to the effect of "For legal reasons, this remailer only sends random looking text. For information on the possible usefulness of random looking text visit ."
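The tagged two-part format described in the message above, as an added Python sketch that is not part of the original post or of any remailer's code. The function names `split_message` and `reassemble` are hypothetical, the split is assumed to be a one-time-pad XOR, and SHA-1 is assumed for "the SHA hash" because it yields the 160 bits the post names.

```python
import hashlib
import secrets
from typing import List, Tuple

TAG_LEN = 20  # 160 bits: the tag size named in the post


def _xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def split_message(plaintext: bytes) -> Tuple[bytes, bytes]:
    """Split plaintext into two equal-length parts that each look random.

    part A = random pad      || random 160-bit message ID
    part B = plaintext ^ pad || SHA-1(message ID)
    """
    pad = secrets.token_bytes(len(plaintext))
    msg_id = secrets.token_bytes(TAG_LEN)
    part_a = pad + msg_id
    part_b = _xor(plaintext, pad) + hashlib.sha1(msg_id).digest()
    return part_a, part_b


def reassemble(inbox: List[bytes]) -> List[bytes]:
    """Recover every plaintext whose two parts are both present in inbox.

    Unrelated random-looking messages, parts whose partner never arrived,
    and duplicate deliveries are skipped instead of being XORed blindly.
    """
    # Drop duplicate deliveries and anything too short to carry a tag.
    blobs = [b for b in dict.fromkeys(inbox) if len(b) >= TAG_LEN]

    # Index each blob by the hash its partner would have to carry
    # if this blob were the ID-bearing part A.
    expected = {}
    for blob in blobs:
        key = hashlib.sha1(blob[-TAG_LEN:]).digest()
        expected.setdefault(key, []).append(blob)

    recovered = []
    for part_b in blobs:
        for part_a in expected.get(part_b[-TAG_LEN:], []):
            if part_a != part_b and len(part_a) == len(part_b):
                recovered.append(_xor(part_a[:-TAG_LEN], part_b[:-TAG_LEN]))
    return recovered


if __name__ == "__main__":
    # Constructed sample input: one split message plus unrelated traffic.
    a, b = split_message(b"constructed sample message")
    noise = secrets.token_bytes(len(a))
    print(reassemble([noise, b, a]))
```

The tags replace the try-every-pair XOR search with one hash lookup per message. They also let anyone who holds both parts link and recombine them, so the split hides content only from a party that sees a single part.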
From cme at ACM.ORG Thu May 23 16:29:40 1996 From: cme at ACM.ORG (Carl Ellison) Date: Fri, 24 May 1996 07:29:40 +0800 Subject: draft NIST key escrow paper In-Reply-To: <199605212038.NAA08809@netcom3.netcom.com> Message-ID: At 16:38 -0400 5/21/96, Pat Farrell wrote: >http://www.isse.gmu.edu/~pfarrell/nist/kmi.html after sentence 1 of their introduction, people might want to re-read http://www.clark.net/pub/cme/html/civ-own-crypto.html "Government can no longer monopolize state of the art cryptography." It's about time they admitted that governments historically had no monopoly on state-of-the-art cryptography. > >Enjoy >Pat > >Pat Farrell grad student http://www.isse.gmu.edu/students/pfarrell >Infor. Systems and Software Engineering, George Mason University, Fairfax, VA >PGP key available via finger or request #include standard.disclaimer - Carl +------------------------------------------------------------------------+ |Carl M. Ellison cme at acm.org http://www.clark.net/pub/cme | |PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2| | "Officer, officer, arrest that man! He's whistling a dirty song." | +-------------------------------------------- Jean Ellison (aka Mother) -+ From paul at ljl.COM Thu May 23 16:50:41 1996 From: paul at ljl.COM (Paul Robichaux) Date: Fri, 24 May 1996 07:50:41 +0800 Subject: [AP] [NOISE] Re: PROPOSAL In-Reply-To: <199605211950.MAA11596@mail.pacifier.com> Message-ID: Uni (for whom I have great esteem and no little curiosity about why he lets Bell send him off into the weeds) said: >[Yadda Yadda Yadda] > >Motion: To create the alt.politics.assassination.politics newsgroup and >the "AP" mailing list so as to clear the meaningless traffic (for which I >am significantly responsible) out of this forum. > >Any seconds? Seconded enthusiastically. All in favor, see you in alt.config. -Paul -- Paul Robichaux LJL Enterprises, Inc. paul at ljl.com Be a cryptography user. Ask me how. 
From jimbell at pacifier.com Thu May 23 16:50:49 1996
From: jimbell at pacifier.com (jim bell)
Date: Fri, 24 May 1996 07:50:49 +0800
Subject: An alternative to remailer shutdowns
Message-ID: <199605231809.LAA00519@mail.pacifier.com>

At 09:02 PM 5/22/96 -0700, Martin Minow wrote:
>Black Unicorn comments on the responsibility
>of prudent persons (in, I presume, the context of threatening e-mail
>sent through an anonymous remailer).
>
>I'm still perplexed: what can a "prudent" remailer operator do if a
>threatening e-mail was sent through a remailer under one or more of
>the following conditions:
>
>-- The remailer operator is legally enjoined from reading messages
>   transversing his system. (For example, the remailer is subject to
>   data privacy laws.)
>
>-- The message was encrypted using the intended recipient's public key.
>   (This means that, without access to the private key, the operator
>   has no mechanism to examine the e-mail.)

That's just it, the government wants (or, will want) "the prudent operator" to SHUT DOWN his system entirely. We, on the other hand, should take the position that operating a remailer is a right, and further that such remailers get a broad immunity for materials sent through their system.

Providing for the opposite was one of the reasons the Leahy bill on encryption was so bad. It criminalized use of encryption to "thwart a law-enforcement investigation" and there was no way for an (encrypted) remailer operator to know that any given message flowing through his system might eventually trigger such an investigation. In fact, the prospect of the government actually setting up such an operator by having his remailer act as the last link in the chain of an otherwise-untraceable message, whose transmission could arguably be a violation of law.
Jim Bell
jimbell at pacifier.com

From sunder at dorsai.dorsai.org Thu May 23 16:51:09 1996
From: sunder at dorsai.dorsai.org (Ray Arachelian)
Date: Fri, 24 May 1996 07:51:09 +0800
Subject: An alternative to remailer shutdowns
In-Reply-To: <199605231304.GAA13631@toad.com>
Message-ID:

Probably the best system is one that is in the middle.... that is say a message comes into a remailer targeting a user whom the remailer hasn't seen before, the remailer needs to make a decision as to whether to discard the message or deliver it.

While the idea to either ROT13 the message or PGP it or somesuch sounds like a good one, it doesn't prevent spam-your-enemy's-mailbox attacks. Imagine 10,000,000 messages sent through remailers to your mailbox, each ROT13'ed with a notice at the top stating "Wana read this? Un ROT13 it!" Very bad.

However, what this is trying to do is quite honorable. Here's what I propose: Finger the target user and see if there's a universal token in his finger info (.plan file) that say looks like "::*ACCEPT ANONYMOUS EMAIL*::" or "::*REJECT ANONYMOUS EMAIL*::" or some such... If we can get all remailers to do this and respect finger info then there is no issue.

One flaw in this is that some systems (my isp, dorsai, included) shut off the finger daemon for security reasons. In this case, the remailer should store the anonymous message on its hard drive for up to a week and send a notice message to the target asking them if they want to receive the email or not, and how to deal with future anonymous requests. The remailer then has to keep a table of those recipients for whom finger fails. This is also an issue for shitty ISPs such as AOL or CI$ who will not allow finger info because they don't run a cool unix service. :^)

While this is going to eat up a bit of space on the remailer, space could be limited for the user, etc. If the space on the server runs out, what do you do?
The remailer should still inform the target, but again a policy question arises - does the remailer send the message anyway, does it delete the message but inform the target that "Sorry dude, you had an anonymous email, but I had no room to store it and so I deleted it. If you don't want it deleted the next time around, activate finger tags thusly, or send a reply to this message with "Accept Anonymous Email" or "Reject Anonymous Email" as the subject and I'll respect your wishes from now on"???

If a target's finger info does not fail but fails to produce a remailer accept/reject tag, there's a question of policy: does the remailer go ahead and send the message and add a heading to the message informing the user how to set accept/reject in their finger info, or does it act as if the user's finger server is disabled?

Another thought is that we could set up some universal remailer allow fingering service where the remailers can use some server somewhere or a list of servers somewhere to look up a user's email address and see if they are willing to receive anonymous email. Sort of like PGP key servers. Or we could have a DNS like service of email addresses between all remailers which should propagate their tables to each other of the exceptions and whether or not they wish to receive anonymous email...

This setup also allows a potential anonymous person to see whether or not their target accepts anonymous messages before they bother writing a long rant to them about what a nice person they are, and what to shove where. :)

This also solves the question or rather wishes of the mailing list or usenet group owners who may not wish to accept anonymous posts, such as alt.uptight.assholes.at.some.org but allows them to be posted on something like alt.whistleblowers, alt.sex-victims or whatever. :)

Is this enough food for thought?
========================================================================== + ^ + | Ray Arachelian |FH| KAOS KERAUNOS KYBERNETOS |==/|\== \|/ |sunder at dorsai.org|UE|__Nothing_is_true,_all_is_permitted!_|=/\|/\= <--+-->| --------------- |CC|What part of 'Congress shall make no |=\/|\/= /|\ | Just Say |KD|law abridging the freedom of speech' |==\|/== + v + | "No" to the NSA!|TA| do you not understand? |======= ===================http://www.dorsai.org/~sunder/========================= Obscenity laws are the crutches of inarticulate motherfuckers-Fuck the CDA From mark at unicorn.com Thu May 23 16:53:28 1996 From: mark at unicorn.com (Rev. Mark Grant, ULC) Date: Fri, 24 May 1996 07:53:28 +0800 Subject: An alternative to remailer shutdowns Message-ID: On Wed, 22 May 1996, Bill Stewart wrote: > A secondary concern is handling multi-casts - should the remailer > create one copy for each recipient (secure, easy, space-wasteful), > or should it try to get fancy and keep the message for N recipients or D days? Easy on Unix - just create N links to the same file, delete each link as the recipient requests it, and delete all remaining links after D days. Mark From andrew_loewenstern at il.us.swissbank.com Thu May 23 17:05:02 1996 From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern) Date: Fri, 24 May 1996 08:05:02 +0800 Subject: The Twilight of the Remailers? In-Reply-To: <199605222008.NAA02211@netcom16.netcom.com> Message-ID: <9605231751.AA00362@ch1d157nwk> Mike Duvos wrote: > Andrew Loewenstern wrote: > > While this is a nice thought, it is incorrect. You can't > > "covertly inject packets into the Net, in some untraceable > > manner." > > You can temporarily modify router tables, spoof IPs and idents, > and leave few traces behind once the data has been transferred, > particularly if the origin is some obscure foreign location. Sure, doing this will make your packets untraceable, but for how long? 
Changing router tables and spoofing IPs is going to attract unwanted attention fast. I don't think such active IP attacks are appropriate for a remailer running unattended. Perhaps you mean that individual users should do these kinds of things instead of using remailers? For untraceability, I would put my money on chained MixMasters over IP spoofing. Besides, with IPv6 you won't be able to do these things anymore, but remailers will still work.

> The idea here was to have a large number of nodes, each capable
> of injecting data into the Net in a manner which cannot be
> easily traced back to an individual. These nodes would talk
> to each other using a mechanism which obscured both eavesdropping
> and traffic analysis of their communications, a DC-Net being
> one possible way of doing this.

It's a good idea but it doesn't work in real life. You can't put a message in a public place (like UseNet) or send one to an unwitting e-mail recipient (such as a mailing list) in an untraceable manner, repeatedly over time. The last remailer is going to be traceable.

A DC-Net is great, but it isn't going to be useful to very many people if the only people you can send messages to are the other DC-Net participants. Yes, this has applications, but it is not a replacement for the remailers we have now and are starting to lose at an alarming rate.

> > Since it looks like the "everyone's a remailer" dream is
> > not becoming a reality, the key to successful remailers is
> > to make the *operators* untraceable as well. If you can't
> > trace the operator, you can't hold them liable. We have
> > discussed techniques for doing this before: cash paid
> > accounts, using dialups (possibly from a public phone).
> > The remailer must be a 'sacrificial cow' that can be snatched
> > up by 'authorities' at any time.

> You could get the same effect with an instant anonymous account
> that could be purchased with Ecash. You would buy it on the
> spot, send your mail, and forget about it.
For all practical > purposes, it would serve the same function as a remailer, and > steps could be taken to obscure the identity of whoever had > telnetted to it. But not every piece of mail sent through a remailer is 'hot' enough to get it shut down. The vast majority of traffic is harmless. Also, taking steps to obscure the identity of whoever had telnetted to it is hard, way too hard for the average user who wants to send remail securely. If the remailer op does it once to setup a remailer, then potentially a very large number of people can use the remailer until it gets busted. In the mean time the remailer op collects postage to compensate him for his effort. Also you later say that "I don't think most people are going to pay to remail." Well if people aren't going to pay to remail, why would they pay to open a disposable ecash account to send a piece of untraceable mail? How much will the cheapest account be? Probably less than what a remailer, which can handle hundreds of messages a day, running on the exact same account would charge. Then you say "Or, to put it another way, the types of traffic people will pay to remail are those no remailer operator will want to touch with a barge pole." Well duh. My message you are refuting (and suggesting that the alternative is IP spoofing) is entirely centered around the idea that the remailer operator remain untraceable is because the traffic could potentially be too 'hot' for the remail-op to manage. I guess you mean that the all the harmless traffic will disappear once you have to pay to play. Well, if the only remailers around are for-pay ones with untraceable operators because all the public ones got busted, people will pay. If people didn't want a high assurance of untraceability, people would just use Penet. I don't think remail postage is going to have to be expensive. It doesn't take long to pay for a $15 a month telnet-only account. 
If you charged only a dime each, it would only take 150 messages to pay for it. Over a month thats about 5 messages a day. Sounds reasonable to me. A 3 remailer chain would cost $0.30, less than snail mail... > Another possible approach is the "remailing packets" one. > You could set up a packet remailer which could be used as a > universal proxy server in some untouchable foreign location. > If we had a "packet remailer in a box", these things could > pop up all over the place, live a short time, and be nuked. > Since the communication would be real-time, concerns over > reliability and delivery would not exist in the same way they > do for the current system of remailers. Which untouchable foreign locations do you refer to? For all the talk of these glorious havens we don't have any remailers setup in them. The Netherlands isn't one of them. Neither is Germany or France for sure. You can't have these "pop up all over the place" if it has to pop up in an untouchable foreign location that doesn't exist. If you think people get the heebie jeebies about running a remailer that could possibly be used to carry threats or illegal pictures, just wait to you see their reaction when you tell them that people could use their packet remailer to hack other sites. While remailer traffic has a chance of getting constitutional protection (in this country obviously), there is no doubt that hacking machines is not protected. Buying an anonymous telnet-only account with cash, then using a CyberCafe or some other public Net terminal to setup the remailer sounds like a much more viable solution for a potential remail-op than flying to Micronesia. Or waiting patiently for people in these untouchable foreign locations to setup remailers. Also, I think it's time to stop expecting people to rush out and setup these things if they were easier to setup. People simply don't get enough benefit for the risk of running a remailer. 
A web server is harder to setup than Mixmaster but there are a lot more web sites. If remailer ops are going to be liable for content, then few people are going to want to do it, regardless of the difficulties involved of setting up the software.

Also, people want an/pseud-onymity. Look at how many accounts the penet service has. As people realize that such services offer little assurance of untraceability, they will turn more and more to cypherpunk remailers. If the only way a remailer can stay up is if it charges then the market will decide if it is worth it. I think the market is there.

andrew

From jf_avon at citenet.net Thu May 23 17:09:14 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Fri, 24 May 1996 08:09:14 +0800
Subject: (Fwd) Re: TCM: mafia as a paradigm for cyberspace
Message-ID: <9605231819.AA20115@cti02.citenet.net>

On 23 May 96 at 13:16, Bovine Remailer wrote:

> jf_avon at citenet.net wrote:
> >Take note: If you want me to read you, cc me since I unsubscriVed
> >:) from Cypherpunks...
> >
>
> there _IS_ a God...
> woof

Of course! But it just unsubscriVed from CP.

Talk about cowardice... not even posting in your own name a remark of that style... You should consider switching to the fuckin.chicken.com remailer.

Sigh... So many things to do, so little time...

JFA

While the Brave dies only once, the Coward dies a thousand times. (old arab proverb)

DePompadour, Societe d'Importation Ltee; Limoges porcelain, silverware and crystal
JFA Technologies, R&D consultants: physicists, technologists and engineers.
PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891
I reserve the right to post publicly any private e-mail sent to me.
Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have accepted the above mentioned terms.

From janke at unixg.ubc.ca Thu May 23 17:12:58 1996
From: janke at unixg.ubc.ca (Leonard Janke)
Date: Fri, 24 May 1996 08:12:58 +0800
Subject: The last node in split message remail schemes
In-Reply-To:
Message-ID:

I would like to add an extension to my proposal for split message anonymous remailing schemes. The current proposal counts on the good will of the senders to split their messages into random pieces. If a remailer operator receives non-random text I can think of at least three options for what to do:

1) The operator can drop the message.

2) The remailer operator can split the message him or herself and send the pieces through new remailer chains.

3) Suppose there is a computer named Moe that lives on the internet, is hidden behind a nym, and splits messages and enters the pieces into remailer chains. The remailer can then encrypt the non-random text along with a "please forward to" command to Moe, and send the ciphertext anonymously to Moe. (Due to the encryption there is no need to split this message.)
The risk, in ascending terms of legal danger, for the operator would be 1), 3), and 2). Nevertheless, all three alternatives should be safe within a secure (in the sense of Chaum, 1981) remailer network.

Leonard

From rpowell at algorithmics.com Thu May 23 17:24:19 1996
From: rpowell at algorithmics.com (Robin Powell)
Date: Fri, 24 May 1996 08:24:19 +0800
Subject: ecash representation
In-Reply-To: <199605231725.KAA18985@toad.com>
Message-ID: <96May23.154209edt.20491@janus.algorithmics.com>

>>>>> "Peter Trei" writes:

> "Did you know that there is a subunit of the Japanese yen?"

I lived there for three years, and I don't remember that...

-Robin

From tcmay at got.net Thu May 23 17:30:50 1996
From: tcmay at got.net (Timothy C. May)
Date: Fri, 24 May 1996 08:30:50 +0800
Subject: [SCARE]: "If you only knew what we know..."
Message-ID:

At 5:53 PM 5/23/96, jim bell wrote:

>Well, he must have learned it all in the last few months, because his bill
>was the closest thing to DOA that we've seen in a long time, exceeded only
>by GAK 3. I'd like to hear from him what the source of the text of the
>Leahy bill on encryption really was: Who pressured him to make it so bad?

"If you only knew what we know..."

("...you wouldn't support encryption, you wouldn't push for privacy legislation, you would order all citizen-units to have tattooed ID numbers on their arms...")

Though I normally avoid "Wired," I did pick up the latest issue to skim through. A couple of good things, actually, including a nice summary of the state of crypto laws, etc. (I don't recall the author, as I didn't buy the issue.)

A great discussion of the Deepest and Darkest Secret in Washington, the special "If you only knew what we know..." briefing given to legislators, staffers, etc. to convince them of the Evils of Cryptography.

Paraphrasing the "Wired" item, "No person who has ever received "The Briefing" has ever again argued forcefully for the rights of citizens to use strong cryptography."
I surmise that either Sen. Burns has not yet been given The Briefing, or he is for some reason more resistant than most other burrowcrats to the scare tactics used in The Briefing.

I sure would like to know what's in this briefing.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From declan at well.com Thu May 23 17:37:49 1996
From: declan at well.com (Declan McCullagh)
Date: Fri, 24 May 1996 08:37:49 +0800
Subject: National Journal article sez net-activism is just political hicks
Message-ID:

>Date: Thu, 23 May 1996 11:04:50 -0700
>From: jwarren at well.com (Jim Warren)
>Subject: National Journal article sez net-activism is just political hicks
>Sender: owner-fight-censorship at vorlon.mit.edu
>Precedence: bulk
>X-URL: http://fight-censorship.dementia.org/top/
>
>Tomorrow, Washington's politically-powerful National Journal reportedly
>will publish a know-nothing piece of "journalism" saying that net-aided
>politics is essentially nothing but a batch of ineffective, know-nothing
>nerds and back-water political hacks.
>
>Check it out on Friday or thereafter -- at www.politicsusa.com -- and
>forward your *informed* comments to the NJ's Editor and Letters Editor.
>
>--jim
>
>On the other hand, maybe we ought to just continue escalating our political
>effectiveness using the net, and let it come as a total shock to the
>Beltway insiders who trust this piece of misinformed blather ...
when we >provide more and more swing votes in contested elections -- as already >occured with DeFoley8 against ex-Speaker Tom Foley, VTW for now-Senator Ron >Wyden, me for now-available Calif legislative data, the gun BBS against >ex-Calif Senate Prez Pro Tem David Roberti, etc. :-) > From jimbell at pacifier.com Thu May 23 17:41:39 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 24 May 1996 08:41:39 +0800 Subject: (Fwd) Re: TCM: mafia as a paradigm for cyberspace Message-ID: <199605231913.MAA03950@mail.pacifier.com> At 12:37 PM 5/22/96 -0700, Vladimir Z. Nuri wrote: >>>the above sentence I find absolutely abhorrent: it justifies killing, >>>not merely because of the effect (the sort of "ends-justifies-the-means" >>>argument used by most here), but that in addition it is >>>supposedly "ethical". ethical?!?!? >> >>Then you've obviously dramatically mis-read my ideas. I don't claim that >>_EVERYBODY_ who will fall victim will "deserve" it by your or my opinions, > >oh, so in other words, a lot of "innocent" people will be murdered >under AP. ah, another great "feature", not a "bug", right?? Tell ya what: name a weapon that CANNOT be used to harm an innocent person. Go ahead, I'm waiting. >>For example, if you believe in NIOFP, then anyone who violates it has >>initiated force, and the victim of such force (or, perhaps, anyone else?) >>can legitimately use a system like AP to fight back. > >what is "legitimate"? in our government, "legitimate" refers to our >judicial system. "Legal" is the word you're looking for, not legitimate. > it is what determines what is "legitimate" based >on laws. in your AP anarchy scheme, the word "legitimate" has no meaning. >"legitimate" is in the eye of the beholder. this ridiculous and >impractical definition was discarded centuries ago because of the >free-for-all bloody violence it inevitably leads to. What?!? 
You mean that after 100 million war deaths in this century alone, you're suggesting that we DON'T have "free-for-all bloody violence"? Or are you simply used to the kind of violence that exists today? That's a common trap people fall into: They simply accept whatever current system we have, as if it is somehow required or okay or... >be very >clear about what you are advocating: in AP, there are no laws. Right! There are no "laws" per se. But there are people, and their interests, and what they believe to be their rights. > people >do not rely on the judicial system to solve their problems. RIGHT! But as importantly, they aren't the _victims_ of that "judicial system" either. Rodney King, for instance. Donald Scott. Randy Weaver. The Branch Davidians, etc. All these people were fundamentally victims of an organization political/legal heirarchy filled with people who had (defacto) greater rights/authority than ordinary citizens, and abused the public with it. > they >take the "law" into their own hands and take out contracts on anyone >who offends them. would they feel justified in killing people who >disagree with them on cyberspace mailing lists? perhaps, who is to tell? I've explained that I believe that the post-AP world will be far less violent than today, partly because there will be no people in positions of authority who can abuse the rest of us with impunity, or force us to go to war against our will. It will also allow GOOD people to punish BAD people without depending on the "system" to do it. It will also tend to prevent the enforcement of "victimless crime" laws that currently result in 60-70% of the prison and jail population. You need to show that yes, you see the advantages, but also show that you have a plausible belief that my system will be worse than the status quo. Citing a specific potential problem without quantifying it is pointless. >>You seem to be assuming that if there are TWO "wrongs" here. 
But I've tried >>to make it abundantly clear that justification for the self-defense comes >>from the initial "wrong." > >but who decides what is wrong? Each individual, for himself. True, he may occasionally make mistakes, but I contend that the vast majority of these decisions will be entirely justified. The truly bad people, the REAL criminals, will not last long. > the arbitrary opinion of some single >human idiot out anywhere in the world? don't you see the tyranny >of this? it is far worse than the tyranny of a government if I were >to be killed by someone who believes that I violated his rights >by breathing air particles or whatever. via AP, you wish to give him >the mechanism to murder me without trace. If the danger you describe was of higher probability than the alternative, the status quo, you might have a point. But it isn't. Further, the prospect of AP getting rid of (or reforming, because they'll have no choice) most of the real criminals (plus de-populating government and preventing its abusiveness) results in a dramatic reduction in the violations of rights that will occur. >> Where, then, is the SECOND "wrong"? What, >>exactly, makes it wrong? If a person can't get justice any other way (not >>to be confused with merely a chance at justice) then why deny that person >>his rights? > >deny rights, legitimacy, justice, blah, blah, blah. the terms you use have no >meaning in the system you are advocating. there are no "rights" in an anarchy, >because a government is the entity created to safeguard/protect them. Just because we currently think of "the government" as "the entity created to safeguard rights" doesn't mean that this is really so, and it doesn't mean that it actually achieves a net protection of our rights. What government actually does is to monopolize (as best it can) the use of force, and then force the public to pay for a protection service. And monopolies result in classicly bad service, as we all know. 
>all actions are legitimate in an anarchy, because there is no civilized >system that rejects any ones in particular. If the probability of an improper action is dramatically reduced, without being eliminated, that is an improvement, right? Tell me, as a citizen don't we deserve changing to a system that reduces violations of rights? >>>It should be obvious to anyone around here that if AP "works," it will work >>regardless of whether it meets with your approval or any other subset of >>humankind. That makes it worthy of discussion even if you don't like it. > >it will "work" exactly as anonymous murdering now works. AP already exists, >that's what you don't understand. No, it doesn't, certainly not quantitatively, and in practice not qualitatively, either. Take a 5-foot wave, and notice that it doesn't overflow a 50-foot seawall. Twenty of them, separately, likewise don't get past it. But combine them in one large wave, and the 100-foot wave does get by. The fundamental advantage of AP is that the desires of thousands of people can be combined in order to accomplish what no individual would be able to induce on his own. Jim Bell jimbell at pacifier.com From perry at piermont.com Thu May 23 17:47:01 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 24 May 1996 08:47:01 +0800 Subject: ecash representation In-Reply-To: <199605231726.NAA17935@linet02.li.net> Message-ID: <199605231858.OAA26827@jekyll.piermont.com> "Peter Trei" writes: > Back in the mid-80's, I worked for several years at Irving Trust, > a (now-gone) major money center bank. One of the financial > messaging systems I worked with stored currency amounts > as 96-bit vectors of a base unit (eg, a penny), and > could have a 'binary point' anywhere in the vector. There were > the usual math functions available to handle this data type. Sounds like the usual fixed point hack used for manipulating and storing money. Most systems I've seen use things like this. 
Floats have all sorts of defects, like not conveniently indicating to you the point at which they start dropping precision. A float doesn't care that it just started dropping vast amounts of the precision in some calculation where you are unfortunate enough to have done the order of operations wrong. At that point, a hack will have kept its precision or will indicate overflow, but floats blythely keep on going. This leads to very unpleasant problems down the road. Perry From trei at process.com Thu May 23 17:50:03 1996 From: trei at process.com (Peter Trei) Date: Fri, 24 May 1996 08:50:03 +0800 Subject: [NOISE] Re: ecash representation Message-ID: <199605232012.NAA22771@toad.com> > >>>>> "Peter Trei" writes: > > "Did you know that there is a subunit of the Japanese yen?" > > I lived there for three years, and I don't remember that... > > -Robin It hasn't been used much since the value of the Yen dropped after WW2, but 100 sen = 1 yen. I don't think there is any actual sen currancy in circulation. A numistmatist (sp?) might be able to tell you more. Peter From vznuri at netcom.com Thu May 23 18:10:00 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Fri, 24 May 1996 09:10:00 +0800 Subject: assassinating an AP proponent In-Reply-To: <01I50J36B3OG8Y4X9G@mbcl.rutgers.edu> Message-ID: <199605231919.MAA27630@netcom15.netcom.com> > > Nobody, so far as I know, is arguing that one ought to shoot anyone >in the government... I'd be in danger if that were the case, given that my >current employer is a state university. uhm, I hate to bring this up, but the topic of discussion is ASSASSINATION POLITICS. those that are in favor of it are in favor of KILLING POLITICIANS THEY DON'T LIKE. there is absolutely no way you can flimflam your way around this basic tenet of the philosophy, no matter how much you or other proponents snivel about "our rights, violations, justice, due process" etc. 
now it is quite possible you might be advocating killing politicians other than with guns, perhaps death by covering them with honey and putting them in anthills. but get a clue about what you are advocating!! killing politicians you don't like!! (above statement is equivalent to: well, I SUPPORT AP, but only insofar as I don't put my own job at risk. if anyone who employs me THINKS I support AP, please realize you are mistaken) > If someone is in government and is >doing something very wrong (although one may disagree on what is wrong, of >course), then they're a proper target. "proper target". another lovely euphemism for "target practice for submachine guns". > If the only workable method of self-defense is to kill the person, then >that's a justifiable means of self-defense. of course, that is what AP proponents are asserting. THERE IS NO OTHER WAY they shout. it's our last result. we have no other choice. Hopefully, other means of removal >of those in government who do what is wrong is possible; I do my best to work >for this. But if it isn't, I'll support AP as an alternative. hee, hee. what is your criteria? "if the government doesn't repeal taxes tomorrow, we're fully justified on going on a shooting spree at our local government offices". no? oh, perhaps you require a little more provocation? perhaps a government cleark has to look at you snidely when you go to review your driver's license? pray tell, what is the line? please illuminate my ignorance. you see, I have a hard time telling when someone ought to be put to death. the AP proponents such as yourself seem so sure of yourself that I'm quite envious. at times TCM and other cpunks display as much confidence and I must admit I'm quite embarrassed not to have such security in my own judgements. can one of the experts here teach me how to pick out the people in a crowd that deserve execution? surely there must be some simple trick to it all that others here are not fully sharing. 
[hitler] >>I used him as an example of the kind of thinking that "murdering your >>enemies solves all your problems". yes, that was his point of view, and >>you inform me that you share it? well, congratualations!! hitler >>doesn't have too many friends and can use all the sympathy he can get. > > All your problems? No. But leaving it out as a possible partial >solution is irrational. ah, so you do have admitted sympathies for the "kill thine enemies" approach. yes, perhaps I was too hasty. killing your opponents has many very obvious and delectable advantages. I'll have to consider it any future situations I encounter and decide if it would be a useful approach. >>AP proponents believe that: > >>1. the world is full of people that are part of the problem or part >>of the solution > >>2. I can tell precisely the difference > > No, I don't think that I can tell precisely the difference. But it >appears possible that I'd make less mistakes than the current government does, >even considering only the cases in which they do kill people (e.g., shootouts >with drug dealers et al). so in other words, if you were in charge of the government, it would be far better off? >>3. I'd like to kill those that are part of the problem. > > If that's the only way that works, yes. ah, but you seem to have exhausted all other solutions. could you inform me when you are going to actually put into play your ideas on assassination politics? I want to attempt to gauge the results informally. if government suddenly becomes less oppressive while various bureacrats begin dropping like flies, I'll know who to thank!! >>4. if AP existed, and it appeared there was a way to kill other people >>without trace, I would go through with it. > > Again, if that's the only way that works, yes. but that is your own and other AP's exact beliefs. "nothing else works. we're just going to have to start putting politicians to death for their crimes against humanity". 
of course you/they don't use this terminology, but that's the obvious insinuation to anyone with half a brain. unless you really DO believe the idiotic propaganda terms you guys use like SELF DEFENSE JUSTICE RIGHTS FAIR TARGET blah blah blah >>5. I have a lot of teachers I hated in my childhood too. I think I >>will go for them next. possibly not before seeing if they beg for mercy. > > I invite you to look at the psychological defense mechanism known as >projection, preferably along with a trained psychiatrist or clinical >psychologist in inpatient therapy. I invite you to consider the meaning of the exhortation, "thou shalt not kill", and the consequences of defying it. From jya at pipeline.com Thu May 23 18:12:35 1996 From: jya at pipeline.com (John Young) Date: Fri, 24 May 1996 09:12:35 +0800 Subject: [SCARE]: "If you only knew what we know..." Message-ID: <199605232006.UAA29852@pipe2.t1.usa.pipeline.com> Peter Cassidy, an esteemed subscriber here, is the Wired author Tim notes, who reports on the Bernstein case in the June issue. A well-written piece with several thought-provokings in addition to those cited by Tim. Peter writes of Judge Marilyn Hall Patel on the Bernstein case: "Before the case is resolved, Patel's skepticism of the state's perogatives will be tested to the limit when the government is called upon to defend its policy. Patel is then likely to be given the *in camera* presentation of The Deepest Darkest Secrets of Cryptography -- probably a modified version of the classifed briefing the NSA has used with great success to influence members of Congress. Legend has it that no one who ever got 'the briefing' ever again opposed the agency." Peter, anyone, are these welcome-to-the-inner-circle briefings always by NDA, or worse threat? Wonder if a public-spirited cryptographer is working on a book for a movie about this heart of the deepest darkness? 
From sandfort at crl.com Thu May 23 18:16:38 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Fri, 24 May 1996 09:16:38 +0800 Subject: (Fwd) Re: TCM: mafia as a paradigm for cyberspace Message-ID: <2.2.32.19960523200615.0072a288@popmail.crl.com> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ At 12:11 PM 5/23/96 -0800, jim bell wrote: >Tell ya what: name a weapon that CANNOT be used to harm an >innocent person. Go ahead, I'm waiting. The Truth? S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From maldrich at grci.com Thu May 23 18:21:49 1996 From: maldrich at grci.com (Mark O. Aldrich) Date: Fri, 24 May 1996 09:21:49 +0800 Subject: your mail In-Reply-To: <199605231521.IAA18698@netcom13.netcom.com> Message-ID: On Thu, 23 May 1996, it was written: > Copyright 1996 The New York Times Company > ^^^^^^^^^^^^^^ > Report Warns of Security Threats Posed by Computer Hackers > ^^^^^^ ^^^^^^^^ ^^^^^^^ > [W] ASHINGTON -- Government investigators warned > Wednesday that computer hackers cruising the > ^^^^^^^^ > Internet posed a serious and growing threat to national > ^^^^^^^^ > security, with the Pentagon suffering as many as 250,000 > ^^^^^^^ > "attacks" on its computers last year. > ^ ^ So, what's your point other than: a) You figured out how to use the "shift-6" on your keyboard, and b) You can remove the "from" header in your e-mail Are we supposed to be impressed? ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. 
Public key at: finger maldrich at grci.com |
| The opinions expressed herein are strictly those of the author        |
| and my employer gets no credit for them whatsoever.                   |
-------------------------------------------------------------------------

From gcg at pb.net Thu May 23 18:29:50 1996
From: gcg at pb.net (gcg at pb.net)
Date: Fri, 24 May 1996 09:29:50 +0800
Subject: VIRUS ALERT: Java virus that affects Netscape 2.0 & 2.01.
Message-ID: <2.2.32.19960523202049.006a6eac@mail.pb.net>

>
>WHO IS AFFECTED BY THIS ALERT?
>------------------------------
>
>Users of Netscape Navigator 2.0 or 2.01. To determine what version of
>Netscape you are running, do the following:
>
> 1. Open Netscape Navigator.
> 2. Pull down the Help menu.
> 3. Click on About Netscape.
> 4. Check to see if you have version 2.0 or 2.01. If so, read on.
> If not, then you can not be affected by this alert.
>
>WHAT IS THE PROBLEM?
>--------------------
>
>There have been reports lately of a hostile Java applet (a Black Widow
>Java applet called JAVA) that is downloaded and executed automatically
>when certain sites are visited with Netscape versions 2.0 or 2.01. Java
>applets are small applications that are automatically started when you
>access certain web pages. This particular Java applet is a malicious
>program that can destroy data, interfere with your network, and possibly
>even upload sensitive material to a third party.
>
>WHAT SHOULD YOU DO?
>-------------------
>
>Upgrade to Netscape Navigator 2.02.
>
>
>WHAT SHOULD YOU DO IF YOU CAN'T DOWNLOAD VERSION 2.02 RIGHT NOW?
>----------------------------------------------------------------
>
>You can temporarily protect your PC or Macintosh by disabling the Java
>functionality. However, this should only be a short-term fix as many
>legitimate web sites make use of Java applets. To disable the use of
>Java applets, do the following:
>
> 1. Open Netscape Navigator.
> 2. Pull down the Options menu.
> 3. Click on Security Preferences.
> 4. Under General, place a "X" in the Disable Java and the
> Disable Java Script boxes in the Java window. Click on OK.
>
>After upgrading to the latest version of Netscape Navigator (version
>2.02), re-enable the Java applets by doing the following:
>
> 1. Open Netscape Navigator.
> 2. Pull down the Options menu.
> 3. Click on Security Preferences.
> 4. Under General, remove the "X" in the Disable Java and the
> Disable Java Script boxes in the Java window. Click on OK.
>
>

From minow at apple.com Thu May 23 18:39:24 1996
From: minow at apple.com (Martin Minow)
Date: Fri, 24 May 1996 09:39:24 +0800
Subject: Floating Point and Financial Software
Message-ID:

A 64-bit floating point number (i.e., C double) should be suitable for
financial software under the following conditions:

-- Money must be represented in integral units (cents, not dollars and
cents).

-- The maximum value to be computed must be less than about 10^17. This
includes intermediate values.

-- Addition, subtraction, and multiplication by an integer are the
only operators.

Under the above conditions, there should be no loss of precision.

However, when division is required (as in currency conversion
or interest rate computation), one must be careful to control
round-off error. For example, a mortgage payment schedule might
be computed using true (non-exact) floating-point arithmetic, with
the last or first payment adjusted to cover any residual error.
(You might want to re-read Donn Parker's book on computer crime,
paying special attention to the "salami" method of embezzlement
by accumulating round-off errors in a private account.)

Note that not all financial computation needs to be done with "to
the penny" accuracy: even our own dearly beloved IRS allows
(indeed, encourages) us to compute our tax declaration using
a whole-dollar round-off method.

Martin Minow
minow at apple.com

From vznuri at netcom.com Thu May 23 18:47:16 1996
From: vznuri at netcom.com (Vladimir Z.
Nuri) Date: Fri, 24 May 1996 09:47:16 +0800 Subject: (Fwd) Re: TCM: mafia as a paradigm for cyberspace In-Reply-To: <199605231913.MAA03950@mail.pacifier.com> Message-ID: <199605231952.MAA00769@netcom15.netcom.com> >What?!? You mean that after 100 million war deaths in this century alone, >you're suggesting that we DON'T have "free-for-all bloody violence"? Or are >you simply used to the kind of violence that exists today? That's a common >trap people fall into: They simply accept whatever current system we have, >as if it is somehow required or okay or... ah yes, more "two wrongs make a right". "dammit, the government gets to kill people all the TIME, why can't we share the same JOY in doing so? the world would be a far better place. Assassination Politics-- it's only *fair*!!" > >Right! There are no "laws" per se. But there are people, and their >interests, and what they believe to be their rights. as I was saying, I believe one of my rights is that anyone who disagrees with me about the horror and depravity of AP should be snuffed out immediately. >RIGHT! But as importantly, they aren't the _victims_ of that "judicial >system" either. Rodney King, for instance. Donald Scott. Randy Weaver. >The Branch Davidians, etc. All these people were fundamentally victims of >an organization political/legal heirarchy filled with people who had >(defacto) greater rights/authority than ordinary citizens, and abused the >public with it. > ah, so two wrongs make a right. if a court anywhere at any time in the US, in centuries of perhaps hundreds of thousands of decisions, makes a decision YOU PERSONALLY DISAGREE WITH, then you are fully justified in going out and shooting some people (or government bureacrats, that is, who cannot really be considered human) >I've explained that I believe that the post-AP world will be far less >violent than today, hee, hee. 
that's like Hitler explaining why the enemies of the state must be expurgated for any meaningful advancement in the glorious 1000 year reich. read "mein kampf". surely you can borrow a lot of his ideas. obviously you already have many of them. partly because there will be no people in positions of >authority who can abuse the rest of us with impunity, or force us to go to >war against our will. ah yes. kill everyone who moves. then you will finally have peace. what about simply resisting a government that supposedly "forces" you to do something? well, I have to admit that just shooting government bureacrats is probably much more fun. I guess that is the definition of resistance for you. it's so @#$%^^&* tedious and time consuming to do anything else. It will also allow GOOD people to punish BAD people >without depending on the "system" to do it. hee, hee. that's funny, because you have alway struck me as a BAD person. and I KNOW that I am a GOOD person. It will also tend to prevent >the enforcement of "victimless crime" laws that currently result in 60-70% >of the prison and jail population. uh huh. it probably leaves your dishes virtually spotless too. gosh, can you tell me where I can buy this wonderful stuff? > You need to show that yes, you see the advantages, but also show that you >have a plausible belief that my system will be worse than the status quo. >Citing a specific potential problem without quantifying it is pointless. yes, clearly I have utterly failed to demonstrate why shooting random government bureacrats would not improve our reality but in fact make it worse. I'll have to work on my case some more. I fully concede to your superior debate skills that have left me choking on dust. >>but who decides what is wrong? > >Each individual, for himself. True, he may occasionally make mistakes, but >I contend that the vast majority of these decisions will be entirely >justified. The truly bad people, the REAL criminals, will not last long. 
you've got something there. it's an easy way of looking at it all. if a lot of people are dying like flies around me because of AP, I only need conclude they were the real criminals. what a relief!! it would be quite horrible if innocent people died. that's the part I like most about your plan. only criminals are killed. the innocent would be left alone. now that you explain it in those terms I find it far more appealing and perhaps even workable. >If the danger you describe was of higher probability than the alternative, >the status quo, you might have a point. But it isn't. Further, the >prospect of AP getting rid of (or reforming, because they'll have no choice) >most of the real criminals (plus de-populating government and preventing its >abusiveness) results in a dramatic reduction in the violations of rights >that will occur. actually, your ideas sound so outstanding and progressive that I wish you would run for office. in fact if you don't I'm going to put your name on the next write-in ballot. we'll get you in a place where your ideas can have some application if it kills somebody. hehehehhee >Just because we currently think of "the government" as "the entity created >to safeguard rights" doesn't mean that this is really so, and it doesn't >mean that it actually achieves a net protection of our rights. What >government actually does is to monopolize (as best it can) the use of force, >and then force the public to pay for a protection service. And monopolies >result in classicly bad service, as we all know. right. so the solution to this thing is to just kill everybody that is participating in its perpetuation. of course you shouldn't use words like "kill" outright. use words like "self defense" ad nauseam. such is the true art of the propagandist. congratulations on your mastery!! >If the probability of an improper action is dramatically reduced, without >being eliminated, that is an improvement, right? 
Tell me, as a citizen >don't we deserve changing to a system that reduces violations of rights? yeah. and I like the idea of shooting people as the only means to do so. I guess that once I learn to read between your lines, and find what you are really advocating, I feel much better. >>it will "work" exactly as anonymous murdering now works. AP already exists, >>that's what you don't understand. > >No, it doesn't, certainly not quantitatively, and in practice not >qualitatively, either. yeah, assassinations of political leaders are kinda rare. like kennedy. and then there's the bungling like with Reagan. really, we need a better system. we need to increase the percentage. it doesn't work right now because the efficacy is way lacking. I'm glad someone with brains such as yourself is working on this problem. again, perhaps you should talk to TCM who also believes that a more mafia-like reality would be the salvation of humanity. >Take a 5-foot wave, and notice that it doesn't overflow a 50-foot seawall. >Twenty of them, separately, likewise don't get past it. But combine them in >one large wave, and the 100-foot wave does get by. The fundamental >advantage of AP is that the desires of thousands of people can be combined >in order to accomplish what no individual would be able to induce on his own. beautiful. I always love your analogies in which you talk about waves instead of killing and murdering politicians. its so much more poetic. your opponents are the ones that use all the crass words. well, screw 'em. From sameer at c2.org Thu May 23 19:05:43 1996 From: sameer at c2.org (sameer at c2.org) Date: Fri, 24 May 1996 10:05:43 +0800 Subject: [SCARE]: "If you only knew what we know..." In-Reply-To: Message-ID: <199605231937.MAA25268@clotho.c2.org> > > Paraphrasing the "Wired" item, "No person who has ever received "The > Briefing" has ever again argued forcefully for the rights of citizens to > use strong cryptography." 
It's my understanding that this statement is now false. I
believe that Matt Blaze recently received "The Briefing" and he is
still on our side.
(I personally think it was a mistake on their part to give him
said Briefing, as they should have realized he couldn't be
converted. Now that someone has "withstood the Briefing" it gives them
less credibility.)

--
Sameer Parekh                                   Voice:   510-601-9777x3
Community ConneXion, Inc.                       FAX:     510-601-9734
The Internet Privacy Provider                   Dialin:  510-658-6376
http://www.c2.net/ (or login as "guest")                sameer at c2.net

From ravage at ssz.com Thu May 23 19:52:28 1996
From: ravage at ssz.com (Jim Choate)
Date: Fri, 24 May 1996 10:52:28 +0800
Subject: Innocence & harmless weapons
Message-ID: <199605232202.RAA22518@einstein.ssz.com>

Hi Sandy et al.,

Whose side of the truth? To be honest I was surprised by your simplistic
response.

Jim Choate

Forwarded message:

> From cypherpunks-errors at toad.com Thu May 23 16:01:31 1996
> Message-Id: <2.2.32.19960523200615.0072a288 at popmail.crl.com>
> X-Sender: sandfort at popmail.crl.com
> X-Mailer: Windows Eudora Pro Version 2.2 (32)
> Mime-Version: 1.0
> Content-Type: text/plain; charset="us-ascii"
> Date: Thu, 23 May 1996 13:06:15 -0700
> To: jim bell
> From: Sandy Sandfort
> Subject: Re: (Fwd) Re: TCM: mafia as a paradigm for cyberspace
> Cc: cypherpunks at toad.com
> Sender: owner-cypherpunks at toad.com
> Precedence: bulk
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> SANDY SANDFORT
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> At 12:11 PM 5/23/96 -0800, jim bell wrote:
>
> >Tell ya what: name a weapon that CANNOT be used to harm an
> >innocent person. Go ahead, I'm waiting.
>
> The Truth?
>
>
> S a n d y
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>

From jya at pipeline.com Thu May 23 19:57:23 1996
From: jya at pipeline.com (John Young)
Date: Fri, 24 May 1996 10:57:23 +0800
Subject: CLI_pr3
Message-ID: <199605232145.VAA08342@pipe2.t1.usa.pipeline.com>

On May 23, 1996 10:41:13, 'tcmay at got.net (Timothy C. May)' wrote:

>Of course, this appears to be implying that _domestic_ data will be subject
>to Clipper 3 restrictions, else this statement is meaningless.
>
>So, will my stored-value cards that I "charge up" in California and carry
>in my wallet to Zurich be GAKked? If not, Morris's statement is
>meaningless. If so, domestic data is intended to be GAKked.
>
>(But we knew this, didn't we?)

Several news reports in the last few days seem to be aiming at raising
the alarm about crypto, perhaps in response to the various crypto bills,
administration reformulations, and studies such as that headed by Herb
Lin.

The recycling of the news of DoD break-ins supposedly due to heavy
military reliance on the Internet; the drumbeat of conferences, press
releases and planted stories on international money laundering, the
hazards of E-money to the stability of the banking system, spreading
"Russian" criminality, and the role of high-technology in each; global
Chinese arms dealers and copyright pirates; thousands of Japanese spies
needed to combat "Asian" threats.

These scares might well be orchestrated in support of Clipper 3 -- to
the mutual benefit of international governments and commerce as stated
by the IWGCP report.

The Clipper 3 report, as John Gilmore and others have noted, aims at an
international clampdown on non-GAKed crypto. For this to work, all the
major crypto players must agree to act at the same time so that no one
gets an advantage by offering non-GAKed products.

But is it not probable that there will be a holdout nation(s), like the
Swiss in war and bank secrecy, to offer crypto that is non-GAKed? Or
will a holdout be starved?

Or is it more likely that the genuine alternative to multilateral
governmental regulation is going to be small-scale, non-corporate,
private parties, insusceptible to large-scale governmental-market
coercion, willing to offer risky, covert services, perhaps as lucrative
as prohibited armaments?

In such a case, for example, would not a highly skilled cryptographer,
let us call her Mathilda Blaze, be able to sell covert crypto (on the
side, encrypted transactions, anonymity assured) for far greater reward
than a not-very-secure pittance and pension at a downsizing ATT, or NSA,
or Russia, China, Israel, France, UK, NL, JP ... ?

To be sure, if we knew what they knew, we would understand why the House
has just increased the intelligence budget to $30bn, $2bn more than 1996
(WaPo 5-23-96).

Maybe all the major crypto nations (gov-and-com), are minting E-money to
pay their best techies to protect their secrets. If so, may the best
algorithmist take 'em all to the cleaners -- just remember to share with
the hackers spooking the spooks-and-crooks of gov-com intel-insec, and
causing "Yo, man's" of recognition and admiration of those peering for
pennies at ELINT and NetSec screens.

From frantz at netcom.com Thu May 23 20:06:06 1996
From: frantz at netcom.com (Bill Frantz)
Date: Fri, 24 May 1996 11:06:06 +0800
Subject: [SCARE]: "If you only knew what we know..."
Message-ID: <199605232224.PAA20822@netcom7.netcom.com>

At 12:37 PM 5/23/96 -0700, sameer at c2.org wrote:
>
> Paraphrasing the "Wired" item, "No person who has ever received "The
> Briefing" has ever again argued forcefully for the rights of citizens to
> use strong cryptography."

I assume that since Senator Leahy is a co-sponsor of the Burns bill, "The
Briefing's" effects are not long lasting.

------------------------------------------------------------------------
Bill Frantz       | The CDA means  | Periwinkle -- Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From mpd at netcom.com Thu May 23 20:16:19 1996
From: mpd at netcom.com (Mike Duvos)
Date: Fri, 24 May 1996 11:16:19 +0800
Subject: [SCARE]: "If you only knew what we know..."
In-Reply-To: <199605231937.MAA25268@clotho.c2.org>
Message-ID: <199605232231.PAA13882@netcom20.netcom.com>

Sameer Parekh writes:

> It's my understanding that this statement is now false. I
> believe that Matt Blaze recently received "The Briefing" and he is
> still on our side.

Don't suppose Matt could do a little executive summary of "The
Briefing" and post it to the list, could he?

--
     Mike Duvos         $    PGP 2.6 Public Key available     $
     mpd at netcom.com  $    via Finger.                      $

From furballs at netcom.com Thu May 23 21:18:28 1996
From: furballs at netcom.com (Paul S. Penrod)
Date: Fri, 24 May 1996 12:18:28 +0800
Subject: Floating Point and Financial Software
In-Reply-To:
Message-ID:

On Thu, 23 May 1996, Martin Minow wrote:

> A 64-bit floating point number (i.e., C double) should be suitable for
> financial software under the following conditions:
>
> -- Money must be represented in integral units (cents, not dollars and
> cents).
>
> -- The maximum value to be computed must be less than about 10^17. This
> includes intermediate values.
>
> -- Addition, subtraction, and multiplication by an integer are the
> only operators.
>
> Under the above conditions, there should be no loss of precision.
>
> However, when division is required (as in currency conversion
> or interest rate computation), one must be careful to control
> round-off error. For example, a mortgage payment schedule might
> be computed using true (non-exact) floating-point arithmetic, with
> the last or first payment adjusted to cover any residual error.
> (You might want to re-read Donn Parker's book on computer crime,
> paying special attention to the "salami" method of embezzlement
> by accumulating round-off errors in a private account.)

Yes, I suppose we could revive the urban legend about the programmer at
SW Bank in Houston who did this sleight of hand for 18 mos and then
split the country. But there is a simpler method to avoid the problem
entirely.

There is sufficient horsepower in uP's these days to support "long hand"
division and multiplication. Granted it takes some extra grey matter to
write the routines, but once done, you can vary the amount of precision
to whatever you desire and not have to worry about accuracy. The only
penalty you pay for is time. If you need the accuracy, you'll gladly
give the time, or put more horsepower in the box.

>
> Note that not all financial computation needs to be done with "to
> the penny" accuracy: even our own dearly beloved IRS allows
> (indeed, encourages) us to compute our tax declaration using
> a whole-dollar round-off method.
>
> Martin Minow
> minow at apple.com
>
>
>
>
>

From jimbell at pacifier.com Thu May 23 21:29:36 1996
From: jimbell at pacifier.com (jim bell)
Date: Fri, 24 May 1996 12:29:36 +0800
Subject: [SCARE]: "If you only knew what we know..."
Message-ID: <199605232353.QAA19079@mail.pacifier.com>

At 12:07 PM 5/23/96 -0700, Timothy C. May wrote:
>
>"If you only knew what we know..."
>
>("...you wouldn't support encryption, you wouldn't push for privacy
>legislation, you would order all citizen-units to have tattooed ID numbers
>on their arms...")
>
>Though I normally avoid "Wired," I did pick up the latest issue to skim
>through. A couple of good things, actually, including a nice summary of the
>state of crypto laws, etc. (I don't recall the author, as I didn't buy the
>issue.)
>
>A great discussion of the Deepest and Darkest Secret in Washington, the
>special "If you only knew what we know..." briefing given to legislators,
>staffers, etc. to convince them of the Evils of Cryptography.

There is a clue here. If that briefing is so effective, why don't they
give it to the entire country?
We "all" know (at least around CP) of a number of sorta-bad things that
might occur as a consequence of allowing good cryptography. (none of
which, on balance, even come close to justifying banning or restricting
good crypto, or justify GAK, etc.) However, very few of them require
more than a little imagination to invent on our own, and given
communication most of them will be thought of and disseminated without
being revealed by the government. So it's a bit difficult to imagine why
they'd avoid discussing those issues in public.

The clue, I think, is that this briefing is given to "legislators,
staffers, etc". Presumably, whatever arguments they use in this briefing
are quite selective and tailored to appeal to government types. They're
telling these people of an argument against good encryption that works
for government-types but NOT ordinary civilians. It isn't that they
don't want the average civilian to know of these arguments, they simply
don't want the populace to know what subset of these consequences the
government is really concerned about.

Okay, what kind of thing would terrify government-types but not most
civilians?

>Paraphrasing the "Wired" item, "No person who has ever received "The
>Briefing" has ever again argued forcefully for the rights of citizens to
>use strong cryptography."
>I surmise that either Sen. Burns has not yet been given The Briefing, or he
>is for some reason more resistant than most other burrowcrats to the scare
>tactics used in The Briefing.
>I sure would like to know what's in this briefing.
>--Tim May

It probably starts like this: "See, there's this guy named Jim
Bell...." B^)

Seriously, though, I can't see how it could be anything other than the
typical Crypto-Anarchy-type scenarios, but presented as if they are a
Bad Thing as opposed to being a Good Thing.
This would fit all the criteria: They appear to be extremely bad from
the standpoint of the government-types, are not particularly convincing
to the citizens, and the government wouldn't want the public to know
what they're most concerned with. It might start 'em thinking.

Jim Bell
jimbell at pacifier.com

From frantz at netcom.com Thu May 23 21:46:49 1996
From: frantz at netcom.com (Bill Frantz)
Date: Fri, 24 May 1996 12:46:49 +0800
Subject: GAK3
Message-ID: <199605232224.PAA20814@netcom7.netcom.com>

"That's a very powerful thing. Suppose the king of England, or the
French government, for example, says that you must use our way of
assigning identity, and if you do not use our way to assign identity you
don't get to play. By doing this they get complete control over the
system. Good points and bad points, but if they can make it stick, it's
a very powerful position to be in. Indeed it's the position of the king
or the sovereign. The identity by fiat."

...

[Discussion of Microsoft/Visa proprietary, patented and non-disclosed CA
system elided]

"So if you allow this sort of a vertically-integrated system to come
into place, whoever controls that vertically-integrated system will have
control not only over the liquidity--that is, issuing you money--they
will end up with a monopoly over the control of the content. Having a
monopoly over the content, of course, gives them the power to tax, and
the power to get revenues as a percentage of those sales transactions.

"So we conclude by asking these questions: If identity no longer comes
from your bank, but from your PC operating system, what role does your
bank have in granting you liquidity? And if your identity comes from
your PC operating system, why can't the PC operating system grant you
liquidity? And, indeed, granting you liquidity is known as extending
credit. And extending credit is, and has been, historically the function
of banks and banks alone.

"The point of this discourse into identity and liquidity is to get you
to think a little bit about the power of the way that these different
systems go together using the bionomic model. If we indeed live with
historical, pyramidal kinds of structures, we step right into an
economic world where there is, by default, the accident of handing
someone else the ability to provide us taxation. If we, on the other
hand, maintain autonomies--small self-organizing groups with a language
that allows us to communicate from group to group--along with that
economic freedom comes a social freedom."

- Bill Melton, CEO-CyberCash Inc.

Quoted in: http://www.upside.com/news/archive/speech/melton/melton.html

------------------------------------------------------------------------
Bill Frantz       | The CDA means  | Periwinkle -- Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From mab at crypto.com Thu May 23 22:05:19 1996
From: mab at crypto.com (Matt Blaze)
Date: Fri, 24 May 1996 13:05:19 +0800
Subject: [SCARE]: "If you only knew what we know..."
In-Reply-To: <199605231937.MAA25268@clotho.c2.org>
Message-ID: <199605240112.VAA20633@crypto.com>

I don't think I actually got "the briefing", if any such standard
briefing actually exists. What Sameer is probably thinking of is
that the seven authors of the "key length report" were invited down
to DC to talk with a bunch of high-level policy types, but they never
showed us the bodies (or the files on us, or whatever it is they show
the people who they really want to impress).

-matt

[NB, please send any reply directly to me; I don't read the list
with any regularity these days, and saw this message only because
someone mentioned it. thanks. -matt]

> >
> > Paraphrasing the "Wired" item, "No person who has ever received "The
> > Briefing" has ever again argued forcefully for the rights of citizens to
> > use strong cryptography."
>
> It's my understanding that this statement is now false. I
> believe that Matt Blaze recently received "The Briefing" and he is
> still on our side.
> (I personally think it was a mistake on their part to give him
> said Briefing, as they should have realized he couldn't be
> converted. Now that someone has "withstood the Briefing" it gives them
> less credibility.)
>
>
> --
> Sameer Parekh                                   Voice:   510-601-9777x3
> Community ConneXion, Inc.                       FAX:     510-601-9734
> The Internet Privacy Provider                   Dialin:  510-658-6376
> http://www.c2.net/ (or login as "guest")                sameer at c2.net

From perry at piermont.com Thu May 23 22:26:44 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Fri, 24 May 1996 13:26:44 +0800
Subject: Matt says he didn't get "The Briefing"
Message-ID: <199605240105.VAA27290@jekyll.piermont.com>

The claim was that Matt Blaze got "the briefing". I asked him about
this, and this is what he said to me (forwarded with permission).

  I don't think I actually got "the briefing". They invited the seven
  authors of the key length report down to DC to talk with a bunch of
  policy types, but they never showed us the bodies (or the files on
  us, or whatever it is they show the people who they really want to
  impress).

Perry

From reagle at MIT.EDU Thu May 23 22:37:12 1996
From: reagle at MIT.EDU (Joseph M. Reagle Jr.)
Date: Fri, 24 May 1996 13:37:12 +0800
Subject: Trust In A Cryptographic Economy And Digital Security Deposits: Protocols And Policies
Message-ID: <9605240148.AA19641@rpcp.mit.edu>

My thesis "Trust In A Cryptographic Economy And Digital Security
Deposits: Protocols And Policies" is now available in digital form for
those that might be interested. You can find it on my ecommerce page at:

http://farnsworth.mit.edu/~reagle/commerce/commerce.html

An intro, table of contents, conclusion, and the refs are in html
format. You may download the whole thing as compressed postscript.
_______________________
Regards,
When we ask advice, we are usually looking for an accomplice. -Marquis de la Grange
Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html
reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E

From ses at tipper.oit.unc.edu Thu May 23 22:40:11 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Fri, 24 May 1996 13:40:11 +0800
Subject: [SCARE]: "If you only knew what we know..."
In-Reply-To:
Message-ID:

If I were planning such a briefing I'd probably concentrate on real cases that were cracked due to NSA SIGINT - especially terrorist groups operating with only limited state sponsorship

Simon

From mrm at netcom.com Thu May 23 22:54:33 1996
From: mrm at netcom.com (Marianne Mueller)
Date: Fri, 24 May 1996 13:54:33 +0800
Subject: VIRUS ALERT: Java virus that affects Netscape 2.0 & 2.01.
In-Reply-To: <2.2.32.19960523202049.006a6eac@mail.pb.net>
Message-ID: <199605240129.SAA00250@netcom20.netcom.com>

We've reached urban legend time for Java...?

There is no Java virus known as "Black Widow". There was a melodramatic web article about Java security that used the title "Black Widow", a pun on the web. The article focused mostly on the danger of denial-of-service applets that consume resources on the client. While rude, annoying, and potentially the cause of losing unsaved edits in a word processor, (if you were flummoxed and panicked and instead of killing your browser, you rebooted your computer and lost any pending edits) denial-of-service applets are *not* viruses. And they are not stalking the web. Really.

I work on Java security at JavaSoft which is part of Sun, and try to keep our web page up to date. See http://java.sun.com/sfaq/ for info.

In the "for what it's worth dept", the security breaches that have gotten so much press are fixed in JDK 1.0.2, our current release, and in NN3.0b4. This includes the bug mentioned in the May 18 NY Times story.
Marianne

From jimbell at pacifier.com Thu May 23 22:58:29 1996
From: jimbell at pacifier.com (jim bell)
Date: Fri, 24 May 1996 13:58:29 +0800
Subject: Innocence & harmless weapons
Message-ID: <199605240159.SAA25213@mail.pacifier.com>

While it was a slick one-liner, it was also wrong. The truth can indeed harm innocents. For example, "The truth is that Anne Frank lived in an Amsterdam attic." is an excellent example of a truth that can, indeed, be used to harm people should it become known.

The reason we use encryption is to disguise truths that we don't want others to know, and if those truths become known there may indeed be harm to innocents.

At 05:02 PM 5/23/96 -0500, Jim Choate wrote:
>Whose side of the truth? To be honest I was surprised by your simplistic
>responce.
> Jim Choate
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> SANDY SANDFORT
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> At 12:11 PM 5/23/96 -0800, jim bell wrote:
>>
>> >Tell ya what: name a weapon that CANNOT be used to harm an
>> >innocent person. Go ahead, I'm waiting.
>>
>> The Truth?
>>
>>
>> S a n d y

Jim Bell
jimbell at pacifier.com

From herodotus at alpha.c2.org Thu May 23 23:03:24 1996
From: herodotus at alpha.c2.org (herodotus at alpha.c2.org)
Date: Fri, 24 May 1996 14:03:24 +0800
Subject: Attacks on remailers
Message-ID: <199605240137.SAA28344@infinity.c2.org>

The current discussion on the future of remailers seems to have been ignited by two events: the closure of the Hacktic remailer and the FBI's contacting an operator about a threatening message sent through his remailer.

We have, however, almost no actual information about the two incidents, especially the type of threats, if any, made against the operators of the two remailers. This lack of information makes it difficult for others interested in remailers to make informed decisions about their future.

We need more specific information about these two incidents.
-- Herodotus

From jimbell at pacifier.com Thu May 23 23:14:20 1996
From: jimbell at pacifier.com (jim bell)
Date: Fri, 24 May 1996 14:14:20 +0800
Subject: National Journal article sez net-activism is just political hicks
Message-ID: <199605240208.TAA25747@mail.pacifier.com>

At 03:31 PM 5/23/96 -0500, Declan McCullagh wrote:
>
>>Date: Thu, 23 May 1996 11:04:50 -0700
>>From: jwarren at well.com (Jim Warren)
>>Subject: National Journal article sez net-activism is just political hicks
>>Sender: owner-fight-censorship at vorlon.mit.edu
>>Precedence: bulk
>>X-URL: http://fight-censorship.dementia.org/top/
>>
>>Tomorrow, Washington's politically-powerful National Journal reportedly
>>will publish a know-nothing piece of "journalism" saying that net-aided
>>politics is essentially nothing but a batch of ineffective, know-nothing
>>nerds and back-water political hacks.

At least we now know that the National Journal hasn't heard of Cyber-Anarchy--- or they didn't understand one word of it.

>>Check it out on Friday or thereafter -- at www.politicsusa.com -- and
>>forward your *informed* comments to the NJ's Editor and Letters Editor.
>>
>>--jim
>>
>>On the other hand, maybe we ought to just continue escalating our political
>>effectiveness using the net, and let it come as a total shock to the
>>Beltway insiders who trust this piece of misinformed blather ... when we
>>provide more and more swing votes in contested elections -- as already
>>occurred with DeFoley8 against ex-Speaker Tom Foley, VTW for now-Senator Ron
>>Wyden, me for now-available Calif legislative data, the gun BBS against
>>ex-Calif Senate Prez Pro Tem David Roberti, etc. :-)

Slowly but surely, they're learning!

Jim Bell
jimbell at pacifier.com

From tcmay at got.net Thu May 23 23:21:16 1996
From: tcmay at got.net (Timothy C.
May)
Date: Fri, 24 May 1996 14:21:16 +0800
Subject: Children's Privacy Act
Message-ID:

Lauren Amy Gelman said:

>The text of the Children's Privacy Protection and Parental Empowerment
>Act is available at the Epic "Children's Privacy" web site:
>
>http://epic.org/privacy/kids/
>
>Read it before you trash it!

We at LolitaWatch GMBH are amused that legislators in the United States are attempting to legislate that which can be so easily bypassed with the world-wide Internet.

In fact, anticipating such restrictions on the collection of some data, we moved our operations to Aalborg, Danmark earlier this year. (Suggestions and ideas regarding content are welcome at: www at lolita.nordjyllands .dk )

Danish laws are not so repressive as American laws, and our American friends can so easily access our data bases of information derived from the mandatory age-labeling tags you Americans so conveniently (for us) insist upon.

--Klaus Jellingestenen

From perry at piermont.com Thu May 23 23:21:43 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Fri, 24 May 1996 14:21:43 +0800
Subject: VIRUS ALERT: Java virus that affects Netscape 2.0 & 2.01.
In-Reply-To: <199605240129.SAA00250@netcom20.netcom.com>
Message-ID: <199605240220.WAA27452@jekyll.piermont.com>

Marianne Mueller writes:
> In the "for what it's worth dept", the security breaches that have gotten
> so much press are fixed in JDK 1.0.2, our current release, and in NN3.0b4.
> This includes the bug mentioned in the May 18 NY Times story.

The problem, Marianne, is that Java security has become a total industry joke. When Java came out, we were assured it was secure. Then we were assured it was Beta software but real Java as released would be secure. Then we were told that it was mostly secure, and anyway bugs are fixed quickly, and anyway they aren't serious in general, maybe.

In short, you are starting to look very defensive and very unreliable.

The bugs show up on a weekly basis.
This is because the underlying security model is flawed. No amount of denial on your part is going to fix that.

Sadly, Java hype has become a giant industry, and the hype machine assures that honesty about Java is going to continue to decline. Java has become a major stock booster for Sun and other companies. Congenital Java security holes aren't going to get serious attention because whether one likes it or not Sun's stock is impacted by the whole thing.

Perry

From llurch at networking.stanford.edu Thu May 23 23:34:43 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Fri, 24 May 1996 14:34:43 +0800
Subject: SF Bay Area: Topics (?) for Meeting June 8th
Message-ID:

Apologies if you prefer leaving these for the last minute.

Unless someone has a better place, we'll meet at Stanford again, this time with a big enough room, fewer singing trees, and less sun putting me to sleep.

Since we'll have a projection screen and multiple T3 Internet connection (knock on wood), it might be nice to show off some mockups of crypto GUIs, as discussed last time. Just hack together some GIFs or HTML to show what you like.

In order to justify a room, this will be billed as a Stanford PGP Club meeting, so a key signing and a presentation from somebody (?) on some PGP thing (?) would probably be appropriate. Any chance of what's-their-name that stood us up last time showing up this month?

There may be a speaker from CMU talking about net.censorship and privacy/pseudonymity in academia.

Other topics?

-rich

From llurch at networking.stanford.edu Thu May 23 23:56:04 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Fri, 24 May 1996 14:56:04 +0800
Subject: your mail
In-Reply-To:
Message-ID:

On Thu, 23 May 1996, Mark O. Aldrich wrote:

> So, what's your point other than:
>
> a) You figured out how to use the "shift-6" on your keyboard, and
>
> b) You can remove the "from" header in your e-mail
>
> Are we supposed to be impressed?

Well, he's got his name in lights.
Shouldn't we all be impressed? I'm certainly impressed that he's figured out, all by his lonesome, how to Cc every Usenet and cypherpunks post to me.

http://www.almanac.bc.ca/cgi-bin/ftp.pl?people/h/harman.david

From norm at netcom.com Fri May 24 00:03:38 1996
From: norm at netcom.com (Norman Hardy)
Date: Fri, 24 May 1996 15:03:38 +0800
Subject: Runtime info flow in Java
Message-ID:

At 7:06 AM 5/9/96, Christian Wettergren wrote:
>Hi!
>
>I'm presenting my licentiate research proposal
>next week, and I thought that some of you might
>find it interesting. I'd like to find others
>that are working with similar projects, to have
>some people to discuss with.
>
>The actual proposal is available at
>
> http://www.it.kth.se/~cwe/phd/licprop.ps

I began to look at your paper online but that works poorly for me. My printer does not handle A4 paper. PostScript seems inflexible in this regard. If it were available in 8.5 X 11 inch format you would have at least one more reader.

I am interested in your paper because you define the problem as we do. There are some who think that capability architectures are the solution. There is little information on how to solve these problems with capabilities. I am trying to find time to address some of these issues.

KeyKOS is a capability based operating system that is designed to solve a variety of security problems. There are some papers at and .

We find that Java as a language conforms well enough to capability principles even though not using the term. Some of the primordial classes do not conform and indeed it was there that the Princeton group found the problems that are most difficult to fix.

From norm at netcom.com Fri May 24 00:07:03 1996
From: norm at netcom.com (Norman Hardy)
Date: Fri, 24 May 1996 15:07:03 +0800
Subject: [hrdware] anti-Tempest video settings
Message-ID:

At 10:20 AM 5/10/96, Jean-Francois Avon wrote:
>Hi again.
> >Is there anybody that have any idea about a color setting that would >make it more difficult to detect by a Tempest attack? >(I assume that Tempest cannot discriminate between various color guns >and signals in the monitor... Maybe I am completely wrong...) .... I imagine that a color combination that cancels for an antenna in one location will not cancel for another location. Many monitors have separated wires for the separate colors. A color combination that cancels for one antenna polarization may not cancel for the other. From llurch at networking.stanford.edu Fri May 24 00:21:33 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 24 May 1996 15:21:33 +0800 Subject: FYA: "The ANOREV INTERCEPTS" [Usenet censorship] (fwd) Message-ID: Sometimes I amaze even myself, or whoever people think I am. This was written by Tallpaul, everyone's favorite anti-fascist activist. -rich INFORMATIONAL FOLLOWUP TO INTERNET NEWS GROUPS "rec.music.white-power" "soc.politics.marxism" "talk.politics.natl-socialism" Because of the role I played in the campaign to get people to VOTE NO on "rec.music.white-power" many people have sent me e-mail asking about the vote results on several political news groups on the internet. The following is the latest data available as posted in the official USENET news group called "news.groups". 1. "rec.music.white-power" (RMW-P) Today, May 21 at 04:46 GMT, the vote taker Michael Handler posted a message to "news groups" that read: "I have completed the tabulation of the rec.music.white-power vote, and submitted the results to David Lawrence. They should be posted shortly. "I will comment more on the subject, including regarding the delay in the posting of the results, once the results have been posted to news.announce.newgroups." The battle over RMW-P was perhaps the most intensive in the history of the internet and informal earlier reports indicated the raw vote broke the all-time internet record by a factor of two. 
The results of the vote, whatever they are and however they were counted, promise to be equally if not more controversial, particularly because of the two+ month delay between the vote deadline and the announcement of the results.

I will inform all of you what the vote is as soon as it is posted.

2. "soc.politics.marxism"

Yesterday, May 20 at 22:12 (GMT -04:00), the vote taker Brennan Price posted a message to "news groups" announcing that the group passed the vote 355 to 106.

There is now a formal five-day waiting period for people to comment/protest/etc. on how the vote was counted, the method(s) used to invalidate ballots, and so forth.

I will also keep you informed of how this discussion unfolds.

3. "talk.politics.natl-socialism" (TPN-S)

R. Graves was the original proponent of TPN-S. He had opposed the earlier RMW-P group but on technical, not political reasons, and he does, as he once put it, "not consider [himself] anti-racist." Rather, Graves's opposition centered on whether the nazi news group had demonstrated sufficient interest as a music group, whether it had been properly proposed in terms of proper USENET/uunet electronic paperwork and the like. His version of the Kleim proposal for a nazi group was designed, in part, to straighten out this paperwork.

Highly skilled technically, Graves seems quite clueless about the nature of fascism as a political tendency off the internet in the real world. He has opposed individual cybernazi dirty tricks in cyberspace, including some first-class technical tracking of cybernazis using anonymity and other devices to hide their identities. On the other hand, he has announced, for example, that there are only some one-to-two thousand hardened nazis in the entire world.

Before the vote on SPM was announced, Graves stated he was "thinking of dropping" his proposal for the nazi group on the grounds (among others) that even the cybernazis themselves showed little interest in it.
However, today at 00:35 (GMT -7:00) he posted to "news.groups" under the subject line "Going forward with talk.politics.natl-socialism after all" that:

"The recent 60 Minutes interview with Dr. William Pierce, in which Mike Wallace was obviously uninformed about the person with whom he was speaking, has reestablished the need, as far as I am concerned, for a public forum dedicated to the discussion of national socialist movements. With Milton Kleim's permission, I will list him as an official co-proponent on the third RFD, for which I believe we just barely have time."

Kleim accepted almost immediately.

Graves's new view threatens additional ominous organizing by cybernazis on the net as they go for an additional news group even before the results of their previous organizing effort are announced.

Nor does Graves's reason for going ahead seem particularly convincing. A search of the internet reveals only four mentions of Dr. William Pierce in recent times. One of them is by Graves himself a week or so before the Wallace interview. The other three were all responses to the interview. Nor does it seem likely that Mike Wallace or his staff will be avid readers of Graves's proposed TPN-S.

Graves's decision also comes immediately after the statement that the votes on the earlier cybernazi proposal RMW-P were counted.

It is possible that Graves genuinely changed his mind (as did Milton Kleim) independently of the success of SPM and the vote on RMW-P. But one wonders how many will be convinced that this is the case versus the number that will see Graves's reference to Pierce/Wallace as more rationalization than reason.

Still, until Graves's third version of the proposal is written and posted there seems little to be gained by any formal speculation on his motives or those of the cybernazis.

Nor, until the vote on RMW-P is announced does it seem beneficial for new people to closely follow the post-announcement followups to "news.groups."
I and others will be closely monitoring the group and will keep you informed of what is happening, what we think the significance is, and our thinking on how best to support, oppose, or avoid it.

The short time line is uncertain. (Thus I am not even getting this ready to mail until I have again checked the group when I next log on.) But for political activists it promises to be an "interesting" summer and fall.

--tallpaul at nyc.pipeline.com

Post Script to New Readers:

This series of letters originated with what a few of us jokingly call the ANOREV INTERCEPTS. I returned to the internet in September 1995 after a long absence. Various technical people who were anti-fascist but not activists had been following cybernazi organizing attempts in cyberspace. They had assembled a series of documents and analyses of the nazis, and, knowing that I was an antifascist activist sent me copies. (Some years ago Anglo/US intelligence intercepted and decoded some detailed material from Soviet intelligence that was code-worded VERONA. ANOREV is just that word spelled backwards.)

The ANOREV material proved to be highly accurate. Based on this, I started the series called "This computer kills fascists," posting material to friends and other net activists.

From jimbell at pacifier.com Fri May 24 00:35:46 1996
From: jimbell at pacifier.com (jim bell)
Date: Fri, 24 May 1996 15:35:46 +0800
Subject: [SCARE]: "If you only knew what we know..."
Message-ID: <199605240352.UAA01260@mail.pacifier.com>

At 08:06 PM 5/23/96 GMT, John Young wrote:
>
>"Before the case is resolved, Patel's skepticism of the state's prerogatives
>will be tested to the limit when the government is called upon to defend
>its policy. Patel is then likely to be given the *in camera* presentation
>of The Deepest Darkest Secrets of Cryptography -- probably a modified
>version of the classified briefing the NSA has used with great success to
>influence members of Congress.
Legend has it that no one who ever got 'the
>briefing' ever again opposed the agency."

>Peter, anyone, are these welcome-to-the-inner-circle briefings always by
>NDA, or worse threat?

It seems to me that if the government REALLY thought it could push GAK by convincing the public that it was wise, it would at least prepare a redacted version of this briefing that it _could_ present to the public, if different than the "eyes only" version. After all, would they risk losing it all by NOT telling at least part of the story?

Or is their failure to publicize all this because they realize that spilling the beans (even only some of them) would actually make it _less_ likely that GAK would be accepted by the public, rather than more? I think the latter is much closer to the truth.

>Wonder if a public-spirited cryptographer is working on a book for a movie
>about this heart of the deepest darkness?

That depends on what you mean. I know a free-lance movie scriptwriter who is working on a story along related lines.

Jim Bell
jimbell at pacifier.com

From daemon at anon.penet.fi Fri May 24 00:58:20 1996
From: daemon at anon.penet.fi (daemon at anon.penet.fi)
Date: Fri, 24 May 1996 15:58:20 +0800
Subject: Anonymous password assignment failure (no password)
Message-ID: <9605240440.AA28627@anon.penet.fi>

You have requested the assignment of a new password. However, your message text didn't contain any password. Remember that passwords should only contain letters and numbers.

From sandfort at crl.com Fri May 24 01:03:02 1996
From: sandfort at crl.com (Sandy Sandfort)
Date: Fri, 24 May 1996 16:03:02 +0800
Subject: Innocence & harmless weapons
In-Reply-To: <199605232202.RAA22518@einstein.ssz.com>
Message-ID:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SANDY SANDFORT
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C'punks,

On Thu, 23 May 1996, Jim Choate wrote:

> Hi Sandy et al.,
>
> Whose side of the truth?

That was a capital "T", bub.
Truth doesn't have sides. (Think of it as an archetype.)

> To be honest I was surprised by your simplistic responce.

That was a question mark, bub. It wasn't an answer, it was a question.

Hey, the devil is in the details, gang. Too bad modern schools teach "self-esteem" instead of reading, writing and rhetoric. (Spelling wouldn't hurt either.)

S a n d y
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From tcmay at got.net Fri May 24 01:05:41 1996
From: tcmay at got.net (Timothy C. May)
Date: Fri, 24 May 1996 16:05:41 +0800
Subject: National Journal article sez net-activism is just political hicks
Message-ID:

At 3:06 AM 5/24/96, jim bell wrote:
>At 03:31 PM 5/23/96 -0500, Declan McCullagh wrote:
>>>Tomorrow, Washington's politically-powerful National Journal reportedly
>>>will publish a know-nothing piece of "journalism" saying that net-aided
>>>politics is essentially nothing but a batch of ineffective, know-nothing
>>>nerds and back-water political hacks.
>
>At least we now know that the National Journal hasn't heard of
>Cyber-Anarchy--- or they didn't understand one word of it.

What is this "cyber-anarchy" (or "Cyber-Anarchy") you keep talking about?

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From wendigo at gti.net Fri May 24 01:08:54 1996
From: wendigo at gti.net (Rev. Mark Rogaski)
Date: Fri, 24 May 1996 16:08:54 +0800
Subject: VIRUS ALERT: Java virus that affects Netscape 2.0 & 2.01.
In-Reply-To: <199605240129.SAA00250@netcom20.netcom.com>
Message-ID: <199605240431.AAA28575@apollo.gti.net>

-----BEGIN PGP SIGNED MESSAGE-----

An entity claiming to be Marianne Mueller wrote:
:
: We've reached urban legend time for Java...?
:
: There is no Java virus known as "Black Widow". There was a melodramatic
: web article about Java security that used the title "Black Widow", a pun
: on the web. The article focused mostly on the danger of denial-of-service

"Black Widow" was the calling card of a little script called 'latro' that exploited the stupidity of certain webmasters who put perl.exe in the cgi-bin directory on PC-based webservers.

The default code to execute on the remote machine was:

    print "If I were nasty, you'd be spiderfood by now.\n";
    print "\n\n\t--the black widow\n";

- --
Mark Rogaski | Why read when you can just sit and | Member
GTI System Admin | stare at things? | Programmers Local
wendigo at gti.net | Any expressed opinions are my own | # 0xfffe
wendigo at pobox.com | unless they can get me in trouble. | APL-CPIO

From tcmay at got.net Fri May 24 01:29:25 1996
From: tcmay at got.net (Timothy C. May)
Date: Fri, 24 May 1996 16:29:25 +0800
Subject: Floating Point and Financial Software
Message-ID:

At 11:40 PM 5/23/96, Paul S. Penrod wrote:

>But there is a simpler method to avoid the problem entirely. There is
>sufficient horsepower in uP's these days to support "long hand" division
>and multiplication. Granted it takes some extra grey matter to write the
>routines, but once done, you can vary the amount of precision to whatever
>you desire and not have to worry about accuracy.
I've been skipping most of the "floatingpointpunks" messages, but will note that several languages I personally use (however infrequently) have "bignum" support and support full-precision calculations. These include: LISP and Scheme, Smalltalk, and Mathematica.

If performance is not an issue, the bignum packages available in C and C++ ought to be sufficient for any financial needs. And Hal Finney is working on a bignum package for Java.

--Tim May

From paul.elliott at Hrnowl.LoneStar.ORG Fri May 24 01:33:42 1996
From: paul.elliott at Hrnowl.LoneStar.ORG (Paul Elliott)
Date: Fri, 24 May 1996 16:33:42 +0800
Subject: Transfer encoding indpendant signatures. Was (considered harmful.)
In-Reply-To: <199605230403.VAA14508@zzyzx.aero.org>
Message-ID: <31a50db6.flight@flight.hrnowl.lonestar.org>

-----BEGIN PGP SIGNED MESSAGE-----

> Your last two comments really illustrate the division that we've previously
> seen on the pgp-mime list. On the one side you have those who want to
> include the MIME headers in the digital signature, and on the other are those
> who want the signature to be over the data in its "binary" (unencoded)
> form. I _do_ see merit in the latter. However, that was not the goal of
> my draft. What I've been trying to get across is that my draft does not
> preclude you from writing your own draft on how to transmit detached
> signatures along with your message (perhaps something like
> multipart/pgp-signed).
OK, it's not PGP MIME's department. Still, I hope that someone will develop a spec for doing the other, because as my examples show, some users may need that ability. If specs & software for ease of use with PGP & mail are widely available, it will tend to entrench the use of PGP and encryption.

>
> > Pressure will build for PGP MIME to support binary datapaths.
>
> When this occurs, I will gladly remove that restriction.

The problem is that the transition will occur gradually. At what point do you tell one class of users that they are out of luck, in order to better serve another kind of user? Ten percent? Five percent? One percent? A tenth of a percent? They will scream bloody murder.

What if you want to send signed mail to a mailing list that includes users of both kinds of users. Your message will go to a large number of people, so there is reason for efficiency. Do you want to send two kinds of messages to users depending on what kind of transfer they have available?

It is time to invent transfer-encoding-independent signatures!

We are assuming that the user trusts the pgp-mime software to specify what will be signed, so that my previous objection to signing arbitrary objects has been ruled out of order.

We want to invent a method of "signing" a complex mime object that will detect any modification of the information the user is trying to convey, but will allow us to change the transfer encoding of a body part without invalidating the "signature".

What we need is a computable map M from the class of mime objects to a class of "binary signature objects". (Which are basically streams of bytes which can be fed into PGP to generate or check a signature). ( Don't tell me there is this weird machine that can not represent a stream of bytes. PGP assumes that many of its files are streams of bytes, so that such a machine can not run PGP to generate or check a signatures and everything with respect to signatures becomes moot.)
CLASS OF MIME OBJECTS ======= M ========> BINARY SIGNATURE OBJECTS.

M should have the following properties:

1) Any change in the "message" that the user wants to convey will change the object that it maps to under M.

2) We can change the way a body part is transfer-encoded without changing the signature object it maps to under M.

Note: These binary signature objects are not going to be used to transfer data. They are not going to be used to display information. They are only going to be used to generate and check signatures.

Given such an M, it is possible to define a method of signing a MIME object, that will detect any change to the "message", but not invalidate the signature when changing how a body part is transfer encoded.

To generate a signature, apply M and generate a PGP binary signature on the result. To check a signature, apply M and PGP signature check the result. It should work.

Is it possible to define such a map M? I think so, but I am not 100% certain on the details. Something approximately similar to the following should work:

Go thru the object copying header lines as a stream of ascii bytes, separated UNIX style with linefeeds. Except, do not copy the transfer-encoding lines or the delimiter fields. Or any other field that only serves to tell how the object is transfer encoded. Convert the body parts themselves to a stream of bytes as specified by the transfer-encoding field and included in the outgoing stream. For text encoding, trailing white space could be handled as per the draft. Other text canonicalization as PGP does it.

I believe that this method has the two properties mentioned above. Perhaps it needs to be somewhat modified. I am sure that such a map M can be defined if smart people think about it.
- --
Paul Elliott Telephone: 1-713-781-4543
Paul.Elliott at hrnowl.lonestar.org Address: 3987 South Gessner #224
Houston Texas 77063

From declan at well.com Fri May 24 01:49:51 1996
From: declan at well.com (Declan McCullagh)
Date: Fri, 24 May 1996 16:49:51 +0800
Subject: National Journal article sez net-activism is just political hicks
In-Reply-To:
Message-ID:

On Thu, 23 May 1996, Timothy C. May wrote:

> >At least we now know that the National Journal hasn't heard of
> >Cyber-Anarchy--- or they didn't understand one word of it.
>
>
> What is this "cyber-anarchy" (or "Cyber-Anarchy") you keep talking about?

Heh. Check out http://anarchy-online.dementia.org/book/ for Charles Platt's "Anarchy Online."

(Did I mention it here before? Charles talks about a few things we've discussed here, like the Zundel mirrors, Marty Rimm, and the fight over the CDA.)

-Declan

From ravage at ssz.com Fri May 24 02:01:41 1996
From: ravage at ssz.com (Jim Choate)
Date: Fri, 24 May 1996 17:01:41 +0800
Subject: Innocence & harmless weapons (fwd)
Message-ID: <199605240530.AAA23158@einstein.ssz.com>

Forwarded message:

> Date: Thu, 23 May 1996 21:35:57 -0700 (PDT)
> From: Sandy Sandfort
> Subject: Re: Innocence & harmless weapons
>
> > Whose side of the truth?
>
> That was a capital "T", bub. Truth doesn't have sides. (Think
> of it as an archetype.)

Sorry but the very fact that I don't agree with you is proof enough that there is no absolute 'Truth' as you use it. That is unless you are attempting to claim absolute omnipotence on the point of determination.

> > To be honest I was surprised by your simplistic responce.
>
> That was a question mark, bub. It wasn't an answer, it was
> a question.
Hey, the devil is in the details, gang. Too bad > modern schools teach "self-esteem" instead of reading, writing > and rhetoric. (Spelling wouldn't hurt either.) Nice tactical ploy, an ad hominem buried in a straw man argument. Jim Choate From tcmay at got.net Fri May 24 02:02:26 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 24 May 1996 17:02:26 +0800 Subject: Truth can sometimes be harmful... Message-ID: At 8:06 PM 5/23/96, Sandy Sandfort wrote: >At 12:11 PM 5/23/96 -0800, jim bell wrote: > >>Tell ya what: name a weapon that CANNOT be used to harm an >>innocent person. Go ahead, I'm waiting. > >The Truth? > "The coordinates of Hiroshima are...." Q.E.D. (And there are thousands of variants of this, where "truth" leads to harm. Sandy was being terse in his comments, so he may have intended various qualifications, but as he stated things, my example stands.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From dlv at bwalk.dm.com Fri May 24 02:05:42 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Fri, 24 May 1996 17:05:42 +0800 Subject: [AP] [NOISE] Re: PROPOSAL In-Reply-To: Message-ID: Paul Robichaux writes: > Uni (for whom I have great esteem and no little curiosity about why he lets > Bell send him off into the weeds) said: I think they're both having fun, as am I. 
> >Motion: To create the alt.politics.assassination.politics newsgroup and > >the "AP" mailing list so as to clear the meaningless traffic (for which I > >am significantly responsible) out of this forum. > > > >Any seconds? > > > Seconded enthusiastically. All in favor, see you in alt.config. Objection. talk.politics.assassination is already available on some Usenet servers. The propagation is appropriate. No new newsgroups are necessary. Tell the nuriweiller Sovok to take his crituque of AP there. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From tcmay at got.net Fri May 24 02:32:23 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 24 May 1996 17:32:23 +0800 Subject: Cyber-Anarchy Message-ID: At 5:41 AM 5/24/96, jim bell wrote: >At 09:05 PM 5/23/96 -0700, Timothy C. May wrote: >>At 3:06 AM 5/24/96, jim bell wrote: >>>At least we now know that the National Journal hasn't heard of >>>Cyber-Anarchy--- or they didn't understand one word of it. >> >> >>What is this "cyber-anarchy" (or "Cyber-Anarchy") you keep talking about? > >(Yeah, yeah. Okay, I forgot the trademark. But I still can't find the >"circle-C" on my keyboard!) My point is actually not so much one of claiming credit for something I've been involved with since 1988, as being somewhat critical of the all-too-common tendency I see of _renaming_ something without adding any new content. Jim Bell calls his set of ideas "cyber-anarchy," and certain journalists have picked up on this (as with the Australian article). But with the exception of the one variant of anonymous markets, namely, "assassination politics," most or all of the other ideas of his "cyber-anarchy" seem to be encompassed by the already-existing term. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. 
May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jimbell at pacifier.com Fri May 24 02:40:52 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 24 May 1996 17:40:52 +0800 Subject: National Journal article sez net-activism is just political hicks Message-ID: <199605240443.VAA03981@mail.pacifier.com> At 09:05 PM 5/23/96 -0700, Timothy C. May wrote: >At 3:06 AM 5/24/96, jim bell wrote: >>At 03:31 PM 5/23/96 -0500, Declan McCullagh wrote: > >>>>Tommorrow, Washington's politically-powerful National Journal reportedly >>>>will publish a know-nothing piece of "journalism" saying that net-aided >>>>politics is essentially nothing but a batch of ineffective, know-nothing >>>>nerds and back-water political hacks. >> >>At least we now know that the National Journal hasn't heard of >>Cyber-Anarchy--- or they didn't understand one word of it. > > >What is this "cyber-anarchy" (or "Cyber-Anarchy") you keep talking about? (Yeah, yeah. Okay, I forgot the trademark. But I still can't find the "circle-C" on my keyboard!) That's exactly the reaction of the typical mainstream media news person today. But that will change, I think, and probably well within a couple of years. I keep waiting for Time magazine to declare the Internet to be "The Man of the Year", like they did the (personal?) computer in one year in the middle 1980's. It has certainly been covered far more this year than any year in the past. Now that the traditional media has discovered the Internet, they'd damn well start covering its political implications. 
Last year, for instance, the media was apparently unwilling to admit that the main reason the Congressional hearings on Waco occurred was because the subject was kept alive on the computer networks. By next year, I don't think they'll be able to keep silent on similar situations: Too many people will consider the Internet to be at least their secondary news source, if not their primary one. Jim Bell jimbell at pacifier.com From llurch at networking.stanford.edu Fri May 24 03:13:56 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 24 May 1996 18:13:56 +0800 Subject: Children's Privacy Act In-Reply-To: Message-ID: On Thu, 23 May 1996, Timothy C. May wrote: > We at LolitaWatch GMBH are amused that legislators in the United States are > attempting to legislate that which can be so easily bypassed with the > world-wide Internet. [...] > Danish laws are not so repressive as American laws, and our American > friends can so easily access our data bases of information derived from the > mandatory age-labeling tags you Americans so conveniently (for us) insist > upon. Good and valid points about the CPA's hypocrisy and inanity, but this doesn't really address the bill (was it meant to?). CDA + CPA = bad. CDA = bad. CPA is still indeterminate. I recognize that criminalizing the free flow of information is like trying to stick your finger in a dike, but every little bit has an effect. In this case, I'd call it a positive effect. I was certainly disappointed to hear a couple of cypherpunks the other day discussing for-profit offshore data havens full of personal information that is illegal to collect in the US as a business opportunity *they* were interested in pursuing. I just can't see myself doing that, for anybody. Gubmint or private, doesn't matter. -rich From cp at proust.suba.com Fri May 24 03:37:08 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Fri, 24 May 1996 18:37:08 +0800 Subject: [SCARE]: "If you only knew what we know..." 
In-Reply-To: <199605240352.UAA01260@mail.pacifier.com> Message-ID: <199605240642.BAA00623@proust.suba.com> > Patel is then likely to be given the *in camera* presentation > of The Deepest Darkest Secrets of Cryptography -- probably a modified > version of the classified briefing the NSA has used with great success to > influence members of Congress. Legend has it that no one who ever got 'the > briefing' ever again opposed the agency." The last part reminds me of the Monty Python bit about the funniest joke in the world -- during the war British soldiers would shout out a translated version they couldn't understand and the Germans would die laughing. It seems pretty obvious that there are people who have withstood the NSA's siren song -- people in Congress and agencies like the Department of Commerce (who presumably have heard it) oppose the agency. I've felt for a long time that the division in venues has hurt us. The other side pitches in secret to Congressmen and administration officials, while we preach to the converted and argue against straw men here on the net. As a consequence they own official Washington and we own public opinion. The problem with this is that we don't get a chance to refute their arguments. I think we're right -- and to me believing we're right means believing that we can win a fair fight. Logic and the facts ought to bear us out. One idea that I toyed around with but was too lazy to pursue was to have a public debate on the web. A small group of people would be invited to participate -- maybe Dr. Denning on one side, and whoever else we could find to speak for the government. We could pick an equal number of our best people to go up against them. The debate would proceed in rounds. Each participant could write his or her arguments for or against government restrictions on crypto, and the moderator would publish them all simultaneously.
Then there would be a set period of time for the participants to write responses -- maybe a couple of days or a week. Then another round of responses to the responses. After that everyone could write closing arguments. I think there are a couple of advantages to taking this sort of an approach rather than a more free form discussion on a mail list. The first is that the other side would probably feel more welcome -- the lack of public support for their position and the net being what it is have combined to create a hostile environment for those who disagree with us. The debate would prevent personal attacks (if we pick the right participants) and it would give the opposition some assurances that they won't get shouted down. The idea is to create a level playing field -- something that doesn't exist anywhere right now -- each side has its own home court, but a neutral space doesn't seem to exist. Another advantage would be that if people agree to participate they'd probably take it seriously enough to follow through and answer criticisms of their arguments. The idea of a formal discussion with a beginning, a middle, and an end might help keep things moving along. Restricting things to a small number of participants who understand the technology and the history of crypto politics could also be helpful. Finally, when the whole thing was over the web site would be a valuable resource for anyone who wants to explore the issue. Both sides would be there, and nobody would feel that they had been bullied or manipulated into believing one thing or another. As I said above, I think we're right, and to me that means believing that we'd come out on top in a fair fight. It seems to me that we ought to figure out how to set up a few of them and do whatever we can to get the other side to show up.
From blancw at accessone.com Fri May 24 06:31:01 1996 From: blancw at accessone.com (blanc) Date: Fri, 24 May 1996 21:31:01 +0800 Subject: Truth can sometimes be harmful...(talk.cpunks.truth) Message-ID: <01BB491B.4E7D4DC0@blancw.accessone.com> There are small truths and "big" truths - or the smaller parts of a whole, or the smaller ingredients of a complete context. In the larger context of complete truth, although the small truth of the location where Anne Frank was hiding was harmful to her safety, it was harmful only because those who had created the war surrounding her were not prepared (did not want) to see the larger truths of reality. In the context of such an attitude inimical to complete truth, any truth can become a threat to safety. Analogous to the use of any weapon or tool of destruction it is not accurate to hold the truth at fault, but rather the one who interprets it and decides on what action to take based upon it. This reminds me of those arguments on the list where that old objection against encrypting personal messages was brought up: "what have you got to hide?", implying: do you fear the truth, do you mean to live outside the context of honesty and truth? And the cypherpunks would counter, no - we just want to be particular about who receives it. .. Blanc From bryce at digicash.com Fri May 24 07:02:31 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Fri, 24 May 1996 22:02:31 +0800 Subject: [PHILOSOPHYPUNKS] Re: Innocence & harmless weapons (fwd) In-Reply-To: <199605240530.AAA23158@einstein.ssz.com> Message-ID: <199605240904.LAA16191@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- Jim Choate wrote: > > > From: Sandy Sandfort > > > > That was a capital "T", bub. Truth doesn't have sides. (Think > > of it as an archetype.) > > Sorry but the very fact that I don't agree with you is proof enough that > there is no absolute 'Truth' as you use it. Hm. 
So you are using the implied premise, Jim, that if there were an absolute 'Truth' that you would know it? I find that somewhat amusing. :-) Regards, Bryce -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMaV7j0jbHy8sKZitAQGP2wMAq9MTFw9Mamepgp58aTRjae2VqFDDJfVn 78LdugL+f6Kd0X4I5nfWs6EEKlItchtmCFxu2sUGKL55igk1D+z+hCfgZflWUocU mECzMzX3Al3HinsunA3NBW4zY61jpCuW =Wnod -----END PGP SIGNATURE----- From perry at alpha.jpunix.com Fri May 24 07:38:29 1996 From: perry at alpha.jpunix.com (John A. Perry) Date: Fri, 24 May 1996 22:38:29 +0800 Subject: New type2.list/pubring.mix Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hello Everyone, There is a new type2.list/pubring.mix combination on jpunix.com that reflects the retirement of the nsa (omaha) remailer. It's available by Web and by anon FTP. John Perry - KG5RG - perry at alpha.jpunix.com - PGP-encrypted e-mail welcome! WWW - http://www.jpunix.com PGP 2.62 key for perry at jpunix.com is on the keyservers. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMaWTF1OTpEThrthvAQHg5AP9Hi66SmUpFYUQrDHjRXQnWKQpc7yXTsaJ rpaaHjd4TIr0mCbVm0ZXfDMq9r/igrqDX6SzCGUDvBxxsumcBCKCNJ59EpSOCcPM e2I3v3MSwapaLe/8/5Ztk81IvUVhnyzkctEW11w+S7hk6ZCU2nz5yFL4AkASgPrk SP0WxYyA1mA= =jM6N -----END PGP SIGNATURE----- From adam at lighthouse.homeport.org Fri May 24 08:52:57 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Fri, 24 May 1996 23:52:57 +0800 Subject: VIRUS ALERT: Java virus that affects Netscape 2.0 & 2.01. In-Reply-To: <199605240220.WAA27452@jekyll.piermont.com> Message-ID: <199605241245.HAA22317@homeport.org> Hype about Java and a move to a policy based security mechanism are not incompatible. Perry's security model will probably be NO Java, NO Livescript. Mine might be only Java signed by McAffee can get more than 3 seconds of CPU time, or access remote network ports on the server it came from, no other code can run. Adam Perry E. 
Metzger wrote: | Sadly, Java hype has become a giant industry, and the hype machine | assures that honesty about Java is going to continue to decline. Java | has become a major stock booster for Sun and other | companies. Congenital Java security holes aren't going to get serious | attention because whether one likes it or not Sun's stock is impacted | by the whole thing. -- "It is seldom that liberty of any kind is lost all at once." -Hume From jya at pipeline.com Fri May 24 10:52:22 1996 From: jya at pipeline.com (John Young) Date: Sat, 25 May 1996 01:52:22 +0800 Subject: TILT! Counterfeit pachinko cards send $588 million down the chute. Message-ID: <199605241243.MAA01566@pipe2.t1.usa.pipeline.com> Follow-up to Peter Wayner's post yesterday: The New York Times, May 24, 1996, p. D8. American Banknote Gets Into Pachinko The American Banknote Corporation said yesterday that it was developing optical-reading technology for a group of Japanese companies to help prevent counterfeit prepaid cards in the pachinko business. Pachinko, which is similar to pinball, is played in some 18,000 parlors in Japan and has grown in popularity in the last few years. Morris Weissman, American Banknote's chairman, said American Banknote's holographics unit was making cash-value cards and machines to read them. The cards and machines will be tested in Japan in July, and "if certain criteria are met," more will be installed in August, he said. He said cards would authorize a person to play a game of pachinko and win money. The cards, he said had "specific algorithms and codes we believe are almost impossible to duplicate." ----- From sinclai at ecf.toronto.edu Fri May 24 12:18:17 1996 From: sinclai at ecf.toronto.edu (SINCLAIR DOUGLAS N) Date: Sat, 25 May 1996 03:18:17 +0800 Subject: Mission Impossible Message-ID: <96May24.090930edt.1570@cannon.ecf.toronto.edu> I saw Mission Impossible last night. 
It deals with some cypherpunks issues, as the plot centers on anonymous BlackNet style operations on the Internet. Unfortunately, it does it badly. Particularly silly is the reference that a STU-III is a security penetration device. The main hacker is called Luthor, though he doesn't look a thing like Lex. The Usenet is dealt with in a laughable manner -- a grep of the entire 'net for "Job" doesn't turn up a single hit. Having said all of that, lots of things explode. It's good in THX. From blake at bcdev.com Fri May 24 13:47:11 1996 From: blake at bcdev.com (Blake Coverett) Date: Sat, 25 May 1996 04:47:11 +0800 Subject: Truth can sometimes be harmful... Message-ID: <01BB4959.96BD0E70@bcdev.com> > >The Truth? > > > > "The coordinates of Hiroshima are...." > > Q.E.D. Oh no, can the return of abombpunks be far behind? :-) regards, -Blake (who figures if your can't count or measure it, it's an opinion) From sandfort at crl.com Fri May 24 14:09:10 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Sat, 25 May 1996 05:09:10 +0800 Subject: Truth can sometimes be harmful...(talk.cpunks.truth) In-Reply-To: <01BB491B.4E7D4DC0@blancw.accessone.com> Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Fri, 24 May 1996, blanc wrote: > This reminds me of those arguments on the list where that old > objection against encrypting personal messages was brought up: > "what have you got to hide?", implying: do you fear the truth, > do you mean to live outside the context of honesty and truth? > And the cypherpunks would counter, no - we just want to be > particular about who receives it. This is the most concise and logical response yet, to my suggested answer of "Truth" to Bell's question. Blanc has masterfully shown why that dog won't hunt. 
S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From pcw at access.digex.net Fri May 24 14:32:50 1996 From: pcw at access.digex.net (Peter Wayner) Date: Sat, 25 May 1996 05:32:50 +0800 Subject: The Anti-Briefing... Message-ID: I'm sure the "Briefing" is quite impressive and it includes several strong arguments for government surveillance. There are bound to be more than a few kids that are alive today thanks to eavesdropping and the quick thinking of folks in FBI, NSA et al. That being said, I'm sure that there is also an "anti-Briefing" that can be given that illustrates that the huge cost of redesigning the phone system and forcing businesses and people to operate without protection. Here are some examples from the recent press that I think are good arguments for why strong crypto won't change the status quo. 1) A recent video tape on the news showed some convicted bad guy doing drugs and having sex with one of his convict buddies. They just happened to be in a side room of the prison that had a video camera. Some people tried to make political hay by saying that the prisons were really coddling the prisons too much. But prisons already have all of the enforcement tools that the police wish they had. They can strip search people without a warrant. They can read all of their mail and listen in to all conversations with visitors who aren't their lawyer. But there are still drugs in the prison. So how do they expect to eradicate drugs in the real world? 2) There are persistent rumors that Tim McVeigh et al were under some sort of surveillance. I know of no facts to back this up. I've heard some people say that they feel it was part of a sting operation that failed because the bomb actually went off. Who knows? But the World Trade Center bombers were under surveillance and that failed. This doesn't show that surveillance is bad, it just shows that it isn't perfect. 3) Pachinko machines and cell phones have both used weak crypto. Whoops. 
The gangsters figured out how to break the crippled system. There must be more examples but I'm typing from memory. The point is that full surveillance rarely stops crime altogether, but it may make a dent. The question is whether it is worth redesigning our phone system and computer networks to introduce even more weakness just because the police can use this weakness. Some might argue that if weak crypto can save one child's life then it is worth it. This is a strong, sentimental argument, but it really doesn't reflect the reality of the tradeoff. We could spend a lot more money on airlines, trains and cars and save a few kids' lives, but the cost could be phenomenal. The fact is that government enforced weak crypto is a tradeoff. We pay for the ease of the police surveillance because we make life simpler for crooks who make their living eavesdropping and circumventing security systems. The big question is whether the tradeoff is worth it. From flyvebed at eel.org Fri May 24 14:33:55 1996 From: flyvebed at eel.org (Anders Bxdker) Date: Sat, 25 May 1996 05:33:55 +0800 Subject: Children's Privacy Act In-Reply-To: Message-ID: <9605241431.AA0314@sturgeon.coelacanth.com> >>>>> "Klaus Jellingestenen" writes: > We at LolitaWatch GMBH are amused... > .. we moved our operations to Aalborg, Danmark earlier this year. > (Suggestions and ideas regarding content are gladly received at: > www at lolita.nordjyllands .dk ) Hmmm, but still incorporated in Germany, huh? I assume that LolitaWatch Gesellschaft mit beschränkter Haftung will shortly become LolitaWatch aktieselskab... Klaus, how long have you had these nightmares?
-- Anders Bødker From unicorn at schloss.li Fri May 24 14:34:11 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 25 May 1996 05:34:11 +0800 Subject: ecash representation In-Reply-To: <199605221908.PAA23731@jekyll.piermont.com> Message-ID: A colleague of mine is taking a position where he will be recommending secure communications technologies to various big money clients. He asked me if I could drum up some contacts for him. Do you have a fact sheet on Piermont I might give to him? He could be in a position to generate significant business for a consulting firm which really knew the ins and outs of strong encryption. I'd also be interested for my own reasons. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From ses at tipper.oit.unc.edu Fri May 24 14:43:38 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sat, 25 May 1996 05:43:38 +0800 Subject: VIRUS ALERT: Java virus that affects Netscape 2.0 & 2.01. In-Reply-To: <199605241245.HAA22317@homeport.org> Message-ID: Actually, a more canonical Perry policy would probably be to only allow code signed by Perry (or the security audit team) to be executed [trust only yourself] vs [trust nobody, not even your self] Simon From tcmay at got.net Fri May 24 15:24:38 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 25 May 1996 06:24:38 +0800 Subject: Children's Privacy Act Message-ID: At 6:45 AM 5/24/96, Rich Graves wrote: >I recognize that criminalizing the free flow of information is like trying >to stick your finger in a dike, but every little bit has an effect. In >this case, I'd call it a positive effect.
> >I was certainly disappointed to hear a couple of cypherpunks the other day >discussing for-profit offshore data havens full of personal information >that is illegal to collect in the US as a business opportunity *they* were >interested in pursuing. I just can't see myself doing that, for anybody. >Gubmint or private, doesn't matter. These off-shore data havens, possibly in Anguilla, possibly elsewhere, have long been a motivation for crypto anarchy. "Illegal to collect in the U.S." is the operative phrase. (P.S. Cf. the sections in my Cyphernomicon for a discussion of how the main U.S. credit-collecting agencies (TRW Credit, Transunion, and Equifax) have various cozy relationships with the U.S. government and intelligence agencies. Many of the laws about collection of data are ignored when needed. Ask the credit agencies why and how they willingly participate in the falsification of credit histories, and even the creation of credit histories out of thin air.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." 
From sameer at c2.org Fri May 24 15:25:43 1996 From: sameer at c2.org (sameer at c2.org) Date: Sat, 25 May 1996 06:25:43 +0800 Subject: COMMUNITY CONNEXION ANNOUNCES WORLDWIDE BETA-TEST OF THE ANONYMIZER Message-ID: <199605241617.JAA03283@atropos.c2.org> For Immediate Release - May 24, 1996 Contact: Sameer Parekh 510-601-9777x3 COMMUNITY CONNEXION ANNOUNCES WORLDWIDE BETA-TEST OF THE ANONYMIZER BERKELEY, CA - Community ConneXion, Inc., The Internet Privacy Provider, announced today the worldwide Beta release of the "Anonymizer" service for the World-Wide-Web. The Anonymizer allows people browsing the web to be completely anonymous when making web transactions. It protects people from having the sites they visit discover their email address, hostname, type of computer, and other potentially sensitive information. "The Anonymizer finally brings Caller-ID-Block to the Internet," said Justin Boyan, who designed and implemented the system. "If you don't want records of your activities being kept by every web site you visit, you should definitely be using this service." Community ConneXion ("C2") is glad to be able to provide such a service to the Internet community free of charge. C2's President, Sameer Parekh, commented on the availability of this service, "We feel that people's privacy is too important to make people pay directly for basic privacy services. Therefore, we've built The Anonymizer with a model that will allow people on the Internet to use the basic level of service at no charge." Future enhancements to the system include support for Netscape's Secure Sockets Layer, which will provide web surfers with the ability not only to hide their identity from the remote site, but to hide the identity of the sites they are browsing from their employer, university, or ISP. 
The threat of a university clamping down on the ability of its students to browse the web freely is very strong, and C2 plans to make this service available in order to protect against such threats. The Anonymizer can be accessed at http://www.anonymizer.com/. Users need only click on "BEGIN SURFING ANONYMOUSLY" and then choose a site to visit anonymously. All their web transactions from that point on are anonymized. As the service is only in Beta phase at this point, users may experience slow connections or downtime. As the service moves to Production release, these problems will be eliminated. Community ConneXion is the leading provider of privacy on the Internet. They provide anonymous and pseudonymous internet access and web pages in addition to powerful web service, virtual hosts, and web design consultation. Information is available from their web pages at http://www.c2.net/. From unicorn at schloss.li Fri May 24 15:26:55 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 25 May 1996 06:26:55 +0800 Subject: Layman's explanation for limits on escrowed encryption ... In-Reply-To: <199605230053.RAA28116@ohio.chromatic.com> Message-ID: On Wed, 22 May 1996, Ernest Hua wrote: > Could someone with some knowledge of NSA/DoS/FBI intentions please > explain why key length limitations are necessary for escrowed > encryption? To deal with the possibility that someone might slip through the cracks of the escrow process. Insurance. > > Please reply by E-Mail. > > Thanks! > > Ern > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. 
Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Fri May 24 15:28:54 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 25 May 1996 06:28:54 +0800 Subject: An alternative to remailer shutdowns In-Reply-To: Message-ID: On Wed, 22 May 1996, Martin Minow wrote: > Black Unicorn comments on the responsiblity > of prudent persons (in, I presume, the context of threating e-mail > sent through an anonymous remailier). > > I'm still perplexed: what can a "prudent" remailer operator do if a > threatening e-mail was sent through a remailer under one or more of > the following conditions: > > -- The remailer operator is legally enjoined from reading messages > transversing his system. (For example, the remailer is subject to > data privacy laws.) Nothing. Perhaps block e-mail from the address the threat mail was sent from after a certain number of legitimate complaints. This, of course, depends on the threats/whatever being sent to the remailer in question as a 'first in chain' mailer. > -- The message was encrypted using the intended recipient's public key. > (This means that, without access to the private key, the operator > has no mechanism to examine the e-mail.) Ask the recipient if he or she wishes all encrypted mail addressed to his or her key to be supressed. > Confused in Cupertino. > > Martin Minow > minow at apple.com > > > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. 
Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Fri May 24 15:32:02 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 25 May 1996 06:32:02 +0800 Subject: your mail In-Reply-To: <199605230539.WAA09625@netcom21.netcom.com> Message-ID: On Wed, 22 May 1996, it was written: > The answer to information is more information. The answer to your question lies within the question itself. Now go away. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From shamrock at netcom.com Fri May 24 15:37:41 1996 From: shamrock at netcom.com (Lucky Green) Date: Sat, 25 May 1996 06:37:41 +0800 Subject: Runtime info flow in Java Message-ID: At 20:06 5/23/96, Norman Hardy wrote: >I am interested in your paper because you define the problem as we do. >There are some who think that capability architectures are the solution. >There is little information on how to solve these problems with >capabilities. I am trying to find time to address some of these issues. I walked away from your presentation of KeyKOS with the impression that a capability system to be secure it would have to be implemented at the OS level. Can you build a such a system on top of an insecure OS, as Java would have to do? TIA, Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green PGP encrypted mail preferred. From ses at tipper.oit.unc.edu Fri May 24 15:45:58 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sat, 25 May 1996 06:45:58 +0800 Subject: [SCARE]: "If you only knew what we know..." 
In-Reply-To: Message-ID: On Fri, 24 May 1996, Martin Minow wrote: > > The briefing might go something like this: "Remember the terrorist bombing of > the Libian Embassy? Well, "they" were planning to bomb the embassy, > but we intercepted their messages and prevented the attack. > Libyan embassies don't get bombed. They just have thugs shooting unarmed WPCs from them under protection of diplomatic immunity (I used to live in Pimlico, and went to college in South Kensington, and going past the Yvonne Fletcher memorial always got me upset Anyway, they're not just state sponsored terrorists, they're the actual terrorist state, and can thus can easily get access to whatever crypto they want; in extrimis shipping OTPs by diplomatic pouch; it's the smaller, unofficial groups where the case is most easily made. If I thought that restricting crypto were possible, I might be convinced by solid argument along this line, though as a Londoner and having spent some time working in Israel, I'm probably easier to convince than most people here (just about the only tube station I used to use regularly that wasn't hit by the IRA was Chigwell, and that isn't wholly a good thing :-). However, now that the four horses have gone, and all that's left in the stable are the my little ponies, why slam the barn door and bop their noses for no good reason? Simon From jimbell at pacifier.com Fri May 24 15:53:47 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 25 May 1996 06:53:47 +0800 Subject: Cyber-Anarchy Message-ID: <199605241644.JAA01750@mail.pacifier.com> At 11:14 PM 5/23/96 -0700, Timothy C. May wrote: >My point is actually not so much one of claiming credit for something I've >been involved with since 1988, as being somewhat critical of the >all-too-common tendency I see of _renaming_ something without adding any >new content. > >Jim Bell calls his set of ideas "cyber-anarchy," and certain journalists >have picked up on this (as with the Australian article). 
> >But with the exception of the one variant of anonymous markets, namely, >"assassination politics," most or all of the other ideas of his >"cyber-anarchy" seem to be encompassed by the already-existing term. I don't tend to carefully distinguish between "crypto-anarchy" and "cyber-anarchy" although the former is a subset of the latter. Also, one big influence on society has nothing to do with encryption at all: The fact that people are beginning to get their news and information from other ordinary people (as opposed to newspapers and TV networks) is not dependant on encryption, at least in a country that's supposed to be blessed with the 1st amendment. The deathgrip the politicians have on the public as a whole will at least start to be weakened by non-crypto "cyberanarchy" effects like this, although perhaps it would be better named "cyber-minarchy." I think we can attribute the difficulty the establishment is having passing a Clipper-type law to the portion of cyberminarchy that has nothing to do with encryption. Jim Bell jimbell at pacifier.com From unicorn at schloss.li Fri May 24 15:56:09 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 25 May 1996 06:56:09 +0800 Subject: [SCARE]: "If you only knew what we know..." In-Reply-To: <199605232231.PAA13882@netcom20.netcom.com> Message-ID: On Thu, 23 May 1996, Mike Duvos wrote: > Sameer Parekh writes: > > > It's my understanding that this statement is now false. I > > believe that Matt Blaze recently received "The Briefing" and he is > > still on our side. > > Don't suppose Matt could do a little executive summary of > "The Briefing" and post it to the list, could he? Probably not unless he wanted to do time. I suspect some anonymous person might put bamboo shoots under his fingernails and post the results of the interrogation however. > > -- > Mike Duvos $ PGP 2.6 Public Key available $ > mpd at netcom.com $ via Finger. 
$ > > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Fri May 24 15:58:09 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 25 May 1996 06:58:09 +0800 Subject: An alternative to remailer shutdowns In-Reply-To: <01I50N2UZXFI8Y4X9G@mbcl.rutgers.edu> Message-ID: On Wed, 22 May 1996, E. ALLEN SMITH wrote: > From: IN%"unicorn at schloss.li" "Black Unicorn" 22-MAY-1996 19:03:58.98 > > >On Tue, 21 May 1996, Ben Holiday wrote: > > >> On Tue, 21 May 1996, Daniel R. Oelke wrote: > > >>> The second is to simply include the > >>> consent-code along with the encrypted peice of mail and a legal notice > >>> stating that decryption of the mail constitutes your consent to receive > >>> the mail, as well as your agreement to hold the remailer-operator harmless > >> > >> By reduction - you could just do a rot13 on the message and > >> append the "legal notice". If all the information for decoding > >> a message is present in that message, is a different encoding > >> mechanism really any different from straight ASCII text? > >> (i.e. Netscape 9.13 might have auto decoding built it....) > >> Then, the user doesn't do anything "extra" - does this invalidate > >> the notice? > > >A person has notice of a fact if he knows the fact, has reason to know it, > >should know it, or has been given notification of it. Restatement, > >Second, Agency section 9. > > >The important issue here is what constitutes constructive or implied > >notice (the second example above). > > >Constructive notice exists where a party could have discovered a fact by > >proper diligence and where the situation casts a duty on him to inquire > >into the matter. 
> > >A person who has _actual_ notice of circumstances which would set off the > >"alarm bells" of a prudent person has constructive notice of the issue > >itself where a notice clause was available and easily referenced. > > >See F.P. Baugh, Inc. v. Little Lake Lumber Co., 297 F.2d 692, 696. > > >Also comes the question what notice is adequate? Notice reasonably > >calculated, in all circumstances, to apprise all interested parties of > >action and opportunity to present their objections, says U.S. v San Juan > >Lumber Co., 313 F.Supp. 703, 709. > > >I'm not going to discuss what constitutes a legal agreement here for the > >purposes of waiving rights to hold the remailer operator harmless. These > >are traditionally unnegotiated agreements that courts are not likely to > >want to enforce. (Back of a ski lift ticket, notice that the garage is > >not responsible for theft). > > Umm... the RSA licensing agreement isn't exactly a negotiated contract. > What makes the difference between the contract in question and the RSA > licensing agreement (to use it as an example)? One is trying to remove liability for a tort, the other is instructing the purchaser on the conditions of use. While a ski-lift ticket could be considered a "license" to use the property, selling an actual intellectual property ITEM makes the limiting terms of its purchase a bit easier for a court to stomach. Telling a licensee that if he gets hurt it's too bad, and telling one that he cannot call a function or copy the work are fairly distinct in this way. In the practical world, the plaintiff who is trying to enforce a software licensing agreement is much better off than a defendant trying to resist liability for a tort. It's a question of appearances which can get lost in the nuances of definition and technicality. > >If a court feels that the remailer operator is being negligent or some > >such, a notice like you are talking about is not likely to be very > >effective.
> > Part of this depends on negligent in what sense. If, due to the > message being encrypted, the remailer operator couldn't read it to see if it > was copyright-violating anyway, would he/she be negligent to send it on? That depends. If there was reason to believe, for instance, that the message might indeed be four-horseman type (as a plaintiff's attorney I would jump all over any messages which came from "soandso at PLO.com" or somesuch) then negligence becomes an issue regardless. Perhaps the host was the site from which other nastiness was mailed? Anything that could be shown to put the operator on effective, implied, or constructive notice that something was amiss. Remember, technical savvy judges are few and far between. Technical savvy juries are nearly non-entities. My concept of what is or is not suspicious when it comes to such things is going to be much more sophisticated than that of a judge or jury in most if not all cases. This is an important point. The truth of the matter is entirely pointless in the U.S. Judicial system. The APPEARANCE of the matter is key. 'punks seem to forget this in all their discussion of what a court might do because, simply put, they know more than 99% of the population about the subject. > >I find that making the user decrypt the message as acceptance of the mail > >is clever, but what exactly does it accomplish? The user can still have > >his copyrights violated in the text, what does it matter that he did or > >did not accept the mailing? > > The primary use of the contract is to avoid complaints from the user > for "harassing" email, not to avoid copyright problems. From the recipient? I would simply put a notice of where complaints can be directed to, and publish a stated (and carefully worded) policy for addressing abuses. This will go a LONG way to insulating remailer operators. "Your honor, my client has made every effort to filter the legitimate users of his system from the illegitimate.
He has a stated policy regarding complaints and investigates them to the full extent of his ability in every case in which a complaint is filed. Even as this is so, he can no more completely assure that harassing messages will never slip through than can the U.S. post office protect every citizen from mail bombings." Or some such. If you can say this in court and back it up, you're in better shape. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From minow at apple.com Fri May 24 16:00:17 1996 From: minow at apple.com (Martin Minow) Date: Sat, 25 May 1996 07:00:17 +0800 Subject: [SCARE]: "If you only knew what we know..." Message-ID: Simon Spero writes: >If I were planning such a briefing I'd probably concentrate on real cases >that were cracked due to NSA SIGINT - especially terrorist groups >operating with only limited state sponsorship > You might find hints at "the briefing" in some of the recent terrorist-porno novels by Tom Clancey (for example). Also, "Spike" by Arnaud de Bouchgrave (apologies for possible misspelling) is an interesting book to read between the lines The briefing might go something like this: "Remember the terrorist bombing of the Libian Embassy? Well, "they" were planning to bomb the embassy, but we intercepted their messages and prevented the attack. 
Martin Minow minow at apple.com From msmith at rebound.slc.unisys.com Fri May 24 16:27:54 1996 From: msmith at rebound.slc.unisys.com (Matt Smith) Date: Sat, 25 May 1996 07:27:54 +0800 Subject: Innocence & harmless weapons In-Reply-To: Message-ID: <199605241552.PAA00821@rebound.slc.unisys.com> Sandy Sandfort was accused of saying: > C'punks, > > On Thu, 23 May 1996, Jim Choate wrote: > > > Hi Sandy et al., > > > > Whose side of the truth? > > That was a capital "T", bub. Truth doesn't have sides. (Think > of it as an archetype.) Not to drag a whole new level of philosophy into this already dragging list, but Plato disagrees with you. There is no The Truth. It's all in perception. > S a n d y -- Matt Smith - msmith at unislc.slc.unisys.com "Nothing travels faster than light, with the possible exception of bad news, which follows its own rules." - Douglas Adams, "Mostly Harmless" Disclaimer: I came up with these ideas, so they're MINE! From sandfort at crl.com Fri May 24 16:32:25 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Sat, 25 May 1996 07:32:25 +0800 Subject: PILATE SAYETH UNTO HIM... In-Reply-To: <199605240530.AAA23158@einstein.ssz.com> Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Fri, 24 May 1996, Jim Choate wrote: > Sorry but the very fact that I don't agree with you is proof enough that > there is no absolute 'Truth' as you use it. It isn't obvious that we DON"T agree. It was still a question. Actually, I rather fancied Bell and May's responses. To the extent we do disagree reflects in no way on the Truth, only in our abilities to determine what Truth is. Again, think of it as an archetype or reality not as a popularity contest. > That is unless you are attempting to claim absolute omnipotence > on the point of determination. Nope, not me. Hell, I don't even claim *partial* omnipotence. 
You really have to pay attention to those details. Why are you having so much trouble understanding the question mark? > Nice tactical ploy, an ad hominem buried in a straw man argument. Thanks, but you got it wrong again. Yes, there was an indirect (and apparently valid) ad hominem, but apparently you do not know what a straw man is. For your edification, your out-of-left-field suggestion that my discussion of Truth represents some claim of omnipotence on my part is clearly a straw man (and an implied ad hominem, for good measure). S a n d y ...WHAT IS TRUTH? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From ravage at ssz.com Fri May 24 16:46:08 1996 From: ravage at ssz.com (Jim Choate) Date: Sat, 25 May 1996 07:46:08 +0800 Subject: PILATE SAYETH UNTO HIM... (fwd) Message-ID: <199605241639.LAA24014@einstein.ssz.com> Hiya Sandy, Forwarded message: > Date: Fri, 24 May 1996 07:43:06 -0700 (PDT) > From: Sandy Sandfort > Subject: PILATE SAYETH UNTO HIM... > > It isn't obvious that we DON'T agree. It was still a question. If there was an absolute Truth as you postulate the results would be many and varied. For instance, 1. If the Truth were absolute everyone would have to accept it as such even if they disagreed or said it wasn't the Truth. In essence it would at the same time create the ultimate Lie. This leads to a logic inconsistency, something can't be the ultimate Truth and at the same be the ultimate Lie AND claim no relativity applies. If you allow relativity into your argument then it is clear that the subject of study is not an ultimate anything. 2. What is the litmus test for ultimate Truth? How do you tell it from regular truth? How do you tell it from a lie? From the Lie? 3. If there were an ultimate Truth then this implies that it is possible to have a system which can fully describe itself.
Godel's Incompleteness Theorem would be found invalid, which by extension would have some widespread ramifications for the rest of our knowledge base. 4. An ultimate Truth would philosophically be inseparable from God. Being a pantheist, you are going to have a hard time floating that boat in my pond. 5. An ultimate truth would imply that all existence conformed or was aware of the ultimate Truth. In essence you are claiming that truth and falsity (good/bad) exist as an absolute and not a consequence of human psychology. I would be very interested in your reasoning regarding how a rock on the other side of the Magellanic Clouds could be affected by an ultimate Truth. 6. I suspect that any ultimate Truth would have to be so trivial it would be useless. Tautologies are worthless for proving anything. 7. On the issue of postulates (i.e. unprovable assumptions necessary for the creation of a logical framework - Godel rears its ugly head again) the implication is that we can now prove Euclid's 5 postulates absolutely. I am sure many mathematicians would be interested in this. > Actually, I rather fancied Bell and May's responses. To the > extent we do disagree reflects in no way on the Truth, only in > our abilities to determine what Truth is. Again, think of it > as an archetype or reality not as a popularity contest. Which reality? Yours, mine, a photon's? To a photon the entire universe is the photon. Would your Truth be true for it? It is obvious that its truths are not valid for us (unless you are claiming we are all everywhere at once). If there is no one absolute Reality how can there be an absolute Truth? > Nope, not me. Hell, I don't even claim *partial* omnipotence. > You really have to pay attention to those details. Why are you > having so much trouble understanding the question mark? I understand it quite well. Why are you having so hard a time giving me a straight answer? > > Nice tactical ploy, an ad hominem buried in a straw man argument.
> > Thanks, but you got it wrong again. Yes, there was an indirect > (and apparently valid) ad hominem, but apparently you do not know > what a straw man is. For your edification, your out-of-left-field > suggestion that my discussion of Truth represents some claim of > omnipotence on my part is clearly a straw man (and an implied ad > hominem, for good measure). If you admit fallibility then how can one claim to recognize an ultimate anything, let alone Truth? Hardly a left field question as you claim. It doesn't qualify as ad hominem because it was not directed at a personality but rather at your basic theoretical assumptions. It is completely valid (and necessary I might) to both question basic postulates (otherwise non-Euclidean geometry would not have existed) as well as to clearly elucidate what those postulates are. You did not do that, I simply asked for clarification. I have never made an attack on personality as a basis for any of my discussion on this list. I have made some comments to folks about the way they treated others, but this is clearly different than a discourse on a technical issue. At no point have I implied covertly or otherwise any statement about anybody on this list's intelligence or ability to reason being a reflection of their basic worth as a human being. I accept you each as being basically worthy of respect for no other reason than you simply exist. Whether a particular individual was right, wrong, or simply holds a radically different view than myself is not sufficient reason for me or anyone else to judge another's worth. An ad hominem is the embodiment of measuring a person's intrinsic worth by their ability to argue or hold an opinion (or spell). To my way of thinking, if the only bitch you have about an argument is whether it was spelled correctly each time, you don't have much to say worth listening to.
My response does not qualify as a straw man argument because I am discussing your original claims, not drawing an analogy and claiming equivalence. You were drawing an analogy and claiming equivalence. I have asked several times if you would accept or believe other situations to be similar, hardly the same as a straw man since you did not ask if others thought they were equivalent but simply stated it as such. To the point, I don't care where the theory came from (ever), I simply want to know if it works. If I had my way the discussion on this list would never have a personality attached to it, complete anonymity. From blancw at accessone.com Fri May 24 17:29:24 1996 From: blancw at accessone.com (blanc) Date: Sat, 25 May 1996 08:29:24 +0800 Subject: The Anti-Briefing... Message-ID: <01BB4970.70BB2BA0@blancw.accessone.com> From: Peter Wayner [......]The fact is that government enforced weak crypto is a tradeoff. We pay for the ease of the police surveillance because we make life simpler for crooks who make their living eavesdropping and circumventing security systems. The big question is whether the tradeoff is worth it. ............................................................... "Government enforced weakness": They try to do good for the benefit of all by reducing the individual's personal efficacy, until the nation is transformed into a mass of whining weanies. Like sitting ducks, everyone is then in the position of being totally vulnerable to corrupt government administrators. I wouldn't think that being of no practical use to oneself would be a valuable tradeoff, given such a (frequently recurring) potentiality.
If they really wanted the nation to be strong and secure, they would actively take up the task of providing "government assisted strength", advising us on how to protect ourselves, our property, our email....perhaps even receiving "The Briefing", so that we could all be prepared to resist (or assist in resisting) threats from pervs and terrorists, et al. (this "Briefing" reminds me of Atlas Shrugged, but in the opposite direction - where instead of the targets becoming enlightened, their minds become closed.) .. Blanc From tcmay at got.net Fri May 24 18:18:27 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 25 May 1996 09:18:27 +0800 Subject: The Anti-Briefing... Message-ID: At 2:12 PM 5/24/96, Peter Wayner wrote: >I'm sure the "Briefing" is quite impressive and it includes >several strong arguments for government surveillance. There are >bound to be more than a few kids that are alive today thanks to >eavesdropping and the quick thinking of folks in FBI, NSA et al. I expect The Briefing contains unreleased material about FBI stings and apprehensions, such as the apprehension of the group planning to shoot down several airliners in the U.S., the plans to kill Clinton in Manila, etc. No doubt it cites the killing of Pablo Escobar (the real one, not VZNuri) because he was using a typically-insecure cellphone. (Though I doubt they will mention the U.S. involvement in using a cellphone to pinpoint The Bomber, in Palestine.) And almost certainly a few juicy tidbits about "pedophile rings using PGP" (which is almost certainly the case, of course). The Briefing may also contain hints of intelligence ops which caught nuclear material smugglers, which prevented CBW attacks such as the Sarin gas attack in Tokyo, and so on. (Some of this stuff is "CLASSIFIED," and this probably increases the sex appeal to the burrowcrats who get The Briefing.
A darkened room, a succession of G-Man accounts of bad guys caught, a glimpse into the world of SIGINT, some nice dramatic music by Lalo Schifrin, and dire warnings about What Will Happen When the Bad Guys Get Crypto.) And so on. As Peter notes, there are undeniably cases where a Surveillance State can in fact capture terrorists, murderers, abortionists, smokers, carnivores, and other criminals and thoughtcriminals. >That being said, I'm sure that there is also an "anti-Briefing" >that can be given that illustrates that the huge cost of >redesigning the phone system and forcing businesses and people >to operate without protection. Here are some examples from the >recent press that I think are good arguments for why strong >crypto won't change the status quo. I agree that there are many examples that could be cited. Here are a few more: -- the spies and moles within the intelligence agencies, from the Walkers to Aldrich Ames. Here is an environment in which communications are ostensibly controlled, in which surveillance is ubiquitous, in which counterintel teams have wide lattitude to investigate, entrap, etc....and yet the crimes occurred. (Of course, we don't really know how much worse the spying would be without such surveillance. But the point is that even heavy surveillance still lets willing perps find ways.) -- drug rings have often operated right under the noses of cops, sometimes out of police stations. (The theme of any number of "Serpico"-type books, movies, and television shows.) -- and let us not forget the "Surveillance States" which already exist, or existed in recent memory. The PRC, implicated in various criminal activities, the leftist and rightist governments of the world involved in the drug trade, and so on. (The point being that even such Surveillance States have plenty of crime, and often the apparatus of the State is used for criminal purposes.) -- and so on... 
>Some might argue that if weak crypto can save one child's life >than it is worth it. This is a strong, sentimental argument, but >it really doesn't reflect the reality of the tradeoff. We could >spend a lot more money on airlines, trains and cars and save a >few kids lives, but the cost could be phenomenal. The fact is >that government enforced weak crypto is a tradeoff. We pay for >the ease of the police surveillance because we make life simpler >for crooks who make their living eavesdropping and circumventing >security systems. The big question is whether the tradeoff is >worth it. We can all think of repressive steps which undeniably will save the lives of some children, babies, old people, mothers, etc. Banning alcohol, banning smoking, banning sex outside of marriage.... (Some of these were tried, some are even now being tried by do-gooding statists....) Where the USA has gone off the beam is in legislating behaviors which are not directly harmful to others, presumably on the rationale of "the common good." But freedoms are being taken away daily in this rush to make the USA a "more pleasant" place. (The movie "Demolition Man" captured this trend nicely.) And beware the Law of Unintended Consequences. Mandatory airbags in cars, for example. They are having the effect that people are not using seat belts as often as they used to. And inflating airbags are killing children, probably more than are being saved by the airbags in the first place. Whoops. Better rethink that "we know what's good for you and we're going to force you to pay $500 more per car to have it." Meanwhile, the government pays farmers to grow tobacco.... Are things out of whack, or what? --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. 
May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From unicorn at schloss.li Fri May 24 18:50:03 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 25 May 1996 09:50:03 +0800 Subject: ecash representation In-Reply-To: Message-ID: On Fri, 24 May 1996, Black Unicorn wrote: [...] > Do you have a fact sheet on Piermont I might give to him? > > He could be in a position to generate significant business for a > consulting firm which really knew the ins and outs of strong encryption. > > I'd also be interested for my own reasons. This was not meant to go to the list, sorry everyone. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From ravage at ssz.com Fri May 24 18:51:44 1996 From: ravage at ssz.com (Jim Choate) Date: Sat, 25 May 1996 09:51:44 +0800 Subject: Truth is equivalent to law? Message-ID: <199605242031.PAA24301@einstein.ssz.com> Hi blanc, Forwarded message: > From: blanc > Subject: RE: Truth can sometimes be harmful...(talk.cpunks.truth) > Date: Fri, 24 May 1996 12:24:23 -0700 > I understood what you meant. I appreciate the general nature of truth, > in spite of the possibilities for misinterpretations of or > prevarications from it. What is the 'general nature of truth'?
> Jim, a quote for you: > > "We are able to act at all - that is to say, we have the power > to order our conduct in such a way that the ends we desire > can be attained - only because the phenomena of the world > are governed not by arbitrariness, but by laws that we have > the capacity to know something about. If it were otherwise, > we should be completely at the mercy of forces that we should > be unable to understand." > ~ Human Action, Ludwig Von Mises > > Substitute the word "truth" for "laws" and it makes equal sense. We > would be at the mercy of forces that we could not control, if our > perceptions and interpretations could not correspond to the actual, the > real, the truth. So in your mind truth is equivalent to law? In the sense of the above quote the 'laws' that are referred to are general observed regularities that we are capable of understanding. Being a pantheist and hence seeing the entire cosmos as all there is (and hence divine in toto), I can appreciate the original intent (being a physicist helps a little bit). If I accept your equivalency (which I do) then there is no such thing as Truth in the sense of the original discussion. The laws referred to in the quote have the implicit characteristic of being disproved. A characteristic not shared by Truth. I further believe the universe is understandable, just not in toto. It is a little simplistic to believe that every system in the cosmos uses all the regularities that we observe. When followed to its logical conclusion it implies that there may (are) systems which we won't be able to understand in toto (quantum effects come to mind) simply because the system that is our brain either is not complex enough or runs into the Godel paradox. In short, if we assume that we can understand the universe in toto then we have in effect demonstrated that Godel was incorrect. I have covered the ramifications of this previously.
Crypto relevancy: many assumptions that we take for granted are based upon proof and 'laws' we ASSUME to be isotropic and homogeneous. If we don't have a clear and present understanding of the 'laws', the procedures used to obtain them, and the limitations of both our 'laws' and the procedures, then we are opening ourselves up for a large dose of security by obscurity. Always question authority, it is simply another human being who does not have your best interest at heart since they have their own agenda. Jim Choate From rah at shipwright.com Fri May 24 19:00:03 1996 From: rah at shipwright.com (Robert Hettinga) Date: Sat, 25 May 1996 10:00:03 +0800 Subject: Truth can sometimes be harmful...(talk.cpunks.truth) In-Reply-To: <01BB496C.7E658A60@blancw.accessone.com> Message-ID: At 3:24 PM -0400 5/24/96, blanc wrote: > "We are able to act at all - that is to say, we have the power > to order our conduct in such a way that the ends we desire > can be attained - only because the phenomena of the world > are governed not by arbitrariness, but by laws that we have > the capacity to know something about. If it were otherwise, > we should be completely at the mercy of forces that we should > be unable to understand." > ~ Human Action, Ludwig Von Mises > Or, the terse version, from my old .sig: "Reality is not optional" -- Thomas Sowell ;-). Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://www.vmeng.com/rah/ From jimbell at pacifier.com Fri May 24 19:05:46 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 25 May 1996 10:05:46 +0800 Subject: [SCARE]: "If you only knew what we know..." Message-ID: <199605242004.NAA12841@mail.pacifier.com> At 12:26 PM 5/24/96 -0400, Simon Spero wrote: >Libyan embassies don't get bombed. 
They just have thugs shooting unarmed
>WPCs from them under protection of diplomatic immunity (I used to live in
>Pimlico, and went to college in South Kensington, and going past the
>Yvonne Fletcher memorial always got me upset
>
>Anyway, they're not just state sponsored terrorists, they're the actual
>terrorist state, and can thus easily get access to whatever
>crypto they want; in extremis shipping OTPs by diplomatic pouch; it's the
>smaller, unofficial groups where the case is most easily made.

If the Libyans are so bad (and they probably are) then why shouldn't the public in other countries be entitled to pool their contributions and take their government down? (okay, this is a rhetorical question...)

Jim Bell
jimbell at pacifier.com

From Doug.Hughes at Eng.Auburn.EDU Fri May 24 19:08:58 1996
From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes)
Date: Sat, 25 May 1996 10:08:58 +0800
Subject: (Fwd) Re: TCM: mafia as a paradigm for cyberspace
In-Reply-To: <2.2.32.19960523200615.0072a288@popmail.crl.com>
Message-ID:

>
>At 12:11 PM 5/23/96 -0800, jim bell wrote:
>
>>Tell ya what: name a weapon that CANNOT be used to harm an
>>innocent person. Go ahead, I'm waiting.
>
>The Truth?
>
>
> S a n d y

Bravo!!!! Game set match!

--
____________________________________________________________________________
Doug Hughes Engineering Network Services
System/Net Admin Auburn University
doug at eng.auburn.edu
Pro is to Con as progress is to congress

From jimbell at pacifier.com Fri May 24 19:31:58 1996
From: jimbell at pacifier.com (jim bell)
Date: Sat, 25 May 1996 10:31:58 +0800
Subject: PILATE SAYETH UNTO HIM...
Message-ID: <199605241813.LAA07195@mail.pacifier.com>

At 07:43 AM 5/24/96 -0700, Sandy Sandfort wrote:
>On Fri, 24 May 1996, Jim Choate wrote:
>
>> Sorry but the very fact that I don't agree with you is proof enough that
>> there is no absolute 'Truth' as you use it.
>
>It isn't obvious that we DON'T agree. It was still a question.
>Actually, I rather fancied Bell and May's responses.

I just dragged out my copy of a book titled "A Bodyguard of Lies," by Anthony Cave Brown. It's a book on the various deception stratagems used against the Germans in the latter part of WWII. This deception plan was given the code-name, "Bodyguard", because Churchill had said in Tehran that "In war-time, truth is so precious that she should always be attended by a bodyguard of lies."

Jim Bell
jimbell at pacifier.com

From cp at panix.com Fri May 24 19:51:25 1996
From: cp at panix.com (Charles Platt)
Date: Sat, 25 May 1996 10:51:25 +0800
Subject: Anarchy Online
In-Reply-To:
Message-ID:

On Fri, 24 May 1996, Rich Graves wrote:

> Oh, I have no doubt that he believes everything you tell him. So, Charles,
> do you think I'm a net.loon, and why? Please reply publicly on
> cypherpunks. I'd like E. Allen Smith and Jim Bell to read this.

Your wish is my command, but--who are they?

Actually Rich it took me a while to remember you. The Zundel affair didn't loom large in my life (because I wasn't part of it, I guess). I assumed you had long since moved on to more important matters. I have no idea whether you are a net.loon. But I am sorry if I misspelled your name in my book, and indeed as soon as I get offline here, I'm going to do a word search. We're making the text into pages right now, so the time is right. Which Donna did I misspell? Donna Hoffman?

--Charles Platt

From frantz at netcom.com Fri May 24 19:52:41 1996
From: frantz at netcom.com (Bill Frantz)
Date: Sat, 25 May 1996 10:52:41 +0800
Subject: Layman's explanation for limits on escrowed encryption ...
Message-ID: <199605241805.LAA11918@netcom7.netcom.com>

On Wed, 22 May 1996, Ernest Hua wrote:

> Could someone with some knowledge of NSA/DoS/FBI intentions please
> explain why key length limitations are necessary for escrowed
> encryption?
In their paper (Enabling Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure), McConnell and Appel state that they are willing to allow 80 bit GAKed hardware to be exported, but only 64 bit software. They state the reason for this difference is because it is harder to hack the hardware to defeat the GAK. Now we all know that, should this proposal be adopted, the four horsemen will use some non-GAKed cypher system, e.g. PGP, inside the GAKed envelope. When privacy is outlawed, only outlaws will have privacy. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From llurch at networking.stanford.edu Fri May 24 19:55:21 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 25 May 1996 10:55:21 +0800 Subject: Anarchy Online In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Thu, 23 May 1996, Declan McCullagh wrote: > On Thu, 23 May 1996, Timothy C. May wrote: > > >At least we now know that the National Journal hasn't heard of > > >Cyber-Anarchy--- or they didn't understand one word of it. > > > > What is this "cyber-anarchy" (or "Cyber-Anarchy") you keep talking about? > > Heh. Check out http://anarchy-online.dementia.org/book/ for Charles > Platt's "Anarchy Online." > > (Did I mention it here before? Charles talks about a few things we've > discussed here, like the Zundel mirrors, Marty Rimm, and the fight over > the CDA.) Yeah, you'd mentioned it, but I hadn't read it until just now. I see he mentions me on http://anarchy-online.dementia.org/book/section.2.html, but my name is badly misspelled; it starts with "R," not "D." Donna's name is badly misspelled, too, early on. I wholeheartedly support his conclusions, by the way. 
They're based on a number of incorrect premises, but any fictions are convenient ones. http://www.stanford.edu/~ajg/project.html http://www.c2.org/~rich/Not_By_Me_Not_My_Views/rebuttal.html - -rich -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMaX2m43DXUbM57SdAQFnWwP8DZQJL7aNCYR7P8nE/A1oRNI6IaxiUbY/ AqSWhr1WC+HjbE+V+790u7a+C4doMe7Ay+sxTe5jQpuFrExE3hMDPN7xjoxQ9rK/ MTX0pdxKIfyZDQxDV/XaxjtdMn5zH/0Ye6C+hC9QuZ8s++l3y7IuiENwOM6BYNi1 qVuzInNA3OI= =AWhp -----END PGP SIGNATURE----- From jya at pipeline.com Fri May 24 19:55:35 1996 From: jya at pipeline.com (John Young) Date: Sat, 25 May 1996 10:55:35 +0800 Subject: Denning Sums Key Escrow Message-ID: <199605242134.VAA13386@pipe2.t1.usa.pipeline.com> Professor Dorothy Denning has an impressive accounting of 30+ key escrow systems, dated May 1, 1996, at: http://guru.cosc.georgetown.edu/~denning/crypto/Appendix.html This pointer came from "Marg's" report on a Denning seminar in February at: http://www.dstc.qut.edu.au/MSU/staff/marg/denning-sem.html Marg's site also has pointers to an impressive array of worldwide E-commerce and security links at: http://www.dstc.qut.edu.au/MSU/staff/marg/ecom.html ----- Thanks much, Marg. From frantz at netcom.com Fri May 24 20:03:17 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 25 May 1996 11:03:17 +0800 Subject: VIRUS ALERT: Java virus that affects Netscape 2.0 & 2.01. Message-ID: <199605241748.KAA28206@netcom7.netcom.com> At 7:45 AM 5/24/96 -0500, Adam Shostack wrote: > Hype about Java and a move to a policy based security >mechanism are not incompatible. Perry's security model will probably >be NO Java, NO Livescript. Mine might be only Java signed by McAffee >can get more than 3 seconds of CPU time, or access remote network >ports on the server it came from, no other code can run. 
I would like to be able to enforce a policy for Java applet CPU time which says, the applet can have as much time as it wants/needs constrained by: (1) I can always determine how much it is using. (2) I can kill it without killing other processes/threads including the browser. (3) Without interfering with 1 or 2, I can set its priority in relation to other programs running on my machine. In the long term, I would like the ability to sell CPU cycles to Java applets. (Or donate cycles to projects I support.) ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From llurch at networking.stanford.edu Fri May 24 20:16:12 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 25 May 1996 11:16:12 +0800 Subject: Children's Privacy Act In-Reply-To: Message-ID: On Fri, 24 May 1996, Timothy C. May wrote: > At 6:45 AM 5/24/96, Rich Graves wrote: > >I was certainly disappointed to hear a couple of cypherpunks the other day > >discussing for-profit offshore data havens full of personal information > >that is illegal to collect in the US as a business opportunity *they* were > >interested in pursuing. I just can't see myself doing that, for anybody. > >Gubmint or private, doesn't matter. > > These off-shore data havens, possibly in Anguilla, possibly elsewhere, have > long been a motivation for crypto anarchy. Yes, but is it a motivation to do "good" or "evil"? Maybe this belongs on PHILOSOPHYpunks. Who would control the offshore data havens? What would they have on me? I am well aware of what TRW et al can do, but at least in theory (cough), they're legally accountable (cough). I know you disagree, but I'm a big fan of statutes of limitations and the firewalling of unrelated issues. 
Someone went bankrupt or beat her husband seven years ago (or whatever), I don't want to know about it. I'd rather ten (configurable) guilty men go free than one innocent man get punished. These are artificial boundaries, yes, but they're boundaries within which I'm comfortable living.

-rich

From pjb at ny.ubs.com Fri May 24 20:27:03 1996
From: pjb at ny.ubs.com (Paul J. Bell)
Date: Sat, 25 May 1996 11:27:03 +0800
Subject: (Fwd) Re: TCM: mafia as a paradigm for cyberspace
Message-ID: <9605241714.AA04977@sherry.ny.ubs.com>

Right, someone tells your wife that you are sleeping with someone else. The truth, does it hurt? (-:

-paul

> From cypherpunks-errors at toad.com Thu May 23 23:20:18 1996
> X-Sender: sandfort at popmail.crl.com
> X-Mailer: Windows Eudora Pro Version 2.2 (32)
> Mime-Version: 1.0
> Content-Type: text/plain; charset="us-ascii"
> Date: Thu, 23 May 1996 13:06:15 -0700
> To: jim bell
> From: Sandy Sandfort
> Subject: Re: (Fwd) Re: TCM: mafia as a paradigm for cyberspace
> Cc: cypherpunks at toad.com
> Sender: owner-cypherpunks at toad.com
> Content-Length: 396
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> SANDY SANDFORT
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> At 12:11 PM 5/23/96 -0800, jim bell wrote:
>
> >Tell ya what: name a weapon that CANNOT be used to harm an
> >innocent person. Go ahead, I'm waiting.
>
> The Truth?
>
>
> S a n d y
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>

From stewarts at ix.netcom.com Fri May 24 20:39:31 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Sat, 25 May 1996 11:39:31 +0800
Subject: Floating Point and Financial Software
Message-ID: <199605242014.NAA17367@toad.com>

Did that earlier posting really mean Digicash code uses 16-bit quantities for moving money around? Yow! The API says 32 bits. 32 bits isn't enough precision; 64 bits is almost always enough.
Floating point gives you about 53 bits, which is usually enough, but it fails badly for accounting. The problem is that the amount of precision in a floating-point calculation depends on the magnitude of the numbers, so A+D and B-D may have different roundoff errors, which is a Very Bad Thing when you're trying to move $D from A to B. Floating point is fine for deciding how much money to move, but you have to move the same amount in each calculation. Otherwise, if there's no clever salami-attack programmer siphoning off the roundoff error, little half-bits of salami get created or destroyed on every transaction, leaving a random-walk amount of spam or anti-spam splattered all over the accounting system, which is Not Good. And, of course, translating fractional decimal numbers of dollars into floating-point binary creates another roundoff spam event, while fixed-point systems would just use pennies or mills or microbucks and operate integrally, only doing roundoff for multiplications such as interest-rate calculation or /12s where you're deciding how much money to move from account to account.* Currency conversion is a good example - floating point may give you the most accurate number of dollars to move for a transaction of some integral number of yen, ecus, or zorkmids, which will generally be non-integral. Suppose Alice and Bob have ECU-denominated accounts, and Alice pays Bob 1 dollar, or ECU 1/1.2299=0.8130742336775 **. If Alice's account has, say, 3.1459265 million dollars' worth of ECUs, and Bob's has 2.718128459045 ECUs, it's easy to lose 4.6566e-10 ECUS in the transaction, and probably more if you didn't have decimal conversions. 64-bit integers let you use, say, millionths of a cent as your currency, with values up to +/- 8 trillion, which will handle the US Federal Debt for another couple of years, though more bits let you use the same code for anything from micropayment to hyperinflated currencies. 
One motivation for floating-point is historical computer power limits: bignum arithmetics on 8086s takes lots of work, especially in languages like Pascal or BASIC without abstract data types, and it's slow, while the 8087 chip was far faster, and handled big enough chunks of money for almost anybody who was doing their accounting on a PC instead of a Mainframe. [*My paycheck at AT&T often includes an Annual Penny Adjustment at the end of the year to correct for the monthly payments for salaries that aren't divisible by 3....] [** ECU value from WSJ May 13. Ukrainian Karbovanets were 183300/dollar.] # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 # goodtimes signature virus innoculation From crypto at nas.edu Fri May 24 20:45:11 1996 From: crypto at nas.edu (CRYPTO) Date: Sat, 25 May 1996 11:45:11 +0800 Subject: the NRC report on National Cryptography Policy Message-ID: <9604248329.AA832977773@nas.edu> Please post widely. To whom it may concern: The Computer Science and Telecommunications Board (CSTB) of the National Research Council (NRC) has completed a congressionally mandated study of national cryptography policy. The final report, Cryptography's Role in Securing the Information Society, will be released to the public on May 30, 1996 at a public briefing. A large number of the authoring committee members will attend. The public briefing will take place in the Main Lounge of the National Press Club, 14th and F Streets, N.W., Washington, D.C., from 1:00 PM to 3:00 PM, on Thursday, May 30, 1996. Committee members will respond to questions from attendees, and a limited number of pre-publication copies of the report will be available at that time. By the close of business on May 30, a summary of the report will be made available through http://www2.nas.edu/cstbweb; the full publication will be made available when final printed copies of the book are available (probably around the beginning of August). 
The committee also intends to conduct a second public briefing on the report in Menlo Park, California at SRI International. The briefing will be held in the Auditorium of the International Building from 10 to 11 am on Wednesday, June 5. The address is 333 Ravenswood Avenue, Menlo Park, California, 94025. For more information about the briefing at SRI, contact Alice Galloway at 415-859-2711 (alice_galloway at qm.sri.com).

If you have suggestions about other places that the committee should offer a public briefing, please let me know (crypto at nas.edu or 202-334-2605).

If you wish to be kept informed of various other public activities regarding dissemination of this report, you can sign up for an e-mail list by visiting the web page http://www2.nas.edu/cstbweb/notifyme.html.

I apologize to you for the short notice on this invitation, but hope that you will be able to attend.

Herb Lin
Senior Staff Officer
Study Director
CSTB/NRC Study of National Cryptography Policy

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 24 20:49:40 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 25 May 1996 11:49:40 +0800
Subject: Is Chaum's System Traceable or Untraceable?
Message-ID: <01I53GAYSQUC8Y4Z90@mbcl.rutgers.edu>

From: IN%"iang at cs.berkeley.edu" 23-MAY-1996 13:56:31.71

>Ah. I see I was misunderstood. The goal was not to make the shop anonymous,
>but rather to be able to provide change to an anonymous payer.

I had thought that the basic purpose of the fully anon system was just that - full anonymity for payer and payee. Under your suggestion, the shop gives up this anonymity under these circumstances in order to be able to make change. I'm not sure if I would call that a very good tradeoff...
-Allen From declan at well.com Fri May 24 21:01:54 1996 From: declan at well.com (Declan McCullagh) Date: Sat, 25 May 1996 12:01:54 +0800 Subject: Anarchy Online In-Reply-To: Message-ID: On Fri, 24 May 1996, Rich Graves wrote: > Oh, I have no doubt that he believes everything you tell him. I have enough respect for Charles to say that he probably doesn't believe everything *anyone* tells him, including me. -Declan From frantz at netcom.com Fri May 24 21:03:32 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 25 May 1996 12:03:32 +0800 Subject: Runtime info flow in Java Message-ID: <199605241946.MAA03873@netcom7.netcom.com> At 10:09 AM 5/24/96 -0700, Lucky Green wrote: >At 20:06 5/23/96, Norman Hardy wrote: > >>I am interested in your paper because you define the problem as we do. >>There are some who think that capability architectures are the solution. >>There is little information on how to solve these problems with >>capabilities. I am trying to find time to address some of these issues. > >I walked away from your presentation of KeyKOS with the impression that a >capability system to be secure it would have to be implemented at the OS >level. >Can you build a such a system on top of an insecure OS, as Java would have >to do? Let me take a couple of stabs at this question. A lot of the answer depends on what you mean by secure. For example, if the Java run-time can successfully contain Java applets so they can't access any of the unsecured portions of your OS, then it doesn't matter that those OS holes exist as far as protection from the applets is concerned. The proof that the Java run-time actually can do this containment is left as an exercise for the student :-). Capabilities could be used to give specific Java applets access to specific resources on your computer system. e.g. You could give an applet the capability to read a file. In the Java world it would appear as an object with only one method (read). 
The specific applet object instances which had access to that object could read the file. Others could not. A slightly different view of where capabilities might fit in is on a network of mutually suspicious actors (e.g. the global Internet). Start by assuming that each machine is strongly resistant to attack through the network. (Ironically, Mac/Wintel platforms may be easier to secure in this manner than Unix platforms because they have fewer of the compromised network daemons running. Firewalls already allow Unix networks to approach this level of security.) In this model, you must either trust or contain all the code you run on your machine. We can use certificates (ref: SPKI) to implement network capabilities. These certificates make statements of the form: The holder of the secret key which corresponds to this public key is permitted these specific forms of access to this specific resource on this location (e.g. a URL). These certificates can act like capabilities. They can be passed by creating a new certificate for the receiver which gives it the privileges implied by the old certificate. They can be rescinded in any of a number of ways. Capability certificates allow you to give access to specific resources on your machine with public key authentication to prevent spoofing. Because they support one or more techniques for the holder to pass the capability to others, they allow subcontracting computation to other machines in the network. I will note in passing that ACLs do not allow for subcontracting. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From EALLENSMITH at ocelot.Rutgers.EDU Fri May 24 21:04:02 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. 
ALLEN SMITH) Date: Sat, 25 May 1996 12:04:02 +0800 Subject: FTC online workshop on privacy Message-ID: <01I53FTZQTS08Y4Z90@mbcl.rutgers.edu> From: IN%"declan+ at CMU.EDU" "Declan B. McCullagh" 23-MAY-1996 09:57:37.53 >More to the point, the left and the right come together on privacy issues. >Remember the Christian Coalition's take on national ID cards? "Mark of >the Beast!" (Does anyone have an original cite for this? I also recall >the CC opposing Clipper...) Yes, even the CC types can get some things right. Take a look at the opposition to the Anti-Terrorism bill, for instance. Quite a few militia organizations are Christian fundamentalist in orientation (unfortunately); they were in alliance with the ACLU in opposing it. However, the objection to banning address lists of interference with private business still stands, so long as the addresses are not gotten from governmental or quasi-governmental (e.g., allowed/regulated monopoly/ogliopoly) sources. -Allen From hua at XENON.chromatic.com Fri May 24 21:07:35 1996 From: hua at XENON.chromatic.com (Ernest Hua) Date: Sat, 25 May 1996 12:07:35 +0800 Subject: why is no one (apparently) worried about escrowed key length limits? Message-ID: <199605241756.KAA07067@ohio.chromatic.com> It appears that (from the responses I have gotten on why there are key length limits at all on escrowed encryption) I am not forgetting anything obvious. So why is no one seriously questioning why this limit has to be there for key escrow? One suggestion was: the NSA does not completely trust key escrow. But if the NSA (who should know all the inner secrets of it) cannot completely trust key escrow, then why should WE trust key escrow? Obviously, the implication is that brute force (or "near brute force") methods WILL be used against encrypted transactions. 
So in the best case, there is some lower strata of law enforcement who are only allowed to use the escrowed path to intercept, but there is also some upper strata of law enforcement (presumably some anti-terrorist or national security section of ATF or FBI or CIA or Secret Service) who will be allowed to use such super-duper cracking methods to achieve their goals (assuming their goals are good).

But, if the best case happens, then we're all Ozzie and Harriet (or Archie and Edith), and we should be in a love fest with the government. Obviously we don't completely and blindly trust our government. So why do we allow the NSA to get away with such a policy?

"Here is something you can use. We can't completely trust it but it should be good enough for you folks."

Ern

From snow at smoke.suba.com Fri May 24 21:17:48 1996
From: snow at smoke.suba.com (snow)
Date: Sat, 25 May 1996 12:17:48 +0800
Subject: PILATE SAYETH UNTO HIM...
In-Reply-To:
Message-ID:

On Fri, 24 May 1996, Sandy Sandfort wrote:

> S a n d y
>
> ...WHAT IS TRUTH?

Reality viewed through the lenses of Dogma.

Petro, Christopher C.
petro at suba.com
snow at crash.suba.com

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 24 21:20:23 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 25 May 1996 12:20:23 +0800
Subject: Long-Lived Remailers
Message-ID: <01I53G3L1NBU8Y4Z90@mbcl.rutgers.edu>

From: IN%"hendersn at zeta.org.au" 23-MAY-1996 11:35:09.98

>I really like this idea. How about instead of a full-scale remailer being
>the final jump of the message, you have a _very_ simple remailer set up
>along the lines of anon.penet.fi. No encryption, just strip off the headers
>and send the message to its final destination. Sorry for being clueless in
>how this works (I'm learning as fast as I can), but wouldn't this kind of
>system be incredibly easy to start up and fold?
You could have a host of
>such final emanation points winking in and out of existence while the actual
>encrypting remailers remain relatively safe.

Well, an anon.penet.fi one has the disadvantage of not encrypting between the final sendings.... which means that it's relatively easy to trace back a given message to whatever remailer sent it, via traffic monitoring. A forwarding remailer that decrypted mail according to a published key would get around this, especially if it were being run out of a POP or other email forwarding account (otherwise, the operator of the system could just look and see what the private key was, and thus be able to trace back).

-Allen

From herodotus at alpha.c2.org Fri May 24 21:35:21 1996
From: herodotus at alpha.c2.org (herodotus at alpha.c2.org)
Date: Sat, 25 May 1996 12:35:21 +0800
Subject: SSL Telnet Proxy?
Message-ID: <199605242231.PAA12375@infinity.c2.org>

Does anyone know of a publicly available telnet proxy, preferably one using SSL?

-- Herodotus

From unicorn at schloss.li Fri May 24 21:36:58 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Sat, 25 May 1996 12:36:58 +0800
Subject: Layman's explanation for limits on escrowed encryption ...
In-Reply-To: <199605241914.MAA10326@mail.pacifier.com>
Message-ID:

On Fri, 24 May 1996, jim bell wrote:

> At 11:47 AM 5/24/96 -0400, Black Unicorn wrote:
> >On Wed, 22 May 1996, Ernest Hua wrote:
> >
> >> Could someone with some knowledge of NSA/DoS/FBI intentions please
> >> explain why key length limitations are necessary for escrowed
> >> encryption?
> >
> >To deal with the possibility that someone might slip through the cracks of
> >the escrow process.
>
> However, this escrow process is claimed to be _voluntary._ And good,
> non-escrowed encryption already exists today, outside the US. It won't be
> "slipping through the cracks," it'll be like opening the floodgates. So the
> question is still open: Why key-length limitations on export?
I never said it was a reasonable explanation, I said it was an explanation. He asked about TLA intentions, not my views. Really, and when you look at these things in the context of the Clipper like plans, i.e. setting the defacto standard and chilling the development of unescrowed strong crypto, it covers the bases nicely. The assumption that needs to be looked at is that a standard setting plan will actually shape the market. > > Jim Bell > jimbell at pacifier.com > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From EALLENSMITH at ocelot.Rutgers.EDU Fri May 24 21:48:37 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 25 May 1996 12:48:37 +0800 Subject: Children's Privacy Act Message-ID: <01I53GHKZH1M8Y4Z90@mbcl.rutgers.edu> From: IN%"gelmanl at gwis2.circ.gwu.edu" "Lauren Amy Gelman" 23-MAY-1996 14:26:28.11 >The text of the Children's Privacy Protection and Parental Empowerment >Act is available at the Epic "Children's Privacy" web site: >http://epic.org/privacy/kids/ >Read it before you trash it! I have examined it; I see no reason to change my stated opposition to it. Quite simply, it is an invasion of the privacy rights of businesses to force them to turn over such information as the law demands they turn over; it is an invasion of the property rights of businesses to mandate what they do with the information they have received and consequently own. 
-Allen From crypto at nas.edu Fri May 24 22:00:24 1996 From: crypto at nas.edu (CRYPTO) Date: Sat, 25 May 1996 13:00:24 +0800 Subject: Please Post Widely -- The NRC Cryptography Policy Report Message-ID: <9604248329.AA832976724@nas.edu> To whom it may concern: The Computer Science and Telecommunications Board (CSTB) of the National Research Council (NRC) has completed a congressionally mandated study of national cryptography policy. The final report, Cryptography's Role in Securing the Information Society, will be released to the public on May 30, 1996 at a public briefing. A large number of the authoring committee members will attend. The public briefing will take place in the Main Lounge of the National Press Club, 14th and F Streets, N.W., Washington, D.C., from 1:00 PM to 3:00 PM, on Thursday, May 30, 1996. Committee members will respond to questions from attendees, and a limited number of pre-publication copies of the report will be available at that time. By the close of business on May 30, a summary of the report will be made available through http://www2.nas.edu/cstbweb; the full publication will be made available when final printed copies of the book are available (probably around the beginning of August). The committee also intends to conduct a second public briefing on the report in Menlo Park, California at SRI International. The briefing will be held in the Auditorium of the International Building from 10 to 11 am on Wednesday, June.5. The address is 333 Ravenswood Avenue, Menlo Park, California, 94025. For more information about the briefing at SRI, contact Alice Galloway at 415-859-2711 (alice_galloway at qm.sri.com). If you have suggestions about other places that the committee should offer a public briefing, please let me know (crypto at nas.edu or 202-334-2605). 
If you wish to be kept informed of various other public activities regarding dissemination of this report, you can sign up for an e-mail list by visiting the web page http://www2.nas.edu/cstbweb/notifyme.html. I apologize to you for the short notice on this invitation, but hope that you will be able to attend. Herb Lin Senior Staff Officer Study Director CSTB/NRC Study of National Cryptography Policy From blancw at accessone.com Fri May 24 22:02:41 1996 From: blancw at accessone.com (blanc) Date: Sat, 25 May 1996 13:02:41 +0800 Subject: Truth can sometimes be harmful...(talk.cpunks.truth) Message-ID: <01BB496C.7E658A60@blancw.accessone.com> From: Sandy Sandfort This is the most concise and logical response yet, to my suggested answer of "Truth" to Bell's question. Blanc has masterfully shown why that dog won't hunt. ........................................................................... Thanks for the compliment, Sandy. I understood what you meant. I appreciate the general nature of truth, in spite of the possibilities for misinterpretations of or prevarications from it. Jim, a quote for you: "We are able to act at all - that is to say, we have the power to order our conduct in such a way that the ends we desire can be attained - only because the phenomena of the world are governed not by arbitrariness, but by laws that we have the capacity to know something about. If it were otherwise, we should be completely at the mercy of forces that we should be unable to understand." ~ Human Action, Ludwig Von Mises Substitute the word "truth" for "laws" and it makes equal sense. We would be at the mercy of forces that we could not control, if our perceptions and interpretations could not correspond to the actual, the real, the truth. (and anyway, what does God have to do with crypto? Never mind....) .. 
Blanc From snow at smoke.suba.com Fri May 24 22:06:12 1996 From: snow at smoke.suba.com (snow) Date: Sat, 25 May 1996 13:06:12 +0800 Subject: [SCARE]: "If you only knew what we know..." In-Reply-To: Message-ID: On Fri, 24 May 1996, Black Unicorn wrote: > On Thu, 23 May 1996, Mike Duvos wrote: > > > believe that Matt Blaze recently received "The Briefing" and he is > > > still on our side. > > Don't suppose Matt could do a little executive summary of > > "The Briefing" and post it to the list, could he? > Probably not unless he wanted to do time. > I suspect some anonymous person might put bamboo shoots under his > fingernails and post the results of the interrogation however. Isn't this exactly what the anon remailers were designed for? Petro, Christopher C. petro at suba.com snow at crash.suba.com From EALLENSMITH at ocelot.Rutgers.EDU Fri May 24 22:19:29 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 25 May 1996 13:19:29 +0800 Subject: An alternative to remailer shutdowns Message-ID: <01I53H8LBTAG8Y4Z90@mbcl.rutgers.edu> From: IN%"sunder at dorsai.dorsai.org" "Ray Arachelian" 23-MAY-1996 16:51:17.15 >One flaw in this is that some systems (my isp, dorsai, included) shut off >the finger daemon for security reasons. In this case, the remailer >should store the anonymous message on its hard drive for upto a week and >send a notice message to the target asking them if they want to receive >the email or not, and how to deal with future anonymous requests The >remailer then has to keep a table of those recipients for whom finger fails. One other reason to have such a voluntary message is to account for users/nyms who wouldn't want that they receive anonymous messages to be made public. For instance, that would clue in someone that they might have a nym at a nym-server, thus narrowing down the field for traffic analysis and forensic stylology. 
>While this is going to eat up a bit of space on the remailer, space could
>be limited for the user, etc. If the space on the server runs out, what
>do you do? The remailer should still inform the target, but again a
>policy question rises - does the remailer send the message anyway, does
>it delete the message but inform the target that "Sorry dude, you had an
>anonymous email, but I had no room to store it and so I deleted it. IF
>you don't want it deleted the next time around, activate finger tags
>thusly, or send a reply to this message with "Accept Anonymous Email" or
>"Reject Anonymous Email" as the subject and I'll respect your wishes from
>now on"???

The latter has the advantage of preventing spamming via flooding the remailer.

>Another thought is that we could set up some universal remailer allow
>fingering service where the remailers can use some server somewhere or a
>list of servers somewhere to look up a user's email address and see if
>they are willing to receive anonymous email. Sort of like PGP key servers.

The possible problem of improper information going out (as per the finger idea) is also the case with this one.

-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 24 22:25:13 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 25 May 1996 13:25:13 +0800
Subject: FYA: "The ANOREV INTERCEPTS" [Usenet censorship] (fwd)
Message-ID: <01I53IIPRK9S8Y4Z90@mbcl.rutgers.edu>

From: IN%"llurch at networking.stanford.edu" "Rich Graves" 24-MAY-1996 01:09:35.99
(quoting tallpaul)

>Because of the role I played in the campaign to get people to VOTE NO
>on "rec.music.white-power" many people have sent me e-mail asking about
>the vote results on several political news groups on the internet. The
>following is the latest data available as posted in the official USENET
>news group called "news.groups".

Oh?
And were you, tallpaul, behind the mailing to uninvolved mailing lists of politically-biased pleas to vote "no" on that group, sans a copy of the CFV? If I had had time, I would have voted in favor of it on those grounds.

>R. Graves was the original proponent of TPN-S. He had opposed the
>earlier RMW-P group but on technical, not political reasons, and he
>does, as he once put it, "not consider [himself] anti-racist." Rather
>Graves opposition centered on whether the nazi news group had
>demonstrated sufficient interest as a music group, whether it had been
>properly proposed in terms of proper USENET/uunet electronic paperwork
>at the like.

I have read over the proposal in question, specifically its latter version. It has a robomoderator that attempts to reach the laudable goal of reducing inappropriate crossposting by persons arguing on this issue. While I have my doubts about how effective this is likely to be (looking for whether approximately identical posts with the same subject line had been posted to the excluded groups would probably be necessary, to prevent spamming tactics from being used), it is a valid goal.

>Highly skilled technically, Graves seems quite clueless about the
>nature of fascism as a political tendency off the internet in the real
>world. He has opposed individual cybernazi dirty tricks in cyberspace,
>including some first-class technical tracking of cybernazis using
>anonymity and other devices to hide their identities. On the other
>hand, he has announced, for example, that there are only some one-to-
>two thousand hardened nazis in the entire world.

To my knowledge, Rich has not opposed anonymity; indeed, he has praised anonymity as needed on groups such as alt.revisionism. I would be interested in hearing whether tallpaul supports anonymity; it appears to be on-topic for cypherpunks.
(Interestingly, the address from which various non-political mailing lists were sent the aforementioned improper email was either quickly shut down or the product of email header faking, according to the results I got when I emailed the person back with a letter of protest.) I would also suspect that tallpaul may be biased on his estimates of the number of full-blown nazis in existence, although this admittedly depends on definitions; activists are prone, often innocently, to overinflate the problems with which they deal. (I refer interested parties to the statistics on rape customarily used by those promoting action against it; they typically include such occurrences as sexual harassment - a usage of free speech. While I disapprove of sexual harassment and tend to regard rapists as proper subjects for the death penalty, I wish activists would be more accurate in their statistics.)

>Graves's new view threatens additional ominous organizing by cybernazis
>on the net as they go for an additional news group even before the
>results of their previous organizing effort is announced.

Cybernazi organizing is an inevitable consequence of the ability of all minority political groups to organize better thanks to the Internet. They have as much right to organizational activity as anyone else - including anti-fascist activists such as tallpaul. I would suggest reading over some issues of CuDigest with my contributions in them for further discussion on this matter.

-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 24 22:27:58 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 25 May 1996 13:27:58 +0800
Subject: Children's Privacy Act
Message-ID: <01I53IY1L6BG8Y4Z90@mbcl.rutgers.edu>

From: IN%"llurch at networking.stanford.edu" "Rich Graves" 24-MAY-1996 04:18:17.16

>I recognize that criminalizing the free flow of information is like trying
>to stick your finger in a dike, but every little bit has an effect.
In
>this case, I'd call it a positive effect.

That's funny, most people would call the German action to censor pro-nazi information a criminalization of the free flow of information with a positive effect.

>I was certainly disappointed to hear a couple of cypherpunks the other day
>discussing for-profit offshore data havens full of personal information
>that is illegal to collect in the US as a business opportunity *they* were
>interested in pursuing. I just can't see myself doing that, for anybody.
>Gubmint or private, doesn't matter.

Why, pray tell, _should_ someone be able to conceal that they declared bankruptcy - e.g., ran out on their debtors that they had freely contracted to repay - more than 7 years ago? Should prison terms to theft be limited to 7 years? Moreover, there are significant negative economic impacts for criminalizing the possession of such information. The above is one instance; another, which is even more of interest to me due to my profession, is that of genetic information and insurance. Genetic screening for insurance purposes decreases the risk to an insurance company. It is therefore possible to issue insurance with less of a pool backing it up (for claims in insurance, for bad debt in the case of credit). This increases the number of businesses who can get into a given market, which will decrease prices for insurance since the current insurance business is quite oligopolistic. Thus, for the average individual the availability of such information is beneficial.

I would personally be interested in setting up some such business in the future, specifically one with a genetic screening lab. While I would not wish to devote my entire time to it, I would be quite willing to help with setup and updating it - if paid a fee, of course.
-Allen From declan at well.com Fri May 24 22:38:50 1996 From: declan at well.com (Declan McCullagh) Date: Sat, 25 May 1996 13:38:50 +0800 Subject: Anarchy Online In-Reply-To: Message-ID: A shame that Charles didn't give you all the credit you so rightfully deserve. Holocaust fetishists need all the press they can get. :) Perhaps he thinks you're a net.loon -- I do suggest you ask him! Yours truly, Declan On Fri, 24 May 1996, Rich Graves wrote: > Date: Fri, 24 May 1996 10:50:05 -0700 (PDT) > From: Rich Graves > To: Declan McCullagh > Cc: "Timothy C. May" , jim bell , > cypherpunks at toad.com, cp at panix.com > Subject: Anarchy Online > > -----BEGIN PGP SIGNED MESSAGE----- > > On Thu, 23 May 1996, Declan McCullagh wrote: > > > On Thu, 23 May 1996, Timothy C. May wrote: > > > >At least we now know that the National Journal hasn't heard of > > > >Cyber-Anarchy--- or they didn't understand one word of it. > > > > > > What is this "cyber-anarchy" (or "Cyber-Anarchy") you keep talking about? > > > > Heh. Check out http://anarchy-online.dementia.org/book/ for Charles > > Platt's "Anarchy Online." > > > > (Did I mention it here before? Charles talks about a few things we've > > discussed here, like the Zundel mirrors, Marty Rimm, and the fight over > > the CDA.) > > Yeah, you'd mentioned it, but I hadn't read it until just now. I see he > mentions me on http://anarchy-online.dementia.org/book/section.2.html, but > my name is badly misspelled; it starts with "R," not "D." Donna's name is > badly misspelled, too, early on. > > I wholeheartedly support his conclusions, by the way. They're based on > a number of incorrect premises, but any fictions are convenient ones. 
>
> http://www.stanford.edu/~ajg/project.html
> http://www.c2.org/~rich/Not_By_Me_Not_My_Views/rebuttal.html
>
> - -rich
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
>
> iQCVAwUBMaX2m43DXUbM57SdAQFnWwP8DZQJL7aNCYR7P8nE/A1oRNI6IaxiUbY/
> AqSWhr1WC+HjbE+V+790u7a+C4doMe7Ay+sxTe5jQpuFrExE3hMDPN7xjoxQ9rK/
> MTX0pdxKIfyZDQxDV/XaxjtdMn5zH/0Ye6C+hC9QuZ8s++l3y7IuiENwOM6BYNi1
> qVuzInNA3OI=
> =AWhp
> -----END PGP SIGNATURE-----
>
>

From MAILER-DAEMON at kermit.aatech.com Fri May 24 22:40:46 1996
From: MAILER-DAEMON at kermit.aatech.com (MAILER-DAEMON at kermit.aatech.com)
Date: Sat, 25 May 1996 13:40:46 +0800
Subject: Alternative to remailer shutdowns...
Message-ID: <19960524.1408058.1225D@kermit.aatech.com>

There are hundreds of machines littered around the net that don't bother adding "received" headers to mail. I don't think that these provide anything near the security and anonymity that a single remailer (much less a remailing chain) provide, but it seems to me that routing outbound traffic from a remailer through one of these sites would provide at least /some/ measure of protection for the remailer-operator. It feels a bit underhanded, but it may be that involving some "innocent" bystanders in the remail process would be useful.

Even if the sites being routed through /were/ keeping logs it would still require their participation in any investigation to discover where the mail had originated, and this would introduce the question of whether the (pseudo)anonymous sendmail host should bear any liability for not tracking where mail came from. The operator of the particular smtp host would seem to have a pretty good defense should a charge be raised, but in defending the smtp-host you could also be strengthening the defense of the r-ops.

Another possibility is that rather than operating remailers at all, maybe we should be operating non-logging smtp hosts that don't add received headers.
Building a client to take advantage of these servers would be trivial (I wrote one last night, and I am not proficient in C) and it could be argued that the situation was not created intentionally to allow anonymous messages, merely to preserve disk space and bandwidth.

Flame Away...

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 24 22:44:05 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 25 May 1996 13:44:05 +0800
Subject: An alternative to remailer shutdowns
Message-ID: <01I53JFM4MP28Y4Z90@mbcl.rutgers.edu>

From: IN%"unicorn at schloss.li" "Black Unicorn" 24-MAY-1996 11:44:01.40

>While a ski-lift ticket could be considered a "license" to use the
>property, selling an actual intellectual property ITEM makes the limiting
>terms of its purchase a bit easier for a court to stomach. Telling a
>licensee that if he gets hurt its too bad, and telling one that he cannot
>call a function or copy the work are fairly distinct in this way.

Hmm... the first (license vs item) could be argued with by that the remailer operator _is_ sending the recipient a copyrighted work, which the remailer has - so far as it knows - been given proper permission to choose to transfer to the recipient. The second is more bothersome, and is an instance of the unfortunate overuse of liability in the American legal system. As you state,

>In the practical world, the plaintiff who is trying to enforce a software
>licensing agreement is much better off than a defendant trying to resist
>liability for a tort.

I would gather that countersuits for violation of a contract - that not to sue - would not be likely to succeed. Unfortunate.

>That depends. If there was reason to believe, for instance, that the
>message might indeed be four-horseman type (as a plaintiff's attorney I
>would jump all over any messages which came from "soandso at PLO.com" or
>somesuch) then negligence becomes an issue regardless. Perhaps the host
>was the site from which other nastiness was mailed?
Anything that could
>be shown to put the operator on effective, implied, or constructive notice
>that something was amiss.

A clear reason for demanding that mail come from a recognized remailer before putting it to an output end. In this case, the outputting remailer never has to worry about it - that's the job of the actual primary inputting remailer.

>Remember, technical savvy judges are few and far between. Technical savvy
>juries are nearly non-entities. My concept of what is or is not
>suspicious when it comes to such things is going to be much more
>sophisticated than that of a judge or jury in most if not all cases.
>This is an important point.
>The truth of the matter is entirely pointless in the U.S. Judicial system.
>The APPEARANCE of the matter is key.
>'punks seem to forget this in all their discussion of what a court might
>do because, simply put, they know more than 99% of the population about
>the subject.

The simple way to put this is that juries and, indeed, the voting population, are completely incompetent to be in power. This is always something that one should remember, and an excellent argument as to why democracy is not a good system of government.

>From the recipient?
>I would simply put a notice of where complaints can be directed to, and
>publish a stated (and carefully worded) policy for addressing abuses.
>This will go a LONG way to insulating remailer operators.
>"Your honor, my client has made every effort to filter the legitimate
>users of his system from the illegitimate. He has a stated policy
>regarding complaints and investigates them to the full extent of his
>ability in every case in which a complaint is filed. Even as this is so,
>he can no more completely assure that harassing messages will never slip
>through than can the U.S. post office protect every citizen from mail
>bombings."
>Or some such. If you can say this in court and back it up, you're in
>better shape.
Would also doing a respond-back hold harmless agreement, of the form perhaps of: "We do our best to guarantee that this system will not be used illegitimately. Unfortunately, this is not always possible. By responding to this message and requesting us to send you the information in question, you are agreeing to hold us harmless." help any? Or would this be seen by the court as an attempt to reduce liability when the court (incorrectly) believes it should be assigned? -Allen From remailer at flame.alias.net Fri May 24 22:45:12 1996 From: remailer at flame.alias.net (Flame Remailer) Date: Sat, 25 May 1996 13:45:12 +0800 Subject: middleman remailer available on hacktic Message-ID: <199605241955.VAA24531@basement.replay.com> The middleman remailer software is now available for download. The file middleman.tar.gz can be found on ftp.hacktic.nl in /pub/replay/pub/incoming and /pub/replay/pub/remailer. Installation instructions are included. middle-man-admin at alpha.c2.org From perry at alpha.jpunix.com Fri May 24 22:45:55 1996 From: perry at alpha.jpunix.com (John A. Perry) Date: Sat, 25 May 1996 13:45:55 +0800 Subject: middleman remailer available on hacktic In-Reply-To: <199605241955.VAA24531@basement.replay.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Fri, 24 May 1996, Flame Remailer wrote: > The middleman remailer software is now available for download. The > file middleman.tar.gz can be found on ftp.hacktic.nl in > /pub/replay/pub/incoming and /pub/replay/pub/remailer. Installation > instructions are included. I FTP'ed middleman from hacktic and have placed it in the noexport directory on the anonymous FTP site at ftp.jpunix.com. Since it contains a copy of Mixmaster with the crypto-code intact, the instructions for downloading mixmaster also apply to middleman. You can find it in the same hidden directory as mixmaster. John Perry - KG5RG - perry at alpha.jpunix.com - PGP-encrypted e-mail welcome! 
WWW - http://www.jpunix.com PGP 2.62 key for perry at jpunix.com is on the keyservers. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMaYwmFOTpEThrthvAQE0AgP/Rptxa5tO4g+WE7arfek12fKnrSjCj20u /f+a/fhjetQrbJ/FCRMYewBdpLtuC+2Qywx8+LTQXPG0fd/4cSwHTDfpcTntoxjp rU76lvJYOWHZUXjaTCaHe9JD89PI71UIRCiPfDOPEXJaQjyiwDosivNUG9jI0OUG MpGGAJLb+y8= =q4uL -----END PGP SIGNATURE----- From llurch at networking.stanford.edu Fri May 24 22:52:24 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 25 May 1996 13:52:24 +0800 Subject: Anarchy Online In-Reply-To: Message-ID: On Fri, 24 May 1996, Declan McCullagh wrote: > > Yeah, you'd mentioned it, but I hadn't read it until just now. I see he > > mentions me on http://anarchy-online.dementia.org/book/section.2.html, but > > my name is badly misspelled; it starts with "R," not "D." Donna's name is > > badly misspelled, too, early on. > > > > I wholeheartedly support his conclusions, by the way. They're based on > > a number of incorrect premises, but any fictions are convenient ones. > > > > http://www.stanford.edu/~ajg/project.html > > http://www.c2.org/~rich/Not_By_Me_Not_My_Views/rebuttal.html > > A shame that Charles didn't give you all the credit you so rightfully > deserve. Holocaust fetishists need all the press they can get. :) > > Perhaps he thinks you're a net.loon -- I do suggest you ask him! Oh, I have no doubt that he believes everything you tell him. So, Charles, do you think I'm a net.loon, and why? Please reply publicly on cypherpunks. I'd like E. Allen Smith and Jim Bell to read this. Declan, I sincerely apologize by "avoiding" you by going to a long- scheduled DHCP implementation meeting with Rob Riepel and Roger Avedon rather than taking your one call. As I told you, again, yesterday, my alphanumeric pager can be reached via rich at beep.stanford.edu (80 characters from the Subject: line), and I'd be happy to talk to you at any convenient time outside working hours. 
-rich moderator, comp.os.ms-windows.announce From hfinney at shell.portal.com Fri May 24 22:55:00 1996 From: hfinney at shell.portal.com (Hal) Date: Sat, 25 May 1996 13:55:00 +0800 Subject: Children's Privacy Act In-Reply-To: Message-ID: <199605250000.RAA11921@jobe.shell.portal.com> Rich Graves writes: >Who would control the offshore data havens? What would they have on me? I >am well aware of what TRW et al can do, but at least in theory (cough), >they're legally accountable (cough). >I know you disagree, but I'm a big fan of statutes of limitations and the >firewalling of unrelated issues. Someone went bankrupt or beat her husband >seven years ago (or whatever), I don't want to know about it. I'd rather >ten (configurable) guilty men go free than one innocent man get punished. >These are artificial boundaries, yes, but they're boundaries within which >I'm comfortable living. I think the reason (some) cypherpunks support things like offshore data havens isn't that they think it's great to reduce the amount of privacy people have. Why would they support crypto and such if that were their motivation? The real reason is because we expect that such databases are going to come into existence regardless of legal efforts. They may be "underground", or for that matter they may be run by governments themselves, whom we are supposed to trust with our secrets. The point is that the best countermeasure is to prevent the collection of the data in the first place. Ecash is better than credit cards for this reason. People should try to structure their lives so that as little information is leaked about them as possible. Relying on laws forbidding people to keep information they have run across isn't likely to be effective. Now maybe the laws, while not perfect, can still at least reduce the amount of this dataveillance. 
The problem is, this is likely to lead to a false sense of security, where people don't bother to protect their own privacy because big brother is doing it for them. We would rather have these real privacy threats be right out in the open where people can see them. In a way, our position is like those revolutionaries who are convinced the government is evil, while the populace mindlessly goes along with the status quo. Terrorists inflict terror largely to force the government to crack down, raising popular awareness of its oppressive nature, and fostering revolutionary feelings. This is not the cypherpunk goal (as I see it) but still we share the same sense of seeing trouble that most people aren't aware of. Supporting offshore data havens, while harmful to privacy in the short term, might at least awaken people to the problem. If that leads to greater awareness of the need to directly control the release of information about themselves, then in the long run it will be good. Hal From remailer at 2005.bart.nl Fri May 24 23:09:59 1996 From: remailer at 2005.bart.nl (Senator Exon) Date: Sat, 25 May 1996 14:09:59 +0800 Subject: No Subject Message-ID: <199605220300.FAA15035@spoof.bart.nl> Enough already? Please! ---------------------------------------------------------------------- *WARNING* *WARNING* *WARNING* *WARNING* *WARNING* *WARNING* *WARNING* This message has been forwarded using your anon id on the anon.penet.fi anonymous server, but any direct reply will show your real name/address. From snow at smoke.suba.com Fri May 24 23:20:19 1996 From: snow at smoke.suba.com (snow) Date: Sat, 25 May 1996 14:20:19 +0800 Subject: (Fwd) Re: TCM: mafia as a paradigm for cyberspace In-Reply-To: <9605241714.AA04977@sherry.ny.ubs.com> Message-ID: On Fri, 24 May 1996, Paul J. Bell wrote: > Right, someone tells your wife that you are sleeping with someone else. > The truth, does it hurt? (-: Not as much as finding out by catching gonherea, however you spell it. 
In this case it isn't the truth hurting, but rather the lies and broken promises. Petro, Christopher C. petro at suba.com snow at crash.suba.com From EALLENSMITH at ocelot.Rutgers.EDU Fri May 24 23:29:54 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 25 May 1996 14:29:54 +0800 Subject: Society and the Future of Computing Conference Message-ID: <01I53IYZMWGY8Y4Z90@mbcl.rutgers.edu> From: IN%"rre at weber.ucsd.edu" 24-MAY-1996 05:04:37.21 Subject: Society and the Future of Computing '96 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help at weber.ucsd.edu =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: Wed, 22 May 1996 16:14:13 -0600 (MDT) From: Rick Light Subject: Important_SFC_Update <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> Society and the Future of Computing '96 June 16-19, 1996, Snowbird, Utah, USA http://www.lanl.gov/SFC <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> The conference structure includes keynote speakers, panels of invited speakers, Net-connected poster presentations, debates, and workshops. The intent is to share ideas in a diverse multidisciplinary environment for mutual enrichment and learning, ultimately to affect the directions of computer science research and applications for the benefit of all. See the conference Web site for details and to register. Contents: --------- * Registration Still Open! * Diverse Keynote Speakers Featured * Unique Workshops Offered * Outstanding Agenda Registration Still Open! ------------------------ *** Only 3 weeks left! 
*** *** Register today to reserve your place at SFC'96! *** Registration for the conference is still available through the conference Web site "Registration" page. Electronic registrations will be accepted only through June 7th. After that you must register at the conference registration desk in the Cliff Lodge in Snowbird. To register see http://www.lanl.gov/SFC/96/reginfo.html. Diverse Keynote Speakers Featured --------------------------------- We are honored to feature the following prominent leaders from industry and academia as the keynote speakers of the conference: Laura Breeden, Formerly of USDC National Telecommunications & Information Administration Tom Landauer, University of Colorado, Boulder Bob Lucky, Bellcore Charlie Slocomb, Los Alamos National Laboratory Bud Wonsiewicz, U S WEST Advanced Technologies Bill Wulf, University of Virginia Other important leaders have been invited as moderators and panelists. See the conference Agenda Web page for details: http://www.lanl.gov/SFC/96/program.html Unique Workshops Offered ------------------------ The conference is pleased to offer 4 unique and important workshops this year. Each offers intriguing opportunities, and all 4 are very different from each other. The workshops are integrated into the conference agenda throughout the conference so that their study and findings will enhance the participants' experience of the conference as a whole, as well as offering their outcomes to the entire conference attendance. The workshops are as follows: Steve Cisler, Willard Uncapher, Larry Press: "Implications of the Net for Industrialized Countries, Developing Nations, and Indigenous Cultures" Richard G. Epstein: "Emerging Realities, Virtual and Otherwise" Mary A. 
Meyer: "Anthropology and SFC'96 Computer Technologies" Ben Shneiderman: "The Durango Declaration Continued: Toward A Snowbird Conference Statement" Outstanding Agenda ------------------ The conference technical program is very full and provides a robust, multidisciplinary agenda for a wide range of interesting and important discussions. This program is balanced with hikes in the clean mountain air of Snowbird. Attendees are coming from all over the United States and a few foreign countries as well. Please see the Web agenda page for details: http://www.lanl.gov/SFC/96/program.html Questions? ---------- All conference information and the registration form are available through the Web site (http://www.lanl.gov/SFC/96/). Any questions or comments you might have may be addressed to sfc96 at lanl.gov. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> From tcmay at got.net Fri May 24 23:32:45 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 25 May 1996 14:32:45 +0800 Subject: Children's Privacy Act Message-ID: At 11:00 PM 5/24/96, Rich Graves wrote: >Who would control the offshore data havens? What would they have on me? I >am well aware of what TRW et al can do, but at least in theory (cough), >they're legally accountable (cough). Who would control them? Their owners, presumably. What would they have on you? Depends on what you've done and what they can learn. >I know you disagree, but I'm a big fan of statutes of limitations and the >firewalling of unrelated issues. Someone went bankrupt or beat her husband >seven years ago (or whatever), I don't want to know about it. I'd rather If you don't want to know about it, fine. Set your filters to ignore such things. But suppose *I* want to know? (And there are "legitimate" reasons. Isn't it quite plausible for a woman to be interested in whether her prospective husband is a wife-beater? 
Even if the last incident occurred (or was publicly reported, at least) more than the 7-year (or whatever) period ago?)

In any case, there are public records, such as arrest records, court transcripts, newspaper articles, and so on. To forbid me from using these (to throw me in jail, ultimately, for this crime) is inconsistent with a free society.

And technology is already finding ways to route around such laws. The stuff we are involved with will shatter such laws completely.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From tcmay at got.net Fri May 24 23:35:39 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 25 May 1996 14:35:39 +0800
Subject: Children's Privacy Act
Message-ID:

At 12:00 AM 5/25/96, Hal wrote:

>I think the reason (some) cypherpunks support things like offshore data
>havens isn't that they think it's great to reduce the amount of privacy
>people have. Why would they support crypto and such if that were their
>motivation? The real reason is because we expect that such databases are
>going to come into existence regardless of legal efforts. They may be
>"underground", or for that matter they may be run by governments
>themselves, whom we are supposed to trust with our secrets.

Yes, this is part of it (at least for me, and many others have expressed similar thoughts).

We all as Cypherpunks know about "security through obscurity." Related names are: the _illusion_ of security, the "ostrich effect," etc.
(Another key development which informs the CP outlook is the Lotus experience with their CD-ROM database on zipcodes, names, etc. I think it was called "Neighborhoods." Privacy advocates bought themselves the illusion of privacy by getting Lotus to cancel this...even as the data remained available to corporate, credit, intelligence agency, etc. customers.) >The point is that the best countermeasure is to prevent the collection of >the data in the first place. Ecash is better than credit cards for this >reason. People should try to structure their lives so that as little >information is leaked about them as possible. Relying on laws forbidding >people to keep information they have run across isn't likely to be >effective. Indeed, and "privacy laws," besides infringing on the basic freedoms of people to compile public data as they see fit, give people a "security blanket" which lessens their motivation to ensure their own privacy through direct, technological means. I frankly cannot understand how _any_ member of this list could _ever_ support so-called "privacy laws." Such laws fail to actually ensure privacy, and in fact give government new avenues for control. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jimbell at pacifier.com Fri May 24 23:37:11 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 25 May 1996 14:37:11 +0800 Subject: Layman's explanation for limits on escrowed encryption ... 
Message-ID: <199605241914.MAA10326@mail.pacifier.com> At 11:47 AM 5/24/96 -0400, Black Unicorn wrote: >On Wed, 22 May 1996, Ernest Hua wrote: > >> Could someone with some knowledge of NSA/DoS/FBI intentions please >> explain why key length limitations are necessary for escrowed >> encryption? > >To deal with the possibility that someone might slip through the cracks of >the escrow process. However, this escrow process is claimed to be _voluntary._ And good, non-escrowed encryption already exists today, outside the US. It won't be "slipping through the cracks," it'll be like opening the floodgates. So the question is still open: Why key-length limitations on export? Jim Bell jimbell at pacifier.com From droelke at rdxsunhost.aud.alcatel.com Fri May 24 23:38:59 1996 From: droelke at rdxsunhost.aud.alcatel.com (Daniel R. Oelke) Date: Sat, 25 May 1996 14:38:59 +0800 Subject: Announcing CryptaPix 1.0 Message-ID: <9605241820.AA25279@spirit.aud.alcatel.com> > From: KDBriggs1 at aol.com > Date: Fri, 24 May 1996 13:05:32 -0400 > Subject: Announcing CryptaPix 1.0 > > > FOR IMMEDIATE RELEASE Information Contact: > > May 24, 1996 Kent Briggs > kbriggs at execpc.com > CIS: 72124,3234 > > > NEW GRAPHICS VIEWER FOR WINDOWS RELEASED > > Hewitt, Texas - Kent Briggs, author of Puffer, One-Page Calendar, > File Maven, and Directory Maven, has announced the release of > CryptaPix 1.0. Available in both 16-bit and 32-bit editions, > CryptaPix is a general purpose image viewer for GIF, JPG, PNG, > PCX, TIF, and BMP graphics files. > > What sets CryptaPix apart from ordinary viewers is its secure > encryption feature utilizing the same technology found in Puffer > 2.0. The encryption feature prevents unauthorized use of your > personal image collection by requiring a password for access. > Images are decrypted directly into memory for viewing. A secure > wipe feature will permanently remove unwanted images from your > disk drive. > [...more stuff deleted...] 
Expect to be hearing about this being a problem with some child porn case real soon now...

However - I can see this becoming VERY popular with the teenage crowd wanting to keep mom & dad out of their stash ;-)

That being said - Thumbs up to Kent for another crypto program that pushes the "genie" even farther out of the bottle.

Dan
------------------------------------------------------------------
Dan Oelke                                  Alcatel Network Systems
droelke at aud.alcatel.com                            Richardson, TX

From MAILER-DAEMON at kermit.aatech.com Fri May 24 23:52:26 1996
From: MAILER-DAEMON at kermit.aatech.com (MAILER-DAEMON at kermit.aatech.com)
Date: Sat, 25 May 1996 14:52:26 +0800
Subject: Alternative to remailer shutdowns...
Message-ID: <19960524.1408058.131BE@kermit.aatech.com>

There are hundreds of machines littered around the net that don't bother adding "received" headers to mail. I don't think that these provide anything near the security and anonymity that a single remailer (much less a remailing chain) provide, but it seems to me that routing outbound traffic from a remailer through one of these sites would provide at least /some/ measure of protection for the remailer-operator.

It feels a bit underhanded, but it may be that involving some "innocent" bystanders in the remail process would be useful. Even if the sites being routed through /were/ keeping logs it would still require their participation in any investigation to discover where the mail had originated, and this would introduce the question of whether the (pseudo)anonymous sendmail host should bear any liability for not tracking where mail came from. The operator of the particular smtp host would seem to have a pretty good defense should a charge be raised, but in defending the smtp-host you could also be strengthening the defense of the r-ops.

Another possibility is that rather than operating remailers at all, maybe we should be operating non-logging smtp hosts that don't add received headers.
Building a client to take advantage of these servers would be trivial (I wrote one last night, and I am not proficient in C) and it could be argued that the situation was not created intentionally to allow anonymous messages, merely to preserve disk space and bandwidth.

Flame Away...

From blancw at accessone.com Fri May 24 23:55:46 1996
From: blancw at accessone.com (blanc)
Date: Sat, 25 May 1996 14:55:46 +0800
Subject: Truth is equivalent to law?
Message-ID: <01BB499D.2F829240@blancw.accessone.com>

From: Jim Choate

So in your mind truth is equivalent to law?

In the sense of the above quote the 'laws' that are referred to are general observed regularities that we are capable of understanding. Being a pantheist and hence seeing the entire cosmos as all there is (and hence divine in toto), I can appreciate the original intent (being a physicist helps a little bit).
.......................................................................

You know how in science they speak of "laws of the universe"? The quote I offered had to do with our capacity to know the phenomena of the world (in any amount) and consequently our ability to exert control over these universal forces (or "laws") to whatever degree. It was not in reference to man-made laws, but to those principles of cause & effect, those natural forces, which have been identified as comprising the elements of existence in the known universe (no one can make verifiable remarks about it beyond that).

It isn't necessary to know the world in toto in order to realize the validity of some of its parts; we are equipped with the mechanisms and abilities to achieve a useful grasp of what's going on, and what we grasp as being "true" can be satisfactorily distinguished from what is "false" (or a "mistaken assumption").

Nevertheless, the original subject of this thread was about the harmfulness in truth, not with how much of it we can grasp at any time or whether Goedel was incorrect.
I guess your argument is that we can't even discuss the properties of truth, harmful or not, because we can't even be sure that there is any truth in existence. This makes all your robotics projects bogus exercises in futility, hmm? The general nature of truth has to do with the difference it makes in the calculations of humans, and the consequences of those calculations upon their lives. (like, if truth is harmful, should any human being be allowed to use it, speak it, express it, think it; put a crypto envelope around it and send it?) .. Blanc (sigh) From richieb at teleport.com Sat May 25 00:22:01 1996 From: richieb at teleport.com (Rich Burroughs) Date: Sat, 25 May 1996 15:22:01 +0800 Subject: Another attack on alt.religion.scientology Message-ID: <2.2.32.19960525031459.0069eab8@mail.teleport.com> Someone has launched another attack on the Usenet group alt.religion.scientology. In the last five days, hundreds of messages have been posted to a.r.s. in what many presume to be yet another attempt by CoS to stifle criticism and shut down the newsgroup. The first poster used the return address "Chris Maple" , and made use of a mail gateway at Yale. The Yale admins closed the gateway to the spammer, but several hundred posts had already made it through (I got at least 400 here). I believe the Yale admin said that 800 more attempts were made to post to a.r.s. after the gateway had been closed. Since then, "Chris Maple" has been followed by several other vertical spammers, all posting similar material, even formatted the same -- same intro and URLs at the end. As each new vertical spammer shows up we contact their ISP, but by the time anything happens we have several hundred more messages. The group has been flooded with spam for about five days straight. 
While there is no direct evidence, AFAIK, that CoS is responsible for the attack, it is consistent with their ongoing attempts to silence their critics, including lawsuit, harassment by private investigators, rmgrouping a.r.s., and (presumably) shutting down hacktic. Please let others know about what's happening, and feel free to repost this message in appropriate forums. Thanks, Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From unicorn at schloss.li Sat May 25 00:26:46 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 25 May 1996 15:26:46 +0800 Subject: Remailers - What exists? Message-ID: Question: Which remailers can be run without root? Which remailers can be run best on the most systems? Which remailers are easiest to set up? --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Sat May 25 00:29:10 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 25 May 1996 15:29:10 +0800 Subject: [SCARE]: "If you only knew what we know..." In-Reply-To: Message-ID: On Fri, 24 May 1996, snow wrote: > On Fri, 24 May 1996, Black Unicorn wrote: > > On Thu, 23 May 1996, Mike Duvos wrote: > > > > believe that Matt Blaze recently received "The Briefing" and he is > > > > still on our side. > > > Don't suppose Matt could do a little executive summary of > > > "The Briefing" and post it to the list, could he? > > Probably not unless he wanted to do time. 
> > I suspect some anonymous person might put bamboo shoots under his
> > fingernails and post the results of the interrogation however.
>
> Isn't this exactly what the anon remailers were designed for?

That was the point, yes.

>
> Petro, Christopher C.
> petro at suba.com
> snow at crash.suba.com
>
>

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55  E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From fletch at ain.bls.com Sat May 25 00:29:27 1996
From: fletch at ain.bls.com (Mike Fletcher)
Date: Sat, 25 May 1996 15:29:27 +0800
Subject: Alternative to remailer shutdowns...
In-Reply-To: <19960524.1408058.1225D@kermit.aatech.com>
Message-ID: <9605250258.AA00973@outland.ain_dev>

> There are hundreds of machines littered around the net that
> don't bother adding "received" headers to mail.
[ . . . ]
> Another possibility is that rather than operating remailers at all, maybe
> we should be operating non-logging smtp hosts that don't add received
> headers. Building a client to take advantage of these servers would be
> trivial (I wrote one last night, and I am not proficient in C) and it
> could be argued that the situation was not created intentionally to allow
> anonymous messages, merely to preserve disk space and bandwidth.

You really don't even need a client. RFC822 defines a method for bouncing mail through another server. Just use "user%final.dest.com at laxly.configured.org" as the address and laxly.configured.org will send it on to user at final.dest.com.

Wonder what would happen if the sendmail in the (Linux|NetBSD|your favourite i386 UNIX) distributions came configured to not add Received: headers by default . . . .
Probably would make diagnosing bounces hell, but it would make a lot of remailer-chain tail ends.

Anyone tried out whitehouse.gov to see if it's adding Received:'s or not yet? :)

---
Fletch                                                     __`'/|
fletch at ain.bls.com  "Lisa, in this house we obey the     \ o.O'   ______
404 713-0414(w)       Laws of Thermodynamics!" H. Simpson =(___)= -| Ack. |
404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43  U      ------

From EALLENSMITH at ocelot.Rutgers.EDU Sat May 25 00:34:46 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 25 May 1996 15:34:46 +0800
Subject: An alternative to remailer shutdowns
Message-ID: <01I53O6XASPY8Y4ZAY@mbcl.rutgers.edu>

From: IN%"unicorn at schloss.li" "Black Unicorn" 24-MAY-1996 20:51:51.95

>Nothing. Perhaps block e-mail from the address the threat mail was sent
>from after a certain number of legitimate complaints.

>This, of course, depends on the threats/whatever being sent to the
>remailer in question as a 'first in chain' mailer.

It also depends on the remailer being able to tell that the messages in question came from a particular address. If the messages are encrypted with the keys of the other remailers in the chain (as should be the case for proper privacy, etcetera), then there's no real way to tell for many cases. About the only exception would be recognizable spam, all being sent along the same remailer path (notice that lots and lots of mail is being sent from an address, and is going out to the same other remailer).

>Ask the recipient if he or she wishes all encrypted mail addressed to his
>or her key to be suppressed.

This is a version of the final remailer blocking mail to a particular address, at least using the possible means (see above).

-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Sat May 25 00:38:17 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 25 May 1996 15:38:17 +0800
Subject: Anarchy Online
Message-ID: <01I53NY1MORK8Y4ZAY@mbcl.rutgers.edu>

From: IN%"cp at panix.com" "Charles Platt" 24-MAY-1996 20:49:17.28
To: IN%"llurch at networking.stanford.edu" "Rich Graves"
CC: IN%"declan at well.com" "Declan McCullagh", IN%"cypherpunks at toad.com"
Subj: RE: Anarchy Online

Received: from toad.com by mbcl.rutgers.edu (PMDF #12194) id <01I53IQ90DU88WW6WB at mbcl.rutgers.edu>; Fri, 24 May 1996 20:49 EDT
Received: (from majordom at localhost) by toad.com (8.7.5/8.7.3) id OAA19674 for cypherpunks-outgoing; Fri, 24 May 1996 14:36:05 -0700 (PDT)
Received: from panix.com (panix.com [198.7.0.2]) by toad.com (8.7.5/8.7.3) with ESMTP id OAA19649 for ; Fri, 24 May 1996 14:35:32 -0700 (PDT)
Received: (from cp at localhost) by panix.com (8.7.5/8.7/PanixU1.3) id RAA16576; Fri, 24 May 1996 17:35:33 -0400 (EDT)
Date: Fri, 24 May 1996 17:35:33 -0400 (EDT)
From: Charles Platt
Subject: RE: Anarchy Online
In-reply-to:
Sender: owner-cypherpunks at toad.com
To: Rich Graves
Cc: Declan McCullagh , cypherpunks at toad.com
Message-id:
X-Envelope-to: eallensmith
Content-type: TEXT/PLAIN; charset=US-ASCII
MIME-Version: 1.0
Precedence: bulk

>On Fri, 24 May 1996, Rich Graves wrote:

>> Oh, I have no doubt that he believes everything you tell him. So, Charles,
>> do you think I'm a net.loon, and why? Please reply publicly on
>> cypherpunks. I'd like E. Allen Smith and Jim Bell to read this.

>Your wish is my command, but--who are they?

I am not particularly sure why Rich named either me or Jim Bell as particular recipients of this message. If you're curious as to what my viewpoint is, I would suggest reading over various CuDigest issues that show up as having messages from EALLENSMITH or E. Allen Smith on them (the mbcl.rutgers.edu sometimes fluctuates).

>Actually Rich it took me a while to remember you. The Zundel affair didn't
>loom large in my life (because I wasn't part of it, I guess).
I assumed >you had long since moved on to more important matters. I have no idea >whether you are a net.loon. But I am sorry if I misspelled your name in my >book, and indeed as soon as I get offline here, I'm going to do a word >search. We're making the text into pages right now, so the time is right. I would guess Rich is referring to that Declan was actually the second person to put up a mirror and publicize it; Rich was the first. (I may not be completely accurate in this; not being one of the participants, I didn't exactly follow the Rich-Declan discussion on the subject here on cypherpunks that closely.) Interesting book from what I've read of it; I will read farther when I have time. -Allen From declan+ at CMU.EDU Sat May 25 00:38:31 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sat, 25 May 1996 15:38:31 +0800 Subject: Children's Privacy Act In-Reply-To: <01I53GHKZH1M8Y4Z90@mbcl.rutgers.edu> Message-ID: <8ldbhXq00iWT09gHY9@andrew.cmu.edu> Excerpts from internet.cypherpunks: 24-May-96 Re: Children's Privacy Act by "E. ALLEN SMITH"@ocelot. > I have examined it; I see no reason to change my stated opposition > to it. Quite simply, it is an invasion of the privacy rights of businesses to > force them to turn over such information as the law demands they turn over; it > > is an invasion of the property rights of businesses to mandate what they do > with the information they have received and consequently own. >From a strict libertarian standpoint, it may implicate property rights. I won't argue that. But I tend to think of my (and individual) privacy rights as ones that should receive greater attention than a businesses "privacy rights." If they have mailing list info on me, I'd like to know where they got it. 
-Declan From blancw at accessone.com Sat May 25 00:45:11 1996 From: blancw at accessone.com (blanc) Date: Sat, 25 May 1996 15:45:11 +0800 Subject: FW: INTERNET NETWORK PROFESSIONALS Message-ID: <01BB49A7.15260580@blancw.accessone.com> This was posted to a local mailing list; I thought some of you might be interested. .. Blanc ---------- From: Herbert Edelhertz[SMTP:edel at halcyon.com] Sent: Friday, May 24, 1996 16:08 To: seasigi at halcyon.com Subject: INTERNET NETWORK PROFESSIONALS >Date: Fri, 24 May 96 11:56:09 CST >From: "Sharon M. Hughes" >To: edel at halcyon.com >Subject: INTERNET NETWORK PROFESSIONALS >X-UIDL: d791369eb8aa0a0d02201d3a635acbd5 > > Herbert, > > My name is Sharon Hughes and I am a recruiter at Deloitte & Touche > Consulting Group. We are looking for Internet Network > Developers for a new start-up venture in Chicago. > > I would like to post this ad with the Internet SIG, Pacific Northwest > Users Group. > > Your assistance to this matter is appreciated. > > Thank you, > > Sharon Hughes > > _________ > Internet Developers for Startup Opportunity > > Deloitte & Touche Consulting Group is the Management Consulting > Services division of Deloitte & Touche LLP, the worldwide accounting > and professional services firm. We have over 2,700 consulting > partners and staff in the US and over 6,000 worldwide. > > Deloitte & Touche Consulting Group is looking for Internet gurus > (multiple positions open) for a fully funded startup with tremendous > growth potential, starting immediately. The positions are located in > a northern suburb of Chicago. > > Specialists are required with implementation experience in Electronic > Commerce and the Internet in the areas of e-mail integration, > encryption, authentication and secure transport over the Internet. A > minimum of three years experience in one or more of the following > three areas is necessary, in addition to object-oriented development > in C++ on Unix (Solaris). 
Unix inter-process communications, > distributed computing software development and optimization a plus. > > Internet Transport/Security: TCP/IP, HTTP, FTP, SSL, CGI, IPSET, firewalls > E-mail: e-mail integration, SMTP, MIME, S/MIME, MAPI, SET, X.509 > directory services, LDAP, X.500 > > Encryption: RSA, PGP, PEM, MOSS, integration of encryption > technologies > > Experience in HTML, Web Servers and Web Home page creation only, > without development experience in other areas will not be adequate > qualifications. > > Minimum educational requirement is a B.S., with M.S. preferred. > > > Please submit resume to: > > Sharon Hughes > Deloitte & Touche Consulting Group > 180 N. Stetson, Chicago, IL 60601. > > Tel. (800)895-0469 > Fax (800)895-0465 > Internet: smhughes at dttus.com > > > > From EALLENSMITH at ocelot.Rutgers.EDU Sat May 25 00:50:01 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 25 May 1996 15:50:01 +0800 Subject: Children's Privacy Act Message-ID: <01I53Q0L7J6A8Y4ZAY@mbcl.rutgers.edu> From: IN%"declan+ at CMU.EDU" "Declan B. McCullagh" 24-MAY-1996 23:16:49.32 >From a strict libertarian standpoint, it may implicate property rights. >I won't argue that. >But I tend to think of my (and individual) privacy rights as ones that >should receive greater attention than a businesses "privacy rights." If >they have mailing list info on me, I'd like to know where they got it. Well, it's either from someone you chose to hand it over to... or from someone you didn't. In the first case, it's your problem. In the second case, then you've got a claim. We have no disagreement on that governments and other coercive institutions shouldn't be allowed to collect more information than necessary, or to release any such information to an uninvolved third party. As Hal pointed out, we also have no disagreement with trying to reduce the level of information that you give out by accident or for the sake of convenience - e.g., credit cards. 
-Allen

From ravage at ssz.com Sat May 25 00:52:56 1996
From: ravage at ssz.com (Jim Choate)
Date: Sat, 25 May 1996 15:52:56 +0800
Subject: Truth is equivalent to law? (fwd)
Message-ID: <199605250439.XAA25212@einstein.ssz.com>

Hi Blanc,

Forwarded message:

> From: blanc
> Subject: RE: Truth is equivalent to law?
> Date: Fri, 24 May 1996 18:14:33 -0700
>
> The quote I offered had to do with our capacity to know the phenomena of
> the world (in any amount) and consequently our ability to exert control
> over these universal forces (or "laws") to whatever degree.

Why is this so surprising? We are nothing more than a manifestation of those self same forces. It is not us manipulating nature, it is nature manipulating nature. This is why there are no Truths and what we do know of truth is more a tale about us than about what we 'know' of the universe. The universe is sentient, and we are it (as far as we know). What you and others offer is a bipolar anthropocentric example of the schism our rapid technology has generated in our lives.

> I guess your argument is that we can't even discuss the properties of
> truth, harmful or not, because we can't even be sure that there is any
> truth in existence.

There is no absolute truth. As I have stated before when this issue has arisen, the truth we all see and know so well is nothing more than a representation of what good pattern recognition engines our brains are. One which makes mistakes in easily proven ways (e.g. optical illusions).

> This makes all your robotics projects bogus exercises in futility, hmm?

Actually I have been building robots for nearly 20 years now.

                                                  Jim Choate

 \\/////    "Don't have a cow, man"
 |     | /
 (.) (.)
===========================oOO==(_)==OOo========================== Tivoli an IBM company CyberTects: SSZ Customer Support Engineer SOHO Consulting/VR/Robotics 9442 Capitol of Texas Highway North 1647 Rutland Suite 500 #244 Austin, TX 78759 Austin, TX 78758 Email: jchoate at tivoli.com Email: ravage at ssz.com Phone: (512) 436-8893 Phone: (512) 259-2994 Fax: (512) 345-2784 Fax: n/a WWW: www.tivoli.com WWW: www.ssz.com Modem: n/a Modem: (512) 836-7374 Pager: n/a Pager: n/a Cellular: n/a Cellular: n/a ===================================================================
From EALLENSMITH at ocelot.Rutgers.EDU Sat May 25 00:57:51 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 25 May 1996 15:57:51 +0800 Subject: Layman's explanation for limits on escrowed encryption ... Message-ID: <01I53K6SDN348Y4Z90@mbcl.rutgers.edu> From: IN%"unicorn at schloss.li" "Black Unicorn" 24-MAY-1996 15:07:57.78 >On Wed, 22 May 1996, Ernest Hua wrote: >> Could someone with some knowledge of NSA/DoS/FBI intentions please >> explain why key length limitations are necessary for escrowed >> encryption? >To deal with the possibility that someone might slip through the cracks of >the escrow process. >Insurance. Hmm.... what were the normal key-length recommendations again? This appears to imply that the NSA can break at least 64-bit, and probably 80-bit, encryption. How does this translate into public key lengths? E.g., how many normal bits is a 1024-bit PGP key equivalent to? -Allen From snow at smoke.suba.com Sat May 25 01:17:51 1996 From: snow at smoke.suba.com (snow) Date: Sat, 25 May 1996 16:17:51 +0800 Subject: SSL Telnet Proxy? In-Reply-To: <199605242231.PAA12375@infinity.c2.org> Message-ID: On Fri, 24 May 1996 herodotus at alpha.c2.org wrote: > Does anyone know of a publically available telnet proxy, preferably > one using SSL? There is SSH, more of a rlogin. I don't know if it uses SSL or not. Here is the first bit of the README: Ssh (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another.
It provides strong authentication and secure communications over insecure channels. It is intended as a replacement for rlogin, rsh, rcp, and rdist.

See the file INSTALL for installation instructions. See COPYING for license terms and other legal issues. See RFC for a description of the protocol. There is a WWW page for ssh; see http://www.cs.hut.fi/ssh.

Compiled out of the box under linux.

Petro, Christopher C.
petro at suba.com
snow at crash.suba.com

From snow at smoke.suba.com Sat May 25 01:19:27 1996
From: snow at smoke.suba.com (snow)
Date: Sat, 25 May 1996 16:19:27 +0800
Subject: [SCARE]: "If you only knew what we know..."
In-Reply-To:
Message-ID:

On Fri, 24 May 1996, Black Unicorn wrote:
> On Fri, 24 May 1996, snow wrote:
> > On Fri, 24 May 1996, Black Unicorn wrote:
> > > On Thu, 23 May 1996, Mike Duvos wrote:
> > > > > believe that Matt Blaze recently received "The Briefing" and he is
> > > > > still on our side.
> > > > Don't suppose Matt could do a little executive summary of
> > > > "The Briefing" and post it to the list, could he?
> > > Probably not unless he wanted to do time.
> > > I suspect some anonymous person might put bamboo shoots under his
> > > fingernails and post the results of the interrogation however.
> >
> > Isn't this exactly what the anon remailers were designed for?
>
> That was the point, yes.

Sorry, I was on skim mode, and missed the "posts the results" portion. I was just thinking along the lines of getting the bamboo slivers (shoots don't work too good) under the finger nails. How pedestrian.

Petro, Christopher C.
petro at suba.com
snow at crash.suba.com

From snow at smoke.suba.com Sat May 25 01:24:13 1996
From: snow at smoke.suba.com (snow)
Date: Sat, 25 May 1996 16:24:13 +0800
Subject: Is Chaum's System Traceable or Untraceable?
In-Reply-To: <01I53GAYSQUC8Y4Z90@mbcl.rutgers.edu>
Message-ID:

On Fri, 24 May 1996, E. ALLEN SMITH wrote:
> From: IN%"iang at cs.berkeley.edu" 23-MAY-1996 13:56:31.71
>
> >Ah. I see I was misunderstood.
The goal was not to make the shop anonymous,
> >but rather to be able to provide change to an anonymous payer.
>
> I had thought that the basic purpose of the fully anon system was just
> that - full anonymity for payer and payee. Under your suggestion, the shop
> gives up this anonymity under these circumstances in order to be able to make
> change. I'm not sure if I would call that a very good tradeoff...

Howzabout this: Figure out about how many coins of each denom. the shop should have on hand, and every so often the shop goes online to even out its till. That way the shop maintains the capability to make change for anything.

Alternative: Instead of the shop going online every minutes, set it up so that every time the shop goes online it evens out the till so that it really isn't known whether the shop went online to make change for a specific customer, or just to even out the till.

Petro, Christopher C.
petro at suba.com
snow at crash.suba.com

From jimbell at pacifier.com Sat May 25 01:25:46 1996
From: jimbell at pacifier.com (jim bell)
Date: Sat, 25 May 1996 16:25:46 +0800
Subject: [SCARE]: "If you only knew what we know..."
Message-ID: <199605250455.VAA04892@mail.pacifier.com>

At 09:07 PM 5/24/96 -0600, David Rosoff wrote:
>At 01.03 PM 5/24/96 -0800, jim bell wrote:
>
>>If the Libyans are so bad (and they probably are) then why shouldn't the
>>public in other countries be entitled to pool their contributions and take
>>their government down?
>
>I believe I understand the basic concepts of AP - perhaps not the far-reaching
>implications, but the fundamentals. I've thought about it, and I am against this
>system. What will happen when you've killed off all of the politicians/gov't employees
>who haven't quit? Do you really think this will make things better?

1. There will be no politicians and government employees, except for those few who do not arouse the ire of more than a tiny fraction of the population, and are paid for by voluntary contributions.
In other words, damn few.

2. There will be no taxes and no war. Any disputes will be of very small scale, a handful of people at most.

3. Individuals will be able to, and in fact will be responsible to defend themselves, although they may be able to do it by proxy. People will always have the option of defending others, and will do so if they believe that it deters future crimes that might be against them.

>Anarchy simply
>won't work with people. Have you ever read Lord of the Flies? I'm sure some
>people haven't.

Yes, I read it years ago. That book is fiction. Whether it represents any sort of potential reality is highly questionable. Even its premise is stilted: It hypothesizes a tiny, essentially homogenous society populated by immature boys, dropped into circumstances entirely foreign from anything they had ever known, with no adult guidance at all. Can you really expect good results from this, in fiction no less? Would it have made a good book if everything had happened hunky-dory?

Anyway, anarchy is traditionally considered unstable because the strong are able to oppress the weak, and the weak can't effectively fight back, so governments are instituted. The system I've described, AP, allows a substantial number of anonymous weak people to (anonymously) pool their resources and defend themselves against a smaller number of strong oppressors. This is NEW. It may, in fact, allow anarchy to exist in a stable form, which may sound like an oxymoron but is not. If anarchy does indeed work, when suitably stabilized, then your premise is simply wrong.

> Have any of you AP proponents
>considered that perhaps our oh-so-corrupt government officials are simply
>the best that our amoral, decaying populace has to offer? What would we
>gain by rubbing them out?

I see we have another Dr. Pangloss here. "the best of all possible worlds."

We have plenty to gain by removing them from their positions of power. They are wasteful parasites. They engage in make-work.
They manipulate the rest of us. They criminalize activities that should not be crimes. They make us waste our resources, for example by keeping ever-larger numbers of people in jail and prison. They are protected by militaries, which are wasteful uses of our resources. Ultimately, they end up killing huge numbers of people, ultimately just to protect the supremacy of these government employees and officeholders.

> Maybe the current form of government isn't perfect, or even great, but it is still
>much better than anything that could possibly result from anonymous terrorism,
>which is really what AP is, isn't it?

Who is to say that we even need a government? What, exactly, is the function of a government? Is that function truly necessary? Remember, AP changes the political landscape substantially. You can't any longer say things like "government is necessary so that we can protect ourselves against foreign nations," because there will no longer be any foreign nations, or foreign armies, etc.

>Peace can only be achieved by understanding, not through force or fear.

Sounds like a truism that isn't necessarily true. Don't deny individuals the right to defend themselves. If you do, then you actually encourage force used against them, and magnify their fear. Don't selectively apply this rule to ordinary citizens, while forgetting to apply it to officials.

And maybe we don't really even need to "achieve peace." I've come to the conclusion that the only reason war is "necessary" is to protect the leadership of a country, not to protect its citizens. Remove that leadership from power, and peace will be automatic.

Jim Bell
jimbell at pacifier.com

From jimbell at pacifier.com Sat May 25 01:30:21 1996
From: jimbell at pacifier.com (jim bell)
Date: Sat, 25 May 1996 16:30:21 +0800
Subject: (Fwd) Re: TCM: mafia as a paradigm for cyberspace
Message-ID: <199605250142.SAA27683@mail.pacifier.com>

At 01:14 PM 5/24/96 EDT, Paul J.
Bell wrote:
>Right, someone tells your wife that you are sleeping with someone else.
>The truth, does it hurt? (-:

Let's ask John Bobbit, shall we? Ouch!

Jim Bell
jimbell at pacifier.com

From EALLENSMITH at ocelot.Rutgers.EDU Sat May 25 01:39:40 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 25 May 1996 16:39:40 +0800
Subject: Runtime info flow in Java
Message-ID: <01I53OEA1Q5O8Y4ZAY@mbcl.rutgers.edu>

From: IN%"frantz at netcom.com" 24-MAY-1996 21:22:44.97

>A lot of the answer depends on what you mean by secure. For example, if
>the Java run-time can successfully contain Java applets so they can't
>access any of the unsecured portions of your OS, then it doesn't matter
>that those OS holes exist as far as protection from the applets is
>concerned. The proof that the Java run-time actually can do this
>containment is left as an exercise for the student :-).

This does, of course, depend on one's knowing where the holes in the OS are. The Java approach, at least by default, appears to be to shut all the places where they think a hole might be, while leaving open those which an applet practically has to use. (E.g., it shouldn't be possible under the current design for an untrusted applet to access the disk; since an applet does need to use the CPU, it can consume CPU time.)

>We can use certificates (ref: SPKI) to implement network capabilities.
>These certificates make statements of the form: The holder of the secret
>key which corresponds to this public key is permitted these specific forms
>of access to this specific resource on this location (e.g. a URL). These
>certificates can act like capabilities. They can be passed by creating a
>new certificate for the receiver which gives it the privileges implied by
>the old certificate. They can be rescinded in any of a number of ways.

I suppose that the new certificate is created through a message signed by the old certificate's private key?
-Allen

From llurch at networking.stanford.edu Sat May 25 01:40:35 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 25 May 1996 16:40:35 +0800
Subject: Children's Privacy Act
In-Reply-To: <01I53IY1L6BG8Y4Z90@mbcl.rutgers.edu>
Message-ID:

On Fri, 24 May 1996, E. ALLEN SMITH wrote:

> Why, pray tell, _should_ someone be able to conceal that they declared
> bankruptcy - e.g., ran out on their debtors that they had freely contracted to
> repay - more than 7 years ago? Should prison terms to theft be limited to 7
> years?

I think forgiveness, within reason, tends to have a positive economic effect. I'm not the same person I was seven years ago, or even seven months. (Is it 7 years, btw? Or was it 12? It's arbitrary, in any case.)

I have no objection to allowing someone to become, and remain, a productive member of society years after fucking up badly. Note there are no statutes of limitations and no forgive-and-forget mandates for the more heinous violent crimes.

> Moreover, there are significant negative economic impacts for
> criminalizing the possession of such information. The above is one instance;
> another, which is even more of interest to me due to my profession, is that of
> genetic information and insurance. Genetic screening for insurance purposes
> decreases the risk to an insurance company.

Someone once said something about giving up a little freedom in return for security.

How far does this go? Do you want your insurance company controlling your life? "Managed care" is bad enough. I'm willing to pay a little more into the risk pool if it means I don't have to submit to a DNA test, and don't have to submit all of my grocery purchases for nutritional review, and don't have to be fingerprinted, and don't have to tell them the details of my sex life, and don't have to tell them every time I walk outside without wearing sunscreen.

OK, that's a straw man. The last couple examples show why some laws aren't necessary.
The market simply wouldn't accept a too-totalitarian insurance company; people would rather pay as they go, and accept the risk themselves. But why is it fair to discriminate against detectable risks, when undetectable risks may be more expensive?

-rich

From drosoff at arc.unm.edu Sat May 25 01:42:51 1996
From: drosoff at arc.unm.edu (David Rosoff)
Date: Sat, 25 May 1996 16:42:51 +0800
Subject: [SCARE]: "If you only knew what we know..."
Message-ID: <1.5.4.16.19960525030725.34bfb678@arc.unm.edu>

-----BEGIN PGP SIGNED MESSAGE-----

At 01.03 PM 5/24/96 -0800, jim bell wrote:

>If the Libyans are so bad (and they probably are) then why shouldn't the
>public in other countries be entitled to pool their contributions and take
>their government down?

I believe I understand the basic concepts of AP - perhaps not the far-reaching implications, but the fundamentals. I've thought about it, and I am against this system. What will happen when you've killed off all of the politicians/gov't employees who haven't quit? Do you really think this will make things better? Anarchy simply won't work with people. Have you ever read Lord of the Flies? I'm sure some people haven't. I will explain my reasoning.

In Lord of the Flies (a novel by William Golding) a group of British schoolboys are deposited on a desert island. They have been evacuated from England because of a nuclear war. There are no adults. A responsible few try to maintain the rules and order of society to which they all are accustomed, but they are symbolically "AP'ed" out of power when the anarchists of the group break away and form their own tribe. To make a long story short, they revert to animal sacrifice, and human sacrifice, before the story closes.

Very unsettling, no?

The defects of society can be traced back to the defects in the individual.
A direct quote from the author, who is not infallible, or even a reputable authority on the flaws and merits of humanity, but still, who is to say that once our notably corrupt governments are gone, the corruption in ourselves won't surface? Who is to say that we are any better than the government? They had to come from somewhere - the public, obviously. Have any of you AP proponents considered that perhaps our oh-so-corrupt government officials are simply the best that our amoral, decaying populace has to offer? What would we gain by rubbing them out?

The point I make is that in elected governments (and I realize, not all are so lucky) the elected people are, most likely, the best of what the public has to offer. Who can blame them for being corrupt? Doesn't all power corrupt? I believe so. Maybe the current form of government isn't perfect, or even great, but it is still much better than anything that could possibly result from anonymous terrorism, which is really what AP is, isn't it?

Peace can only be achieved by understanding, not through force or fear.

>(okay, this is a rhetorical question...)

Oops. Well. It's too late now... :-)

David

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMaZ4tRguzHDTdpL5AQEW3gP+OvHHoPxJnFQUahCsjYcQaRJ2FV6eJA7F
s0BQ0jSvJCsGjMCEzT+bsNpErSNVxIafuq5AkMJQFhQHkhxUrPl/eqtBhomh5YV1
6CD5VGL0y030zmdzDBhLpJjLjKIkMzAC1DIdLmWCXZRyHDCD00KRdyRup72XZAqQ
Ka3Klr8JOBQ=
=LXi/
-----END PGP SIGNATURE-----

From EALLENSMITH at ocelot.Rutgers.EDU Sat May 25 01:47:01 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 25 May 1996 16:47:01 +0800
Subject: Children's Privacy Act
Message-ID: <01I53P6L2ZIQ8Y4ZAY@mbcl.rutgers.edu>

From: IN%"llurch at networking.stanford.edu" "Rich Graves" 24-MAY-1996 21:35:29.54

>I think forgiveness, within reason, tends to have a positive economic
>effect. I'm not the same person I was seven years ago, or even seven
>months. (Is it 7 years, btw? Or was it 12? It's arbitrary, in any case.)
>I have no objection to allowing someone to become, and remain, a
>productive member of society years after fucking up badly. Note there are
>no statutes of limitations and no forgive-and-forget mandates for the more
>heinous violent crimes.

I have no objections to giving people a second chance. I just like to know _when_ I'm giving someone a second chance. What the laws in question say is that companies - and individuals, so far as I know - shouldn't be allowed to have that knowledge.

>Someone once said something about giving up a little freedom in return for
>security.

Do try to keep in mind the freedom of the data-gatherer. This was also said in regards to government. I'd agree with keeping governments and similar coercive forces (e.g., monopolistic and oligopolistic companies) from having this information, or from misusing it if they have to have it for some reason.

>OK, that's a straw man. The last couple examples show why some laws aren't
>necessary. The market simply wouldn't accept a too-totalitarian insurance
>company; people would rather pay as they go, and accept the risk
>themselves. But why is it fair to discriminate against detectable risks,
>when undetectable risks may be more expensive?

Discriminate? A rather loaded term. I generally define discrimination, and have confirmed this definition by a dictionary check, as bias against someone on a basis other than rational information. If someone refuses to hire me for a job necessitating calligraphy, they aren't discriminating against me or other people with bad handwriting (including those, like me, who have that due to neurological problems). They're being rational. A health insurance company that judges who should be insured by that company on the basis of whether the person is likely to get sick is surely being rational. A credit company that judges who should get credit from that company on the basis of whether that person is likely to declare bankruptcy is surely being rational.
Moreover, even when it isn't rational, it's still that company's business what it does with its dollars. It's analogous to the problem of not allowing people to freely contract not to sue, as in remailers. While it might be considered stupid for someone to do so - particularly in hindsight, when they're claiming that they should be able to do so - the person should still be allowed to do so.

In regards to accepting the risk themselves, look at what happens when you have insurance companies that are required to accept everyone at an equal price. The ones who have information - denied to the insurance company - that they're going to get sick will sign up more than the ones who won't. Take Huntington's as an example. If genetic screening is prohibited to insurance companies, someone who has a test and finds out that they've got the allele for Huntington's, and thus will get sick and die from it, is going to go down and get themselves insurance. Then the insurance - e.g., everyone else who buys from that insurance company - will have to pay for them when they need several years of nursing care before dying. How is this fair to everyone else, including the insurance company?

You spoke of fairness. Capitalism isn't fair; neither is life. Someone who is bigger physically will have to spend more on food to keep alive than someone who is small. Does that argue for socialization of food, so that those who are big (partially a genetic trait) won't have to pay any more? Some people are smarter than others. Does that mean that the ones who are smart should be handicapped artificially to make everything fair?

Most arguments on fairness ultimately come down to either appeals to gut instincts - not a valid argument - or philosophical ones, generally Rawls' Theory of Justice. That one has a problem. Rawls thought that the most just social system was that which a group of people would come up with when they didn't know what position they'd be in.
This would lead to equality, since nobody'd want to be in the low position, right? Wrong. People can rationally take a chance. If you give someone a choice between gambling for (on the flip of a 50/50 coin) 150 or 0 dollars, and getting 50 dollars guaranteed, the rational choice is the gamble. In other words, if it is more efficient - as I have argued - for things to be unequal, then this idea of what justice is would argue for inequality being just.

-Allen

From jimbell at pacifier.com Sat May 25 01:52:16 1996
From: jimbell at pacifier.com (jim bell)
Date: Sat, 25 May 1996 16:52:16 +0800
Subject: Announcing CryptaPix 1.0
Message-ID: <199605250414.VAA03308@mail.pacifier.com>

At 01:20 PM 5/24/96 CDT, Daniel R. Oelke wrote:
>> NEW GRAPHICS VIEWER FOR WINDOWS RELEASED
>
>> What sets CryptaPix apart from ordinary viewers is its secure
>> encryption feature utilizing the same technology found in Puffer
>> 2.0. The encryption feature prevents unauthorized use of your
>> personal image collection by requiring a password for access.
>> Images are decrypted directly into memory for viewing. A secure
>> wipe feature will permanently remove unwanted images from your
>> disk drive.
>>
>[...more stuff deleted...]
>
>Expect to be hearing about this being a problem
>with some child porn case real soon now...
>
>However - I can see this becoming VERY popular with the
>teenage crowd wanting to keep mom & dad out of their stash ;-)
>
>That being said - Thumbs up to Kent for another crypto program
>that pushes the "genie" even farther out of the bottle.

What they ought to do is to "stegofy" this system by binding a picture with a lower-quality, non-suspicious picture which can be brought up with a "duress code."

Jim Bell
jimbell at pacifier.com

From EALLENSMITH at ocelot.Rutgers.EDU Sat May 25 02:03:27 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E.
ALLEN SMITH)
Date: Sat, 25 May 1996 17:03:27 +0800
Subject: An alternative to remailer shutdowns
Message-ID: <01I53PQSSUL88Y4ZAY@mbcl.rutgers.edu>

From: IN%"unicorn at schloss.li" "Black Unicorn" 24-MAY-1996 22:52:03.64

>Remailers on the attack points (first in chain, last in chain) simply MUST
>be disposable as tissue. They must be run as anonymously as possible,
>with as little connection to the ISP's assets as possible and immediately
>disposable. They must be easy to set up, runnable without root and there
>must be a much more efficient tracking mechanism. (Mr. Levin has done a
>terrific job, but even more needs to be done).

Why the first in chain? If the anti-traffic-analysis provisions are working properly, it should be impossible to prove that a given first remailer was the first remailer for any particular message. I had thought that even civil courts required that you be the person who committed some act, not the person who _might_ have committed some act. Otherwise, all the remailers are in danger. This is even if someone tries an entrapment by sending through some illegal material - if the courts accept that they should be allowed to do this, then all the remailers they chained are going to be hit.

>This wanton suing, as I think we all know, is an abuse of the copyright
>protections and their intent. The only way to really deal with it is make
>remailers unassailable. Doing that with tricky dick type legal arguments
>will, in my view, eventually fail.

Ultimately, I have to agree. Protect the remailers as much as possible with the legal arguments... but don't depend on them. The government in general has no motivation to protect the remailers. They've got a motivation to protect ISPs, and thus may put in protections for them regarding liability.

>It only takes ONE operator to get a tiny ($2500-$10,000) fine or judgement
>and that will be the end of most of the mailers. Poof.
What, pray tell, is the result of a judgement in which the person manifestly doesn't have the money to pay? I couldn't pay a 10,000 dollar judgement; I don't have that much money. I would guess it'd be some form of attachment of income; this wouldn't get them much...

>This we cannot allow.

Quite.

>I wouldn't go this far. It is an excellent argument for picking juries
>that are experts with regard to the subject at hand.

One step in this direction would be requiring some level of education from juries. If the defendant is someone with a college degree, require the jurors to have a college degree. If the defendant is someone with a Ph.D., require the jurors to have a Ph.D. or similarly high equivalent (J.D., M.D., etcetera). While this doesn't mean that the jury will necessarily know what's being talked about (I've given presentations to _graduate_ school seminars in which I went well over the heads of everyone in the class - including the professor - after spending maybe four weeks working on the project), it does increase the chance that they're at least teachable.

>In my view trying to balance bias rather than eliminate it is much more
>effective.

Modification of jury selection? Removal of some of the peremptory challenges? Hmm... some challenges are for cause, as I recall. Unless it's a particularly egregious case of such, I'd suggest allowing the other side to override such with expenditure of a peremptory challenge.

>If harassing mail is the issue, I can see how this might help in terms of
>image. I don't think it's a complete solution however.

>Again, I think the attack points have to be protected.

Agreed.

-Allen

From norm at netcom.com Sat May 25 02:06:47 1996
From: norm at netcom.com (Norman Hardy)
Date: Sat, 25 May 1996 17:06:47 +0800
Subject: Runtime info flow in Java
Message-ID:

At 9:09 AM 5/24/96, Lucky Green wrote:
....
>I walked away from your presentation of KeyKOS with the impression that a
>capability system to be secure it would have to be implemented at the OS
>level.
>Can you build such a system on top of an insecure OS, as Java would have
>to do?
....

I agree with everything that Bill Frantz said. I certainly didn't mean to imply that a system such as Java could not be secure.

I can't think about a whole system at once. We developed KeyKOS over a span of several years and we were able to convince the NCSC it had a firm security foundation. The NCSC convinced us to do some formal descriptions of our system to articulate some of our previously undescribed programming patterns. These said in a somewhat mathematical way how capabilities work. (Like you can't do something to zot unless you have a capability to zot. etc.) Object references in C++ and Java pretty much conform to these capability patterns. In Java you can get an object reference only when you create the object or some one passes it to you (or you get it thru a shared variable). In C++ you can also get an object reference by casting and other chicanery.

None of these formalities seemed the least bit surprising. There was no deep mathematical insight here. It was merely restating the familiar in very different terms. The exercise did lead us over some old territory with new eyes and we saw some easily eliminated covert channels that we had been unaware of.

We do not have a complete map between capabilities and Java. There are things about Java that we have not mapped to capabilities yet. For instance any piece of code in a Java program that can declare a reference to an object of class Zot is also able to invoke any of the public constructors for Zot. This may be too strong an ability. (In KeyKOS you could create a zot just in case you held the capability to the zot creator.) Perhaps you put all of the constructing code in static methods for Zot and make all constructors private.
It is important that some code be able to construct Zot instances that other code is unable to construct.

Java's security manager classes are not capability like. They seem to us too much like merely a series of plausible decisions for which we can see no general principles. Each decision makes sense but we have no feeling that they are complete.

I suppose that the above sounds as if I am saying "Trust us. We know all about security.". Unless the end user is able to understand just what the latitude that the applets in his machine have, he has no security. Java will not be secure until the security principles can be understood by the intelligent end-user.

I think that you must make graphically explicit which agents in the computer have access to the phone. You may be keeping secrets because untrusted agents can't phone home, or because they can't see the secrets. Current user interface design is predicated on the idea that such issues should not concern the end user. I dearly wish that when some application in my Mac complains that it can't get the phone, there were a way for me to find out who was using the phone and take it away from him. I would also like to easily deny applications access to the phone. Even more I would like to explicitly grant phone access to an application just as I must plug my modem into the phone line before it can transmit bits from my house. In such a system I could begin to reason about where the secrets were going or why things didn't work.

Access to the phone should be via a capability. The same goes for TCP connections, the ability to send a user datagram to a given IP address. Access to a random stream of bits should be via a capability. Access to a particular file or directory should be a capability. etc. etc.

Everything should be a capability!!!
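
An added Java example, not part of Norman Hardy's message and not KeyKOS or Java library code, of the two ideas in that message: private constructors behind a gated static factory, and phone access held as a capability the user can grant, list and take away. Every name here (`Phone`, `PhoneLine`, `PhoneGrant`, `Switchboard`, `Agent`) and the number dialled are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

/** Anything that can place a call. Holding a reference to one IS the permission. */
interface Phone {
    String dial(String number);
}

/** The real line. Every constructor is private, so being able to name the
 *  class is not enough to obtain an instance. */
final class PhoneLine implements Phone {
    private static boolean claimed = false;

    private PhoneLine() { }

    /** One-shot static factory, meant for trusted start-up code that runs
     *  before any untrusted code; every later caller is refused. */
    static synchronized PhoneLine claim() {
        if (claimed) throw new SecurityException("phone line already claimed");
        claimed = true;
        return new PhoneLine();
    }

    @Override public String dial(String number) { return "dialled " + number; }
}

/** Revocable forwarder: the object an untrusted agent actually receives. */
final class PhoneGrant implements Phone {
    private final String holder;
    private Phone target;                  // set to null when revoked

    PhoneGrant(String holder, Phone target) {
        this.holder = holder;
        this.target = target;
    }
    String holder() { return holder; }
    synchronized boolean live() { return target != null; }
    synchronized void revoke() { target = null; }

    @Override public synchronized String dial(String number) {
        if (target == null) throw new SecurityException("phone capability revoked");
        return target.dial(number);
    }
}

/** The user's control point: the only object that holds the real line. */
final class Switchboard {
    private final Phone line;
    private final List<PhoneGrant> grants = new ArrayList<>();

    Switchboard(Phone line) { this.line = line; }

    /** Explicit grant: the agent gets a forwarder, never the line itself. */
    Phone grant(String holder) {
        PhoneGrant g = new PhoneGrant(holder, line);
        grants.add(g);
        return g;
    }
    /** "Who has the phone?" */
    List<String> holders() {
        List<String> out = new ArrayList<>();
        for (PhoneGrant g : grants) if (g.live()) out.add(g.holder());
        return out;
    }
    /** "Take it away from him." */
    void revoke(String holder) {
        for (PhoneGrant g : grants) if (g.holder().equals(holder)) g.revoke();
    }
}

/** Untrusted agent: it can call out only through a Phone someone passed in. */
final class Agent {
    private final String name;
    private final Phone phone;             // null means no capability was given

    Agent(String name, Phone phone) { this.name = name; this.phone = phone; }

    String phoneHome() {
        if (phone == null) return name + ": no phone capability, cannot call out";
        try {
            return name + ": " + phone.dial("555-0100");   // constructed number
        } catch (SecurityException e) {
            return name + ": " + e.getMessage();
        }
    }
}

public class CapabilityDemo {
    public static void main(String[] args) {
        Switchboard board = new Switchboard(PhoneLine.claim());
        Agent mailer = new Agent("mailer", board.grant("mailer"));
        Agent game = new Agent("game", null);  // never granted the phone

        System.out.println(mailer.phoneHome());
        System.out.println(game.phoneHome());
        System.out.println("holders: " + board.holders());

        board.revoke("mailer");
        System.out.println(mailer.phoneHome());
        System.out.println("holders: " + board.holders());

        try {
            PhoneLine.claim();                 // the line cannot be claimed twice
        } catch (SecurityException e) {
            System.out.println("second claim refused: " + e.getMessage());
        }
    }
}
```

Save as `CapabilityDemo.java`. In Java the pattern holds only for code that cannot use reflection (`setAccessible`) to reach private constructors and fields, so the runtime has to deny that access to untrusted code.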
From llurch at networking.stanford.edu Sat May 25 02:23:10 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 25 May 1996 17:23:10 +0800
Subject: Children's Privacy Act
In-Reply-To: <01I53P6L2ZIQ8Y4ZAY@mbcl.rutgers.edu>
Message-ID:

On Fri, 24 May 1996, E. ALLEN SMITH wrote:

> In regards to accepting the risk themselves, look at what happens when
> you have insurance companies that are required to accept everyone at an equal
> price. The ones who have information - denied to the insurance company - that
> they're going to get sick will sign up more than the ones who won't. Take
> Huntington's as an example. If genetic screening is prohibited to insurance
> companies, someone who has a test and finds out that they've got the allele
> for Huntington's, and thus will get sick and die from it, is going to go down
> and get themselves insurance. Then the insurance - e.g., everyone else who
> buys from that insurance company - will have to pay for them when they need
> several years of nursing care before dying. How is this fair to everyone else,
> including the insurance company?

I'm sure you know the law and practice better, but my insurance seems to have a "preexisting conditions" clause. Knowingly doing the above constitutes fraud. (Of course lots of people probably get away with it.)

Moreover, when the insurance company pays out, that ultimately comes out of premiums. I don't have Huntington's, but I don't mind paying an extra $X into a risk pool for people with Huntington's because it means I don't have to submit to genetic screening, either. You don't have to have something to hide to see it as an invasion of privacy.

It's a pool of consumers establishing preferences, not just individual consumers v. producers. The meaning of microeconomics changes as it scales.

> You spoke of fairness. Capitalism isn't fair; neither is life. Someone
> who is bigger physically will have to spend more on food to keep alive than
> someone who is small.
Does that argue for socialization of food, so that

[Yawn]

By "fairness" I meant that equal risks should be treated equally. Cost of disease A = cost of disease B. The detection of predisposition to disease A is politically feasible, but the same isn't true for disease B. I'd say you were discriminating against people predisposed to disease A, because they're paying into the risk pool for B, but B isn't paying into the risk pool for A.

-rich

From blancw at accessone.com Sat May 25 02:23:17 1996
From: blancw at accessone.com (blanc)
Date: Sat, 25 May 1996 17:23:17 +0800
Subject: Truth is equivalent to law?
Message-ID: <01BB49C9.BC665DA0@blancw.accessone.com>

From: Jim Choate

What you and others offer is a bipolar anthropocentric example of the schism our rapid technology has generated in our lives.
......................................................................

Well you may be right and this may be The Absolute Truth, but I'm not saying anymore because it's hurting my brain to think about it.

..
Blanc

From tcmay at got.net Sat May 25 02:32:24 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 25 May 1996 17:32:24 +0800
Subject: Children's Privacy Act
Message-ID:

At 3:15 AM 5/25/96, Declan B. McCullagh wrote:

>But I tend to think of my (and individual) privacy rights as ones that
>should receive greater attention than a business's "privacy rights." If
>they have mailing list info on me, I'd like to know where they got it.

Well, I'd like a lot of things, but that doesn't mean I'm entitled to them.

And I think the confusion between "business rights" and "individual rights" is part of the problem here. That is, I don't see any significant distinction, nor does the Constitution say anything about rights being different. At least not for the rights usually considered to be the central rights. Thus, there is not free speech for individuals, but not for the owner of a company.
(There are many quibbles that can be made, about the alleged right of government to regulate business, interstate commerce, etc. And about the various laws that demonstrably apply to businesses, but not to individuals (OSHA, business taxes, etc.). And, regrettably, the government has placed limits on the advertising that companies--or presumably individuals--can do.)

Not to sound rude to either Declan or Rich, but here's the bottom line: If I have compiled records, dossiers, etc., as I most assuredly have (got to fill up those MO disks with something), this is "my" information. Mine in the sense that others can't dictate to me what I do with it.

What Rich or Declan "wants" is beside the point.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From unicorn at schloss.li Sat May 25 02:50:42 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Sat, 25 May 1996 17:50:42 +0800
Subject: An alternative to remailer shutdowns
In-Reply-To: <01I53JFM4MP28Y4Z90@mbcl.rutgers.edu>
Message-ID:

On Fri, 24 May 1996, E. ALLEN SMITH wrote:

> From: IN%"unicorn at schloss.li" "Black Unicorn" 24-MAY-1996 11:44:01.40

[...]

> >In the practical world, the plaintiff who is trying to enforce a software
> >licensing agreement is much better off than a defendant trying to resist
> >liability for a tort.
>
> I would gather that countersuits for violation of a contract - that not
> to sue - would not be likely to succeed. Unfortunate.

Really hard to get courts to pay attention to these.
Signing away the right to process is a thorny thing.

> >That depends. If there was reason to believe, for instance, that the
> >message might indeed be four-horseman type (as a plaintiff's attorney I
> >would jump all over any messages which came from "soandso at PLO.com" or
> >somesuch) then negligence becomes an issue regardless. Perhaps the host
> >was the site from which other nastiness was mailed? Anything that could
> >be shown to put the operator on effective, implied, or constructive notice
> >that something was amiss.
>
> A clear reason for demanding that mail come from a recognized remailer
> before putting it to an output end. In this case, the outputting remailer never
> has to worry about it - that's the job of the actual primary inputting
> remailer.

Remailers on the attack points (first in chain, last in chain) simply MUST be disposable as tissue. They must be run as anonymously as possible, with as little connection to the ISP's assets as possible and immediately disposable. They must be easy to set up, runnable without root and there must be a much more efficient tracking mechanism. (Mr. Levin has done a terrific job, but even more needs to be done).

This wanton suing, as I think we all know, is an abuse of the copyright protections and their intent. The only way to really deal with it is make remailers unassailable. Doing that with tricky dick type legal arguments will, in my view, eventually fail.

It only takes ONE operator to get a tiny ($2500-$10,000) fine or judgement and that will be the end of most of the mailers. Poof.

This we cannot allow.

>
> >Remember, technical savvy judges are few and far between. Technical savvy
> >juries are nearly non-entities. My concept of what is or is not
> >suspicious when it comes to such things is going to be much more
> >sophisticated than that of a judge or jury in most if not all cases.
>
> >This is an important point.
>
> >The truth of the matter is entirely pointless in the U.S. Judicial system.
> >The APPEARANCE of the matter is key. > > >'punks seem to forget this in all their discussion of what a court might > >do because, simply put, they know more than 99% of the population about > >the subject. > > The simple way to put this is that juries and, indeed, the voting > population, are completely incompetent to be in power. This is always > something that one should remember, and an excellent argument as to why > democracy is not a good system of government. I wouldn't go this far. It is an excellent argument for picking juries that are experts with regard to the subject at hand. In my view trying to balance bias rather than eliminate it is much more effective. > > >From the recipiant? > >I would simply put a notice of where complaints can be directed to, and > >publish a stated (and carefully worded) policy for addressing abuses. > > >This will go a LONG way to insulating remailer operators. [...] > Would also doing a respond-back hold harmless agreement, of the form > perhaps of: "We do our best to guarantee that this system will not be used > illegitimately. Unfortunately, this is not always possible. By responding to > this message and requesting us to send you the information in question, you are > agreeing to hold us harmless." help any? Or would this be seen by the court as > an attempt to reduce liability when the court (incorrectly) believes it should > be assigned? If harassing mail is the issue, I can see how this might help in terms of image. I don't think its a complete solution however. Again, I think the attack points have to be protected. > -Allen > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. 
Counsel: For all your expert testimony needs: jimbell at pacifier.com From tcmay at got.net Sat May 25 03:18:00 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 25 May 1996 18:18:00 +0800 Subject: Children's Privacy Act Message-ID: At 1:36 AM 5/25/96, Rich Graves wrote: >I think forgiveness, within reason, tends to have a positive economic >effect. I'm not the same person I was seven years ago, or even seven >months. (Is it 7 years, btw? Or was it 12? It's arbitrary, in any case.) But "forgiveness" is highly personal. That you set your personal statute of limitations at X years does not mean others do. >I have no objection to allowing someone to become, and remain, a >productive member of society years after fucking up badly. Note there are >no statutes of limitations and no forgive-and-forget mandates for the more >heinous violent crimes. You are of course free to act on your beliefs and forgive such persons. I am of course free to remember what they did and not forgive them. Or, more likely, not give them a job, not lend them money, not enter into business dealings with them, etc. (The likeliest main application of data havens are for such things. Things like "rent deadbeats," credit data extending further back in time than the "Fair Credit Reporting Act" chooses to allow, data bases of bad doctors and lawyers, etc.) Like most laws "banning discrimination," the Fair Credit Reporting Act is a gross violation of freedoms. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. 
"National borders aren't even speed bumps on the information superhighway." From stewarts at ix.netcom.com Sat May 25 03:53:29 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 25 May 1996 18:53:29 +0800 Subject: why is no one (apparently) worried about escrowed key length limits? Message-ID: <199605250733.AAA27259@toad.com> Ernest Hua and several others have asked things like: >It appears that (from the responses I have gotten on why there are key >length limits at all on escrowed encryption) I am not forgetting >anything obvious. >So why is no one seriously questioning why this limit has to be there >for key escrow? >One suggestion was: the NSA does not completely trust key escrow. But >if the NSA (who should know all the inner secrets of it) cannot >completely trust key escrow, then why should WE trust key escrow? What the NSA can't trust isn't the key escrow itself - it's the ability of applications to work around the key escrow, so they get decent encryption without escrow. They also can't 100% trust escrow agents; maybe Cosa Nostra Key Escrow has an "accidental" disk crash that wipes out 5% of their clients' keys one week, and discovers that the backup tapes can't be read. Or terrorists who've been using Uncle Sam's Nephew Fred Key Escrow make him an offer he can't refuse, just as the FBI is closing in on the terrorist ring. It's for your own protection, after all! So they need to be able to crack it, just in case. Alternatively, they really Just Don't Get It. Or they hope that industry will get tired of arguing, and take the deal in return for export permission, figuring that they've got the upper hand so they don't need to fold early, while more and more vendors succumb to FUD and make deals like Lotus. 
Or they _know_ that nobody likes it, and industry will refuse to cooperate yet again, so they'll go to Congress saying "OK, we've given the industry three _perfectly reasonable_ choices, and they're too stubborn and hostile to cooperate, so it's time to stop playing around and just make a new law whether they like it or not." # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 # goodtimes signature virus innoculation From mab at research.att.com Sat May 25 03:53:42 1996 From: mab at research.att.com (Matt Blaze) Date: Sat, 25 May 1996 18:53:42 +0800 Subject: "Key Escrow without Escrow Agents" Message-ID: <199605250132.VAA09818@nsa.tempo.att.com> Here's a draft of a (rather half-baked) data recovery scheme that I'll be presenting at a workshop next week. I've included the LaTeX source below; sorry for the length and for the formatting (which should be reasonably easy to ignore for those without LaTeX). Please include me in any response, since I don't read the list these days. -matt ======cut here==== \documentstyle[11pt,fullpage]{article} \begin{document} \title{Key Escrow without Escrow Agents} \author{{Matt Blaze}\\ AT\&T Research\\ Murray Hill, NJ 07974\\ {\tt mab at research.att.com}} \date{DRAFT -- 24 May 1996 -- Extended Abstract -- DRAFT} \maketitle \begin{abstract} We propose a simple scheme, based on secret sharing over large-scale networks, for assuring recoverability of sensitive archived data (e.g., cryptographic keys). In our model anyone can request a copy of the archived data but it is very difficult to keep the existence of a request secret or to subvert the access policy of the data ``owner''. We sketch an architecture for such a system that might be suitable for deployment over very large-scale networks such as the Internet. 
\end{abstract} \section{Introduction} In any system in which sensitive information must be stored for future use, there is a fundamental tension between ensuring the {\em secrecy} of data against those who are not authorized for access to it and ensuring its {\em availability} to those who are. Secrecy is often best served by making only a small number of carefully-guarded copies of the data, while availability favors a policy of the widest possible dissemination in the hope that at least one copy will be intact at the time it is required. In general, a balance has to be struck between these two goals based on the requirements of and resources available to the particular application, but in any case copies of the sensitive data must be controlled in some careful manner (e.g., through the use of an off-site, trusted backup facility employing guards and other effective, if expensive, security practices). Another approach is ``key escrow'', in which the sensitive data is encrypted so that the ciphertext can be widely copied and backed-up via conventional methods, but the decryption keys are controlled in some careful manner by trusted third parties who assume responsibility for revealing the keys to authorized entities in the event of an emergency. One advantage of key escrow over controlled backup of the data itself is that keys can be escrowed at any time, even prior to the creation of the actual sensitive data, and one escrowed key can represent arbitrarily much encrypted information. A number of key escrow schemes have been proposed for a variety of applications, most with the aim of facilitating law enforcement access to encrypted data, but also for commercial data recovery \cite{clipper}\cite{micali}\cite{tis}\cite{denning}. Third party backup, whether of data or keys, has a number of disadvantages, however. 
The ``escrow agents'' must be highly trusted and carefully protected, since compromise of a single escrow site (or small set of sites, in the case of split data) can result in an irrevocable loss of security. Since protecting such data is likely to be expensive, one escrow site can be expected to serve many different sets of data, making each site an attractive ``fat target'' for attack. Finally, legal, liability, and conflict-of-interest issues sometimes make it difficult to ensure that an escrow agent will act only in the best interests of the data owner, especially when served with a legal demand to turn over keys or tempted with some inducement to misbehave. One of the frequently-raised objections to government-run key escrow systems (e.g., the ``Clipper'' chip) is the fear that the escrow centers will, perhaps secretly, assist a rogue government in violating its citizens' privacy. In this abstract, we propose a different model for assuring both recoverability and protection of sensitive data based on two concepts: secret sharing and the decentralized nature of large, heterogeneous networks such as the Internet. In our model, anyone can request a copy of anyone's data but it is not possible to keep the existence of such a request secret or to subvert the access policy of the data ``owner'' without subverting a significant fraction of participants in the network. There are no explicit ``escrow agents''; instead, key shares are distributed widely to ordinary networked computers spread across a wide variety of administrative and geographic boundaries. \section{``The Net'' as an Escrow Agent} The goal of our scheme is to make it difficult to recover escrowed data without the knowledge and consent of the data owner, while still assuring high availability in an emergency.
Its security rests on the premise that highly distributed systems spread over many administrative, political, and geographic domains (such as the Internet), are more robust than any single site or small set of sites, no matter how well protected. Other systems, such as Eternity \cite{eternity}, have recognized and exploited this property of global networks for maintaining information availability; we simply expand this notion to include secrecy as well. We assume that each node (or a large number of nodes) in the network runs an ``escrow server'' that performs most of the steps of the protocol, and that there is some broadcast mechanism for reaching them (which could be based on existing mechanisms such as Usenet news). The first step in using ``the net'' as an escrow agent is to split the key to be escrowed using some secret sharing scheme \cite{simmons} with a very large number of shares (e.g., a $k$ out-of $n$ scheme where $k=500$ and $n=5000$, but we leave the details of determining an appropriate access structure to the reader). Next, we package each share along with a key identifier, a digital signature of the share, and a policy describing the circumstances under which the share should be disclosed (discussed below). Finally, we select, at random (or according to some other policy) as many sites as we have shares and send one share to each site, over a secure channel. We then destroy the shares and the list of sites to which they were sent. To recover escrowed data, we broadcast a request for shares for the key identifier we want to recover, using some mechanism that is likely to be received by the shareholders' escrow servers. Upon receipt of a request for shares, each escrow server logs the request and, if it holds a share for the key in question, checks the policy contained in the share package. If the request conforms to the policy we send the share to the requester. 
The requester (who can verify the authenticity of each share by checking the signature) can recover the key once enough shares have been received. Whether such a scheme is robust, secure, or otherwise adequate depends primarily on three factors: the reliability (in terms of continued existence, security against compromise, and ability to follow instructions) of the nodes that handle the key shares, the access structure of the secret sharing scheme, and the nature of the policy that each node is supposed to follow. If the nature of today's Internet is any indication, we must assume that the individual nodes are not very reliable, especially over time. Some nodes will simply disappear. Others will maliciously fail to follow instructions. Still others will fail to safeguard their shares, sometimes due to malice but more often as a result of mistake, incompetence, or failure of some underlying security mechanism. It is likely that as the net grows these issues will become even more pronounced. Therefore, the security of the scheme depends on a choice of access structures and policies that assumes that a large fraction of shareholders will not follow the correct protocol. The secret sharing access structure must be chosen to require enough shares to prevent key recovery by collusion among a few nodes, yet with enough redundancy to allow recovery in the likely event that most nodes are not available or did not retain their shares at the time key recovery is required. Scale appears to help here; consider, for example, a 500 out of 5000 threshold scheme, which permits key recovery even when 90\% of nodes have failed and yet retains its security until 500 nodes have been compromised. The distribution of nodes could also play a part here, particularly when the key is split with a more sophisticated access structure. 
For example, key shares could be distributed to nodes selected across a variety of administrative, legal, political and geographic domains, with the access structure selected to require that shares be collected from nodes in several different categories. Each shareholder is also asked to respect the access policy included with the share. The policy must be designed to facilitate emergency access without also permitting undetected disclosure. Because shares can only be recovered by broadcasting, we can take advantage of the inherently public nature of requests in formulating the access policies. For example, the policy might specify a public signature key to which the real key holder knows the corresponding secret and a request to delay revealing key shares for some period of time, say one week. If an unauthorized request for a key is broadcast, the real key holder would have one week to notice the request and broadcast another message, signed with this key, requesting that the shareholders ignore the original request and turn over information that might aid in tracking down the source of the unauthorized request. Policies might also include instructions on the minimum identification that share requests must include and instructions on how share requests should be logged (e.g., by posting to a news group or even advertisements in newspapers). They might also include an expiration date beyond which the share is to be deleted. We defer the question of how policies should be specified, but it may be sufficient for the server, upon receipt of a share request, to send a message to its (human) operator containing instructions (written in English) that were included in the share package. Some infrastructure is required. Key holders would need a directory or other mechanism for identifying and communicating with escrow servers at the time the shares are created. A broadcast mechanism for key recovery is also required. 
It is possible that existing mechanisms could suffice for both these purposes (e.g., DNS for server identification and Usenet news for broadcasting) but more specialized systems would be required if this scheme were to be fielded on a large scale. Share distribution must be secure against both eavesdropping and traffic analysis. The need for security against eavesdropping is obvious, since observing all the shares allows recovery of keys without the assistance of the shareholders. Resistance to traffic analysis is required to ensure that shares can only be recovered by broadcasting. If the identities of the shareholders are known, an attacker could ``target'' the sites believed to be weakest, and, if successful, recover shares without broadcasting the request and without following the share access policy. Shares could be distributed via an anonymous communication network or some other mechanism (such as oblivious transfer) that obscures the nature of the transaction from an observer (and perhaps even from the participants themselves). Key identifiers should be chosen so that an outside attacker cannot derive the purpose or owner of the key from its identifier and so that shareholders do not know exactly what their shares are for. In any case, the list of shareholders should not be retained by the key owner once the shares have been distributed. \subsection{Emergency Access -- ``Angry Mob Cryptanalysis''} In general, the key identifier should be stored with all copies of the ciphertext (since without the key ID, it is impossible to recover a key). Under ordinary circumstances when a key recovery is required, the original key owner will initiate the request. The owner extracts the key ID and broadcasts the request to the network, performing whatever (presumably public) logging is required by the policy that was sent to the shareholders. Upon receipt of the broadcast, each server checks whether it is a shareholder for the requested key.
If it is, it checks whether the request satisfies the access policy (perhaps by transmitting a copy of the English-specified policy to the server operator, perhaps by automated means if the policy is more formally specified). If the access policy is satisfied (e.g., a message announcing the request appeared in some established place, a certificate of the identity of the requester was included in the request, or whatever) and after waiting however long the policy specified to allow for repudiation of the request by the legitimate key owner, the share is transmitted back to the requestor over a secure channel. The requestor can then combine the shares to recover the key; corrupted shares will not affect the protocol since the shares should have been digitally signed by the original key owner at the time they were distributed. Sometimes, however, an extreme emergency might make it necessary to recover keys in a manner contrary to the policy specified in the original shares. For example, it may be necessary to recover keys before the policy-imposed delay has elapsed, or to obtain access in spite of the objections of the original key owner. Such a situation is most likely to arise from some kind of law enforcement or public safety emergency in which the requestor makes the case that public policy should supersede the access policy of the key holder. Of course, such a situation is fraught with difficult issues of judgement and policy, and fears of abuse, fraud, or coercion are among the primary objections raised against key escrow in general. Our scheme places the burden of determining whether such an exceptional access request should be granted on the shareholders. Indeed, the dependence on the collective judgement of the widely distributed shareholder operators may be the scheme's most important property.
Under normal circumstances, the shareholders can be expected to behave approximately as specified in the share policies (with occasional pathological exceptions, limited in their effect by the nature of the secret sharing access structure). In exceptional situations, however, a public appeal can be made in an attempt to convince the shareholders to reveal their shares in a manner not permitted by the stated policy (e.g., the police could broadcast an appeal for key shares on television news, stating the facts of the case under investigation). In particular, because the identities of the shareholders are not known, such an appeal must be done publicly and in a manner designed to attract considerable attention. It is not possible to secretly induce, through legal means or otherwise, shareholders to reveal their shares. For some applications (e.g., personal information associated with an individual), such a scheme could be acceptable even when key escrow is not. (We introduce the rather lighthearted term ``angry mob cryptanalysis'' to refer to the threat of enough shareholders being convinced to violate the share access policy to permit key recovery. It is distinguished from ``rubber hose cryptanalysis,'' which involves obtaining keys by legal or extra-legal intimidation\footnote{The phrase ``rubber hose cryptanalysis'' appears to be due to Phil Karn.}.) \section{Conclusions} Key escrow is a confusing subject, especially so because there is little general agreement as to even its basic goals and requirements. We have proposed a scheme that has a number of interesting properties that may make it appropriate for protecting secrecy and availability in certain kinds of applications. A number of open problems remain, of course, before such a scheme could be made completely practical. Areas for further study include the effects of different access structures, specification of policy, and economic, performance, and reliability analysis. 
Of course, we do not in complete seriousness propose this scheme as a general solution to the key recovery problem, but intend instead to open a new avenue of discussion. In particular, the scheme appears to address many of the concerns of both opponents of ``government'' key escrow as well as many of the (stated) concerns of law enforcement. \section{Acknowledgements} Much of the inspiration for this scheme arose from Ross Anderson's description of the motivation and principles behind the Eternity file service, in conversations at Cambridge and at AT\&T Bell Labs. \begin{thebibliography}{MMMM00} \bibitem[Ande96]{eternity} \newblock Ross Anderson. \newblock ``The Eternity Service.'' \newblock Invited paper to appear at {\em Pragocrypt 96.} 30 Sep - 3 Oct 1996, Prague. \bibitem[Denn96]{denning} \newblock Dorothy Denning. \newblock ``A Taxonomy for Key Escrow Encryption Systems.'' \newblock {\em CACM.} March 1996. \bibitem[Mica94]{micali} \newblock Silvio Micali. \newblock ``Fair Cryptosystems.'' \newblock {\em MIT/LCS/TR-579.c} Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, MA, August 1994. \bibitem[NIST94]{clipper} \newblock National Institute for Standards and Technology. \newblock Escrowed Encryption Standard, {\em Federal Information Processing Standards Publication 185}, U.S. Dept. of Commerce, 1994. \bibitem[Simm92]{simmons} \newblock G.J. Simmons. \newblock ``An introduction to Shared Secret and/or Shared Control Schemes and their Applications.'' \newblock In {\em Contemporary Cryptology,} Simmons, ed. IEEE Press, 1992. \bibitem[WLEB96]{tis} \newblock Stephen T. Walker, Stephen B. Lipner, Carl M. Ellison, and David M. Balenson. \newblock ``Commercial Key Recovery.'' \newblock {\em CACM.} March 1996.
\end{thebibliography} \end{document} From stewarts at ix.netcom.com Sat May 25 04:42:57 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 25 May 1996 19:42:57 +0800 Subject: [SCARE]: "If you only knew what we know..." Message-ID: <199605250823.BAA27934@toad.com> At 05:52 PM 5/24/96 -0500, snow wrote: >> > Don't suppose Matt could do a little executive summary of >> > "The Briefing" and post it to the list, could he? >> Probably not unless he wanted to do time. >> I suspect some anonymous person might put bamboo shoots under his >> fingernails and post the results of the interrogation however. > > Isn't this exactly what the anon remailers were designed for? It's also what Canary Traps were designed for. Are the "secrets" they told Matt the same as the ones they told Dorothy? Not likely.... # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 # goodtimes signature virus innoculation From rah at shipwright.com Sat May 25 07:33:59 1996 From: rah at shipwright.com (Robert Hettinga) Date: Sat, 25 May 1996 22:33:59 +0800 Subject: PILATE SAYETH UNTO HIM... In-Reply-To: Message-ID: At 6:45 PM -0400 5/24/96, snow wrote: > Reality viewed through the lenses of Dogma. The Words Speak You War is Peace Freedom is Slavery Murk is Darts Can we stop this crap, now? Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://www.vmeng.com/rah/ From bruce at aracnet.com Sat May 25 07:59:55 1996 From: bruce at aracnet.com (Bruce Baugh) Date: Sat, 25 May 1996 22:59:55 +0800 Subject: Children's Privacy Act Message-ID: <2.2.32.19960525115008.006ed084@mail.aracnet.com> At 11:34 PM 5/24/96 -0700, tcmay at got.net (Timothy C. 
May) wrote: >If I have compiled records, dossiers, etc., as I most assuredly have (got >to fill up those MO disks with something), this is "my" information. Mine >in the sense that others can't dictate to me what I do with it. I don't see that this is necessarily true for information any more than it is property. Property can be bought, sold, traded, given away, made...but it can also be stolen. Just as I have a right to complain if you walk off with my couch without my permission, so if you walk off with data on my blood chemistry or credit history without my permission. -- Bruce Baugh bruce at aracnet.com http://www.aracnet.com/~bruce From um at c2.org Sat May 25 09:06:52 1996 From: um at c2.org (Ulf Moeller) Date: Sun, 26 May 1996 00:06:52 +0800 Subject: Remailers - What exists? In-Reply-To: Message-ID: >Which remailers can be run without root? >Which remailers can be run best on the most systems? >Which remailers are easiest to set up? I guess Mixmaster wins in all categories. -- `The public prosecutor recommends that Lufthansa discontinue the Moscow-Munich route, because it cannot be guaranteed that no BND employees are smuggling plutonium there.' From dlv at bwalk.dm.com Sun May 26 11:58:20 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Mon, 27 May 1996 02:58:20 +0800 Subject: Remailers - What exists? In-Reply-To: Message-ID: um at c2.org (Ulf Moeller) writes: > >Which remailers can be run best on the most systems? > > I guess Mixmaster wins in all categories. Does it mean it runs on NT or W95 or OS/2 or Mac or VAX/VMS? (E-mail me for the Usenet cancelbot that does :-) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From unicorn at schloss.li Sun May 26 12:45:55 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 27 May 1996 03:45:55 +0800 Subject: An alternative to remailer shutdowns In-Reply-To: <01I53PQSSUL88Y4ZAY@mbcl.rutgers.edu> Message-ID: On Sat, 25 May 1996, E.
ALLEN SMITH wrote: > From: IN%"unicorn at schloss.li" "Black Unicorn" 24-MAY-1996 22:52:03.64 > > >Remailers on the attack points (first in chain, last in chain) simply MUST > >be disposable as tissue. They must be run as anonymously as possible, > >with as little connection to the ISP's assets as possible and immediately > >disposable. They must be easy to set up, runnable without root and there > >must be a much more efficient tracking mechanism. (Mr. Levin has done a > >terrific job, but even more needs to be done). > > Why the first in chain? If the anti-traffic-analysis provisions are > working properly, it should be impossible to prove that a given first remailer > was the first remailer for any particular message. Unless said message was sent only through one remailer. In this case the remailer operator is very vulnerable to the problems we have been discussing. > >It only takes ONE operator to get a tiny ($2500-$10,000) fine or judgement > >and that will be the end of most of the mailers. Poof. > > What, pray tell, is the result of a judgement in which the person > manifestly doesn't have the money to pay? I couldn't pay a 10,000 dollar > judgement; I don't have that much money. I would guess it'd be some form > of attachment of income; this wouldn't get them much... Garnishment, attachment of assets, perhaps forcing you into bankruptcy. Not pretty. > >In my view trying to balance bias rather than eliminate it is much more > >effective. > > Modification of jury selection? Removal of some of the peremptory > challenges? Hmm... some challenges are for cause, as I recall. Unless it's > a particularly egregious case of such, I'd suggest allowing the other side to > override such with expenditure of a peremptory challenge. No, I mean that the selection process would be from a pool of experts on the issues involved. This is done in many European systems. We should take this to e-mail.
--- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From grewals at acf2.nyu.edu Sun May 26 12:46:19 1996 From: grewals at acf2.nyu.edu (Subir Grewal) Date: Mon, 27 May 1996 03:46:19 +0800 Subject: [SCARE]: "If you only knew what we know..." In-Reply-To: <1.5.4.16.19960525030725.34bfb678@arc.unm.edu> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Fri, 24 May 1996, David Rosoff wrote: I think an insight your analysis may benefit by is that certain institutions/societal norms create incentives for "corrupt politicians". Hayek argues against the "benevolent dictator" concept because he says no gentle person would ever aspire to be a dictator. The system itself calls for people who are ruthless to take the reins. A similar argument can be made for the various functions of a modern democracy (like the US). It is rarely that we hear of a considerate IRS auditor, or a principled politician. The structures themselves call for and promote those who (in that an individual is more successful if they) are corrupt, power-hungry, unprincipled and ruthless. As for Assassination Politics, I can understand such proposals in jest. I too say things to appear controversial. As a serious political structure, however, it is reprehensible. Murder cannot be condoned (as a pacifist, the argument that politicians create wars and must be killed for that reason does not hold much water for me) and the proponents of such systems would do well to look more closely at the systemic ills rather than individuals. The argument that AP is an institutional dis-incentive for "bad" representatives that offsets other incentives is problematic since I do not believe the methods are just.
hostmaster at trill-home.com * Symbiant test coaching * Blue-Ribbon * Lynx 2.5 WHERE CAN THE MATTER BE Oh, dear, where can the matter be When it's converted to energy? There is a slight loss of parity. Johnny's so long at the fair. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Key Escrow = Conscription for the masses | 2048 bit via finger iQB1AwUBMacbxRwDKqi8Iu65AQEn3AMAwCh+WWQsUrL1cnfZElzNmqexngXs4rAo Pz4ztTXpGPLxLMAKO5qcGNmI7yT8DP1rVH21EumZG700jQ18pH/7NWQj1RnAK3ZQ pJInW4kZ3iEjFKhCto0TzVOYEwMkZrrK =Wlte -----END PGP SIGNATURE----- From jlasser at rwd.goucher.edu Sun May 26 12:56:40 1996 From: jlasser at rwd.goucher.edu (Moltar Ramone) Date: Mon, 27 May 1996 03:56:40 +0800 Subject: why is no one (apparently) worried about escrowed key length limits? In-Reply-To: <199605241756.KAA07067@ohio.chromatic.com> Message-ID: On Fri, 24 May 1996, Ernest Hua wrote: > Obviously, the implication is that brute force (or "near brute force") > methods WILL be used against encrypted transactions. So in the best > case, there is some lower strata of law enforcement who are only > allowed to use the escrowed path to intercept, but there is also some > upper strata of law enforcement (presumably some anti-terrorist or > national security section of ATF or FBI or CIA or Secret Service) who > will be allowed to use such super-duper cracking methods to achieve > their goals (assuming their goals are good). This is hardly questionable as the reason for restricted key lengths; if this wasn't the fact of the matter, they wouldn't make it difficult to superencrypt with the same system over and over again, which they do. And "best" case for who? Not I, surely. Simply putting a "national security" clause in this makes the CIA or SS or FBI or ATF or whatever above the law, regardless of the reasons. I certainly don't want these organizations above the law. I remember (well, not really. But I've read about) J Edgar Hoover, and I don't want a repeat. 
> But, if the best case happens, then we're all Ozzie and Harriet (or > Archie and Edith), and we should be in a love fest with the > government. Obviously we don't completely and blindly trust our > government. Archie didn't completely and blindly trust the government. Ozzie and Harriet, yes. Edith, probably. Archie, no. (ObGunPunks: remember the episode where Archie got to do the TV editorial about gun control? :-)) Jon ---------- Jon Lasser (410)532-7138 - Obscenity is a crutch for jlasser at rwd.goucher.edu inarticulate motherfuckers. http://www.goucher.edu/~jlasser/ Finger for PGP key (1024/EC001E4D) - Fuck the CDA. From grewals at acf2.nyu.edu Sun May 26 13:01:18 1996 From: grewals at acf2.nyu.edu (Subir Grewal) Date: Mon, 27 May 1996 04:01:18 +0800 Subject: Rawls, was RE: Children's Privacy Act. In-Reply-To: <01I53P6L2ZIQ8Y4ZAY@mbcl.rutgers.edu> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Fri, 24 May 1996, E. ALLEN SMITH wrote: : Most arguments on fairness ultimately come down to either appeals to :gut instincts - not a valid argument - or philosophical ones, generally :Rawls' Theory of Justice. That one has a problem. Rawls thought that the :most just social system was that which a group of people would come up with :when they didn't know what position they'd be in. This would lead to equality, :since nobody'd want to be in the low position, right? Wrong. People can :rationally take a chance. If you give someone a choice between gambling for :(on the flip of a 50/50 coin) 150 or 0 dollars, and getting 50 dollars :guaranteed, the rational choice is the gamble. In other words, if it is more :efficient - as I have argued - for things to be unequal, then this idea of :what justice is would argue for inequality being just. I don't think that is exactly what Rawls was postulating (though I would be the first to agree that Rawls' prose is exceptionally interpretable, which I believe is a point in Rawls' favour as a writer). 
Rawlsian "Justice as fairness" is based on the idea that a just system is one in which people decide rules before they know what their starting positions are. In a sense this is only taking the idea of a "disinterested/impartial lawmaker" and putting it into another context. What is perhaps more fundamentally important about Rawls is his profound respect for contract and expectations engendered by the contract, as evidenced in his argument for the rules being laid down before the game (in this case life as we know it) begins. I think this is why Hayek felt "A theory of Justice" was not the text others thought it was (I haven't read Nozick's Anarchy, State and Utopia as of yet, only bits of it). In any case, I don't really believe Rawls argued for an egalitarian system. The two "rules" he thinks will emerge from the "initial position behind the veil of ignorance" are (pg. 60) First; each person is to have an equal right to the most extensive basic liberty compatible with a similar liberty for others. Second: social and economic inequalities are to be arranged so that they are both a) reasonably expected to be to everyone's advantage, and b) attached to positions and offices open to all. He goes on to say "While the distribution of wealth and income need not be equal, it must be to everyone's advantage, and at the same time, positions of authority and offices of command must be accessible to all. .... These principles are to be arranged in a serial order with the first principle prior to the second. This ordering means that a departure from the institutions of equal liberty required by the first principle cannot be justified by, or compensated for, by greater social and economic advantages". He then adds to the argument the concept of the difference principle (pareto optimality in the final reckoning) and maximin (maximizing the expectations/outcome of the person at the lowest rung of the ladder). 
About the difference principle Rawls says " it should be observed that the difference principle, or the ideas expressed by it, can easily be accommodated to the general conception of justice. In fact, the general conception is simply the difference principle applied to all primary goods including liberty and opportunity". I really don't see Rawls arguing strict egalitarianism in "A theory of Justice". Further, I believe the most important contribution made by this book is the principle of the "veil of ignorance / initial position" as a test for the fairness/justice of a particular system. Rawls' proposal is simply his idea of what would result from the initial position (as you point out) and certainly we can come up with other equally acceptable proposals. But it is essential to read Rawls because he is so interpretable, my own reading may be flawed. In any case, Rawls is well aware of the demands efficiency places on an egalitarian system (which it is unable to meet) and does agree that inequality can be in everyone's interest (i.e. spill-over's, for eg. because geniuses need incentives as well as does the company that brings you your breakfast cereal). As a final quip, the result (in any particular game) of the question regarding the gamble you proposed earlier depends almost entirely on the player's aversion to risk. Some among us (I'm sure) would be willing to take $50 in hand rather than $2million in the bush ;~) hostmaster at trill-home.com * Symbiant test coaching * Blue-Ribbon * Lynx 2.5 WHERE CAN THE MATTER BE Oh, dear, where can the matter be When it's converted to energy? There is a slight loss of parity. Johnny's so long at the fair. 
From thad at hammerhead.com Sun May 26 13:43:10 1996 From: thad at hammerhead.com (Thaddeus J. Beier) Date: Mon, 27 May 1996 04:43:10 +0800 Subject: [SCARE]: "If you only knew what we know..." Message-ID: <199605251528.IAA15783@hammerhead.com> I asked Peter Neumann, of the NRC commission whose report is due very very soon, and they did indeed get "The Briefing". He was very keen to have all appendices of the final report be public, we may get to see the story there. I am just on pins and needles waiting for the report. I thought, when it was announced, that in the year-and-a-half that it would take to write that the war would be won. It hasn't, of course. I think that the NRC report will define the landscape of the debate for the next year or so. We'll see. thad -- Thaddeus Beier thad at hammerhead.com Visual Effects Supervisor 408) 286-3376 Hammerhead Productions http://www.got.net/~thad From snow at smoke.suba.com Sun May 26 14:18:37 1996 From: snow at smoke.suba.com (snow) Date: Mon, 27 May 1996 05:18:37 +0800 Subject: [SCARE]: "If you only knew what we know..." In-Reply-To: <199605250823.BAA27934@toad.com> Message-ID: On Sat, 25 May 1996, Bill Stewart wrote: > At 05:52 PM 5/24/96 -0500, snow wrote: > >> > Don't suppose Matt could do a little executive summary of > >> > "The Briefing" and post it to the list, could he? > >> Probably not unless he wanted to do time. > >> I suspect some anonymous person might put bamboo shoots under his > >> fingernails and post the results of the interrogation however. > > Isn't this exactly what the anon remailers were designed for? > It's also what Canary Traps were designed for. 
> Are the "secrets" they told Matt the same as the ones they told Dorothy? > Not likely.... Thought about that, just couldn't remember the name of the bird. If someone was to post a summary, leaving out specific cases, that _might_ get around it. Also, depending on exactly what was in the briefing, one could "embellish" it a little, give cases _similar_ (i.e. made up) to give us an idea of what goes on, but not to release specific details. Petro, Christopher C. petro at suba.com snow at crash.suba.com From jya at pipeline.com Sun May 26 14:23:28 1996 From: jya at pipeline.com (John Young) Date: Mon, 27 May 1996 05:23:28 +0800 Subject: Software Fame and Fortune Message-ID: <199605251653.QAA15534@pipe2.t1.usa.pipeline.com> The EcoMist of May 25 has a special survey (80 kb) of the global software industry, which, the report claims, is the next fountainhead of computer fame and fortune, thanks to the Internet, and the successor to the H/W fairy tales. It barely mentions crypto -- described as a prime commercial product of Israel's defense industry and the key to secure fame and fortune! It can be read-only at: http://pwp.usa.pipeline.com/~jya/software.txt From tcmay at got.net Sun May 26 14:41:46 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 27 May 1996 05:41:46 +0800 Subject: The Report -- The Day the Earth Stood Still Message-ID: I wrote: "And don't forget that Ray Ozzie, the esteemed developer of Lotus Notes (Iris Associates, connected with Lotus, and now IBM), is on the panel. He got all the various briefings, I presume. His response? Don't forget that he announced that Lotus Notes and such products would implement the "40 + 24 Solution," with 24 bits of a 64-bit key given to the government, leaving users with a trivially-crackable 40-bit key." Just to clarify this a bit, this was for the export versions of the products, not the domestic versions. (Most such restrictions have been for export versions.) 
But the point is that companies are, behind the scenes, making plans to incorporate GAK into their products. The list carried a long discussion of the Lotus plan, back several months ago. (Too bad the archives are no longer available....that "several days" mentioned in the March 18th message at the http://www.hks.net/cpunks/index.html site sure has gotten longer.) Only 4.8 days left until The Report is released. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jamesd at echeque.com Sun May 26 14:42:07 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Mon, 27 May 1996 05:42:07 +0800 Subject: [SCARE]: "If you only knew what we know..." Message-ID: <199605251729.KAA25537@dns2.noc.best.net> At 09:31 PM 5/23/96 -0400, Simon Spero wrote: > If I were planning such a briefing I'd probably concentrate on real cases > that were cracked due to NSA SIGINT - especially terrorist groups > operating with only limited state sponsorship This assumes that such cases actually exist. I imagine if such a thing ever happened, the NSA would shout it from the rooftops for the next three hundred years. Recollect that the trade tower bombers were caught because they were unclear on the concept of a deposit. Whenever terrorists are busted, nobody makes any big secret of how they were busted. On the contrary, the newspaper reporters are in danger of being trampled in the rush to take credit. 
--------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From tcmay at got.net Sun May 26 15:00:32 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 27 May 1996 06:00:32 +0800 Subject: The Report -- The Day the Earth Stood Still Message-ID: "Just 15 more days until the NRC report is released...." "Only 12 days until we release the NRC report...." "Since there are only 8 days left, you might want to place your order for the NRC report now..." "Only 7 more days..." Personally, I think we're getting entirely too many update reports on when The Report is coming. Just release the damned thing, so we can reject it forthwith. (If it needs being rejected....) At 3:28 PM 5/25/96, Thaddeus J. Beier wrote: >I asked Peter Neumann, of the NRC commission whose report is due >very very soon, and they did indeed get "The Briefing". He was >very keen to have all appendices of the final report be public, >we may get to see the story there. > >I am just on pins and needles waiting for the report. I thought, >when it was announced, that in the year-and-a-half that it would take >to write that the war would be won. It hasn't, of course. I think >that the NRC report will define the landscape of the debate for the >next year or so. We'll see. It's risky for me to even speculate what's in this report, but a look at who's on the panel raises my eyebrows. (Many of the panel members were at the CFP '95, in San Francisco, and listened to public input from a crowd of agitated Cypherpunks and others. From their questions, many of them were clearly skeptical of the views expressed from the floor. 
Some of them couched their points in terms of that magic code phrase, "the legitimate needs of law enforcement," so draw your own conclusions.) Maybe their report will call for unlimited strength crypto to be freely available to all citizens (as it is now, legally), free export of said crypto (as it not now), no restrictions on digital money, and no mention of "key escrow" whatsoever (as there should not be, as "key escrow" is not an issue for governments to get involved in). Maybe. But color me a bit skeptical, given their inside-the-Beltway focus. And don't forget that Ray Ozzie, the esteemed developer of Lotus Notes (Iris Associates, connected with Lotus, and now IBM), is on the panel. He got all the various briefings, I presume. His response? Don't forget that he announced that Lotus Notes and such products would implement the "40 + 24 Solution," with 24 bits of a 64-bit key given to the government, leaving users with a trivially-crackable 40-bit key. This from one of the most technically-up-to-date members of the panel.... I'm holding my breath.... "Remember, there are only 5 days left until the release of The Report. Set your watches, program your Newtons, and plan your affairs accordingly." --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." 
From jamesd at echeque.com Sun May 26 15:15:03 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Mon, 27 May 1996 06:15:03 +0800 Subject: Children's Privacy Act Message-ID: <199605251729.KAA25539@dns2.noc.best.net> >On Fri, 24 May 1996, E. ALLEN SMITH wrote: >> Why, pray tell, _should_ someone be able to conceal that they declared >> bankruptcy - e.g., ran out on their debtors that they had freely contracted to >> repay - more than 7 years ago? Should prison terms to theft be limited to 7 >> years? At 06:36 PM 5/24/96 -0700, Rich Graves wrote: > I think forgiveness, within reason, tends to have a positive economic > effect. Government compelled forgiveness does not have a positive economic effect, and if it did it would still be wrong. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From nobody at foo.bar.net Sun May 26 15:15:26 1996 From: nobody at foo.bar.net (nCognito Remailer ) Date: Mon, 27 May 1996 06:15:26 +0800 Subject: None Message-ID: <199605261015.DAA14390@rigel.infonex.com> nCognito is back up and running, with a new address and new keys, etc etc. I apologize for any inconvenience this may (have) cause(d). 
The new address is: ncognito at cyberpass.net The NEW pgp key is: And the new mix key is: ncognito ncognito at cyberpass.net 94e30b262408ac816144405faa62d623 2.0.2 Lots of thank-yous to everyone that helped with getting the mailer back up and running so quickly. ...Oh, and next time someone remind me to keep my keys so we can avoid all this work in the future. From loki at infonex.com Sun May 26 15:20:43 1996 From: loki at infonex.com (Lance Cottrell) Date: Mon, 27 May 1996 06:20:43 +0800 Subject: MixMaster fair use Message-ID: At 7:14 PM 5/22/96, Bill Stewart wrote: >At 12:14 AM 5/22/96 EDT, you wrote: >>From: IN%"loki at infonex.com" 21-MAY-1996 17:19:02.59 >> >>>The problem is RSAREF. I can't chose license terms for that. >> >> Oof... I see the problem. No, it's not you, it's them. > >The Agreement, as written, covers all of Mixmaster; it would be easier >for people to adapt Mixmaster code if you either release a bones version >or a license that clarifies that you can't use the RSAREF portions >commercially but can do whatever you want with the rest of Mixmaster >(if that's what you want) or however much freedom you want to grant >(e.g. 
you may want to say some disclaimerish words about obeying ITAR etc.) > I think the current license is fine for most purposes. I am not some monolithic corporation. If someone needs a license with special terms, my email address is public knowledge and I am generally very accommodating. -Lance ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche ---------------------------------------------------------- From loki at infonex.com Sun May 26 15:24:03 1996 From: loki at infonex.com (Lance Cottrell) Date: Mon, 27 May 1996 06:24:03 +0800 Subject: DOS/WINDOWS Mixmaster Client Message-ID: At 6:05 PM 5/20/96, anonymous-remailer at shell.portal.com wrote: >Anyone know if there is a DOS or Windows version of the mixmaster >client? We are talking days now. Really, I mean it this time. I know I said that last time (and the time before) but this time it is true. Trust me, I have your best interests at heart :) In fact, I have a working version. I am just beating on it a bit, and waiting for the Mix enabled Private Idaho (in beta) to be ready. Since Mix can't call sendmail on a PC, a front end is really required for it to be useful. -Lance ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." 
--Nietzsche ---------------------------------------------------------- From loki at infonex.com Sun May 26 15:27:51 1996 From: loki at infonex.com (Lance Cottrell) Date: Mon, 27 May 1996 06:27:51 +0800 Subject: Mixmaster version usable with POP? Message-ID: At 5:22 PM 5/25/96, E. ALLEN SMITH wrote: > One application of an anonymous remailer that has come up is using POP >to get into an account via which remailing could be done without the remailer >having to run on the machine receiving/sending the mail. It would instead occur >on a machine running the remailer software and equipped for doing POP. Has >anyone written a mixmaster version (or additions onto Mixmaster) that will do >this automatically? > While having the entire remailer with logs and private key in a >different country would still be best, if an anonymous POP account were used >this would still shield the remailer operator from forced disclosure. It would >also cut down on the costs; for instance, offshore.com.ai's monthly price for >a UNIX shell account is 50$ a month, but theirs for an email-only account is >20$ a month (albeit with only 20 M/month of mail). > Thanks, > -Allen While there is not an "out of the box" version of Mixmaster like this, it would be easy to do. The UNIX POP clients I have seen just dump the mail into a mbox formatted file. A simple script could be written to yank out the messages one at a time, and feed them to Mixmaster (or mail-in or whatever). In fact, the more recent versions of Mixmaster should be able to swallow the file whole, pulling out the mixmaster messages itself. This modification was made to support "subway" remailers, which want to send a fixed number of messages (in one email) each time period. -Lance ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! 
http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche ---------------------------------------------------------- From herodotus at alpha.c2.org Sun May 26 15:28:17 1996 From: herodotus at alpha.c2.org (herodotus at alpha.c2.org) Date: Mon, 27 May 1996 06:28:17 +0800 Subject: telnet anonymizer? Message-ID: <199605260130.SAA07374@infinity.c2.org> Does anyone know of a publicly available site that provides telnet anonymizing/proxying? -- Herodotus From grewals at acf2.nyu.edu Sun May 26 15:28:24 1996 From: grewals at acf2.nyu.edu (Subir Grewal) Date: Mon, 27 May 1996 06:28:24 +0800 Subject: [SCARE]: "If you only knew what we know..." In-Reply-To: <199605260254.TAA14336@mail.pacifier.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sat, 25 May 1996, jim bell wrote: :At 09:48 PM 5/25/96 -0400, Subir Grewal wrote: :How "removed" do they have to be to be innocent, in your opinion? If they didn't pull the trigger or give the order, they're innocent. Making these criteria any laxer will cause problems as more and more people are drawn into the category of offenders, pretty soon you're the only victim, everyone else is out there to steal from you or assist in the theft. :Nuclear bomb design. Done with funds stolen from taxpayers. Done to :protect the leadership of this country, not the public. Pure mathematics as far as the people working at the lab were concerned. You really think if the receptionist had died, it would have been self-defense? A couple of kids died in computer labs at other schools where this happened, they were there feeding punched cards into the machines. Somehow that doesn't sound right to me. 
:And isn't it immoral for George Bush, for instance, to choose a solution :that results in the deaths of tens of thousands of comparatively innocent :Iraqis, both during and after the Gulf war, rather than bumping off Saddam :Hussein? Think about it. Exactly why does he do the former, rather than :the latter? And the Iranian leaders really think Clinton is an ungodly kafir for meeting Rushdie the apostate. Why not kill him, after all various Americans have suggested this is a valid tactic? Your methods will be used for ends you do not agree with. From what I've learnt of the Gulf war (I was reading most of the time, kept away from the TV), they did try very hard to kill Saddam Hussein, but got nowhere. As is apparent, political leaders value their own lives more than they do those of the foot-soldiers. Many among the foot-soldiers believe their lives would be "brutish, nasty and short" without the mechanism of the state and are willing to defend it and those who currently operate the machine. Of course George Bush I don't trust at all because the man was practically glowing during "his war", anyone who enjoys a war, revels in it, is not someone I admire, respect, or even talk to. However, when you propose that we kill this person, I'm not going to stand with you either. Rest assured, there will be many others waiting to take his place when he is killed, and some of them will spell potato like the English feudal lords did. :>- From what I've gathered of AP, it attempts no radical reformation of "the :>system", simply adds another set of costs for individuals within the govt. :>to take into account. : :"Another set of costs"? Yikes! Read the essay, governments as we know them :can't possibly survive post-AP. Oh no, I think they will survive post AP. The odds are quite high that the people who are convinced to act on the AP philosophy will be branded terrorists and become the objectives of many witch hunts the world over. 
The IRA has a bad rep, though most sympathize with their cause. And they engender Thatchers, or others who are convinced of their "rightness" and can only get to those posts by making public their convictions and gaining some sympathy from the populace. The fact that their targets, and know it but still do not waver, makes them heroes in many eyes. :Well, I disagree. Until recently, public opinion was almost entirely :manufactured. It was a joint project of the government and the news media. I too think Chomsky has perceptive vision when it comes to the media. :Is there any significant likelihood that the people in power today will :relinquish power absent a system such as AP? I'm not optimistic about that. No, no one "relinquishes" power. They fight to keep it, but the struggle does not always have to be violent, and it hurts our cause to instigate violence when none has been used directly against us. hostmaster at trill-home.com * Symbiant test coaching * Blue-Ribbon * Lynx 2.5 WHERE CAN THE MATTER BE Oh, dear, where can the matter be When it's converted to energy? There is a slight loss of parity. Johnny's so long at the fair. From pjb at 23kgroup.com Sun May 26 15:31:42 1996 From: pjb at 23kgroup.com (Paul J. Bell) Date: Mon, 27 May 1996 06:31:42 +0800 Subject: [SCARE]: "If you only knew what we know..." Message-ID: <9605261552.AA08814@23kgroup.com> a good idea. what we really need to do is to obtain, by whatever means seems available, a copy of "the briefing", and to publish it, on the web/net, with detail annotations of each point. having their story in public view would certainly take away a lot of its power. 
also, on the off chance that there were any errors in their version of the facts, it could make for an interesting q&a session when the next recipient didn't buy the pitch. -paul ps.. no, i don't know, right off-hand, how to obtain such a copy, but if the employee manual that was making the rounds a few years was what it purported to be, well, there's hope for this document to see the light of day. (-: > From cypherpunks-errors at toad.com Fri May 24 18:26:04 1996 > From: Alex Strasheim > Subject: Re: [SCARE]: "If you only knew what we know..." > To:cypherpunks at toad.com > Date: Fri, 24 May 1996 01:42:53 -0500 (CDT) > X-Mailer: ELM [version 2.4 PL23] > Content-Type: text > Sender: owner-cypherpunks at toad.com > Content-Length: 3634 > > > Patel is then likely to be given the *in camera* presentation > > of The Deepest Darkest Secrets of Cryptography -- probably a modified > > version of the classifed briefing the NSA has used with great success to > > influence members of Congress. Legend has it that no one who ever got 'the > > briefing' ever again opposed the agency." > > The last part reminds me of the Monty Python bit about the funniest joke > in the world -- during the war British soldiers would shout out a > translated version they couldn't understand and the Germans would die > laughing. It seems pretty obvious that there are people who have > withstood the NSA's siren song -- people in Congress and agencies like the > Department of Commerce (who presumably have heard it) oppose the agency. > > I've felt for a long time that the division in venues has hurt us. The > other side pitches in secret to Congressmen and administration officials, > while we preach to the converted and argue against straw men here on the > net. As a consequence they own official Washington and we own public > opinion. > > The problem with this is that we don't get a chance to refute their > arguments. 
I think we're right -- and to me believing we're right means > believing that we can win a fair fight. Logic and the facts ought to bear > us out. > > One idea that I toyed around with but was too lazy to pursue was to have a > public debate on the web. A small group of people would be invited to > participate -- maybe Dr. Denning on one side, and whoever else we could > find to speak for the government. We could pick an equal number of our > best people to go up against them. > > The debate would proceed in rounds. Each participant could write his or > her arguments for or against government restrictions on crypto, and the > moderator would publish them all simultaneously. Then there would be a set > period of time for the participants to write responses -- maybe a couple > of days or a week. Then another round of responses to the responses. > After that everyone could write closing arguments. > > I think there are a couple of advantages to taking this sort of an > approach rather than a more free form discussion on a mail list. The > first is that the other side would probably feel more welcome -- the lack > of public support for their position and the net being what it is have > combined to create a hostile environment for those who disagree with us. > The debate would prevent personal attacks (if we pick the right > participants) and it would give the opposition some assurances that they > won't get shouted down. The idea is to create a level playing field -- > something that doesn't exist anywhere right now -- each side has its own > home court, but a neutral space doesn't seem to exist. > > Another advantage would be that if people agree to participate they'd > probably take it seriously enough to follow through and answer criticisms > of their arguments. The idea of a formal discussion with a beginning, a > middle, and an end might help keep things moving along. 
Restricting > things to a small number of participants who understand the technology and > the history of crypto politics could also be helpful. > > Finally, when the whole thing was over the web site would be a valuable > resource for anyone who wants to explore the issue. Both sides would be > there nobody would feel that they had been bullied or manipulated into > believing one thing or another. > > As I said above, I think we're right, and to me that means believing that > we'd come out on top in a fair fight. It seems to me that we ought to > figure out how to set up a few of them and do whatever we can to get the > other side to show up. > > From jimbell at pacifier.com Sun May 26 15:33:12 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 27 May 1996 06:33:12 +0800 Subject: An alternative to remailer shutdowns Message-ID: <199605251737.KAA26055@mail.pacifier.com> At 12:10 AM 5/25/96 EDT, E. ALLEN SMITH wrote: >From: IN%"unicorn at schloss.li" "Black Unicorn" 24-MAY-1996 22:52:03.64 > >>Remailers on the attack points (first in chain, last in chain) simply MUST >>be disposable as tissue. They must be run as anonymously as possible, >>with as little connection to the ISP's assets as possible and immediately >>disposable. They must be easy to set up, runnable without root and there >>must be a much more efficient tracking mechanism. (Mr. Levin has done a >>terrific job, but even more needs to be done). > > Why the first in chain? If the anti-traffic-analysis provisions are >working properly, it should be impossible to prove that a given first remailer >was the first remailer for any particular message. I had thought that even >civil courts required that you be the person who committed some act, not the >person who _might_ have committed some act. Otherwise, all the remailers are >in danger. 
This is even if someone tries an entrapment by sending through some >illegal material - if the courts accept that they should be allowed to do this, >then all the remailers they chained are going to be hit. Likewise, I don't see why the first address in the chain is vulnerable, as long as the message subsequently passes through at least one trustworthy remailer, and probably a temporary output address. Jim Bell jimbell at pacifier.com From adamsc at io-online.com Sun May 26 15:35:33 1996 From: adamsc at io-online.com (Chris Adams) Date: Mon, 27 May 1996 06:35:33 +0800 Subject: Children's Privacy Act Message-ID: <199605260449.VAA29497@cygnus.com> On 25 May 1996 08:37:24 pdt, bruce at aracnet.com wrote: >At 11:34 PM 5/24/96 -0700, tcmay at got.net (Timothy C. May) wrote: > >>If I have compiled records, dossiers, etc., as I most assuredly have (got >>to fill up those MO disks with something), this is "my" information. Mine >>in the sense that others can't dictate to me what I do with it. > >I don't see that this is necessarily true for information any more than it >is property. Property can be bought, sold, traded, given away, made...but it >can also be stolen. Just as I have a right to complain if you walk off with >my couch without my permission, so if you walk off with data on my blood >chemistry or credit history without my permission. Yes. For instance, a photographer should get a release for a photo of a person, particularly if he plans to resell it. It does make me wonder whether you could file a suit against TRW for selling information about you, particularly since it could affect you adversely and there is no guarantee it is accurate. /* From Chris Adams on a Warped PC running a proudly unregistered (for now) PMMAIL 1.5! The Enigman Group - We do Web Pages! */ This Message Was Sent With An UNREGISTERED Version Of PMMail. Please Encourage Its Author To Register Their Copy Of PMMail.
For More Information About PMMail And SouthSide Software's Other Products, Contact http://www.southsoft.com. From vznuri at netcom.com Sun May 26 15:36:10 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Mon, 27 May 1996 06:36:10 +0800 Subject: "Key Escrow without Escrow Agents" In-Reply-To: <199605250132.VAA09818@nsa.tempo.att.com> Message-ID: <199605252056.NAA28915@netcom7.netcom.com> the splitting of the keys among different *private* sites, in such a way that key requests must be revealed publicly, is an interesting idea. the way that individual sites evaluate revelation requests might usefully be compared to "juries" in our society. in the case of the grand jury, the government invites a set of citizens to determine if an indictment is justified. their consensus opinion determines the decision. in the case of conviction, we have a similar system. the idea of "jury nullification" has a direct analogy as well. in the key escrow scheme MB proposes, if a lot of sites refuse to release keys based on the circumstances of the case, that would be very similar to jury nullification. I can see that you might create a code of law that determines what procedures that these "distributed key juries" are supposed to follow. but like our legal system, the interpretation and application is ultimately left up to them. an interesting system, that is commendable for trying to find a compromise between two seemingly irreconcilable polarities (privacy and surveillance) but I doubt anyone in law enforcement (with the mindset, "I can't be stopped from doing my job as I see fit or criminals will get away") would go for it in the current form. From jamesd at echeque.com Sun May 26 15:36:13 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Mon, 27 May 1996 06:36:13 +0800 Subject: PILATE SAYETH UNTO HIM... 
(fwd) Message-ID: <199605251909.MAA01818@dns2.noc.best.net> At 11:39 AM 5/24/96 -0500, Jim Choate wrote: >If there was an absolute Truth as you postulate the results would >be many and varied. For instance, > >1. If the Truth were absolute everyone would have to accept it as such > even if they disagreed or said it wasn't the Truth, Only if they were infallible. >2. What is the litmus test for ultimate Truth? How do you tell it from > regular truth? How do you tell it from a lie? From the Lie? The usual methods. >3. If there were an ultimate Truth then this implies that it is possible > to have a system which can fully describe itself. This is an argument against divinity, not an argument that the truth does not exist out there in the world and pretty well knowable most of the time. All your arguments are just variants of the claim "Subjectivism must be true because it must be true", which is obviously self contradictory. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From EALLENSMITH at ocelot.Rutgers.EDU Sun May 26 15:36:36 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 27 May 1996 06:36:36 +0800 Subject: Mixmaster version usable with POP? Message-ID: <01I54W2YQPBC8Y4ZK2@mbcl.rutgers.edu> One application of an anonymous remailer that has come up is using POP to get into an account via which remailing could be done without the remailer having to run on the machine receiving/sending the mail. It would instead occur on a machine running the remailer software and equipped for doing POP. Has anyone written a mixmaster version (or additions onto Mixmaster) that will do this automatically?
While having the entire remailer with logs and private key in a different country would still be best, if an anonymous POP account were used this would still shield the remailer operator from forced disclosure. It would also cut down on the costs; for instance, offshore.com.ai's monthly price for a UNIX shell account is 50$ a month, but theirs for an email-only account is 20$ a month (albeit with only 20 M/month of mail). Thanks, -Allen From bruce at aracnet.com Sun May 26 15:37:46 1996 From: bruce at aracnet.com (Bruce Baugh) Date: Mon, 27 May 1996 06:37:46 +0800 Subject: Children's Privacy Act Message-ID: <2.2.32.19960526010616.006a3d14@mail.aracnet.com> At 05:45 PM 5/25/96 EDT, E. ALLEN SMITH wrote: >such as monopolistic and oligopolistic corporations). You do have a choice in >dealing with other entities. I make that choice; I minimize my use of a credit >card, for instance. I've had months where my bill was $0.00. Now, if the >agency in question is required to collect such information because of coercion, >then that's wrongful, and that information shouldn't be retransmitted. Right. But in addition to the forcible acquisition of information, there's the unwitting acquisition - you are never informed that party A has transmitted information X to party B, who in turn passed it to C, who garbled it and then passed the erroneous info to D.... I'm a raving anarcho-capitalist, and I see not the slightest ethical problem in requiring people to tell me what information they're gathering on me. At that point I can make an informed decision to deal or not deal with them - and that's a complex decision. I might well prefer to do business with, say, Tim's House O' Stuff even though it's collecting more info than I'd prefer, if there are compensatory factors. But I can't weigh my options in a void.
-- Bruce Baugh bruce at aracnet.com http://www.aracnet.com/~bruce From hendersn at zeta.org.au Sun May 26 15:38:00 1996 From: hendersn at zeta.org.au (Zed) Date: Mon, 27 May 1996 06:38:00 +0800 Subject: An alternative to remailer shutdowns Message-ID: <199605251914.FAA28059@godzilla.zeta.org.au> >From: IN%"unicorn at schloss.li" "Black Unicorn" 24-MAY-1996 22:52:03.64 > >>Remailers on the attack points (first in chain, last in chain) simply MUST >>be disposable as tissue. They must be run as anonymously as possible, >>with as little connection to the ISP's assets as possible and immediately >>disposable. They must be easy to set up, runnable without root and there >>must be a much more efficient tracking mechanism. (Mr. Levin has done a >>terrific job, but even more needs to be done). This is what I was groping for before, I think. I would like to set up an anonymous remailer, but I have little to no idea how to go about it. I need something that I can set up cheaply and easily on a machine that I don't have root on, and that I could close down in a flash if there was a problem. I'm proposing a stop-gap measure that could take some of the heat off genuine remailers - simple, easy-to-create remailers that do nothing except anonymize the fullscale remailer that's being used. If you make it so that Type-I and Type-II remailers can _only_ remail to these simple remailers as well as other remailers, you've insulated them from the overt threat of being caught as the last remailer in the chain. Hopefully the number of full-scale remailers would then start increasing instead of decreasing if there is less reason to threaten them. As for traffic analysis uncovering the previous remailer in the chain: how would discovering that the previous remailer in the chain was utopia.hacktic.nl be any different from the message actually appearing from utopia.hacktic.nl?
The Church of Scientology doesn't have the resources to do full-scale traffic analysis, so hacktic's role would never have been discovered. And what would you do if it turned out that the previous remailer was middle-man at alpha.c2.org? Who do you prosecute? >>It only takes ONE operator to get a tiny ($2500-$10,000) fine or judgement >>and that will be the end of most of the mailers. Poof. > > What, pray tell, is the result of a judgement in which the person >manifestedly doesn't have the money to pay? I couldn't pay a 10,000 dollar >judgement; I don't have that much money. I would guess it'd be some form >of attachment of income; this wouldn't get them much... You either pay up as your income allows you, or you file for bankruptcy. Neither option is likely to make other remailer operators feel good about themselves. Zed(hendersn at zeta.org.au) "Don't hate the media, become the media" - Jello Biafra PGP key on request From EALLENSMITH at ocelot.Rutgers.EDU Sun May 26 15:39:34 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 27 May 1996 06:39:34 +0800 Subject: Announcing CryptaPix 1.0 Message-ID: <01I54Q9TVIC68Y4ZHR@mbcl.rutgers.edu> From: IN%"jimbell at pacifier.com" "jim bell" 25-MAY-1996 03:29:13.89 >What they ought to do is to "stegofy" this system by binding a picture with >a lower-quality, non-suspicious picture which can be brought up with a >"duress code." The idea has come up before; I raised it a while back, for instance. Your simple version has the problem that if the system is known to hide info in this way, the cops or whoever will just pressure you for the other picture's code. Really, the only way to get around this is to have a system that allows an indeterminate (from the perspective of those who don't have all the phrases) number of pictures/blocks of text/whatever to coexist, thus allowing one to pull up a subset of them and realistically claim that that's all of them. 
While, as Uni has pointed out, a judge can still toss you in jail for contempt of court, that is preferable to the results for the discovery of some other information (i.e., that which would get you the death penalty). -Allen From vznuri at netcom.com Sun May 26 15:40:20 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Mon, 27 May 1996 06:40:20 +0800 Subject: Cyber-Anarchy In-Reply-To: Message-ID: <199605252027.NAA26357@netcom7.netcom.com> TCM >My point is actually not so much one of claiming credit for something I've >been involved with since 1988, as being somewhat critical of the >all-too-common tendency I see of _renaming_ something without adding any >new content. no, you want credit, otherwise you wouldn't care ("cyberanarchy"? how far is that? in many ways it is more descriptive/accurate for what is being connoted). you get credit when people use "your" term, the etymology you love to wax on occasionally here. > >Jim Bell calls his set of ideas "cyber-anarchy," and certain journalists >have picked up on this (as with the Australian article). > >But with the exception of the one variant of anonymous markets, namely, >"assassination politics," most or all of the other ideas of his >"cyber-anarchy" seem to be encompassed by the already-existing term. a pseudo-word that you invented. any pseudo-word is as good as any other. I think you need to reevaluate your life when you get upset that people don't use a word you invented. for example the term "pseudospoofing" has many applications to recent news but has never been properly used by journalists. (hee, hee) From vznuri at netcom.com Sun May 26 15:40:46 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Mon, 27 May 1996 06:40:46 +0800 Subject: [SCARE]: "If you only knew what we know..."
In-Reply-To: Message-ID: <199605252014.NAA25450@netcom7.netcom.com> >Paraphrasing the "Wired" item, "No person who has ever received "The >Briefing" has ever again argued forcefully for the rights of citizens to >use strong cryptography." > >I surmise that either Sen. Burns has not yet been given The Briefing, or he >is for some reason more resistant than most other burrowcrats to the scare >tactics used in The Briefing. > >I sure would like to know what's in this briefing. perhaps the "four horsemen of the infocalypse" (terrorists, child pornographers, drug dealers, money launderers) only scratches the surface. seriously though, it's possible to imagine some things. 1. there could be some info on how the NSA foiled various horrible james-bond like plots for governments to destroy the world 2. information on terrorists using cryptography, to create a kind of link in the mind of the feebleminded 3. nuclear secrets. defense secrets. information on state-of-the-art weapons systems that are subject to spying and espionage. creating the impression that any private crypto would tend to totally destabilize the "stability" of the world, upheld by the NSA of course 4. another classic NSA/secret society trick is to say, "you are a special person. we can't tell everyone what we are going to tell you now, but you have reached a position wherein you have earned this privilege. you are going to become a warrior in the fight against world tyranny. few know about us. we are the few, the proud." in short, I think the Briefing probably has a lot of psychological theater going on to create an aura of reverence even if the info is not all that substantial. things like talking about who else knows the info, how private it is, what the huge stakes involved are of defying the plan, etc. From perry at jpunix.com Sun May 26 15:42:50 1996 From: perry at jpunix.com (John A. Perry) Date: Mon, 27 May 1996 06:42:50 +0800 Subject: Several things.. 
Message-ID: 1. Damn! Another remailer bites the dust. I've removed ncognito from the type2.list/pubring.mix combo on jpunix.com. The updated lists are available by web (www.jpunix.com) and by anon FTP (ftp.jpunix.com). 2. I wonder if we are going to see more "middleman" remailers now that the code has been released? Anyone have any thoughts or ideas on the subject? 3. Since remailers are dropping like flies, I've decided to bite the bullet and wake up nymrod. I no longer have the obligations that I had in the recent past that caused me to question running a nym server. I can now do so with a clear, unfettered conscience. Nymrod is now awake and active, ready to accept your nyms on nym.jpunix.com. The two names that that nym server will answer to are: nymrod at nym.jpunix.com (preferred) alias at nym.jpunix.com (to support some nym packages) John Perry - KG5RG - perry at alpha.jpunix.com - PGP-encrypted e-mail welcome! WWW - http://www.jpunix.com PGP 2.62 key for perry at jpunix.com is on the keyservers. From somogyi at digmedia.com Sun May 26 15:42:56 1996 From: somogyi at digmedia.com (Stephan Somogyi) Date: Mon, 27 May 1996 06:42:56 +0800 Subject: WhoWhere Robot strikes again Message-ID: I now have a WhoWhere Robot hitting one of my web servers from orion.parsecweb.com and it is most assuredly not honoring the robots.txt file regarding directories to exclude. I also just looked in the bot registry again and the WhoWhere Robot remains unlisted. Needless to say, I'm denying accesses from parsecweb.com from here onward.
Stephan ________________________________________________________________________ Stephan Somogyi Central Services Digital Media From gbroiles at netbox.com Sun May 26 15:43:31 1996 From: gbroiles at netbox.com (Greg Broiles) Date: Mon, 27 May 1996 06:43:31 +0800 Subject: Remailers & liability Message-ID: <2.2.16.19960525223433.092f4224@mail.io.com> Hello again to list folks. Had to disappear for a bit due to school & work, but am back for a few weeks before the bar. (doh.) I upgraded from Eudora Lite to Eudora Pro before resubscribing and find its filtering makes the cpunks traffic much more manageable. Cheerfully recommended to everyone who's still got cpunks dumping in their regular mailbox and cursing at the lack of mail kill files. Have been following the discussion re remailers & liability. The use of waivers and hold-harmless clauses and ROT13 and all of the rest seems like it might have some potential where the potential plaintiff you're worried about is a message recipient angered or shocked by receiving mail which bothers them. I don't think they'll do much good where the potential plaintiff is a third party whose gripe is that the material was distributed. I'm thinking here of copyright plaintiffs like Newsweek or Brad Templeton/Clarinet or the Church of Scamentology, or a person concerned about invasion of privacy or defamation. A recipient can't waive/disclaim the rights of a third party, and an indemnity clause isn't worth much without assets and an honest intention to back it up. Waivers and disclaimers also aren't likely to be any help against criminal charges, because the aggrieved party is the State, not the "victim". The real key to long-lasting remailers is relatively judgement-proof remailer operators who aren't scared of going to court. (cf. Grady Ward and Arnie Lerma) Remailer operators are first amendment activists who are going to take heat the same way that environmental and anti-abortion activists have. 
I talked with one woman who was hit with a judgement by a timber company after she & other activists blocked logging equipment, causing the timber company to lose money (_Huffman-Wright v. Wade_, 317 Or 445, 452, 857 P.2d 101 (1993)) - her comment was that she's able to maintain a reasonable but not luxurious life with the roughly $9000 per year income that the judgement creditor can't touch, and that the minimal possessions which can't be seized by the sheriff are enough for her. Remailer operators may have to choose between comfortable living and their commitment to the principle of free speech. Remailers are attempting to do something that the legal system is hostile to - allow action (potentially harm) without corresponding liability. (If the remailer's not liable, and the sender isn't identifiable, there's nobody to sue and nobody to throw in jail.) Some people on the list take the position that sending and receiving electronic data cannot create the sort of harm that the legal system ought to concern itself with. While this might be the case (I'm not convinced yet either way), it's certainly not the law. Lots of tricky lawyers spend lots of time trying to structure relationships so that it's possible to have activity without liability for their clients. As far as I can tell, the way to achieve this result is through public relations and lobbying (e.g., "tort reform"). Unfortunately, remailer operators aren't as sympathetic as big insurance companies, so we may lose out. :( For what it's worth, I'm still planning to run a remailer again when I get settled down somewhere. (I don't think remailers do much good where the operator isn't root, so I'm not bothering with trying to run one on someone else's system.) My debt/asset ratio is bad enough from all of this school that I don't have much for anyone to levy against. Ha, ha. Anyone want some rapidly obsolescing computer and law books? 
:( -- Greg Broiles |"Post-rotational nystagmus was the subject of gbroiles at netbox.com |an in-court demonstration by the People http://www.io.com/~gbroiles |wherein Sgt Page was spun around by Sgt |Studdard." People v. Quinn 580 NYS2d 818,825. From jamesd at echeque.com Sun May 26 15:46:01 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Mon, 27 May 1996 06:46:01 +0800 Subject: PILATE SAYETH UNTO HIM... Message-ID: <199605252330.QAA10379@dns2.noc.best.net> At 12:30 AM 5/24/96 -0500, Jim Choate wrote: > Sorry but the very fact that I don't agree with you is proof enough that > there is no absolute 'Truth' as you use it. That is unless you are > attempting to claim absolute omnipotence on the point of determination. Say Jim, did you major in sociology literature: Here is Dave Barry on college and truth: After you've been in college for a year or so, you're supposed to choose a major, which is the subject you intend to memorize and forget the most things about. Here is a very important piece of advice: Be sure to choose a major that does not involve Known Facts and Right Answers. This means you must *not* major in mathematics, physics, biology, or chemistry, because these subjects involve actual facts. If, for example, you major in mathematics, you're going to wander into class one day and the professor will say: "Define the cosine integer of the quadrant of a rhomboid binary axis, and extrapolate your result to five significant vertices." If you don't come up with *exactly* the answer the professor has in mind, you fail. The same is true of chemistry: if you write in your exam book that carbon and hydrogen combine to form oak, your professor will flunk you. He wants you to come up with the same answer he and all the other chemists have agreed on. Scientists are extremely snotty about this. 
So you should major in subjects like English, philosophy, psychology, and sociology -- subjects in which nobody really understands what anybody else is talking about, and which involve virtually no actual facts. I attended classes in all these subjects, so I'll give you a quick overview of each: read little snippets of just before class. Here is a tip on how to get good grades on your English papers: Never say anything about a book that anybody with any common sense would say. For example, suppose you are studying Moby-Dick. Anybody with any common sense would say that Moby-Dick is a big white whale, since the characters in the book refer to it as a big white whale roughly eleven thousand times. So in *your* paper, *you* say Moby-Dick is actually the Republic of Ireland. Your professor, who is sick to death of reading papers and never liked Moby-Dick anyway, will think you are enormously creative. If you can regularly come up with lunatic interpretations of simple stories, you should major in English. PHILOSOPHY: Basically, this involves sitting in a room and deciding there is no such thing as reality and then going to lunch. You should major in philosophy if you plan to take a lot of drugs. PSYCHOLOGY: This involves talking about rats and dreams. Psychologists are *obsessed* with rats and dreams. I once spent an entire semester training a rat to punch little buttons in a certain sequence, then training my roommate to do the same thing. The rat learned much faster. My roommate is now a doctor. If you like rats or dreams, and above all if you dream about rats, you should major in psychology. SOCIOLOGY: For sheer lack of intelligibility, sociology is far and away the number one subject. I sat through hundreds of hours of sociology courses, and read gobs of sociology writing, and I never once heard or read a coherent statement. 
This is because sociologists want to be considered scientists, so they spend most of their time translating simple, obvious observations into scientific-sounding code. If you plan to major in sociology, you'll have to learn to do the same thing. For example, suppose you have observed that children cry when they fall down. You should write: "Methodological observation of the sociometrical behavior tendencies of prematurated isolates indicates that a casual relationship exists between groundward tropism and lachrimatory, or 'crying,' behavior forms." If you can keep this up for fifty or sixty pages, you will get a large government grant. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From EALLENSMITH at ocelot.Rutgers.EDU Sun May 26 15:46:57 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 27 May 1996 06:46:57 +0800 Subject: Children's Privacy Act Message-ID: <01I54QLMVIVO8Y4ZHR@mbcl.rutgers.edu> From: IN%"bruce at aracnet.com" "Bruce Baugh" 25-MAY-1996 09:21:06.18 >I don't see that this is necessarily true for information any more than it >is property. Property can be bought, sold, traded, given away, made...but it >can also be stolen. Just as I have a right to complain if you walk off with >my couch without my permission, so if you walk off with data on my blood >chemistry or credit history without my permission. Certainly, if you were coerced into giving up this information, it would be wrongful - including to knowingly retransmit it. But that's only the case for dealing with governments (and, I would include, other coercive groups such as monopolistic and oligopolistic corporations). You do have a choice in dealing with other entities.
I make that choice; I minimize my use of a credit card, for instance. I've had months where my bill was $0.00. Now, if the agency in question is required to collect such information because of coercion, then that's wrongful, and that information shouldn't be retransmitted. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Sun May 26 15:48:27 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 27 May 1996 06:48:27 +0800 Subject: Children's Privacy Act Message-ID: <01I54Q46PC5C8Y4ZHR@mbcl.rutgers.edu> From: IN%"llurch at networking.stanford.edu" "Rich Graves" 25-MAY-1996 02:09:28.75 >I'm sure you know the law and practice better, but my insurance seems to >have a "preexisting conditions" clause. Knowingly doing the above >constitutes fraud. (Of course lots of people probably get away with it.) And how's the insurance company going to know that something is a preexisting condition when they can't keep records of it? Moreover, partially due to state laws, most preexisting condition exemptions have limits on how long they last; if someone has a 1-year window, and they sign up more than 1 year after when they find out about their having Huntington's, then it will be covered despite their knowing about it. >Moreover, when the insurance company pays out, that ultimately comes out >of premiums. I don't have Huntington's, but I don't mind paying an extra >$X into a risk pool for people with Huntington's because it means I don't >have to submit to genetic screening, either. You don't have to have >something to hide to see it as an invasion of privacy. It's a pool of >consumers establishing preferences, not just individual consumers v. >producers. The meaning of microeconomics changes as it scales. This would be the case if the laws in question didn't exist. 
If you don't want to get genetic screening - because you have Huntington's or because you don't like genetic screening - it should be perfectly possible for you to make that choice, and pay the higher premiums. But it should also be possible for someone to make the opposite choice; that's what current laws prevent. It is not, at present, consumers establishing preferences - it's the majority dictating its preferences to the minority.

>By "fairness" I meant that equal risks should be treated equally. Cost of
>disease A = cost of disease B. The detection of predisposition to disease
>A is politically feasible, but the same isn't true for disease B. I'd say
>you were discriminating against people predisposed to disease A, because
>they're paying into the risk pool for B, but B isn't paying into the risk
>pool for A.

That's an argument against any restrictions on risk. Currently, in most states it is politically feasible to get higher rates for someone addicted to nicotine, even if the person became addicted when they were too young to be responsible for their own actions (generally the case). But in some of those same states, genetic screening is banned. Aren't you being unfair to the smoker?

Some people argue for community risk pools, in which everyone in a community gets the same rate. But shouldn't someone who is sicker because of his/her own choices (e.g., chooses to have unprotected sex) pay a higher rate? But such choices are what I'd call even more private than genetics. Whether I've had unprotected sex in the past 5 years is a lot more intrusive a question than whether I have any genetic diseases in my family tree. Quite simply, politically unfeasible means should be removed from the realm of politics.

-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Sun May 26 15:49:21 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Mon, 27 May 1996 06:49:21 +0800
Subject: Why does the state still stand:
Message-ID: <01I54WMDV8268Y4ZK2@mbcl.rutgers.edu>

From: IN%"hfinney at shell.portal.com" "Hal" 16-MAY-1996 10:21:05.33

>One issue is whether these banking-secrecy countries like Anguilla are
>followers of the Berne convention or other international copyright
>regulations. Banking secrecy and software piracy don't necessarily go
>hand in hand. I hear a lot about copyright violations in China but not
>in the Caribbean. So actually it isn't clear that this country is the
>right location for a remailer that can post arbitrary material.

As I have stated, I am currently working on the second edition of this list. One consideration that I have thought of on using a banking-secrecy country is that it may be possible to set up a local limited-liability corporation there (assuming a remailer requiring an ecash payment), possibly paying into a trust fund with duress provisions. As an example, I might set up an offshore company in Anguilla which was owned by a trust fund; I would be the initial trustee for this trust fund, and Vince Cate might be the backup trustee if I was put under any duress (e.g., legal problems). Since I would have some costs for the initial setup of such an operation, I would deem it perfectly reasonable for the trust fund to owe me some money, which it would then pay me back as interest on this loan.

-Allen

From vznuri at netcom.com Sun May 26 15:49:47 1996
From: vznuri at netcom.com (Vladimir Z. Nuri)
Date: Mon, 27 May 1996 06:49:47 +0800
Subject: The Anti-Briefing...
In-Reply-To:
Message-ID: <199605252034.NAA26938@netcom7.netcom.com>

PW >Some might argue that if weak crypto can save one child's life
>then it is worth it. This is a strong, sentimental argument, but
>it really doesn't reflect the reality of the tradeoff. We could
>spend a lot more money on airlines, trains and cars and save a
>few kids' lives, but the cost could be phenomenal. The fact is
>that government enforced weak crypto is a tradeoff. We pay for
>the ease of the police surveillance because we make life simpler
>for crooks who make their living eavesdropping and circumventing
>security systems. The big question is whether the tradeoff is
>worth it.

I'm surprised that there hasn't been more mention of a trend in Britain toward installing video cameras all over the place. saw a story on this on "hard copy". apparently they don't have "invasion of privacy" laws there, and this couple who had been filmed having sex in an elevator, and the footage sold on a video tape, didn't have any particular legal recourse.

if people want to study what social effect that widespread surveillance has, and what its true cost is, I hope that they look toward Britain to try to gauge some of the effects. apparently the trend has been in motion there long enough that some serious studies might be made.

the privacy debate reminds me of speed limits. there is one side that says, "55 saves lives" and in their tiny brains think that is the end of the argument. well, "50, 45, 40, 35, 30 ..." save lives too. why did you pick 55? the point is that there are other factors. similarly, with police surveillance, small-brained police often say, "video cameras prevent crimes" and think that is the end of the argument. or, if you are in NSA, "restricting worldwide crypto keeps the planet in order". etc. ad infinitum.

pathetically simplistic arguments that the general public does not always see through. when the public does begin to see through them, and expect answers that are more complicated than can be explained in 30 second sound bites, then I'd say we're making a bit of progress toward rationality.

From jimbell at pacifier.com Sun May 26 15:49:58 1996
From: jimbell at pacifier.com (jim bell)
Date: Mon, 27 May 1996 06:49:58 +0800
Subject: [SCARE]: "If you only knew what we know..."
Message-ID: <199605260254.TAA14336@mail.pacifier.com>

At 09:48 PM 5/25/96 -0400, Subir Grewal wrote:
>The exception I took to your proposal was that it seemed like a
>half-measure to me. From what I understand of it the proposal is that
>elected officials who "do wrong" (or violate a particular code of conduct)
>should be killed. I would suggest that this is problematic because it
>does nothing to solve the ills of the system, simply clears those players
>whom a particular set of people do not believe are playing fairly/well.

And any successors that take their place, as well. Remember, even a tiny fraction of the population can eject (by forced resignation or worse) an officeholder. The only ones who survive (literally or figuratively) are the ones who don't irritate even a tiny fraction of the public. Those will be the ones who don't do anything, and are not paid by stolen taxes.

>I'm not sure I'd accept the claim that millions of offenders (I too find
>drug laws stifling, illogical and counter to the liberal ideal) are put in
>jail, deprived of their freedom by a particular set of people. Drug laws
>are a reflection of the opinions held by many people in this country (and
>others), of course we wonder sometimes whether people have really thought
>about it or whether the "just say no" jingle was too irresistible, and the
>concept of "a war on drugs" another tool to define outsiders against whom
>to band against and maintain a cohesive identity.

To a great degree, the "public perception" of drugs and drug laws has been a _product_ of the news media, in particular the TV networks and the newspapers, as influenced by the government. Study the matter and you'll find this is true. There is no reason to believe that the community will be as anti-drug as the conventional wisdom says they are.

> And the manner in which
>Americans (and indeed other peoples) have been whipped into fervour by
>the rhetoric that accompanies a war is truly frightening.
This "whipping" is quite intentional. It keeps cops, prosecutors, and judges employed. Not to mention politicians.

> But I really
>don't think killing a few Presidents or Joint Chiefs of Staff or Prime
>Ministers will solve this (or anything).

Please understand: While the term "assassination" is usually used to refer to killings of high-level people, I'm using a broader definition to refer to ANY target, including middle and lower-level people. My solution is far more thorough than you've implied. Anyone who exercises force for the state is subject to "recall." Even people who just take a government paycheck are at least nominally at risk.

> It seems as if you were trying
>to say that AP is acceptable because similar methods are employed by the
>state all the time. I will not defend the coercive actions of the state,
>but I do not believe they give one the right to coerce others, especially
>if they are removed from the actual act.

How "removed" do they have to be to be innocent, in your opinion?

>:Then you need to learn to be more consistent. While you may, indeed, be a
>:pacifist, most of the rest of us see nothing wrong with the concept of
>:self-defense. You may argue as to what's really self-defense and what
>:isn't, but the reality is that government engages in violence and the
>:threat of violence regularly. Are you, by your statements, implicitly
>:tolerating violence by government that you wouldn't tolerate from
>:individuals? It is easy to fall into such a trap.
>
>But self-defense is not conductive either. To bring a rather fascinating
>example into this, in the 70s a group of students occupied a variety of
>buildings at NYU in protest against the Cambodian war. They set a bomb
>in our computing center that was defused just before it blew. But if it
>had detonated it would have destroyed a rather large computer (used for
>pure mathematical problems that the Dept. of Defense wished to
>incorporate into its Nuclear program)

Nuclear bomb design.
Done with funds stolen from taxpayers. Done to protect the leadership of this country, not the public.

> and a number of people standing
>outside the building. The rationale used was that this was
>"self-defense", the people of the world were banding together to protect
>each other from the actions of the state.

In practice, it probably WAS "self-defense." However, it may not have been a particularly selective example of self-defense. The system I describe is, in fact, vastly more effective than this at getting rid of the bad guys, and far more selective than a planted bomb.

> While I sympathize with the
>feelings that led the activists to take such measures, I have no respect
>for their methods or the reasoning they employed to extend the argument
>for self-defense into a situation that had nothing to do with
>self-defense.

That's why I think my system will be far better.

>No, I do not wish to condone the coercive actions of the state (and
>certainly not any violent ones), and certainly we all take exception to
>one or another act of the government machine. Incidentally, I do not
>believe the state has the right to take life in the quest for justice
>(aka the death penalty). A war against a foreign threat can be justified
>on grounds of self-defense.

Notice, however, that the US government fails to use a cleaner method to defeat its opponents (killing the leaders) and in its place puts the lives of thousands of soldiers at risk. Isn't this illogical, unless you realize that if WE can do that to those foreign leaders, THEY can do the same to OUR leaders? Isn't this more than a bit self-serving on the part of our leaders? And isn't it immoral for George Bush, for instance, to choose a solution that results in the deaths of tens of thousands of comparatively innocent Iraqis, both during and after the Gulf war, rather than bumping off Saddam Hussein? Think about it. Exactly why does he do the former, rather than the latter?

>:Why? Isn't it possible that it is not possible to reform a system because
>:embedded within it is a fundamental flaw which makes real freedom
>:impossible? The current system is hierarchically structured, and results in
>:situations where millions die in the place of the very few. I'd say that's
>:a serious, systemic flaw that needs fixing.
>
>- From what I've gathered of AP, it attempts no radical reformation of "the
>system", simply adds another set of costs for individuals within the govt.
>to take into account.

"Another set of costs"? Yikes! Read the essay, governments as we know them can't possibly survive post-AP.

>I don't think you're proposing a "true democracy"
>or absolute anarchy (without all the connotations of disorder, simply
>no-government), but rather a vigilante clause, I may have misunderstood
>you though.

It may be looked at as an example of vigilante action, but it will be ANONYMOUS vigilantes.

> A minimalist state is generally considered desirable as it
>provides a framework within which individuals can engage in mutually
>beneficial interactions with each other.

That's conventional wisdom. Historically, anarchy is considered unstable. Freud thought so, but he was wrong. Read part 9.

> Our present structures do not
>"work" very well (though they have their redeeming factors when compared
>to other alternatives) and I'd say we need a greater degree of respect for
>personal liberty and individualism than is manifest in our institutions
>today, but these changes take place on a level very different from that of
>govt. the state is almost powerless when it comes to these metamorphoses
>in opinion.

Well, I disagree. Until recently, public opinion was almost entirely manufactured. It was a joint project of the government and the news media.

> They take place through tradition and the spread of ideas not
>through legislation. The alternative I would suggest is an appreciation
>for the minimalist state (with the observation that there are some things
>the state does do very well, and which are desirable) and the liberty of
>the individual. Similarly a respect for life is in order, too often we
>think we're absolutely right and believe we should use "any means
>necessary" (no reflection on the misunderstood philosophy of Malcolm X)

Is there any significant likelihood that the people in power today will relinquish power absent a system such as AP? I'm not optimistic about that.

Jim Bell
jimbell at pacifier.com

From vznuri at netcom.com Sun May 26 15:51:05 1996
From: vznuri at netcom.com (Vladimir Z. Nuri)
Date: Mon, 27 May 1996 06:51:05 +0800
Subject: holographic remailing & the scientologists
Message-ID: <199605252119.OAA00566@netcom7.netcom.com>

it seems that anonymous remailing has split into two basic areas, each with distinct requirements and demands and problems:

1. private mail, sent to another email address
2. posts to Usenet or other forums such as mailing lists.

now, interestingly, apparently most of the extremely heavy political backlash has come against (2), causing Hal Finney for example to advocate or suggest that remailers not be designed for posting but be limited to emailing to individual users somehow. (he didn't mention how mailing lists would be handled, but one might screen out email addresses that are "known mailing list addresses" or something like that)

regarding (2), with scientology, I was trying to imagine how one could accomplish the same feature of distributing information anonymously in a "public place", but without giving the scientologists the ability to track a particular origination of the email, even remailers. Chaum's DC net idea is a useful approach. here I'd like to suggest another.

some time ago someone had the amusing idea of cutting up the PGP binary code, UUencoded, and putting all the zillions of pieces in people's signatures.
each person would send mail to the signature server to pick up one of the 1/n pieces, and they would put it in their messages. frankly, I think this was a great idea that we could explore some more. in a sense, it stores data "holographically" over all kinds of different people's messages.

imagine a system in which the scientology documents are stored in people's signatures, and someone writes software to go and recombine the documents based on finding signatures "out there". this could be applied to one newsgroup by having remailers post only tiny pieces of the material, but with enough on the newsgroup at any time to recombine them all with the software, but far too many pieces for the scientologists to attack all the remailers they are sent through. (people could post them through their regular email addresses). furthermore anyone posting a piece has a sort of minor plausible deniability. ("I just copied the signature from so-and-so as a protest, I have no idea what it refers to")

==

this all suggests to me the following idea. suppose that some document has been created that someone wants censored. how could net citizens protest this censorship? one scheme would be for everyone to put a tiny piece of the document in their signatures. if you get enough people to do this, it may actually be the case that at any one time, just because of the randomness of all the pieces available, the news server has enough messages archived for a program to scan the message directories and reconstruct the documents from all the pieces that are found. these "pieces" could even be stored solely in the netnews header fields.

another idea involves the concept behind "spread spectrum". in this system, little pieces of data are spit out in different places, or channels, and the source and the receiver are scanning the exact same channel at the same time based on exact synchronization.
I guess an analogy to usenet would be tiny pieces of data showing up in seemingly random newsgroups, but which are followed or "caught" exactly by the "reconstruction software". some interesting ideas related to steganography that some people might like to play with.

==

for a model of the scientology problem, it appears that what we have is a set of email addresses (S) and a public forum that essentially reaches some large subset of these people (S2). a person wishes to send out a secret document to S2, but he can't do so by posting to the forum, because then the censors "see" him and shut him down. but what he *can* do is send lots of pieces to a group of people in S, and each of these people individually posts their piece. (the censors have no control over mail sent between individuals, only that posted collectively). possibly, then, there is no single target of "who posted the material" for the censors to clamp down on, and the information eventually can be reconstructed by all S2.

==

key ways what I am proposing is different than some of the other "cut up the anonymous messages and recombine" proposals out there:

1. the recombination is not done by a remailer. it is done by anyone who can run software on the newsserver (i.e. reading the directories). the scientologists or "censors" cannot tell who is doing this.

2. the messages are not completely comprised of the data to be sent. the data could be stored in headers or the signatures of otherwise "legitimate" messages.

note that the same scheme could be applied to web pages. you could store a document "holographically" in which pieces are obtained at all kinds of different URLs. it would be laughable for the censors to try to get court orders against individual pieces. and furthermore, the entire document is not stored anywhere "out there" in particular but recombined by anyone. the scientologists don't know who.

note that I am giving the scientologists a lot more credit for their enmity than they deserve.
they have mostly lost their war already in many ways, and they aren't a very serious threat to cyberspace in general, imho. they have shown an amazingly unabated aggression & zeal against remailer operators, however, something that could possibly be derailed with a little ingenuity.

From ncognito at gate.net Sun May 26 15:52:45 1996
From: ncognito at gate.net (Ben Holiday)
Date: Mon, 27 May 1996 06:52:45 +0800
Subject: nCognito is Dead..
In-Reply-To:
Message-ID:

Well I have been given my notice to terminate the remailers running at this account. Make a note to remove ncognito from your type2.list, and those running pingers, please remove nCognito as soon as it's convenient.

Below I've quoted verbatim the request to shut down that I received. PLEASE note that there is no mention of FBI, NSA, or Co$. :) The request is the result of some errors that mix generated while I was making changes, that resulted in the administration at gate.net noticing the remailer. Frankly, I can't blame them given the current legal climate.

Although I would have liked to continue operating the remailers, I must admit that I'll sleep better at night now that it's gone.

BTW: Does anyone know of a few ISPs that accept cash and don't require verification of your identity? :)

-----------------------------------------------------------------------------
>From gli at gate.net Sat May 25 15:51:35 1996
Date: Sat, 25 May 1996 15:45:19 -0400 (EDT)
From: gli at gate.net
To: Ben Holiday
Subject: Re: Problems with your mail mix program

Please note that CyberGate does not support remailer program so please stop running it on gate.net immediately. Repeated violation will cause your login privilege compromised. Your cooperation will be appreciated.

Gary Li
Systems Administrator
CyberGate, Inc.
--------------------------------------------------------------------------

From jimbell at pacifier.com Sun May 26 16:04:20 1996
From: jimbell at pacifier.com (jim bell)
Date: Mon, 27 May 1996 07:04:20 +0800
Subject: [SCARE]: "If you only knew what we know..."
Message-ID: <199605252140.OAA04527@mail.pacifier.com>

At 10:39 AM 5/25/96 -0400, Subir Grewal wrote:
>I think an insight your analysis may benefit by is that certain
>institutions/societal norms create incentives for "corrupt politicians".
>Hayek argues against the "benevolent dictator" concept because he says no
>gentle person would ever aspire to be a dictator. The system itself calls
>for people who are ruthless to take the reins. A similar argument can be
>made for the various functions of a modern democracy (like the US). It is
>rarely that we hear of a considerate IRS auditor, or a principled
>politician. The structures themselves call for and promote those who (in
>that an individual is more successful if they) are corrupt, power-hungry,
>unprincipled and ruthless.

Which means that attempting to clean up the system by half-measures is doomed to failure, wouldn't you say?

>As for Assassination Politics, I can understand such proposals in jest.

Ironically, I originally proposed it to myself in jest. However, I quickly realized that there was far more to it than a joke. I went through most of the objections that were later commonly raised against it, and then concluded that those objections were invalid. I also noted that most people recognized the flaws in those objections after they were explained to them. It has the prospect of enormously changing society. Too many pieces fell into place, like a jigsaw puzzle. This system is NOT an accident; it is fundamental. Admittedly, it is still a bit scary, because of the depth of its changes, but that does not make it wrong!

> I too say things to appear controversial.

AP was not publicized "to appear controversial."
I think it's "controversial" simply because it is so different from the current system, and those in power in that system (and their sympathizers) realize how serious and enormous such a change would be.

> As a serious political structure, however, it is reprehensible.

Unfortunately, that's not a particularly specific claim. "reprehensible"? I'd call the current system reprehensible. Why should the government be able to put over a million people in prison, most for victimless drug crimes? Why should the government be able to start a war and send millions of people against their will, and thousands to die (as in Vietnam)? Why should there be repeated mass killings (Armenia, Russia, Germany, China, Uganda, Cambodia, Rwanda, etc)? If you could show that the current system had somehow been fixed to prevent these kinds of incident, you might have a point, but you cannot.

Your claim is also biased: Everything you think about the term, "political," is based on the kind of systems you know and have known. For you, and most of us, politics is just about defined as that system by which a small number of people manipulate a larger number, ostensibly guided by the wishes of the larger number.

> Murder cannot be condoned (as a pacifist,
>the argument that politicians create wars and must be killed for that
>reason does not hold much water for me)

Then you need to learn to be more consistent. While you may, indeed, be a pacifist, most of the rest of us see nothing wrong with the concept of self-defense. You may argue as to what's really self-defense and what isn't, but the reality is that government engages in violence and the threat of violence regularly. Are you, by your statements, implicitly tolerating violence by government that you wouldn't tolerate from individuals? It is easy to fall into such a trap.

>and the proponents of such systems
>would do well to look more closely at the systemic ills rather than individuals.

Why?
Isn't it possible that it is not possible to reform a system because embedded within it is a fundamental flaw which makes real freedom impossible? The current system is hierarchically structured, and results in situations where millions die in the place of the very few. I'd say that's a serious, systemic flaw that needs fixing.

> The argument that AP is an institutional dis-incentive for
>"bad" representatives that offsets other incentives is problematic since I
>do not believe the methods are just.

I invite you to provide an alternative solution.

Jim Bell
jimbell at pacifier.com

From mpj at csn.net Sun May 26 16:05:40 1996
From: mpj at csn.net (Michael Johnson)
Date: Mon, 27 May 1996 07:05:40 +0800
Subject: Where is PGP?
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP) FAQ

Revised 24 May 1996

Disclaimer -- I haven't recently verified all of the information in this file, and much of it is probably out of date. For questions not covered here, please read the documentation that comes with PGP, get one of the books mentioned below, or search for other relevant FAQ documents at rtfm.mit.edu and on the alt.security.pgp news group.

A NOTE FROM THE FAQ MAINTAINERS

Peter Herngaard is taking over the maintenance of this FAQ until further notice. Some of you sent me (Mike Johnson) corrections and suggestions for this FAQ, and I stored them away on my hard disk to edit from. Then, Windows 95 got indigestion (induced by a sound card) and destroyed all of the data in that partition. If you suggested changes and they aren't in this FAQ, please send them to Peter Herngaard .

WHAT IS THE LATEST VERSION OF PGP?

Viacrypt PGP (commercial version): 2.7.1 (4.0 is due out Real Soon Now)
MIT & Philip Zimmermann (freeware, USA-legal): 2.6.2
Staale Schumacher's International variant: 2.6.3i for non-USA (2.6.3ai source code only); 2.6.3 for USA

WHERE CAN I GET VIACRYPT PGP?

Just call 800-536-2664 and have your credit card handy.

WHERE IS PGP ON THE WORLD WIDE WEB?

U.S. only availability:
PGP: http://web.mit.edu/network/pgp-form.html
PGPfone: http://web.mit.edu/network/pgpfone

International availability:
PGP and PGPfone: http://www.ifi.uio.no/pgp/

WHERE CAN I FTP PGP IN NORTH AMERICA?

If you are in the USA or Canada, you can get PGP by following the instructions in any of:
ftp://net-dist.mit.edu/pub/PGP/README
ftp://ftp.csn.net/mpj/README.MPJ
ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS
ftp://ftp.csua.berkeley.edu/pub/cypherpunks/pgp/
ftp://ftp.gibbon.com/pub/pgp/README.PGP
ftp://ftp.wimsey.bc.ca/pub/crypto/software/README

WHERE IS PGP ON COMPUSERVE?

GO NCSAFORUM. Follow the instructions there to gain access to Library 12: Export Controlled.

AOL

Go to the AOL software library and search "PGP" or ftp from ftp://ftp.csua.berkeley.edu/pub/cypherpunks/pgp or another site listed above. It is possible to get PGP from ftp sites with hidden directories with the following trick: (1) View the README file with the hidden directory name in it, then quickly (2) Start a new ftp connection, specifying the hidden directory name with the ftp site's address, like ftp.csn.net/mpj/I_will_not_export/crypto_xxxxxxx (where the xxxxxxx is replaced with the current character string).

WHAT BULLETIN BOARD SYSTEMS CARRY PGP?

MANY BBS carry PGP. The following carry recent versions of PGP and allow free downloads of PGP.

US

303-343-4053 Hacker's Haven, Denver, CO
303-772-1062 Colorado Catacombs BBS, Longmont CO
8 data bits, 1 stop, no parity, up to 28,800 bps. Use ANSI terminal emulation. For free access: log in with your own name, answer the questions.
314-896-9309 The KATN BBS
317-887-9568 Computer Virus Research Center (CVRC) BBS, Indianapolis, IN
Login First Name: PGP Last Name: USER Password: PGP
501-791-0124, 501-791-0125 The Ferret BBS, North Little Rock, AR
Login name: PGP USER Password: PGP
506-457=0483 Data Intelligence Group Corporation BBS
508-668-4441 Emerald City, Walpole, MA
601-582-5748 CyberGold BBS
612-690-5556, !CyBERteCH SeCURitY BBS! Minneapolis MN
914-667-4567 Exec-Net, New York, NY
915-587-7888, Self-Governor Information Resource, El Paso, Texas

GERMANY

+49-781-38807 MAUS BBS, Offenburg - connected to MausNet
+49-521-68000 BIONIC-BBS Login: PGP

WHERE CAN I FTP PGP CLOSE TO ME?

IT ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP
FI ftp://ftp.funet.fi/pub/crypt/pgp/
NL ftp://ftp.nl.net/pub/crypto/pgp
   ftp.nic.surfnet.nl/surfnet/net-security/encryption/pgp
NO ftp://menja.ifi.uio.no/pub/pgp/
NZ ftp://ftphost.vuw.ac.nz
SE ftp://leif.thep.lu.se
TW ftp://nctuccca.edu.tw/PC/wuarchive/pgp/
UK ftp://ftp.ox.ac.uk/pub/crypto/pgp

HOW CAN I GET PGP BY EMAIL?

If you have access to email, but not to ftp, send a message saying "help" to ftpmail at decwrl.dec.com or mailserv at nic.funet.fi

WHERE CAN I GET MORE PGP INFORMATION?

http://www.csn.net/~mpj
http://www.mit.edu:8001/people/warlord/pgp-faq.html
http://www.eff.org/pub/EFF/Issues/Crypto/ITAR_export/cryptusa_paper.ps.gz
ftp://ds.internic.net/internet-drafts/draft-pgp-pgpformat-00.txt
ftp://ds.internic.net/internet-drafts/draft-ietf-pem-mime-08.txt
http://www-mitpress.mit.edu/mitp/recent-books/comp/pgp-source.html
http://web.cnam.fr/Network/Crypto/ (in French)
http://web.cnam.fr/Network/Crypto/survey.html (in English)
http://www2.hawaii.edu/~phinely/MacPGP-and-AppleScript-FAQ.html
http://www.pgp.net/pgp
http://www.sydney.sterling.com:8080/~ggr/pgpmoose.html
http://www.ifi.uio.no/pgp/
http://inet.uni-c.dk/~pethern/privacy.html

WHAT ARE SOME GOOD PGP BOOKS?

Protect Your Privacy: A Guide for PGP Users
by William Stallings
Prentice Hall PTR
ISBN 0-13-185596-4
US $19.95

PGP: Pretty Good Privacy
by Simson Garfinkel
O'Reilly & Associates, Inc.
ISBN 1-56592-098-8
US $24.95

E-Mail Security: How to Keep Your Electronic Mail Private
"Covers PGP/PEM"
by Bruce Schneier
Wiley Publishing

The Computer Privacy Handbook: A Practical Guide to E-Mail Encryption, Data Protection, and PGP Privacy Software
by André Bacard
Peachpit Press
ISBN 1-56609-171-3
US $24.95
800-283-9444 or 510-548-4393

THE OFFICIAL PGP USER'S GUIDE
by Philip R. Zimmermann
MIT Press
April 1995 - 216 pp. - paper - US $14.95 - ISBN 0-262-74017-6 ZIMPP
Standard PGP documentation neatly typeset and bound.

PGP SOURCE CODE AND INTERNALS
by Philip R. Zimmermann
April 1995 - 804 pp. - US $55.00 - 0-262-24039-4 ZIMPH

How to Use PGP, 61 pages, (Pub #121) from the Superior Broadcasting Company, Box 1533-N, Oil City, PA 16301, phone: (814) 678-8801 (about US $10-$13).

IS PGP LEGAL?

Pretty Good Privacy is legal if you follow these rules:

Don't export PGP from the USA except to Canada, or from Canada except to the USA, without a license.

If you are in the USA, use either Viacrypt PGP (licensed for commercial use) or MIT PGP using RSAREF (limited to personal, noncommercial use). Outside of the USA, where RSA is not patented, you may prefer to use a version of PGP (2.6.3i) that doesn't use RSAREF to avoid the restrictions of that license.

If you are in a country where the IDEA cipher patent holds in software (including the USA, Canada, and some countries in Europe), make sure you are licensed to use the IDEA cipher commercially before using PGP commercially. (No separate license is required to use the freeware PGP for personal, noncommercial use). For direct IDEA licensing, contact Ascom Systec:

Erhard Widmer, Ascom Systec AG, Dep't. CMVV Phone +41 64 56 59 83
Peter Hartmann, Ascom Systec AG, Dep't. CMN Phone +41 64 56 59 45
Fax: +41 64 56 59 90
e-mail: IDEA at ascom.ch
Mail address: Gewerbepark, CH-5506 Maegenwil (Switzerland)

Viacrypt has an exclusive marketing agreement for commercial distribution of Philip Zimmermann's copyrighted code. (Selling shareware/freeware disks or connect time is OK). This restriction does not apply to PGP 3.0, since it is a complete rewrite by Colin Plumb.

If you modify PGP (other than porting it to another platform, fixing a bug, or adapting it to another compiler), don't call it PGP (TM) or Pretty Good Privacy (TM) without Philip Zimmermann's permission.

IMPORTANT: Please note that there is an official distribution site for MIT PGP and another for the International version:

WorldWideWeb references:
U.S/Canada non-commercial use: http://web.mit.edu/network/pgp-form.html
Norway/International non-commercial use: http://www.ifi.uio.no/pgp/
U.S. commercial use: http://www.viacrypt.com

WHAT IS PHILIP ZIMMERMANN'S LEGAL STATUS?

Philip Zimmermann was under investigation for alleged violation of export regulations, with a grand jury hearing evidence for about 28 months, ending 11 January 1996. The Federal Government chose not to comment on why it decided to not prosecute, nor is it likely to. The Commerce Secretary stated that he would seek relaxed export controls for cryptographic products, since studies show that U. S. industry is being harmed by current regulations. Philip endured some serious threats to his livelihood and freedom, as well as some very real legal expenses, for the sake of your right to electronic privacy. The battle is won, but the war is not over. The regulations that caused him so much grief and which continue to dampen cryptographic development, harm U. S. industry, and do violence to the U. S. National Security by eroding the First Amendment of the U. S. Constitution and encouraging migration of cryptographic industry outside of the U. S. A. are still on the books. If you are a U. S. Citizen, please write to your U. S. Senators, Congressional Representative, President, and Vice President pleading for a more sane and fair cryptographic policy.

WHERE CAN I GET WINDOWS & DOS SHELLS FOR PGP?

http://www.dayton.net/~cwgeib
ftp://oak.oakland.edu/SimTel/msdos/security/apgp22b.zip
http://alpha.netaccess.on.ca/~spowell/crypto/pwf31.zip
ftp://ftp.netcom.com/pub/dc/dcosenza/pgpw40.zip
ftp://ftp.firstnet.net/pub/windows/winpgp/pgpw40.zip
http://www.eskimo.com/~joelm (Private Idaho)
ftp://ftp.eskimo.com/~joelm
http://www.xs4all.nl/~paulwag/security.htm
http://www.LCS.com/winpgp.html
http://netaccess.on.ca/~rbarclay/index.html
http://netaccess.on.ca/~rbarclay/pgp.html
ftp://ftp.leo.org/pub/comp/os/os2/crypt/gcppgp10.zip
ftp://ftp.leo.org/pub/comp/os/os2/crypt/pmpgp.zip
http://iquest.com/~aegisrcs

WHAT OTHER FILE ENCRYPTION (DOS, MAC) TOOLS ARE THERE?

PGP can do conventional encryption only of a file (-c) option, but you might want to investigate some of the other alternatives if you do this a lot. Alternatives include Quicrypt and Atbash2 for DOS, DLOCK for DOS & UNIX, Curve Encrypt (for the Mac), HPACK (many platforms), and a few others. Quicrypt is interesting in that it comes in two flavors: shareware exportable and registered secure. Atbash2 is interesting in that it generates ciphertext that can be read over the telephone or sent by Morse code. DLOCK is a no-frills strong encryption program with complete source code. Curve Encrypt has certain user-friendliness advantages. HPACK is an archiver (like ZIP or ARC), but with strong encryption. A couple of starting points for your search are:

U.S. only availability:
ftp://ftp.csn.net/mpj/qcrypt11.zip
ftp://ftp.csn.net/mpj/README
ftp://ftp.miyako.dorm.duke.edu/pub/GETTING_ACCESS

International availability:
ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/file/
ftp://ftp.dsi.unimi.it/pub/crypt/code/

HOW DO I SECURELY DELETE FILES (DOS)?

If you have the Norton Utilities, Norton WipeInfo is pretty good.
I use DELETE.EXE in del110.zip, which is really good at deleting existing files, but doesn't wipe "unused" space. US ftp://ftp.csn.net/mpj/public/del120.zip NL ftp://utopia.hacktic.nl/pub/replay/pub/security/del120.zip UK ftp://ftp.demon.co.uk/pub/ibmpc/security/realdeal.zip WHAT DO I DO ABOUT THE PASS PHRASE IN MY WINDOWS SWAP FILE? The nature of Windows is that it can swap any memory to disk at any time, meaning that all kinds of interesting things could end up in your swap file. ftp://ftp.firstnet.net/pub/windows/winpgp/wswipe.zip WHERE DO I GET PGPfone(tm)? PGPfone is in beta test for Macintosh and Windows'9 users. The MIT has shut down their ftp distribution of PGPfone for Macintosh and Windows'95, so within the U.S/Canada you must obtain PGPfone using a WorldWideWeb browser. U.S. only availability: http://web.mit.edu/network/pgpfone International availability: DK ftp://ftp.datashopper.dk/pub/users/pethern/pgp/ NL ftp://utopia.hacktic.nl/pub/replay/pub/voice/ NO ftp://menja.ifi.uio.no/pub/pgp/mac/ ftp://menja.ifi.uio.no/pub/pgp/windows/ WHERE DO I GET NAUTILUS? Bill Dorsey, Pat Mullarky, and Paul Rubin have come out with a program called Nautilus that enables you to engage in secure voice conversations between people with multimedia PCs and modems capable of at least 7200 bps (but 14.4 kbps is better). See: U.S. only availability: ftp://ripem.msu.edu/pub/crypt/GETTING_ACCESS ftp://ripem.msu.edu/pub/crypt/other/nautilus-phone-0.9.2-source.tar.gz ftp://ftp.csn.net/mpj/README ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS International availability: ftp://ftp.ox.ac.uk/pub/crypto/misc ftp://utopia.hacktic.nl/pub/replay/pub/voice/ The official Nautilus homepage is at: http://www.lila.com/nautilus/ HOW DO I ENCRYPT MY DISK ON-THE-FLY? Secure File System (SFS) is a DOS device driver that encrypts an entire partition on the fly using SHA in feedback mode. Secure Drive also encrypts an entire DOS partition, using IDEA, which is patented. 
Secure Device is a DOS device driver that encrypts a virtual, file-hosted volume with IDEA. Cryptographic File System (CFS) is a Unix device driver that uses DES. CryptDisk is a ShareWare package for Macintosh that uses strong IDEA encryption like PGP. U.S. only availability: ftp://ftp.csn.net/mpj/README ftp://miyako.dorm.duke.edu/mpj/crypto/disk/ International availability: http://www.cs.auckland.ac.nz/~pgut01/sfs.html ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/disk/ ftp://ftp.nic.surfnet.nl/surfnet/net-security/encryption/disk/ ftp://ftp.ox.ac.uk/pub/crypto/misc/ ftp://menja.ifi.uio.no/pub/pgp/mac/ ftp://utopia.hacktic.nl/pub/replay/pub/disk/ WHERE IS PGP'S COMPETITION? RIPEM is the second most popular freeware email encryption package. I like PGP better for lots of reasons, but if for some reason you want to check or generate a PEM signature, RIPEM is available at ripem.msu.edu. There is also an exportable RIPEM/SIG. U.S. only availability: ftp://ripem.msu.edu/pub/GETTING_ACCESS International availability: ftp://ftp.dsi.unimi.it/pub/crypt/code/ HOW DO I PUBLISH MY PGP PUBLIC KEY? Send mail to one of these addresses with the single word "help" in the subject line to find out how to use them. These servers sychronize keys with each other. There are other key servers, too. pgp-public-keys at keys.pgp.net pgp-public-keys at keys.de.pgp.net pgp-public-keys at keys.no.pgp.net pgp-public-keys at keys.uk.pgp.net pgp-public-keys at keys.us.pgp.net WWW interface to the key servers: http://www.pgp.net/pgp/www-key.html http://www-swiss.ai.mit.edu/~bal/pks-toplev.html For US $20/year or so, you can have your key officially certified and published in a "clean" key database that is much less susceptible to denial-of-service attacks than the other key servers. Send mail to info-pgp at Four11.com for information, or look at http://www.Four11.com/ Of course, you can always send your key directly to the parties you wish to correspond with by whatever means you wish. 
CAN I COPY AND REDISTRIBUTE THIS FAQ?

Yes. Permission is granted to distribute unmodified copies of this FAQ. Please e-mail comments to Peter Herngaard

Look for the latest html version of this FAQ at http://inet.uni-c.dk/~pethern/getpgp.html

From grewals at acf2.nyu.edu Sun May 26 16:05:53 1996
From: grewals at acf2.nyu.edu (Subir Grewal)
Date: Mon, 27 May 1996 07:05:53 +0800
Subject: [SCARE]: "If you only knew what we know..."
In-Reply-To: <199605252140.OAA04527@mail.pacifier.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Sat, 25 May 1996, jim bell wrote:

:Which means that attempting to clean up the system by half-measures is
:doomed to failure, wouldn't you say?

The exception I took to your proposal was that it seemed like a half-measure to me. From what I understand of it the proposal is that elected officials who "do wrong" (or violate a particular code of conduct) should be killed. I would suggest that this is problematic because it does nothing to solve the ills of the system, simply clears those players whom a particular set of people do not believe are playing fairly/well.

:fundamental. Admittedly, it is still a bit scary, because of the depth of
:its changes, but that does not make it wrong!

Yes we do have fear the unfamiliar. I'm not sure I'd accept the claim that millions of offenders (I too find drug laws stifling, illogical and counter to the liberal ideal) are put in jail, deprived of their freedom by a particular set of people.
Drug laws are a reflection of the opinions held by many people in this country (and others), of course we wonder sometimes whether people have really thought about it or whether the "just say no" jingle was too irresistable, and the concept of "a war on drugs" another tool to define outsiders against whom to band against and maintain a cohesive identity. And the manner in which Americans (and indeed other peoples) have been whipped into fervour by the rhetoric that accompanies a war is truly frightening. But I reall don't think killing a few Presidents or Joint Chiefs of Staff or Prime Ministers will solve this (or anything). It seems as if you were trying to say that AP is acceptable because similar methods are employed by the state all the time. I will not defend the coercive actions of the state, but I do not believe they give one the right to coerce others, especially if they are removed from the actual act. :Then you need to learn to be more consistent. While you may, indeed, be a :pacifist, most of the rest of us see nothing wrong with the concept of :self-defense. You may argue as to what's really self-defense and what :isn't, but the reality is that government engages in violence and the :threat of violence regularly. Are you, by your statements, implicitly :tolerating violence by government that you wouldn't tolerate from :individuals? It is easy to fall into such a trap. But self-defense is not conductive either. To bring a rather fascinating example into this, in the 70s a group of students occupied a variety of buildings at NYU in protest against the Cambodian war. They set a bomb in our computing center that was defused just before it blew. But if it had detonated it would have destroyed a rather large computer (used for pure mathematical problems that the Dept. of Defense wished to incorporate into its Nuclear program) and a number of people standing outside the building. 
The rationale used was that this was "self-defense", the people of the world were banding together to protect each other from the actions of the state. While I sympathize with the feelings that led the activists to take such measures, I have no respect for their methods or the reasoning they employed to extend the argument for self-defense into a situation that had nothing to do with self-defense. No, I do not wish to condone the coercive actions of the state (and certainly not any violent ones), and certainly we all take exception to one or another act of the government machine. Incidentally, I do not believe the state has the right to take life in the quest for justice (aka the death penalty). A war against a foreign threat can be justified on grounds of self-defense. :>and the proponents of such systems would do well to look more closely :>at the systemic ills rather than individuals. : :Why? Isn't it possible that it is not possible to reform a system because :embedded within it is a fundamental flaw which makes real freedom :impossible? The current system is heirarchically structured, and results in :situations where millions die in the place of the very few. I'd say that's :a serious, systemic flaw that needs fixing. - From what I've gathered of AP, it attempts no radical reformation of "the system", simply adds another set of costs for individuals within the govt. to take into account. I don't think you're proposing a "true democracy" or absolute anarchy (without all the conotations of disorder, simply no-government), but rather a vigilante clause, I may have misunderstood you though. A minimalist state is generally considered desireable as it provides a framework within which individuals can engage in mutually beneficial interactions with each other. 
Our present structures do not "work" very well (though they have their redeeming factors when compared to other alternatives) and I'd say we need a greater degree of respect for personal liberty and individualism than is manifest in our institutions today, but these changes take place on a level very different from that of govt. the state is almost powerless when it comes to these metamorphoses in opinion. They take place through tradition and the spread of ideas not through legislation. The alternative I would suggest is an appreciation for the minimalist state (with the observation that there are some things the state does do very well, and which are desirable) and the liberty of the individual. Similarly a respect for life is in order, too often we think we're absolutely right and believe we should use "any means necessary" (no reflection on the misunderstood philosophy of Malcolm X)

hostmaster at trill-home.com * Symbiant test coaching * Blue-Ribbon * Lynx 2.5

WHERE CAN THE MATTER BE
Oh, dear, where can the matter be
When it's converted to energy?
There is a slight loss of parity.
Johnny's so long at the fair.

From mab at research.att.com Sun May 26 16:14:02 1996
From: mab at research.att.com (Matt Blaze)
Date: Mon, 27 May 1996 07:14:02 +0800
Subject: net-based key archival
Message-ID: <199605262005.QAA14953@nsa.tempo.att.com>

I've put a revised version of my "Key Escrow without Escrow Agents" abstract in my ftp directory, in PostScript and Latex formats.
ftp://research.att.com/dist/mab/netescrow.ps ftp://research.att.com/dist/mab/netescrow.tex -matt From vince at offshore.com.ai Sun May 26 17:47:55 1996 From: vince at offshore.com.ai (Vincent Cate) Date: Mon, 27 May 1996 08:47:55 +0800 Subject: 407 Arms Traffickers in first month of training Message-ID: In the first month the Arms Trafficker Training Page has helped 407 people to become Arms Traffickers. Here are the stats: International Arms Traffickers 407 Public List of Known Arms Traffickers 147 Letters to the president 83 Number of times page was read 2498 So about one arms trafficker for every 6 times the page is read (some people read the page more than once so the real ratio is better). Kind of fun that a web page can turn 1 out of 6 people into criminals. Thanks for your support both as arms traffickers and for linking to this page. It is off to a good start. For anyone who had missed it, the URL is: http://online.offshore.com.ai/arms-trafficker/ -- Vince Cate From weidai at eskimo.com Sun May 26 18:06:45 1996 From: weidai at eskimo.com (Wei Dai) Date: Mon, 27 May 1996 09:06:45 +0800 Subject: holographic remailing & the scientologists In-Reply-To: <199605252119.OAA00566@netcom7.netcom.com> Message-ID: On Sat, 25 May 1996, Vladimir Z. Nuri wrote: > frankly, I think this was a great idea that we could explore > some more. in a sense, it stores data "holographically" over > all kinds of different people's messages. imagine a system in which > the scientology documents are stored in people's signatures, > and someone writes software to go and recombine the documents > based on finding signatures "out there". This software already exists. Take a look at Disperse/Collect at http://www.eskimo.com/~weidai. Disperse splits a file into n base64 encoded pieces where any k of them can be used to reconstruct the original. 
Collect will search through an arbitrary collection of files (for example the entire news spool) for these pieces and automatically reconstruct everything that it finds.

Wei Dai

From orrin at redshift.com Sun May 26 18:06:46 1996
From: orrin at redshift.com (O. C. Winton WN1Z)
Date: Mon, 27 May 1996 09:06:46 +0800
Subject: e-mail gateways to usenet
Message-ID: <31A8D4FD.352B@redshift.com>

Wonder if anyone would consider posting a list of currently functioning e-mail ways to post to usenet. Would be useful for people like me who often use libraries' access to internet, and the libraries don't give newsgroup access.

orrin at redshift.com

From markm at voicenet.com Sun May 26 18:10:06 1996
From: markm at voicenet.com (Mark M.)
Date: Mon, 27 May 1996 09:10:06 +0800
Subject: Mixmaster version usable with POP?
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Sat, 25 May 1996, Lance Cottrell wrote:

> While there is not an "out of the box" version of Mixmaster like this, it
> would be easy to do. The UNIX POP clients I have seen just dump the mail
> into a mbox formatted file. A simple script could be written to yank out the
> messages one at a time, and feed them to Mixmaster (or mail-in or
> whatever). In fact, the more recent versions of Mixmaster should be able to
> swallow the file whole, pulling out the mixmaster messages itself. This
> modification was made to support "subway" remailers, which want to send a
> fixed number of messages (in one email) each time period.

On Linux this works:

popclient -3 -c POPHOSTNAME | formail -s mixmaster -R >> $MAIL

It will work on any system that has formail and popclient on it.
- -- Mark
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm at voicenet.com | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348
((2b) || !(2b)) | Old key now used only for signatures
"The concept of normalcy is just a conspiracy of the majority" -me

From carolann at censored.org Sun May 26 18:30:27 1996
From: carolann at censored.org (Censored Girls Anonymous)
Date: Mon, 27 May 1996 09:30:27 +0800
Subject: nCognito is Dead..
Message-ID: <2.2.16.19960526223322.258ff54a@primenet.com>

Long Live nCognito!

Member Internet Society - Certified BETSI Programmer - Webmistress
***********************************************************************
Carol Anne Braddock (cab8) carolann at censored.org 206.42.112.96
My Homepage The Cyberdoc
***********************************************************************
------------------ PGP.ZIP Part [017/713] -------------------
M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M
MF=O0H+*%(-S%&>S%+FS&
http://dcs.ex.ac.uk/~aba/export/

From jimbell at pacifier.com Sun May 26 18:31:42 1996
From: jimbell at pacifier.com (jim bell)
Date: Mon, 27 May 1996 09:31:42 +0800
Subject: "Key Escrow without Escrow Agents"
Message-ID: <199605262233.PAA16932@mail.pacifier.com>

At 01:56 PM 5/25/96 -0700, Vladimir Z. Nuri wrote:
>
>I can see that you might create a code of law that determines
>what procedures that these "distributed key juries" are supposed
>to follow. but like our legal system, the interpretation and
>application is ultimately left up to them.
> >an interesting system, that is commendable for trying to >find a compromise between two seemingly irreconcilable polarities >(privacy and surveillance) but I doubt anyone in law enforcement >(with the mindset, "I can't be stopped from doing my job as I >see fit or criminals will get away") would go for it in the current form. But as long as key-escrow is claimed to be "voluntary," then the police should be happy if it is used at all. If they object that it is possible somebody won't agree that the person involved shouldn't have his data revealed, we can remind them that the jury system prevents conviction if not all of the jury agrees as to guilt. This is no worse than having, say, 12 key-escrow organizations and allowing any one to not reveal the correct key. Naturally, it will be necessary to ensure that they can refuse without anyone else knowing who opted out... Jim Bell jimbell at pacifier.com From markm at voicenet.com Sun May 26 18:33:11 1996 From: markm at voicenet.com (Mark M.) Date: Mon, 27 May 1996 09:33:11 +0800 Subject: nCognito is Dead.. In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sat, 25 May 1996, Ben Holiday wrote: > > Well I have been given my notice to terminate the remailers running at > this account. Make a note to remove ncognito from your type2.list, and > those running pingers, please remove nCognito as soon as its convenient. > > Below i've quoted verbatim the request to shutdown that I received. PLEASE > note that there is no mention of FBI, NSA, or Co$. :) The request is the > result of some errors that mix generated while I was makeing changes, that > resulted in the administration at gate.net noticing the remailer. Frankly, > I cant blame them given the current legal climate. > > Although I would have liked to continute operating the remailers, I must > admit that I'll sleep better at night now that its gone. > > BTW: Does anyone know of a few ISP's that accept cash and dont require > verification of your identity? 
:)

C2 (http://www.c2.org) and I think Cyberpass (http://www.cyberpass.net) both allow anonymous accounts. There was also a list of offshore ISP's posted a while ago. I am looking into getting an account on one of these myself.

P.S. For you non-UNIX types, I am currently in the process of writing a program that will automatically install an anonymous remailer on a UNIX account. It should be ready for release in the next couple of days.

- -- Mark
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm at voicenet.com | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348
((2b) || !(2b)) | Old key now used only for signatures
"The concept of normalcy is just a conspiracy of the majority" -me

From jf_avon at citenet.net Sun May 26 19:43:01 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Mon, 27 May 1996 10:43:01 +0800
Subject: [SCARE]: "If you only knew what we know..."
Message-ID: <9605262337.AA24223@cti02.citenet.net>

On 26 May 96 at 12:23, Subir Grewal wrote:

> the
> struggle does not always have to be violent, and it hurts our cause
> to instigate violence when none has been used directly against us.

How would you qualify the seizing of 50+ % of our productive work? Since only the productive work permits an individual to live, could you say that they steal half of your life? Why not? Then, any tax man targeted by AP who is past 1/2 the life expectancy is getting an "eye for an eye" or better deal...

Are you telling that giving your wallet to a mugger is not done under violence directed against you since he did not shoot you or beat you in the first place?
Do you tell me that the fact that he did not use his gun means that there is no violence implied? Under every pile of red-tape lies a fully loaded gun. And *this* is what gives govt employees their attitude toward you. Just some thoughts. Ciao JFA ...and actually, I am not even on CP mailing list... PLEASE NOTE: THIS POST DOES NOT MEAN THAT I ENDORSE MR. BELL'S SYSTEM. MY RATIONNAL CONCLUSIONS ABOUT IT'S INTERNAL MECHANICS AND IT'S INTRINSIC LOGICS DOES NOT MEAN THAT I LIKE NOR ENDORSE THE SYSTEM. I SIMPLY CONCLUDED THAT IT IS IMPOSSIBLE TO PREVENT THE SYSTEM FROM BEING IMPLEMENTED. IMO, IT IS UNAVOIDABLE. DePompadour, Societe d'Importation Ltee Limoges porcelain, Silverware and mouth blown crystal glasses JFA Technologies, R&D consultants. Physists, technologists and engineers. PGP keys at: http://w3.citenet.net/users/jf_avon ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891 From jimbell at pacifier.com Sun May 26 19:50:54 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 27 May 1996 10:50:54 +0800 Subject: [SCARE]: "If you only knew what we know..." Message-ID: <199605262337.QAA18778@mail.pacifier.com> At 12:23 PM 5/26/96 -0400, Subir Grewal wrote: >On Sat, 25 May 1996, jim bell wrote: > >:At 09:48 PM 5/25/96 -0400, Subir Grewal wrote: >:How "removed" do they have to be to be innocent, in your opinion? > >If they didn't pull the trigger or give the order, they're innocent. >Making these criteria any laxer will cause problems as more and more >people are drawn into the category of offenders, pretty soon you're the >only victim, everyone else is out there to steal from you or assist in the >theft. Qualitatively, perhaps. But quantitatively, no. I think that blame for any given situation or government behavior will be distributed in a reasonably fair fashion, with those directly responsible for abuse becoming "dead meat" while those on the periphery only marginal targets. Your generous interpretation of their guilt is certainly not binding on me. 
And in any case the fact that the people involved will usually be able to resign will be a logical "out." >:Nuclear bomb design. Done with funds stolen from taxpayers. Done to >:protect the leadership of this country, not the public. > >Pure mathematics as far as the people working at the lab were concerned. >You really think if the receptionist had died, it would have been >self-defense? A couple of kids died in computer labs at other schools >where this happened, they were there feeding punched cards into the >machines. Somehow that doesn't sound right to me. I agree. Which is why I'd much prefer a method to preferentially target a relatively smaller number of people, and I've invented (discovered?) just such a system. Why not let it work? >:And isn't it immoral for George Bush, for instance, to choose a solution >:that results in the deaths of tens of thousands of comparatively innocent >:Iraqis, both during and after the Gulf war, rather than bumping off Saddam >:Hussein? Think about it. Exactly why does he do the former, rather than >:the latter? > >And the Iranian leaders really think Clinton is an ungoldy kafir for >meeting Rushdie the apostate. Why not kill him, after all various >Americans have suggested this is a valid tactic? Why not kill those Iranian leaders, using AP? And if you're afraid they'll retaliate against "our" leaders, I see nothing wrong with that, either. It's the leaders who maintain the dispute. > Your methods will be used for ends you do not agree with. Hey, I realized that long ago! But I'm not under any illusion that this system can be molded to conform to my wishes alone: If I could, I'd become a dictator and the cycle of tyranny would continue. > From what I've learnt of the Gulf >war (I was reading most of the time, kept away from the TV), they did try >very hard to kill Sadaam Hussein, but got nowhere. "Very hard"? If they'd tried "very hard" they would have succeeded. 
No, the various leadership groups controlling different countries have far more in common with each other than with the ordinary citizens. They all are perfectly aware that if a precedent is established that killing the leadership is to be used to solve a dispute, eventually they'll all be dead. Thus, they reject this solution like the plague. The government only pretends to not be able to succeed at this task in order to assuage the natural desires of the public. >As is apparent, >political leaders value their own lives more than they do those of the >foot-soldiers. Many among the foot-soldiers belive their lives would be >"brutish, nasty and short" without the mechanism of the state and are >willing to defend it and those who currently operate the machine. They are misled, of course. >Of >course George Bush I don't trust at all because the man was practically >glowing during "his war", anyone who enjoys a war, revels in it, is not >someone I admire, respect, or even talk to. However, when you propose >that we kill this person, I'm not going to stand with you either. Rest >assured, there will be many others waiting to take his place when he is >killed, and some of them will spell potato like the English feudal lords >did. The only reason there might be "many others waiting to take his place" is that assassination is actually a rare event. Make it easily accomplished, and who would want to take any politician's place? >:"Another set of costs"? Yikes! Read the essay, governments as we know them >:can't possibly survive post-AP. > >Oh no, I think they will survive post AP. The odds are quite high that >the people who are convinced to act on the AP philosophy will be branded >terrorists and become the objectives of many witch hunts the world over. Unless I capture the public's imagination, and they realize what kind of improvements it promises. Or, at least they recognize that opposition by those in government is entirely self-serving. >:Well, I disagree. 
Until recently, public opinion was almost entirely >:manufactured. It was a joint project of the government and the news media. > >I too think Chomsky has perceptive vision when it comes to the media. It doesn't take a great deal of perception to see this. The media and the government are dependent on each other: The media needs access to news, the government needs a pliable sounding board. Chomsky has gotten smart on this subject, a little bit late in my estimation. Chomsky's main advantage is that he's been a public figure for years, which means when HE spouts this stuff it's considered news. When we talk about it, it's ignored. >:Is there any significant likelihood that the people in power today will >:relinquish power absent a system such as AP? I'm not optimistic about that. > >No, noone "relinquishes" power. They fight to keep it, but the struggle >does not always have to be violent, It isn't that it "has to" be violent. Resignation is always an option. Problem is, they don't want to give up their positions of power. > and it hurts our cause to instigate >violence when none has been used directly against us. That depends entirely on what your definition of instigating violence really is. I happen to believe that the act of collecting taxes, involuntarily, IS the "instigation of violence" even if the victim gives up his assets without a fight, if there is the prospect of eventual violence should he refuse to cooperate. Until you see this, you'll have a warped view of the propriety of AP, not to mention the libertarian non-initiation of force principle. (NIOFP.) 
Jim Bell jimbell at pacifier.com From alanh at infi.net Sun May 26 19:55:50 1996 From: alanh at infi.net (Alan Horowitz) Date: Mon, 27 May 1996 10:55:50 +0800 Subject: COMMUNITY CONNEXION ANNOUNCES WORLDWIDE BETA-TEST OF THE ANONYMIZER (fwd) Message-ID: Date: Sun, 26 May 1996 14:17:38 -0400 From: Ralph Jennett To: Alan Horowitz Of course the people at Community Connection know what you are up to when you use their service. From bruce at aracnet.com Sun May 26 20:00:51 1996 From: bruce at aracnet.com (Bruce Baugh) Date: Mon, 27 May 1996 11:00:51 +0800 Subject: Children's Privacy Act Message-ID: <2.2.32.19960527001900.006db418@mail.aracnet.com> At 09:15 PM 5/25/96, Chris Adams wrote: >particularly if he plans to resell it. It does make me wonder whether you could file a suit >against TRW for selling information about you, particularly since it could affect you >adversely and there is no guaruntee it is accurate. Thanks to existing laws, almost certainly not. If they satisfy the government, credit agencies don't have to worry much about what harm they might do to individuals. -- Bruce Baugh bruce at aracnet.com http://www.aracnet.com/~bruce From nobody at REPLAY.COM Sun May 26 20:27:51 1996 From: nobody at REPLAY.COM (Anonymous) Date: Mon, 27 May 1996 11:27:51 +0800 Subject: No Subject Message-ID: <199605262356.BAA05794@basement.replay.com> -----BEGIN PGP SIGNED MESSAGE----- We are pleased to announce the opening of the Czarevna Tatjana Mixmaster Remailer at tat at mindport.net. At present the remailer is configured to accept type2 messages only. Questions or comments should be directed to tatjana at mindport.net. Please note that some debugging is still in the works. An announcement of our complete confidence in the remailer's full and proper operation will be made presently. 
All official announcements will be signed with the following PGP key:

Mixmaster key information follows:

czarevna tat at mindport.net 0bd7631f6a2ca8c6a16f3e85a7526f43 2.0.3

From markm at voicenet.com Sun May 26 20:40:58 1996
From: markm at voicenet.com (Mark M.)
Date: Mon, 27 May 1996 11:40:58 +0800
Subject: e-mail gateways to usenet
In-Reply-To: <31A8D4FD.352B@redshift.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 26 May 1996, O. C. Winton WN1Z wrote:

> Wonder if anyone would consider posting a list of currently
> functioning e-mail ways to post to usenet. Would be useful for
> people like me who often use libraries' access to internet, and
> the libraries don't give newsgroup access.

There is a list at http://students.cs.byu.edu/~don/mail2news.html .
- -- Mark
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm at voicenet.com | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348
((2b) || !(2b)) | Old key now used only for signatures
"The concept of normalcy is just a conspiracy of the majority" -me

From markm at voicenet.com Sun May 26 21:56:18 1996
From: markm at voicenet.com (Mark M.)
Date: Mon, 27 May 1996 12:56:18 +0800
Subject: Quickremail v1.0b
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

I have just released Quickremail, a UNIX program that provides an easy interface to install an anonymous remailer. Just unzip and untar in your home directory, execute remailer-install.sh, and then you will have a fully functional remailer. You do not need root access to install it. It is available at http://www.voicenet.com/~markm/quickremail.1.0.b.tar.gz .
- -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xe3bf2169 http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348 ((2b) || !(2b)) | Old key now used only for signatures "The concept of normalcy is just a conspiracy of the majority" -me

From grewals at acf2.nyu.edu Sun May 26 22:24:22 1996
From: grewals at acf2.nyu.edu (Subir Grewal)
Date: Mon, 27 May 1996 13:24:22 +0800
Subject: [SCARE]: "If you only knew what we know..."
In-Reply-To: <199605262337.QAA18778@mail.pacifier.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 26 May 1996, jim bell wrote: :At 12:23 PM 5/26/96 -0400, Subir Grewal wrote: :Qualitatively, perhaps. But quantitatively, no. I think that blame for any :given situation or government behavior will be distributed in a reasonably :fair fashion, with those directly responsible for abuse becoming "dead meat" :while those on the periphery only marginal targets. Your generous :interpretation of their guilt is certainly not binding on me. And in any :case the fact that the people involved will usually be able to resign will :be a logical "out." Nor is your generous interpretation of the guilt of the peripheral binding on those who do not like them for whatever reason. Your suggestion is that open season be declared on those who work for the state (or are the state). Your claim is that one has to satisfy everyone (or the small minority that is unsatisfied might come out and kill you) and the only way that will happen is when there is no state at all.
Of course there are those who fervently believe in the socialist ideal and would probably feel justified in killing the do nothing libertarians (as opposed to old-style liberals, i.e. minimalists) who ostensibly form the state. For them, inaction might be sufficient cause to initiate an AP campaign. Now what happens if one group feels another group's AP campaign is directly hurting their interests (for a smaller/larger state). Isn't there the possibility that they will begin to assign to the other's AP leaders the status of the state (after all their AP campaign is determining the nature of the state, and we can begin a reverse AP campaign on them to halt that). The ideal of the minimalist state permits an out clause, so the socialists (or anyone who wants a paternal govt.) can form their own little community with their state acting as mother. If you envision "resigning" as a means of escaping being the target of AP, you must be aware that we don't forgive easily and there will be groups who wish to kill politicos who've "ruined our lives because of what they did x years ago". If those who begin AP campaigns on "retired" govt. employees will be "playing unfairly" and your system has a clause to tackle them, I can see a group using a succession of politicos (each of whom gains amnesty by retiring after a bit) to accomplish what they wish to. :I agree. Which is why I'd much prefer a method to preferentially target a :relatively smaller number of people, and I've invented (discovered?) just :such a system. Why not let it work? I'd prefer a system that doesn't "target" people at all. :Why not kill those Iranian leaders, using AP? And if you're afraid they'll :retaliate against "our" leaders, I see nothing wrong with that, either. :It's the leaders who maintain the dispute. Sure, and suppose the option is that there be no dispute at all. 
So Rushdie (or you or I) becomes the sacrificial lamb, precisely because the "leaders" value their own lives, but ostensibly to kill the "dispute" in the bud. One of the fundamental principles of justice is that it be commensurate (in some sense) to the crime, AP lacks that aspect. "Final solutions" are all it has, but final solutions aren't always desirable. :Hey, I realized that long ago! But I'm not under any illusion that this :system can be molded to conform to my wishes alone: If I could, I'd become :a dictator and the cycle of tyranny would continue. The question is not one of becoming a dictator, but rather one of what values will be protected, what freedoms will people have in the world/state you imagine. I think the values AP engenders are not the ones we want. We probably don't want to legitimize murder. It's difficult to operate in a vacuum of principles/values, we can't simply say, "well whatever people will want to happen will happen and why not give them that choice". Marx was not the first to point out that institutions influence our actions, that we are products of our times, that the choices we face are as much determined by our own preferences as they are by the world around us. AP will create an environment where, I believe, an undesirable set of options will be presented to each of us. This is the "outcome" argument, i.e. undesirable ends, the means themselves are reprehensible. :The only reason there might be "many others waiting to take his place" is :that assassination is actually a rare event. Make it easily accomplished, :and who would want to take any politician's place? Only the fanatic :It isn't that it "has to" be violent. Resignation is always an option. :Problem is, they don't want to give up their positions of power. You've heard about the elections where libertarian candidates ran for office with the objective of doing away with the office if they were elected.
I believe one such candidate won the election and came through on his promise. :That depends entirely on what your definition of instigating violence really :is. I happen to believe that the act of collecting taxes, involuntarily, IS :the "instigation of violence" even if the victim gives up his assets without :a fight, if there is the prospect of eventual violence should he refuse to :cooperate. Until you see this, you'll have a warped view of the propriety :of AP, not to mention the libertarian non-initiation of force principle. :(NIOFP.) As I've said, the minimalist state is desirable in my opinion. The most efficient system of taxation is the truly flat tax (i.e. a fixed amount for each individual), since each person derives approx. equivalent benefits from the minimalist state, their contributions are also equal. Each of us derives some benefits from the existence of the state, some of these benefits are non-exclusionary. Till these benefits are dependent on territory and jurisdiction taxation of those who reside within the jurisdiction/territory will have to be enforced. You must of course, be aware of the medieval practice of making an offender an "outlaw", i.e. not under the protection of any laws. These outlaws were then fair game for anyone. When we have arrived at the point where the free-rider problem does not exist for things like national defense (i.e. the shields won't exist over your property, and you'll enforce your ownership of it yourself) you will have the option (once again) of becoming an outlaw. I don't think it's going to be very pretty. To bring up another subject, we make compromises. I personally find socialists endearing and am willing to make certain compromises to live with them amicably. AP will draw battle-lines that will make such associations extremely hard to maintain. I'd rather not be the member of a "group" and have that membership/taint dictate the degree to which I can associate with a particular set of people.
AP, in providing "final solutions", will bring about a state of affairs where the actions of a particular group (which they think are legitimate and do not run counter to the rules of the game) will be unacceptable for another group and the "finality" of these actions will create rifts. Violence does not beget peace. hostmaster at trill-home.com * Symbiant test coaching * Blue-Ribbon * Lynx 2.5

From spyking at mne.net Sun May 26 22:29:44 1996
From: spyking at mne.net (SpyKing)
Date: Mon, 27 May 1996 13:29:44 +0800
Subject: Tempest Info
Message-ID: <9605270106.AA19474@mne.com>

RISE of the TEMPEST by Sarah Ellerman
Reprinted from Internet UnderGround Magazine June 1996 Edition Pg. 42 thru 46

The unmarked government van slows and stops. The agent inside puts down his coffee and starts in on the day's work: monitoring John Doe's computer, 10 blocks away. John is busy working on his Mac with the curtains pulled against the morning sunlight. The agent watches with great interest as John reads through the cryptography and privacy newsgroups, then downloads some fiction from alt.sex.stories. Everything that flashes by on John's monitor is videotaped for later review: the balance and payees of John's checking account, some decrypted e-mail that John assumed was private and an illegal copy of Adobe Photoshop. Is this scenario making you take stock of what appears on your computer screen? We all indulge in vices large and small, mentally shrugging, "Who will ever know?"
In everyday life, we usually manage to keep our transgressions secret, but when it comes to information flitting across our computer screens, the answer is that there are no secrets, thanks to a relatively new, obscure form of surveillance that's a threat to your privacy and your civil rights. It's so secret that the Feds refuse to even release its real name. Privacy advocates have filled the void by nicknaming this technology "TEMPEST," which stands for "Transient Electromagnetic Pulse Emanation Surveillance Technology." What it does is allow a simple scanning device to read the output from your monitor from up to one kilometer away. No one ever need enter your house to plant a bug or copy your floppies; it's non-invasive and virtually undetectable. You won't even know what hit you until your name gets put on a list of troublemakers or the marshals come busting down your door. Here's how it works: There is an electron gun in the back of your monitor which repeatedly fires electrons at your screen, causing different pixels to illuminate and form the text or graphics that you see. The gun sweeps rapidly up and down, sending an electromagnetic signal which constantly refreshes the information displayed on the screen. This signal doesn't stop at the perimeter of your computer; it continues expanding outwards, seeping through the ether much like a radio wave. Exposed cables act as inadvertent antennas, transmitting the contents of your screen across your neighborhood. Information even travels back along modem lines and power cords, back into the walls and out into the world. These signals can be easily reconstructed. What's more, a spy can differentiate between many different units operating in the same room. The signals don't conflict or jam each other as one might suspect. Even identical units send out distinct signals because of slight differences in the manufacturing of various components.
You may not think it, but your PC is hardly a self-contained unit storing information privy to you alone. In fact, you're better off thinking of it as a small-scale broadcast station operating out of your house. You may think, "So what if someone can see a screen?" Consider the test conducted by security professionals for the Technical Assistance Group at http://www.thecodex.com who actually jury-rigged their own Tempest scanning device and took it for a test drive in downtown Manhattan this spring. As described in an essay by CEO Frank Jones, their "DataScan" device (four years in the making) enabled them to "view CRT screens at ATM machines, banks, the local state lottery machine in a neighborhood candy store, a doctor's office, the local high school, the fire department, the local police department doing a DMV license plate check, a branch office of a securities trader making a stock trade and the local gas station (owner) tallying up his day's receipts...The U.S. Customs building (in NYC) leaks information as well as the Federal Reserve. Wall Street itself was a wealth of information for anyone interested. The World Trade Center was fertile. It afforded open parking areas nearby with millions of glass windows to snoop. We headed east toward the New York Post newspaper offices and read the latest news off their monitors (which was printed the next day). We headed north toward City Hall and NYPD Police Headquarters. Guess what? They're not Tempest-certified either...Neither is the United Nations, any of the midtown banks, Con Edison (the power company), New York Telephone on 42nd Street or Trump Tower!" Although this kind of eavesdropping has been featured in the media, most people are unaware of the ease with which spies can virtually look over their shoulder. Most react with incredulity swelling into anger and fear when the technology is demonstrated to them. However, specialists agree that the average person should not be unduly concerned with being spied on.
"No, by and large it's not used to crack down on the common criminal," says Winn Schwartau, author of Information Warfare and Security Insider Report. "You've got to look at the expense that goes into one of these things, the eavesdropping vans and equipment. It's not cheap stuff to do at the very highest levels. As a number of prosecutors have told me, 'I wish so many people wouldn't be so paranoid. They don't know we don't have the time or the budget to waste on them.' I wouldn't worry for the individual reader; I'd worry for the corporation that has something of value." Mike, an electronic surveillance specialist (who requested that we not print his last name) and proprietor of the Chicago-area Discreet Electronics and Security, Inc. at http://www.w2.com/docs2/z/spyshop.html, also warns the public to keep things in perspective. "Let's say you are invaded, and there's an outrage at the invasion. It may be that your federal rights were violated... but so what?" he says. "One variable in how to assess countermeasures and detection devices is to figure out how much damage could happen to you as a result of your privacy being invaded." What could someone find out from your screen that would be of enough value or interest for them to go to the trouble and expense of getting a crack at your intellectual property? Pure curiosity? Unlikely. A nasty divorce or child custody case? The pursuit of a suspected hacker? A suspicion that you stole company secrets? Maybe. "If, on the other hand, you're involved in something that's rather political, if you're suing an insurance company for a $500,000 worker's compensation claim, boy, there's a lot involved here," Mike says. "And they're going to do whatever they have to, believe it or not, to get their information."

GOOD NEWS BAD NEWS

Paranoid or protective U.S. citizens and companies can purchase snoop-proof "Tempest-certified" computers for their own use.
However, the high cost of such a secure system may be prohibitive to consumers, says Jules Rutstein, program manager for Secure Systems at Wang Federal, Inc. Even after paying through the nose, information on how the computer was modified to meet the undisclosed emissions standards is top-secret. Wang, found at http://www.wangfed.com, a leading supplier of computers to the government, offers an affordable alternative to Tempest products, called ZONE. Rutstein explains, "The ZONE alternative is a lighter version of the full Tempest program. The ZONE program is actually an endorsed program under NSA (the National Security Agency.)" The cost of ZONE protection is significantly less than Tempest-certified units, but Rutstein wouldn't provide IU with definitive figures. "We try to price our ZONE products at what we consider commercial prices. [I'm] ambivalent because it's so difficult to pin down prices on PC products today...We've been selling it from the position that you can purchase a ZONE product for virtually the same price as a normal system. It's not costing you any more." IU pressed to find the exact difference between the products, but emission levels are top secret information, and ZONE can only be measured as relative to Tempest. It is probably safe to say that ZONE products would be acceptable for the average consumer's privacy needs, which is good news for those concerned enough with security to purchase a new computer. The bad news is that you don't have the highest level of security. Information about exactly how the process works is veiled. Seminars on building Tempest-certified equipment are only available to persons with certain security clearances, and rumor has it that people attempting to talk about Tempest are often silenced with the excuse that they're creating a security threat. Rutstein says, "Tempest is a munitions controlled item, which means that the export of the product is controlled. . . 
Currently the only [foreign entities] we sell to are NATO governments." These prohibitions protect the U.S. from acts of terrorism, but the secrecy surrounding Tempest specifications creates a dilemma for citizens. The government's reticence about standards prevents us from properly shielding the normal computers we already own. We can guess what kind of emissions they're giving off and try to suppress them, but without cold hard data, we can never really be sure. Most people don't even know of the existence of the technology, much less the exact shielding specifications. "It is not possible for the average person to go to a database and find out what is Tempest certified and what is not. I believe that perhaps that's the way the government wants it," says Jones of the Technical Assistance Group. Jones feels that citizens should be able to test emanations on their own. He points out that "there are several ways of blocking unintended transmissions, but how effective are they? The people who manufacture shielding always say, 'it's great, it's effective,' but you don't really know. But now there is a way to test it. We built a room and we used woven shielding with the DataScan device and it did block emissions, but it didn't block them to their specs. We had to use close to twice what they thought was secure to actually make the room secure." Mike of Discreet Electronics and Security, Inc. also comes out in favor of defensive countermeasures, saying, "Used in the application of creating awareness, to show how vulnerable let's say, a bank could be, it actually serves a very high and valuable purpose. The idea here is to create an awareness, because most people don't know, and what's frightening is that they don't know that they don't know."

YEAH, BUT IS IT LEGAL?

Jones says it's somewhat unclear whether citizens can lawfully monitor electromagnetic emanations.
Depending on how one interprets the 1986 Electronic Communications and Privacy Act, it seems it could be legal. According to Jones, the 1986 measure covers, in depth, that "it is illegal to own, possess or use any device whose primary purpose is the surreptitious interception of oral or data communications." How does this apply to Tempest scanning devices? Well, that depends on how you define the word "data." Tempest works by picking up computer emanations that happen to seep into the ether, remember? Those electrons were not created to transfer information to another party; rather, they were created for putting images on a computer screen, many theorize. "The emanations are not communications, it's not 'data' by the definition of the word," Jones says. "They are spurious emissions that are nothing but white noise. It's garbage." So what about the Act's clause that forbids the "interception of intended communications?" That's where things get complicated, Schwartau admits. "The key word there is 'intended,' that's exactly correct," Schwartau says. "I've posed this question of Tempest interception to lawyers and judges. The operational phrase came out of some of the cellular interception, the mobile home phone interception: Those are intentional broadcasts, and interception of those is clearly illegal." Schwartau says that legal colleagues agree with Jones' assertion that intercepting unintentional, surreptitious emanations from electronic equipment is not illegal. "However, there have been other lawyers who've maintained--and these operate on the government side--that "we'd find a way to get you." In the end, no matter how brilliant an argument lawyers can make that such transmissions "don't count," there's only one interpretation that really matters: namely, the definition decided on by the government. "That is the end-all and be-all," says Mike of Discreet Electronics and Security, Inc. "If the government says it's illegal, then guess what? It's illegal."
So although the consensus may be that current law leaves a convenient loophole that technically permits Tempest monitoring, the prudent person shouldn't risk it. "I can modify a black-and-white television set, with seven cents in parts, to make it work. Does that make my TV illegal? No, of course not," says Schwartau. "The equipment that the government uses to monitor and test this type of equipment is open sale equipment. There are no clearances required." Schwartau believes that even while providers' motivations in selling Tempest scanning equipment may be questionable, it's clearly legal for them to sell the stuff. Using it is another question. "It's shaky ground if I'm going to go out and intercept the signals surreptitiously, but you also have to ask the question: How can you prosecute something that is passive and invisible?" That's a good point and a chief concern for privacy advocates. This monitoring is so non-invasive that most people will never even have a clue that they were spied on. Many fear that the government will abuse their privileged position as the keepers of Tempest standards and that the situation could turn into an unconstitutional, one-sided information war. As a consequence, there is a grass-roots movement of people learning to protect themselves. In his article "Tempest in a Teapot" at http://www.quadralay.com/www/Crypt/Tempest/tempest.html, Grady Ward notes that concerned computer users can take a number of simple steps to reduce compromising emanations. Ward suggests keeping cables between components as short as possible, to reduce the length of cable that acts as an antenna and to use only shielded cable which is wrapped with metal to keep emissions within the sheath. He recommends that users make sure that all computers and peripherals that they use meet the Federal Communications Commission's Class B standard which permits only one tenth the power of spurious emissions than the Class A standard.
Ward also instructs users to keep the cover on their computer, to mount telephone-line filter products at the jack of the modem and to snap metallic ferrite beads over all cables so that offending electromagnetic emissions are used up in a heat sink instead of being released into the air. Those who feel the need to protect truly valuable information can take further steps by altering the rooms in which they work. "You don't need the proverbial lead-lined room anymore," Jones says. "There are composite non-wovens that are similar to wallpaper that you can do a room in: the walls, the ceiling, the floors. Paste the stuff on the walls and then put paneling or regular wallpaper over it, and it pretty much makes the room secure. It blocks the electromagnetic emissions from going out. There also is translucent shielding similar to the sun tinting in an automobile that you put on the windows." Schwartau offers an alternative, saying, "The least expensive and easiest way to do it is electromagnetic moire pattern masking. That's a technique using an inline box that plugs between the monitor and the video card on your PC. It creates an electromagnetic moire pattern that for all intents and purposes would keep out everybody but the absolutely most dedicated national resources." What's more, the active-matrix screens now built into laptops operate without electron guns and their emissions are much lower. When such screens are commonly used as desktop monitors the possibility for being spied on will be lessened. Active matrix? Electromagnetic moire? Isn't all this a little extreme? Maybe not. Privacy advocates note that Tempest monitoring is just one facet of an information war in which the government has an unfair upper hand. We probably don't need to remind you, but the U.S. government has not always demonstrated the best judgment when it comes to emerging technologies, individual rights or covert actions involving "dangerous" citizens.
The hope is that public indignation about Tempest monitoring will cause a true tempest, a whirlwind of anger and official accountability. Only then will we have the same tools and information as the Feds, bringing the battle onto an even playing field. Perhaps strife, outcry and controversy during this period of rapidly emerging technology would not be such a bad thing. Consider these words from Shakespeare's Othello: "If after every tempest come such calms, may the winds blow till they have waken'd death!"

You may view Jones' paper "Nowhere to Run...Nowhere to Hide...The vulnerability of CRT's, CPU's and peripherals to TEMPEST monitoring" at: http://www.thecodex.com/c_tempest.html
You may view Jones' DataScan TEMPEST monitoring device at: http://www.thecodex.com/datscan.html

Check out our WEB SITE - The Codex Privacy Page URL: http://www.thecodex.com Home of The Codex Surveillance & Privacy Newsletter DataScan - Diagnostic TEMPEST Evaluation System Technical Surveillance CounterMeasures (TSCM) Forensic Audio Restoration & Audio Tape Enhancement

From pgut001 at cs.auckland.ac.nz Sun May 26 22:45:13 1996
From: pgut001 at cs.auckland.ac.nz (pgut001 at cs.auckland.ac.nz)
Date: Mon, 27 May 1996 13:45:13 +0800
Subject: cryptlib debugging for Win95, WinNT
Message-ID: <199605270148.NAA08392@cs26.cs.auckland.ac.nz>

In order for the RSA encryption functions in cryptlib (ftp://garbo.uwasa.fi/pc/security/crypl110.zip, but that one's without the RSA stuff for reasons which will become apparent) to work, I need to find someone to test the Win95 and WinNT random-number generation code, which calls various Win32 statistics-monitoring functions to seed
its internal random number pool. I've written most of the code, but since some of the documentation for the API's is pretty dodgy, it'll need a bit of debugging and testing to get going. Is there anyone here who can help with this? I estimate that it's an hour or so of work for the Win95 side (which has Toolhelp32), and maybe half a day for NT (which has the incredibly complex registry-walking system and semi-documented network statistics gathering). There are two files to compile, with a total size of about 20K. I can't do it myself since I don't have easy access to any sort of Win32 system. Oh yes, this part of the code has nothing to do with crypto, so there are no problems with US people doing it. Peter. From grewals at acf2.NYU.EDU Sun May 26 23:09:24 1996 From: grewals at acf2.NYU.EDU (Subir Grewal) Date: Mon, 27 May 1996 14:09:24 +0800 Subject: [SCARE]: "If you only knew what we know..." In-Reply-To: <9605262337.AA24223@cti02.citenet.net> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sun, 26 May 1996, Jean-Francois Avon wrote: :How would you qualify the seizing of 50+ % of our productive work? : :Are you telling that giving your wallet to a mugger is not done under :violence directed against you since he did not shoot you or beat you :in the first place? Do you tell me that the fact that he did not use :his gun means that there is no violence implied? : :Under every pile of red-tape lies a fully loaded gun. And *this* is :what gives govt employees their attitude toward you. It is quite obvious that the state enforces taxation via coercion, whether that coercion always takes the form of "your money or your life" is doubtful, more often it involves the threat of incarceration rather than death. The (supposed) difference between taxation and robbery is that one is ostensibly deriving some benefit from taxation (i.e. 
even if it is used for welfare, the argument is this is some sort of insurance scheme in that you would derive some benefits if unemployed, we believe unemployment insurance should be voluntary but that's another matter). Of course the state is inefficient and taxes do not always go where they are meant to, but it is difficult to sustain an analogy between a mugging and taxation. A money laundering scheme is probably much more appropriate (ironic because we only launder money to pacify the state), you must appreciate the subtlety of taxation. You might very well believe that taxation is robbery, and everyone else who reads Reason might agree with you, but the rest of the world is not about to look at this in the same way, and you hurt your cause by the rhetoric. Most people, quite rightly in my opinion, believe taxes are necessary and that collecting them forcefully is the only option available to us. The minimalist state will probably have an "out" clause and you will be able to go out "into the woods" and set up your own little libertarian (or anarcho-capitalist) commune with all the others who believe all taxation is robbery, and you'll probably be able to keep your Uzi to guard yourself against your neighbours as well (good luck). I'll be happy with a state-run law enforcement agency (of a form different from the one we have today of course).
hostmaster at trill-home.com * Symbiant test coaching * Blue-Ribbon * Lynx 2.5

From llurch at networking.stanford.edu Sun May 26 23:42:22 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Mon, 27 May 1996 14:42:22 +0800
Subject: WhoWhere Robot strikes again
In-Reply-To:
Message-ID:

WhoWhere.com and ParsecWeb.com are being firewalled from all but a few networks at stanford.edu, ucr.edu, and other places. This is a step I recommend to others. Unfortunately, I have more important things to worry about than fighting off threats from some petty net-abusing scam, but I'd be glad to give the reasons privately. -rich On Sat, 25 May 1996, Stephan Somogyi wrote: > I now have a WhoWhere Robot hitting one of my web servers from > orion.parsecweb.com and it is most assuredly not honoring the > robots.txt file regarding directories to exclude. I also just looked in > the bot registry again and the WhoWhere Robot remains unlisted. > > Needless to say, I'm denying accesses from parsecweb.com from here onward. > > Stephan > > ________________________________________________________________________ > Stephan Somogyi Central Services Digital Media

From jimbell at pacifier.com Sun May 26 23:44:14 1996
From: jimbell at pacifier.com (jim bell)
Date: Mon, 27 May 1996 14:44:14 +0800
Subject: [SCARE]: "If you only knew what we know..."
Message-ID: <199605270314.UAA26114@mail.pacifier.com>

At 09:39 PM 5/26/96 -0400, Subir Grewal wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >On Sun, 26 May 1996, jim bell wrote: > >:At 12:23 PM 5/26/96 -0400, Subir Grewal wrote: >:Qualitatively, perhaps. But quantitatively, no.
I think that blame for any >:given situation or government behavior will be distributed in a reasonably >:fair fashion, with those directly responsible for abuse becoming "dead meat" >:while those on the periphery only marginal targets. Your generous >:interpretation of their guilt is certainly not binding on me. And in any >:case the fact that the people involved will usually be able to resign will >:be a logical "out." > >Nor is your generous interpretation of the guilt of the peripheral >binding on those who do not like them for whatever reason. True, but if I oppose and you don't, and my opposition results in their forced removal from office, what you believe will be irrelevant. >Your >suggestion is that open season be declared on those who work for the state >(or are the state). They obtain their salary through theft from taxpayers. I'd say that's plenty of an offense. > Your claim is that one has to satisfy everyone >(or the small minority that is unsatisfied might come out and kill you) >and the only way that will happen is when there is no state at all. Or, at most, an exceedingly minimal one, operated by donation or extremely minor tax levels. > Of >course there are those who fervently believe in the socialist ideal and >would probably feel justified in killing the do nothing libertarians (as >opposed to old-style liberals, i.e. minimalists) who ostensibly form the >state. But it wouldn't matter. They wouldn't know who to target, and the people wanting to form a state have an inherent disadvantage against those who do not: The act of forming the state identifies them. > For them, inaction might be sufficient cause to initiate an AP >campaign. How would you distinguish between just some ordinary citizen and somebody that ought to be targeted because of opposition to the state? With my system, the latter can be silent and get the job done. 
>Now what happens if one group feels another group's AP campaign >is directly hurting their interests (for a smaller/larger state). Then there will be a fight, won by the group that isn't publicly recognized. A group trying to form a centralized entity (and force this on others) will fail; those opposing it will win. >Isn't >there the possibility that they will begin to assign to the other's AP >leaders the status of the state (after all their AP campaign is >determining the nature of the state, and we can begin a reverse AP >campaign on them to halt that). It doesn't work like that. The act of formation of a state inevitably calls attention to oneself. The act of opposing that formation does not. AP is "biased," as it were, against centralized, organized political structure that arouses the ire of even a tiny fraction of the population. A person who dedicates himself to ELIMINATING the state, and does so anonymously, is difficult or impossible to target. > The ideal of the minimalist state permits >an out clause, so the socialists (or anyone who wants a paternal govt.) >can form their own little community with their state acting as mother. I don't deny that a group of people can, willingly, form a subset of society where they agree to be bound by certain conditions that the rest of society does not tolerate. However, the key word is "willingly." If that mini-state ever becomes abusive of the rights of its own citizens, or becomes threatening of any outside individuals, its leaders will be targeted, either by its own citizens or those outside who feel threatened. > If >you envision "resigning" as a means of escaping being the target of AP, >you must be aware that we don't forgive easily and there will be groups >who wish to kill politicos who've "ruined our lives because of what they >did x years ago". I have no problem with that. That's just great. Arbitrarily serious guilt should be followed by arbitrarily harsh punishment, even if it is years or decades later. 
Resigning is in no way respected by the AP system per se, but it _may_ be considered by the average citizen to be a reason for mercy. > If those who begin AP campaigns on "retired" govt. >employees will be "playing unfairly" and your system has a clause to >tackle them, I can see a group using a succession of politicos (each of >whom gains amnesty by retiring after a bit) to accomplish what they wish >to. No, AP has no inherent ability to punish those who "play unfairly." However, the cost to purchase "predictions" (and the number of other citizens who share in this cost) will probably depend substantially on the perceived guilt of the target, in the minds of others. A person who resigns, and especially one who did little to directly anger the populace, other than to collect a stolen paycheck, is probably fairly safe. An ex-employee of a particularly abusive government agency is, however, far more likely to remain considered a legitimate target by the public. >:I agree. Which is why I'd much prefer a method to preferentially target a >:relatively smaller number of people, and I've invented (discovered?) just >:such a system. Why not let it work? > >I'd prefer a system that doesn't "target" people at all. Perhaps, but the current system does, and even after AP is instituted there will still be common criminals to keep down. >:Why not kill those Iranian leaders, using AP? And if you're afraid they'll >:retaliate against "our" leaders, I see nothing wrong with that, either. >:It's the leaders who maintain the dispute. > >Sure, and suppose the option is that there be no dispute at all. So >Rushdie (or you or I) becomes the sacrificial lamb, precisely because the >"leaders" value their own lives, but ostensibly to kill the "dispute" in >the bud. No, the donations will be made against those people who are actually seen by the people as the real problem. In an "AP-world," there would be no "Islamic leaders" to call for Rushdie's death. 
True, if an author like Rushdie said or wrote something that really angered a substantial number of people, they might individually be aroused enough to target him, but that is far less likely than ire directed by an Islamic leader today, I think. > One of the fundamental principles of justice is that it be >commensurate (in some sense) to the crime, AP lacks that aspect. I (and others) have predicted that there will indeed be "court systems" in place, although they will be numerous, competing, and voluntary, which will turn most offenses into crimes punishable by fines. That will adjust the punishment to the crime, in most people's opinions. >:Hey, I realized that long ago! But I'm not under any illusion that this >:system can be molded to conform to my wishes alone: If I could, I'd become >:a dictator and the cycle of tyranny would continue. > >The question is not one of becoming a dictator, but rather one of what >values will be protected, what freedoms will people have in the >world/state you imagine. No "values will be protected," except those that the individuals in society choose to be protected. > I think the values AP engenders are not the ones we want. Who is "we"? > We probably don't want to legitimize murder. Don't call it "murder," then. It's self-defense, at least by those who use it legitimately. > It's difficult to >operate in a vacuum of principles/values, we can't simply say, "well >whatever people will want to happen will happen and why not give them that >choice". Ultimately, that's the way it's going to happen, UNLESS the society's control is waylaid by government. > Marx was not the first to point out that institutions influence >our actions, that we are products of our times, that the choices we face >are as much determined by our own preferences as they are by the world >around us. AP will create an environment where, I believe, an >undesirable set of options will be presented to each of us. This is >the "outcome" argument, i.e. 
undesirable ends, the means themselves are >reprehensible. I wish I understood what you just said... >:It isn't that it "has to" be violent. Resignation is always an option. >:Problem is, they don't want to give up their positions of power. > >You've heard about the elections where libertarian candidates ran for >office with the objective of doing away with the office if they were >elected. I believe one such candidate won the election and came through >on his promise. Yes, that's great. But I don't think we (the public) should have to depend on the good will of the elected officeholder, especially one who DIDN'T make such a promise. >:That depends entirely on what your definition of instigating violence really >:is. I happen to believe that the act of collecting taxes, involuntarily, IS >:the "instigation of violence" even if the victim gives up his assets without >:a fight, if there is the prospect of eventual violence should he refuse to >:cooperate. Until you see this, you'll have a warped view of the propriety >:of AP, not to mention the libertarian non-initiation of force principle. >:(NIOFP.) > >As I've said, the minimalist state is desirable in my opinion. But what is the minimum in "minimalist"? I was a minarchist for a couple of decades, because I couldn't think of an intellectually consistent way to get rid of the last vestiges of government, permanently. Now I can. > The most >efficient system of taxation is the truly flat tax (i.e. a fixed amount >for each individual), since each person derives approx. equivalent benefits >from the minimalist state, their contributions are also equal. Each of us >derives some benefits from the existence of the state, some of these >benefits are non-exclusionary. Till these benefits are dependent on >territory and jurisdiction taxation of those who reside within the >jurisdiction/territory will have to be enforced. Sigh. I'm afraid that kind of thinking has been obsoleted... 
> You must of course, be >aware of the medieval practice of making an offender an "outlaw", i.e. not >under the protection of any laws. These outlaws were then fair game for >anyone. When we have arrived at the point where the free-rider problem >does not exist for things like national defense (i.e the shields won't >exist over your property, and you'll enforce your ownership of it >yourself) you will have the option (once again) of becoming an outlaw. The whole concept of having to maintain "the national defense" is totally obsoleted by the stable anarchy formed by AP. After AP, all defense will be local, because no large attacker could survive the "predictions" of the rest of the world. > I >don't think it's going to be very pretty. I agree it sounds a bit scary, but that's mainly because it's so different from the current system. > To bring up another subject, we >make compromises. Reminds me of the old saying, "Democracy is two wolves and a sheep voting on what to have for dinner." The problem with the concept of "compromises" is that it assumes that it is necessary to make those compromises. > I personally find socialists endearing and am willing >to make certain compromises to live with them amicably. I don't care what they THINK, but if they try to enforce their society on me I'll feel no hesitancy to eliminate them. > AP will draw >battle-lines that will make such associations extremely hard to maintain. No, it'll make compromises totally unnecessary. >I'd rather not be the member of a "group" and have that membership/taint >dictate the degree to which I can associate with a particular set of >people. AP, in providing "final solutions", will bring about a state of >affairs where the actions of a particular group (which they think are >legitimate and do not run counter to the rules of the game) will be >unacceptable for another group and the "finality" of these actions will >create rifts. Violence does not beget peace. Historically, that has been often true. 
But then again, I think the rules have changed. (or will soon change.) Jim Bell jimbell at pacifier.com From ses at tipper.oit.unc.edu Sun May 26 23:50:00 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Mon, 27 May 1996 14:50:00 +0800 Subject: COMMUNITY CONNEXION ANNOUNCES WORLDWIDE BETA-TEST OF THE ANONYMIZER (fwd) In-Reply-To: Message-ID: On Sun, 26 May 1996, Alan Horowitz wrote: > Date: Sun, 26 May 1996 14:17:38 -0400 > From: Ralph Jennett > To: Alan Horowitz > > Of course the people at Community Connection know what you are up to when > you use their service. So sameer is a deep-cover plant... but for whom? I know it's not the CIA, because they're too stretched at the moment (ever wonder why all those voice mail systems keep putting you on hold - it's because they don't have enough agents free to monitor all calls, and it wouldn't be the NSA, because it'd be too tacky). I reckon it's the spirit of Vince Foster inhabiting his body. It all fits together too neatly From dhaskove at ucsd.edu Mon May 27 00:16:52 1996 From: dhaskove at ucsd.edu (Dan Haskovec) Date: Mon, 27 May 1996 15:16:52 +0800 Subject: Software Fame and Fortune In-Reply-To: <199605251653.QAA15534@pipe2.t1.usa.pipeline.com> Message-ID: It is also available at http://www.economist.com/survey/software/ On Sat, 25 May 1996, John Young wrote: > The EcoMist of May 25 has a special survey (80 kb) of the global software > industry, which, the report claims, is the next fountainhead of computer > fame and fortune, thanks to the Internet, and the successor to the H/W > fairy tales. > > > It barely mentions crypto -- described as a prime commercial product of > Israel's defense industry and the key to secure fame and fortune! > > > It can be read-only at: > > > http://pwp.usa.pipeline.com/~jya/software.txt > > > From EALLENSMITH at ocelot.Rutgers.EDU Mon May 27 00:17:54 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. 
ALLEN SMITH) Date: Mon, 27 May 1996 15:17:54 +0800 Subject: Children's Privacy Act Message-ID: <01I56FGPW4PW8Y4ZUF@mbcl.rutgers.edu> From: IN%"hfinney at shell.portal.com" "Hal" 24-MAY-1996 22:08:34.83 >In a way, our position is like those revolutionaries who are convinced >the government is evil, while the populace mindlessly goes along with >the status quo. Terrorists inflict terror largely to force the >government to crack down, raising popular awareness of its oppressive >nature, and fostering revolutionary feelings. This has some interesting analogies in the area of currency, and promoting privately-backed currencies. We want privately-backed currencies because they won't have the political motives (e.g., Senator Harkin holding up Greenspan's confirmation because Greenspan doesn't produce enough inflation for Harkin's voters' liking) to have inflation that governmental agencies do. But that doesn't mean that inflation of _governmental_ currencies isn't a good thing from our viewpoint (so long as we're invested into non-governmental currencies and other investments); it encourages people to switch. It is also interesting, in the same area of thought, to take a look at the effects of the inflation-indexed bonds that the Treasury Dept looks to be coming out with soon. If there's enough inflation for people to be interested, and those people trust the government, then people will move their capital from more liquid areas (e.g., bank accounts) into these (as well as from existing governmental bonds). This reduces the value of money, since less people want to hold it in liquid form (for one thing, if inflation is a concern, you might as well go ahead and spend money) and there is more of it in that liquid form - democratically-elected governments that get this money are going to spend it or use it to reduce taxes. That means the rate of inflation will increase... 
meaning the government will have to pay out more on the bonds, and those buying the bonds (or, preferably, moving to other currencies) will increase. Such bonds are normally created by governments with high inflation rates - usually prior to a hyperinflationary collapse. It's an interesting question whether this is cause or effect - likely both. -Allen From somogyi at digmedia.com Mon May 27 00:20:13 1996 From: somogyi at digmedia.com (Stephan Somogyi) Date: Mon, 27 May 1996 15:20:13 +0800 Subject: Software Fame and Fortune In-Reply-To: <199605251653.QAA15534@pipe2.t1.usa.pipeline.com> Message-ID: At 16:53 +0000 25.5.96, John Young wrote: > It can be read-only at: It can also be read on the Economist's own site at ________________________________________________________________________ Stephan Somogyi Information Dispersal Digital Media From EALLENSMITH at ocelot.Rutgers.EDU Mon May 27 00:48:52 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 27 May 1996 15:48:52 +0800 Subject: Children's Privacy Act Message-ID: <01I56JFJ7EW08Y4ZUN@mbcl.rutgers.edu> From: IN%"bruce at aracnet.com" "Bruce Baugh" 26-MAY-1996 17:00:35.76 >Right. But in addition to the forcible acquisition of information, there's >the unwitting acquisition - you are never informed that party A has >transmitted information X to party B, who in turn passed it to C, who >garbled it and then passed the erroneous info to D.... Assume that they're gathering all information they can, unless they make a specific agreement that they aren't doing so. Some magazines have that as part of their subscriptions - they state that they only exchange mailing list with certain other parties, who have agreed that they won't transmit it further; these magazines (e.g., Consumer Reports) also tend to give people an opt-out option on even this exchange, incidentally. 
-Allen From llurch at networking.stanford.edu Mon May 27 00:49:07 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 27 May 1996 15:49:07 +0800 Subject: WhoWhere Robot strikes again In-Reply-To: Message-ID: Btw, when they bought me lunch a few weeks ago, they promised to register their robot and follow the robot exclusion standard right away. -rich From EALLENSMITH at ocelot.Rutgers.EDU Mon May 27 00:49:50 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 27 May 1996 15:49:50 +0800 Subject: Mixmaster version usable with POP? Message-ID: <01I56JIU6MHY8Y4ZUN@mbcl.rutgers.edu> From: IN%"markm at voicenet.com" "Mark M." 26-MAY-1996 18:46:13.23 >On Linux this works: >popclient -3 -c POPHOSTNAME | formail -s mixmaster -R >> $MAIL >It will work on any system that has formail and popclient on it. Is this only for getting mail, or also for sending it? Sorry, I'm not very familiar with UNIX, especially the pipe commands. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Mon May 27 00:55:25 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 27 May 1996 15:55:25 +0800 Subject: MixMaster fair use Message-ID: <01I56JWNJ2OG8Y4ZV3@mbcl.rutgers.edu> From: IN%"loki at infonex.com" 26-MAY-1996 16:50:16.67 >I think the current license is fine for most purposes. I am not some >monolithic corporation. If someone needs a license with special terms, my >email address is public knowledge and I am generally very accommodating. You have a point. Speaking of this issue, as I understand it the RSA patents only apply in the US; their copyrights apply outside the US, but there are replacement "parts" for their library for outside of the US which don't run into those copyrights. What happens if I telnet into an account outside the US and download into that account, from an outside of the US distribution point, a copy of Mixmaster with the substitute ones, then start using it for profit (an ecash-accepting-program or whatever)? 
I assume that I'd get around ITAR this way - I'm not exporting it, I didn't even bring it into the US to bring it back out - but can RSA sue me/my company (I'd do it through a company) for patent infringement? -Allen From llurch at networking.stanford.edu Mon May 27 00:56:56 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 27 May 1996 15:56:56 +0800 Subject: nCognito is Dead.. In-Reply-To: Message-ID: To the honor list of ISPs accepting of free/anonymous speech, add: dhp.com shellback.com l0pht.com (not exactly an ISP, though...) I'm maintaining a list of sorts at http://www-leland.stanford.edu/~llurch/potw2/ From jf_avon at citenet.net Mon May 27 01:00:57 1996 From: jf_avon at citenet.net (Jean-Francois Avon) Date: Mon, 27 May 1996 16:00:57 +0800 Subject: [SCARE]: "If you only knew what we know..." Message-ID: <9605270508.AA07185@cti02.citenet.net> On 26 May 96 at 20:11, jim bell wrote: >At 09:39 PM 5/26/96 -0400, Subir Grewal wrote: > > Marx was not the first to point out that institutions influence > >our actions, that we are products of our times, that the choices we > >face are as much determined by our own preferences as they are by > >the world around us. AP will create an environment where, I > >believe, an undesirable set of options will be presented to each > >of us. This is the "outcome" argument, i.e. undesirable ends, the > >means themselves are reprehensible. > I wish I understood what you just said... ROTFL! JFA DePompadour, Societe d'Importation Ltee; Limoges porcelain, silverware and crystal JFA Technologies, R&D consultants: physicists, technologists and engineers. PGP keys at: http://w3.citenet.net/users/jf_avon ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891 I reserve the right to post publicly any private e-mail sent to me. Unsolicited commercial e-mail will be proofread at US165 $/h Any sender of such material will be considered as to have accepted the above mentioned terms. 
From llurch at networking.stanford.edu Mon May 27 01:10:29 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 27 May 1996 16:10:29 +0800 Subject: WhoWhere Robot strikes again In-Reply-To: <01I56K3M2RAU8Y4ZV3@mbcl.rutgers.edu> Message-ID: On Mon, 27 May 1996, E. ALLEN SMITH wrote: > a (randomly-created) link to http://foo.bar.com/563.html etcetera? Or are they > looking at more specific locations that couldn't be faked this way? What they are doing is spidering the entire web looking for anything that looks like an email address, running a dictionary finger attack on the host part of any email addresses they find, and reporting things that look like lists of email addresses to humans (or the closest approximation employed by WhoWhere). Usually they do port scans for http and whois servers too. The way they bootstrapped their database was with dictionary searches on InterNIC and okra.ucr.edu, with a significant enough effect that lawsuits were considered. -rich From grewals at acf2.NYU.EDU Mon May 27 01:37:59 1996 From: grewals at acf2.NYU.EDU (Subir Grewal) Date: Mon, 27 May 1996 16:37:59 +0800 Subject: [SCARE]: "If you only knew what we know..." In-Reply-To: <199605270314.UAA26114@mail.pacifier.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sun, 26 May 1996, jim bell wrote: :But it wouldn't matter. They wouldn't know who to target, and the people :wanting to form a state have an inherent disadvantage against those who do :not: The act of forming the state identifies them. Real world anonymity is difficult to buy, and actions such as murder (or what you'd like to call "self-defense") take place in the real world. :It doesn't work like that. The act of formation of a state inevitably calls :attention to oneself. The act of opposing that formation does not. AP is :"biased," as it were, against centralized, organized political structure :that arouses the ire of even a tiny fraction of the population. 
A person :who dedicates himself to ELIMINATING the state, and does so anonymously, is :difficult or impossible to target. I'd expect a realization of AP to promote a great backlash from a variety of quarters. Such methods, besides being unethical, are probably going to be used as fodder to infringe the liberties of others. In other words, a witch-hunt will result, AP advocates marginalized (if they are discovered). My original reservations, on the grounds of unjust means still stand, maybe we can return to this discussion sometime later. :No, the donations will be made against those people who are actually seen by :the people as the real problem. In an "AP-world," there would be no :"Islamic leaders" to call for Rushdie's death. True, if an author like :Rushdie said or wrote something that really angered a substantial number of :people, they might individually be aroused enough to target him, but that is :far less likely than ire directed by an Islamic leader today, I think. "Religious" fanatics have great appeal, I don't think even AP will make them "go away", the odds are they'll become martyrs. And we know where that takes us. :I (and others) have predicted that there will indeed be "court systems" in :place, although they will be numerous, competing, and voluntary, which will :turn most offenses into crimes punishable by fines. That will adjust the :punishment to the crime, in most people's opinions. I wasn't talking about the legal system in an AP world, but the idea that AP is justice in some sense. Incidentally, a purely civil law court is what I'd like as well, and competing courts and arbitration systems sound good to me. :No "values will be protected," except those that the individuals in society :choose to be protected. :> Marx was not the first to point out that institutions influence :>our actions, that we are products of our times, that the choices we face :>are as much determined by our own preferences as they are by the world :>around us. 
AP will create an environment where, I believe, an :>undesirable set of options will be presented to each of us. This is :>the "outcome" argument, i.e. undesirable ends, the means themselves are :>reprehensible. The answer (in some sense) to your second statement is contained in the little section I wrote earlier. It's an institutional argument. hostmaster at trill-home.com * Symbiant test coaching * Blue-Ribbon * Lynx 2.5 WHERE CAN THE MATTER BE Oh, dear, where can the matter be When it's converted to energy? There is a slight loss of parity. Johnny's so long at the fair. From ravage at ssz.com Mon May 27 01:45:33 1996 From: ravage at ssz.com (Jim Choate) Date: Mon, 27 May 1996 16:45:33 +0800 Subject: nCognito is Dead.. (fwd) Message-ID: <199605270532.AAA28181@einstein.ssz.com> Hi, You can add SSZ (ssz.com) to the list. We accept anonymous accounts at standard rates ($10/mo. for 12 mo.). This includes a web-page. Contact 'staff at ssz.com' for further information. We are currently supporting the Austin Cypherpunks Anonymous Remailer project. If you would like more information please contact: austin-cpunks at ssz.com Jim Choate "Reality is observer dependent" \ \ \\///// | | (.) (.) 
===========================oOO==(_)==OOo========================== Tivoli an IBM company CyberTects: SSZ Customer Support Engineer SOHO Consulting/VR/Robotics 9442 Capitol of Texas Highway North 1647 Rutland Suite 500 #244 Austin, TX 78759 Austin, TX 78758 Email: jchoate at tivoli.com Email: ravage at ssz.com Phone: (512) 436-8893 Phone: (512) 259-2994 Fax: (512) 345-2784 Fax: n/a WWW: www.tivoli.com WWW: www.ssz.com Modem: n/a Modem: (512) 836-7374 Pager: n/a Pager: n/a Cellular: n/a Cellular: n/a =================================================================== Forwarded message: > From cypherpunks-errors at toad.com Mon May 27 00:10:29 1996 > Date: Sun, 26 May 1996 21:58:08 -0700 (PDT) > From: Rich Graves > To: cypherpunks at toad.com > Subject: Re: nCognito is Dead.. > In-Reply-To: > Message-ID: > X-PGP-key: finger llurch at mordor.stanford.edu > X-URL: http://www-leland.stanford.edu/~llurch/ > MIME-Version: 1.0 > Content-Type: TEXT/PLAIN; charset=US-ASCII > Sender: owner-cypherpunks at toad.com > Precedence: bulk > > To the honor list of ISPs accepting of free/anonymous speech, add: > > dhp.com > shellback.com > l0pht.com (not exactly an ISP, though...) > > I'm maintaining a list of sorts at > http://www-leland.stanford.edu/~llurch/potw2/ > From loki at infonex.com Mon May 27 01:51:11 1996 From: loki at infonex.com (Lance Cottrell) Date: Mon, 27 May 1996 16:51:11 +0800 Subject: Quickremail v1.0b Message-ID: Which remailers does it install? -Lance At 6:49 PM 5/26/96, Mark M. wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >I have just released Quickremail, a UNIX program that provides an easy >interface to install an anonymous remailer. Just unzip and untar in your >home directory, execute remailer-install.sh, and then you will have a fully >functional remailer. You do not need root access to install it. It is >available at http://www.voicenet.com/~markm/quickremail.1.0.b.tar.gz . 
> >- -- Mark > >=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= >markm at voicenet.com | finger -l for PGP key 0xe3bf2169 >http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348 >((2b) || !(2b)) | Old key now used only for signatures >"The concept of normalcy is just a conspiracy of the majority" -me > > ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche ---------------------------------------------------------- From unicorn at schloss.li Mon May 27 02:09:21 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 27 May 1996 17:09:21 +0800 Subject: An alternative to remailer shutdowns In-Reply-To: <199605270636.XAA02836@mail.pacifier.com> Message-ID: On Sun, 26 May 1996, jim bell wrote: > At 02:12 AM 5/27/96 -0400, Black Unicorn wrote: > >On Sat, 25 May 1996, jim bell wrote: > >> Likewise, I don't see why the first address in the chain is vulnerable, as > >> long as the message subsequently passes through at least one trustworthy > >> remailer, and probably a temporary output address. > > > >I repeat, all it takes is one person to send through only one remailer > >(perhaps even a Co$ plant) and the first in chain remailer is toasted. > > > >Think before you type please. > > You should take your own advice. 
The mere fact that the first link in > the chain is "known" doesn't mean that it is provably involved. Without > a substantial amount of bugging that the COS hasn't the resources to do, > there is a big difference between them _believing_ that a given message > originated there, and being able to prove it in court. And notice my > caveat: "As long as the message subsequently passes through at least > one trustworthy remailer, and probably a temporary output address." The above is incorrect for several reasons and is a poor dodge to boot. Take it to private mail. > > Jim Bell > jimbell at pacifier.com > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Mon May 27 02:21:52 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 27 May 1996 17:21:52 +0800 Subject: An alternative to remailer shutdowns In-Reply-To: <199605251737.KAA26055@mail.pacifier.com> Message-ID: On Sat, 25 May 1996, jim bell wrote: > At 12:10 AM 5/25/96 EDT, E. ALLEN SMITH wrote: > >From: IN%"unicorn at schloss.li" "Black Unicorn" 24-MAY-1996 22:52:03.64 > > Why the first in chain? If the anti-traffic-analysis provisions are > >working properly, it should be impossible to prove that a given first remailer > >was the first remailer for any particular message. I had thought that even > >civil courts required that you be the person who committed some act, not the > >person who _might_ have committed some act. Otherwise, all the remailers are > >in danger. This is even if someone tries an entrapment by sending through some > >illegal material - if the courts accept that they should be allowed to do this, > >then all the remailers they chained are going to be hit. 
>
> Likewise, I don't see why the first address in the chain is vulnerable, as
> long as the message subsequently passes through at least one trustworthy
> remailer, and probably a temporary output address.

I repeat, all it takes is one person to send through only one remailer (perhaps even a Co$ plant) and the first in chain remailer is toasted.

Think before you type please.

> Jim Bell
> jimbell at pacifier.com

---
My preferred and soon to be permanent e-mail address:unicorn at schloss.li
"In fact, had Bancroft not existed,        potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com

From loki at infonex.com Mon May 27 02:31:56 1996
From: loki at infonex.com (Lance Cottrell)
Date: Mon, 27 May 1996 17:31:56 +0800
Subject: Mixmaster version usable with POP?
Message-ID:

At 9:44 PM 5/26/96, E. ALLEN SMITH wrote:
>From: IN%"markm at voicenet.com" "Mark M." 26-MAY-1996 18:46:13.23
>
>>On Linux this works:
>>popclient -3 -c POPHOSTNAME | formail -s mixmaster -R >> $MAIL
>
>>It will work on any system that has formail and popclient on it.
>
> Is this only for getting mail, or also for sending it? Sorry, I'm
>not very familiar with UNIX, especially the pipe commands.
> -Allen

That would be just for receiving it. It is fine to use sendmail for sending email over a dialup connection. It is just not very good for receiving it.

-Lance

----------------------------------------------------------
Lance Cottrell loki at obscura.com
PGP 2.6 key available by finger or server.
Mixmaster, the next generation remailer, is now available!
http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com

"Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come."
 --Nietzsche
----------------------------------------------------------

From jf_avon at citenet.net Mon May 27 02:54:12 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Mon, 27 May 1996 17:54:12 +0800
Subject: [SCARE]: "If you only knew what we know..."
Message-ID: <9605270506.AA07168@cti02.citenet.net>

On 27 May 96 at 0:22, Subir Grewal wrote:

> Real world anonymity is difficult to buy, and actions such as murder
> (or what you'd like to call "self-defense") take place in the real
> world.

But that is the principle by which AP operates. That *is* the whole point that seems to miss you: encryption technologies make that perfectly feasible. I agree that it is a novelty in the history of humankind...

> I'd expect a realization of AP to promote a great backlash from a
> variety of quarters. Such methods, besides being unethical, are
> probably going to be used as fodder to infringe the liberties of
> others.

During the transition period, definitely.

>In other words, a witch-hunt will result, AP advocates
> marginalized (if they are discovered). My original reservations, on
> the grounds of unjust means still stand, maybe we can return to this
> discussion sometime later.

Why, is it becoming too hot? Are you tempted to send the cops at Jim Bell's place?

> "Religious" fanatics have great appeal, I don't think even AP will
> make them "go away", the odds are they'll become martyrs. And we
> know where that takes us.

Against *whom* will they retaliate? And more down to earth, I bet that in the advent of AP becoming operational, their leaders will go down even faster than our own.

> I wasn't talking about the legal system in an AP world, but the idea
> that AP is justice in some sense.

"In a competition between a pickpocket and a murderer, the murderer always wins" -Ayn Rand

> Incidentally, a purely civil law
> court is what I'd like as well, and competing courts and arbitration
> systems sound good to me.
Since you said yourself that the actual govt will *never* relinquish power, I find that statement a bit of a contradiction.

JFA

PLEASE NOTE: THIS POST DOES NOT MEAN THAT I ENDORSE MR. BELL'S SYSTEM. MY RATIONAL CONCLUSIONS ABOUT ITS INTERNAL MECHANICS AND ITS INTRINSIC LOGICS DO NOT MEAN THAT I LIKE NOR ENDORSE THE SYSTEM. I SIMPLY CONCLUDED THAT IT IS IMPOSSIBLE TO PREVENT THE SYSTEM FROM BEING IMPLEMENTED. IMO, IT IS UNAVOIDABLE.

DePompadour, Societe d'Importation Ltee
Limoges porcelain, Silverware and mouth blown crystal glasses

JFA Technologies, R&D consultants.
Physicists, technologists and engineers.

PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891

From jf_avon at citenet.net Mon May 27 02:56:40 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Mon, 27 May 1996 17:56:40 +0800
Subject: [SCARE]: "If you only knew what we know..."
Message-ID: <9605270445.AB06762@cti02.citenet.net>

On 26 May 96 at 21:39, Subir Grewal wrote:

> Of course there are those who
> fervently believe in the socialist ideal

But, my dear, even in the most libertarian or AP-ruled world, they would be absolutely free to give away *all* of their salary for the causes they consider valid. Only, those who don't agree with them would not be coerced into those noble causes.

> and would probably feel
> justified in killing the do nothing libertarians

This paragraph seems to indicate that the only difference between libertarians and socialists is a mere difference of opinion and that everybody is justified to act on their beliefs. But the socialists who pretend that are simply blanking out the fact that *they too* recognize that Reality Is since they want to use force to get a lunch out of the mouth of somebody who has one (and who happened to produce it himself) to put it in the mouth of another who didn't have.
Therefore, it is OK to deny reality when somebody comes up with arguments against socialism, but it is darn convenient to use it (in the form of a loaded gun...)

> (as opposed to
> old-style liberals, i.e. minimalists) who ostensibly form the state.

BTW, they do not "ostensibly" form the state. They simply *do*not*coerce* individuals into being sacrificial animals for the unearned benefits of others...

> For them, inaction might be sufficient cause to initiate an AP
> campaign.

Oh, you mean, "for them, anybody who passes a judgment of his own that contradicts them should be killed" I see...

> I'd prefer a system that doesn't "target" people at all.

I'd prefer a pink elephant with wings. Do you think that govt does not target people?

> One of the fundamental principles of justice is that it be
> commensurate (in some sense) to the crime, AP lacks that aspect.
> "Final solutions" are all it has, but final solutions aren't always
> desirable.

JB seems to agree with the view that turning our most productive individuals into sacrificial animals for the benefit of the less productive is not exactly a kind thing to do. I tend to agree. To say "commensurate" means that you must quantify various things in their proper context. I invite you to do so.

> The question is not one of becoming a dictator, but rather one of
> what values will be protected, what freedoms will people have in the
> world/state you imagine. I think the values AP engenders are not
> the ones we want. We probably don't want to legitimize murder.

It does not legitimate murder per se. I don't think that JB ever said that murder was legitimate. He only explained that the technology makes it inevitable to happen and that he believes that the outcome will be a better society. You will note that to the act of murdering, he opposed many other actions, including many that lead to direct loss of lives. He claims that the positives will outnumber the negatives.
As to the morality, by your own standards, of starting a "Vietnam" war, I suppose it is highly questionable, or so you seem to indicate.

> It's difficult to operate in a vacuum of principles/values, we can't
> simply say, "well whatever people will want to happen will happen
> and why not give them that choice".

Jim Bell does not believe that AP will evolve in a moral vacuum. On the contrary (and most collectivists think he is wrong), I think he believes that human beings have an intrinsic sense of justice and that this will prevail.

> Marx was not the first to point
> out that institutions influence our actions, that we are products of
> our times, that the choices we face are as much determined by our
> own preferences as they are by the world around us.

Well, of course, our perception of reality is context dependent. But you seem to attempt to hint that truth is relative because knowledge is contextual. It looks like an attempt on reason.

> :and who would want to take any politician's
> :place?
> Only the fanatic

I think that by the nature of AP, this would be ruled out. Maybe there would be a fanatic president, but he would preside nothing because nobody would be there to enforce his fanatic views.

> As I've said, the minimalist state is desirable in my opinion. The
> most efficient system of taxation is the truly flat tax (i.e. a
> fixed amount for each individual), since each person derives approx.
> equivalent benefits from the minimalist state, their contributions
> are also equal. Each of us derives some benefits from the existence
> of the state, some of these benefits are non-exclusionary. Till
> these benefits are dependent on territory and jurisdiction taxation
> of those who reside within the jurisdiction/territory will have to
> be enforced.

That is absolute BS. It might have been true before, but with the advent of the net and of computers and smart cards, it is becoming a fallacy.
If Visa or Mastercard can operate on a voluntary basis, the govt could also do it. The technology makes it possible that any individual who wishes to subscribe to any of the various insurances the govt could offer might do so. Including contributions to finance museums, research projects, etc. And mandatory taxes could be enforced in periods of emergencies like wars, if ever they happen.

The population seems to have a very short memory: Before the great wars, there was *no* income tax. It is mainly with the advent of socialism, coinciding with the nuclear era, that the taxes were hiked to the level they are now. Johnson blew up whatever Eisenhower tried to do. Of course, it started before them but Eisenhower tried to get back to the old system. I guess what defeated him was that too many people longed for a free lunch...

Anyhow, we have the technology to institute a card that would give access to most services like health care, unemployment insurance, etc. Why don't they put it in place?

[Cypherpunkishstuff] Hey guys, could you believe it? I actually closed a post with some tiny relevance to CP! Gee, my brain must have skipped a few cpu cycles!

JFA

I am not subscribing to CP. For me to read you, you must cc to me directly.

DePompadour, Societe d'Importation Ltee; Limoges porcelain, silverware and crystal
JFA Technologies, R&D consultants: physicists, technologists and engineers.
PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891
I reserve the right to post publicly any private e-mail sent to me.
Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have accepted the above mentioned terms.
From jimbell at pacifier.com Mon May 27 02:59:53 1996
From: jimbell at pacifier.com (jim bell)
Date: Mon, 27 May 1996 17:59:53 +0800
Subject: An alternative to remailer shutdowns
Message-ID: <199605270636.XAA02836@mail.pacifier.com>

At 02:12 AM 5/27/96 -0400, Black Unicorn wrote:
>On Sat, 25 May 1996, jim bell wrote:
>
>> > Why the first in chain? If the anti-traffic-analysis provisions are
>> >working properly, it should be impossible to prove that a given first remailer
>> >was the first remailer for any particular message. I had thought that even
>> >civil courts required that you be the person who committed some act, not the
>> >person who _might_ have committed some act. Otherwise, all the remailers are
>> >in danger. This is even if someone tries an entrapment by sending through some
>> >illegal material - if the courts accept that they should be allowed to do this,
>> >then all the remailers they chained are going to be hit.
>>
>> Likewise, I don't see why the first address in the chain is vulnerable, as
>> long as the message subsequently passes through at least one trustworthy
>> remailer, and probably a temporary output address.
>
>I repeat, all it takes is one person to send through only one remailer
>(perhaps even a Co$ plant) and the first in chain remailer is toasted.
>
>Think before you type please.

You should take your own advice. The mere fact that the first link in the chain is "known" doesn't mean that it is provably involved. Without a substantial amount of bugging that the COS hasn't the resources to do, there is a big difference between them _believing_ that a given message originated there, and being able to prove it in court. And notice my caveat: "As long as the message subsequently passes through at least one trustworthy remailer, and probably a temporary output address."
Jim Bell
jimbell at pacifier.com

From fstuart at vetmed.auburn.edu Mon May 27 03:12:08 1996
From: fstuart at vetmed.auburn.edu (Frank Stuart)
Date: Mon, 27 May 1996 18:12:08 +0800
Subject: Sun pushing SKIP for intranets and java
Message-ID: <199605270739.CAA11092@snoopy.vetmed.auburn.edu>

Sun is pushing SKIP for intranets and encrypting/verifying java applets. Bay Networks, BBN, Premenos Technology, Milkyway Networks, and VPNet have signed on.

See http://www.cnet.com/ for more info. I took a quick look at Sun's site and didn't see anything.

              | (Douglas) Hofstadter's Law:
              | It always takes longer than you expect, even
Frank Stuart  | when you take into account Hofstadter's Law.

From perry at jpunix.com Mon May 27 07:37:39 1996
From: perry at jpunix.com (John A. Perry)
Date: Mon, 27 May 1996 22:37:39 +0800
Subject: Updated type2.list/pubring.mix
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

Hello Everyone,

I just updated the type2.list/pubring.mix combination on jpunix.com to reflect the opening of the czarevna type-II remailer. The lists are available by anonymous FTP from ftp.jpunix.com as well as by Web from www.jpunix.com

John Perry - KG5RG - perry at alpha.jpunix.com - PGP-encrypted e-mail welcome!
WWW - http://www.jpunix.com
PGP 2.62 key for perry at jpunix.com is on the keyservers.

From bwitanek at igc.apc.org Mon May 27 07:39:33 1996
From: bwitanek at igc.apc.org (Bob Witanek)
Date: Mon, 27 May 1996 22:39:33 +0800
Subject: ACLU: Secret Intelligence Budget
Message-ID:

Posted: sspnj at exit109.com

ACLU News 05-23-96:

*House Votes to Keep Intelligence Budget Secret*

In a blow to open government, the House of Representatives has rejected a move by the Clinton Administration to -- for the first time -- make public the overall national intelligence budget, The Washington Post reported today.

The rejection came on a vote of 248 to 176 on an amendment to a bill that would fund the CIA and 11 other, mostly Pentagon-based, intelligence agencies.

The ACLU had supported the amendment, saying that "taxpayers have a right to know what their tax dollars support."

But the Post said that House Intelligence Chairman Larry Combest, R-TX, opposed disclosure in committee and led the opposition on the floor yesterday. He said making the overall figure public inevitably would lead to disclosure of individual intelligence accounts, which, he said, could harm clandestine sources and methods.

ACLU Legislative Counsel Gregory T. Nojeim disagreed. "Disclosure of the bottom-line figure is the absolute minimum that Congress should do to make the intelligence agencies accountable to the American public," he said. "All of these intelligence agencies have acknowledged that any Cold War justification for keeping the total budget secret has passed."

----------------------------------------------------------------

*State Police Search Blacks More Than Whites*

PERRYVILLE, Md.
-- Black drivers are being stopped and searched for drugs at least four times more often than whites by a special Maryland state police squad that patrols stretches of Interstate 95, the East Coast's main north-south artery, the Associated Press reports today. This finding from an Associated Press computer analysis of car searches raises questions of whether troopers are following their own written training procedures and complying with a court ruling that specifically bars them from using racial profiles to determine likely drug couriers. More than 75 percent of all drivers whose cars were searched by the special drug squad through the first nine months of last year were black, the AP said. State police steadfastly denied using racial profiles, which in the past typically targeted young minority men driving late-model cars and carrying pagers or wearing gold jewelry. The Maryland police maintained that black motorists were searched for reasons other than race and that the preponderance of blacks searched amounted to coincidence. Maryland state police are forbidden to use racial profiles in traffic stops under terms of a legal settlement reached in 1994 with Robert Wilkins, a black Washington lawyer searched for drugs as he drove home from a funeral in 1992. The settlement also requires troopers to provide records on all 1995-97 highway searches to the American Civil Liberties Union of Maryland. The AP examined the records for January through September 1995. The AP said that it asked the ACLU for the early reports after a Philadelphia couple filed a discrimination suit in January against three troopers. Charles Carter, now 66, and his wife, Etta, 65, were driving north on I-95 in a rented minivan on July 12, 1994, their 40th wedding anniversary, when troopers pulled them over and searched the van for drugs. The couple claim they were searched because they are black. 
``This entire incident was and continues to be deeply humiliating for my wife and myself,'' Carter said in an affidavit. ``It is inconceivable to us that, as American citizens of the late twentieth century, we would be treated in this manner by officers of the law.''

The ACLU said the data may eventually prove a pattern of discrimination. If the organization can show in court that blacks are being searched in inappropriately high numbers, it may consider a class-action lawsuit, said Debbie Jeon, an ACLU attorney.

----------------------------------------------------------------
ONLINE RESOURCES FROM THE ACLU NATIONAL OFFICE
----------------------------------------------------------------

ACLU Freedom Network Web Page: http://www.aclu.org.

America Online users should check out our live chats, auditorium events, *very* active message boards, and complete news on civil liberties, at keyword ACLU.

----------------------------------------------------------------

ACLU Newsfeed
American Civil Liberties Union National Office
132 West 43rd Street
New York, New York 10036

To subscribe to the ACLU Newsfeed, send a message to majordomo at aclu.org with "subscribe News" in the body of the message. To terminate your subscription, send a message to majordomo at aclu.org with "unsubscribe News" in the body of the message.

For general information about the ACLU, write to info at aclu.org.

- ---------------------------------------------------------------This message was sent to the news

From jk at stallion.ee Mon May 27 08:21:43 1996
From: jk at stallion.ee (Jüri Kaljundi)
Date: Mon, 27 May 1996 23:21:43 +0800
Subject: Sun pushing SKIP for intranets and java
In-Reply-To: <199605270739.CAA11092@snoopy.vetmed.auburn.edu>
Message-ID:

Mon, 27 May 1996, Frank Stuart wrote:

> Sun is pushing SKIP for intranets and encrypting/verifying java applets.
> Bay Networks, BBN, Premenos Technology, Milkyway Networks, and VPNet
> have signed on.

You can find more about SKIP from http://www.incog.com/ or http://skip.incog.com/ which are servers for Sun Internet Commerce Group.

Jüri Kaljundi
AS Stallion
jk at stallion.ee

From raph at CS.Berkeley.EDU Mon May 27 10:33:09 1996
From: raph at CS.Berkeley.EDU (Raph Levien)
Date: Tue, 28 May 1996 01:33:09 +0800
Subject: List of reliable remailers
Message-ID: <199605271350.GAA22800@kiwi.cs.berkeley.edu>

I operate a remailer pinging service which collects detailed information about remailer features and reliability.

To use it, just finger remailer-list at kiwi.cs.berkeley.edu

There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at: http://www.cs.berkeley.edu/~raph/remailer-list.html

This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail. For more information, see: http://www.c2.org/~raph/premail.html

For the PGP public keys of the remailers, finger pgpkeys at kiwi.cs.berkeley.edu

This is the current info:

REMAILER LIST

This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu.

$remailer{"extropia"} = " cpunk pgp special";
$remailer{"portal"} = " cpunk pgp hash";
$remailer{"alumni"} = " cpunk pgp hash";
$remailer{"c2"} = " eric pgp hash reord";
$remailer{"penet"} = " penet post";
$remailer{"flame"} = " cpunk mix pgp. hash latent cut post reord";
$remailer{"mix"} = " cpunk mix pgp hash latent cut ek ksub reord ?";
$remailer{"replay"} = " cpunk mix pgp hash latent cut post ek";
$remailer{"ecafe"} = " cpunk mix";
$remailer{"amnesia"} = " cpunk mix pgp hash latent cut ksub";
$remailer{'alpha'} = ' alpha pgp';
$remailer{"lead"} = " cpunk pgp hash latent cut ek";
$remailer{"treehole"} = " cpunk pgp hash latent cut ek";
$remailer{"exon"} = " cpunk pgp hash latent cut ek";
$remailer{"vegas"} = " cpunk pgp hash latent cut";
$remailer{"haystack"} = " cpunk mix pgp hash latent cut ek";
catalyst at netcom.com is _not_ a remailer.
lmccarth at ducie.cs.umass.edu is _not_ a remailer.
usura at replay.com is _not_ a remailer.

Groups of remailers sharing a machine or operator:
(c2 alpha)
(flame replay)
(alumni portal)

Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too.

Note: The remailer list now includes information for the alpha nymserver.

Last update: Mon 27 May 96 6:45:11 PDT

remailer  email address                      history        latency  uptime
-----------------------------------------------------------------------
portal    hfinney at shell.portal.com        ####+##*#-+#      5:49  99.97%
penet     anon at anon.penet.fi              -_______-.    51:37:29  99.86%
exon      remailer at remailer.nl.com        ****** +***#      2:57  99.83%
replay    remailer at replay.com             *+***+ *****      5:42  99.60%
alumni    hal at alumni.caltech.edu          ##* + *#-+#       5:29  99.58%
lead      mix at zifi.genetics.utah.edu      ++++++ +++++     37:43  99.47%
vegas     remailer at vegas.gateway.com      -*#**+*** *       7:27  99.28%
mix       mixmaster at remail.obscura.com    ++-+++ .--++   5:21:48  99.11%
haystack  haystack at holy.cow.net           *####- +*-*#     33:43  99.01%
flame     remailer at flame.alias.net        ++++++ ----    1:31:02  98.86%
amnesia   amnesia at chardos.connix.com      ---+-- ----    3:18:01  98.65%
ecafe     cpunk at remail.ecafe.org          -##### ####+      3:20  97.12%
c2        remail at c2.org                   -++-** +- ++     45:44  96.90%
alpha     alias at alpha.c2.org              -++-++ *+ ++     50:38  96.87%
extropia  remail at miron.vip.best.com       ..-.-----     10:35:00  92.95%
treehole  remailer at mockingbird.alias.net  --+---- -      3:58:26  85.32%

History key

* # response in less than 5 minutes.
* * response in less than 1 hour.
* + response in less than 4 hours.
* - response in less than 24 hours.
* . response in more than 1 day.
* _ response came back too late (more than 2 days).

cpunk
    A major class of remailers. Supports Request-Remailing-To: field.
eric
    A variant of the cpunk style. Uses Anon-Send-To: instead.
penet
    The third class of remailers (at least for right now). Uses X-Anon-To: in the header.
pgp
    Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID.
hash
    Supports ## pasting, so anything can be put into the headers of outgoing messages.
ksub
    Remailer always kills subject header, even in non-pgp mode.
nsub
    Remailer always preserves subject header, even in pgp mode.
latent
    Supports Matt Ghio's Latent-Time: option.
cut
    Supports Matt Ghio's Cutmarks: option.
post
    Post to Usenet using Post-To: or Anon-Post-To: header.
ek
    Encrypt responses in reply blocks using Encrypt-Key: header.
special
    Accepts only pgp encrypted messages.
mix
    Can accept messages in Mixmaster format.
reord
    Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself.
mon
    Remailer has been known to monitor contents of private email.
filter
    Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering.

Raph Levien

From m5 at vail.tivoli.com Mon May 27 10:36:55 1996
From: m5 at vail.tivoli.com (Mike McNally)
Date: Tue, 28 May 1996 01:36:55 +0800
Subject: Philosophy of information ownership [ Re: Children's Privacy Act ]
In-Reply-To: <2.2.32.19960525115008.006ed084@mail.aracnet.com>
Message-ID: <31A9BB1D.7BE5@vail.tivoli.com>

Bruce Baugh wrote:

> At 11:34 PM 5/24/96 -0700, tcmay at got.net (Timothy C. May) wrote:
>
> >If I have compiled records, dossiers, etc., as I most assuredly have (got
> >to fill up those MO disks with something), this is "my" information. Mine
> >in the sense that others can't dictate to me what I do with it.
>
> I don't see that this is necessarily true for information any more than it
> is property. Property can be bought, sold, traded, given away, made...but it
> can also be stolen.

I don't think this comparison is valid at all.

> Just as I have a right to complain if you walk off with my couch without
> my permission, so if you walk off with data on my blood chemistry or
> credit history without my permission.

What if I just *see* your couch, and then back in my garage I use my couch replicator to make a couch just like yours, complete with fuzzballs and loose change between the cushions? Now I have your couch, in a sense. Are you still upset?

When I walked off with your blood chemistry data, did you lose the use of it for your future purposes?

And try this: I now am in possession of some information about you, specifically:

* You subscribe to cypherpunks and are aware of (and possibly a sympathizer towards) a variety of wacko political ideas;
* You believe in "strong" ownership rights over information (something handy if I'm on some legislative warpath and need supporters)

What do you propose as to the obligations I should have to you as regards the disposition of this information? For example, what if I receive a phone call from somebody interested in any e-mail addresses of people I know who might be interested in supporting the new on-line copyright bill? I just might decide to sell him your address.

______c_____________________________________________________________________
Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable
m5 at tivoli.com * m101 at io.com *
* suffering is optional

From markm at voicenet.com Mon May 27 11:44:42 1996
From: markm at voicenet.com (Mark M.)
Date: Tue, 28 May 1996 02:44:42 +0800
Subject: Quickremail v1.0b
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 26 May 1996, Lance Cottrell wrote:

> Which remailers does it install?

Mixmaster, and it gives a choice of either installing the Freedom remailer or the remailer code written by Matt Ghio. It also has support for reorder scripts, but I haven't debugged that part yet.

- -- Mark

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm at voicenet.com | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348
((2b) || !(2b)) | Old key now used only for signatures
"The concept of normalcy is just a conspiracy of the majority" -me

From grewals at acf2.nyu.edu Mon May 27 12:21:58 1996
From: grewals at acf2.nyu.edu (Subir Grewal)
Date: Tue, 28 May 1996 03:21:58 +0800
Subject: [SCARE]: "If you only knew what we know..."
In-Reply-To: <9605270506.AA07168@cti02.citenet.net>
Message-ID:

On Mon, 27 May 1996, Jean-Francois Avon wrote:

:Since you said yourself that the actual govt will *never* relinquish
:power, I find that statement a bit of a contradiction.

Asking someone to "relinquish" is not the only manner in which a change is effected. BTW, I have no problem with your proposals for voluntary insurance, health etc. schemes. In fact a minimalist state assumes all of that. You might want to read up on what classical liberalism is and what a minimalist state implies before you spout Rand.

hostmaster at trill-home.com * Symbiant test coaching * Blue-Ribbon * Lynx 2.5
A fool must now and then be right by chance.

From pclow at pc.jaring.my Mon May 27 12:25:43 1996
From: pclow at pc.jaring.my (peng-chiew low)
Date: Tue, 28 May 1996 03:25:43 +0800
Subject: CyberCash just did it!
In-Reply-To: <31A8F226.33C@netconx.de>
Message-ID: <31A9E1AA.53B0@pc.jaring.my>

Markus Guehrs wrote:

> Is anybody aware of the fact that CyberCashs credit card payment system
> (http://www.cybercash.com) is an almost 1:1 SET implementation.
Since
> this system is now working and SET is still a draft I assume the SET
> authors got/took/copied many ideas from CyberCashs genius software
> system.

Out of curiosity I visited their site and I read the part of the security section which I've pasted below. Is it true? After all that I've read about the export issue and here Cybercash tells me they have got permission to export strong crypto? Please note that I am not someone who is familiar with the strength of crypto algo and any response to this post would be most helpful to a newbie in this business. Thanks.

Quote from Cybercash's web page : http://www.cybercash.com/cybercash/wp/bankwp.html#security

" CyberCash transactions are protected by a powerful and sophisticated system of encryption, combining DES private-key and RSA public-key encryption technologies. In fact, CyberCash's 768-bit RSA key encryption capability is unique in that it is the most powerful encryption technology currently licensed by the United States government for export. CyberCash also has been approved by the government for 1024-bit RSA key encryption, and will be providing that technology by the end of 1996. "

From jimbell at pacifier.com Mon May 27 12:31:58 1996
From: jimbell at pacifier.com (jim bell)
Date: Tue, 28 May 1996 03:31:58 +0800
Subject: FW: "Scannist" arrested
Message-ID: <199605271553.IAA17167@mail.pacifier.com>

If there is any residual doubt as to why I'm proposing an "extreme" solution to government, "Assassination Politics," I think the following is just another good reason to do so. I contend that people like that cop and the judge would be FAR more careful in how they do their job if they were aware they might be angering well over a half a million hams. This kind of abuse will happen as long as there is no mechanism to prevent it.
> ----------
>From: owner-scan-l
>To: Multiple recipients of list SCAN-L
>Subject: "Scannist" arrested
>Date: Sunday, May 26, 1996 1:47PM
>
>Two sad things:
>
>1) Cops in some parts of Kentucky can't tell a scanner
>when they see one (or don't see one, in this case), and
>
>2) the radio in question IS INCAPABLE OF BEING MODIFIED TO
>RECEIVE OUT OF BAND!!!! Sheesh.
>
>Peter
>
>Excerpted from:
>
>The ARRL Letter
>Electronic Update
>May 24, 1996
>
><...>
>
>
>TEEN HAM ARRESTED ON SCANNER CHARGES
>
>Greg Godsey, KF4BDY, a 16-year-old ham from Hopkinsville, Kentucky, was
>arrested May 11 by local police who charged him with carrying a scanner that
>could receive police radio frequencies. His Radio Shack HTX-202 2-meter
>transceiver was confiscated. At a court appearance May 14, he was bound over
>for trial on June 4. The judge reportedly didn't hear any arguments
>concerning whether the law was broken, possibly because the arresting
>officer wasn't present.
>
>According to reports, Greg, the ARES EC for Christian County, Kentucky, and
>a ham since last summer, was detained by Hopkinsville Police. The officer
>indicated that when he arrived, Greg "was talking on a radio that is capable
>of receiving police frequencies. I verified this by keying my radio, which
>broke the squelch on [Greg's] radio."
>
>Greg denies the charges and says his radio has not been modified and cannot
>receive or transmit outside of the 2-meter band. He has sought advice from
>the ARRL in resolving the matter. ARRL Regulatory Information Branch
>Supervisor Norman Bliss, WA1CCQ, says the Kentucky law exempts equipment
>possessed by a licensed Amateur Radio operator that is capable of receiving
>police frequencies.
>
><...>
>
>===========================================================
>Material from The ARRL Letter may be reproduced in whole or in part, in any
>form, including photoreproduction and electronic databanks, provided that
>credit is given to The ARRL Letter and The American Radio Relay League.
>
>
>To subscribe to the email distribution list for the ARRL Letter, send
>a message to listserv at netcom.com with the body (subject is ignored)
>
>subscribe letter-list
>
>To unsubscribe,
>
>unsubscribe letter-list
>
>

Jim Bell
jimbell at pacifier.com

From lc2m+ at andrew.cmu.edu Mon May 27 16:57:59 1996
From: lc2m+ at andrew.cmu.edu (L. Jean Camp)
Date: Tue, 28 May 1996 07:57:59 +0800
Subject: The Anti-Briefing...
In-Reply-To: <199605241937.PAA08694@pair>
Message-ID:

Excerpts from espam: 24-May-96 Re: The Anti-Briefing... by e$pam at intertrader.com
> We can all think of repressive steps which undeniably will save the lives
> of some children, babies, old people, mothers, etc.
>
> Banning alcohol, banning smoking, banning sex outside of marriage....
>

I would like to point out that these things will almost certainly not save the lives of mothers and babies and were sure as fuck not intended to protect women & children.

Clue in, in places where all sex outside marriage is illegal being a victim of rape is a crime. It is rapist protection.

The banning of alcohol was used to remove children from the homes of 'unfit' immigrant families. It was about 'culture wars' & racial purity.

Drug tests are proposed to refuse people benefits (sorry your mom's a pothead kid -- so now you're going to be HOMELESS!)

Then when this kind of propaganda works, women end up fighting idiots who buy _into_ the idea that _we_ caused the problem and thereby preventing more effective action.

You do not need to vomit DoD crap about children. You aren't helping anyone but the DoD.
Get a half a clue -- if they wanted to protect children they could support funds for housing, food, and health care for families. Five kids a day die from violence from the hands of their parents. The infant mortality rate in DC is twice what it is in Havana. I'm sure those kids are really happy that they do not have to worry about cryptography or seeing naked people on the Internet. Yeah, these are the important issues today for America's children -- NOT.

I hope that you do not seriously buy that crap about prohibition of crypto (or porn or pot, etc) being about "protecting children." All that line does is separate otherwise effective advocates of freedom -- if you're bitching about women & children you're not fighting the NSA and it will keep you from working effectively with anyone in the categories
>old people, mothers, etc..
and other not entirely trivial political groups.

Jean

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 27 17:13:44 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Tue, 28 May 1996 08:13:44 +0800
Subject: Remailers & liability
Message-ID: <01I57HT7DIPS8Y503M@mbcl.rutgers.edu>

From: IN%"gbroiles at netbox.com" "Greg Broiles" 26-MAY-1996 19:38:38.36

>For what it's worth, I'm still planning to run a remailer again when I get
>settled down somewhere. (I don't think remailers do much good where the
>operator isn't root, so I'm not bothering with trying to run one on someone
>else's system.) My debt/asset ratio is bad enough from all of this school
>that I don't have much for anyone to levy against. Ha, ha. Anyone want some
>rapidly obsolescing computer and law books? :(

Why, precisely, do you think that remailers don't do much good where the operator isn't root? The possibility of the sysop looking at the mail & getting the private key, the increased susceptibility to cracking of non-root accounts, possible sysop non-cooperation in an honest manner (as opposed to the first one), or what?
Thanks,
-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 27 17:23:10 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Tue, 28 May 1996 08:23:10 +0800
Subject: Czarevna Tatjana Mixmaster Remailer
Message-ID: <01I57HVMTTUE8Y503M@mbcl.rutgers.edu>

From: IN%"nobody at replay.com" 26-MAY-1996 20:19:44.63

>Questions or comments should be directed to tatjana at mindport.net.

Might I ask why you didn't mail from this address?
-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 27 17:56:25 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Tue, 28 May 1996 08:56:25 +0800
Subject: Quickremail v1.0b
Message-ID: <01I57ILMRZQ08Y503M@mbcl.rutgers.edu>

From: IN%"markm at voicenet.com" "Mark M." 27-MAY-1996 12:57:44.84

>On Sun, 26 May 1996, Lance Cottrell wrote:

>> Which remailers does it install?

>Mixmaster, and it gives a choice of either installing the Freedom remailer or
>the remailer code written by Matt Ghio. It also has support for reorder
>scripts, but I haven't debugged that part yet.

What are the major differences between the various Mixmaster remailer codes, especially in terms of the logistics of running a remailer? I'm particularly interested in aspects related to A. running one by someone not particularly familiar with UNIX (e.g., me) and B. a remailer accepting/sending mail only from/to a limited list of addresses (e.g., only other remailers).
Thanks,
-Allen

P.S. I'm planning on starting up a remailer, probably on Lance's machine (to take advantage of his expertise) sometime this summer. I do want to get PGP for the VAX before then, and the MIT site doesn't appear to have this code.

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 27 18:10:50 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Tue, 28 May 1996 09:10:50 +0800
Subject: CyberCash just did it!
Message-ID: <01I57IPALWC08Y503M@mbcl.rutgers.edu>

From: IN%"pclow at pc.jaring.my" "peng-chiew low" 27-MAY-1996 13:41:16.44

>Out of curiosity I visited their site and I read the part of the security
>section which I've pasted below. Is it true? After all that I've read about
>the export issue and here Cybercash tells me they have got permission to
>export strong crypto? Please note that I am not someone who is familiar with
>the strength of crypto algo and any response to this post would be most
>helpful to a newbie in this business. Thanks.

While I am also uncertain as to how strong the crypto they're using is, I would guess that this passes under the banking exemption... I would suspect that there is some lack of full anonymity in the method, because otherwise the US government wouldn't have given export permission even with that exemption.
-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 27 18:16:21 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Tue, 28 May 1996 09:16:21 +0800
Subject: Edited Edupage, 26 May 1996
Message-ID: <01I57IV7LQ068Y503M@mbcl.rutgers.edu>

From: IN%"educom at educom.unc.edu" 27-MAY-1996 14:46:47.89
From: Edupage Editors

>FLAT PC SCREENS HEAD FOR THE DESKTOP
>Liquid crystal display screens currently cost about five times that of a
>similarly-sized cathode ray tube screen, but that should be changing over
>the next couple of years, say LCD makers. Next year, major LCD vendors
>expect to halve the difference, bringing prices down to two-and-a-half times
>that of CRTs. Analysts say when the difference comes down to that point,
>the desktop replacement market could really take off. "CRT replacement is
>inevitable, it's just that in the near term there are a lot of hurdles,"
>says an analyst at Stanford Resources. "The place where it makes the most
>sense are with large-screen LCDs."
>NEC recently unveiled a 20-inch
>high-resolution LCD screen with wide-angle viewing designed as a
>"CRT-killer" according to a NEC engineer. (Investor's Business Daily 23 May
>96 A8)

IIRC, LCD screens are considerably harder to read off of by Tempest equipment than normal CRT screens. An encouraging change.

>NORTHERN TELECOM PHONES GET JAVATIZED
>Northern Telecom plans to incorporate Sun Microsystems' Java microprocessors
>and software in a new class of inexpensive "smart" telephones designed to
>double as Internet appliances. The move makes Northern Telecom the first
>telephone manufacturer to license Java chips for its products. The chips
>will be used in its wired PowerTouch phones and its wireless digital phones,
>and customer trials should start next year. (Wall Street Journal 23 May 96
>B3)

I would guess that these phones would still not be crypto-capable, but I'm not quite sure what they have in mind to use Java in them for.
-Allen

>***************************************************************
>Edupage ... is what you've just finished reading. To subscribe to Edupage:
>send mail to: listproc at educom.unc.edu with the message: subscribe edupage
>John McCain (if your name is John McCain; otherwise, substitute your own
>name). ... To cancel, send a message to: listproc at educom.unc.edu with the
>message: unsubscribe edupage. (If you have subscription problems, send
>mail to educom at educom.unc.edu.)

From reagle at MIT.EDU Mon May 27 19:19:19 1996
From: reagle at MIT.EDU (Joseph M. Reagle Jr.)
Date: Tue, 28 May 1996 10:19:19 +0800
Subject: holographic remailing & key escrow
Message-ID: <9605272240.AA13172@rpcp.mit.edu>

At 03:20 PM 5/26/96 -0700, Wei Dai wrote:
>This software already exists. Take a look at Disperse/Collect at
>http://www.eskimo.com/~weidai. Disperse splits a file into n base64
>encoded pieces where any k of them can be used to reconstruct the
>original.
>Collect will search through arbitrary collection of files (for
>example the entire news spool) for these pieces and automatically
>reconstruct everything that it finds.

Could something akin to this be a practical method or test for Blaze's "Key Escrow without Escrow Agents"? The main thing lacking is a secure method to get it out to the different escrow servers... (One could just encrypt each chunk of the message/key in a server's public key... Servers would read that newsgroup and pull down and escrow the chunks that they recognize.)

_______________________
Regards, When we ask advice, we are usually looking for an accomplice.
-Marquis de la Grange
Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html
reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E

From reagle at MIT.EDU Mon May 27 19:31:37 1996
From: reagle at MIT.EDU (Joseph M. Reagle Jr.)
Date: Tue, 28 May 1996 10:31:37 +0800
Subject: CyberCash just did it!
Message-ID: <9605272240.AA13168@rpcp.mit.edu>

At 12:08 AM 5/28/96 +0700, peng-chiew low wrote:

According to below, it looks like the session keys are single-DES, and they are swapped using RSA... I'd think people would rather try cracking the DES without bothering with the RSA -- be it 768 or 1024... (If the session key is weak, it doesn't much matter what you send it in...)

>http://www.cybercash.com/cybercash/wp/bankwp.html#security
>
> " CyberCash transactions are protected by a powerful and sophisticated
> system of encryption, combining DES private-key and RSA public-key
> encryption technologies. In fact, CyberCash's 768-bit RSA key encryption
> capability is unique in that it is the most powerful encryption technology
> currently licensed by the United States government for export. CyberCash
> also has been approved by the government for 1024-bit RSA key encryption,
> and will be providing that technology by the end of 1996. "

_______________________
Regards, When we ask advice, we are usually looking for an accomplice.
-Marquis de la Grange
Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html
reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E

From jamesd at echeque.com Mon May 27 19:59:28 1996
From: jamesd at echeque.com (jamesd at echeque.com)
Date: Tue, 28 May 1996 10:59:28 +0800
Subject: Noise, was The Anti-Briefing...
Message-ID: <199605272325.QAA06412@dns2.noc.best.net>

At 04:08 PM 5/27/96 -0400, L. Jean Camp wrote:
> Five kids a day die from violence from the hands of their parents.

Not so: I believe this figure is "parent or guardian". Nearly all kids are killed by stepfathers, and some by step mothers. Murders of children by their natural parents are extraordinarily rare.

A stepfather or stepmother has even more incentive, and considerably more opportunity, to murder her spouse's children than she has to murder her spouse's lover.

> The
> infant mortality rate in DC is twice what it is in Havana.

Nobody, least of all Castro, knows what the infant mortality rate in Cuba is, since in Cuba, truth is a crime.

---------------------------------------------------------------------
                                      |
We have the right to defend ourselves | http://www.jim.com/jamesd/
and our property, because of the kind |
of animals that we are. True law      | James A. Donald
derives from this right, not from the |
arbitrary power of the state.         | jamesd at echeque.com

From nobody at flame.alias.net Mon May 27 20:10:17 1996
From: nobody at flame.alias.net (Anonymous)
Date: Tue, 28 May 1996 11:10:17 +0800
Subject: noneAttn Sameer: Are alias@alpha.c2.org and/or remail@c2.org down?
Message-ID: <199605272325.BAA23173@basement.replay.com>

My 'nym which has worked just fine has suddenly stopped working this weekend. My reply block has not changed, and the only remailer in it is remail at c2.org. I have the reply block set up to send the encrypted reply to remail at c2.org where Newsgroups: and Subject: headers are pasted on with the "##" operator.
The message is then sent on to the replay mail2news gateway for posting to alt.anonymous.messages.

What's happened? Anyone know?

From perry at piermont.com Mon May 27 20:31:27 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Tue, 28 May 1996 11:31:27 +0800
Subject: Sun pushing SKIP for intranets and java
In-Reply-To: <199605270739.CAA11092@snoopy.vetmed.auburn.edu>
Message-ID: <199605272346.TAA08318@jekyll.piermont.com>

Frank Stuart writes:
> Sun is pushing SKIP for intranets and encrypting/verifying java applets.

If that's true, it's a remarkably bad idea. The IP security layer isn't anywhere near the layer where you should be doing things like signing Java applets.

.pm

From grafolog at netcom.com Mon May 27 20:50:12 1996
From: grafolog at netcom.com (jonathon)
Date: Tue, 28 May 1996 11:50:12 +0800
Subject: Edited Edupage, 26 May 1996
In-Reply-To: <01I57IV7LQ068Y503M@mbcl.rutgers.edu>
Message-ID:

On Mon, 27 May 1996, E. ALLEN SMITH wrote:

> I would guess that these phones would still not be crypto-capable, but
> I'm not quite sure what they have in mind to use Java in them for.

Porting PGPhone to JAVA, perhaps?

xan

jonathon
grafolog at netcom.com

From perry at alpha.jpunix.com Mon May 27 20:51:30 1996
From: perry at alpha.jpunix.com (John A. Perry)
Date: Tue, 28 May 1996 11:51:30 +0800
Subject: Public Key for Nymrod
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

Hello Everyone,

I forgot to publish the public key for nymrod at nym.jpunix.com the other day when I announced the re-birth of the Nymrod nym server.
Here it is:

I apologize for any inconvenience.

John Perry - KG5RG - perry at alpha.jpunix.com - PGP-encrypted e-mail welcome!
WWW - http://www.jpunix.com
PGP 2.62 key for perry at jpunix.com is on the keyservers.

From adamsc at io-online.com Mon May 27 20:59:10 1996
From: adamsc at io-online.com (Chris Adams)
Date: Tue, 28 May 1996 11:59:10 +0800
Subject: Philosophy of information ow
Message-ID: <199605280046.RAA28929@toad.com>

On 27 May 1996 11:25:28 pdt, m5 at vail.tivoli.com wrote:

>What if I just *see* your couch, and then back in my garage I use my
>couch replicator to make a couch just like yours, complete with fuzzballs
>and loose change between the cushions? Now I have your couch, in a sense.
>Are you still upset?
>
>When I walked off with your blood chemistry data, did you lose the use
>of it for your future purposes?
I believe that you are free to keep information, use it, etc. but you MUST get permission before selling it.

/* From Chris Adams on a Warped PC running a proudly unregistered (for now) PMMAIL 1.5! The Enigman Group - We do Web Pages! */

This Message Was Sent With An UNREGISTERED Version Of PMMail.
Please Encourage Its Author To Register Their Copy Of PMMail.
For More Information About PMMail And SouthSide Software's Other Products, Contact http://www.southsoft.com.

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 27 21:02:51 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Tue, 28 May 1996 12:02:51 +0800
Subject: Edited Edupage, 26 May 1996
Message-ID: <01I57PI2X82O8Y506V@mbcl.rutgers.edu>

From: IN%"grafolog at netcom.com" "jonathon" 27-MAY-1996 20:45:08.30

> Porting PGPhone to JAVA, perhaps?

The difficulty is that I don't know if the Java in the phones can actually affect the phone transactions in voice, or just do modem connections using the phones, or just act to handle the phone numbers.
-Allen

From loki at infonex.com Mon May 27 21:02:53 1996
From: loki at infonex.com (Lance Cottrell)
Date: Tue, 28 May 1996 12:02:53 +0800
Subject: Quickremail v1.0b
Message-ID:

At 2:28 PM 5/27/96, E. ALLEN SMITH wrote:
>From: IN%"markm at voicenet.com" "Mark M." 27-MAY-1996 12:57:44.84
>
>>On Sun, 26 May 1996, Lance Cottrell wrote:
>
>>> Which remailers does it install?
>
>>Mixmaster, and it gives a choice of either installing the Freedom remailer or
>>the remailer code written by Matt Ghio. It also has support for reorder
>>scripts, but I haven't debugged that part yet.
>
> What are the major differences between the various Mixmaster remailer
>codes, especially in terms of the logistics of running a remailer? I'm
>particularly interested in aspects related to A. running one by someone not
>particularly familiar with UNIX (e.g., me) and B. a remailer accepting/sending
>mail only from/to a limited list of addresses (e.g., only other remailers).
> Thanks,
> -Allen
>
>P.S. I'm planning on starting up a remailer, probably on Lance's machine (to
>take advantage of his expertise) sometime this summer. I do want to get PGP for
>the VAX before then, and the MIT site doesn't appear to have this code.

I think you misunderstood his answer, it installs Mixmaster and also installs either the Ghio or Freedom remailer.

There are several flavors of remailer. The most common (but not most popular) are Cypherpunk and Mixmaster. At this time there is only one implementation of Mixmaster, mine. There are several versions of the Cypherpunk remailer (A.K.A. Type 1) of which "Ghio" and "Freedom" are two. Mixmaster is known as a Type 2 remailer. Type 1 and type 2 are completely incompatible.

-Lance

----------------------------------------------------------
Lance Cottrell loki at obscura.com
PGP 2.6 key available by finger or server.
Mixmaster, the next generation remailer, is now available!
http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com

"Love is a snowmobile racing across the tundra. Suddenly
it flips over, pinning you underneath. At night the ice
weasels come."
--Nietzsche
----------------------------------------------------------

From EALLENSMITH at ocelot.Rutgers.EDU Mon May 27 21:12:46 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Tue, 28 May 1996 12:12:46 +0800
Subject: Programmable field gate array chips down in price
Message-ID: <01I57OPPFA748Y506V@mbcl.rutgers.edu>

What were the estimates people were giving for the cost of an array to crack current credit card over the Net encryption?
-Allen

> XILINX SLASHES PRICES OF FIELD GATE ARRAY CHIPS, UPS PERFORMANCE
> __________________________________________________________________________
> Copyright © 1996 Nando.net
> Copyright © 1996 Bloomberg
> SAN JOSE, Calif. (May 27, 1996 12:53 p.m. EDT) -- Xilinx Inc. said it
> will slash the price of some of its programmable microchips by as much
> as 53 percent over the next 12 months.
> Xilinx said a new manufacturing process also will allow it to increase
> performance of the chips, known as field programmable gate arrays,
> which are found in a variety of complex electronic devices.
> Xilinx said that by the end of the year, it expects to be selling its
> XC5202 field programmable gate arrays for $5 apiece, down 44 percent
> from an earlier projected price of $9. That price should decline to
> $4.50 by mid-1997, Xilinx said.
> The San Jose, California-based semiconductor maker said it also will
> trim prices of more expensive gate arrays by as much as 53 percent,
> bringing XC5210, for example, to $18 in mid-1997 from a current price
> of $38.
> The price cuts are for customers who purchase thousands of gate arrays
> at a time.
[...]
> Xilinx pioneered the development of programmable chips, which are
> found in complex devices such as networking and telecommunications
> equipment utilizing Asynchronous Transfer Mode (ATM) technology. Its
> revenue increased 58 percent to $560.8 million in the fiscal year
> ended March 31, in the face of steadily falling chip prices, as the
> company's products found uses in a growing number of devices.

From jya at pipeline.com Mon May 27 21:36:39 1996
From: jya at pipeline.com (John Young)
Date: Tue, 28 May 1996 12:36:39 +0800
Subject: SEM_tex
Message-ID: <199605280113.BAA26887@pipe2.t1.usa.pipeline.com>

New Sci 25 May 1996:

"Forensic lab awash with Semtex."

Just 5 nanograms of RDX -- one of the ingredients in Semtex -- is enough to link a suspected terrorist to a bombing. Yet the DERA forensic laboratory that carries out tests in many high-profile terrorist cases frequently finds more than this on its floor.

"It's horrifying," says an independent forensic scientist who specialises in explosives cases. "They seem to have been getting contamination all the time."
In contrast, forensic experts frequently say that the Forensic Science Agency in Northern Ireland has the most thorough precautions against contamination. The agency moved to a new laboratory in 1992 after the IRA blew up its old one.

SEM_tex

From jya at pipeline.com Mon May 27 21:39:15 1996
From: jya at pipeline.com (John Young)
Date: Tue, 28 May 1996 12:39:15 +0800
Subject: MIN_ers
Message-ID: <199605280112.BAA26773@pipe2.t1.usa.pipeline.com>

New Sci 25 May 1996:

"Panning for data gold."

Nowadays nearly every organization from supermarkets to the police can boast a vast mine of electronic data. Separating the gold from the dross is the real challenge.

A growing band of computer scientists say they can dig out nuggets of 24-carat knowledge from huge mountains of database dross. They call themselves "data miners", and they are wielding some pretty impressive tools -- information theory, laws of probability, neural networks, tree induction, genetic algorithms, disjunctive normal form logic. But the impact of their efforts is anything but esoteric.

By identifying potential new customers -- or ways of hanging on to existing ones -- this information is worth millions in extra revenue. And this is just the start, according to Usama Fayyad of Microsoft Research and co-editor of a new book on data mining.

MIN_ers

From ncognito at gate.net Mon May 27 22:11:46 1996
From: ncognito at gate.net (Ben Holiday)
Date: Tue, 28 May 1996 13:11:46 +0800
Subject: Asendmail For Mix [Testers Needed]
In-Reply-To:
Message-ID:

On Mon, 27 May 1996, John A. Perry wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> On Mon, 27 May 1996, Ben Holiday wrote:
>
> > I've put together a program that acts as a replacement for sendmail with
> > mixmaster, along with a list of 135 sites on the internet that either do
> > not add received headers at all, or add headers that don't indicate who
> > the originator was.
>
> Do these sites know that you are using them to mask a remailer?
> I would think it would be very bad netiquette to cause a system to be
> investigated by some official authority because your remailer was using
> them as a front without their express knowledge and permission.

No, they don't. And yes, it probably is bad netiquette.

Unfortunately, the idea of your friendly neighborhood remailer is dying very quickly. Using other remailers as out-points is fine in so far as it goes, but someone eventually must eventually send mail to someone who isn't a remailer.

If we define a remailer as a site that strips identifying headers from mail and passes it to its destination, then these sites are in fact remailers. They simply don't advertise themselves as such.

Why is it that hundreds of government and university machines can operate what amount to anonymous remailers, and no one pays any attention, and yet cypherpunks are threatened with jail time for what is essentially the same thing?

From jf_avon at citenet.net Mon May 27 22:14:11 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Tue, 28 May 1996 13:14:11 +0800
Subject: Throwing away the whole bushell because one apple is rotten...
Message-ID: <9605280104.AB17333@cti02.citenet.net>

On 27 May 96 at 12:07, Subir Grewal wrote:

> You might want to read up on what
> classical liberalism is andd what a minimalist state implies before
> you spout Rand.

The fact that I quote Rand occasionally does not mean that I endorse everything she said. The word "spout" seems to be derogatory here and I see nothing that guarantee it.

Some of her ideas did not pass the test of reality, and some other did. But the fact that some did not does not invalidate the other that did. :)

JFA

DePompadour, Societe d'Importation Ltee; Limoges porcelain, silverware and crystal
JFA Technologies, R&D consultants: physicists, technologists and engineers.
PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891

I reserve the right to post publicly any private e-mail sent to me.
Unsolicited commercial e-mail will be proofread at US165 $/h
Any sender of such material will be considered as to have accepted
the above mentioned terms.

From ncognito at gate.net Mon May 27 22:47:53 1996
From: ncognito at gate.net (Ben Holiday)
Date: Tue, 28 May 1996 13:47:53 +0800
Subject: Asendmail For Mix [Testers Needed]
Message-ID:

For the past several days I've been working on a method of concealing the identity of Remailers..

I've put together a program that acts as a replacement for sendmail with mixmaster, along with a list of 135 sites on the internet that either do not add received headers at all, or add headers that don't indicate who the originator was.

The program is called asendmail and what it does is pick 2 servers from its list of proxies (using a modified version of the rnd generator from Lance Cottrell's reorder package). It then opens an smtp socket with the first server, sends the second server's name in its introduction, and proceeds to send its mail that way.

I'm not an expert on such things, but a careful look at the resulting mail has revealed no sign of the originating remailer's address. As far as I can tell the only way to identify the remailer would be by obtaining logs from the proxy host, if they exist.

Asendmail is being used for all mixmaster mail sent through ncognito at cyberpass.net currently. It would be helpful in debugging if some people could route a few test messages through the mailer, examine the headers, verify that mail has arrived, etc. Any and all feedback will be greatly appreciated.

Assuming that the results of this testing are acceptable, I will make a beta version of asendmail, and my (ever expanding) proxy list available.

Thanks,

From markm at voicenet.com Mon May 27 22:50:10 1996
From: markm at voicenet.com (Mark M.)
Date: Tue, 28 May 1996 13:50:10 +0800
Subject: Layman's explanation for limits on escrowed encryption ...
In-Reply-To: <01I53K6SDN348Y4Z90@mbcl.rutgers.edu>
Message-ID:

On Fri, 24 May 1996, E. ALLEN SMITH wrote:

> Hmm.... what were the normal key-length recommendations again? This
> appears to imply that the NSA can break at least 64-bit, and probably 80-bit,
> encryption. How does this translate into public key lengths? E.g., how many
> normal bits is a 1024-bit PGP key equivalent to?
> -Allen

The normal key-length recommendation was 96 bits. 64 bits and 80 bits are equivalent to 512 bits and 768 bits respectively. I would guess that a 1024-bit key is about as strong as a 96-bit key. The first two numbers are from _Applied Cryptography_; my estimate is an extrapolation from the data in AC.

-- Mark
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm at voicenet.com | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348
((2b) || !(2b)) | Old key now used only for signatures
"The concept of normalcy is just a conspiracy of the majority" -me

From jf_avon at citenet.net Mon May 27 23:14:25 1996
From: jf_avon at citenet.net (Jean-Francois Avon)
Date: Tue, 28 May 1996 14:14:25 +0800
Subject: [SCARE]: "If you only knew what we know..."
Message-ID: <9605280210.AA20962@cti02.citenet.net>

On 27 May 96 at 21:46, Subir Grewal wrote:

> > Oh, you mean, "for them, anybody who pass a judgment of his own
> > that :contradict them should be killed" I see...

> Glad you noticed that. Now tell me how AP for any other cause is
> different?

It has similarities. But AP will not be the enforcer of *one* opinion. And, according to Jim Bell, people will realize that the best way to behave is to adopt a low profile.
Again, this is where I do not agree with JB, although I cannot say I disagree. I simply do not know. Maybe, since the basis for sustenance of human life is production, and since the majority has to be producers, the majority will endorse more libertarian ideas. But again, maybe Joe Average was so convinced that "the rich" owe him a free lunch that AP will lead to complete destruction of the system. I personally tend to believe that Joe Average still has some common sense and integrity.

JFA

PLEASE NOTE: THIS POST DOES NOT MEAN THAT I ENDORSE MR. BELL'S SYSTEM. MY RATIONAL CONCLUSIONS ABOUT ITS INTERNAL MECHANICS AND ITS INTRINSIC LOGICS DO NOT MEAN THAT I LIKE NOR ENDORSE THE SYSTEM. I SIMPLY CONCLUDED THAT IT IS IMPOSSIBLE TO PREVENT THE SYSTEM FROM BEING IMPLEMENTED. IMO, IT IS UNAVOIDABLE.

DePompadour, Societe d'Importation Ltee
Limoges porcelain, Silverware and mouth blown crystal glasses
JFA Technologies, R&D consultants.
Physicists, technologists and engineers.
PGP keys at: http://w3.citenet.net/users/jf_avon
ID# C58ADD0D : 529645E8205A8A5E F87CC86FAEFEF891

From perry at alpha.jpunix.com Mon May 27 23:21:22 1996
From: perry at alpha.jpunix.com (John A. Perry)
Date: Tue, 28 May 1996 14:21:22 +0800
Subject: Asendmail For Mix [Testers Needed]
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Mon, 27 May 1996, Ben Holiday wrote:

> For the past several days I've been working on a method of concealing the
> identity of Remailers..
>
> I've put together a program that acts as a replacement for sendmail with
> mixmaster, along with a list of 135 sites on the internet that either do
> not add received headers at all, or add headers that don't indicate who
> the originator was.

Do these sites know that you are using them to mask a remailer? I would think it would be very bad netiquette to cause a system to be investigated by some official authority because your remailer was using them as a front without their express knowledge and permission.
I would think that obtaining permission would be the least you could do, but that would also defeat the anonymity by the nature of notifying the site that you wish to use them. This does not apply to chaining remailers as by running a remailer, the operator of the remailer is tacitly giving permission to be used in the chain in most cases.

John Perry - KG5RG - perry at alpha.jpunix.com - PGP-encrypted e-mail welcome!
WWW - http://www.jpunix.com
PGP 2.62 key for perry at jpunix.com is on the keyservers.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMapW01OTpEThrthvAQENiwP+LIrhnIK02gV28W/0GhBr1QvYjSvL6N8V
XE9s85AkQEtfjYMI78PkGAEH0Wj8ZcOGsdz0ZySGD/BxGXHjvOCbW3ObUoytASx6
phllJ+cb1e4bGZu0WOcpnRUjz9M/yVB9uO/6K4zYqipVv18Cdt33yOb0joBimVMa
XUAFfwJtpGM=
=m9Ar
-----END PGP SIGNATURE-----

From grewals at acf2.NYU.EDU Mon May 27 23:33:28 1996
From: grewals at acf2.NYU.EDU (Subir Grewal)
Date: Tue, 28 May 1996 14:33:28 +0800
Subject: [SCARE]: "If you only knew what we know..."
In-Reply-To: <9605270445.AB06762@cti02.citenet.net>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Mon, 27 May 1996, Jean-Francois Avon wrote:

[NOTE: I'm going to be going away later this week and network connectivity will probably be intermittent for a month. I'll have to unsubscribe to Cypherpunks sometime soon. Which is why I suggested we continue this another time.]

:> Of course there are those who
:> fervently believe in the socialist ideal
:
:But, my dear, even in the most libertarian or AP-ruled world, they
:would be absolutely free to give away *all* of their salary for the
:causes they consider valid. Only, those who don't agree with them
:would not be coerced into those noble causes.

Socialists aren't really interested in "giving away money" to a particular cause. To put it in crude terms, they're interested in taking your money (and that of others) to create a socialist (read collectivist) society.
To believe that socialists will be content in a liberal world because philanthropy is not illegal is to misunderstand socialism completely.

:This paragraph seems to indicate that the only difference between
:libertarians and socialist is a mere difference of opinion and that
:everybody is justified to act on their beliefs. But the socialists
:who pretend that are simply blanking out the fact that *they too*
:recognize that Reality Is since they want to use force to get a
:lunch out of the mouth of somebody who has one (and who happened to
:produce it himself) to put it in the mouth of another who didn't
:have. Therefore, it is OK to deny reality when somebody comes up
:with arguments against socialism, but it is darn convenient to use
:it (in the form of a loaded gun...)

Nope, the socialists don't believe they're taking "lunch out of someone's mouth". They believe they are creating a communitarian society where there is no decadence, and each of us gets an approximately equal amount. "progressive" taxation exists because socialists believe those who have more (have taken more from society, benefited more from the infrastructure of the state etc.) should put more into the communitarian pot. That this does not work in a society with any degree of freedom (and esp. a democracy) is difficult to get through to socialists. Most of them believe that democracy, freedom and a socialist structure (read public ownership of the means of production) are compatible with each other.
- From all evidence, they are sadly mistaken.

:Oh, you mean, "for them, anybody who pass a judgment of his own that
:contradict them should be killed" I see...

Glad you noticed that. Now tell me how AP for any other cause is different?

:> Marx was not the first to point
:> out that institutions influence our actions, that we are products of
:> our times, that the choices we face are as much determined by our
:> own preferences as they are by the world around us.
:
:Well, of course, our perception of reality is context dependent. But
:you seem to attempt to hint that truth is relative because knowledge
:is contextual. It looks like an attempt on reason.

The statement I made has absolutely jack-shit to do with "truth". It's simply a comment on the insidious nature of institutions and how it may be easy to ignore the variety of effects they may have.

:I think that by the nature of AP, this would be ruled out. Maybe
:there would be a fanatic president, but he would preside nothing
:because nobody would be there to enforce his fanatic views.

That depends. If enough people believe the AP tactics are threatening they may support a rigid state that cracks down on AP groups in a totalitarian fashion. It may be possible to prevent this, but the only way I can see it happening is if there is a greater level of class-consciousness promoting a view of politicos and bureaucrats as "them". Till kids dream of becoming president I doubt it's about to happen.

On income taxes, one of the most fundamental oppositions to income taxes when they were first introduced was on privacy grounds. It seemed to be a gross invasion of privacy to have someone else know exactly how much you were earning and from where. I wish more people today looked at it in the same manner. Other objections include interference with the pricing mechanism and incentives.

hostmaster at trill-home.com * Symbiant test coaching * Blue-Ribbon * Lynx 2.5
A fool must now and then be right by chance.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Key Escrow = Conscription for the masses | 2048 bit via finger

iQB1AwUBMapbBRwDKqi8Iu65AQG6CwL/QfpVjlNq5rmo/L0Biv7iqrUtz5zHiPEe
Sje788mJDM1yj/Ri7QNMOIBuSZ7AToub3mpSI3udW23L80u7W8nwl+/gERJKk+uL
jpSdGjNGCjfIurxMPr3LxnBDDi/BQz6B
=CNuE
-----END PGP SIGNATURE-----

From llurch at networking.stanford.edu Tue May 28 00:45:16 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Tue, 28 May 1996 15:45:16 +0800
Subject: SEM_tex
In-Reply-To: <199605280113.BAA26887@pipe2.t1.usa.pipeline.com>
Message-ID:

On Tue, 28 May 1996, John Young wrote:

> In contrast, forensic experts frequently say that the
> Forensic Science Agency in Northern Ireland has the most
> thorough precautions against contamination. The agency
> moved to a new laboratory in 1992 after the IRA blew up
> its old one.

I suppose that's one way to deal with a housekeeping problem...

From nobody at REPLAY.COM Tue May 28 00:48:51 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Tue, 28 May 1996 15:48:51 +0800
Subject: remail@c2.org Blocked From replay mail2news Gateway
Message-ID: <199605280420.GAA06863@basement.replay.com>

usura at basement.replay.com (Alex de Joode) wrote (to Usenet):

> Anonymous (nobody at flame.alias.net) sez:
> : My alpha.c2.org 'nym suddenly stopped working this weekend. I
> : haven't changed my reply block, and the only remailer in my reply
> : chain (thus far) is remail at c2.org. That remailer is used to paste
> : in the Subject: and Newsgroups: headers, then the encrypted
> : message is sent to the replay mail2news gateway to be posted in
> : alt.anonymous.messages.
>
> : It used to work, now I'm getting nothing, and I haven't changed
> : anything. Help!!!!!
>
> : Anyone know why?
>
> Yes, the replay mail2news gateway is currently unavailable for
> people using the c2.org remailer, this due to the ongoing forging
> of people's 'from:' headers in sci.med, alt.smoking and the like.
>
> When the mail2news software has been rewritten to be able to
> block on a per newsgroup basis I'll probably remove the block
> on c2.org.
>
> If you need to post you can use the remailer at replay.com and give
> the 'Post-To: ' command, this will preserve the 'From: ' header
> if you want to post under an nym.

%$#&*!!! (Not directed at you, Alex!)

It wasn't outgoing posts that I was worried about, so much as my replies that were being posted to alt.anonymous.messages via alpha.c2.org rather than being chained to me through e-mail. I wonder how much (if any) mail I may have lost. How long has this embargo been in effect?

Is there any chance (pretty please) that the obviously non-forged mail from alpha.c2.org to alt.anonymous.messages, such as that with "nobody at c2.org" in the From: line, can be unblocked on a one-time basis, or have they already been consigned to the bit-bucket?

Between this and the antics of the Co$, this has not been a pleasant weekend. All I gotta say is XENU XENU XENU!

From llurch at networking.stanford.edu Tue May 28 01:18:08 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Tue, 28 May 1996 16:18:08 +0800
Subject: none [mail2news broke]
In-Reply-To: <199605272325.BAA23173@basement.replay.com>
Message-ID:

Usura just answered this on alt.privacy.anon-server. The basement mail2news gateway is temporarily blocking posts from c2.org until the alt.syntax.tactical forgers go away or can be filtered with new code.

While I publicly whined that SOMETHING needed to be done about the problem (for PR reasons if nothing else), I'm disappointed that there was no public announcement of the downtime first. Heck, when Scientology came knocking, there was an 11-day window before utopia shut down...

Of course, there's probably more to this than we mere mortals know, so don't take this as any kind of judgement. (I'm answering mainly to cover my ass that it ain't totally my fault.)
-rich

On Tue, 28 May 1996, Anonymous wrote:

> My 'nym which has worked just fine has suddenly stopped working this
> weekend. My reply block has not changed, and the only remailer in
> it is remail at c2.org.
>
> I have the reply block set up to send the encrypted reply to
> remail at c2.org where Newsgroups: and Subject: headers are pasted on
> with the "##" operator. The message is then sent on to the replay
> mail2news gateway for posting to alt.anonymous.messages.
>
> What's happened? Anyone know?

From stewarts at ix.netcom.com Tue May 28 01:50:54 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Tue, 28 May 1996 16:50:54 +0800
Subject: Mixmaster version usable with POP?
Message-ID: <199605280529.WAA04756@toad.com>

At 12:44 AM 5/27/96 EDT, E. ALLEN SMITH wrote:
>From: IN%"markm at voicenet.com" "Mark M." 26-MAY-1996 18:46:13.23
>
>>On Linux this works:
>>popclient -3 -c POPHOSTNAME | formail -s mixmaster -R >> $MAIL
>
>>It will work on any system that has formail and popclient on it.
>
> Is this only for getting mail, or also for sending it? Sorry, I'm
>not very familiar with UNIX, especially the pipe commands.

A pipe takes the standard output of the program on the left-hand side and feeds it to the standard input of the program on the right. On Real Operating Systems, like Unix, both programs are running at once, so the pipe doesn't need to buffer very much information; MS-DOS fakes it out by running the first command while dumping its output in a temp file, then running the second command with its input from the temp file.

A program named "popclient" is almost certainly designed for fetching mail from a Post Office Protocol server, which keeps a mailbox for you. I don't know what "formail" does, but it's presumably going to crunch your newly fetched mail through mixmaster to send it out. (A not unreasonable guess for what it does is to take a bunch of mail from standard input (e.g.
the output of popclient) and crunch each mail message according to the options on the command line, for instance filing it, prettyprinting it, or whatever.) So this is a remailer. To just send mail, you'd use mixmaster.

# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus inoculation

From paul.elliott at hrnowl.lonestar.org Tue May 28 02:34:32 1996
From: paul.elliott at hrnowl.lonestar.org (Paul Elliott)
Date: Tue, 28 May 1996 17:34:32 +0800
Subject: PGP MIME INTERNET DRAFT considered harmful.
Message-ID: <199605280509.WAA04350@comsec.com>

-----BEGIN PGP SIGNED MESSAGE-----

Summary: The PGP MIME INTERNET DRAFT, draft-elkins-pem-pgp-03.txt, contains a design error with respect to signatures on binary data. This error results from the failure to recognize the distinction between those features of MIME which are necessary to represent complex data and those features of MIME that are used to transport the data. The design error will result in the following negative results if PGP-MIME is widely used with binary data.

(1) Huge unnecessary inefficiency whenever binary data is sent signed and encrypted.
(2) The signatures on PGP MIMEd objects can not be extracted from a MIME context and used where MIME programs are not available.
(3) Many users will rightly refuse to sign the entities the PGP-MIME draft envisions. This reduces the utility of PGP-MIME.
(4) If users do sign these files, they will be signing data for which there are no commonly available inspection tools. This will eventually result in a security breach.

- ----------------------------------------------------------------------

The problem is that when binary data is to be signed the data is to be PGPed _after_ base64 has been applied and the MIME headers added. This is required by the draft:

>
>3.
Content-Transfer-Encoding restrictions
>
> Multipart/signed and multipart/encrypted are to be treated by agents
> as opaque, meaning that the data is not to be altered in any way
> [1]. However, many existing mail gateways will detect if the next
> hop does not support MIME or 8-bit data and perform conversion to
> either Quoted-Printable or Base64. This presents serious problems
> for multipart/signed, in particular, where the signature is
> invalidated when such an operation occurs. For this reason it is
> necessary to REQUIRE that ALL data signed according to this protocol
> be constrained to 7 bits (8-bit data should be encoded using either
> Quoted-Printable or Base64). Note that this also includes the case
> where a signed object is also encrypted (see section 6). This
> restriction will increase the likelihood that the signature will be
> valid upon receipt.
>
> Data that is only to be encrypted is allowed to contain 8-bit
> characters and therefore need not be converted to a 7-bit format.
>
>

In this the draft follows RFC1847.

[Encrypted & Signed binary data.]

Now when there is a data path for PGP's cyphertext, PGP provides a binary data path for its plain text. Thus, the inner base64 that PGP MIME internet draft requires is totally unnecessary. It will cause a 30% increase in the size of those messages that are encrypted and signed and large amounts of CPU time will be used applying & removing the base64. It is worth noting that huge amounts of binary data will be transferred by MIME, so the above represents a significant problem.

[Signed binary data.]

Now let us consider the question of what PGP-MIME draft requires users to sign. Suppose we want to send a signed .gif file to a sysop. The sysop wants to store the .gif in his download section. Suppose the sysop wants to store the signature as a detached signature so that people who download it can check the authorship. But the signature proposed by the PGP-MIME draft is useless for this purpose.
It has MIME headers attached and it has been base64'ed. People who download such a file from a BBS have no use for it, unless they have MIME.

Or suppose we send a signed .gif file to the maintainer of a WEB page. He stores the .gif on an insecure UNIX system connected to the internet. Suppose, a year later the maintainer wants to check if the .gif has been tampered with. Can the maintainer store the signature on a floppy and use the signature for later checking? No, the only way the signatures specified by the draft can be used, would be to add MIME headers and apply base64. The maintainer will have to store the entire MIME message, .gif and all if he wants to check the signature later.

Or let us consider a .gif artist. The artist has a policy of only signing works that he can be proud of. He does not sign his sketches, because he does not want sketches to tarnish his reputation. Before signing and releasing a work, he examines it with several different gif viewers and paint programs. But what does the draft PGP-MIME want the artist to sign? It wants him to sign a file that has been base64'ed and with mime headers added. The artist can not examine the file to be signed with any of his gif viewers or paint programs. Everyone's mother has told them to "Never sign anything unless you have read the fine print first." But here we have a file that has been scrambled so that it can not be inspected with the commonly available tools. The artist refuses to sign. Not only does he not know what he is signing, but the base64 offends his artistic standards. Who can be proud of base64? Necessary perhaps, but let's face it, base64 is an horrible kludge built to meet the deficiencies of a network.

If users get in the habit of signing binary files which represent multimedia data, and which can not be examined with commonly available inspection tools, it is inevitable and predictable that sooner or later this will cause some kind of negative security event.
Now there is some justification for the way the draft handles text. Different operating systems and machine architectures represent text in different ways, so that it is necessary that digital signatures be taken over some "canonical" format so that signatures will check on different operating systems. Even after text has been mangled by Quoted-Printable it can still be read after a fashion by the person asked to sign it. Operating systems and machine architectures also differ in the way they represent binary data. The differences in the ways integers, floating point numbers and other such thingies are represented are well known. However, such differences must be handled at the application level. The location within a file of integers, floating points, etc must be set by the application programmer/designer. PGP, MIME, and base64 can not deal with these differences, because the location of integers and floats can not be specified in advance for an arbitrary data file. Thus, from the point of view of PGP and base64, these differences do not exist and binary data may as well be a stream of bytes. Thus, in the case of binary data, base64 is not more "canonical" than the original data. There is no good reason to sign the base64 rather than the original data. Once a file has been base64ed, the file can not be examined with the usual inspection tools. The draft has chosen to treat text and binary data similarly. This results in negative results mentioned above, but the developer and draft author do not have to deal with any logic to handle text and binary data separately. User utility and security have been sacrificed for the convenience of simplicity for the draft author and the PGP-MIME developer. The typical user of MIME software is not necessarily technically sophisticated. When the deficiencies and disasters associated with software patterned on this draft become apparent, not everyone will know exactly which software component is at fault. 
The problems associated with the draft (or its successors) may adversely affect the reputation of PGP. Now some descendant of the draft could become a standard or the draft could become a de-facto standard through wide-spread use. Such a standard could become a barrier to the acceptance of other software without the draft's deficiencies. Thus, the draft could permanently inflict poor software on the world. (Look at the memory architecture of the IBMPC for one example. Or look at the MSDOS operating system for another example.) The draft should be withdrawn. People should rethink and create a better plan to combine the benefits of PGP and MIME. It should accommodate the user who wishes to mail a generally usable PGP signature (that is, one that can be used outside the context of MIME) along with multimedia binary data. It should not ask a user to apply a signature to any data that cannot be examined with commonly available tools. It should not require anyone to sign an artifact of a data transfer system such as base64. It should not require any additional space overhead (more than that which may be necessary for transport) when signing and encrypting. 
- --
Paul Elliott Telephone: 1-713-781-4543
Paul.Elliott at hrnowl.lonestar.org Address: 3987 South Gessner #224
Houston Texas 77063

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: cp850

iQCVAgUBMaBPRPBUQYbUhJh5AQH2hwP+J1ADSzD3Yx4gvUIvAwN+EDikIN2IaHhM
j+znIlt9QPzl5SSp44H+JnhoivhKR3562ACI1nexNMZ9E2MrPNioiGmrmz0uGwM6
Px/k2HbioQrgqmmP0IO/98cTZGA71pK7iNk7AZbWpEW4XfWkyRDW9hQzrCEZXXw8
jQwM/VHUPl8=
=BvoZ
-----END PGP SIGNATURE-----

From an116512 at anon.penet.fi Tue May 28 02:36:21 1996
From: an116512 at anon.penet.fi (an116512 at anon.penet.fi)
Date: Tue, 28 May 1996 17:36:21 +0800
Subject: net-based key archival
Message-ID: <9605280603.AA24810@anon.penet.fi>

In .cypherpunks, Matt Blaze writes:
>I've put a revised version of my "Key Escrow without Escrow Agents"
>abstract in my ftp directory, in PostScript and Latex formats.
> ftp://research.att.com/dist/mab/netescrow.ps
> ftp://research.att.com/dist/mab/netescrow.tex

I just brought these files down + a few others in the same directory that he didn't tell us about (you can see them with netscape by leaving off the last part. Check out MKCS.PS and others. They take a while to see because you need a postscript viewer but if you can read them they are enlightening about this guy's character. It looks like AT&T is in the key escrow biz, folks!!! Maybe someone should scan them in and post them to the list, so we know what the enemy is doing.

The MKCS.PS file is about how to make a code for other people to use so that you can break. And then they say don't worry the government would never do this!!! Riiiiggggght.

PS I hope this message goes through, my posting software on connectnet doesn't work so I'm using penet.

++arlo :

--****ATTENTION****--****ATTENTION****--****ATTENTION****--***ATTENTION***
Your e-mail reply to this message WILL be *automatically* ANONYMIZED.
Please, report inappropriate use to abuse at anon.penet.fi
For information (incl.
non-anon reply) write to help at anon.penet.fi
If you have any problems, address them to admin at anon.penet.fi

From perry at piermont.com Tue May 28 03:39:46 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Tue, 28 May 1996 18:39:46 +0800
Subject: net-based key archival
In-Reply-To: <9605280603.AA24810@anon.penet.fi>
Message-ID: <199605280732.DAA04752@jekyll.piermont.com>

an116512 at anon.penet.fi writes:
> I just brought these files down + a few others in the same directory that
> he didn't tell us about (you can see them with netscape by leaving off the
> last part. Check out MKCS.PS and others. They take a while to see because
> you need a postscript viewer but if you can read them they are
> enlightening about this guy's character. It looks like AT&T is in the
> key escrow biz, folks!!! Maybe someone should scan them in and post
> them to the list, so we know what the enemy is doing.
>
> The MKCS.PS file is about how to make a code for other people to use so
> that you can break. And then they say don't worry the government would never
> do this!!! Riiiiggggght.

God, you are an imbecile. You couldn't even be bothered to read the document you are yelling about, could you?

The MKCS abstract explains the result that Blaze et al arrived at which shows that generalized systems with back doors in them are roughly equivalent to public key systems -- that is, any generalized Master Key Cryptosystem can be used as a public key system. Thus, although it is possible that there are faster techniques available, it would appear that to design a cipher with a back door, we would have to use techniques that are currently thought to be slow. A lot of the point was that ciphers like DES are unlikely to have "master key" style back doors. This result is about the opposite of what you trumpet.

They come up with some other interesting results about master keyed systems. None of them are "AT&T is in the key escrow biz" revelations.
Might I suggest that in the future you have someone jackhammer your head out of the concrete block it is encased in before you make pronouncements? Perry From tcmay at got.net Tue May 28 03:45:19 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 28 May 1996 18:45:19 +0800 Subject: Philosophy of information ownership Message-ID: At 5:55 AM 5/28/96, Bruce Baugh wrote: >What specifically bothers me is the reselling of information that I chose to >reveal for a specific transaction, most especially when I did so with an >assumption of privacy. I'm happy to provide businesses with the info they >need to see that I'm not going to stiff them on a sale. I am _very_ unhappy >that some of them then turn around and sell that info to others, and doubly >so when what gets passed on is wrong. Contracts are the key. If Alice contractually agreed to hold data confidential, then didn't, Bob would have a case for suing. If Bob revealed information without a contract, Alice can do with it as she pleases. And in most of the cases I was talking about a few days ago (I was gone for the weekend and could not participate in this debate until now), Alice is using various records or observations that are free for anyone to remember, save, use, etc. Alice compiles a dossier on Bob based on press items, public court records, bankruptcy filings, divorce decrees, and all the various things that are available to anyone who is "observant." (The government has attempted to interfere with this record-keeping and -reporting, such as with the "Fair Credit Reporting Act," which makes the "remembering" of bankruptcies, defaults, and other such indiscretions a crime if the records are greater than 7 years, or somesuch. 
My point is that such laws are not only unconstitutional, even under the "regulate commerce" clause, but are laws which ultimately invite the government to inspect the files and records of someone...so much for "secure in one's papers.") Face it, if one makes public utterances, or utterances on lists like this, or one files for bankruptcy protection, or any number of such things, then others can and will "remember" these things. How they use these remembrances or who they pass them on to, or sell them to, has *never* been something that the U.S. government has been empowered to control or regulate. Until recently, of course. All to the worse. >>When I walked off with your blood chemistry data, did you lose the use >>of it for your future purposes? > >What I've lost here is privacy, something which does have monetary value to me. As others have noted, the proper solution is to make contractual arrangements with those doing blood analyses, or handling the data. It works for financial data, more or less, and so on. There is no justification (and many reasons against such a thing) for invoking some nebulous "right to personal information." >[example of info gleanable by my reading/posting to Cypherpunks and other >sources out there for the world to see] >>What do you propose as to the obligations I should have to you as regards >>the disposition of this information? For example, what if I receive a > >Things like that don't bother me, either. If I really didn't want to be >associated with Cypherpunks that way, I could do things to protect my identity. Fine, you draw the line at "Cypherpunks information can be revealed, but you'd better not reveal XYZ." Others would use your same logic to argue that even the "who cypherpunks" command information is "private" and not to be compiled into a dossier or revealed or, God forbid, sold. Again, what are the contractual relationships? 
>On the other hand, say I sign up for a mailing list that charges a >subscription fee, like Extropians. I would feel no ground for complaint if >someone markets a list of Extropian subscribers - but I'd feel much ground >for complaint if I learned the list owner were selling credit histories >gathered during the subscription process. (Unless, of course, I assent to a >clause to the effect that the list owner can do anything he wants with my >credit info, as opposed to the specific purpose of getting payment for the >list.) Here you seem to be referring to contracts. A good start. And much better than mere appeals to intuition about what ought to be private and what ought to be public. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From bruce at aracnet.com Tue May 28 04:05:33 1996 From: bruce at aracnet.com (Bruce Baugh) Date: Tue, 28 May 1996 19:05:33 +0800 Subject: Philosophy of information ownership [ Re: Children's Privacy Act ] Message-ID: <2.2.32.19960528055505.006ae230@mail.aracnet.com> At 09:24 AM 5/27/96 -0500, Mike McNally wrote: >What if I just *see* your couch, and then back in my garage I use my >couch replicator to make a couch just like yours, complete with fuzzballs >and loose change between the cushions? Now I have your couch, in a sense. >Are you still upset? Watch and act. This doesn't bother me. 
What specifically bothers me is the reselling of information that I chose to reveal for a specific transaction, most especially when I did so with an assumption of privacy. I'm happy to provide businesses with the info they need to see that I'm not going to stiff them on a sale. I am _very_ unhappy that some of them then turn around and sell that info to others, and doubly so when what gets passed on is wrong. >When I walked off with your blood chemistry data, did you lose the use >of it for your future purposes? What I've lost here is privacy, something which does have monetary value to me. [example of info gleanable by my reading/posting to Cypherpunks and other sources out there for the world to see] >What do you propose as to the obligations I should have to you as regards >the disposition of this information? For example, what if I receive a Things like that don't bother me, either. If I really didn't want to be associated with Cypherpunks that way, I could do things to protect my identity. On the other hand, say I sign up for a mailing list that charges a subscription fee, like Extropians. I would feel no ground for complaint if someone markets a list of Extropian subscribers - but I'd feel much ground for complaint if I learned the list owner were selling credit histories gathered during the subscription process. (Unless, of course, I assent to a clause to the effect that the list owner can do anything he wants with my credit info, as opposed to the specific purpose of getting payment for the list.) -- Bruce Baugh bruce at aracnet.com http://www.aracnet.com/~bruce From gbroiles at netbox.com Tue May 28 04:12:19 1996 From: gbroiles at netbox.com (Greg Broiles) Date: Tue, 28 May 1996 19:12:19 +0800 Subject: Remailers & liability Message-ID: <2.2.16.19960528062833.26bfd90e@mail.io.com> At 05:06 PM 5/27/96 EDT, E. Allen Smith wrote: > Why, precisely, do you think that remailers don't do much good where >the operator isn't root? 
The possibility of the sysop looking at the mail & >getting the private key, the increased susceptibility to cracking of >non-root accounts, possible sysop non-cooperation in an honest manner (as >opposed to the first one), or what? I think it's more difficult to covertly monitor communications through a remailer if the remailer operator isn't root; this is also the case if the primary MX record doesn't point directly to a machine under the operator's control. I think it'd be possible for a hostile party to monitor/intercept communications through any remailer; but it's more likely to cause an unexplained disruption or outage where the hostile party has less access to the target machine/network, and the operator (who we assume is trusted) has more access. I also think that where root is not the remailer operator, root is a lot less likely to say "fuck off you evil TLA I won't help you monitor remailer traffic." My hunch is that many/most remailer operators would shut down a remailer instead of letting a TLA monitor traffic, and/or would refuse to take clear steps to publically reestablish the integrity of a remailer if its confidentiality was in question. My hunch is that many/most "professional" sysadmins would let a TLA monitor traffic if a user was running a remailer, and wouldn't do anything to let either the user/operator or the clients of the remailer know anything was amiss. Look at the way that the WELL and Netcom and AOL (I'm probably missing some examples here) have been willing to let amateur and professional spooks & cops wander around their systems reading mail and looking in home directories while chasing "bad guys". How many ISP's are going to say "come back with a warrant" if cops show up with badges & guns, saying "User X is running a remailer which sends kiddie porn/drug sales transaction info/whatever"? I bet very, very few. 
(And no, the ECPA won't be much help, see _Steve Jackson Games_ re "what does intercept mean?") Obviously I'm talking about "more" and "fewer" and hunches, not a mathematical proof. This is really just another web-of-trust; I may trust X to run a remailer (and not log traffic or disclose it to outsiders), but I probably don't trust X to pick a service provider who will not be susceptible to "the Briefing" and who won't hire anyone as a sysadmin who isn't bribable or coercible. My intention is not to slam remailer operators who aren't root, just to point out that the level of protection we should expect from those remailers is relatively small. Ditto for remailers operated by unknown nyms who don't have well-known people willing to vouch for their integrity. Truly, no offense is intended. If I have some idea who the remailer operator is, and they are root, I feel like I learn something if the operator says "My system doesn't log traffic." If the operator isn't in a position to know (because they're not root) or if I don't have a reason to trust them, I assume the remailer is logging traffic. And a remailer that logs traffic may be more dangerous than no remailer at all, because the amount of security provided is illusory. -- Greg Broiles |"Post-rotational nystagmus was the subject of gbroiles at netbox.com |an in-court demonstration by the People http://www.io.com/~gbroiles |wherein Sgt Page was spun around by Sgt |Studdard." People v. Quinn 580 NYS2d 818,825. From tcmay at got.net Tue May 28 04:27:29 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 28 May 1996 19:27:29 +0800 Subject: Philosophy of information ow Message-ID: At 5:46 PM 5/27/96, Chris Adams wrote: >On 27 May 1996 11:25:28 pdt, m5 at vail.tivoli.com wrote: > >>What if I just *see* your couch, and then back in my garage I use my >>couch replicator to make a couch just like yours, complete with fuzzballs >>and loose change between the cushions? Now I have your couch, in a sense. 
>>Are you still upset? >> >>When I walked off with your blood chemistry data, did you lose the use >>of it for your future purposes? > >I believe that you are free to keep information, use it, etc. but >you MUST get permission before selling it. This opinion summarizes what's wrong with the world today. Facts are facts. Statements about reality. If I happen across a piece of information, such as "Chris Adams is subscribed to the Cypherpunks list," I need not get permission from Chris Adams to sell this fact to another. (Unless of course I have a contractual relationship with Chris involving this in some way.) Not even in these Beknighted States, unless the laws have recently gotten much worse that they were a short while ago. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From stewarts at ix.netcom.com Tue May 28 04:33:06 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Tue, 28 May 1996 19:33:06 +0800 Subject: Remailers - What exists? Message-ID: <199605280739.AAA07812@toad.com> At 11:00 PM 5/24/96 -0400, Black Unicorn wrote: >Question: >Which remailers can be run without root? >Which remailers can be run best on the most systems? >Which remailers are easiest to set up? Basic remailers can run fine as a mail user on any Unix system that supports executing user-specified programs on incoming mail. Almost any modern Unix system will do this, either through sendmail .forward files or some similar (dangerous :-) mechanism. 
Even on systems that don't do it automagically, you can batch the mail through a remailer command either by hand or using a cron script if your system lets you. It helps a lot to have an account that isn't your main email account, because it's going to get lots of junk in it that you want to discard most of, so you'd be better off without your real mail going there, unless you're a procmail wizard. Mixmaster-style remailers are more secure than vanilla ones, but of course you need to use the Mixmaster client software to use them, which could be a problem if you're a DOS or Mac user. Being root gets you a couple of things: - ability to set up multiple names to receive mail on, which you need to run a user-friendly 2-way remailer, like anon.penet.fi or alpha.c2.org. Some sendmail flavors have extensions on user names ( myname+whatever at machine.edu ) which would let you do the same thing as a regular user, but it doesn't seem to be a widespread feature. - ability to mess with the sendmail logs - ability to tell the backup software not to back up your spool directory (which would be Really Bad, especially if your computer provider keeps backups forever.) The alternative is to put it under /tmp somewhere, and just make sure it recovers if too much stuff gets deleted by regular daemons. - Extra Slack for mail-to-news gateways. You can often do them without being root, but not everywhere, and it's harder to fake From: addresses if you're not root. Of course, you can always run Linux at home - there are even new versions for Mac coming out. 
# Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 # goodtimes signature virus innoculation From stewarts at ix.netcom.com Tue May 28 04:35:54 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Tue, 28 May 1996 19:35:54 +0800 Subject: Tempest Info Message-ID: <199605280739.AAA07817@toad.com> There was some interesting stuff on the web page about experience TEMPEST-surfing CRTs, and Sarah Ellerman's article is better than some of its sources, but there's still bogosity around. >It's so secret that the Feds refuse to even release its real name. >Privacy advocates have filled the void by nicknaming this >technology "TEMPEST," which stands for "Transient Electromagnetic Pulse >Emanation Surveillance Technology." Nope. TEMPEST _is_ its real name. It's not an acronym, and the stuff doesn't even deal with Transient ElectroMagnetic Pulses; that's somebody's attempt to take a non-acronym and find plausible buzzwords to fill it. >What it does is allow a simple scanning device to read the output from >your monitor from up to one kilometer away. It's not just about monitors; they're just easy targets because they're usually electrically noisy, and the stuff they broadcast is in an easily usable form (if you've got a monitor around that can handle the output frequencies required, which is to say it costs at least as much as the monitor you're bugging :-). One reason they're noisy is the basic technology they use; another is that they're hard to stick in metal boxes because you'd like to be able to see the screen. In the days before FCC Class A and Class B certification became near-mandatory, there were a _lot_ of noisy devices out there; one early dot-matrix electronic typewriter could be read a couple of miles away. On the other hand, random signals from your CPU's crunching are not only harder to detect among all the other electronic noise, it's hard to translate them into anything human-readable. 
>We headed east toward the New York Post newspaper offices and read the >latest news off their monitors (which was printed the next day). We headed >north toward City Hall and NYPD Police Headquarters. Guess what? They're not >Tempest-certified either...Neither is the United Nations, any of the midtown About 8-10 years ago, TEMPEST-certified computers typically cost about $5000 more than equivalent regular computers, as well as being 6-12 months behind the commercial products they were based on. A big reason for this is that certification is an expensive technical and paperwork process, and most products aren't going to sell enough units to spread the cost around. Sure, some of it's due to shielded cables, grounded metal boxes, and paying careful attention to board design. As one of the posters pointed out, you can cut down your exposure a lot by using an LCD display instead of a CRT, and sticking to FCC Class B equipment, which is a tighter standard than Class A. One of the articles also described making a shielded room using some of the non-woven carbon-fiber fabric shielding, and said it didn't stop everything. Shielding is a tricky business - modern computers have a lot of harmonic energy in the 100 MHz - 10 GHz ranges, especially now that clock speeds are in the 100 MHz range instead of the 8 MHz range that was common when I started, so the wavelengths get very short and stuff leaks out easily around joints unless you're very careful about both the technology and the installation; you've _got_ to test a room for tightness and hunt down all the leaks before you can trust it. Also, of course, your electrical power system needs to be shielded and filtered, so only 60Hz gets through, unless you plan to stick to laptops and bring in spare battery packs. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 # goodtimes signature virus innoculation From tcmay at got.net Tue May 28 06:00:49 1996 From: tcmay at got.net (Timothy C. 
May) Date: Tue, 28 May 1996 21:00:49 +0800 Subject: [SCARE]: "If you only knew what we know..." Message-ID: At 3:52 PM 5/26/96, Paul J. Bell wrote: >a good idea. what we really need to do is to obtain, by whatever means >seems available, a copy of "the briefing", and to publish it, >on the web/net, with detailed annotations of each point. having >their story in public view would certainly take away a lot of its power. >also, on the off chance that there were any errors in their version of >the facts, it could make for an interesting q&a session when the next >recipient didn't buy the pitch. > > -paul >ps.. no, i don't know, right off-hand, how to obtain such a copy, >but if the employee manual that was making the rounds a few years was >what it purported to be, well, there's hope for this document to >see the light of day. (-: I doubt this. The "NSA Employee's Manual" which was published (first by 2600 or Phrack, then on the Net by Grady Ward) was of course just the typical stuff handed out to the 25,000 or so employees of the NSA...any of them could have passed the stuff on to 2600 or Phrack. Nothing very sensitive for such a large "corporation." "The Briefing" is an altogether different thing. A private briefing, with photos, maybe audio and video clips, and definitely "personal." Classified information, intelligence sources revealed or hinted at, etc. It is almost certainly not some kind of printed document. And certainly not sent out to lots of people. In any case, I don't think this is something one really "refutes." Because the events are likely real events, and are thus irrefutable. (As to catching the NSA in outright lies, I doubt this. Enough real stuff that they wouldn't have to invent history. In my opinion, of course.) What can be refuted are the possible claims that particular events imply that civil liberties need to be restricted, or that crypto needs to be controlled. That is, the philosophical points.
And for this we already have anticipated most of the likely scenarios, aka the Four Horsemen. Sure, I'd like to hear what is being whispered to the burrowcrats to scare them so much....but "obtain, by whatever means seems available" is something I'll leave for you black bag operatives to take care of. Good luck! --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From vince at cryptonet.it Tue May 28 06:08:18 1996 From: vince at cryptonet.it (David Vincenzetti) Date: Tue, 28 May 1996 21:08:18 +0800 Subject: holographic remailing & the scientologists (fwd) Message-ID: <199605280855.KAA23960@relay.cryptonet.it> A number of secret-sharing/splitting programs for Unix are available at idea.sec.dsi.unimi.it/pub/crypt/code, ftp.dsi.unimi.it's new location For instance, check idea.sec.dsi.unimi.it/pub/crypt/code/secshar.tar.gz Ciao, David > Forwarded by Robert Hettinga > > ----------------------------------------------------------------------- > Date: Sun, 26 May 1996 15:20:32 -0700 (PDT) > From: Wei Dai > To: "Vladimir Z. Nuri" > cc: cypherpunks at toad.com > Subject: Re: holographic remailing & the scientologists > MIME-Version: 1.0 > Sender: owner-cypherpunks at toad.com > Precedence: bulk > > > On Sat, 25 May 1996, Vladimir Z. Nuri wrote: > > > frankly, I think this was a great idea that we could explore > > some more. in a sense, it stores data "holographically" over > > all kinds of different people's messages. 
imagine a system in which > > the scientology documents are stored in people's signatures, > > and someone writes software to go and recombine the documents > > based on finding signatures "out there". > > This software already exists. Take a look at Disperse/Collect at > http://www.eskimo.com/~weidai. Disperse splits a file into n base64 > encoded pieces where any k of them can be used to reconstruct the > original. Collect will search through arbitrary collection of files (for > example the entire news spool) for these pieces and automatically > reconstruct everything that it finds. > > Wei Dai > > > > -------------------------------------------------- > The e$ lists are brought to you by: > > Take Your Business Online with Intertrader Ltd, Edinburgh, U.K. > Visit http://www.intertrader.com or email info at intertrader.com > > Making Commerce Convenient (tm) - Oki Advanced Products - Marlboro, MA > Value-Checker(tm) smart card reader= http://www.oki.com/products/vc.html > > Where people, networks and money come together: Consult Hyperion > http://www.hyperion.co.uk info at hyperion.co.uk > > See your name here. Be a charter sponsor for e$pam, e$, and Ne$ws! > See http://thumper.vmeng.com/pub/rah/ or e-mail rah at shipwright.com > for details... > ------------------------------------------------- > From cwe at it.kth.se Tue May 28 06:57:00 1996 From: cwe at it.kth.se (Christian Wettergren) Date: Tue, 28 May 1996 21:57:00 +0800 Subject: Runtime info flow in Java In-Reply-To: Message-ID: <199605280933.LAA20313@piraya.electrum.kth.se> | At 7:06 AM 5/9/96, Christian Wettergren wrote: | >Hi! | > | >I'm presenting my licentiate research proposal | >next week, and I thought that some of you might | >find it interesting. I'd like to find others | >that are working with similar projects, to have | >some people to discuss with. 
| > | >The actual proposal is available at | > | > http://www.it.kth.se/~cwe/phd/licprop.ps | | I began to look at your paper online but that works poorly for me. My | printer does not handle A4 paper. PostScript seems inflexible in this | regard. If it were available in 8.5 X 11 inch format you would have least | one more reader. I've uploaded a letter-formatted version of the paper as well now. (Or I hope so at least, can't try it here since we only have A4 paper.) I have also put the original FrameMaker document there, as well as a small presentation in PowerPoint about the topic. Take a look at http://www.it.kth.se/~cwe/phd/ for more information. | I am interested in your paper because you define the problem as we do. | There are some who think that capability architectures are the solution. | There is little information on how to solve these problems with | capabilities. I am trying to find time to address some of these issues. | | KeyKOS is a capability based operating system that is designed to solve a | variety of security problems. There are some papers at | and | . I've read briefly previously about KeyKOS, I believe it was in IEEE Symp on Sec & Priv, or something like that. I'll take a closer look at KeyKOS. It is interesting to find others doing similar things, since it is quite hard to find previous work in the area. (I've digged through Comm of ACM all the way back to 1969 for material. Sigh! :-)) | We find that Java as a language conforms well enough to capability | principles even though not using the term. Some of the primordial classes | do not conform and indeed it was there that the Princeton group found the | problems that are most difficult to fix. I have experiences from UNIX, and I would say that a large number of the security problems in the daemons are due to the fact that the programmer did not succeed in keeping data from different subjects separated. 
This is today solved by ad hoc methods by the programmer, and the task is too difficult. One of the things I want to examine is how fast a subject's influence is spreading through the program during execution. I'm worried that the influence in general is not contained, and that one either has to have a very intelligent compiler or have to rewrite most programs to take advantage of the scheme. I hope to be able to straighten out this question mark during the coming months. /Christian From proff at suburbia.net Tue May 28 07:19:04 1996 From: proff at suburbia.net (Julian Assange) Date: Tue, 28 May 1996 22:19:04 +0800 Subject: France's proposed telecoms law Message-ID: <199605280918.TAA17579@suburbia.net> Paris, May 23, 1996: There is an EC regulation called which applies to all EC countries. This restricts the use of cryptography in the context of weapons of mass destruction, but not for any other purpose. The UK also has an export licensing requirement which is similar in scope. France, on the other hand, has much wider restrictions. The EC regulation is "Dual-Use and Related Goods (Export Control) Regulations" and the UK is "Export of Goods (Control) Order". Attached is a message containing the pending French legislation, followed by some comments. I hope this is helpful to readers on both sides of the pond. [Tuesday, 07 May 96 08:30:54 EST, "jean-bernard condat" wrote:] --------------- Art. 12 Article 28 of the Law No. 90-1170 dated December 29, 1990, on telecommunications regulation is hereby amended as follows: I - Section I is hereby amended as follows: 1) The first paragraph shall be completed by the following phrase: "Secret coding method denotes all materials or programs conceived or modified for the same purpose."
2) The second and third paragraphs are hereby replaced by the following provisions: "To preserve the interests of national defense and the internal or external security of the State, while permitting the protection of information and the development of secure communications and transactions, 1) the use of a secret coding method or service shall be: a) allowed freely: - if the secret coding method or service does not allow the assurance of confidentiality, particularly when it can only be used to authenticate a communication or ensure the integrity of the transmitted message; - or if the method or the service assures confidentiality and uses only coding conventions managed according to the procedures and by an organization approved under the conditions defined in Section II; b) subject to the authorization of the Prime Minister in other cases. 2) the supply, importation from countries not belonging to the European Community, and exportation of secret coding methods as well as services: a) shall require the prior authorization of the Prime Minister when they assure confidentiality; the authorization may require the supplier to reveal the identity of the purchaser; b) shall require declaration in other cases." 3) A decree sets the conditions under which the declarations are signed and the authorizations approved. 
This decree provides for: a) a simplified system of declaration or authorization for certain types of methods or services or for certain categories of users; b) the substitution of the declaration for the authorization, for transactions concerning secret coding methods or services whose technical characteristics or conditions of use, while justifying a certain attention being paid with regard to the aforementioned interests, do not require the prior authorization of these transactions; c) the waiver of all prior formalities for transactions concerning secret coding methods or services whose technical characteristics or conditions of use are such that the transactions are not capable of damaging the interests mentioned at the beginning of this paragraph. II - Section II is hereby replaced by the following provisions: "II - Organizations responsible for managing, on behalf of others, the coding conventions for secret coding methods or services that allow the assurance of confidentiality must be approved in advance by the Prime Minister. They are obligated to maintain professional confidentiality in the exercise of their approved activities. The approval shall specify the methods and services that they may use or supply. They shall be responsible to preserve the coding conventions that they manage. Within the framework of application of the Law No. 91-646 dated July 10, 1991, concerning the confidentiality of correspondence sent via telecommunications, and within the framework of investigations made under the rubric of Articles 53 et seq. and 75 et seq. of the Code of Criminal Procedure, they must release them to judicial authorities or to qualified authorities, or implement them according to their request. They must exercise their activities on domestic soil. 
A decree in the Council of State sets the conditions under which these organizations shall be approved, as well as the guarantees which the approval shall require; it specifies the procedures and the technical provisions allowing the enforcement of the obligations indicated above. III - a) Without prejudice to the application of the Customs Code, the fact of supplying, importing from a country not belonging to the European Community, or exporting, a secret coding method or service, without having obtained the prior authorization mentioned in I or in violation of the conditions of the granted approval, shall be punishable by six months imprisonment and a fine of FF 200,000. The fact of managing, on behalf of others, the coding conventions for secret coding methods or services that allow the assurance of confidentiality, without having obtained the approval mentioned in II or in violation of the conditions of this approval, shall be punishable by two years imprisonment and a fine of FF 300,000. The fact of supplying, importing from a country not belonging to the European Community, or exporting, a secret coding method or service, in order to facilitate the preparation or commission of a felony or misdemeanor, shall be punishable by three years imprisonment and a fine of FF 500,000. The attempt to commit the infractions mentioned in the preceding paragraphs shall be punishable by the same penalties. b) The natural persons guilty of the infractions mentioned under a) shall incur the complementary penalties provided for in Articles 131-19, 131-21, and 131-27, as well as, either indefinitely or for a period of five years or longer, the penalties provided for in Articles 131-33 and 131-34 of the Criminal Code. c) Judicial persons may be declared criminally responsible for the infractions defined in the first paragraph under the conditions provided for in Article 121-2 of the Criminal Code. 
The penalties incurred by judicial persons are: 1) the fine according to the modalities provided for by Article 131-38 of the Criminal Code; 2) the penalties mentioned in the Article L. 131-39 of the same code. The prohibition mentioned in 2) of this article L. 131-39 concerns activities, during the exercise of which, or on the occasion of the exercise of which, the infraction was committed." III - Section III becomes IV. Its last paragraph is hereby replaced by the following provisions: "The fact of refusing to supply information or documents, or of obstructing the progress of the investigations mentioned in this section IV, shall be punishable by six months imprisonment and a fine of FF 200,000." IV - Section IV becomes V. After the word "authorizations," the words "and declarations" are hereby inserted. V - A section VI is hereby added, formulated as follows: "VI - The provisions of this article shall not hinder the application of the Decree dated April 18, 1939, establishing the regulation of war materials, arms, and munitions, to those secret coding methods which are specially conceived or modified to allow or facilitate the use or manufacture of arms." VI - This article is applicable to overseas territories and to the territorial commonwealth of Mayotte. Copyright 1996 Steptoe & Johnson LLP Steptoe & Johnson LLP grants permission for the contents of this publication to be reproduced and distributed in full free of charge, provided that: (i) such reproduction and distribution is limited to educational and professional non-profit use only (and not for advertising or other use); (ii) the reproductions or distributions make no edits or changes in this publication; and (iii) all reproductions and distributions include the name of the author(s) and the copyright notice(s) included in the original publication. 
--------------- In trying to analyze the impact of the proposed law, I would note the following: Section I: Paragraph 1 (a), first bullet, seems to explicitly allow digital signatures, and does not require that the secret keys used for such purposes be escrowed. Paragraph 1 (a), second bullet, in combination with Section II, strongly hints at a requirement for key escrow. Conceivably, depending on the details of Law No 91-646 dated July 10, 1991 concerning the confidentiality of correspondence sent via telecommunications, the use of short keys that might expose information to unauthorized individuals (a la the IBM masked DES and Lotus Notes solution) might even be prohibited! Paragraph 1 (b) provides an escape clause for certain favored activities (and/or organizations?). Presumably international standards such as Visa/MasterCard's SET, which apply strong confidentiality to only certain data fields, notably the cardholder's account number, would be permitted under this kind of an exception. Banking transactions and other sensitive information may also be excluded from the key escrow requirement, especially if (since) the Government could subpoena the bank's records directly. This is further borne out by paragraph 3, (a, b, and c). Paragraph 1 seems to apply to the use of encryption, as opposed to the supply, import, or export. However, unless such use is covered by Law No. 91-646, the proposed amendment does not seem to apply criminal or civil penalties to such use. Paragraph 2 is interesting, in that it differentiates between "supply" and "importing from countries not belonging to the European community". This may be a technicality of the European Community import/export laws -- perhaps importation from countries within the European Community no longer has any meaning, since such customs barriers were supposed to have been removed. I would interpret "supply" to include the offering for sale, or even distributing for free, such code, even by a French citizen.
This would therefore appear to apply to the (re-)distribution of PGP and/or any home-grown French products, as well as any encryption products originating within the EC. If so, this would seem to be more even-handed with respect to imports from the US and elsewhere than might otherwise appear, and may obviate any claim that the law would violate the World Trade Organization's Most Favored Nation agreements. The apparent import preference for EC products simply reflects France's obligation to allow the free flow of goods within the EC. Paragraph 3 seems to provide for some simplified administrative mechanisms that may be less onerous than a case by case review. In US terms, this may be similar to requesting a commodity jurisdiction from Commerce, rather than having encryption being construed as falling under the ITARs. If so, we should certainly investigate these options. Subparagraphs b and c may apply to the use of relatively short keys, or for transactions of limited scope, e.g., for SET. Section II defines conditions for establishing and approving escrow agencies. Given the requirement for "professional confidentiality", I would not be at all surprised if the civil law "notaires" didn't jump at the chance to get into this business. The requirement that they exercise their activities on French soil is rather obscure. The prior language doesn't explicitly say anything about escrow, nor where the escrowed keys must be maintained -- it only talks about the management of coding conventions, and the requirement to comply with the requirements of the Code of Civil Procedure, which presumably requires that they divulge the keys and/or the text of any confidential messages upon demand by a proper authority. But a literal reading of the text would suggest that a standards organization that manages and preserves the coding conventions would have to carry out their activities on French soil, while the escrow repository might be elsewhere.
Section III certainly makes it clear that they are serious about all this. The natural persons who have committed, or even attempted to commit acts in violation of the Act are subject to fines and imprisonment, and I would hazard a guess that the Articles 131-33 and 131-34 would debar them from participating in any future importing or exporting. Corporations (judicial persons) may be held criminally responsible for any infractions caused by their employees, and I would assume that Article 131-39 would also lead to a debarment for future import or export, in exactly the same manner as US export violations would. Section VI makes the Act applicable to overseas territories, which means that some of the more obscure areas and countries would also be covered, such as French Guiana, etc. Disclaimer: I am not a French attorney, nor someone who is at all knowledgeable about EC law. The preceding analysis should not be construed as any kind of an official position. Go get your own hired guns if you need advice! From matts at pi.se Tue May 28 07:32:41 1996 From: matts at pi.se (Matts Kallioniemi) Date: Tue, 28 May 1996 22:32:41 +0800 Subject: Quickremail v1.0b Message-ID: <2.2.32.19960528100951.0038fbb4@mail.pi.se> At 17:28 1996-05-27 EDT, E. ALLEN SMITH wrote: >I'm planning on starting up a remailer, probably on Lance's machine (to >take advantage of his expertise) sometime this summer. I do want to get PGP >for the VAX before then, and the MIT site doesn't appear to have this code. Why would anyone set up a remailer at Lance's (or Sameer's) machine? They have remailers running already. If the thugs break root and obtain one remailer key from a machine, they probably get all the keys on that machine, compromising all the remailers in one single attack. Or am I missing something? Is there any benefit of multiple remailers on a machine where root is running his own remailer? Matts ps. 
The vax pgp is available at
ftp://ftp.net-connect.net/pub/cypherpunks/pgp/vaxpgp262.tar.Z

From usura at replay.com Tue May 28 07:38:52 1996
From: usura at replay.com (Alex de Joode)
Date: Tue, 28 May 1996 22:38:52 +0800
Subject: none [mail2news broke]
Message-ID: <199605281011.MAA16551@basement.replay.com>

Rich sez:

: Usura just answered this on alt.privacy.anon-server. The basement
: mail2news gateway is temporarily blocking posts from c2.org until the
: alt.syntax.tactical forgers go away or can be filtered with new code.
: While I publicly whined that SOMETHING needed to be done about the problem
: (for PR reasons if nothing else), I'm disappointed that there was no
: public announcement of the downtime first. Heck, when Scientology came
: knocking, there was an 11-day window before utopia shut down...

My fault, I didn't imagine shutting down access for c2.org would have a big impact. (other than that the forgeries would stop)

Besides the block was in effect for about 12 hours and I was merely testing if the code did work. (apparently it does)

My sincere apologies if mail has been lost due to this situation.

Best Regards,
--
-AJ-

From cwe at it.kth.se Tue May 28 07:39:12 1996
From: cwe at it.kth.se (Christian Wettergren)
Date: Tue, 28 May 1996 22:39:12 +0800
Subject: Runtime info flow in Java
In-Reply-To:
Message-ID: <199605281015.MAA21153@piraya.electrum.kth.se>

| At 9:09 AM 5/24/96, Lucky Green wrote:
| ....
| >I walked away from your presentation of KeyKOS with the impression that a
| >capability system to be secure it would have to be implemented at the OS
| >level.
| >Can you build a such a system on top of an insecure OS, as Java would have
| >to do?
| [....]
|
| We do not have a complete map between capabilities and Java. There are
| things about Java that we have not mapped to capabilities yet.
For instance
| any piece of code in a Java program that can declare a reference to an
| object of class Zot is also able to invoke any of the public constructors
| for Zot. This may be too strong an ability.

First of all I'm concentrating on programs that deal with data input from many different subjects. There is a problem in trying to separate the influence of these different subjects from each other. What resources should the process be allowed to access? If it is too little, nothing useful can be done. If it is too much, you run a risk of compromise.

I try to achieve my goals in a somewhat different way than in a traditional capabilities system. Much, if not most, of the security work makes the assumption that the program can do anything, and that the OS doesn't know squat about what the program does from a security point of view. This clearly doesn't work anymore, at least in my view.

What I try to achieve is that one doesn't have to trust the program anymore. The program is compiled with a special compiler that inserts an extra "guarding" program in parallel with the original program. I call this the "shadow code", since it shadows the original program's execution.

All data inputs to the process have a subject identity to them. The shadow code keeps track of how these identities flow through the variables and the execution path as the program is executed.

Suppose we're calculating c := a + b, then the subject set of 'c' is the union of the subject sets of 'a' and 'b'; sset[c] := sset[a] U sset[b]. Subject sets appear, instead of plain subjects, as you can see. This is a piece of shadow code that is executed just before the original statement is executed. You have to take care of the execution path for conditionals as well.

The subject sets are presented to the OS by the shadow code when the program does a system call. These subject sets are now used to do *detailed* access control for the *specific* system call.
This (hopefully) solves the problem of giving too much/too little access, since this decision now can be based on the precise subject sets presented.

You can find a discussion on this in a power point presentation at http://www.it.kth.se/~cwe/phd/licpres.ppt. Take a look at http://www.it.kth.se/~cwe for more info.

Comments are most welcome!

/Christian

From anonymous-remailer at shell.portal.com Tue May 28 07:55:53 1996
From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com)
Date: Tue, 28 May 1996 22:55:53 +0800
Subject: World Economic Forum (fwd)
Message-ID: <199605281057.DAA04719@jobe.shell.portal.com>

Horsemen continue to ride.

---------- Forwarded message ----------

Last night, C-SPAN carried a public session from the WEF meeting held last February in Davos, Switzerland. It looked like a chorus of kinder gentler totalitarians, fascists, and Big Brothers.

Louis Freeh, speaking in bureaucratese, said it was time to create an international police force, stamp out uncrackable encryption, and enlist business as allies in implementing the total surveillance state.

Elie Wiesel, guru of Humanism from Boston U., was more direct and explicitly called for an international police force to protect us from nuclear terrorists and other bogeymen.

One bright note: Freeh said a recent poll of interest to his bureau discovered that 10% of Americans believe the U.S. government was complicit in the Oklahoma City bombing. Maybe there is hope after all.
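
[Added example, not part of any list message or of Christian Wettergren's system: a sketch of the subject-set propagation described in the "Runtime info flow in Java" message above, covering the c := a + b rule, the execution-path case for conditionals, and the check at a system call. The tuple statement format, the Guarded class, the sample program and policy, the rule that every subject in the presented set must be authorised, and the handling of the untaken branch are all assumptions made for illustration.]

```python
"""Shadow-code sketch: subject sets travel alongside values (constructed example)."""
from functools import reduce

EMPTY = frozenset()

def union(sets):
    """Union of an iterable of frozensets; an empty iterable gives the empty set."""
    return reduce(frozenset.union, sets, EMPTY)

def assigned(stmts):
    """Variables a block could assign, whether or not it actually runs."""
    out = set()
    for s in stmts:
        if s[0] in ("input", "assign"):
            out.add(s[1])
        elif s[0] == "if":
            out |= assigned(s[2]) | assigned(s[3])
    return out

class Guarded:
    """Runs a toy program and its shadow code side by side."""

    def __init__(self, policy):
        self.val = {}     # the original program's variables
        self.sset = {}    # shadow state: variable -> subject set
        self.pc = []      # subject sets of the conditions controlling execution
        self.policy = policy  # (syscall, resource) -> subjects allowed to influence it
        self.audit = []   # (syscall, resource, presented subject set, allowed)

    def run(self, stmts):
        for s in stmts:
            getattr(self, "do_" + s[0])(*s[1:])
        return self.audit

    def do_input(self, var, value, subject):
        # Every input carries the identity of the subject that supplied it.
        self.val[var] = value
        self.sset[var] = frozenset([subject]) | union(self.pc)

    def do_assign(self, dst, fn, srcs):
        # Shadow statement runs first: sset[dst] := U sset[src], plus the path.
        self.sset[dst] = union(self.sset[v] for v in srcs) | union(self.pc)
        self.val[dst] = fn(*(self.val[v] for v in srcs))

    def do_if(self, cond, then, other):
        # Whoever influenced the condition influences everything either branch
        # could have written, including variables left untouched (assumption:
        # the conservative treatment of the untaken branch).
        self.pc.append(self.sset[cond])
        taken, skipped = (then, other) if self.val[cond] else (other, then)
        self.run(taken)
        for v in assigned(skipped):
            self.sset[v] = self.sset.get(v, EMPTY) | union(self.pc)
        self.pc.pop()

    def do_syscall(self, name, resource, args):
        # The shadow code presents the subject set; the "OS" decides per call.
        subjects = union(self.sset[v] for v in args) | union(self.pc)
        allowed = subjects <= self.policy.get((name, resource), EMPTY)
        self.audit.append((name, resource, subjects, allowed))

# Constructed sample: three subjects feed one process.
PROGRAM = [
    ("input", "a", 40, "alice"),
    ("input", "b", 2, "bob"),
    ("input", "flag", 1, "mallory"),
    ("input", "note", 0, "alice"),
    ("assign", "c", lambda x, y: x + y, ["a", "b"]),        # c := a + b
    ("if", "flag",
        [("assign", "note", lambda x: x + 1, ["note"])],    # flow via the path
        []),
    ("syscall", "write", "/var/log/shared", ["c"]),
    ("syscall", "write", "/home/alice/notes", ["a"]),
    ("syscall", "write", "/home/alice/notes", ["note"]),
]
POLICY = {
    ("write", "/var/log/shared"): frozenset({"alice", "bob"}),
    ("write", "/home/alice/notes"): frozenset({"alice"}),
}

if __name__ == "__main__":
    for name, resource, subjects, allowed in Guarded(POLICY).run(PROGRAM):
        print(name, resource, sorted(subjects), "ALLOW" if allowed else "DENY")
```

The third call is refused even though 'note' only ever held alice's data, because mallory's input decided whether it was updated.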
From weidai at eskimo.com Tue May 28 07:56:42 1996
From: weidai at eskimo.com (Wei Dai)
Date: Tue, 28 May 1996 22:56:42 +0800
Subject: holographic remailing & the scientologists (fwd)
In-Reply-To: <199605280855.KAA23960@relay.cryptonet.it>
Message-ID:

On Tue, 28 May 1996, David Vincenzetti wrote:

> A number of secret-sharing/splitting programs for Unix are available
> at idea.sec.dsi.unimi.it/pub/crypt/code, ftp.dsi.unimi.it's new location
>
> For instance, check idea.sec.dsi.unimi.it/pub/crypt/code/secshar.tar.gz

Disperse/Collect is an information dispersal program rather than a secret sharing program. They are similar but have different purposes. Here we want to improve accessibility and reliability without regard to secrecy. That is, for information dispersal we don't care if information about the original file is leaked with each share, whereas secret sharing has to guarantee that an attacker can find out nothing about the original secret unless he has at least k shares.

That aside, Disperse/Collect might be better suited for what Vladimir had in mind because it was explicitly designed for broadcasting files through Usenet. The secret sharing programs you mention would not work well because each share would be as big as the original secret. (There are secret sharing schemes with short shares, but I don't think any of those programs implement the more efficient schemes.)

Wei Dai

From matts at pi.se Tue May 28 08:45:06 1996
From: matts at pi.se (Matts Kallioniemi)
Date: Tue, 28 May 1996 23:45:06 +0800
Subject: Remailers & liability
Message-ID: <2.2.32.19960528112004.003a64cc@mail.pi.se>

At 23:28 1996-05-27 -0700, Greg Broiles wrote:
>If I have some idea who the remailer operator is, and
>they are root, I feel like I learn something if the operator says "My system
>doesn't log traffic." If the operator isn't in a position to know (because
>they're not root) or if I don't have a reason to trust them, I assume the
>remailer is logging traffic.
And a remailer that logs traffic may be more
>dangerous than no remailer at all, because the amount of security provided
>is illusory.

One benefit of non root / anonymous remailers is deniability. When the police come knocking on root's door, root can say that he didn't know about the kiddie porn remailer and he will shut it down asap. It will be hard to prove that he had intent to run a remailer (assuming that remailers are outlawed, like they are in France?).

A remailer that logs traffic is still useful because it will take the enemy some time and money to get the log. With plenty of remailers in your chain, that's plenty of time and money, and hopefully at least one remailer isn't keeping logs.

Matts

From jya at pipeline.com Tue May 28 09:49:57 1996
From: jya at pipeline.com (John Young)
Date: Wed, 29 May 1996 00:49:57 +0800
Subject: ONE_two
Message-ID: <199605281206.MAA27132@pipe2.t1.usa.pipeline.com>

5-28-96. NYPaper:

"Physicists Put Atom In 2 Places At Once."

A team of NIST physicists has proved that an entire atom can simultaneously exist in two widely separated places. The achievement not only sheds light on the paradox of Schrodinger's cat but could also have important consequences for cryptography, a science that creates codes to safeguard the electronic transfer of money, state secrets and other valuable things.

ONE_two

From rah at shipwright.com Tue May 28 11:37:53 1996
From: rah at shipwright.com (Robert Hettinga)
Date: Wed, 29 May 1996 02:37:53 +0800
Subject: DCSB: The FSTC Electronic Check Project
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

The Digital Commerce Society of Boston

Presents

Frank Jaffe, of The Bank of Boston and The Financial Services Technology Consortium (FSTC)

"The FSTC Electronic Check Project"

Tuesday, June 4, 1996
12 - 2 PM
The Downtown Harvard Club of Boston
One Federal Street, Boston, MA

Frank Jaffe is a Senior Systems Consultant in the Applied Technology Group at the Bank of Boston.
Frank is currently the project manager for the FSTC Electronic Check project which involves over 30 companies. Frank has played a leadership role in planning the amalgamation of Bank of Boston's five major retail computer systems into a single, common software system; acting as project leader for a new teller system, and leading the screen phone R&D project in cooperation with Northern Telecom and Bellcore.

The FSTC Electronic Check project will develop an enhanced all-electronic replacement to the paper check. Electronic checks will be used like paper checks, by businesses and consumers, and will use existing inter-bank clearing systems. Like its paper counterpart, the Electronic Check represents a self contained "information object," which has all of the information necessary to complete a payment. Likewise, paper checkbooks are replaced by portable Electronic Checkbooks; pens & signatures are replaced by signature card functions and digital signatures using advanced cryptographic techniques; stamps and envelopes by electronic mail or other communications options such as the World Wide Web over the Internet.

The fully automated processing capabilities of Electronic Checks opens the possibility of other types of financial instruments, such as electronic cashiers, travelers, and certified checks. Electronic check writing and processing will be integrated into existing applications, from cash registers to personal checkbook managers to large corporate accounting systems, to greatly increase the convenience, and reduce the costs, of writing, accepting, and processing checks.

This meeting of the Digital Commerce Society of Boston will be held on Tuesday, June 4, 1996 from 12pm - 2pm at the Downtown Branch of the Harvard Club of Boston, One Federal Street. The price for lunch is $27.50. This price includes lunch, room rental, and the speaker's lunch. ;-). The Harvard Club *does* have dress code: jackets and ties for men, and "appropriate business attire" for women.
We need to receive a company check, or money order, (or if we *really* know you, a personal check) payable to "The Harvard Club of Boston", by Saturday, June 1, or you won't be on the list for lunch. Checks payable to anyone else but The Harvard Club of Boston will have to be sent back.

Checks should be sent to Robert Hettinga, 44 Farquhar Street, Boston, Massachusetts, 02131. Again, they *must* be made payable to "The Harvard Club of Boston".

If anyone has questions, or has a problem with these arrangements (We've had to work with glacial A/P departments more than once, for instance), please let us know via e-mail, and we'll see if we can work something out.

Planned speakers for the following few months are:

July     Pete Loshin     Author, "Electronic Commerce"
August   Duane Hewitt    Idea Futures

We are actively searching for future speakers. If you are in Boston on the first Tuesday of the month, and you would like to make a presentation to the Society, please send e-mail to the DCSB Program Committee, care of Robert Hettinga, rah at shipwright.com .

For more information about the Digital Commerce Society of Boston, send "info dcsb" in the body of a message to majordomo at ai.mit.edu . If you want to subscribe to the DCSB e-mail list, send "subscribe dcsb" in the body of a message to majordomo at ai.mit.edu .

Looking forward to seeing you there!

Cheers,
Robert Hettinga
Moderator,
The Digital Commerce Society of Boston

-----------------
Robert Hettinga (rah at shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA
"If they could 'just pass a few more laws', we would all be criminals."
--Vinnie Moscaritolo
The e$ Home Page: http://www.vmeng.com/rah/

From sandfort at crl.com Tue May 28 14:44:11 1996
From: sandfort at crl.com (Sandy Sandfort)
Date: Wed, 29 May 1996 05:44:11 +0800
Subject: Philosophy of information ownership
Message-ID: <2.2.32.19960528162550.00706388@popmail.crl.com>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SANDY SANDFORT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

C'punks,

At 10:55 PM 5/27/96 -0700, Bruce Baugh wrote:

>What specifically bothers me is the reselling of information that I chose to
>reveal for a specific transaction, most especially when I did so with an
>assumption of privacy.
 ^^^^^^^^^^

The magic phrase in law is--and should be--"reasonable expectation of privacy." The world is full of unreasonable assumptions about all sorts of things. One certainly has the right to feel bothered about acts that violate one's assumptions, but this hardly gives one the right to compel others to comply with those whims.

>...I'd feel much ground
>for complaint if I learned the list owner were selling credit histories
>gathered during the subscription process. (Unless, of course, I assent to a
>clause to the effect that the list owner can do anything he wants with my
>credit info, as opposed to the specific purpose of getting payment for the
>list.)

Every day, merely by existing, we give other people information about ourselves. Is it reasonable to expect these people to not release nor use that information unless we specifically give them permission? I don't think so. In most situations, we must take positive steps to assure that our privacy will be maintained. Generally, it is incumbent upon us--not others--to secure our own privacy.
S a n d y

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From andrew_loewenstern at il.us.swissbank.com Tue May 28 17:15:58 1996
From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern)
Date: Wed, 29 May 1996 08:15:58 +0800
Subject: Layman's explanation for limits on escrowed encryption ...
In-Reply-To:
Message-ID: <9605281800.AA00525@ch1d157nwk>

Mark M. writes:
> The normal key-length recommendation was 96 bits. 64 bits
> and 80 bits are equivalent to 512 bits and 768 bits respectively.
> I would guess that a 1024-bit key is about as strong as an
> 96-bit key. The first two numbers are from _Applied
> Cryptography_; my estimate is an extrapolation from the data
> = in AC.

These numbers should be qualified with the date on which the estimate was determined. New factoring techniques increase the number of RSA key bits required to make factoring work equivalent to a given brute-force search.

Also, I would think that the NFS makes 512 bit RSA key factoring easier than brute-forcing 64-bits of key space...

andrew

From bruce at aracnet.com Tue May 28 17:59:33 1996
From: bruce at aracnet.com (Bruce Baugh)
Date: Wed, 29 May 1996 08:59:33 +0800
Subject: Philosophy of information ownership
Message-ID: <2.2.32.19960528193842.00700704@mail.aracnet.com>

At 12:29 AM 5/28/96 -0700, Timothy C. May wrote:

>Contracts are the key.

Agreed. The more that can be explicitly spelled out about these matters, the better.

A separate problem arises when the government compels the disclosure of information for one purpose - getting a driver's license, say - and then turns around and sells it to others. It's much harder to either negotiate a new contract or go to a competitor when the other party is a government.
--
Bruce Baugh
bruce at aracnet.com
http://www.aracnet.com/~bruce

From andrew_loewenstern at il.us.swissbank.com Tue May 28 18:04:59 1996
From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern)
Date: Wed, 29 May 1996 09:04:59 +0800
Subject: Tempest Info
In-Reply-To: <199605280739.AAA07817@toad.com>
Message-ID: <9605281908.AA00554@ch1d157nwk>

Bill Stewart writes:
> Also, of course, your electrical power system needs to be
> shielded and filtered, so only 60Hz gets through, unless you
> plan to stick to laptops and bring in spare battery packs.

At HoHoCon a few years ago, someone did a tempest demo and mentioned that signals could be recovered from water pipes! Fire sprinkler systems were specifically mentioned... There's a lot of different avenues for your emanations to be recovered, some you may not have thought of. Like crypto, tempest is economics.

andrew

From bruce at aracnet.com Tue May 28 18:05:04 1996
From: bruce at aracnet.com (Bruce Baugh)
Date: Wed, 29 May 1996 09:05:04 +0800
Subject: Philosophy of information ownership
Message-ID: <2.2.32.19960528193844.0070beac@mail.aracnet.com>

At 09:25 AM 5/28/96 -0700, Sandy Sandfort wrote:

>information about ourselves. is it reasonable to expect
>these people to no release nor use that information unless
>we specifically give them permission?

In many cases, sure it is. I can't see how giving you the information to establish that I can pay a bill I owe you should be in any sense treated as a license to do anything else with that info. A great many transactions are finite, and ought not have lingering implications or side deals dangling off the end.

In the long run, this is where anonymous payments come in. In the meantime, I muddle on as best I can.

--
Bruce Baugh
bruce at aracnet.com
http://www.aracnet.com/~bruce

From markm at voicenet.com Tue May 28 18:13:43 1996
From: markm at voicenet.com (Mark M.)
Date: Wed, 29 May 1996 09:13:43 +0800
Subject: Layman's explanation for limits on escrowed encryption ...
In-Reply-To: <9605281800.AA00525@ch1d157nwk>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 28 May 1996, Andrew Loewenstern wrote:

> Mark M. writes:
> > The normal key-length recommendation was 96 bits. 64 bits
> > and 80 bits are equivalent to 512 bits and 768 bits respectively.
> > I would guess that a 1024-bit key is about as strong as an
> > 96-bit key. The first two numbers are from _Applied
> > Cryptography_; my estimate is an extrapolation from the data
> > = in AC.
>
> These number should be qualified with the date on which the estimate was
> determined. New factoring techniques increase the number of RSA key bits
> required to make factoring work equivalent to a given brute-force search.
>
> Also, I would think that the NFS makes 512 bit RSA key factoring easier than
> brute-forcing 64-bits of key space...

Quite true. These estimates were made in 1995 so they are probably still pretty accurate. The rate at which factoring time decreases is greater than the rate at which brute-force time decreases. As to your claim that factoring a 512 bit number is easier than bruting a 64-bit key space, it is not feasible for anyone except maybe the NSA to do either of these. I have heard that an effort similar to that of factoring RSA 127 will be launched against a 512-bit modulus. I think that the difficulty is about equal to that of brute-forcing a 64-bit key.
- -- Mark

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm at voicenet.com              | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/    | d61734f2800486ae6f79bfeb70f95348
((2b) || !(2b))                    | Old key now used only for signatures
"The concept of normalcy is just a conspiracy of the majority" -me

From markm at voicenet.com Tue May 28 18:19:36 1996
From: markm at voicenet.com (Mark M.)
Date: Wed, 29 May 1996 09:19:36 +0800
Subject: Quickremail v1.0b
In-Reply-To: <2.2.32.19960528100951.0038fbb4@mail.pi.se>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 28 May 1996, Matts Kallioniemi wrote:

> At 17:28 1996-05-27 EDT, E. ALLEN SMITH wrote:
> >I'm planning on starting up a remailer, probably on Lance's machine (to
> >take advantage of his expertise) sometime this summer. I do want to get PGP
> >for the VAX before then, and the MIT site doesn't appear to have this code.
>
> Why would anyone set up a remailer at Lance's (or Sameer's) machine?
> They have remailers running already. If the thugs break root and obtain
> one remailer key from a machine, they probably get all the keys on that
> machine, compromising all the remailers in one single attack. Or am I
> missing something? Is there any benefit of multiple remailers on a machine
> where root is running his own remailer?

It's better than nothing. And besides, the more remailers there are, the more difficult it is to do traffic analysis on remailer traffic. Actually, it's the more remailers people chain messages through, but there are software packages that can do this easily. The more remailers there are, the longer remailer chains have the possibility of becoming.
- -- Mark

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm at voicenet.com              | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/    | d61734f2800486ae6f79bfeb70f95348
((2b) || !(2b))                    | Old key now used only for signatures
"The concept of normalcy is just a conspiracy of the majority" -me

From ravage at ssz.com Tue May 28 18:32:55 1996
From: ravage at ssz.com (Jim Choate)
Date: Wed, 29 May 1996 09:32:55 +0800
Subject: Remailer chain length?
Message-ID: <199605282112.QAA03652@einstein.ssz.com>

Hi Mark,

Forwarded message:

> Date: Tue, 28 May 1996 16:21:22 -0400 (EDT)
> From: "Mark M."
> Subject: Re: Quickremail v1.0b
>
> > At 17:28 1996-05-27 EDT, E. ALLEN SMITH wrote:
> > >I'm planning on starting up a remailer, probably on Lance's machine (to
> > >take advantage of his expertise) sometime this summer. I do want to get PGP
> > >for the VAX before then, and the MIT site doesn't appear to have this code.
> >
> > Why would anyone set up a remailer at Lance's (or Sameer's) machine?
> > They have remailers running already. If the thugs break root and obtain
> > one remailer key from a machine, they probably get all the keys on that
> > machine, compromising all the remailers in one single attack. Or am I
> > missing something? Is there any benefit of multiple remailers on a machine
> > where root is running his own remailer?
>
> It's better than nothing. And besides, the more remailers there are, the
> more difficult it is to do traffic analysis on remailer traffic. Actually,
> its the more remailers people chain messages through, but there are software
> packages that can do this easily.
The more remailers there are, the longer
> remailer chains have the possibility of becoming.

If this is strictly true, why not simply run several instances of a remailer on the same machine. Then randomly chain them prior to sending them off site. This would be a lot cheaper and faster than trying to convince hobbyists to set it up or businesses to use their profit & legal counsel.

Jim Choate

From cme at ACM.ORG Tue May 28 18:36:28 1996
From: cme at ACM.ORG (Carl Ellison)
Date: Wed, 29 May 1996 09:36:28 +0800
Subject: Clipper III analysis
In-Reply-To: <199605280545.WAA04738@comsec.com>
Message-ID:

There were a number of flaws in that paper, but perhaps the most glaring to me is that there are actually 3 classes of key:

the two you mentioned:
        communications key
        storage key
and
        signature key

Of these, you want key recovery *only* for storage keys. You want to make sure no one can get to your signature key. Even the IWG paper notes that.

But the only use for a PKI of any form is for a signature key. Once you have your identity established somehow for a signature key, you can generate and sign comm or storage keys at will.

Furthermore, if you lose a signature key, there's no big loss. You generate a new one and get a new cert for it. So there's *NEVER* a reason for key recovery for a signature key -- the only keys for which there is a need for a PKI.

I find myself wondering. Did some very clever crypto-theoretician plant this idea in their heads (sig key database giving GAK) knowing that the structure had termites? I first heard this from Micali...and here I always thought he was on their side. I may have misjudged the man. :)

 - Carl

+------------------------------------------------------------------------+
|Carl M. Ellison cme at acm.org http://www.clark.net/pub/cme |
|PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2|
| "Officer, officer, arrest that man! He's whistling a dirty song."
|
+-------------------------------------------- Jean Ellison (aka Mother) -+

From sandfort at crl.com Tue May 28 18:42:48 1996
From: sandfort at crl.com (Sandy Sandfort)
Date: Wed, 29 May 1996 09:42:48 +0800
Subject: Philosophy of information ownership
Message-ID: <2.2.32.19960528211416.0072ecfc@popmail.crl.com>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SANDY SANDFORT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

C'punks,

At 12:38 PM 5/28/96 -0700, Bruce Baugh wrote:

>I can't see how giving you the information to
>establish that I can pay a bill I owe you should be in any sense treated as
>a license do anything else with that info. A great many transactions are
>finite, and ought not have lingering implications or side deals dangling off
>the end.
>
>In the long run, this is where anonymous payments come in.
>In the meantime, I muddle on as best I can.
                    ^^^^^

As must we all. As I said, we are all responsible for our own privacy.

S a n d y

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From iang at cs.berkeley.edu Tue May 28 19:07:57 1996
From: iang at cs.berkeley.edu (Ian Goldberg)
Date: Wed, 29 May 1996 10:07:57 +0800
Subject: Is Chaum's System Traceable or Untraceable?
In-Reply-To: <01I53GAYSQUC8Y4Z90@mbcl.rutgers.edu>
Message-ID: <4ofo56$hbv@abraham.cs.berkeley.edu>

-----BEGIN PGP SIGNED MESSAGE-----

In article <01I53GAYSQUC8Y4Z90 at mbcl.rutgers.edu>, E. ALLEN SMITH wrote:
>From: IN%"iang at cs.berkeley.edu" 23-MAY-1996 13:56:31.71
>
>>Ah. I see I was misunderstood. The goal was not to make the shop anonymous,
>>but rather to be able to provide change to an anonymous payer.
>
> I had thought that the basic purpose of the fully anon system was just
>that - full anonymity for payer and payee. Under your suggestion, the shop
>gives up this anonymity under these circumstances in order to be able to make
>change. I'm not sure if I would call that a very good tradeoff...
> -Allen

Yes, that's the _basic_ purpose, but the "anon" protocol has several useful "secondary" properties as well. This (providing change to an anonymous payer) is one of them.

 - Ian

From iang at cs.berkeley.edu Tue May 28 19:18:32 1996
From: iang at cs.berkeley.edu (Ian Goldberg)
Date: Wed, 29 May 1996 10:18:32 +0800
Subject: Is Chaum's System Traceable or Untraceable?
In-Reply-To: <01I53GAYSQUC8Y4Z90@mbcl.rutgers.edu>
Message-ID: <4ofocm$hd1@abraham.cs.berkeley.edu>

-----BEGIN PGP SIGNED MESSAGE-----

In article , snow wrote:
>On Fri, 24 May 1996, E. ALLEN SMITH wrote:
>
>> From: IN%"iang at cs.berkeley.edu" 23-MAY-1996 13:56:31.71
>>
>> >Ah. I see I was misunderstood. The goal was not to make the shop anonymous,
>> >but rather to be able to provide change to an anonymous payer.
>>
>> I had thought that the basic purpose of the fully anon system was just
>> that - full anonymity for payer and payee. Under your suggestion, the shop
>> gives up this anonymity under these circumstances in order to be able to make
>> change. I'm not sure if I would call that a very good tradeoff...
>
> Howzabout this: Figure out about how many coins of each denom. the
>shop should have on hand, and every so often the shop goes online to even
>out it's til. That way the shop maintains the capability to make change
>for anything.
> Alternative: Instead of the shop going online every minutes,
>set it up so that everytime the shop goes online it evens out the til so
>that it really isn't know whether the shop went online to make change for
>a specific customer, or just to even out the til.
>
>

But then the shop, having seen the coins before, can collude with the bank to identify the customer!
The point of this use of the "anon" protocol is that the shop, throughout the transaction, never sees the coin it uses to provide change to the customer.

 - Ian

From richieb at teleport.com Tue May 28 19:21:06 1996
From: richieb at teleport.com (Rich Burroughs)
Date: Wed, 29 May 1996 10:21:06 +0800
Subject: [Fwd: --> CRISIS on USENET -- SIGN THE PROTEST STATEMENT VIA E-MAIL]
Message-ID: <31AAE908.4D23@teleport.com>

This is a post from Jon Noring (noring at netcom.com) about the recent spamming of alt.religion.scientology. I thought he summed the situation up very well.

Jon is asking folks to sign an email petition to show their protest over this threat to free speech. The signatures will be counted by an independent third party, and the names/email addresses of signers will not be made available to CoS.

Please redistribute freely.

Rich

____________

Subject: --> CRISIS on USENET -- SIGN THE PROTEST STATEMENT VIA E-MAIL
From: noring at netcom.com (Jon Noring)
Date: Tue, 28 May 1996 06:24:49 GMT
Newsgroups: alt.clearing.technology,alt.religion.scientology,alt.support.ex-cult,news.admin.net-abuse.misc,nl.scientology,talk.religion.misc
Organization: Netcom Online Communications Services (408-241-9760 login: guest)
Sender: noring at netcom11.netcom.com
Xref: nntp.teleport.com alt.clearing.technology:19074 alt.religion.scientology:176837 alt.support.ex-cult:8143 news.admin.net-abuse.misc:60902 nl.scientology:182 talk.religion.misc:215542

This post is to outline what I see as a major crisis now occurring on Usenet.
The crisis is a massive, ongoing, vertical spamming (*) of a Usenet newsgroup never before seen at this scale, and its purpose is to completely drown out regular discussion on a newsgroup of public interest, alt.religion.scientology. The evidence points to the "Church" of Scientology as being behind this massive, incessant, carpet bombing.

(* Vertical Spamming, for those who don't know, is when somebody posts a huge number of posts to a single newsgroup in a very short period of time. Its purpose is usually to shut the newsgroup down by making it useless to carry on any meaningful discussion.)

In the next few sections I'll outline what's currently happening and provide the evidence -- you make up your own mind who is behind the assault on the newsgroup, and its importance to you. No matter who is really behind it, it is a crisis that needs to be dealt with by everybody in the Usenet community because it concerns the important matter of freedom of expression. If we fail to understand the spam's long-term ramifications and fail to take the appropriate action, we seriously risk losing our freedom to express our thoughts and beliefs on Usenet. After all, if the massive spam succeeds to shut down one newsgroup in order to stifle critical discussion, then it will set a dangerous precedent and embolden other organizations and groups that likewise cannot tolerate open discussion to follow in the same path. We must prevent this. We must draw the line clearly in the sand -- now!

And after reading this, if you agree with my assessment of who is behind the spamming, and see the threat it poses to freedom of expression, one thing you can do right now is to sign (via e-mail) a statement of protest directed towards the "Church" of Scientology. It is a very easy yet effective way to express your opinion. Details for submitting your signature are given at the end of this post.
NOTE: I will NOT publicly release, nor send to the "Church" of Scientology, the names or e-mail addresses of those who sign, just tally the total count, verified by an independent third party, probably someone in the news media.

Please do consider signing the statement and ask others to do the same. I'd like to get 10,000 sigs, but 1000 would send a clear message to the "Church" of Scientology organization that their actions towards Usenet and the Internet are totally unacceptable to the Usenet community, and pose a serious threat to freedom of expression on the Internet. (Note that many of the participants of a.r.s. are former Scientologists who still want to practice the *religion* of Scientology, but free from the iron control of the current "Church" of Scientology organization -- thus one could strongly argue that their freedom of religion is also being hampered by the spam attack, so the issues go beyond freedom of expression.)

And do forward this post to anybody who may be interested, including the news media. One of the best solutions to this crisis is media attention.


THE SITUATION (as of 27 May 1996)
=================================

In the last week, there have been several thousand (and rapidly approaching 10,000!) short posts swamping the newsgroup alt.religion.scientology (a.r.s.) by a person or persons unknown. They are coming from several accounts, most of them forged or bogus, and when the account is closed by its site administrator based on complaints, the flood begins anew elsewhere. In at least one instance a mail-to-news gateway has been used, necessitating the administrator to close all posting to a.r.s. That one gateway has received, last we heard, 886 attempted posts by the spammer within a 28 hour period (which fortunately never reached their intended destination -- but thousands of others have.)

And at this moment, while you read this post, the spam continues unabated from new accounts.
Almost a thousand of the same type of post have been made to a.r.s. within the last 24 hours. There is no indication it will stop, and has actually stepped up the last two days as the spam is now coming from multiple sources.


THE EVIDENCE WHO MAY BE BEHIND THE ROBO-SPAMMING
================================================

It is unknown the person or persons who are behind this. However, the evidence strongly points to the "Church" of Scientology (CoS) as the culprit. Here is the evidence:

1) All the posts are supportive of Scientology, and each one is a short snippet taken from their copyrighted book "What is Scientology", which has also been placed on their Web site.

2) They all use a similar "boiler-plate" format, including a similar preamble: "Many falsehoods and inaccurate statements regarding several aspects of the religion of Scientology have been observed on ars..."

3) The use of semi-anonymous "throw-away" accounts somewhat follows the same pattern used recently to cancel posts containing portions of CoS' "secret" scriptures, and which used the boiler-plate statement "Cancelled due to copyright infringement" as the justification for the clearly illegal cancels.

4) Most of the materials being spammed have a prominent CoS copyright notice. Since CoS has shown by their actions within the last year to be very sensitive to unauthorized recopying of their materials, their silence on what is now happening is clear tacit approval of the massive spamming now taking place. In essence, by their inaction to do or say anything to stop the spam, they are thus tacitly *authorizing* the spam attack, whether they instigated it or not (though I believe they did).

5) In the last 1.5 years, internal documents from CoS have been revealed detailing such a plan to overwhelm the newsgroup alt.religion.scientology with their own posts. CoS has not disavowed or refuted these documents.
They are in the file 'spamplan.txt', which can be downloaded via anonymous ftp from ftp.netcom.com /pub/no/noring/spamplan.txt, or in URL form: ftp://ftp.netcom.com/pub/no/noring/spamplan.txt

6) A recent post, supposedly based on intelligence information from inside CoS, but so far unverified, stated that the spam is part of a Scientology program to so overwhelm the newsgroup 'alt.religion.scientology' with 'theta' (their term for 'safe' ideas) that it would be safe to allow loyal rank-and-file Scientologists to begin accessing the Internet, particularly their new Web site (up to now they've not been allowed to access the Internet because of the 'entheta', their term for 'unsafe' ideas.) Even if this turns out not to be one of the reasons for the spam attack, it is entirely plausible based on assessment by those who are knowledgeable with how the CoS organization thinks and operates.


THE RAMIFICATIONS TO USENET IF THIS CONTINUES UNSTOPPED
=======================================================

Already, discussion on a.r.s. has been affected, and if it continues without adjustment by the Usenet community, will seriously hamper the free exchange of ideas and viewpoints on that newsgroup.

The ramifications of this to all of Usenet as a whole is clear: if the spammers get away with this, then what will prevent other organizations from anonymously using the same tactic to squelch unfavorable discussion on other unmoderated newsgroups?

Thus, the Usenet community needs to be aware that the spam attack has grave ramifications to freedom of expression to Usenet above and beyond just the Scientology newsgroup. It should be considered as serious a threat to free expression as the Exon CDA. And in some ways it is even worse since it will also affect the integrity and viability of Usenet itself. It is very important that we get concerned and fight it any way we can. Get involved, even if you're a lurker or a new person on Usenet!


WHAT CAN BE DONE?
=================

There are several things that can be done to handle the crisis. Some of them are now being employed by concerned net citizens who are in a position to do so. However, for the reasons I'll give, they are not adequate enough, which makes this, in my opinion, a crisis. If you have other ideas for how to deal with this, do post them. Let's keep discussion level-headed and avoid silly ad hominem attacks and the like. This is a serious situation.

The following are listed in no particular order of importance. Consider it a partial list only.

1) IGNORE THE SPAM -- With most newsreaders, this is simply not a solution. When there are 1000 spam posts in 24 hours, like we saw today, the reader simply has trouble locating the discussion threads, no matter how sophisticated the newsreader. And if the reader doesn't locate the legitimate discussion, they will not contribute to any discussion, and poof, no more discussion. New subscribers to a.r.s., most of whom want to get all sides of the issue, won't even participate when they see the huge numbers of single-sided robo-posts with no discussion. And for those who must download all the posts before reading them (or even kill-filing them), the spam will most likely force the user to unsubscribe from and no longer participate in the newsgroup. Freedom of Expression has thus been curtailed because of the massive spam.

2) KILL FILES -- The usual reply to a problem like this is "kill files". However, it is clear that kill files will not work to prevent grave impact on the newsgroup because:

a) Many users today don't even have kill file capability (unix-based newsreaders are rapidly being pushed into the minority), and for those who do, only a fraction of them have the computer savvy necessary to implement it.
And for those who pay for their news one way or another, it becomes expensive for the kill file to do its thing (this is especially onerous for those who have to actually download all the posts, several megabytes per day, through their modem *before* they can even "kill file" them).

b) Kill files work by finding posts having certain identifiable attributes in the header or message body, such as the From: address -- but as the spam on a.r.s. shows, we've got a moving target that will resist kill files. Any organization with enough money can keep getting throw-away accounts that cannot be traced to the organization. They can also alter the wording to foil kill-files searching for words in the message body. Thus, those using kill files will continually see unwanted SPAM getting through their filters, requiring constant modification of their kill files, which means their kill files will get so unwieldy that they take longer to work effectively. The end result is that it may cause many to simply give up on the newsgroup rather than trying to fight the onslaught using kill files. It's like using a spray bottle to fight a raging forest fire.

And don't forget the new people in the future who will visit the newsgroup. Unless they are unusually motivated or knowledgeable, they will judge the newsgroup's purpose based on the content of the spam and not the real discussion. Thus kill files won't even be considered by them since from their reckoning the newsgroup's purpose has already been decided (and their kill files will be empty to start out!) Only those already established on the newsgroup will consider using kill files.

Thus, those who flippantly believe that kill files are adequate to solve the problem are being short-sighted and even selfish, and not considering the effect on new subscribers to the newsgroup. Free expression is destroyed when new subscribers turn away because of the spam.

3) MODERATION -- There are many who believe that a solution to a lot of problems on Usenet is to require all newsgroups to be moderated. The arguments for this are many, but few realize that moderation can have a profound stifling of free expression for certain subjects. It also puts the burden on moderators, who are now vulnerable to attack, and any organization which does not like discussion on a certain moderated newsgroup can put pressure on the moderator. This, of course, would be a threat to the free expression we now enjoy on Usenet. And it would take a while for moderation to be implemented even if the Usenet community decides now that it should be done.

4) HUNT DOWN THE SPAMMERS -- This is being done, and should continue to be done to make life miserable for the spammers, but at the bottom line it so far has not reduced, and certainly not eliminated, the spamming. The reason for this is that the spammers seem to have a virtually unlimited supply of new accounts. They are probably now acquiring new accounts as fast as they are being pulled. There is no reason why this can't go on for months or even indefinitely.

5) CANCEL THE SPAM POSTS -- This certainly should and is now being done. However, because we have a moving target, and thousands of posts, issuing cancels is not a trivial exercise. In addition, many sites don't honor cancels. And, finally, the spammer can simply overcome the cancels by continuing to repost over and over again as fast as the canceler can do its thing. The delay time between the arriving of a spam post and the effect of cancel will guarantee enough posts will hang around to clog up the newsgroup and render it nearly useless for discussion.

6) LAW-ENFORCEMENT/LEGAL ACTION -- This spamming is clearly a disruption of electronic data communications, and in the U.S. may be a Federal offense (if an organization is behind it, it could also be RICOable or lead to a class action lawsuit).
But the DoJ/FBI will not investigate this until enough ISP's themselves request it -- they've shown in prior complaints from individuals to not be very interested in investigating. And legal action cannot be taken until you get the conclusive evidence required to take the spammers to court. Even though we're sure who's behind the spam, it cannot easily be proven in court since you have to first find the real people behind the accounts (which is not easy, especially if they keep moving around -- it'd take the FBI to do this), and then when you find them, to connect them to any organization (this can also be very hard.)


CONCLUSION
==========

It is my opinion that the massive spamming on a.r.s. is a major threat to Usenet, and the Usenet community needs to be very concerned. The hopefully partial list of solutions I outlined above (do you have more ideas?) may not be adequate to stop the spam and protect a.r.s. from oblivion.

However, if we as a cyber community join together as one voice, we may be able to force a resolution in favor of freedom of expression for all. I offer one way in the next section by which you can raise your voice, and it is as easy as sending a blank e-mail message. Of course, I urge you to take other actions as well if you are in a position to do so. Become involved on alt.religion.scientology for starters! There's still good discussion taking place, though you'll have to wade through the huge piles of spam.


SIGN (via e-mail) A STATEMENT PROTESTING CoS SPAM!
==================================================

If you are now concerned by what's happening, I offer one way by which you can do something to show your concern. I've drafted a short statement protesting CoS spam which you can sign via e-mail if you agree with it. After a month or so, an independent third-party (maybe someone in the news media) will verify my tally of the signatures and the number will be posted, as well as sent to the news media and possibly even law enforcement.
Of course, CoS will see the tally of signatures since their intelligence organization continually monitors the Internet.

Here's the protest statement:

"We, the undersigned, looking at the evidence, have concluded that the Church of Scientology (or one of its many affiliated organizations) is officially behind the massive, highly disruptive and immoral spamming of the newsgroup 'alt.religion.scientology'. It is a serious and grave threat to freedom of expression on the Internet. We therefore call upon the Church of Scientology to immediately cease this action, to publicly disavow it, and to work with the Internet community to prevent this from reoccurring."

If you agree with this statement, send e-mail, no later than June 30, 1996, to:

*******************************
petition-1 at netcom.com
*******************************

Before sending a message to the above e-mail address, you MUST read ALL following "fine print". If you don't, your signature may be lost or I simply cannot or will not use it. Also, if you forward this post, please keep all the information (above and below) intact! If you fear retribution for your signature, please read item #8 below -- you have nothing to fear as your signature will be kept confidential.

1) This is NOT a vote. If you don't agree with the above statement, your only recourse is NOT to send e-mail to the above address. Or, to put it another way, sending an e-mail message to the above address, no matter what your views or what you say in the message, is an AUTOMATIC AGREEMENT with the statement. You have been forewarned.

2) Each reply sent to the above e-mail address will be authenticated by an automatic mailing back to you (it will also emphasize point 1 above). This is to prevent forged e-mail addresses being used to try to either inflate the tally or to discredit the signature gathering process.

3) Leave the e-mail message blank -- I won't read what you write anyway.
If you have a point to make, it is better you post it to the relevant Usenet newsgroups (and which I highly encourage -- the more public discussion on this matter, the better.)

4) Note that in the signature e-mail address the character after the '-' is a 'one' and not an 'ell'.

5) Your e-mail address will be extracted from the From: lines in the header block of your message. So be careful which account you use. It is recommended you avoid using any government and military accounts -- using your work account may also be unwise depending on your terms of agreement with your employer providing the account.

6) Please only sign once (but do ask your friends to also sign it!)

7) The e-mail address to send your signature "petition-1 at netcom.com" is NOT the same as my personal e-mail address. If you do send your agreement to my personal e-mail address it'll probably get lost. If you don't get an automatic reply within a few days of submitting your signature, it may mean your signature got lost. And if you try to sign by simply replying to this post in your newsreader without changing the To: line to the e-mail address "petition-1 at netcom.com", your reply will not be sent to the right place! In summary, be very careful which e-mail address you use -- it MUST be 'petition-1 at netcom.com' and not any other !!!!!

8) To protect those who do e-mail sign the statement, I will not post the list of e-mail signatures, nor will they be released to CoS nor any other party except the person who will independently verify the tally, who will be sworn to secrecy on the matter (if it is a person in the news media, they will be covered under Press protection). I will keep the signatures triply DES-encrypted on any media I store them on and the encrypted list will also be kept by another person I trust (but who will not have the decryption keys). I will only further reveal the names on the list if I receive a valid court order to do so.
The list will not be used for any junk-mail, though I may e-mail those on the list in the future should any *major* event occur related to Scientology activity that has grave and profound ramifications for the Internet, such as this spam attack.


--> AND DO ADD A LINK FROM YOUR WEB SITE TO THE SCIENTOLOGY CRITICS PAGES!
==========================================================================

There are many great sites on the Web that summarize the many attacks so far on the Internet community by CoS, most of them motivated, in my opinion, by a desire to suppress all discussion critical of them. These sites also talk about Scientology in general which makes for a very sobering "wake up" experience for those not familiar with this controversial organization.

The primary Web site describing the attack on the Internet is by Ron Newman:

http://www.cybercom.net/~rnewman/scientology/home.html

(You can also go to Scientology's official Web site from the above link, so you can read the other side of the issues -- CoS refuses to reciprocate, though.)

Also check out these other three Web sites which, in turn, have links to many Web sites which discuss Scientology from many perspectives:

http://home.pacific.net.sg/~marina/misc/arshtml.htm (great index)
http://www.ncf.carleton.ca/~av282/
http://www.demon.net/castle/x/clam/index.html

It is IMPORTANT if you do add a link to one or more of the above sites, or any other Scientology-related site, to inform me when you have done so. That way, at some future time, if the links change in any way, I can quickly contact you with updated information. Our goal is to get at least 10,000 links, and preferably 100,000, world-wide -- please help us -- link to one of the above sites today!


FINAL WORDS
===========

Hurry, please e-mail your signature to the protest statement right now! And be sure to send it to petition-1 at netcom.com, and NOT to my e-mail address as seen in my .sig below!

Thank you.

Jon Noring

--
OmniMedia Electronic Books | URL: http://www.awa.com/library/omnimedia
9671 S. 1600 West St.      | Anonymous FTP:
South Jordan, UT 84095     | ftp.awa.com /pub/softlock/pc/products/OmniMedia
801-253-4037               | E-mail: omnimedia at netcom.com
-------------------------------------------------------------------------------
Join the Electronic Books Mailing List (EBOOK-List) Today! Just send e-mail to majordomo at aros.net, and put the following line in the body of the message:
subscribe ebook-list

From markm at voicenet.com Tue May 28 20:13:24 1996
From: markm at voicenet.com (Mark M.)
Date: Wed, 29 May 1996 11:13:24 +0800
Subject: remail@c2.org Blocked From replay mail2news Gateway
In-Reply-To: <199605280420.GAA06863@basement.replay.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 28 May 1996, Anonymous wrote:

> It wasn't outgoing posts that I was worried about, so much as my
> replies that were being posted to alt.anonymous.messages via
> alpha.c2.org rather than being chained to me through e-mail. I
> wonder how much (if any) mail I may have lost. How long has this
> embargo been in effect?
>
> Is there any chance (pretty please) that the obviously non-forged
> mail from alpha.c2.org to alt.anonymous.messages, such as that with
> "nobody at c2.org" in the From: line, can be unblocked on a one-time
> basis, or have they already been consigned to the bit-bucket?

I think mail2news at anon.lcs.mit.edu and mail2news at myriad.alias.net accept anonymous messages.

- -- Mark

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm at voicenet.com              | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348
((2b) || !(2b))                 | Old key now used only for signatures
"The concept of normalcy is just a conspiracy of the majority" -me

From tcmay at got.net Tue May 28 20:16:04 1996
From: tcmay at got.net (Timothy C. May)
Date: Wed, 29 May 1996 11:16:04 +0800
Subject: Fairness, Justice, and Cypherpunks
Message-ID:

Several recent messages have raised issues about "ownership of information," "compilation of dossiers," and the (putative) imbalance between personal power and corporate power (which some think justifies denying corporations certain basic rights or Constitutional protections).

I'll try to make my points brief.

For those who think this has little to do with the Cypherpunks list, I disagree. Every day we see proposed laws which seek to create a "fairer" society but which actually do not (and cannot, using the violations of other basic rights such laws so often entail). We see on this very list calls for "Data Privacy Laws," and Europe's various data privacy laws are often held up as a model.

A couple of posters have also mentioned the seminal work of John Rawls, and his "Theory of Justice." I'll use this as a platform for my points, though it is only one of several viewpoints which say much the same thing.

To cut to the chase: When any law is proposed, think of how one would react to the law if in the shoes of others. How would one react if one were the "target" of the law?

(While Rawls posits a situation in which one is to imagine alternate universes in which one trades places with others, with "just" laws being those that the maximum number of people would accept in this ensemble of universes, the situation is not nearly so abstract as one might imagine. Namely, one can imagine becoming wealthy, or owning a business, or someday needing to speak controversial thoughts. A wise person thinks about these possible developments in his life and carefully asks himself if the laws he is thinking about supporting would be supported by himself should he become wealthy, own a business, or have controversial things to say.

Nietzsche said the most corrosive human sentiment is _envy_, and I think he was paralleling the later thoughts of Rawls, Nozick, Rand, and many others. It is interesting that one of the "British diseases" is intense class envy, with a desire to pull down those who have succeeded...ironic that Britain is a pioneer in "data privacy laws.")

Let's take the somewhat off-topic (for the list) case of "minimum wage laws." It casts a different light on the issue.

Many people talk about the "reasonableness" of insisting that employers give their employees a "fair" wage. But how can "fairness" ever be defined except in terms of what an employer is willing to pay and what an employee is willing to accept?

As a prospective employee, I may _wish_ that the State force employers to pay more than they are normally willing to pay for a job. But imagining myself as an employer, maybe a job is "worth" only $3.50 an hour to me, period. It just ain't worth more. In a free market, people can take it or leave it. It is not right that the government decide how much I must pay.

(There are related issues of job opportunities for young kids, which have been severely cut as "floor-sweeping" sorts of "starter jobs" (e.g., teens bagging groceries, day laborers picking up roadside trash, etc.) have been made uneconomical by minimum wage laws.
And when an employer is told to pay more than a job is worth to him, he may either automate the job or simply find ways not to do the job. But I'm concentrating on the "justice"-type issues, not various practical side effects, though these are real.)

As this relates to Rawls, I view all laws in terms of how I would react if they applied to _me_. This informs all of my analyses of laws. This is why I often say politically incorrect things about various forms of job discrimination.

For example, I view the laws saying that an employer cannot discharge an employee unless "adequate reason" is given. (Increasing numbers of states and locales have increasing numbers of restrictions on employers.) I imagine myself hiring a worker to do something, then, for various reasons, no longer wishing that worker to be at my house (maybe it's the bone through his nose, maybe it's her Mohawk haircut, maybe it's a chip on his shoulder, maybe I just don't like him, etc.). I picture the employee taking his "grievance" to the State, and collecting back wages plus penalties from me. Arggh! So much for freedom.

(I also like playing the "turn the tables" game in another related way. Various laws say that employers cannot get rid of employees except under certain circumstances. Shouldn't such laws apply the other way around? "I'm sorry Manuel, but I cannot let you leave this job to take that better job. Under the Fairness in Employment Act, you cannot leave this job unless you have justified your actions with the State Fairness in Employment Office.")

* Data Privacy Laws *

Closer to the CP themes, let's look at "data privacy laws." I mean the laws similar to what Europe has, not contractual arrangements made with data collectors.

(That is, we probably all agree that a doctor who sells patient medical data is wrongly selling this data, as there is either an implied contract (much as I hate this "implied" construct), a formal code of medical ethics (which may be what generates the implied contract), or an actual formal contract stating that the doctor will preserve the confidentiality of his patient's records.)

Here's the semi-Rawls interpretation:

* To the consumer, or private citizen, or ordinary person, such laws may initially sound good. It stops "dossiers" from being compiled (or so the theory goes...the reality, even in Britain, is quite different).

* But what if the citizen imagines himself on the _other end_ of such laws? (This is, as I said, a mental exercise when considering all proposed laws.)

Will I get a knock on the door and have the Data Privacy Enforcement Office demand to enter my home to inspect my computer files? Will they demand that I decrypt the encrypted files to ensure that no violations of the Data Privacy Act of 1998 have occurred?

(What happened to "secure in one's papers.." and "Congress shall make no law...free speech"? Or do such rights only apply to individuals and not groups (companies, clubs, etc.)? Sadly, such appears to be the case, with raids and random inspections of companies for various reasons. This is a worrisome development, the notion that if I have a business or company my rights go out the door. (And some crypto relevance is that such interpretations of rights could be used to say that whereas any single individual may have the right to use strong crypto, all groups, clubs, companies, partnerships, etc. must comply with government rules on crypto. The "regulate commerce" clause rides again.))

Will it become a crime to "remember" the public utterances of others?

(Me: "But in 1988 you said you were a supporter of Fidel Castro"

Him: "How dare you remember that information!...that information belongs to _me_, and I insist that you not repeat that illegally-remembered item to anyone, summarize it in any way, or sell it as part of any transaction without a formal release from me.")

Supporters of Data Privacy Laws may well say that the laws do not outlaw mere "remembrances." Well, in fact the U.K. laws _do_ effectively regulate such collections of utterances or other publicly-derivable facts by mandating that any data bases of names, dossiers (which are of course collections of facts attached to a name), and mailing lists be subject to regulations, be reported to the appropriate authorities, and that the subjects of dossiers be notified that a dossier exists on them.

(As might be imagined, this law is probably not very effective. But like many bad laws, it automatically makes a large number of people into de facto criminals. Of course, governments often like this situation...it increases leverage on those they wish to hassle.)

* Enforcement of Laws *

Another semi-Rawlsian way to look at laws is to imagine what might be needed to enforce particular laws and then ask if this is something one wants to see.

We do this a lot on this list with discussions of the outlawing of strong crypto. We realize that outlawing strong crypto would effectively require a kind of police state to enforce, with random searches of packets, with monitoring of communications, and with draconian penalties for the violators.

"A law which is not enforceable without a police state should not be a law."

Much of what we talk about on the list is oriented toward making such laws as "Data Privacy Laws" essentially unenforceable. Think of data havens, keeping "illegal mailing lists" in other countries, bypassing the Fair Credit Reporting Act by various stratagems, etc.

I'll leave it to those who have read this far to think about this issue in more detail.

* Last Thought *

Before supporting a law which "sounds fair," ask yourself how the law will be applied to those on the other side, and how you would feel if the law were to be applied to you.

While probably very few of us _like_ the thought that various people and organizations are taking our words and our actions and placing them in data bases or dossiers, think of the implications overall in banning or attempting to ban such actions.

(For one thing, the administrative overhead of complying with the laws would probably make hosting the CP list in the U.K. prohibitively time-consuming. Mailing lists are covered by the U.K.'s Data Privacy Laws, and the operators of a list site would have to fill out the appropriate paperwork, probably pay for a license, report regularly to the members of the list, etc. And those who _archive_ these lists (the hks archives, my own archives, your archives, etc.) are ipso facto, slam dunk violations of the European-style laws. Is this what is wanted? And does it make a difference?)

We should have very, very few laws. Laws about murder, rape, theft, etc. And most such laws pass the "Rawls test," of course.

(Another formulation of the Rawls sort of analysis is in terms of "rights as Schelling points," after the noted game theorist.)

Cypherpunks should not, in my strong belief, support "data fairness laws" or "anti-gossip laws." Put yourself in the shoes of someone affected by these kinds of laws.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May               | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA   | knowledge, reputations, information markets,
Licensed Ontologist          | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
From frantz at netcom.com Tue May 28 20:17:33 1996
From: frantz at netcom.com (Bill Frantz)
Date: Wed, 29 May 1996 11:17:33 +0800
Subject: Runtime info flow in Java
Message-ID: <199605282216.PAA15909@netcom7.netcom.com>

At 11:31 PM 5/24/96 -0400, E. ALLEN SMITH wrote:
>From: IN%"frantz at netcom.com" 24-MAY-1996 21:22:44.97
>>We can use certificates (ref: SPKI) to implement network capabilities.
>>These certificates make statements of the form: The holder of the secret
>>key which corresponds to this public key is permitted these specific forms
>>of access to this specific resource on this location (e.g. a URL). These
>>certificates can act like capabilities. They can be passed by creating a
>>new certificate for the receiver which gives it the privileges implied by
>>the old certificate. They can be rescinded in any of a number of ways.
>
> I suppose that the new certificate is created through a message
>signed by the old certificate's private key? Sounds like a good way to me.

When you want to pass a capability, you can either get a completely new certificate from the resource's system, or generate a (possibly temporary) transfer certificate that accompanies a copy of your certificate.

Bill

------------------------------------------------------------------------
Bill Frantz | The CDA means | Periwinkle -- Computer Consulting
(408)356-8506 | lost jobs and | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From EALLENSMITH at ocelot.Rutgers.EDU Tue May 28 20:29:41 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 29 May 1996 11:29:41 +0800
Subject: Quickremail v1.0b
Message-ID: <01I58Z8XIXP08Y50T6@mbcl.rutgers.edu>

From: IN%"matts at pi.se" "Matts Kallioniemi" 28-MAY-1996 06:08:28.40

>Why would anyone set up a remailer at Lance's (or Sameer's) machine?
>They have remailers running already.
If the thugs break root and obtain
>one remailer key from a machine, they probably get all the keys on that
>machine, compromising all the remailers in one single attack. Or am I
>missing something? Is there any benefit of multiple remailers on a machine
>where root is running his own remailer?

Well, the advantages are: A. I get Lance's help more quickly in setting up this one, so I can later go to other machines (preferably out of the country) and set things up the same way there (getting Mixmaster from an out-of-US source, of course); and B. supporting the efforts of Sameer, Lance, et al by paying them some money. While multiple ISPs are certainly preferable (to avoid one rubber-hose (e.g., law enforcement) breaking from getting everything), your argument assumes that all the machines at a given ISP are linked together such that if one is broken, the rest are - which isn't very good from a security standpoint, so I'd hope it _isn't_ the case.

>The vax pgp is available at
>ftp://ftp.net-connect.net/pub/cypherpunks/pgp/vaxpgp262.tar.Z

Thanks,
-Allen

From tcmay at got.net Tue May 28 20:30:09 1996
From: tcmay at got.net (Timothy C. May)
Date: Wed, 29 May 1996 11:30:09 +0800
Subject: Philosophy of information ownership
Message-ID:

At 7:38 PM 5/28/96, Bruce Baugh wrote:
>At 12:29 AM 5/28/96 -0700, Timothy C. May wrote:
>
>>Contracts are the key.
>
>Agreed. The more that can be explicitly spelled out about these matters, the
>better.
>
>A separate problem arises when the government compels the disclosure of
>information for one purpose - getting a driver's license, say - and then
>turns around and sells it to others. It's much harder to either negotiate a
>new contract or go to a competitor when the other party is a government.

And I agree, too. I can support "data privacy laws" when the government is the party affected by the laws.
(Though, being somewhat cynical and having seen many cases where governments conveniently exempted themselves from laws or simply ignored them, I am not hopeful that any data privacy laws will have the intended effect.)

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From sandfort at crl.com Tue May 28 20:37:09 1996
From: sandfort at crl.com (Sandy Sandfort)
Date: Wed, 29 May 1996 11:37:09 +0800
Subject: Fairness, Justice, and Cypherpunks
Message-ID: <2.2.32.19960528225501.00747668@popmail.crl.com>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SANDY SANDFORT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

C'punks,

At 01:55 PM 5/28/96 -0700, Timothy C. May wrote a thoughtful disquisition on privacy laws and concluded:

>Cypherpunks should not, in my strong belief, support "data
>fairness laws" or "anti-gossip laws."

To which I would add: Cypherpunks has never been about laws at all, except in the subversive sense. It has been the oft stated goal of Cypherpunks to protect privacy through the use of technology, *irrespective* of what laws say. Cypherpunks who don't want powerful corporations to invade their privacy should be working on better privacy technology instead of trying to dance with the devil.

S a n d y

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From tcmay at got.net Tue May 28 20:40:55 1996
From: tcmay at got.net (Timothy C.
May)
Date: Wed, 29 May 1996 11:40:55 +0800
Subject: Philosophy of information ownership
Message-ID:

At 7:38 PM 5/28/96, Bruce Baugh wrote:

>In many cases, sure it is. I can't see how giving you the information to
>establish that I can pay a bill I owe you should be in any sense treated as
>a license to do anything else with that info. A great many transactions are
>finite, and ought not have lingering implications or side deals dangling off
>the end.

Most lenders are interested in these things:

* past history of paying bills, especially for monthly bills such as VISA (and when one applies for and accepts a VISA card, it is explicitly made clear that repayment/delinquency information will be reported to credit agencies...most people of course _want_ this information reported, as this is largely what "establishing a credit history" is all about).

* lenders for larger items, such as cars and houses, will want collateral and some evidence that the monthly repayment amounts are achievable (even if a loan is secured by a car, for example, it makes no sense for them to lend money to an unemployed 18-year-old and then have to spend money and time retrieving the car, etc.)

* other factors which have historically affected loan repayment probabilities, such as age, sex, ethnic group, religion, educational background, etc. (Note: Some of these criteria are of course no longer legal to officially use, even if their strong and clear correlations.)

Note that "credit" is not a right. Credit, like insurance, is a kind of "bet" a lender is making. A bet that he will get his principal back, with interest. To help him make this bet, people offer evidence of past good faith in loans, and choose to reveal their current salaries, ownership of other assets, etc. In no way is this coerced. Anyone is free to eschew credit, avoid borrowing money, and pay with cash or checks for all purchases.

>In the long run, this is where anonymous payments come in. In the meantime,
>I muddle on as best I can.
No, anonymous payments have very little to do with credit. See above.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From hfinney at shell.portal.com Tue May 28 20:54:37 1996
From: hfinney at shell.portal.com (Hal)
Date: Wed, 29 May 1996 11:54:37 +0800
Subject: Remailer chain length?
Message-ID: <199605282223.PAA14079@jobe.shell.portal.com>

From: Jim Choate
> > From: "Mark M."
> > And besides, the more remailers there are, the
> > more difficult it is to do traffic analysis on remailer traffic. Actually,
> > it's the more remailers people chain messages through, but there are software
> > packages that can do this easily. The more remailers there are, the longer
> > remailer chains have the possibility of becoming.
>
> If this is strictly true, why not simply run several instances of a remailer
> on the same machine. Then randomly chain them prior to sending them off
> site.

Or better still, run one remailer on the machine, and use it multiple times in the chain. It seems to me that one remailer on a machine is better than several because it will allow more mixing of messages. If two messages enter a machine and later leave, it may be possible to distinguish them if they went to different remailers and left with different From: addresses (or other header fields) as a result. If they had both gone to the same remailer it would be harder to tell them apart.
I understand that there may be political reasons to have the machine owner and remailer operator be separate (although AFAIK the reasoning behind this is untested), but technically it seems better to have one remailer per machine based on traffic analysis issues.

Hal

From frantz at netcom.com Tue May 28 21:20:41 1996
From: frantz at netcom.com (Bill Frantz)
Date: Wed, 29 May 1996 12:20:41 +0800
Subject: Philosophy of information ownership [ Re: Children's Privacy Act ]
Message-ID: <199605282216.PAA16023@netcom7.netcom.com>

At 09:24 AM 5/27/96 -0500, Mike McNally wrote:
>What if I just *see* your couch, and then back in my garage I use my
>couch replicator to make a couch just like yours, complete with fuzzballs
>and loose change between the cushions? Now I have your couch, in a sense.
>Are you still upset?

If the couch design is copyrighted, you have just violated the copyright :-).

------------------------------------------------------------------------
Bill Frantz | The CDA means | Periwinkle -- Computer Consulting
(408)356-8506 | lost jobs and | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From EALLENSMITH at ocelot.Rutgers.EDU Tue May 28 21:33:43 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 29 May 1996 12:33:43 +0800
Subject: Remailers - What exists?
Message-ID: <01I58Z1TPRZY8Y50T6@mbcl.rutgers.edu>

From: IN%"stewarts at ix.netcom.com" "Bill Stewart" 28-MAY-1996 05:27:38.19

>It helps a lot to have an account that isn't your main email
>account, because it's going to get lots of junk in it
>that you want to discard most of, so you'd be better
>off without your real mail going there, unless you're
>a procmail wizard.

A related question is about the cover traffic generators. With those, I've gathered you've got the two choices of loops and nowhere-ending chains (e.g., directing it to "nobody" on most systems).
If it's done using a loop, is there any way for a procmail script to determine that and toss them into /dev/null?

>Mixmaster-style remailers are more secure than vanilla ones,
>but of course you need to use the Mixmaster client software
>to use them, which could be a problem if you're a DOS or Mac user.

Or a VAX/VMS user; there are, I have been informed, enough UNIX-specific system calls in Mixmaster that porting it isn't a trivial task.

>- ability to mess with the sendmail logs
>- ability to tell the backup software not to back up your
> spool directory (which would be Really Bad, especially
> if your computer provider keeps backups forever.)
> The alternative is to put it under /tmp somewhere,
> and just make sure it recovers if too much stuff gets
> deleted by regular daemons.

What mechanisms are available to make sure it will recover if /tmp gets deleted? I suspect also that many ISPs might be quite willing not to bother backing up some directory or another - it saves them time and space.

Thanks,
-Allen

From proff at suburbia.net Tue May 28 21:44:54 1996
From: proff at suburbia.net (Julian Assange)
Date: Wed, 29 May 1996 12:44:54 +0800
Subject: Tempest Info
In-Reply-To: <9605281908.AA00554@ch1d157nwk>
Message-ID: <199605282356.JAA29834@suburbia.net>

>
> Bill Stewart writes:
> > Also, of course, your electrical power system needs to be
> > shielded and filtered, so only 60Hz gets through, unless you
> > plan to stick to laptops and bring in spare battery packs.
>
> At HoHoCon a few years ago, someone did a tempest demo and mentioned that
> signals could be recovered from water pipes! Fire sprinkler systems were
> specifically mentioned...

Water pipes often form the earth line. If only 60hz (US) can get through the power cables then only 60 hz can get into the water pipes (I'll ignore re-radiating, because water pipes are the least of your problems there).
--
"Of all tyrannies a tyranny sincerely exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end, for they do so with the approval of their own conscience." - C.S. Lewis, _God in the Dock_
+---------------------+--------------------+----------------------------------+
|Julian Assange RSO | PO Box 2031 BARKER | Secret Analytic Guy Union |
|proff at suburbia.net | VIC 3122 AUSTRALIA | finger for PGP key hash ID = |
|proff at gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+---------------------+--------------------+----------------------------------+

From frantz at netcom.com Tue May 28 21:56:02 1996
From: frantz at netcom.com (Bill Frantz)
Date: Wed, 29 May 1996 12:56:02 +0800
Subject: Clipper III analysis
Message-ID: <199605290034.RAA26908@netcom7.netcom.com>

At 4:11 PM 5/28/96 -0400, Carl Ellison wrote:
>There were a number of flaws in that paper, but perhaps the most glaring to
>me is that there are actually 3 classes of key:
>
>the two you mentioned:
> communications key
> storage key
>and
> signature key
>
>Of these, you want key recovery *only* for storage keys. You want to make
>sure no one can get to your signature key. Even the IWG paper notes that.
>But the only use for a PKI of any form is for a signature key. Once you
>have your identity established somehow for a signature key, you can
>generate and sign comm or storage keys at will. Furthermore, if you lose a
>signature key, there's no big loss. You generate a new one and get a new
>cert for it. So there's *NEVER* a reason for key recovery for a signature
>key -- the only keys for which there is a need for a PKI.

Carl is right. They want to GAK all keys including signature keys.
Now think, to whom in your life are you willing to grant unlimited power of attorney? Your spouse? Your lawyer? Your banker? Your employer? Your government?

Giving away your signature key is worse. Not only can any key holder act FOR you, he can act AS you. "We've got you cold perp. You signed this child porn that was posted to alt.binary.etc. You can make your calls from jail." Who needs entrapment.

------------------------------------------------------------------------
Bill Frantz | The CDA means | Periwinkle -- Computer Consulting
(408)356-8506 | lost jobs and | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From tcmay at got.net Tue May 28 23:13:00 1996
From: tcmay at got.net (Timothy C. May)
Date: Wed, 29 May 1996 14:13:00 +0800
Subject: Clipper III analysis
Message-ID:

At 12:37 AM 5/29/96, Bill Frantz wrote:

>Carl is right. They want to GAK all keys including signature keys. Now
>think, to whom in your life are you willing to grant unlimited power of
>attorney? Your spouse? Your lawyer? Your banker? Your employer? Your
>government?
>
>Giving away your signature key is worse. Not only can any key holder act
>FOR you, he can act AS you. "We've got you cold perp. You signed this
>child porn that was posted to alt.binary.etc. You can make your calls from
>jail." Who needs entrapment.

But, though things have gotten pretty bad these last 40 years, there are still courts, expert witnesses, and standards for signature verification. Experts are called upon to give testimony about the likelihood that a signature is that of the person claimed (by one side or the other). Though there have been few tests of digital signatures that I know of (I think Utah has a law...), this government access to identities (GAI) will throw a spanner in efforts to get digital signatures widely accepted.
Once it gets shown in open court that Joe Blow can claim he did not sign a document and the government will have to admit that this is a possibility, and admits that anyone in government with access to the escrowed data base could have done the signing....well, digital signatures will lose much of their value immediately.

Inasmuch as unforgeable digital signatures are critical for electronic commerce, a fact even Clinton cannot ignore, I expect this weakness to help sink Clipper III.

As Carl noted, Cypherpunk Deep Cover Agent Micali has been doing a good job in planting logic bombs in these schemes...I urge we approve his bonus.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From alano at teleport.com Tue May 28 23:14:22 1996
From: alano at teleport.com (Alan Olsen)
Date: Wed, 29 May 1996 14:14:22 +0800
Subject: Philosophy of information ownership
Message-ID: <2.2.32.19960529023715.00b0a30c@mail.teleport.com>

At 12:38 PM 5/28/96 -0700, Bruce Baugh wrote:

>A separate problem arises when the government compels the disclosure of
>information for one purpose - getting a driver's license, say - and then
>turns around and sells it to others. It's much harder to either negotiate a
>new contract or go to a competitor when the other party is a government.

This is a problem in Oregon. The database of drivers licences and registered automobiles is sold openly by the state. (You can also order a copy on CD-ROM from a company based in Oregon as well...)
As far as I know, there is no way to opt out of having your name sold to marketing firms. These records are routinely purchased by mail order houses for resale to clients all over the country. The cost is pretty minimal (under $200) and you have to provide the media (usually two 9-track tapes). The database includes current address, vehicle licence number and the type of car that you own (among other things).

The only way to not be on the list is to not have ID. Not viable in today's society.

---
|Coors - For people who don't want to think about what they are drinking.|
|"The moral PGP Diffie taught Zimmermann unites all| Disclaimer: |
| mankind free in one-key-steganography-privacy!" | Ignore the man |
|`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.|
| http://www.teleport.com/~alano/ | alano at teleport.com |

From bruce at aracnet.com Tue May 28 23:19:06 1996
From: bruce at aracnet.com (Bruce Baugh)
Date: Wed, 29 May 1996 14:19:06 +0800
Subject: Philosophy of information ownership
Message-ID: <2.2.32.19960529005251.006cd984@mail.aracnet.com>

At 09:25 AM 5/28/96 -0700, Sandy Sandfort wrote:

>that our privacy will be maintained. Generally, it is
>incumbent upon us--not others--to secure our own privacy.

I'm in complete agreement here, and I'm willing to drop the thread here - I don't think I have much else to add.

--
Bruce Baugh
bruce at aracnet.com
http://www.aracnet.com/~bruce

From tcmay at got.net Wed May 29 00:47:59 1996
From: tcmay at got.net (Timothy C. May)
Date: Wed, 29 May 1996 15:47:59 +0800
Subject: Philosophy of information ownership
Message-ID:

At 2:37 AM 5/29/96, Alan Olsen wrote:
>At 12:38 PM 5/28/96 -0700, Bruce Baugh wrote:
>
>>A separate problem arises when the government compels the disclosure of
>>information for one purpose - getting a driver's license, say - and then
>>turns around and sells it to others. It's much harder to either negotiate a
>>new contract or go to a competitor when the other party is a government.
>
>This is a problem in Oregon. The database of drivers licences and
>registered automobiles is sold openly by the state. (You can also order a
>copy on CD-ROM from a company based in Oregon as well...) As far as I know,
>there is no way to opt out of having your name sold to marketing firms.
>These records are routinely purchased by mail order houses for resale to
>clients all over the country. The cost is pretty minimal (under $200) and
>you have to provide the media (usually two 9-track tapes). The database
>includes current address, vehicle licence number and the type of car that
>you own (among other things).

As I said, I favor "data privacy laws" when they deal with government use of mandatory data (but not in the case of illegalizing the mere "remembering" of data obtained non-coercively).

The problem has been made worse by "revenue enhancement" policies by various governmental agencies. Local and regional governments have discovered they can make a few extra bucks by selling data bases they acquired through government power.

Here in California there are restrictions on DL records, following the use of DL records to allow a guy to track down an actress, Rebecca Schaeffer, and then kill her. (But this doesn't stop such abuses. A couple of years ago I obtained the NLETS (National Law Enforcement Telecommunications System) printout for the extremely reclusive and unseen-since-1957 author Thomas Pynchon. He lived a few miles from me, in Aptos, on an old logging road.)

The problem of government records being "open to the public" of course is a two-edged sword. We want government to not operate in secret on the one hand, but we are naturally horrified when it is possible to go to the right office of government and look at lists of all the women who received abortions in county hospitals.

I place no faith in government to protect my privacy.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From stewarts at ix.netcom.com Wed May 29 01:13:16 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Wed, 29 May 1996 16:13:16 +0800
Subject: Tempest Info [ELECTRICAL NOISE]
Message-ID: <199605290454.VAA11416@toad.com>

At 02:08 PM 5/28/96 -0500, Andrew Loewenstern wrote:
>Bill Stewart writes:
>> Also, of course, your electrical power system needs to be
>> shielded and filtered, so only 60Hz gets through, unless you
>> plan to stick to laptops and bring in spare battery packs.
>At HoHoCon a few years ago, someone did a tempest demo and mentioned that
>signals could be recovered from water pipes! Fire sprinkler systems were
>specifically mentioned...

Yup. When you're installing a shielded room with waterpipes, it's best to use a chunk of plastic pipe just outside the shieldwall, and you need to make sure the plumbers use teflon tape instead of pipe dope (unless it was the other way around; it's been a while.)

>There's a lot of different avenues for your emanations to be recovered, some
>you may not have thought of. Like crypto, tempest is economics.

And like crypto, there are lots of diddly little things you've got to check to make sure you've done _all_ of them correctly. Unlike crypto, however, it's generally easy to find out if you've made a mistake; big mistakes peg your test meter, little ones require you to wave the meter around everywhere and watch for little motions.
Also unlike crypto, little mistakes generally won't lose the whole game for you; if somebody's got to watch for six months to accumulate enough leaked electrons to find out the Secret Plans, and you haven't noticed the black van with all the antennas parked out in your parking lot by then, you've got far more serious troubles than just a few stray electrons :-)

You may also notice that you can't park your black antenna-van too near the Pentagon. It's not just because they think you're hauling fertilizer; electromagnetic emanations follow this nice square-law that means that a few hundred meters of extra distance makes it _much_ harder to detect the signal you're looking for, as well as mushing it together with all the other stray signals from the building.

# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus inoculation

From ses at tipper.oit.unc.edu Wed May 29 01:40:36 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Wed, 29 May 1996 16:40:36 +0800
Subject: [crypto] crypto-protocols for trading card games
Message-ID:

Here's an interesting problem:

In the not too distant past there was a fad for collectible trading card games, the most famous of which was Magic, The Gathering (tm). These games combined the collecting and trading of baseball cards with traditional aspects of card playing.

Cards were issued by a central authority/publisher (Wizards of the Coast in the case of MtG). Each player uses his or her own deck; cards that are not played remain secret; however the same deck must be used in each round of a match. Tournament games are adjudicated by an umpire.
Design a set of crypto protocols to support the issuing, trading, and playing of such card games in real time (100ms compute time per move)

Simon

From grafolog at netcom.com Wed May 29 02:47:22 1996
From: grafolog at netcom.com (jonathon)
Date: Wed, 29 May 1996 17:47:22 +0800
Subject: Clipper III analysis
In-Reply-To:
Message-ID:

Tim:

On Tue, 28 May 1996, Timothy C. May wrote:

> document and the government will have to admit that this is a possibility,
> and admits that anyone in government with access to the escrowed data base
> could have done the signing....well, digital signatures will lose much of
> their value immediately.

A good Questioned Document Examiner will be able to demonstrate that the signed document in question was not authored by Joe Blow, even if it contains his digital signature.

Of course, the question becomes one of whether or not Joe Blow can afford the $5K he will be charged, to prove his innocence.

xan

jonathon
grafolog at netcom.com

**********************************************************************
* *
* Opinions expressed don't necessarily reflect my own views. *
* *
* There is no way that they can be construed to represent *
* any organization's views. *
* *
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* *
* http://members.tripod.com/~graphology/index.html *
* *
***********************************************************************

From cme at clark.net Wed May 29 02:47:42 1996
From: cme at clark.net (Carl Ellison)
Date: Wed, 29 May 1996 17:47:42 +0800
Subject: Clipper III analysis
Message-ID: <199605290626.CAA24463@clark.net>

>Date: Tue, 28 May 1996 17:37:05 -0700
>From: frantz at netcom.com (Bill Frantz)
>Subject: Re: Clipper III analysis
> They want to GAK all keys including signature keys. Now
>think, to whom in your life are you willing to grant unlimited power of
>attorney? Your spouse? Your lawyer? Your banker? Your employer? Your
>government?

Almost.
Actually, they mention at one point that they don't want to GAK the signature keys, but it's almost an afterthought.

The thing I find peculiar is that they want GAK through access to private keys in a PKI, ala Micali or Banker's Trust, but the only keys which need to be in a PKI are signature keys -- ones even they admit should not be recovered.

Can you spell "empty intersection", boys and girls? :)

Mighty clever of the cryptographer who started them down this path.

- Carl

+--------------------------------------------------------------------------+
|Carl M. Ellison cme at acm.org http://www.clark.net/pub/cme |
|PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2 |
| ``Officer, officer, arrest that man! He's whistling a dirty song.'' |
+---------------------------------------------- Jean Ellison (aka Mother) -+

From youssefy at ucla.edu Wed May 29 03:19:18 1996
From: youssefy at ucla.edu (kashi)
Date: Wed, 29 May 1996 18:19:18 +0800
Subject: [Fwd: --> CRISIS on USENET -- SIGN THE PROTEST STATEMENT VIA E-MAIL]
Message-ID: <2.2.32.19960529062105.0070a4b8@pop.ben2.ucla.edu>

At 11:52 AM 5/28/96 +0000, you wrote:
>This is a post from Jon Noring (noring at netcom.com) about the recent
>spamming of alt.religion.scientology. I thought he summed the
>situation up very well.

Why don't we get together an organized spamming of the CoC's servers? Let's give them a taste of their medicine! I bet that we can make their servers crash before they know what hit them!

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 29 04:04:40 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E.
ALLEN SMITH)
Date: Wed, 29 May 1996 19:04:40 +0800
Subject: Philosophy of information ownership
Message-ID: <01I59H7KD7P48Y5191@mbcl.rutgers.edu>

From: IN%"bruce at aracnet.com" "Bruce Baugh" 28-MAY-1996 18:50:34.36

>A separate problem arises when the government compels the disclosure of
>information for one purpose - getting a driver's license, say - and then
>turns around and sells it to others. It's much harder to either negotiate a
>new contract or go to a competitor when the other party is a government.

Quite. A related problem is when the government generates some information attached to you - the most obvious case being a social security number. Should a private company (e.g., a credit bureau) be allowed to make use of such? On the one hand, it would definitely limit companies not to be able to... on the other hand, you were coerced into having that information attached to you. One option is to have multiple possible SSNs for each person, but that gets into the problem of the credit bureaus, etcetera, may not deal with people who use a new SSN. It's their choice... but they're only able to make that choice because of governmental interference.

-Allen

From lyalc at ozemail.com.au Wed May 29 04:54:22 1996
From: lyalc at ozemail.com.au (Lyal Collins)
Date: Wed, 29 May 1996 19:54:22 +0800
Subject: Tempest Info
In-Reply-To: <199605282356.JAA29834@suburbia.net>
Message-ID: <31AD02EB.5BF5@ozemail.com.au>

Julian Assange wrote:
>
> >
> > Bill Stewart writes:
> > > Also, of course, your electrical power system needs to be
> > > shielded and filtered, so only 60Hz gets through, unless you
> > > plan to stick to laptops and bring in spare battery packs.
> >
> > At HoHoCon a few years ago, someone did a tempest demo and mentioned that
> > signals could be recovered from water pipes! Fire sprinkler systems were
> > specifically mentioned...
>
> Water pipes often form the earth line.
> If only 60hz (US) can get through
> the power cables then only 60 hz can get into the water pipes (I'll ignore
> re-radiating, because water pipes are the least of your problems there).

As the water pipe can form a signal "drain", monitoring that with respect to an artificial reference "earth" allows the signal(s) to be recovered, unless the waterpipe is of very low impedance.

lyal
--
All mistakes in this message belong to me - you should not use them!

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 29 04:54:59 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 29 May 1996 19:54:59 +0800
Subject: Remailer chain length?
Message-ID: <01I59JCT7T2Q8Y5191@mbcl.rutgers.edu>

From: IN%"hfinney at shell.portal.com" "Hal" 28-MAY-1996 21:35:03.17

>Or better still, run one remailer on the machine, and use it multiple
>times in the chain. It seems to me that one remailer on a machine is
>better than several because it will allow more mixing of messages. If
>two messages enter a machine and later leave, it may be possible to
>distinguish them if they went to different remailers and left with
>different From: addresses (or other header fields) as a result. If they
>had both gone to the same remailer it would be harder to tell them
>apart.

But you could get a massive amount of mixing of messages, by this logic, simply by having 1 gigantic remailer. It'd have a vast traffic flow and could do a lot of latency, etcetera. But this also means that whoever runs it can trace everything - and whoever breaks into it can trace everything. While multiple remailers on the same machine isn't ideal for this purpose (if root is cracked, they all are cracked), it's better for this aspect than 1 remailer; root can be assumed to be harder to crack than a non-root-account remailer.
Moreover, this is assuming one machine, or an interlinked group of machines set up such that there is one root account for all of them; separating the remailers into machines with different roots would help. The rubber-hose attack on the sysadmin is still a problem, though.

-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Wed May 29 05:14:30 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 29 May 1996 20:14:30 +0800
Subject: [Fwd: --> CRISIS on USENET -- SIGN THE PROTEST STATEMENT VIAE-MAIL]
Message-ID: <01I59HR1QWW68Y5191@mbcl.rutgers.edu>

From: IN%"richieb at teleport.com" "Rich Burroughs" 28-MAY-1996 19:12:55.39

>In the last week, there have been several thousand (and rapidly approaching
>10,000!) short posts swamping the newsgroup alt.religion.scientology (a.r.s.)
>by a person or persons unknown. They are coming from several accounts, most
>of them forged or bogus, and when the account is closed by its site
>administrator based on complaints, the flood begins anew elsewhere. In at
>least one instance a mail-to-news gateway has been used, necessitating the
>administrator to close all posting to a.r.s. That one gateway has received,
>last we heard, 886 attempted posts by the spammer within a 28 hour period
>(which fortunately never reached their intended destination -- but thousands
>of others have.)

>3) The use of semi-anonymous "throw-away" accounts somewhat follows the same
> pattern used recently to cancel posts containing portions of CoS' "secret"
> scriptures, and which used the boiler-plate statement "Cancelled due to
> copyright infringement" as the justification for the clearly illegal
> cancels.

> b) Kill files work by finding posts having certain identifiable attributes
> in the header or message body, such as the From: address -- but as the
> spam on a.r.s. shows, we've got a moving target that will resist kill
> files.
> Any organization with enough money can keep getting throw-away
> accounts that cannot be traced to the organization. They can also alter

I am curious as to what systems these throw-away accounts are on; they would appear to be good output systems for ephemeral remailer endpoints. Admittedly, I suspect that this will take ecash remailers unless they're all through systems like aol.com that accept credit cards with inadequate verification (from what I know, check digit(s) only).

-Allen

From fletch at ain.bls.com Wed May 29 05:38:47 1996
From: fletch at ain.bls.com (Mike Fletcher)
Date: Wed, 29 May 1996 20:38:47 +0800
Subject: [crypto] crypto-protocols for trading card games
In-Reply-To:
Message-ID: <9605290634.AA09375@outland.ain_dev>

> In the not too distant past there was a fad for collectible trading card
> games, the most famous of which was Magic, The Gathering (tm). These

Oy, don't mention that name. I spent waaay too much money on cards (Ah, my foolish youth. Anyone want to buy a slightly used Chaos Orb? :).

> games combined the collecting and trading of baseball cards with traditional
> aspects of card playing. Cards were issued by a central
> authority/publisher (Wizards of the Coast in the case of MtG). Each
> player uses his or her own deck; cards that are not played remain secret;
> however the same deck must be used in each round of a match. tournament
> games are adjudicated by an umpire.
>
> Design a set of crypto protocols to support the issuing, trading, and
> playing of such card games in real time (100ms compute time per move)

Well, here goes nothing for the playing part:

Each player should submit a signed copy of their deck (i.e. a listing of all the cards therein) to the umpire (if you don't want even the umpire seeing the deck contents until afterwards, make them submit a bit-committed symmetric key and encrypt the deck manifest with it). Each individual card in the deck should have a unique identifier which should be noted on the manifest.
Identifiers wouldn't need to be sequential (in fact they might leak info to the opponent if they were), but duplicates of the same card should each have its own id. Depending on how you want to run things, you could allow (and probably should require) players to submit a new ID->card list before each round begins.

So my deck might look like:

ID      Card
--------------------
309487  Prodigal Sorcerer
008461  Land (Plains)
663542  Land (Forest)
....

Before each round, opponents would exchange lists of card IDs. Whenever a player needs to "draw", the other player takes an ID at random off the list of IDs (and marks it as "used").

At the end of each round the players submit a transcript of the game to the umpire who then checks that all the cards played were in the decks, that no duplicates of the same id/card were used, or changes of cards (i.e. ID 440315 was supposed to be a "Zombie" but the owning player said it was a "Yawgmoth's Daemon").

If you want to do away with the umpire (for casual play between two people), have opponents swap the encrypted deck manifest and bit commit to key used. Afterwards they can double check for cheating themselves.

Something you might want to allow is letting a player include extra IDs which map to "no card, pick again". This would allow players to disguise the exact size of their deck (although this would only allow for puffing up a deck, not making it appear smaller).

As for issuing and trading cards, maybe store cards as signed certificates (something along the lines of "card name & serial number" signed by the owner, then by the issuer). This would make trading a bit of a problem as you couldn't give the card away without the issuer (Online clearing for Magic cards? :). And there's the problem of how do you tell who actually owns the card (if the issuer keeps a list of serial number->owners that might work, but again that needs online clearing).
I missed all the discussion on digital bearer bonds a while back, but something like that might could be applied here.

Don't know if that's what you were looking for, but it's all I can think of at this late hour and I'm sure someone will shoot holes all through it anyhow. :) What do you think, sirs?

---
Fletch                                                      __`'/|
fletch at ain.bls.com  "Lisa, in this house we obey the      \ o.O'   ______
404 713-0414(w)        Laws of Thermodynamics!" H. Simpson  =(___)= -| Ack. |
404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43   U      ------

From nobody at REPLAY.COM Wed May 29 06:41:04 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Wed, 29 May 1996 21:41:04 +0800
Subject: Internet traffic is monitored.
Message-ID: <199605290937.LAA16955@basement.replay.com>

Date: Tue, 28 May 1996 10:03:11 -0700
X-Sender: bstout at osc.hidata.com
To: Firewalls at GreatCircle.COM, Return requested
From: Bill Stout
Subject: Re: Encryption Technology
Sender: firewalls-owner at GreatCircle.COM

At 09:05 PM 5/22/96 -0700, Michael Dillon wrote:
>...
>RTFM
>

On the Encryption note, and I swear not along the lines of the 'DOJ' and 'FBI Snooping' Big-Brother events, I heard another story recently.

# begin story
A person working on the MBONE project did an unannounced experiment across the internet using Triple-DES for MBONE, and the very next day, 'ATF' agents knocked on his door and warned him against exporting munitions. The experimenter was shaken by the fact that agents approached him so quickly after the experiment.
# end story

Extrapolations of fact:
 1. Internet traffic is monitored.
 2. The ability to snoop for encrypted traffic is present
 3. The ability to identify encryption levels is present
    (How else can they differentiate DES-1 from DES-3?)
 4. The ability to crack DES-1 in near real-time mode is present.
    (See above).
 5. If above=true, then Feds dropping the Zimmerman PGP case probably
    also points to it also being crackable in a similar manner.
 6.
    Using encryption only flags traffic for capture and decryption,
    using strong encryption makes you all that more interesting.

Sorry, couldn't resist. I'll try not to start threads about electro-plasma propulsion craft at Area 51, metallic-ceramic skin and pulse-jets on the Aurora spy plane, heat-imaging video cameras on satellites and planes that can watch you through your house's roof, etc. :)

Bill

From 1b2herma at nun.iut2-grenoble.fr Wed May 29 09:35:50 1996
From: 1b2herma at nun.iut2-grenoble.fr (  Toth)
Date: Thu, 30 May 1996 00:35:50 +0800
Subject: RSA breaking
Message-ID: <199605291221.OAA32353@nun.iut2-grenoble.fr>

First I want to apologize: I'm French, my English is pretty good, but if there's some things you don't understand, don't hesitate to ask me further explanations.

I'm studying computing. I've studied the RSA encryption system, I know that PGP is based on RSA and I know that you give full confidence to PGP. As I and another student, have calculated, an RSA public key of a hundred numbers can't be broken with a software by the force method.(You all know that, sorry to say evidences :) )

But, cause there is a but, it can be broken by an hardware system. Gimme the money, I'll break it, a simple algorithm can be "hardwarly programmed" and with very high-tech components, the speed it can have is enough to break an RSA key.

It's for me an evidence that your government has already done it, and that your dreams of privacy are maybe a good joke for some bureaucratists of the Pentagon. Of course it (would) take a little time, but as soon as they have your key, it's real time for them to decrypt.

One constant thing in the RSA code is that it is always faster to find a key than to break it, that's why I suggest that you find a system of Russian dolls encryption with PGP that would crypt a message a lot of times.
For studying computing, I know that is time to decrypt a message with the key is so small, that even if I am wrong, it won't be a loss to use a multiple encryption.

I hope I don't look like a rookie for you, this letter is humbly written.

Greetings, salutations....

No one is more vulnerable than the one who thinks he is, and who's wrong.

From jolson3 at netbox.com Wed May 29 10:42:03 1996
From: jolson3 at netbox.com (JOlson)
Date: Thu, 30 May 1996 01:42:03 +0800
Subject: INteresting tidbit
Message-ID: <199605291307.NAA01224@netbox.com>

The following text is an e-mail I picked up from a firewall listserver.

Return-Path:
Date: Tue, 28 May 1996 10:03:11 -0700
X-Sender: bstout at osc.hidata.com
To: Firewalls at GreatCircle.COM, Return requested
From: Bill Stout
Subject: Re: Encryption Technology
Sender: firewalls-owner at GreatCircle.COM
Real-To: Bill Stout

At 09:05 PM 5/22/96 -0700, Michael Dillon wrote:
>...
>RTFM
>

On the Encryption note, and I swear not along the lines of the 'DOJ' and 'FBI Snooping' Big-Brother events, I heard another story recently.

# begin story
A person working on the MBONE project did an unannounced experiment across the internet using Triple-DES for MBONE, and the very next day, 'ATF' agents knocked on his door and warned him against exporting munitions. The experimenter was shaken by the fact that agents approached him so quickly after the experiment.
# end story

Extrapolations of fact:
 1. Internet traffic is monitored.
 2. The ability to snoop for encrypted traffic is present
 3. The ability to identify encryption levels is present
    (How else can they differentiate DES-1 from DES-3?)
 4. The ability to crack DES-1 in near real-time mode is present.
    (See above).
 5. If above=true, then Feds dropping the Zimmerman PGP case probably
    also points to it also being crackable in a similar manner.
 6. Using encryption only flags traffic for capture and decryption,
    using strong encryption makes you all that more interesting.

Sorry, couldn't resist.
I'll try not to start threads about electro-plasma propulsion craft at Area 51, metallic-ceramic skin and pulse-jets on the Aurora spy plane, heat-imaging video cameras on satellites and planes that can watch you through your house's roof, etc. :)

Bill

From sinclai at ecf.toronto.edu Wed May 29 11:06:20 1996
From: sinclai at ecf.toronto.edu (SINCLAIR DOUGLAS N)
Date: Thu, 30 May 1996 02:06:20 +0800
Subject: Tempest Info
In-Reply-To: <199605282356.JAA29834@suburbia.net>
Message-ID: <96May29.092735edt.10690@cannon.ecf.toronto.edu>

> Water pipes are often form the earth line. If only 60hz (US) can get through
> the power cables then only 60 hz can get into the water pipes (I'll ignore
> re-radiating, because water pipes are the least of your problems there).

The high-frequency harmonics from your computers are probably above the cutoff frequency of the water-pipes when considered as circular waveguides. The water filling will act as a dielectric, bringing F0 down. So, it is conceivable that extremely high frequency radiation (>3 Ghz) could propagate well in a water pipe.

From Clay.Olbon at dynetics.com Wed May 29 11:19:05 1996
From: Clay.Olbon at dynetics.com (Clay Olbon II)
Date: Thu, 30 May 1996 02:19:05 +0800
Subject: Statistical analysis of anonymous databases
Message-ID:

I ran across an interesting problem on the STAT-L mailing list. I came up with an initial solution, but it didn't fully solve the problem. I will summarize:

In medical research (this particular application - there are others I am sure) it is desirable to have a large database of individual medical histories available to search for correlations, risk factors, etc. The problem, of course, is that many individuals want their medical histories kept private. It is therefore necessary to maintain a database that is not traceable back to individuals. An additional requirement is that people must be able to add additional information to their records as it becomes available.
The researcher who initially posed the question suggested adding random data to "encrypt anonymity". My first cut solution was to hash the individual's name (perhaps including some other info or random info to thwart dictionary attacks) and send the records in under the hashed name. If done correctly, this should protect the anonymity of the record. The problem with this is that with the volume of data available in a medical record, it is very probable that a person could be tied to that record.

Does anyone have any insights into this problem? This is of purely academic interest to me, I don't know the person who asked the initial question (other than through email). It just sounds like a neat problem.

Clay

---------------------------------------------------------------------------
Clay Olbon II            | Clay.Olbon at dynetics.com
Systems Engineer         | ph: (810) 589-9930 fax 9934
Dynetics, Inc., Ste 302  | http://www.msen.com/~olbon/olbon.html
550 Stephenson Hwy       | PGP262 public key: on web page
Troy, MI 48083-1109      | pgp print: B97397AD50233C77523FD058BD1BB7C0
                                                                TANSTAAFL
---------------------------------------------------------------------------

From 1b2herma at nun.iut2-grenoble.fr Wed May 29 11:46:28 1996
From: 1b2herma at nun.iut2-grenoble.fr (  Toth)
Date: Thu, 30 May 1996 02:46:28 +0800
Subject: RSA breaking
Message-ID: <199605291420.QAA20321@nun.iut2-grenoble.fr>

>Yes, RSA can be "broken" if enough computer power is thrown at a small key,
> but what you wrote is not proof that PGP is "broken".

PGP is completely based on RSA, break RSA, it's breaking PGP at the same time.

>What size of key are you talking about?

I said a hundred numbers key, but it can be applied on more, course a thousand, even 200 or 300 seems quite impossible in matter of time.

>How much hardware?
Difficult to evaluate, as long as it is not really my way(it's programming), but it's quite simple to make hardware from algorithms, just with an optimized eratosten crible(it's the name in French, I don't know the translation, but you'll certainly understand).

>How much cost?

Hard to evaluate, an infinite amount of money(I mean in matter of research) would be enough, sure that only a big lab, or a government can support this, but as soon as built, the breaking box is of no price.

>Please back it up with some numbers.

For the cost, I can't evaluate, for the time, I'll calculate tonight, and will send results tomorrow.

Sincerely yours, Eric

PS: Hope not everyone will take my mail as bad as you think to take it, a thousand pardons if I misunderstood(or you), but it's quite hard for me to follow in English, and to explain with full subtlety.

From adam at lighthouse.homeport.org Wed May 29 12:00:46 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Thu, 30 May 1996 03:00:46 +0800
Subject: Notes from the SF Physical Cypherpunks meeting
In-Reply-To:
Message-ID: <199605291533.KAA09610@homeport.org>

Dial-back does not add security to a system, and in fact, often reduces system security.

Dial back takes responsibility for authentication from your system (where it belongs), and transfers it to the phone company. Telco switches have a long history of being compromised. Assuming a telco switch gets back to the right number when you're under attack is bogus. Relying on an external system like this is evidence of shoddy thinking about security issues. That should have been obvious in the mid 70's, when telcos knew that their switches were being abused by phreaks.

Adam (playing catch-up, but this is a pet peeve.)

Martin Minow wrote:
| For example, the initial Swedish implementation of a national
| criminal database in the mid 1970's (equivalent to the US NCIC) used
| dialback telexes to prevent unauthorized (and untracked) access.
| A recent newspaper article noted that some police officers were
| being investigated for unauthorized access to the personal information
| of a colleague who had complained of sexual harassment.

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From jya at pipeline.com Wed May 29 12:03:08 1996
From: jya at pipeline.com (John Young)
Date: Thu, 30 May 1996 03:03:08 +0800
Subject: Quantum Logic Gates
Message-ID: <199605291436.OAA25145@pipe2.t1.usa.pipeline.com>

As complement to the ONE_two article on the NIST team's latest work on quantum logic gates, we note that Malcolm Browne also reported last August on parallel work at MIT. We have put that article (keyed then as CAT_tal) at our rickety Web site:

http://pwp/usa.pipeline.com/~jya/cattal.txt

Also, Signal magazine reported on this area of research in its April 1996 issue at:

http://www.us.net/signal/CurrentIssue/April/Quantum-apr.html

From perry at piermont.com Wed May 29 12:44:54 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Thu, 30 May 1996 03:44:54 +0800
Subject: INteresting tidbit
In-Reply-To: <199605291307.NAA01224@netbox.com>
Message-ID: <199605291501.LAA01290@jekyll.piermont.com>

JOlson writes:
> The following text is an e-mail I picked up from a firewall listserver.

I don't believe any of the story.

.pm

From 1b2herma at nun.iut2-grenoble.fr Wed May 29 13:03:30 1996
From: 1b2herma at nun.iut2-grenoble.fr (  Toth)
Date: Thu, 30 May 1996 04:03:30 +0800
Subject: RSA breaking
Message-ID: <199605291505.RAA102870@nun.iut2-grenoble.fr>

> System of Russian dolls? What would you suggest?

My idea(it is not me that found that) is that you could have many public keys, when someone want to send you something, he just mail you his(or her) keys, and then you encrypt with the first key, then with the second, etc...
This system is used by some anonymous remailers: Each one has a key, you encrypt your text with the key of the last remailer, then you put your text, the address of the people you want the letter to be sent, then encrypt it with the key of the before the last remailer, and put the address to be sent of the last remailer, etc. So your letter is decrypted by the first remailer, then sent to the address found, then the second remailer decrypts it, etc, like an onion.

The fact is that you can obtain a very good privacy if you have some keymaker program. Let suppose you want to send me a crypted text(don't, it's forbidden to crypt in France), you mail to my remailer, that choose 1000(arbitrary number) keys, that send it to you, crypted with your key, you crypt your text the necessary number of times. This way, the message will be maybe uncrypted by someone, but if the key change for each message, someone can't find your key, I insist on this danger, having one key is useless as soon as someone found it.

>What kind of system do you think would be needed to crack RSA coded messages?

As I said, it is impossible to break an RSA code with softwares, the best attempt was 25 days with ten Crays linked for a key of only 50 numbers. But this can be done as I said before with a simple eratosten crible "translated" into hardware. Sorry electronic is not my way, but for the examples I saw in class, it is really to the ability of a basic electronician, and they were more complicated than what I am talking about. The best components you have, the faster you'll go, so a government or a big private lab can afford this kind of prices.

From geeman at best.com Wed May 29 13:03:49 1996
From: geeman at best.com (geeman at best.com)
Date: Thu, 30 May 1996 04:03:49 +0800
Subject: WSJ on "IRS-bashing"
Message-ID: <01BB4D3A.09B7C120@geeman.vip.best.com>

According to WSJ, Leslie B.
Samuels, "Treasury's top tax-policy official" says that "IRS-bashing is 'counterproductive and harmful'" -- and that "destructive rhetoric ... hurts the tax system and society" [elisions are the WSJ's]

What if the CDA grew little by little by little until it covered statements deemed "destructive rhetoric" .... hmmm. I mean after all, if it harms society....!

Let's see ... Treasury: BATF. Key Escrow. GAK, anyone? ;)

keep up the good work.

From s1113645 at tesla.cc.uottawa.ca Wed May 29 13:28:56 1996
From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca)
Date: Thu, 30 May 1996 04:28:56 +0800
Subject: [crypto] crypto-protocols for trading card games
In-Reply-To:
Message-ID:

On Wed, 29 May 1996, Simon Spero wrote:

> Design a set of crypto protocols to support the issuing, trading, and
> playing of such card games in real time (100ms compute time per move)

I'd been thinking about it from the opposite point of view: make up a card game (possibly electronic, like what you're proposing) that acts as intro to crypto for the untamed hordes of game players.

As you noticed, Simon, cardgames are a good analogue for cryptography. They operate on the principle of secrecy/discovery (turning over the cards), there are analogues for all sorts of algorithms (rules of the game), we have randomness (shuffling), concepts of authentication (to beat cheaters, no cards up the sleeves, no color-laser-photocopied Magic cards...), tokens and smartcards (the cards themselves), integer numbers, and a whole host of special characters a la Alice, Bob, Trent, etc. (Kings, Queens, Jacks, Jokers).

In short, all the building blocks for working crypto protocols and their interfaces, needing no introduction for most people. I can sort of even see a representation of a public card scheme with signatures and certs (I'll have to go grab a deck and try).

Presumably, given a careful choice of rules one could do for crypto what Solitaire did for Windows 3.1 .
I see no reason why a card game could not be an interface for pgp or remailers, or an easier demonstration for DC-nets, blinding or complicated market protocols. One might even build a programming language out of such building blocks (probably for scripting).

Poker for Java--Do not Export! (If the CJR for the RSA-Perl T-shirt was absurd wait till the authorities get stuck with this one.) (Mind you, I probably wouldn't use an imperative language like Java for the scripting, but that's just me.)

This is of course all idle speculation, 'cause I'm lazy and have neither the time nor the expertise. It's all yours folks.

From s1113645 at tesla.cc.uottawa.ca Wed May 29 13:35:08 1996
From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca)
Date: Thu, 30 May 1996 04:35:08 +0800
Subject: [Fwd: --> CRISIS on USENET -- SIGN THE PROTEST STATEMENT VIA E-MAIL]
In-Reply-To: <01I59HR1QWW68Y5191@mbcl.rutgers.edu>
Message-ID:

On Wed, 29 May 1996, E. ALLEN SMITH wrote:

> I am curious as to what systems these throw-away accounts are on; they
> would appear to be good output systems for ephemeral remailer endpoints.
> Admittedly, I suspect that this will take ecash remailers unless they're all
> through systems like aol.com that accept credit cards with inadequate
> verification (from what I know, check digit(s) only).

AOL's been mass-mailing intro packages (I just got one) with free time. I presume we will be seeing a rise in spam as more service providers try these marketing techniques.

From jya at pipeline.com Wed May 29 13:41:58 1996
From: jya at pipeline.com (John Young)
Date: Thu, 30 May 1996 04:41:58 +0800
Subject: UNV_eil
Message-ID: <199605291544.PAA03412@pipe5.t1.usa.pipeline.com>

21+C, Scanning the Future (UK), February, 1996:

"Dataveillance." A global trend is emerging toward citizen surveillance. While authorities speak of the need for data regulation and people become digital shadows, watchdogs are doing some monitoring of their own.
With interviews of Phil Agre, Roger Clarke and Simon Davies on invasive and privacy technology.

These technologies face an uphill public relations battle. Digital cash has already been widely accused of providing money launderers, drug barons and other criminals with the perfect means of continuing their activities. It's the same argument that was used in the Clipper Chip debate, in which the US government proposed a central encryption software, and it will no doubt be directed towards pseudonymous techniques as they emerge.

Simon Davies is familiar with this type of argument. He says there has been a change of political winds in recent years. Where once privacy was used to protect individual freedoms it is now officially deemed by governments and corporations to be an aid to criminals and a barrier to administrative efficiency. "In a generation, we now have privacy as almost like an ancient forgotten wisdom," he says.

Then he adds: "The point that needs to be made very clear is that technology has been misused. It always did have the capacity, the capability to be a friend to people. Instead, it has become a potential tool of enslavement. And it has rendered society vulnerable on a scale that has never been seen before. It is technologists and politicians and financiers who have misused the technology and should be brought to account for it."

UNV_eil

From tcmay at got.net Wed May 29 13:57:55 1996
From: tcmay at got.net (Timothy C. May)
Date: Thu, 30 May 1996 04:57:55 +0800
Subject: Clipper III analysis
Message-ID:

At 5:54 AM 5/29/96, jonathon wrote:

> A good Questioned Document Examiner will be able to demonstrate
> that the signed document in question was not authored by Joe
> Blow, even if it contains his digital signature.

I was of course talking about digital signatures, not handwritten signatures.

I would be very interested to hear how a "Questioned Document Examiner" can possibly determine that a digital signature was not applied by a particular person.
--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From jya at pipeline.com Wed May 29 14:03:04 1996
From: jya at pipeline.com (John Young)
Date: Thu, 30 May 1996 05:03:04 +0800
Subject: TIC_hip
Message-ID: <199605291546.PAA03554@pipe5.t1.usa.pipeline.com>

5-29-96. FiTi:

Chips Galore [Editorial]

Texas Instruments' claim to have developed a technology capable of inscribing 125m transistors, or computing elements, on a thumbnail-sized slice of silicon is remarkable chiefly because the technique is commonplace. ...

The consequences for society of this continued rise in complexity are perhaps not fully grasped even in an age in which computers are taken for granted. The latest technology promises ubiquitous, tiny packages of electronic intelligence. Today's model is the smart card and the tiny videocamera. Tomorrow, tiny processors will be embedded in jewellery, spectacles, buildings and furniture. ...

Widely distributed computer power will confer substantial advantages on society; but it will create new ethical problems for society, such as the individual's right to privacy, which may be at least as difficult to master as the technology.
-----

FiTi reported yesterday and today on TI's new chip:

TIC_hip

From stewarts at ix.netcom.com Wed May 29 14:07:56 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Thu, 30 May 1996 05:07:56 +0800
Subject: [Fwd: --> CRISIS on USENET -- SIGN THE PROTEST STATEMENT VIA E-MAIL]
Message-ID: <199605291534.IAA27683@toad.com>

At 11:21 PM 5/28/96 -0700, you wrote:
>At 11:52 AM 5/28/96 +0000, you wrote:
>>This is a post from Jon Noring (noring at netcom.com) about the recent
>>spamming of alt.religion.scientology. I thought he summed the
>>situation up very well.
>
>Why don't we get together an organized spamming of the CoC's servers?
>Let's give them a taste of their medicine!
>I bet that we can make their servers crash before they know what hit them!

Please take that to alt.religion.scientology or some other relevant list.

[ I recently found a Dianetics Personality Test on my car. I haven't put it in the toaster yet :-) ]

# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus innoculation

From matts at pi.se Wed May 29 14:24:48 1996
From: matts at pi.se (Matts Kallioniemi)
Date: Thu, 30 May 1996 05:24:48 +0800
Subject: RSA breaking
Message-ID: <2.2.32.19960529162523.0035a098@mail.pi.se>

At 14:21 1996-05-29 +0200,   Toth wrote:
>But, cause there is a but, it can be broken by an hardware system. Gimme the money, i'll break it, a simple algorithm can be "hardwarly programmed" and with very high-tech components, the speed it can have is enough to break an RSA key.

How much money do you want for breaking a 2048 bit RSA key? How soon can you deliver the broken private key?

Matts

From jimbell at pacifier.com Wed May 29 14:31:35 1996
From: jimbell at pacifier.com (jim bell)
Date: Thu, 30 May 1996 05:31:35 +0800
Subject: Internet traffic is monitored.
Message-ID: <199605291605.JAA21685@mail.pacifier.com> At 11:37 AM 5/29/96 +0200, Anonymous wrote: >Date: Tue, 28 May 1996 10:03:11 -0700 >X-Sender: bstout at osc.hidata.com >To: Firewalls at GreatCircle.COM, Return requested >From: Bill Stout >Subject: Re: Encryption Technology >Sender: firewalls-owner at GreatCircle.COM > >Extrapolations of fact: > 1. Internet traffic is monitored. > 2. The ability to snoop for encrypted traffic is present > 3. The ability to identify encryption levels is present > (How else can they differentiate DES-1 from DES-3?) > 4. The ability to crack DES-1 in near real-time mode is present. > (See above). > 5. If above=true, then Feds dropping the Zimmerman PGP case probably > also points to it also being crackable in a similar manner. >Bill I think the Feds non-prosecution of Zimmermann had absolutely nothing to do with the crackability/non-crackability of PGP. They just had an extremely weak case: They probably had no way to demonstrate that any particular person exported PGP, which means that prosecuting Zimmermann would have looked like sour grapes. (or, in the alternative, if they had records to show that PGP was exported, they might not have wanted to reveal the extent of their Internet monitoring.) Jim Bell jimbell at pacifier.com From jimbell at pacifier.com Wed May 29 14:37:27 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 30 May 1996 05:37:27 +0800 Subject: Tempest Info Message-ID: <199605291556.IAA21231@mail.pacifier.com> At 09:27 AM 5/29/96 -0400, SINCLAIR DOUGLAS N wrote: >> Water pipes are often form the earth line. If only 60hz (US) can get through >> the power cables then only 60 hz can get into the water pipes (I'll ignore >> re-radiating, because water pipes are the least of your problems there). > >The high-frequency harmonics from your computers are probably above the >cutoff frequency of the water-pipes when considered as circular waveguides. >The water filling will act as a dielectric, bringing F0 down. 
So, it >is conceivable that extremely high frequency radiation (>3 Ghz) could >propagate well in a water pipe. No, you misunderstood. The RF wouldn't be transmitted on the inside of the pipes (how could it get inside, anyway?) but on the outside. Since most information-containing appliances are well-grounded, there is at least a strong possibility that a ground connection would carry enough interesting RF to be useful to tap. Jim Bell jimbell at pacifier.com From tcmay at got.net Wed May 29 15:04:43 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 30 May 1996 06:04:43 +0800 Subject: WSJ on "IRS-bashing" Message-ID: At 3:36 PM 5/29/96, geeman at best.com wrote: >According to WSJ, Leslie B. Samuels, "Treasury's top tax-policy official" >says that "IRS-bashing is 'counterproductive and harmful'" -- and that >"destructive rhetoric ... hurts the tax system and society" [elisions are >the WSJ's] > >What if a the CDA grew little by little by little until it covered >statements deemed "destructive rhetoric" .... hmmm. I mean after all, if >it harms society....! If the CDA is upheld by the Supreme Court, which would surprise me, then "free speech" as we know it is gone completely. By the way, it's _already_ the case that "hurtful speech" can be prosecuted as a civil rights violation of a class of persons. If I refer to women as "bitches and hoes" ("hoe" = "whore," in certain American dialects) I am, as I understand things, technically in violation of various laws which outlaw the repression, subjugation, marginalization, and encheferation of women and other colored people. (Oh, I can say these things in the privacy of my home without fear of reprisal by the State, or even in small groups. But if I say this in public, or in a company, or in many other fora, look out!) Liberty has been given away for several decades in this country. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. 
---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From JeanPaul.Kroepfli at ns.fnet.fr Wed May 29 15:35:40 1996 From: JeanPaul.Kroepfli at ns.fnet.fr (Jean-Paul Kroepfli) Date: Thu, 30 May 1996 06:35:40 +0800 Subject: What is the strength of the MPJ/Diamond algorithm (Michael Paul Johnson 1989) Message-ID: <01BB4D90.20F86640@JPKroepsli.S-IP.EUnet.fr> I have seen the Diamond2 algorithm in the dlock2 package, with its predecessors MPJ, MPJ2. This a thesis by Michael Paul Johnson for is Master of Science degree (1989), and a free softwar (date: 12/21/1995). Schneier's Applied Cryptography doesn't say anything about MPJ or Diamond. What is its strength? Jean-Paul Kroepfli ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~- Jean-Paul et Micheline Kroepfli (our son: Nicolas and daughter: Celine) eMail: JeanPaul.Kroepfli at utopia.fnet.fr Also Compuserve and MSNetwork Phone: +33 81 55 52 59 (F) PostMail: F-25640 Breconchaux (France) or: +41 21 843 27 36 (CH) or: CP 138, CH-1337 Vallorbe Fax: +33 81 55 52 62 (Switzerland) Zephyr(r) : InterNet Communication and Commerce, Security and Cryptography consulting PGP Fingerprint : 19 FB 67 EA 20 70 53 89 AF B2 5C 7F 02 1F CA 8F "The InterNet is the most open standard since air for breathing" From reagle at MIT.EDU Wed May 29 16:06:50 1996 From: reagle at MIT.EDU (Joseph M. Reagle Jr.) 
Date: Thu, 30 May 1996 07:06:50 +0800
Subject: [crypto] crypto-protocols for trading card games
Message-ID: <9605291713.AA28253@rpcp.mit.edu>

At 12:15 AM 5/29/96 -0400, you wrote:
>Design a set of crypto protocols to support the issuing, trading, and
>playing of such card games in real time (100ms compute time per move)

Well, not quite the same thing, but the cool stored-value cards in Japan (for things like phones and the like) are very collectible. Everyone wants an Armitage (anime) card!

_______________________
Regards,          If it weren't for the last minute, nothing would ever get done.
Joseph Reagle     http://farnsworth.mit.edu/~reagle/home.html
reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E

From adam at lighthouse.homeport.org Wed May 29 16:24:21 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Thu, 30 May 1996 07:24:21 +0800
Subject: Statistical analysis of anonymous databases
In-Reply-To:
Message-ID: <199605291844.NAA10130@homeport.org>

One solution to this is to have a database that 'generalizes' its answers as it provides them. For example, rather than returning

    Clay Olbon, 32, m, left handed, cholesterol 350, bp 200/160, 5'9", 175#,

it would return:

    fooblat martin,25-35, m, left handed, cholest. 3-400, 5.5-6ft, heavy.

Researchers could then provide ranges to get answers. Thus, if I'm very concerned about the correlation between age and weight, I could get that information very specifically and nothing else. The generalization filter could be written to only allow N queries of a given level of detail, so that the more detail you wanted in one area, the more you give up in others. There could be a review committee (this is the way hospitals & medical research works) to review requests for more specific data.

Doctors like having names, so you could generate arbitrary names for patients, or use a syllable generator to come up with pronounceable nonsense.

Adam

Clay Olbon II wrote:
| In medical research (this particular application - there are others I am
| sure) it is desirable to have a large database of individual medical
| histories available to search for correlations, risk factors, etc. The
| problem, of course, is that many individuals want their medical histories
| kept private. It is therefore necessary to maintain a database that is not
| traceable back to individuals. An additional requirement is that people
| must be able to add additional information to their records as it becomes
| available. The researcher who initially posed the question suggested
| adding random data to "encrypt anonymity".
|

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From perry at piermont.com Wed May 29 16:31:46 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Thu, 30 May 1996 07:31:46 +0800
Subject: What is the strength of the MPJ/Diamond algorithm (Michael Paul Johnson 1989)
In-Reply-To: <01BB4D90.20F86640@JPKroepsli.S-IP.EUnet.fr>
Message-ID: <199605291743.NAA01615@jekyll.piermont.com>

Jean-Paul Kroepfli writes:
> I have seen the Diamond2 algorithm in the dlock2 package, with its
> predecessors MPJ, MPJ2. This a thesis by Michael Paul Johnson for
> is Master of Science degree (1989), and a free softwar (date:
> 12/21/1995). Schneier's Applied Cryptography doesn't say anything
> about MPJ or Diamond. What is its strength?

Unknown. MPJ is a skilled amateur. However, none of his algorithms have been rigorously analyzed.

Perry

From alanh at infi.net Wed May 29 18:15:50 1996
From: alanh at infi.net (Alan Horowitz)
Date: Thu, 30 May 1996 09:15:50 +0800
Subject: [crypto] crypto-protocols for trading card games
In-Reply-To:
Message-ID:

What _did_ Solitaire do for Windows 3.1? Distract the attention of the unwashed masses away from the actual merits of the beast?
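
The generalizing filter Adam Shostack describes above (ranges instead of exact values, a limit on detail per query, generated nonsense names), sketched as an added Python example that is not code from the thread. The band widths, the point budget, the quota and the HMAC-derived names are assumptions; the records are constructed, the first one from the figures in his message.

```python
import hashlib
import hmac

# Band widths per field and detail level (assumed values). Level 0 withholds
# the field, higher levels give narrower ranges; exact values are never returned.
WIDTHS = {
    "age":         {1: 20, 2: 10},
    "cholesterol": {1: 100, 2: 50},
    "height_in":   {1: 12, 2: 6},
    "weight_lb":   {1: 50, 2: 25},
}
SYLLABLES = ["foo", "blat", "mar", "tin", "zor", "kel", "vam", "pid"]


def pseudonym(secret, patient_id):
    """Stable pronounceable nonsense name: the same patient always maps to the
    same name, so later additions to a record still line up."""
    digest = hmac.new(secret, patient_id.encode(), hashlib.sha256).digest()
    return "".join(SYLLABLES[b % len(SYLLABLES)] for b in digest[:4])


def band(value, width):
    low = value // width * width
    return f"{low}-{low + width}"


class GeneralizingFilter:
    def __init__(self, records, secret, budget=4, fine_queries=3):
        self.records, self.secret = records, secret
        self.budget = budget                # total detail points per query
        self.fine_queries = fine_queries    # level-2 queries allowed per researcher
        self.fine_left = {}

    def query(self, researcher, detail):
        """detail maps field -> level (0, 1 or 2); more detail in one field
        leaves fewer points for the others."""
        bad = [f for f, lvl in detail.items() if f not in WIDTHS or lvl not in (0, 1, 2)]
        if bad:
            raise ValueError(f"unsupported field or level: {bad}")
        if sum(detail.values()) > self.budget:
            raise PermissionError("detail budget exceeded; ask the review committee")
        if 2 in detail.values():
            left = self.fine_left.get(researcher, self.fine_queries)
            if left == 0:
                raise PermissionError("fine-detail query quota used up")
            self.fine_left[researcher] = left - 1
        rows = []
        for rec in self.records:
            row = {"name": pseudonym(self.secret, rec["patient_id"])}
            for field, level in detail.items():
                if level:
                    row[field] = band(rec[field], WIDTHS[field][level])
            rows.append(row)
        return rows


# Constructed sample data; the first row uses the figures from the message.
RECORDS = [
    {"patient_id": "p-001", "age": 32, "cholesterol": 350, "height_in": 69, "weight_lb": 175},
    {"patient_id": "p-002", "age": 58, "cholesterol": 210, "height_in": 64, "weight_lb": 140},
]
```
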
From alanh at infi.net Wed May 29 18:17:18 1996 From: alanh at infi.net (Alan Horowitz) Date: Thu, 30 May 1996 09:17:18 +0800 Subject: Statistical analysis of anonymous databases In-Reply-To: Message-ID: I would ask, is there any known medical gain that has resulted from such a data-base correllation. I do not accept a researcher's own statements as to the utility of the work (S)he's done with someone's funding. Seen too much of it at close quarters... Nor do I accept reeports in the lay press - these are nothing more than re-gurgitated press releases from PR depts of institutions. From wlkngowl at unix.asb.com Wed May 29 18:20:32 1996 From: wlkngowl at unix.asb.com (Mutatis Mutantdis) Date: Thu, 30 May 1996 09:20:32 +0800 Subject: Ok, what about PGP (was: MD5 collisions) Message-ID: <199605292005.QAA27595@unix.asb.com> I poked around the pgp.h and pgformat.txt files in the PGP 2.6.2 distribution. There *are* designator bytes for the hash (and cipher) algorithms, hash size, etc. It seems quite doable to add support for SHA-1 signatures (and possibly key generation for encrypting secret keys?). Adding 3DES (and maybe Luby-Rackoff-SHA, assuming it hasn't been cracked recently at the Fast Software Conf.... more info?!?) would be nifty too... unless, of course, there's meaning to the Real Soon Now that PGP3 folx claim. I d work on the hack now (and just might...) but I'm stuck stranded in the United States. :( Rob. From jimbell at pacifier.com Wed May 29 18:23:55 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 30 May 1996 09:23:55 +0800 Subject: TIC_hip Message-ID: <199605292004.NAA06310@mail.pacifier.com> At 03:46 PM 5/29/96 GMT, John Young wrote: > 5-29-96. FiTi: > > Chips Galore [Editorial] > Texas Instruments' claim to have developed a technology > capable of inscribing 125m transistors, or computing > elements, on a thumbnail-sized slice of silicon is > remarkable chiefly because the technique is commonplace. 
Having been following the progress of IC technology for over 20 years, I can recall when 1 million transistors/chip was the furthest-out prediction "they" were willing to make. Jim Bell jimbell at pacifier.com From stewarts at ix.netcom.com Wed May 29 18:36:10 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 30 May 1996 09:36:10 +0800 Subject: An alternative to remailer shutdowns Message-ID: <199605292009.NAA01448@toad.com> >>>Remailers on the attack points (first in chain, last in chain) simply MUST >>>be disposable as tissue. They must be run as anonymously as possible, .... >> Why the first in chain? If the anti-traffic-analysis provisions are >>working properly, it should be impossible to prove that a given first remailer >>was the first remailer for any particular message. [....] entrapment >Likewise, I don't see why the first address in the chain is vulnerable, as >long as the message subsequently passes through at least one trustworthy >remailer, and probably a temporary output address. There are two major problems, which have different impacts - protecting the users from corrupt remailers, and - protecting the remailers from spamming or entrapping users To protect users from corrupt remailers, you not only have to pass through at least one trustworthy remailer, you have to encrypt the message for each remailer in the chain so that any corrupt remailers can't read it at least until it's been through the trustworthy remailer. Protecting remailers from users depends on the threat. If the government wanted to claim that all the remailers were part of a Conspiracy to Distribute Laundered Narcoterrorist Tax Evasion Paraphrenalia, first-in-chain remailers become vulnerable, since the Postal Inspectors can send entrapment material to them and document where it comes out, though the path between first and egress can't always be documented, depending on how the remailers handle mail. 
On the other hand, if the Church of Spam tries to frame remailers by posting their own Secret Documents, they can only target the terminal remailers and as far back as they can subpoena, because they'd otherwise have to admit that they posted it. There's been some discussion of delivering outgoing mail by sending it through systems that don't add Received: headers; it may make sense for non-root-owned remailers to do this using telnet to port 25 instead of their local sendmail, to prevent local logging and prevent their sendmail from adding its own information. Some sendmails try to detect forgery, but systems that aren't even configured to do Receive: probably don't. Bill # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 # goodtimes signature virus innoculation From llurch at networking.stanford.edu Wed May 29 18:39:00 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 30 May 1996 09:39:00 +0800 Subject: INteresting tidbit In-Reply-To: <199605291501.LAA01290@jekyll.piermont.com> Message-ID: On Wed, 29 May 1996, Perry E. Metzger wrote: > JOlson writes: > > The following text is an e-mail I picked up from a firewall listserver. > > I don't believe any of the story. Oh, I believe he read the story on the firewalls list. I wouldn't go any farther than that, though. -rich From ogren at cris.com Wed May 29 18:47:20 1996 From: ogren at cris.com (David F. 
Ogren)
Date: Thu, 30 May 1996 09:47:20 +0800
Subject: [crypto] crypto-protocols for trading card games
Message-ID: <199605292058.QAA24885@darius.cris.com>

-----BEGIN PGP SIGNED MESSAGE-----

> On Wed, 29 May 1996, Simon Spero wrote:
>
> > Design a set of crypto protocols to support the issuing, trading,
> > and playing of such card games in real time (100ms compute time
> > per move)
>
> I'd been thinking about it from the opposite point of view: make up
> a card game (possibly electronic, like what you're proposing) that
> acts as intro to crypto for the untamed hordes of game players.
>

I've had similar ideas, but there are snags. Card playing via encryption techniques is a great idea in theory, but in reality the technical requirements often prevent implementation.

Think of the requirements of this system:

1. Cards must be transferable.
2. Cards must not be duplicated by anyone other than the game company.
3. Cards must be able to be randomly shuffled.

(Since most trading card games are two-player games our task is simplified greatly.)

Here is one possible algorithm, and some of its weaknesses.

The game company generates a master public key pair with which it will sign all game cards.

Each player generates a public key pair to verify his identity.

Each card is composed of the following fields:

    A serial number, so that each card is unique.
    A public key generated by the owner as a proof of identity. (Each card owned by a player will have the same public key.)
    The name of the card and (optionally) a description of its effects.

Each card is then signed using the game company's secret key.

For each game both partners generate a public key pair. Alice then signs each card in her deck with the public key she generated for this game and then transmits the cards (in a random order) to Bob. Bob does the same thing for his deck.

Each time Alice needs a card, Bob selects one of Alice's encrypted cards and Alice decrypts it.

As an additional measure to determine that Bob's cards are genuine, Alice sends Bob a random string and asks that he sign it with the secret key that matches the identity-verifying public key on his cards. If Bob can return a signed version of that string, the ownership of his cards is verified. This identity-verifying routine can be conducted as soon as Bob's first card is revealed. Bob, of course, conducts the same procedure for Alice after she plays her first card.

After the game is over (or Alice's deck needs to be reshuffled), she reveals her secret key and Bob verifies that her cards are genuine and that she played fairly.

Advantages:

This system prevents anyone other than the game company from duplicating cards (each card has a unique serial number), and from copying other people's cards (each card has an identifying public key).

Any cheating can be discovered at the end of the game. Bob knows the order in which he selected Alice's encrypted cards. After the game, when Alice hands over her game-session secret key, he can check to make sure that Alice revealed her cards in the order he selected them.

Only a reasonable amount of encryption/decryption is required. Most importantly only one key per player needs to be generated for each shuffle. During play only decryption is required. In other words, a modicum of set up is required, but once play begins the decryption shouldn't slow the program down appreciably.

Disadvantages:

The entire integrity of the system relies on the security of the game company's key pair. If the secret key is compromised, either by a disloyal employee or by cryptographic techniques, all cards in existence must be recreated.

Cards are not transferable. In order to make cards transferable the game company must be able to invalidate cards which have been traded to others. In other words if Alice wants to give a card to Bob she must:

1. Contact the game company and tell them she wants to give the card to Bob.
2. The game company must issue a new card to Bob with a new serial number and with Bob's public key rather than Alice's.
3. The game company must invalidate Alice's old card. Since there is no way that the game company can make sure all copies of the card have been destroyed it must create an "invalid serial number list" and have the players dial into that list every time the game is played.

Since step 3 is so costly to implement, I think it is unlikely that a cryptography-based trading card game will have tradable cards.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMay5ZvBB6nnGJuMRAQHYFAQAl/PwCB0U/rQfjNgdoeLNpo9TyPAdebhT
FWjE44zjTmr6Cbl6S5D9QsqLub6eDI5DsXhD+w4Tipjn9/GZwQtFpEORx9MeAUWh
9TCtcDY4Tn5d8aNwtVikHt971uW6ROU7qWikIDipxotWtTscl8NESZbgmZqGOBWW
4VzGRMuIr1E=
=bXqs
-----END PGP SIGNATURE-----

--
David F. Ogren
ogren at concentric.net (alternate address: dfogren at msn.com)
PGP Key ID: 0xC626E311
PGP Key Fingerprint: 24 23 CD 15 BF 8D D1 DE 81 71 84 C8 2C E0 4B 01
(public key available via server or by sending a message to ogren at concentric.net with a subject of GETPGPKEY)

From perry at piermont.com Wed May 29 19:07:40 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Thu, 30 May 1996 10:07:40 +0800
Subject: Internet traffic is monitored.
In-Reply-To:
Message-ID: <199605292113.RAA02043@jekyll.piermont.com>

"Mark M." writes:
> > Extrapolations of fact:
> > 1. Internet traffic is monitored.
>
> Maybe. But I doubt that the above story is true.

From what I can tell, the story is pure excrement.

Just to give everyone a reality check here, I routinely use encrypted links across the net, often internationally. A houseguest of mine used 3DES from my apartment to his office in Finland for days. No one has as much as sneezed at any of this. None of it is the least bit unusual or illegal to begin with.

Perry

From perry at alpha.jpunix.com Wed May 29 19:23:04 1996
From: perry at alpha.jpunix.com (John A.
Perry) Date: Thu, 30 May 1996 10:23:04 +0800 Subject: Broken Nymserver Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hello Everyone, It turns out that the nym server at nymrod at nym.jpunix.com was slightly broken. My tests indicate that it is fully functional now. I apologize for the inconvenience. John Perry - KG5RG - perry at alpha.jpunix.com - PGP-encrypted e-mail welcome! WWW - http://www.jpunix.com PGP 2.62 key for perry at jpunix.com is on the keyservers. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMayhBlOTpEThrthvAQH3NwP/fF8SMTlV+LkaeyTz0YrWcY3wfeNaTkV/ u5JATy0yRgW/U/l6KsxI5mc2onVD5em2+srlvqb9JkLcQ8PTQWRSULwRpFO8rDvI fEic0UBdObt8QpacbNUgWJeNfXzbgYfv6Po72fci3aWWBc6RLuLC/uAnYv4VaNej IPyui2isWT0= =PCKi -----END PGP SIGNATURE----- From nobody at nowher.com Wed May 29 19:44:36 1996 From: nobody at nowher.com (Nobody in particular) Date: Thu, 30 May 1996 10:44:36 +0800 Subject: forged addresses Message-ID: <199605292012.NAA01475@toad.com> Hi, I'm not sure if there was ever a thread on this, but I was wondering if anyone can determine your real email address, if you were to fake it to your email client. I hope that this doesn't offend anyone, since this is a high traffic list, but I was wondering if this would work. To try it out, I setup my client to think I was someone else, and sent myself an email. I could only figure out what ISP it came from. What I would like to know is, can any of the experts on this list determine my address from the header of this post?? again, if this is something that I shouldn't have done, just let me know, and it won't happen again. From mclow at owl.csusm.edu Wed May 29 19:46:50 1996 From: mclow at owl.csusm.edu (Marshall Clow) Date: Thu, 30 May 1996 10:46:50 +0800 Subject: Where does your data want to go today? Message-ID: >From : >Helping pave the way toward cost-effective disaster recovery >systems, MCI Communications Corp. 
this week will join a growing >number of providers offering file backup and storage over the >Internet. [snip] >MCI and Connected house data on servers at two mirrored sites. >Both companies are adding an extra dimension of security over the >Internet by encrypting data. > >MCI's networkMCI Backup software, for Windows 95 or 3.x, will >scan a file for viruses, encrypt it using an RSA Data Security Inc. >public key and compress it before it is uploaded onto MCI's Internet >backbone network to a secure storage facility, said MCI officials in >Atlanta. [snip] Some comments (off the top of my head): * What kind of encryption? [The article says RSA. ] How big is the key? * Why encrypt before compression? If the encryption is any good, then the encrypted data won't compress much at all. However, compression before encryption has its own problems. * Who does the key management (if any)? * Does MCI store copies of the keys used? * How does MCI authenticate users who request copies of files, and do they then return them encrypted or as plaintext? If encrypted, how does the recepient decryt the files? (He/she just had a disk crash, and this is their backup medium, remember?) I looked on MCI's web site , but couldn't find anything. Besides, it's slower than sludge. [ 90 secs/page over my 128K link. :-( ] -- Marshall Marshall Clow Aladdin Systems "We don't have to take it; never have, never will. Gonna shake it, gonna break it; let's forget it: better still" --The Who, "Tommy" From dlv at bwalk.dm.com Wed May 29 20:07:56 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Thu, 30 May 1996 11:07:56 +0800 Subject: [crypto] crypto-protocols for trading card games In-Reply-To: Message-ID: Alan Horowitz writes: > What _did_ Solitaire do for Windows 3.1? Distract the attention of > the unwashed masses away from the actual merits of the beast? 
It's interesting to note that a) All previous versions of MS Windows starting I think with the beta .9 which I first saw included Reversi (Othello), a much more intellectual game. b) IBM OS/2 comes with a pile of games, including a much nicer solitaire, chess, a game where you have to catch a cat with your mouse, etc. Ostensibly, they're there to train users to use the mouse interface. E.g., Solitaire teaches users to drag and drop. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From warlord at MIT.EDU Wed May 29 20:19:11 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Thu, 30 May 1996 11:19:11 +0800 Subject: Ok, what about PGP (was: MD5 collisions) In-Reply-To: <199605292005.QAA27595@unix.asb.com> Message-ID: <199605292310.TAA20965@toxicwaste.media.mit.edu> > It seems quite doable to add support for SHA-1 signatures (and possibly key > generation for encrypting secret keys?). > > Adding 3DES (and maybe Luby-Rackoff-SHA, assuming it hasn't been cracked > recently at the Fast Software Conf.... more info?!?) would be nifty too... > unless, of course, there's meaning to the Real Soon Now that PGP3 folx > claim. Both of these algorithms are currently in the PGPlib sources. -derek From markm at voicenet.com Wed May 29 20:34:58 1996 From: markm at voicenet.com (Mark M.) Date: Thu, 30 May 1996 11:34:58 +0800 Subject: Internet traffic is monitored. In-Reply-To: <199605290937.LAA16955@basement.replay.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Wed, 29 May 1996, Anonymous wrote: > # begin story > > A person working on the MBONE project did an unannounced experiment > across the internet using Triple-DES for MBONE, and the very next day, > 'ATF' agents knocked on his door and warned him against exporting > munitions. The experimentor was shaken by the fact that agents > approached him so quickly after the experiment. > > # end story Do you have any information to back this up? It sounds like an urban myth. 
Also, AFAIK the ATF isn't the agency that controls arms exports. > > Extrapolations of fact: > 1. Internet traffic is monitored. Maybe. But I doubt that the above story is true. > 2. The ability to snoop for encrypted traffic is present And how exactly is this done? Unless data is tagged with a header, encrypted traffic is indistinguishable from random data. > 3. The ability to identify encryption levels is present > (How else can they differentiate DES-1 from DES-3?) Same as above. > 4. The ability to crack DES-1 in near real-time mode is present. > (See above). Several years ago, the cost of building a DES cracking machine was $100 million dollars. this value is now much smaller. > 5. If above=true, then Feds dropping the Zimmerman PGP case probably > also points to it also being crackable in a similar manner. The Feds dropped the Zimmerman case because there wasn't any evidence to support the accusation that PRZ had exported PGP or broken any laws. Also, if someone was ever tried for ITAR violations, it would most likely be found unconstitutional. > 6. Using encryption only flags traffic for capture and decryption, > using strong encryption makes you all that more interesting. This is why there is steganography. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xe3bf2169 http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348 ((2b) || !(2b)) | Old key now used only for signatures "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMayySbZc+sv5siulAQHw5QP7B6FhdMxpQQ/neNJcQnNG0hwu0bsDmmes Is6wC14qkIaKUSF2yak4cQDqwOMBj9O/0l357YDHFSXTsZm9Bq3pBYCDg8Ws55/0 1BUz6WEi+Clf2WQz4i9FVhYESPQ3zIIYTJMjn9H0v3KQqojQTP9Z4zhgFeRjHfjn rBfdvRDwCPw= =Zye2 -----END PGP SIGNATURE----- From droelke at rdxsunhost.aud.alcatel.com Wed May 29 21:29:24 1996 From: droelke at rdxsunhost.aud.alcatel.com (Daniel R. 
Oelke) Date: Thu, 30 May 1996 12:29:24 +0800 Subject: Where does your data want to go today? Message-ID: <9605292205.AA02198@spirit.aud.alcatel.com> > > >From : > > >Helping pave the way toward cost-effective disaster recovery > >systems, MCI Communications Corp. this week will join a growing > >number of providers offering file backup and storage over the > >Internet. > [snip] > > >MCI and Connected house data on servers at two mirrored sites. > >Both companies are adding an extra dimension of security over the > >Internet by encrypting data. > > > >MCI's networkMCI Backup software, for Windows 95 or 3.x, will > >scan a file for viruses, encrypt it using an RSA Data Security Inc. > >public key and compress it before it is uploaded onto MCI's Internet > >backbone network to a secure storage facility, said MCI officials in > >Atlanta. > [snip] > > > Some comments (off the top of my head): > > * What kind of encryption? [The article says RSA. ] How big is the key? Web page, and sign-up email doesn't say... > * Why encrypt before compression? If the encryption is any good, then the > encrypted data won't compress much at all. However, compression before > encryption has its own problems. This is just confusing wording I am sure - marketing/press-release people rarely get the details right. I would guess, that in order it is scanned, compressed, and then encrypted. Nothing else makes sense. > * Who does the key management (if any)? > * Does MCI store copies of the keys used? > * How does MCI authenticate users who request copies of files, and do they > then return them encrypted or as plaintext? If encrypted, how does the > recepient decryt the files? (He/she just had a disk crash, and this is > their backup medium, remember?) These are all good questions.... > I looked on MCI's web site , but couldn't find > anything. Besides, it's slower than sludge. [ 90 secs/page over my 128K > link. 
:-( ] http://www.mci.com/productview/framelements/backupindex.shtml (probably need netscape2 for this.) I requested to be a beta-test member and got confirmation email. I guess I'll wait until they contact me "early this summer" and see what their software does.... Dan ------------------------------------------------------------------ Dan Oelke Alcatel Network Systems droelke at aud.alcatel.com Richardson, TX From llurch at networking.stanford.edu Wed May 29 21:54:48 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 30 May 1996 12:54:48 +0800 Subject: WSJ on "IRS-bashing" In-Reply-To: Message-ID: On Wed, 29 May 1996, Timothy C. May wrote: > If the CDA is upheld by the Supreme Court, which would surprise me, then > "free speech" as we know it is gone completely. I agree. I don't think it will surprise me, though, because it just ain't gonna happen. :-) > By the way, it's _already_ the case that "hurtful speech" can be prosecuted > as a civil rights violation of a class of persons. If I refer to women as > "bitches and hoes" ("hoe" = "whore," in certain American dialects) I am, as > I understand things, technically in violation of various laws which outlaw > the repression, subjugation, marginalization, and encheferation of women > and other colored people. Fascinating. Could you provide citations to these laws so that people in this plane of reality might take a look at them? Over here, any such law would be invalidated by R.A.V. v. St. Paul. The only exceptions are restrictions on "fighting words" that meet the tests in Chaplinsky v. New Hampshire and "hostile working environment" discrimination, which I assume is what you're talking about, in some elliptical way. -rich In February, John Howard opened a Ku Klux Klan museum and apparel store, called The Redneck Shop, in Laurens, S. Car. 
Asked by a reporter what the reaction was by townspeople, Howard said, "The only people I've had a problem with, who took it as an insult and a racial situation, have been blacks. I didn't know blacks here were so prejudiced." [Louisville Courier-Journal-AP, 3-7-96] From stevenw at best.com Wed May 29 23:08:32 1996 From: stevenw at best.com (Steven Weller) Date: Thu, 30 May 1996 14:08:32 +0800 Subject: [SF Bay Area] A talk on Pari by Carl Hansen Message-ID: Seen on the net: Pari talk by Carl Hansen Monday, June 10 from 7:30 pm to 9 pm BMUG, 2055 Center Street, Berkeley Carl will give an introductory talk on Pari, software that supports arbitrary precision arithmetic and includes many function for doing number theory. He will compare it to other math software and show the special features of this program, including how Pari can be used as a cryptographers workbench. This presentation will be at the BMUG office at 2055 Center Street in Berkeley. The office is near the north west corner of Center Street and Shattuck Ave. which is half a block from the Berkeley BART station. Driving directions: Take the University exit off 80. Head east on University toward the UC Berkeley campus. Turn right at Shattuck (McDonalds will be at the corner.) Go 2 blocks. Turn right on Center and look for parking. I recommend the parking garage on the left, as the one on the right may close at 8 pm. For more information on the Berkeley Macintosh Users Group (BMUG) Mathematics Special Interest Group (SIG), contact: Nancy Blachman Variable Symbols, Inc. 6537 Chabot Road Oakland, CA 94618-1618 Email: nb at cs.stanford.edu nb at eeyore.stanford.edu Fax: 510 652 8461 Telephone: 510 652 8462 ------------------------------------------------------------------------- Steven Weller | Technology (n): | | A substitute for adulthood. stevenw at best.com | Popular with middle-aged men. From tcmay at got.net Wed May 29 23:12:14 1996 From: tcmay at got.net (Timothy C. 
May)
Date: Thu, 30 May 1996 14:12:14 +0800
Subject: Clipper III analysis
Message-ID:

At 1:57 AM 5/30/96, jonathon wrote:
....
> It is a specialty within the QDE Field, but there are a few
> QDE's that are _currently_ doing that. << Printed hard copy,
> not electronic copy, but that is the _only_ difference. >>
>
>> I would be very interested to hear how a "Questioned Document Examiner" can
>
> It is at the point where statistics, textual analysis, grammar
> and linguistics converge.
>
>> possibly determine that a digital signature was not applied by a particular
>> person.
>
> I don't remember the minimum number of characters that are needed
> to establish that a document was written by a specific individual.
> Roughly fifteen pages of text that both sides admit as being
> authentic is required for the undisputed exemplars.

Ah, but the issue of who _signs_ a document is fundamentally and importantly different from the issue of who _wrote_ the document.

If I have allegedly _signed_ a contract, who cares if exhaustive analysis reveals it to have been _written_ with 77.93% probability by Irving J. Shlublutz, CPA for State Farm Insurance Company?

The issue with digital signatures is who _signed_ a document, not who _wrote_ a document.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
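The distinction drawn in the message above, as an added illustration that is not part of the original post: signature verification takes a public key, the document bytes and the signature, and no input about who composed the text. The sketch uses a Lamport one-time signature over SHA-256, chosen here only because it needs nothing beyond the standard library; the contract text and the "Alice" and "Bob" key holders are constructed.

```python
import hashlib
import secrets

HASH_BITS = 256  # one secret pair per bit of the SHA-256 digest


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport one-time key pair.

    Private key: 256 pairs of random 32-byte secrets.
    Public key: the SHA-256 hash of each secret.
    A key pair must sign ONE document only; every signature reveals
    half of the private key.
    """
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32))
          for _ in range(HASH_BITS)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def _digest_bits(document: bytes):
    """The 256 bits of SHA-256(document), most significant bit first."""
    digest = _h(document)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(HASH_BITS)]


def sign(sk, document: bytes):
    """Reveal, for each digest bit, the secret that matches that bit."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(document))]


def verify(pk, document: bytes, signature) -> bool:
    """True if the holder of the private key behind `pk` signed these bytes.

    Note the inputs: key, bytes, signature. Nothing here says, or can say,
    who composed the text.
    """
    if len(signature) != HASH_BITS:
        return False
    bits = _digest_bits(document)
    return all(_h(signature[i]) == pk[i][bits[i]] for i in range(HASH_BITS))


def demo():
    # Constructed scenario: a third party drafts the text, Alice signs it.
    contract = b"Drafted by a third party: Alice agrees to pay Bob 100 units."
    alice_sk, alice_pk = keygen()
    _, bob_pk = keygen()
    sig = sign(alice_sk, contract)
    return {
        # Alice's key verifies although she wrote none of the words.
        "alice_key_verifies": verify(alice_pk, contract, sig),
        # The same signature does not verify under anyone else's key.
        "bob_key_verifies": verify(bob_pk, contract, sig),
        # Any change to the bytes, even one trailing space, breaks it.
        "altered_text_verifies": verify(alice_pk, contract + b" ", sig),
        # A truncated signature is rejected outright.
        "truncated_sig_verifies": verify(alice_pk, contract, sig[:-1]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Stylistic analysis of the wording is a separate question that the verification step never touches.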
From jya at pipeline.com Wed May 29 23:15:27 1996 From: jya at pipeline.com (John Young) Date: Thu, 30 May 1996 14:15:27 +0800 Subject: Science on Schrodinger's Cat Message-ID: <199605300220.CAA02723@pipe2.t1.usa.pipeline.com> We've filed at our Web site two May 24 Science articles on the NIST team's research on quantum superposition, reported by the NYT yesterday (keyed ONE_two): A Research News article on the research by Gary Taubes, "Schizophrenic Atom Doubles As Schrodinger's Cat -- or Kitten." And, the Research Article: "A 'Schrodinger's Cat' Superposition State of an Atom." C. Monroe, D. M. Meekhof, B. E. King, D. J. Wineland. Due to the heavy use of equations and figures, the material is imaged in JPEG (compressed) format -- 150 resolution and enlarged a bit for readability, so the files are fairly large: The news article: http://pwp.usa.pipeline.com/~jya/scat0.jpg (234 kb) The research article: http://pwp.usa.pipeline.com/~jya/scat1.jpg (153 kb) http://pwp.usa.pipeline.com/~jya/scat2.jpg (223 kb) http://pwp.usa.pipeline.com/~jya/scat3.jpg (224 kb) http://pwp.usa.pipeline.com/~jya/scat4.jpg (248 kb) http://pwp.usa.pipeline.com/~jya/scat5.jpg (200 kb) http://pwp.usa.pipeline.com/~jya/scat6.jpg (179 kb) http://pwp.usa.pipeline.com/~jya/scat7.jpg (210 kb) http://pwp.usa.pipeline.com/~jya/scat8.jpg (245 kb) http://pwp.usa.pipeline.com/~jya/scat9.jpg (35 kb) From grafolog at netcom.com Wed May 29 23:15:40 1996 From: grafolog at netcom.com (jonathon) Date: Thu, 30 May 1996 14:15:40 +0800 Subject: Clipper III analysis In-Reply-To: Message-ID: On Wed, 29 May 1996, Timothy C. May wrote: > At 5:54 AM 5/29/96, jonathon wrote: > > > A good Questioned Document Examiner will be able to demonstrate > > that the signed document in question was not authored by Joe > > Blow, even if it contains his digital signature. > > I was of course talking about digital signatures, not handwritten signatures. I was also talking about digital signatures. 
It is a specialty within the QDE Field, but there are a few QDE's that are _currently_ doing that. << Printed hard copy, not electronic copy, but that is the _only_ difference. >> > I would be very interested to hear how a "Questioned Document Examiner" can It is at the point where statistics, textual analysis, grammar and lingustics converge. > possibly determine that a digital signature was not applied by a particular > person. I don't remember the minimum number of characters that are needed to establish that a document was written by a specific individual. Roughly fifteen pages of text that both sides admit as being authentic is required for the undisputed exemplars. The actual work is not that difficult, just time consuming. xan jonathon grafolog at netcom.com ********************************************************************** * * * Opinions expressed don't necessarily reflect my own views. * * * * There is no way that they can be construed to represent * * any organization's views. * * * ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * * * http://members.tripod.com/~graphology/index.html * * * *********************************************************************** From skaplin at iaxs.net Wed May 29 23:23:53 1996 From: skaplin at iaxs.net (Samuel Kaplin) Date: Thu, 30 May 1996 14:23:53 +0800 Subject: Subpoenaed for Deposition Message-ID: <31ad07e6.209427706@mail.iaxs.net> Forwarded from alt.religion.scientology ----------------------------------------------- >From: "Homer W. 
Smith" >Subject: Subpoenaed for Deposition >Date: Wed, 29 May 1996 14:03:47 -0400 >Organization: ART MATRIX - LIGHTLINK >Lines: 12 >Distribution: inet >Message-ID: >NNTP-Posting-Host: light.lightlink.com >Mime-Version: 1.0 >Content-Type: TEXT/PLAIN; charset=US-ASCII >To: Remailer Operators Network >cc: Multiple recipients of list IAP I have received a subpoena to be deposed by the Church of Scientology concerning the posting of Scamizdat #3 through the Free Zone Remailer on April 1st, 1995. Homer ------------------------------------------------------------------------------ Homer Wilson Smith News, Web, Telnet Art Matrix - Lightlink (607) 277-0959 SunOS 4.1.4 Sparc 20 Internet Access, Ithaca NY homer at lightlink.com info at lightlink.com http://www.lightlink.com --- Never play cards with a man called Doc. Fuck Exon - Fuck The CDA - Fuck Scientology - Fuck Dianetics - Fuck Congress Fuck The President - Fuck Obsenity - Fuck Democrats - Fuck Republicans Support Freedom Of Expression! From tcmay at got.net Wed May 29 23:29:45 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 30 May 1996 14:29:45 +0800 Subject: Statistical analysis of anonymous databases Message-ID: At 8:12 PM 5/29/96, Alan Horowitz wrote: >I would ask, is there any known medical gain that has resulted from >such a data-base correllation. > >I do not accept a researcher's own statements as to the utility of the work >(S)he's done with someone's funding. Seen too much of it at close >quarters... Nor do I accept reeports in the lay press - these are >nothing more than re-gurgitated press releases from PR depts of institutions. Separating out issues of privacy, and addressing only your basic point about a "known medical gain that has resulted from such a data-base correllation," there are many obvious correlations which have been discovered by use of various data in data bases. 
The increased prevalence of sickle cell anemia in blacks, the increased prevalence of Tay-Sachs in Jews....all of these things are well-established (and important for dealing with health issues of these groups...that is, it is important and beneficial that someone made such correlations). Back to privacy issues. I am not arguing that the privacy wishes, contractually agreed to, of a patient be ignored. I am simply refuting your point that no medical gain has come from data base correlations. As to the "lay press," I read some issues of "Nature," "Science," "New Scientist," "Discover," and "Scientific American," the journals in which the scientists speak more or less directly, and I am convinced that statistical inference from data bases is indeed a powerful tool. (I am not saying that the privacy wishes and contractual language of patients is to be ignored on this basis, only saying that statistical inference is indeed valuable. So valuable, in fact, that the libertarian/cypherpunk solution is for patients to "sell" this information.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From ncognito at gate.net Wed May 29 23:51:09 1996 From: ncognito at gate.net (Ben Holiday) Date: Thu, 30 May 1996 14:51:09 +0800 Subject: Asendmail Status & Politikal Rant Message-ID: Well, asendmail has been running for several days now, handling outbound mix mail from my remailer. It appears to be getting the mail through reliably, although there are still a few bugs. 
After reading through the responses from other cypherpunks and interested parties, I decided to make a few changes to the software, the largest of which was support for a separate configuration file of text strings to be sent in SMTP's initial HELO command. It is possible to add as many lines as you care to in the list of fake HELO strings, which should satisfy the need (want?) for randomness in the headering of outbound mail, without restricting anyone to using either faked site names, OR real site names.

I'll be working on final preparation of README's and install notes, and should have a tar.gzipped source available by Friday at the outside. Once the initial software is released I'll put together a mail robot to help with gathering proxy addresses.

I still need test mail to be routed through the mailer! Everything appears to be OK, but I'd like more chances to see what is happening with mail that gets resent this way.

On to politiks:

I understand that the entire concept of this program is a bit controversial, and I can accept that. Personally I am not certain exactly how to feel about it. I suppose that I am not thrilled about the idea of cloaking the mailer this way, but at the same time I perceive it as an evil of requirement. I believe very strongly that remailers SHOULD exist, whether or not the CoS, or the FBI agree; and I am willing to be a bit impolite if that's what needs to be. My only hesitation is that I'm afraid now might be too soon. At the same time I think it would be unfortunate if it came down to someone actually going to jail for remailing before people are willing to do something that may be a bit extreme.

Anyway, someone raised the argument that the problem was political, and that a technical solution would do more harm than good - maybe you're right, I can't see the future, but it seems to me that I read somewhere that "Cypherpunks Write Code". This statement is amazingly profound in its implications.

Anonymous communication on the net depends on the technical solutions embodied in the current remailing software, and cryptography applications. If, years ago, the cypherpunks had decided that a publicity campaign, political lobbying, and apologizing were the right course of action, anonymous speech on the internet would be virtually non-existent today. If the cypherpunks decide today that coding is not the answer, where will free speech on the net be in 5 years?

I think it is very naive to believe that the world is going to change enough, quickly enough, that remailers will become accepted, and protected, methods of speaking - no matter how politically correct we try to be. Why do we see big business and big government launching a full frontal assault on the remailers, while the mailing lists continue to operate without incident? Because the enemies of free speech recognize where the true threat to their oppression lies.

Relying on politics to preserve our rights is like throwing down your gun and asking the bear to please not eat you. The powers that be want us to shut up. The programs that we write are the weapons that will defend our right to speak.

From vznuri at netcom.com Thu May 30 00:16:18 1996
From: vznuri at netcom.com (Vladimir Z. Nuri)
Date: Thu, 30 May 1996 15:16:18 +0800
Subject: online law-- new book
Message-ID: <199605300324.UAA09313@netcom4.netcom.com>

a quick word to the cpunks with legal interests. a great new book called "Online Law: the SPA's Legal Guide to Doing Business on the Internet" seems to me to be a superlative compilation. edited by Thomas J Smedinghoff. Addison-Wesley, 1996.

extremely up-to-date-- in one section cites various court decisions from 1995 on the scientologists vs. netcom etc. heavy on the citations/footnotes of existing law. has very good coverage of encryption and digital signatures etc. and talks about their legal status.
also, good info on copyrights, defamation, patents, online transactions, trade secrets, privacy, licensing 1st amendment, sexually explicit materials, email in the workplace, export control, trade practices, contracts, etc. I expect this volume is going to be widely praised and become a very definitive guide. it seems to me a quick look in this book would go about 95% toward resolving immediately a lot of the online debates I've read here and elsewhere about "what the law says". the price is also very good for something of this type, typically the law-related material is really expensive. ordering: (800) 238 9682 see http://www.aw.com/devpress ISBN 0-201-48980-5 $34.95 544 pages paperback From jya at pipeline.com Thu May 30 00:31:47 1996 From: jya at pipeline.com (John Young) Date: Thu, 30 May 1996 15:31:47 +0800 Subject: NRC crypto policy report to be released Thursday Message-ID: <199605300317.DAA09263@pipe2.t1.usa.pipeline.com> The initial September 14, 1994 announcement of the NRC National Cryptography project is at: http://www.wpi.edu/~ryant/ncp.html It describes the program and lists committee members absolutely certain to deny GAK tomorrow, trust them. From declan at well.com Thu May 30 00:37:49 1996 From: declan at well.com (Declan McCullagh) Date: Thu, 30 May 1996 15:37:49 +0800 Subject: NRC crypto policy report to be released Thursday Message-ID: I was offline for the Memorial Day weekend, and I'm hundreds of messages behind on cypherpunks, so ignore this if it's redundant... But anyway, a reminder: The National Research Council's report on crypto policy will be unveiled tomorrow at the National Press Club at 1 pm in Washington, DC. I'm going to try my best to be there. >From their web page at : The Computer Science and Telecommunications Board (CSTB) of the National Research Council (NRC) has completed a congressionally mandated study of national cryptography policy. 
The final report, Cryptography's Role in Securing the Information Society, will be released to the public on May 30, 1996 at a public briefing. A large number of the authoring committee members will attend. The public briefing will take place in the Main Lounge of the National Press Club, 14th and F Streets, N.W., Washington, D.C., from 1:00 PM to 3:00 PM, on Thursday, May 30, 1996. Committee members will respond to questions from attendees, and a limited number of pre-publication copies of the report will be available at that time. By the close of business on May 30, a summary of the report will be made available through this web page; the full publication will be made available when final printed copies of the book are available (probably around the beginning of August). The committee also intends to conduct a second public briefing on the report in Menlo Park, California at SRI International. The briefing will be held in the Auditorium of the International Building from 10 to 11 am on Wednesday, June.5. The address is 333 Ravenswood Avenue, Menlo Park, California, 94025. For more information about the briefing at SRI, contact Alice Galloway at 415-859-2711 (alice_galloway at qm.sri.com). -Declan From snow at smoke.suba.com Thu May 30 00:38:07 1996 From: snow at smoke.suba.com (snow) Date: Thu, 30 May 1996 15:38:07 +0800 Subject: [crypto] crypto-protocols for trading card games In-Reply-To: Message-ID: On Wed, 29 May 1996, Alan Horowitz wrote: > What _did_ Solitaire do for Windows 3.1? Distract the attention of > the unwashed masses away from the actual merits of the beast? What "merits"? Petro, Christopher C. petro at suba.com snow at crash.suba.com From tcmay at got.net Thu May 30 01:05:57 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 30 May 1996 16:05:57 +0800 Subject: [crypto] crypto-protocols for trading card games Message-ID: At 8:56 PM 5/29/96, David F. 
Ogren wrote: >> On Wed, 29 May 1996, Simon Spero wrote: >> >> > Design a set of crypto protocols to support the issuing, trading, >> > and playing of such card games in real time (100ms compute time >> > per move) >> >> I'd been thinking about it from the opposite point of view: make up >> a card game (possibly electronic, like what you're proposing) that >> acts as intro to crypto for the untamed hordes of game players. >> >I've had similar ideas, but there are snags. Card playing via >encryption techniques is a great idea in theory, but in reality the >technical requirements often prevent implementation. I didn't comment earlier, because I didn't want to sound like the old-timer who claims an idea is an old one, but "card games" were in fact cited as a perfect example of a "tools needed" situation. At least 3 years ago, and probably closer to 3.5 years ago, there was discussion of the cryptographic primitives needed to play cards. (I mean on the Cypherpunks list...there was certainly academic research on "fair coin tosses over insecure lines" and "card games" going back at least 15 years. Specifically, some of the work on "mental poker" and "bit commitment" is very directly related to playing games over insecure lines.) In fact, one of the goals Eric Hughes and I had in our early discussions, before this group and this mailing list, was of what it would take to make real, or reify, the many academic results of cryptography. (Only the simplest of which are "secure communications" and "digital signatures.") Dice games, card games, numbers games, are only special cases of the larger issue of "mutually untrusted agents" and the interactions they can handle. I applaud Simon Spero's interest, even if it others raised similar issues a few years ago. Actually, little progress has been made, so there is much work still to be done. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. 
---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From rarab at localnet.com Thu May 30 01:38:45 1996 From: rarab at localnet.com (rarab at localnet.com) Date: Thu, 30 May 1996 16:38:45 +0800 Subject: Any pertinent info-remail,thanks. Message-ID: <199605300501.BAA09791@buffalo1.localnet.com> From tcmay at got.net Thu May 30 01:57:37 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 30 May 1996 16:57:37 +0800 Subject: A billion transistors on a chip Message-ID: At 9:01 PM 5/29/96, jim bell wrote: >At 03:46 PM 5/29/96 GMT, John Young wrote: >> 5-29-96. FiTi: >> >> Chips Galore [Editorial] >> Texas Instruments' claim to have developed a technology >> capable of inscribing 125m transistors, or computing >> elements, on a thumbnail-sized slice of silicon is >> remarkable chiefly because the technique is commonplace. > >Having been following the progress of IC technology for over 20 years, I can >recall when 1 million transistors/chip was the furthest-out prediction >"they" were willing to make. I was one of "them" as early as 1974, more than 22 years ago, when the leading chips of the day contained about 15,000 transistors. And I recall _many_ forecasts about the number of transistors which would be likely to be on a chip. Gordon Moore, a guy I had many dealings with in my years at Intel, had his charts and it was pretty clear where things were going. At least 20 years ago it was apparent that lithography trends would make a million transistors on a chip a reality by 1990, if not earlier. 
I recall Jim Meindl of Stanford, whose class I spoke to in the late 70s, was predicting a _billion_ transistors on a chip by the year 2000. I and my colleagues at Intel felt he was on target, and this was almost 20 years ago. And it appears he is on target, give or take a trivial factor of two or so. Final Note: I watched Jerry Junkins of T.I. make his "TImeline" (not to be confused with "TIMline") chip announcement yesterday, on CNN and CNBC. He died this morning of a heart attack, on a business trip to Germany. Texas Instruments was a rival of Intel's, but Junkins was undoubtetly a great business leader. He will be missed. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From declan at well.com Thu May 30 02:46:44 1996 From: declan at well.com (Declan McCullagh) Date: Thu, 30 May 1996 17:46:44 +0800 Subject: Update on CDA and copyright (5/29/96) Message-ID: ON THE CDA: Folks involved in the case expect a decision within the next week from the Philadelphia three-judge panel hearing our challenge to the CDA. The DoJ has a few weeks to appeal to the Supreme Court if they lose. -------------------------------------------------------------------------- ON COPYRIGHT: Regarding the online copyright legislation, there's plenty of action on the Hill -- and contrary to what I thought a week ago, there's even a fighting chance that this bill will pass this year. So far, full Senate judiciary and the House judiciary intellectual property subcommittee have held hearings. 
The House has taken the lead here, and the tentative date for the subcommittee markup of HR2441 is June 5. (It was to have been last week, but was cancelled at the last minute when no agreement was reached.) The Senate seems to be waiting to see what the House does before making any sudden moves. General feeling is that the legislation was on a fast schedule but has been slowed down considerably because of ongoing controvery over OSP liability and (especially) section 1201. The big snarl is over 1201, and some alliances of convenience are breaking down. More to the point, libraries are finally mobilizing grassroots opposition. Brock has a piece about this in a recent Muckraker on HotWired. (I'm hundreds of messages behind on cypherpunks so if you reply to this please copy me.) -Declan From stonnes at ix.netcom.com Thu May 30 03:02:33 1996 From: stonnes at ix.netcom.com (Steve Tonnesen) Date: Thu, 30 May 1996 18:02:33 +0800 Subject: Austin Cpunks Meet Saturday Message-ID: <2.2.32.19960530052417.0069af54@popd.ix.netcom.com> The Austin Cypherpunks will have a monthly general meeting on Saturday June 1 at 6:00PM at the Central Market Cafe on North Lamar. Look for the stack of crypto-related books. This is an informal meeting for discussion of assorted projects including the remailer, the video, recent crypto events, etc. -S From grafolog at netcom.com Thu May 30 04:41:15 1996 From: grafolog at netcom.com (jonathon) Date: Thu, 30 May 1996 19:41:15 +0800 Subject: Clipper III analysis In-Reply-To: Message-ID: Tim: On Wed, 29 May 1996, Timothy C. May wrote: > The issue with digital signatures is who _signed_ a document, not who > _wrote_ a document. For legal contracts and electronic cheques, yes. I was thinking of other uses for digital signatures, where being able to authenticate who wrote the document is the issue. 
xan jonathon grafolog at netcom.com ********************************************************************** * * * Opinions expressed don't necessarily reflect my own views. * * * * There is no way that they can be construed to represent * * any organization's views. * * * ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * * * http://members.tripod.com/~graphology/index.html * * * *********************************************************************** From EALLENSMITH at ocelot.Rutgers.EDU Thu May 30 06:47:01 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Thu, 30 May 1996 21:47:01 +0800 Subject: WWW Security Message-ID: <01I5AWXCU2K28Y51NQ@mbcl.rutgers.edu> I just noticed that the WWW-security mailing list and group are run out of Rutgers. What opinions do people have on the current drafts, references to which can be found at http://www.ietf.cnri.reston.va.us/html.charters/wts-charter.html? Thanks, -Allen From EALLENSMITH at ocelot.Rutgers.EDU Thu May 30 06:47:55 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Thu, 30 May 1996 21:47:55 +0800 Subject: Where does your data want to go today? Message-ID: <01I5AWSFT3H48Y51NQ@mbcl.rutgers.edu> From: IN%"mclow at owl.csusm.edu" "Marshall Clow" 29-MAY-1996 19:18:31.60 >* Why encrypt before compression? If the encryption is any good, then the >encrypted data won't compress much at all. However, compression before >encryption has its own problems. What problems does compression before encryption have? It at least seems to work for PGP. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Thu May 30 06:59:56 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. 
ALLEN SMITH) Date: Thu, 30 May 1996 21:59:56 +0800 Subject: Statistical analysis of anonymous databases Message-ID: <01I5AWJPQ4XE8Y51NQ@mbcl.rutgers.edu> From: IN%"alanh at infi.net" "Alan Horowitz" 29-MAY-1996 19:09:26.68 >I would ask, is there any known medical gain that has resulted from >such a data-base correllation. >I do not accept a researcher's own statements as to the utility of the work >(S)he's done with someone's funding. Seen too much of it at close >quarters... Nor do I accept reeports in the lay press - these are >nothing more than re-gurgitated press releases from PR depts of institutions. Medical gain? I was doing some research a bit back (paid for out of my own pocket, thank you very much) that involved such correlations. We've used them to revamp some allergy skin testing so that patients don't have to suffer so many tests. -Allen From gary at systemics.com Thu May 30 10:18:43 1996 From: gary at systemics.com (Gary Howland) Date: Fri, 31 May 1996 01:18:43 +0800 Subject: forged addresses In-Reply-To: <199605292012.NAA01475@toad.com> Message-ID: <31AD7B96.7BCD88A1@systemics.com> Nobody in particular wrote: > > Hi, I'm not sure if there was ever a thread on this, but I was wondering if > anyone can determine your real email address, if you were to fake it to your > email client. > > I hope that this doesn't offend anyone, since this is a high traffic list, but > I was wondering if this would work. To try it out, I setup my client to think > I was someone else, and sent myself an email. I could only figure out what > ISP it came from. It has been known for a very long time that email does not identify the user who sent the mail, only the machine or ISP that it was sent from (which in this case was Myna Communications). However, the machine/ISP will have logs which can identify the user. 
Gary -- pub 1024/C001D00D 1996/01/22 Gary Howland Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06 From declan at well.com Thu May 30 11:38:53 1996 From: declan at well.com (Declan McCullagh) Date: Fri, 31 May 1996 02:38:53 +0800 Subject: NRC crypto policy report to be released Thursday In-Reply-To: <199605300317.DAA09263@pipe2.t1.usa.pipeline.com> Message-ID: >From a friend who got a copy of the NRC report yesterday evening: > The report is very good. -Declan On Thu, 30 May 1996, John Young wrote: > Date: Thu, 30 May 1996 03:17:40 GMT > From: John Young > To: Declan McCullagh > Cc: cypherpunks at toad.com > Subject: Re: NRC crypto policy report to be released Thursday > > The initial September 14, 1994 announcement of the NRC National > Cryptography project is at: > > > http://www.wpi.edu/~ryant/ncp.html > > > It describes the program and lists committee members absolutely certain to > deny GAK tomorrow, trust them. > > > From rah at shipwright.com Thu May 30 12:09:24 1996 From: rah at shipwright.com (Robert Hettinga) Date: Fri, 31 May 1996 03:09:24 +0800 Subject: NSA's role in Digital Telephony bill... Message-ID: C'punks, I had dinner with another cypherpunk, Peter Cassidy, and he said that he just finished something for the Sacremento Bee's "Forum" section, which talks about the NSA's involvement in the Digital Telephony bill. Those of you who get the Bee might want to fill us in on the details, whenever the article. He said that the article might go to the wires, so we might see it elsewhere... Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." 
--Vinnie Moscaritolo The e$ Home Page: http://www.vmeng.com/rah/ From gary at systemics.com Thu May 30 15:33:35 1996 From: gary at systemics.com (Gary Howland) Date: Fri, 31 May 1996 06:33:35 +0800 Subject: [crypto] crypto-protocols for trading card games Message-ID: <199605301440.QAA29702@internal-mail.systemics.com> David F. Ogren wrote: > Cards are not transferrable. In order to make cards transferrable the > game company must be able to invalidate cards which have been traded > to others. In other words if Alice wants to give a cards to Bob she > must: > > 1. Contact the game company and tell them she wants to give the card > to Bob. 2. The game company must issue a new card to Bob with a new > serial number and with Bob's public key rather than Alice's. 3. The > game company must invalidate Alice's old card. Since there is no way > that the game company can make sure all copies of the card have been > destroyed it must create a "invalid serial number list" and have the > players dial into that list everytime the game is played. This is the double spending problem. > Since step 3 is so costly to implement, I think it is unlikely that a > cryptography-based trading card game will have tradable cards. Given that untraceability of tradable cards is less of an issue than with e-cash, why not have a central registry of the owners of the cards (which would consist of the card details paired with the public key of the owner)? Admittedly this means the players must be on line, but then we all know how difficult off line detection of double spenders is. For anyone who is _serious_ about starting work on such a game system, I have a few pieces of Perl and Java code that would really get you on your way - let me know if you are interested. 
Gary
--
pub 1024/C001D00D 1996/01/22 Gary Howland
Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06

From adam at lighthouse.homeport.org Thu May 30 15:37:38 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Fri, 31 May 1996 06:37:38 +0800
Subject: Statistical analysis of anonymous databases
In-Reply-To:
Message-ID: <199605301602.LAA13227@homeport.org>

The evidence about the dangers of smoking is largely based on huge data sets where large amounts of information were gathered and sifted through to eliminate other correlations, until only cigarettes were left.

Adam

Alan Horowitz wrote:
| I would ask, is there any known medical gain that has resulted from
| such a data-base correlation.
|
| I do not accept a researcher's own statements as to the utility of the work
| (S)he's done with someone's funding. Seen too much of it at close
| quarters... Nor do I accept reports in the lay press - these are
| nothing more than regurgitated press releases from PR depts of institutions.
|

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From mclow at owl.csusm.edu Thu May 30 15:38:27 1996
From: mclow at owl.csusm.edu (Marshall Clow)
Date: Fri, 31 May 1996 06:38:27 +0800
Subject: Where does your data want to go today?
In-Reply-To: <01I5AWSFT3H48Y51NQ@mbcl.rutgers.edu>
Message-ID:

At 12:47 AM -0700 5/30/96, E. ALLEN SMITH wrote:
>From: IN%"mclow at owl.csusm.edu" "Marshall Clow" 29-MAY-1996 19:18:31.60
>
>>* Why encrypt before compression? If the encryption is any good, then the
>>encrypted data won't compress much at all. However, compression before
>>encryption has its own problems.
>
> What problems does compression before encryption have? It at least
>seems to work for PGP.
>
Most compression schemes put a header/index on the front of the compressed data.
This makes recognizing the correct decryption very simple.

Call it a limited "known plaintext" situation.
-- Marshall

Marshall Clow
Aladdin Systems

"We don't have to take it; never have, never will.
Gonna shake it, gonna break it; let's forget it: better still"
--The Who, "Tommy"

From editor at cdt.org Thu May 30 16:09:50 1996
From: editor at cdt.org (Bob Palacios)
Date: Fri, 31 May 1996 07:09:50 +0800
Subject: Policy Post 2.21 - Your Privacy Online: CDT Unveils Demo & Clearinghouse
Message-ID:

-----------------------------------------------------------------------------
The Center for Democracy and Technology              Volume 2, Number 21
----------------------------------------------------------------------------
A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
CDT POLICY POST Volume 2, Number 21                        May 30, 1996

CONTENTS: (1) Your Privacy Online - CDT Unveils Demonstration and Clearinghouse
          (2) Join Rep. White Wed 6/5 At HotWired to Discuss the Internet
              Caucus, the CDA, and other Internet Policy Issues
          (3) Subscription Information
          (4) About CDT, contacting us

** This document may be redistributed freely with this banner intact **
Excerpts may be re-posted with permission of
-----------------------------------------------------------------------------

(1) Your Privacy Online - CDT Unveils Demonstration & Clearinghouse

Many people surf the World Wide Web with an illusion of anonymity, believing that their activities are unobserved and that they can explore the Internet without leaving a trail. In reality, this is not the case.
During the normal course of using the Internet, a great deal of personally revealing information is routinely generated, collected, and stored. Most of this information is collected for purposes of system maintenance, billing, or other necessary functions. But a sophisticated marketer, determined hacker, or law enforcement official can put together a detailed profile of your online activities, personal tastes, interests, habits and vices with relative ease. Today, the Center for Democracy and Technology unveiled an interactive privacy demonstration and privacy policy clearinghouse on our World Wide Web site. The demonstration is located at http://www.cdt.org/privacy/ The goals of the demonstration are two fold: 1. To educate the public about the extent to which personal information is automatically revealed online, and 2. To begin to make available examples of privacy and information usage policies that give people greater knowledge of and control over the personal information revealed online. The current focus of this "Privacy Clearinghouse" is centered on commercial online service providers (ie, America Online, CompuServe, Prodigy, Microsoft). Future updates of the clearinghouse will include information on Internet Service Providers, content providers, and web browser software. Future updates will also explore the extent that users can employ various technological solutions to control the collection and disclosure of personal information. FEDERAL TRADE COMMISSION TO HOLD HEARINGS ON ONLINE PRIVACY On June 4 and 5, the Federal Trade Commission (FTC) will hold hearings to explore online privacy issues. The FTC is particularly interested in exploring privacy protecting technologies which empower users to exercise more control over the collection and use of personally identifiable information online. CDT has been invited to present testimony at the hearings. 
Testimony and other background information on the FTC hearings will be available at CDT's web page at the end of next week. Details on the hearings are available at http://www.ftc.gov/.

WHY SHOULD NETIZENS CARE ABOUT THIS ISSUE?

Although it may not seem like it, someone is following you through cyberspace. Every time you retrieve a file, view an image, send an email message or jump to a new web site, a record is created somewhere on the Net. While much of this information may never be used, it can be, and you have little control over it.

In the hands of a marketer with a powerful computer, or the government, it is possible to build a detailed profile of your tastes and preferences by monitoring your online activities. The information can be used to send you unsolicited email or snail mail, to call you, or to even put you on a list of people likely to support a particular political candidate.

A single piece of information about you can support a tremendous range of activities. For example, if your repeated visits to web sites containing information on cigarettes result in free samples, coupons, or even email to you about a new tobacco product, you may not be concerned. However, if your visits to these web sites result in escalating insurance premiums due to categorization as a smoker - now you're beginning to get concerned.

HOW PERSONAL INFORMATION IS COLLECTED ONLINE

Web sites and Web browsers
--------------------------

Your personal information (including your hobbies, political and product interests and ways to contact you, such as your email address) can be collected by web sites in two ways: directly or indirectly.

* PASSIVE RECORDING OF TRANSACTIONAL INFORMATION: The transactional information revealed in the normal course of surfing the net reveals a great deal of information about your online activities.
When you visit a particular web site, for example, the webmaster can determine what files, pictures, or other information you are most interested in (and what you ignored), how long you examined a particular page, image or file, where you came from, where you went to.

Web servers collect transactional information in order to allow the system operator to perform necessary system maintenance, auditing, and other essential system functions. However, when correlated with other sources of personal information, including marketing databases, phone books, voter registration lists, etc, a detailed profile of your online activities can be created without your knowledge or consent.

* COOKIES: Additionally, many web browsers contain a feature called "cookies," or client-side persistent information. Cookies allow any web site to store information about your visit to that site on your hard drive. Every time you return to that site, "cookies" will read your hard drive to find out if you've been there before. (The Privacy Demonstration has a link to a site that utilizes cookies.)

* DIRECT DISCLOSURE OF PERSONAL INFORMATION: A growing number of web sites offer users the ability to register with the site. In many cases, registration brings real, important benefits, such as access to special areas, timely information, discounts, etc. While registration or other mechanisms by which users divulge personal information to a web site provide some obvious benefits to users, it also provides the site's operator with a detailed picture of how you use the site.

Regardless of how the information is obtained, a great deal of personally identifiable information is revealed in the normal course of surfing the web.

Commercial Online Service Providers
-----------------------------------

Commercial online service providers are configured in a variety of ways, but generally, little personally identifiable information is revealed to Internet sites visited directly from an online service.
If you subscribe to a commercial online service, your service provider has access to lots of information about your online activities. These records are generated in the normal course of using the service, and are important for billing and maintenance purposes. However, not all services treat the use and disclosure of this information the same way. Please visit The Center for Democracy and Technology's Clearinghouse on Privacy Policies (http://www.cdt.org/privacy/) for a detailed description of the information practices of the major commercial online services. Future updates of the clearinghouse will focus on other Internet entities, such as browsers, content providers, and Internet service providers. ------------------------------------------------------------------------ (2) JOIN CONGRESSMAN RICK WHITE (R-WA) LIVE ONLINE TO TALK ABOUT THE INTERNET CAUCUS, THE CDA, AND TAKE YOUR QUESTIONS Congressman Rick White (R-WA) will be live online at HotWired on Wednesday June 5 at 9:00 pm ET to discuss his efforts to encourage better communication between members of Congress and the Internet community, his plans for the Congressional Internet Caucus, and other topics. Representative White will also answer questions from Netizens. DETAILS ON THE EVENT * Wednesday June 5, 9 - 10 pm ET (6 pm Pacific) on HotWired URL: http://www.hotwired.com/wiredside/ To participate, you must be a registered HotWired member (there is no charge for registration). You must also have RealAudio(tm) and a telnet application properly configured to work with your browser. Please visit http://www.hotwired.com/wiredside/ for information on how you can easily register for Hotwired and obtain RealAudio. 
Wednesday's forum is another in a series of planned events, and is part of a broader project coordinated by CDT and the Voters Telecommunications Watch (VTW) designed to bring the Internet Community into the debate and encourage members of Congress to work with the Net.community on vital Internet policy issues. Transcripts from last week's discussion with Senator Leahy are available at http://www.cdt.org/crypto/. Events with other members of Congress working on Internet Policy Issues are currently being planned. Please check http://www.cdt.org/ for announcements of future events ------------------------------------------------------------------------ (3) SUBSCRIPTION INFORMATION Be sure you are up to date on the latest public policy issues affecting civil liberties online and how they will affect you! Subscribe to the CDT Policy Post news distribution list. CDT Policy Posts, the regular news publication of the Center For Democracy and Technology, are received by more than 9,000 Internet users, industry leaders, policy makers and activists, and have become the leading source for information about critical free speech and privacy issues affecting the Internet and other interactive communications media. To subscribe to CDT's Policy Post list, send mail to policy-posts-request at cdt.org with a subject: subscribe policy-posts If you ever wish to remove yourself from the list, send mail to the above address with a subject of: unsubscribe policy-posts ----------------------------------------------------------------------- (4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. The Center's mission is to develop and advocate public policies that advance democratic values and constitutional civil liberties in new computer and communications technologies. 
Contacting us: General information: info at cdt.org World Wide Web: URL:http://www.cdt.org/ FTP URL:ftp://ftp.cdt.org/pub/cdt/ Snail Mail: The Center for Democracy and Technology 1634 Eye Street NW * Suite 1100 * Washington, DC 20006 (v) +1.202.637.9800 * (f) +1.202.637.0968 ----------------------------------------------------------------------- End Policy Post 2.21 5/30/96 ----------------------------------------------------------------------- From modemac at netcom.com Thu May 30 16:12:23 1996 From: modemac at netcom.com (Modemac) Date: Fri, 31 May 1996 07:12:23 +0800 Subject: Scientology subpoenas operator of "freezone" anon remailer Message-ID: <199605301622.JAA06658@netcom4.netcom.com> Path: netcom.com!ixnews1.ix.netcom.com!howland.reston.ans.net!swrinde!newsfeed.internetmci.com!cdc2.cdc.net!news.texas.net!nntp.primenet.com!news.cais.net!bofh.dot!news.his.com!news.lightlink.com!light.lightlink.com!homer From: "Homer W. Smith" Newsgroups: alt.religion.scientology,alt.religion.scientology.xenu,comp.org.eff.talk,misc.legal Subject: Body of Subpoena (fwd) Date: Wed, 29 May 1996 15:12:09 -0400 Organization: ART MATRIX - LIGHTLINK Lines: 28 Distribution: inet Message-ID: NNTP-Posting-Host: light.lightlink.com Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII To: Multiple recipients of list IAP , Remailer Operators List Xref: netcom.com alt.religion.scientology:185032 comp.org.eff.talk:85083 misc.legal:174678 DOCUMENTS AND THINGS TO BE PRODUCED 1.) All documents relating to the posting, the header of which is attached hereto as Exhibit A, which was made through the anonymous remailer, freezone.remailer, including, without limitation, the identity of the person or persons who made the posting. 2.) All documents relating to logs or other records kept by the computer of any individuals who sent messages through freezone.remailer at the time the Exhibit A posting was made. 3.) 
All documents relating to how records are kept by the freezone.remailer computer of the source of postings made or messages sent through the computer.

Exhibit A is the header as received by netcom.com of Scamizdat #3, posted on April 1st 1995.

Homer

------------------------------------------------------------------------------
Homer Wilson Smith      News, Web, Telnet       Art Matrix - Lightlink
(607) 277-0959          SunOS 4.1.4 Sparc 20    Internet Access, Ithaca NY
homer at lightlink.com  info at lightlink.com   http://www.lightlink.com

--
Reverend Modemac (modemac at netcom.com)
First Online Church of "Bob"
"There is no black and white."
PGP Key Fingerprint: 47 90 41 70 B4 5B 06 90 7B 38 4E 11 8A ED 80 DF
URL: http://www.tiac.net/users/modemac/
(FINGER modemac at netcom.com for a FREE SubGenius Pamphlet!)

From gnu at toad.com Thu May 30 17:14:06 1996
From: gnu at toad.com (John Gilmore)
Date: Fri, 31 May 1996 08:14:06 +0800
Subject: NRC Cryptography Report: The Text of the Recommendations
Message-ID: <199605301742.KAA17655@toad.com>

Recommendation 1: No law should bar the manufacture, sale, or use of any form of encryption within the United States.

Recommendation 2: National cryptography policy should be developed by the executive and legislative branches on the basis of open public discussion and governed by the rule of law.

Recommendation 3: National cryptography policy affecting the development and use of commercial cryptography should be more closely aligned with market forces.

Recommendation 4: Export controls on cryptography should be progressively relaxed but not eliminated.

4.1 -- Products providing confidentiality at a level that meets most general commercial requirements should be easily exportable. Today, products with encryption capabilities that incorporate 56-bit DES provide this level of confidentiality and should be easily exportable.
4.2 -- Products providing stronger confidentiality should be exportable on an expedited basis to a list of approved companies if the proposed product user is willing to provide access to decrypted information upon legally authorized request.

4.3 -- The U.S. government should streamline and increase the transparency of the export licensing process for cryptography.

Recommendation 5: The U.S. government should take steps to assist law enforcement and national security to adjust to new technical realities of the information age.

5.1 -- The U.S. government should actively encourage the use of cryptography in nonconfidentiality applications such as user authentication and integrity checks.

5.2 -- The U.S. government should promote the security of the telecommunications networks more actively. At a minimum, the U.S. government should promote the link encryption of cellular communications and the improvement of security at telephone switches.

5.3 -- To better understand how escrowed encryption might operate, the U.S. government should explore escrowed encryption for its own uses. To address the critical international dimensions of escrowed communications, the U.S. government should work with other nations on this topic.

5.4 -- Congress should seriously consider legislation that would impose criminal penalties on the use of encrypted communications in interstate commerce with the intent to commit a federal crime.

[Page 28 of the "Overview and Recommendations". There's a lot more discussion of each of these in the whole overview, which should be up on the web late today at www2.nas.edu/cstbweb/.]

From guest at guest.com Thu May 30 17:27:17 1996
From: guest at guest.com (-)
Date: Fri, 31 May 1996 08:27:17 +0800
Subject: Asendmail Status & Politikal Rant
Message-ID: <31ADD5CE.3769@gate.net>

-----BEGIN PGP SIGNED MESSAGE-----

Ben Holiday wrote:

>On to politiks:
>
>I understand that the entire concept of this program is a bit
>controversial, and I can accept that.
Personally I am not certain exactly
>how to feel about it. I suppose that I am not thrilled about the idea of
>cloaking the mailer this way, but at the same time I perceive it as an
>evil of requirement.

Yes. Yet another example of Unintended Consequences. I seem to be hearing that meme more-and-more these days.

>I believe very strongly that remailers SHOULD exist,
>whether or not the CoS, or the FBI agree; and I am willing to be a bit
>impolite if that's what needs to be. My only hesitation is that I'm afraid
>now might be too soon.

Absolutely, I think no fair observer could say that "we" [I know, "there's no 'we'"] "started it." Your concern is valid, IMO, but it should be balanced with the equally-valid fear that later might be too late. I have said this many times, both privately and in public, but it bears repeating: "Things are likely to be worse after the election." Like many here, I am surprised, and somewhat happy [easy issue for my political party] that the administration is making GAK3 noises now, and still trying to Newspeak it into the word "escrow." <"Escrow"-rant resisted to save bandwidth>

...

>Anyway, someone raised the argument that the problem was political, and
>that a technical solution would do more harm than good - maybe you're
>right, I can't see the future, But it seems to me that I read somewhere
>that "Cypherpunks Write Code". This statement is amazingly profound in its
>implications.

You are right, but it all interacts, IMO, in a "team effort." cypherpunks DO write code, and politico-crypto-punks like me admire your work greatly. We also talk about it, and try to spread it around in order to "protect" it. Users are far better off if someone besides me writes their software, :) but I can help them install PGPetc. without too much trouble. [Besides, 2/3 of the Cybergate-cypherpunks seem to write excellent code. I could never compete!]
>Anonymous communication on the net depends on the technical solutions
>embodied in the current remailing software, and cryptography applications.
>If, years ago, the cypherpunks had decided that a publicity campaign,
>political lobbying, and apologizing were the right course of action,
>anonymous speech on the internet would be virtually non-existent today. If
>the cypherpunks decide today that coding is not the answer, where will
>free speech on the net be in 5 years? I think it is very naive to believe
>that the world is going to change enough, quickly enough, that remailers
>will become accepted, and protected, methods of speaking - no matter how
>politically correct we try to be.

Sadly, despite my and others' political work to make this statement untrue, I must again agree with Ben Holiday.

>Why do we see big business and big government launching a full frontal
>assault on the remailers, while the mailing lists continue to operate
>without incident? Because the enemies of free speech recognize where the
>true threat to their oppression lies. Relying on politics to preserve our
>rights is like throwing down your gun and asking the bear to please not
>eat you.

Agreed.

>The powers that be want us to shut up. The programs that we write are the
>weapons that will defend our right to speak.

Yes, and many like you fill another important function for us, a function for which many of you take personal risks and spend a lot of unpaid time (and I thank you). Without comparing the particular goals, individuals, or any other aspects of earlier movements to the "Internet Privacy movement" of today, I see examples from recent history of how we interact without always knowing it.

First, and despite current anti-gun sentiments among many of the same people, I think that the Civil Rights movement in the '60s _would_ have suffered more brutality from law enforcement and the KKK were it not for the armed Black Panthers, who had a diametrically opposed strategy.
Second, the more recent "environmental" movement has profited by continuously spinning off more radical factions of itself [ex. "Earth First!"] to make its positions seem more reasonable and reduce the chances of compromise. The key to success seems more to be the capability of more radical action, and yet avoidance of violence or even the advocacy of violence among the mainstream to maintain either good PR, principles, or both, while continuing the political-legal fight.

The "threat" of a technical solution "weapon" forces any political opponents to show their cards before they play (or just lie) and ideally involves (because it requires) *no* physical violence whatsoever.

Despite opinions to the contrary, "war is [still] the health of the state." -- I forget who said that, sorry.
JMR

Regards, Jim Ray -- DNRC Minister of Encryption Advocacy

"Why is it that hundreds of government and university machines can operate what amount to anonymous remailers, and no one pays any attention, and yet cypherpunks are threatened with jail time for what is essentially the same thing?" -- Ben Holiday
___________________________________________________________________
PGP id.E9BD6D35 51 5D A2 C3 92 2C 56 BE 53 2D 9C A1 B3 50 C9 C8
http://www.shopmiami.com/prs/jimray
___________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Freedom isn't Freeh.
-----END PGP SIGNATURE-----

From frantz at netcom.com Thu May 30 17:38:59 1996
From: frantz at netcom.com (Bill Frantz)
Date: Fri, 31 May 1996 08:38:59 +0800
Subject: NRC crypto policy report to be released Thursday
Message-ID: <199605301757.KAA20667@netcom7.netcom.com>

The San Jose Mercury News has the top business section article:

ON-LINE SECRECY WINS BACKING
Without it there could be havoc, panel says

Basically the report says the US will get more protection by using strong crypto to secure its networks and systems than by keeping weak crypto and allowing LEAs to read comm. The report describes GAK as "an untested, unproven technology that should not be foisted on the public until it is proven in extensive field use by the government."

A quote:

"We believe government policy should support the broad use of cryptography." ... "We believe it presents problems for the legitimate concerns of national security and law enforcement. But we also point out that strong cryptography is needed because of the proliferation of computer-based crimes, that it would deal with national security issues by protecting vital public networks." - Kenneth W. Dam, Chairman

------------------------------------------------------------------------
Bill Frantz        | The CDA means  | Periwinkle -- Computer Consulting
(408)356-8506      | lost jobs and  | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From ichudov at algebra.com Thu May 30 18:20:01 1996
From: ichudov at algebra.com (Igor Chudov @ home)
Date: Fri, 31 May 1996 09:20:01 +0800
Subject: Your experiences with CFS
Message-ID: <199605301910.OAA31166@manifold.algebra.com>

Hello,

Does anyone have any real experience running CFS under Linux (1.2.13)?
I was planning to start using it, but am concerned about its reliability. Has anyone experienced any glitches with CFS? How does CFS behave in case of a sudden power loss? Have you tried to use CFS under pre2.0 versions of linux? Thanks! - Igor. From jim at ACM.ORG Thu May 30 19:20:02 1996 From: jim at ACM.ORG (Jim Gillogly) Date: Fri, 31 May 1996 10:20:02 +0800 Subject: NRC's CRISIS report: Chairman's opening statement Message-ID: <199605301801.LAA25779@mycroft.rand.org> OPENING STATEMENT KENNETH DAM Max Pam Professor of American and Foreign Law University of Chicago Law School and Chair, Committee to Study National Cryptography Policy News Conference on Cryptography's Role in Securing the Information Society National Press Club Washington, D.C. May 30, 1996 *** Good morning. In this age of telecommunications and lightning-speed advances in computing, keeping private information private gets tougher all the time. Without proper safeguards, personal financial transactions, medical records, corporate secrets such as bidding information and proprietary research reports may be compromised by criminals and corporate spies. Without proper safeguards, crucial information systems such as those of the banking system and the public switched telecommunications network may be vulnerable to intrusion by terrorists, curious computer hackers, and unfriendly foreign governments. One of the best ways to protect electronic information is through encryption, which is the use of mathematical formulas to scramble information into digital codes. Once of concern only to spies and the military, cryptography has now become a vital tool for protecting the legitimate interests of the nation's businesses and the privacy of its citizens. This change has created a dilemma for the U.S. government because encryption also can be used in a wide range of illegitimate activities. 
Drug dealers, terrorists, and other criminals can use cryptography to thwart even legally authorized search and surveillance by law enforcement officials; foreign governments can encrypt information that the U.S. needs to protect its national security. Now the federal government -- which in the past has sought to restrict the spread of encryption -- must weigh the pros and cons of promoting broader use of cryptography. The National Research Council was asked by Congress to provide policy makers with guidance in making this assessment. Our study committee was made up of individuals with expertise in many relevant fields: technical expertise in computers, communications, and cryptography; policy experience in law enforcement, intelligence, civil liberties, national security, diplomacy, and international trade; business experience in telecommunications and computer hardware and software, as well as in protecting information in the for-profit and not-for-profit sectors. It was formed to examine the appropriate balance among various national security, law enforcement, business, and privacy interests. Our committee's broad conclusion is that the advantages of cryptography in safeguarding information outweigh the possible disadvantages of making apprehension and prosecution of criminals more difficult. Thus, we believe that federal policies should promote rather than discourage the use of encryption. For example, current export controls impede the use of strong encryption by U.S. firms with foreign customers and suppliers as well as reducing the availability of strong encryption domestically. The government needs to make it easier for U.S. companies operating internationally to use strong encryption, and for U.S. technology vendors to develop and sell cryptography products both in this country and abroad. Indeed, maintaining world leadership for U.S. 
information technology vendors is an important contribution to national security, as well as being important to the economy. Furthermore, the development of products with encryption should be driven largely by market forces rather than by government-imposed requirements or standards. There are no legal limits on the kinds of encryption that presently can be sold in the United States and we strongly endorse the idea that no law should bar the manufacture, sale, or use of any form of encryption within the United States. We do not believe that by adopting such a course the government would necessarily be choosing the interests of business and individuals over those of national security and law enforcement. We say this for two reasons. First, availability of encryption technologies will benefit law enforcement and national security. Here's how: by making economic espionage more difficult, cryptography supports law enforcement. By protecting elements of the civilian infrastructure such as banking, telecommunications, and air traffic control networks, cryptography safeguards national security. The second reason is that current national policy -- which discourages the use of cryptography despite its many valuable applications -- can at most delay encryption's spread. Already, the use of such technologies is growing, and in the long run, we believe widespread non-governmental use of cryptography in the United States and abroad is inevitable. The government should recognize this changing reality and help law enforcement and national security authorities develop the new technical capabilities they will need to conduct investigations and surveillance in a world in which information will be more protected and even unencrypted communications will be harder to read. Our report also urges that the government should explore escrowed encryption rather than the aggressive promotion that is the case today. 
Encrypted information is unintelligible to anyone lacking the keys to unlock the digital code. In escrowed encryption, the decoding key would be held by a trusted third-party organization or institution. This is attractive to law enforcement agencies because with a court order, they could obtain the key and unlock even the most unbreakable code. However, escrowed encryption is relatively untried and many unresolved issues remain, ranging from the liability of these third parties to the magnitude of the risk incurred by companies trusting these third parties with the keys to their sensitive business plans and trade secrets. Rather than aggressively promoting escrowed encryption, our committee believes that the government should explore escrowed encryption for its own purposes as a way of gaining operational experience with this technology and making it more useful to the commercial sector. Even when that occurs, we say that adoption of escrowed encryption or of any other specific technology or standard by the commercial sector should be voluntary and based on business needs, not government pressure. To make it easier for U.S. companies with foreign customers and suppliers to protect their information with the best encryption technologies, the committee believes that export controls should be progressively relaxed, though not eliminated. Right now federal law makes it hard to export strong encryption technology. This helps protect the government's ability to gather foreign intelligence. However, it also makes it more difficult for U.S. technology vendors to produce and sell cryptography products both here and overseas, and it limits what's available here because software companies are reluctant to develop different products for U.S. and foreign markets. And we call on the executive and legislative branches to develop national cryptography policy on the basis of open public discussion. 
In the past, government officials have treated many aspects of cryptography policy as "top secret," to be discussed only behind closed doors. This has led to considerable public distrust and resistance, which makes it impossible to achieve consensus.

In our report we point to a number of specific areas such as telecommunications and banking where the government should actively promote the adoption of encryption. For example, the privacy of the cellular phone and the security of the nation's telecommunications networks should be enhanced through the use of cryptography. In the case of the cellular phone many people have at home, the digital signals sent between the cell phone and the cell's ground station could be encrypted. This would prevent eavesdroppers from listening in on conversations.

Overall, we believe that adoption of our recommendations would lead to enhanced protection and privacy for individuals and businesses in many areas, while also bolstering the international competitiveness of U.S. companies.

My colleagues and I will now entertain questions from the media. Before asking a question, please step to an aisle microphone and state your name and affiliation.

----------------------------------------------------------------------------

From markm at voicenet.com Thu May 30 19:51:10 1996
From: markm at voicenet.com (Mark M.)
Date: Fri, 31 May 1996 10:51:10 +0800
Subject: Where does your data want to go today?
In-Reply-To:
Message-ID:

On Thu, 30 May 1996, Marshall Clow wrote:

> At 12:47 AM -0700 5/30/96, E. ALLEN SMITH wrote:
> >From: IN%"mclow at owl.csusm.edu" "Marshall Clow" 29-MAY-1996 19:18:31.60
> >
> >>* Why encrypt before compression? If the encryption is any good, then the
> >>encrypted data won't compress much at all. However, compression before
> >>encryption has its own problems.
> >
> > What problems does compression before encryption have? It at least
> >seems to work for PGP.
> >
>
> Most compression schemes put a header/index on the front of the
> compressed data.
> This makes recognizing the correct decryption very simple.
>
> Call it a limited "known plaintext" situation.

PGP, and I'm sure other encryption programs, strip this header off as there is no need for it. Compression actually makes encryption much stronger because it eliminates a lot of the patterns found in plaintext and makes cryptanalysis much harder.

-- Mark

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm at voicenet.com | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348
((2b) || !(2b)) | Old key now used only for signatures
"The concept of normalcy is just a conspiracy of the majority" -me

From gnu at toad.com Thu May 30 20:02:45 1996
From: gnu at toad.com (John Gilmore)
Date: Fri, 31 May 1996 11:02:45 +0800
Subject: NRC Cryptography Report: One More Recommendation
In-Reply-To: <199605301747.KAA17778@toad.com>
Message-ID: <199605301940.MAA22617@toad.com>

Sigh. Add one more Recommendation. It wasn't on the summary page of the fax copy I got, but it was in the text of the Report, and is in the Web page:

Recommendation 6: The U.S. government should develop a mechanism to promote information security in the private sector.

John

From stewarts at ix.netcom.com Thu May 30 20:39:30 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Fri, 31 May 1996 11:39:30 +0800
Subject: Internet traffic is monitored. [NOISE][BOGUS]
Message-ID: <199605302044.NAA24061@toad.com>

>> > Extrapolations of fact:
>> > 1. Internet traffic is monitored.
>> Maybe. But I doubt that the above story is true.
The story does have a high probability of being bogus, but it has the slight ring of plausibility that makes it good conspiracy-urban-legend material.

- The 3DES-encrypted stuff was allegedly posted to the MBONE, so many people _could_ have seen it, including Feds, without requiring any special Pervasive Monitoring Program.
- Single-DES encryption is commonly available, using tools like nevot and mmcc.
- Triple-DES encryption probably gets different headers, to tell the tools how to decrypt them, so you don't need cracking to know.

On the other hand, it'd be highly unlikely that the BATF would be involved. Maybe Customs, maybe the FBI, possibly even the Secret Service if they argue that it's computer crime. But it's not the BATF's turf. But then, the folks at Area 51 might _claim_ they're BATF.....

# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus inoculation

From rah at shipwright.com Thu May 30 21:48:48 1996
From: rah at shipwright.com (Robert Hettinga)
Date: Fri, 31 May 1996 12:48:48 +0800
Subject: ELSI: Electronic Licensing and Security Initiative
Message-ID:

--- begin forwarded text

X-Sender: oldbear at pop.tiac.net
Mime-Version: 1.0
Date: Thu, 30 May 1996 17:01:10 -0300
To: dcsb at ai.mit.edu (Digital Commerce Society of Boston)
From: The Arctos Group
Subject: ELSI: Electronic Licensing and Security Initiative

At 03:43 PM 5/30/96 -0400, Robert Hettinga wrote:

>Will,
>
>Will you send me another message with a paragraph about ELSI with the
>URL you gave me, and I'll put it into the e$pam and DCSB lists...
>
>Cheers,
>Bob

Sure. Here is the beginning of the press release:

Stream, LitleNet, BBN, and KPMG Announce Industry-Wide Initiative to Enable Wide Scale Software Electronic Commerce

Westwood, MA - May 7, 1996 - Supported by AT&T, IBM, First Data, Microsoft Stream International Inc.
and LitleNet in association with BBN and KPMG, announced today the formation of the Electronic Licensing and Security Initiative (ELSI). The objective of this initiative is to develop standards and build and operate a scalable clearinghouse infrastructure that will make electronic distribution of software secure, accountable, quick, and inexpensive. The group expects the ELSI clearinghouse, which will be designed to accommodate various industry approaches, to be operational in test mode by late 1996...

The "ELSI Clearinghouse Technology Backgrounder" which I pointed you to earlier is available at: http://www.litle.net/ELSI.html

The full text of the press release, with information about the several participants is available at: http://www.litle.net/cgi-bin/pr.cgi?pr=26

Cheers,
Will
The Old Bear

------------------------------------------------------------------------
The Arctos Group [Information Strategies for the Real Estate Industry]
Post Office Box 329 - Chestnut Hill, Massachusetts 02167-0003 USA
tel: 617.342.7411 - fax: 617.232.0025 - email: arctos at arctos.com
visit our WWW site at URL: http://www.arctos.com/arctos
------------------------------------------------------------------------

--- end forwarded text

-----------------
Robert Hettinga (rah at shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA
"If they could 'just pass a few more laws', we would all be criminals."
--Vinnie Moscaritolo
The e$ Home Page: http://www.vmeng.com/rah/

From mestema2 at pilot.msu.edu Thu May 30 22:15:44 1996
From: mestema2 at pilot.msu.edu (Marty Mestemaker)
Date: Fri, 31 May 1996 13:15:44 +0800
Subject: info about subscription
Message-ID: <01BB4E52.7C035AA0@pm101-22.dialip.mich.net>

From stewarts at ix.netcom.com Thu May 30 22:21:45 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Fri, 31 May 1996 13:21:45 +0800
Subject: Group-oriented Key Management (GKMP) protocol
Message-ID: <199605302159.OAA25583@toad.com>

There's an interesting proposal for a study at ORNL about key management for multicast applications. Unfortunately, the ietf drafts on the protocol itself have expired :-), but there are a couple of Postscript papers pointed to by Tom Dunigan's really extensive reference list http://www.epm.ornl.gov/~dunigan/security.html

The ORNL proposal is at http://www.epm.ornl.gov/~sgb/mvpnet.html

ABSTRACT

This proposal focuses on providing security in a multicast-based network such as the mbone. The proposed solution is application-based and works with all IP-multicast based routing protocols. It utilizes the group-oriented key management (GKMP) protocol which provides greater scaleability by removing the need for a separate key distribution center. Secondly, we look at ways of securing IP multicast from denial of service attacks.

......

The first step in implementing a secure multicast capability is the ability to provide group access control and a scaleable efficient key distribution mechanism. We propose implementing the Group-oriented Key Management (GKMP) protocol as the core of our group access scheme. GKMP currently only exists as a beta version at SPARTA. GKMP has become an experimental RFC and the code will be made publicly available by SPARTA.
# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus inoculation

From jimbell at pacifier.com Thu May 30 22:38:46 1996
From: jimbell at pacifier.com (jim bell)
Date: Fri, 31 May 1996 13:38:46 +0800
Subject: NRC Cryptography Report: The Text of the Recommendations
Message-ID: <199605302210.PAA26716@mail.pacifier.com>

At 10:42 AM 5/30/96 -0700, John Gilmore wrote:

>Recommendation 2: National cryptography policy should be developed by
>the executive and legislative branches on the basis of open public
>discussion and governed by the rule of law.

Why is it that we even need a "national cryptography policy"? We don't have a "national beer policy," do we? A "national furniture policy"? A "national pencil policy"? A "national movie policy"? The very concept of a "national cryptography policy" implies a level of centrally-controlled interest that is unjustified given our constitution and laws.

>Recommendation 3: National cryptography policy affecting the
>development and use of commercial cryptography should be more closely
>aligned with market forces.

Does this mean, "Give people what they want," or merely "suck up to industry"? There is a difference...

>Recommendation 4: Export controls on cryptography should be
>progressively relaxed but not eliminated.
>
> 4.1 -- Products providing confidentiality at a level that
> meets most general commercial requirements should be easily
> exportable. Today, products with encryption capabilities that
> incorporate 56-bit DES provide this level of confidentiality
> and should be easily exportable.

What if "commercial requirements" include security the NSA can't break?

> 4.2 -- Products providing stronger confidentiality should be
> exportable on an expedited basis to a list of approved
> companies if the proposed product user is willing to provide
> access to decrypted information upon legally authorized request.

Where's the justification for any restrictions at all?
We all know that good encryption is going to get out, anyway. No criminals are going to use escrowed encryption, which removes the justification for a restriction. And what is a "legally authorized request"? If an encryption user in another country is given a "legally authorized request" from a US court, in what way is it binding on HIM?

> 5.3 -- To better understand how escrowed encryption might
> operate, the U.S. government should explore escrowed
> encryption for its own uses. To address the critical
> international dimensions of escrowed communications, the U.S.
> government should work with other nations on this topic.

Why are these "critical international dimensions"? Why "critical"? I don't see it as coming even close to being "critical."

> 5.4 -- Congress should seriously consider legislation that
> would impose criminal penalties on the use of encrypted
> communications in interstate commerce with the intent to
> commit a federal crime.

Gee, I wonder who they're thinking of! What's wrong with just punishing the underlying crime? What about some day, when encrypted telephones are ubiquitous, and we use them without thought? Does that mean we're all guilty of an extra crime or two, just by using that crypto phone?
Jim Bell
jimbell at pacifier.com

From editor at cdt.org Fri May 31 00:15:44 1996
From: editor at cdt.org (Bob Palacios)
Date: Fri, 31 May 1996 15:15:44 +0800
Subject: CDT Policy Post 2.22 - NRC Report Calls Admin Crypto Policy Into Question
Message-ID:

-----------------------------------------------------------------------------
   _____ _____ _______
  / ____|  __ \__   __|   ____        ___               ____             __
 | |    | |  | | | |     / __ \____  / (_)______  __   / __ \____  _____/ /_
 | |    | |  | | | |    / /_/ / __ \/ / / ___/ / / /  / /_/ / __ \/ ___/ __/
 | |____| |__| | | |   / ____/ /_/ / / / /__/ /_/ /  / ____/ /_/ (__  ) /_
  \_____|_____/  |_|  /_/    \____/_/_/\___/\__, /  /_/    \____/____/\__/
  The Center for Democracy and Technology  /____/         Volume 2, Number 22
----------------------------------------------------------------------------
 A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
CDT POLICY POST Volume 2, Number 22                            May 30, 1996

CONTENTS:
(1) NRC Report Calls Admin. Crypto Policy Into Question
(2) Join Rep. White Wed 6/5 At HotWired to Discuss the Internet Caucus, the CDA, and other Internet Policy Issues
(3) Subscription Information
(4) About CDT, contacting us

** This document may be redistributed freely with this banner intact **
Excerpts may be re-posted with permission of
-----------------------------------------------------------------------------

(1) NATIONAL RESEARCH COUNCIL REPORT CALLS ADMINISTRATION CRYPTO

A blue ribbon panel of experts today released a comprehensive report on the state of US encryption policy that calls the Administration's current cryptography policy into question. The 500 page report, sponsored by the National Research Council (NRC), highlights the need for strong, reliable encryption to protect individual privacy, provide security for businesses, and maintain national security.
Among other things, the report describes how the current US encryption policy is not working, notes that classified information is not relevant to the policy debate, and outlines the adverse impact export restrictions have had on the domestic market. In addition, the study emphasizes that market forces and user choices, not law enforcement or national security interests, should drive the development of encryption technologies and the debate over US cryptography policy.

The report, entitled "Cryptography's Role in Securing the Information Society", provides an important starting point for an honest and open debate on this critical issue. A summary of the report's most important findings and an overview of its policy recommendations is included below.

OVERVIEW OF SOME OF THE REPORT'S MOST IMPORTANT FINDINGS

For the past 3 years, the US government has attempted to leverage the need for strong encryption and the desire of US businesses to export strong privacy and security products as a means to impose key-escrow encryption. The result of this has been a policy morass which has stifled innovation, limited the availability of strong, easy to use encryption technologies, and endangered the ability of US companies to compete in the global information marketplace.

While acknowledging the complexities and challenges associated with the encryption policy debate, the study's findings directly undermine the Administration's current approach to cryptography policy. The report concludes by noting that the "[w]idespread commercial and private use of cryptography in the United States and abroad is inevitable in the long run and that its advantages, on balance, outweigh its disadvantages. The committee concluded that the overall interests of the government and the nation would best be served by a policy that fosters a judicious transition toward the broad use of cryptography."
The NRC study identified several critical issues: * CURRENT US ENCRYPTION POLICY IS NOT WORKING: The study is highly critical of the current ad-hoc approach to US encryption policy, particularly the reliance on export controls. The study states explicitly, "Current national cryptography policy is not adequate to support the information security requirements of an information society." The study goes on to note, "Indeed, current policy discourages the use of cryptography, whether intentionally or not, and in so doing impedes the ability of the nation to use cryptographic tools that would help to remediate certain important vulnerabilities. For example, through the use of export controls, national policy has explicitly sought to limit the use of encryption abroad but has also had the effect of reducing the domestic availability to businesses and other users of products with strong encryption capabilities." * CLASSIFIED INFORMATION IS NOT RELEVANT TO THE POLICY DEBATE: The NRC report explicitly states that classified information is "not particularly relevant" to the policy debate. The study states, "The debate over national cryptography policy can be carried out in a reasonable manner on an unclassified basis." The study goes on to note, "Although many of the details relevant to policy makers are necessarily classified, these details are not central to making policy arguments one way or another. Classified material, while important to operational matters in specific cases, is neither essential to the big picture or why policy has the shape and texture that it does today nor required for the general outline of how technology will, and why policy should, evolve in the future." This is a startling revelation which will profoundly alter the encryption policy debate. No longer can the government claim, "If you knew what we knew, you would understand this issue." 
It also suggests that, while national security and law enforcement interests are an important element in the debate, there is no "secret-silver-bullet" which trumps all other considerations. From now on, the debate over cryptography policy should occur in the open, with all issues aired publicly. By removing its arguments from the veil of secrecy, the government can go a long way towards building the trust of the public. * EXPORT CONTROLS DO INFLUENCE THE DOMESTIC MARKET AND HARM COMPETITIVENESS OF US INDUSTRY: The NRC study confirms what civil liberties advocates and the computer industry have long argued: that the current administration policy of limiting the export of strong encryption is impacting the domestic market and harming US business. The study states, "Export controls also have had the effect of reducing the domestic availability of products with strong encryption capabilities... Thus, domestic users face a more limited range of options for strong encryption than they would in the absence of export controls." * MARKET FORCES, NOT GOVERNMENT INTERESTS, SHOULD DRIVE THE POLICY DEBATE: The study stresses that the domestic availability of encryption should not be restricted in any way, and that the market of individual users, rather than the government's interests, should drive the development of technology and policy. The study notes, "As cryptography has assumed a greater importance to non government interests, national cryptography policy has become increasingly disconnected from market reality and the needs of parties in the private sector ... A national cryptography policy that is aligned with market forces would emphasize the freedom of domestic users to determine cryptographic functionality, protections, and implementations according to their security needs as they see fit." The study is without a doubt the most comprehensive and balanced analysis of the complex encryption policy debate yet published. 
While stressing the need for strong encryption to protect individual privacy and to maintain the competitiveness of US industry in the global marketplace, the report also acknowledges the real challenges posed to law enforcement and national security by the global proliferation of strong encryption technologies. The authors of the study deserve great credit for their work in producing what will clearly become the basis for an open and honest public debate over the need to reform US encryption policy. Information on how to obtain a copy of the document is available at OVERVIEW OF THE NRC REPORT'S POLICY RECOMMENDATIONS The report also outlines several recommendations for a national cryptography policy. An overview of these recommendations is attached below. CDT will post an analysis of the NRC's policy recommendations in the near future. Recommendations of the Committee for national cryptography policy would: 1. Free domestic manufacture, sale, and use of encryption -- The committee argued that any future legal prohibitions on the domestic use of any kind of cryptography are "inappropriate." While no such prohibitions are currently in effect, many encryption users have been concerned over law enforcement's articulated desire to slow the domestic use of encryption. 2. Call for open policy-making process -- The report supports the development of national cryptography policy based on open public discussion. Policy to date has often taken place outside of the public eye, and with little guidance from Congress or the general public. 3. Align national policy with market and user demand -- The report notes that national policy has "become increasingly disconnected from market reality and the needs of parties in the private sector." 4. Progressively relax, but not eliminate, export controls -- The committee recommends that export controls should be "progressively relaxed but not eliminated." This would include: 4.1. 
Products that meet "most general commercial requirements" for confidentiality should be exportable -- The report suggested that 56-bit DES products would meet this need and should be exportable today, and that this level of security should be increased over time. The report noted that DES provides a significantly more attractive level of security than 40-bit products currently exportable, without imposing too great a burden on national security as many sophisticated targets do not use U.S. products today. 4.2. Stronger products should be exportable to a list of approved companies if access to decrypted information is provided -- The report argues that exports of encryption greater than 56-bit DES should be permitted for "trustworthy" users who will guarantee access to decrypted information upon a legally authorized request. The report does, however, acknowledge the significant privacy and security concerns raised by any such "key escrow" plan. 4.3. The U.S. government should streamline the export licensing process. 5. Provide assistance for law enforcement -- The report recognizes that "cryptography is a two-edged sword" for law enforcement, providing both a tool to help prevent crime such as economic espionage, fraud, or destruction of the information infrastructure, and a potential impediment to law enforcement investigations and signals intelligence. Specific suggestions to assist in adjustment to "new technical realities of the information age" include: 5.1. The government should encourage use of encryption for authentication and integrity. 5.2. The government should promote telecommunications security, especially for cellular phones and telephone switches. 5.3. The government should explore escrowed encryption for its own uses. The report recommends further use of escrowed encryption for government purposes as a testbed for the technical and privacy concerns raised by key escrow policies. 
The report acknowledged many of the problems of escrow, and noted that escrow may never be adopted freely by the market for real-time communications but that such communications will be of less concern to law enforcement over time. 5.4. The government should seriously consider criminalizing "the use of encrypted communications in interstate commerce with the intent to commit a federal crime." The report acknowledged the risks posed by such legislation, including ambiguity about what is an encrypted communication, how to deal with automatic or ubiquitous encryption, and how to define intent and the need for an underlying criminal conviction. 5.5. Research and development of additional capabilities for law enforcement should be given a high priority. 6. The government should develop a mechanism to promote information security in the private sector. CDT will post an analysis of the report's recommendations soon. In the meantime, detailed background information on the encryption policy debate, including the text of several bills pending before the Congress to liberalize the export of encryption technology, is available at CDT's encryption policy web page: http://www.cdt.org/crypto/. ------------------------------------------------------------------------ (2) JOIN CONGRESSMAN RICK WHITE (R-WA) LIVE ONLINE TO TALK ABOUT THE INTERNET CAUCUS, THE CDA, AND TAKE YOUR QUESTIONS Congressman Rick White (R-WA) will be live online at HotWired on Wednesday June 5 at 9:00 pm ET to discuss his efforts to encourage better communication between members of Congress and the Internet community, his plans for the Congressional Internet Caucus, and other topics. Representative White will also answer questions from Netizens. DETAILS ON THE EVENT * Wednesday June 5, 9 - 10 pm ET (6 pm Pacific) on HotWired URL: http://www.hotwired.com/wiredside/ To participate, you must be a registered HotWired member (there is no charge for registration). 
You must also have RealAudio(tm) and a telnet application properly configured to work with your browser. Please visit http://www.hotwired.com/wiredside/ for information on how you can easily register for Hotwired and obtain RealAudio. Wednesday's forum is another in a series of planned events, and is part of a broader project coordinated by CDT and the Voters Telecommunications Watch (VTW) designed to bring the Internet Community into the debate and encourage members of Congress to work with the Net.community on vital Internet policy issues. Transcripts from last week's discussion with Senator Leahy are available at http://www.cdt.org/crypto/. Events with other members of Congress working on Internet Policy Issues are currently being planned. Please check http://www.cdt.org/ for announcements of future events ------------------------------------------------------------------------ (3) SUBSCRIPTION INFORMATION Be sure you are up to date on the latest public policy issues affecting civil liberties online and how they will affect you! Subscribe to the CDT Policy Post news distribution list. CDT Policy Posts, the regular news publication of the Center For Democracy and Technology, are received by more than 9,000 Internet users, industry leaders, policy makers and activists, and have become the leading source for information about critical free speech and privacy issues affecting the Internet and other interactive communications media. To subscribe to CDT's Policy Post list, send mail to policy-posts-request at cdt.org with a subject: subscribe policy-posts If you ever wish to remove yourself from the list, send mail to the above address with a subject of: unsubscribe policy-posts ----------------------------------------------------------------------- (4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. 
The Center's mission is to develop and advocate public policies that advance democratic values and constitutional civil liberties in new computer and communications technologies.

Contacting us:

General information: info at cdt.org
World Wide Web: URL:http://www.cdt.org/
FTP URL:ftp://ftp.cdt.org/pub/cdt/

Snail Mail: The Center for Democracy and Technology
1634 Eye Street NW * Suite 1100 * Washington, DC 20006
(v) +1.202.637.9800 * (f) +1.202.637.0968

-----------------------------------------------------------------------
End Policy Post 2.22 5/30/96
-----------------------------------------------------------------------

From hfinney at shell.portal.com Fri May 31 00:24:01 1996
From: hfinney at shell.portal.com (Hal)
Date: Fri, 31 May 1996 15:24:01 +0800
Subject: NRC Cryptography Report: The Text of the Recommendations
In-Reply-To: <199605301742.KAA17655@toad.com>
Message-ID: <199605302304.QAA14424@jobe.shell.portal.com>

I read the overview of this, and while it is good that the report calls for maintaining the legality of domestic encryption and some slight loosening of the export rules, overall I was disappointed.

First, the report reads as though the intended audience is law enforcement and security personnel. The perspective seems to generally be from the points of view of those bodies. This is just a subjective impression I have and it would be interesting to hear whether other people feel the same.

Second, although they go to some lengths to emphasize the importance of an open, unclassified process, and that the report itself is completely unclassified, there are some curious omissions. For example, recommendation 4.1 is that 56-bit DES encryption should be exportable. However, they follow that by saying, "Products covered under Recommendation 4.1 must be designed in a way that would preclude their repeated use to increase confidentiality beyond the acceptable level."
This is then followed with a couple of pages of justification for why this relaxation of the export policies should be allowed. Much is made of the fact that people will be more likely to use 56 bit encryption than the 40 bit which is currently allowed. (This is an example of the perspective issue I mentioned above.) However, nowhere is it stated why more than 56 bits is not OK, and why it is necessary to forbid repeated use to increase confidentiality. There is not one word of discussion of this proviso.

I suspect the reason is that the NSA can break 56 bit DES but cannot break higher levels. But the report doesn't say so. Presumably this is because that fact is classified. Okay, but it seems hypocritical to make much of the fact that the discussion is open, and then to limit the recommendations by considerations which can't be discussed openly. I also think it is sneaky that they bury this limitation in text which will not be seen by people who read only the recommendations.

Third, although in broad terms the report is supportive of the use of cryptography, the specific recommendations do very little to liberalize current policies. Free domestic access to cryptography is already the law. Raising the export size limit from 40 to 56 bits is a step forward, but a small one. Beyond 56 bits they recommend the requirement of escrowed encryption. Given current moves to standardize on triple DES, this is a retrenching action. They recommend criminalizing the use of cryptography in committing crimes, admitting that this may be used in some cases (as comparable mail fraud statutes have been) to bring prosecutions against people who cannot be proven to have committed any other crime. "[T]he committee understands that it is largely the integrity of the judicial and criminal justice process that will be the ultimate check on preventing its use for such purposes."
Fourth, recommendation 5.2, to promote the use of link encryption for cellular phones, is designed to reduce privacy, not help it. "Recommendation 5.2 is an instance of a general philosophy that link (or node) security provided by a service provider offers more opportunities for providing law enforcement with legally authorized access than does security provided by the end user." When I wrote my letter to the NRC during their comment period (available at ) I made a similar point, but with the opposite conclusion, that end to end encryption would be preferred. Overall, I am disappointed that the report seems to adopt so much of the point of view of those forces which will oppose the use of cryptography. At best it seems to be a recognition that change is inevitable, and that the most that can be hoped for is to ease the transition to a world where people have free access to privacy tools. But in the meantime it appears designed to delay the transition rather than advance it. Hal From jya at pipeline.com Fri May 31 01:14:46 1996 From: jya at pipeline.com (John Young) Date: Fri, 31 May 1996 16:14:46 +0800 Subject: The Full NRC Crypto Report Message-ID: <199605302337.XAA26658@pipe2.t1.usa.pipeline.com> We got a copy of the full 434-page NRC report today at the D.C. public meeting, headed noted "May 30, 1996, Prepublication Copy subject to Further Editorial Correction." We are now scanning it and would be interested to know if anyone else is doing so we don't duplicate the task. The full report consists of 32 pages of intro, 276 pages of main text in 8 parts, and 126 pages of 14 appendices. We note that the CSTB Web version of the Overview does not include the Contents of the full report as did the printed Overview available at the meeting. We will post the Contents here shortly to give a taste. And later give a Web site for the Thing. BTW, there was a press briefing on the report at 11:00 AM, so stories may be in the works. 

From Cyber9090 at aol.com Fri May 31 01:19:13 1996
From: Cyber9090 at aol.com (Cyber9090 at aol.com)
Date: Fri, 31 May 1996 16:19:13 +0800
Subject: unsubscibe
Message-ID: <960530201605_124302710@emout10.mail.aol.com>

unsubscibe cypherpunks cyber9090 at aol.com

From Cyber9090 at aol.com Fri May 31 01:23:01 1996
From: Cyber9090 at aol.com (Cyber9090 at aol.com)
Date: Fri, 31 May 1996 16:23:01 +0800
Subject: unsubscibe
Message-ID: <960530201539_124302386@emout16.mail.aol.com>

unsubscibe cyberpunks cyber9090 at aol.com

From shamrock at netcom.com Fri May 31 01:35:27 1996
From: shamrock at netcom.com (Lucky Green)
Date: Fri, 31 May 1996 16:35:27 +0800
Subject: Java Crypto API questions
Message-ID:

Today, CP's own Marianne Mueller was scheduled to give a talk at JavaOne on the eagerly awaited (at least by this user) Java Crypto API. I could not attend the conference, but downloaded the slides for the presentation

Viewing the slides left me with some questions that I hope someone that attended the talk might be able to answer:

o "Developers do not call into Security Packages directly." It seems the developer calls java.security (presumably provided by Sun), which then will call the Security Packages. Is this view correct?

o "Security Packages must be signed. Policy for signing is public and open." I assume the packages must be signed by Sun. How much will it cost to have a package signed? How do I obtain a copy of this "public and open" policy?

o "Exportable API. Exportable applications." One code example shows performing a DES encryption. Another slide mentions "Support for [...] RSA." This is exportable? What am I missing?

o Where can I get more info on "Jeeves", the Java HTTP Server?

TIA,

Disclaimer: My opinions are my own, not those of my employer.

-- Lucky Green
PGP encrypted mail preferred.

From mixmaster at remail.ecafe.org Fri May 31 01:35:39 1996 From: mixmaster at remail.ecafe.org (Ecafe Mixmaster Remailer) Date: Fri, 31 May 1996 16:35:39 +0800 Subject: Do you know what to do with this? Message-ID: <199605310225.CAA10359@avignon.hypereality.co.uk> well, someone stuffed this in my mailbox, with a note asking that I "delete my email address and send it to the world." im not sure what to make of it but maybe someone here will better know what do do with it. ---------- Forwarded message ---------- [headers snipped] delete my email addresses and send it to the world. these are the people who i suspect of terrorism related activities. the country they are residing in is pakistan. the address are 1-)12 ,a,b,c chinar roadu.town not marked no no no name. 2-) 6chinar road,utown peshawar,next to former prov minister ghani dad khan's house not marked, nothing written on the gate no no,no name. 3-)32b actually 12e or 14 chinar road university town peshawar. marked as 32b 4-)11 chinar road university town peshawar 5-)18 or 20chinar road university town peshawar not marked.no no. the cars are 1_)prk 9325 or 9327,a sudanese doctor ali working for the islamic relief agency mental hospital chinar road university town peshawar. 2-) a silver pajero prn or prh 6973 or 6874 4-)a white toyota landcruiser prl 8470 5-) a white pajero ningrahar(afghan) 63or ngr 133, a white girl .sometimes it has the no ngr134 on it. 6-a white pajero prp 2364 5-)a cream coloured suzuki jeep prm 6872 the cars that used to come to their house during the xmas break or on sundays when the american diplomats went to isb and they took them out the year was 1993-94 1-a red american jeep cc64-138 2-a blue old senator cc64-47 another blue senator ad 64-47 3- a white toyota land cruiser pro or prp 3305. 4- agrey american jeep prp 1228 5- a toyota pickup pro1269 or pro1260 6- ablue pajero prl 2667 7- a rust coloured corona prn 2147 8-) a white pajero ad44-104. 9-)the other cars that come are cc29-??? 
and cc-19 they people who come to these houses are sudanese, one phillipino woman some afghans or arabs it is difficult to tell. and a lot of white people, who mostly ride on pakistani made sohrab cycles or toyota pickups,probably muslim converteees. the cc64-138 jeep used to be driven by a pakistani looking guy ,dark with spectacles. the other pakistani nos they kept on changing ,so iam not sure if these are the correct nos 10- awhite nissan patrol x68-2199. 11-PRP 1228 grey american jeep just look for the addresses,most of the car nos are from the year 1993 so they might have changed them since.most of these people belong to the islamic relief agency. From tien at well.com Fri May 31 01:36:05 1996 From: tien at well.com (Lee Tien) Date: Fri, 31 May 1996 16:36:05 +0800 Subject: NRC crypto report Message-ID: <199605310140.SAA03680@mh1.well.com> I'm told the study officially emerges from the National Academy Press as a book early August. Until then, apparently, the only available copies will be a limited number of pre-publication drafts issued at events like the one scheduled at SRI International, 333 Ravenswood Avenue, Menlo Park on June 5. A long way of saying that to get a copy of the whole thing, not a summary, attend on Wednesday. Lee From EALLENSMITH at ocelot.Rutgers.EDU Fri May 31 01:58:24 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Fri, 31 May 1996 16:58:24 +0800 Subject: An alternative to remailer shutdowns Message-ID: <01I5BYGFWN5S8Y52RR@mbcl.rutgers.edu> From: IN%"stewarts at ix.netcom.com" "Bill Stewart" 29-MAY-1996 19:17:02.67 >On the other hand, if the Church of Spam tries to frame remailers >by posting their own Secret Documents, they can only target the >terminal remailers and as far back as they can subpoena, >because they'd otherwise have to admit that they posted it. Unfortunately, you may very well be incorrect on this. 
I had a chat with Uni over email a couple of days ago, and he reminded me of the possibility of them doing this through an account that wasn't obviously theirs, then claiming the initial remailer operator was negligent in not filtering the mail. The way to counter this is to only accept mail that's already encrypted to another remailer (i.e., Mixmaster with outgoing mail from non-remailers only to other remailers). If the judge is going to find a remailer operator responsible for the content of material he/she can't even read, then the remailer network is dead in its present form anyway. There's also the analogous consideration for outgoing remailers; they may need to send only encrypted mail to the transient end point(s), and the end points may need to be anonymous both in input and output. If the last remailer can read the material, then the Co$ or whoever can argue that they should filter it. The end point has to be able to read it for public messages (I'm not counting encrypted posts meant for one or a few people as public messages) to go out, so the end point would be vulnerable to lawsuits, etcetera if its identity were known. We've thus got to have the initial user choosing the ephemeral end point, and sending it to that end point encrypted for that end point. Since a well-known end point (e.g., everybody knows where to send mail to) is likely to get shut down quickly (much more so for its input end than would otherwise be the case, if the input and output ends are separate), I would suggest having the ephemeral end point owners send an appropriately encrypted message to the remailer operators, or (preferably) to a subset of them (thus being able to spot any corrupted remailer who consistently blows the gaff). 
This message would contain the public key for an end point or set of end points, a random number associated with that public key (although a KeyID or fingerprint might do instead), plus input end addresses for each of the end points run using that public key; this would all be signed with the public key in question. (Having it on the keyservers so as to build up reputation through signatures would be good in addition, with some appropriate pseudonymous UserID to link it with). Remailer users would then get the random number plus its associated public key upon mailing a remailer with an appropriate help request. If a remailer received for output a number it didn't recognize, I would suggest remailing the information - encrypted appropriately - to another remailer. One additional advantage of this system would be that the end users wouldn't need to know about changes in input end points - their mail would simply go to whichever of the available input end points corresponding to that public key & random number that that remailer knew and happened to randomly select.

>There's been some discussion of delivering outgoing mail by
>sending it through systems that don't add Received: headers;
>it may make sense for non-root-owned remailers to do this
>using telnet to port 25 instead of their local sendmail,
>to prevent local logging and prevent their sendmail from
>adding its own information. Some sendmails try to detect forgery,
>but systems that aren't even configured to do Receive: probably don't.

I had wondered about Port 25 as one possibility for this. Incidentally, I forgot to save the posting from someone who had commented about AOL sending out lots of membership kits with free net time - useful for ephemeral end points, although the anonymity would be a problem. It might be interesting to find out what mailing lists they're getting their lists from - magazines catering to the middle+ classes is my guess.
-Allen

From declan at eff.org Fri May 31 02:01:19 1996
From: declan at eff.org (Declan McCullagh)
Date: Fri, 31 May 1996 17:01:19 +0800
Subject: Fight-Censorship Dispatch #11: Landmark Crypto Study Released
Message-ID:

-----------------------------------------------------------------------------
Fight-Censorship Dispatch #11
-----------------------------------------------------------------------------
Landmark NRC crypto policy report released
-----------------------------------------------------------------------------
By Declan McCullagh / declan at well.com / Redistribute freely
-----------------------------------------------------------------------------

In this dispatch:
National Research Council releases crypto policy study
Summary of NRC report recommendations
Update on online copyright legislation and the CDA

May 30, 1996

WASHINGTON, DC -- The National Research Council released their hefty, long-awaited report on crypto policy today at a two-hour briefing this afternoon at the National Press Club in Washington, DC.

The NRC's Computer Science and Telecommunications Board's congressionally-mandated study, named "Cryptography's Role in Securing the Information Society," calls for no restrictions on domestic use of crypto but falls short of recommending that export controls should be eliminated. Instead, the report says that controls "should be progressively relaxed."

The inch-thick study is certain to pack a sizeable wallop in the DC crypto policy debate, coming on the heels of the Clinton administration's "Clipper III" white paper and the crypto legislation pending in Congress.

Kenneth Dam, a law professor at the University of Chicago and the chair of the NRC committee, summed it up: "We're going to have a national public debate and Congress has to be involved. We hope this report contributed to it."

After Dam's overview, Marc Rotenberg from EPIC asked: "There are many issues left unresolved or open by your report. What happens next with key escrow?"
Rotenberg also asked about the right to speak anonymously online, which the report didn't address.

Dam hedged, as he did throughout the Q&A session: "We did not set out to evaluate key escrow. With regard to the right to speak anonymously, we saw nothing in our report that requires us to take a position. Accountability is a competing interest. It was not vital to our report."

The RAND Corporation's Willis Ware clarified: "We by no means advocate authentication in a universal sense."

Strangely, the executive summary doesn't even mention Pretty Good Privacy -- the NRC only recommended that 56-bit DES "should be easily exportable," ignoring PGP completely. The text of Recommendation 4.1 says "products providing confidentiality at a level that meets most general commercial requirements should be easily exportable." But does that cover the export of PGP?

The report also says, in Recommendation 5.4, that Congress should consider legislation that would criminalize the use of crypto to commit a Federal crime. This portion also attracted flames. Some audience members wondered if this means crypto would continue to be treated as a munition, like guns, that can be regulated.

Bottom line: the report is much more favorable than we hoped for, though it doesn't have everything we want. It *is* surprisingly pro-crypto considering that all but three of the 16 committee members had security clearances and were subjected to the NSA's classified briefing -- widely rumored to be designed to scare the recipient into agreeing to restrictions on encryption.

As David Sobel from EPIC told me: "These people *did* know what the NSA knew -- but they still rejected the administration's policy."

CDT's Danny Weitzner wrote: "The study is without a doubt the most comprehensive and balanced analysis of the complex encryption policy debate yet published."

Fortunately, the voluminous report comes with a 35-page executive summary that's available at .
The full text of the report will be available online next week. (Pre-publication hardcopies were distributed at the briefing and will be available from the National Academy Press for $45. Call 202-334-2605 in two months.)

+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+
SUMMARY OF NRC REPORT RECOMMENDATIONS
+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+

Recommendation 1: No law should bar the manufacture, sale, or use of any form of encryption within the United States.

Recommendation 2: National cryptography policy should be developed by the executive and legislative branches on the basis of open public discussion and governed by the rule of law.

Recommendation 3: National cryptography policy affecting the development and use of commercial cryptography should be more closely aligned with market forces.

Recommendation 4: Export controls on cryptography should be progressively relaxed but not eliminated.

  4.1 -- Products providing confidentiality at a level that meets most general commercial requirements should be easily exportable. Today, products with encryption capabilities that incorporate 56-bit DES provide this level of confidentiality and should be easily exportable.

  4.2 -- Products providing stronger confidentiality should be exportable on an expedited basis to a list of approved companies if the proposed product user is willing to provide access to decrypted information upon legally authorized request.

  4.3 -- The U.S. government should streamline and increase the transparency of the export licensing process for cryptography.

Recommendation 5: The U.S. government should take steps to assist law enforcement and national security to adjust to new technical realities of the information age.

  5.1 -- The U.S. government should actively encourage the use of cryptography in nonconfidentiality applications such as user authentication and integrity checks.

  5.2 -- The U.S. government should promote the security of the telecommunications networks more actively. At a minimum, the U.S. government should promote the link encryption of cellular communications and the improvement of security at telephone switches.

  5.3 -- To better understand how escrowed encryption might operate, the U.S. government should explore escrowed encryption for its own uses. To address the critical international dimensions of escrowed communications, the U.S. government should work with other nations on this topic.

  5.4 -- Congress should seriously consider legislation that would impose criminal penalties on the use of encrypted communications in interstate commerce with the intent to commit a federal crime.

+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+
UPDATE ON ONLINE COPYRIGHT LEGISLATION AND THE CDA
+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+

ON THE CDA: Folks involved in the case expect a decision within the next week from the Philadelphia three-judge panel hearing our challenge to the CDA. The Department of Justice has a few weeks to appeal to the Supreme Court if they lose.

ON COPYRIGHT: There's plenty of action on the Hill -- and contrary to what I thought a week ago, there's even a fighting chance that this braindead copyright bill will pass this year. So far, full Senate judiciary and the House judiciary intellectual property subcommittee have held hearings. The House has taken the lead now, and the tentative date for the subcommittee markup of HR2441 is June 5. (It was to have been last week, but was cancelled at the last minute when no agreement was reached.)

As Brock Meeks wrote in his Muckraker column on HotWired:

Both bills contain intellectual property land mines.
If they aren't defused, all online service providers - from the single-line BBS to commercial online services to internet service providers - could end up as de facto "copyright cops," made to rig their systems so that they can monitor every single bit of information trafficked by their users. Reason: both bills hold online service providers liable for any infringing information passing through or stored on their system.

There are other reasons not to like this bill, including language that makes surfing the Net a copyright violation unless you happen to have a "license" for hitting a particular site with your browser. You see, the courts have ruled that simply sucking bits into your computer's memory, i.e. surfing, is the same as making a copy of something. No, I'm not making this up.

Stay tuned for more reports.

-----------------------------------------------------------------------------
Mentioned in this Fight-Censorship Dispatch:

NRC report overview text:
Info on online copyright legislation:
Brock Meeks' column on online copyright:

This and previous Fight-Censorship Dispatches are available at:

Want to subscribe to the low-traffic, moderated fight-censorship announcement mailing list for future Fight-Censorship Dispatches and related messages?
Send "subscribe fight-censorship-announce" in the body of a message addressed to:

majordomo at vorlon.mit.edu

Other relevant web sites:
-----------------------------------------------------------------------------

From jya at pipeline.com Fri May 31 02:03:54 1996
From: jya at pipeline.com (John Young)
Date: Fri, 31 May 1996 17:03:54 +0800
Subject: NRC Report Contents
Message-ID: <199605310124.BAA06936@pipe2.t1.usa.pipeline.com>

[Report Cover]

[Header all pages] May 30, 1996, Prepublication Copy Subject to Further Editorial Correction

Cryptography's Role in Securing the Information Society

Kenneth Dam and Herbert Lin, Editors

Committee to Study National Cryptography Policy
Computer Science and Telecommunications Board
Commission on Physical Sciences, Mathematics, and Applications
National Research Council

National Academy Press
Washington, D.C. 1996

____________________________________________________________

Contents

PREFACE
  Introduction
  Charge of the Committee to Study National Cryptography Policy
  What This Report Is Not
  On Secrecy and Report Time Line
  A Note from the Chair
  Acknowledgments

EXECUTIVE SUMMARY

A ROAD MAP THROUGH THIS REPORT

PART I -- FRAMING THE POLICY ISSUES

1 GROWING VULNERABILITY IN THE INFORMATION AGE
  1.1 The Technology Context of the Information Age
  1.2 Transitions to an Information Society -- Increasing Interconnections and Interdependence
  1.3 Coping with Information Vulnerability
  1.4 The Business and Economic Perspective
    1.4.1 Protecting Important Business Information
    1.4.2 Ensuring the Nation's Ability to Exploit Global Markets
  1.5 Individual and Personal Interests in Privacy
    1.5.1 Privacy in an Information Economy
    1.5.2 Privacy for Citizens
  1.6 Special Needs of Government
  1.7 Recap

2 CRYPTOGRAPHY: ROLES, MARKET, AND INFRASTRUCTURE
  2.1 Cryptography in Context
  2.2 What Is Cryptography and What Can It Do?
  2.3 How Cryptography Fits into the Big Security Picture
    2.3.1 Technical Factors Inhibiting Access to Information
    2.3.2 Factors Facilitating Access to Information
  2.4 The Market for Cryptography
    2.4.1 The Demand Side of the Cryptography Market
    2.4.2 The Supply Side of the Cryptography Market
  2.5 Infrastructure for Widespread Use of Cryptography
    2.5.1 Key Management Infrastructure
    2.5.2 Certificate Infrastructures
  2.6 Recap

3 NEEDS FOR ACCESS TO ENCRYPTED INFORMATION
  3.1 Terminology
  3.2 Law Enforcement: Investigation and Prosecution
    3.2.1 The Value of Access to Information for Law Enforcement
    3.2.2 The Legal Framework Governing Surveillance
    3.2.3 The Nature of Surveillance Needs of Law Enforcement
    3.2.4 The Impact of Cryptography and New Media on Law Enforcement (Stored and Communicated Data)
  3.3 National Security and Signals Intelligence
    3.3.1 The Value of Signals Intelligence
    3.3.2 The Impact of Cryptography on SIGINT
  3.4 Similarities and Differences Between Foreign Policy/National Security and Law Enforcement Needs for Communications Monitoring
    3.4.1 Similarities
    3.4.2 Differences
  3.5 Business and Individual Needs for Exceptional Access to Protected Information
  3.6 Other Types of Exceptional Access to Protected Information
  3.7 Recap

PART II -- POLICY INSTRUMENTS

4 EXPORT CONTROLS
  4.1 Brief Description of Current Export Controls
    4.1.1 The Rationale for Export Controls
    4.1.2 General Description
    4.1.3 Discussion of Current Licensing Practices
  4.2 Effectiveness of Export Controls on Cryptography
  4.3 The Impact of Export Controls on U.S. Information Technology Vendors
    4.3.1 De Facto Restrictions on the Domestic Availability of Cryptography
    4.3.2 Regulatory Uncertainty Related to Export Controls
    4.3.3 The Size of the Affected Market for Cryptography
    4.3.4 Inhibiting Vendor Responses to User Needs
  4.4 The Impact of Export Controls on U.S. Economic and National Security Interests
    4.4.1 Direct Economic Harm to U.S. Businesses
    4.4.2 Damage to U.S. Leadership in Information Technology
  4.5 The Mismatch Between the Perceptions of Government/National Security and Those of Vendors
  4.6 Export of Technical Data
  4.7 Foreign Policy Considerations
  4.8 Technology-Policy Mismatches
  4.9 Recap

5 ESCROWED ENCRYPTION AND RELATED ISSUES
  5.1 What Is Escrowed Encryption?
  5.2 Administration Initiatives Supporting Escrowed Encryption
    5.2.1 The Clipper Initiative and the Escrowed Encryption Standard
    5.2.2 The Capstone/Forteza (sic) Initiative
    5.2.3 The Relaxation of Export Controls on Software Products Using "Properly Escrowed" 64-bit Encryption
    5.2.4 Other Federal Initiatives in Escrowed Encryption
  5.3 Other Approaches to Escrowed Encryption
  5.4 The Impact of Escrowed Encryption on Information Security
  5.5 The Impact of Escrowed Encryption on Law Enforcement
    5.5.1 Balance of Crime Enabled vs. Crime Prosecuted
    5.5.2 Impact on Law Enforcement Access to Information
  5.6 Mandatory vs. Voluntary Use of Escrowed Encryption
  5.7 Process Through Which Policy on Escrowed Encryption Was Developed
  5.8 Affiliation and Number of Escrow Agents
  5.9 Responsibilities and Obligations of Escrow Agents and Users of Escrowed Encryption
    5.9.1 Partitioning Escrowed Information
    5.9.2 Operational Responsibilities of Escrow Agents
    5.9.3 Liabilities of Escrow Agents
  5.10 The Role of Secrecy in Ensuring Product Security
    5.10.1 Algorithm Secrecy
    5.10.2 Product Design and Implementation Secrecy
  5.11 The Hardware/Software Choice in Product Implementation
  5.12 Responsibility for Generation of Unit Keys
  5.13 Issues Related to the Administration Proposal to Exempt 64-bit Escrowed Encryption in Software
    5.13.1 The Definition of "Proper Escrowing"
    5.13.2 The Proposed Limitation of Key Lengths to 64 Bits or Less
  5.14 Recap

6 OTHER DIMENSIONS OF NATIONAL CRYPTOGRAPHY POLICY
  6.1 The Communications Assistance for Law Enforcement Act
    6.1.1 Brief Description of and Stated Rationale for the CALEA
    6.1.2 Reducing Resource Requirements for Wiretaps
    6.1.3 Obtaining Access to Digital Streams in the Future
    6.1.4 The CALEA Exemption of Information Service Providers and Distinctions Between Voice and Data Services
  6.2 Other Levers Used in National Cryptography Policy
    6.2.1 Federal Information Processing Standards
    6.2.2 The Government Procurement Process
    6.2.3 Implementation of Policy: Fear, Uncertainty, Doubt, Delay, Complexity
    6.2.4 R&D Funding
    6.2.5 Patents and Intellectual Property
    6.2.6 Formal and Informal Arrangements with Various Other Governments and Organizations
    6.2.7 Certification and Evaluation
    6.2.8 Nonstatutory Influence
    6.2.9 Interagency Agreements Within the Executive Branch
  6.3 Organization of the Federal Government with Respect to Information Security
    6.3.1 Role of National Security vis-a-vis Civilian Information Infrastructures
    6.3.2 Other Government Entities with Influence on Information Security
  6.4 International Dimensions of Cryptography Policy
  6.5 Recap

PART III--POLICY OPTIONS, FINDINGS, AND RECOMMENDATIONS

7 POLICY OPTIONS FOR THE FUTURE
  7.1 Export Control Options for Cryptography
    7.1.1 Dimensions of Choice for Controlling the Export of Cryptography
    7.1.2 Complete Elimination of Export Controls on Cryptography
    7.1.3 Transferral of All Cryptography Products to the Commerce Control List
    7.1.4 End-use Certification
    7.1.5 Nation-by-Nation Relaxation of Controls and Harmonization of U.S. Export Control Policy on Cryptography with Export/Import Policies of Other Nations
    7.1.6 Liberal Export for Strong Cryptography with Weak Defaults
    7.1.7 Liberal Export for Cryptographic Applications Programming Interfaces
    7.1.8 Liberal Export for Escrowable Products with Encryption Capabilities
    7.1.9 Alternatives to Government Certification of Escrow Agents Abroad
    7.1.10 Use of Differential Work Factors in Cryptography
    7.1.11 Separation of Cryptography from Other Items on the U.S. Munitions List
  7.2 Alternatives for Providing Government Exceptional Access to Encrypted Data
    7.2.1 A Prohibition of the Use and Sale of Cryptography Lacking Features for Exceptional Access
    7.2.2 Criminalization of the Use of Cryptography in the Commission of a Crime
    7.2.3 Technical Non-Escrow Approaches for Obtaining Access to Information
    7.2.4 Network-based Encryption
    7.2.5 Distinguishing Between Encrypted Voice and Data Communications Services for Exceptional Access
    7.2.6 A Centralized Decryption Facility for Government Exceptional Access
  7.3 Looming Issues
    7.3.1 The Adequacy of Various Levels of Encryption Against High-Quality Attack
    7.3.2 Organizing the U.S. Government for Better Information Security on a National Basis
  7.4 Recap

8 SYNTHESIS, FINDINGS, AND RECOMMENDATIONS
  8.1 Synthesis and Findings
    8.1.1 The Problem of Information Vulnerability
    8.1.2 Cryptographic Solutions to Information Vulnerabilities
    8.1.3 The Policy Dilemma Posed by Cryptography
    8.1.4 National Cryptography Policy for the Information Age
  8.2 Recommendations
  8.3 Additional Work Needed
  8.4 Conclusion

APPENDIXES
  A Contributors to the NRC Project on National Cryptography Policy
  B Glossary
  C A Brief Primer on Cryptography
  D An Overview of Electronic Surveillance: History and Current Status
  E A Brief History of Cryptography Policy
  F A Brief Primer on Intelligence
  G The International Scope of Cryptography Policy
  H Summary of Important Requirements for a Public-Key Infrastructure
  I Industry-Specific Dimensions of Security
  J Examples of Risks Posed by Unprotected Information
  K Cryptographic Applications Programming Interfaces
  L Laws, Regulations, and Documents Relevant to Cryptography
  M Other Looming Issues Related to Cryptography Policy
  N Federal Information Processing Standards

[End Contents]

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 31 02:39:40 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E.
ALLEN SMITH)
Date: Fri, 31 May 1996 17:39:40 +0800
Subject: Edited ACLU News
Message-ID: <01I5BZJM1TGG8Y52RR@mbcl.rutgers.edu>

From: IN%"rre at weber.ucsd.edu" 30-MAY-1996 01:11:39.86
From: Phil Agre

>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>This message was forwarded through the Red Rock Eater News Service (RRE).
>Send any replies to the original author, listed in the From: field below.
>You are welcome to send the message along to others but please do not use
>the "redirect" command. For information on RRE, including instructions
>for (un)subscribing, send an empty message to rre-help at weber.ucsd.edu
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>Date: Wed, 29 May 1996 11:57:30 GMT
>From: ACLU Newsfeed Owner
>To: news at aclu.org

[...]

> *Ban on "Offensive" Comments Ruled Vague*
>SAN FRANCISCO -- A state law against "offensive" personal comments by lawyers
>was ruled unconstitutionally vague Friday for the second time, despite the
>State Bar's attempt to define it, the Associated Press reports.
>The 9th U.S. Circuit Court of Appeals first struck the law down in April
>1995, overturning a disciplinary order against a Los Angeles attorney who
>denounced women lawyers, the AP reported. In a 3-0 ruling, the court said the
>law was so broad and undefined that lawyers wouldn't know when they were
>violating it.
>The panel granted a rehearing last December to give the state and the State
>Bar, not previously parties, a chance to defend the law.
>The bar cited its new policy, adopted in October, that said the law would be
>enforced only against conduct in a courtroom or similar setting, such as a
>sworn deposition, that was so serious as to be "prejudicial to the
>administration of justice." They also said the law merely enforced an ethical
>code that lawyers were required to know as part of their profession.
>The court was unpersuaded, AP said, reaffirming its previous decision in a
>2-1 ruling.
>The case involved a disciplinary order against attorney Frank L. Swan, who
>wrote an angry note in May 1993 to a female prosecutor who had gotten him
>removed from a case. He attached the following statement to the note,
>photocopied from a magazine article:
>"Male lawyers play by the rules, discover truth and restore order. Female
>lawyers are outside the law, cloud truth and destroy order."
>In overturning the disciplinary order, the appeals court said the note showed
>a "patently sexist attitude'' but did not impugn the female prosecutor's
>integrity or interfere with the administration of justice.
>The American Civil Liberties Union defended Swan. The National Organization
>for Women was among those opposing him.

One notices that the court did not strike this down on the obvious grounds of free speech. I believe this may be an example of a law, not struck down on such grounds, that fits TCMay's description that Rich disputed.

>----------------------------------------------------------------
> *Clinton Expands National ID*
>Seeking to further demonstrate its tough stance against illegal immigration,
>the Clinton Administration announced Thursday a national expansion of a pilot
>program in California that requires participating employers to verify the
>legal status of job seekers, according to a front page article in the New
>York Times.
>Specifically, the Immigration and Naturalization Service reached agreement
>with the nation's four largest meat-packing companies (representing 80
>percent of the industry's 70,000 employees) to use a computerized data system
>at 41 plants in 12 Western and Midwestern states to determine if job
>applicants are documented workers.
>The ACLU and other civil libertarians have long criticized the plan, saying
>it would lead to a costly, intrusive and error-prone national identification
>card.
>The effort announced today builds on the seven-month-old pilot program in two >Southern California counties, Santa Ana and the City of Industry. >Meanwhile, immigration bills approved by the House and the Senate, and now >awaiting resolution in a conference committee, include differing provisions >that would expand pilot programs even further to allow the INS to more >quickly evaluate among different systems. >"These pilot programs all lead down the same path," said Greg T. Nojeim, an >ACLU Legislative Counsel. "Unless the public steps up its pressure to stop >them from proceeding, the government will build a giant computer registry >that will require every single hiring decision in this country to be cleared >through a centralized database." From snow at smoke.suba.com Fri May 31 03:42:15 1996 From: snow at smoke.suba.com (snow) Date: Fri, 31 May 1996 18:42:15 +0800 Subject: Something that just crossed my mind. Sorry. Message-ID: In some of the discussion on this list there has been some concern about the governments position on anonymous fund transfers. Well, maybe concern is incorrect. We _know_ (or should) what it is. They are dead set against it. My thought was that business would be against it as well, which would make it even harder to implement. Now maybe this has been dicussed in the years before I got here, so if it has, sorry. The discussion here seems to assume that business will accept, or even welcome the ability of it's customers to remain unknown, or nymknown. It is my position (until proven wrong--please) that larger business DON'T want anonymity. They _want_ to be able to track purchases and use of their product for several reasons. These are still pretty rough, but: 1) Marketing. Here in chicago, there is a grocery store that issues a discount/check cashing card. Because this card is a Check Cashing card you need to give financial data to get it. This data includes address, bank account info etc. 
This card is presented at purchase time, and is of course personalized and your purchases are (assumptions from here to end) tracked, and can be used to develop targeted marketing (with the development of print on demand systems, this becomes even easier). The use of anonymity (at this point you don't _need_ to get the card, unless you want to use a check, so cash (how I pay, my wife is different) is still viable) would ruin this. Why would they want to change?

2) For larger purchases, this data gathering is even more important. I am sure that GM, Ford, Toyota et al. keep and compile extensive demographic information on their customers for use in product development and target marketing.

It is my belief that it is in fact big business that drives the legislation in this country, and if they want anonymous fund transfers, they will get it. Most people would be more than willing to use anonymous purchasing, but big business doesn't currently want it, and IMO, they never will. Smaller business would welcome it, but many of these businesses are the very businesses that many fundamentalist/feminist/statist types would like to eliminate. Porn, Sex trade, and drug trade (which is already pretty anonymous) all fall into this category.

The questions that this raises are:

1) Am I full of shit. This is very possible.
2) What pressure can we put on the government to go against both their own wishes and the wishes of Big Business (answer: none, or very little)
3) Given 2, what can be done to change the minds of Big Business?

Not to say that the protocols and software shouldn't be developed and deployed. It should, to prove that it works, and to allow those willing to use it to do so. If it proves popular and economically viable, it could do 3, and then 2 would not be necessary.

Then again, given 1...

Petro, Christopher C.
petro at suba.com
snow at crash.suba.com

From EALLENSMITH at ocelot.Rutgers.EDU Fri May 31 03:43:27 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Fri, 31 May 1996 18:43:27 +0800
Subject: Possible out-of-US remailer sites, 2nd edition
Message-ID: <01I5C4N7IN5C8Y52T1@mbcl.rutgers.edu>

This is the second edition of my listing of possible good companies outside the US from which to run an anonymous remailer, assuming telnetting to a UNIX shell in most cases. (Those marked with a + have access through PPP, SLIP, or similar protocols). I have removed Malaysia from the listing due to its government's suppression of free speech/press, which Rich Graves was kind enough to point out to me. The countries on here are a mixture of those with strong support for free speech/press, and those with useful laws regarding offshore companies, through which a for-profit remailer might be run with limited liability.

_Country/Area_   _Name_                              _Email_
Anguilla         Cable & Wireless                    webmaster at candw.com.ai
Anguilla         Offshore Information Services***    info at offshore.com.ai
Antigua          Cable & Wireless                    scholla at candw.ag
Barbados         CaribSurf                           webmaster at caribsurf.com
Denmark          cybernet.dk                         info at cybernet.dk
Finland          Clinet                              clinet at clinet.fi
Finland          Net People                          helpdesk at netppl.fi
Finland          Xgateway Finland*                   pal at xgw.fi
Iceland          Multimedia Consumer Services        mmedia at mmedia.is
Isle of Man      Advanced Systems Consultants**      info at advsys.co.uk
Jamaica          InfoChannel                         icquery at infochan.com
Liechtenstein    Ping Services                       afink at ping.ch
Liechtenstein    Online Store                        webmaster at onlinestore.com
Malta            maltaNET                            info at maltanet.omnes.net
New Zealand      +PlaNet Free NZ                     support at planet.gen.nz
New Zealand      +PlaNet FreeNZ Wellington           tich at wn.planet.gen.nz
New Zealand      The Internet Group                  info at ihug.co.nz
New Zealand      +Manawatu Internet Services         info at manawatu.gen.nz
New Zealand      Wave Internet Services              accounts at wave.co.nz
Sweden           FX                                  fx at uni-x.se
Sweden           Internet One**                      Support at one.se
Sweden           Kajplats 305                        info at kajen.malmo.se

* = This organization has on its main page a link to a document called the "Declaration of an Independent Internet."
It thus may be possible to persuade them to support a remailer at reduced or no charge as part of this.

** = This organization's main page has the EFF blue ribbon, unlike others.

*** = This organization is run by a cypherpunk, Vince Cate. It does have the disadvantages of requiring $50 a month or $420 a year for a telnet-only UNIX shell, with a limit of 50 MB/month for mail without extra charges. However, its charge is $20 a month or $168 a year for a POP account, although the limit is then 20 MB/month for mail without extra charges.

I would appreciate comment on all aspects of this list. These include: additional companies and countries to add; companies or countries to take off (international politics & law is not my subject); and suggestions about where to look for more (it is quite possible that I did not locate all the lists of out-of-US ISPs).

-Allen

From stewarts at ix.netcom.com Fri May 31 04:24:48 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Fri, 31 May 1996 19:24:48 +0800
Subject: Possible out-of-US remailer sites, 2nd edition
Message-ID: <199605310555.WAA01089@dfw-ix6.ix.netcom.com>

>_Country/Area_   _Name_                              _Email_
>Anguilla         Cable & Wireless                    webmaster at candw.com.ai
>Anguilla         Offshore Information Services***    info at offshore.com.ai
....

Cool list - thanks! Cable & Wireless, by the way, is a major carrier in a number of places in the world, so it may have to tolerate government regulations more than a small or non-telecom business would. On the other hand, when I've done traceroutes to Vince's machine, they went through C&W, so if there were really major pressure on C&W, they might end up having to cut off Vince and other small remailers anyway.

There are a number of small countries that aren't part of the US/European/Chinese/Singaporean Hegemonies, where telecom is expensive and Fidonets and uucp are the way to get email there. If you're willing to pay some money to support one, you might get some real anonymity for financially critical data.
Also, there are periodic articles in magazines like Wired about how George Soros is wiring the Balkans; perhaps someone there would like to make some money running remailers. There was one in Slovenia for a while, though I don't know if it was physically there or only had a .si domain.

# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus innoculation

From frantz at netcom.com Fri May 31 04:45:01 1996
From: frantz at netcom.com (Bill Frantz)
Date: Fri, 31 May 1996 19:45:01 +0800
Subject: NRC Cryptography Report:
Message-ID: <199605310619.XAA02330@netcom7.netcom.com>

Some dumb questions from a citizen.

Note: Recommendation summaries are from "Fight-Censorship Dispatch #11: Landmark Crypto Study Released", posted by Declan McCullagh. Thanks Declan.

>Recommendation 4: Export controls on cryptography should be
>progressively relaxed but not eliminated.
>
> 4.1 -- Products providing confidentiality at a level that
> meets most general commercial requirements should be easily
> exportable. Today, products with encryption capabilities that
> incorporate 56-bit DES provide this level of confidentiality
> and should be easily exportable.

How do you reconcile this recommendation with the recommendation of the Cryptography experts group that data which needs to be kept secret for 20 years should be protected by at least 90 bit keys?

The current export restrictions inhibit using strong crypto domestically. How does this recommendation free domestic crypto for commercial development? Another way of asking is, how can strong crypto be distributed in the US so as to preclude prosecution for exporting it?

How do future export controls affect software posted to FTP/web sites?

>
> 5.3 -- To better understand how escrowed encryption might
> operate, the U.S. government should explore escrowed
> encryption for its own uses. To address the critical
> international dimensions of escrowed communications, the U.S.
> government should work with other nations on this topic.

How do government experiments with key recovery systems help us learn about their vulnerabilities to human level attacks, e.g. bribery? How much negotiable value will these government systems carry?

How will GAKed systems protect US business from spying by foreign governments? France is rumored to be particularly active in commercial spying, and will want access to all keys used in France.

------------------------------------------------------------------------
Bill Frantz       | The CDA means  | Periwinkle -- Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From ogren at cris.com Fri May 31 05:12:29 1996
From: ogren at cris.com (David F. Ogren)
Date: Fri, 31 May 1996 20:12:29 +0800
Subject: (Fwd) Re: [crypto] crypto-protocols for trading card games
Message-ID: <199605310701.DAA16729@darius.cris.com>

-----BEGIN PGP SIGNED MESSAGE-----

Gary Howland asked me to forward his response to the mailing-list:

- ------- Forwarded Message Follows -------
Date: Thu, 30 May 1996 12:12:48 +0200
From: Gary Howland
Organization: Systemics Ltd.
To: ogren at cris.com
Subject: Re: [crypto] crypto-protocols for trading card games

David F. Ogren wrote:

> Cards are not transferrable. In order to make cards transferrable
> the game company must be able to invalidate cards which have been
> traded to others. In other words if Alice wants to give a card to
> Bob she must:
>
> 1. Contact the game company and tell them she wants to give the card
> to Bob. 2. The game company must issue a new card to Bob with a new
> serial number and with Bob's public key rather than Alice's. 3. The
> game company must invalidate Alice's old card. Since there is no
> way that the game company can make sure all copies of the card have
> been destroyed it must create an "invalid serial number list" and
> have the players dial into that list every time the game is played.

This is the double spending problem.

> Since step 3 is so costly to implement, I think it is unlikely that
> a cryptography-based trading card game will have tradable cards.

Given that untraceability of cards is less of an issue than with e-cash, why not have a central registry of the owners of the cards (which would consist of the card hashes paired with the public key fingerprint)? Admittedly this means the players must be on line, but then we all know how difficult off line detection of double spenders is.

For anyone who is _serious_ about starting work on such a game system, I have a few pieces of Perl and Java code that would really get you on your way - let me know if you are interested.

Gary
- --
pub 1024/C001D00D 1996/01/22 Gary Howland
Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMa6YXPBB6nnGJuMRAQG0tgP8DSnhI+SgoaR63AuOpOi7qPgC6Ei3bFJV
TdZUB6lfYg3FnE4AaBkxdYkGPfzoyJx1u3Nu/s2BJs5i3Zd2eOfYohj3CJoXJVo1
04zXamo9cCvgemNTplT331sFc+nX/iOIRUvAWbJdfhaOapnm6KVSrNkFqhiRhQ5S
0SYvgcISnZA=
=VdtP
-----END PGP SIGNATURE-----
--
David F. Ogren
ogren at concentric.net (alternate address: dfogren at msn.com)
PGP Key ID: 0xC626E311
PGP Key Fingerprint: 24 23 CD 15 BF 8D D1 DE 81 71 84 C8 2C E0 4B 01
(public key available via server or by sending a message to
ogren at concentric.net with a subject of GETPGPKEY)

From clouds at alpha.c2.org Fri May 31 05:14:29 1996
From: clouds at alpha.c2.org (The Dreamer)
Date: Fri, 31 May 1996 20:14:29 +0800
Subject: someone to "educate"
Message-ID: <199605310231.TAA25953@infinity.c2.org>

This was, well, interesting. As a result of the recent loss of many remailers, I started looking for a local (to me) ISP that would offer me an anonymous account, and/or a shell account. Nobody would offer me a shell account except for these people, and here's what they had to say about an anonymous account...

Received: by alpha.c2.org for clouds at alpha.c2.org
From gjung at igateway.net Thu May 30 06:33:10 1996

The policy is set and I am not going to argue with you about it. I explained that we do not feel that anyone needs to be doing things that they do not want their name attached to on the Internet, and for that reason do not offer anonymous accounts. You have offered no reason to change the policy. I regret that we are unable to offer service to you.

----------
From: The Dreamer[SMTP:clouds at alpha.c2.org]
Sent: Wednesday, May 29, 1996 5:32 PM
To: gjung at igateway.net
Subject: anonymity/corporate policy

> Corporate policy dictates that we do not offer anonymous
> accounts. It is corporate belief that there should be no
> reason anyone needs anonymity on the net

That's an, er, interesting policy. Although there are a great number of arguments for anonymity - and privacy - I won't try to persuade an obviously uninterested audience. (That's you.)

I'd like to see the relevant corporate policies; are they available at www.igateway.net or elsewhere? Also, is there a more precise rationale behind the decision?

I'd very much like to do business with you, but if you don't want my money, that's cool.

d.

From loki at infonex.com Fri May 31 05:19:04 1996
From: loki at infonex.com (Lance Cottrell)
Date: Fri, 31 May 1996 20:19:04 +0800
Subject: Quickremail v1.0b
Message-ID:

At 3:36 PM 5/28/96, E. ALLEN SMITH wrote:
>From: IN%"matts at pi.se" "Matts Kallioniemi" 28-MAY-1996 06:08:28.40
>
>>Why would anyone set up a remailer at Lance's (or Sameer's) machine?
>>They have remailers running already. If the thugs break root and obtain
>>one remailer key from a machine, they probably get all the keys on that
>>machine, compromising all the remailers in one single attack. Or am I
>>missing something? Is there any benefit of multiple remailers on a machine
>>where root is running his own remailer?
>
> Well, the advantages are: A. I get Lance's help more quickly in setting
>up this one, so I can later go to other machines (preferably out of the
>country) and set things up the same way there (getting Mixmaster from an
>out-of-US source, of course); and B. supporting the efforts of Sameer, Lance,
>et al by paying them some money. While multiple ISPs are certainly
>preferable (to avoid one rubber-hose (e.g., law enforcement) breaking from
>getting everything), your argument assumes that all the machines at a given
>ISP are linked together such that if one is broken, the rest are - which
>isn't very good from a security standpoint, so I'd hope it _isn't_ the case.
>
> Thanks,
> -Allen

In addition, it is more remailers which need to be shut down to bring the remailer system down. At this point I think we need to think of robustness against shutdowns in our threat models, in addition to the usual considerations of traffic analysis. With all the shutdowns, the most immediate need is for more remailers.

-Lance

----------------------------------------------------------
Lance Cottrell loki at obscura.com
PGP 2.6 key available by finger or server.
Mixmaster, the next generation remailer, is now available!
http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com

"Love is a snowmobile racing across the tundra. Suddenly
it flips over, pinning you underneath. At night the ice
weasels come."
--Nietzsche
----------------------------------------------------------

From tcmay at got.net Fri May 31 05:28:40 1996
From: tcmay at got.net (Timothy C. May)
Date: Fri, 31 May 1996 20:28:40 +0800
Subject: opinions on book "The Truth Machine"
Message-ID:

It sounds like a "make.money.fast.by.promoting.this.book" scam to me.

At 3:32 AM 5/31/96, A.Back at exeter.ac.uk wrote:
>Anyone read this book? Available on line:
>
> http://www.truthmachine.com/
>
>The book is a possible future world scenario exploring the social
>implications of another new potential technology, a 100% reliable
>truth test. What would society do with such a device?
>
>The book explores the direction in which it is no longer possible to
>speak untruthfully without detection. A different approach to AP to
>ensuring honesty in politicians.
....

Adam, I find it hard to believe you're caught up in this "Amway novel" nonsense. (I saw the ads for it in many newsgroups a few weeks ago.)

A "machine which makes lying impossible"? Give me a break.

(Sounds like a great scheme for factoring large numbers...you just pick a pair of factors at random and the "truth machine" says whether you're lying or not....Other problems with this "truth machine" are left as an exercise.)

In any case, I decided to waste a few minutes skimming the opening parts of this "online media event novel" and discovered at the URL you cited:

"Complete this brief survey and receive the first two and a half chapters of the book free! Upon submission, you will be given access to these chapters of The Truth Machine......"

Utter bullshit. If the book was any good it would have a real publisher, not an opinion survey.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From ogren at cris.com Fri May 31 05:40:44 1996
From: ogren at cris.com (David F. Ogren)
Date: Fri, 31 May 1996 20:40:44 +0800
Subject: [crypto] crypto-protocols for trading card games
Message-ID: <199605310727.DAA21133@darius.cris.com>

-----BEGIN PGP SIGNED MESSAGE-----

In my earlier message I said:
> > Cards are not transferrable. In order to make cards transferrable
> > the game company must be able to invalidate cards which have been
> > traded to others. In other words if Alice wants to give a card
> > to Bob she must:

Gary Howland said:
> This is the double spending problem.
>

Me again:
> > Since step 3 is so costly to implement, I think it is unlikely
> > that a cryptography-based trading card game will have tradable
> > cards.
>

Mr. Howland again:
> Given that untraceability of cards is less of an issue than with
> e-cash, why not have a central registry of the owners of the cards
> (which would consist of the card hashes paired with the public key
> fingerprint)? Admittedly this means the players must be on line,
> but then we all know how difficult off line detection of double
> spenders is.
>

And herein lies the problem with an implementation of trading card games. In order to detect "double spenders", the system must be on-line. However, I believe going on-line will drive the costs of running such a game out of the range of commercial feasibility.

First of all, it requires that all players have Internet access. This reduces marketability.

Secondly, it requires that both players make an Internet connection with the game company every time they want to play a game. This will incur costs to the game company that it invariably will want to pass on to the players. Players, however, will be very resistant to a game that requires a subscription fee as well as costs for purchasing "cards". Especially, if it becomes known that the only reason for the game requiring on-line access is to prevent "cheaters".

It also raises the question of whether the game program could be "hacked" to avoid checking for authenticity of cards.

I think that a more realistic solution to the "double spending" problem is to not allow the transfer of cards between players.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMa6cjPBB6nnGJuMRAQGr3wP+K+DXJVM0rX0F6FSqwfTE/YCJbfiJXC7g
dAlwBA1URYA96h4su6xRThD2SbL0vJSLhvi3djQiTeshdqgmD8MTzlDsqTDLPp+f
Sw0GN7OjHWlt8VO5UOK9686L7u2Ev49EdGqkaR2NOy5qNdj079v0JydRCg3qhvmT
7LqcXhRbH7g=
=h3Eq
-----END PGP SIGNATURE-----
--
David F. Ogren
ogren at concentric.net (alternate address: dfogren at msn.com)
PGP Key ID: 0xC626E311
PGP Key Fingerprint: 24 23 CD 15 BF 8D D1 DE 81 71 84 C8 2C E0 4B 01
(public key available via server or by sending a message to
ogren at concentric.net with a subject of GETPGPKEY)

From A.Back at exeter.ac.uk Fri May 31 05:49:09 1996
From: A.Back at exeter.ac.uk (A.Back at exeter.ac.uk)
Date: Fri, 31 May 1996 20:49:09 +0800
Subject: opinions on book "The Truth Machine"
Message-ID: <18231.199605310332@olib>

Anyone read this book? Available on line:

http://www.truthmachine.com/

The book is a possible future world scenario exploring the social implications of another new potential technology, a 100% reliable truth test. What would society do with such a device?

The book explores the direction in which it is no longer possible to speak untruthfully without detection. A different approach to AP to ensuring honesty in politicians.

The political climate has moved to a situation where the population accepts a world government and loss of privacy for the payback of near zero crime rate. Is this utopia or has free will been removed?

Certainly many of the premises in the book are contrary to cypherpunk goals in that privacy is eroded (you can not lie, and truth tests with the question as to whether you have committed a crime at routine points, for example when you need to renew a driving license, etc). Government regulation of many aspects of life have been increased. Position escrow or some near-relative is in there too, for the purpose of allowing one to prove what was said, the video stream is sent and encrypted in real time.

Also cryogenics, and nano-tech.

Interesting technology for cypherpunks to think about the implications, likelihood, desirability etc.

Adam

From ogren at cris.com Fri May 31 05:56:02 1996
From: ogren at cris.com (David F. Ogren)
Date: Fri, 31 May 1996 20:56:02 +0800
Subject: Where does your data want to go today?
Message-ID: <199605310727.DAA21108@darius.cris.com>

> > > What problems does compression before encryption have? It at least
> > >seems to work for PGP.
> > >
> > Most compression schemes put a header/index on the front of the
> > compressed data.
> > This makes recognizing the correct decryption very simple.
> >
> > Call it a limited "known plaintext" situation.
>

Using a random IV also limits the effectiveness of using known headers for "known plaintext" attacks.

Also note that a good block cipher isn't that vulnerable even to "known plaintext" attacks.

--
David F. Ogren
ogren at concentric.net (alternate address: dfogren at msn.com)
PGP Key ID: 0xC626E311
PGP Key Fingerprint: 24 23 CD 15 BF 8D D1 DE 81 71 84 C8 2C E0 4B 01
(public key available via server or by sending a message to
ogren at concentric.net with a subject of GETPGPKEY)

From stewarts at ix.netcom.com Fri May 31 07:26:47 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Fri, 31 May 1996 22:26:47 +0800
Subject: remailers, mail technology
Message-ID: <199605310904.CAA05411@toad.com>

>>>Why would anyone set up a remailer at Lance's (or Sameer's) machine?
>>>They have remailers running already. If the thugs break root and obtain
>>>one remailer key from a machine, they probably get all the keys on that
>>>machine, compromising all the remailers in one single attack. Or am I
>>>missing something? Is there any benefit of multiple remailers on a machine
>>>where root is running his own remailer?

There are multiple threats that remailers have to face; multiple remailers on one machine are jointly vulnerable to some of them, but separately vulnerable to others.
If there are keys stored in plaintext on a machine, then root-breakers can steal them (unless it's running a multi-level secure operating system that can prevent that, if physical security is maintained.) Thugs confiscating the hardware or trashing the OS obviously break all the remailers at once, though that's only denial of service and not compromise. Offline remailers using POP, UUCP, or other mail forwarding also don't risk compromise (if they only accept encrypted messages), because they don't keep keys or perform encryption on the ISP's server.

For all of these cases, the remailer-positive ISP provides a certain amount of flak catching, but can also avoid much of it because _he_ isn't running the remailer - his customers are, and if the remailer gets abused, maybe they'll have to become ex-customers. That's especially effective for ISPs that support customers with their own DNS names - foobar.com is owned by someone other than Sameer, and if Sameer has to squash them, maybe they start getting hosted by Lance instead, or by AOL, or by YAISP.SF.CA.US.

Telnet-only shell account providers probably get a little less deniability than dial-only IP+POP providers or especially dial-only IP-only providers. (On the other hand, the fact that Sameer's systems are telnet-only means that users can be spread around to other dial-IP providers, including all those 10-hour AOLers he just has to keep squashing :-), while if he had dial-up users the thugs might go for telephone records.)

====

What kind of technical infrastructure would help run remailers in environments like this? I can think of three things
- Encrypted IP sessions (either IPv6, if it ever gets deployed, or swIPe)
- Encrypted POP and SMTP client/server interactions.
- User-based encrypted communications (SSH? SSL?) relaying POP/SMTP.

If we're going to get convenient wide deployment before the millennium brings IPv6, the approach will either need to run on shell(-like) accounts only, or else will need to piggyback on SSL. Either way, rather than get everyone to replace POP3 with CryptoPOP (they haven't even done IMAP), it'll probably take some kind of relay that sits on your desktop machine, speaking POP3-server on one side and CryptoPOP on the other. And you'd have to handle firewalls.

Is there any way to get Netscape to implement something like pop3: and smtp: services for the client software (or do them as plug-ins)? Adding them to a server (i.e. Apache-SSL) would allow SSL to do the crypto, and would mean you could use https: proxies to handle firewalls, since everybody's got to deal with them anyway.

# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215
# goodtimes signature virus innoculation

From jk at stallion.ee Fri May 31 09:06:24 1996
From: jk at stallion.ee (=?ISO-8859-1?Q?J=FCri_Kaljundi?=)
Date: Sat, 1 Jun 1996 00:06:24 +0800
Subject: Possible out-of-US remailer sites, 2nd edition
In-Reply-To: <01I5C4N7IN5C8Y52T1@mbcl.rutgers.edu>
Message-ID:

Fri, 31 May 1996, E. ALLEN SMITH wrote:

> I would appreciate comment on all aspects of this list. These include:
> additional companies and countries to add; companies or countries to take off
> (international politics & law is not my subject); and suggestions about where
> to look for more (it is quite possible that I did not locate all the lists of
> out-of-US ISPs).

I think you could add Estonia to the list. Although I have not discussed this with local ISPs, I think running a remailer or nymserver from a Unix shell account should not be such a big problem. The Internet connection to the rest of the world is quite good and there are no government regulations.

MicroLink OnLine (info at online.ee, http://www.online.ee/) has a PPP/Unix shell account (on Sun Sparc) with 1MB disk space for 170 USD a year or 15 USD a month.
Just pay in advance, they have an on-line registration.

Teleport (info at teleport.ee, http://www.teleport.ee/) is another company, which has PPP/Unix (on Linux) with 1 MB for 8 USD a month or 96 MB a year.

Jüri Kaljundi
AS Stallion
jk at stallion.ee

From wb8foz at nrk.com Fri May 31 10:49:23 1996
From: wb8foz at nrk.com (David Lesher)
Date: Sat, 1 Jun 1996 01:49:23 +0800
Subject: NRC Cryptography Report: The Text of the Recommendations
In-Reply-To: <199605302304.QAA14424@jobe.shell.portal.com>
Message-ID: <199605311115.HAA05118@nrk.com>

>
> I read the overview of this, and while it is good that the report calls
> for maintaining the legality of domestic encryption and some slight
> loosening of the export rules, overall I was disappointed.

Watching faces at the NPC, it was clear there was lots of private divergence midst the panel. A further indication of this was that three of them refused to get clearances.

I'd say the report was a success based solely on the fact the Administration does not like it ;=|

--
A host is a host from coast to coast.................wb8foz at nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433

From jlasser at rwd.goucher.edu Fri May 31 11:53:48 1996
From: jlasser at rwd.goucher.edu (Moltar Ramone)
Date: Sat, 1 Jun 1996 02:53:48 +0800
Subject: Java Crypto API questions
In-Reply-To:
Message-ID:

On Thu, 30 May 1996, Lucky Green wrote:

> o "Security Packages must be signed. Policy for signing is public and open."
> I assume the packages must be signed by Sun. How much will it cost to have
> a package signed? How do I obtain a copy of this "public and open" policy?
>
> o "Exportable API. Exportable applications."
> One code example shows performing a DES encryption. Another slide mentions
> "Support for [...] RSA." This is exportable? What am I missing?

My guess would be that the first of these two points answers the second. Everything is exportable -- except signed third-party security packages.

My bet would be that the exportable code would not be more than RC4-40 or perhaps 1DES, but that a signed package would go to RC4-128, 3DES, and RSA-1024. However, the signature on that package would be on the condition that the vendor/distributor of that package follow all export regulations.

This is the way Micro$oft's CAPI is supposed to work; it's got commodities jurisdiction approval already, my bet is Sun can get the same.

----------
Jon Lasser (410)532-7138                 - Obscenity is a crutch for
jlasser at rwd.goucher.edu                 inarticulate motherfuckers.
http://www.goucher.edu/~jlasser/
Finger for PGP key (1024/EC001E4D)       - Fuck the CDA.

From jeffb at sware.com Fri May 31 11:56:40 1996
From: jeffb at sware.com (Jeff Barber)
Date: Sat, 1 Jun 1996 02:56:40 +0800
Subject: NRC Cryptography Report: The Text of the Recommendations
In-Reply-To: <199605302304.QAA14424@jobe.shell.portal.com>
Message-ID: <199605311124.HAA12879@jafar.sware.com>

Hal writes:

[ Good critique of NRC crypto report ]

I completely agree. The *best* that could be said of this report is "56 bits instead of 40". B.F.D. And aside from that one concession, it's a step backward.

BTW, does it seem to anyone else that recommendation 1 "no law should bar the .... use of ... encryption within the United States" is contradicted by recommendation 5.4: "Congress should seriously consider legislation that would impose criminal penalties on the use of encrypted communications in interstate commerce with the intent to commit a federal crime"?

Maybe they meant to say "no law except those we propose below" :-(.

-- Jeff

From jlasser at rwd.goucher.edu Fri May 31 12:45:34 1996
From: jlasser at rwd.goucher.edu (Moltar Ramone)
Date: Sat, 1 Jun 1996 03:45:34 +0800
Subject: NRC Cryptography Report: The Text of the Recommendations
In-Reply-To: <199605302304.QAA14424@jobe.shell.portal.com>
Message-ID:

On Thu, 30 May 1996, Hal wrote:

> Second, although they go to some lengths to emphasize the importance of
> an open, unclassified process, and that the report itself is completely
> unclassified, there are some curious omissions. For example,
> recommendation 4.1 is that 56-bit DES encryption should be exportable.
> However, they follow that by saying, "Products covered under
> Recommendation 4.1 must be designed in a way that would preclude their
> repeated use to increase confidentiality beyond the acceptable level."

That is a modest misreading of the statement -- what it says is a sort of "generally available" requirement that the committee did a _BIG_ job of trying to soft-pedal at the conference. Especially when PGP was mentioned, they said "well, it's not _really_ a 'generally available' recommendation." But it _is_. One Cypherpunk at the meeting suggested to me that they knew if PGP was mentioned, heads would roll, and this might be a quiet way of sneaking that in.

> I also think it is sneaky that they bury this limitation in text which
> will not be seen by people who read only the recommendations.

Yep, but OTOH, how much can they fit into a decent blurb anyways, which is all the actual recommendation text is?

> Overall, I am disappointed that the report seems to adopt so much of the
> point of view of those forces which will oppose the use of cryptography.
> At best it seems to be a recognition that change is inevitable, and that
> the most that can be hoped for is to ease the transition to a world where
> people have free access to privacy tools. But in the meantime it appears
> designed to delay the transition rather than advance it.
Which is as good as we could hope for from a government-sponsored report, whose team was required to include members of the intelligence community, and which those members know will be looked at seriously by congress. While on the one hand I'm disappointed, OTOH it was much better than I expected it to be. While it is essentially a "status quo" sort of report, it still allows us to deploy strong crypto now. What I was most disappointed with was that (as far as I've found so far -- I've not slogged my way through the entire 500+ page report quite yet) CAPIs are totally ignored (although described in an appendix, I haven't yet been able to find any reference with regards to exporting them) thus leaving the "crypto in the hole" issue up in the air... ---------- Jon Lasser (410)532-7138 - Obscenity is a crutch for jlasser at rwd.goucher.edu inarticulate motherfuckers. http://www.goucher.edu/~jlasser/ Finger for PGP key (1024/EC001E4D) - Fuck the CDA. From tcmay at got.net Fri May 31 15:45:36 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 1 Jun 1996 06:45:36 +0800 Subject: Optimism re NRC Cryptography Report Message-ID: At 11:04 PM 5/30/96, Hal wrote: >I read the overview of this, and while it is good that the report calls >for maintaining the legality of domestic encryption and some slight >loosening of the export rules, overall I was diappointed. Reading it at the Web site (http://www2.nas.edu/cstbweb/), and looking at some of the comments here, I'm not as disappointed as I expected to be. Sure, there is a lot of language about meeting law enforcement needs (including the disturbing proposal to apply NSA SIGINT capabilities domestically to help the FBI and law enforcement solve the "growing gap" problem in telecommunications intercepts), and the language about "56 bit" systems seems to leave open the door for severe restrictions on stronger systems (as Hal, Bill Frantz, and others note in their posts). 
But, on balance, I think this NRC report comes down strongly enough in favor of cryptography use for business and individuals that it will effectively *derail* and *stall* current Administration proposals, give support to the Burns Bill, and delay key escrow systems for at least several years. This should be enough to ensure our victory. (Not that I think that even fairly repressive legislation would've been enough to defeat us, but a new breathing spell can only help.) Unless laws are passed very quickly to outlaw the things we are involved with, including such things as superencryption, steganography, anonymous remailers, and digital money, I think we will "win the race to the fork in the road." The "fork in the road" being the point at which the changes are unstoppable. (And I couldn't see much about these technologies....though I haven't read every line of the Web summary, and have certainly not seen the full report.) So, at first reading, I am cautiously optimistic that this NRC report will carry enough weight to delay crypto legislation long enough to ensure our ultimate victory. The "degrees of freedom" will soon be too large as to ever control. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." 
From jlasser at rwd.goucher.edu Fri May 31 16:08:12 1996 From: jlasser at rwd.goucher.edu (Moltar Ramone) Date: Sat, 1 Jun 1996 07:08:12 +0800 Subject: Java Crypto API questions In-Reply-To: Message-ID: On Fri, 31 May 1996, Lucky Green wrote: > At 8:15 5/31/96, Moltar Ramone wrote: > > >My guess would be that the first of these two points answers the second. > >Everything is exportable -- except signed third-party security packages. > >My bet would be that the exportable code would not be more than RC4-40 or > >perhaps 1DES, but that a signed package would go to RC4-128, 3DES, and > >RSA-1024. However, the signature on that package would be on the > >condition that the vendor/distributor of that package follow all export > >regulations. > > Where does this leave foreign vendors? Will Sun sign the 3DES package of a > foreign vendor? Probably. But they won't be able to export the signed 3DES package :) It leaves foreign vendors in trouble, is where. ---------- Jon Lasser (410)532-7138 - Obscenity is a crutch for jlasser at rwd.goucher.edu inarticulate motherfuckers. http://www.goucher.edu/~jlasser/ Finger for PGP key (1024/EC001E4D) - Fuck the CDA. From shamrock at netcom.com Fri May 31 16:28:55 1996 From: shamrock at netcom.com (Lucky Green) Date: Sat, 1 Jun 1996 07:28:55 +0800 Subject: Java Crypto API questions Message-ID: At 8:15 5/31/96, Moltar Ramone wrote: >My guess would be that the first of these two points answers the second. >Everything is exportable -- except signed third-party security packages. >My bet would be that the exportable code would not be more than RC4-40 or >perhaps 1DES, but that a signed package would go to RC4-128, 3DES, and >RSA-1024. However, the signature on that package would be on the >condition that the vendor/distributor of that package follow all export >regulations. Where does this leave foreign vendors? Will Sun sign the 3DES package of a foreign vendor? Disclaimer: My opinions are my own, not those of my employer. 
-- Lucky Green PGP encrypted mail preferred. From sandfort at crl.com Fri May 31 16:40:19 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Sat, 1 Jun 1996 07:40:19 +0800 Subject: Something that just crossed my mind. Sorry. Message-ID: <2.2.32.19960531170109.007070cc@popmail.crl.com> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ C'punks, At 10:35 PM 5/30/96 -0500, snow wrote: >It is my position (until proven wrong--please) that larger business DON'T >want anonymity. They _want_ to be able to track purchases and use of their >product for several reasons. Two quick answers: 1) What big business wants and what it would be willing to accept in order to make sales, are two different things. While demographic data are nice, an more robust economy full of big spenders is better. 2) Big businesses are made up of individuals. Most individuals would still prefer to have their own privacy preserved even if they would prefer less privacy for others. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From sandfort at crl.com Fri May 31 16:45:49 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Sat, 1 Jun 1996 07:45:49 +0800 Subject: opinions on book "The Truth Machine" Message-ID: <2.2.32.19960531170108.0070c300@popmail.crl.com> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ C'punks, At 03:32 AM 5/31/96 GMT, A.Back at exeter.ac.uk wrote: >The book is a possible future world scenario exploring the social >implications of another new potential technology, a 100% reliable >truth test. What would society do with such a device? > >The book explores the direction in which it is no longer possible to >speak untruthfully without detection. A different approach to AP to >ensuring honesty in politicians. 
If such a device were to exist, you can bet your last e-buck that the politicians would be the LAST to be tested. Today, they ban or highly regulate the PRIVATE use of lie detectors. The excuse is "reliability," but the various levels of government still use them for their own purposes. With a 100% reliable device, they would either claim "national security"--the government needs to lie some times for your own good--or they would rig or evade its application to themselves. Count on it.

 S a n d y

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From jya at pipeline.com Fri May 31 16:54:01 1996
From: jya at pipeline.com (John Young)
Date: Sat, 1 Jun 1996 07:54:01 +0800
Subject: NRC Report, 0, 1, 2
Message-ID: <199605311656.QAA04259@pipe3.t1.usa.pipeline.com>

The first parts of the full NRC report are filed at our Web site:

Preface, Executive Summary and Road Map:
http://pwp.usa.pipeline.com/~jya/nrc00.txt (92 kb)

Part I -- Framing the Policy Issues

Chapter 1 Growing Vulnerability in the Information Age
http://pwp.usa.pipeline.com/~jya/nrc01.txt (101 kb)

Chapter 2 Cryptography: Roles, Market and Infrastructure
http://pwp.usa.pipeline.com/~jya/nrc02.txt (80 kb)

---------

Remaining 6 chapters and 14 appendices to be announced as completed.

---------

Declan reports that an on-line version is due next week.

Note that National Academy Press is accepting orders for the printed version, $45.00 + s/h each. For August.

National Academy Press, 2101 Constitution Ave, NW, Lockbox 285, Washington, DC 20055. Tel 1-800-624-6242.

From jimbell at pacifier.com Fri May 31 17:27:07 1996
From: jimbell at pacifier.com (jim bell)
Date: Sat, 1 Jun 1996 08:27:07 +0800
Subject: NRC Cryptography Report: The Text of the Recommendations
Message-ID: <199605311725.KAA21348@mail.pacifier.com>

At 04:04 PM 5/30/96 -0700, Hal wrote:
>This is then followed with a couple of pages of justification for why
>this relaxation of the export policies should be allowed.
Much is made >of the fact that people will be more likely to use 56 bit encryption than >the 40 bit which is currently allowed. (This is an example of the >perspective issue I mentioned above.) However, nowhere is it stated why >more than 56 bits is not OK, and why it is necessary to forbid repeated >use to increase confidentiality. There is not one word of discussion of >this proviso. A very curious omission! It seems to me that if they're trying to explain any sort of limits on encryption, they should focus carefully on WHY those limits should exist, and why, exactly, those limits should be selected at any particular level. >Third, although in broad terms the report is supportive of the use of >cryptography, the specific recommendations do very little to liberalize >current policies. Free domestic access to cryptography is already the >law. Raising the export size limit from 40 to 56 bits is a step >forward, but a small one. Beyond 56 bits they recommend the >requirement of escrowed encryption. Given current moves to standardize >on triple DES, this is a retrenching action. They recommend >criminalizing the use of cryptography in committing crimes, admitting >that this may be used in some cases (as comparable mail fraud statues >have been) to bring prosecutions against people who cannot be proven to >have committed any other crime. "[T]he committee understands that it >is largely the integrity of the judicial and criminal justice process >that will be the ultimate check on preventing its use for such >purposes." I can think of a much better "ultimate check on preventing its use for such purposes." 
Jim Bell
jimbell at pacifier.com

From gary at systemics.com Fri May 31 18:11:37 1996
From: gary at systemics.com (Gary Howland)
Date: Sat, 1 Jun 1996 09:11:37 +0800
Subject: Backdoor in RSA Discovered
Message-ID: <199605311811.UAA10519@internal-mail.systemics.com>

> In this paper we present a mechanism that can quite easily be
> added to PGP that allows the person who modifies PGP to learn
> the private keys of those who use it to generate keys. Furthermore
> the keys are leaked securely and subliminally, i.e. even if you
> analyze the source code you cannot determine previously generated
> keys or future keys, only the attacker can. The only way to detect the
> presence of the mechanism itself is by looking over the source code, or
> the compiled code. The attack has the effect of turning a database of
> public keys into a database of public/private key pairs with respect to
> the attacker *exclusively*.

Sounds like they are doing something like this:

    Generate a prime P of 500 bits (say)
    Encrypt with Mallets public key
    Generate start_q using (E(P) << 524)/P
    Keep incrementing start_q until prime, and call this Q
    Generate N by multiplying P and Q to get a 1024 bit key
    Top 500 bits of N will be E(P)

It could also be done like this:

    Generate a random H of, say, 290 bits
    Keep incrementing H until (H << 300) + 1 is prime and call this Q
    Encrypt H for Mallet
    H <<= 10
    Keep incrementing H until prime
    Generate N by multiplying P by Q, to get a 900 bit key
    Bottom 300 (but 10) bits of N will E(P)

I'm sure there are few mistakes, and there need to be a few other trivial tests in there somewhere, but I think this should work. The first method should produce "better" keys than the first (as if Mallet cares)

I'll try and knock some code up to demonstrate this over the next few days.
Gary -- pub 1024/C001D00D 1996/01/22 Gary Howland Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06 From jpp at software.net Fri May 31 18:17:50 1996 From: jpp at software.net (John Pettitt) Date: Sat, 1 Jun 1996 09:17:50 +0800 Subject: Privacy (was Re: Something that just crossed my mind. Sorry.) Message-ID: <2.2.32.19960531185137.00d74220@mail.software.net> At 10:01 AM 5/31/96 -0700, Sandy Sandfort wrote: >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > SANDY SANDFORT >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > >>Two quick answers: > >1) What big business wants and what it would be > willing to accept in order to make sales, are > two different things. While demographic data > are nice, an more robust economy full of big > spenders is better. > >2) Big businesses are made up of individuals. > Most individuals would still prefer to have > their own privacy preserved even if they would > prefer less privacy for others. > > I think what most people want is no surprises, by that I mean that peoples perceptions of privacy should match reality. In many cases that will mean no demographics. However there are a lot of situations where people will trade information for something they perceive as having value. I see nothing wrong with this *if* there is informed consent. John Pettitt, jpp at software.net EVP, CyberSource Corporation, 415 473 3065 PGP Key available at: http://www-swiss.ai.mit.edu/htbin/pks-extract-key.pl?op=get&search=0xB7AA3705 From perry at piermont.com Fri May 31 18:29:21 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 1 Jun 1996 09:29:21 +0800 Subject: I told you so Message-ID: <199605311928.PAA07729@jekyll.piermont.com> Reposted from the firewalls mailing list. 
Date: Thu, 30 May 1996 16:39:33 -0700 From: Bill Stout Subject: DES-3 Story retraction I retract the following story, it was told to me by a contractor who attended a MBONE group meeting on the MBONE, where the story originated: Story: 'A person working on the MBONE project did an unannounced experiment across the internet using Triple-DES for MBONE, and the very next day, 'ATF' agents knocked on his door and warned him against exporting munitions. The experimentor was shaken by the fact that agents approached him so quickly after the experiment.' The MBONE experimentor referred to in the story was Van Jacobson at the Lawrence Berkeley Labs. I followed this up since receiving much interested mail responses. I called Van Jacobson himself at the Lab (the web is a wonderful thing!), and found that the story was embellished. The real event as told by Van Jacobson was: 'MBONE software was at one time accidentally compiled with links into libraries which contained DES, and someone (I don't remember who) noticed the DES capability in our MBONE binaries, and informed the group about the encryption export problem. The problem was promptly fixed.' Sorry for the mis-information. Bill <=======10========20====Ruler for Eudora users==50========60========70========80 William B. Stout | "Stop socialism in America!" Senior Systems Admin | "Dilbert for President." Hitachi Data Systems | "Police power today=police state tomorrow." Open Systems Center | "The secret of life - being part of the process of Santa Clara, California | creation." 
408-970-4822 | #include
<=======10========20========30========40========50========60========70========80

From jya at pipeline.com Fri May 31 19:41:22 1996
From: jya at pipeline.com (John Young)
Date: Sat, 1 Jun 1996 10:41:22 +0800
Subject: NRC Report, 3
Message-ID: <199605311902.TAA14046@pipe3.t1.usa.pipeline.com>

Chapter 3 Needs for Access to Encrypted Information
http://pwp.usa.pipeline.com/~jya/nrc03.txt (88 kb)

From llurch at networking.stanford.edu Fri May 31 20:14:43 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 1 Jun 1996 11:14:43 +0800
Subject: Optimism re NRC Cryptography Report
In-Reply-To:
Message-ID:

I agree. As a political matter, which is often what really counts, the NRC report is almost unambiguously positive. It pays at least lip service to everything that civil libertarians and coders who'd like to be able to export crypto have been saying for years, thereby legitimizing them.

The fact that the technical details -- 56-bit encryption, suggestions that surveillance within the US might be a good idea -- betray the supposed conclusions of the report is largely irrelevant. The general public/ politicians aren't going to understand the technical details. They're going to see the headline, "NRC Report Backs Crypto Exports and *Real* Security."

Work the headline, claim that they agree with you 100% (even though you know that they don't), and continue to say what you believe. It's called politics.

-rich

From andrew_loewenstern at il.us.swissbank.com Fri May 31 20:18:20 1996
From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern)
Date: Sat, 1 Jun 1996 11:18:20 +0800
Subject: Java Crypto API questions
In-Reply-To:
Message-ID: <9605312056.AA01716@ch1d157nwk>

Moltar Ramone writes:
> Probably. But they won't be able to export the signed 3DES
> package :) It leaves foreign vendors in trouble, is where.

Sun can export the signature though. The vendor already has the package, they just need the sig/cert...
andrew From ncognito at gate.net Fri May 31 20:22:04 1996 From: ncognito at gate.net (Ben Holiday) Date: Sat, 1 Jun 1996 11:22:04 +0800 Subject: Asendmail V0.5beta is available now. Message-ID: The beta release of asendmail is now available from: http://www.cyberpass.net/~ncognito/asendmail.tar.gz The compressed archive is about 13k. Included are the current proxys.conf and a sample fakes.conf file, along with pretty decent instructions for use with and without mix. I'll be out of town for the next 2 days, so I'll not be responding to email until monday. Adios.. Ben From jeremey at forequest.com Fri May 31 20:28:01 1996 From: jeremey at forequest.com (Jeremey Barrett) Date: Sat, 1 Jun 1996 11:28:01 +0800 Subject: NRC Cryptography Report: The Text of the Recommendations In-Reply-To: <199605302210.PAA26716@mail.pacifier.com> Message-ID: On Thu, 30 May 1996, jim bell wrote: > At 10:42 AM 5/30/96 -0700, John Gilmore wrote: > >Recommendation 2: National cryptography policy should be developed by > >the executive and legislative branches on the basis of open public > >discussion and governed by the rule of law. > > Why is it that we even need a "national cryptography policy"? We don't have > a "national beer policy," do we? A "national furniture policy"? A > "national pencil policy"? A "national movie policy"? > > The very concept of a "national cryptography policy" implies a level of > centrally-controlled interest that is unjustified given our constitutution and laws. > > Jim Bell > jimbell at pacifier.com > I agree completely... the existence of a "national cryptography policy" is a basic violation of the civil rights of every citizen in this country, and should be dealt with as such. The only reason for a government to control the use of cryptography is to prevent its citizens from protecting themselves against the activities of that government. It's analogous to removing freedom of public assembly. 
The government "relaxing" crypto controls is like Hitler saying, "ok, ok, I promise not to be SUCH a fascist." -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Jeremey Barrett Senior Software Engineer jeremey at forequest.com The ForeQuest Company http://www.forequest.com/ "less is more." -- Mies van de Rohe. Ken Thompson has an automobile which he helped design. Unlike most automobiles, it has neither speedometer, nor gas gage, nor any of the numerous idiot lights which plague the modern driver. Rather, if the driver makes any mistake, a giant "?" lights up in the center of the dashboard. "The experienced driver", he says, "will usually know what's wrong." -- 'fortune` output From wombat at mcfeely.bsfs.org Fri May 31 20:30:38 1996 From: wombat at mcfeely.bsfs.org (Rabid Wombat) Date: Sat, 1 Jun 1996 11:30:38 +0800 Subject: Policy Post 2.21 - Your Privacy Online: CDT Unveils Demo & Clearinghouse In-Reply-To: Message-ID: One can easily mess with the cookie file ... See http://home.netscape.com/newsref/std/cookie_spec.html for info on cookies. The only useful information the demo returns is taken from the domain associated with the address of the user. Must be for people who have never seen nslookup, whois, or run expn on the SMTP port of a server ... My $.02 - r.w. On Thu, 30 May 1996, Bob Palacios wrote: > > (1) Your Privacy Online - CDT Unveils Demonstration & Clearinghouse > > Many people surf the World Wide Web with an illusion of anonymity, > believing that their activities are unobserved and that they can explore > the Internet without leaving a trail. In reality, this is not the case. > > During the normal course of using the Internet, a great deal of personally > revealing information is routinely generated, collected, and stored. Most > of this information is collected for purposes of system maintenance, > billing, or other necessary functions. 
But a sophisticated marketer, > determined hacker, or law enforcement official can put together a detailed > profile of your online activities, personal tastes, interests, habits and > vices with relative ease. > > Today, the Center for Democracy and Technology unveiled an interactive > privacy demonstration and privacy policy clearinghouse on our World Wide > Web site. The demonstration is located at > > http://www.cdt.org/privacy/ > From tcmay at got.net Fri May 31 20:31:17 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 1 Jun 1996 11:31:17 +0800 Subject: Something that just crossed my mind. Sorry. Message-ID: At 5:01 PM 5/31/96, Sandy Sandfort wrote: >At 10:35 PM 5/30/96 -0500, snow wrote: > >>It is my position (until proven wrong--please) that larger business DON'T >>want anonymity. They _want_ to be able to track purchases and use of their >>product for several reasons. > >Two quick answers: > >1) What big business wants and what it would be > willing to accept in order to make sales, are > two different things. While demographic data > are nice, an more robust economy full of big > spenders is better. To add to this point, "all XYZ is economics." (Crypto, security, customer preferences, etc.) A K-Mart or Radio Shack might place a value on any customer's spending preferences at, for instance, $0.035 per $100 spent. This is just a figure I'm inventing to make a point; market researchers within K-Mart or Radio Shack probably have better estimates. Thus, if customers give information away for "free," as many do, then a Radio Shack will naturally try to collect this information. Even better if they can get info about earning power, neighborhood, magazines subscribed to, etc. Some stores try to collect this information. In any case, few stores will turn down a sale because this $0.035 or even $0.10 "value" is denied to them. It's always about economics. --Tim May Boycott "Big Brother Inside" software! 
We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From reagle at MIT.EDU Fri May 31 20:32:38 1996 From: reagle at MIT.EDU (Joseph M. Reagle Jr.) Date: Sat, 1 Jun 1996 11:32:38 +0800 Subject: Optimism re NRC Cryptography Report Message-ID: <9605312250.AA20290@rpcp.mit.edu> At 07:40 AM 5/31/96 -0700, Timothy C. May wrote: >This should be enough to ensure our victory. (Not that I think that even >fairly repressive legislation would've been enough to defeat us, but a new >breathing spell can only help.) Actually, I felt this upon reading the general recommendations, but then in reading the expansion of the recommendations, I could see a lot there for the continuance of the "status-quo" type of attitude. After talking about it with other people, my feeling is that the document might be all things to all people...? Pro-crypto will be happy with it and point to this para and that, "anti"-crypto (law enforcement type) could also be happy with it and point to that para and the other. The question then is, how will it be read/perceived by its audience (which I suspect is legislators.) Given the way the press is reporting, it is being received as a pro-crypto report, congress might pick up on it. Unfortunately, it might pick up on it with respect to publicity and posturing, and a fair amount of "the briefing" back door stuff will continue. Can't say though. _______________________ Regards, If it weren't for the last minute, nothing would ever get done. 
Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E From sjb at universe.digex.net Fri May 31 20:39:05 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Sat, 1 Jun 1996 11:39:05 +0800 Subject: Remailer chain length? In-Reply-To: <199605282112.QAA03652@einstein.ssz.com> Message-ID: <199605311956.PAA25321@universe.digex.net> Jim Choate writes: >> It's better than nothing. And besides, the more remailers there are, the >> more difficult it is to do traffic analysis on remailer traffic. Actually, >> its the more remailers people chain messages through, but there are software >> packages that can do this easily. The more remailers there are, the longer >> remailer chains have the possibility of becoming. > >If this is strictly true, why not simply run several instances of a remailer >on the same machine. Then randomly chain them prior to sending them off >site. This would be a lot cheaper and faster than trying to convince >hobbyist to set it up or businesses to to use their profit & legal council. Because it's not strictly true. Implicit in traffic analysis is looking at the "envelopes" of the traffic. Since this means intercepting those envelopes, once you've put your monitor on the first remailer at a site, you've probably gotten all the rest at the site for free. I don't think multiple remailers at the same site help anything. From jlasser at rwd.goucher.edu Fri May 31 20:44:48 1996 From: jlasser at rwd.goucher.edu (Moltar Ramone) Date: Sat, 1 Jun 1996 11:44:48 +0800 Subject: Java Crypto API questions In-Reply-To: <199605312029.NAA01041@mail.pacifier.com> Message-ID: On Fri, 31 May 1996, jim bell wrote: > >Probably. But they won't be able to export the signed 3DES package :) > >It leaves foreign vendors in trouble, is where. > > But why can't they just export the SIGNATURE, if it is detached from the software itself? 
I would assume because the signature is probably not detached, or detachable. But that's just a guess, really. ---------- Jon Lasser (410)532-7138 - Obscenity is a crutch for jlasser at rwd.goucher.edu inarticulate motherfuckers. http://www.goucher.edu/~jlasser/ Finger for PGP key (1024/EC001E4D) - Fuck the CDA. From tcmay at got.net Fri May 31 21:01:56 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 1 Jun 1996 12:01:56 +0800 Subject: opinions on book "The Truth Machine" Message-ID: At 7:06 AM 5/31/96, Timothy C. May wrote: >It sounds like a "make.money.fast.by.promoting.this.book" scam to me. ... >In any case, I decided to waste a few minutes skimming the opening parts of >this "online media event novel" and discovered at the URL you cited: > >"Complete this brief survey and receive the first two and a half chapters >of the book free! Upon submission, you will be given access to these >chapters of The Truth Machine......" > >Utter bullshit. If the book was any good it would have a real publisher, >not an opinion survey. I confess to eventually yielding to temptation and answering the "survey" questions (though I just made up some semi-random answers so as to get Chapters 1-3, then 4-12, etc.). It was truly bad stuff. Terribly written, confusing, no character development except in a cartoonish way. One correspondent chided me for saying that if the book was any good it would have a real publisher, citing the opportunities for using the Web to self-publish. Well, the book is coming out in _printed_ form, for $20 or somesuch, from a press I've never heard of. If more than 500 copies are sold to actual paying, third-party customers, I'll be surprised. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. 
May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From harka at nycmetro.com Fri May 31 21:16:40 1996
From: harka at nycmetro.com (harka at nycmetro.com)
Date: Sat, 1 Jun 1996 12:16:40 +0800
Subject: Fight-Censorship Disp
Message-ID:

-=> Quoting In:declan at eff.org to Harka <=-

In> 4.1 -- Products providing confidentiality at a level that
In> meets most general commercial requirements should be easily
In> exportable.

For they are easily breakable...

In> 4.2 -- Products providing stronger confidentiality should be
In> exportable on an expedited basis to a list of approved
In> companies if the proposed product user is willing to provide
In> access to decrypted information upon legally authorized
In> request.

Sounds like a "Clipper VI" proposal.

In> Recommendation 5: The U.S. government should take steps to assist law
In> enforcement and national security to adjust to new technical realities
In> of the information age.

See 4.1 and 4.2.

Harka

___ Blue Wave/DOS v2.30 [NR]

From frantz at netcom.com Fri May 31 21:33:19 1996
From: frantz at netcom.com (Bill Frantz)
Date: Sat, 1 Jun 1996 12:33:19 +0800
Subject: Where does your data want to go today?
Message-ID: <199606010032.RAA27060@netcom7.netcom.com>

At 3:25 AM 5/31/96 -0400, David F. Ogren wrote:
>> > > What problems does compression before encryption have? It at least
>> > >seems to work for PGP.
>> > >
>> > Most compression schemes put a header/index on the front of the
>> > compressed data.
>> > This makes recognizing the correct decryption very simple.
>> >
>> > Call it a limited "known plaintext" situation.
>> >
>Using a random IV also limits the effectiveness of using known
>headers for "known plaintext" attacks.
Also note that a good block
>cipher isn't that vulnerable even to "known plaintext" attacks.

I don't think this is true given a brute force attack. Let me assume DES-CBC as a specific system. Let us assume that the plaintext is:

    IV || PKZIP2.1 ||

Where IV is the 8 byte initialization vector. The brute force system decrypts the first, and second blocks (8 bytes each) of the cyphertext, XORs them, and compares the result with "PKZIP2.1". If the comparison is equal it has the key.

If we eliminated the header and just started with the compressed data, then the brute force system would have to decrypt and decompress enough of the data to run statistical tests. The cost of the additional decryptions, decompression, and statistical tests substantially raise the cost of the brute force attack.

------------------------------------------------------------------------
Bill Frantz | The CDA means | Periwinkle -- Computer Consulting
(408)356-8506 | lost jobs and | 16345 Englewood Ave.
frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA

From hoz at univel.telescan.com Fri May 31 21:46:15 1996
From: hoz at univel.telescan.com (rick hoselton)
Date: Sat, 1 Jun 1996 12:46:15 +0800
Subject: someone to "educate"
Message-ID: <199606010057.RAA18664@toad.com>

At 07:31 PM 5/30/96 -0700, you quoted someone:
>> Corporate policy dictates that we do not offer anonymous
>> accounts. It is corporate belief that there should be no
>> reason anyone needs anonymity on the net

Perhaps you could ask whoever sent you that message for their home phone number, address, and Visa Account number, to be posted to this newsletter. After all, if they are sure this is a good policy, and they are not ashamed of it, then the individuals who authored it have nothing to hide! If they really believe what they say, then they won't mind.

I, for one, am waiting.
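Bill Frantz's point in the message above (a fixed compression header gives a key search an exact one-block test even with a random IV, while headerless data forces decryption, decompression and a plausibility test) can be measured directly. The following is an added example, not code from the thread; it assumes a toy 4-round Feistel cipher with a 12-bit key standing in for DES, standard CBC with the IV sent in the clear, zero padding, and a constructed sample message.

```python
import hashlib
import os
import zlib

BLOCK = 8                 # 64-bit blocks, as in DES
KEY_BITS = 12             # deliberately tiny key space so the search finishes quickly
HEADER = b"PKZIP2.1"      # the fixed 8-byte header named in the post
# Constructed sample plaintext: one line of printable ASCII.
SAMPLE = (b"Constructed sample: the quarterly figures are attached, "
          b"please review them before Friday's call with legal.")

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of the toy Feistel cipher (an assumption, not DES, not secure).
    return hashlib.sha256(key.to_bytes(2, "big") + bytes([rnd]) + half).digest()[:4]

def enc_block(key, blk):
    left, right = blk[:4], blk[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def dec_block(key, blk):
    left, right = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def cbc_encrypt(key, plaintext):
    iv = os.urandom(BLOCK)                               # random IV, sent in the clear
    plaintext += b"\x00" * (-len(plaintext) % BLOCK)     # toy zero padding
    out, prev = [iv], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = enc_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def deflate_raw(data):
    c = zlib.compressobj(9, zlib.DEFLATED, -15)          # raw deflate: no magic bytes
    return c.compress(data) + c.flush()

def _blocks(ct):
    return [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]

def search_with_header(ct):
    """Key test = one block decryption plus an 8-byte compare; the IV does not hide it."""
    blks = _blocks(ct)
    hits, work = [], 0
    for key in range(1 << KEY_BITS):
        work += 1
        if _xor(dec_block(key, blks[1]), blks[0]) == HEADER:
            hits.append(key)
    return hits, work

def search_headerless(ct):
    """Key test = decrypt and inflate block by block, then check the output is plausible."""
    blks = _blocks(ct)
    hits, work = [], 0
    for key in range(1 << KEY_BITS):
        inflater, out, last = zlib.decompressobj(-15), b"", -1
        try:
            for last, (prev, cur) in enumerate(zip(blks, blks[1:])):
                work += 1                                # one more block decryption
                out += inflater.decompress(_xor(dec_block(key, cur), prev))
                if inflater.eof:
                    break
        except zlib.error:
            continue                                     # not a deflate stream: reject key
        # Padding is under one block, so a real stream must end in the final block.
        ends_in_final_block = inflater.eof and last == len(blks) - 2
        if ends_in_final_block and out and all(32 <= ch < 127 for ch in out):
            hits.append(key)
    return hits, work

def demo(key=0x5A7):
    with_header = cbc_encrypt(key, HEADER + deflate_raw(SAMPLE))
    headerless = cbc_encrypt(key, deflate_raw(SAMPLE))
    return {"header": search_with_header(with_header),
            "headerless": search_headerless(headerless)}

if __name__ == "__main__":
    for layout, (hits, work) in demo().items():
        print(layout, "surviving keys:", hits, "block decryptions:", work)
```

`demo()` returns, for each layout, the keys that survive the test and the number of block decryptions spent. The header layout costs exactly one decryption and one compare per key; the headerless layout additionally pays for an inflate call per decrypted block and the printable-text check.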

From jimbell at pacifier.com Fri May 31 21:48:27 1996
From: jimbell at pacifier.com (jim bell)
Date: Sat, 1 Jun 1996 12:48:27 +0800
Subject: Java Crypto API questions
Message-ID: <199605312029.NAA01041@mail.pacifier.com>

At 11:44 AM 5/31/96 -0400, Moltar Ramone wrote:
>On Fri, 31 May 1996, Lucky Green wrote:
>> Where does this leave foreign vendors? Will Sun sign the 3DES package of a
>> foreign vendor?
>
>Probably. But they won't be able to export the signed 3DES package :)
>It leaves foreign vendors in trouble, is where.

But why can't they just export the SIGNATURE, if it is detached from the software itself?

Jim Bell
jimbell at pacifier.com

From daw at cs.berkeley.edu Fri May 31 21:50:41 1996
From: daw at cs.berkeley.edu (David Wagner)
Date: Sat, 1 Jun 1996 12:50:41 +0800
Subject: Statistical analysis of anonymous databases
In-Reply-To:
Message-ID: <4onta5$4fb@joseph.cs.berkeley.edu>

In article , Clay Olbon II wrote:
> In medical research (this particular application - there are others I am
> sure) it is desirable to have a large database of individual medical
> histories available to search for correlations, risk factors, etc. The
> problem, of course, is that many individuals want their medical histories
> kept private. It is therefore necessary to maintain a database that is not
> traceable back to individuals. An additional requirement is that people
> must be able to add additional information to their records as it becomes
> available.

How about a simple non-technical solution? Each patient picks a random pseudonym; the database is keyed off that pseudonym, and the person's True Name(tm) never appears in the database. Patients should remember their pseudonym (or write it down); then they can add information to the database.

Ahh, anonymity.

(Hey, I posted about something exportable-- that should fill my quota for the year.
:-)

From jya at pipeline.com Fri May 31 21:53:30 1996
From: jya at pipeline.com (John Young)
Date: Sat, 1 Jun 1996 12:53:30 +0800
Subject: NRC Report, 4, 5, 6
Message-ID: <199606010123.BAA15381@pipe2.t1.usa.pipeline.com>

Part II Policy Instruments

Chapter 4 Export Controls
http://pwp.usa.pipeline.com/~jya/nrc04.txt (163 kb)

Chapter 5 Escrowed Encryption and Related Issues
http://pwp.usa.pipeline.com/~jya/nrc05.txt (144 kb)

Chapter 6 Other Dimensions of National Cryptography Policy
http://pwp.usa.pipeline.com/~jya/nrc06.txt (85 kb)

---------

Tomorrow:

Part III Policy Options, Findings and Recommendations
Chapter 7 Policy Options of the Future
Chapter 8 Synthesis, Findings and Recommendations
14 Appendices

From tcmay at got.net Fri May 31 22:14:38 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 1 Jun 1996 13:14:38 +0800
Subject: Statistical analysis of anonymous databases
Message-ID:

At 10:53 PM 5/31/96, David Wagner wrote:
>In article ,
>Clay Olbon II wrote:
>> In medical research (this particular application - there are others I am
>> sure) it is desirable to have a large database of individual medical
>> histories available to search for correlations, risk factors, etc. The
>> problem, of course, is that many individuals want their medical histories
>> kept private. It is therefore necessary to maintain a database that is not
>> traceable back to individuals. An additional requirement is that people
>> must be able to add additional information to their records as it becomes
>> available.
>
>How about a simple non-technical solution? Each patient picks a
>random pseudonym; the database is keyed off that pseudonym, and the
>person's True Name(tm) never appears in the database. Patients
>should remember their pseudonym (or write it down); then they can
>add information to the database.

This "leaks" too much information. It is not hard at all to figure out that the only 32-year-old white male with appendicitis is Sidney Jackson.
And so on, for enough of the patients to effectively identify most or even all of them. Blinding only the true name while leaving the essentially unique parameter sets unchanged pretty much makes the name blinding moot.

I have a hunch it's possible to blind the individual parameters in some way so as to make analysis possible, but I don't have any approaches in mind.

I recall that Joan Feigenbaum was working on "computing with encrypted instances" for her Ph.D. work at Stanford (she's now at one of the AT&Ts). The idea being quite similar to this application: transform a set of data for analysis by a party which is not to know the nature of the work being done, then transform back the answers obtained.

And there is another angle discussed a few years back in connection with AIDS testing. Specifically, for door-to-door polls asking if a person has been tested for AIDS (or whatever). One effectively "confuses" the answer by flipping a coin or rolling a die and "switching" the answer depending on the results. This allows any particular person to, for example, say "Yes" to the question "Have you been tested for AIDS?" without this actually being the case. (The tosses have to be skewed so that statisticians can still extract/deconvolve useful information.)

I think of this as "plausible deniability."

Of course, this is confusing to the average person, and maybe even to folks like us, so this proposal (by I don't recall whom) has not gone very far. But it shows that some semi-cryptographic protocols could be used to get some sensitive information.

I don't know if something like this could be used for the medical database problem, but it's interesting.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C.
May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From tcmay at got.net Fri May 31 22:52:50 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 1 Jun 1996 13:52:50 +0800
Subject: [Off-Topic] "Curfews"
Message-ID:

Cypherpunks,

This is off-topic for the list, but I want to share it anyway. It touches on issues of increasing police surveillance, and also touches on the issue of "age credentials" (in the sense that how else is a cop who stops a young person for "curfew violation" to determine if a violation has occurred when most 14- and 15-year-olds carry no driver's licenses?)

The "curfew" meme is spreading quickly, with Clinton calling for a federal curfew, at least in cities, and Dole trying to outdo him with even more draconian curfew laws. Many communities already have them, including San Jose, New Orleans, and other large cities. And my own community, Santa Cruz County, ironically begins a curfew program on Saturday, tomorrow.

I wrote this item for our local newsgroup, scruz.general, announcing that "my household" will not abide by this law. I didn't come out and say "my kids" would not abide by it, inasmuch as I have no kids. So I elliptically referred to "parents and guardians"...after all, my sister visits with her husband and son, and in theory I could be the guardian of this kid. And friends bring their kids.

My point is to send a "warning" to the Sheriff's office that at least some households think this crackdown on the movements of children is unacceptable.
Children have the right to travel, especially as the parents permit it, without being stopped, questioned, forced to state their destinations, and, if the answers don't satisfy the cop, taken into detention at some children's equivalent of a "drunk tank."

(Some purists claim that children are exempted from normal constitutional protections, such as the right of free association, the right to be free from unwarranted searches and seizures, the right of free speech, etc. Especially this comes up in debates about rights in public schools (speech, locker searches, movements are controlled, etc.). But I think a public school environment is a dramatically different situation, whatever one thinks of these claims about rights, from a kid walking on a public street. To claim that such a child may be stopped, interrogated, taken to a detention center, without a crime having been committed, is a clear violation of his or her rights.)

As I said, should such curfews become widespread, children will of course need forms of age identification, and this opens yet another door for universal I.D. cards. And for "travel papers." Maybe it would be easier to just put a tattoo on their arms--especially as the younger generation is so into tattoos these days.

"Pappieren, bitte. Macht schnell!"

Here's what I sent in to scruz.general tonight:

So Santa Cruz begins its own fascist crackdown on the free movements of persons. The "curfew" begins Saturday night.

Allegedly these persons are children, but it is up to parents and guardians to control the movements of their children or charges in public places, NOT the function of the police to detain these children or charges.

(Initially a "warning," but the child's name is recorded in police data bases....if the child is detained a second time, he or she may face detention time, community service, fines on the parents or guardians, and so forth.)

ANNOUNCEMENT: I am responsible for the children in my household or in my custody or guardianship.
Not the cops. Not the Sheriff. Not the CAMP helicopters. Not the narcs. Not the vice squad. Not anyone but me.

I am instructing those in my household or who visit to IGNORE all interrogations by cops. I am telling them not to let the cops search their bags, not to let the cops ask where they are going, not to let the cops demand that they give a reason for being out.

If they pick up people from my household, I expect the children to remain silent and to just fill up the god-damned jail cells until I eventually raise a ruckus and (maybe) pick them up.

If some kids are out and about and making mischief, the cops should concentrate on catching _those_ children! Don't immobilize all kids for the sake of supposedly cutting down on the activities of the perps. As with so many do-gooder laws, the effect will largely be felt on the "good" kids and will be ignored or evaded by the "bad" kids.

As to the claims that children have no valid reason to be out after 9, or 11, or whatever, this is not for anyone but the parents and guardians to decide. The god-damned cops are not the ones to decide what a valid reason for being out is.

(I have heard that "religious worship," a la "Midnight Mass," is one of the valid reasons for a child to be out after curfew. Fine, religion is then the stated reason those in my household are out! I will tell them to tell any nosy cops or Sheriff's Deputies that they are worshippers of Baal, and Baal requires them to be out to appreciate the darkness. If the cops claim this is "not a valid religion," I will recite to them the First Amendment of the U.S. Constitution, where it says: "Congress shall make no law respecting the establishment of religion or prohibiting the free exercise thereof.")

I moved to the rural part of Santa Cruz, Corralitos, to escape this fascist and socialist nonsense, and now I find it primarily the Sheriff-dominated parts of this county which will now claim to tell parents and guardians they no longer control their children.
Fuck this.

--Tim May

--
Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From tcmay at got.net Fri May 31 23:08:46 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 1 Jun 1996 14:08:46 +0800
Subject: "Anonymity is bad," says a source who wishes to remain anonymous
Message-ID:

I'm not going to dig up the exact quote, but I was struck by a couple of "comments" on crypto policy recently. One involved some crypto news of several days ago, and one was reported yesterday in the "San Jose Mercury News," in an early glimpse of what the NRC report would say.

In both cases--and these were not the first such cases I've seen--a source "who wishes to remain anonymous" is announcing just how bad and dangerous crypto, anonymity, remailers and stuff like that are.

"But the official, speaking on condition of anonymity, insisted that any computer system that did not include a way for authorities to decipher data would 'pose very costly and time-consuming problems' for law enforcement officials." [SJMN, C1, 1996-05-30]

""Anonymity is bad," says a source who wishes to remain anonymous."

The definition of irony, I'd say.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C.
May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From shamrock at netcom.com Fri May 31 23:43:50 1996
From: shamrock at netcom.com (Lucky Green)
Date: Sat, 1 Jun 1996 14:43:50 +0800
Subject: Statistical analysis of anonymous databases
Message-ID:

At 15:53 5/31/96, David Wagner wrote:
>How about a simple non-technical solution? Each patient picks a
>random pseudonym; the database is keyed off that pseudonym, and the
>person's True Name(tm) never appears in the database. Patients
>should remember their pseudonym (or write it down); then they can
>add information to the database.

In medical research, third party audit, i.e., the Department of Health and Human Services, is often required. A simple pseudonym picked by the patient won't do.

Disclaimer: My opinions are my own, not those of my employer.

-- Lucky Green
PGP encrypted mail preferred.
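An added example, not part of any message in this thread: the skewed-toss polling scheme Timothy C. May describes earlier under this subject, known in the survey literature as randomized response, simulated together with the deconvolution step and the deniability each respondent keeps. The truth-telling probability of 0.75, the 10% true rate, the seed and all function names are assumptions chosen for the illustration.

```python
import random


def respond(truth, p_truth, rng):
    """One respondent: give the true answer with probability p_truth,
    otherwise give the switched answer. Only the respondent sees the toss."""
    return truth if rng.random() < p_truth else not truth


def estimate_rate(yes_fraction, p_truth):
    """Deconvolve the population 'yes' rate from the reported 'yes' fraction.

    reported = p*rate + (1-p)*(1-rate)  =>  rate = (reported - (1-p)) / (2p - 1)
    """
    if abs(2 * p_truth - 1) < 1e-9:
        # An unskewed toss makes every report independent of the truth.
        raise ValueError("p_truth = 0.5 leaves nothing to deconvolve")
    est = (yes_fraction - (1 - p_truth)) / (2 * p_truth - 1)
    return min(1.0, max(0.0, est))  # clamp sampling noise into [0, 1]


def posterior_yes(true_rate, p_truth):
    """P(really 'yes' | reported 'yes'): what one answer reveals to the pollster."""
    reported_yes = p_truth * true_rate + (1 - p_truth) * (1 - true_rate)
    return p_truth * true_rate / reported_yes


def run_survey(n, true_rate, p_truth, seed=1996):
    """Simulate n respondents; return (actual rate, reported rate, estimate)."""
    rng = random.Random(seed)  # constructed population, fixed seed
    truths = [rng.random() < true_rate for _ in range(n)]
    reports = [respond(t, p_truth, rng) for t in truths]
    reported = sum(reports) / n
    return sum(truths) / n, reported, estimate_rate(reported, p_truth)


if __name__ == "__main__":
    actual, reported, est = run_survey(100_000, true_rate=0.10, p_truth=0.75)
    print(f"actual={actual:.3f} reported={reported:.3f} estimate={est:.3f}")
    print(f"P(really yes | said yes) = {posterior_yes(0.10, 0.75):.2f}")
```

The aggregate rate is recovered closely, yet a single "Yes" only raises the pollster's belief about that respondent from 10% to 25%.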