From dlv at bwalk.dm.com Mon Jan 1 08:40:22 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Mon, 1 Jan 96 08:40:22 PST
Subject: Can We Cut the Crap?
In-Reply-To: <199601010637.AAA22761@dal1820.computek.net>
Message-ID:

"Ed Carp [khijol SysAdmin]" writes:
> No one is forcing you to read anything I, or anyone else, says. If you
> don't like it, the 'd' key is somewhere on your keyboard. Or is that too
> much manual labor for you? Grrr...

Ed, no one forced you (or anyone else) to read Fred Cohen while he was
posting to this mailing list. I happen to be interested in his point of
view. I may or may not agree with it, but I want to know it and I'm
grateful to Fred for having taken his time to write.

There are people on this mailing list who appear to have very little
technical expertise (e.g., can't figure out how an anonymous remailer
works), contribute nothing but silly puerile flames to the discussion,
and whose harassment has caused Fred to stop contributing. They've
deprived Fred of his right to speak and readers like me of our right to
listen. This is censorship by bullying.

There exists, AFAIK, no procmail for the weird setup I have on this box.
As soon as I get something working, I'll start junking the flamers from
my mail feed.

---

Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

From attila at primenet.com Mon Jan 1 02:01:40 1996
From: attila at primenet.com (attila)
Date: Mon, 1 Jan 1996 18:01:40 +0800
Subject: Australian "calculatorcard"
In-Reply-To: <01HZH81Y0DKI95P3WV@MAIL-CLUSTER.PCY.MCI.NET>
Message-ID:

On Mon, 1 Jan 1996, amp wrote:

> DS> I'd think you could have the server safely accept # N, N-60 sec, and
> DS> N+60 seconds; and adjust the server's idea of your card's clock speed
> DS> from that.
>
> DS> What new risk would that create?
>
> i would figure the server would give a minute or so for slippage.
> basically the risk is that it would give someone 3 minutes to do a
> brute force attack rather than one. if you have decent security on
> the server side, i.e., disallow the card for 5 minutes or more after 3
> or so failed attempts, brute attacks would be minimized. however, if
> the actual window for a single code is 3 minutes, that increases your
> chance of hitting it as 3 separate numbers would be valid for a given
> card at any given time.
>
START

Bank wire systems over the SWIFT private wire are time synched much
closer than a minute although I have never been given more of an answer
than that.

given that you have a tolerable high speed link, and are not dealing
with an overloaded concentrator at the telco -> carrier interface or an
overloaded server, I believe you can solve most of the windowing problem
by:

    1. client sends number and time to server
    2. server sends what it thinks as time to client
    3. client can place a delta on server's time for local time
    4. enter PIN, etc.

and you are working with a much narrower window. the security risk does
not appear to increase from the exchange times and entering the PIN and
letting the normal progression go forward once v. just monitoring a
series of successive verifications trying to effect a pattern in the
hash.

Secure-ID seems to be a one-time time-based single use pad; to me, using
a time exchange initiator has the advantage of a smaller window, and
fewer problems with client machines running on strange times which
require sloppier time windows.

END

From raph at CS.Berkeley.EDU Mon Jan 1 07:06:58 1996
From: raph at CS.Berkeley.EDU (Raph Levien)
Date: Mon, 1 Jan 1996 23:06:58 +0800
Subject: List of reliable remailers
Message-ID: <199601011450.GAA17007@kiwi.cs.berkeley.edu>

I operate a remailer pinging service which collects detailed
information about remailer features and reliability.
To use it, just finger remailer-list at kiwi.cs.berkeley.edu

There is also a Web version of the same information, plus lots of
interesting links to remailer-related resources, at:

    http://www.cs.berkeley.edu/~raph/remailer-list.html

This information is used by premail, a remailer chaining and PGP
encrypting client for outgoing mail, which is available at:

    ftp://ftp.csua.berkeley.edu/pub/cypherpunks/premail/premail-0.33a.tar.gz

For the PGP public keys of the remailers, finger
pgpkeys at kiwi.cs.berkeley.edu

This is the current info:

REMAILER LIST

This is an automatically generated listing of remailers. The first part
of the listing shows the remailers along with configuration options and
special features for each of the remailers. The second part shows the
12-day history, and average latency and uptime for each remailer. You
can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu.

$remailer{"extropia"} = " cpunk pgp special";
$remailer{"portal"} = " cpunk pgp hash";
$remailer{"alumni"} = " cpunk pgp hash";
$remailer{"bsu-cs"} = " cpunk hash ksub";
$remailer{"c2"} = " eric pgp hash reord";
$remailer{"penet"} = " penet post";
$remailer{"ideath"} = " cpunk hash ksub reord";
$remailer{"hacktic"} = " cpunk mix pgp hash latent cut post ek";
$remailer{"flame"} = " cpunk mix pgp. hash latent cut post reord";
$remailer{"rahul"} = " cpunk pgp hash filter";
$remailer{"mix"} = " cpunk mix pgp hash latent cut ek ksub reord ?";
$remailer{"ford"} = " cpunk pgp hash ksub ek";
$remailer{"hroller"} = " cpunk pgp hash latent ek";
$remailer{"vishnu"} = " cpunk mix pgp. hash latent cut ek ksub reord";
$remailer{"robo"} = " cpunk hash mix";
$remailer{"replay"} = " cpunk mix pgp hash latent cut post ek";
$remailer{"spook"} = " cpunk mix pgp hash latent cut ek reord";
$remailer{"rmadillo"} = " mix cpunk pgp hash latent cut ek";
$remailer{"ecafe"} = " cpunk mix";
$remailer{"wmono"} = " cpunk mix pgp. hash latent cut";
$remailer{"shinobi"} = " cpunk mix hash latent cut ek reord";
$remailer{"amnesia"} = " cpunk mix pgp hash latent cut ek ksub";
$remailer{"gondolin"} = " cpunk mix pgp hash latent cut ek reord";
$remailer{"tjava"} = " cpunk mix pgp hash latent cut";
$remailer{"pamphlet"} = " cpunk pgp hash latent cut";
$remailer{'alpha'} = ' alpha pgp';
$remailer{'gondonym'} = ' alpha pgp';

catalyst at netcom.com is _not_ a remailer.
lmccarth at ducie.cs.umass.edu is _not_ a remailer.
usura at replay.com is _not_ a remailer.

Groups of remailers sharing a machine or operator:
(c2 robo hroller alpha)
(gondolin gondonym)
(flame hacktic replay)
(alumni portal)
(vishnu spook wmono)

Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys
for the remailers. Fingering this address works too.

Note: all of the "ek" tags have been verified correct. Apologies to
those who were inconvenienced by incorrect "ek" tags in the past.

Last update: Mon 1 Jan 96 6:49:52 PST

remailer email address                    history       latency   uptime
-----------------------------------------------------------------------
c2       remail at c2.org                 +.-+++-.-***    47:18  99.99%
hacktic  remailer at utopia.hacktic.nl    *****+******     8:12  99.99%
bsu-cs   nowhere at bsu-cs.bsu.edu        #*#+#+##++*#     3:50  99.98%
replay   remailer at replay.com           *****+**+***     6:58  99.98%
pamphlet pamphlet at idiom.com            +--++*        1:32:43  99.97%
ford     remailer at bi-node.zerberus.de  -+-++-+--+++  2:16:40  99.97%
hroller  hroller at c2.org                #.-##+-.-#*#    23:11  99.94%
flame    remailer at flame.alias.net      +.-----+-++   2:35:44  99.93%
spook    remailer at valhalla.phoenix.net *.--+-.--.-+  4:33:40  99.88%
amnesia  amnesia at chardos.connix.com    -++---------  3:31:08  99.85%
rmadillo remailer at armadillo.com        +++++++ ####    15:42  99.81%
mix      mixmaster at remail.obscura.com  __.------+-   6:43:02  99.77%
extropia remail at extropia.wimsey.com    --.--------   5:40:08  99.69%
wmono    wmono at valhalla.phoenix.net    * **+ *** *     13:04  98.86%
penet    anon at anon.penet.fi            --- *+++++++  3:07:11  98.86%
alumni   hal at alumni.caltech.edu        +###*++*-- #    31:22  98.14%
vishnu   mixmaster at vishnu.alias.net    ----- - -*    1:22:32  98.12%
portal   hfinney at shell.portal.com      #####+##- #     26:19  97.36%
shinobi  remailer at shinobi.alias.net    -+++++++++    1:33:37  90.69%
rahul    homer at rahul.net               -+##*+*+####     5:20  99.99%
tjava    remailer at tjava.com            #+#*#*#           :40  89.19%
ecafe    cpunk at remail.ecafe.org        -#___.##     16:32:15  67.10%
gondolin mix at remail.gondolin.org       -*+..*       15:03:39  46.77%

History key
* # response in less than 5 minutes.
* * response in less than 1 hour.
* + response in less than 4 hours.
* - response in less than 24 hours.
* . response in more than 1 day.
* _ response came back too late (more than 2 days).

cpunk    A major class of remailers. Supports Request-Remailing-To:
         field.
eric     A variant of the cpunk style. Uses Anon-Send-To: instead.
penet    The third class of remailers (at least for right now). Uses
         X-Anon-To: in the header.
pgp      Remailer supports encryption with PGP. A period after the
         keyword means that the short name, rather than the full email
         address, should be used as the encryption key ID.
hash     Supports ## pasting, so anything can be put into the headers
         of outgoing messages.
ksub     Remailer always kills subject header, even in non-pgp mode.
nsub     Remailer always preserves subject header, even in pgp mode.
latent   Supports Matt Ghio's Latent-Time: option.
cut      Supports Matt Ghio's Cutmarks: option.
post     Post to Usenet using Post-To: or Anon-Post-To: header.
ek       Encrypt responses in reply blocks using Encrypt-Key: header.
special  Accepts only pgp encrypted messages.
mix      Can accept messages in Mixmaster format.
reord    Attempts to foil traffic analysis by reordering messages.
         Note: I'm relying on the word of the remailer operator here,
         and haven't verified the reord info myself.
mon      Remailer has been known to monitor contents of private email.
filter   Remailer has been known to filter messages based on content.
         If not listed in conjunction with mon, then only messages
         destined for public forums are subject to filtering.

Raph Levien

From jya at pipeline.com Mon Jan 1 07:21:24 1996
From: jya at pipeline.com (John Young)
Date: Mon, 1 Jan 1996 23:21:24 +0800
Subject: 96R_azz
Message-ID: <199601011504.KAA14190@pipe1.nyc.pipeline.com>

1-1-96: NYP:

Denise Caruso offers '96 resolutions on Nscp/Aol bugs, Web rubes, daft
pols, Gates' dogs, crypto zip, Apple rot, W$ dupes.

96R_azz

From Steve14571 at aol.com Mon Jan 1 08:29:56 1996
From: Steve14571 at aol.com (Steve14571 at aol.com)
Date: Tue, 2 Jan 1996 00:29:56 +0800
Subject: Who sent me this message?
Message-ID: <960101111333_28712586@emout04.mail.aol.com>

Someone from this list sent me a message encrypted with the
international version of PGP 2.6.2. Unfortunately, my system crashed and
lost the email address... Plaintext of the message follows:

Hi Stephen,

>Me too 8^) This is a 2047 bit key (I think big) :-)
As I can see. How did you generate this key? Are you using a special
version of PGP?

Maybe something about myself to start with: I'm from Belgium (that small
spot between France, Germany and the Netherlands). I work in a bank (no,
this does not mean that I'm swimming in money!) as a system engineer. We
work mainly with A-Series mainframes from UNISYS. At home I spent some
time on the internet, my PC, reading a good book and last but not least
having a beer with my friends.

That's it for now, looking forward to hear from you again.

Happy New Year!

Luc

Whoever sent me this message please write back, and send a public key so
that I can respond.

From campbelg at limestone.kosone.com Mon Jan 1 09:36:00 1996
From: campbelg at limestone.kosone.com (Gordon Campbell)
Date: Tue, 2 Jan 1996 01:36:00 +0800
Subject: Can We Cut the Crap?
Message-ID: <2.2.32.19960101164513.006a3e98@limestone.kosone.com>

At 12:18 PM 12/31/95 -0800, tcmay at got.net (Timothy C. May) wrote:
>
>Really, the S/N ratio is approaching all-time lows, even for the Silly
>Season of Xmas. A week or so ago there was a massive flame war involving
>insults and counter-insults--I returned from my Xmas vacation to find the
>list melting down. Now, a week later, a new flamewar has erupted.

As a lurker on the list, I'd like to second this opinion. The
cypherpunks list is held up to be this almighty oracle of cryptographic
information. Yet, every time I subscribe to it (this is the fourth time
in a year) I have to wade through irrelevant personal attacks and
various other rubbish. I mean, really. This is worse than Fidonet.

However, I suppose that with any gathering of (mostly) intelligent,
liberty and privacy minded people, there are likely to be clashes of one
sort or another. If the anonymous twits will grow up and stop stirring
things up, maybe the rest of us can learn something.

Just my $0.02

-----
Gordon R. Campbell, Owner - Mowat Woods Graphics
P.O. Box 1902, Kingston, Ontario, Canada K7L 5J7
Ph: (613) 542-4087 Fax: (613) 542-1139
2048-bit PGP key available on request.

From erc at dal1820.computek.net Mon Jan 1 09:41:24 1996
From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin])
Date: Tue, 2 Jan 1996 01:41:24 +0800
Subject: Can We Cut the Crap?
In-Reply-To:
Message-ID: <199601011646.KAA23871@dal1820.computek.net>

-----BEGIN PGP SIGNED MESSAGE-----

> There are people on this mailing list who appear to have very little technical
> expertise (e.g., can't figure out how an anonymous remailer works), contribute
> nothing but silly puerile flames to the discussion, and whose harassment has
> caused Fred to stop contributing. They've deprived Fred of his right to speak
> and readers like me of our right to listen. This is censorship by bullying.

Now there you are wrong.
No one forced Fred to stop posting to the list (I noticed that I just
got a posting from him just yesterday, so he may have stopped since
then), but no one deprived Fred of his right to speak. I don't see Eric
Hughes standing up and saying "Fed, stop posting to the list", and I
certainly note that his postings are getting through to the list. So,
your statements regarding people harassing Fred, causing him to stop
posting, etc., are just eyewash and an attempt to emotionally manipulate
your audience by calling it "censorship".

- --
Ed Carp, N7EKG          Ed.Carp at linux.org, ecarp at netcom.com
                        214/993-3935 voicemail/digital pager
                        800/558-3408 SkyPager
Finger ecarp at netcom.com for PGP 2.5 public key   an88744 at anon.penet.fi

"Past the wounds of childhood, past the fallen dreams and the broken
families, through the hurt and the loss and the agony only the night
ever hears, is a waiting soul. Patient, permanent, abundant, it opens
its infinite heart and asks only one thing of you ... 'Remember who it
is you really are.'"

-- "Losing Your Mind", Karen Alexander and Rick Boyes

From bplib at wat.hookup.net Mon Jan 1 09:52:33 1996
From: bplib at wat.hookup.net (Tim Philp)
Date: Tue, 2 Jan 1996 01:52:33 +0800
Subject: Canadian Cypherpunks
Message-ID:

Is there some interest in a meeting of Canadian Cypherpunks? If you are
a Canadian (or an American who is fortunate enough to live near our
sainted shores ;-)) send me a private E-mail message. Because Canada is
such a big country, I propose that we start with a meeting in Toronto or
area. If there is enough interest, I will arrange for a meeting place.
Regards,

Tim Philp

===================================
For PGP Public Key, Send E-mail to:
pgp-public-keys at swissnet.ai.mit.edu
In Subject line type:
GET PHILP
===================================

From dlv at bwalk.dm.com Mon Jan 1 10:16:24 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Tue, 2 Jan 1996 02:16:24 +0800
Subject: Can We Cut the Crap?
In-Reply-To: <199601011646.KAA23871@dal1820.computek.net>
Message-ID:

"Ed Carp [khijol SysAdmin]" writes:
> > There are people on this mailing list who appear to have very little techni
> > expertise (e.g., can't figure out how an anonymous remailer works), contrib
> > nothing but silly puerile flames to the discussion, and whose harassment ha
> > caused Fred to stop contributing. They've deprived Fred of his right to spr
> > and readers like me of our right to listen. This is censorship by bullying.
>
> Now there you are wrong. No one forced Fred to stop posting to the list
> (I noticed that I just got a posting from him just yesterday, so he may
> have stopped since then), but no one deprived Fred of his right to speak.
> I don't see Eric Hughes standing up and saying "Fed, stop posting to the
> list", and I certainly note that his postings are getting through to the
> list. So, your statements regarding people harassing Fred, causing him to
> stop posting, etc., are just eyewash and an attempt to emotionally
> manipulate your audience by calling it "censorship".

Ed, I've met Eric Hughes. You're no Eric Hughes.

The crypto people on this mailing list have asked people repeatedly to
curtail non-crypto-related postings (most recently, Tim May, who started
this thread). This is not censorship. The silencing of Fred Cohen by a
lynch mob of non-technicals (who, e.g., send e-mail twice) is a
disturbing example of censorship.

---

Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

From erc at dal1820.computek.net Mon Jan 1 10:40:19 1996
From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin])
Date: Tue, 2 Jan 1996 02:40:19 +0800
Subject: Can We Cut the Crap?
In-Reply-To:
Message-ID: <199601011751.LAA27876@dal1820.computek.net>

-----BEGIN PGP SIGNED MESSAGE-----

>
> "Ed Carp [khijol SysAdmin]" writes:
> > > There are people on this mailing list who appear to have very little techni
> > > expertise (e.g., can't figure out how an anonymous remailer works), contrib
> > > nothing but silly puerile flames to the discussion, and whose harassment ha
> > > caused Fred to stop contributing. They've deprived Fred of his right to spr
> > > and readers like me of our right to listen. This is censorship by bullying.
> >
> > Now there you are wrong. No one forced Fred to stop posting to the list
> > (I noticed that I just got a posting from him just yesterday, so he may
> > have stopped since then), but no one deprived Fred of his right to speak.
> > I don't see Eric Hughes standing up and saying "Fed, stop posting to the
> > list", and I certainly note that his postings are getting through to the
> > list. So, your statements regarding people harassing Fred, causing him to
> > stop posting, etc., are just eyewash and an attempt to emotionally
> > manipulate your audience by calling it "censorship".
>
> Ed, I've met Eric Hughes. You're no Eric Hughes.

So? How do you know? Your comment made absolutely no sense at all.

> The crypto people on this mailing list have asked people repeatedly to
> curtail non-crypto-related postings (most recently, Tim May, who started
> this thread). This is not censorship. The silencing of Fred Cohen by a lynch
> mob of non-technicals (who, e.g., send e-mail twice) is a disturbing example
> of censorship.

Crap.
If Fred doesn't want to post, that's his choice (as he has indicated in
private mail to me), but it's not your call to conclude that he is being
"censored".

- --
Ed Carp, N7EKG          Ed.Carp at linux.org, ecarp at netcom.com
                        214/993-3935 voicemail/digital pager
                        800/558-3408 SkyPager
Finger ecarp at netcom.com for PGP 2.5 public key   an88744 at anon.penet.fi

"Past the wounds of childhood, past the fallen dreams and the broken
families, through the hurt and the loss and the agony only the night
ever hears, is a waiting soul. Patient, permanent, abundant, it opens
its infinite heart and asks only one thing of you ... 'Remember who it
is you really are.'"

-- "Losing Your Mind", Karen Alexander and Rick Boyes

From jmatk at tscm.com Mon Jan 1 10:48:52 1996
From: jmatk at tscm.com (James M. Atkinson, Comm-Eng)
Date: Tue, 2 Jan 1996 02:48:52 +0800
Subject: TSCM.COM Counter Surveillance, Privacy, & Security Page
Message-ID:

Happy New Year!!!!!

TSCM Technical Surveillance Counter Measure - new materials finished...

Check it out... http://www.tscm.com/

New section on TSCM test equipment
New section on TSCM training and career paths

Coming Soon,
TSCM Hand tools
TSCM and Technical Surveillance books

- James M. Atkinson
"...shaken, not stirred"

From froomkin at law.miami.edu Mon Jan 1 10:49:31 1996
From: froomkin at law.miami.edu (Michael Froomkin)
Date: Tue, 2 Jan 1996 02:49:31 +0800
Subject: SEY_use
In-Reply-To: <199512311518.KAA19667@pipe4.nyc.pipeline.com>
Message-ID:

SEY_use

A. Michael Froomkin        | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law |
U. Miami School of Law     | froomkin at law.miami.edu
P.O. Box 248087            | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's warm here.

From hal9001 at panix.com Mon Jan 1 12:10:25 1996
From: hal9001 at panix.com (Robert A. Rosenberg)
Date: Tue, 2 Jan 1996 04:10:25 +0800
Subject: "Deterrence"
Message-ID:

At 19:17 12/29/95, jim bell wrote:
>In my essay, "Assassination Politics," I pointed out that it would be
>relatively easy to deter such official-type actions if enough of us simply
>said, "NO!" and denominated it in terms of dollars and cents. After all,
>with four million Compuserve users, if they each were willing to donate a
>penny to see this latter-day Fuhrer dead, that would be $40,000. (Pardon me
>if I don't translate this into marks and other currencies.)
[snip]
>WHEN, exactly, would it be appropriate to act?

This reminds me of a Science Fiction story by H. Beam Piper called "A
Planet for Texans" where as part of the laws of the planet (and the oath
of office) was a statement that the politician was representing the
interests of ALL of their constituents. Every constituent had the legal
right (and duty) to register any protests of the politician's actions
_in-person_ with said politician. Such protest could take any form
up-to-and-including killing the SOB on the spot. In the story, this
right was illustrated by a small farmer being charged with killing a
Senator by hacking him to death with a machete (all legal protests are
required to be registered in person and use of long range techniques
such as car-bombs or sniping with rifles is not regarded as a valid
protest) and we are shown his trial. The charge is not killing the
Senator (which is by law the farmer's right since he felt that the
Senator was violating his oath of office by misrepresenting him) but
whether, in exercising this right, he used excessive force out of
proportion to the actions that were being protested.

From hal9001 at panix.com Mon Jan 1 12:11:47 1996
From: hal9001 at panix.com (Robert A. Rosenberg)
Date: Tue, 2 Jan 1996 04:11:47 +0800
Subject: (NOISE) Re: PLA_gue Germ Terrorism
Message-ID:

At 21:54 12/30/95, jonnyx wrote:
>
>Think that's fun? How 'bout this: given that the initial "mapping"
>phase of the human genome project is nearly complete, and the huge
>amount of genetic information available on the net, PLUS ever-
>more-powerful-yet-less-costly computers anyone can purchase, just
>how long do y'all think it'll be before some nut whips up a bug
>that targets, say, people with negroid genetic characteristics?
>Or epicanthic folds? Or blonde hair?

This reminds me of a 1940's Novel by Science Fiction Author Robert A.
Heinlein called "Sixth Column." In it the US has been conquered by an
invasion from Asia and the resistance (such as it is) is a small Top
Secret hidden US Army research center with some equipment that can act
on people based on their genetic makeup. Thus when it is time to go
after the invaders, it is done with guns that kill only Asians but have
no effect on anyone-else.

From attila at primenet.com Mon Jan 1 12:20:10 1996
From: attila at primenet.com (attila)
Date: Tue, 2 Jan 1996 04:20:10 +0800
Subject: SEY_use
In-Reply-To:
Message-ID:

somewhere along the line, the body of your message was lost...

the concept is interesting... diplomatic immunity is not automatic in
that it implies diplomatic recognition. does a rogue state enjoy the
privilege of obviously bogus diplomatic passports? the diplomatic
passport is a "gentleman's agreement" to facilitate trading intelligence
officers --sarcastic maybe, truthful? been there, done that.

if nothing else, the bearer of a diplomatic passport can be effectively
forcing house arrest in the embassy/consulate while the host government
forces a recall --I hope the islands have a luxury hotel in every port
of call.

actually, I would be more interested in your comments on the wire fraud
charges used for an "insufficient" lab facility of a known
microbiologist who happens to be a kook.
standard US procedural use of conspiracy or wire fraud and/or conspiracy
to force a plea bargain. In return, we get more government bureaucracy,
and probably government review of credentials, or licensing. academic
freedom?

From m5 at dev.tivoli.com Mon Jan 1 12:44:09 1996
From: m5 at dev.tivoli.com (Mike McNally)
Date: Tue, 2 Jan 1996 04:44:09 +0800
Subject: Guerilla Internet Service Providers
In-Reply-To:
Message-ID: <9601012017.AA15101@alpha>

Timothy C. May writes:
> And support your local ISPs!
>
> (Or, even better, direct connection to the Net, though this is harder for
> most of us to arrange.)

For how long is this really going to be the case? As the whole world of
HTTP and related things (like Java & VRML) advances in capability and
sophistication, how long will the Compuserve/AOL/Genie "Big Online
Service" model continue to make sense?

Seems to me that as soon as things like a general-purpose browser (and
associated TCP/IP stack & PPP or SLIP) becomes as easy to load up as an
AOL demo disk, and local ISP's are listed in the yellow pages, the
advantage of being able to pay a provider for nothing more than the
routing of IP packets so that the net as a whole can be explored (and,
perhaps, more services purchased) will FAR outweigh any of the goodies
the current big providers offer.

The flip side of that, of course, is that big service providers can
offer access to their goodies to anybody with net access.

That sort of setup would make the whole concept of Internet regulation
even more bizarre; we'd really have something more directly parallel to
the phone system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) |
| stand there and flap your arms like a fish. | Tivoli Systems, Austin TX       |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From vznuri at netcom.com Mon Jan 1 13:00:22 1996
From: vznuri at netcom.com (Vladimir Z. Nuri)
Date: Tue, 2 Jan 1996 05:00:22 +0800
Subject: p vs. np etc.
In-Reply-To:
Message-ID: <199601012034.MAA28180@netcom2.netcom.com>

TCM:
>There is no point in the back-and-forth of insults, "Dr. Fred is a loon,"
>"Alice is Detweiler," and other such nonsense. If you don't want to read
>the comments of Fred Cohen, Dimitri Vulis, Alice whatever,
>Vlad/Lance/Larry/Pablo, then just don't read them! Filter them out, delete
>them immediately, read them briefly, whatever.

this of course would be obvious to anyone without an ego. however
because this list is really "war of the egos", it escapes everyone here
(and has for the entire existence of the list). far more fun to yell at
someone publicly, esp. through a pseudonym. interesting too how some
people who use pseudonyms still cannot avoid defending themselves when
attacked. it appears that pseudonyms do not dissociate ego-based
psychology from communication. in fact to the contrary they appear to
make it more prevalent. this would be an interesting area to study. ripe
with lots of seething, semi-conscious feelings and attitudes deep within
the psyche. Freud would have a field day with flamewars, trolls, and
pseudonyms.

> I'm not convinced there's much more about the
>_theory_ of viruses to "push forward," for various reasons. The theory was
>laid out, some Bulgarians and others are busily writing viruses, but
>there's not likely to be some whole reservoir of new theory to be worked
>on.

I object. this sounds like the 1890 patent worker who suggested the
patent office be shut down because, after all, all the important
inventions had already been invented. you are careful to attribute your
opinion only to yourself, but you must recognize how dangerous
speculation about the future is, if you wish to preserve your
credibility in the long run. especially sentences that sound like,
"there is not much more to be uncovered in so-and-so area" tend to sound
especially foolish from future perspectives.
the Virus area is in fact ripe with study. Java is actually a language
designed to prevent viruses. many have proposed operating systems for
computers that may work like the way computer viruses spread. I predict
that virus study is really going to blossom even more once Java or other
similar languages become more entrenched and "distributed computing"
really comes to the fore.

>(This is true of a lot of fields, where the work done decades ago
>basically was complete....look at how we all cite Garey and Johnson and how
>little has changed in the field of NP-completeness.)

whoa, you are way off here. NP vs. P is a field *ripe* with new studies.
what these pioneers did was map out the terrain. but there are still
many *unresolved* areas of research here. P vs. NP is *entirely*
unresolved. that doesn't mean that someone has come up with an answer
and everyone says, "the field is basically complete". what it means is
that a bazillion researchers are dying to know the answers to tough
questions posed by the pioneers decades ago. it is true there is little
progress in some key areas, but only because the problems are so
insanely difficult. the work is only "complete" in the sense that it has
posed questions that have not required any modification-- they are still
the hardest in all of mathematics and computer science, and still not
solved.

are you aware of how critical the P vs. NP question is to cryptography?
theoretically public key cryptography and many other forms in common use
today would be "impossible" if P= NP. I've met some very good
cryptographers who don't understand this basic point of computer theory.
they think one can always just create more ingenious algorithms.

>Blasting Cohen because you don't think he carried his work far enough is
>clearly blasting wildly. Have you asked whether others on this list have
>carried the work they did in their early careers far enough? (Did I carry
(Did I carry >my work in the 1970s on alpha particle effects on chips far enough, or am I >just a Cohen-like slacker because I moved on to other things?) uhm, I have to side with PM on this one -- I vote for 40-something slacker. >So why don't I just do this? Well, I do have a filter file in my Eudora Pro >mailer, and I use it. But I still see the crossfire on the list, the >pointless flames and personal attacks. This angers and saddens me. Hence >this message. the noise is a periodic reoccurence because of the basic list architecture. personally I enjoy it immensely. it's all the grandeur and muck of seething human psychology in digital form. no amount of continual concerned messages will ever change the basic fact that the list architecture by design is highly conducive to noise. to complain about this is like complaining that cars emit exhaust. well, yes, but that's the basic design. you can't get rid of the exhaust until you experiment with a new design. I'm actually not necessarily in favor of a new design here either, even though I have suggested variations/alternatives frequently. as I say, I enjoy it here a lot. > The recent increase in "one-sentance >repartee" is indicative of late-stage list meltdown. (Some of the posts >here quote a couple of paragraphs, add one or two lines of insults, then > have another screenful of PGP sigs, auto-signing sigs, anonymous IDs, and >then a conventional sig. Jeesh!) hee, hee. "meltdown". love that term. but again you mix big egos and a totally open list (throw in a little cryptoanarchy for more explosive force), and this is the inevitable result. there's nothing perplexing or mystifying why this happens. its the basic conclusion reaffirmed zillions of times by many years of this list activity. to complain about this reminds me of person who murdered his parents and then pleads to the court that he was an orphan who deserves relief. 
that is, this situation here is the creation of everyone who participates, and those who suffer are precisely those that created it. cyberspatial karma if you will. >I'm hoping that this is just a Xmas vacation silly season. well you can always post a exasperated message in which you declare you've had it with the list, period, and are not going to hang out here any more. there is a precedent for that kind of thing. From shamrock at netcom.com Mon Jan 1 13:31:16 1996 From: shamrock at netcom.com (Lucky Green) Date: Tue, 2 Jan 1996 05:31:16 +0800 Subject: Guerilla Internet Service Providers Message-ID: At 14:17 1/1/96, Mike McNally wrote: >Seems to me at as soon as things like a general-purpose browser (and >associated TCP/IP stack & PPP or SLIP) becomes as easy to load up as >an AOL demo disk, and local ISP's are listed in the yellow pages, the >advantage of being able to pay a provider for nothing more than the >routing of IP packets so that the net as a whole can be explored (and, >perhaps, more services purchased) will FAR outweigh any of the goodies >the current big providers offer. But how many of them will be willing to forward certain newsgroups if doing so carries a mandatory 10 year prison term? Hint: count the number of narcotics dealers that advertize in your local yellow pages. -- Lucky Green PGP encrypted mail preferred. From m5 at dev.tivoli.com Mon Jan 1 13:47:56 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Tue, 2 Jan 1996 05:47:56 +0800 Subject: Guerilla Internet Service Providers In-Reply-To: Message-ID: <9601012114.AA15133@alpha> Lucky Green writes: > But how many of them [ IP providers ] will be willing to forward > certain newsgroups if doing so carries a mandatory 10 year prison > term? Hint: count the number of narcotics dealers that advertize > in your local yellow pages. 
But an IP provider doesn't have to know that it's "forwarding" *any* newsgroups; all it has to know is that IP packets are moving between my PC and the outside world. It doesn't have any way of knowing what those packets contain and doesn't want to. The Internet is more than news, FTP, the web, and so on primarily because it's so much *less*. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From attila at primenet.com Mon Jan 1 14:15:43 1996 From: attila at primenet.com (attila) Date: Tue, 2 Jan 1996 06:15:43 +0800 Subject: SEY_use [NOISE] In-Reply-To: <199601012027.PAA02788@nrk.com> Message-ID: On Mon, 1 Jan 1996, David Lesher wrote: > > > > > > the concept is interesting... diplomatic immunity is not automatic in > > that it implies diplomatic recognition. does a rogue state enjoy the > > privilege of obviously bogus diplomatic passports? the diplomatic > > passport is a "gentleman's agreement" to facilitate trading intelligence > > officers --sarcastic maybe, truthful? been there, done that. > > A Dip Passport does nothing of the kind. > come on, David. stated and "real" use are often quite different. I meant what I said, literally: "...been there, done that." it's nice to believe that governments are above board --they never have been, and never will be --and Bubba is a prime example. I would buy a used car from Tricky Dick long before I would from Bubba! power is not only corruption, it is _deceit_! BTW, I do not disagree with your "protocol" in the slightest. PNG, and the trading of PNGs has been around ever since the French seemed to their language dominate foreign affairs --however, persona non gratis is rather explicit. 
and, I still wonder how the host country will treat "bogus" DPs from rogue states if they have more DPs than real citizens. uncle has been getting less subtle these days.... > You are awarded status by your placement by the host country, on their > Diplomatic List. If you are there, fine; otherwise... Now, you'll never > get on that list without a Dip. Passport & reciprocal agreement but it's > not enough... > > Your name can be removed by the host at any time (PNG'ed) but some kind > of warning is necessary so you can leave the host country prior to > expiration of the status. (Not much, however! I recall one case where it > was _literally_ "Be on the 4pm plane, or else.") If you are out of the > country already, you won't be back. (One person was, and his cat became > the ""PNG Pussy"" as she was shipped home the next day.) > > The Dip List being out-of-date caused considerable embarrassment to the > US during our invasion of Panama. Marines raided the Nicaraguan > Ambassador's Residence because the out-of-date copy at the US Mission > showed the _old_ address. > > -- > A host is a host from coast to coast.................wb8foz at nrk.com > & no one will talk to a host that's close........[v].(301) 56-LINUX > Unless the host (that isn't close).........................pob 1433 > is busy, hung or dead....................................20915-1433 > From shamrock at netcom.com Mon Jan 1 14:29:28 1996 From: shamrock at netcom.com (Lucky Green) Date: Tue, 2 Jan 1996 06:29:28 +0800 Subject: Guerilla Internet Service Providers Message-ID: At 15:14 1/1/96, Mike McNally wrote: >Lucky Green writes: > > But how many of them [ IP providers ] will be willing to forward > > certain newsgroups if doing so carries a mandatory 10 year prison > > term? Hint: count the number of narcotics dealers that advertize > > in your local yellow pages.
> >But an IP provider doesn't have to know that it's "forwarding" *any* >newsgroups; all it has to know is that IP packets are moving between >my PC and the outside world. It doesn't have any way of knowing what >those packets contain and doesn't want to. Some site in physical space has to host the nntpd, the ftpd, and the httpd. That site will be subject to search, seizure, and arrest and conviction of owner. If you don't have a host, there won't be any packets to forward. -- Lucky Green PGP encrypted mail preferred. From markh at wimsey.bc.ca Mon Jan 1 14:36:54 1996 From: markh at wimsey.bc.ca (Mark C. Henderson) Date: Tue, 2 Jan 1996 06:36:54 +0800 Subject: Canadian Cypherpunks [NOISE] Message-ID: > Is there some interest in a meeting of Canadian Cypherpunks? If > you are a Canadian (or an American who is fortunate enough to live near > our sainted shores ;-)) send me a private E-mail message. > Because Canada is such a big country, I propose that we start > with a meeting in Toronto or area. If there is enough interest, I will > arrange for a meeting place. I don't think it is any more practical to have "Canadian Cypherpunks" meetings than "U.S. Cypherpunks" meetings. Call them what they are, i.e. regional meetings, (e.g. areas around Toronto, Montreal, Vancouver, Quebec, Calgary-Edmonton, etc.), but I suspect that most people are unlikely to travel in excess of 3000km for meetings which last a few hours. For example, I expect that Vancouverites are much more likely to travel to Seattle for a meeting than to Toronto. My point is, don't advertise what is really a Southern Ontario regional meeting as the meeting of "Canadian Cypherpunks". This would be like calling the S.F. Bay Area meetings the "U.S. Cypherpunks meetings". 
-- Mark Henderson -- markh at wimsey.bc.ca, henderso at netcom.com, mch at squirrel.com PGP 1024/C58015E3 fingerprint=21 F6 AF 2B 6A 8A 0B E1 A1 2A 2A 06 4A D5 92 46 cryptography archive maintainer -- ftp://ftp.wimsey.com/pub/crypto ftp://ftp.wimsey.com/pub/crypto/sun-stuff/change-sun-hostid-1.6.1.tar.gz From winkjr at teleport.com Mon Jan 1 14:44:15 1996 From: winkjr at teleport.com (Wink Junior) Date: Tue, 2 Jan 1996 06:44:15 +0800 Subject: CSPAN Currency Creation Hearings Message-ID: <199601012202.OAA02434@kelly.teleport.com> Dave Feustel on talk.politics.crypto mentioned that on Saturday morning CSPAN was broadcasting congressional hearings on "currency creation, during which smartcards, Ecash, encryption, privacy and government regulation of all of the above were discussed." There's supposed to be at least one rebroadcast. A brief review of the highlights would be very interesting. Wink -- winkjr at teleport.com From andreas at horten.artcom.de Mon Jan 1 15:05:53 1996 From: andreas at horten.artcom.de (Andreas Bogk) Date: Tue, 2 Jan 1996 07:05:53 +0800 Subject: Guerilla Internet Service Providers In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- >>>>> "Lucky" == Lucky Green writes: Lucky> Some site in physical space has to host the nntpd, the Lucky> ftpd, and the httpd. That site will be subject to search, Lucky> seizure, and arrest and conviction of owner. So I guess we'll need some computers in outer space, on offshore boats or in well-bribed stable dictatorships. 
Andreas -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface -----END PGP SIGNATURE----- From andr0id at midwest.net Mon Jan 1 15:20:27 1996 From: andr0id at midwest.net (Jason Rentz) Date: Tue, 2 Jan 1996 07:20:27 +0800 Subject: Who sent me this message? Message-ID: <199601012250.QAA04037@cdale1.midwest.net> >:-) As I can see. How did you generate this key? Are you using a >special version of PGP? > Well I didn't send the message but I also use an undocumented larger key with PGP. Read it in the book a friend got. (andr0id at midwest.net callsign: N9XLM) ( Computer Consulting & Management ) (P.O. Box 421 Cambria, IL 62915-0421) From shamrock at netcom.com Mon Jan 1 15:39:22 1996 From: shamrock at netcom.com (Lucky Green) Date: Tue, 2 Jan 1996 07:39:22 +0800 Subject: Guerilla Internet Service Providers
Message-ID: At 23:30 1/1/96, Andreas Bogk wrote: >So I guess we'll need some computers in outer space, on offshore boats >or in well-bribed stable dictatorships. o Outer space: not very realistic o Offshore boats: see the fate of drug traffickers in international waters after the Coast Guard is through with them. o Stable dictatorships: Not stable enough to withstand a humanitarian mission by the US Army. -- Lucky Green PGP encrypted mail preferred. From joee at li.net Mon Jan 1 15:48:57 1996 From: joee at li.net (j. ercole) Date: Tue, 2 Jan 1996 07:48:57 +0800 Subject: Prevention Of Trauma 2 [NOISE] Message-ID: [Here's something scary to start your new year. . . ] << start of forwarded material >> ** Date: Mon, 1 Jan 1996 23:41:38 -0000 ** Reply-To: "POLI-PSY [ Political Science-Psychology/Psychiatry ]" ** ** Sender: "POLI-PSY [ Political Science-Psychology/Psychiatry ]" ** ** From: Michael Benjamin ** Subject: Prevention Of Trauma 2 ** X-To: Multiple recipients of list FORENSIC-PSYCHOLOGY ** , ** Multiple recipients of list LEGALTEN ** , ** Stress Traumatic ** X-cc: Multiple recipients of list TRANSCULTURAL-PSYCHOLOGY ** , ** Traumatic Stress Forum ** To: Multiple recipients of list POLI-PSY ** ** PREVENTION TRAUMA II ** ** In a previous letter I pointed out the need to eliminate ** trauma by prevention. I mentioned that there are generally Agencies ** whose function is to prevent trauma, if it is in industry, military, driving, ** etc. These agencies have criteria for excluding people who they feel ** are liable to mal-function and cause trauma (danger). Often these ** Agencies employ programs to reduce the likelihood of trauma. ** I pointed out that I feel it is legitimate to help these Agencies ** not in defining their criteria but in eliciting the given criteria by the use ** of the techniques which are used in a Diagnostic Setting. I emphasize ** that the presence or absence of these criteria are not indicative of any ** pathology.
As such I feel that this discussion does not only belong in ** the field of Forensic Psychiatry but is a legitimate form of treating ** trauma, i.e. prevention. ** In the field of Road Safety in Israel the Institute for Road ** Safety is a medical institute which advises on likelihood of a driver to ** be dangerous. ** The examination is carried out on all applicants for a Public ** License (taxi, autobus), heavy vehicle drivers, and drivers involved in ** fatal accidents, and drivers or prospective drivers who have had ** contact with Mental Health Care. Generally the exams are given by ** Psychologists and are based partially on the M.M.P.I. and a clinical ** examination. More difficult cases are referred to Consultant ** Psychiatrists and an Ad-Hoc Committee. ** The criteria under discussion are mainly:- Concentration, ** Attention, Projectivity, Judgment, Consistency, Reality Testing, Ability ** to identify, Confirm with instructions, Impulsivity and Control over ** Impulsivity. ** Over the years we have found these to be of primary ** importance and we thus concentrate on illnesses or personality ** disturbance where these criteria may well occur. ** If these indications are discovered we check if they are ** causing driving delinquency. If so, we then determine if there is a ** reasonable likelihood of the patient / examinee being made to ** understand and correct himself. Obviously in some instances this is of ** little likelihood. If these indications are present or applying for a new ** license, the application is rejected. If we allow a "trial" period, the ** position is first explained to the examinee, and we try and ascertain if it is ** at all possible that he both understands and is capable of "changing his ** ways". ** In addition to the "meeting point" between Forensic ** Psychiatry and "Preventive" Traumatology we feel that we are on the ** delicate meeting point of "Personal Rights" and Society's "Right to ** defend itself".
** We are under perpetual scrutiny, which I feel is justified and ** healthy. I would very much enjoy any comments or suggestions. ** ** ** Michael. << end of forwarded material >> j. ercole ny, usa pgp public key at: http://www.li.net/~joee/index.html $$$$$$$$$$$$$$$$********************&&&&&&&&&&&&&&&&& Stand By---.sig presently being unearthed in regression therapy. From flee at teleport.com Mon Jan 1 16:06:09 1996 From: flee at teleport.com (Felix Lee) Date: Tue, 2 Jan 1996 08:06:09 +0800 Subject: Guerilla Internet Service Providers In-Reply-To: Message-ID: <199601012332.PAA10533@desiree.teleport.com> Lucky Green: > Some site in physical space has to host the nntpd, the ftpd, and the httpd. > That site will be subject to search, seizure, and arrest and conviction of > owner. but if it turns out that 30% of home PCs have to be seized to prevent dissemination of dangerous-information-X? though we're not quite there yet... eg, it's a little expensive to run your own httpd 24 hours/day. -- From ravage at ssz.com Mon Jan 1 16:14:10 1996 From: ravage at ssz.com (Jim Choate) Date: Tue, 2 Jan 1996 08:14:10 +0800 Subject: Guerilla Internet Service Providers (fwd) Message-ID: <199601012358.RAA01029@einstein.ssz.com> Forwarded message: > From owner-cypherpunks at toad.com Mon Jan 1 17:53:37 1996 > Message-Id: <199601012332.PAA10533 at desiree.teleport.com> > Subject: Re: Guerilla Internet Service Providers > To: cypherpunks at toad.com > In-Reply-To: Your message of Mon, 01 Jan 1996 13:41:13 PST. > > Date: Mon, 01 Jan 1996 15:32:37 -0800 > From: Felix Lee > Sender: owner-cypherpunks at toad.com > Precedence: bulk > > Lucky Green: > > Some site in physical space has to host the nntpd, the ftpd, and the httpd. > > That site will be subject to search, seizure, and arrest and conviction of > > owner. > > but if it turns out that 30% of home PCs have to be seized to prevent > dissemination of dangerous-information-X? > > though we're not quite there yet... 
eg, it's a little expensive to run > your own httpd 24 hours/day. > -- > If you live in the Austin, TX area I will setup a dedicated slip for you at only $100/mo. From bdolan at use.usit.net Mon Jan 1 16:27:06 1996 From: bdolan at use.usit.net (Brad Dolan) Date: Tue, 2 Jan 1996 08:27:06 +0800 Subject: CSPAN Currency Creation Hearings In-Reply-To: <199601012202.OAA02434@kelly.teleport.com> Message-ID: I caught part of it. The general theme was,~"we're going to establish a `partnership' with digicash / crypto firms to ensure that our `legitimate law-enforcement needs' are designed into the products."~ bd On Mon, 1 Jan 1996, Wink Junior wrote: > Dave Feustel on talk.politics.crypto mentioned that > on Saturday morning CSPAN was broadcasting congressional hearings on > "currency creation, during which smartcards, Ecash, encryption, privacy and > government regulation of all of the above were discussed." There's supposed > to be at least one rebroadcast. > > A brief review of the highlights would be very interesting. > > Wink > > -- > winkjr at teleport.com > From shamrock at netcom.com Mon Jan 1 17:09:15 1996 From: shamrock at netcom.com (Lucky Green) Date: Tue, 2 Jan 1996 09:09:15 +0800 Subject: Guerilla Internet Service Providers Message-ID: At 15:32 1/1/96, Felix Lee wrote: >Lucky Green: >> Some site in physical space has to host the nntpd, the ftpd, and the httpd. >> That site will be subject to search, seizure, and arrest and conviction of >> owner. > >but if it turns out that 30% of home PCs have to be seized to prevent >dissemination of dangerous-information-X? Wrong. Only 0.03% of the home PCs have to be seized and the owners incarcerated. The remaining users will cease to carry controlled data on their own. -- Lucky Green PGP encrypted mail preferred. 
From shamrock at netcom.com Mon Jan 1 17:09:30 1996 From: shamrock at netcom.com (Lucky Green) Date: Tue, 2 Jan 1996 09:09:30 +0800 Subject: CSPAN Currency Creation Hearings Message-ID: At 19:04 1/1/96, Brad Dolan wrote: >I caught part of it. > >The general theme was,~"we're going to establish a `partnership' with >digicash / crypto firms to ensure that our `legitimate law-enforcement >needs' are designed into the products."~ I sincerely doubt that there will be any 'partnerships' between DigiCash and law enforcement. -- Lucky Green PGP encrypted mail preferred. From delznic at storm.net Mon Jan 1 17:44:47 1996 From: delznic at storm.net (Douglas F. Elznic) Date: Tue, 2 Jan 1996 09:44:47 +0800 Subject: [local] Syracuse new york Message-ID: <2.2.16.19960102011329.2e1723c0@terminus.storm.net> Are there any interested people in having a meeting in the syr area? From ravage at ssz.com Mon Jan 1 18:38:00 1996 From: ravage at ssz.com (Jim Choate) Date: Tue, 2 Jan 1996 10:38:00 +0800 Subject: Guerilla ISP's... Message-ID: <199601020219.UAA00419@einstein.ssz.com> Has anyone looked at operating systems like Plan 9 which divide the services into 3 sets (terminal, file, process) and then distribute them over various machines (and cpu's in multi-cpu systems) on a 'cost' basis? This would effectively address the issue of where named, httpd, or whatever was running. Mainly because it would never run on the same machine (or cpu) each time or necessarily all the time (ie run a while here then over there). From shamrock at netcom.com Mon Jan 1 19:08:52 1996 From: shamrock at netcom.com (Lucky Green) Date: Tue, 2 Jan 1996 11:08:52 +0800 Subject: Guerilla ISP's... Message-ID: At 20:19 1/1/96, Jim Choate wrote: >Has anyone looked at operating systems like Plan 9 which divide the services >into 3 sets (terminal, file, process) and then distribute them over various >machines (and cpu's in multi-cpu systems) on a 'cost' basis?
> >This would effectively address the issue of where named, httpd, or whatever >was running. Mainly because it would never run on the same machine (or cpu) >each time or necessarily all the time (ie run a while here then over there). That is called a conspiracy. The consequence is that all machines involved will be confiscated and their respective owners jailed. -- Lucky Green PGP encrypted mail preferred. From ravage at ssz.com Mon Jan 1 19:26:34 1996 From: ravage at ssz.com (Jim Choate) Date: Tue, 2 Jan 1996 11:26:34 +0800 Subject: Guerilla ISP's... (fwd) Message-ID: <199601020316.VAA00545@einstein.ssz.com> Forwarded message: > Date: Mon, 1 Jan 1996 18:49:28 -0800 > From: shamrock at netcom.com (Lucky Green) > Subject: Re: Guerilla ISP's... > > At 20:19 1/1/96, Jim Choate wrote: > >Has anyone looked at operating systems like Plan 9 which divide the services > >into 3 sets (terminal, file, process) and then distribute them over various > >machines (and cpu's in multi-cpu systems) on a 'cost' basis? > > > >This would effectively address the issue of where named, httpd, or whatever > >was running. Mainly because it would never run on the same machine (or cpu) > >each time or necessarily all the time (ie run a while here then over there). > > That is called a conspiracy. The consequence is that all machines involved > will be confiscated and their respective owners jailed. > Wow, you mean you can prosecute an operating system? From merriman at arn.net Mon Jan 1 20:08:01 1996 From: merriman at arn.net (David K. Merriman) Date: Tue, 2 Jan 1996 12:08:01 +0800 Subject: Paperclip original posting? Message-ID: <2.2.32.19960102032915.00683458@arn.net> could someone kindly forward me a copy of the original paperclip symbology posting? Thanks. ------------------------------------------------------------- "It is not the function of our Government to keep the citizen from falling into error; it is the function of the citizen to keep the Government from falling into error." 
Robert H. Jackson (1892-1954), U.S. Judge <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> My web page: http://www.geopages.com/CapitolHill/1148 From shamrock at netcom.com Mon Jan 1 22:09:06 1996 From: shamrock at netcom.com (Lucky Green) Date: Tue, 2 Jan 1996 14:09:06 +0800 Subject: Guerilla ISP's... (fwd) Message-ID: At 21:16 1/1/96, Jim Choate wrote: >Wow, you mean you can prosecute an operating system? Well, you can seize the machine running the OS for the crimes it committed. I am serious. No prosecution needed. Prosecution followed by conviction is what will happen to the owner of the computer on which the OS was running. -- Lucky Green PGP encrypted mail preferred. From dlv at bwalk.dm.com Mon Jan 1 22:38:03 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Tue, 2 Jan 1996 14:38:03 +0800 Subject: Guerilla Internet Service Providers In-Reply-To: <9601012017.AA15101@alpha> Message-ID: m5 at dev.tivoli.com (Mike McNally) writes: > For how long is this really going to be the case? As the whole world > of HTTP and related things (like Java & VRML) advances in capability > and sophistication, how long will the Compuserve/AOL/Genie "Big Online > Service" model continue to make sense? For as long as they're able to provide information and services that customers want, which are not available via "generic" small ISP's. For example, one can read the New York Times (and many other periodicals) via AOL; one can read the NCSA forum on CompuServe. One has to be pretty dumb to use AOL or CS as an _Internet_ provider. Yet a lot of very sharp people use these services. The content providers aren't willing to put their wares on "generic" internet, and won't be willing to in the foreseeable future. --- Dr. 
Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From clarkm at cnct.com Mon Jan 1 23:22:08 1996 From: clarkm at cnct.com (Clark Matthews) Date: Tue, 2 Jan 1996 15:22:08 +0800 Subject: A weakness in PGP signatures, and a suggested solution Message-ID: <199601020339.WAA15209@cnct.com> Just a note to Dr. Dimitri Vulis -- your post by this name appears to have been forge-cancelled on mail.cypherpunks 1/1/96 at 4:13 EST. Two replies also forge-cancelled. Anybody running lazarus on mail.cypherpunks? Might be an interesting idea. Dr. Vulis, can you repost the item to this list? Best, Clark .---. .----------- * :::::::::::::::::::::::::::: / \ __ / ------ * clark.matthews at paranet.org / / \(..)/ ----- * :::::::::::::::::::::::::::: ////// ' \/ ` ---- * //// / // : : --- * PERMISSION TO \\/ / * / /` '--* COPY / REPOST \*/ * //..\\ x-x-UU----UU-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x- '//||\\` N E M O..M E..I M P U N E..L A C E S S I T x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x From shamrock at netcom.com Mon Jan 1 23:41:02 1996 From: shamrock at netcom.com (Lucky Green) Date: Tue, 2 Jan 1996 15:41:02 +0800 Subject: Guerilla Internet Service Providers Message-ID: At 23:35 1/1/96, Jon Lasser wrote: >More work needs to be done on untraceable, yet at least modestly >efficient, truly anonymous routing, even in a system where many of the >participants, and perhaps even one of the endpoints, is or is willing to >"cheat." Time to bring up my favorite CP invention of the last years: Wei Dai's Pipenet. Of course running Pipenet would be a felony in the future I foresee, but it sure is a great idea. -- Lucky Green PGP encrypted mail preferred. From sameer at c2.org Mon Jan 1 23:43:15 1996 From: sameer at c2.org (sameer) Date: Tue, 2 Jan 1996 15:43:15 +0800 Subject: Guerilla ISP's...
(fwd) In-Reply-To: Message-ID: <199601020520.VAA24179@infinity.c2.org> > Prosecution followed by conviction is what will happen to the owner of the > computer on which the OS was running. It's hard to jail a corporation. -- sameer Voice: 510-601-9777x3 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From bal at martigny.ai.mit.edu Tue Jan 2 00:46:37 1996 From: bal at martigny.ai.mit.edu (Brian A. LaMacchia) Date: Tue, 2 Jan 1996 16:46:37 +0800 Subject: Guerilla Internet Service Providers (fwd) In-Reply-To: <199601020427.UAA16858@desiree.teleport.com> Message-ID: <9601020613.AA28127@toad.com> Date: Mon, 01 Jan 1996 20:27:23 -0800 From: Felix Lee Sender: owner-cypherpunks at toad.com Precedence: bulk compare with software piracy. when was the last time a kid in your neighborhood was busted for unlicensed copying of software? and software is big business, lots of suits and $$$. Look for this to change if the copyright "high-protectionists" succeed in getting Congress to criminalize every act of copyright infringement, which is what the Leahy-Feingold "Criminal Copyright Improvement Act of 1995" (S.1122) will do if it becomes law. Under current copyright law infringements that are not committed wilfully and "for purposes of commercial advantage or private financial gain" are not criminal. Such non-profit/noncommercial infringements are still civil infringements, and copyright holders may sue for actual and/or statutory damages, but since the typical kid has net assets less than $39.95 it's not worth the effort. If S.1122 becomes law, though, the software companies (or other copyright holders) will be able to get the Feds to prosecute such cases criminally (so we, as taxpayers, get to foot the bill for those prosecutions that are not monetarily attractive to the copyright holders). 
--bal From erc at dal1820.computek.net Tue Jan 2 00:47:32 1996 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Tue, 2 Jan 1996 16:47:32 +0800 Subject: Another Internet Provider Censors Access (fwd) In-Reply-To: Message-ID: <199601020615.AAA12494@dal1820.computek.net> -----BEGIN PGP SIGNED MESSAGE----- > Under the guise of a minor software upgrade, Netcom has changed > its newsgroups access list to totally exclude "alt" groups > altogether. Since there is no way to sign up for a newsgroup > other than via the selection menu that Netcom provides, it > appears that Netcom has managed to censor access to all those > discussion groups. Really? A quick check shows that alt. groups, even the alt.sex.* groups, are still in /usr/lib/news/active, and articles are still in /usr/spool/news/alt/sex/*. Whoever supplied that information is apparently wrong. - -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- From bdolan at use.usit.net Tue Jan 2 01:13:46 1996 From: bdolan at use.usit.net (Brad Dolan) Date: Tue, 2 Jan 1996 17:13:46 +0800 Subject: Another Internet Provider Censors Access (fwd) In-Reply-To: <199601020615.AAA12494@dal1820.computek.net> Message-ID: Gulp. Sorry.
That's the last time I believe anybody with a name like "Y." bd On Tue, 2 Jan 1996, Ed Carp [khijol SysAdmin] wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > > Under the guise of a minor software upgrade, Netcom has changed > > its newsgroups access list to totally exclude "alt" groups > > altogether. Since there is no way to sign up for a newsgroup > > other than via the selection menu that Netcom provides, it > > appears that Netcom has managed to censor access to all those > > discussion groups. > > Really? A quick check shows that alt. groups, even the alt.sex.* groups, > are still in /usr/lib/news/active, and articles are still in > /usr/spool/news/alt/sex/*. > > Whoever supplied that information is apparently wrong. > - -- > Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com > 214/993-3935 voicemail/digital pager > 800/558-3408 SkyPager > Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi > > "Past the wounds of childhood, past the fallen dreams and the broken families, > through the hurt and the loss and the agony only the night ever hears, is a > waiting soul. Patient, permanent, abundant, it opens its infinite heart and > asks only one thing of you ... 
'Remember who it is you really are.'" > > -- "Losing Your Mind", Karen Alexander and Rick Boyes > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.2 > > -----END PGP SIGNATURE----- > From nobody at REPLAY.COM Tue Jan 2 01:16:47 1996 From: nobody at REPLAY.COM (Anonymous) Date: Tue, 2 Jan 1996 17:16:47 +0800 Subject: Guerilla Internet Service Providers Message-ID: <199601020640.HAA03781@utopia.hacktic.nl> -----BEGIN PGP SIGNED MESSAGE----- On 1/1/96 at 3:11 pm Lucky Green replied to Andreas Bogk about: >>So I guess we'll need some computers in outer space, on offshore boats >>or in well-bribed stable dictatorships. >o Outer space: not very realistic >o Offshore boats: see the fate of drug traffickers in international waters >after the Coast Guard is through with them. What about using converted freighters offshore in international waters for storing the computers? i.e. Sameer the Wolfman Jack of Pirate Internet Services (tm) I was told that Belize is offering passports for the next two years for $50,000 and that might be even less if offers were made to the government to provide low cost Internet access to the citizens of Belize. http://www.belize.com/citzdoc.html Belize has always been known as a home for pirates, A wonderful Cypherpunk candidate for an offshore data haven! L.
Malthus -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- From wb8foz at nrk.com Tue Jan 2 01:19:23 1996 From: wb8foz at nrk.com (David Lesher) Date: Tue, 2 Jan 1996 17:19:23 +0800 Subject: Another Internet Provider Censors Access (fwd) In-Reply-To: Message-ID: <199601020639.BAA05196@nrk.com> > Under the guise of a minor software upgrade, Netcom has changed > its newsgroups access list to totally exclude "alt" groups > altogether. Since there is no way to sign up for a newsgroup > other than via the selection menu that Netcom provides, it > appears that Netcom has managed to censor access to all those > discussion groups. Horsefeathers. I'm reading alt.fan.david-sternlight in another window as I type. Yes, on netcom8.netcom.com..... -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From dlv at bwalk.dm.com Tue Jan 2 17:26:55 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Tue, 2 Jan 96 17:26:55 PST Subject: Guerilla Internet Service Providers In-Reply-To: <9601021325.AA15502@alpha> Message-ID: m5 at dev.tivoli.com (Mike McNally) writes: > Dimitri Vulis writes: > > > For how long ... ? > > > > For as long as they're able to provide information and services that > > customers want, which are not available via "generic" small ISP's. > > But don't you think it likely that AOL & Compuserve will soon see the > economic advantage of making their services available (for per-use > fees) to the Internet as a whole? If not AOL & Compuserve, then > certainly the actual content providers themselves. 
(The NSA may be a > different matter.) > > I don't see why content providers would not be willing to make stuff > available via the internet; they don't have to do it for free. OK, I'm sure we have the nice folks from the National Computer Security Association on this list. Why don't they set up their forum so it's not necessary to have a CompuServe account to access it? --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From shamrock at netcom.com Tue Jan 2 01:31:53 1996 From: shamrock at netcom.com (Lucky Green) Date: Tue, 2 Jan 1996 17:31:53 +0800 Subject: Guerilla ISP's... (fwd) Message-ID: At 21:20 1/1/96, sameer wrote: >> Prosecution followed by conviction is what will happen to the owner of the >> computer on which the OS was running. > It's hard to jail a corporation. Pretty hard. That's why the corporate officers will be jailed instead. Not that this would be necessary to stop the corporation from operating. The authorities can just confiscate all the equipment and thereby put the corporation out of business. Saves time and trial costs. They just haul off the computers and declare that they are now property of the government. -- Lucky Green PGP encrypted mail preferred. From mpd at netcom.com Tue Jan 2 01:32:53 1996 From: mpd at netcom.com (Mike Duvos) Date: Tue, 2 Jan 1996 17:32:53 +0800 Subject: Another Internet Provider Censors Access (fwd) In-Reply-To: Message-ID: <199601020701.XAA29889@netcom18.netcom.com> An embarrassed Brad Dolan writes: > Gulp. Sorry. That's the last time I believe anybody with a > name like "Y." Netcom has not removed access to the alt groups, but they have definitely screwed something up in the news system for the shell machines. Netcruiser accounts seem to work fine. I just tried a test post to a bunch of alt.sex groups from Netcom shell and it bounced instantly with the obnoxious message. 
/usr/lib/newsbin/inject/injnews:alt.sex.girl.watchers, alt.sex.graphics,alt.sex.hello-kitty,alt.sex.homosexual, alt.sex.incest,alt.sex.intergen,alt.sex.magazines, alt.sex.masturbation,alt.sex.pedophile.mike-labbe: no groups in active file /usr/lib/newsbin/inject/injnews: article in /u1/mpd/dead.article /usr/lib/news/inews failed Given Netcom's superb reputation for protecting free speech, it is very unlikely this has anything to do with censorship. Possibly someone encountered this glitch while trying to access an alt group and jumped to conclusions. Then again, maybe the Bavarians are running Netcom now. :) -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From ghio at netcom.com Tue Jan 2 01:34:07 1996 From: ghio at netcom.com (Matthew Ghio) Date: Tue, 2 Jan 1996 17:34:07 +0800 Subject: Another Internet Provider Censors Access (fwd) In-Reply-To: Message-ID: <199601020708.XAA23044@netcom15.netcom.com> >Under the guise of a minor software upgrade, Netcom has changed >its newsgroups access list to totally exclude "alt" groups >altogether. Since there is no way to sign up for a newsgroup >other than via the selection menu that Netcom provides, it >appears that Netcom has managed to censor access to all those >discussion groups. Can you say B-U-L-L-S-H-I-T ??? Man, this place is like a bunch of guerilla fighters preparing for war. People are really on edge. Make one wrong move and everybody starts shooting. I'm afraid that sooner or later it could be real bullets too. BTW, Netcom splits its newsfeed between two servers. Currently the netcom.*, comp.*, and rec.* are all on one, and everything else is on the other, although they move them around every few months. Occasionally one or the other server starts acting up, causing the respective hierarchies to be temporarily inaccessible. 
From bart at netcom.com Tue Jan 2 01:34:35 1996 From: bart at netcom.com (Harry Bartholomew) Date: Tue, 2 Jan 1996 17:34:35 +0800 Subject: Another Internet Provider Censors Access (fwd) In-Reply-To: Message-ID: <199601020708.XAA23593@netcom22.netcom.com> > ---------- Forwarded message ---------- > > Another shoe drops? > > ---------- Forwarded message ---------- > > Under the guise of a minor software upgrade, Netcom has changed > its newsgroups access list to totally exclude "alt" groups > altogether. Since there is no way to sign up for a newsgroup > other than via the selection menu that Netcom provides, it > appears that Netcom has managed to censor access to all those > discussion groups. > Not entirely. From my shell account I just used Tin to view and subscribe to alt.sex and several others without a problem. Perhaps the above is true of their browser (NetCruiser) accounts? Bart From pmonta at qualcomm.com Tue Jan 2 17:40:48 1996 From: pmonta at qualcomm.com (Peter Monta) Date: Tue, 2 Jan 96 17:40:48 PST Subject: Guerilla Internet Service Providers (fwd) In-Reply-To: Message-ID: <199601030140.RAA03047@mage.qualcomm.com> > It seems to me that phone line costs are turning into a floor price for > Internet access, when they shouldn't really be. The main asset telephone > companies have, right now, is in RIGHTS OF WAY. Put an ISP in a business > park that allows you to run your own dedicated copper pairs, and you've > bypassed $25/month/line business phone line charges. > > At some point, individual urban and suburban blocks could easily be > "guerilla re-wired" for ISP access without serious trenching, etc. The > phoneco would still be involved, but in a far lower-profit mode, as the > supplier of a single T1 to a multi-block area. For the "last mile" to the ISP user, wireless could be a better bet. Have antenna, will surf. (Not speaking for Qualcomm, etc.) 
Peter Monta pmonta at qualcomm.com Qualcomm, Inc./Globalstar From ravage at ssz.com Tue Jan 2 17:46:13 1996 From: ravage at ssz.com (Jim Choate) Date: Tue, 2 Jan 96 17:46:13 PST Subject: Guerilla Internet Service Providers (fwd) Message-ID: <199601030146.TAA02574@einstein.ssz.com> Forwarded message: > From: Jeff Simmons > Subject: Re: Guerilla Internet Service Providers > Date: Tue, 2 Jan 1996 16:32:33 -0800 (PST) > > Punknet is a 'Guerilla ISP'. Twenty of us share a 128k ISDN line, > distributed via high-speed modems. It's been running fine for over > a year now, but Pacific Bell has evidently decided to get rid of us. > > How? Simply by refusing to either repair or replace our 25 pair trunk > line, which is rapidly degrading. We've offered to replace it ourselves, > but according to them, it's illegal. Right now, we've got three dead lines, > and two others that only will do 1200 baud. > Hmmm, you should have some kind of Public Utility Commission (PUC) in your area that regulates the service provider. Here in Texas if SWBT received more than 2 complaints on a single problem without resolution then the customer can request that the PUC force a resolution of the problem. It has the power to fine SWBT on a per day basis until the problem is resolved. I have used the process one time to a successful end. I had squirrels that kept eating my phone lines when I first put in my ISDN and its dial-in lines. SWBT kept coming out and repairing the lines and the squirrels kept eating them. I asked for armored cables and was refused. I kept requesting them (and keeping records). On the next to last time the tech came out I showed him the records and advised him that I wanted armored lines. He said he would advise his supervisor. A week later I had my armored lines (run specially nearly a block to the tie-block) and the problem was resolved until my roomie burned the house down (the phone lines survived). 
> We've been told that what they're doing is probably illegal, but it's the > old problem: Where does an 800 lb. gorilla sleep? > > We're fighting this like all hell, but who knows? After they get rid of us, > I wonder who's next ... > You also have the option of starting a civil and criminal claim dealing with breach of contract. Phone companies must provide phone lines that meet minimal standards (3kHz bandwidth / -32dB S/N). If the lines don't then the phone company is responsible for getting the lines upgraded. I rather doubt the phone company wants you out of business, they want your money. It is probably a local supervisor who has a limited budget and staff and is having to set priorities according to their supervisory responsibilities. Get it taken up a level and you might find the climate changes. The FCC is enacting a new regulation that will cause every phone company to provide 100% of their service areas with ISDN (you should have received some kind of notice last week, I did). This also sets some minimum standards as well as to the type and quality of service the phone company must provide. Good luck. From winkjr at teleport.com Tue Jan 2 17:52:01 1996 From: winkjr at teleport.com (Wink Junior) Date: Tue, 2 Jan 96 17:52:01 PST Subject: Errata for _Applied Crypto_ Message-ID: <199601030151.RAA10025@kelly.teleport.com> Bruce Schneier has an errata file for the second edition of _Applied Cryptography_ available on request. Hopefully he will also make it available via the Web. Hats off to Bruce for making this information available in a timely, cost-effective manner. Wink -- "Dilute! Dilute! OK!" From sameer at c2.org Tue Jan 2 02:40:46 1996 From: sameer at c2.org (sameer) Date: Tue, 2 Jan 1996 18:40:46 +0800 Subject: Guerilla Internet Service Providers In-Reply-To: Message-ID: <199601020114.RAA06256@infinity.c2.org> > Some site in physical space has to host the nntpd, the ftpd, and the httpd. 
> That site will be subject to search, seizure, and arrest and conviction of > owner. Said site, however, can be located in a different jurisdiction than the laws. -- sameer Voice: 510-601-9777x3 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From shamrock at netcom.com Tue Jan 2 02:40:55 1996 From: shamrock at netcom.com (Lucky Green) Date: Tue, 2 Jan 1996 18:40:55 +0800 Subject: Guerilla Internet Service Providers Message-ID: At 17:14 1/1/96, sameer wrote: >> Some site in physical space has to host the nntpd, the ftpd, and the httpd. >> That site will be subject to search, seizure, and arrest and conviction of >> owner. > > Said site, however, can be located in a different jurisdiction >than the laws. Seems to me that the laws are becoming unified on a global scale. The people in power all over the world have the same interests. To stay in power. The 'unregulated' Internet is in direct conflict with this interest. Since these powers make the laws, they will use the laws to reduce the threat the present day Internet presents. Will C2 carry certain newsgroups/info after doing so has become a felony? Who wants to be an 'illegal data' kingpin and face execution? (Kingpins are 'data traffickers' that carry more than 1.5 Megs of 'controlled information'.) -- Lucky -- Lucky Green PGP encrypted mail preferred. From dmandl at panix.com Tue Jan 2 02:41:06 1996 From: dmandl at panix.com (David Mandl) Date: Tue, 2 Jan 1996 18:41:06 +0800 Subject: Guerilla Internet Service Providers Message-ID: At 4:44 PM 1/1/96, Lucky Green wrote: >At 15:32 1/1/96, Felix Lee wrote: >>Lucky Green: >>> Some site in physical space has to host the nntpd, the ftpd, and the httpd. >>> That site will be subject to search, seizure, and arrest and conviction of >>> owner. >> >>but if it turns out that 30% of home PCs have to be seized to prevent >>dissemination of dangerous-information-X? > >Wrong. 
Only 0.03% of the home PCs have to be seized and the owners >incarcerated. The remaining users will cease to carry controlled data on >their own. I agree. It's not a good idea to assume that there's going to be some kind of widespread opposition movement when the big Net Crackdown comes. Most people will either obey the law, be unaffected by it, or violate it in very insignificant ways ("net jaywalking"). There's strength in numbers, but I just don't think the numbers will be there. --Dave. -- Dave Mandl dmandl at panix.com http://www.wfmu.org/~davem <---Completely overhauled--tons of new stuff From alano at teleport.com Tue Jan 2 03:09:03 1996 From: alano at teleport.com (Alan Olsen) Date: Tue, 2 Jan 1996 19:09:03 +0800 Subject: [Local] Portland OR Cypherpunks anyone? Message-ID: <2.2.32.19960102063831.0091f620@mail.teleport.com> I am considering getting regular Cypherpunks meetings going in the Portland, OR area. If anyone is interested in such a thing, please drop me e-mail. I have gotten some interest from a few friends and so I am sending out the request to the rest of the list to see who else is interested. Ideas for a local meeting place would also be appreciated, as my apartment is way too small. (And not the same time and place of the 2600 meetings. I am allergic to video cameras.) It would also be a chance to meet some of the people I see on the list who I know post from Portland... | Remember: Life is not always champagne. Sometimes it is REAL pain. | |"The moral PGP Diffie taught Zimmerman unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" 
| Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From jya at pipeline.com Tue Jan 2 04:17:46 1996 From: jya at pipeline.com (John Young) Date: Tue, 2 Jan 1996 20:17:46 +0800 Subject: Unmuzzling the Internet Message-ID: <199601021139.GAA10271@pipe4.nyc.pipeline.com> The New York Times, January 2, 1996, p. A15. Unmuzzling the Internet [OpEd] How to evade the censors and make a statement, too. By Jaron Lanier (Visiting scholar at the Columbia University department of computer science.) If President Clinton signs the telecommunications bill drastically restricting private as well as public speech on the Internet, he can expect a rollicking cat-and-mouse game. It can be comical when politicians try to control something they do not understand. Such is the case with the bill's censorship provision, which not only outlaws the transmission of material over the Internet that would be allowed in most newspapers, but also makes owners of computers on a network liable for the speech of others. (As Compuserve demonstrated last week when, to satisfy a German court, it blocked American subscribers' access to sexually explicit material, regulation of the Internet can threaten both commercial and constitutional freedoms.) The other day, I came up with a way to easily evade the proposed American restrictions. My simple idea would be to create a computer program, dubbed "Unmuzzle," which would deposit incomprehensible fragments of any forbidden material in different foreign computers (though maybe not Germany's). The contraband communication would only be reassembled into a coherent whole when downloaded in the home of the user back in the United States, where it would become protected speech, as in any other medium. 
I had no intention of actually building "Unmuzzle," but I mentioned the notion in E-mail to a friend, and within days I was hearing from people I didn't know who were busy creating the program with the idea of distributing it freely. Fine with me. Such a program would make an important statement. Speaking as someone who has been involved with computers for most of my life (I coined the phrase "virtual reality" in the early 1980's and created much of the technology for it), I find that many Internet users have been reacting to attacks on freedom in cyberspace by slumping into a separatist, angry mood. They feel that they are being denied the rights that others enjoy. On the Internet, separatism is expressed by encryption: an encrypted message can be read only by the party it is intended for. Therefore, in the spirit of the First Amendment, I suggest Unmuzzle as an alternative method: it may break up images or text into a hundred pieces, but they are still accessible to the public. The idea of censoring the Internet should be unthinkable, especially in the United States. Aside from the question of free speech, there's the economic imperative as well. The Internet is not a plaything: it is the infrastructure of our information technology industry. The young have the most to lose from the new restrictions, in spite of the fact that such limits are purportedly meant to protect them. Schools and libraries will find it extremely difficult to offer vital Internet services in the face of a mine field of criminal liabilities. It is members of Congress and the President who need to show some maturity, by rejecting free-speech restrictions in the telecommunications bill. [End] From frissell at panix.com Tue Jan 2 04:36:00 1996 From: frissell at panix.com (Duncan Frissell) Date: Tue, 2 Jan 1996 20:36:00 +0800 Subject: Guerilla ISP's... Message-ID: <2.2.32.19960102115836.008c6b40@panix.com> At 06:49 PM 1/1/96 -0800, Lucky Green wrote: >That is called a conspiracy. 
The consequence is that all machines involved >will be confiscated and their respective owners jailed. > > >-- Lucky Green > PGP encrypted mail preferred. If the processes are operating in encrypted accounts not under the control of the machine owner it is hard to find the machine owner liable. In addition, the Feds can only afford a few prosecutions at $50-$100K each (Brian, if you're listening what *does* the average Federal prosecution cost?). The cost of setting up servers is much lower than the cost of busting them. DCF "RIP -- the Interstate Commerce Commission. Dead Jan 1 at the age of 120(?). The first Federal regulatory agency. One down, thousands to go." From erc at dal1820.computek.net Tue Jan 2 06:03:08 1996 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Tue, 2 Jan 1996 22:03:08 +0800 Subject: Guerilla ISP's... (fwd) In-Reply-To: Message-ID: <199601021330.HAA11247@dal1820.computek.net> -----BEGIN PGP SIGNED MESSAGE----- Lucky sez: > At 21:20 1/1/96, sameer wrote: > >> Prosecution followed by conviction is what will happen to the owner of the > >> computer on which the OS was running. > > It's hard to jail a corporation. > > Pretty hard. That's why the corporate officers will be jailed instead. Not > that this would be necessary to stop the corporation from operating. The > authorities can just confiscate all the equipment and thereby put the > corporation out of business. Saves time and trial costs. They just haul off > the computers and declare that they are now property of the government. Good way to get the latest and greatest technology without paying for it, too. I wonder how many of those Mercedes and BMWs are sitting around in impound lots and how many of them are being driven around by DEA bigwigs? Didn't they used to do this sort of thing 200+ years ago - convict someone of a minor crime, then seize all their assets? Wasn't this one of the things that prompted the US breaking away from GB? 
Seems like history is full of stuff like this. Sad case of 'those who fail to learn from history are destined to repeat it.' - -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- From erc at dal1820.computek.net Tue Jan 2 07:21:51 1996 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Tue, 2 Jan 1996 23:21:51 +0800 Subject: Guerilla Internet Service Providers In-Reply-To: <199601020640.HAA03781@utopia.hacktic.nl> Message-ID: <199601021341.HAA12007@dal1820.computek.net> -----BEGIN PGP SIGNED MESSAGE----- > On 1/1/96 at 3:11 pm Lucky Green replied to Andreas Bogk about: > > >>So I guess we'll need some computers in outer space, on offshore boats > >>or in well-bribed stable dictatorships. > > >o Outer space: not very realistic > >o Offshore boats: see the fate of drug traffickers in international waters > >after the Coast Guard is through with them. Why isn't outer space realistic? We already have store-and-forward packet radio systems in AMSAT satellites - they usually hitch a ride up with a commercial satellite. 
- -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- From flee at teleport.com Tue Jan 2 08:52:55 1996 From: flee at teleport.com (Felix Lee) Date: Wed, 3 Jan 1996 00:52:55 +0800 Subject: Guerilla Internet Service Providers (fwd) In-Reply-To: <199601012358.RAA01029@einstein.ssz.com> Message-ID: <199601020427.UAA16858@desiree.teleport.com> Lucky Green: > Wrong. Only 0.03% of the home PCs have to be seized and the owners > incarcerated. The remaining users will cease to carry controlled data on > their own. depends. prohibition was a failure. information is much easier to duplicate and conceal, spy thrillers aside. many people find it hard to justify information being dangerous, especially if it's something innocuous like just another cryptosystem, or just another penis. compare with software piracy. when was the last time a kid in your neighborhood was busted for unlicensed copying of software? and software is big business, lots of suits and $$$. they can try to make disassemblers illegal, but it's not likely to succeed. Jim Choate: > If you live in the Austin, TX area I will setup a dedicated slip for you at > only $100/mo. 
in the Portland Oregon area, the price ranges from $234/year to $1750/year for unlimited ppp access. (I have no idea how long the $234/year is going to stay in business. that won't even cover the cost of a phone line.) -- From bdolan at use.usit.net Tue Jan 2 08:53:53 1996 From: bdolan at use.usit.net (Brad Dolan) Date: Wed, 3 Jan 1996 00:53:53 +0800 Subject: Another Internet Provider Censors Access (fwd) Message-ID: ---------- Forwarded message ---------- Another shoe drops? ---------- Forwarded message ---------- Date: Mon, 1 Jan 1996 19:44:30 -0600 From: x To: y Y - Coming off CompuServe's announcement last week that it was cutting off all access to "alt.binaries" newsgroups under pressure from the German government, I'm passing along another apparent development from another Internet access provider, Netcom. Under the guise of a minor software upgrade, Netcom has changed its newsgroups access list to totally exclude "alt" groups altogether. Since there is no way to sign up for a newsgroup other than via the selection menu that Netcom provides, it appears that Netcom has managed to censor access to all those discussion groups. We are witnessing the not-so-gradual erosion of freedom of the Net. I not often find myself allied with John Perry Barlow, but on this one we are four-square: what with stupid attempts of government to pass unconstitutional restrictions, and acquiescence of the private sector to intimidation and pressure, freedoms of the many are being dictated by reactionary elements in places like Memphis, Tennessee. The next opportunity, I expect, will be to help underwrite the defense of the first criminal action brought under the new law. In the meantime, we can unsubscribe to services that curtail our liberties. "X" Speaking solely for myself, this time. 
From jlasser at rwd.goucher.edu Tue Jan 2 08:56:41 1996 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Wed, 3 Jan 1996 00:56:41 +0800 Subject: Guerilla Internet Service Providers In-Reply-To: Message-ID: On Mon, 1 Jan 1996, Lucky Green wrote: > At 15:14 1/1/96, Mike McNally wrote: > >Lucky Green writes: > > > But how many of them [ IP providers ] will be willing to forward > > > certain newsgroups if doing so carries a mandatory 10 year prison > > > term? Hint: count the number of narcotics dealers that advertize > > > in your local yellow pages. > > > >But an IP provider doesn't have to know that it's "forwarding" *any* > >newsgroups; all it has to know is that IP packets are moving between > >my PC and the outside world. It doesn't have any way of knowing what > >those packets contain and doesn't want to. > > Some site in physical space has to host the nntpd, the ftpd, and the httpd. > That site will be subject to search, seizure, and arrest and conviction of > owner. > > If you don't have a host, there won't be any packets to forward. This is _exactly_ where the transnational nature of the Internet becomes successful, when combined with strong crypto. If the sites coming into your machine are encrypted, nobody outside of your system (perhaps only you) know that said newsgroups, websites, etc. are being hit. If the site they originate from is determined to be offshore, they can't stop the site. Probably. Subject, at least, to foreign cooperation or direct CIA/NSA involvement. The potential for traffic analysis is the danger here. If an "FBI International Data Laundering Expert" testifies in court that said data came from a site known to be frequented solely by so-and-sos, all the strong crypto in the world won't stop the average jury from convicting you. Carl Ellison (among others, I'm sure) has suggested various means of foiling traffic analysis among a group of trusted conspirators, using a token-ring-like routing scheme. 
I'm not completely convinced that it's robust enough, but a variation on it is probably adaptable. The point-to-point nature of the internet is also its Achilles heel, as far as traffic analysis is concerned... the troubles faced by traditional cypherpunk remailers, the generalized problem of anonymous message distribution, and such are the current limits of consideration on the list (as far as I'm thinking right now... I may be wrong). However, the problem of, say, webservers collecting statistics on users, would be moot should it be possible for truly anonymous websurfing (I'm convinced that traditional http proxies have the same flaws as traditional cypherpunk remailers). More work needs to be done on untraceable, yet at least modestly efficient, truly anonymous routing, even in a system where many of the participants, and perhaps even one of the endpoints, is or is willing to "cheat." Jon Lasser ------------------------------------------------------------------------------ Jon Lasser (410)494-3072 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From jya at pipeline.com Tue Jan 2 11:43:21 1996 From: jya at pipeline.com (John Young) Date: Wed, 3 Jan 1996 03:43:21 +0800 Subject: In Search of Computer Security Message-ID: <199601021239.HAA10963@pipe4.nyc.pipeline.com> The New York Times, January 2, 1996, p. C15. Special section "Business World Outlook '96." In Search Of Computer Security By John Markoff Computer security is making a transition from the university and the research laboratory to the real world. So far it is proving to be a rocky evolution. Last year, a series of embarrassing gaffes and shortcomings undermined the faith of potential computer users in the certainty that their data are secure. 
The flaws have led to a growing realization that computer security systems are largely untested and that in complex environments like the Internet, they do not always respond the way their creators had intended. Paul C. Kocher, a computer security expert who discovered one potential flaw, said, "Many of the security systems that I am examining are good enough to keep out casual snoopers, but they're failing catastrophically when it comes to protecting data against determined attacks." The problems are emerging as the computer industry increasingly relies upon an arcane mathematical discipline that is intended to hide the secrets embedded in digital information behind a veil of imposing math problems. Cryptography, the science of writing secrets, was for centuries largely the province of kings, soldiers and spies. But that has changed in the 1990's as the world has rushed to use personal computers and computer networks as the basis for electronic commerce, communication and entertainment. Data scrambling has become the key to a vision that it will be possible to have private electronic conversations and secure financial transactions. In principle, data coding protects information by scrambling it to keep it out of the reach of everybody but those with a supercomputer and tens or even hundreds of years to crunch the data. But computer researchers have begun discovering flaws, sometimes subtle and sometimes glaring, that can help criminals take devious shortcuts to obtain the mathematical keys used to scramble the data. In August, a French computer hacker proved that it was possible to use a network of work stations to quickly find the secret key created by a coding system developed by the Netscape Communications Corporation, the leading developer of World Wide Web software. The feat cast doubts on the security of a system whose security had been scaled back to meet stringent United States Government export controls. 
The following month, two computer science graduate students at the University of California at Berkeley reported a flaw in the Netscape that would permit a technically skilled attacker to steal data by circumventing the complex calculations needed to break the code. In October, a team of Berkeley researchers, including the two computer science students, detailed security weaknesses in the fundamental software of the Internet that make it difficult to protect data that is sent between computers. And last month, Mr. Kocher explained a potential flaw in a widely used data coding approach known as public-key cryptography. The flaw could allow eavesdroppers to infer a secret key used to protect data in Internet security software, electronic payment smart cards and related systems by carefully timing how long it takes to compute the secret key. Mr. Kocher said that while he believed that trusted electronic security systems would ultimately emerge, there should be no urgency to rush their deployment. Banks have spent several hundred years perfecting systems for protecting money, he noted, but they have far less experience with the new computerized systems designed to protect information that represents money. One of the pioneers in the mathematics underlying most public key systems agrees that prudence is required in developing digital commerce. "Paul's discovery is one more piece of evidence that designing security mechanisms is tricky," said Whitfield Diffie, a Sun Microsystems researcher who was one of the co-inventors of the original public key technology. "Given the trust that we will be placing in systems for electronic commerce," he continued, "we should be putting all the effort we can into getting them right." [End] ---------- [Box] 1996 Will Be the Year When: "Congress will pass a law restricting public comment on the Internet to individuals who have spent a minimum of one hour actually accomplishing a specific task while on line." Andrew Grove, Intel Corp. 
CEO From frissell at panix.com Tue Jan 2 13:16:29 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 3 Jan 1996 05:16:29 +0800 Subject: Guerilla Internet Service Providers Message-ID: <2.2.32.19960102115316.008b7368@panix.com> At 09:07 PM 1/1/96 -0500, David Mandl wrote: >I agree. It's not a good idea to assume that there's going to be some kind >of widespread opposition movement when the big Net Crackdown comes. Most >people will either obey the law, be unaffected by it, or violate it in very >insignificant ways ("net jaywalking"). There's strength in numbers, but I >just don't think the numbers will be there. > > --Dave. During Prohibition, consumption of illegal booze increased steadily during the whole period. Hard liquor consumption was actually higher at the end of Prohibition than it had been before Prohibition. DCF From andr0id at midwest.net Tue Jan 2 15:05:07 1996 From: andr0id at midwest.net (Jason Rentz) Date: Wed, 3 Jan 1996 07:05:07 +0800 Subject: Guerilla Internet Service Providers Message-ID: <199601021435.IAA10484@cdale1.midwest.net> >At 23:30 1/1/96, Andreas Bogk wrote: > >>So I guess we'll need some computers in outer space, on offshore boats >>or in well-bribed stable dictatorships. > >o Outer space: not very realistic Not that I'm into Guerilla Internet Services or anything; but; an Outer space server isn't all that far off. It's not hard at all controlling a lynix box remotely using a good sat. link. All you need to do is go to your nearest junkyard and get an old used Satellite, contract Russia to send it up for you for the price of an e-mail account or something and away you go. :) (andr0id at midwest.net callsign: N9XLM) ( Computer Consulting & Management ) (P.O. 
Box 421 Cambria, IL 62915-0421) From jya at pipeline.com Tue Jan 2 16:19:34 1996 From: jya at pipeline.com (John Young) Date: Wed, 3 Jan 1996 08:19:34 +0800 Subject: COP_box Message-ID: <199601021507.KAA00575@pipe1.nyc.pipeline.com> 1-2-96. WaPo: "Undercover on the Dark Side of Cyberspace. On-Line FBI Agents Troll for Those Who Prey on Children." The FBI unit now has more than $1 million worth of equipment, including high-speed modems and large data storage devices. In cases where suspects' computers have been seized, the agents have run up against password-protected and encrypted files, which sometimes have taken FBI technicians hundreds of hours to decode. 1-2-96. FiTi: "Pobox and the magic cookie." Which company will have the greatest effect on the development of the Internet this year? My answer is neither Microsoft nor Netscape. It is a tiny new company called Pobox.com. Its product consists of a simple forwarding service that is an electronic equivalent of a post office box. 
This service allows people to give out an e-mail address that is independent of where they work or where they choose to buy Internet access. COP_box From erc at dal1820.computek.net Tue Jan 2 18:22:22 1996 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Wed, 3 Jan 1996 10:22:22 +0800 Subject: Guerilla Internet Service Providers (fwd) In-Reply-To: <199601030140.RAA03047@mage.qualcomm.com> Message-ID: <199601030209.UAA27249@dal1820.computek.net> -----BEGIN PGP SIGNED MESSAGE----- > > It seems to me that phone line costs are turning into a floor price for > > Internet access, when they shouldn't really be. The main asset telephone > > companies have, right now, is in RIGHTS OF WAY. Put an ISP in a business > > park that allows you to run your own dedicated copper pairs, and you've > > bypassed $25/month/line business phone line charges. > > > > At some point, individual urban and suburban blocks could easily be > > "guerilla re-wired" for ISP access without serious trenching, etc. The > > phoneco would still be involved, but in a far lower-profit mode, as the > > supplier of a single T1 to a multi-block area. > > For the "last mile" to the ISP user, wireless could be a better bet. > Have antenna, will surf. I can easily visualize mobile and portable systems linking to an ISP, downloading email via encrypted POP/UUCP/whatever, using itinerant 2m or 450 MHz frequencies. A mobile system connects to any ISP, gets a login: prompt, enters "xyz at host.domain", gets thrown into a POP session on host.domain, uploads/downloads, then disconnects. All it would really require is implementing "exec rlogin -l xyz host.domain" into getty (a very simple patch) and suitable crypto protocols... 
- -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOnlPyS9AwzY9LDxAQHJ2QP7BhISrKa3zgNs7gsGaTdp3JLj39ER6mJ1 NiefPhys5wsKfSSzOeGbVzOTahmFJHofeY3qyhkCjycinLttSYtN7lAhwrskXbdx 8x/DjHBisOaloyEZPjpdSRshGi65ziUNhudEr+NAWdF3izZ/R0M3m6WkN7O7VH2S 8xh+SQWFA44= =P+B0 -----END PGP SIGNATURE----- From master at internexus.net Tue Jan 2 18:51:28 1996 From: master at internexus.net (Laszlo Vecsey) Date: Wed, 3 Jan 1996 10:51:28 +0800 Subject: Unmuzzy Explained Message-ID: So is the idea beyond this that if file or a group of files were to be distributed over many computers (possibly hundreds or more) then none of the computers would be "responsible" for their content? I would think that any participant in the network would have to claim full responsibility for the content, assuming the file(s) could be accessed from any of the participating servers. I'd be interesting in joining the Unmuzzy (programmers) mailing list, does anyone know what the email is or where the home page is? A net search returned nothing. From frantz at netcom.com Tue Jan 2 19:52:35 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 3 Jan 1996 11:52:35 +0800 Subject: Guerilla Internet Service Providers (fwd) Message-ID: <199601030331.TAA27550@netcom2.netcom.com> At 9:51 1/2/96 -0800, jim bell wrote: >At some point, individual urban and suburban blocks could easily be >"guerilla re-wired" for ISP access without serious trenching, etc. 
The >phoneco would still be involved, but in a far lower-profit mode, as the >supplier of a single T1 to a multi-block area. Don't forget about infrared to cross public rights-of-way. I have long dreamed of tossing a piece of coax over the fence to my neighbors. ----------------------------------------------------------------- Bill Frantz Periwinkle -- Computer Consulting (408)356-8506 16345 Englewood Ave. frantz at netcom.com Los Gatos, CA 95032, USA From cg at bofh.toad.com Tue Jan 2 19:59:05 1996 From: cg at bofh.toad.com (Cees de Groot (none)) Date: Wed, 3 Jan 1996 11:59:05 +0800 Subject: A great time to be a cypherpunk In-Reply-To: <199512312146.NAA22286@infinity.c2.org> Message-ID: <199601021319.OAA01013@bofh.cdg.openlink.co.uk> > > Here's a subjective top 5 list: > 6. Premail 0.42alpha, by Raph. I know got elm+pgp sending its mail through premail, making elm a all-in-one solution for signing, encryption, decryption, nymming and all types of remailing. Perfect job! -- Cees de Groot, OpenLink Software 262ui/2048: ID=4F018825 FP=5653C0DDECE4359D FFDDB8F7A7970789 [Key on servers] -- Any opinions expressed above might be mine. From shamrock at netcom.com Tue Jan 2 19:59:17 1996 From: shamrock at netcom.com (Lucky Green) Date: Wed, 3 Jan 1996 11:59:17 +0800 Subject: Foiling Traffic Analysis Message-ID: At 20:02 1/2/96, Jon Lasser wrote: >When the group of packets arrives at a given station, it replaces its >current encrypted packet with a new packet; if it doesn't have any new >packets to send, it puts up a garbage packet that is indistinguishable >from a normal packet. It then scans all the other packets and attempts to >decrypt them with its private key. Any it can read, it does; all the >packets are forwarded to the next station in the ring. All participants in this network are clearly guilty of conspiracy. Their assets will be confiscated under RICO. As Brian mentioned, the law enforcement agencies are creating a surplus by such seizures. 
The costs associated with more prosecutions are more than offset by the revenue generated. Your computer will make a welcome addition to their budget. -- Lucky Green PGP encrypted mail preferred. From holovacs at styx.ios.com Tue Jan 2 20:00:18 1996 From: holovacs at styx.ios.com (Jay Holovacs) Date: Wed, 3 Jan 1996 12:00:18 +0800 Subject: Guerilla Internet Service Providers In-Reply-To: <199601021341.HAA12007@dal1820.computek.net> Message-ID: On Tue, 2 Jan 1996, Ed Carp [khijol SysAdmin] wrote: > > Why isn't outer space realistic? We already have store-and-forward > packet radio systems in AMSAT satellites - they usually hitch a ride up > with a commercial satellite. > - -- Commercial satellites have land based corporate owners. Remember the success that Alabama had a few years ago pulling the plug on a New York based softporn tv satellite distribution system. They simply went after the assets of the satellite companies and got quick cooperation. Jay Holovacs PGP Key fingerprint = AC 29 C8 7A E4 2D 07 27 AE CA 99 4A F6 59 87 90 (KEY id 1024/80E4AA05) email me for key From jimbell at pacifier.com Tue Jan 2 20:00:33 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 3 Jan 1996 12:00:33 +0800 Subject: Guerilla Internet Service Providers (fwd) Message-ID: At 08:27 PM 1/1/96 -0800, you wrote: >Jim Choate: >> If you live in the Austin, TX area I will setup a dedicated slip for you at >> only $100/mo. > >in the Portland Oregon area, the price ranges from $234/year to >$1750/year for unlimited ppp access. (I have no idea how long the >$234/year is going to stay in business. that won't even cover the >cost of a phone line.) It seems to me that phone line costs are turning into a floor price for Internet access, when they shouldn't really be. The main asset telephone companies have, right now, is in RIGHTS OF WAY. 
Put an ISP in a business park that allows you to run your own dedicated copper pairs, and you've bypassed $25/month/line business phone line charges. 
At some point, individual urban and suburban blocks could easily be "guerilla re-wired" for ISP access without serious trenching, etc. The phoneco would still be involved, but in a far lower-profit mode, as the supplier of a single T1 to a multi-block area. From alano at teleport.com Tue Jan 2 20:01:46 1996 From: alano at teleport.com (Alan Olsen) Date: Wed, 3 Jan 1996 12:01:46 +0800 Subject: [local] Portland OR Cypherpunks meeting Message-ID: <2.2.32.19960103034409.0091ae54@mail.teleport.com> It looks like the Portland Cypherpunks meeting is going to happen. The meeting plans are not set in stone. (I am still trying to make certain that the maximum amount of people can attend.) The current plans: Location: The Habit Internet Cafe 21st and Clinton Portland Or Time: 5:23pm (Discordian Standard time) Date: January 20th, 1996 There are machines and Internet connections available at the site. I am considering adding an IRC channel for virtual Cypherpunk attendance. (Encrypted IRC anyone?) Planned activities include keysigning, discussing various issues and projects of the day, drinking lots of coffee, and whatever else we can come up with. (A Detwiller Doom patch?) No video cameras, regular cameras, and/or other soul stealing devices will be allowed on the premises. (Many of the people attending have pork and pork-substitute related allergies.) A more detailed porting will occur in a couple of days. For more information, complaints, flames, etc., just send me e-mail. Thanks! Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "Governments are potholes on the Information Superhighway." - Not TCMay From rsalz at osf.org Tue Jan 2 20:17:25 1996 From: rsalz at osf.org (Rich Salz) Date: Wed, 3 Jan 1996 12:17:25 +0800 Subject: altavista.digital.com Message-ID: <9601030354.AA29834@sulphur.osf.org> >From a friend at work. 
Marginal crypto relevance but useful for alerting those who think public mailing lists and Usenet are one-time pads. :) >A friend of mine at Digital implemented the Alta Vista search engine. >Here's the configuration he's working with today, with plans for scaling >as necessary. > >>The web index is built and queried by a two processor 300MHz Alpha. >>There's 2GBytes of RAM and 200GBytes of disc on RAID controllers. >>We'll have to expand if load really takes off. There are other, >>smaller machines doing the HTTP server, the news index, the news spool, >>and the web robot. /r$ From ghio at c2.org Tue Jan 2 20:22:55 1996 From: ghio at c2.org (Matthew Ghio) Date: Wed, 3 Jan 1996 12:22:55 +0800 Subject: Risks of writing a remailer In-Reply-To: <199601022345.AAA04572@utopia.hacktic.nl> Message-ID: Anonymous (nobody at flame.alias.net) wrote: > What are the legal risks of writing (and releasing) a remailer, > and what steps can an author go to to minimise any unwanted (legal > or civil) attention ? I've never heard of anyone complaining that I wrote a remailer. A few were upset at my running a remailer, but nobody ever complained that the software was available. As far as minimizing attention to yourself, you obviously know how to post anonymously. From shamrock at netcom.com Tue Jan 2 20:30:35 1996 From: shamrock at netcom.com (Lucky Green) Date: Wed, 3 Jan 1996 12:30:35 +0800 Subject: Inter-Patch Voice Network Message-ID: At 19:25 1/2/96, J. Kent Hastings wrote: >-- [ From: J. Kent Hastings * EMC.Ver #2.5.02 ] -- > >-----BEGIN PGP SIGNED MESSAGE----- > >Cpunx, > >This may be old hat, but now that PGPfone is available, why >don't we start an "Inter-Patch" Network using PGP and ecash? The time for that type of project is definitely here. There is a "Free World Dial-up" project out there that offers free calls worldwide. It is modeled after the remote printing fax network. -- Lucky Green PGP encrypted mail preferred. 
From delznic at storm.net Tue Jan 2 21:04:20 1996 From: delznic at storm.net (Douglas F. Elznic) Date: Wed, 3 Jan 1996 13:04:20 +0800 Subject: 2047 bit keys in PGP Message-ID: <2.2.16.19960103035752.3e0fe0d8@terminus.storm.net> What is the deal with the 2047 bit keys? How do you produce one? Is it compatible with international versions? -- ==================Douglas Elznic=================== delznic at storm.net http://www.vcomm.net/~delznic/ (315)682-5489 (315)682-1647 4877 Firethorn Circle Manlius, NY 13104 "Challenge the system, question the rules." =================================================== PGP key available: http://www.vcomm.net/~delznic/pgpkey.asc PGP Fingerprint: 68 6F 89 F6 F0 58 AE 22 14 8A 31 2A E5 5C FD A5 =================================================== From tcmay at got.net Tue Jan 2 21:31:06 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 3 Jan 1996 13:31:06 +0800 Subject: Criminal Money-laundering Offshore Digital Banks Message-ID: At 1:34 AM 1/2/96, Lucky Green wrote: >Will C2 carry certain newsgroups/info after doing so has become a felony? >Who wants to be an 'illegal data' kingpin and face execution? (Kingpins are >'data traffickers' that carry more than 1.5 Megs of 'controlled >information'.) I've also heard that some of these Data Kingpins (shudder!) are making use of Criminal Money-Laundering Banks (tm), including a bank called "The Mark Twain Bank"! (I hear that MTB has been offered a deal they cannot refuse.) These criminal "offshore" banks are of course illegal for ordinary citizen-units (aka proles) to use, being the sole province of Certain Government Agencies. Authorized Offshore Criminal Banks, like the Castle Bank, the Nugan-Hand Bank, and the Bank of Commerce and Credit International (BCCI) are of course needed by legitimate government as a way to fund Contra resupply efforts from the Southeast Asian drug trade. (Seriously, really seriously, our list is generally not a place to obsess on conspiracies. 
But anyone who has any doubts about what is going on, and how some parts of government have become too large/too corrupt, should spend at least a day or so looking into these things. You should all know the search keywords by now (BCCI, Mena, Castle Bank, Air America, Khun Sa, Banco Lavoro del Nazionale, Gehlen, etc.). Anyone who looks into the tangled web of such dealings will never, ever think the government is trying to ban encryption so it can protect us from child pornographers.) --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From bugs at ritz.mordor.com Tue Jan 2 22:17:33 1996 From: bugs at ritz.mordor.com (Mark Hittinger) Date: Wed, 3 Jan 1996 14:17:33 +0800 Subject: Netcom censoring alt.* ? Message-ID: <199601021625.LAA04725@ritz.mordor.com> I don't think that's the case. I'm the senior admin at the Dallas backup site for Netcom. I'm setting up several backup news servers here and we aren't doing any alt.* censorship. "alt" groups are still sucking up lots of bandwidth and gigs :-). On the other hand the San Jose site has had a lot of power problems and news software problems to contend with lately (hence the idea of a "backup" site for netcom :-) ) Maybe you are branching to a conclusion? Now if there was only a way to tie the scientology thing in with the alt.* censorship conspiracy. 
Regards, Mark Hittinger Netcom/Dallas bugs at freebsd.netcom.com bugs at ritz.mordor.com From nobody at alpha.c2.org Tue Jan 2 22:24:51 1996 From: nobody at alpha.c2.org (Anonymous) Date: Wed, 3 Jan 1996 14:24:51 +0800 Subject: Guerilla Internet Service Providers (fwd) In-Reply-To: <199601030331.TAA27550@netcom2.netcom.com> Message-ID: <199601030611.WAA13284@infinity.c2.org> frantz at netcom.com (Bill Frantz) wrote: > Don't forget about infrared to cross public rights-of-way. What about fog? > I have long dreamed of tossing a piece of coax over the fence to my > neighbors. That's not difficult. From ravage at ssz.com Tue Jan 2 22:31:06 1996 From: ravage at ssz.com (Jim Choate) Date: Wed, 3 Jan 1996 14:31:06 +0800 Subject: FCC require ISDN? (fwd) Message-ID: <199601030308.VAA02856@einstein.ssz.com> Forwarded message: > Date: Tue, 02 Jan 1996 20:40:25 -0600 > From: "David K. Merriman" > Subject: FCC require ISDN? > > At 07:46 PM 01/2/96 -0600, Jim Choate bespake thusly: > > >The FCC is enacting a new regulation that will cause every phone company to > >provide 100% of their service areas with ISDN (you should have received some > >kind of notice last week, I did). This also sets some minimum standards as > >well as to the type and quality of service the phone company must provide. > > Citation? Here in Amarillo, if it rains, the phone lines start caving in, > and I'd like to beat up SWBT for ISDN service :-) > > Dave Merriman > > PS - sorry for posting this to the whole list, but couldn't get this past my > ISP to Jim directly :-( Public Utility Commission of Texas 7800 Shoal Creek Blvd. Austin, TX 78757 512-458-0256 512-458-0221 Please be advised that the PUC is not responsible for enforcing the technical standards overall, that is the FCC. It is responsible for setting rates and resolving problems with customers on specific problems. 
The letter I received from SWBT is as follows: Dear Customer: On November 17, 1995, Southwestern Bell Telephone Company (SWBT) filed an application (assigned Tariff Control No. 15024) concerning its ISDN-based services, as required by the Public Utility Commission of Texas (Commission) Substantive Rule (SR) 23.69 Integrated Services Digital Network (ISDN). ISDN is a digital network architecture that provides a wide variety of services, a standard set of user-network messages, and integrated access to the network. Access methods to the ISDN are the Basic Rate Interface (BRI) and the Primary Rate Interface (PRI). This application does not increase the currently approved rates or optional ISDN based services (i.e. SWBT's DigiLine(sm), SmartTrunk(sm), SelectVideo Plus(sm) and PLEXAR(sm) ISDN services) and their features. SR 23.69 sets forth the requirements for the provision of optional ISDN-based services. In accordance with SR 23.69, at a minimum, ISDN-based services shall comply with National ISDN-1 and National ISDN-2 Standards and be capable of providing end-to-end digital connectivity. SWBT's application includes the offering of ISDN with PLEXAR(sm) II Service and new features to DigiLine(sm) and SmartTrunk(sm) Services to meet the standards required to meet standards required by SR 23.69. Also, SWBT is proposing in this application to eliminate the minimum station requirement for PLEXAR II(sm) Service and the offering of occasional user plan for DigiLine(sm) Service to future customers. In addition, SR 23.69 requires SWBT to make ISDN-based services available to all its exchanges in Texas by July 1, 1996. SWBT is currently offering ISDN-based services in its exchanges comprised in the Abilene, Amarillo, Austin, Brownsville, Dallas, El Paso, Houston, Lubbock and San Antonio LATAs. 
In compliance with the rule, SWBT will make ISDN-based services available in its remaining exchanges comprised in the Beaumont, Corpus Christi, Hearne, Longview, Midland, Waco, and Wichita Falls LATAs by July 1, 1996. SR 23.69 also establishes the effective date of this application to be no later than July 1, 1996. The new optional ISDN-based service and features are expected to generate first year net revenues of approximately $372,000. Persons who wish to comment on this application should notify the Commission by January 12, 1996. Requests for further information should be mailed (faxed material is not acceptable for filing) to the Public Utility Commission of Texas, 7800 Shoal Creek Blvd., Austin, Texas 78757, or you may call the Public Utility Commission Public Information Office at 512-458-0256 or 512-458-0221 for text telephone. From erc at dal1820.computek.net Tue Jan 2 22:31:18 1996 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Wed, 3 Jan 1996 14:31:18 +0800 Subject: Why Net Censorship Doesn't Work In-Reply-To: <2.2.32.19960102170305.0069891c@panix.com> Message-ID: <199601021729.LAA26098@dal1820.computek.net> -----BEGIN PGP SIGNED MESSAGE----- > It used to be said that no country would be allowed to move from Communism > to Capitalism. It can now be said that it is inconceivable that a modern > country will move from a Market to a Command Economy. Market discipline is > strong. Tell that to folks in the countries of used-to-be-Russia. Lots of old Communist leaders getting back into power - some folks are even saying that the old days under the Communists were better than living in a free market economy. Never underestimate the value of human stupidity and shortsightedness. > Where are the pressure points where regulation can be applied? How about on the backbone itself? Since everyone goes through the three major backbones, all one would have to do is control access at those points. 
Of course, that would lead to clandestine use of store-and-forward LEOsats, s&f UUCP sites, etc. UUCP might even make a comeback ;) - -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOlrZCS9AwzY9LDxAQE5NgP+K0M4dCNmi6lJSiew+BELRQs9A+YU5XeX TVte3vtTrpwhqePj2c6YXzPtKAl5Bu+JbQxI9+4m6dbmYQ6gW9D7VZLni5EOKWwP CSHg/bUJIf3tFY5/p0tRPIx800AH+n/TOIg9fMtqe3unjkJ78a014aAij6/ssoyO UKbUXDYOxOk= =E+l9 -----END PGP SIGNATURE----- From erc at dal1820.computek.net Tue Jan 2 22:51:56 1996 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Wed, 3 Jan 1996 14:51:56 +0800 Subject: Guerilla ISP's... In-Reply-To: <2.2.32.19960102115836.008c6b40@panix.com> Message-ID: <199601021849.MAA31203@dal1820.computek.net> -----BEGIN PGP SIGNED MESSAGE----- > If the processes are operating in encrypted accounts not under the control > of the machine owner it is hard to find the machine owner liable. In > addition, the Feds can only afford a few prosecutions at $50-$100K each > (Brian, if you're listening what *does* the average Federal prosecution > cost?). The cost of setting up servers is much lower than the cost of > busting them. And the servers could really be set up anonymously. Pay cash to an ISP for a SLIP or PPP account, get a phone line under a ficticious name, set up a PO box for the (few) bills, find somewhere to set up the machine, and away you go... 
- -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOl+VCS9AwzY9LDxAQGFfAQArUOg/QPRluQEwJQNxx7VxhwgxrzCO91T WRHvP71Cgb8cpYorWrHTf0xrh+ng7RtLkXaiJJd7RWmx2ggp8Tpv1sBxaAN9sgXm lhHFlD9eHVf/q6ZsmohNTQSh7ZDav4gB2ewHwZDzTwD3stm4Q06tH6p7XUAfmGlK iYT8dN2fHBg= =MwEh -----END PGP SIGNATURE----- From erc at dal1820.computek.net Tue Jan 2 22:58:02 1996 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Wed, 3 Jan 1996 14:58:02 +0800 Subject: Guerilla Internet Service Providers In-Reply-To: Message-ID: <199601021624.KAA22254@dal1820.computek.net> -----BEGIN PGP SIGNED MESSAGE----- > I don't know if I am the only one who this is happening to, but I keep > getting two copies of every post you send. Has anyone else commented on > this? I will forward them back to you following this response so that > you will have the header info if you choose to track down the source of > the duplication. I don't know where the dups are coming from - my logs don't show that I'm sending two copies, and no one else has complained. I'm also not sending out dups on any other list I'm on... 
- -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOlcFyS9AwzY9LDxAQFSjQP/dYUpg2SNMb3qGhrkerD5nIU0GcopXkZ+ odhi4KhyUiipPljwwBcPxLfrduxW/A8QOviXJR++Fz/ZOnRrZ6NfKC2sgiO3GuYn W642nNFEJ/cf+pFVxvxcyDMyOc0db+hOWC54JrctyjckNkJKTyE6OyLIfQ3O+aBF l2YhORWBWOQ= =0Idn -----END PGP SIGNATURE----- From nobody at REPLAY.COM Tue Jan 2 23:00:11 1996 From: nobody at REPLAY.COM (Anonymous) Date: Wed, 3 Jan 1996 15:00:11 +0800 Subject: No Subject Message-ID: <199601022027.VAA24980@utopia.hacktic.nl> Cypherpunks write code. With that phrase and the wave of attempts to censor the 'Net, I've embarked on a quest to make remailers easier to use. Has anyone written an easy to use Windows or DOS application that will let someone chain a message through several remailers, perhaps with support for the mailer at alpha.c2.org? Would the writer of such a program, if in the US fall under the provisions in ITAR? Obviously, calls to the PGP program would have to be made. I recall reading that such hooks do fall under the ITAR. If this is true, so much for a more user friendly version of chain for the masses. 
From schneier at winternet.com Tue Jan 2 23:02:42 1996 From: schneier at winternet.com (Bruce Schneier) Date: Wed, 3 Jan 1996 15:02:42 +0800 Subject: no subject (file transmission) Message-ID: <199601030329.VAA04190@parka> APPLIED CRYPTOGRAPHY, Second Edition ERRATA Version 1.0 - 3 January 1996 This errata includes all errors I have found in the book, including minor spelling and grammatical errors. Please distribute this errata sheet to anyone else who owns a copy of the book. Page 11: Line 18, the reference should be "[703]" and not "[699]". Page 13: Fifth paragraph, first sentence, should read: "The German Enigma had three rotors, chosen from a set of five,...." Page 14: The last sentence should read: "The smallest displacement that indicates a multiple of the key length is the length of the key." Page 16: Third line from the bottom, "1.44" makes more sense as "1.544". Page 18: Table 1.1, second item. 1 in 4,000,000 is 2^22. Page 53: Second to last sentence about SKEY should read: "Similarly, the database is not useful to an attacker." Page 61: Step (3), the second message should contain A instead of B. Page 62: In the third line, there's a comma missing. Page 63: Second protocol, step (2), the second message should be "S_T(C,K_C)". Page 70: In the first step (4), the equation should be "R XOR S = M". In the second step (2), it should be "to generate U". Page 77: In step (2), the message is signed with Trent's private key. And T_n is mistakenly both the time and the timestamp. Page 82: Fourth line from the bottom, the correct expression is "up and died." Page 99: Tenth line from the bottom, delete the second word: "will". Page 104: Graph isomorphism has never been proven to be an NP-Complete problem. It does seem to be hard, and is probably useful for cryptography. Page 105: In Step (2), Peggy gives Victor a copy of H'. Page 112: Step (1) should read "Alice takes the document and multiplies it by a random value." Page 116: The protocol could be worded better. 
Step (3) should begin: "Alice decrypts Bob's key twice, once with each of her private keys." Step (4) should begin: "Alice encrypts both of her messages, each with a different one of the DES keys...."

Page 126: The "Voting with Blind Signatures" protocol is a little more complicated. The voter does not send all the blinding factors in step (2). The CTF requests 9 of 10 blinding factors in step (3), and the voter sends only those blinding factors to the CTF.

Page 134: Another problem with this protocol is that there are numerous ways that various participants can cheat and collude to find out the salary of another participant. These cheaters can misrepresent their own salaries during their attack.

Page 135: Lines 13-14; technically Alice and Bob get no additional information about the other's numbers.

Page 136: Lines 14-15; technically Alice and Bob get no additional information about the other's numbers.

Page 144: Line 27, the odds should be "1 in n". Line 29, "step (2)" should be "step (1)".

Page 161: In the eleventh line from the bottom, "harnesses" should be "harnessed".

Page 181: Line a should read "he does not know it" instead of "he does know it".

Page 195: In line 13, the reference number should be [402].

Page 201: Error Propagation, lines 5-6. The sentence should read: "In 8-bit CFB mode, 9 bytes of decrypted plaintext are garbled by a single-bit error in the ciphertext."

Page 202: Third to last line, toggling individual bits does not affect subsequent bits in a synchronous stream cipher.

Page 203: Section 9.8, both equations should be "S_i = E_K(S_(i-1))".

Page 209: Table 9.1. CFB, Security: Bits of the last block can be changed, not the first. CFB, Efficiency: The speed is the same as the block cipher only in 64-bit CFB. CFB and OFB, Efficiency: "Ciphertext is the same size as the plaintext" should be a plus.

Page 217: The Table 10.1 headers got garbled. They should be: "Algorithm", "Confidentiality", "Authentication", "Integrity", and "Key Management".

Page 246: The last line should be: "#define isEven(x) ((x & 0x01) == 0)".

Page 249: Line 9, "Euclid's generalization" should be "Euler's generalization".

Page 251: Lines 20-21. The sentence should read: "For example, there are 11 quadratic residues mod 35: 1, 4, 9, 11, 14, 15, 16, 21, 25, 29, and 30." See page 505 for more details.

Page 258: In line 27, his name is spelled "Chandrasekhar".

Page 275: Table 12.4; it should be a "48-Bit Input".

Page 281: In line 4, "minuscule" is misspelled as "miniscule".

Page 287: In Figure 12.6, there should be no period in X or Y.

Page 292: Second line, "b_24" should be "b_26". In line 10, "1/2 - .0061" should be "1/2 + .0061".

Page 295: Third line from the bottom, 2^(120/n) should be (2^120)/n.

Page 300: In the first line, "56" should be "48".

Page 319: In line 11, Section "25.13" should be "25.14".

Page 322: Last line, the chip is 107.8 square mm.

Page 338: In Figure 14.3 and in the first line, "f" should be "F".

Page 340: Second equation should be "mod 256".

Page 341: The current variants of SAFER are SAFER SK-40, SAFER SK-64, and SAFER SK-128, all with a modified key schedule, in response to a theoretical attack by Lars Knudsen presented at Crypto '95.

Page 345: Lines 10 and 11; the + should be a -.

Page 346: The reference number for BaseKing should be [402].

Page 352: In line 8, that second "l" should be an "r".

Page 358: In the decryption equation of Davies-Price mode, the final D should be an E.

Page 362: In the first equation, P is used to indicate both padding and plaintext. If P is plaintext and p is padding, then the equation should be: C = E_K3(p(E_K2(p(E_K1(P))))).

Page 362: Figure 15.2 is wrong. The middle and top rows of "Encrypt," and the plaintext feeding them, are shifted right by 1/2 block from where they should be.

Page 363: The parenthetical remark would be clearer as: "encryption with one of n different keys, used cyclically".

Page 363: Second to last line, the equation should have an I_2 in place of the I_1.

Page 367: Second equation, "P XOR K_3" should be "C XOR K_3".

Page 369: A maximal period linear congruential generator has a period of m, not m-1.

Page 375: Third paragraph should read: "It is easy to turn this into a maximal period LFSR. The highest exponent is the size of the register, n. Number the bits from n-1 to 0. The numbers, including the 0, specify the tap sequence, counting from the left of the register. The x^n term of the polynomial stands for the input being fed into the left end." The next paragraph is wrong.

Page 379: Second line of code has an extra close parenthesis.

Page 380: The fourth line should begin: "On the other hand, an astonishingly...."

Page 393: In Figure 16.16, there should be an arrow from b_4 to the Output Function.

Page 393: Second sentence should be: "It's a method for combining multiple pseudo-random streams that increases their security."

Page 429: The second sentence should be: "It returns a fixed-length hash value, h."

Page 431: In step (2), "prepend" instead of "append".

Page 440: In item 3, there is an "AND" missing in the equation.

Page 441: The compression function of MD2 is confusing without the indentations. The two for-loops are nested, and include the next two statements.

Page 444: In figure 18.7, the a, b, c, d, and e variables are backwards.

Page 445: Line 14, SHA should be compared to MD4.

Page 447: Lines 3-4 should read: "...CBC in [1145], CBC in [55,56,54]...."

Page 449: Figure 18.9, M_i and H_i-1 in the upper-left diagram should be reversed.

Page 456: Table 18.2. Encryption speed should be in "kilobytes/second", and "SNEERU" should be "SNEFRU".

Page 457: Lines 3 and 4, the ending "-1" and "-2" should be superscripts.

Page 465: In the third line of text, the number should be n^-1.

Page 470: The second to last line is missing an "is".

Page 480: An additional reference for elliptic-curve cryptosystems is N. Koblitz, A Course in Number Theory and Cryptography, Springer-Verlag, 1988.
This is an excellent book, and omitting it was an oversight.

Page 489: Caption to Table 20.3 should specify an "80386 33 MHz personal computer".

Page 495: In Step (8), the constant should be "0x7fffffff".

Page 497: Delete the fourth equation in the list of verification equations.

Page 499: ESIGN, seventh line: "m-1" should be "n-1".

Page 505: In step 3, the third sentence should be: "If Victor's first bit is a 1, then s_1 is part of the product...."

Page 514: In step (1), Alice must send X to Bob.

Page 515: In line 1, "commutitive" is misspelled as "communitive".

Page 515: Hughes. Step (2): In order for step (4) to work, y must be relatively prime to n-1 else the inverse function in step (4) won't work. If n is a strong prime such that (n-1)/2 is also prime, then y can be any odd random large integer except for (n-1)/2. In step (4), Bob computes: z=y^-1 mod (n-1).

Page 516: In the Station-to-Station protocol, the exponentiation is missing. In step (1), Alice sends Bob g^x mod p. In step (2), Bob computes the shared key based on g^x mod p and y. He signs g^x mod p and g^y mod p, and encrypts the signature using k. He sends that, along with g^y mod p, to Alice. In step (3), Alice sends a signed message consisting of g^x mod p and g^y mod p, encrypted in their shared key.

Page 529: Line 13 should be a polynomial of degree 5, not 6.

Page 535: The technique wherein Mallory leaks 10 bits of DSA secret per signature, can be sped up by a factor of 16 or so. Instead of choosing a 4-bit block randomly and then searching for a k that leaks the correct 14 bits, he can just use the low 4 bits of r to select the block of the signature to leak (no need to have an opaque subliminal channel) and he only has to check an average of 1024 k values until the bits sent out over the 10 subliminal channels match the 10 bits of the secret selected by r = (g^k mod p) mod q.

Page 568: In the Kerberos Version 5 Messages, step 3, the final "s" should not be subscripted.

Page 586: Figure 24.7, in the key the arrow should point from y to x.

Page 586: Seventh line, "revokation" should be spelled "revocation".

Page 589: Section 24.15, fourth line: "Nambia" should be "Namibia".

Page 592: The equation is wrong. The structure of the LEAF is "E_KF(U,E_KU(K_S),C)", where U is the 32-bit unit ID, K_S is the 80-bit session key, and C is a 16-bit checksum of K_S and the IV (and possibly other material) used by the receiving chip to ensure that it has a valid LEAF.

Page 604: Fourth line from the bottom should read: "to U.S. patent law."

Page 606: In lines 12 and 13, the cross-references are to chapter 18.

Page 607: In Table 25.4, the column headers are reversed.

Page 610: Sixth line should read "it is filed", not "it is filled".

Page 683: In reference 210, the title of the paper is "A Comparison of Three Modular Reduction Functions".

Page 705: In reference 727, subscript should be a superscript.

This errata is updated periodically. For a current errata sheet, send a self-addressed stamped envelope to: Bruce Schneier, Counterpane Systems, 101 East Minnehaha Parkway, Minneapolis, MN 55419; or send electronic mail to: schneier at counterpane.com.

From vznuri at netcom.com Tue Jan 2 23:09:12 1996
From: vznuri at netcom.com (Vladimir Z. Nuri)
Date: Wed, 3 Jan 1996 15:09:12 +0800
Subject: CIA intelligence info
Message-ID: <199601022117.NAA13088@netcom12.netcom.com>

some interesting info on apparent efforts by the CIA spooks to get into economic espionage and be more "user friendly" .. (blecch)

------- Forwarded Message

From: "Ron Pappas"
Date: Sun, 31 Dec 1995 18:17:52 +0000
Subject: Intelligence Anyone?

FRM: Ron Pappas
FOR: All

- - -=> Quoting Paul McGinnis <=-

April 12, 1994 -- the CIA released a document in February 1994 called "A Consumer's Guide to Intelligence". My copy arrived today, so I will provide a review for interested parties.

This item has a slick marketing feel to it, similar to that of a prospectus for a new stock or something given to prospective car buyers. It's even printed on glossy paper. About the only thing missing, that other marketing documents have, is color photographs of happy employees. Apparently, in this era of shrinking budgets, it was prepared to "sell" the Intelligence Community to various government officials. In fact, inside the front cover, is the statement "This publication is prepared for the use of US government officials, and the format, coverage, and content are designed to meet their specific requirements."

So, what's the content like? It discusses what various intelligence agencies actually do, types of intelligence, how intelligence is collected (helpful tip: if you have just come back from an exotic foreign country, the U.S. government would really like to have a friendly chat with you...) and the reports that can be provided to policymakers. For example, if you have enough political clout, you can get a free subscription to the following (quoted verbatim from page 23 of the CIA publication):

Defense Intelligence Agency Current Assessments
_______________________________________________
A tabloid product that provides a brief and timely assessment of an ongoing military or military-related situation or recent development considered highly significant to national-level decisionmakers.

Given the word "tabloid" one wonders if it features lurid New York Post style headlines, such as "Serbian general's secret Bosnian girlfriend"...

There are a few surprises though. For example, among current large consumers of intelligence information, it lists the Department of Agriculture and the Federal Aviation Administration (FAA). They also discuss the rarely mentioned MASINT field (Measurements and Signatures Intelligence). MASINT involves using scientists and engineers to study other characteristics of intelligence information gathered.
For example, although it is not stated in this publication, it is believed that MASINT specialists studied the spectral characteristics of Soviet rocket exhausts to determine the fuel mixture used in the rocket.

How does one obtain a copy of this document? It is available for $12.50 to addresses in the U.S., Canada, and Mexico, and $25.00 elsewhere. (There was an error in the NTIS database entry I posted earlier which indicated the price was $17.50). Also, you need to add $3.00 for postage per order (not per copy) in the U.S., Canada and Mexico, and $4.00 for postage elsewhere. To order, make checks payable to NTIS, and request item # PB93-928021 from

U.S. Department of Commerce
National Technical Information Service
Springfield, VA 22161
phone (703) 487-4650

Ask for a free copy of their catalog of products and services.

So, is it worth ordering? If you are interested in intelligence, I recommend this publication. Also, it might be a good thing to leave laying around on your coffee table if you have "politically correct" visitors...

Paul McGinnis / TRADER at cup.portal.com

- - ------------------------------------------------
(This file was found elsewhere on the Internet and uploaded to the Patriot FTP site by S.P.I.R.A.L., the Society for the Protection of Individual Rights and Liberties. E-mail alex at spiral.org)

Peace, Pap...
The College Board 864.878.7340 FIDO - 1:3639/60

- ------- End of Forwarded Message

------- End of Forwarded Message

From tcmay at got.net Tue Jan 2 23:22:52 1996
From: tcmay at got.net (Timothy C. May)
Date: Wed, 3 Jan 1996 15:22:52 +0800
Subject: Why Net Censorship Doesn't Work
Message-ID:

At 8:17 PM 1/2/96, Duncan Frissell wrote:

>That would require outlawry of crypto over the backbone and some way of
>convincing the backbone to run government approved code. Quite a bit of
>resistance would ensue. Have the Feds ever successfully mandated that large
>numbers of people run government code?

Aren't we all using Ada?

--Tim May

We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From raph at c2.org Tue Jan 2 23:24:44 1996
From: raph at c2.org (Raph Levien)
Date: Wed, 3 Jan 1996 15:24:44 +0800
Subject: New year's letter picked up by Netly News
Message-ID: <199601022206.OAA27617@infinity.c2.org>

Hi cypherpunks,

In case anyone missed it the first time, or just prefers to see it in HTML (with URLs), my new year's eve letter got picked up by the Netly News, Josh Quittner's daily column on Time's Pathfinder Web site.

http://pathfinder.com/@@noje*HGS0AMAQNl0/Netly/nnhome.html

The second part will run tomorrow.

Raph

From cme at clark.net Tue Jan 2 23:27:43 1996
From: cme at clark.net (Carl Ellison)
Date: Wed, 3 Jan 1996 15:27:43 +0800
Subject: Foiling Traffic Analysis
Message-ID: <199601030421.XAA29402@clark.net>

>Date: Tue, 02 Jan 1996 19:44:53 -0800
>From: shamrock at netcom.com (Lucky Green)
>Subject: Re: Foiling Traffic Analysis

>At 20:02 1/2/96, Jon Lasser wrote:
>
>>When the group of packets arrives at a given station, it replaces its
>>current encrypted packet with a new packet;

>All participants in this network are clearly guilty of conspiracy. Their
>assets will be confiscated under RICO.

Sounds like disasterizing to me. This is merely a technical means for producing anonymous communications. Anonymity = conspiracy?

- Carl

+--------------------------------------------------------------------------+
| Carl M.
Ellison cme at acm.org http://www.clark.net/pub/cme |
| PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2 |
| ``Officer, officer, arrest that man! He's whistling a dirty song.'' |
+---------------------------------------------- Jean Ellison (aka Mother) -+

From frissell at panix.com Tue Jan 2 23:33:19 1996
From: frissell at panix.com (Duncan Frissell)
Date: Wed, 3 Jan 1996 15:33:19 +0800
Subject: Shut 'er down
Message-ID: <2.2.32.19960102203509.006bed68@panix.com>

At 03:06 PM 1/2/96 -0500, Brian Davis wrote:

>BTW our office collects more every year (from fines, foreclosures,
>bankruptcies, affirmative civil cases, etc. etc.) than our total office
>budget. We make money -- so why am I unpaid this week! :-)

The courts cost too though. Also there's your share of general government overhead. You may cover variable direct costs but perhaps not indirect and fixed costs.

I take it you are unpaid but working. Couldn't we reverse the process and pay you not to work? Sort of like protection money. It would be worth it I think.

DCF

"Some of my best friends are public employees but I wouldn't want my sister to marry one. She needs someone with a steady income and future prospects."

From shamrock at netcom.com Tue Jan 2 23:42:42 1996
From: shamrock at netcom.com (Lucky Green)
Date: Wed, 3 Jan 1996 15:42:42 +0800
Subject: Guerilla Internet Service Providers (fwd)
Message-ID:

At 22:11 1/2/96, Anonymous wrote:
>frantz at netcom.com (Bill Frantz) wrote:
>
>> Don't forget about infrared to cross public rights-of-way.
>
>What about fog?

Infrared and laser are not very reliable between buildings during fog. Between your house and your neighbor, a low cost 900MHz bridge would be the best way to go. On such short distances, an omni-directional antenna will work just fine. Check out Solectek (cheaper) or Cylink (faster). Both offer DES link encryption.

-- Lucky Green
PGP encrypted mail preferred.

From shamrock at netcom.com Tue Jan 2 23:45:09 1996
From: shamrock at netcom.com (Lucky Green)
Date: Wed, 3 Jan 1996 15:45:09 +0800
Subject: Guerilla Internet Service Providers (fwd)
Message-ID:

At 22:51 1/2/96, Steve Gibbons wrote:

>I had a similar thought about a month ago. In particular, I was thinking that
>skyrise office buildings would be a great market for ISPs to target. Rent a
>closet in the basement/top floor close to the telco demarc. Run lots of
>UTP to the clients through the existing conduit, ceiling access, air ducts, or whatever
>and boom, lots of clients, low overhead, telco bills cut to 1/2 of the
>competitions'. Up-front costs might (or might not be) higher, since the wire
>installation would now be the burden of the ISP.
[...]
>FWIW, (and if anyone winds up doing something like this, I want a "finders
>fee" ;-) )

Sorry, I thought of this months ago :-)

But there is an even better business opportunity out there. Wireless T1 service covering a whole downtown area. I speced the whole system for the last company I worked for before they ran out of money. My calculations show that you can deliver close to T1 speed to corporate customers at a fraction of the cost using land lines. In the best case scenario, you can produce the individual connection at below $200. No land line based ISP can ever touch that. The total cost for a land line based ISP is at least $395/T1. Set-up fee is lower too. Best, the whole thing can be set up self financing. If I wasn't so busy with other projects, I'd implement it myself.

-- Lucky Green
PGP encrypted mail preferred.

From shamrock at netcom.com Wed Jan 3 00:11:53 1996
From: shamrock at netcom.com (Lucky Green)
Date: Wed, 3 Jan 1996 16:11:53 +0800
Subject: Guerilla ISP's...
Message-ID:

At 12:49 1/2/96, Ed Carp [khijol SysAdmin] wrote:

>And the servers could really be set up anonymously.
Pay cash to an ISP
>for a SLIP or PPP account, get a phone line under a fictitious name, set
>up a PO box for the (few) bills, find somewhere to set up the machine,
>and away you go...

Only to have the box impounded within a few days after going on-line. A very costly and likely short lived hobby.

-- Lucky Green
PGP encrypted mail preferred.

From frantz at netcom.com Wed Jan 3 00:12:59 1996
From: frantz at netcom.com (Bill Frantz)
Date: Wed, 3 Jan 1996 16:12:59 +0800
Subject: Guerilla Internet Service Providers (fwd)
Message-ID: <199601030710.XAA28408@netcom5.netcom.com>

At 22:11 1/2/96 -0800, Anonymous wrote:
>frantz at netcom.com (Bill Frantz) wrote:
>
>> Don't forget about infrared to cross public rights-of-way.
>
>What about fog?

How much reliability do you need? As a first approximation, look out your window. How often is it that you can't see your neighbor's house? Here in California, power failures are more frequent. (N.B. higher level protocols will recover from interruptions due to, e.g. large trucks.)

I first heard of people using the technology to extend an IBM mainframe channel across a freeway 15 or 20 years ago.

Bill

From nobody at REPLAY.COM Wed Jan 3 00:24:22 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Wed, 3 Jan 1996 16:24:22 +0800
Subject: Why Net Censorship Doesn't Work
Message-ID: <199601022214.XAA28190@utopia.hacktic.nl>

Ed Carp:

>Tell that to folks in the countries of used-to-be-Russia. Lots of old
>Communist leaders getting back into power - some folks are even saying
>that the old days under the Communists were better than living in a free
>market economy.
>
>Never underestimate the value of human stupidity and shortsightedness.

Definitely. The number of warm and well-fed people who are willing to lecture the cold and starving on morals and higher principles is mind-boggling.

From a-kurtb at microsoft.com Wed Jan 3 01:06:52 1996
From: a-kurtb at microsoft.com (Kurt Buff (Volt Comp))
Date: Wed, 3 Jan 1996 17:06:52 +0800
Subject: Guerilla Internet Service Providers
Message-ID:

Another suggestion: The Republic of the Seychelles. Saw an AP article on them over the weekend. Seems they now (since November, if I remember the article correctly) offer unconditional haven for anyone who has $10,000,000 (didn't specify if in US$). No extradition, guaranteed, no matter what the crime, if perpetrated anywhere else in the world. Instant citizenship, no questions asked.

Kurt

----------
From: nobody at REPLAY.COM[SMTP:nobody at REPLAY.COM]
Sent: Monday, January 01, 1996 22:40
To: Cypherpunks at toad.com
Subject: Re: Guerilla Internet Service Providers

-----BEGIN PGP SIGNED MESSAGE-----

On 1/1/96 at 3:11 pm Lucky Green replied to Andreas Bogk about:

>>So I guess we'll need some computers in outer space, on offshore boats
>>or in well-bribed stable dictatorships.

>o Outer space: not very realistic
>o Offshore boats: see the fate of drug traffickers in international waters
>after the Coast Guard is through with them.

What about using converted freighters offshore in international waters for storing the computers? i.e. Sameer the Wolfman Jack of Pirate Internet Services (tm)

I was told that Belize is offering passports for the next two years for $50,000 and that might be even less if offers were made to the government to provide low cost Internet access to the citizens of Belize.

http://www.belize.com/citzdoc.html

Belize has always been known as a home for pirates, A wonderful Cypherpunk candidate for an offshore data haven!

L.
Malthus

From tcmay at got.net Wed Jan 3 01:09:24 1996
From: tcmay at got.net (Timothy C. May)
Date: Wed, 3 Jan 1996 17:09:24 +0800
Subject: How the Gov't. "Deputizes" Corporations to Enforce Laws
Message-ID:

At 4:27 AM 1/2/96, Felix Lee wrote:

>compare with software piracy. when was the last time a kid in your
>neighborhood was busted for unlicensed copying of software? and
>software is big business, lots of suits and $$$. they can try to make
>disassemblers illegal, but it's not likely to succeed.

Though I generally agree with the point that laws can and are skirted (I've argued this too many times myself to repeat it again here), this point about software piracy needs to be critiqued.

The software piracy laws are usually targeted at _corporations_. The Software Publisher's Association has very effectively caused corporations to launch extensive anti-piracy programs (including the very audits of disk drives that so many on this list think is a violation of their human rights).

As with the drug laws, which corporations have been "deputized" (= threatened) to enforce via drug testing, urine tests, random searches, etc. Whit Diffie has been making this point for several years, that the drug laws may not be very enforceable on street corners, but by threatening corporations with loss of contracts, shutdown of plants, seizure of assets, and even criminal prosecution if they fail to take approved steps to create a "drug-free workplace," the long arm of the law is supplemented by corporate enforcement. The "War on Drugs," "Just Say No," and "FooCorp Maintains a Drug-Free Workplace" sorts of campaigns.

(When I was at Intel, 1974-86, nobody cared what drugs were used in the evenings, weekends, etc., so long as one did not come to work stoned or otherwise impaired. Now, like most other large corporations, there are posters up on the walls with childish slogans about the dangers of "substance abuse," extensive drug tests for new employees (not sure about existing employees), employee training seminars devoted to substance abuse, etc. Not because Andy Grove sees a drug problem, but because of the drum beat of "Just Say No!" hysteria and the threats of government sanctions. Corporations have been enlisted into the War on (Some) Drugs.)

The same applies to software piracy. Nobody expects casual, personal copying to stop, but anyone in a company can anonymously narc out the company to the SPA and law enforcement. The SPA and cops may then decide to "make an example" out of the company, launching raids, detailed audits of all machines, and the levying of huge fines for copies of software which are thought to be illegal. (This course of action seems to happen regularly in the Bay Area...the press is usually invited along or tipped off, and the evening news shows some company shut down for a day as SPA and law enforcement agents carry off dozens of bootlegged copies of WordPerfect and Excel.)

The drug and software piracy cases give us some hints about how restrictions on "illegal crypto" are likely to be enforced.

The "casual user" will not be targeted. He can pretty much expect to see no effective enforcement.

However, the Lockheeds and Apples will face sanctions, loss of contracts, asset forfeiture, etc., unless they take "positive steps" to ensure that PGP, BlackNet, non-GAKked crypto, anonymous remailers, and other illegal programs are not being used on their systems. This will entail packet sniffers checking for the usual signs, audits of employee workstations and PCs, posted policies on "cybersubstance abuse" and its dangers, etc. (I'm only slightly joking here.)

While this will still not stop all crypto use--just as tax evasion continues, drug use is rampant, and software piracy is done to some extent by nearly everyone--it will halt certain types of rapid deployment, pushing crypto use to the fringes and away from mainstream use. It will terrorize the Intels and Merrill Lynches of the country into being enforcers of the laws.

This is how things are being done in these waning years of the 20th Century.

--Tim May

We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From nobody at flame.alias.net Wed Jan 3 01:13:25 1996
From: nobody at flame.alias.net (Anonymous)
Date: Wed, 3 Jan 1996 17:13:25 +0800
Subject: NSA gets into the ISP business
Message-ID: <199601030825.JAA21055@utopia.hacktic.nl>

Recently I went out shopping for a cheaper ISP. I found one which was very inexpensive. Too inexpensive. At first I was thrilled...then I began to wonder how they could charge so little. Pcix.com is offering static ip address, domain name, etc, the whole shebang for $20 a month, or $75 if you want a dedicated line. That's less than TLG, and TLG is a non-profit organization. As the saying goes, if it sounds too good to be true, it probably is.

It seems our government friends have found themselves a new hobby. I'm not sure exactly what this sting operation was set up for, but I'm sure you can use your imagination. The user agreement is very interesting.
It states: 1) You're not allowed to upload any encryption software (even if you don't export it) or have any strong crypto in your shell account, and 2) They are allowed to monitor anything you send over their network. Spooks' dream ISP.

Highlights from the user agreement:

Section 2.7(b)

> Member further agrees not to upload to the PCIX services any data or
> software that cannot be exported without the prior written
> government authorization, including, but not limited to, certain
> types of encryption software.

Section 4.1

> PCIX may elect to electronically monitor any and all traffic
> which passes over our Wide Area Network. This monitoring may include
> public as well as private communications and data transfers from our
> Members and to our Members as well as any and all communications and
> data transfers to and from any other internet sites. PCIX will
> monitor our Members and those who use or transmit communications or
> other data over our network to try and ensure adherence to
> international, federal, state and local laws as well as the PCIX
> Terms of Service Agreement.

From dlv at bwalk.dm.com Wed Jan 3 01:15:44 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Wed, 3 Jan 1996 17:15:44 +0800
Subject: Guerilla Internet Service Providers
In-Reply-To:
Message-ID: <9FP4gD15w165w@bwalk.dm.com>

David Mandl writes:

> The number of people who drank booze when Prohibition began dwarfs the
> number of people who want access to "controlled" information on the
> net today. Most people still don't even understand what the net is.
> They're two completely different situations. Also, the powers that be
> have much better reasons for killing the net than they had for banning
> booze.

Also, the powers that be could have wiped out bootlegging if they really wanted to -- by draconian means. Corrupt politicians at various levels chose to let the laws be violated and to accept the bribes.
There's much less money involved in the distribution of "undesirable" information.

---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

From BRUEN at mitlns.mit.edu Wed Jan 3 01:24:59 1996
From: BRUEN at mitlns.mit.edu (Bob Bruen, MIT Lab for Nuclear Science)
Date: Wed, 3 Jan 1996 17:24:59 +0800
Subject: Why Net Censorship Doesn't Work
Message-ID: <960102200837.4460036b@mitlns.mit.edu>

DCF wrote:

>Thought control is a very difficult task. It always has been. The
>Inquisition, Nazi Germany, the Soviet Union, and the People's Republic of
>China tried but three of the four are no longer with us. Short of
>totalitarian controls, thought controls will be ineffective. And
>totalitarian controls are difficult to impose these days.

While thought control is difficult, one cannot ignore the damage done trying to do it. All of the above examples were expensive in terms of human suffering and death toll for long periods of time. The controls were effective for some time with long periods for recovery. The fascists may lose in the end but the price of victory is very high.

I fear the current and future efforts at controls will be costly no matter what the outcome.

bob

From rittle at comm.mot.com Wed Jan 3 01:33:08 1996
From: rittle at comm.mot.com (Loren James Rittle)
Date: Wed, 3 Jan 1996 17:33:08 +0800
Subject: NYT's _Unmuzzling the Internet_
Message-ID: <9601030920.AA05852@supra.comm.mot.com>

-----BEGIN PGP SIGNED MESSAGE-----

Jaron Lanier wrote in the _The New York Times_, January 2, 1996, p. A15:

``The other day, I came up with a way to easily evade the proposed American restrictions. My simple idea would be to create a computer program, dubbed `Unmuzzle,' which would deposit incomprehensible fragments of any forbidden material in different foreign computers (though maybe not Germany's).
The contraband communication would only be reassembled into a coherent whole when downloaded in the home of the user back in the United States, where it would become protected speech, as in any other medium.'' Is this the state to which the Internet must evolve to withstand attack from the possible near-future legislation contained within the current draft of the Telecommunications Reregulation Bill? The Internet technology that was designed to withstand network outages by routing around the problem must now, perhaps, also be designed to allow information to be split for storage and transmission to navigate around mere political insanity. I know: "Cypherpunks write code!", but something seems amiss with the technical solution proposed in the opinion editorial quoted above. Many questions are begged in my mind. At first, the Jaron proposal sounds like an interesting thought experiment but a total waste of bandwidth, both CPU and network, to me. The unconstitutional Bill must be defeated in Congress, by that Presidential veto pen that Clinton has become so fond of using recently or the Court system, if absolutely necessary. If none of that happens, then surely technology can be used to route around this "political" problem. It just seems like a shame to have to expend technical effort and valuable network resources to play games to meet the letter of a law, which would so clearly break the direct spirit of the Constitution, if signed into Law and later found during a Supreme Court battle to "pass constitutional muster," as they like to say. Under my model, which may be different than Jaron's, I assume the raw data is useless without a recipe, or algorithm, if you prefer. Jaron doesn't say how the ``incomprehensible fragments of any forbidden material'' are known to be joinable and how they are to be joined so I invented this as the missing glue to discuss his idea in this forum. I assume a recipe would be a new base item fetchable via a standard URL. 
It would disclose the location of raw data sets, how they should be joined and the resultant data-type of the information, if the recipe were to be followed. In this way, it might be possible to work a decoder directly into Mosaic/NetScape/HotJava/. (Perhaps a self-imposed rating could be included within the recipe as additional information bits. Or, perhaps the recipe could be signed by one or more reviewers, which may be trusted by end-users. These features are mentioned only as side features, they do not affect the basic operation to circumvent the letter of the proposed Law.) Back to the questions begged and partial solutions. For instance, if one provides, in a distributed fashion, data sets --- which taken apart are not indecent in anyone's mind since they appear completely random --- and a recipe to generate information from the data sets --- which may construct something which might be considered indecent --- does anyone violate any portion of the insane Indecent Bill, if passed by Congress and signed into Indecent Law by the President? Does the person who set up the information split get in trouble? Do the people pulling in recipes and various pieces of random-looking data sets get in trouble? Do the data set warehousers get in trouble, even if they could have had no direct way to know the raw pieces of data that they stored were to something eventually seen to be indecent when a recipe was followed? Do the recipe warehousers get in trouble, since they could have known what might be created if all data sets were obtained and joined as prescribed by the recipe? What if end-user client software was taught to do all the steps required to follow a recipe automatically? Same as last question, except the user was explicitly asked before any recipe was followed to completion? I think that the Court would be hard-pressed to find a difference between distribution of something indecent and a recipe known to create something indecent from raw data.
But, what if recipes were used for everything, not just items thought to be borderline indecent to totally obscene. Under this assumption, if it could be shown that a recipe and raw data warehousers had no knowledge of each other's contents, they could do no self-policing. It appears that raw data warehousers have "no knowledge" of recipe warehousers as long as the raw data contains no reference to the recipe. The recipe warehousers appear to have no such luck since they contain URLs that point to the raw data chunks required to form coherent information. Recipe warehousers could follow the recipe to "check" content. Finally, on a different tangent, why do the raw data pieces have to be stored on different machines in different countries, if by themselves they are unreadable? Since I believe it is the recipe, not the contributing raw data that presents a problem, it seems like this must be the piece to be stored external to the U.S. For example, only the recipe need be stored abroad in a nice little computer in the Netherlands. Assuming the recipe included only URL-style pointers to the data sets' distributed location and mixing method, a recipe should be quite small. Imagine the Government trying to explain to a jury that random looking transmissions taken together in some exotic manner --- as described by a file fetched from outside the U.S. --- equals some filthy text or image or some other unpopular political speech. Using these rules, I could probably find three passages of text in the 100,000's of pages composing the U.S. Code that when XOR'd together generate something obscene. To make the Government's job even harder before a jury, what if the recipe to be fetched from the foreign country always generated the First Amendment text when followed directly. 
Imagine the Government's surprise when the Defense later shows a recipe involving the exact same information sets that, perhaps, yields the text of the First Amendment, The Indecent Bill itself or another interesting historical document. What if certain implementations of software that decode these recipes could infer another recipe implicitly encoded within the fetched data sets which were required to follow the explicitly given recipe. Since the information required to regenerate the First Amendment text will have always been pulled, in its entirety, an external observer must conclude that the receiver might have plainly followed the directions in the recipe leading to its generation instead of any hidden inferred recipe for the questionably indecent text or image. That sounds like reasonable doubt to me, regardless of the facts of the case. The Defense can always argue that the client was just trying to express the First Amendment in a novel manner, which happens to be true in more ways than one in this case. :-) The Jaron proposal does have some major benefits at least as I have framed the idea. These need to be mentioned explicitly, in case the important side goal was too subtly expressed above. I reverse the location of the bulk of the data required to store the real information. The recipe, which is assumed to be small with respect to the size of the raw data, is stored in any Internet friendly location (i.e. most of the world except the U.S. after the CDA passes) and pulled into the U.S. as required. The raw data is stored within the U.S., randomly spread between data set servers. When arranged in this manner, the bulk of the data continues to be stored as it would have been before stupid U.S. regulations took effect. This final analysis might sound U.S. centric. It was not meant to be. I assume that any information replication scheme that might have been used could continue to be used.
For example, one recipe might exist for each regional replication that existed. Hopefully, the recipes themselves would be replicated in many Internet friendly locations. I welcome informed legal comments on this modified proposal. Regards, Loren -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOpKUv8de8m5izJJAQH+cgP+MDO6TK5s1MkkiWcvSKP9wwoVn0VqMM+U hPRGQJ2MjL3s7r9mPTqlbnPOllI4FO6rBQt5vqmzMnemFG1k94REvmGHuSMxZ7xV zoqYcvZzxdG2KwKBiLWiilirA0IrDV1MQJ4i7xMYYdOoOoeN1VnUbgHW9iWquwKT tIpWzbFFGO0= =m0bM -----END PGP SIGNATURE----- From zeus at pinsight.com Wed Jan 3 01:33:59 1996 From: zeus at pinsight.com (J. Kent Hastings) Date: Wed, 3 Jan 1996 17:33:59 +0800 Subject: Inter-Patch Voice Network Message-ID: <199601030419.UAA11507@Chico.pinsight.com> -- [ From: J. Kent Hastings * EMC.Ver #2.5.02 ] -- -----BEGIN PGP SIGNED MESSAGE----- Cpunx, This may be old hat, but now that PGPfone is available, why don't we start an "Inter-Patch" Network using PGP and ecash? Here are features to consider: * Computer users generate pre-paid phone cards for non-geeks. * Rate is say, 2 cents per minute, for near-real-time voice. * "Voice Mail" service is not subject to telco utility regs. * PIN#s can be changed by users, who can also confirm value. * Thus a user can sell remaining time on a card to others. * A local participant to the target number is selected. * Ecash is instantly delivered in exchange for communications. * Perhaps a 50 percent split, 1 cent per minute for example. * Bad participants are removed from the network. Kent - -- J. 
Kent Hastings Assistant Director of The Agorist Institute zeus at pinsight.com, http://www.pinsight.com/~zeus/agorist/ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOn0hTTxxI221vktAQHs3AQAj/uI2xYGSfE9iSVttCncBrS7yDAUaecX +s1U8zF29zx4a/zq6yUOOJncxS7GWXavUhNLcjuruH7f9tHO1Sam8XcT59rwVlvv P+xnrV/NwaDW0q+TxWjnNhVgTJePC6Hq+6bLRiod+hOTuawkJ3vx50CmDoEKC1Fk HrNqiRLzNQc= =O3Bo -----END PGP SIGNATURE----- From erc at dal1820.computek.net Wed Jan 3 01:38:08 1996 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Wed, 3 Jan 1996 17:38:08 +0800 Subject: Guerilla Internet Service Providers (fwd) In-Reply-To: <199601030146.TAA02574@einstein.ssz.com> Message-ID: <199601030240.UAA29676@dal1820.computek.net> -----BEGIN PGP SIGNED MESSAGE----- > > From: Jeff Simmons > > Subject: Re: Guerilla Internet Service Providers > > Date: Tue, 2 Jan 1996 16:32:33 -0800 (PST) > > > > Punknet is a 'Guerilla ISP'. Twenty of us share a 128k ISDN line, > > distributed via high-speed modems. It's been running fine for over > > a year now, but Pacific Bell has evidently decided to get rid of us. > > > > How? Simply by refusing to either repair or replace our 25 pair trunk > > line, which is rapidly degrading. We've offered to replace it ourselves, > > but according to them, it's illegal. Right now, we've got three dead lines, > > and two others that only will do 1200 baud. > > Hmmm, you should have some kind of Public Utility Commission (PUC) in your area > that regulates the service provider. Here in Texas if SWBT received more Anyone else get two copies of this? I don't think this is me... - -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. 
Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOnsgiS9AwzY9LDxAQF1RwQApz1hFlsNIMiX5cKf9Sy484HIg8N5WfDr PX12AVDlfmbCxbMRAJ/lyfJMgEOYTEURinjg5rk53KLOA+TNimTyawl0sArIOvdQ xJvklJQd3LFH6EfIg7pDXOiD/Rn6b/+bnDI4FBYL06C708cWWuWxcFGzghF9PWyI mouSBFOl8zQ= =lQ4N -----END PGP SIGNATURE----- From markh at wimsey.bc.ca Wed Jan 3 02:23:58 1996 From: markh at wimsey.bc.ca (Mark C. Henderson) Date: Wed, 3 Jan 1996 18:23:58 +0800 Subject: Errata for _Applied Crypto_ Message-ID: Wink Junior writes: > Bruce Schneier has an errata file for the second > edition of _Applied Cryptography_ available on request. Hopefully he will > also make it available via the Web. Hats off to Bruce for making this > information available in a timely, cost-effective manner. It is available from the Wimsey crypto archive (thanks Bruce!) ftp://ftp.wimsey.com/pub/crypto/Doc/applied_cryptography/2nd_ed_errata-1.0 -- Mark Henderson -- markh at wimsey.bc.ca, henderso at netcom.com, mch at squirrel.com PGP 1024/C58015E3 fingerprint=21 F6 AF 2B 6A 8A 0B E1 A1 2A 2A 06 4A D5 92 46 cryptography archive maintainer -- ftp://ftp.wimsey.com/pub/crypto ftp://ftp.wimsey.com/pub/crypto/sun-stuff/change-sun-hostid-1.6.1.tar.gz From sameer at c2.org Wed Jan 3 02:27:09 1996 From: sameer at c2.org (sameer) Date: Wed, 3 Jan 1996 18:27:09 +0800 Subject: US calls for measures against Internet porn In-Reply-To: <199601030047.LAA07011@oznet02.ozemail.com.au> Message-ID: <199601030549.VAA11513@infinity.c2.org> > You can't tell me that someone who fires up their Web browser and points it > to http://www.playboy.com, or clicks yes to a request that they acknowledge > that they are over 18/21/majority and agree to access adult material doesn't > know what they are getting themselves into... 
Just to offer another story of the cluelessness of some people: I've been receiving a number of complaints about one of my users who has gotten into a flamewar on Usenet. They claim that flaming is a violation of FCC regulations. (Maybe eventually it will be.. sigh.) -- sameer Voice: 510-601-9777x3 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From shamrock at netcom.com Wed Jan 3 02:27:40 1996 From: shamrock at netcom.com (Lucky Green) Date: Wed, 3 Jan 1996 18:27:40 +0800 Subject: Foiling Traffic Analysis Message-ID: At 23:21 1/2/96, Carl Ellison wrote: >This is merely a technical means for producing anonymous communications. > >Anonymity = conspiracy? Poll after poll shows that the majority of Americans is eager to allow warrantless searches of their homes and property to aid the War on Drugs. Every non-CP person that I tell about remailers asks me "This is legal?". Meaning that they would expect it to be illegal. Surely a prohibition against anonymous remailers and especially against DC nets is a small price to pay for perceived security against the Four Horsemen... Inevitably, a DC net or the Token Ring approach described earlier will be used for illegal purposes. Once, not if, that comes to pass all participants will be guilty of conspiracy and their property subject to forfeiture. No trial needed and it will happen to the applause of the general public. -- Lucky Green PGP encrypted mail preferred. From jimbell at pacifier.com Wed Jan 3 02:28:06 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 3 Jan 1996 18:28:06 +0800 Subject: Guerilla Internet Service Providers (fwd) Message-ID: At 05:37 PM 1/2/96 -0800, you wrote: >> It seems to me that phone line costs are turning into a floor price for >> Internet access, when they shouldn't really be. The main asset telephone >> companies have, right now, is in RIGHTS OF WAY.
Put an ISP in a business >> park that allows you to run your own dedicated copper pairs, and you've >> bypassed $25/month/line business phone line charges. >> >> At some point, individual urban and suburban blocks could easily be >> "guerilla re-wired" for ISP access without serious trenching, etc. The >> phoneco would still be involved, but in a far lower-profit mode, as the >> supplier of a single T1 to a multi-block area. > >For the "last mile" to the ISP user, wireless could be a better bet. >Have antenna, will surf. Yes, you're absolutely right. It would be great if some entrepreneur could buy a T1, put up a 2000 MHz (or somewhere around that; whatever frequency was allocated appropriately) local "cellular" data system which would be able to connect to up to, say, 100 simultaneous or so local users using modems little more complicated than a current 900 MHz cordless phone. Okay, maybe all this stuff is already being worked on at a few dozen or hundred companies around the globe, but I can't wait... >(Not speaking for Qualcomm, etc.) > >Peter Monta pmonta at qualcomm.com >Qualcomm, Inc./Globalstar Question: Is this the "Qualcomm" that does the Internet access software, or the "Qualcomm" who builds the wireless amps/filters/hardware/etc? Or is it all the same company?!? From DMiskell at envirolink.org Wed Jan 3 02:50:46 1996 From: DMiskell at envirolink.org (Daniel Miskell) Date: Wed, 3 Jan 1996 18:50:46 +0800 Subject: [local] Syracuse new york Message-ID: <9601021659.AA08805@envirolink.org> Douglas F. Elznic writes: >Are there any interested people in having a meeting in the syr area? I most certainly would. I currently reside in the western ny state area. Anybody else interested? Munster --- _________________________________ *!Cheese Doctrine:!* Though cultured over time, and aged to perfection, one must not yield to produce mold. One must also not belittle themselves by conforming to the "whiz", but melt over the unprocessed ideas of Ghuda.
_________________________________ From perry at piermont.com Wed Jan 3 02:54:15 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 3 Jan 1996 18:54:15 +0800 Subject: Guerilla Internet Service Providers In-Reply-To: Message-ID: <199601021624.LAA21091@jekyll.piermont.com> Lucky Green writes: > >> That site will be subject to search, seizure, and arrest and conviction of > >> owner. > > > >but if it turns out that 30% of home PCs have to be seized to prevent > >dissemination of dangerous-information-X? > > Wrong. Only 0.03% of the home PCs have to be seized and the owners > incarcerated. The remaining users will cease to carry controlled data on > their own. Just like no one smokes pot any more. Perry From steve at aztech.net Wed Jan 3 03:21:11 1996 From: steve at aztech.net (Steve Gibbons) Date: Wed, 3 Jan 1996 19:21:11 +0800 Subject: Guerilla Internet Service Providers (fwd) Message-ID: <0099BD00.63F6D1E0.1@aztech.net> In Article: , shamrock at netcom.com (Lucky Green) wrote: # At 22:51 1/2/96, Steve Gibbons wrote: # >I had a similar thought about a month ago. In particular, I was thinking that # >skyrise office buildings would be a great market for ISPs to target. Rent a # >closet in the basement/top floor close to the telco demarc. Run lots of # >UTP to # >the clients through the existing conduit, ceiling access, air ducts, or whatever # >and boom, lots of clients, low overhead, telco bills cut to 1/2 of the # >competitions'. Up-front costs might (or might not be) higher, since the wire # >installation would now be the burden of the ISP. # [...] # >FWIW, (and if anyone winds up doing something like this, I want a "finders # >fee" ;-) ) # Sorry, I thought of this months ago :-) But did you post/publish? :) # But there is an even better # business opportunity out there. Wireless T1 service covering a whole # downtown area. I speced the whole system for the last company I worked for # before they ran out of money.
My calculations show that you can deliver # close to T1 speed to corporate customers at fraction of the cost using land # lines. In the best case scenario, you can produce the individual connection # at below $200. No land line based ISP can ever touch that. The total cost # for a land line based ISP is at least $395/T1. Set-up fee is lower too. # Best, the whole thing can be set up self financing. If I wasn't so busy # with other projects, I'd implement it myself. I'd be interested in seeing your numbers and cost breakdowns. I'd really be interested in the up-front costs that would be associated with the equipment and set-up time/training that will help "insure" data privacy over widely broadcast media. The up-front costs for ~T1 capable transceivers isn't insignificant either. I figure ~$10K up front (maybe half of that, maybe twice when you include management overhead) Amortize over 3 years, and compare. All of this is assuming that the bandwidth is available on the airwaves to handle ~200 ~T1s. (If we're talking $200.00/mo. for T1, sign me up tomorrow, and my neighbor, and his, and hers, and... *poof* no more bandwidth in a "decently" populated metro area or even a downtown. (Back of the envelope calculations show that ~200 T1 ~= 1 TV station [although I might be off by an order of magnitude.]) I apologize if this is off topic, but the crypto part still applies (moreso, even!) to broadcast over the airwaves. (Besides, I'm sure that this list has enough subscribers that are shelling out $200-$500/mo. for 56K/Frac T1/ISDN that they'd be interested in a less expensive alternative.) -- Steve at AZTech.Net From frissell at panix.com Wed Jan 3 03:23:30 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 3 Jan 1996 19:23:30 +0800 Subject: Why Net Censorship Doesn't Work Message-ID: <2.2.32.19960102170305.0069891c@panix.com> Sometimes in the day-to-day wrangling with the net censors, we forget the larger picture.
There is an assumption here and in the media (see the Newsweek year-end piece on the nets by Steven Levy) that the prospect of 2 years in stir and $100,000 fines will quell net speech. This seems unlikely because of the nature of the medium. Thought control is a very difficult task. It always has been. The Inquisition, Nazi Germany, the Soviet Union, and the People's Republic of China tried but three of the four are no longer with us. Short of totalitarian controls, thought controls will be ineffective. And totalitarian controls are difficult to impose these days. It used to be said that no country would be allowed to move from Communism to Capitalism. It can now be said that it is inconceivable that a modern country will move from a Market to a Command Economy. Market discipline is strong. Since only totalitarians have a shot (for a short time) to enforce thought control, the OECD countries will not succeed at thought control. This used to be unimportant because one's thoughts were trapped in one's head. You could speak only to a few people and "mass media" from books to TV was expensive, centralized and somewhat easy to control. You were free in your mind but cut off from communicating your thoughts freely to others. Those conditions no longer exist. If you can think it (or even not think it) you can communicate it easily and cheaply to others. Since thought is free and communications is almost free, control by others is difficult. The net is a fair mapping of the consciousness of its participants onto a world spanning communications system. Large companies and even quite small businesses are concerned about legal hassles. They have an investment to lose and they are more likely to be prosecuted than ordinary individuals. Ordinary people rightly suspect that their risk of punishment is quite low. Particularly since if they are worried about it, they can take many easy steps to protect themselves. 
In the coming world in which millions of households have multitasking computers with full-time highspeed connections to the nets, Java-like applets running wild, etc; the opportunities to stash info in easily accessible but hard to trace forms expands without limit. I was trying to imagine over the weekend how the Feds would regulate the Net. Will Janet and her Storm troopers (wearing Nazi-style bucket helmets) smash into the next meeting of the Internet Engineering Task Force and lock everyone up or force them at gunpoint to adopt standards proposed by the government? And if they do, will their code be any good and will it be accepted by enough nodes to make a difference? Unlikely in the extreme. Where are the pressure points where regulation can be applied? To me, it looks like King Canute ordering back the tide. DCF From maierd at bvsd.k12.co.us Wed Jan 3 19:44:22 1996 From: maierd at bvsd.k12.co.us (Maier David) Date: Wed, 3 Jan 96 19:44:22 PST Subject: NOISE.SYS /dev/random driver for DOS, v0.3.3-Beta In-Reply-To: <199601031215.HAA19436@UNiX.asb.com> Message-ID: <199601040344.UAA18222@bvsd.k12.co.us> send noise033 From frantz at netcom.com Wed Jan 3 19:45:24 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 3 Jan 96 19:45:24 PST Subject: 2047 bit keys in PGP Message-ID: <199601040341.TAA19633@netcom5.netcom.com> At 19:52 1/3/96 -0500, Rick Busdiecker wrote: >Another point to realize is that PGP uses a combination of ciphers. >When encrypting, the RSA key is only used to encrypt an IDEA key. >That IDEA key is used to encrypt your message. Somewhere between 2048 >and 4096, you're making the RSA key stronger (harder to brute force) >than the IDEA key. At that point, the extra time that you're using >for super-big RSA keys is totally wasted. To nitpick: Getting the RSA key will give you ALL the IDEA keys. That is probably worth 200-10000 times the effort. 
----------------------------------------------------------------- Bill Frantz Periwinkle -- Computer Consulting (408)356-8506 16345 Englewood Ave. frantz at netcom.com Los Gatos, CA 95032, USA From jimbell at pacifier.com Wed Jan 3 04:11:08 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 3 Jan 1996 20:11:08 +0800 Subject: Guerilla Internet Service Providers (fwd) Message-ID: At 08:09 PM 1/2/96 -0600, you wrote: >> For the "last mile" to the ISP user, wireless could be a better bet. >> Have antenna, will surf. > >I can easily visualize mobile and portable systems linking to an ISP, >downloading email via encrypted POP/UUCP/whatever, using itinerant 2m or >450 MHz frequencies. A mobile system connects to any ISP, gets a login: >prompt, enters "xyz at host.domain", gets thrown into a POP session on >host.domain, uploads/downloads, then disconnects. All it would really >require is implementing "exec rlogin -l xyz host.domain" into getty (a >very simple patch) and suitable crypto protocols... >- -- >Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com As a ham, too (N7IJS) I recognize your implicit selection of 2m or 450 MHz. But I gently object to this, for reasons that I think will be obvious. First, technology has been marching on in the last 10-20 years, and communications frequencies of 2 GHz and more are technically do-able and comparatively empty. (and with modern IC technology, even easy) Secondly, ham gear tends to be used for long-range communication (miles and watts) and generally has little or no ability to frequency hop/time hop or to automatically turn down transmitter power to be able to share frequencies over short distances (low milliwatts or even microwatts). Those high gigahertz frequencies would be ideal for communication over a few blocks distance. (Sure, packet has been done for years but it is a still-born development; they still think 9600 bps is a "fast" modem speed.) 
I foresee locally-owned boxes that are the equivalent of a wireless phone switch implementing re-used frequency microcells; the cost SHOULD be far lower than the current copperline phone systems, once the telephones are paid for. And they shouldn't cost much more than current 900 MHz cordless telephones, too. From steve at aztech.net Wed Jan 3 04:11:53 1996 From: steve at aztech.net (Steve Gibbons) Date: Wed, 3 Jan 1996 20:11:53 +0800 Subject: Guerilla Internet Service Providers (fwd) Message-ID: <0099BCED.4820A3A0.346@aztech.net> In Article: , jim bell wrote: # It seems to me that phone line costs are turning into a floor price for # Internet access, when they shouldn't really be. The main asset telephone # companies have, right now, is in RIGHTS OF WAY. Put an ISP in a business # park that allows you to run your own dedicated copper pairs, and you've # bypassed $25/month/line business phone line charges. # At some point, individual urban and suburban blocks could easily be # "guerilla re-wired" for ISP access without serious trenching, etc. The # phoneco would still be involved, but in a far lower-profit mode, as the # supplier of a single T1 to a multi-block area. I had a similar thought about a month ago. In particular, I was thinking that skyrise office buildings would be a great market for ISPs to target. Rent a closet in the basement/top floor close to the telco demarc. Run lots of UTP to the clients through the existing conduit, ceiling access, air ducts, or whatever and boom, lots of clients, low overhead, telco bills cut to 1/2 of the competitions'. Up-front costs might (or might not be) higher, since the wire installation would now be the burden of the ISP. ObCrypto: Wiring overhead could be reduced if the building network was moved away from a star configuration to something closer to a backbone with multiple physical subnets (say, per floor.) How do you keep your next door neighbor from sniffing your traffic on the same subnet? Encrypt it, silly...
For performance reasons, truly local traffic could be in the clear, but traffic between the clients' routers and the ISP's would run through something that could keep up with the ISP's max throughput on the ISP's outside interface. You might read "Firewall with encrypted tunnels" for "router" in the paragraph above. If you do, then you have the infrastructure for supporting "secure" trans-Internet traffic. Of course we're not talking about $25.00/mo. service with a $50.00 setup anymore, but low-ish priced, "secure" 56Kb/s, fractional T1, T1, and even T3 seem to be where corporate America/Earth wants to go. FWIW, (and if anyone winds up doing something like this, I want a "finders fee" ;-) ) -- Steve at AZTech.Net From jirib at sweeney.cs.monash.edu.au Wed Jan 3 04:12:32 1996 From: jirib at sweeney.cs.monash.edu.au (Jiri Baum) Date: Wed, 3 Jan 1996 20:12:32 +0800 Subject: Proxy/Representation? In-Reply-To: <199512290024.TAA10333@jekyll.piermont.com> Message-ID: <199601030633.RAA16556@sweeney.cs.monash.edu.au> -----BEGIN PGP SIGNED MESSAGE----- Hello "David E. Smith" and cypherpunks at toad.com and "Perry E. Metzger" PEM wrote: > "David E. Smith" writes: ...[about power of attorney and PGP, reply-to-reply]... > > >standard for "Power of Attorney" documents, and for the entity > > >receiving something signed in your key that should be signed in > > >another person's key to also see the digitally signed power of ... > > That's more of what I was looking for. I suppose that (I'm still using > > PGP as my example) there could be a shared PGP key, signed by Helen and > > myself, where only the two of us know the passphrase, I don't think that's what was intended. If I understood: There'd be a document (hereinafter PoA) signed by Helen which would say "This is a PoA appointing Dave, PGP key X fingerprint Y, to do A, B, C on my behalf #include". Then, when signing, Dave would sign with his own key X, making sure that every document has "p.p. Helen" at the end. 
The recipient checks Dave's signature on the document and Helen's signature on the PoA. > Huh? Why? Why would you need [a separate key]? ... Many automatic systems will assume that a key can only sign for one person (though each person may have several keys). Therefore, it'll confuse "Dave" and "pp. Helen". The RISKS are obvious. To avoid such confusion, Dave should create a separate key with the key ID "Dave pp. Helen" (or similar). However, Helen doesn't need to (shouldn't) know that key! This is Dave's key, created by Dave for Dave's use while he is agent for Helen. Helen would probably sign this key, but doesn't need to since the PoA has the f'print. In fact, you don't want Helen to know it, so that if Dave oversteps his authority she can prove that it was him not her. Ie if Helen finds out the key, Dave should revoke it. Hope that makes sense... Jiri - -- If you want an answer, please mail to . On sweeney, I may delete without reading! PGP 463A14D5 (but it's at home so it'll take a day or two) PGP EF0607F9 (but it's at uni so don't rely on it too much) -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMOoi4CxV6mvvBgf5AQGUJwP/fUPQgzYrbAuGGC8Q4ha8zNNoiAJVU3Rw /mAZbPtG6OQsoFal3xKtsquilXuCsj40btJc2XaTNL7adcKAN+0ZNwYgCHC5C8Yc zzgTwCSdnb9t8RY6vcZeIcXixboF1BKGtqSyzICJfd7yHNJWrh0YfUzTSPVD6jXC kOl7JNurEFY= =a/TW -----END PGP SIGNATURE----- From wlkngowl at unix.asb.com Wed Jan 3 04:13:50 1996 From: wlkngowl at unix.asb.com (Mutatis Mutantdis) Date: Wed, 3 Jan 1996 20:13:50 +0800 Subject: NOISE.SYS /dev/random driver for DOS, v0.3.3-Beta Message-ID: <199601031215.HAA19436@UNiX.asb.com> The latest version is ready to be examined. Much rewriting. Send a message with the subject "send noise033" and an automated responder should eventually send you a uu-encoded Info-Zip file with a compiled version of the driver, assembler source-code, and pgp-sig. Again, comments & criticism would be appreciated.
Help is especially needed trying to find IRQs to sample for sources of randomness. Finding a good way to sample mouse or video scan lines would also be a help.... etc.

--Rob

From goerzenj at complete.org Wed Jan 3 04:17:16 1996
From: goerzenj at complete.org (John Goerzen)
Date: Wed, 3 Jan 1996 20:17:16 +0800
Subject: Massey, CEO of Compuserve, on Internet
In-Reply-To: <951231091526_102864093@mail06.mail.aol.com>
Message-ID:

I have not been a CompuServe subscriber for years. But I do remember how things worked.

It is my _assumption_ that the Usenet gateway operates by importing all Usenet news into the CompuServe system, at which point users can access it.

CompuServe is not location-dependent. The network operates exactly the same regardless of calling location (indeed, the system doesn't even know where you're calling from I believe). It is a worldwide CompuServe Network that people use to access it. This network just allows dialups and then gets the users connected to the CompuServe computers.

The main computers handle all traffic. They are location-independent, making it impossible to block access based on location.

--
John Goerzen, programmer and owner  | Merry Christmas!                     |
Communications Centre, Goessel, KS  +-------------------------------------+
Main e-mail: jgoerzen at complete.org | Other e-mail: goerzenj at complete.org |

On Sun, 31 Dec 1995 Steve14571 at aol.com wrote:

> In a message dated 95-12-30 21:34:12 EST, accessnt at ozemail.com.au (Mark
> Neely) wrote:
>
> I assume that C$ is only filtering the newsfeed as it hits German shores?
> Please tell me
> they aren't denying access to these "banned" newsgroups for all users
> worldwide!
>
> This is exactly what they are doing, Mr. Neely. I am not familiar with
> CompuServe, as I have never used it.
> However, based on my understanding of
> how Usenet operates, it would be possible to write software and incorporate
> it into CompuServe software that would block German readers from the
> "obscene" newsgroups. CompuServe would rather score points with the mostly
> ignorant general public by saying that they are becoming more
> "family-oriented."
>
> I get my access through America Online, and I am afraid that these monolith
> online services (AOL, Delphi, Prodigy) will follow C$'s lead so they may also
> say they are "family-oriented."
>
> I will no longer send mail to addresses that end with "compuserve.com." If
> AOL decides to become family oriented, I will look for other ways to connect
> to the net.
>

From lull at acm.org Wed Jan 3 05:08:08 1996
From: lull at acm.org (John Lull)
Date: Wed, 3 Jan 1996 21:08:08 +0800
Subject: Proxy/Representation?
In-Reply-To: <199601030633.RAA16556@sweeney.cs.monash.edu.au>
Message-ID: <30ea3076.11971382@smtp.ix.netcom.com>

On Wed, 03 Jan 1996 17:32:59 +1100 (EST), jirib at cs.monash.edu.au wrote:

> To avoid such confusion, Dave should create a separate key with
> the key ID "Dave pp. Helen" (or similar). However, Helen doesn't need
> to (shouldn't) know that key! This is Dave's key, created by Dave
> for Dave's use while he is agent for Helen. Helen would probably
> sign this key, but doesn't need to since the PoA has the f'print.
>
> In fact, you don't want Helen to know it, so that if Dave oversteps
> his authority she can prove that it was him not her. Ie if Helen finds
> out the key, Dave should revoke it.

There is also something to be said for Helen having a copy of the revocation certificate for the key. If Helen believes Dave has or is likely to overstep his authority, she could then essentially revoke the power of attorney by revoking the "Dave pp. Helen" key.
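
The recipient-side check for the scheme discussed in this thread (a PoA signed by Helen that names Dave's separate "Dave pp. Helen" key by fingerprint, plus a revocation certificate Helen can publish), as an added example that is not part of any poster's message. It uses textbook RSA over fixed Mersenne primes only so that it runs with the standard library; the JSON PoA layout, the function names and the key sizes are assumptions, and the toy signatures are not secure.

```python
import hashlib
import json

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    """Toy textbook-RSA key from two fixed primes (constructed; NOT secure)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"]}

def fingerprint(pub):
    return hashlib.sha256(str(pub["n"]).encode()).hexdigest()[:16]

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(key, msg):
    return pow(digest(msg, key["n"]), key["d"], key["n"])

def verify(pub, msg, sig):
    return pow(sig, E, pub["n"]) == digest(msg, pub["n"])

def issue_poa(principal_key, principal, agent_key_id, agent_pub, powers):
    """Helen's side: a signed statement naming the agent key by fingerprint."""
    body = json.dumps({"principal": principal, "agent_key_id": agent_key_id,
                       "agent_fpr": fingerprint(agent_pub),
                       "powers": sorted(powers)}, sort_keys=True).encode()
    return {"body": body, "sig": sign(principal_key, body)}

def agent_sign(agent_key, text, principal):
    """Dave's side: every document ends with the 'p.p. <principal>' marker."""
    doc = (text + "\np.p. " + principal).encode()
    return {"doc": doc, "sig": sign(agent_key, doc)}

def make_revocation(agent_key):
    """Self-signed revocation, made by Dave in advance and handed to Helen."""
    msg = b"REVOKE " + fingerprint(public(agent_key)).encode()
    return {"msg": msg, "sig": sign(agent_key, msg)}

def check(signed, action, signer_pub, poa, principal_pub, revocations=()):
    """Recipient's side: 'accept' or the first reason to reject.

    `action` is what the recipient's application decided the document asks
    for (an assumption of this example; the thread does not specify it).
    """
    if not verify(principal_pub, poa["body"], poa["sig"]):
        return "reject: PoA not signed by principal"
    terms = json.loads(poa["body"])
    fpr = fingerprint(signer_pub)
    if terms["agent_fpr"] != fpr:
        return "reject: signing key is not the one named in the PoA"
    for rev in revocations:
        if rev["msg"] == b"REVOKE " + fpr.encode() and \
                verify(signer_pub, rev["msg"], rev["sig"]):
            return "reject: agent key revoked"
    if not verify(signer_pub, signed["doc"], signed["sig"]):
        return "reject: bad document signature"
    if not signed["doc"].endswith(("\np.p. " + terms["principal"]).encode()):
        return "reject: document not marked p.p. principal"
    if action not in terms["powers"]:
        return "reject: action outside delegated powers"
    return "accept"

# Constructed keys: products of Mersenne primes, trivially factorable.
HELEN = make_key(2**521 - 1, 2**607 - 1)
DAVE_PERSONAL = make_key(2**89 - 1, 2**61 - 1)
DAVE_PP_HELEN = make_key(2**127 - 1, 2**107 - 1)

def demo():
    poa = issue_poa(HELEN, "Helen", "Dave pp. Helen",
                    public(DAVE_PP_HELEN), ["A", "B", "C"])
    good = agent_sign(DAVE_PP_HELEN, "Please do A.", "Helen")
    wrong_key = agent_sign(DAVE_PERSONAL, "Please do A.", "Helen")
    revocation = make_revocation(DAVE_PP_HELEN)
    helen, agent = public(HELEN), public(DAVE_PP_HELEN)
    return {
        "valid": check(good, "A", agent, poa, helen),
        "overstep": check(good, "D", agent, poa, helen),
        "personal_key": check(wrong_key, "A", public(DAVE_PERSONAL), poa, helen),
        "revoked": check(good, "A", agent, poa, helen, [revocation]),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:13} {verdict}")
```

Because the revocation is signed by the agent key itself, Helen can publish it without ever holding that key's secret half.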

From jimbell at pacifier.com Wed Jan 3 05:09:15 1996
From: jimbell at pacifier.com (jim bell)
Date: Wed, 3 Jan 1996 21:09:15 +0800
Subject: Guerilla Internet Service Providers (fwd)
Message-ID:

At 01:47 PM 1/2/96 -0600, you wrote:
>
>Forwarded message:
>
>> Date: Tue, 2 Jan 1996 18:43:31 +0000 (GMT)
>> From: "Mark Grant, M.A. (Oxon)"
>> Subject: Re: Guerilla Internet Service Providers
>>
>> About ten years ago a group I was involved with were thinking about
>> putting something into space as a publicity stunt. One company we talked
>> to claimed they could put 1 kg into orbit on one of their sounding rockets
>> for about $ 30,000 (that's a 1 kg satellite, not $ 30,000 per kg). How
>> small can you build a "data haven" satellite ?
>>
>> Looking a few years into the future, you could probably stick a
>> stripped-down Linux laptop with solar cells and a stripped-down satellite
>> telephone as a Net link on top of a slightly larger rocket and charge for
>> on-orbit storage using ecash... Using remailers it should be pretty-much
>> untraceable.
>>
>
>Actually, both the Pacific Coast Rocketry group and the Experimental
>Spacecraft Association are working on putting the first amateur payload in
>LEO. ESA wants to put a telescope with real-time downlink up as their
>payload. PCR wants to put some kind of transponder up.
>
>Under current technology a group of about 30 dedicated amateurs (with
>suitable skills) could put a 25kg payload in orbit for under 1/4 million.
>It would consist of surplus and amateur built equipment.
>
>Tripoli puts out a magazine called High Performance Rocketry which you may
>be able to find at your local newsstand (in Austin you get it at the Central
>Market Bookstop). It usually carries at least a couple of ads for material
>that PCR and a couple of smaller groups are putting out to help fund their
>project.
>I would say it will be less than 3 years before this dream occurs
>unless the DOT (the people who regulate all space shots now) decides not to
>give them a permit.

As I understand the physics, the whole process could be made FAR FAR FAR more efficient if the rocket was boosted to about 40000 feet with a subsonic airplane, a' la' X-15 and such. It's above 75% of the earth's atmosphere (dramatically reduced drag), is already going 600 mph in the correct direction, and is 8 miles closer to the ultimate goal 250 miles up). This might not sound like much of an advantage, but if you've ever worked out the mathematics of the Saturn V (or space shuttle, etc), the VAST majority of the fuel was used up in the first 20,000 feet, maybe even the first 5000 feet. It would be even better if the first stage could be an air-breathing supersonic ramjet, but that's not my field of expertise.

In addition, the existence of relatively low-cost GPS receivers would make achieving an accurate orbit vastly cheaper than with the inertial guidance systems historically used. Sure, cheap accelerometers are being sold by Analog Devices and Murata Erie sells cheap vibrational gyros (not to mention fiber gyros) but it would be hard to beat the accuracy you could get with GPS.

From dlv at bwalk.dm.com Wed Jan 3 05:09:58 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Wed, 3 Jan 1996 21:09:58 +0800
Subject: A weakness in PGP signatures, and a suggested solution (long)
Message-ID: <199601030407.UAA12551@comsec.com>

I've been engaged in a lively debate with a few members of the cypherpunks mailing list about forgeries that are hard to repudiate even if PGP signatures are used. One of the participants suggested that I post a summary to alt.privacy.pgp and sci.crypt, which is just what I'm doing. (My apologies to the mail.cypherpunks readers who already saw much of this once.)

I'll illustrate the problem with several scenarios of forgeries.
(It's funny that earlier today I was showing a friend how easy it is to post forgeries. She seemed suitably impressed. :)

Scenario 1:

Bob once sent Carol an e-mail that looked like this:

-----------------------------------------------------------------------
From: Bob at boxb
To: Carol at boxc
Date: 25 Dec 1965
Subject: Carol, we're history
Message-ID: <111 at boxb>

----BEGIN PGP SIGNED MESSAGE----
I no longer wish to go out with you. Merry Christmas!
----BEGIN PGP SIGNATURE----
Version 2.6.2
12341234...
----END PGP SIGNATURE----
-----------------------------------------------------------------------

Carol can forge an e-mail to Alice that looks like this:

-----------------------------------------------------------------------
From: Bob at boxb
To: Alice at boxa
Date: 25 Dec 1995
Subject: Alice, we're history
Message-ID: <222 at bobb>

----BEGIN PGP SIGNED MESSAGE----
I no longer wish to go out with you. Merry Christmas!
----BEGIN PGP SIGNATURE----
Version 2.6.2
12341234...
----END PGP SIGNATURE----
-----------------------------------------------------------------------

We assume that it's easy for Carol to forge the RFC 822 headers to make it look like the e-mail came from Bob. That's why many of us use digital signatures. The signed portion of Bob's original e-mail did not state that the message is addressed to Carol (e.g., "Dear Carol"). Alice will probably verify that the signature matches Bob's private key and assume that the e-mail is authentic and has been sent to her by Bob.

To repudiate the e-mail, Bob might have to point out that the "Received:" headers differ from his usual e-mails, without relying on PGP. In fact, the presence of his verifiable signature would create more of a presumption of authenticity on Alice's part.

Scenario 2:

Bob sends the same e-mail as above to Carol. David, a rogue sysadmin, gets a copy of the e-mail, forges the same e-mail as above to Alice.

Scenario 3:

Bob sends a signed e-mail to Alice.
Alice sees it in her newsfeed, forges a Usenet article, makes it look like it came from Bob, and includes the body of Bob's e-mail as the body of the Usenet forgery. Usenet forgeries are easy.

Again, if the signed text happens to be suitable, then Bob will have difficulty repudiating the forgery. He won't be able to use the PGP signature, which will in fact verify. Hopefully, he'll be able to point out that the RFC 1036 Path: header is different from his usual header (which may not be the case). Many Usenet readers would be unconvinced and Bob's reputation would be damaged.

Scenario 4:

Bob posts a signed Usenet article to alt.sex. Alice forges a usenet article in Bob's name to misc.kids, recycling the signed body, which would probably be considered inappropriate for misc.kids. Same result as #3.

Scenario 5:

Bob posts a signed Usenet article to some innocuous newsgroup. Alice reposts the same body in a forgery in Bob's name. The forgery can be cross-posted to numerous "inappropriate" newsgroups ("velveeta"), or multi-posted ("spam"). Certain rogue self-appointed net.cops forge cancels for all copies of Bob's article, including the original. (They are a bigger menace than the forgers :)

(As several people know, I have been a victim of some of the above-described kinds of forgeries.)

I think the underlying problem is that the way PGP signatures are used by most people, they validate a text, but allow it to be quoted out of context in an e-mail or Usenet forgery.

I suggest to the kind folks working on PGP 3 that there should be a standard protocol to include within the signed portion the information on when and for whom this text is written: i.e. the list of e-mail recipients and/or Usenet newsgroups, which could be easily compared with the RFC 822/1036 headers of an e-mail/Usenet article. Perhaps there could be a new option for PGP to look _outside_ the signed block and match the headers with what's inside the block.
For example, suppose the signature block says: this text was written by alice at zog.org, posted to alt.sex and alt.sex.banal and e-mailed to bob at masons.com. Suppose PGP is asked to check the signature in a file that purports to be an e-mail or a Usenet article and has some headers before the signed portion. If there is a list of To: recipients, and it includes someone other than the recipients listed within the signed block; or if there is a Newsgroups: header, and it includes newsgroups not listed within the signed portion; then the input is bogus.

For compatibility with the existing software, if the signed block doesn't include this info, then this checking shouldn't be done, of course.

After I posted the above suggestion to cypherpunks, one very respected member of that list informed me that "the security multiparts standard (RFC 1848) includes a provision for signing the headers as well as the body of a message. The security multiparts can be used with PGP, and there is even an Internet Draft for it (draft-elkins-pem-pgp-02.txt), but there is not yet consensus for adopting this as a standard on the pgp-mime mailing list."

I hope my examples will convince some that present practice of signing pieces of text which can be quoted out of context in a forgery is just not enough. We need to have an easy way to sign the headers without resorting to mine.

---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

From David_R._Rorabaugh at dsmllp.com Wed Jan 3 05:18:42 1996
From: David_R._Rorabaugh at dsmllp.com (David R. Rorabaugh)
Date: Wed, 3 Jan 1996 21:18:42 +0800
Subject: Compuserve *hasn't* banned newsgroups
Message-ID: <199601021605.LAA26607@bb.hks.net>

-----BEGIN PGP SIGNED MESSAGE-----

>>I pointed my copy of Free Agent at CPCNET's open news server
>>(198.70.185.5) and grabbed a list of groups sure enough, there were
>>the seasoned citizens in all their glory. And I was checking out
>>those binaries via CompuServe.

I suspect that CompuServe doesn't care much what goes over their network (they will claim "common carrier" status) as much as they care about what they themselves provide. The groups in question ARE gone from CompuServe's news servers.

- --
David R. Rorabaugh
Systems Operations Specialist
Dickstein, Shapiro & Morin, L.L.P.
The opinions expressed are my own.
- --

- ---
[This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

iQBFAwUBMOlXuioZzwIn1bdtAQGgAgF9GOa8Sl3mu6wDt70k6Ij3ZBAfi0j+9i1f
bxC/+g1qecXUCL//wPwiTToTjyLouUaW
=vXmL
-----END PGP SIGNATURE-----

From jamesd at echeque.com Wed Jan 3 05:20:32 1996
From: jamesd at echeque.com (James A. Donald)
Date: Wed, 3 Jan 1996 21:20:32 +0800
Subject: Guerilla Internet Service Providers
Message-ID: <199601021621.IAA07942@blob.best.net>

At 09:07 PM 1/1/96 -0500, David Mandl wrote:
>I agree. It's not a good idea to assume that there's going to be some kind
>of widespread opposition movement when the big Net Crackdown comes. Most
>people will either obey the law, be unaffected by it, or violate it in very
>insignificant ways ("net jaywalking").

When printing was introduced in the west, the big print crackdown was successful, but there was great resistance, and the crackdown on the printed word required great and continuing violence over a long period, and was never entirely effective.

A net crackdown will be substantially less effective than the print crackdown was, and the level of violence is likely to be greater.

There is of course a tradeoff: A highly ineffectual net crackdown will not provoke large scale resistance. They can probably force the stuff on alt.pictures.erotica.children to be published in a more discreet manner.
---------------------------------------------------------------------
                                      |
We have the right to defend ourselves | http://www.jim.com/jamesd/
and our property, because of the kind |
of animals that we are. True law      | James A. Donald
derives from this right, not from the |
arbitrary power of the state.         | jamesd at echeque.com

From accessnt at ozemail.com.au Wed Jan 3 06:59:01 1996
From: accessnt at ozemail.com.au (Mark Neely)
Date: Wed, 3 Jan 1996 22:59:01 +0800
Subject: US calls for measures against Internet porn
Message-ID: <199601030047.LAA07011@oznet02.ozemail.com.au>

> WASHINGTON DC (Reuter) - The US called Sunday for improved
>management of the Internet to prevent people seeing pornographic
>material on the world computer network.

Perhaps it is a result of many self-interested parties who have hyped the Internet to the hilt, but it never ceases to amaze me how people think that as soon as you connect a PC to the Internet, suddenly, all this information and computer wizardry _leaps_ down the phone line and _jumps_ out of your screen.

It can be clearly demonstrated (even to US politicians) that the Internet is not a passive media - users must go out and find what they are looking for (especially pornography). You cannot "stumble" upon pornography, as you might by, say, channel surfing on cable.

You can't tell me that someone who fires up their Web browser and points it to http://www.playboy.com, or clicks yes to a request that they acknowledge that they are over 18/21/majority and agree to access adult material doesn't know what they are getting themselves into...

Mark
___
Mark Neely - accessnt at ozemail.com.au
Lawyer, Professional Cynic
Author: Australian Beginner's Guide to the Internet
Work-in-Progress: Australian Business Guide to the Internet
WWW: http://www.ozemail.com.au/~accessnt

From jlasser at rwd.goucher.edu Wed Jan 3 06:59:57 1996
From: jlasser at rwd.goucher.edu (Jon Lasser)
Date: Wed, 3 Jan 1996 22:59:57 +0800
Subject: Foiling Traffic Analysis
In-Reply-To:
Message-ID:

On Tue, 2 Jan 1996, Timothy C. May wrote:

> At 4:35 AM 1/2/96, Jon Lasser wrote:
>
> >The potential for traffic analysis is the danger here. If an "FBI
> >International Data Laundering Expert" testifies in court that said data
> >came from a site known to be frequented solely by so-and-sos, all the
> >strong crypto in the world won't stop the average jury from convicting you.
> >
> >Carl Ellison (among others, I'm sure) has suggested various means of
> >foiling traffic analysis among a group of trusted conspirators, using a
> >token-ring-like routing scheme. I'm not completely convinced that it's
> >robust enough, but a variation on it is probably adaptable.
>
> How does this differ from Dining Cryptographers approaches?

Totally different from a DC-Net, as far as I understand DC-Nets (I think I do, but Applied Crypto's in my dorm, and I'm at home, so I can't check)

In this approach, computers are organized in "rings"; each computer in a given ring always has an encrypted packet in circulation. When the group of packets arrives at a given station, it replaces its current encrypted packet with a new packet; if it doesn't have any new packets to send, it puts up a garbage packet that is indistinguishable from a normal packet. It then scans all the other packets and attempts to decrypt them with its private key. Any it can read, it does; all the packets are forwarded to the next station in the ring.
By the time the next set of packets arrives, all have been replaced; the station is unable to determine either the source or the destination of any given packet.

Routing between loops is done by routers, which are computers on multiple loops. Perhaps all machines are on multiple loops and serve as routers.

I'm not sure about traffic analysis in cases where Mallet controls a significant portion of the network; while this is unlikely, it must be considered.

Any significant inconsistencies are probably mine...

Jon Lasser
------------------------------------------------------------------------------
Jon Lasser (410)494-3072
Visit my home page at http://www.goucher.edu/~jlasser/
You have a friend at the NSA: Big Brother is watching. Finger for PGP key.

From bdavis at thepoint.net Wed Jan 3 07:03:15 1996
From: bdavis at thepoint.net (Brian Davis)
Date: Wed, 3 Jan 1996 23:03:15 +0800
Subject: Guerilla ISP's...
In-Reply-To: <2.2.32.19960102115836.008c6b40@panix.com>
Message-ID:

On Tue, 2 Jan 1996, Duncan Frissell wrote:

> At 06:49 PM 1/1/96 -0800, Lucky Green wrote:
>
> >That is called a conspiracy. The consequence is that all machines involved
> >will be confiscated and their respective owners jailed.
> >
> >
> >-- Lucky Green
> > PGP encrypted mail preferred.
>
> If the processes are operating in encrypted accounts not under the control
> of the machine owner it is hard to find the machine owner liable. In
> addition, the Feds can only afford a few prosecutions at $50-$100K each
> (Brian, if you're listening what *does* the average Federal prosecution
> cost?). The cost of setting up servers is much lower than the cost of

I am listening, but don't know the marginal cost of such a prosecution. It is really more a reallocation of already existing resources. For example, we could let the state prosecutors handle a bank robbery or three while we protect the unwary innocent from encryption!

EBD

BTW our office collects more every year (from fines, foreclosures, bankruptcies, affirmative civil cases, etc. etc.) than our total office budget. We make money -- so why am I unpaid this week! :-)

> busting them.
>
> DCF
>
> "RIP -- the Interstate Commerce Commission. Dead Jan 1 at the age of
> 120(?). The first Federal regulatory agency. One down, thousands to go."
>

Not a lawyer on the Net, although I play one in real life.
**********************************************************
Flame away! I get treated worse in person every day!!

From cman at communities.com Wed Jan 3 07:03:19 1996
From: cman at communities.com (Douglas Barnes)
Date: Wed, 3 Jan 1996 23:03:19 +0800
Subject: Why Net Censorship Doesn't Work
Message-ID:

I think that there is still a substantial possibility that many kinds of expression will be marginalized and hard to access for a great many users. One of my co-workers has pointed out that the need for something as simple as a helper application for Netscape loses about 90% of his audience.

By simply making it rather more difficult for people to chat about some things, governments can effectively push such things out of the way of all but the most determined readers.

This is actually one of those odd Laffer-curve-like phenomena, where as long as the expression isn't too inherently desirable, government restrictions can be somewhat effective, but the more tightly they try to control things, the more likely they are to lose, as there will be more and more desirable content outside the sanctioned sphere of activity.

Consequently, I was much happier to see the "indecency" standard get passed instead of the "harmful" standard, as the former will push far more content into the "gray" area of the net, which will encourage development and adoption of appropriate tools.

A quote from Star Wars (which I'm just now incorporating into my .sig) was just echoed back to me in a letter from a chap I spoke with from the Australian Office of Strategic Crime Assessment, as encapsulating what he got out of a rather long chat we had when he was passing through the Bay Area last month. Here it is:

------ , ------
Douglas Barnes          "The tighter you close your fist, Governor Tarkin,
cman at communities.com  the more systems will slip through your fingers."
cman at best.com         --Princess Leia

From sinclai at ecf.toronto.edu Wed Jan 3 08:12:07 1996
From: sinclai at ecf.toronto.edu (SINCLAIR DOUGLAS N)
Date: Thu, 4 Jan 1996 00:12:07 +0800
Subject: Guerilla Internet Service Providers [NOISE]
In-Reply-To:
Message-ID: <96Jan3.102233edt.2052@cannon.ecf.toronto.edu>

> As I understand the physics, the whole process could be made FAR FAR FAR
> more efficient if the rocket was boosted to about 40000 feet with a subsonic
> airplane, a' la' X-15 and such. It's above 75% of the earth's atmosphere
> (dramatically reduced drag), is already going 600 mph in the correct
> direction, and is 8 miles closer to the ultimate goal 250 miles up). This
> might not sound like much of an advantage, but if you've ever worked out the
> mathematics of the Saturn V (or space shuttle, etc), the VAST majority of
> the fuel was used up in the first 20,000 feet, maybe even the first 5000
> feet. It would be even better if the first stage could be an air-breathing
> supersonic ramjet, but that's not my field of expertise.

Cypherpunks isn't the right place to discuss this in detail, but...

Efficiency != Cheap

Kerosene is cheap. Steel fuel tanks and rocket motors are quite cheap. Making big dumb rockets is well understood. However, aircraft integration is not. If you use an 'off-the-shelf' aircraft, it has a human in it. That means the whole thing must be safe. If you don't, you have a drone aircraft which isn't cheap at all.

Remember, the cost of materials scales linearly with size.
The cost of a complex system scales as the square of the parts count.

These arguments are hashed out (admittedly without consensus) regularly in the sci.space newsgroups.

From jya at pipeline.com Wed Jan 3 08:33:53 1996
From: jya at pipeline.com (John Young)
Date: Thu, 4 Jan 1996 00:33:53 +0800
Subject: FOI_led
Message-ID: <199601031602.LAA06860@pipe4.nyc.pipeline.com>

For comparison to snooping on search site searchers.

1-3-96. WsJo:

"Freedom of Information Act Gets Wider Use by Sleuths, Snoops and Senators."

FOIA is a handy tool for companies, politicians and journalists to snoop on one another. Many people who file requests aren't aware that the requests themselves are made public. Those who really know the process make FOIA requests on other people's FOIA requests. "It's not like I tapped someone's phone or got them drunk. These are public documents." Journalists sometimes use FOIA to scoop their colleagues. A cottage industry provides information about other people seeking information. Lexis/Nexis carries synopses of FOIA requests.

So rich is FOIA intelligence that some are learning to take countermeasures. For a $36 fee, FOI Services will file its own FOIA requests on behalf of people who wish to remain anonymous.

FOI_led

From jimbell at pacifier.com Wed Jan 3 09:40:52 1996
From: jimbell at pacifier.com (jim bell)
Date: Thu, 4 Jan 1996 01:40:52 +0800
Subject: Guerilla Internet Service Providers (fwd)
Message-ID:

At 01:08 AM 1/3/96 -700, you wrote:

>All of this is assuming that the bandwidth is available on the airwaves to
>handle ~200 ~T1s. (If we're talking $200.00/mo. for T1, sign me up tomorrow,
>and my neighbor, and his, and hers, and... *poof* no more bandwidth in a
>"decently" populated metro area or even a downtown. (Back of the envelope
>calculations show that ~200 T1 ~= 1 TV station [although I might be off by an
>order of magnitude.])
>
>I apologize if this is off topic, but the crypto part still applies (moreso,
>even!)
>to broadcast over the airwaves. (Besides, I'm sure that this list has
>enough subscribers that are shelling out $200-$500/mo. for 56K/Frac T1/ISDN
>that they'd be interested in a less expensive alternative.)
>Steve at AZTech.Net

To a certain extent, I think this is (or should be!) VERY MUCH "on topic." If our goal is to allow/assist privacy, we need to start actually anticipating technological developments so that we can do "minor course corrections" that will end up guaranteeing unbreakable security. One of these is by routing data through organizations (NOT THE PHONE CO!) that won't tend to kow-tow to the wishes of the government.

We know that if this telephone-company bypass is done, it can either be done "right" (from a cypherpunks standpoint; so that it's including encryption, etc) or "wrong." If we don't plan ahead, it will almost certainly be done "wrong." Witness the fact that the vast majority of modems contain no encryption standard, for example. If USR or somebody else had mandated it in 1982 with 2400 bps modems, we might all be talking on encrypted lines already.

And as you pointed out, this is especially important if RF is the medium-of-choice for connections. We should definitely make a serious amount of contact with people working on the PCS standards to ensure that GOOD encryption is included.

From fc at all.net Wed Jan 3 09:41:13 1996
From: fc at all.net (Fred Cohen)
Date: Thu, 4 Jan 1996 01:41:13 +0800
Subject: Foiling Traffic Analysis
In-Reply-To: <199601030421.XAA29402@clark.net>
Message-ID: <9601031202.AA18524@all.net>

You seem to be missing an important point about foiling traffic analysis. It is essentially the same problem as the covert channel problem and its solution has the same challenges - it consumes a great deal in the way of resources.

In order to eliminate traffic analysis, you essentially have to always use the full bandwidth available (although you can have pseudo-random burst behaviors).
This in turn means that instead of gaining the low cost resulting from sharing bandwidth, you end up having far more utilization and (depending on what portion of the world does this) increasing the price of the resource. So it costs a lot more and uses a great deal of bandwidth.

-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

From stend at cris.com Wed Jan 3 10:02:49 1996
From: stend at cris.com (Sten Drescher)
Date: Thu, 4 Jan 1996 02:02:49 +0800
Subject: Chinese Cypherpunk quote [NOISE]
In-Reply-To:
Message-ID: <557mz96uc7.fsf@galil.austnsc.tandem.com>

dlv at bwalk.dm.com (Dr. Dimitri Vulis) said:

DV> Corey Bridges writes:
>> To reply simply: Wrong -- the will of the people is as fickle as the
>> wind. Follow the will of the people, and you run your country by
>> following fads. Mob rule and all that. We're in deep trouble if we
>> ever get a true democracy.

DV> One of the things Adolph Hitler and Bill Clinton have in common is
DV> that both were democratically elected leaders.

That, and that the elections were bad decisions, without much better alternatives at the time );. But as much as I dislike Clinton, I think that that's about as far as a comparison can go.

--
#include /* Sten Drescher */
To get my PGP public key, send me email with your public key and Subject: PGP key exchange
Key fingerprint = 90 5F 1D FD A6 7C 84 5E A9 D3 90 16 B2 44 C4 F3
Junk email is NOT appreciated. If I want to buy something, I'll find you.

From jimbell at pacifier.com Wed Jan 3 10:17:37 1996
From: jimbell at pacifier.com (jim bell)
Date: Thu, 4 Jan 1996 02:17:37 +0800
Subject: Guerilla Internet Service Providers (fwd)
Message-ID:

At 09:08 AM 1/3/96 -0600, you wrote:
>
>> As a ham, too (N7IJS) I recognize your implicit selection of 2m or 450 MHz.
>> But I gently object to this, for reasons that I think will be obvious.
>
>I was thinking of the itinerant frequencies around 151 MHz, but the
>bandwidth would be limited. I wasn't thinking of amateur frequencies,
>but my fingers sometimes have a mind of their own ;)

Interestingly enough, my primary objection was NOT really commercial encroachment on an existing amateur structure (though that is an important consideration!); rather, it was the fact that because we're talking really short-range communication (way less than a kilometer, in most cases) using frequencies below a gigahertz would be a counter-productive shame. Here, we WANT "line of sight"! And, of course, the bandwidth issue is inherently better: It would be FAR easier to get 100 MHz width at around 2.5 GHz than under 1 gig!

>> First, technology has been marching on in the last 10-20 years, and
>> communications frequencies of 2 GHz and more are technically do-able and
>> comparatively empty. (and with modern IC technology, even easy)
>
>I'd love to see plans (or used commercial gear) able to do this - I've
>got a point-to-point application that I'd love to set up ...

I get a free (bingo-card) magazine industry magazine called "Microwaves and RF," which is sort of the EDN for the high-frequency communication crowd. You'd be amazed at the level of technical (chip) development there. Chip sets that do frequency synthesis/full RF/IF on surface mount chips.

Jim Bell, N7IJS

(BTW, I use Eudora, and I have PGP. Could somebody explain how to PGP-sign messages, ideally EASILY?)

From stend at cris.com Wed Jan 3 10:29:08 1996
From: stend at cris.com (Sten Drescher)
Date: Thu, 4 Jan 1996 02:29:08 +0800
Subject: 2047 bit keys in PGP
In-Reply-To: <2.2.16.19960103035752.3e0fe0d8@terminus.storm.net>
Message-ID: <5568et6trn.fsf@galil.austnsc.tandem.com>

"Douglas F. Elznic" said:

DE> What is the deal with the 2047 bit keys? How do you produce one? IS
DE> it compatible with international versions?

When you do 'pgp -kg', you are asked to pick a PGP key size, and given 3 preselected sizes.
You can select one of the sizes, or enter your own choice. Actually, the pgp source will allow 2048, but there is a bug in the DOS version (from the compiler) that limits that one to 2047. The international version is identical to the domestic one, except for the RSA code, so everything is interoperable. There is a hacked version that allows 4096 bit keys, and the supersized keys are incompatible. -- #include /* Sten Drescher */ To get my PGP public key, send me email with your public key and Subject: PGP key exchange Key fingerprint = 90 5F 1D FD A6 7C 84 5E A9 D3 90 16 B2 44 C4 F3 Junk email is NOT appreciated. If I want to buy something, I'll find you. From frissell at panix.com Wed Jan 3 10:34:14 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 4 Jan 1996 02:34:14 +0800 Subject: Compuserve *hasn't* banned newsgroups Message-ID: <2.2.32.19960103180226.006a9ffc@panix.com> At 05:30 PM 1/3/96 +0100, Anonymous wrote: > If you do this, you'll find out very quickly just how empty (or at >least how slippery) slogans like "the Internet routes around censorship" >are: if your efforts pay off and you steer even a fraction of CIS's >traffic toward the remaining open newsservers, they'll close faster than >you can say "alt." So before you do it, think about how the net will route >around sysops closing their servers off from the net. > >Hieronymous You mean that the thirty-some odd open news servers listed on http://dana.ucc.nau.edu/~jwa/open-sites.html might get swamped. Then the CIS refugees will be forced to pay Sameer the massive $12.50 (?) a month for a net-access-only account and read off of c2.org's server. (Or any of the thousands of sites worldwide one can open a shell account on.) 
DCF From frantz at netcom.com Wed Jan 3 10:40:51 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 4 Jan 1996 02:40:51 +0800 Subject: Guerilla Internet Service Providers (fwd) Message-ID: <199601031815.KAA15424@netcom5.netcom.com> At 23:33 1/2/96 -0800, Lucky Green wrote: Previous exchanges deleted... >Infrared and laser are not very reliable between buildings during fog. >Between your house and your neighbor, a low cost 900MHz bridge would be the >best way to go. On such short distances, an omni-directional antenna will >work just fine. Check out Solectek (cheaper) or Cylink (faster). Both offer >DES link encryption. With a tightly focused beam (light is easy, I don't know about lower frequencies), you can prevent interception except by very obvious physical devices. (e.g. Someone in a cherry picker truck.) You may be able to avoid the need to encrypt the link (and all the paranoia about key management, advances in factoring etc. that that implies.) Bill ----------------------------------------------------------------- Bill Frantz Periwinkle -- Computer Consulting (408)356-8506 16345 Englewood Ave. frantz at netcom.com Los Gatos, CA 95032, USA From alano at teleport.com Wed Jan 3 10:41:11 1996 From: alano at teleport.com (Alan Olsen) Date: Thu, 4 Jan 1996 02:41:11 +0800 Subject: Windows Eudora and PGP Message-ID: <2.2.32.19960103182405.00946468@mail.teleport.com> At 09:43 AM 1/3/96 -0800, Jim Bell wrote: >(BTW, I use Eudora, and I have PGP. Could somebody explain how to PGP-sign >messages, ideally EASILY?) I use Eudora as well. It is not as easy as I would like. You have a couple of options: 1) Use cut-and-paste into Private Idaho. Private Idaho will allow you to paste back into Eudora. (Or you can send out from Private Idaho directly.) This option is useful because it supports nyms and chaining of remailers. 2) Get one of the standard Windows PGP shells and paste into that. After signing, you will have to repaste into Eudora again. 
These seem to be the only options. I am not certain if there is a standard DDE or OLE interface that could be used to feed message information back and forth between Eudora and some other app. There have been a number of promises of Eudora/PGP integration, but nothing has materialized yet. There are no easy answers I know of... If you need a copy of Private Idaho, I can point you to a web site or bring a copy along to the meeting on the 20th. Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "Governments are potholes on the Information Superhighway." - Not TCMay From nobody at flame.alias.net Wed Jan 3 10:51:24 1996 From: nobody at flame.alias.net (Anonymous) Date: Thu, 4 Jan 1996 02:51:24 +0800 Subject: Risks of writing a remailer Message-ID: <199601022345.AAA04572@utopia.hacktic.nl> What are the legal risks of writing (and releasing) a remailer, and what steps can an author go to to minimise any unwanted (legal or civil) attention ? ob. From frissell at panix.com Wed Jan 3 10:58:25 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 4 Jan 1996 02:58:25 +0800 Subject: Why Net Censorship Doesn't Work Message-ID: <2.2.32.19960102203505.006abc30@panix.com> At 02:13 PM 1/2/96 -0500, dmandl at panix.com wrote: >In other words: If people dump communism for capitalism, it shows how >the free market will always triumph, and if people dump capitalism for >communism, it shows how stupid and shortsighted humans are. Hmmmm... > > --Dave. > Remember the old Russian joke: What's the difference between capitalism and socialism? Capitalism is the exploitation of man by man and socialism is the exact reverse. From master at internexus.net Wed Jan 3 10:58:47 1996 From: master at internexus.net (Laszlo Vecsey) Date: Thu, 4 Jan 1996 02:58:47 +0800 Subject: 2047 bit keys in PGP In-Reply-To: <5568et6trn.fsf@galil.austnsc.tandem.com> Message-ID: > "Douglas F. 
Elznic" said: > > DE> What is the deal with the 2047 bit keys? How do you produce one? IS > DE> it compatible with international versions? > > When you do 'pgp -kg', you are asked to pick a PGP key size, and > given 3 preselected sizes. You can select one of the sizes, or enter > your own choice. Actually, the pgp source will allow 2048, but there is > a bug in the DOS version (from the compiler) that limits that one to > 2047. The international version is identical to the domestic one, > except for the RSA code, so everything is interoperable. There is a > hacked version that allows 4096 bit keys, and the supersized keys are > incompatible. Are you sure it's a bug in the DOS version? When I did a pgp -kg in my UNIX shell (US version 2.6.2) I also entered 2048 bits and it too created a 2047 bit key instead. Why is there a limit to the size of the key anyway? It's too bad PGP doesn't support any size key (within reason). From ses at tipper.oit.unc.edu Wed Jan 3 11:00:37 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Thu, 4 Jan 1996 03:00:37 +0800 Subject: Guerilla Internet Service Providers In-Reply-To: <199601021435.IAA10484@cdale1.midwest.net> Message-ID: On Tue, 2 Jan 1996, Jason Rentz wrote: > > All you need to do is go to your nearest junkyard and get an old used > satellite, contract Russia to send it up for you for the price of an e-mail > account or somethin' and away you go. :) > [Why am I taking this seriously? :-)] Make sure that the person you talk to in Russia is actually allowed to sell you the launch system first; a few years ago there were a lot of people trying to sell the stuff on, some of whom were even authorised. Simon From grafolog at netcom.com Wed Jan 3 11:02:46 1996 From: grafolog at netcom.com (Jonathan Blake) Date: Thu, 4 Jan 1996 03:02:46 +0800 Subject: Netcom censoring alt.* ? 
In-Reply-To: <199601021625.LAA04725@ritz.mordor.com> Message-ID: On Tue, 2 Jan 1996, Mark Hittinger wrote: > Now if there was only a way to tie the scientology thing in with the alt.* > censorship conspiracy. There is. Netcom is a repentant squirrel. To ensure that Netcom will never ever deliver anything which offends Co$, Netcom has deleted all alt.* newsgroups. xan jonathon grafolog at netcom.com From mianigand at unique.outlook.net Wed Jan 3 11:06:30 1996 From: mianigand at unique.outlook.net (Michael C. Peponis) Date: Thu, 4 Jan 1996 03:06:30 +0800 Subject: What to do about Germany Message-ID: <199601030019.SAA23577@unique.outlook.net> What the German government threatened to do was inexcusable, but something can be done about it. The way that mail and postings are handled, it is possible to trash mail and posting coming or going to a certain destination. This is censorship, but maybe the members of the government have justified such an action. If they can censor others, should others not be able to censor them? That's one of the beauties of the electronic age, the only thing that matters is intelligence, numbers or political power have negligible effects. Are the German authorities worthy of such a reaction? Have they crossed the line? If they have, maybe they can serve as the example of what happens when a group of people attempt to force their will on others. Regards, Michael Peponis PGP Key Available from MIT Key Server From tcmay at got.net Wed Jan 3 11:07:17 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 4 Jan 1996 03:07:17 +0800 Subject: Foiling Traffic Analysis Message-ID: At 4:35 AM 1/2/96, Jon Lasser wrote: >The potential for traffic analysis is the danger here. If an "FBI >International Data Laundering Expert" testifies in court that said data >came from a site known to be frequented solely by so-and-sos, all the >strong crypto in the world won't stop the average jury from convicting you. 
> >Carl Ellison (among others, I'm sure) has suggested various means of >foiling traffic analysis among a group of trusted conspirators, using a >token-ring-like routing scheme. I'm not completely convinced that it's >robust enough, but a variation on it is probably adaptable. How does this differ from Dining Cryptographers approaches? --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From shamrock at netcom.com Wed Jan 3 11:11:21 1996 From: shamrock at netcom.com (Lucky Green) Date: Thu, 4 Jan 1996 03:11:21 +0800 Subject: Guerilla Internet Service Providers (fwd) Message-ID: At 9:43 1/3/96, jim bell wrote: >Interestingly enough, my primary objection was NOT really commercial >encroachment on an existing amateur structure (though that is an important >consideration!); rather, it was the fact that because we're talking really >short-range communication (way less than a kilometer, in most cases) using >frequencies below a gigahertz would be a counter-productive shame. Here, we >WANT "line of sight"! And, of course, the bandwidth issue is inherently >better: It would be FAR easier to get 100 MHz width at around 2.5 GHz than >under 1 gig! There are several vendors offering 2.4GHz wireless with ranges up to 20 miles. Though the 900MHz stuff is much cheaper. Unless you have a pager cell on your roof, 900MHz should serve you fine. >I get a free (bingo-card) magazine industry magazine called "Microwaves and >RF," which is sort of the EDN for the high-frequency communication crowd. 
>You'd be amazed at the level of technical (chip) development there. Chip >sets that do frequency synthesis/full RF/IF on surface mount chips. If you don't want to build your own, there are various vendors that use the NEC 900MHz bridge card in their products. Or just buy the card, get an old 486, and round up the software from someone. >(BTW, I use Eudora, and I have PGP. Could somebody explain how to PGP-sign >messages, ideally EASILY?) Assuming Eudora for Mac: Download MacPGP Control. -- Lucky Green PGP encrypted mail preferred. From jk at digit.ee Wed Jan 3 11:11:29 1996 From: jk at digit.ee (Jyri Kaljundi) Date: Thu, 4 Jan 1996 03:11:29 +0800 Subject: Starting an e-cash bank In-Reply-To: <199512302305.SAA20998@netaxs.com> Message-ID: On Sat, 30 Dec 1995, Ryan Lackey wrote: > What would it take to start an anonymous, private, secure, etc. etc. bank > issuing e-cash, located in a country without taxes/etc.? I think this idea of a new e-cash bank or other kind of financial institution sounds very good. I have been thinking of the same thing here in Estonia, to set up a financial institution issuing e-cash for people here, but I think this would not in any way be an easy task. I am not very familiar with local legislation about financial and credit institutions, but I know that at least for banks the minimum equity capital or what you call it must be 50 million Estonian kroons (4 million US dollars). But I still think that for issuing e-cash and opening e-cash accounts you might not need to have such kind of capital. What does it take to be called a bank? And how easy is it to start a bank in some Caribbean country or similar tax haven? What are the minimum requirements? 
Juri Kaljundi jk at digit.ee Digiturg http://www.digit.ee/ From jsimmons at goblin.punk.net Wed Jan 3 11:11:45 1996 From: jsimmons at goblin.punk.net (Jeff Simmons) Date: Thu, 4 Jan 1996 03:11:45 +0800 Subject: Guerilla Internet Service Providers Message-ID: <199601030032.QAA00749@goblin.punk.net> -----BEGIN PGP SIGNED MESSAGE----- Jim Bell writes: >It seems to me that phone line costs are turning into a floor price for >Internet access, when they shouldn't really be. The main asset telephone >companies have, right now, is in RIGHTS OF WAY. Put an ISP in a business >park that allows you to run your own dedicated copper pairs, and you've >bypassed $25/month/line business phone line charges. > >At some point, individual urban and suburban blocks could easily be >"guerilla re-wired" for ISP access without serious trenching, etc. The >phoneco would still be involved, but in a far lower-profit mode, as the >supplier of a single T1 to a multi-block area. That's assuming the phoneco cooperates. Punknet is a 'Guerilla ISP'. Twenty of us share a 128k ISDN line, distributed via high-speed modems. It's been running fine for over a year now, but Pacific Bell has evidently decided to get rid of us. How? Simply by refusing to either repair or replace our 25 pair trunk line, which is rapidly degrading. We've offered to replace it ourselves, but according to them, it's illegal. Right now, we've got three dead lines, and two others that only will do 1200 baud. We've been told that what they're doing is probably illegal, but it's the old problem: Where does an 800 lb. gorilla sleep? We're fighting this like all hell, but who knows? After they get rid of us, I wonder who's next ... 
- -- Jeff Simmons jsimmons at goblin.punk.net -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOnOnuL8IP70uJJBAQF3EwP9He5bWGBRcYv3LZDAB7XJt34zr+Pi/WWp a2NjFdDuxxc7VwO1tcSvqq+PX23OtJnay9yWkcpRBUissyJ5CPzqGQv4dX8vqN0R F1EK8zTSuEnQpiMVSqduknusVeQYOq2tP6b+iDtGKgCu2veDSLS10SY82qOPmQ8j OjxkfDcxJjI= =xJeV -----END PGP SIGNATURE----- From vince at offshore.com.ai Wed Jan 3 11:15:52 1996 From: vince at offshore.com.ai (Vincent Cate) Date: Thu, 4 Jan 1996 03:15:52 +0800 Subject: Compuserve *hasn't* banned newsgroups In-Reply-To: Message-ID: It seems to me that posting this widely on Compuserve (or at least on alt.online-service.compuserve) and then contacting CNN and making comments about how "the Internet interprets censorship as damage and routes around it" is the best way to handle this. We want the public to get the idea that censorship does not work on the Internet. Are you up for this Duncan? Or do you want to call for a volunteer, or should this get posted anonymously. :-) Seems better if someone does it who is willing to talk to reporters, and who is a Compuserve user. Makes a better story on TV etc. -- Vince Duncan: > I grabbed a copy of the Free Agent newsreader: > > http://www2.interpath.net/forte/agent/freagent.htm > [...] > I grabbed the latest list of open NNTP Servers from: > > http://dana.ucc.nau.edu/~jwa/open-sites.html From cg at bofh.cdg.openlink.co.uk Wed Jan 3 11:15:55 1996 From: cg at bofh.cdg.openlink.co.uk (Cees de Groot) Date: Thu, 4 Jan 1996 03:15:55 +0800 Subject: What to do about Germany In-Reply-To: <199601030019.SAA23577@unique.outlook.net> Message-ID: <199601031052.LAA09691@bofh.cdg.openlink.co.uk> > > What the German government threatened to do was inexcusable, but > something can be done about it. > Sorry, but the "German government" did not threaten to do anything at all. A (conservative-ish) prosecutor started an _investigation_, which in his eyes was nothing more than executing the law (and sorry, that's what the guy is paid for). 
If the German government did something wrong, it was accepting a law for the protection of minors (Jugendschutzgesetz), which says that minors should not be allowed to have access to booze, dope and porno. Please tell me such laws do not exist in your country... If anything, this whole business will be one step in the correct direction: - Either some modus operandum is found which makes it clear for everybody how to offer pornographic material and comply with the law at the same time (cf. the First Virtual account ID's you have to enter at all those sites pointing to www.infohaus.com - in the US, this modus operandum seems to be ``proof of having a credit card''); - Or the German Government learns about the lack of frontiers on the Net, and gives up (which is highly improbable). I think the first point is most realistic (especially when considering that German prosecutors don't have the option of not prosecuting when they hear about a felony, like for example Dutch prosecutors). Given my experience with the German government, however, it will take some time for them to realize that they need a set of rules in this area. -- Cees de Groot, OpenLink Software 262ui/2048: ID=4F018825 FP=5653C0DDECE4359D FFDDB8F7A7970789 [Key on servers] -- Any opinions expressed above might be mine. From nobody at REPLAY.COM Wed Jan 3 12:11:27 1996 From: nobody at REPLAY.COM (Anonymous) Date: Thu, 4 Jan 1996 04:11:27 +0800 Subject: Compuserve *hasn't* banned newsgroups Message-ID: <199601031920.UAA08670@utopia.hacktic.nl> -----BEGIN PGP SIGNED MESSAGE----- Duncan Frissell 1/3/96 1:02 PM: >You mean that the thirty-some odd open news servers listed on >http://dana.ucc.nau.edu/~jwa/open-sites.html might get swamped. Then the >CIS refugees will be forced to pay Sameer the massive $12.50 (?) a month for >a net-access-only account and read off of c2.org's server. (Or any of the >thousands of sites worldwide one can open a shell account on.) 
CIS refugees aren't the only people who use or need free NNTP servers: > Here's what you can do for $208: get a used XT with two floppy drives for > $70; a 2400-baud internal modem (new at a local computer show) for $18 > (it comes with free communications software); and an e-mail and Usenet > news-reading account for $10 per month. Sound familiar? Hieronymous -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQBVAwUBMOrWzb3g0mNE55u1AQEH5AH8D6P1BPIMpLTq0JWiwLz3na4Rgv3QeymK zeNbKnbtyDkJ2h9MW8+GiPKY7uOsdZsU34eOdFtmP7/+OV0naO8AAw== =fAWj -----END PGP SIGNATURE----- From mianigand at unique.outlook.net Wed Jan 3 12:11:53 1996 From: mianigand at unique.outlook.net (Michael C. Peponis) Date: Thu, 4 Jan 1996 04:11:53 +0800 Subject: What to do about Germany Message-ID: <199601031913.NAA11851@unique.outlook.net> On Wed, 3 Jan 1996 11:52:34 +0100 (MET) Cees de Groot wrote >> What the German government threatened to do was inexcusable, but >> something can be done about it. >Sorry, but the "German government" did not threaten to do anything at >all. A (conservative-ish) prosecutor started an _investigation_, which >in his eyes was nothing more than executing the law (and sorry, >that's what the guy is paid for). So what does the above paragraph mean, it was not the government that threatened, it was a prosecutor who was acting on behalf of the government to enforce the laws of that body which is what he is paid to do. Gee, that's what I said, only a lot more complicated and detailed. In the end, the party at fault is some division of the German government, the prosecutor is not an individual person acting on his/her own behalf. >If the German government did something wrong, it was accepting a law >for the protection of minors (Jugendschutzgesetz), which says that >minors should not be allowed to have access to booze, dope and porno. But that's a GERMAN law, the Internet is an INTERNATIONAL community. 
If we have to respect the laws of Germany, and their customs and archaic belief systems, then we have to give the same consideration to any other country's backwards, morality-based, mentality. There are hundreds of countries on the planet, most of them backwards. Respect everybody's sense of decency and right and wrong and nobody will be able to transmit anything the least bit vulgar because it would violate some country's law somewhere on the planet. >Please tell me such laws do not exist in your country... They do exist, but I have been breaking them since 13, I don't care to be protected by some "moral" and "ethical" person, I can decide for myself what I can and can not do. >If anything, this whole business will be one step in the correct >direction: >- Either some modus operandum is found which makes it clear for >everybody > how to offer pornographic material and comply with the law at the > same time (cf. the First Virtual account ID's you have to enter at > all those sites pointing to www.infohaus.com - in the US, this >modus > operandum seems to be ``proof of having a credit card''); That's just brilliant, exchange one evil for another. Instead of censorship, we take away people's rights to autonymity and privacy. Sorry, not an option. > Or the German Government learns about the lack of frontiers on the >Net, and gives up (which is highly improbable). Or they can be given consequences for their actions. Let it be known that people will not tolerate them enforcing their laws on everybody. The weaker any government, the more ineffective it is in imposing its will, the better off individuals are. >considering that German prosecutors don't have the option of not >prosecuting when they hear about a felony, like for example Dutch >prosecutors. No the prosecutor does not have a choice, that's why you attack the people that make the laws, or the governing body as a whole. They try to impose their will on me, I will unleash my dirty tricks on them. Fair is fair. 
I have the ability to impose my will on others, I have done so when certain persons have gotten on my nerves by posting things to newsgroups that were blatantly off topic and they had been told and warned about it on several occasions. But when you go to a sexually explicit newsgroup, what do you think you will find, what is the purpose of such a group? Protection of children is a parent's responsibility, if they can't handle that responsibility, that is their problem, not mine. >Given my experience with the German government, >however, it will take some time for them >to realize that they need >a set of rules in this area. Again, that is Germany's problem, not mine, make it an issue and suffer the consequences. -- >OpenLink Software Tell Kinsley I said hello Regards, Michael Peponis PGP Key Available from MIT Key Server From cp at proust.suba.com Wed Jan 3 12:21:59 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Thu, 4 Jan 1996 04:21:59 +0800 Subject: Compuserve *hasn't* banned newsgroups In-Reply-To: <2.2.32.19960103180226.006a9ffc@panix.com> Message-ID: <199601031919.NAA02071@proust.suba.com> > You mean that the thirty-some odd open news servers listed on > http://dana.ucc.nau.edu/~jwa/open-sites.html might get swamped. Then the > CIS refugees will be forced to pay Sameer the massive $12.50 (?) a month for > a net-access-only account and read off of c2.org's server. (Or any of the > thousands of sites worldwide one can open a shell account on.) And if the feds come knocking on Sameer's door, the refugees can go to the Netherlands or some other country with respect for privacy. When netscape releases an official, untimed browser with ssl news and mail built in, one that lets users pick their own CAs, we'll have reached escape velocity. I think this all comes back to anarchy. Anarchy as it relates to cyberspace isn't a political ideology or a vision of how things ought to be. 
Rather it's a realistic analysis of the net dynamic as it is, a natural and almost unavoidable consequence of the interaction of the market and the technology. Our opponents' position is weak, despite their having the massive power of the government behind them. In order for them to pull out a victory, they'll have to impose extraordinarily draconian restrictions on crypto very quickly, and they'll have to do it in the face of overwhelming public opposition as well as strong resistance from business. On top of that, they'll have to secure an unprecedented degree of international cooperation to enforce rules net wide, something that's probably going to prove impossibly difficult for them. Again, they've got to do this quickly, because genies are popping out of bottles all over the place. It's not impossible for them to pull this off, but I think the smart money's with us. From andr0id at midwest.net Wed Jan 3 12:36:37 1996 From: andr0id at midwest.net (Jason Rentz) Date: Thu, 4 Jan 1996 04:36:37 +0800 Subject: Unmuzzy Explained Message-ID: <199601031924.NAA24001@cdale1.midwest.net> >So is the idea beyond this that if file or a group of files were to >be distributed over many computers (possibly hundreds or more) then >none of the computers would be "responsible" for their content? I would >think that any participant in the network would have to claim full >responsibility for the content, assuming the file(s) could be accessed >from any of the participating servers. > Okay. So what if several groups of computers, in public FTP directories, allowed anonymous ftp uploads of "parts" of a file that would be construed as bad content. The only way to assemble the file is to download several parts of it from several different servers and assemble the file on your system. Thus the illegal file isn't illegal until its assembled. Sorta like switchblade knives. Lots of places can sell the parts legally, they just can't sell the assembled product. 
Would the servers that contain "parts" of the file be responsible for the content? (andr0id at midwest.net callsign: N9XLM) ( Computer Consulting & Management ) (P.O. Box 421 Cambria, IL 62915-0421) From cp at proust.suba.com Wed Jan 3 12:50:22 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Thu, 4 Jan 1996 04:50:22 +0800 Subject: Starting an e-cash bank In-Reply-To: Message-ID: <199601031925.NAA02085@proust.suba.com> > What does it take to be called a bank? Is it necessary to be called a bank? I've got a storefront in Chicago. What would prevent me from opening up a Mark Twain account and buying and selling ecash on floppies, in person? Do account holders have to agree not to do that before Mark Twain gives them an account? Is it illegal? The currency exchange model almost seems more appropriate for most users than the bank model. 
From shamrock at netcom.com Wed Jan 3 13:17:56 1996 From: shamrock at netcom.com (Lucky Green) Date: Thu, 4 Jan 1996 05:17:56 +0800 Subject: Foiling Traffic Analysis Message-ID: At 7:02 1/3/96, Fred Cohen wrote: >You seem to be missing an important point about foiling traffic >analysis. It is essentially the same problem as the covert channel >problem and its solution has the same challenges - it consumes a great >in the way of resources. In order to eliminate traffic analysis, you >essentially have to always use the full bandwidth available (although >you can have pseudo-random burst behaviors). This in turn means that >instead of gaining the low cost resulting from sharing bandwidth, you >end up having far more utilization and (depending on what portion of the >world does this) increasing the price of the resource. So it costs a >lot more and uses a great deal of bandwidth. You are correct. A network of encrypted links that always move packets at full bandwidth is the basis of Wei Dai's Pipenet. If anyone ever codes this, I am willing to sponsor a node. Other nodes may be set up if some payment mechanism using Ecash is integrated with the system. -- Lucky Green PGP encrypted mail preferred. From nobody at REPLAY.COM Wed Jan 3 13:50:31 1996 From: nobody at REPLAY.COM (Anonymous) Date: Thu, 4 Jan 1996 05:50:31 +0800 Subject: Compuserve *hasn't* banned newsgroups Message-ID: <199601031630.RAA03391@utopia.hacktic.nl> -----BEGIN PGP SIGNED MESSAGE----- Vincent Cate, 1/3/96 10:41 AM: >It seems to me that posting this widely on Compuserve (or at least on >alt.online-service.compuserve) and then contacting CNN and making comments >about how "the Internet interprets censorship as damage and routes around >it" is the best way to handle this. We want the public to get the idea >that censorship does not work on the Internet. 
If you do this, you'll find out very quickly just how empty (or at least how slippery) slogans like "the Internet routes around censorship" are: if your efforts pay off and you steer even a fraction of CIS's traffic toward the remaining open newsservers, they'll close faster than you can say "alt." So before you do it, think about how the net will route around sysops closing their servers off from the net. Hieronymous -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQBVAwUBMOqvAb3g0mNE55u1AQGG1AH/cGlgviaPIn2oDQ+QS7HJdkyeo0sRmHEO ALtF08CmBIPK4hqcxd/3ESWi7IwoaJtEPyAMvwigPtvdTxO/q4ubMg== =H5rs -----END PGP SIGNATURE----- From tedwards at Glue.umd.edu Wed Jan 3 13:50:35 1996 From: tedwards at Glue.umd.edu (Thomas Grant Edwards) Date: Thu, 4 Jan 1996 05:50:35 +0800 Subject: Guerilla ISPs Message-ID: On LECs attacking ISPs, it is interesting to note that several medium-sized ISPs in Maryland which have over 100 phone lines are now getting them delivered by fiber direct to the ISP. This is nothing new - what is news is that some of these fiber setups use a form of SLC-96 systems which are incapable of carrying data traffic over 21 kbps with modern 28.8 kbps modems. Nobody knew what the problem was for a long time, until finally Bell Atlantic admitted that there were some bandwidth limitations in some SLC-96 setups. They went on to note that the tariff required them to carry only acceptable voice and 4800 bps communication, nothing more, and that these ISPs were basically stuck with substandard lines. The ISPs involved are now looking into alternative local dialtone, but it is few and far between. Bell Atlantic is looking to get into the Internet business...perhaps they will engineer their own dialups properly, while giving low-data-rate fiber connections to ISPs? And on the radio-last-mile service, I used to be enthusiastic about it, but I am no more. 
It is pretty impractical to discuss VHF or UHF frequencies for real net connectivity, there just isn't enough bandwidth to be practical. 900 MHz and higher appear to be the best solution, using CDMA spread-spectrum in a microcellular environment. Metricom (http://www.metricom.com) has CDMA microcellular modems which get 14.4 kbps equivalent throughput in the 900 MHz region, and they have a large microcellular network already set up in the Bay Area with Internet connectivity. Once 2 GHz technology becomes cheap enough (that's GaAs chips instead of Si), I can imagine wide-scale 56kbps service over microcellular networks. But how can these things compete with @Home, which is promising 10 Mbps in and 128 kbps out of homes with cable modems? -Thomas Edwards From ses at tipper.oit.unc.edu Wed Jan 3 14:13:06 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Thu, 4 Jan 1996 06:13:06 +0800 Subject: Guerilla Internet Service Providers In-Reply-To: Message-ID: On Tue, 2 Jan 1996, Mark Grant, M.A. (Oxon) wrote: > About ten years ago a group I was involved with were thinking about > putting something into space as a publicity stunt. One company we talked > to claimed they could put 1 kg into orbit on one of their sounding rockets > for about $ 30,000 (that's a 1 kg satellite, not $ 30,000 per kg). How Hey! I've just had an epiphany. HOTOL promised much cheaper costs to put things in LEO. The initial design was finished and tested, but nobody would provide the funds for the second round or implementation (probably because it wasn't French enough :) Nowadays, anything involving the Internet automatically gets ridiculous levels of funding. If we can just get John Markoff or Walter Mossberg to declare HOTOL to be an Internet Technology they'll be able to use banknotes as heat shields. Simon Spero, BSc.
Eng, ACGI {Ok, this whole thread is noise - I'm up to my eyeballs doing PKCS in java, and I canna take no more :)} From koontz at MasPar.COM Wed Jan 3 14:18:29 1996 From: koontz at MasPar.COM (David G. Koontz) Date: Thu, 4 Jan 1996 06:18:29 +0800 Subject: US calls for measures against Internet porn Message-ID: <9601032009.AA01109@argosy.MasPar.COM> >> WASHINGTON DC (Reuter) - The US called Sunday for improved >>management of the Internet to prevent people seeing pornographic >>material on the world computer network. I feel so much better, having the burden of deciding what I can see or read lifted from my weary shoulders. Maybe a ban on politicians appearing in the media? (Some might consider it an obscenity.) From stend at cris.com Wed Jan 3 14:22:07 1996 From: stend at cris.com (Sten Drescher) Date: Thu, 4 Jan 1996 06:22:07 +0800 Subject: 2047 bit keys in PGP In-Reply-To: Message-ID: <5520ph6naq.fsf@galil.austnsc.tandem.com> Laszlo Vecsey said: LV> Are you sure it's a bug in the DOS version? When I did a pgp -kg in LV> my UNIX shell (US version 2.6.2) I also entered 2048 bits and it too LV> created a 2047 bit key instead. I had heard elsewhere that there was such a bug. My mistake, then. LV> Why is there a limit to the size of the key anyway? It's too bad PGP LV> doesn't support any size key (within reason). As I understand it (which, given my previous error, is in serious doubt), after a point the IDEA session keys become far easier to use a brute force attack on than the RSA keypair. Since I think that increasing the RSA keysize is supposed to double the attack time, if a RSA key size of N takes as much time to break as 1 IDEA key, making the RSA key N+8 bits makes it better to break the IDEA keys of 200 messages rather than the RSA key. Does anyone know if there are comparisons of estimates of the time to break the IDEA session keys used in PGP vs time to break RSA keys of various sizes? 
-- #include /* Sten Drescher */ To get my PGP public key, send me email with your public key and Subject: PGP key exchange Key fingerprint = 90 5F 1D FD A6 7C 84 5E A9 D3 90 16 B2 44 C4 F3 Junk email is NOT appreciated. If I want to buy something, I'll find you. From schneier at winternet.com Wed Jan 3 14:22:57 1996 From: schneier at winternet.com (Bruce Schneier) Date: Thu, 4 Jan 1996 06:22:57 +0800 Subject: Someone wanted to give PGP lecture at CSI conference Message-ID: <199601032007.OAA26735@parka> I'm looking, on behalf of the Computer Security Institute, for someone who is willing to give a 1.5 hour PGP primer at their summer conference in SF. They don't pay, but they will give you free admission into the conference (and two bad hotel conference meals). I speak at their conferences; they're not a bad lot. Interested parties should email me directly. Bruce ************************************************************************** * Bruce Schneier * Counterpane Systems For a good prime, call 391581 * 2^216193 - 1 * schneier at counterpane.com ************************************************************************** From merriman at arn.net Wed Jan 3 14:22:59 1996 From: merriman at arn.net (David K. Merriman) Date: Thu, 4 Jan 1996 06:22:59 +0800 Subject: FCC require ISDN? Message-ID: <2.2.32.19960103024025.00684b40@arn.net> At 07:46 PM 01/2/96 -0600, Jim Choate bespake thusly: >The FCC is enacting a new regulation that will cause every phone company to >provide 100% of their service areas with ISDN (you should have received some >kind of notice last week, I did). This also sets some minimum standards as >well as to the type and quality of service the phone company must provide. Citation?
Here in Amarillo, if it rains, the phone lines start caving in, and I'd like to beat up SWBT for ISDN service :-) Dave Merriman PS - sorry for posting this to the whole list, but couldn't get this past my ISP to Jim directly :-( ------------------------------------------------------------- "It is not the function of our Government to keep the citizen from falling into error; it is the function of the citizen to keep the Government from falling into error." Robert H. Jackson (1892-1954), U.S. Judge <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> My web page: http://www.geopages.com/CapitolHill/1148 From hal9001 at panix.com Wed Jan 3 14:38:58 1996 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Thu, 4 Jan 1996 06:38:58 +0800 Subject: Massey, CEO of Compuserve, on Internet Message-ID: At 23:03 1/2/96, John Goerzen wrote: >CompuServe is not location-dependent. The network operates exactly the >same regardless of calling location (indeed, the system doesn't even know >where you're calling from I believe). It is a worldwide CompuServe >Network that people use to access it. This network just allows dialups >and then gets the users connected to the CompuServe computers. The main >computers handle all traffic. They don't are location-independent, >making it impossible to block access based on location. CIS always knows where you are dialing in from. Here is the start of a typical connection (using the Mac Program NAVIGATOR). >0001NUH > >Host Name: CIS > >User ID: xxxxx,xxx/INT >Password: >[Navigator: Logged on] > >Welcome to CompuServe Information ServiceT01NUH @38400! > >Last access: Mon, Dec 18, 1995 23:11 >Connected to port CIS T01NUH @38400 That NUH identifies that I am calling in via a V34 Node in NYC and the T01 says I got the first modem on the Rotary. If CIS wanted to restrict access via the NYS nodes, that NUH would be an adequate flag to trigger this action.
From stend at cris.com Wed Jan 3 14:45:07 1996 From: stend at cris.com (Sten Drescher) Date: Thu, 4 Jan 1996 06:45:07 +0800 Subject: 2047 bit keys in PGP In-Reply-To: Message-ID: <55zqc557z8.fsf@galil.austnsc.tandem.com> (sorry if this is a duplicate) Laszlo Vecsey said: LV> Are you sure it's a bug in the DOS version? When I did a pgp -kg in LV> my UNIX shell (US version 2.6.2) I also entered 2048 bits and it too LV> created a 2047 bit key instead. I had heard elsewhere that there was such a bug. My mistake, then. LV> Why is there a limit to the size of the key anyway? It's too bad PGP LV> doesn't support any size key (within reason). As I understand it (which, given my previous error, is in serious doubt), after a point the IDEA session keys become far easier to use a brute force attack on than the RSA keypair. Since I think that increasing the RSA keysize is supposed to double the attack time, if a RSA key size of N takes as much time to break as 1 IDEA key, making the RSA key N+8 bits makes it better to break the IDEA keys of 200 messages rather than the RSA key. Does anyone know if there are comparisons of estimates of the time to break the IDEA session keys used in PGP vs time to break RSA keys of various sizes? -- #include /* Sten Drescher */ To get my PGP public key, send me email with your public key and Subject: PGP key exchange Key fingerprint = 90 5F 1D FD A6 7C 84 5E A9 D3 90 16 B2 44 C4 F3 Junk email is NOT appreciated. If I want to buy something, I'll find you. From shamrock at netcom.com Wed Jan 3 15:01:40 1996 From: shamrock at netcom.com (Lucky Green) Date: Thu, 4 Jan 1996 07:01:40 +0800 Subject: Starting an e-cash bank Message-ID: At 13:25 1/3/96, Alex Strasheim wrote: >> What does it take to be called a bank? > >Is it necessary to be called a bank?
To get a license for the bank software from DigiCash, you have to convince them that you are a major player in whatever country you are in or have to offer some exceptional additional value to the service. >I've got a storefront in Chicago. >What would prevent me from opening up a Mark Twain account and buying and >selling ecash on floppies, in person? You touched on a very important issue: the party converting currency into Ecash does not have to be the Ecash bank. There have been discussions that in the future one should be able to buy Ecash on floppy at the local supermarket, similar to today's prepaid calling cards. I certainly would like to see that happen rather sooner than later. It is my understanding that you would be welcome to issue MT Ecash for USD. Here is another business opportunity: MT Bank does not allow the purchase of Ecash by credit card, since they consider the risk of chargebacks unacceptable. This might be a market for a third party. >Do account holders have to agree >not to do that before Mark Twain gives them an account? Is it illegal? MT Bank doesn't mind. IANAL. -- Lucky Green PGP encrypted mail preferred. From tony at secapl.com Wed Jan 3 15:06:11 1996 From: tony at secapl.com (Tony Iannotti) Date: Thu, 4 Jan 1996 07:06:11 +0800 Subject: Massey, CEO of Compuserve, on Internet In-Reply-To: Message-ID: On Wed, 3 Jan 1996, Robert A. Rosenberg wrote: > CIS always knows where you are dialing in from. Here is the start of a > typical connection (using the Mac Program NAVIGATOR). > > >0001NUH > > > >Host Name: CIS > > > >User ID: xxxxx,xxx/INT > >Password: > >[Navigator: Logged on] > > > >Welcome to CompuServe Information ServiceT01NUH @38400! > > > >Last access: Mon, Dec 18, 1995 23:11 > >Connected to port CIS T01NUH @38400 > > That NUH identifies that I am calling in via a V34 Node in NYC and the T01 > says I got the first modem on the Rotory. 
If CIS wanted to restrict access > via the NYS nodes, that NUH would be an adequate flag to trigger this > action. Wouldn't this require some software routines added to check for this? I expect the decision to build or buy is what CIS is now weighing. Also, I would imagine that a German could always call a POP outside the country if they wanted to pay for it..... (note that I am still not in favor of the action, but these are probably CIS's considerations.) From jimbell at pacifier.com Wed Jan 3 15:07:10 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 4 Jan 1996 07:07:10 +0800 Subject: Windows Eudora and PGP Message-ID: At 10:24 AM 1/3/96 -0800, you wrote: >At 09:43 AM 1/3/96 -0800, Jim Bell wrote: > >>(BTW, I use Eudora, and I have PGP. Could somebody explain how to PGP-sign >>messages, ideally EASILY?) > >I use Eudora as well. It is not as easy as I would like. You have a couple >of options: > >1) Use cut-and-paste into Private Idaho. Private Idaho will allow you to >paste back into Eudora. (Or you can send out from Private Idaho directly.) >This option is useful because it supports nyms and chaining of remailers. > >2) Get one of the standard Windows PGP shells and paste into that. After >signing, you will have to repaste into Eudora again. > >These seem to be the only options. I am not certain if there is a standard >DDE or OLE interface that could be used to feed message information back and >forth between Eudora and some other app. There have been a number of >promises of Eudora/PGP integration, but nothing has materialized yet. [sigh] Just what I thought, no easy solutions. Well, for now I'll just skip signing; I haven't had any problem (that I know of...knock on silicon) with forged messages, and my normal posts are so enthusiastically anarchical and inflammatory that the only way anybody could really embarrass me is to forge a message, ostensibly from me, saying I agreed with some governmental activity somewhere.
>There are no easy answers I know of... > >If you need a copy of Private Idaho, I can point you to a web site or bring >a copy along to the meeting on the 20th. Please do... From sjb at universe.digex.net Wed Jan 3 15:08:14 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Thu, 4 Jan 1996 07:08:14 +0800 Subject: Guerilla Internet Service Providers (fwd) In-Reply-To: <199601031815.KAA15424@netcom5.netcom.com> Message-ID: <199601032143.QAA25385@universe.digex.net> Bill Frantz writes: >With a tightly focused beam (light is easy, I don't know about lower >frequencies), you can prevent interception except by very obvious physical >devices. (e.g. Someone in a cherry picker truck.) You may be able to >avoid the need to encrypt the link (and all the paranoia about key >management, advances in factoring etc. that that implies.) Key management problems? With someone across the street? You gotta be kidding. If you can't memorize the key (say with the S/Key key-to- phrase algorithm) and walk it across the street, write it on the back of an envelope, walk it over, re-key, and burn it. From iagoldbe at calum.csclub.uwaterloo.ca Wed Jan 3 15:37:30 1996 From: iagoldbe at calum.csclub.uwaterloo.ca (Ian Goldberg) Date: Thu, 4 Jan 1996 07:37:30 +0800 Subject: Starting an e-cash bank In-Reply-To: Message-ID: <4cf0qb$65h@calum.csclub.uwaterloo.ca> (Just about caught up to 2 weeks' worth of cypherpunks... That 'J' got quite a workout...) In article <199601031925.NAA02085 at proust.suba.com>, Alex Strasheim wrote: >> What does it take to be called a bank? > >Is it necessary to be called a bank? I've got a storefront in Chicago. >What would prevent me from opening up a Mark Twain account and buying and >selling ecash on floppies, in person? Do account holders have to agree >not to do that before Mark Twain gives them an account? Is it illegal? > >The currency exchange model almost seems more appropriate for most users >than the bank model.
Isn't that what Sameer announced in his latest(?) press release? c2.org has a MT account. c2.org customers don't. The customers receive ecash payments from the Net (for accessing their |<00|_ web pages) and give the payments to c2.org, which deposits them in its MT account, and credits the customer (minus a percentage? Lower than the customer would otherwise get from MT, but higher than c2.org (a merchant) is charged?). Did I get that right? - Ian From anonymous-remailer at shell.portal.com Wed Jan 3 15:39:25 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Thu, 4 Jan 1996 07:39:25 +0800 Subject: US calls for measures against Internet porn In-Reply-To: <9601032009.AA01109@argosy.MasPar.COM> Message-ID: <199601032247.OAA00603@jobe.shell.portal.com> My original post, "US calls for measures against Internet porn" was a satire. The entire point was that, by changing a few words in the "China calls for measures against Internet porn" story, a statement by a totalitarian communist regime could be made to look like official US policy. Obviously, the project was a success, as people are taking it seriously in spite of the fact that it had telltale clues, and that the original source was revealed. The exact changes were: BEIJING -> WASHINGTON DC China -> The US State Council -> Clinton administration's State Council Communist Party -> Republican Party Xinhua news agency -> the Associated Press personal computers in China -> modems in the US That's it. None of the actual words quoted from the statement were changed. Frightening, isn't it?
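Sten Drescher's question earlier in the "2047 bit keys in PGP" thread (how the cost of brute-forcing a 128-bit IDEA session key compares with breaking RSA keys of various sizes) can be worked through numerically. The following is an added example, not part of any post in this archive; it assumes the standard heuristic running time of the general number field sieve with its o(1) term dropped, and every function name in it is hypothetical.

```python
import math

IDEA_KEY_BITS = 128                     # IDEA session keys in PGP 2.x are 128 bits
GNFS_C = (64 / 9) ** (1 / 3)            # constant c in L_N[1/3, c] for the number field sieve


def gnfs_work_bits(modulus_bits: int) -> float:
    """log2 of the heuristic GNFS cost exp(c * (ln N)^(1/3) * (ln ln N)^(2/3)).

    The o(1) term of the asymptotic formula is dropped (an assumption), so the
    result is an order-of-magnitude guide, not a prediction of real effort.
    """
    ln_n = modulus_bits * math.log(2)
    exponent = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return exponent / math.log(2)


def growth_factor(modulus_bits: int, extra_bits: int) -> float:
    """How many times more GNFS work the modulus costs after adding extra_bits."""
    return 2 ** (gnfs_work_bits(modulus_bits + extra_bits) - gnfs_work_bits(modulus_bits))


def equivalent_modulus_bits(symmetric_bits: int, lo: int = 256, hi: int = 32768) -> int:
    """Smallest modulus size whose GNFS estimate reaches 2**symmetric_bits.

    gnfs_work_bits increases with the modulus size, so binary search applies.
    """
    if gnfs_work_bits(hi) < symmetric_bits:
        raise ValueError("target is outside the search range")
    while lo < hi:
        mid = (lo + hi) // 2
        if gnfs_work_bits(mid) >= symmetric_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo


def weakest_link(modulus_bits: int, symmetric_bits: int = IDEA_KEY_BITS) -> str:
    """Which half of a hybrid (RSA + session key) message is cheaper to attack."""
    return "RSA key" if gnfs_work_bits(modulus_bits) < symmetric_bits else "session key"


def comparison_table(sizes=(512, 1024, 2047, 2048, 3072, 4096)):
    """Rows of (modulus bits, estimated log2 work, cheaper target)."""
    return [(b, round(gnfs_work_bits(b), 1), weakest_link(b)) for b in sizes]


if __name__ == "__main__":
    for bits, work, target in comparison_table():
        print(f"RSA-{bits:<5} ~2^{work:<6} cheaper to attack: {target}")
    print("8 extra modulus bits multiply the work by", round(growth_factor(1024, 8), 2))
    print("modulus matching a 128-bit key:", equivalent_modulus_bits(IDEA_KEY_BITS), "bits")
```

Under this estimate each extra modulus bit adds only a few hundredths of a bit of work, so the 2047-versus-2048-bit difference discussed in the thread is negligible, while a recovered session key exposes one message and a factored modulus exposes every message to that key.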
From futplex at pseudonym.com Wed Jan 3 15:46:40 1996 From: futplex at pseudonym.com (Futplex) Date: Thu, 4 Jan 1996 07:46:40 +0800 Subject: 2047 bit keys in PGP In-Reply-To: <55zqc557z8.fsf@galil.austnsc.tandem.com> Message-ID: <199601032300.SAA15180@opine.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- Sten Drescher writes: > Since I think that > increasing the RSA keysize is supposed to double the attack time, if a > RSA key size of N takes as much time to break as 1 IDEA key, making the > RSA key N+8 bits makes it better to break the IDEA keys of 200 messages > rather than the RSA key. > > Does anyone know if there are comparisons of estimates of the > time to break the IDEA session keys used in PGP vs time to break RSA > keys of various sizes? Off the top of my head, the figure I have usually heard quoted puts RSA at about 100 times slower than your average symmetric key algorithm. So ignoring key setup, I would expect an extra factor of 100 in the brute forcing time for RSA over IDEA. I don't believe it's worth spending much time worrying about your RSA key size. If you pick some decent size (1-2k), it's likely that RSA itself will have been broken, or your key compromised by some other means, before any direct brute force attack will succeed. 
Futplex -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- From m5 at dev.tivoli.com Wed Jan 3 15:48:55 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Thu, 4 Jan 1996 07:48:55 +0800 Subject: crypto (semi-)export issue Message-ID: <9601032309.AA16448@alpha> It's been a while since this went 'round, and my memories are hazy of the details. Isn't it the case that there are loopholes or explicit exceptions in crypto export regulations that allow American businesses to supply their overseas operatives with tools for secure communication back home? We were discussing today some stuff about our web server, and there's some desire to provide secure access for our sales people to internal junk. Nobody was sure whether it'd be OK for our people in the Evil Empire (Europe) to have the 128-bit-RC4 Netscape for that purpose. (If so, I wonder if the exceptions apply to other munitions too? Like, maybe it's OK to take a medium-range missile overseas if you're just going to use it to blow up your manager's office :-) (No, I don't hate my manager.) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish.
| Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From jya at pipeline.com Wed Jan 3 15:48:57 1996 From: jya at pipeline.com (John Young) Date: Thu, 4 Jan 1996 07:48:57 +0800 Subject: New Mitnick Book Message-ID: <199601032306.SAA07090@pipe3.nyc.pipeline.com> Jonathan Littman, an investigative reporter, has published "The Fugitive Game: Online With Kevin Mitnick," Little Brown, 1996. 381 pp. $23.95. ISBN 0-316-52858-7. It is a dramatic recount of Mitnick's exploits; the pursuit by Shimomura, Markoff, telcos and Feds; the bust and Markoff's tales; The Well controversies and disputes about what really happened; suspicions of Shimomura and Markoff - - their complicity with TLAs, their movie and book dealings, their disputes with hackers and journalists. What Mitnick was telling Littman while a fugitive. Littman ends with this letter from Markoff and Shimomura: October 8, 1995 Jonathan Littman 38 Miller Avenue Suite 122 Mill Valley, California 94941 Dear Jonathan, This is in response to your separate letters to us. We apologize for not being more prompt, Tsutomu was travelling on business and did not receive your September 5 letter until recently. As you know we have a contract with Hyperion for Tsutomu's account of his participation in the arrest of Kevin Mitnick, and at the request of our publisher we have decided not to participate in other books on the same subject. First, in response to your September 7 request to John Markoff, for permission to reprint his March 14 Well posting, he is not willing to give permission. However, we do think it is appropriate to respond to several points where you have received inaccurate information. Our responses are not intended to be a comprehensive answer to your list of questions, but only to protect you from including libelous material in your book. Tsutomu was not asked by any governmental, military or intelligence representative to assist in the capture of Mr.
Mitnick. All of his actions were taken in response to requests for assistance from both The Well and Netcom to deal with extensive and persistent break-ins. Tsutomu's decision to tell John Markoff that he was travelling to Raleigh on Sunday morning was done without contact with any law enforcement agency. Markoff flew to Raleigh independently six hours later after discussing the possibility of a story with his editors at the New York Times. Markoff did not at any time assist or participate in any aspect of the investigation into Kevin Mitnick's activities; Markoff was there only as an observer in his role as a newspaper reporter. Moreover, in Raleigh on Sunday evening the Cellscope equipment was never placed in Markoff's car, and there was never any discussion about taking it out of the Cellular One engineer's van or about placing it in Markoff's car. Markoff parked his car near the cell site that night and then later drove back to his hotel. Tsutomu never told anyone from law enforcement that anyone had authorized or cleared Markoff's presence in Raleigh. Tsutomu was informed by the Justice Department that his actions on behalf of the Internet providers and the cellular telephone company during the course of the investigation were covered under their fraud detection and prevention exception granted to these organizations under the ECPA. Tsutomu did have discussions with the National Security Agency about funding computer security research, the results of which were to be placed in the public domain, however no research grant was ever made. Tsutomu was not aware of any statements made in the search warrant until many days after the arrest. Tsutomu did not lure Mitnick or anyone else into breaking-in to his computers. The attack was entirely unprovoked. No copies of any files allegedly stolen by Mitnick were provided by Tsutomu to anyone other than the legitimate owners. 
The first discussion of the possibility of a book on the subject of Kevin Mitnick's arrest took place on Thursday February 16, when John Markoff received a telephone call from John Brockman, a New York City literary agent, proposing a collaboration between Markoff and Shimomura. You will remember, we hope, that after his July 4, 1994 article about the hunt for Mitnick, Markoff did not wish to pursue the subject of Mitnick's life as a fugitive and referred a free-lance article on the subject proposed by Playboy to you. Also please note that you are inaccurate in stating that Tsutomu requested immunity before testifying before Congress on April 1993. We realize this is a delicate issue for you because of your involvement and communication with Kevin Mitnick during the period he was a fugitive. However, since your questions suggest you believe there may have been something inappropriate in Tsutomu's cellular telephone software development work, if you do include material in your book along this line, journalistic ethics require you to include the following: Tsutomu, unlike Mitnick, in all of his computer security research over a fifteen year period, has always, whenever he has found a vulnerability, made it known to the appropriate people, whether CERT, or a private company at risk, or the United States Congress. Sincerely, (signed) John Markoff Tsutomu Shimomura From mianigand at unique.outlook.net Wed Jan 3 16:17:23 1996 From: mianigand at unique.outlook.net (Michael C. Peponis) Date: Thu, 4 Jan 1996 08:17:23 +0800 Subject: Massey, CEO of Compuserve, on Internet Message-ID: <199601032345.RAA06435@unique.outlook.net> > On Wed, 3 Jan 1996, Robert A. Rosenberg wrote: > > > CIS always knows where you are dialing in from. Here is the start of a > > typical connection (using the Mac Program NAVIGATOR). 
> > > > >0001NUH > > > > > >Host Name: CIS > > > > > >User ID: xxxxx,xxx/INT > > >Password: > > >[Navigator: Logged on] > > > > > >Welcome to CompuServe Information ServiceT01NUH @38400! > > > > > >Last access: Mon, Dec 18, 1995 23:11 > > >Connected to port CIS T01NUH @38400 > > > > That NUH identifies that I am calling in via a V34 Node in NYC and the T01 > > says I got the first modem on the Rotory. If CIS wanted to restrict access > > via the NYS nodes, that NUH would be an adequate flag to trigger this > > action. > > Wouldn't this require some software routines added to check for this? I > expect the decision to build or buy is what CIS is now weighing. Also, I > would imagine that a German could always call a POP outside the country if > they wanted to pay for it..... (note that I am still not in favor of the > action, but these are probably CIS's considerations.) Well, this could be a way for compuserve to cover its rear in a really slick fashion. If they chose to do it this way. Most CIS subscribers use their proprietary interface, which puts a GUI front end over what is going on with the modem, what they amount to are scripts. Anyways, CIS could add a script that would check the NUH identifier, if it is in Germany, it goes to one newsfeed, if it's outside of Germany, it would go to another newsfeed. They could even market the service here in the US to those who like censorship. What could be "Accidentally" leaked is a different version of the same file, that would not contain the check. That way, Compuserve could claim that the offending parties tampered with the software, and they can not be held responsible for the tampering.
I highly doubt that Compuserve would go for such a resolution, but it's worth throwing into the mix Regards, Michael Peponis PGP Key Available from MIT Key Server Key fingerprint = DD 39 66 3D AE DE 71 C2 B6 DA B2 3F 47 2A EB AC From Steve14571 at aol.com Wed Jan 3 16:27:27 1996 From: Steve14571 at aol.com (Steve14571 at aol.com) Date: Thu, 4 Jan 1996 08:27:27 +0800 Subject: Massey, CEO of Compuserve, on Internet Message-ID: <960103185717_83306823@emout04.mail.aol.com> In a message dated 96-01-03 00:34:25 EST, you write: >CompuServe is not location-dependent. The network operates exactly the >same regardless of calling location (indeed, the system doesn't even know >where you're calling from I believe). It is a worldwide CompuServe >Network that people use to access it. This network just allows dialups >and then gets the users connected to the CompuServe computers. The main >computers handle all traffic. They don't are location-independent, >making it impossible to block access based on location. I see two possible ways to censor German users only (but I still believe censoring anyone is wrong). First, the "main computers" could be told where they are, and "censored" material could be filtered at that level before it is sent to individual users. Or CompuServe could release a software update for German users. The software would not recognize banned newsgroups. How difficult could that possibly be? From iagoldbe at csclub.uwaterloo.ca Thu Jan 4 08:30:45 1996 From: iagoldbe at csclub.uwaterloo.ca (Ian Goldberg) Date: Thu, 4 Jan 96 08:30:45 PST Subject: 2047 bit keys in PGP In-Reply-To: Message-ID: <4cgva5$qe6@calum.csclub.uwaterloo.ca> In article , netdog wrote: >nobody will ever need more than 640K of RAM? i wouldn't underestimate the >ability of technology to grow at a pace that is beyond our wildest >dreams-especially with this network serving as a virtual office/lab. of >course, ymmv.
Order of magnitude check: There is a very well-defined limit to the size of key that can be broken by brute force, independent of your "wildest dreams" as to the growth of technology. It's the Laws of Thermodynamics. For a symmetric algorithm for which any value of the appropriate length n is a possibly valid (and equally likely) key, there are 2^n keys to try in a brute-force search. From Applied Crypto, 2nd ed, pp157-158, setting or clearing one bit takes at _least_ 4.4*10^-16 erg of energy. For symmetric keys of size 256, then, you would need more than 10^61 erg (that's 10^45 GJ) of energy just to _enumerate_ the states. For comparison, this is about 10 billion times larger than the output of a typical supernova. (Ibid.) From the same source: "These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space." Thus this situation is quite different from the 640K of RAM scenario. It's more like "who would ever need more RAM than you could get by storing a bit on every subatomic particle in the universe". It's not a matter of what resources you can imagine using, but rather, what resources are in the universe, able to be used. - Ian "First post of the morning; it shows, doesn't it..." From sameer at eternity.c2.org Wed Jan 3 16:37:21 1996 From: sameer at eternity.c2.org (sameer at eternity.c2.org) Date: Thu, 4 Jan 1996 08:37:21 +0800 Subject: Compuserve *hasn't* banned newsgroups In-Reply-To: <2.2.32.19960103180226.006a9ffc@panix.com> Message-ID: <199601031928.LAA18583@eternity.c2.org> > CIS refugees will be forced to pay Sameer the massive $12.50 (?)
a month for $7.50 -- sameer Voice: 510-601-9777x3 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From vznuri at netcom.com Wed Jan 3 16:53:59 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Thu, 4 Jan 1996 08:53:59 +0800 Subject: NYT's _Unmuzzling the Internet_ In-Reply-To: <9601030920.AA05852@supra.comm.mot.com> Message-ID: <199601040008.QAA14520@netcom18.netcom.com> >At first, the Jaron proposal sounds like an interesting thought >experiment but a total waste of bandwidth, both CPU and network, to >me. The unconstitutional Bill must be defeated in Congress, by that >Presidential veto pen that Clinton has become so fond of using >recently or the Court system, if absolutely necessary. If none of >that happens, then surely technology can be used to route around this >"political" problem. It just seems like a shame to have to expend >technical effort and valuable network resources to play games to meet >the letter of a law, which would so clearly break the direct spirit of >the Constitution, if signed into Law and later found during a Supreme >Court battle to "pass constitutional muster," as they like to say. the laws are very likely to be challenged almost from the instant they become active by EFF et al.-- there are a lot of powerful legal allies against it. however, to borrow from Nietzsche, "that which attempts to destroy the net will only help it grow stronger". Congressmen and governments have a choice: be a friend or enemy of cyberspace. if they choose the latter, they will simply become increasingly irrelevant. cyberspace will inevitably transcend local regulatory laws and feebleminded bureaucrats in the long run. if parts of it have to go "underground" to do so, that will be the approach. a network that is impervious to these misguided bureaucrats, far from being a waste of time developing as you write, would be a very, very significant achievement.
it would be a form of technology that resists attack on more than merely technological grounds but work in ideological areas as well.

I am all for helping congressmen "get a clue" at this moment in time. the Digital Telephony bill is not a declaration of war. when they try to tax Cyberspace or get the FCC to regulate it, or outlaw cryptography, *that* will be a declaration of war.

From shamrock at netcom.com Wed Jan 3 17:07:53 1996
From: shamrock at netcom.com (Lucky Green)
Date: Thu, 4 Jan 1996 09:07:53 +0800
Subject: Guerilla Internet Service Providers (fwd)
Message-ID:

At 1:08 1/3/96, Steve Gibbons wrote:

>I'd be interested in seeing your numbers and cost breakdowns. I'd really be
>interested in the up-front costs that would be associated with the equipment
>and set-up time/training that will help "insure" data privacy over widely
>broadcast media. The up-front costs for ~T1 capable transceivers isn't
>insignificant either. I figure ~$10K up front (maybe half of that, maybe twice
>when you include management overhead) Amortize over 3 years, and compare.

You can get by with one base station per five remote receivers. This is no different than the 5/1 to 12/1 oversale ratios common to the T1 ISP business. As long as you prohibit resale of bandwidth and specialize in hooking up business lans you'll have no problems with this layout.

Latency, which really is more important than bandwidth in many cases, is actually better using wireless than using traditional T1s.

The set-up costs are also less to the customer than if they used a regular ISP. Only difference is that by paying the set-up fees they are buying the equipment for _you_. So once they leave your ISP, you still have all the hardware :-)

>All of this is assuming that the bandwidth is available on the airwaves to
>handle ~200 ~T1s. (If we're talking $200.00/mo. for T1, sign me up tomorrow,
>and my neighbor, and his, and hers, and...
*poof* no more bandwidth in a
>"decently" populated metro area or even a downtown.

900MHz spread spectrum can get a bit crowded, but you don't need to sell 200 connections to make money. Breakeven based on competitive monthly fees (in my original calculations that meant less than the lowest priced local ISP) is about 10 customers. Of course this is not at <$200 per customer. That figure is the lowest possible if you max out a T3, but still, no landline based ISP will be able to deliver bandwidth that cheap. Remember that the fees _include_ the cost for the pipe.

Breakeven based on the set-up fees (meaning zero dollars investment by you) is about 18 customers.

>I apologize if this is off topic, but the crypto part still applies (moreso,
>even!) to broadcast over the airwaves.

All major wireless vendors offer DES encryption at about $300 per node.

-- Lucky Green
   PGP encrypted mail preferred.

From fletch at ain.bls.com Wed Jan 3 17:12:17 1996
From: fletch at ain.bls.com (Mike Fletcher)
Date: Thu, 4 Jan 1996 09:12:17 +0800
Subject: Why Net Censorship Doesn't Work
In-Reply-To:
Message-ID: <9601031537.AA16841@outland>

> One of my co-workers has pointed out that the need for something as
> simple as a helper application for Netscape loses about 90% of his
> audience. By simply making it rather more difficult for people to
> chat about some things, governments can effectively push such things
> out of the way of all but the most determined readers.

Ah, but consider what happens when Java (or Java-esque platform independent executable content) really takes off. Gee, your browser doesn't know how to view image/stego? Just pull down https://foobaz.com/isView.class and off you go. (Or your browser will pull it down automagically for you and pay the author for it from your ewallet. Or it could rent a copy from Blockbuster(tm) Applets. You get the idea :)

Software will become less and less what your machine has and more what it has access to.
---
Fletch                                                      __`'/|
fletch at ain.bls.com  "Lisa, in this house we obey the      \ o.O'    ______
404 713-0414(w)       Laws of Thermodynamics!" H. Simpson   =(___)=  -| Ack. |
404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43   U      ------

From pcw at access.digex.net Wed Jan 3 17:14:32 1996
From: pcw at access.digex.net (Peter Wayner)
Date: Thu, 4 Jan 1996 09:14:32 +0800
Subject: New Mitnick Book
Message-ID:

> Also please note that you are inaccurate in stating that
> Tsutomu requested immunity before testifying before
> Congress on April 1993.

I don't know anything about the accuracy of the rest of the post, but I was there at this hearing. Immunity was granted, but it wasn't the same type of immunity granted to someone like Oliver North.

My recollection is that the immunity was granted to allow Tsutomu Shimomura to convert an ordinary cellular phone into a scanner by typing in the magic combination of numbers. Ordinarily, this would break the law. The immunity prevented this from happening.

The act was simply done to demonstrate just how easy it is to do this. They quickly switched channels several times and then turned off the phone. Nothing salacious or interesting came over the air, alas. It would have been funny if some bribe deal involving the chairman of the committee filled the room, but that only happens in movies.

I don't know who requested the immunity. It could have been John Gage of Sun Micro who seemed to be running the show. There were probably transcripts made of the session and for all I know the Government might even have them around. That would allow us to get to the bottom of this important detail.
-Peter

From pfarrell at netcom.com Wed Jan 3 17:35:05 1996
From: pfarrell at netcom.com (Pat Farrell)
Date: Thu, 4 Jan 1996 09:35:05 +0800
Subject: crypto (semi-)export issue
Message-ID: <70723.pfarrell@netcom.com>

m5 at dev.tivoli.com (Mike McNally) writes:
> Isn't it the case that there are loopholes or explicit exceptions in
> crypto export regulations that allow American businesses to supply
> their overseas operatives with tools for secure communication back
> home? We were discussing today some stuff about our web server, and
> there's some desire to provide secure access for our sales people to
> internal junk. Nobody was sure whether it'd be OK for our people in
> the Evil Empire (Europe) to have the 128-bit-RC4 Netscape for that
> purpose.

At the December NIST Key Escrow/GAK export meeting, Mike Nelson said that there are rules that allow US companies to "easily" export strong encryption to their overseas operations. The important (key :-) idea is that the export is to protect the corporate assets of US companies.

He seemed to imply that exporting, say PGP, for internal corporate use was fine and easily done. Other folks later claimed that this wasn't quite as easy as he claimed.

For more, see, http://www.isse.gmu.edu/~pfarrell/nist/pdf.nist2.html

Pat

Pat Farrell      Grad Student      http://www.isse.gmu.edu/students/pfarrell
Info. Systems & Software Engineering, George Mason University, Fairfax, VA
PGP key available on homepage      #include

From declan+ at CMU.EDU Wed Jan 3 17:38:20 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Thu, 4 Jan 1996 09:38:20 +0800
Subject: US calls for measures against Internet porn
In-Reply-To: <199601030549.VAA11513@infinity.c2.org>
Message-ID:

Excerpts from internet.cypherpunks: 2-Jan-96 Re: US calls for measures a.. by sameer at c2.org
> Just to offer another story of the cluelessness of some
> people: I've been receiving a number of complaints about one of my
> users who has gotten into a flamewar on Usenet.
They claim that
> flaming is a violation of FCC regulations. (Maybe eventually it will
> be.. sigh.)

This apparently is becoming a common tactic among would-be censors. One example involving a web site and complainants from Carnegie Mellon University and the University of Pittsburgh is at:

http://joc.mit.edu/attack.html

And more on Compuserve... Excerpts from today's Washington Post:

BERLIN, Jan. 2 -- German authorities say the CompuServe on-line service decided on its own which sexually explicit Internet forums to ban its 4 million customers from viewing.

In addition, prosecutors reiterated today that they never explicitly threatened CompuServe Inc. with criminal charges.

The statements appear to conflict with CompuServe's explanation last Thursday of why it blocked access to 200 newsgroups. But a CompuServe spokeswoman repeated the company's initial explanation today, saying German authorities specified which newsgroups should be banned...

Munich senior public prosecutor Manfred Wick said today that his office did not provide CompuServe any such list as part of its investigation of child pornography on the Internet. "We did not make any stipulations. It was the decision of CompuServe alone," he said.

-Declan

From lastxit at alphachannel.com Wed Jan 3 17:39:55 1996
From: lastxit at alphachannel.com (Marc Martinez)
Date: Thu, 4 Jan 1996 09:39:55 +0800
Subject: 2047 bit keys in PGP
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

In article master at internexus.net (Laszlo Vecsey) writes:

   Are you sure it's a bug in the DOS version? When I did a pgp -kg in my UNIX shell (US version 2.6.2) I also entered 2048 bits and it too created a 2047 bit key instead.

   Why is there a limit to the size of the key anyway? It's too bad PGP doesn't support any size key (within reason).

Regarding the unix version, what sort of processor is the machine running? We noticed on a 486 running linux, with a vanilla MIT release pgp, that it made 2047 bit keys when prompted for 2048.
However, after compiling the same code on a SunOS 4.1.3 it had no problems making a 2048 key, though it took significantly longer due to differences in how the operating systems function.

Also, most of the unix machines I work on now are running hacked versions which will handle up to 4096 bit keys, so I could handle all of my keys relatively painlessly (and because I was curious about the code in pgp itself).

In any case, that's about all I know on the topic, check the architecture of the machine your shell account is on, and if you have access to a sun, you might try it there. If you really want larger keys just poke around in the code, it's not that hard of a feat to accomplish.

- ----BEGIN PGP SIGNED HEADERS----
From: "Marc Martinez"
To: cypherpunks at toad.com
Subject: Re: 2047 bit keys in PGP
Date: 03 Jan 1996 18:49:44 -0600
Message-ID:

--
Marc Martinez              "Sleep is unnecessary in the presence of more espresso."
lastxit at mindport.net    Key fingerprint:
PGP public key available   47 AD 25 FF C2 B7 F8 57 C5 B6 2E B3 5E 98 A5 DE
by finger or keyserver

From pcw at access.digex.net Wed Jan 3 17:55:24 1996
From: pcw at access.digex.net (Peter Wayner)
Date: Thu, 4 Jan 1996 09:55:24 +0800
Subject: New Mitnick Book
Message-ID:

From the Littman book:

> Shimomura likes his computer-controlled cellular phone, but
> its use for tracking is limited. Its main purpose is to
> lock on a call and eavesdrop. It is illegal to use it to
> eavesdrop on calls.
That's why Shimomura needed immunity
> from prosecution when he demonstrated his Oki scanner
> before Congress a couple of years ago. (p. 6)
>

Well, here's another minor error. At the hearing, Shimomura just used a new, shrink wrapped cell phone. I think it was an AT&T model, but my memory is faint on these details. I'm pretty sure it wasn't an off the shelf Oki 900. Half the point was to show just how easy it was. He didn't even bother to hook the cell phone up to a laptop or palmtop. Just a few button pushes and instant scanner.

I tried to get him to tell me the right buttons afterwards, but he was too busy and didn't answer. Sigh.

But aside from the brand name of the phone, Littman's sentence seems accurate according to my recollection. The transcript should settle all of this.

-Peter

From jya at pipeline.com Wed Jan 3 18:03:05 1996
From: jya at pipeline.com (John Young)
Date: Thu, 4 Jan 1996 10:03:05 +0800
Subject: New Mitnick Book
Message-ID: <199601040114.UAA21383@pipe3.nyc.pipeline.com>

Responding to msg by pcw at access.digex.net (Peter Wayner) on Wed, 3 Jan 7:39 PM

Here's Littman on immunity for Shimomura (describing telco tracking Mitnick):

   Shimomura's brought along his own hacker's scanning rig. It's pretty basic, just an Oki 900 cellular phone and a hardware interface to his tiny HP Palmtop. One of Shimomura's friends -- who happens to be under federal indictment for illegal hacking -- cooked up the interface and helped write the software.

   Shimomura likes his computer-controlled cellular phone, but its use for tracking is limited. Its main purpose is to lock on a call and eavesdrop. It is illegal to use it to eavesdrop on calls. That's why Shimomura needed immunity from prosecution when he demonstrated his Oki scanner before Congress a couple of years ago. (p. 6)

------

[Still reading ...
]

From stevenw at best.com Wed Jan 3 18:08:14 1996
From: stevenw at best.com (Steven Weller)
Date: Thu, 4 Jan 1996 10:08:14 +0800
Subject: Guerilla Internet Service Providers (fwd)
Message-ID:

>As I understand the physics, the whole process could be made FAR FAR FAR
>more efficient if the rocket was boosted to about 40000 feet with a subsonic
>airplane, a' la' X-15 and such. It's above 75% of the earth's atmosphere
>(dramatically reduced drag), is already going 600 mph in the correct
>direction, and is 8 miles closer to the ultimate goal 250 miles up). This
>might not sound like much of an advantage, but if you've ever worked out the
>mathematics of the Saturn V (or space shuttle, etc), the VAST majority of
>the fuel was used up in the first 20,000 feet, maybe even the first 5000
>feet. It would be even better if the first stage could be an air-breathing
>supersonic ramjet, but that's not my field of expertise.

Orbital Sciences Corp in Virginia do exactly that, but with a B52 and a 60 foot long rocket. They launch relatively small payloads for relatively cheap and have done it successfully on many occasions.

-------------------------------------------------------------------------
Steven Weller      | "The Internet, of course, is more
                   | than just a place to find pictures
                   | of people having sex with dogs."
stevenw at best.com | -- Time Magazine, 3 July 1995

From tallpaul at pipeline.com Wed Jan 3 18:52:21 1996
From: tallpaul at pipeline.com (tallpaul)
Date: Thu, 4 Jan 1996 10:52:21 +0800
Subject: AP Story: "Germans: Was CompuServe's Call
Message-ID: <199601031516.KAA13633@pipe5.nyc.pipeline.com>

CPers may want to examine this Associated Press story:

"Germans: Was CompuServe's Call"
02 Jan 1996, 14:30
clari.news.censorship
Message-ID:

--
-- tallpaul
-- Visualize HappyNet!
From rubin at faline.bellcore.com Wed Jan 3 18:52:43 1996
From: rubin at faline.bellcore.com (Aviel D Rubin)
Date: Thu, 4 Jan 1996 10:52:43 +0800
Subject: Experience teaching cryptography and computer security at NYU
Message-ID: <199601031528.KAA04490@faline.bellcore.com>

Last semester, I taught a graduate course called "Cryptography and Computer Security" at NYU. I have written up a summary of the experience. You can find it at

ftp: thumper.bellcore.com in /pub/rubin/fall95.ps or fall95.ps.Z
web: ftp://thumper.bellcore.com/pub/rubin/fall95.ps.Z

and there is a link to it from my home page: ftp://thumper.bellcore.com/pub/rubin/rubin.html

I will be teaching the same class next semester at NYU, and there are plans for a sequel next fall.

Avi

*********************************************************************
Aviel D. Rubin          Email: rubin at faline.bellcore.com
Research Scientist      Adjunct Professor at NYU
Bellcore (MRE-2M354)
445 South St.           ftp://thumper.bellcore.com/pub/rubin/rubin.html
Morristown, NJ 07960    Voice: +1 201 829 4105
USA                     FAX: +1 201 829 2645

From erc at dal1820.computek.net Wed Jan 3 19:03:43 1996
From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin])
Date: Thu, 4 Jan 1996 11:03:43 +0800
Subject: test
Message-ID: <199601040246.UAA14351@dal1820.computek.net>

test, please ignore

From erc at dal1820.computek.net Wed Jan 3 19:07:40 1996
From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin])
Date: Thu, 4 Jan 1996 11:07:40 +0800
Subject: test
Message-ID: <199601040247.UAA14402@dal1820.computek.net>

test, please ignore - 1 copy sent.
From master at internexus.net Wed Jan 3 19:10:00 1996
From: master at internexus.net (Laszlo Vecsey)
Date: Thu, 4 Jan 1996 11:10:00 +0800
Subject: Unmuzzy Explained
In-Reply-To: <199601031924.NAA24001@cdale1.midwest.net>
Message-ID:

> >So is the idea beyond this that if file or a group of files were to
> >be distributed over many computers (possibly hundreds or more) then
> >none of the computers would be "responsible" for their content? I would
> >think that any participant in the network would have to claim full
> >responsibility for the content, assuming the file(s) could be accessed
> >from any of the participating servers.
> >
> Okay. So what if several groups of computers, in public FTP directories,
> allowed anonymous ftp uploads of "parts" of a file that would be construed
> as bad content. The only way to assemble the file is to download several
> parts of it from several different servers and assemble the file on your
> system. Thus the illegal file isn't illegal until its assembled. Sorta
> like switchblade knives. Lots of places can sell the parts legally, they
> just can't sell the assembled product. Would the servers that contain
> "parts" of the file be responsible for the content?

PGP encrypting a file and putting it on an ftp site is unusable unless you have the key to unlock it.. in this sense the file is only partly on-line and therefore there would be no need to even split the file apart to various servers! Would the site containing this PGP encrypted data be responsible for its content?

From stevenw at best.com Wed Jan 3 19:20:43 1996
From: stevenw at best.com (Steven Weller)
Date: Thu, 4 Jan 1996 11:20:43 +0800
Subject: Kocher timing attack in RISKS
Message-ID:

Reproduced here from RISKS digest:

------------------------------

Date: Tue, 26 Dec 1995 17:23:09 -0100
From: Saso Tomazic
Subject: Re: Timing cryptanalysis of RSA, DH, DSS (Kocher, RISKS-17.53)

The timing attack presented by Paul C.
Kocher in his extended abstract of the paper "Cryptanalysis of Diffie-Hellman, RSA, DSS, and Other Systems Using Timing Attacks" (ftp://ftp.cryptography.com/pub/kocher_timing_attack.ps) is really worth consideration, however I would like to stress there is no need for panic, mainly for two reasons:

1) Security of practical cryptosystems does not rest solely on security of crypt algorithm. In fact, cryptanalysis attacks are rare, due to strong crypto algorithms that are presently known. More often cryptosystems are broken using other weak points of cryptosystems, such as insecurity of keys, bad key management, easy to guess passwords, computer screen radiation, monitoring the keystrokes of computer in network, ... The timing attack can be considered just as one of them, not the most dangerous one. For practical cryptosystem, it would be extremely difficult to measure exact timing of encryption process, at least much more difficult than to monitor keystrokes or to capture entire message from the screen. The intruder, who would be able to measure the exact timing of encryption in a multitasking environment, would probably also have access to everything else (i.e., secret message, secret key, passwords, ...) and thus no need to measure timing.

2.) It is not so difficult to rewrite algorithms to be resistant to timing attacks, i.e., to have execution time independent of secret key. For example, the algorithm to compute R = y^x mod n given in the Kocher paper can be simply rewritten as:

   Let R = 1.
   Let A = 1.
   Let z = y.
   For i=0 upto (bits_in_x-1):
       If (bit i of x) is 1 then
          Let A = (R*z) mod n
       Else
          Let B = (R*z) mod n
       Let z = z^2 mod n.
       Let R = A.
   End.

to be resistant to timing attacks.

------------------------------

-------------------------------------------------------------------------
Steven Weller      | "The Internet, of course, is more
                   | than just a place to find pictures
                   | of people having sex with dogs."
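An added illustration, not part of the RISKS item or of Kocher's paper: the multiply-on-1-bits loop and the rewritten always-multiply loop from the item above, in Python, counting modular multiplications and how many products actually needed reduction. The function names, modulus, base and exponents are constructed for this example.

```python
"""Added illustration: two square-and-multiply loops for R = y^x mod n.

Function names, modulus, base and exponents are constructed for this example.
"""


def modexp_leaky(y, x, n, bits):
    """Multiply only when the exponent bit is 1 (the loop being rewritten)."""
    r, z = 1, y % n
    mults = reductions = 0
    for i in range(bits):
        if (x >> i) & 1:
            raw = r * z
            mults += 1
            reductions += raw >= n      # this product really needed reducing
            r = raw % n
        z = (z * z) % n
    return r, mults, reductions


def modexp_balanced(y, x, n, bits):
    """One multiply per bit; the product is kept in A or dropped into B."""
    r, a, z = 1, 1, y % n
    mults = reductions = 0
    for i in range(bits):
        raw = r * z                     # same operands whatever bit i is
        mults += 1
        reductions += raw >= n
        if (x >> i) & 1:
            a = raw % n                 # Let A = (R*z) mod n
        else:
            _b = raw % n                # Let B = (R*z) mod n, never read
        z = (z * z) % n                 # multiplier squared every round
        r = a                           # Let R = A
    return r, mults, reductions


def profile(y, n, bits, exponents):
    """Run both loops per exponent, check them against pow(), tabulate work."""
    rows = {}
    for x in exponents:
        r1, m1, _ = modexp_leaky(y, x, n, bits)
        r2, m2, red2 = modexp_balanced(y, x, n, bits)
        if not (r1 == r2 == pow(y, x, n)):
            raise ValueError("exponentiation mismatch for %#x" % x)
        rows[x] = {
            "weight": bin(x).count("1"),
            "leaky_mults": m1,
            "balanced_mults": m2,
            "balanced_reductions": red2,
        }
    return rows


# Constructed inputs: a product of two Mersenne primes as a stand-in modulus,
# a fixed base, and 16-bit exponents of different Hamming weight.
N = (2**31 - 1) * (2**61 - 1)
Y = 0x1234567
BITS = 16
EXPONENTS = [0x0001, 0x8000, 0xA5A5, 0xFFFF]

if __name__ == "__main__":
    for x, row in profile(Y, N, BITS, EXPONENTS).items():
        print("%#06x" % x, row)
```

The multiplication count no longer depends on the exponent, yet 0x0001 and 0x8000 (same weight, same count) still differ in how many products needed reduction, so a multiply whose own running time depends on its operands keeps leaking. Production code relies on constant-time big-number arithmetic and blinding of the base rather than on a dummy multiply alone.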
stevenw at best.com | -- Time Magazine, 3 July 1995

From liberty at gate.net Wed Jan 3 19:26:04 1996
From: liberty at gate.net (Jim Ray)
Date: Thu, 4 Jan 1996 11:26:04 +0800
Subject: NYT's _Unmuzzling the Internet_
Message-ID: <199601040312.WAA22282@osceola.gate.net>

-----BEGIN PGP SIGNED MESSAGE-----

"Vlad" wrote:

>I am all for helping congressmen "get a clue" at this moment in time.
>the Digital Telephony bill is not a declaration of war. when they try
>to tax Cyberspace or get the FCC to regulate it, or outlaw cryptography,
>*that* will be a declaration of war.

I hate to be the bearer of bad news, and I try to resist forwarding messages from other lists, but on cyberia-L, Mr. Nick Keenan wrote:

____________________________________

The FCC is now proposing a tax on ISP's -- in the name of "universal access" !?? :O(.

They claim that since voice can be transmitted over the Internet, it falls under the jurisdiction of the FCC. Read about it in the Dec. 18 issue of Interactive Week ( http://www.zdnet.com/~intweek/print/951218/upfront/doc11.html)

>From the article:

>FCC Chairman Reed Hundt provided the tip-off earlier this year during a
>speech he gave in Washington at the Networked Economy Conference. Hundt said
>the commission would issue a Notice of Proposed Rule-Making sometime this
>year in order to re-examine how access charges are assigned and universal
>service is funded, said Mark Corbitt, Hundt's main technology adviser.
>
>The Internet community "should wake up [and] pay attention," Corbitt
>said. "This issue could hit them before they know it. I don't think
>most of them are even aware" that this is bubbling up through the agency.

____End forwarded message____

I would hope that we would flood them with comments during the period after the "Notice of Proposed Rule-Making" appears, not that it will help, as they have already made up their minds. The FCC (like the FDA) should be defunded, not just "cut," whatever that word means anymore.
There are good economic reasons why this won't help "universal access" any more than peanut subsidies help minority farmers, despite lies to the contrary by various self-interested bureaucrats. As Republicans said (before they became the majority party) "Cut Their Pay and Send Them Home."

JMR

Regards, Jim Ray
http://www.shopmiami.com/prs/jimray
"Hooters GUYS? Washington -- GET A GRIP!"
_______________________________________________________________________
PGP key Fingerprint 51 5D A2 C3 92 2C 56 BE 53 2D 9C A1 B3 50 C9 C8
Public Key id. # E9BD6D35 IANAL
_______________________________________________________________________
Help Phil! e-mail zldf at clark.net or http://www.netresponse.com/zldf
_______________________________________________________________________

From tallpaul at pipeline.com Wed Jan 3 19:27:02 1996
From: tallpaul at pipeline.com (tallpaul)
Date: Thu, 4 Jan 1996 11:27:02 +0800
Subject: US calls for measures against Internet porn
Message-ID: <199601040042.TAA29802@pipe6.nyc.pipeline.com>

On Jan 03, 1996 14:47:35, 'anonymous-remailer at shell.portal.com' wrote:

>My original post, "US calls for measures against Internet porn" was a
>satire. The entire point was that, by changing a few words in the
>"China calls for measures against Internet porn" story, a statement by
>a totalitarian communist regime could be made to look like official US
>policy. Obviously, the project was a success, as people are taking it
>seriously in spite of the fact that it had telltale clues, and that
>the original source was revealed.
>

I was going to post on this topic, especially on a paraphrase of the (ostensible) original.
I still want to, but let me play either the skeptical or responsible journalist (reader's choice of adjectives).

Anonymous has *not* revealed the original source as he/it/she claimed. They have asserted it came from Xinhua news agency. Will Anonymous post a pointer to where we can access on the internet the original? News feed, date, and time of posting, as well as message ID should suffice.

-- tallpaul
-- Any political analysis that fits on a bumper sticker is wrong.

From tallpaul at pipeline.com Wed Jan 3 19:30:10 1996
From: tallpaul at pipeline.com (tallpaul)
Date: Thu, 4 Jan 1996 11:30:10 +0800
Subject: US calls for measures against Internet porn
Message-ID: <199601040158.UAA10766@pipe6.nyc.pipeline.com>

On Jan 03, 1996 20:54:01, '"Declan B. McCullagh" ' wrote:

>Excerpts from internet.cypherpunks: 3-Jan-96 Re:US calls for measures
>ag.. by tallpaul at pipeline.com
>> Anonymous has *not* revealed the original source as he/it/she claimed.
>> They have asserted it came from Xinhua news agency. Will Anonymous post a
>> pointer to where we can access on the internet the original? News feed,
>> date, and time of posting, as well as message ID should suffice.
>
>It's been on the AP and Reuters wires, as well as on the CNN web site.
>
>-Declan
>
>

"newswires" and "web sites" are not pointers to exact quotations.

my question remains unanswered.

-- tallpaul
-- Any political analysis that fits on a bumper sticker is wrong.

From erc at dal1820.computek.net Wed Jan 3 19:30:19 1996
From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin])
Date: Thu, 4 Jan 1996 11:30:19 +0800
Subject: NYT's _Unmuzzling the Internet_
In-Reply-To: <199601040312.WAA22282@osceola.gate.net>
Message-ID: <199601040317.VAA16388@dal1820.computek.net>

-----BEGIN PGP SIGNED MESSAGE-----

> The FCC is now proposing a tax on ISP's -- in the name of "universal access"
> !?? :O(.
>
> They claim that since voice can be transmitted over the Internet, it falls
> under the jurisdiction of the FCC.
This is pretty stupid - I mean, even I know that it's all just data. Besides, it's irrelevant - if the FCC had jurisdiction over the net because it can carry digitized voice, then they could regulate what I scream out my back door. Last time I looked, I didn't need a license to broadcast my voice out over the airwaves with my mouth...

- --
Ed Carp, N7EKG    Ed.Carp at linux.org, ecarp at netcom.com
                  214/993-3935 voicemail/digital pager
                  800/558-3408 SkyPager
Finger ecarp at netcom.com for PGP 2.5 public key    an88744 at anon.penet.fi

"Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'"
-- "Losing Your Mind", Karen Alexander and Rick Boyes

From delznic at storm.net Wed Jan 3 19:33:25 1996
From: delznic at storm.net (Douglas F. Elznic)
Date: Thu, 4 Jan 1996 11:33:25 +0800
Subject: Windows Eudora and PGP
Message-ID: <2.2.16.19960104004641.084f6bfe@terminus.storm.net>

At 01:27 PM 1/3/96 -0800, jim bell wrote:
>At 10:24 AM 1/3/96 -0800, you wrote:
>>At 09:43 AM 1/3/96 -0800, Jim Bell wrote:
>>
>>>(BTW, I use Eudora, and I have PGP. Could somebody explain how to PGP-sign
>>>messages, ideally EASILY?)
>>
>>I use Eudora as well. It is not as easy as I would like. You have a couple
>>of options:
>>
>>1) Use cut-and-paste into Private Idaho. Private Idaho will allow you to
>>paste back into Eudora. (Or you can send out from Private Idaho directly.)
>>This option is useful because it supports nyms and chaining of remailers.
>>
>>2) Get one of the standard Windows PGP shells and paste into that. After
>>signing, you will have to repaste into Eudora again.
>>
>>These seem to be the only options. I am not certain if there is a standard
>>DDE or OLE interface that could be used to feed message information back and
>>forth between Eudora and some other app. There have been a number of
>>promises of Eudora/PGP integration, but nothing has materialized yet.
>
>[sigh] Just what I thought, no easy solutions. Well, for now I'll just
>skip signing; I haven't had any problem (that I know of...knock on silicon)
>with forged messages, and my normal posts are so enthusiastically anarchical
>and inflammatory that the only way anybody could really embarrass me is to
>forge a message, ostensibly from me, saying I agreed with some governmental
>activity somewhere.
>
>
>>There are no easy answers I know of...
>>
>>If you need a copy of Private Idaho, I can point you to a web site or bring
>>a copy along to the meeting on the 20th.
>
>Please do...
>
>
>

I have heard that there are alpha releases currently being worked on at quest/qualcomm. But I would have to say before they come out your best bet to pgp and eudora is either pidaho or just use it in dos. pidaho is a great front end. A lot better than any others out there. I have also heard that ViaCrypt is a good alternative. But I am not sure. Has anyone else out there heard anything good/bad about ViaCrypt?

--
==================Douglas Elznic===================
delznic at storm.net
http://www.vcomm.net/~delznic/
(315)682-5489
(315)682-1647
4877 Firethorn Circle
Manlius, NY 13104
"Challenge the system, question the rules."
===================================================
PGP key available: http://www.vcomm.net/~delznic/pgpkey.asc
PGP Fingerprint: 68 6F 89 F6 F0 58 AE 22 14 8A 31 2A E5 5C FD A5
===================================================

From markm at voicenet.com Wed Jan 3 19:34:58 1996
From: markm at voicenet.com (Mark M.)
Date: Thu, 4 Jan 1996 11:34:58 +0800
Subject: 2047 bit keys in PGP
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 3 Jan 1996, Laszlo Vecsey wrote:

> > "Douglas F. Elznic" said:
> >
>
> Are you sure it's a bug in the DOS version? When I did a pgp -kg in my
> UNIX shell (US version 2.6.2) I also entered 2048 bits and it too
> created a 2047 bit key instead.

This is correct. I believe there are some UNIX flavors under which U.S. PGP can generate 2048 bit keys. However, most only allow 2047 bit keys. The international version does not have this bug.

>
> Why is there a limit to the size of the key anyway? It's too bad PGP
> doesn't support any size key (within reason).

I really don't see the point of using a key larger than 2048 bits. Any larger key would actually be harder to factor than brute forcing the IDEA keyspace. Very little security would be gained from using a key larger than 3000 bits. Of course, one can always argue that improved factoring methods would require that an RSA public key be longer than 3000 bits to have equal security to IDEA. However, I doubt that factoring methods will improve that much. A 2048 bit key should be more than enough security for most applications.

finger -l markm at voicenet.com for PGP key
http://www.voicenet.com/~markm/
Fingerprint: bd24d08e3cbb53472054fa56002258d5
Key-ID: 0xF9B22BA5
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GAT d- s:- a? C++++ U+++>$ P+++ L++(+++) E--- W++(--) N+++ o- K w--- O- M- V--
PS+++>$ PE-(++) Y++ PGP+(++) t-@ 5? X++ R-- tv+ b+++ DI+ D++ G+++ e! h* r! y?
------END GEEK CODE BLOCK------

From corey at netscape.com Wed Jan 3 19:37:08 1996
From: corey at netscape.com (Corey Bridges)
Date: Thu, 4 Jan 1996 11:37:08 +0800
Subject: AOL security letter
Message-ID: <199601040227.SAA14744@urchin.netscape.com>

Looks like AOL is being dragged, kicking and screaming, into the world of security. This is a note that AOL subscribers are receiving today:

>>>>
bj: ALERT: Password Security
Date: 95-12-31 07:27:13 EST
From: Steve Case
Sent on: America Online (using Stratus)

Dear Friend of America Online,

I want to raise your awareness about an issue that affects us all: the importance of never revealing your password. Recently there have been a few incidents where computer hackers have tried to gain access to passwords by soliciting individuals online. These hackers have increased their level of sophistication so much that they have begun to correspond in a style to make you believe they are representing America Online.

Here's an edited excerpt from a recent e-mail attempt:

"Dear AOL Community Member:

AOL is experiencing major problems...Due to a virus that was recently loaded...onto our main user database, containing most of our member registration information, we are currently experiencing widespread system failure. The problem originated...when our system was illegally breached by a former AOL employee. We believe the employee, who is currently being questioned by authorities, loaded a virus into our database. Because we identified the problem quickly, we were able to stop the problem before the entire database was deleted. The files that were deleted, however, happened to be the database link files...that link a user's password and screen name to the rest of their account. We are currently...working with McAfee Associates (Anti-Virus), to replace the lost files...

...Some of the effects as a result of not having the database link files include: random log-off's, AOLnet runs slower, and Email may accidentally be deleted.
These problems are MAJOR inconveniences to our users, so we need your help to fix the problem."

The letter continues, outlining the steps you must take to keep your account active, and awarding you free online hours for your troubles.

Sending e-mail is just one tactic. Another approach is by using IMs (Instant Messages), where a hacker will notice you are online and try to pass himself off as an employee. Hackers sometimes scan chat areas and the member directory for screen names.

Simply put, your passwords are like items in your safety deposit box. They're confidential. YOU are the only person who should know your password. Giving someone (even unintentionally) your password -- especially online -- is like handing over your wallet, keys, and other valuables to complete strangers.

There is absolutely no reason why America Online would ever ask you for your password! Be aware: NO EMPLOYEE OR REPRESENTATIVE OF AMERICA ONLINE WILL EVER ASK YOU FOR YOUR PASSWORD, YOUR CREDIT CARD NUMBER, OR TO VERIFY YOUR BILLING INFORMATION ONLINE. IF THEY DO, BE SUSPICIOUS AND TAKE ACTION--REPORT IT IMMEDIATELY.

Here are some quick steps to keep your passwords secure:

1) Immediately change your passwords (at keyword PASSWORD) to at least 6 alphanumeric characters -- combination of letters and numbers -- for all of your sub-accounts. Delete unused sub-accounts.

2) NEVER use your screen name, first or last name, town, street, etc. as a password. Do not use a common word. Add a few digits to a word, or misspell it. Hackers use all kinds of programs that search for common words.

3) Inform spouses, children, and others who have access to your account to take the same safety measures, and to NEVER give out passwords.

4) Report suspicious behavior at keyword STAFFPAGER immediately.

Computer hacking on America Online is not widespread. But it's an activity -- and an illegal act -- which hinders our ability to conduct business and ensure a safe online community.
AOL will pursue all legal action and law enforcement protection within our right to protect the security of our service.

We also rely on our members, partners, remote community leaders, and others with overhead accounts much like a neighborhood watch program -- to help crush hacking, to maintain confidentiality of the simplest personal belonging (your password), and to report activity of this kind to AOL immediately.

If you have any questions, please discuss them with your contact at AOL. Thank you, and have a Happy New Year.

Regards,
Steve Case

Corey Bridges
Security Documentation
Netscape Communications Corporation
home.netscape.com/people/corey
415-528-2978

From tallpaul at pipeline.com Wed Jan 3 19:48:06 1996
From: tallpaul at pipeline.com (tallpaul)
Date: Thu, 4 Jan 1996 11:48:06 +0800
Subject: Will the real Anonynous please stand up
Message-ID: <199601040332.WAA24066@pipe6.nyc.pipeline.com>

Herewith is where my confusion developed by Anonymous #1, posted as Date: Sun, 31 Dec 1995 18:34:56 -0600, Message-Id: <199601010034.SAA07422 at tjava.com>:

The story as presented by Anon #1, while supposedly from Reuters quotes the Associated Press, something that rarely if ever happens.

Another story, posted by Anonymous #2 (presumably the same entity as Anonymous #1), posted as Date: Mon, 1 Jan 1996 01:25:12 +0100, Message-Id: <199601010025.BAA04537 at utopia.hacktic.nl> is slugged "BEIJING (AP)_ " and quotes Xinhua News Agency;

A reference by Anonymous #3 (presumably the same entity as Anon #1 & #2), posted as Date: Wed, 3 Jan 1996 14:47:35 -0800, Message-Id: <199601032247.OAA00603 at jobe.shell.portal.com> states that the faked story changed the words "Xinhua news agency" to "the Associated Press."

Looking down the list of posts to the cp list for past posts by "Anonymous" the first one I came to was titled "first germany, now china" and not "US calls for measures... " as Anonymous #3 wrote in the referencing post.
There were at least two wire service stories:

Reuters: China calls for measures against Internet porn
Date: Sun, 31 Dec 1995 9:20:13 PST
Message-ID: clari.news.censorship

Associated Press: China to Block Internet Porn
Date: Sun, 31 Dec 1995 15:10:29 PST
Message-ID: clari.news.censorship

Add to this is the confusion that several entities are posting to the cp list using the same name -- "Anonymous" -- without differentiating their posts from any of the other posts by (inferentially) other entities with the same name.

I have no problem with people (dolphins, whales, or space creatures, etc.) posting anonymously. I do have *significant* problems with their lack of seriousness that we see in their willingness to be confused by others of the same name. I have even more significant problems with their seeming willingness to expect me to straighten out this confusion that they are either too lazy or too chaotically-oriented to do themselves.

Even English monarchs, in centuries past when monarchs like Anonymous only had one name, were given some additional signifier to keep them separate (e.g. "Donald the Fat" vs. "Donald the Terribly Ugly" vs. "Donald the Wonderful With A Really Good Ad Agency").

Scientific discussions to which people wish to contribute anonymously are OK with me; the same discussions that are starting to resemble the confusion of a Monty Python skit are not.

--
-- tallpaul -- Any political analysis that fits on a bumper sticker is wrong.

From alano at teleport.com Wed Jan 3 19:53:31 1996
From: alano at teleport.com (Alan Olsen)
Date: Thu, 4 Jan 1996 11:53:31 +0800
Subject: Duplicate messages
Message-ID: <2.2.32.19960104033750.009219b4@mail.teleport.com>

Has everyone else been getting two messages for the price of one?

(Maybe Tim May is getting back at me for the semi-plagiarized sig quote...)
Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key
http://www.teleport.com/~alano/
"Governments are potholes on the Information Superhighway." - Not TCMay

From ses at tipper.oit.unc.edu Wed Jan 3 20:20:25 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Thu, 4 Jan 1996 12:20:25 +0800
Subject: New Mitnick Book
In-Reply-To:
Message-ID:

On Wed, 3 Jan 1996, Peter Wayner wrote:

> I don't know who requested the immunity. It could have been John
> Gage of Sun Micro who seemed to be running the show. There were
> probably transcripts made of the session and for all I know the
> Government might even have them around. That would allow us to
> get to the bottom of this important detail.

Yes, it was John who set this up (I remember him talking about the arrangements he was making just before the actual session).

Simon

From huntting at glarp.com Wed Jan 3 21:14:06 1996
From: huntting at glarp.com (Brad Huntting)
Date: Thu, 4 Jan 1996 13:14:06 +0800
Subject: New Mitnick Book
In-Reply-To: <199601040114.UAA21383@pipe3.nyc.pipeline.com>
Message-ID: <199601040453.VAA00416@misc.glarp.com>

> Shimomura likes his computer-controlled cellular phone, but
> its use for tracking is limited. Its main purpose is to
> lock on a call and eavesdrop. It is illegal to use it to
> eavesdrop on calls. That's why Shimomura needed immunity
> from prosecution when he demonstrated his Oki scanner
> before Congress a couple of years ago. (p. 6)

Curious, David Skaggs (R-CO) while arguing against having the Rocky Flats Grand Jury testify before congress on their findings pointed out that congress can only offer immunity from prosecution for a testimony _about_ crimes they may have committed. In Shimomura's case the crime was committed in front of congress as _part_ of his testimony. One could easily argue, as Skaggs did, that congress overstepped its bounds by asking a witness to commit a crime.
Then again, they're the ones who decide what most of these crimes are in the first place.

Sorry to stray off topic.

brad

From jimbell at pacifier.com Wed Jan 3 21:23:15 1996
From: jimbell at pacifier.com (jim bell)
Date: Thu, 4 Jan 1996 13:23:15 +0800
Subject: Guerilla ISPs
Message-ID:

At 02:07 PM 1/3/96 -0800, you wrote:
>Thomas Edwards writes:
>
>> [ microcellular nets ]
>>
>> But how can these things compete with @Home, which is promising 10 Mbps
>> in and 128 kbps out of homes with cable modems?
>
>I'm skeptical about cable modems---few cable providers have adequate
>return paths, and everyone competes for the downlink bandwidth.
>Broadcast is not the right architecture.
>

Even admittedly with no evidence, I tend to disagree. I think the world needs cable-driven "mostly-one-way" Internet access for the same reason we need both:

1. Magazines/books (few to many) vs. snail-mail (1-to-1 communication).
2. Television/radio (few to many) vs. telephones (1-to-1 communication).

If, as I've heard, you could broadcast 28 mbits per second down a 6-megahertz cable line, that's a lot of "news, weather, and sports" to be broadcast to EVERYONE, similar to newspapers. Imagine the entire contents of USENET, plus a goodly supply of (encrypted) individual mail, etc. The contents of every newspaper in the country, transmitted a few times every day, etc.

>Any systems in actual operation? How many users do they support?

No idea. Wish I knew.

From jimbell at pacifier.com Wed Jan 3 21:23:33 1996
From: jimbell at pacifier.com (jim bell)
Date: Thu, 4 Jan 1996 13:23:33 +0800
Subject: 2047 bit keys in PGP
Message-ID:

At 05:17 AM 1/4/96 +0000, you wrote:
>
>> Why is there a limit to the size of the key anyway? It's too bad PGP
>> doesn't support any size key (within reason).
>
>Within reason is the Key Phrase. Even with a Pentium 90, I notice a
>considerable lag in decrypting messages that have been encrypted with
>a key larger than 2047/8.
>
>Even if you have a fast machine, if the person receiving the message
>could wait a long time to decrypt your 4096 byte encrypted message.

It seems to me that the best argument AGAINST supporting (and using) keys greater than 2048 bits is the false sense of security created. Even 1024-bit keys will probably be safe for decades if just the algorithm is concerned. Far more threatening are various other attacks, including RF snooping in combination with specialized viruses, as well as black-bag jobs on hardware.

Why build a castle with a front wall a mile high when the back wall is a 5-foot chain-link fence?!?

From dmandl at panix.com Wed Jan 3 21:29:49 1996
From: dmandl at panix.com (dmandl at panix.com)
Date: Thu, 4 Jan 1996 13:29:49 +0800
Subject: Why Net Censorship Doesn't Work
In-Reply-To: <9601021825.AB15309@virgo.bsnet>
Message-ID:

On Tue, 2 Jan 1996, Ed Carp wrote:

Duncan Frissell wrote:
> > It used to be said that no country would be allowed to move from Communism
> > to Capitalism. It can now be said that it is inconceivable that a modern
> > country will move from a Market to a Command Economy. Market discipline is
> > strong.
>
> Tell that to folks in the countries of used-to-be-Russia. Lots of old
> Communist leaders getting back into power - some folks are even saying
> that the old days under the Communists were better than living in a free
> market economy.
>
> Never underestimate the value of human stupidity and shortsightedness.

In other words: If people dump communism for capitalism, it shows how the free market will always triumph, and if people dump capitalism for communism, it shows how stupid and shortsighted humans are. Hmmmm...

--Dave.
--
Dave Mandl
dmandl at panix.com
http://www.wfmu.org/~davem

From frissell at panix.com Wed Jan 3 21:32:59 1996
From: frissell at panix.com (Duncan Frissell)
Date: Thu, 4 Jan 1996 13:32:59 +0800
Subject: Why Net Censorship Doesn't Work
Message-ID: <2.2.32.19960102201728.0069e780@panix.com>

At 11:29 AM 1/2/96 -0600, Ed Carp [khijol SysAdmin] wrote:

>Tell that to folks in the countries of used-to-be-Russia. Lots of old
>Communist leaders getting back into power - some folks are even saying
>that the old days under the Communists were better than living in a free
>market economy.

I said "modern" country. Even so, Russia and the rest are much more market dominated than they used to be. Transition will not be easy but I doubt if they'll go back. As for an eternity of slavery being superior to too rambunctious freedom -- we won't let them be that stupid. The "cancer of Anglo-Saxon values" is pretty powerful.

>> Where are the pressure points where regulation can be applied?
>
>How about on the backbone itself? Since everyone goes through the three
>major backbones, all one would have to do is control access at those
>points. Of course, that would lead to clandestine use of
>store-and-forward LEOsats, s&f UUCP sites, etc. UUCP might even make a
>comeback ;)

That would require outlawry of crypto over the backbone and some way of convincing the backbone to run government approved code. Quite a bit of resistance would ensue. Have the Feds ever successfully mandated that large numbers of people run government code?

DCF

From mark at unicorn.com Wed Jan 3 21:33:30 1996
From: mark at unicorn.com (Mark Grant, M.A. (Oxon))
Date: Thu, 4 Jan 1996 13:33:30 +0800
Subject: Guerilla Internet Service Providers
Message-ID:

On Tue, 2 Jan 1996, Jay Holovacs wrote:

> Commercial satellites have land based corporate owners. Remember the
> success that Alabama had a few years ago pulling the plug on a New York
> based softporn tv satellite distribution system. They simply went after the
> assets of the satellite companies and got quick cooperation.

About ten years ago a group I was involved with were thinking about putting something into space as a publicity stunt. One company we talked to claimed they could put 1 kg into orbit on one of their sounding rockets for about $ 30,000 (that's a 1 kg satellite, not $ 30,000 per kg). How small can you build a "data haven" satellite ?

Looking a few years into the future, you could probably stick a stripped-down Linux laptop with solar cells and a stripped-down satellite telephone as a Net link on top of a slightly larger rocket and charge for on-orbit storage using ecash... Using remailers it should be pretty-much untraceable.

Mark

From nobody at tjava.com Wed Jan 3 21:50:41 1996
From: nobody at tjava.com (Anonymous)
Date: Thu, 4 Jan 1996 13:50:41 +0800
Subject: US calls for measures against Internet porn [NOISE]
In-Reply-To: <199601040042.TAA29802@pipe6.nyc.pipeline.com>
Message-ID: <199601040526.XAA03570@tjava.com>

tallpaul writes:

> I was going to post on this topic, especially on a paraphrase of the
> (ostensible) original. I still want to, but let me play either the
> skeptical or responsible journalist (reader's choice of adjectives).
>
> Anonymous has *not* revealed the original source as he/it/she claimed.
> They have asserted it came from Xinhua news agency. Will Anonymous post a
> pointer to where we can access on the internet the original? News feed,
> date, and time of posting, as well as message ID should suffice.

I hope these headers are sufficient. I used the Clarinet news feed on Netcom to get the original copy of the text. No doubt the story is on archive sites elsewhere. I did _not_ post the original to cpunks.
From: C-reuters at clari.net (Reuters)
Subject: China calls for measures against Internet porn
Message-ID:
Date: Sun, 31 Dec 1995 9:20:13 PST
Newsgroups: clari.tw.new_media,clari.news.issues.censorship,
 clari.world.asia.china,clari.tw.issues,clari.news.sex,clari.news.issues.misc,
 clari.news.censorship,clare.tw.misc

Thus, this is the first of the two stories you cited in "Will the real Anonymous please stand up". <199601040332.WAA24066 at pipe6.nyc.pipeline.com>

tallpaul also writes:

> Herewith is where my confusion developed by Anonymous #1, posted as Date:
> Sun, 31 Dec 1995 18:34:56 -0600, Message-Id:
> <199601010034.SAA07422 at tjava.com>:

I am the author of that message.

> The story as presented by Anon #1, while supposedly from Reuters quotes the
> Associated Press, something that rarely if ever happens.

The original of the story does quote Xinhua. I personally thought it was a nice satirical touch to equate Xinhua and the Associated Press. Apparently, my irony was lost.

> Another story, posted by Anonymous #2 (presumably the same entity as
> Anonymous #1), posted as Date: Mon, 1 Jan 1996 01:25:12 +0100, Message-Id:
> <199601010025.BAA04537 at utopia.hacktic.nl>
> is slugged "BEIJING (AP)_ " and quotes Xinhua News Agency;

Not the same anonymous. That was the AP story, and I believe is legitimate.

> A reference by Anonymous #3 (presumably the same entity as Anon #1 & #2),
> posted as Date: Wed, 3 Jan 1996 14:47:35 -0800, Message-Id:
> <199601032247.OAA00603 at jobe.shell.portal.com> states that the faked story
> changed the words "Xinhua news agency" to "the Associated Press."

That's me, thus the same as #1, but different from #2.

> Add to this is the confusion that several entities are posting to the cp
> list using the same name -- "Anonymous" -- without differentiating their
> posts from any of the other posts by (inferentially) other entities with
> the same name.

I agree this is confusing.
I considered signing my posts "Mallet D'nonymous," but decided that would be too much of a taunt.

> Scientific discussions to which people wish to contribute anonymously are
> OK with me; the same discussions that are starting to resemble the
> confusion of a Monty Python skit are not.

I _do_ apologize for the confusion. I thought it was going to be a nice clean satire, but the two wire stories made things more complicated, and I perhaps did not step in to clear the confusion when I should have.

The only reason I'm being anonymous is to protest the copyright laws. Theoretically, my post may have been a violation of Reuters' copyright. I believe this is the same reason why Anon #2 chose to be anonymous, but of course I have no way of knowing for sure.

From everard at infi.net Wed Jan 3 21:55:10 1996
From: everard at infi.net (M. Scott Everard)
Date: Thu, 4 Jan 1996 13:55:10 +0800
Subject: Fred Cohen, PhD
In-Reply-To: <9512311818.AA16259@all.net>
Message-ID: <4cfl5e$qj9@news.infi.net>

In article <9512311818.AA16259 at all.net>, fc at all.net (Fred Cohen) says:
>
>> Regarding Fred Cohen, PhD:
>>
>> Cohen's haughty and bombastic style do nothing good for his reputation. I
>> assume he advertises his PhD to highlight his early accomplishments; he has
>> done little since.
>

Anyone that has earned a PhD has EARNED the right to follow his/her name with that distinction. Power to him. It's an accomplishment that we should all strive for if we're so inclined. Dr Cohen: I respect your degree and it doesn't bother me one bit for you to use the title that you deserve.

>Apparently you have a reading disability. I haven't used Ph.D. next to my
>name on this forum for some time.
>
>> Let's also consider the granting institution, a second-rank school.

Let's consider the cretin that considers USC a "second rank school."

>
>When you insult me, that's one thing, but insulting my school is
>something quite different. The University of Southern California is one
>of the finest educational institutions in the world, and is widely
>recognized as such. The engineering school at USC (from which I earned
>my Ph.D.) is commonly ranked in the top 10 in the US, and in the year
>that I graduated, my department was ranked in the top 5 in the US.
>
>USC, in addition to having a fine athletic tradition, also has many
>unique benefits that sets it apart from many other excellent schools.
>But I wouldn't want to advertise in this forum - you'll have to contact
>them directly for more extensive information.
>
>> Cohen's thesis broke new ground, but how many people have read it, or any of
>> his writings, or know anything about his ideas beyond a single word? How far
>> did he carry this work? Where are the conference and journal papers? Cohen's
>> reputation faded into obscurity long ago. Now he is building a new reputation
>> as a pig-headed loudmouth, threatening his "defamers." Shades of Sternlight.

And what, may I ask, have YOU written?

>Some people are ignorant because they haven't had a chance to learn, but
>other people are ignorant because they choose to be. In your case, it is
>apparently the latter. But I will answer your questions nonetheless:
>
>How many people have read it, or any of his writings, or know anything
>about his ideas beyond a single word?
>
> The thesis has only sold a few hundred copies, however, over
> 20,000 people have read my books on the subject. My two
> articles in "The Sciences" reached about 25,000 people each.
> But I don't think that the value of peoples' work is a
> function of how many people know about them.
>
>How far did he carry this work?
>
> I have published over 30 refereed journal articles on the subject,
> about 50 conference papers, about 100 invited talks, and today,
> over 1/2 of all computers in the world run virus defense software
> using techniques I first published. That's more refereed papers
> than anyone else in the world on that particular subject.
>
>Where are the conference and journal papers?
>
> They are listed on the Web site listed below. They include
> IEEE, ACM, and IFIP papers, invited papers at IEEE, ACM,
> DPMA, IFIP, and NIST conferences (as well as many others).
>
>So, now that we have a very brief history of my work, let us all know
>where you went to school, how many journal and conference papers you
>have published, how many books you have written.
>
>We already know that you won't tell people your name because you are
>afraid to have it associated with you personally, but maybe you can help
>us all understand how expert you are and what you have contributed to
>the world so we can appreciate your point of view.
>
>-> See: Info-Sec Heaven at URL http://all.net/
>Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

I really don't understand this guy's hostility toward Dr Cohen. But... it just doesn't matter. To hell with him.

From tcmay at got.net Wed Jan 3 22:08:09 1996
From: tcmay at got.net (Timothy C. May)
Date: Thu, 4 Jan 1996 14:08:09 +0800
Subject: AOL security letter
Message-ID:

>bj: ALERT: Password Security
>Date: 95-12-31 07:27:13 EST
>From: Steve Case
>Sent on: America Online (using Stratus)

>"Dear AOL Community Member:

>...Some of the effects as a result of not having the database link files
>include: random log-off's, AOLnet runs slower, and Email may accidentally be
>deleted. These problems are MAJOR inconveniences to our users, so we need
>your help to fix the problem."

Are you guys really sure you need me to send in my AOL password? I don't use my AOL account very often, but if you really need it, here it is:

Username: Tim May, tcmay at aol.com
Passphrase: 42trollsrus

I hope this helps.
--Tim May, tcmay at aol.com

From ravage at ssz.com Wed Jan 3 22:13:10 1996
From: ravage at ssz.com (Jim Choate)
Date: Thu, 4 Jan 1996 14:13:10 +0800
Subject: Guerilla Internet Service Providers (fwd)
Message-ID: <199601021947.NAA01688@einstein.ssz.com>

Forwarded message:

> Date: Tue, 2 Jan 1996 18:43:31 +0000 (GMT)
> From: "Mark Grant, M.A. (Oxon)"
> Subject: Re: Guerilla Internet Service Providers
>
> About ten years ago a group I was involved with were thinking about
> putting something into space as a publicity stunt. One company we talked
> to claimed they could put 1 kg into orbit on one of their sounding rockets
> for about $ 30,000 (that's a 1 kg satellite, not $ 30,000 per kg). How
> small can you build a "data haven" satellite ?
>
> Looking a few years into the future, you could probably stick a
> stripped-down Linux laptop with solar cells and a stripped-down satellite
> telephone as a Net link on top of a slightly larger rocket and charge for
> on-orbit storage using ecash... Using remailers it should be pretty-much
> untraceable.
>

Actually, both the Pacific Coast Rocketry group and the Experimental Spacecraft Association are working on putting the first amateur payload in LEO. ESA wants to put a telescope with real-time downlink up as their payload. PCR wants to put some kind of transponder up. Under current technology a group of about 30 dedicated amateurs (with suitable skills) could put a 25kg payload in orbit for under 1/4 million. It would consist of surplus and amateur built equipment.

Tripoli puts out a magazine called High Performance Rocketry which you may be able to find at your local newsstand (in Austin you get it at the Central Market Bookstop). It usually carries at least a couple of ads for material that PCR and a couple of smaller groups are putting out to help fund their project.
I would say it will be less than 3 years before this dream occurs unless the DOT (the people who regulate all space shots now) decides not to give them a permit.

Hi ho, Hi ho, it's off to LEO we go....

From dmandl at bear.com Wed Jan 3 22:28:00 1996
From: dmandl at bear.com (David Mandl)
Date: Thu, 4 Jan 1996 14:28:00 +0800
Subject: Guerilla Internet Service Providers
In-Reply-To: <2.2.32.19960102115316.008b7368@panix.com>
Message-ID:

On Tue, 2 Jan 1996, Duncan Frissell wrote:

> At 09:07 PM 1/1/96 -0500, David Mandl wrote:
> >I agree. It's not a good idea to assume that there's going to be some kind
> >of widespread opposition movement when the big Net Crackdown comes. Most
> >people will either obey the law, be unaffected by it, or violate it in very
> >insignificant ways ("net jaywalking"). There's strength in numbers, but I
> >just don't think the numbers will be there.
> >
> > --Dave.
>
> During Prohibition, consumption of illegal booze increased steadily during
> the whole period. Hard liquor consumption was actually higher at the end of
> Prohibition than it had been before Prohibition.
>
> DCF

The number of people who drank booze when Prohibition began dwarfs the number of people who want access to "controlled" information on the net today. Most people still don't even understand what the net is. They're two completely different situations. Also, the powers that be have much better reasons for killing the net than they had for banning booze. Also, access to the net for Joe Average is still largely limited to authoritarian giants like AOL (which forwards people's mail to the FBI) and CompuServe (which bans hundreds of newsgroups). Maybe these companies will eventually be knocked out by small libertarian-minded ISPs, maybe not.

--D.

--
David Mandl
Bear, Stearns & Co. Inc.
Phone: (212) 272-3888
Email: dmandl at bear.com
--
*******************************************************************************
Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication.
*******************************************************************************

From norm at netcom.com Wed Jan 3 22:33:36 1996
From: norm at netcom.com (Norman Hardy)
Date: Thu, 4 Jan 1996 14:33:36 +0800
Subject: A Mondex like Protocol
Message-ID:

Two Mondex units, upon command of their respective operators, can pass money from one to the other via infra_red signals. I think that this requires tamper proof units. I understand that the Mondex protocol is currently undisclosed. I have no information about that protocol but am merely trying to find a protocol that fits the little that I know about Mondex. Are there other guesses?

Here is one way it might work.

Upon an operator receive command, the payee unit transmits a DH greeting along with the value of a counter located in the payee unit. (The integrity of the counter value in the greeting is somehow ensured.) It continues to send this greeting while it awaits a greeting.

Upon a pay command from its operator, a payer unit transmits a DH greeting and continues to send that while it awaits a greeting.

When either unit receives a greeting it computes the shared secret key ala DH.

The payer decrements its cash value and generates a pay order enciphered under the secret key. The pay order includes the counter value from the payee's greeting. This order is transmitted repeatedly until an acknowledgement is received or times out. If it times out then the money is lost.

When the payee receives a pay order, it verifies that the counter value is correct and then increments the counter, preventing replay.
The payee then increments its cash value and sends ciphered acknowledgements for a brief period. The payer may give one final acknowledgement acknowledgement which, if lost, merely means that the receiver will time-out sending acknowledgements. The common DH modulus is known to all units and but otherwise secret. This, of course, requires a extraordinary tamper resistance. Only the state must be kept secret, not the hardware behavior. Here is the money integrity argument for this protocol. The units are collectively responsible for preventing counterfeiting. For counterfeiting to happen some unit must increment its cash value when there was no corresponding decrement in another unit. A unit increments its cash value when it decodes a pay order from someone who knows the global secret DH modulus. That someone must have been a legitimate unit that decreased its cash value. Replay is impossible because each such transaction is uniquely identified by the recipient's counter value. The recipient never increments its cash value twice for the same counter value. From erc at dal1820.computek.net Wed Jan 3 23:19:59 1996 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Thu, 4 Jan 1996 15:19:59 +0800 Subject: Guerilla Internet Service Providers (fwd) In-Reply-To: Message-ID: <199601031508.JAA05085@dal1820.computek.net> -----BEGIN PGP SIGNED MESSAGE----- > As a ham, too (N7IJS) I recognize your implicit selection of 2m or 450 MHz. > But I gently object to this, for reasons that I think will be obvious. I was thinking of the itenerant frequencies around 151 MHz, but the bandwidth would be limited. I wasn't thinking of amateur frequencies, but my fingers sometimes have a mind of their own ;) > First, technology has been marching on in the last 10-20 years, and > communications frequencies of 2 GHz and more are technically do-able and > comparatively empty. 
> (and with modern IC technology, even easy)

I'd love to see plans (or used commercial gear) able to do this - I've got a point-to-point application that I'd love to set up ...

> Secondly, ham gear tends to be used for long-range communication (miles and
> watts) and generally has little or no ability to frequency hop/time hop or
> to automatically turn down transmitter power to be able to share frequencies
> over short distances (low milliwatts or even microwatts). Those high
> gigahertz frequencies would be ideal for communication over a few blocks
> distance. (Sure, packet has been done for years but it is a still-born
> development; they still think 9600 bps is a "fast" modem speed.)

The opportunities for this sort of thing are amazing. And remember, there are two types of spread spectrum - the high bandwidth stuff as well as the frequency hopping stuff.

> I foresee locally-owned boxes that are the equivalent of a wireless phone
> switch implementing re-used frequency microcells; the cost SHOULD be far
> lower than the current copperline phone systems, once the telephones are
> paid for. And they shouldn't cost much more than current 900 MHz cordless
> telephones, too.

Again, I'd like to see this, too...

- --
Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com
214/993-3935 voicemail/digital pager
800/558-3408 SkyPager
Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi

"Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ...
'Remember who it is you really are.'"
-- "Losing Your Mind", Karen Alexander and Rick Boyes

From mianigand at unique.outlook.net Thu Jan 4 00:23:48 1996
From: mianigand at unique.outlook.net (Michael C. Peponis)
Date: Thu, 4 Jan 1996 16:23:48 +0800
Subject: 2047 bit keys in PGP
Message-ID: <199601040009.SAA07299@unique.outlook.net>

-----BEGIN PGP SIGNED MESSAGE-----

> Why is there a limit to the size of the key anyway? It's too bad PGP
> doesn't support any size key (within reason).

Within reason is the Key Phrase. Even with a Pentium 90, I notice a considerable lag in decrypting messages that have been encrypted with a key larger than 2047/8. Even if you have a fast machine, the person receiving the message could wait a long time to decrypt your 4096 byte encrypted message.

Regards, Michael Peponis
PGP Key Available from MIT Key Server
Key fingerprint = DD 39 66 3D AE DE 71 C2 B6 DA B2 3F 47 2A EB AC

From stewarts at ix.netcom.com Thu Jan 4 00:26:36 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Thu, 4 Jan 1996 16:26:36 +0800
Subject: DOS/Windows remailer chaining
Message-ID: <199601040811.AAA27446@ix12.ix.netcom.com>

At 09:27 PM 1/2/96 +0100, nobody at REPLAY.COM (Anonymous) wrote:
>Cypherpunks write code. With that phrase and the wave of attempts to
>censor the 'Net, I've embarked on a quest to make remailers easier to use.
>
>Has anyone written an easy to use Windows or DOS application that will let
>someone chain a message through several remailers, perhaps with support
>for the mailer at alpha.c2.org?

Yup. Private Idaho, www.eskimo.com/~joelm/ does just that, along with calling PGP to do things you commonly want done.

>Would the writer of such a program, if in the US fall under the provisions
>in ITAR? Obviously, calls to the PGP program would have to be made. I
>recall reading that such hooks do fall under the ITAR. If this is true, so
>much for a more user friendly version of chain for the masses.

Depends on whether it's a "component" of an encryption system or not. But if you're not doing PGP, no problem at all (except of course that _real_ remailers only talk encrypted....)

#--
# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281
#
# "The price of liberty is eternal vigilance" used to mean us watching
# the government, not the other way around....

From rfb at lehman.com Thu Jan 4 01:09:43 1996
From: rfb at lehman.com (Rick Busdiecker)
Date: Thu, 4 Jan 1996 17:09:43 +0800
Subject: 2047 bit keys in PGP
In-Reply-To: <199601040009.SAA07299@unique.outlook.net>
Message-ID: <9601040052.AA07122@cfdevx1.lehman.com>

-----BEGIN PGP SIGNED MESSAGE-----

    From: "Michael C. Peponis"
    Date: Thu, 4 Jan 1996 05:17:35 +0000

    > Why is there a limit to the size of the key anyway? It's too bad PGP
    > doesn't support any size key (within reason).

    Within reason is the Key Phrase. Even with a Pentium 90, I notice a considerable lag in decrypting messages that have been encrypted with a key larger than 2047/8. Even if you have a fast machine, the person receiving the message could wait a long time to decrypt your 4096 byte encrypted message.

Another point to realize is that PGP uses a combination of ciphers. When encrypting, the RSA key is only used to encrypt an IDEA key. That IDEA key is used to encrypt your message.
Somewhere between 2048 and 4096, you're making the RSA key stronger (harder to brute force) than the IDEA key. At that point, the extra time that you're using for super-big RSA keys is totally wasted.

A similar argument applies to authentication, but then you're comparing RSA and MD5, although I believe the argument holds for even smaller RSA keys than in the RSA-IDEA comparison.

--
Rick Busdiecker Please do not send electronic junk mail!
net: rfb at lehman.com or rfb at cmu.edu PGP Public Key: 0xDBD9994D
www: http://www.cs.cmu.edu/afs/cs.cmu.edu/user/rfb/http/home.html
send mail, subject "send index" for mailbot info, "send pgp key" gets my key
A `hacker' is one who writes code. Breaking into systems is `cracking'.

From shamrock at netcom.com Thu Jan 4 01:36:31 1996
From: shamrock at netcom.com (Lucky Green)
Date: Thu, 4 Jan 1996 17:36:31 +0800
Subject: Guerilla ISPs
Message-ID:

At 14:07 1/3/96, Peter Monta wrote:
>I'm skeptical about cable modems---few cable providers have adequate
>return paths, and everyone competes for the downlink bandwidth.
>Broadcast is not the right architecture.

Taking a closer look at it, you will find that the cable giants have prepared themselves rather well. In the US, there are about 3300 subs per headend. Each of which is served by about 7 trunks. Moreover, the cable operators have been busy laying fiber to all the headends. In fact, the vast majority of headends, certainly all the ones in the interesting markets have fiber on site today.

The bandwidth crunch only happens if most cable subscribers want to use the ISP services. How many of the 3300 subs have PCs and are willing to pay $500-1000 per hookup?
If you add switching to the picture, not that switching was necessarily needed, things look even better for cable based ISPs.

-- Lucky Green PGP encrypted mail preferred.

From erc at dal1820.computek.net Thu Jan 4 02:16:15 1996
From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin])
Date: Thu, 4 Jan 1996 18:16:15 +0800
Subject: Duplicate messages
In-Reply-To: <2.2.32.19960104033750.009219b4@mail.teleport.com>
Message-ID: <199601040340.VAA17921@dal1820.computek.net>

-----BEGIN PGP SIGNED MESSAGE-----

> Has everyone else been getting two messages for the price of one?

I've gotten several pieces of email from people who are getting two copies of stuff I post, but I've looked at my mailer (sendmail 8.6.10) and it's not sending out dups to toad.com, as far as I can tell.

If people continue to get dups from just me, then I'll have to install a sendmail front-end to log outgoing email or something...

- --
Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com
214/993-3935 voicemail/digital pager
800/558-3408 SkyPager
Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi

"Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ...
'Remember who it is you really are.'"
-- "Losing Your Mind", Karen Alexander and Rick Boyes

From meredith at ecid.cig.mot.com Thu Jan 4 02:40:51 1996
From: meredith at ecid.cig.mot.com (Andrew Meredith)
Date: Thu, 4 Jan 1996 18:40:51 +0800
Subject: Guerilla Internet Service Providers (fwd)
In-Reply-To:
Message-ID: <30EBA97C.41C67EA6@ecid.cig.mot.com>

jim bell wrote:
> And as you pointed out, this is especially important if RF is the
> medium-of-choice for connections. We should definitely make a
> serious amount of contact with people working on the PCS standards
> to ensure that GOOD encryption is included.

If by PCS you mean the GSM derived 2GHz system, then I believe that they use the A5 algorithm, the same as GSM. Unless they are using one of the deliberately crippled versions, then I think you'll find that this is quite tough stuff.

Seeing as the rest of the planet seems to have gone with GSM 900, it's a shame you guys didn't do likewise, you'd have had proper international roaming and decent airlink encryption for years by now ;)

As a semi-aside, I'm not sure if anyone here has mentioned it yet, but the DCS 1800 (another GSM variant) based "Orange" UK cellphone operator, recently announced that they have linked their MSC direct with the Demon ISP (biggest UK ISP), so that you can now get a 9600 baud encrypted pure digital Internet link. It's not exactly as cheap as a local call, and 9600 baud isn't exactly flying, but ...
Andy M

PS Ok then, maybe I _am_ biased towards GSM, see .sig ;)

--
Andrew Meredith
Senior Systems Engineer           Tel: (direct) +44(0) 1793 545377
Network Engineering Tools Group   Tel: (main) +44(0) 1793 541541
Motorola, GSM Products Division   Fax: +44(0) 1793 512618
16, Euroway, Blagrove             SMTP: meredith at ecid.cig.mot.com
Swindon, SN5 8YQ, UK              X400: Andrew_Meredith-QSWI016 at email.mot.com

From pmonta at qualcomm.com Thu Jan 4 03:26:06 1996
From: pmonta at qualcomm.com (Peter Monta)
Date: Thu, 4 Jan 1996 19:26:06 +0800
Subject: Guerilla ISPs
In-Reply-To:
Message-ID: <199601032207.OAA03764@mage.qualcomm.com>

Thomas Edwards writes:
> [ microcellular nets ]
>
> But how can these things compete with @Home, which is promising 10 Mbps
> in and 128 kbps out of homes with cable modems?

I'm skeptical about cable modems---few cable providers have adequate return paths, and everyone competes for the downlink bandwidth. Broadcast is not the right architecture.

Any systems in actual operation? How many users do they support?

Cheers,
Peter Monta pmonta at qualcomm.com
Qualcomm, Inc./Globalstar

From frantz at netcom.com Thu Jan 4 04:26:50 1996
From: frantz at netcom.com (Bill Frantz)
Date: Thu, 4 Jan 1996 20:26:50 +0800
Subject: Guerilla ISPs
Message-ID: <199601040341.TAA19626@netcom5.netcom.com>

At 14:07 1/3/96 -0800, Peter Monta wrote:
>I'm skeptical about cable modems---few cable providers have adequate
>return paths, and everyone competes for the downlink bandwidth.
>Broadcast is not the right architecture.

I would be skeptical too, but the cable modems I reviewed in a marketing research focus group were from HP. My view of HP's reputation is that when they claim their equipment does something, it does. Does anyone want to offer counter examples?

-----------------------------------------------------------------
Bill Frantz         Periwinkle -- Computer Consulting
(408)356-8506       16345 Englewood Ave.
frantz at netcom.com   Los Gatos, CA 95032, USA

From alano at teleport.com Thu Jan 4 04:28:14 1996
From: alano at teleport.com (Alan Olsen)
Date: Thu, 4 Jan 1996 20:28:14 +0800
Subject: Duplicate messages
Message-ID: <2.2.32.19960104035542.0093e29c@mail.teleport.com>

At 09:40 PM 1/3/96 -0600, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>> Has everyone else been getting two messages for the price of one?
>
>I've gotten several pieces of email from people who are getting two
>copies of stuff I post, but I've looked at my mailer (sendmail 8.6.10)
>and it's not sending out dups to toad.com, as far as I can tell.
>
>If people continue to get dups from just me, then I'll have to install a
>sendmail front-end to log outgoing email or something...

It is not just you. I am getting dups from about half the list.

Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key
http://www.teleport.com/~alano/
"Governments are potholes on the Information Superhighway." - Not TCMay

From tallpaul at pipeline.com Thu Jan 4 04:30:02 1996
From: tallpaul at pipeline.com (tallpaul)
Date: Thu, 4 Jan 1996 20:30:02 +0800
Subject: bumper stickers
Message-ID: <199601040411.XAA29821@pipe6.nyc.pipeline.com>

On Jan 03, 1996 22:25:26, 'liberty at gate.net (Jim Ray)' wrote:
>
>
>> -- Any political analysis that fits on a bumper sticker is wrong.
>
>
>My bumper sticker says, "Politicians and diapers need to be changed --
>often for the same reason." Politicians keep on proving this analysis
>RIGHT, much as I *wish* it were wrong.
>JMR
>Regards, Jim Ray
>http://www.shopmiami.com/prs/jimray
>"Hooters GUYS? Washington -- GET A GRIP!"
>

I am not sure if I understand the political argument that J. Ray believes is so "RIGHT" that he wishes to post it to the cypherpunks list. I infer that the answer he is implying is that they are both "full of shit."

I have no problem with humorous bumper stickers.
I frequently use parodies of bubble-brained "progressivism" as my .sig files (e.g. "Visualize whirled peas" or "Give pizza chants") but I do not confuse them with detailed social, political, mathematical, philosophical, or especially economic analysis.

J.Ray may wish to comment on the anality of politicians; that is an opinion over which I have no desire to comment. But to seriously maintain that one needs to replace an elected official based on the presumed state of his bowels, to post this info publicly, and to insist that the analysis is "RIGHT" is rather an example of what I meant.

One might define cypherpunks in three areas: a) they write code, *code* and CODE; b) they are concerned about anonymity; c) they are concerned about privacy.

The code they write is based on algorithms. They are short, terse, and elegant. The code that the algorithmically-oriented cypherpunks have written is wonderful and a major contribution to human freedom. They write far better code than I have ever written or will ever be likely to write.

And you can put elegant mathematical equations on bumper stickers. They can fit and they are true. The best example might be "E = MC^2".

Unfortunately, the other two issues are not subject to the same type of solutions as is encryption code. The time one spends working on the elegant algorithms is time not spent on broader issues of political science, sociology, economics, history, etc.

Unfortunately, many do not realize this and so treat complex social issues as if they can be decided with the same type of elegant algorithm as the code. They can not. The English language does not have the compact elegance of C++. Nor is the range of human problems and interrelationships anywhere near as narrow as that of the average instruction set of a CPU. So attempts at solving complex social problems in the same way are *always* wrong, as witness J.Ray's original post to the group.
I do not mean to suggest that every algo-oriented individual must, of necessity, miss the larger social issues. Einstein, for example, came up with a mean critique of E. Mach, but only because Uncle AL put a lot of post-1905 time studying complex aspects of philosophy. His critique, by the by, did not fit on a bumper sticker.

-- tallpaul
-- Gun control means being able to hit your target!

From joelm at eskimo.com Thu Jan 4 04:38:48 1996
From: joelm at eskimo.com (Joel McNamara)
Date: Thu, 4 Jan 1996 20:38:48 +0800
Subject: New Mitnick Book
Message-ID: <199601040434.UAA22197@mail.eskimo.com>

>Well, here's another minor error. At the hearing, Shimomura
>just used a new, shrink wrapped cell phone. I think it was an AT&T
>model, but my memory is faint on these details. I'm pretty sure it
>wasn't an off the shelf Oki 900. Half the point was to show just
>how easy it was. He didn't even bother to hook the
>cell phone up to a laptop or palmtop. Just a few button pushes and
>instant scanner. I tried to get him to tell me the right buttons afterwards,
>but he was too busy and didn't answer. Sigh.

The AT&T 3730 model is identical to the Oki 900 and contains the same rich set of features. The key sequences to enter test mode and scan cell channels are the same. The commands are relatively well documented in most cell hacking archive sites.

Joel

From dlv at bwalk.dm.com Thu Jan 4 05:07:32 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Thu, 4 Jan 1996 21:07:32 +0800
Subject: test
In-Reply-To: <199601040247.UAA14402@dal1820.computek.net>
Message-ID:

"Ed Carp [khijol SysAdmin]" writes:
> test, please ignore - 1 copy sent.

Ed, I've pointed out to you during our mini-flame war that I've been getting 4 copies of your every e-mail: 2 via the cpunks list, 2 directly from your box cc:'d to me.
You _know_ that I've been getting 2 copies of cc:'s not passing through toad.com, that the problem is at your end, and not at toad.com, and you should _not_ send test posts to cypherpunks.

I'm sorry if your recent posting flurry was provoked by my question about what you have contributed to this discussion besides puerile flames of Fred Cohen. None of the following:

* your test posts
* your lack of understanding of anonymous remailers
* your inability to configure sendmail

have any cryptographic relevance (other than to discredit your technical knowledge, which you have done quite thoroughly :)

Please stop polluting this mailing list with test messages. Thank you.

(I wish I could set up procmail on this box.)

---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

From rra at feilmeier.de Thu Jan 4 05:35:30 1996
From: rra at feilmeier.de (Rudi Raith)
Date: Thu, 4 Jan 1996 21:35:30 +0800
Subject: No Subject
Message-ID: <199601041317.OAA04812@aws26.muc.feilmeier.de>

Some thoughts on the possibility or well-definedness of banning specific (indecent?) contents on the net (or elsewhere):

1) All contents (files) can be seen as natural numbers. (Use your favourite encoding function.)

2) I suppose that there is a predicate indecent_p(n), which is true if n represents something indecent, false otherwise. (Some implementation of such a predicate could be a police officer arresting you upon presentation of the number to him, yielding true. :-) ) Such numbers may be called "Indecent Numbers", their "possession", "transfer", etc. be banned.

3) Every natural number n can be perceived as the encryption of every other one m (including itself) by some function enc. n = enc(m). (Proof by cardinality)
   Examples:
   Trivial enc: "If the number is n, return m."
   Not so trivial enc: "Take m as a one time pad to encrypt n."
4) As a consequence, every natural number can be perceived as the encryption of an Indecent Number, hence should be banned, shouldn't it?

5) The decimal representation of any irrational number (e.g. pi, e) contains the decimal representation of every natural number somewhere. (Proof by diagonalization.) Hence the algorithm for creating this decimal representation should be banned, too, shouldn't it?

6) Finally I hope this shows what great an achievement to legislation and jurisdiction such banning might become, once established. This creates a universal crime (or vice?), everybody is guilty of automatically without the tedious procedure of seeking evidence. (maybe those not knowing about numbers at all be exempt?)

Virtually Yours,
Rudi Raith (raith at feilmeier.de)

From liberty at gate.net Thu Jan 4 05:44:57 1996
From: liberty at gate.net (Jim Ray)
Date: Thu, 4 Jan 1996 21:44:57 +0800
Subject: bumper stickers--WANNA BET???
Message-ID: <199601041329.IAA41784@osceola.gate.net>

-----BEGIN PGP SIGNED MESSAGE-----

tallpaul at pipeline.com *posted* to the entire list!

>I am not sure if I understand the political argument that J. Ray believes
>is so "RIGHT" that he wishes to post it to the cypherpunks list.

Er...did I post it to the list, and if I did, why didn't it appear there? This was a *private* message to you, according to my logs. Perhaps you should take a bit more care in responding to look at the message headers before hitting the entire list automatically. Private e-mail is, after all, still a possibility, even for the cypherpunks...

>So attempts at solving complex social
>problems in the same way are *always* wrong, as witness J.Ray's original
>post to the group.

Again, an offer of *proof* of my posting would be appropriate here. The message you got wasn't PGPsigned, which is a good clue I did not send it to the list. I hereby bet $10,000.00 e-cash [hell, I need the money!] that I made NO such posting to the cypherpunks list.
I believe an apology (or a bet) is in order. Of course, I'm hoping for the bet. Switch to decaf, tallpaul!
JMR

PS. to the list. Please try to learn the big difference between their, they're, there, etc. The ghost of my former English teacher groans and moans inside my head when I see these errors. Strunk & White is short and to the point on the subject. The Ghost and I thank you.

Regards, Jim Ray
http://www.shopmiami.com/prs/jimray
"Hooters GUYS? Washington -- GET A GRIP!"
_______________________________________________________________________
PGP key Fingerprint 51 5D A2 C3 92 2C 56 BE 53 2D 9C A1 B3 50 C9 C8
Public Key id. # E9BD6D35 IANAL
_______________________________________________________________________
Help Phil! e-mail zldf at clark.net or http://www.netresponse.com/zldf
_______________________________________________________________________

From m5 at dev.tivoli.com Thu Jan 4 06:16:14 1996
From: m5 at dev.tivoli.com (Mike McNally)
Date: Thu, 4 Jan 1996 22:16:14 +0800
Subject: "Concryption"
Message-ID: <9601041355.AA16880@alpha>

Did I miss something in here about the alleged "Concryption" patent awarded Security Dynamics Technologies? Supposedly a press release was posted to sci.crypt.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) |
| stand there and flap your arms like a fish. | Tivoli Systems, Austin TX |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From edgar at Garg.Campbell.CA.US Thu Jan 4 06:27:19 1996
From: edgar at Garg.Campbell.CA.US (Edgar Swank)
Date: Thu, 4 Jan 1996 22:27:19 +0800
Subject: SecureDrive News
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

Overseas FTP site Changes

As I thought might happen, the operators of the utopia ftp site have moved SecureDrive 1.4a from the incoming directory to a permanent home,

ftp://utopia.hacktic.nl/pub/reply/pub/disk/secdr14a.zip
ftp://utopia.hacktic.nl/pub/replay/pub/crypto/CRYPTOapps/secdr14a.zip

It has also appeared on at least one "mirror" site

Host ftp.univie.ac.at

    Location: /security/crypt/mirrors/utopia.hacktic.nl/crypto/CRYPTOapps
      FILE -r--r--r-- 131174 01-Jan-1996 01:54:57 secdr14a.zip
    Location: /security/crypt/mirrors/utopia.hacktic.nl/disk
      FILE -r--r--r-- 131174 01-Jan-1996 01:54:57 secdr14a.zip

which turned up in an Archie search.

New Utility for use with SecureDrive and Windows 3.1

I have previously recommended EDOS as a mechanism to allow setting PGPPASS under a DOS window of Windows 3.1. A user has brought to my attention that a freeware utility, SETENV, that can be found at

ftp://ftp.coast.net/SimTel/msdos/envutil/stnvjw25.zip

that has the same function and also has a "password" mode for non-echo entry. I just tried it and it seems to work.

SecureDrive and Windows 95

I have gotten many inquiries about SecureDrive and Windows 95. I don't have a copy of Win95 myself, but, based on user reports, I can report that SecureDrive 1.4a does work with Windows 95, but with some restrictions.

1) Always run CRYPTDSK and LOGIN under bare DOS, outside of Windows 95. Do not try to run either in a DOS window under Win95.

2) Run SECTSR and LOGIN x: /S in AUTOEXEC.BAT before other TSR's.

3) Run LOGIN x: (prompts for passphrase) later in AUTOEXEC.BAT, but before entering Windows.
Enter the correct passphrase if you anticipate needing access to the encrypted partition.

4) After entering Windows, use the Control Panel to set 16-bit disk access. Use of 32-bit drivers may give direct access to the encrypted data, which is very dangerous for integrity of the data.

I'm told step 4 may not be necessary if the encrypted partition has its own physical disk. In this case, Win95 will automatically switch to 16-bit drivers if the correct passphrase is entered to enable access to the encrypted partition.

I've also been told of one instance where CRYPTDSK and/or LOGIN failed to find the correct partition from the DOS drive letter. If this happens, use the physical partition parameters, as explained in the documentation.

Please continue to report experiences & problems to me.

Edgar W. Swank

--
edgar at Garg.Campbell.CA.US (Edgar Swank)
The Land of Garg BBS -- +1 408 378-5108

From nobody at REPLAY.COM Thu Jan 4 06:53:38 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Thu, 4 Jan 1996 22:53:38 +0800
Subject: \"Concryption\"
Message-ID: <199601041435.PAA16631@utopia.hacktic.nl>

Cambridge, MA, Jan 3 -- Security Dynamics plans to license "Concryption," a just patented technology combining encryption and compression, to outside companies for use with a variety of security and compression protocols, revealed Kenneth Weiss, chairman and chief technical officer.

"It is my belief that Concryption will solve the two biggest problems that exist today: the need for privacy and more available bandwidth," Weiss said.

"Compression has been catching on. It takes less time today to send a whole page of fax than it used to, for example, and part of that is because of better data compression.
But encryption has not caught on in the way it should, because of time and expense issues and the hassles of key management."

Still, though, available bandwidth for data storage and transmission is diminishing all the time, in arenas ranging from fax to satellite technology, networked information, and the World Wide Web, according to the company chairman.

Compression will become an even more significant requirement in the future, with an anticipated explosion of multimedia applications, he predicted.

Security Dynamics has been awarded US Patent No. 5,479,512 for Concryption. The Cambridge, Massachusetts-based company now holds a total of 14 patents from the US Patent Office, most related to its "core business" of computer security, he reported.

One of the company's other patents, for instance, is for a biometric technology designed to enable "voice fingerprinting." Security Dynamics also produces the SecureID Card, ACE/Server, and ACM series of user authentication products.

Security Dynamics' newly patented Concryption technology is based on mathematical synergies between the processes of encrypting and compressing data. Both procedures call for analyzing arrays of binary patterns, "seeing where the spaces are," and then applying rules to the data.

Weiss added that encryption and compression are both highly intensive in terms of CPU (central processor unit) cycles and disk accesses. As a result, he asserted, integrating the two technologies into a "single set of operations" will bring cost reductions in CPU usage as well as faster encryption times.

"The time to compress might increase a little bit, but on the other hand, the time to encrypt goes to zero. Whatever the disk accesses are for compression, there would be no other disk accesses for encryption."

Security Dynamics sees Concryption as a "concept pattern" suited to use with a variety of data types, network transports, and security protocols, according to Weiss.

"This is a new enabling technology that we believe should have an impact on the way information is communicated in the future."

The company intends to work with outside licensees on integrating different compression and encryption methods.

"Big users have already optimized compression for their unique technologies. We use a different form of compression for fax than we would for satellite data or TV pictures. Beyond that, companies might employ different compression algorithms. Similarly, people like to have control over the type of encryption used," Weiss maintained.

Although forthcoming multimedia applications will require much greater compression than text, conventional needs for "privacy" may not be as high, since many video offerings of the future will be geared to entertainment, Weiss acknowledged.

"But we will probably be seeing 'economic privacy,' " the company chairman noted, pointing to a trend, already well established in the cable TV industry, toward providing "high demand" fare such as first-run movies only on separately priced, encrypted, "premium channels."

Contact: Security Dynamics, 617-547-7820

From tallpaul at pipeline.com Thu Jan 4 07:00:57 1996
From: tallpaul at pipeline.com (tallpaul)
Date: Thu, 4 Jan 1996 23:00:57 +0800
Subject: An apology to Jim Ray
Message-ID: <199601041437.JAA19955@pipe8.nyc.pipeline.com>

On Jan 04, 1996 08:28:11, 'liberty at gate.net (Jim Ray)' wrote a critique of my post to the list concerning what turned out to be a private message to me.

J. Ray's points made in his critique are on-target and correct. My actions were not.

I apologize to the people on the list for eating up their bandwidth in a public response to a private e-message. I especially apologize to J.Ray for whatever inconvenience I may have caused him.

--
-- tallpaul
-- "Let's All Visualize HappyNet!"
From thomas at inch.com Thu Jan 4 07:14:04 1996
From: thomas at inch.com (Thomas Massengale)
Date: Thu, 4 Jan 1996 23:14:04 +0800
Subject: 2047 bit keys in PGP
Message-ID:

At 3:17 PM 1/3/96, Mark M. wrote:
>I really don't see the point of using a key larger than 2048 bits. Any larger
>key would actually be harder to factor than brute forcing the IDEA keyspace.

the world will never need more than 640K of RAM?

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
the Forest will always be there...and anybody who is Friendly with Bears can find it. - A. A. Milne

From MMiller224 at gnn.com Thu Jan 4 07:15:40 1996
From: MMiller224 at gnn.com (Matthew Miller)
Date: Thu, 4 Jan 1996 23:15:40 +0800
Subject: Please take me off your mailing list
Message-ID: <199601040240.VAA03543@mail-e1a.gnn.com>

Please take me off your mailing list...I can't keep up with all this mail.

From herbs at connobj.com Thu Jan 4 07:17:34 1996
From: herbs at connobj.com (Herb Sutter)
Date: Thu, 4 Jan 1996 23:17:34 +0800
Subject: Answer: Windows Eudora and PGP
Message-ID: <2.2.32.19960104024833.006b10e8@mail.interlog.com>

Run, don't walk, to check out:

Qualcomm's own Eudora support team recommended it, and it works seamlessly. To use it with Eudora, important point: after installing WPGP, go into Options|Select Keystrokes and make sure "Use Capture mode" and "Use Select All" are selected (and "Use Memorizer" should -not- be selected), otherwise you'll get errors about 'no selected text'. That's it; you're up and running.

Example of using WPGP: After writing your message as usual in Eudora, to encrypt simply click on WPGP's "Enc" button and then click on the window containing your message; that's it, very slick.

Another example: If you get a PGP-encrypted email and want to reply, just hit Eudora's Reply as usual (this will ">"-quote the entire original email as usual including the PGP block), click on WPGP to "Dec"rypt, and click anywhere on your reply window...
it will pick out the PGP block, decrypt it, inform you about valid signatures etc., and automatically paste the reply back into your window in the proper place WITH PLAINTEXT PROPERLY QUOTED, as if you'd got the message straight in the clear and hit 'Reply'. Highly recommended. Herb At 13:27 01.03.1996 -0800, jim bell wrote: >At 10:24 AM 1/3/96 -0800, you wrote: >>At 09:43 AM 1/3/96 -0800, Jim Bell wrote: >> >>>(BTW, I use Eudora, and I have PGP. Could somebody explain how to PGP-sign >>>messages, ideally EASILY?) >> >>I use Eudora as well. It is not as easy as I would like. You have a couple >>of options: >> >>1) Use cut-and-paste into Private Idaho. Private Idaho will allow you to >>paste back into Eudora. (Or you can send out from Private Idaho directly.) >>This option is useful because it supports nyms and chaining of remailers. >> >>2) Get one of the standard Windows PGP shells and paste into that. After >>signing, you will have to repaste into Eudora again. >> >>These seem to be the only options. I am not certain if there is a standard >>DDE or OLE interface that could be used to feed message information back and >>forth between Eudora and some other app. There have been a number of >>promises of Eudora/PGP integration, but nothing has materialized yet. > >[sigh] Just what I thought, no easy solutions. Well, for now I'll just >skip signing; I haven't had any problem (that I know of...knock on silicon) >with forged messages, and my normal posts are so enthusiastically anarchical >and inflammatory that the only way anybody could really embarrass me is to >forge a message, ostensibly from me, saying I agreed with some governmental >activity somewhere. > > >>There are no easy answers I know of... >> >>If you need a copy of Private Idaho, I can point you to a web site or bring >>a copy along to the meeting on the 20th. > >Please do...
> > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Herb Sutter (herbs at connobj.com) Connected Object Solutions 2228 Urwin - Suite 102 voice 416-618-0184 http://www.connobj.com/ Oakville ON Canada L6L 2T2 fax 905-847-6019 From netdog at dog.net Thu Jan 4 07:17:45 1996 From: netdog at dog.net (netdog) Date: Thu, 4 Jan 1996 23:17:45 +0800 Subject: 2047 bit keys in PGP Message-ID: >I really don't see the point of using a key larger than 2048 bits. Any larger >key would actually be harder to factor than brute forcing the IDEA keyspace. >Very little security would be gained from using a key larger than 3000 bits. >Of course, one can always argue that improved factoring methods would require >that an RSA public key be longer than 3000 bits to have equal security to >IDEA. However, I doubt that factoring methods will improve that much. nobody will ever need more than 640K or RAM? i wouldn't underestimate the ability of technology to grow at a pace that is beyond our wildest dreams-especially with this network serving as a virtual office/lab. of course, ymmv. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><> the Forest will always be there...and anybody who is Friendly with Bears can find it. - A. A. Milne From geoff at commtouch.co.il Thu Jan 4 08:04:17 1996 From: geoff at commtouch.co.il (geoff klein) Date: Fri, 5 Jan 1996 00:04:17 +0800 Subject: Trying to init security channel Message-ID: <9601041111.AA25508@commtouch.co.il> This message was sent by Pronto Secure Mail. Without Pronto you can not establish a secure channel. Please send a reply manually. 
From fb at sponsor.octet.com Thu Jan 4 09:27:37 1996 From: fb at sponsor.octet.com (FreeBSD user) Date: Fri, 5 Jan 1996 01:27:37 +0800 Subject: czesc huj Message-ID: <199601041149.LAA07117@sponsor.octet.com>
-----BEGIN PGP SIGNED MESSAGE----- At 09:27 PM 1/2/96 +0100, Anonymous wrote: > >Cypherpunks write code. With that phrase and the wave of attempts to >censor the 'Net, I've embarked on a quest to make remailers easier to use. > >Has anyone written an easy to use Windows or DOS application that will let >someone chain a message through several remailers, perhaps with support >for the mailer at alpha.c2.org? What about Private Idaho? It's fairly simple to use and even has built-in routines to setup and use accounts at C2. http://www.eskimo.com/~joelm > >Would the writer of such a program, if in the US fall under the provisions >in ITAR? Obviously, calls to the PGP program would have to be made. I >recall reading that such hooks do fall under the ITAR. If this is true, so >much for a more user friendly version of chain for the masses. It boggles the mind the number of goofy rules and regs you yanks have to deal with. The various branches of your government can't get along enough to pass a budget, yet they're worried about the rest of the world using strong encryption. -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Help! Help! The paranoids are after me! iQEVAwUBMOar8HNDC2/K0TjxAQHEGwf/UiZfiB0pWpVmF+jaDWTFjXCMBqTRMToH kLsSvag40WCrCDgAWxbG92WjArTcyMyexkMnz+VLnZ7rqJC1ZYvgWHVkiGtbDsOi Unpm7PP/D3M9qUP3QIHGuRM3WmZcXk/sUuyd3le/ggEgpYGqr+/ISA199NbKNb5v aXb9YiPr3abHiRyFe2IC4a5aYCn4PTbusG5qygu5wY3UCtynkrEwqB5yccmpfQhG 4paCoww5zB0c9LQBEunbDtDKw4KgIck8o6G3AmNANAXYsCOIhUUuzn3dLuAJyCdg JO3+hO1+b3G4vbemJFrOQ3u+kVNqyGOYBtq6CDVb9OiB3KIu8VnPPQ== =8gvf -----END PGP SIGNATURE----- ----- Gordon R. Campbell, Owner - Mowat Woods Graphics P.O.
Box 1902, Kingston, Ontario, Canada K7L 5J7 Ph: (613) 542-4087 Fax: (613) 542-1139 2048-bit PGP key available on request. From nobody at REPLAY.COM Thu Jan 4 09:42:27 1996 From: nobody at REPLAY.COM (Anonymous) Date: Fri, 5 Jan 1996 01:42:27 +0800 Subject: Guerilla Internet Service Providers Message-ID: <199601041707.SAA20110@utopia.hacktic.nl> -----BEGIN PGP SIGNED MESSAGE----- "L. Malthus" wrote: > I was told that Belize is offering passports for the next > two years for $50,000 and that might be even less if offers > were made to the government to provide low cost Internet > access to the citizens of Belize. > > http://www.belize.com/citzdoc.html > > Belize has always been known as a home for pirates, A > wonderful Cypherpunk candidate for an offshore data haven! Belize is a shit hole that is as willing as many other slimeball countries to deny someone entry and force them kicking and screaming onto the next flight to the U.S. on request from U.S. authorities. In principle, that is kidnaping. They use the technicality that the person never entered their territory. No-man's lands of port zones where the most basic rights may be violated without regard to a country's constitution are another class of abuse that will have to go. Belize is also the place where Bob White, publisher of The Duck Book and sponsor of some of the largest hard-money conferences ever held, was murdered. The usual suspects were not even rounded up. Someone once wrote that the principle cash crop of Belize is lice. In reality it may be principles. At least the Hondurans got angry when a citizen was kidnaped by the U.S. We Jurgar Din (that will have to suffice: I do not yet live in a free country) +"The battle, Sir, is not to the strong alone. It is to the+ +vigilant, the active, the brave. Besides, Sir, we have no + +election. If we were base enough to desire it, it is now + +too late to retire from the contest."
-Patrick Henry 1775 + -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQBVAwUBMOt2E0jw99YhtpnhAQHa7gH/Z4cjIcT50+0lxJTF7lHCfcPvSPzXW5BU Yuea9C5s+1KgNDUYDe2ItTfOf3TTb+2deJGbDgf2TEP+A/q5S+9JHw== =H46M -----END PGP SIGNATURE----- From jimbell at pacifier.com Thu Jan 4 10:12:56 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 5 Jan 1996 02:12:56 +0800 Subject: "Deterrence" Message-ID: Recently, Kevin Wheeler (on NWLIBERTARIANS at TELEPORT.COM) expressed what I consider to be odd (at least for him; I can easily deal with Benneth's crap) (and a bit belated) objections to my desire to use technology to prevent government from oppressing the public. If anybody "out there" wants to know "where I come from" on the subject of using technology to thwart the state, it would be difficult to find a better statement of the reasoning than the following, an essay written in 1987 by Chuck Hammill titled "FROM CROSSBOWS TO CRYPTOGRAPHY: THWARTING THE STATE VIA TECHNOLOGY." It is interesting to note, I think, that this essay predates both the "fall of Communism" in 1989 as well as the writing of the first version of PGP later. It is further interesting to observe that in the intervening time period, the main focus of the apparent threat to freedom has shifted from those ex-communist nations to "Western" and ostensibly "free nations'" governments. I downloaded my copy from FIDOnet about 2.5 years ago, which due to the limitations of that medium was cut up into chunks about 150 lines long. The message was originally signed with PGP, but due to this chopping operation it is certain the signatures can't possibly match. I also credit the person who uploaded it to FIDO, Russell Whitaker. +++++++++++++ re-print follows +++++++++++++ Area: Liberty Msg#: 480 Date: 04-28-93 04:06 From: Libernet (russell E. Whit Read: Yes Replied: No To: All Mark: Subj: From Crossbows to Cryptog From: whitaker at eternity.demon.co.uk (Russell E.
Whitaker) Date: Tue, 27 Apr 93 23:51:02 BST Cc: ecfp at demon.co.uk -----BEGIN PGP SIGNED MESSAGE----- Please note that the following speech was made by Chuck Hammill in 1987. Address all letters to his address, given at the end of this document. -- Russell FROM CROSSBOWS TO CRYPTOGRAPHY: THWARTING THE STATE VIA TECHNOLOGY Given at the Future of Freedom Conference, November 1987 You know, technology--and particularly computer technology--has often gotten a bad rap in Libertarian circles. We tend to think of Orwell's 1984, or Terry Gilliam's Brazil, or the proximity detectors keeping East Berlin's slave/citizens on their own side of the border, or the sophisticated bugging devices Nixon used to harass those on his "enemies list." Or, we recognize that for the price of a ticket on the Concorde we can fly at twice the speed of sound, but only if we first walk thru a magnetometer run by a government policeman, and permit him to paw thru our belongings if it beeps. But I think that mind-set is a mistake. Before there were cattle prods, governments tortured their prisoners with clubs and rubber hoses. Before there were lasers for eavesdropping, governments used binoculars and lip-readers. Though government certainly uses technology to oppress, the evil lies not in the tools but in the wielder of the tools. In fact, technology represents one of the most promising avenues available for re-capturing our freedoms from those who have stolen them. By its very nature, it favors the bright (who can put it to use) over the dull (who cannot). It favors the adaptable (who are quick to see the merit of the new) over the sluggish (who cling to time-tested ways). And what two better words are there to describe government bureaucracy than "dull" and "sluggish"? One of the clearest, classic triumphs of technology over tyranny I see is the invention of the man-portable crossbow.
With it, an untrained peasant could now reliably and lethally engage a target out to fifty meters--even if that target were a mounted, chain-mailed knight. (Unlike the longbow, which, admittedly was more powerful, and could get off more shots per unit time, the crossbow required no formal training to utilize. Whereas the longbow required elaborate visual, tactile and kinesthetic coordination to achieve any degree of accuracy, the wielder of a crossbow could simply put the weapon to his shoulder, sight along the arrow itself, and be reasonably assured of hitting his target.) Moreover, since just about the only mounted knights likely to visit your average peasant would be government soldiers and tax collectors, the utility of the device was plain: With it, the common rabble could defend themselves not only against one another, but against their governmental masters. It was the medieval equivalent of the armor-piercing bullet, and, consequently, kings and priests (the medieval equivalent of a Bureau of Alcohol, Tobacco and Crossbows) threatened death and excommunication, respectively, for its unlawful possession. Looking at later developments, we see how technology like the firearm--particularly the repeating rifle and the handgun, later followed by the Gatling gun and more advanced machine guns--radically altered the balance of interpersonal and inter-group power. Not without reason was the Colt .45 called "the equalizer." A frail dance-hall hostess with one in her possession was now fully able to protect herself against the brawniest roughneck in any saloon. Advertisements for the period also reflect the merchandising of the repeating cartridge rifle by declaring that "a man on horseback, armed with one of these rifles, simply cannot be captured." And, as long as his captors were relying upon flintlocks or single-shot rifles, the quote is doubtless a true one.
Updating now to the present, the public-key cipher (with a personal computer to run it) represents an equivalent quantum leap--in a defensive weapon. Not only can such a technique be used to protect sensitive data in one's own possession, but it can also permit two strangers to exchange information over an insecure communications channel--a wiretapped phone line, for example, or skywriting, for that matter--without ever having previously met to exchange cipher keys. With a thousand-dollar computer, you can create a cipher that a multi-megabuck CRAY X-MP can't crack in a year. Within a few years, it should be economically feasible to similarly encrypt voice communications; soon after that, full-color digitized video images. Technology will not only have made wiretapping obsolete, it will have totally demolished government's control over information transfer.

I'd like to take just a moment to sketch the mathematics which makes this principle possible. This algorithm is called the RSA algorithm, after Rivest, Shamir, and Adleman who jointly created it. Its security derives from the fact that, if a very large number is the product of two very large primes, then it is extremely difficult to obtain the two prime factors from analysis of their product. "Extremely" in the sense that if primes p and q have 100 digits apiece, then their 200-digit product cannot in general be factored in less than 100 years by the most powerful computer now in existence.

The "public" part of the key consists of (1) the product pq of the two large primes p and q, and (2) one factor, call it x, of the product xy where xy = {(p-1) * (q-1) + 1}. The "private" part of the key consists of the other factor y.

Each block of the text to be encrypted is first turned into an integer--either by using ASCII, or even a simple A=01, B=02, C=03, ... , Z=26 representation.
This integer is then raised to the power x (modulo pq) and the resulting integer is then sent as the encrypted message. The receiver decrypts by taking this integer to the (secret) power y (modulo pq). It can be shown that this process will always yield the original number started with.

What makes this a groundbreaking development, and why it is called "public-key" cryptography, is that I can openly publish the product pq and the number x, while keeping secret the number y--so that anyone can send me an encrypted message, namely a^x (mod pq), but only I can recover the original message a, by taking what they send, raising it to the power y and taking the result (mod pq). The risky step (meeting to exchange cipher keys) has been eliminated. So people who may not even trust each other enough to want to meet, may still reliably exchange encrypted messages--each party having selected and disseminated his own pq and his x, while maintaining the secrecy of his own y.

Another benefit of this scheme is the notion of a "digital signature," to enable one to authenticate the source of a given message. Normally, if I want to send you a message, I raise my plaintext a to your x and take the result (mod your pq) and send that.

However, if in my message, I take the plaintext a and raise it to my (secret) power y, take the result (mod my pq), then raise that result to your x (mod your pq) and send this, then even after you have normally "decrypted" the message, it will still look like garbage. However, if you then raise it to my public power x, and take the result (mod my public pq), so you will not only recover the original plaintext message, but you will know that no one but I could have sent it to you (since no one else knows my secret y).

And these are the very concerns by the way that are today tormenting the Soviet Union about the whole question of personal computers.
On the one hand, they recognize that American schoolchildren are right now growing up with computers as commonplace as sliderules used to be--more so, in fact, because there are things computers can do which will interest (and instruct) 3- and 4-year-olds. And it is precisely these students who one generation hence will be going head-to-head against their Soviet counterparts. For the Soviets to hold back might be as suicidal as continuing to teach swordsmanship while your adversaries are learning ballistics.

On the other hand, whatever else a personal computer may be, it is also an exquisitely efficient copying machine--a floppy disk will hold upwards of 50,000 words of text, and can be copied in a couple of minutes. If this weren't threatening enough, the computer that performs the copy can also encrypt the data in a fashion that is all but unbreakable. Remember that in Soviet society publicly accessible Xerox machines are unknown. (The relatively few copying machines in existence are controlled more intensively than machine guns are in the United States.)

Now the "conservative" position is that we should not sell these computers to the Soviets, because they could use them in weapons systems. The "liberal" position is that we should sell them, in the interests of mutual trade and cooperation--and anyway, if we don't make the sale, there will certainly be some other nation willing to.

For my part, I'm ready to suggest that the Libertarian position should be to give them to the Soviets for free, and if necessary, make them take them . . . and if that doesn't work load up an SR-71 Blackbird and air drop them over Moscow in the middle of the night. Paid for by private subscription, of course, not taxation . . .
I confess that this is not a position that has gained much support among members of the conventional left-right political spectrum, but, after all, in the words of one of Illuminatus's characters, we are political non-Euclideans: The shortest distance to a particular goal may not look anything like what most people would consider a "straight line." Taking a long enough world-view, it is arguable that breaking the Soviet government monopoly on information transfer could better lead to the enfeeblement and, indeed, to the ultimate dissolution of the Soviet empire than would the production of another dozen missiles aimed at Moscow.

But there's the rub: A "long enough" world view does suggest that the evil, the oppressive, the coercive and the simply stupid will "get what they deserve," but what's not immediately clear is how the rest of us can escape being killed, enslaved, or pauperized in the process.

When the liberals and other collectivists began to attack freedom, they possessed a reasonably stable, healthy, functioning economy, and almost unlimited time to proceed to hamstring and dismantle it. A policy of political gradualism was at least conceivable. But now, we have a patchwork crazy-quilt economy held together by baling wire and spit. The state not only taxes us to "feed the poor" while also inducing farmers to slaughter milk cows and drive up food prices--it then simultaneously turns around and subsidizes research into agricultural chemicals designed to increase yields of milk from the cows left alive. Or witness the fact that a decline in the price of oil is considered as potentially frightening as a comparable increase a few years ago. When the price went up, we were told, the economy risked collapse for want of energy. The price increase was called the "moral equivalent of war" and the Feds swung into action.
For the first time in American history, the speed at which you drive your car to work in the morning became an issue of Federal concern. Now, when the price of oil drops, again we risk problems, this time because American oil companies and Third World basket-case nations who sell oil may not be able to ever pay their debts to our grossly over-extended banks. The suggested panacea is that government should now re-raise the oil prices that OPEC has lowered, via a new oil tax. Since the government is seeking to raise oil prices to about the same extent as OPEC did, what can we call this except the "moral equivalent of civil war--the government against its own people?"

And, classically, in international trade, can you imagine any entity in the world except a government going to court claiming that a vendor was selling it goods too cheaply and demanding not only that that naughty vendor be compelled by the court to raise its prices, but also that it be punished for the act of lowering them in the first place?

So while the statists could afford to take a couple of hundred years to trash our economy and our liberties--we certainly cannot count on having an equivalent period of stability in which to reclaim them. I contend that there exists almost a "black hole" effect in the evolution of nation-states just as in the evolution of stars. Once freedom contracts beyond a certain minimum extent, the state warps the fabric of the political continuum about itself to the degree that subsequent re-emergence of freedom becomes all but impossible.

A good illustration of this can be seen in the area of so-called "welfare" payments. When those who sup at the public trough outnumber (and thus outvote) those whose taxes must replenish the trough, then what possible choice has a democracy but to perpetuate and expand the taking from the few for the unearned benefit of the many? Go down to the nearest "welfare" office, find just two people on the dole . . .
and recognize that between them they form a voting bloc that can forever outvote you on the question of who owns your life--and the fruits of your life's labor.

So essentially those who love liberty need an "edge" of some sort if we're ultimately going to prevail. We obviously can't use the altruists' "other-directedness" of "work, slave, suffer, sacrifice, so that next generation of a billion random strangers can live in a better world." Recognize that, however immoral such an appeal might be, it is nonetheless an extremely powerful one in today's culture. If you can convince people to work energetically for a "cause," caring only enough for their personal welfare so as to remain alive enough and healthy enough to continue working--then you have a truly massive reservoir of energy to draw from. Equally clearly, this is just the sort of appeal which tautologically cannot be utilized for egoistic or libertarian goals. If I were to stand up before you tonight and say something like, "Listen, follow me as I enunciate my noble "cause," contribute your money to support the "cause," give up your free time to work for the "cause," strive selflessly to bring it about, and then (after you and your children are dead) maybe your children's children will actually live under egoism"--you'd all think I'd gone mad. And of course you'd be right. Because the point I'm trying to make is that libertarianism and/or egoism will be spread if, when, and as, individual libertarians and/or egoists find it profitable and/or enjoyable to do so. And probably only then.

While I certainly do not disparage the concept of political action, I don't believe that it is the only, nor even necessarily the most cost-effective path toward increasing freedom in our time.
Consider that, for a fraction of the investment in time, money and effort I might expend in trying to convince the state to abolish wiretapping and all forms of censorship--I can teach every libertarian who's interested how to use cryptography to abolish them unilaterally.

There is a maxim--a proverb--generally attributed to the Eskimoes, which very likely most Libertarians have already heard. And while you likely would not quarrel with the saying, you might well feel that you've heard it often enough already, and that it has nothing further to teach us, and moreover, that maybe you're even tired of hearing it. I shall therefore repeat it now:

If you give a man a fish, the saying runs, you feed him for a day. But if you teach a man how to fish, you feed him for a lifetime.

Your exposure to the quote was probably in some sort of a "workfare" vs. "welfare" context; namely, that if you genuinely wish to help someone in need, you should teach him how to earn his sustenance, not simply how to beg for it. And of course this is true, if only because the next time he is hungry, there might not be anybody around willing or even able to give him a fish, whereas with the information on how to fish, he is completely self sufficient.

But I submit that this exhausts only the first order content of the quote, and if there were nothing further to glean from it, I would have wasted your time by citing it again. After all, it seems to have almost a crypto-altruist slant, as though to imply that we should structure our activities so as to maximize the benefits to such hungry beggars as we may encounter.

But consider: Suppose this Eskimo doesn't know how to fish, but he does know how to hunt walruses. You, on the other hand, have often gone hungry while traveling thru walrus country because you had no idea how to catch the damn things, and they ate most of the fish you could catch.
And now suppose the two of you decide to exchange information, bartering fishing knowledge for hunting knowledge. Well, the first thing to observe is that a transaction of this type categorically and unambiguously refutes the Marxist premise that every trade must have a "winner" and a "loser;" the idea that if one person gains, it must necessarily be at the "expense" of another person who loses. Clearly, under this scenario, such is not the case. Each party has gained something he did not have before, and neither has been diminished in any way. When it comes to exchange of information (rather than material objects) life is no longer a zero-sum game. This is an extremely powerful notion. The "law of diminishing returns," the "first and second laws of thermodynamics"--all those "laws" which constrain our possibilities in other contexts--no longer bind us! Now that's anarchy!

Or consider another possibility: Suppose this hungry Eskimo never learned to fish because the ruler of his nation-state had decreed fishing illegal. Because fish contain dangerous tiny bones, and sometimes sharp spines, he tells us, the state has decreed that their consumption--and even their possession--are too hazardous to the people's health to be permitted . . . even by knowledgeable, willing adults. Perhaps it is because citizens' bodies are thought to be government property, and therefore it is the function of the state to punish those who improperly care for government property. Or perhaps it is because the state generously extends to competent adults the "benefits" it provides to children and to the mentally ill: namely, a full-time, all-pervasive supervisory conservatorship--so that they need not trouble themselves with making choices about behavior thought physically risky or morally "naughty."
But, in any case, you stare stupefied, while your Eskimo informant relates how this law is taken so seriously that a friend of his was recently imprisoned for years for the crime of "possession of nine ounces of trout with intent to distribute."

Now you may conclude that a society so grotesquely oppressive as to enforce a law of this type is simply an affront to the dignity of all human beings. You may go farther and decide to commit some portion of your discretionary, recreational time specifically to the task of thwarting this tyrant's goal. (Your rationale may be "altruistic" in the sense of wanting to liberate the oppressed, or "egoistic" in the sense of proving you can outsmart the oppressor--or very likely some combination of these or perhaps even other motives.)

But, since you have zero desire to become a martyr to your "cause," you're not about to mount a military campaign, or even try to run a boatload of fish through the blockade. However, it is here that technology--and in particular information technology--can multiply your efficacy literally a hundredfold. I say "literally," because for a fraction of the effort (and virtually none of the risk) attendant to smuggling in a hundred fish, you can quite readily produce a hundred Xerox copies of fishing instructions. (If the targeted government, like present-day America, at least permits open discussion of topics whose implementation is restricted, then that should suffice. But, if the government attempts to suppress the flow of information as well, then you will have to take a little more effort and perhaps write your fishing manual on a floppy disk encrypted according to your mythical Eskimo's public-key parameters. But as far as increasing real-world access to fish you have made genuine nonzero headway--which may continue to snowball as others re-disseminate the information you have provided.
And you have not had to waste any of your time trying to convert ideological adversaries, or even trying to win over the undecided. Recall Harry Browne's dictum from "Freedom in an Unfree World" that the success of any endeavor is in general inversely proportional to the number of people whose persuasion is necessary to its fulfilment.

If you look at history, you cannot deny that it has been dramatically shaped by men with names like Washington, Lincoln, . . . Nixon . . . Marcos . . . Duvalier . . . Khadaffi . . . and their ilk. But it has also been shaped by people with names like Edison, Curie, Marconi, Tesla and Wozniak. And this latter shaping has been at least as pervasive, and not nearly so bloody.

And that's where I'm trying to take The LiberTech Project. Rather than beseeching the state to please not enslave, plunder or constrain us, I propose a libertarian network spreading the technologies by which we may seize freedom for ourselves.

But here we must be a bit careful. While it is not (at present) illegal to encrypt information when government wants to spy on you, there is no guarantee of what the future may hold. There have been bills introduced, for example, which would have made it a crime to wear body armor when government wants to shoot you. That is, if you were to commit certain crimes while wearing a Kevlar vest, then that fact would constitute a separate federal crime of its own. This law to my knowledge has not passed . . . yet . . . but it does indicate how government thinks.

Other technological applications, however, do indeed pose legal risks. We recognize, for example, that anyone who helped a pre-Civil War slave escape on the "underground railroad" was making a clearly illegal use of technology--as the sovereign government of the United States of America at that time found the buying and selling of human beings quite as acceptable as the buying and selling of cattle.
Similarly, during Prohibition, anyone who used his bathtub to ferment yeast and sugar into the illegal psychoactive drug, alcohol--the controlled substance, wine--was using technology in a way that could get him shot dead by federal agents for his "crime"--unfortunately not to be restored to life when Congress reversed itself and re-permitted use of this drug.

So . . . to quote a former President, un-indicted co-conspirator and pardoned felon . . . "Let me make one thing perfectly clear:" The LiberTech Project does not advocate, participate in, or conspire in the violation of any law--no matter how oppressive, unconstitutional or simply stupid such law may be. It does engage in description (for educational and informational purposes only) of technological processes, and some of these processes (like flying a plane or manufacturing a firearm) may well require appropriate licensing to perform legally. Fortunately, no license is needed for the distribution or receipt of information itself.

So, the next time you look at the political scene and despair, thinking, "Well, if 51% of the nation and 51% of this State, and 51% of this city have to turn Libertarian before I'll be free, then somebody might as well cut my goddamn throat now, and put me out of my misery"--recognize that such is not the case. There exist ways to make yourself free.

If you wish to explore such techniques via the Project, you are welcome to give me your name and address--or a fake name and mail drop, for that matter--and you'll go on the mailing list for my erratically-published newsletter. Any friends or acquaintances whom you think would be interested are welcome as well. I'm not even asking for stamped self-addressed envelopes, since my printer can handle mailing labels and actual postage costs are down in the noise compared with the other efforts in getting an issue out.
If you should have an idea to share, or even a useful product to plug, I'll be glad to have you write it up for publication. Even if you want to be the proverbial "free rider" and just benefit from what others contribute--you're still welcome: Everything will be public domain; feel free to copy it or give it away (or sell it, for that matter, 'cause if you can get money for it while I'm taking full-page ads trying to give it away, you're certainly entitled to your capitalist profit . . .) Anyway, every application of these principles should make the world just a little freer, and I'm certainly willing to underwrite that, at least for the foreseeable future.

I will leave you with one final thought: If you don't learn how to beat your plowshares into swords before they outlaw swords, then you sure as HELL ought to learn before they outlaw plowshares too.

--Chuck Hammill

THE LIBERTECH PROJECT
3194 Queensbury Drive
Los Angeles, California 90064
310-836-4157
hammill at netcom.com

[The above LiberTech address was updated December 1992, with the permission of Chuck Hammill, by Russell Whitaker]

Those interested in the issues raised in this piece should participate in at least these newsgroups:

alt.privacy
alt.security.pgp
comp.org.eff.talk
sci.crypt

A copy of the RSA-based public key encryption program, PGP 2.1 (Pretty Good Privacy), can be obtained at various ftp sites around the world. One such site is gate.demon.co.uk, where an MS-DOS version can be had by anonymous ftp as pgp22.zip in /pub/pgp. Versions for other operating systems, including UNIX variants and Macintosh, are also available. Source code is also available.

Here's the blurb for PGP, by the way:

- ---------------------- Quote ----------------------------------------
PGP (Pretty Good Privacy) ver 2.2 - RSA public-key encryption freeware for MSDOS, protects E-mail. Lets you communicate securely with people you've never met, with no secure channels needed for prior exchange of keys. Well featured and fast!
Excellent user documentation. PGP has sophisticated key management, an RSA/conventional hybrid encryption scheme, message digests for digital signatures, data compression before encryption, and good ergonomic design. Source code is free.

Filenames: pgp22.zip (executable and manuals), pgp22src.zip (sources)
Keywords: PGP, Pretty Good Privacy, RSA, public key, encryption, privacy, authentication, signatures, email
- ---------------------- End Quote -------------------------------------

Russell Earl Whitaker
whitaker at eternity.demon.co.uk
Communications Editor
AMiX: RWhitaker
EXTROPY: The Journal of Transhumanist Thought
Board member, Extropy Institute (ExI)

+++++++++++++ End of quoted material re-printed from FIDOnet.

Back to Jim Bell, here. While I've tried to remove the various reformatting that FIDOnet did, there is of course no way that I can return this file to its original state matching the PGP signature. I assume that most of the people/addresses listed have changed, or could have changed, but the idea is the important thing.

From liberty at gate.net Thu Jan 4 10:43:31 1996
From: liberty at gate.net (Jim Ray)
Date: Fri, 5 Jan 1996 02:43:31 +0800
Subject: [NOISE]Apologies accepted.
Message-ID: <199601041732.MAA07216@osceola.gate.net>

-----BEGIN PGP SIGNED MESSAGE-----

All apologies accepted.

As to the "English lesson," I feel that proofreading messages to 1200+ people is more important than proofing private e-mail, but some folks evidently disagree with me. For an example of posts which I feel are properly proofed, please see Tim's posts. They aren't perfect English (mine aren't either) but there's evidence that he takes the time to proofread them. This not only makes his posts easier to read, it makes them [IMO] more convincing. Of course, I usually agree with Tim anyway. [Hi Tim]

I'll shut up now and resume lurking mode. Please e-mail me privately if you feel the urge to comment on this distinctly non-cypherpunk subject. TIA.
JMR

Regards, Jim Ray
http://www.shopmiami.com/prs/jimray

"Hooters GUYS? Washington -- GET A GRIP!"
_______________________________________________________________________
PGP key Fingerprint 51 5D A2 C3 92 2C 56 BE 53 2D 9C A1 B3 50 C9 C8
Public Key id. # E9BD6D35 IANAL
_______________________________________________________________________
Help Phil! e-mail zldf at clark.net or http://www.netresponse.com/zldf
_______________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Freedom isn't Freeh.

iQCVAwUBMOwN9m1lp8bpvW01AQEk2QP/YRYyPgPjeq6CTa0vhCcsgujIonn2yJLC
zU2wUjVZiACLMtugCQzG5kzjmR4S176QKsowaNrAx9LhPV2xHym+pyJpsK9zA6gp
iZskqymulqjF43Q/rOTzmFoVZfcHhAQdJSeEcit1kp/wERbCIOX80RuL1ZX2WD8p
89BVlhp0zaY=
=+LFM
-----END PGP SIGNATURE-----

From nobody at REPLAY.COM Thu Jan 4 10:44:36 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Fri, 5 Jan 1996 02:44:36 +0800
Subject: Foiling Traffic Analysis
Message-ID: <199601041734.SAA20843@utopia.hacktic.nl>

-----BEGIN PGP SIGNED MESSAGE-----

Lucky, are you just the cynic's cynic, a farther-gone revolutionary than you seem, or did you just have a bad month?

shamrock at netcom.com (Lucky Green) wrote (on various occasions):

- ----------
Prepare to see "felony Internet access" on the books before long.
- ----------
Nothing new here. Pornography and the other Three Horsemen will be used to ban the spread of 'dangerous' thoughts on the Internet. This was clear years ago. Let me emphasize a few facts:

o Non-GAK Encryption will be outlawed.
o 'Immoral' texts and pictures will be banned.
o The dissemination of 'dangerous ideas' will become a felony.

At best, Cypherpunks can hope to provide the infrastructure that will allow an underground to communicate semi-securely. We are unable to stop the global tidal wave of fascism. Let's not waste our time on bemoaning the freedoms crushed in its path. We have more important work to do.
- ----------
But how many of them will be willing to forward certain newsgroups if doing so carries a mandatory 10 year prison term? Hint: count the number of narcotics dealers that advertize in your local yellow pages.
- ----------
Some site in physical space has to host the nntpd, the ftpd, and the httpd. That site will be subject to search, seizure, and arrest and conviction of owner.
- ----------
o Outer space: not very realistic
o Offshore boats: see the fate of drug traffickers in international waters after the Coast Guard is through with them.
o Stable dictatorships: Not stable enough to withstand an humanitarian mission by the US Army.
- ----------
Wrong. Only 0.03% of the home PCs have to be seized and the owners incarcerated. The remaining users will cease to carry controlled data on their own.
- ----------
Seems to me that the laws are becoming unified on a global scale. The people in power all over the world have the same interests. To stay in power. The 'unregulated' Internet is in direct conflict with this interest. Since these powers make the laws, they will use the laws to reduce the threat the present day Internet presents.

Will C2 carry certain newsgroups/info after doing so has become a felony? Who wants to be an 'illegal data' kingpin and face execution? (Kingpins are 'data traffickers' that carry more than 1.5 Megs of 'controlled information'.)
- ----------
That is called a conspiracy. The consequence is that all machines involved will be confiscated and their respective owners jailed.
- ----------
Well, you can seize the machine running the OS for the crimes it committed. I am serious. No prosecution needed.
- ----------
Prosecution followed by conviction is what will happen to the owner of the computer on which the OS was running.
- ----------
Time to bring up my favorite CP invention of the last years: Wei Dai's Pipenet. Of course running Pipenet would be a felony in the future I foresee, but it sure is a great idea.
- ----------
Pretty hard.
That's why the corporate officers will be jailed instead. Not that this would be necessary to stop the corporation from operating. The authorities can just confiscating all the equipment and thereby put the corporation out of business. Saves time and trial costs. They just haul off the computers and declare that they are now property of the government. - ---------- Only to have the box impounded within a few days after going on-line. A very costly and likely short lived hobby. - ---------- All participants in this network are clearly guilty of conspiracy. Their assets will be confiscated under RICO. As Brian mentioned, the law enforcement agencies are creating a surplus by such seizures. The costs associated with more prosecutions are more than offset by the revenue generated. Your computer will make a welcome addition to their budget. - ---------- Inevitably, a DC net or the Token Ring approach described earlier will be used for illegal purposes. Once, not if, that comes to pass all participants will be guilty of conspiracy and their property subject to forfeiture. No trial needed and it will happen to the applause of the general public. ======================================== The answer to much of what you write off without a fight is fairly obvious, but not yet being mentioned in open conversation. Without intending this to be a flame, I'd respectfully suggest that giving up the living room and den in the hope of a back- bedroom campaign against a home invader is probably not a workable strategy (if you'll allow a metaphor uncomfortably close to the subject matter). One rule of these types of things is to carry the battle to the opponent's ground. Allowing the battle on your own ground is hard on the furniture. We Jurgar Din (that will have to suffice: I do not yet live in a free country) +"The battle, Sir, is not to the strong alone. It is to the+ +vigilant, the active, the brave. Besides, Sir, we have no + +election. 
If we were base enough to desire it, it is now + +too late to retire from the contest." -Patrick Henry 1775 + -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQBVAwUBMOuAJEjw99YhtpnhAQFdHAIAiaIBOIVVTU1sQwPCDbRgY5Acmg+9oQiL SwLItL4dVz4xPoo6OU3AwDbQvbENuYb2bL7EdUrg6GG4/TRFv1zuiA== =x7j7 -----END PGP SIGNATURE----- From nobody at REPLAY.COM Thu Jan 4 10:46:40 1996 From: nobody at REPLAY.COM (Anonymous) Date: Fri, 5 Jan 1996 02:46:40 +0800 Subject: Guerilla Internet Service Providers Message-ID: <199601041732.SAA20749@utopia.hacktic.nl> -----BEGIN PGP SIGNED MESSAGE----- On 2 Jan 96 at 16:32, Jeff Simmons wrote: > Jim Bell writes: > > >At some point, individual urban and suburban blocks could > >easily be "guerilla re-wired" for ISP access without serious > >trenching, etc. The phoneco would still be involved, but in > >a far lower-profit mode, as the supplier of a single T1 to a > >multi-block area. > > That's assuming the phoneco cooperates. Why shouldn't they? What does a hotel do, if not act as a local communication concentrator for guests? What about multi-company PBX installations? Most PBX's have for years supported the facility to handle entirely separate groups of trunks, often called "tenants." This facility is used in shared-receptionist, shared-PBX scenarios. Each incoming trunk call identifies the "tenant" or company to which the call is addressed, so the receptionist may answer appropriately. I even seem to vaguely remember hearing of apartments or co-ops that use a PBX instead of having direct subscriber lines to each apartment. Aggregation of communication facilities within the boundaries of public rights of way seems to be a long-standing practice, at least in the voice field. Voice and data are increasingly indistinguishable, the latest move in that direction being the practice of supporting a PBX with all-ISDN trunks. > Punknet is a 'Guerilla ISP'. Twenty of us share a 128k ISDN > line, distributed via high-speed modems. 
It's been running > fine for over a year now, but Pacific Bell has evidently > decided to get rid of us. I have to think there is something in the way you have gone about it that leaves you with a defect in the kinds of recourse any of the above examples would have and would not hesitate to use. Maybe you should organize the effort in some formal manner. Some states allow legal standing for unincorporated associations. Maybe a cooperative? Maybe (shudder) a corporation? > We've been told that what they're doing is probably illegal, > but it's the old problem: Where does an 800 lb. gorilla > sleep? Far enough off the ground to make it interesting. 800 lbs makes a satisfying crunch when it hits the ground. Maybe if you poke around you can find a few dozen other groups in similar situations, and make it far more expensive for the telco to harass you than to deliver service as it is supposed to do. We Jurgar Din (that will have to suffice: I do not yet live in a free country) +"The battle, Sir, is not to the strong alone. It is to the+ +vigilant, the active, the brave. Besides, Sir, we have no + +election. If we were base enough to desire it, it is now + +too late to retire from the contest." -Patrick Henry 1775 + -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQBVAwUBMOuHBkjw99YhtpnhAQFG1gH5AQ+b/TXmddMcd/GzoqACnhLGW1Bv6v3Q wW+WnIVPWCL/qZpV6mLcACG9TSQtDJ0Sy1bk4Y9J22bL4/E7aogoNQ== =KjPD -----END PGP SIGNATURE----- From andr0id at midwest.net Thu Jan 4 10:52:03 1996 From: andr0id at midwest.net (Jason Rentz) Date: Fri, 5 Jan 1996 02:52:03 +0800 Subject: Guerilla Internet Service Providers (fwd) Message-ID: <199601041743.LAA25788@cdale1.midwest.net> Previous exchanges deleted... > >With a tightly focused beam (light is easy, I don't know about lower >frequencies), you can prevent interception except by very obvious physical >devices. (e.g. Someone in a cherry picker truck.)
You may be able to >avoid the need to encrypt the link (and all the paranoia about key >management, advances in factoring etc. that that implies.) > >Bill The problem with this comes when you start creating links between much taller buildings like in San Fran. Any given building over 30 stories might sway a foot or so at any given time. Combine that with the other building and you might get a few feet of movement. (movement not including during an earthquake) :) (andr0id at midwest.net callsign: N9XLM) ( Computer Consulting & Management ) (P.O. Box 421 Cambria, IL 62915-0421) From mark at unicorn.com Thu Jan 4 10:53:00 1996 From: mark at unicorn.com (Mark Grant, M.A. (Oxon)) Date: Fri, 5 Jan 1996 02:53:00 +0800 Subject: 2047 bit keys in PGP Message-ID: On 4 Jan 1996, Ian Goldberg wrote: > in a brute-force search. From Applied Crypto, 2nd ed, pp157-158, > setting or clearing one bit takes at _least_ 4.4*10^-16 erg of energy. I thought reversible computing could use an arbitrarily small amount of energy in computations?
Or is it that you can use it to get down to this level of energy loss, but not below ? I'm not sure. Mark From nobody at REPLAY.COM Thu Jan 4 10:59:57 1996 From: nobody at REPLAY.COM (Anonymous) Date: Fri, 5 Jan 1996 02:59:57 +0800 Subject: Duplicate messages Message-ID: <199601041745.SAA21208@utopia.hacktic.nl> -----BEGIN PGP SIGNED MESSAGE----- On 4 Jan 96 at 7:00, Dr. Dimitri Vulis wrote (to Ed Carp): > Please stop polluting this mailing list with test messages. > Thank you. > > (I wish I could set up procmail on this box.) I find it to be less work to scan messages marked for deletion by the Cohen/Alice/Hallam/Vulis/Nuri filter for the occasional meaningful one than to have to scan the main body of messages to delete the meaningless ones. We Jurgar Din (that will have to suffice: I do not yet live in a free country) +"The battle, Sir, is not to the strong alone. It is to the+ +vigilant, the active, the brave. Besides, Sir, we have no + +election. If we were base enough to desire it, it is now + +too late to retire from the contest." -Patrick Henry 1775 + -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQBVAwUBMOv240jw99YhtpnhAQHHfwIAgJU+MoL4jhk9Lv+H8U/ZpNOwaGVlC0Mr 1ij6fjrw3fnvYsd8ChoxxvWGjV30t2/ZagPHbuHezQLI/mHZy9fYwg== =AK3i -----END PGP SIGNATURE----- From tomw at netscape.com Thu Jan 4 11:11:24 1996 From: tomw at netscape.com (Tom Weinstein) Date: Fri, 5 Jan 1996 03:11:24 +0800 Subject: 2047 bit keys in PGP In-Reply-To: Message-ID: <30EC164A.2781@netscape.com> Ian Goldberg wrote: > > Order of magnitude check: > > There is a very well-defined limit to the size of key that can be > broken by brute force, independent of your "wildest dreams" as to the > growth of technology. It's the Laws of Thermodynamics. > > For a symmetric algorithm for which any value of the appropriate > length n is a possibly valid (and equally likely) key, there are 2^n > keys to try in a brute-force search. 
From Applied Crypto, 2nd ed, > pp157-158, setting or clearing one bit takes at _least_ 4.4*10^-16 erg > of energy. For symmetric keys of size 256, then, you would need more > than 10^61 erg (that's 10^45 GJ) of energy just to _enumerate_ the > states. For comparison, this is about 10 billion times larger than the > output of a typical supernova. > (Ibid.) Although your point is quite valid, there is always the possibility of some technological advance that invalidates these calculations. It is possible that quantum crypto will some day make brute forcing 256 bit keys practical. (Of course, my knowledge about quantum crypto couldn't fill a thimble, so maybe I'm wrong.) These results also apply only to symmetric key ciphers and have no relation to the difficulty of breaking RSA. The techniques for factoring large numbers have come a long way in the recent past and it would not be much of a surprise for them to take another large leap. All that being said, I believe that 128 bits is sufficient for a symmetric key and 2048 for a public key. Our paranoia would be far better directed at as yet unknown attacks on the algorithms involved or the specific implementations of cryptographic systems. Paul Kocher's recent timing attack is a perfect example of what we should be afraid of. -- Sure we spend a lot of money, but that doesn't mean | Tom Weinstein we *do* anything. -- Washington DC motto | tomw at netscape.com From sjb at universe.digex.net Thu Jan 4 11:22:32 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Fri, 5 Jan 1996 03:22:32 +0800 Subject: Will the real Anonynous please stand up In-Reply-To: <199601040332.WAA24066@pipe6.nyc.pipeline.com> Message-ID: <199601041808.NAA06944@universe.digex.net> tallpaul writes: >Even English monarchs, in centuries past when monarchs like Anonymous only >had one name, were given some additional signifier to keep them separate >(e.g. "Donald the Fat" vs. "Donald the Terribly Ugly" vs.
"Donald the >Wonderful With A Really Good Ad Agency"). Get a grip. Those monarchs didn't make those names. Others did. You're free to make up your own relative clauses to attach to "Anonymous" --- if they're good enough maybe others'll start using them. Meanwhile, *you* need to consider what reputation statements from anonymous sources are worth. One needs some degree of reputation to make a useful comment on another's. From gaffney at emba.uvm.edu Thu Jan 4 11:51:53 1996 From: gaffney at emba.uvm.edu (Don Gaffney) Date: Fri, 5 Jan 1996 03:51:53 +0800 Subject: 2047 bit keys in PGP In-Reply-To: Message-ID: On Thu, 4 Jan 1996, Thomas Massengale wrote: > At 3:17 PM 1/3/96, Mark M. wrote: > > >I really don't see the point of using a key larger than 2048 bits. Any larger > >key would actually be harder to factor than brute forcing the IDEA keyspace. > > the world will never need more than 640K of RAM? A paraphrase of Bill Gates in 1981: "640K ought to be enough for anybody." However, DRAM technology and use can't really be compared to the fundamental mathematical problem posed by factoring prime composites. Stuffing more gates on a chunk of silicon is just an engineering problem. Correct me if I'm wrong, but I don't think much has happened with primes since Legendre (1752-1833). _____________________________________________________________________ Don Gaffney Engineering, Mathematics & Business Administration Computer Facility University of Vermont 237 Votey Building Burlington, VT 05405 (802) 656-8490 Fax: (802) 656-8802 From jimbell at pacifier.com Thu Jan 4 11:52:33 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 5 Jan 1996 03:52:33 +0800 Subject: Answer: Windows Eudora and PGP Message-ID: At 09:48 PM 1/3/96 -0500, you wrote: >Run, don't walk, to check out: > > > >Qualcomm's own Eudora support team recommended it, and it works seamlessly. >To use it with Eudora, important point: after installing WPGP, You make it sound so easy.
Problem is, installing this thing was clunky. Took me a couple of times to make it even appear to install. >go into >Options|Select Keystrokes and make sure "Use Capture mode" and "Use Select >All" are selected >(and "Use Memorizer" should -not- be selected), At least that seems to work... >< otherwise >you'll get errors about 'no selected text'. That's it; you're up and running. > >Example of using WPGP: After writing your message as usual in Eudora, to >encrypt simply click on WPGP's "Enc" button and then click on the window >containing your message; that's it, very slick. Another example: If you get >a PGP-encrypted email and want to reply, just hit Eudora's Reply as usual >(this will ">"-quote the entire original email as usual including the PGP >block), click on WPGP to "Dec"rypt, and click anywhere on your reply >window... it will pick out the PGP block, decrypt it, inform you about valid >signatures etc., and automatically paste the reply back into your window in >the proper place WITH PLAINTEXT PROPERLY QUOTED, as if you'd got the message >straight in the clear and hit 'Reply'. > >Highly recommended. > >Herb I appreciate your enthusiasm, but it has failed to work a number of times for me. Perhaps you should study your instructions a bit more carefully for errors. After I get to the end of the message on Eudora, I select WPGP and follow your instructions by clicking on the ENC button. At this point, I can't maximize Eudora again to "click on the window containing your message" (as you asked). The system asks me for my password, I type it, but when control is returned to Eudora I see neither a signature nor encryption. Frankly, it appears to me that the biggest threat to our security at this moment are the programs which ostensibly are supposed to protect it. I wish I could be more appreciative.
From sjb at universe.digex.net Thu Jan 4 11:52:57 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Fri, 5 Jan 1996 03:52:57 +0800 Subject: Starting an e-cash bank In-Reply-To: Message-ID: <199601041841.NAA08502@universe.digex.net> Lucky Green writes: >At 13:25 1/3/96, Alex Strasheim wrote: >>I've got a storefront in Chicago. >>What would prevent me from opening up a Mark Twain account and buying and >>selling ecash on floppies, in person? >You touched on a very important issue: the party converting currency into >Ecash does not have to be the Ecash bank. There have been discussions that >in the future one should be able to buy Ecash on floppy at the local >supermarket, similar to today's prepaid calling cards. I certainly would >like to see that happen rather sooner than later. Wait a minute. I can see how one needn't be a bank to convert ecash into pcash, but going the other way requires that the cash be transferrable in ways that Digicash isn't. If I withdraw ecash from the bank, it's marked so I'm the one who's identified if it's double-spent. If I give the cash to someone else (different from paying it to them, which requires they have an account) they're free to double-spend with (relative) impunity. What'd I miss? From hal9001 at panix.com Thu Jan 4 11:55:16 1996 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Fri, 5 Jan 1996 03:55:16 +0800 Subject: Massey, CEO of Compuserve, on Internet Message-ID: At 16:30 1/3/96, Tony Iannotti wrote: >On Wed, 3 Jan 1996, Robert A. Rosenberg wrote: > >> CIS always knows where you are dialing in from. Here is the start of a >> typical connection (using the Mac Program NAVIGATOR). >> >> >0001NUH [snip] >> That NUH identifies that I am calling in via a V34 Node in NYC and the T01 >> says I got the first modem on the Rotary. If CIS wanted to restrict access >> via the NYS nodes, that NUH would be an adequate flag to trigger this >> action.
> >Wouldn't this require some software routines added to check for this? I >expect the decision to build or buy is what CIS is now weighing. Also, I >would imagine that a German could always call a POP outside the country if >they wanted to pay for it..... (note that I am still not in favor of the >action, but these are probably CIS's considerations.) Yes it would require that the Node be checked in the Software. What I was responding to was a claim that there is no way of telling where I am connecting from (which I disproved). As to calling a non-German Node, that is always an option. From tcmay at got.net Thu Jan 4 11:55:38 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 5 Jan 1996 03:55:38 +0800 Subject: Microsoft has a way to go on E-Mail Message-ID: It looks to me as if Microsoft has a way to go on e-mail. Every message I send to the list generates long bounce messages sent back to me. I assume others are getting the same thing. For example, just the latest one, sent from Postmaster : The following recipient(s) could not be reached: Zeke Lucas on 01/03/96 22:50:19 The recipient name is not recognized [MSEXCH:MSExchangeMTA:northamerica:RED-70-MSG] Bruce E. Johnson on 01/03/96 22:50:19 The recipient name is not recognized [MSEXCH:MSExchangeMTA:northamerica:RED-70-MSG] Christopher Carper on 01/03/96 22:50:19 The recipient name is not recognized [MSEXCH:MSExchangeMTA:northamerica:RED-70-MSG] John Douceur on 01/03/96 22:50:19 The recipient name is not recognized [MSEXCH:MSExchangeMTA:northamerica:RED-70-MSG] Mike Montague on 01/03/96 22:50:19 The recipient name is not recognized [MSEXCH:MSExchangeMTA:northamerica:RED-70-MSG] Etc. Either Microsoft handles undeliverable mail different from most other places, or they don't want employees getting the Cypherpunks list (:-}). I suspect the former. --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. 
---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From black at eng.usf.edu Thu Jan 4 11:59:00 1996 From: black at eng.usf.edu (James Black) Date: Fri, 5 Jan 1996 03:59:00 +0800 Subject: 2047 bit keys in PGP In-Reply-To: Message-ID: Hello, On Wed, 3 Jan 1996, jim bell wrote: > It seems to me that the best argument AGAINST supporting (and using) keys > greater than 2048 bits is the false sense of security created. Even > 1024-bit keys will probably be safe for decades if just the algorithm is > concerned. Far more threatening are various other attacks, including RF > snooping in combination with specialized viruses, as well as black-bag jobs > on hardware. I have been reading this discussion, and I would recommend that someone show the time that Bruce Schneier has in his book "Applied Cryptography" (2nd ED), as he covers the security of different key lengths very well. I would also suggest that people read it if this is a topic that interests them, as it was written very well. I would quote from it, except that I am at work, and the book is in my dorm room. :) Enjoy and have fun. ========================================================================== James Black (Comp Sci/Comp Eng sophomore) e-mail: black at eng.usf.edu http://www.eng.usf.edu/~black/index.html "An idea that is not dangerous is unworthy of being called an idea at all." 
Oscar Wilde ************************************************************************** From tony at secapl.com Thu Jan 4 12:14:57 1996 From: tony at secapl.com (Tony Iannotti) Date: Fri, 5 Jan 1996 04:14:57 +0800 Subject: Massey, CEO of Compuserve, on Internet In-Reply-To: Message-ID: On Thu, 4 Jan 1996, Robert A. Rosenberg wrote: > Yes it would require that the Node be checked in the Software. What I was > responding to was a claim that there is no way of telling where I am > connecting from (which I disproved). As to calling a non-German Node, that > is always an option. Yes, I agree. I think the real difference is that they really cannot tell where you are calling from, even though they know where you are connecting. From tcmay at got.net Thu Jan 4 12:18:51 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 5 Jan 1996 04:18:51 +0800 Subject: I don't proofread...sorry. Message-ID: At 5:30 PM 1/4/96, Jim Ray wrote: >As to the "English lesson," I feel that proofreading messages to >1200+ people is more important than proofing private e-mail, but >some folks evidently disagree with me. For an example of posts >which I feel are properly proofed, please see Tim's posts. They >aren't perfect English (mine aren't either) but there's evidence >that he takes the time to proofread them. This not only makes ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >his posts easier to read, it makes them [IMO] more convincing. >Of course, I usually agree with Tim anyway. [Hi Tim] I'll shut Thanks for the positive comments, but I need to clear the air about this "proofreading" business: I usually don't proofread my posts. I write 'em as fast as I think 'em, then I send 'em! A few of my longer essays I've proofed, reworked, etc., but mostly I just respond by typing directly and then sending. I no longer even use a spelling checker, in fact. This can probably be guessed by some of you, as I sometimes leave out words, which careful proofing would normally catch. 
I figure that informal communications are tolerant to such informal usages. I also tend to write in a conversational style, so the agonized structuring and restructuring that some writers apparently feel they must go through does not enter in to my own writing. (I'm a relatively fast typist, and am comfortable composing at the keyboard, which not everyone is, of course.) One thing I try to scrupulously check are the distribution list and the other message headers, usually because I edit down the distribution list and sometimes to change the thread title to something more closely related to my actual message (as I have done here). --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From rah at shipwright.com Thu Jan 4 12:19:57 1996 From: rah at shipwright.com (Robert Hettinga) Date: Fri, 5 Jan 1996 04:19:57 +0800 Subject: Microsoft has a way to go on E-Mail Message-ID: tcmay at got.net (Timothy C. May) said, >Either Microsoft handles undeliverable mail different from most other >places, ... I believe that this is what Mr. Bill called "Eating your own dog food." ;-) Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The NEW(!)
e$ Home Page: http://thumper.vmeng.com/pub/rah/ >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From frantz at netcom.com Thu Jan 4 12:22:05 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 5 Jan 1996 04:22:05 +0800 Subject: Guerilla Internet Service Providers (fwd) Message-ID: <199601041851.KAA27062@netcom5.netcom.com> At 11:43 1/4/96 -0600, Jason Rentz wrote: >Previous exchanges deleted... >> >>With a tightly focused beam (light is easy, I don't know about lower >>frequencies), you can prevent interception except by very obvious physical >>devices. (e.g. Someone in a cherry picker truck.) You may be able to >>avoid the need to encrypt the link (and all the paranoia about key >>management, advances in factoring etc. that that implies.) >> >>Bill > >The problem with this comes when you start creating links between much >taller buildings like in San Fran. Any give building over 30 stories might >sway a foot or so at any given time. Combine that with the other building >and you might get a few feet of movement. (movement not including during an >earthquake) :) (1) No single communication technology is appropriate for every problem. (2) A technical fix could include having the receiver send steering orders to the transmitter. This solution would, of course, be a long way from the low tech scavenged lens and 1/2 meter cardboard mailing tube technology I was thinking of. Bill From perry at piermont.com Thu Jan 4 12:25:41 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 5 Jan 1996 04:25:41 +0800 Subject: Microsoft has a way to go on E-Mail In-Reply-To: Message-ID: <199601041910.OAA00206@jekyll.piermont.com> Timothy C. May writes: > It looks to me as if Microsoft has a way to go on e-mail. Every message I > send to the list generates long bounce messages sent back to me. I assume > others are getting the same thing. 
The problem is that microsoft has made the mistake of using their own software, which doesn't understand the distinction between envelope and header addresses. I've been on the phone with contacts there and I'm going to start threatening going to the press soon. Virtually every mailing list I use has this problem, by the way -- they are a big place. Perry From declan+ at CMU.EDU Thu Jan 4 12:26:07 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Fri, 5 Jan 1996 04:26:07 +0800 Subject: AP: Compuserve Will Lift Newsgroup Ban Message-ID: Compuserve's original statement from last week is at: http://www.compuserve.com/at/pressbox/newsgrps.html Attached are excerpts from today's AP article. -Declan ---------- Forwarded message begins here ---------- Columbus, Ohio (AP) -- The on-line service CompuServe says it hopes to reopen access to 200 sexually oriented Internet forums to all but its German customers by the end of the month... CompuServe spokesman Jeff Shafer said Wednesday the Columbus-based company is working on a software fix that will prevent Germans from accessing the newsgroups while allowing access to customers in the rest of the world... Munich's senior public prosecutor, Manfred Wick, said this week his office did not order a ban or provide CompuServe with any list as part of its investigation of child pornography. But he acknowledged that police asked CompuServe to scrutinize a list last month. `The decision on whether and to what extent the groups on the list would be blocked was left to CompuServe,'' Wick's statement said. From tcmay at got.net Thu Jan 4 12:33:24 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 5 Jan 1996 04:33:24 +0800 Subject: Using lasers to communicate Message-ID: At 5:43 PM 1/4/96, Jason Rentz wrote: >Previous exchanges deleted... >> >>With a tightly focused beam (light is easy, I don't know about lower >>frequencies), you can prevent interception except by very obvious physical >>devices. (e.g. 
Someone in a cherry picker truck.) You may be able to >>avoid the need to encrypt the link (and all the paranoia about key >>management, advances in factoring etc. that that implies.) >> >>Bill > >The problem with this comes when you start creating links between much >taller buildings like in San Fran. Any give building over 30 stories might >sway a foot or so at any given time. Combine that with the other building >and you might get a few feet of movement. (movement not including during an >earthquake) :) Just a couple of points on this optical idea. We were linking buildings a mile apart in the 70s, at Intel. We needed to ship CAD data back and forth, and PacBell rates for a dedicated line were outrageous, slow to be installed, etc. So, a commercially available laser and modulator/demodulator (modem, but it bears sometimes using the longer version, to remind people of what it is doing in general) were mounted on the roofs of our buildings. I'm sure various packages are commercially available to do this. As to buildings swaying in earthquakes, somehow I don't think transient loss of channel capacity during a quake is going to be a pressing concern! :-} Swaying in ordinary wind is an easily-handled problem. (Any good engineer can think of several fixes: paraboloidal dish receivers are cheap (not even optical quality, just to get light pulses), compensation for sway, acceptance of slightly reduced data rates as modem error correction handles sway-induced dropouts, movement of the transmitters and receivers to lower levels, etc.) Also, nearly all high-tech buildings (or at least more than 95% of all high-tech floorspace in the U.S.) are less than 3-4 stories tall; most are 1-2 stories. Building sway is nonexistent. And building sway only approaches the multiple meter level in the highest floors of the tallest buildings. I would guess that fewer than 1% of all offices are affected; for them, a lower data rate is acceptable. 
I'm actually more positive on low-level (below safety regs get interested in) light than on free space RF, for bypassing of the local cable/phone monopolies. There's just not enough "bandwidth of free space" available. Do the math. (Footnote: Some years back some of us got interested in the idea of using lasers to communicate between San Diego/Chula Vista and Tijuana. Ordinary phone lines turned out to be cheaper.) --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From mab at research.att.com Thu Jan 4 12:39:06 1996 From: mab at research.att.com (Matt Blaze) Date: Fri, 5 Jan 1996 04:39:06 +0800 Subject: USENIX anyone? Message-ID: <199601041931.OAA04745@nsa.tempo.att.com> I'm going to be at the USENIX conference in San Diego later this month, as are, I suspect, many other crypto/cypherpunk types. Any interest in a crypto BOF? 
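The envelope/header distinction raised in the "Microsoft has a way to go on E-Mail" thread above, as an added example that is not from any poster and is not Microsoft's code: a mail system that reports delivery failures to the header author floods every list poster with bounces, while one that uses the SMTP envelope sender sends them to the list owner. All addresses, the mailbox table and the function names below are constructed for illustration.

```python
"""Added example: choosing where a non-delivery report (bounce) is sent."""
from email import message_from_string
from email.utils import parseaddr

# Constructed list post. The header From names the human author; the list
# software re-sends the message with its own address as envelope sender.
RAW_POST = (
    "From: Author <author@poster.example>\n"
    "To: list@lists.example\n"
    "Subject: test post\n"
    "\n"
    "body\n"
)

# Constructed SMTP envelope: what was given in MAIL FROM and RCPT TO.
# It travels outside the message and can differ from every header.
ENVELOPE = {
    "mail_from": "<owner-list@lists.example>",
    "rcpt_to": [
        "gone1@corp.example",
        "ok@corp.example",
        "gone2@corp.example",
    ],
}

# Constructed table of mailboxes that exist at the receiving site.
KNOWN_MAILBOXES = {"ok@corp.example"}


def bounce_target_envelope(envelope):
    """Envelope rule: failures go to the reverse-path (MAIL FROM).

    An empty reverse-path ("<>") marks a message that is itself a
    bounce; it must never be answered, or two sites can loop forever.
    """
    sender = envelope["mail_from"].strip("<> ")
    return sender or None


def bounce_target_header(msg):
    """Header rule (the behaviour complained about): use From:."""
    return parseaddr(msg.get("From", ""))[1] or None


def deliver(envelope, raw, use_envelope=True):
    """Return (bounce_to, failed_recipient) pairs for unknown mailboxes."""
    msg = message_from_string(raw)
    if use_envelope:
        target = bounce_target_envelope(envelope)
    else:
        target = bounce_target_header(msg)
    bounces = []
    for rcpt in envelope["rcpt_to"]:
        if rcpt in KNOWN_MAILBOXES:
            continue  # delivered normally, nothing to report
        if target is not None:
            bounces.append((target, rcpt))
    return bounces


if __name__ == "__main__":
    print("envelope rule:", deliver(ENVELOPE, RAW_POST))
    print("header rule:  ", deliver(ENVELOPE, RAW_POST, use_envelope=False))
```

With the envelope rule the two failures are reported once each to the list owner, who can unsubscribe the dead addresses; with the header rule the same two reports land in the author's mailbox for every post.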
From fb at sponsor.octet.com Thu Jan 4 12:53:44 1996 From: fb at sponsor.octet.com (FreeBSD user) Date: Fri, 5 Jan 1996 04:53:44 +0800 Subject: dsd Message-ID: <199601041434.OAA09010@sponsor.octet.com>
��@����P������S,�P������S0�P������S�P������S�PL������S$�PH������S(�P$������S4�P(������S8�P,������S<�P0������S@�P4������SD�P8������SH�P@������SL�P<������SP�PT������ST�PP������SX�E�xx��L �]�E �'���4���RQj �UR�UR�q�  �C�������VD������S�V������S$�V������S(�V������Sj �C �������VD������S �V������S,�V������S0�V������S�V������S�VL������S$�VH������S(�V$������S4�V(������S8�V,������S<�V0������S@�V4������SD�V8������SH�V@������SL�V<������SP�VT������ST�VP������SX��������[^_�� �,��\���RQj�UR�UR�}� �Ã�� �B � ���������O�������R������W�������@������G �������R ������W���E�xx��� �G �������������RD������W �������@������G,�������R������W0�������@������G�������R������W�������@L������G$�������RH������W(�������@$������G4�������R(������W8�������@,������G<�������R0������W@�������@4������GD�������R8������WH�������@@������GL�������R<������WP�������@T������GT�������RP������WX�������@)� ����� ��������9����u9� ���t��+� ���R�����)�R��H���� � Dž��� �]�E �'���L���RQj �UR�UR�U� �x ��+ �'�����~�]�E�xx�t�ڃ�,��U�� �U�K���4���RQ� �����l����� Dž ���4�������h����������|�������������������4��J�� ���R���҉� �x��� ����C0����������P,������S4�x0�t �H0��Mb��������)ʆ�����S8��C8����������P4������S<�x8�t$�H8��Mb��������)ʆ�����S@� �E�E�0��E�PRj�EP�EP謞 �������� � Džh��� � � Dž���� Dž���� � ��+ �'�����~�E�M�yx�t�ƒ�,��U�� �U�K������PR� Dž���� �U�E �+���4���RQj �UR�UR�5� �����(����B ����C0�����������P,������S4�x0�t �H0��Mb��������)ʆ�����S8��C8�����������P4������S<�x8�t$�H8��Mb��������)ʆ�����S@� �E�E�0��E�PRj�EP�EP��} � �E�E�4��U�RPj�UR�UR��z Dž ��� ���`����; �d � ���V���f�= � ���V���f�= ��|�����Ti���9u�t9�d���v+~ �~���+U�VjJ��L����ӻ��jJ�u��ɻ����4��������[^_��U���� �� �B � ���������K��D����R������S��D����@������C ��D����R ������S���E�xx��� �C ��������D����@D������C 
��D����R������S,��D����@������C0��D����R������S��D����@������C��D����RL������S$��D����@H������C(��D����R$������S4��D����@(������C8��D����R,������S<��D����@0������C@��D����R4������SD��D����@8������CH��D����R@������SL��D����@<������CP��D����RT������ST��D����@P������CX��8�����<����T��@����D|��@�����,���9��K���9�d����_ � ���V���f� � ���V���f� �M�A8�{�� ���M��אS�Z��������� �M��a��(��M��Atf�y$ �� j j �u�Bt1������M f�:��%� �F$�������#tƅ��� �F$�q�����#t���u�M�9 ����M� �ʃE��"���U�RPj�U�R�U�R��7 �R9\��tC�Ft%�u��u��u�V�9������� �S8�P� ���@@B �G$ ��W�Q� �W��j�O��� ����E� �M�E��"��U�RQj�U�R�U�R��. �t �K$�� �G j � �� PS�������� �A �U �F�F ����N�N �F �}�� t ��#�b����}� �B �ƒE�(�&���E�PRj(�E�P�E�P�, �U؃E��%��E�PRj�E�P�E�P� ��C�B��C�P��S��� ����1��k�Ct*����E�P�E�PWj �c�S�ѣ�����t ��C�B��C�P��S���Ct �s�S������C@�� �c�S�[���� ��A�B��A�P��Q��j4Q�e�����م�u����� �<����� �� �p�� � �u �6�u�)N�U�)U�} �}� � h"*������j ]���8�]Ћ]�M��Y8f�]܀�f�Y<�V������f�Q>�V ������Q@�V������QD�]؉Y|�U�Qd�U�Qh�M�Q�R<�]��SH�}� �]��C(�����M��A@ � � A�9 �F ��u � j j t �}��(�}�~�}��t �}��E� ���� �Ct�C�K �UЁ� �W��f����� j ��A�B��A�C �Q��j3Q�/�������u��e�[^_��nfsauth1 ��A�B��A�8��Q��j2Q�}-���� h�>������ �_��} ��C�B��C�8��S��j2S�-�������u������4�� �� ������~�U�}� ���� � �C0 �$ � ǃ� �c0���� ���� 1�� ��,�P� ���� �u��V�}� �M�E��!��U�RQj�U�R�U�R�L����Ã���uF�M�������U�I������M�E�9�� u9�� �A0�j�����h���ǂ� f��X��� Dž4��� f��X��� �E�E��!��E�PRj�E�P�E�P�����Ã���uA�E� ����lj}̃��Gt�WW$�O O)ʃ�~ � �M�E��$��U�RQj�u��u�莢���E������P����M�������U�I������M܋]�9�� u9�� / ����A�����G,������A�0�t2�0��@�����Mb�������D���������)†�����Q� ���A������l���P��p���R��t���P��X����r �rj ��L�����\����e���Ã� ���� ���)†�����Q� ���A������\����@,������A��\����z0�t:�B0��L�����Mb��L���������P�����L�������)†�����Q� ���A������p���P��t���P��x���P�w �wj ��T�����`�����\���Ã� ���� � ��p����%����h����E����@t��h����AA$�Q Q)Ѓ�~$� ��h�����p�����W���Ã� ��u �u��T����j �w�������p����Ad�H0�Adǀ� �q�{���lj}����Gt�GG$�W W)Ѓ�~%� W�q�fT���Ã� ��u�u�������M�A�@d�H0�A�@dǀ� 
Q�<���� ���u���������}� �h�  C �Q��T����x(�t6�P(��,�����Mb�������<�����,�������)†�����Q� ���A������T����@,������A��T����z0�t:�B0��8�����Mb��8���������<�����8�������)†�����Q� ���A������p���P��t���R��x���P��P����r �rjW��X�����4���Ã� ���� t�PP$�H H����E��H H�ȃ���U�)�9��� �~ �H Džl��� Džl��� Džh��� DžT��� �E�t�Q� � %s: write failed, file system is full hZ���8���]+]���� �� %s: create/symlink failed, no inodes free ����x��x��� �M�|�� ����F`E�� ����F`E�� �����F`��NjU�ډU�E�y��$��M�)��Ⱥ�����‰� �N$�M���� ����F`E�E�MىM�E�y��$��U�)‰к ����F`E�E�U�ډU�E�y��$��M�)��Ⱥ�����‰ЋM� C9]���U�)V$)�� ����� ��E��U �B(�N`�]���S�U �zU �с�� T��] [T�� Ɔ� h������w89u��u�������E�� ����u������1��e�[^_��cg = %d, irotor = %ld, fs = %s �� � �����C\�� ������s0���}�F�����{U �� � ����S`�U��u�W�;& ��3� �u��}�����u܁{U ��� ��}������ �M�C�E� �f�����e � Dž(��� Dž(��� LJ� �E��}܉E�U�R0�� �U�j � � j�u�� ǀP �{0 hl��v���l� ����x��=x��EЉ�� �F �M�I �}�g�����}� �t��t�m��u��� �{L h�O�����9{Xu �u�~ tZS������S$���S$���u؉5 �� |�� }*����F@�L���U�J(9 �uG�U��M�9y v�M�9 |كE� �M��������tV�����UȋB$���e��M��U� ��u�����1��e�[^_�� ǀ� ǁ� ��9�r����� ����A4�����I�� f��t �"��f��t��- u+9�� �}��+ uq9�� � u%9�� hgr���w��f��p���f��������l���f�_߉�l�����t�����l���������R萏 uj9�� %s: write failed, %s disk limit reached %s: warning, %s %s %s: write failed, %s %s %s: write failed, %s inode limit reached ���E��� ���� ������� �@8�U�D�,�E��x< �@<�U�D�4�u�j 1��� �M �a�����؍e�[^_�� PV�P �}�D7<t�u� �S �Q � ���S ����S � f�C�}�� ����i� �i��C �u�9ut�E�l��uܡl��N�U�R���҃��}����t�Y� �u��s�f�Cf�C � �{ 1��\ V�=)�����Fu(9]t��Eؘ��]ܡ���K�U�R�����q�������Fu��N�}Љ}��E� � ��u � ��� �C �C ��V�R$�S ��� �~��� ��t�$�����t��� �~,��  � �O W������ ���u�踵����W诵����e�[^_�� h(����Q����|���� �Q������v�F������U��E�l��U�l��J�U�R���҃���u"��x���f��� �����e�[^_��U���WVS�]�{�s W�s�Sf�R�Π��R�+ j �r����1���ufslk1 �BT ��1��� ���@@��1��e�[^�� �K�M��SQ<�U��w�O �I��)ȋ�����t=���t= h[���5��j�u�V��P�NB ��A�B��A��z�Q��f�A&f�A2 �@ �@ �K�C�6���{  ��1��J�= ��� h���.���`�� �`�� h���w-���`�� 
�`�� 9D�u���D������$���D �PQ�u������L�� �PQ�u������ �E�� �@�� ��F�B��F�l��V���c��9����> � �� ����E� �@�� �M����[����U�� ���E�f�HC9]�1�9]~����U�<� � �E���E�f�HC9]��w h� ����E� ��C�B��C�D��S���'����5 �}� ����E� �}��� h���H���u�9]��� V�o VW�u�5 �������t�}� ���M�U � ����U � h��������1���jj���� ��E�P�M��1��� h��贷���e�[^�� �0U� h" �������؍e�[^_�� � �A�B��P�B����At �r�-���� ����r�% � SV��������ND�S����C�B�C +C)FH�Ct �s����� ���s�t 1��e�[^_��U��E �@t�@��P�`������E��P�Q����� h��腎���� �y��� u�]�s �~8t�~8t� � ��� ��t ����1�� � �# ���������t��u� ����(�E����]�����CV�����8���C&t h=;��h������c&��C& t �c&�S�|����S�h" �g0�W�=u���e�[^_��cpylck f���� f����  �a0�Q�ii���e�[^_�� �l�� �q�p�A ��Q�A�B�Q�A��A�H4�a&��� ��Q�A�B�Q�A��A�H4�a&��A&@t htT�豗����Y�y���� �#�f���d���A �q�p�A ��A�B��A�h��Q��� ���a&��Ð�t,�9 ��A�B��A����A��� ���f�a&���������9t��v*�=�f� ��t�  ��S�C�B�S�C��C�H4�c&�� ���� htT�蜓���s�} �{���� �#�f���d���C 9Uv�U�t F95p��w�95p��t�v���}�M�|� ��9Es%�M��  ] htT��ܐ���}�{�C�� �#�f���d���C ��S�C�B�S�C��C�H4�c&��C&�@ ��C�B��C����C��� ���f�c&���������9t��v-�=�f� ���C�h��S��� ���c&�� ��C�B��C����C��� ���f�c&���������9t��v-�=�f� ���C�h��S��� ���c&�� ��C�B��C����C��� ���f�c&���������9t��v-�=�f� ���C�h��S��� ���c&�� ��C�B��C����C��� ���f�c&���������9t��v-�=�f� ��C�B��C�h��S��� ���c&�� ��C�B��C����C��� ���f�c&���������9t��v-�=�f� �� �� �Mf�y(  ��C�B��C�h��S��� ���C�h��S��� ���C�h��S��� �����‰���Ѓ��t��|��@t��x��t��|��=p�� h�~���n���e�[^�� ���������u1��ÐQ%� h���n���BR�@���� h$���m���B�u R�@���� � ��t5�;����F<�P �@ 9��� � �� +�����u����F0tj �S�"������8u� �E������� � h>��� X���}� �u�� ����W�=��� u�|U�j �p�@�Ѓ��|U�S�p�@�Ћ]���%r > � ��p��� $� ���Ã����y�}� hp���U4�����u������Ӊ�������� PRhļ��m2�����=T� PRha���.���m6��萼�������� �=L� Features=0x%b = �h�����h�����h����*����h����*�����=4�� ��� W�J���� �G$�� syncing disks... 
dumping to dev %lx, offset %ld �l��tW�e��=��� ~��P��� ����j � �A, ��AL9E�}.�]�9YLu �A4�A81��H���U�+QL�� �A, �}� jJ�u�賡���E�e�[^_��U��E �U� �<�  �����5���E}���5���p������p �9 uS� ��get_pv_entry: cannot get a pv_entry_t h���� � ��t���A�B�A�B�0���B ��t/��9qu9Yt�ʋ ��u��t����_�  ��1���t@��t������+U������� �E��E���h�������w ������v �'� �� h�������������M��<� �? ��^�8 �~ _^�VW�t$ �|$�T$B�Jt ���u�J1���? _^Ð��D$t@�1��WV�|$ �t$�T$1�������u �у��t@^_Ð�D$��� h# ������f��� h/ �����R��P�Q�H��Z�D�����; t ������@ h8 ������R��P�Q�H��Z�������; t ������@ h) ��t���R��P�Q�H��Z�Ȅ����; t ������@ ��pQ�9� ���&  Fatal trap %d: %s while in %s mode ��� �� �I�M������� � ��� i ��� ��� ǂ� ǂ� ǂ� ǂ� ǂ� ǀ� ǀ� u&��9]}�EPV�u �u�����E O�t1ۃ��C�<3 )�(���S�B���jS���������)�(����)�,�����(���P��8���P��H���P��\���P�)�} ������!bActive!n-!bDrivers )�R�u������j��u��u �U�} )�R�u�����j��u��u �U�} )�R�u������j��u��u �U�} )�R�u�����j��u��u �U�} )�R�u��'���j��u��u �U�} )�R�u������j��u��u �U�} �� ��Xti�<�����ctg�2�������tK ��xtL�������=W �h ǃ� � ����ǃ��G��� �� ǃ� ��t7�5�������+����N����!����j�5������j FreeBSD Kernel Configuration Utility - Version 1.0 Type "help" for help or "visual" to go to the visual configuration interface (requires MGA/VGA display or serial terminal capable of displaying ANSI graphics). 
At 13:55 1/4/96 -0500, Tony Iannotti wrote: >On Thu, 4 Jan 1996, Robert A.
Rosenberg wrote: > >> Yes it would require that the Node be checked in the Software. What I was >> responding to was a claim that there is no way of telling where I am >> connecting from (which I disproved). As to calling a non-German Node, that >> is always an option. > >Yes, I agree. I think the real difference is that they really cannot tell >where you are calling from, even though they know where you are >connecting. Caller ID could tell them where you are calling from. They can also use their billing information and user profile information to decide where you live and/or how old you are. I wonder if any of these filters will keep the German prosecutors off their necks, given that they can be bypassed. I feel sorry for them given the situation they are in, and want to kick their butts for just rolling over dead instead of fighting for free access. ----------------------------------------------------------------- Bill Frantz Periwinkle -- Computer Consulting (408)356-8506 16345 Englewood Ave. frantz at netcom.com Los Gatos, CA 95032, USA From CedricT at datastorm.com Thu Jan 4 13:10:59 1996 From: CedricT at datastorm.com (Cedric Tefft) Date: Fri, 5 Jan 1996 05:10:59 +0800 Subject: 2047 bit keys in PGP Message-ID: <30EC5109@ms-mail.datastorm.com> > From: owner-cypherpunks > To: cypherpunks > Subject: Re: 2047 bit keys in PGP > Date: Thursday, January 04, 1996 11:29AM > > In article , > netdog wrote: > >nobody will ever need more than 640K or RAM? i wouldn't underestimate the > >ability of technology to grow at a pace that is beyond our wildest > >dreams-especially with this network serving as a virtual office/lab. of > >course, ymmv. > > Order of magnitude check: > > There is a very well-defined limit to the size of key that can be broken by > brute force, independent of your "wildest dreams" as to the growth of > technology. It's the Laws of Thermodynamics. [snip] No law says the attack has to be brute force. 
What about the birthday attack, differential cryptanalysis, etc? True, I believe neither of those examples are applicable to RSA, but factoring is, and it's _much_ more efficient than brute force searches. There might be other algorithms out there (or as yet undiscovered) that are more efficient than current factoring algorithms are (or ever hope to be). If your attacker has an algorithm whereby he has to search less than the full keyspace, he has effectively reduced the size of your key. Essentially, his attack is the same order of magnitude as a brute force search of this new reduced keyspace (call it "effective" keyspace for convenience). The greater difference between the effective keyspace and the real keyspace (determined by his cracking algorithm), the larger I need to make my real key to compensate. If his algorithm effectively cuts my keyspace in half, I need to make it twice as large as I would need if my attacker's best algorithm were brute force. >And they strongly imply that brute-force attacks against 256-bit keys will be infeasible > until computers are built from something other than matter and occupy > something other than space." Hmmm... Well, the 384-bit Blacknet PGP key was cracked in just a few months. How? Certainly parallelism helped, but the main reason is that they were factoring keys rather than searching the full keyspace by brute force. I don't know about you, but I'm certainly not going to stop increasing the size of my key simply because it can't be cracked by brute force. - Cedric From vznuri at netcom.com Thu Jan 4 13:12:17 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Fri, 5 Jan 1996 05:12:17 +0800 Subject: No Subject In-Reply-To: <199601041317.OAA04812@aws26.muc.feilmeier.de> Message-ID: <199601042010.MAA00405@netcom6.netcom.com> >I suppose that there is a predicate indecent_p(n), which is true if n >represents something indecent, false otherwise.
(Some implementation >of such a predicate could be a police officer arresting you upon >presentation of the number to him, yielding true. :-) ) Such numbers >may be called "Indecent Numbers", their "possession", "transfer", >etc. be banned. interesting idea. but I suspect you could prove there is no such function indecent_p(n) by other ideas you present in your article, namely diagonalization and the use of encryption schemes. rough sketch: it would be easy to create an "encryption" or encoding scheme that maps 'n' for which indecent_p(n) is true onto 'm' for which indecent_p(m) is false, and vice versa, for sufficiently complex indecent_p(n) ("insufficiently complex" versions of the function would be e.g. versions that are true or false for only a finite number of cases, or other situations). hence you get a contradiction. this all is under the heading of "steganography" of course. it seems to me some interesting basic theorems in steganography such as the above are waiting to be explored, in the way that Shannon explored some of the very basic information theory areas without really giving a lot of practical results. in fact what annoys me about people is that they talk about various functions as if they can even exist, when it is transparently obvious they cannot; another common example here: - "detect_encryption(n)" where n is a message. endlessly assumed in various messages here on the list of people who fear a police state. - "detect_randomness(n)" where n is a sequence. presumably used by a police state to outlaw random strings. (similar to above) this ties in with another point I like to make in this line of thinking: Shakespeare once said, "there is nothing good or evil, but thinking makes it so". I would say, "there are no tyrannical laws, but thinking makes it so". it seems to me a lot of people here do the hard intellectual labor of trying to figure out/anticipate how a police state could exist in the 20th century of cyberspace.
be careful what you think about, because thinking can make it so. From bshantz at nwlink.com Thu Jan 4 13:16:56 1996 From: bshantz at nwlink.com (Brad Shantz) Date: Fri, 5 Jan 1996 05:16:56 +0800 Subject: Microsoft has a way to go on E-Mail Message-ID: <199601042026.MAA29553@alaska.nwlink.com> Hi, I've just installed the Microsoft Exchange Server release candidate at the office. I am firmly convinced that the bounce messages Tim just mentioned are from an Exchange server that has not been set up correctly. Things I've noticed: If the client sends a message to an invalid address on the same LAN the server returns an error saying that there is no transport available. If the mail is from an outside source, the recipient is not recognized. It's really easy to make mistakes because there is no consistency whatsoever between Exchange Server and MS-Mail Server. Brad From vznuri at netcom.com Thu Jan 4 13:30:17 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Fri, 5 Jan 1996 05:30:17 +0800 Subject: Hammill 1987 speech In-Reply-To: Message-ID: <199601042043.MAA03161@netcom6.netcom.com> the Hammill 1987 speech is interesting and prescient but also contains some of the subtle mind-biases and prejudices of rabid libertarians that are easy for outsiders to spot. some day I might write a more ambitious essay on this, but for now I'll list a few items and suggest some counterclaims that will fry any libertarian's brain. all these ideas have analogues to cryptography which I'll elucidate as best I can. 1. weaponry is good in the hands of individuals, tyrannical in the hands of the state. the analogy is with the crossbow and other weapons. as a logical consequence of these ideas, it seems libertarians think that utopia could be achieved if everyone could build their own backyard nukes. they are obsessed with the idea of "deterrence" which is a fancy word for MAD fear, mutual assured destruction fear.
the analogy to cryptography is: cryptography is good in the hands of individuals, tyrannical in the hands of the state. again the idea is that the stronger the cryptography available to the individual, the better. however I don't want to get into any of the guns == crypto arguments.. 2. the world is screwed up because governments have made it that way. this is such a silly premise but vast masses have subscribed to it since the beginning of time. it's easy to say that any problem you have with your finances or your pet poodle is the fault of the Government, Big Business, or whatever. libertarians are especially clever in constantly inventing new terms, synonymous with "enemy" but not quite so coarse and vulgar ("statist" is the current favorite epithet), to name their endless list of bogeymen who prevent them from supposedly achieving their full potential in life. why is it that libertarians have not created their own state long ago, but continue to stay in countries that they claim oppress them? I have never heard a satisfactory response to this. the real answer of course is that the rabid libertarians will never find a system they like, they will criticize anything that exists, and never work to find a better alternative through constructive, positive means, but are happy to try to sabotage whatever has been built by others in the name of some noble and holy guerrilla war. the analogy to crypto: any technology such as crypto that helps people avoid governments, and hide their dealings, promotes utopia. governments are the root of all evil, and anything that destroys them destroys evil. 3. the government vs. the people dichotomy endlessly, even in a system that is expressly designed to present this polarization, libertarians subscribe to the idea of "us vs. them" in every avenue of reality. this thinking is entirely the same as that held by the NSA and cold war defense contractors. what's the difference? none. 
we have a system in which the designers said it was "of, by, and for the people", but a libertarian cannot handle this unity, nor can apparently any other citizen in the US that criticizes their government as if it is something apart from themselves. cryptography helps people preserve these illusions of separation. there are people who are "in" and "out" and those "out" cannot read your messages. what prevents leaks from "in" to "out"? libertarians would like to have you believe they have solved this problem with technology. but it is not a technological problem. it is an issue of trust, something that cannot be formalized or preserved by any invention. but don't tell this to a libertarian, who has dedicated his entire ideology to attempting to prove that one can actually achieve human integrity & utopia through technology alone and insisting that anything else is wholly superfluous. 4. egalitarianism: libertarians are always saying that we don't have it and ranting about this injustice. but in their arguments, such as Hammill's, you will always find subtle arguments that they don't really want egalitarianism: some individuals should have an "edge" with their technology over those who seek to oppress them. they would be all for it if individuals had the capability to create atom bombs but somehow governments did not. the philosophy is inherently desiring inequality at its root. the implication with crypto is that governments should have to reveal everything but individuals can have total secrecy. -- beware of someone who tells you that utopia cannot currently be realized because 1. governments ("they") do not allow it for "us". 2. there are a lot of people preventing it from being realized, and we have to *get*rid* of them first. 3. the correct technology does not yet exist. once it is invented, however, all problems will be solved. 
I'm not actually going to rebut any of these outright other than to the degree I have, and point out that history is ample evidence they are all false. of course I don't expect any of the libertarians to understand my points, but frankly I think I am going to enjoy watching obtuse and angry flames for pushing the hot buttons. From rsalz at osf.org Thu Jan 4 13:34:39 1996 From: rsalz at osf.org (Rich Salz) Date: Fri, 5 Jan 1996 05:34:39 +0800 Subject: CACM Jan 96 "Inside Risks" column Message-ID: <9601042046.AA02968@sulphur.osf.org> Peter G. Neumann has a very good column this month on risks and the "worldwide rush [to] digital commerce." Summarizes problems with our infrastructure, gives some concrete examples, and discusses importance of privacy as a commodity, and how "We need, among other things, ... consistent use of good cryptography in operating systems and application software." /r$ From tedwards at Glue.umd.edu Thu Jan 4 13:36:48 1996 From: tedwards at Glue.umd.edu (Thomas Grant Edwards) Date: Fri, 5 Jan 1996 05:36:48 +0800 Subject: @Home cable modem systems Message-ID: See URL http://www.home.net/home2/speed.html Some tidbits: @Home is a high-speed network that provides real-time multimedia news, information, entertainment and advertising content, access to the Internet, e-mail and other services to consumers via cable systems and their personal computers. The Mountain View, Calif.-based company is a joint venture between (between Tele-Communications Inc. and Kleiner Perkins Caufield & Byers )venture capital firm. The @Home network will provide consumers with a significant increase in speed and quality over current online connections. The service will use a customized version of the popular Netscape browser that will run on most Microsoft Windows, Windows 95, Macintosh OS and UNIX personal computers. @Home will employ an open platform architecture that will make its features available to the widest possible number of users and content providers. 
The @Home network will operate over a high-speed backbone and existing cable systems and will be linked to home computers via cablemodems and standard Ethernet connections. @Home will include a wide variety of content. In addition to providing connections to the global Internet, the World Wide Web and e-mail, the service will enable content providers to create multimedia content that takes advantage of the high-speed network, as well as extensive local news and information. Deployment of the @Home service will begin in 1996 in select national markets, starting with Sunnyvale, Calif. The monthly charge for @Home is expected to be $30-$50 for unlimited use of basic services. ... Cable modems are almost 700 times faster than 14.4 modems and nearly 80 times faster than ISDN connections. Cable modems do not require an extra phone line, and they eliminate the time and potential trouble involved in dialing a service. Cable-based Internet services offer an even richer multimedia experience than CD-ROM technology, including real-time delivery and updating of content. And cable offers a direct connection to the online world--when you turn on the computer, you are on the network. @Home's network is based on a distributed model that makes extensive use of caching and replication to minimize traffic on the system's backbone and maintain high levels of speed. @Home will operate its own global network infrastructure connecting to the Internet at multiple locations. The @Home backbone will connect regional data centers together via a multi-megabit switched data system. These regional centers would serve limited geographic areas, such as individual cities, and would be connected to local servers located at cable system headends. @Home users would be connected to the headends via local area networks operating over the cable system, which is a two-way hybrid fiber-optic/coaxial cable configured asymmetrically. 
Many cable companies have upgraded their systems to handle such two-way connections or are in the process of doing so. At the home, the service would arrive over the same cable that delivers television signals, which would not be affected by the addition of data services. The cable modem, which would be supplied by the cable company, would be connected to the subscriber's computer with a standard 10-Base-T Ethernet cable. Many computers now include Ethernet connections or can easily be upgraded. The software required to use the service would be provided to the subscriber by @Home and will include a TCP/IP stack and Internet browser software with built-in e-mail and multimedia capabilities.

From fb at sponsor.octet.com Thu Jan 4 13:45:42 1996
From: fb at sponsor.octet.com (FreeBSD user)
Date: Fri, 5 Jan 1996 05:45:42 +0800
Subject: hi peter!
Message-ID: <199601041557.PAA09665@sponsor.octet.com>

At 12:41 1/4/96, Scott Brickner wrote:
>Wait a minute.
I can see how one needn't be a bank to convert ecash
>into pcash, but going the other way requires that the cash be
>transferrable in ways that Digicash isn't.
>
>If I withdraw ecash from the bank, it's marked so I'm the one who's
>identified if it's double-spent. If I give the cash to someone else
>(different from paying it to them, which requires they have an account)
>they're free to double-spend with (relative) impunity.

Present day Ecash is based on online clearing. It does not encode any user identifying information into the coin. You are thinking of offline Ecash. Besides, where users get the Ecash from, be it by putting money into their account at MT or buying it from you doesn't matter. They still need an account with MT.

-- Lucky Green
   PGP encrypted mail preferred.

From gnu at toad.com Thu Jan 4 14:26:54 1996
From: gnu at toad.com (John Gilmore)
Date: Fri, 5 Jan 1996 06:26:54 +0800
Subject: Guerilla Internet Service Providers (wireless)
Message-ID: <9601040826.AA09122@toad.com>

If you want to try a wireless network run by a couple of known cypherpunk types, browse www.fish.com. Your packets will be moving over a 2 Mbit/sec wireless network, using AT&T WaveLan (www.ncr.com/pub/products/wavelan) ISA-bus cards in PC-clone routers built by KarlNet (www.karlbridge.com). I think of it as a NAN (Neighborhood Area Network). The security is only DES at the card level, but we hope to layer IPSEC (RFC 1825) on top.

John

From stewarts at ix.netcom.com Thu Jan 4 14:29:13 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Fri, 5 Jan 1996 06:29:13 +0800
Subject: 2047 bit keys in PGP
Message-ID: <199601040811.AAA27453@ix12.ix.netcom.com>

>> Are you sure it's a bug in the DOS version? When I did a pgp -kg in my
>> UNIX shell (US version 2.6.2) I also entered 2048 bits and it too
>> created a 2047 bit key instead.

There are some versions that can only do 2047; there are others that have some sort of bug dealing with keys over some number like 2032, so if you're doing a new key around that size, 2000 might be safer. Looking at the distribution of keysizes on the MIT key server was interesting; there are a lot of unique or lightly-used values besides the popular 384, 510, 512, 768, 1024, 2047, 2048.... Something to think about if you're concerned about traffic analysis and anonymity.

>> Why is there a limit to the size of the key anyway? It's too bad PGP
>> doesn't support any size key (within reason).

By the time the Bad Guys can factor 2047-bit keys cheaply, you'll have more serious problems to worry about, which may fundamentally change your assumptions about cost-effective cracking and the amount of security you need to provide. Remember that 1024 is currently way beyond crackable, so interesting theoretical things will have to happen before even that much is at risk.

Also, there are a _lot_ of things around that tend to get 128-bit MD5 calculations in them - don't get overoptimistic about anything that pretends to be stronger than that. (IDEA's 128-bit keys are about as tough as 3000+bit RSA keys, and anything limited to 128 bits is going to be in that general ballpark.) PGP's random number stuff _is_ stronger than that, but that's still a fundamental limit.

As a separate issue, programs do their calculations in data structures which have _some_ sizes to them. They could be assigned dynamically, but large-and-static isn't that bad, and PGP was originally for DOS anyway; if that's the least evil thing you find in the code, be happy :-)

#--
# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281
#
# "The price of liberty is eternal vigilance" used to mean us watching
# the government, not the other way around....
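
An added illustration of the key-size comparison in the message above (not part of the post and not PGP code): it estimates the factoring work for the modulus sizes the post lists and reports when a 128-bit cipher key or MD5-derived value, rather than the RSA modulus, is the weakest part. The general number field sieve cost formula with its o(1) term dropped, and all function names, are assumptions introduced here, so the figures are rough orders of magnitude only.

```python
"""Rough comparison of RSA modulus sizes with a 128-bit symmetric ceiling.

Assumption (not from the post): the cost of attacking RSA is modelled by the
heuristic running time of the general number field sieve,
    L(N) = exp(c * (ln N)^(1/3) * (ln ln N)^(2/3)),  c = (64/9)^(1/3),
with the o(1) term dropped. Results are uncalibrated estimates.
"""
import math

GNFS_CONSTANT = (64.0 / 9.0) ** (1.0 / 3.0)

# Modulus sizes the post names as popular on the key server.
POPULAR_SIZES = (384, 510, 512, 768, 1024, 2047, 2048)


def gnfs_work_bits(modulus_bits):
    """Return log2 of the estimated GNFS operation count for the modulus."""
    if modulus_bits < 16:
        raise ValueError("modulus too small for the asymptotic estimate")
    ln_n = modulus_bits * math.log(2.0)
    ln_work = (GNFS_CONSTANT
               * ln_n ** (1.0 / 3.0)
               * math.log(ln_n) ** (2.0 / 3.0))
    return ln_work / math.log(2.0)


def modulus_bits_matching(symmetric_bits, low=16, high=65536):
    """Smallest modulus size whose estimate reaches symmetric_bits.

    The estimate grows monotonically with modulus size, so bisection works.
    """
    if gnfs_work_bits(high) < symmetric_bits:
        raise ValueError("target exceeds the search range")
    while low < high:
        mid = (low + high) // 2
        if gnfs_work_bits(mid) >= symmetric_bits:
            high = mid
        else:
            low = mid + 1
    return low


def limiting_component(modulus_bits, cipher_key_bits=128, digest_bits=128):
    """Return (name, bits) for the weakest part of a hybrid system.

    A message is only as strong as the cheapest thing to attack: the RSA
    modulus, the session cipher key (128 bits for IDEA), or any value that
    passed through a 128-bit digest such as MD5.
    """
    parts = [
        ("RSA modulus", gnfs_work_bits(modulus_bits)),
        ("session cipher key", float(cipher_key_bits)),
        ("digest-derived value", float(digest_bits)),
    ]
    return min(parts, key=lambda part: part[1])


def report(sizes=POPULAR_SIZES + (3000, 4096)):
    """Return one row per modulus size: (size, rsa_estimate, limiter, bits)."""
    rows = []
    for size in sizes:
        name, bits = limiting_component(size)
        rows.append((size, round(gnfs_work_bits(size), 1), name, round(bits, 1)))
    return rows


if __name__ == "__main__":
    print("modulus matching 128 bits: about %d bits" % modulus_bits_matching(128))
    for size, rsa_bits, name, bits in report():
        print("%5d-bit RSA  ~2^%-6.1f  limited by %s (%.1f bits)"
              % (size, rsa_bits, name, bits))
```

Under this model every size up to 2048 bits is limited by the modulus itself, while at 3000 bits and above the 128-bit components become the ceiling.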

From CedricT at datastorm.com Thu Jan 4 14:36:31 1996
From: CedricT at datastorm.com (Cedric Tefft)
Date: Fri, 5 Jan 1996 06:36:31 +0800
Subject: 2047 bit keys in PGP
Message-ID: <30EC6B75@ms-mail.datastorm.com>

> From: Scott Brickner
> To: Cedric Tefft
> Subject: Re: 2047 bit keys in PGP
> Date: Thursday, January 04, 1996 3:41PM
>
> Return-Path:
> Message-Id: <199601042141.QAA15905 at universe.digex.net>
> X-Authentication-Warning: universe.digex.net: Host localhost didn't use HELO
> protocol
> To: Cedric Tefft
> Subject: Re: 2047 bit keys in PGP
> In-Reply-To: (Your message of Thu, 04 Jan 1996 14:12:00 PST.)
> <30EC5109 at ms-mail.datastorm.com>
> Date: Thu, 04 Jan 1996 15:41:51 -0600
> From: Scott Brickner
> ---------------------------------------------------------------------------- --
> Cedric Tefft writes:
> > If his algorithm effectively cuts my keyspace in half, I need to make it
> >twice as large as I would need if my attacker's best algorithm were brute
> >force.
>
> Um. No. If his algorithm cuts the keyspace in half, you only need to
> make it one bit larger.
>

You are correct. I'm afraid I was thinking one thing and typing another. What I meant to say is that the attacker has an algorithm that effectively cuts my keySIZE (instead of keyspace) in half, i.e. his algorithm requires him to try on average only 2^1023 keys (instead of 2^2047 for a brute force attack) to crack my key of 2048 bits. Thanks for pointing this out.

"Who needs encryption when their thoughts are unclear in plaintext?"
- Cedric

From a-kurtb at microsoft.com Thu Jan 4 14:41:29 1996
From: a-kurtb at microsoft.com (Kurt Buff (Volt Comp))
Date: Fri, 5 Jan 1996 06:41:29 +0800
Subject: Guerilla Internet Service Providers
Message-ID:

OK, I'm game. What is the story behind your .sig? Given the obvious reluctance to state it fully, perhaps someone else can reply?

|We Jurgar Din
|(that will have to suffice: I do not yet live in a free country)

----------
From: nobody at REPLAY.COM[SMTP:nobody at REPLAY.COM]
Sent: Thursday, January 04, 1996 9:07
To: cypherpunks at toad.com
Subject: Re: Guerilla Internet Service Providers

-----BEGIN PGP SIGNED MESSAGE-----

"L. Malthus" wrote:

> I was told that Belize is offering passports for the next
> two years for $50,000 and that might be even less if offers
> were made to the government to provide low cost Internet
> access to the citizens of Belize.
>
> http://www.belize.com/citzdoc.html
>
> Belize has always been known as a home for pirates, A
> wonderful Cypherpunk candidate for an offshore data haven!

Belize is a shit hole that is as willing as many other slimeball countries to deny someone entry and force them kicking and screaming onto the next flight to the U.S. on request from U.S. authorities. In principle, that is kidnaping. They use the technicality that the person never entered their territory. No-man's lands of port zones where the most basic rights may be violated without regard to a country's constitution are another class of abuse that will have to go.

Belize is also the place where Bob White, publisher of The Duck Book and sponsor of some of the largest hard-money conferences ever held, was murdered. The usual suspects were not even rounded up.

Someone once wrote that the principle cash crop of Belize is lice. In reality it may be principles. At least the Hondurans got angry when a citizen was kidnaped by the U.S.

We Jurgar Din
(that will have to suffice: I do not yet live in a free country)

+"The battle, Sir, is not to the strong alone. It is to the+
+vigilant, the active, the brave. Besides, Sir, we have no +
+election. If we were base enough to desire it, it is now +
+too late to retire from the contest."
-Patrick Henry 1775 +

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQBVAwUBMOt2E0jw99YhtpnhAQHa7gH/Z4cjIcT50+0lxJTF7lHCfcPvSPzXW5BU
Yuea9C5s+1KgNDUYDe2ItTfOf3TTb+2deJGbDgf2TEP+A/q5S+9JHw==
=H46M
-----END PGP SIGNATURE-----

From gates_r at maths.su.oz.au Thu Jan 4 15:00:45 1996
From: gates_r at maths.su.oz.au (Robbie Gates)
Date: Fri, 5 Jan 1996 07:00:45 +0800
Subject:
In-Reply-To: <199601041317.OAA04812@aws26.muc.feilmeier.de>
Message-ID: <30EC571A.41C6@maths.su.oz.au>

> The decimal representation of any irrational number (e.g. pi, e)
> contains the decimal representation of every natural number
> somewhere. (Proof by diagonalization.)

What you say here isn't quite true. The number with decimal rep

0.10100100000010000000000000000000000001....

where the number of zeros is going 1!, 2!, 3!, 4!, ... is transcendental, and hence irrational, but clearly doesn't contain the decimal representation of every natural number.

i'm sure the above fact is believed about e, pi & other such ``important transcendentals'' - i can't recall if there is a proof or how it goes. diagonalization is used to prove that there are uncountably many irrationals.

if you want to argue the ludicrosity of trying to ban certain numbers, just consider the function f(n) = n + 1. Iterating this function yields all natural numbers, so the increment operation should clearly be banned. I'm not sure how much programming you can do without increment.

- robbie
--
----------------------------------------------------------------------
robbie gates | it's not a religion, it's just a technique.
apprentice algebraist | it's just a way of making you speak.
pgp key available | - "destination", the church.

From turner at TeleCheck.com Thu Jan 4 15:17:33 1996
From: turner at TeleCheck.com (turner at TeleCheck.com)
Date: Fri, 5 Jan 1996 07:17:33 +0800
Subject: hi peter!
In-Reply-To: <199601041557.PAA09665@sponsor.octet.com>
Message-ID: <9601042207.AA32619@mercury.telecheck.com>

Is it my imagination or is someone posting a FreeBSD kernel configuration binary to the list?

fb at sponsor.octet.com said:
> > cosmos at sponsor.octet.com:/usr/src/sys/compile/SPONSOR
> fb at sponsor.octet.com said:
> FreeBSD Kernel Configuration Utility - Version 1.0 Type "help" for
> help or "visual" to go to the visual configuration interface
> (requires MGA/VGA display or serial terminal capable of displaying
> ANSI graphics).

From stend at cris.com Thu Jan 4 15:18:21 1996
From: stend at cris.com (Sten Drescher)
Date: Fri, 5 Jan 1996 07:18:21 +0800
Subject: FreeBSD user
In-Reply-To: <199601041557.PAA09665@sponsor.octet.com>
Message-ID: <5568er602z.fsf_-_@galil.austnsc.tandem.com>

Am I the only one who has received three unreadable messages from this address on cypherpunks?

--
#include /* Sten Drescher */
To get my PGP public key, send me email with your public key and
Subject: PGP key exchange
Key fingerprint = 90 5F 1D FD A6 7C 84 5E A9 D3 90 16 B2 44 C4 F3
Unsolicited email advertisements will be proofread for a US$100 fee.

From jthomas at access.digex.net Thu Jan 4 15:46:24 1996
From: jthomas at access.digex.net (Joe Thomas)
Date: Fri, 5 Jan 1996 07:46:24 +0800
Subject: Compuserve *hasn't* banned newsgroups
In-Reply-To: <2.2.32.19960103180226.006a9ffc@panix.com>
Message-ID:

On Wed, 3 Jan 1996, Duncan Frissell wrote:

> You mean that the thirty-some odd open news servers listed on
> http://dana.ucc.nau.edu/~jwa/open-sites.html might get swamped. Then the
> CIS refugees will be forced to pay Sameer the massive $12.50 (?) a month for
> a net-access-only account and read off of c2.org's server. (Or any of the
> thousands of sites worldwide one can open a shell account on.)

Cheaper still (and more compatible with GUI newsreaders) try AltNet:

> telnet news.alt.net nntp
Trying 204.137.156.2...
Connected to tofu.alt.net.
Escape character is '^]'.
200 Mail info at alt.net for info about $5/month NNTP access (posting ok).

If you can't afford $5/month, you're not using Compu$erve.

Joe
(not affiliated with AltNet, just giving them a random plug)

From proff at suburbia.net Thu Jan 4 15:49:25 1996
From: proff at suburbia.net (Julian Assange)
Date: Fri, 5 Jan 1996 07:49:25 +0800
Subject: FreeBSD user
Message-ID: <199601042215.JAA03077@suburbia.net>

I've just had my 3rd FreeBSD kernel. Enough is enough.

--Proff

--
+----------------------------------+-----------------------------------------+
|Julian Assange | "if you think the United States has |
|FAX: +61-3-9819-9066 | stood still, who built the largest |
|EMAIL: proff at suburbia.net | shopping centre in the world?" - Nixon |
+----------------------------------+-----------------------------------------+

From reagle at rpcp.mit.edu Thu Jan 4 16:26:17 1996
From: reagle at rpcp.mit.edu (Joseph M. Reagle Jr.)
Date: Fri, 5 Jan 1996 08:26:17 +0800
Subject: FreeBSD user
Message-ID: <9601050000.AA09148@rpcp.mit.edu>

I consider it to be an attack. Certainly seems like it to me when it bungs up my poor eudora dial-up connection and I can't get mail.

From Lou.Zirko at rex.isdn.net Thu Jan 4 16:38:19 1996
From: Lou.Zirko at rex.isdn.net (Lou Zirko)
Date: Fri, 5 Jan 1996 08:38:19 +0800
Subject: FreeBSD user
Message-ID:

No, got three myself. The third did seem a little different from the first two though, but I didn't study them that closely.

]>
> Am I the only one who has received three unreadable
> > -- > #include /* Sten Drescher */ Lou Zirko (615)851-1057 Zystems lzirko at isdn.net "We're all bozos on this bus" - Nick Danger, Third Eye -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCNAzBLJocAAAEEAMlDzYJPYq0pvfMuSiKU0Y65L2nJql+qEJHYGjO5Pys4prDw YW1ooPWaqrPQAy/eyqrM7I9KNFDCtmaPxtgcPw2oEDfc/w6cPkrVzvovKLfHQvtg V/hHUekptSf6j525omrVAoM9MxVL3sEGCjn9VrTeC3h9upkfntHOJeL88i2NAAUR tB5Mb3UgWmlya28gPHppcmtvbEBkYXRhdGVrLmNvbT4= =Qlxm -----END PGP PUBLIC KEY BLOCK----- From jimbell at pacifier.com Thu Jan 4 16:53:47 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 5 Jan 1996 08:53:47 +0800 Subject: 2047 bit keys in PGP Message-ID: At 10:02 AM 1/4/96 -0800, you wrote: >All that being said, I believe that 128 bits is sufficient for a >symmetric key and 2048 for a public key. Our paranoia would be far >better directed at as yet unknown attacks on the algoritms involved >or the specific implementations of cryptographic systems. Paul Kocher's >recent timing attack is a perfect example of what we should be afraid >of. Exactly! I agree. There is plenty of work that can be directed towards the hardware arena, for example. Better filters (AC, telephone, keyboard cable), untamperable hardware (keyboards come to mind, for instance: Design one whose RF "signature" can't be read remotely), a push towards the use of thin-film-type displays that don't radiate (much) in the RF spectrum, automatic over-write of unused data areas in hard/floppy disks (including the (unallocated) space at the ends of files), etc. 
From futplex at pseudonym.com Thu Jan 4 16:55:13 1996 From: futplex at pseudonym.com (Futplex) Date: Fri, 5 Jan 1996 08:55:13 +0800 Subject: Kocher timing attack in RISKS In-Reply-To: Message-ID: <199601050027.TAA03963@thor.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- [via Steven Weller] > Reproduced here from RISKS digest: > > ------------------------------ > > Date: Tue, 26 Dec 1995 17:23:09 -0100 > From: Saso Tomazic > Subject: Re: Timing cryptanalysis of RSA, DH, DSS (Kocher, RISKS-17.53) [...] > 2.) It is not so difficult to rewrite algorithms to be resistant to timing > attacks, i.e., to have execution time independent of secret key. For > example, the algorithm to compute R = y^x mod n given in the Kocher paper > can be simply rewritten as: > > Let R = 1. > Let A = 1. > Let z = y. > For i=0 upto (bits_in_x-1): > If (bit i of x) is 1 then > Let A = (R*z) mod n > Else > Let B = (R*z) mod n > Let y = y^2 mod n. > Let R = A. > End. > > to be resistant to timing attacks. This appears to be a version of something Hal and I and others initially suggested that doesn't really defeat the timing attack. In particular, the variable size of R in iteration k affects the time taken to compute either A or B in iteration k+1. 
Futplex *** Welcome to Cypherpunks -- Now Go Home *** From futplex at pseudonym.com Thu Jan 4 17:09:30 1996 From: futplex at pseudonym.com (Futplex) Date: Fri, 5 Jan 1996 09:09:30 +0800 Subject: [NOISE] Trying to init security channel Message-ID: <199601050040.TAA06237@thor.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- Forwarded message: > Date: Thu, 4 Jan 96 13:11:36 IST > From: geoff klein > To: cypherpunks at toad.com > Subject: Trying to init security channel > X-Potpinitrequest: AwAAAAAAAADhi+swAQAAAPqPQh4AACoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARjMwMzBGRjIyMTFENTBEMABnZW9mZkBjb21tdG91Y2guY28uaWwAY3lwaGVycHVua3NAdG9hZC5jb20A Another satisfied "Power One Time Pad" user, it would appear.... > > This message was sent by Pronto Secure Mail. > Without Pronto you can not establish a secure channel. > > Please send a reply manually.
Futplex *** Welcome to Cypherpunks -- Now Go Home *** From erc at dal1820.computek.net Thu Jan 4 17:13:19 1996 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Fri, 5 Jan 1996 09:13:19 +0800 Subject: test In-Reply-To: Message-ID: <199601050049.SAA19801@dal1820.computek.net> -----BEGIN PGP SIGNED MESSAGE----- > Ed, I've pointed out to you during our mini-flame war that I've been getting > 4 copies of your every e-mail: 2 via the cpunks list, 2 directly from your > box cc:'d to me. You _know_ that I've been getting 2 copies of cc:'s not > passing through toad.com, that the problem is at your end, and not at toad.com, > and you should _not_ send test posts to cypherpunks. The problem is *not* at my end, your ignorance is showing. If it were, then everyone would be getting 2 copies of everything I send, and that's simply not true. Some people are getting two copies, but some are only getting one copy. > None of the following: > * your test posts > * your lack of understanding of anonymous remailers > * your inability to configure sendmail > have any cryptographic relevance (other than to discredit your technical > knowledge, which you have done quite thoroughly :) My understanding of anonymous remailers has nothing to do with this - I've not posted or emailed through one, so I don't know where this comment is coming from.
As for configuring sendmail, I would not be afraid to estimate that I've probably configured sendmail for more systems than you've ever seen in your entire life, so if my technical qualifications are in doubt, they are in doubt only in your own mind. My employer (and all of my employers for the last 16 years) have paid relatively well for my technical shills, and continue to do so. > Please stop polluting this mailing list with test messages. Thank you. I would suggest that it is *your* lack of technical expertise that is at the root of your not being able to set up procmail. Besides, if you want to filter my posts or email, filter will do the job, and it's so fast and easy to set up that I taught an ex- to do it in about 10 minutes - and she has trouble finding the on/off switch to her computer. Please stop polluting the list with your flames. - -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes From MMac102754 at aol.com Thu Jan 4 17:19:05 1996 From: MMac102754 at aol.com (MMac102754 at aol.com) Date: Fri, 5 Jan 1996 09:19:05 +0800 Subject: FreeBSD user Message-ID: <960104195738_106753282@mail02.mail.aol.com> I've gotten three postings from fb at sponsor.octet.com that are greek to me.
Or is it code? From anonymous at freezone.remailer Thu Jan 4 17:27:43 1996 From: anonymous at freezone.remailer (anonymous at freezone.remailer) Date: Fri, 5 Jan 1996 09:27:43 +0800 Subject: \"Concryption\" In-Reply-To: <199601041435.PAA16631@utopia.hacktic.nl> Message-ID: <199601050105.UAA29900@light.lightlink.com> Does anyone understand what this "Concryption" really is? Reading the press blurbs, it could be nothing more than simply compressing the stream before encrypting it. A patent on that idea would be rather awkward. From m5 at dev.tivoli.com Thu Jan 4 17:36:13 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Fri, 5 Jan 1996 09:36:13 +0800 Subject: FreeBSD user In-Reply-To: <9601050000.AA09148@rpcp.mit.edu> Message-ID: <9601050011.AA17233@alpha> Joseph M. Reagle, Jr. writes: > I consider it to be an attack. He's either a live nutcase, newbie of the year, or a no-life out trolling. I strongly recommend against sending him/it mail, helpful or hateful. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From futplex at pseudonym.com Thu Jan 4 17:52:19 1996 From: futplex at pseudonym.com (Futplex) Date: Fri, 5 Jan 1996 09:52:19 +0800 Subject: CryptoPessimism (Was: Foiling Traffic Analysis) In-Reply-To: <199601041734.SAA20843@utopia.hacktic.nl> Message-ID: <199601050134.UAA06813@thor.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- Anonymous claiming to be "We Jurgar Din" [perhaps truthfully, I didn't check the PGP sig against previous ones] writes: > Lucky, are you just the cynic's cynic, a farther-gone > revolutionary than you seem, or did you just have a bad month? Lucky usually defines the pessimistic extreme of cypherpunk views of the future (with Duncan at the other end). 
I tend to agree with Lucky's side, but then I _am_ an inveterate cynic. But to be annoyingly cute about it, inveterate != invertebrate. I don't envision a rosy scenario, but I'm not giving up. [various quoted Lucky lines elided] > The answer to much of what you write off without a fight is > fairly obvious, but not yet being mentioned in open conversation. Well, let's talk about it openly! I'm not terribly interested in answers of the form "God moves in mysterious ways" or "If you knew what I knew, you'd support the government's proposal to do this", although most of the world seems to find such answers enthralling. > Without intending this to be a flame, I'd respectfully suggest > that giving up the living room and den in the hope of a back- > bedroom campaign against a home invader is probably not a > workable strategy (if you'll allow a metaphor uncomfortably > close to the subject matter). - From where I sit, Lucky seems to have been quite active on the front lines, in spite (or perhaps because) of his rhetoric. Futplex *** Welcome to Cypherpunks -- Now Go Home *** From mclow at owl.csusm.edu Thu Jan 4 18:01:19 1996 From: mclow at owl.csusm.edu (Marshall Clow) Date: Fri, 5 Jan 1996 10:01:19 +0800 Subject: \"Concryption\" Message-ID: A little birdie (anonymous at freezone.remailer) said: >Does anyone understand what this "Concryption" really is? Reading the >press blurbs, it could be nothing more than simply compressing the >stream before encrypting it. A patent on that idea would be rather >awkward.
> I doubt that it could be awkward, given that my employer, Aladdin Systems, has been shipping a software package that implements this since 1986. :-) -- Marshall Marshall Clow Aladdin Systems "Eternal vigilance is the price of PostScript" -- MacUser Jan 96 DTP and Graphics column From tcmay at got.net Thu Jan 4 18:09:56 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 5 Jan 1996 10:09:56 +0800 Subject: Double Messages from Ed Carp Message-ID: At 12:49 AM 1/5/96, Ed Carp [khijol SysAdmin] wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >> Ed, I've pointed out to you during our mini-flame war that I've been getting >> 4 copies of your every e-mail: 2 via the cpunks list, 2 directly from your >> box cc:'d to me. You _know_ that I've been getting 2 copies of cc:'s not >> passing through toad.com, that the problem is at your end, and not at >>toad.com, >> and you should _not_ send test posts to cypherpunks. > >The problem is *not* at my end, your ignorance is showing. If it were, >then everyone would be getting 2 copies of everything I send, and that's >simply not true. Some people are getting two copies, but some are only >getting one copy. I have also been getting two copies of most or all of your messages, at least for the past few weeks (since you became active on the list again, I think). I have not been complaining, just deleting the extra copies. 
In looking at the detailed headers of a pair of such duplicates I see that there may have been some kind of "fork" (not a technical term, just a description) where the two messages (called Blue and Red) differ as follows: Blue Message: Received: from dal1820.computek.net by toad.com id AA01149; Thu, 4 Jan 96 16:49:35 PST Received: (from erc at localhost) by dal1820.computek.net (8.6.10/8.6.10) id SAA19801; Thu, 4 Jan 1996 18:49:29 -0600 Red Message: Received: from dal1820.computek.net by toad.com id AA01148; Thu, 4 Jan 96 16:49:36 PST Received: (from erc at localhost) by dal1820.computek.net (8.6.10/8.6.10) id SAA19801; Thu, 4 Jan 1996 18:49:29 -0600 Only a one-second difference, but the difference grows in later headers. The point is that there were already two slightly different versions of the message before toad.com was reached. Other subtle differences exist, too. For example: Blue Message: X-UIDL: 820809984.020 Red Message: X-UIDL: 820809984.018 I don't even know what X-UIDL is, but this is a notable difference between the two versions. I suggest you carefully examine the full headers and go from there. It appears that toad.com is only sending two messages because it _received_ two messages. --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From JonathanZ at consensus.com Thu Jan 4 18:43:33 1996 From: JonathanZ at consensus.com (Jonathan Zamick) Date: Fri, 5 Jan 1996 10:43:33 +0800 Subject: Apologies for my absense Message-ID: Sorry I've been so absent from the list recently.
I've been variously flying back and forth to different conferences, working on putting new things together for RSAREF, and finally going on a much needed vacation (I'm feeling much better now.) Actually, after recovering from blood loss from the hordes of mosquitos which greeted me at the airport, I've finally gotten ready to wade through my Cpunk backlogs. Some news: 1. Come to the RSAREF conference, and say hi at the Consensus booth. It's rumored I'll be wearing a white shirt 2 of the 3 days and maybe a jacket, while wearing a tie and boxers on one of the days. (The tie is a bit unusual I have to admit.) You all gave me a number of nifty wishlists when I stuck the option out there before and I think life is good. I can't tell you about it now, or at least I'm not going to because suspense is fun. However, in seriousness stop by. We'll have at least 3 major announcements to make which will be of moderate interest to y'all. Besides, I'm spending the next two weeks panicking about the booth and will need some peer support once I collapse. (We just wanted a room for an hour to get a little roundtable.) 2. Please give some comment on our RSAREF web pages. I've just started pouring some info into them to answer questions people have about the licensing and such. If there are questions you have that aren't answered, let me know. (If the question is, where do I send my flame... you don't really need me to answer do you? :) Anyway, who else is going to be at the conference? (Also who is going to be at MacWorld?) Lastly, I'd like to plan a Cpunk party. I'm thinking about March 15th perhaps in the Berkeley area. It's going to be a Sake party, in the Takara Sake factory, so we can be really droll and mix the Cyber/Cypher punk motif. :) That sound like a good night? Any major conferences causing a problem? Jonathan ------------------------------------------------------------------------ ..Jonathan Zamick Consensus Development Corporation.. .. 1563 Solano Ave, #355.. ..
Berkeley, CA 94707-2116.. .. o510/559-1500 f510/559-1505.. ..Mosaic/WWW Home Page: .. .. Consensus Home Page .. From cminter at mipos2.intel.com Thu Jan 4 19:00:33 1996 From: cminter at mipos2.intel.com (Corey Minter) Date: Fri, 5 Jan 1996 11:00:33 +0800 Subject: Concription [NOISE] Message-ID: <199601050244.VAA02095@zws388.sc.intel.com> anonymous at freezone.remailer wrote: > Does anyone understand what this "Concryption" really is? Reading the > press blurbs, it could be nothing more than simply compressing the > stream before encrypting it. A patent on that idea would be rather > awkward. if there is nothing more to concription, then it sounds like a bogus patent since PGP documents and implements the technique already. Maybe it would make a nice trademark though. Does anyone know if macaroni and cheese combined in one meal is patented? If not, maybe I can go out and patent it. :) -- ______________________________________________________________________ Corey Minter | cminter at mipos2.intel.com | (408) 765-1714 From frantz at netcom.com Thu Jan 4 19:39:40 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 5 Jan 1996 11:39:40 +0800 Subject: Net Censorship Story on All Things Considered Message-ID: <199601050311.TAA27573@netcom5.netcom.com> This evening I heard a story on Internet censorship on All Things Considered. They said that Compuserve was close to deploying technology to keep only Germans out of the 200 news groups. (Compuserve and the Germans still disagree about where the list came from.) They also interviewed Denise Curaso (sp?) who provided some reality about how censorship could quickly move to political views that certain countries don't like and how a Compuserve user could easily bypass Compuserve censorship.
The story ended with the comment that in the past, many net people have said that since the Internet was designed to survive atomic war, the net would just bypass around censorship, but between the Germans and Exon, fewer of them are saying it now. ----------------------------------------------------------------- Bill Frantz Periwinkle -- Computer Consulting (408)356-8506 16345 Englewood Ave. frantz at netcom.com Los Gatos, CA 95032, USA From sameer at c2.org Thu Jan 4 20:13:59 1996 From: sameer at c2.org (sameer) Date: Fri, 5 Jan 1996 12:13:59 +0800 Subject: COMMUNITY CONNEXION ANNOUNCES PROMOTION FOR UNCENSORED ACCESS TO THE INTERNET Message-ID: <199601041701.JAA09953@infinity.c2.org> Newsgroups: alt.censorship,comp.org.eff.talk,news.admin.censorship,alt.privacy,comp.privacy Subject: COMMUNITY CONNEXION ANNOUNCES PROMOTION FOR UNCENSORED ACCESS TO THE INTERNET From: Community ConneXion For Immediate Release - January 4, 1996 Contact: Sameer Parekh 510-601-9777x3 COMMUNITY CONNEXION ANNOUNCES PROMOTION FOR UNCENSORED ACCESS TO THE INTERNET Berkeley, CA - In response to recent restrictions on Usenet material made available to CompuServe customers, Community ConneXion, an Internet privacy provider, today announced that it has begun a promotion to offer uncensored access to Usenet newsgroups at a discount to users who have experienced censorship at the hands of their Internet service provider, employer, or university. "'The Internet views censorship as damage, and routes around it,'" said Community ConneXion President Sameer Parekh, quoting a famous saying on the net, "While a network provider, university, or employer may want to limit the access their customers, students, or employees may have to potentially controversial material on the Internet, people need to realize that it is still possible for them to access controversial material through alternative means. We're making available services to make this fact obvious."
Community ConneXion offers full Internet access to its customers, with no content-based restrictions on materials its customers may read or make available on the Internet. Community ConneXion has made available one free month of service to users signing up for services with Community ConneXion who are doing so in order to avoid content- based restrictions instituted by their net provider, university, or employer. Customers who would like to take advantage of Community ConneXion's uncensored access may continue to use their current provider for their basic access, but to access the previously-unavailable materials they may proxy through to the Community ConneXion servers. Parekh commented on the ease with which people can bypass censorship instituted by their provider or employer, "Providers, employers, and universities may think that they are restricting access through their sites, but given the ease with which people can set up an account with us, the organizations trying to restrict access will soon realize that censorship is hopeless." Community ConneXion, founded in June of 1994, is the leading provider of privacy on the Internet. They provide anonymous and pseudonymous Internet access and web pages in addition to powerful web service, virtual hosts, and web design consultation. Information is available from their web pages at http://www.c2.org/. More information on the uncensored promotion is available at http://www.c2.org/uncensored/. From dccotey at alf.uccs.edu Thu Jan 4 20:22:43 1996 From: dccotey at alf.uccs.edu (Daniel C. Cotey) Date: Fri, 5 Jan 1996 12:22:43 +0800 Subject: FreeBSD Message-ID: I was wondering if anyone else with pine observed weird behaviour when reading that message. My pine exported the file, started a message, then fired up a shell, at which point I killed it before anything else happened.
--- --- Daniel Cotey dccotey at serf.uccs.edu From rfb at lehman.com Thu Jan 4 21:00:12 1996 From: rfb at lehman.com (Rick Busdiecker) Date: Fri, 5 Jan 1996 13:00:12 +0800 Subject: 2047 bit keys in PGP In-Reply-To: <30EC5109@ms-mail.datastorm.com> Message-ID: <9601050442.AA25099@cfdevx1.lehman.com> From: Cedric Tefft Date: Thu, 04 Jan 96 14:12:00 PST >And they strongly imply that brute-force attacks against 256-bit >keys will be infeasible until computers are built from something >other than matter and occupy something other than space." Hmmm... Well, the 384-bit Blacknet PGP key was cracked in just a few months. How? Factoring a 384-bit number is not equivalent to searching a 384-bit keyspace. Consider that there are 78498 primes less than 1000000. This means that you can do a brute force search of a keyspace of under 17-bits to find a prime factor of any composite number less than 1000000000000 -- a bit under 40 bits. I've done this to verify the results of an implementation of the Rabin-Miller primality test on relatively small numbers. I'm not sure how many primes there are with 192 or fewer bits, but it's far fewer than 2^384. There are better techniques around for factoring large numbers than this sort of brute force testing. While I didn't follow the thread very closely, they probably used the quadratic sieve or number field sieve algorithm. See Schneier's _Applied_Cryptography_ for more on factoring, including references to more detailed works. -- Rick Busdiecker Please do not send electronic junk mail! net: rfb at lehman.com or rfb at cmu.edu PGP Public Key: 0xDBD9994D www: http://www.cs.cmu.edu/afs/cs.cmu.edu/user/rfb/http/home.html send mail, subject "send index" for mailbot info, "send pgp key" gets my key A `hacker' is one who writes code. Breaking into systems is `cracking'. 
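The counting argument in the message above (78498 primes below 1000000, so an under-17-bit search factors any composite below 10^12, and the same table cross-checks a Rabin-Miller implementation), as an added example that is not part of the original post. The function names and the constructed 40-bit modulus N are assumptions made for illustration, and the 192-bit figure is a prime number theorem estimate rather than an exact count.

```python
import math


def primes_below(limit):
    """Sieve of Eratosthenes: every prime p < limit, in increasing order."""
    sieve = bytearray([1]) * limit
    sieve[0:2] = b"\x00\x00"
    for p in range(2, math.isqrt(limit - 1) + 1):
        if sieve[p]:
            # Clear p*p, p*p + p, ... in a single slice assignment.
            sieve[p * p::p] = bytearray(len(range(p * p, limit, p)))
    return [i for i, flag in enumerate(sieve) if flag]


def smallest_prime_factor(n, primes):
    """Trial-divide n by the primes in the table.

    Returns the smallest prime factor found. Returns None when n is prime
    or when the table is too short to decide (n > max(primes)**2).
    """
    for p in primes:
        if p * p > n:
            return None  # no divisor up to sqrt(n): n is prime
        if n % p == 0:
            return p
    return None


_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime_miller_rabin(n):
    """Miller-Rabin (Rabin-Miller) test; these 12 bases are exact for n < 2**64."""
    if n < 2:
        return False
    for p in _BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def miller_rabin_disagreements(limit, primes):
    """Every n < limit on which Miller-Rabin and the sieve table disagree."""
    table = set(primes)
    return [n for n in range(limit)
            if is_prime_miller_rabin(n) != (n in table)]


def log2_prime_count_estimate(bits):
    """log2 of x/ln(x) for x = 2**bits: estimated count of primes up to x."""
    return bits - math.log2(bits * math.log(2))


PRIMES = primes_below(10**6)

# Constructed worst case for the table: the product of the two largest
# primes below 10**6, so trial division has to walk almost the whole list.
N = PRIMES[-1] * PRIMES[-2]

if __name__ == "__main__":
    print("primes below 10^6:", len(PRIMES))
    print("search space: %.2f bits" % math.log2(len(PRIMES)))
    print("N =", N, "(%d bits)" % N.bit_length())
    print("smallest factor of N:", smallest_prime_factor(N, PRIMES))
    print("Miller-Rabin disagreements below 200000:",
          len(miller_rabin_disagreements(200_000, PRIMES)))
    print("primes up to 2^192: about 2^%.1f" % log2_prime_count_estimate(192))
```

Plain trial division over primes of up to 192 bits is still far out of reach at roughly 2^185 candidates, which is why the message points to the quadratic sieve and number field sieve for a 384-bit modulus.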
From sameer at c2.org Thu Jan 4 21:13:32 1996 From: sameer at c2.org (sameer) Date: Fri, 5 Jan 1996 13:13:32 +0800 Subject: test In-Reply-To: <199601050049.SAA19801@dal1820.computek.net> Message-ID: <199601050446.UAA24423@infinity.c2.org> > The problem is *not* at my end, your ignorance is showing. If it were, > then everyone would be getting 2 copies of everything I send, and that's > simply not true. Some people are getting two copies, but some are only > getting one copy. This mail arrived twice. -- sameer Voice: 510-601-9777x3 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From jimbell at pacifier.com Thu Jan 4 21:28:46 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 5 Jan 1996 13:28:46 +0800 Subject: Representations of Pi, etc. Message-ID: At 09:39 AM 1/5/96 +1100, you wrote: >> The decimal representation of any irrational number (e.g. pi, e) >> contains the decimal representation of every natural number >> somewhere. (Proof by diagonalization.) >What you say here isn't quite true. Right. But BTW, isn't it interesting, that news item from a few weeks ago, on an algorithm for determining individual bits in Pi, regardless of whether you've calculated all the previous ones. Only problem is, it only works in hexadecimal (and, obviously, binary, etc, not decimal. From tcmay at got.net Thu Jan 4 22:04:57 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 5 Jan 1996 14:04:57 +0800 Subject: Forcible Concryption of Data Message-ID: >anonymous at freezone.remailer wrote: >> Does anyone understand what this "Concryption" really is? Reading the >> press blurbs, it could be nothing more than simply compressing the >> stream before encrypting it. A patent on that idea would be rather >> awkward. "Concryption" is the process by which your secret data gets enlisted in service to the government, as with Clipper and GAK. 
The original term when people got pressed into military service was "conscription," but times change. Thus, one might say, "My secrets have been concrypted--the government now has them." (After all, why do you think so many software releases are called "drafts"?) --Klaus! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jirib at sweeney.cs.monash.edu.au Thu Jan 4 22:41:30 1996 From: jirib at sweeney.cs.monash.edu.au (Jiri Baum) Date: Fri, 5 Jan 1996 14:41:30 +0800 Subject: Why Net Censorship Doesn't Work In-Reply-To: Message-ID: <199601050621.RAA19851@sweeney.cs.monash.edu.au> -----BEGIN PGP SIGNED MESSAGE----- Hello Duncan Frissell and cman at communities.com (Douglas Barnes) and cypherpunks at toad.com ... > A quote from Star Wars (which I'm just now incorporating into my .sig) ... > ------ , ------ > Douglas Barnes "The tighter you close your fist, Governor Tarkin, > cman at communities.com the more systems will slip through your fingers." > cman at best.com --Princess Leia Perhaps not the most comforting quote you could have used... If I remember my Star Wars correctly, Tarkin's reply consisted largely of blasting Alderaan out of existence. Jiri - -- If you want an answer, please mail to . On sweeney, I may delete without reading! 
PGP 463A14D5 (but it's at home so it'll take a day or two) PGP EF0607F9 (but it's at uni so don't rely on it too much) From alano at teleport.com Thu Jan 4 22:53:53 1996 From: alano at teleport.com (Alan Olsen) Date: Fri, 5 Jan 1996 14:53:53 +0800 Subject: Double Messages from Ed Carp Message-ID: <2.2.32.19960105050514.0096c610@mail.teleport.com> At 07:19 PM 1/4/96 -0800, Tim May wrote: >In looking at the detailed headers of a pair of such duplicates I see that >there may have been some kind of "fork" (not a technical term, just a >description) where the two messages (called Blue and Red) differ as >follows: > [Weirdness deleted] I am seeing the duplicates with another user as well. Received: (from lastxit at localhost) by arrakis.alphachannel.com (8.6.12/8.6.12) id SAA10251; Wed, 3 Jan 1996 18:52:35 -0600 To: cypherpunks at toad.com From: "Marc Martinez" In-Reply-To: master at internexus.net's message of 3 Jan 1996 13:44:30 -0500 Subject: Re: 2047 bit keys in PGP Received: (from lastxit at localhost) by arrakis.alphachannel.com (8.6.12/8.6.12) id SAA10237; Wed, 3 Jan 1996 18:50:10 -0600 Date: Wed, 3 Jan 1996 18:50:10 -0600 To: cypherpunks at toad.com From: "Marc Martinez" In-Reply-To: master at internexus.net's message of 3 Jan 1996 13:44:30 -0500 This might be an isolated problem with this user or someplace between here and there is duping mail messages... I thought there were more but it turned out to be a bunch of messages I was cc:ed on and it got caught in the filter.
Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "Governments are potholes on the Information Superhighway." - Not TCMay From jimbell at pacifier.com Thu Jan 4 23:03:49 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 5 Jan 1996 15:03:49 +0800 Subject: Guerilla Internet Service Providers (fwd) Message-ID: At 10:54 AM 1/4/96 -0800, you wrote: >At 11:43 1/4/96 -0600, Jason Rentz wrote: >>Previous exchanges deleted... >>> >>>With a tightly focused beam (light is easy, I don't know about lower >>>frequencies), you can prevent interception except by very obvious physical >>>devices. (e.g. Someone in a cherry picker truck.) You may be able to >>>avoid the need to encrypt the link (and all the paranoia about key >>>management, advances in factoring etc. that that implies.) >>> >>>Bill >> >>The problem with this comes when you start creating links between much >>taller buildings like in San Fran. Any give building over 30 stories might >>sway a foot or so at any given time. Combine that with the other building >>and you might get a few feet of movement. (movement not including during an >>earthquake) :) > >(1) No single communication technology is appropriate for every problem. > >(2) A technical fix could include having the receiver send steering orders >to the transmitter. This solution would, of course, be a long way from the >low tech scavenged lens and 1/2 meter cardboard mailing tube technology I >was thinking of. I think you guys (further up the reply chain) are missing the point. While IR does have stealth advantages in, say, wartime, for routine network usage everyone can be assumed to know where everyone else is, and where all the optical links are, etc. There's no point trying to use link-location secrecy. And presumably, encryption will provide all the message-secrecy/anti-spoofing functions required. 
Simply ASSUME that the beams can be intercepted (although probably not intentionally cut). That's why we're "cypherpunks," right?!? Secondly, IR beams can be plenty narrow enough to avoid inter-link interference, but at the same time wide enough to avoid beam-steering problems. Note: I'm assuming link distances of under, say 300 meters here. Previously, a point was made about the effects of fog cutting links: Due to scattering, one of the reasons automobile fog lamps are 550 nanometer yellow/orange is to minimize the scattering that shorter wavelengths (400 nm blue, 450 nm green) are more prone to. I would imagine that near IR at, say, 890 nm would be dramatically less sensitive to such scattering. 1400 nm might be even better. Rain might be a different story. But then again, if we're limiting the links to around 300 meters, the total amount of water between "here" and "there" CAN'T be all that great. And in addition, one of the advantages of computer networking over telephone-type networking is that we can "tolerate" (although, not LIKE) the occasional necessity of re-transmitting data. And dynamic re-routing is probably far easier than for real-time telephone-type data. From the standpoint of computer networking, the main benefit of IR is to cross rights-of-way without permission or trenching (or stringing cables from telephone poles) in urban and suburban areas, allowing data transfer near-fiber speeds. In an urban setting, a single tall building could become a central hub for most of its nearest neighbors. I don't anticipate IR being used "to the home" (especially since residential areas have trees, etc); rather, I would imagine that it would be used to feed the occasional top-of-the-telephone-pole microcell, with very-low-milliwatt (or high microwatt) RF going the last 100 meters or so to the home.
This would allow a non-phoneco, non-cableco company to offer bidirectional networking in an entire residential area with an absolute minimum of costs/rights acquisition. From Greg_Rose at sydney.sterling.com Thu Jan 4 23:34:38 1996 From: Greg_Rose at sydney.sterling.com (Greg Rose) Date: Fri, 5 Jan 1996 15:34:38 +0800 Subject: Representations of Pi, etc. In-Reply-To: Message-ID: At 3:19 AM 1/5/96, jim bell wrote: >But BTW, isn't it interesting, that news item from a few weeks ago, on an >algorithm for determining individual bits in Pi, regardless of whether >you've calculated all the previous ones. Only problem is, it only works in >hexadecimal (and, obviously, binary, etc, not decimal. ^^^^^^^^^^^ ??? I didn't see this result you mention, but it surprises me. The part about how it works in some bases, but not in decimal. I assume it really works only in binary, and hexadecimal follows, not the other way around. The "hand-waving" (motivational/informal) explanation for why I am surprised is that "Nature doesn't care about bipeds with 10 digits vs. bipeds, or whatever, with 2 digits or 16 digits." That is, results applicable in base 16, hexadecimal, should be easily applicable in base 10. Sorry, but it is quite possible for this to be the case. (I don't know for sure whether this is one of them or not, though, having not seen the result myself.) But assume for the moment that the formula, or algorithm, or whatever it is, really does tell you exactly the value of a contiguous chunk of "bits", real honest-to-god binary digits. You cannot translate these to a decimal representation without knowing all of the bits leading up to them. For example, you know the last four bits of an eight bit string: XXXX0011 In Hex the last digit is 3. But what is the last digit in decimal? If the 'X's are all 0, it is 3, but if the last X is a 1 (making the number 00010011 = 19), it is not 3 but 9. If only the first X is a one, it is 1.
There are plenty of places in information theory where a log base 2 shows up, so I don't doubt that there might be an algorithm for determining a particular "bit" of Pi. But just to prove I have a more concrete example, suppose you have an encrypted bank transfer, with the numbers expressed in binary. Further suppose you know it is encrypted with a one-time-pad (just to be controversial) where you know a particular n-bit chunk of the pad. Given this you can recover the corresponding n-bit chunk of the amount, but unless this spans the entire number you can't express this unambiguously in decimal digits. This is a simple consequence of the fact that log(2) and log(10) are not integer multiples of each other (you know what I mean). The same goes the other way, of course. Given a string of decimal digits extracted from the middle of a number, I can't unambiguously decide what string of bits these would become without knowing the rest of the number. The result is fascinating, assuming it is real. Greg. Greg Rose INTERNET: greg_rose at sydney.sterling.com Sterling Software VOICE: +61-2-9975 4777 FAX: +61-2-9975 2921 28 Rodborough Rd. http://www.sydney.sterling.com:8080/~ggr/ French's Forest 35 0A 79 7D 5E 21 8D 47 E3 53 75 66 AC FB D9 45 NSW 2086 Australia. co-mod sci.crypt.research, USENIX Director. From WlkngOwl at UNiX.asb.com Thu Jan 4 23:49:04 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Fri, 5 Jan 1996 15:49:04 +0800 Subject: Visual Correlations of RNGs useful for cryptanalysis? Message-ID: <199601050740.CAA26664@UNiX.asb.com> Somebody passed an interesting article to me, "Random number generators: pretty good ones are easy to find", Clifford Pickover (IBM Watson Research Ctr, NY), The Visual Computer (1995) 11:369-377. The article does NOT deal with cryptographically secure RNGs, however the author discusses some interesting methods for visualizing correlations in RNGs that probably can be applied to crypto.
One is the "Noise Sphere", which involves plotting the last three numbers generated by the RNG (Xn, Xn+1, Xn+2, where 0 Send a blank message with the subject "send pgp-key" (not in quotes) for a copy of my PGP key. From jirib at sweeney.cs.monash.edu.au Fri Jan 5 00:02:43 1996 From: jirib at sweeney.cs.monash.edu.au (Jiri Baum) Date: Fri, 5 Jan 1996 16:02:43 +0800 Subject: For the New Year: A Symbol for Information Freedom In-Reply-To: <199601010311.WAA12624@mail.FOUR.net> Message-ID: <199601050739.SAA19965@sweeney.cs.monash.edu.au> -----BEGIN PGP SIGNED MESSAGE----- Hello groundfog at alpha.c2.org and cypherpunks at toad.com > In talk.politics.crypto, ptupper at direct.ca (Peter Tupper) wrote: > > A Symbol for Information Freedom ... > > The symbol I have chosen is the paper clip. ... If you want to put one on your web page but can't be bothered drawing it, I've got one at http://www.cs.monash.edu.au/~jirib Take care! Adiau - Jiri - -- If you want an answer, please mail to . On sweeney, I may delete without reading! PGP 463A14D5 (but it's at home so it'll take a day or two) PGP EF0607F9 (but it's at uni so don't rely on it too much) -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMOzVsyxV6mvvBgf5AQFZqwP/Yj/Gb0W5YqgTbHu99zPxOpyAFa7UC4NY M7SCo8DSbnHsb13gT78Rm34irQtmzW5B9wJ97L+FeTFRBmqe8CX9dghjSDwNHdW/ yKKpnu9HtYXWkb6bNPbfDEexPq4Qs1q5DIukeGVIDeedOMQwUtOlsoLNVnyHExvV zzYYPKPzjjY= =RW1K -----END PGP SIGNATURE----- From attila at primenet.com Fri Jan 5 00:20:38 1996 From: attila at primenet.com (attila) Date: Fri, 5 Jan 1996 16:20:38 +0800 Subject: \"Concryption\" In-Reply-To: <199601050105.UAA29900@light.lightlink.com> Message-ID: On Thu, 4 Jan 1996 anonymous at freezone.remailer wrote: > Does anyone understand what this "Concryption" really is? Reading the > press blurbs, it could be nothing more than simply compressing the > stream before encrypting it. A patent on that idea would be rather > awkward. 
> thought that myself when I first read it -- did that at least 15 years with the standard unix compress --broke compress into a single library module, fed itfrom the input buffer and directly fed it to an RSA style paired key unit and streamed it out whereever specified --yes, it was far more efficient than two programs --and that was on my VAXEN (780)! however, I guess they think they have reinvented the world and no one ever tried to patent the process. patents are not worth the paper they are printed on in general --I stopped filing in 1975. I was supporting ignorant patent lawyers who could not even write the claims! That, and feds took away a nuber of patents in the national interest, which of course they deny as they scrubbed the rcords clean.... so, let's see if he can enforce it! __________________________________________________________________________ go not unto usenet for advice, for the inhabitants thereof will say: yes, and no, and maybe, and I don't know, and fuck-off. _________________________________________________________________ attila__ From jh at teleport.com Fri Jan 5 00:46:47 1996 From: jh at teleport.com (Jack Hammer) Date: Fri, 5 Jan 1996 16:46:47 +0800 Subject: "Deterrence" In-Reply-To: Message-ID: On Thu, 4 Jan 1996, jim bell wrote: > Recently, Kevin Wheeler (on NWLIBERTARIANS at TELEPORT.COM) expressed what I > consider to be odd (at least for him; I can easily deal with Benneth's crap) > (and a bit belated) objections to my desire to use technology to prevent > government from oppressing the public. Well I'm really pleased to hear that you're considering actually dealing with someone's objections to your insane ideas, rather than hiding out like a little crybaby. But really, there's not much to object to. No one is taking you seriously Mr. Bell. If anyone did, you'd probably be in jail by now. In part, I must thank you for helping me to see what the actual Libertarian mindset is capable of. 
That more people haven't immediately and unequivocably confronted you on your murderous plans to institute a new regime of terror and lawlessness indicates to me that the average Libertarian is philosophically bankrupt. The best that could be said for them is that they're humoring you. BTW, my show is being scheduled to go daily for North American broadcast via the TVRO satellite, and I may be doing drive time daily from Vancouver to Portland. So consider each waking day a new opposition from Jack Hammer. When you roll out of your fart sack each evening (or whenever you rise from yhour grave) consider that I will have been already up making statements against your plans for assassination, and consider that, should you ever manage to actually be awake at such an early hour, you can meet me in verbal combat simply by reachning over and picking up your phone. Of course you won't do it. You've had numerous opportunities to give voice to your maniacal plans on my show, but you've chickened out then, you'll chicken out now. -jac jh at teleport.com FLASHNEWSHAMMERNET- Honoring the tradition of Emerson, Thoreau, and Ghandi, Hammer World Radio goes on the air daily 2-3pm PST beginning on Reverend Doctor Martin Luther King Junior's birthday, January 15, 1997, with a MESSAGE OF CIVIL DISOBEDIENCE TO THE WRONG WORLD ORDER. HOW TO JOIN THE HAMMERNET. Receive the most interesting e-mail and get to know the best writers on the Internet. Saints and flamers, they're on the Hammernet! Here's how to join. Send the following message in the body of your text space to majordomo at teleport.com : subscribe hammernet-l It's as easy as that! From mixmaster at anon.alias.net Fri Jan 5 01:21:30 1996 From: mixmaster at anon.alias.net (Mr. 
Nobody) Date: Fri, 5 Jan 1996 17:21:30 +0800 Subject: None In-Reply-To: <199601050311.TAA27567@netcom5.netcom.com> Message-ID: <199601060905.DAA21075@fuqua.fiftysix.org> In article <199601050311.TAA27567 at netcom5.netcom.com> frantz at netcom.com (Bill Frantz) writes: > From: frantz at netcom.com (Bill Frantz) > Date: Thu, 4 Jan 1996 19:13:58 -0800 > > At 20:05 1/4/96 -0500, anonymous at freezone.remailer wrote: > >Does anyone understand what this "Concryption" really is? Reading the > >press blurbs, it could be nothing more than simply compressing the > >stream before encrypting it. A patent on that idea would be rather > >awkward. > > What I interpreted their press release as saying was that they had patented > the idea of doing the compression AND the encryption in one pass over the > data. If they got a patent for this, then the patent office has totally > lost the concept that in order to be patentable, the idea must not be > obvious to those well versed in the state of the art. Unfortunately, the patent office has totally lost that concept, with rather disastrous consequences for people who can't afford to fight bogus patents in court. http://www.lpf.org for more info. From jirib at sweeney.cs.monash.edu.au Fri Jan 5 03:30:14 1996 From: jirib at sweeney.cs.monash.edu.au (Jiri Baum) Date: Fri, 5 Jan 1996 19:30:14 +0800 Subject: What to do about Germany In-Reply-To: <199601031913.NAA11851@unique.outlook.net> Message-ID: <199601051104.WAA20347@sweeney.cs.monash.edu.au> -----BEGIN PGP SIGNED MESSAGE----- Hello "Michael C. Peponis" and cypherpunks at toad.com M.C.P. wrote: ...[in reply to someone Re: Compu$erve vs Germany]... > But that's a GERMAN law, the Internet is an INTERNATIONAL community. > If we have to respect the laws of Germany, and their customs and > archaic belief systems, them we have to give the same consideration > to anyother countries backwords, morality-based, mentality. There ... What if the laws actually contradict each other? 
Eg if there was a country that forbade women speaking on the net, and another that forbade distinctions between men and women to be made? (Sorry about the example, ladies, but it's one that comes to mind...) I guess at that stage one or the other of the countries will cut itself off the net. BTW, in the January 96 *Australian Personal Computer*, an opinion column draws a comparison between the attitude to the Internet and the (ancient) obligation for a motor car to be preceeded by someone carrying a red flag... Not such a bad metaphor, I thought. ... > But when you go to a sexualy > explicit newsgroup, what do you think you will find, what is the ... Prayers? Adiau - Jiri - -- If you want an answer, please mail to . On sweeney, I may delete without reading! PGP 463A14D5 (but it's at home so it'll take a day or two) PGP EF0607F9 (but it's at uni so don't rely on it too much) -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMO0FsSxV6mvvBgf5AQGArgP9ERnp79miefBoDlaVrVSFILG7nsFAh3l3 54S54voFHhBUowAYXET8ZaNbN+ZxNcAJYjft+pELIXo2iCQtexYKdfY2fEPDh8Vu L2UcWMuV/WOBJ4U75YiHHUcZUE4rdqeeyW9A5NIqTv84NYzOAF28LI921I4Nq2/T E8o5m8AaIvQ= =6GVd -----END PGP SIGNATURE----- From frissell at panix.com Fri Jan 5 03:55:46 1996 From: frissell at panix.com (Duncan Frissell) Date: Fri, 5 Jan 1996 19:55:46 +0800 Subject: Indecency Mathematics Message-ID: <2.2.32.19960105113904.008ea92c@panix.com> At 02:26 PM 1/4/96 +0100, Rudi Raith wrote: >2) > >I suppose that there is a predicate indecent_p(n), which is true if n >represents something indecent, false otherwise. (Some implementation >of such a predicate could be a police officer arresting you upon >presentation of the number to him, yielding true. :-) ) Such numbers >may be called "Indecent Numbers", their "posession", "transfer", >etc. be banned. Fortunately or unfortunately, "decency" and "indecency" are incapable of exact mapping to words. Location, context, tone of voice, year, time of day, recipient of communication, etc. 
all affect "indecency." "That girl is attractive." "The bitch is in heat." "Our President -- William Jefferson Blythe Clinton." "Jesus Christ is the Son of God." All of these statements are sometimes decent and sometimes indecent/blasphemous. It depends purely on a host of factors. That is the point of using the "indecency" standard. Consider the similar problem of defining the crime of Blasphemy: Christian: "Jesus Christ, the Messiah is God" Blasphemy because it claims that a man as God. Jew: "The Messiah has not yet come." Blasphemy because it denies the divinity of Jesus. We solved this problem in the US by legalizing all such speech. That is the only way to handle the similar decency/indecency definition problems. DCF "Government is not established for the benefit of the governed." From harmon at tenet.edu Fri Jan 5 03:57:58 1996 From: harmon at tenet.edu (Dan Harmon) Date: Fri, 5 Jan 1996 19:57:58 +0800 Subject: Double Messages from Ed Carp In-Reply-To: <2.2.32.19960105050514.0096c610@mail.teleport.com> Message-ID: I have been seeing duplicates also, but it seems to be random. Some from Ed, and some from others. Dan On Thu, 4 Jan 1996, Alan Olsen wrote: > At 07:19 PM 1/4/96 -0800, Tim May wrote: > > >In looking at the detailed headers of a pair of such duplicates I see that > >there may have been some kind of "fork" (not a technical term, just a > >description) where the two messages (called Blue and Red) differ as > >follows: > > > [Weirdness deleted] > > I am seeing the duplicates with another user as well. 
> > Received: (from lastxit at localhost) by arrakis.alphachannel.com > (8.6.12/8.6.12) id SAA10251; Wed, 3 Jan 1996 18:52:35 -0600 > To: cypherpunks at toad.com > From: "Marc Martinez" > In-Reply-To: master at internexus.net's message of 3 Jan 1996 13:44:30 -0500 > Subject: Re: 2047 bit keys in PGP > > Received: (from lastxit at localhost) by arrakis.alphachannel.com > (8.6.12/8.6.12) id SAA10237; Wed, 3 Jan 1996 18:50:10 -0600 > Date: Wed, 3 Jan 1996 18:50:10 -0600 > To: cypherpunks at toad.com > From: "Marc Martinez" > In-Reply-To: master at internexus.net's message of 3 Jan 1996 13:44:30 -0500 > > This might be an isolated problem with this user or someplace between here > and there is duping mail messages... > > I thought there were more but it turned out to be a bunch of messages I was > cc:ed on and it got caught in the filter. > > > > Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction > `finger -l alano at teleport.com` for PGP 2.6.2 key > http://www.teleport.com/~alano/ > "Governments are potholes on the Information Superhighway." - Not TCMay > > From SudduthLM at SecureC2.com Fri Jan 5 04:02:08 1996 From: SudduthLM at SecureC2.com (Sudduth, Larry) Date: Fri, 5 Jan 1996 20:02:08 +0800 Subject: Compuserve grovels to foreign censors Message-ID: At 15:05 1/4/96, Bill Frantz wrote: >Caller ID could tell them where you are calling from. They can also use >their billing information and user profile information to decide where you >live and/or how old you are. I wonder if any of these filters will keep >the German prosecutors off their necks, given that they can be bypassed. I don't know whether or not one can presume the existence of Caller ID over in Germany. 
When I lived there (albeit several years ago), it was a frustrating mixture of old technology (no records of any calls, just a counter that registered message units, so one could get a monster phone bill, and not even contest it) and new (ISDN and the German Post's version of BTX, Bildschirmtext). >I feel sorry for them given the situation they are in, and want to kick >their butts for just rolling over dead instead of fighting for free access. Feeling much the way you do about CompuServe's actions, I voted with my wallet, and canceled my membership. More and more vendors are offering equivalent support through the I'net anyway. The vision of a tin horn prosecutor in Munich being successful will only fuel the zeal of the would-be censors here and elsewhere in the World. (I wonder if the Revolutionary Guards in Iran are discussing what they next want censored.) BTW, I've never been an alt.* group reader, etc. That being said, who is CompuServe to try to control access to it. CompuServe is transport-only, and not a content originator. Since the Una-bomber used Fed-Ex to kill his victims should Fed-Ex no longer deliver to US addresses?
From norm at netcom.com Fri Jan 5 06:00:11 1996 From: norm at netcom.com (Norman Hardy) Date: Fri, 5 Jan 1996 22:00:11 +0800 Subject: cyphernomicon FTP site? Message-ID: At 12:58 AM 12/20/95, Harry Bartholomew wrote: .... > When using lynx from my shell account, I like to grab the whole > thing at once at net speed. Just now this took 65 seconds for > the 1.28 Mb with obvious pauses ( I've seen it twice as fast). .... I was using Lynx just now to do something like this (Mediacity was kaput). I couldn't find out how to tell lynx to save the file. Do you know how? Thanks From geoff at commtouch.co.il Fri Jan 5 06:14:02 1996 From: geoff at commtouch.co.il (geoff klein) Date: Fri, 5 Jan 1996 22:14:02 +0800 Subject: Fw: Re: [NOISE] Trying to init security channel Message-ID: <9601051337.AA26973@commtouch.co.il> On 4 Jan 1996 19:40:39 futplex posted the message included below: 1. My apologies to all for the original accidental posting to this list. 2. futplex: "Another satisfied "Power One Time Pad" user, it would appear...." Things are not always quite the way they appear, Commtouch are the developers of Pronto Secure, - a pretty good Windows e-mail client providing security services using PGP (or POTP). Lookout for a beta release announcement in early February.
Geoff Klein Product Manager - Pronto Secure http://www.commtouch.com *Welcome to the post of Cypherpunk censor - Now Go Home & change your sig.* -----Begin Included Message ----- Date: Thu, 4 Jan 1996 19:40:39 -0500 (EST) From: futplex at pseudonym.com (Futplex) To: cypherpunks at toad.com (Cypherpunks Mailing List) Cc: -----BEGIN PGP SIGNED MESSAGE----- Forwarded message: > Date: Thu, 4 Jan 96 13:11:36 IST > From: geoff klein > To: cypherpunks at toad.com > Subject: Trying to init security channel > X-Potpinitrequest: AwAAAAAAAADhi+swAQAAAPqPQh4AACoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARjMwMzBGRjI yMTFENTBEMABnZW9mZkBjb21tdG91Y2guY28uaWwAY3lwaGVycHVua3NAdG9hZC5jb20A Another satisfied "Power One Time Pad" user, it would appear.... > > This message was sent by Pronto Secure Mail. > Without Pronto you can not establish a secure channel. > > Please send a reply manually. Futplex *** Welcome to Cypherpunks -- Now Go Home *** -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMOxzMinaAKQPVHDZAQGcIwf+KYlU8PiutVTduMG2Jxt7KDsEhDvjjiDi p+kBKw0y2Tj+Z/LGoCTSu2egMxFf9L9mWg8ulNCXPu92Bg1PWNPFJpTeXYcQfHnz fQfQlbnixwo1gU1DW0AVpeq5iIdBwOOqh2TEa5m7LQXiCU3RDS0Q0+muDzvncykC UkF+uzPvxrZW88LFnxSmYez3o/Xj0V39gvKANkZvqOotm90g5bYb6TY8qCUFfSUh hNPPA1irtYc96a73WXRYciW4T1H8cfsmmlwMxbCbILer6MPH+2CZMD1DP5eIu0cd 4vvN6n3pPgBs7YAp4RANf6HKHZpJwB/MG+TOt2ngolsPt5JFvrUKuQ== =wXVD -----END PGP SIGNATURE----- . ---- End of forwarded message ---- From jimbell at pacifier.com Fri Jan 5 07:13:36 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 5 Jan 1996 23:13:36 +0800 Subject: testing WPGP Message-ID: -----BEGIN PGP SIGNED MESSAGE----- I'm trying to test out version 1.5.0.10 of the program WPGP that I downloaded a day ago. So far, I am able to sign messages and (probably?) encrypt them, but decrypting fails me. Below is my 1024-bit public key; could somebody verify the proper signing, and send something encrypted to me? (Also include your public key and I'll see if I can successfully reply.) 
- -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCNAi1zvWcAAAEEAKmSqngLWK2N2gOJKPtjF9VCfSkXY+XUZBRCbbFU71uH/dLX C2Uq6wFS8alRgMc3rp90JnnJ/6eJqXwMjCunogwucWOaU7S/w+OwjOG9fUqsXIA6 2j25Wtjce65mbp0TKLAzwMb/P/Qq7BlclqhuKzfVBH7dIHnVAvqHVDBboB2dAAUR tBFKYW1lcyBEYWx0b24gQmVsbA== =G3LA - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOzCPvqHVDBboB2dAQGHDgP6ApIYzoZs2LBK5c8p3H+BHzMevgf2zuWy oTt9kiMrirrzsZQ+aGfKTEk3HaEcg9c2bgbM4JjfeZQLXI53edYl5DNuh4newvry PwRLf7eYOtPsxfEMAsmcJkuiwvk1czOZZ/fW+dK5mbsZQ/c5fgcWILvFuey9uOd2 lZ7zqD/Kt54= =/qXq -----END PGP SIGNATURE----- From merriman at arn.net Fri Jan 5 07:20:33 1996 From: merriman at arn.net (David K. Merriman) Date: Fri, 5 Jan 1996 23:20:33 +0800 Subject: Windows Eudora and PGP Message-ID: <2.2.32.19960104183919.00677094@arn.net> -----BEGIN PGP SIGNED MESSAGE----- - -----BEGIN PGP SIGNED MESSAGE----- At 07:46 PM 01/3/96 -0500, Douglas F. Elznic" wrote: ... ... >I have heard that their are alpha releases currentky geing worked on at >quest/qualcomm. But i would have to say before they come out your best bet >to pgp and eudora is either pidaho or just use it in dos. pidaho is a great >front end. A lot better than any others out their. > > I have also heard that ViaCrypt is a good alternative. But I am not sure. >Has anyone else out there heard anything good/bad about ViaCrypt? I've gotten ahold of the WPGP mentioned here a couple days ago, and it seems to be working just fine, for me. Even easier to use than PIdaho, though not quite as 'full-featured' (ie, remailer support, etc). 
Using it to sign this message, FWIW :-) - - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOwCBMVrTvyYOzAZAQGpVgQApdkjY9KoiI4TYhd6h8at6R1DfEFldE0M y9iY3lcUjGuCn6RASVUxbDXVYWtbeCPGveaAfIri6ccM2Fcw6WboS2YXM7Xmpubr 7j6o48IwKB0YZadwtxRXQWddE3RUwbIa52xmmywdlshLGy7IEAJ+NHgrlZZk/sdR SilciAe65Hs= =0izb - - -----END PGP SIGNATURE----- - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOwCPsVrTvyYOzAZAQEjzAP/bEK4Q/uJgbXY9/HMp+Cu1YF/1x1/tlI5 T3b1Vb4WvsZCUbGlMzqzNKFO6qJoMxGGQoVi3LzWixGEVeaD93QJGQXtR3p/v2HS fogEk5bVFr6+ljreuhLDhl4sQpNx+fnibXg013zb2dKv0btwTst+vh7Vm1vYZ84T uJFMVZPxL+I= =xUTN - -----END PGP SIGNATURE----- -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOwCasVrTvyYOzAZAQFY5wP9HdMiDu1cqShuz6GPjNNzNwtEbXaxfDsQ sWZq0tcSkIVaY7vix8X02PxV7tqMqdbyBBnO9n6unRhitJfuTtJ1Fh7lGB/6/TtU o2/7510JcwyfVXB3Lb6tenvu0G9aQrkGqzoHcSXr854GzsU2KfjGEM9l9xpczj+B O5wiYXU00yc= =tkkz -----END PGP SIGNATURE----- ------------------------------------------------------------- "It is not the function of our Government to keep the citizen from falling into error; it is the function of the citizen to keep the Government from falling into error." Robert H. Jackson (1892-1954), U.S. Judge <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> My web page: http://www.geopages.com/CapitolHill/1148 From tcmay at got.net Fri Jan 5 07:22:26 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 5 Jan 1996 23:22:26 +0800 Subject: Representations of Pi, etc. Message-ID: At 3:19 AM 1/5/96, jim bell wrote: >But BTW, isn't it interesting, that news item from a few weeks ago, on an >algorithm for determining individual bits in Pi, regardless of whether >you've calculated all the previous ones. Only problem is, it only works in >hexadecimal (and, obviously, binary, etc, not decimal. ^^^^^^^^^^^ ??? I didn't see this result you mention, but it surprises me. The part about how it works in some bases, but not in decimal. 
The "hand-waving" (motivational/informal) explanation for why I am surprised is that "Nature doesn't care about bipeds with 10 digits vs. bipeds, or whatever, with 2 digits or 16 digits." That is, results applicable in base 16, hexadecimal, should be easily applicable in base 10. And there are interesting properties about the distribution of digits in "random" numbers. Pi is of course not random by many definitions, but shares certain important properties with random numbers. (Or sequences, if you wish.) One of these properties is that of _regularity_, the frequency of digits. A regular number is one whose expansion has in the limit the same frequency for all digits, and this is so in any base. Thus, a regular number has an equal frequency (in the limit, blah blah) of 0s, 1s, 2s, 3s, etc. And switching to another base will not change this. I recollect that pi has been proved to be regular, i.e., that pi has an equal frequency of all digits, in the limit, in all bases. (This is the sense in which we can argue that pi is "random." in the sense that there are no correlations, no dependence of the n+1th digit on the nth digit, and "no apparent order." Furthermore, there is no effective compression of pi, except by some tricks, such as _naming_ it (a dictionary compression, of sorts) or by specifying a program which computes it. Lots of interesting issues about the real meaning of randomness and compressibility, about the "logical depth" of certain computations, etc. I recommend "The Universal Turing Machine" (ed. by Haken, as I recall) for a nice set of articles on these fascinating issues.) In summary, I would be surprised to find that a method for calculating the Nth digit of pi works for base N but not for base M (modulo some minor efficiency factors related to machine architecture, etc.). Any pointers to this result would be appreciated. --Tim May (By the way, randomness and regularity, real or only apparent, are some of my favorite topics.
Numbers which _appear_ to be regular, but which actually aren't, are said to be "cryptoregular" (hidden regular). The connection with cryptography is more than tangential: a text block or number which _appears_ to be random or regular (the same frequency definition applies to letters as well as digits) may be transformed by application of a key to a nonrandom or nonregular thing. The connection with entropy and randomness is right there, of course, and is left for the interested folks to think about.) We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jays at cloud9.net Fri Jan 5 07:27:17 1996 From: jays at cloud9.net (Jay Sulzberger) Date: Fri, 5 Jan 1996 23:27:17 +0800 Subject: Three recent posts on usenet about getting far hex digits of pi. Message-ID: For Timothy C. May and all the cypherists on this list: Here are three recent posts to usenet on the beautiful, and partly new results on getting digits far out in pi, without explicitly getting all the nearer to the heximal point digits. > From sci.math Wed Dec 20 05:16:17 1995 > Path: panix!news.denver.eti.net!imci3!imci2!newsfeed.internetmci.com!uwm.edu!msunews!netnews.upenn.edu!red.seas.upenn.edu!jimmosk > From: jimmosk at red.seas.upenn.edu (Jim J Moskowitz) > Newsgroups: sci.math > Subject: nth digit of pi calculable? 
> Date: 18 Dec 1995 03:29:08 GMT > Organization: University of Pennsylvania > Lines: 29 > Message-ID: <4b2n64$s27 at netnews.upenn.edu> > NNTP-Posting-Host: red.seas.upenn.edu > Status: RO > X-Status: > > I've seen the recent reports about the discovery of a formula for pi > of the form > $\sum_{n=0}^{\infty} 16^{-n} \left( \frac{4}{8n+1} - \frac{2}{8n+4} - \frac{1}{8n+5} - \frac{1}{8n+6} \right)$ > > which is said to tell you in a simple manner what the nth digit in the > hexadecimal expansion of pi is. I don't see why. Yes, the ith term of > this series does include 16^-i, which is the ith place in said expansion, > but the term in parentheses (sorry; they look more like angle brackets) > isn't an integer, so it's not giving you the value of the number in that > ith place. Instead, it gives you several digits which are in places further > along in pi, with no guarantee that other terms in this sigma won't also > include digits in those places, forcing you to calculate and add up many > terms.... > > Taking an incautious plunge into the world of computational math, > Jim > > > -- > ----------------------------------------------------------------------------- > Jim Moskowitz (jimmosk at eniac.seas.upenn.edu) > Visit the Unknown Composers Page: > http://www.seas.upenn.edu/~jimmosk/TOC.html > > >From sci.math.pi Fri Jan 5 04:08:06 1996 > From sci.math Wed Dec 20 05:16:57 1995 > Path: panix!cmcl2!oitnews.harvard.edu!purdue!lerc.nasa.gov!magnus.acs.ohio-state.edu!math.ohio-state.edu!howland.reston.ans.net!newsfeed.internetmci.com!EU.net!peer-news.britain.eu.net!lyra.csx.cam.ac.uk!cet1 > From: cet1 at cus.cam.ac.uk (Chris Thompson) > Newsgroups: sci.math > Subject: Re: nth digit of pi calculable?
> Date: 18 Dec 1995 15:21:18 GMT > Organization: University of Cambridge, England > Lines: 46 > Message-ID: <4b40te$r02 at lyra.csx.cam.ac.uk> > References: <4b2n64$s27 at netnews.upenn.edu> > NNTP-Posting-Host: grus.cus.cam.ac.uk > Status: RO > X-Status: > > In article <4b2n64$s27 at netnews.upenn.edu>, jimmosk at red.seas.upenn.edu > (Jim J Moskowitz) writes: > |> I've seen the recent reports about the discovery of a formula for pi > |> of the form > |> $\sum_{n=0}^{\infty} 16^{-n} \left( \frac{4}{8n+1} - \frac{2}{8n+4} - \frac{1}{8n+5} - \frac{1}{8n+6} \right)$ > |> > |> which is said to tell you in a simple manner what the nth digit in the > |> hexadecimal expansion of pi is. I don't see why. Yes, the ith term of > |> this series does include 16^-i, which is the ith place in said expansion, > |> but the term in parentheses (sorry; they look more like angle brackets) > |> isn't an integer, so it's not giving you the value of the number in that > |> ith place. Instead, it gives you several digits which are in places further > |> along in pi, with no guarantee that other terms in this sigma won't also > |> include digits in those places, forcing you to calculate and add up many > |> terms.... > > You certainly have to add up a large number of terms. It is the ease with > which these terms can be computed that has attracted interest to this and > similar formulae. > > Think in terms of trying to find the fractional part of 16^N * pi to reasonable > accuracy, which is what is really meant by "finding the (N+1)'th hexadecimal > digit" here -- you might always get unlucky and find only that this fractional > part was between .2fffff and .300001, say. The terms with n >= N are of > absolute value less than 1, and form a rapidly converging series, so their > contribution is easy to compute.
> The terms with n < N contribute terms of
> the form
>
>     fractional part ( 16^a(i) * b(i) / i )
>
> where i < 8N, a(i) < N, and the b(i) are small integers. So it is sufficient
> to compute 16^a(i) mod i. If you don't already know, you can find out how to
> do this in time logarithmic in a(i) in, say, Knuth ACP Vol 2.
>
> This is all explained in detail in the Borwein/Borwein/Plouffe paper, available
> from http://www.cecm.sfu.ca/~pborwein/PAPERS/P123.ps, which should be pretty
> comprehensible even by an amateur.
>
> Chris Thompson
> Email: cet1 at cam.ac.uk
>
> >From sci.math.pi Fri Jan 5 04:08:06 1996
> From sci.math Wed Dec 20 05:17:20 1995
> Path: panix!bloom-beacon.mit.edu!gatech!psuvax1!news.math.psu.edu!chi-news.cic.net!uwm.edu!lll-winken.llnl.gov!apple.com!apple.com!not-for-mail
> From: rjohnson at apple.com (Robert Johnson)
> Newsgroups: sci.math
> Subject: Re: nth digit of pi calculable?
> Date: 19 Dec 1995 13:01:28 -0800
> Organization: Apple Computer, Inc., Cupertino, California
> Lines: 57
> Message-ID: <4b7978$cj1 at apple.com>
> References: <4b2n64$s27 at netnews.upenn.edu>
> NNTP-Posting-Host: apple.com
> Status: RO
> X-Status:
>
>
> In article <4b2n64$s27 at netnews.upenn.edu>,
> Jim J Moskowitz wrote:
> >I've seen the recent reports about the discovery of a formula for pi
> >of the form
> >          infinity
> >           -----
> >            \       (- n) /   4         2         1         1   \
> >             )    16      (------- - ------- - ------- - -------)
> >            /             \8 n + 1   8 n + 4   8 n + 5   8 n + 6/
> >           -----
> >           n = 0
> >
> >which is said to tell you in a simple manner what the nth digit in the
> >hexadecimal expansion of pi is. I don't see why. Yes, the ith term of
> >this series does include 16^-i, which is the ith place in said expansion,
> >but the term in parentheses (sorry; they look more like angle brackets)
> >isn't an integer, so it's not giving you the value of the number in that
> >ith place.
> >Instead, it gives you several digits which are in places further
> >along in pi, with no guarantee that other terms in this sigma won't also
> >include digits in those places, forcing you to calculate and add up many
> >terms....
>
> The full article can be found in PostScript form at
>
>     http://www.cecm.sfu.ca/personal/pborwein/PAPERS/P123.ps
>
> and a text announcement can be found at
>
>     http://www.mathsoft.com/asolve/plouffe/scimath.txt
>
> Yes indeed, you have to add up many terms. However, the amount of
> computation to find the n^th digit is on the order of n. Whereas,
> to compute n digits would require computation on the order of n^2.
>
> The idea that drastically reduces the work here is that it is very easy
> to compute the n^th hex digit of 1/k. This is accomplished by raising
> 16 to the n-1^st power modulo k. Dividing the remainder by k gives the
> hex expansion of 1/k starting at the n^th hex digit. Raising 16 to the
> n-1^st power modulo k is done by squaring and multiplying based on the
> binary expansion of n-1 (the method of repeated squaring).
>
> Thus, to get 16^{-k} 4/(8k+1) starting at the nth hex digit,
> compute 4*16^(n-1-k) mod 8k+1. Divide this remainder by 8k+1.
> For example, take n = 1000000000 and k = 1257894:
>
>     4*16^998742105 mod 10063153 = 4894450
>
> and 4894450/10063153 = .7C82F7B089CCA729... (hex)
>
> It will still entail around a billion terms to compute the billionth
> digit of pi, but that's better than computing a quintillion digits.
>
> Rob Johnson
> Apple Computer, Inc.
> rjohnson at apple.com
>
>
>

From ngps at cbn.com.sg Fri Jan 5 07:34:14 1996
From: ngps at cbn.com.sg (Ng Pheng Siong)
Date: Fri, 5 Jan 1996 23:34:14 +0800
Subject: Windows Eudora and PGP
In-Reply-To: <2.2.32.19960104183919.00677094@arn.net>
Message-ID:

On Fri, 5 Jan 1996, David K. Merriman wrote:

> I've gotten ahold of the WPGP mentioned here a couple days ago, and it seems
> to be working just fine, for me.
Even easier to use than PIdaho, though not > quite as 'full-featured' (ie, remailer support, etc). Aegis, which was mentioned on this list some months ago, is the best of the lot, IMHO. No remailer support: You can talk to a remailer from an email program. ;) - PS -- Ng Pheng Siong NetCentre Pte Ltd * Singapore Finger for PGP key. From jya at pipeline.com Fri Jan 5 07:39:44 1996 From: jya at pipeline.com (John Young) Date: Fri, 5 Jan 1996 23:39:44 +0800 Subject: ZAP_law Message-ID: <199601051521.KAA15505@pipe1.nyc.pipeline.com> 1-5-96. W$Jaw: "High Tech Zaps German Privacy Laws. CompuServe Case Shows Difficulty of Enforcement." The growing popularity of the Internet and other multimedia services poses a major challenge to Germany's tough data-protection legislation. The personal information that is freely given and used for marketing purposes in the U.S. is off limits in Germany. The CompuServe case demonstrates just how difficult it is becoming for national regulators to control the flow of information. This is particularly true in Germany, where a raft of legislation is in force designed to avoid-any repeat of the Nazi-era abuse of data, as well as the dissemination of pornography and extremist propaganda. The nation's internal security services are already struggling to combat the sophisticated use of computers by neo-Nazi groups. Following a recent ban on several such organizations, right-wing extremists have been sending coded messages of racial hatred to one another through a system of computer mailboxes known as the Thule network. "CompuServe Seeks a High-Tech Answer To Fracas Over Bar on Adult Material." Industry executives said the move sets a bad precedent that could invite still more countries to demand their own diverging standards of what is acceptable. Critics further maintained that the approach simply won't work. 
In addition, critics voiced concern that CompuServe's efforts will lead to on-line services being forced to take responsibility for information they didn't create. 1-5-95, WashPo: "Worldwide Net, Worldwide Trouble" [Editorial] The borderless quality of the Internet, one of its great strengths, can now be seen also as a source of unprecedented and unnerving international liability. Just as "community standards" were used in Tennessee to prosecute two California-based bulletin board operators on obscenity charges a few years back, big commercial providers like CompuServe or America Online could find themselves facing charges based on the very different legal systems of a Germany or France or, for that matter, an Iran. Trio: ZAP_law From jya at pipeline.com Fri Jan 5 07:47:57 1996 From: jya at pipeline.com (John Young) Date: Fri, 5 Jan 1996 23:47:57 +0800 Subject: ISD_eny Message-ID: <199601051524.KAA15888@pipe1.nyc.pipeline.com> 1-5-96. NYP: "2 Large Phone Companies Seek Higher Digital Rates. Critics See Damage to a Fast Internet Link." The proposal has angered people who use the ISDN service to work from home. Phil Karn, an engineer at Qualcomm, argued that the new tariff would cost him about $100 more a month. He said he was upset by the proposal to lift rates and was anxious to switch to cable service when it became available. ISD_eny --------- On cable modems: the 12-27 W$J reported on a test at Boston College, and provided comparisons with other systems. GEY_ser From frissell at panix.com Fri Jan 5 08:37:35 1996 From: frissell at panix.com (Duncan Frissell) Date: Sat, 6 Jan 1996 00:37:35 +0800 Subject: Market Earth Wins Another Message-ID: <2.2.32.19960105111646.008fb73c@panix.com> NEW YORK (Reuter) - AT&T Corp. said Thursday that its embryonic online service AT&T Interchange Online Network would become part of the Internet's World Wide Web within a year instead of being a proprietary system. 
``The Interchange platform as we know it will phase out over a year or so. That platform will be dissolved into the World Wide Web,'' Michael Kolowich, president of AT&T New Media Services told journalists on a conference call. AT&T said it would be able to take advantage of the best electronic commerce and navigation software for the Internet, most of which are not compatible with Interchange. In doing so AT&T is taking a leaf out of Microsoft Corp.'s book which in December changed tack to open its online service for free to Internet users. The move may be replicated in other online companies, analysts say. ****************** Now if Microsoft and AT&T can't fight open market information networks, what chance do the Feds have to impose their proprietary system on the Net? The Feds are even worse at marketing than AT&T. DCF "If AT&T owned KFC they'd advertize that they are selling 'hot, dead, chicken'. No, I'm afraid they'd advertize 'lukewarm, dead, chicken'." -- Stolen from Jerry Pournelle From stewarts at ix.netcom.com Fri Jan 5 09:03:10 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 6 Jan 1996 01:03:10 +0800 Subject: Windows Eudora and PGP Message-ID: <199601050721.XAA01227@ix6.ix.netcom.com> >>>1) Use cut-and-paste into Private Idaho. Private Idaho will allow you to >>>paste back into Eudora. (Or you can send out from Private Idaho directly.) >>>This option is useful becuase it supports nyms and chaining of remailers. ... >>[sigh] Just what I thought, no easy solutions. Private Idaho's pretty easy - if you're replying to a message, you'll need to do a cut&paste to move the original into PI, but it follows all the standard Windows cut&paste clipboard stuff, and after that you can send the message directly (from newer versions of PI) or pick a menu item that hands it back to your mailer (Eudora or several others are supported) for delivery. Inside PI, you can pick menu items to call PGP, add remailer headers, etc. 
At 07:46 PM 1/3/96 -0500, "Douglas F. Elznic" wrote:
> I have also heard that ViaCrypt is a good alternative. But I am not sure.
>Has anyone else out there heard anything good/bad about ViaCrypt?

I've got the ViaCrypt Windows package, as well as their DOS versions.
It's really nice for key management (which Private Idaho doesn't do
much of), though some of the other PGP Windows frontends also do that.
Its encryption/decryption/signing functions are mainly oriented towards
files rather than Clipboards - the big advantage of this is that there
aren't any silly 64KB or 640KB limits anywhere, but it's a bit clumsier.

I usually use Private Idaho as a front-end to ViaCrypt as well; it's
faster and prettier to have ViaCrypt handling the Windows interfaces
than to have PI pop up a DOS window to run Real PGP in.

The PGP 3.0 stuff, when it comes out, will help the process a lot.
#--
# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281
#
# "The price of liberty is eternal vigilance" used to mean us watching
# the government, not the other way around....

From pjb at ny.ubs.com Fri Jan 5 09:46:47 1996
From: pjb at ny.ubs.com (Paul J. Bell)
Date: Sat, 6 Jan 1996 01:46:47 +0800
Subject: Internet Gateway for Bletchly Park Trust
Message-ID: <9601051554.AA09438@sherry.ny.ubs.com>

I am trying to set up an Internet gateway for BP Trust. I will either
convince Sun to donate a SparcStation for this purpose, or I will
donate one myself.

What I need is a contact in the UK for some ISPs, or a University or
somesuch that would consider hosting their domain/address.

Will anyone having any information that might be of use to me in this
endeavour please email me at: pjb at ny.ubs.com and/or pjb at 23kgroup.com.

I have just returned from a trip to BP, and there are many new and
exciting things going on there. I will (RSN) post an article re: the
current state of affairs at BP.
Cheers, paul From stevenw at best.com Fri Jan 5 10:09:27 1996 From: stevenw at best.com (Steven Weller) Date: Sat, 6 Jan 1996 02:09:27 +0800 Subject: Representations of Pi, etc. Message-ID: Tim May wrote: >In summary, I would be surprised to find that a method for calculating the >Nth digit of pi works for base N but not for base M (modulo some minor >efficiency factors related to machine architecture, etc.). > >Any pointers to this result would be appreciated. See Peter Borwein's home page: http://www.cecm.sfu.ca:80/personal/pborwein/ under _Calculating Pi and Other matters_. ------------------------------------------------------------------------- Steven Weller | "The Internet, of course, is more | than just a place to find pictures | of people having sex with dogs." stevenw at best.com | -- Time Magazine, 3 July 1995 From iagoldbe at calum.csclub.uwaterloo.ca Fri Jan 5 11:04:31 1996 From: iagoldbe at calum.csclub.uwaterloo.ca (Ian Goldberg) Date: Sat, 6 Jan 1996 03:04:31 +0800 Subject: Starting an e-cash bank In-Reply-To: Message-ID: <4cjg0c$rm5@calum.csclub.uwaterloo.ca> In article , Lucky Green wrote: >Besides, wherer users get the Ecash from, be it by putting money into their >account at MT or buying it from you doesn't matter. They still need an >account with MT. Huh? Why? If I'm an ecash seller, I take a customer's paper money, withdraw ecash from _my_ MT account, give the ecash to the customer (_not_ a payment: I just give him the coin -- the pair (n,f(n)^(1/h))) and the customer is free to use it at will. It's Digicash's slogan: the numbers _are_ the money. - Ian From pmonta at qualcomm.com Fri Jan 5 11:11:06 1996 From: pmonta at qualcomm.com (Peter Monta) Date: Sat, 6 Jan 1996 03:11:06 +0800 Subject: Representations of Pi, etc. In-Reply-To: Message-ID: <199601051850.KAA01175@mage.qualcomm.com> Tim May writes: > > [ individual bits of pi ] > > I didn't see this result you mention, but it surprises me. 
The part about > how it works in some bases, but not in decimal. It's an open question as to whether there's a version that works in base 10. There's a nice summary at "http://www.mathsoft.com/asolve/plouffe/plouffe.html". > In summary, I would be surprised to find that a method for calculating the > Nth digit of pi works for base N but not for base M (modulo some minor > efficiency factors related to machine architecture, etc.). It does seem strange, but radix conversion can be much more expensive than the baseline algorithm. I vaguely remember hearing that the billion-digit pi computations done with AGM techniques haven't dealt with base 10 recently. Cheers, Peter Monta pmonta at qualcomm.com Qualcomm, Inc./Globalstar From campbelg at limestone.kosone.com Fri Jan 5 11:11:14 1996 From: campbelg at limestone.kosone.com (Gordon Campbell) Date: Sat, 6 Jan 1996 03:11:14 +0800 Subject: Compuserve grovels to foreign censors Message-ID: <2.2.32.19960105184756.00681e94@limestone.kosone.com> At 12:56 AM 1/5/96 -0500, Larry Sudduth wrote: >Attachment Converted: C:\WORK\WINMAIL.DAT What, pray tell, is this? ----- Gordon R. Campbell, Owner - Mowat Woods Graphics P.O. Box 1902, Kingston, Ontario, Canada K7L 5J7 Ph: (613) 542-4087 Fax: (613) 542-1139 2048-bit PGP key available on request. From thad at hammerhead.com Fri Jan 5 11:27:41 1996 From: thad at hammerhead.com (Thaddeus J. 
Beier) Date: Sat, 6 Jan 1996 03:27:41 +0800 Subject: US cryptographic patents, 1995 Message-ID: <199601051906.LAA13100@hammerhead.com> lull at acm.org (John Lull) said: > This data was extracted from a free database maintained by the > EDS Shadow Patent Office at http://www.spo.edo.com/ That's really http://www.spo.eds.com thad -- Thaddeus Beier thad at hammerhead.com Technology Development 408) 286-3376 Hammerhead Productions http://www.got.net/~thad From rah at shipwright.com Fri Jan 5 11:39:51 1996 From: rah at shipwright.com (Robert Hettinga) Date: Sat, 6 Jan 1996 03:39:51 +0800 Subject: DCSB: Digital Commerce: Living Room ExIm, Retail Replacement, or Mail-Order Redux? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- The Digital Commerce Society of Boston (Formerly The Boston Society for Digital Commerce) Presents Fred Hapgood Digital Commerce: Living Room ExIm, Retail Replacement, or Mail-Order Redux? Tuesday, February 6, 1995 12 - 2 PM The Downtown Harvard Club of Boston One Federal Street, Boston, MA Fred says: >So far Web commerce has largely been a speciality export story. >(www.activmedia.com says that web commerce is half exports.) This >reflects the obvious strengths of the medium: webstores are >globally accessible and can support information resources to any >depth customers require. > >However, the meat and potatoes of the $2 trillion American retail >market lie not in specialty exports but in geographically >structured markets built on access to local traffic and >characterized by low-information transactions. If web commerce >has no role to play in commerce on this level, it will end up >little more than an extension and enhancement of direct mail. >(Which is of course not to be dismissed entirely: direct mail did >$55 billion last year.) > >My talk will address the compatibility of these segments with the >web, now and later. Fred Hapgood has written on internet commerce for _CIO_ and _Webmaster_ magazines. 
He has written on associated subjects for _Wired_ and _Inc-Technology_.
The February talk will be based on research for an article on the web
and franchising.

This meeting of the Boston Society for Digital Commerce will be held on
Tuesday, January 2, 1995 from 12pm - 2pm at the Downtown Branch of the
Harvard Club of Boston, One Federal Street. The price for lunch is
$27.50. This price includes lunch, room rental, and the speaker's
lunch. ;-). The Harvard Club *does* have a jacket and tie dress code.

We need to receive a company check, or money order, (or if we *really*
know you, a personal check) payable to "The Harvard Club of Boston", by
Saturday, February 2, or you won't be on the list for lunch. Checks
payable to anyone else but The Harvard Club of Boston will have to be
sent back.

Checks should be sent to Robert Hettinga, 44 Farquhar Street, Boston,
Massachusetts, 02131. Again, they *must* be made payable to "The
Harvard Club of Boston".

If anyone has questions, or has a problem with these arrangements
(We've had to work with glacial A/P departments more than once, for
instance), please let us know via e-mail, and we'll see if we can work
something out.

Planned speakers for the following few months are:

  February   Fred Hapgood      Freelance Author
  March      Glenda Barnes     X.9 Electronic Commerce Security Group
  April      Donald Eastlake   CyberCash
  May        Perry Metzger     Security Consultant and Cypherpunk
  June       Dan Shutzer       FSTC
  July       Pete Loshin       Author, "Electronic Commerce"

We are actively searching for future speakers. If you are in Boston on
the first Tuesday of the month, and you would like to make a
presentation to the Society, please send e-mail to the DCSB Program
Committee, care of Robert Hettinga, rah at shipwright.com .

For more information about the Digital Commerce Society of Boston, send
"info dcsb" in the body of a message to majordomo at ai.mit.edu .
If you want to subscribe to the DCSB e-mail list, send "subscribe dcsb" in the body of a message to majordomo at ai.mit.edu . Looking forward to seeing you there! Cheers, Robert Hettinga Moderator, The Digital Commerce Society of Boston -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/ >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From bdavis at thepoint.net Fri Jan 5 12:20:03 1996 From: bdavis at thepoint.net (Brian Davis) Date: Sat, 6 Jan 1996 04:20:03 +0800 Subject: New Mitnick Book In-Reply-To: <199601032306.SAA07090@pipe3.nyc.pipeline.com> Message-ID: On Wed, 3 Jan 1996, John Young wrote: > Jonathan Littman, an investigative reporter, has published > "The Fugitive Game: Online With Kevin Mitnick," Little > Brown, 1996. 381 pp. $23.95. ISBN 0-316-52858-7. > > It is a dramatic recount of Mitnick's exploits; the pursuit > > Littman ends with this letter from Markoff and Shimomura: > > October 8, 1995 > Jonathan Littman > 38 Miller Avenue Suite 122 > Mill Valley, California 94941 > > Dear Jonathan, > > Tsutomu's decision to tell John Markoff that he was > travelling to Raleigh on Sunday morning was done without > contact with any law enforcement agency. Markoff flew to > Raleigh independently six hours later after discussing the > possibility of a story with his editors at the New York > Times. Markoff did not at any time assist or participate in > any aspect of the investigation into Kevin Mitnick's > activities; Markoff was there only as an observer in his > role as a newspaper reporter.
>
> Tsutomu never told anyone from law enforcement that anyone
> had authorized or cleared Markoff's presence in Raleigh.
>

FWIW: When Markoff showed up with Tsutomu, the FBI agents "assumed" that
he was there with Tsutomu as a fellow researcher/grad
student/assistant/whatever.

They had no idea (initially) that he was with the media.

...

From frissell at panix.com Fri Jan 5 12:21:14 1996
From: frissell at panix.com (Duncan Frissell)
Date: Sat, 6 Jan 1996 04:21:14 +0800
Subject: Compuserve grovels to foreign censors
Message-ID: <2.2.32.19960105193754.006aa0cc@panix.com>

At 01:47 PM 1/5/96 -0500, Gordon Campbell wrote:
>At 12:56 AM 1/5/96 -0500, Larry Sudduth wrote:
>
>>Attachment Converted: C:\WORK\WINMAIL.DAT
>
>What, pray tell, is this?
>

When a MS Mail attachment wanders around the world, it is accompanied by
a data file of some kind. That is winmail.dat. So every MS MAIL
attachment is really two attachments. Try to ignore it.

DCF

"Windoz. It may not be an operating system but at least it's out there
on the hardware."

From alano at teleport.com Fri Jan 5 12:26:04 1996
From: alano at teleport.com (Alan Olsen)
Date: Sat, 6 Jan 1996 04:26:04 +0800
Subject: Portland Cypherpunks Meeting
Message-ID: <2.2.32.19960105193942.009413c0@mail.teleport.com>

-----BEGIN PGP SIGNED MESSAGE-----

Here is the final(?) information on the Portland Cypherpunks meeting.

Date: Jan 20, 1996
Time: 5:23pm (discordian time)
Location: The Habit Internet Cafe
          2633 S.E. 21st Av., Portland OR 97202
          SE 21st @ Clinton in Portland, OR
          (503)235-5321

For more information on the location, visit:
http://www.teleport.com/~habit/

We will be having a key signing and other activities, as well as
general socializing. Bring information on projects you are pursuing or
questions you would like to ask.

Please leave your cameras and other photographic equipment at home as
some of the people attending are pretty camera shy. (And not shy about
informing you of it...)
It looks like we will be getting people outside of the Portland metro area attending as well. (I have heard from at least one person from the Bay area and one from Seattle, so who knows how many will show up.) If you want to be on the information list for this, just send me e-mail at alano at teleport.com. If all goes well, this may turn into a regular thing... -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "Governments are potholes on the Information Superhighway." - Not TCMay From Kevin.L.Prigge-2 at cis.umn.edu Fri Jan 5 12:30:43 1996 From: Kevin.L.Prigge-2 at cis.umn.edu (Kevin L Prigge) Date: Sat, 6 Jan 1996 04:30:43 +0800 Subject: Scaling Web-of-Trust Message-ID: <30ed7ecd005b002@noc.cis.umn.edu> Sorry for the noise, someone had emailed a while ago with the URL for a paper on scaling the web of trust for PGP, and I've lost the email. If whomever it was could resend the information, I'd be most appreciative. Thanks. -- Kevin L. Prigge |"Have you ever gotten tired of hearing those UofM Central Computing | ridiculous AT&T commercials claiming credit email: klp at tc.umn.edu | for things that don't even exist yet? 010010011101011001100010| You will."
-Emmanuel Goldstein

From alano at teleport.com Fri Jan 5 12:34:29 1996
From: alano at teleport.com (Alan Olsen)
Date: Sat, 6 Jan 1996 04:34:29 +0800
Subject: RSA's Art gallery is now on the web
Message-ID: <2.2.32.19960105194639.0096ea60@mail.teleport.com>

At 09:57 AM 1/5/96 PST, you wrote:
> Are you tired of the clip art you downloaded last week? Do you
>need a new background screen for your PC? Does your cubicle need something
>to give it character?
> Look no further. Visit the RSA Data Security Art Gallery and
>download to your heart's content.

BTW, the URL for this is:

http://www.rsa.com/rsa/gallery/gallery.htm

Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key
http://www.teleport.com/~alano/
"Governments are potholes on the Information Superhighway." - Not TCMay

From cosmos at sponsor.octet.com Fri Jan 5 12:36:54 1996
From: cosmos at sponsor.octet.com (Daniel Leeds)
Date: Sat, 6 Jan 1996 04:36:54 +0800
Subject: recent garbage posts
Message-ID: <199601051114.LAA13949@sponsor.octet.com>

The user in question has been talked to.

DO NOT mailbomb root or any other account any more, this will be seen
as hostile activities.

We apologize for your inconvenience, but please, the death threats,
physical bomb threats, and other nonsense is not called for.

From frissell at panix.com Fri Jan 5 12:49:59 1996
From: frissell at panix.com (Duncan Frissell)
Date: Sat, 6 Jan 1996 04:49:59 +0800
Subject: New Mitnick Book
Message-ID: <2.2.32.19960105200208.006a8900@panix.com>

At 02:36 PM 1/5/96 -0500, Brian Davis wrote:
>FWIW: When Markoff showed up with Tsutomu, the FBI agents "assumed" that
>he was there with Tsutomu as a fellow researcher/grad
>student/assistant/whatever.
>
>They had no idea (initially) that he was with the media.
>
>...
>

I take it that you were in the vicinity? Or is this just what you've heard?
Any more inside tidbits on the bust?
DCF

From bdavis at thepoint.net Fri Jan 5 12:50:59 1996
From: bdavis at thepoint.net (Brian Davis)
Date: Sat, 6 Jan 1996 04:50:59 +0800
Subject: New Mitnick Book
In-Reply-To: <2.2.32.19960105200208.006a8900@panix.com>
Message-ID:

On Fri, 5 Jan 1996, Duncan Frissell wrote:

> At 02:36 PM 1/5/96 -0500, Brian Davis wrote:
> >FWIW: When Markoff showed up with Tsutomu, the FBI agents "assumed" that
> >he was there with Tsutomu as a fellow researcher/grad
> >student/assistant/whatever.
> >
> >They had no idea (initially) that he was with the media.
> >
> >...
> >
>
> I take it that you were in the vicinity? Or is this just what you've heard?
> Any more inside tidbits on the bust?
>

I spoke to one of the case agents who was in on the bust while at a
Computer Crime Conference at Quantico. I don't recall any other tidbits
at the moment, but I'll think about it again. They were fairly
closemouthed about the whole thing because it was reasonably soon after
the arrest and the case was just getting going (that is, the "case" in
court, not the "matter" under investigation -- U.S. Attorney-speak).

EBD

> DCF
>
>

From master at internexus.net Fri Jan 5 13:11:10 1996
From: master at internexus.net (Laszlo Vecsey)
Date: Sat, 6 Jan 1996 05:11:10 +0800
Subject: FreeBSD
In-Reply-To:
Message-ID:

> I was wondering if anyone else with pine observed weird behaviour
> when reading that message. My pine exported the file, started a message,
> then fired up a shell, at which point I killed it before anything else
> happened.

I have pine, but the FreeBSD message just showed up as garbage. I
deleted the message and that was the end of it. How did it execute a
shell when you read the message? I didn't think pine had those
capabilities... I'm using version 3.91

From jimbell at pacifier.com Fri Jan 5 13:13:17 1996
From: jimbell at pacifier.com (jim bell)
Date: Sat, 6 Jan 1996 05:13:17 +0800
Subject: Representations of Pi, etc.
Message-ID:

At 11:45 PM 1/4/96 -0800, you wrote:
>At 3:19 AM 1/5/96, jim bell wrote:
>
>>But BTW, isn't it interesting, that news item from a few weeks ago, on an
>>algorithm for determining individual bits in Pi, regardless of whether
>>you've calculated all the previous ones. Only problem is, it only works in
>>hexadecimal (and, obviously, binary, etc, not decimal.
>                                           ^^^^^^^^^^^
>???
>
>I didn't see this result you mention, but it surprises me.

And practically everybody else, I'm sure! It was written up in Science
News magazine, BTW.

>The part about how it works in some bases, but not in decimal.

Well, by definition if it works in hex, it'll work in octal, "quadal"
(?), binary, etc. That's ASSUMED, since they would be subsets
(co-sets?) of each other.

>The "hand-waving" (motivational/informal) explanation for why I am
>surprised is that "Nature doesn't care about bipeds with 10 digits vs.
>bipeds, or whatever, with 2 digits or 16 digits." That is, results
>applicable in base 16, hexadecimal, should be easily applicable in base 10.

Yeah, well, I understand your frustration, but to me the really amazing
part is that the elephant flies at all, and not how well he flies ()
(In other words, the amazing thing is that there is a predictable
relationship in ANY base system)

Chances are the thing WON'T work in base 3,5,6,7,9,10,11,12,13,14,15,
and any other non 2**n base. Or, at least, it will take a DIFFERENT
equation to work in those other bases, if they work at all.

>And there are interesting properties about the distribution of digits in
>"random" numbers. Pi is of course not random by many definitions, but
>shares certain important properties with random numbers. (Or sequences, if
>you wish.) One of these properties is that of _regularity_, the
>frequency of digits. A regular number is one whose expansion has in the
>limit the same frequency for all digits, and this is so in any base.
>Thus, a regular number has an equal frequency (in the limit, blah blah)
>of 0s, 1s, 2s, 3s, etc. And switching to another base will not change this.

Not "regular," you used the wrong term. As a mathematician's term of
art, this is called "normal." In other words, equal numbers of digits
0-9, equal numbers of digit pairs 00-through 99, equal number of digit
triplets 000-999, etc.

A series of random numbers, by definition, must be "normal." But
"Normal" numbers do not necessarily have to be random. As you might
expect, however, testing for "normality" is a good first test of
"randomness."

(I'm not a mathematician, and I don't play one on TV. Don't be overly
impressed with the preceding knowledge; I'm sure there are dozens if
not a hundred people reading cypherpunks who know more math than I do.
I only got a 780 on the math portion of my SAT, 20 years ago... 790's
and 800's weren't all that uncommon.)

>I recollect that pi has been proved to be regular, i.e., that pi has an
>equal frequency of all digits, in the limit, in all bases.

Yes, pi is apparently "normal." (at least for the first 4 billion or so
digits...)

>(This is the sense in which we can argue that pi is "random." in the sense
>that there are no correlations, no dependence of the n+1th digit on the nth
>digit, and "no apparent order." Furthermore, there is no effective
>compression of pi, except by some tricks, such as _naming_ it (a dictionary
>compression, of sorts) or by specifying a program which computes it. Lots
>of interesting issues about the real meaning of randomness and
>compressibility, about the "logical depth" of certain computations, etc. I
>recommend "The Universal Turing Machine" (ed. by Haken, as I recall) for a
>nice set of articles on these fascinating issues.)

Of course, I'm not sure of the ramifications of this new discovery
(individual-digit computability of pi) on the facts you list...
(for example, inter-digit dependence) However, if the digital representations of the digits of pi were indeed still individually "random" and they could be individually computed rapidly enough, at least hypothetically you could use the digits of pi as a "one-time-pad". Obviously, everyone would know (at least, conceptually) the ENTIRE CONTENT of the pad; the only issue would be the location where you started. If the starting point was the key, and could be defined by a number of at least, say, 256-bits long, it might be a replacement for IDEA whose current length is fixed at 128 bits. I suppose the problem with this technique will probably be that it would take too long to calculate the (a number somewhere around 2**256) bit of pi, and for an n-bit message you'd have to do this n times. >In summary, I would be surprised to find that a method for calculating the >Nth digit of pi works for base N but not for base M (modulo some minor >efficiency factors related to machine architecture, etc.). I'm sure somebody else will have seen it. It was in Science News in the last couple of months, as I recall. Some kind soul will probably type it in. Maybe I can even retrieve my copy from my sister. From frissell at panix.com Fri Jan 5 13:16:20 1996 From: frissell at panix.com (Duncan Frissell) Date: Sat, 6 Jan 1996 05:16:20 +0800 Subject: Idiot's Guide to News via Compuserve Message-ID: <2.2.32.19960105203138.006a306c@panix.com> Idiots Guide to Reading Banned Newsgroups via CompuServe CompuServe (alone among the Big Three) gives all subscribers a PPP connection to the Net through any CIS node (including those in Germany). This is a real Net connection that makes it possible to use CIS to fully access all the Net's resources including "banned" newsgroups. A Point-to-Point Protocol (PPP) connection makes your computer just another machine on the Net for the time you are connected. Anything that any Net-connected machine can do, you can do. 
The CompuServe Dialer (formerly CompuServe Internet Dialer) software that has been included with WINCIM at least since version 1.4 gives you a PPP connection but you need additional newsreading software to dodge CompuServe restrictions.

So for real beginners, here is how you can use your CompuServe account to access banned newsgroups as well as the rest of the Internet. These instructions are for Windows users. MAC users can do the same things but I don't know the available MAC software.

1) Get the latest copy of WINCIM. GO WINCIM (hit Ctrl-G and type WINCIM in the dialog box) from within CIS. Download is free. Install it according to the instructions and make sure that you can log on to CIS.

2) Next, let's get a copy of Freeagent which is a free usenet newsreader which works with CompuServe's own Internet connection software. Log on to CIS. GO FTP or: Click the Internet icon, click the File Downloads (FTP) icon and proceed to the main FTP screen. Click the Access a Specific Site button.

3) Enter ftp.forteinc.com in the Site Name box and /pub/free_agent in the Directory box. Click OK and you should see some site login information. Click OK again and you should see a check box next to the file name fagent10.zip. Click the check box and then click the Retrieve button. Wincim will show you that it will save the file in the Compuserv\download directory on your hard drive. (Remember where it's going.) 744279 bytes later, you will have a copy of Freeagent.

4) Move the file fagent.zip into a directory by itself (C:\AGENT for example). Unzip it with Pkunzip or one of the many zip utilities available on CIS.

5) What you are going to do is to connect directly to the Internet via CompuServe and read usenet newsgroups using Freeagent. In order to do that, you will need to find a site somewhere on the Net that will let you read Usenet News for free or you will have to obtain an account on another Internet-connected machine.

6) Community ConneXion (c2.org) will give a month of free service to CompuServe members suffering from censorship. For information send email to uncensored at c2.org. After your free month, c2.org costs only $7.50 a month for accounts accessed via the Internet.

7) There are some news servers out there that are open to the public. A news server is just a machine connected to the Internet that stores and forwards Usenet news. The IP addresses of two of the open news servers are 198.70.185.5 and 205.139.39.1. Once you become a sophisticated user of the nets, you can use your Web Browser to pick up a longer list of open news servers at http://dana.ucc.nau.edu/~jwa/open-sites.html.

8) Now back to Free Agent to grab those banned newsgroups. In your WINCIM directory (maybe in a subdirectory called \cid), click cid.exe to start CompuServe (Internet) Dialer or find the phone-shaped dialer icon in your CompuServe group window. Inside the Dialer, hit dial to log on to the Internet.

9) Start Free Agent. Click Accept to accept the license agreement. It will prompt you to enter various information including the address of the news server you want to use, your email address, and other info. All that you have to enter is the address of a news server. In the box labeled "News (NNTP) Server:" enter one of the IP addresses of open news servers (198.70.185.5, 205.139.39.1, or another from the list) or the address of the news server of a system you've opened an account on (news.c2.org, for example).

10) Freeagent will ask you if it's OK to retrieve a list of news groups from the server. Click Yes. Free agent will then tell you that it is Retrieving complete List of Groups. Once that's finished you'll be ready to read all the newsgroups you want and neither CompuServe nor the Bavarian prosecutor will have anything to say about it.

"The Internet belongs to no one except its users."

From lmccarth at cs.umass.edu Fri Jan 5 13:40:55 1996
From: lmccarth at cs.umass.edu (lmccarth at cs.umass.edu)
Date: Sat, 6 Jan 1996 05:40:55 +0800
Subject: Idiot's Guide to News via Compuserve
In-Reply-To: <2.2.32.19960105203138.006a306c@panix.com>
Message-ID: <199601052055.PAA24269@opine.cs.umass.edu>

Duncan Frissell writes:
> Idiots Guide to Reading Banned Newsgroups via CompuServe
[...]

I have just put an HTMLized version of the full text on my web pages at http://www.cs.umass.edu/~lmccarth/cypherpunks/banned.html

Feel free to distribute this URL widely. Please send any comments on the HTMLizing etc. to me; comments on the content of the guide to Duncan.
Lewis McCarthy

From mpd at netcom.com Fri Jan 5 14:37:19 1996
From: mpd at netcom.com (Mike Duvos)
Date: Sat, 6 Jan 1996 06:37:19 +0800
Subject: Pi Stuff
Message-ID: <199601052115.NAA17798@netcom17.netcom.com>

Various amazed people on the Pi thread wrote:

> But BTW, isn't it interesting, that news item from a few
> weeks ago, on an algorithm for determining individual bits
> in Pi, regardless of whether you've calculated all the
> previous ones. Only problem is, it only works in
> hexadecimal (and, obviously, binary, etc, not decimal.

> I didn't see this result you mention, but it surprises me.

> Yeah, well, I understand your frustration, but to me the
> really amazing part is that the elephant flies at all, and
> not how well he flies () (In other words, the amazing
> thing is that there is a predictable relationship in ANY
> base system) Chances are the thing WON'T work in base
> 3,5,6,7,9,10,11,12,13,14,15, and any other non 2**n base.
> Or, at least, it will take a DIFFERENT equation to work in
> those other bases, if they work at all.

A few quick comments.

The notion that one might be able to compute digits of Pi efficiently at any starting point in the number is not late-breaking news. The Chudnovsky brothers developed a formula which permitted them to do this a number of years ago, and used it to compute Pi to several billion digits. Prior to that time, the Borweins' quartic iteration based on Ramanujan's modular identities and AGM techniques was the existing state of the art.

Given a base, d, and a finite ordinal, i, the function which computes the ith digit of the Pi in the base d is certainly a computable one. If we can find an algorithm for computing this function whose time as a function of "i" does not include the time required to compute all previous digits, then we are to a certain extent evaluating individual digits of Pi without calculating the previous ones.

One should keep in mind, however, that the degree to which such things are true for algorithms lies on a continuum, with a near-constant number of arithmetic operations at one end, and a geometric progression at the other. So it is not the classic either/or situation. Good algorithms whose times are tractable functions of "i" are certainly desirable, and have been discovered.

Someone suggested that radix conversion was a time-consuming operation. Modern FFT-based algorithms can do multiplication, division, Nth root, reciprocal, and base conversion in near-linear time.

Doubtless good algorithms to compute the Nth digit of Pi in any base do exist, but their form may not be as obvious as those for trivial bases, such as powers of two.

--
Mike Duvos $ PGP 2.6 Public Key available $
mpd at netcom.com $ via Finger. $

From hal9001 at panix.com Fri Jan 5 14:57:56 1996
From: hal9001 at panix.com (Robert A. Rosenberg)
Date: Sat, 6 Jan 1996 06:57:56 +0800
Subject: Massey, CEO of Compuserve, on Internet
Message-ID:

At 13:55 1/4/96, Tony Iannotti wrote:
>On Thu, 4 Jan 1996, Robert A. Rosenberg wrote:
>
>> Yes it would require that the Node be checked in the Software. What I was
>> responding to was a claim that there is no way of telling where I am
>> connecting from (which I disproved). As to calling a non-German Node, that
>> is always an option.
>
>Yes, I agree. I think the real difference is that they really cannot tell
>where you are calling from, even though they know where you are
>connecting.
Since the German Government (or the local "DA" who is claiming to represent the National Government) is talking about delivery of banned items in Germany, I think that the relevant location is the node that is being used not where the other end of the call to that node is located. What is being requested is that CIS refrain from delivering the stuff to the Nodes in Germany (they are not being told to monitor someone in Germany who is trying to get it by calling LD to a node in France (or the US for that matter)).

From raph at c2.org Fri Jan 5 15:04:07 1996
From: raph at c2.org (Raph Levien)
Date: Sat, 6 Jan 1996 07:04:07 +0800
Subject: An open letter to Commtouch
Message-ID: <199601052139.NAA20363@infinity.c2.org>

Hi Commtouch people,

I am intrigued and hopeful about your secure e-mail product, Pronto Secure. However, I am puzzled about its support for POTP encryption. The other encryption protocols (PGP, PEM, MOSS, and S/MIME) have all been reviewed carefully by outside experts, and there is general consensus that these protocols embody state-of-the-art cryptographic technology, and that there are no known major security flaws.

POTP stands out on your list because such a review has not been carried out. In fact, grave doubts have been raised regarding its security, and (to my taste, anyway) not satisfactorily answered. I do not wish to raise those points here, nor do I wish to claim here that POTP is insecure. However, I believe the reputation of your product is drawn into question by association.

Should POTP be definitively demonstrated to be weak, then it would not be the case that using your product according to the instructions would provide "security." Further, I would consider it slightly misleading to describe it as "mission-critical."

I feel the situation is analogous to that of a hypothetical networking company claiming that their product delivers high bandwidth by offering the choice of ATM, Myrinet, 100Mbps Ethernet, or string and tin cans.

That said, I applaud your multiprotocol approach in general. In fact, I feel it is the future of Internet security tools. I hope your product gains widespread acceptance, and helps to further the cause of deployment of strong crypto.

Raph Levien

From mwohler at ix.netcom.com Fri Jan 5 15:05:06 1996
From: mwohler at ix.netcom.com (Marc J. Wohler)
Date: Sat, 6 Jan 1996 07:05:06 +0800
Subject: No Subject
Message-ID: <199601052142.NAA22262@ix6.ix.netcom.com>

Anyone know of the status of the Phil Zimmermann Grand Jury investigation? Is there a Statute of Limitations or what?

***Preserve, Protect and Defend the private use of Strong Crypto***
* * * PGP for the masses * * *
Finger mjwohler at netcom.com for Marc Wohler's public key
fingerprint= F1 70 23 13 91 B5 10 63 0F CF 33 AD BE E6 7B B6

From Steve14571 at aol.com Fri Jan 5 15:33:34 1996
From: Steve14571 at aol.com (Steve14571 at aol.com)
Date: Sat, 6 Jan 1996 07:33:34 +0800
Subject: FreeBSD user
Message-ID: <960105181333_32916749@mail02.mail.aol.com>

In a message dated 96-01-04 18:44:46 EST, you write:

> Am I the only one who has received three unreadable
>messages from this address on cypherpunks?

No, I have them too... What is going on?
Pvt Stephen Herbert
United States Marine Corps

From jya at pipeline.com Fri Jan 5 15:53:52 1996
From: jya at pipeline.com (John Young)
Date: Sat, 6 Jan 1996 07:53:52 +0800
Subject: New Mitnick Book
Message-ID: <199601052331.SAA07024@pipe4.nyc.pipeline.com>

Responding to msg by bdavis at thepoint.net (Brian Davis) on Fri, 5 Jan 3:4 PM

Here's Littman on what the Feds knew about Markoff at Raleigh (Orsak and Murphy are with Sprint Cellular; Kent Walker was US Attorney in San Francisco):

Monday afternoon, Special Agent LeVord Burns sits by the coffee pot and vending machine at the Sprint switch and debates the legal issues with Shimomura. "Tsutomu wanted us to kick his door down," recalls Orsak, who along with Murphy, listened in. "Burns was talking about what warrants had been issued, what the FBI was going to do."

Burns impresses Orsak. A well-built, bespectacled black man in a suit and tie, Burns looks like the kind of FBI agent that doesn't miss details. As Burns recounts Mitnick's background, Orsak is surprised by what the agent says about Mitnick. "Burns said there were a lot of guys that as far as national security went were a lot more dangerous than Mitnick -- that a lot of professional hackers are a lot more dangerous." To Orsak, cyberspace's Most Wanted Hacker doesn't sound all that threatening. "One of the more interesting things, I thought, was the FBI goes, 'As far as hackers go,' Mitnick was 'benign.' They didn't have evidence he was in it for the money."

A little later, John Markoff and Shimomura's girlfriend, Julia Menapace, who just flew in, arrive at the switch. Orsak and Murphy invite Shimomura's team, Burns, and two other FBI agents from Quantico, Virginia, out to Ragazzi's, a casual Italian restaurant nearby. Orsak spreads out a Raleigh street plan on the checkered tablecloth and pinpoints Mitnick's location.

"LeVord was telling us what his involvement was for the FBI," recalls Murphy. "It was light banter. LeVord assumed like we all did, that Markoff was just another guy out of California. Just another egghead. One of Tsutomu's."

Markoff gets everyone's ear when he mentions Mitnick inspired the hit movie WarGames. "Markoff was filling us in on Mitnick's typical behavior, the different people Mitnick had run-ins with," recalls Murphy. "A guy in England, a guy in Princeton, one at Digital." Then, Markoff runs through some of Mitnick's aliases. One of the phony names rings a bell with Murphy. After dinner, the whole crew heads back to the switch, and just as Murphy suspected, he finds a memo describing a recent attempt by someone using the alias to social engineer a new bunch of MINs.

Meanwhile, the FBI is bumping up against a technical problem. The agents had planned to install the FBI's own bulky scanning equipment in a rental van, but they can't find one. Murphy suggests using his co-worker Fred's minivan. Burns gives the idea the green light, and Orsak helps the agents set up and calibrate their equipment in Fred's van.

Around midnight, Fred chauffeurs the two agents to circle the cell site to calibrate their scanning equipment. Fred and the FBI agents get to talking. "He [Fred] let the cat out of the bag," confides Murphy. "We didn't tell him not to say anything. We weren't trying to hide it, but we were also not trying to convey it. He told them Markoff wrote a book on this guy."

The boys from Quantico aren't happy. "They freaked," recalls Murphy. "They thought Markoff would tip the guy [Mitnick] so he could write another book."

One of the Quantico agents phones the Sprint switch to confirm Markoff's identity. "Me, Markoff, Tsutomu, and Julia were at the switch," remembers Murphy. "One of the Quantico guys was on the phone. He wanted to talk to Tsutomu."

Murphy passes the phone to Shimomura. "He [Shimomura] wasn't about to lie," says Murphy of the tense moment. "He [Shimomura] was trying to evade a little bit.
He said that Kent Walker knew about Markoff being there, which of course Walker did." Murphy, Markoff, and Menapace listen to Shimomura. "Kent knows about it," insists Shimomura to the agent from Quantico. "He's cleared through Kent." But Kent Walker later denied ever giving Shimomura such approval or knowing John Markoff was in Raleigh. Shimomura later disputed Murphy's account and said he "never told anyone from law enforcement that anyone had authorized Markoff's presence in Raleigh." (pp. 357-58)

From wlkngowl at unix.asb.com Fri Jan 5 15:56:42 1996
From: wlkngowl at unix.asb.com (wlkngowl at unix.asb.com)
Date: Sat, 6 Jan 1996 07:56:42 +0800
Subject: More Noise Sphere Noise (simple source code)
Message-ID: <199601051236.HAA28251@UNiX.asb.com>

Ok, no language holy wars. This was a quickie to test out the Noise Sphere plotting. It's in Pascal, but it's understandable.

{ Simple demo of a Noise Sphere in Turbo Pascal }
{ (If only I had a really awful RNG to test it with...) }

program NoiseSphere;

uses Graph, Crt;

const
  BGIPath = ''; { where those silly Borland *.BGI drivers are }

var
  GraphMode, GraphDriver: Integer;

type
  Polar = record
    r, theta, phi: Real;
  end;
  Cartesian = record
    x,y,z: Real;
  end;

{ Convert a point from spherical to Cartesian coordinates }
procedure PolarToCartesian(var P: Polar; var C: Cartesian);
begin
  C.x := P.r * Sin(P.phi) * Cos(P.theta);
  C.y := P.r * Sin(P.phi) * Sin(P.theta);
  C.z := P.r * Cos(P.phi);
end;

{ Plot the y-z, x-y and x-z projections of the point side by side }
procedure Plot(var C: Cartesian);
begin
  with C do begin
    PutPixel(100+(Round(100*y)), 200-(Round(120*z)), Yellow);
    PutPixel(320+(Round(100*x)), 200-(Round(120*y)), Red);
    PutPixel(540+(Round(100*x)), 200-(Round(120*z)), Blue);
  end;
  Delay(1);
end;

{ Map a byte 0..255 into the interval [0,1) }
function ByteToReal(b: Byte): Real;
begin
  ByteToReal := b / 256;
end;

function InitScreen: Integer;
begin
  GraphMode := VGAHi;
  GraphDriver := EGA;
  InitGraph(GraphDriver,GraphMode,BGIPath);
  InitScreen := GraphResult;
end;

var
  n: LongInt;
  X: Array [ 0..2 ] of Real; { the three most recent RNG outputs }
  P: Polar;
  C: Cartesian;

begin
  InitScreen;
  Randomize;
  for n := 0 to 2 do
    X[n] := {$ifdef USEDEV} {$else} ByteToReal(Random(256)); {$endif}
  n := 0;
  repeat
    { each point is built from three successive outputs }
    with P do begin
      r := Sqrt(X[(n+2) mod 3]);
      theta := pi * X[(n+1) mod 3];
      phi := 2 * pi * X[n];
    end;
    PolarToCartesian(P,C);
    Plot(C);
    { replace the oldest value and advance the window }
    X[n] := {$ifdef USEDEV} {$else} ByteToReal(Random(256)); {$endif}
    n := (n + 1) mod 3;
  until KeyPressed;
  ReadKey;
  RestoreCrtMode;
end.

From adam at lighthouse.homeport.org Fri Jan 5 16:18:21 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Sat, 6 Jan 1996 08:18:21 +0800
Subject: Mixmaster In a Box
Message-ID: <199601060006.TAA20848@homeport.org>

Towards the goal of making Mixmasters in a box, I've written an installer script for mixmaster. If you're running on one of the supported platforms (alpha, bsdi, hpux, linux, sunos, solaris), the script will walk you through everything from the make to setting up cron jobs & /etc/aliases.

If you've been putting off setting up a remailer because it's a pain, give this a shot. Lance will probably be including it in the next release of mixmaster, but you can get it now by sending me a message with the Subject: get mix-installer.

Comments, bugs, bug fixes are welcome. Thanks to Rich $alz for extensive comments & suggestions for portability.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From wlkngowl at unix.asb.com Fri Jan 5 16:32:18 1996
From: wlkngowl at unix.asb.com (Mutatis Mutantdis)
Date: Sat, 6 Jan 1996 08:32:18 +0800
Subject: More Noise Sphere Noise (simple source code)
Message-ID: <199601051644.LAA01347@UNiX.asb.com>

On Fri, 05 Jan 96 07:24:03, I wrote:

>Ok, no language holy wars. This was a quickie to test out
>the Noise Sphere plotting. It's in Pascal, but it's
>understandable.

>{ Simple demo of a Noise Sphere in Turbo Pascal }
>{ (If only I had a really awful RNG to test it with...) }

Odd... That came through on the mail/news gateway but the preceding article that explains what that was about didn't.... did anyone receive it?

In case not, it's based on Clifford A.
Pickover's paper "Random Number Generators: Pretty Good Ones are Easy to Find" which doesn't deal with useful RNGs for crypto sense, but the paper does explain ways to visually represent RNGs so that seemingly good RNGs show their awful correlations, etc.

My previous post that should have showed up mentioned that these methods might be useful for checking out crypto functions (hashes, pRNGs, ciphers).

The full reference is The Visual Computer (1995) 11:369-377, Springer Verlag, 1995.

From mpj at netcom.com Fri Jan 5 16:52:10 1996
From: mpj at netcom.com (Michael Paul Johnson)
Date: Sat, 6 Jan 1996 08:52:10 +0800
Subject: Ruby Block Cipher Mark 5
Message-ID:

The Ruby Block Cipher, Mark 4, had some problems with slow avalanche with a worst-case input, as well as some really amateurish reference code bugs that I apologize for. The good news is that these things have (I hope) all been corrected in the Ruby Block Cipher, Mark 5. The biggest change to the algorithm is that the "family key" is no longer simply added (modulo 2) to the input blocks, but is used in add and multiply steps to eliminate the old worst case avalanche patterns.

The Ruby Block Cipher is not a general block cipher in that it cannot be used in Electronic Codebook (ECB) mode. It is a cryptographic hash function with a block size of only 64 bits. Of course, 64 bits is too short for a cryptographic hash function intended for digital signature use, but it is just fine for a quick block cipher.

This may be a good reference for those folks who want a quick & easy encryption algorithm that need not withstand nuclear attack but can provide something better than common weak encryption methods in use in the software industry. The small amount of code, fast operation, and lack of the need for a lengthy key setup time are definite advantages where computing resources are at a premium. On the other hand, fast key setup time substantially reduces the cost of a brute force attack on the key, so use of the full 64 bits of the key is essential.

Your comments and suggestions on this rather strange little cipher are welcome and encouraged. I'm particularly interested in any ideas as to how many rounds (the STRENGTH constant in the source code) are appropriate for well-balanced security.

Information on the Ruby Block Cipher is available as
ftp://ftp.csn.net/mpj/public/ruby_m5.ps.gz or
ftp://ftp.csn.net/mpj/public/ruby_m5.rtf.gz
and, if you are in the USA or Canada, a reference implementation and a sample file encryption program with free source code is in
ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/mpj/ruby_m5.zip
where the ??????? is revealed in
ftp://ftp.csn.net/mpj/README

ruby_m5.zip is also available on the Colorado Catacombs BBS at 303-772-1062.

I urge caution in using such a new cipher in actual applications, but if you feel the need to, you might consider asking me if any known weaknesses have been reported before you do.

Note: this is not a product for sale (it is free and probably worth at least as much as you pay for it). It is also not a prepublication (it is THE publication in electronic form with no paper publication anticipated in the near future).

Michael Paul Johnson  Colorado Catacombs BBS 303-772-1062
PO Box 1151, Longmont CO 80502-1151 USA  Jesus is alive!
mpj at csn.net aka mpj at netcom.com m.p.johnson at ieee.org
ftp://ftp.csn.net/mpj/README.MPJ  CIS: 71331,2332
http://www.csn.net/~mpj -. --- ----- ....
PGPprint=F2 5E A1 C1 A6 CF EF 71 12 1F 91 92 6A ED AE A9

Please include my address on followups, since I don't read all mail on this wonderful (but high volume) list. Thanks!

mpj at netcom.com

From futplex at pseudonym.com Fri Jan 5 16:54:30 1996
From: futplex at pseudonym.com (Futplex)
Date: Sat, 6 Jan 1996 08:54:30 +0800
Subject: 2047 bit keys in PGP
In-Reply-To: <199601051026.VAA20257@sweeney.cs.monash.edu.au>
Message-ID: <199601052219.RAA24875@opine.cs.umass.edu>

Jiri Baum writes:
> This is not really the case. The way PGP is set up, the operations
> that take a long time are those that involve the secret key - signing
> and decrypting. Encrypting and checking signatures are much quicker.
>
> In other words, the person that chooses the key is the one that'll
> be most delayed.
>
> (I think it's something to do with the relative sizes of the exponents.)

Right. We can (generally) make a "small" choice of the public exponent e, with a corresponding "large" choice of the private exponent d, rather than having them both "medium-sized". A "small" choice of d, however, would be easy to guess, which is a Bad Thing (tm).

Futplex
*** Welcome to Cypherpunks -- Now Go Home ***

From rsalz at osf.org Fri Jan 5 16:57:38 1996
From: rsalz at osf.org (Rich Salz)
Date: Sat, 6 Jan 1996 08:57:38 +0800
Subject: http://www.rsa.com/rsalabs/cryptobytes/
Message-ID: <9601051755.AA04835@sulphur.osf.org>

FYI.

---------- Begin Forwarded Message ----------
From:
Message-ID: <30ED605E-00000001 at wotan.gte.com>
Date: Fri, 05 Jan 1996 12:31:08 EST
Subject: Recent cryptographic findings
To: ietf-pkix at tandem.com

For those who may not have seen it, the most recent issue of CryptoBytes (Vol1, No. 3) put out by RSA Laboratories has a wealth of information in it.

I have not had the time to fully digest the importance of all of the articles, but in the first one Adi Shamir has proposed an "unbalanced RSA" variant of RSA which "makes it possible to increase the modulus size from 500 bits to 5,000 bits without any speed penalty."

Another article discusses means of deliberately constructing collisions (due to Hans Dobbertin of the German Information Security Agency) when using MD4, and concludes that "where MD4 is in use, it should be replaced." So far, at least, it appears that MD5, RIPEMD, and SHA-1 would resist this kind of attack, but a certain amount of nervousness might be in order.

(Hugo Krawczyk of IBM Research and I considered some of these possibilities in conjunction with work we did on the SEPP protocol, which uses a salted hash function as a means of confirming the knowledge of a secret to a third party without having to use encryption.
We were concerned that collisions might be possible, and also that it might be possible to partially reverse a hash function and glean at least information about the message that was being hashed, (the credit card number) in the case of a very short message. We ended up proposing a combination 140-bit hash function which includes both MD5 and SHA-1, assuming that it would be much more difficult to break both algorithms than just one. I will post the analysis to this list in a subsequent message.) Finally, Burt Kaliski provides a compendium of some of the possible attacks against RSA, and discusses simple and practical countermeasures. It seems to me that the most important of the various attacks involve the encryption and decryption of small messages. Since small messages are frequently generated for key exchange and for signature purposes, it is important that we consider these issues carefully. In particular, the use of pseudo-random padding for both encryption (a la the Bellare-Rogaway Optimal Asymmetric Encryption Padding) seems very beneficial, and padding is also important in the signature block. This group certainly ought to examine these issues very carefully, and we should probably give serious consideration to adopting OAEP for message encryption and key exchange. I believe we should also give serious consideration to an increased length message digest function such as SHA-1, and perhaps incorporate the use of multiple message digest algorithms for particularly important signatures, e.g., CA certificates. The back issues of CryptoBytes are available at http://www.rsa.com/rsalabs/cryptobytes/. Bob ---------------------------- Robert R. Jueneman GTE Laboratories 1-617-466-2820 Office "The opinions expressed are my own, and may or may not reflect the official position of GTE, if any." ----------- End Forwarded Message ----------- From baldwin at RSA.COM Fri Jan 5 17:02:11 1996 From: baldwin at RSA.COM (baldwin (Robert W. 
Baldwin)) Date: Sat, 6 Jan 1996 09:02:11 +0800 Subject: RSA's Art gallery is now on the web Message-ID: <9600058208.AA820864531@snail.rsa.com> Are you tired of the clip art you downloaded last week? Do you need a new background screen for your PC? Does your cubicle need something to give it character? Look no further. Visit the RSA Data Security Art Gallery and download to your heart's content. We have such classics as the "Sink Clipper" T-shirt image, and our latest "We Hear You" poster by the famous political cartoonist, Dan Perkins (a.k.a. Tom Tomorrow). Don't miss our rendition of the NSA logo ("We read your mail, so you don't have to"). More art will be coming soon. Feel free to send us your favorite images, or ideas (webmaven at rsa.com). --Bob Baldwin RSA Data Security From goedel at tezcat.com Fri Jan 5 17:36:39 1996 From: goedel at tezcat.com (Dietrich J. Kappe) Date: Sat, 6 Jan 1996 09:36:39 +0800 Subject: Representations of Pi, etc. Message-ID: tcmay at got.net (Timothy C. May) wrote: >I didn't see this result you mention, but it surprises me. The part about >how it works in some bases, but not in decimal. > >The "hand-waving" (motivational/informal) explanation for why I am >surprised is that "Nature doesn't care about bipeds with 10 digits vs. >bipeds, or whatever, with 2 digits or 16 digits." That is, results >applicable in base 16, hexadecimal, should be easily applicable in base 10. Since we're talking about digits rather than numbers, I can see why base to some power of 2 might turn out to be significant. The trivial base 2 or 16 to base 10 conversion isn't useful if you're working with a single digit. Ah well, it's fruitless to guess without looking at the result. Let me close by saying that in decimal notation, not a single digit of Klarner's Konstant is known. Not really relevant, but it's as close a chance as I get to mentioning my research. :-) Dietrich J. Kappe | Web Publishing: http://www.redweb.com Red Planet, L.L.C. 
| Chess Space: http://www.redweb.com/chess 1-800-RED 0 WEB | MS Access: http://www.redweb.com/cobre RedPlanet at redweb.com | Comics: http://www.redweb.com/wraithspace From tallpaul at pipeline.com Fri Jan 5 18:20:21 1996 From: tallpaul at pipeline.com (tallpaul) Date: Sat, 6 Jan 1996 10:20:21 +0800 Subject: Mixmaster On A $20 Floppy? Message-ID: <199601060155.UAA13574@pipe3.nyc.pipeline.com> On Jan 05, 1996 19:06:21, 'Adam Shostack ' wrote: > Towords the goal of making Mixmasters in a box, I've written >an installer script for mixmaster. If you're running on one of the >supported platforms (alpha, bsdi, hpux, linux, sunos, solaris), the >script will walk you through everything from the make to setting up >cron jobs & /etc/aliases. > > If you've been putting off setting up a remailer because its a >pain, give this a shot. Lance will probably be including it in the >next release of mixmaster, but you can get it now by sending me a >message with the Subject: get mix-installer. > > Comments, bugs, bug fixes are welcome. Thanks to Rich $alz >for a extensive comments & suggestions for portability. > >Adam > I've reports that the latest version of SyQuest's external parallel port EZ135 "floppy" drive is due on the shelves this month. Also reported is the ability to effectively boot off the thing, and thus run whatever OS resides on the SyQuest "floppy" rather than an OS that has to be on the host's hard drive partition. Weight, under two pounds. Price ~$US250. Capacity 135 Mb formatted. Price of spare disks: $US 20. Take it off a computer. Put it in a briefcase. Carry it with you nicely out of public view. Hook it up to another machine and .... Question 1: Can you fit linux, pgp, mixmaster, etc. on the 135 Mb disk and have enough useful space left over for a useful amount of data? 
Question 2: Anybody want to speculate on what traffic analysis is like when encrypted data comes INTO one known Mixmaster site but goes OUT on one or more "unknown" or (partially) random Mixmaster sites? Question 3: Anyone want to speculate on what data recovery is like when encrypted data and the horse it rode in (and out) on has all been physically destroyed at a replacement cost of only $US20? -- -- tallpaul -- "If they think you're crude, go technical; if they think you're technical, go crude." William Gibson "Johnny Mnemonic" From tcmay at got.net Fri Jan 5 18:21:24 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 6 Jan 1996 10:21:24 +0800 Subject: Big Bill: "You will be assimilated" Message-ID: At 7:37 PM 1/5/96, Duncan Frissell wrote: >At 01:47 PM 1/5/96 -0500, Gordon Campbell wrote: >>At 12:56 AM 1/5/96 -0500, Larry Sudduth wrote: >> >>>Attachment Converted: C:\WORK\WINMAIL.DAT >> >>What, pray tell, is this? >> > >When a MS Mail attachment wanders around the world, it is accompanied by a >data file of some kind. That is winmail.dat. So every MS MAIL attachment >is really two attachments. Try to ignore it. You know, between Microsoft Mail, Microsoft Exchange, and other weirdnesses associated with Microsoft, it's almost as if Big Bill (the guy in Washington, but not D.C.) is trying to tell us be assimilated or face continued pseudo-spamming. (No insult to Microsoft intended, but other companies seem to understand it is up to them to make efforts to comply with conventional Internet standards, while MS seems to relish doing things its own way, the rest of us be damned.) I hate the thought of putting all Microsoft domain addresses in my kill file, but at least it solves the problem. --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. 
May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jya at pipeline.com Fri Jan 5 18:22:20 1996 From: jya at pipeline.com (John Young) Date: Sat, 6 Jan 1996 10:22:20 +0800 Subject: Crypto Rules Report Message-ID: <199601060141.UAA21362@pipe1.nyc.pipeline.com> In response to the December Financial Times article "Encryption Rules Coming," about an international cryptography meeting in Paris, and our request for additional information, we have received from nobody: Report of the Business-Government Forum on Global Cryptogoraphy Policy Held on 19-20 December 1995 in Paris Detailed Report The report includes meeting background information, notes on the speakers articulation of the positions of industry and governments, and four annexes: 1. List of participants (EU, US, Japan -- biz and gov); 2. Statement of Eurobit-ITAC-ITI-JEIDA which sets out 20 principles of global cryptographic policy; 3. Statement by the Infosec Business Advisory Group (IBAG) on 17 principles of international cryptography; 4. The Mike Nelson Policy Problem (last point: "No one trusts anyone.") It would be great if someone would provide an FTP site. It is about 31 kb. From ravage at ssz.com Fri Jan 5 18:39:34 1996 From: ravage at ssz.com (Jim Choate) Date: Sat, 6 Jan 1996 10:39:34 +0800 Subject: get mix-installer. (fwd) Message-ID: <199601060224.UAA04211@einstein.ssz.com> Forwarded message: >From adam at lighthouse.homeport.org Fri Jan 5 20:23:21 1996 From: Adam Shostack Message-Id: <199601060225.VAA21165 at homeport.org> Subject: Re: get mix-installer. 
To: ravage at ssz.com (Jim Choate) Date: Fri, 5 Jan 1996 21:25:59 -0500 (EST) In-Reply-To: <199601060152.TAA04065 at einstein.ssz.com> from "Jim Choate" at Jan 5, 96 07:52:17 pm X-Mailer: ELM [version 2.4 PL24 ME8b] Content-Type: text Content-Length: 367 Jim Choate wrote: | I would like a copy to use in my consulting business as well as put on the | Austin Cypherpunks ftp site. Both are fine. I assume that a copy was auto mailed to you; let me know if there is a problem. May I ask who pays to get mixmasters installed? -- "It is seldom that liberty of any kind is lost all at once." -Hume From ravage at ssz.com Fri Jan 5 18:39:41 1996 From: ravage at ssz.com (Jim Choate) Date: Sat, 6 Jan 1996 10:39:41 +0800 Subject: get mix-installer. (fwd) Message-ID: <199601060223.UAA04181@einstein.ssz.com> Forwarded message: > From adam at lighthouse.homeport.org Fri Jan 5 19:52:45 1996 > Date: Fri, 5 Jan 1996 20:55:25 -0500 > From: Adam Shostack > Message-Id: <199601060155.UAA21106 at homeport.org> > To: ravage at ssz.com > Subject: Re: get mix-installer. > References: <199601060152.TAA04065 at einstein.ssz.com> > In-Reply-To: <199601060152.TAA04065 at einstein.ssz.com> > Precedence: junk > > I followed the request information per the original posting by Adam and received this in reply. This leads me to believe that Mr. Shostack is basically unwilling to fulfill his own promises. My advice, avoid like the plague. Caveat emptor. From ravage at ssz.com Fri Jan 5 18:57:36 1996 From: ravage at ssz.com (Jim Choate) Date: Sat, 6 Jan 1996 10:57:36 +0800 Subject: get mix-installer. (fwd) Message-ID: <199601060231.UAA04264@einstein.ssz.com> Forwarded message: > From adam at lighthouse.homeport.org Fri Jan 5 20:23:21 1996 > From: Adam Shostack > Message-Id: <199601060225.VAA21165 at homeport.org> > Subject: Re: get mix-installer. 
> To: ravage at ssz.com (Jim Choate) > Date: Fri, 5 Jan 1996 21:25:59 -0500 (EST) > In-Reply-To: <199601060152.TAA04065 at einstein.ssz.com> from "Jim Choate" at Jan 5, 96 07:52:17 pm > X-Mailer: ELM [version 2.4 PL24 ME8b] > Content-Type: text > Content-Length: 367 > > Jim Choate wrote: > > | I would like a copy to use in my consulting business as well as put on the > | Austin Cypherpunks ftp site. > > Both are fine. I assume that a copy was auto mailed to you; let me > know if there is a problem. > > > May I ask who pays to get mixmasters installed? > > -- > "It is seldom that liberty of any kind is lost all at once." > -Hume > In an earlier message I received from Adam I mistook his auto-remailer script's response as a refusal to supply the aforementioned code. I apologize for my ignorance and retract any negative statements or implications that I may have made. In the last year I have had a couple of local business people and about a dozen individuals ask about remailers and using PGP. I currently have a couple of state political activists in the gun lobby who have begun using it for internal communications. I am hoping to have another machine installed in the next couple of weeks with mixmaster available. It is my intention to run a remailer here in Texas with the help of the local cpunks (I hope) in order to demonstrate what the technology is capable of. I see this script as a major advance in making the software more palatable to the general populace. My current business plan is to educate several international translators I work with about the technology. They work with foreign patents being applied for here in the US and they typically must sign non-disclosure agreements to get the contracts. Such technology may be something they find useful. Jim Choate From futplex at pseudonym.com Fri Jan 5 19:05:58 1996 From: futplex at pseudonym.com (Futplex) Date: Sat, 6 Jan 1996 11:05:58 +0800 Subject: get mix-installer. 
(fwd) In-Reply-To: <199601060223.UAA04181@einstein.ssz.com> Message-ID: <199601060232.VAA09545@thor.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- Jim Choate writes: > I followed the request information per the original posting by Adam and > received this in reply. > > This leads me to believe that Mr. Shostack is basically unwilling to fulfill > his own promises. My advice, avoid like the plague. > > Caveat emptor. Chill the fuck out (this obscenity brought to you by the U.S. Congress). Adam has already posted an earlier version of the script to the Mixmaster mailing list. It's not vaporware. Besides, Adam has been around and contributing for quite a while. Smearing his rather excellent c'punk reputation because of (probably) a malfunctioning procmail recipe isn't terribly productive, or neighborly. Futplex -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- From lmccarth at cs.umass.edu Fri Jan 5 19:14:24 1996 From: lmccarth at cs.umass.edu (lmccarth at cs.umass.edu) Date: Sat, 6 Jan 1996 11:14:24 +0800 Subject: Crypto Rules Report In-Reply-To: Message-ID: <199601060259.VAA27843@thor.cs.umass.edu> (John and Aleph, strike my last message) A copy of the report John mentioned is now on http://www.cs.umass.edu/~lmccarth/cypherpunks/icl.txt From delznic at storm.net Fri Jan 5 20:12:29 1996 From: delznic at storm.net (Douglas F. 
Elznic) Date: Sat, 6 Jan 1996 12:12:29 +0800 Subject: WIRE TAP ON NET Message-ID: <2.2.16.19960106040018.259fb770@terminus.storm.net> E-MAIL-TAP NETS CRIMINALS The first-ever court-approved wiretap of an e-mail account has resulted in the arrest of three people charged with running a sophisticated cellular-fraud ring. The alleged mastermind, a German electrical engineer, advertised his illicit wares on CompuServe, where they caught the attention of an engineer at AT&T's wireless unit. The Secret Service and the Drug Enforcement Agency then got into the act and obtained the Justice Dept.'s permission to intercept e-mail messages between the alleged perpetrator and his accomplices. "This case represents the challenges in the future if we can't get ahead of the curve in technology," says a U.S. attorney, whose office is prosecuting the case. (Wall Street Journal 2 Jan 96 p16) -- ==================Douglas Elznic=================== delznic at storm.net http://www.vcomm.net/~delznic/ (315)682-5489 (315)682-1647 4877 Firethorn Circle Manlius, NY 13104 "Challenge the system, question the rules." =================================================== PGP key available: http://www.vcomm.net/~delznic/pgpkey.asc PGP Fingerprint: 68 6F 89 F6 F0 58 AE 22 14 8A 31 2A E5 5C FD A5 =================================================== From mpd at netcom.com Fri Jan 5 21:52:36 1996 From: mpd at netcom.com (Mike Duvos) Date: Sat, 6 Jan 1996 13:52:36 +0800 Subject: Pi Stuff In-Reply-To: Message-ID: <199601060513.VAA12559@netcom21.netcom.com> jim bell writes: > While I'm not an expert at this, I think you're > misrepresented the Chudnovsky result. They formulated an > equation that allowed "you" to continue the calculation > past "N" digits as long as you had the result that far. That property would be possessed by any self-correcting iteration which converged in a neighborhood of Pi. 
It would not be necessary to repeat one's earlier calculations at increased precision in order to determine Pi to additional digits. One could just use the previous calculations as a starting point and continue to iterate, doing the new calculations to extended precision. I believe the Chudnovskys proved a much stronger result than this, although precisely what it was escapes me at the moment. [Please hum the theme to "Final Jeopardy" while I look up Chudnovsky's formula] Good - it's in the sci.math FAQ.

Set
k_1 = 545140134
k_2 = 13591409
k_3 = 640320
k_4 = 100100025
k_5 = 327843840
k_6 = 53360;

Then pi = (k_6 sqrt(k_3))/(S), where

S = sum_(n = 0)^oo (-1)^n ((6n)!(k_2 + nk_1))/(n!^3 (3n)! (8 k_4 k_5)^n)

This converges linearly at about 14 digits a term, and carries forward a sufficiently small amount of state that one can iterate into the billions of digits without the CPU requirements becoming painful. So it basically functions as a digit generator for Pi, which, when appropriately initialized, will work on any part of the number and emit the appropriate output. The denominator simplifies in a special way which keeps the computation localized to a small neighborhood of the place where the new digits are appearing. > As far as I know, they DID NOT generate any formula for the > generation of isolated digits of pi, the more recent news. I guess you're right about it not having the specific form of a function which takes "i" as input and emits the "ith" bit. Nonetheless, the discovery of this particular formula and the way in which its computational requirements expand tastefully with increasing numbers of digits hints strongly at the existence of the aforementioned closed solution. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. 
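The series quoted in the message above can be checked numerically. The following Python is an added example, not part of the original post: it sums the first few terms with the constants k_1 to k_6 exactly as quoted and counts how many decimals of pi each partial sum gets right. The function names and the 50-decimal reference value of pi are supplied here.

```python
from decimal import Decimal, localcontext
from math import factorial

# Constants exactly as quoted in the post (sci.math FAQ form).
K1, K2, K3 = 545140134, 13591409, 640320
K4, K5, K6 = 100100025, 327843840, 53360

# Reference value of pi to 50 decimals (supplied for this example).
PI_REF = "3.14159265358979323846264338327950288419716939937510"


def chudnovsky_pi(terms, digits=60):
    """Approximate pi from the first `terms` terms of the quoted series.

    pi = K6 * sqrt(K3) / S, with
    S = sum_n (-1)^n (6n)! (K2 + n*K1) / (n!^3 (3n)! (8*K4*K5)^n)
    """
    if terms < 1:
        raise ValueError("need at least one term")
    with localcontext() as ctx:
        ctx.prec = digits + 10          # a few guard digits
        base = 8 * K4 * K5              # this product equals K3**3
        total = Decimal(0)
        for n in range(terms):
            # Numerator and denominator are exact integers; only the
            # final division is rounded to the working precision.
            num = factorial(6 * n) * (K2 + n * K1)
            den = factorial(n) ** 3 * factorial(3 * n) * base ** n
            term = Decimal(num) / Decimal(den)
            total += -term if n % 2 else term
        return Decimal(K6) * Decimal(K3).sqrt() / total


def matching_decimals(value):
    """Count leading decimals of `value` that agree with PI_REF (max 50)."""
    count = 0
    for got, want in zip(str(value)[2:], PI_REF[2:]):
        if got != want:
            break
        count += 1
    return count


def digits_per_term(max_terms=4):
    """Correct decimals after 1, 2, ..., max_terms terms of the series."""
    return [matching_decimals(chudnovsky_pi(t)) for t in range(1, max_terms + 1)]


if __name__ == "__main__":
    for terms, good in enumerate(digits_per_term(), start=1):
        print(f"{terms} term(s): {good} correct decimals")
```

The fourth figure is capped by the length of the embedded reference value, not by the series.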
$ From jimbell at pacifier.com Fri Jan 5 22:23:23 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 6 Jan 1996 14:23:23 +0800 Subject: Pi Stuff Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 01:15 PM 1/5/96 -0800, you wrote: >Various amazed people on the Pi thread wrote: > > > But BTW, isn't it interesting, that news item from a few > > weeks ago, on an algorithm for determining individual bits > > in Pi, regardless of whether you've calculated all the > > previous ones. Only problem is, it only works in > > hexadecimal (and, obviously, binary, etc, not decimal. >A few quick comments. The notion that one might be able to >compute digits of Pi efficiently at any starting point in the >number is not late-breaking news. The Chudnovsky brothers >developed a formula which permitted them to do this a number of >years ago, and used it to compute Pi to several billion digits. While I'm not an expert at this, I think you've misrepresented the Chudnovsky result. They formulated an equation that allowed "you" to continue the calculation past "N" digits as long as you had the result that far. As far as I know, they DID NOT generate any formula for the generation of isolated digits of pi, the more recent news. I'm signing this message after having turned off word-wrap in Eudora. I'm told this may help my clearsigning process. Could somebody verify this? 
- -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- From tcmay at got.net Sat Jan 6 00:06:07 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 6 Jan 1996 16:06:07 +0800 Subject: Revoking Old Lost Keys Message-ID: At 7:07 AM 1/6/96, Bruce Baugh wrote: >I'd like to bring up a problem I haven't seen addressed much yet, and which >I think is going to come up with increasing frequency as PGP use spreads. > >The problem is this: how can one spread the word that an old key is no >longer to be used when one no longer has the pass phrase, and cannot >therefore create a revocation certificate? Basically, you are screwed. Any revocation you attempt will not be trusted, as we will suspect the new "you" to be an attacker, perhaps an agent of the NSA or the Illuminati. In the view that "you are your key," the old you no longer exists. Perhaps you could just move to a different city, change your name, and create a new key. (However, be sure you write down your passphrase and other salient information to handle your next memory loss.) > >In my case the problem is medical: thanks to autoimmune problems, I get >random memory loss from time to time. Sometimes it's big - like an entire >semester of my sophomore year of college. Sometimes it's small - like three >old pass phrases. So there are keys of mine floating around the key servers >that I don't want used, and which are just taking up space. 
Pardon me for being politically incorrect (*), but anyone who has these sorts of memory lapses should certainly write down the passphrases! While it is true that writing down a passphrase increases the risk slightly that a black bag operative will sneak into one's house and use his Minox to record the passphrases, in practice this is a minor risk. Especially compared to the immediate risk of losing or forgetting the passphrase. (* I said I was being "politically incorrect" because I've found that people these days don't want their defects and weaknesses commented upon by others, even when they mention them themselves. Thus, cripples don't want anyone to comment on their handicaps, and so on. Someone on this list with "Multiple Personality Disorder" got mightily offended when someone else mentioned MPD in a joking way in a post. Others freak out at innocent remarks, seeing their own demons.) So, if you are losing entire semesters worth of memory, you might want to start writing a lot of stuff down. Seriously, this is an example where "escrow" works. Seal an envelope with your passphrase and any other stuff you want to remember, and leave it with your lawyer or escrow agency with instructions to only turn it over to you. Same as a safe deposit box, unless you forget the key. (You could forget you have a lawyer, so better write that down somewhere, too.) I've not forgotten my PGP passphrase, but then I've only had one PGP key in the last several years and I've written a note to myself someplace which describes what the passphrase is in terms I think would only be meaningful to me. Not fully secure, but nothing really is. And secure enough. If you've had several keys in several years, and yet you are risk of forgetting entire semesters, maybe you ought to think about whether encryption is all that necessary for you. 
(I rarely see the need to encrypt, even as I cherish the ability and present right to encrypt, so I naturally wonder what it is all these people who seem to be encrypting nearly every private message they send are really concerned about....just my opinion.) I hope all turns out well, and I hope my candid answers to your questions are not too politically incorrect. --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From futplex at pseudonym.com Sat Jan 6 00:10:31 1996 From: futplex at pseudonym.com (Futplex) Date: Sat, 6 Jan 1996 16:10:31 +0800 Subject: Mixmaster On A $20 Floppy? In-Reply-To: <199601060155.UAA13574@pipe3.nyc.pipeline.com> Message-ID: <199601060756.CAA08977@thor.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- tallpaul writes: > Weight, under two pounds. Price ~$US250. Capacity 135 Mb formatted. Price > of spare disks: $US 20. > Take it off a computer. Put it in a briefcase. Carry it with you nicely out > of public view. Hook it up to another machine and .... [...] > Question 2: Anybody want to speculate on what traffic analysis is like when > encrypted data comes INTO one known Mixmaster site but goes OUT on one or > more "unknown" or (partially) random Mixmaster sites? The "ultimate" traffic analysis problem, as others have observed, is the correlation between messages sent by A and received by B via the overall network. Hence the utility of a Dining Cryptographers' Net, PipeNet, etc. in which the apparent bandwidth variation between any two points is eliminated. 
A and B are effectively folded into the network. I suppose that a site that escapes detection as a Mixmaster will throw off the correlation stats (i.e. because a message from that site to B won't be identified as a remailed message). But such sites are elusive objects I think. On the one hand, the site can't endure for long, or else its throughput traffic will likely give it away as an anonymizer (i.e. it gets lots of mail from the Mix network, and sends out similar amounts of mail to all sorts of people and the network). On the other hand, it had better last, or else it will look suspicious as a transient account receiving mail from the Mix network, sending a few messages, and quickly vanishing. Futplex "Dammit Jim, I'm a doctor, not a bricklayer!" -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- From tcmay at got.net Sat Jan 6 00:28:10 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 6 Jan 1996 16:28:10 +0800 Subject: "Microsoft.com" added to my KILL file Message-ID: After getting another batch of bounce messages from Microsoft's Postmaster, I have reluctantly decided to filter out all messages from Microsoft.com until they fix this problem with Microsoft Exchange. Their latest message was: ***** Your message did not reach some or all of the intended recipients. 
To: cypherpunks at toad.com Subject: Foiling Traffic Analysis Sent: 01/05/96 08:51:18 The following recipient(s) could not be reached: Ron Murray on 01/05/96 08:51:18 The recipient name is not recognized [MSEXCH:MSExchangeMTA:northamerica:RED-70-MSG] ***** Rather than fight their misconfigured mail system, or try to convince them to change their ways so as to conform to accepted practices, I'll just use technology. --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From mpd at netcom.com Sat Jan 6 00:32:40 1996 From: mpd at netcom.com (Mike Duvos) Date: Sat, 6 Jan 1996 16:32:40 +0800 Subject: Pi Code....... Message-ID: <199601060817.AAA07878@netcom2.netcom.com> In case anyone wants to play with the little program that emits bits of Pi, a Fortran version is available on the Web at... http://www.cecm.sfu.ca/~pborwein/PISTUFF/FORTRAN -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From black at eng.usf.edu Sat Jan 6 01:23:36 1996 From: black at eng.usf.edu (James Black) Date: Sat, 6 Jan 1996 17:23:36 +0800 Subject: Revoking Old Lost Keys In-Reply-To: <2.2.32.19960106070719.00694cc8@mail.teleport.com> Message-ID: Hello, On Fri, 5 Jan 1996, Bruce Baugh wrote: > The problem is this: how can one spread the word that an old key is no > longer to be used when one no longer has the pass phrase, and cannot > therefore create a revocation certificate? 
If there is someone that you trust (or several people), just make a revocation certificate and possibly cut it into pieces, and just let those know when to send it out, so that you don't have to rely on a faulty memory, and by having it in several hands they can't just send it out, as they don't know the other people. Just a thought. ========================================================================== James Black (Comp Sci/Comp Eng sophomore) e-mail: black at eng.usf.edu http://www.eng.usf.edu/~black/index.html "An idea that is not dangerous is unworthy of being called an idea at all." Oscar Wilde ************************************************************************** From alano at teleport.com Sat Jan 6 01:32:59 1996 From: alano at teleport.com (Alan Olsen) Date: Sat, 6 Jan 1996 17:32:59 +0800 Subject: Revoking Old Lost Keys Message-ID: <2.2.32.19960106092022.009408f0@mail.teleport.com> -----BEGIN PGP SIGNED MESSAGE----- At 03:10 AM 1/6/96 +0000, Michael C. Peponis wrote: >On 5 Jan 96 , Bruce Baugh wrote: >Another problem, let's say I get your public key from Bob, who signed >your key, and Bob knows you have revoked your key, but I don't, so >what happens to my copy of your key? > >Since there is no revokation certificate, I am forced to take Bob's >word that you have indeed want to revoke your key, but have no way of >verifying that without talking to you, and agin I have to go through >the same verification process that Bob did. I know Bruce and his problem is quite real. I happened to have the three keys that he is wanting to revoke in my keyring. (And one of them he had forgotten he had made at all.) It would be nice if there was a way to use the "web of trust" to certify a key revokation in the same way that one signs a key. Basically get a couple of your friends who are accepted in the crypto community and have them vouch for the actual loss of the key(s). It would certainly help patch the problem. (It might open up things for spoofing anyways. 
There would have to be a way of overriding such a thing with the real key, but that would require the passphrase. (Which should be available if not lost.)) An idea at least... -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMO495OQCP3v30CeZAQHObQf/VtMoPzpBqx9wU2rsrHkMc5K4LF2PbZdj QboPyoR0c56zIGPiDDoRed4aiy8ylBlPjEGdSeLjoVysbY+yfWz1GDzsrmsdNw9G tAE7DxX88kk9ym4ixy+3CIsFqKrHn1CBh64DAsoJzXRLgwEhPENLmqf0VXgRkYnI Dd7UE3fF15sMEEVdGYXBqEy7r3e83R9dW7ap/z8wy/sM5U8pzo0SwRrqEFVNe2/g 8rYDF8uFgDjbCrU60UVqFq3ipRbGDBGMI9xSLqpSkBHuSOk0si3sNqvSM09WuWFE LjkrVWPvZNaw1DbuQT7v2FTXNrNnfBsVH9MicM2fednOV0Fe7ZIoZg== =sT8b -----END PGP SIGNATURE----- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "Governments are potholes on the Information Superhighway." - Not TCMay From alano at teleport.com Sat Jan 6 01:44:35 1996 From: alano at teleport.com (Alan Olsen) Date: Sat, 6 Jan 1996 17:44:35 +0800 Subject: Windows Eudora and PGP Message-ID: <2.2.32.19960106093243.00968ed0@mail.teleport.com> At 03:04 PM 1/5/96 +0800, Ng Pheng Siong wrote: >On Fri, 5 Jan 1996, David K. Merriman wrote: >> I've gotten ahold of the WPGP mentioned here a couple days ago, and it seems >> to be working just fine, for me. Even easier to use than PIdaho, though not >> quite as 'full-featured' (ie, remailer support, etc). > >Aegis, which was mentioned on this list some months ago, is the best >of the lot, IMHO. No remailer support: You can talk to a remailer from >an email program. ;) I use Aegis right now and I have only one major problem with it. It does not have a facility to do word wraps in the program before signing. This means that if you use it with Eudora and word wrap is on, all of your sigs are going to be bad. (And hitting return on every line before feeding it through is a pain in the ass.) On the other hand, I have heard that WPGP is not very stable under Win95. Can't win for losing... 
Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/
"Governments are potholes on the Information Superhighway." - Not TCMay

From alano at teleport.com Sat Jan 6 02:29:01 1996
From: alano at teleport.com (Alan Olsen)
Date: Sat, 6 Jan 1996 18:29:01 +0800
Subject: Revoking Old Lost Keys
Message-ID: <2.2.32.19960106101559.00919d9c@mail.teleport.com>

At 09:47 AM 1/6/96 -0000, Frank O'Dwyer wrote:
>On Saturday, January 06, 1996 09:18, Timothy C. May[SMTP:tcmay at got.net] wrote:
>>At 7:07 AM 1/6/96, Bruce Baugh wrote:
>>>I'd like to bring up a problem I haven't seen addressed much yet, and which
>>>I think is going to come up with increasing frequency as PGP use spreads.
>>>
>>>The problem is this: how can one spread the word that an old key is no
>>>longer to be used when one no longer has the pass phrase, and cannot
>>>therefore create a revocation certificate?
>>
>>Basically, you are screwed. Any revocation you attempt will not be trusted,
>>as we will suspect the new "you" to be an attacker, perhaps an agent of the
>>NSA or the Illuminati. In the view that "you are your key," the old you no
>>longer exists.
>
>This is true, but the "old you" can be resurrected if you can get enough
>people to believe your new key using any out-of-band means available
>to you. You can also put a comment in your new key's uid explaining the
>problem and how to verify the new key. You will find it very hard to use this
>new key for a while, though, during the transition period. Many people will take
>the existence of two keys with the same uid as suspicious in itself, since it at
>least indicates some kind of attack (even if only a denial of service attack).

There are times when you want multiple keys with the same ID. I have two key sizes because one is an older key. I keep it around for use with people who are using versions that do not support the larger keys.
(I have run into this once from a sometimes user of PGP. He finally upgraded.) To alleviate the suspicion, I have the two keys sign each other.

>This is really a usability flaw with current PGP.

Only if you use the name to refer to the key and not the hex ID. (I found out the hard way that some front ends use either the last key created or whatever they feel like for signing keys and/or signing messages. I am still trying to straighten out some of the weird results of that.) Fortunately, some programs will use the hex ID to refer to the key so there is no confusion.

>The PGP formats do allow for a 'revocation' certificate, but PGP doesn't
>implement it (yet, I guess). In any case, it's not really strong enough,
>since what it says is "I retract all my previous statements that this key is
>related to this user". This'd mean that you'd have to visit everyone who'd ever
>signed your key and get them to issue this retraction. What would be needed
>for this problem is either an "anti-certificate" ("This key does not belong to this
>user"), or else some convention. For example, if two _trusted_ keys are found for the
>same uid, the most recent one could be chosen, and the earlier one be purged
>from keyservers, etc. This may be possible with current PGP. I haven't tried it,
>but since I have some keys which have fallen into disuse, I will need to do so
>sometime.).

Revocations are supported, but they require the passphrase. (I have a number of revocations on my keyring from various folks.) The problem here is occasions where you have forgotten the passphrase. (I have an old keyring that I need to go and revoke all of the old keys on it. I have not used them in a year or two. I doubt if they are even on the keyserver...)

Eventually there will be a way of revoking keys in the circumstance. Something similar to a notary (or a combination of notaries) who can vouch and say "hey, this guy really did lose his keys".
Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/
"Governments are potholes on the Information Superhighway." - Not TCMay

From alano at teleport.com Sat Jan 6 02:43:21 1996
From: alano at teleport.com (Alan Olsen)
Date: Sat, 6 Jan 1996 18:43:21 +0800
Subject: A couple of ideas for PGP-based programs
Message-ID: <2.2.32.19960106103250.00947438@mail.teleport.com>

-----BEGIN PGP SIGNED MESSAGE-----

I am posting these ideas here before I annoy the people who will probably implement them just to see if they have much merit... (If this is incoherent it is because of the late night posting, but I want to get it done while the thoughts are still there...)

Maybe some of this will occur after PGP 3.0 is released. (That is, if the universe has not cooled down into a small lump of coal before then...)

1) Something I would like to see on the keyservers for PGP is a way of retrieving all of the key revocations since x date without having to get all of the keys since that date. I hate having to check each key every so often to see if it is revoked. It would make it a lot easier to avoid using compromised or old unused keys.

2) I would like to see a program like private Idaho have the ability to send mail to the key server and grab all of the "unknown signator" keys. This would have the interesting effect of building a more complete keyring, while using the "web of trust" to weed out a lot of the bogus keys that tend to crop up on the key servers. After n number of iterations you would have more of the "important keys" and the ones that have little or no signage would be left to grab when needed. This would avoid the need to grab the entire key database. (In fact, it would make it desirable NOT to...)

More later when I am not so tired...
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/
"Governments are potholes on the Information Superhighway." - Not TCMay

From aleph1 at dfw.dfw.net Sat Jan 6 04:07:46 1996
From: aleph1 at dfw.dfw.net (Aleph One)
Date: Sat, 6 Jan 1996 20:07:46 +0800
Subject: Crypto Rules Report
In-Reply-To: <199601060141.UAA21362@pipe1.nyc.pipeline.com>
Message-ID:

I'll be happy to provide an http site.

On Fri, 5 Jan 1996, John Young wrote:
> In response to the December Financial Times article
> "Encryption Rules Coming," about an international
> cryptography meeting in Paris, and our request for
> additional information, we have received from nobody:
>
> Report of the Business-Government Forum on Global
> Cryptography Policy
>
> Held on 19-20 December 1995 in Paris
>
> Detailed Report
>
> The report includes meeting background information, notes
> on the speakers articulation of the positions of industry
> and governments, and four annexes:
>
> 1. List of participants (EU, US, Japan -- biz and gov);
>
> 2. Statement of Eurobit-ITAC-ITI-JEIDA which sets out
> 20 principles of global cryptographic policy;
>
> 3. Statement by the Infosec Business Advisory Group (IBAG)
> on 17 principles of international cryptography;
>
> 4. The Mike Nelson Policy Problem (last point: "No one
> trusts anyone.")
>
>
> It would be great if someone would provide an FTP site. It
> is about 31 kb.
>

Aleph One / aleph1 at dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

From ravage at ssz.com Sat Jan 6 04:10:21 1996
From: ravage at ssz.com (Jim Choate)
Date: Sat, 6 Jan 1996 20:10:21 +0800
Subject: get mix-installer. (fwd)
In-Reply-To: <199601060232.VAA09545@thor.cs.umass.edu>
Message-ID: <199601060236.UAA04326@einstein.ssz.com>

Who the fuck elected you reputation monitor. You should chill.

Please refrain from sending any more posts to me privately that are not directly crypto related. I have better things to do than listen to your rantings and raving. If Adam and I have a problem then we will work it out without! your involvement.

Jim Choate

>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Jim Choate writes:
> > I followed the request information per the original posting by Adam and
> > received this in reply.
> >
> > This leads me to believe that Mr. Shostack is basically unwilling to fulfill
> > his own promises. My advice, avoid like the plague.
> >
> > Caveat emptor.
>
> Chill the fuck out (this obscenity brought to you by the U.S. Congress).
>
> Adam has already posted an earlier version of the script to the Mixmaster
> mailing list. It's not vaporware.
>
> Besides, Adam has been around and contributing for quite a while. Smearing
> his rather excellent c'punk reputation because of (probably) a malfunctioning
> procmail recipe isn't terribly productive, or neighborly.
>
> Futplex
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
> -----END PGP SIGNATURE-----
>

From aleph1 at dfw.dfw.net Sat Jan 6 04:52:38 1996
From: aleph1 at dfw.dfw.net (Aleph One)
Date: Sat, 6 Jan 1996 20:52:38 +0800
Subject: Crypto Rules Report
In-Reply-To: <199601060141.UAA21362@pipe1.nyc.pipeline.com>
Message-ID:

Sorry for the SPAM it was meant to go to John only. Typing too fast again....

Aleph One / aleph1 at dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

From markm at voicenet.com Sat Jan 6 05:11:38 1996
From: markm at voicenet.com (Mark M.)
Date: Sat, 6 Jan 1996 21:11:38 +0800
Subject: Mixmaster On A $20 Floppy?
In-Reply-To: <199601060155.UAA13574@pipe3.nyc.pipeline.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 5 Jan 1996, tallpaul wrote:
> I've reports that the latest version of SyQuest's external parallel port
> EZ135 "floppy" drive is due on the shelves this month. Also reported is the
> ability to effectively boot off the thing, and thus run whatever OS resides
> on the SyQuest "floppy" rather than an OS that has to be on the host's hard
> drive partition.
>
> Weight, under two pounds. Price ~$US250. Capacity 135 Mb formatted. Price
> of spare disks: $US 20.
> Take it off a computer. Put it in a briefcase. Carry it with you nicely out
> of public view. Hook it up to another machine and ....
>
> Question 1: Can you fit linux, pgp, mixmaster, etc. on the 135 Mb disk and
> have enough useful space left over for a useful amount of data?
>

I have PGP, mixmaster, and several other crypto programs as well as X, Netscape, the entire Linux kernel, and several other huge programs and files that I never even use on my Linux system, and all of that takes up ~137 Mb. A base Linux system takes up between 10 and 80 Mb, so Linux would fit quite nicely on one of these disks.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

--
finger -l markm at voicenet.com for PGP key
http://www.voicenet.com/~markm/
Fingerprint: bd24d08e3cbb53472054fa56002258d5
Key-ID: 0xF9B22BA5
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GAT d- s:- a? C++++ U+++>$ P+++ L++(+++) E--- W++(--) N+++ o- K w--- O- M- V--
PS+++>$ PE-(++) Y++ PGP+(++) t-@ 5? X++ R-- tv+ b+++ DI+ D++ G+++ e! h* r! y?
------END GEEK CODE BLOCK------

From jya at pipeline.com Sat Jan 6 06:04:23 1996
From: jya at pipeline.com (John Young)
Date: Sat, 6 Jan 1996 22:04:23 +0800
Subject: CelBomb
Message-ID: <199601061349.IAA11236@pipe4.nyc.pipeline.com>

Can anyone in IL, or elsewhere, report more on the head-job of The Engineer:

Any crypto used to authenticate the target for the boombox, or to obscure links to the assassin?

How was the blast specifically targeted at him and not a phone borrower?

How it was set off -- by user-dialing, remote control, some other means?

Any fishy smelling brand names to immediately run from?

Answers urgent.

From mianigand at unique.outlook.net Sat Jan 6 06:40:55 1996
From: mianigand at unique.outlook.net (Michael C.
Peponis)
Date: Sat, 6 Jan 1996 22:40:55 +0800
Subject: Revoking Old Lost Keys
Message-ID: <199601060759.BAA03401@unique.outlook.net>

-----BEGIN PGP SIGNED MESSAGE-----

On 5 Jan 96 , Bruce Baugh wrote:
> I'd like to bring up a problem I haven't seen addressed much yet, and which
> I think is going to come up with increasing frequency as PGP use spreads.
>
> The problem is this: how can one spread the word that an old key is no
> longer to be used when one no longer has the pass phrase, and cannot
> therefore create a revocation certificate?

It's an administrative nightmare. I assume that you mean if the key is widely distributed. If it's only circulating among a small group of people that know each other, no problem.

If it's widely distributed, or on a keyserver, that becomes hard. First you would have to be authenticated as the original key owner, ie how do I really know that you are you, and not somebody saying you are the original key owner?

Another problem, let's say I get your public key from Bob, who signed your key, and Bob knows you have revoked your key, but I don't, so what happens to my copy of your key?

Since there is no revocation certificate, I am forced to take Bob's word that you have indeed want to revoke your key, but have no way of verifying that without talking to you, and again I have to go through the same verification process that Bob did.

Good topic.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
-----END PGP SIGNATURE-----

Regards,
Michael Peponis
PGP Key Available from MIT Key Server
Key fingerprint = DD 39 66 3D AE DE 71 C2 B6 DA B2 3F 47 2A EB AC

From merriman at arn.net Sat Jan 6 06:51:48 1996
From: merriman at arn.net (David K.
Merriman)
Date: Sat, 6 Jan 1996 22:51:48 +0800
Subject: Windows Eudora and PGP
Message-ID: <2.2.32.19960106023946.0068c404@arn.net>

-----BEGIN PGP SIGNED MESSAGE-----

At 01:32 AM 01/6/96 -0800, Alan Olsen wrote:
>At 03:04 PM 1/5/96 +0800, Ng Pheng Siong wrote:
>>On Fri, 5 Jan 1996, David K. Merriman wrote:
>>> I've gotten ahold of the WPGP mentioned here a couple days ago, and it seems
>>> to be working just fine, for me. Even easier to use than PIdaho, though not
>>> quite as 'full-featured' (ie, remailer support, etc).
>>
>>Aegis, which was mentioned on this list some months ago, is the best
>>of the lot, IMHO. No remailer support: You can talk to a remailer from
>>an email program. ;)
>
>I use Aegis right now and I have only one major problem with it. It does
>not have a facility to do word wraps in the program before signing. This
>means that if you use it with Eudora and word wrap is on, all of your sigs
>are going to be bad. (And hitting return on every line before feeding it
>through is a pain in the ass.)
>
>On the other hand, I have heard that WPGP is not very stable under Win95.
>Can't win for losing...
>

I'm running WPGP under Win95, and so far it's been as stable as Win95. On my machines, that's been pretty darn stable - YMMV :-)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

-------------------------------------------------------------
"It is not the function of our Government to keep the citizen from falling into error; it is the function of the citizen to keep the Government from falling into error."
Robert H. Jackson (1892-1954), U.S.
Judge
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
My web page: http://www.geopages.com/CapitolHill/1148

From Chris.Claborne at SanDiegoCA.ATTGIS.com Sat Jan 6 07:23:14 1996
From: Chris.Claborne at SanDiegoCA.ATTGIS.com (Chris Claborne)
Date: Sat, 6 Jan 1996 23:23:14 +0800
Subject: Compuserve grovels to foreign censors
Message-ID: <2.2.32.19960106033904.00352520@opus.SanDiegoCA.ATTGIS.com>

At 01:47 PM 1/5/96 -0500, you wrote:
>At 12:56 AM 1/5/96 -0500, Larry Sudduth wrote:
>
>>Attachment Converted: C:\WORK\WINMAIL.DAT
>
>What, pray tell, is this?

If a MSMail for Windows user attaches a file to her message, it also sends along the icon for the ride. This file could also be a picture that someone pasted in to their message.

... __o
.. -\<, Chris.Claborne at SanDiegoCA.ATTGIS.Com
...(*)/(*). CI$: 76340.2422
http://bordeaux.sandiegoca.attgis.com/
PGP Pub Key fingerprint = A8 FA 55 92 23 20 72 69 52 AB 64 CC C7 D9 4F CA
Avail on Pub Key server.

From bruceab at teleport.com Sat Jan 6 07:25:56 1996
From: bruceab at teleport.com (Bruce Baugh)
Date: Sat, 6 Jan 1996 23:25:56 +0800
Subject: Revoking Old Lost Keys
Message-ID: <2.2.32.19960106070719.00694cc8@mail.teleport.com>

-----BEGIN PGP SIGNED MESSAGE-----

I'd like to bring up a problem I haven't seen addressed much yet, and which I think is going to come up with increasing frequency as PGP use spreads.

The problem is this: how can one spread the word that an old key is no longer to be used when one no longer has the pass phrase, and cannot therefore create a revocation certificate?

In my case the problem is medical: thanks to autoimmune problems, I get random memory loss from time to time. Sometimes it's big - like an entire semester of my sophomore year of college. Sometimes it's small - like three old pass phrases. So there are keys of mine floating around the key servers that I don't want used, and which are just taking up space.
Others will have more mundane problems, like creating a key years ago and just plain not using it. But as PGP use moves out of essentially pure-geek communities into the surrounded net.world, accidents and other carelessness _will_ happen.

I'm curious as to what thoughts, if any, y'all have about how to deal with it.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

Bruce Baugh
bruceab at teleport.com
http://www.teleport.com/~bruceab

From don at wero.cs.byu.edu Sat Jan 6 07:35:54 1996
From: don at wero.cs.byu.edu (Don M. Kitchen)
Date: Sat, 6 Jan 1996 23:35:54 +0800
Subject: Forgetting passphrase/escrow/pgp 3
Message-ID: <199601061403.HAA00239@wero.cs.byu.edu>

As has been mentioned, this is a good situation for the use of some kind of escrow. Not meaning to talk about crypto or anything, but it seems to me that there's already some good Shamir sharing code out there, I hope the overworked, underpaid PGP 3.0 people put Shamir sharing capabilities. I see it as a slight modification of the split/merge code, which PGP already has, plus already written Shamir code that hopefully need only be cut-and-pasted into PGP.

This is what non-GAK escrow people want, right? Easy-to-use strong-crypto escrow?

Don

--
fRee cRyPTo! jOin the hUnt or BE tHe PrEY
PGP key - http://students.cs.byu.edu/~don or PubKey servers (0x994b8f39)
June 7&14, 1995: 1st amendment repealed.
Junk mail to root at 127.0.0.1
* This user insured by the Smith, Wesson, & Zimmermann insurance company *

From mab at crypto.com Sat Jan 6 08:34:31 1996
From: mab at crypto.com (Matt Blaze)
Date: Sun, 7 Jan 1996 00:34:31 +0800
Subject: Revoking Old Lost Keys
In-Reply-To:
Message-ID: <199601061626.LAA06345@crypto.com>

Timothy May wrote:
> At 7:07 AM 1/6/96, Bruce Baugh wrote:
>
> >I'd like to bring up a problem I haven't seen addressed much yet, and which
> >I think is going to come up with increasing frequency as PGP use spreads.
> >
> >The problem is this: how can one spread the word that an old key is no
> >longer to be used when one no longer has the pass phrase, and cannot
> >therefore create a revocation certificate?
>
> Basically, you are screwed. Any revocation you attempt will not be trusted,
> as we will suspect the new "you" to be an attacker, perhaps an agent of the
> NSA or the Illuminati. In the view that "you are your key," the old you no
> longer exists.
> ...
>
> Seriously, this is an example where "escrow" works. Seal an envelope with
> your passphrase and any other stuff you want to remember, and leave it with
> your lawyer or escrow agency with instructions to only turn it over to you.
> Same as a safe deposit box, unless you forget the key. (You could forget
> you have a lawyer, so better write that down somewhere, too.)

Escrow is orthogonal to the underlying problem here, which is that the PGP revocation model is completely wrong. Since the trust properties and other semantics of a key originate with the certificates attached to the key, and not from the key owner per se, it makes little sense to make the key owner responsible for revoking that trust. Far more sensible would be a scheme in which the certificate issuers themselves could revoke their certificates when they believe a key is no longer trustworthy.
(A practical decentralized system like PGP could provide a facility for certifiers to "pre-revoke" their certificates at the time they are issued so that the key owner could distribute the revocation certificates himself if he discovers his own key to have been compromised or lost.)

Note that the problem here is in the basic trust model, not just the certificate distribution model (which is a separate problem). The lack of ability for a certifier to revoke his own certification, plus the lack of a facility to put limits on the duration and meaning of the certification, make PGP certificates of very limited practical value.

-matt

From jya at pipeline.com Sat Jan 6 09:31:08 1996
From: jya at pipeline.com (John Young)
Date: Sun, 7 Jan 1996 01:31:08 +0800
Subject: Mitnik: latest? -- Long, watch it
Message-ID: <199601061716.MAA01565@pipe2.nyc.pipeline.com>

Perhaps Brian Davis will comment with the latest but here's Littman on Mitnick (and scans of Shimomura/Media/Feds) through October, 1995:

As Tsutomu Shimomura launched his new careers as pitchman, author, movie subject, and video game designer, Kevin Mitnick sat in a Southern county jail. Mitnick wrote to me nearly every week on yellow legal paper in longhand, bemoaning the lack of a word processor as he recounted the hardships of jail. He told me he had been attacked and robbed by two inmates and barely avoided fights with several others. When he complained that the vegetarian diet he requested was limited to peanut butter sandwiches, and that his stress and stomach medication prescriptions weren't filled, he was moved to a tougher county jail. His grammar wasn't perfect, but his writing was surprisingly frank and descriptive. Mitnick punctuated his letters with Internet shorthand, noting the precise minute he began each letter, as if he were still online. He was bitter, but he hadn't lost his sense of humor.
When his jailers admitted they'd read the letter Mike Wallace wrote him, inviting him to appear on 60 Minutes, Mitnick admitted the irony of him, of all people, complaining about other people reading his mail. "Poetic justice, eh? ..." Once in a while he'd slip in a tantalizing comment about his case. One week he'd appear to trust me, the next he'd wonder whether I would betray him. It was strange corresponding with the man the media and our government had cast as a twenty-first-century Frankenstein. Mitnick himself didn't seem sure of who or what he was. He asked whether I felt he should be given a long prison sentence. Did I think he was evil? Dangerous? When he was sent to his second jail, as a matter of policy the U.S. Marshals confiscated his books, his underwear, his toiletries. Mitnick was doing the worst prison "time" possible, because the Eastern District of North Carolina had no federal detention center. That meant he would have to defend himself without access to a law library, required by law in federal institutions. The nurse in Mitnick's second county jail cut his medication again, and on June 18, his attorney filed a motion in federal court stating that Mitnick "was taken to the hospital and diagnosed with esophageal spasms." The attorney argued that the "deliberate indifference" to Mitnick's "serious medical needs" violated constitutional standards. Before a federal judge could order a hearing on the medical issues, Mitnick was transferred to his third North Carolina jail in as many months. "He [Mitnick] overextended his welcome," explained a deputy U.S. Marshal in Raleigh who preferred to remain anonymous. "It was time for a change of scenery. This happens with a lot of them. They get where they think they're running the place." Mitnick's third county jail was his worst yet. He shared a cell with seven other men. There was no law library, radio or television, and each inmate was allowed only two books at a time. 
Mitnick's were the Federal Criminal Code and the Federal Sentencing Guidelines. The eight men in Mitnick's cell were forced to share a single pencil stub that was taken away in the afternoon. Mitnick was allotted one sheet of paper a day. On April 10, 1995, John Dusenberry, Mitnick's public defender, filed a motion to suppress evidence and dismiss the indictment. He argued that the blank search warrants and the warrantless search of Mitnick's apartment violated the Fourth Amendment, which specifically prohibits unreasonable search and seizure. In the government's response, John Bowler, the Assistant U.S. Attorney in Raleigh, defended the blank search warrants, not an easy proposition in a free country. Bowler prefaced his argument by claiming, despite evidence to the contrary, that Shimomura tracked Mitnick on his own until February 14, just hours before his capture. The government's response to the issue of the blank search warrants was to blame Magistrate Wallace Dixon. Bowler asserted that the FBI had wanted to execute the search properly, but the magistrate had "upon his own initiative" insisted on signing the blank search warrants. But a judge never ruled on these arguments. The twenty-three-count indictment the Associated Press had hypothesized could land Mitnick 460 years in jail fell apart. The government abandoned its case in Raleigh, dismissing all but one of the counts in accepting a plea bargain from Mitnick that would likely get him time served, or at most eight months. The tiny story was buried in the back pages of the New York Times. "Kevin is going to come and face the music in L.A., where, of course, the significant case has always been," David Schindler, the U.S. Attorney in Los Angeles, told the L.A. Times. The newspaper said the prosecutor believed Mitnick would receive stiffer punishment "than any hacker has yet received," a sentence greater than Poulsen's four years and three months.
Mitnick's letters revealed how Schindler planned to win the record prison term. Schindler was claiming losses in excess of $80 million, the amount that would garner the longest possible sentence for a fraud case according to the Federal Sentencing Guidelines. Nor would Schindler have to substantiate his claim. The government only had to "estimate" the loss. Mitnick's attorneys said the figure was grossly exaggerated, and added that the case rested on source code allegedly copied from cellular companies. There was no proof that Mitnick had tried to sell the code, and there was no evidence it could be sold for an amount approaching $80 million. But under the guidelines the absence of a profit motive was no obstacle to a long jail term. David Schindler was seeking an eight-to-ten-year sentence for Kevin Mitnick, about the same prison time doled out for manslaughter. The jailed hacker wasn't the only one whose feats were being hyped. By August of 1995, the advertisement in Publishers Weekly for Shimomura's upcoming book featured Mitnick's New York Times photo stamped with the caption HE COULD HAVE CRIPPLED THE WORLD. Declared the ad, "Only One Man Could Stop Him: SHIMOMURA." The hyperbole made me flash on what Todd Young had done in Seattle. The bounty hunter had tracked Kevin Mitnick down in a few hours with his Cellscope. Unauthorized to arrest him, he'd kept Mitnick under surveillance for over two weeks as he sought assistance. But the Secret Service didn't think the crimes were significant. The U.S. Attorney's Office wouldn't prosecute the case. Even the local cops didn't really care. When I met Young in San Francisco a couple of weeks after Mitnick's arrest, he was puzzled by the aura surrounding Shimomura and his "brilliant" capture of Kevin Mitnick. We both knew from independent sources that Shimomura had never before used a Cellscope. Young asked why the FBI would bring an amateur with no cellular tracking skills to Raleigh for the bust. 
If Shimomura's skill was measured by his ability to catch the hacker, then he was on a par with Todd Young, a thousand-dollar-a-day bounty hunter who never had the help of the FBI. The simple, unglamorous truth was that Kevin Mitnick, whatever his threat to cyberspace and society, was not that hard to find. I tried to get the government to answer Young's question about Shimomura's presence. I asked the San Francisco U.S. Attorney's Office and they suggested I ask the FBI. But the FBI had no comment. I asked Schindler, the Assistant U.S. Attorney in L.A., and he didn't have an answer. I asked Scott Charney, the head of the Justice Department's Computer Crime group, and he said he couldn't comment. I asked the Assistant U.S. Attorney who would logically had to have approved sending Shimomura three thousand miles to Raleigh, North Carolina. But Kent Walker oddly suggested I ask Shimomura for the answer. The response reminded me of what John Bowler, the Raleigh prosecutor, had said when I asked him how John Markoff came to be in Raleigh. He, too, had suggested I ask Shimomura. Shimomura seemed to be operating independently, outside of the Justice Department's control. Or was he running their show? The media appeared captivated by Shimomura's spell. Except for the Washington Post and The Nation, most major publications and the television networks accepted John Markoff's and Tsutomu Shimomura's story at face value. Kevin Mitnick's capture made for great entertainment. Not one reporter exposed the extraordinary relationship between Shimomura and the FBI. Most seemed to ignore the conflict of interest raised by the financial rewards Shimomura and Markoff received by cooperating with the FBI. A Rolling Stone magazine story condoned Markoff's actions, saying he had merely done what any journalist would do when presented with the possibility of a big scoop.
The media critic for Wired suggested only that Markoff should have advised New York Times readers earlier of his personal involvement in capturing Mitnick. The media functioned as a publicity machine for Shimomura and the federal government, quickly churning out a round of articles arguing for tougher laws and greater security on the Internet. But the fury over what Assistant U.S. Attorney Kent Walker described as Mitnick's "billion dollar" crimes simply distracted the public from the real issues. Privacy intrusions and crime in cyberspace were old news, and a series of Internet break-ins after Mitnick's arrest proved the capture of cyberspace's most wanted criminal had changed little. The real story was that Internet providers, the new equivalent of phone companies on the information superhighway, appeared naive about how to investigate break-ins while protecting the privacy of their subscribers. After an FBI computer child-pornography investigation was made public in September of 1995, the Bureau revealed that it had read thousands of e-mail correspondences, and invaded the privacy of potentially dozens of citizens in the course of its investigation. Privacy activists complained that constitutional rights were being bulldozed, but the FBI announced the public should expect more of the same. "From our standpoint, this investigation embodies a vision of the type of investigatory activity we may be drawn to in the future," said Timothy McNally, the special agent in charge. The government seemed to be promoting a hacker dragnet to make sure the Internet was crime free for the millions of dollars of commerce on its way. Kent Walker, the Assistant U.S. Attorney who left the Justice Department within weeks of Mitnick's arrest for a job with a Pacific Telesis spin-off, was one of the many government officials who claimed the FBI couldn't crack high-tech cases without people like Shimomura.
Perhaps prosecutions would increase if the FBI bolstered its force with nonprofessionals. But where would that leave the law and the Constitution? (pp. 368-73) From Steve14571 at aol.com Sat Jan 6 09:34:57 1996 From: Steve14571 at aol.com (Steve14571 at aol.com) Date: Sun, 7 Jan 1996 01:34:57 +0800 Subject: Fwd: Undeliverable: Re: Massey, CEO of Compuserve, on Internet Message-ID: <960106095457_108133691@mail04.mail.aol.com> Something else I want to know... Why is my mail going through microsoft.com? --------------------- Forwarded message: From: postmaster at microsoft.com (Postmaster) To: Steve14571 at aol.com (Steve14571 at aol.com) Date: 96-01-05 19:32:00 EST Your message did not reach some or all of the intended recipients. To: goerzenj at complete.org Cc: cypherpunks at toad.com Subject: Re: Massey, CEO of Compuserve, on Internet Sent: 01/04/96 18:43:35 The following recipient(s) could not be reached: David Tagliani on 01/04/96 18:43:35 The recipient name is not recognized [MSEXCH:MSExchangeMTA:northamerica:RED-70-MSG] Eric S. Hanson (NT RPC) on 01/04/96 18:43:35 The recipient name is not recognized [MSEXCH:MSExchangeMTA:northamerica:RED-70-MSG] Original Message Follows ======================== From: "Steve14571 at aol.com" To: "goerzenj at complete.org" Cc: "cypherpunks at toad.com" Subject: Re: Massey, CEO of Compuserve, on Internet Date: Thu, 4 Jan 1996 18:43:35 -0800 In a message dated 96-01-03 00:34:25 EST, you write: >CompuServe is not location-dependent. The network operates exactly the >same regardless of calling location (indeed, the system doesn't even know >where you're calling from I believe). It is a worldwide CompuServe >Network that people use to access it. This network just allows dialups >and then gets the users connected to the CompuServe computers. The main >computers handle all traffic. They don't are location-independent, >making it impossible to block access based on location. 
I see two possible ways to censor German users only (but I still believe censoring anyone is wrong). First, the "main computers" could be told where they are, and "censored" material could be filtered at that level before it is sent to individual users. Or CompuServe could release a software update for German users. The software would not recognize banned newsgroups. How difficult could that possibly be? From tcmay at got.net Sat Jan 6 10:00:22 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 7 Jan 1996 02:00:22 +0800 Subject: Revoking Old Lost Keys Message-ID: At 9:10 AM 1/6/96, James Black wrote: >Hello, > >On Fri, 5 Jan 1996, Bruce Baugh wrote: > >> The problem is this: how can one spread the word that an old key is no >> longer to be used when one no longer has the pass phrase, and cannot >> therefore create a revocation certificate? > > If there is someone that you trust (or several people), just make a >revocation certificate and possibly cut it into pieces, and just let >those know when to send it out, so that you don't have to rely on a >faulty memory, and by having it in several hands they can't just send it >out, as they don't know the other people. Just a thought. If one can safely and securely store a revocation certificate for later use, why not just store the much shorter passphrase? --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." 
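Added example (not part of any message in this thread): James Black's suggestion above of leaving pieces of a revocation certificate in several hands, generalized to Shamir's k-of-n threshold scheme so that one unreachable holder does not block revocation. The function names, the field prime and the sample certificate bytes are assumptions made for illustration.

```python
import secrets

P = 2**127 - 1   # Mersenne prime used as the field modulus (assumption of this example)
CHUNK = 15       # 15 bytes = 120 bits, so every chunk value is below P


def _poly_eval(coeffs, x):
    """Evaluate a polynomial (lowest coefficient first) at x, modulo P."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def split(secret: bytes, k: int, n: int):
    """Split `secret` into n shares; any k of them rebuild it.

    Each 15-byte chunk becomes the constant term of its own random polynomial
    of degree k-1, so fewer than k shares carry no information about a chunk.
    A share is (x, original_length, [y for each chunk]).
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    chunks = [int.from_bytes(secret[i:i + CHUNK], "big")
              for i in range(0, len(secret), CHUNK)]
    polys = [[c] + [secrets.randbelow(P) for _ in range(k - 1)] for c in chunks]
    return [(x, len(secret), [_poly_eval(p, x) for p in polys])
            for x in range(1, n + 1)]


def combine(shares, k: int) -> bytes:
    """Rebuild the secret from at least k distinct shares (Lagrange at x = 0)."""
    uniq = list({s[0]: s for s in shares}.values())[:k]   # drop duplicate holders
    if len(uniq) < k:
        raise ValueError("not enough distinct shares")
    length = uniq[0][1]
    out = bytearray()
    for idx in range(len(uniq[0][2])):
        value = 0
        for xi, _, ys in uniq:
            num = den = 1
            for xj, _, _ in uniq:
                if xj != xi:
                    num = num * (-xj) % P
                    den = den * (xi - xj) % P
            value = (value + ys[idx] * num * pow(den, -1, P)) % P
        size = min(CHUNK, length - idx * CHUNK)   # last chunk may be shorter
        out += value.to_bytes(size, "big")
    return bytes(out)


if __name__ == "__main__":
    # Constructed stand-in for a revocation certificate, not real PGP output.
    cert = b"(constructed placeholder for an ASCII-armored key revocation certificate)"
    holders = split(cert, k=3, n=5)            # five trusted people, any three suffice
    print(combine([holders[0], holders[2], holders[4]], 3) == cert)
```

Unlike literally cutting the certificate into pieces, no holder's share contains any part of the certificate text, and a group smaller than k cannot publish the revocation on its own.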
From ravage at ssz.com Sat Jan 6 10:04:54 1996 From: ravage at ssz.com (Jim Choate) Date: Sun, 7 Jan 1996 02:04:54 +0800 Subject: Internet & Porno on A&E tonite Message-ID: <199601061654.KAA05672@einstein.ssz.com> Hi, Just saw an ad for an Investigative Reports show tonite on A&E dealing with the Internet and some of the current issues relating to porno and privacy. Jim Choate From cp at proust.suba.com Sat Jan 6 10:12:10 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Sun, 7 Jan 1996 02:12:10 +0800 Subject: Revoking Old Lost Keys In-Reply-To: <199601061626.LAA06345@crypto.com> Message-ID: <199601061748.LAA06159@proust.suba.com> > Note that the problem here is in the basic trust model, not just the > certificate distribution model (which is a separate problem). The lack of > ability for a certifier to revoke his own certification, plus the lack of a > facility to put limits on the duration and meaning of the certification, > make PGP certificates of very limited practical value. Isn't the last bit here, the part about duration and meaning, the practical answer to the problem? Especially duration? The stuff that's been going on lately with Netscape's browsers, Sameer's apache ssl server, and the difficulty of getting CAs like verisign to approve keys underscores the importance of this issue. This is probably sort of half-baked, but is it possible to come up with a formal grammar that would allow us to describe trust models in general? What if we had a prolog-like system that allowed you to set up rules like: "x is a student if x has got a signature from a school" "x is a school if x has got a signature from the accreditation authority" "x belongs to the secret society if x has signatures from 3 other people who have belonged to the society for more than a year, and if x is a certified owner of a duck." Wouldn't something like this give us the flexibility to use a PGPish model of trust or an X.509ish model, or whatever else we wanted to do? 
It seems to me that the rules that govern when you can accept which signature ought to be data objects in a more flexible system, just as the signatures themselves are data objects. That means that the rules themselves ought to be subject to change, revocation, or revision. The constitution wouldn't have survived if it didn't contain a mechanism for amendment. Wouldn't a model of trust with the same ability for revision and extension be a lot more robust, and a lot more resistant to centralized control? From mark at tipper.oit.unc.edu Sat Jan 6 10:15:06 1996 From: mark at tipper.oit.unc.edu (Mark) Date: Sun, 7 Jan 1996 02:15:06 +0800 Subject: Mitnik: latest? Message-ID: <199601061547.KAA13440@tipper.oit.unc.edu> I was curious where Kevin is now and what he is doing or waiting for? Anyone got a timeline of what's in store for him? Cheers, Mark From vince at dsi.unimi.it Sat Jan 6 10:17:43 1996 From: vince at dsi.unimi.it (David Vincenzetti) Date: Sun, 7 Jan 1996 02:17:43 +0800 Subject: (cpx) Re: mental cryptography (fwd) Message-ID: <199601061748.AA216460533@idea.sec.dsi.unimi.it> > I have read one paper which attempts to solve this problem, called "Human > Identification through Insecure Channel". Unfortunately my papers are in > a mess right now so I don't have the reference handy. It was by some > Japanese researchers, published in one of the proceedings books. I > believe a follow-on paper was published within the last year or two which > had some improvements or corrections to their algorithm. Sorry to be so > vague, I'll try to dig out more info over the weekend. > > Basically they used a challenge-response system which was intended to > be simple enough that people could do it in their heads. The card > would display a random challenge string, some characters of which were > special to the user and others which he would ignore. 
He would then > input a response string, where it didn't matter what corresponded to > the "ignore" slots, but in the special slots he had to produce certain > symbols corresponding to the other symbols, with the rules changing as > you move along. The intention was that even by capturing and analyzing a > great many challenge-response pairs you couldn't create a response to a > challenge you hadn't seen before. > > I coded this up, and frankly, I couldn't do the required manipulations in > my head, at least not without taking a very, very long time, and thinking > very carefully. Maybe it would get easier with practice, I don't know. > But my overall feeling was that this would be at the limits of human > capability even for fairly bright people. (OTOH I suppose learning to > read and write might seem pretty tough if you'd never done it. Maybe > the 1st grade classes of the future will spend months training the kids > on how to use these kinds of algorithms.) The paper can be found in the proceedings of Eurocrypt '91, D.W. Davies (Ed.), Springer-Verlag. The author is Hideki IMAI, . I found the above paper very interesting, and I am actually going to code it up. Eventually, I would be highly interested in giving a glance at your code. Is your code available? Ciao, David From tcmay at got.net Sat Jan 6 10:21:15 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 7 Jan 1996 02:21:15 +0800 Subject: Revoking Old Lost Keys Message-ID: At 9:47 AM 1/6/96, Frank O'Dwyer wrote: >On Saturday, January 06, 1996 09:18, Timothy C. May[SMTP:tcmay at got.net] wrote: >>Basically, you are screwed. Any revocation you attempt will not be trusted, >>as we will suspect the new "you" to be an attacker, perhaps an agent of the >>NSA or the Illuminati. In the view that "you are your key," the old you no >>longer exists. > >This is true, but the "old you" can be resurrected if you can get enough >people to believe your new key using any out-of-band means available >to you. 
You can also put a comment in your new key's uid explaining the Could you explain how "enough people" can get around a basic feature/limitation of the current PGP web of trust? Who, besides the originator, can revoke an old key? How many does it take? If a bunch of the "alleged" friends of Bruce could do this, could they not revoke the key of someone they simply wish to hassle? I agree that a new key can be generated, and a new "Please use this key, not the other one" message sent, and this may work, but I don't believe this revokes the old key and removes it from the keyservers. I could be wrong, as I am certainly no expert on the keyservers. The question is: is there a "majority vote" mode on the keyservers that causes them to remove a key if enough people claim it is no longer valid? --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From futplex at pseudonym.com Sat Jan 6 10:32:21 1996 From: futplex at pseudonym.com (Futplex) Date: Sun, 7 Jan 1996 02:32:21 +0800 Subject: Revoking Old Lost Keys In-Reply-To: Message-ID: <199601061803.NAA17075@thor.cs.umass.edu> Tim May writes: > If one can safely and securely store a revocation certificate for later > use, why not just store the much shorter passphrase? Well, you're dealing with very different threats in the two cases AFAICS. With your passphrase and private key, someone can forge your signature, read your encrypted incoming mail, etc. 
With your revocation certificate and private key, about all they can do is revoke your key and force you to create a new one. I certainly find the latter prospect much less alarming -- by far the lesser of two evils. Heck, it's good to update keys periodically, so they might even be doing me a favor of sorts ;) Futplex From mab at crypto.com Sat Jan 6 10:34:23 1996 From: mab at crypto.com (Matt Blaze) Date: Sun, 7 Jan 1996 02:34:23 +0800 Subject: Revoking Old Lost Keys In-Reply-To: <199601061748.LAA06159@proust.suba.com> Message-ID: <199601061822.NAA06999@crypto.com> > > Note that the problem here is in the basic trust model, not just the > > certificate distribution model (which is a separate problem). The lack of > > ability for a certifier to revoke his own certification, plus the lack of a > > facility to put limits on the duration and meaning of the certification, > > make PGP certificates of very limited practical value. > > Isn't the last bit here, the part about duration and meaning, the > practical answer to the problem? Especially duration? > > The stuff that's been going on lately with Netscape's browsers, Sameer's > apache ssl server, and the difficulty of getting CAs like verisign to > approve keys underscores the importance of this issue. > > This is probably sort of half-baked, but is it possible to come up with a > formal grammar that would allow us to describe trust models in general? 
> What if we had a prolog-like system that allowed you to set up rules like: > > "x is a student if x has got a signature from a school" > "x is a school if x has got a signature from the accreditation authority" > "x belongs to the secret society if x has signatures from 3 other people > who have belonged to the society for more than a year, and if x is > a certified owner of a duck." > > Wouldn't something like this give us the flexibility to use a PGPish model > of trust or an X.509ish model, or whatever else we wanted to do? > > It seems to me that the rules that govern when you can accept which > signature ought to be data objects in a more flexible system, just as the > signatures themselves are data objects. That means that the rules > themselves ought to be subject to change, revocation, or revision. > > The constitution wouldn't have survived if it didn't contain a mechanism > for amendment. Wouldn't a model of trust with the same ability for > revision and extension be a lot more robust, and a lot more resistant to > centralized control? > Indeed, I agree that's the right approach. In fact, I agree so much that I've spent the last few months (with Joan Feigenbaum and Jack Lacy) developing the principles and structure for just such a "trust management" system. Watch this space for details of our system, called "PolicyMaker", which I expect to release a paper about shortly and a reference implementation around April or May. -matt From bart at netcom.com Sat Jan 6 10:55:35 1996 From: bart at netcom.com (Harry Bartholomew) Date: Sun, 7 Jan 1996 02:55:35 +0800 Subject: http://www.rsa.com/rsalabs/cryptobytes/ In-Reply-To: <9601051755.AA04835@sulphur.osf.org> Message-ID: <199601061616.IAA10646@netcom13.netcom.com> >lynx http://www.rsa.com/rsalabs/cryptobytes/ CryptoBytes (p2 of 4) Back issues available in electronic form: Volume 1 Number 1 - Spring 1995 ... Alas that's all there is. No later volumes yet. Preserving the value of the $90 annual subscription I guess. 
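Added example (not code from PolicyMaker or from any poster): the rule-driven trust model proposed in the "Revoking Old Lost Keys" exchange above, with the rules held as revisable data, certificates that expire, and revocation honoured only from the issuer. All key names, dates and class names are constructed, and signature verification is assumed to have happened before a certificate is loaded.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Cert:                    # one signed statement: "issuer says subject is <role>"
    issuer: str
    subject: str
    role: str
    issued: date
    expires: date              # duration limit on the certification


@dataclass(frozen=True)
class Need:                    # one clause of a rule
    cert_role: str             # what the certificates must assert about the subject
    issuer_role: str           # what each signer must itself be
    count: int = 1             # number of distinct signers required
    min_tenure_days: int = 0   # how long each signer must have held issuer_role


class Policy:
    def __init__(self, roots, rules):
        self.roots = dict(roots)   # (key, role) -> date held since; local axioms
        self.rules = dict(rules)   # role -> tuple of Need; plain data, revisable
        self.certs = []            # assumed signature-checked before being added
        self.revoked = set()

    def revoke(self, issuer, subject, role):
        # Keyed by issuer: a certifier can withdraw only its own statement.
        self.revoked.add((issuer, subject, role))

    def since(self, key, role, today, _seen=frozenset()):
        """Date from which `key` holds `role` as of `today`, or None if it does not."""
        if (key, role) in self.roots:
            return self.roots[(key, role)]
        if role not in self.rules or (key, role) in _seen:
            return None            # unknown role, or a circular chain of vouching
        seen = _seen | {(key, role)}
        established = date.min
        for need in self.rules[role]:
            signers = {}           # issuer -> earliest qualifying issue date
            for c in self.certs:
                if (c.subject != key or c.role != need.cert_role or c.issuer == key
                        or not c.issued <= today < c.expires
                        or (c.issuer, c.subject, c.role) in self.revoked):
                    continue
                held = self.since(c.issuer, need.issuer_role, today, seen)
                if held is None or held + timedelta(days=need.min_tenure_days) > today:
                    continue       # signer lacks the role or the required tenure
                signers[c.issuer] = min(c.issued, signers.get(c.issuer, c.issued))
            if len(signers) < need.count:
                return None
            established = max(established, sorted(signers.values())[need.count - 1])
        return established


def build_demo():
    """Constructed sample: the three rules quoted in the thread, with made-up keys."""
    d, far = date, date(1999, 1, 1)
    roots = {("accred", "accreditation_authority"): d(1990, 1, 1),
             ("ducks", "duck_registry"): d(1990, 1, 1),
             ("f1", "society"): d(1990, 1, 1), ("f2", "society"): d(1990, 1, 1),
             ("f3", "society"): d(1990, 1, 1)}
    rules = {"school": (Need("school", "accreditation_authority"),),
             "student": (Need("student", "school"),),
             "society": (Need("society", "society", count=3, min_tenure_days=365),
                         Need("duck_owner", "duck_registry"))}
    p = Policy(roots, rules)
    p.certs += [Cert("accred", "uni", "school", d(1995, 1, 1), d(1997, 1, 1)),
                Cert("uni", "alice", "student", d(1995, 9, 1), d(1996, 6, 1)),
                Cert("ducks", "bob", "duck_owner", d(1994, 5, 1), far),
                Cert("ducks", "carol", "duck_owner", d(1995, 11, 1), far),
                Cert("ducks", "dave", "duck_owner", d(1996, 1, 2), far)]
    p.certs += [Cert(s, "bob", "society", d(1994, 6, 1), far) for s in ("f1", "f2", "f3")]
    p.certs += [Cert(s, "carol", "society", d(1995, 12, 1), far) for s in ("f1", "f2", "bob")]
    p.certs += [Cert(s, "dave", "society", d(1996, 1, 2), far) for s in ("f1", "f2", "carol")]
    return p


if __name__ == "__main__":
    policy, today = build_demo(), date(1996, 1, 6)
    for who, role in [("alice", "student"), ("carol", "society"), ("dave", "society")]:
        print(who, role, policy.since(who, role, today))
```

In the sample data dave is refused because carol, one of his three signers, has been a member for under a year; replacing `rules["society"]` with a two-signer rule admits him without touching any certificate.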
From iagoldbe at calum.csclub.uwaterloo.ca Sat Jan 6 11:02:06 1996 From: iagoldbe at calum.csclub.uwaterloo.ca (Ian Goldberg) Date: Sun, 7 Jan 1996 03:02:06 +0800 Subject: Mixmaster On A $20 Floppy? In-Reply-To: <199601060155.UAA13574@pipe3.nyc.pipeline.com> Message-ID: <4cmg14$682@calum.csclub.uwaterloo.ca> In article <199601060155.UAA13574 at pipe3.nyc.pipeline.com>, tallpaul wrote: >Question 1: Can you fit linux, pgp, mixmaster, etc. on the 135 Mb disk and >have enough useful space left over for a useful amount of data? Yes. I have a pair of standard 1.44 MB floppies, one of which has a Linux kernel (boot disk), the other has a filesystem containing just enough stuff to be able to stick the disk in an arbitrary PC, use PPP to connect to the net, and use kerberos to log in. I'm going to use the new ramdisk features in the 1.3 kernels to put more useful stuff on the disk, too, like file utils, maybe... :-) But if I can squeeze everything I need to turn an arbitrary PC into a secure (modulo hardware) login session into 1.44 MB + boot image, I don't think there's a problem putting all the stuff you want on a 135MB disk. Hell, the _hard disk_ on my Linux box is only 80MB... - Ian From master at internexus.net Sat Jan 6 11:22:03 1996 From: master at internexus.net (Laszlo Vecsey) Date: Sun, 7 Jan 1996 03:22:03 +0800 Subject: Mixmaster On A $20 Floppy? In-Reply-To: <4cmg14$682@calum.csclub.uwaterloo.ca> Message-ID: > >Question 1: Can you fit linux, pgp, mixmaster, etc. on the 135 Mb disk and > >have enough useful space left over for a useful amount of data? > > [snip snip snip] > > But if I can squeeze everything I need to turn an arbitrary PC > into a secure (modulo hardware) login session into 1.44 MB + boot image, > I don't think there's a problem putting all the stuff you want on a > 135MB disk. Hell, the _hard disk_ on my Linux box is only 80MB... 
Someone can get one of those tiny devices that slips on the end of a keyboard connector and captures all the scan codes - you're better off bringing the whole computer (laptop) along with your floppy. From blancw at accessone.com Sat Jan 6 11:31:08 1996 From: blancw at accessone.com (blanc) Date: Sun, 7 Jan 1996 03:31:08 +0800 Subject: FW: Undeliverable: Re: Massey, CEO of Compuserve, on Internet Message-ID: <01BADC29.B54CF780@blancw.accessone.com> From: Steve14571 at aol.com Something else I want to know... Why is my mail going through microsoft.com? ....................................................................................................... There is an email 'alias' at Microsoft which was subscribed to the cpunk list, to receive and distribute the cpunk list to members of that alias. A new beta version of Exchange is being used on a test basis by some departments (apparently all of the cpunks at MS are using it), and the programmers recently encountered a "little complication" (to use a phrase from the movie 'Brazil'). I'm told that the problems were corrected, but that now the spoolers are releasing messages which were backed up while mail delivery was put on hold. I hate to agree with Timothy C. May, but it is probably best to "use technology " to deal with it for a day or so. .. Blanc From post at why.net Sat Jan 6 11:52:15 1996 From: post at why.net (post) Date: Sun, 7 Jan 1996 03:52:15 +0800 Subject: Why can't I get PGP from MIT Message-ID: <19960106184748728.AAA262@tar176.why.net> MIT won't let me get PGP or PGPhone. I know their server went down awhile back but, I have tried them several times and sent several e-mail requests. I thought maybe I was missing something obvious or maybe they are just really busy. I keep being told I'm not in the U.S. I have tried two different Internet service providers and my Unix account at Lockheed Martin Tactical Aircraft Systems. 
I understand why I would be denied when trying to get PGP from a commercial site but, under my personal accounts I get the same results. I requested that my providers be put on the "approved" list of domestic sites but still get the same results. My original e-mail request to MIT was sent roughly 3 months ago. All I want is clean copy of PGP for personal use. I have considered purchasing a commercial system but still would like to try PGP with the big keys. Thanks, Sid Post post at why.net From tcmay at got.net Sat Jan 6 12:09:28 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 7 Jan 1996 04:09:28 +0800 Subject: Why can't I get PGP from MIT Message-ID: At 6:47 PM 1/6/96, post wrote: >MIT won't let me get PGP or PGPhone. I know their server >went down awhile back but, I have tried them several times >and sent several e-mail requests. I thought maybe I was >missing something obvious or maybe they are just really >busy. I keep being told I'm not in the U.S. As I recall, they don't tell you you're "not in the U.S.," they tell you they cannot conclude in the affirmative that you _are_ in the U.S. This has to do with whether they have a record (DNS) of your site, blah blah. And the message about sending them e-mail affirming your status, etc., points out that the mail is handled manually and may not be gotten to for a while. This happened to me, with PGPhone, when they could not confirm my ISP (got.net) to be a U.S.-based service. I simply grabbed one of the "otherwise available" copies (it was either posted publically, or available at an offshore site, I forget which). This was several months ago, the day after it was released. I fired it up, concluded I was missing some pieces needed to make it work, and put it aside for the time being. For PGP, I always go to the offshore sites anyway, on principle. These sites are listing with numbing frequency in all the usual places. --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. 
---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From dsmith at midwest.net Sat Jan 6 12:11:41 1996 From: dsmith at midwest.net (David E. Smith) Date: Sun, 7 Jan 1996 04:11:41 +0800 Subject: Revoking Old Lost Keys Message-ID: <199601062000.OAA20579@cdale1.midwest.net> At 11:11 AM 1/6/96 -0800, tcmay at got.net wrote: >If one can safely and securely store a revocation certificate for later >use, why not just store the much shorter passphrase? If the security of the safely-stored passphrase is violated, a lot of trouble can be caused. There's not nearly as much that can be done with a stored revocation certificate. dave --- Sorry for any delayed replies, but business trips are so seldom announced. David E. Smith, dsmith at midwest.net, PGP ID 0x92732139 From alano at teleport.com Sat Jan 6 12:25:39 1996 From: alano at teleport.com (Alan Olsen) Date: Sun, 7 Jan 1996 04:25:39 +0800 Subject: Why can't I get PGP from MIT Message-ID: <2.2.32.19960106200842.0095e840@mail.teleport.com> At 12:47 PM 1/6/96 -0600, post wrote: >MIT won't let me get PGP or PGPhone. I know their server >went down awhile back but, I have tried them several times >and sent several e-mail requests. I thought maybe I was >missing something obvious or maybe they are just really >busy. I keep being told I'm not in the U.S. There was a posting (either on the server or somewhere else) that claimed that the MIT site was having problems with .net and .org sites. (As well as a couple of others if I remember correctly.) The posting claimed that they had fixed the problem, but i guess not... | Remember: Life is not always champagne. 
Sometimes it is REAL pain. | |"The moral PGP Diffie taught Zimmerman unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From master at internexus.net Sat Jan 6 12:38:38 1996 From: master at internexus.net (Laszlo Vecsey) Date: Sun, 7 Jan 1996 04:38:38 +0800 Subject: Why can't I get PGP from MIT In-Reply-To: <2.2.32.19960106200842.0095e840@mail.teleport.com> Message-ID: On Sat, 6 Jan 1996, Alan Olsen wrote: > At 12:47 PM 1/6/96 -0600, post wrote: > >MIT won't let me get PGP or PGPhone. I know their server > >went down awhile back but, I have tried them several times > >and sent several e-mail requests. I thought maybe I was > >missing something obvious or maybe they are just really > >busy. I keep being told I'm not in the U.S. > > There was a posting (either on the server or somewhere else) that claimed > that the MIT site was having problems with .net and .org sites. (As well as > a couple of others if I remember correctly.) The posting claimed that they > had fixed the problem, but i guess not... I believe I had a problem when I wanted to get PGP coming from internexus.net (New Jersey). I just e-mailed them about it and I think they just added the site to their 'acceptable' list. I did a traceroute to why.net and noticed that it is very close to me, coming off of SprintNet... probably the same situation. From loki at obscura.com Sat Jan 6 12:49:27 1996 From: loki at obscura.com (Lance Cottrell) Date: Sun, 7 Jan 1996 04:49:27 +0800 Subject: USENIX anyone? Message-ID: At 11:31 AM 1/4/96, Matt Blaze wrote: >I'm going to be at the USENIX conference in San Diego later this month, >as are, I suspect, many other crypto/cypherpunk types. > >Any interest in a crypto BOF? I have organized a Remailers and other "Cypherpunkish" topics BOF. 
I think it is scheduled for Thursday at 6:30 - 8:30 -Lance ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche ---------------------------------------------------------- From tallpaul at pipeline.com Sat Jan 6 13:15:51 1996 From: tallpaul at pipeline.com (tallpaul) Date: Sun, 7 Jan 1996 05:15:51 +0800 Subject: Mixmaster On A $20 Floppy? Message-ID: <199601062050.PAA04925@pipe1.nyc.pipeline.com> On Jan 06, 1996 12:16:57, 'Laszlo Vecsey ' wrote: >> >Question 1: Can you fit linux, pgp, mixmaster, etc. on the 135 Mb disk and >> >have enough useful space left over for a useful amount of data? >> >> [snip snip snip] >> >> But if I can squeeze everything I need to turn an arbitrary PC >> into a secure (modulo hardware) login session into 1.44 MB + boot image, >> I don't think there's a problem putting all the stuff you want on a >> 135MB disk. Hell, the _hard disk_ on my Linux box is only 80MB... > >Someone can get one of those tiny devices that slips on the end of a >keyboard connector and captures all the scan codes - you're better off >bringing the whole computer (laptop) along with your floppy. > First, I am not convinced that such devices exist in the real, practical world. They would require either storage hardware or radio transmitters, all in a package small enough to be undetectable to the naked eye. Second, I do not think it practicable that the cosmic-nasties (of one's chosen social bias) could, in the real, practical world, run black-bag jobs on tens of thousands of suburban garages as a prophylactic measure against teenagers "playfully" setting up Mixmaster sites. 
The software costs of quality crypto approach nil thanks to the terrific folks who brought us things like linux and pgp. It is, I think, easy for us to miss the gigantic steps forward that these technologies represent. Imagine talking to an IBM-mainframe priest of not-too-many years ago about the idea of something like linux; imagine the same thing with an NSA bureaucrat about the development cost of a security concept/package like pgp! Move hardware costs downward and user-interface upward, and Mixmaster isn't a "black art" of cypherpunks. It is a parlor game for teenage slumber parties. That's the type of world I want to see. -- -- tallpaul -- Any political analysis that fits on a bumper sticker is wrong. From Lou.Zirko at rex.isdn.net Sat Jan 6 14:02:52 1996 From: Lou.Zirko at rex.isdn.net (Lou Zirko) Date: Sun, 7 Jan 1996 06:02:52 +0800 Subject: Why can't I get PGP from MIT Message-ID: I have sent two requests myself in the last two months that have gone unanswered. The request was to have isdn.net added to the allowed list. I know the initial rejection was the .net domain, but the location should not be hard to look up - just a basic whois. I got PGP from alternative locations, but still have not been able to get PGPhone. > MIT won't let me get PGP or PGPhone. I know their server > went down awhile back but, I have tried them several times > and sent several e-mail requests. I thought maybe I was > missing something obvious or maybe they are just really > busy. I keep being told I'm not in the U.S. > All I want is clean copy of PGP for personal use. I have considered > purchasing a commercial system but still would like to try PGP with > the big keys. 
> > Thanks, > Sid Post > post at why.net > > > Lou Zirko (615)851-1057 Zystems lzirko at isdn.net "We're all bozos on this bus" - Nick Danger, Third Eye From wlkngowl at unix.asb.com Sat Jan 6 14:20:23 1996 From: wlkngowl at unix.asb.com (Mutatis Mutantdis) Date: Sun, 7 Jan 1996 06:20:23 +0800 Subject: Internet & Porno on A&E tonite Message-ID: <199601062218.RAA12597@UNiX.asb.com> On Sat, 6 Jan 1996 10:54:55 -0600 (CST), you wrote: >Hi, >Just saw an ad for an Investigative Reports show tonite on A&E dealing with >the Internet and some of the current issues relating to porno and privacy. What time?!? From mab at research.att.com Sat Jan 6 14:42:51 1996 From: mab at research.att.com (Matt Blaze) Date: Sun, 7 Jan 1996 06:42:51 +0800 Subject: "trust management" vs. "certified identity" Message-ID: <199601062232.RAA12812@nsa.tempo.att.com> The discussions here of the limits of PGP's certification and revocation model are close to the core of some work I've been doing (with Joan Feigenbaum and Jack Lacy) on what we call the "trust management" problem. Essentially we consider the consequences of abandoning the notion of "certified identity" implicit in systems like X.509 and PGP and subsuming identity under the more general umbrella of specifying and determining what a key is trusted to do. We've built a system, called "PolicyMaker", that allows the certifier of a key to specify what the key is trusted to do rather than to whom the key is trusted to belong. The same mechanism is also used to specify and interpret local policies. 
The PolicyMaker system is designed to be called as a service by local applications, which could be email systems like PGP or network-layer security protocols or any other application that requires complex trust relationships. Some early, local experience suggests that this approach is a good one. It's easy to specify X.509- and PGP-style policies and certificates, but you can also say things like "valid for transactions over $500 only if countersigned" in a fairly natural way. I'll be happy to send a (very early) draft of our paper, "Decentralized trust management" to anyone who's interested. I've made the draft available in the CFS-users email archive server. To request a copy (PostScript format) by email: echo get cfs-users pmdraft.ps | mail cfs-users-request at research.att.com (For non-unix shell people, just send a message to cfs-users-request at research.att.com With the line: get cfs-users pmdraft.ps in the BODY of the message (NOT on the subject line).) Comments and discussion appreciated. This is an early draft, and I'd appreciate it if it not be directly quoted, cited, or re-distributed. -matt PS We expect to give away our reference implementation, too. (Probably by May or so.) Note that this is just research, and does not represent any current, past, or future product or service offering on the part of AT&T or anyone else. From fod at brd.ie Sat Jan 6 15:00:50 1996 From: fod at brd.ie (Frank O'Dwyer) Date: Sun, 7 Jan 1996 07:00:50 +0800 Subject: Revoking Old Lost Keys Message-ID: <01BADC1C.309CFE20@dialup-080.dublin.iol.ie> On Saturday, January 06, 1996 09:18, Timothy C. May[SMTP:tcmay at got.net] wrote: >At 7:07 AM 1/6/96, Bruce Baugh wrote: >>I'd like to bring up a problem I haven't seen addressed much yet, and which >>I think is going to come up with increasing frequency as PGP use spreads. 
>> >>The problem is this: how can one spread the word that an old key is no >>longer to be used when one no longer has the pass phrase, and cannot >>therefore create a revocation certificate? > >Basically, you are screwed. Any revocation you attempt will not be trusted, >as we will suspect the new "you" to be an attacker, perhaps an agent of the >NSA or the Illuminati. In the view that "you are your key," the old you no >longer exists. This is true, but the "old you" can be resurrected if you can get enough people to believe your new key using any out-of-band means available to you. You can also put a comment in your new key's uid explaining the problem and how to verify the new key. You will find it very hard to use this new key for a while, though, during the transition period. Many people will take the existence of two keys with the same uid as suspicious in itself, since it at least indicates some kind of attack (even if only a denial of service attack). This is really a usability flaw with current PGP. The PGP formats do allow for a 'revocation' certificate, but PGP doesn't implement it (yet, I guess). In any case, it's not really strong enough, since what it says is "I retract all my previous statements that this key is related to this user". This'd mean that you'd have to visit everyone who'd ever signed your key and get them to issue this retraction. What would be needed for this problem is either an "anti-certificate" ("This key does not belong to this user"), or else some convention. For example, if two _trusted_ keys are found for the same uid, the most recent one could be chosen, and the earlier one be purged from keyservers, etc. This may be possible with current PGP. I haven't tried it, but since I have some keys which have fallen into disuse, I will need to do so sometime.). Cheers, Frank O'Dwyer fod at brd.ie http://www.iol.ie/~fod From perry at piermont.com Sat Jan 6 15:42:19 1996 From: perry at piermont.com (Perry E. 
Metzger) Date: Sun, 7 Jan 1996 07:42:19 +0800 Subject: please stop the Mitnick stuff Message-ID: <199601062331.SAA05063@jekyll.piermont.com> This is cypherpunks, not Mitnick punks, Shimomura punks, or anything similar. I personally don't care about Kevin Mitnick, and he most certainly has little to no cryptography relevance at this point. Take it elsewhere. Perry From mikepb at freke.hoplite.org Sat Jan 6 15:58:28 1996 From: mikepb at freke.hoplite.org (Michael P. Brininstool) Date: Sun, 7 Jan 1996 07:58:28 +0800 Subject: Another Internet Provider Censors Access (fwd) In-Reply-To: Message-ID: <1996Jan6.154423.21243@freke.hoplite.org> In article , Brad Dolan wrote: >Date: Tue, 2 Jan 1996 00:02:44 -0500 (EST) >---------- Forwarded message ---------- >Coming off CompuServe's announcement last week that it was >cutting off all access to "alt.binaries" newsgroups under >pressure from the German government, I'm passing along another >apparent development from another Internet access provider, >Netcom. > >Under the guise of a minor software upgrade, Netcom has changed >its newsgroups access list to totally exclude "alt" groups >altogether. Since there is no way to sign up for a newsgroup >other than via the selection menu that Netcom provides, it >appears that Netcom has managed to censor access to all those >discussion groups. I saw all the posts regarding this and proclaiming it to be false. I feel obligated to point out a discussion we had at work last week about our news feeds (I work for an ISP). Our news machines are constantly filling up, and we can only add so much disk-space to the news spools. We have been reducing the expire times, and the news spools are still filling up too fast. 40%, I think it was, of the news was alt.*. I suggested (Bad, Mike!) that we kill all the alt.* groups, and add back only those that people customers actually request. 
The whole engineering group jumped down my throat saying that that action would be seen by the customers, and potential customers, as censorship. I withdrew my proposal, because I agreed with them. The reason I bring this up is to point out that the removal of the alt.* groups does not necessarily mean the people removing those groups are trying to censor anything, but may just be trying to reduce the resources eaten by news on their systems and network. -------------------------------------------------------------| | #include "std/disclaimer.h" Michael P. Brininstool | | http://www.hoplite.org/~mikepb/ NIC: MB458 | |------------------------------------------------------------- From frantz at netcom.com Sat Jan 6 16:00:07 1996 From: frantz at netcom.com (Bill Frantz) Date: Sun, 7 Jan 1996 08:00:07 +0800 Subject: Revoking Old Lost Keys Message-ID: <199601062342.PAA04578@netcom6.netcom.com> Perhaps if keys could be made with expiration dates (certificates too), this problem might be reduced to manageable proportions. ----------------------------------------------------------------- Bill Frantz Periwinkle -- Computer Consulting (408)356-8506 16345 Englewood Ave. frantz at netcom.com Los Gatos, CA 95032, USA From mrm at netcom.com Sat Jan 6 16:05:45 1996 From: mrm at netcom.com (Marianne Mueller) Date: Sun, 7 Jan 1996 08:05:45 +0800 Subject: Jan 13 Mountain View CA meeting Message-ID: <199601062350.PAA18983@netcom20.netcom.com> Hi all, happy new year. The Jan 13 Mountain View, California meeting will be held again at Sun Microsystems, at Sparcy's cafeteria. That's building 21, in the set of Sun buildings near Shoreline Park in Mountain View. Take 101 to Amphitheater Parkway exit, turn left onto Charleston at the light (this street is also named Garcia at its far end) and follow the purple Sun signs for building 21. You'll drive down Charleston (Garcia) for about 1/3 mile and then turn right onto a road that in about 3 blocks takes you to B21.
Please send mail if you have a topic you would like to speak about, and I'll send out a speaking agenda towards the end of the week. Marianne mrm at netcom.com mrm at eng.sun.com p.s. I'll bring bagels again but since I never got reimbursed last time around I think I will put out the donation jar this time ...! From lharrison at mhv.net Sat Jan 6 16:13:43 1996 From: lharrison at mhv.net (Lynne L. Harrison) Date: Sun, 7 Jan 1996 08:13:43 +0800 Subject: Internet & Porno on A&E tonite Message-ID: <9601070002.AA26160@mhv.net> At 10:05 PM 1/6/96 GMT, Mutatis Mutantdis wrote: > >>Just saw an add for a Investigative Reports show tonite on A&E dealing with >>the Internet and some of the current issues relating to porno and privacy. > >What time?!? 9:00 P.M. E.S.T. ******************************************************* Lynne L. Harrison, Esq. | "The key to life: Poughkeepsie, New York | - Get up; E-mail: | - Survive; lharrison at mhv.net | - Go to bed." ******************************************************* From nobody at REPLAY.COM Sat Jan 6 16:42:48 1996 From: nobody at REPLAY.COM (Anonymous) Date: Sun, 7 Jan 1996 08:42:48 +0800 Subject: please stop the Mitnick stuff Message-ID: <199601070023.BAA04907@utopia.hacktic.nl> At 06:31 PM 1/6/96 -0500, Perry Metzger wrote: > >This is cypherpunks, not Mitnick punks, Shimomura punks, or anything >similar. I personally don't care about Kevin Mitnick, and he most >certainly has little to no cryptography relevance at this point. Take >it elsewhere. C'mon, Perry, give it a break. Mitnick's case has to do with security issues as well as the violations of privacy and/or search and seizure the government used to arrest him. It may not be cryptography per se, but are you going to seriously argue that security, etc. is not encompassed in crypto issues? I found it interesting. If you didn't, then all you had to do was delete it. No one needs to read your personal crusade as *The One* who tells us what's relevant and what's not. 
From fod at brd.ie Sat Jan 6 16:55:08 1996 From: fod at brd.ie (Frank O'Dwyer) Date: Sun, 7 Jan 1996 08:55:08 +0800 Subject: Revoking Old Lost Keys Message-ID: <01BADC96.AA0A0B20@dialup-169.dublin.iol.ie> On Saturday, January 06, 1996 07:19, Timothy C. May[SMTP:tcmay at got.net] wrote: >At 9:47 AM 1/6/96, Frank O'Dwyer wrote: >>On Saturday, January 06, 1996 09:18, Timothy C. May[SMTP:tcmay at got.net] wrote: > >>>Basically, you are screwed. Any revocation you attempt will not be trusted, >>>as we will suspect the new "you" to be an attacker, perhaps an agent of the >>>NSA or the Illuminati. In the view that "you are your key," the old you no >>>longer exists. >> >>This is true, but the "old you" can be resurrected if you can get enough >>people to believe your new key using any out-of-band means available >>to you. You can also put a comment in your new key's uid explaining the > >Could you explain how "enough people" can get around a basic >feature/limitation of the current PGP web of trust? Who, besides the >originator, can revoke an old key? How many does it take? I wasn't referring to revoking the old key, but to introducing a new one and letting the old one fall into disuse. I think this can sometimes be done even if you've lost access to the old key, albeit in a painful out-of-band fashion. It does depend on the application, though, and if the (relevant portion of the) web of trust was very large, you might find that the old key kept popping up and you kept getting mail (or whatever-it-is-you're-encrypting) that you couldn't read. (and/or some people wouldn't believe your signatures). Basically, PGP's revocation model is broken unless you create a revocation cert. at the time you make your key, and keep it safely somewhere in case you need it. Even then, as time goes by the keyring keeps accumulating all these extra packets and growing without bound. 
It's not just PGP--all long-lived certificates are hard to revoke (for example X.509's revocation is also clunky). It's just that PGP's certificates are particularly long-lived, and PGP's revocation is particularly broken. Luckily the data formats do allow for a validity time, and a revocation of a key's countersignature, so this can perhaps be fixed sometime. >If a bunch of the "alleged" friends of Bruce could do this, could they not >revoke the key of someone they simply wish to hassle? Well, see above. The key is not revoked. But a bunch of people _could_ attempt to introduce a key under the name of someone they just wanted to hassle. The conspiracy doesn't have to be especially large. For example, it would be easy for me to invent a key for you and have _my_ friends believe it even in spite of your real key being on their keyrings. It wouldn't be so easy for me to get _your_ friends to believe it. In Bruce's case, he'd be trying to do a similar thing, except that the key'd really be his, and more people'd be likely to believe him (especially his friends, and their friends, and so on). >I agree that a new key can be generated, and a new "Please use this key, >not the other one" message sent, and this may work, but I don't believe >this revokes the old key and removes it from the keyservers. I could be >wrong, as I am certainly no expert on the keyservers. I think you're right. The key will still be out there. >The question is: is there a "majority vote" mode on the keyservers that >causes them to remove a key if enough people claim it is no longer valid? I don't think so. At best, you might be able to convince the admins to manually delete the old key from the server's rings (assuming the software is able to do this). Even then, the key might keep popping back up, for example if you had countersigned other people's keys with your old key and they kept uploading their key with additional signatures.
A practical solution might be for the key servers to automatically remove keys older than X years (or some time limit related to the key size). Ultimately though, what is needed is a new revocation model (maybe implementing the unused fields in the PGP certs is good enough to begin with). Cheers, Frank O'Dwyer fod at brd.ie http://www.iol.ie/~fod From perry at piermont.com Sat Jan 6 17:00:02 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 7 Jan 1996 09:00:02 +0800 Subject: please stop the Mitnick stuff In-Reply-To: <199601070023.BAA04907@utopia.hacktic.nl> Message-ID: <199601070042.TAA05199@jekyll.piermont.com> Anonymous writes: > > At 06:31 PM 1/6/96 -0500, Perry Metzger wrote: > > > >This is cypherpunks, not Mitnick punks, Shimomura punks, or anything > >similar. I personally don't care about Kevin Mitnick, and he most > >certainly has little to no cryptography relevance at this point. Take > >it elsewhere. > > C'mon, Perry, give it a break. Mitnick's case has to do with security > issues as well as the violations of privacy and/or search and seizure > the government used to arrest him. This isn't Libernet-d or something similar. This isn't where we discuss violations of search and seizure laws or things of that kind. The world is full of injustice -- but this isn't the place to discuss it. Mitnick's case has very little (certainly at this point) to do with security, and never had anything to do with cryptography. > I found it interesting. If you didn't, then all you had to do was > delete it. When there are one or two small items posted on a topic that's no big deal. When it's a lot of stuff, it becomes an enormous pain. Multiply the few seconds to read and digest enough of a message to know you should delete it by dozens of messages per mailing list per day and by a dozen mailing lists and you suddenly have an untenable waste of your time.
Perry From fod at brd.ie Sat Jan 6 17:07:26 1996 From: fod at brd.ie (Frank O'Dwyer) Date: Sun, 7 Jan 1996 09:07:26 +0800 Subject: "trust management" vs. "certified identity" Message-ID: <01BADC99.C7034FE0@dialup-169.dublin.iol.ie> On Saturday, January 06, 1996 10:32, Matt Blaze[SMTP:mab at research.att.com] wrote: >The discussions here of the limits of PGP's certification and >revocation model are close to the core of some work I've been doing >(with Joan Feigenbaum and Jack Lacy) on what we call the "trust >management" problem. > >Essentially we consider the consequences of abandoning the notion >of "certified identity" implicit in systems like X.509 and PGP and >subsuming identity under the more general umbrella of specifying >and determining what a key is trusted to do. This is an interesting idea. I think, though, that there's something to be said for keeping identity and privilege separate things to be vouched for. For one thing privileges and policy change but identity doesn't. Privilege is also relative, but identity is not (nyms and that aside). I'm Frank O'Dwyer anywhere I go, but I'm not "loyal bank customer" to all banks. Also, it's easier to securely determine that I'm Frank O'Dwyer than it is to securely determine (say) my credit limit. So, a signator's job in signing for my identity is easier (and less risky) than signing for my trustworthiness. And we still don't have many CAs signing for identity! Plus, given secure identity (which might be an anonymous id), you can layer the other stuff on top. That's not to say that the certification approach can't be general, though. It occurred to me that a very general certificate format would simply be to sign some assertions (predicates), and then feed all available signed predicates plus some axioms (the analogue of root keys) into a theorem prover. Sounds slow though. 
More practically perhaps, you could sign some kind of (safe) interpreted code, and have the verifier execute it on some initial variable set to come up with some access decision. I haven't read your paper yet though! I'll read it and get back to you. There does seem to be something about current models of certification that inhibits their take up, so it's good to hear something new in this area... Cheers, Frank O'Dwyer fod at brd.ie http://www.iol.ie/~fod From mab at research.att.com Sat Jan 6 17:13:47 1996 From: mab at research.att.com (Matt Blaze) Date: Sun, 7 Jan 1996 09:13:47 +0800 Subject: "trust management" vs. "certified identity" In-Reply-To: <01BADC99.C7034FE0@dialup-169.dublin.iol.ie> Message-ID: <199601070103.UAA13065@nsa.tempo.att.com> ... >That's not to say that the certification approach can't be general, though. >It occurred to me that a very general certificate format would >simply be to sign some assertions (predicates), and then >feed all available signed predicates plus some axioms (the analogue >of root keys) into a theorem prover. Sounds slow though. More >practically perhaps, you could sign some kind of (safe) interpreted code, >and have the verifier execute it on some initial variable set to come up with >some access decision. > Yes. That's pretty much PolicyMaker in a nutshell. 
-matt From srw134 at psu.edu Sat Jan 6 17:22:36 1996 From: srw134 at psu.edu (Sean Wilkins) Date: Sun, 7 Jan 1996 09:22:36 +0800 Subject: No Subject Message-ID: <199601070102.UAA91196@r04n12.cac.psu.edu> unsubscibe Sean Robert Wilkins Student , Staff , And The MAN (SRW134 at PSU.EDU) ---LTR--- From jya at pipeline.com Sat Jan 6 17:22:37 1996 From: jya at pipeline.com (John Young) Date: Sun, 7 Jan 1996 09:22:37 +0800 Subject: Crypto Rules Report Message-ID: <199601070103.UAA25559@pipe2.nyc.pipeline.com> Thanks to MH, The report is available by anon ftp from ftp.wimsey.com in /pub/crypto/Doc/crypto_policy_report.12.95 or from a WWW browser via URL: ftp://ftp.wimsey.com/pub/crypto/Doc/crypto_policy_report.12.95 From jya at pipeline.com Sat Jan 6 17:40:11 1996 From: jya at pipeline.com (John Young) Date: Sun, 7 Jan 1996 09:40:11 +0800 Subject: Mixmaster On A $20 Floppy? Message-ID: <199601070127.UAA26984@pipe2.nyc.pipeline.com> On small boxes, John Dvorak in Jan 23 PC Mag: "Other Things of Interest Dept: Virtual I-0, the Seattle company that brings you those nifty 3-D LCD eye-glasses, was showing [at Comdex] a complete hard disk-based computer the size of a beta video cassette. The idea was that you could plug in a keyboard and the video headset and finally have that computer-without-a-screen concept that we've been promised. Perfect for someone wanting genuine privacy, although I think once we start seeing a plane load of people all wearing virtual reality headsets, the world becomes a little creepier. Most Interesting Rumor Dept: Supposedly, Microsoft is quietly wooing Hitachi and has secretly ported Windows 95 to the Hitachi 32-bit RISC processor. It hopes to have Casio build and market a small RISC computer about half the size of the Newton in an attempt to open up the market for those little hand-held, do-all gizmos that seem to be attracting a lot of attention in Japan. This is being developed by the same group who did the Timex/Microsoft watch, I'm told. 
When I pressed on whether this will really be Windows 95 or Windows NT with a Windows 95 shell, I was told it will be plain-vanilla Windows 95 stripped down to fit on a smaller platform. If Microsoft ports plain Windows 95 to other chips, this will not sit well with Intel. Maybe this thing is the wallet computer that Gates keeps mumbling about in his more recent speeches." From belize at ix.netcom.com Sat Jan 6 17:57:03 1996 From: belize at ix.netcom.com (GENERAL STEVEN WALZ) Date: Sun, 7 Jan 1996 09:57:03 +0800 Subject: ssn Message-ID: <199601070144.RAA23014@ix3.ix.netcom.com> Send info on ssn# belize at ix.netcom.com From jamesd at echeque.com Sat Jan 6 18:01:03 1996 From: jamesd at echeque.com (James A. Donald) Date: Sun, 7 Jan 1996 10:01:03 +0800 Subject: \"Concryption\" Message-ID: <199601061852.KAA00797@blob.best.net> At 07:13 PM 1/4/96 -0800, Bill Frantz wrote: > What I interpreted their press release as saying was that they had patented > the idea of doing the compression AND the encryption in one pass over the > data. If they got a patent for this, then the patent office has totally > lost the concept that in order to be patentable, the idea must not be > obvious to those well versed in the state of the art. All bureaucracies act to extend their power, regardless of the laws and the official purpose of the bureaucracy. We will soon have a patent on bicycles. > > >----------------------------------------------------------------- >Bill Frantz Periwinkle -- Computer Consulting >(408)356-8506 16345 Englewood Ave. >frantz at netcom.com Los Gatos, CA 95032, USA > > > --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state.
| jamesd at echeque.com From jya at pipeline.com Sat Jan 6 18:31:14 1996 From: jya at pipeline.com (John Young) Date: Sun, 7 Jan 1996 10:31:14 +0800 Subject: please stop the Mitnick stuff Message-ID: <199601070216.VAA02580@pipe1.nyc.pipeline.com> Perry's askance leads me to propose stealing Littman's book. It's as techno-thrilling as cypherpunks in describing the melodrama of unexpected human/technology malfunctions. True, only a bit of bare crypto in it, with Kevin advising Littman to use PGP so his Well mail could not be read -- as Kevin's e-mail to Littman was by Shimomura and Markoff. Littman says that was how Markoff learned of Kevin's and Littman's exchanges and why Markoff started hustling Littman for leads on Kevin to feed the trackers. Also, crypto-related: The fact that Shimomura's supposedly secret files were not protected by encryption or other security is what causes Littman and others to think there was a sting (perhaps with TLA help) rather than foolish vanity of the security wizard. Best, the book provides Clancy-like fun in deciphering the question of why humans abuse technology to mask their own frailty. From accessnt at ozemail.com.au Sat Jan 6 18:37:40 1996 From: accessnt at ozemail.com.au (Mark Neely) Date: Sun, 7 Jan 1996 10:37:40 +0800 Subject: What to do about Germany Message-ID: <199601070223.NAA05634@oznet02.ozemail.com.au> jirib at cs.monash.edu.au wrote: >What if the laws actually contradict each other? > >Eg if there was a country that forbade women speaking on the net, and >another that forbade distinctions between men and women to be made? I guess one thing politicians should consider _real_ hard is whether they want the Internet to be ruled by the lowest common denominator (so to speak). If the US (or Germany etc.) wants to impose its version of morality/PC then it really doesn't have any grounds to complain when other countries decided to do so.
Mark ___ Mark Neely - accessnt at ozemail.com.au Lawyer, Professional Cynic Author: Australian Beginner's Guide to the Internet Work-in-Progress: Australian Business Guide to the Internet WWW: http://www.ozemail.com.au/~accessnt From ravage at ssz.com Sat Jan 6 18:56:20 1996 From: ravage at ssz.com (Jim Choate) Date: Sun, 7 Jan 1996 10:56:20 +0800 Subject: Mixmaster On A $20 Floppy? (fwd) Message-ID: <199601070243.UAA06855@einstein.ssz.com> Forwarded message: > From: John Young > Date: Sat, 6 Jan 1996 20:27:02 -0500 > Subject: Re: Mixmaster On A $20 Floppy? > > "Other Things of Interest Dept: Virtual I-0, the Seattle > company that brings you those nifty 3-D LCD eye-glasses, > was showing [at Comdex] a complete hard disk-based computer > the size of a beta video cassette. The idea was that you > could plug in a keyboard and the video headset and finally > have that computer-without-a-screen concept that we've been > promised. Perfect for someone wanting genuine privacy, > although I think once we start seeing a plane load of > people all wearing virtual reality headsets, the world > becomes a little creepier. Anyone looking for small 486 compatible pc's should check out the system that scuba divers have been using for the last couple of years. They strap on your tank, have a cable with one-hand keyboard (usually hangs on the R. since your console is on the L.) that emulates a standard 101 and uses a small display that hangs off your mask. They run standard windows apps and are not too expensive. Check your local dive shop for specifics. 
From shamrock at netcom.com Sat Jan 6 20:06:18 1996 From: shamrock at netcom.com (Lucky Green) Date: Sun, 7 Jan 1996 12:06:18 +0800 Subject: please stop the Mitnick stuff Message-ID: At 21:16 1/6/96, John Young wrote: > Also, crypto-related: The fact that Shimomura's supposedly > secret files were not protected by encryption or other > security is what causes Littman and others to think there > was a sting (perhaps with TLA help) rather than foolish > vanity of the security wizard. [I do believe this has CP relevance.] Of course it was a set-up. Mitnick got into Shimomura's computer by impersonating the IP address of one of Shimomura's machines. The router should have never let packets in from outside that have an IP address that is supposed to be inside. That a 'security expert' would overlook such a blatant and well publicized hole in his _own_ router is inconceivable. Shimomura was trying to get someone to break into his system. If the bait was specifically for Mitnick, we may never know. -- Lucky Green PGP encrypted mail preferred. From tcmay at got.net Sat Jan 6 20:20:57 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 7 Jan 1996 12:20:57 +0800 Subject: please stop the Mitnick stuff Message-ID: At 3:45 AM 1/7/96, Lucky Green wrote: >Of course it was a set-up. Mitnick got into Shimomura's computer by >impersonating the IP address of one of Shimomura's machines. The router >should have never let packets in from outside that have an IP address that >is supposed to be inside. That a 'security expert' would overlook such a >blatant and well publicized hole in his _own_ router is inconceivable. > >Shimomura was trying to get someone to break into his system. If the bait >was specifically for Mitnick, we may never know. I've met Shimomura several times, and I don't think he was trying to get someone to break into his system. I tend strongly to believe his basic story, that he found someone entering his system.
(Shimomura as I have met him is not some kind of Junior G-Man, intent on catching minor criminals. He's about as counter-cultural as any of us. Thus, his account that he found Mitnick breaking into his systems and stealing things as a taunt rings more true than some view that he is an FBI or BATF narc in training.) As to whether a security expert should have seen this coming, there are a couple of factors at work. First, being a security expert/consultant doesn't mean one has perfect security oneself (the shoes of the cobbler, etc.). Second, new attack modes are often involved. Third, Shimomura _did_ ultimately find the attack. As to what really happened with Shimomura, Markoff, Mitnick, and the Feds, I have no idea. The Littman account is one side of the story. The Shimomura-Markoff book will be another. The various movies and other deals will further complicate the picture. (There are some mighty strange characters involved. Katie Hafner, former wife of Markoff, wrote a piece for one of various weeklies or monthlies (maybe "Esquire," as I recall) about a former prostitute living in a trailer in Nevada--do former prostitutes ever live anywhere else?--who was badmouthing Shimomura and praising her buddy Mitnick...bizarre stuff...maybe it'll make it into the movie. I understand that Christian Slater has agreed to play Mitnick, John Lone will play Shimomura, and Richard Dreyfuss will get the role of Markoff.) Knowing Markoff, Shimomura, and (vaguely) Menapace, and not knowing either Littman or Mitnick, I am somewhat biased toward the M-S-M view of things. While I don't think news of Mitnick is utterly alien to our group, I think people need to be discriminating in ascribing pro-Mitnick views to the Cypherpunks, at least as individuals. Supporting Mitnick just because he is a "hacker" or a "cracker" or a "cyber-outlaw" is wrong-headed. Also, I'm not persuaded that the Feds used blatantly illegal search and seizure tactics to arrest Mitnick.
--Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From grendel at netaxs.com Sat Jan 6 20:29:37 1996 From: grendel at netaxs.com (Michael Handler) Date: Sun, 7 Jan 1996 12:29:37 +0800 Subject: Domains, InterNIC, and PGP (and physical locations of hosts, to boot) Message-ID: The InterNIC (the company responsible for registering .COM, .EDU, .ORG, and .NET domains) has had a great deal of trouble lately, with people submitting malicious CHANGE DOMAIN requests (change admin or technical contact, point root nameserver entries to rival ISPs, etc). In response, the InterNIC has created "the Guardian project" which delineates who has access and authorization to change data in the InterNIC's record. Not much new cpunk relevance, but much of what has been discussed here is very applicable to this project (digital signatures, common access to databases, etc). I'm not completely pleased with their implementation, but it will do for now. They _do_ support PGP as an access controller within the Guardian project, and they have purchased a copy from ViaCrypt for this purpose. A good thing, says I. Check out their proposal: ftp://rs.internic.net/policy/internic/internic-gen-1.txt ObGPS/cpunk/physical-location-of-machines: A recent IETF proposal would create a new DNS record that encoded the physical location of a machine, encoded in latitude and longitude. This would solve the problem MIT has had in distributing PGP, i.e. where exactly is unix5.netaxs.com? 
However, there's nothing to stop you from adding records that say your machines are at the latitude and longitude of, say, Fort Meade... ;-) ftp://ds.internic.net/rfc/rfc1876.txt Again, I'm not too sure of the viability of this proposal. Not on effectiveness of proving true location -- it is more geared toward "visual 3-D packet tracing" -- but simply because I have _no_ fricking idea where our machines are (in terms of lat and long) to any degree of accuracy. ("They're somewhere in PA." Brilliant, you can find that out via WHOIS.) The document suggests using GPS to locate your true location, but I'll be damned if my boss is going to spend $1,000 just so I can have more DNS entries to maintain... -- Michael Handler "Hours of frustration punctuated by moments of sheer terror." From bdolan at use.usit.net Sat Jan 6 20:33:46 1996 From: bdolan at use.usit.net (Brad Dolan) Date: Sun, 7 Jan 1996 12:33:46 +0800 Subject: please stop the Mitnick stuff In-Reply-To: <199601070216.VAA02580@pipe1.nyc.pipeline.com> Message-ID: I'm enjoying the story, partly because I took copious abuse from some CPs for posting - before Mitnick hit the papers - that the Well was under surveillance. [Crypto relevance of (TLA contract?) surveillance of ISPs should be obvious.] Anyway, it's too bad Mitnick didn't read CP. I'm still angry about the Well's voluntary cooperation in this scam. Why should I pay money to an outfit that's in bed with the TLAs? bdolan at use.usit.net, formerly bdolan at well.com On Sat, 6 Jan 1996, John Young wrote: > Perry's askance leads me to propose stealing Littman's > book. It's as techno-thrilling as cypherpunks in describing > the melodrama of unexpected human/technology malfunctions. > > True, only a bit of bare crypto in it, with Kevin advising > Littman to use PGP so his Well mail could not be read -- as > Kevin's e-mail to Littman was by Shimomura and Markoff. 
> Littman says that was how Markoff learned of Kevin's and > Littman's exchanges and why Markoff started hustling > Littman for leads on Kevin to feed the trackers. > > Also, crypto-related: The fact that Shimomura's supposedly > secret files were not protected by encryption or other > security is what causes Littman and others to think there > was a sting (perhaps with TLA help) rather than foolish > vanity of the security wizard. > > Best, the book provides Clancy-like fun in deciphering the > question of why humans abuse technology to mask their > own frailty. > > > > > > > > > From futplex at pseudonym.com Sat Jan 6 20:52:53 1996 From: futplex at pseudonym.com (Futplex) Date: Sun, 7 Jan 1996 12:52:53 +0800 Subject: please stop the Mitnick stuff In-Reply-To: <199601070023.BAA04907@utopia.hacktic.nl> Message-ID: <199601070438.XAA26617@opine.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- Perry Metzger writes: > This is cypherpunks, not Mitnick punks, Shimomura punks, or anything > similar. I personally don't care about Kevin Mitnick, and he most > certainly has little to no cryptography relevance at this point. Take > it elsewhere. I agree 100% with Perry. The Mitnick discussion is somewhat more stimulating than the recent flood of alt.security.pgp fodder (HINT HINT use alt.security.pgp instead HINT HINT), but it doesn't belong here either. 
Futplex

From jya at pipeline.com Sat Jan 6 21:13:03 1996
From: jya at pipeline.com (John Young)
Date: Sun, 7 Jan 1996 13:13:03 +0800
Subject: please stop the Mitnick stuff
Message-ID: <199601070455.XAA14715@pipe1.nyc.pipeline.com>

Littman mentions toad.com twice -- that site, a character says, suspiciously, "run by one of the founders of Sun." Used, allegedly by the perp, to get into the drawers of, Well, you know. BTW, Littman says, and that Markoff agrees, that it was not Mitnick who got into Shimomura's underware, but, more than likely, the "Israeli." Apparently, an incident occurred after Kevin's bust. Agree with Tim that the Markoff/Shimomura book is needed to see both sides. For now, Mitnick seems to be a hapless pawn. Me too, about stuff I only read about.

From jimbell at pacifier.com Sat Jan 6 21:36:01 1996
From: jimbell at pacifier.com (jim bell)
Date: Sun, 7 Jan 1996 13:36:01 +0800
Subject: Mixmaster On A $20 Floppy?
Message-ID:

At 03:50 PM 1/6/96 -0500, you wrote:
>>Someone can get one of those tiny devices that slips on the end of a
>>keyboard connector and captures all the scan codes - you're better off
>>bringing the whole computer (laptop) along with your floppy.
>>
>
>First, I am not convinced that such devices exist in the real, practical
>world. They would require either storage hardware or radio transmitters,
>all in a package small enough to be undetectable to the naked eye.
As a ham I can tell you that such devices will ALMOST CERTAINLY exist, at least in arbitrarily small quantities against high-value, rare targets. All that's needed is a VHF/UHF/microwave oscillator whose frequency is varied slightly in response to a change in control voltage (which in this case would be the data line voltage). The antenna would be the data line itself. Commercially, they are called VCO's (voltage controlled oscillator) or VCXO's (voltage controlled crystal oscillator). Historically, many were/are built in packages the size of large oscillator modules, with pinouts compatible with 14-bit dips. These are the dinosaurs of the current era. More modern are surface-mount parts substantially smaller than a TO-92 transistor case. It is probably possible to put a VCO in an SOT-23 package, which is so small that unless your vision is good it's hard to see! Embedding these in a custom, one-off cable for a black-bag job would be rather easy, even for an organization far less sophisticated than the NSA/CIA. Another option would be to make the thing look like a surface-mount resistor or capacitor, and replacing an existing bias/decoupling component in an existing keyboard product. I think chances are very good that the NSA/CIA buys at least "one of" EVERYTHING sold (especially keyboards) to plan for just such jobs.

>Second, I do not think it practicable that the cosmic-nasties (of one's
>chosen social bias) could, in the real, practical world, run black-bag jobs
>on tens of thousands of suburban garages as a prophylactic measure against
>teenagers "playfully" setting up Mixmaster sites.

_THAT_ is probably true, given "tens of thousands." But individual hardware can indeed be attacked.

From futplex at pseudonym.com Sat Jan 6 21:36:01 1996
From: futplex at pseudonym.com (Futplex)
Date: Sun, 7 Jan 1996 13:36:01 +0800
Subject: "trust management" vs.
"certified identity"
In-Reply-To: <01BADC99.C7034FE0@dialup-169.dublin.iol.ie>
Message-ID: <199601070522.AAA26624@opine.cs.umass.edu>

-----BEGIN PGP SIGNED MESSAGE-----

Frank O'Dwyer writes:
[I've adjusted the line breaks for those of us with 80-column displays]
> Privilege is also relative, but identity is not (nyms and that aside).

That's a pretty large aside!

> I'm Frank O'Dwyer anywhere I go,

I am definitely not "Futplex" in many places I go, and often I am not anyone in particular.

"Auuugh! Single personality disorder! No cure!" -Beverley R. White

> but I'm not "loyal bank customer" to all banks. Also, it's easier to
> securely determine that I'm Frank O'Dwyer than it is to securely determine
> (say) my credit limit. So, a signator's job in signing for my identity is
> easier (and less risky) than signing for my trustworthiness.

I am doubtful. I can't vouch for the identities of very many people on this list. (I've even met, e.g., Lucky in person and I certainly have no clue what his verinym might be, nor do I particularly care.) On the other hand, I am willing to sign onto all sorts of judgements about the trustworthiness of various people on the list, and other aspects of their reputations. I've driven hundreds of miles based on trust developed online with people whose identities I still haven't verified. I've even agreed to loan hundreds of dollars to someone I knew only as an online pseudonym.

[...]
> Plus, given secure identity (which might be an anonymous id), you can
> layer the other stuff on top.

I am swayed by the view expounded by Carl Ellison that a key, not an identity, should be the anchor to which attributes are attached. (Sorry if I am misstating or oversimplifying the position here.) I think identity should be hung off the key as just another (optional) attribute. I think your comments apply pretty well to trust relationships in the flesh, but don't fully take the net into account.
Futplex
The Pack Is Back

From shamrock at netcom.com Sat Jan 6 21:40:09 1996
From: shamrock at netcom.com (Lucky Green)
Date: Sun, 7 Jan 1996 13:40:09 +0800
Subject: Revoking Old Lost Keys
Message-ID:

At 15:45 1/6/96, Bill Frantz wrote:
>Perhaps if keys could be made with expiration dates (certificates too),
>this problem might be reduced to manageable proportions.

I would very much like to see expiration dates on public keys. Is PGP 3.0 offering this feature?

-- Lucky Green
PGP encrypted mail preferred.

From jwhiting at igc.apc.org Sat Jan 6 21:49:50 1996
From: jwhiting at igc.apc.org (Jerry Whiting)
Date: Sun, 7 Jan 1996 13:49:50 +0800
Subject: carrick demo revisited
Message-ID: <199601070327.TAA04424@igc4.igc.apc.org>

Please note that the carrick demo that is available on www.encryption.com is just that; a DEMO. As the documentation states, the file format is NOT what is in the full retail product. The files that the demo generates are NOT compatible with the full retail version. The demo is a marketing-driven effort. The shipping version will have a different UI, a different file structure, a different file header, etc. Azalea Software will make full source code available to those who wish to review carrick under nondisclosure agreement. We have written an FAQ that details carrick's API's and file header. It will answer many questions that some cryptographically sophisticated users may have. We apologize for any misunderstanding or inconvenience the demo may have caused.
Again, the demo is a marketing piece to accompany the press release that we are distributing. Ver 1.0 should be going out the door any day now and we invite all cypherpunks and other encryption fans to look it over.

Azalea Software, Inc.
1 800 ENCRYPT
www.encryption.com
carrick at azalea.com

From steve at aztech.com Sat Jan 6 22:03:16 1996
From: steve at aztech.com (steve at aztech.com)
Date: Sun, 7 Jan 1996 14:03:16 +0800
Subject: please stop the Mitnick stuff
In-Reply-To: <199601070023.BAA04907@utopia.hacktic.nl>
Message-ID: <9601070542.AA01803@Mail.AZTech.Net>

I don't usually rant, but nobody at replay.com (Anonymous) said:

#C'mon, Perry, give it a break. Mitnick's case has to do with security
#issues as well as the violations of privacy and/or search and seizure
#the government used to arrest him.
#It may not be cryptography per se, but are you going to seriously argue
#that security, etc. is not encompassed in crypto issues?
#I found it interesting. If you didn't, then all you had to do was
#delete it. No one needs to read your personal crusade as *The One*
#who tells us what's relevant and what's not.

I too found it interesting reading (agreeing with your position). I too found it to be off-topic/off-charter (agreeing with Perry's position.) It really torques me when someone suggests: (in response to someone else's suggestion that something was off-topic) "just delete it." I subscribe to a lot of mailing lists and news groups. Anything that contributes to the noise/signal ratio, and doesn't apologize for it is a bad thing, IMHO. To be more on-topic, if Mitnick knew more about crypto and covert ops, he probably wouldn't have been caught as easily. When he was caught, the feds probably wouldn't have been able to gather as much evidence against him. I'll stop ranting, now. You probably don't know me, and probably don't care about why I don't care to read alt.fan.kevin.mitnick stuff on the cypherpunks list.
FWIW,
-- S

From loki at obscura.com Sat Jan 6 22:44:17 1996
From: loki at obscura.com (Lance Cottrell)
Date: Sun, 7 Jan 1996 14:44:17 +0800
Subject: Mixmaster On A $20 Floppy?
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

The second paragraph of this post seems to address a different issue than the first. The problem of correlations between a certain sender sending and a certain receiver receiving, is well known and understood. The best defense against this (as a sender) is to send messages into the remailer network with a period equal to or less than the time required for a message with your typical chain length to pass through the remailer net. If these are sent at random intervals, then your real mail will blend with the cover traffic, and mail from you will correlate with all message receipts by all message recipients.

The second paragraph seems to deal with the issue of being known as an anonymous remailer or regular remailer user. I am not sure exactly what the concern with that is.

-Lance

At 11:56 PM 1/5/96, Futplex wrote:
>The "ultimate" traffic analysis problem, as others have observed, is
>the correlation between messages sent by A and received by B via the overall
>network. Hence the utility of a Dining Cryptographers' Net, PipeNet, etc. in
>which the apparent bandwidth variation between any two points is eliminated.
>A and B are effectively folded into the network.
>
>I suppose that a site that escapes detection as a Mixmaster will throw off
>the correlation stats (i.e. because a message from that site to B won't be
>identified as a remailed message). But such sites are elusive objects I
>think. On the one hand, the site can't endure for long, or else its
>throughput traffic will likely give it away as an anonymizer (i.e. it gets
>lots of mail from the Mix network, and sends out similar amounts of mail to
>all sorts of people and the network).
On the other hand, it had better last,
>or else it will look suspicious as a transient account receiving mail from
>the Mix network, sending a few messages, and quickly vanishing.
>
>Futplex
>"Dammit Jim, I'm a doctor, not a bricklayer!"
>

----------------------------------------------------------
Lance Cottrell loki at obscura.com
PGP 2.6 key available by finger or server.
Mixmaster, the next generation remailer, is now available!
http://obscura.com/~loki/Welcome.html or FTP to obscura.com

"Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche
----------------------------------------------------------

From jimbell at pacifier.com Sat Jan 6 23:17:15 1996
From: jimbell at pacifier.com (jim bell)
Date: Sun, 7 Jan 1996 15:17:15 +0800
Subject: Domains, InterNIC, and PGP (and physical locations of hosts, to boot)
Message-ID:

At 11:15 PM 1/6/96 -0500, you wrote:
>ObGPS/cpunk/physical-location-of-machines: A recent IETF proposal would
>create a new DNS record that encoded the physical location of a
>machine, encoded in latitude and longitude. This would solve the
>problem MIT has had in distributing PGP, i.e. where exactly is
>unix5.netaxs.com? However, there's nothing to stop you from adding
>records that say your machines are at the latitude and longitude of,
>say, Fort Meade... ;-)
>
> ftp://ds.internic.net/rfc/rfc1876.txt
>
>Again, I'm not too sure of the viability of this proposal.
Not on
>effectiveness of proving true location -- it is more geared toward
>"visual 3-D packet tracing" -- but simply because I have _no_ fricking
>idea where our machines are (in terms of lat and long) to any degree
>of accuracy.

Question: Do we really WANT to advertise the location of machines? Especially to an accuracy commensurate with current technology? And if lying is possible, what's the point?!?

>("They're somewhere in PA." Brilliant, you can find that
>out via WHOIS.) The document suggests using GPS to locate your true
>location, but I'll be damned if my boss is going to spend $1,000 just
>so I can have more DNS entries to maintain...

BTW, the cheapest GPS receivers (Magellan 2000's, as I recall) at $200 at the local marine supply shop. Excellent price. Even so, I won't buy one when I get my first GPS receiver, for two reasons:

1. No differential capability. (will improve accuracy to typically 2 meters)
2. Only two digits past the "minutes" decimal point resolution.

From wlkngowl at unix.asb.com Sat Jan 6 23:17:46 1996
From: wlkngowl at unix.asb.com (Mutatis Mutantdis)
Date: Sun, 7 Jan 1996 15:17:46 +0800
Subject: Revoking Old Lost Keys
Message-ID: <199601070707.CAA25933@UNiX.asb.com>

On Sat, 6 Jan 1996 03:10:49 +0000, "Michael C. Peponis" wrote:
>If it's widely distributed, or on a keyserver, that becomes hard.
>First you would have to be authenticated as the original key owner,
>ie how do I really know that you are you, and not somebody saying you
>are the original key owner?
[..]
>Good topic.

Interesting, yes. Also a possible attack... Alice sends a PGP'd message to Charlie, but gets a reply from "Charlie" saying that the original key was lost due to a hard drive crash, etc.... and that she should consider it revoked. Is that message from Charlie or from Mallet (the demonic SysAdmin), who is trying to get in between Alice and Charlie...?
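The "is it Charlie or Mallet?" question raised just above, together with the expiration dates Bill Frantz and Lucky Green ask for earlier in the thread, worked through as an added example; it is not part of any list message and is not PGP's code. The notice format, the day-number expiry and the toy RSA (textbook, unpadded, Mersenne-prime modulus) are assumptions made for illustration: the keyring changes only on notices signed by the affected key, and a key whose owner can no longer sign simply lapses.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Toy textbook RSA over Mersenne primes: no padding, tiny modulus, NOT secure.
# It only stands in for "a signature made with the key in question".
E = 65537

def make_key(p: int, q: int):
    """Return (n, d): public modulus and private exponent for primes p, q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def _digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg: bytes, d: int, n: int) -> int:
    return pow(_digest(msg, n), d, n)

def verify(msg: bytes, sig: int, n: int) -> bool:
    return pow(sig, E, n) == _digest(msg, n)

@dataclass
class KeyRecord:                 # what Alice's keyring holds for Charlie
    key_id: str
    n: int                       # public modulus
    expires: int                 # day number after which the key is stale
    revoked: bool = False

@dataclass
class Notice:                    # hypothetical notice format, not PGP's
    kind: str                    # "revoke" or "extend"
    key_id: str
    expires: int = 0             # new expiry day, used by "extend" only
    sig: Optional[int] = None    # signature made with the key being changed

    def body(self) -> bytes:
        return f"{self.kind}|{self.key_id}|{self.expires}".encode()

def apply_notice(rec: KeyRecord, note: Notice) -> str:
    """Change the keyring only for notices signed by the affected key."""
    if note.key_id != rec.key_id:
        return "rejected: wrong key"
    if note.sig is None or not verify(note.body(), note.sig, rec.n):
        return "rejected: not signed by this key"
    if note.kind == "revoke":
        rec.revoked = True
        return "revoked"
    if note.kind == "extend" and note.expires > rec.expires:
        rec.expires = note.expires
        return "extended"
    return "rejected: stale or unknown notice"

def status(rec: KeyRecord, today: int) -> str:
    if rec.revoked:
        return "revoked"
    return "expired" if today > rec.expires else "valid"

def demo():
    n_c, d_c = make_key(2**127 - 1, 2**107 - 1)   # Charlie (constructed key)
    n_m, d_m = make_key(2**89 - 1, 2**61 - 1)     # Mallet (constructed key)
    rec = KeyRecord("charlie", n_c, expires=365)
    results = []
    # 1. Plain mail: "disk crashed, consider my key revoked". No signature.
    results.append(apply_notice(rec, Notice("revoke", "charlie")))
    # 2. The same claim signed with a different key.
    forged = Notice("revoke", "charlie")
    forged.sig = sign(forged.body(), d_m, n_m)
    results.append(apply_notice(rec, forged))
    # 3. Charlie still holds the key and extends its life by a year.
    ext = Notice("extend", "charlie", expires=730)
    ext.sig = sign(ext.body(), d_c, n_c)
    results.append(apply_notice(rec, ext))
    # 4. Replaying the same extension later changes nothing.
    results.append(apply_notice(rec, ext))
    # 5. If Charlie really lost the key, no renewal arrives and it lapses.
    results.append(status(rec, 400))
    results.append(status(rec, 800))
    return results

if __name__ == "__main__":
    for line in demo():
        print(line)
```

An unauthenticated loss claim leaves the keyring untouched, so Alice keeps using the key she already verified until it is revoked by a signed notice or passes its expiry day.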
From wlkngowl at unix.asb.com Sat Jan 6 23:22:47 1996
From: wlkngowl at unix.asb.com (Mutatis Mutantdis)
Date: Sun, 7 Jan 1996 15:22:47 +0800
Subject: Revoking Old Lost Keys
Message-ID: <199601070714.CAA02909@UNiX.asb.com>

On Fri, 05 Jan 1996 23:07:19 -0800, Bruce Baugh wrote:
>I'd like to bring up a problem I haven't seen addressed much yet, and which
>I think is going to come up with increasing frequency as PGP use spreads.
>The problem is this: how can one spread the word that an old key is no
>longer to be used when one no longer has the pass phrase, and cannot
>therefore create a revocation certificate?
[..]

Keys should have built-in expiration dates (adjustable by the user manually the way one would change their user-id, passphrase, etc.) PGP should give a warning when the key passes the expiration date. It should not prevent you from using it, but should remind you that the key is rather old, and that the owner may have moved, etc. Users who want to extend the life of their keys should send special certificates (at least once a year or every other year?) that tell keyservers and those with copies of their public keys that the key is still being used, and to update the expiration time.

Comments?

--Rob

From j.miranda3 at genie.com Sat Jan 6 23:53:50 1996
From: j.miranda3 at genie.com (j.miranda3 at genie.com)
Date: Sun, 7 Jan 1996 15:53:50 +0800
Subject: info
Message-ID: <199601070733.AA020080001@relay1.geis.com>

Anyone have any connections with the alternative/underground rock scene. I have been reality surfing it here in the L.A. area and am looking for people who are interested in coming along to assorted industrial/techno/gothic/rave places. Also, are there any cybernetic developments related to this scene I was thinking of something along a program which would be used when employing the mini-monitors (which you wear like sunglasses).

From hal9001 at panix.com Sun Jan 7 00:09:52 1996
From: hal9001 at panix.com (Robert A.
Rosenberg)
Date: Sun, 7 Jan 1996 16:09:52 +0800
Subject: Internet & Porno on A&E tonite
Message-ID:

At 10:54 1/6/96, Jim Choate wrote:
>Hi,
>
>Just saw an ad for an Investigative Reports show tonite on A&E dealing with
>the Internet and some of the current issues relating to porno and privacy.
>
>
> Jim Choate

I just got done watching it. Heavy on the porno and Light on the privacy. It did cover some of our hot buttons but stayed away from talking about their context (ie: They covered the TN prosecution of the CA BBS owner but ignored the question of if it was a prosecution or a persecution [as well as the question of if the charge/trial was legal in the first case]).

From hal9001 at panix.com Sun Jan 7 00:09:55 1996
From: hal9001 at panix.com (Robert A. Rosenberg)
Date: Sun, 7 Jan 1996 16:09:55 +0800
Subject: FW: Undeliverable: Re: Massey, CEO of Compuserve, on Internet
Message-ID:

At 11:25 1/6/96, blanc wrote:
>From: Steve14571 at aol.com
>
>Something else I want to know... Why is my mail going through microsoft.com?
>...........................................................................
>............................
>
>There is an email 'alias' at Microsoft which was subscribed to the cpunk
>list, to receive and distribute the cpunk list to members of that alias.
>
>A new beta version of Exchange is being used on a test basis by some
>departments (apparently all of the cpunks at MS are using it), and the
>programmers recently encountered a "little complication" (to use a phrase
>from the movie 'Brazil'). I'm told that the problems were corrected, but
>that now the spoolers are releasing messages which were backed up while
>mail delivery was put on hold. I hate to agree with Timothy C. May, but
>it is probably best to "use technology " to deal with it for a day or so.
>
> ..
>Blanc

I had a bounce from another list () so it is not only cypherpunks which is having the problem.
From sameer at c2.org Sun Jan 7 02:14:03 1996
From: sameer at c2.org (sameer)
Date: Sun, 7 Jan 1996 18:14:03 +0800
Subject: NSA says strong crypto to china??
In-Reply-To: <199601070941.BAA12858@ammodump.mcom.com>
Message-ID: <199601070958.BAA04319@infinity.c2.org>

> Does anyone know of real documentation of this "suggestion" from the NSA?
> It's quite telling, though no surprise to any of us I'm sure, that they would
> think that strong crypto should be a tool of freedom in china, but not in
> this country.

But they do. That's why they don't want it. That too should be obvious. I think though, that this is an example of the two major functional halves of the NSA, with rather opposite goals: COMSEC vs. COMINT.

--
sameer                                      Voice:  510-601-9777x3
Community ConneXion                         FAX:    510-601-9734
The Internet Privacy Provider               Dialin: 510-658-6376
http://www.c2.org/ (or login as "guest")    sameer at c2.org

From leefi at microsoft.com Sun Jan 7 04:12:37 1996
From: leefi at microsoft.com (Lee Fisher)
Date: Sun, 7 Jan 1996 20:12:37 +0800
Subject: "Microsoft.com" added to my KILL file
Message-ID:

| After getting another batch of bounce messages from Microsoft's Postmaster,
| I have reluctantly decided to filter out all messages from Microsoft.com
| until they fix this problem with Microsoft Exchange.

I'm not in the Exchange group, not the internal operations group responsible for this last error, but I'll try to clarify the two issues raised by this thread. (But perhaps this message was pointless, as the folks I'm attempting to explain to have already filtered this out by their KILL file?)

MSMail and Exchange started before MIME started. They wanted to have "richer" email (as with MIME), and started some efforts, which put data in a uuencoded WINMAIL.DAT file. Exchange switched from TNEF (Transport Neutral something or another) to MIME. Originally the default was to send "rich" email but after beta feedback came in, it was changed to NOT be the default.
So, these winmail.dat and MIME (and some TNEF) data included in some messages are from MSMail and Exchange clients. And while I expect that there are some things that our MS Mail and Exchange groups could have done better to introduce support for more than just ASCII messages, there is also some user education needed (that some forums -- such as mailing lists and newsgroups -- often aren't the right place to post non-ASCII text like MIME attachments and older winmail.dat files).

Another issue (the one mentioned in the above message). Last week the mail server operations group on Microsoft campus experienced a few "growing pains" switching over to later builds of Exchange server, switching over from MS Mail. Apparently there were some brief problems, causing some bounce messages, which would have manifested from a few users @microsoft.com. I don't know if it was due to humans (operations group error) or computers (Exchange server bug) that caused it. The flurry of bounces was [hopefully] a one-time problem.

Lee Fisher, leefi at microsoft.com

From cp at proust.suba.com Sun Jan 7 06:04:34 1996
From: cp at proust.suba.com (Alex Strasheim)
Date: Sun, 7 Jan 1996 22:04:34 +0800
Subject: NSA says strong crypto to china??
In-Reply-To: <199601070941.BAA12858@ammodump.mcom.com>
Message-ID: <199601071037.EAA00310@proust.suba.com>

> > What one government regards as harmful material is an instrument of freedom
> > and democracy to another. Officials at the US National Security Agency have
> > suggested that Internet encryption technology - a sophisticated method of
> > encoding information - be deliberately exported to Chinese dissidents to
> > help them in their fight against their government - even though its export
> > is otherwise banned under US arms control regulations.

If this is true, it's great news. It would mean that the NSA is adopting both cypherpunk analysis and tactics. Who would have thought? An NSA remade in Tim May's image.
> Does anyone know of real documentation of this "suggestion" from the NSA?
> It's quite telling, though no surprise to any of us I'm sure, that they would
> think that strong crypto should be a tool of freedom in china, but not in
> this country.

The NSA is a big organization with a lot of people in it. It could be that the people in charge of thinking about Chinese dissidents are far removed from the people who think about domestic crypto. I'm skeptical about this story, but it would be a sensible policy for us to pursue. But not just with dissidents, and not just in China. We ought to try to create an environment in which people who want to do business need to have access to strong crypto in order to interoperate with the rest of the world. Pump high quality free tools out to the world, and push for solid standards for encrypted communications. And make sure those Chinese and Iraqi dissidents always have a safe way to post anonymously. We're already living in a world in which it's necessary to give people computers if you want them to be competitive economically. Let's try to make giving people computers the functional equivalent of abandoning any hope of making censorship work. I doubt they're interested in doing this, but I don't understand why. It's a sensible policy. Can you imagine what would happen to freedom and privacy around the world if the NSA went cypherpunk? In the space of a month they could eliminate the possibility of totalitarianism world wide.

From wlkngowl at unix.asb.com Sun Jan 7 06:33:43 1996
From: wlkngowl at unix.asb.com (Mutatis Mutantdis)
Date: Sun, 7 Jan 1996 22:33:43 +0800
Subject: Revoking Old Lost Keys
Message-ID: <199601071215.HAA05673@UNiX.asb.com>

shamrock at netcom.com (Lucky Green) writes:
>I would very much like to see expiration dates on public keys. Is PGP 3.0
>offering this feature?

I would very much like to see PGP 3.0, but that's another story...
--Rob

From fod at brd.ie Sun Jan 7 06:33:44 1996
From: fod at brd.ie (Frank O'Dwyer)
Date: Sun, 7 Jan 1996 22:33:44 +0800
Subject: "trust management" vs. "certified identity"
Message-ID: <01BADCE4.66BC9880@dialup-100.dublin.iol.ie>

On Sunday, January 07, 1996 12:22, Futplex[SMTP:futplex at pseudonym.com] wrote:
>Frank O'Dwyer writes:
>[I've adjusted the line breaks for those of us with 80-column displays]

Apologies - this mailer doesn't give me any indication where the margin is.

[...]
>>a signator's job in signing for my identity is
>> easier (and less risky) than signing for my trustworthiness.
>I am doubtful. I can't vouch for the identities of very many people on this
>list. (I've even met, e.g., Lucky in person and I certainly have no clue
>what his verinym might be, nor do I particularly care.) On the other hand, I
>am willing to sign onto all sorts of judgements about the trustworthiness of
>various people on the list, and other aspects of their reputations. I've
>driven hundreds of miles based on trust developed online with people whose
>identities I still haven't verified. I've even agreed to loan hundreds of
>dollars to someone I knew only as an online pseudonym.

I'm not saying that trust requires identity (it obviously doesn't, since we all make trusted cash transactions all the time without having to produce any id.). But it is usually easier to determine (and vouch for) who a stranger is than how trustworthy they are, if only because there are quick and easy real-world mechanisms for this (driver's licence, passport,etc.). That's all I meant. (BTW, can you lend me a few bucks? :-)

[...]
>I am swayed by the view expounded by Carl Ellison that a key, not an
>identity, should be the anchor to which attributes are attached. (Sorry if
>I am misstating or oversimplifying the position here.) I think identity
>should be hung off the key as just another (optional) attribute.

That's an extremely useful way of looking at it, I agree.
But the lifetime of a key is often less than that of some attribute. It's easy to imagine one email address having a succession of keys. But then again, one might acquire and discard email address more often than keys (I've gone through three addresses in the last year or so). So perhaps a better model is just a loose association of attributes, with "key(s)" and "identity(s)" being two very interesting ones, but no one attribute being primary all the time. (I'm thinking out loud here -- I'm actually trying to come up with some C++ classes for this sort of stuff, so this discussion is pretty interesting to me. Thus far, I'd got to the model you describe - a key has a bunch of attributes, one of them identity. But now I'm thinking that this maybe isn't enough, and an 'identity-centric' view is also needed. Perhaps there should be multiple views into the same data?).

>I think your comments apply pretty well to trust relationships in the flesh,
>but don't fully take the net into account.

Right. I was only talking about 'verinyms', really.

Cheers,
Frank O'Dwyer fod at brd.ie http://www.iol.ie/~fod

From don at wero.cs.byu.edu Sun Jan 7 06:39:50 1996
From: don at wero.cs.byu.edu (Don M. Kitchen)
Date: Sun, 7 Jan 1996 22:39:50 +0800
Subject: Key Expirations (was: Revoking Old Lost Keys)
Message-ID: <199601071308.GAA00421@wero.cs.byu.edu>

-----BEGIN PGP SIGNED MESSAGE-----

- -----BEGIN PGP SIGNED MESSAGE-----

>From: shamrock at netcom.com (Lucky Green)
>At 15:45 1/6/96, Bill Frantz wrote:
>>Perhaps if keys could be made with expiration dates (certificates too),
>>this problem might be reduced to manageable proportions.
>
>I would very much like to see expiration dates on public keys. Is PGP 3.0
>offering this feature?

(it would be nice to know of anything that PGP 3 will be offering)

>From: wlkngowl at unix.asb.com (Mutatis Mutantdis)
>
>Keys should have built-in expiration dates (adjustable by the user
>manually the way one would change their user-id, passphrase, etc.)
I disagree, I think a key should be given a specific lifetime. A master key, for example, might be given a life of 7-10 years, while a common-use key a life of, for example, 2-5 years.

>PGP should give a warning when the key passes the expiration date. It
>should not prevent you from using it, but should remind you that the
>key is rather old, and that the owner may have moved, etc.

I disagree. I think that it's the key owners' responsibility to provide transitions to a new key. (it would be nice to have a mechanism to auto transfer signatures to a new key, but I can't see that being both safe and practical) I also would also like to see PGP/keyservers with more of a current-status paradigm, rather than a from-the-beginning-of-time model. A "my master key is foo" and "I'm master of: fiz, bar, baz" fields would encourage the emergent practice of having a secure master key, and a common key that is replaced more often. Not-Secure Systems are Not-Secure Systems, and there should be Not-Secure keys to be used on these ISP/multiuser/whatever systems, without resorting to multiple keys, mutually signed, that merely proclaim their properties in the key ID. I'm certainly not calling for Someone[tm] to code it up, only pleading that the paradigms be established conceptually, so that everyone knows (and hopefully agrees) where it's going. We have security (stealth pgp, if generally indistinguishable from random data, will ensure that, and prevent all but human betrayal or tremendously draconian outlawing of random data from taking that security from us) but we do not have seamlessness, and we do not have a PGP that fits how PGP is being used, and not knowing if these things have even been planned is distressing.

>Users who want to extend the life of their keys should send special
>certificates (at least once a year or every other year?) that tell
>keyservers and those with copies of their public keys that the key is
>still being used, and to update the expiration time.
I can only see this working elegantly if the expiration date, as a signed block, could be expunged and a new expiration date block put in. Signatures, of course, would have to authenticate the parts that don't change. If the expiration date is inside the _owner's_ authentication block, everything would still be attack-resistant. (Everything absolutely should be designed to resist spoofing, etc. I would like to see PGP _IGNORE_ key ID's that are not signed, and naturally default to signing key-IDs when being added.) I too would like to see expiration dates built into the keys. The PGP key has too much of a static-model, long life paradigm. IMHO, I see two problems. First, key signatures are for the key/ID string pair. Every time someone changes email addresses, a clunky ID string addition is made to the key, and subsequent signatures are made to _that_ pair. I don't disagree that it should be this way, only suggest that a more integrated, conceptual view even, should be presented. While I'm presenting my wish list, it would also be nice for PGP to be able to extract keys that are in the Web Of Trust[tm] relative to an arbitrary key. I attempted to do something like this with my Web Of Nobody's keyring (for those of you who didn't see my posts, that's what I called what I generated because the brute-force way I extracted it necessitated the signatures going the opposite direction than they should have, resulting in a great many nobody's and missing a few somebody's.) which reduced the then-5 meg keyring to 1 meg. (I am considering doing it again, since I still don't know enough PERL to generate a web of trust instead of a web of nobodies) A feature like this would, in my opinion, largely negate (or at least greatly delay) the need for a DNS-style key lookup. And, after all, what's the purpose in having a list of all keys in the world, why not just have a list of keys that are actually interrelated, extracted from the former.
Perhaps even a batch-mode "copy all new and trusted keys from keyring X", THAT would help tremendously with a "locally-trusted" / "globally known" dual-use of PGP and its keys.

>From: "Frank O'Dwyer"
>portion of the) web of trust was very large, you might find that the old key
>kept popping up and you kept getting mail
...
>It's just that PGP's certificates are particularly long-lived, and PGP's
>revocation is particularly broken. Luckily the data formats do allow for a
>validity time, and a revocation of a key's countersignature, so this can
>perhaps be fixed sometime.
...
>uploading their key with additional signatures. A practical solution
>might be for the key servers to automatically remove keys older than X
>years (or some time limit related to the key size). Ultimately though, what
>is needed is a new revocation model (maybe implementing the unused fields
>in the PGP certs is good enough to begin with).

This is all a me-too. As I said, I would like to see a current, how-it-is-now list, rather than having keys whose replacement's replacements' replacements have been revoked long ago.

>On Sat, 6 Jan 1996 09:47:16 -0000, "Frank O'Dwyer" wrote:
>
>The PGP formats do allow for a 'revocation' certificate, but PGP doesn't
>implement it (yet, I guess). In any case, it's not really strong enough,
>since what it says is "I retract all my previous statements that this key is
>related to this user". This'd mean that you'd have to visit everyone who'd
>ever signed your key and get them to issue this retraction. What would be
>needed for this problem is either an "anti-certificate" ("This key does not
>belong to this user"), or else some convention. For example, if two _trusted_
>keys are found for the same uid, the most recent one could be chosen, and
>the earlier one be purged from keyservers, etc. This may be possible with
>current PGP. I haven't tried it, but since I have some keys which have
>fallen into disuse, I will need to do so sometime.).

I think this is a feature that would be good to have, not necessary for all signatory parties to retract sigs, but certainly for one or more of them to do so. I do think, however, that both should be kept (and not just one cancel another like a current-status model would) and that perhaps the two should default to not being displayed, but certainly PGP explain it as "X revokes signature, contact both parties for explanation" type of thing; let the human be the judge.

Don

PS: This message may be double-signed, don't think it unusual if it is.

- - ---
fRee cRyPTo! jOin the hUnt or BE tHe PrEY
PGP key - http://students.cs.byu.edu/~don or PubKey servers (0x994b8f39)
June 7&14, 1995: 1st amendment repealed. Junk mail to root at 127.0.0.1
* This user insured by the Smith, Wesson, & Zimmermann insurance company *

From alanh at infi.net Sun Jan 7 07:24:35 1996
From: alanh at infi.net (Alan Horowitz)
Date: Sun, 7 Jan 1996 23:24:35 +0800
Subject: NSA says strong crypto to china??
In-Reply-To: <199601071037.EAA00310@proust.suba.com>
Message-ID:

Yeah but if NSA went Cypherpunks, what would be the new PC dogma - the current San Francisco trendlines? If you aren't a Sensitive Guy who'd rather re-read Hillary's speech at the Beijing Women's Conference, than watch the jittering cheerleaders on Monday Night Football - there goes your promotion!

Not to shatter your illusions boys, but there's a school of thought back here East of the Rockies that the whole shebang south of Redding should be written off after the next Big One - no taxpayer dollars spent _at all_. Commit American Imperialist Aggression against Mexico - use gunboat diplomacy to make them take California back. Only hold onto a few selected spots as Possessions. I mean, Vandenberg's on a very convenient spot for launching birds to listen in on the Beijing apparatchiks on the cellphone, running their mistresses in and out of the secret entrances of the Forbidden City faster than the JFK-era Secret Service could have kept up with.

Visit the hospitality room at the next annual convention of the Old Crows Association, if you want to see proof that the electronic-warfare community, like worker-bee military types in general nowadays, comprises LOTS of folks with a rather Libertarian outlook.

Alan Horowitz
alanh at infi.net

From jya at pipeline.com Sun Jan 7 08:21:36 1996
From: jya at pipeline.com (John Young)
Date: Mon, 8 Jan 1996 00:21:36 +0800
Subject: CelBomb
Message-ID: <199601071609.LAA23989@pipe4.nyc.pipeline.com>

The New York Post, Jan 6, 1996. By Uri Dan from Jerusalem

Palestinian police said Ayash [The Engineer] was killed north of Gaza City when he answered a call on a cell phone rigged with two ounces of explosives. Israeli sources said the phone had been secretly traded for Ayash's real phone -- and the explosion was triggered by remote control once it was determined he was on the line.

----------

No brand name given, however, another source writes that Mot runs the IL cel net. So use that neat audio-vox wire on MicroTAC Elites only with paid-up Shin Bet dues, absent TS-immunization.
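
An added example, not part of any message in this archive and not PGP's code or packet format, for the point in Don's message on key expiration above: an expiration date that sits outside any signature can be rewritten by anyone who relays the key, while one inside a block signed by the owner cannot, and the owner can still replace that block without disturbing signatures over the parts that do not change. The certificate layout, the function names and the toy RSA keys are assumptions made for illustration.

```python
"""Toy key certificate: expiry date unsigned vs. inside an owner-signed block.

Textbook RSA over small Mersenne primes keeps this dependency-free. It is NOT
secure and is not PGP's packet format; every name here is hypothetical.
"""
import hashlib
from collections import namedtuple
from datetime import date

Key = namedtuple("Key", "n e d")  # d is the private exponent


def make_key(p, q, e=65537):
    """Build a toy RSA key pair from two primes (illustrative sizes only)."""
    return Key(p * q, e, pow(e, -1, (p - 1) * (q - 1)))


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key, data):
    return pow(_digest(data, key.n), key.d, key.n)


def verify(n, e, data, sig):
    return pow(sig, e, n) == _digest(data, n)


def stable_part(cert):
    """Key material and user ID: the parts that never change.
    Third-party (introducer) signatures cover only this."""
    return f"{cert['n']}:{cert['e']}:{cert['uid']}".encode()


def expiry_part(cert):
    """The replaceable block: bound to this key and ID, signed by the owner."""
    return stable_part(cert) + b"|expires=" + cert["expires"].isoformat().encode()


def issue(owner, uid, expires, introducer):
    cert = {"n": owner.n, "e": owner.e, "uid": uid, "expires": expires}
    cert["intro_sig"] = sign(introducer, stable_part(cert))
    cert["expiry_sig"] = sign(owner, expiry_part(cert))
    return cert


def renew(cert, owner, new_expires):
    """Owner swaps in a new expiry block; the introducer signature is untouched.
    Note that whoever holds the private key can do this, the owner or not."""
    new = dict(cert, expires=new_expires)
    new["expiry_sig"] = sign(owner, expiry_part(new))
    return new


def check(cert, introducer_pub, today, require_signed_expiry=True):
    """Return 'ok', 'expired', or the reason the certificate is rejected."""
    n_i, e_i = introducer_pub
    if not verify(n_i, e_i, stable_part(cert), cert["intro_sig"]):
        return "bad introducer signature"
    if require_signed_expiry and not verify(
        cert["n"], cert["e"], expiry_part(cert), cert["expiry_sig"]
    ):
        return "bad expiry signature"
    return "expired" if today > cert["expires"] else "ok"


def demo():
    owner = make_key(2**61 - 1, 2**89 - 1)        # constructed sample keys
    introducer = make_key(2**107 - 1, 2**127 - 1)
    intro_pub = (introducer.n, introducer.e)
    cert = issue(owner, "Alice <alice@example.org>", date(1997, 1, 1), introducer)
    later = date(1998, 6, 1)
    # Someone without the private key edits the date before relaying the key.
    tampered = dict(cert, expires=date(2010, 1, 1))
    return {
        "original": check(cert, intro_pub, later),
        "tampered_unsigned_model": check(tampered, intro_pub, later,
                                         require_signed_expiry=False),
        "tampered_signed_model": check(tampered, intro_pub, later),
        "renewed_by_owner": check(renew(cert, owner, date(1999, 1, 1)),
                                  intro_pub, later),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```
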

From wlkngowl at unix.asb.com Sun Jan 7 08:34:27 1996
From: wlkngowl at unix.asb.com (Mutatis Mutantdis)
Date: Mon, 8 Jan 1996 00:34:27 +0800
Subject: Revoking Old Lost Keys
Message-ID: <199601070721.CAA03941@UNiX.asb.com>

On Sat, 6 Jan 1996 09:47:16 -0000, "Frank O'Dwyer" wrote:

[..]
>The PGP formats do allow for a 'revocation' certificate, but PGP doesn't
>implement it (yet, I guess). In any case, it's not really strong enough,
>since what it says is "I retract all my previous statements that this key is
>related to this user". This'd mean that you'd have to visit everyone who'd ever
>signed your key and get them to issue this retraction. What would be needed
>for this problem is either an "anti-certificate" ("This key does not belong to this
>user"), or else some convention. For example, if two _trusted_ keys are found for the
>same uid, the most recent one could be chosen, and the earlier one be purged
>from keyservers, etc. This may be possible with current PGP. I haven't tried it,
>but since I have some keys which have fallen into disuse, I will need to do so
>sometime.).

Revocation of signatures is a good thing, but beware of anti-certificates, since one can create a nasty web of affirmations and denials that is unresolvable. (Yes, literally from Logic 101 classes about paradoxes....)

From cp at proust.suba.com Sun Jan 7 08:51:18 1996
From: cp at proust.suba.com (Alex Strasheim)
Date: Mon, 8 Jan 1996 00:51:18 +0800
Subject: "trust management" vs. "certified identity"
In-Reply-To: <199601062232.RAA12812@nsa.tempo.att.com>
Message-ID: <199601071633.KAA00530@proust.suba.com>

> Comments and discussion appreciated.

This is very interesting stuff -- a big improvement, I think.

I have the impression that pm might look a little bit like an sql server. Is that in the ballpark? Feeding pm an assertion might be analogous to giving an sql server a command that defines a table, and a pm query might be similar to an sql command that queries a database.
Whether or not someone (some key) is allowed to change the assertions would be governed by assertions that are already in place. Or are things going to be setup so that a querying application (like a mailer) will feed pm all the information it needs, including assertions, each time a query is made?

Although the name of the paper is "decentralized trust management", it seems to me that the ability to implement centralized trust management schemes would be useful for pm. Centralized trust management has a lot going for it as long as no one's being forced to accept it.

I would expect that in a large organization the rules as well as the identities of the players would change frequently. Someone will decree that level j is no longer sufficient to authorize purchase orders for $5000 or less, level j+1 will be required in the future. One advantage of the sql style server is that an organization's trust manager could implement these changes for lots of work stations centrally, independently of specific applications (ie., changes could affect all mailers).

A particular pm server on a workstation might know about different trust models from different organizations. Someone who reads cypherpunks at work might have a set of assertions that his company's trust manager can modify, a set of assertions about cypherpunks that Eric can modify, and another set of assertions about personal correspondence that only the server's owner can modify. The server's owner could always do anything he wanted -- an assertion that says a specific owner key can do anything would be hardcoded into the system.

Does this make sense?

From tallpaul at pipeline.com Sun Jan 7 09:40:06 1996
From: tallpaul at pipeline.com (tallpaul)
Date: Mon, 8 Jan 1996 01:40:06 +0800
Subject: NSA says strong crypto to China?
Message-ID: <199601071553.KAA18768@pipe3.nyc.pipeline.com>

Logically, it seems the best thing for the NSA to do (given the political character of the group) is to send strong-but-not-that-strong crypto out.

In other words, they would want the various officially-USA recognized "dissidents" (as opposed to officially-USA recognized "terrorists") to have crypto strong enough so that the various defined-as-repressive governments cannot decrypt it while not-strong-enough to prevent NASA from reading it.

--
-- tallpaul -- Any political analysis that fits on a bumper sticker is wrong.

From adam at lighthouse.homeport.org Sun Jan 7 10:36:11 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Mon, 8 Jan 1996 02:36:11 +0800
Subject: Revoking Old Lost Keys
In-Reply-To: <199601070714.CAA02909@UNiX.asb.com>
Message-ID: <199601071814.NAA04825@homeport.org>

Mutatis Mutantdis wrote:

| PGP should give a warning when the key passes the expiration date. It
| should not prevent you from using it, but should remind you that the
| key is rather old, and that the owner may have moved, etc.
|
| Users who want to extend the life of their keys should send special
| certificates (at least once a year or every other year?) that tell
| keyservers and those with copies of their public keys that the key is
| still being used, and to update the expiration time.

Expire should mean expire, i.e., no longer valid, useful or useable. If you want to have a 'depreciated after' and an expire date, that might be useful, but it seems more like feeping creaturitis to me. It adds bulk to every key, when a better solution would be to have keys automatically deprecated some time before they are due to expire.

Also, the ability to extend the life of a key is fraught with danger. The longer a key is around, the more likely it is to become compromised. The user might not be aware that the key is compromised. Better to have an unchangeable date.

(On a more technical level, allowing users to change the expiry date on a key means that the key's expiry date is not signed by the signatories, and an opponent who compromised a key could simply change the expiry date on that key and send it to the servers, so that it would continue to be used, and your opponent could continue to read all your communications.)

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From raph at c2.org Sun Jan 7 11:09:59 1996
From: raph at c2.org (Raph Levien)
Date: Mon, 8 Jan 1996 03:09:59 +0800
Subject: "Re: NSA says strong crypto to china??
In-Reply-To: <199601070941.BAA12858@ammodump.mcom.com>
Message-ID: <199601071847.KAA26014@infinity.c2.org>

The original article in the Independent contained too many factual inaccuracies to take the NSA statement at face value. Further, some of the details resemble an interchange between Carl Ellison and the OSTP. For the details, check out:

http://www.clark.net/pub/cme/html/nist-ske.html

Here's the relevant excerpt:

Sell to Chinese dissidents

In the opening session, Mike Nelson of the OSTP (Office of Science and Technology Policy on the vice president's staff) presented his discussion of the Key Escrow criteria. He was asked who in his right mind would buy a product with a master key escrowed in the U.S., with access by US Law Enforcement. His answer was that a Chinese dissident would be quite happy to have the key escrowed by a US agent, in the US, for US government access -- rather than by a Chinese agent, in China, for Chinese government access.

That's a good plan, Mike. That's a huge market. I'm looking forward to seeing the agreement with the People's Republic under which they allow the importation of such products.

[end excerpt]

My best guess is that we're seeing a distortion of this interchange.
If I were a Chinese dissident, I wouldn't want to use GAK, for three reasons: using US-lackey encryption is certainly not going to get you into any _less_ trouble than using independent encryption, if you used GAK you'd be working as a US spy whether you wanted to be or not, and finally, who says the Chinese can't decrypt it, especially with the rapid growth of television.

Raph

P.S. To those who are surprised that I'm still here - my flight got delayed, and I'm waiting it out on the Net, in true geek style.

From tcmay at got.net Sun Jan 7 11:17:00 1996
From: tcmay at got.net (Timothy C. May)
Date: Mon, 8 Jan 1996 03:17:00 +0800
Subject: "Microsoft.com" added to my KILL file
Message-ID:

At 7:51 AM 1/7/96, Lee Fisher wrote:
>| After getting another batch of bounce messages from Microsoft's
>Postmaster,
>| I have reluctantly decided to filter out all messages from Microsoft.com
>| until they fix this problem with Microsoft Exchange.
>
>I'm not in the Exchange group, not the internal operations group responsible
>for this last error, but I'll try to clarify the two issues raised by this
>thread. (But perhaps this message was pointless, as the folks I'm attempting
>to explain to have already this filtered out by their KILL file?)

I'm reading this, obviously.

I use Eudora Pro, a mail program, to filter messages into various mailboxes, based on key words in the headers. Rather than immediately trashing messages I wish to filter out, I put them into a mailbox I've labelled "Kill File." It is, however, just another Eudora mailbox, and doesn't get emptied unless I explicitly transfer the files into the "Trash" folder. (And to confuse non-Eudora users further, even my Trash folder does not get emptied unless and until I explicitly say "Empty Trash," as I have things configured.)

This allows me, when I am bored, to see what stuff has floated into my Kill File mailbox, and sometimes to even respond.

My point about filtering out all Microsoft.com addresses was really to make the point that Microsoft needs to understand--as they seem to be doing, vis-a-vis their new Internet strategy--that if they want their mail to be read outside of Microsoft, then they have to conform to certain emergent standards.

...
>messages are from MSMail and Exchange clients. And while I expect that there
>are some things that our MS Mail and Exchange groups could have done better
>to introduce support for more than just ASCII messages, there is also some
>user education needed (that some forums -- such as mailing lists and
>newsgroups) often aren't the right place to post non-ASCII text like MIME
>attachments and older winmail.dat files.

This is a battle I've been fighting for roughly the past year. When I get a blank message from someone saying only "attachment converted," I add that username to my kill file.

My feeling is that a mailing list with 1000+ subscribers, or even one with far fewer, is a terrible place to send non-ASCII messages. Readers will be using VT-100s on campus networks, old Amiga 1000s, EMACs, Suns, Macs, IBM PCs, Windows, and all sorts of configurations to read mail, and there is almost no chance that all or even most of these will be brought up to the latest MIME standards.

Plain ASCII, such as 98% of this list has been for the past several years, is the lingua franca, the lowest common denominator (see, some number theory relevance for you purists!) of the Net. There has been little compelling need for embedded spreadsheets and embedded graphics. And as for attachments, such as attaching programs for running on a machine, mailing list messages are a very poor way to distribute such programs, for many reasons.

(Sure, a chicken-egg situation. But most of what people have to say in chat groups, in Usenet groups, and on mailing lists is of a primarily _prose_ nature...few of us would be willing to prepare line drawings, graphs, spreadsheets, etc., for casual posts.
My hunch is that if a fully graphics-supportive mailing list were to emerge, most people would not generate _new_ graphics for each post (such as graphs to make a point) but would simply clutter up their posts with cutesy logos, pictures of their cats, etc.).)

--Tim May

We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From alano at teleport.com Sun Jan 7 11:49:15 1996
From: alano at teleport.com (Alan Olsen)
Date: Mon, 8 Jan 1996 03:49:15 +0800
Subject: "Re: NSA says strong crypto to china??
Message-ID: <2.2.32.19960107193222.009566d0@mail.teleport.com>

At 10:47 AM 1/7/96 -0800, Raph wrote:
>
> My best guess is that we're seeing a distortion of this
>interchange. If I were a Chinese dissident, I wouldn't want to use
>GAK, for three reasons: using US-lackey encryption is certainly not
>going to get you into any _less_ trouble than using independent
>encryption, if you used GAK you'd be working as a US spy whether you
>wanted to be or not, and finally, who says the Chinese can't decrypt
>it, especially with the rapid growth of television.

I can also think of another good reason that no dissident in their right mind would want to use US escrowed GAK. How many times have individuals been sold out for some "greater good". I can just imagine some dissident getting sold out as the result of some mega-trade deal or the like. (And I am sure that they can too...)

Why does this news report sound more like someone trying to sell GAK to the US public and not "Chinese dissidents"?

>
>Raph
>
>P.S.
To those who are surprised that I'm still here - my flight got
>delayed, and I'm waiting it out on the Net, in true geek style.
>
>

Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key
http://www.teleport.com/~alano/
"Governments are potholes on the Information Superhighway." - Not TCMay

From jimbell at pacifier.com Sun Jan 7 11:54:47 1996
From: jimbell at pacifier.com (jim bell)
Date: Mon, 8 Jan 1996 03:54:47 +0800
Subject: phone calls from hell
Message-ID:

At 01:15 PM 1/7/96 -0500, you wrote:

>SNS News Service "Exploding Phone"
>January 7, 1996..15 Teves 5756..Number 850..Update from Israel
>It is now being reported that the cellular phone that killed him was
>detonated by a remote control. The son of Ayyash's landlord, identified
>as Ikrimeh Hamad, was expected to have handed Ayyash the phone
>earlier in the day. Some reports state that his whereabouts are
>unknown but other reports stated that he is now hiding-out in Israel.
>>>27 Heathway Court * London England * NW3 7TS * 44-181-458-6510
>Fax: 44-181-455-8701
> Copyright, Shomron News Service, 1996
>
>***
>
>Comment by bd:
>
>I suppose this phone was prepared especially for Ayyash, but the
>imagination wanders. Imagine a world in which *every* cellphone
>(or other net-connected computer or ....) had a little explosive built
>in. For that matter, the case itself could be constructed of a plastic
>explosive.
>
>Sure would make it easy to get rid of unwanted citizens.
>Just match the voice pattern on the cellphone or confirm the password
>issuing from the computer, send the special signal down the line and
>*BOOM*, one less nuisance for the state.

Sorta gives new meaning to the term "_Terminate_ and Stay Resident" program, doesn't it?!?

(Or "end of file.")

From jis at mit.edu Sun Jan 7 11:58:58 1996
From: jis at mit.edu (Jeffrey I.
Schiller)
Date: Mon, 8 Jan 1996 03:58:58 +0800
Subject: New PGPfone Beta Test Available (1.0b5) Still Mac only
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

MIT is now distributing a new beta test version of PGPfone. This version (1.0b5) is not compatible with the previous version (1.0b4) and may not be compatible with the final 1.0 release.

This version supports Macintoshes with half-duplex hardware. It also supports secure voice communication over the Internet (the "Internet" button that had been grayed out in earlier versions is now active).

PGPfone is being distributed both via anonymous FTP and via the World Wide Web (WWW). The WWW retrieval path is preferred because it is much easier to use.

U.S. and Canadian FTP users should retrieve the file /pub/PGPfone/README via anonymous FTP from net-dist.mit.edu. It explains how to obtain the PGPfone release via FTP. Note: The old release is still located on the FTP site. The new version is named "PGPfone10b5.sea.Hqx."

Web users should visit the PGPfone home page located at:

"http://web.mit.edu/network/pgpfone/"

In addition to general information and information on getting PGPfone, the home page also contains a link to the PGPfone HTML on-line manual. The manual can also be found directly at:

"http://web.mit.edu/network/pgpfone/manual/".

THE WINDOWS '95 VERSION IS EXPECTED TO BE AVAILABLE WITHIN THREE WEEKS. However schedules can and do often change. Please DO NOT send me e-mail requesting information on release scheduling.

I will also be releasing shortly the SOURCE CODE to this beta test version. We (the PGPfone development team and myself) do not recommend that people attempt to compile this source (unless you are a real wizard). YOU SHOULD NOT ATTEMPT TO DO PGPFONE PORTS TO OTHER PLATFORMS with this code. I say this because this is still a beta test version and things are likely to still change significantly. If you port this source code, you may be wasting your time!
However I doubt that the basic structure of the code will change, so you can get an idea of how it works and how much effort a port would require.

NOTE: The FTP PGP/PGPfone distribution site has recently been updated with a list of many more "known to be in the U.S. or Canada" domain names. If you are a U.S. or Canadian user and you cannot get access to the PGPfone distribution it is either because your domain name is not known to us to be located in the U.S. or Canada *or* we could not determine your host's domain name given its Internet address.

IF YOU CANNOT GET PGPFONE FROM US try to get it from somewhere else. I cannot afford the time to e-mail people personal copies at this time. We are working on alternative technology for the FTP/WWW distribution site so that the number of bad denials (i.e., not letting people in the U.S. or Canada get in) is reduced.

Bugs and Questions should be directed to pgpfone-bugs at mit.edu.

-Jeff

From merriman at arn.net Sun Jan 7 12:06:45 1996
From: merriman at arn.net (David K. Merriman)
Date: Mon, 8 Jan 1996 04:06:45 +0800
Subject: phone calls from hell
Message-ID: <2.2.32.19960107075136.006895e4@arn.net>

-----BEGIN PGP SIGNED MESSAGE-----

At 11:16 AM 01/7/96 -0800, you wrote:
>At 01:15 PM 1/7/96 -0500, you wrote:
>
>>SNS News Service "Exploding Phone"
>>January 7, 1996..15 Teves 5756..Number 850..Update from Israel
>>It is now being reported that the cellular phone that killed him was
>>detonated by a remote control. The son of Ayyash's landlord, identified
>>as Ikrimeh Hamad, was expected to have handed Ayyash the phone
>>earlier in the day.
Some reports state that his whereabouts are
>>unknown but other reports stated that he is now hiding-out in Israel.
>>>>27 Heathway Court * London England * NW3 7TS * 44-181-458-6510
>>Fax: 44-181-455-8701
>> Copyright, Shomron News Service, 1996
>>
>>***
>>
>>Comment by bd:
>>
>>I suppose this phone was prepared especially for Ayyash, but the
>>imagination wanders. Imagine a world in which *every* cellphone
>>(or other net-connected computer or ....) had a little explosive built
>>in. For that matter, the case itself could be constructed of a plastic
>>explosive.
>>
>>Sure would make it easy to get rid of unwanted citizens.
>>Just match the voice pattern on the cellphone or confirm the password
>>issuing from the computer, send the special signal down the line and
>>*BOOM*, one less nuisance for the state.
>
>
>Sorta gives new meaning to the term "_Terminate_ and Stay Resident" program, doesn't it?!?
>
>(Or "end of file.")
>

Wrong number? Nuisance Call? Termination of Service?

-------------------------------------------------------------
"It is not the function of our Government to keep the citizen from falling into error; it is the function of the citizen to keep the Government from falling into error."
Robert H. Jackson (1892-1954), U.S. Judge
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
My web page: http://www.geopages.com/CapitolHill/1148

From mrm at netcom.com Sun Jan 7 12:26:53 1996
From: mrm at netcom.com (Marianne Mueller)
Date: Mon, 8 Jan 1996 04:26:53 +0800
Subject: Jan 13 CA bay area meeting - time
Message-ID: <199601072004.MAA27310@netcom20.netcom.com>

Sorry! I forgot to mention that the meeting is held from 12 noon to 6 p.m.

Date: Saturday January 13
Time: 12 noon - 6 p.m.
Location: Building 21, Sparcy's cafeteria, Sun Microsystems
Agenda: YOUR NAME HERE! (hint hint)
Food: Bagels provided. Feel free to bring lunch to munch.

Directions: Take 101 to Amphitheater Parkway. At the end of the exit ramp, turn left at the light onto Charleston. (This street is also known as Garcia.) After about 1/3 mile, turn right onto the side street. This will be the first city side street on your right, as you drive down Charleston/Garcia. In about 2 or 3 blocks, you'll see purple signs for Building 21 of Sun.

If anyone driving down from SF or Berkeley can pick up Ian at the SF airport that would be way groovy.

Marianne
mrm at netcom.com
mrm at eng.sun.com

From Alan.Pugh at internetMCI.COM Sun Jan 7 12:36:55 1996
From: Alan.Pugh at internetMCI.COM (amp)
Date: Mon, 8 Jan 1996 04:36:55 +0800
Subject: PGP 3.0
Message-ID: <01HZQF02DX5U95Q5Q6@MAIL-CLUSTER.PCY.MCI.NET>

-- [ From: amp * EMC.Ver #2.3 ] --

-----BEGIN PGP SIGNED MESSAGE-----

Hello all,

I've seen a couple of messages here about possibilities of what might be in pgp 3.0. I am in agreement that keys should be expirable. I produce new keys once a year anyway. This is probably excessive given my probable threat models, but I think it lends itself well to having a sort of time-stamp on documents. Given that it is true that I could keep a copy of my unrevoked key after I've formally revoked it, I still think that it is beneficial to have signed documents produced over time bear keys that are time-bound at least as far as the way I use pgp.

The main point of this post was really to ask if there is a page or rfc somewhere that describes what is expected to be in pgp 3.0. Is there a particular reason that this to-be-released-with-source program is shrouded in what appears to be secrecy? As usual, I'm confused. It would help me greatly if I were able to give people an idea of the added capabilities pgp will possess whenever it is finally released.
This isn't a flame as I'd like to see it done right the first time rather than have it released then see 4 or 5 different bug fixes quickly come out that confuse the issue during its introduction. I found the FUD surrounding 2.6.x to be hard to overcome with some people. Heck, I found a copy of pkz204e the other day on a pc in my office. The FUD surrounding this product was pretty great if y'all recall.

I give talks occasionally about my company's internet offerings for business. It would be nice to be able to speak of the future of crypto with pgp with a bit more certainty.

Thanks for your time and consideration,

amp
<0003701548 at mcimail.com> (since 10/31/88)
PGP Key = 57957C9D
PGP FP = FA 02 84 7D 82 57 78 E4 E2 1C 7B 88 62 A6 F9 F7
January 7, 1996 15:12

From jya at pipeline.com Sun Jan 7 12:58:18 1996
From: jya at pipeline.com (John Young)
Date: Mon, 8 Jan 1996 04:58:18 +0800
Subject: Toad Hop
Message-ID: <199601072043.PAA14996@pipe4.nyc.pipeline.com>

[Before it is publicized, KM describes for Littman the Christmas 1994 attack on Shimomura's systems as a "TCP/IP prediction packet attack." (. . .) below are by Littman.]

Three days later, on January 23, Shimomura will describe the attack in a widely distributed public Internet post. IP source address spoofing and TCP/IP sequence number prediction are the technical terms Shimomura uses to describe it, much like Mitnick's description. But his analysis is extremely technical, and even some UNIX security experts find it tough going.

That same day, about 2 P.M., CERT will blast out an advisory to its international mailing list of 12,000 Internet sites in the United States, Germany, Australia, the United Kingdom, Japan, and other countries. The vaguely worded report is much less specific than Mitnick's one-minute explanation on the telephone. Most likely, CERT is trying to provide enough detail so Internet sites can protect themselves against future attacks without providing so much detail that it could encourage copycat attacks.

On one level, the hack is simple, a clever strike at a basic weakness of the Internet. Computers on the Internet are often programmed to trust other computers. The Internet was created to share information, and the attack on Shimomura, just like the Robert Morris Internet Worm attack seven years before, exploits that trust.

The Internet has its own way of sending e-mail or files. Messages or files are split into smaller digital chunks or packets, each with its own envelope and address. When each message is sent, it's like a flock of birds that migrates to a planned location and reunites as a flock at the destination. Computers on the Internet often act like great flocks of birds that trust one another too. And all it takes is one enemy bird to infiltrate the flock.

. . .

On Christmas Day 1994 the attack begins. First, the intruder breaks into a California Internet site that bears the cryptic name toad.com. Working from this machine, the intruder issues seven commands to see who's logged on to Shimomura's workstation, and if he's sharing files with other machines. Finger is one of the common UNIX commands the intruder uses to probe Shimomura's machine. As a security professional Shimomura should have disabled the feature. Finger is so commonly used by hackers to begin attacks that 75 percent of Internet sites, or about 15 million of the more than 20 million Internet users, block its function to increase security.
The intruder's making judgment calls on the fly about which commands will help him uncover which machines Shimomura's workstation might trust. He works fast. In six minutes he deduces the pattern of trust between Shimomura's UNIX workstation and an unknown Internet server.

Then the automatic spoofing attack begins. It will all be over in sixteen seconds. The prediction packet attack program fires off a flurry of packets to busy out the trusted Internet server so it can't respond. Next, the program sends twenty more packets to Shimomura's UNIX workstation.

The program is looking for a pattern in the initial sequence numbers -- the numbers used to acknowledge receipt of data during communications. The program deciphers the returned packets by subtracting each sequence number from the previous one. It notes that each new initial sequence number has grown by exactly 128,000. The program has unlocked the sequence number key.

Shimomura's machine has to be idle for the attack to succeed. New Internet connections would change the initial sequence number and make it more difficult to predict the key. That's why the hacker attacks on Christmas Day.

The attack program sends packets that appear to be coming from the trusted machine. The packet's return or source address is the trusted machine's Internet address. Shimomura's workstation sends a packet back to the trusted machine with its initial sequence number. But flooded by the earlier flurry of packets, the trusted server is still trying to handle the earlier traffic. It's tangled up.

Taking advantage of the gagged server, the attacking program sends a fake acknowledgment. It looks real because it's got the source address of the trusted server, and the correct initial sequence number. Shimomura's workstation is duped. It believes it's communicating with a trusted server.

Now the attacking program tells Shimomura's obedient workstation to trust everyone.
It issues the simple UNIX "Echo" command to instruct Shimomura's workstation to trust the entire Internet. At that point, Shimomura's personal and government files are open game to the world.

It's more than a humiliating blow to the security expert. By making Shimomura's machine accessible from any Internet site, the intruder has masked his own location. He can return from anywhere.

The hacker can't believe his good luck. The attack is only successful because Shimomura has not disabled the "R" commands, three basic commands that allow users to remotely log-in or execute programs without a password. Tens of thousands of security-conscious Internet sites, representing well over a million users, routinely block access to the R commands to avoid its well publicized abuse by hackers. It takes a few keystrokes and about thirty seconds to shut off the R commands on an Internet server. You don't even have to turn off the machine.

Why didn't Shimomura do it?

. . .

Mitnick laughs. "He's [Shimomura's] not happy. I have nothing to do with it. I'm just telling you what I hear through the grapevine."

[Littman] "Who do you think might have done it?" I ask the likely suspect. "How did he figure it out himself?"

"He [Shimomura] realized that somebody had edited his wrapper log, which shows incoming connections. Somebody actually modified those logs, and then he was able to reconstruct what happened through these logs that were mailed to another site unbeknownst to the intruder."

Mitnick's actually telling me the evidence Shimomura collected to figure out the attack. The wrapper is supposed to control connections to Shimomura's server and log all connection attempts. It failed to protect Shimomura but still it logged the hacker's spoofed connection, and a copy of the log was e-mailed off-site.

"So you were asking me if there's a secure e-mail site?" Mitnick continues, his voice suddenly hard. "My answer is no.
This guy in my estimation is the brightest in security on the whole Internet. He blows people like Neil Clift away. I have a lot of respect for this guy. 'Cuz I know a lot about him. He doesn't know anything about me, hopefully, but he's good.

"On the Internet, he's one of the best in the world."

[pp. 222-25]

-----

[KM] "I don't know what his motive is. I don't know the man at all. Alls I know is he's very technical and he's very good at what he does. He's in the top five."

[JL] "What makes Shimomura so good?"

[M] "When someone penetrates his system he knows what to look for. When you compile a program, it uses external files and libraries. This is the type of guy that would look at the access times of the files to try to figure out what type of program somebody was compiling. The guy's sharp."

On UNIX systems it's possible to tell the last time a file was read. Mitnick's guessing that Shimomura could determine the type of application that was compiled (converted into the computer's most basic machine language) by examining the date stamps in certain system directories. He's also acknowledging he knows that the intruder compiled a program while he was on Shimomura's machine. Once again, Kevin Mitnick seems to have an amazing amount of detail on how Shimomura analyzes an attack.

[M] "He's just very good at -- well, he's a spook. What do you expect? This is only what I hear in the grapevine."

...

[L] "But does the grapevine say he's primarily a spook?"

[M] "Unknown. He's good in security and he consults with companies like Trusted Information Systems, the people that develop Internet fire walls, and a lot of people in D.C. and the Virginia area."

Trusted Information -- the name strikes a bell. Markoff quoted someone from Trusted Information in his front-page "Data Threat" article.

[L] "Where is Trusted Information?"

[M] "Oh, in Maryland, 301 area code. Baltimore, I believe."

[L] "What are some of the Virginia companies Shimomura works with?"
[M] "I just have the phone numbers," Mitnick reveals casually. "I haven't called them yet to see."

[pp. 252-53]

-----

Why not ask John Markoff about the real reason he called me twice this morning? So I ask him about the Shimomura Newsweek story, and the odd reference to cellular phones. He comes back with a stunning revelation.

"Somebody hit a different Tsutomu machine last summer and the NSA was pissed," Markoff tells me. "They freaked out. There's no question about it."

Why didn't he mention this in his New York Times stories? Why create the false appearance Shimomura was first hacked Christmas Day?

"But it was a different machine?" I ask.

"Am I being interviewed here?"

It strikes me as an odd question. Markoff was the one who called me twice in the space of an hour. Who's interviewing whom?

"Let's get on the same wavelength," Markoff suggests. "I'm glad to share this stuff with you, but I want to know where it's going to show up. 'Cuz I'm pretty close to Shimo and it's an issue for me."

Before I can respond, he starts talking about Shimomura again. "I wrote that profile of Tsutomu because after I mentioned him in the bottom of my story ["Data Threat"] I basically outed him and a million reporters were all over him."

"He wasn't happy about that?"

"No, Tsutomu loves it," Markoff says. "He's playing his own games.

"I'll tell you it's unclear what was taken [referring to the Christmas hack], and point two, I can send you a public posting by an Air Force information warfare guy who described what was taken and their assessment of the damage.

"And there are lots of little snips of code that a brilliant hacker could probably use. But Tsutomu's mind works in very cryptic ways. It's not clear that without Tsutomu you're going to be able to do anything with it.

"Now in this break-in I don't actually think a lot of stuff was taken."

This break-in? Just how many times was Shimomura hacked before Christmas? But I ask a different question.

"Why would an Air Force guy post something?"

"Oh, Tsutomu," Markoff casually replies. "He produced a lot of software for the Air Force."

"Where would he post this?"

"Oh, to a mailing list. A lot of people were concerned about what was taken from his [Shimomura's] machine. What they [the hacker] got was a lot of his electronic mail. Some of it's kind of embarrassing. [But] I don't think people are going to find new ways to attack the network based on this particular attack.

"There is another issue," Markoff cautions in a serious tone. "Tsutomu is a very sharp guy, and it is not impossible that that was a bait machine, which is why I stayed away from the issue."

Is Markoff implying Shimomura, a rumored NSA spy, laid a trap? And what about Markoff's New York Times articles? Were they part of the trap, too?

"Think about it for a second," Markoff pauses dramatically. "And you get into this wilderness-of-mirrors kind of world. And a lot of people that are writing don't know everything, and I don't know everything.

"I've been protecting him [Shimomura] for five years. I get the profile and the [Wall Street] Journal is on him. They don't know how close he is to the military. It would make perfect sense. Who knows what's on the code? The guy is in the counterintelligence business."

[pp. 258-60]

From alano at teleport.com Sun Jan 7 13:20:37 1996
From: alano at teleport.com (Alan Olsen)
Date: Mon, 8 Jan 1996 05:20:37 +0800
Subject: "trust management" vs. "certified identity"
Message-ID: <2.2.32.19960107210215.00960a68@mail.teleport.com>

At 12:00 PM 1/7/96 -0800, you wrote:

>We already operate largely in a "web of trust" model world.
>
>Here's a pertinent example. I've met perhaps 100 people from this list,
>over the last several years. Not a single one--not even one--have I ever
>seen any "proofs of identity" for. Did I say "Not a single one"?

How many people ask for "proof of Identity" from their friends? Not very many, I can bet... (Maybe the excessively paranoid.)
>I deal with them as "persistent personas," with either their physical
>appearances (biometric security) or their writing styles/e-mail addresses
>providing the continuity of their persistent persona.

Things like this can complicate depending on your social circles. For those involved in the SCA (Society for Creative Anacrnyms) or Science Fiction conventions people may or may not go under a host of names. You may or may not know their "true" name. There are people who I have known for many years who are good friends and yet I do not know their "real" name. (And I am not really concerned about not knowing that name.) Some people I know by multiple names. (Makes conversations interesting when the nyms change every few sentences...) What matters is the continuity of the individual, not what nym they happen to be using at any given point. (The net makes this a lot more complex though, as you usually do not have visual contact with the people you are responding to... Individuals are harder to forge than e-mail.)

The criteria I use as to whether I can "trust" a source is based on a number of factors. Have they given reliable information in the past? Does the information correlate with other information from reliable sources? Does their attitude get in the way of the information provided? (Sometimes it takes heavy filters to discern fact from opinion or just a pissy attitude...) What gains my respect is similar, but also based on their general attitude and how they treat people. (Of course there is no cert mechanism for a "web of respect".)

[examples clipped]

>Frankly, the notion that a central government would issue proofs of
>trustability, via identity cards and the like, is a modern invention.

I find the idea that a little card "proves" my identity a bizarre form of mysticism. (Especially when that "proof" can suddenly expire or be revoked by the whims of the State.)
>(The message of Vinge's "True Names" was partly ironic, that one's True
>Name is important primarily in allowing tagging by the government.

As has been said before, one of the main reasons for the Government's (and others) desire for "true names" is so those that offend them can be punished.

>Ordinary
>people rarely need True Names. As I said, I've never checked the supposed
>True Names of those I deal with. Nor have most of you, I strongly suspect.
>In fact, given the way credentials can be so easily forged, I wouldn't
>trust a driver's license or even a passport. And given the government's
>ability and demonstrated willingness to generate false
>documentation--60,000 new identities in the Witness Security Program, plus
>all the spies, narcs, etc.--I even more surely don't care what official
>identification supposedly proves.)

Government paperwork proves that "they" know who you are and have some sort of hooks into your persona. (taxation, legal, and/or otherwise.) This is, of course, if it is "real" identification and not forged by a competing interest.

>I don't want official proof of my identity. If others want it, let them
>make their own arrangements.
>
>"Papieren, bitte! Macht schnell!"

"I don't have any papers. All I got is a pipe!"

| Remember: Life is not always champagne. Sometimes it is REAL pain. |
|"The moral PGP Diffie taught Zimmerman unites all| Disclaimer: |
| mankind free in one-key-steganography-privacy!" | Ignore the man |
|`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.|
| http://www.teleport.com/~alano/ | alano at teleport.com |

From zinc at zifi.genetics.utah.edu Sun Jan 7 13:27:24 1996
From: zinc at zifi.genetics.utah.edu (zinc)
Date: Mon, 8 Jan 1996 05:27:24 +0800
Subject: NSA says strong crypto to china??
In-Reply-To:
Message-ID:

On Sun, 7 Jan 1996, Timothy C. May wrote:

> Date: Sun, 7 Jan 1996 11:43:40 -0800
> From: Timothy C. May
> To: cypherpunks at toad.com
> Subject: Re: NSA says strong crypto to china??
>
> At 10:37 AM 1/7/96, Alex Strasheim wrote:
>
> By the way, this is related to why I think you folks should all be
> supporting the "flat tax" and similar proposals. (Especially the proposal
> to end the double taxation of corporate income: tax the company and not the
> individual shareholders, or vice versa, but don't first tax the income to
> the corporation and then tax the distributed income/dividends/capital gains
> again.)

you think that's a bit ridiculous? i'm paid via an NIH grant given to my advisor by the govt. this stipend is taxed. it didn't used to be (started to be taxed around '86 i believe).

why the hell doesn't the govt just save everyone the trouble and pay me less. i'm sure they could get rid of a couple of IRS people this way.

-pjf

patrick finerty = zinc at zifi.genetics.utah.edu = pfinerty at nyx.cs.du.edu
U of Utah biochem grad student in the Bass lab - zinc fingers + dsRNA!
** FINGER zinc-pgp at zifi.genetics.utah.edu for pgp public key - CRYPTO!
zifi runs LINUX 1.2.13 -=-=-=WEB=-=-=-> http://zifi.genetics.utah.edu

From tcmay at got.net Sun Jan 7 13:45:00 1996
From: tcmay at got.net (Timothy C. May)
Date: Mon, 8 Jan 1996 05:45:00 +0800
Subject: "Re: NSA says strong crypto to china??
Message-ID:

At 7:32 PM 1/7/96, Alan Olsen wrote:

>I can also think of another good reason that no dissident in their right
>mind would want to use US escrowed GAK. How many times have individuals
>been sold out for some "greater good". I can just imagine some dissident
>getting sold out as the result of some mega-trade deal or the like. (And I
>am sure that they can too...)

As when the Cossacks who fled the U.S.S.R. after the war and pledged to help the West fight Communism were returned by the British to Stalin, where they were executed. (I was reminded of this by the latest Bond movie, where Bond avers, "Not exactly Britain's finest moment.")

Had they been using Brit-GAK, then even more of them could've been rounded up by the Brits and sent packing.
>Why does this news report sound more like someone trying to sell GAK to the
>US public and not "Chinese dissidents?

Was Noriega our friend or our enemy, and when? If his followers were using the U.S. as their friendly keyholder, how would this have played out when the U.S. government decided to switch sides? When governments change, the U.S. often switches sides as well. The U.S. holding the keys of dissidents will not fly.

The notion that the U.S. will become the GAK-holder for the world's dissidents is too absurd to waste more time on.

--Tim May

We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From cp at proust.suba.com Sun Jan 7 13:46:26 1996
From: cp at proust.suba.com (Alex Strasheim)
Date: Mon, 8 Jan 1996 05:46:26 +0800
Subject: NSA says strong crypto to China?
In-Reply-To: <199601071553.KAA18768@pipe3.nyc.pipeline.com>
Message-ID: <199601072123.PAA00769@proust.suba.com>

> Logically, it seems the best thing for the NSA to do (given the political
> character of the group) is to send strong-but-not-that-strong crypto out.

I know I'm out of step with most of you on this point, and it could very well be that I'm incredibly naive. But I don't necessarily look at the NSA as an enemy. Right now we're on opposite sides of an important issue, and I think they're doing a lot of damage. But I tend to think that they believe what they're doing is in the national interest. They're trying to defend democracy -- our democracy, at least.

Right now we're in a position to impose the first amendment on the entire world.
Not through a political process or a military attack, but rather with anarchy. (Anarchy as Tim has described it.)

That's what this list is all about: we're trying to impose certain civil liberties on the world using a strategy that's based on anarchy theory. That theory tells us that if we can distribute tools and establish standards we'll secure privacy and free speech rights regardless of what governments do. That's a very startling idea, and I believe it's sound. I believe that it's possible to impose the first amendment on the entire world by distributing crypto software.

So the question we ought to be putting to the NSA is this: isn't it in the best interest of the United States and the other capitalist Western democracies to impose the first amendment on the rest of the world? I don't see how anyone could argue that it isn't.

Look at who our adversaries are in the world today. North Korea, Iraq, etc. Would any of those regimes be able to survive if their citizens were able to safely critique their governments publicly? Is there any country in the world we can't get along with that allows ideas to flow freely?

What are we giving up if we do this? Does anyone believe that strong crypto is beyond the reach of anyone who really wants or needs it? Will terrorists not have access to secure communications because our government won't let Netscape sell them an ssl web server? It's an absurd argument.

I don't think the NSA is out to suppress our liberties. They're trying to protect the nation. Their problem is that they're operating under an old, obsolete paradigm. They're fighting for something that's simply not achievable: crypto is out of the box, and no one's going to put it back. Once you accept that fact -- and it is a fact -- you have to start formulating tactics based on reality as it exists now.

Right now the NSA is trying to push us into sacrificing our liberty and privacy to an unwinnable cause.
If they succeed (and I don't think they will), they will have done something terribly destructive in this country and we will have missed an extraordinary opportunity to effect substantive political change in the world at large. They are wrong and they are dangerous. But it is a mistake to think of them as evil, as people who will tell any lie to get what they want.

I don't expect the NSA to adopt the cypherpunk world view. But it's too bad, because they'd do an awful lot of good all over the world if they did. Totalitarianism depends upon censorship and control over the mass media. If the NSA turned on a dime today, they could eliminate the possibility of totalitarianism within the year. Cypherpunks write code -- think of what the NSA could do.

From ngps at cbn.com.sg Mon Jan 8 05:49:26 1996
From: ngps at cbn.com.sg (Ng Pheng Siong)
Date: Mon, 8 Jan 96 05:49:26 PST
Subject: Toad Hop
In-Reply-To: <199601072043.PAA14996@pipe4.nyc.pipeline.com>
Message-ID:

On Sun, 7 Jan 1996, John Young wrote:

> Quoting some body:
> On Christmas Day 1994 the attack begins.
>
> First, the intruder breaks into a California Internet site
> that bears the cryptic name toad.com. Working from this
> machine, the intruder issues seven commands to see who's
> logged on to Shimomura's workstation, and if he's sharing
> files with other machines.

From Shimomura's mail last January:

: The IP spoofing attack started at about 14:09:32 PST on 12/25/94. The first
: probes were from toad.com (this info derived from packet logs):
:
: 14:09:32 toad.com# finger -l @target
: 14:10:21 toad.com# finger -l @server
: 14:10:50 toad.com# finger -l root at server
: 14:11:07 toad.com# finger -l @x-terminal
: 14:11:38 toad.com# showmount -e x-terminal
: 14:11:49 toad.com# rpcinfo -p x-terminal
: 14:12:05 toad.com# finger -l root at x-terminal

> Then the automatic spoofing attack begins. It will all be
> over in sixteen seconds. The prediction packet attack
> program fires off a flurry of packets to busy out the
> trusted Internet server so it can't respond. Next, the
> program sends twenty more packets to Shimomura's UNIX
> workstation.

Again, quoting Shimomura's mail:

: About six minutes later, we see a flurry of TCP SYNs (initial connection
: requests) from 130.92.6.97 to port 513 (login) on server...
: 130.92.6.97 appears to be a random (forged) unused address (one that will
: not generate any response to packets sent to it)...

Given that this was a _spoofing_ attack, mayhaps the packets from toad.com were also forgeries. Anyone in the know?

- PS
--
Ng Pheng Siong NetCentre Pte Ltd * Singapore
Finger for PGP key.

From WlkngOwl at UNiX.asb.com Sun Jan 7 13:54:51 1996
From: WlkngOwl at UNiX.asb.com (Deranged Mutant)
Date: Mon, 8 Jan 1996 05:54:51 +0800
Subject: Revoking Old Lost Keys
Message-ID: <199601072144.QAA06839@UNiX.asb.com>

Adam Shostack wrote:

I wrote:
> | PGP should give a warning when the key passes the expiration date. It
> | should not prevent you from using it, but should remind you that the
> | key is rather old, and that the owner may have moved, etc.
[..]
> Expire should mean expire, i.e., no longer valid, useful or
> useable. If you want to have a 'depreciated after' and an expire
> date, that might be useful, but it seems more like feeping creaturitis
> to me. It adds bulk to every key, when a better solution would be to
> have keys automatically deprecated some time before they are due to
> expire.

The reason I think a warning option is good (really, 1 bit bit flag for warn rather than kill... that's "bulk" to every key?) is so that if for whatever reason the key is used (say I am unable to get a newer key for you but really need to send you a private message) I have something to use... and you, if you choose to hold onto old keys, can decrypt it. If not, the sender was warned.

> Also, the ability to extend the life of a key is fraught with
> danger. The longer a key is around, the more likely it is to become
> compromised. The user might not be aware that the key is compromised.
> Better to have an unchangeable date. (On a more technical level,
> allowing users to change the expiry date on a key means that the key's
> expiry date is not signed by the signatories, and an opponent who
> compromised a key could simply change the expiry date on that key and
> send it to the servers, so that it would continue to be used, and your
> opponent could continue to read all your communications.)
>
> Adam
>
> --
> "It is seldom that liberty of any kind is lost all at once."
> -Hume
>
>
>
---
"Mutant" Rob

Send a blank message with the subject "send pgp-key" (not in quotes) for a copy of my PGP key.

From adam at lighthouse.homeport.org Sun Jan 7 14:11:37 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Mon, 8 Jan 1996 06:11:37 +0800
Subject: Revoking Old Lost Keys
In-Reply-To: <199601072144.QAA06839@UNiX.asb.com>
Message-ID: <199601072153.QAA11487@homeport.org>

I was thinking of two dates, an expire and a warn. Admittedly, adding a few bytes to a key is not a big deal, but neither is the gain from a warn and expire date. If you want to be able to set a bit for 'use after expire,' I would see that as a reasonable thing.

Adam

Deranged Mutant wrote:
| Adam Shostack wrote:
|
| DM wrote:
|
| > | PGP should give a warning when the key passes the expiration date. It
| > | should not prevent you from using it, but should remind you that the
| > | key is rather old, and that the owner may have moved, etc.
| [..]
| > Expire should mean expire, i.e., no longer valid, useful or
| > useable. If you want to have a 'depreciated after' and an expire
| > date, that might be useful, but it seems more like feeping creaturitis
| > to me. It adds bulk to every key, when a better solution would be to
| > have keys automatically deprecated some time before they are due to
| > expire.
|
| The reason I think a warning option is good (really, 1 bit bit flag
| for warn rather than kill... that's "bulk" to every key?) is so that
| if for whatever reason the key is used (say I am unable to get a
| newer key for you but really need to send you a private message) I
| have something to use... and you, if you choose to hold onto old
| keys, can decrypt it. If not, the sender was warned.

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From jc123 at arn.net Sun Jan 7 14:14:17 1996
From: jc123 at arn.net (jc123 at arn.net)
Date: Mon, 8 Jan 1996 06:14:17 +0800
Subject: No Subject
Message-ID: <199601072156.PAA28141@arnet.arn.net>

Could you send me some information about crypto stuff.

From jcobb at ahcbsd1.ovnet.com Sun Jan 7 14:23:15 1996
From: jcobb at ahcbsd1.ovnet.com (James M. Cobb)
Date: Mon, 8 Jan 1996 06:23:15 +0800
Subject: NSA says strong crypto to china??
In-Reply-To:
Message-ID:

Tim,

On 01 07 96 you say:

...the crypto anarchy notions we talk about makes collection of taxes increasingly problematic.

You also say:

Today, and especially with strong crypto and all the developing methods we talk about, how will the Ruler know what to tax?

You conclude:

...I believe that this issue [collection of taxes] is one of the motivations to restrict the use of strong crypto and to make transactions monitorable.

In 02 96 Internet World, science fiction writer Vernor Vinge is interviewed:

Suddenly [about 1984] people realized that if a 100 million people each had computers that were one-tenth of one percent as smart as the government's computers, they had much less to fear about government.

Now we've entered an era where the government understands this. On the one hand, police forces are legitimately [?] frightened; law enforcement could become much more difficult. But at the same time --with some new laws and technology-- police powers could be much greater than before....
You've heard of ubiquitous computing, but how about UBIQUITOUS LAW ENFORCEMENT?

Developing that line of thought, Vinge says:

...the old Clipper chip proposal recommended that GOVERNMENT LOGIC be present in certain communications equipment. For the future I think this aspect of Clipper was as significant as the crypto issues. What would it be like if a certain amount of GOVERNMENT LOGIC were mandated in the design of every host in a country?

And Vinge concludes:

WE COULD HAVE REAL-TIME TAXATION.

and

...very fine-grain CONTROL would be possible.

Capitalization in the above excerpts is mine.

The whole interview is worth reading. Its title is: Reality & Fiction. It starts at page 82. Jeff Ubois asked the questions.

Every HOST in a country? As Larry Ellison says in 12 26 95 / 01 02 96 Computerworld 41:

The ideal operating system arrives across a network when you turn your computer on.

The GOVERNMENT LOGIC arrives too...

Cordially,

Jim

From jrochkin at cs.oberlin.edu Sun Jan 7 14:27:59 1996
From: jrochkin at cs.oberlin.edu (Jonathan Rochkind)
Date: Mon, 8 Jan 1996 06:27:59 +0800
Subject: "Re: NSA says strong crypto to china??
Message-ID:

At 10:50 PM 01/07/96, Timothy C. May wrote:

>As when the Cossacks who fled the U.S.S.R. after the war and pledged to
>help the West fight Communism were returned by the British to Stalin, where
>they were executed. (I was reminded of this by the latest Bond movie, where
>Bond avers, "Not exactly Britain's finest moment.")

The Kurds in Iraq during the Persian Gulf war is an analogous situation. The Kurds supported and assisted the U.S. government during the war. Really pro-U.S.. At some point near the end of the war, though, the U.S. just started ignoring them, and Hussein started bombing them and killing huge numbers of them.
From ses at tipper.oit.unc.edu Sun Jan 7 14:30:14 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Mon, 8 Jan 1996 06:30:14 +0800
Subject: phone calls from hell
In-Reply-To:
Message-ID:

Hey - he spent so much time training suicide bombers maybe the phone was set to blow if anyone dialed the, er, Samaritans.

Simon

(defun modexpt (x y n) "computes (x^y) mod n"
  (cond ((= y 0) 1) ((= y 1) (mod x n))
        ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n))
        (t (mod (* x (modexpt x (1- y) n)) n))))

From jis at mit.edu Sun Jan 7 14:35:27 1996
From: jis at mit.edu (Jeffrey I. Schiller)
Date: Mon, 8 Jan 1996 06:35:27 +0800
Subject: Why can't I get PGP from MIT
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

>I believe I had a problem when I wanted to get PGP coming from
>internexus.net (New Jersey). I just e-mailed them about it and I think
>they just added the site to their 'acceptable' list. I did a traceroute
>to why.net and noticed that it is very close to me, coming off of
>SprintNet... probably the same situation.

Internexus.net has been added to the list.

The heuristic that the MIT site enforces is as follows:

o To get access you must properly answer some questions regarding export control law and licensing.

o Your host must have an "inverse" DNS mapping so we can learn its name.

o Your host's name must end in either ".EDU", ".COM", ".MIL", ".GOV", ".US", or ".CA".

  *or*

  Be on our exception list. All the ".NET's" and ".ORG's" need to be "excepted."

Maintaining the exception list has turned out to be a serious problem. I receive roughly 20 messages a day from people needing to be added. To make matters worse the exception list has to be maintained in two different locations in two different formats. I just broke down today and automated the management of the lists.

Unfortunately the only thing I can do for people whose machines do not have an inverse DNS mapping is to send them personal copies via e-mail. However, I have been too swamped to do this.
I am looking into alternative approaches of guarding the FTP site (possibly doing a traceroute or something similar) in a better way that still meets the requirements of maintaining export restrictions.

Please remember that I maintain the MIT FTP site in my all too rare spare time.

Thank you.

-Jeff

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

From twcook at cts.com Sun Jan 7 14:35:58 1996
From: twcook at cts.com (Tim Cook)
Date: Mon, 8 Jan 1996 06:35:58 +0800
Subject: Another Internet Provider Censors Access (fwd)
Message-ID:

> The reason I bring this up is to point out that the removal of the
> alt.* groups does not necessarily mean the people removing those
> groups are trying to censor anything, but may just be trying to
> reduce the resources eaten by news on their systems and network.
>

That is a good point Mike. From a smart business perspective though you would want to ask current customers to send a list of the ones they read BEFORE you start dropping them.

Tim Cook
Linux Expert (wannabe!)

From blancw at accessone.com Sun Jan 7 14:50:09 1996
From: blancw at accessone.com (blanc)
Date: Mon, 8 Jan 1996 06:50:09 +0800
Subject: NSA says strong crypto to China?
Message-ID: <01BADD0E.00F2C220@blancw.accessone.com>

From: Alex Strasheim[

(...)But I don't necessarily look at the NSA as an enemy. Right now we're on opposite sides of an important issue, and I think they're doing a lot of damage. But I tend to think that they believe what they're doing is in the national interest. They're trying to defend democracy -- our democracy, at least.

"The" NSA is not a constant, a body which remains the same regardless of the individuals working within it. The character of the agency, I expect, would change with the individuals.
The agency is not designed to be dangerous to citizens. But their mileage could vary depending upon the leadership, upon their grasp of its purpose. That's what this list is all about: we're trying to impose certain civil liberties on the world using a strategy that's based on anarchy theory. That theory tells us that if we can distribute tools and establish standards we'll secure privacy and free speech rights regardless of what governments do. That's a very startling idea, and I believe it's sound. I believe that it's possible to impose the first amendment on the entire world by distributing crypto software. But realize that these software tools and what they make possible (first amendment ideas, anarchy) are not being "imposed" - they're being selected/accepted by the users by a process of conscious individual decision, not by a blanket policy imposition handed down from 'above' (you *will* use crypto, and you *will* like it). I don't think the NSA is out to suppress our liberties. They're trying to protect the nation. Their problem is that they're operating under an old, obsolete paradigm. (.......) But the question is, why are they operating under obsolete paradigms? Why aren't they paying attention to what they are doing, to what is intelligently appropriate, to the philosophical ideals of the nation they're representing? (and therefore who or what are they *really* trying to protect) .. Blanc From jbarrow at inf.net Sun Jan 7 14:57:12 1996 From: jbarrow at inf.net (Jonathan Keith Barrow) Date: Mon, 8 Jan 1996 06:57:12 +0800 Subject: No Subject Message-ID: <01BADD1E.0E5DDDE0@ppp5.inf.net> -----BEGIN PGP SIGNED MESSAGE----- My internet service provider does not carry alt.sex at all is there anyway that i can still get into these newsgroups? Sorry if this question is a little elementary to some of you, but i have to learn somewhere. 
-----BEGIN PGP SIGNATURE----- Version: 2.6.2i -----END PGP SIGNATURE----- From jsw at netscape.com Sun Jan 7 15:26:32 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Mon, 8 Jan 1996 07:26:32 +0800 Subject: NSA says strong crypto to china?? Message-ID: <199601070941.BAA12858@ammodump.mcom.com> This is a quote from an article by Paul Vallely in The Independent, London, which can be found here: http://nytsyn.com/live/News3/006_010696_101827_2723.html > What one government regards as harmful material is an instrument of freedom > and democracy to another. Officials at the US National Security Agency have > suggested that Internet encryption technology - a sophisticated method of > encoding information - be deliberately exported to Chinese dissidents to > help them in their fight against their government - even though its export > is otherwise banned under US arms control regulations. Does anyone know of real documentation of this "suggestion" from the NSA? It is quite telling, though no surprise to any of us I'm sure, that they would think that strong crypto should be a tool of freedom in china, but not in this country. Maybe they should get Microsoft to insert subliminal directions for downloading PGP into a future episode of "My Computer Family". :-) --Jeff Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw/ Any opinions expressed above are mine. 
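The access heuristic in Jeffrey Schiller's message above (export questions, an inverse DNS mapping, an approved name suffix or an exception-list entry), written out as an added Python example; it is not the MIT site's code. The exception-list matching rule, the reason strings, the sample hosts and the optional forward-confirmation step (which the message does not describe) are assumptions.

```python
import socket

# Suffixes and rule order come from the message above. The exception-list
# matching rule, the reason strings and all sample hosts are assumptions.
ALLOWED_SUFFIXES = (".edu", ".com", ".mil", ".gov", ".us", ".ca")
EXCEPTION_LIST = {"internexus.net"}  # the one entry the message names


def reverse_lookup(ip):
    """Return the PTR ("inverse") name for ip, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def forward_lookup(name):
    """Return the set of IPv4 addresses that name resolves to."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()


def on_exception_list(name, exceptions):
    # Match whole labels only, so "notinternexus.net" is not let through.
    return any(name == d or name.endswith("." + d) for d in exceptions)


def check_host(ip, answered_questions, ptr=reverse_lookup, fwd=None,
               exceptions=EXCEPTION_LIST):
    """Apply the rules in the order the message lists them.

    Returns (allowed, reason). Passing fwd (for example forward_lookup)
    adds a check that is NOT in the message: the PTR name must resolve
    back to the connecting address, because a PTR record is published by
    whoever runs the client's reverse zone and can claim any name.
    """
    if not answered_questions:
        return (False, "questions-not-answered")
    name = ptr(ip)
    if not name:
        return (False, "no-inverse-dns")
    name = name.rstrip(".").lower()
    if fwd is not None and ip not in fwd(name):
        return (False, "ptr-not-forward-confirmed")
    if name.endswith(ALLOWED_SUFFIXES):
        return (True, "suffix")
    if on_exception_list(name, exceptions):
        return (True, "exception-list")
    return (False, "needs-exception")


# Constructed lookup tables (documentation address ranges) so the example
# runs offline. 192.0.2.40 deliberately has no PTR record; 192.0.2.50 has a
# PTR claiming a .com name whose forward record points somewhere else.
SAMPLE_PTR = {
    "192.0.2.10": "ftp.example.edu",
    "192.0.2.20": "dialup7.internexus.net",
    "192.0.2.30": "host.example.org",
    "192.0.2.50": "WWW.Example.COM.",
}
SAMPLE_FWD = {
    "ftp.example.edu": {"192.0.2.10"},
    "www.example.com": {"198.51.100.9"},
}


def sample_fwd(name):
    return SAMPLE_FWD.get(name, set())


def demo():
    """Decision for each sample client, name-only and forward-confirmed."""
    ips = ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "192.0.2.50"]
    return {
        ip: (check_host(ip, True, ptr=SAMPLE_PTR.get),
             check_host(ip, True, ptr=SAMPLE_PTR.get, fwd=sample_fwd))
        for ip in ips
    }


if __name__ == "__main__":
    for ip, (name_only, confirmed) in demo().items():
        print(ip, name_only, confirmed)
```

The 192.0.2.30 case is the ".NET"/".ORG" situation the message says has to be excepted by hand, and 192.0.2.40 is the host with no inverse mapping that the site cannot serve.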
From Greg_Rose at sydney.sterling.com Sun Jan 7 15:47:41 1996 From: Greg_Rose at sydney.sterling.com (Greg Rose) Date: Mon, 8 Jan 1996 07:47:41 +0800 Subject: Revoking Old Lost Keys In-Reply-To: <2.2.32.19960106101559.00919d9c@mail.teleport.com> Message-ID: There have been a lot of replies to the original question, but I think a lot of people are missing a simple solution. >>At 7:07 AM 1/6/96, Bruce Baugh wrote: >>>I'd like to bring up a problem I haven't seen addressed much yet, and which >>>I think is going to come up with increasing frequency as PGP use spreads. >>> >>>The problem is this: how can one spread the word that an old key is no >>>longer to be used when one no longer has the pass phrase, and cannot >>>therefore create a revocation certificate? You create a revocation certificate at the time you create the key, and store it somewhere (I'd recommend putting it on a floppy). Then either give it to your lawyer, with a note saying "If I forget the passphrase, give me back this", or just write a note to yourself, and store it in a place where you'll find it when the time comes. It is inconvenient if a nasty third party finds it while you were still using the key, but much less damaging than if they found the password. (Someone wrote that PGP doesn't support revocation certificates. This is not correct.) Greg. Greg Rose INTERNET: greg_rose at sydney.sterling.com Sterling Software VOICE: +61-2-9975 4777 FAX: +61-2-9975 2921 28 Rodborough Rd. http://www.sydney.sterling.com:8080/~ggr/ French's Forest 35 0A 79 7D 5E 21 8D 47 E3 53 75 66 AC FB D9 45 NSW 2086 Australia. co-mod sci.crypt.research, USENIX Director. From frissell at panix.com Sun Jan 7 15:57:03 1996 From: frissell at panix.com (Duncan Frissell) Date: Mon, 8 Jan 1996 07:57:03 +0800 Subject: "trust management" vs. "certified identity" Message-ID: <2.2.32.19960107233946.00902734@panix.com> At 12:00 PM 1/7/96 -0800, Timothy C. 
May wrote: >Frankly, the notion that a central government would issue proofs of >trustability, via identity cards and the like, is a modern invention. > >(The message of Vinge's "True Names" was partly ironic, that one's True >Name is important primarily in allowing tagging by the government. Ordinary >people rarely need True Names. > >I don't want official proof of my identity. If others want it, let them >make their own arrangements. In the early 1950's Robert Heinlein and his wife Virginia took a trip around the world ("Tramp Royale" recently published by Ace Books). He had to apply for a Passport and got a Certificate of Delayed Birth Registration from Missouri since his county had not kept birth records when he was born. "I breathed a sigh of relief; at last I was me. I had attended school [Annapolis BTW], been commissioned in the armed services, held two civil service jobs, married, voted run for office, drawn a pension and done all manner of things as a flesh-and-blood being through more than four decades, all without having had any legal existence whatsoever." Proof of identity is never needed. Proof of authorization is only needed by one's bankers. The rest is government garbage. Hopefully enough people will learn this and we can reduce the nonsense a bit. DCF "Where are your papers? Sorry buddy, I'm a fundamentalist. I don't go in for that Mark of the Beast stuff. Have you ever read Revelations? You aren't one of those tools of Satan are you?" From futplex at pseudonym.com Sun Jan 7 15:59:42 1996 From: futplex at pseudonym.com (Futplex) Date: Mon, 8 Jan 1996 07:59:42 +0800 Subject: Mixmaster On A $20 Floppy? In-Reply-To: Message-ID: <199601072345.SAA28014@opine.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- I wrote: # I suppose that a site that escapes detection as a Mixmaster will throw off # the correlation stats (i.e. because a message from that site to B won't be # identified as a remailed message). But such sites are elusive objects I # think. 
On the one hand, the site can't endure for long, or else its # throughput traffic will likely give it away as an anonymizer (i.e. it gets # lots of mail from the Mix network, and sends out similar amounts of mail to # all sorts of people and the network). On the other hand, it had better last, # or else it will look suspicious as a transient account receiving mail from # the Mix network, sending a few messages, and quickly vanishing. Lance writes: > The second paragraph seems to deal with the issue of being known as an > anonymous remailer or regular remailer user. I am not sure exactly what the > concern with that is. I was trying to explore possible ways to beat TA with less bandwidth, in the context of transient (w.r.t. network address) anonymizers. I indicated doubt about the possibility of any real gain, and as I think about it more I'm not able to convince myself that there's any real value at all in that regard. Futplex - "IBM ?" Go Colts ! - "All the girls are doing it" -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- From frissell at panix.com Sun Jan 7 16:09:16 1996 From: frissell at panix.com (Duncan Frissell) Date: Mon, 8 Jan 1996 08:09:16 +0800 Subject: Message-ID: <2.2.32.19960107235519.0091931c@panix.com> At 04:34 PM 1/7/96 -0600, Jonathan Keith Barrow wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >My internet service provider does not carry alt.sex at all is there anyway that i can still get into these newsgroups? Sorry if this question is a little elementary to some of you, but i have to learn somewhere. > Are you sure alt.sex.* is good for you? 
Read the How to Receive Banned Newsgroups FAQ at: http://www.ecnet.net/users/mumbv/pages/banned-groups-faq.html DCF From llurch at networking.stanford.edu Sun Jan 7 16:14:18 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 8 Jan 1996 08:14:18 +0800 Subject: "Microsoft.com" added to my KILL file Message-ID: <199601072354.SAA21227@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Poor me has to run a mailing list where the *majority* of subscribers are using MS Mail or Exchange. For a partial list of MS Mail/Exchange bugs relevant to list administrators, fetch my list info file. Send "info win95netbugs" to majordomo at lists.stanford.edu. Fortunately, there's been no need to killfile msn.com recently. Microsoft incompetence took care of that at the source. See the January 2nd news article on http://www.zdnet.com/~pcweek/ - -rich - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service -----END PGP SIGNATURE----- From llurch at networking.stanford.edu Sun Jan 7 16:19:19 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 8 Jan 1996 08:19:19 +0800 Subject: Jan 13 Mountain View CA meeting Message-ID: <199601072358.SAA21252@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Did you have any specific time in mind? - -rich mrm at netcom.com (Marianne Mueller) wrote: >Hi all, happy new year. > >The Jan 13 Mountain View, California meeting will be held again >at Sun Microsystems, at Sparcy's cafeteria. That's building 21, >in the set of Sun buildings near Shoreline Park in Mountain View. 
>Take 101 to Amphitheater Parkway exit, turn left onto Charleston >at the light (this street is also named Garcia at its far end) >and follow the purple Sun signs for building 21. You'll drive >down Charleston (Garcia) for about 1/3 mile and then turn right >onto a road that in about 3 blocks takes you to B21. > >Please send mail if you have a topic you would like to speak about, >and I'll send out a speaking agenda towards the end of the week. > >Marianne >mrm at netcom.com >mrm at eng.sun.com > >p.s. I'll bring bagels again but since I never got reimbursed >last time around I think I will put out the donation jar this >time ...! - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service -----END PGP SIGNATURE----- From llurch at networking.stanford.edu Sun Jan 7 16:42:37 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 8 Jan 1996 08:42:37 +0800 Subject: Microsoft has a way to go on E-Mail Message-ID: <199601080028.TAA21744@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- - -----BEGIN PGP SIGNED MESSAGE----- Perry say: >The problem is that microsoft has made the mistake of using >their own software, which doesn't understand the distinction >between envelope and header addresses. I've been on the phone >with contacts there and I'm going to start threatening going >to the press soon. I'm sure they're scared. What press? NBC News? The Seattle Times? The Wall Street Journal? Windows Magazine? Maybe Michael Kinsley will run a hard-hitting expose. About a dozen recognizable computer magazine reporters and editors are on the win95netbugs mailing list. 
For months, the majordomo welcome message has told subscribers the bugs they should come to expect in Exchange: 1. Return-Path overrides From:. This is a Major Bummer on, for example, majordomo lists, because by default all replies go to the list owner. 2. No .signature support. Combine with the above and you have a real problem. 3. Annoying WINMAIL.DAT ms-tnef attachment. 4. Annoying "if you don't have a standard MIME mail reader, you need to upgrade" prepended to every message. Suddenly Microsoft supports IETF standards. 5. The alternative to ms-tnef is quoted/printable, not text/plain. Not all MUAs handle the quoted/printable generated by Exchange properly. Microsoft Mail and Pine, for example. - - -rich owner-win95netbugs at lists.stanford.edu http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: I have no further comment at this time. - -----END PGP SIGNATURE----- - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service -----END PGP SIGNATURE----- From bdolan at use.usit.net Sun Jan 7 17:03:44 1996 From: bdolan at use.usit.net (Brad Dolan) Date: Mon, 8 Jan 1996 09:03:44 +0800 Subject: (fwd) Private SSN Collection Project (fwd) Message-ID: I thought this was interesting. -bd ---------- Forwarded message ---------- Date: Sun, 31 Dec 1995 00:01:48 -0800 From: Clint Danbury Thank you for your response. 
Please send Full names and Social Security Numbers of anyone you know, including government officers and/or employees, to: Clint Danbury, Box 750037, Petaluma, CA 94975-0037 email: danbury at ssnShirt.com Questions And Answers On The Nationwide SSN Collection Project. -1- Why are you collecting SSNs ? Answer: For fun and amusement. -2- What do you plan to do with them ? Answer: Put them on sweatshirts and sell them through specialty clothing retailers. It has been suggested also that I post them on large billboards along the Mexican border, but I don't have enough capital to pull off such a stunt at this time. -3- How long do you intend to continue this ? Answer: Until it becomes illegal. The moment any legitimate government authority informs me of the specific laws which (A) Forbid the collection, recording, and distribution of SSNs by private parties, and (B) Provide legal recourse for the individual citizen against private parties which do so, I will stop. -4- What if the government finds out what you're doing ? Answer: First off, the government knows very well what I'm doing. I've been "reported" multiple times to the SSA and the Secret Service. Secondly, the government can find me quite easily (I'm in the phone book). Third, I will cooperate completely with any legitimate government authority. -5- Here's my ex-spouse's SSN; will you make him/her miserable for me ? Answer: Hell No ! If you want me to engage in illegal activity for you, then go somewhere else ! -6- Isn't what you are doing illegal ? Answer: Not according to the SSA. They have declared the private use of the SSN unrestricted. (More on this in a few questions) -7- If My name/SSN were in your database, would you tell me ? Answer: In order for me to confirm this, you must first tell me what your full name and SSN is, then I will tell you if you were already in there. If this sounds like two-faced hypocrisy, great! I got the idea from CBI-Equifax; that's their very own policy. 
If you don't tell them what your SSN is, they won't tell you what they've got on you. Therefore, I have decided to do the exact same thing. (If you don't believe it, then why don't you call them and ask for yourself?) -8- What if someone did the same thing to you ? How would YOU feel ? Answer: This already has happened to me. I told the SSA office about it, repeatedly, and they would take no action. (The story appears in the next answer.) -9- How did this all start ? Answer: In 1985, a co-worker learned that I object to the "Uni-Number" concept of identifying a single person across multiple databases. I was (and still am) specifically concerned about the use of the SSN for Non-Tax identification. The company placed our SSNs on our name tags, which, thankfully, we did not have to wear constantly, although we would occasionally have to display it for a guard during certain times. This co-worker went poking through my briefcase while I was out of my office, copied down my SSN, and then, for his own fun and amusement (I'm guessing at his motives, I don't know his true reasons) displayed it for me, and would not tell me where he got it. Seeing that this angered me, he then went to other co-workers, who joined him in making my SSN even more public. They then went to the personnel files, (which the company made no attempt to keep locked) and double-checked the number with my job application. After that, they memorized it, and, (again, I'm guessing here) for their own amusement, they would recite it in unison around the lunch table. (I know this sounds impossible, but it really did happen.) After that job ended (not very happily, surprise) I let myself cool off for a few months, and then moved to another city. During my time in that other city, I contacted the SSA office there, seeking another SSN. I made dozens of phone calls and wrote letter after letter, all to no avail. My letters got shorter and to-the-point, not long drawn out things. 
It took only 30 seconds to read them. This continued for several months. The result was always the same: words without action, and no replacement SSN. The company in that city went down the tube, and I had to move again. I wrote and called off-and-on over the next few years, and got the same treatment; empty words, stall-him-off, and they would make no statement one way or the other. In September of 1993 (perhaps an earlier date, I'm not sure) the SSA finally came out and gave their official written approval for unrestricted use of the SSN by private individuals and private organizations for any purpose, including fun and amusement. The pamphlet is entitled "Your Social Security Number", is SSA Publication 05-10002, and dated September/1993. You can get a copy by calling them at 1-800-772-1213. On page 9 of that pamphlet, they have finally removed all restrictions on the private use of the SSN and they've put it in writing... "Because there is no law concerning the use of a person's Social Security number by a private individual or organization, Social Security has no control over such use." So, if those are the rules they've made, fine. Those are the rules by which I'll act. The collection and distribution of other people's SSNs is (as you've just read) a legally unrestricted activity and that's exactly what I'm doing. -10- Where do you get the SSNs ? Answer: "...there is no law..." so, just like CBI, TRW, TU, et.al., I don't have to tell you where I got yours. Ask CBI where they got your SSN; they won't tell you, and neither will I. -11- How do you check for accuracy ? This question bothered me a lot at first, however, it has become astoundingly simple to check whether a number is accurate or not. So, just exactly how do I do this ? CBI doesn't have to tell, and neither do I. "...there is no law..." -12- How can I get a copy of your list ? Answer: Unfortunately, I have found the drones to outnumber the worker-bees by a factor of about 10-to-1. 
This is not the soup-kitchen, it's a group project. If you want SSNs from me, then I want SSNs from you. In the past, I offered a 1-for-1 exchange. I will no longer make that public offer. What is offered is this: If you will send me full names and SSNs of prominently elected officials, media-babes, et.al., then I will (to the extent my database allows) send you back full names and SSNs of other prominent politicians and media babes, 1-for-1 if I can. Of course, full names and SSNs of any individual or group are still welcome, they just don't qualify for the 1-for-1 offer. Copyright, 1995 by Clint Danbury From jya at pipeline.com Sun Jan 7 17:12:41 1996 From: jya at pipeline.com (John Young) Date: Mon, 8 Jan 1996 09:12:41 +0800 Subject: NOM_ail Re: Microsoft has a way to go on E-Mail Message-ID: <199601080056.TAA09551@pipe4.nyc.pipeline.com> Responding to msg by llurch at networking.stanford.edu (Rich Graves) on Sun, 7 Jan 7:28 PM >I'm sure they're scared. What press? NYTimes has a piece today on buggy and clogged e-mail and mentions MSN as an example, along with overloaded IPs, badly designed security wraps and other clunkers. "Right now, building market share is the name of the game. Service will get worse for a while, reputations for quality will start to be formed, at which points firms will compete on quality, which will start to improve," says a brain. NOM_ail From migueldiaz at gnn.com Sun Jan 7 17:51:52 1996 From: migueldiaz at gnn.com (miguel diaz) Date: Mon, 8 Jan 1996 09:51:52 +0800 Subject: phone calls from hell Message-ID: <199601080136.UAA31233@mail-e1a.gnn.com> > >I suppose this phone was prepared especially for Ayyash, but the >imagination wanders. Imagine a world in which *every* cellphone >(or other net-connected computer or ....) had a little explosive built >in. For that matter, the case itself could be constructed of a plastic >explosive. Certainly gives a whole new meaning to the slogan "Reach out and touch someone". 
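Item 1 of Rich Graves's bug list above (Return-Path overriding From:, so replies go to the list owner) rests on the envelope/header distinction quoted from Perry. The following is an added Python example, not code from any poster or from Majordomo or Exchange: it models a list exploder that rewrites only the envelope sender, then compares a header-based reply rule with a Return-Path-first rule. All addresses, the message and the function names are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed post, as the author's mail client wrote it (header addresses).
POST = (
    "From: Alice Example <alice@example.org>\n"
    "To: demo-list@lists.example\n"
    "Subject: NetBEUI binding question\n"
    "\n"
    "Has anyone else seen this?\n"
)


def explode(list_owner, subscribers, raw):
    """Model of a list exploder.

    The message headers pass through untouched. Only the SMTP envelope
    changes: the envelope sender (MAIL FROM) becomes the list owner so that
    bounces reach the administrator, and the envelope recipients (RCPT TO)
    become the subscribers.
    """
    return {"mail_from": list_owner, "rcpt_to": list(subscribers), "data": raw}


def deliver(envelope):
    """Final delivery: the receiving MTA records the envelope sender in a
    Return-Path: line placed above the original headers."""
    return "Return-Path: <%s>\n%s" % (envelope["mail_from"], envelope["data"])


def reply_target_from_headers(raw):
    """Header-based rule: Reply-To: if the author set one, otherwise From:."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("Reply-To") or msg.get("From", ""))[1]


def reply_target_return_path_first(raw):
    """The behaviour item 1 describes: the envelope sender wins over From:."""
    msg = message_from_string(raw)
    envelope_sender = parseaddr(msg.get("Return-Path", ""))[1]
    return envelope_sender or reply_target_from_headers(raw)


def compare(raw):
    """Return (header-based target, Return-Path-first target, misdirected?)."""
    good = reply_target_from_headers(raw)
    bad = reply_target_return_path_first(raw)
    return good, bad, good != bad


DELIVERED = deliver(
    explode("owner-demo-list@lists.example",
            ["bob@example.net", "carol@example.com"], POST)
)

if __name__ == "__main__":
    print(DELIVERED)
    print(compare(DELIVERED))
```

The same post sent directly, without the exploder, carries the author's own address in both places, which is why the difference only shows up on list traffic.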
From wlkngowl at unix.asb.com Sun Jan 7 18:02:58 1996 From: wlkngowl at unix.asb.com (Mutatis Mutantdis) Date: Mon, 8 Jan 1996 10:02:58 +0800 Subject: A /dev/random standard is need. Message-ID: I'm revising the DOS NOISE.SYS driver currently. In writing the documentation I am discussing the advantages of such a driver (part of the logic behind writing it). Mainly, a hardware (and to some extent operating system) independent means is needed for generating random numbers. It seems to me that a device driver (at least for DOS, Unix and maybe Amiga or Atari) is the best way to do this. If one has special chips or diodes for generating randomness, a device driver which reads from them can be used. If one lacks such equipment, something like NOISE.SYS or random.c for Linux, or Noiz (which I have not yet looked at) can be used. Even then, random.c defines two devices, random (which only returns as many bits as there are fresh bits in the entropy pool) and urandom (which keeps hashing the bits and will return as many as requested.) NOISE.SYS defines only random, which behaves more like urandom above. If there is a standard, it will make it easier to use special hardware since software which reads from a random device can access it. Perhaps a kind of standard should be discussed and created so that cross-platform development is made much easier, and so that features and capabilities can be worked out. Does anybody else see a need for this? 
--Rob From iagoldbe at calum.csclub.uwaterloo.ca Sun Jan 7 19:29:00 1996 From: iagoldbe at calum.csclub.uwaterloo.ca (Ian Goldberg) Date: Mon, 8 Jan 1996 11:29:00 +0800 Subject: [NOISE] Re: please stop the Mitnick stuff In-Reply-To: Message-ID: <4cq1u3$84m@calum.csclub.uwaterloo.ca> In article , Lucky Green wrote: >At 21:16 1/6/96, John Young wrote: > >> Also, crypto-related: The fact that Shimomura's supposedly >> secret files were not protected by encryption or other >> security is what causes Littman and others to think there >> was a sting (perhaps with TLA help) rather than foolish >> vanity of the security wizard. > >[I do believe this has CP relevance.] > >Of course it was a set-up. Mitnick got into Shimomura's computer by >impersonating the IP address of one of Shimomura's machines. The router >should have never let packets in from outside that have an IP address that >is supposed to be inside. That a 'security expert' would overlook such a >blatant and well publicized hole in his _own_ router is inconceivable. "That word you keep using -- I do not think it means what you think it means." - Ian From jirib at sweeney.cs.monash.edu.au Sun Jan 7 20:12:49 1996 From: jirib at sweeney.cs.monash.edu.au (Jiri Baum) Date: Mon, 8 Jan 1996 12:12:49 +0800 Subject: phone calls from hell In-Reply-To: Message-ID: <199601080355.OAA23848@sweeney.cs.monash.edu.au> Hello, (Maybe I should put [Noise] into the subject, but then again the whole thread is, isn't it...) ...[About exploding phones]... > Sorta gives new meaning to the term "_Terminate_ and Stay Resident" program, doesn't it?!? > > (Or "end of file.") This isn't really news... Haven't you ever heard of the ASCII control character EOU? Quoting from the Jargon file: :EOU: /E-O-U/ n. The mnemonic of a mythical ASCII control character (End Of User) that would make an ASR-33 Teletype explode on receipt. 
This construction parodies the numerous obscure delimiter and control characters left in ASCII from the days when it was associated more with wire-service teletypes than computers (e.g., FS, GS, RS, US, EM, SUB, ETX, and esp. EOT). It is worth remembering that ASR-33s were big, noisy mechanical beasts with a lot of clattering parts; the notion that one might explode was nowhere near as ridiculous as it might seem to someone sitting in front of a {tube} or flatscreen today. This isn't worth signing and I'm tired... Jiri -- If you want an answer, please mail to . On sweeney, I may delete without reading! PGP 463A14D5 (but it's at home so it'll take a day or two) PGP EF0607F9 (but it's at uni so don't rely on it too much) From pati at ipied.tu.ac.th Sun Jan 7 20:29:27 1996 From: pati at ipied.tu.ac.th (Patiwat Panurach) Date: Mon, 8 Jan 1996 12:29:27 +0800 Subject: Cypherpunk FAQ? In-Reply-To: <199601060236.UAA04326@einstein.ssz.com> Message-ID: Is there a cypherpunk FAQ? Or any other FAQ that gives basics on cypherpunk stuff, i.e., PGP, mixmaster, clipper...... ------------------------------------------------------------------------------- Patiwat Panurach Whatever you can do, or dream you can, begin it. eMAIL: pati at ipied.tu.ac.th Boldness has genius, power and magic in it. m/18 junior Fac of Economics -Johann W.Von Goethe ------------------------------------------------------------------------------- From jimbell at pacifier.com Sun Jan 7 21:36:17 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 8 Jan 1996 13:36:17 +0800 Subject: Hammill 1987 speech Message-ID: This is a response to feedback on my original post that was originally posted to Cypherpunks at toad.com, newlibertarians at teleport.com, and dnowch2 at teleport.com. The responder ("Vladimir Z. Nuri", widely suspected of being an L. Detweiler 'tentacle,') put his response into Cypherpunks alone. 
At 12:43 PM 1/4/96 -0800, you wrote: > >the Hammill 1987 speech is interesting and prescient but also contains >some of the subtle mind-biases and prejudices of rabid libertarians >that are easy for outsiders to spot. Gee, YOUR biases seem AT LEAST as easy to spot too, huh?!? > some day I might write a more >ambitious essay on this, but for now I'll list a few items and suggest some >counterclaims that will fry any libertarians brain. Don't flatter yourself. > all these ideas >have analogues to cryptography which I'll elucidate as best I can. > >1. weaponry is good in the hands of individuals, tyrannical in the hands >of the state. > >the analogy is with the crossbow and other weapons. as a logical >consequence of these ideas, it seems libertarians >think that utopia could be achieved if everyone could build their own >backyard nukes. they are obsessed with the idea of "deterrence" which >is a fancy word for MAD fear, mutual assured destruction fear. Not, at least, for me. The "backyard nukes" analogy is the one typically grabbed by the anti-gunners when they're trying to justify limiting the 2nd amendment. One problem that I see with this "reasoning" is that they never analogize by trying to limit the power of THE STATE to own weapons, despite the fact that maximum-bang weaponry increased by over a factor of 1,000,000 between about 1935 and 1955 or so. And not to mention that military weaponry deadliness increased by probably a factor of at least 100 between 1790 and 1935. Since (I assume you understand the argument, here) the US Constitution is supposed to be the complete statement of the legal powers of the Federal government, what's missing is a justification for even ALLOWING the government to engage in the kinds of weapons developments that it did post 1935 on constitutional/legal grounds. 
The significance of this argument is this: If you argue that "things have changed" and individuals should not be able to make/own nukes, that opens the door to similar claims that "things have changed" and the US Government should not be allowed to maintain the current military that it does. Don't just come back and say the Constitution provides for open-ended "defense": Nobody today would argue that the writers of the Constitution could have anticipated the development of the H-bomb or the F-15 or AWACS, but I see nobody using that argument to de-empower the government, while I FREQUENTLY see people trying to justify restrictions on guns based on the kinds of developments in guns that have happened since the muzzle-loader was king. >the analogy to cryptography is: cryptography is good in the hands >of individuals, tyrannical in the hands of the state. Sometimes, it is indeed. Especially since "the state" SHOULD serve at the pleasure of the individuals, not the other way around. You may disagree... >again the idea is that the stronger the cryptography available to the >individual, the better. however I don't want to get into any of the >guns == crypto arguments.. > >2. the world is screwed up because governments have made it that way. > >this is such a silly premise It's also your "straw-man argument." >but vast masses have subscribed to it >since the beginning of time. it's easy to say that any problem you have >with your finances or your pet poodle is the fault of the Government, >Big Business, or whatever. While it's true that "the world is screwed up" and it's also true that "governments have made it screwed up," libertarians don't usually (?) try to claim that governments bear _full_ responsibility. Just most of it. 
> libertarians are especially clever in >constantly inventing new terms, synonymous with "enemy" but not quite >so coarse and vulgar ("statist" is the current favorite epithet), Actually, the term "statist" is a particularly useful and interesting term. Against the backdrop of people stuck in their traditional left/right, liberal/conservative, Democrat/Republican ruts, libertarians remind the world that politics can be viewed even better in two dimensions, for example the "Nolan Chart," otherwise known as "the world's smallest political quiz." The thing I've always found fascinating about that representation is that it contains, embedded within it, the left/right spectrum, but perpendicular to this is the libertarian/authoritarian (statist) axis. In other words, it showed that some people seem to be just naturally control-freaks, whether they come from the left or the right. Now, language is IMPORTANT. If you can control the language, you can control the debate. Historically, there was no easy way to describe people now well-described by the term "statist", because they could be either of the "liberal" or "conservative" bent, the "Republican" or "Democratic" bent, etc. >to name their endless list of bogeymen who prevent them from >supposedly achieving their full potential in life. > >why is it that libertarians have not created their own state long ago, >but continue to stay in countries that they claim oppress them? I have >never heard a satisfactory response to this. [note: already in the Cypherpunks area he has been given a number of reasons for this; primarily based on attack by non-libertarian states] These examples are presumably true; governments fear competition that may later eliminate them. Companies do too, but they're generally limited in their ability to fight back. > the real answer of course >is that the rabid libertarians will never find a system they like, A misleading statement. 
They may never "like" any system forced on them, and by saying they "find" it implies that it is made by (and, presumably, ENFORCED BY) somebody else!

> they
>will criticize anything that exists, and never work to find a better
>alternative through constructive, positive means, but are happy to try
>to sabotage whatever has been built by others in the name of some
>noble and holy guerrilla war.

What's wrong with sabotaging the work of flaming statists?!?

>the analogy to crypto: any technology such as crypto that helps people avoid
>governments, and hide their dealings, promotes utopia. governments
>are the root of all evil, and anything that destroys them destroys
>evil.

Sounds logical to me...

>3. the government vs. the people dichotomy
>
>endlessly, even in a system that is expressly designed to present this
>polarization,

Maybe you meant, "prevent." But even expressed this way, that was wrong.

> libertarians subscribe to the idea of "us vs. them" in
>every avenue of reality.

So what else is new for nearly all political philosophy? If anything, I've heard more "us vs. them" from NON-libertarians than from libertarians.

> this thinking is entirely the same as that
>held by the NSA and cold war defense contractors. what's the difference?

Maybe this portion of the philosophy ISN'T the difference, and something else IS...

>none. we have a system in which the designers said it was "of, by, and
>for the people", but a libertarian cannot handle this unity,

The variability is the extent to which "this system" controls society. Even if we assume that "a government" is necessary, there is still an enormous variability as to HOW MUCH that government controls. 200 years of change has produced an enormous difference. There is NO REASON TO BELIEVE that libertarians should have to "handle" the 1996 version of reality that was only originally intended in 1790 to control a tiny fraction of one's life. Your argument seems to be a paean to an open-ended approval of government.
>nor can
>apparently any other citizen in the US that criticizes their government
>as if it is something apart from themselves.

The answer to that is simple. "Their ('our') government" is INDEED "something apart from themselves"! For just one example, those military contractors pay their bribes to POLITICIANS, not randomly selected citizens, for a GOOD REASON. Governments of all kinds are INDEED, "apart" from their citizenry!!!

>cryptography helps people preserve these illusions of separation.
>there are people who are "in" and "out" and those "out" cannot read
>your messages. what prevents leaks from "in" to "out"? libertarians
>would like to have you believe they have solved this problem with
>technology. but it is not a technological problem. it is an issue
>of trust, something that cannot be formalized or preserved by any
>invention. but don't tell this to a libertarian, who has dedicated
>his entire ideology to attempting to prove that one can actually
>achieve human integrity & utopia through technology alone and
>insisting that anything else is wholly superfluous.

Detweiler is beginning to lose touch with reality with this previous sentence.

>
>4. egalitarianism: libertarians are always saying that we don't
>have it and ranting about this injustice.

Odd that you would claim this. If anything, the libertarians I've met are about as "anti-egalitarian" as they come, as long as you're talking about GOVERNMENT ENFORCED ACCESS TO WEALTH AND POWER.

>but in their arguments, such as Hammill's, you will always find subtle
>arguments that they don't really want egalitarianism: some individuals should
>have an "edge" with their technology over those who seek to oppress them.

Subtle? SUBTLE???? I have, in fact, heard more RABIDLY ANTI-EGALITARIAN (again: Where egalitarianism is defined as government-enforced equal-treatment by private individuals of private individuals.)
arguments by libertarians, who object (for just one example) to the ADA (Americans with a Disability Act) because it requires private organizations (corporations, for instance) to build buildings to be "accessible" to everyone. If anything, libertarians are the most PROUDLY anti-egalitarian people around, in that they don't want the heavy hand of government to try to equalize society by the barrel of the gun. In other words, Detweiler...er...Nuri has totally dissociated himself from reality. He clearly doesn't understand the first thing about libertarianism.

>they would be all for it if individuals had the capability to create
>atom bombs but somehow governments did not. the philosophy is inherently
>desiring inequality at its root. the implication with crypto is that
>governments should have to reveal everything but individuals can have
>total secrecy.

Actually, since "governments" are merely the agents and employees of the citizenry (or they should be!!!) this is a valid argument. Since the government is the "employee" and the citizenry pays it, the citizenry gets to call the shots.

>beware of someone who tells you that utopia cannot currently be realized
>because
>
>1. governments ("they") do not allow it for "us".
>2. there are a lot of people preventing it from being realized, and we
>have to *get*rid* of them first.
>3. the correct technology does not yet exist. once it is invented, however,
>all problems will be solved.

Actually, my "Assassination Politics" idea stands an excellent chance of achieving exactly these breakthroughs. You don't like it, however.

>I'm not actually going to rebut any of these outright other than to
>the degree I have,

In other words, you can't think of any better arguments...

> and point out that history is ample evidence they are all false.

Which history? What history? Whose version of history?
> of course I don't expect any of the libertarians to understand
>my points, but frankly I think I am going to enjoy watching obtuse and
>angry flames for pushing the hot buttons.

In other words, you've given up now. Thank you for your flames. They'll probably convince something new that I'm right...

From alano at teleport.com Mon Jan 8 13:53:51 1996
From: alano at teleport.com (Alan Olsen)
Date: Mon, 8 Jan 96 13:53:51 PST
Subject: A couple of ideas for PGP-based programs
Message-ID: <2.2.32.19960108215510.0095a6d4@mail.teleport.com>

At 10:26 PM 1/8/96 +1100, Jiri Baum wrote:
>> 2) I would like to see a program like private Idaho have the ability to send
>> mail to the key server and grab all of the "unknown signator" keys.
>...
>
>This is very easy, at least in Unix: pgp -kvv, grep, cut, for.
>
>In DOS, you can do pgp -kvv and find, then edlin to change
>every "sig" into "call getkey", call the resulting (batch) file,
>which will call GETKEY.BAT for every missing key. I hope.

This is about what I do now. I am writing a perl program that splits the requests up into separate mail messages and dumps them out to the mail program du jour.

>However, I don't see much of a point to it: these are people you don't
>even know the keys of; how are you going to know whether they are
>trustworthy? (The Web-o-Trust can only tell you who they are, not
>whether to trust them.)

True, but I hate seeing keys with 40 signatures on it and all of them read "Unknown Signator". (I am expecting someone to use "Unknown Signator" or "Key revoked" as a nym any day now.)

>...
>> This would
>> have the interesting effect of building a more complete keyring, while using
>> the "web of trust" to weed out a lot of the bogus keys that tend to crop up on
>> the key servers. After n number of iterations you would have more of the
>> "important keys" and the ones that have little or no signage would be left to
>...
>
>No, you wouldn't.
You would tend to have the keys that sign a lot
>of other keys, which would include both SLED (Four-11) and a lot
>of careless people that sign every key in sight.

Very good point! I was actually talking about the "incredibly bogus keys that stopped living and take up valuable keyserver space". Keys with names like "Wow! This is neat! I think I will create 3-4 keys a day!!!!!". (I actually wound up retrieving a key like this. They are pretty annoying...)

>How about, instead:
>
>3) A way to retrieve all the keys signed by a given entity.
>
>This would have the effect that when you come to trust Alice, you
>can simply go and get all the keys she signed. I believe the present
>keyservers don't allow that... (Or else I don't know how to ask for it.)

I like that idea a lot! That way you can retrieve keys signed by people you trust. (Would this be the "Web of Guilt by Association"?) It might have a downside or two... (Privacy for key signers? Job seekers denied a job because they signed the key of a known member of the four horsemen? "Are you or have you ever been a key signer for Tim May or one of his Tentacles?")

Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key
http://www.teleport.com/~alano/
"Governments are potholes on the Information Superhighway." - Not TCMay

From dang at netcom.com Sun Jan 7 21:58:56 1996
From: dang at netcom.com (DRG)
Date: Mon, 8 Jan 1996 13:58:56 +0800
Subject: Encryption sales ban costs U.S. $60 billion
Message-ID: <199601080540.VAA20262@netcom8.netcom.com>

Nothing like boiling things down to the bottom dollar to make the media pay attention. The following brief ran in the business section of the S.F. Examiner:

ENCRYPTION SALES BAN COSTS U.S. $60 BILLION

NEW YORK U.S. companies will lose as much as 30 percent of the $200 billion in U.S. computer system sales expected in 200 because of federal export laws that limit the encryption of information, a recent study found.
The study was sponsored by 13 large U.S. technology companies. The group, known as the Computer Systems Policy Project, includes International Business Machines Corp., the world's largest computer maker, and AT&T Corp., the nation's biggest phone company.

"It's the first time anyone has set out to show the real economic impact export laws have," said Jeff Rulifson, director of technology development at Sun Microsystems Inc., one of the study's sponsors.

The government prevents U.S. companies from exporting hard-to-break computer codes that turn information, such as files and credit card numbers, into indecipherable material that can be sent across computer networks without fear of tampering.

-- quoted without permission.

From jsw at netscape.com Sun Jan 7 22:06:19 1996
From: jsw at netscape.com (Jeff Weinstein)
Date: Mon, 8 Jan 1996 14:06:19 +0800
Subject: "trust management" vs. "certified identity"
In-Reply-To: <01BADC99.C7034FE0@dialup-169.dublin.iol.ie>
Message-ID: <30F0AEA5.64DD@netscape.com>

Futplex wrote:
> Frank O'Dwyer writes:
> > Plus, given secure identity (which might be an anonymous id), you can
> > layer the other stuff on top.
>
> I am swayed by the view expounded by Carl Ellison that a key, not an
> identity, should be the anchor to which attributes are attached. (Sorry if
> I am misstating or oversimplifying the position here.) I think identity
> should be hung off the key as just another (optional) attribute.

This is exactly how I view X509 Version 3 certificates. You can attach any sort of attribute to the key, including a name/identity. Though the spec gives the name preferential treatment for historical reasons, I view it as just another optional attribute.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw at netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.

From vznuri at netcom.com Sun Jan 7 22:21:08 1996
From: vznuri at netcom.com (Vladimir Z.
Nuri)
Date: Mon, 8 Jan 1996 14:21:08 +0800
Subject: Hammill 1987 speech
In-Reply-To:
Message-ID: <199601080601.WAA09591@netcom4.netcom.com>

Mr. Bell: if I were to summarize my arguments, they would be that governments are the way that they are not so much because they attract certain dysfunctional individuals, but rather because they are microcosms and macrocosms of human psychology. the problems with government that libertarians rant about are problems with human behavior. the solution is not to get rid of governments-- this is confusing cause and effect, symptom and cause. the solution is to work on human behavior. when humans begin to think in a different, positive way, their governing systems will automatically reflect the change.

my essay was designed to show the negative aspects of governments that rabid libertarians are always endlessly ranting about are actually embodied in the psychologies of those libertarians themselves. therefore, while I agree with the libertarian that there are many problems with governments, I see no reason to believe that libertarians are proposing a workable alternative, based on their own stark biases and prejudices. in fact it seems quite obvious to me that their own "alternatives" are either "vaporware" or would be far worse in practice than even the dysfunctional systems we have in place today.

rabid libertarianism reminds me of Marxism: sounds great in theory, and you might even convince large parts of the population or key people in power to follow it. but does it truly present an implementable and workable alternative? where are the specifics?

identifying problems with government is quite trivial. this is destructive criticism, analogous to the guerilla warfare of words that rabid libertarians love. but criticism is easy compared to construction of something that works.
when you focus your attempts on creating a system that embodies your ideals instead of ranting at those that do not (and complaining that you cannot because governments prevent you), you will make far more progress in developing your ideas and convincing the world to follow you than any number of essays can accomplish.

if libertarianism is truly workable, shouldn't it be workable on small scales? what prevents individuals from actually starting it going at a small scale and growing it? that is the path that every government and nation has taken since the beginning of time, why do you think you should be exempt?

I don't see that any of your response to my essay detracts from this basic message so I'm going to pass on a detailed reply.

From mfischer at nsi.edu Mon Jan 8 14:22:47 1996
From: mfischer at nsi.edu (Michael S. Fischer)
Date: Mon, 8 Jan 96 14:22:47 PST
Subject: WIRE TAP ON NET
In-Reply-To: <2.2.16.19960106040018.259fb770@terminus.storm.net>
Message-ID: <199601082222.OAA28936@equus.nsi.edu>

On Fri, 05 Jan 1996 23:00:18 -0500, "Douglas F. Elznic" said:

DFE> E-MAIL-TAP NETS CRIMINALS The first-ever court-approved wiretap
DFE> of an e-mail account has resulted in the arrest of three people
DFE> charged with running a sophisticated cellular-fraud ring. The
DFE> alleged mastermind, a German electrical engineer, advertised his
DFE> illicit wares on CompuServe, where they caught the attention of
DFE> an engineer at AT&T's wireless unit. The Secret Service and the
DFE> Drug Enforcement Agency then got into the act and obtained the
DFE> Justice Dept.'s permission to intercept e-mail messages between
DFE> the alleged perpetrator and his accomplices. "This case
DFE> represents the challenges in the future if we can't get ahead of
DFE> the curve in technology," says a U.S. attorney, whose office is
DFE> prosecuting the case. (Wall Street Journal 2 Jan 96 p16)

--

Well, I can't exactly say I feel sorry for the guys, even if cellular companies are ripping us off.
Anyone who commits crimes while using email without encryption is an idiot.

--Michael

From shamrock at netcom.com Sun Jan 7 22:38:13 1996
From: shamrock at netcom.com (Lucky Green)
Date: Mon, 8 Jan 1996 14:38:13 +0800
Subject: "trust management" vs. "certified identity"
Message-ID:

At 1:40 1/7/96, Frank O'Dwyer wrote:

>But it is usually easier to
>determine (and vouch for) who a stranger is than how trustworthy
>they are, if only because there are quick and easy real-world
>mechanisms for this (driver's licence, passport,etc.). That's all
>I meant.

Though it may seem that way, I am not so sure that it is true. I am told that you can buy a CA driver licence in the Hispanic part of San Francisco for about $50. Hologram and all.

Reputations can take years to establish. I would feel more comfortable to sign certain statements about the (on-line) character or technical skills of some people on this list whom I have never met, than to sign the PGP key of an utter stranger that shows me his Alabama ID card.

-- Lucky Green
PGP encrypted mail preferred.

From jcobb at ahcbsd1.ovnet.com Sun Jan 7 22:49:11 1996
From: jcobb at ahcbsd1.ovnet.com (James M. Cobb)
Date: Mon, 8 Jan 1996 14:49:11 +0800
Subject: Naw, They Can't Censor the 'Net!
Message-ID:

Friend,

A 01 07 96 Scripps Howard newsstory reports that a US telecommunications firm providing Internet access to Jordan was asked by authorities there to install a SCREENING FACILITY so censors could preview ANY messages LIKELY to be PICTURES !

A censor's life in a screening facility can be hard...but the authorities are firm. There's the urgent

  ...need to prevent the spread of pornography in this conservative desert kingdom.

And that US telecommunications firm?

  "We agreed with the authorities' request," said GlobeNet's vice-president, Carlton Tolsdorf. "And, by the way, I think we should have the same thing back home in the United States."

So it too can be a PICTURESQUE desert kingdom.

Cordially,

Jim

NOTE.
The newsstory's headline? ARAB WORLD GRAPPLES WITH THE INTERNET'S BENEFITS, DRAWBACKS. Its dateline? AMMAN, Jordan (Jan 7, 1996 1:22 p.m. EST). Its Nando News online filename? info57_806.html

From jamesd at echeque.com Sun Jan 7 22:53:10 1996
From: jamesd at echeque.com (James A. Donald)
Date: Mon, 8 Jan 1996 14:53:10 +0800
Subject: NSA says strong crypto to China?
Message-ID: <199601080625.WAA21243@blob.best.net>

At 03:23 PM 1/7/96 -0600, Alex Strasheim wrote:
> But I don't necessarily look at the
> NSA as an enemy. Right now we're on opposite sides of an important issue,
> and I think they're doing a lot of damage. But I tend to think that they
> believe what they're doing is in the national interest. They're trying
> to defend democracy -- our democracy, at least.

I see no sign that NSA is capable of distinguishing between the interest of the state and the interest of the nation.

It is perfectly clear that the threat that NSA is primarily concerned with comes from within, not from without.

> So the question we ought to be putting to the NSA is this: isn't it in
> the best interest of the United States and the other capitalist Western
> democracies to impose the first amendment on the rest of the world?

There is this big myth, spread partly by the US government, and partly by the radical left, notably Chomsky, that the US has been protecting the world against socialism: This is a load of old bananas. The US government has been pro socialist -- not as pro socialist as the IMF, and the IMF has not been as pro socialist as the Soviets -- but the US has still been shoving socialism down people's throats in a heavy handed way, because they could get away with that kind of stuff abroad, when they cop hell for it at home.

The nastiest piece of socialism was arguably the land reform scheme in El Salvador, which converted the peasants from tenants of a few powerful rural landlords, to serfs on state run collective farms.
This screwed up agriculture big time, and the peasants detested it.

If you want to use land reform to make peasants into anti communists, you use the method so successfully used in Taiwan. You make it possible for the peasant to buy land, and encourage him to buy land, and once he has some land of his own, and has sacrificed in order to obtain it, you can then trust him to resist communism. If there are communist guerrillas around, you should give him a shotgun.

The US government followed a very different strategy in El Salvador, from which we may conclude that just as the South Vietnamese government considered that robbing the Montagnards, and rendering them powerless and afraid was more important than resisting North Vietnamese communism, the US government similarly considered that suppressing private property, was more important than resisting communist infiltration in El Salvador.

El Salvador was vulnerable to communism because only two hundred families owned everything worth owning. If you want to prevent communism the kind of land reform you need is land reform that allows more people to acquire individual property rights.

> I don't think the NSA is out to suppress our liberties.
> [...] it is a mistake to think of them as evil, as people who
> will tell any lie to get what they want.

I disagree. Two government officials, one of whom is a communist, have more in common than two communists, one of whom is a government official.

The NSA is on the same side as the Chinese government, and if Chinese dissidents used crypto with US GAK, this information would be exchanged with the Chinese government.

---------------------------------------------------------------------
                                      |
We have the right to defend ourselves | http://www.jim.com/jamesd/
and our property, because of the kind |
of animals that we are. True law      | James A. Donald
derives from this right, not from the |
arbitrary power of the state.
| jamesd at echeque.com

From futplex at pseudonym.com Sun Jan 7 23:50:13 1996
From: futplex at pseudonym.com (Futplex)
Date: Mon, 8 Jan 1996 15:50:13 +0800
Subject: e$ payee anonymity (Was: e$: Come aaaannnndddd Get it!)
Message-ID: <199601080435.XAA20775@thor.cs.umass.edu>

Still working through my 10MB cpunks mail backlog; this one's from November 17, 1995:

jim bell writes [msg #0]:
> It seems to me that this should be possible, within limits, if the potential
> payee could generate a "blinded" note to be delivered to the payer by
> anonymous means. The payer could get the note certified by the bank,
> possibly given an extra "blind" if necessary (is this possible? Desirable?
> Why not?) and then the resulting still-blinded but certified note is posted
> (in encrypted form, I supposed) to the 'net so that only the payee can
> decrypt and unblind it.

I wrote:
# This sounds like a version of "Hey, I'll pay you $10, if you give me a ten
# dollar bill first." As I understand your protocol, Bob gives Alice an enote,
# then Alice gives Bob an enote. [...]

jim bell writes [msg #1]:
> It sounds like you understand even less about the details of digital cash
> than I do.
>
> First, read the August 1992 issue of Scientific American, the article by
> David Chaum. He explains, with a certain amount of detail, how blinded
> digital cash operates. To become validated and worth money, it first has to
> be electronically "written," blinded, and then signed by the bank. Then it
> is unblinded, at which point it can be spent.
>
> What I was saying is that the notes would be written by the payee, then
> blinded by the payee, given to the payer, and then signed by the payer's
> bank. At this point, they are worth money, and they are then returned to
> the payee, [...]

Aha, thanks for the elaboration. I was confused by your use of the term "note" to describe something that isn't in fact worth money, when you said "the potential payee could generate a "blinded" note to be delivered to the payer". It also helps that I haven't read much of the ecash(tm :) protocol details :}

Futplex
"KC who?"

From jsw at netscape.com Mon Jan 8 00:09:57 1996
From: jsw at netscape.com (Jeff Weinstein)
Date: Mon, 8 Jan 1996 16:09:57 +0800
Subject: NSA says strong crypto to China?
In-Reply-To: <199601071553.KAA18768@pipe3.nyc.pipeline.com>
Message-ID: <30F0CE52.6E04@netscape.com>

Alex Strasheim wrote:
> That's what this list is all about: we're trying to impose certain civil
> liberties on the world using a strategy that's based on anarchy theory.
> That theory tells us that if we can distribute tools and establish
> standards we'll secure privacy and free speech rights regardless of what
> governments do. That's a very startling idea, and I believe it's sound.
> I believe that it's possible to impose the first amendment on the entire
> world by distributing crypto software.
>
> So the question we ought to be putting to the NSA is this: isn't it in
> the best interest of the United States and the other capitalist Western
> democracies to impose the first amendment on the rest of the world?
>
> I don't see how anyone could argue that it isn't.

I think that you are putting too much faith in both the western governments and the citizens of those countries.
If you read the article that I originally quoted, you will find that the author (in the UK) feels that the first amendment gives us in the US too much freedom of speech. I think that many (perhaps most) feel the same way. They are willing to give up their liberty for some dubious protections as Ben Franklin spins in his grave.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw at netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.

From evan at darkstar.cygnus.com Mon Jan 8 00:36:43 1996
From: evan at darkstar.cygnus.com (Evan Ravitz)
Date: Mon, 8 Jan 1996 16:36:43 +0800
Subject: DNow2 Re: Hammill 1987 speech
In-Reply-To: <199601080601.WAA09591@netcom4.netcom.com>
Message-ID:

On Sun, 7 Jan 1996, Vladimir Z. Nuri wrote:
> while I agree with the libertarian that there are many problems with
> governments, I see no reason to believe that libertarians are proposing
> a workable alternative,
>
> rabid libertarianism reminds me of Marxism: sounds great in theory, and
> you might even convince large parts of the population or key people in
> power to follow it. but does it truly present an implementable and workable
> alternative? where are the specifics?

Well put. And where is there a model that works? In Switzerland we have a model of 148 years of true democracy, where the people propose and vote on legislation. One result is that "pork-barrel" is minimal, because citizens won't vote for it!

Libertarians would generally prefer it to government by a parasitic ruling class. And libs could propose and perhaps pass laws to try out their ideas. Here you are limited to begging for mercy.

Sure, theoretically, encrypted financial transactions on the 'net will inhibit taxation, but Congress seems likely to nip that in the bud, massive begging notwithstanding.
The 'net could be used for the interaction of true democracy (along with the more available Plain Old Telephone System, fax, paper, etc), as well as for beggary.

The Swiss experience for 148 years is available for review from the very first link from our web site:

Evan Ravitz, director, VOTING BY PHONE FOUNDATION: evanr at vote.org
Electronic democracy! From the directors of the U.S. National Science Foundation's 1974 Televote trials and Boulder's 1993 ballot initiative:
http://www.vote.org/v
A FUTURE PASTURES PRESENTATION (303)440-6838 fon/fax
"What government is best? That which teaches us to govern ourselves." -Goethe

From jirib at sweeney.cs.monash.edu.au Mon Jan 8 03:34:43 1996
From: jirib at sweeney.cs.monash.edu.au (Jiri Baum)
Date: Mon, 8 Jan 1996 19:34:43 +0800
Subject: A couple of ideas for PGP-based programs
In-Reply-To: <2.2.32.19960106103250.00947438@mail.teleport.com>
Message-ID: <199601081126.WAA24401@sweeney.cs.monash.edu.au>

Hello cypherpunks at toad.com
and Alan Olsen

...
> 1) Something I would like to see on the keyservers for PGP is a way of
> retrieving all of the key revocations since x date without having to get all of
...

Probably a good idea (that, and/or have a mailing list with key revocations). How about it, keys.pgp.net people?

> 2) I would like to see a program like private Idaho have the ability to send
> mail to the key server and grab all of the "unknown signator" keys.
...

This is very easy, at least in Unix: pgp -kvv, grep, cut, for.

In DOS, you can do pgp -kvv and find, then edlin to change every "sig" into "call getkey", call the resulting (batch) file, which will call GETKEY.BAT for every missing key. I hope.

However, I don't see much of a point to it: these are people you don't even know the keys of; how are you going to know whether they are trustworthy? (The Web-o-Trust can only tell you who they are, not whether to trust them.)

...
> This would
> have the interesting effect of building a more complete keyring, while using
> the "web of trust" to weed out a lot of the bogus keys that tend to crop up on
> the key servers. After n number of iterations you would have more of the
> "important keys" and the ones that have little or no signage would be left to
...

No, you wouldn't. You would tend to have the keys that sign a lot of other keys, which would include both SLED (Four-11) and a lot of careless people that sign every key in sight.

How about, instead:

3) A way to retrieve all the keys signed by a given entity.

This would have the effect that when you come to trust Alice, you can simply go and get all the keys she signed. I believe the present keyservers don't allow that... (Or else I don't know how to ask for it.)

Hope that makes sense...

Adiau - Jiri

--
If you want an answer, please mail to . On sweeney, I may delete without reading!
PGP 463A14D5 (but it's at home so it'll take a day or two)
PGP EF0607F9 (but it's at uni so don't rely on it too much)

From vince at dsi.unimi.it Mon Jan 8 04:43:59 1996
From: vince at dsi.unimi.it (David Vincenzetti)
Date: Mon, 8 Jan 1996 20:43:59 +0800
Subject: (cpx) Re: Why can't I get PGP from MIT (fwd)
Message-ID: <199601081234.AA104254454@idea.sec.dsi.unimi.it>

> >I believe I had a problem when I wanted to get PGP coming from
> >internexus.net (New Jersey). I just e-mailed them about it and I think
> >they just added the site to their 'acceptable' list. I did a traceroute
> >to why.net and noticed that it is very close to me, coming off of
> >SprintNet... probably the same situation.
>
> Internexus.net has been added to the list.
The heuristic that the MIT site
> enforces is as follows:
>
> o To get access you must properly answer some questions regarding export control
> law and licensing.
>
> o Your host must have an "inverse" DNS mapping so we can learn its name.
>
> o Your host's name must end in either ".EDU", ".COM", ".MIL", ".GOV", ".US",
> or ".CA".
>
> *or*
>
> Be on our exception list.
>
> All the ".NET's" and ".ORG's" need to be "excepted."

*or* just get it from ftp.dsi.unimi.it! Use the ftp INDEX command upon being connected.

Most of US's crypto software, in fact, has already been exported to Europe and is *freely* available at ftp.dsi.unimi.it

Ciao,
David

From cg at bofh.toad.com Mon Jan 8 06:27:34 1996
From: cg at bofh.toad.com (Cees de Groot (none))
Date: Mon, 8 Jan 1996 22:27:34 +0800
Subject: Domains, InterNIC, and PGP (and physical locations of hosts, to boot)
In-Reply-To:
Message-ID: <199601081009.LAA27006@bofh.cdg.openlink.co.uk>

>
> Again, I'm not too sure of the viability of this proposal. Not on
> effectiveness of proving true location -- it is more geared toward
> "visual 3-D packet tracing" -- but simply because I have _no_ fricking
> idea where our machines are (in terms of lat and long) to any degree
> of accuracy. ("They're somewhere in PA." Brilliant, you can find that
> out via WHOIS.) The document suggests using GPS to locate your true
> location, but I'll be damned if my boss is going to spend $1,000 just
> so I can have more DNS entries to maintain...
>

I think a call to your local land registry office will get you a quite precise bearing (although I never bothered to actually do that, not even in the time when people were doing that for UUCP maps).

It doesn't solve the problem for LISP's, however - last time I checked it, MIT gave me happily access from my CIS account...
--
Cees de Groot, OpenLink Software
262ui/2048: ID=4F018825 FP=5653C0DDECE4359D FFDDB8F7A7970789 [Key on servers]
http://web.inter.nl.net/users/inter.NL.net/C/C.deGroot

From raph at CS.Berkeley.EDU Mon Jan 8 06:58:23 1996
From: raph at CS.Berkeley.EDU (Raph Levien)
Date: Mon, 8 Jan 1996 22:58:23 +0800
Subject: List of reliable remailers
Message-ID: <199601081450.GAA30457@kiwi.cs.berkeley.edu>

I operate a remailer pinging service which collects detailed
information about remailer features and reliability.

To use it, just finger remailer-list at kiwi.cs.berkeley.edu

There is also a Web version of the same information, plus lots of
interesting links to remailer-related resources, at:
http://www.cs.berkeley.edu/~raph/remailer-list.html

This information is used by premail, a remailer chaining and PGP
encrypting client for outgoing mail, which is available at:
ftp://ftp.csua.berkeley.edu/pub/cypherpunks/premail/premail-0.33a.tar.gz

For the PGP public keys of the remailers, finger
pgpkeys at kiwi.cs.berkeley.edu

This is the current info:

REMAILER LIST

This is an automatically generated listing of remailers. The first
part of the listing shows the remailers along with configuration
options and special features for each of the remailers. The second
part shows the 12-day history, and average latency and uptime for each
remailer. You can also get this list by fingering
remailer-list at kiwi.cs.berkeley.edu.

$remailer{"extropia"} = " cpunk pgp special";
$remailer{"portal"} = " cpunk pgp hash";
$remailer{"alumni"} = " cpunk pgp hash";
$remailer{"bsu-cs"} = " cpunk hash ksub";
$remailer{"c2"} = " eric pgp hash reord";
$remailer{"penet"} = " penet post";
$remailer{"ideath"} = " cpunk hash ksub reord";
$remailer{"hacktic"} = " cpunk mix pgp hash latent cut post ek";
$remailer{"flame"} = " cpunk mix pgp. hash latent cut post reord";
$remailer{"rahul"} = " cpunk pgp hash filter";
$remailer{"mix"} = " cpunk mix pgp hash latent cut ek ksub reord ?";
$remailer{"ford"} = " cpunk pgp hash ksub ek";
$remailer{"hroller"} = " cpunk pgp hash latent ek";
$remailer{"vishnu"} = " cpunk mix pgp. hash latent cut ek ksub reord";
$remailer{"robo"} = " cpunk hash mix";
$remailer{"replay"} = " cpunk mix pgp hash latent cut post ek";
$remailer{"spook"} = " cpunk mix pgp hash latent cut ek reord";
$remailer{"rmadillo"} = " mix cpunk pgp hash latent cut ek";
$remailer{"ecafe"} = " cpunk mix";
$remailer{"wmono"} = " cpunk mix pgp. hash latent cut";
$remailer{"shinobi"} = " cpunk mix hash latent cut ek reord";
$remailer{"amnesia"} = " cpunk mix pgp hash latent cut ek ksub";
$remailer{"gondolin"} = " cpunk mix pgp hash latent cut ek reord";
$remailer{"tjava"} = " cpunk mix pgp hash latent cut";
$remailer{"pamphlet"} = " cpunk pgp hash latent cut ?";
$remailer{'alpha'} = ' alpha pgp';
$remailer{'gondonym'} = ' alpha pgp';

catalyst at netcom.com is _not_ a remailer.
lmccarth at ducie.cs.umass.edu is _not_ a remailer.
usura at replay.com is _not_ a remailer.

Groups of remailers sharing a machine or operator:
(c2 robo hroller alpha)
(gondolin gondonym)
(flame hacktic replay)
(alumni portal)
(vishnu spook wmono)

Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys
for the remailers. Fingering this address works too.

Note: all of the "ek" tags have been verified correct. Apologies to
those who were inconvenienced by incorrect "ek" tags in the past.

Last update: Mon 8 Jan 96 6:47:57 PST

remailer  email address                     history        latency   uptime
-----------------------------------------------------------------------
replay    remailer at replay.com            *+****+***+*      6:11  100.00%
bsu-cs    nowhere at bsu-cs.bsu.edu         #++*##*++#+#      2:43   99.99%
hroller   hroller at c2.org                 .-#*#--#-###     12:12   99.98%
flame     remailer at flame.alias.net       +-++++++++++   1:14:40   99.98%
pamphlet  pamphlet at idiom.com             --++++++++++     48:13   99.98%
c2        remail at c2.org                  .-***--*-+**     29:43   99.97%
rmadillo  remailer at armadillo.com         ###########       3:46   99.95%
mix       mixmaster at remail.obscura.com   --+--------    3:03:29   99.95%
tjava     remailer at tjava.com             *#*#__-+####   5:22:45   99.93%
amnesia   amnesia at chardos.connix.com     ------+--+-+   3:32:22   99.90%
ecafe     cpunk at remail.ecafe.org         #___.#**####   9:32:42   99.88%
hacktic   remailer at utopia.hacktic.nl     ****** ***+*      8:42   99.83%
penet     anon at anon.penet.fi             ++++++-----    4:54:49   99.74%
vishnu    mixmaster at vishnu.alias.net     - -**-++*+*      37:22   99.59%
ford      remailer at bi-node.zerberus.de   --++++..--.   10:22:10   99.58%
alumni    hal at alumni.caltech.edu         *-- # -+*+*#     13:39   99.47%
portal    hfinney at shell.portal.com       #- ########       5:54   99.42%
spook     remailer at valhalla.phoenix.net  --.-+ --.-*    4:03:17   98.30%
wmono     wmono at valhalla.phoenix.net     *** *            17:40   93.55%
rahul     homer at rahul.net                +####+######      1:29   99.99%
extropia  remail at extropia.wimsey.com     --------       4:58:18   72.87%
shinobi   remailer at shinobi.alias.net     +++- -+        2:02:20   63.07%

History key
* # response in less than 5 minutes.
* * response in less than 1 hour.
* + response in less than 4 hours.
* - response in less than 24 hours.
* . response in more than 1 day.
* _ response came back too late (more than 2 days).

cpunk
    A major class of remailers. Supports Request-Remailing-To: field.
eric
    A variant of the cpunk style. Uses Anon-Send-To: instead.
penet
    The third class of remailers (at least for right now). Uses
    X-Anon-To: in the header.
pgp
    Remailer supports encryption with PGP. A period after the keyword
    means that the short name, rather than the full email address,
    should be used as the encryption key ID.
hash
    Supports ## pasting, so anything can be put into the headers of
    outgoing messages.
ksub
    Remailer always kills subject header, even in non-pgp mode.
nsub
    Remailer always preserves subject header, even in pgp mode.
latent
    Supports Matt Ghio's Latent-Time: option.
cut
    Supports Matt Ghio's Cutmarks: option.
post
    Post to Usenet using Post-To: or Anon-Post-To: header.
ek
    Encrypt responses in reply blocks using Encrypt-Key: header.
special
    Accepts only pgp encrypted messages.
mix
    Can accept messages in Mixmaster format.
reord
    Attempts to foil traffic analysis by reordering messages. Note:
    I'm relying on the word of the remailer operator here, and haven't
    verified the reord info myself.
mon
    Remailer has been known to monitor contents of private email.
filter
    Remailer has been known to filter messages based on content. If
    not listed in conjunction with mon, then only messages destined
    for public forums are subject to filtering.

Raph Levien

From jamesd at echeque.com Mon Jan 8 07:28:25 1996
From: jamesd at echeque.com (James A. Donald)
Date: Mon, 8 Jan 1996 23:28:25 +0800
Subject: NSA says strong crypto to China?
Message-ID: <199601081514.HAA03562@blob.best.net>

At 11:05 PM 1/7/96 -0800, Rich Graves wrote:
>The NSA is logically allied with other organizations of greater
>repressiveness, inasmuch as it is not really in the interest of the NSA to
>pursue absolute freedom anywhere. Certainly they have no desire for anyone
>in the world to enjoy privacy. However, this logical symmetry does not
>translate to practical collaboration. You think the NSA and the Chinese
>government trust each other at all? They're spying on each other.

They have common interests and conflicting interests.

They have a common interest in repressing Chinese dissidents, to keep the
world safe for National Security Agencies.
--------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From llurch at networking.stanford.edu Mon Jan 8 07:40:33 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 8 Jan 1996 23:40:33 +0800 Subject: NSA says strong crypto to China? In-Reply-To: <199601080625.WAA21243@blob.best.net> Message-ID: On Sun, 7 Jan 1996, James A. Donald wrote: > At 03:23 PM 1/7/96 -0600, Alex Strasheim wrote: > > But I don't necessarily look at the > > NSA as an enemy. Right now we're on opposite sides of an important issue, > > and I think they're doing a lot of damage. But I tend to think that they > > believe what they're doing is in the national interest. They're trying > > to defend democracy -- our democracy, at least. > > I see no sign that NSA is capable of distinguishing between the > interest of the state and the interest of the nation. Agreed. They're a bureaucracy and a statist entity. But states are distinct and antagonistic entities. There's no world government. As someone who worked with Terry Karl in El Salvador, I also think your Central American history is a bit off, but that's off topic, and normal for the US. Agreed that Chomsky is usually rather weak on the facts, which is why he is seldom cited in academic journals; he's really just a darling of the press, because the man exudes eggheadedness and erudite sarcasm. He never should have strayed from developmental linguistics. > Two government officials, one of whom is a communist, have > more in common than two communists, one of whom is a government > official. The NSA is on the same side as the Chinese government, > and if Chinese dissidents used crypto with US GAK, this information > would be exchanged with the Chinese government. 
I don't see this happening. The NSA is logically allied with other organizations of greater repressiveness, inasmuch as it is not really in the interest of the NSA to pursue absolute freedom anywhere. Certainly they have no desire for anyone in the world to enjoy privacy. However, this logical symmetry does not translate to practical collaboration. You think the NSA and the Chinese government trust each other at all? They're spying on each other. One certainly observes strange bedfellow situations among three letter agencies (the Iran/Contra affair; Cuban and South African aiding of insurgents of every political stripe; US intelligence information on Iran provided to Iraq); but one also observes strange conflicts (the Pollard affair, Israel's spying on the US; back to Dreyfuss; intrigue within the EC). -rich From jya at pipeline.com Mon Jan 8 08:08:27 1996 From: jya at pipeline.com (John Young) Date: Tue, 9 Jan 1996 00:08:27 +0800 Subject: Cite for Toad Hop Message-ID: <199601081558.KAA11884@pipe4.nyc.pipeline.com> There have been inquiries on the source of the "Toad Hop" material, some from places to which it was forwarded. As noted on cypherpunks earlier, the material is directly from: Jonathan Littman, an investigative reporter, has published "The Fugitive Game: Online With Kevin Mitnick," Little Brown, 1996. 381 pp. $23.95. ISBN 0-316-52858-7. It is a dramatic recount of Mitnick's exploits; the pursuit by Shimomura, Markoff, telcos and Feds; the bust and Markoff's tales; The Well controversies and disputes about what really happened; suspicions of Shimomura and Markoff - their complicity with TLAs, their movie and book dealings, their disputes with hackers and journalists. What Mitnick was telling Littman while a fugitive. 
From olbon at dynetics.com Mon Jan 8 09:36:19 1996
From: olbon at dynetics.com (Clay Olbon II)
Date: Tue, 9 Jan 1996 01:36:19 +0800
Subject: Key Expiration (was: Revoking Old Lost Keys)
Message-ID:

Numerous people over the last few days have suggested key expiration dates.
Viacrypt advertises this for their commercial version of pgp. Has anyone
used this feature or know how it works (i.e. how does it remain interoperable
with other versions of pgp, or does the expiration feature only work with
other viacrypt users?)

Clay

- ------------------------------------------------------------------------
Clay Olbon II           | olbon at dynetics.com
Systems Engineer        | ph: (810) 589-9930 fax 9934
Dynetics, Inc., Ste 302 | http://www.msen.com/~olbon/olbon.html
550 Stephenson Hwy      | PGP262 public key: finger olbon at mgr.dynetics.com
Troy, MI 48083-1109     | pgp print: B97397AD50233C77523FD058BD1BB7C0
"To escape the evil curse, you must quote a bible verse; thou shalt not ...
Doooh" - Homer (Simpson, not the other one)
- ------------------------------------------------------------------------

From evan at darkstar.cygnus.com Mon Jan 8 09:40:29 1996
From: evan at darkstar.cygnus.com (Evan Ravitz)
Date: Tue, 9 Jan 1996 01:40:29 +0800
Subject: DNow2 Re: Hammill 1987 speech
In-Reply-To: <199601080601.WAA09591@netcom4.netcom.com>
Message-ID:

On Sun, 7 Jan 1996, Vladimir Z. Nuri wrote:

> when you focus your attempts on creating a system that embodies your
> ideals...you will make far more
> progress in developing your ideas and convincing the world to follow you
> than any number of essays can accomplish.
As well as the Swiss direct democratic system, at the other end of the
scale, the poorest people of the Americas have the same idea. The Zapatista
rebels, laboriously "making all the major decisions by the referendum" in 8
Mayan languages in the jungles and mountains of Chiapas, have stood off the
US-funded Mexican army for 2 years and a week now.

Here's what Bishop of Chiapas Samuel Ruiz, now the world's foremost exponent
of "liberation theology" has to say:

From: Bill Stivers
Newsgroups: misc.activism.progressive
Subject: Bishop Ruiz: EZLN Calls People to Civil-Political Action
Followup-To: alt.activism.d
Date: 25 Dec 1995 05:12:59 GMT

Enclosure one was excerpted from Latinamerica Press, Nov. 23, 1995. LP
contributor Dauno Totoro Taulis interviewed Chiapas Bishop Samuel Ruiz.

-------------

LP: Does the indigenous uprising in Chiapas contradict the dream of justice
and fraternity among men and women?

Ruiz: One must look at the facts. Something awaits the world, something
that can come out of all this. Perhaps it is a certain model, a road to
greater citizen participation in the transformation
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
of their own reality. The EZLN (Zapatista National Liberation Army) has not
called on the people to rise up in arms, it has called on them to rise up as
civic-political actors.

It is curious that, after 500 years, when nobody was expecting there to be
articulated indigenous groups but only "conquered Indians," it is precisely
these Indians who are motivating us to change, to participate. It is
surprising that the most marginalized inhabitants of the continent, who are
on the social floor, are those who are rising up with the prospects of a
transforming success.

A voice is being heard from those living in a culture distinct from the
West, from the heart of the communitarian concept. It is an ancient voice
that has never been heard before--and for this reason appears as a new
voice--and it offers a successful alternative for everyone.

Besides it was always thought that we had to "rescue" the Indians, that we
had to help them, and now they are offering the possibility of renovation
for us.

LP: Isn't it contradictory that to talk of peace, the communities had to
take up arms?

Ruiz: What is new is that those who have risen up in arms did not make the
same decision as the continent's other known armed movements, which believed
that to achieve justice they first had to take power. The EZLN does not
espouse this idea.

This is war for peace, a war so that there is peace, a war in which they are
not asking others to rise up in arms but to rise up as subjects of a
transformation. It is not an armed group talking with a government to reach
partial accords, but a people, an organized civil society, that is
transforming itself through social change. It is a search that has
returned to the subject and protagonist of history, the citizen, the
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
right and duty for his or her own transformation.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Evan Ravitz, director, VOTING BY PHONE FOUNDATION: evanr at vote.org
Electronic democracy! From the directors of the U.S. National Science
Foundation's 1974 Televote trials and Boulder's 1993 ballot initiative:
http://www.vote.org/v
A FUTURE PASTURES PRESENTATION (303)440-6838 fon/fax
"What government is best? That which teaches us to govern ourselves." -Goethe

From skc at huge.net.hk Mon Jan 8 09:51:10 1996
From: skc at huge.net.hk (Shri)
Date: Tue, 9 Jan 1996 01:51:10 +0800
Subject: [Fwd: Re: ABOI: Desperate User Support]
Message-ID: <30F17C73.4765@huge.net.hk>

Seen on Alt.best.of.internet. Would love to find out if this is true!

Shri

> > Origination: alt.sysadmin.recovery
> > Originator: jerry at worf.tcs.com (Jerry Carlin)
> >Original Subject: support call - urban legand or fact?
> > Date: 27 Jul 1995 16:44:18 -0700
> >... (many forwards deleted)...
> > >This falls into the "Why did it have to happen on *MY* shift?" category. > > >A friend of mine is a chief engineer at SuperMac, and he related this > >story to me. > > >SuperMac records a certain number of technical support calls at random, > >to keep tabs on customer satisfaction. By wild "luck", they managed to > >catch the following conversation on tape. > > >Some poor SuperMac TechSport got a call from some middle level official... > >from the legitimate government of Trinidad. The fellow spoke very good > >English, and fairly calmly described the problem. > > >It seemed there was a coup attempt in progress at that moment. However, > >the national armoury for that city was kept in the same building as the > >Legislature, and it seems that there was a combination lock on the door > >to the armoury. Of the people in the capitol city that day, only the > >Chief of the Capitol Guard and the Chief Armourer knew the combination to > >the lock, and they had already been killed. > > >So, this officer of the government of Trinidad continued, the problem is > >this. The combination to the lock is stored in a file on the Macintosh, > >but the file has been encrypted with the SuperMac product called Sentinel. > >Was there any chance, he asked, that there was a "back door" to the > >application, so they could get the combination, open the armoury door, > >and defend the Capitol Building and the legitimately elected government > >of Trinidad against the insurgents? > > >All the while he is asking this in a very calm voice, there is the sound > >of gunfire in the background. The Technical Support guy put the person on > >hold. A phone call to the phone company verified that the origin of the > >call was in fact Trinidad. Meanwhile, there was this mad scramble to see > >if anybody knew of any "back doors" in the Sentinel program. > > >As it turned out, Sentinel uses DES to encrypt the files, and there was > >no known back door. 
The Tech Support fellow told the customer that aside > >from trying to guess the password, there was no way through Sentinel, and > >that they'd be better off trying to physically destroy the lock. > > >The official was very polite, thanked him for the effort, and hung up. > >That night, the legitimate government of Trinidad fell. One of the BBC > >reporters mentioned that the casualties seemed heaviest in the capitol, > >where for some reason, there seemed to be little return fire from the > >government forces. > > >O.K., so they shouldn't have kept the combination in so precarious a > >fashion. But it does place, "I can't see my Microsoft Mail server" > >complaints in a different sort of perspective, does it not? From abacard at well.com Mon Jan 8 09:56:59 1996 From: abacard at well.com (Andre Bacard) Date: Tue, 9 Jan 1996 01:56:59 +0800 Subject: PLAYBOY Magazine, Raph Levien & Remailers Message-ID: <199601081743.JAA22884@well.com> Hello Remailer Users, The current PLAYBOY magazine refers readers to the web site of Raph Levien, "The Remailer Guru." Raph's site focuses upon remailers. See the February 1996 PLAYBOY Forum (pages 33-35) interview with yours truly, Andre Bacard, entitled "The Computers Have Eyes." See you in the future, Andre Bacard ====================================================================== abacard at well.com Bacard wrote "The Computer Privacy Stanford, California Handbook" [Intro by Mitchell Kapor]. http://www.well.com/user/abacard Published by Peachpit Press, (800) Enjoy your privacy... 283-9444, ISBN # 1-56609-171-3. 
======================================================================= From llurch at networking.stanford.edu Tue Jan 9 02:19:52 1996 From: llurch at networking.stanford.edu (Richard Charles Graves) Date: Tue, 9 Jan 96 02:19:52 PST Subject: Microsoft white paper on Access "security" Message-ID: <199601091019.CAA27132@Networking.Stanford.EDU> Apparently the file name of the official position on Access security is wx1051.exe. It should be on CompuServe and www/ftp.microsoft.com. Among other wondrous things, Peter Miller writes in article <4crdu2$gua at news-e1a.megaweb.com> in comp.databases.ms-access: BTW, there's a typo in the White Paper. Where it says Access security relies upon 'RSA4 data encryption', they meant to say 'you not knowing the difference between a secure database application, and one that just contains a bunch of security dialogs that confuses the average user, but fails to protect either your code or your data'. I bet someone's going to have a lot of fun with this one!!! -rich From frissell at panix.com Tue Jan 9 02:57:43 1996 From: frissell at panix.com (Duncan Frissell) Date: Tue, 9 Jan 96 02:57:43 PST Subject: phone calls from hell Message-ID: <2.2.32.19960109105852.00911118@panix.com> At 12:48 AM 1/9/96 +0100, Anonymous wrote: >Media reports said that the explosion was set off by >remote control when Ayyash answered a call to him. It is >not known how the identity of Ayyash was ascertained. NBC News reported Monday that it was a Motorola phone, that Israel cut the landlines to the house to encourage cellular use, that *the* call came from the Engineer's *father*, and that an Israeli aircraft overhead triggered the blast after assuring itself (by voice info) that the Engineer was using the phone. DCF From reagle at rpcp.mit.edu Mon Jan 8 11:01:11 1996 From: reagle at rpcp.mit.edu (Joseph M. Reagle Jr.) 
Date: Tue, 9 Jan 1996 03:01:11 +0800
Subject: "Microsoft.com" added to my KILL file
Message-ID: <9601081654.AA03388@rpcp.mit.edu>

Tim and Lucky were talking....

>>embedded spreadsheets and embedded graphics. And as for attachments, such
>>as attaching programs for running on a machine, mailing list messages are a
>>very poor way to distribute such programs, for many reasons.

To say nothing of the risk of some nasty Word virus or other malicious
executable.

_______________________
Regards,           Truth can never be told so as to be understood,
                   and not be believed. -William Blake
Joseph Reagle      http://farnsworth.mit.edu/~reagle/home.html
reagle at mit.edu   0C 69 D4 E8 F2 70 24 33 B4 5E 5E EC 35 E6 FB 88

From stend at cris.com Mon Jan 8 11:13:57 1996
From: stend at cris.com (Sten Drescher)
Date: Tue, 9 Jan 1996 03:13:57 +0800
Subject: [NOISE] Re: get mix-installer. (fwd)
In-Reply-To: <199601060236.UAA04326@einstein.ssz.com>
Message-ID: <55ag3ya50k.fsf_-_@galil.austnsc.tandem.com>

Jim Choate said:

JC> Who the fuck elected you reputation monitor. You should chill.

You did, when you decided to trash Adam in public.

JC> Please refrain from sending any more posts to me privately that are
JC> not directly crypto related. I have better things to do than listen
JC> to your rantings and raving. If Adam and I have a problem then we
JC> will work it out without! your involvement.

Then you shouldn't have involved the entire mailing list in the first
place.

From ee380 at shasta.Stanford.EDU Mon Jan 8 11:20:13 1996
From: ee380 at shasta.Stanford.EDU (ee380)
Date: Tue, 9 Jan 1996 03:20:13 +0800
Subject: W 4:15 ** Markoff and Shimomura on the pursuit of Kevin Mitnick, ComputerCriminal
Message-ID: <199601081859.KAA28612@netcom6.netcom.com>

Highly edited announcement perhaps of interest to SF Bay Area cpunks. My
apologies to those that are not interested in the subject.
- Bill Frantz

EE380 Computer Systems Colloquium

Date: Wednesday, Jan 10,1995
Time: 4:15-5:30 pm
Location: Skilling Auditorium, Stanford University, Stanford, CA

Speakers: John Markoff, New York Times
          Tsutomu Shimomura, San Diego Supercomputer Center

Title: Takedown: The Capture of Kevin Mitnick

Abstract

Shimomura and Markoff will talk about the pursuit and capture of Kevin
Mitnick, a 32-year old computer programmer who was arrested in Raleigh,
N.C. last year by the FBI, after Shimomura, working on behalf of several
Internet service providers, traced him to an apartment complex on the
outskirts of the city. Shimomura and Markoff have cooperated to write a
soon to be released book about the pursuit, Takedown (Hyperion 1996)

************************************************************************
* EE380 is the Computer Systems Laboratory Colloquium. The Colloquium  *
* meets most Wednesdays throughout the normal academic year.           *
*                                                                      *
* For information on the class send e-mail with a subject line         *
* mentioning "info" in the subject line to ee380 at shasta.stanford.edu. *
*                                                                      *
* WWW Page: http://www-leland.stanford.edu/class/ee380                 *
************************************************************************

From stend at cris.com Mon Jan 8 11:20:44 1996
From: stend at cris.com (Sten Drescher)
Date: Tue, 9 Jan 1996 03:20:44 +0800
Subject: phone calls from hell
In-Reply-To:
Message-ID: <5591jia4qo.fsf@galil.austnsc.tandem.com>

jim bell said:

jb> Sorta gives new meaning to the term "_Terminate_ and Stay Resident"
jb> program, doesn't it?!?

Wouldn't that be "Stay Resident and Terminate" or "Stay and
Terminate Resident"?

jb> (Or "end of file.")

--
#include /* Sten Drescher */
To get my PGP public key, send me email with your public key and
Subject: PGP key exchange
Key fingerprint = 90 5F 1D FD A6 7C 84 5E A9 D3 90 16 B2 44 C4 F3
Unsolicited email advertisements will be proofread for a US$100 fee.

From kent at trouble.WV.TEK.COM Mon Jan 8 12:05:23 1996
From: kent at trouble.WV.TEK.COM (Kent Dahlgren)
Date: Tue, 9 Jan 1996 04:05:23 +0800
Subject: Cool story.
In-Reply-To:
Message-ID:

I'm in the Air Guard and have been for almost 10 years. I work in the
crypto vault, which is really really boring. But we keep it interesting by
shredding pieces of cardboard in the outer vault and yelling to my chief
"...O.K. CHIEF...I'M SHREDDING THE PICTURES OF THE CRASH SITE IN
NEVADA...YOU WANT ME TO SHRED THEM ALL?"

Anyhow, last summer our material controller got tasked by (I think) the OSI
to do this emergency audit on this unit's material control section up in
Washington.

There's these cool safes that we use to store our crypto in that look kinda
like the ones behind Trey at: http://www.msen.com/~olbon/trey.html

These safes are only built and sold for DOD use; you can't buy them as
civilians. At least these specific ones are.

So it turns out that the guy who was in charge of the supplies of this unit
was selling all kinds of stuff at his garage sales, including some of these
safes. This civilian bought a safe and a year or so later it stopped
working, so he called the phone number on the metal tag that's on the safe.
The conversation went like this:

Safe manufacturer: Hello?
Civilian: Yeah, I got this safe of yours and it's broken.
SM: What unit are you with?
C: HUH?
SM: Who are you?
C: Look, I don't like your attitude. What does it matter who I am...who are
   you?!? I want this thing fixed.
SM: Are you with the military?
C: No, why would I be?
SM: Can I put you on hold for a second, please don't hang up.

You can guess the rest. It didn't take them long to figure out what
happened, and the material control guy who sold the safe cut town. But they
got him.

At least that's how I heard it. I hate to relay these things second hand,
but looking at Trey's picture made me remember it.
______________________________________________________________________________
______ T E K T R O N I X _ C P I D _ T E C H N I C A L _ S U P P O R T _______ /
Voice:   1.800.835.6100      E-mail:  support at colorprinters.tek.com
Fax:     1.503.685.3063      WWW:     www.tek.com
BBS:     1.503.685.4504      E-World: Keyword Tektronix
HAL:     1.503.682.7450      AOL:     Keyword Tektronix
Service: 1.800.835.6100      FTP:     ftp.tek.com
______________________________________________________________________________

From froomkin at law.miami.edu Mon Jan 8 14:39:02 1996
From: froomkin at law.miami.edu (Michael Froomkin)
Date: Tue, 9 Jan 1996 06:39:02 +0800
Subject: Certificates: limiting your liability with reuse limitations
Message-ID:

Suppose I am a CA. I am worried that by issuing a certificate with a
lifespan of more than 2 milliseconds I am opening myself up to unlimited
liability if for some reason, despite my best efforts, I issue an erroneous
certificate.

I know I can write disclaimers, but that's not reliable since courts often
ignore them, and anyway it scares off customers.

I know I can put an expiration date on the certificate, but that's not
enough. I can accumulate a lot of exposure in a few seconds, much less
weeks.

I know I can put a reliance limit in the X.509 ver 3 certificate, but
that's not enough. Even a $1 limit could be used many millions of times.

Is it feasible to say: Can only be relied on once per day/week/month?

Is this something the relying parties can reasonably be expected to monitor?

It seems to me that this sort of a limit is essential if a CA is to feel
comfortable outside Utah....

A. Michael Froomkin        | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law |
U. Miami School of Law     | froomkin at law.miami.edu
P.O. Box 248087            | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's warm here.
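
The once-per-period limit asked about in the message above, worked through as an added illustration (not part of the original post and not real X.509 handling): relying parties that each honour the limit locally still let one certificate be relied on a thousand times in the same second, unless they all consult one shared counter. ToyCert, UsageLedger, RelyingParty and every field name and value are hypothetical and constructed for this example.

```python
"""Added illustration: a per-period reuse limit on a certificate is only as
strong as the state the relying parties share. Toy model, not X.509 parsing."""
from dataclasses import dataclass
from typing import Optional

DAY = 86400  # seconds


@dataclass(frozen=True)
class ToyCert:
    """Constructed stand-in for a certificate; all field names are hypothetical."""
    serial: str
    not_before: int       # start of validity, seconds
    not_after: int        # expiration date
    reliance_limit: int   # most dollars one transaction may rely on
    uses_per_period: int  # the reuse limit the message asks about
    period: int           # length of one reuse period, seconds


def static_checks(cert: ToyCert, amount: int, now: int) -> bool:
    """Everything a relying party can decide from the certificate alone."""
    in_validity = cert.not_before <= now <= cert.not_after
    return in_validity and 0 < amount <= cert.reliance_limit


class UsageLedger:
    """Counts acceptances per (serial, period). Hypothetical component."""

    def __init__(self) -> None:
        self._counts = {}

    def try_reserve(self, cert: ToyCert, now: int) -> bool:
        key = (cert.serial, now // cert.period)
        used = self._counts.get(key, 0)
        if used >= cert.uses_per_period:
            return False
        self._counts[key] = used + 1
        return True


class RelyingParty:
    """Without a shared ledger, a party can only count its own acceptances."""

    def __init__(self, name: str, shared: Optional[UsageLedger] = None) -> None:
        self.name = name
        self._ledger = shared if shared is not None else UsageLedger()

    def accept(self, cert: ToyCert, amount: int, now: int) -> bool:
        return static_checks(cert, amount, now) and self._ledger.try_reserve(cert, now)


def exposure(parties, cert: ToyCert, amount: int, now: int) -> int:
    """Dollars relied on if the certificate is shown to every party at `now`."""
    return sum(amount for party in parties if party.accept(cert, amount, now))


def demo() -> dict:
    # Constructed certificate: valid 7 days, $1 per transaction, once per day.
    cert = ToyCert("constructed-0001", 0, 7 * DAY, 1, 1, DAY)
    now = 3600
    offline = [RelyingParty(f"rp{i}") for i in range(1000)]
    ledger = UsageLedger()  # one counter consulted by every online party
    online = [RelyingParty(f"rp{i}", ledger) for i in range(1000)]
    return {
        "offline_same_second": exposure(offline, cert, 1, now),
        "offline_repeat_same_day": exposure(offline, cert, 1, now + 1),
        "online_same_second": exposure(online, cert, 1, now),
        "online_next_day": exposure(online, cert, 1, now + DAY),
        "over_reliance_limit": exposure(online, cert, 2, now + 2 * DAY),
        "after_expiry": exposure(offline, cert, 1, 8 * DAY),
    }


if __name__ == "__main__":
    for name, dollars in demo().items():
        print(f"{name:26s} ${dollars}")
```
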
From alanh at infi.net Mon Jan 8 14:52:01 1996 From: alanh at infi.net (Alan Horowitz) Date: Tue, 9 Jan 1996 06:52:01 +0800 Subject: phone calls from hell In-Reply-To: Message-ID: I almost hate to start a thread about something that will inevitably implode into a middle-east-politics flamefest, but this reminds me of the time the newswires reported that 10% of Israel's population had attended that peace rally in Tel-Aviv. Was it right after the Sabra-Shatilla massacre? Anyway, the followup news (which of course never made the news) was that it would not be physically possible for a third of that many people to all be in that place (Kikar Square?) all at once. The original numbers were published by the Israeli "peace camp", who would have liked for there to be that many people there. 100,000 people at a funeral? I don't doubt that there were 100,000 people who would have liked to be there, but I am skeptical that there's enough vehicles in Gaza to assemble 100,000 people to a funeral within a few hours. It doesn't matter does it? Everyone is willing to lie when they write press releases; newspapers are willing to not check ridiculous claims (if the claim comports with the publisher's outlook); and setting the record straight doesn't help sell advertising, publishers really care how lazy journalists are. I saw a great interview with the man who invented the phrase "ethnic cleansing" - a PR-agency guy in Boston under contract to the Bosnian Government. He openly stated, that he doesn't get paid to write the truth into press releases; he's paid to get his client's press releases into opinion-molder's fax machines FIRST. The first press release always wins. 
He also openly stated that he didn't know and didn't care if the Bosnian-Serb militias were operating concentration camps or not; the important thing was to fax the story to the American Jewish groups; he knew that the very *word* concentration camp would catch their eye and push them into agitating against the Serbs. He specifically stated, that he was so proud of his cleverness, because the Croatian President (foe of the Serbs) has a book under his belt ("Wastelands of Historical Reality") that is packed full of some very hot anti-Semetism. Alan Horowitz alanh at infi.net From futplex at pseudonym.com Mon Jan 8 15:22:17 1996 From: futplex at pseudonym.com (Futplex) Date: Tue, 9 Jan 1996 07:22:17 +0800 Subject: Certificates: limiting your liability with reuse limitations In-Reply-To: Message-ID: <199601082310.SAA27803@thor.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- A. Michael Froomkin writes: > I know I can put an expiration date on the certificate, but that's not > enough. I can accumulate a lot of exposure in a few seconds, much less > weeks. > > I know I can put a reliance limit in the X.509 ver 3 certificate, but > that's not enough. Even a $1 limit could be used many millions of times. > > Is it feasabile to say: Can only be relied on once per day/week/month? This sounds like it would present the same exposure problems as an expiration date, but perhaps be more difficult to impose. As you said above, you can assume huge liability in a few seconds, even if you're only given a few seconds a week. Also, I don't immediately see a way to arrange this on the technical side that doesn't reduce to using something that expires and replacing/refreshing it periodically. Of course, the net is in some ways excellent for that sort of application. How about combining value limits with time limits ? Over the wire, using low value limits and replacing them frequently might be a workable solution. 
> Is this something the relying parties can reasonably be expected to monitor? This sounds like a legal question, so I don't think I can offer a useful response. Futplex "I think every player in the NFL should have to go through grad school. It would be a great humbler." -Matt Miller, Cleveland Browns 1979-1983, Ph.D. Georgia Tech 1993 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- From jcobb at ahcbsd1.ovnet.com Mon Jan 8 15:23:12 1996 From: jcobb at ahcbsd1.ovnet.com (James M. Cobb) Date: Tue, 9 Jan 1996 07:23:12 +0800 Subject: The LOGIC of Navigator 2.0 ? Message-ID: Friend, 01 07 96 the business news agency Bloomberg reports: Netscape Communications Corp. said it will release in two weeks a new version of its popular browsing software, designed to keep the Internet software company ahead of rival Microsoft Corp. ... The [new] browser can use programs that are stored on central computers on the Internet, making a personal computer's operating system less important. And thereby making GOVERNMENT LOGIC more important? Cordially, Jim NOTE: The newsstory's headline? NETSCAPE WILL RELEASE AN UPDATED INTERNET BROWSER IN TWO WEEKS. Its dateline? MOUNTAIN VIEW, Calif. (Jan 7, 1996 4:16 p.m. EST). Its Nando News online filename? biz7_1087.html From jimbell at pacifier.com Mon Jan 8 15:26:35 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 9 Jan 1996 07:26:35 +0800 Subject: e$ payee anonymity (Was: e$: Come aaaannnndddd Get it!)
Message-ID: At 11:35 PM 1/7/96 -0500, you wrote: >Still working through my 10MB cpunks mail backlog; this one's from >November 17, 1995: > >jim bell writes [msg #0]: >> It seems to me that this should be possible, within limits, if the potential >> payee could generate a "blinded" note to be delivered to the payer by >> anonymous means. The payer could get the note certified by the bank, >> possibly given an extra "blind" if necessary (is this possible? Desirable? >> Why not?) and then the resulting still-blinded but certified note is posted >> (in encrypted form, I supposed) to the 'net so that only the payee can >> decrypt and unblind it. > >I wrote: ># This sounds like a version of "Hey, I'll pay you $10, if you give me a ten ># dollar bill first." As I understand your protocol, Bob gives Alice an enote, ># then Alice gives Bob an enote. >[...] > >jim bell writes [msg #1]: >> It sounds like you understand even less about the details of digital cash >> than I do. >> >> First, read the August 1992 issue of Scientific American, the article by >> David Chaum. He explains, with a certain amount of detail, how blinded >> digital cash operates. To become validated and worth money, it first has to >> be electronically "written," blinded, and then signed by the bank. Then it >> is unblinded, at which point it can be spent. >> >> What I was saying is that the notes would be written by the payee, then >> blinded by the payee, given to the payer, and then signed by the payer's >> bank. At this point, they are worth money, and they are then returned to >> the payee, >[...] > >Aha, thanks for the elaboration. I was confused by your use of the term >"note" to describe something that isn't in fact worth money, when you said >"the potential payee could generate a "blinded" note to be delivered to the >payer". It also helps that I haven't read much of the ecash(tm :) protocol >details :} > >Futplex I'm quoting the whole thing since it's so old. 
As I assume you are aware, the reason I'm so interested in full payee/full payer anonymity for digital cash is that my idea, "Assassination Politics", requires it: It is necessary to be able to reward a completely unknown person by a completely unknown person, in such a way that nobody can rat out the other person. Even the presence of an intermediary (trusted) organization would be unnecessary if it were possible to GUARANTEE the offer of payment to the payee. As the idea is currently structured, the central organization collects the money, reports the donations, and makes the (continuing) publicized offer. It publicizes enough information to prove to the average citizen that it is dealing fairly with all concerned. Obviously, communication with the donors/guessors must be minimized/secured also, in such a way as to make detection of these people extremely difficult and ideally impossible. From adam at lighthouse.homeport.org Mon Jan 8 15:42:46 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Tue, 9 Jan 1996 07:42:46 +0800 Subject: Certificates: limiting your liability with reuse limitations In-Reply-To: <199601082310.SAA27803@thor.cs.umass.edu> Message-ID: <199601082339.SAA27242@homeport.org> A. Michael Froomkin writes: > I know I can put an expiration date on the certificate, but that's not > enough. I can accumulate a lot of exposure in a few seconds, much less > weeks. > > I know I can put a reliance limit in the X.509 ver 3 certificate, but > that's not enough. Even a $1 limit could be used many millions of times. > > Is it feasible to say: Can only be relied on once per day/week/month? Undeniable digital signatures. They're not 'undeniable' differently from normal digital signatures, but they do require the cooperation of the signer to confirm the signature. Thus, a KCA could decide only to verify a signature 50 times, or once per day (or once per being paid the $10 signature verification fee.)
Schneier has a decent amount on undeniable digital signatures. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From stewarts at ix.netcom.com Mon Jan 8 15:59:23 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Tue, 9 Jan 1996 07:59:23 +0800 Subject: "Re: NSA says strong crypto to china?? Message-ID: <199601080808.AAA10674@ix12.ix.netcom.com> At 10:47 AM 1/7/96 -0800, Raph Levien wrote: > My best guess is that we're seeing a distortion of this >interchange. If I were a Chinese dissident, I wouldn't want to use >GAK, for three reasons: using US-lackey encryption is certainly not >going to get you into any _less_ trouble than using independent >encryption, if you used GAK you'd be working as a US spy whether you >wanted to be or not, and finally, who says the Chinese can't decrypt >it, especially with the rapid growth of television. And, four, there's no guarantee the US keymasters won't burn you to the Chinese government, if it seems useful in preserving "stability"... #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "The price of liberty is eternal vigilance" used to mean us watching # the government, not the other way around.... From nobody at REPLAY.COM Mon Jan 8 15:59:32 1996 From: nobody at REPLAY.COM (Anonymous) Date: Tue, 9 Jan 1996 07:59:32 +0800 Subject: phone calls from hell Message-ID: <199601082348.AAA09773@utopia.hacktic.nl> 8 Jan 1996 Jerusalem, (Reuter) - The head of Israel's Shin Bet resigned Monday just three days after the killing of a wanted Palestinian bombmaker recovered some of the damage the secret service suffered from the assassination of Yitzhak Rabin. The man, identified by his initial "kaf," remains in office until a successor is appointed, Israel Radio said. His predecessor, Yaacov Peri, is now president of one of Israel's two cellular telephone networks. 
-- 8 Jan 1996 Jerusalem (AP) -- The booby-trapped cellular phone that killed an Islamic militant was delivered by a longtime informer for Israel who was paid $1 million for helping, media reports said Monday. A fugitive for three years, Ayyash was hiding in the home of Osama Hamad, his friend from college days. Hamad said he warned Ayyash in the summer that his uncle, Kamal Hamad, may be an informer for Israel. Hamad said his uncle gave him a cellular phone so he could be found easily. A day before Ayyash was killed, his uncle asked for the cellular phone, took it and returned it later, requesting that it be kept on at all times, Hamad said. Israel's security services apparently deceived Kamal Hamad, telling him they had planted a bug in the phone, rather than explosives, the radio said. Media reports said that the explosion was set off by remote control when Ayyash answered a call to him. It is not known how the identity of Ayyash was ascertained. -- From root at bushing.plastic.crosslink.net Mon Jan 8 16:14:47 1996 From: root at bushing.plastic.crosslink.net (greeeeaaaaat*) Date: Tue, 9 Jan 1996 08:14:47 +0800 Subject: [Fwd: Re: ABOI: Desperate User Support] In-Reply-To: <30F17C73.4765@huge.net.hk> Message-ID: <199601081852.SAA03871@bushing.plastic.crosslink.net> -----BEGIN PGP SIGNED MESSAGE----- > > Seen on Alt.best.of.internet. Would love to find out if this is > true! > > Shri > > > >This falls into the "Why did it have to happen on *MY* shift?" category. > > > > >A friend of mine is a chief engineer at SuperMac, and he related this > > >story to me. > > > > >Some poor SuperMac TechSport got a call from some middle level official... > > >from the legitimate government of Trinidad. The fellow spoke very good > > >English, and fairly calmly described the problem. > > > > >It seemed there was a coup attempt in progress at that moment. 
However, > > >the national armoury for that city was kept in the same building as the > > >Legislature, and it seems that there was a combination lock on the door > > >to the armoury. Of the people in the capitol city that day, only the > > >Chief of the Capitol Guard and the Chief Armourer knew the combination to > > >the lock, and they had already been killed. It's not. This was hashed over in alt.folklore.computers a little while back, and someone did some research and found out that there haven't been any coup attempts in the past few years in Trinidad, or something like that. - -- Ben Byer root at bushing.plastic.crosslink.net I am not a bushing GCS d-- s: a--- C++ UL++++ P++ L++ E+ W+ N++ o K-- w-- !O M-- !V !PS !PE Y+(++) PGP t+ 5 !X R tv(+) DI+ G e- h! r !y -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface -----END PGP SIGNATURE----- From warlord at MIT.EDU Mon Jan 8 16:19:24 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Tue, 9 Jan 1996 08:19:24 +0800 Subject: Scaling Web-of-Trust In-Reply-To: <30ed7ecd005b002@noc.cis.umn.edu> Message-ID: <199601090005.TAA17163@toxicwaste.media.mit.edu> Hi. I believe you are talking about the paper that Jeff Schiller and I presented at the January '95 USENIX Conference, _Scaling the Web of Trust_.
You can find this paper (in ASCII or PS) via ftp: ftp://toxicwaste.mit.edu/pub/pgpsign/scaleweb.txt ftp://toxicwaste.mit.edu/pub/pgpsign/scaleweb.PS -derek From iagoldbe at calum.csclub.uwaterloo.ca Mon Jan 8 16:21:49 1996 From: iagoldbe at calum.csclub.uwaterloo.ca (Ian Goldberg) Date: Tue, 9 Jan 1996 08:21:49 +0800 Subject: [NOISE] Re: PLAYBOY Magazine, Raph Levien & Remailers In-Reply-To: <199601081743.JAA22884@well.com> Message-ID: <4cru2d$a1u@calum.csclub.uwaterloo.ca> In article <199601081743.JAA22884 at well.com>, Andre Bacard wrote: >The current PLAYBOY magazine refers readers to the web site of Raph >Levien, "The Remailer Guru." Raph's site focuses upon remailers. > Honest! I buy Playboy for the articles on remailers! Really! - Ian "or not" From llurch at networking.stanford.edu Mon Jan 8 16:47:05 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 9 Jan 1996 08:47:05 +0800 Subject: "trust management" vs. "certified identity" In-Reply-To: <55entaabdw.fsf@galil.austnsc.tandem.com> Message-ID: On 8 Jan 1996, Sten Drescher wrote: > shamrock at netcom.com (Lucky Green) said: > > LG> At 1:40 1/7/96, Frank O'Dwyer wrote: > >> But it is usually easier to determine (and vouch for) who a stranger > >> is than how trustworthy they are, if only because there are quick and > >> easy real-world mechanisms for this (driver's licence, > >> passport,etc.). That's all I meant. > > LG> Though it may seem that way, I am not so sure that it is true. I am > LG> told that you can buy a CA driver licence in the hispanic part of > LG> San Francisco for about $50. Hologram and all. > > 60 Minutes did a report a year or so ago where one of their > reporters (Harry Reasoner, I think) purchased various fake IDs, ranging > from drivers licenses to 'green' cards. The green cards he purchased > were virtually indistinguishable (in quality - the names varied (; ) > from his genuine green card (the reporter was/is Canadian). 
Someone got a MacArthur grant for a study of this in Redwood City a couple years back. She studied the long-term patterns of smuggling between towns in the SF Bay Peninsula and central Mexico. I saw her speak once, but I don't remember her name. I could probably find the reference if you're interested. There haven't been that many MacArthur grants. Any decent book on private investigation should give you enough information to pass as someone else. -rich owner-win95netbugs at lists.stanford.edu ftp://ftp.stanford.edu/pub/mailing-lists/win95netbugs/ gopher://quixote.stanford.edu/1m/win95netbugs http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html From jimbell at pacifier.com Mon Jan 8 17:00:51 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 9 Jan 1996 09:00:51 +0800 Subject: phone calls from hell Message-ID: At 01:03 PM 1/8/96 -0600, you wrote: >jim bell said: > > >jb> Sorta gives new meaning to the term "_Terminate_ and Stay Resident" >jb> program, doesn't it?!? > > Wouldn't that be "Stay Resident and Terminate" or "Stay and >Terminate Resident"? > >jb> (Or "end of file.") "end of life"? From futplex at pseudonym.com Mon Jan 8 17:00:53 1996 From: futplex at pseudonym.com (Futplex) Date: Tue, 9 Jan 1996 09:00:53 +0800 Subject: [NOISE] [Fwd: Re: ABOI: Desperate User Support] In-Reply-To: <30F17C73.4765@huge.net.hk> Message-ID: <199601082050.PAA01206@thor.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- Shri writes: > Seen on Alt.best.of.internet. Would love to find out if this is > true! [...] > > > Origination: alt.sysadmin.recovery [...] > > > Date: 27 Jul 1995 16:44:18 -0700 ~~~~~~~~ > > >... (many forwards deleted)... Please don't post 6-month-old urban net.urban.legends to cypherpunks. (Do we really need to put that in the Junior Grade Cypherpunks Training Manual?) [...] > > >Some poor SuperMac TechSport got a call from some middle level official... > > >from the legitimate government of Trinidad.
The fellow spoke very good > > >English, and fairly calmly described the problem. > > > > >It seemed there was a coup attempt in progress at that moment. [...] Someone posted this to c'punks a while ago (about 6 months ago, perchance?). Beyond the fact that it sounds like an UL right off the bat, it's been pointed out that there haven't been any military coups in Trinidad & Tobago any time recently (or some similar historical fact). Futplex -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- From llurch at networking.stanford.edu Mon Jan 8 17:01:15 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 9 Jan 1996 09:01:15 +0800 Subject: [Fwd: Re: ABOI: Desperate User Support] In-Reply-To: <199601081852.SAA03871@bushing.plastic.crosslink.net> Message-ID: On Mon, 8 Jan 1996, greeeeaaaaat* wrote: > It's not. This was hashed over in alt.folklore.computers a little > while back, and someone did some research and found out that there > haven't been any coup attempts in the past few years in Trinidad, or > something like that. Someone did very poor research, then. In fact there was a Libyan-backed coup two or three years ago, which was overthrown in about a month. I distinctly remember the headline in The Economist, which was similar to "Trinidad Coup Not Considered Cricket." Info on the coup and a copy of this bit of folklore is on a Trinidad & Tobago Web Page somewhere. Maybe they got a definitive answer in the six months or so since I last looked. This should probably get a [NOISE] for Perry's benefit...
-rich owner-win95netbugs at lists.stanford.edu ftp://ftp.stanford.edu/pub/mailing-lists/win95netbugs/ gopher://quixote.stanford.edu/1m/win95netbugs http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html From jcobb at ahcbsd1.ovnet.com Mon Jan 8 17:06:52 1996 From: jcobb at ahcbsd1.ovnet.com (James M. Cobb) Date: Tue, 9 Jan 1996 09:06:52 +0800 Subject: NSA says strong crypto to China? In-Reply-To: <199601081514.HAA03562@blob.best.net> Message-ID: Jim, That's it in a nutshell: They have common interests AND conflicting interests. AND-thinking and the identification of specific time-place-circumstances factors are effectively BANNED. It's part of the mostly unquestioned "success" of US schools. I say mostly because 12 95 The Atlantic Monthly 65 features Paul Gagnon's two essays What Should Children Learn? and Botched Standards. Cordially, Jim INCLOSURE: Date: Sun, 07 Jan 1996 19:13:36 -0800 From: "James A. Donald" To: cypherpunks at toad.com Subject: Re: NSA says strong crypto to China? [deleted] They have common interests and conflicting interests. They have a common interest in repressing Chinese dissidents, to keep the world safe for National Security Agencies. [deleted] From stend at cris.com Mon Jan 8 17:07:51 1996 From: stend at cris.com (Sten Drescher) Date: Tue, 9 Jan 1996 09:07:51 +0800 Subject: "trust management" vs. "certified identity" In-Reply-To: Message-ID: <55entaabdw.fsf@galil.austnsc.tandem.com> shamrock at netcom.com (Lucky Green) said: LG> At 1:40 1/7/96, Frank O'Dwyer wrote: >> But it is usually easier to determine (and vouch for) who a stranger >> is than how trustworthy they are, if only because there are quick and >> easy real-world mechanisms for this (driver's licence, >> passport,etc.). That's all I meant. LG> Though it may seem that way, I am not so sure that it is true. I am LG> told that you can buy a CA driver licence in the hispanic part of LG> San Francisco for about $50. Hologram and all.
60 Minutes did a report a year or so ago where one of their reporters (Harry Reasoner, I think) purchased various fake IDs, ranging from drivers licenses to 'green' cards. The green cards he purchased were virtually indistinguishable (in quality - the names varied (; ) from his genuine green card (the reporter was/is Canadian). -- #include /* Sten Drescher */ To get my PGP public key, send me email with your public key and Subject: PGP key exchange Key fingerprint = 90 5F 1D FD A6 7C 84 5E A9 D3 90 16 B2 44 C4 F3 Unsolicited email advertisements will be proofread for a US$100 fee. From tallpaul at pipeline.com Mon Jan 8 17:21:48 1996 From: tallpaul at pipeline.com (tallpaul) Date: Tue, 9 Jan 1996 09:21:48 +0800 Subject: Horowitz "thread" Message-ID: <199601090108.UAA00896@pipe4.nyc.pipeline.com> On Jan 08, 1996 17:41:10, 'Alan Horowitz ' wrote: > >I almost hate to start a thread about something that will inevitably >implode into a middle-east-politics flamefest... > Then don't. --tallpaul From adam at lighthouse.homeport.org Mon Jan 8 17:46:34 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Tue, 9 Jan 1996 09:46:34 +0800 Subject: [NOISE] Re: get mix-installer. (fwd) In-Reply-To: <55ag3ya50k.fsf_-_@galil.austnsc.tandem.com> Message-ID: <199601081931.OAA23987@homeport.org> Can we let this die? I think it was pretty bogus to flame me over a broken auto-responder, but it's not that important. Let's let it go.. Thank you for not posting on this thread, Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From nobody at REPLAY.COM Mon Jan 8 18:04:07 1996 From: nobody at REPLAY.COM (Anonymous) Date: Tue, 9 Jan 1996 10:04:07 +0800 Subject: NSA Rigs Win NT to B Message-ID: <199601090127.CAA14816@utopia.hacktic.nl> Global Internet Wins NSA Contract for Windows NT Security Enhancement Feasibility Study to Analyze B-Level Security Requirements Palo Alto, Calif., Jan.
8 -- Global Internet today announced that the National Security Agency has awarded them a contract to conduct a feasibility study on raising the security level of Windows NT 3.51 to B-level. Global Internet will analyze Windows NT's ability to meet B-level security requirements, as well as develop a software prototype that demonstrates a Fortezza-based cryptocard access control mechanism. The contract was granted by the NSA under the Multilevel Information System Security Initiative (MISSI), which has the charter to provide security services for information ranging from Unclassified but Sensitive up to and including Top Secret. Windows NT was originally designed with security in mind. A NSA evaluation team has determined that Windows NT 3.5 with Service Pack 3 satisfies all class C-2 security requirements. B-level of security strengthens the C2 level security features while providing stricter system assurances. Global Internet has a proven expertise with Windows NT. Centri TNT is the only network security solution that is fully integrated into Windows NT TCP/IP networks by complementing and extending Windows NT's inherent strengths, while maintaining 100% compatibility with existing applications. Global Internet also has extensive experience architecting, designing and developing high level secure operating systems. "This project addresses anticipated security requirements for DOD, as well as commercial customers using Windows NT," said Michelle Ruppel, a director of the Global Internet Software Group. "Our analysis will address compatibility issues with B-level security requirements and identify the changes necessary to provide this level of support." According to Outlink, Inc., a New York-based research and publishing firm focusing on the information security market, about 80% of the PC hardware market supports Microsoft's DOS and Windows 3.1. 
This combination, though popular, does not provide inherent security features such as secure login, access control, auditing and self-protection. Strong access control is a highly desirable function of the MISSI architecture. Trusted Operating Systems will play a role in the MISSI success. Windows NT is a modular OS and combined with its current security features that are based on the Trusted Products Evaluation Program (TPEP) C2 level of security and its ability to operate on the majority of customer platforms while supporting DOS and Windows applications, the architecture lends itself to support B-level requirements. An operating system with few security features allows anyone to use the machine without validating their identity, while allowing access to all files, objects and resources. C2 level security includes: auditing to allow security-relevant events to be recorded and monitored, discretionary (need-to-know) access controls to mediate who can access (read or write) files and other objects and identification and authentication (login) to require users to identify themselves to the system before they are allowed to use the system. B-level security additionally includes: labeling of users, files and other objects with a sensitivity label, mandatory access controls to enforce a security policy based on the labels of the users and objects and trusted path that ensures users they are using the actual programs provided with the system. The Global Internet Software Group specializes in security software for Windows NT networks and other operating environments. The Software Group is a division of Global Internet, a full-service internetworking solutions company focusing on secure, reliable internetworking software and services. Located in Palo Alto, California, Global Internet is privately held and was founded in 1993. Global Internet Home Page: http://www.gi.net.
From llurch at networking.stanford.edu Mon Jan 8 18:04:37 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 9 Jan 1996 10:04:37 +0800 Subject: Still [NOISE] but a.f.urban was clearly wrong [Fwd: Re: ABOI: Desperate User Support]) In-Reply-To: <199601082050.PAA01206@thor.cs.umass.edu> Message-ID: You should know better than to believe everything you read in alt.folklore.urban, even the debunking. There was a brief Libyan-backed coup in Trinidad & Tobago in July 1990. Here are a few Reuters headlines in reverse chronological order, courtesy of Lexis/Nexis. I also recall a couple of excellent articles in The Economist. I believe that the Symantec story has at least some truth to it. I don't read alt.folklore.urban, so I won't post there, but someone should. -rich Copyright 1991 Reuters April 9, 1991, Tuesday, AM cycle LENGTH: 167 words HEADLINE: TRINIDAD COUP HEARING POSTPONED AFTER NOISY COURTROOM PROTESTS DATELINE: PORT OF SPAIN, Trinidad BODY: A pretrial hearing for 18 of the alleged plotters in the July 1990 Trinidad coup attempt was postponed Tuesday because of noisy courtroom protests. Members of the black Moslem Jamaat al Muslimeen group chanted and banged ... Copyright 1990 Reuters October 2, 1990, Tuesday, BC cycle LENGTH: 3422 words HEADLINE: WORLD NEWS EVENTS SCHEDULED DURING THE NEXT FOUR WEEKS BODY: ... visits (until Oct. 10). NASHVILLE Country Music Association annual awards. PORT-OF-SPAIN Expected starting date of Trinidad coup plotters trial. STOCKHOLM Nobel Prize for Medicine announced. STRASBOURG, France European Parliament plenary session (until ... ... visits (until Oct. 10). 
Copyright 1990 Reuters September 13, 1990, Thursday, AM cycle LENGTH: 371 words HEADLINE: TRINIDAD COUP PLOTTERS FACE TRIAL BYLINE: By Lindsay MacKoon DATELINE: PORT OF SPAIN, Trinidad Copyright 1990 Reuters August 23, 1990, Thursday, AM cycle LENGTH: 184 words HEADLINE: TRINIDAD COUP HEARING DELAYED OVER SECURITY CONCERNS DATELINE: PORT OF SPAIN, Trinidad Copyright 1990 Reuters August 15, 1990, Wednesday, AM cycle LENGTH: 387 words HEADLINE: TRIAL OF TRINIDAD MOSLEM REBELS COULD BEGIN NEXT WEEK BYLINE: By Lindsay MacKoon DATELINE: PORT OF SPAIN, Trinidad BODY: ... 1 and transferred to Trinidad's state prison under heavy security. Caribbean nations, worried about the economic conditions that contributed to the Trinidad coup attempt, plan to hold a meeting to discuss ways of improving regional security. Barbados Prime Minister Erskine Sandiford ... Copyright 1990 Reuters July 31, 1990, Tuesday, AM cycle LENGTH: 496 words HEADLINE: ANY FLIGHT WILL DO FOR THOUSANDS THRONGING TRINIDAD AIRPORT BYLINE: By Peter Zollman DATELINE: PORT OF SPAIN, Trinidad BODY: Thousands of sweaty tourists and business people trying to flee the chaos of the Trinidad coup attempt jammed Piarco International Airport Tuesday, jostling and shoving to get on any available flight out of the island. Copyright 1990 Reuters July 30, 1990, Monday, AM cycle LENGTH: 96 words HEADLINE: AGREEMENT TO END TRINIDAD COUP ATTEMPT BREAKS DOWN BYLINE: By Peter Zollman DATELINE: PORT OF SPAIN, Trinidad Copyright 1990 Reuters July 29, 1990, Sunday, AM cycle LENGTH: 507 words HEADLINE: MORE THAN 300 WOUNDED IN TRINIDAD COUP AS TALKS BOG DOWN BYLINE: By Peter Zollman DATELINE: PORT-OF-SPAIN, Trinidad From llurch at networking.stanford.edu Mon Jan 8 18:27:03 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 9 Jan 1996 10:27:03 +0800 Subject: NSA Rigs Win NT to B In-Reply-To: <199601090127.CAA14816@utopia.hacktic.nl> Message-ID: On Tue, 9 Jan 1996, Anonymous wrote: > including Top Secret. 
Windows NT was originally designed > with security in mind. A NSA evaluation team has > determined that Windows NT 3.5 with Service Pack 3 > satisfies all class C-2 security requirements. B-level > of security strengthens the C2 level security features > while providing stricter system assurances. This is misleading at best. Windows NT is certified C2 as a standalone workstation only. It has not been tested or certified for networked environments. The fact that NT lets you know when you have attempted a login as a user that does not exist, without asking for a password, would clearly disqualify NT Server from a C2 rating in a network environment, at least when NetWare services are used. Real NetWare servers do qualify for a C2 rating. -rich owner-win95netbugs at lists.stanford.edu ftp://ftp.stanford.edu/pub/mailing-lists/win95netbugs/ gopher://quixote.stanford.edu/1m/win95netbugs http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html From kephart at interserv.com Tue Jan 9 10:37:11 1996 From: kephart at interserv.com (kephart at interserv.com) Date: Tue, 9 Jan 96 10:37:11 PST Subject: No Subject Message-ID: <199601091836.AA25616@relay.interserv.com> please send anon remailer faq. many thanks. From abostick at netcom.com Mon Jan 8 18:48:22 1996 From: abostick at netcom.com (Alan Bostick) Date: Tue, 9 Jan 1996 10:48:22 +0800 Subject: [NOISE] Re: PLAYBOY Magazine, Raph Levien & Remailers In-Reply-To: <199601081743.JAA22884@well.com> Message-ID: In article <4cru2d$a1u at calum.csclub.uwaterloo.ca>, iagoldbe at csclub.uwaterloo.ca (Ian Goldberg) wrote: > In article <199601081743.JAA22884 at well.com>, > Andre Bacard wrote: > >The current PLAYBOY magazine refers readers to the web site of Raph > >Levien, "The Remailer Guru." Raph's site focuses upon remailers. > > > Honest! I buy Playboy for the articles on remailers! Really! > > - Ian "or not" I haven't bought an issue of PLAYBOY for years. Nowadays, I get all of my naked lady pictures from the Internet.
Alan "I use them to practice LSB steganography with" Bostick -- Alan Bostick | He played the king as if afraid someone else Seeking opportunity to | would play the ace. develop multimedia content. | John Mason Brown, drama critic Finger abostick at netcom.com for more info and PGP public key From frankw at in.net Tue Jan 9 11:23:31 1996 From: frankw at in.net (Frank Willoughby) Date: Tue, 9 Jan 96 11:23:31 PST Subject: Microsoft continues to mislead public about Windows security Message-ID: <9601091923.AA01238@su1.in.net> From the desk of Lucky Green: > >Very true. But why does it always seem to take an exploitable crack before >companies pay attention to security flaws? Is it because they are unable to >admit that they have made a mistake? Everybody makes mistakes. What's the >big deal? I really don't understand it. Any psychologists on this list? I'm not a psychologist, but I have worked in the Information Security field for a while now. When a system is breached or a CERT Advisory is issued, this is a major embarrassment for the company. The breach (or publicized security flaw) shakes the confidence of people in the vendor's products. People are rather unwilling to risk putting their business-critical data on a system which has just recently been breached. This lack of confidence translates into a loss in sales. If unchecked or the case is severe enough, this could also translate into a loss of jobs. If the consumers (or some key major players) put pressure on the vendors to secure their systems, then it will happen. Until then, the vendors will continue to provide us in the Information Security field with unparalleled job security. 8^) You would be surprised how bad the situation really is and how many companies are vulnerable and to what extent (then again, you may not). We now return you to your discussion on crypto. 8^) Best Regards, Frank Fortified Networks Inc.
- Management & Information Security Consulting Phone: (317) 573-0800 - http://www.fortified.com/fortified/ The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc. From llurch at networking.stanford.edu Mon Jan 8 19:27:37 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 9 Jan 1996 11:27:37 +0800 Subject: Microsoft continues to mislead public about Windows security bugs (a bit long, with references) Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Please do not dismiss this as mere "Microsoft Bashing." c2.org has similar promotions running for Netscape, DigiCash, and Java. The following is a quote from Microsoft's "Knowledge Base" technical support and marketing database, which is online in CompuServe and at: http://www.microsoft.com/kb/peropsys/windows/q90271.htm Security of the Windows for Workgroups Password Cache _____________________________________________________ The password list file is encrypted with an algorithm that meets the U.S. government Data Encryption Standard (DES). This encryption technology is the highest security allowed in software exported from the United States. The odds of breaking the encryption algorithm are less than those for random guesses of what the password might be. Even if your logon password is blank, Windows for Workgroups generates seemingly random data in your PWL file, so you cannot discover the passwords if you look at the PWL file using a file viewer. Currently, no user interface exists that allows you to unencrypt passwords in the PWL file, so password caching in Windows for Workgroups is as secure as the choice of the password used to encrypt your PWL file. As Microsoft well knows, this is completely untrue. The rest of the world has known that this is untrue since November 29th. 
Microsoft quietly acknowledged on December 7th (after a day of much "Internet Strategy" hype, and after the deadline for the morning papers) that the exact same implementation was insecure in Windows 95, and claims to have released a patch that fixes the problem (the efficacy of the Win95 patch does not appear to have been verified by anyone outside Microsoft, however). Microsoft has not even admitted that this bug in both Windows 95 and Windows for Workgroups affects Windows for Workgroups, apparently because they have decided not to fix it. Information on the .PWL implementation bugs was first broached on the sci.crypt newsgroup in late November 1995, then discussed on the cypherpunks list and refined for Community ConneXion's "Hack Microsoft" promotion, http://www.c2.org/hackmsoft/. We have since been given a sample trojan horse that will very efficiently exploit this bug in Windows for Workgroups. Distributed as a Word Basic virus, MIME attachment, or downloadable archive (note that Exchange and Internet Explorer unwisely execute downloaded binaries without even a virus check, a problem that Sun's Java has long acknowledged and addressed), this trojan horse could collect passwords and other sensitive information from .PWL files and other sources and send them out via email, possibly through an untraceable chain of remailers or to a throwaway trial account on, for example, America "Online." We believe that it would be highly irresponsible to release the full version of this hack, but we will soon release a crippled demonstration-only version if Microsoft does not at the very least admit that this problem has always affected Windows for Workgroups, correct their online documentation, publish the specifications of the Win95 security patch for review by outside security experts, and issue a public retraction. 
See also:

http://www.microsoft.com/kb/peropsys/windows/90210.htm
http://www.microsoft.com/windows/pr/clarifications.htm
http://www.c2.org/hackmsoft/
http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html
{mirror of above} http://www.mari.su/guide/win95/
{mirror of above} ftp://ftp.demon.co.uk/pub/mirrors/win95net/
{more mirrors are under construction in Australia and elsewhere}

In other news, I assume everyone knows by now that NT's claimed C2 security rating was granted *for use as a standalone workstation only*. It has been widely reported that its NetWare Services implementation does not ask for passwords for nonexistent usernames, making a potential cracker's job that much easier. The correct response, which is given by real NetWare servers and other servers that are certified C2-secure on networks, is to silently ask for a password in all cases.

I started getting copies of hackmsoft at c2.org mail on December 20th. It's really depressing.

We've also seen problems with Microsoft Access 95's security. Basically, there is none. Anyone can access the network-enabled Access as any user without knowing the password. We don't think it would be responsible to publicly release this hack, either, until Microsoft has had another chance to patch the hole (they've known about it for some time).

These are far, far worse than the widely publicized bugs in Netscape's SSL implementation, which have been fixed. Yet the only place I've seen them mentioned is the lapdog Seattle Times, which only reports bug *fixes* in glowing terms.

Is anybody listening?
- -rich
owner-win95netbugs at lists.stanford.edu
ftp://ftp.stanford.edu/pub/mailing-lists/win95netbugs/
gopher://quixote.stanford.edu/1m/win95netbugs
http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMPHZrI3DXUbM57SdAQFojwP/T0CIjfyEz5NHD81wPdkAuUf1YCB8OE3/
4NakffTxzmPxJXRT/MoRpOMn4qJa6mzC6WAgAdwtKWG/3K9WS1LNgM/w/PYMHj45
pEQroJBzoXU/Sctjnyz87FBl2/m6dwAdvPQqGOzGqsLVDaFsmqbWtalkvP2y0707
ntdb2fkqpNI=
=q491
-----END PGP SIGNATURE-----

From kent at trouble.WV.TEK.COM Tue Jan 9 12:28:25 1996
From: kent at trouble.WV.TEK.COM (Kent Dahlgren)
Date: Tue, 9 Jan 96 12:28:25 PST
Subject: Still [NOISE] but a.f.urban was clearly wrong [Fwd: Re: ABOI: Desperate User Support])
In-Reply-To: <199601091717.MAA31459@thor.cs.umass.edu>
Message-ID:

On Tue, 9 Jan 1996, Futplex wrote:
> trouble of doing an Alta Vista search for "trinidad" and "supermac". I think

Speaking of Altavista, check this data for the host www.dec.com:

Export list for www.digital.com:
/udir                 server2-fddi
/www_root/.i          server2-fddi enet-gw.pa.dec.com mts-gw.pa.dec.com decpa .pa.dec.com
/www_root/.h          server2-fddi enet-gw.pa.dec.com mts-gw.pa.dec.com decpa .pa.dec.com
/archive              everyone
/archive/.4           everyone
/archive/.5           everyone
/archive/.6           everyone
/archive/.7           everyone
/archive/.a           everyone
/archive/.c           everyone
/archive/.d           everyone
/archive/.e           everyone
/archive/.j           everyone
/archive/.k           everyone
/archive/contrib      everyone
/archive/contrib/src  everyone

I told them about this via e-mail almost three weeks ago when I told them about being able to get different host's /etc/passwd file from a search. But I guess that's the way they want it. This probably isn't the appropriate forum, but obviously they don't care. Does anyone know a better way to tell them?

Maybe I'm just paranoid.
It's just that I kind of feel sorry for DEC; it's not easy being burdened with the worst marketing staff in the world, having the world's fastest RISC processor, and having the media go wild over the P6.

Flames welcomed.....I'm homesick and need the abuse...:)

______________________________________________________________________________
______ T E K T R O N I X _ C P I D _ T E C H N I C A L _ S U P P O R T _______
/
Voice:   1.800.835.6100    E-mail:  support at colorprinters.tek.com
Fax:     1.503.685.3063    WWW:     www.tek.com
BBS:     1.503.685.4504    E-World: Keyword Tektronix
HAL:     1.503.682.7450    AOL:     Keyword Tektronix
Service: 1.800.835.6100    FTP:     ftp.tek.com
______________________________________________________________________________

From kent at trouble.WV.TEK.COM Tue Jan 9 12:30:01 1996
From: kent at trouble.WV.TEK.COM (Kent Dahlgren)
Date: Tue, 9 Jan 96 12:30:01 PST
Subject: Microsoft continues to mislead public about Windows security bugs (a bit long, with references)
In-Reply-To: <199601091809.KAA15511@netcom6.netcom.com>
Message-ID:

On Tue, 9 Jan 1996, Bill Frantz wrote:
> Security is a checkoff item, and if you can convince a retired major that
> the OS is secure, then he will approve it. He is not going to check the
> details. His expertise is in guard stations and chain link fences.
> However, if someone, e.g. the trade press, rubs his nose in the fact that
> an OS's security can be breached, then he will take action. He will
> pressure the publisher to release a fix that they say will fix the problem.
> When they do, he will be happy.
>
> Microsoft particularly, is oriented to selling product, not pride in
> workmanship.

Wow. Truth spoken.
______________________________________________________________________________ ______ T E K T R O N I X _ C P I D _ T E C H N I C A L _ S U P P O R T _______ / Voice: 1.800.835.6100 E-mail: support at colorprinters.tek.com Fax: 1.503.685.3063 WWW: www.tek.com BBS: 1.503.685.4504 E-World: Keyword Tektronix HAL: 1.503.682.7450 AOL: Keyword Tektronix Service: 1.800.835.6100 FTP: ftp.tek.com ______________________________________________________________________________ From campbelg at limestone.kosone.com Tue Jan 9 12:30:25 1996 From: campbelg at limestone.kosone.com (Gordon Campbell) Date: Tue, 9 Jan 96 12:30:25 PST Subject: Microsoft continues to mislead public about Windows security bugs (a bit long, with references) Message-ID: <2.2.32.19960109200303.0068fed4@limestone.kosone.com> At 12:37 AM 1/9/96 -0800, you wrote: >Very true. But why does it always seem to take an exploitable crack before >companies pay attention to security flaws? Is it because they are unable to >admit that they have made a mistake? Everybody makes mistakes. What's the >big deal? I really don't understand it. Any psychologists on this list? I'm not a psychologist, but I'd guess that by the time a crack is released, knowledge of a problem is so widespread, that the company responsible can't ignore it. Kind of an ostrich thing. ----- Gordon R. Campbell, Owner - Mowat Woods Graphics P.O. Box 1902, Kingston, Ontario, Canada K7L 5J7 Ph: (613) 542-4087 Fax: (613) 542-1139 2048-bit PGP key available on request. From shamrock at netcom.com Mon Jan 8 21:03:19 1996 From: shamrock at netcom.com (Lucky Green) Date: Tue, 9 Jan 1996 13:03:19 +0800 Subject: "Microsoft.com" added to my KILL file Message-ID: At 12:32 1/7/96, Timothy C. May wrote: >This is a battle I've been fighting for roughly the past year. When I get a >blank message from someone saying only "attachment converted," I add that >username to my kill file. 
My feeling is that a mailing list with 1000+ >subscribers, or even one with far fewer, is a terrible place to send >non-ASCII messages. Readers will be using VT-100s on campus networks, old >Amiga 1000s, EMACs, Suns, Macs, IBM PCs, Windows, and all sorts of >configurations to read mail, and there is almost no chance that all or even >most of these will be brought up to the latest MIME standards. Plain ASCII, >such as 98% of this list has been for the past several years, is the lingua >franca, the lowest common denominator (see, some number theory relevance >for you purists!) of the Net. There has been little compelling need for >embedded spreadsheets and embedded graphics. And as for attachments, such >as attaching programs for running on a machine, mailing list messages are a >very poor way to distribute such programs, for many reasons. I agree 100% with this paragraph. [Some old story, if you don't know it, don't worry :-] -- Lucky Green PGP encrypted mail preferred. From baldwin at RSA.COM Tue Jan 9 13:55:05 1996 From: baldwin at RSA.COM (baldwin (Robert W. Baldwin)) Date: Tue, 9 Jan 96 13:55:05 PST Subject: Can you break my encryption protocol ? - improvements Message-ID: <9600098212.AA821224351@snail.rsa.com> Mark, The protocol works well as long as you trust the ability of clients to generate random numbers and you are not too worried about replay or message modification attacks. If you are, then the session key should be a function of random values chosen by both the client and the server. That way, a replay of the initial connection message will not cause the server to use the same key. You may also want to add key verification in case the application does not already provide a simple way to tell if both parties are using the same key. For example, the client and server could exchange known values encrypted under the session key before continuing. 
Here's a protocol based on the ISO standards that has both dual key determination (both parties influence the key value and neither can control the range of possible keys in any useful way), and dual key validation (both parties end up knowing they are talking to someone who can compute the common key).

Client computes:
    Mc = unpredictable 128 bit value. Serves as authenticator and as a
         value that is unknown to the attacker.
    Nc = H(Mc)    // Hash of Mc like MD5(Mc)

C->S: C, S, Nc
    The names or IP addresses of C & S are included to avoid various
    replay and reflection attacks. Message integrity is done later.

Server computes:
    Ms = unpredictable 128 bit value.
    Ns = H(Ms)
    P  = shared passphrase padded with zeros to multiple of 64 bytes
         which is the block size of the hash function's compress operation.
    K  = H(P || H(P || C || Nc || S || Ns))
    Vs = Enc(K, Ms)
         The value Ms is unknown to the attacker, so this value does
         not help with mounting a brute force key search.

S->C: S, C, Ns, Vs

Client computes:
    P  = shared passphrase padded with zeros to multiple of 64 bytes
         which is the block size of the hash function's compress operation.
    K  = H(P || H(P || C || Nc || S || Ns))
    X  = Dec(K, Vs)
    Test that H(X) = Ns, if not return error and close connection.
    Vc = Enc(K, Mc)

C->S: C, S, Vc

Server computes:
    X  = Dec(K, Vc)
    Test that H(X) = Nc, if not return error and close connection.

All subsequent communication should be encrypted with K.

--Bob Baldwin

______________________________ Forward Header __________________________________
Subject: Can you break my encryption protocol ?
Author: ,"Mark Grant, M.A. (Oxon)" at INTERNET
Date: 1/9/96 8:10 AM

I'm trying to put together a simple protocol for encrypting confidential but typically low-value data (i.e. I don't want people to be able to read it, but in most cases it wouldn't be catastrophic if they could). I want it to be completely license-free, so I can't use RSA or other patented algorithms.
It also would only be used inside one organisation, so key management isn't so much of a problem, and the main attack it has to defend against is packet-sniffing on the Net. It also has to support variable-length keys for ITAR..

The idea is as follows..

Client and server both have copies of a passphrase, of any length. When starting the connection, client sends 128 random bits to the server. Both ends take this data, append the passphrase, and use MD5 to generate a session key.

If a key of less than 128 bits is required for legal reasons, then the appropriate number of bits are retained, and the rest replaced with bits from the random data that was sent in the clear. That is, if you're only allowed 40 bit security, you take the first 88 bits that you were sent, and append the last 40 bits of the generated key to give you the session key to use. You then go off and encrypt the session (probably using 3DES or Blowfish).

Can anyone spot any flaws in this system ? The only potential problem I can see would be that by cracking a number of sessions you could work out the passphrase. However, I think the number required would still be infeasible.

Also, are there any known problems with using Blowfish for encrypting a data stream ? I'm assuming it's OK as it's used in PGPfone.

Mark

From alano at teleport.com Mon Jan 8 21:55:37 1996
From: alano at teleport.com (Alan Olsen)
Date: Tue, 9 Jan 1996 13:55:37 +0800
Subject: Revoking Old Lost Keys
Message-ID: <2.2.32.19960108094632.0095dda0@mail.teleport.com>

At 12:02 PM 1/7/96 GMT, you wrote:
>shamrock at netcom.com (Lucky Green) writes:
>
>>I would very much like to see expiration dates on public keys. Is PGP 3.0
>>offering this feature?
>
>I would very much like to see PGP 3.0, but that's another story...

So would I. I posted a message to alt.security.pgp and sci.crypt stating that "I had found the release schedule for PGP 3.0 on page 16 of Applied Cryptography (1st edition) and was wondering if it had been updated for the second."
I got lots of answers, but no one seemed to look at what was on page 16. (It happens to be the examples of incredibly huge numbers.) No wonder I have so little faith in that newsgroup...

|  Remember: Life is not always champagne. Sometimes it is REAL pain.  |
|"The moral PGP Diffie taught Zimmerman unites all|     Disclaimer:    |
| mankind free in one-key-steganography-privacy!" |   Ignore the man   |
|`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.|
|         http://www.teleport.com/~alano/         | alano at teleport.com |

From tcmay at got.net Mon Jan 8 22:29:14 1996
From: tcmay at got.net (Timothy C. May)
Date: Tue, 9 Jan 1996 14:29:14 +0800
Subject: URLs -- Urban Regurgitated Legends
Message-ID:

At 8:50 PM 1/8/96, Futplex wrote:
>Please don't post 6-month-old urban net.urban.legends to cypherpunks.
>(Do we really need to put that in the Junior Grade Cypherpunks Training
>Manual?)

Have you heard that flashing your headlights is a gang signal and can get you killed? Or about the LSD-soaked samples the kiddies are getting? Do you know that the word "gullible" is not in any major dictionary?

--Tim May

We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May               | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA   | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From alanh at infi.net Mon Jan 8 22:30:56 1996
From: alanh at infi.net (Alan Horowitz)
Date: Tue, 9 Jan 1996 14:30:56 +0800
Subject: DNow2 Re: Hammill 1987 speech
In-Reply-To:
Message-ID:

Hi Evan,

Thanks for that lovely piece about the Chiapas uprising. I'm saving it to disk. It's so archetypal of the turgid prose of graduates of Moscow's Patrice Lumumba University.
How wondrous that leftists-without-a-home can find a cause to latch onto and keep their rhetorical skills in practice. Want to come with me tomorrow? I'm going down to the library to re-read the history of the Indians of Meso-America. I like the part about the hundreds of thousands of peasants who had their hearts cut out without anesthesia, so that the Emperor could collect lots of taxes on an abundant harvest. Damn shame that the Spaniards came along and destroyed a culture, ya know? Alan Horowitz alanh at infi.net From jya at pipeline.com Mon Jan 8 23:16:56 1996 From: jya at pipeline.com (John Young) Date: Tue, 9 Jan 1996 15:16:56 +0800 Subject: CAL_bak Message-ID: <199601090214.VAA08347@pipe3.nyc.pipeline.com> The Jan 6 Emist reports on the $488m callback game: Callback services exploit the fact that in many countries it costs more to make one international telephone call than to make two from America. By the end of the year more than 100 American companies will be selling the service. Places that have tried to stop the services include Saudi Arabia, Argentina, South Korea, China, Malaysia and Canada's North West Territories, where even local calls were cheaper by callback. The operators believe they are beyond the reach of local laws. Even if laws are passed, technology makes them hard to police. "It's a cat and mouse game," one says. "It's kind of fun." CAL_bak Thx to AS. From jamesd at echeque.com Tue Jan 9 00:18:40 1996 From: jamesd at echeque.com (James A. Donald) Date: Tue, 9 Jan 1996 16:18:40 +0800 Subject: Microsoft continues to mislead public about Windows security bugs (a bit long, with references) Message-ID: <199601090802.AAA13049@blob.best.net> At 07:15 PM 1/8/96 -0800, Rich Graves wrote: >As Microsoft well knows, this is completely untrue. [...] > > [...] > >Microsoft has not even admitted that this bug in both Windows 95 and >Windows for Workgroups affects Windows for Workgroups, apparently because >they have decided not to fix it. > > [...] 
> > We believe that it would be highly irresponsible to release the full > version of this hack, but we will soon release a crippled > demonstration-only version > > Is anybody listening? They will listen if you start to release full uncrippled exploits, after a reasonable delay. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From bart at netcom.com Tue Jan 9 00:18:44 1996 From: bart at netcom.com (Harry Bartholomew) Date: Tue, 9 Jan 1996 16:18:44 +0800 Subject: S.652 (H.R. 1555) Message-ID: <199601090608.WAA25533@netcom14.netcom.com> Today's version of the bill is posted at: http://www.cdt.org/policy/freespeech/12_21.cda.html This title may be cited as the "Communications Decency Act of 1995". Perhaps some of our more lawyerly types can decipher whether it is getting better or worse as the conference committee chews. Not I. From shamrock at netcom.com Tue Jan 9 00:48:37 1996 From: shamrock at netcom.com (Lucky Green) Date: Tue, 9 Jan 1996 16:48:37 +0800 Subject: Microsoft continues to mislead public about Windows security bugs (a bitlong, with references) Message-ID: At 12:01 1/8/96, James A. Donald wrote: >At 07:15 PM 1/8/96 -0800, Rich Graves wrote: >>As Microsoft well knows, this is completely untrue. [...] >> >> [...] >> >>Microsoft has not even admitted that this bug in both Windows 95 and >>Windows for Workgroups affects Windows for Workgroups, apparently because >>they have decided not to fix it. >> >> [...] >> >> We believe that it would be highly irresponsible to release the full >> version of this hack, but we will soon release a crippled >> demonstration-only version >> >> Is anybody listening? 
> >They will listen if you start to release full uncrippled exploits, after >a reasonable delay. Very true. But why does it always seem to take an exploitable crack before companies pay attention to security flaws? Is it because they are unable to admit that they have made a mistake? Everybody makes mistakes. What's the big deal? I really don't understand it. Any psychologists on this list? -- Lucky Green PGP encrypted mail preferred. From jimbell at pacifier.com Tue Jan 9 01:46:11 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 9 Jan 1996 17:46:11 +0800 Subject: NWLibs Re: Hammill 1987 speech Message-ID: At 10:01 PM 1/7/96 -0800, you wrote: >Mr. Bell: > >if I were to summarize my arguments, they would be that governments >are the way that they are not so much because they attract certain >dysfunctional individuals, but rather because they are microcosms >and macrocosms of human psychology. the problems with government >that libertarians rant about are problems with human behavior. >the solution is not to get rid of governments-- this is confusing >cause and effect, symptom and cause. the solution is to work on >human behavior. when humans begin to think in a different, >positive way, their governing systems will automatically reflect the change. Gobbledygook. Blaming the problems of the system on the people involved. It is obvious that you are unwilling to admit that THE SYSTEM could, indeed, BE the problem. >my essay was designed to show the negative aspects of governments >that rabid libertarians are always endlessly ranting about are actually >embodied in the psychologies of those libertarians themselves. More gobbledygook. Blaming the problem on the observers of the problem. >therefore, >while I agree with the libertarian that there are many problems with >governments, I see no reason to believe that libertarians are proposing >a workable alternative, based on their own stark biases and prejudices. Still more gobbledygook. 
You don't mention WHICH "stark biases and prejudices," for instance.

>in fact it seems quite obvious to me that their own "alternatives" are
>either "vaporware"

"Vaporware" is generally thought of as programs that have not yet been implemented. While it is true that much of what libertarians have proposed has not yet been implemented, blame for this lies strongly (and primarily) with NON-libertarians.

>or would be far worse in practice than even the
>dysfunctional systems we have in place today.

You haven't established this, and haven't even attempted to. Your argumentation is weak and practically meaningless.

>rabid libertarianism reminds me of Marxism: sounds great in theory,

Lots of things "sound great in theory". That does not mean that everything that "sounds great in theory" will NOT be good in practice, if allowed to operate. This is ESPECIALLY true that much of libertarianism which "sounds great in theory" actually sounds PERFECTLY AWFUL to the statists who currently control things.

> and
>you might even convince large parts of the population or key people in
>power to follow it. but does it truly present an implementable and workable
>alternative?

First, you tell us: What are your standards for this? Are you never going to admit that it's "workable" until it's actually working? In other words, when those opposing it have finally FAILED?

where are the specifics?

"Specific" what?

>identifying problems with government is quite trivial.

If you admit this is the case, this puts even more blame on those defending government's flaws (or failure to fix them.)

>this is destructive
>criticism,

Please document this silly claim. You're saying identifying problems with government is "destructive"? "Destructive" of what, pray tell?!? If it's "destructive" of a bad and corrupt government, I'm HAPPY to hear it. This kind of "destructive" we need PLENTY more of!

>analogous to the guerilla warfare of words that rabid libertarians
>love.
but criticism is easy compared to construction of something that works.

Oddly, the non-libertarians don't usually want to give libertarians the opportunity to take enough control to show that what they can do "works." Gee, I wonder why! Maybe they're afraid of incipient success. Privatization of previously publicly-provided services is strongly resisted.

>when you focus your attempts on creating a system that embodies your
>ideals instead of ranting at those that do not (and complaining that
>you cannot because governments prevent you), you will make far more
>progress in developing your ideas and convincing the world to follow you
>than any number of essays can accomplish.

More gobbledygook.

>if libertarianism is truly workable, shouldn't it be workable on
>small scales?

It is, and does, work on small scales, WHEN ALLOWED.

>what prevents individuals from actually starting it going
>at a small scale and growing it?

It's called, "government regulation," "taxes," and such. If you've been following the news recently, perhaps you've noticed that there are "peanut quotas" (to cite just one example) which legally prevent me from deciding to grow peanuts and sell them freely on the American market. ___THIS___ is just one of those things which "prevents individuals from actually starting it going at a small scale and growing it." Feeling a bit more foolish, Mr. Nuri?!?

>that is the path that every government
>and nation has taken since the beginning of time, why do you think you
>should be exempt?

That's EXACTLY why libertarianism ISN'T being allowed to flourish. It eliminates control that others worked hard to achieve.

>I don't see that any of your response to my essay detract from this
>basic message so I'm going to pass on a detailed reply.

Typical Nuri wimp-out.
From llurch at networking.stanford.edu Tue Jan 9 01:48:45 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 9 Jan 1996 17:48:45 +0800 Subject: Microsoft continues to mislead public about Windows security bugs (a bit long, with references) In-Reply-To: Message-ID: [Cc'd outsiders can browse this thread on the cypherpunks list via the public news://nntp.hks.net/hks.lists.cypherpunks; please drop the Cc line on followups] I just made a couple of updates to http://www.c2.org/hackmmsoft/ after reviewing the responses trolled up in the last several hours; take a gander. On further review, I don't think Peter's latest, which you run from the DOS command prompt to email a randomly chosen password to your email address of choice, is that serious a threat. I don't have it on a machine I can get to now, and I'm going to be offline tomorrow, but I'd suggest that Sameer go ahead and post the binary soon. Btw, Peter hasn't given us the source code, and I wouldn't post it anyway, because it would make it too easy for someone without the proper ethic to "improve" the hack. I just don't want us to look like the bad guys here. I think a little patience and bending over backwards to be nice encourages non-cypherpunk types like Peter Miller (the Access crack) to come down on the right side. By the way, in response to my newsgroup posting, I got a few messages that Bill Gates had been interviewed somewhere and had said that all the problems with Windows security were the result of the US Government's restrictions on the export of strong cryptography. It's nice to see the richest man in the world on the right side of at least one issue, but this is of course complete bullshit. ITAR has nothing whatsoever to do with these bugs. 
Any press who cover the issue incorrectly should be educated about the difference between a good implementation that can be brute-forced in X amount of time with Y amount of computing power because the guvmint puts limits on the key size, and a stupid implementation that is far, far less secure than (X,Y) because of poor programming. -rich From an466459 at anon.penet.fi Tue Jan 9 02:22:08 1996 From: an466459 at anon.penet.fi (an466459 at anon.penet.fi) Date: Tue, 9 Jan 1996 18:22:08 +0800 Subject: can we trust the government as custodians of private info? Message-ID: <9601090852.AA22761@anon.penet.fi> DOYLESTOWN, Pa. (ITN) * Carol Sandusky didn't want to hear how her biological father supposedly stabbed her mother with an ice pick and threw her out a window while pregnant with Carol. She didn't want to know she was beaten in the face with a saucepan and burned with cigarettes as a toddler. She didn't want to hear that her biological family members accuse each other of rape, murder, beatings and infidelity. Sandusky, 26, learned the details because a government caseworker violated her wishes -- and the law -- by helping a sister track her down. What's worse, she said, the same agency might have saved her from a tormented adolescence had it disclosed the abuse to Jeanne and Thomas Sandusky when they adopted Carol in 1973 at the age of 3 1/2. "The state made a decision to take me out of this environment, then they decided 20 years later to bring it back to me," Sandusky said. "My file was supposed to be really private." In telling her story and advocating privacy laws, Sandusky stands among the few trying to counter a movement promoting vigorous searches for birth families. She rejects the arguments of those, including her biological sister, who believe she's not dealing with her adoption and must hear the grisly details to heal emotionally. "They thought this information was going to help me. I wasn't even born yet. What's this information going to do for me?" 
Sandusky said. Sandusky, her parents and her husband recently filed a federal lawsuit against the Cumberland County Children and Youth Services, administrator Gary I. Shuey and the person she blames for improperly revealing sealed information, former agency caseworker Marlene Bohr. They contend the agency violated Sandusky's privacy and fraudulently withheld information that would have led her adoptive parents to seek therapy for her years earlier. In Pennsylvania, adoptees may obtain information about their birth parents with the consent of a court and the parents, but the law forbids agencies from opening records to siblings. Most states have restrictions on adoption records. Bohr did not return messages left on her home answering machine and Shuey didn't return calls to his office. Ruby D. Weeks, attorney for the youth agency, referred calls to county solicitor Hank Johnson, who said he had not seen the lawsuit and could not comment. Sandusky's ordeal started in February 1992, two months after her wedding. At 22, Sandusky had achieved stability after an adolescence marked by bulimia, suicide attempts and hospital stays for emotional problems. Along with a new marriage, she had a good job as a nanny. Her parents then got a call from Bohr saying the eldest of Carol's two older biological sisters was looking for her. The Sanduskys, who live in Newtown, Bucks County, refused to divulge their daughter's phone number but passed the message to her, along with Bohr's number. "I said, 'Throw the number out,' " Sandusky recalled. But her parents, who also have a biological son, 17-year-old Brad, encouraged her to call as a matter of courtesy. Talking on the phone with Bohr, Sandusky said, she learned that her sister "had a great need to see me because she protected me during infancy." Sandusky was put off by that great need and mortified when she learned the sister had located her biological parents and grandparents. 
"I didn't want to be involved with any of that," said Sandusky. "I said, 'No way.' " Sandusky did, however, agree to hear medical background information from Bohr. Instead, Sandusky said, she ended up with disturbing information from the caseworker and two years' worth of bizarre, harassing letters from the sister. First came the medical information from Bohr. "She said, 'It looks as if you were beaten in the face with a saucepan. It looks as if you have cigarette burns. It looks like you were tied to a chair and shot up with Thorazine. I have a picture right in front of me of your face with a huge hand print on it,' " Sandusky recalled. The abuse reportedly came at the hands of her birth parents and, later, her foster parents. "That wasn't what I expected to hear. That's not what I consider medical information, and I hung up the phone," Sandusky said. Two days later, she got the first letter from her sister, who is two years older. Many others followed, detailing not only family medical history but also family brutality. "It's unbelievable what this family life was like," said Sandusky. Sandusky and her husband eventually moved to a new home in Bucks County, fearful of visits from blood relatives. In the letters, the sister indicated Bohr had given her extensive details about Sandusky and other biological relatives. Sandusky's anger focuses on Bohr. In a thick file, she has letters from state lawmakers who agree that, by law, Bohr had no business calling on behalf of the sister. But District Attorney Michael Eakin, in a statement issued at year's end, said the two-year statute of limitation in the case had expired, giving him no legal avenue to press charges. He declined to comment further. Florence Anna Fisher, who helped found the adoptee search movement 25 years ago by launching Adoptees' Liberty Movement Association, advocates breaking laws that keep information from adoptees. She said she doesn't understand Sandusky's complaint. 
"Nobody can pressure you into staying on the phone and seeing someone you don't want to see if you're an adult," Fisher said. She agrees adoptees should be left alone if they want no contact, but she believes that all adoptees really do want to know about their past and owe it to their children and grandchildren to find out. "If they told me I had been burned, if they told me I had been abused as a child, I would rather know that than walk around a blank slate all (my) life," she said. Joanne W. Small, executive director of Adoptees in Search in Bethesda, Md., said the Sandusky case should not be used as a reason to keep records closed. "It must be considered atypical and aberrant," she said. But Mary Beth Style, vice president of the National Council for Adoption in Washington, D.C., the prime organization lobbying to keep adoption records closed, said she receives calls from people hysterical over unwanted contacts. One woman in Washington state reported that an intermediary had violated her wishes and revealed her identity to her birth daughter. It turned out the daughter worked for the mother's husband. "You're assuming that these adults cannot make decisions on their own, that they're in denial and you're going to help them," she said. "There is no way to protect the quality of the searches and I'm very concerned about that." Even initial contacts can be traumatic for people who thought they had put adoptions behind them, according to Style, who added that opening closed records also erodes trust among those considering adoption. For her part, Sandusky, who hopes to adopt someday, can do without the biological family reunion. "They almost killed me," she said. "I don't need to confront that situation." --****ATTENTION****--****ATTENTION****--****ATTENTION****--***ATTENTION*** Your e-mail reply to this message WILL be *automatically* ANONYMIZED. Please, report inappropriate use to abuse at anon.penet.fi For information (incl. 
non-anon reply) write to help at anon.penet.fi
If you have any problems, address them to admin at anon.penet.fi

From sasha1 at netcom.com Tue Jan 9 19:24:17 1996
From: sasha1 at netcom.com (Alexander 'Sasha' Chislenko)
Date: Tue, 9 Jan 96 19:24:17 PST
Subject: PRIVACY: Private traces in public places
Message-ID: <2.2.32.19960110032650.006f1934@netcom.com>

Most of the materials that are currently available on the Net and can be easily found through many search engines were created for other media, by people who were not aware that these materials may ever end up on the Web.

Sometimes, it comes as an unpleasant surprise to a person who looks for web pages referencing his own name, and finds, among other things, many of his explicit or controversial usenet or mailing list messages, old resumes that may contradict the current one, critical remarks of his high school girlfriend and former colleagues, etc. Knowing that this information is easily accessible to his new girlfriend and prospective employer may make him more than uncomfortable.

All advice to such a person you may see on the Net mentions Net laws that should have been passed and personal actions that should or should not have been taken. In both cases, it's usually too late.

Fortunately, not that many people have been burned. We can bury them (or their reputations) and move ahead, vowing not to repeat their mistakes. From now on we, the prudent ones, will be very careful not to leave compromising traces where they can be uncovered by existing technologies and made public. It's called "learning from other people's mistakes".

- No, it isn't !

The mistake those people made was not leaving traces that could be made public with *then* existing technologies. It was doing things that could be uncovered by technologies (like search engines) that at the time *did not exist*.
If you want to learn from these mistakes, you should look at what information about yourself you are leaving behind that can be made public tomorrow.

Let's look at what traces you leave. I do not want to consider time travelers from the future watching your life. - Just some already available technologies that are on the rise and will be cheap and ubiquitous tomorrow.

- Your database records.
- All letters to public officials that you ever wrote or that mentioned your name.
- All mentions of you in any printed press.
- All published photos where you can be recognized (including street crowds, demonstrations, football games) - they will all be scanned some day, and machines with image recognition will find you even where you wouldn't.
- Your fingerprints. How many books, magazines and other things currently stored all over the world carry your fingerprints? It is possible to figure out what pages you read, after whom, with whom, etc.
- Landfills: They are probably the richest source of detailed historical information that is not obtainable from any other source and can be used to reconstruct the detailed history of society, economy, technology and any single person with incredible detail. Besides thousands of your personal letters and documents, they contain data on the evolution of your intelligence, handwriting, habits such as nail-biting, samples of hair that you washed with different shampoos (or didn't) and millions of discarded little things identifiable by your writing, fingerprints or DNA samples. One may figure out where you drank a cup of Coke 30 years ago, and who you shared it with. And so on.

The technology necessary to recover and index all this data is already available and will become very cheap in a few decades.

How can people protect themselves from all this? Will people of the future all wear identical privacy suits, gloves and helmets and burn everything they have touched? Or will they just try not to do things they may later be ashamed of?
(How do you know what you may be ashamed of 30 years from now?)

----------------------------------------------------------
Alexander 'Sasha' Chislenko
Home page: http://www.lucifer.com/~sasha/home.html
Great Thinkers page: http://www.lucifer.com/~sasha/thinkers.html

From vin at shore.net Tue Jan 9 03:32:14 1996
From: vin at shore.net (Vin McLellan)
Date: Tue, 9 Jan 1996 19:32:14 +0800
Subject: Spiegel on CIS Censorship
Message-ID:

Interesting, below, how CMU's lack of standards, Marty Rimm's exploitive "scholarship," Time Magazine's sensationalistic schlock journalism (shades of "National Enquirer" there! remember!) and CIS's utter ignorance of free-speech principles set the stage for the symbolic Bavarian Censorship of the Net. You'll hear of a dozen other nations jumping in, with different standards, within the month.

I find the tragic association of a "free" Internet and porn to be painfully common among cyberless adults even in my own community. Odds are, my state, Massachusetts -- arguably the most liberal of the US states -- would vote for Censorship Filter tomorrow if it were on a ballot.

It's amazing how incompetent the liberal/libertarian side has been in this public debate. (So incompetent, in fact, that there has been _no_ public debate!) Everyone who wants to place control over any filter (any part of The Filter?) in the hands of the citizen is just another snuff/torture/kiddy porn addict.

How have we let the image of the Net -- surely one of the most generous, selfless, sharing communities ever to come into existence (think of the freeware!) -- be reduced to such degradation?
_Vin

---------- Forwarded message begins here ----------

From--michael_kunze at spiegel.de (Michael Kunze)
Newsgroups--alt.censorship
Subject--CIS censorship--The whole story
Date--Sat, 06 Jan 1996 09:33:39 GMT

Dear Nettizens,

Some five hundred postings ago, I promised to let you have more details about the CompuServe censorship case investigated by the editorial staff of SPIEGEL online. It is not a story of evil but of people acting overambitious and ignorant. And it is not quite as simple as DrG might be wishing!

To keep it short, here are the facts:

In 1994, a Task Force called "AG EDV" was set up by the Bavarian Minister of Interior at the Police Headquarters in Munich. Initially, the Task Force was formed to search for persons dealing with pornographic material via BTX, the former online service of German Telekom, and its work was limited to one year. For the moment, investigations of this Task Force ran successfully due to the assistance of Telekom. But simultaneously, people being suspected changed their ways of distributing either to closed BBS systems or chose more secret methods.

So the Task Force was compelled to enhance their efforts and they raided Munich BBS systems. Furthermore, they studied computer magazines to find ads for pornographic CD-ROMs. During this operation they found what they were looking for, and "PC Direkt", a Ziff Davis publication, and some other magazine were forced to pulp some issues.

All activities of the Task Force could not have happened, if they were not supported by a whole bunch of local prosecutors and judges. Sticking together, chatting, doing favours forms a part of the social life in Munich - in malicious words - the 'Munich swamp'.

The prevailing opinion of the Task Force and of some prosecutors is that carriers of digital information could be held responsible for the content of what they are spreading. This meaning matches exactly the content of the CDA. But this is only one point of view.
Up to now, there doesn't exist any law or direction in Germany concerning responsibilities of ISPs or online services regarding contents they only do deliver. And so, judges decide from case to case. The German department of justice thinks that carriers could be held responsible if they deliver illegal content "deliberately". But then, could one call them "carriers"?

Last summer, a kind of hysteria about Internet pornography broke out in German media. A few journalists had made their first steps in the Internet and discovered nasty postings in the alt.binaries.pictures.erotica Usenet hierarchy. A student of Erlangen University was seized because of spreading child porn via Usenet. Then, the "Time" article about Internet porn was published and quoted by nearly every German newspaper.

I think at that time the Task Force planned to investigate the Usenet. Due to the facts that CIS had become a big ISP and their German office is located in Munich, CIS seemed to be a worthwhile target. Somehow the Task Force managed to get a search warrant to investigate the Munich CIS office on November, 22nd.

However, the search was more or less like a visit. Let me quote the public prosecutor: CompuServe "was quite cooperative". "We sat together talking about chances to kick pornographic contents out of CompuServe's information system." The police officers just collected a copy of the CompuServe association contract and the address of the CEO.

Two days later, CompuServe's German managers published that they "will do anything to support the work of German authorities fighting against pornography in Cyberspace".

On December, 8th, CIS was handed a list of more than 200 newsgroups by the Task Force. In my opinion, interpreting the prosecutor and the CIS spokeswoman, this list was presented to CIS as containing "suspicious newsgroups". In the attached letter from the prosecutor it is said: "...
it is left to CompuServe to take the necessary steps to avoid possible liabilities to punishment."

So, if CompuServe should have ever had threats, it could have been only very small ones. But there is no reason for their German management to risk anything. CompuServe's approach is not to guarantee for "freedom of speech and information" but to make "money".

When I interviewed the prosecutor, it soon became quite clear that his department had tried to bring CIS to court to get its legal position checked by some judges. Because of CIS's servile tactics they had to give up their goal.

The ominous list itself shows how ignorant the members of the Task Force are about the Usenet. In my opinion, they just sampled all newsgroups containing words like "sex", "erotic", "gay" and so on and put the result onto the list.

We have two in depth articles on the whole affair on our web server. One is an extended version of what I've posted here, the other deals with the CDA and the actual political and legal situation concerning the Internet. Unfortunately for US readers, these articles are in German because we didn't find the time to translate them. But I hope we can manage this until Monday 8th, 8:00 AM, EST. Then, you should point your browser to or have a look at our complete online services at

By the way, SPIEGEL online is the online department of the reputable German news magazine DER SPIEGEL.

Greetings
Michael

--------------------------------------------------------------
Michael Kunze                Tel.:+49(0)40-3007-0
Redaktion/editorial staff    Fax :+49(0)40-3007-2986
Spiegel Online
Brandstwiete 19
20457 Hamburg / Germany
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
std. disclaimer: this opinion is mine, exclusively and forever

<*><*>< Vin McLellan + The Privacy Guild + vin at shore.net ><*><**>

Heed, fellow citizens, Justice Felix Frankfurter (Butler v.
Michigan): "The State insists that, by thus quarantining the general reading public against books not too rugged for grown men and women in order to shield juvenile innocence, it is exercising its power to promote the general welfare. Surely this is to burn the house to roast the pig.... The incidence of this enactment is to reduce the adult population of Michigan to reading only what is fit for children."

From blancw at accessone.com Tue Jan 9 20:40:38 1996
From: blancw at accessone.com (blanc)
Date: Tue, 9 Jan 96 20:40:38 PST
Subject: S.652 (H.R. 1555) ("obscene, lewd, lascivious, filthy, or indecent...et al")
Message-ID: <01BADED3.DE4C0660@blancw.accessone.com>

You know, you all are worrying too much about this War of the Offending Words.

What the governing types are really trying to prevent is communication which is succinct, direct, penetrating, & to the point. What one needs to do is to learn to speak like politicians. Learn to go around the subject, make indirect reference, make vague allusions, be indirect & wavering, ambiguous & obfuscating, evasive & hypocritical; never openly offending, never possible to be held liable for having said anything of consequence.

Of course it will still be annoying, but how can they criticize their own style & manner.

..
Blanc

From lvhove at vnet3.vub.ac.be Tue Jan 9 05:27:44 1996
From: lvhove at vnet3.vub.ac.be (Leo Van Hove)
Date: Tue, 9 Jan 1996 21:27:44 +0800
Subject: Belgium has 'key escrow' law
Message-ID:

Surprise, surprise.

Today's issue of 'De Standaard', Flanders' most respected newspaper, reports that - much to everybody's amazement - Belgium has a key escrow law in working order - or almost...
The newspaper states that certain articles of a much 'broader' law that was passed on the 21st of December 1994, if enforced - which to date has _not_ been the case, would imply that encryption of computer messages is illegal unless the private key is registered with the BIPT (the Belgian Institute for Postal services and Telecommunication; a government administration that regulates the telecom sector). At the time of enactment these articles went almost completely unnoticed - hence the amazement.

As mentioned, said articles are not enforced yet but it now appears that a working group, called Belinfosec (Belgium Information & Security), led by a colonel of the military intelligence services - no less, is preparing a report which would contain further specifications and would propose enacting clauses.

Note that at present there is already legislation up and working that enables Belgian law enforcement to tap telephone lines 'in specific circumstances' (i.e., suspicion of criminal or terroristic activities). Judging by the newspaper article it will not be long before this will include computer messages.

Asked for a reaction, officials from the banking sector reacted with both disbelief and outrage. The article quotes the head of security at Banksys (the interbank consortium that operates Belgium's nation-wide ATM/POS-network) who considers it to be "unacceptable" and "an intrusion on privacy" if government authorities were to be able to monitor all the money flows that pass through the Banksys network. He also fears that once revealed to the authorities, the keys might fall into the wrong hands, thus jeopardizing the system's security.

I'll try to find out more and keep you informed.

Ciao,
leo

P.S. I'm not on the cpx mailing list, so please Cc me.
_________________________________________________________________________
Leo Van Hove
Centre for Financial Economics
Vrije Universiteit Brussel (Free University of Brussels)
Pleinlaan 2
B-1050 Brussels
Vox: +32 2 629.21.25
Fax: +32 2 629.22.82
e-mail: lvhove at vnet3.vub.ac.be
VUB's Web site: http://www.vub.ac.be
_________________________________________________________________________

From tallpaul at pipeline.com Tue Jan 9 06:47:13 1996
From: tallpaul at pipeline.com (tallpaul)
Date: Tue, 9 Jan 1996 22:47:13 +0800
Subject: A little skepticism over $60 billion
Message-ID: <199601091428.JAA16977@pipe9.nyc.pipeline.com>

On Jan 08, 1996 21:16:20, 'Bill Stewart ' quoted dang at netcom.com's post about a S.F. Examiner story, to wit:

>>
>>NEW YORK U.S. companies will lose as much as 30 percent of the $200
>>billion in U.S. computer system sales expected
>

B. Stewart went on to remark:

>OK, so crypto export laws will cost....

The phrase "as much as" does not mean "will," as in: "Lose as much as 14 pounds this month with the newly discovered miracle diet...." or "Studies show as many as 1 in 4 students will be raped while ...."

The phrases use weasel words that say little about the real nature of the real world. How much money will companies *likely* lose, how many *likely* pounds lost, how many *likely* rapes? None of the "studies" say.

Assuming the studies are reliable in the first place, the only thing the weasel words state accurately is the potential maximum, E.G. "You can starve yourself all you want and the universe will die a heat death before any human being will ever lose more than 14 pounds on our diet and you may not lose anything...." or "No matter how much we fudge with the English language's definition of 'rape' for political reasons, we can't get estimates above 1 in 4 ...."

Now we know that U.S. companies will lose something off the government's anti-export policies.
But will we really see 30% of sales lost by purchasing agents saying "Gee, we'd like to buy IBM mainframes and Dell micros and Windows and unix but we won't because there is no secure encryption program in the world that will run on the IBM or U.S. micros or under the U.S. OS's"?

Let's fight the export laws over exporting quality crypto without accepting advertising hype from any industry.

--
-- tallpaul -- Any political analysis that fits on a bumper sticker is wrong.

From declan+ at CMU.EDU Tue Jan 9 06:50:52 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Tue, 9 Jan 1996 22:50:52 +0800
Subject: S.652 (H.R. 1555)
In-Reply-To: <199601090608.WAA25533@netcom14.netcom.com>
Message-ID:

Excerpts from internet.cypherpunks: 8-Jan-96 S.652 (H.R. 1555) by Harry Bartholomew at netcom
> Perhaps some of our more lawyerly types can decipher whether
> it is getting better or worse as the conference committee chews.
> Not I.

I'm not a lawyerly type by any means, but my understanding is that it's getting worse:

* The provision prohibiting the FCC from regulating the Net has been removed.
* The max fine for "indecent" speech is now $250,000.

The budget crisis stalled work on the legislation, and many congressperns are out of town. But the Senate wants the bill to pass in its current form, as does the White House -- Gore called it "an early Christmas present to the American people."

The only opposition is from the House freshman Republicans, who are criticizing the bill on other grounds. Since they don't want to be seen as "porn-sympathetic," my guess is that the indecency provisions will stay in. And the bill should become law within the next month.

-Declan

From jcobb at ahcbsd1.ovnet.com Tue Jan 9 23:16:54 1996
From: jcobb at ahcbsd1.ovnet.com (James M. Cobb)
Date: Tue, 9 Jan 96 23:16:54 PST
Subject: Book on Electronic Commerce
In-Reply-To: <01HZTEQR5AE8A0UD8R@mbcl.rutgers.edu>
Message-ID:

Allen,

Here's another one, fresh out:

Daniel Lynch and Leslie Lundquist.
Digital Money. The New Era of Internet Commerce. 1996. 304 pages. $24.95. John Wiley & Sons, Inc. 1 800 22 559 4539. ISBN 0 471 14178 X.

From the blurb:

It explains the technical underpinnings of transactions, including encryption and digital signatures, and details the resources and procedures involved in establishing an exchange-capable service.

Cordially,
Jim

From gaffney at emba.uvm.edu Tue Jan 9 07:46:23 1996
From: gaffney at emba.uvm.edu (Don Gaffney)
Date: Tue, 9 Jan 1996 23:46:23 +0800
Subject: S.652 (H.R. 1555)
In-Reply-To: <199601090608.WAA25533@netcom14.netcom.com>
Message-ID:

On Mon, 8 Jan 1996, Harry Bartholomew wrote:

>
> http://www.cdt.org/policy/freespeech/12_21.cda.html
>
> This title may be cited as the "Communications Decency Act of 1995".
>
> Perhaps some of our more lawyerly types can decipher whether
> it is getting better or worse as the conference committee chews.
> Not I.
>

I'm not a lawyer, but from what I've read from the WWW site above, it seems that only providing "indecent" materials to minors is prohibited. I think this is already illegal.

Broadcasting or sending unsolicited "indecent" materials is also prohibited, but that seems to have always been the case (except that objectionable materials have been called "obscene" rather than "indecent").

There are provisions, as I read it, that protect electronic intermediaries from the acts of the actual publishers of the materials (i.e. an ISP is not responsible for the material of other internet sites not under their control).

It sounds to me like the only real task posed is to authenticate those accessing questionable materials as being >= 18 years old. Hmmmm. Don't authentication & crypto go hand-in-hand?

Anyway, being rather foolish I suppose, I don't exactly see what the big deal is - am I missing something???
_____________________________________________________________________
Don Gaffney
Engineering, Mathematics & Business Administration Computer Facility
University of Vermont
237 Votey Building
Burlington, VT 05405
(802) 656-8490 Fax: (802) 656-8802

From mark at unicorn.com Tue Jan 9 08:03:03 1996
From: mark at unicorn.com (Mark Grant, M.A. (Oxon))
Date: Wed, 10 Jan 1996 00:03:03 +0800
Subject: Can you break my encryption protocol ?
Message-ID:

I'm trying to put together a simple protocol for encrypting confidential but typically low-value data (i.e. I don't want people to be able to read it, but in most cases it wouldn't be catastrophic if they could). I want it to be completely license-free, so I can't use RSA or other patented algorithms. It also would only be used inside one organisation, so key management isn't so much of a problem, and the main attack it has to defend against is packet-sniffing on the Net. It also has to support variable-length keys for ITAR..

The idea is as follows..

Client and server both have copies of a passphrase, of any length. When starting the connection, client sends 128 random bits to the server. Both ends take this data, append the passphrase, and use MD5 to generate a session key.

If a key of less than 128 bits is required for legal reasons, then the appropriate number of bits are retained, and the rest replaced with bits from the random data that was sent in the clear. That is, if you're only allowed 40 bit security, you take the first 88 bits that you were sent, and append the last 40 bits of the generated key to give you the session key to use.

You then go off and encrypt the session (probably using 3DES or Blowfish).

Can anyone spot any flaws in this system ? The only potential problem I can see would be that by cracking a number of sessions you could work out the passphrase. However, I think the number required would still be infeasible.

Also, are there any known problems with using Blowfish for encrypting a data stream ?
I'm assuming it's OK as it's used in PGPfone.

Mark

From jya at pipeline.com Tue Jan 9 08:23:37 1996
From: jya at pipeline.com (John Young)
Date: Wed, 10 Jan 1996 00:23:37 +0800
Subject: Eavesdrop Law
Message-ID: <199601091608.LAA16877@pipe2.nyc.pipeline.com>

As variation on the recent discussion of employee e-rights, WSJ today:

New eavesdropping law creates labor-management tussle in Illinois.

The Illinois AFL-CIO is going to court to fight a provision in a bill Gov. Jim Edgar signed last month that the labor group says allows employers to listen in on employees' conversations "for virtually any reason." A spokesman for the Illinois Retail Merchants Association, the provision's prime backer, says such fears are "wild speculation."

Critics say the provision's language, allowing monitoring for "service quality control or for educational, training, or research purposes," is far too broad. The retail merchants association notes that employers are responsible for the conduct of employees who deal with customers over the phone.

From bdavis at thepoint.net Tue Jan 9 08:38:43 1996
From: bdavis at thepoint.net (Brian Davis)
Date: Wed, 10 Jan 1996 00:38:43 +0800
Subject: S.652 (H.R. 1555)
In-Reply-To:
Message-ID:

On Tue, 9 Jan 1996, Declan B. McCullagh wrote:

> Excerpts from internet.cypherpunks: 8-Jan-96 S.652 (H.R. 1555) by Harry
> Bartholomew at netcom
> > Perhaps some of our more lawyerly types can decipher whether
> > it is getting better or worse as the conference committee chews.
> > Not I.
>
> I'm not a lawyerly type by any means, but my understanding is that it's
> getting worse:
>
> * The provision prohibiting the FCC from regulating the Net has been removed.
> * The max fine for "indecent" speech is now $250,000.
                                              ^^^^^^^^^
Probably accomplished by making the "crime" a felony. Standard fine for Title 18 cases is $250,000 (there are exceptions, of course.
EBD

From frissell at panix.com Tue Jan 9 08:51:52 1996
From: frissell at panix.com (Duncan Frissell)
Date: Wed, 10 Jan 1996 00:51:52 +0800
Subject: S.652 (H.R. 1555)
Message-ID: <2.2.32.19960109163321.006a3fdc@panix.com>

At 10:32 AM 1/9/96 -0500, Don Gaffney wrote:
>On Mon, 8 Jan 1996, Harry Bartholomew wrote:
>
>>
>> http://www.cdt.org/policy/freespeech/12_21.cda.html
>>
>> This title may be cited as the "Communications Decency Act of 1995".
>>
>> Perhaps some of our more lawyerly types can decipher whether
>> it is getting better or worse as the conference committee chews.
>> Not I.
>>
>
>I'm not a lawyer,

No kidding.

> but from what I've read from the WWW site above, it
>seems that only providing "indecent" materials to minors is prohibited.
>I think this is already illegal.

No. For example, the San Francisco Chronicle can be sold or given to minors without restriction and yet it has published the word "fuck" on several occasions. This is considered "indecent" but not obscene. Likewise other newspapers, magazines, and books. The Supremes have upheld time, place, and manner restrictions on over-the-air broadcast of indecent material (The Seven Words You Can't Say on Television), but these restrictions do not apply to cable or even to broadcast later at night.

>Broadcasting or sending unsolicited "indecent" materials is also
>prohibited, but that seems to have always been the case (except that
>objectionable materials have been called "obscene" rather than "indecent").

Obscene is different from indecent. What Congress is attempting to do is apply conventional broadcast TV and radio regulation to the Internet and other computer networks in spite of the fact that they are not like those systems and in any case those systems are supposed to be in the process of being deregulated themselves.

>There are provisions, as I read it, that protect electronic
>intermediaries from the acts of the actual publishers of the materials
>(i.e.
an ISP is not responsible for the material of other internet sites
>not under their control).

But the protections are phony because ISPs have to bend over backwards to block their systems from being used to transmit indecent material. It just deputizes them as cops.

DCF

"Frankly, my Dear. I don't give a damn." -- Indecency, 1939 style.

From declan+ at CMU.EDU Tue Jan 9 08:52:54 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Wed, 10 Jan 1996 00:52:54 +0800
Subject: S.652 (H.R. 1555)
In-Reply-To:
Message-ID:

Excerpts from internet.cypherpunks: 9-Jan-96 Re: S.652 (H.R. 1555) by Don Gaffney at emba.uvm.edu
> I'm not a lawyer, but from what I've read from the WWW site above, it
> seems that only providing "indecent" materials to minors is prohibited.
> I think this is already illegal.

Fortunately, that's not true. Now, I'm anything but a lawyer, so I welcome corrections. My understanding is:

* INDECENCY is illegal to *broadcast* under Federal law, as enforced by the FCC. Examples of indecent words include "fuck" and "cocksucker," which the Supreme Court has defined as illegal in the George Carlin speech, Pacifica case. The justification for a compelling government interest is that radio waves are pervasive, and a child can turn on the radio and hear dirty words by accident. The great free speech attorney Harvey Silverglate has been representing Allen Ginsberg in an "indecency" case, since "Howl" contains "indecent" words -- I believe he managed to get the FCC to include an exemption for material broadcast after midnight.

* OBSCENITY is illegal to *distribute* under state laws, which usually incorporate the Miller test. That is, material which has no redeeming artistic, scientific, educational, or political value is obscene. (There are some exemptions, including university libraries. The ACLU has argued that in that context, Usenet can be considered a library.) In practice, text is not obscene; only bestiality and heavy BDSM pix are.

> It sounds to me like the only real task posed is to authenticate those
> accessing questionable materials as being >= 18 years old. Hmmmm. Don't
> authentication & crypto go hand-in-hand?

If you're running a public web site or anon FTP site, how do you do that? And should you have to?

Anyway, the current telecom bill language continues to include the "indecency" language. Since there are no post-midnight exemptions, it means the Internet would be the most regulated communications medium in the United States.

What does that mean? When this becomes law, you'll be hit with fines of $250,000 and prison terms of two years if you post the word "fuck" in a Usenet newsgroup or on a web page where a minor can read it.

Fuck that.

-Declan

From perry at piermont.com Tue Jan 9 09:04:29 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Wed, 10 Jan 1996 01:04:29 +0800
Subject: NSA says strong crypto to china??
In-Reply-To: <199601071037.EAA00310@proust.suba.com>
Message-ID: <199601091649.LAA11718@jekyll.piermont.com>

Alex Strasheim writes:
> If this is true, it's great news. It would mean that the NSA is adopting
> both cypherpunk analysis and tactics. Who would have thought? An NSA
> remade in Tim May's image.

I suspect that the NSA was thinking in our terms long before many of us were aware of cryptography. I actually think that in many cases, their behavior is perfectly rational. Their goals are merely different. If you are in SIGINT, I believe that the possibility of totally losing a valued intelligence tool must heavily weigh on your mind.

Of course, they are hardly monolithic, and different groups at the NSA necessarily have different goals. Once SIGINT becomes much harder regardless of their previous attempts to stop it, I suspect that the NSA will become a friend and not an impediment.
By that time, of course, the "we have to protect our people" types will be the only ones producing results and getting funding, and the "we have to gather information" types will have long ceased to produce. Thats probably a decade or more off, though. Perry From perry at piermont.com Tue Jan 9 09:12:48 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 10 Jan 1996 01:12:48 +0800 Subject: please stop the Mitnick stuff In-Reply-To: <2.2.32.19960107165924.0068f9e0@limestone.kosone.com> Message-ID: <199601091651.LAA11733@jekyll.piermont.com> Gordon Campbell writes: > >When there are one or two small items posted on a topic thats no big > >deal. When its a lot of stuff, it becomes an enormous pain. Multiply > >the few seconds to read and digest enough of a message to know you > >should delete it by dozens of messages per mailing list per day and by > >a dozen mailing lists and you suddenly have an untenable waste of your > >time. > > I con't recall you speaking up against the various flame wars that have been > going on in here lately, Perry. Thats because I largely send people private mail. I try not to nag in public. Just because you don't see me say "this is irrelevant" doesn't mean I didn't notice. Perry From futplex at pseudonym.com Tue Jan 9 09:37:35 1996 From: futplex at pseudonym.com (Futplex) Date: Wed, 10 Jan 1996 01:37:35 +0800 Subject: Still [NOISE] but a.f.urban was clearly wrong [Fwd: Re: ABOI: Desperate User Support]) In-Reply-To: Message-ID: <199601091717.MAA31459@thor.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- my second white noise message on the same thread: rich writes: > You should know better than to believe everything you read in > alt.folklore.urban, even the debunking. > > There was a brief Libyan-backed coup in Trinidad & Tobago in July 1990. > Here are a few Reuters headlines in reverse chronological order, courtesy > of Lexis/Nexis. I also recall a couple of excellent articles in The > Economist. 
> > I believe that the Symantec story has at least some truth to it. > > I don't read alt.folklore.urban, so I won't post there, but someone should. OK, Rich succeeded in irritating me with some facts ;} so I went to the trouble of doing an Alta Vista search for "trinidad" and "supermac". I think you will find this archived response informative: http://rampages.onramp.net/~mdmiller/complain.htm Futplex From berkley at ixl.net Tue Jan 9 10:03:40 1996 From: berkley at ixl.net (berkley at ixl.net) Date: Wed, 10 Jan 1996 02:03:40 +0800 Subject: S.652 (H.R. 1555) Message-ID: Earlier today (Mon, 8 Jan 1996), you (Don Gaffney) expressed the following: >I'm not a lawyer, but from what I've read from the WWW site above, it >seems that only providing "indecent" materials to minors is prohibited. >I think this is already illegal. It is _not_ currently illegal, as the term "indecent," in all its vagueness, can be defined as anything from a "Bonnie's Busty Barnyard Buddies" video, to _Catcher in the Rye_, which has been deemed "indecent" by several of this nation's local legislative bodies. >Broadcasting or sending unsolicited "indecent" materials is also >prohibited, but that seems to have always been the case (except that >objectionable materials have been called "obscene" rather than "indecent"). And that is EXACTLY the point.
You'll notice that the passage (I believe) in question: "(B) by means of a telecommunications device knowingly - "(i) makes, creates, or solicits, and "(ii) initiates the transmission of, any comment, request, suggestion, proposal, image, or other communication which is obscene or indecent knowing that the recipient of the communication is under ^^^^^^^^^^^ 18 years of age regard less of whether the maker of such communication placed the call or initiated the communication; goes deliberately beyond simply "obscene." Which means that if I were to send my 17 year-old cousin a digitized copy of some "indecent" song lyrics or possibly even information on the AIDS epidemic, I am now facing felony charges from los federales. >There are provisions, as I read it, that protect electronic >intermediaries from the acts of the actual publishers of the materials >(i.e. an ISP is not responsible for the material of other internet sites >not under their control). It seems... But if I let my friendly neighborhood service provider know I'm sending my cousin the electronic copy of Charles Bukowski's "Septegenerian Stew" he requested, no doubt we're both doomed. (...knowingly permits a telecommunications facility under his control to be used for any activity prohibited by paragraph (1) with the intent that it be used for such activity) >It sounds to me like the only real task posed is to authenticate those >accessing questionable materials as being >= 18 years old. Hmmmm. Don't >authentication & crypto go hand-in-hand? No question it is one of them, but the questionable materials are being defined too broadly. >Anyway, being rather foolish I suppose, I don't exactly see what the big >deal is - am I missing something??? 
Along the same freedom of speech lines, the pending legislation also would make it illegal to use a telecommunications medium to express anything "obscene, lewd, lascivious, filthy, or indecent, with intent to annoy, abuse, threaten, or harass an other person;" meaning if I sent e-mail to a spamming "Get Rich Quick-er" telling him to fuck off, I am now in violation of the CDA. The real bitch is that they can continue spamming (IMO, a worse crime) as I rot away in Lemon Creek Correctional Facility; however, I am not about to propose legislation to limit their ability to do that, either. There is also the matter of allowing the FCC to regulate the internet, which I find equally as disturbing, but I am sure there are people on this list who will be able to express concerns with this far more eloquently than myself. Sincerely, Angus Durocher. ____________________________ It should be an outrage for \_ Angus Durocher people who have never seen a \_ No one of much importance road to be so presumptious as \_ berkley at ixl.net to regulate those of us who drive.\________________________ From futplex at pseudonym.com Tue Jan 9 10:14:50 1996 From: futplex at pseudonym.com (Futplex) Date: Wed, 10 Jan 1996 02:14:50 +0800 Subject: [NOISE] The LOGIC of Navigator 2.0 ? In-Reply-To: Message-ID: <199601091756.MAA31007@opine.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- James M. Cobb writes: > That message quoted a couple of paragraphs from a Bloomberg news > agency newsstory. The story is headlined, Netscape Will Release > an Updated Internet Browser in Two Weeks. The story's datelined > Mountain View CA. [...] > You posted your message via Best Internet Communications Inc in > Mountain View CA... > > Whatever the significance of that may be, As Perry has patiently pointed out time and again, this is not "conspiracypunks". In this case, I expect you might even get laughed off alt.conspiracy. Don't post this silliness here. 
Futplex From rich at c2.org Tue Jan 9 10:29:07 1996 From: rich at c2.org (Just Rich) Date: Wed, 10 Jan 1996 02:29:07 +0800 Subject: Anyone using Microsoft Access 95? Message-ID: <199601080931.BAA16945@infinity.c2.org> Have a hackmsoft submission that needs fleshing out. Not enough general interest to post in detail. Basically, you're supposed to be able to spoof the database server as any user. -rich From frantz at netcom.com Tue Jan 9 10:34:32 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 10 Jan 1996 02:34:32 +0800 Subject: Microsoft continues to mislead public about Windows securitybugs (a bit long, with references) Message-ID: <199601091809.KAA15511@netcom6.netcom.com> At 0:37 1/9/96 -0800, Lucky Green wrote: > >Very true. But why does it always seem to take an exploitable crack before >companies pay attention to security flaws? Is it because they are unable to >admit that they have made a mistake? Everybody makes mistakes. What's the >big deal? I really don't understand it. Any psychologists on this list? Having, in the past, attempted to sell an Operating System with high security features, and failed, I think I can give you some insight. Security does not sell an OS to anyone, even the Department of Defense. People buy OSs to run applications. The only thing a lack of security in an OS will do is allow someone in an obscure department (perhaps called Corporate Security) to say no. Security is a checkoff item, and if you can convince a retired major that the OS is secure, then he will approve it.
He is not going to check the details. His expertise is in guard stations and chain link fences. However, if someone, e.g. the trade press, rubs his nose in the fact that an OS's security can be breached, then he will take action. He will pressure the publisher to release a fix that they say will fix the problem. When they do, he will be happy. Microsoft particulary, is oriented to selling product, not pride in workmanship. ----------------------------------------------------------------- Bill Frantz Periwinkle -- Computer Consulting (408)356-8506 16345 Englewood Ave. frantz at netcom.com Los Gatos, CA 95032, USA From futplex at pseudonym.com Tue Jan 9 10:40:29 1996 From: futplex at pseudonym.com (Futplex) Date: Wed, 10 Jan 1996 02:40:29 +0800 Subject: A little skepticism over $60 billion In-Reply-To: <199601091428.JAA16977@pipe9.nyc.pipeline.com> Message-ID: <199601091811.NAA31069@opine.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- SF Examiner writes: # NEW YORK U.S. companies will lose as much as 30 percent of the $200 # billion in U.S. computer system sales expected tallpaul writes: > Now we know that U.S. companies will lose something off the government's > anti-export policies. But will we really see 30% of sales lost by > purchasing agents saying "Gee, we'd like to buy IBM mainframe's and Dell > micros and Windows and unix but we won't because there is no secure > encryption program in the world that will run on the IBM or U.S. micros or > under the U.S. OS's"? > > Let's fight the export laws over exporting quality crypto without accepting > advertising hype from any industry. First of all, Bill S. was suggesting that the $60B figure is too low to be convincing to certain crucial people. Arguing that the figure should probably be even lower can only lend weight to that argument. Secondly, as I'm sure you'll agree, mass media reports and advertising can sway public opinion. IMHO cypherpunks should not hesitate to use those tools to further our cause. 
Putting a specific number, almost any number, on the anticipated opportunity cost drives the point home with a lot of people. Now most reasonable people know (I think) that projections are based on assumptions that turn out to be partially wrong, for various reasons. But they still form useful premises for debate. (I have the current U.S. federal budget battle in the back of my mind here.) Futplex (in a verbose mood, inexplicably) From evan at darkstar.cygnus.com Tue Jan 9 10:45:39 1996 From: evan at darkstar.cygnus.com (Evan Ravitz) Date: Wed, 10 Jan 1996 02:45:39 +0800 Subject: DNow2> Re: DNow2 Re: Hammill 1987 speech In-Reply-To: Message-ID: On Mon, 8 Jan 1996, Alan Horowitz wrote: > Thanks for that lovely piece about the Chiapas uprising. I'm saving it to > disk. It's so archetypal of the turgid prose of graduates of Moscow's > Patrice Lumumba University. How wondrous that leftists-without-a-home can > find a cause to latch onto and keep their rhetorical skills in practice. Carlos Fuentes calls the rebellion the first "post-Communist" revolution. They specifically reject the rhetoric you set up as a straw-man.
If you want to actually become informed about reality down there (I lived in Chiapas 2 winters, Guatemala 4), please subscribe to the mailing list that the NY Times says has prevented more Mexican Army massacres: To subscribe to the chiapas-l list send a message to: majordomo at profmexis.dgsca.unam.mx with these words in the body of the message: subscribe chiapas-l Your-Email-Adress and leave the subject line empty. You will receive a welcome message with info on the group *and on how to unsubscribe*. You should save this message for future reference. You can expect several messages per day. > Want to come with me tomorrow? I'm going down to the library to re-read > the history of the Indians of Meso-America. I like the part about the > hundreds of thousands of peasants who had their hearts cut out without > anesthesia, so that the Emperor could collect lots of taxes on an abundant > harvest. Damn shame that the Spaniards came along and destroyed a > culture, ya know? Having lived with Mayans for 6 winters I still have my heart and suggest you don't hold the campesinos responsible for their "emperor's" actions of centuries ago. Stop fighting the cold war and against the past and transcend virtual reality and see how others really live and act. Or is your ignorance such bliss? My Mayan friends are some of the finest I have. Evan Ravitz, director, VOTING BY PHONE FOUNDATION: evanr at vote.org Electronic democracy! From the directors of the U.S. National Science Foundation's 1974 Televote trials and Boulder's 1993 ballot initiative: http://www.vote.org/v A FUTURE PASTURES PRESENTATION. We sell voting systems "What government is best? That which teaches us to govern ourselves." 
-Goethe From pcw at access.digex.net Tue Jan 9 10:47:42 1996 From: pcw at access.digex.net (Peter Wayner) Date: Wed, 10 Jan 1996 02:47:42 +0800 Subject: Why I think the NSA should love Strong Crypto Message-ID: Perry writes: >Once SIGINT becomes much harder regardless of their previous attempts >to stop it, I suspect that the NSA will become a friend and not an >impediment. Well, I often think that institutions and their desire to maintain their funding can lead to strange decisions. On one hand, doing everything to slow the emergence of strong crypto allows the NSA to continue to vaccuum up signals from the world. That would seem to justify their existence. But there are many people who can do this without the assistance of the NSA. The FBI has a crack team. I'm sure every agency can learn to snoop on phone calls. The US Forest Service, for instance, is meeting plenty of resistence out in the American West. I wouldn't be surprised if they have their own internal security unit that has developed the ability to do this. Now, imagine a world with plenty of strong crypto everywhere. Suddenly, cracking messages is a very tough job that requires plenty of computer power and high-powered mathematicians. The Forest Service can't order that up from the Police version of Toys-R-Us. Even the FBI's relatively sophisticated team isn't ready for it. It just takes plenty of investment of time and education. That's why I say that Strong Crypto is really in the NSA's best interest. They haven't had a worthy adversary since the Soviet Union fell apart. But I'm just a wise guy. -Peter From futplex at pseudonym.com Tue Jan 9 10:57:00 1996 From: futplex at pseudonym.com (Futplex) Date: Wed, 10 Jan 1996 02:57:00 +0800 Subject: DNow2> Re: DNow2 Re: Hammill 1987 speech Message-ID: <199601091824.NAA31073@opine.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- Greetings to all from someone on the cypherpunks list. Please don't crosspost threads on cypherpunks + other mailing lists. 
This thread, in particular, has essentially nothing to do with cypherpunks at this point. Please eliminate cypherpunks at toad.com from the cc: on future responses. Thanks. Futplex From corey at netscape.com Tue Jan 9 11:00:54 1996 From: corey at netscape.com (Corey Bridges) Date: Wed, 10 Jan 1996 03:00:54 +0800 Subject: NSA and NT security Message-ID: <199601091826.KAA06961@urchin.netscape.com> PALO ALTO, Calif., Jan. 8 /PRNewswire/ via Individual Inc. -- Global Internet today announced that the National Security Agency has awarded them a contract to conduct a feasibility study on raising the security level of Windows NT 3.51 to B-level. Global Internet will analyze Windows NT's ability to meet B-level security requirements, as well as develop a software prototype that demonstrates a Fortezza-based cryptocard access control mechanism. The contract was granted by the NSA under the Multilevel Information System Security Initiative (MISSI), which has the charter to provide security services for information ranging from Unclassified but Sensitive up to and including Top Secret. Windows NT was originally designed with security in mind. A NSA evaluation team has determined that Windows NT 3.5 with Service Pack 3 satisfies all class C-2 security requirements. B-level of security strengthens the C2 level security features while providing stricter system assurances. Global Internet has a proven expertise with Windows NT.
Centri TNT is the only network security solution that is fully integrated into Windows NT TCP/IP networks by complementing and extending Windows NT's inherent strengths, while maintaining 100% compatibility with existing applications. Global Internet also has extensive experience architecting, designing and developing high level secure operating systems. "This project addresses anticipated security requirements for DOD, as well as commercial customers using Windows NT," said Michelle Ruppel, a director of the Global Internet Software Group. "Our analysis will address compatibility issues with B-level security requirements and identify the changes necessary to provide this level of support." According to Outlink, Inc., a New York-based research and publishing firm focusing on the information security market, about 80% of the PC hardware market supports Microsoft's DOS and Windows 3.1. This combination, though popular, does not provide inherent security features such as secure login, access control, auditing and self-protection. Strong access control is a highly desirable function of the MISSI architecture. Trusted Operating Systems will play a role in the MISSI success. Windows NT is a modular OS and combined with its current security features that are based on the Trusted Products Evaluation Program (TPEP) C2 level of security and it's ability to operate on the majority of customer platforms while supporting DOS and Windows applications, the architecture lends itself to support B-level requirements. An operating system with few security features allows anyone to use the machine without validating their identity, while allowing access to all files, objects and resources. 
C2 level security includes: auditing to allow security-relevant events to be recorded and monitored, discretionary (need-to-know) access controls to mediate who can access (read or write) files and other objects and identification and authentication (login) to require users to identify themselves to the system before they are allowed to use the system. B-level security additionally includes: labeling of users, files and other objects with a sensitivity label, mandatory access controls to enforce a security policy based on the labels of the users and objects and trusted path that ensures users they are using the actual programs provided with the system. The Global Internet Software Group specializes in security software for Windows NT networks and other operating environments. The Software Group is a division of Global Internet, a full-service internetworking solutions company focusing on secure, reliable internetworking software and services. Located in Palo Alto, California, Global Internet is privately held and was founded in 1993. Global Internet Home Page: http://www.gi.net. /CONTACT: Jim Adams of Adams And Associates, 408-370-5390, or E-mail: jaadams at ix.netcom.com, for Global Internet; or Mark R. Kriss of Global Internet, 415-855-1700, or E-mail: mkriss at gi.net/ From kent at trouble.WV.TEK.COM Tue Jan 9 11:07:15 1996 From: kent at trouble.WV.TEK.COM (Kent Dahlgren) Date: Wed, 10 Jan 1996 03:07:15 +0800 Subject: [NOISE] [Fwd: Re: ABOI: Desperate User Support] In-Reply-To: <199601082050.PAA01206@thor.cs.umass.edu> Message-ID: On Mon, 8 Jan 1996, Futplex wrote: > > > >Some poor SuperMac TechSport got a call from some middle level official... > > > >from the legitimate government of Trinidad. The fellow spoke very good > > > >English, and fairly calmly described the problem. > > > > > > >It seemed there was a coup attempt in progress at that moment. > [...] 
God...are we going to have to endure this like we have had to endure that stupid good times virus e-mail crap? Let it die. Let it die. ______________________________________________________________________________ ______ T E K T R O N I X _ C P I D _ T E C H N I C A L _ S U P P O R T _______ / Voice: 1.800.835.6100 E-mail: support at colorprinters.tek.com Fax: 1.503.685.3063 WWW: www.tek.com BBS: 1.503.685.4504 E-World: Keyword Tektronix HAL: 1.503.682.7450 AOL: Keyword Tektronix Service: 1.800.835.6100 FTP: ftp.tek.com ______________________________________________________________________________ From jcobb at ahcbsd1.ovnet.com Tue Jan 9 11:50:18 1996 From: jcobb at ahcbsd1.ovnet.com (James M. Cobb) Date: Wed, 10 Jan 1996 03:50:18 +0800 Subject: The LOGIC of Navigator 2.0 ? Message-ID: Steve, I posted a message, The LOGIC of Navigator 2.0 ?, to the list on 01 08 96. That message quoted a couple of paragraphs from a Bloomberg news agency newsstory. The story is headlined, Netscape Will Release an Updated Internet Browser in Two Weeks. The story's datelined Mountain View CA. Your 01 08 96 followup message characterized my original message as "garbage." You posted your message via Best Internet Communications Inc in Mountain View CA... Whatever the significance of that may be, there's the additional matter that you may not understand the significance of the phrase GOVERNMENT LOGIC which I used in my original message. I hope the following provides you sufficient context-- In 02 96 Internet World, science fiction writer Vernor Vinge is interviewed: Suddenly [about 1984] people realized that if a 100 million people each had computers that were one-tenth of one percent as smart as the government's computers, they had much less to fear about government. Now we've entered an era where the government understands this. On the one hand, police forces are legitimately [?] frightened; law enforcement could become much more difficult. 
But at the same time --with some new laws and technology-- police powers could be much greater than before.... You've heard of ubiquitous computing, but how about UBIQUITOUS LAW ENFORCEMENT? Developing that line of thought, Vinge says: ...the old Clipper chip proposal recommended that GOVERNMENT LOGIC be present in certain communications equipment. For the future I think this aspect of Clipper was as significant as the crypto issues. What would it be like if a certain amount of GOVERNMENT LOGIC were mandated in the design of every host in a country? And Vinge concludes: WE COULD HAVE REAL-TIME TAXATION. and ...very fine-grain CONTROL would be possible. Capitalization in the above excerpts is mine. The whole interview is worth reading. Its title is: Reality & Fiction. It starts at page 82. Jeff Ubois asked the questions. Every HOST in a country? As Larry Ellison says in 12 26 95 / 01 02 96 Computerworld 41: The ideal operating system arrives across a network when you turn your computer on. The GOVERNMENT LOGIC arrives too... Cordially, Jim INCLOSURE: Date: Mon, 8 Jan 1996 16:03:06 -0800 (PST) From: Steven Weller To: "James M. Cobb" Subject: Re: The LOGIC of Navigator 2.0 ? Please refrain from posting such garbage on the cypherpunks mailing list. You are not a friend, you are a pest. On Mon, 8 Jan 1996, James M. Cobb wrote: > > > Friend, > > > 01 07 96 the business news agency Bloomberg reports: > > Netscape Communications Corp. said it will release in two > weeks a new version of its popular browsing software, de- > signed to keep the Internet software company ahead of rival > Microsoft Corp. > ... > > The [new] browser can use programs that are stored on cen- > tral computers on the Internet, making a personal computer's > operating system less important. > > > And thereby making GOVERNMENT LOGIC more important? > > > Cordially, > > Jim > > > > > NOTE: The newsstory's headline? NETSCAPE WILL RELEASE AN > UPDATED INTERNET BROWSER IN TWO WEEKS. Its dateline? 
> MOUNTAIN VIEW, Calif. (Jan 7, 1996 4:16 p.m. EST). Its > Nando News online filename? biz7_1087.html > > > From usura at utopia.hacktic.nl Wed Jan 10 03:53:19 1996 From: usura at utopia.hacktic.nl (Alex de Joode) Date: Wed, 10 Jan 96 03:53:19 PST Subject: SSH for Windows Message-ID: <199601101153.MAA20011@utopia.hacktic.nl> : ...can be found at URL http://public.srce.hr/~cigaly/ssh/. FYI. also on ftp.hacktic.nl/pub/replay/pub/incoming/ssh-1-2.zip (the .hr link is _very_ slow) -AJ- From tcmay at got.net Tue Jan 9 11:56:12 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 10 Jan 1996 03:56:12 +0800 Subject: Don't type: "g**d t*m*s v*r*s" Message-ID: At 6:35 PM 1/9/96, Kent Dahlgren wrote: >God...are we going to have to endure this like we have had to endure that >stupid g**d t*m*s v*r*s e-mail crap? Let it die. Let it die. I have edited the name of this virus so as to minimized its damage. I read that even _typing_ the phrase "g**d t*m*s v*r*s" in its full form can cause the information stored in the phrease "g**d t*m*s v*r*s" to unpack itself, install itself on all types of disk drives, and then initialize the disks. I hope we caught it in time! (More seriously, I notice that "alt.folklore.suburban at c2.org" was in the distribution list for the message I'm replying to (pared out by me on this message). I really hope that this does not mean what I think it means, that "alt.folklore.suburban" is not being copied! The cross-contamination of many mailing lists is one thing, but cross-contaminating our mailing list and Usenet groups would truly be the work of the Army of the Twelve Monkeys.) --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. 
May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From futplex at pseudonym.com Tue Jan 9 12:14:01 1996 From: futplex at pseudonym.com (Futplex) Date: Wed, 10 Jan 1996 04:14:01 +0800 Subject: Can you break my encryption protocol ? In-Reply-To: Message-ID: <199601091954.OAA31373@opine.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- Mark writes: [description of threat model elided] > Client and server both have copies of a passphrase, of any length. > > When starting the connection, client sends 128 random bits to the server. > > Both ends take this data, append the passphrase, and use MD5 to generate > a session key. If a key of less than 128 bits is required for legal > reasons, then the appropriate number of bits are retained, and the rest > replaced with bits from the random data that was sent in the clear. > > That is, if you're only allowed 40 bit security, you take the first 88 > bits that you were sent, and append the last 40 bits of the generated key > to give you the session key to use. So this is: Salt = RNG(128,Seed); SessionKey = MD5(Salt | PassPhrase); Or for export: Salt = RNG(128,Seed); Temp = MD5(Salt | PassPhrase); SessionKey = (Salt[1..(128 - NumExportBits)] | Temp[(128 - NumExportBits + 1)..128]); Sounds good, assuming the passphrase is nice and long (i.e. 128 bits, or NumExportBits) and MD5 holds up. If you haven't already, you might want to look at some of the work Hugo Krawczyk and some others have been doing on keyed MD5. Their application is different (primarily, authentication) but I think many of the concerns are similar. Look for draft-krawczyk-keyed-md5-01.txt in the usual places. 
"It is not appropriate to use Internet Drafts as reference material, or to cite them other than as a ``working draft'' or ``work in progress''." Futplex -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMPLHrCnaAKQPVHDZAQEoNQf/UCk2GwCMDqjodyqqduEUrbcOZFyBXsuV RPSUqgo7GcJ7HpPqzgQyEREW71g9iSfpzqMDihjjJK1SJGfKS6dy60wYSbYtNrta sEeLWDfpABTW7CgbpYaeDrMug1ASmcRThjeTzRqXyhUiWDFloNw7yASnyzbH4o+M cVgwSTTBlvvxpvgOnXtLpr85a14FBBOXlsq5dWcaUW2V0+bt6qsbgeLqTUpCrtn5 dkzjprekBIxxQOwFh9vSKjXaBdhZAgmzI0nRVOmOBAxj2KSoGHqKwpUmQfx7yZeP nJuGUPA0E+hgmPqTBv6e9CQSZmpY+x932YH7jWOrgscS/HQJYLq+4g== =nyGN -----END PGP SIGNATURE----- From kent at trouble.WV.TEK.COM Tue Jan 9 12:15:24 1996 From: kent at trouble.WV.TEK.COM (Kent Dahlgren) Date: Wed, 10 Jan 1996 04:15:24 +0800 Subject: Microsoft continues to mislead public about Windows security bugs (a bit long, with references) In-Reply-To: <199601090802.AAA13049@blob.best.net> Message-ID: On Mon, 8 Jan 1996, James A. Donald wrote: > > > > Is anybody listening? > > They will listen if you start to release full uncrippled exploits, after > a reasonable delay. > I agree. It all comes down to money, as you all know. Do you think the bean counters and lawyers at MS see it proitable to announce such a obvious problem, no doubt running the risk of being unfavorably depicted in the ignorant mass media as offering a product that is "insecure?" We all know what the responcible thing to do is. I suspect marketing has a hand in quelling the idea of announcing this problem. That's why I agree.. to a point. 
______________________________________________________________________________ ______ T E K T R O N I X _ C P I D _ T E C H N I C A L _ S U P P O R T _______ / Voice: 1.800.835.6100 E-mail: support at colorprinters.tek.com Fax: 1.503.685.3063 WWW: www.tek.com BBS: 1.503.685.4504 E-World: Keyword Tektronix HAL: 1.503.682.7450 AOL: Keyword Tektronix Service: 1.800.835.6100 FTP: ftp.tek.com ______________________________________________________________________________ From jya at pipeline.com Wed Jan 10 04:19:41 1996 From: jya at pipeline.com (John Young) Date: Wed, 10 Jan 96 04:19:41 PST Subject: S.652 (H.R. 1555) (\"obscene, lewd, lascivious, filthy, or indecent...et al\") Message-ID: <199601101219.HAA28940@pipe4.nyc.pipeline.com> Responding to msg by blancw at accessone.com (blanc) on Tue, 9 Jan 8:41 PM >What needs to do is to learn to speak like politicians. > Learn to go around the subject, make indirect >reference, make vague allusions, be indirect & >wavering, ambiguous & obfuscating, evasive & >hypocritical; never openly offending, never possible >to be held liable for having said anything of >consequence. > >Of course it will still be annoying, but how can they >criticize their own style & manner. Ah, you've godiva'd le roy, and guttered moi. From nobody at REPLAY.COM Wed Jan 10 04:43:45 1996 From: nobody at REPLAY.COM (Anonymous) Date: Wed, 10 Jan 96 04:43:45 PST Subject: PRIVACY: Private traces in public places Message-ID: <199601101243.NAA21309@utopia.hacktic.nl> Responding to msg by tcmay at got.net (Timothy C. May) on Wed, 10 Jan 0:9 AM >I'm not trivializing the issue of search engines and >archiving systems turning up articles written, old >posts, etc. 
Every couple of weeks, sometimes more
>often, someone sends me a copy of one of my postings
>and claims that someone else must be forging my name
>(recent posts on racial issues, for example--while I'm
>not a racist, I despise quotas, setasides, and
>preferential treatment for lazy people, of any
>race...this obviously makes some people "ashamed for
>me" :-}).

http://nytsyn.com/live/News3/006_010696_101827_2723.html

Last summer the first case in Britain of a libel on the Internet was settled out of court when Laurence Godfrey accepted undisclosed damages from another nuclear physicist, Philip Hallam-Baker, over remarks made in 1993 on Usenet, an electronic conference with 16 million users. And Peter Lilley, the Social Security Secretary, sent a stiff letter to the vice-chancellor of Leeds University after one of its students used a faculty computer to make defamatory allegations about him.

From alano at teleport.com Tue Jan 9 13:52:32 1996
From: alano at teleport.com (Alan Olsen)
Date: Wed, 10 Jan 1996 05:52:32 +0800
Subject: The LOGIC of Navigator 2.0 ?
Message-ID: <2.2.32.19960109074348.0095ce48@mail.teleport.com>

At 06:12 PM 1/8/96 -0500, you wrote:
> The [new] browser can use programs that are stored on central
> computers on the Internet, making a personal computer's
> operating system less important.
>
>
> And thereby making GOVERNMENT LOGIC more important?

I think they are referring to Java scripting in this article. (You have to remember that such articles are phrased for those who have little or no technical knowledge.)

I find it amazing though that they claim a two week release date when I have not heard of a Java version for the Mac as of yet. I would think that they would have put it through at least one beta first. (But then again, this is netscape we are talking about...)

[Note to Jeff and other Netscape employees: I realize you have gotten better. Let's hope it stays that way. (And I won't make *any* comments about "tech support".]
Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key
http://www.teleport.com/~alano/
"Governments are potholes on the Information Superhighway." - Not TCMay

From dmandl at bear.com Wed Jan 10 06:40:07 1996
From: dmandl at bear.com (David Mandl)
Date: Wed, 10 Jan 96 06:40:07 PST
Subject: TAL_kup
In-Reply-To: <199601101426.JAA16123@pipe3.nyc.pipeline.com>
Message-ID:

On Wed, 10 Jan 1996, John Young wrote:

> "Group Urges an Internet Ban On Hate Groups' Messages.
> Joins in Move to Censor Offensive Material."
>
> Citing the "rapidly expanding presence of organized hate
> groups on the Internet," a leading Jewish human rights
> group yesterday began sending letters to hundreds of
> Internet access providers and universities asking them
> to refuse to carry messages that "promote racism, anti-
> Semitism, mayhem and violence."
            ^^^^^^

Damn it, _now_ they've gone too far.

--
David Mandl
Bear, Stearns & Co. Inc.
Phone: (212) 272-3888
Email: dmandl at bear.com
--

*******************************************************************************
Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication.
*******************************************************************************

From stewarts at ix.netcom.com Tue Jan 9 15:50:31 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Wed, 10 Jan 1996 07:50:31 +0800
Subject: Encryption sales ban costs U.S. $60 billion
Message-ID: <199601090516.VAA28411@ix6.ix.netcom.com>

At 09:40 PM 1/7/96 -0800, dang at netcom.com (DRG) wrote:
>S.F. Examiner:
>
>ENCRYPTION SALES BAN COSTS U.S. $60 BILLION
>
>NEW YORK U.S. companies will lose as much as 30 percent of the $200
>billion in U.S. computer system sales expected in 200 because of federal
>export laws that limit the encryption of information, a recent study found.
OK, so crypto export laws will cost about as much as direct expenditures on the War On Politically Incorrect Drugs, or medical costs of tobacco. No problem.... :-(

#--
# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281
#
# "The price of liberty is eternal vigilance" used to mean us watching
# the government, not the other way around....

From EALLENSMITH at ocelot.Rutgers.EDU Tue Jan 9 16:03:38 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Wed, 10 Jan 1996 08:03:38 +0800
Subject: Book on Electronic Commerce
Message-ID: <01HZTEQR5AE8A0UD8R@mbcl.rutgers.edu>

From: IN%"rre at weber.ucsd.edu" 7-JAN-1996 08:47:56.17

Date: Sat, 6 Jan 1996 12:32:20 -0600 (CST)
From: "Andrew B. Whinston"
To: misfaculty at moe.cc.utexas.edu
Subject: Electronic Commerce

Hi:

We are pleased to announce the publication of a new book on electronic commerce titled: FRONTIERS of ELECTRONIC COMMERCE (868 pages). The publisher is Addison-Wesley (1-800-822-6339) and the ISBN no. is 0-201-84520-2.

For more details -- Preface, Chapter 1, Research issues in Online Banking Syllabus of course using the book, Transparencies of talks on Electronic Commerce -- see: http://commerce.ssb.rochester.edu/book.html

==================
Table of Contents:
==================

Frontiers of Electronic Commerce
Ravi Kalakota, University of Rochester and Andrew B. Whinston, University of Texas at Austin
ISBN: 0-201-84520-2, 868 pp., softcover, 1996.
Preface

1 Welcome to Electronic Commerce
  1. Electronic Commerce Framework
  2. Electronic Commerce and Media Convergence
  3. The Anatomy of E-Commerce Applications
  4. Electronic Commerce Consumer Applications
  5. Electronic Commerce Organization Applications
  6. Summary

2 The Network Infrastructure for Electronic Commerce
  1. Market Forces Influencing the I-Way
  2. Components of the I-Way
  3. Network Access Equipment
  4. The Last Mile: Local Roads and Access Ramps
  5. Global Information Distribution Networks
  6. Public Policy Issues Shaping the I-Way
  7. Summary

3 The Internet as a Network Infrastructure
  1. The Internet Terminology
  2. Chronological History of the Internet
  3. NSFNET: Architecture and Components
  4. National Research and Education Network
  5. Globalization of the Academic Internet
  6. Internet Governance: The Internet Society
  7. An Overview of Internet Applications
  8. Summary

4 The Business of Internet Commercialization
  1. Telco/Cable/On-Line Companies
  2. National Independent ISPs
  3. Regional-Level ISPs
  4. Local-Level ISPs
  5. Service Providers Abroad
  6. Service Provider Connectivity: Network Interconnection Points
  7. Internet Connectivity Options
  8. Logistics of Being an Internet Service Provider
  9. Summary

5 Network Security and Firewalls
  1. Client-Server Network Security
  2. Emerging Client-Server Security Threats
  3. Firewalls and Network Security
  4. Data and Message Security
  5. Challenge-Response Systems
  6. Encrypted Documents and Electronic Mail
  7. U.S. Government Regulations and Encryption
  8. Summary

6 Electronic Commerce and World Wide Web
  1. Architectural Framework for Electronic Commerce
  2. World Wide Web (WWW) as the Architecture
  3. Web Background: Hypertext Publishing
  4. Technology behind the Web
  5. Security and the Web
  6. Summary

7 Consumer-Oriented Electronic Commerce
  1. Consumer-Oriented Applications
  2. Mercantile Process Models
  3. Mercantile Models from the Consumer's Perspective
  4. Mercantile Models from the Merchant's Perspective
  5. Summary

8 Electronic Payment Systems
  1. Types of Electronic Payment Systems
  2. Digital Token-Based Electronic Payment Systems
  3. Smart Cards and Electronic Payment Systems
  4. Credit Card-Based Electronic Payment Systems
  5. Risk and Electronic Payment Systems
  6. Designing Electronic Payment Systems
  7. Summary

9 Interorganizational Commerce and EDI
  1. Electronic Data Interchange
  2. EDI Applications in Business
  3. EDI: Legal, Security, and Privacy Issues
  4. EDI and Electronic Commerce
  5. Summary

10 EDI Implementation MIME, and Value-Added Networks
  1. Standardization and EDI
  2. EDI Software Implementation
  3. EDI Envelope for Message Transport
  4. Value-Added Networks (VANs)
  5. Internet-Based EDI
  6. Summary

11 Intraorganizational Electronic Commerce
  1. Internal Information Systems
  2. Macroforces and Internal Commerce
  3. Work-flow Automation and Coordination
  4. Customization and Internal Commerce
  5. Supply Chain Management (SCM)
  6. Summary

12 The Corporate Digital Library
  1. Dimensions of Internal Electronic Commerce Systems
  2. Making a Business Case for a Document Library
  3. Types of Digital Documents
  4. Issues behind Document Infrastructure
  5. Corporate Data Warehouses
  6. Summary

13 Advertising and Marketing on the Internet
  1. The New Age of Information-Based Marketing
  2. Advertising on the Internet
  3. Charting the On-Line Marketing Process
  4. Market Research
  5. Summary

14 Consumer Search and Resource Discovery
  1. Search and Resource Discovery Paradigms
  2. Information Search and Retrieval
  3. Electronic Commerce Catalogs or Directories
  4. Information Filtering
  5. Consumer-Data Interface: Emerging Tools
  6. Summary

15 On-Demand Education and Digital Copyrights
  1. Computer-Based Education and Training
  2. Technological Components of Education On-Demand
  3. Digital Copyrights and Electronic Commerce
  4. Summary

16 Software Agents
  1. History of Software Agents
  2. Characteristics and Properties of Agents
  3. The Technology behind Software Agents
  4. Telescript Agent Language
  5. Safe-Tcl
  6. Applets, Browsers, and Software Agents
  7. Software Agents in Action
  8. Summary

17 The Internet Protocol Suite
  1. Layers and Networking
  2. Internet Protocol Suite
  3. Desktop TCP/IP: SLIP and PPP
  4. Other Forms of IP-Based Networking
  5. Mobile TCP/IP-Based Networking
  6. Multicast IP
  7. Next Generation IP (IPng)
  8. Summary

18 Multimedia and Digital Video
  1. Key Multimedia Concepts
  2. Digital Video and Electronic Commerce
  3. Desktop Video Processing
  4. Desktop Video Conferencing
  5. Summary

19 Broadband Telecommunications
  1. Broadband Background Concepts
  2. Frame Relay
  3. Cell Relay
  4. Switched Multimegabit Data Service (SMDS)
  5. Asynchronous Transfer Mode (ATM)
  6. Summary

20 Mobile and Wireless Computing Fundamentals
  1. Mobile Computing Framework
  2. Wireless Delivery Technology and Switching Methods
  3. Mobile Information Access Devices
  4. Mobile Data Internetworking Standards
  5. Cellular Data Communications Protocols
  6. Mobile Computing Applications
  7. Personal Communication Services (PCS)
  8. Summary

21 Structured Documents
  1. Structured Document Fundamentals
  2. Standard Generalized Markup Language (SGML)
  3. Summary

22 Active/Compound Document Architecture
  1. Defining Active Documents
  2. Approaches to Active Documents
  3. Object Linking and Embedding
  4. OpenDoc
  5. CORBA: Distributed Objects
  6. Summary

References
Index

-- Ravi
__________________________________________________________________________
Ravi Kalakota
POTS: (716) 275-3102 Fax: (716)273-1140
Xerox Assistant Professor of Information Systems
Simon School--University of Rochester
Rochester, New York 14627
e-mail: kalakota at uhura.cc.rochester.edu
__________________________________________________________________________

From abostick at netcom.com Wed Jan 10 08:56:34 1996
From: abostick at netcom.com (Alan Bostick)
Date: Wed, 10 Jan 96 08:56:34 PST
Subject: Don't type: "g**d t*m*s v*r*s"
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

In article , tcmay at got.net (Timothy C. May) wrote:

> (More seriously, I notice that "alt.folklore.suburban at c2.org" was in the
> distribution list for the message I'm replying to (pared out by me on this
> message). I really hope that this does not mean what I think it means, that
> "alt.folklore.suburban" is not being copied! The cross-contamination of
> many mailing lists is one thing, but cross-contaminating our mailing list
> and Usenet groups would truly be the work of the Army of the Twelve
> Monkeys.)

Fear not. alt.folklore.suburban is a moderated newsgroup; if c2.org injects the message into the newsfeed without an Approved: header, it isn't going anywhere.

- --
Alan Bostick | He played the king as if afraid someone else
Seeking opportunity to | would play the ace.
develop multimedia content. | John Mason Brown, drama critic
Finger abostick at netcom.com for more info and PGP public key

From kent at trouble.WV.TEK.COM Wed Jan 10 09:13:34 1996
From: kent at trouble.WV.TEK.COM (Kent Dahlgren)
Date: Wed, 10 Jan 96 09:13:34 PST
Subject: When they came for the Jews...
In-Reply-To: <2.2.32.19960110153325.006b5980@panix.com>
Message-ID:

On Wed, 10 Jan 1996, Duncan Frissell wrote:

> "I favor discrimination on the basis of race, creed, color sex, age,
> alienage, previous condition of servitude, recent interstate travel,
> handicap, sexual or affectional preference, marital status, Vietnam-era
> veteran status (or lack thereof), occupation, economic status, and anything
> else I can think of."
>

I really wish I had the original newspaper clipping so I correctly quote the column, but it went something like this:

Here in Portland, Oregon, we used to have quite a problem with Nazi skinheads. Not that they are not around now, but then they were everywhere. Being that most of the city is white trash, you'd think it wouldn't have caused much of a ruckus if they were simply beating up minorities. But it's been my personal experience that they would prefer beating up "fellow" whites instead. That, coupled with the murder of Saraw, seemed to stir things up against the skinheads.

Anyhow, that's my background to it. The column didn't talk about that. It was this guy writing about the Banai Brith (spelling?) in Los Angeles getting criticism about gathering and keeping records on suspected skinheads. Turns out they got a lot of that stuff from Portland's own Multnomah County Sheriff, who releases their police reports as public information. So this reporter decided to get some of these reports, and some of the records that the banai brith were keeping, and printed some.

Like I was saying, public opinion at the time was way against the skinheads, and I was more than a little irritated at the time at them because of the roving bands of punks that made life in MY city uncomfortable. So I read through each police report, really eating it up. "White male, (his name,) apprehended for distributing nazi literature." "White female, (her name,) questioned. Wearing a jacket with a swastika." Stuff like that. Then the reporter lowered the boom.
He asked us in the reading audience to substitute "skinhead" and "nazi" with "hippy" or "communist," and see how we felt about that. This was a very unpopular position at the time, in a city hell bent on getting rid of these skinheads, but he made a good point with me. Maybe someone could tell me how I could get a hold of the original. The paper is the Oregonian. I could probably figure out the reporter's name...if I only had a brain. I'd love to post it. Again, flames are always welcomed, as I am home sick and could use the abuse. ______________________________________________________________________________ ______ T E K T R O N I X _ C P I D _ T E C H N I C A L _ S U P P O R T _______ / Voice: 1.800.835.6100 E-mail: support at colorprinters.tek.com Fax: 1.503.685.3063 WWW: www.tek.com BBS: 1.503.685.4504 E-World: Keyword Tektronix HAL: 1.503.682.7450 AOL: Keyword Tektronix Service: 1.800.835.6100 FTP: ftp.tek.com ______________________________________________________________________________ From nobody at REPLAY.COM Tue Jan 9 17:13:44 1996 From: nobody at REPLAY.COM (Anonymous) Date: Wed, 10 Jan 1996 09:13:44 +0800 Subject: Sci-Atlanta Uses RSA Message-ID: <199601100050.BAA00333@utopia.hacktic.nl> Scientific-Atlanta Announces Development of PowerKEY Conditional Access System Using RSA 'Public Key' Encryption Techniques PowerKEY System Will Provide Sophisticated Security For Signal Content, Interactive Messaging and Electronic Commerce S-A Becomes First Digital Set-Top Terminal Provider To Use Patented RSA Algorithms Atlanta, Jan. 9 -- Scientific-Atlanta, Inc. announced today that it has licensed advanced encryption technology from RSA Data Security, Inc. to be included in its PowerKEY(TM) digital conditional access system, which is being developed for use in set-top terminals, headend components, cable modems and network element management software. 
The system will combine public key and secret key cryptographic methods in physically secure implementations to provide a high-performance security solution for broadband networks. Sophisticated conditional access systems allow cable and other broadband network operators to be more flexible in implementing new services that employ easy-to-use security. For example, both content providers and network operators can have their own secure way to protect content and communicate interactively with subscribers. Theft of services, falsified orders, and vandalism of software and databases can be curtailed. Sensitive information, such as credit card numbers, can be encrypted and exchanged. In addition, the identity of the sender and the message content can be authenticated -- an important capability for multi-provider authorization environments and for validation of orders from subscribers. The PowerKEY system, which is designed to be a licensable access control and security system, will combine robust security and encryption techniques with physically secure implementation and sophisticated control systems. The PowerKEY system will be available on a variety of interactive and broadcast networks, including CATV broadcast, data, broadband multimedia, switched and terrestrial wireless. 
Its key functions will include:

-- message authentication to reject altered content and prevent downloading computer viruses to digital terminals
-- RSA's method of digital signature to provide unambiguous confirmation of sender's identity
-- public key encryption for secure transfer of entitlements, authorizations and consumer orders
-- high-speed secret key encryption to protect against theft of services
-- physically secure logic with renewable and replaceable security modules to thwart pirate tampering
-- seamless operation in support of both analog and digital services
-- multi-provider authenticated key management
-- forward and reverse path protection
-- messaging with guaranteed non-repudiation without need for trusted third parties

RSA's products are considered a de facto standard for data encryption and authentication all over the world. The license to Scientific-Atlanta is the first that RSA has granted to a set-top terminal manufacturer of its widely adopted, patented technique for private messaging and digital signature authentication. The agreement provides for the licensing of RSA technology, including the algorithms that enable RSA's public key-private key cryptography. No other terms of the agreement were disclosed.

With the PowerKEY system, Scientific-Atlanta plans to use RSA cryptography algorithms in its end-to-end digital systems -- set-top terminals, headend equipment and control systems -- to improve communications security for digital pay-per-view, cable modems and other broadcast and interactive applications. Scientific-Atlanta also plans to license the PowerKEY system for use by other manufacturers. The widespread deployment of RSA encryption methods supports the move to open standards of interactivity.

"RSA's public key technology is one of the most advanced forms of commercial cryptography available today," said Michael P. Harney, Scientific-Atlanta's vice president and general manager of broadband systems and technology. "For the first time, this highly sophisticated encryption technology will be bundled in a conditional access system for both broadcast and interactive applications. This means carriers and MSOs will have a much better way to manage conditional access issues."

The PowerKEY system's implementation of RSA algorithms and Cylink Corporation's "Stanford patents" (licensing of which was also announced today by Scientific-Atlanta) is designed to be compatible with global open standards, such as MPEG, DVB and DAVIC.

RSA developed and patented a method of exchanging authenticated secret messages without exchanging secret keys. Most encryption systems rely on the sender of a message or document to know the receiver's "secret key." The more parties a secret key is distributed to, the more vulnerable it becomes to unauthorized use. With RSA's "public key" approach, a person's public key can be made available to any interested party to send that person a private message. There is no need to privately exchange secret keys.

For other parts of the electronic network services application, such as digital video transmission, the PowerKEY system will employ proven private key algorithms that provide high-speed operation and excellent signal security.

RSA Data Security is a leading cryptographic research and development firm. Its products focus on the secure creation, transmission and storage of data, as well as authenticating the author of data. RSA provides software developers with its BSAFE(TM) cryptography engine, which includes multiple algorithms and modules for adding encryption and authentication features to any application. Scientific-Atlanta plans to use RSA's engines for development of some elements of the PowerKEY system.

Scientific-Atlanta is a leader in providing conditional access systems for broadband and satellite communications networks.
Its Vari-Axis(TM) analog descrambling systems are deployed in millions of analog set-tops, and a robust, secret-key digital conditional access system, based on proven BMAC technology, is part of the PowerVu(TM) system family of products. The PowerKEY system will expand Scientific-Atlanta's product line to include the industry's first conditional access system to utilize public key cryptography. Scientific-Atlanta, Inc. (http://www.sciatl.com) is a leading supplier of broadband communications systems, satellite-based video, voice and data communications networks and worldwide customer service and support. The company is the Official Broadband Video Distribution Sponsor of the 1996 Olympic Games in Atlanta, Georgia. From nobody at REPLAY.COM Tue Jan 9 17:14:08 1996 From: nobody at REPLAY.COM (Anonymous) Date: Wed, 10 Jan 1996 09:14:08 +0800 Subject: Sci-Atlanta Uses Cylink Message-ID: <199601100051.BAA00377@utopia.hacktic.nl> Scientific-Atlanta Licenses Cylink's Security Techniques for Digital Broadband Application First Use of Patented Cylink Public Key Methods by a Digital Set-Top Terminal Supplier for Two-Way Message Encryption, Decryption and Authentication Atlanta, Jan. 9 -- Scientific-Atlanta, Inc. announced today the licensing from Cylink Corporation of communications security techniques for use by cable and other broadband television systems. Cylink, a provider of enterprise-wide network information security products and wireless communications, has licensed to Scientific-Atlanta what are known as the "Stanford patents," which cover the field of public key cryptography, a security technique that ensures privacy, authentication and integrity of electronic information. The license gives Scientific-Atlanta the right to practice public key cryptography methods, as defined in certain intellectual property holdings of Cylink. 
These include methods for generation, authentication and exchange of "public keys" used in securely communicating point-to-point network messages. Scientific-Atlanta plans to use these cryptography techniques in its development of a conditional access system for digital networks -- including set-top terminals, headend components, and network element management software -- to improve communications security for digital pay-per-view, cable modems and other broadcast and interactive applications. The license is the first that Cylink has granted to a set-top terminal manufacturer of its patented cryptographic techniques. No other terms were disclosed. With sophisticated encryption systems, cable and other broadband network operators can be more flexible in implementing new services that employ easy-to-use security. For example, both content providers and the network operator can have a secure way of interactive communications with subscribers. Sensitive information, such as credit card numbers, can be encrypted and exchanged. The identity of the sender and the message content can be authenticated -- an important capability for multi-provider authorization environments and for validation of orders from subscribers. A public key-based cryptography system controls the encryption and decryption of messages. Each user is assigned two unique mathematically-related keys: a published public key, and a secret private key. In a cable TV environment, the public key for each subscriber's set-top terminal can be distributed or "published" while keeping the private key in secure memory. "We're excited about the opportunities this license opens for content providers and network operators," said Bob Van Orden, Scientific-Atlanta's product line director of digital subscriber systems. "With Cylink's innovations, we have the foundation necessary for designing very advanced security into any digital broadband application, including pay-per-view, cable modems and electronic shopping." 
"Through the use of public key technologies, Scientific- Atlanta will help network operators to protect the value of their services," said David Morris, vice president of marketing for Cylink. "This is a vitally important step for operators as they migrate to digital networks." Scientific-Atlanta, Inc. (http://www.sciatl.com) is a leading supplier of broadband communications systems, satellite-based video, voice and data communications networks and worldwide customer service and support. The company is the Official Broadband Video Distribution Sponsor of the 1996 Olympic Games in Atlanta, Georgia. From jimbell at pacifier.com Wed Jan 10 09:20:27 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 10 Jan 96 09:20:27 PST Subject: E-cash and Interest Message-ID: At 08:20 AM 1/10/96 -0500, you wrote: > >I think that you have hit the nail on the head. Money could still 'earn' >interest until it is spent. The 'bank' still has the 'real' money. In >fact, it is an improvement over cash, in that you could still earn >interest on the money on your hard drive. >Thanks for the clarification. I think there is another way of looking at the ecash/interest situation: >From upside down, so to speak. If the USE of Ecash avoids (legally or illegally) income or sales taxes, that constitutes an "interest," in an odd sort of way. Not "real" interest, of course, but the next best thing. From tcmay at got.net Tue Jan 9 17:46:15 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 10 Jan 1996 09:46:15 +0800 Subject: Why Companies are Poor at Finding Bugs Message-ID: At 8:37 AM 1/9/96, Lucky Green wrote: >Very true. But why does it always seem to take an exploitable crack before >companies pay attention to security flaws? Is it because they are unable to >admit that they have made a mistake? Everybody makes mistakes. What's the >big deal? I really don't understand it. Any psychologists on this list? I'm not a psychologist, though I doubt that would help. 
(Having had a girlfriend who was one, she had no special knowledge about corporate motivations...) Companies are pyramids, with a flood of signals flowing up and down the pyramid. Few of the signals are truly important, most are just noise. Hence the difficulty with corporations responding to crises. When a confirmation of a serious problem is made--a building collapses, a floating point bug is found in a chip, a random number generator is found to be flawed, etc.--then there is little doubt that a real problem exists, or at least that a public relations problem must be dealt with. Therefore, a flurry of corporate activity ensues, task forces are created, press releases issued, etc. I'm neither surprised nor disheartened by this. It often takes hitting a company over the head with a two-by-four..."to get their attention." (I saw this many times at Intel, and they were ahead of most of their rivals in spotting problems early on. The "Pentium debacle" is a perfect example of what Lucky is decrying, as internal memos on the problem had been basically pooh-poohed and ignored, until a major public relations disaster hit.) And this has always been a major role of extra-corporate agents: safety inspectors, insurance companies, independent testing laboratories, and so on. The in-house testing departments are frequently inclined to overstate concerns (known universally as "CYA," for "cover your ass"), so it is not surprising that their concerns are often treated as a non-urgent matter. Until a crisis happens, then they are lambasted for not having spoken up more loudly and more forcefully. This was true in ancient Sumeria, in the early factories in Europe, on the communes in China, and in the high-tech labs of today. An easily understandable mixture of psychology, systems analysis, group dynamics, economics, and evolutionary game theory. The Cypherpunks group is, to some extent, helping in this process by trying to break or cripple new software. 
(As several of us have noted, the NSA's second official role, that of securing commercial cryptography, COMSEC, seems to have been ignored. We are thus left to fill in for these slackers.) --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From EALLENSMITH at ocelot.Rutgers.EDU Tue Jan 9 17:47:42 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 10 Jan 1996 09:47:42 +0800 Subject: IRS/FBI story re Internet Message-ID: <01HZTIGWNLFGA0UD8R@mbcl.rutgers.edu> From: IN%"educom at elanor.oit.unc.edu" 9-JAN-1996 20:19:54.25 To: IN%"edupage at elanor.oit.unc.edu" "EDUCOM Edupage Mailing List" IRS, FBI EYE INTERNET WITH SUSPICION The Clinton administration's reluctance to ease up on export controls for encryption software stems in part from pressure from U.S. law enforcement agencies, and the owner of a New York-based software company sees heavy lobbying behind the government's desire to regulate content on the Internet: "I think the Internal Revenue Service and the FBI are watching this one very carefully. They wouldn't mind seeing the government set a precedent for deciding what can and cannot go on the Internet." The IRS fears that easy access to cheap and sophisticated encryption software will make income- and sales-tax evasion too easy, and the FBI worries about criminal and terrorist plots hatched in cyberspace, but some observers say government control tactics are too little, too late. 
A Hudson Institute economist says, "Electronic money gets really interesting when you realize how impossible it is to put national walls around it, mandate the use of national currencies, or require that transactions go through banks... The country will have no practical choice but to rely more than ever on voluntary tax compliance. That means tax rates will have to be kept as low as possible on people and on businesses." (Investor's Business Daily 9 Jan 96 B1) [...] EDUPAGE is what you've just finished reading. (Please note that it's "Edupage" and not "EduPage.") To subscribe to Edupage: send a message to: listproc at educom.unc.edu and in the body of the message type: subscribe edupage Warren Buffett (assuming that your name is Warren Buffett; if it's not, substitute your own name). ... To cancel, send a message to: listproc at educom.unc.edu and in the body of the message type: unsubscribe edupage. (Subscription problems? Send mail to educom at educom.unc.edu.) From weidai at eskimo.com Tue Jan 9 17:51:07 1996 From: weidai at eskimo.com (Wei Dai) Date: Wed, 10 Jan 1996 09:51:07 +0800 Subject: NSA says strong crypto to china?? In-Reply-To: <199601091649.LAA11718@jekyll.piermont.com> Message-ID: > Once SIGINT becomes much harder regardless of their previous attempts > to stop it, I suspect that the NSA will become a friend and not an > impediment. By that time, of course, the "we have to protect our > people" types will be the only ones producing results and getting > funding, and the "we have to gather information" types will have long > ceased to produce. Thats probably a decade or more off, though. I doubt this will ever happen. If strong cryptography is ever deployed worldwide ubiquitously, which is a big if, passive ether sniffing becomes much harder, but the SIGINT people will likely switch to active attacks. 
Defense against active attacks is much more difficult than against passive attacks, and requires a host of technologies besides strong crypto (the one we're lacking most, I think, is a good software engineering methodology). I bet the NSA is doing active research on sniffer viruses and other automated tools for large scale active attacks. Wei Dai From tcmay at got.net Tue Jan 9 18:13:34 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 10 Jan 1996 10:13:34 +0800 Subject: RISC not everything Message-ID: At 8:24 PM 1/9/96, Kent Dahlgren wrote: >better way to tell them? Maybe I'm just paranoid. Its just that I kind >of feel sorry for DEC; its not easy being burdened with the worst >marketing staff in the world, having the world's fastest RISC processor, >and having the media go wild over the P6. I'm also a fan of Alta Vista, and use it daily. And I'd love to have a DEC Alpha workstation. However, there's more to success than being "the world's fastest RISC processor," as history has shown for the past decade or so. (Amongst other things, the SPECInts for the Alpha are actually lower than for the P6, though SPECfps are higher. And some of the MIPS/SGI processors are about as powerful as either.) The various high-end Alphas have a high per-chip cost. Very high. (Low-end Alphas are cheaper, but mainly for good reasons...a low-end Alpha is not compelling.) The high per-chip cost is associated with the large die size, DEC's lack of volume in making chips (which largely determines chip yields), the "mostly clock" layout (the 300 MHz clock is hard to distribute across the entire die area, and DEC uses a considerable fraction of the chip area and metallization in distributing the clock without significant skew), and the architecture. 
I'm not a P6 expert (nor do I even own or use any Intel processor machines, save for an old laptop, a first-generation IBM PC, and a 1978-era Sol), but my friend John Wharton has written glowingly of the P6 architectural innovations in the P6. In any case, Intel has the manufacturing machine able to make Pentiums in large enough volume for low enough cost to be a major market force. DEC does not have the same advantages. There are of course lots of issues to consider. If NT is as successful as I think it will be (see, I'm not _only_ a basher of Microsoft!), and if the versions of software for NT will not require extensive tuning for various platforms, then I think Intel's dominance will be slightly weakened. However, Intel is not standing still--it's busy building several new fabs that each cost more than a billion dollars (including one that will cost $2 B). Its "P7" processor is far along in development, and reportedly will merge today's features with "very long instruction word" (VLIW) techniques. DEC is back to making profits, but it sure wasn't for several years while it coasted on the work done earlier on the VAX. --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From EALLENSMITH at ocelot.Rutgers.EDU Tue Jan 9 18:15:24 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 10 Jan 1996 10:15:24 +0800 Subject: WIRE TAP ON NET Message-ID: <01HZTGS7MTBOA0UD8R@mbcl.rutgers.edu> From: "Michael S.
Fischer" >Well, I can't exactly say I feel sorry for the guys, even if cellular companies are ripping us off. Anyone who commits crimes while using email without encryption are idiots. ---------- While I can't really approve of stealing from the cellular companies, I do like a lot of the uses of such stolen numbers. Specifically, that they're being used in ways (such as by drug dealers) that the government doesn't like at all. -Allen From tcmay at got.net Tue Jan 9 18:44:37 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 10 Jan 1996 10:44:37 +0800 Subject: Scenario: Digital Telephony Leads to GAK Message-ID: Thanks, Leo, for providing this, and the translation into English. At 7:45 PM 1/9/96, Leo Van Hove wrote: >I looked up the law mentioned in the newspaper article and it goes like >this (non french speaking cypherpunks, please see comments below ): ... >Art. 202 stipulates that Belgacom (= Belgium's leading telephone company) >and other telecom companies have to cooperate with law enforcement when it >wants to tap telephone lines - no, sorry, make that telecom lines (!). >Note that tapping is only allowed under certain circumstances stipulated in >the so-called Privacy Law (see also my previous posting to this list). This is almost exactly the same provision that Digital Telephony established in the U.S., namely, that switch providers (phone companies, loosely speaking, but possibly more, including packet switches....). More on this in a moment. >Art. 203 is the most important as far as key escrow is concerned. It >completes Art. 95 of the 1991 Law which stipulated 4 conditions in which >telecom equipment may be seized. These initial conditions are rather >harmless (equipment does no longer conform to the initial specifications, >it hinders public broadcasts, presents health risks for the users,...). >Art. 203 adds a 5th and stingy one: equipment that makes tapping impossible >may be disconnected from the network and seized ... 
On the face of it - >I'm not a lawyer, so don't pin me down on this - this means no crypto (or ^^^^^^^^^^^^^^^^^^^^^^^^ >only with key escrow) ... ^^^^^^^^^^^^^^^^^^^^^ I think this ties in closely with the European meetings on key escrow (recall that our earliest indications of a move to get "software key escrow" came from the Karlsruhe meeting in the spring of 1994, and various international forums on key escrow began soon thereafter). This fits with several trends I and others here have discussed: * getting corporations to do as much of the enforcement work as possible. * using the civil forfeiture and penalty provisions to terrify the corporations, ISPs, switch providers, etc., to cooperate (I referred to this as "deputizing" the corporations as soldiers in the government's wars). * having Europe launch the crackdowns, then pleading that the U.S. must "conform" to international treaties and law enforcement agreements. (Some have argued that the Bavarian version of Exon was a step in this direction....) So, we need to be alert for the following scenario: 1. Telephone companies, telecom providers, ISPs, etc., must conform to the Digital Telephony wiretapping provisions, or variants thereof (not just the language of Digital Telephony, but also language in pending and future bills). 1a. If Exon passes, ISPs may also have to verify ages of users. This would necessitate a form of "Internet ID card," with all that this implies for the use of cryptography, anonymity, etc. 2. European companies (private, and PTTs) set the precedent. 3. An exception is made for key escrow. That is, one of the companies in #1 can be held harmless if it has taken major steps to ensure that users are not using encryption that is not properly escrowed. That is, they can escape the Title 18 fines and seizure of their equipment if they "cooperate" with "valid investigations." 4. A few prosecutions will likely have to be made, just to make sure the message is properly received.
(Like the two-by-four over the head I mentioned in my last message.) 5. A panic sets in. Just as CompuServe dumped 200 newsgroups on the whiff that a prosecution and seizure might happen, many ISPs will ignorantly send out warnings to users that all encrypted messages must use GAK. (To be sure, not all will. Some will ignore the warnings, some will contemptuously flout the law, etc.) 6. The government gets a large fraction of messages into a GAK format. Once again, corporations and ISPs become the deputies. (Note: Sure, superencryption still works, and no GAK system will be universally successful. Maybe not even successful in a majority of cases. But probably enough to cripple large-scale usage and, especially, commercial payment usage. This may be enough for the IRS, FinCen, etc.) We really need to be looking to what the nations of Europe are doing (as we have been of course, as the crypto laws of Europe have always been interesting to us, even if the machinations of the U.S. get most of the attention, for obvious reasons). --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From wlkngowl at unix.asb.com Tue Jan 9 18:45:52 1996 From: wlkngowl at unix.asb.com (wlkngowl at unix.asb.com) Date: Wed, 10 Jan 1996 10:45:52 +0800 Subject: NOISE.SYS for DOS v0.3.5 (NEW!) 
Message-ID: <199601100247.VAA20366@UNiX.asb.com> The latest version of NOISE.SYS (v0.3.5-Beta) can be gotten via anonymous ftp at ftp.funet.fi/pub/crypt/random/noise035.zip NOISE.SYS is a /dev/random driver for DOS systems running on 386 or later processors. It will sample fast timings between keystrokes and disk access, as well as changes in mouse position and CPU-clock drift, mixing with SHA-2 message digest to generate crypto-quality random numbers. Added in this version: Added documentation!!! Fixed timer sampling bug Fixed clock drift sampling (better entropy too) Added mouse position sampling Different accumulation function Lots of other changes From alano at teleport.com Tue Jan 9 18:57:53 1996 From: alano at teleport.com (Alan Olsen) Date: Wed, 10 Jan 1996 10:57:53 +0800 Subject: Why Companies are Poor at Finding Bugs Message-ID: <2.2.32.19960110024957.00963960@mail.teleport.com> At 06:53 PM 1/9/96 -0800, Tim May wrote: >And this has always been a major role of extra-corporate agents: safety >inspectors, insurance companies, independent testing laboratories, and so >on. The in-house testing departments are frequently inclined to overstate >concerns (known universally as "CYA," for "cover your ass"), so it is not >surprising that their concerns are often treated as a non-urgent matter. >Until a crisis happens, then they are lambasted for not having spoken up >more loudly and more forcefully. I have seen this before in a number of companies... I think it is because a lot of management is trained to think of things in the positive. To try and put the best spin on any situation... On the other hand, people of a technical bent tend to think of things as problems to be solved. Such an outlook is seen as negative. The two outlooks seem to conflict on many levels. Such outlooks from management tend to delay resolution of problems until it is too late...
>This was true in ancient Sumeria, in the early factories in Europe, on the >communes in China, and in the high-tech labs of today. An easily >understandable mixture of psychology, systems analysis, group dynamics, >economics, and evolutionary game theory. You forgot the works of Machiavelli... Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "Governments are potholes on the Information Superhighway." - Not TCMay From pamphlet at idiom.com Wed Jan 10 11:09:10 1996 From: pamphlet at idiom.com (Anonymous Pamphlet Distributor - wcs@idiom.com) Date: Wed, 10 Jan 96 11:09:10 PST Subject: nazi's, jews, and why you don't get to hear about them Message-ID: <199601101909.LAA23040@idiom.com> Internet providers asked to censor racist groups ---------------------------------------------------------------------------- Copyright 1996 Nando.net Copyright 1996 The Associated Press BOSTON (Jan 10, 1996 09:34 a.m. EST) -- White supremacist groups that once spread their racist messages at rallies and in leaflets are now going high-tech on the Internet -- a trend a leading Jewish human rights group wants to stop. The Simon Wiesenthal Center on Tuesday began sending hundreds of letters to Internet access providers asking them to refuse to carry messages that "promote racism, anti-Semitism, mayhem and violence." Good idea? No, say providers and civil libertarians. They argue that public debate is the way to defeat hate. The Internet allows users to "show the whole world what's wrong about what the hate speakers are saying," said Mike Godwin, staff counsel for the Electronic Frontier Foundation, a civil liberties group dealing with computer communications. "The correct place to try and put pressure is on the people who create the content, not the person who provides access to it," said CompuServe spokesman William Giles.
The roughly 250 hate groups in the United States, whose previous methods reached a limited audience, now "have a magnificent marketing technology dumped in their laps," said Rabbi Abraham Cooper, associate dean of the Wiesenthal center, based in Los Angeles. "They are able to dress up their message in a way that looks ... presentable." Slick web sites are springing up every day, with names such as Aryan Nations, Skinheads U.S.A. and The Aryan Crusader's Library. Ernst Zundel, a prominent Canadian Holocaust revisionist who has a homepage called Zundelsite, says he should have as much of a right to post a web page as anyone else. "The Internet is the first and last truly free marketplace of ideas, for the time being. It levels the playing field," Zundel said. "To curtail the freedom for some will curtail the freedom for all." The Wiesenthal Center's request is part of a growing debate over whether Internet service providers should be viewed as publishers responsible for what moves on their networks, or carriers who simply provide access to a service without monitoring what is communicated. The Wiesenthal Center argues that the services are publishers who have a civic responsibility not to promote bigotry. Godwin says Internet service providers should be treated like bookstores, which exercise some control when they decide to specialize in science fiction instead of mysteries, but are not expected to read every book and be held responsible for the books' contents. Prodigy spokesman Brian Ek said the service does employ systems operators who monitor content on its proprietary bulletin boards and can remove any messages with "blatant expressions of bigotry, racism or hate." But what exactly meets that definition is hard to pin down: "You make a decision when you see it." 
For example, when one subscriber pointed out a "repugnant" bulletin board message saying the Nazi extermination of 6 million Jews was a good thing, Prodigy removed it. Joe Bunkley -- who operates the "1st WWW Banned Media Page," a web site that links to virtually every other white supremacist and neo-Nazi Internet site -- had a strong message for those who would want to stop him from posting his views. "You cowards who want my page shut down can't deal with either the diversity or the free interaction of ideas," he said. "You, the intellectually dead, are hereby formally notified that my intentions are not to offend anyone. It is to speak the truth as I know it and to ensure, to the best of my abilities, the survival of the White Race." From Kevin.L.Prigge-2 at cis.umn.edu Wed Jan 10 11:09:30 1996 From: Kevin.L.Prigge-2 at cis.umn.edu (Kevin L Prigge) Date: Wed, 10 Jan 96 11:09:30 PST Subject: When they came for the Jews... In-Reply-To: <199601101826.NAA04543@homeport.org> Message-ID: <30f40ea06f6c002@noc.cis.umn.edu> sameer wrote: | | | Is there some way I can get a copy of this letter? Is it | directed at specific ISPs or ISPs in general? An open response, | publicized, to this sounds like something I could do. Publicity is | fun. | > Citing ``the rapidly expanding presence of organized hate groups on the | > Internet,'' a leading Jewish human rights group [the Simon Wiesenthal | > Center] on Tuesday began sending letters to hundreds of Internet access | > providers and universities asking them to refuse to carry messages that | > ``promote racism, anti-Semitism, mayhem and violence.'' As of the current time, we haven't received this letter (via postmaster at umn.edu or root at umn.edu). Anyone know where it might be coming from, i.e. @wiesenthal.com or something similar? -- Kevin L.
Prigge |"Have you ever gotten tired of hearing those UofM Central Computing | ridiculous AT&T commercials claiming credit email: klp at tc.umn.edu | for things that don't even exist yet? 010010011101011001100010| You will." -Emmanuel Goldstein From sameer at c2.org Wed Jan 10 11:33:20 1996 From: sameer at c2.org (sameer) Date: Wed, 10 Jan 96 11:33:20 PST Subject: When they came for the Jews... In-Reply-To: <199601101826.NAA04543@homeport.org> Message-ID: <199601101927.LAA14427@infinity.c2.org> > > The Wiesenthal center is very influential in Jewish circles. That's very unfortunate, considering how fascist they are. > Attacking them directly would probably be a bad idea, and create bad > associations for anonymity amongst Jews. (I'll come back to this.) You make very good points though. I'll have to stress the benefits of not preventing hate speech rather than just saying that it's impossible to prevent. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From stend at grendel.texas.net Wed Jan 10 11:49:54 1996 From: stend at grendel.texas.net (Sten Drescher) Date: Wed, 10 Jan 96 11:49:54 PST Subject: When they came for the Jews... In-Reply-To: <199601101826.NAA04543@homeport.org> Message-ID: <55d98r96f2.fsf@galil.austnsc.tandem.com> Adam Shostack said: AS> The Wiesenthal center is very influential in Jewish circles. AS> Attacking them directly would probably be a bad idea, and create bad AS> associations for anonymity amongst Jews. (I'll come back to this.) AS> As always, the best answer to bad speech is more speech. Ken McVay, AS> and his Nizkor project, (http://nizkor.almanac.bc.ca) have been AS> involved in fighting hate speech, holocaust revisionism, and the AS> like for long time through archiving the big lies that revisionists AS> pump out, documenting the bogosity of their footnotes, showing their AS> contradictions, etc. 
Pointing out this, and other net resources AS> fighting anti-semitism is a much cleaner approach than attacking the AS> Wiesenthal center. Isn't this attacking, or at least opposing, them directly? AS> Someone noted the police stopping skinheads in Oregon-- I'll point AS> out that there is a substantial difference between talking and AS> randomly beating the crap out of people. The later is a fair basis AS> for action by police, although we may choose to question their AS> methodology. There is also a difference between stopping skinheads AS> and stopping blacks, in that the skinheads decided to wear clothing AS> and tattoos that identify them as skinheads, and thus may more AS> fairly be asked to bear the consequences. This is known as the "[S]he asked for it" argument, a widely discredited defense. If their _behavior_ doesn't indicate criminal behavior, and there isn't a report of a crime with suspects meeting their descriptions, there is no more excuse for hassling them than there is for hassling blacks, or hispanics, or.... Who knows, they could actually be a bunch of Marines (depending on the area). AS> Another approach might be to talk about the concept of identity, and AS> how dangerous mandating identity cards and papers can be. Jews in AS> Germany were tracked down via phone records, bank records, AS> membership lists of organizations (a lesson probably noted by the AS> NAACP in refusing to give Alabama its membership rolls, leading to a AS> supreme court case upholding the right of anonymous association.) And more recently used in Texas by the KKK, represented by a black (given the organization defended, I think that the race of the attorney is relevant) attorney from the ACLU. The attorney was subsequently removed as the counsel for the Texas chapter of the NAACP. -- #include /* Sten Drescher */ 1973 Steelers About Three Bricks Shy of a Load 1994 Steelers 1974 Steelers And the Load Filled Up 1995 Steelers? 
To get my PGP public key, send me email with your public key and Subject: PGP key exchange Key fingerprint = 90 5F 1D FD A6 7C 84 5E A9 D3 90 16 B2 44 C4 F3 Unsolicited email advertisements will be proofread for a US$100 fee. From alanh at infi.net Tue Jan 9 20:47:47 1996 From: alanh at infi.net (Alan Horowitz) Date: Wed, 10 Jan 1996 12:47:47 +0800 Subject: PRIVACY: Private traces in public places In-Reply-To: <2.2.32.19960110032650.006f1934@netcom.com> Message-ID: Governments or whoever, can do all they want to make their collection of dossiers bulge even bigger than they are. But, these dossiers are only data sets. Data isn't quite the same as information. Information isn't quite the same as knowledge. Knowledge isn't quite the same as understanding. And understanding the situation has not been, historically, enough to ensure that government (or whoever) decision makers make the "right" decision. Let the internal security apparatchiks spin the bottle all they want. They couldn't keep Rome from falling, nor the Byzantine Empire, nor the Ottoman Sultanate. They couldn't keep the Third Reich in place for a thousand years. They couldn't keep the Soviet Union glued together by force nor dirty persuasion nor extortionate non-economics. The FBI can run, but it can't hide. Alan Horowitz alanh at infi.net From llurch at networking.stanford.edu Wed Jan 10 13:01:40 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 10 Jan 96 13:01:40 PST Subject: Is this true... In-Reply-To: <2.2.32.19960110202813.006bb954@visi.net> Message-ID: On Wed, 10 Jan 1996, Ted Garrett wrote: > Being new to crypto subjects, I guess I'm pretty gullible about how much one > should use encryption in general.
I remember reading somewhere that it > would probably be best for the 'world as a whole' if everyone used > encryption whenever possible so that when you DO send encrypted messages > that actually contain information you want kept secret, it doesn't stick out > like a sore thumb. > > To that end, I should imagine that once I have a person's pgp key, they may > well never see another cleartext message from me again! The liability of that is a little inconvenience, which can lead to laziness and insecurity. I usually read mail on a highly visible multiuser UNIX system of which I am not the sysadmin and that has been broken into several times. If you send me encrypted mail, then I either need to keep my key, type my passphrase, etc. on this insecure system, or download the mail to a PC or Mac, which isn't always possible. Most sessions of mine to this host are encrypted in kerberos or ssh, but not all. Sending unencrypted mail is rather like sending a postcard. But postcards are fine a lot of the time. Being too cavalier about the use of PGP is rather like putting multiple deadbolts on the front door to your house, but accidentally dropping copies of your house keys wherever you go. -rich From kolivet at alpha.c2.org Tue Jan 9 21:19:39 1996 From: kolivet at alpha.c2.org (kolivet at alpha.c2.org) Date: Wed, 10 Jan 1996 13:19:39 +0800 Subject: Microsoft continues to mislead public about Windows security Message-ID: <199601100451.UAA13211@infinity.c2.org> On Tue, 9 Jan 1996, Frank Willoughby wrote: > When a system is breached or a CERT Advisory is issued, this is a major > embarrassment for the company. The breach (or publicized security flaw) > shakes the confidence of people in the vendor's products. People are > rather unwilling to risk putting their business-critical data on a system > which has just recently breached. This lack of confidence translates into > a loss in sales. If unchecked or the case is severe enough, this could > also translate into a loss of jobs.
What are CERT's criteria for a bulletin to be issued? Would the previously mentioned Windows NT and Windows 95 security bugs qualify? - Kay Olivetti From erc at dal1820.computek.net Tue Jan 9 21:23:26 1996 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Wed, 10 Jan 1996 13:23:26 +0800 Subject: PRIVACY: Private traces in public places In-Reply-To: Message-ID: <199601100511.XAA20243@dal1820.computek.net> > Governments or whoever, can do all they want to make their collection of > dossiers bulge even bigger than they are. But, these dossiers are only > data sets. Data isn't quite the same as information. Information isn't > quite the same as knowledge. Knowledge isn't quite the same as > understanding. And understanding the situation has not been, > historically, enough to ensure that government (or whoever) decision > makers make the "right" decision. > > Let the internal security apparatchiks spin the bottle all they want. > They couldn't keep Rome from falling, nor the Byzantine Empire, nor the > Ottoman Sultanate. They couldn't keep the Third Reich in place for a > thousand years. They couldn't keep the Soviet Union glued together by > force nor dirty persuasion nor extortionate non-economics. The problem, as I see it, is that you can have too much information. Information takes up room, takes up CPU cycles to process and store and retrieve, and the worst part is, it takes a human to evaluate it. No computer in the world is going to be able to evaluate incoming humint for reliability. That takes a human, and I suspect that it will be that way for quite some time. The more information you gather, the worse the problem gets, until you have this massive database of information, all indexed and stuff, at your fingertips, but it's useless, because you can't tell whether it's real or BS or disinformation.
-- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes From delznic at storm.net Tue Jan 9 21:47:17 1996 From: delznic at storm.net (Douglas F. Elznic) Date: Wed, 10 Jan 1996 13:47:17 +0800 Subject: No Subject Message-ID: <2.2.16.19960110022146.3717051a@terminus.storm.net> Has anyone bought the disks mentioned in applied cryptography? Are they available anywhere online to citizens of the US? -- ==================Douglas Elznic=================== delznic at storm.net http://www.vcomm.net/~delznic/ (315)682-5489 (315)682-1647 4877 Firethorn Circle Manlius, NY 13104 "Challenge the system, question the rules." =================================================== PGP key available: http://www.vcomm.net/~delznic/pgpkey.asc PGP Fingerprint: 68 6F 89 F6 F0 58 AE 22 14 8A 31 2A E5 5C FD A5 =================================================== From kent at trouble.WV.TEK.COM Tue Jan 9 21:59:53 1996 From: kent at trouble.WV.TEK.COM (Kent Dahlgren) Date: Wed, 10 Jan 1996 13:59:53 +0800 Subject: Still [NOISE] but a.f.urban was clearly wrong [Fwd: Re: ABOI: Desperate User Support]) In-Reply-To: Message-ID: Let it die...Please.
______________________________________________________________________________ ______ T E K T R O N I X _ C P I D _ T E C H N I C A L _ S U P P O R T _______ / Voice: 1.800.835.6100 E-mail: support at colorprinters.tek.com Fax: 1.503.685.3063 WWW: www.tek.com BBS: 1.503.685.4504 E-World: Keyword Tektronix HAL: 1.503.682.7450 AOL: Keyword Tektronix Service: 1.800.835.6100 FTP: ftp.tek.com ______________________________________________________________________________ From jimbell at pacifier.com Wed Jan 10 14:43:16 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 10 Jan 96 14:43:16 PST Subject: Is this true... Message-ID: At 03:28 PM 1/10/96 -0500, you wrote: >To that end, I should imagine that once I have a person's pgp key, they may >well never see another cleartext message from me again! Of course, now I'm >trying to figure out how to use the anonymous remailers and such. Boy, this >is fun! > >Of course, the fact that my government doesn't really care for the idea of >publicly available cryptography makes it even more enticing. >Ted Garrett >Live Systems Integration And that's the REALLY ironic part! PGP (as wonderful as it is, politically, that Zimmermann wrote it...) is so frigging frustrating and difficult to use (as programs go, anyway), and interface to, and I haven't even TRIED to use anonymous emailers yet (sheer laziness on my part, I admit). If the government came out neutral about them, or "God forbid" REQUIRED us to learn how to use them, I'd probably be proudly resisting their desires and ignoring the whole technology. Makes you stop and think, doesn't it?!? From mixmaster at anon.alias.net Wed Jan 10 14:57:47 1996 From: mixmaster at anon.alias.net (Mr. Nobody) Date: Wed, 10 Jan 96 14:57:47 PST Subject: None In-Reply-To: Message-ID: <199601112245.QAA00505@fuqua.fiftysix.org> In article "Declan B. McCullagh" writes: > From: "Declan B. 
McCullagh" > Date: Tue, 9 Jan 1996 11:35:42 -0500 (EST) > X-From-Line: owner-cypherpunks at toad.com Tue Jan 9 11:53:19 1996 > References: > Sender: owner-cypherpunks at toad.com > Precedence: bulk > Lines: 46 > > * INDECENCY is illegal to *broadcast* under Federal law, as enforced by > the FCC. Examples of indecent words include "fuck" and "cocksucker," > which the Supreme Court has defined as illegal in the George Carlin > speech, Pacifica case. The justification for a compelling government > interest is that radio waves are pervasive, and a child can turn on the > radio and hear dirty words by accident. The great free speech attorney > Harvey Silverglate has been representing Allen Ginsberg in an "indecency" > case, since "Howl" contains "indecent" words -- I believe he managed to > get the FCC to include an exemption for material broadcast after > midnight. Isn't a large part of the reason the FCC can regulate broadcasters without violating the first amendment the fact that there are only a finite number of broadcast frequencies, and that TV/radio stations are required to serve the public interest? I don't see how the same login can be applied to the internet. From vznuri at netcom.com Wed Jan 10 15:01:54 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Wed, 10 Jan 96 15:01:54 PST Subject: Net Control is Thought Control In-Reply-To: <2.2.32.19960110175223.006a6bcc@panix.com> Message-ID: <199601102251.OAA09843@netcom7.netcom.com> DCF makes some excellent points about the difficulty of *overt* thought control in a information society. however I would like to suggest that in our own democratic culture, *overt* thought control is not really that important and is not necessarily the major means of thought control. the most insidious, and effective, form of thought control is that which manipulates subject's thinking without their being aware of it.
there are a variety of ways to accomplish this, many of them outlined in a book called "Coercive Persuasion" loaned to me by an acquaintance. one way is to try to infiltrate groups with particular individuals who are loyal to the "thought control" agenda, who then attempt to gain the trust of members, but then also try to subtly manipulate their thinking. the problem is that "covert thought control" becomes more possible with an information age that does not handle identity in any "permanent" or "enduring" way. agent provocateurs etc. may be more difficult to identify and easier to create and maintain. in fact a single "government thought control agent" might be able to create and maintain dozens of convincing identities, all of them working to subtly manipulate the population's thinking without detection. in the real world, once a "person" is discredited, all that they do is tainted, but when a "tentacle" is "tainted" in cyberspace, the "operator" need only create a new "tentacle"-- an operation that is becoming increasingly cheap. so in other words I would say that cyberspace raises some problems while solving others, and that its full implications are not yet apparent. I suspect we are simply going to run into new, more sophisticated forms of thought control, not the total dissolution of its capability, in cyberspace. old forms of trying to kill thoughts based on the physical medium, such as bashing printing presses, will dissolve, but other forms of "meme damage" such as "flooding attacks" etc. may arise instead. From phv at bim.be Wed Jan 10 15:04:45 1996 From: phv at bim.be (Philippe VIJGHEN) Date: Wed, 10 Jan 96 15:04:45 PST Subject: A weakness in PGP signatures, and a suggested solution (long) In-Reply-To: <199601030407.UAA12551@comsec.com> Message-ID: <30F37F39.480@bim.be> You are right but the question is: what do you want to sign/encipher, the message body or the whole message exchange? 
We thought about this when we developed a piece of software for the European Space Agency which is called EDIDOC server (Electronic Data Interchange of Documents). In our case, SMTP header signing was anyway not acceptable because we needed to support various communication means. I won't go into too many details but EDIDOC is acting as a central server for information exchange with value added as: - a clearing house - security gateway - communication gateway - a gateway at document format level - groupware aspects Roughly, - a clearing house: every exchange is logged in the server db - security gateway ...this requires of course trusting of the server but people with different security packages can send/receive "secured message" (signature, enciphering) to/from the server without worrying about the recipient/originator configuration. Only the server public key needs to be known by the partners. - communication gateway: Various ways of transmitting the messages to/from the server depending on partner configuration. This means that although, as you pointed out, the envelope must be secured itself it can not be the envelope specific to the communication method used (SMTP, X.400,...) -> useful information can not be stored at the level of the communication method header (ex. SMTP) but is included in the secured body (originator, destinator, timestamp, subject, ....) Only the strict minimal information is included in the SMTP, X.400, FTP, floppy, a.s.o. "headers". Our envelope is structured according to a SGML DTD. - a gateway at document format level Server is doing conformance checking of documents and can even down-translate them based on the recipient settings (some will expect SGML, other ones EDIFACT, other ones ASCII, other partners WP, .... depending on the type of document) - groupware aspects complex scenarios (as chain of approval, document review, ...) 
may be implemented at the server level For more information, send an e-mail to edidoc-info at bim.be ESA/ESRIN has some information at http://www.esrin.esa.it BIM Engineering has a home page (http://www.bim.be) which should "soon" include information about the server Philippe VIJGHEN BIM Engineering Europe From tcmay at got.net Tue Jan 9 23:10:10 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 10 Jan 1996 15:10:10 +0800 Subject: E-cash and Interest Message-ID: At 5:26 AM 1/10/96, Tim Philp wrote: >I had been doing some thinking about E-cash and some of the implications. >It seems to me that there is another element in the discussion that has >not gotten very much consideration. >When you have your money in the bank, you are earning interest on the >money (albeit not very much! ) and that money continues to earn What interest, if any, is a contractual arrangement a customer makes with a bank. Some banks pay no interest at all, some pay low rates, some pay more. A function of a lot of factors. Before saying that digital cash will not pay interest, one would have to know the type of digital cash and the ancillary contracts that may go with it. For example, the online clearing model could certainly still have interest-bearing accounts, in the underlying currency or commodity that represents the store of value to be paid out when the digital cash is redeemed. It might be cumbersome, but it would certainly be possible for an agent to buy what I'll call a "digital bond," worth one unit at time zero, 1.1 unit after one year, and so on. >interest until it is withdrawn. If you write a check to pay for >something, that ends your interest accumulation for that money. Actually, writing the check does not end your accumulation of interest. The payout of funds to the check casher is what ends the accumulation. Some parallels with online clearing digital cash. 
>With the E-cash systems that I have seen, you generate your own E-cash >and have it signed by a 'bank' At that moment, it becomes like cash in >your wallet and you lose interest that this money could be earning. >Has this issue been addressed, or am I missing something? Depends on the exact type. From your description, you're looking at the model in which one closes out a bank account (presumably interest-bearing), and says "Give it to me in unmarked bills" (loosely speaking). Well, if the digital cash is really just a call on funds still held (and perhaps used, hence they can give interest), then interest is still possible. If the bank has given out funds to some other bank, then they can no longer pay interest. (If this sounds confusing, it is because even in digital cash systems one must think about where the store of value really is, who has it, who must trade it for the numbers representing cash, etc. "There is no digital coin" means more than just that there is no unforgeable thing that is unforgeable the way a gold coin is; it also means that the numbers are not actual value, that the value exists in other places...it gets murky, though.) In any case, most initial uses of digital cash will more closely resemble currency exchanges (which it can be argued is a better model....), for which the customer usually pays a fee, or there are buy/sell rates that give the moneychangers in the temple their pound of flesh. --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." 
From steve at aztech.net Tue Jan 9 23:26:14 1996 From: steve at aztech.net (Steve Gibbons) Date: Wed, 10 Jan 1996 15:26:14 +0800 Subject: PRIVACY: Private traces in public places Message-ID: <0099C274.0F297360.261@aztech.net> # > Governments or whoever, can do all they want to make their collection of # > dossiers bulge even bigger than they are. But, these dossiers are only # > data sets. Data isn't quite the same as information. Information isn't # > quite the same as knowledge. Knowledge isn't quite the same as # > understanding. And understanding the situation has not been, # > historically, enough to ensure that government (or whoever) decision # > makers make the "right" decision. # > # > Let the internal security apparatchiks spin the bottle all they want. # > They couldn't keep Rome from falling, nor the Byzantine Empire, nor the # > Ottoman Sultanate. They couldn't keep the Third Reich in place for a # > thousand years. They couldn't keep the Soviet Union glued together by # > force nor dirty persuasion nor extortionate non-economics. # The problem, as I see it, is that you can have too much information. # Information takes up room, takes up CPU cycles to process and store and # retrieve, and the worst part is, it takes a human to evaluate it. No # computer in the world is going to be able to evaluate incoming humint for # reliability. That takes a human, and I suspect that it will be that way # for quite some time. The more information you gather, the worse the # problem gets, until you have this massive database of information, all # indexed and stuff, at your fingertips, but it's useless, because you can't # tell whether it's real or BS or disinformation. It's how you classify things. Raw data is raw data, and raw data is not the same thing as information. Until the disinformation gets filtered out, it can't be classified as information, but falls into the raw-data category. 
-- Steve at AZTech.Net From jya at pipeline.com Wed Jan 10 16:17:19 1996 From: jya at pipeline.com (John Young) Date: Wed, 10 Jan 96 16:17:19 PST Subject: David Kahn on C-Span 2 Message-ID: <199601110017.TAA06836@pipe1.nyc.pipeline.com> David Kahn, NSA Scholar-in-Residence, is speaking on C-Span 2 now, 7:20 PM Est, reviewing "Secret Codes in WW2." From erc at dal1820.computek.net Wed Jan 10 00:25:07 1996 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Wed, 10 Jan 1996 16:25:07 +0800 Subject: SSH for Windows Message-ID: <199601100334.VAA13005@dal1820.computek.net> ...can be found at URL http://public.srce.hr/~cigaly/ssh/. FYI. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes From tcmay at got.net Wed Jan 10 00:54:02 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 10 Jan 1996 16:54:02 +0800 Subject: PRIVACY: Private traces in public places Message-ID: (Sasha, good to have you on our list!) At 3:26 AM 1/10/96, Alexander 'Sasha' Chislenko wrote: > Sometimes, it comes as an unpleasant surprise to a person who >looks for web pages referencing his own name, and finds, among >other things, many of his explicit or controversial usenet or mailing >list messages, old resumes that may contradict the current one, >critical remarks of his high school girlfriend and former colleagues, etc. >Knowing that this information is easily accessible to his new girlfriend >and prospective employer may make him more than uncomfortable. 
Remember a couple of years ago on the Extropians list when I claimed to have compiled dossiers on people, from their admissions in posts about drug use, infidelities, and other such things? Several of them got quite irate. >All advice to such a person you may see on the Net mentions Net laws >that should have been passed and personal actions that should or >should not have been taken. Not all such advice, because my advice has been different from this. >How can people protect themselves from all this? > >Will people of the future all wear identical privacy suits, gloves and >helmets and burn >everything they have touched? > >Or they will just try not to do things they may later be ashamed of? >(How do you know what you may be ashamed of 30 years from now?) Or, the option I prefer: do what you gotta do, and screw those who claim you should be ashamed of yourself. Think of this as a screening process: anyone who is so offended or ashamed for you (what a concept: "I'm ashamed for you") probably is not someone you would want to deal with. Works for me. I'm not trivializing the issue of search engines and archiving systems turning up articles written, old posts, etc. Every couple of weeks, sometimes more often, someone sends me a copy of one of my postings and claims that someone else must be forging my name (recent posts on racial issues, for example--while I'm not a racist, I despise quotas, setasides, and preferential treatment for lazy people, of any race...this obviously makes some people "ashamed for me" :-}). These people, obsessed with political correctness, or having some notion that consistency must be enforced, are the populist form of Thought Police. Mostly I ignore these people pestering me to "explain" a post I made in a group, and, if they persist, I add them to my filter file. I prefer this liberated outlook to either of the two options you presented. --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. 
---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From stewarts at ix.netcom.com Wed Jan 10 03:12:35 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 10 Jan 1996 19:12:35 +0800 Subject: Domains, InterNIC, and PGP (and physical locations of hosts, to boot) Message-ID: <199601101100.DAA27160@ix11.ix.netcom.com> At 11:15 PM 1/6/96 -0500, Michael Handler wrote: >ObGPS/cpunk/physical-location-of-machines: A recent IETF proposal would >create a new DNS record that encoded the physical location of a >machine, encoded in latitude and longitude. This would solve the >problem MIT has had in distributing PGP, i.e. where exactly is >unix5.netaxs.com? However, there's nothing to stop you from adding >records that say your machines are at the latitude and longitude of, >say, Fort Meade... ;-) My laptop's latitude and longitude aren't constants.... And a DNS record identifying the precise location of compuserve.com or netcom.com might not be very meaningful; a more detailed record identifying the location of port5.paloalto-annex-3.netcom.com might tell you which terminal server to aim an ICBM at, but won't tell you where I dialed in to it from. But it still won't tell you if the user is in Washington DC or Germany, though perhaps a DNS record for Snow-Depth might be a bit more informative. > ftp://ds.internic.net/rfc/rfc1876.txt >Again, I'm not too sure of the viability of this proposal. 
Not on >effectiveness of proving true location -- it is more geared toward >"visual 3-D packet tracing" -- but simply because I have _no_ fricking >idea where our machines are (in terms of lat and long) to any degree >of accuracy. There are several geography servers on the net, which can tell you the lat/long for a city (more useful if your city is, say, Holmdel NJ than if it's Los Angeles.) Or you can buy one of those $12.95 CD-ROMs with all the street addresses in the US on them (perhaps at the cost of adding a PC or Mac and CDROM drive to run the software...) Feed it a street address, and you can get pretty close (mine actually targets the other end of my block, but it's not doing interpolations...) #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "The price of liberty is eternal vigilance" used to mean us watching # the government, not the other way around.... From JOANNA at Vela.filg.uj.edu.pl Wed Jan 10 04:39:22 1996 From: JOANNA at Vela.filg.uj.edu.pl (Joanna Orzechowska) Date: Wed, 10 Jan 1996 20:39:22 +0800 Subject: Groups of prime order Message-ID: <8F61E63A05@Vela.filg.uj.edu.pl> Hi CP's! Hope someone would be so kind to help me with this: Is it weaker to use arithmetic mod (p-1), and hence all Zp, when suggested to work in a group of prime order q? This question is connected with discrete log signature protocols such as that in Pedersen's "Improved privacy in Wallets with Observers" or Schnorr's. I would appreciate any help ASAP, since I'm in a hurry. Please, answer me by personal mail since I'm not subscribed to the CPs list now. Thanks and best wishes from Poland. Joanna From pati at ipied.tu.ac.th Wed Jan 10 04:58:00 1996 From: pati at ipied.tu.ac.th (luxana) Date: Wed, 10 Jan 1996 20:58:00 +0800 Subject: Starting an e-cash bank In-Reply-To: <4cjg0c$rm5@calum.csclub.uwaterloo.ca> Message-ID: On 5 Jan 1996, Ian Goldberg wrote: > Huh? Why? 
If I'm an ecash seller, I take a customer's paper money, > withdraw ecash from _my_ MT account, give the ecash to the customer > (_not_ a payment: I just give him the coin -- the pair (n,f(n)^(1/h))) > and the customer is free to use it at will. It's Digicash's slogan: > the numbers _are_ the money. But you're not issuing ecash, you're just exchanging it. Do the blackmarket money changers of many countries issue cash? No, the governments do that. The governments may outlaw the practice, but it's still done coz of the government's inefficiencies. But MT is the issuer, they actually create the money from your original deposits. They can't issue ecash without user deposits. ------------------------------------------------------------------------------- Patiwat Panurach Whatever you can do, or dream you can, begin it. eMAIL: pati at ipied.tu.ac.th Boldness has genius, power and magic in it. m/18 junior Fac of Economics -Johann W.Von Goethe ------------------------------------------------------------------------------- From pati at ipied.tu.ac.th Wed Jan 10 05:11:55 1996 From: pati at ipied.tu.ac.th (luxana) Date: Wed, 10 Jan 1996 21:11:55 +0800 Subject: Starting an e-cash bank In-Reply-To: <199601031925.NAA02085@proust.suba.com> Message-ID: sorry if this is a little late..... On Wed, 3 Jan 1996, Alex Strasheim wrote: > > What does it take to be called a bank? > > Is it necessary to be called a bank? I've got a storefront in Chicago. > What would prevent me from opening up a Mark Twain account and buying and > selling ecash on floppies, in person? Do account holders have to agree > not to do that before Mark Twain gives them an account? Is it illegal? > > The currency exchange model almost seems more appropriate for most users > than the bank model. Not exactly currency exchange. More like simple exchange. Don't confuse "issuing ecash" with "exchanging ecash for cash". Issuing implies that you have assets to back up the ecash. 
Exchange only means that you're giving up your ecash for an equivalent amount of cash. Anybody could conceivably "exchange ecash". Only "banks", who back up your money by law and reserves can "issue ecash". ------------------------------------------------------------------------------- Patiwat Panurach Whatever you can do, or dream you can, begin it. eMAIL: pati at ipied.tu.ac.th Boldness has genius, power and magic in it. m/18 junior Fac of Economics -Johann W.Von Goethe ------------------------------------------------------------------------------- From pati at ipied.tu.ac.th Wed Jan 10 05:28:54 1996 From: pati at ipied.tu.ac.th (luxana) Date: Wed, 10 Jan 1996 21:28:54 +0800 Subject: E-cash and Interest In-Reply-To: Message-ID: On Wed, 10 Jan 1996, Tim Philp wrote: > With the E-cash systems that I have seen, you generate your own E-cash > and have it signed by a 'bank' At that moment, it becomes like cash in > your wallet and you lose interest that this money could be earning. From the standpoint of monetary economics, this is correct. The (ecash) bank has the right to use your deposits to give out loans. When you withdraw your money (and turn it into either cash or ecash) they (the bank) no longer have the right to turn your deposits into loans. Withdrawn cash/ecash can not earn interest. This is the problem of (e)cash: if you have it on hand you _must_ forgo any interest earnings. Theoretically, the optimum holding of (e)cash is a function of interest rate (the greater the interest rate, the less cash on hand), transaction cost of making withdrawals (the easier and more convenient the withdrawals, the less cash on hand), and the "providence value" of cash (the more you value instant gratification, the more cash on hand). That's why ATM machines have caused us to hold less cash. We can now keep money in the bank (letting it earn interest and letting the bank create loans with it) and withdraw from ATM terminals only when we need it. 
------------------------------------------------------------------------------- Patiwat Panurach Whatever you can do, or dream you can, begin it. eMAIL: pati at ipied.tu.ac.th Boldness has genius, power and magic in it. m/18 junior Fac of Economics -Johann W.Von Goethe ------------------------------------------------------------------------------- From jya at pipeline.com Wed Jan 10 05:36:00 1996 From: jya at pipeline.com (John Young) Date: Wed, 10 Jan 1996 21:36:00 +0800 Subject: PRIVACY: Private traces in public places Message-ID: <199601101328.IAA01966@pipe4.nyc.pipeline.com> Responding to msg by nobody at REPLAY.COM (Anonymous) on Wed, 10 Jan 1:43 PM > Last summer the first case in Britain of a libel on the Internet was > settled out of court when Laurence Godfrey accepted undisclosed > damages from another nuclear physicist, Philip Hallam-Baker, over > remarks made in 1993 on Usenet, an electronic conference with 16 > million users. And Peter Lilley, the Social Security Secretary, sent a > stiff letter to the vice-chancellor of Leeds University after one of > its students used a faculty computer to make defamatory allegations > about him. ---------- The NYT reports that by 2000 there will be over 1 million lawyers in the US. These fine-minders, supported by the burgeoning private investigative and security fields, will surely mine electronic archives as thoroughly as they research paper -- and thanks to wondrous Altavistas maybe more thoroughly. And backed by these highly skilled lobbyists, laws will change to make remunerative rain of -- and by -- archiving and search technology as they have to capitalize on the technology of doing the same in the worlds of printing, telegraph, telephone and television. Promotion of these privacy-invasive services on the Net parallels the defensive measures explored on cypherpunks. Perhaps all c'punks should subscribe to cyberia-l and vice versa; they are hand in hand, or fist to fist, on this. 
From erc at dal1820.computek.net Wed Jan 10 05:43:11 1996 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Wed, 10 Jan 1996 21:43:11 +0800 Subject: PRIVACY: Private traces in public places In-Reply-To: <199601101328.IAA01966@pipe4.nyc.pipeline.com> Message-ID: <199601101336.HAA15355@dal1820.computek.net> > These fine-minders, supported by the burgeoning private > investigative and security fields, will surely mine electronic > archives as thoroughly as they research paper -- and thanks to > wondrous Altavistas maybe more thoroughly. > > And backed by these highly skilled lobbyists, laws will change > to make remunerative rain of -- and by -- archiving and search > technology as they have to capitalize on the technology of > doing the same in the worlds of printing, telegraph, telephone > and television. > > Promotion of these privacy-invasive services on the Net > parallels the defensive measures explored on cypherpunks. Agreed. You don't even have to read the newsgroup or the web page - just search for "John Young" or "Ed Carp", and in a few seconds read everything your detractors have been saying about you anywhere on the net. Then all it takes is one phone call to your lawyer. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 
'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes From erc at dal1820.computek.net Wed Jan 10 06:00:23 1996 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Wed, 10 Jan 1996 22:00:23 +0800 Subject: SSH for Windows In-Reply-To: <199601101153.MAA20011@utopia.hacktic.nl> Message-ID: <199601101350.HAA16405@dal1820.computek.net> > also on ftp.hacktic.nl/pub/replay/pub/incoming/ssh-1-2.zip actually, it's ssh-1.2-.zip -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes From m5 at dev.tivoli.com Wed Jan 10 06:21:52 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Wed, 10 Jan 1996 22:21:52 +0800 Subject: Why Companies are Poor at Finding Bugs In-Reply-To: <2.2.32.19960110024957.00963960@mail.teleport.com> Message-ID: <9601101403.AA25208@alpha> Alan Olsen writes: > >Until a crisis happens, then they are lambasted for not having > >spoken up more loudly and more forcefully. > > I have seen this before in a number of companies... Anyone more interested in these sorts of organizational behavior things should read Peter Senge's "The Fifth Discipline". (Either that or "Dilbert".) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. 
| Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From tallpaul at pipeline.com Wed Jan 10 06:22:40 1996 From: tallpaul at pipeline.com (tallpaul) Date: Wed, 10 Jan 1996 22:22:40 +0800 Subject: Mixmaster On A $20 Floppy? Message-ID: <199601101410.JAA29058@pipe1.nyc.pipeline.com> On Jan 10, 1996 03:00:00, 'Bill Stewart ' wrote: >At 08:55 PM 1/5/96 -0500, tallpaul at pipeline.com (tallpaul) wrote: >>I've reports that the latest version of SyQuest's external parallel port >>EZ135 "floppy" drive is due on the shelves this month. > >Iomega's ZIP drives are similarly priced, hold 100 MB, and >come in parallel and SCSI flavors. > Quite right. In many ways the SyQuest and Iomega products are identical. However, I'm shooting for the SyQuest because of the advertised 12.5 msec access time. In any case, the tech is there and it is portable so we can expect to see a variety of similar products in the future. >>Question 1: Can you fit linux, pgp, mixmaster, etc. on the 135 Mb disk and >>have enough useful space left over for a useful amount of data? > >As various people have said, you can do it on a couple of floppies. >Is Mixmaster designed in a way that could easily accommodate having >Mixmasters pop in and out of existence, either well-known ones that travel, >or (with some enhancement) temporaries that pop up and squawk their >existence to some sort of web site or mailing list? What would it >take to add this capability? > I can't answer these questions which is why I started this thread to get answers from those who have the knowledge required to make meaningful answers. The major problem today stopping the proliferation of "temporary" sites seems to be the user interface. Ultimately, we would want something that was very easy to use and had incredibly simple user manuals (like the Army's Training Manuals for really dumb soldiers). You know, the ones that start: "This is a bullet. 
It has a pointy end and a flat end. The pointy end is the end you want to face the enemy. The flat end is the end you want to face you." >>Question 3: Anyone want to speculate on what data recovery is like when >>encrypted data and the horse it rode in (and out) on has all been >>physically destroyed at a replacement cost of only $US20? > >Old 5 1/4" floppies make a very secure satisfying sound when you >take the magnetic material out and drop it into a shredder :-) >The 20 MB Bernoulli Box floppies were also shreddable. > Yeah, and imagine the noise an anti-privacy technician makes when he/she/it is told to try to extract plaintext from the shredded results. >#-- ># Thanks; Bill ># Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 ># ># "The price of liberty is eternal vigilance" used to mean us watching ># the government, not the other way around.... > > -- -- tallpaul -- Any political analysis that fits on a bumper sticker is wrong. From jya at pipeline.com Wed Jan 10 06:35:33 1996 From: jya at pipeline.com (John Young) Date: Wed, 10 Jan 1996 22:35:33 +0800 Subject: TAL_kup Message-ID: <199601101426.JAA16123@pipe3.nyc.pipeline.com> 1-10-96. NYPaper: "Group Urges an Internet Ban On Hate Groups' Messages. Joins in Move to Censor Offensive Material." Citing the "rapidly expanding presence of organized hate groups on the Internet," a leading Jewish human rights group yesterday began sending letters to hundreds of Internet access providers and universities asking them to refuse to carry messages that "promote racism, anti- Semitism, mayhem and violence." A sage says, "It is not possible to end idiocy by censoring it. The best response is cellular." TAL_kup From bplib at wat.hookup.net Wed Jan 10 06:44:57 1996 From: bplib at wat.hookup.net (Tim Philp) Date: Wed, 10 Jan 1996 22:44:57 +0800 Subject: E-cash and Interest Message-ID: I had been doing some thinking about E-cash and some of the implications. 
It seems to me that there is another element in the discussion that has not gotten very much consideration. When you have your money in the bank, you are earning interest on the money (albeit not very much! ) and that money continues to earn interest until it is withdrawn. If you write a check to pay for something, that ends your interest accumulation for that money. With the E-cash systems that I have seen, you generate your own E-cash and have it signed by a 'bank' At that moment, it becomes like cash in your wallet and you lose interest that this money could be earning. Has this issue been addressed, or am I missing something? Regards, Tim Philp =================================== For PGP Public Key, Send E-mail to: pgp-public-keys at swissnet.ai.mit.edu In Subject line type: GET PHILP =================================== From bianco at itribe.net Wed Jan 10 06:51:45 1996 From: bianco at itribe.net (David J. Bianco) Date: Wed, 10 Jan 1996 22:51:45 +0800 Subject: Reports available via CTRS Message-ID: <199601101438.JAA03611@gatekeeper.itribe.net> [Abstracts for, and (in most cases) links to these report titles can be found at the CTRS site, http://www.itribe.net/CTRS/ ] 1.Tuomas Aura, Modelling the Needham-Schroeder authentication protocol with high level Petri nets, Technical Report B14, Espoo, Finland, September 1995. 2.Arnold G. Reinhold, Diceware for Passphrase Generation and Other Cryptographic Applications, Cambridge, MA, July 28, 1995. 3.Arnold G. Reinhold, A Diceware Word List, Cambridge, MA, July 28, 1995. 4.Arnold G. Reinhold, Results of a Survey on PGP Pass Phrase Usage, Cambridge, MA, July 28, 1995. 5.Arnold G. Reinhold, "Common Sense and Cryptography" , Internet Secrets, John Levine and Carol Baroudi (Ed.), Foster City, CA, 1995, pp. 115-150. 6.Arnold G. Reinhold, On the Function of MHC-Antigen Specificity, Cambridge, MA, March 3, 1989. 7.VeriSign, Inc., FAQ: Answers About Today's Digital IDs, July 15, 1995. 
8.Roos, Andrew, A Class of Weak Keys in the RC4 Stream Cipher (Preliminary Draft), Westville, South Africa, September 1995. 9.Terry Ritter, Substitution Cipher with Pseudo-Random Shuffling: The Dynamic Substitution Combiner., Cryptologia, vol. 14, no. 4, 1990, pp. 289-303. 10.Terry Ritter, Transposition Cipher with Pseudo-Random Shuffling: The Dynamic Transposition Combiner., Cryptologia, vol. 15, no. 1, 1991, pp. 1-17. 11.Terry Ritter, The Efficient Generation of Cryptographic Confusion Sequences., Cryptologia, vol. 15, no. 2, 1991, pp. 81-139. 12.Terry Ritter, Voice and Video Cryptography in a DSP Environment., Proceedings of the Second Annual Texas Instruments TMS320 Educators Conference, Houston, Texas, August 5-7, 1992. 13.Terry Ritter, Estimating Population from Repetitions in Accumulated Random Samples., Cryptologia, vol. 18, no. 2, 1994, pp. 155-190. 14.Camenisch, Jan; Piveteau, Jean-Marc; Stadler, Markus, An Efficient Fair Payment System, India, Mai 1996. 15.Camenisch, Jan; Piveteau, Jean-Marc; Stadler, Markus, An Efficient Electronic Payment System Protecting Privacy, Lecture Notes in Computer Science, vol. 875, pp. 207-215, Berlin, November 1994. 16.Camenisch, Jan; Piveteau, Jean-Marc; Stadler, Markus, Blind Signatures Based on the Discrete Logarithm Problem, Proceedings of EUROCRYPT 94,Lecture Notes in Computer Science, vol. 9505, pp. 428-432, Berlin, May 1994. 17.Stadler, Markus; Piveteau, Jean-Marc; Camenisch, Jan, Fair Blind Signatures , Proceedings of EUROCRYPT 95,Lecture Notes in Computer Science, vol. 921, pp. 209-219, Berlin, May 1995. 18.Kocher, Paul C., Cryptanalysis of Diffie-Hellman, RSA, DSS, and Other Systems Using Timing Attacks, Stanford, California, December 1995. 19.Schoenmakers, Berry, An Efficient Electronic Payment System Withstanding Parallel Attacks, CS-R9522, Amsterdam, Netherlands, March, 1995. =========================================================================== David J. 
Bianco | Web Wonders, Online Oddities, Cool Stuff iTribe, Inc. | Phone: (804) 446-9060 Fax: (804) 446-9061 Suite 1700, World Trade Center | email: Norfolk, VA 23510 | URL : http://www.itribe.net/~bianco/ From vznuri at netcom.com Wed Jan 10 07:22:42 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Wed, 10 Jan 1996 23:22:42 +0800 Subject: SSN collection prank Message-ID: <199601091945.LAA18379@netcom17.netcom.com> I haven't seen this here. somewhat amusing. ------- Forwarded Message Date: Sun, 7 Jan 1996 19:49:14 -0500 (EST) From: Brad Dolan To: snet-l at world.std.com Subject: (fwd) Private SSN Collection Project (fwd) - - ---------- Forwarded message ---------- - - ---------- Forwarded message ---------- Date: Sun, 31 Dec 1995 00:01:48 -0800 From: Clint Danbury Thank you for your response. Please send Full names and Social Security Numbers of anyone you know, including government officers and/or employees, to: Clint Danbury, Box 750037, Petaluma, CA 94975-0037 email: danbury at ssnShirt.com Questions And Answers On The Nationwide SSN Collection Project. - - -1- Why are you collecting SSNs ? Answer: For fun and amusement. - - -2- What do you plan to do with them ? Answer: Put them on sweatshirts and sell them through specialty clothing retailers. It has been suggested also that I post them on large billboards along the Mexican border, but I don't have enough capital to pull off such a stunt at this time. - - -3- How long do you intend to continue this ? Answer: Until it becomes illegal. The moment any legitimate government authority informs me of the specific laws which (A) Forbid the collection, recording, and distribution of SSNs by private parties, and (B) Provide legal recourse for the individual citizen against private parties which do so, I will stop. - - -4- What if the government finds out what you're doing ? Answer: First off, the government knows very well what I'm doing. I've been "reported" multiple times to the SSA and the Secret Service.
Secondly, the government can find me quite easily (I'm in the phone book). Third, I will cooperate completely with any legitimate government authority. - - -5- Here's my ex-spouse's SSN; will you make him/her miserable for me ? Answer: Hell No ! If you want me to engage in illegal activity for you, then go somewhere else ! - - -6- Isn't what you are doing illegal ? Answer: Not according to the SSA. They have declared the private use of the SSN unrestricted. (More on this in a few questions) - - -7- If My name/SSN were in your database, would you tell me ? Answer: In order for me to confirm this, you must first tell me what your full name and SSN is, then I will tell you if you were already in there. If this sounds like two-faced hypocrisy, great! I got the idea from CBI-Equifax; that's their very own policy. If you don't tell them what your SSN is, they won't tell you what they've got on you. Therefore, I have decided to do the exact same thing. (If you don't believe it, then why don't you call them and ask for yourself?) - - -8- What if someone did the same thing to you ? How would YOU feel ? Answer: This already has happened to me. I told the SSA office about it, repeatedly, and they would take no action. (The story appears in the next answer.) - - -9- How did this all start ? Answer: In 1985, a co-worker learned that I object to the "Uni-Number" concept of identifying a single person across multiple databases. I was (and still am) specifically concerned about the use of the SSN for Non-Tax identification. The company placed our SSNs on our name tags, which, thankfully, we did not have to wear constantly, although we would occasionally have to display it for a guard during certain times. This co-worker went poking through my briefcase while I was out of my office, copied down my SSN, and then, for his own fun and amusement (I'm guessing at his motives, I don't know his true reasons) displayed it for me, and would not tell me where he got it. 
Seeing that this angered me, he then went to other co-workers, who joined him in making my SSN even more public. They then went to the personnel files, (which the company made no attempt to keep locked) and double-checked the number with my job application. After that, they memorized it, and, (again, I'm guessing here) for their own amusement, they would recite it in unison around the lunch table. (I know this sounds impossible, but it really did happen.) After that job ended (not very happily, surprise) I let myself cool off for a few months, and then moved to another city. During my time in that other city, I contacted the SSA office there, seeking another SSN. I made dozens of phone calls and wrote letter after letter, all to no avail. My letters got shorter and to-the-point, not long drawn out things. It took only 30 seconds to read them. This continued for several months. The result was always the same: words without action, and no replacement SSN. The company in that city went down the tube, and I had to move again. I wrote and called off-and-on over the next few years, and got the same treatment; empty words, stall-him-off, and they would make no statement one way or the other. In September of 1993 (perhaps an earlier date, I'm not sure) the SSA finally came out and gave their official written approval for unrestricted use of the SSN by private individuals and private organizations for any purpose, including fun and amusement. The pamphlet is entitled "Your Social Security Number", is SSA Publication 05-10002, and dated September/1993. You can get a copy by calling them at 1-800-772-1213. On page 9 of that pamphlet, they have finally removed all restrictions on the private use of the SSN and they've put it in writing... "Because there is no law concerning the use of a person's Social Security number by a private individual or organization, Social Security has no control over such use." So, if those are the rules they've made, fine. 
Those are the rules by which I'll act. The collection and distribution of other people's SSNs is (as you've just read) a legally unrestricted activity and that's exactly what I'm doing. - - -10- Where do you get the SSNs ? Answer: "...there is no law..." so, just like CBI, TRW, TU, et.al., I don't have to tell you where I got yours. Ask CBI where they got your SSN; they won't tell you, and neither will I. - - -11- How do you check for accuracy ? This question bothered me a lot at first, however, it has become astoundingly simple to check whether a number is accurate or not. So, just exactly how do I do this ? CBI doesn't have to tell, and neither do I. "...there is no law..." - - -12- How can I get a copy of your list ? Answer: Unfortunately, I have found the drones to outnumber the worker-bees by a factor of about 10-to-1. This is not the soup-kitchen, it's a group project. If you want SSNs from me, then I want SSNs from you. In the past, I offered a 1-for-1 exchange. I will no longer make that public offer. What is offered is this: If you will send me full names and SSNs of prominently elected officials, media-babes, et.al., then I will (to the extent my database allows) send you back full names and SSNs of other prominent politicians and media babes, 1-for-1 if I can. Of course, full names and SSNs of any individual or group are still welcome, they just don't qualify for the 1-for-1 offer. Copyright, 1995 by Clint Danbury (Better Living Thru Better Living) ************************************************************************** X SNAIL ME + GABRIELLI'S (Mendocino,CA, USA) 0 X YER ROSEHIPS + 0 X IF YOU LIKED THIS POST! + *Pinot Noir* & *ASCENZA* (WHITE-BLEND)-YUMMY!0 ************************************************************************** [Ask Fer "Mendocino,Ca. 
-- *Gabrielli Wine*" at yer local wine shop if'n ya want to tend yer rugosa] Let your voice be heard in the campaign to save the life of Mumia Abu Jamal ++++ more info: http://www.calyx.com/ ++++ - ------- End of Forwarded Message ------- End of Forwarded Message From lvhove at vnet3.vub.ac.be Wed Jan 10 07:22:43 1996 From: lvhove at vnet3.vub.ac.be (Leo Van Hove) Date: Wed, 10 Jan 1996 23:22:43 +0800 Subject: More on Belgian 'key escrow law' Message-ID: I looked up the law mentioned in the newspaper article and it goes like this (non french speaking cypherpunks, please see comments below ): ---- "Loi du 21 décembre 1994 portant des dispositions sociales et diverses" - published in the 'Moniteur Belge' (= the official journal in which all laws are published), Vol. 164, Nr. 250, Friday 23 December 1994, p. 31878-31963. (p. 31960-31961): " Art. 202 There is inserted in the Law of 21 March 1991 reforming certain public economic enterprises an Article 70bis, worded as follows: <>" (p. 31961): " Art. 203 Article 95, first paragraph, of the same Law is supplemented as follows: <<5° the terminal equipment renders ineffective the means that permit, under the conditions provided for in Articles 88bis and 90ter to 90decies of the Code d'instruction criminelle, the tracing, interception, taking cognizance of and recording of telecommunications.>>" ---- Simplifying it all seems to boil down to this: The 1994 Law amends a 1991 Law; that is, it adds a couple of articles/paragraphs. Art. 202 stipulates that Belgacom (= Belgium's leading telephone company) and other telecom companies have to cooperate with law enforcement when it wants to tap telephone lines - no, sorry, make that telecom lines (!). Note that tapping is only allowed under certain circumstances stipulated in the so-called Privacy Law (see also my previous posting to this list). Art. 203 is the most important as far as key escrow is concerned. It completes Art.
95 of the 1991 Law which stipulated 4 conditions in which telecom equipment may be seized. These initial conditions are rather harmless (equipment does no longer conform to the initial specifications, it hinders public broadcasts, presents health risks for the users,...). Art. 203 adds a 5th and stingy one: equipment that makes tapping impossible may be disconnected from the network and seized ... On the face of it - I'm not a lawyer, so don't pin me down on this - this means no crypto (or only with key escrow) ... Ciao, leo _________________________________________________________________________ Leo Van Hove Centre for Financial Economics Vrije Universiteit Brussel (Free University of Brussels) Pleinlaan 2 B-1050 Brussels Vox: +32 2 629.21.25 Fax: +32 2 629.22.82 e-mail: lvhove at vnet3.vub.ac.be VUB's Web site: http://www.vub.ac.be _________________________________________________________________________ From bplib at wat.hookup.net Wed Jan 10 07:48:07 1996 From: bplib at wat.hookup.net (Tim Philp) Date: Wed, 10 Jan 1996 23:48:07 +0800 Subject: E-cash and Interest In-Reply-To: Message-ID: I think that you have hit the nail on the head. Money could still 'earn' interest until it is spent. The 'bank' still has the 'real' money. In fact, it is an improvement over cash, in that you could still earn interest on the money on your hard drive. Thanks for the clarification. Regards, Tim Philp =================================== For PGP Public Key, Send E-mail to: pgp-public-keys at swissnet.ai.mit.edu In Subject line type: GET PHILP =================================== From frissell at panix.com Wed Jan 10 07:53:08 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 10 Jan 1996 23:53:08 +0800 Subject: When they came for the Jews... 
Message-ID: <2.2.32.19960110153325.006b5980@panix.com> ********* Citing ``the rapidly expanding presence of organized hate groups on the Internet,'' a leading Jewish human rights group [the Simon Wiesenthal Center] on Tuesday began sending letters to hundreds of Internet access providers and universities asking them to refuse to carry messages that ``promote racism, anti-Semitism, mayhem and violence.'' But Cooper said the ``unprecedented potential and scope of the Internet'' gives people ``incredible power to promote violence, threaten women, denigrate minorities, promote homophobia and conspire against democracy.'' He cited the posting of instructions for making explosive devices, including recipes for Sarin nerve gas and bombs similar to the one that destroyed the Federal Building in Oklahoma City last April 19. *********** In reading the above from today's NYT, I was interested to see the expansion of the protected classes who are not to have unkind things said about them on the Nets. Aside from the usual list of suspects, I noted that *democrats* were also to be protected. I thought that "conspiring against democracy" (something I do daily) was classic political speech and an activity that even the drafters of the American Constitution practiced from time to time. I guess I'm going to have to watch my attacks on democracy if I don't want to get my Net access cut off. DCF "I favor discrimination on the basis of race, creed, color sex, age, alienage, previous condition of servitude, recent interstate travel, handicap, sexual or affectional preference, marital status, Vietnam-era veteran status (or lack thereof), occupation, economic status, and anything else I can think of."
From tbyfield at panix.com Wed Jan 10 07:55:34 1996 From: tbyfield at panix.com (t byfield) Date: Wed, 10 Jan 1996 23:55:34 +0800 Subject: PRIVACY: Private traces in public places Message-ID: At 10:26 PM 1/9/96, Alexander 'Sasha' Chislenko wrote: >- Landfills: They are probably the richest source of detailed historical >information > that is not obtainable from any other source and can be used to reconstruct > the detailed history of society, economy, technology and any single >person with > incredible detail. I ain't holding my breath until someone develops a search engine for Fresh Kills. Ted From asgaard at sos.sll.se Wed Jan 10 08:01:14 1996 From: asgaard at sos.sll.se (Asgaard) Date: Thu, 11 Jan 1996 00:01:14 +0800 Subject: Scenario: Digital Telephony Leads to GAK In-Reply-To: Message-ID: On Tue, 9 Jan 1996, Timothy C. May wrote: > We really need to be looking to what the nations of Europe are doing (as we > have been of course, as the crypto laws of Europe have always been > interesting to us, even if the machinations of the U.S. get most of the > attention, for obvious reasons). But the latest developments, like the December meeting in Paris and another international meeting advertized for March -96, seem to take place on a World Government basis (OECD). Obviously various national governments understand that they can't really act on their own. I don't think the EC will propose any actual laws on their own but together with the US, Canada, Australia and possibly Japan. Asgaard (formerly writing under the pseudonym 'Mats' to confuse Alta Vista but I don't care any more...) From kent at trouble.WV.TEK.COM Wed Jan 10 08:16:26 1996 From: kent at trouble.WV.TEK.COM (Kent Dahlgren) Date: Thu, 11 Jan 1996 00:16:26 +0800 Subject: Don't type: "g**d t*m*s v*r*s" In-Reply-To: Message-ID: On Tue, 9 Jan 1996, Timothy C. May wrote: > I have edited the name of this virus so as to minimize its damage.
I read > that even _typing_ the phrase "g**d t*m*s v*r*s" in its full form can cause > the information stored in the phrase "g**d t*m*s v*r*s" to unpack itself, > install itself on all types of disk drives, and then initialize the disks. > > I hope we caught it in time! Of what was I thinking!?! I owe all a big apology; I hope my habit of living my life on the edge of a knife didn't jeopardize everyone. Man, do I feel like a slob. Thank you Tim! ;) ______________________________________________________________________________ ______ T E K T R O N I X _ C P I D _ T E C H N I C A L _ S U P P O R T _______ / Voice: 1.800.835.6100 E-mail: support at colorprinters.tek.com Fax: 1.503.685.3063 WWW: www.tek.com BBS: 1.503.685.4504 E-World: Keyword Tektronix HAL: 1.503.682.7450 AOL: Keyword Tektronix Service: 1.800.835.6100 FTP: ftp.tek.com ______________________________________________________________________________ From pcw at access.digex.net Wed Jan 10 08:35:08 1996 From: pcw at access.digex.net (Peter Wayner) Date: Thu, 11 Jan 1996 00:35:08 +0800 Subject: Bignum support added to XLISP 2.1h Message-ID: Many cypherpunks might enjoy programming in XLISP 2.1h because the freely available implementation of LISP now offers support for BIGNUMS. That means it is quite easy to write cryptographic algorithms that use very large numbers without adding extra support. The downside is that the language is interpreted and thus much slower than something like C. It should also be possible to write RSA in a very short XLISP program. I don't know if you can do 4 lines, but it should be quite short.
-Peter From stewarts at ix.netcom.com Wed Jan 10 08:43:39 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 11 Jan 1996 00:43:39 +0800 Subject: A couple of ideas for PGP-based programs Message-ID: <199601101100.DAA27140@ix11.ix.netcom.com> At 02:32 AM 1/6/96 -0800, Alan Olsen wrote: >1) Something I would like to see on the keyservers for PGP is a way of >retrieving all of the key revocations since x date without having to get all of >the keys since that date. The web interface to the MIT keyserver lets you search for keys, and probably some of the other interfaces do too. So do a retrieve on REVOKE, snarf the output, and feed it to perl or grep or something. PGP keyserver >2) I would like to see a program like private Idaho have the ability to send >mail to the key server and grab all of the "unknown signator" keys. This would >have the interesting effect of building a more complete keyring, while using >the "web of trust" to weed out a lot of the bogus keys that tend to crop up on >the key servers. I found that a very convenient way to add things to my keyring was to use the keyserver web page and Private Idaho simultaneously. Grab the keys you want on the keyserver, cut+paste into Private Idaho, decrypt (PGP won't find a message, but will find keys), and click on anything you don't recognize. Parsing email isn't too tough, but it takes some work, and it's easier for PC tools to interact through Netscape or finger when they can instead. > After n number of iterations you would have more of the >"important keys" n=4 is an interesting depth, given PGP's default settings..... #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "The price of liberty is eternal vigilance" used to mean us watching # the government, not the other way around....
From stewarts at ix.netcom.com Wed Jan 10 08:44:33 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 11 Jan 1996 00:44:33 +0800 Subject: Revocation, Trust, Policy Models, etc. Message-ID: <199601101059.CAA27100@ix11.ix.netcom.com> >>The question is: is there a "majority vote" mode on the keyservers that >>causes them to remove a key if enough people claim it is no longer valid? No - it's too easy to attack. (It's also outside the scope of what the keyservers do - they're convenient ways to collect the data for the Web of Trust, but they're not trusted themselves.) Even if you wanted "A majority vote of people who've signed a given key" to revoke the key, that's easy to attack - you and your tentacles can all sign the victim's key, send the signatures to the keyservers, and now that you're the majority, you can all send in notes saying "please revoke victim at antinuke.org's key - he's an FBI plant". I'm not really satisfied with Matt's description of revocation that requires it to be done by a key's signers, not owner, though there are workarounds for most of the problems, though I agree that PGP's framework is deficient (not inadequate - it's still Pretty Good - but way underpowered.) One problem is that usually _you_ are the one who knows your key needs revoking (either you forgot the passphrase, or you know the computer it was on has been compromised, or whatever.) Under PolicyMaker, I guess the best way to implement this is to always sign your own key (since signers are the ones who revoke keys), and establish policies requiring unrevoked self-signatures. It may be difficult to implement Certificate Revocation Lists in a way that works well for your own keys, though, depending on why you want to revoke them. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "The price of liberty is eternal vigilance" used to mean us watching # the government, not the other way around.... 
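[Added example, not part of the original message and not PGP or keyserver code.] The attack on "majority of signers" revocation described in the message above, next to a revocation request that must verify under the target key itself. The keyserver model, the names, and the textbook RSA over tiny constructed primes that stands in for real signatures are all assumptions made for illustration.

```python
"""Toy keyserver model (constructed example, not PGP or keyserver code).
Textbook RSA over tiny primes stands in for real signatures."""
import hashlib

E = 65537  # public exponent shared by every toy key

def _is_prime(x):
    if x < 2:
        return False
    i = 2
    while i * i <= x:
        if x % i == 0:
            return False
        i += 1
    return True

def _next_prime(x):
    # Skip primes where E divides p-1, so E stays invertible mod phi.
    while not _is_prime(x) or (x - 1) % E == 0:
        x += 1
    return x

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

class Key:
    """Hypothetical key pair; only uid and modulus n reach the server."""
    def __init__(self, uid, seed):
        p = _next_prime(1_000_003 + 7919 * seed)
        q = _next_prime(2_000_003 + 104_729 * seed)
        self.uid, self.n = uid, p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))  # private exponent

    def sign(self, msg):
        return pow(_digest(msg, self.n), self._d, self.n)

def verify(n, msg, sig):
    return pow(sig, E, n) == _digest(msg, n)

def cert_msg(uid, n):
    return f"certify:{uid}:{n}".encode()

def revoke_msg(uid, n):
    return f"revoke:{uid}:{n}".encode()

class KeyServer:
    def __init__(self):
        self.keys = {}     # uid -> modulus n
        self.signers = {}  # uid -> set of uids that certified it
        self.revoked = set()

    def add_key(self, key):
        self.keys[key.uid] = key.n
        self.signers[key.uid] = set()

    def add_cert(self, signer, target, sig):
        # Anyone holding any key may certify any other key.
        ok = verify(self.keys[signer], cert_msg(target, self.keys[target]), sig)
        if ok:
            self.signers[target].add(signer)
        return ok

    def revoke_by_vote(self, target, votes):
        """Unsafe policy: revoke when most of the key's signers ask for it."""
        msg = revoke_msg(target, self.keys[target])
        valid = {s for s, sig in votes.items()
                 if s in self.signers[target] and verify(self.keys[s], msg, sig)}
        if 2 * len(valid) > len(self.signers[target]):
            self.revoked.add(target)
            return True
        return False

    def revoke_by_owner(self, target, sig):
        """Safer policy: the request must verify under the target key itself."""
        if verify(self.keys[target], revoke_msg(target, self.keys[target]), sig):
            self.revoked.add(target)
            return True
        return False

def run_scenario(n_friends=2, n_tentacles=3):
    ks = KeyServer()
    victim = Key("victim", 0)
    friends = [Key(f"friend{i}", 1 + i) for i in range(n_friends)]
    tentacles = [Key(f"tentacle{i}", 20 + i) for i in range(n_tentacles)]
    for k in [victim, *friends, *tentacles]:
        ks.add_key(k)
    for f in friends:
        ks.add_cert(f.uid, "victim", f.sign(cert_msg("victim", victim.n)))
    msg = revoke_msg("victim", victim.n)
    votes = {t.uid: t.sign(msg) for t in tentacles}
    before = ks.revoke_by_vote("victim", votes)  # tentacles are not signers yet
    for t in tentacles:
        ks.add_cert(t.uid, "victim", t.sign(cert_msg("victim", victim.n)))
    after = ks.revoke_by_vote("victim", votes)   # every signature verifies
    ks.revoked.clear()
    forged = ks.revoke_by_owner("victim", tentacles[0].sign(msg))
    genuine = ks.revoke_by_owner("victim", victim.sign(msg))
    return {"vote_before_signing": before, "vote_after_signing": after,
            "forged_owner_request": forged, "genuine_owner_request": genuine}
```

Every check in the vote path passes cryptographically; the weakness is the policy, since the set of signers is open to anyone. The owner-signed path does not help in the case the message raises where the owner has forgotten the passphrase.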
From frissell at panix.com Wed Jan 10 08:44:50 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 11 Jan 1996 00:44:50 +0800 Subject: Spiegel on CIS Censorship Message-ID: <2.2.32.19960110111839.00925ad8@panix.com> At 10:11 PM 1/8/96 -0500, Vin McLellan wrote: >CIS's utter >ignorance of free-speech principles set the stage for the symbolic >Bavarian Censorship of the Net. You'll hear of a dozen other nations >jumping in, with different standards, within the month. Don't overdo the CIS newsgroup "ban". The first sysop to "ban" newsgroups did so many years ago. There are well-developed techniques to read "banned" newsgroups. A FAQ and everything. http://www.ECNet.Net/users/mumbv/pages/banned-groups-faq.shtml Compuserve is just a large proprietary service and sometime ISP (and one of the most expensive ones). They are not a big player on the Net. > I find the tragic association of a "free" Internet and porn to be >painfully common among cyberless adults even in my own community. Odds >are, my state, Massachusetts -- arguably the most liberal of the US states >-- would vote for Censorship Filter tomorrow if it were on a ballot. Luckily it's not and can't be. > It's amazing how incompetent the liberal/libertarian side has been >in this public debate. (So incompetent, in fact, that there has been _no_ >public debate!) Everyone who wants to place control over any filter (any >part of The Filter?) in the hands of the citizen is just another >snuff/torture/kiddy porn addict. Almost all of the articles on the CIS "ban" have mentioned that "therapeutic" groups were also included. Certainly the Net has let CIS know what we think of them. They expressed surprise at our reaction. Their "ban" isn't even a ban as my piece on using CIS to read banned groups shows.
(http://www.cs.umass.edu/~lmccarth/cypherpunks/banned.html) It is making it into Wired and the Baltimore Sun (maybe) and was good enough that Michael Miller, author of "Using Compuserve" linked to it from his book page: http://www.mcp.com/people/miller/cistop.htm. DCF From jya at pipeline.com Wed Jan 10 08:45:32 1996 From: jya at pipeline.com (John Young) Date: Thu, 11 Jan 1996 00:45:32 +0800 Subject: PRIVACY: Private traces in public places Message-ID: <199601101635.LAA16811@pipe4.nyc.pipeline.com> Responding to msg by tbyfield at panix.com (t byfield) on Wed, 10 Jan 10:42 AM > I ain't holding my breath until someone >develops a search engine for Fresh Kills. (See code relevance at end.) For the curious, Fresh Kills is NYC's main waste archive, the largest built structure in the US (a favorite of Japanese techno-tourists exceeding 256 Great Pyramids of Egypt) and still heaping. Archeologists are indeed excavating selected spots, under grants made after probes revealed that decomposition was not occurring as expected. Newspapers and such were perfectly preserved after years of burial. Due to sophisticated engineering of the mountain to prevent dispersal, air and moisture could not enter to lubricate return to mother earth. However, very profitable methane gas retrieval has been taking place for many years -- which may be a suitable metaphor for mining electronic archives. Now, then, code for this glop? Construction debris can be illegally dumped at Fresh Kills with the proper building-code-compliant green handily hooked to the side of the dumpster for the guard. From sameer at c2.org Wed Jan 10 08:54:29 1996 From: sameer at c2.org (sameer) Date: Thu, 11 Jan 1996 00:54:29 +0800 Subject: When they came for the Jews... In-Reply-To: <2.2.32.19960110153325.006b5980@panix.com> Message-ID: <199601101633.IAA18047@infinity.c2.org> Is there some way I can get a copy of this letter? Is it directed at specific ISPs or ISPs in general? 
An open response, publicized, to this sounds like something I could do. Publicity is fun. > > ********* > Citing ``the rapidly expanding presence of organized hate groups on the > Internet,'' a leading Jewish human rights group [the Simon Wiesenthal > Center] on Tuesday began sending letters to hundreds of Internet access > providers and universities asking them to refuse to carry messages that > ``promote racism, anti-Semitism, mayhem and violence.'' > > But Cooper said the ``unprecedented potential and scope of the Internet'' > gives people ``incredible power to promote violence, threaten women, > denigrate minorities, promote homophobia and conspire against democracy.'' > > He cited the posting of instructions for making explosive devices, including > recipes for Sarin nerve gas and bombs similar to the one that destroyed the > Federal Building in Oklahoma City last April 19. > *********** > > In reading the above from today's NYT, I was interested to see the expansion > of the protected classes who are not to have unkind things said about them > on the Nets. Aside from the usual list of suspects, I noted that > *democrats* were also to be protected. I thought that "conspiring against > democracy" (something I do daily) was classic political speech and and > activity that even the drafters of the American Constitution practiced from > time to time. I guess I'm going to have to watch my attacks on democracy if > I don't want to get my Net access cut off. > > DCF > > "I favor discrimination on the basis of race, creed, color sex, age, > alienage, previous condition of servitude, recent interstate travel, > handicap, sexual or affectional preference, marital status, Vietnam-era > veteran status (or lack thereof), occupation, economic status, and anything > else I can think of." 
> > -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From jcobb at ahcbsd1.ovnet.com Wed Jan 10 09:10:33 1996 From: jcobb at ahcbsd1.ovnet.com (James M. Cobb) Date: Thu, 11 Jan 1996 01:10:33 +0800 Subject: Counterpane Source Code Discs In-Reply-To: <2.2.16.19960110022146.3717051a@terminus.storm.net> Message-ID: Doug, I bought the disks offered in the first edition. I expect to buy those offered in the second. The contents of the disks may be available in some rogue archive. In headbuilding as in bodybuilding, you have to pay your dues. From Counterpane Systems, you can order: Applied Cryptography Source Code Disks A THREE-disk set of over 100 encryption programs for algorithms such as DES, RSA, IDEA, Blowfish, and many more. Most of these programs are in the public domain, and can be integrated into working software products. These disks are updated twice a year, and subscriptions are available. Disks: $40; 2-year Subscription: $120 You can also order: A Bimonthly Newsletter APPLIED CRYPTOGRAPHY UPDATE Now you can subscribe to a newsletter covering the latest advances in cryptographic protocols, algorithms, and techniques. Among regular features, an "Algorithms Watch" summarizes recent cryptanalytic results against block and stream ciphers. "Recent Patents" examines U.S. patents awarded in cryptography and related areas. "Product Data" discusses protocols and algorithms in hardware and software products. A must for anyone who needs timely information on cryptography. Published 6 times a year. Annual subscription: $400 Source code disks will only be sent to U.S. and Canadian citizens residing in the U.S. or Canada. Address: Counterpane Systems 7115 W North Av Suite 16 Oak Park IL 60302 USA Cordially, Jim INCLOSURE: Date: Tue, 09 Jan 1996 21:21:46 -0500 From: "Douglas F.
Elznic" To: cypherpunks at toad.com Has anyone bought the disks mentioned in applied cryptography? Are they available anywhere online to citizens of the US? -- ==================Douglas Elznic=================== delznic at storm.net http://www.vcomm.net/~delznic/ (315)682-5489 (315)682-1647 4877 Firethorn Circle Manlius, NY 13104 "Challenge the system, question the rules." =================================================== PGP key available: http://www.vcomm.net/~delznic/pgpkey.asc PGP Fingerprint: 68 6F 89 F6 F0 58 AE 22 14 8A 31 2A E5 5C FD A5 =================================================== From davidm at iconz.co.nz Thu Jan 11 01:32:38 1996 From: davidm at iconz.co.nz (David Murray) Date: Thu, 11 Jan 96 01:32:38 PST Subject: Some questions about ecash[tm] Message-ID: <199601110932.WAA09988@iconz.co.nz> -----BEGIN PGP SIGNED MESSAGE----- Some questions that I send into the ether in the knowledge, or hope, that the great and the good are listening, and will enlighten me... (Since this exercise strikes even me as incredibly presumptuous, feel free to ignore this. [It takes less energy than flaming. If you must flame, do it in private email - I'll post a summary to the list :-)]) 1. Has there been any significant/in-depth coverage of the Mark Twain Banks product in the financial/ banking press? Digicash's press file stops just before the launch, and Digicash/Mark Twain Banks press releases are not exactly what I'm looking for. 2. In the Digicash ecash tutorial (also referenced from MT's website) the example is given of Alice sending ecash to Cindy (Candy, Clarissa?). Cindy's bank checks with Alice's bank before crediting Cindy's wallet with the $5.00 sent. In MT's FAQ, they refer, somewhat wistfully, to a future where the ecash systems of different banks may be able to interoperate. How difficult would such interoperation be? Is this something that is inherent/built into the Digicash supplied bank system?
Or would it require significant changes to the way things are done? Similarly, since the software supplied by Digicash to MT customers seems somewhat MT specific, how easy would it be for future ecash issuers to piggy back on MT's customer base? How about merchants? 3. The MT ecash[tm] project is repeatedly referred to as an experiment, a system in beta phase. Any word on when the experiment will be over, or what it is trying to prove/discover? The thrust of these questions, of course, is How easy will it be for the next eBank? And the one after that? Is Digicash ready for the move to multiple issuers? Does it have the resources to assist another institution to launch ecash this year? This month? One a month for the year? Whatever. Too many questions that cannot possibly be answered, even if there were answers to give... Dm -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMPTVR1lo3j8JHzalAQG/JAP/dBNTMHdo4MP7TaIAZrKwMxt3U4fH/qsb TipYBcS8lgEgUsD9Pu/enIzxeEs52K6ARnq1BE6V/G1jxFVbfnLmfV6t6TWqRxSM 68FH3eX0+ZBGFGzDMmvOGWaibZETfHikv55q7ZuqYrnfZ+wrIPKlF+UGiNY3lJlw rpNkY3oBwqY= =0g2R -----END PGP SIGNATURE----- From sameer at c2.org Thu Jan 11 01:43:54 1996 From: sameer at c2.org (sameer) Date: Thu, 11 Jan 96 01:43:54 PST Subject: COMMUNITY CONNEXION REFUSES TO CENSOR INTERNET SERVICES Message-ID: <199601110938.BAA10567@infinity.c2.org> For Immediate Release - January 11, 1996 Contact: Sameer Parekh 510-601-9777x3 COMMUNITY CONNEXION REFUSES TO CENSOR INTERNET SERVICES Berkeley, CA - In an open letter sent today to the Simon Wiesenthal Center, Community ConneXion, the Internet Privacy Provider, explicitly stated its refusal to agree to their request to restrict access to services based on the content of the web pages their customers may implement using Community ConneXion services. 
On Wednesday, January 10th, the Simon Wiesenthal Center issued a request to Internet providers and universities to refuse to carry messages that "promote racism, anti-Semitism, mayhem and violence." Their target in the request was not Usenet, the discussion forums on the Internet which were recently targeted for censorship by CompuServe, but the World-Wide-Web, the area of the Internet which allows anyone to serve their words and ideas to the nearly thirty million people on the Internet. Efforts are growing to regulate content on the Internet and restrict freedom of expression. Community ConneXion is opposed to all forms of censorship. In the letter to the Simon Wiesenthal Center, Sameer Parekh, President of Community ConneXion, described their position in reply to the Center's request that Internet providers pledge to restrict service, "Community ConneXion considers it our civic duty to provide Internet access, services, and privacy to any individual or group, no matter what their political or social agenda." The Simon Wiesenthal Center is asking Internet providers to restrict access to individuals and groups who would use their services to promote hateful ideas. "The answer to hateful speech is more speech," said Parekh, "Rather than attempting to ban hateful speech, which does nothing to prevent the hate and the effects of hate in the long run, human rights groups should devote their time and energies towards positive activities, such as speaking out debunking the hate groups and holocaust revisionists. Only by speaking out against the hate-mongers can any progress be made. Trying to stop them from speaking will only serve to encourage them." The very same services that Community ConneXion refuses to censor may be used by the persecuted groups who are harassed by the anti-Semites and neo-Nazis to aid them to protect themselves from persecution. 
"Using our services someone who may be afraid of the neo-Nazis, perhaps because they live in a very intolerant town, may set up web pages speaking out against the anti-Semites, but not reveal their real name or address. In this way people can provide information and speak out against the hate without fearing any repercussions. The very same services which can help drive out hate are the very same ones which the Simon Wiesenthal Center is asking Internet providers to restrict." Community ConneXion, founded in June of 1994, is the leading provider of privacy on the Internet. They provide anonymous and pseudonymous Internet access and web pages in addition to powerful web service, virtual hosts, and web design consultation. Information is available from their web pages at http://www.c2.org/. Attachment: Open letter to the Simon Wiesenthal Center ------------------------------------------------------------------------ Community ConneXion 3038A Mabel St. Berkeley, CA 94702 510-601-9777 http://www.c2.org/ January 11, 1996 The Simon Wiesenthal Center 9760 West Pico Boulevard Los Angeles, California 90035 To Whom it May Concern: This letter is in response to your call for Internet providers to refuse to carry messages which "promote racism, anti-Semitism, mayhem and violence." Community ConneXion, The Internet Privacy Provider, explicitly refuses to take such action as requested by your organization. I will, in this letter, explain the rationale behind our decision. While the reasons to not censor Internet traffic are great, we will only describe a few of them in order to explain our decision. First, the best way to fight speech is with more speech. Second, it violates the fundamentals upon this country was founded, in particular the ideal of freedom of expression. 
Finally, we believe that trying to restrict harmful speech, which, for example, "conspires against democracy," does more damage to the cause of democracy than allowing the hateful individuals and organizations to speak in the first place. In order to fight the hateful speech to which your organization objects, it is more productive to speak out against the hate and the lies of the anti-Semites and neo-Nazis than to try to prevent them from speaking. By preventing them from speaking, you are giving them more allies, and more legitimacy than they would have if you merely spoke out against them and debunked their words. If you actually take proactive action towards debunking their lies, people will understand that they are actually lying. By preventing them from speaking, you are promoting the idea that they actually might have something valuable to say. Hateful action, of course, should be prosecuted to the fullest extent permissible by law. Second, this country was founded on the ideal of freedom of expression. The First Amendment to the United States Constitution is the first one on the list of the Bill of Rights. Restricting access to freedom of expression to only people with acceptable viewpoints is not true freedom of expression. Finally, and most important, restricting speech in order to ostensibly protect democracy does more to damage democracy than to help it. Censorship leads towards a more restrictive society, one which grows ever more similar to the totalitarian government of the Third Reich, which made the atrocities of the Holocaust possible. In order to prevent such an atrocity from happening again, no government must be allowed to gain the power over its citizens that was allowed the Third Reich. By asking for restrictions on speech you are asking for a return to the controls which gave the Third Reich its power. Therefore, we have taken a stance directly opposed to any and all forms of censorship. 
Community ConneXion considers it our civic duty to provide Internet access, services, and privacy to any individual or group, no matter what their political or social agenda. Thank you. Sincerely, Sameer Parekh President, Community ConneXion From futplex at pseudonym.com Wed Jan 10 09:44:40 1996 From: futplex at pseudonym.com (Futplex) Date: Thu, 11 Jan 1996 01:44:40 +0800 Subject: When they came for the Jews... In-Reply-To: <199601101633.IAA18047@infinity.c2.org> Message-ID: <199601101722.MAA21848@thor.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- > > Citing ``the rapidly expanding presence of organized hate groups on the > > Internet,'' a leading Jewish human rights group [the Simon Wiesenthal > > Center] on Tuesday began sending letters to hundreds of Internet access > > providers and universities asking them to refuse to carry messages that > > ``promote racism, anti-Semitism, mayhem and violence.'' > > > > But Cooper said the ``unprecedented potential and scope of the Internet'' > > gives people ``incredible power to promote violence, threaten women, > > denigrate minorities, promote homophobia and conspire against democracy.'' The SWC has a Web site http://www.wiesenthal.com, but there's no sign of the letter on it right now. They do have a web-form survey on Hate on the Internet, which I filled out for kicks. The CyberWatch section of their site is the sort of place that says (and I quote) "Is there anything that can be done?". Their "CyberWatch Perspective" http://www.wiesenthal.com/watch/wpers.htm attacks anonymity on the net in a couple of places. Here are some relevant excerpts: - ---------------- "An incident in Texas highlights yet another advantage the information superhighway gives bigots - anonymity and deniability. Witness the recent equivalent of a hi-tech hate drive-by in Texas: Someone broke into the electronic mail account of a professor and fired off a virulent anti-black and anti-Semitic attack to 20,000 computer users in four states. 
The attack was authored by the National Alliance, whose leader simply denied sending the message. Its source was a convenient "anonymous I.D."" [...] "Hateful speech is, in general, "protected speech," but is there any reason why, at a minimum, a recipient of any unsolicited and threatening message from the superhighway should not have the right to know instantly the source of the message? Right now, the Internet, in effect, provides stealth technology for bigots, child pornographers and the like. Accountability, not anonymity, should be the operative principle." - ----------------- No big surprise to see these folks come out against free speech in a new medium. Too bad they're utterly blind to the lessons of the history they've documented so well. Futplex From cp at proust.suba.com Wed Jan 10 09:56:40 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Thu, 11 Jan 1996 01:56:40 +0800 Subject: When they came for the Jews... In-Reply-To: <2.2.32.19960110153325.006b5980@panix.com> Message-ID: <199601101729.LAA01429@proust.suba.com> > Citing ``the rapidly expanding presence of organized hate groups on the > Internet,'' a leading Jewish human rights group [the Simon Wiesenthal > Center] on Tuesday began sending letters to hundreds of Internet access > providers and universities asking them to refuse to carry messages that > ``promote racism, anti-Semitism, mayhem and violence.'' This is really unfortunate. 
Many well intentioned people often forget that groups like the Nazis did more than simply bombard the public with hate speech -- they suppressed opposing points of view. The problem isn't that the haters were able to speak their minds, the problem was that the reasonable people were unable to respond. Censorship is an essential component of totalitarianism, while free speech is fundamentally incompatible with it. There is a marketplace of ideas, and our goal ought to be to make sure that marketplace has integrity, that the rules are fair. Anti-semitic ideas aren't going to succeed in the marketplace because they're wrong, which is to say that arguments which try to prove anti-semitic points will always contain logical and factual errors. Once you start interfering with the market by restricting what can be said, you run into at least two important problems. First of all, you open yourself up to the possibility that some good ideas will be unable to emerge from the debate. The nazis suppressed speech, for example, and solid arguments against their positions weren't able to emerge. The second problem is more subtle, and it happens all the time in this country: people lose confidence in the market. I've spoken with people who believe, for example, that black people are inherently dumber than white people. If you ask these people for proof, they say that it's being suppressed. In a sense they're right: arguments that blacks are dumber than whites are suppressed, not by law, but informally. But *proof* isn't being suppressed, because proof doesn't exist. The suppression of arguments gives people an out in their own minds, and it allows them to cling to some silly notions. Suppression of an argument also ends up eliminating the rebuttal, and when you're dealing with hate speech the rebuttal is always more powerful than the argument. If you can win a fair fight, why do you need to cheat? 
From perry at piermont.com Wed Jan 10 10:03:02 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 11 Jan 1996 02:03:02 +0800 Subject: Bignum support added to XLISP 2.1h In-Reply-To: Message-ID: <199601101736.MAA15287@jekyll.piermont.com> Peter Wayner writes: > Many cypherpunks might enjoy programming in XLISP 2.1h because the freely > available implementation of LISP now offers support for BIGNUMS. Almost all scheme implementations do the same, but scheme is a lot cleaner than XLISP... .pm From frissell at panix.com Wed Jan 10 10:12:16 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 11 Jan 1996 02:12:16 +0800 Subject: Net Control is Thought Control Message-ID: <2.2.32.19960110175223.006a6bcc@panix.com> On CSPAN Friday morning a gentleman who is, I take it, a lobbyist for TPC or the Competitive Long Distance Coalition (TPCs) said that the Internet could be regulated just like magazines, tv, or anything else. I have long doubted statements like this particularly since they come from people without apparent experience on the Net. I have long suggested that net control=thought control and will prove as difficult in the modern world as the more conventional thought control itself. But why is net control just a form of thought control? It is difficult for others to control our thoughts because they are insubstantial, hidden, and under our control. Small groups (family, village, etc) have a better chance of influencing what we think but even they are not totally successful. Governments who wanted to engage in thought control have usually set up government schools for this purpose with mixed results. Liberal societies (broadly defined) have loosened many of the traditional controls on our thoughts exercised by our families and neighbors. They have tried to replace these controls with bureaucratic thought control systems with limited success. 
Only the totalitarian states have done much of a job in this area but not enough (obviously) to save themselves from destruction. There has been a general decline in the effectiveness of thought control since the Industrial Revolution made (atomistic) individualism possible and books cheap. The Nets are the next step in this process. Since they allow our thoughts to easily, rapidly, and cheaply leap from our minds to a world-wide communications medium, our minds are in some sense extended worldwide. It becomes cheap and easy for anyone to publish their thoughts. The dramatic changes occasioned by the mechanical production of cheap pulp paper and steam-driven printing presses in the 19th century will be as nothing compared to effects of the speed and reach of Net "publishing." In addition to expanding the scope of our thoughts, the Nets also give us new powers of secret communication. Modern encryption and anonymity technology lets us both keep our thoughts secret and communicate them to anyone else who is interested. Quite an expansion of the capabilities of "the thought in the brain." Also, the Nets allow us to find others of our ilk (however small and deviate that may be) who offer support to us in our thoughts. This further reduces the power of traditional thought controls exercised by our immediate communities. Since my immediate community has included Cypherpunks since February 1993, I am less likely to be influenced "locally" on topics of Cypherpunk interest. The normal primate tendency to look to the "troop" for guidance in what to think and do is sabotaged by our ability to find our own reinforcing communities wherever we like. So even less thought control is possible. As we users know and non-users will find out, the Nets are not "just another medium" like books, magazines, and TV (just as those were not "just another medium" in their day). Control of the Nets will prove as difficult as the control of thoughts themselves. 
DCF From frissell at panix.com Wed Jan 10 10:18:13 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 11 Jan 1996 02:18:13 +0800 Subject: When they came for the Jews... Message-ID: <2.2.32.19960110180248.006b2198@panix.com> At 08:33 AM 1/10/96 -0800, sameer wrote: > Is there some way I can get a copy of this letter? Is it >directed at specific ISPs or ISPs in general? An open response, >publicized, to this sounds like something I could do. Publicity is >fun. It's not on http://www.wiesenthal.com/ yet. Maybe I'll query. They are sending it to "hundreds" of ISPs. Hitting the big services first (even though they aren't really ISPs.) DCF From bplib at wat.hookup.net Wed Jan 10 10:19:06 1996 From: bplib at wat.hookup.net (Tim Philp) Date: Thu, 11 Jan 1996 02:19:06 +0800 Subject: E-cash and Interest In-Reply-To: Message-ID: Jim: In some respects, it might actually be better. I recall attending an investment talk where the guru said that a dollar tax avoided was better than a dollar earned because it was less work! =================================== For PGP Public Key, Send E-mail to: pgp-public-keys at swissnet.ai.mit.edu In Subject line type: GET PHILP =================================== On Wed, 10 Jan 1996, jim bell wrote: > At 08:20 AM 1/10/96 -0500, you wrote: > > > >I think that you have hit the nail on the head. Money could still 'earn' > >interest until it is spent. The 'bank' still has the 'real' money. In > >fact, it is an improvement over cash, in that you could still earn > >interest on the money on your hard drive. > >Thanks for the clarification. > > I think there is another way of looking at the ecash/interest situation: > From upside down, so to speak. If the USE of Ecash avoids (legally or > illegally) income or sales taxes, that constitutes an "interest," in an odd > sort of way. Not "real" interest, of course, but the next best thing. 
> > From wb8foz at nrk.com Wed Jan 10 10:29:52 1996 From: wb8foz at nrk.com (David Lesher) Date: Thu, 11 Jan 1996 02:29:52 +0800 Subject: NOISE Today in history Message-ID: <199601100428.XAA05110@nrk.com> There is 'Punk irony in spades in today's list: On Jan. 10, 1776, Thomas Paine published his influential pamphlet, ``Common Sense.'' In his call for American independence from England, Paine wrote, ``Everything that is right or reasonable pleads for separation.'' From personal independence to personal monopoly control: In 1870, John D. Rockefeller incorporated Standard Oil. Promises made, promises broken: In 1920, the League of Nations was established as the Treaty of Versailles went into effect. and In 1928, the Soviet Union ordered the exile of Leon Trotsky. If at first you don't succeed... In 1946, 50 years ago, the first General Assembly of the United Nations convened in London. Can the telescreen be far behind?: In 1946, the first man-made contact with the moon was made as radar signals were bounced off the lunar surface. Gee, will ITAR be next to go?: In 1990, Chinese Premier Li Peng lifted Beijing's seven-month-old martial law, and said that by crushing pro-democracy protests, the army had saved China from ``the abyss of misery.'' -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From adam at lighthouse.homeport.org Wed Jan 10 10:34:55 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Thu, 11 Jan 1996 02:34:55 +0800 Subject: When they came for the Jews... In-Reply-To: <199601101633.IAA18047@infinity.c2.org> Message-ID: <199601101826.NAA04543@homeport.org> The Wiesenthal center is very influential in Jewish circles. 
Attacking them directly would probably be a bad idea, and create bad associations for anonymity amongst Jews. (I'll come back to this.) As always, the best answer to bad speech is more speech. Ken McVay, and his Nizkor project, (http://nizkor.almanac.bc.ca) have been involved in fighting hate speech, holocaust revisionism, and the like for a long time through archiving the big lies that revisionists pump out, documenting the bogosity of their footnotes, showing their contradictions, etc. Pointing out this, and other net resources fighting anti-semitism is a much cleaner approach than attacking the Wiesenthal center. Someone noted the police stopping skinheads in Oregon-- I'll point out that there is a substantial difference between talking and randomly beating the crap out of people. The latter is a fair basis for action by police, although we may choose to question their methodology. There is also a difference between stopping skinheads and stopping blacks, in that the skinheads decided to wear clothing and tattoos that identify them as skinheads, and thus may more fairly be asked to bear the consequences. Another approach might be to talk about the concept of identity, and how dangerous mandating identity cards and papers can be. Jews in Germany were tracked down via phone records, bank records, membership lists of organizations (a lesson probably noted by the NAACP in refusing to give Alabama its membership rolls, leading to a supreme court case upholding the right of anonymous association.) At the last CFP, Hugh Daniels was distributing buttons with a bar code on the that said things like 'Is your Jew bit set?' and 'Is your gay bit set?' Proposals to require everyone to have ID are a slippery slope leading to a police state. Jews of all people should know better. sameer wrote: | | | Is there some way I can get a copy of this letter? Is it | directed at specific ISPs or ISPs in general? An open response, | publicized, to this sounds like something I could do. 
Publicity is | fun. | > Citing ``the rapidly expanding presence of organized hate groups on the | > Internet,'' a leading Jewish human rights group [the Simon Wiesenthal | > Center] on Tuesday began sending letters to hundreds of Internet access | > providers and universities asking them to refuse to carry messages that | > ``promote racism, anti-Semitism, mayhem and violence.'' -- "It is seldom that liberty of any kind is lost all at once." -Hume From frissell at panix.com Wed Jan 10 10:47:12 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 11 Jan 1996 02:47:12 +0800 Subject: When they came for the Jews... Message-ID: <2.2.32.19960110182140.006cee40@panix.com> At 12:22 PM 1/10/96 -0500, Futplex wrote: >No big surprise to see these folks come out against free speech in a new >medium. Too bad they're utterly blind to the lessons of the history they've >documented so well. > >Futplex Just part of the ongoing conflict between Anglo-Saxon values and European values. Runnymede vs Canossa. TCP/IP vs X.25. Some think that one should bow to authority others think that authority should bow to them. DCF "Canossa -- In Germany, HENRY IV joined the antireform party and was excommunicated (1076) by Pope Gregory VII. Losing support, Henry humbled himself before Gregory at Canossa." From pete at loshin.com Wed Jan 10 11:02:59 1996 From: pete at loshin.com (Pete Loshin) Date: Thu, 11 Jan 1996 03:02:59 +0800 Subject: Net Control is Thought Control Message-ID: <01BADF61.67341C00@ploshin.tiac.net> Duncan Frissell wrote: >On CSPAN Friday morning a gentlemen who is, I take it, a lobbyist for TPC or >the Competitive Long Distance Coalition (TPCs) said that the Internet could >be regulated just like magazines, tv, or anything else. I have long doubted >statements like this particularly since they come from people without >apparent experience on the Net. > >[many other interesting comments deleted] Magazines and TV (and books, newspapers, movies etc.) 
are _NOT_ regulated, at least not as to content. These media are all pretty much self-regulated. The judgement of whether to print the f-word in a newspaper is made by the editors and/or the publishers--not the government. The same goes for how much flesh gets displayed on a television show, or in a movie, or on the cover of a magazine. It is true that the TV and movie industry have subjected themselves to self-censorship and "guidelines" to avoid having the government step in and do it for them, however. It may be that this individual was speaking in favor of having the Internet community police itself--which may mean he's in favor of an updated Hayes board of censors (the folks who felt that, during the 40's it was obscene to indicate that ANYONE, particularly married people, slept in the same bed together, with the result that bedroom scenes always had the couple sleeping in their own individual single beds). -Pete Loshin pete at loshin.com From pete at loshin.com Wed Jan 10 11:14:05 1996 From: pete at loshin.com (Pete Loshin) Date: Thu, 11 Jan 1996 03:14:05 +0800 Subject: Book on Electronic Commerce Message-ID: <01BADF61.69133C40@ploshin.tiac.net> For the sake of completeness, I'll mention my book, too: _Electronic Commerce: On-Line Ordering and Digital Money_ 1995, 282 pages, $35.95 (includes CD ROM) Charles River Media, Inc. 1 800 382-8505 ISBN # 1-886801-08-8 Excerpts (preface, Chapter 3, part of Chapter 6) are available at: http://www.loshin.com/ -Pete Loshin pete at loshin.com From frissell at panix.com Wed Jan 10 11:17:16 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 11 Jan 1996 03:17:16 +0800 Subject: When they came for the Jews... Message-ID: <2.2.32.19960110184247.006bad88@panix.com> >But Cooper said the ``unprecedented potential and scope of the Internet'' >gives people ``incredible power to promote violence, As opposed, say, to the "82nd Airborne Division" or the "3rd Shock Army." >threaten women, Not to mention threaten men. 
But I guess we don't deserve protection. >denigrate minorities What an incredibly racist statement. Why should blackening (denigrating) someone be bad? >promote homophobia Promote the fear of the same. No risk of the Nets doing that. >and conspire against democracy.'' Asked and answered. DCF "The 3rd Shock Army was the Red Army unit charged with charging through the Fulda Gap to split the BRD if and when. But 'if and when' never came." From pati at ipied.tu.ac.th Wed Jan 10 11:31:39 1996 From: pati at ipied.tu.ac.th (luxana) Date: Thu, 11 Jan 1996 03:31:39 +0800 Subject: KC/KI encryption on smart cards In-Reply-To: <199601080931.BAA16945@infinity.c2.org> Message-ID: I've seen semantics of the KC/KI encryption system used on smart cards for the local PCN cellular system. Does anybody know whether this is secure, and where to get more info on it? The smart card seems to generate keys by itself that are used by the cellular phone to encrypt its calls. Could this be applied as a universal smart card crypto system? ------------------------------------------------------------------------------- Patiwat Panurach Whatever you can do, or dream you can, begin it. eMAIL: pati at ipied.tu.ac.th Boldness has genius, power and magic in it. m/18 junior Fac of Economics -Johann W.Von Goethe ------------------------------------------------------------------------------- From nobody at REPLAY.COM Thu Jan 11 03:40:23 1996 From: nobody at REPLAY.COM (Anonymous) Date: Thu, 11 Jan 96 03:40:23 PST Subject: Message-ID: <199601111137.GAA14805@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] 
From frantz at netcom.com Wed Jan 10 12:13:56 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 11 Jan 1996 04:13:56 +0800 Subject: Net Control is Thought Control Message-ID: <199601101954.LAA12507@netcom6.netcom.com> At 13:34 1/10/96 -0500, Pete Loshin wrote: >... [The] Hayes board of censors (the folks who felt that, during >the 40's it was obscene to indicate that ANYONE, particularly >married people, slept in the same bed together, with the result >that bedroom scenes always had the couple sleeping in their own >individual single beds). Who apparently went thru the roof when they saw Casablanca. It was real obvious what Rick and Ilsa were doing in Paris, but there were no bedroom scenes to cut. A classic example of Art over Asshole. ----------------------------------------------------------------- Bill Frantz Periwinkle -- Computer Consulting (408)356-8506 16345 Englewood Ave. frantz at netcom.com Los Gatos, CA 95032, USA From frissell at panix.com Wed Jan 10 12:23:02 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 11 Jan 1996 04:23:02 +0800 Subject: Net Control is Thought Control Message-ID: <2.2.32.19960110200221.006aa430@panix.com> At 01:34 PM 1/10/96 -0500, Pete Loshin wrote: >Magazines and TV (and books, newspapers, movies etc.) are _NOT_ >regulated, at least not as to content. These media are all >pretty much self-regulated. 
Lots of content regulation in the US: Libel, slander, indecency (radio and TV), obscenity, Federal Trade Commission (advertizing controls), Food and Drug Administration (drug 'labeling' and info controls), booze and cigarette advertizing, EEOC (controls on discriminatory advertizing), children's television requirements, civil defense broadcast requirements, station identification requirements, civil controls on advertizing foreign financial services (did you know this was illegal?), civil liability for carrying 'hit man' ads, etc. I'd come up with more if I had more time. I'll add more over the next few days as I think of them. Not to mention the numerous content controls in countries other than the US. The Nets will smash all of these content controls. DCF From cp at proust.suba.com Wed Jan 10 12:31:18 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Thu, 11 Jan 1996 04:31:18 +0800 Subject: Net Control is Thought Control In-Reply-To: <2.2.32.19960110175223.006a6bcc@panix.com> Message-ID: <199601102011.OAA01630@proust.suba.com> [a lot of good stuff deleted] > Control of the Nets will prove as difficult as the control of thoughts > themselves. I agree with everything you said. It seems to me that the simplest way to describe crypto anarchy is to say that it's the observation that technological change is going to make certain kinds of rules -- like our current tax and censorship laws -- nearly impossible to enforce. The analysis makes sense to me, and I'm inclined to believe that the crypto anarchy predictions will be borne out. Censorship is rapidly becoming technically infeasible. That doesn't mean that attempts to censor the net won't be mounted, that they won't be damaging, and that people won't go to jail. It just means that all of that ugliness will go down for nothing. That's why it's important to try to educate people about the dynamics of the net, and to try to persuade them that our analysis is accurate. 
If our government would simply look at things as they are with respect to crypto, they would see that along with the inevitable loss of control there are a lot of opportunities and benefits, both politically and economically, to the new dynamic. We ought to be trying to open up speech in countries like North Korea and Iraq with crypto tools. We ought to make sure that American companies reap the benefits of the new financial tools that are coming down the pike. And we ought to make sure that the software industry doesn't move overseas because our people aren't allowed to give their customers the crypto the market demands. Our government's inability to accept reality on these issues is already costing business tens of billions of dollars each year, shipping jobs overseas, and having a chilling effect on computer security research at home and abroad (thereby exposing computer users to risks and damages they might otherwise avoid). Our own rights as citizens are being compromised, and the arrival of free speech in other countries is being postponed needlessly. For what? So Sen. Exon and the NSA can tilt at windmills? I wish the NSA would participate in these discussions publicly. It wouldn't even be necessary for them to do it as an institution. Let's get some individuals from the NSA who agree with the agency's position out here to defend it. Engage us in debate on the net. Here's a challenge for the NSA: Let's find a neutral third party, an academic or a journalist perhaps (someone from CSPAN?), to moderate a newsgroup or a mail list so that things won't degenerate into a shouting match. We'll make a rule that even posts that don't pass moderation will be published in a different list, so that charges of biased moderation can be evaluated. Tell us what you're trying to accomplish, why your goals are in the nation's interest, and how your policy will accomplish those goals. Then let us challenge your arguments. 
Let us explain what we're trying to accomplish, why our goals are beneficial, and how our proposed policies will accomplish those goals. Then you guys can take your best shots at us.

Of course it's unthinkable that the NSA would accept such a challenge. But if you think about it, it shouldn't be. These are important issues -- they affect our civil liberties and our wallets. This is a democracy. And if the NSA believes in the strength of its position, it ought to have enough confidence to defend it in public.

From jcobb at ahcbsd1.ovnet.com Thu Jan 11 04:31:33 1996
From: jcobb at ahcbsd1.ovnet.com (James M. Cobb)
Date: Thu, 11 Jan 96 04:31:33 PST
Subject: Some questions about ecash[tm]
In-Reply-To: <199601110932.WAA09988@iconz.co.nz>
Message-ID:

Dave,

The following may be of some help:

    DigiCash bv was founded by Dr. David Chaum, a digital cash and electronic security expert. DigiCash announced the first software-only product, called Ecash, that allows the transfer of digital cash over the Internet. CURRENTLY, DigiCash technology is being used in electronic wallets and smart cards; but IN THE LONG-TERM, the technology will be used for MANY MORE applications.

    ...

    Company Information:

        Kruislaan 419
        1098 VA Amsterdam
        The Netherlands
        Phone: 31 20 665 2611
        Fax: 31 20 668 5486
        http://www.digicash.com
        E-mail: info at digicash.nl

    ...

    Security

        RSA Data Security public key cryptography, including encryption, authentication, and digital signatures, as well as PROPRIETARY blind signature technology.

    Unique Attributes

        Blind signature technology ensures anonymous transactions.

The above is excerpted from Lisa Morgan's chapter, "Internet Commerce," in:

    Frederick Cooper et al
    Implementing Internet Security
    New Riders Publishing
    1995

Capitalization is mine.
Cordially,

Jim

From sameer at c2.org Wed Jan 10 12:40:03 1996
From: sameer at c2.org (sameer)
Date: Thu, 11 Jan 1996 04:40:03 +0800
Subject: Don't type: "g**d t*m*s v*r*s"
In-Reply-To:
Message-ID: <199601102015.MAA21474@infinity.c2.org>

Just to set the record straight-- There's no mail->news gateway at c2.org which works like that.. Mail to alt.folklore.suburban at c2.org will give you a nice and ugly User unknown error message.

--
Sameer Parekh                               Voice:   510-601-9777x3
Community ConneXion                         FAX:     510-601-9734
The Internet Privacy Provider               Dialin:  510-658-6376
http://www.c2.org/ (or login as "guest")    sameer at c2.org

From grimm at MIT.EDU Wed Jan 10 12:41:44 1996
From: grimm at MIT.EDU (grimm at MIT.EDU)
Date: Thu, 11 Jan 1996 04:41:44 +0800
Subject: When they came for the Jews...
In-Reply-To: <199601101729.LAA01429@proust.suba.com>
Message-ID: <9601102024.AA27342@w20-575-60.MIT.EDU>

If anyone is interested, here is the URL for the Simon Wiesenthal Center's cyberwatch (dedicated to fighting hatred and bigotry around the globe):

http://www.wiesenthal.com/watch/index.html

-James

From teddygee at visi.net Wed Jan 10 12:45:02 1996
From: teddygee at visi.net (Ted Garrett)
Date: Thu, 11 Jan 1996 04:45:02 +0800
Subject: Is this true...
Message-ID: <2.2.32.19960110202813.006bb954@visi.net>

-----BEGIN PGP SIGNED MESSAGE-----

Being new to crypto subjects, I guess I'm pretty gullible about how much one should use encryption in general. I remember reading somewhere that it would probably be best for the 'world as a whole' if everyone used encryption whenever possible so that when you DO send encrypted messages that actually contain information you want kept secret, it doesn't stick out like a sore thumb.

To that end, I should imagine that once I have a person's pgp key, they may well never see another cleartext message from me again! Of course, now I'm trying to figure out how to use the anonymous remailers and such. Boy, this is fun!
Of course, the fact that my government doesn't really care for the idea of publicly available cryptography makes it even more enticing.

- --
Ted Garrett
Live Systems Integration

From bruceab at teleport.com Wed Jan 10 13:01:11 1996
From: bruceab at teleport.com (Bruce Baugh)
Date: Thu, 11 Jan 1996 05:01:11 +0800
Subject: Net Metaphor
Message-ID: <2.2.32.19960110204432.006a9008@mail.teleport.com>

Given that most people have neither the time nor interest to understand how the net really works, we need concise images that convey the truth. In particular, we need to get across to the net.unhip masses the idea that the net is not a "thing", not any single organization.

I've recently begun using this metaphor: the Internet is a society, composed of all the systems that "speak" its computer protocols. In this it's like, say, the society of all English-speakers. The English-language society includes governments and businesses and churches and fraternal orders and magazines and all sorts of things, but it isn't any of them. And obviously there is nobody in charge of the English-language society as a whole - the language itself evolves over time (and changes across space), and no institution controls the whole show.

When I've brought that up, I've all but seen lightbulbs go on over people's heads.
Bruce Baugh
bruceab at teleport.com
http://www.teleport.com/~bruceab

From dmandl at bear.com Wed Jan 10 13:02:31 1996
From: dmandl at bear.com (David Mandl)
Date: Thu, 11 Jan 1996 05:02:31 +0800
Subject: Net Control is Thought Control
In-Reply-To: <2.2.32.19960110200221.006aa430@panix.com>
Message-ID:

On Wed, 10 Jan 1996, Duncan Frissell wrote:

> Lots of content regulation in the US:
>
> Libel, slander, indecency (radio and TV), obscenity, Federal Trade
> Commission (advertizing controls), Food and Drug Administration (drug
> 'labeling' and info controls), booze and cigarette advertizing, EEOC
> (controls on discriminatory advertizing), children's television
> requirements, civil defense broadcast requirements, station identification
> requirements, civil controls on advertizing foreign financial services (did
> you know this was illegal?), civil liability for carrying 'hit man' ads,
> etc. I'd come up with more if I had more time. I'll add more over the next
> few days as I think of them.
>
> Not to mention the numerous content controls in countries other than the US.
>
> The Nets will smash all of these content controls.

So when WFMU starts broadcasting over the net, will I be able to play smutty records on my show? And when will I be able to add some kiddie-porn images to my web page?

--D.

P.S.: Regarding limits on "freedom of speech" in the U.S., take a look at the long list Tim May posted a few months back. (I was scoffing at Perry's claim that we had nearly complete freedom of speech in the U.S., and then Tim responded with much more detail.)

--
David Mandl
Bear, Stearns & Co. Inc.
Phone: (212) 272-3888
Email: dmandl at bear.com
--

*******************************************************************************
Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication.
*******************************************************************************

From alanh at infi.net Wed Jan 10 13:22:55 1996
From: alanh at infi.net (Alan Horowitz)
Date: Thu, 11 Jan 1996 05:22:55 +0800
Subject: E-cash and Interest
In-Reply-To:
Message-ID:

> When you have your money in the bank, you are earning interest on the
> Has this issue been addressed, or am I missing something?

You are missing something.

One can earn interest on money, or gold, or oil, or pork bellies, if one - puts it at risk. Typically by lending it out.

In our current FDIC system, there is created the myth, that bank interest is given without concomitant risk.

The laws of economics are like the laws of physics. They apply, no matter what anyone says about anything. There is no free lunch - nor risk-free interest.

From gary at kampai.euronet.nl Thu Jan 11 05:24:21 1996
From: gary at kampai.euronet.nl (Gary Howland)
Date: Thu, 11 Jan 96 05:24:21 PST
Subject: NSA says strong crypto to china??
Message-ID: <199601111321.IAA15089@bb.hks.net>

-----BEGIN PGP SIGNED MESSAGE-----

> you think that's a bit ridiculous? i'm paid via an NIH grant given to my
> advisor by the govt. this stipend is taxed. it didn't used to be
> (started to be taxed around '86 i believe). why the hell doesn't the
> govt just save everyone the trouble and pay me less. i'm sure they could
> get rid of a couple of IRS people this way.

It's even sillier over here in Europe, and the paperwork is probably a couple of orders of magnitude more expensive (due to the translations required). Quick example (but old figures) - the EU spends $10 million a year to campaign against smoking, and then spends $1200 million a year to subsidise tobacco production.

Thought for the day - Think about what the 'S' in IRS stands for.

Gary

- ---
[This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.]

From E.J.Koops at kub.nl Thu Jan 11 05:24:41 1996
From: E.J.Koops at kub.nl (Bert-Jaap Koops)
Date: Thu, 11 Jan 96 05:24:41 PST
Subject: Crypto Law Survey - new URL and update
Message-ID: <1FE4D411F7B@frw3.kub.nl>

The URL of my Crypto Law Survey has been changed several times over the past month due to changes in servers. Apologies. It is now located at

http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm

(and it is meant to stay there :-)). So, please put pointers to this new URL, and accept my apologies for the inconvenience.

To make up for this, I have updated the survey with all recent events, such as the ICC meeting in Paris and the recent discovery of a crypto law in Belgium, and added a few links.

As always, comments are more than welcome.

Kind regards,
Bert-Jaap

----------------------------------------------------------------------
Bert-Jaap Koops                         tel     +31 13 466 8101
Center for Law and Informatization      facs    +31 13 466 8102
Tilburg University                      e-mail  E.J.Koops at kub.nl
                    --------------------------------------------------
Postbus 90153      | This world's just mad enough to have been made |
5000 LE Tilburg    | by the Being his beings into being prayed.     |
The Netherlands    |                        (Howard Nemerov)        |
---------------------------------------------------------------------
http://cwis.kub.nl/~frw/schrdijk/CRI/people/bertjaap.htm
---------------------------------------------------------------------

From david at sternlight.com Wed Jan 10 13:26:59 1996
From: david at sternlight.com (David Sternlight)
Date: Thu, 11 Jan 1996 05:26:59 +0800
Subject: A weakness in PGP signatures, and a suggested solution (long)
In-Reply-To: <199601030407.UAA12551@comsec.com>
Message-ID:

In article <199601030407.UAA12551 at comsec.com>, dlv at bwalk.dm.com (Dr.
Dimitri Vulis) wrote:

>I've been engaged in a lively debate with a few members of the cypherpunks
>mailing list about forgeries that are hard to repudiate even if PGP signatures
>are used. One of the participants suggested that I post a summary to
>alt.privacy.pgp and sci.crypt, which is just what I'm doing.

Although I do not disagree with the poster, and it may be useful to include headers in the encryption (though care must be taken in verifying them if the routing process adds anything), the lesson here is really a different and important one than the writer's idea of encrypting headers.

It is that signed messages en clair are a) unencrypted to a specific recipient, b) anyone may "validate" such a message, and c) "BEGIN PGP SIGNED MESSAGE" and "END PGP SIGNATURE" mean exactly what they say--only the delimited matter is authenticated.

Thus if one is writing to Carol to break off a relationship, one had better include "Dear Carol" in the message text, and if you are in relationship with more than one Carol, or expect to be, the date and other particularizing info as well.

By the way, if Bob is sending unencrypted e-mail to Carol about the details of their relationship for reasons other than public witness, he has more than spoofed headers to worry about. It's his own head, er, that needs scrutiny. :-)

David

From mdiehl at dttus.com Wed Jan 10 13:59:06 1996
From: mdiehl at dttus.com (Martin Diehl)
Date: Thu, 11 Jan 1996 05:59:06 +0800
Subject: Can you break my encryption protocol ? - improvements
Message-ID: <9600108212.AA821264060@cc2.dttus.com>

On 1/9/96 at 1:55pm, Bob Baldwin wrote:

> Mark,
> The protocol works well ...

[SNIP]

> Server computes:
> X = Dec(K, Vs)
> Test that H(X) = Ns, if not ...
> All subsequent communications should be encrypted with K.
> -- Bob Baldwin

I think that the last part should be:

Server computes:
X = Dec(K, Vc)
Test that H(X) = Nc

Martin G.
Diehl

From nobody at REPLAY.COM Thu Jan 11 06:00:48 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Thu, 11 Jan 96 06:00:48 PST
Subject:
Message-ID: <199601111358.IAA15210@bb.hks.net>

-----BEGIN PGP SIGNED MESSAGE-----

- ---
[This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.]

From futplex at pseudonym.com Wed Jan 10 14:04:42 1996
From: futplex at pseudonym.com (Futplex)
Date: Thu, 11 Jan 1996 06:04:42 +0800
Subject: When they came for the Jews...
In-Reply-To: <199601101826.NAA04543@homeport.org>
Message-ID: <199601102152.QAA24188@thor.cs.umass.edu>

-----BEGIN PGP SIGNED MESSAGE-----

Adam Shostack writes:

> There is also a difference between stopping skinheads
> and stopping blacks, in that the skinheads decided to wear clothing
> and tattoos that identify them as skinheads, and thus may more fairly
> be asked to bear the consequences.

Sorry, but from where I stand there's nothing "wrong" with wearing clothing, bearing tattoos, etc., any more than there's anything "wrong" with having a particular level of skin pigmentation. When you decide that only clothing, tattoos, etc. that display particular colors, emblems, words, etc. are "wrong", then you are stifling free expression.

This is very similar to the absurd flag burning "issue". (I would laugh, but both houses of the U.S. Congress came damn close to passing the proposed Constitutional amendment just a few weeks ago, although I thought the matter was long dead.) When they decide that burning a piece of cloth _with a particular emblem on it_ is "wrong", they rip up the First Amendment all over again.
I happen to think that going around burning pieces of cloth is a bad idea from an environmental standpoint, but it's not clear that even that should be illegal, let alone unconstitutional.

Futplex
"Freedom...oh freedom...that's just some people talking" -Eagles

From jcobb at ahcbsd1.ovnet.com Wed Jan 10 14:05:33 1996
From: jcobb at ahcbsd1.ovnet.com (James M. Cobb)
Date: Thu, 11 Jan 1996 06:05:33 +0800
Subject: Belgium has 'key escrow' law
In-Reply-To:
Message-ID:

Leo,

I read with wry amusement that "...enactment of these [register keys or else!] articles went almost completely unnoticed...."

Here's ANOTHER "almost completely unnoticed" item:

On 10 02 95 The Electronic Telegraph (www.telegraph.co.uk), in a newsstory headlined "Plan to police e-mail seems [!] certain to fail," reports that

    In France, it is illegal to use any kind of encryption, and police can arrest the authors of any e-mail which they cannot understand.

My question: In Europe, is anyone working on translating plaintext 1 into plaintext 2, so that the latter serves to encrypt the former?

Plaintext 2 will have to be good enough to satisfy the gendarmerie, which NEVER fails to notice enactment of electronic-baton laws.

Cordially,

Jim

INCLOSURE:

Date: Tue, 9 Jan 1996 14:16:06 +0100
From: Leo Van Hove
To: cypherpunks at toad.com
Subject: Belgium has 'key escrow' law

Surprise, surprise.
Today's issue of 'De Standaard', Flanders' most respected newspaper, reports that - much to everybody's amazement - Belgium has a key escrow law in working order - or almost...

The newspaper states that certain articles of a much 'broader' law that was passed on the 21st of December 1994, if enforced - which to date has _not_ been the case, would imply that encryption of computer messages is illegal unless the private key is registered with the BIPT (the Belgian Institute for Postal services and Telecommunication; a government administration that regulates the telecom sector). At the time of enactment these articles went almost completely unnoticed - hence the amazement.

As mentioned, said articles are not enforced yet but it now appears that a working group, called Belinfosec (Belgium Information & Security), led by a colonel of the military intelligence services - no less, is preparing a report which would contain further specifications and would propose enacting clauses.

Note that at present there is already legislation up and working that enables Belgian law enforcement to tap telephone lines 'in specific circumstances' (i.e., suspicion of criminal or terroristic activities). Judging by the newspaper article it will not be long before this will include computer messages.

Asked for a reaction, officials from the banking sector reacted with both disbelief and outrage. The article quotes the head of security at Banksys (the interbank consortium that operates Belgium's nation-wide ATM/POS-network) who considers it to be "unacceptable" and "an intrusion on privacy" if government authorities were to be able to monitor all the money flows that pass through the Banksys network. He also fears that once revealed to the authorities, the keys might fall into the wrong hands, thus jeopardizing the system's security.

I'll try to find out more and keep you informed.

Ciao,

leo

P.S. I'm not on the cpx mailing list, so please Cc me.
_________________________________________________________________________
Leo Van Hove
Centre for Financial Economics
Vrije Universiteit Brussel (Free University of Brussels)
Pleinlaan 2
B-1050 Brussels
Vox: +32 2 629.21.25
Fax: +32 2 629.22.82
e-mail: lvhove at vnet3.vub.ac.be
VUB's Web site: http://www.vub.ac.be
_________________________________________________________________________

From adam at lighthouse.homeport.org Wed Jan 10 17:16:35 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Thu, 11 Jan 1996 09:16:35 +0800
Subject: When they came for the Jews...
Message-ID: <199601110051.TAA10090@homeport.org>

Sten Drescher wrote:

Adam Shostack said:

AS> As always, the best answer to bad speech is more speech. Ken McVay,
AS> and his Nizkor project, (http://nizkor.almanac.bc.ca) have been
AS> involved in fighting hate speech, holocaust revisionism, and the
AS> like for long time through archiving the big lies that revisionists
AS> pump out, documenting the bogosity of their footnotes, showing their
AS> contradictions, etc. Pointing out this, and other net resources
AS> fighting anti-semitism is a much cleaner approach than attacking the
AS> Wiesenthal center.

Isn't this attacking, or at least opposing, them directly?

Nope; it's changing the terms of the debate. Saying 'you can't make this happen' is attacking them.

AS> Someone noted the police stopping skinheads in Oregon-- I'll point
AS> out that there is a substantial difference between talking and
AS> randomly beating the crap out of people. The later is a fair basis
AS> for action by police, although we may choose to question their
AS> methodology. There is also a difference between stopping skinheads
AS> and stopping blacks, in that the skinheads decided to wear clothing
AS> and tattoos that identify them as skinheads, and thus may more
AS> fairly be asked to bear the consequences.

This is known as the "[S]he asked for it" argument, a widely discredited defense.
If their _behavior_ doesn't indicate criminal behavior, and there isn't a report of a crime with suspects meeting their descriptions, there is no more excuse for hassling them than there is for hassling blacks, or hispanics, or.... Who knows, they could actually be a bunch of Marines (depending on the area).

No, this is not 'she asked for it.' If there are skinheads who fit the description 'bald, black leather, swastikas' attacking people, then stopping people who fit that description is ok by me, as opposed to stopping people who fit the description 'black, medium height, living in Boston,' which were the criterion here a few years back after Chuck Stewart shot his wife.

The lead-in was people being attacked on the street at random. I thought I had hypothesized that they were skinheads.

The crypto relevance might be getting thin. I think this will end my contribution to this thread in public.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From cc047 at Cranfield.ac.uk Thu Jan 11 09:18:32 1996
From: cc047 at Cranfield.ac.uk (Jeffrey Goldberg)
Date: Thu, 11 Jan 96 09:18:32 PST
Subject: A weakness in PGP signatures, and a suggested solution (long)
In-Reply-To: <199601030407.UAA12551@comsec.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

[I am posting this to exactly the same groups that the original was posted to. If someone feels that the distribution should be more limited please restrict the follow-ups. I have also mailed a copy to the original poster.]

On Wed, 27 Dec 1995, Dr. Dimitri Vulis wrote:

> Bob once sent Carol an e-mail that looked like this:
>
> -----------------------------------------------------------------------
> From: Bob at boxb
> To: Carol at boxc
> Date: 25 Dec 1965
> Subject: Carol, we're history
> Message-ID: <111 at boxb>
>
> ----BEGIN PGP SIGNED MESSAGE----
>
> I no longer wish to go out with you. Merry Christmas!
>
> ----BEGIN PGP SIGNATURE----
> Version 2.6.2
>
> 12341234...
>
> ----END PGP SIGNATURE----
>
> -----------------------------------------------------------------------
>
> Carol can forge an e-mail to Alice that looks like this:
>
> -----------------------------------------------------------------------
> From: Bob at boxb
> To: Alice at boxa
> Date: 25 Dec 1995
> Subject: Alice, we're history
> Message-ID: <222 at bobb>
>
> ----BEGIN PGP SIGNED MESSAGE----
>
> I no longer wish to go out with you. Merry Christmas!
>
> ----BEGIN PGP SIGNATURE----
> Version 2.6.2
>
> 12341234...
>
> ----END PGP SIGNATURE----

I have omitted the other scenarios for reasons of space. All of them are based on the fact that information about the intended recipient (including newsgroup) is not part of the information signed.

A proposal is made for a mechanism to have some header information signed as well. I don't think that such a thing needs to be built into pgp, but might be included in pgp/MUA interfaces.

I also think that the crucial lesson here is to take the analogy to signature on paper more seriously. Imagine that paper documents were reproducible in a way that made the original indistinguishable from copies. Under such circumstances you would never sign something like:

    I agree to give you my house plus $30,000 in exchange for your house.

    (signature)

For the same reasons that you would never sign something like that (without specifying the individuals and the properties in question), you shouldn't sign an electronic document when the interpretation of the document is a function of whose hands its in.

As with the paper document, you would never rely on its interpretation depending on the name on the envelope, you shouldn't rely on the headers.

As for the recipient, the signature determines responsibility for the signed portion, but not for the act of sending the document.

The only difference between paper and E-docs is that with paper there is a distinction between the original and copies.
The lesson is not so much that we should change pgp, but that we should pay very careful attention to what we sign.

- -jeff

Jeffrey Goldberg                +44 (0)1234 750 111 x 2826
Cranfield Computer Centre       FAX 751 814
J.Goldberg at Cranfield.ac.uk
http://WWW.Cranfield.ac.uk/public/cc/cc047/
"An `alternative paradigm' is the first refuge of the incompetent" --LM

From jya at pipeline.com Wed Jan 10 17:33:02 1996
From: jya at pipeline.com (John Young)
Date: Thu, 11 Jan 1996 09:33:02 +0800
Subject: David Kahn on C-Span 2
Message-ID: <199601110121.UAA13773@pipe1.nyc.pipeline.com>

The occasion was a "Cryptologic History Symposium," held on October 26, 1995, at NSA. No time was given for rebroadcast.

Kahn spoke briefly on material covered in his book on codebreaking before and during WW2.

The second speaker was Professor Colin Burke, Univ. of Maryland, like Kahn a scholar-in-residence at NSA, who reviewed the pre-war and WW2 machines and proto-computers for cryptanalysis.

Kahn, a charming speaker, said about Russian cryptanalysis ability during WW2, that while there has been no published material on the period, three talents make for excellent cryptology: chess, music and mathematics, all of which the Russians excel at.

---

Other codebreaking news: the English are making a TV-movie on Alan Turing, due to be broadcast around Easter. It is based on the successful theater play a while back.

From shamrock at netcom.com Thu Jan 11 11:11:10 1996
From: shamrock at netcom.com (Lucky Green)
Date: Thu, 11 Jan 96 11:11:10 PST
Subject: When they came for the Jews...
In-Reply-To: <2.2.32.19960110153325.006b5980@panix.com>
Message-ID:

On Wed, 10 Jan 1996, Duncan Frissell wrote:

> He cited the posting of instructions for making explosive devices, including
> recipes for Sarin nerve gas and bombs similar to the one that destroyed the
> Federal Building in Oklahoma City last April 19.

Sarin nerve gas? Can anyone find that URL?

TIA,

From nobody at flame.alias.net Wed Jan 10 19:44:20 1996
From: nobody at flame.alias.net (Anonymous)
Date: Thu, 11 Jan 1996 11:44:20 +0800
Subject: SSH for Windows
In-Reply-To: <199601101153.MAA20011@utopia.hacktic.nl>
Message-ID: <199601110325.EAA25254@utopia.hacktic.nl>

Alex de Joode (usura at utopia.hacktic.nl) wrote:

> : ...can be found at URL http://public.srce.hr/~cigaly/ssh/. FYI.
>
> also on ftp.hacktic.nl/pub/replay/pub/incoming/ssh-1-2.zip
>
> (the .hr link is _very_ slow)
> -AJ-

*ahem*

Where's the source code? You don't expect us to trust a crypto implementation without source code, do you? Not to mention that that would be a violation of the GPL...

From norm at netcom.com Wed Jan 10 19:46:11 1996
From: norm at netcom.com (Norman Hardy)
Date: Thu, 11 Jan 1996 11:46:11 +0800
Subject: A Mondex like Protocol (2)
Message-ID:

An improved Mondex like protocol

About a week ago I posted a protocol that meets the requirements of the Mondex cards as I understand them. It was overkill. I wasn't clear in my own mind what properties of Diffie Hellman I was depending on. Here is an improvement that does not use DH and thus uses less compute power.

Two Mondex units, upon command of their respective operators, can pass money from one to the other via infrared signals. I think that this requires tamper proof units. I understand that the Mondex protocol is currently undisclosed. I have no information about that protocol but am merely trying to find a protocol that fits the little that I know about Mondex. Are there other guesses?
When a receiving unit, the payee, is instructed by its operator to be ready to receive a payment, it increments an internal counter. The payee transmits an infrared message including its unique id, the counter value and a simple checksum. This message is repeated until some timeout or a valid transmission from a payer is received.

The payer unit, having been instructed by its operator to pay, awaits such a message. Upon receipt it decrements its local balance and constructs a record consisting of the payee's id, the payee's counter value, the payment amount and a secret shared by all money units. The payer then transmits a message with the payment amount, and the secure hash of the record. This transmission is repeated until an acknowledgment or a timeout.

Upon receipt the payee is able to reconstruct the payer's record and compute the secure hash. If the computed hash matches the received hash then the payee can be sure that some legitimate payer unit has decremented its local balance and it is thus valid for the payee to increment its value by that amount. It then transmits one acknowledgment.

If the receiver's transmission is garbled but the checksum does not catch it then the transmitted money is lost. The payer thinks it has authorized a balance increment but no unit recognizes the authorization as its own.

Garbled transmissions from a payer are ignored when the hash check fails. Subsequent transmissions will hopefully succeed.

Note that this scheme uses no crypto.

From jcobb at ahcbsd1.ovnet.com Wed Jan 10 20:00:29 1996
From: jcobb at ahcbsd1.ovnet.com (James M. Cobb)
Date: Thu, 11 Jan 1996 12:00:29 +0800
Subject: Popular Science on US Spysats - Part 1
Message-ID:

Friend,

02 96 Popular Science runs a cover story, America's First Eyes in Space. It's by Stuart Brown. It's about "a secret space reconnaissance program known as Corona."
Brown reports that

    Last year, the federal government declassified the program's history and the more than 800,000 photographs that Corona recorded....

    The development of the reconnaissance satellite was "the biggest advance in the history of the intelligence world," says Jeffrey Richelson, a senior fellow at the National Security Archive.

According to the article, the chronology of that and similar programs is:

1955    "Mid-air retrieval of spy cameras was originally developed during the secret Genetrix program authorized by Eisenhower in 1955, which released 516 reconnaissance balloons to drift across the Soviet Union...."

        "...the U-2 high-altitude spyplane took to the skies." It made "24 flights...between 1956 and 1960."

1958    "In early 1958, the National Security Council gave the development of photo reconnaissance satellites its highest priority, and the Corona program was born."

1959    Specifically mentioned is "a failed mission in 1959." Generally mentioned is "the failure of the first dozen missions...."

1960    "In 1960, Corona was placed under the...National Reconnaissance Office."

        "...on May 1, 1960...[U-2] pilot...Powers was shot down...."

        "Eisenhower promised that the United States would cease all manned [!] overflights of Soviet territory."

        "Just 110 days after the Powers incident, the 14th Corona flight produced photos of...the Soviet Union...."

        "In mid-August 1960, President...Eisenhower held a press conference to announce the successful recovery of an American flag that had flown into orbit aboard Discoverer XIII.

        Proudly displaying the flag, Eisenhower told reporters that the Discoverer launch was part of a scientific research effort to explore environmental conditions in space. But he was lying."

1962    "Zenit, the first successful Soviet spysat, was launched in April 1962...."

1972    "Of 145 flights conducted before the [Corona] program's conclusion in 1972,...102 [were] deemed successful...."

In 1960, Statesman Eisenhower weasel-worded.
Also in 1960 Scientist Eisenhower lied.

BIKEL: Impossible!
HEPBURN: Nevertheless.
--African Queen

Cordially,

Jim

From jya at pipeline.com Thu Jan 11 12:31:10 1996
From: jya at pipeline.com (John Young)
Date: Thu, 11 Jan 96 12:31:10 PST
Subject: Toad Hall
Message-ID: <199601112030.PAA04786@pipe3.nyc.pipeline.com>

Chapter 2

TOAD HALL

In keeping with Internet nomenclature, Toad Hall acquired the Internet domain name toad.com, whose gateway to the rest of the world was a Sun SPARCstation computer in the building's basement. This digital domain was run by John and an eclectic band of programmers and hardware gurus, who together had a diverse political outlook, and while privacy was a priority, computer security at Toad was often pretty loose.

...

For the past five years, Toad Hall had been Julia [Menapace]'s home -- for John Gilmore was the "other man," with whom her relationship had been souring even before she and I had met. During the Christmas holidays John was away visiting his relatives in Florida, and so Julia and I had Toad Hall to ourselves when we arrived around 4 P.M. on the afternoon of her flight from Nepal.

John, now forty, was someone I'd known from hacker circles, and even as a friend, for a number of years. ... Initially he hadn't minded that Julia and I spent time backpacking together while he worked long hours on his new start-up, because hiking didn't interest him. But once Julia and I had become more intimately involved, things grew chilly between him and me.

Julia and I sent out for dinner from an Italian place called Bambino's. When it came, we undressed and sank into the indoor hot tub, eating while we soaked. The upstairs bathroom in Toad Hall is an unusual room. It is faced with a white and pink marble floor and wainscoting surrounding a dark green jacuzzi tub and other fixtures. A large asparagus fern sits on the window ledge, centered above the cascading waterfall of the tub's larger faucet.
The fronds of the fern tumble down toward the water. Julia had put on a cassette tape of Karma Moffet playing Himalayan instruments, and then lit candles; the only other light came from four overhead spotlights that dimly illuminated each corner of the tub.

"This is just amazing," Julia murmured through the steamy air. She said she had fantasized continually about a long soak in hot water while trekking in the frigid Himalayas, where water is carried by hand from its source and becomes hot only when heated over flames, and where there is never enough to sit in. And at high altitude in the Solu Khumbu region of Nepal, the only heat had come from the sun, the small cooking fire, and the occasional woodstove fueled by wood scraps or dung.

While we ate Julia told me stories of her adventures. In the kitchen of a lodge where she stayed she met and befriended a Sherpa guide named Tshering and a mountain guide from Seattle named Rachel DeSilva, who had led a group of 12 women to climb a 6,000-meter trekking peak in the region named Mara. Afterward they had invited her to climb another mountain named Lobuche, which lay to the north toward Everest. She had made it to just below the summit.

I sat entranced. "I wish I had been there too," was all I could find to say.

Julia had spent her birthday at the Tengboche monastery to celebrate the Mani Rimdu festival. She showed me a red string necklace that she had received when a Tibetan Lama had blessed her on her thirty-fifth birthday.

"Near noon that same day, I heard the sound of long horns, cymbals, and drums," she recalled. "Then an avalanche poured in slow motion down the south face of Ama Dablam." Later in the trip she had stopped at one point to watch a sunset over Everest through the gathering mist, and she said it was so stark and beautiful that she cried. "I thought of you," she told me, "and wished you were there to share it with me."

As we soaked, I told her about what had happened to me while she was gone.
When Julia left I had been waiting for a $500,000 per year research grant from the National Security Agency, the nation's electronic intelligence-gathering organization. The NSA has two missions: one, its foreign spying mission and the other its responsibility for the security of all the government's computers and communications. In the fall an information security division in the agency had told me they would fund a project permitting me to assemble a team of experts to do research in new areas of computer security. I was ready to go and I had commitments from people to start work, but the agency had dragged its feet for months. Finally I had gotten tired of being jerked around, and two of my researchers had been forced to take other jobs.

"I thought everything would be ironed out and I'd come back to find you happily at work with your team," she said.

"No it wasn't," I answered. "They're amazingly inept, just like any government bureaucracy."

We talked for a while about the NSA and how so many people in the civil liberties community fear them as Big Brother as well as anyone associated with them, arguing that they become corrupted by association. But that had never seemed accurate to me. Everything I'd seen indicated they were a largely incompetent organization tied up in endless regulations that could do little good or evil. And people are quite capable of making up their own minds.

"I don't want to deal with them," I said.

"I'm sorry it didn't work out, Tsutomu," she said quietly.

We soaked for a while, both of us lost in thought. Finally I changed the subject. "I want to tell you something I've been thinking about," I said. "I've thought about a lot of things while you were away. I'd really like to try having a committed relationship with you, if you're willing to."

Julia smiled. She didn't say anything, but she reached over and held me closely. It seemed like we would now be able to share a lot of time together.
I told her I'd taken a leave of absence from the university and now I was looking forward to skiing and getting away. I was finally pursuing my long-held plan to spend a winter in the mountains, spending the mornings and late afternoons skiing and the mid-days and evenings thinking and working on my research projects.

"Why don't you come with me and live in the mountains?" I suggested. "You can come ski and it will be good to be outside."

We woke at about 1 P.M. the next day and Julia -- who grew up on the East Coast and is still learning to deal with mild California winters -- told me that she had seen the first morning light before she fell asleep and thought to herself, *It's Christmas and there is no sign of it here.* She was still jet-lagged and also feeling what she feared was flu coming on. We decided to spend the day inside, catching up on talk and sleep. It was chilly out, so Julia turned up Toad Hall's central heat, still eager to soak up the warmth of civilization after two months in the Himalaya.

A bit later, while she rested, I was walking around the house, and several times went past the Sun SPARCstation in the hallway. It was a reminder that I probably had new electronic mail, but I didn't feel like checking it.

At just about that moment, however, ominous bits of data were flowing through the Ethernet cable that wound through Toad's rooms and hallways. From somewhere, perhaps thousands of kilometers away, an electronic intruder had taken control of toad.com by remotely commandeering the SPARCstation in the basement. And while the two of us spent the day together two floors above, the electronic hijacker was using toad.com as a staging base to launch an attack on the computers in my own beach house some 800 kilometers south.

-----

From: "Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Outlaw -- By the Man Who Did It," by Tsutomu Shimomura, with John Markoff, Hyperion Press, a subsidiary of The Disney Company, 1996, 326 pp.
$24.95. ISBN 0-7868-6210-6 [pp. 17-21] ---------- The author appears on NBC's Dateline tomorrow, January 12. From zinc at zifi.genetics.utah.edu Thu Jan 11 12:38:49 1996 From: zinc at zifi.genetics.utah.edu (zinc) Date: Thu, 11 Jan 96 12:38:49 PST Subject: BIG NEWS: PRZ investigation dropped! In-Reply-To: <9601112011.AA25213@toad.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Thu, 11 Jan 1996, John Gilmore wrote: > Date: Thu, 11 Jan 1996 12:11:32 -0800 > From: John Gilmore > To: cypherpunks at toad.com > Subject: BIG NEWS: PRZ investigation dropped! > > From: Stanton McCandlish > Date: Thu, 11 Jan 1996 11:53:46 -0800 (PST) > > Justice Dept. dropped investigation of Phil Zimmermann, declines to > prosecute. > They put out a press rel. about it, already got a journo call regarding this. > More when I find it. what i'd really like to hear/see is something from the prosecutor or grand jury in this case. i'd like to know what they really thought was going to come of this, how much of the investigation was pushed by TLA types, and exactly what made them think they actually had a case in the first place. i would hope that after persecuting this man for years they would offer some reasonable explanations about their (real) motivations and why they decided to drop the case. - -pjf - -- patrick finerty = zinc at zifi.genetics.utah.edu = pfinerty at nyx.cs.du.edu U of Utah biochem grad student in the Bass lab - zinc fingers + dsRNA! ** FINGER zinc-pgp at zifi.genetics.utah.edu for pgp public key - CRYPTO! zifi runs LINUX 1.3.56 -=-=-=WEB=-=-=-> http://zifi.genetics.utah.edu -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by mkpgp1.6, a Pine/PGP interface. 
iQCVAwUBMPV1FE3Qo/lG0AH5AQGRewQAgphy7tN+eG+XV+Wthr3U8+m24KfogKr3 G4amKgBITIn6gdk6teOzR3nGsauUytfg6k3LA+jdBTnyVQX9Ol30HNcnqKc+poAP lvSjokMX/a/FWkxuFkUkMDc3dBDCzx732L107uDlJaXeUjwIxhWWyKJPUqGjDi4V O1X3jV0DC5A= =ywnX -----END PGP SIGNATURE----- From vznuri at netcom.com Thu Jan 11 13:48:22 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Thu, 11 Jan 96 13:48:22 PST Subject: Net Control is Thought Control In-Reply-To: Message-ID: <199601112147.NAA21851@netcom13.netcom.com> I had a request for more info on the book "Coercive Persuasion". written by Edgar H. Schein. "a socio-psychological analysis of the 'brainwashing' of American civilian prisoners by the Chinese Communists". c 1961 WW Norton & CO, Inc this book was written in 1961 when the word "brainwashing" had just been invented. the American prisoners came back from China saying that they believed in communism and that they knew they were "spies" when they were not, etc. considers the link between social situation and beliefs and shows that the former has tremendous effect on people's philosophies. the Chinese had pretty much perfected all the techniques of getting people to change their beliefs without necessarily the overt methods of totalitarian systems such as torture, suppression of free speech etc. in fact they tended to create systems in which speech was encouraged, but was subtly manipulated so that it was always used in their favor. again, as I wrote: thought control without the subject realizing it was thought control. this is especially dangerous in cyberspace as I mentioned because one now has all kinds of "virtual communities" that may not behave in the same ways that communities now do (such as widespread use of pseudonymity) and hence have unanticipated effects. From CedricT at datastorm.com Thu Jan 11 14:09:13 1996 From: CedricT at datastorm.com (Cedric Tefft) Date: Thu, 11 Jan 96 14:09:13 PST Subject: Zimmermann case is dropped. 
Message-ID: <30F5A6B0@ms-mail.datastorm.com> > From: owner-cypherpunks > To: cypherpunks > Cc: prz > Subject: Zimmermann case is dropped. > Date: Monday, January 08, 1996 3:35AM > > Return-Path: > X-Authentication-Warning: net.indra.com: uumaalox set sender to prz at maalox > using -f > Message-Id: <199601081035.KAA02532 at maalox> > Subject: Zimmermann case is dropped. > To: cypherpunks at toad.com (Cypherpunks) > Date: Mon, 8 Jan 1996 03:35:46 -0700 (MST) > Cc: prz at acm.org (Philip Zimmermann) > From: Philip Zimmermann > Reply-To: Philip Zimmermann > X-Mailer: ELM [version 2.4 PL22] > Content-Type: text > Sender: owner-cypherpunks at toad.com > Precedence: bulk > ---------------------------------------------------------------------------- -- > -----BEGIN PGP SIGNED MESSAGE----- > > My lead defense lawyer, Phil Dubois, received a fax this morning from > the Assistant US Attorney in Northern District of California, William > Keane. The letter informed us that I "will not be prosecuted in connection > with the posting to USENET in June 1991 of the encryption program > Pretty Good Privacy. The investigation is closed." > > This brings to a close a criminal investigation that has spanned the > last three years. I'd like to thank all the people who helped us in > this case, especially all the donors to my legal defense fund. Apparently, > the money was well-spent. And I'd like to thank my very capable defense > team: Phil Dubois, Ken Bass, Eben Moglen, Curt Karnow, Tom Nolan, and Bob > Corn-Revere. Most of the time they spent on the case was pro-bono. I'd > also like to thank Joe Burton, counsel for the co-defendant. > > There are many others I can thank, but I don't have the presence of mind > to list them all here at this moment. The medium of email cannot express > how I feel about this turn of events. 
>
>
> -Philip Zimmermann
> 11 Jan 96
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
>
> iQCVAwUBMPDy4WV5hLjHqWbdAQEqYwQAm+o313Cm2ebAsMiPIwmd1WwnkPXEaYe9
> pGR5ja8BKSZQi4TAEQOQwQJaghI8QqZFdcctVYLm569I1/8ah0qyJ+4fOfUiAMda
> Sa2nvJR7pnr6EXrUFe1QoSauCASP/QRYcKgB5vaaOOuxyXnQfdK39AqaKy8lPYbw
> MfUiYaMREu4=
> =9CJW
> -----END PGP SIGNATURE-----
>

Chalk one up for the good guys. Thanks for hanging in there Phil.

- Cedric

From andypr at ix.netcom.com Wed Jan 10 22:22:10 1996
From: andypr at ix.netcom.com (Andrew Purshottam )
Date: Thu, 11 Jan 1996 14:22:10 +0800
Subject: Saw the Tsutomu and John show... (Mitnick haters skip this)
Message-ID: <199601110559.VAA14202@ix5.ix.netcom.com>

Saw the Stanford seminar given by Tsutomu Shimomura and John Markoff, on the subject of Tsutomu's pursuit of Kevin Mitnick. While not a technical seminar on the vulnerabilities of TCP and system services, the talk was quite interesting and I recommend it to you, if they bring it to a campus or bookstore near you.

Markoff began with brief bio of Mitnick, with stories of the legendary 8BBS in the late 70's, and how Mitnick started his "career" as a phone phreak, exploiting his understanding of social processes inside companies (whom to spy on or dupe to get confidential information.) Tsutomu played a hilarious and vile sounding taunt left on his answering machine after a breakin (presumably Mitnick, but never stated, perhaps for legal reasons). Markoff's presentation was interesting, but pretty much old hat for people who read his stories or the Mitnick chapter of the Hafner/Markoff text _Cyberpunk_. Markoff did mention that Mitnick was _Anton Chernoff_ on 8BBS, something I do not recall in Markoff's previous writings.

Then Tsutomu described how he got involved in the case, after a friend of his asked for help. He illustrated his tracking of Mitnick with logfiles and realtime-captured vt100 transcripts of Mitnick's breakin attempts and talk sessions with associates.
These were quite hilarious, as Mitnick apparently took his breakins very personally, and planned various nasty pranks to play on Tsutomu and Markoff. (Note to TS, please equip your VT100 playback with bigger fonts or get a magnifier program for your laptop, as is used by the visually impaired, as it was very hard to read the material, especially the obscenities and vulgar personal remarks you did not dignify with reading ;-)

I particularly liked the low key and realistic image of Mitnick; neither evil genius nor master technician (TS speculates that Mitnick could not have written his Morris/Bellovin IP ISN spoofer or other tools, but rather had a standard collection of breakins that he mechanically applied to the companies whose data he desired) Mitnick's main skills were his understanding of how tech companies work, and his updating of the phone-phreak "social engineering" techniques, applied to software developers instead of telco people. They also managed to convey how thoroughly unpleasant and mean-spirited Mitnick is (contrast with the poor oppressed boy picture given by Bloombecker's text).

Tsutomu mentioned that much source material for the investigation, including a Java version of the vt100 transcript player with many Mitnick intercepts, will be available from www.takedown.com (which does not appear to be up yet.)

The cite is Takedown, Tsutomu Shimomura with John Markoff, Hyperion 1996. ISBN 0-7868-6210-6.

Cheers, Andy (andy at acgeas.com)

From tcmay at got.net Wed Jan 10 23:02:35 1996
From: tcmay at got.net (Timothy C. May)
Date: Thu, 11 Jan 1996 15:02:35 +0800
Subject: Net Control is Thought Control
Message-ID:

At 8:41 PM 1/10/96, David Mandl wrote:

>P.S.: Regarding limits on "freedom of speech" in the U.S., take a look
>at the long list Tim May posted a few months back. (I was scoffing at
>Perry's claim that we had nearly complete freedom of speech in the
>U.S., and then Tim responded with much more detail.)
This may have been more than a "few" months back...maybe even more than several. I'm not sure when I wrote this, and I have too many megs of past messages to find it. The gist (without examples right now) is that the U.S. has a truly stunning amount of regulation of speech. Between regulation of professions, restrictions on product claims, the whole mess of tort law, and the various anti-discrimination and fairness laws, the only speech which is truly free is that of penniless idiots spouting off in public parks. The U.S. has few restrictions on speech in the form of prior restraint (that is, words do not have to be cleared by censors or approval boards, mostly), but a welter of post-speech sanctions. --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From harmon at tenet.edu Wed Jan 10 23:27:58 1996 From: harmon at tenet.edu (Dan Harmon) Date: Thu, 11 Jan 1996 15:27:58 +0800 Subject: Popular Science on US Spysats - Part 1 In-Reply-To: Message-ID: On Wed, 10 Jan 1996, Steven Weller wrote: > > Friend, > > > > > > 02 96 Popular Science runs a cover story, America's First Eyes > > in Space. It's by Stuart Brown. It's about "a secret space > > reconnaisance program known as Corona." > > Yawn. > > Didn't I ask you to stop posting garbage to the list? Please do not grace > us with parts 2, 3 or whatever. > Did I miss something? Your request or what? Yes, I know the future flames (Please, put them to email), but it seems we have a new moderator for the list. 
Dan From attila at primenet.com Thu Jan 11 01:13:47 1996 From: attila at primenet.com (attila) Date: Thu, 11 Jan 1996 17:13:47 +0800 Subject: When they came for the Jews... In-Reply-To: <199601102152.QAA24188@thor.cs.umass.edu> Message-ID: On Wed, 10 Jan 1996, Futplex wrote: > Adam Shostack writes: > > There is also a difference between stopping skinheads > > and stopping blacks, in that the skinheads decided to wear clothing > > and tattoos that identify them as skinheads, and thus may more fairly > > be asked to bear the consequences. > > Sorry, but from where I stand there's nothing "wrong" with wearing clothing, > bearing tattoos, etc., any more than there's anything "wrong" with having a > particular level of skin pigmentation. When you decide that only clothing, > tattoos, etc. that display particular colors, emblems, words, etc. are > "wrong", then you are stifling free expression. > guess I dare not to go to Portland.... age 55, no grey hairs on a full head to past my shoulder blades, full reddish brown beard with some white in it past my neck (what there is of it ), 300 lb gorilla with tattoo of the "Ace of Swords" on left arm, dressed in all black whether t-shirt/jeans or hand-tailored suit, and black leather flat rim "assassin's" hat... often seen arriving on a big bore outlaw chopper. Considered armed and dangerous.... oh, I almost forgot: with an attitude.... > > Futplex > "Freedom...oh freedom...that's just some people talking" -Eagles > __________________________________________________________________________ go not unto usenet for advice, for the inhabitants thereof will say: yes, and no, and maybe, and I don't know, and fuck-off. _________________________________________________________________ attila__ From EALLENSMITH at ocelot.Rutgers.EDU Thu Jan 11 01:21:57 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Thu, 11 Jan 1996 17:21:57 +0800 Subject: When they came for the Jews... 
Message-ID: <01HZVCRZLG80A0UE92@mbcl.rutgers.edu> In regards to all this, I thought that people might be interested in knowing about an interview on Fresh Aire, a radio program I heard via WNYC. The individual being interviewed was the American Jewish Committee's person on Hate Groups, Kenneth Stern. He was being interviewed due to a book he'd written before the Oklahoma City bombing, in which he (mis-)called all militia groups hate groups. In the interview, he was asked about the Simon Weisenthal Center's letter in regards to the Internet. He spoke in opposition to it, and mentioned later that he tends to advise people that the best solution for hate speech is speech against it- a definitely good message. He mentioned the Internet as being a popular place for militia and similar groups to form. The two reasons he gave were that it was an easy means to spread information, and that the information was hard to verify (the urban/computer legend phenomenon, helping give rise to the various conspiracy theories circulating on the Net). He also mentioned that "hate" groups, including militias are using encryption, but didn't say anything further. Unfortunately, he also had some problems, which I'll go into here because of the analogies between guns and cryptography. While having respect for the First Amendment's protections of speech and press, and (to some degree) even the Second Amendment's protections of the right to keep & bear arms, he forgot completely about freedom of association- he called for a federal law making it a felony to have "private armies." There are some such laws on the books on various states, but they are (fortunately) not enforced, and thus have not yet been constitutionally challenged. The second group of his problems were in defining all militia groups as "hate" groups. His basic analysis for this was threefold: A. They have members in common with some definite hate groups, such as the Aryan Nations. B. 
Some militias have made racist, etcetera statements that qualify them as hate groups. C. They hate somebody, namely the federal government. The first argument falls apart once one points out that this is a classic conspiracy theorist untrue argument- one can use it to argue that the Trilateral Commission runs the US government, for instance. The second argument is obviously false. It's a variety of stereotyping, something that I would have thought he'd be more sensitive to. The third argument would classify the Simon Weisenthal Center as a hate group... he might actually have the guts to do this, since he also named the Nation of Islam as a hate group (due to their antisemitism, though, not due to their anti-white racism). All in all, though, he gave a much better impression for his group than I've gathered for the Simon Weisenthal Center. IIRC, the latter was essentially put together to pursue Nazis, as opposed to Neo-Nazis. My guess is that they're feeling useless and wanting to pursue somebody- sort of like the Secret Service and Steve Jackson Games. -Allen From erc at dal1820.computek.net Thu Jan 11 17:25:54 1996 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Thu, 11 Jan 96 17:25:54 PST Subject: Shimomura on TV? In-Reply-To: <199601120102.TAA21599@unique.outlook.net> Message-ID: <199601120124.TAA04433@dal1820.computek.net> > Why let it bother you? You must understand that the majority of the > population of the United States is working class trash, the news "Working class trash"? You are starting to sound like slick willie..."the problem with this country is the working class" or some such nonsense... 
--
Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com
214/993-3935 voicemail/digital pager
800/558-3408 SkyPager
Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi

"Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'"
-- "Losing Your Mind", Karen Alexander and Rick Boyes

From aleph1 at dfw.net Thu Jan 11 17:39:02 1996
From: aleph1 at dfw.net (Aleph One)
Date: Thu, 11 Jan 96 17:39:02 PST
Subject: Mitnik and Shimomura
In-Reply-To: <199601112238.MAA04861@zang.com>
Message-ID:

On Thu, 11 Jan 1996, Mark wrote:

> It was not a trap. Shimomura was caught with his proverbials down. His
> arrogance made him complacent and as such he didn't take the most basic
> steps to keep the attack out.
>
> According to Tsutomu's own account of the incident he was only able to
> decipher what happened because the attacker(s) didn't clean away the info
> off the hard drive when they were finished. They rm'd sure but he dd'd
> the raw disk to another drive and worked through the blocks until he
> found the two tools that were used to effect the intrusion. He was also
> able to recover the tcpdump logs that were erased.
>
> If the intruder(s) had rm'd the data and THEN done a mkfile that filled the
> disk with 0's then most of what we know today would not be available.
> As mentioned a week or two back, filling the unused portions of blocks with
> 0's would probably also be necessary.

Yes but the attacker would have been a malicious one, wouldn't he?

> As to whether Mitnick is capable of effecting the intrusion, that is yet to
> be ascertained. He claims no involvement in it and based on what's known of
> his cracking prowess there is a certain truth to it. He's infinitely better
> with a phone than a keyboard.
> And he's not the one that made the phone calls either.

BTW, am I the only one bothered to see my tax dollars being wasted by scsd.edu hosting www.takedown.com, a commercial venture? I am sure T&M have enough money after book and movie deals to pay for their net access.

Aleph One / aleph1 at dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

From cp at proust.suba.com Thu Jan 11 18:05:57 1996
From: cp at proust.suba.com (Alex Strasheim)
Date: Thu, 11 Jan 96 18:05:57 PST
Subject: Zimmermann case is dropped.
In-Reply-To: <9601120029.AA04608@zorch.w3.org>
Message-ID: <199601120205.UAA02271@proust.suba.com>

> > We've made no progress. Phil has lost lots of time and gained
> >lots of grey hairs, and everyone who donated to his defense fund lost
> >money.
>
> No progress? At least Phil is not going off on a trip to Alcatraz to
> make small ones out of big ones. That's a big plus in many people's books.

I wish I could make another of my pollyannaish posts now, but I agree with Sameer.

It's great that Phil's off the hook, but there's nothing to stop them from doing the same thing to someone else tomorrow. What's more, everyone here knows that, and so the government gets what it really wants: a chilling effect on crypto development.

How much credit do you give a guy when he stops beating his wife? They put Phil through the wringer, made him spend his money on lawyers, and added a lot of stress to his life. But they haven't admitted that they were wrong, and they haven't renounced such actions in the future.

We're all very happy that Phil's out of the woods, and today's announcement is a great thing. But it's not enough.

From jya at pipeline.com Thu Jan 11 02:20:22 1996
From: jya at pipeline.com (John Young)
Date: Thu, 11 Jan 1996 18:20:22 +0800
Subject: Shimomura on TV?
Message-ID: <199601110308.WAA26826@pipe1.nyc.pipeline.com> Someone just said that NBC's Dateline showed a snippet of Shimomura on an upcoming show about rampant cyber-crime and that he was the best hope against it, or something to that effect. Did anyone see it and get the time and date? Anyone attend the Shimomura-Markoff lecture at Stanford today? Is this the media blitz for their pot-boiler? Can't wait to slurp it. From ses at tipper.oit.unc.edu Thu Jan 11 18:38:59 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Thu, 11 Jan 96 18:38:59 PST Subject: Zimmermann case is dropped. In-Reply-To: <9601120029.AA04608@zorch.w3.org> Message-ID: On Thu, 11 Jan 1996 hallam at w3.org wrote: > make small ones out of big ones. Thats a big plus in many peoples books. > > > > > We've made no progress. Phil has lots lots of time and gained > >lots of grey hairs, and everyone who donated to his defense fund lost > >money. > > No progress? At least Phil is not going off on a trip to Alcatraz to > One of the most overdue reforms of the US government is the renaming of > the FBI building to remove the name of J Edgar Hoover. The abuse of power > under his administration of the FBI continues to poison the US polity > by providing clear proof to many citizens that their government cannot be > trusted. While the abuses of Hoover continue to be commemerated in this > fashion there can be little public confidence in any claims of reform. > > > The US can still harass people if they want, and make their > >life hell. > > Not just the US government. There are many crooks out there who have attempted > or are attempting worse. At least with the government there are means to > bring it to heel eventually. > > Phill > > (defun modexpt (x y n) "computes (x^y) mod n" (cond ((= y 0) 1) ((= y 1) (mod x n)) ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n)) (t (mod (* x (modexpt x (1- y) n)) n)))) From perry at piermont.com Thu Jan 11 18:42:52 1996 From: perry at piermont.com (Perry E. 
Metzger) Date: Thu, 11 Jan 96 18:42:52 PST Subject: legal question Message-ID: <199601120242.VAA19147@jekyll.piermont.com> A question for our local attorneys. There have been several times in the past where people have questioned whether cryptographic hash functions like SHA and the like are exportable under the ITAR? In a joint declaration of facts not in dispute as part of Karn v. State Department, the following was agreed by the government: (see http://www.qualcomm.com/people/pkarn/export/karnsf.html) 34. Three of the source code listings on the diskette and in Part Five of the Applied Cryptography book, MD-5, N-HASH, and SHS are "hashing routines" that perform a data authentication function and, by themselves, are not controlled for export under the ITAR because cryptographic software that is solely limited to a data authentication function is excluded from Category XIII(b) of the United States Munitions List. See 22 C.F.R. 121.1 XIII(b)(vi). Would this not mean that the government is estopped from ever again claiming that hash functions are export controlled under the ITAR? Just curious as to whether or not things have been made more clear... Perry PS they also admit in the same declaration to having broken Enigma in WWII. A shocking revelation. From ses at tipper.oit.unc.edu Thu Jan 11 19:02:29 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Thu, 11 Jan 96 19:02:29 PST Subject: Pantsing- sorry, Takedown In-Reply-To: <199601120029.TAA28014@pipe3.nyc.pipeline.com> Message-ID: I skimmed through the book at Keplers; it seemed an interesting enough romp. The style is Markoff all the way, so it's well pretty well written. They do seem to paint a pretty black and white picture of Mitnick, which is to be expected given the author's involvement in the investigation. It seems like a good book for a long flight, or a slow caltrain. I was a little annoyed by the way the authors dissed Raleigh as a 'backwater' though. 
Ok, it's not Chapel Hill, but still :-)

Simon

From nobody at REPLAY.COM Thu Jan 11 03:14:15 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Thu, 11 Jan 1996 19:14:15 +0800
Subject:
Message-ID: <199601111103.GAA14697@bb.hks.net>

-----BEGIN PGP SIGNED MESSAGE-----

- ---
[This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

iQBFAwUBMPTubCoZzwIn1bdtAQHDwQF+JX+aO6VsLP2lruyhHnybD44hSb/JLzU1
fTa36XwrRQoowAt1Hdw3NyqHB59BNxKm
=b5TF
-----END PGP SIGNATURE-----

From ses at tipper.oit.unc.edu Thu Jan 11 19:18:01 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Thu, 11 Jan 96 19:18:01 PST
Subject: Zimmermann case is dropped.
In-Reply-To: <199601112329.PAA15617@infinity.c2.org>
Message-ID:

For once, Thatcher said it best: "Just Rejoice."

However, Churchill said it better: "This is not the end. This is not the beginning of the end, but rather the end of the beginning".

But has Phil sold the photos to a tabloid yet?

Simon

(defun modexpt (x y n)
  "computes (x^y) mod n"
  (cond ((= y 0) 1)
        ((= y 1) (mod x n))
        ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n))
        (t (mod (* x (modexpt x (1- y) n)) n))))

From holovacs at styx.ios.com Thu Jan 11 03:18:16 1996
From: holovacs at styx.ios.com (Jay Holovacs)
Date: Thu, 11 Jan 1996 19:18:16 +0800
Subject: When they came for the Jews...
In-Reply-To: <199601102152.QAA24188@thor.cs.umass.edu>
Message-ID:

A city in Illinois (I forget the name at the moment) enacted a law against clothing color combinations favored by gangs. Ironically the local high school colors were included on the list. Things can get real scary real fast.

Jay Holovacs
PGP Key fingerprint = AC 29 C8 7A E4 2D 07 27 AE CA 99 4A F6 59 87 90
(KEY id 1024/80E4AA05) email me for key

On Wed, 10 Jan 1996, Futplex wrote:

> Sorry, but from where I stand there's nothing "wrong" with wearing clothing,
> bearing tattoos, etc., any more than there's anything "wrong" with having a
> particular level of skin pigmentation. When you decide that only clothing,
> tattoos, etc. that display particular colors, emblems, words, etc. are
> "wrong", then you are stifling free expression.

From nobody at c2.org Thu Jan 11 19:26:31 1996
From: nobody at c2.org (Anonymous User)
Date: Thu, 11 Jan 96 19:26:31 PST
Subject: Shimomura on TV?
Message-ID: <199601120305.TAA16534@infinity.c2.org>

> From: Michael C. Peponis
> To: cypherpunks at toad.com
>
> Why let it bother you? You must understand that the majority of the
                                                      ^^^^^^^^
> population of the United States is working class trash, the news
                                     ^^^^^^^^^^^^^^^^^^^
Hope you're including yourself in that.

> media is just peddeling to the masses, just like the morons that hold
                ^^^^^^^^^
Can't spell - *must* be working class trash...

> elected office.
>
> Regards,
> Michael Peponis
          ^^^^^^^
Tell me: is the 'po' silent?

From don at wero.cs.byu.edu Thu Jan 11 19:30:47 1996
From: don at wero.cs.byu.edu (Don M. Kitchen)
Date: Thu, 11 Jan 96 19:30:47 PST
Subject: https & encrypted connections
Message-ID: <199601120211.TAA00265@wero.cs.byu.edu>

-----BEGIN PGP SIGNED MESSAGE-----

First of all, let me apologize for not being very knowledgeable about CA's and https and SSLeay, apache, and generating renegade (ie, your own) certificates. If someone wants to go over this [again] certainly it'd be welcome.

I was today playing around with a Mozilla 2.0beta5 that someone gave me [more bells and whistles than my 1.12, but not much more bang for the buck] and was showing a friend all the nifty information that netscape tells about you when you visit sites, then went to c2 to show off the apache web server and when I tried to use https:// to show off how you can have your own encrypting web server for free and everything, a window popped up and said the certificate was expired. I couldn't really tell if it meant that the certificate that Sameer generated really needed to be updated, or if Netscape beta 5 had just been rigged to reject non-netscape certificates, but the end result was no encryption.

(Jeff, if you're reading this, of course we know that Netscape, with its open loving policies wouldn't do anything underhanded, but the thought does come to mind, and by the way, when are we going to see an option to turn off or control what information is passed out to the other end. Specifically, I'd like http://anonymizer.cs.cmu.edu:8080/prog/snoop.pl to come up nearly blank.)

Soooo, anyway, I was wondering if anyone knows anything about the use of privately generated certificates. Yes, Jeff, we know that Netscape is jumping to fully support user-specified certificates, but personally I saw, relating to certificates, a lot of *nifty* options and displays, but really didn't see much in the way of anything that looked like "add".

...Looking forward to the day where end-to-end encryption is king, and the TLA, my competition, or anyone else can take their packet sniffer and kiss my butt.

Don

PS: my predictions on the PRZ-secretly-sold-out-rumor-index: 6.
my predictions on the IQ of those making those claims: 6. (cumulative)

woohooo Phil!

- --
fRee cRyPTo! jOin the hUnt or BE tHe PrEY
PGP key - http://students.cs.byu.edu/~don or PubKey servers (0x994b8f39)
June 7&14, 1995: 1st amendment repealed.
Junk mail to root at 127.0.0.1
* This user insured by the Smith, Wesson, & Zimmermann insurance company *

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBMPXDV8La+QKZS485AQHkXwMAnGWVeLB6ntpkK1ksZ7a8+iklA/sPfIT2
XqqJRRX0Ddg2UuAAxmk6WOC/nxnRPRlM/4AkkaEohZRv14ccnlvv3qVGFxpLlxKG
iYgbn1x9/xgHjwAB31HqozQix79wPfB/
=v9ni
-----END PGP SIGNATURE-----

From erc at dal1820.computek.net Thu Jan 11 19:45:54 1996
From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin])
Date: Thu, 11 Jan 96 19:45:54 PST
Subject: web reference to PRZ FAX from US Atty
Message-ID: <199601120345.VAA15609@dal1820.computek.net>

-----BEGIN PGP SIGNED MESSAGE-----

Got this off the web - it's a link to the letter that Phil got from the US attorney:

http://www.eff.org/pub/Alerts/usatty_pgp_011196.announce

U.S. Atty. DROPS PGP INVESTIGATION!

- --
Ed Carp, N7EKG    Ed.Carp at linux.org, ecarp at netcom.com
214/993-3935 voicemail/digital pager
800/558-3408 SkyPager
Finger ecarp at netcom.com for PGP 2.5 public key    an88744 at anon.penet.fi

"Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'"

-- "Losing Your Mind", Karen Alexander and Rick Boyes

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMPXZYyS9AwzY9LDxAQG4BgP+PmA6GoUSMCpnvUfo+1v1MpFX0pdg66jN
Foo5yuT+G2fIG1m+K4aVrZusPHhC+tHjx2kaMqn0ZSE9nC8U32blpt01+CE+xgp3
x4q5L6llkyEK4oWSrnjbZImcjm3VIrAiaj8S3+qGfAz3FEZ5ChJZ2Q4J91lsqv5z
3FY/xiKqu60=
=Nrr2
-----END PGP SIGNATURE-----

From dmandl at bear.com Thu Jan 11 07:06:13 1996
From: dmandl at bear.com (David Mandl)
Date: Thu, 11 Jan 1996 23:06:13 +0800
Subject: Net Control is Thought Control
In-Reply-To:
Message-ID:

On Thu, 11 Jan 1996, Timothy C. May wrote:

> At 8:41 PM 1/10/96, David Mandl wrote:
>
> >P.S.: Regarding limits on "freedom of speech" in the U.S., take a look
> >at the long list Tim May posted a few months back. (I was scoffing at
> >Perry's claim that we had nearly complete freedom of speech in the
> >U.S., and then Tim responded with much more detail.)
>
> This may have been more than a "few" months back...maybe even more than
> several. I'm not sure when I wrote this, and I have too many megs of past
> messages to find it.

Here it is:

Date: Fri, 30 Jun 1995 11:26:30 -0700
From: "Timothy C. May"
To: David Mandl, cypherpunks at toad.com
Subject: Re: MORE *ANTI-INTERNET* PROP

>The gist (without examples right now) is that the U.S. has a truly stunning
>amount of regulation of speech. Between regulation of professions,
>restrictions on product claims, the whole mess of tort law, and the various
>anti-discrimination and fairness laws, the only speech which is truly free
>is that of penniless idiots spouting off in public parks.

I disagree with this, but no need to argue about it here.

   --D.

--
David Mandl
Bear, Stearns & Co. Inc.
Phone: (212) 272-3888
Email: dmandl at bear.com

--
*******************************************************************************
Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication.
*******************************************************************************

From cigaly at srce.hr Thu Jan 11 07:59:10 1996
From: cigaly at srce.hr (Cedomir Igaly)
Date: Thu, 11 Jan 1996 23:59:10 +0800
Subject: SSH for Windows
In-Reply-To: <199601110325.EAA25254@utopia.hacktic.nl>
Message-ID: <19960111.152756215F@srce.hr>

On Thu, 11 Jan 1996 04:25:21 +0100, nobody at flame.alias.net (Anonymous) said:

> Alex de Joode (usura at utopia.hacktic.nl) wrote:
>
> : ...can be found at URL http://public.srce.hr/~cigaly/ssh/. FYI.
> >
> > also on ftp.hacktic.nl/pub/replay/pub/incoming/ssh-1-2.zip
> >
> > (the .hr link is _very_ slow)
> > -AJ-
>
> *ahem* Where's the source code? You don't expect us to trust a crypto
> implementation without source code, do you?
>
> Not to mention that that would be a violation of the GPL...

Maybe you're right. You have my promise that I will not do such things again.

Regards,
C.I.

From blancw at accessone.com Thu Jan 11 08:00:43 1996
From: blancw at accessone.com (blanc)
Date: Fri, 12 Jan 1996 00:00:43 +0800
Subject: Net Control is Thought Control
Message-ID: <01BADFF7.0DBE4740@blancw.accessone.com>

From: Vladimir Z. Nuri

the problem that "covert thought control" becomes more possible with an information age that does not handle identity in any "permanent" or "enduring" way. agent provocateurs etc. may be more difficult to identify and easier to create and maintain. in fact a single "government thought control agent" might be able to create and maintain dozens of convincing identities, all of them working to subtly manipulate the population's thinking without detection. (...)
...........................................................................

I read the book, too, Nuri, and I think you overlooked an important point. It doesn't matter about the identity of the provocateur. It is the identity of the "target" which is crucial. It is when the prisoner in a psychologically restricted setting begins to identify with their agent-provocateur cell mates, to sympathize with and accept their ideology, that change in that prisoner's mind becomes possible and the thought control is achieved. This change in the prisoner's image of themselves is not so easily accomplished in a setting where they are free to leave, free to seek and hear other points of view - more importantly, the actual truth.

"The primary effect of unfreezing is that it makes the prisoner seek information which will guide him in finding an adaptational solution to his problems. Such information can be gotten to some extent from the propaganda input to him via the mass media, lectures, loudspeakers, etc., but more likely is obtained from cell mates or interrogators who begin to be models of how to adapt successfully. The prisoner who has been unfrozen begins to treat the interpersonal cues he obtains from them as credible and valid, and begins to take their point of view seriously, where previously he may have paid no attention to it or even discounted it."

A mistake people make even when they are not physically imprisoned, is that they seek to benefit by association: they will accept an appearance of confidence as equivalent to knowledge, accepting the word of those who "seem to know", instead of searching for definite facts. They come to depend upon their identification with groups of such like-minded people, and thus get themselves in trouble when the whole herd is suddenly corralled and taken for a ride (by their leaders).

Rather than worry so much about anyone's actual identity as a determining factor in what one will accept from them, I think it is much more critical to consider the content of the information they offer; to develop one's judgement (to "know how to know") so to be able to evaluate that information and make realistic decisions for oneself about what to support or what actions to take.

..
Blanc

From don at cs.byu.edu Thu Jan 11 10:22:01 1996
From: don at cs.byu.edu (don at cs.byu.edu)
Date: Fri, 12 Jan 1996 02:22:01 +0800
Subject: archives
Message-ID: <199601102345.QAA00195@wero.cs.byu.edu>

will whoever's maintaining the cpunk archives please check them, they don't have anything since new years. And while you're at it, please put in a mailto: link so that you can be informed directly that they're down, or do I have to cc to postmaster and root?

Thanks

Don

From stevenw at best.com Thu Jan 11 11:53:53 1996
From: stevenw at best.com (Steven Weller)
Date: Fri, 12 Jan 1996 03:53:53 +0800
Subject: Popular Science on US Spysats - Part 1
Message-ID:

> Friend,
>
>
> 02 96 Popular Science runs a cover story, America's First Eyes
> in Space. It's by Stuart Brown. It's about "a secret space
> reconnaissance program known as Corona."

Yawn.

Didn't I ask you to stop posting garbage to the list? Please do not grace us with parts 2, 3 or whatever.

-------------------------------------------------------------------------
Steven Weller         | "The Internet, of course, is more
                      |  than just a place to find pictures
                      |  of people having sex with dogs."
stevenw at best.com   |     -- Time Magazine, 3 July 1995

From tcmay at got.net Thu Jan 11 11:54:51 1996
From: tcmay at got.net (Timothy C. May)
Date: Fri, 12 Jan 1996 03:54:51 +0800
Subject: Good Riddance to Wiesenthal and His Nazis
Message-ID:

At 6:26 PM 1/10/96, Adam Shostack wrote:

> The Wiesenthal center is very influential in Jewish circles.
>Attacking them directly would probably be a bad idea, and create bad
>associations for anonymity amongst Jews. (I'll come back to this.)

I for one won't hesitate to criticize these Jew Nazis. Who cares if it "creates bad associations for anonymity amongst Jews"? If a Jew is put off by condemnation of the Wiesenthalistas and their pogrom against free speech, I say good riddance.

Didn't those Jews learn anything? It wasn't "free speech" in pre-war Germany that led to the extermination of Jews, it was the rise to power (by a combination of circumstances involving a putsch, the Reichstag fire, a feeble ruler, hunger for strong leadership, dire economic conditions, and other factors) by Hitler and the placing of too much power in the hands of a central government.

>methodology. There is also a difference between stopping skinheads
>and stopping blacks, in that the skinheads decided to wear clothing
>and tattoos that identify them as skinheads, and thus may more fairly
>be asked to bear the consequences.

So, wearing the wrong clothes because the clothes identify one as a member of a political group is grounds for being stopped by the police? "Asked to bear the consequences"? Since when?

--Tim May

(In case anyone is in doubt, I have no beef (or pork) with Jews. I think their religion is just another quaint Middle Eastern idol-worshiping cult, on a par with Islam and Christianity and Zoroastrianism. But I have been following the attempts by such Nazi Jews as the Simon Wiesenthal chapter Jews in L.A. to censor the Net--their first calls went out at least two years ago--and this latest sending of 200+ "advisory letters" to ISPs, if confirmed, will be their undoing. The Thule Network is already using Cypherpunks-type remailers, and this will only gain them more members.)

We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From proff at suburbia.net Fri Jan 12 04:08:17 1996
From: proff at suburbia.net (Julian Assange)
Date: Fri, 12 Jan 96 04:08:17 PST
Subject: Zimmermann case is dropped.
In-Reply-To: <9601120040.AA03530@toad.com>
Message-ID: <199601121206.XAA04446@suburbia.net>

> Of course they can; they're the U.S. government. No possible outcome of
> Phil's case would have changed this fact. If the Federal government
> wishes to make your life miserable they can always do so.

The more important point being missed of course is that Phil has and no doubt will continue to make certain elements of the U.S. government quite miserable indeed. Something that I suspect doesn't make Phil too miserable at all.

--
+----------------------------------+-----------------------------------------+
|Julian Assange                    | "if you think the United States has     |
|FAX: +61-3-9819-9066              |  stood still, who built the largest     |
|EMAIL: proff at suburbia.net      |  shopping centre in the world?" - Nixon |
+----------------------------------+-----------------------------------------+

From gnu at toad.com Thu Jan 11 12:25:37 1996
From: gnu at toad.com (John Gilmore)
Date: Fri, 12 Jan 1996 04:25:37 +0800
Subject: BIG NEWS: PRZ investigation dropped!
Message-ID: <9601112011.AA25213@toad.com>

From: Stanton McCandlish
Date: Thu, 11 Jan 1996 11:53:46 -0800 (PST)

Justice Dept. dropped investigation of Phil Zimmermann, declines to prosecute. They put out a press rel. about it, already got a journo call regarding this. More when I find it.

--
Stanton McCandlish
mech at eff.org
Electronic Frontier Foundation
Online Activist

From ftrotter at marktwain.com Thu Jan 11 13:38:16 1996
From: ftrotter at marktwain.com (Frank O. Trotter, III)
Date: Fri, 12 Jan 1996 05:38:16 +0800
Subject: New Ecash Consumer Fee Schedule
Message-ID: <199601112113.AA14249@mail.crl.com>

-----------------------------------------------------------
MARK TWAIN BANK (Member FDIC) ANNOUNCES
NEW CONSUMER FEE STRUCTURE FOR ECASH

See all the information at: www.marktwain.com
or email us at: Ecash-info at marktwain.com

Mark Twain Bank is rolling back consumer Ecash fees in reaction to the tremendous positive response to Ecash. "Because of the level of interest we have elected to reward users for their acceptance of Ecash," said Frank Trotter, Mark Twain Ecash project director. "Ecash represents the future of money and we want to make it available to all Internet users."

Ecash enables you to control your money and your privacy while doing business on the Internet. The Ecash software is available free of charge when you sign up for an account. Once your application has been approved you can download the software directly from the Internet and start using Ecash right away!

WORLD CURRENCY ACCESS ACCOUNTS ARE INSURED BY THE FDIC. AMOUNTS HELD IN THE ECASH MINT OR ON YOUR HARD DRIVE ARE NOT INSURED BY THE FDIC.

NEW FEES FOR CONSUMERS
-----------------------

There is no charge for movement of money within the Ecash system! Once the money is in Ecash you can do as many transactions as you like and it won't cost you anything more!

There is only a charge to move money back and forth between your WorldCurrency Access account and the Ecash system (much like an ATM fee).

Depending on the Schedule you select, and the balances you keep, there may be no monthly fee for your WorldCurrency Access account or for money movements between your WorldCurrency Access account and the Ecash Mint!

That means a no monthly fee account is within your reach!
--------------------------------------------------------

Remember that you can also earn interest by maintaining a balance over $2,500 in an interest bearing WorldCurrency Access account.

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

SCHEDULE OF CHARGES

You choose the option that suits you best:

                              Schedule 1   Schedule 2   Schedule 3
==========================================================
Ecash Account Opening Fee       $11.00       $25.00       $25.00

Monthly Fee:                      1.00         2.00         5.00

Number of included monthly
transfers in to Mint:                1            2            5
(any dollar amount!)

Cost of transactions
within Ecash system:              Zero         Zero         Zero

Average balance in
WorldCurrency Access to
waive Monthly Fee:                $500         $750       $1,500

Cost per additional
transfer to Mint:                 3.00         2.00         1.00

Move money out of Mint:          5.00%        4.50%        4.00%
(percent of balance transferred)

Additional transfers to Mint and fees to move money out of Mint apply at all balance levels.

=================================================

Explanation of fees:

There are several types of fees that are designed to be easy to understand, and low where you want them to be low.

1) Ecash Account Opening fee - this covers the processing involved in setting up an account.

2) Monthly Maintenance Fee - low if you are an infrequent user - higher if you want to reduce your overall cost. The monthly fee covers the scheduled number of transfers to the Ecash system from your WorldCurrency Access Account, and each schedule type receive a different charge for transfers from the Ecash system Back to the WorldCurrency Access account.

3) Additional transfer fee - cost per additional transfer per month to the Ecash system from your WorldCurrency Access account- if you just do one large one per month then you may never need this.

4) Move money out of Mint - when you want to move your money from the Ecash system to your WorldCurrency Access account.
To make this cost effective to you there is no minimum charge per transfer charge, only a charge based on a percentage of the balance transferred!

5) Average Balance in WorldCurrency Access to waive Monthly Fee: If you maintain this amount as an average daily balance for the entire interest payment period, the monthly fee will be waived. Additional transfer fees and "Move money out of Mint" fees will continue to apply and can result in a charge.

Contact:

Mark Twain Bank
Frank O. Trotter, III
Vice President Capital Markets Group
Director International Markets Division
ftrotter at marktwain.com
Phone: +314-997-9213
Fax: +314-569-4906
===========================================================

From prz at acm.org Thu Jan 11 13:54:09 1996
From: prz at acm.org (Philip Zimmermann)
Date: Fri, 12 Jan 1996 05:54:09 +0800
Subject: Zimmermann case is dropped.
Message-ID: <199601081035.KAA02532@maalox>

-----BEGIN PGP SIGNED MESSAGE-----

My lead defense lawyer, Phil Dubois, received a fax this morning from the Assistant US Attorney in Northern District of California, William Keane. The letter informed us that I "will not be prosecuted in connection with the posting to USENET in June 1991 of the encryption program Pretty Good Privacy. The investigation is closed."

This brings to a close a criminal investigation that has spanned the last three years. I'd like to thank all the people who helped us in this case, especially all the donors to my legal defense fund. Apparently, the money was well-spent. And I'd like to thank my very capable defense team: Phil Dubois, Ken Bass, Eben Moglen, Curt Karnow, Tom Nolan, and Bob Corn-Revere. Most of the time they spent on the case was pro-bono. I'd also like to thank Joe Burton, counsel for the co-defendant.

There are many others I can thank, but I don't have the presence of mind to list them all here at this moment. The medium of email cannot express how I feel about this turn of events.

  -Philip Zimmermann
   11 Jan 96

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMPDy4WV5hLjHqWbdAQEqYwQAm+o313Cm2ebAsMiPIwmd1WwnkPXEaYe9
pGR5ja8BKSZQi4TAEQOQwQJaghI8QqZFdcctVYLm569I1/8ah0qyJ+4fOfUiAMda
Sa2nvJR7pnr6EXrUFe1QoSauCASP/QRYcKgB5vaaOOuxyXnQfdK39AqaKy8lPYbw
MfUiYaMREu4=
=9CJW
-----END PGP SIGNATURE-----

From wilcoxb at nagina.cs.colorado.edu Thu Jan 11 14:01:18 1996
From: wilcoxb at nagina.cs.colorado.edu (Bryce)
Date: Fri, 12 Jan 1996 06:01:18 +0800
Subject: When they came for the Jews...
In-Reply-To: <2.2.32.19960110153325.006b5980@panix.com>
Message-ID: <199601112133.OAA12590@nagina.cs.colorado.edu>

-----BEGIN PGP SIGNED MESSAGE-----

An entity calling itself Duncan Frissel is alleged to have written:
>
>
> "I favor discrimination on the basis of race, creed, color sex, age,
> alienage, previous condition of servitude, recent interstate travel,
> handicap, sexual or affectional preference, marital status, Vietnam-era
> veteran status (or lack thereof), occupation, economic status, and anything
> else I can think of."
>
>

"Color sex"? Oh nevermind...

Bryce, Just Another Conspirator Against Democracy

signatures follow

"To strive, to seek, to find and not to yield." -Tennyson
bryce at colorado.edu

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01

iQCVAwUBMPWCMfWZSllhfG25AQGcIwQAq8x9Cf8DfbPHcGVodfC7pyB5Jv+0RqUr
6kJ+fN1lA329OSdFOViFQc1rDlZd/OroLXn5Sgfw1nmx0+zfYLRlxrW3iScFtHDT
C2PsNLBeUvqhf/zurnRSk0sX1ehdrNywGfuw6R0fWAGLKqaxXw7Kpntc88ZMVG/6
7ZEjb9j9Etw=
=W3DD
-----END PGP SIGNATURE-----

From carolann at censored.org Thu Jan 11 14:38:14 1996
From: carolann at censored.org (Censored Girls Anonymous)
Date: Fri, 12 Jan 1996 06:38:14 +0800
Subject: Zimmermann case is dropped.
Message-ID: <199601112215.PAA28808@usr4.primenet.com>

CLAP!!! CLAP!!! CLAP!!! CLAP!!!

At 03:35 AM 1/8/96 -0700, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>My lead defense lawyer, Phil Dubois, received a fax this morning from
>the Assistant US Attorney in Northern District of California, William
>Keane. The letter informed us that I "will not be prosecuted in connection
>with the posting to USENET in June 1991 of the encryption program
>Pretty Good Privacy. The investigation is closed."
> -Philip Zimmermann
> 11 Jan 96
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.2
>
>iQCVAwUBMPDy4WV5hLjHqWbdAQEqYwQAm+o313Cm2ebAsMiPIwmd1WwnkPXEaYe9
>pGR5ja8BKSZQi4TAEQOQwQJaghI8QqZFdcctVYLm569I1/8ah0qyJ+4fOfUiAMda
>Sa2nvJR7pnr6EXrUFe1QoSauCASP/QRYcKgB5vaaOOuxyXnQfdK39AqaKy8lPYbw
>MfUiYaMREu4=
>=9CJW
>-----END PGP SIGNATURE-----
>
>

--
Member Internet Society - Certified BETSI Programmer - Webmistress
***********************************************************************
Carol Anne Braddock (cab8) carolann at censored.org 206.42.112.96
My Homepage
The Cyberdoc
***********************************************************************
------------------ PGP.ZIP Part [017/713] -------------------
http://dcs.ex.ac.uk/~aba/export/

From mpd at netcom.com Thu Jan 11 14:48:02 1996
From: mpd at netcom.com (Mike Duvos)
Date: Fri, 12 Jan 1996 06:48:02 +0800
Subject: Zimmermann case is dropped.
In-Reply-To: <30F5A6B0@ms-mail.datastorm.com>
Message-ID: <199601112225.OAA17391@netcom23.netcom.com>

Phil Writes:

> This brings to a close a criminal investigation that has spanned the
> last three years. I'd like to thank all the people who helped us in
> this case, especially all the donors to my legal defense fund.

Gosh - I guess the NSA finally managed to crack PGP after all. (sigh)

--
     Mike Duvos         $    PGP 2.6 Public Key available     $
     mpd at netcom.com   $    via Finger.                      $

From hallam at w3.org Thu Jan 11 15:12:40 1996
From: hallam at w3.org (hallam at w3.org)
Date: Fri, 12 Jan 1996 07:12:40 +0800
Subject: Zimmermann case is dropped.
In-Reply-To: <199601081035.KAA02532@maalox>
Message-ID: <9601112236.AA04283@zorch.w3.org>

Good news, but let's not forget that winning the battle isn't winning the war.

The dropping of the case means that the legality of the ITAR restrictions goes untested. Had the case not been dropped it would have expired shortly under the statute of limitations.

The real issue here is the abuse of the investigative powers of the FBI in support of their own political agenda.

Phill Hallam-Baker

From mark at zang.com Thu Jan 11 15:13:05 1996
From: mark at zang.com (Mark (Mookie))
Date: Fri, 12 Jan 1996 07:13:05 +0800
Subject: Mitnik and Shimomura
Message-ID: <199601112238.MAA04861@zang.com>

>Shimomura had almost complete packet traces of the break-in, which
>allowed him to reconstruct the attack.

>It was a trap.

It was not a trap. Shimomura was caught with his proverbials down. His arrogance made him complacent and as such he didn't take the most basic steps to keep the attack out. According to Tsutomu's own account of the incident he was only able to decipher what happened because the attacker(s) didn't clean away the info off the hard drive when they were finished. They rm'd sure but he dd'd the raw disk to another drive and worked through the blocks until he found the two tools that were used to effect the intrusion. He was also able to recover the tcpdump logs that were erased.

If the intruder(s) had rm'd the data and THEN done a mkfile that filled the disk with 0's then most of what we know today would not be available. As mentioned a week or two back, filling the unused portions of blocks with 0's would probably also be necessary.

As to whether Mitnick is capable of effecting the intrusion, that is yet to be ascertained.
He claims no involvement in it and based on what's known of his cracking prowess there is a certain truth to it. He's infinitely better with a phone than a keyboard.

From ryan at netaxs.com Thu Jan 11 15:26:30 1996
From: ryan at netaxs.com (Ryan Lackey)
Date: Fri, 12 Jan 1996 07:26:30 +0800
Subject: E-cash and Interest
In-Reply-To: <199601111911.AA16628@mail.crl.com>
Message-ID: <199601112252.RAA03445@unix5.netaxs.com>

In one of many possible worlds, Frank O. Trotter, III did say:

> One note, under US banking regulation, "transaction accounts" fall
> under different rules than money market accounts, savings accounts,
> and NOW accounts. Depending on the exact functionality desired,
> and future regulation changes, there will be more or less incentive
> and/or legal ability to pay interest.

Yet more incentive for starting a bank somewhere in the free world...

> Given the current functionality of Ecash there will be little
> incentive to hold balances on your hard drive once interest is
> available. It is just too easy to move the money down when
> you need it. Today there is no specific cost incentive between
> the Mint and your hard drive.

Ecash really would be a lot nicer if it were implemented in a multi-issuer system with even more choices for storing your money, like in an ecash money market account at a non-issuing institution. I can wait.

I agree that there's little point in storing ecash on your hard drive past a slush amount for purchases (hopefully the sw will be smart enough to advise people as to how much to keep on hand)...ecash still requires a check with the bank before spending any cash, correct? Ecash on disk doesn't protect against denial-of-service-through-networking attacks then. Keeping ecash at MTB, however, wouldn't be my reason for keeping it at a remote location. Probably.

> It does not take a long leap to see that when the account and the
> Mint are merged, that since the Mint _is_ the account, PC/Internet
> banking, debit and all other regular banking functionality can
> become immediately integrated!

If I had to conduct all of my banking in accordance with Mark Twain's fee schedule and legal restrictions, I'd be buying another mattress right now..well, maybe pillowcase.

By integrating all of these services under Mark Twain Bank Ecash Mint, I would get all of the advantages of a rather pricey bank, 4-5% loss on all my deposits, minimal privacy protection, no FDIC protection, $2500 initial deposit (not a problem for me, but it does keep many of the people I'd like to send money to out of the system..always a feature), and _tens_ of places to spend my ecash, only 4 or 5 of which that really sell things.

--
Ryan Lackey -*- ryan at pobox.com -*- http://www.netaxs.com/people/ryan/
"Calmly and impersonally, she, who would have hesitated to fire at an animal, pulled the trigger and fired straight at the heart of a man who had wanted to exist without the responsibility of consciousness." -- Ayn Rand, _Atlas Shrugged_.

From andr0id at midwest.net Thu Jan 11 15:27:58 1996
From: andr0id at midwest.net (Jason Rentz)
Date: Fri, 12 Jan 1996 07:27:58 +0800
Subject:
Message-ID: <199601112305.RAA00123@cdale1.midwest.net>

>[This message has been signed by an auto-signing service. A valid signature
>means only that it has been received at the address corresponding to the
>signature and forwarded.]
>

Am I the only one getting this message several times?

(\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/)
(http://www.oicu812.com Maybe one of the )
( cheapest Internet services! )
(andr0id at midwest.net callsign: N9XLM)
(Finger andr0id at oicu812.com for public PGP Key)

From sameer at c2.org Thu Jan 11 15:54:31 1996
From: sameer at c2.org (sameer)
Date: Fri, 12 Jan 1996 07:54:31 +0800
Subject: Zimmermann case is dropped.
In-Reply-To: <9601112236.AA04283@zorch.w3.org>
Message-ID: <199601112329.PAA15617@infinity.c2.org>

We've made no progress. Phil has lost lots of time and gained lots of grey hairs, and everyone who donated to his defense fund lost money.

The US can still harass people if they want, and make their life hell.

--
Sameer Parekh                              Voice: 510-601-9777x3
Community ConneXion                        FAX: 510-601-9734
The Internet Privacy Provider              Dialin: 510-658-6376
http://www.c2.org/ (or login as "guest")   sameer at c2.org

From mianigand at unique.outlook.net Thu Jan 11 16:17:27 1996
From: mianigand at unique.outlook.net (Michael C. Peponis)
Date: Fri, 12 Jan 1996 08:17:27 +0800
Subject: Zimmermann case is dropped.
Message-ID: <199601112334.RAA20954@unique.outlook.net>

> Good news, but let's not forget that winning the battle isn't winning the war.
>
> The dropping of the case means that the legality of the ITAR restrictions goes
> untested. Had the case not been dropped it would have expired shortly under the
> statute of limitations.
>
> The real issue here is the abuse of the investigative powers of the FBI in
> support of their own political agenda

Congratulations to Philip, but Phill (boy this is getting confusing) is right. By dropping the case, the government avoids a high visibility case that could change the rules.

What happened to Philip Zimmermann is inexcusable, but others must continue in his footsteps in order to win a decisive victory.

Gee, Anybody got a good public-domain Windoz version of PGP?

Regards,
Michael Peponis
PGP Key Available from MIT Key Server, or via finger

From delznic at storm.net Thu Jan 11 16:36:41 1996
From: delznic at storm.net (Douglas F.
Elznic)
Date: Fri, 12 Jan 1996 08:36:41 +0800
Subject: Shimomura on TV?
Message-ID: <2.2.16.19960112000749.2b6f98f8@terminus.storm.net>

At 10:08 PM 1/10/96 -0500, John Young wrote:
>Someone just said that NBC's Dateline showed a snippet of
>Shimomura on an upcoming show about rampant cyber-crime and
>that he was the best hope against it, or something to that
>effect. Did anyone see it and get the time and date?
>
>Anyone attend the Shimomura-Markoff lecture at Stanford today?
>
>Is this the media blitz for their pot-boiler? Can't wait to
>slurp it.
>

Has anyone heard anything else about this? I am getting real sick of the media's portrayal of the internet. They never say anything good about it. If they were to mention C2's system they would say how it is a no-rules server to hide thugs and pornos from the police. I am getting sick of watching this trash. The whole realm of the internet and computers and their associated areas are very dear to me. I am sick of the media bludgeoning them to death.

--
==================Douglas Elznic===================
delznic at storm.net
http://www.vcomm.net/~delznic/
(315)682-5489 (315)682-1647
4877 Firethorn Circle Manlius, NY 13104
"Challenge the system, question the rules."
===================================================
PGP key available: http://www.vcomm.net/~delznic/pgpkey.asc
PGP Fingerprint: 68 6F 89 F6 F0 58 AE 22 14 8A 31 2A E5 5C FD A5
===================================================

From mab at crypto.com Thu Jan 11 16:59:13 1996
From: mab at crypto.com (Matt Blaze)
Date: Fri, 12 Jan 1996 08:59:13 +0800
Subject: Zimmermann case is dropped.
In-Reply-To: <199601081035.KAA02532@maalox>
Message-ID: <199601120022.TAA23574@crypto.com>

Congratulations! You must be very relieved, as are the rest of us in the cryptographic community in the US.

One question, though. In your comments, you write

    I'd also like to thank Joe Burton, counsel for the co-defendant.
This raises the obvious question - do you know if the entire case has been dropped, or have you just been eliminated as a target with the possibility still open that others may yet be indicted?

Again, my congratulations.

-matt

From adam at lighthouse.homeport.org Thu Jan 11 17:00:32 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Fri, 12 Jan 1996 09:00:32 +0800
Subject: Zimmermann case is dropped.
In-Reply-To: <199601112334.RAA20954@unique.outlook.net>
Message-ID: <199601120023.TAA22279@homeport.org>

Michael C. Peponis wrote:
| What happened to Philip Zimmermann is inexcusable, but others must
| continue in his footsteps in order to win a decisive victory.
|
| Gee, Anybody got a good public-domain Windoz version of PGP?

If someone really is looking to get in trouble for exporting crypto software, I'd suggest that they consider Crypto++ or Cryptolib as good things to export.

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From hallam at w3.org Thu Jan 11 17:30:44 1996
From: hallam at w3.org (hallam at w3.org)
Date: Fri, 12 Jan 1996 09:30:44 +0800
Subject: Zimmermann case is dropped.
In-Reply-To: <199601112329.PAA15617@infinity.c2.org>
Message-ID: <9601120029.AA04608@zorch.w3.org>

> We've made no progress. Phil has lost lots of time and gained
>lots of grey hairs, and everyone who donated to his defense fund lost
>money.

No progress? At least Phil is not going off on a trip to Alcatraz to make small ones out of big ones. That's a big plus in many people's books.

One of the most overdue reforms of the US government is the renaming of the FBI building to remove the name of J Edgar Hoover. The abuse of power under his administration of the FBI continues to poison the US polity by providing clear proof to many citizens that their government cannot be trusted. While the abuses of Hoover continue to be commemorated in this fashion there can be little public confidence in any claims of reform.

> The US can still harass people if they want, and make their
>life hell.

Not just the US government. There are many crooks out there who have attempted or are attempting worse. At least with the government there are means to bring it to heel eventually.

Phill

From m5 at dev.tivoli.com Thu Jan 11 17:33:26 1996
From: m5 at dev.tivoli.com (Mike McNally)
Date: Fri, 12 Jan 1996 09:33:26 +0800
Subject: Shimomura on TV?
In-Reply-To: <2.2.16.19960112000749.2b6f98f8@terminus.storm.net>
Message-ID: <9601120025.AA27664@alpha>

Douglas F. Elznic writes:
> I am getting real sick of the media's portrayal of the
> internet. They never say anything good about it.

The local news here in Austin, which in general seems to have a terrible time filling up a 30-minute news presentation, had a big story the other morning about how an Internet pedophile had been caught. It seems that some dude in Oregon was running a sting (I think it was a reporter, not police, but I'm not sure) and some loser in Austin took the bait and actually flew out there to meet the boy of his dreams. (Like I've said many times, it's a Real Good Thing most criminals are so incredibly stupid.)

It turns out this guy worked at a school for handicapped children up in Round Rock (the heart of Williamson County, the place hard-core "old Austin" liberals like to think of as a portal to Redneck Hell). So they start asking questions and they find some kids who say the guy abused them (or whatever). (The whole story might turn out to be bogus, for all I know; it's disappeared from my sphere of awareness.)

My wife pointed out that though the "news" people made heavy (though generally absurd) use of the Internet connection in the story, it left her thinking that the Internet is a damn good tool for trolling out undesirables like pedophiles (at least the stupid ones). It makes it a *hell* of a lot easier to sting people when *they'll pay for the plane tickets*!
And of course, they can't do any actual damage over the wire while you string 'em along.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) |
| stand there and flap your arms like a fish. | Tivoli Systems, Austin TX |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From wb8foz at nrk.com Fri Jan 12 09:36:32 1996
From: wb8foz at nrk.com (David Lesher)
Date: Fri, 12 Jan 96 09:36:32 PST
Subject: Zimmermann case is dropped.
In-Reply-To: <199601121619.IAA06808@montana.nwlink.com>
Message-ID: <199601121731.MAA05385@nrk.com>

>
> > Well, so far the feds haven't prosecuted "Jim Bidzos" for posting Crypto++
> > to usenet. Anyway, both versions have been on utopia.hacktic.nl for months.
>
> I thought that it was determined to be a hoax. Someone "disguised"
> as Jim Bidzos posted it to USENET.

So what? Prosecute him anyhow; let HIM prove he's innocent. Isn't that the way it's SUPPOSED to work in the U S of A, now-a-daze?

--
A host is a host from coast to coast.................wb8foz at nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433

From hallam at w3.org Thu Jan 11 17:36:49 1996
From: hallam at w3.org (hallam at w3.org)
Date: Fri, 12 Jan 1996 09:36:49 +0800
Subject: Shimomura on TV?
In-Reply-To: <2.2.16.19960112000749.2b6f98f8@terminus.storm.net>
Message-ID: <9601120038.AA04474@zorch.w3.org>

>Has anyone heard anything else about this? I am getting real sick of the
>media's portrayal of the internet. They never say anything good about it.

At the last World Wide Web consortium meeting I said that the media were pumping up the bubble and their favourite game is to see if they can destroy what they have the arrogance to imagine they created.

That is why we have to replace the press.
Consider this: in the next election voters on the Internet will be able to read the press releases of the candidates without the press filtering them. There is the potential for the internet citizens to participate in shaping the political agenda - another role the press likes to usurp for itself.

I recently held a workshop on political use of the Web which was attended by Republican and Democrat party workers and political activists from 6 other countries. One thing that surprised me was the consensus amongst the politicians that the differences between them were smaller than their differences with the press.

To take one example. A columnist in the New York Times recently received much coverage for calling the First Lady "a congenital liar". Yet little mention is made of the fact that said columnist worked for both Nixon and Spiro Agnew and has never condemned either for their actions.

Phill

From jya at pipeline.com Fri Jan 12 09:38:08 1996
From: jya at pipeline.com (John Young)
Date: Fri, 12 Jan 96 09:38:08 PST
Subject: Toad Sex
Message-ID: <199601121737.MAA22857@pipe6.nyc.pipeline.com>

The oldest and most trustworthy way to crack crypto -- and a cryptologist -- is sex, regularly employed by royalty and traitors, tyrants and anarchists, governments and bandits, warfighters and jealous lovers, spouses and businesses, and whatever other position/opposition pleasures and betrays.

If you have a security system that does not protect against it you're really fucked.

Just who is doing what to who in "Takedown" constitutes its shameless Hollywoodian prurience, as it was in Littman, Clancy, Vinge, Tolstoy, the Bible, the Koran, the Kama Sutra, any indecent Exon-prohibition of your dreams.

Shimomura, Markoff, Mitnick -- are the games of seductive illusion they're playing so different from vaunted cryptography of the ever-randy, coy/decoy Net?

Has nobody ever blurted their password in the throes of passionate words?

Imagine Toad Hall and what was up in the hot tub.

From erc at dal1820.computek.net Thu Jan 11 18:07:38 1996
From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin])
Date: Fri, 12 Jan 1996 10:07:38 +0800
Subject: Zimmermann case is dropped.
In-Reply-To: <9601120040.AA03530@toad.com>
Message-ID: <199601120100.TAA02304@dal1820.computek.net>

> We've made no progress. Phil has lost lots of time and gained
> lots of grey hairs, and everyone who donated to his defense fund lost
> money.
>
> To the contrary, Phil won big. He avoided going to Federal court as the
> defendant in a felony case. That's what matters most. Yes, a lot of
> time, money and effort was spent reaching this outcome, but none of it
> was wasted.
>
> The US can still harass people if they want, and make their
> life hell.
>
> Of course they can; they're the U.S. government. No possible outcome of
> Phil's case would have changed this fact. If the Federal government
> wishes to make your life miserable they can always do so.
>
> The legal challenges to the ITAR regulations will continue forward in
> the various Federal courts, but that fight will no longer be on Phil
> Zimmermann's back.

Mike Godwin can speak to this a lot better than I can, but I believe that by abandoning their case against PRZ, they have seriously weakened their case against anyone else that they feel has violated the ITAR in a similar manner - it's called "selective enforcement" and courts have been taking a dim view of that sort of thing.

I predict that you will start seeing a *lot* of crypto software showing up on FTP sites within the next 24-48 hours, as news of this spreads.

--
Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com
214/993-3935 voicemail/digital pager
800/558-3408 SkyPager
Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi

"Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul.
Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'"
-- "Losing Your Mind", Karen Alexander and Rick Boyes

From mwohler at ix.netcom.com Thu Jan 11 18:16:14 1996
From: mwohler at ix.netcom.com (Marc J. Wohler)
Date: Fri, 12 Jan 1996 10:16:14 +0800
Subject: The cost of victory?
Message-ID: <199601120108.RAA13368@ix2.ix.netcom.com>

Anyone care to estimate the *true cost* to PRZ for this victory?

Haven't the bad guys made their point?

***Preserve, Protect and Defend the private use of Strong Crypto***
* * * PGP for the masses * * *
Finger mjwohler at netcom.com for Marc Wohler's public key
fingerprint= F1 70 23 13 91 B5 10 63 0F CF 33 AD BE E6 7B B6

From mianigand at unique.outlook.net Thu Jan 11 18:24:03 1996
From: mianigand at unique.outlook.net (Michael C. Peponis)
Date: Fri, 12 Jan 1996 10:24:03 +0800
Subject: Shimomura on TV?
Message-ID: <199601120102.TAA21599@unique.outlook.net>

> Has anyone heard anything else about this? I am getting real sick of the
> media's portrayal of the internet. They never say anything good about it. If
> they were to mention C2's system they would say how it is a no-rules server
> to hide thugs and pornos from the police. I am getting sick of watching this
> trash.
> The whole realm of the internet and computers and their associated
> areas are very dear to me. I am sick of the media bludgeoning them to death.

Douglas,

Why let it bother you? You must understand that the majority of the population of the United States is working class trash, the news media is just peddling to the masses, just like the morons that hold elected office.

They can keep up the bitching, but that's a good thing, I encourage the spread of this kind of disinformation, it keeps even more of the masses from getting on for fear of being offended.

Regards,
Michael Peponis
PGP Key Available from MIT Key Server, or via finger

From hfinney at shell.portal.com Thu Jan 11 18:24:16 1996
From: hfinney at shell.portal.com (Hal)
Date: Fri, 12 Jan 1996 10:24:16 +0800
Subject: Certificates: limiting your liability with reuse limitations
In-Reply-To:
Message-ID: <199601120107.RAA21967@jobe.shell.portal.com>

You write:
>Suppose I am a CA. I am worried that by issuing a certificate with a
>lifespan of more than 2 milliseconds I am opening myself up to unlimited
>liability if for some reason, despite my best efforts, I issue an
>erroneous certificate.

How do notaries public get around this liability problem? It seems to me that the checking done for a certificate might be similar to the checking done by a notary - a glance at a driver's license, say. Are they subject to liability if they are fooled by fake ID?

Hal

From bruceab at teleport.com Thu Jan 11 19:05:36 1996
From: bruceab at teleport.com (Bruce Baugh)
Date: Fri, 12 Jan 1996 11:05:36 +0800
Subject: C2 and the Worst Case
Message-ID: <2.2.32.19960111040212.006a69dc@mail.teleport.com>

First off, this is _not_ a criticism - c2.org provides wonderful services, and I'm budgeting to buy more from them.

However, I'm curious. Consider a reasonably worst case, in which ye jack-booted thugges come through the door unannounced, scoop up everything, and haul it off for examination.
The question is, how much would they get? How much information about c2 users would fall into the wrong hands?

Bruce Baugh
bruceab at teleport.com
http://www.teleport.com/~bruceab

From anonymous-remailer at shell.portal.com Thu Jan 11 20:35:11 1996
From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com)
Date: Fri, 12 Jan 1996 12:35:11 +0800
Subject: No Subject
Message-ID: <199601120425.UAA08583@jobe.shell.portal.com>

The other day I was poking around lists of open NNTP servers, and came across something odd at llyene.jpl.nasa.gov . It appears that nothing has ever been expired there. Some groups had hundreds of thousands of messages. This might be interesting and useful for some purposes.

Anyone know if that's where Dave Hayes does his amazing administrative thing?

From llurch at networking.stanford.edu Fri Jan 12 12:57:27 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Fri, 12 Jan 96 12:57:27 PST
Subject: Boston talk on offshore banks
In-Reply-To: <9601122001.AA18808@sulphur.osf.org>
Message-ID:

Every issue of The Economist (and I'm sure lots of other publications) has ads for this kind of thing. Anyone know a reference for ranking the "legitimacy" of these services and seminars? I'd assume that many of them are scams that will gladly take your money overseas, but you might never see it again.

Probably follow up offline, because cpunk relevance is a bit tenuous.

-rich

On Fri, 12 Jan 1996, Rich Salz wrote:
> I heard an ad on the radio for a free seminar on how to protect your assets
> using off-shore banks. I forget who the speaker is, I think they're with
> the English-Irish bank in Austria, or something like that. The thrust
> was to save assets for when you retire and Social Security isn't there
> for you.
>
> I'm posting this since off-shore banking touches on privacy issues
> and comes up here now and then.
>
> Two dates, Jan 17 (Newton, MA) or Jan 18 (Burlington, MA).
> Call 617 663 3299 for more info.

From zinc at zifi.genetics.utah.edu Fri Jan 12 12:58:43 1996
From: zinc at zifi.genetics.utah.edu (zinc)
Date: Fri, 12 Jan 96 12:58:43 PST
Subject: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com
In-Reply-To:
Message-ID:

regarding remailer spams:

one way to prevent this sort of spamming is to put a cap on the number of messages that can be delivered to a given address. of course, an exception will have to be made for instances of chaining so that the number of messages allowed to be forwarded to another remailer is not limited.

i'm trying to think of a scenario where this would not be a good thing. i suppose if someone was conducting an anonymous poll their address should not have a limit.

i'm sure there are problems with a mesg quota system, but it does seem like an easy solution.

-pjf

patrick finerty = zinc at zifi.genetics.utah.edu = pfinerty at nyx.cs.du.edu
U of Utah biochem grad student in the Bass lab - zinc fingers + dsRNA!
** FINGER zinc-pgp at zifi.genetics.utah.edu for pgp public key - CRYPTO!
zifi runs LINUX 1.3.56 -=-=-=WEB=-=-=-> http://zifi.genetics.utah.edu

From loki at obscura.com Thu Jan 11 22:01:55 1996
From: loki at obscura.com (Lance Cottrell)
Date: Fri, 12 Jan 1996 14:01:55 +0800
Subject: E-cash and Interest
Message-ID:

At 2:52 PM 1/11/96, Ryan Lackey wrote:
>By integrating all of these services under Mark Twain Bank Ecash Mint, I
>would get all of the advantages of a rather pricey bank, 4-5% loss on all
>my deposits, minimal privacy protection, no FDIC protection, $2500
                                                              ^^^^^
>initial deposit (not a problem for me, but it does keep many of the
>people I'd like to send money to out of the system..always a feature),
>and _tens_ of places to spend my ecash, only 4 or 5 of which that really
>sell things.
>

Where do people keep getting this number. I have an account, my initial deposit was $36 ($11 for startup and $25 to play with).

>--
>Ryan Lackey -*- ryan at pobox.com -*- http://www.netaxs.com/people/ryan/

-Lance

----------------------------------------------------------
Lance Cottrell loki at obscura.com
PGP 2.6 key available by finger or server.
Mixmaster, the next generation remailer, is now available!
http://obscura.com/~loki/Welcome.html or FTP to obscura.com

"Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come."
--Nietzsche
----------------------------------------------------------

From pati at ipied.tu.ac.th Thu Jan 11 22:07:11 1996
From: pati at ipied.tu.ac.th (Patiwat Panurach (akira rising))
Date: Fri, 12 Jan 1996 14:07:11 +0800
Subject: E-cash and Interest
In-Reply-To:
Message-ID:

On Wed, 10 Jan 1996, Tim Philp wrote:
> I think that you have hit the nail on the head. Money could still 'earn'
> interest until it is spent. The 'bank' still has the 'real' money. In

NO!
money could still earn interest until it is _withdrawn_. This includes withdrawals from MTB accounts into the Mint. Coz ecash in any form (whether in the mint or in the HDD) is equivalent to cash. And cash (by definition) can't earn interest.

-------------------------------------------------------------------------------
Patiwat Panurach               Whatever you can do, or dream you can, begin it.
eMAIL: pati at ipied.tu.ac.th  Boldness has genius, power and magic in it.
m/18 junior Fac of Economics   -Johann W.Von Goethe
-------------------------------------------------------------------------------

From fstuart at vetmed.auburn.edu Thu Jan 11 22:08:44 1996
From: fstuart at vetmed.auburn.edu (Frank Stuart)
Date: Fri, 12 Jan 1996 14:08:44 +0800
Subject: Zimmermann case is dropped.
Message-ID: <199601120546.XAA04381@snoopy.vetmed.auburn.edu>

Since there is no longer an ongoing investigation, perhaps now would be a good time to file FOIA requests to see if there is evidence of the Justice Department acting improperly.

                              | (Douglas) Hofstadter's Law:
Frank Stuart                  | It always takes longer than you expect, even
fstuart at vetmed.auburn.edu  | when you take into account Hofstadter's Law.

From alanh at infi.net Thu Jan 11 22:29:11 1996
From: alanh at infi.net (Alan Horowitz)
Date: Fri, 12 Jan 1996 14:29:11 +0800
Subject: When they came for the Jews...
In-Reply-To: <01HZVCRZLG80A0UE92@mbcl.rutgers.edu>
Message-ID:

The Wiesenthal brown shirts aren't *feeling* useless. They are scared shitless that they might have to go out and get a real job.

Do-gooder organizations are in the same bind as breakfast cereals. It's so easy to enter the game that there's cut-throat competition. You've got to keep your name in front of the public, or else people will relegate you to the Flat-Earth Society status you actually deserve.

So, you've got to hire skilled flacks who know how to position a press release on a slow news day.
Imagine if the Simeonistas' press release hit the fax machines on the same day that the blizzard shut down the East - it would have gotten lost.

There's an association of Association Executives. You should see their training programs.

Alan Horowitz
alanh at infi.net

From ryan at netaxs.com Thu Jan 11 22:31:37 1996
From: ryan at netaxs.com (Ryan Lackey)
Date: Fri, 12 Jan 1996 14:31:37 +0800
Subject: E-cash and Interest
In-Reply-To:
Message-ID: <199601120620.BAA14910@unix5.netaxs.com>

In one of many possible worlds, Lance Cottrell did say:
> Where do people keep getting this number. I have an account, my initial
> deposit was $36 ($11 for startup and $25 to play with).

It's the amount required to earn interest on a World Currency Access account. I was incorrect in assuming it was the minimum to start an account...it's just the minimum _I_ would have it in, because I do not like savings accounts which don't draw interest unless they're held in gold, offshore, or both.

--
Ryan Lackey -*- ryan at pobox.com -*- http://www.netaxs.com/people/ryan/
"Calmly and impersonally, she, who would have hesitated to fire at an animal, pulled the trigger and fired straight at the heart of a man who had wanted to exist without the responsibility of consciousness."
-- Ayn Rand, _Atlas Shrugged_.

From nobody at REPLAY.COM Thu Jan 11 23:49:01 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Fri, 12 Jan 1996 15:49:01 +0800
Subject: NSA
Message-ID: <199601111719.MAA16056@bb.hks.net>

---
[This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.]

From tim at dierks.org Thu Jan 11 23:51:28 1996
From: tim at dierks.org (Tim Dierks)
Date: Fri, 12 Jan 1996 15:51:28 +0800
Subject: Domains, InterNIC, and PGP (and physical locations of hosts, to boot)
Message-ID:

At 3:00 AM 1/10/96, Bill Stewart wrote:
>At 11:15 PM 1/6/96 -0500, Michael Handler wrote:
>> ftp://ds.internic.net/rfc/rfc1876.txt
>>Again, I'm not too sure of the viability of this proposal. Not on
>>effectiveness of proving true location -- it is more geared toward
>>"visual 3-D packet tracing" -- but simply because I have _no_ fricking
>>idea where our machines are (in terms of lat and long) to any degree
>>of accuracy.
>
>There are several geography servers on the net, which can tell you
>the lat/long for a city (more useful if your city is, say,
>Holmdel NJ than if it's Los Angeles.)

For what it's worth, you can use the mapping software at to find your location fairly accurately; you may need another map to locate yourself, since the streets are unlabeled. I managed to figure out that I'm currently at latitude 37.3435 degrees, longitude -121.8925 degrees. I think that's correct to within about 100 feet or so.

- Tim

Anyone with a GPS device, feel free to stop by; I'm in unit A2, and I've got homebrew in the fridge.

Tim Dierks - Software Haruspex - tim at dierks.org
If you can't lick 'em, stick 'em on with a big piece of tape. - Negativland

From ftrotter at marktwain.com Fri Jan 12 00:25:23 1996
From: ftrotter at marktwain.com (Frank O.
Trotter, III)
Date: Fri, 12 Jan 1996 16:25:23 +0800
Subject: E-cash and Interest
Message-ID: <199601111911.AA16628@mail.crl.com>

Once the Ecash Mint and the account (in our case the WorldCurrency Access account - others will be different) are merged, the balance you hold in the Mint may be able to earn interest. Like an individual, the amount of interest offered will involve a cost benefit relationship based on cost of funds, regulation, and operational costs, but there should be no obvious reason not to pay something in most currencies.

One note, under US banking regulation, "transaction accounts" fall under different rules than money market accounts, savings accounts, and NOW accounts. Depending on the exact functionality desired, and future regulation changes, there will be more or less incentive and/or legal ability to pay interest.

Given the current functionality of Ecash there will be little incentive to hold balances on your hard drive once interest is available. It is just too easy to move the money down when you need it. Today there is no specific cost incentive between the Mint and your hard drive.

It does not take a long leap to see that when the account and the Mint are merged, that since the Mint _is_ the account, PC/Internet banking, debit and all other regular banking functionality can become immediately integrated!

Frank Trotter
ftrotter at marktwain.com
Opinions expressed are my own....

> On Wed, 10 Jan 1996, Tim Philp wrote:
>
> > With the E-cash systems that I have seen, you generate your own E-cash
> > and have it signed by a 'bank' At that moment, it becomes like cash in
> > your wallet and you lose interest that this money could be earning.
>
> From the standpoint of monetary economics, this is correct. The (ecash)
> bank has the right to use your deposits to give out loans. When you
> withdraw your money (and turn it into either cash or ecash) they (the
> bank) no longer have the right to turn your deposits into loans.
> Withdrawn cash/ecash can not earn interest.
>
> This is the problem of (e)cash: if you have it on hand you _must_ forgo
> any interest earnings. Theoretically, the optimum holding of (e)cash is a
> function of interest rate (the greater the interest rate, the less cash on
> hand), transaction cost of making withdrawals (the easier and more
> convenient the withdrawals, the less cash on hand), and the "providence
> value" of cash (the more you value instant gratification, the more cash on
> hand).
>
> That's why ATM machines have caused us to hold less cash. We can now keep
> money in the bank (letting it earn interest and letting the bank create
> loans with it) and withdraw from ATM terminals only when we need it.
>
> -------------------------------------------------------------------------------
> Patiwat Panurach               Whatever you can do, or dream you can, begin it.
> eMAIL: pati at ipied.tu.ac.th  Boldness has genius, power and magic in it.
> m/18 junior Fac of Economics   -Johann W.Von Goethe
> -------------------------------------------------------------------------------

From jim at acm.org Fri Jan 12 00:36:03 1996
From: jim at acm.org (Jim Gillogly)
Date: Fri, 12 Jan 1996 16:36:03 +0800
Subject: US DoJ Zimmermann Press Release
In-Reply-To:
Message-ID: <199601120600.WAA09559@mycroft.rand.org>

> "Declan B. McCullagh" writes:
> [logo] United States Attorney
> Northern District of California
> Northern District of California, announced today that his office
> has declined prosecution of any individuals in connection with
> the posting to USENET in June 1991 of the encryption program

Cool -- that means Kelly Goen is also off the hook, which is also a big relief!

Jim Gillogly
Sterday, 21 Afteryule S.R. 1996, 05:59

From llurch at networking.stanford.edu Fri Jan 12 00:58:00 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Fri, 12 Jan 1996 16:58:00 +0800
Subject: [Sarin?] Re: When they came for the Jews...
In-Reply-To: Message-ID: On Thu, 11 Jan 1996, Lucky Green wrote: > On Wed, 10 Jan 1996, Duncan Frissell wrote: > > > He cited the posting of instructions for making explosive devices, including > > recipes for Sarin nerve gas and bombs similar to the one that destroyed the > > Federal Building in Oklahoma City last April 19. > > Sarin nerve gas? Can anyone find that URL? > > TIA, You're kidding, right? With all the uncensored spiders out there, anybody can find anything in a second. Search for "sarin not japan not aum" to cut down on the noise. Here's two of the top ten from AltaVista. 1. For US Occupational Health and Safety Administration (OSHA) recommendations regarding Sarin (um... avoid?), see: http://www.skcinc.com/niosh/file_1424.html 2. Sorry, no detailed recipe, and it says "don't try this at home," but there is a bibliography, and the Stanford Libraries have four of the journals listed. From http://www.xmission.com/~seer/mcw/sarin.html Sarin is now known as "GB." It has several chemical names: 1-Methylethyl methylphosphonate, Isopropylhydrogen methylphosphonate or Isopropyl methylphosphonate. Note the word "isopropyl." One of the key ingredients of the Sarin made by AUM Shinrikyo is isopropyl alcohol. Altogether there are four ingredients in Sarin: phosphorus trichloride, sodium fluoride, isopropyl alcohol and acetonitrile. Its chemical structure is as follows: (H3C)2CHOPF(O)Me. Sarin is not the type of weapon that can be made in the home, it can only be manufactured in a laboratory, though very sophisticated equipment is not needed. It is extremely dangerous to manufacture and handle. It's a German invention. Here's a (mostly) German Bibliography. 
GMELINS HDB, 1965, P482; PHOSPHOR VERBINDUNGE, 1963, V1, P433; PHOSPHOR ERBINDUNGE, 1964, V2, P27; 810930, 1959, CHILDS AF; ARBUSOV A, 1902, P1639; CHEM ZENTR BOOTH HS, 1939, V61, P2927; J AM CHEM SOC; BRAUER G, 1975, P209; HDB PRAPARATIVEN ANO; BRYANT PJR, 1960, P1553, J CHEM SOC; DEBORST C, 1972, V27, P305, TNO NIEUWS; FORDMOORE AH, 1951, V31, P33, ORGANIC SYNTHESES; FRANKE S, 1976, V1, LEHRBUCH MILITARCHEM; FRANKE S, 1976, V2, LEHRBUCH MILITARCHEM; KUHN SJ, 1962, V40, P1951, CAN J CHEM; LORQUET JC, 1959, V68, P336, B SOC CHIM BELG; SAMMET R, 1983, THESIS ETH ZURICH; SASS S, 1979, V14, P257, ORG MASS SPECTROM; SCHRADER G, 1963, ENTWICKLUNG NEUER IN; TAMMELIN LE, 1957, V11, P1340, ACTA CHEM SCAND; WASER PG, 1983, CHOLINERGE PHARMAKON; WASER PG, 1975, CHOLINERGIC MECHANIS; WASER PG, 1986, P157, DISCOVERIES PHARM; WASER PG, 1986, P743, DYNAMICS CHOLINERGIC. From Jueneman at gte.com Fri Jan 12 00:58:19 1996 From: Jueneman at gte.com (Jueneman at gte.com) Date: Fri, 12 Jan 1996 16:58:19 +0800 Subject: Reliance Limits Considered Harmful Message-ID: <30F54978-00000001@wotan.gte.com> >Suppose I am a CA. I am worried that by issuing a certificate with a >lifespan of more than 2 milliseconds I am opening myself up to unlimited >liability if for some reason, despite my best efforts, I issue an >erroneous certificate. > >I know I can write disclaimers, but that's not reliable since courts >often ignore them, and anyway it scares off customers. > >I know I can put an expiration date on the certificate, but that's not >enough. I can accumulate a lot of exposure in a few seconds, much less >weeks. > >I know I can put a reliance limit in the X.509 ver 3 certificate, but >that's not enough. Even a $1 limit could be used many millions of times. > >Is it feasabile to say: Can only be relied on once per day/week/month? >Is this something the relying parties can reasonably be expected to monitor? 
>
>It seems to me that this sort of a limit is essential if a CA is to feel
>comfortable outside Utah....
>
>A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
>Associate Professor of Law |
>U. Miami School of Law | froomkin at law.miami.edu
>P.O. Box 248087 | http://www.law.miami.edu/~froomkin
>Coral Gables, FL 33124 USA | It's warm here.
>

I have been troubled from the first with the concept of a reliance limit, in particular because of the problem Prof. Froomkin cites.

In the "normal" paradigm for digital signatures, neither the CA nor the relying party(ies) have any knowledge of how many times that particular certificate/key has been used. As a result, there are few if any controls that would operate to enforce the notion of a reliance limit.

Even in the electronic credit card environment where there is some sort of a closed loop system (the purchases are reported back to the Issuing Bank, and presumably would be or could be known by the CA, which is probably acting as an agent of the bank), there are some substantial problems.

The first problem is one of privacy. If I have a very high credit limit, I certainly don't want to advertise that fact in a public certificate. On the other hand, if I have a low limit, I don't want to advertise that either. And in any case, the reliance limit is not intended to be a "floor limit", i.e., an amount below which it is not required to contact the credit card company for authorization. (Floor limits used to be popular, especially in Europe where the cost of telecommunications was high. But now almost all transactions are authorized against the customer's current balance and credit limit, and if the merchant doesn't check he can be stuck with the charge if the customer doesn't pay.)
I have argued (quite unsuccessfully in the credit card community) that the reliance limit can provide a useful means of limiting the subscriber's exposure (as well as the CA's) in the event of a security compromise affecting the subscriber's private key. Since there are no perfect computer security solutions available at any price, much less an affordable price, both the subscriber and the CA have to make a tradeoff between their risks and the rewards of greater convenience, etc.

I tried to get around the privacy issue in the credit card environment by treating a negative reliance limit as a percentage of the customer credit limit. But no one in the credit card industry was convinced, and maybe I'm not either.

The concept of a reliance limit is enshrined in the Utah Digital Signature statute (and the ABA draft Digital Signature Guidelines), where it is wrapped up with a draconian requirement that registered CAs have to put up a surety bond or irrevocable letter of credit in the amount of 30% of the aggregate of all outstanding reliance limits. This is not just an insurance policy -- a CA's corporate assets are pledged to back up the certificates issued, notwithstanding the fact that the identification system we have in this country is not sufficiently reliable to warrant such representations. And surely no CA is going to hire private investigators to check out who someone claims to be with sufficient credibility as to be able to issue certificates to individuals -- at least if they intend to charge any kind of a reasonable price for the certificates.

In my personal opinion, that requirement in the Utah law makes it highly unlikely that anyone will ever become a registered CA in Utah, unless the reliance limit is set to $1 and/or the expiration period to about 1 millisecond. (Maybe the Utah statute was really trying to set up a lottery, rather than a system for registering CAs.
Everyone gets to play, and if you can find a person who has invalid credentials, even if issued through an innocuous clerical error (someone misspelled the street name in someone's address), you can claim you were harmed in some way, sue them big time and collect millions. That's the American way, isn't it? :-) Although X.509 v3 provides a simple mechanism to allow additional attributes, potentially including a reliance limit, to be included in the certificate, there are at present no plans that I know of for any existing CA to actually do so, or more importantly, for anyone else's software to be able to read and comprehend those reliance limits or perform any checking. As a purely technical matter, the problem could be solved by requiring the relying party to validate the transaction (not just the certificate) with the CA in real time. (Checking a CRL database isn't good enough.) By providing a transaction amount, the CA could keep track of the extent of its liability, and could detect misuse. Alternatively, the subscriber could request a new certificate for each one time use. However, both of these "solutions" would require a significant extension to the current mechanisms, and also give rise to a number of privacy issues. In addition, there are other practical problems. If I am the relying party (or the CA), and the subscriber is using his digital signature to confirm an order to sell futures on the commodities market, how can I evaluate the potential risk? If the subscriber is selling futures for orange juice and a storm wipes out all of the orange trees, his losses could be unbounded. Similar situations could exist in the case of a signature on a patent claim, and creative people can probably think of many more cases. Although the notion of a reliance limit usually arises in conjunction with digital signatures, it would presumably apply to certificates used for message encryption, to set up encrypted sessions, etc., as well. 
This puts the CA in an even more difficult position, for now we are not talking about a (single) financial transaction. If I send an encrypted message to someone, and it turns out that the person who received it was not who he claimed to be, I may in fact be greatly harmed. (If the message wasn't important, why would I have encrypted it in the first place?) Suits for violation of privacy have resulted in millions of dollars in damages -- does that mean that the CA ought to provide a million dollar reliance limit?

My conclusion after having thought about this a lot is that reliance limits are at best ineffective and at worst positively harmful. They are difficult or impossible to enforce in any meaningful way, they raise substantial privacy issues, and at least as codified in the Utah Act and the draft Digital Signature Guidelines they will almost surely act to dissuade any prudent business from setting up a licensed CA.

Does this mean that the subscriber, relying party, and CA all have effectively unbounded liability, absent a stated reliance limit? No, I don't think so, but we may have to change our paradigm a little bit.

Most people accept a driver's license as providing a degree of proof of someone's identity, but very few would consider it proof positive. Since the state-issued driver's license is the only practical means of identification available to a CA in the case of private individuals, that constitutes the weakest link in the system and is quite likely to remain so.

The only other identification document I am aware of that is available to private individuals that provides substantially better identification than a driver's license is a permit to carry a concealed weapon.
Here in Massachusetts, obtaining a pistol permit requires a trip to the local police station, where you are photographed, fingerprinted, and two or more affidavits concerning your character are reviewed prior to submitting your fingerprints and picture to the FBI, where a search of the NCIC database is used to determine if you have any prior arrests, etc. The permit card that is issued carries your residence or business address, your picture, fingerprint, date and place of birth, height, weight, complexion, hair color, eye color, and occupation. Since the Brady Bill was passed, I believe that many states have set up similar systems. (Of course many jurisdictions sharply limit who can actually receive a weapons permit. I'm only describing the process, not debating the reasonableness or unreasonableness of gun controls.) Even if state laws were amended to make this degree of identification assurance available for purposes other than weapons permits, many if not most people would have strong reservations about the privacy implications. And to the best of my knowledge, private companies are not allowed to access the NCIC, also for privacy reasons. Does all this mean that digital signatures are worthless? No, not at all. But it does mean that they are unlikely to convey a degree of surety as to someone's identity that is very much stronger than a driver's license identification. In my personal opinion, I think we need to establish a stronger degree of "no fault" protection for CAs that follow the rules. Whose rules are to be followed, and who audits them for conformance are valid issues. We clearly don't want irresponsible CAs issuing certificates to all and sundry, but we can't make the cost of entry into the business so high that no one takes on the burden of being a CA at all. The issue is how to balance risks, the costs, and the rewards equitably between the subscriber, the relying party, and the CA. 
In the case of the credit/debit card industry, the credit card companies charge a fee that covers both the risk and their administrative costs. If digital signatures can be used to reduce their risks, presumably the fees charged to the merchants can be reduced somewhat. But in any case, the fee that is charged is proportional to the amount of the transaction, and therefore statistically covers the risk. The real question is what to do outside of the credit card industry, where certificates may be used for transactions that are much more complex, and where there may not be the infrastructure to collect a percentage fee for each use.

Please copy me directly on any replies, as (to the best of my knowledge) I am not a subscriber to cypherpunks.

Bob
----------------------------
Robert R. Jueneman
GTE Laboratories
1-617-466-2820
"The opinions expressed are my own, and may or may not reflect the official position of GTE, if any."

From jimbell at pacifier.com Fri Jan 12 01:04:21 1996
From: jimbell at pacifier.com (jim bell)
Date: Fri, 12 Jan 1996 17:04:21 +0800
Subject: Domains, InterNIC, and PGP (and physical locations of hosts, to boot)
Message-ID:

At 11:22 PM 1/11/96 -0800, you wrote:
>For what it's worth, you can use the mapping software at
> to find your location fairly accurately; you may
>need another map to locate yourself, since the streets are unlabeled. I
>managed to figure out that I'm currently at latitude 37.3435 degrees,
>longitude -121.8925 degrees. I think that's correct to within about 100
>feet or so.
>
> - Tim
>
>Anyone with a GPS device, feel free to stop by; I'm in unit A2, and I've
>got homebrew in the fridge.

About 10 years ago, I bought a Loran unit from Heath, and (due to my association with some people who did laser photoplotting for PC boards) had a program written which generated a "LAT/LON" map plastic overlay. Apply over a USGS 7.5 minute map, and you can read LAT/LON directly.
(It only needed to be photoplotted once, of course: positive contact printing duplicated it easily.)

Only one problem: Since the width of longitude changes with latitude, a given map overlay can only be "exactly" accurate at one latitude. Still, it made estimating LAT/LON FAR easier.

From bal at martigny.ai.mit.edu Fri Jan 12 01:09:08 1996
From: bal at martigny.ai.mit.edu (Brian A. LaMacchia)
Date: Fri, 12 Jan 1996 17:09:08 +0800
Subject: Zimmermann case is dropped.
In-Reply-To: <199601112329.PAA15617@infinity.c2.org>
Message-ID: <9601120040.AA03530@toad.com>

   From: sameer
   Date: Thu, 11 Jan 1996 15:29:11 -0800 (PST)
   Cc: prz at acm.org, cypherpunks at toad.com
   X-Mailer: ELM [version 2.4 PL20]
   Mime-Version: 1.0
   Content-Type: text/plain; charset=US-ASCII
   Content-Transfer-Encoding: 7bit
   Sender: owner-cypherpunks at toad.com
   Precedence: bulk

   We've made no progress. Phil has lost lots of time and gained lots of grey hairs, and everyone who donated to his defense fund lost money.

To the contrary, Phil won big. He avoided going to Federal court as the defendant in a felony case. That's what matters most. Yes, a lot of time, money and effort was spent reaching this outcome, but none of it was wasted.

   The US can still harass people if they want, and make their life hell.

Of course they can; they're the U.S. government. No possible outcome of Phil's case would have changed this fact. If the Federal government wishes to make your life miserable they can always do so.

The legal challenges to the ITAR regulations will continue forward in the various Federal courts, but that fight will no longer be on Phil Zimmermann's back.
--bal

From daw at quito.CS.Berkeley.EDU Fri Jan 12 01:09:25 1996
From: daw at quito.CS.Berkeley.EDU (David A Wagner)
Date: Fri, 12 Jan 1996 17:09:25 +0800
Subject: [NOISE] Microsoft continues to mislead public about Windows security
Message-ID: <199601120042.TAA18188@bb.hks.net>

-----BEGIN PGP SIGNED MESSAGE-----

In article <199601100451.UAA13211 at infinity.c2.org>, wrote:
> On Tue, 9 Jan 1996, Frank Willoughby wrote:
> > When a system is breached or a CERT Advisory is issued, this is a major
> > embarrassment for the company.
>
> What are CERT's criteria for a bulletin to be issued? Would the previously
> mentioned Windows NT and Windows 95 security bugs qualify?

CERT normally won't publish a security warning until the manufacturers have fixed the bug & offered a patch. So I doubt the Win95/NT bugs will be announced by CERT tomorrow.

If you want to publish a bug, CERT is probably not the best place to go. CERT often ends up sitting on bugs for ages, because nobody knows about the hole, so nobody can pressure the vendors to fix 'em, so CERT refuses to release a bulletin-- a vicious cycle.

IMHO, embarrassing public pressure often seems to be the quickest way to get attention & fixes from uncooperative vendors... But then again, that's the old "full disclosure" (and "security through obscurity") debate(s).

- -- Dave "a believer in security through caffeine" Wagner

- ---
[This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.]

From tcmay at got.net Fri Jan 12 01:27:33 1996
From: tcmay at got.net (Timothy C.
May)
Date: Fri, 12 Jan 1996 17:27:33 +0800
Subject: Minor correction about tax rates and witholding
Message-ID:

At 1:21 PM 1/11/96, Gary Howland wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>> you think that's a bit ridiculous? i'm paid via an NIH grant given to my
>> advisor by the govt. this stipend is taxed. it didn't used to be
>> (started to be taxed around '86 i believe). why the hell doesn't the
>> govt just save everyone the trouble and pay me less. i'm sure they could
>> get rid of a couple of IRS people this way.
>
>It's even sillier over here in Europe, and the paperwork is probably ..

I didn't comment when the first remark was made, several days ago, but if others are going to elaborate on it, I will now comment.

The government cannot simply take its cut before sending the stipend/salary for a very good reason: they don't know the final tax rates of the taxpayers! Some people will end up paying no taxes, for whatever reasons (low overall wages, lots of deductions and dependents, offsetting capital losses, etc.). Others will pay 20%, and some may even pay more (doubtful, on a stipend, but you get the point).

Clearly the government cannot simply "withhold" 15%, say, nor can it know in advance the precise amount to withhold. A flat tax rate would make this more possible, but would still not be completely accurate.

--Tim May

We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From declan+ at CMU.EDU Fri Jan 12 01:47:06 1996
From: declan+ at CMU.EDU (Declan B.
McCullagh)
Date: Fri, 12 Jan 1996 17:47:06 +0800
Subject: US DoJ Zimmermann Press Release
Message-ID:

From Mike Godwin and Stanton McCandlish. Transcribed from fax.

-Declan

-----------

[begin]

[logo] United States Attorney
Northern District of California
_____________________________________________________________________________
San Jose Office (408) 535-5061
280 South First Street, Suite 371
San Jose, California 95113
FAX: (408) 535-5066

PRESS RELEASE

FOR IMMEDIATE RELEASE
January 11, 1995

Michael J. Yamaguchi, United States Attorney for the Northern District of California, announced today that his office has declined prosecution of any individuals in connection with the posting to USENET in June 1991 of the encryption program known as "Pretty Good Privacy." The investigation has been closed. No further comment will be made by the U.S. Attorney's office on the reasons for declination.

Assistant U.S. Attorney William P. Keane of the U.S. Attorney's Office in San Jose at (408) 535-5053 oversaw the government's investigation of the case.

[end]

From owner-cypherpunks at toad.com Fri Jan 12 01:47:43 1996
From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com)
Date: Fri, 12 Jan 1996 17:47:43 +0800
Subject: No Subject
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

Got this off the web - it's a link to the letter that Phil got from the US attorney:

http://www.eff.org/pub/Alerts/usatty_pgp_011196.announce

U.S. Atty. DROPS PGP INVESTIGATION!

- --
Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com
214/993-3935 voicemail/digital pager
800/558-3408 SkyPager
Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi

"Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ...
'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes

From tcmay at got.net Fri Jan 12 01:50:57 1996
From: tcmay at got.net (Timothy C. May)
Date: Fri, 12 Jan 1996 17:50:57 +0800
Subject: Zimmermann case is dropped.
Message-ID:

At 11:29 PM 1/11/96, sameer wrote:
> We've made no progress. Phil has lost lots of time and gained
>lots of grey hairs, and everyone who donated to his defense fund lost
>money.
> The US can still harass people if they want, and make their
>life hell.

Yes, I think it likely that another case will be filed, a case the government senses is more winnable. In many ways, what Phil and/or some of his friends may or may not have done was too "stale." None of the Four Horsemen were involved directly, and Phil's case generated publicity that tended to make him a hero, not an Enemy of the People.

I would look for something like a prosecution of a remailer operator, though only after laws are passed making it illegal to remail certain items. (Right now there is no law against redirecting a message, so prosecution would be difficult.)

--Tim May

We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
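Added example, not part of any message in this archive and not any CA's software: a sketch of the real-time, per-transaction validation that Robert Jueneman's "Reliance Limits Considered Harmful" message above describes as the purely technical fix, run against the "$1 limit used many millions of times" case from the Froomkin text he quotes. It assumes the limit is cumulative over the certificate's life; all class, field and party names are hypothetical and the data is constructed.

```python
# Added illustration; names and data are constructed, not from the post.
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Certificate:
    serial: str
    reliance_limit_cents: int   # assumed meaning: total the CA stands behind
    not_after: datetime
    revoked: bool = False


def offline_check(cert, amount_cents, now):
    """All a relying party can verify alone: status, expiry, this one amount."""
    return (not cert.revoked and now <= cert.not_after
            and 0 < amount_cents <= cert.reliance_limit_cents)


@dataclass
class RelianceLedger:
    """Hypothetical CA-side service that relying parties query per transaction."""
    certs: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def issue(self, cert):
        self.certs[cert.serial] = cert

    def exposure(self, serial):
        """Sum of amounts the CA has already agreed to back for this certificate."""
        return sum(e["amount"] for e in self.log
                   if e["serial"] == serial and e["granted"])

    def denied(self, serial):
        """Refused requests: the misuse signal the CA gains by seeing each use."""
        return sum(1 for e in self.log
                   if e["serial"] == serial and not e["granted"])

    def validate(self, serial, amount_cents, relying_party, now):
        cert = self.certs.get(serial)
        if cert is None:
            reason = "unknown certificate"
        elif cert.revoked:
            reason = "revoked"
        elif now > cert.not_after:
            reason = "expired"
        elif amount_cents <= 0:
            reason = "invalid amount"
        elif self.exposure(serial) + amount_cents > cert.reliance_limit_cents:
            reason = "reliance limit exhausted"
        else:
            reason = "ok"
        # Every request is recorded, granted or not: the privacy cost of the scheme.
        self.log.append({"serial": serial, "amount": amount_cents,
                         "relying_party": relying_party, "time": now,
                         "granted": reason == "ok"})
        return reason == "ok", reason


def demo():
    """One $1-limit certificate presented to 1000 constructed relying parties."""
    now = datetime(1996, 1, 12, 12, 0)
    cert = Certificate("CONSTRUCTED-0001", 100, now + timedelta(days=30))
    ledger = RelianceLedger()
    ledger.issue(cert)
    parties = [f"merchant-{i}" for i in range(1000)]
    offline_ok = sum(offline_check(cert, 100, now) for _ in parties)
    online_ok = sum(ledger.validate(cert.serial, 100, p, now)[0] for p in parties)
    return {
        "offline_accepted": offline_ok,
        "offline_exposure_cents": offline_ok * 100,
        "online_accepted": online_ok,
        "online_exposure_cents": ledger.exposure(cert.serial),
        "denied": ledger.denied(cert.serial),
        "parties_seen_by_ca": len({e["relying_party"] for e in ledger.log}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The offline check lets every relying party accept, so exposure grows without bound; the ledger caps it at the limit, at the price of the CA learning who relied on the certificate and for how much.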
From sameer at c2.org Fri Jan 12 01:59:34 1996
From: sameer at c2.org (sameer)
Date: Fri, 12 Jan 1996 17:59:34 +0800
Subject: C2 and the Worst Case
In-Reply-To: <2.2.32.19960111040212.006a69dc@mail.teleport.com>
Message-ID: <199601111704.JAA12833@infinity.c2.org>

>
> The question is, how much would they get? How much information about c2
> users would fall into the wrong hands?

The only information we have is the information you give us. If you don't give us your name, we don't have your name. If you don't give us the site you're coming from, we don't have the site you're coming from. They can't get information out of us that we don't have. That's our guiding principle, in terms of the privacy against government-level attack.

>
>
> Bruce Baugh
> bruceab at teleport.com
> http://www.teleport.com/~bruceab
>

--
Sameer Parekh Voice: 510-601-9777x3
Community ConneXion FAX: 510-601-9734
The Internet Privacy Provider Dialin: 510-658-6376
http://www.c2.org/ (or login as "guest") sameer at c2.org

From owner-cypherpunks at toad.com Fri Jan 12 02:13:25 1996
From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com)
Date: Fri, 12 Jan 1996 18:13:25 +0800
Subject: No Subject
Message-ID:

For once, Thatcher said it best: "Just Rejoice."

However, Churchill said it better: "This is not the end. This is not the beginning of the, but rather the end of the beginning".

But has Phil sold the photos to a tabloid yet?
Simon

(defun modexpt (x y n) "computes (x^y) mod n"
  (cond ((= y 0) 1)
        ((= y 1) (mod x n))
        ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n))
        (t (mod (* x (modexpt x (1- y) n)) n))))

From owner-cypherpunks at toad.com Fri Jan 12 02:14:11 1996
From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com)
Date: Fri, 12 Jan 1996 18:14:11 +0800
Subject: No Subject
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

First of all, let me apologize for not being very knowledgeable about CA's and https and SSLeay, apache, and generating renegade (ie, your own) certificates. If someone wants to go over this [again] certainly it'd be welcome.

I was today playing around with a Mozilla 2.0beta5 that someone gave me [more bells and whistles than my 1.12, but not much more bang for the buck] and was showing a friend all the nifty information that netscape tells about you when you visit sites, then went to c2 to show off the apache web server and when I tried to use https:// to show off how you can have your own encrypting web server for free and everything, a window popped up and said the certificate was expired. I couldn't really tell if it meant that the certificate that Sameer generated really needed to be updated, or if Netscape beta 5 had just been rigged to reject non-netscape certificates, but the end result was no encryption.

(Jeff, if you're reading this, of course we know that Netscape, with its open loving policies wouldn't do anything underhanded, but the thought does come to mind, and by the way, when are we going to see an option to turn off or control what information is passed out to the other end. Specifically, I'd like http://anonymizer.cs.cmu.edu:8080/prog/snoop.pl to come up nearly blank.)

Soooo, anyway, I was wondering if anyone knows anything about the use of privately generated certificates.
Yes, Jeff, we know that Netscape is jumping to fully support user-specified certificates, but personally I saw, relating to certificates, a lot of *nifty* options and displays, but really didn't see much in the way of anything that looked like "add".

...Looking forward to the day where end-to-end encryption is king, and the TLA, my competition, or anyone else can take their packet sniffer and kiss my butt.

Don

PS: my predictions on the PRZ-secretly-sold-out-rumor-index: 6. my predictions on the IQ of those making those claims: 6. (cumulative) woohooo Phil!

- --
fRee cRyPTo! jOin the hUnt or BE tHe PrEY
PGP key - http://students.cs.byu.edu/~don or PubKey servers (0x994b8f39)
June 7&14, 1995: 1st amendment repealed. Junk mail to root at 127.0.0.1
* This user insured by the Smith, Wesson, & Zimmermann insurance company *

From 14740 at ef.pc.maricopa.edu Fri Jan 12 02:19:03 1996
From: 14740 at ef.pc.maricopa.edu (Mario Enrique Sanchez)
Date: Fri, 12 Jan 1996 18:19:03 +0800
Subject: No Subject
Message-ID: <9601111632.AA10238@PCEF.pc.maricopa.edu>

Can I be subscribed to the list?

From nobody at tjava.com Fri Jan 12 02:23:07 1996
From: nobody at tjava.com (Anonymous)
Date: Fri, 12 Jan 1996 18:23:07 +0800
Subject: Cryptology and classification
Message-ID: <199601110430.WAA26205@tjava.com>

Hi all,

Just received a memo, the "Desk Reference Guide" to Executive Order 12958. This memo/executive order discusses classified national security information. The cypherpunks-interesting aspect of this memo lies in exceptions to some new guidelines. Basically, this executive order removes the authority for the government to "permanently" classify information. Basically, classification is now limited to 10 years (or 25 years in some special cases).
The exceptions to this allow classification for longer durations for certain types of material. These types include things like protecting intelligence sources and nuclear weapons design info. One of the other exceptions is for:

"...information that would impair United States cryptologic systems or activities."

This appears to be taken directly from the executive order, so these types of decisions are being made at high levels.

Thought you might be interested.

Hooker

From Andrew_Barrett at checkfree.com Fri Jan 12 02:26:02 1996
From: Andrew_Barrett at checkfree.com (Andrew Barrett/CheckFree Corporation)
Date: Fri, 12 Jan 1996 18:26:02 +0800
Subject: Mitnick Road Show
Message-ID: <9601111747.AA0296@6thstreetcheckfree.com>

Andy P. wrote:
>Saw the Stanford seminar given by Tsutomu Shimomura and John Markoff,
>on the subject of Tsutomu's pursuit of Kevin Mitnick.

Saw a teaser last night for Friday's broadcast of the Stone and Pauly show. Looks like they're doing a piece on Mitnick. They did not mention him by name, but used some of the epitaphs commonly associated with Mitnick since Markoff's Cyberpunk. Which makes sense, since most of the viewing public doesn't know Kevin Mitnick from Steve Jobs.

I just hope this piece is better than the infamous Unsolved Mysteries treatments. I am not holding my breath.

From roger at coelacanth.com Fri Jan 12 02:36:03 1996
From: roger at coelacanth.com (Roger Williams)
Date: Fri, 12 Jan 1996 18:36:03 +0800
Subject: Net Metaphor
In-Reply-To: <2.2.32.19960110204432.006a9008@mail.teleport.com>
Message-ID:

>>>>> "Bruce" == Bruce Baugh writes:

> I've recently begun using this metaphor: the Internet is a
> society, composed of all the systems that "speak" its computer
> protocols...

Hey -- I like it! (You don't have a trademark on that, do you?
;)

--
Roger Williams PGP key available from PGP public keyservers
Coelacanth Engineering consulting & turnkey product development
Middleborough, MA wireless * DSP-based instrumentation * ATE
tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/

From jya at pipeline.com Fri Jan 12 18:47:20 1996
From: jya at pipeline.com (John Young)
Date: Fri, 12 Jan 96 18:47:20 PST
Subject: Cybersloth
Message-ID: <199601130247.VAA11438@pipe1.nyc.pipeline.com>

Shimomura and Markoff give an illuminating account of tracking system break-ins; it is in those that Tsutomu and his road crew really dazzle.

Skip the filmic crud and enjoy the gritty details of hackers hacking, stretching legality and propriety, emulating their mocking nemeses.

Glimpse the far-side hackers, say, jsz and jft and xxx, still taunting, eluding, taking down, making pay for job-security cybersloths.

From delznic at storm.net Fri Jan 12 02:49:46 1996
From: delznic at storm.net (Douglas F. Elznic)
Date: Fri, 12 Jan 1996 18:49:46 +0800
Subject: Shimomura on TV?
Message-ID: <2.2.16.19960112025408.2fd72342@terminus.storm.net>

At 08:15 PM 1/11/96 +0000, Michael C. Peponis wrote:
>
>> Has anyone heard anything else about this? I am getting real sick of the
>> media's portrayal of the internet. They never say anything good about it. If
>> they were to mention C2's system they would say how it is a no-rules server
>> to hide thugs and pornos from the police. I am getting sick of watching this
>> trash. The whole realm of the internet and computers and their associated
>> areas are very dear to me I am sick of the media bludgeoning them to death.
>
>Douglas,
>
>Why let it bother you? You must understand that the majority of the
>population of the United States is working class trash, the news
>media is just peddling to the masses, just like the morons that hold
>elected office.
>
>They can keep up the bitching, but that's a good thing, I encourage
>the spread of this kind of disinformation, it keeps even more of the
>masses from getting on for fear of being offended.
>
>Regards,
>Michael Peponis
>PGP Key Available from MIT Key Server, or via finger
>
>

Mr. Peponis,

I see what you are saying but doesn't it bother you the slightest bit?
I guess it is the principle of the whole thing for me. Look at us.
Members of a group whose purpose is to make computers free. We read
hundreds and hundreds of messages a week talking about crypto and legal
stuff, because we care about what happens on an economic, civil and most
importantly a personal level. I don't know, it just bothers me that they
are dragging something so important to me through the mud. They never
mention the good stuff like the OK City support group page, the use in
schools, the effectiveness of the internet as a research tool. And most
of the time their "internet" is AOL.

--
==================Douglas Elznic===================
delznic at storm.net
http://www.vcomm.net/~delznic/
(315)682-5489
(315)682-1647
4877 Firethorn Circle
Manlius, NY 13104
"Challenge the system, question the rules."
===================================================
PGP key available: http://www.vcomm.net/~delznic/pgpkey.asc
PGP Fingerprint: 68 6F 89 F6 F0 58 AE 22 14 8A 31 2A E5 5C FD A5
===================================================

From anon-remailer at utopia.hacktic.nl  Fri Jan 12 02:50:14 1996
From: anon-remailer at utopia.hacktic.nl (Anonymous)
Date: Fri, 12 Jan 1996 18:50:14 +0800
Subject: AP story on PGP
Message-ID: <199601120310.EAA03281@utopia.hacktic.nl>

U.S. Attorney Won't Prosecute Author of Computer Encryption Program

By ELIZABETH WEISE=
AP Cyberspace Writer=

SAN FRANCISCO (AP) - A software writer won't be prosecuted for a program
he wrote that was put on the Internet and is now widely used by computer
users to keep their communications secret, the government said Thursday.
Philip Zimmermann's Pretty Good Privacy encryption program turns computer messages into a jumble of numbers and letters unreadable to anyone except the intended recipient. The code is so unbreakable that it is classified as munitions under the Arms Export Control Act, making its export without a license a felony. Federal prosecutors began investigating Zimmerman in 1993 after the program appeared on the Internet global computer network. Zimmerman said that others put it there, not him. The government opposes export of cryptographic technology for fear it will make it harder to monitor electronic communications overseas, and domestic law enforcement agencies are concerned such programs could keep them from eavesdropping on digital conversations. U.S. Attorney Michael J. Yamaguchi announced the decision not to prosecute Zimmerman, but didn't say why. If convicted, Zimmermann would have faced 51 months in prison. ``I'm just really pleased that the sword of Damocles is not over me anymore and I wonder why it took so long,'' Zimmermann said in a phone interview from his home in Boulder, Colorado. ``This is not just for spies anymore. It's for the rest of us. The information age is here. The rest of us need cryptography to conduct our business.'' The case had been closely watched as computer users and the government square off over free speech and privacy rights. Some critics contended it was foolish of the government to claim that Zimmerman had broken the law because the same coding information forbidden for export electronically may be shipped abroad in print form. They also noted that the technology already circulates throughout the world, making the law unenforceable. ``Zimmermann never exported Pretty Good Privacy, so the U.S. Attorney seemed to be missing the point. 
Unfortunately there still is no clear ruling from our government as to whether or not making software available on the Internet counts as exporting it,'' said Simson Garfinkel, who wrote a book about the program. Zimmerman's supporters argued that without encryption, government could do widespread eavesdropping, perhaps for political reasons, scanning for words and phrases it considers subversive. They acknowledge that a few criminals may use programs like PGP to hide out in cyberspace, but believe that concern is outweighed by free speech and privacy rights. ``The case was part of the government effort to crack down on good technologies for privacy. We hope the government's decision signals a rethinking of federal policy in this very important area,'' said Marc Rotenberg of the Electronic Privacy Information Center in Washington, an on-line civil rights watchdog group. Others see the 2.5-year investigation of Zimmermann as intimidation. ``It seems to me is that all the U.S. Attorney is saying is that they don't want the public relations nightmare of prosecuting Philip Zimmermann, but they still want everyone scared so that they won't exercise their Constitutional rights,'' Garfinkel said. --- Pretty Good Privacy is available on the World Wide Web at http://www.epic.org/privacy/tools.html From llurch at Networking.Stanford.EDU Fri Jan 12 18:52:41 1996 From: llurch at Networking.Stanford.EDU (Rich Graves) Date: Fri, 12 Jan 96 18:52:41 PST Subject: A weakness in PGP signatures, and a suggested solution (long) In-Reply-To: <199601030407.UAA12551@comsec.com> Message-ID: An easy short-term partial solution would be to modify mailcrypt, bap, or whatever front end you use to automatically put the current date and (a shortened form of) the To: or Newsgroups: header into the PGP signature Comments: line. 
-rich From ggeens at elis.rug.ac.be Fri Jan 12 18:52:51 1996 From: ggeens at elis.rug.ac.be (Guy Geens) Date: Fri, 12 Jan 96 18:52:51 PST Subject: A weakness in PGP signatures, and a suggested solution (long) In-Reply-To: <199601030407.UAA12551@comsec.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Fri, 12 Jan 1996, Rich Graves wrote: > Date: Fri, 12 JAN 1996 02:04:13 -0800 > From: Rich Graves > Newgroups: netcraft.cypherpunks, alt.security.pgp, sci.crypt, > mail.cypherpunks > Subject: Re: A weakness in PGP signatures, and a suggested solution (long) > > An easy short-term partial solution would be to modify mailcrypt, bap, or > whatever front end you use to automatically put the current date and (a > shortened form of) the To: or Newsgroups: header into the PGP signature > Comments: line. > > -rich PGP totally ignores the Comment: line. How do you think this helps? (Note: references are signed with the rest of the message ;-) Guy Geens : Ph.D. student at ELIS -- TFCG / IMEC Atypical civil engineer -- And proud of it! 
Home Page: http://www.elis.rug.ac.be/ELISgroups/tfcg/staff/gg.html finger ggeens at elis.rug.ac.be for PGP public keys (or use keyserver) -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQBVAwUBMPZFaXwHoCha5QR1AQG/0wH/XmSC8y6/IKk3kuDYFTOCVvU6+j+Zlu0B XpssrtwG3Fhck0CyJhYLzpqfw2D5wj8lL/SLsilmd8fVLo//jLUmSw== =8xTy -----END PGP SIGNATURE----- From zinc at zifi.genetics.utah.edu Fri Jan 12 18:53:31 1996 From: zinc at zifi.genetics.utah.edu (zinc) Date: Fri, 12 Jan 96 18:53:31 PST Subject: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Fri, 12 Jan 1996, Jay Holovacs wrote: > Date: Fri, 12 Jan 1996 21:31:27 -0500 (EST) > From: Jay Holovacs > To: zinc > Cc: Alan Bostick , cypherpunks at toad.com > Subject: Re: Novel use of Usenet and remailers to mailbomb from luzskru at cpcnet.com > > > > On Fri, 12 Jan 1996, zinc wrote: > > > regarding remailer spams: > > > > one way to prevent this sort of spamming is to put a cap on the number > > of messages that can be delivered to a given address. of course, an > > exception will have to be made for instances of chaining so that the > > number of messages allowed to be forwarded to another remailer is not > > limited. > > > > i'm trying to think of a scenario where this would not be a good > > thing. i suppose if somone was conducting an anonymous poll their > > address should not have a limit. > > > > i'm sure there are problems with a mesg quota system, but it does seem > > like an easy solution. > > > Unrelated legitimate messages may arrive after the 'limit ' has been reached. i realize this is an obvious problem. although this is a weakness, i'm not sure it would really matter. if a person was going to be doing something on the net they expected would generate a lot of anon traffic they could notifiy the remailer operators. this has other weaknesses related to forgeries but there's only so much that can be done... 
obviously this is not going to be an easy problem to solve. - -pjf patrick finerty = zinc at zifi.genetics.utah.edu = pfinerty at nyx.cs.du.edu U of Utah biochem grad student in the Bass lab - zinc fingers + dsRNA! ** FINGER zinc-pgp at zifi.genetics.utah.edu for pgp public key - CRYPTO! zifi runs LINUX 1.3.56 -=-=-=WEB=-=-=-> http://zifi.genetics.utah.edu -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by mkpgp1.6, a Pine/PGP interface. iQCVAwUBMPcejU3Qo/lG0AH5AQEteQP/Ss6/bPyii2WW/2Z1qJG+J+sDAfI1RAuU zKpnS6pCPGaoF/Hn4YYDwyG6ut168KP536Q+fQDTV0yPuTKxT1pjO2+vqY8XeOmA Mj/D8cOEN6dMPThp8Tgd93/wJKRE1+lW70YkXAybMtISMe3ulrOVCXyNcAGAhpQj f35BKt2km3g= =PeFd -----END PGP SIGNATURE----- From liberty at gate.net Fri Jan 12 02:54:03 1996 From: liberty at gate.net (Jim Ray) Date: Fri, 12 Jan 1996 18:54:03 +0800 Subject: Zimmermann case is dropped. Message-ID: <199601121039.FAA03748@osceola.gate.net> -----BEGIN PGP SIGNED MESSAGE----- [My sincere congrats to PRZ & Mr. Goen, and to Mr. Keane for getting a clue. I am sure the timing of this happy news had *nothing at all* to do with politics...] A few questions about the investigation: What did the ZLDF end up spending? What did the govt. end up spending? [I know, it's hard to track taxe$.] Was this decision on the part of the prosecution as voluntary as it's made to sound, or were some members of the grand jury starting to make "nullification noises" as the investigation progressed? Has the grand jury been dismissed yet? If so, have any jurors spoken publicly about the investigation? JMR -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Freedom isn't Freeh. 
iQCVAwUBMPY6HW1lp8bpvW01AQH6oAQAjCePRH2YcEo/OlJrfXMG/K0Fk0/0gcE5
z9k0AYDeNb4iY7vaxSaauPlbQZrw2J48ItWf1y45LSiAE32+sJvYogrIyJbqTDhB
4yC5uXXPzLQcA3tp3AEkUe7Zbr7n1X1uAz2LwfddwRRiNnXxFtd0TIcReg4Bdv5g
KB8S+9fCgk8=
=hPyf
-----END PGP SIGNATURE-----

From adam at lighthouse.homeport.org  Fri Jan 12 02:58:11 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Fri, 12 Jan 1996 18:58:11 +0800
Subject: Cryptolib & Crypto++
In-Reply-To: <9601120145.AA09274@vongole.MIT.EDU>
Message-ID: <199601120225.VAA22645@homeport.org>

grimm at MIT.EDU wrote:

| What are Cryptolib & Crypto++?

Cryptolib is a package by Jack Lacy of AT&T. It provides a C library
interface to a variety of useful crypto algorithms. Includes bignums,
standard ciphers, a truerand, public key time quantization, some other
stuff.

Crypto++ is a C++ library by Wei Dai. Its original implementation was
pulled after RSA threw lawyers around. Version 1.1 was released recently
with RSA cooperation. It includes a very large number of algorithms,
including all the usual ones (DES, IDEA, rsa) and some less common ones:
Lubyrack, diamond, rc5. It also has random number, compression, hash
functions, zeroknowledge, secret sharing, ascii armoring, etc. If I used
C++, this would be all I needed.

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume

From pati at ipied.tu.ac.th  Fri Jan 12 03:04:01 1996
From: pati at ipied.tu.ac.th (Patiwat Panurach (akira rising))
Date: Fri, 12 Jan 1996 19:04:01 +0800
Subject: Some questions about ecash[tm]
In-Reply-To: <199601110932.WAA09988@iconz.co.nz>
Message-ID:

On Thu, 11 Jan 1996, David Murray wrote:

> 1. Has there been any significant/in-depth coverage
> of the Mark Twain Banks product in the financial/
> banking press? Digicash's press file stops just
> before the launch, and Digicash/Mark Twain Banks
> press releases are not exactly what I'm looking for.

I wrote a paper on the economic aspects of ecash and other electronic
cashes last month.
I believe I posted it onto cypherpunks. Main conclusion was that ecash
is equivalent to cash in terms of bank practice and money supply. I'll
send you a copy if you want. Not seen any mention in the academic press
though (either of my paper or of any others).

PS the ecash mailing list is low volume and pretty focused. discusses
security and economics and stuff.

-------------------------------------------------------------------------------
Patiwat Panurach              Whatever you can do, or dream you can, begin it.
eMAIL: pati at ipied.tu.ac.th Boldness has genius, power and magic in it.
m/18 junior Fac of Economics                             -Johann W.Von Goethe
-------------------------------------------------------------------------------

From koontz at MasPar.COM  Fri Jan 12 03:16:52 1996
From: koontz at MasPar.COM (David G. Koontz)
Date: Fri, 12 Jan 1996 19:16:52 +0800
Subject: VHDL des model
Message-ID: <9601120256.AA24690@argosy.MasPar.COM>

A minimal DES chip implementation can be found at:

ripem.msu.edu:/pub/crypt/des/vhdl_des.tar.z

-rw-r----- 1 mrr ftpsec 93630 Jan 12 02:01 vhdl_des.tar.z

It was written to go with a paper on DES Hardware I'm putting the
finishing touches on. Note that this site requires a password to belong
to group ftpsec to download.

It will encrypt in 47 clocks (8 IP, 29 Key Schedule, 8 FP) or decrypt in
46 clocks (28 Key Schedule), and will fit in some of the larger FPGAs.

The paper, when finished, will describe various performance enhancements
such as double buffered IP and FP (which is covered by an Ultron patent,
although probably invalid), direct key schedule (16 clocks), or
superscalar DES (approaching 1 clock per 64 bit block).

For any hardware wonks, this is done in Synopsys VSS, although the
README file contains enough information for other VHDL implementations.

There are also 4 or 5 'C' programs for generating VHDL files of the
S Boxes in various configurations, and a sample 'C' DES program done in
1988 for the original UNIX libdes (source included).
The 'C' program can be used to generate equivalent structures for
debugging your own DES hardware variations.

The test vectors are from NBS Special Pub 500-20 (circa 1978).

From owner-cypherpunks at toad.com  Fri Jan 12 03:22:44 1996
From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com)
Date: Fri, 12 Jan 1996 19:22:44 +0800
Subject: No Subject
Message-ID:

On Thu, 11 Jan 1996 hallam at w3.org wrote:

> make small ones out of big ones. That's a big plus in many people's books.
>
>
>
> >       We've made no progress. Phil has lots lots of time and gained
> >lots of grey hairs, and everyone who donated to his defense fund lost
> >money.
>
> No progress? At least Phil is not going off on a trip to Alcatraz to
> One of the most overdue reforms of the US government is the renaming of
> the FBI building to remove the name of J Edgar Hoover. The abuse of power
> under his administration of the FBI continues to poison the US polity
> by providing clear proof to many citizens that their government cannot be
> trusted. While the abuses of Hoover continue to be commemorated in this
> fashion there can be little public confidence in any claims of reform.
>
> >       The US can still harass people if they want, and make their
> >life hell.
>
> Not just the US government. There are many crooks out there who have attempted
> or are attempting worse. At least with the government there are means to
> bring it to heel eventually.
>
> Phill
>
>

(defun modexpt (x y n) "computes (x^y) mod n"
  (cond ((= y 0) 1)
        ((= y 1) (mod x n))
        ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n))
        (t (mod (* x (modexpt x (1- y) n)) n))))

From owner-cypherpunks at toad.com  Fri Jan 12 03:29:48 1996
From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com)
Date: Fri, 12 Jan 1996 19:29:48 +0800
Subject: No Subject
Message-ID:

> >       We've made no progress. Phil has lots lots of time and gained
> >lots of grey hairs, and everyone who donated to his defense fund lost
> >money.
>
> No progress?
At least Phil is not going off on a trip to Alcatraz to
> make small ones out of big ones. That's a big plus in many people's books.

I wish I could make another of my pollyannaish posts now, but I agree
with Sameer. It's great that Phil's off the hook, but there's nothing to
stop them from doing the same thing to someone else tomorrow. What's
more, everyone here knows that, and so the government gets what it
really wants: a chilling effect on crypto development.

How much credit do you give a guy when he stops beating his wife? They
put Phil through the ringer, made him spend his money on lawyers, and
added a lot of stress to his life. But they haven't admitted that they
were wrong, and they haven't renounced such actions in the future.

We're all very happy that Phil's out of the woods, and today's
announcement is a great thing. But it's not enough.

From jya at pipeline.com  Fri Jan 12 03:29:50 1996
From: jya at pipeline.com (John Young)
Date: Fri, 12 Jan 1996 19:29:50 +0800
Subject: PGP_foi
Message-ID: <199601121122.GAA22917@pipe4.nyc.pipeline.com>

1-12-96. NYPaper:

"Data Secrecy Export Case Dropped by U.S." By John Markoff.

PGP_foi

From jya at pipeline.com  Fri Jan 12 03:52:59 1996
From: jya at pipeline.com (John Young)
Date: Fri, 12 Jan 1996 19:52:59 +0800
Subject: Shimomura on BPF, NSA, Crypto
Message-ID: <199601120029.TAA28014@pipe3.nyc.pipeline.com>

Shimomura on BPF, NSA and Crypto:

One of the tools I modified for my work was a sophisticated piece of
software called the Berkeley Packet Filter. ... Unlike the original BPF,
my version was designed to bury itself inside the operating system of a
computer and watch for certain information as it flowed through the
computer from the Internet. When a packet from a certain address, or for
that matter any other desired piece of information designated by the
user flashed by, BPF would grab it and place it in a file where it could
be kept for later viewing.
I had developed my initial version of the faster BPF in the expectation that I would receive additional research funding for the work from the National Security Agency. The Agency had begun supporting my work under a Los Alamos National Labs research grant in 1991, and had promised to extend their support for my work, but the funding was never forthcoming. I developed the tool, but after I completed the work, in early 1994, the bureaucrats in the agency reneged on funding. The idea of working with the NSA is controversial in the community of security professionals and civil libertarians, many of whom regard the NSA as a high-tech castle of darkness. Libertarian by inclination or by the influence of their colleagues, the nation's best computer hackers tend to possess a remarkable sensitivity to even the slightest hint of a civil liberties violation. They view with deep distrust the work of the National Security Agency, which has the twin missions of electronic spying around the globe and protecting the government's computer data. This distrust extends to anyone who works with the agency. Am I contaminated because I accepted research funding from the NSA? The situation reminds me of the scene in the movie Dr. Strangelove where General Jack D. Ripper is obsessed by the idea of his bodily fluids being contaminated. I think the idea of guilt by association is absurd. My view is very different. First of all, I don't believe in classified research and so I don't do it. The work I was undertaking on packet-filtering tools was supposed to be funded by the agency for public release. The tools were to be made widely available to everyone, to use against the bad guys who were already using similar tools to invade people's privacy and compromise the security of machines on the Internet. But even more to the point, I believe that the agency, rather than inherently evil, is essentially inept. 
Many people are frightened of the NSA, not realizing that it is like any other bureaucracy, with all of a bureaucracy's attendant failings. Because the NSA staff lives in a classified world, the government's normal system of checks and balances doesn't apply. But that doesn't mean that their technology outpaces the open computer world; it just means they're out of touch and ponderous. In any case, I feel strongly that tools like BPF are absolutely essential if the Internet is to have real security, and if we are to have the ability to trace vandals through the Net. If people are concerned that individual privacy is at stake, they should probably worry less about who should have the right to monitor the networks, and instead focus their efforts on making cryptographic software widely available. If information is encrypted it doesn't matter who sees it if they can't read the code. Cryptography is another example of my point that a tool is just a tool. It was, after all, used primarily by kings, generals, and spies until only two decades ago. Then work done by scientists at Stanford, MIT, and UCLA, coupled with the advent of the inexpensive personal computer, made encryption software available to anyone. As a result, the balance of power is dramatically shifting away from the NSA back toward the individual, and toward protecting our civil liberties. ["Takedown," pp. 102-04] From owner-cypherpunks at toad.com Fri Jan 12 04:14:55 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 12 Jan 1996 20:14:55 +0800 Subject: No Subject Message-ID: > From: Michael C. Peponis > To: cypherpunks at toad.com > > Why let it bother you? You must understand that the majority of the ^^^^^^^^ > population of the United States is working class trash, the news ^^^^^^^^^^^^^^^^^^^ Hope you're including yourself in that. > media is just peddeling to the masses, just like the morons that hold ^^^^^^^^^ Can't spell - *must* be working class trash... 
> elected office. > > Regards, > Michael Peponis ^^^^^^^ Tell me: is the 'po' silent? From rainbird at smartlink.net Fri Jan 12 05:00:38 1996 From: rainbird at smartlink.net (William T. Rainbird) Date: Fri, 12 Jan 1996 21:00:38 +0800 Subject: reach out! Message-ID: <30F609CC.3C03@smartlink.net> I know this isn't a typical posting for this group, but I thought I'd point out that O.J. Simpson has a video for sale, to further exploit his carnage. You can buy it by dialing 1-800-OJTELLS 1-800-658-3557 it is a FREE CALL (for you). I guess that means the MERCHANT PAYS for the calls, even if NOTHING IS ORDERED... Please repost and tell your friends! From rah at shipwright.com Fri Jan 12 21:01:40 1996 From: rah at shipwright.com (Robert Hettinga) Date: Fri, 12 Jan 96 21:01:40 PST Subject: Novel use of Usenet and remailers to mailbomb Message-ID: Jammin' on the mailbomb trick... Looks like it's a variant of another scheme used elsewhere, viz, --- begin forwarded text To: rah at shipwright.com (Robert A. Hettinga) From: oldbear at arctos.com (The Old Bear) Subject: Re: Novel use of Usenet and remailers to mailbomb Date: Fri, 12 Jan 1996 23:10:43 EDT rah at shipwright.com (Robert A. Hettinga) writes: >From: rah at shipwright.com (Robert A. Hettinga) >Newsgroups: tiac >Subject: Novel use of Usenet and remailers to mailbomb >Date: Fri, 12 Jan 1996 14:34:18 -0500 >Organization: e$ >| Somebody, too clever for their own good by half, has come up with a >| novel way of using Usenet and anonymous remailers to perpetrate >| mailbombs. The M.O. is to post a message to the naked-lady newsgroups >| saying "get pics in your mailbox! send this message to this address!), >| giving the email address of a cypherpunk-style anonymous remailer and >| including a pgp-encrypted message block. A variation on the mailbomb from dispersed unwitting sites, except involving the telephone network, was discussed on alt.dcom.telecom some time back. Maybe you call this a phone bomb. 
As you know, pager companies get blocks of numbers within a local
exchange for their operations. So, for example, 635-3000 to 635-3999 may
represent a thousand radio pager customers of a particular paging
company.

Wanting to harass an estranged spouse, some nefarious character
programmed a dialler daemon to sequentially call each of the numbers in
a pager block and leave a message to return call to the spouse's phone
number.

Naturally, caller id did no good to track or ignore the unwanted calls
to the spouse at all hours from pager subscribers who were receiving
messages on their alpha-numeric pagers to call the spouse's number.
'Wrong number' calls were coming in to the spouse from all over at all
times. Moreover, it is virtually impossible for a pager company to track
a single number which calls each of its lines only once.

Definitely not a nice thing.

--- end forwarded text

Cheers,
Bob Hettinga

-----------------
Robert Hettinga (rah at shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA
"Reality is not optional." --Thomas Sowell
The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/

From anon-remailer at utopia.hacktic.nl  Fri Jan 12 05:07:38 1996
From: anon-remailer at utopia.hacktic.nl (Anonymous)
Date: Fri, 12 Jan 1996 21:07:38 +0800
Subject: BIG NEWS: PRZ investigation dropped!
In-Reply-To: <199601120538.VAA02068@blob.best.net>
Message-ID: <199601120716.IAA11219@utopia.hacktic.nl>

James A. Donald (jamesd at echeque.com) wrote:

: >From: Stanton McCandlish
: >Date: Thu, 11 Jan 1996 11:53:46 -0800 (PST)
: >
: >Justice Dept. dropped investigation of Phil Zimmermann, declines to
: >prosecute.
:
: I never expected them to prosecute, unless he forced them to by
: toilet bombing the court, but I did expect them to keep on
: "investigating" him forever and a day.

The statute of limitations would have run out in a few months.
They could have kept "investigating" a little longer, but then they would have looked really stupid investigating a crime that they couldn't prosecute. That would also have been clear evidence of harassment. From dmandl at bear.com Fri Jan 12 05:51:52 1996 From: dmandl at bear.com (David Mandl) Date: Fri, 12 Jan 1996 21:51:52 +0800 Subject: Zimmermann case is dropped. In-Reply-To: <199601112329.PAA15617@infinity.c2.org> Message-ID: On Thu, 11 Jan 1996, sameer wrote: > We've made no progress. Phil has lots lots of time and gained > lots of grey hairs, and everyone who donated to his defense fund lost > money. > The US can still harass people if they want, and make their > life hell. Agreed. To me it was always a question of _when_ the charges would be dropped, not _if_. The point of these things is generally not to prosecute people but to harrass them, paralyze them, and make them blow lots of money. Unfortunately, the government was successful on all three counts. The good news is that if the case hadn't been dropped it would have meant more of all three for Phil, whether or not he "won" the case in the end. --Dave. -- ******************************************************************************* Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication. ******************************************************************************* From nowhere at bsu-cs.bsu.edu Fri Jan 12 06:15:39 1996 From: nowhere at bsu-cs.bsu.edu (Anonymous) Date: Fri, 12 Jan 1996 22:15:39 +0800 Subject: E-mail Spoof Throws Apple for a Loop Message-ID: <199601121356.IAA03781@bsu-cs.bsu.edu> Your message here. Dirty, Rotten E-Mail Liar Accuses Apple of Being Worth a Lot More By JIM CARLTON Staff Reporter of The Wall Street Journal To Apple Computer Inc.'s litany of woes, add a mad e-mailer. 
The e-mailer struck this week with a copy of a bogus message from Sony Corp.'s president threatening a hostile takeover of the Cupertino, Calif., computer maker. The "letter" showed up in e-mail baskets of computers throughout Silicon Valley and beyond. Managers at Apple read the letter with great interest -- until they got to the part about Sony offering $63 a share, or roughly double Apple's stock value. Now Silicon Valley is abuzz about who the mad e-mailer is. Sony has launched an investigation, promising to explore "the availability of appropriate legal action against those responsible." At first glance, the letter appears to be worded authentically enough. Addressed to Apple CEO Michael Spindler from Nobuyuki Idei, it says Sony intends to buy all of Apple's shares for $7.74 billion after a breakdown in merger talks that were supposedly taking place between the two companies. "We believe this is the fastest, most efficient way to bring our companies together," Mr. Idei purportedly says. But at Apple, executives quickly dismissed the letter as a prank. For one thing, the Apple e-mail address was for a "c.franz," a person unknown to the company. The letter also misidentified Mr. Idei as Sony's chairman and CEO. And initial notification of such a takeover bid is almost never made by letter, for secrecy reasons. So just who is the mad e-mailer? The return address was left blank, and a list of suspects could prove endless. A disgruntled employee is one possibility. Scads of Apple managers have departed in recent months. Or, analysts say, it could be a cheap shot by an employee at an Apple competitor. Whoever the culprit is, "this sounds like a real attempt to tick somebody off," says Mark Macgillivray, an industry consultant in Sunnyvale, Calif. The e-mail letter was circulating as Apple was announcing an estimated loss of $68 million and plans for a restructuring that analysts expect to include massive layoffs. 
Since Apple has long been rumored to be a takeover target, the letter added to the angst in Cupertino. In a reflection of morale at Apple, some engineers are joking they're disappointed the letter was phony. They would have liked Apple to accept the offer. From jsw at netscape.com Fri Jan 12 07:35:10 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Fri, 12 Jan 1996 23:35:10 +0800 Subject: (none) In-Reply-To: Message-ID: <30F67AE6.76F1@netscape.com> owner-cypherpunks at toad.com wrote: > I was today playing around with a Mozilla 2.0beta5 that someone gave me > [more bells and whistles than my 1.12, but not much more bang for the buck] > and was showing a friend all the nifty information that netscape tells > about you when you visit sites, then went to c2 to show off the apache > web server and when I tried to use https:// to show off how you can have your > own encrypting web server for free and everything, a window popped up and > said the certificate was expired. > > I couldn't really tell if it meant that the certificate that Sameer generated > really needed to be updated, or if Netscape beta 5 had just been rigged to > reject non-netscape certificates, but the end result was no encryption. I just looked at c2's certificate, and it doesn't expire until april. The only reason I can think of that you should have a problem is if the date on your machine is wrong. > (Jeff, if you're reading this, of course we know that Netscape, with it's open > loving policies wouldn't do anything underhanded, but the thought does come > to mind, and by the way, when are we going to see an option to turn off or > control what information is passed out to the other end. Specifically, I'd like > http://anonymizer.cs.cmu.edu:8080/prog/snoop.pl to come up nearly blank.) We do not send the HTTP 'From:' header. I will look into where they are getting the user name and location from. 
There is really nothing I can do in the Navigator to stop them from getting your IP address or DNS name. > Soooo, anyway, I was wondering if anyone knows anything about the use of > privately generated certificates. Yes, Jeff, we know that Netscape is jumping > to fully support user-specified certificates, but personally I saw, relating > to certificates, a lot of *nifty* options and displays, but really didn't > see much in the way of anything that looked like "add". If you are operating a server you can use a certificate signed by any CA you want. When someone running Navigator 2.0 connects to that site they will be presented with a sequence of dialogs that allow them to decide if they want to talk to your site. Adding new certificates (other than for remote SSL servers) will generally be done via CA web pages, not the preferences UI. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From JMKELSEY at delphi.com Fri Jan 12 08:27:54 1996 From: JMKELSEY at delphi.com (JMKELSEY at delphi.com) Date: Sat, 13 Jan 1996 00:27:54 +0800 Subject: Limiting Reuse of Certificates Message-ID: <01HZW0SKW2K29BX1TS@delphi.com> -----BEGIN PGP SIGNED MESSAGE----- [To: cypherpunks list ## Date: 01/11/96 02:25 pm ## Subject: Limiting reuse of certificates. ] >Date: Mon, 08 Jan 1996 17:31:24 -0500 (EST) >From: Michael Froomkin >Subject: Certificates: limiting your liability with reuse limitations >Suppose I am a CA. I am worried that by issuing a certificate with >a lifespan of more than 2 milliseconds I am opening myself up to >unlimited liability if for some reason, despite my best efforts, I >issue an erroneous certificate. >I know I can put an expiration date on the certificate, but that's >not enough. I can accumulate a lot of exposure in a few seconds, >much less weeks. 
>I know I can put a reliance limit in the X.509 ver 3 certificate,
>but that's not enough. Even a $1 limit could be used many millions
>of times.

>Is it feasible to say: Can only be relied on once per
>day/week/month? Is this something the relying parties can reasonably
>be expected to monitor?

This is a hard problem. The only way I can see to do this is to require interaction with the CA (or its proxy) for each signature. The good news is that if you're doing certificate revocation lists online, then there is probably already some interaction with the server to verify that a certificate is still valid, before it is accepted. The trick here is to flip around who has to check the CRL server.

a. Bob forms D = document he wants signed, ID_B = Bob's ID, and sends to Alice M_0 = ID_B, D.

b. Alice forms T = timestamp and sends to the Server M_1 = T, hash(ID_B, D), Sign_{SK_A}(T, hash(ID_B, D)).

c. The Server verifies the timestamp, the signature, and that Alice is currently allowed to sign things (her certificate is valid and hasn't been overused today). If not, it drops the connection and ends the protocol. If things all check out, however, it forms M_2 = T, Sign_{SK_S}(T, hash(ID_B, D), Certificate_A).

d. Alice now has (until the timestamp T becomes too stale) an authorization to sign D. She does so, and sends to Bob (who's been waiting all this time) M_3 = T, ID_B, D, Certificate_A, M_2, Sign_{SK_A}(ID_B, D).

Now, the trick is to redefine valid signatures as only those that look like M_3. The recipient has to verify the timestamp, and that he hasn't received an identical signature from Alice recently, and has to verify the two signatures. (I make no promises about the soundness of this protocol--it's meant to illustrate the idea, not to be used directly.)

Other than that, I can't think of anything that will fit the bill.

>A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
>Associate Professor of Law |
>U.
Miami School of Law | froomkin at law.miami.edu >P.O. Box 248087 | http://www.law.miami.edu/~froomkin >Coral Gables, FL 33124 USA | It's warm here. Note: Please respond via e-mail as well as or instead of posting, as I get CP-LITE instead of the whole list. --John Kelsey, jmkelsey at delphi.com PGP 2.6 fingerprint = 4FE2 F421 100F BB0A 03D1 FE06 A435 7E36 From jamesd at echeque.com Fri Jan 12 08:28:33 1996 From: jamesd at echeque.com (James A. Donald) Date: Sat, 13 Jan 1996 00:28:33 +0800 Subject: BIG NEWS: PRZ investigation dropped! Message-ID: <199601120538.VAA02068@blob.best.net> >From: Stanton McCandlish >Date: Thu, 11 Jan 1996 11:53:46 -0800 (PST) > >Justice Dept. dropped investigation of Phil Zimmermann, declines to >prosecute. I never expected them to prosecute, unless he forced them to by toilet bombing the court, but I did expect them to keep on "investigating" him forever and a day. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From declan+ at CMU.EDU Fri Jan 12 08:32:31 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sat, 13 Jan 1996 00:32:31 +0800 Subject: Zimmermann case is dropped. In-Reply-To: <199601121406.JAA26445@pipe4.nyc.pipeline.com> Message-ID: Excerpts from internet.cypherpunks: 12-Jan-96 Re: Zimmermann case is drop.. by John Young at pipeline.com > AUSA William Keane in today's WSJ: > > "This decision shouldn't be interpreted as meaning > anything.
I caution people against concluding the > Internet is now free for export." And in today's Washington Post, in an article by Elizabeth Corcoran: William P. Keane, assistant U.S. attorney in San Jose, declined to explain why the government closed its investigation of Zimmermann, citing the Justice Department's policy of not commenting on reasons for dropping a case. There is "no change in law, no change in [encryption] policy," he said. "If you're planning on making encryption available over the Internet . . . or other means, better check with the State Department first." -Declan From carolann at censored.org Fri Jan 12 08:41:40 1996 From: carolann at censored.org (Censored Girls Anonymous) Date: Sat, 13 Jan 1996 00:41:40 +0800 Subject: Certificates: limiting your liability with reuse limitations Message-ID: <199601120400.VAA26163@usr3.primenet.com> In Minnesota, you wouldn't be liable. All you can do IS all you can do. Anything else is a crime! (on their part). Love Always, Carol Anne At 05:07 PM 1/11/96 -0800, you wrote: >You write: >How do notaries public get around this liability problem? It seems to me >that the checking done for a certificate might be similar to the checking >done by a notary - a glance at a driver's license, say. Are they subject >to liability if they are fooled by fake ID? > >Hal > > -- Member Internet Society - Certified BETSI Programmer - Webmistress *********************************************************************** Carol Anne Braddock (cab8) carolann at censored.org 206.42.112.96 My Homepage The Cyberdoc *********************************************************************** ------------------ PGP.ZIP Part [017/713] ------------------- M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M MF=O0H+*%(-S%&>S%+FS& http://dcs.ex.ac.uk/~aba/export/ From declan+ at CMU.EDU Fri Jan 12 08:49:43 1996 From: declan+ at CMU.EDU (Declan B. 
McCullagh) Date: Sat, 13 Jan 1996 00:49:43 +0800 Subject: Mitnick: Markoff responds to Platt's CuD "Takedown" critique Message-ID: Topic 1119 [media]: Media Appearances of WELLperns VI, S.F.Bay Area Division #160 of 296: john markoff (johnm) Wed Dec 20 '95 (14:49) 557 lines Charles is certainly entitled to his opinion about our book, but I thought I would take this opportunity to correct his inaccuracies. REVIEW OF TAKEDOWN ON THE COMPUTER UNDERGROUND DIGEST The Mad-Scientist Myth Figure A circumlocuitous review of _Takedown_ by Tsutomu Shimomura and John Markoff (Hyperion, $24.95) by Charles Platt > Perhaps it seems strange that a journalist should defend herself by pleading ignorance of the subject that she chose to write about. Still, we should give Katie Hafner credit where it is due: she now seems genuinely repentant. Just for the record, Katie says that her remarks were taken out of context here by Charles. For her actual views you might want to look at her Esquire article on the subject, which is reprinted in a new paperback version of Cyberpunk. > The same can hardly be said for her ex-husband and ex-collaborator John Markoff, who must have made well over half a million dollars by now, portraying Kevin Mitnick as an arch-enemy of techno-society. If Markoff regrets the "darkside hacker" label, he hasn't said much about it. * * * > Unlike many hackers, Kevin Mitnick never looked for publicity. He felt he should be paid for giving interviews, and when Hafner and Markoff refused to come up with any money, he refused to talk to them. He became famous--or infamous--while doing his best to remain obscure. The darkside hacker label was created during the late 1980s by the Southern California press. It is a label that I noted, but I didn't create. However, he's right I don't regret using it. And also for the record, Kevin Mitnick used to drive around in Las Vegas with a stack of copies of Cyberpunk in the trunk of his car to give away to admirers.
He is on record as saying the book is "20 percent inaccurate." > The key event that catalyzed this strange ascent to notoriety occurred on July 4th, 1994, when a story by John Markoff appeared on the front page of _The New York Times._ Headlined "Cyberspace's Most Wanted: Hacker Eludes F.B.I. Pursuit," the text described Mitnick as "one of the nation's most wanted computer criminals" and was accompanied with a suitably menacing mug shot. The story was liberally spiced with tidbits recycled from _Cyberpunk,_ but if you looked more closely, there wasn't any actual news. Mitnick had violated parole a year or so previously, had disappeared at that time, and hadn't been seen since. That was all. This is really inaccurate. Kevin Mitnick had become notorious nationally in the late 1980s as a result of his being arrested for attacks on Digital Equipment Computers. A menacing mug shot? It was the only photo available. No actual news? Not the way I remember it. The news was that he was being pursued by the FBI (three agents full time), the California DMV, US Marshalls, telco security, local police, etc. The further news was that the FBI had told cellular telephone companies that they believed the fugitive had stolen software from at least six cellular phone manufacturers. I thought then, and still think, this merited a story. I also think the story was a good yarn. Mitnick had succeeded in evading law enforcement for more than a year - again. Why was this on the front page of a highly respected newspaper? Maybe because of the scary implications: that a weirdo who could paralyze vast computer networks was on the loose, and law enforcement had been too stupid to catch him. In reality, though, Mitnick has never been accused of willfully damaging any hardware or data, and has never been Wrong again. He was accused of doing more than $100,000 damage at US Leasing, a SF time sharing company in 1980. Their system was trashed by a group that Mitnick was a member of. 
After that, at various other times he cost companies tens of thousands of dollars trying to close the door on his attacks. A further point is that I have no control over placement of my stories in the paper. In _Cyberpunk,_ he was described as an omnipotent, obsessive-compulsive, egotistical, vindictive sociopath who used his computer to take revenge on the world that had spurned him. He later claimed (in _2600_ magazine) that this This is a totally misreading of Cyberpunk. I invite anyone to read that section of the book and see if that is the way he was portrayed. was "twenty percent fabricated and libelous." Maybe so, but I guess Kevin acknowledged 80 percent of what we wrote as accurate... 8) So far as I can discover, the FBI didn't classify Mitnick as one of America's most wanted; it was John Markoff who chose to apply that label. Markoff went far beyond the traditional function of a journalist who merely reports news; he helped to create a character, and the character himself became the news. Sorry, but I didn't create the character, Kevin did. He has now been arrested six times in fifteen years. Each time, except for this last time, he was given a second chance to get his act together. He chose not too. It seems to me that he is an adult and makes choices. He chose to keep breaking in to computers. He knew what the penalty was. So what's the problem? Unfortunately for Mitnick, this made him the target of a hacker witch hunt. A few years ago, here in CuD, Jim Thomas A witch hunt? Give me a break. It was an article describing a law enforcement hunt for a fugitive, who had been arrested five times previously, convicted at least three times, and was known to be attacking the computers of the nation's cellular telephone companies. 
* * * This information probably wasn't worth much; Markoff told the feds that Mitnick could probably be found stuffing himself with junk food at the nearest Fatburger, whereas in fact Mitnick was working out regularly, had slimmed down to normal weight, and had become a vegetarian. Oh please. I was called by Kent Walker, the AUSA on the case during a meeting at the Well. He asked me if I thought Mitnick was dangerous. I responded that everything I knew about Mitnick had either been in Cyberpunk or my July 4 1994 article, ie. in the public. I repeated the story of one arrest in which Kevin ended up handcuffed in tears over the hood of the detective's car. I gave no other information, nor got any. John Markoff's precise motives remain a mystery. We can, however, learn something by examining his writing. In his _Times_ article describing Mitnick's capture, he stated that the hacker had been on a "long crime spree" during which he had managed to "vandalize government, corporate and university computer systems." These are interesting phrases. "Crime spree" suggests a wild cross-country caper involving robberies and maybe even a shoot-out. In reality, Mitnick seems to have spent most of his time hiding in an apartment, typing on a keyboard. The word "vandalize" implies that he wantonly wrecked some property; in reality, Mitnick caused no intentional damage to anyone or anything. This is just not true. Kevin Mitnick was actively sharing system vulnerabilities with other people on the net. That is about the most damaging thing that could be done to the Internet community. When it came down to it, Markoff's journalism was long on opinion and short on facts. Sort of like this review, I guess..... 8) * * * I have a fantasy. In my fantasy, John Markoff bursts into a room where Tsutomu Shimomura sits as solemn as a zen master, peering impassively at a computer screen while he types a Perl script. "Tsutomu, I have good news and bad news!" Markoff exclaims. 
"The good news is, we sold the book rights for three-quarters of a million. The bad news is, I haven't got a clue what Mitnick was doing for the past two years. What the hell are we going to write about?" Shimomura doesn't even bother to look up. He gives a barely perceptible shrug and says, "Me, of course." This is weird... Mitnick grew up in a lower-class single-parent household and taught himself almost everything he knew about computers. Nice try. Kevin took lots of computer classes at various schools. * * * Presumably because Markoff felt that some romantic interest would help to sell the story, this book contains revelations of a type normally reserved for Hollywood celebrities or British royalty. While he was pursuing Mitnick, Shimomura was also pursuing "Julia," the long-term girlfriend of John Gilmore, one of the first employees at Sun Microsystems in 1982 who subsequently co-founded the software corporation Cygnus. The reason we described what happened at Toad Hall on Xmas was that the attacks first came from toad.com while Tsutomu and Julia were there. If we hadn't have been complete in our description someone would have charged us with a cover up. Please remember that David Bank, a San Jose Mercury reporter, spent several weeks pursuing the hypothesis that Tsutomu had attack his own computers. Kevin Mitnick begins to seem likable by comparison. At least he shows some irreverence, taunting Shimomura and trying to puncture his pomposity. At one point, Mitnick bundles up all the data he copied from Shimomura's computer and saves it onto the system at Netcom where he knows that Shimomura will find it. He names the file "japboy." At Yea, That Kevin is a real likeable guy. another point, in a private online communication (intercepted by Shimomura without any lawful authorization) Mitnick Wrong. At the Well, Netcom and in Raleigh, Tsutomu, at all times was operating under the exemptions granted Internet Service Providers by the ECPA. 
Well, maybe so, but unlike Shimomura, Mitnick never claimed to be heroic. Nor did he cause any intentional "damage." Nor did he "attack," "pilfer," and "vandalize" computer systems, even though these words are used repeatedly throughout the book--in the same pejorative style that John Markoff previously perfected in _The New York Times._ Perjorative?? Yikes! I mean we could go to the dictionary..... * * * All the charges except one have been dropped against Kevin Mitnick. He may even be out of jail in time for the Markoff/Shimomura book tour. In other words, the man Wrong. Kevin Mitnick is in jail in Los Angeles facing charges from more than six United States Federal Districts. He may go on trial or he may plea bargain. described in advance publicity for _Takedown_ as a threat to global civilization will befree to go about his business-- because, in the end, he wasn't much of a threat at all. Will this create an embarrassing schism between _Takedown_ and reality? Probably not. Reality has been at odds with the Mitnick myth for quite a while, but the myth is stronger than ever. Myth and reality? I have been writing about Kevin Mitnick for a long time, since 1981 to be precise, but I didn't create a myth, he created his own story. From declan+ at CMU.EDU Fri Jan 12 08:56:02 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sat, 13 Jan 1996 00:56:02 +0800 Subject: Mitnick #4: Platt's final response to Markoff Message-ID: Topic 1119 [media]: Media Appearances of WELLperns VI, S.F.Bay Area Division #217 of 296: Aaron L Dickey (kieran) Wed Jan 3 '96 (20:19) 7 lines Charles Platt responds: "John Markoff's reply to my replies is much more factual and convincing than his original response to my review of his book. I thank him for his time and trouble. I still find it hard to agree with his overall perspective, but I am now convinced that he does have a sincere point of view, and I value the instances where he has corrected me on details." 
Topic 1119 [media]: Media Appearances of WELLperns VI, S.F.Bay Area Division #223 of 296: Declan McCullagh (declan) Thu Jan 4 '96 (07:33) 23 lines And one final response from Charles Platt: "Someone suggested that by criticizing TAKEDOWN I attempted to further my own career. "My primary career has nothing to do with computer journalism. Under a different name I write a series of prehistory novels, the first of which now has 200,000 copies in print. This is my main source of income; I pursue computer journalism as a sideline, because it pleases me. "I do have a computer-related book coming out under my own name later this year, but it was written more for pleasure than profit and is aimed at a small audience: people who are more concerned about really dangerous criminals such as James Exon or Ralph Reed than about hackers such as Kevin Mitnick. Frankly, this book will not sell a lot of copies no matter what I do, because decency legislation and first-amendment issues are a noncommercial topic compared with so-called computer crime. "Bearing all this in mind, it is misleading to suggest that I wrote my review for motives of self-promotion. I wrote it because I had just finished reading TAKEDOWN, it had irritated me greatly, and I believed (perhaps wrongly) that I possessed background information that might not be mentioned by other reviewers elsewhere." From declan+ at CMU.EDU Fri Jan 12 08:59:08 1996 From: declan+ at CMU.EDU (Declan B. 
McCullagh) Date: Sat, 13 Jan 1996 00:59:08 +0800 Subject: Mitnick #2: Platt responds to Markoff's rebuttal Message-ID: Topic 1119 [media]: Media Appearances of WELLperns VI, S.F.Bay Area Division #190 of 296: Declan McCullagh (declan) Tue Jan 2 '96 (09:38) 212 lines From cp at panix.com Tue Jan 2 09:26:11 1996 Date: Tue, 2 Jan 1996 03:11:10 -0500 (EST) From: Charles Platt To: Declan McCullagh Cc: Charles Platt Subject: John Markoff's "rebuttal" In Computer Underground Digest I wrote a critical review of the recent book _Takedown_ by Shimomura and Markoff, in which I suggested that John Markoff had profited handsomely by mythologizing Kevin Mitnick as one of "America's most wanted computer criminals." My review was copied to The Well, where JM wrote a rebuttal. I am amused to find that this rebuttal not only fails to answer my rather serious allegations, but commits exactly the same journalistic sins of vagueness and hyperbole that I complained about originally. JM writes: "Just for the record, Katie [Hafner] says that her remarks were taken out of context here by Charles." This statement is perhaps intentionally vague, because if I don't know exactly what I'm being accused of, I can't answer it. *What,* precisely, was taken out of context? JM doesn't say. All I know is that when Katie Hafner contacted me directly, she complained that she never branded Kevin Mitnick a "darkside hacker" in the book _Cyberpunk;_ she merely used the phrase as the title of the first section of the book. But in fact, the "darkside hacker" term *is* applied to Mitnick within the text of the book; and in any case, a section heading obviously sets the tone for everything that follows. Therefore, I do not believe that I quoted Katie Hafner out of context--unless JM is talking about something else entirely, in which case he should say so, instead of attempting to devalue my review by a generalized accusation.
JM Writes: "The darkside hacker label was created during the late 1980s by the Southern California press. It is a label that I noted, but I didn't create. However, he's right I don't regret using it. And also for the record, Kevin Mitnick used to drive around in Las Vegas with a stack of copies of Cyberpunk in the trunk of his car to give away to admirers. He is on record as saying the book is '20 percent inaccurate.'" JM is confusing the issue. I never suggested he invented the "darkside hacker" term. This is totally irrelevant. I said, very specifically, that he was the first to *apply* this label to Mitnick. JM does not actually deny this, and I believe it is true. Re my description of his initial article about Mitnick for the NY Times, JM writes: "This is really inaccurate. Kevin Mitnick had become notorious nationally in the late 1980s as a result of his being arrested for attacks on Digital Equipment Computers. A menacing mug shot? It was the only photo available. No actual news? Not the way I remember it. The news was that he was being pursued by the FBI (three agents full time), the California DMV, US Marshalls, telco security, local police, etc. The further news was that the FBI had told cellular telephone companies that they believed the fugitive had stolen software from at least six cellular phone manufacturers. I thought then, and still think, this merited a story. I also think the story was a good yarn. Mitnick had succeeded in evading law enforcement for more than a year - again." "Notorious" in what sense? This is another of those vague terms that JM throws around without limiting or defining it. Mitnick may have been "notorious" in hacker circles, but not in the eyes of the general public. My point was, and is, that JM converted Mitnick from a relatively obscure hacker into a public figure. JM tries to evade this point but cannot specifically deny it. As for Mitnick being "actively pursued," I believe this is a vast overstatement. 
As I understand it, law enforcement had largely lost interest until JM's news item embarrassed them. Even after that, according to JM's own book _Takedown,_ law enforcement had to be prodded into taking action. They seemed not to share JM's perception of Mitnick as a severe threat. They certainly didn't characterize him as one of "America's most wanted." In response to my statement that Kevin Mitnick has never been accused of intentionally damaging a computer, JM writes: "Wrong again. He was accused of doing more than $100,000 damage at US Leasing, a SF time sharing company in 1980. Their system was trashed by a group that Mitnick was a member of. After that, at various other times he cost companies tens of thousands of dollars trying to close the door on his attacks. A further point is that I have no control over placement of my stories in the paper." With all due respect, this is not fair or accurate journalism. Was Mitnick *active* in the group that caused the alleged damage? Did he play a personal role? Does JM know? If not, he's just slinging mud. This is a smear and should not be presented as if it is a fact. On the other hand, if there is evidence that Mitnick was indeed actively responsible, I will gladly admit that I didn't know of this. As for the money that companies spent fixing the security weaknesses that allowed Mitnick to gain access, it is grossly unfair and misleading for JM to throw this into a paragraph discussing "intentional damage." This is exactly the kind of deliberate blurring of different kinds of computer misuse that I complained about in my review. Regarding Mitnick's "most wanted" status, JM writes: "Sorry, but I didn't create the character, Kevin did. He has now been arrested six times in fifteen years. Each time, except for this last time, he was given a second chance to get his act together. He chose not too. It seems to me that he is an adult and makes choices. He chose to keep breaking in to computers. 
He knew what the penalty was. So what's the problem?" Here again, JM avoids my direct point--that he was the first to categorize Mitnick as "one of America's most wanted." Of course Mitnick is responsible for his actions. I never disputed this, and never suggested he was innocent of the crimes for which he was convicted. I merely suggested that the crimes were relatively trivial and were exaggerated out of all proportion by JM's extravagant prose. Exaggeration, imprecision, and innuendo: *that's* the problem, JM. JM writes: "A witch hunt? Give me a break. It was an article describing a law enforcement hunt for a fugitive, who had been arrested five times previously, convicted at least three times, and was known to be attacking the computers of the nation's cellular telephone companies." My review complained that JM throws around words such as "attack" without ever defining them in computer terms. He's still doing it here in his rebuttal. Kevin Mitnick never attacked any computer, by my understanding of the word. Re providing advice to the police, JM writes: "I was called by Kent Walker, the AUSA on the case during a meeting at the Well. He asked me if I thought Mitnick was dangerous. I responded that everything I knew about Mitnick had either been in Cyberpunk or my July 4 1994 article, ie. in the public. I repeated the story of one arrest in which Kevin ended up handcuffed in tears over the hood of the detective's car. I gave no other information, nor got any." Since we will never know the extent to which JM tried to help the FBI, I guess we'll just have to take his word for this. Re Mitnick's dangerousness, JM writes: "This is just not true. Kevin Mitnick was actively sharing system vulnerabilities with other people on the net. That is about the most damaging thing that could be done to the Internet community." Is JM aware that some highly respected security experts believe that sharing news of vulnerabilities is the best way to encourage better security? 
True, this is a controversial subject; but certainly the sharing of vulnerabilities is NOT "the most damaging thing that could be done to the Internet community." That's just another of those wildly exaggerated phrases that JM throws out for emotional effect. I can think of many politicians--and even a few journalists--who pose a far greater danger to the future of the net than Kevin Mitnick ever did. Re the petty gossip in _Takedown,_ JM writes: "The reason we described what happened at Toad Hall on Xmas was that the attacks first came from toad.com while Tsutomu and Julia were there. If we hadn't have been complete in our description someone would have charged us with a cover up. Please remember that David Bank, a San Jose Mercury reporter, spent several weeks pursuing the hypothesis that Tsutomu had attack his own computers." Uh-huh. And I suppose the rest of the sordid, relentlessly personal thread in _Takedown,_ describing every little nuance of Shimomura's campaign to steal someone's long-term girlfriend, was merely included so that no one could complain that the account was incomplete? Really! In my review, I complained about pejorative terms (such as "attack") that JM uses repeatedly. His response: "Perjorative?? Yikes! I mean we could go to the dictionary....." Well, I guess JM *should* go to the dictionary. If he does, he will find that pejorative is a perfectly good word which I spelled correctly. It's ironic that he seems unaware of it, since it so aptly describes his own journalistic technique. Re my assertion that all charges but one against Mitnick have been dropped, JM replies: "Wrong. Kevin Mitnick is in jail in Los Angeles facing charges from more than six United States Federal Districts. He may go on trial or he may plea bargain." I tried to contact Mitnick's attorney before I wrote my review. He did not return my calls. I based my statement on information from three other sources. If it's incorrect, obviously I stand corrected. 
As I understand it, though, those charges from other federal districts may not have been actually filed. Is "facing charges" another of those slightly misleading terms that makes the situation sound worse than it really is? Are the charges actual, or potential? Finally JM writes: "Myth and reality? I have been writing about Kevin Mitnick for a long time, since 1981 to be precise, but I didn't create a myth, he created his own story." In his own rebuttal, JM has already referred to the Mitnick story as a "good yarn." A yarn, of course, is a richly embroidered, sometimes fictionalized version of the truth. This is precisely what I believe he concocted, and it isn't my idea of decent journalism. ---- Lastly, a question which occurred to me after I wrote my original review. Around the same time that Kevin Mitnick broke into Tsutomu Shimomura's computer, he also broke into the system of Dan Farmer, another extremely well known security expert. What did Farmer do? He didn't get self-righteous about the "invasion of privacy." He didn't start ranting about the "extreme danger" posed by Mitnick. He certainly didn't take several weeks from his normal schedule and pursue a personal vendetta. Nor did he coauthor a book portraying Mitnick as a danger to the net. He presumably fixed the flaw that had allowed Mitnick to get in, and went on with his life. Would JM like to explain how Dan Farmer's perception of "the Mitnick threat" can be so different from Shimomura's? To the outside observer, it almost looks as if there wasn't a significant security threat, and Shimomura must have been motivated by wounded vanity, while John Markoff was motivated by his desire to tell a "good yarn" and make a lot of money. Am I wrong?
From grimm at MIT.EDU Fri Jan 12 09:00:08 1996 From: grimm at MIT.EDU (grimm at MIT.EDU) Date: Sat, 13 Jan 1996 01:00:08 +0800 Subject: Cryptolib & Crypto++ In-Reply-To: <199601120023.TAA22279@homeport.org> Message-ID: <9601120145.AA09274@vongole.MIT.EDU> What are Cryptolib & Crypto++? -James From bshantz at nwlink.com Fri Jan 12 09:06:20 1996 From: bshantz at nwlink.com (Brad Shantz) Date: Sat, 13 Jan 1996 01:06:20 +0800 Subject: Phil Z getting through customs Message-ID: <199601121612.IAA06275@montana.nwlink.com> David Koontz wrote: > The question is, can Phil get through U.S. Customs at a point of entry > in a reasonable time, now? No. Just because he's off the hook as such doesn't mean that Customs will know about it. Customs officials often appear to me to be in their own little world...(personal opinion only.) I wasn't aware that Phil would have problems at customs anyway. If you answer the questions truthfully and are a US citizen, they really can't hold you back. Brad From mpd at netcom.com Fri Jan 12 09:13:17 1996 From: mpd at netcom.com (Mike Duvos) Date: Sat, 13 Jan 1996 01:13:17 +0800 Subject: Shimomura on TV? In-Reply-To: <199601120124.TAA04433@dal1820.computek.net> Message-ID: <199601120146.RAA26258@netcom2.netcom.com> > "Working class trash"? You are starting to sound like slick > willie..."the problem with this country is the working class" or some > such nonsense... While I might put it in a somewhat less insulting manner, the central thesis here is correct. Society consists basically of a few percent of the people who see things one way because of strong ideological reasons. This is balanced by another few percent who see things the exact opposite because of strong ideological reasons. The remainder of the population generally follows whomever is perceived to be running things. Such people may safely be ignored during any revolution, although it is probably not a bright idea to use terms like "working class trash" when describing them. 
-- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From llurch at networking.stanford.edu Fri Jan 12 09:15:41 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 13 Jan 1996 01:15:41 +0800 Subject: [CORRECTION] Microsoft continues to mislead public about Windows security In-Reply-To: <199601120042.TAA18188@bb.hks.net> Message-ID: In a couple of silly posts, I'd uncritically repeated a Bob Cringely piece in the December 10th InfoWorld (plus various other sources) without adequately verifying the facts. I hope this will clear some things up. First, NT was C2-certified in a specific configuration as a standalone workstation only, not as a network server. So any points about NT's C2 security being compromised by the following problems are *moot* and should be ignored. 1. NetWare Services lets you know when you try to log on as a user that doesn't exist, rather than asking for a password. Real NetWare servers do the right thing. 2. Because of a common user error, documentation errors, and a couple bugs, it is possible to gain read-only access to the root directory of many NT FTP servers (20% of the known NT servers at Stanford when I checked -- this has been fixed) by giving a nonexistent username and password, for example, cypherpunks/cypherpunk, to Microsoft's FTP server. These aren't important, because Microsoft does not claim that NT Server, as a server, is C2-secure; only many authorized distributors do. Also, the note that NetWare was C2-certified is misleading. I've been told and find credible (but have not verified) that NetWare was only certified in an unusual environment with packet-encrypting NICs. The rest was true. The main point was that Microsoft continues to make statements that are clearly at variance with the truth concerning the acknowledged .PWL, IPX SAP, and SMB bugs, among others. 
Microsoft has yet to revise several known incorrect pertinent articles in their "Knowledge" Base technical/marketing database, which you can search via:

http://www-leland.stanford.edu/~llurch/win95netbugs/kb.html

Incorrect articles include Q92588, Q90210, Q36634, Q103887, Q120554, and especially Q90271. The specific URL for each of these articles is:

http://www.microsoft.com/kb/peropsys/windows/{ID}.htm

For example, the article that purports to contain technical information on why you can trust the security of .PWL files is:

http://www.microsoft.com/kb/peropsys/windows/Q90271.htm

Also, http://www.windows.microsoft.com/windows/software/mspwlupd.htm, the PR on the "fix" for the acknowledged .PWL bugs in Win95 (the same bugs exist in Windows 3.11, but Microsoft has not acknowledged this or committed to fixing it), is clearly incorrect. It says that the new algorithm is 2^96 times more secure because it uses a larger key. Besides the fact that the extreme weakness of the .PWL algorithm has nothing whatsoever to do with the key size, the new algorithm does not use 128 random bits. Like many other exportable algorithms, the key size is 128 bits, but only 40 bits are random.

By the way, neither I nor the comp.risks moderator have heard a peep from any Microsoft source in any newsgroup or mailbox. This I find somewhat disheartening. We know that there are at least five microsoft.com addresses on cypherpunks because we all got bounced email when Microsoft broke their mail gateway. Cat got your tongue?
-rich
 owner-win95netbugs at lists.stanford.edu
 ftp://ftp.stanford.edu/pub/mailing-lists/win95netbugs/
 ftp://ftp.demon.co.uk/pub/mirrors/win95netfaq/
 gopher://quixote.stanford.edu/1m/win95netbugs
 http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html
 http://www.mari.su/guide/win95/faq.html
 rich at c2.org http://www.c2.org/hackmsoft/

From bshantz at nwlink.com Fri Jan 12 09:19:16 1996
From: bshantz at nwlink.com (Brad Shantz)
Date: Sat, 13 Jan 1996 01:19:16 +0800
Subject: Zimmermann case is dropped.
Message-ID: <199601121619.IAA06808@montana.nwlink.com>

> Well, so far the feds haven't prosecuted "Jim Bidzos" for posting Crypto++
> to usenet. Anyway, both versions have been on utopia.hacktic.nl for months.

I thought that it was determined to be a hoax. Someone "disguised" as Jim Bidzos posted it to USENET. Anyone have confirmation?

Brad

From sameer at c2.org Fri Jan 12 09:28:48 1996
From: sameer at c2.org (sameer)
Date: Sat, 13 Jan 1996 01:28:48 +0800
Subject: (none)
In-Reply-To: <30F67AE6.76F1@netscape.com>
Message-ID: <199601121631.IAA03887@infinity.c2.org>

> > control what information is passed out to the other end. Specifically, I'd like
> > http://anonymizer.cs.cmu.edu:8080/prog/snoop.pl to come up nearly blank.)
>
> We do not send the HTTP 'From:' header. I will look into where
> they are getting the user name and location from. There is really
> nothing I can do in the Navigator to stop them from getting your
> IP address or DNS name.

I believe that it uses finger. If you really want to prevent people from finding out where you're coming from, use the anonymizer. Not at CMU? Don't worry.
-- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From sameer at c2.org Fri Jan 12 09:29:59 1996 From: sameer at c2.org (sameer) Date: Sat, 13 Jan 1996 01:29:59 +0800 Subject: https & encrypted connections In-Reply-To: <199601120211.TAA00265@wero.cs.byu.edu> Message-ID: <199601121633.IAA04084@infinity.c2.org> > Soooo, anyway, I was wondering if anyone knows anything about the use of > privately generated certificates. Yes, Jeff, we know that Netscape is jumping We use a Verisign-signed certificate here at c2, btw. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From jya at pipeline.com Fri Jan 12 09:31:56 1996 From: jya at pipeline.com (John Young) Date: Sat, 13 Jan 1996 01:31:56 +0800 Subject: SPO_oks Message-ID: <199601121607.LAA09897@pipe6.nyc.pipeline.com> 1-12-96. WashP: "Agencies Debate Value of Being Out in the Cold. Spies Under 'Nonofficial Cover' Are Among Most Sensitive Operations." Today, as the roles and missions of American spying are being reviewed, one of the most sensitive debates in the U.S. intelligence community is whether to step up the overseas use of NOCs, not only by the CIA but also by the Pentagon's Defense Humint Service and the FBI, both of which also can work abroad under cover. Because they operate alone and outside embassies, NOCs need their own secure communications and a safe way to keep their highly classified files. 1-11-96. WashP: "Israeli Media Break Censorship Rules to Name New Security Service Head." The man who will take the reins of Israel's Shin Bet security service, Rear Adm. Ami Ayalon, was named today in Israeli news accounts for the first time in the history of the secretive organization. 
Israeli media have yet to name Ayalon's predecessor, Karmi Gilon, who was still referred to today as "Kaf." 1-11-96. FinTim: "Yeltsin's New Spy Master to Play by the Rules." Mr Trubnikov will be the first spymaster to work under new legislation which says the intelligence services must use "a combination of open and secret methods and tactics and in accordance with the principle of legality and respect for human rights and freedoms". Separately, Mr Yeltsin signed a decree limiting phone taps and the unauthorised collection of information on firms and individuals. But Tass, which reported the decree, gave no details of how it would work. SPO_oks From proff at suburbia.net Fri Jan 12 09:35:56 1996 From: proff at suburbia.net (Julian Assange) Date: Sat, 13 Jan 1996 01:35:56 +0800 Subject: Shimomura on BPF In-Reply-To: <199601120029.TAA28014@pipe3.nyc.pipeline.com> Message-ID: <199601121223.XAA04718@suburbia.net> > Shimomura on BPF, NSA and Crypto: > > One of the tools I modified for my work was a sophisticated > piece of software called the Berkeley Packet Filter. ... > Unlike the original BPF, my version was designed to bury ^^^^^^^^^^^^^^^^^^^^^^^ > itself inside the operating system of a computer and watch > for certain information as it flowed through the computer > from the Internet. When a packet from a certain address, or > for that matter any other desired piece of information > designated by the user flashed by, BPF would grab it and > place it in a file where it could be kept for later > viewing. This is *exactly* what BPF does, always did and was designed to do. As for writing the packets to a file, everything but opening and closing the file are described in the man page. You could code it in 10 lines. +----------------------------------+-----------------------------------------+ |Julian Assange | "if you think the United States has | |FAX: +61-3-9819-9066 | stood still, who built the largest | |EMAIL: proff at suburbia.net | shopping centre in the world?" 
- Nixon | +----------------------------------+-----------------------------------------+ From perry at piermont.com Fri Jan 12 09:36:18 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 13 Jan 1996 01:36:18 +0800 Subject: Mitnick: Markoff responds to Platt's CuD "Takedown" critique In-Reply-To: Message-ID: <199601121648.LAA21298@jekyll.piermont.com> "Declan B. McCullagh" writes: [A large bunch of Mitnick crap] THIS IS NOT MITNICK PUNKS. I'm sick of seeing this. I and many others read this mailing list for information on CRYPTOGRAPHY. If and when you can demonstrate why there is a link between, say, factoring and whether John Markoff is profiteering off of the Mitnick case, then this becomes relevant. Until then, GET THE CRAP OFF. (I've been writing people privately for some time. I'm again writing in public because more and more people seem to be getting in to the act.) Perry PS I'm really not interested in reading large chunks of information on John Gilmore's or Tsutomu Shimomura's sex lives anywhere at all, but I'm sure there is SOME mailing list where it is relevant. Why don't you go and post the garbage there, eh? From bplib at wat.hookup.net Fri Jan 12 09:37:33 1996 From: bplib at wat.hookup.net (Tim Philp) Date: Sat, 13 Jan 1996 01:37:33 +0800 Subject: E-cash and Interest In-Reply-To: Message-ID: I guess that it would depend upon your definition of 'withdraw'. If you say that money is withdrawn when it is on your hard drive, what you say is true. However, if the money is 'withdrawn' when it is returned to the 'bank' for 'clearing it could still earn interest. Of course, this is predicated on an e-cash/check analogy that requires specific clearing. In any case, at some point, this stuff has to be turned into 'real money'. 
===================================
For PGP Public Key, Send E-mail to:
pgp-public-keys at swissnet.ai.mit.edu
In Subject line type:
GET PHILP
===================================

On Fri, 12 Jan 1996, Patiwat Panurach (akira rising) wrote:

> On Wed, 10 Jan 1996, Tim Philp wrote:
>
> > I think that you have hit the nail on the head. Money could still 'earn'
> > interest until it is spent. The 'bank' still has the 'real' money. In
>
> NO! money could still earn interest until it is _withdrawn_. This
> includes withdrawals from MTB accounts into the Mint. Coz ecash in any
> form (whether in the mint or in the HDD) is equivalent to cash. And cash
> (by definition) can't earn interest.
>
> -------------------------------------------------------------------------------
> Patiwat Panurach Whatever you can do, or dream you can, begin it.
> eMAIL: pati at ipied.tu.ac.th Boldness has genius, power and magic in it.
> m/18 junior Fac of Economics -Johann W.Von Goethe
> -------------------------------------------------------------------------------
>
>
>
>

From tcmay at got.net Fri Jan 12 10:48:17 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 13 Jan 1996 02:48:17 +0800
Subject: Next on "Geraldo": "Darkside Hackers in Love with their Trackers"
Message-ID:

At 4:48 PM 1/12/96, Perry E. Metzger wrote:

>PS I'm really not interested in reading large chunks of information on
>John Gilmore's or Tsutomu Shimomura's sex lives anywhere at all, but
>I'm sure there is SOME mailing list where it is relevant. Why don't
>you go and post the garbage there, eh?

On this one I have to agree with Perry. As I started to read the item someone posted (I have mercifully forgotten the poster) about TS in the upstairs-hot-tub-with-waterfalls and the Nepal-returned-starstruck lovers and their "committed" relationship, I felt I'd opened a manhole above a sewer. Or tuned in to "Sally Jesse Raphael."

"Takedown" is one book I don't plan to even flip through at the bookstore.
No offense intended to John, Tsutomu, Kevin, Julia, Kent, Katie, or John.

--Tim May

We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From Bill.Humphries at msn.fullfeed.com Fri Jan 12 10:51:11 1996
From: Bill.Humphries at msn.fullfeed.com (Bill Humphries)
Date: Sat, 13 Jan 1996 02:51:11 +0800
Subject: [NOISE] Censorship as Theater: Media Coverage of the Internet
Message-ID:

Censorship as Theater

Several members of the list have complained of how the TV press portrays the Web and the USENET as central casting for pederasts, copperheads and narco-terrorists. I know, I've sent a couple of email messages to local TV news outlets complaining about the broad brush of tar they've been slinging.

However, I don't think all the letters and education seminars will do a bit of good. Because TV is not suited to presenting detailed or sophisticated issues. TV is well-suited to telling exciting narratives full of thrills.

Given that TV news must compete with Roseanne and Vanna (and Roseanne's writers do better narrative than Bosnian Serbs,) of course the Internet will be portrayed as a thrilling interzone of thugs (aryan nations), outlaws (Zimmermann), abominations (kiddieporn) and kooks (the EFF,) with a few good guys (Exon and Shimomura) from "High Noon".
The whole thing will be presented as almost completely unrelated to the lives of the viewer (the fantasy element) except when it can be used melodramatically (cut to ur-bimbo gone good-nick and a blue binder full of GIFs, followed by mother hovering over child gravely asking for the 1st amendment to be torched for the good of the kiddies.)

It's great theater, bad discourse.

Of course, there are opportunists such as the Christian Coalition; Cold, Drug and Flu Warriors who exploit the theater and provide characters and plot points to influence the show their way.

Unfortunately, for all our nerdiness, many of us still think that civil discourse really exists. We think we can influence public debate through reasoned argument. We can't because reasoned argument isn't good TV.

Does this mean the 'forces of light' (as John Leonard describes us anti-censorship types) should exploit the dominant means of persuasion and construct simple narratives that make our side look like the good guys? Turning anti-censorship into theater ignores the basic idea we're arguing for, and reduces us to another clade of marketing nerds.

To carry the day, we have to take the argument outside of the TV and other media influenced by TV. It means you have to talk to your neighbours, friends, and families and tell them why censorship is bad.

Suggested Reading:

Postman, Neil, _Amusing Ourselves to Death_, Ballantine Paperback
Leonard, John, _The Last Innocent White Man in America_, New Press, pp. 48-57

--
(c) 1996 by Bill Humphries
Bill Humphries \/\/\/ bill.humphries at msn.fullfeed.com /\/\/\ Madison, WI, USA
PGP Public Key Fingerprint = 84 05 17 9D B9 6E 2D FE A7 D1 E0 DC D0 96 63 FB

From declan+ at CMU.EDU Fri Jan 12 11:01:45 1996
From: declan+ at CMU.EDU (Declan B.
McCullagh) Date: Sat, 13 Jan 1996 03:01:45 +0800 Subject: Mitnick #3: Markoff responds again to Platt Message-ID: Topic 1119 [media]: Media Appearances of WELLperns VI, S.F.Bay Area Division #212 of 296: john markoff (johnm) Wed Jan 3 '96 (16:58) 256 lines My response to Charles Platt's rebuttal..... JM Writes: "The darkside hacker label was created during the late 1980s by the Southern California press. It is a label that I noted, but I didn't create. However, he's right I don't regret using it. And also for the record, Kevin Mitnick used to drive around in Las Vegas with a stack of copies of Cyberpunk in the trunk of his car to give away to admirers. He is on record as saying the book is '20 percent inaccurate.'" >JM is confusing the issue. I never suggested he invented the "darkside >hacker" term. This is totally irrelevant. I said, very specifically, that >he was the first to *apply* this label to Mitnick. JM does not actually >deny this, and I believe it is true. Sorry, you're wrong. The "darkside hacker" label was used in the headlines of Southern California press coverage of Mitnick in 1987-8, in particular by John Johnson, an LA Times metro reporter. I was not the first one to use the term with respect to Mitnick. Re my description of his initial article about Mitnick for the NY Times, JM writes: "This is really inaccurate. Kevin Mitnick had become notorious nationally in the late 1980s as a result of his being arrested for attacks on Digital Equipment Computers. A menacing mug shot? It was the only photo available. No actual news? Not the way I remember it. The news was that he was being pursued by the FBI (three agents full time), the California DMV, US Marshalls, telco security, local police, etc. The further news was that the FBI had told cellular telephone companies that they believed the fugitive had stolen software from at least six cellular phone manufacturers. I thought then, and still think, this merited a story. 
I also think the story was a good yarn. Mitnick had succeeded in evading law enforcement for more than a year - again." >"Notorious" in what sense? This is another of those vague terms that JM >throws around without limiting or defining it. Mitnick may have been >"notorious" in hacker circles, but not in the eyes of the general public. >My point was, and is, that JM converted Mitnick from a relatively obscure >hacker into a public figure. JM tries to evade this point but cannot >specifically deny it. As for Mitnick being "actively pursued," I believe >this is a vast overstatement. As I understand it, law enforcement had >largely lost interest until JM's news item embarrassed them. Even after >that, according to JM's own book _Takedown,_ law enforcement had to be >prodded into taking action. They seemed not to share JM's perception of >Mitnick as a severe threat. They certainly didn't characterize him as one >of "America's most wanted." Since when is "notorious" a vague term? The dictionary def. of notorious is "generally known and talked of." Kevin Mitnick had national press attention in at least two cases (Los Angeles 1981 and Los Angeles 1987) and there were a number of articles in the Los Angeles Times, which the last time I checked was not a hacker quarterly, before Katie and I wrote about him in Cyberpunk. He was notorious. Charles is just plain wrong about the issue of pursuit: There was a US Marshalls search for him for a parole violation, a team of FBI agents in LA was detailed to finding Mitnick, telecommunications companies in Seattle and Southern California were pursuing him, California DMV had a special investigator looking for him. I could go on....Law enforcement did not have to be prodded into action. The first thing Tsutomu did when he was invited to the Well was meet with a US attorney and FBI agents who had an open case. 
In response to my statement that Kevin Mitnick has never been accused of intentionally damaging a computer, JM writes:

"Wrong again. He was accused of doing more than $100,000 damage at US Leasing, a SF time sharing company in 1980. Their system was trashed by a group that Mitnick was a member of. After that, at various other times he cost companies tens of thousands of dollars trying to close the door on his attacks."

>With all due respect, this is not fair or accurate journalism. Was Mitnick
>*active* in the group that caused the alleged damage? Did he play a
>personal role? Does JM know? If not, he's just slinging mud. This is a
>smear and should not be presented as if it is a fact. On the other hand,
>if there is evidence that Mitnick was indeed actively responsible, I will
>gladly admit that I didn't know of this.

Kevin was convicted in this case in the Spring of 1982. He spent 90 days in juvenile detention, he was given a year's probation.

>As for the money that companies spent fixing the security weaknesses that
>allowed Mitnick to gain access, it is grossly unfair and misleading for
>JM to throw this into a paragraph discussing "intentional damage." This
>is exactly the kind of deliberate blurring of different kinds of computer
>misuse that I complained about in my review.

I'm afraid that Charles has confused me here. I simply gave an example where intentional damage was done for which Kevin was convicted. I didn't say that he always damaged machines, I simply object to the portrayal of him as an innocent

Regarding Mitnick's "most wanted" status, JM writes:

"Sorry, but I didn't create the character, Kevin did. He has now been arrested six times in fifteen years. Each time, except for this last time, he was given a second chance to get his act together. He chose not to. It seems to me that he is an adult and makes choices. He chose to keep breaking in to computers. He knew what the penalty was. So what's the problem?"
>Of course Mitnick is responsible for his actions. I never disputed this, >and never suggested he was innocent of the crimes for which he was >convicted. I merely suggested that the crimes were relatively trivial and >were exaggerated out of all proportion by JM's extravagant prose. >Exaggeration, imprecision, and innuendo: *that's* the problem, JM. In a passage above Charles accuses me of being vague, now he says that exaggeration, imprecision and innuendo are the problem. Boy, talk about being vague. But I guess we've descended to the nyah, nyah level.... 8) JM writes: "A witch hunt? Give me a break. It was an article describing a law enforcement hunt for a fugitive, who had been arrested five times previously, convicted at least three times, and was known to be attacking the computers of the nation's cellular telephone companies." >My review complained that JM throws around words such as "attack" without >ever defining them in computer terms. He's still doing it here in his >rebuttal. Kevin Mitnick never attacked any computer, by my understanding >of the word. Mitnick was persistent and frequently arrogant in his break-ins into dozens of different computers. Attack is not an exaggeration. Re Mitnick's dangerousness, JM writes: "This is just not true. Kevin Mitnick was actively sharing system vulnerabilities with other people on the net. That is about the most damaging thing that could be done to the Internet community." >Is JM aware that some highly respected security experts believe that >sharing news of vulnerabilities is the best way to encourage better >security? True, this is a controversial subject; but certainly the >sharing of vulnerabilities is NOT "the most damaging thing that could be >done to the Internet community." That's just another of those wildly >exaggerated phrases that JM throws out for emotional effect. 
I can think
>of many politicians--and even a few journalists--who pose a far greater
>danger to the future of the net than Kevin Mitnick ever did.

Charles probably missed the followup discussion on this point, but I think there is a dramatic difference between distributing information publicly and sharing it in a clandestine fashion with a small gang of crackers the way Mitnick was doing it. I assume from his comments that Charles thinks that issues like Internet privacy and security are trivial and don't really matter very much. I disagree with him here.

Re the petty gossip in _Takedown,_ JM writes:

"The reason we described what happened at Toad Hall on Xmas was that the attacks first came from toad.com while Tsutomu and Julia were there. If we hadn't have been complete in our description someone would have charged us with a cover up. Please remember that David Bank, a San Jose Mercury reporter, spent several weeks pursuing the hypothesis that Tsutomu had attacked his own computers."

>Uh-huh. And I suppose the rest of the sordid, relentlessly personal thread
>in _Takedown,_ describing every little nuance of Shimomura's campaign to
>steal someone's long-term girlfriend, was merely included so that no one
>could complain that the account was incomplete? Really!

Sharon Fisher had a good response to the notion of girlfriend as property. Charles is being viciously inaccurate here.

In my review, I complained about pejorative terms (such as "attack") that JM uses repeatedly. His response:

"Perjorative?? Yikes! I mean we could go to the dictionary....."

>Well, I guess JM *should* go to the dictionary. If he does, he will find
>that pejorative is a perfectly good word which I spelled correctly. It's
>ironic that he seems unaware of it, since it so aptly describes his
>own journalistic technique.

This is getting weird again. I still don't have any problem with using the word "attack" and would use it again.
I think Charles has sort of run out of gas trying to mount a defense against something that is basically indefensible. It's just not ok to read other people's mail, steal commercial software, leave trojan horses scattered around, and systematically alter system software. No matter how you dress it up, it's criminal activity.

Re my assertion that all charges but one against Mitnick have been dropped, JM replies:

"Wrong. Kevin Mitnick is in jail in Los Angeles facing charges from more than six United States Federal Districts. He may go on trial or he may plea bargain."

>I tried to contact Mitnick's attorney before I wrote my review. He did
>not return my calls. I based my statement on information from three other
>sources. If it's incorrect, obviously I stand corrected. As I understand
>it, though, those charges from other federal districts may not have been
>actually filed. Is "facing charges" another of those slightly misleading
>terms that makes the situation sound worse than it really is? Are the
>charges actual, or potential?

Why didn't Charles think to give any of half a dozen US District Attorneys a call and chat with them about the charges that are being brought against Kevin Mitnick. For those who are curious there is a plea bargaining process going on now and Mitnick has a scheduled court date for January 29.

Finally JM writes:

"Myth and reality? I have been writing about Kevin Mitnick for a long time, since 1981 to be precise, but I didn't create a myth, he created his own story."

>In his own rebuttal, JM has already referred to the Mitnick story as a
>"good yarn." A yarn, of course, is a richly embroidered, sometimes
>fictionalized version of the truth. This is precisely what I believe he
>concocted, and it isn't my idea of decent journalism.

Please Charles, which part is concocted? The part about Kevin being a criminal who was a fugitive and who was caught while he was breaking in to computers?
>Would JM like to explain how Dan Farmer's perception of "the Mitnick >threat" can be so different from Shimomura's? To the outside observer, it >almost looks as if there wasn't a significant security threat, and >Shimomura must have been motivated by wounded vanity, while John Markoff >was motivated by his desire to tell a "good yarn" and make a lot of money. >Am I wrong? Yes you're wrong. I can't speak for Dan, but Tsutomu was invited by both the Well and Netcom to help them solve a persistent computer security problem. His advice to the Well was that they would never be secure unless the person who was attacking their computers was apprehended. The Well had no viable way to lock Kevin Mitnick out. Tsutomu's solution to actively pursue Mitnick was the only reasonable option, one which the Well management agreed with. There are several philosophies in the computer security world. One view is that rather than hiding in your shell it is necessary to track down offenders who have broken the law. I really don't see what's wrong with that approach. Do you Charles? From abostick at netcom.com Fri Jan 12 11:33:21 1996 From: abostick at netcom.com (Alan Bostick) Date: Sat, 13 Jan 1996 03:33:21 +0800 Subject: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Somebody, too clever for their own good by half, has come up with a novel way of using Usenet and anonymous remailers to perpetrate mailbombs. The M.O. is to post a message to the naked-lady newsgroups saying "get pics in your mailbox! send this message to this address!), giving the email address of a cypherpunk-style anonymous remailer and including a pgp-encrypted message block. Thousands of horny net geeks will send in the message; some of them will even follow instructions correctly so the remailer forwards the message to its intended target. 
The result is that the target will be mailbombed -- and the remailer operator can't stop the abuse by blocking the abuser's address, because it's coming from all over the net. There is *no* chance that this is legitimate. The remailer discards the original message header. There is no way for the recipient to know who sent the email message. Cypherpunks: is there any way to respond to, or prevent, this sort of attack short of actually shutting down the remailer? What comes to my mind is the remailer operator grepping for a character string of ASCII-armored cyphertext from the known attack message and throwing messages containing it into the bit-bucket. It is highly unlikely that this would appear in any message except the attack message. The problem with this is that it works only for a known attack message -- it can shut down an ongoing attack, but it can't prevent new ones. I am including the widely-crossposted attack message below, including headers. Alan Bostick | He played the king as if afraid someone else Seeking opportunity to | would play the ace. develop multimedia content. | John Mason Brown, drama critic Finger abostick at netcom.com for more info and PGP public key > Xref: netcom.com alt.sex:292849 alt.sex.wizards:44144 alt.sex.magazines:11634 alt.binaries.pictures.erotica:364153 alt.binaries.pictures.erotica.blondes:48686 alt.binaries.pictures.erotica.female:130066 alt.sex.movies:91249 alt.sex.pictures:98757 > Newsgroups: alt.sex,alt.sex.wizards,alt.sex.magazines,alt.binaries.pictures.erotica,alt.binaries.pictures.erotica.blondes,alt.binaries.pictures.erotica.female,alt.sex.movies,alt.sex.pictures > Path: netcom.com!ix.netcom.com!howland.reston.ans.net!news.sprintlink.net!nuclear.microserve.net!luzskru.cpcnet.com!www-39-190 > From: luzskru at cpcnet.com (luzskru) > Subject: Get Penthouse and Playboy pics on your mail box!! 
> Message-ID: <1b7cc$12a26.20 at luzskru.cpcnet.com> > Date: Thu, 11 Jan 1996 18:10:37 GMT > Organization: http://www.cpcnet.com/~luzskru/home.htm > X-Newsreader: News Xpress Version 1.0 Beta #4 > Lines: 119 > > Follow these instructions. > 1) paste everything between the -------- into the body of your message. Be > sure to leave the first line blank and include everything including the :: > 2) Send the message to homer at rahul.net > 3) as the subject, specify playboy or penthouse and the month. > 4) if you don't get the file within a few hours, then send it again and be > sure that you didn't do something wrong. Here is the message: > > --------------------------------------------------------- > > :: > Encrypted: pgp > > -----BEGIN PGP MESSAGE----- > Version: 2.6.2i > > -----END PGP MESSAGE----- > > ------------------------------------------------------------------------------ > Include everthing between the ------------------------------- and you will get > the pictures in your mail box.
> > -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMPayLeVevBgtmhnpAQGKxgL9H4WsKLnIJAXGm5s1XPwWkRKsTHj2Ewhm sPVDYt697wflpqXy69oL4k8Jk/GUswuPcbO6/3zyeUGetm1hkVxrVCJSlW5sapQV tIT2MSZi1uz3Wwfn52uajm0d7ebF9bx3 =yoZx -----END PGP SIGNATURE----- From ghio at c2.org Fri Jan 12 11:55:54 1996 From: ghio at c2.org (Matthew Ghio) Date: Sat, 13 Jan 1996 03:55:54 +0800 Subject: p-NEW digital signatures In-Reply-To: <960112182626_72124.3234_EHJ93-1@CompuServe.COM> Message-ID: Kent Briggs wrote: >s is discarded and the signature is r and z. The verification is: > >m=zy^r mod p > >This slows down the signing but speeds up the verification. Here's the $64K >question: Does this compromise the signature's security? Yes. In this case a fake signature can be forged by picking a random r, and then z can be calculated as: z=my^(-r) mod p No security at all. From llurch at networking.stanford.edu Fri Jan 12 11:56:43 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 13 Jan 1996 03:56:43 +0800 Subject: (none) [httpd finding your identity] In-Reply-To: <199601121631.IAA03887@infinity.c2.org> Message-ID: On Fri, 12 Jan 1996, sameer wrote: > > > control what information is passed out to the other end. > > > Specifically, I'd like http://anonymizer.cs.cmu.edu:8080/prog/snoop.pl > > > to come up nearly blank.) > > > > We do not send the HTTP 'From:' header. I will look into where > > they are getting the user name and location from. There is really > > nothing I can do in the Navigator to stop them from getting your > > IP address or DNS name. > > I beleive that it uses finger. If you really want to prevent > people from finding out where you're coming from, use the > anonymizer. Not at CMU? Don't worry. On most UNIX machines or a Mac or PC running most common talk clients? Worry. Not just finger, but also identd will identify you. I think Eudora Pro has an identd option, too. 
-rich From vznuri at netcom.com Fri Jan 12 12:27:01 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sat, 13 Jan 1996 04:27:01 +0800 Subject: PRZ "battle lost" Message-ID: <199601122000.MAA18622@netcom2.netcom.com> regarding PRZ, SP wrote earlier that "we have gained nothing--the US can still harass people over cryptographic algorithms". that's true, but that's a side effect of our legal system, not of our secret government bureacracy (the NSA etc). it has always been the case that someone with lots of money, time, and lawyers can harass someone else in the courts without any leg to stand on. the government does not have a monopoly on this capability, and in fact they can arguably be shown to be a minor player when it comes to what happens every day in the business world. you can consume someone else's time and money significantly, and scare them into submission, without ever even going to trial, through pre-trial hearings and all that kind of thing. is there an alternative? yes, but it involves fewer lawyers than are in the US today. however I don't see lawyers as the problem, but a symptom of something deeper: the tendency of people to resort to legal action to settle even trivial disputes. I for example am aware of a case where someone threatened to sue a well-known kook on the internet for "libel" for material that was clearly satire, and the supposed "libel" was committed--AGAINST A PSEUDONYM!! so to me all the lawyers are not the problem, but the attitude in our society that if you have been offended in some way, you should use the legal system to get "justice". a rather immature kind of mentality, of course, but who am I to criticize an infant for being an infant? I suppose its partly my mistake if I run into an adult that is actually an infant and I don't realize it at first. 
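Matthew Ghio's reply above, on the modified p-NEW verification m = z*y^r mod p, can be checked numerically. The following is an added example, not part of any list message: it uses only the equation and the formula z = m*y^(-r) mod p from that reply, and the modulus, base, and message-to-integer mapping are constructed assumptions.

```python
import hashlib
import secrets

# Constructed toy parameters (assumptions, not taken from the thread).
P = 2**127 - 1   # a Mersenne prime, used as the modulus p
G = 3            # base used only to derive a public key y = G^x mod p


def keygen():
    """Return (x, y): a private exponent and the public key y = G^x mod P."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def to_int(message: bytes) -> int:
    """Map a message to m in [1, P-1] (hash then reduce; an assumption)."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1


def verify(m, r, z, y, p=P):
    """The verification quoted in the thread: accept when m == z * y^r mod p."""
    return m % p == (z * pow(y, r, p)) % p


def solve_for_z(m, r, y, p=P):
    """For any chosen r, z = m * y^(-r) mod p satisfies verify().

    Only public values (m, r, y, p) appear; the private key x is never used,
    which is why the equation authenticates nothing.
    """
    y_r = pow(y, r, p)
    y_r_inv = pow(y_r, p - 2, p)   # modular inverse by Fermat's little theorem
    return (m * y_r_inv) % p


def accepted_without_private_key(messages):
    """Return verify() results for (r, z) pairs built from public data only."""
    x, y = keygen()
    del x   # the signer's secret is discarded before any pair is produced
    results = []
    for msg in messages:
        m = to_int(msg)
        r = secrets.randbelow(P - 2) + 1
        z = solve_for_z(m, r, y)
        results.append(verify(m, r, z, y))
    return results


if __name__ == "__main__":
    print(accepted_without_private_key([b"pay 10", b"pay 10000"]))
```

A sound verification has to tie r and z together through something only the holder of x could have computed; here z is a free unknown in a single public equation.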
From rsalz at osf.org Fri Jan 12 12:28:13 1996 From: rsalz at osf.org (Rich Salz) Date: Sat, 13 Jan 1996 04:28:13 +0800 Subject: Boston talk on offshore banks Message-ID: <9601122001.AA18808@sulphur.osf.org> I heard an ad on the radio for a free seminar on how to protect your assets using off-shore banks. I forget who the speaker is, I think they're with the English-Irish bank in Austria, or something like that. The thrust was to save assets for when you retire and Social Security isn't there for you. I'm posting this since off-shore banking touches on privacy issues and comes up here now and then. Two dates, Jan 17 (Newton, MA) or Jan 18 (Burlington, MA). Call 617 663 3299 for more info. From llurch at networking.stanford.edu Fri Jan 12 12:34:53 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 13 Jan 1996 04:34:53 +0800 Subject: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com In-Reply-To: Message-ID: On Fri, 12 Jan 1996, Alan Bostick wrote: > Somebody, too clever for their own good by half, has come up with a > novel way of using Usenet and anonymous remailers to perpetrate > mailbombs. The M.O. is to post a message to the naked-lady newsgroups > saying "get pics in your mailbox! send this message to this address!), > giving the email address of a cypherpunk-style anonymous remailer and > including a pgp-encrypted message block. Yuck. Unless someone comes forward to say that they were the target of this attack, I'd guess that the target is the remailer network itself. 
> > Xref: netcom.com alt.sex:292849 alt.sex.wizards:44144 alt.sex.magazines:11634 alt.binaries.pictures.erotica:364153 alt.binaries.pictures.erotica.blondes:48686 alt.binaries.pictures.erotica.female:130066 alt.sex.movies:91249 alt.sex.pictures:98757 > > Newsgroups: alt.sex,alt.sex.wizards,alt.sex.magazines,alt.binaries.pictures.erotica,alt.binaries.pictures.erotica.blondes,alt.binaries.pictures.erotica.female,alt.sex.movies,alt.sex.pictures > > Path: netcom.com!ix.netcom.com!howland.reston.ans.net!news.sprintlink.net!nuclear.microserve.net!luzskru.cpcnet.com!www-39-190 > > From: luzskru at cpcnet.com (luzskru) > > Subject: Get Penthouse and Playboy pics on your mail box!! > > Message-ID: <1b7cc$12a26.20 at luzskru.cpcnet.com> > > Date: Thu, 11 Jan 1996 18:10:37 GMT > > Organization: http://www.cpcnet.com/~luzskru/home.htm > > X-Newsreader: News Xpress Version 1.0 Beta #4 > > Lines: 119 This article is still on nntp.stanford.edu. I've issued a cancel. Sites far removed from stanford.edu should consider doing the same. luzskru at cpcnet.com, of course, doesn't exist, *BUT* there is a luzskru.cpcnet.com in the DNS. And while every other port seems to be closed, there is an open NNTP port. N:~> telnet luzskru.cpcnet.com nntp Trying 198.70.185.5... Connected to luzskru.cpcnet.com. Escape character is '^]'. 200 luzskru.cpcnet.com NNS server version X2.06 ready - posting allowed quit 205 closing connection - goodbye Connection closed by foreign host. postmaster at cpcnet.com is probably a victim of this, but he should still be flayed with a wet noodle for letting this happen. -rich From koontz at MasPar.COM Fri Jan 12 12:41:30 1996 From: koontz at MasPar.COM (David G. Koontz) Date: Sat, 13 Jan 1996 04:41:30 +0800 Subject: Zimmermann case is dropped. Message-ID: <9601120231.AA24628@argosy.MasPar.COM> tcmay at got.net wrote: >Yes, I think it likely that another case will be filed, a case the >government senses is more winnable. 
In many ways, what Phil and/or some of >his friends may or may not have done was too "stale." None of the Four >Horsemen were involved directly, and Phil's case generated publicity that >tended to make him a hero, not an Enemy of the People. The question is, can Phil get through U.S. Customs at a point of entry in a reasonable time, now? From delznic at storm.net Fri Jan 12 12:47:33 1996 From: delznic at storm.net (Douglas F. Elznic) Date: Sat, 13 Jan 1996 04:47:33 +0800 Subject: Shimomura on TV? Message-ID: <2.2.16.19960112025419.2fd733a2@terminus.storm.net> At 07:38 PM 1/11/96 -0500, hallam at w3.org wrote: > >>Has anyone heard anything else about this? I am getting real sick of the >>media's portrayal of the internet. They never say anything good about it. > >At the last World Wide Web consortium meeting I said that the media were >pumping up the bubble and their favourite game is to see if they can >destroy what they have the arrogance to imagine they created. > >That is why we have to replace the press. Consider this in the next >election voters on the Internet will be able to read the press releases >of the candidates without the press filtering them. There is the potential >for the internet citizens to participate in shaping the political agenda >- another role the press likes to usurp for itself. > >I recently held a workshop on political use of the Web which was attended >by Republican and Democrat party workers and political activists from >6 other countries. One thing that suprized me was the consensus amongst the >politicians that the differences between them were smaller than their >differences with the press. > >To take one example. A collumnist in the New York Times recently received >much coverage for calling the First Lady "a congenital liar". Yet little >mention is made of the fact that said collumnist worked for both Nixon and >Spiro Agnew and has never condemned either for their actions. > > > Phill > > It is disgusting to me. 
I would really like to do something about it. I use to have a sig file(s) that said: "The revolution will not be televised but the proceeedings will be available oonline." During the french revolution someone said "Look their is a revolt" And another replied "No, a revolution." Or something to that affect. But anyway I say we as a community do something. Look around the potential is here for something big e.g. C2.org -- ==================Douglas Elznic=================== delznic at storm.net http://www.vcomm.net/~delznic/ (315)682-5489 (315)682-1647 4877 Firethorn Circle Manlius, NY 13104 "Challenge the system, question the rules." =================================================== PGP key available: http://www.vcomm.net/~delznic/pgpkey.asc PGP Fingerprint: 68 6F 89 F6 F0 58 AE 22 14 8A 31 2A E5 5C FD A5 =================================================== From llurch at networking.stanford.edu Fri Jan 12 12:47:48 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 13 Jan 1996 04:47:48 +0800 Subject: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com In-Reply-To: Message-ID: I did an AltaVista search for "luzskru" and found it on a list of known open NNTP sites. They're almost certainly blameless. The list, btw, is http://dana.ucc.nau.edu/~jwa/open-sites.html Cc'd to the guy who generates that list. In case he doesn't know, cypherpunks is browseable at news://nntp.hks.net/hks.lists.cypherpunks -rich From frissell at panix.com Sat Jan 13 05:03:37 1996 From: frissell at panix.com (Duncan Frissell) Date: Sat, 13 Jan 96 05:03:37 PST Subject: (fwd) e$: Starting an Avalanche Message-ID: <2.2.32.19960113130559.00bc7dec@panix.com> At 01:33 PM 1/12/96 -0500, Robert Hettinga wrote: >The most interesting thing I've read in quite a while is a reprint of >the March 31,1995 issue of Esther Dyson's Release 1.0, which, I >understand, was the first time someone other than Esther herself edited >an issue. 
> >The editor was none other than Eric Hughes, of cypherpunks fame, and the >topic was, of course, e$. Well, he didn't up and say "e$" anywhere, >exactly, the title of the whole issue was "A Long-Term Perspective on >Electronic Commerce", I'll second that. I read part of the draft as Eric was working on it at CFP95. Good work. DCF From llurch at networking.stanford.edu Fri Jan 12 14:03:11 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 13 Jan 1996 06:03:11 +0800 Subject: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com Message-ID: This seems to have been confirmed in private email. So, what's the real target? ---------- Forwarded message ---------- Date: Fri, 12 Jan 1996 13:15:37 -0800 (PST) From: Rich Graves To: Eric Murray Subject: Re: Novel use of Usenet and remailers to mailbomb from luzskru at cpcnet.com On Fri, 12 Jan 1996, Eric Murray wrote: > > Unless someone comes forward to say that they were the target of this > > attack, I'd guess that the target is the remailer network itself. > > The target, Homer Wilson Smith, is one of the people embroiled in > the Scientology wars. I don't want to get into the recent history > of repression and abuse by Scientology agents & sympathizers, but > my guess is that this is an attempt to harass someone that > Scientology doesn't like. Yes, I've heard of him. But doesn't the given address just forward to a remailer? Have you seen anything to indicate that the flood really goes to him? Actually, last time I saw, he was no longer really embroiled. He was backing off to become a neutral ISP. He still runs lazarus, of course. 
-rich From proff at suburbia.net Fri Jan 12 14:03:40 1996 From: proff at suburbia.net (Julian Assange) Date: Sat, 13 Jan 1996 06:03:40 +0800 Subject: Toad Hall In-Reply-To: <199601112030.PAA04786@pipe3.nyc.pipeline.com> Message-ID: <199601120936.UAA02076@suburbia.net> > From: "Takedown: The pursuit and Capture of Kevin Mitnick, > America's Most Wanted Outlaw -- By the Man Who Did It," by > Tsutomu Shimura, with John Markoff, Hyperion Press, a > subsidiary of The Disney Company, 1996, 326 pp. $24.95. > ISBN 0-7868-6210-6 This makes me ill. Tsutomu, when Mitnick croaks, will you dig up his grave and rent his hands out as ash trays? Don't worry, I'm sure Markoff will lend you his shovel and for a percentage even teach you how to use it. Knowledge of the final days of American wild west not my strong point, however I _do_ recall that the man who murdered one of the last notorious American gun-slinger-outlaws went on not long after to produce and act in stange show which described just how he Did It. Some years later he himself was murdered by a disgusted member of the audience. The jews have a good statement the benefits of recalling the past. -- +----------------------------------+-----------------------------------------+ |Julian Assange | "if you think the United States has | |FAX: +61-3-9819-9066 | stood still, who built the largest | |EMAIL: proff at suburbia.net | shopping centre in the world?" - Nixon | +----------------------------------+-----------------------------------------+ From zinc at zifi.genetics.utah.edu Fri Jan 12 14:04:23 1996 From: zinc at zifi.genetics.utah.edu (zinc) Date: Sat, 13 Jan 1996 06:04:23 +0800 Subject: PRZ grand jury - how about free accts for them... Message-ID: -----BEGIN PGP SIGNED MESSAGE----- cpunks, i was thinking about the whole PRZ thing last night and especially about our lack of information. 
One of the best things that could happen is to get some or all of the members of the grand jury on the net and subscribed to the CP list so we could ask questions. If they just had e-mail we could submit questions to them and ask that they reply to the whole list. In this vein, it would be nice if someone (c2??) would offer dialup access for any members of the grand jury who wanted it. i would be happy to offer shell accts to any member so they could enlighten us about the mysterious ways of the TLAs. Unfortunately, they would need to obtain telnet access for this. Is there any way we could offer these accts to them? i suppose their names are not known so this is obviously a problem and it wouldn't speak well of the cypherpunks to go violating someones privacy just so we could ask them to explain the government to us. Just some thoughts... - -pjf patrick finerty = zinc at zifi.genetics.utah.edu = pfinerty at nyx.cs.du.edu U of Utah biochem grad student in the Bass lab - zinc fingers + dsRNA! ** FINGER zinc-pgp at zifi.genetics.utah.edu for pgp public key - CRYPTO! zifi runs LINUX 1.3.56 -=-=-=WEB=-=-=-> http://zifi.genetics.utah.edu -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by mkpgp1.6, a Pine/PGP interface. iQCVAwUBMPbV2U3Qo/lG0AH5AQEqPAP9EGSd1P9+Fubx+9RsMrjYphRVRBiHN/Ne DtlLgIx+g+i49lFfs0hAXfrpV5j/0l3fIDpUiUpUWEkJ+HJRfaAIdhgsYn1qNV+w /CZHaUjGBejd0BxD0WhxH6hMEgpWaTimgyGRRxJkABqsDzuqhnwEt2HFmChucTSy 3ibOq8y1cTs= =3TDU -----END PGP SIGNATURE----- From ericm at lne.com Fri Jan 12 14:22:07 1996 From: ericm at lne.com (Eric Murray) Date: Sat, 13 Jan 1996 06:22:07 +0800 Subject: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com In-Reply-To: Message-ID: <199601122105.NAA00876@slack.lne.com> Rich Graves writes: > > On Fri, 12 Jan 1996, Alan Bostick wrote: > > > Somebody, too clever for their own good by half, has come up with a > > novel way of using Usenet and anonymous remailers to perpetrate > > mailbombs. The M.O. 
is to post a message to the naked-lady newsgroups > > saying "get pics in your mailbox! send this message to this address!), > > giving the email address of a cypherpunk-style anonymous remailer and > > including a pgp-encrypted message block. > > Yuck. > > Unless someone comes forward to say that they were the target of this > attack, I'd guess that the target is the remailer network itself. The target, Homer Wilson Smith, is one of the people embroiled in the Scientology wars. I don't want to get into the recent history of repression and abuse by Scientology agents & sympathizers, but my guess is that this is an attempt to harass someone that Scientology doesn't like. They (Scientology) have shown a remarkable ability to grasp both the technical details and social implications of the Internet and use them to harass ex "church" members and people who say things that they don't like. The "church" undoubtedly hates remailers because so many of their critics post anonymously through them. But as they discovered with Usenet news, the same technology can be used to harass those critics. I think we'll see more ingenious attacks like this, using CP-tech in perverted ways to harass people. Annoying for sure, but helpful in a way- they'll help debug the technology. Like cipherpunks hacking Netscape, in the end it just makes it stronger. -- Eric Murray ericm at lne.com ericm at motorcycle.com http://www.lne.com/ericm PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF From froomkin at law.miami.edu Fri Jan 12 14:42:35 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Sat, 13 Jan 1996 06:42:35 +0800 Subject: PRZ grand jury - how about free accts for them... In-Reply-To: Message-ID: sounds like jury tampering to me. a good way to go to jail quickly. A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O.
Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here. From nobody at REPLAY.COM Fri Jan 12 14:47:44 1996 From: nobody at REPLAY.COM (Anonymous) Date: Sat, 13 Jan 1996 06:47:44 +0800 Subject: Zimmermann case is dropped. Message-ID: <199601122220.XAA06261@utopia.hacktic.nl> I wrote: > ...and I'm sure they'll be watching VERY closely to see how >version 3.0 will be distributed.... John Young wrote: >AUSA William Keane in today's WSJ: > > "This decision shouldn't be interpreted as meaning > anything. I caution people against concluding the > Internet is now free for export." Alex Strasheim wrote: >The government's policy doesn't prevent crypto from spreading around the >world, but it does discourage a lot of people from distributing code >they've written or modified. That's the point of the policy, and from >their point of view it's probably a big success. My sentiments exactly. I tend to disbelieve in coincidences. Rather, I found the timing of dropping the investigation of PRZ and the anticipated release of version 3.0 extremely interesting. One might conclude that their attitude was: "Let's throw this fish back and aim for a 'keeper'. From lull at acm.org Fri Jan 12 15:08:15 1996 From: lull at acm.org (John Lull) Date: Sat, 13 Jan 1996 07:08:15 +0800 Subject: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com In-Reply-To: Message-ID: <30f6de9e.28100489@smtp.ix.netcom.com> On Fri, 12 Jan 1996 10:55:12 -0800, you wrote: > Cypherpunks: is there any way to respond to, or prevent, this sort of > attack short of actually shutting down the remailer? Yes, very simply. The remailer could calculate a hash for the body of each encrypted message received (the same portion which will be decrypted by PGP), tabulate the last few thousand hashes, and simply discard any messages with a duplicate hash. The target of the attack would receive only the first copy of the message. 
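John Lull's suggestion above (hash the encrypted body, remember the last few thousand hashes, discard duplicates) generalizes Alan Bostick's grep for one known ciphertext string. The following is an added sketch of it, not code from any remailer: the class, function names, and sample messages are hypothetical. It hashes the decoded armor bytes so that quoting prefixes, armor headers, and line endings do not change the digest.

```python
import base64
import binascii
import hashlib
import re
import textwrap
from collections import OrderedDict

BEGIN = "-----BEGIN PGP MESSAGE-----"
END = "-----END PGP MESSAGE-----"
QUOTE_PREFIX = re.compile(r"^(?:\s*>)*\s*")   # "> > " left by mail/news quoting


def armored_payload(text):
    """Return the decoded bytes of the first PGP MESSAGE armor block, or None.

    Armor headers (Version:, Comment:), the "=XXXX" checksum line, quoting
    prefixes and line endings are ignored, so cosmetically different copies
    of one ciphertext produce the same bytes.
    """
    inside, data = False, []
    for raw in text.splitlines():
        line = QUOTE_PREFIX.sub("", raw).rstrip()
        if line == BEGIN:
            inside, data = True, []
        elif inside and line == END:
            joined = "".join(data)
            try:
                return base64.b64decode(joined, validate=True)
            except (binascii.Error, ValueError):
                # Malformed armor: fall back to hashing the text itself.
                return joined.encode("ascii", "replace")
        elif inside and line and ":" not in line and not line.startswith("="):
            data.append(line)
    return None


class DuplicateFilter:
    """Bounded memory of recent ciphertext digests ("last few thousand")."""

    def __init__(self, capacity=4096):
        self.capacity = capacity
        self.seen = OrderedDict()   # digest -> copies seen so far

    def accept(self, text):
        """Return True to process the message, False to discard a repeat."""
        payload = armored_payload(text)
        if payload is None:
            return True   # no encrypted block; left to the remailer's other checks
        digest = hashlib.sha256(payload).hexdigest()
        if digest in self.seen:
            self.seen[digest] += 1
            self.seen.move_to_end(digest)   # keep an active flood in the window
            return False
        self.seen[digest] = 1
        if len(self.seen) > self.capacity:
            self.seen.popitem(last=False)   # forget the oldest digest
        return True


def sample_message(payload, version="2.6.2i", quote="", eol="\n"):
    """Build a constructed remailer request around `payload` (test data only)."""
    body = textwrap.wrap(base64.b64encode(payload).decode("ascii"), 64)
    lines = ["::", "Encrypted: pgp", "", BEGIN, "Version: " + version, ""]
    lines += body + ["=AAAA", END]   # "=AAAA" is a placeholder checksum line
    return eol.join(quote + line for line in lines) + eol


def demo():
    """First copy passes, a requoted CRLF copy is dropped, other mail passes."""
    flt = DuplicateFilter(capacity=2)
    first = b"constructed ciphertext A " * 8
    other = b"constructed ciphertext B " * 8
    return [
        flt.accept(sample_message(first)),
        flt.accept(sample_message(first, version="2.6.2", quote="> ", eol="\r\n")),
        flt.accept(sample_message(other)),
        flt.accept("Plain request with no encrypted block\n"),
    ]


if __name__ == "__main__":
    print(demo())
```

The `capacity` argument is Lull's "last few thousand": it trades memory against how long a repeated block stays suppressed.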
From bdolan at use.usit.net Fri Jan 12 15:17:33 1996 From: bdolan at use.usit.net (Brad Dolan) Date: Sat, 13 Jan 1996 07:17:33 +0800 Subject: PGP filter? Message-ID: InfoWorld, 1/8/96 Network Security: Software scans E-mail gateways for virus threats -- by Jessica Davis The increasing number of links between LANs and the internet has raised security concerns on private networks. To address this issue, Central House Technologies Inc. has acquired the North American rights to MimeSweeper Internet mail virus-protection software from Integralis Ltd., in Berkshire, England. [...] The Windows NT server application works by unbundling and unzipping messages at the gateway and returning the attached documents to their original file format. Then MimeSweeper uses a virus-checking utility installed by the customer to examine the attachments. Upon receipt of a suspect attachment, MimeSweeper notifies the postmaster and quarantines the message until the administrator can take action. [...] Integralis also plans to add the capability to scan outgoing documents for confidential information and add corporate disclaimers to outgoing mail. Integralis is also working on support for public key encryption to allow encrypted messages to enter private networks without delays from quarantines. [...] From nobody at flame.alias.net Fri Jan 12 15:18:50 1996 From: nobody at flame.alias.net (Anonymous) Date: Sat, 13 Jan 1996 07:18:50 +0800 Subject: NoneRe: Zimmermann case is dropped. In-Reply-To: <199601120023.TAA22279@homeport.org> Message-ID: <199601120726.IAA11381@utopia.hacktic.nl> adam at lighthouse.homeport.org (Adam Shostack) wrote: > If someone really is looking to get in trouble for exporting >crypto software, I'd suggest that they consider Crypto++ or Cryptolib >as good things to export. Well, so far the feds haven't prosecuted "Jim Bidzos" for posting Crypto++ to usenet. Anyway, both versions have been on utopia.hacktic.nl for months.
From zinc at zifi.genetics.utah.edu Fri Jan 12 15:39:44 1996 From: zinc at zifi.genetics.utah.edu (zinc) Date: Sat, 13 Jan 1996 07:39:44 +0800 Subject: PRZ grand jury - how about free accts for them... In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Fri, 12 Jan 1996, Michael Froomkin wrote: > Date: Fri, 12 Jan 1996 17:17:35 -0500 (EST) > From: Michael Froomkin > To: zinc > Cc: cypherpunks > Subject: Re: PRZ grand jury - how about free accts for them... > > sounds like jury tampering to me. a good way to go to jail quickly. how can it be jury tampering if the jury has been disbanded? i did not mean to influence an active grand jury, but to ask questions of one that had finished it's job. - -pjf patrick finerty = zinc at zifi.genetics.utah.edu = pfinerty at nyx.cs.du.edu U of Utah biochem grad student in the Bass lab - zinc fingers + dsRNA! ** FINGER zinc-pgp at zifi.genetics.utah.edu for pgp public key - CRYPTO! zifi runs LINUX 1.3.56 -=-=-=WEB=-=-=-> http://zifi.genetics.utah.edu -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by mkpgp1.6, a Pine/PGP interface. 
iQCVAwUBMPbke03Qo/lG0AH5AQFgPgQAoEs1YccZJVhSeUiFUTuvfe24+OJ1A07l 6eJBQpXPEX07V4udiAlSw9SQYoKO2ezwDVM0WW2Pr3lJnIfJ318neN5/OQe0YGxk PqsrfvwaC7SlnrrSub9D8DKlCIoMVesowDeebkVMXeReaa75tcZn67/PYnctaCYq cXhqg4TGoic= =V7jy -----END PGP SIGNATURE----- From rah at shipwright.com Fri Jan 12 15:40:47 1996 From: rah at shipwright.com (Robert Hettinga) Date: Sat, 13 Jan 1996 07:40:47 +0800 Subject: (fwd) e$: Starting an Avalanche Message-ID: --- begin forwarded text Sender: e$@thumper.vmeng.com Reply-To: e$@thumper.vmeng.com Mime-Version: 1.0 From: rah at shipwright.com (Robert Hettinga) Date: Fri, 12 Jan 1996 13:02:27 -0500 Precedence: Bulk To: Multiple recipients of Subject: e$: Starting an Avalanche -----BEGIN PGP SIGNED MESSAGE----- e$: Starting an Avalanche 1/12/96 Boston, Massachusetts The most interesting thing I've read in quite a while is a reprint of the March 31,1995 issue of Esther Dyson's Release 1.0, which, I understand, was the first time someone other than Esther herself edited an issue. The editor was none other than Eric Hughes, of cypherpunks fame, and the topic was, of course, e$. Well, he didn't up and say "e$" anywhere, exactly, the title of the whole issue was "A Long-Term Perspective on Electronic Commerce", but he was talking about e$ just the same. Eric told me about this magnum opus when he came to help me talk about e$ at Apple in December. It was the first time I had heard of it, and when I talk to people who are interested in these things, it's the first they've heard of it, too. Blink once, and you miss the good stuff, I guess.. I won't go too much into what he said there, as I'm still digesting it, and it's frightfully copyrighted, but I'm sure you can get reprints from EDventure Holdings, Esther's company, by sending e-mail to their circulation and fulfillment manager, Robyn Sturm, robyn at edventure.com . You can definitely tell Eric wrote it, though. 
When Eric's really cooking, it's like he invents this whole language to describe what he's talking about. In this case, that's a good thing, because most of what he talks about he has to invent as he goes along. Anyway, it's 28 single-spaced elite-pitched pages of pure Eric, and it's manditory reading for anyone who wants to sit in on an advanced e$ colloquium from the comfort of their own living room... I'm taking, as my text for today's sermon (say "amen!", somebody), the following, from Eric's Release 1.0 issue, page 19: "Multiparty compatibility. "A software product launch is a two-party negotiation. Software vendors write products for a given operating system and persuade consumers to buy it. This is a standard retail transaction. Prospective sellers of a money system, however, have a four-party negotiation: the money system vendor, consumers, merchants and financial intermediaries. That is, there is one seller and three buyers, each of which has different system requirements. "Consumers have microcomputers or PDAs or smart cards. Merchants vary widely by size; each will hve different requirements for operations size. Banks and other intermediaries require extremely reliable transaction processing systems. No single vendor will be able to meet all these requirements. Anybody who expects to provide the entire technology infrastructure for a new money system will fail outrightly and completely. Success will require partnerships at the very least. Open standards will be even more likely to succeed. "This criterion against isolation cuts out several would-be contenders from my book right away: Netbank, Digicash and the academic projects NetBill and NetCheque. This is not to say that these companies won't have businesses, but rather that their ventures will always remain small." Now, this was written in, say, February of last year. A year ago. What amazed me was that it was exactly what I was talking to someone about last week. I love this stuff... 
Now I'm not bashing any of the above payment schemes, here, but there is a lot of the old industrohierarchical (see, Eric, I do neologism too!) mindset in what a lot of e$ protocol developers are doing out there. With that in mind, I'm going to step into *my* version of e$-Life, - -the-Universe and -Everything, and I'm going to do it with a model for distributing digital bearer certificates of various kinds, starting with digital cash, but easily extensible to any kind of digital bearer certificate. Definitions As Eric said, there are at least 4 players in any money system. I hope I may be excused if I tweak this a bit... Consumer The first player is the consumer. This is the person who purchases a digital bearer certificate for some reason. In the case of a digital cash certificate, this person is buying a piece of digital cash from someone else, for some other kind of money, in order to effect a transaction on the net later. Merchant It gets more complicated a little later, but, for the time being, this is a person who accepts a digital bearer certificate in exchange for something else. Usually this person is a commercial entity, and thus needs to be able to test the certificate, on-line with the underwriter, before accepting it, in order to prevent double-spending and reduce the risk of the transaction. Underwriter This is the entity which issues the certificates, and is responsible for exchanging them into other forms of money or certificates of other kinds. The second most important thing an underwriter does is to verify that certificates haven't been double-spent. The most important thing an underwriter does is to market its certificates. Trustee A trustee holds the money for the underwriter while it's on the net. Like bond trustees, the trustee works for "shareholders", the holders of the digital certificates, according to an agreement between the underwriter and the certificate holders. 
Typically, the trustee is a bank, since certificates are usually settled for money. Software Developer Off of the net, there are consumers, underwriters and trustees of physical certificates. We haven't really introduced any really net-specific features. Here's where we do. Since digital certificates are digital objects, they're created and handled by software and moved around on networks. The second most important thing that developers of digital bearer certificate software do is to write software which issues, verifies, and handles digital bearer certificates. The most important thing that developers of digital bearer certificate software do is to market their software to consumers, to trustees, and to underwriters. A software developer can develop all kinds of different software and market that code to any market that's out there: vertical, functional, or any niche that makes money. A developer can make wallets, which can do peer-to-peer or client-server transactions, or cash registers, which do on-line transactions involving the underwriter to validate certificates against double spending, or mints, which produce and validate the digital certificates themselves. A developer can even subdivide those major software objects into smaller pieces, if there's a market for it. Protocol Inventor Protocol inventors are the people who had the idea to begin with. They figured out how to generate, handle, verify, and transmit this particular type of digital bearer certificate, and typically have patents on the process. The second most important thing a protocol inventor does is design cryptographic protocols, licence them, and validate their implementation. The most important thing a protocol inventor does is market their protocols to software developers, to underwriters, and, in the early stages, to trustees.
A prima facie retread Yes, it's time for Hettinga to trot out his now-threadbare (I'll say "time-tested") business model for digital cash, and show how this all works. Of course, you can use digital bearer certificates for all kinds of things besides cash, and I contend in my more unrestrained moments, that *any* security can be issued as a digital bearer certificate, but let's stick with digital cash here, for the time being. The protocol inventor is a cryptographer who has a brainwave one day and invents a digital bearer certificate protocol. He announces it, patents it if possible, lots of other cryptographers vet it, and it works. Potential underwriters, software developers, and even trustees blow apart his e-mail server asking him when he's going to let them build code, businesses, or whatever it is they want him to let them build. The inventor convenes a group of interested developers, and they start working out how to implement the protocol into code. The inventor makes deals with all of them. When they've finished their code, he'll certify that their code adheres to the protocol, and they'll pay him a licence, or a certification fee, or whatever. The inventor also starts to chum the water for underwriters, even though the developers are the people who're going to be actually closing deals with them, and trustees, even though the underwriters are going to be actually closing deals with *them*. So, the day comes, and people are actually buying these certificates. The consumer buys, from one of many software developers, or is given, by one of many underwriters, a wallet, which allows the storage and disbursement of digital bearer certificates, either on-line or off-line. I personally believe that there will be off-line transactions between people who trust each other enough, caveat vendor ;-). The consumer goes to a web page. Think of this web page as the equivalent of an automatic teller machine.
As such, it has at least link-, and hopefully internet-level encryption to the user's machine. Not only that, but the consumer's account information is probably encrypted so that not even the underwriter sees it, in the same way that the Cybercash protocol works now. If the consumer's machine has a card swiper, then he swipes a card and enters a pin number. He could also store this information encrypted on his hard drive, and just type a passphrase to release it. He could also have all this on a smart card. Software and hardware vendors will build what consumers, underwriters, and trustees want to use. The request and authorization for cash goes over the net, through the underwriter and the ATM network to the consumer's bank, who sends an authorization message back to the underwriter to disburse digital cash certificates in the amount of the consumer's request. At least that's the way it would work for the time being. It's easy to see that, if the consumer's bank was on the net, the transmission authorizing disbursement to the underwriter could just go over the net itself. The bank and the underwriter settle with a fed funds wire. For the time being, anyway. ;-). The underwriter then issues the certificates to the consumer in the desired denominations, in addition to whatever fee the underwriter charges, in the same way traveller's checks are sold at a premium at the time of sale. The money from the consumer's bank goes to the underwriter's account at his trustee bank, collecting interest, payable to the underwriter, until the money comes back off of the net someday, payable to the redeemer at par (the value of the denomination of the certificate). 
The consumer then buys something on-line from a merchant, or off-line from another consumer (or a merchant who can't afford the security of an on-line transaction, and believes the risks are worth it), who then either spends the cash certificate somewhere else or redeems the certificate through the underwriter, who in turn has his trustee wire the money to the merchant's bank. Wearing too many hats When you break the world up the way I have above, you see the world of digital certificates in very interesting terms. First of all, you can see what Eric was talking about. Lots of people in the digital cash business are trying to wear too many hats. Underwriters who are also trustees, protocol inventors developing software, merchants who are software developers. Remember my contention elsewhere that the worst thing you can do in a geodesic market is to create industrial scale-economy hierarchies. The more independent entities you have, doing different things in as market-driven a fashion, the better. The instantaneity of communication and the multiplicity of information processors continually lowers the cost to entry and makes markets very competitive, forcing lots of innovation and product evolution. Concentrations of information, or any other resource, get "surfacted" into the lowest possible reaches of the network as processor prices fall. In InfoWorld a couple of months ago, I compared Microsoft to a dog in the manger in this regard, and you can see what they're trying to do now that they figured out that their monopolistic desktop strategy won't hunt on the internet. Now What? So. You've developed the be-all, end-all digital bearer certificate protocol. What do you do? The most important thing you can do is to develop, validate, and above all, promote your protocol. Anything else is not only inefficient, but, in the worst scenario, it can be considered a threat to one or more of the other players in the system, and no one will adopt it. Your protocol is stillborn. 
The thing you want to do is to create as many software developers, as many underwriters, and as many trustees as possible. Why? The more underwriters you have, the more people are using your protocol. Remember, the underwriters are charged with actually marketing the certificates themselves. Also, the more underwriters there are, the more robust your certificate system is, because there is no single point of failure -- economic, operational, or otherwise -- in the system. The more trustees you have, the more faith everyone has in the system. The social and legal parts of your protocol are enforced by the trustees. They're there to hold the stakes and keep everyone honest. To prevent repudiation of the certificates by the underwriters themselves by making them hold a respectable reserve against the certificates outstanding, for instance. In addition, the trustees could be used to settle certificates from one underwriter against those of others. That's already built into the banking system, with various central bank wires and clearing associations. In the model above, the trustee is the link to the non-net economy. It is the ultimate settlement mechanism because, for the time being, digital cash has to be denominated in other currencies. Certainly, like any method of abstracting value, digital cash cannot exist if it is not immediately convertible into other things of value, so there will always be those who are responsible for guaranteeing those conversions. In my model, and in non-net securities markets, those people are the trustees. The more developers you have, the more competition there is to build software which creates, handles, and verifies the certificates as efficiently and reliably as possible. Like underwriters, software developers are responsible for marketing *their* products -- the wallets, the cash registers, the mints, that your protocol requires in order to function -- to the various participants in the digital certificate market.
That means that you have to be as open with your protocol as possible. You have to create a set of reference documents which everyone can read and understand. You have to promote the hell out of the protocol by hosting conferences of current and potential underwriters. Then, when you have lots of developers, underwriters, trustees, and, by extension, users, of your certificate protocol, you have to keep the protocol honest by cryptographically validating the various software parts so that the market's participants can trust that the protocol is being adhered to. That means *not* writing software, paradoxically. The reason you have this great protocol is because you're a great cryptographer: not a great underwriter/marketer, not a great developer, not a great trustee/banker. The entire market can't function without you, and, in a geodesic market, you can add significant value and get paid for that value without owning all the other components of the system to get it. The great unwashed avalanche There's great benefit to having this great unwashed horde of people helping you put all this together. Most of that benefit comes from creating a large chaotic emergent system, a market. People can specialize in some small piece of the system and optimize it without you having to tell them what to do, for instance. In addition, very small investments yield rewards way out of proportion to the money invested. My favorite example for this is the prize that was offered for flying non-stop from New York to Paris. Many times the prize money was spent in achieving the feat by all the contenders, and some single teams probably spent more than the prize money all by themselves. The rewards to the person who finally completed the trip greatly exceeded the prize money he won. Finally, the rewards to aviation as a whole were much greater than all the money spent by all the teams trying to be first.
That's the great thing about creating an emergent process like a digital certificate market. It's like kicking some snow down on top of an avalanche zone. You release all that stored energy, ambition, and talent. All at once. Cheers, Bob Hettinga -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMPagTfgyLN8bw6ZVAQHmqQP/RaD/2XPxO2Gx2otHjAPI8+H+xkT85JSX BqVyYEYo/8ilbf/bmZC9YDIhmi0vDpEODkj+7LJ0zsm8AX0LAOLj8N23f3R5LXX0 2QNvPczNN8v+9T1M2r4bhgtRUfy7OPFkOpvfbrJkkWT4XNL8PwojAA3UMVQ8UgYJ A0nLC/z+78s= =5TRr -----END PGP SIGNATURE----- -------------------------------------------------- The e$ lists are brought to you by: Making Commerce Convenient (tm) - Oki Advanced Products - Marlboro, MA Value-Checker(tm) smart card reader= http://www.oki.com/products/vc.html Where people, networks and money come together: Consult Hyperion http://www.hyperion.co.uk info at hyperion.co.uk See your name here. Be a charter sponsor for e$pam, e$, and Ne$ws! See http://thumper.vmeng.com/pub/rah/ or e-mail rah at shipwright.com for details... ------------------------------------------------- --- end forwarded text ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/ From stend at grendel.texas.net Fri Jan 12 15:52:28 1996 From: stend at grendel.texas.net (Sten Drescher) Date: Sat, 13 Jan 1996 07:52:28 +0800 Subject: PRZ grand jury - how about free accts for them... In-Reply-To: Message-ID: <55g2dlqamz.fsf@galil.austnsc.tandem.com> Michael Froomkin said: MF> sounds like jury tampering to me. a good way to go to jail quickly. Just like O.J.? Or didn't you hear about the party he threw for his jurors? -- #include /* Sten Drescher */ 1973 Steelers About Three Bricks Shy of a Load 1994 Steelers 1974 Steelers And the Load Filled Up 1995 Steelers? 
To get my PGP public key, send me email with your public key and Subject: PGP key exchange Key fingerprint = 90 5F 1D FD A6 7C 84 5E A9 D3 90 16 B2 44 C4 F3 Unsolicited email advertisements will be proofread for a US$100 fee. From alanh at infi.net Fri Jan 12 16:09:01 1996 From: alanh at infi.net (Alan Horowitz) Date: Sat, 13 Jan 1996 08:09:01 +0800 Subject: PRZ grand jury - how about free accts for them... In-Reply-To: Message-ID: In Siskiyou County, the names of the foreman of the Grand Jury (local) are printed in the newspaper on appointment. You don't need to know the names. Go to the courthouse and ask the deputy Marshal to "give the foreman this letter". I'd have a "straight" looking person do it, since the deputy isn't *required* to assist. Heck, you could probably just address a letter to "Foreman of Grand Jury, Federal Courthouse". Alan Horowitz alanh at norfolk.infi.net From alanh at infi.net Fri Jan 12 16:11:47 1996 From: alanh at infi.net (Alan Horowitz) Date: Sat, 13 Jan 1996 08:11:47 +0800 Subject: PRZ grand jury - how about free accts for them... In-Reply-To: Message-ID: On Fri, 12 Jan 1996, Michael Froomkin wrote: > sounds like jury tampering to me. a good way to go to jail quickly. Horsepoop. The Grand Jury exists by itself. It doesn't need a judge's or a prosecutor's permission to receive letters. I know this must cause heartburn and gnashing of teeth, to lawyers. Imagine, making decisions without a lawyer in control......
From lull at acm.org Fri Jan 12 16:12:09 1996
From: lull at acm.org (John Lull)
Date: Sat, 13 Jan 1996 08:12:09 +0800
Subject: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com
In-Reply-To:
Message-ID: <30f6ef04.32298803@smtp.ix.netcom.com>

On Fri, 12 Jan 1996 22:25:53 GMT, I wrote:

> The remailer could calculate a hash for the body of each encrypted
> message received (the same portion which will be decrypted by PGP),
> tabulate the last few thousand hashes, and simply discard any messages
> with a duplicate hash. The target of the attack would receive only
> the first copy of the message.

To refine this a bit further, the hash need not cover the entire message. It could be sped up a bit by restricting it to the header containing the encrypted session key. Since the session key is selected randomly, that header (and its hash) should be unique for every message.

The hash values could also be retained for a fixed period of time -- perhaps 23 hours -- following the most recent receipt of a given hash. Thus a message could be repeated by the legitimate sender after a delay of 24 hours, and would be forwarded. The original sender could re-encrypt the message (thus changing its hash) earlier than that, and it would be properly forwarded.

A canned message on the other hand, being sent from multiple locations, would likely be received more often than this and not forwarded after the first time, even if each sender only sent it once a day.

You could even penalize messages for which you've received massive dupes, by extending the hash retention time by, say, 12 hours for each dupe received. If you got a message 100 times in one day, you'd refuse to forward any duplicates for nearly 2 months. This would take care of those on vacation at the time of the original attack, and those with very slow news feeds.
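
The duplicate filter described in the message above (hash only the encrypted portion, keep each hash 23 hours past its most recent receipt, add 12 hours per duplicate), sketched in Python as an added example; it is not part of the original post and not any remailer's actual code. SHA-256, the armor parsing, the 5000-entry cap and every name below are assumptions made here, and the sample block is constructed filler, not real ciphertext.

```python
import hashlib
import re
from dataclasses import dataclass

HOUR = 3600
BASE_RETENTION = 23 * HOUR  # "perhaps 23 hours" after the most recent receipt
DUPE_PENALTY = 12 * HOUR    # "say, 12 hours for each dupe received"

ARMOR = re.compile(
    r"-----BEGIN PGP MESSAGE-----(.*?)-----END PGP MESSAGE-----", re.DOTALL)

# Constructed sample: the base64 line is filler, not real ciphertext.
SAMPLE_BLOCK = """-----BEGIN PGP MESSAGE-----
Version: 2.6.2

hIwDQ09OU1RSVUNURUQtU0FNUExFLU5PVC1SRUFMLUNJUEhFUlRFWFQtQkxPQ0s=
=AAAA
-----END PGP MESSAGE-----"""


def fingerprint(mail_body):
    """Hash only the armored ciphertext, so text added around it is ignored.

    Returns a hex digest, or None when the mail carries no armored block.
    """
    match = ARMOR.search(mail_body)
    if match is None:
        return None
    # Undo reply quoting ("> ") and trailing whitespace on every line.
    lines = [ln.lstrip("> \t").rstrip() for ln in match.group(1).splitlines()]
    lines = lines[1:]  # remainder of the BEGIN line
    # Armor headers (Version:, Comment:) end at the first blank line.
    if "" in lines:
        lines = lines[lines.index("") + 1:]
    # Drop blank lines and the "=XXXX" armor checksum line.
    payload = "".join(ln for ln in lines if ln and not ln.startswith("="))
    if not payload:
        return None
    return hashlib.sha256(payload.encode("ascii", "ignore")).hexdigest()


@dataclass
class Entry:
    expires_at: float
    dupes: int = 0


class DuplicateFilter:
    """Stores digests only, never message text or sender addresses."""

    def __init__(self, max_entries=5000):
        self.max_entries = max_entries  # "the last few thousand hashes"
        self.seen = {}                  # digest -> Entry

    def should_forward(self, mail_body, now):
        """Return True to forward, False to discard as a duplicate."""
        digest = fingerprint(mail_body)
        if digest is None:
            return True  # no ciphertext block: outside this filter's scope
        # Forget every hash whose retention period has run out.
        for old in [d for d, e in self.seen.items() if e.expires_at <= now]:
            del self.seen[old]
        entry = self.seen.get(digest)
        if entry is None:
            if len(self.seen) >= self.max_entries:
                # Evict the entry closest to expiry, so heavily penalized
                # hashes are the last to be pushed out of the table.
                soonest = min(self.seen, key=lambda d: self.seen[d].expires_at)
                del self.seen[soonest]
            self.seen[digest] = Entry(expires_at=now + BASE_RETENTION)
            return True
        # Duplicate: restart the clock and add 12 hours per dupe seen so far.
        entry.dupes += 1
        entry.expires_at = now + BASE_RETENTION + entry.dupes * DUPE_PENALTY
        return False

    def blocked_until(self, mail_body):
        """Time at which this ciphertext would be accepted again, or None."""
        entry = self.seen.get(fingerprint(mail_body))
        return entry.expires_at if entry else None


if __name__ == "__main__":
    flt = DuplicateFilter()
    last = 0
    for i in range(100):  # 100 copies of the canned block within one day
        last = i * 864
        flt.should_forward("me too!\n" + SAMPLE_BLOCK, last)
    days = (flt.blocked_until(SAMPLE_BLOCK) - last) / (24 * HOUR)
    print(f"duplicates refused for {days:.1f} more days")
```

Because only the armored block is hashed, a copy with extra lines added around it, or quoted with "> ", still matches; a message that has been re-encrypted produces a different digest and is forwarded.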
From wilcoxb at nagina.cs.colorado.edu Fri Jan 12 16:34:47 1996
From: wilcoxb at nagina.cs.colorado.edu (Bryce)
Date: Sat, 13 Jan 1996 08:34:47 +0800
Subject: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com
In-Reply-To:
Message-ID: <199601130017.RAA20992@nagina.cs.colorado.edu>

-----BEGIN PGP SIGNED MESSAGE-----

An entity calling itself ABostick allegedly wrote:
>
> Somebody, too clever for their own good by half, has come up with a
> novel way of using Usenet and anonymous remailers to perpetrate
> mailbombs. The M.O. is to post a message to the naked-lady newsgroups
> saying "get pics in your mailbox! send this message to this address!),
> giving the email address of a cypherpunk-style anonymous remailer and
> including a pgp-encrypted message block.
>
> Cypherpunks: is there any way to respond to, or prevent, this sort of
> attack short of actually shutting down the remailer?
>
> What comes to my mind is the remailer operator grepping for a character
> string of ASCII-armored cyphertext from the known attack message and
> throwing messages containing it into the bit-bucket. It is highly
> unlikely that this would appear in any message except the attack
> message. The problem with this is that it works only for a known attack
> message -- it can shut down an ongoing attack, but it can't prevent new
> ones.

You could have remailers clamp down on multiple copies of the same message, but that is easily countered by convincing the UseNet stupes to insert their e-mail address or something. In general there is no way to prevent this kind of mail-bombing without compromising anonymity.

By the way Alan--your message failed PGP verification. I received it by way of Bob Hettinga's "e$pam" list. While Hettinga gets double-plus good points for content, his technical performance as a list operator is lacking. Which is to say: the message might have gotten munged by the "e$pam" list processor.
Regards, Bryce PGP sig follows -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01 iQCVAwUBMPb5w/WZSllhfG25AQGtPwQAgoxim084bbBkXIQyhePSY63HttrqFZg9 JGJjbKBMc6fHgI+gylEEAhl75wVUgq5jKPJcHVfY23XVS4wfPRu+CIx8uHhVm9xB limA3BUscRutWsSXXe+tkKtyA97xUjpAMHpaE729pGeRForHEdpkRFb5jC3DjofX lNpRuRQ9+VE= =CyXg -----END PGP SIGNATURE----- From editor at cdt.org Fri Jan 12 16:38:22 1996 From: editor at cdt.org (editor at cdt.org) Date: Sat, 13 Jan 1996 08:38:22 +0800 Subject: CDT Policy Post No.34 - Victory for Zimmermann, Fundamental Privacy Issues Remain Message-ID: Apologies to those of you who are also on the CDT Policy Post distribution list, but I felt that this issue was sufficiently important to cc to the cypherpunks list. Hope you find this relevant, Jonah Seiger CDT editor ------------------------------------------------------------------------ ****** ******** ************** ******** ********* ************** ** ** ** *** POLICY POST ** ** ** *** ** ** ** *** January 12, 1996 ** ** ** *** Number 34 ******** ********* *** ****** ******** *** ------------------------------------------------------------------------ A briefing on public policy issues affecting civil liberties online ------------------------------------------------------------------------ CDT POLICY POST Number 34 January 12, 1996 CONTENTS: (1) A Victory for Phil Zimmermann, Fundamental Privacy Issues Remain (2) Press Release Announcing DOJ's Decision to Drop Case (3) Subscription Information (4) About CDT, Contacting Us This document may be re-distributed freely provided it remains in its entirety. 
Excerpts may be re-posted by permission (editor at cdt.org) ------------------------------------------------------------------------ (1) VICTORY FOR ZIMMERMANN, FUNDAMENTAL PRIVACY ISSUES REMAIN After 3 years of investigation, the United States Department of Justice Thursday (1/11) announced that it would not seek an indictment of Phil Zimmermann, the author of the widely popular encryption program known as Pretty Good Privacy (PGP). While this development is obviously good news for Zimmermann, who was the undeserved target of a long and arduous investigation, criminal threats against those who seek to protect their privacy remain in place. The Justice Department had been investigating Zimmermann for possible violations of Arms Control Regulations after PGP was posted to Usenet newsgroups and subsequently distributed through the worldwide Internet in the spring of 1991. CDT wishes to extend heartfelt congratulations to Phil, who has demonstrated remarkable patience and perseverance in the face of harassment and intimidation by the Federal Government. Instead of laying low and waiting for the outcome of the investigation, Phil took the offensive and became the leading figure in the effort to provide easy to use, strong cryptographic applications to the masses. CDT hopes that Phil will remain active in the fight to encourage the relaxation of export restrictions and access to strong cryptography. FUNDAMENTAL ISSUES REMAIN -- EXPORT OF STRONG CRYPTOGRAPHY STILL PROHIBITED, FUTURE PROSECUTIONS OF CRYPTOGRAPHERS BY THE FEDERAL GOVERNMENT STILL POSSIBLE Although the announcement by the Justice Department is a tremendous personal victory for Phil Zimmermann, government restrictions on encryption exports remain firmly in place. As such, the current Administration policy is a major roadblock to privacy and security, as well as the future of commerce, on the Internet.
The Clinton Administration continues to push for a national cryptography policy based on key-escrow and limited key lengths. In addition, the Administration's current policy proposal seeks to use export controls as a means to influence the domestic marketplace for cryptographic applications. The decision to drop the case against Zimmermann also leaves unresolved the question of whether posting materials on the Internet could result in the violation of export control regulations. Although Zimmermann's defense was based in part on the argument that the First Amendment protects such postings, that question remains unaddressed. As a result, developers of strong cryptographic applications who make their programs available on the Internet may in the future face harassment and indictments from the Federal Government. This issue is currently pending before Federal Judges in the Karn and Bernstein cases. BACKGROUND ON THE DISPUTE The export of cryptographic applications with key lengths above 40 bits is currently illegal under the International Trafficking in Arms Regulations (ITAR). The Government maintains that these restrictions are necessary in order to protect national security, and has successfully fought efforts to repeal or relax the export controls (including efforts by fmr. Rep. Maria Cantwell (D-WA) in 1994). Privacy advocates and the computer hardware and software industry argue that the export controls stifle the development of strong cryptography both domestically and internationally, undermining privacy and security on the global information infrastructure. When Zimmermann published PGP in 1990, it was among the first widely available and relatively easy to use cryptographic applications, and for the first time provided the average citizen with the ability to protect sensitive information on the relatively insecure Internet. In the eyes of the Government however, PGP represented a threat to national security and law enforcement.
Although the government has announced that it will not prosecute Zimmermann, government efforts to restrict the distribution of strong cryptography will no doubt continue. As privacy advocates, we must not allow Zimmermann's victory to conceal the larger issues. Privacy, security, and commerce on the Internet remain hostage to export restrictions, the National Security Agency, and Clinton Administration efforts to impose an unworkable key-escrow regime. For more information on the Administration's current cryptography policy initiative and what CDT is doing to fight it, visit CDT's cryptography issues web page. URL:http://www.cdt.org/crypto.html For More Information Contact: Daniel J Weitzner, Deputy Director Center For Democracy and Technology +1.202.637.9800 ----------------------------------------------------------------------- (2) DOJ PRESS RELEASE ANNOUNCING THE DECISION TO DROP THE ZIMMERMANN CASE United States Attorney Northern District of California ______________________________________________________________________ San Jose Office (408) 535-5061 280 South First Street, Suite 371 San Jose, California 95113 FAX: (408) 535-5066 PRESS RELEASE FOR IMMEDIATE RELEASE January 11, 1995 Michael J. Yamaguchi, United States Attorney for the Northern District of California, announced today that his office has declined prosecution of any individuals in connection with the posting to USENET in June 1991 of the encryption program known as "Pretty Good Privacy." The investigation has been closed. No further comment will be made by the U.S. Attorney's office on the reasons for declination. Assistant U.S. Attorney William P. Keane of the U.S. Attorney's Office in San Jose at (408) 535-5053 oversaw the government's investigation of the case.
------------------------------------------------------------------------ (3) SUBSCRIPTION INFORMATION CDT Policy Posts, which is what you have just finished reading, are the regular news publication of the Center For Democracy and Technology. CDT Policy Posts are designed to keep you informed on developments in public policy issues affecting civil liberties online. In order to subscribe to CDT's Policy Post list, send mail to policy-posts-request at cdt.org with a subject: subscribe policy-posts If you ever wish to remove yourself from the list, send mail to the above address with a subject of: unsubscribe policy-posts ----------------------------------------------------------------------- (4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. The Center's mission is to develop and advocate public policies that advance constitutional civil liberties and democratic values in new computer and communications technologies. Contacting us: General information: info at cdt.org World Wide Web: URL:http://www.cdt.org/ FTP URL:ftp://ftp.cdt.org/pub/cdt/ Snail Mail: The Center for Democracy and Technology 1001 G Street NW * Suite 500 East * Washington, DC 20001 (v) +1.202.637.9800 * (f) +1.202.637.0968 ----------------------------------------------------------------------- End Policy Post No. 34 1/12/96 ----------------------------------------------------------------------- From cp at proust.suba.com Fri Jan 12 16:40:53 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Sat, 13 Jan 1996 08:40:53 +0800 Subject: Zimmermann case is dropped. In-Reply-To: Message-ID: <199601121722.LAA04179@proust.suba.com> > "This decision shouldn't be interpreted as meaning > anything. I caution people against concluding the > Internet is now free for export." PRZ's experience underscores the importance of support from large institutions like MIT and AT&T. 
It's a lot easier to push around an individual who doesn't have a lot of money or clout than it is to push around MIT. We need a large sponsor who is willing to run a more ambitious crypto archive. If an institution like MIT hosted a more generalized site where people could distribute code, it would go a long way towards thawing out the chill the government's managed to create by harassing PRZ. I know it took a lot of negotiating for MIT to set up the PGP distribution site. But now that they've provided a home for PGP, how much more risk would they be taking on if they added other crypto software to the archive? Would exporting other crypto software violate ITAR more significantly than exporting PGP would? The government's policy doesn't prevent crypto from spreading around the world, but it does discourage a lot of people from distributing code they've written or modified. That's the point of the policy, and from their point of view it's probably a big success. It would be a big win if we could come up with a system that would allow anyone to contribute code in relative safety. It would be the difference between having a lot of hand waving discussions about protocols and developing real tools. The groundwork is already there -- good crypto libraries exist. There's a lot of interest. We'd probably see an explosion of ideas and code if people weren't being intimidated. Even though it's possible for almost anyone to set up an archive that imposes the same sorts of rules as the MIT archive on downloaders, it's not the same thing. If Alice puts code up in MIT's archive, it's hard for the government to come at Alice without taking on MIT at the same time. Alice didn't export the code; she gave it to MIT. If they come after MIT, they know it will lead to lots of press coverage. People pay attention to what MIT has to say about technology, and if MIT says that it's important for people to be able to work on crypto code, it's going to carry a lot of weight.
If I put up an archive, they can grind me out with legal fees in no time at all; MIT isn't so vulnerable to that kind of an attack.

The point of the government's policy is to create a chilling effect on development. That's what we ought to fight against. Our position is similar to that of a little kid in grade school who's getting beat up by a bully every day. We need to make friends with a big guy who can keep the bully off our back.

From alano at teleport.com Fri Jan 12 16:41:29 1996
From: alano at teleport.com (Alan Olsen)
Date: Sat, 13 Jan 1996 08:41:29 +0800
Subject: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com
Message-ID: <2.2.32.19960113002203.00906fc0@mail.teleport.com>

At 10:25 PM 1/12/96 GMT, John Lull wrote:
>On Fri, 12 Jan 1996 10:55:12 -0800, you wrote:
>
>> Cypherpunks: is there any way to respond to, or prevent, this sort of
>> attack short of actually shutting down the remailer?
>
>Yes, very simply.
>
>The remailer could calculate a hash for the body of each encrypted
>message received (the same portion which will be decrypted by PGP),
>tabulate the last few thousand hashes, and simply discard any messages
>with a duplicate hash. The target of the attack would receive only
>the first copy of the message.

I am afraid it is not that simple. Remember that the mailbombing consists of many, many horny little geeks responding to a single message. They are replying to the same message (and probably adding a few "me too!" lines), not mailing the same one over and over again.

Another idea would be to keep a md5 (or other) hash list of the reply block used and have a disabled list for such spam attacks. (Unfortunately this requires code, thus time.)

Pretty nasty variation on a "denial of service" attack. What next? Fake "David Rhodes does e-cash" messages with the target's e-mail address?
Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key
http://www.teleport.com/~alano/
"Is the operating system half NT or half full?"

From 72124.3234 at compuserve.com Fri Jan 12 16:43:48 1996
From: 72124.3234 at compuserve.com (Kent Briggs)
Date: Sat, 13 Jan 1996 08:43:48 +0800
Subject: p-NEW digital signatures
Message-ID: <960112182626_72124.3234_EHJ93-1@CompuServe.COM>

I've been experimenting with discrete logarithm digital signatures. Schneier describes a scheme called p-NEW on page 498 of "AP" (2nd ed). It has the advantage of not requiring an inverse calculation via the extended Euclid algorithm. The signature is shown as:

r=mg^(-k) mod p
s=k-r'x mod q

The verification equation is

m=(g^s)(y^r')r mod p

r'=r mod q. If p is a strong prime then q=p-1 and r'=r. The public key is y=g^x mod p. x is the private key. k is a random number less than q. m is the message being signed.

I'm confused about the negative k value in the r equation. This would lead to 1/g^k which is a fractional number. It seems the equation should be:

r=mg^(q-k) mod p

Or, I can rearrange both equations like this:

r=mg^k mod p
s=-k-rx mod p

To avoid using negative numbers in the mod function, I can calc s as:

s=q-((k+rx) mod q)

I tried this with some small integers and the numbers work out. The s calculation will be quick since there is no exponentiation. Most of the time spent in signing a message will be the r calculation. However, the verification equation [m=(g^s)(y^r)r mod p] has two exponentiation calculations and will take more time.

Since a message is only signed once but could be verified many times, I could precompute rg^s during the signing:

r=mg^k mod p
s=q-((k+rx) mod q)
z=rg^s mod p

s is discarded and the signature is r and z. The verification is:

m=zy^r mod p

This slows down the signing but speeds up the verification. Here's the $64K question: Does this compromise the signature's security?
Kent Briggs
kbriggs at execpc.com
CIS: 72124,3234

From liberty at gate.net Fri Jan 12 16:53:55 1996
From: liberty at gate.net (Jim Ray)
Date: Sat, 13 Jan 1996 08:53:55 +0800
Subject: PRZ grand jury - how about free accts for them...
Message-ID: <199601130041.TAA46336@osceola.gate.net>

-----BEGIN PGP SIGNED MESSAGE-----

patrick finerty wrote:

>it would be nice if someone (c2??) would offer dialup
>access for any members of the grand jury who wanted it.
>

and Professor Froomkin responded:

>sounds like jury tampering to me. a good way to go to jail quickly.
>
>A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
>Associate Professor of Law |
>U. Miami School of Law | froomkin at law.miami.edu
>P.O. Box 248087 | http://www.law.miami.edu/~froomkin
>Coral Gables, FL 33124 USA | It's warm here.

I agree with the Professor (although as a native Floridian, I dispute his .sig about it being warm here!:)) but AFAIK, and unless there are court orders to the contrary, members of the jury may speak freely *after* dismissal from grand jury duty. Our problem is finding them (which shouldn't be *too* hard, given the technology we have).

IMO, after the jury is dismissed we must _not_ contact them directly, but rather make it clear that we would be happy if they were to contact us. Hopefully, one of our journalist-types could manage this without yet-another article giving out the address. Presumably, grand-jurors who have carefully followed the court's instructions would have a bit of catch-up reading on the subject to do, thus giving us an opportunity for indirect contact with them.

I don't think that this would be illegal, but best to check with a real-lawyer, and perhaps research the issue a bit, since PRZ's case (supposedly) has "national security" overtones which could possibly cause a court to want to hush things.

JMR

From weld at l0pht.com Fri Jan 12 16:56:06 1996
From: weld at l0pht.com (Weld Pond)
Date: Sat, 13 Jan 1996 08:56:06 +0800
Subject: AP Article on Zimmerman Case
Message-ID:

http://www.boston.com/globe/ap/cgi-bin/retrieve?%2Fglobe%2Fapwir%2F011%2Fnat%2Faa040011

Excerpt for the web impaired:

``Zimmermann never exported Pretty Good Privacy, so the U.S. Attorney seemed to be missing the point. Unfortunately there still is no clear ruling from our government as to whether or not making software available on the Internet counts as exporting it,'' said Simson Garfinkel, who wrote a book about the program.

Zimmermann's supporters argued that without encryption, government could do widespread eavesdropping, perhaps for political reasons, scanning for words and phrases it considers subversive. They acknowledge that a few criminals may use programs like PGP to hide out in cyberspace, but believe that concern is outweighed by free speech and privacy rights.

``The case was part of the government effort to crack down on good technologies for privacy. We hope the government's decision signals a rethinking of federal policy in this very important area,'' said Marc Rotenberg of the Electronic Privacy Information Center in Washington, an on-line civil rights watchdog group.

Others see the 2-year investigation of Zimmermann as intimidation.

``It seems to me is that all the U.S. Attorney is saying is that they don't want the public relations nightmare of prosecuting Philip Zimmermann, but they still want everyone scared so that they won't exercise their Constitutional rights,'' Garfinkel said.
Weld Pond - weld at l0pht.com - http://www.l0pht.com/~weld
L 0 p h t H e a v y I n d u s t r i e s
Technical archives for the people - Bio/Electro/Crypto/Radio

From lull at acm.org Fri Jan 12 17:22:24 1996
From: lull at acm.org (John Lull)
Date: Sat, 13 Jan 1996 09:22:24 +0800
Subject: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com
In-Reply-To: <2.2.32.19960113002203.00906fc0@mail.teleport.com>
Message-ID: <30f70156.4588701@smtp.ix.netcom.com>

On Fri, 12 Jan 1996 16:22:03 -0800, Alan Olsen wrote:

> At 10:25 PM 1/12/96 GMT, John Lull wrote:
> >On Fri, 12 Jan 1996 10:55:12 -0800, you wrote:
> >
> >> Cypherpunks: is there any way to respond to, or prevent, this sort of
> >> attack short of actually shutting down the remailer?
> >
> >Yes, very simply.
> >
> >The remailer could calculate a hash for the body of each encrypted
> >message received (the same portion which will be decrypted by PGP),
> >tabulate the last few thousand hashes, and simply discard any messages
> >with a duplicate hash. The target of the attack would receive only
> >the first copy of the message.
>
> I am afraid it is not that simple. Remember that the mailbombing consists
> of many, many horny little geeks responding to a single message. They are
> replying to the same message (and probably adding a few "me too!" lines),
> not mailing the same one over and over again.

The specific attack referred to had an entire encrypted message, not just a reply block. Obviously this solution does not work if only a reply block is encrypted.

> Another idea would be to keep a md5 (or other) hash list of the reply block
> used and have a disabled list for such spam attacks. (Unfortunately this
> requires code, thus time.)

Even worse, it requires manual intervention for each attack unless you are willing to add reply blocks to the list based simply on the volume of messages using that reply block.
That could prevent the remailer network being overwhelmed, but is not likely to be seen as adequate by the target, who would likely still see the first several dozen messages before the specified threshold was reached.

There is another related solution for the attack using just a reply block, however. The final remailer could collect messages either using a given reply block, or addressed to a given address, if more than a few were received in a relatively short period of time. It could then forward the first half-dozen or so, along with a note that another X thousand messages were waiting, and asking if the intended recipient wanted them forwarded or trashed.

Unfortunately this would not prevent the remailer network from being overwhelmed.

Perhaps some combination of these solutions would be required -- rationing based on the reply block at each remailer, and collection & recipient notification at the final remailer.

From campbelg at limestone.kosone.com Fri Jan 12 17:26:22 1996
From: campbelg at limestone.kosone.com (Gordon Campbell)
Date: Sat, 13 Jan 1996 09:26:22 +0800
Subject: Mail to news gateways
Message-ID: <2.2.32.19960113011131.006dc0e0@limestone.kosone.com>

At 11:35 AM 1/12/96 -0800, you wrote:
>
>Could someone point me to a _current_ list of mail to news gateways?
>

From the help file for Private Idaho 2.6b:

You can get the most current USENET gateway information (as well as additional remailer info such as PGP keys) by:

E-mailing mg5n+remailers at andrew.cmu.edu (no subject or text in the message body required)

-----
Gordon R. Campbell, Owner - Mowat Woods Graphics
P.O. Box 1902, Kingston, Ontario, Canada K7L 5J7
Ph: (613) 542-4087 Fax: (613) 542-1139
2048-bit PGP key available on request.
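Added example, not part of any post in this archive: Kent Briggs's p-NEW message above, worked through in Python. It checks the quoted p-NEW equations and his rearranged form, then shows that the proposed (r, z) signature verifies for values computed from the public key alone, since m = z*y^r mod p can be solved for z without x. The toy parameters (p = 467, g = 2, x = 127) and all function names are constructed for this illustration.

```python
# Toy parameters (constructed): 467 is prime and 2 generates the whole
# multiplicative group mod 467, so q = p - 1 and r' = r as in the post.
P, G = 467, 2
Q = P - 1
X = 127               # private key x (constructed)
Y = pow(G, X, P)      # public key y = g^x mod p


def inv(a, p=P):
    """Modular inverse by Fermat's little theorem (p is prime)."""
    return pow(a, p - 2, p)


def inverse_is_q_minus_k(k):
    """g^(-k) mod p is the modular inverse of g^k, which equals g^(q-k)."""
    return inv(pow(G, k, P)) == pow(G, Q - k, P)


def sign_pnew(m, k):
    """p-NEW as quoted in the post: r = m*g^(-k) mod p, s = k - r*x mod q."""
    r = m * inv(pow(G, k, P)) % P
    s = (k - r * X) % Q
    return r, s


def sign_rearranged(m, k):
    """The post's rearrangement: r = m*g^k mod p, s = q - ((k + r*x) mod q)."""
    r = m * pow(G, k, P) % P
    s = Q - ((k + r * X) % Q)
    return r, s


def verify(m, r, s):
    """m == g^s * y^r * r mod p; the same check serves both signing forms."""
    return m % P == pow(G, s, P) * pow(Y, r, P) * r % P


def sign_precomputed(m, k):
    """The proposed speed-up: publish z = r*g^s mod p and discard s."""
    r, s = sign_rearranged(m, k)
    return r, r * pow(G, s, P) % P


def verify_precomputed(m, r, z):
    """Verification for the (r, z) form: m == z * y^r mod p."""
    return m % P == z * pow(Y, r, P) % P


def z_without_private_key(m, r, p, y):
    """Solve m = z*y^r mod p for z using public values only.

    In the (r, s) form the verifier recomputes g^s itself, so producing s for
    a chosen m and r means taking a discrete logarithm. Once z replaces
    r*g^s, nothing in the check depends on x or k any more.
    """
    return m * pow(pow(y, r, p), p - 2, p) % p


if __name__ == "__main__":
    m, k = 100, 213                       # constructed message and nonce
    print("p-NEW verifies:      ", verify(m, *sign_pnew(m, k)))
    print("rearranged verifies: ", verify(m, *sign_rearranged(m, k)))
    print("(r, z) verifies:     ", verify_precomputed(m, *sign_precomputed(m, k)))
    z = z_without_private_key(321, 5, P, Y)
    print("(r, z) with no key:  ", verify_precomputed(321, 5, z))
```
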
From campbelg at limestone.kosone.com Fri Jan 12 17:27:25 1996
From: campbelg at limestone.kosone.com (Gordon Campbell)
Date: Sat, 13 Jan 1996 09:27:25 +0800
Subject: PRZ "battle lost"
Message-ID: <2.2.32.19960113011159.006d3228@limestone.kosone.com>

-----BEGIN PGP SIGNED MESSAGE-----

At 12:00 PM 1/12/96 -0800, "Vladimir Z. Nuri" wrote:
>
>is there an alternative? yes, but it involves fewer lawyers than are
>in the US today.
>
>however I don't see lawyers as the problem, but a symptom of something
>deeper: the tendency of people to resort to legal action to settle
>even trivial disputes.

Very true. Up here (Canada), we have _much_ less of the "use the courts as a weapon of harassment" phenomenon. But, I don't believe we have a (much) lower percentage of lawyers than you do. It's part of the mindset. Somehow, over the course of several generations, you folks have become an entirely too litigious lot for your own good. The result is what PRZ just came through and the multitude of cases that the Church of Scientology is involved in.

How to fix it? Beats me. However, I think it will probably have to start with the judiciary. Justices from all levels of your court system will have to put their collective feet down and stop allowing this kind of nonsense. I don't know enough about the inner workings of the legal systems to know if this would be all that's needed. Perhaps some new legislation would also be required. Whatever happens, it can only be for the better.

In the meantime, could you get your damn lawyers off my tv? ;-) We don't let our lawyers do that. They've only been able to advertise at all in the last 10 years or so.

-----
Gordon R. Campbell, Owner - Mowat Woods Graphics
P.O. Box 1902, Kingston, Ontario, Canada K7L 5J7
Ph: (613) 542-4087 Fax: (613) 542-1139
2048-bit PGP key available on request.

From sameer at c2.org Fri Jan 12 17:33:16 1996
From: sameer at c2.org (sameer)
Date: Sat, 13 Jan 1996 09:33:16 +0800
Subject: Zimmermann case is dropped.
In-Reply-To: <199601121722.LAA04179@proust.suba.com>
Message-ID: <199601121726.JAA12197@infinity.c2.org>

> archive. If an institution like MIT hosted a more generalized site where
> people could distribute code, it would go a long way towards thawing out

ftp.csua.berkeley.edu is a pretty general archive. Too bad no one's maintaining it. (It's not really official, though, it's run by a student group, not the university.)

--
Sameer Parekh                    Voice:   510-601-9777x3
Community ConneXion              FAX:     510-601-9734
The Internet Privacy Provider    Dialin:  510-658-6376
http://www.c2.org/ (or login as "guest")    sameer at c2.org

From abostick at netcom.com Sat Jan 13 09:35:42 1996
From: abostick at netcom.com (Alan Bostick)
Date: Sat, 13 Jan 96 09:35:42 PST
Subject: Digital postage and remailer abuse (was Re: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com)
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

In article , shamrock at netcom.com (Lucky Green) wrote:

> I am not sure that postage would solve this problem. The geeks would
> individually pay for it. Still, nominal postage would solve a lot of the
> problems that plague remailnet.

Maybe I'm misunderstanding how using digital postage with remailers would work.
I was assuming that the postage stamp would be included *inside* the encrypted envelope, that what the remailer would do on receipt of mail would be: (a) decrypt the envelope; (b) validate the postage stamp; and (if the stamp is valid) (c) forward the message according to the now-decrypted instructions.

Using this model, if the perpetrator doesn't include a postage stamp, then the message is ignored. If the perp includes a stamp, the first horny net geek's message is relayed but subsequent ones get bounced for invalid postage.

If the message requires external postage (remailer processing cycle is process postage *before* decrypting envelope), then at the very least the horny net geeks have to get their own postage stamps, putting a step in the way of instant gratification. What's more, doing this would require *some* understanding of how the remailer network operates. One should never underestimate the degree of cluelessness present on the net, but knowing how to use remailers makes it more likely that somebody could recognize this as a mailbomb rather than a legitimate offer.

What's more, even external postage works to block this attack used with a chain of remailers, because the second remailer's stamp would have to be provided by the perpetrator, inside the encrypted envelope sent to the first one.

The very nature of this attack makes me wonder whether it would be worthwhile to implement a digital postage scheme for remailers that doesn't happen to be backed by real money. The remailers would continue to be free to use, and currency exchange hassles would be avoided, but many of the benefits of abuse prevention would be in place. So would the infrastructure to upgrade to pay-to-play remailers at a later date.

- --
Alan Bostick                 | He played the king as if afraid someone else
Seeking opportunity to       | would play the ace.
develop multimedia content.  |     John Mason Brown, drama critic
Finger abostick at netcom.com for more info and PGP public key

From tcmay at got.net Fri Jan 12 17:57:04 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 13 Jan 1996 09:57:04 +0800
Subject: Offshore Banks and Asset Protection
Message-ID:

At 8:57 PM 1/12/96, Rich Graves wrote:

>Every issue of The Economist (and I'm sure lots of other publications)
>has ads for this kind of thing.
>
>Anyone know a reference for ranking the "legitimacy" of these services
>and seminars? I'd assume that many of them are scams that will gladly
>take your money overseas, but you might never see it again.
>
>Probably follow up offline, because cpunk relevance is a bit tenuous.

I'll follow up on the list, because it's a topic of interest (or curiosity) to several, and I favor writing for the list.

I looked into "asset protection" [see note below] using offshore banks (Caribbean, Channel Islands, Europe, etc.), and bought a couple of books on this. And I subscribed to some Net newsletters. I'm not an expert, and have not chosen (yet) to "protect" my assets by moving them offshore.

I think the assumption that most of the ads in the back of "The Economist" are scams which will take your money is wrong. The banks will take your money, but most probably will return it on demand. And the seminar companies will in fact teach some things.

However, they may be "scams" in a gentle sense: they won't provide easy solutions that many of us will feel fully comfortable with. By this I mean that one is hit with dozens of competing claims, by reports that the IRS and FinCen are infiltrating these banks, that treaty negotiations will soon close these tax havens, and all sorts of stuff like this.
Things which do not inspire confidence. (In fact, the report that these back-of-the-Economist ads are "scams" is perhaps part of this disinformation/rumor campaign.)

Like a lot of things, it may all be clearer once one has actually gone ahead and done something with these offshore banks. I don't personally know anyone who has, which adds to my uncertainty.

[Note: Many advisors call their schemes "asset protection," rather than "tax sheltering" (or "tax evasion"). The idea is to put assets beyond the reach of tort judgments. For example, a doctor may fear the incredibly large "deep pockets" lawsuits that American society encourages, so he transfers a large fraction of his net worth to an offshore bank. He reports income from these assets to the IRS, so he is not a tax evader, just someone who has partially "judgment-proofed" himself (to use the term Duncan and Sandy use). This is not illegal, currently. Lots of issues to consider.]

--Tim May

We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From llurch at networking.stanford.edu Fri Jan 12 18:13:40 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 13 Jan 1996 10:13:40 +0800
Subject: Microsoft's papers on NT C2 thang
Message-ID:

[Oops, signature is only valid if the > 80 column line is preserved]

-----BEGIN PGP SIGNED MESSAGE-----

I'd appreciate it if someone could critique these papers for me, probably off the list.

[Note that 198.105.232.5 is just one of the IP addresses being load-balanced by www.microsoft.com.
The servers seem to crash a lot with the current Gibraltar beta, so if one IP address doesn't work (like .5 isn't responding to pings right now), try another and it will work.]

- -rich

- ---------- Forwarded message ----------
Date: 12 Jan 1996 11:22:38 -0600
From: Richard P. Bainter
Newgroups: comp.security.misc, alt.security, comp.os.ms-windows.networking.misc, comp.os.ms-windows.networking.windows, comp.os.ms-windows.nt.admin.networking
Subject: Re: Microsoft continues to mislead public about Windows security bugs (a bit long, with references)

In article , Rune Moberg wrote:
>>This is true. In fact NT was never C2-certified as any kind of network
>>server at all, but only as a standalone workstation.
>I read a statement made by MS, that it doesn't matter, because if NT is
>proved to be C2 secure in a standalone configuration, then it's secure
>on the network as well.

You believe everything MS tells you?! How naive.

>C2 security, AFAIK, also requires that the server is protected (controlled
>access). Once you have physical access to a machine, you could open it,
>put in a floppy or hard drive, and access anything you'd like to on the
>machine in question (with a disk editor, or with a fresh installation of
>the OS in question). At least that's the only way I can think of to break in
>on a NT Server.

Otay, let me see. The server is protected if you aren't hooked up to a network. That implies *nothing* about the fact when a network is plugged into it. If I'm sitting at the console and have to enter a password to do things, doesn't mean I have to enter one from the network when I mount the entire disk. (Even if that is not the true case.)

There are orange, red and blue books. This is all well pointed out on:

http://www.windows.microsoft.com/TechNet/boes/bo/winntas/technote/security.htm

What has Microsoft actually passed? I had heard it was only Orange book C2 and not Red book C2.
Microsoft also points it out on:

http://198.105.232.5/NTServer/c2bltn.htm

Ciao,

- --
Richard Bainter    Mundanely  |  OS Specialist - OMG/CSD
Pug                Generally  |  Applied Research Labs - U.Texas
pug at arlut.utexas.edu | pug at eden.com | {any user}@pug.net
Note: The views may not reflect my employers, or even my own for that matter.

From grafolog at netcom.com Sat Jan 13 10:48:30 1996
From: grafolog at netcom.com (Jonathon Blake)
Date: Sat, 13 Jan 96 10:48:30 PST
Subject: Digital postage and remailer abuse
In-Reply-To: <2.2.32.19960113061303.0068e1f8@arn.net>
Message-ID:

David:

On Sat, 13 Jan 1996, David K. Merriman wrote:

> snailmail; particularly if the remailers were able to issue 'books' of stamps.
> It might even be possible to have each remailer issue Estamps (tm) of
> different 'kinds', much as there are different postage stamp 'themes'.

I can see it now. The 1997 Scott Standard Estamp Catalog: Remailers of the World.

> Having different stamps from each remailer would also allow some means of
> tracking spammers and rip-off artists ("hmmm. an 'Elvis' Estamp. That came
> from hactic; let's see if they can tell us who they sold this book to.....")

OTOH, if hactic keeps records of who the stamps are sold to, that sort of defeats the anonymous nature of the remailers.

xan

jonathon
grafolog at netcom.com

**********************************************************************
*                                                                    *
*  Opinions expressed don't necessarily reflect my own views.        *
*                                                                    *
*  There is no way that they can be construed to represent           *
*  any organization's views.                                         *
*                                                                    *
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
*  ftp://ftp.netcom.com/pub/gr/graphology/home.html                  *
*                                                                    *
***********************************************************************

From abostick at netcom.com Fri Jan 12 19:12:40 1996
From: abostick at netcom.com (Alan Bostick)
Date: Sat, 13 Jan 1996 11:12:40 +0800
Subject: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

If "digital postage" is ever implemented, this sort of distributed-origin mailbomb-through-a-remailer would be stopped immediately. All the messages that the horny net geeks send would necessarily contain the same postage stamp, and the remailer would notice this right away -- and throw away messages containing the used postage stamp.

One more motivation for e$-like digital postage for remailers.

- --
Alan Bostick                 | He played the king as if afraid someone else
Seeking opportunity to       | would play the ace.
develop multimedia content.  |     John Mason Brown, drama critic
Finger abostick at netcom.com for more info and PGP public key

From bdolan at use.usit.net Fri Jan 12 19:12:44 1996
From: bdolan at use.usit.net (Brad Dolan)
Date: Sat, 13 Jan 1996 11:12:44 +0800
Subject: c4 cellphones
Message-ID:

Israeli news sources report:

PLO security authorities have prohibited the use of cellular telephones in public buildings. In addition, no person is permitted within 200 meters of Arafat's office with a cellular phone.

Paranoia abounds. How safe is *your* cellphone?
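Added example, not part of any post in this archive: the three remailer-side defenses discussed in this thread (John Lull's table of recent body hashes, the per-reply-block threshold with hold-and-notify, and Alan Bostick's single-use postage stamp) run against a constructed flood, to show which check stops which kind of traffic. The class, its parameters and the sample messages are hypothetical; SHA-256 stands in for the MD5 hash mentioned in the thread, and a real stamp would also need its issuer's signature checked.

```python
import hashlib
from collections import Counter, OrderedDict, defaultdict, deque


def digest(data: bytes) -> str:
    # The thread mentions MD5; SHA-256 is substituted here.
    return hashlib.sha256(data).hexdigest()


class RemailerFilter:
    """Hypothetical intake filter; this is not code from any real remailer."""

    def __init__(self, body_window=5000, block_limit=None,
                 block_period=3600, require_stamp=False):
        self.body_window = body_window      # "the last few thousand hashes"
        self.block_limit = block_limit      # messages per reply block per period
        self.block_period = block_period    # seconds
        self.require_stamp = require_stamp
        self.recent_bodies = OrderedDict()  # body hash -> None, oldest first
        self.block_arrivals = defaultdict(deque)
        self.held = defaultdict(list)       # reply-block hash -> held bodies
        self.spent_stamps = set()

    def accept(self, now, body, reply_block=None, stamp=None):
        """Return 'forward', 'hold' or a 'drop-...' verdict for one message."""
        # 1. Postage: a stamp is good for exactly one message.
        if self.require_stamp:
            if stamp is None:
                return "drop-no-stamp"
            stamp_id = digest(stamp)
            if stamp_id in self.spent_stamps:
                return "drop-spent-stamp"
            self.spent_stamps.add(stamp_id)

        # 2. Exact duplicates of a recently seen encrypted body are discarded.
        body_id = digest(body)
        if body_id in self.recent_bodies:
            return "drop-duplicate"
        self.recent_bodies[body_id] = None
        if len(self.recent_bodies) > self.body_window:
            self.recent_bodies.popitem(last=False)   # forget the oldest hash

        # 3. Too many messages through one reply block within the period:
        #    hold the excess until the recipient says forward or trash.
        if self.block_limit is not None and reply_block is not None:
            block_id = digest(reply_block)
            arrivals = self.block_arrivals[block_id]
            while arrivals and now - arrivals[0] > self.block_period:
                arrivals.popleft()
            arrivals.append(now)
            if len(arrivals) > self.block_limit:
                self.held[block_id].append(body)
                return "hold"
        return "forward"

    def pending(self, reply_block):
        """Count of held messages to report in the notice to the recipient."""
        return len(self.held[digest(reply_block)])


def simulate(filt, messages, spacing=10):
    """Feed (body, reply_block, stamp) tuples, one every `spacing` seconds."""
    verdicts = Counter()
    for i, (body, reply_block, stamp) in enumerate(messages):
        verdicts[filt.accept(i * spacing, body, reply_block, stamp)] += 1
    return verdicts


# Constructed traffic. IDENTICAL: one encrypted message resent 50 times.
# REPLIES: 50 different people answering through the same reply block, each
# adding a line of their own, all carrying the one stamp embedded in it.
BLOCK = b"constructed-reply-block"
STAMP = b"constructed-stamp-0001"
IDENTICAL = [(b"constructed encrypted body", None, None)] * 50
REPLIES = [(b"me too! (reply %d)" % i, BLOCK, STAMP) for i in range(50)]

if __name__ == "__main__":
    print("hash only, identical:", dict(simulate(RemailerFilter(), IDENTICAL)))
    print("hash only, replies:  ", dict(simulate(RemailerFilter(), REPLIES)))
    print("block limit of 6:    ", dict(simulate(RemailerFilter(block_limit=6), REPLIES)))
    print("stamp required:      ", dict(simulate(RemailerFilter(require_stamp=True), REPLIES)))
```

The body-hash table alone passes every reply because each body differs, which is the objection raised in the thread; the reply-block threshold and the spent-stamp check key on what the replies share.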
From holovacs at styx.ios.com Fri Jan 12 19:14:31 1996
From: holovacs at styx.ios.com (Jay Holovacs)
Date: Sat, 13 Jan 1996 11:14:31 +0800
Subject: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com
In-Reply-To:
Message-ID:

On Fri, 12 Jan 1996, zinc wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> regarding remailer spams:
>
> one way to prevent this sort of spamming is to put a cap on the number
> of messages that can be delivered to a given address. of course, an
> exception will have to be made for instances of chaining so that the
> number of messages allowed to be forwarded to another remailer is not
> limited.
>
> i'm trying to think of a scenario where this would not be a good
> thing. i suppose if somone was conducting an anonymous poll their
> address should not have a limit.
>
> i'm sure there are problems with a mesg quota system, but it does seem
> like an easy solution.
>

Unrelated legitimate messages may arrive after the 'limit ' has been reached.

Jay Holovacs
PGP Key fingerprint = AC 29 C8 7A E4 2D 07 27 AE CA 99 4A F6 59 87 90
(KEY id 1024/80E4AA05) email me for key

From mrm at netcom.com Fri Jan 12 20:06:10 1996
From: mrm at netcom.com (Marianne Mueller)
Date: Sat, 13 Jan 1996 12:06:10 +0800
Subject: Reminder, Jan 13 noon-6 p.m. Bay Area CA mtg
Message-ID: <199601130332.TAA27926@netcom20.netcom.com>

Name: monthly Bay Area Cypherpunks meeting
Date: Saturday January 13
Time: 12 p.m. - 6 p.m.
Spot: Sparcy's, Building 21, Sun Microsystems
Food: Bagels provided; feel free to bring lunch to munch

The agenda is still forming. So far, there are two speakers lined up to talk about Mark Twain ECash. (Lucky Green and Sameer.)

It might be interesting to have general discussions of ...

   CompuServe, where the censorship wave is going, and what to do in response

   Timing attacks on RSA algorithms

   So, can we all now band together and invest in PGP, The Company?

   What's needed in crypto APIs? What do you love or hate about current sets of APIs?
   (your favorite topic here ...)

See you tomorrow,
Marianne

p.s. directions to Sun's B21:

Take 101 South to Amphitheater Exit. Go to the end of the ramp and turn left on Charleston. This road is also known as Garcia. After about 1/3 mile, turn right onto the first city street on your right. In about 2 long blocks or so, you'll see purple signs for Building 21 of Sun Microsystems. The meeting is held in the cafeteria.

From shamrock at netcom.com Fri Jan 12 20:43:25 1996
From: shamrock at netcom.com (Lucky Green)
Date: Sat, 13 Jan 1996 12:43:25 +0800
Subject: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com
Message-ID:

At 18:22 1/12/96, Alan Bostick wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>If "digital postage" is ever implemented, this sort of
>distributed-origin mailbomb-through-a-remailer would be stopped
>immediately. All the messages that the horny net geeks send would
>necessarily contain the same postage stamp, and the remailer would
>notice this right away -- and throw away messages containing the used
>postage stamp.
>
>One more motivation for e$-like digital postage for remailers.

I am not sure that postage would solve this problem. The geeks would individually pay for it. Still, nominal postage would solve a lot of the problems that plague remailnet.

-- Lucky Green
PGP encrypted mail preferred.

From bdavis at thepoint.net Fri Jan 12 22:23:51 1996
From: bdavis at thepoint.net (Brian Davis)
Date: Sat, 13 Jan 1996 14:23:51 +0800
Subject: PRZ grand jury - how about free accts for them...
In-Reply-To:
Message-ID:

On Fri, 12 Jan 1996, Michael Froomkin wrote:

> sounds like jury tampering to me. a good way to go to jail quickly.

Probably not, especially once the grand jury's term has expired.

What the non-lawyers must realize, however, is that (in most cases) relatively little of a "grand jury investigation" is conducted before the grand jury.
It varies from case to case, and prosecutor to prosecutor, but gathering records using grand jury subpoenas (and reporting to the GJ that the records have been obtained), interviewing witnesses outside the GJ (and eventually summarizing the information when presenting a proposed indictment for consideration), is much more common.

There are various reasons for this: minimize the inconvenience to the members of the grand jury (if they had to hear every witness, productive or otherwise ...), limited available grand jury time, unnecessary creation of Jencks Act material (testimony of trial witnesses which must be turned over to the defense), and simple lack of time. Know that agents cannot be present in the GJ except when they are testifying (and only one witness is allowed at a time).

I, for example, have about 40 investigations going on for which I bear at least some responsibility. Most are conducted by the agents until they present the case to me for a final decision on whether to present a proposed indictment. Certain cases, of course, I am more involved in, and I would guess that the Mitnick investigation was one. But being more involved almost certainly doesn't mean bringing *every* witness to testify before the GJ.

So even if a grand juror told you everything that went on in a particular case, you would not know everything the investigators/prosecutors know.

EBD

From wilcoxb at nagina.cs.colorado.edu Sat Jan 13 14:28:10 1996
From: wilcoxb at nagina.cs.colorado.edu (Bryce)
Date: Sat, 13 Jan 96 14:28:10 PST
Subject: bad PGP signatures
In-Reply-To:
Message-ID: <199601132227.PAA28717@nagina.cs.colorado.edu>

-----BEGIN PGP SIGNED MESSAGE-----

An entity calling itself Bob Hettinga is alleged to have written:
>
> How 'bout this one, Bryce?
>
> ;-)

Yep. That one (mine, for those watching at home) verifies.
My first guess is that it is because my messages are formatted for 64 columns and all the other messages that are failing to verify (like:

To: mix-l at vishnu.alias.net, remailer-operators at c2.org, \
    cypherpunks at toad.com
Subject: New Mailing List (encrypted)
Date: Sat, 13 Jan 1996 13:42:49 -0600
From: John Perry

which just came through) are formatted for 80 or 79 or 78. Perhaps thumper is chewing on lines longer than 78 or 76 or something.

Just a guess.

Bryce

PGP sig (New! With cleartext timestamp!) follows
Sat Jan 13 15:26:48 MST 1996

From dubois at dubois.com Fri Jan 12 22:45:05 1996
From: dubois at dubois.com (Philip L. Dubois)
Date: Sat, 13 Jan 1996 14:45:05 +0800
Subject: News Release
Message-ID: <199601130542.WAA06898@teal.csn.net>

-----BEGIN PGP SIGNED MESSAGE-----

Yesterday morning, I received word from Assistant U.S. Attorney William Keane in San Jose, California, that the government's three-year investigation of Philip Zimmermann is over. Here is the text of Mr. Keane's letter to me:

"The U.S. Attorney's Office for the Northern District of California has decided that your client, Philip Zimmermann, will not be prosecuted in connection with the posting to USENET in June 1991 of the encryption program Pretty Good Privacy. The investigation is closed."

The U.S. Attorney also released this to the press:

"Michael J. Yamaguchi, United States Attorney for the Northern District of California, announced today that his office has declined prosecution of any individuals in connection with the posting to USENET in June 1991 of the encryption program known as "Pretty Good Privacy." The investigation has been closed.
No further comment will be made by the U.S. Attorney's Office on the reasons for declination. Assistant U.S. Attorney William P. Keane of the U.S. Attorney's Office in San Jose at (408) 535-5053 oversaw the government's investigation of the case." On receiving this news, Mr. Zimmermann posted this to the Cypherpunks list: - -----BEGIN PGP SIGNED MESSAGE----- My lead defense lawyer, Phil Dubois, received a fax this morning from the Assistant US Attorney in Northern District of California, William Keane. The letter informed us that I "will not be prosecuted in connection with the posting to USENET in June 1991 of the encryption program Pretty Good Privacy. The investigation is closed." This brings to a close a criminal investigation that has spanned the last three years. I'd like to thank all the people who helped us in this case, especially all the donors to my legal defense fund. Apparently, the money was well-spent. And I'd like to thank my very capable defense team: Phil Dubois, Ken Bass, Eben Moglen, Curt Karnow, Tom Nolan, and Bob Corn-Revere. Most of the time they spent on the case was pro-bono. I'd also like to thank Joe Burton, counsel for the co-defendant. There are many others I can thank, but I don't have the presence of mind to list them all here at this moment. The medium of email cannot express how I feel about this turn of events. -Philip Zimmermann 11 Jan 96 I'd like to add a few words to those of my client. First, I thank Mr. Keane for his professionalism in notifying us of the government's decision. It has become common practice for federal prosecutors to refuse to tell targets of investigations that the government has decided not to prosecute. I appreciate Mr.
Keane's courtesy. Let me add my thanks to the other members of the defense team-- Ken Bass in Washington D.C. (kbass at venable.com), Curt Karnow in San Francisco (karnow at cup.portal.com), Eben Moglen in New York (em21 at columbia.edu), and Tom Nolan in Palo Alto (74242.2723 at compuserve.com). Bob Corn-Revere in D.C. (rcr at dc1.hhlaw.com) was a great help on First Amendment issues. These lawyers are heroes. They donated hundreds of hours of time to this cause. Each is outstanding in his field and made a contribution that nobody else could have made. It has been an honor and a privilege to work with these gentlemen. Mr. Zimmermann mentioned a lawyer named Joe Burton (joebur at aol.com) of San Francisco. Mr. Burton deserves special mention. He represented another person who was under investigation. To have made this other person publicly known would have been an invasion of privacy, so we didn't. We still won't, but we can finally acknowledge Mr. Burton's enormous contribution. Whether we were getting paid or not, the rest of us at least received some public attention for representing Phil Zimmermann. Mr. Burton labored quietly on behalf of his client. He took the case pro bono and did an extraordinary job. He is a lawyer who exemplifies the finest traditions of the Bar and the highest standard of integrity. I am proud to know Joe Burton. The warriors at the Electronic Privacy Information Center (EPIC)-- Marc Rotenberg, David Sobel, and David Banisar-- and at the Electronic Frontier Foundation (EFF), Computer Professionals for Social Responsibility (CPSR), and the American Civil Liberties Union (ACLU) provided financial, legal, and moral support and kept the public informed. They continue to do so, and we all owe them thanks for it. Those members of the press who recognized the importance of this story and told the world about it should be commended. 
Undeterred by the absence of sex and violence, these reporters discussed the real issues and in so doing served the public well. Many other people, lawyers and humans alike, made invaluable contributions. My assistants Alicia Alpenfels, Suzanne Turnbull Paulman, and Denise Douglas and my investigator Eli Nixon kept us organized. Rich Mintz, Tom Feegel, and Nathaniel Borenstein of First Virtual put up a Web site and aggressively supported the Zimmermann Legal Defense Fund. Another site was built by Michael Sattler of San Francisco, and he and Dave Del Torto (also of S.F.) let me stay in their homes. Thanks also to MIT and The MIT Press: Hal Abelson, Jeff Schiller, Brian LaMacchia, Derek Atkins, Jim Bruce, David Litster, Bob Prior, and Terry Ehling. And there were many others. Finally, I offer my thanks to everyone who contributed to the Zimmermann Legal Defense Fund. People all over the world gave their hard-earned money to support not only Phil Zimmermann's defense but also the cause of privacy. It is impossible to be too pessimistic about our future when there are so many of you. Now, some words about the case and the future. Nobody should conclude that it is now legal to export cryptographic software. It isn't. The law may change, but for now, you'll probably be prosecuted if you break it. People wonder why the government declined prosecution, especially since the government isn't saying. One perfectly good reason might be that Mr. Zimmermann did not break the law. (This is not always a deterrent to indictment. Sometimes the government isn't sure whether someone's conduct is illegal and so prosecutes that person to find out.) Another might be that the government did not want to risk a judicial finding that posting cryptographic software on a site in the U.S., even if it's an Internet site, is not an "export". There was also the risk that the export-control law would be declared unconstitutional. 
Perhaps the government did not want to get into a public argument about some important policy issues: should it be illegal to export cryptographic software? Should U.S. citizens have access to technology that permits private communication? And ultimately, do U.S. citizens have the right to communicate in absolute privacy? There are forces at work that will, if unresisted, take from us our liberties. There always will be. But at least in the United States, our rights are not so much stolen from us as they are simply lost by us. The price of freedom is not only vigilance but also participation. Those folks I mention in this message have participated and no doubt will continue. My thanks, and the thanks of Philip Zimmermann, to each of you. From dlv at bwalk.dm.com Fri Jan 12 22:52:27 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sat, 13 Jan 1996 14:52:27 +0800 Subject: Next on "Geraldo": "Darkside Hackers in Love with their Trackers" In-Reply-To: Message-ID: tcmay at got.net (Timothy C. May) writes: > On this one I have to agree with Perry. Me too. :-) ObCrypto: I _finally_ received Schneier's 2nd edition today. Advertising someone you don't have ready to ship isn't nice. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From nobody at REPLAY.COM Fri Jan 12 22:56:51 1996 From: nobody at REPLAY.COM (Anonymous) Date: Sat, 13 Jan 1996 14:56:51 +0800 Subject: Zimmermann case is dropped. Message-ID: <199601121350.OAA20610@utopia.hacktic.nl> Julian Assange wrote: > >The more important point being missed of course that Phil has and no >doubt will continue to make certain elements of the U.S government >quite miserable indeed.
...and I'm sure they'll be watching VERY closely to see how version 3.0 will be distributed.... From dlv at bwalk.dm.com Fri Jan 12 22:57:33 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sat, 13 Jan 1996 14:57:33 +0800 Subject: Novel use of Usenet and remailers to mailbomb from In-Reply-To: <2.2.32.19960113002203.00906fc0@mail.teleport.com> Message-ID: Alan Olsen writes: ... > Pretty nasty variation on a "denial of service" attack. What next? Fake > "David Rhodes does e-cash" messages with the target's e-mail address? I've seen worse on soc.culture.*. :-) I think, an appropriate response for the victim would be to accept only digitally signed e-mail from people he wishes to receive e-mail from, and to junk all other e-mail (unsigned or from strangers). --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From jimbell at pacifier.com Sat Jan 13 14:59:48 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 13 Jan 96 14:59:48 PST Subject: News Release Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 11:37 PM 1/12/96 -0700, you wrote: [stuff from Phil Zimmermann deleted for space.] [other stuff by Dubois, Zimmermann's lawyer, deleted for space.] >There are forces at work that will, if unresisted, take from us our >liberties. There always will be. But at least in the United States, our >rights are not so much stolen from us as they are simply lost by us. The >price of freedom is not only vigilance but also participation. Those >folks I mention in this message have participated and no doubt will >continue. My thanks, and the thanks of Philip Zimmermann, to each of >you. Dear Mr. Dubois, Thank you for your efforts on the behalf of Phil Zimmermann. You are to be praised. However, you should recognize that at best, all you have done is to reduce the harm done to him (or would otherwise have been done to him), which admittedly is a good and right thing for you to have done. 
However, I refer you to the 1964 movie, "Dr. Strangelove," whose title character stated that "deterrence is the art of making the enemy FEAR to attack." In my opinion, we (the ordinary members of the public) cannot consider ourselves to have won this encounter until the REAL enemy here, the government employees who targeted Zimmermann, FEAR to attack ("legally" or otherwise) people like Zimmermann. Ask Mr. Zimmermann about my essay, or I'd be happy to email it to you. Sadly, he did not appreciate its simplicity and potential effectiveness, and maybe you won't either, but someday it may protect your freedom in ways you can't currently even imagine. Jim Bell From hallam at w3.org Sat Jan 13 15:02:31 1996 From: hallam at w3.org (hallam at w3.org) Date: Sat, 13 Jan 96 15:02:31 PST Subject: Theory Question: Why isn't RSA a 0-knowledge Proof In-Reply-To: <9601132108.AA19991@rpcp.mit.edu> Message-ID: <9601132301.AA12607@zorch.w3.org> Zero knowledge means that the recipient obtains no information that they could not have obtained without knowing the secret information corresponding to the key. If I authenticate myself to you by giving a signature on a nonce you chose you have obtained information that you could not have obtained otherwise. If it wasn't for the fact that it is IAP and you appear to be a grad student I might wonder about someone doing their course assignments via the net...
:-) Phill From adam at homeport.org Sat Jan 13 15:28:53 1996 From: adam at homeport.org (Adam Shostack) Date: Sat, 13 Jan 96 15:28:53 PST Subject: Boston talk on offshore banks In-Reply-To: <9601122001.AA18808@sulphur.osf.org> Message-ID: <199601132332.SAA26819@homeport.org> Rich Salz wrote: | I heard an ad on the radio for a free seminar on how to protect your assets | using off-shore banks. I forget who the speaker is, I think they're with | the English-Irish bank in Austria, or something like that. The thrust | was to save assets for when you retire and Social Security isn't there | for you. | Two dates, Jan 17 (Newton, MA) or Jan 18 (Burlington, MA). | Call 617 663 3299 for more info. "We're sorry, the number you've provided is invalid. Please check the number send your message again." :) I'd be interested in going, if anyone can get information. Nynex claims that that's not a valid listing. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From erc at dal1820.computek.net Fri Jan 12 23:50:45 1996 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Sat, 13 Jan 1996 15:50:45 +0800 Subject: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com In-Reply-To: <30f6de9e.28100489@smtp.ix.netcom.com> Message-ID: <199601130053.SAA31834@dal1820.computek.net> > The remailer could calculate a hash for the body of each encrypted > message received (the same portion which will be decrypted by PGP), > tabulate the last few thousand hashes, and simply discard any messages > with a duplicate hash. The target of the attack would receive only > the first copy of the message. That wouldn't keep the mailer from getting choked up pretty quickly, though, especially if it's on the end of a < T1 line.
-- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes From SudduthLM at SecureC2.com Sat Jan 13 00:14:37 1996 From: SudduthLM at SecureC2.com (Sudduth, Larry) Date: Sat, 13 Jan 1996 16:14:37 +0800 Subject: Reach out! Update 01 (CypherPurists trash this) Message-ID: (I know this is way off topic, but I wanted to apologize to all anyway for my last posting with the RTF crap in it. I tried unsuccessfully to correct the RTF problem as a result of previous list discourse, and fervently believe that it is fixed now. If not, I guess I'll find out about it. Anyway, thanks for your forbearance, and now for some noise.) The merchant must have been so impressed by the pent-up market demand for the "How to Beat and Kill Your Ex-Wife and an Unlucky Innocent . . . And Get Away With It" video, that the ordering procedure has been changed to a toll number. I'm sure the merchant desires potential customers to call collect, after all who in the world would pay money for the privilege of buying a product? I believe the new number is 0-818-879-0614, remember to say "operator" when prompted, so you can request a collect call. I have up to now always been greeted by a busy signal, so fear that I could have to validate the above number by calling the toll-free number (see original noise below) again. If one wants to directly dial the toll number, one can suppress one's phone number from being reported to the merchant via Caller ID by dialing *67 prior to the call, at least here in Bell Atlantic land. 
Check with your telco to be sure. (Interstate support for Caller ID is currently spotty so this could be a non-issue.) This strategy should be employed if one is leery of being on the receiving end of future direct mail campaigns offering products similar to the "How to Beat and Kill Your Ex-Wife and an Unlucky Innocent . . . And Get Away With It" video, just for discussing the particulars of the video with one of the merchant's staff. Direct mail campaigns target people who've previously inquired (and not necessarily bought) by phone. As an aside, I know y'all knew that your number (i.e., the number dialed from) is always reported to the recipient at an 800 number, and that this cannot be suppressed. After calling the toll-free number several times, I was able to write down the new telephone number for ordering the "How to Beat and Kill Your Ex-Wife and an Unlucky Innocent . . . And Get Away With It" video. It took several attempts because I kept encountering pens with no ink in them in my desk. The recording doesn't really describe the video at all, just refers to the oh-jay video. I haven't heard the actual title of the video, since I couldn't get through to a human at the merchant's telephone number. Since calling it the oh-jay video sounded so darned impersonal, I took a stab at a seemingly appropriate title. >William T. Rainbird wrote January 12, 1996 2:12 AM >I know this isn't a typical posting for this group, but I thought I'd >point out that O.J. Simpson has a video for sale, to further exploit his carnage. >You can buy it by dialing 1-800-OJTELLS 1-800-658-3557 it is a FREE CALL >(for you). I guess that means the MERCHANT PAYS for the calls, even if >NOTHING IS ORDERED... > >Please repost and tell your friends! -=-=-=-=-=-=-=-=-=-=-=-=-= SudduthLM at SecureC2.com The views expressed herein are the personal views of the author only, etc. y, etc. 
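
The duplicate-hash filter quoted in Ed Carp's reply earlier in this archive (hash the encrypted body, keep the last few thousand hashes, discard repeats), written out as an added example that is not part of any post here or of any remailer's code. SHA-256, the window size, and all function and class names are assumptions, and the sample messages are constructed stand-ins rather than real PGP output.

```python
import base64
import binascii
import hashlib
from collections import OrderedDict

BEGIN = "-----BEGIN PGP MESSAGE-----"
END = "-----END PGP MESSAGE-----"


def armored_payload(message: str) -> bytes:
    """Return the decoded bytes of the first PGP-armored block in a message.

    Hashing the decoded data instead of the armored text means re-wrapped
    lines or a changed Version:/Comment: header give the same digest.
    Raises ValueError when no complete, decodable block is present.
    """
    lines = [ln.strip() for ln in message.splitlines()]
    try:
        start = lines.index(BEGIN)
        stop = lines.index(END, start + 1)
    except ValueError:
        raise ValueError("no complete PGP MESSAGE block") from None
    body = lines[start + 1:stop]
    # Armor headers ("Key: value") end at the first blank line.
    if "" in body:
        body = body[body.index("") + 1:]
    # Skip the "=XXXX" checksum line; it is derived from the payload and
    # is not verified in this sketch.
    data = [ln for ln in body if ln and not (ln.startswith("=") and len(ln) == 5)]
    try:
        return base64.b64decode("".join(data), validate=True)
    except binascii.Error as exc:
        raise ValueError("armor body is not valid base64") from exc


class DuplicateFilter:
    """Remember the digests of the last `window` distinct encrypted bodies."""

    def __init__(self, window: int = 4096):
        self.window = window
        self.seen = OrderedDict()      # digest -> None, oldest first
        self.bytes_received = 0        # inbound load, duplicates included
        self.forwarded = 0
        self.discarded = 0

    def accept(self, message: str) -> bool:
        """Return True if the message should be processed, False if dropped."""
        self.bytes_received += len(message.encode())
        digest = hashlib.sha256(armored_payload(message)).digest()
        if digest in self.seen:
            self.discarded += 1
            return False
        self.seen[digest] = None
        if len(self.seen) > self.window:
            self.seen.popitem(last=False)   # forget the oldest digest
        self.forwarded += 1
        return True


def make_armored(payload: bytes, width: int = 64, comment: str = "") -> str:
    """Build a constructed sample message (placeholder bytes and checksum)."""
    b64 = base64.b64encode(payload).decode()
    wrapped = [b64[i:i + width] for i in range(0, len(b64), width)]
    headers = ["Version: 2.6.2"] + ([f"Comment: {comment}"] if comment else [])
    return "\n".join(
        ["To: someone@example.invalid", "", BEGIN, *headers, "", *wrapped, "=AAAA", END, ""]
    )


def demo():
    """Run four constructed messages through a small filter."""
    flt = DuplicateFilter(window=3)
    flood = bytes(range(200))                       # constructed stand-in body
    results = [
        flt.accept(make_armored(flood)),                         # first copy
        flt.accept(make_armored(flood)),                         # exact repeat
        flt.accept(make_armored(flood, width=76, comment="x")),  # re-wrapped repeat
        flt.accept(make_armored(b"different message body")),     # distinct body
    ]
    return results, flt


if __name__ == "__main__":
    results, flt = demo()
    print(results, flt.forwarded, flt.discarded, flt.bytes_received)
```

A duplicate is dropped only after the whole message has arrived, so `bytes_received` keeps growing during a flood, which is the limitation Ed Carp's reply points out.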
From doclulu at infobahnos.com Sat Jan 13 16:24:25 1996 From: doclulu at infobahnos.com (doclulu at infobahnos.com) Date: Sat, 13 Jan 96 16:24:25 PST Subject: (none) [httpd finding your identity] Message-ID: <199601140024.TAA20599@rizzo.infobahnos.com> -----BEGIN PGP SIGNED MESSAGE----- To: Rich Graves Cc: cypherpunks at toad.com Subject: Re: (none) [httpd finding your identity] At 11:28 96-01-12 -0800, you wrote: >On Fri, 12 Jan 1996, sameer wrote: > >> > > control what information is passed out to the other end. >> > > Specifically, I'd like http://anonymizer.cs.cmu.edu:8080/prog/snoop.pl >> > > to come up nearly blank.) >> > >> > We do not send the HTTP 'From:' header. I will look into where >> > they are getting the user name and location from. There is really >> > nothing I can do in the Navigator to stop them from getting your >> > IP address or DNS name. >> >> I beleive that it uses finger. If you really want to prevent >> people from finding out where you're coming from, use the >> anonymizer. Not at CMU? Don't worry. > >On most UNIX machines or a Mac or PC running most common talk clients? >Worry. Not just finger, but also identd will identify you. I think Eudora >Pro has an identd option, too. > >-rich > > On Win 3.1 using Netscape 1.22, you can improve your 'lack of output' by removing in the PREFERENCES menu: Your Name: Your Email: Your Organization: The bad side is that you cannot mail from Netscape without filling the Email entry with a valid Email address and putting an anonymous address (ex.:an123456 at anon.penet.fi) would cause http://anonymizer.cs.cmu.edu:8080/prog/snoop.pl to report your REAL hostname with your anonymous username (ex.:an123456 at myhost.com) so if privacy is a must and you cannot use the anonymizer, this could reduce your output to your computer type and operating system and your browser and version number. For my part, after removing my Email, it was all that was left (-: ( It will stay that way... 
) ------------------------------------------------------------------------- Eric Francoeur | E-Mail: doclulu at infobahnos.com | http://www.infobahnos.com/~doclulu | PGP Public key available at website | "One of the things Adolf Hitler and Bill Clinton have in common is that both were democratically elected leaders." -Dr. Dimitri Vuli 1995. From perry at vishnu.alias.net Sat Jan 13 16:25:57 1996 From: perry at vishnu.alias.net (John Perry) Date: Sat, 13 Jan 96 16:25:57 PST Subject: Subscribing to cypher-list Message-ID: <199601140022.SAA05143@vishnu.alias.net> -----BEGIN PGP SIGNED MESSAGE----- Hello Everyone, First, the response to the PGPdomo list has been better than I expected. But I see some clarification is required. 1. I have had several inquiries as to why the list is closed. Not having a good reason as to why, I've opened the list. Anyone can subscribe that wants to. 2. In order to subscribe, you must encrypt your subscription request to: majordomo at vishnu.alias.net. You will NOT be auto-subscribed if it isn't encrypted. That's the whole point of the security. Other than the encryption, the subscription method is the same as most majordomos. 3. Please send your subscription requests to cypher-list-request at vishnu.alias.net rather than majordomo at vishnu.alias.net. I was willing to add the subscriptions that failed by hand, but the number of requests has made this a time-consuming job. 4. What is the PGP public key for majordomo at vishnu.alias.net? It's available by anonymous FTP from vishnu.alias.net as ftp://vishnu.alias.net/pub/majordomo.pgp. I'm also listing the key below.
If you have any problems or questions, please feel free to send email to perry at vishnu.alias.net. John Perry - KG5RG - perry at vishnu.alias.net - PGP-encrypted e-mail welcome! Packet Radio - KG5RG at WA4IMZ.#SETX.TX.USA.NA WWW - http://www.alias.net PGP 2.62 key for perry at vishnu.alias.net is on the keyservers.
From stewarts at ix.netcom.com Sat Jan 13 00:34:37 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 13 Jan 1996 16:34:37 +0800 Subject: Zimmermann case is dropped. Message-ID: <199601120811.AAA25133@ix11.ix.netcom.com> Congratulations, Phil! And to all the EFF folks, Phil's lawyers, et al. At 07:00 PM 1/11/96 -0600, ecarp at netcom.com wrote: >Mike Godwin can speak to this a lot better than I can, but I believe that >by abandoning their case against PRZ, they have seriously weakened their >case against anyone else that they feel has violated the ITAR in a >similar manner - it's called "selective enforcement" and courts have been >taking a dim view of that sort of thing. They've weakened it far less than if they'd indicted Phil and lost, and they _would_ have lost if they'd had a trial. Indicting him would have done _him_ far more damage, of course, so I'm glad for his sake they dropped it. (Dan Bernstein may disagree on whether they'd lose, and his suit against the government is the next chance to test this in court.) Prosecuting Kelly Goen would have been far more interesting; they _might_ have been able to win something against him, though the statute of limitations is probably about to cover him. Meanwhile, they've demonstrated that you can tie up a person for years, and cause him to spend huge legal expenses, without being stopped by the Constitutional right to a speedy trial, and by not prosecuting they're preserving the powers of Fear, Uncertainty, and Doubt.
And while they've given PGP some extra publicity, they've also slowed down the adoption of high-quality privacy tools for several years; while they can't prevent hard-core privacy-addicts from getting it, they can make sure that it's not included in everybody's first computer for a couple of years at least, until they get Clipper 2 or Exon 3 or Freeh-base Wire Taps or _something_ in place. And they can always argue that "Well, the case against Phil didn't have quite enough direct evidence to prosecute, but we caught SAMEER and three of his customers Red-handed, and plan to prosecute those crypto-narco-anarco-porno-terrorist Commie-sympathizing Nazi-protecting Foreign-looking money-laundering EEEVIL conspirators from BERKELEY to the fullest extent of the law!*" and spend a couple of years harassing them, and then find another victim after that. Enough of those cases in a row could eventually annoy a judge or two, but if it gets them a few more years, it gets them a few more years. ==== * Oh, "and your little dog, too!" ==== #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "The price of liberty is eternal vigilance" used to mean us watching # the government, not the other way around.... From reagle at rpcp.mit.edu Sat Jan 13 16:56:01 1996 From: reagle at rpcp.mit.edu (Joseph M. Reagle Jr.) Date: Sat, 13 Jan 96 16:56:01 PST Subject: Theory Question: Why isn't RSA a 0-knowledge Proof Message-ID: <9601140057.AA21183@rpcp.mit.edu> At 06:01 PM 1/13/96 -0500, you wrote: > >Zero knowledge means that the recipient obtains no information that they could >not have obtained without knowing the secret information corresponding to the >key. > >If I authenticate myself to you by giving a signature on a nonce you chose you >have obtained information that you could not have obtained otherwise. Seems right enough. Still pondering though...
[1] If I (the signer) choose the series of messages to sign, this still demonstrates that I have a secret without telling you the secret (and without giving you the information you might have been fishing for..) You do get information you would not have been able to create otherwise, (whatever it is I choose to sign) ...but it doesn't matter if you wanted the information or not, what matters is that you got it??? You could get random information (entropy) as part of a protocol, would this destroy the 0-knowledge aspect as well (and make it merely a min-disclosure proof...?)) (if you aren't directly challenging me, there could be a replay or man in the middle attack or whatnot, but the man in the middle attack also applies to 0KP.) What I was thinking of, was a Hamiltonian cycle example: [2] where the person that wants to see the proof is getting information regarding the isomorphism between the various graphs... (For instance, say G is the real graph, Alice knows the path, and Bob wants proof that Alice knows it...) So in the first instance Alice produces H1 and shows it to Bob and proves it is isomorphic, in the second example she produces H2 and shows the cycle, in the third instance, she provides H3 and its isomorphism to G... Bob can then conclude that H1 and H2 are isomorphic... I'm not sure about this (this must be where I am in error) but I don't think Bob could have derived the fact easily (if it is plausible for him to believe H1~=H2 based on this protocol) that H1 and H2 are isomorphic without Alice's help here... So in this case, Bob picked up some info he would have not otherwise known for free (similar to the first example) even though this information isn't of any use to him with regard to the solution to G. >If it wasn't for the fact that it is IAP and you appear to be a grad student I >might wonder about someone doing their course assignments via the net... :-) The effect of the eggnog hasn't worn off and trying to vamp up...
_______________________ Regards, Is this true or only clever? -Augustine Birrell Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html reagle at mit.edu 0C 69 D4 E8 F2 70 24 33 B4 5E 5E EC 35 E6 FB 88 From jsw at netscape.com Sat Jan 13 17:22:40 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Sat, 13 Jan 96 17:22:40 PST Subject: (none) [httpd finding your identity] In-Reply-To: <199601140024.TAA20599@rizzo.infobahnos.com> Message-ID: <30F8596B.5611@netscape.com> The snoop program is using FTP to find out the user's e-mail address. The image on the page is an ftp: URL. Our FTP code was sending the user's e-mail address as the password for anonymous FTP, which is usually requested by FTP sites. The perl script was waiting for the FTP to happen, and then looking at its log to figure out the email address. I've removed the code that uses the e-mail address as the FTP password for anonymous FTPs. You can still enter it by hand by using a URL of this form 'ftp://anonymous at ftp.netscape.com'. This will cause the navigator to prompt the user for the password to send for anonymous. This is a little known feature that will also allow users to access non-anonymous ftp accounts via netscape. The fix for this will be in the next beta, and the final version of 2.0. --Jeff doclulu at infobahnos.com wrote: > To: Rich Graves > Cc: cypherpunks at toad.com > Subject: Re: (none) [httpd finding your identity] > > At 11:28 96-01-12 -0800, you wrote: > > >On Fri, 12 Jan 1996, sameer wrote: > > > >> > > control what information is passed out to the other end. > >> > > Specifically, I'd like http://anonymizer.cs.cmu.edu:8080/prog/snoop.pl > >> > > to come up nearly blank.) > >> > > >> > We do not send the HTTP 'From:' header. I will look into where > >> > they are getting the user name and location from. There is really > >> > nothing I can do in the Navigator to stop them from getting your > >> > IP address or DNS name. > >> > >> I believe that it uses finger.
If you really want to prevent > >> people from finding out where you're coming from, use the > >> anonymizer. Not at CMU? Don't worry. > > > >On most UNIX machines or a Mac or PC running most common talk clients? > >Worry. Not just finger, but also identd will identify you. I think Eudora > >Pro has an identd option, too. > > > >-rich > > > > > > On Win 3.1 using Netscape 1.22, you can improve your 'lack of > output' by removing in the PREFERENCES menu: Your Name: > Your Email: > Your Organization: > The bad side is that you cannot mail from Netscape without filling > the Email entry with a valid Email address and putting an anonymous address > (ex.:an123456 at anon.penet.fi) would cause > http://anonymizer.cs.cmu.edu:8080/prog/snoop.pl > to report your REAL hostname with your anonymous username > (ex.:an123456 at myhost.com) > so if privacy is a must and you cannot use the anonymizer, this could reduce > your output to your computer type and operating system and your browser and > version number. For my part, after removing my Email, it was all that was > left (-: ( It will stay that way... ) -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From gnu at toad.com Sat Jan 13 02:09:40 1996 From: gnu at toad.com (John Gilmore) Date: Sat, 13 Jan 1996 18:09:40 +0800 Subject: Shimomura on BPF, NSA and Crypto Message-ID: <9601130957.AA19298@toad.com> Tsutomu says the NSA is inept rather than inherently evil. I think he concluded this because they declined to fund his work. An ept and evil NSA would want Tsutomu on the payroll. Tsutomu's stealth version of the Berkeley packet filter did a lot more than modload into the kernel. He was paid by the Air Force to design one that could patch itself into SunOS kernels invisibly, even into kernels with no modload support at all. 
It had special code that would search through the kernel binary for references to the address of the Ethernet chip, and patch itself in during the very low level interrupt handling. It was highly optimized so it wouldn't show up by loading down the machine, and it did things like decrement the interrupt counter so that even the extra interrupts caused by running the Ethernet chip in 'receive every packet on the wire' mode wouldn't be visible. He talked about enhancements that would automatically forward packets of interest back out onto the Internet, so the whole shebang would hide in kernel memory, never visible to users, never running any processes or altering any files. Think of it as Digital Telephony wiretap technology for the Internet. The idea was to design something that you could run on a machine without the owner ever finding out about it. To break into that person's network. It's a tool customized for crackers. It's one of the tools that Mitnick was after when he broke into Tsutomu's machine. Tsutomu actually wrote and ran this stealth BPF code (as well as designing it) and got into a tiff with the Air Force. They wanted the code, not just the design paper they'd commissioned. He countered by offering to post the code to the net, with a copyright that let anyone EXCEPT the government use it, if they wouldn't pay him for the paper. I don't know how the situation was eventually resolved. Tsutomu has lots of glib rhetoric about how he just builds tools and they can be used for good or evil. This tool is custom-designed for evil. Maybe in wartime the Air Force will want to inflict evil on an opponent. Or maybe instead they'll pass it to a latter-day J. Edgar Hoover. Either way, it's evil. It doesn't become good when you inflict it on someone you dislike. -- John Gilmore gnu at toad.com -- gnu at eff.org Don't introduce that Tsutomu to your girlfriend. 
From graeme at chem2.chem.swin.edu.au Sat Jan 13 18:18:48 1996 From: graeme at chem2.chem.swin.edu.au (Graeme Cross) Date: Sat, 13 Jan 96 18:18:48 PST Subject: New! Improved! CryptoLib 1.1 now available. In-Reply-To: <199601131608.AA031019338@idea.sec.dsi.unimi.it> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sat, 13 Jan 1996, David Vincenzetti wrote: > > Announcing CryptoLib - Release 1.1 12/21/95 > > Jack Lacy, AT&T Bell Labs > > > > CryptoLib is a portable and efficient library of primitives > > for building cryptographic applications. It runs under most versions > > of Unix as well as DOS, Windows and Windows-NT (and 95). > > > > We are pleased to make CryptoLib source code available without charge > > to researchers and developers in the US and Canada. (Because of export > > restrictions on cryptographic software, we are only able to make the > > software available within the US and Canada to US and Canadian citizens > > and US permanent residents.) > > also available in Europe as: > > ftp://ftp.dsi.unimi.it/pub/security/crypt/math/cryptolib_1.1.tar.gz > > Ciao, > David > Australasian cypherpunks can also grab it from: ftp://chem2.chem.swin.edu.au/pub/security/cryptolib_1.1.tar.gz Cheers Graeme ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Graeme Cross Phone: (61 +3) 9214 8185 E-mail: graeme at chem2.chem.swin.edu.au PGP key: http://www.chem.swin.edu.au/~graeme/key.html -----BEGIN PGP SIGNATURE----- Version: 2.6.i iQB1AgUBMPhnRGAiycRwLbVJAQEE0AMAjF8rmvMqWTe9RMtsUi/pLBmJUMwmB+VR G17+r7XXq2cDwyRzhIkWkm6WImBNzo+jc5gdpepnpHfwpII1BxyQqxi159mJUxIp p6HwlKkHwx/WTo3Fe66QByL1kU1bli9m =o4Ra -----END PGP SIGNATURE----- From jya at pipeline.com Sat Jan 13 02:20:36 1996 From: jya at pipeline.com (John Young) Date: Sat, 13 Jan 1996 18:20:36 +0800 Subject: Zimmermann case is dropped. 
Message-ID: <199601121406.JAA26445@pipe4.nyc.pipeline.com> Responding to msg by nobody at REPLAY.COM (Anonymous) on Fri, 12 Jan 2:50 PM > ...and I'm sure they'll be watching VERY closely to >see how version 3.0 will be distributed.... AUSA William Keane in today's WSJ: "This decision shouldn't be interpreted as meaning anything. I caution people against concluding the Internet is now free for export." From markm at voicenet.com Sat Jan 13 18:21:16 1996 From: markm at voicenet.com (Mark M.) Date: Sat, 13 Jan 96 18:21:16 PST Subject: PGP replay attack Message-ID: -----BEGIN PGP SIGNED MESSAGE----- There has been some discussion on using replay attacks against PGP recently. However, a timestamp is stored in the signature packet and is signed along with the plaintext intended to be signed. This eliminates the need to include a timestamp in clear-signed data. Someone can still send a signed e-mail to a third party that was not the original recipient and make it appear as though the sender did actually send the message to the third party (e.g. Alice sends signed message to Bob; Bob sends message with faked headers signed by Alice to Carol; Carol believes Alice actually sent the message to her). Such an attack would have to be executed shortly after the message was originally clear-signed. However, including timestamps in text to be signed is not necessary. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMPhourZc+sv5siulAQHTTAP/XBlrV7nHd5pR9aTXr2Uk0M0fw4I6IjZZ xeCx++vuIjcQuo/k8xH9YvBbn+MuoE11xbVLD58xYbELuVSdMUzCQ1mpQMho8mzs O0ALr8dahq0N0Gl5kLwb97MzgJOgTwy6NSIK6883NCktAWJMsFoADpdzmDGWQbTc ZzXJ3w5OiAQ= =fWJb -----END PGP SIGNATURE----- -- finger -l markm at voicenet.com for PGP key http://www.voicenet.com/~markm/ Fingerprint: bd24d08e3cbb53472054fa56002258d5 Key-ID: 0xf9b22ba5 "The NSA can have my private key when they pry it from my cold, dead neurons."
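The Alice, Bob and Carol scenario from the "PGP replay attack" message above, worked through as an added Python example; it is not part of any list member's post. Toy textbook RSA stands in for PGP here, and the addresses, times, the one-hour freshness window and the "To:" first-line convention are all assumptions made for the illustration.

```python
"""Added illustration: what a signature with an embedded, signed timestamp
does and does not authenticate when a message is redelivered."""
import hashlib
import struct

# Toy textbook RSA built from two Mersenne primes. ASSUMPTION: a stand-in for
# Alice's PGP key; unpadded and far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)


def digest(body: str, signed_at: int) -> int:
    # The creation time is hashed together with the text, as the post says of
    # the PGP signature packet, so neither can be changed on its own.
    data = body.encode() + struct.pack(">I", signed_at)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(body: str, signed_at: int) -> dict:
    return {"signed_at": signed_at, "sig": pow(digest(body, signed_at), D, N)}


def signature_valid(body: str, packet: dict) -> bool:
    return pow(packet["sig"], E, N) == digest(body, packet["signed_at"])


def accept(message: dict, me: str, now: int, max_age: int = 3600,
           require_named_recipient: bool = False) -> str:
    """Recipient-side policy. Mail headers are never consulted: they lie
    outside the signature, so anyone relaying the message can rewrite them."""
    body, packet = message["body"], message["packet"]
    if not signature_valid(body, packet):
        return "reject: bad signature"
    age = now - packet["signed_at"]
    if age < 0 or age > max_age:
        return "reject: timestamp outside freshness window"
    if require_named_recipient:
        # Hypothetical convention: the signer names the addressee on the
        # first line of the signed text.
        first_line = body.splitlines()[0] if body else ""
        if first_line.strip().lower() != f"to: {me}".lower():
            return "reject: signed text names a different recipient"
    return "accept"


def redeliver(message: dict, new_to: str) -> dict:
    """Same body and signature packet, only the unsigned To: header differs."""
    copy = dict(message)
    copy["headers"] = dict(message["headers"], To=new_to)
    return copy


# Constructed sample data: addresses and the epoch time are invented.
T0 = 821_600_000
BOB, CAROL = "bob@example.org", "carol@example.org"


def make_message(body: str) -> dict:
    return {"headers": {"From": "alice@example.org", "To": BOB},
            "body": body, "packet": sign(body, T0)}


ALICE_TO_BOB = make_message("I agree to the terms we discussed.")
ALICE_TO_BOB_NAMED = make_message(f"To: {BOB}\nI agree to the terms we discussed.")


def demo() -> dict:
    to_carol = redeliver(ALICE_TO_BOB, CAROL)
    # Editing the timestamp to look fresh breaks the signature.
    edited = dict(to_carol, packet=dict(to_carol["packet"], signed_at=T0 + 86_000))
    named_to_carol = redeliver(ALICE_TO_BOB_NAMED, CAROL)
    return {
        # Ten minutes later the redelivered copy passes every check Carol has.
        "carol_soon": accept(to_carol, CAROL, now=T0 + 600),
        # A day later the signed timestamp gives it away.
        "carol_next_day": accept(to_carol, CAROL, now=T0 + 86_400),
        "timestamp_edited": accept(edited, CAROL, now=T0 + 86_400),
        # With the addressee inside the signed text, only Bob's copy passes.
        "bob_named": accept(ALICE_TO_BOB_NAMED, BOB, now=T0 + 600,
                            require_named_recipient=True),
        "carol_named": accept(named_to_carol, CAROL, now=T0 + 600,
                              require_named_recipient=True),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} {verdict}")
```

The signed timestamp bounds how long a redelivered copy stays plausible; it says nothing about who the message was addressed to unless the addressee is part of the signed text.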
Unknown From llurch at networking.stanford.edu Sat Jan 13 02:23:19 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 13 Jan 1996 18:23:19 +0800 Subject: Offshore Banks and Asset Protection) In-Reply-To: Message-ID: That's not what I wrote!!! :-) On Fri, 12 Jan 1996, Timothy C. May wrote: > I think the assumption that most of the ads in the back of "The Economist" > are scams which will take your money is wrong. The banks will take your > money, but most probably will return it on demand. And the seminar > companies will in fact teach some things. I did say "many," not "most," and I would assume that most if not all stuff that The Economist carries is completely legit. I'd been thinking of "other publications," such as the tax protester rags and my friend Clark's paper. > not inspire confidence. (In fact, the report that these > back-of-the-Economist ads are "scams" is perhaps part of this > disinformation/rumor campaign.) Yep, I'm just an FBI plant. (Yes, I know -- or rather assume -- that that's not what you meant.) Be careful of this paranoid stuff, even as a joke. The tax protester movement feeds on conspiracy BS. "The IRS knows that native born white Sovereign Citizens don't have to pay Federal taxes, but they've paid off all the Jew lawyers." There was a guy in misc.legal a while back making this so-called argument. People were actually sending him money, and not out of pity. Which is not to say that the guvmint isn't conspiring against us all, in the larger and some specific senses. Just not quite like that, and it's the wacky conspiracy theories that make otherwise intelligent people discard others. (Some people still don't believe in Watergate. *I* didn't believe the Feds could legally get a wiretap without a warrant until I was corrected here.) > Like a lot of things, it may all be clearer once one has actually gone > ahead and done something with these offshore banks. 
I don't personally know > anyone who has, which adds to my uncertainty. This falls under the category of Things That Only The Mega-Wealthy Clique (of all races, politics, and sexual colors) Know. Which is a category that shrinks more and more by the day. Some people actually used to believe in the Divine Right of Kings. We've come a long way, baby. Keep it up. -rich From nobody at REPLAY.COM Sat Jan 13 03:28:37 1996 From: nobody at REPLAY.COM (Anonymous) Date: Sat, 13 Jan 1996 19:28:37 +0800 Subject: DEC AltaVista Closer To Commercialization [NOISE] Message-ID: <199601131120.MAA03187@utopia.hacktic.nl> Digital's Samuel H. Fuller, VP of corporate research for Digital, and Alan Jennings, Digital's manager of advanced technology business development, also told Newsbytes that Alta Vista has "re-started its Web crawling," to add even more pages to the total of 60 million Web pages -- representing half of all pages on the Web -- that were already indexed by December 15, when the new "super spider" Web facility opened to the public. "And as Alta Vista took off as the fastest growing Web site, we have quadrupled the capacity of our AlphaServer 8400 system from two to eight processors, and doubled the memory," noted Fuller. This leaves a "factor of two headroom" in terms of both processing power and memory, meaning that a single 8400 system should be able to host and accommodate an index for the entire Web, the VP added. The Alta Vista site also uses a smaller Alpha server to house the "super spider" itself. As reported in Newsbytes on December 15, Jennings previously said that Alta Vista is able to search up to 2.5 million Web pages a day. Lycos, Alta Vista's closest competitor, had searched only 7 million Web pages up to that time, and the World Wide Web Worm about 3 million Web pages, in comparison to Alta Vista's 60 million pages, Newsbytes was told. 
Alta Vista's high search speeds are made possible by the ability of the super spider to algorithmically "breed" batches of smaller Web crawlers, together with the use of Alpha processing power and high-speed ATM (asynchronous transfer mode) networks, according to Jennings. Fuller and Jennings told Newsbytes this week that Digital is currently assessing Alta Vista usage patterns and the half dozen or so "business inquiries" received each day to decide where to take Alta Vista on a commercial basis. On Friday, December 15, Alta Vista received 300,000 hits, a number that grew to 600,000 on Monday, December 18, 1.5 million by Wednesday, December 20, and 2 million per day following the December holidays, according to Fuller. In earlier beta testing, some 10,000 users employed Alta Vista to look up references to themselves and their families, to locate old friends and college roommates, and to access market research, information about the Web, and facts about corporate travel destinations. Like their counterparts within Digital, many Web users among the public at large have been employing Alta Vista for genealogical search purposes, Jennings said. Alta Vista is also emerging as "a real solid research tool covering the breadth of the Web," he asserted. In addition to obtaining an index of all Web sites containing a specified search term, and being able to move to those sites through hotlinks, users can obtain "reasonably good information regarding the characteristics of Web sites," such as "how frequently (the sites) are referenced, and the number of pointers." You can also employ case-sensitive matches, and limit searches to titles or other specified sections of a document. Digital officials have been impressed by Web users' "ingenuity" in inventing applications for Alta Vista. One company, for example, wanted to get in touch with all other firms with links to its site, he illustrated.
Upon learning that Alta Vista is able to search for URLs (user resource locators), or pointers, the user conducted a URL search, and then proceeded to send out a broadcast e-mail message over the Internet to all linked sites. Business inquiries, he reported, have fallen into three main categories: users who want to use Alta Vista internally, license the search engine, or advertise their goods and services on the Alta Vista home page. "We'll start to make decisions on these within the next 30 days, and by the end of the quarter, (the decisions) will be part of our general business plans," Jennings told Newsbytes. "Digital is inching toward decisions on what they're going to do," pointed out Jim Green, an analyst at Summit Strategies. "Clearly, this Web site has met with astounding success. Alta Vista lets you start to make sense of the Internet. It makes you think about exactly what you want, because it will give you everything," the analyst told Newsbytes. "I see Alta Vista as a very useful tool for competitive analysis," observed Greg Kline, director, Network Integration and Management Research, at the Business Research Group (BRG). "I think that as Digital gets closer to finalizing their plans, they'll be speaking more about Alta Vista's most sophisticated search capabilities. And as Web servers become the corporate infrastructure through the "IntraNet," users will be seeing the need for a tool to index their information assets," Kline told Newsbytes. You can access the Alta Vista home page on the Web at http://www.digital.com . A.E.N. From cmerritt at intellinet.com Sat Jan 13 19:42:10 1996 From: cmerritt at intellinet.com (Charlie Merritt) Date: Sat, 13 Jan 96 19:42:10 PST Subject: exposure=deterence?
Message-ID: <199601140345.VAA26416@intellinet.com> jimbell at pacifier.com (Jim Bell) wrote in part: >In my opinion, we (the ordinary members of the public) cannot consider >ourselves to have won this encounter until the REAL enemy here, the >government employees who targeted Zimmermann There is a group of government employees that decided to put William Keane on this case. Someone(s) started sending customs agents around the country. Someone(s) is responsible for making several defenders of privacy miserable. These government employees SHOULD NOT be allowed to hide in their government holes in complete privacy. We need the credits now that the movie is over. How much money was spent? [FOI anyone?] I am afraid that all I could provide is the name of one Customs Special Agent. I don't think she is responsible for anything - she was told go interview so-and-so and off she goes. Who sent her? ---> How could we find out? <--- It seems correct that the NAMES of the government employees and HOW MUCH MONEY THEY SPENT be made public. Deterrent enough. I feel that public exposure is enough to put fear into these anonymous government employees. You will note that when they get the mad_bomber some FBI guy jumps right up and takes credit, live, on TV. But when the Air Force orders a $300 toilet seat NO ONE is credited. Boy! Am I pissed! ...cm From kolivet at alpha.c2.org Sat Jan 13 03:43:17 1996 From: kolivet at alpha.c2.org (kolivet at alpha.c2.org) Date: Sat, 13 Jan 1996 19:43:17 +0800 Subject: Mail to news gateways Message-ID: <199601121935.LAA01761@infinity.c2.org> Could someone point me to a _current_ list of mail to news gateways? - Kay Olivetti From jamesd at echeque.com Sat Jan 13 20:48:53 1996 From: jamesd at echeque.com (James A.
Donald) Date: Sat, 13 Jan 96 20:48:53 PST Subject: (none) [httpd finding your identity] Message-ID: <199601140447.UAA12493@blob.best.net> At 05:16 PM 1/13/96 -0800, Jeff Weinstein wrote: > I've removed the code that uses the e-mail address as the > FTP password for anonymous FTPs. You can still enter it by > hand by using a URL of this form 'ftp://anonymous at ftp.netscape.com'. > > [...] > > The fix for this will be in the next [netscape] beta, and the final > version of 2.0. Thank you. This excellent new feature is more important than you know. The FTC is threatening to regulate the net, and is using as its excuse the claim that advertisers will or are threatening to send junk email to people who browse their web pages. To protect the internet from this terrible threat they wish to regulate every computer that puts up a web page in a similar fashion to their regulation of TV and radio. This simple technical fix deprives the FTC of that excuse. It will have to concoct a new excuse. Unless someone deliberately configures their netscape browser to provide the information, no one can send them junk mail. > Jeff Weinstein - Electronic Munitions Specialist > Netscape Communication Corporation > jsw at netscape.com - http://home.netscape.com/people/jsw > Any opinions expressed above are mine. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From s1018954 at aix2.uottawa.ca Sat Jan 13 21:04:49 1996 From: s1018954 at aix2.uottawa.ca (s1018954 at aix2.uottawa.ca) Date: Sat, 13 Jan 96 21:04:49 PST Subject: Respect for privacy != Re: exposure=deterence? In-Reply-To: <199601140345.VAA26416@intellinet.com> Message-ID: My apologies for responding to a political post.
On Sat, 13 Jan 1996, Charlie Merritt wrote: > I feel that public exposure > is enough to put fear into these anonymous government employees. > You will note that when they get the mad_bomber > some FBI guy jumps right up and takes credit, live, on TV. > But when the Air Force orders a $300 toilet seat NO ONE is credited. It's interesting how we advocate anonymity for ourselves but not for our opponents. Feeling righteous? Reminds me of the bit from True Names about all the warlocks trying to crack each other's nyms to enslave each other. Sad? From droelke at rdxsunhost.aud.alcatel.com Sat Jan 13 21:21:00 1996 From: droelke at rdxsunhost.aud.alcatel.com (Daniel R. Oelke) Date: Sat, 13 Jan 96 21:21:00 PST Subject: Respect for privacy != Re: exposure=deterence? Message-ID: <9601140520.AA26619@spirit.aud.alcatel.com> > From: s1018954 at aix2.uottawa.ca > > My apologies for responding to a political post. > > On Sat, 13 Jan 1996, Charlie Merritt wrote: > > > I feel that public exposure > > is enough to put fear into these anonymous government employees. > > You will note that when they get the mad_bomber > > some FBI guy jumps right up and takes credit, live, on TV. > > But when the Air Force orders a $300 toilet seat NO ONE is credited. > > It's interesting how we advocate anonymity for ourselves but not for our > opponents. Feeling righteous? There is a *big* difference between anonymity for individuals, and anonymity for government officials acting in the name of the government. Government has no right to privacy. Individuals do. > Reminds me of the bit from True Names about all the warlocks trying to > crack each other's nyms to enslave each other. Sad? 
> ------------------------------------------------------------------ Dan Oelke Alcatel Network Systems droelke at aud.alcatel.com Richardson, TX From llurch at networking.stanford.edu Sat Jan 13 21:55:08 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 13 Jan 96 21:55:08 PST Subject: [noise] The economics of super-stars - partial cite In-Reply-To: Message-ID: On Sat, 13 Jan 1996, Simon Spero wrote: > This came up at the bay area cypherpunks meeting - I haven't got the full > citation, but the original paper was by Sherwin Rosen of the University of > Chicago; it was published in 1981, under the title "The Economics of > Superstars" - I think it might be in: > > TITLE: Studies in labor markets / edited by Sherwin Rosen. > PUBLICATION: Chicago : University of Chicago Press, 1981. > DESCRIPTION: ix, 395 p. ; 24 cm. > SERIES: Conference report / Universities--National Bureau > Committee for Economic Research ; no. 31 For another view suggesting that Rosen is himself dazzled by superstars, see The Other Path, by Hernando de Soto, ISBN 0-06-091640-0 (paperback) and 0-06-016020-9 (hard). This is the 260-page executive summary of a study of the "informal economy" in the major Peruvian cities. I think the expanded El otro sendero with statistical appendices is only available in Spanish. Title refers to Sendero Luminoso, a particularly bizarre Maoist cult that has been brutally repressed by Fujimori in recent years. De Soto argues that the masses are a lot smarter than most economists and governments think, that most humans are entrepreneurs, and that the informal economy serves people a lot better than either Fordist capitalism or a "communist" revolution. As if anyone has time to read such a thing. -rich From jsw at netscape.com Sat Jan 13 22:22:54 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Sat, 13 Jan 96 22:22:54 PST Subject: Respect for privacy != Re: exposure=deterence?
In-Reply-To: <199601140345.VAA26416@intellinet.com> Message-ID: <30F89FD6.1942@netscape.com> s1018954 at aix2.uottawa.ca wrote: > > My apologies for responding to a political post. > > On Sat, 13 Jan 1996, Charlie Merritt wrote: > > > I feel that public exposure > > is enough to put fear into these anonymous government employees. > > You will note that when they get the mad_bomber > > some FBI guy jumps right up and takes credit, live, on TV. > > But when the Air Force orders a $300 toilet seat NO ONE is credited. > > It's interesting how we advocate anonymity for ourselves but not for our > opponents. Feeling righteous? > > Reminds me of the bit from True Names about all the warlocks trying to > crack each other's nyms to enslave each other. Sad? There is a big difference between private citizens going about their private business, and government officials acting in an official capacity. One of the tools of a free society is government oversight. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From jamesd at echeque.com Sat Jan 13 22:28:15 1996 From: jamesd at echeque.com (James A. Donald) Date: Sat, 13 Jan 96 22:28:15 PST Subject: [noise] The economics of super-stars - partial cite Message-ID: <199601140628.WAA23934@blob.best.net> At 09:55 PM 1/13/96 -0800, Rich Graves wrote: > Title refers to Sendero Luminoso, a particularly bizarre Maoist cult that > has been brutally repressed by Fujimori in recent years. Your use of the word "brutal" in this context is a little odd. Since Sendero Luminoso are extraordinarily cruel terrorists and mass murderers, it is entirely proper and appropriate for Fujimori to attempt to physically exterminate them. Possibly what you meant to imply is that Fujimori failed to make adequate distinction between support for the political ideas of terrorists, and actual participation in terror.
--------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jcobb at ahcbsd1.ovnet.com Sat Jan 13 07:18:48 1996 From: jcobb at ahcbsd1.ovnet.com (James M. Cobb) Date: Sat, 13 Jan 1996 23:18:48 +0800 Subject: ITAR Re-write ? Message-ID: Friend, Bloomberg, the business news agency, reports 01 12 96: The U.S. Commerce Department will recommend easing export controls on encryption software after a study by the department and the National Security Agency found that American firms are being hurt.... The report's release came on the same day federal prosecutors dropped a three-year investigation...of...Philip Zimmermann.... The government study comes a week after [the Computer Systems Policy Project] released [its] own study showing ...American companies will lose [maybe $60 billion] in U.S. computer system sales expected in 2000.... The 13-member Project ...includes International Business Machines...and AT&T.... Perhaps the let-go of Zimmermann is less a triumph of right than of might? But economic might is not the only kind of might: [Easing export controls] may pit Brown's department against U.S. defense and spy agencies.... So... [Commerce Secretary] Brown said his department will prepare recommendations for easing [ITAR] controls that should be forwarded to the president "within a few months." Meaning: the 13 Project members should be prepared to pay through the nose in the runup to the '96 gala. And just so they get the big picture: It's unclear if the NSA, the super-secret eavesdropping agency, endorsed the Commerce Department's conclusions in the report it jointly prepared. The newsstory reports ...federal prosecutors dropped [the Zimmermann] investigation without explanation....
No explanation's required. One hostage was released. 13 others were taken. But the one release does afford the new hostages, who have deep pockets, some hope... Cordially, Jim NOTE. The newsstory's headline? COMMERCE'S BROWN PROPOSES REWRITE OF ENCRYPTION EXPORT CONTROLS. Its dateline? WASHINGTON (Jan 12, 1996 5:34 p.m. EST). Its Nando News online filename? biz6_1893.html From dan at milliways.org Sat Jan 13 07:22:11 1996 From: dan at milliways.org (Dan Bailey) Date: Sat, 13 Jan 1996 23:22:11 +0800 Subject: Reach out! Update 01 (CypherPurists trash this) Message-ID: <199601131511.PAA06506@pop01.ny.us.ibm.net> Regarding the *67 feature to disable Caller ID: This does not stop your ANI information from travelling with your call. It just sets the "privacy bit" to on. So standard consumer-grade Caller ID systems won't see your number. But if the user on the other end is receiving your call over a T1, they can use a Dialogic voice processing card to yield your ANI, even with the privacy bit set. A *much* better way to do this is the following: Dial the Operator. Ask him/her to dial the 800 number for you. This will result in your ANI being (000) 000-5555 (or at least that's what it does in Bell Atlantic land). I tested this a couple months ago using AT&T's 1-800-MY-ANI-IS service. I directly dialed 1-800-MY-ANI-IS and it read back my phone number. Then I had the operator dial it for me and got (000) 000-5555. This service doesn't work anymore, YMMV. Dan *************************************************************** #define private public dan at milliways.org Worcester Polytechnic Institute and The Restaurant at the End of the Universe *************************************************************** From jimbell at pacifier.com Sat Jan 13 23:50:58 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 13 Jan 96 23:50:58 PST Subject: Respect for privacy != Re: exposure=deterence? 
Message-ID: At 12:02 AM 1/14/96 -0500, s1018954 at aix2.uottawa.ca wrote: >My apologies for responding to a political post. > >On Sat, 13 Jan 1996, Charlie Merritt wrote: > >> I feel that public exposure >> is enough to put fear into these anonymous government employees. >> You will note that when they get the mad_bomber >> some FBI guy jumps right up and takes credit, live, on TV. >> But when the Air Force orders a $300 toilet seat NO ONE is credited. > >It's interesting how we advocate anonymity for ourselves but not for our >opponents. Feeling righteous? Maybe I don't understand your point, but... 1. Individual private citizens acting on their own deserve privacy and anonymity. 2. Government employees receiving paychecks based on tax dollars stolen from members of the public do not. 3. Individuals not harming others deserve privacy and anonymity. 4. Government employees threatening citizens with large fines and jail time, for doing what we consider right and good, do not. Get the picture? From sameer at c2.org Sat Jan 13 08:22:57 1996 From: sameer at c2.org (sameer) Date: Sun, 14 Jan 1996 00:22:57 +0800 Subject: (none) [httpd finding your identity] In-Reply-To: Message-ID: <199601121956.LAA04644@infinity.c2.org> I'm sorry, I wasn't clear. That's not what I meant. (All I can say at this time) > > On most UNIX machines or a Mac or PC running most common talk clients? > Worry. Not just finger, but also identd will identify you. I think Eudora > Pro has an identd option, too. > > -rich > -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From vince at dsi.unimi.it Sat Jan 13 08:32:42 1996 From: vince at dsi.unimi.it (David Vincenzetti) Date: Sun, 14 Jan 1996 00:32:42 +0800 Subject: New! Improved! CryptoLib 1.1 now available. 
Message-ID: <199601131608.AA031019338@idea.sec.dsi.unimi.it> > Announcing CryptoLib - Release 1.1 12/21/95 > Jack Lacy, AT&T Bell Labs > > CryptoLib is a portable and efficient library of primitives > for building cryptographic applications. It runs under most versions > of Unix as well as DOS, Windows and Windows-NT (and 95). > > We are pleased to make CryptoLib source code available without charge > to researchers and developers in the US and Canada. (Because of export > restrictions on cryptographic software, we are only able to make the > software available within the US and Canada to US and Canadian citizens > and US permanent residents.) also available in Europe as: ftp://ftp.dsi.unimi.it/pub/security/crypt/math/cryptolib_1.1.tar.gz Ciao, David From don at cs.byu.edu Sat Jan 13 08:45:48 1996 From: don at cs.byu.edu (Don M. Kitchen) Date: Sun, 14 Jan 1996 00:45:48 +0800 Subject: Mail to news gateways In-Reply-To: <2.2.32.19960113011131.006dc0e0@limestone.kosone.com> Message-ID: > At 11:35 AM 1/12/96 -0800, you wrote: > > > >Could someone point me to a _current_ list of mail to news gateways? > > > > From the help file for Private Idaho 2.6b: > > You can get the most current USENET gateway information (as well as > additional remailer info such as PGP keys) by: > > E-mailing mg5n+remailers at andrew.cmu.edu > (no subject or text in the message body required) I maintain a list that I believe to be more accurate than anything else out there. It's at http://students.cs.byu.edu/~don/mail2news.html. It's also linked from yahoo if you search for cypherpunk, gateway, mail, or news, or something like those. From thad at hammerhead.com Sat Jan 13 08:48:43 1996 From: thad at hammerhead.com (Thaddeus J. Beier) Date: Sun, 14 Jan 1996 00:48:43 +0800 Subject: Fwd: Scrambled software gets an OK Message-ID: <199601131630.IAA20078@hammerhead.com> This was printed in the San Jose Mercury News this morning.
I'd have just posted a pointer to it, except that it was in the "private" part of their web pages... Scrambled software gets an OK -- Exports: Foreign encoding unfair to U.S. firms, Commerce Department says. Bloomberg Business News WASHINGTON -- The Commerce Department will recommend easing export controls on encryption software after a study by the department and the National Security Agency found the restrictions are hurting U.S. firms, Commerce Secretary Ron Brown said. Such a move may pit Brown's department against U.S. defense and spy agencies, however, setting the stage for a White House battle over one of the last computer technologies still covered by export controls. ``I'm interested in promoting American exports,'' Brown said. ``If your foreign competitors are exporting products with encryption capability and you are not, that puts you at a tremendous competitive disadvantage,'' he said. Encryption software turns information, such as files and credit card numbers, into indecipherable material that can be sent across networks without fear of tampering to the recipient, who can then unscramble it. Under current U.S. law, encryption technology that exceeds certain technical thresholds is considered a ``munition.'' Those who would export such technology need explicit permission from the government. The United States justifies the export restrictions by saying law-enforcement agencies would be hamstrung in their efforts to stop terrorists, spies and criminals without them. The computer industry counters that encryption software is available from other countries, and the restrictions simply rob U.S. companies of business. The Computer Systems Policy Project, a joint effort of 13 top technology companies released its own study showing that U.S. companies will lose as much as 30 percent of the $200 billion in U.S. computer system sales expected in 2000 because of federal laws limiting exports of encryption products. 
Brown said his department will prepare recommendations for easing those controls that should be forwarded to the president ``within a few months.'' It's unclear if the NSA endorsed the Commerce Department's conclusions in the report it jointly prepared. Representatives of the NSA were unavailable for comment.

Brown's assertion comes a day after federal prosecutors dropped a three-year investigation of Boulder, Colo., software designer Philip Zimmermann, whose encryption program called Pretty Good Privacy was posted on the Internet, the worldwide computer network.

Published 1/13/96 in the San Jose Mercury News.

--
Thaddeus Beier thad at hammerhead.com
Technology Development 408) 286-3376
Hammerhead Productions http://www.got.net/~thad

From hallam at w3.org Sat Jan 13 10:01:30 1996
From: hallam at w3.org (hallam at w3.org)
Date: Sun, 14 Jan 1996 02:01:30 +0800
Subject: Shimomura on BPF, NSA and Crypto
In-Reply-To: <9601130957.AA19298@toad.com>
Message-ID: <9601131747.AA11926@zorch.w3.org>

>Tsutomu has lots of glib rhetoric about how he just builds tools and
>they can be used for good or evil. This tool is custom-designed for
>evil.

Rubbish, it would allow me to do something I urgently need to do - measure the performance of the main internet links. This is presently very difficult to do since the Berkeley sockets provide no network performance information to the application layer. What I need is a means of determining the fragmentation, packet delay, throttling rate etc etc. This is information available in the Kernel but I don't know how to get at it. The packet filters would provide a means to monitor, Tsutomu's kit would do the job better. The reason why I need this type of stuff is that a number of governments are asking how many T3 lines they need to string across the ocean to get into the Internet game. If hard figures are available they can make the case to fund them.
[No Libertarian flames about government subsidy please, I'm not interested]

Phill

From jhdeval at soho.ios.com Sat Jan 13 10:07:53 1996
From: jhdeval at soho.ios.com (Joseph Halstead)
Date: Sun, 14 Jan 1996 02:07:53 +0800
Subject: Mailing List
Message-ID: <30F7F0CC.2EE@soho.ios.com>

I would like to be included in your mailing list.

jhdeval at soho.ios.com

From merriman at arn.net Sat Jan 13 10:25:50 1996
From: merriman at arn.net (David K. Merriman)
Date: Sun, 14 Jan 1996 02:25:50 +0800
Subject: Digital postage and remailer abuse
Message-ID: <2.2.32.19960113061303.0068e1f8@arn.net>

-----BEGIN PGP SIGNED MESSAGE-----

Thus bespoke Alan Bostick:
>
>The very nature of this attack makes me wonder whether it would be
>worthwhile to implement a digital postage scheme for remailers that
>doesn't happen to be backed by real money. The remailers would continue
>to be free to use, and currency exchange hassles would be avoided, but
>many of the benefits of abuse prevention would be in place. So would
>the infrastructure to upgrade to pay-to-play remailers at a later date.

Doing something like this might also further the analogy of email to snailmail; particularly if the remailers were able to issue 'books' of stamps. It might even be possible to have each remailer issue Estamps (tm) of different 'kinds', much as there are different postage stamp 'themes'.

Having different stamps from each remailer would also allow some means of tracking spammers and rip-off artists ("hmmm. an 'Elvis' Estamp. That came from hactic; let's see if they can tell us who they sold this book to.....") IF the nature of the offense were severe enough.
Too, Estamp-based remailers would be a start on reputation basing: if the email goes through a postage-based remailer, there will eventually be an increased level of confidence that it isn't some kind of scam or other nuisance ("This came through vox, a postage remailer; therefore, someone had to go through some degree of bother; therefore, it's a lot less likely that it's some Frosh playing with his new Internet toy.").

Of course, I could be just spitting into the wind, or posting what is blatantly obvious to everyone else :-)

Dave Merriman

-------------------------------------------------------------
"It is not the function of our Government to keep the citizen from falling into error; it is the function of the citizen to keep the Government from falling into error."
Robert H. Jackson (1892-1954), U.S. Judge
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
My web page: http://www.geocities.com/CapitolHill/1148

From tcmay at got.net Sat Jan 13 10:37:12 1996
From: tcmay at got.net (Timothy C. May)
Date: Sun, 14 Jan 1996 02:37:12 +0800
Subject: Digital postage and remailer abuse (was Re: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com)
Message-ID:

At 4:47 PM 1/13/96, Alan Bostick wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>In article ,
>shamrock at netcom.com (Lucky Green) wrote:
>
>> I am not sure that postage would solve this problem. The geeks would
>> individually pay for it. Still, nominal postage would solve a lot of the
>> problems that plague remailnet.
>
>Maybe I'm misunderstanding how using digital postage with remailers would
>work. I was assuming that the postage stamp would be included *inside*
>the encrypted envelope, that what the remailer would do on receipt of
>mail would be: (a) decrypt the envelope; (b) validate the postage stamp;
>and (if the stamp is valid) (c) forward the message according to the
>now-decrypted instructions.

The basic idea of digital postage means, as Lucky said, that individual users and individual messages would have their own stamps. (Being just numbers, it is certainly possible that multiple messages could have the same exact "stamp," but then only one of them would be valid...in the model I usually think in terms of, the first to "redeem" the stamp gets the money, all others get nothing.)

So, each transmitter of a message would have to "pay the freight" with his own stamp. The idea of N different messages all carrying the "same" stamp is inconsistent with how digital postage would operate in practice.

>Using this model, if the perpetrator doesn't include a postage stamp,
>then the message is ignored. If the perp includes a stamp, the first
>horny net geek's message is relayed but subsequent ones get bounced for
>invalid postage.

Yes.

>If the message requires external postage (remailer processing cycle is
>process postage *before* decrypting envelope), then at the very least
>the horny net geeks have to get their own postage stamps, putting a step
>in the way of instant gratification. What's more, doing this would
>require *some* understanding of how the remailer network operates. One
>should never underestimate the degree of cluelessness present on the
>net, but knowing how to use remailers makes it more likely that somebody
>could recognize this as a mailbomb rather than a legitimate offer.

Yes.

>The very nature of this attack makes me wonder whether it would be
>worthwhile to implement a digital postage scheme for remailers that
>doesn't happen to be backed by real money. The remailers would continue
>to be free to use, and currency exchange hassles would be avoided, but
>many of the benefits of abuse prevention would be in place. So would
>the infrastructure to upgrade to pay-to-play remailers at a later date.

I think someone tried this a couple of years ago, offering coupons for remailer use.

The idea of "coupons" acting as stamps is the one most often discussed as an alternative to having full convertibility to money. A person buys a block of numbers, each can be used once and only once. It's up to the user not to let the numbers out of his possession (as they can be used by whoever gets them). So long as the numbers are in the outer encrypted envelope, packet sniffers and sysadmins won't see them.

So long as the remailer operator is honest enough not to claim the numbers have already been used--a reasonable assumption, at least at this time--then this should work.

Coupons also get around laws about cash, banking, etc.

--Tim May

We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May               | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA   | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From proff at suburbia.net Sat Jan 13 10:49:05 1996
From: proff at suburbia.net (Julian Assange)
Date: Sun, 14 Jan 1996 02:49:05 +0800
Subject: Shimomura on BPF, NSA and Crypto
In-Reply-To: <9601131747.AA11926@zorch.w3.org>
Message-ID: <199601131828.FAA01537@suburbia.net>

> >Tsutomu has lots of glib rhetoric about how he just builds tools and
> >they can be used for good or evil. This tool is custom-designed for
> >evil.
>
> Rubbish, it would allow me to do something I urgently need to do - measure the
> performance of the main internet links. This is presently very difficult to do
> since the Berkeley sockets provide no network performance information to the
> application layer.

[..]

The standard BPF does exactly what you want already. Can you say tcpdump? I think some research is in order before you go shooting off your mouth.

--
+----------------------------------+-----------------------------------------+
|Julian Assange                    | "if you think the United States has     |
|FAX: +61-3-9819-9066              |  stood still, who built the largest     |
|EMAIL: proff at suburbia.net      |  shopping centre in the world?" - Nixon |
+----------------------------------+-----------------------------------------+

From merriman at arn.net Sat Jan 13 11:18:14 1996
From: merriman at arn.net (David K. Merriman)
Date: Sun, 14 Jan 1996 03:18:14 +0800
Subject: Digital postage and remailer abuse
Message-ID: <2.2.32.19960113070712.00680b1c@arn.net>

-----BEGIN PGP SIGNED MESSAGE-----

At 10:47 AM 01/13/96 -0800, Jonathon Blake wrote:
>
>On Sat, 13 Jan 1996, David K. Merriman wrote:
>
>> snailmail; particularly if the remailers were able to issue 'books' of stamps.
>> It might even be possible to have each remailer issue Estamps (tm) of
>> different 'kinds', much as there are different postage stamp 'themes'.
>
> I can see it now. The 1997 Scott Standard Estamp Catalog:
> Remailers of the World.
>

Or perhaps Famous Cypherpunks? So maybe a bad example, but the analogy is quasi-valid :-)

>> Having different stamps from each remailer would also allow some means of
>> tracking spammers and rip-off artists ("hmmm. an 'Elvis' Estamp. That came
>> from hactic; let's see if they can tell us who they sold this book to.....")
>
> OTOH, if hactic keeps records of who the stamps are sold to,
> that sort of defeats the anonymous nature of the remailers.
>

Perhaps a little, but considering *why* Estamps would be used, I think it would be an acceptable 'hazard'. Of course, it's not any kind of requirement, simply a means of resolving a *significant* problem.

Or not. :-)

Dave

-------------------------------------------------------------
"It is not the function of our Government to keep the citizen from falling into error; it is the function of the citizen to keep the Government from falling into error."
Robert H. Jackson (1892-1954), U.S. Judge
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
My web page: http://www.geocities.com/CapitolHill/1148

From nowhere at bsu-cs.bsu.edu Sat Jan 13 11:41:30 1996
From: nowhere at bsu-cs.bsu.edu (Anonymous)
Date: Sun, 14 Jan 1996 03:41:30 +0800
Subject: No Subject
Message-ID: <199601131931.OAA05150@bsu-cs.bsu.edu>

> The U.S. Commerce Department will recommend easing
> export controls on encryption software after a study by
> the department and the National Security Agency found
> that American firms are being hurt....

Avoid the rush, start generating those 42 bit keys now!

And don't forget tonight's victory celebration in Shimomura's hot tub!
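
Added illustration, not code from the thread: a remailer-side ledger for the one-use coupon scheme Tim May describes in the digital postage thread above ("a block of numbers, each can be used once and only once"), run against the same-stamp mailbomb that Alan Bostick's quoted text walks through. The class and function names, the dict envelope format and the addresses are constructed for the example, and the envelope is assumed to have been decrypted already.

```python
"""One-use remailer postage coupons (added illustration, not code from the thread)."""
import hashlib
import secrets
import threading
from concurrent.futures import ThreadPoolExecutor


def _digest(stamp):
    # The ledger keeps SHA-256 digests only, so a copy of the ledger
    # does not hand out spendable coupon numbers.
    return hashlib.sha256(stamp.encode("utf-8")).digest()


class StampLedger:
    """Remailer-side record of unspent coupons.

    Nothing about the buyer is stored: the ledger can answer "valid and
    unspent?" without being able to say who bought a block.
    """

    def __init__(self):
        self._unspent = set()
        self._lock = threading.Lock()

    def issue_block(self, count):
        """Create `count` random 128-bit coupons and return them to the buyer."""
        block = [secrets.token_hex(16) for _ in range(count)]
        with self._lock:
            self._unspent.update(_digest(s) for s in block)
        return block

    def redeem(self, stamp):
        """Spend a coupon. True for the first presentation only."""
        digest = _digest(stamp)
        # Check and removal happen under one lock, so two copies arriving
        # at the same moment cannot both be accepted.
        with self._lock:
            if digest in self._unspent:
                self._unspent.remove(digest)
                return True
        return False

    def unspent(self):
        with self._lock:
            return len(self._unspent)


def process(ledger, envelope):
    """Handle one decrypted envelope: validate postage, then forward or drop."""
    stamp = envelope.get("stamp")
    if not stamp:
        return ("drop", "no postage")
    if not ledger.redeem(stamp):
        return ("drop", "stamp unknown or already used")
    return ("forward", envelope["to"])


def simulate_mailbomb(copies, workers=8):
    """Many senders relay the same pre-built message, all with one stamp.

    Returns (forwarded, dropped, coupons still unspent in the block).
    """
    ledger = StampLedger()
    block = ledger.issue_block(3)
    # Constructed sample message; every copy carries block[0].
    bomb = {"stamp": block[0], "to": "target@example.invalid", "body": "(constructed)"}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda _: process(ledger, bomb), range(copies)))
    forwarded = sum(1 for action, _ in results if action == "forward")
    return forwarded, copies - forwarded, ledger.unspent()


if __name__ == "__main__":
    print(simulate_mailbomb(1000))
```

As Bryce points out later in the thread, this only stops copies that share a stamp; senders who each bring their own valid coupon are still forwarded.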
From dm at amsterdam.lcs.mit.edu Sat Jan 13 11:46:30 1996
From: dm at amsterdam.lcs.mit.edu (David Mazieres)
Date: Sun, 14 Jan 1996 03:46:30 +0800
Subject: A weakness in PGP signatures, and a suggested solution (long)
In-Reply-To: <199601030407.UAA12551@comsec.com>
Message-ID: <199601131820.NAA14561@amsterdam.lcs.mit.edu>

> From: Rich Graves
> Newsgroups: netcraft.cypherpunks,alt.security.pgp,sci.crypt,mail.cypherpunks
> Date: Fri, 12 Jan 1996 02:04:13 -0800
>
> An easy short-term partial solution would be to modify mailcrypt, bap, or
> whatever front end you use to automatically put the current date and (a
> shortened form of) the To: or Newsgroups: header into the PGP signature
> Comments: line.

Well, I'm not much of an elisp hacker so I resorted to using perl, but here's what I have. This doesn't address the issue of automatically verifying the headers in a message, but at least the headers are in the message so that you can manually verify things when there may be a problem.

David

--
#!/usr/local/bin/perl
#
# Put Header In Sig.
# This script copies mail headers into the body of a message
# before signing, so that your signed messages cannot be taken
# out of context.
#
# To use with mailcrypt, put something like the following in your
# .emacs file:
#
# (defun put-header-in-sig ()
#   (call-process-region
#    (point-min) (point-max)
#    "~/bin/phis"
#    nil
#    (current-buffer)
#    nil))
# (add-hook 'mc-pre-signature-hook 'put-header-in-sig)

# Collect the header lines up to the "--text follows this line--"
# separator that Emacs puts between headers and body.
while (<>) {
    last if /^--/;
    # Never copy blind-copy or file-copy headers into the signed text
    # (matched case-insensitively so "Bcc:" is caught as well as "BCC:").
    $header .= $_ unless /^(BCC|FCC):/i;
    $date = 1 if /^Date:/i;
}
# No separator seen: this is not a mail buffer, so emit nothing.
exit 0 unless $_;
# Supply a Date: line if the draft does not have one yet.
$header = "Date: " . `date` . $header unless $date;
print $header, "\n";
# Drain the rest of the input.
while (<>) {}

From froomkin at law.miami.edu Sat Jan 13 11:53:40 1996
From: froomkin at law.miami.edu (Michael Froomkin)
Date: Sun, 14 Jan 1996 03:53:40 +0800
Subject: PRZ grand jury - how about free accts for them...
In-Reply-To:
Message-ID:

On Fri, 12 Jan 1996, zinc wrote:

>
> how can it be jury tampering if the jury has been disbanded?

It can't.
>
> i did not mean to influence an active grand jury, but to ask questions
> of one that had finished its job.
>

You can give them accounts, but they are still covered by their secrecy oath, so they can't answer questions about what the grand jury did (at least in most jurisdictions, YMMV). This got very controversial in the Rocky Flats case, where the grand jurors hired a lawyer to get permission to go public to complain about a failure to prosecute. I don't recall ever reading about the outcome of that case, so I can't report the result. If the jurors had won, I would have expected to hear about it. It may still be pending.

A. Michael Froomkin        | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law |
U. Miami School of Law     | froomkin at law.miami.edu
P.O. Box 248087            | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's warm here.

From perry at vishnu.alias.net Sat Jan 13 11:54:29 1996
From: perry at vishnu.alias.net (John Perry)
Date: Sun, 14 Jan 1996 03:54:29 +0800
Subject: New Mailing List (encrypted)
Message-ID: <199601131942.NAA06288@vishnu.alias.net>

-----BEGIN PGP SIGNED MESSAGE-----

Hello everyone,

I have installed PGPdomo on vishnu.alias.net. I've also created a new mailing list that you can join if you wish. It's a closed mailing list, so subscriptions must be approved. What makes this mailing list different is that all submissions are encrypted and all outbound messages are encrypted to the PGP key of the recipient. This means you can discuss whatever you wish without fear of discovery or retribution.

The name of the mailing list is cypher-list and its home is vishnu.alias.net. The theme of the mailing list is basically anything one might discuss about cryptography, crypto-politics, remailers, government, Kevin Mitnick, etc. It's kind of like cypherpunks but accepts a wider discussion base. The difference is encryption. As mentioned above, the list is handled in a secure fashion.
I've included the help file for PGPdomo below to assist in subscribing to the list. Here is the simplified form for subscribing:

Send email to cypher-list-request at vishnu.alias.net

In the body of the message specify:

subscribe cypher-list
[your PGP public key in ascii-armored format]

You will be added to the mailing list and emailed the welcome message.

Here's the help file:

You have reached the J. P. and Associates "Majordomo" mailing list manager, version 1.93.

This is a modified version of Majordomo 1.93 that includes PGP support. Majordomo's public key is available at:

ftp://vishnu.alias.net/pub/majordomo.pgp

Additionally, the public key for Majordomo at vishnu.alias.net can be found on the PGP keyservers.

Majordomo at vishnu.alias.net will accept the following commands in clear-text (i.e. no encryption): help; lists; info; and which. All other clear-text commands must be sent to the specific list using the email address:

<list>-request at vishnu.alias.net

Where <list> is a valid listname without the <> characters.

In the description below, items contained in []'s are optional. When providing the item, do not include the []'s around it.

It understands the following commands:

    subscribe <list> [<address>]
    [-----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: 2.6.2

    mQCNAzBoq  Your PGP version 2.6.2                EKOUFKNl+Ytk+O
    QphsZ8zNU  compatible Public Key                 u0SDZVbcTP7lt6
    mP+fZPdMq  in ASC format goes here               izFrag5L4ZAAUR
    tDxNYWpvc  use pgp -kxa my_pubkey.asc to create  pvcmRvbW9AaGF3
    d3cuaGEub3NkLm1pbD4=
    =l3kH
    -----END PGP PUBLIC KEY BLOCK-----]
        Subscribe yourself (or <address> if specified) to the named <list>.
        subscribe commands should always be sent in clear-text to
        <list>-request at vishnu.alias.net. Only include your PGP public key
        for PGP protected lists. We prefer (but do not require) 1024 bit key
        lengths. We reject Public keys with less than 512 bits. If
        subscribing to a PGP protected list, include contact information
        such as DSN or commercial phone number.

    unsubscribe <list> [<address>]
        Unsubscribe yourself (or <address> if specified) from the named <list>.

    get <list> <filename>
        Get a file related to <list>.

    index <list>
        Return an index of files you can "get" for <list>.

    which [<address>]
        Find out which lists you (or <address> if specified) are on.

    who <list>
        Find out who is on the named <list>.

    info <list>
        Retrieve the general introductory information for the named <list>.

    lists
        Show the lists served by this Majordomo server.

    help
        Retrieve this message.

    end
        Stop processing commands (useful if your mailer adds a signature).

Commands should be sent in the body of an email message to <list>-request at vishnu.alias.net.

Commands in the "Subject:" line are NOT processed.

If you have any questions or problems, please contact Majordomo-Owner at vishnu.alias.net@vishnu.alias.net.

Additional PGP information:

When submitting entries to a PGP protected list, please comply with the following:

  o encrypt the entire submission for Majordomo at vishnu.alias.net (-e option of pgp)
  o use Transport Armor (.asc, radix-64, the -a option of pgp)
  o sign your submissions (-s option of pgp)
  o use the linefeed conversion option (-t option of pgp)

'pgp -east submission Majordomo at vishnu.alias.net' where submission is your file should work nicely.

John Perry - KG5RG - perry at vishnu.alias.net - PGP-encrypted e-mail welcome!
Packet Radio - KG5RG at WA4IMZ.#SETX.TX.USA.NA
WWW - http://www.alias.net
PGP 2.62 key for perry at vishnu.alias.net is on the keyservers.

From Andrew.Spring at ping.be Sat Jan 13 12:09:49 1996
From: Andrew.Spring at ping.be (Andrew Spring)
Date: Sun, 14 Jan 1996 04:09:49 +0800
Subject: CelBomb
Message-ID:

> Can anyone in IL, or elsewhere, report more on the head-job
> of The Engineer:
>

I don't know beans about it, but I've never let that stop me before.
> Any crypto used to authenticate the target for the boombox, > or to obscure links to the assassin? > > How was the blast specifically targeted at him and not a > phone borrower? > > How it was set off -- by user-dialing, remote control, some > other means? > Try this scenario. Bomb in cell phone's trigger is activated by a tone, say the DTMF tones for the numbers 8 and 6. Assassin calls phone number, and performs the following authentication protocol: "Hi, this is J.Random Assassin. May I speak to Mr. Intended Victim Please?" "Speaking." "Message for youuuuuuuuuuu...." Beep Boop BOOM!!! From mark at zang.com Sat Jan 13 12:52:59 1996 From: mark at zang.com (Mark (Mookie)) Date: Sun, 14 Jan 1996 04:52:59 +0800 Subject: tsu's bpf Message-ID: <199601122307.NAA09386@zang.com> >> Shimomura on BPF, NSA and Crypto: >> >> One of the tools I modified for my work was a sophisticated >> piece of software called the Berkeley Packet Filter. ... >> Unlike the original BPF, my version was designed to bury > ^^^^^^^^^^^^^^^^^^^^^^^ >> itself inside the operating system of a computer and watch >> for certain information as it flowed through the computer >> from the Internet. When a packet from a certain address, or >> for that matter any other desired piece of information >> designated by the user flashed by, BPF would grab it and >> place it in a file where it could be kept for later >> viewing. > >This is *exactly* what BPF does, always did and was designed to do. As >for writing the packets to a file, everything but opening and closing >the file are described in the man page. You could code it in 10 lines. Get off your high horse Julian, he means it's a modloadable version of bpf, much like the modloadable NIT that is also available. There are at least two sniffers that can use both the modloadable NIT and bpf packet interfaces, maybe more. It certainly is easier than recompiling your kernel to include the functionality which is generally the way things were done. 
I prefer bpf as it is much more efficient, typically 10% of the impact that NIT has on a machine. Some rough figures are a NIT might use one or two minutes of CPU a day to monitor a reasonably quiet network, whilst bpf will only use several seconds cpu time. (Most of the work is hidden in the kernel anyway).

Mark

From reagle at rpcp.mit.edu Sat Jan 13 13:16:37 1996
From: reagle at rpcp.mit.edu (Joseph M. Reagle Jr.)
Date: Sun, 14 Jan 1996 05:16:37 +0800
Subject: Theory Question: Why isn't RSA a 0-knowledge Proof
Message-ID: <9601132108.AA19991@rpcp.mit.edu>

Simple question, why isn't the hard problem of proving that I know a secret key (d) for a given (e,n) (public key and modulus) a zero-knowledge proof? Is some amount of information leaked during challenges?

_______________________
Regards, Is this true or only clever? -Augustine Birrell
Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html
reagle at mit.edu 0C 69 D4 E8 F2 70 24 33 B4 5E 5E EC 35 E6 FB 88

From adam at lighthouse.homeport.org Sat Jan 13 13:30:12 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Sun, 14 Jan 1996 05:30:12 +0800
Subject: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com
In-Reply-To:
Message-ID: <199601122336.SAA24814@homeport.org>

Some remailers (read: Mixmaster) include a destination.block capability.

The target can be taught about mail filters.

The target can ask the remailer op to remove the particular alias, after verifying that he receives mail sent to it. Too clever by half solutions such as ZKP would work, as would the remailer-op sending an arbitrary message encrypted to the complainer to the address in question. If the complainer gets the message, either he's sniffing well, mucking with the DNS, or is the intended recipient of the nym server.
Adam

Alan Bostick wrote:

| Thousands of horny net geeks will send in the message; some of them
| will even follow instructions correctly so the remailer forwards the
| message to its intended target. The result is that the target will
| be mailbombed -- and the remailer operator can't stop the abuse by
| blocking the abuser's address, because it's coming from all over the
| net.

| Cypherpunks: is there any way to respond to, or prevent, this sort of
| attack short of actually shutting down the remailer?

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From ses at tipper.oit.unc.edu Sat Jan 13 13:38:04 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Sun, 14 Jan 1996 05:38:04 +0800
Subject: RSA accelerators on ISA/PCI cards?
Message-ID:

Does anybody have any recommendations for a good RSA accelerator available on an ISA/PCI card? I'm looking for something that can be used with numerous public/private keys, though the ability to have one tamperproof key would be a bonus.

Thanks
Simon

----
(defun modexpt (x y n) "computes (x^y) mod n"
  (cond ((= y 0) 1) ((= y 1) (mod x n))
        ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n))
        (t (mod (* x (modexpt x (1- y) n)) n))))

From wilcoxb at nagina.cs.colorado.edu Sat Jan 13 13:42:10 1996
From: wilcoxb at nagina.cs.colorado.edu (Bryce)
Date: Sun, 14 Jan 1996 05:42:10 +0800
Subject: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com
In-Reply-To:
Message-ID: <199601132129.OAA26992@nagina.cs.colorado.edu>

-----BEGIN PGP SIGNED MESSAGE-----

An entity calling itself ABostick probably wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----

(BTW, it verified here.)

>
> If "digital postage" is ever implemented, this sort of
> distributed-origin mailbomb-through-a-remailer would be stopped
> immediately. All the messages that the horny net geeks send would
> necessarily contain the same postage stamp, and the remailer would
> notice this right away -- and throw away messages containing the used
> postage stamp.
>
> One more motivation for e$-like digital postage for remailers.

Unfortunately this is not the case. The perpetrator would simply have to convince the horny net geeks to pay their own postage.

In fact, it is *in general* impossible to have both anonymity and prevention/control of mail-bombing. Of course digital postage will help the problem somewhat by making the bombers pay for it, and smarter filters on the recipient's end will help, but in general it is a problem we are going to have to live with if we want anonymity.

Regards,

Bryce

PGP sig follows

From wilcoxb at nagina.cs.colorado.edu Sat Jan 13 14:01:36 1996
From: wilcoxb at nagina.cs.colorado.edu (Bryce)
Date: Sun, 14 Jan 1996 06:01:36 +0800
Subject: bad PGP signatures
In-Reply-To:
Message-ID: <199601132149.OAA28011@nagina.cs.colorado.edu>

-----BEGIN PGP SIGNED MESSAGE-----

Yet another bad PGP signature via e$pam.

Date: Sat, 13 Jan 1996 12:13:03 +0600
To: cypherpunks at toad.com
From: "David K. Merriman"
Subject: Re: Digital postage and remailer abuse

That's the third today (although the second was fixable by concatenating the Subject: onto one line.)

Would everyone please get into the habit of formatting their messages to be much less than 80 columns? All Phil's travails are ill-rewarded when we can't get basic clearsigning to work via mailing lists. (Or if we don't bother to *use* clearsigning via mailing lists, but that is another topic...)
On a related subject, cpunks traffic recently alerted me to how effective replay attacks can be against PGP. Don't PGP signatures include a time-stamp from the system clock? I'm going to get into the habit of including a time-stamp in the clear-text from now on. (I have sent so many PGP-clearsigned messages, and many of them quite short, that an attacker could almost hold up my end of a conversation using them. :-) )

Bryce

PGP sig follows

Sat Jan 13 14:48:23 MST 1996

From jya at pipeline.com Sun Jan 14 07:14:10 1996
From: jya at pipeline.com (John Young)
Date: Sun, 14 Jan 96 07:14:10 PST
Subject: FIN_sin
Message-ID: <199601141513.KAA01435@pipe1.nyc.pipeline.com>

The January 22 New York magazine, a local weekly, reports in "The Money Plane":

Five nights a week, at least $100 million in crisp new $100 dollar bills is flown from JFK nonstop to Moscow, where it is used to finance the Russian mob's vast and growing international crime syndicate. State and federal officials believe it is part of a multi-billion-dollar money-laundering operation. The Republic National Bank and The United States Federal Reserve prefer not to think so.

"That money is used to support organized crime; it's used to support black-market operations," says one federal official. "In my personal opinion, this is an abomination. Yet it appears that at least part of the federal government sees nothing wrong with it."

FINCEN director Stanley Morris is more blunt: "Russia's banking system is a cesspool."
FIN_sin From attila at primenet.com Sun Jan 14 08:15:13 1996 From: attila at primenet.com (attila) Date: Sun, 14 Jan 96 08:15:13 PST Subject: COMMUNITY CONNEXION REFUSES TO CENSOR INTERNET SERVICES In-Reply-To: <199601110938.BAA10567@infinity.c2.org> Message-ID: an excellent statement, sameer. many of our population around the world will voice these sentiments, but how many will care to implement in the face of an onslaught by pressure groups, government, self- serving news services, etc? c2 provides a service that states exactly what it means --and then implements it. kudos due all the way around. the SWC is a prime example of very narrow view which is trying to "control" what we can say --unfortunately, SWC is guilty of the same mind-control tactics as the core Nazi party which persecuted them == a very poor example. In Germany, trading on collective guilt they will never stop feeding, they have effectively controlled the issue so that _any_ speech or revision against their agenda is a hate crime, and therefore a serious felony. thank you for standing up to the Simon Weisenthal Center! __________________________________________________________________________ go not unto usenet for advice, for the inhabitants thereof will say: yes, and no, and maybe, and I don't know, and fuck-off. _________________________________________________________________ attila__ To be a ruler of men, you need at least 12 inches.... From liberty at gate.net Sun Jan 14 08:22:33 1996 From: liberty at gate.net (Jim Ray) Date: Sun, 14 Jan 96 08:22:33 PST Subject: A pooled e-cash FOIA request Message-ID: <199601141620.LAA62254@osceola.gate.net> -----BEGIN PGP SIGNED MESSAGE----- I agree with Charlie Merritt and Declan that a well-placed FOIA request would be a good thing (tm). I am less interested in the identities of low-level Customs, etc. employees than I am in what orders were given, and which political appointees gave them. 
This action is an entirely reasonable one to take with regard to *our* employees. As a FOIA request can get a bit expensive, I'd suggest that those of us who are interested try to pool our efforts/$ as we did with the ZLDF. This method seems to have worked, :) and ecash should make it easy... JMR -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Freedom isn't Freeh. -----END PGP SIGNATURE----- From jk at digit.ee Sun Jan 14 08:28:21 1996 From: jk at digit.ee (Jyri Kaljundi) Date: Sun, 14 Jan 96 08:28:21 PST Subject: GNN on Crypto Message-ID: Global Network Navigator Web Review (http://gnn.com/wr/) has their main story this week on crypto. The articles are: Spymaster meets webmaster: NSA's Fortezza: stronger encryption or Internet spy strategy http://gnn.com/gnn/wr/96/01/12/features/nsa/index.html The Seduction of Crypto AG: How the NSA held the keys to a top-selling encryption machine http://gnn.com/gnn/wr/96/01/12/features/nsa/crypto.html Familiar faces, familiar places: Look who's working to implement Fortezza in the US and Europe http://gnn.com/gnn/wr/96/01/12/features/nsa/triteal.html What's that smell: Is the NSA sniffing your email? http://gnn.com/gnn/wr/96/01/12/features/nsa/sniff.html A back door for the NSA: Balancing the need for intelligence with privacy http://gnn.com/gnn/wr/96/01/12/features/nsa/conclude.html Juri Kaljundi jk at digit.ee Digiturg http://www.digit.ee/ From nobody at REPLAY.COM Sun Jan 14 09:34:58 1996 From: nobody at REPLAY.COM (Anonymous) Date: Sun, 14 Jan 96 09:34:58 PST Subject: COMMUNITY CONNEXION...
Message-ID: <199601141734.SAA23618@utopia.hacktic.nl> Attila sez: > the SWC is a prime example of very narrow view which is trying to > "control" what we can say --unfortunately, SWC is guilty of the same > mind-control tactics as the core Nazi party which persecuted them == > a very poor example. In Germany, trading on collective guilt they > will never stop feeding, they have effectively controlled the issue > so that _any_ speech or revision against their agenda is a hate crime, > and therefore a serious felony. Sounds like you're a little weak on your history, Attila. Not that I agree with the SWC's policies one bit, but some basic dates and facts - when SW was born, when he founded his C, when WW2 was, what the Nazis did during it and what the SWC has done since, when and how the anti-Nazi and hate speech laws were passed in Germany, whether "any" speech or revision against the SWC's agenda (or do you just mean "JEWS"?), etc - would make pretty short work of your nonsense. From bruceab at teleport.com Sun Jan 14 10:48:12 1996 From: bruceab at teleport.com (Bruce Baugh) Date: Sun, 14 Jan 96 10:48:12 PST Subject: Hate Speech Ban Metaphor Message-ID: <2.2.32.19960114184910.0068d95c@mail.teleport.com> Saw this on news.admin.net-abuse.misc: In article , ebohlman at netcom.com (Eric Bohlman) wrote: :Banning this sort of discussion accomplishes nothing positive. It :creates the *appearance* of having fought bigotry without actually having :done so. It doesn't address the problem, it sweeps it under the rug, and :bigotry that's been swept under the rug has a nasty habit of catching :fire. Banning hate speech is sort of like sending a business card to :Craig Shergold; it lets you feel like you've done your good deed for the :day, even though you really haven't. That gets _my_ vote for metaphor of the day. 
Bruce Baugh bruceab at teleport.com http://www.teleport.com/~bruceab From ses at tipper.oit.unc.edu Sat Jan 13 19:09:29 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sun, 14 Jan 1996 11:09:29 +0800 Subject: [noise] The economics of super-stars - partial cite Message-ID: This came up at the bay area cypherpunks meeting - I haven't got the full citation, but the original paper was by Sherwin Rosen of the University of Chicago; it was published in 1981, under the title "The Economics of Superstars" - I think it might be in: TITLE: Studies in labor markets / edited by Sherwin Rosen. PUBLICATION: Chicago : University of Chicago Press, 1981. DESCRIPTION: ix, 395 p. ; 24 cm. SERIES: Conference report / Universities--National Bureau Committee for Economic Research ; no. 31 Simon (defun modexpt (x y n) "computes (x^y) mod n" (cond ((= y 0) 1) ((= y 1) (mod x n)) ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n)) (t (mod (* x (modexpt x (1- y) n)) n)))) From cmerritt at intellinet.com Sun Jan 14 11:27:01 1996 From: cmerritt at intellinet.com (Charlie Merritt) Date: Sun, 14 Jan 96 11:27:01 PST Subject: A pooled e-cash FOIA request Message-ID: <199601141930.NAA14451@intellinet.com> Jim Ray said in part: >a well-placed FOIA >request would be a good thing (tm). I am less interested in the >identities of low-level Customs, etc. employees than I am in what >orders were given, and which political appointees gave them. >As a FOIA request can get a bit expensive, I'd suggest >that those of us who are interested try to pool our efforts/$ as >we did with the ZLDF. This method seems to have worked, :) and >ecash should make it easy... I'm ready. I'm willing to put in some bucks. We need a lawyer, a [virtual] center. I think the easiest part to get would be a financial accounting (partial I bet). I'm sure the DOJ has a (cya) policy of never identifying goons of a failed persecution.
It has been suggested to me that individual law suits against the low level people that CAN be identified might be an approach. Sue for violation of constitutional rights. The depositions would work like a grand jury investigation. "Well, Agent Smith, if you were just following orders WHO gave them to you?" Sue your way up the line. Lotsa Ebucks :-( From mpd at netcom.com Sun Jan 14 11:45:48 1996 From: mpd at netcom.com (Mike Duvos) Date: Sun, 14 Jan 96 11:45:48 PST Subject: [NOISE] Re: COMMUNITY CONNEXION... In-Reply-To: <199601141734.SAA23618@utopia.hacktic.nl> Message-ID: <199601141945.LAA11478@netcom2.netcom.com> > Sounds like you're a little weak on your history, Attila. Not that I > agree with the SWC's policies one bit, but some basic dates and facts - > when SW was born, when he founded his C, when WW2 was, what the Nazis did > during it and what the SWC has done since, when and how the anti-Nazi and > hate speech laws were passed in Germany, whether "any" speech or revision > against the SWC's agenda (or do you just mean "JEWS"?), etc - would make > pretty short work of your nonsense. Congratulations. You win the award for this week's longest run-on sentence. Is there some special reason you had to post this little history lesson anonymously? -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From cp at proust.suba.com Sun Jan 14 13:25:30 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Sun, 14 Jan 96 13:25:30 PST Subject: [NOISE] Re: COMMUNITY CONNEXION... In-Reply-To: <199601141945.LAA11478@netcom2.netcom.com> Message-ID: <199601142126.PAA08538@proust.suba.com> > > Sounds like you're a little weak on your history, Attila.
Not that I > > agree with the SWC's policies one bit, but some basic dates and facts - > > when SW was born, when he founded his C, when WW2 was, what the Nazis did > > during it and what the SWC has done since, when and how the anti-Nazi and > > hate speech laws were passed in Germany, whether "any" speech or revision > > against the SWC's agenda (or do you just mean "JEWS"?), etc - would make > > pretty short work of your nonsense. [...] > Is there some special reason you had to post this little history > lesson anonymously? Aha, at last some cypherpunk relevance. Would the post have been ok if it had been signed? Anonymity isn't the issue, content is. No one needs a reason or special justification for anonymity -- we're entitled to it. But we're also entitled to ignore people we don't want to communicate with, including anonymous people. This is Eric's list, and he's entitled to make a rule that anonymous posts aren't allowed, but he hasn't done so -- anonymous posts are ok. If we don't like Eric's rules, we're entitled to set up another list with different rules on another server and post there. And of course if you don't like anonymous posts, you're entitled to skip them. Banning anonymity doesn't give you any protection at all from off topic posts. Check the archives if you don't believe me. From alanh at infi.net Sun Jan 14 13:37:18 1996 From: alanh at infi.net (Alan Horowitz) Date: Sun, 14 Jan 96 13:37:18 PST Subject: A pooled e-cash FOIA request In-Reply-To: <199601141930.NAA14451@intellinet.com> Message-ID: > > It has been suggested to me that individual law suits against the > low level people that CAN be identified might be an approach. > Sue for violation of constitutional rights. > The depositions would work like a grand jury investigation. > "Well, Agent Smith, if you were just following orders > WHO gave them to you?" Sue your way up the line. This is the way federal prosecutors work.
They put the squeeze on some people to get them to squeal, or even wear a wire or testify against their erstwhile companions. From galactus at stack.urc.tue.nl Sun Jan 14 13:49:19 1996 From: galactus at stack.urc.tue.nl (Arnoud "Galactus" Engelfriet) Date: Sun, 14 Jan 96 13:49:19 PST Subject: A weakness in PGP signatures, and a suggested solution (long) In-Reply-To: <199601030407.UAA12551@comsec.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- In article , Rich Graves wrote: > An easy short-term partial solution would be to modify mailcrypt, bap, or > whatever front end you use to automatically put the current date and (a > shortened form of) the To: or Newsgroups: header into the PGP signature > Comments: line. That line can be clipped off by everyone, without even so much as a peep from PGP. Perhaps a better solution would be to copy the To: and Newsgroups: headers into the body of the message? Galactus - -- To find out more about PGP, send mail with HELP PGP in the SUBJECT line to me. E-mail: galactus at stack.urc.tue.nl - Please PGP encrypt your mail if you can. Finger galactus at turtle.stack.urc.tue.nl for public key (key ID 0x416A1A35). Anonymity and privacy page: -----BEGIN PGP SIGNATURE----- Version: 2.6.2i -----END PGP SIGNATURE----- From llurch at networking.stanford.edu Sat Jan 13 23:12:56 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sun, 14 Jan 1996 15:12:56 +0800 Subject: [noise] The economics of super-stars - partial cite In-Reply-To: <199601140628.WAA23934@blob.best.net> Message-ID: [Token crypto relevance: there's some steganography in Mayta] On Sat, 13 Jan 1996, James A.
Donald wrote: > At 09:55 PM 1/13/96 -0800, Rich Graves wrote: > > Title refers to Sendero Luminoso, a particularly bizarre Maoist cult that > > has been brutally repressed by Fujimori in recent years. > > Your use of the word "brutal" in this context is a little odd. Since Sendero > Luminoso are extraordinarily cruel terrorists and mass murderers, it is > entirely proper and appropriate for Fujimoro to attempt to physically > exterminate them. Possibly what you meant to imply is that Fujimoro > failed to make adequate distinction between support for the political > ideas of terrorists, and actual participation in terror. No, I meant "brutal." The word "brutal" is also clearly appropriate for Sendero, but I figured "bizarre Maoist cult" was sufficiently non-laudatory. I guess some people are into that kind of thing, though, so I'll add "brutal" in the future. Eye for an eye. Thankfully, it's calmed down now that the most nasty folks are either dead or educated by the experience. Peru moved on from terrorism to the soap opera within the Fujimori family (his wife threatened to run for President against him, was locked out of the house, etc.) Read anything from Mario Vargas Llosa for background. I'm told that his novels are actually more accurate than his nonfiction because he doesn't have to worry quite so much about specific people on both sides wanting to kill him, since he doesn't name names. I've recommended La vida de Alejandro Mayta to many a chardonnay revolutionary who thinks that Maoist revolution is "cool," and the human reality check is good for those with a more authoritarian bent, too. -rich From frissell at panix.com Sun Jan 14 15:13:16 1996 From: frissell at panix.com (Duncan Frissell) Date: Sun, 14 Jan 96 15:13:16 PST Subject: COMMUNITY CONNEXION REFUSES TO CENSOR INTERNET SERVICES Message-ID: <2.2.32.19960114231553.00943bb4@panix.com> At 04:14 PM 1/14/96 +0000, attila wrote: > > an excellent statement, sameer. 
many of our population around the > world will voice these sentiments, but how many will care to implement > in the face of an onslaught by pressure groups, government, self- > serving news services, etc? Of the 7000+ ISPs on Earth, more than 1000. More than enough. DCF From alano at teleport.com Sat Jan 13 23:28:40 1996 From: alano at teleport.com (Alan Olsen) Date: Sun, 14 Jan 1996 15:28:40 +0800 Subject: [Local] Portland Cypherpunks Meeting Update Message-ID: <2.2.32.19960114071832.00849bc0@mail.teleport.com> -----BEGIN PGP SIGNED MESSAGE----- There have been no changes to the time and date of the Portland Cypherpunks meeting. For those of you who have not seen the past notices of the meeting, here are the details: Place: The Habit Internet Cafe 2633 S.E. 21st Av. Portland OR 97202 SE 21st @ Clinton (503) 235-5321 http://www.teleport.com/~habit/ Date: January 20th, 1995 Time: 5:23pm (Discordian time) Activities: There will be a general discussion of assorted topics including planned projects of the various participants, a PGP key signing, and general socializing, among other things. If you need instructions on how to get to the Habit, send mail to alano at teleport.com or habit at teleport.com and I will send you directions. It has been requested that cameras not be brought to the meeting as some who are planning on attending would like to avoid having their soul captured by the evil magic of the lens. If you are planning on participating in the key signing (and you do not have to if you do not want to), please follow these instructions: Send a copy of your public key (ascii armored) to alano at teleport.com. (This will also help me determine how many people are planning on attending.) I will compile all of the keys into a keyring which will be handed out on diskette. (Please tell me the format you want the disk in. Nothing too exotic, (like IBM mainframe formats and the like) please.) I can also e-mail the keyring to you as well. 
I will hand out a list of the fingerprints of the keys on the keyring. At the meeting we will verify key fingerprints. When you get home, you can then sign the keys at your leisure and mail them back to me. I will then send them to the key servers and the participants of the keysigning. ***PLEASE DO NOT BRING YOUR PRIVATE KEYRINGS TO THE MEETING*** For more information on keysignings, check out: http://world.std.com/~franl/pgp/how-to-organize-keysigning.html If you have any more questions, just send me e-mail at alano at teleport.com. My public key is: - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6.2
-----END PGP SIGNATURE----- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "Is the operating system half NT or half full?" From alano at teleport.com Sat Jan 13 23:33:44 1996 From: alano at teleport.com (Alan Olsen) Date: Sun, 14 Jan 1996 15:33:44 +0800 Subject: Good Riddance to Wiesenthal and His Nazis Message-ID: <2.2.32.19960114072240.0086b12c@mail.teleport.com> At 12:16 AM 1/11/96 -0800, you wrote: >At 6:26 PM 1/10/96, Adam Shostack wrote: >> The Wiesenthal center is very influential in Jewish circles. >>Attacking them directly would probably be a bad idea, and create bad >>associations for anonymity amongst Jews. (I'll come back to this.) > >I for one won't hesitate to criticize these Jew Nazis. This thread is near to the end as the "Nazi Card" has been played... It looks like "White Supremacists" are destined to become the "fifth horseman", thus preserving the "law of fives". I expect to see more uses of this horseman to attempt to rein in the internet under the yoke of Government control. There should be a story on one of the news tabloid shows any day now... OBNonSequiter: I was going through old mail and came upon a rant claiming that "the End of the Government was at hand!". It reminded me of some discussions here about a year ago where various on the anarchist side were declaring the "imminent death of the state" (GIF at 11). A quote came to mind... "The death of the state is not going to be like some old man dying in the corner. It will be like an old man in a crowded building having an epileptic seizure with lots of guns!"
| Remember: Life is not always champagne. Sometimes it is REAL pain. | |"The moral PGP Diffie taught Zimmermann unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From declan+ at CMU.EDU Sun Jan 14 00:10:27 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sun, 14 Jan 1996 16:10:27 +0800 Subject: exposure=deterence? In-Reply-To: <199601140345.VAA26416@intellinet.com> Message-ID: Excerpts from internet.cypherpunks: 13-Jan-96 exposure=deterence? by Charlie Merritt at intellin > We need the credits now that the movie is over. > How much money was spent? [FOI anyone?] If the investigation is indeed over, a FOI request is possible, no? -Declan From tcmay at got.net Sun Jan 14 03:00:15 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 14 Jan 1996 19:00:15 +0800 Subject: Buying Digital Postage Stamps Anonymously Message-ID: This came up in today's Bay Area Cypherpunks meeting (a very good meeting, by the way). It also has come up in a couple of the messages here, with mention made that the stamp seller may know who is using his remailer because he has records of who he sold the stamps (= numbers) to. There are several standard solutions: 1. Two-way anonymous communication, and two-way anonymous e-cash. ("Wrappers" and all that stuff, stuff I don't hear us talking about much lately...) 2. "Stamp mixes," wherein users exchange stamps bought earlier. (This still depends on trust that the seller will not have kept copies of the stamps for his own use, thus wiping out the value of one's new stamps, or that he won't keep records. Anonymity techniques in the mix could help with some of these problems.) 3. Cash purchase with message pool posting. This last one I'll spend a moment describing, as it is very easy to understand, and is robust against a lot of attacks.
Alice wishes to buy 100 remailer stamps, each worth 20 cents. She places a $20 U.S. banknote and a diskette containing a public key in an ordinary paper envelope and mails it from a random mailbox to Bob. She also includes a simple phrase to make it easier for her to later find the stamps, such as "Rosebud." Bob creates the digital stamps, encrypts the list of them with the public key provided, puts the name "Rosebud" on the file, and places it on his Web page which is visited by many people daily, or, for more security, posts it to a Usenet group devoted to such things (such as alt.anonymous.messages). Alice retrieves the digital stamps by either visiting Bob's Web site, with some small amount of identity leakage possible, or reads the messages in alt.anonymous.messages (with even less chance of leakage). Or, Alice could use a Web proxy to more securely visit the site. The net result is that Alice has $20 worth of digital stamps, Bob has a $20 bill and will honor the stamps he issued, and Bob doesn't know who he sold them to. This is how easily it could be done. Digital cash is not needed, at this granularity ($20 bills sent through the mail), and simple trust works. (We talk a lot about "reputations," and this is a concrete example. Protocols that "force" Bob to honor a digital stamp, instead of relying on his willingness to honor his promises, are vastly harder to design and use than are such simple, micro-trust transactions.) Different remailers would have different stamps, different rates, etc., and a remailer script (for a "premail"-like app?) could take the remailer hops planned, pull a stamp off the list of unused stamps, and put the number in a remailer-like header field, such as: :: Digital-Stamp: 5he20o#xL3p01SA29s The receiving remailer would decrypt the message with its private key, check the digital stamp field (as above, or in a real header format, whatever), and see if the stamp is in its list of "issued, but unused" stamps. 
And so on, in the obvious way. Seems straightforward to do. --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From llurch at networking.stanford.edu Sun Jan 14 03:08:34 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sun, 14 Jan 1996 19:08:34 +0800 Subject: Respect for privacy != Re: exposure=deterence? In-Reply-To: Message-ID: On Sat, 13 Jan 1996, jim bell wrote: > 1. Individual private citizens acting on their own deserve privacy and > anonymity. > 2. Government employees receiving paychecks based on tax dollars stolen > from members of the public do not. Disregarding the high-falutin' diction, why not? Certainly, expose everything they do at work, but I don't see that tracking someone down personally serves any purpose. > 3. Individuals not harming others deserve privacy and anonymity. > 4. Government employees threatening citizens with large fines and jail > time, for doing what we consider right and good, do not. I strongly disagree, and the fact that it's a government is irrelevant. Everybody deserves privacy: criminals, government employees, and people you like as well. Of course, you have the right to investigate any person, in keeping with the law. Public figures must give up some privacy to help ensure that they are not involved in blatant (I did say blatant) conflicts of interest, and they lose certain points in libel cases, but it should not go beyond that. 
-rich "Microsoft has opted not to include certain components of NT in the evaluation process, not because they would not pass the evaluation, but to save time by reducing the load on the NSA." C2 Evaluation and Certification for Windows NT http://www.microsoft.com/kb/bussys/winnt/q93362.htm [Whether they mean saving load on the testing team or on subsequent NSA investigations involving NT machines is not specified.] From ghio at netcom.com Sun Jan 14 19:52:22 1996 From: ghio at netcom.com (Matthew Ghio) Date: Sun, 14 Jan 96 19:52:22 PST Subject: anonymizer.cs.cmu.edu Message-ID: <199601150349.TAA01319@myriad> I tried this site http://anonymizer.cs.cmu.edu:8080/prog/snoop.pl using Mosaic 2.7b2 and was told: Your computer is a X11;Linux 1.2.13 i486. Your Internet browser is NCSA Mosaic. You just visited the Anonymizer Home Page. With Arena it gave me: Your Internet browser is Arena/0.96s libwww/. Lynx came up with even less: Your computer is a Unix box. Your Internet browser is Lynx. I did manage to completely confuse it with:
> myriad:~> telnet anonymizer.cs.cmu.edu 8080
> Trying 128.2.199.14...
> Connected to LCON.PC.CS.CMU.EDU.
> Escape character is '^]'.
> GET /prog/snoop.pl
>
> I CAN SEE YOU
>
> text="#FFFFFF"
> vlink="#dbdb70"
> link="#FFFF00"
> alink="#1010ff"
>
> Anonymizer logo
>
> Many people surf the web under the illusion that their actions are
> private and anonymous. Unfortunately, it isn't so. Every time
> you visit a site, you leave a calling card that reveals where
> you're coming from, what kind of computer you have, and other
> details. Most sites keep logs of all your visits. In many cases,
> this logging may constitute a violation of your privacy.
>
> Here's a sampling of the kind of information that a site can
> collect on you (please wait a moment):
>
> Your name is probably ajurison, and you can be reached at ajurison at netcom20.netcom.com.
>
> Your Internet browser is [unknown browser].
This time it actually took a stab at the user name, and got it completely wrong, although the hostname (netcom20.netcom.com) was correct. I suspect it used finger and took a wild guess. The rest of the information is obvious from the User-Agent header, though I find it unusual that the new Mosaic reports the cpu/os type:
User-Agent: NCSA_Mosaic/2.7b2 (X11;Linux 1.2.13 i486) libwww/2.12 modified
Mosaic 2.4 reports only:
User-Agent: NCSA Mosaic for the X Window System/2.4 (L10N-2.4.0) libwww/2.12 modified
Lynx reports:
User-Agent: Lynx/2.2 libwww/2.14
The statement "Your computer is a Unix box." seems to be just a likely guess, but it could be wrong, because there is a version of lynx for MSDOS. What surprises me is not the information this got, but what it *DIDN'T* get. It never managed to figure out my username, despite the fact that netcom runs identd, and all three web browsers give it my username when they opened the FTP connection. It only reported the hostname in one instance, and seems to be ignoring the info from the ftp session. This "snoop" script isn't getting half the information it could! From vznuri at netcom.com Sun Jan 14 20:35:45 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sun, 14 Jan 96 20:35:45 PST Subject: Net Control is Thought Control In-Reply-To: <01BADFF7.0DBE4740@blancw.accessone.com> Message-ID: <199601150435.UAA11531@netcom3.netcom.com> >the problem that "covert thought control" becomes more possible with >an information age that does not handle identity in any "permanent" or >"enduring" way. agent provocateurs etc. may be more difficult to identify >and easier to create and maintain. in fact a single "government >thought control agent" might be able to create and maintain dozens of >convincing identities, all of them working to subtly manipulate the >population's thinking without detection. (...)
>........................................................................................................... > >I read the book, too, Nuri, and I think you overlooked an important point. It doesn't matter about the identity of the provocateur. It is the identity of the "target" which is crucial. It is when the prisoner in a psychologically restricted setting begins to identify with their agent-provocateur cell mates, to sympathize with and accept their ideology, that change in that prisoner's mind becomes possible and the thought control is achieved. I don't understand your point. both the agent provocateur and "victim" are crucial to the process of brainwashing. they are the yin and yang of it all, of course, and I am certainly not arguing otherwise. what I was pointing out was that it is increasingly difficult to identify people's secret agenda in cyberspace. if in the real world, someone eventually successfully identifies an agent provocateur (or any kind of criminal for that matter) they are "outed" with their mug shot and fingerprints or whatever. now, in cyberspace you have no such "leash" or "handle" on identity. a single person could be a zillion different agent provocateurs all over cyberspace, but if you out him in one place, you don't out him anywhere else. if you find that some pseudonym is actually a government agent, you have little recourse. you could discredit that single pseudonym, but potentially the person behind it has plenty of others to play with. cypherpunks probably say, "oh yeah, that's cyberspace's greatest design feature". this tends to mask some of their assumptions: 1. you can't commit a crime in cyberspace. 2. so what if someone has a zillion identities all over the place. I disagree with both of these premises, but of course I'm not going to get anywhere arguing with anyone that starts with them as given. you were talking about prisoners identifying with the agent provocateur.
I was trying to draw the analogy to a mailing list scenario where the people on the list are the "victims" (not "prisoners"). the situation is the same: the "victims" are in danger if they begin to identify with the brainwashing agent. the agent of course will show few signs of his true identity or actual agenda. > >This change in the prisoner's image of themselves is not so easily accomplished in a setting where they are free to leave, free to seek and hear other points of view - more importantly, the actual truth. that's very true, but you must realize how powerful peer groups are. a prison is just one kind of peer group. workplace employment, the cypherpunks, or really any kind of group *always* has a pecking order and peer pressure. there are all kinds of opinions on certain subjects that are wholly relevant to this list that are "taboo" to talk about on this list if the poster is interested in working his way up the "perceived reputation pecking order". any place you have a group, and peer pressure, you have the opportunity to manipulate people. > "The primary effect of unfreezing is that it makes the prisoner seek information > which will guide him in finding an adaptational solution to his problems. Such > information can be gotten to some extent from the propaganda input to him > via the mass media, lectures, loudspeakers, etc., but more likely is ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ obtained > from cell mates or interrogators who begin to be models of how to adapt > successfully. I agree, a prison is the easiest place to brainwash people, but I think the authors were interested in writing their book precisely because they recognized the techniques they were describing are reflected in many "legitimate" social institutions.
> The prisoner who has been unfrozen begins to treat the interpersonal cues he obtains from them as credible and valid, and begins to take their point of view seriously, where previously he may have paid no attention to it or even discounted it."

again, the entire book is prison-specific. I would be very interested of course in a study dedicated to cyberspace, but lacking that the research is the closest analogy. Alcoholics Anonymous is another example of a group that is not prison oriented but shares all the brainwashing techniques the authors identify. (I am not saying AA is a brainwashing organization. neither am I saying they are not.)

>A mistake people make even when they are not physically imprisoned, is that they seek to benefit by association: they will accept an appearance of confidence as equivalent to knowledge, accepting the word of those who "seem to know", instead of searching for definite facts. They come to depend upon their identification with groups of such like-minded people, and thus get themselves in trouble when the whole herd is suddenly corralled and taken for a ride (by their leaders).

you are thinking too literally in terms of the research. the techniques are not at all required to be practiced in a prison. I can give you numerous examples of the same techniques used in many institutions, groups, and settings far removed from a prison atmosphere. they are not primarily religious either.

>Rather than worry so much about anyone's actual identity as a determining factor in what one will accept from them, I think it is much more critical to consider the content of the information they offer; to develop one's judgement (to "know how to know") so to be able to evaluate that information and make realistic decisions for oneself about what to support or what actions to take.
>

classic cypherpunks argument. problematic in the real world.
we have laws that require disclosure of who pays politicians in their campaigns, yet one could make the argument, "rather than worry about people's identity, let their money and interests speak for themselves."

I agree that information should on one level be judged independently of the source. but there's just no doubt that the *origin* of the message is *itself* often *very*valuable* information. that is, the messenger's identity is *part* of the message. of course, it is not *the* message. this belief leads to things like the "genetic fallacy" (proof by discrediting reputation) course.

agent provocateurs and brainwashers will benefit immensely from your attitude. they will be the first to emphasize, "why are we so concerned about people's backgrounds? let people say what they want to say and judge them on the message".

I am not saying we should have a purity test on the cypherpunks list. I'm simply pointing out that the idea that identity and communication are not related is preposterous by strong refutation of the real world.

another possibility is a whole army of false personas creating a nonexistent "consensus" by sheer force and magnitude of postings in cyberspace. would you care to deny such a thing is possible? there may be active research projects underway this very moment here or elsewhere. it would be difficult to establish a control to quantify efficacy for this kind of experiment, but probably not beyond someone with some ingenuity and malice.

the next time you see a flamewar, ask yourself this question: what would I think if I found out every opinion and post on one side was manufactured by a single person? how can you be so sure they aren't?

there is absolutely no doubt that humans are very strongly influenced by *who* is behind a message. it is one of the elements they use to judge reasonableness of a message when there are not other obvious factors to judge the message (such as: it is about the future, it is about what people "should" do, etc.).
to deny this is to deny basic human nature. consensus, and perception of consensus, are two different animals, and the agent provocateur understands the subtle distinction and *exploits* it in his favor.

I don't expect anyone to understand these points. such a contrarian position (here anyway) will likely be flamed. no surprise there.

From rfb at lehman.com Sun Jan 14 20:39:30 1996
From: rfb at lehman.com (Rick Busdiecker)
Date: Sun, 14 Jan 96 20:39:30 PST
Subject: Bignum support added to XLISP 2.1h
In-Reply-To:
Message-ID: <9601150438.AA22146@cfdevx1.lehman.com>

    Date: Wed, 10 Jan 1996 11:26:49 -0500
    From: Peter Wayner

    Many cypherpunks might enjoy programming in XLISP 2.1h because the freely available implementation of LISP now offers support for BIGNUMS. That means it is quite easy to write cryptographic algorithms that use very large numbers without adding extra support. The downside is that the language is interpreted and thus much slower than something like C.

This is good to hear. However it's also worth noting that a number of other freely available lisps, e.g. CLISP, gcl (previously kcl and akcl) and CMU Common Lisp, also support bignums. CMU Common Lisp has the disadvantage of not being as portable as the others, but has the advantage of compiling to native code on supported architectures which include Sparc, Pmax, and HP.

    It should also be possible to write RSA in a very short XLISP program. I don't know if you can do 4 lines, but it should be quite short.

Yup. I've written some code that generates large numbers, tests for primality and does RSA. The basic RSA encode is just (mod-expt m e n) and decrypt is (mod-expt c d n) where mod-expt is just an optimized version of (mod (expt x p) n), ala Schneier, page 200 (1st edition). Even with CLISP (compiles to a byte code which is then interpreted), I've generated RSA keys in the range that PGP deals with.
Rick

From don at wero.cs.byu.edu Sun Jan 14 22:14:17 1996
From: don at wero.cs.byu.edu (Don)
Date: Sun, 14 Jan 96 22:14:17 PST
Subject: (none) [httpd finding your identity]
In-Reply-To: <30F8596B.5611@netscape.com>
Message-ID: <199601150454.VAA00449@wero.cs.byu.edu>

-----BEGIN PGP SIGNED MESSAGE-----

> I've removed the code that uses the e-mail address as the FTP password for anonymous FTPs.

Does that mean that general-purpose ftp won't be accepted unless the user gives up their email? Greaaaaaaat... Can't have it both ways, I guess.

What can be added as far as user control; inline vs non-inline, for example. The FTP explanation certainly explains why my personal system is able to confuse the username part of it.

And I know there's nothing anyone can do about the reverse-ip, but what about http referral field? Will there be a way to turn off (blank, actually) this field?

Jeff, your efforts are certainly appreciated - your ability to get these things done is most valuable.

Regarding the anonymizer: First, are there any working anonymizers yet? Second, is there any ISP that would be willing to give a home to the anonymizer?

Don

- --
fRee cRyPTo! jOin the hUnt or BE tHe PrEY
PGP key - http://students.cs.byu.edu/~don or PubKey servers (0x994b8f39)
June 7&14, 1995: 1st amendment repealed. Junk mail to root at 127.0.0.1
* This user insured by the Smith, Wesson, & Zimmermann insurance company *

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBMPneFsLa+QKZS485AQFq6gMAqAfHurwzZe9KTvmfWsg40iGubTHjlB2m
okvm6aHMjfOGRdHcSwD3sfSuuZ2suWS875qFDV06ITgbrWXJK3sb7lO9WPnU+0Of
8NFmEDZQNbQ8cqcio/NiT6PURp3NBc1+
=xQVe
-----END PGP SIGNATURE-----

From jcobb at ahcbsd1.ovnet.com Sun Jan 14 22:18:47 1996
From: jcobb at ahcbsd1.ovnet.com (James M. Cobb)
Date: Sun, 14 Jan 96 22:18:47 PST
Subject: DEC's MICROCASH
Message-ID:

Friend,

01 14 96 Edupage includes:

    MICROCASH

    Digital Equipment filed a patent last August for a payment system called Millicent, which enables Web-site operators to charge as little as a tenth of a cent for each customer "hit." The system relies on middle-men -- credit card companies or digital banks -- to handle the transactions, but its novelty lies in its cost-effective design geared toward tracking minuscule amounts of cash. To keep disk storage at a minimum, security measures providing privacy and a trail of signed receipts are not included in the system, but proponents point out that would-be cyberthieves would have to crack a lot of transactions -- 10,000 at 0.1 cent each -- to make just $10. "There are easier ways to make 10 bucks," says Millicent's inventor. (Business Week 15 Jan 96 p90)

Cordially,

Jim

From attila at primenet.com Sun Jan 14 23:07:42 1996
From: attila at primenet.com (attila)
Date: Sun, 14 Jan 96 23:07:42 PST
Subject: COMMUNITY CONNEXION REFUSES TO CENSOR INTERNET SERVICES
In-Reply-To:
Message-ID:

On Sun, 14 Jan 1996, Jonathan Zamick wrote:

>
> Ok, I know better than to get into:
> a) Totally off topic discussions on lists
>

absolutely, I should have restrained my comment to sameer to: "thank you for standing up for all our rights."

> and even worse
> b) Political, off topic discussions.
>

political --yes, unfortunately. Off topic --well it is our liberties and our freedoms --and after CI$ using the German prosecutor as an excuse to preempt Exon...

Yes, I agree, let's muff it; I did not completely or correctly express myself. I advocate the total conservative-libertarian belief in the absoluteness of the first amendment. Unfortunately, it seems to be necessary to place a limit as to what constitutes constitution freedoms v. the public good. However, I abhor an ever expanding bureaucracy which can only degenerate into an ever more powerful thought police.
This is the same concept we, as cryptologists, dedicated to freedom of expression, privacy, and a means to avoid the fear of government intervention, are willing to confront that very authority.

> However, I really do feel it's my obligation to offer a counterpoint to Attila here. (Not a sanction of his own discussion, but a little debate.) I do this because I had a long talk with someone who liked to use weighted terms to speak against jews and jewish organizations, and am still a wee bit sensitive.
>

no, I agree with your premise. I did not intend to imply the "jews are at fault" or any such hate drivel --only that the SWC was out of bounds and succumbing to the call for restrictions of the rights they themselves have so long championed.

my real objection to the SWC is the expectation of guilt; the sins of the father shall be visited upon the sons and their sons, etc. you can not live and grow in history. there is _no_ present, only the future. and the future is NOW!

> What the SWC asked was idiotic. However, they are in no way guilty of the same 'mind-control tactics as the core Nazi party.'

we can probably disagree forever --it is a semantical issue. unfortunately, both were built on general fear and hysteria. However, it is essential to fully understand the SWC has NEVER advocated any "final solution" or any other such rot against humanity.

>
> The reason I'm so sensitive about these things is that the person I had a debate with over this area before could see nothing done by Jews in a positive light.
>

well, I guess the person you were confronting was insecure with himself and perhaps even envious of the enormous contributions the Jews have been in the advancement of knowledge over history --the musicians, writers, statesmen, and so on. I take issue with their general politics, more so because it breeds a backlash which endangers all of us --including them, but that is not an issue to cast a negative pall.
without trying to start another political war between the anarcho-libertarians, progressive libertarians, Jeffersonian democrats, Hamilton-Madison-Jay Federalists, centrists, republicans, conservative democrats, liberal democrats, socialists, and marxists (did I miss too many shades other than the oligarchists, plutocrats, feudal, and totalitarian states), let's all take a little natural Melotrin and head for pleasant dreams!

__________________________________________________________________________
    go not unto usenet for advice, for the inhabitants thereof will say:
    yes, and no, and maybe, and I don't know, and fuck-off.
_________________________________________________________________ attila__

    To be a ruler of men, you need at least 12 inches....

From bruceab at teleport.com Sun Jan 14 23:40:47 1996
From: bruceab at teleport.com (Bruce Baugh)
Date: Sun, 14 Jan 96 23:40:47 PST
Subject: (fwd) Usenet, No Exit: A Theological Parable
Message-ID: <199601150740.XAA29690@desiree.teleport.com>

Path: nntp.teleport.com!psgrain!newsfeed.internetmci.com!in1.uu.net!CS.Arizona.EDU!news.Arizona.EDU!packrat.aml.arizona.edu!dsew
From: dsew at packrat.aml.arizona.edu (David Sewell)
Newsgroups: news.admin.net-abuse.misc,alt.culture.usenet,alt.usenet.kooks
Subject: Usenet, No Exit: A Theological Parable
Date: 15 Jan 1996 05:28:09 GMT
Organization: Department of Geosciences, University of Arizona
Lines: 116
Message-ID: <4dcol9$c4u at news.ccit.arizona.edu>
NNTP-Posting-Host: packrat.aml.arizona.edu
Summary: What if Boursy/Grubor/Slaton/Vulis went to Heaven...
Keywords: satire spam abuse
Xref: nntp.teleport.com news.admin.net-abuse.misc:35135 alt.culture.usenet:22509 alt.usenet.kooks:27121
Status: N

USENET, NO EXIT
A Theological Parable

Once upon a time, Stephen Boursy, John Grubor, Jeff Slaton, and Dimitri Vulis were all travelling together on a bus--probably to "visit" someone, but the story doesn't say.
While rounding a hairpin turn on a treacherous mountain road, the bus suddenly skidded, broke through the guardrail, and plunged two thousand feet, instantly killing everyone on board.

Boursy, Grubor, Slaton, and Vulis awoke to find themselves floating on soft clouds before a massive pearly gate, where an old man with dazzling white robes and a long fleecy beard greeted them. "I am St. Peter," he said. "Tell me who you are and what you have done with your lives, to help me decide where you belong."

The four eyed each other nervously. Finally Jeff Slaton stepped forward. "Saint Peter, I have aided millions of computer users by championing free enterprise and protecting the Internet from the forces of socialism and hypocritical elitism. I would be honored to offer my skills in the service of Heaven!"

Next Boursy gathered courage. "I have fought evil outlaws who pretend to be other people in order to cancel their words!"

Nearly elbowing him aside in his eagerness came Grubor: "St. Peter, I have valiantly rid the Internet of pushers of hard drugs, and defended the God-given American right of free speech!"

Last of all Vulis came forward and flung out his chest as he said, "Like my mentor and countryman Solzhenitsyn, I have exposed the wiles of evil stukachi and the lying forger Pidor Vorobieff!"

St. Peter scratched his head and sighed. "I'm afraid I'm not very up to date on computers, but Raphael surfs the Net. Please wait just a moment."

Instantly there appeared a heroic archangel in shimmering armor. "What IS it, Peter?" he said. "I *finally* found a moment to install the ELF binaries on His Linux system..."

St. Peter pointed to the four new arrivals, and began a whispered conference with the archangel. Finally St. Peter turned back to them, and with a wide smile said, "We have chosen accommodations for you; Raphael will show you to your quarters!"
Everything faded; and when the four could focus their eyes again, they were with Raphael in a gleaming white room scented with incense and adorned with precious gems. A luxurious feather-bed stood against each wall, and next to each one a gleaming Pentium computer.

"Here you are," said Raphael. "You've all got Windows 95 and Ethernet connections, plus full access to the Web."

"What about Usenet?" asked Grubor, a mite suspiciously.

Raphael smiled indulgently. "Would we offer an inferior product here? We who know the secrets of your hearts have designed for you a news network fit for eternity. Ten thousand newsgroups, no article cancellation, no charters, no FAQs, no vote-takers, no rules. As Augustine said, 'Love God, and post what thou wilt.'"

"Do you carry heaven.admin.policy?" asked Boursy.

"Yes, my child."

"Heaven.is and heaven.is.too?" asked Grubor.

"Of course."

"You mean no cancelbots?" asked Slaton.

"Goodness, no, the idea!"

"Does heaven.culture.russian have a moderator?" asked Vulis.

"Who but you, my dear Doctor?"

"You've all got shell accounts on otherworld.org," Raphael continued. "Use trn to read news and Pnews to post. Of course our version of Pnews doesn't give you that silly scolding about how much money your post is going to cost the entire Net."

The four rushed to their computers, and for some time nothing could be heard but the clacking of keys against the faint background of harp music. At length all were silent, until Slaton shouted, "Gather round, and let's see the fun!" As the others crowded about his terminal, he typed "trn", and tapped his fingers impatiently until a prompt appeared:

    ====== 4 unread articles in heaven.general -- read now? [+ynq]

"Hmm, that's kind of odd..." Slaton murmured as he hit the + key.

    a Sanctified Spam       1  No more A P O L O G I E S, Suu--eeeee!
    b Doctor of Theology    2  Chris Lewis needs an angelic visitor!
      Stephen Boursy           >Make that two angelic visitors!
    d Dr. Dimitri Vulis     1  First List of lying stukachi Seraphim

    (Mail) -- Select threads (date order) -- All [Z>] --

"WHAT??" the four cried, with one voice. "Where's the rest of the posts? Where's everybody else??!!"

Raphael's eyes gleamed. "Who said anything about anyone else?"

For the first time ever, Boursy had a clue. "Where... just where ARE we, anyway?"

Raphael quickly strode to the door and turned as he passed through. "You know what Sartre said. L'Usenet, c'est les autres! Enjoy eternity!" And with that the door shut and the lock clicked with an authoritative "sneck!".

And as the four rushed wild-eyed to their terminals to compose furious denunciations, eight eyes processed in horror the message that appeared there:

    Broadcast Message from root at otherworld (/dev/tty1) at 00:00 ...

    System going down in 2 minutes, back up in a few aeons
    --Chris Lewis, SysAdm

*** ***
THE END

--
David Sewell * dsew at packrat.aml.arizona.edu | "Seekers for gold dig much
Dep't of Geosciences, Univ. of Arizona         | earth, and find little gold."
WWW: http://packrat.aml.arizona.edu/~dsew/     | --Heraclitus

bruceab at teleport.com - <*> - http://www.teleport.com/~bruceab/index.html
List Manager, Christlib, where Christian & libertarian concerns hang out
Science fiction readers: Preview S.M. Stirling's DRAKON and WORD OF NIGHT (the new Marid Audran novel by George Alec Effinger) at my home page.
New PGP key on Web key servers; old keys are toast.

From sinclai at ecf.toronto.edu Mon Jan 15 05:04:21 1996
From: sinclai at ecf.toronto.edu (SINCLAIR DOUGLAS N)
Date: Mon, 15 Jan 96 05:04:21 PST
Subject: Respect for privacy != Re: exposure=deterence?
In-Reply-To:
Message-ID: <96Jan15.080404edt.1578@cannon.ecf.toronto.edu>

> What _I_ meant was that government employees deserve NO privacy, if for no other reason than that they've accepted tax dollars stolen from taxpayers.

I am a Canadian student, so my education is largely funded by the state using stolen money. Do I deserve privacy?
Do people receiving welfare deserve privacy?

~ Let him who is without sin cast the first stone ~

From s1018954 at aix2.uottawa.ca Mon Jan 15 05:11:28 1996
From: s1018954 at aix2.uottawa.ca (s1018954 at aix2.uottawa.ca)
Date: Mon, 15 Jan 96 05:11:28 PST
Subject: New Puzzle Palace? Re: CAQ - Secret ...
In-Reply-To:
Message-ID:

On Sun, 14 Jan 1996, James M. Cobb wrote:

> James Bamford
> The Puzzle Palace (with a new Afterword)
> Penguin Books
> 1983

Schneier's new bibliography mentions a second edition of the book published in 1995. Is this really a substantively new edition with more material or is it just being repackaged with a new Afterword? I'm just wondering whether it is worth buying to someone who has the original.

From stend at grendel.texas.net Mon Jan 15 06:48:13 1996
From: stend at grendel.texas.net (Sten Drescher)
Date: Mon, 15 Jan 96 06:48:13 PST
Subject: Zimmermann case is dropped.
In-Reply-To: <199601150642.WAA16157@ix13.ix.netcom.com>
Message-ID: <55g2dhy0o9.fsf@galil.austnsc.tandem.com>

Bill Stewart said:

BS> At 11:22 AM 1/12/96 -0600, Alex Strasheim wrote:
>> We need a large sponsor who is willing to run a more ambitious crypto archive. If an institution like MIT hosted a more generalized site where people could distribute code, it would go a long way towards thawing out the chill the government's managed to create by harassing PRZ.

BS> Oxford University, University of Milan, and Finnish University Network not big enough for you?

No, they are in the wrong countries for the desired purpose, which is to challenge ITAR.

--
#include /* Sten Drescher */
1973 Steelers    About Three Bricks Shy of a Load    1994 Steelers
1974 Steelers    And the Load Filled Up              1995 Steelers?
To get my PGP public key, send me email with your public key and
Subject: PGP key exchange
Key fingerprint = 90 5F 1D FD A6 7C 84 5E A9 D3 90 16 B2 44 C4 F3
Unsolicited email advertisements will be proofread for a US$100 fee.
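
The mod-expt operation that Rick Busdiecker's message earlier on this page uses for RSA, written out in Common Lisp as an added example (it is not Rick's code and was not posted to the list). The function bodies, the helper mod-inverse, rsa-demo, and the toy key built from two Mersenne primes are all assumptions constructed here.

```lisp
;;;; Added example: square-and-multiply modular exponentiation and textbook
;;;; RSA on Common Lisp bignums.  Names and key values are constructed.

(defun mod-expt (base exponent modulus)
  "Return (mod (expt BASE EXPONENT) MODULUS) by right-to-left square-and-multiply.
Every intermediate value stays below MODULUS squared, so the cost is one
squaring per exponent bit instead of one enormous power."
  (check-type exponent (integer 0))
  (check-type modulus (integer 1))
  (let ((result (mod 1 modulus))        ; 1, or 0 when MODULUS is 1
        (b (mod base modulus))
        (e exponent))
    (loop while (plusp e)
          do (when (oddp e)
               (setf result (mod (* result b) modulus)))
             (setf b (mod (* b b) modulus)
                   e (ash e -1)))
    result))

(defun mod-inverse (a modulus)
  "Return X with (mod (* A X) MODULUS) = 1 (extended Euclid), or signal an error."
  (let ((r0 modulus) (r1 (mod a modulus))
        (s0 0) (s1 1))
    ;; Invariant: (mod (* s0 a) modulus) = (mod r0 modulus), same for s1/r1.
    (loop until (zerop r1)
          do (let ((q (floor r0 r1)))
               (psetf r0 r1  r1 (- r0 (* q r1))
                      s0 s1  s1 (- s0 (* q s1)))))
    (unless (= r0 1)
      (error "~D has no inverse modulo ~D" a modulus))
    (mod s0 modulus)))

(defun rsa-demo ()
  "Build a toy key, encrypt and decrypt one number, return ciphertext and plaintext."
  (let* ((p (1- (expt 2 61)))           ; Mersenne primes: easy to write down,
         (q (1- (expt 2 89)))           ; far too small and structured for real use
         (n (* p q))
         (phi (* (1- p) (1- q)))
         (e 65537)
         (d (mod-inverse e phi))        ; private exponent
         (m 1234567890123456789012345678901234567890)
         (c (mod-expt m e n))           ; encode:  (mod-expt m e n)
         (m2 (mod-expt c d n)))         ; decrypt: (mod-expt c d n)
    (assert (< m n))                    ; the message must be smaller than n
    ;; For a small exponent the naive form is still computable, so the two
    ;; can be compared directly; with D as exponent (expt c d) would not fit.
    (assert (= (mod-expt m 257 n) (mod (expt m 257) n)))
    (assert (= m m2))                   ; round trip recovers the message
    ;; Textbook RSA only: no padding, so this is an arithmetic demo, not a
    ;; usable encryption scheme.
    (format t "n  = ~D~%c  = ~D~%m' = ~D~%" n c m2)
    (values c m2)))

(rsa-demo)
```

The block uses only standard Common Lisp, so it should load unchanged in CLISP, gcl or CMU Common Lisp, the implementations named in that message.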
From raph at CS.Berkeley.EDU Mon Jan 15 06:56:27 1996
From: raph at CS.Berkeley.EDU (Raph Levien)
Date: Mon, 15 Jan 96 06:56:27 PST
Subject: List of reliable remailers
Message-ID: <199601151455.GAA11739@kiwi.cs.berkeley.edu>

I operate a remailer pinging service which collects detailed information about remailer features and reliability.

To use it, just finger remailer-list at kiwi.cs.berkeley.edu

There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at:
http://www.cs.berkeley.edu/~raph/remailer-list.html

This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail, which is available at:
ftp://ftp.csua.berkeley.edu/pub/cypherpunks/premail/premail-0.33a.tar.gz

For the PGP public keys of the remailers, finger pgpkeys at kiwi.cs.berkeley.edu

This is the current info:

REMAILER LIST

This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu.

$remailer{"extropia"} = " cpunk pgp special";
$remailer{"portal"} = " cpunk pgp hash";
$remailer{"alumni"} = " cpunk pgp hash";
$remailer{"bsu-cs"} = " cpunk hash ksub";
$remailer{"c2"} = " eric pgp hash reord";
$remailer{"penet"} = " penet post";
$remailer{"ideath"} = " cpunk hash ksub reord";
$remailer{"hacktic"} = " cpunk mix pgp hash latent cut post ek";
$remailer{"flame"} = " cpunk mix pgp. hash latent cut post reord";
$remailer{"rahul"} = " cpunk pgp hash filter";
$remailer{"mix"} = " cpunk mix pgp hash latent cut ek ksub reord ?";
$remailer{"ford"} = " cpunk pgp hash ksub ek";
$remailer{"hroller"} = " cpunk pgp hash latent ek";
$remailer{"vishnu"} = " cpunk mix pgp. hash latent cut ek ksub reord";
$remailer{"robo"} = " cpunk hash mix";
$remailer{"replay"} = " cpunk mix pgp hash latent cut post ek";
$remailer{"spook"} = " cpunk mix pgp hash latent cut ek reord";
$remailer{"rmadillo"} = " mix cpunk pgp hash latent cut ek";
$remailer{"ecafe"} = " cpunk mix";
$remailer{"wmono"} = " cpunk mix pgp. hash latent cut";
$remailer{"shinobi"} = " cpunk mix hash latent cut ek reord";
$remailer{"amnesia"} = " cpunk mix pgp hash latent cut ek ksub";
$remailer{"gondolin"} = " cpunk mix pgp hash latent cut ek reord";
$remailer{"tjava"} = " cpunk mix pgp hash latent cut";
$remailer{"pamphlet"} = " cpunk pgp hash latent cut ?";
$remailer{'alpha'} = ' alpha pgp';
$remailer{'gondonym'} = ' alpha pgp';

catalyst at netcom.com is _not_ a remailer.
lmccarth at ducie.cs.umass.edu is _not_ a remailer.
usura at replay.com is _not_ a remailer.

Groups of remailers sharing a machine or operator:
(c2 robo hroller alpha)
(gondolin gondonym)
(flame hacktic replay)
(alumni portal)
(vishnu spook wmono)

Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too.

Note: all of the "ek" tags have been verified correct. Apologies to those who were inconvenienced by incorrect "ek" tags in the past.

Last update: Mon 15 Jan 96 6:48:07 PST

remailer  email address                    history        latency   uptime
-----------------------------------------------------------------------
bsu-cs    nowhere at bsu-cs.bsu.edu        ++#+*##*---*     20:42  100.00%
c2        remail at c2.org                 *-+*********     17:00   99.99%
replay    remailer at replay.com           ***+********      5:47   99.99%
ecafe     cpunk at remail.ecafe.org        *###########   2:12:32   99.99%
flame     remailer at flame.alias.net      ++++++++++++     52:25   99.99%
mix       mixmaster at remail.obscura.com  -----------    2:12:08   99.96%
ford      remailer at bi-node.zerberus.de  .--.-.-*++++   4:17:19   99.95%
pamphlet  pamphlet at idiom.com            ++++++++++++     44:27   99.93%
vishnu    mixmaster at vishnu.alias.net    ++*+********     22:18   99.89%
hacktic   remailer at utopia.hacktic.nl    ***+********      8:14   99.88%
alumni    hal at alumni.caltech.edu        +*+**--*+***     12:30   99.88%
portal    hfinney at shell.portal.com      #####*##*+++     10:33   99.85%
penet     anon at anon.penet.fi            -----------   10:09:06   99.83%
rmadillo  remailer at armadillo.com        ###### ##+#*      2:00   99.71%
tjava     remailer at tjava.com            +########+#      59:00   99.54%
spook     remailer at valhalla.phoenix.net --.-* * - *    1:54:34   94.25%
extropia  remail at extropia.wimsey.com    - -.-----      6:01:55   93.81%
hroller   hroller at c2.org                #-#####-# #       3:50   90.56%
rahul     homer at rahul.net               #####+** ###       :57   99.49%
shinobi   remailer at shinobi.alias.net    _____.-       25:51:28   85.47%
wmono     wmono at valhalla.phoenix.net    * -            1:02:01   70.76%

History key
* # response in less than 5 minutes.
* * response in less than 1 hour.
* + response in less than 4 hours.
* - response in less than 24 hours.
* . response in more than 1 day.
* _ response came back too late (more than 2 days).

cpunk    A major class of remailers. Supports Request-Remailing-To: field.
eric     A variant of the cpunk style. Uses Anon-Send-To: instead.
penet    The third class of remailers (at least for right now). Uses X-Anon-To: in the header.
pgp      Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID.
hash     Supports ## pasting, so anything can be put into the headers of outgoing messages.
ksub     Remailer always kills subject header, even in non-pgp mode.
nsub     Remailer always preserves subject header, even in pgp mode.
latent   Supports Matt Ghio's Latent-Time: option.
cut      Supports Matt Ghio's Cutmarks: option.
post     Post to Usenet using Post-To: or Anon-Post-To: header.
ek       Encrypt responses in reply blocks using Encrypt-Key: header.
special  Accepts only pgp encrypted messages.
mix      Can accept messages in Mixmaster format.
reord    Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself.
mon      Remailer has been known to monitor contents of private email.
filter   Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering.

Raph Levien

From perry at piermont.com Sun Jan 14 15:37:35 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Mon, 15 Jan 1996 07:37:35 +0800
Subject: Shimomura on BPF, NSA and Crypto
In-Reply-To: <9601131747.AA11926@zorch.w3.org>
Message-ID: <199601142325.SAA26223@jekyll.piermont.com>

hallam at w3.org writes:
>
> >Tsutomu has lots of glib rhetoric about how he just builds tools and they can be used for good or evil. This tool is custom-designed for evil.
>
> Rubbish, it would allow me to do something I urgently need to do - measure the performance of the main internet links. This is presently very difficult to do since the Berkeley sockets provide no network performance information to the application layer.

There is no need to have the code to provide such information conceal the fact that it is on the machine, fake interrupt counts, etc.
> What I need is a means of determining the fragmentation, packet delay, throttling rate etc etc. This is information available in the Kernel but I don't know how to get at it.

There are plenty of tools on the average unix box for asking such questions, and all kernel variables can be read via /dev/kmem in any case.

Perry

From jimbell at pacifier.com Sun Jan 14 15:45:08 1996
From: jimbell at pacifier.com (jim bell)
Date: Mon, 15 Jan 1996 07:45:08 +0800
Subject: Respect for privacy != Re: exposure=deterence?
Message-ID:

At 02:59 AM 1/14/96 -0800, Rich Graves wrote:
>On Sat, 13 Jan 1996, jim bell wrote:
>
>> 1. Individual private citizens acting on their own deserve privacy and anonymity.
>> 2. Government employees receiving paychecks based on tax dollars stolen from members of the public do not.
>
>Disregarding the high-falutin' diction, why not?
>
>Certainly, expose everything they do at work, but I don't see that tracking someone down personally serves any purpose.

Tell that to Simon Wiesenthal, who (until his recent conversion to statism) was under the impression that tracking down people who did bad things for the government was not only acceptable, but in fact laudatory.

>> 3. Individuals not harming others deserve privacy and anonymity.
>> 4. Government employees threatening citizens with large fines and jail time, for doing what we consider right and good, do not.
>
>I strongly disagree, and the fact that it's a government is irrelevant.

Since government is funded by stolen dollars, it ISN'T irrelevant.

>Everybody deserves privacy: criminals,

I agree, to the extent that an unconvicted person who happens to be a criminal is also an ordinary citizen.

> government employees,

I _Disagree_, especially after they've committed crimes for the government.

> and people you like as well. Of course, you have the right to investigate any person, in keeping with the law.
If "the law" is used to protect government-employed criminals, then the law is wrong and we should disregard that portion of it.

From GPB at goofy.ee.swin.oz.au Sun Jan 14 15:49:16 1996
From: GPB at goofy.ee.swin.oz.au (George Banky)
Date: Mon, 15 Jan 1996 07:49:16 +0800
Subject: Membership of list
Message-ID:

Please advise on how I can join.

Regards,

e-mail: gpb at goofy.swin.edu.au

From llurch at networking.stanford.edu Sun Jan 14 15:56:50 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Mon, 15 Jan 1996 07:56:50 +0800
Subject: COMMUNITY CONNEXION REFUSES TO CENSOR INTERNET SERVICES
In-Reply-To: <2.2.32.19960114231553.00943bb4@panix.com>
Message-ID:

On Sun, 14 Jan 1996, Duncan Frissell wrote:

> At 04:14 PM 1/14/96 +0000, attila wrote:
> >
> > an excellent statement, sameer. many of our population around the world will voice these sentiments, but how many will care to implement in the face of an onslaught by pressure groups, government, self-serving news services, etc?
>
> Of the 7000+ ISPs on Earth, more than 1000. More than enough.

To play Devil's Advocate here, I don't think this is as big a deal as either side is making it out to be.

At least according to dgillmor's column in today's San Jose Mercury News, SW meant (or has "clarified" his statements to mean) that he favors only limited remedial (not prior) restraints on "hate speech" (whatever the hell that means) on Web pages that approach "publishing" quality and distribution. SW does not favor and in fact opposes censoring newsgroups and email. Throw that straw man away, and deal with these issues, as "clarified."

Of course some ISPs with no backbone will, and already do, censor newsgroups, but this is not what SW is asking for (at least, not now).

I don't think any media outlet should be forced to carry something it finds objectionable.
Libertarian notions like freedom of association and the fact that freedom of the press belongs to the guy who owns the damn press come into play here. I very much applaud Sameer for his principles and hard work, but SW and the like have their own principles. They're not incompatible in a free society. I'd love it if the Christian Coalition would start an ISP (they already have a Web site and private local dialups for special staff), and control access however they wanted. I certainly wouldn't subscribe, but maybe my Dad would. Maybe then they'd start to understand the technical issues, and start leaving everyone else alone. To some extent, this has happened with CBN and Liberty University (Pat Robertson and Jerry Falwell), which have marginalized themselves. -rich owner-win95netbugs at lists.stanford.edu ftp://ftp.stanford.edu/pub/mailing-lists/win95netbugs/ gopher://quixote.stanford.edu/1m/win95netbugs http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html From tjic at OpenMarket.com Mon Jan 15 08:09:37 1996 From: tjic at OpenMarket.com (Travis Corcoran) Date: Mon, 15 Jan 96 08:09:37 PST Subject: c'punks at RSA conference Message-ID: <199601151609.LAA03884@cranmore.openmarket.com> -----BEGIN PGP SIGNED MESSAGE----- Message-Signature-Date: Mon Jan 15 11:09:09 1996 Sorry if I've missed any previous posts on this topic, but... are any subscribers to this list going to be at the RSA conference this week? If so, anyone interested in doing a PGP key-signing? Please reply via email; I'm certain to read it before travelling. - -- TJIC (Travis J.I. Corcoran) http://www.openmarket.com/personal/tjic/index.html Member EFF, GOAL, NRA. opinions (TJIC) != opinions (employer (TJIC)) "Buy a rifle, encrypt your data, and wait for the Revolution!" PGP encrypted mail preferred. Ask me about mail-secure.el for emacs. 
-----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Auto-signed by mail-secure.el 1.006 using mailcrypt Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface -----END PGP SIGNATURE----- From JonathanZ at consensus.com Sun Jan 14 16:22:28 1996 From: JonathanZ at consensus.com (Jonathan Zamick) Date: Mon, 15 Jan 1996 08:22:28 +0800 Subject: COMMUNITY CONNEXION REFUSES TO CENSOR INTERNET SERVICES Message-ID: > the SWC is a prime example of very narrow view which is trying to > "control" what we can say --unfortunately, SWC is guilty of the same > mind-control tactics as the core Nazi party which persecuted them == > a very poor example. In Germany, trading on collective guilt they > will never stop feeding, they have effectively controlled the issue > so that _any_ speech or revision against their agenda is a hate crime, > and therefore a serious felony. > > thank you for standing up to the Simon Wiesenthal Center! Ok, I know better than to get into: a) Totally off topic discussions on lists and even worse b) Political, off topic discussions. However, I really do feel it's my obligation to offer a counterpoint to Attila here. (Not a sanction of his own discussion, but a little debate.) I do this because I had a long talk with someone who liked to use weighted terms to speak against jews and jewish organizations, and am still a wee bit sensitive. What the SWC asked was idiotic. However, they are in no way guilty of the same 'mind-control tactics as the core Nazi party.' That is exhibitionism, and is dangerous. They sent out a request asking ISPs to take an action. They did not demand it, imply any sort of economic response, or direct physical response. As for Germany, a number of different cultures were attacked in WWII. 
On the one hand Jews are most often discussed, because they were the most openly herded and vilified at the time. However, Russians, Poles, Gypsies, Gays and many others were also sent to camps. Germany is a very multicultural nation. The tensions, and issues of keeping a cap on racism are very important. When neonazis killed the Turkish family, thousands of Germans turned out to show that they won't stand for such again. If that is the result of actions taken by the SWC in the media, and in politics then I'd say they have done a wonderful job overall. As for attempts of revision. What sort of revision? If you mean historical revision, like the groups which claim the Holocaust (again something which affected many different groups) never happened, or was a Jewish conspiracy, then I'm glad that sort of revision is seen as a hate crime. The reason I'm so sensitive about these things is that the person I had a debate with over this area before could see nothing done by Jews in a positive light. Use of the media was whining, use of the law was sneaky, actual action was nazism. Thus I'll stop now. I don't condone what the SWC asked for in this case, and those who know my postings should know I strongly support privacy and freedom of expression. I just equally feel that it's my obligation when certain things are posted, to not let little loaded comments go unrebutted. (See whoever is there at the RSA conference this week.) Jonathan Sorry again for taking up the list's time. From llurch at networking.stanford.edu Sun Jan 14 16:25:43 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 15 Jan 1996 08:25:43 +0800 Subject: Respect for privacy != Re: exposure=deterence? In-Reply-To: Message-ID: On Sun, 14 Jan 1996, jim bell wrote: > At 02:59 AM 1/14/96 -0800, Rich Graves wrote: > >On Sat, 13 Jan 1996, jim bell wrote: > > > >> 1. Individual private citizens acting on their own deserve privacy and > >> anonymity. > >> 2. 
Government employees receiving paychecks based on tax dollars stolen > >> from members of the public do not. > > > >Disregarding the high-falutin' diction, why not? > > > >Certainly, expose everything they do at work, but I don't see that > >tracking someone down personally serves any purpose. > > Tell that to Simon Wiesenthal, who (until his recent conversion to statism) > was under the impression that tracking down people who did bad things for > the government was not only acceptable, but in fact laudatory. And then, pausing for breath only once, he wrote: > >> 3. Individuals not harming others deserve privacy and anonymity. > >> 4. Government employees threatening citizens with large fines and jail > >> time, for doing what we consider right and good, do not. > > > >I strongly disagree, and the fact that it's a government is irrelevant. > > Since government is funded by stolen dollars, it ISN'T irrelevant. > > >Everybody deserves privacy: criminals, > > I agree, to the extent that an unconvicted person who happens to be a > criminal is also an ordinary citizen. > > > government employees, > > I _Disagree_, especially after they've committed crimes for the government. I find it difficult to equate the actions of a volunteer grand juror (which is what we were originally discussing before your knee started jerking so wildly) or IRS auditor with those of Mengele. I am aware that some so-called libertarian leaders accuse the IRS of crimes against humanity, but I think they're demagogic idiots. See the non-libertarian FAQ, at http://world.std.com/~mhuben/libindex.html SW does not go after any old Nazi, just those convicted in absentia for enumerated crimes against humanity. > > and people > >you like as well. Of course, you have the right to investigate any person, > >in keeping with the law. > > If "the law" is used to protect government-employed criminals, then the law > is wrong and we should disregard that portion of it. Of course I agree. 
Actually, at the Bay Area cpunks meeting the question whether any law that can't logically be enforced is valid was brought up. Examples include the illegality of using credit information more than eight (?) years old when evaluating a loan, proposed limitations on Web spiders and Usenet archives, the Swedish laws that are supposed to outlaw maintaining computerized records with just about any kind of information about people without a license, and censorship in general. Where we differ is that I think it's bad taste and bad ethics to invade anyone's privacy. It's a question of "justifiable force" for me. I believe just about everyone with any technical understanding who reads this list has similar ethics. I don't post private email. I don't investigate politicians' home phone numbers and past relationships. It's just not relevant, unless there's specific probable cause. The threat of investigation is valid, and has a positive deterrent effect. But no one should have to live under the assumption that she has no privacy at all. -rich owner-win95netbugs at lists.stanford.edu ftp://ftp.stanford.edu/pub/mailing-lists/win95netbugs/ gopher://quixote.stanford.edu/1m/win95netbugs http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html From bshantz at nwlink.com Mon Jan 15 08:32:04 1996 From: bshantz at nwlink.com (Brad Shantz) Date: Mon, 15 Jan 96 08:32:04 PST Subject: Phil Z getting through customs Message-ID: <199601151632.IAA21061@montana.nwlink.com> attila wrote: > answer the questions truthfully and they can not detain you??? Not true, I've been detained by Canadian customs for doing just that. Everything went reasonably smoothly thanks to the customs officials lack of knowledge of NAFTA. However, one of my travelling partners had trouble with customs due to ...hmmm... their lack of knowledge of NAFTA. > Rule 1: smile regardless of the adversity That's a good rule for things other than customs dealings. 
> Rule 2: other than the three questions on the form, say nothing I was asked if I had any eggs. I still don't know why. > Rule 3: never use LA or Dulles -pick an airport with humans. Never use the airport in Ottawa, Ontario from out of the country. Fly to Detroit and get on a bus. Drive across the border to Windsor, Ont. Then, you can fly to Ottawa and not deal with customs at the airport. Later, Brad From nobody at REPLAY.COM Sun Jan 14 16:34:39 1996 From: nobody at REPLAY.COM (Anonymous) Date: Mon, 15 Jan 1996 08:34:39 +0800 Subject: COMMUNITY CONNEXION... Message-ID: <199601150023.BAA10721@utopia.hacktic.nl> Mike Duvos: > Congratulations. You win the award for this week's longest run-on > sentence. And you win this week's award for best diversionary grammar lesson. I know the difference between *actual* genocide (like, the kind a bunch of my family members died in) and what the SWC does. Is that a grammatical question? > Is there some special reason you had to post this little history > lesson anonymously? Is there any reason I should have done otherwise? I don't especially *want* a reputation, good or bad, on this list - but that doesn't have anything to do with whether I want to or should *say* something. Tell me: Why do *you* want a name attached to my history lesson? From jya at pipeline.com Sun Jan 14 17:01:44 1996 From: jya at pipeline.com (John Young) Date: Mon, 15 Jan 1996 09:01:44 +0800 Subject: Above the Law Message-ID: <199601150045.TAA20327@pipe1.nyc.pipeline.com> David Burnham, a distinguished journalist, has published: Above the Law: Secret Deals, Political Fixes, and Other Misadventures of the U.S. Department of Justice; Scribner; 1996. 444 pp. $27.50. 
ISBN 0-684-80699-1 The chapter, "Keeping Track of the American People: The Unblinking Eye and Giant Ear," nails wizard surveillance, surreptitious entry and other security-beats-privacy technotoxins: A solid argument can be made that in shaping and directing the FBI's investigative technologies from the late 1970s to the mid-1990s, Al Bayse, assistant FBI director, Technical Services Division, may well be the nation's single most influential law enforcement official since J. Edgar Hoover. Burnham cogently details DOJ and NSA plots, the bull-market in federal prosecutors, the pathology of "national security" abuse, encryption nightmares, subservient politics, careerism absent ethics. He admonishes "sleeping watchdogs" complicit with the nation's leading agency for burgeoning intrusiveness. From sameer at c2.org Mon Jan 15 09:31:53 1996 From: sameer at c2.org (sameer) Date: Mon, 15 Jan 96 09:31:53 PST Subject: (none) [httpd finding your identity] In-Reply-To: <30F9FEF0.6EAA@netscape.com> Message-ID: <199601151725.JAA16853@infinity.c2.org> > I think that there are several. The one at CMU can be reached > at http://anonymizer.cs.cmu.edu:8080/open.html. I thought that > Sameer had one at c2.org, but a quick look at his web site didn't > turn up anything. c2.org will be hosting the anonymizer shortly. We can't exactly run it off of our T1 though, so we have to wait a little while until we get T3 access. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From tcmay at got.net Mon Jan 15 09:33:18 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 15 Jan 96 09:33:18 PST Subject: New Puzzle Palace? Re: CAQ - Secret ... Message-ID: At 1:08 PM 1/15/96, s1018954 at aix2.uottawa.ca wrote: >On Sun, 14 Jan 1996, James M. 
Cobb wrote: > >> James Bamford >> The Puzzle Palace (with a new Afterword) >> Penguin Books >> 1983 > >Schneier's new bibliography mentions a second edition of the book published >in 1995. Is this really a substantively new edition with more material or is >it just being repackaged with a new Afterword? I'm just wondering whether >it is worth buying to someone who has the original. The new edition is supposed to be a substantial rewrite, updating the book to include a lot of the recent stuff on the NSA. Don't quote me, but I think Bamford has a co-author, though I've forgotten who it is. I paid the princely sum of $16.95 in 1982--expensive for a book back then--for "The Puzzle Palace," and read it cover-to-cover (well, I guess I skimmed the footnotes). Even before I got into crypto in a big way, I knew this stuff was important to me. I certainly plan to buy the Second Edition. --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From grimm at MIT.EDU Mon Jan 15 09:36:41 1996 From: grimm at MIT.EDU (grimm at MIT.EDU) Date: Mon, 15 Jan 96 09:36:41 PST Subject: Bignum support added to XLISP 2.1h In-Reply-To: <9601150438.AA22146@cfdevx1.lehman.com> Message-ID: <9601151736.AA00893@w20-575-119.MIT.EDU> Also in the area of "bignum support", I have developed a C++ class for large integers. I haven't made any solid speed measurements yet, but it seems to be relatively fast. (More precisely, I was able to compute large Fibonacci numbers much faster than in scheme running under emacs. 
I don't claim this to be thorough measurement in any way!) If anyone is interested, send me email. -James From tcmay at got.net Mon Jan 15 09:39:06 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 15 Jan 96 09:39:06 PST Subject: Eggs at Customs Message-ID: At 8:32 AM 1/15/96, Brad Shantz wrote: > >I was asked if I had any eggs. I still don't know why. > Meaning you weren't cleared for expedited handling. My CIA and NSA friends had alerted me to this question and given me the special answer: Me: "Yes, I have green eggs, and ham, too. The eggs in Paris are especially fresh this time of year." This got me waved through. --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From grimm at MIT.EDU Mon Jan 15 09:44:44 1996 From: grimm at MIT.EDU (grimm at MIT.EDU) Date: Mon, 15 Jan 96 09:44:44 PST Subject: DEC's MICROCASH In-Reply-To: Message-ID: <9601151744.AA00904@w20-575-119.MIT.EDU> My question becomes, "Is it harder to crack one encrypted transaction for $10,000, or 100,000 plaintext transactions for the same amount?" Answer: Don't know. That's why I am posting this message. -James Date: Sun, 14 Jan 1996 20:19:24 -0500 (EST) From: "James M. Cobb" Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-cypherpunks at toad.com Precedence: bulk Friend, 01 14 96 Edupage includes: MICROCASH Digital Equipment filed a patent last August for a payment system called Millicent, which enables Web-site operators to charge as little as a tenth of a cent for each customer "hit." 
The system relies on middle-men --credit card companies or digital banks -- to handle the transactions, but its novelty lies in its cost-effective design geared toward tracking minuscule amounts of cash. To keep disk storage at a minimum, security measures providing privacy and a trail of signed receipts are not included in the system, but proponents point out that would-be cyberthieves would have to crack a lot of transactions -- 10,000 at 0.1 cent each -- to make just $10. "There are easier ways to make 10 bucks," says Millicent's inventor. (Business Week 15 Jan 96 p90) Cordially, Jim From mrm at netcom.com Sun Jan 14 17:51:23 1996 From: mrm at netcom.com (Marianne Mueller) Date: Mon, 15 Jan 1996 09:51:23 +0800 Subject: java security job Message-ID: <199601150139.RAA09298@netcom20.netcom.com> Sorry for posting this here if you consider it an abuse of the mailing list ... we have a dickens of a time finding people with the right skill set who are both interested and available for internet security work. And by the way, the applet security story is documented somewhat on http://java.sun.com/sfaq/ --Marianne --------------------------------------------------------------- Java, Sun's programming environment for internet applications, is building a great team. This is a key project for Sun, with high visibility both within the company and the industry. This position is located in the San Francisco Bay area in California. (Currently we're located in Palo Alto, but since we're growing, we'll have to move to a new building sometime this year. It'll be in the south bay somewhere.) Security Engineering Specialist Candidate will be responsible for implementing secure protocols and internet commerce in the Java language and the HotJava browser. Knowledge of current and emerging Net commerce protocols, including SSL, SHTTP, and the various forms of digital cash is required. Candidates should be familiar with programming in an object-oriented language. 
Good verbal and written communication skills are necessary. A BSCS required; MSSCS highly desirable. At least 5 years of experience. You must be a US Citizen. Contact: E-mail: jobs at java.sun.com Please include resumes in ASCII (preferred) or PostScript format. Fax: (415) 786-7546
Attention: Gilda Montesino Post: Gilda Montesino Sun Microsystems, Inc. 2550 Garcia Ave., M/S MPK 17-201 Mountain View, CA 94043-1100 From sdavidm at iconz.co.nz Mon Jan 15 10:04:35 1996 From: sdavidm at iconz.co.nz (David Murray) Date: Mon, 15 Jan 96 10:04:35 PST Subject: Australian GAK? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- I've just seen a note to the effect that the (Australian) Senate Economics References Committee has recommended, in their recently tabled report quaintly entitled _Connecting You Now...Telecommunications to the Year 2000_ the establishment of a third party body for the management of public key authentication. The Committee has also recommended the establishment of a national authentication system to be recognised internationally with credibility with the legal system - True Names, most probably. Any c'punks closer to Canberra with the real goods? Dm -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- [Palmtop News Reader - Version 1.0] From jimbell at pacifier.com Sun Jan 14 18:18:32 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 15 Jan 1996 10:18:32 +0800 Subject: Respect for privacy != Re: exposure=deterence? Message-ID: At 04:11 PM 1/14/96 -0800, Rich Graves wrote: >> >Everybody deserves privacy: criminals, >> >> I agree, to the extent that an unconvicted person who happens to be a >> criminal is also an ordinary citizen. >> >> > government employees, >> >> I _Disagree_, especially after they've committed crimes for the government. > >I find it difficult to equate the actions of a volunteer grand juror >(which is what we were originally discussing before your knee started >jerking so wildly) Are your political biases affecting your misinterpretation of my commentary? 
A "volunteer grand juror" (is there really such a thing?!?) is not really an "employee of government." ("Slave" is perhaps a more accurate terminology, especially if these people are unpaid and aren't really volunteers.) What _I_ meant was that government employees deserve NO privacy, if for no other reason than that they've accepted tax dollars stolen from taxpayers. > or IRS auditor with those of Mengele. Ah! A comparison that has MUCH more validity! > I am aware that >some so-called "so-called"? What do you mean, "so-called"? > libertarian leaders "Libertarian leaders"? _LEADERS_? I'm a libertarian, and I have been one in name for 20 years, and I've never followed a "libertarian leader." I don't even know if I could NAME a "libertarian leader." Maybe you're thinking of fascism, or communism, or some such movement that REQUIRES "leaders." > accuse the IRS of crimes against humanity, Here's a question for you: Is theft a "crime against humanity"? It may be a crime against an individual citizen, but "against humanity"? Is murder a "crime against humanity"? Again, it may be a crime against one citizen, but "against humanity"? Here's a CLUE, because you obviously need it so badly: It isn't necessary for an act to be a "crime against humanity" to be a serious crime. It sounds like you're trying to defend abusive government employees by setting up a "straw-man"-type argument: Unless what they do is a "crime against humanity," everything's okay and they should be immune from retribution. By this reasoning, merely threatening one individual with prosecution isn't a "crime against humanity" so they get to go home, safe and sound. I disagree. In spades. >but I think they're demagogic idiots. Your political philosophy is showing. >See the non-libertarian >FAQ, at http://world.std.com/~mhuben/libindex.html Sounds like it would be extraordinarily un-interesting. [deleted] >Where we differ is that I think it's bad taste and bad ethics to invade >anyone's privacy. 
It's a question of "justifiable force" for me. I believe >just about everyone with any technical understanding who reads this list >has similar ethics. > >I don't post private email. I don't investigate politicians' home phone >numbers and past relationships. It's just not relevant, unless there's >specific probable cause. If your philosophy is that people who have gotten away with crimes in the past should escape punishment, you are exercising a "consistent" philosophy, albeit one with which I will never agree. More likely, however, you are just excusing the actions of GOVERNMENT EMPLOYEES AND POLITICIANS, in particular, and trying to dress it up as simply a matter of general privacy. >The threat of investigation is valid, and has a positive deterrent effect. But it won't have a "positive deterrent effect" if it never happens. With respect to this case, those who investigated and harassed Zimmermann, it MUST occur. >But no one should have to live under the assumption that she has no >privacy at all. In my opinion, nobody should have his property stolen by government action, and those who do it are thieves and should face harsh punishment. If "your" government does this, and you tolerate it, YOU are part of the problem. From mpd at netcom.com Sun Jan 14 18:27:12 1996 From: mpd at netcom.com (Mike Duvos) Date: Mon, 15 Jan 1996 10:27:12 +0800 Subject: [NOISE] Re: COMMUNITY CONNEXION... In-Reply-To: <199601150023.BAA10721@utopia.hacktic.nl> Message-ID: <199601150216.SAA18182@netcom7.netcom.com> nobody at REPLAY.COM (Anonymous) writes: > I know the difference between *actual* genocide (like, the > kind a bunch of my family members died in) and what the SWC > does. Is that a grammatical question? No one has accused the Wiesenthalistas of genocide. We simply want a free Net where all forms of hate, including the particular flavor espoused by the Wiesenthalistas, may compete on a Darwinian basis. 
There is no need to support the tilting of the playing field by a small number of extremists, who represent neither the perspective of the public nor of most members of the Jewish faith. I personally don't plan to waste my time reading any of the aforementioned hate literature on the Net, and I care not at all whether it was authored by Whitopians, Zionists, Christers, or Ufologists. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From grimm at MIT.EDU Mon Jan 15 10:41:13 1996 From: grimm at MIT.EDU (grimm at MIT.EDU) Date: Mon, 15 Jan 96 10:41:13 PST Subject: New Puzzle Palace? Re: CAQ - Secret ... In-Reply-To: Message-ID: <9601151840.AA00925@w20-575-119.MIT.EDU> Schneier has done a major rewrite, or at least included *lots* of new info. I haven't gotten a copy yet, but I saw one, and it was twice as thick as the first version. Now I just need the money to buy the book... -James From tcmay at got.net Sun Jan 14 18:51:04 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 15 Jan 1996 10:51:04 +0800 Subject: CAQ - Secret FISA Court Violates Rights (fwd) Message-ID: At 1:40 AM 1/15/96, Brad Dolan wrote: >operating in the U.S.13 Physical searches to gather foreign >intelligence depend on secrecy, argued Deputy Attorney General >Jamie Gorelick. If the existence of these searches were known to ^^^^^^^^ Odd that government officials are now being named after their main functions. Or perhaps he is related to pop music saxophonist Kenny G.? --Klaus! (banned by the SWC) We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. 
"National borders aren't even speed bumps on the information superhighway." From A5113643667 at attpls.net Sun Jan 14 19:02:03 1996 From: A5113643667 at attpls.net (Tom Jones) Date: Mon, 15 Jan 1996 11:02:03 +0800 Subject: No Subject Message-ID: <702E77E5> Dear Cypherpunks, I believe that ViaCrypt still has one available, altho it is not very popular. Peacd --- NOTICE: This message originally included graphics and/or sounds which can only be received by AT&T PersonaLink(sm) subscribers. You received only the text portion(s) of the message. Please contact the sender for information that was deleted. To learn how to send and receive graphics, voice and text messages via AT&T PersonaLink Services, call 1-800-936-LINK. ---------------- Received: by attpls.net with Magicmail;13 Jan 96 22:11:45 UT Date: 15 Jan 96 02:46:57 UT Sender: owner-cypherpunks at toad.com (owner-cypherpunks) From: owner-cypherpunks at toad.com (owner-cypherpunks) Subject: RSA accellerators on ISA/PCI cards? To: cypherpunks at toad.com (Cypherpunks) Message-Id: X-X-SENDER: ses at chivalry Does anybody have any recommendations for a good RSA accellerator available on an ISA/PCI card? I'm looking for something that can be used with numerous public/private keys, though the ability to have one tamperproof key would be a bonus. Thanks Simon ---- (defun modexpt (x y n) "computes (x^y) mod n" (cond ((= y 0) 1) ((= y 1) (mod x n)) ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n)) (t (mod (* x (modexpt x (1- y) n)) n)))) ---------------- From corey at netscape.com Mon Jan 15 11:07:00 1996 From: corey at netscape.com (Corey Bridges) Date: Mon, 15 Jan 96 11:07:00 PST Subject: Commerce Dept Recommends Strong Crypto Export Message-ID: <199601151906.LAA19362@urchin.netscape.com> Well. Now that the government itself is taking up the charge, I'm sure we can expect a speedy resolution. Yeah, right. *** Scrambled software gets an OK -- Exports: Foreign encoding unfair to U.S. firms, Commerce Department says. 
Bloomberg Business News WASHINGTON -- The Commerce Department will recommend easing export controls on encryption software after a study by the department and the National Security Agency found the restrictions are hurting U.S. firms, Commerce Secretary Ron Brown said. Such a move may pit Brown's department against U.S. defense and spy agencies, however, setting the stage for a White House battle over one of the last computer technologies still covered by export controls. ``I'm interested in promoting American exports,'' Brown said. ``If your foreign competitors are exporting products with encryption capability and you are not, that puts you at a tremendous competitive disadvantage,'' he said. Encryption software turns information, such as files and credit card numbers, into indecipherable material that can be sent across networks without fear of tampering to the recipient, who can then unscramble it. Under current U.S. law, encryption technology that exceeds certain technical thresholds is considered a ``munition.'' Those who would export such technology need explicit permission from the government. The United States justifies the export restrictions by saying law-enforcement agencies would be hamstrung in their efforts to stop terrorists, spies and criminals without them. The computer industry counters that encryption software is available from other countries, and the restrictions simply rob U.S. companies of business. The Computer Systems Policy Project, a joint effort of 13 top technology companies released its own study showing that U.S. companies will lose as much as 30 percent of the $200 billion in U.S. computer system sales expected in 2000 because of federal laws limiting exports of encryption products. Brown said his department will prepare recommendations for easing those controls that should be forwarded to the president ``within a few months.'' It's unclear if the NSA endorsed the Commerce Department's conclusions in the report it jointly prepared. 
Representatives of the NSA were unavailable for comment. Brown's assertion comes a day after federal prosecutors dropped a three-year investigation of Boulder, Colo., software designer Philip Zimmermann, whose encryption program called Pretty Good Privacy was posted on the Internet, the worldwide computer network. Published 1/13/96 in the San Jose Mercury News. Reprinted digitally here without permission, and probably illegally. Corey Bridges Security Documentation Netscape Communications Corporation home.netscape.com/people/corey 415-528-2978 From tcmay at got.net Mon Jan 15 11:09:22 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 15 Jan 96 11:09:22 PST Subject: New Puzzle Palace? Message-ID: At 6:40 PM 1/15/96, grimm at MIT.EDU wrote: >Schneier has done a major rewrite, or at least included *lots* of new >info. I haven't gotten a copy yet, but I saw one, and it was twice as >thick as the first version. Are you talking about "The Puzzle Palace," or about "Applied Cryptography"? I thought the thread was about "The Puzzle Palace." It's certainly possible that Bruce Schneier has contributed to a second edition, beyond the Foreword or whatever it is, but your comments fit with "Applied Cryptography" closely, too. Have you seen a copy of "The Puzzle Palace," 2nd Ed.? --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From grimm at MIT.EDU Mon Jan 15 11:11:14 1996 From: grimm at MIT.EDU (grimm at MIT.EDU) Date: Mon, 15 Jan 96 11:11:14 PST Subject: New Puzzle Palace? 
In-Reply-To: Message-ID: <9601151911.AA00945@w20-575-119.MIT.EDU> My apologies, I was referring to "Applied Cryptography". -James From grimm at MIT.EDU Mon Jan 15 11:17:05 1996 From: grimm at MIT.EDU (grimm at MIT.EDU) Date: Mon, 15 Jan 96 11:17:05 PST Subject: Bignum support in C++ In-Reply-To: <2.2.32.19960115191028.006dfe5c@mail.visi.net> Message-ID: <9601151916.AA00949@w20-575-119.MIT.EDU> I didn't realize that so many people would be interested in big integer support in C++. But since I have received several requests already, I will just post to the whole list. I will be setting up a small web site tonight or tomorrow, so that anyone who desires may view the code for supporting large integers in C++. Do not expect bulletproof optimized code. I will post the URL when it is ready. -James From ses at tipper.oit.unc.edu Mon Jan 15 11:18:32 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Mon, 15 Jan 96 11:18:32 PST Subject: Phil Z getting through customs In-Reply-To: <199601151632.IAA21061@montana.nwlink.com> Message-ID: On Mon, 15 Jan 1996, Brad Shantz wrote: > > I was asked if I had any eggs. I still don't know why. bad answer: No, I'm post-menopausal. Most countries strictly regulate the import of any kinds of produce. This is to try and prevent the introduction of new pests and diseases; the controls are even stricter for livestock, especially in the UK (which would like to remain rabies free). When I was a student and had long hair, I used to always get questioned when going through customs. After graduating, and having normal length hair, I had a lot less trouble. Long serving customs officers develop models of characteristics that in the past have been indicative of smuggling or wrongdoing. Given that most points of entry are under-staffed, there's not much else they can do. 
The strictest customs I've been through is at Lod (Tel Aviv); there the assumption is that everybody is going to try and bring in at least some sort of radio/fax machine to avoid the high taxes, so they check all baggage. They do have the best security team in general though, so it balances out. Simon From rsalz at osf.org Mon Jan 15 12:03:56 1996 From: rsalz at osf.org (Rich Salz) Date: Mon, 15 Jan 96 12:03:56 PST Subject: c'punks at RSA conference Message-ID: <9601152000.AA22464@sulphur.osf.org> I'll be there Thursday. I'm giving the talk scheduled to have been given by Tom Klejna. I'll be talking about DCE security architecture and future directions and how public key fits in. Red-eye flight back east. From mrm at netcom.com Mon Jan 15 12:04:49 1996 From: mrm at netcom.com (Marianne Mueller) Date: Mon, 15 Jan 96 12:04:49 PST Subject: They Thought They Were Free Message-ID: <199601152004.MAA04313@netcom20.netcom.com> As long as we're on the subject of recommending books ... a great one is Milton Mayer's "They Thought They Were Free", interviews with ten Germans post-war. The title pretty much sums it up. Mayer was an excellent writer and journalist. The book is hard to find. title: "they thought they were free: the germans, 1933-45" author: milton mayer University of Chicago Press, 1955 ISBN 0-226-51190-1 (cloth) ISBN 0-226-51192-8 (paper) Library of Congress Catalog Card Number 55-5137 One quote at the beginning of the book: The Pharisee stood and prayed thus with himself "God, I thank Thee, that I am not as other men are." Here's hoping cypherpunks don't start echoing that sentiment ... Marianne From tcmay at got.net Mon Jan 15 12:13:49 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 15 Jan 96 12:13:49 PST Subject: Crypto anarchist getting through customs Message-ID: At 7:21 PM 1/15/96, Simon Spero wrote: >When I was a student and had long hair, I used to always get questioned >when going through customs. 
After graduating, and having normal length >hair, I had a lot less trouble. Long serving customs officers develop >models of characteristics that in the past have been indicative of >smuggling or wrong doing. Given that most points of entry are >under-staffed, there's not much else they can do. I was returning from France and Monte Carlo, where I'd given a talk about crypto anarchy, through U.S. Customs at San Francisco. Having just heard of Matt Blaze's experiences, I figured I'd be truthful and see what happened. (I can't recall the exact words, naturally, so this is just a rough version. Things were uncrowded at the Customs gate, and I was the only one in his line, in case it matters.) Young Customs Officer (YCO): "Where are you coming from?" Me: "Monte Carlo. And France." YCO: "Business or pleasure?" Me: "Business." YCO: "What was the business?" Me: "I met with cryptographers and bankers to discuss cryptography and political implications." YCO: " 'Cryptography'? " (A look of no comprehension.) Me: "Yes, cryptography. You know, secret codes, ciphers, stuff like that." YCO: "Were there any foreigners present?" Me: "Yes, it was in Monte Carlo. There were some Russians there, and lots of others." YCO: [brief pause] "Did you bring anything back with you?" Me: "No." YCO: [waved me through] In my carry-on luggage I had half a dozen magneto-optical disks, carring about a gigabyte of stuff. (As props to use during my talk on the France/Monte Carlo side, ironically, to show that borders are fully transparent.) By the way, there were no outgoing checks [unlike Matt, I didn't seek out permission to export anything], of course, and no checks at my entry point at De Gaulle Airport in Paris. [Though there were lots of cops with machine guns, and lots of dire warnings that bags left unattended might be destroyed, a precaution against bombs.] No checks into Monte Carlo, of course (I lived for a year near Monaco, so I knew this would be the case). 
Frequent travellers to Europe will no doubt confirm what I'm saying. I travelled to dozens of countries in Europe a while back, and never was checked at any borders, save for a quick glance at my passport. --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From s1018954 at aix2.uottawa.ca Mon Jan 15 12:24:26 1996 From: s1018954 at aix2.uottawa.ca (s1018954 at aix2.uottawa.ca) Date: Mon, 15 Jan 96 12:24:26 PST Subject: New Puzzle Palace? In-Reply-To: <9601151840.AA00925@w20-575-119.MIT.EDU> Message-ID: On Mon, 15 Jan 1996 grimm at MIT.EDU wrote: > Schneier has done a major rewrite, or at least included *lots* of new > info. I haven't gotten a copy yet, but I saw one, and it was twice as > thick as the first version. > Huh? Oh you mean Applied Crypto 2. I was asking about Puzzle Palace 2 by Bamford, which I saw listed in AC2's bibliography. Can't seem to find it. I was just wondering if it's worth ordering. (Maybe I wasn't clear in my last msg.) Btw, anyone know what else Bamford's been doing since he wrote Puzzle Palace 1, in '82? Any other books, articles? He's a Washington lawyer, right? I hear the new edition has a collaborating author; anything on him? Curious. TIA. 
From jpb at miamisci.org Sun Jan 14 21:38:30 1996 From: jpb at miamisci.org (Joe Block) Date: Mon, 15 Jan 1996 13:38:30 +0800 Subject: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Bear with me - original text follows all these quotes At 2:29 PM1/13/96, bryce wrote: >> If "digital postage" is ever implemented, this sort of >> distributed-origin mailbomb-through-a-remailer would be stopped >> immediately. All the messages that the horny net geeks send would >> necessarily contain the same postage stamp, and the remailer would >> notice this right away -- and throw away messages containing the used >> postage stamp. >> >> One more motivation for e$-like digital postage for remailers. > > >Unfortunately this is not the case. The perpetrator would >simply have to convince the horny net geeks to pay their own >postage. In fact, it is *in general* impossible to have both >anonymity and prevention/control of mail-bombing. Of course >digital postage will help the problem somewhat by making the >bombers pay for it, and smarter filters on the recipient's end >will help, but in general it is a problem we are going to have >to live with if we want anonymity. Impossible is an awfully strong word. If I was going to implement free digital stamps, I'd have a autoreply daemon (stamps at remailer.com) that when sent a mail, would respond with X number of valid stamps. If you're going to trust me not to log my remailer traffic, extending that trust to believing I won't log the stamp requests shouldn't be that much of a stretch. Alternatively, the stamp could consist of a unique-id, any unique-id, working identically to Usenet message ids. That way, the user can generate his own stamps without being forced to trust the remailer operator not to log them. I prefer the second option as it has both greater anonymity and allows for simple history file patching to the remailer. 
Either way, if the stamps/message-ids are forced to be inside the encrypted address block, mail-bombers can only get one message through. Even if the HNGs are instructed to add a stamp and re-encrypt the address block, when the spam-o-grams start getting routed through the pre-packaged route, they'll be stopped dead after one message gets through. Joseph Block "We can't be so fixated on our desire to preserve the rights of ordinary Americans ..." -- Bill Clinton (USA TODAY, 11 March 1993, page 2A) -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- No man's life, liberty or property are safe while the legislature is in session. 2048bit-Fingerprint: F8 A2 A5 15 56 42 9B 16 3F BD 57 0F 8A ED E3 21 ------------------------------------------------------------------------ Help Phil! email zldf at clark.net or see http://www.netresponse.com/zldf From EALLENSMITH at mbcl.rutgers.edu Mon Jan 15 13:44:30 1996 From: EALLENSMITH at mbcl.rutgers.edu (E. ALLEN SMITH) Date: Mon, 15 Jan 96 13:44:30 PST Subject: COMMUNITY CONNEXION REFUSES TO CENSOR INTERNET SERVICES Message-ID: <01I01O5R9B5OA0UGPP@mbcl.rutgers.edu> From: Rich Graves >To play Devil's Advocate here, I don't think this is as big a deal as either side is making it out to be. At least according to dgillmor's column in today's San Jose Mercury News, SW meant (or has "clarified" his statements to mean) that he favors only limited remedial (not prior) restraints on "hate speech" (whatever the hell that means) on Web pages that approach "publishing" quality and distribution.
SW does not favor and in fact opposes censoring newsgroups and email. ---------- Yes, it's good that he's favoring less restraint on speech than had previously appeared to be the case... but that still doesn't mean it's right. Is the censorship of broadcast media (of "indecent" speech) any better because after some time in the evening it doesn't apply? ---------- >I don't think any media outlet should be forced to carry something it finds objectionable. Libertarian notions like freedom of association and the fact that freedom of the press belongs to the guy who owns the damn press come into play here. ------------ What the SWC appears to be doing is not saying that they'd refuse certain groups access if they were running an ISP. They're trying to make it look like any ISP that carries certain web pages is evil... and, to some degree, this appears to me that they're putting pressure on governments to ban the speech in question. I would guess that they support the ban in Germany, for instance. In addition, the fewer ISPs are carrying the information, the easier it is to ban entirely. ----------- >I very much applaud Sameer for his principles and hard work, but SW and the like have their own principles. They're not incompatible in a free society. ----------- The problem is not the principles of the SWC... it's their tactics. -Allen From jcobb at ahcbsd1.ovnet.com Sun Jan 14 21:46:56 1996 From: jcobb at ahcbsd1.ovnet.com (James M. Cobb) Date: Mon, 15 Jan 1996 13:46:56 +0800 Subject: CAQ - Secret FISA Court Violates Rights (fwd) In-Reply-To: Message-ID: Friend, The Foreign Intelligence Surveillance Court is discussed in James Bamford The Puzzle Palace (with a new Afterword) Penguin Books 1983 ISBN 0 14 00.6748 5 at pages 463, 465-66. The Foreign Intelligence Surveillance Act is discussed at pages 462-69, 475.
Cordially, Jim From mpj at netcom.com Mon Jan 15 13:50:17 1996 From: mpj at netcom.com (Michael Paul Johnson) Date: Mon, 15 Jan 96 13:50:17 PST Subject: Where to get PGP (short version of FAQ) Message-ID: -----BEGIN PGP SIGNED MESSAGE----- WHERE TO GET PGP FAQ (SHORT VERSION) Revised 15 January 1996 For questions not covered here, please see alt.security.pgp FAQs at rtfm.mit.edu. For the long version of this FAQ, get ftp://ftp.csn.net/mpj/getpgp.asc or send mail to mpjohnso at nyx.cs.du.edu or point your web browser at http://www.csn.net/~mpj. WHAT IS THE LATEST VERSION OF PGP?

Platform(s)      Latest Version        Distribution File Names
__________________________________________________________________________
|                |                     |                                 |
|DOS, Unix,      | Viacrypt PGP 2.7.1  | disk sets                       |
|Mac, Windows,   |                     |                                 |
|or WinCIM/CSNav |                     |                                 |
|________________|_____________________|_________________________________|
|                |                     |                                 |
|Hardware-based  | Viacrypt 2.7.1      | disk sets                       |
|PGP/Token       |                     |                                 |
|________________|_____________________|_________________________________|
|                |                     |                                 |
|DOS, Unix, VAX, | MIT PGP 2.6.2       | pgp262.zip (DOS + docs)         |
|others          |                     | pgp262s.zip (source)            |
|                |                     | pg262s.zip source on CompuServe |
|                |                     | pgp262s.tar.gz (source)         |
|                |                     | pgp262s.tar.Z (source)          |
|                |                     | pgp262dc.zip (documentation)    |
|                |                     | pg262d.zip (docs on CompuServe) |
|________________|_____________________|_________________________________|
|                |                     |                                 |
|Macintosh       | MIT PGP 2.6.2       | MacPGP2.6.2-130v1.hqx           |
|                | Mac version 1.3.0   | m262pgp.hqx (same as above)     |
|                |                     | MacPGP2.6.2-130v1.source.asc    |
|                |                     | m262pgps.asc (same as above)    |
|                | PGPfone 1.0 beta 5  |                                 |
|________________|_____________________|_________________________________|
|                |                     |                                 |
|Power Mac       | Zbigniew's "beta"   | Fatmacpgp262b131.sea.hqx        |
|                |                     | f262pgp.hqx (same as above)     |
|                |                     | Fatmacpgp262b131.src.hqx        |
|                |                     | f262pgps.hqx (same as above)    |
|________________|_____________________|_________________________________|
|                |                     |                                 |
|Amiga           | PGP 2.6.2 Amiga 1.4 | pgp262-a14-000.lha              |
|                |                     | pgp262-a14-020.lha              |
|                |                     | pgp262-a14-src.lha              |
|                |                     | PGPAmi262is.lha (international) |
|________________|_____________________|_________________________________|
|                |                     |                                 |
|Atari           | Atari MIT PGP 2.6.2 | pgp262st.zip                    |
|                | Atari International | pgp262ib.zip                    |
|________________|_____________________|_________________________________|
|                |                     |                                 |
|OS/2            | MIT PGP 2.6.2       | pgp262-os2.zip                  |
|                |                     | on ftp.gibbon.com               |
|________________|_____________________|_________________________________|
|                |                     |                                 |
|Non-USA version | PGP 2.6.2i from     | pgp262i.zip (DOS executable)    |
|to avoid RSAREF | Stale Schumacher,   | pgp262ix.zip (32-bit DOS)       |
|license.        | Kai Uwe Rommel,     | pgp262i-os2.zip (OS/2 exe)      |
|                | Harald Denker, and  | pgp262ib.zip (Atari)            |
|                | Peter Simons        | PGPAmi262is.lha (Amiga)         |
|                |                     | pgp262is.zip (source)           |
|                |                     | pgp262is.tar.gz (Unix source)   |
|                |                     |                                 |
|                | Canadian "mutant"   | MacPGP262ca124.exe.sea.hqx      |
|                | not for USA use     | MacPGP262ca124.src.sea.hqx      |
|________________|_____________________|_________________________________|
|                |                     |                                 |
|Unofficial      | PGP 2.6.2ui         | pgp262iu.zip                    |
|non-USA version | Not for use in the  |                                 |
|fully under Gnu | USA because of      |                                 |
|public license  | probable patent     |                                 |
|(based on 2.3a  | infringement        |                                 |
|code)           | problems.           |                                 |
|________________|_____________________|_________________________________|

WHERE CAN I GET VIACRYPT PGP? Just call 800-536-2664 and read them your credit card number and your address. WHERE IS PGP ON THE WORLD WIDE WEB? * http://web.mit.edu/network/pgp-form.html (U. S. PGP primary distribution site) * http://web.mit.edu/network/pgpfone (PGP Fone primary distribution site) * http://www.ifi.uio.no/~staalesc/PGP/home.html (International PGP primary distribution site) * http://www.epic.org/privacy/tools.html * http://www.csua.berkeley.edu/cypherpunks/home.html * http://www.leo.org/archive/os2/crypt/ WHERE CAN I FTP PGP IN NORTH AMERICA?
If you are in the USA or Canada, you can get PGP by following the instructions in any of: * ftp://net-dist.mit.edu/pub/PGP/README * ftp://ftp.csn.net/mpj/README.MPJ * ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS * ftp://ftp.csua.berkeley.edu/pub/cypherpunks/pgp/ * ftp://ftp.gibbon.com/pub/pgp/README.PGP * ftp://ftp.wimsey.bc.ca/pub/crypto/software/README WHERE IS PGP ON COMPUSERVE? GO NCSAFORUM. Follow the instructions there to gain access to Library 12: Export Controlled. AOL It is possible to get PGP from ftp sites with hidden directories with the following trick: (1) View the README file with the hidden directory name in it, then quickly (2) Start a new ftp connection, specifying the hidden directory name with the ftp site's address, like ftp.csn.net/mpj/I_will_not_export/crypto_xxxxxxx (where the xxxxxxx is replaced with the current character string). WHAT BULLETIN BOARD SYSTEMS CARRY PGP? MANY BBS carry PGP. The following carry recent versions of PGP and allow free downloads of PGP. 303-772-1062 Colorado Catacombs BBS, Longmont CO 317-887-9568 Computer Virus Research Center (CVRC) BBS, Indianapolis, IN Login First Name: PGP Last Name: USER Password: PGP 914-667-4567 Exec-Net, New York, NY 915-587-7888, Self-Governor Information Resource, El Paso, Texas WHERE CAN I FTP PGP CLOSE TO ME? * DE ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/pgp ftp://ftp.uni-kl.de/pub/aminet/util/crypt ftp://ftp.westfalen.de/pd/Atari/Pgp(Atari) * ES ftp://encomix.es/pub/pgp/pgp262i/pgp262i.zip * IT ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP * FI ftp://ftp.funet.fi/pub/crypt * NL ftp://ftp.nl.net/pub/crypto/pgp ftp.nic.surfnet.nl/surfnet/net-security/encryption/pgp * SE ftp://leif.thep.lu.se * UK ftp://ftp.demon.co.uk/pub/amiga/pgp ftp://ftp.ox.ac.uk/pub/crypto/pgp HOW CAN I GET PGP BY EMAIL?
If you have access to email, but not to ftp, send a message saying "help" to ftpmail at decwrl.dec.com, mailserv at nic.funet.fi, or ftp-request at netcom.com To get pgp 2.6.2i by email: Send a message to pgp at hypnotech.com with your request in the Subject: field. Subject What you will get GET pgp262i.zip MS-DOS executable (uuencoded) GET pgp262is.zip MS-DOS source code (uuencoded) GET pgp262is.tar.gz UNIX source code (uuencoded) For FAQ information, send e-mail to mail-server at rtfm.mit.edu with send usenet/news.answers/ftp-list/faq in the body of the message. WHAT ARE SOME GOOD PGP BOOKS? Protect Your Privacy: A Guide for PGP Users by William Stallings Prentice Hall PTR ISBN 0-13-185596-4 US $19.95 PGP: Pretty Good Privacy by Simson Garfinkel O'Reilly & Associates, Inc. ISBN 1-56592-098-8 US $24.95 E-Mail Security: How to Keep Your Electronic Mail Private "Covers PGP/PEM" by Bruce Schneier Wiley Publishing The Computer Privacy Handbook: A Practical Guide to E-Mail Encryption, Data Protection, and PGP Privacy Software by Andre Bacard Peachpit Press ISBN 1-56609-171-3 US $24.95 800-283-9444 or 510-548-4393 THE OFFICIAL PGP USER'S GUIDE by Philip R. Zimmerman MIT Press April 1995 - 216 pp. - paper - US $14.95 - ISBN 0-262-74017-6 ZIMPP PGP SOURCE CODE AND INTERNALS by Philip R. Zimmerman April 1995 - 804 pp. - US $55.00 - 0-262-24039-4 ZIMPH Ordering information for the last two books: Call US Toll Free 1-800-356-0343 or 617-625-8569. Cite code 5CSC and number 661. Allow 4-6 weeks for delivery within North America. Allow 8-12 weeks for delivery outside of North America. How to Use PGP, 61 pages, (Pub #121) from the Superior Broadcasting Company, Box 1533-N, Oil City, PA 16301, phone: (814) 678-8801 (about US $10-$13). WHERE CAN I GET PGP LANGUAGE MODULES? http://www.ifi.uio.no/~staalesc/PGP/language.html ftp://ftp.ifi.uio.no/pub/pgp/doc/ IS PGP LEGAL? Yes. See ftp://ftp.csn.net/mpj/getpgp.asc for some of the issues. WHAT IS PHILIP ZIMMERMANN'S LEGAL STATUS? 
Philip Zimmermann was under investigation for alleged violation of export regulations, with a grand jury hearing evidence for about 28 months, ending 11 January 1996. The Federal Government chose not to comment on why it decided to not prosecute, nor is it likely to. The Commerce Secretary stated that he would seek relaxed export controls for cryptographic products, since studies show that U. S. industry is being harmed by current regulations. Philip endured some serious threats to his livelihood and freedom, as well as some very real legal expenses, for the sake of your right to electronic privacy. Although there was no direct and open legal battle, there was a lot of behind the scenes work by Phil's legal team, headed by Philip L. Dubois (dubois at dubois.com). GREAT JOB! If you ever are in the situation of needing a good lawyer to help you with similar Federal harassment, consider yourself fortunate if Mr. Dubois will take your case. Philip Zimmermann is breathing more easily these days, still a free man and able to work to support his family. The battle is won, but the war is not over. The regulations that caused him so much grief and which continue to dampen cryptographic development, harm U. S. industry, and do violence to the U. S. National Security by eroding the First Amendment of the U. S. Constitution and encouraging migration of cryptographic industry outside of the U. S. A. are still on the books. If you are a U. S. Citizen, please write to your U. S. Senators, Congressional Representative, President, and Vice President pleading for a more sane and fair cryptographic policy. WHERE CAN I GET WINDOWS & DOS SHELLS FOR PGP?
http://www.ifi.uio.no/~staalesc/AutoPGP.html http://www.dayton.net/~cwgeib ftp://oak.oakland.edu/SimTel/msdos/security/apgp22b.zip ftp://oak.oakland.edu/SimTel/win3/security/pgpw40.zip http://alpha.netaccess.on.ca/~spowell/crypto/pwf31.zip ftp://ftp.netcom.com/pub/dc/dcosenza/pgpw40.zip ftp://Sable.ox.ac.uk/pub http://www.firstnet.net/~cwgeib/welcom.html ftp://ftp.netcom.com/pub/ec/ecarp/pgpwind.zip http://www.eskimo.com/~joelm(Private Idaho) ftp://ftp.eskimo.com/~joelm http://www.xs4all.nl/~paulwag/security.htm http://www.LCS.com/winpgp.html ftp://mirrors.aol.com/mir01/circa/pub/pc/win3/util/pwf31.zip ftp://ftp.leo.org/pub/comp/os/os2/crypt/gcppgp10.zip ftp://ftp.leo.org/pub/comp/os/os2/crypt/pmpgp.zip WHERE DO I GET PGPfone(tm)? PGPfone is in beta test for Macintosh users. A Windows 95 version is being developed. http://web.mit.edu/network/pgpfone ftp://net-dist.mit.edu/pub/PGPfone/README ftp.hacktic.nl/pub/pgp/pgpfone WHERE DO I GET NAUTILUS? Bill Dorsey, Pat Mullarky, and Paul Rubin have come out with a program called Nautilus that enables you to engage in secure voice conversations between people with multimedia PCs and modems capable of at least 7200 bps (but 14.4 kbps is better). See ftp://ripem.msu.edu/pub/crypt/GETTING_ACCESS ftp://ripem.msu.edu/pub/crypt/other/nautilus-phone-0.9.2-source.tar.gz ftp://ftp.csn.net/mpj/README ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/voice/naut092.zip ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS ftp://miyako.dorm.duke.edu/mpj/crypto/voice/naut092.zip ftp://ftp.dsi.unimi.it/pub/security/crypt/cypherpunks/nautilus ftp://ftp.ox.ac.uk/pub/crypto/misc The Colorado Catacombs BBS 303-772-1062 HOW DO I ENCRYPT MY DISK ON-THE-FLY? Rather than manually encrypting and decrypting files, it is sometimes easier (and therefore more secure, because you are more likely to use it) to use a utility that encrypts or decrypts files on the fly as you use them in your favorite applications. 
This also allows you to automatically encrypt temporary files generated by your applications if they are on the encrypted volume. http://www.cs.auckland.ac.nz/~pgut01/sfs.html ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/disk/ ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/disk/ ftp://ftp.csn.net/mpj/README for the ???????) ftp://miyako.dorm.duke.edu/mpj/crypto/disk/ ftp://ftp.nic.surfnet.nl/surfnet/net-security/encryption/disk/ ftp://ftp.demon.co.uk/pub/ibmpc/secdev/secdev14.arj HOW DO I PUBLISH MY PGP PUBLIC KEY? Send mail to one of these addresses with the single word "help" in the subject line to find out how to use them. These servers synchronize keys with each other. pgp-public-keys at keys.pgp.net pgp-public-keys at keys.de.pgp.net pgp-public-keys at keys.no.pgp.net pgp-public-keys at keys.uk.pgp.net pgp-public-keys at keys.us.pgp.net pgp-public-keys at fbihh.informatik.uni-hamburg.de pgp-public-keys at kiae.su pgp-public-keys at pgp.ai.mit.edu pgp-public-keys at pgp.iastate.edu pgp-public-keys at pgp.mit.edu pgp-public-keys at pgp.ox.ac.uk pgp-public-keys at sw.oz.au WWW interface to the key servers: http://www-swiss.ai.mit.edu/~bal/pks-toplev.html For US $20/year or so, you can have your key officially certified and published in a "clean" key database that is much less susceptible to denial-of-service attacks than the other key servers. Send mail to info-pgp at Four11.com for information, or look at http://www.Four11.com/ CAN I COPY AND REDISTRIBUTE THIS FAQ? Yes. Permission is granted to distribute unmodified copies of this FAQ.
Please e-mail comments to mpj at netcom.com -----BEGIN PGP SIGNATURE----- Version: 2.7.1 -----END PGP SIGNATURE----- From mpj at netcom.com Mon Jan 15 13:50:20 1996 From: mpj at netcom.com (Michael Paul Johnson) Date: Mon, 15 Jan 96 13:50:20 PST Subject: Where to get PGP FAQ update Message-ID: -----BEGIN PGP SIGNED MESSAGE----- WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP) FAQ Revised 14 January 1996 Disclaimer -- I haven't recently verified all of the information in this file, and much of it is probably out of date. If you discover inaccurate or out of date information, please let me know at mpj at netcom.com. Thanks! For questions not covered here, please see the MAIN alt.security.pgp FAQ at rtfm.mit.edu. WHAT IS THE LATEST VERSION OF PGP?

Platform(s)      Latest Version        Distribution File Names
__________________________________________________________________________
|                |                     |                                 |
|DOS, Unix,      | Viacrypt PGP 2.7.1  | disk sets                       |
|Mac, Windows,   |                     |                                 |
|or WinCIM/CSNav |                     |                                 |
|________________|_____________________|_________________________________|
|                |                     |                                 |
|Hardware-based  | Viacrypt 2.7.1      | disk sets                       |
|PGP/Token       |                     |                                 |
|________________|_____________________|_________________________________|
|                |                     |                                 |
|DOS, Unix, VAX, | MIT PGP 2.6.2       | pgp262.zip (DOS + docs)         |
|others          |                     | pgp262s.zip (source)            |
|                |                     | pg262s.zip source on CompuServe |
|                |                     | pgp262s.tar.gz (source)         |
|                |                     | pgp262s.tar.Z (source)          |
|                |                     | pgp262dc.zip (documentation)    |
|                |                     | pg262d.zip (docs on CompuServe) |
|________________|_____________________|_________________________________|
|                |                     |                                 |
|Macintosh       | MIT PGP 2.6.2       | MacPGP2.6.2-130v1.hqx           |
|                | Mac version 1.3.0   | m262pgp.hqx (same as above)     |
|                |                     | MacPGP2.6.2-130v1.source.asc    |
|                |                     | m262pgps.asc (same as above)    |
|                | PGPfone 1.0 beta 5  |                                 |
|________________|_____________________|_________________________________|
|                |                     |                                 |
|Power Mac       | Zbigniew's "beta"   | Fatmacpgp262b131.sea.hqx        |
|                |                     | f262pgp.hqx (same as above)     |
|                |                     | Fatmacpgp262b131.src.hqx        |
|                |                     | f262pgps.hqx (same as above)    |
|________________|_____________________|_________________________________|
|                |                     |                                 |
|Amiga           | PGP 2.6.2 Amiga 1.4 | pgp262-a14-000.lha              |
|                |                     | pgp262-a14-020.lha              |
|                |                     | pgp262-a14-src.lha              |
|                |                     | PGPAmi262is.lha (international) |
|________________|_____________________|_________________________________|
|                |                     |                                 |
|Atari           | Atari MIT PGP 2.6.2 | pgp262st.zip                    |
|                | Atari International | pgp262ib.zip                    |
|________________|_____________________|_________________________________|
|                |                     |                                 |
|OS/2            | MIT PGP 2.6.2       | pgp262-os2.zip                  |
|                |                     | on ftp.gibbon.com               |
|________________|_____________________|_________________________________|
|                |                     |                                 |
|Non-USA version | PGP 2.6.2i from     | pgp262i.zip (DOS executable)    |
|to avoid RSAREF | Stale Schumacher,   | pgp262ix.zip (32-bit DOS)       |
|license.        | Kai Uwe Rommel,     | pgp262i-os2.zip (OS/2 exe)      |
|                | Harald Denker, and  | pgp262ib.zip (Atari)            |
|                | Peter Simons        | PGPAmi262is.lha (Amiga)         |
|                |                     | pgp262is.zip (source)           |
|                |                     | pgp262is.tar.gz (Unix source)   |
|                |                     |                                 |
|                | Canadian "mutant"   | MacPGP262ca124.exe.sea.hqx      |
|                | not for USA use     | MacPGP262ca124.src.sea.hqx      |
|________________|_____________________|_________________________________|
|                |                     |                                 |
|Unofficial      | PGP 2.6.2ui         | pgp262iu.zip                    |
|non-USA version | Not for use in the  |                                 |
|fully under Gnu | USA because of      |                                 |
|public license  | probable patent     |                                 |
|(based on 2.3a  | infringement        |                                 |
|code)           | problems.           |                                 |
|________________|_____________________|_________________________________|

BUG Digital signatures made with keys 2034-2048 bits in length may be corrupt if made by MIT PGP 2.6.2, but I think this has been fixed in PGP 2.6.2i.
To fix this in the source code, change the line in function make_signature_certificate in crypto.c from

  byte inbuf[MAX_BYTE_PRECISION], outbuf[MAX_BYTE_PRECISION];

to

  byte inbuf[MAX_BYTE_PRECISION], outbuf[MAX_BYTE_PRECISION+2];

See also http://www.ifi.uio.no/~staalesc/PGP/bugs.html and http://www.mit.edu:8001/people/warlord/pgp-faq.html WHERE CAN I GET VIACRYPT PGP? Viacrypt has versions of PGP complete with licenses for commercial use of the RSA and IDEA encryption algorithms. Viacrypt PGP comes in executable code only (no source code), but it is based on (and just as secure as) the freeware PGP. Viacrypt PGP for Windows is the only real Windows PGP (and even it is partially a quickwin executable that looks like a DOS port). Still, it is much better from an interface standpoint than all the others. Please contact ViaCrypt for pricing (about US $100 up), the latest platforms, and availability at 800-536-2664 8:30am to 5:00pm MST, Monday - Friday. They accept VISA, MasterCard, AMEX and Discover credit cards. Viacrypt is currently working on preparing the release of version 4.0 (personal) and version 4.0 (business). The business edition adds a few extra key management features (like master keys) that are of use to businesses, but not really useful for personal email. ViaCrypt Products Mail: 9033 N. 24th Avenue Suite 7 Phoenix AZ 85021-2847 Phone: (602) 944-0773 Fax: (602) 943-2601 Internet: viacrypt at acm.org Compuserve: 70304.41 WHERE IS PGP ON THE WORLD WIDE WEB? * http://web.mit.edu/network/pgp-form.html (U. S.
PGP primary distribution site) * http://web.mit.edu/network/pgpfone (PGP Fone primary distribution site) * http://www.ifi.uio.no/~staalesc/PGP/home.html (International PGP primary distribution site) * http://www.ifi.uio.no/~staalesc/PGP/language.html (Language file master list) * http://www.epic.org/privacy/tools.html * http://rschp2.anu.edu.au:8080/crypt.html * http://www.eff.org/pub/Net_info/Tools/Crypto/ * http://community.net/community/all/home/solano/sbaldwin * http://www.cco.caltech.edu/~rknop/amiga_pgp26.html * http://www.csua.berkeley.edu/cypherpunks/home.html * http://www.leo.org/archive/os2/crypt/ * http://colossus.net/wepinsto/wshome.html * http://www.cs.hut.fi/ssh/crypto/ WHERE CAN I FTP PGP IN NORTH AMERICA? If you are in the USA or Canada, you can get PGP by following the instructions in any of: * ftp://net-dist.mit.edu/pub/PGP/README * ftp://ftp.csn.net/mpj/README.MPJ * ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS * ftp://ftp.netcom.com/pub/dd/ddt/crypto/READ_ME_FIRST! * ftp://ftp.netcom.com/pub/dd/ddt/crypto/pgp_ftp_instructions.txt * ftp://ftp.eff.org * Follow the instructions found in README.Dist that you get from one of: * ftp://ftp.eff.org/pub/Net_info/Tools/Crypto/README.Dist * gopher.eff.org, 1/Net_info/Tools/Crypto * gopher://gopher.eff.org/11/Net_info/Tools/Crypto * http://www.eff.org/pub/Net_info/Tools/Crypto/ * ftp://ftp.csua.berkeley.edu/pub/cypherpunks/pgp/ * ftp://ftp.gibbon.com/pub/pgp/README.PGP * http://www.gibbon.com/getpgp.html (OS/2 users see also /pub/gcp/gcppgp10.zip) * ftp://ftp.wimsey.bc.ca/pub/crypto/software/README WHERE IS PGP ON COMPUSERVE? GO NCSAFORUM. Follow the instructions there to gain access to Library 12: Export Controlled. Compuserve file names used to be seriously limited, so look for PGP262.ZIP, PG262S.ZIP (source code), PGP262.GZ (Unix source code) and PG262D.ZIP (documentation only). 
AOL Go to the AOL software library and search "PGP" or ftp from ftp://ftp.csua.berkeley.edu/pub/cypherpunks/pgp or another site listed above or below. It is possible to get PGP from ftp sites with hidden directories with the following trick: (1) View the README file with the hidden directory name in it, then quickly (2) Start a new ftp connection, specifying the hidden directory name with the ftp site's address, like ftp.csn.net/mpj/I_will_not_export/crypto_xxxxxxx (where the xxxxxxx is replaced with the current character string). WHAT BULLETIN BOARD SYSTEMS CARRY PGP? MANY BBS carry PGP. The following carry recent versions of PGP and allow free downloads of PGP. * US 303-343-4053 Hacker's Haven, Denver, CO Lots of crypto stuff here. 303-772-1062 Colorado Catacombs BBS, Longmont CO 8 data bits, 1 stop, no parity, up to 28,800 bps. Use ANSI terminal emulation. For free access: log in with your own name, answer the questions. 314-896-9309 The KATN BBS 317-887-9568 Computer Virus Research Center (CVRC) BBS, Indianapolis, IN Login First Name: PGP Last Name: USER Password: PGP 501-791-0124, 501-791-0125 The Ferret BBS, North Little Rock, AR Login name: PGP USER Password: PGP 506-457=0483 Data Intelligence Group Corporation BBS 508-668-4441 Emerald City, Walpole, MA 601-582-5748 CyberGold BBS 612-690-5556, !CyBERteCH SeCURitY BBS! Minneapolis MN, - write a letter to the sysop requesting full access. 914-667-4567 Exec-Net, New York, NY 915-587-7888, Self-Governor Information Resource, El Paso, Texas * UK 01273-688888 * GERMANY +49-781-38807 MAUS BBS, Offenburg - angeschlossen an das MausNet +49-521-68000 BIONIC-BBS Login: PGP WHERE CAN I FTP PGP CLOSE TO ME?
* AU ftp://ftp.cc.adfa.oz.au/pub/security/pgp23/macpgp2.3.cpt.hqx ftp://ftp.iinet.net.au:mirrors/pgp(Australia ONLY) ftp://plaza.aarnet.edu.au/micros/mac/umich/misc/documentation/howtomacpgp2.7.txt * DE ftp://ftp.informatik.tu-muenchen.de/pub/comp/os/os2/crypt ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/pgp ftp://ftp.fu-berlin.de/mac/sys/init/MacPGP2.6uiV1.2en.cpt.hqx.gz ftp://ftp.tu-clausthal.de/pub/atari/misc/pgp/pgp261b.lzh ftp://ftp.uni-kl.de/pub/aminet/util/crypt ftp://ftp.uni-paderborn.de/pub/aminet/util/crypt ftp://ftp.westfalen.de/pd/Atari/Pgp(Atari) ftp://tupac-amaru.informatik.rwth-aachen.de * ES ftp://goya.dit.upm.es ftp://encomix.es/pub/pgp/pgp262i/pgp262i.zip * IT ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP * FI ftp://ftp.funet.fi/pub/crypt * NL ftp://ftp.nl.net/pub/crypto/pgp ftp.nic.surfnet.nl/surfnet/net-security/encryption/pgp * NZ ftp://ftphost.vuw.ac.nz ftp://rs950.phys.waikato.ac.nz/pub/incoming/pgp(New Zealand ONLY) * SE ftp://leif.thep.lu.se * TW ftp://nctuccca.edu.tw/PC/wuarchive/pgp/ * UK ftp://ftp.demon.co.uk/pub/amiga/pgp ftp://ftp.ox.ac.uk/pub/crypto/pgp ftp://src.doc.ic.ac.uk/aminet/amiga-boing ftp://unix.hensa.ac.uk/pub/uunet/pub/security/virus/crypt/pgp * USA ftp://atari.archive.umich.edu/pub/atari/Utilities/pgp261st.zip (Atari) ftp://ftp.leo.org/pub/comp/os/os2/crypt ftp://wuarchive.wustl.edu/pub/aminet/util/crypt ftp://ftp.netcom.com/pub/gr/grady/PGP_NOT_FOR_EXPORT/MacPGP262ca124.exe.sea.hqx ftp://ftp.netcom.com/pub/gr/grady/PGP_NOT_FOR_EXPORT/MacPGP262ca124.src.sea.hqx * ZA ftp://ftp.ee.und.ac.za/pub/crypto/pgp /pub/archimedes /pub/pgp /pub/mac/MacPGP HOW CAN I GET PGP BY EMAIL? If you have access to email, but not to ftp, send a message saying "help" to ftpmail at decwrl.dec.com, mailserv at nic.funet.fi, or ftp-request at netcom.com To get pgp 2.6.2i by email: Send a message to pgp at hypnotech.com with your request in the Subject: field. 
Subject What you will get GET pgp262i.zip MS-DOS executable (uuencoded) GET pgp262is.zip MS-DOS source code (uuencoded) GET pgp262is.tar.gz UNIX source code (uuencoded) For FAQ information, send e-mail to mail-server at rtfm.mit.edu with send usenet/news.answers/ftp-list/faq in the body of the message. WHERE IS MACPGP? ftp://ftp.csn.net/mpj/README.MPJ ftp://ftp.confusion.net/pub/pgp/mac-pgp/README ftp://highway.alinc.com/users/jordyn/mac-pgp/README ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS WHERE IS VAX PGP? Get the full PGP distribution, then get VAXPGP262.TAR.Z from the berkeley site for additional files needed to compile PGP for the VAX and a precompiled version for VAX/VMS 5.5-2. WHERE CAN I GET MORE PGP INFORMATION? http://www.csn.net/~mpj ftp://ftp.prairienet.org/pub/providers/pgp/pgpfaq.txt ftp://starfire.ne.uiuc.edu/preston/pgpquick.ps(and pgpquick.doc) http://www.prairienet.org/~jalicqui/ http://www.mit.edu:8001/people/warlord/pgp-faq.html http://draco.centerline.com:8080/~franl/crypto.html http://draco.centerline.com:8080/~franl/pgp/bug0.html http://www.eff.org/pub/EFF/Issues/Crypto/ITAR_export/cryptusa_paper.ps.gz http://www.eff.org/pub/EFF/Issues/Crypto/ITAR_export/cryptusa.paper http://www.cco.caltech.edu/~rknop/amiga_pgp26.html Email pgp-help at hks.net ftp://ds.internic.net/internet-drafts/draft-pgp-pgpformat-00.txt ftp://ds.internic.net/internet-drafts/draft-ietf-pem-mime-08.txt http://www.cis.ohio-state.edu/ ftp://ftp.csn.net/mpj/public/pgp/MacPGP262_manual.sit.hqx http://www-mitpress.mit.edu/mitp/recent-books/comp/pgp-source.html http://web.cnam.fr/Network/Crypto/(c'est en français) http://web.cnam.fr/Network/Crypto/survey.html(en anglais) http://www2.hawaii.edu/~phinely/MacPGP-and-AppleScript-FAQ.html ftp://ftp.prairienet.org/pub/providers/pgp/pgpbg11.asc(Beginner's Guide) http://pluto.cc.umr.edu/~steve/Privacy_Page.html/Where_is_PGP.html http://www.netresponse.com/zldf http://bookweb.cwis.uci.edu:8042/Orders/ubipgp.html 
http://www.geopages.com/Athens/1802/pgpfaq.html http://www.pgp.net/pgp http://www.sydney.sterling.com:8080/~ggr/pgpmoose.html Beginner's Guide: send email to slutsky at lipschitz.sfasu.edu, subject: bg2pgp WHAT ARE SOME GOOD PGP BOOKS? Protect Your Privacy: A Guide for PGP Users by William Stallings Prentice Hall PTR ISBN 0-13-185596-4 US $19.95 This is a good technical manual for PGP for most users, and makes a better reference than the "official" documentation that comes with PGP. I recommend it highly. PGP: Pretty Good Privacy by Simson Garfinkel O'Reilly & Associates, Inc. ISBN 1-56592-098-8 US $24.95 E-Mail Security: How to Keep Your Electronic Mail Private "Covers PGP/PEM" by Bruce Schneier Wiley Publishing The Computer Privacy Handbook: A Practical Guide to E-Mail Encryption, Data Protection, and PGP Privacy Software by Andre Bacard Peachpit Press ISBN 1-56609-171-3 US $24.95 800-283-9444 or 510-548-4393 This is an interesting book on the sociology and politics of privacy in the computer age as well as a practical manual on using PGP. Must reading for all members of Congress, presidential staff, members of Parliament, and ordinary citizens who would like to take reasonable steps to protect themselves from some forms of crime that have been made easy by technology. THE OFFICIAL PGP USER'S GUIDE by Philip R. Zimmermann MIT Press April 1995 - 216 pp. - paper - US $14.95 - ISBN 0-262-74017-6 ZIMPP Standard PGP documentation neatly typeset and bound. PGP SOURCE CODE AND INTERNALS by Philip R. Zimmermann April 1995 - 804 pp. - US $55.00 - 0-262-24039-4 ZIMPH This is a handy printed reference with commented source code for PGP 2.6.2 with great educational value. This is a great way to study some of the computer science and information theory behind the world's best email privacy tool without having either a computer or reams of printouts handy. Recommended reading on long airline flights for serious students of computer science and computer security.
Ordering information for the last two books: Call US Toll Free 1-800-356-0343 or 617-625-8569. Cite code 5CSC and number 661. Allow 4-6 weeks for delivery within North America. Allow 8-12 weeks for delivery outside of North America. How to Use PGP, 61 pages, (Pub #121) from the Superior Broadcasting Company, Box 1533-N, Oil City, PA 16301, phone: (814) 678-8801 (about US $10-$13). WHERE CAN I GET PGP LANGUAGE MODULES? These are suitable for most PGP versions. http://www.ifi.uio.no/~staalesc/PGP/language.html ftp://ftp.ifi.uio.no/pub/pgp/doc/ * German ftp://ftp.ox.ac.uk/pub/crypto/pgp/language/pgp23_german.txt ftp://ftp.csn.net/mpj/public/pgp/pgp_german.txt ftp://ftp.csn.net/mpj/public/pgp/PGP_german_docs.lha ftp://ftp.informatik.uni-hamburg.de:/pub/virus/crypt/pgp/language/pgp_german.asc ftp://ftp.leo.org/pub/comp/os/os2/crypt/pgp262i-german.zip * Italian ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP/pgp-lang.italian.tar.gz ftp://ftp.funet.fi/pub/crypt/ghost.dsi.unimi.it/PGP/pgp-lang.italian.tar.gzPGPScripts1.5.sit ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/pgp/mac/AppleScripts WHAT OTHER FILE ENCRYPTION (DOS, MAC) TOOLS ARE THERE? PGP can do conventional encryption only of a file (-c) option, but you might want to investigate some of the other alternatives if you do this a lot. Alternatives include Quicrypt and Atbash2 for DOS, DLOCK2 for DOS & UNIX, Curve Encrypt (for the Mac), HPACK (many platforms), and a few others. Quicrypt is interesting in that it comes in two flavors: shareware exportable and registered secure. Atbash2 is interesting in that it generates ciphertext that can be read over the telephone or sent by Morse code. DLOCK is a no-frills strong encryption program with complete source code. Curve Encrypt has certain user-friendliness advantages. HPACK is an archiver (like ZIP or ARC), but with strong encryption. 
A couple of starting points for your search are: ftp://ftp.csn.net/mpj/qcrypt11.zip ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/file/ ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/file/ ftp://ftp.csn.net/mpj/README for the ???????) ftp://ftp.miyako.dorm.duke.edu/mpj/crypto/file/ HOW DO I SECURELY DELETE FILES (DOS)? If you have the Norton Utilities, Norton WipeInfo is pretty good. I use DELETE.EXE in del110.zip, which is really good at deleting existing files, but doesn't wipe "unused" space. ftp://ftp.csn.net/mpj/public/del120.zip ftp://ftp.demon.co.uk/pub/ibmpc/security/realdeal.zip WHAT DO I DO ABOUT THE PASS PHRASE IN MY WINDOWS SWAP FILE? The nature of Windows is that it can swap any memory to disk at any time, meaning that all kinds of interesting things could end up in your swap file. ftp://ftp.firstnet.net/pub/windows/winpgp/wswipe.zip WHERE DO I GET PGPfone(tm)? PGPfone is in beta test for Macintosh users. A Windows 95 version is being developed. http://web.mit.edu/network/pgpfone ftp://net-dist.mit.edu/pub/PGPfone/README ftp.hacktic.nl/pub/pgp/pgpfone WHERE DO I GET NAUTILUS? Bill Dorsey, Pat Mullarky, and Paul Rubin have come out with a program called Nautilus that enables you to engage in secure voice conversations between people with multimedia PCs and modems capable of at least 7200 bps (but 14.4 kbps is better). See ftp://ripem.msu.edu/pub/crypt/GETTING_ACCESS ftp://ripem.msu.edu/pub/crypt/other/nautilus-phone-0.9.2-source.tar.gz ftp://ftp.csn.net/mpj/README ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/voice/naut092.zip ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS ftp://miyako.dorm.duke.edu/mpj/crypto/voice/naut092.zip ftp://ftp.dsi.unimi.it/pub/security/crypt/cypherpunks/nautilus ftp://ftp.ox.ac.uk/pub/crypto/misc The Colorado Catacombs BBS 303-772-1062 HOW DO I ENCRYPT MY DISK ON-THE-FLY? 
Rather than manually encrypting and decrypting files, it is sometimes easier (and therefore more secure, because you are more likely to use it) to use a utility that encrypts or decrypts files on the fly as you use them in your favorite applications. This also allows you to automatically encrypt temporary files generated by your applications if they are on the encrypted volume. Secure File System (SFS) is a DOS device driver that encrypts an entire partition on the fly using SHA in feedback mode. Secure Drive also encrypts an entire DOS partition, using IDEA, which is patented. Secure Device is a DOS device driver that encrypts a virtual, file-hosted volume with IDEA. Cryptographic File System (CFS) is a Unix device driver that uses DES. http://www.cs.auckland.ac.nz/~pgut01/sfs.html ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/disk/ ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/disk/ ftp://ftp.csn.net/mpj/README for the ???????) ftp://miyako.dorm.duke.edu/mpj/crypto/disk/ ftp://ftp.nic.surfnet.nl/surfnet/net-security/encryption/disk/ ftp://ftp.demon.co.uk/pub/ibmpc/secdev/secdev14.arj WHERE IS PGP'S COMPETITION? RIPEM is the second most popular freeware email encryption package. I like PGP better for lots of reasons, but if for some reason you want to check or generate a PEM signature, RIPEM is available at ripem.msu.edu. There is also an exportable RIPEM/SIG. ftp://ripem.msu.edu/pub/GETTING_ACCESS HOW DO I PUBLISH MY PGP PUBLIC KEY? Send mail to one of these addresses with the single word "help" in the subject line to find out how to use them. These servers synchronize keys with each other.
pgp-public-keys at keys.pgp.net pgp-public-keys at keys.de.pgp.net pgp-public-keys at keys.no.pgp.net pgp-public-keys at keys.uk.pgp.net pgp-public-keys at keys.us.pgp.net pgp-public-keys at burn.ucsd.edu pgp-public-keys at pgp.cc.gatech.edu pgp-public-keys at goliat.upc.es pgp-public-keys at demon.co.uk pgp-public-keys at dsi.unimi.it pgp-public-keys at ext221.sra.co.jp pgp-public-keys at fbihh.informatik.uni-hamburg.de pgp-public-keys at jpunix.com pgp-public-keys at kiae.su pgp-public-keys at kr.com pgp-public-keys at kram.org pgp-public-keys at kub.nl pgp-public-keys at nexus.hpl.hp.com pgp-public-keys at pgp.ai.mit.edu pgp-public-keys at pgp.barclays.co.uk pgp-public-keys at gondolin.org pgp-public-keys at pgp.dhp.com pgp-public-keys at pgp.hpl.hp.com pgp-public-keys at pgp.iastate.edu pgp-public-keys at pgp.kr.com pgp-public-keys at pgp.mit.edu pgp-public-keys at pgp.ox.ac.uk pgp-public-keys at pgp.pipex.net pgp-public-keys at srce.hr pgp-public-keys at sw.oz.au pgp-public-keys at uit.no pgp-public-keys at vorpal.com pgp-public-keys at nic.surfnet.nl WWW interface to the key servers: http://www-swiss.ai.mit.edu/~bal/pks-toplev.html http://www-lsi.upc.es/~alvar/pks/pks-toplev.html For US $20/year or so, you can have your key officially certified and published in a "clean" key database that is much less susceptible to denial-of-service attacks than the other key servers. Send mail to info-pgp at Four11.com for information, or look at http://www.Four11.com/ PGP public keys which are stored on SLED's Four11 Key Server are now retrievable by fingering UserEmailAddress at publickey.com. Example: My e-mail address is mpj at csn.org finger mpj at csn.org@publickey.com My key (mpj8) is at Four11.com, at ftp://ftp.csn.net/mpj/mpj8.asc, on the key servers, on my BBS, and available by finger. CAN I COPY AND REDISTRIBUTE THIS FAQ? Yes. Permission is granted to distribute unmodified copies of this FAQ.
Please e-mail comments to mpj at netcom.com -----BEGIN PGP SIGNATURE----- Version: 2.7.1 iQCVAwUBMPoQnvX0zg8FAL9FAQHgAwP+Of94tn35tUAaXsZXk4yDLZaOsk0YEgpT 3sSKrvYS78iHjNgRQDE+cAntOHeexYDQZ17ecSGAMqvcC1oOiPoeb0lV4lxGRCPK plOnVQLSjgKyshb1mrOPnl25kZhiCOt6Std3nsNICgnMtz+SafRI5+hCLA+l+xUH 7fqHR8Dq6b0= =sbwR -----END PGP SIGNATURE----- From Ulf_Moeller at public.uni-hamburg.de Mon Jan 15 13:53:41 1996 From: Ulf_Moeller at public.uni-hamburg.de (Ulf Moeller) Date: Mon, 15 Jan 96 13:53:41 PST Subject: Bignum support added to XLISP 2.1h Message-ID: Rick Busdiecker writes: > it is quite easy to write cryptographic algorithms that use very large > numbers without adding extra support. The downside is that the language is >Yup. I've written some code that generates large numbers, tests for >primality and does RSA. The basic RSA encode is just (mod-expt m e >n) and decrypt is (mod-expt c d n) where mod-expt is just an optimized >version of (mod (expt x p) n), ala Schneier, page 200 (1st edition). Actually, there is a modexpt (and a Fermat test) implementation in chapter 1 of Abelson/Sussman, with a footnote mentioning cryptography. I do wonder if they have an export license... :) From sjb at universe.digex.net Mon Jan 15 14:05:17 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Mon, 15 Jan 96 14:05:17 PST Subject: (none) [httpd finding your identity] In-Reply-To: <30F8596B.5611@netscape.com> Message-ID: <199601152204.RAA18827@universe.digex.net> Jeff Weinstein writes: >The snoop program is using FTP to find out the user's e-mail >address. The image on the page is an ftp: URL. Our FTP code >was sending the user's e-mail address as the password for >anonymous FTP, which is the usually requested by FTP sites. >The perl script was waiting for the FTP to happen, and then >looking at its log to figure out the email address. > > I've removed the code that uses the e-mail address as the >FTP password for anonymous FTPs.
You can still enter it by >hand by using a URL of this form 'ftp://anonymous at ftp.netscape.com'. >This will cause the navigator to prompt the user for the >password to send for anonymous. This is a little known feature >that will also allow users to access non-anonymous ftp >accounts via netscape. Or you can use 'ftp://anonymous:password at ftp.netscape.com/', and skip the prompt. Not really less secure (assuming you can prevent shoulder surfers) as FTP sends the password in the clear, anyway. From jcobb at ahcbsd1.ovnet.com Sun Jan 14 22:17:29 1996 From: jcobb at ahcbsd1.ovnet.com (James M. Cobb) Date: Mon, 15 Jan 1996 14:17:29 +0800 Subject: PRETTY GOOD PHONE PRIVACY, TOO Message-ID: Friends, 01 14 96 Edupage includes: PRETTY GOOD PHONE PRIVACY, TOO Now from the creator of PGP encryption software comes a new product for making your phone calls more private. Philip Zimmermann's PGPfone software scrambles phone calls made through a computer modem using a complex algorithm called Blowfish, which rearranges the digital version of your voice conversation and then decodes it at the other end. The result is an intelligible -- though not high-quality -- totally private conversation. The URL is: http://web.mit.edu/network/pgpfone (Popular Science Jan 96 p43) Cordially, Jim From stewarts at ix.netcom.com Sun Jan 14 22:57:32 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 15 Jan 1996 14:57:32 +0800 Subject: Zimmermann case is dropped. Message-ID: <199601150642.WAA16157@ix13.ix.netcom.com> At 11:22 AM 1/12/96 -0600, Alex Strasheim wrote: >We need a large sponsor who is willing to run a more ambitious crypto >archive. If an institution like MIT hosted a more generalized site where >people could distribute code, it would go a long way towards thawing out >the chill the government's managed to create by harassing PRZ. Oxford University, University of Milan, and Finnish University Network not big enough for you? I usually get my PGP code from Oxford.
Now, if MIT were willing to distribute other code from their server, it would make it easier for people to put their names on their postings, which would be a Good Thing, without the need for posting to sci.crypt with Distribution: usa or anonymously remailing encrypted copies or whatever. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "Eternal vigilance is the price of liberty" used to mean us watching # the government, not the other way around.... From stewarts at ix.netcom.com Sun Jan 14 22:59:53 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 15 Jan 1996 14:59:53 +0800 Subject: Fwd: Scrambled software gets an OK Message-ID: <199601150642.WAA16107@ix13.ix.netcom.com> At 08:30 AM 1/13/96 -0800, thad at hammerhead.com (Thaddeus J. Beier) wrote: >Scrambled software gets an OK > >-- Exports: Foreign encoding unfair to U.S. firms, Commerce Department says. > >Bloomberg Business News > >WASHINGTON -- The Commerce Department will recommend easing export controls >on encryption software after a study by the department and the National >Security Agency found the restrictions are hurting U.S. firms, Commerce >Secretary Ron Brown said. We discussed this a bit at the Bay Area cpunks meeting yesterday. It'd be fun to know the politics involved and what we'll get out of this, but "easing export controls" could be anything from "dropping the limits on anything but designed-for-the-military crypto" to "64 bits with escrow". And, of course, "we'll release a policy statement in a few months" isn't highly informative either. On the other hand, it's an invitation for lobbying and public comment, so we might as well take advantage of it. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "Eternal vigilance is the price of liberty" used to mean us watching # the government, not the other way around.... 
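The anonymous-FTP identity leak discussed in the "(none) [httpd finding your identity]" thread in this digest, as an added example that is not part of any poster's message and is not Netscape's code: it lists the ftp: resources a page loads without user action and the login a client would present for each, under the old behaviour (e-mail address as anonymous password) and the fixed one ("mozilla@"). The function names, the policy labels "email" and "fixed", the hosts and the e-mail address are all constructed for illustration.

```javascript
// Added example, not Netscape's code. All names and sample values are constructed.

// Constructed sample page: two inline images fetched over ftp:, one ftp: link
// that is only fetched if the user clicks it, and one ordinary http: image.
const SAMPLE_HTML = `
<html><body>
<img src="ftp://snoop.example/pixel.gif" width="1" height="1">
<a href="ftp://ftp.example.org/pub/README">README</a>
<img src="http://www.example.org/logo.gif">
<img src='ftp://anonymous:guest@files.example/banner.gif'>
</body></html>`;

// Tag/attribute pairs a browser loads without any user action.
const INLINE_ATTRS = new Map([
  ["img", "src"], ["frame", "src"], ["embed", "src"], ["body", "background"],
]);

// Percent-decode URL userinfo without throwing on malformed escapes.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Return every URL the page would load automatically, resolved against baseUrl.
function inlineUrls(html, baseUrl) {
  const found = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const name = tag[1].toLowerCase();
    const wanted = INLINE_ATTRS.get(name);
    if (!wanted) continue;
    const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      if (attr[1].toLowerCase() !== wanted) continue;
      const raw = attr[2] ?? attr[3] ?? attr[4];
      try {
        found.push({ tag: name, url: new URL(raw, baseUrl) });
      } catch (e) {
        // Unparsable URL: the client has nothing to fetch, so nothing leaks.
      }
    }
  }
  return found;
}

// Login the client presents for an ftp: URL.
//   policy "email": the old behaviour described in the thread (the user's
//                   e-mail address is sent as the anonymous password)
//   policy "fixed": the behaviour after the fix (the constant "mozilla@")
// A URL that names a user but no password makes the client prompt instead of
// sending anything automatically.
function ftpLogin(url, policy, userEmail) {
  if (url.username !== "") {
    const password = url.password === "" ? null : safeDecode(url.password);
    return { user: safeDecode(url.username), password, prompts: password === null };
  }
  const password = policy === "email" ? userEmail : "mozilla@";
  return { user: "anonymous", password, prompts: false };
}

// One finding per inline ftp: resource: which host is contacted, with which
// login, and whether that login discloses the user's e-mail address.
function auditPage(html, baseUrl, policy, userEmail) {
  return inlineUrls(html, baseUrl)
    .filter(({ url }) => url.protocol === "ftp:")
    .map(({ tag, url }) => {
      const login = ftpLogin(url, policy, userEmail);
      return {
        tag,
        host: url.hostname,
        ...login,
        leaksIdentity: login.password === userEmail,
      };
    });
}

// Stand-alone run over the constructed page under both policies.
for (const policy of ["email", "fixed"]) {
  const findings = auditPage(SAMPLE_HTML, "http://www.example.org/", policy, "alice@example.net");
  console.log(policy, JSON.stringify(findings));
}
```

The clickable ftp: link is deliberately not reported: only resources fetched without user action let a page operator read an address out of the FTP server log, which is the mechanism the thread describes.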
From 100611.3205 at compuserve.com Mon Jan 15 15:04:47 1996 From: 100611.3205 at compuserve.com (D.R.Madden) Date: Mon, 15 Jan 96 15:04:47 PST Subject: Net Control is Thought Control Message-ID: <960115230156_100611.3205_BHL49-1@CompuServe.COM> e useful to set out, as I see it anyway, the main questions that need answering. Thanks for any info/insight that you can provide. 1. How is it possible -- in a legal sense -- for the laws of one state (Germany) to be imposed globally. I suspect the answer to this is: it isn't -- CompuServe seems to have pulled the plug without recourse to any legal battle (?). This makes its protestations that it's all Germany's fault a little thin. 2. Even granted that Germany can impose its porn laws on the world, how is CompuServe violating German law: it is *not* the case that CompuServe is producing the offending material *within* Germany. Rather, German netties are able to import the offending material from outwith. Hence it is the German netties (or at most the German connection banks) who are violating the pornography laws. Analogy: if a German stationery retailer buys a stack of smutty mags in Sweden, which fall foul of the German smut laws, and then brings them into Germany for resale in his store, do the Germans then have a case for closing down the Swedish publisher of the mags? Surely it is up to the German connection banks to comply with German law. CompuServe doesn't export anything -- users import. This kills the Satellite porn channel analogy which some people are using (UK censors some such channels). The Germans no doubt will argue that the above analogy is faulty in that whereas the import of smutty mags is (or can be) subject to border controls, the internet is, well, a net -- either the offending material is pulled at source or not at all. Not true: the offending material could be pulled from the German net servers.
Of course, there are ways around the ban (cf. Duncan Frissel's emails passim) but the number of minors capable of effecting these would be negligible -- certainly not enough to justify 1. above (assuming that 1 can be justified upon any principle) 3. Why has Germany picked on CompuServe alone -- not only is it a daft law but one which quite obviously fails to capture the rationale behind the law (Thankfully). (Possibly a case of the Bavarians blowing the puritanical horn without actually wishing to upset the German cyber community too much. Although, interestingly, the silence on this issue amongst the German PC community is deafening -- I'll see if I can garner any response to this, and the other points, by sending this email to the Max-Planck Institute fuer Informatik in Germany where I used to work). 4. 1 and 3 raise the question: why did CompuServe cave in so easily? The issue could have been in the European courts for the next few aeons allowing CompuServe to proceed as per normal (and since the whole of the EU is affected, surely this is precisely the sort of issue that should be settled by their courts). Can any lawyers out there give an indication of the chances CompuServe would have in such a case? 5. Bearing above, and previous cypherpunk emails on this issue, in mind, has anyone, or group actually challenged the German decision on legal grounds (as opposed to just discussing it)? 6. Has anyone heard any arguments emanating from Germany itself along the "thin end of the wedge" lines? There are plenty of dodgy states out there who will be only too willing to point at Germany, a "civilised Western culture", as a precedent to justify the removal of all sorts of topics which do not accord with their definitions of acceptability. I initially thought that Duncan's correlation of net control with thought control (cf. his email of 10th Jan, 12.52pm) was over-stepping the mark (on the grounds that we're not yet eating Clockwork Oranges in a Brave New World).
But, bearing 6. in mind, if totalitarian states are able to dictate what appears on the net (and what is read by precisely the "young minds" which Germany purports to protect) then I'm beginning to think he's accurately characterised a potential state of affairs a few years down the line. Food for thought control. Peter Madden (formerly of MPI, Germany, soon to be DRA, UK). P.S. Pity the average German nettie -- they're excruciatingly embarrassed by this whole business. From jsimmons at goblin.punk.net Mon Jan 15 15:13:27 1996 From: jsimmons at goblin.punk.net (Jeff Simmons) Date: Mon, 15 Jan 96 15:13:27 PST Subject: New Puzzle Palace? In-Reply-To: Message-ID: <199601152313.PAA00494@goblin.punk.net> > > I thought the thread was about "The Puzzle Palace." It's certainly possible > that Bruce Schneier has contributed to a second edition, beyond the > Foreword or whatever it is, but your comments fit with "Applied > Cryptography" closely, too. > > Have you seen a copy of "The Puzzle Palace," 2nd Ed.? I wrote to Bruce Schneier about this a month or so ago. He said that he'd gotten the information about the new edition of "The Puzzle Palace" from the authors, and that while the reference in "Applied Cryptography" gave it a 1995 copyright, it actually won't be out until sometime in 1996. -- Jeff Simmons jsimmons at goblin.punk.net From alano at teleport.com Sun Jan 14 23:32:54 1996 From: alano at teleport.com (Alan Olsen) Date: Mon, 15 Jan 1996 15:32:54 +0800 Subject: An E-Cash service I would like to see Message-ID: <2.2.32.19960115072214.00863674@mail.teleport.com> After looking at the E-Cash site and all of the things to sign, the forms to fill and the like, I had an idea for a needed service. What is needed is a method to make e-cash more like how someone would purchase a money order.
If the Mark Twain bank pitched their services to places that sold money orders, then you could exchange cash for e-cash with assured anonymity. A small fee could be charged (like it is with money orders) and everyone would be happy. It would at least introduce a lot more people to e-cash... Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "Is the operating system half NT or half full?" From jsw at netscape.com Sun Jan 14 23:34:00 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Mon, 15 Jan 1996 15:34:00 +0800 Subject: (none) [httpd finding your identity] In-Reply-To: <199601150454.VAA00449@wero.cs.byu.edu> Message-ID: <30F9FEF0.6EAA@netscape.com> Don wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > > I've removed the code that uses the e-mail address as the > > FTP password for anonymous FTPs. > > Does that mean that general-purpose ftp won't be accepted unless the > user gives up their email? Greaaaaaaat... Can't have it both ways, I > guess. What can be added as far as user control; inline vs non-inline, > for example. I'm not sure I understand what you are saying, so I will try to re-state what we are doing. By default for anonymous FTP we will send the string "mozilla@" for the anon password. This is similar to Mosaic and Internet Explorer, which send "webuser@". If the user wants to send their real address, or anything else, they can type an ftp URL that will allow them to enter the password. I hope to add an option so that the user can decide for themselves to send or not send their identity. Note that we do not currently send the HTTP 'From:' header. Some users would like an option to turn it on. > The FTP explanation certainly explains why my personal system is able > to confuse the username part of it. And I know there's nothing anyone > can do about the reverse-ip, but what about http referral field?
Will > there be a way to turn off (blank, actually) this field? I would like to add a way to turn it off, but it won't happen in 2.0. > Jeff, your efforts are certainly appreciated - your ability to get these > things done is most valuable. Thanks. I just wish I had been able to attend yesterday's cypherpunk gathering rather than having to fix this bug. Sigh. > Regarding the anonymizer: > First, are there any working anonymizers yet? > Second, is there any ISP that would be willing to give a home to the > anonymizer? I think that there are several. The one at CMU can be reached at http://anonymizer.cs.cmu.edu:8080/open.html. I thought that Sameer had one at c2.org, but a quick look at his web site didn't turn up anything. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From fmouse at fmp.com Mon Jan 15 15:38:32 1996 From: fmouse at fmp.com (Lindsay Haisley) Date: Mon, 15 Jan 96 15:38:32 PST Subject: Eggs at Customs (fwd) Message-ID: <199601152336.RAA14733@gateway.fmp.com> There has (fortunately!) been a big crackdown recently on the illegal pet bird import trade, something akin to the slave trade of the 19th century for those of us who like pet birds. One of the methods people use to import birds is to wear special vests full of pockets for rare bird eggs. If the person who wrote this was coming in from SE Asia, especially Australia, then this was very possibly the meaning of the question. > >At 8:32 AM 1/15/96, Brad Shantz wrote: >> >>I was asked if I had any eggs. I still don't know why. >> > >Meaning you weren't cleared for expedited handling. My CIA and NSA friends >had alerted me to this question and given me the special answer: > >Me: "Yes, I have green eggs, and ham, too. The eggs in Paris are especially >fresh this time of year." > >This got me waved through.
> >--Tim May > > >We got computers, we're tapping phone lines, we know that that ain't allowed. >---------:---------:---------:---------:---------:---------:---------:---- >Timothy C. May | Crypto Anarchy: encryption, digital money, >tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero >W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, >Higher Power: 2^756839 - 1 | black markets, collapse of governments. >"National borders aren't even speed bumps on the information superhighway." > > > > > (______) Lindsay Haisley (oo) "The bull FMP Computer Services /------\/ stops here!" fmouse at fmp.com / | || Austin, Texas, USA * ||---|| * * * * * * (512) 259-1190 ~~ ~~ http://www.fmp.com From jcobb at ahcbsd1.ovnet.com Mon Jan 15 15:43:58 1996 From: jcobb at ahcbsd1.ovnet.com (James M. Cobb) Date: Mon, 15 Jan 96 15:43:58 PST Subject: New Puzzle Palace? In-Reply-To: Message-ID: Friend, I believe the co-author is Wayne Madsen, who's written: Handbook of Personal Data Protection Stockton Press (an imprint of Groves Dictionaries, which is in turn a division of Macmillan Publica- tions, Ltd) 1992 1026 pages US $170 ISBN 1 56157 046 0 1 800 221 2123. Please see Jyri Kaljundi's message below. Madsen is interviewed in Web Review's series on NSA's subversion of the private sector, here at home as well as abroad. Cordially, Jim INCLOSURE 1: Date: Sun, 14 Jan 1996 18:27:59 +0200 (EET) From: Jyri Kaljundi To: cypherpunks at toad.com Subject: GNN on Crypto Global Network Navigator Web Review (http://gnn.com/wr/) has their main story this week on crypto. 
The articles are: Spymaster meets webmaster:NSA's Fortezza: stronger encryption or Internet spy strategy http://gnn.com/gnn/wr/96/01/12/features/nsa/index.html The Seduction of Crypto AG: How the NSA held the keys to a top-selling encryption machine http://gnn.com/gnn/wr/96/01/12/features/nsa/crypto.html Familiar faces, familiar places: Look who's working to implement Fortezza in the US and Europe http://gnn.com/gnn/wr/96/01/12/features/nsa/triteal.html What's that smell: Is the NSA sniffing your email? [http://gnn.com/gnn/wr/96/01/12/features/nsa/sniff.html A back door for the NSA: Balancing the need for intelligence with privacy http://gnn.com/gnn/wr/96/01/12/features/nsa/conclude.html Juri Kaljundi jk at digit.ee Digiturg http://www.digit.ee/ INCLOSURE 2: Date: Mon, 15 Jan 1996 15:21:44 -0500 (EST) From: s1018954 at aix2.uottawa.ca To: grimm at MIT.EDU Cc: cypherpunks at toad.com Subject: Re: New Puzzle Palace? On Mon, 15 Jan 1996 grimm at MIT.EDU wrote: > Schneier has done a major rewrite, or at least included *lots* of new > info. I haven't gotten a copy yet, but I saw one, and it was twice as > thick as the first version. > Huh? Oh you mean Applied Crypto 2. I was asking about Puzzle Palace 2 by Bamford, which I saw listed in AC2's bibliography. Can't seem to find it. I was just wondering if it's worth ordering. (Maybe I wasn't clear in my last msg.) Btw, anyone know what else Bamford's been doing since he wrote Puzzle Palace 1, in '82? Any other books, articles? He's a Washington lawyer, right? I hear the new edition has a collaborating author; anything on him? Curious. TIA. From attila at primenet.com Sun Jan 14 23:59:07 1996 From: attila at primenet.com (attila) Date: Mon, 15 Jan 1996 15:59:07 +0800 Subject: COMMUNITY CONNEXION... 
In-Reply-To: <199601141734.SAA23618@utopia.hacktic.nl> Message-ID: On Sun, 14 Jan 1996, Anonymous wrote: > Attila sez: > > > the SWC is a prime example of very narrow view which is trying to > > "control" what we can say --unfortunately, SWC is guilty of the same > > mind-control tactics as the core Nazi party which persecuted them == > > a very poor example. In Germany, trading on collective guilt they > > will never stop feeding, they have effectively controlled the issue > > so that _any_ speech or revision against their agenda is a hate crime, > > and therefore a serious felony. > > Sounds like you're a little weak on your history, Attila. Not that I > agree with the SWC's policies one bit, but some basic dates and facts - > when SW was born, when he founded his C, when WW2 was, what the Nazis did > during it and what the SWC has done since, when and how the anti-Nazi and > hate speech laws were passed in Germany, whether "any" speech or revision > against the SWC's agenda (or do you just mean "JEWS"?), etc - would make > pretty short work of your nonsense. > oh, I do not think so --I would answer you in private mail if you were not afraid to state a Reply-To address. history is a fascinating study in continual revisionism --to the victor goes the right to rewrite history, or: I do not fear history, I intend to write it. --Winston Churchill I could have stated my position much clearer: this particular demand is based on the same hysteria as has been found throughout history; and, see my other comments elsewhere. As to anonymity, I remain, attila == Herr Doktor Professor Daniel Fluekiger __________________________________________________________________________ go not unto usenet for advice, for the inhabitants thereof will say: yes, and no, and maybe, and I don't know, and fuck-off. _________________________________________________________________ attila__ To be a ruler of men, you need at least 12 inches....
From iang at CS.Berkeley.EDU Mon Jan 15 16:14:41 1996
From: iang at CS.Berkeley.EDU (Ian Goldberg)
Date: Mon, 15 Jan 96 16:14:41 PST
Subject: How to make someone else lose ecash
Message-ID: <199601160014.QAA20158@lagos.CS.Berkeley.EDU>

I don't recall seeing this on cypherpunks or on ecash at digicash.com; it's being sent to both places, so set your replies appropriately.

Dave and I were discussing the ecash protocols when we discovered what seems to be a way for Eve (a passive eavesdropper) to cause anyone to lose money. Note that she doesn't gain anything from it.

Eve watches for any message that contains pcoins (a list of onl_coin). These messages are the Payment (from user to shop) and Deposit (from shop to mint). Neither of these are required to be encrypted.

An onl_coin is the following:

    onl_coin = [
        int     keyversion    ; low 5 bits are denomination
        MPI     n             ; coin number
        MPI     sig           ; encrypted coin signature
    ]

sig is (f(n)^(1/h) XOR f(payment_hdr)), encrypted in the mint's public key. The reason sig is encrypted is so that the payment header can't be changed and so that Eve can't learn f(n)^(1/h).

However, n is sitting there all nice and cleartext. Therefore: when Eve sees such a message, she uses the same value of n to withdraw a coin from her bank account, and then spends it (she could just pay it to herself). Eve does not gain or lose anything, but if she can deposit the coin before the original coin that she saw gets to the mint, the original coin will not clear. If Eve has the ability to drop or delay packets, she can accomplish this easily. The result is that whoever withdrew the coin originally has lost the use of that coin.

Note that this is the same problem as if two users just happen to use the same value of n when they withdraw coins. We don't really care about that, since the probability is trivial. However, this attack lets Eve produce the same effect _on purpose_.

How can we prevent this? Well, since a shop has no way of using the value n except for just sending it on to the mint, we lose nothing by encrypting it. Thus, an onl_coin should be:

    onl_coin = [
        int     keyversion    ; low 5 bits are denomination
        Encrypt_with_mint_public_key(
            MPI     n         ; coin number
            MPI     sig       ; (f(n)^(1/h) XOR f(payment_hdr))
        )
    ]

Note that it's not really necessary to have sig already encrypted if we're going to encrypt it again.

Actually, I think an onl_coin should have an additional field (bankID) to the fields listed above, but that's another argument for another time.

   - Ian "Back from the North and ready to party!"

From jimbell at pacifier.com Mon Jan 15 16:20:20 1996
From: jimbell at pacifier.com (jim bell)
Date: Mon, 15 Jan 96 16:20:20 PST
Subject: Phil Z getting through customs
Message-ID:

At 08:32 AM 1/15/96 +0000, Brad Shantz wrote:
> attila wrote:
>> answer the questions truthfully and they can not detain you???
>
>Not true, I've been detained by Canadian customs for doing just that.
>Everything went reasonably smoothly thanks to the customs officials
>lack of knowledge of NAFTA. However, one of my travelling partners
>had trouble with customs due to ...hmmm... their lack of knowledge of
>NAFTA.
>
>> Rule 1: smile regardless of the adversity
>
>That's a good rule for things other than customs dealings.

I haven't driven to Canada for well over a decade. But last time I did, when I was addressed the Canadian border guy, he asked me whether I had brought any firearms along. I said to him, "No. I didn't think I'd be needing them!" He didn't as much as crack a smile.

From llurch at networking.stanford.edu Mon Jan 15 16:31:42 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Mon, 15 Jan 96 16:31:42 PST
Subject: Eggs at Customs (fwd)
In-Reply-To: <199601152336.RAA14733@gateway.fmp.com>
Message-ID:

On Mon, 15 Jan 1996, Lindsay Haisley wrote:
> There has (fortunately!)
been a big crackdown recently on the illegal pet > bird import trade, something akin to the slave trade of the 19th century for > those of us who like pet birds. One of the methods people use to import > birds is to wear special vests full of pockets for rare bird eggs. If the > person who wrote this was coming in from SE Asia, especially Australia, then > this was very possibly the meaning of the question. And here I thought it was because eggs were a good medium for transporting biotoxins. I've been hanging out with you conspiracy freaks too much :-) -rich From bdolan at use.usit.net Mon Jan 15 16:33:18 1996 From: bdolan at use.usit.net (Brad Dolan) Date: Mon, 15 Jan 96 16:33:18 PST Subject: Crypto anarchist getting through customs In-Reply-To: Message-ID: On Mon, 15 Jan 1996, Timothy C. May wrote: > > Frequent travellers to Europe will no doubt confirm what I'm saying. I > travelled to dozens of countries in Europe a while back, and never was > checked at any borders, save for a quick glance at my passport. > > --Tim May This may, in part, depend on your mode of transport. Or maybe the phase of the moon. In June of '93, I took a train from Rome to Nice, something which had worked nicely for me in the past. That time we were all unceremoniously dumped out at a whistle-stop border checkpoint and forced to carry our luggage past some guys in uniforms. I think some people got a quiz, though I did not. After an hour or two, they let us board a *different* train to complete the last little bit of our journey. That's the only border harassment I've experienced in Western Europe. Eastern Europe has been more interesting on occasion. Brad From attila at primenet.com Mon Jan 15 00:39:32 1996 From: attila at primenet.com (attila) Date: Mon, 15 Jan 1996 16:39:32 +0800 Subject: Phil Z getting through customs In-Reply-To: <199601121612.IAA06275@montana.nwlink.com> Message-ID: answer the questions truthfully and they can not detain you??? yeah, that's what it says. BS.
ask any of us who have been detained by the zealots. I was detained 36 hours at LA, 18 at Dulles, etc. If you've made the list, you've made the list, and a customs inspector with a bug up his ass is a nasty person. Rule 1: smile regardless of the adversity Rule 2: other than the three questions on the form, say nothing Rule 3: never use LA or Dulles -pick an airport with humans. well, I guess I had better admit it; the travelling public got their money's worth in LA. after customs had shredded and Xray'd everything and I was tired, very tired after the long one from New Delhi to LA, I was hostile enough to humiliate them sufficiently to close all nearby lines --then I mooned them. TS and the red mask can be a wonderful excuse! I guess I just haven't learned --and I was over 50! Dulles was previous history.... oh, yeah, they have not bugged me for some time. __________________________________________________________________________ go not unto usenet for advice, for the inhabitants thereof will say: yes, and no, and maybe, and I don't know, and fuck-off. _________________________________________________________________ attila__ To be a ruler of men, you need at least 12 inches.... From tcmay at got.net Mon Jan 15 16:39:52 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 15 Jan 96 16:39:52 PST Subject: Eggs at Customs (fwd) Message-ID: At 11:36 PM 1/15/96, Lindsay Haisley wrote: >There has (fortunately!) been a big crackdown recently on the illegal pet >bird import trade, something akin to the slave trade of the 19th century for >those of us who like pet birds. One of the methods people use to import >birds is to wear special vests full of pockets for rare bird eggs. If the >person who wrote this was coming in from SE Asia, especially Australia, then >this was very possibly the meaning of the question. Yes, Cliff Stoll described how this plot was hatched in his book "The Cuckoo's Egg." (This was a yolk, folks. I stoll it.) P.S.
I am persuaded that the importation of rare tropical birds into the U.S. is a GOOD THING, and that the attempts to ban such imports are misguided eco-fundie efforts. Diversity will be enhanced by having the birds in the U.S., and if left in their native jungles, most will die anyway. Better a pampered tropical bird in a gilded cage than lunch for some predator, or starvation as the jungles are cleared by slash-and-burn farmers. The same data transparency of borders, where truckloads of stuff come in easily, means that truckloads of birds, eggs, embryos, babies, etc. can also make it in. Most such shipments are only caught when surveillance yields a shipping schedule...such surveillance is becoming more and more difficult because of the technologies we push. --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From mixmaster at anon.alias.net Mon Jan 15 16:50:24 1996 From: mixmaster at anon.alias.net (Mr. Nobody) Date: Mon, 15 Jan 96 16:50:24 PST Subject: None Message-ID: <199601160035.SAA00597@fuqua.fiftysix.org> > From: sameer > Cc: don at cs.byu.edu, cypherpunks at toad.com > Date: Mon, 15 Jan 1996 09:25:52 -0800 (PST) > > > I think that there are several. The one at CMU can be reached > > at http://anonymizer.cs.cmu.edu:8080/open.html. I thought that > > Sameer had one at c2.org, but a quick look at his web site didn't > > turn up anything. > > c2.org will be hosting the anonymizer shortly. We can't > exactly run it off of our T1 though, so we have to wait a little while > until we get T3 access. 
Is the source code for this anonymizer publicly available? Thanks. From unicorn at schloss.li Mon Jan 15 17:26:09 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 15 Jan 96 17:26:09 PST Subject: CelBomb In-Reply-To: <199601071609.LAA23989@pipe4.nyc.pipeline.com> Message-ID: On Sun, 7 Jan 1996, John Young wrote: > The New York Post, Jan 6, 1996. By Uri Dan from Jerusalem > > Palestinian police said Ayash [The Engineer] was killed > north of Gaza City when he answered a call on a cell > phone rigged with two ounces of explosives. > > Israeli sources said the phone had been secretly traded for > Ayash's real phone -- and the explosion was triggered by > remote control once it was determined he was on the line. This is misleading. The Engineer was known to be surrounded by cellphones all the time. Many of his closer supporters would take calls for him on their phones and hand the phone over for him to talk on. This is why the ploy worked. No real way to notice that his "regular" phone was exchanged for a new shiny one with a bulging battery pack or somesuch. > > ---------- > > No brand name given, however, another source writes that > Mot runs the IL cel net. So use that neat audio-vox > wire on MicroTAC Elites only with paid-up Shin Bet dues, > absent TS-immunization. > > > > > > > > > > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." 
in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From bdolan at use.usit.net Mon Jan 15 02:11:32 1996 From: bdolan at use.usit.net (Brad Dolan) Date: Mon, 15 Jan 1996 18:11:32 +0800 Subject: CAQ - Secret FISA Court Violates Rights (fwd) Message-ID: ---------- Forwarded message ---------- Subject: CAQ - Secret FISA Court Violates Rights C O V E R T A C T I O N I N F O R M A T I O N B U L L E T I N ========================================== CovertAction Quarterly has won numerous awards for investigative journalism. It is read around the world by investigative reporters, activists, scholars, intelligence buffs, news junkies, and anyone who wants to know the news and analysis behind the soundbites and headlines. Recommended by Noam Chomsky; targeted by the CIA. Each article in the 64-page magazine, which is in its 16th year of publication, is extensively footnoted and accompanied by photographs and graphics. ============================== For a single issues send $6. A one year subscription: US $22; / Canada/Mexico $27; Latin America/Europe $33; / Other areas $35. Please send check or money order in $US to: CAQ, 1500 Massachusetts Ave. #732 , Washington, DC 20005, USA Phone: 202-331-9763 / Fax: 202-331-9751 / E-mail: caq at igc.apc.org ================================================================= THE SECRET FISA COURT: RUBBER STAMPING ON RIGHTS by Philip Colangelo Part 1 of 3 SEVEN JUDGES ON A SECRET COURT HAVE AUTHORIZED ALL BUT ONE OF OVER 7,500 REQUESTS TO SPY IN THE NAME OF NATIONAL SECURITY. THEY MEET IN SECRET, WITH NO PUBLISHED ORDERS, OPINIONS, OR PUBLIC RECORD. THOSE SPIED ON MAY NEVER KNOW OF THE INTRUSION. NOW, CLINTON HAS EXPANDED THE POWERS TO INCLUDE NOT ONLY ELECTRONIC, BUT PHYSICAL SEARCHES. The aftershock of the Oklahoma City bombing sent Congress scurrying to trade off civil liberties for an illusion of public safety. 
A good ten weeks before that terrible attack, however with a barely noticed pen stroke President Bill Clinton virtually killed off the Fourth Amendment when he approved a law to expand the already extraordinary powers of the strangest creation in the history of the federal judiciary. *2 Since its founding in 1978, a secret court created by the Foreign Intelligence Surveillance Act (FISA rhymes with ice -a) has received 7,539 applications to authorize electronic surveillance within the U.S. In the name of national security, the court has approved all but one of these requests from the Justice Department on behalf of the Federal Bureau of Investigation and the National Security Agency. *3 Each of these decisions was reached in secret, with no published orders, opinions, or public record. The people, organizations, or embassies spied on were not notified of either the hearing or the surveillance itself. The American Civil Liberties Union was not able to unearth a single instance in which the target of a FISA wiretap was allowed to review the initial application. Nor would the targets be offered any opportunity to see transcripts of the conversations taped by the government and explain their side of the story. Without access to such materials, said Kate Martin of the ACLU, targets of FISA searches are denied any meaningful opportunity to contest the basis for the execution of the FISA search. *4 ======================================== OPEN-ENDED SURVEILLANCE When Clinton signed Executive Order 12949 on February 9, the frightening mandate of the FISA, court was greatly expanded: It now has legal authority to approve black-bag operations to authorize Department of Justice (DoJ) requests to conduct physical as well as electronic searches, without obtaining a warrant in open court, without notifying the subject, without providing an inventory of items seized. 
The targets need not be under suspicion of committing a crime, but may be investigated when probable cause results solely from their associations or status: for example, belonging to, or aiding and abetting organizations deemed to pose a threat to U.S. national security. Furthermore, despite a lowered standard for applying the Fourth Amendment against unreasonable search and seizure than is necessary in other U.S. courts,5 under the 1995 expansion, evidence gathered by the FISA court may now be used in criminal trials. Previously, evidence was collected and stockpiled solely for intelligence purposes. ========================================================== LEGALIZING THE AMES SEARCH Granting new powers to the FISA court was accomplished quietly and treated as a non-event in the national media. The lack of reporting was somehow fitting, though, following as it did the silent debate last year when Congress rubberstamped the annual Intelligence Authorization Act. *6 Some legal minds found the whole exercise positively refreshing. The fact that this was done with a minimum of fuss and posturing on both sides, and without having to have a debate that tries to roll up the corners of classified information is very impressive, cheered former NSA General Counsel Stewart Baker. *7 Reportedly, the Clinton administration had not always been enthusiastic about expanding the court's powers. Like its predecessors, it operated under the assumption that the executive already had inherent authority to exempt itself from Fourth Amendment constraints and could order warrantless searches to protect national security. Nonetheless, the government avoided allowing this inherent authority to be tested in the courts. *8 Then along came Aldrich Ames. The spy case proved a convenient vehicle on which to hitch expansion of state power. It also offered a glimpse at the state-of-the-art domestic counterintelligence techniques that might well be turned on an activist group near you. 
Following months of electronic and physical surveillance which included a break-in of Ames' car and searches through his office and family trash FBI agents were finally turned loose in the early morning hours of October 9, 1993. They didn't `pick' locks like in the movies; they made their own keys. Among other agents in the FBI, the consensus was unanimous: The tech agents were geniuses. *9 Thanks to a warrant authorized by Attorney General Janet Reno, a team of agents from the sprawling National Security Division had permission to enter the Ames home in Arlington, Va.10 There was only one minor problem. The attorney general of the United States does not have the authority to order a warrantless physical search of a citizen's home, argued Professor Jonathan Turley of George Washington University National Law Center. The Aldrich Ames search in my view was obviously and egregiously unconstitutional. 11 Other civil liberties lawyers agree with this evaluation, and the Justice Department itself was concerned enough about the question to refer to this problem when it negotiated a deal with Ames in order to avoid trial. While Ames was sentenced to life in prison, his wife Rosario received five years. We didn't get to the point of litigation, I regret to say, said Ames' lawyer Plato Cacheris. The problem was that Ames very much wanted to see that his wife was treated a little more softly than he was being treated. *12 Now eager to put a stamp of judicial impartiality on the hazy executive branch doctrine of inherent authority, the Justice Department immediately got behind the bill to expand the FISA court's power. 
Soon after Ames pleaded guilty last year to spying, administration officials began arguing that adherence to traditional Fourth Amendment protections for American citizens would unduly frustrate counterintelligence efforts against spies operating in the U.S.13 Physical searches to gather foreign intelligence depend on secrecy, argued Deputy Attorney General Jamie Gorelick. If the existence of these searches were known to the foreign power targets, they would alter their activities to render the information useless. 14 Gorelick went on to explain that A [traditional] search can only be made when there's probable cause to believe a crime is involved, whereas a national-security search can be made at a substantially earlier stage. We often don't know what we're looking for when we go in, she observed.15 ====================================================== From llurch at networking.stanford.edu Mon Jan 15 18:17:39 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 15 Jan 96 18:17:39 PST Subject: Eggs at Customs (fwd) In-Reply-To: Message-ID: On Mon, 15 Jan 1996, Timothy C. May wrote: > At 11:36 PM 1/15/96, Lindsay Haisley wrote: > >There has (fortunately!) been a big crackdown recently on the illegal pet > >bird import trade, something akin to the slave trade of the 19th century for > >those of us who like pet birds. One of the methods people use to import > >birds is to wear special vests full of pockets for rare bird eggs. > > Yes, Cliff Stoll described how this plot was hatched in his book "The > Cuckoo's Egg." > > (This was a yolk, folks. I stoll it.) For that you must be punished. > P.S. I am persuaded that the importation of rare tropical birds into the > U.S. is a GOOD THING, and that the attempts to ban such imports are > misguided eco-fundie efforts. Diversity will be enhanced by having the > birds in the U.S., and if left in their native jungles, most will die > anyway. 
Better a pampered tropical bird in a gilded cage than lunch for > some predator, or starvation as the jungles are cleared by slash-and-burn > farmers. Scientifically invalid. Releasing non-native species can really wreck an ecosystem because of the lack of evolved countermeasures. See kudzu weeds in the South, or the Mediterranean fruit fly in California, or pigs and sheep on tropical islands, or humans with big brains and opposable thumbs anywhere but Africa. The better engineered solution would be to feed the slash-and-burn farmers some other way. Kind of analogous to an engineer like Paul Kocher taking a hard look at crypto systems that had only been analyzed by pure mathematicians. You need to feed the sniffers real entropy, not just highly evolved math. -rich From jimbell at pacifier.com Mon Jan 15 18:31:18 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 15 Jan 96 18:31:18 PST Subject: Phil Z getting through customs Message-ID: At 11:21 AM 1/15/96 -0800, Simon Spero wrote: >When I was a student and had long hair, I used to always get questioned >when going throught customs. After graduating, and having normal length >hair, I had a lot less trouble. This seems odd. Logically (okay, I know logic doesn't work with the government) any smuggler is going to try to be as innocuous as possible. He's cut his hair, and shave, and probably wear a tie, etc. Which means the government should pay more attention to.... Oh, never mind! >The strictest customs I've been through is at Lod (Tel Aviv); there the >assumption is that everybody is going to try and bring in at least >some sort of radio/fax machine to avoid the high taxes, so they check all >baggage. They do have the best security team in general though, so it >balances out. Some comedian 15 years or so ago (David Brenner, maybe?) had a joke which went something like this: "The odds of there being a bomb on a commercial airliner is one in a million. 
The odds of there being TWO bombs on a commercial airliner are one in a _million_million_. Therefore, if you are taking an airplane flight and want to feel REALLY safe....Take a bomb!" From jimbell at pacifier.com Mon Jan 15 18:34:07 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 15 Jan 96 18:34:07 PST Subject: PGP for CP/M? Message-ID: Okay, everybody, you can stop laughing now. I don't really want a copy of PGP for CP/M, but I was just a bit curious as to whether anybody had ever ported it to CP/M. Nostalgia reasons, primarily. From tcmay at got.net Mon Jan 15 18:41:08 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 15 Jan 96 18:41:08 PST Subject: Eggs, or, To Get Some Entropy You Gotta Break Some Eggs... Message-ID: (Amazing that a discussion of eggs could come back to crypto...) At 2:17 AM 1/16/96, Rich Graves wrote: >Kind of analogous to an engineer like Paul Kocher taking a hard look at >crypto systems that had only been analyzed by pure mathematicians. You >need to feed the sniffers real entropy, not just highly evolved math. I keep thinking of different ways of looking at Kocher's timing attack. (Paul Kocher gave a nice talk at the Bay Area Cypherpunks meeting on Saturday.) Rich's point above suggests yet another way of looking at this: that a chip or algorithm that can be "instrumented" (timing measured) is in some sense too predictable. The chip itself lacks sufficient entropy. (Before the purists, especially those who've read the paper closely, jump on me here, I'm not saying adding random delays is the best way to deter the attack. In fact, a variation of blinding is the best approach it seems. (Though blinding does not affect attacks which monitor the crypto chip's or CPU's power dissipation.)) My point, or this angle on it, is that to some extent the mechanistic nature of the encryption process (such as Diffie-Hellman) can leak information to an attacker who can watch the mechanistic process unfolding. 
This is a result which is not surprising, in retrospect. --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From ses at tipper.oit.unc.edu Mon Jan 15 22:54:20 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Mon, 15 Jan 96 22:54:20 PST Subject: Eggs at Customs AND a quick question In-Reply-To: Message-ID: > > PS -- Going to consolidate posts here. Can someone recommend a good > text for an intro to Number Theory? I've been reading "Number Theory and it's History" by Oystein Ore (1948, reprinted by Dover books, $9.95). It's old, but it's understandable to a computist like me, and if it's in print after 58 years, it can't be bad :) Simon From shamrock at netcom.com Mon Jan 15 23:45:09 1996 From: shamrock at netcom.com (Lucky Green) Date: Mon, 15 Jan 96 23:45:09 PST Subject: Digital postage and remailer abuse (was Re: Novel use of Usenet and remailersto mailbomb from luzskru@cpcnet.com) Message-ID: At 8:47 1/13/96, Alan Bostick wrote: >Maybe I'm misunderstanding how using digital postage with remailers would >work. I was assuming that the postage stamp would be included *inside* >the encrypted envelope, that what the remailer would do on receipt of >mail would be: (a) decrypt the envelope; (b) validate the postage stamp; >and (if the stamp is valid) (c) forward the message according to the >now-decryped instructions. > >Using this model, if the perpetrator doesn't include a postage stamp, >then the message is ignored. 
If the perp includes a stamp, the first >horny net geek's message is relayed but subsequent ones get bounced for >invalid postage. You are right. -- Lucky Green PGP encrypted mail preferred. From dl at hplyot.obspm.fr Tue Jan 16 01:38:47 1996 From: dl at hplyot.obspm.fr (Laurent Demailly) Date: Tue, 16 Jan 96 01:38:47 PST Subject: (none) [httpd finding your identity] In-Reply-To: <199601150454.VAA00449@wero.cs.byu.edu> Message-ID: <9601160932.AA03324@hplyot.obspm.fr> Jamie Zawinski writes: [...] > Very, very early betas of Netscape (around 0.6 or so, I think) did give > away whatever the previous page was, and I think old versions of Mosaic > did so as well. Netscape still had this bug in late 0.9x beta versions (that you still got plenty of url encoded passwords early last year) Lynx had it at least up to 2.3.7, etc... dl -- Laurent Demailly * http://hplyot.obspm.fr/~dl/ * Linux|PGP|Gnu|Tcl|... Freedom Prime#1: cent cinq mille cent cinq milliards cent cinq mille cent soixante sept From s1018954 at aix2.uottawa.ca Tue Jan 16 04:10:16 1996 From: s1018954 at aix2.uottawa.ca (s1018954 at aix2.uottawa.ca) Date: Tue, 16 Jan 96 04:10:16 PST Subject: Number theory text In-Reply-To: Message-ID: On Tue, 16 Jan 1996, Mark Rogaski wrote: > PS -- Going to consolidate posts here. Can someone recommend a good > text for an intro to Number Theory? My school's using Elementary Number Theory and Its Applications 3rd edition (I think it is just out) by Kenneth H. Rosen, Addison-Wesley, it seems to cover a bit of crypto and the latest improvements in factoring. For more crypto orientation, Schneier recommends A Course in Number Theory and Cryptography 2nd ed, Neal Koblitz, Springer-Verlag, 1994. The intro to number theory is more of a review, but the crypto part kicks in after page 54 and spans the rest of the book.
Getting your Num Theory from Rosen and your crypto from Koblitz is a good bet, as your local university library's likely to have both (mine had both 2nd eds, just picked 'em up as a matter of coincidence). Rosen seems to be one of those "standard textbooks" (we're using his Discrete Math text too) and as for Koblitz, books by Springer have extremely high chances of turning up in universities. (It's in the yellow Grad Texts in Math series, not the familiar silver Lecture Notes in CS series)

From jya at pipeline.com Tue Jan 16 04:29:46 1996
From: jya at pipeline.com (John Young)
Date: Tue, 16 Jan 96 04:29:46 PST
Subject: TOR_del
Message-ID: <199601161229.HAA27278@pipe1.nyc.pipeline.com>

1-16-96. NYPaper:

"Louis W. Tordella, 84, Who Helped Break German Military Code in World War II."

A mathematician who helped break Enigma, and later spent 16 years as the deputy director of the National Security Agency.

An intelligence visionary who had helped create and shape NSA even before he became its deputy director in 1958, Dr. Tordella was regarded both as a pioneer in the development of ever more powerful and sophisticated computers to break enemy codes and as a master administrator who established a combined code-breaking operation and then ran it.

Since decryption devices did not exist, he and his colleagues simply designed and built them, not only breaking the enemy codes but helping to lay the theoretical and practical groundwork for what has become a vast computer industry.

TOR_del

[For more on Tordella, see Bamford's "The Puzzle Palace."]

From hallam at w3.org Tue Jan 16 09:04:03 1996
From: hallam at w3.org (hallam at w3.org)
Date: Tue, 16 Jan 96 09:04:03 PST
Subject: Crypto anarchist getting through customs
In-Reply-To: <199601161622.IAA28208@blob.best.net>
Message-ID: <9601161703.AA24201@zorch.w3.org>

>> Bubba signed PPD 25 which permits UN control of US
>> forces, _in America_! and allows the UN to bring in UN troops.
>While there are undoubtedly people plotting a one world government,
>the miserable performance of the blue helmets means that there
>is no present danger. Soldiers are just not willing to die for
>the greater glory of the United Nations.

This type of world government talk is a peculiarly US type of paranoia. It is clear that the people who indulge in this class of conspiracy theory do not believe in the US system of government, and consider it to be a failure. Hence the constant denigration of the political institutions, the belief that all institutions of government are inherently corrupt etc etc etc.

Sounds like the sort of people who should be pressing for the US to be taken under UN administration. After all the UN's major role is to replace governments where governance has failed.

A little known fact to bear in mind is that when the Treaty of Paris was signed the British signatory had his fingers crossed behind his back! The entire US constitution is thus invalid and the US is in reality still a part of the British Empire!

Phill

From attila at primenet.com Mon Jan 15 19:12:15 1996
From: attila at primenet.com (attila)
Date: Tue, 16 Jan 1996 11:12:15 +0800
Subject: mailbombing and anonymity -- inseparable
In-Reply-To: <199601152251.PAA07589@nagina.cs.colorado.edu>
Message-ID:

if you get the usual 150+ msg/day I do, you break it up into folders, set the reader to proceed sequentially through the folders, in an order defined in .pinerc. I have 30 folders current.

when a particular person becomes annoying:

    # net assholes
    :0 HB
    * ( Fred.*Cohen|fc at all.net|vznuri|kevin.dirks )
    assholes

takes care of the problem nicely. If you get bored with a newsletter, etc. I move its folder address in procmail to "bigsleep" and every so often I try to cancel the group.

Now, if I wish to really get hostile, I have a little program which returns the message showing "bounce at ..." in the From:, Reply-To:, and Sent-By: fields.
At the top of the body it 'shouts' the sender is objectionable and the mail returned. It does keep a log of who it bounced and if it is one of the no-return types, it 'learns' from another list to use /dev/null.

There is no limit to how far you can go, including mail bombing. spoofing the top line From is hard to do for lack of insecure mailers, but it can be done by other means. The only spammer I have had trouble discouraging is nashville.net. But I really do not believe in mail bombing as it hurts too many bystanders --cheap to generate, but expensive to clean up after.

So, indulge in procmail(), premail(), formail(), and older versions of smail() and join the fun.

__________________________________________________________________________
go not unto usenet for advice, for the inhabitants thereof will say:
yes, and no, and maybe, and I don't know, and fuck-off.
_________________________________________________________________ attila__

To be a ruler of men, you need at least 12 inches....

From tcmay at got.net Tue Jan 16 11:36:59 1996
From: tcmay at got.net (Timothy C. May)
Date: Tue, 16 Jan 96 11:36:59 PST
Subject: Spiderspace
Message-ID:

At 7:22 PM 1/16/96, Mike McNally wrote:
>Ed Carp writes:
> > ... I was under the impression that the only documents that most web crawlers
> > will search are documents that are link-accessible. Are you saying that this
> > isn't true? Are you saying that Alta-Vista will search EVERYTHING that's
> > publicly accessible, whether by anonymous FTP or web?
>
>Ah, but if it hits a site that's set up with a top-level directory
>which *does* contain an "index" page but whose server *doesn't*
>recognize the index page name, then when you hit the site you
>(probably) get one of those server-generated indices. Those things
>generally have *everything* in the directory visible (except those
>files blocked by the server configuration, usually stuff like emacs
>temp files), and so there you go...
What I've found are a lot of files which are sitting in directories. I'm not sure I have the terminology down perfectly, but the Alta Vista search reveals a link, I click on it, and I'm in the fairly common "Web access to a file system" situation, where I can click on files, directories, move up and down the directory structure, etc.

The files are not "Web documents" in the sense of having been prepared for the Web (with fancy fonts, pictures, etc.), but they are certainly fully accessible via the Web.

--Tim

We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From dlv at bwalk.dm.com Mon Jan 15 19:43:16 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Tue, 16 Jan 1996 11:43:16 +0800
Subject: New Puzzle Palace? Re: CAQ - Secret ...
In-Reply-To: <9601151840.AA00925@w20-575-119.MIT.EDU>
Message-ID:

grimm at MIT.EDU writes:
> Schneier has done a major rewrite, or at least included *lots* of new
> info. I haven't gotten a copy yet, but I saw one, and it was twice as
> thick as the first version.
>
> Now I just need the money to buy the book...

I think I paid $40 for the first edition. I wish I could trade it in for a discount. :-)

---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

From bshantz at nwlink.com Mon Jan 15 19:44:35 1996
From: bshantz at nwlink.com (Brad Shantz)
Date: Tue, 16 Jan 1996 11:44:35 +0800
Subject: [NOISE] Re: Eggs at Customs
Message-ID: <199601152213.OAA19487@montana.nwlink.com>

Tim May wrote:

> Me: "Yes, I have green eggs, and ham, too.
> The eggs in Paris are especially
> fresh this time of year."

I would like to announce that from all of the mail I've received about the egg question, Tim receives the special award for the best answer. I would like to say though that at the time I was in Ottawa, it was right during the Quebec Referendum vote. Making a joke about the French (i.e. Parisian eggs) could have stuck me in a little room with a customs officer for much, much longer.

Who knows, maybe I was a French Canadian spy!!! hmmmm....

Brad

From alanh at infi.net Mon Jan 15 20:00:49 1996
From: alanh at infi.net (Alan Horowitz)
Date: Tue, 16 Jan 1996 12:00:49 +0800
Subject: Eggs at Customs (fwd)
In-Reply-To:
Message-ID:

Well, who is a non-native? If it walked across the Bering Sea land bridge a few thousand years ago, does it have a higher moral value than if it hopped a ride on the bilges of a cargo ship in 1957?

If you want to isolate the rainforest until mankind has had time to completely inventory all the species and test them to see if they are the next cure for malaria or an exploitable raw material, well, now you have my sympathy.

Alan Horowitz
alanh at norfolk.infi.net

From jlasser at rwd.goucher.edu Mon Jan 15 20:15:41 1996
From: jlasser at rwd.goucher.edu (Jon Lasser)
Date: Tue, 16 Jan 1996 12:15:41 +0800
Subject: Novell & Microsoft Settle Largest BBS Piracy Case Ever
In-Reply-To: <199601152123.QAA28777@jekyll.piermont.com>
Message-ID:

On Mon, 15 Jan 1996, Perry E. Metzger wrote:

> Gary Edstrom writes:
> > I saw this in a news summary today and thought that it might be of
> > interest to the list. Sorry, but this is all of the article that I
> > have.
>
> Repeat after me:
>
> This is not software piracy punks. This is CYPHERpunks. We talk about
> cryptography and its implications on society. Software piracy isn't a
> topic around here.
Except, of course, if truly anonymous transactions were easily available now, the people wouldn't have gotten caught AND could have made a bundle in the process...

End of governments = decline (but not end) of software markets?

Jon Lasser
------------------------------------------------------------------------------
Jon Lasser (410)494-3072
Visit my home page at http://www.goucher.edu/~jlasser/
You have a friend at the NSA: Big Brother is watching. Finger for PGP key.

From tcmay at got.net Mon Jan 15 20:17:59 1996
From: tcmay at got.net (Timothy C. May)
Date: Tue, 16 Jan 1996 12:17:59 +0800
Subject: Crypto anarchist getting through customs
Message-ID:

At 3:27 AM 1/16/96, Alan Horowitz wrote:
>My bullshit detector is starting to pin the needle.
>
>US Customs doesn't care about your political status or leanings.
>They want to collect the proper excise and catch contraband.
>
>There are INS people at passport control. I am skeptical that they
>would detain a US passport holder for 36 hours. I would like to see some
>evidence that this actually happened.
>
>US citizens can't be excluded from the country, nor have their
>citizenship taken away from them.

Since you're addressing this to me, what exactly did I say--be specific--that you think I was bullshitting about?

They can, and do, detain entering citizens, as the Zimmermann case showed. And our own Fred Cohen confirms that he was detained upon re-entering the U.S. from Canada.

--Tim May

We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
From s1018954 at aix2.uottawa.ca Mon Jan 15 20:31:54 1996
From: s1018954 at aix2.uottawa.ca (s1018954 at aix2.uottawa.ca)
Date: Tue, 16 Jan 1996 12:31:54 +0800
Subject: Respect for privacy != Re: exposure=deterence?
In-Reply-To: <199601152213.RAA19247@universe.digex.net>
Message-ID:

*Overlong and badly edited argument in underhanded support of government anonymity follows, it gets better towards the end, feel free to skim*

On Mon, 15 Jan 1996, Scott Brickner wrote:

> s1018954 at aix2.uottawa.ca writes:
> >My apologies for responding to a political post.

Here I go again.

> I agree with Charlie. These government employees claim to be working
> for the american taxpayers, of which group I am a member. Government
> agents must, therefore, expect to be accountable to the citizens, while
> accountability in the other direction is virtually the definition of
> tyranny.

I mostly agree with that argument on even days and mostly disagree with it on odd ones. The way I see it mostly depends on whether or not you believe in organizational thermodynamics ("the center cannot hold, entropy increases...") and positive and practical uses of absolute freedom of speech (and by extension the anonymity to keep it that way).

Should government employees be "allowed" to have access to the package deal of anonymity (and money laundering) that we are pushing? First you should check whether or not they already do and in what form it comes. As we've seen in (among many other things) the persecution of Phil Z., there definitely are the proverbial nameless bureaucrats. Is this not anonymity?

FOIA filings or suits cost money, time and sanity. While you can get the odd tidbit out of this method, it is not for the faint-hearted and will not get you anything that the government wants to keep classified (except in the really odd case that it was temporarily unclassified by accident). If government accountability is to be based upon this disclosure method, then it is on very shaky footing.
This is anonymity, not the overt and freely usable anonymity of the cypherpunk style, but covert anonymity, that which exists for an entrenched institution while giving the public impression of not being there and justifying inadequate measures like the FOIA. This is a form of organizational steganography, I guess.

Consider on the other hand if a large part of the governmental communications infrastructure, let's say email and groupware were conducted through a remailernet or somesuch cpunk-style anonymizing scheme. Would bureaucratic secrecy get any worse? Since I am neither an active activist nor a journalist, I cannot say. I do know that besides the natural desire of the spook agencies to work this way, many businesses have often claimed that there are productivity advantages to anonymous offices communications and boardroom meetings. They tend to generate creative ideas and encourage honesty and outspokenness by those lower on the pecking order. So there are legitimate business uses for it. The more legitimate the concept becomes, the more people get used to it and start thinking about the advantages and the implications of not using True Names. (I realize this has been said before, bide with me.) Think of it as grass-roots crypto vs. institutional stego.

Legitimacy, publicity and widespread use are one thing, giving it to government is another. The argument is that if we legitimize privacy for the gov, that's the end of democracy. IMO, if you sell people on the illusion of fourth estate power to verify gov action and render them accountable, you are living in an even more dangerous form of self-denial and willful ignorance.

So far so good, nothing new. But what if there are actual benefits to be had? If cypherpunks have some latent desire to speak freely, maybe this is a natural tendency for everyone else too. Ottawa is the bureaucratic capital of this country.
In my short stay here, the most vehement opposition to the bureaucracy and red tape I have heard has been from the fed-up bureaucrats themselves. They are the poor saps who must deal with this stupidity and waste day-in day-out. I assume the military and the spooks have it the worst (and I have heard them say just that). AFAIK this is our best constituency. Notice that Tim, of all people, is from a government town.

Journalists frequently get anonymous tips, the gov even occasionally pays lip-service to setting up an anonymous whistleblowers BBS. How were books like The Puzzle Palace written if not with inside help and off-the-record interviews? Need I mention the Pentagon Papers?

Anonymity is something the government (the organization) craves, yet allowing its employees to use the anonymity we as cypherpunks want could be the most underhanded present possible. Not only does it entrench it (if the entire government has it, how could they ban it?) but allows individuals within it to pass on the info they please without fear of persecution. If we are ever to get, let's say, the Skipjack algorithm, this scenario is much more likely than reverse-engineering of Clipper.

This has many implications. Anonymous government employees are IMHO a far more effective check on power than a disinterested easy-profit oriented mainstream press and overstretched civil liberties lobbies. Think of it as one organization with 3 million potential unions. Can anyone imagine what would have happened if even one of the pilots during the Gulf War had been able to anonymously post a video of the carpet-bombing of Iraq or any other contradiction of official reporting? No journalist could have done this.

The decentralizing, entropic power of masses of thinking individuals has more power than centralized paper-shuffling court-martialing rule. The gov is already out of control, maybe it will go out of control in a different direction once the technology of free speech permits it.
There is also very little we can do to stop anyone from using it. As Louis Freeh has discovered, once the technological genie is out of the bottle, it stays out. Should I be wrong about these positive implications, once the code is written, just as the inventors of nukes turned pacifist, the authors of crypto software will have no control over their creation. Giving to the public amounts to giving it to the gov. I simply prefer that it be overt rather than covert.

I will not even go into the positively underhanded benefits of giving the gov anon digicash. The issues are the same, but even moreso.

Three cheers for capitalism.

From sjb at universe.digex.net Mon Jan 15 20:55:21 1996
From: sjb at universe.digex.net (Scott Brickner)
Date: Tue, 16 Jan 1996 12:55:21 +0800
Subject: Respect for privacy != Re: exposure=deterence?
In-Reply-To:
Message-ID: <199601152213.RAA19247@universe.digex.net>

s1018954 at aix2.uottawa.ca writes:
>My apologies for responding to a political post.
>
>On Sat, 13 Jan 1996, Charlie Merritt wrote:
>
>> I feel that public exposure
>> is enough to put fear into these anonymous government employees.
>> You will note that when they get the mad_bomber
>> some FBI guy jumps right up and takes credit, live, on TV.
>> But when the Air Force orders a $300 toilet seat NO ONE is credited.
>
>It's interesting how we advocate anonymity for ourselves but not for our
>opponents. Feeling righteous?

I agree with Charlie. These government employees claim to be working for the american taxpayers, of which group I am a member. Government agents must, therefore, expect to be accountable to the citizens, while accountability in the other direction is virtually the definition of tyranny.
From unicorn at schloss.li Mon Jan 15 21:45:35 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Tue, 16 Jan 1996 13:45:35 +0800
Subject: CelBomb
In-Reply-To: <199601061349.IAA11236@pipe4.nyc.pipeline.com>
Message-ID:

On Sat, 6 Jan 1996, John Young wrote:

> Can anyone in IL, or elsewhere, report more on the head-job
> of The Engineer:
>
> Any crypto used to authenticate the target for the boombox,
> or to obscure links to the assassin?

No. It was not assumed that the victim would take special notice of the phone call, or certainly not enough to bother to try and track the signal realtime BEFORE accepting the phone. Hence, crypto is serious overkill.

>
> How was the blast specifically targeted at him and not a
> phone borrower?

The phone was given to a trusted traitor, a call comes in, trusted agent tells hapless victim that he should talk to this person, caller establishes that this is the target by voice or otherwise, then hits e.g., the pound key, which triggers the explosive concealed in the battery. The charge was shaped to deliver the most available force into the ear. Not much explosive is required for such an application.

> How it was set off -- by user-dialing, remote control, some
> other means?

DTMF dialing. It may also have been a special frequency not available from the keypad, but I don't believe so.

> Any fishy smelling brand names to immediately run from?

Whatever is being used. The installation was a totally custom job, and incidentally, quite simple in implementation. Never take anything from others without close scrutiny if you are this wanted. Such devices on normal phones are common methods. Moving them to keep up with technology is a simple matter.

> Answers urgent.

Uh huh. Sure.

---
My preferred and soon to be permanent e-mail address: unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."
                                          in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information

From attila at primenet.com Mon Jan 15 21:50:53 1996
From: attila at primenet.com (attila)
Date: Tue, 16 Jan 1996 13:50:53 +0800
Subject: Crypto anarchist getting through customs
In-Reply-To:
Message-ID:

On Mon, 15 Jan 1996, Timothy C. May wrote:

> YCO: " 'Cryptography'? " (A look of no comprehension.)
>
> Me: "Yes, cryptography. You know, secret codes, ciphers, stuff like that."
>
> YCO: "Were there any foreigners present?"
>
> Me: "Yes, it was in Monte Carlo. There were some Russians there, and lots
> of others."
>
> YCO: [brief pause] "Did you bring anything back with you?"
>
> Me: "No."
>
> YCO: [waved me through]
>

You were lucky. had the YCO understood the implications of crypto, he probably would not have been so genial. San Francisco is a good entry port for that reason --it does not seem to be a major drug entry point via commercial airlines. Secondly, the four or five times I have gone through there have been hi-bye even though I am flagged --however, carrying a foreign service passport (which has no relation to immunity) requires them to manually enter the number... end of story in loose ports.

>
> In my carry-on luggage I had half a dozen magneto-optical disks, carrying
> about a gigabyte of stuff. (As props to use during my talk on the
> France/Monte Carlo side, ironically, to show that borders are fully
> transparent.)
>

For the record, I have _never_ imported or exported anything relevant as my own courier; there are far too many easy ways...

>
> Frequent travellers to Europe will no doubt confirm what I'm saying. I
> travelled to dozens of countries in Europe a while back, and never was
> checked at any borders, save for a quick glance at my passport.
>
> --Tim May
>

For the most part that is very true. The only places I ever get hassled is at obscure German-Swiss borders at night (driving).
Usually an older officer stuck with nights to encourage resignation --breeds a foul temper and absolute lack of humour --not that the Swiss ever had one

"National borders aren't even speed bumps on the information superhighway."
>

yup, there's always high bandwidth spread spectrum in a truck.

attila

__________________________________________________________________________
go not unto usenet for advice, for the inhabitants thereof will say:
yes, and no, and maybe, and I don't know, and fuck-off.
_________________________________________________________________ attila__

To be a ruler of men, you need at least 12 inches....

From llurch at networking.stanford.edu Mon Jan 15 22:03:26 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Tue, 16 Jan 1996 14:03:26 +0800
Subject: Respect for privacy != Re: exposure=deterence?
In-Reply-To: <199601152213.RAA19247@universe.digex.net>
Message-ID:

On Mon, 15 Jan 1996, Scott Brickner wrote:

> s1018954 at aix2.uottawa.ca writes:
> >My apologies for responding to a political post.
> >
> >On Sat, 13 Jan 1996, Charlie Merritt wrote:
> >
> >> I feel that public exposure
> >> is enough to put fear into these anonymous government employees.
> >> You will note that when they get the mad_bomber
> >> some FBI guy jumps right up and takes credit, live, on TV.
> >> But when the Air Force orders a $300 toilet seat NO ONE is credited.
> >
> >It's interesting how we advocate anonymity for ourselves but not for our
> >opponents. Feeling righteous?
>
> I agree with Charlie. These government employees claim to be working
> for the american taxpayers, of which group I am a member. Government
> agents must, therefore, expect to be accountable to the citizens, while
> accountability in the other direction is virtually the definition of
> tyranny.

Absitively. But government employees should only be held accountable for their actions as government employees.
If the situation warrants, go ahead and tap their offices, break into their work computers, etc. But don't fuck with their personal lives.

Lots of people on this list have the power to carry out their own tyranny over both individuals and groups. All it takes in today's fragile online world is a little specialized knowledge. I don't think it's ethical to use this power without serious thought.

The line between government and non-government is increasingly blurry anyway. Everybody gets something from the government, be it roads or an education. Why should you be more suspicious of the guy getting paid $10/hour to deliver your mail by the government than the private businessman getting millions of dollars in government subsidies?

I think we're fundamentally asking the wrong question. I only see relative power. I'd estimate that Bill Gates is more powerful than Fidel Castro in many respects. He's certainly a lot more powerful than your average postal clerk.

-rich

P.S. For the Good of the Order, I'm temporarily ignoring jimbell

From mark at zang.com Mon Jan 15 22:04:31 1996
From: mark at zang.com (Mark (Mookie))
Date: Tue, 16 Jan 1996 14:04:31 +0800
Subject: The Last Mitnick Post/Thread
Message-ID: <199601160544.TAA08002@zang.com>

>Markoff, and Tsutomu acted reprehensibly by quoting sniffer sessions with Kevin
>and jsz in which my site was mentioned. Not only were the facts wrong

At the time everyone knew Kevin was getting very warm, the simple social contacts people had with him were becoming insidious due to the increased attention being put on him. He was becoming rather infatuated with some people too which some of his antics show. It was in this climate that a process of alienation began where lies were fed him and procrastination was offered as a reason for avoiding his spheres and requests. No one wants to hold the hot potato.
I'm actually observing similar activities today as someone who has a court date approaching is becoming alienated by his own actions and the attitudes of others. Preparing to go to jail was my first thought. Some people never learn.

>who/what netsys.com/Len Rose is, they only bothered to mention the past and not

What do you expect? They are out for emotive impact, bugger the facts. You being an internet service provider doesn't sell, but a couple of events in the past can be made to give everything a dark and dangerous flavour. Pique interest and generate another percent of sales.

>perhaps someone could clear jsz's name which seems to be pretty muddied by the
>somewhat irresponsible literary excesses which seem to fill the Tsutomu/Markoff

Him and all the others I've heard bandied about. It's a case of tall poppy syndrome where anyone who has a brain is pushed into a higher status than they want or deserve. I've seen a number of people recently who have been spoken of in vaulted tones or thought of as bleeding edge merely because they have had exposure to a lot of systems and their skill set is more than passable.

I think jsz's name was mentioned because it was the only intelligent conversation Shimomura actually got. Mitnick was always warezing and trading around and doing the 3133+ $p34K crap so prevalent today. I found him boorish and didn't pay much attention to him. It was only when this Shimomura crap started anyone cared who he spoke to.

I regard the whole sordid deal as a hollywood driven sales and marketing machine, most likely coached to the two players by their media backers. When they stop trying to make things into something they aren't is when I'll bother to pay any attention to their ravings.

nuff said.
Mark

From wendigo at pobox.com Mon Jan 15 22:09:12 1996
From: wendigo at pobox.com (Mark Rogaski)
Date: Tue, 16 Jan 1996 14:09:12 +0800
Subject: Eggs at Customs AND a quick question
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

- From the node of Timothy C. May:
:
: P.S. I am persuaded that the importation of rare tropical birds into the
: U.S. is a GOOD THING, and that the attempts to ban such imports are
: misguided eco-fundie efforts. Diversity will be enhanced by having the
: birds in the U.S., and if left in their native jungles, most will die
: anyway. Better a pampered tropical bird in a gilded cage than lunch for
: some predator, or starvation as the jungles are cleared by slash-and-burn
: farmers.

Aside from the amusing belief that caged life is preferable, let me point out that importation of species can be pretty nasty. Zebra mussels in the Great Lakes, Mongooses in Hawaii, those nasty snakes from Guam ... etc, etc.

:
: The same data transparency of borders, where truckloads of stuff come in
: easily, means that truckloads of birds, eggs, embryos, babies, etc. can
: also make it in. Most such shipments are only caught when surveillance
: yields a shipping schedule...such surveillance is becoming more and more
: difficult because of the technologies we push.

All right! Horseman #5 ... the bird smuggler ;)

PS -- Going to consolidate posts here. Can someone recommend a good text for an intro to Number Theory?

- -----
Mark Rogaski       100,000 lemmings   rogaski at pobox.com
aka Doc, wendigo   can't be wrong!    http://www.pobox.com/~rogaski/

VMS is as secure as a poodle encased in a block of lucite ... about as useful, too.
From tallpaul at pipeline.com Mon Jan 15 22:18:46 1996
From: tallpaul at pipeline.com (tallpaul)
Date: Tue, 16 Jan 1996 14:18:46 +0800
Subject: Eggs at Customs (fwd)
Message-ID: <199601160518.AAA05251@pipe10.nyc.pipeline.com>

On Jan 15, 1996 16:30:29, 'Rich Graves ' wrote:

>On Mon, 15 Jan 1996, Lindsay Haisley wrote:
>
>> There has (fortunately!) been a big crackdown recently on the illegal pet
>> bird import trade,...
>>
>
>And here I thought it was because eggs were a good medium for
>transporting biotoxins.
>
>I've been hanging out with you conspiracy freaks too much :-)
>
>-rich
>

You mean you actually believe the Jesuit/Masonic/ cover story about pet birds!! How naive can you get!!!

-- tallpaul

From llurch at networking.stanford.edu Mon Jan 15 22:31:48 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Tue, 16 Jan 1996 14:31:48 +0800
Subject: Need confirmation of Win95 password encryption back door
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

A Major Media Outlet requires confirmation that Windows 95, to facilitate its automatic reconnect feature for sleeping laptops and temporary network outages, caches all network passwords (NetWare, NT, UNIX running Samba, SLIP/PPP dialup) in unprotected memory in clear text, whether you've disabled persistent "password caching" to disk and applied the December 14th 128-bit RC4 .PWL patch, or not. There seems to be no way to turn this off.

The idea, of course, is that a simple trojan horse could do whatever it wanted with this information.
We know that this vulnerability exists in Windows for Workgroups, and Peter wrote a little demo (on hackmsoft page below, without source), but the APIs appear to have changed in Win95. So, anyone have Win95 and some time to kill, or can anyone recommend a good DOS/Windows RAM grepper? - -rich at c2.org http://www.c2.org/hacknmsoft/ $ Mon Jan 15 22:17:10 PST 1996 $ $ From llurch at networking.stanford.edu to cypherpunks at toad.com $ From perry at piermont.com Mon Jan 15 22:34:49 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 16 Jan 1996 14:34:49 +0800 Subject: Novell & Microsoft Settle Largest BBS Piracy Case Ever In-Reply-To: <30fac193.340341789@mailhost.primenet.com> Message-ID: <199601152123.QAA28777@jekyll.piermont.com> Gary Edstrom writes: > I saw this in a news summary today and thought that it might be of > interest to the list. Sorry, but this is all of the article that I > have. Repeat after me: This is not software piracy punks. This is CYPHERpunks. We talk about cryptography and its implications on society. Software piracy isn't a topic around here. Perry From llurch at networking.stanford.edu Mon Jan 15 22:37:59 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 16 Jan 1996 14:37:59 +0800 Subject: [NOISE] Re: Eggs at Customs (fwd) In-Reply-To: Message-ID: On Mon, 15 Jan 1996, Alan Horowitz wrote: > Well, who is a non-native? If it walked across the Bering Sea land > bridge a few thousand years ago, does it have a higher moral value than > if it hopped a ride on the bilges of a cargo ship in 1957? Morality has nothing to do with it. It's the speed of the evolution. 
If you walk across the straits, the system has the time to react and restore a dynamic equilibrium. If you immediately release a new species with no natural predators, the system is shattered, and it might not survive. This is not to say that ecosystems and societies are static -- they evolve constantly, displaying unpredictable punctuated equilibrium (Steven J. Gould was right, Edmund Burke and Karl Marx were wrong). Usually, the mutations (in biology or politics) are minor, and almost always, they are localized. Large-scale catastrophes like a meteor hitting the earth and killing all the dinosaurs (or whatever happened), or nuclear war, or whatever, are larger punctuation than normal. Sometimes the ecosystem recovers, sometimes a completely new ecosystem forms, sometimes all life but the cockroaches is wiped out. Politically and morally, I'm a follower of the realist school (Morgenthau et al). It is right for the US to dominate the world because it has the most power. On the level of international relations, it doesn't matter how it got that way; trying to reverse the power realities would be like trying to dam the Pacific Ocean. Of course, in specific cases in the present, we can make moral choices, and if we feel like it, we can help out the present victims of historical "immorality" (like the fact that the descendants of slaves weren't born into the same inheritance as the descendants of the Carnegies and Vanderbilts). > If you want to isolate the rainforest until mankind has had time to > completely inventory all the species and test them to see if they are the > next cure for malaria or an exploitable raw material, well, now you have > my sympathy. Sympathy is the wrong emotion for both politics and science, but then, what you're talking about isn't sympathy. 
Cute cuddly seals and friendly dolphins and teddy bears get "sympathy" among mainstream "environmentalists," and the Sierra Club and World Wildlife Federation calendars raise a lot of money, but it's the plants and bugs and bacteria that are really important. Elephants and blue whales look big and important to us, but they're really inconsequential in the larger scheme of biodiversity. They could go extinct and the planet doesn't really care. But kill the blue-green algae and the trees, and we're all dead. -rich From jfricker at vertexgroup.com Tue Jan 16 15:02:39 1996 From: jfricker at vertexgroup.com (John F. Fricker) Date: Tue, 16 Jan 96 15:02:39 PST Subject: Spiderspace Message-ID: <2.2.32.19960116231023.00616ea8@vertexgroup.com> At 11:38 AM 1/16/96 -0800, you wrote: > >I've been thinking a lot about the problems and opportunities that are >coming up as more and more "spiders" (Web searchers, crawlers) are indexing >directories and files on systems they can find. I haven't checked my logs for Alta Vista but many of the spiders do follow the robot exclusion standard. A simple text file that should be retrieved first by any spider that explains where one may not go. The standard is fully explained at: http://info.webcrawler.com/mak/projects/robots/norobots.html But this does nothing for those items sitting in more traditional public space. Obscurity is no longer security. From jwz at netscape.com Mon Jan 15 23:12:29 1996 From: jwz at netscape.com (Jamie Zawinski) Date: Tue, 16 Jan 1996 15:12:29 +0800 Subject: (none) [httpd finding your identity] In-Reply-To: <199601150454.VAA00449@wero.cs.byu.edu> Message-ID: <30FB18FC.5CD9BFF6@netscape.com> Jeff Weinstein wrote: > > > can do about the reverse-ip, but what about http referral field? Will > > there be a way to turn off (blank, actually) this field? > > I would like to add a way to turn it off, but it won't happen in 2.0. 
Something that a lot of people don't realize is that the HTTP referrer field is only sent when you've actually clicked on a link -- it does not just give away the last page you happened to be looking at, it only gives away pages that actually refer to the one you're going to. So if you're concerned about leaving a trail to a particular page, you can go there by pasting the URL into the Location field, or via a bookmark (menu item, not page), etc. Very, very early betas of Netscape (around 0.6 or so, I think) did give away whatever the previous page was, and I think old versions of Mosaic did so as well. -- Jamie Zawinski jwz at netscape.com http://www.netscape.com/people/jwz/ ``A signature isn't a return address, it is the ASCII equivalent of a black velvet clown painting; it's a rectangle of carets surrounding a quote from a literary giant of weeniedom like Heinlein or Dr. Who.'' -- Chris Maeda From blancw at accessone.com Tue Jan 16 00:00:55 1996 From: blancw at accessone.com (blanc) Date: Tue, 16 Jan 1996 16:00:55 +0800 Subject: FW: Net Control is Thought Control Message-ID: <01BAE3A0.1232C6A0@blancw.accessone.com> From: Vladimir Z. Nuri at LD.com I don't understand your point. both the agent provocateur and "victim" are crucial to the process of brainwashing. they are the yin and yang of it all, of course, and I am certainly not arguing otherwise. what I was pointing out was that it is increasingly difficult to identify people's secret agenda in cyberspace. .............................................................................................. "What distinguishes coercive persuasion from other kinds of influence processes is the degree to which the person who is to be influenced is physically or psychologically confined to a situation in which he must continue to expose himself to unfreezing pressures. 
Not only did the prison confine him physically, but the round-the-clock vigilance and pressure from cellmates confined the person psychologically to an environment in which unusually intense unfreezing pressures were present at all times...." (from the book) Now, you know that no one either on this list or anywhere in cyberspace is confined, either physically or psychologically, to continuously & unwillingly expose themselves to alt.usenet.kooks or http://www.ho-hum.com or cypherpunks, etc.. If they continue to do so it is because they themselves have put themselves there or have not seen fit to leave when it behooved them (sometimes requiring the use of kill files to avoid them). A person in an unrestricted setting, who is so easily persuaded by others that they cannot resist being influenced, has a lot of work to do in finding out about their own lack of self-confidence & direction. A "victim of information" must study & discover the difference between valid info & dangerous nonsense. There are ways to know when someone is trying to supplant one's own initiative with their own preferences. And here's plenty of debate & unrestricted flaming in cyberspace to challenge anyone's passive acceptance of another's conclusions (or of their own unexamined presumptions). And there's always new software tools to enable participants to make a quick exit if they feel uncomfortable with a conversation. "the next time you see a flamewar, ask yourself this question: what would I think if I found out every opinion and post on one side was manufactured by a single person? how can you be so sure they aren't?" Unless I was thinking of going out to lunch with one of them, I can't see why I would care. i.e., unless I needed to make a decision for action based on what they had said, it wouldn't really matter to me. I expect I would have more effect on them than vice-versa. :>) .. 
Blanc From attila at primenet.com Tue Jan 16 00:38:19 1996 From: attila at primenet.com (attila) Date: Tue, 16 Jan 1996 16:38:19 +0800 Subject: Crypto anarchist getting through customs In-Reply-To: Message-ID: well, Mr. Horowitz, I once had a strong belief in democracy and the U.S. Constitution, particularly the Bill of Rights. ****** IMPORTANT, get your BS detector working! you'd probably call me a lying asshole if I told you your _beloved_ Bubba signed PPD 25 which permits UN control of US forces, _in America_! and allows the UN to bring in UN troops. and, your meter will really peg out if I told you the DOD gave Navy Seals and Marine Recon units a long questionnaire to determine their "loyalty" and they even asked "under an order to confiscate weapons from US citizens ...would you shoot to kill [US citizens] who refused to surrender their weapons if so ordered by UN officers? and, you'll scream "liar" if I tell you that the Department of the Navy is not subject to the posse comitatus act which prevents the Army from being used in civilian affairs. Guess where the United States Marine Corps, the finest shock troops in history are (125,000 fighting men currently) --Navy. maybe you should review the procedures for the Feds --they have 72 hours to charge you or release you --more if they are lucky enough to bag their prey after 4pm Friday --they are not even required to give you a phone call until you have been read your rights. And, they don't read you your rights unless they charge you. second, check just what your rights are in US border check points --how about probable cause before they subject you to a strip search and body cavity check? how about liability for shredding your possessions if they want to be assholes, and still find nothing? (you're real lucky if you get some Polish luggage (shopping bags) how about some help to put your shit back together? how about a grievance procedure? --that's the big joke. 
it's not INS, they couldn't give a shit about your politics, but if your name pops up when they "stripe" your passport, they pass that along to the FBI, DEA, and other LEs check out LA next time you go through the Bradley gauntlet. LA will take the time to punch in the numbers on a US FS passport, and US DP passports ain't worth a shit in the US. If they get a match, there's an army of those Fed blue jackets with the agency name on the back in large letters --they're highly visible. On Mon, 15 Jan 1996, Alan Horowitz wrote: > My bullshit detector is starting to pin the needle. > your option. I'm not proselytizing! > US Customs doesn't care about your political status or leanings. > They want to collect the proper excise and catch contraband. > what ever you say... but they get extra bonus points for a rather large number of things. > There are INS people at passport control. I am skeptical that they > would detain a US passport holder for 36 hours. I would like to see some > evidence that this actually happened. > well, I'm not passing my jacket --and you can't get it with FOIA anyway, it isn't the INS that detains... > US citizens can't be excluded from the country, nor have their > citizenship taken away from them. > which rock you been hiding under? > Alan Horowitz > alanh at norfolk.infi.net > remember, a conservative is a liberal, who had his ass mugged last night. __________________________________________________________________________ go not unto usenet for advice, for the inhabitants thereof will say: yes, and no, and maybe, and I don't know, and fuck-off. _________________________________________________________________ attila__ To be a ruler of men, you need at least 12 inches.... From s1018954 at aix2.uottawa.ca Tue Jan 16 16:43:33 1996 From: s1018954 at aix2.uottawa.ca (s1018954 at aix2.uottawa.ca) Date: Tue, 16 Jan 96 16:43:33 PST Subject: Better S/N through moderation. 
In-Reply-To: <199601162143.QAA05083@nrk.com> Message-ID: On Tue, 16 Jan 1996, David Lesher wrote: > Can't we just solve the problem by making it a moderated list; > and make Perry the moderator? There are moderated versions of the list, I think cypherpunks-lite is one of them. You have to pay for the privilege. IMHO noise is self-regulating on mailing lists (as opposed to usenet). My preferred method of accessing cypherpunks is through news://nntp.hks.net/hks.* ,which also gets you a few other worthwhile related lists (like cyberia-l, ipsec, mixmaster...). All the benefits of being a newsgroup without having to be on usenet. I am only currently subscribed directly because it is the beginning of the term and I can afford the time. I subscribe and unsubscribe several times a year as time constraints permit. I think this is far preferable to having the raw master list edited according to someone's tastes. You get the flavour you prefer. Killfiles exist. It is a tribute to the usefulness of the forum and the flexibility of the medium that there are so many ways of accessing this source of info. Back to your regularly scheduled crypto. (Speaking of sublists, whatever happened to the DC-net list mentioned in the cyphernomicon? Is this a figment of my imagination or was there any code written that I might partake of? Btw, why call it a DC network when it is really a ring? Maybe I haven't taken a good enough look at the protocol. Dinner calls. :> ) From jimbell at pacifier.com Tue Jan 16 00:52:09 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 16 Jan 1996 16:52:09 +0800 Subject: Respect for privacy != Re: exposure=deterence? Message-ID: At 12:27 AM 1/15/96 -0800, Rich Graves wrote: >On Sun, 14 Jan 1996, jim bell wrote: Richard Graves wrote: >However, you won't consider looking at a dissenting FAQ. Aha! Now you identify it as a "dissenting FAQ"! Let's play a little game. 
Let's say, for purposes of the argument, that there are people who are "pro-libertarian," "neutral", and "anti-libertarian." I know plenty of people who hardly even know what libertarianism is about, but in fact are more-or-less libertarian in philosophy. Let's call these people "neutral." But in general, people who identify themselves as "dissenters" from libertarianism (claiming they know what it is, and assuming for the purposes of the argument that they are correct about this knowledge) are fucking statists. Somehow, I think I've got you pegged correctly. >> "Proposition 187"? Isn't that from CALIFORNIA, not Pennsylvania? Your >> commentary is very confusing. > >Sorry, an old irrelevant battle. Then don't confuse people with things like that! >There was quite a row between Californian "libertarians" and >non-Californian "libertarians" about Prop 187, with those in California >saying that the illegal people were STEALING MONEY, and those outside the >state, including Reason Magazine, saying it was hypocritical at best to >use government force to deny freedom of movement, especially when neutral >studies showed that the illegal people were a net plus for society. In >effect, Reason Magazine was calling them selfish. You miss the point. (this is probably congenital.) There is a generic problem with "asking a libertarian his position on an issue." See, the question assumes how much of an opinion you want, and what assumptions you're making. I'll try to formulate a relevant analogy: Suppose you're building a new house, you have your plans, I'm your friend, and you ask me over for an opinion on how it ought to be done. On the one hand, my advice might simply be to "change the color of the paint." Or, I could say something more detailed, like, "you should add another floor." Or, finally, I could say, "I don't think you should be building a house THERE, in that low area subject to flooding, you should build it 10 feet higher, 100 yards away." 
Finally, I could say, "No, I don't think you should build that house AT ALL." Each of these is a form of advice. The difference is the scope of the advice. __YOU__ may only have wanted me to advise you on the color of the paint. My advice was to change EVERYTHING. Both may be quite valid and correct opinions. A third party, observing the discussion, would think that there was some sort of contradiction going on, when in reality (remember reality?!?) it is simply a matter of scope being determined. Now, proposition 187, as I _vaguely_ recall, deals with immigrants, primarily illegal immigrants, and the services a community provides them. So if you ask a libertarian, "what should we do," there are a number of separate and distinct types of advice he could give you, depending on the scope of the question. On the one hand, the natural response of an unrestrained libertarian is to say, "There should be no borders, no governments, no taxes, and no welfare, as well as no public schools, etc." And that would be correct, as far as it went. If you responded to that libertarian, "Uh, sorry, we're not interested in changing EVERYTHING; we're just asking you to decide whether or not we should get public services (paid for by tax dollars stolen from citizens by government) to people who got into the country in violation of the law," then he might provide a more limited form of advice based on this restrictive set of parameters. The important thing to remember, however, is that exactly which kind of advice he gives may be entirely dependent on how restrictive the set of parameters you've insisted that he follow. An intelligent libertarian could give a good and valid piece of advice, with the proviso that since he's being restricted in the scope of his advice, it will not necessarily be a "completely libertarian" position. This should be ASSUMED. 
Which means that you could ask essentially the same question of two different libertarians, and by subtle manipulation of the parameters, get what might otherwise appear to be two contradictory opinions, depending on how much latitude each is given in his advice. >Obviously, I was on the right side. Obviously, you always THINK you are on the right side. > >> >Where, exactly, do you get off disparaging my political philosophy, with >> >which you are completely unfamiliar? >> > >> >> >See the non-libertarian >> >> >FAQ, at http://world.std.com/~mhuben/libindex.html >> >> >> >> Sounds like it would be extraordinarily un-interesting. >> > >> >Good to see you're as open-minded as I thought. >> >> Well, you called it, and I quote, a "non-libertarian FAQ." Well, I know >> what a "libertarian FAQ" would generally contain, information to teach the >> uninformed about libertarianism. These FAQs are generally prepared by >> libertarians, and are often (usually?) intended to convince people to >> support the libertarian cause. >> >> But what, pray tell, is a "non-libertarian FAQ"? > >Information to teach the uninformed about libertarianism. Then you should have called it a "FAQ _for_ pre-libertarians." Or a "FAQ for those not yet informed about libertarianism." But in fact, since above you called it a "dissenting FAQ," more likely, "a FAQ intended to dissuade people from being (or thinking) in a libertarian manner." Far more informative. Which is why I said that I would consider it to be extraordinarily UN-interesting. >> And thus, as I said, I think that would be extraordinarily un-interesting. >> I've heard PLENTY of idiots try to debunk libertarian philosophy, the vast >> majority of which know so little about it as to make their attempt not only >> totally ineffective, but also counter-productive to their intention. > >How many is plenty? In 4 years on FIDOnet? Dozens. >> >I see no sequitur here. Where have I excused anyone's actions? 
I was >> >talking about ethics, justifiable force, >> >> Libertarians have a principle called "Non-initiation of Force/Fraud." (or >> "Non-Aggression principle.") Anyone who collects taxes has AUTOMATICALLY >> initiated aggression. Violence against him is not a violation of any >> libertarian principle. > >Libertarians have a practice of USING CAPITAL LETTERS and RIDICULOUS JESSE >JACKSON-ESQUE RHETORIC to define anything they DISAGREE WITH as VIOLENCE >AND FRAUD, a non-falsifiable approach that leads to ludicrous conclusions. And you appear to be a fucking statist. >> > and probable cause. If you have >> >probable cause that Watergate or Whitewater has occurred, then further >> >investigation is justified. If you don't, then the customary financial >> >disclosure statements should do. >> >> You're hiding behind the rules of the GOVERNMENT. Rules written for the >> benefit of GOVERNMENT people. Violations of law by GOVERNMENT people are >> hardly ever prosecuted; Rodney King's assaulters were prosecuted only >> because somebody JUST HAPPENED to have a camcorder on at "just the right >> time." > >> >Eternal vigilance is the price of liberty, but that doesn't mean you need >> >to spy on everybody. >> >> When my system is in place, we won't have to worry about that ever again. >... >> >No matter what rhetoric you use, it is not nice to respond to a tax >> ----------------------------------------^^^^^^^^ >> >> >collector COMING TO STEAL YOUR MONEY by invading his privacy. >> >> Huh? You're crazier than I thought! You would deny even the principle of >> self-defense! You're truly crazy; you're just about as far as you can >> possibly get from being a libertarian. No wonder you had so many questions >> above! "Nice" has NOTHING to do with it! > >A restaurant denying you a free lunch is the initiation of violence. Do you really believe this, or were you merely trying to misuse this as a contrary (though extremely weak) example? 
> If >you try to skip a debt What kind of "debt"? One that you agree to?!? > and your creditor finds you, are you then >justified by the principle of self-defense to kill him? After all, if he >pulls a gun on you first, he's the one initiating violence. Your misunderstanding of libertarianism exceeds only your misunderstanding of simple logic. >Measured response and justifiable force. Contracts and justice. When your >kid misbehaves, you spank them. When someone cuts you off on the freeway, >you flip them off. When you disagree with someone, you are supposed to >construct a logical counterargument. When someone insults you, you insult >them back. When someone pulls a gun on you, you blow their head off. > >Nobody's "stealing" "your" money. The IRS is enforcing a contract. I've signed no such "contract." I agreed to no such contract. I'm AWARE of no such contract. The "contract" or "social contract" argument is debunked repeatedly in the various libertarian-oriented political echoes. Actually, it's debunked in non- (not to be confused with "anti-") libertarian echoes too, because even if you ignore all the people who don't yet claim themselves to be libertarians, the rest of the public can't agree on exactly what this "contract" really says. The "social contract" of a liberal contradicts the "social contract" of the conservative. The "social contract" of a Republican contradicts the "social contract" of a Democrat. Even if you take a generous position and say that we owe taxes, it has been repeatedly demonstrated by media/reporter types (by visiting a number of IRS offices, presenting them with the same identical numbers, and asking them how much taxes are owed, and each office gives a DIFFERENT amount. In other words, even if we ASSUME the existence of some sort of "contract," nobody seems to be able to agree on what the terms of that "contract" are. 
Now, I'm not a lawyer, and I don't even play one on TV, but one thing that I do know about law is that for there to be a "contract" there is necessary to be a "meeting of the minds" about what that contract is actually for. Both (all?) parties to the contract must have the same UNDERSTANDING of the terms of the contract in order for it to be valid. Clearly that is not the case about the "social contract" statist lunatics speak of. Furthermore, in order for there to be a valid "contract" there must be CONSENT. One party cannot threaten or extort from the other, getting the other party to agree to terms that are coercive. Both parties must have the option of NOT entering into that "contract." Yet, practically the whole reason for the existence of governments is "coercion," meaning that absent some clear evidence of arms-length negotiation, it is impossible to come to a valid "contract" with the government. Like I said before, you're a fucking statist. >> Remember the following words: >> "Klaatu Burada Nikto." I'm working on a similar system. You'll >> eventually hear of it. > >You're building a giant robot? Oh my. I thought this was starting to read >like bad science fiction. Just wait. I've decided to post this to Cypherpunks. Forgive me, it's only marginally on-topic, but I think it's vital for the public to know how Richard Graves thinks. From llurch at networking.stanford.edu Tue Jan 16 01:01:50 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 16 Jan 1996 17:01:50 +0800 Subject: [NOISE] Re: Respect for privacy != Re: exposure=deterence? In-Reply-To: Message-ID: On Mon, 15 Jan 1996, someone using the name jim bell wrote: > I've decided to post this to Cypherpunks. Forgive me, it's only marginally > on-topic, but I think it's vital for the public to know how Richard Graves > thinks. [Apologies to everyone for not just kill-filing this.] 
If it's all the same to you, I'd prefer to tell them myself, in context, in public posts rather than in off-topic redistributed private email. In the last year I've inaccurately been labeled a Nazi, a Communist, a Maoist, a Jew, an Anti-Semite, a KKK tool, an Anarchist, a Spic-Lover, a Capitalist Stooge, a Tool of the Ruling Class if not an Oppressor Myself, and a lawyer. Now I'm a Fucking Statist. Oh well. I defer to your four years' experience on FIDONet, where you talked to "dozens" of people, who I am sure know more about alternative political systems than the folks I worked with in my four years studying Latin American history and political science at Stanford. For example, Roberta Lajous, international affairs chair of the Mexican PRI, who is a very intelligent and fair-minded person, but who can accurately be described as a Fucking Statist, and Rodolfo Stavenhagen, a Professor at el Colegio de Mexico who spoke at the recent Conference of Indigenous Peoples called by el Ejercito zapatista de liberacion nacional. Not to mention the Cubans, Sandinistas, Contras, and Salvadoran liberation theologists I've known, four of whom were murdered in cold blood at their seminary, in 1992 I believe. My good friend Istvan Feher lobbed Molotov cocktails at Russian tanks on his way out of Budapest in 1956, and my last serious girlfriend was a political refugee from Czechoslovakia who was studying Soviet politics (you see, I haven't had a serious relationship for a while). I simply prefer civilization to revolution, and structured ethical restraint to retaliation. I believe government derives its just powers from the consent of the governed with the purpose of securing fundamental rights, and that there are such things as justice, consent, and fundamental rights such as personal privacy that must not be abridged by any body, whether defined as a government or not. 
Since I'm obviously a tool of the government who doesn't deserve privacy, why not post everything you can find about me? I assure you that you could find something quite damaging if you tried. I'll even give you hints in private email if you like. I *double-dare* you. *PLONK* -rich From jsw at netscape.com Tue Jan 16 01:14:34 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Tue, 16 Jan 1996 17:14:34 +0800 Subject: Information Sent by Netscape during Queries In-Reply-To: Message-ID: <30FB47ED.416B@netscape.com> Bill Humphries wrote: > > Here's some questions I hope some of the Netscape staffers on the list can > help with. > > 1) Can we delete/rename or otherwise disable the MagicCookie file and still > use Navigator? Is your attempt to disable cookies all together or just disable persistent (last across multiple sessions) cookies? If you want to disable persistent cookies and you are running on unix you can just chmod the cookies file to be un-writable. I don't believe that there is a way to disable cookies in general. > 2) Are there headers besides the standard HTTP/1.0 fields sent with our > http transactions? What are they? We send headers for proxies, caching, fetching byte ranges, and cookies. Some of these are part of HTTP 1.0 or extensions that are being worked on in IETF or W3C working groups. > 3) Can we go completely stealth inside of Netscape without a proxy server? No. Right now you can't disable cookies, you can't disable referer, and you can't mask your IP address. I'd like to add an option to disable everything that we can in some future release, but there is nothing I can do about the IP address. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. 
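What removing the headers named in the reply above looks like at a filtering proxy, as an added example that is not part of the original message and is not Netscape's or any proxy operator's code. The header policy, function names and sample request are assumptions constructed for illustration; the point of interest is the folded (continuation-line) header, which a naive line-by-line filter would leak.

```python
"""Strip identifying HTTP request headers before a request is forwarded."""

# Lower-cased names of headers to drop. Referer and Cookie are the two named
# in the message above; From and User-Agent are an assumed extra policy.
# The client's IP address is not a header and cannot be hidden this way.
IDENTIFYING = {"referer", "cookie", "from", "user-agent"}


def parse_request(raw: bytes):
    """Split a raw request into (request_line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            # A line starting with whitespace continues the previous header.
            # It must be merged, otherwise dropping "Cookie:" would leave
            # the continuation behind and leak part of the value.
            if not headers:
                raise ValueError("continuation line before any header")
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return request_line, headers, body


def scrub(raw: bytes):
    """Return (cleaned_request, names_of_dropped_headers)."""
    request_line, headers, body = parse_request(raw)
    kept, dropped = [], []
    for name, value in headers:
        # Header names are case-insensitive, so compare lower-cased.
        if name.lower() in IDENTIFYING:
            dropped.append(name)
        else:
            kept.append("%s: %s" % (name, value))
    head = "\r\n".join([request_line] + kept) + "\r\n\r\n"
    return head.encode("iso-8859-1") + body, dropped


# Constructed sample request (not captured traffic). The cookie header is
# written in lower case and folded across two lines on purpose.
SAMPLE = (
    b"GET /page.html HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"Referer: http://www.example.org/links.html\r\n"
    b"cookie: session=abc123;\r\n"
    b"\tprefs=xyz\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    cleaned, dropped = scrub(SAMPLE)
    print("dropped:", dropped)
    print(cleaned.decode("iso-8859-1"))
```
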
From warlord at MIT.EDU Tue Jan 16 01:30:12 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Tue, 16 Jan 1996 17:30:12 +0800 Subject: Bignum support in C++ In-Reply-To: <9601151916.AA00949@w20-575-119.MIT.EDU> Message-ID: <199601160319.WAA02872@toxicwaste.media.mit.edu> Actually, Wei Dai's Crypto++ library contains a fairly good BigNum package (actually, the MPI code from PGP 2.6.2, I believe ;) wrapped in C++. So, there is no need to do any work, just grab Wei's library and use the bignums out of there. -derek From jeremym at area1s220.residence.gatech.edu Tue Jan 16 01:32:14 1996 From: jeremym at area1s220.residence.gatech.edu (Jeremy Mineweaser) Date: Tue, 16 Jan 1996 17:32:14 +0800 Subject: Reach out! Update 01 (CypherPurists trash this) Message-ID: <9601160313.AA22027@toad.com> At 10:10 AM 1/13/96 EST, Dan Bailey wrote: >Regarding the *67 feature to disable Caller ID: >This does not stop your ANI information from travelling >with your call. >A *much* better way to do this is the following: >Dial the Operator. >Ask him/her to dial the 800 number for you. > >This will result in your ANI being (000) 000-5555 >I tested this a couple months >ago using AT&T's 1-800-MY-ANI-IS service. I directly dialed >1-800-MY-ANI-IS and it read back my phone number. Then I had >the operator dial it for me and got (000) 000-5555. This >service doesn't work anymore, YMMV. From dl at hplyot.obspm.fr Tue Jan 16 01:51:46 1996 From: dl at hplyot.obspm.fr (Laurent Demailly) Date: Tue, 16 Jan 1996 17:51:46 +0800 Subject: Anon Proxy / Re: Information Sent by Netscape during Queries In-Reply-To: Message-ID: <9601160936.AA03366@hplyot.obspm.fr> Just to remind that I'm running and made available a couple of months ago an anonymous proxy which drops all those nasty infos see http://hplyot.obspm.fr:6661/ to have a look at those headers dl -- Laurent Demailly * http://hplyot.obspm.fr/~dl/ * Linux|PGP|Gnu|Tcl|... 
Freedom Prime#1: one hundred five thousand one hundred five billion one hundred five thousand one hundred sixty-seven
Greenpeace [Hello to all my fans in domestic surveillance] Clinton radar Croatian AK-47 security

From llurch at networking.stanford.edu Tue Jan 16 02:01:48 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Tue, 16 Jan 1996 18:01:48 +0800
Subject: Novell & Microsoft Settle Largest BBS Piracy Case Ever
In-Reply-To: <199601160904.BAA27439@infinity.c2.org>
Message-ID:

On Tue, 16 Jan 1996, Anonymous wrote:

> jlasser at rwd.goucher.edu (Jon Lasser) wrote:
> > End of governments = decline (but not end) of software markets?
>
> It's already happening anyway. In a few years (if not today) Microsoft is
> going to be hard pressed to come up with excuses why someone should pay $90
> for Doze-95 when they can get a Linux CDROM for less than $20 (or ftp it
> for free). With WINE and DOSEMU, that Linux system will run most of the
> same software too. Willows software recently released their own windoze
> emulator for Linux for practically nothing (there is a small fee for
> commercial use, free otherwise).

Hogwash. WINE isn't nearly finished, and DOSEMU won't run a lot. They certainly won't run the newer 32-bit applications that MS wrote to require DDE and other stuff.

> Look at Netscape, giving away their browser for free and how Microsoft
> finally gave in and did the same because they couldn't sell theirs.

Netscape does not give away its browser for free, or at least they don't intend to. You're supposed to pay for it if you use it for anything other than educational or non-profit org use (not non-commercial use -- for personal non-commercial use, you're supposed to pay). Of course this isn't very tightly enforced.

> Selling software is going to become practically impossible within a few
> years, and prosecuting piracy will become even more fruitless. Rather,
> more and more companies will give the software away for free, and sell
> their expertise.
>
> Sure, they will still package it nicely in a box to sell it to corporate
> types who are afraid of ftp, but what they're really selling is not the
> software but the tech support number.

Have you ever tried tech support? Microsoft has never offered toll-free tech support as a matter of policy. You get a limited amount of support via a toll call to Redmond. Other companies are only a little better. People still buy software, and a lot of it.

> Companies like Red Hat and Walnut Creek are doing brisk business selling
> cdroms full of software that you can get for free. You can search the net
> for interesting stuff for months on end, or you can get all the best stuff
> on one disk from them for twenty bucks.
>
> And look at Sun Microsystems - they're giving away all their software for
> free. But when someone wants a reliable network server, who are they
> going to call? Sun. Software doesn't sell, but expertise does, and
> giving away well-written software is an excellent way to demonstrate your
> expertise to a large audience.
>
> The concept of copyright is pretty much dead; the free market has invented
> new solutions.

I agree that copyright is dying, or should die, but I am not convinced that we have a solution.

-rich

From cp at proust.suba.com Tue Jan 16 19:48:33 1996
From: cp at proust.suba.com (Alex Strasheim)
Date: Tue, 16 Jan 96 19:48:33 PST
Subject: remarkable recent stories
In-Reply-To:
Message-ID: <199601170347.VAA00620@proust.suba.com>

> Caveat: After decades of secrecy, the NSA has come out
> of the cold so to speak. Are we to safely assume that
> the NSA has not had its major mission changed in a few
> major ways when it came into the open?

Banning crypto is stupid.

Banning crypto doesn't keep solid tools out of the reach of the four horsemen. More importantly, it won't put a dent in the underlying problems -- drug trafficking, money laundering, child pornography, or terrorism.
Anyone in America can buy any kind of drug at any time with almost no risk of arrest. How much worse is crypto going to make things?

The crypto rules in ITAR cost US businesses a lot of money. They're not doing any good, and they're doing a lot of demonstrable harm. If we don't sell crypto abroad, other countries will. We've got a choice: we can export crypto code or crypto jobs. Let's keep the jobs.

Demonization of anyone -- even the NSA -- ought to be avoided. Remember when Jim Bidzos was evil incarnate? It wasn't so long ago that he was hassling with PRZ over the use of RSA in PGP. Take a look at your source trees for pgp, mixmaster, and the apache-ssl web server -- a lot of good tools use rsaref.

Why does Bidzos let us use rsaref? Is it altruism? I doubt it -- he probably felt that it was in his best interests to maintain as much control over his patents as he could. Better to have everyone use rsaref under a legitimate license than to have scofflaws ignoring your authority altogether.

If he had sued PRZ, what would he have gotten? When you give away PEM for nothing, what are your damages from a free PGP? If you go into court and PRZ wins, what then? Anything can happen in court -- the patent could even get tossed out.

Bidzos gives away rsaref because it's in his interest to do so. Adversaries become allies when common interests develop. The NSA ought to flip on crypto exports because it's in the national interest to do so. Passive surveillance is dying, no one can keep it alive, and we should stop trading jobs, rights, and dollars to prop it up.

From a-kurtb at microsoft.com Tue Jan 16 19:55:11 1996
From: a-kurtb at microsoft.com (Kurt Buff (Volt Comp))
Date: Tue, 16 Jan 96 19:55:11 PST
Subject: Crypto anarchist getting through customs
Message-ID:

To expand a bit: I don't remember if it was a lieutenant, captain, or whatever, but he passed out the questionnaire in furtherance of his master's degree in something or other.
One question dealt with shooting civilians who disobeyed orders to turn over their arms, even if they were owned under what would now be considered legal circumstances. Shockingly, upwards of 25% of the soldiers (Marines, actually, as I remember it, I'll check my references if anyone wants) would have no problem doing so!

This in spite of the fact that officers in the armed forces (not sure about enlisted men, but I believe it's true of them as well) swear an oath to uphold the Constitution against all enemies foreign and domestic - and I think that under the Constitution as it is now, forcibly depriving people of their arms would probably be a reasonable basis for considering them in contravention of the Constitution, and therefore enemies of it.

Kurt

----------
From: Alan Horowitz[SMTP:alanh at infi.net]
Sent: Tuesday, January 16, 1996 15:20
To: attila
Cc: Timothy C. May; cypherpunks at toad.com
Subject: Re: Crypto anarchist getting through customs

The notorious questionnaire to the SEALS wasn't an official action. It was one lieutenant doing an assignment for a night class.

I never said that the federal government was good, or nice, or useful.

Alan Horowitz
alanh at norfolk.infi.net

From bart at netcom.com Tue Jan 16 04:10:48 1996
From: bart at netcom.com (Harry Bartholomew)
Date: Tue, 16 Jan 1996 20:10:48 +0800
Subject: Job offer for Computer Security Researcher
Message-ID: <199601161158.DAA20583@netcom14.netcom.com>

Seen on ba.jobs.offered:

Computer Security Research Position

The Distributed Information Technologies Center at Sandia National Laboratories, in Livermore, California, is seeking a qualified candidate for the position of Senior Member of the Technical Staff in the area of computer security research.

The scope of security research and development at Sandia is very broad, encompassing elements that relate to networking, hosts, and protocols. Examples include high-speed encryption, advanced firewalls, detection systems, and secure agents.
The focus of the research is to provide both solutions to security issues relevant to the Laboratory as well as contributions to the security technology base needed by the National Information Infrastructure. The security research staff collaborate closely with the research groups that are involved with distributed computing and advanced networking, with the goal of providing a totally integrated solution to the information infrastructure.

In addition to having the technical depth necessary to conduct extensive research projects, this Senior Staff Member will be expected to lead proposal efforts, serve as team leader for projects, and maintain active membership in national organizations that influence the direction of security research.

The successful candidate will have an advanced degree in computer security or a related field. In addition, candidates will be evaluated on their demonstrated ability to formulate proposals, perform in-depth research, and report results in the form of papers and presentations. A U.S. citizenship is required for this position.

Interested candidates should send their resumes to:

Peter Dean, Manager
Networking Research Department 8910
Sandia National Laboratories
PO Box 969, MS9011
Livermore, CA 94551-0969
(510) 294-2656
pwdean at sandia.gov

From wlkngowl at unix.asb.com Tue Jan 16 20:26:14 1996
From: wlkngowl at unix.asb.com (Beethoven)
Date: Tue, 16 Jan 96 20:26:14 PST
Subject: Alta Vista, Great Stuff!
Message-ID: <199601170427.XAA27753@UNiX.asb.com>

Hey, I saw a message on the list about personal mail showing up in an A.V. search, and figured why not try it out and see what comes up under one of my nyms...

Lo and behold, my nym corresponds with the title of a popular comic strip and an episode in a bad TV show...

Crypto related? Imagine your nym is related to something common-place at the time of posting.
Even though you may be well known under that nym, simple searches for that name will turn up loads of crapola, or at least some light entertainment for someone searching for your past posts. (It can also turn some unsuspecting people looking for the crapola onto your interests...)

Yes, I know that sophisticated search engines and simple expressions can filter out most of the unwanted junk, but not all of it. Likewise filtering will let some of your posts fall through the web-crawler-cracks.

From alano at teleport.com Tue Jan 16 21:07:35 1996
From: alano at teleport.com (Alan Olsen)
Date: Tue, 16 Jan 96 21:07:35 PST
Subject: new web security product
Message-ID: <2.2.32.19960117050925.00867c9c@mail.teleport.com>

At 04:22 PM 1/16/96 +0000, you wrote:
>Perry Metzger wrote:
>> I don't think it's going to fly. No one wants to pay for an unneeded
>> $100 piece of hardware to encrypt the same credit card over and over
>> again, when a nearly zero marginal cost piece of software can do the
>> same thing.
>
>I agree with Perry. Hardware encryption does add a layer of security
>not normally found in software, but it is hardware.
>
>Shoot, I don't even have a 28.8 modem yet, why would I want a black
>box that supposedly does something with my Credit Cards?

This is not something that will wind up being used by the average person at home. It will be used by the small businessman/woman who needs to do some credit card transactions on-line.

The media is so hyped on this "credit card on the net" train of thought that any credit card encryption scheme will be presented as if it is for the home user. Just another case of the media not understanding the technology they are reporting on...

Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key
http://www.teleport.com/~alano/
"Is the operating system half NT or half full?"
From pcw at access.digex.net Tue Jan 16 07:35:14 1996
From: pcw at access.digex.net (Peter Wayner)
Date: Tue, 16 Jan 1996 23:35:14 +0800
Subject: Crypto anarchist getting through customs
Message-ID:

At 1:38 PM 1/15/96, Timothy C. May wrote:

>Frequent travellers to Europe will no doubt confirm what I'm saying. I
>travelled to dozens of countries in Europe a while back, and never was
>checked at any borders, save for a quick glance at my passport.
>

While this is generally true, I do remember that I decided to take an overnight ferry/train ride between Paris and London to save money by spending one less night on the hotel. I didn't get seasick, but I was very disheveled when I got off the boat. The hours of 3 to 6 am were spent in the ferry's duty-free shop because I was bored and I couldn't sleep.

The British customs guy pulled me over and started searching my bags and questioning me. It went something like this:

"Are you aware of the duty-free restrictions?"

"Yes. You can bring in up to four liters of wine and one liter of hard liquor. Or you can use your one liter allotment of hard liquor on wine and bring in a five liter jug. Cigarettes must be limited to..........."

"Okay, you can go on."

From jamesd at echeque.com Tue Jan 16 08:40:02 1996
From: jamesd at echeque.com (James A. Donald)
Date: Wed, 17 Jan 1996 00:40:02 +0800
Subject: Crypto anarchist getting through customs
Message-ID: <199601161622.IAA28208@blob.best.net>

At 08:20 AM 1/16/96 +0000, attila wrote:
> Bubba signed PPD 25 which permits UN control of US
> forces, _in America_! and allows the UN to bring in UN troops.

While there are undoubtedly people plotting a one world government, the miserable performance of the blue helmets means that there is no present danger.

Soldiers are just not willing to die for the greater glory of the United Nations.
---------------------------------------------------------------------
                                      |
We have the right to defend ourselves | http://www.jim.com/jamesd/
and our property, because of the kind |
of animals that we are. True law      | James A. Donald
derives from this right, not from the |
arbitrary power of the state.         | jamesd at echeque.com

From rfb at lehman.com Tue Jan 16 10:05:38 1996
From: rfb at lehman.com (Rick Busdiecker)
Date: Wed, 17 Jan 1996 02:05:38 +0800
Subject: Better diversity through cages (?!)
In-Reply-To:
Message-ID: <9601161734.AA27525@cfdevx1.lehman.com>

[ Dear Perry, this is CYPHERpunks, not WHINERpunks. Please resist the temptation to flame me for being off-topic since flaming for being off-topic is just as off-topic as this is. ]

-----BEGIN PGP SIGNED MESSAGE-----

To: Mark Rogaski
cc: Cypherpunks
Subject: Better diversity through cages (?!)
In-reply-to: Mark Rogaski's message of "Tue, 16 Jan 1996 00:58:49 EST."

Date: Tue, 16 Jan 1996 00:58:49 -0500 (EST)
From: Mark Rogaski

- From the node of Timothy C. May:
:
: Diversity will be enhanced by having the birds in the U.S., and
: if left in their native jungles, most will die anyway. Better a
: pampered tropical bird in a gilded cage than lunch for some
: predator, or starvation as the jungles are cleared by
: slash-and-burn farmers.

Aside from the amusing belief that caged life is preferable, let me point out that importation of species can be pretty nasty. Zebra mussels in the Great Lakes, Mongooses in Hawaii, those nasty snakes from Guam ... etc, etc.

Good point.

If you view nature as a market system of survival capital, trying to seriously alter it rather than just living off of it is asking for trouble. This is true for command economy governments, slash-and-burn farmers, and species importers. Nature (the market) will continue, but the meddlers (humans) are risking their chance to be players.

Two more reasons why the better-diversity-through-cages is weak:

- many (most?)
species tend not to reproduce in captivity.

- most illegal imported animals die in transit.

The tropical bird has better odds of survival against the predator and starvation than it has against smugglers and gilded cage operators. If you consider the odds of reproducing, they're *much* better with the predator and starvation than with the smugglers and cagers.

Rick

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMPvhVJNR+/jb2ZlNAQHIvQQApvMNs63M5XRtMvvpKlG7kR6PSF3xUI1r
6yGn6KtMAJKY5vW/bbF7EIo7azakiMein8QGlNdpBXjXfuvBs2RM/oPTq2qcKPQH
7f3DdLYcCmbXwElE35KpowJbqRG7cXpzV426W7YJi3ZuUCBA/uUaISyDMrgCPIVI
aquISSze6ko=
=fHbg
-----END PGP SIGNATURE-----

--
Rick Busdiecker
Please do not send electronic junk mail!
net: rfb at lehman.com or rfb at cmu.edu
PGP Public Key: 0xDBD9994D
www: http://www.cs.cmu.edu/afs/cs.cmu.edu/user/rfb/http/home.html
send mail, subject "send index" for mailbot info, "send pgp key" gets my key
A `hacker' is one who writes code. Breaking into systems is `cracking'.

From abostick at netcom.com Tue Jan 16 10:11:12 1996
From: abostick at netcom.com (Alan Bostick)
Date: Wed, 17 Jan 1996 02:11:12 +0800
Subject: Eggs at Customs (fwd)
In-Reply-To: <199601160518.AAA05251@pipe10.nyc.pipeline.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

In article <199601160518.AAA05251 at pipe10.nyc.pipeline.com>, tallpaul at pipeline.com (tallpaul) wrote:

>
> You mean you actually believe the Jesuit/Masonic/ cover story about pet
> birds!! How naive can you get!!!

The truth is that there is an exotic Brazilian/African animist cult, similar to Vodoun and Santeria, one of whose rituals involves the sacrifice of tropical birds to the loa. Career diplomats in the State Department have covertly joined this cult while in Brazil and have been spreading through the U.S. government.

There is a deadly struggle going on right now between the cultists and right-thinking Christians.
Currently the State Department, the FAA, the Department of Energy (responsible for our nation's nuclear weapons arsenal), and the Federal Aviation Administration are under the control of the voodoo cultists; At the forefront of the fight is the BATF, Customs (hence the scrutiny at eggs on the border), and the Interior Department. The Social Security Administration is the current battleground.

This is the real reason for the recent government closures. (The conveniently arranged budget standoff is another cover story.)

ObCypherpunks: The head of the NSA is said to have attended two voodoo rituals, although it has not been confirmed that he is a full member of the cult.

- --
Alan Bostick                | He played the king as if afraid someone else
Seeking opportunity to      | would play the ace.
develop multimedia content. | John Mason Brown, drama critic
Finger abostick at netcom.com for more info and PGP public key

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBMPvfquVevBgtmhnpAQGnMAL/fC/TIg7R7kx2jRB8FV259cxqNwc/hZmf
/QuqBB2oWQXuYGbEAj7AYoKyqSPdS/Z6U3IDRsowi9QrCBlvqgMsrQsuc8zbE0ql
dtiL9fCTraWVMHQehmKX2FpnewaMqVye
=dCnF
-----END PGP SIGNATURE-----

From perry at piermont.com Tue Jan 16 10:13:08 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Wed, 17 Jan 1996 02:13:08 +0800
Subject: Better diversity through cages (?!)
In-Reply-To: <9601161734.AA27525@cfdevx1.lehman.com>
Message-ID: <199601161745.MAA02159@jekyll.piermont.com>

Rick Busdiecker writes:
> [ Dear Perry, this is CYPHERpunks, not WHINERpunks. Please resist
> the temptation to flame me for being off-topic since flaming for
> being off-topic is just as off-topic as this is. ]

Sorry, but no.

If you know that your posting is off topic, you shouldn't be posting it, period. Reply in private or some such. The S to N ratio in these parts is dropping rapidly, and it's largely the fault of people who think "just one more off topic post can't hurt".
One person doing it causes little damage, but unfortunately dozens upon dozens feel the urge every day.

I usually just reply to such posts in private and note that they are off topic, but since you insisted on bringing it up in public...

Perry

From tcmay at got.net Tue Jan 16 10:50:16 1996
From: tcmay at got.net (Timothy C. May)
Date: Wed, 17 Jan 1996 02:50:16 +0800
Subject: Spiderspace
Message-ID:

I've been thinking a lot about the problems and opportunities that are coming up as more and more "spiders" (Web searchers, crawlers) are indexing directories and files on systems they can find. For the sake of this post, the files and whatnot these spiders and super-spiders can hit constitute a universe I'll call "spiderspace," as it semi-euphoniously matches cyberspace and cypherspace.

Two things caused me to think more intensely about this:

1. At the Saturday Cypherpunks physical meeting, Marianne Mueller (I think) was telling me about an experience where an old letter she'd written to someone showed up in an Alta Vista search. A personal letter, that is. How this happened was that the letter to her friend was buried several subdirectories deep in a directory he made accessible to the outside world. Presto, Alta Vista found it, indexed it, and made it keyword-searchable!

(Humans are pretty bad at doing such meticulous file prep work, but all-seeing spiders are very good at seeing everything.)

2. Someone on the Cyberia-l list, Mike Godwin in fact, asked if anyone had a particular post he'd written last summer, a post he'd neglected to save but that he needed. I had not kept that post, according to my own archives, but I decided to see what Alta Vista might turn up. (The Cyberia-l list is not officially archived, and I believe archives of it are discouraged by the list owner, for various reasons especially worrisome to lawyers and law professors!)
Sure enough, a search of "Cyberia-l" in Alta Vista showed all sorts of hits, including what appeared to be several _private archives_ of parts of the traffic. (By "private" I mean in the sense that they were someone's personal archives, and not necessarily complete or even semi-officially sanctioned.)

And a search of "Cyberia-l AND Godwin AND parental AND Ferber" (some of the keywords in the post he knew he was looking for) produced two hits, most probably of the post he was seeking. (They were on a Kent Law School archive site that, I believe, is no longer accessible to the outside...the Alta Vista spiders must have gotten to it and indexed it before the site was made less accessible...just a thought.)

This fits with the point made above, that increasing numbers of odd things--letters, love letters, resumes, job applications, even things like PGP passwords!--will likely show up by accident in spiderspace. I've started to look for things like PGP files laying around buried in subdirectories. I can imagine attacks based on this.

Declan McCullagh, on the Cyberia-l list, followed up to my post on this topic by noting that things will really get interesting when the internal file systems of many sites are made searchable, such as with the Andrew File System (AFS) at CMU and elsewhere. Apparently most users make their directories accessible to others.

Implications for Cypherpunks?

First, an alert for you to be very careful about what you make accessible to the outside world. It's no longer just a matter of people taking the time to rummage through your subdirectories, it's now trivial to find things with the new Web search engines.

Second, what is out there in spiderspace is incredibly useful for building dossiers, for compiling correlations, and for doing competitive analyses.

Third, more and more kinds of files are going into spiderspace. This may include files compiled by others, such as files containing Web accesses!
(All it takes is for someone to keep a record of site accesses, subscriptions, etc., and then put record in a searchable place: it then becomes trivial to search on a name and find out interesting things.)

Fourth...left to your imagination.

--Tim May

We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From rfb at lehman.com Tue Jan 16 10:52:22 1996
From: rfb at lehman.com (Rick Busdiecker)
Date: Wed, 17 Jan 1996 02:52:22 +0800
Subject: Better diversity through cages (?!)
In-Reply-To: <199601161745.MAA02159@jekyll.piermont.com>
Message-ID: <9601161749.AA28041@cfdevx1.lehman.com>

Date: Tue, 16 Jan 1996 12:45:03 -0500
From: "Perry E. Metzger"

Rick Busdiecker writes:
> [ Dear Perry, this is CYPHERpunks, not WHINERpunks. Please resist
> the temptation to flame me for being off-topic since flaming for
> being off-topic is just as off-topic as this is. ]

Sorry, but no.

Then either you must think that this *is* WHINERpunks, or you are a hypocrite.

I usually just reply to such posts in private and note that they are off topic, but since you insisted on bringing it up in public...

Well, you sure post a hell of a lot of them to the list.

Rick

From s1018954 at aix2.uottawa.ca Tue Jan 16 11:35:44 1996
From: s1018954 at aix2.uottawa.ca (s1018954 at aix2.uottawa.ca)
Date: Wed, 17 Jan 1996 03:35:44 +0800
Subject: Better diversity through Perrymoose.
In-Reply-To: <199601161745.MAA02159@jekyll.piermont.com>
Message-ID:

(Sorry Perry, I just couldn't resist :-> )

On Tue, 16 Jan 1996, Perry E. Metzger wrote:

> Sorry, but no.
>
> If you know that your posting is off topic, you shouldn't be posting
> it, period. Reply in private or some such. The S to N ratio in these
> parts is dropping rapidly, and it's largely the fault of people who
> think "just one more off topic post can't hurt". One person doing it
> causes little damage, but unfortunately dozens upon dozens feel the
> urge every day.

What is a toad machine?

In the spirit of John's evolutionary programming post, I submit that cypherpunks and all its components (on topic posts, jya's news reports, sheer paranoia, clueless newbies wanting to join or leave, Klaus! VFP, flamewars, perryflames...) constitute a dynamic and evolving optimizing computational (enough fuzzy words for you?) system of which we are the calculators. Think of toad.com as an input/output box to interface us cells (not to mention a strange attractor for every cook on the net).

We have a topic (or goal) of cryptography and anonymity, codewriters to give us something other than politics to talk about, a persistent random noise function to increase diversity, and Perry as a factor of noise limitation. Obviously massively parallel.

Is this a genetic algorithm, a semantic net, or some other model? I dunno. As I hear the *plonking* sound of killfiles closing in on me and my inane post, I wonder...where will it go? A topic for further study. ;-)

From alanh at infi.net Tue Jan 16 11:55:50 1996
From: alanh at infi.net (Alan Horowitz)
Date: Wed, 17 Jan 1996 03:55:50 +0800
Subject: Crypto anarchist getting through customs
In-Reply-To:
Message-ID:

My bullshit detector is starting to pin the needle.

US Customs doesn't care about your political status or leanings. They want to collect the proper excise and catch contraband.

There are INS people at passport control. I am skeptical that they would detain a US passport holder for 36 hours. I would like to see some evidence that this actually happened.
US citizens can't be excluded from the country, nor have their citizenship taken away from them.

Alan Horowitz
alanh at norfolk.infi.net

From ecarp at tssun5.dsccc.com Tue Jan 16 12:06:48 1996
From: ecarp at tssun5.dsccc.com (Ed Carp @ TSSUN5)
Date: Wed, 17 Jan 1996 04:06:48 +0800
Subject: Spiderspace
Message-ID: <9601161853.AA13284@tssun5.>

> From: tcmay at got.net (Timothy C. May)

> Sure enough, a search of "Cyberia-l" in Alta Vista showed all sorts of
> hits, including what appeared to be several _private archives_ of parts of
> the traffic. (By "private" I mean in the sense that they were someone's
> personal archives, and not necessarily complete or even semi-officially
> sanctioned.)

There are any number of reasons this might have shown up - if the private archives are accessible to the public, for example ... but ...

> Declan McCullagh, on the Cyberia-l list, followed up to my post on this
> topic by noting that things will really get interesting when the internal
> file systems of many sites are made searchable, such as with the Andrew
> File System (AFS) at CMU and elsewhere. Apparently most users make their
> directories accessible to others.

... I was under the impression that the only documents that most web crawlers will search are documents that are link-accessible. Are you saying that this isn't true? Are you saying that Alta-Vista will search EVERYTHING that's publicly accessible, whether by anonymous FTP or web?

From gorkab at sanchez.com Tue Jan 16 12:09:16 1996
From: gorkab at sanchez.com (Brian Gorka)
Date: Wed, 17 Jan 1996 04:09:16 +0800
Subject: Need confirmation of Win95 password encryption back door
Message-ID: <01BAE3EF.2418BD80@loki>

A friend and I were working on an exploit of this. It is true. We were not working on a grepper, but we found the offset where the passwords reside and were going to dump them into a dialog box. If you are planning to exploit this, we will stop our previous efforts.
----------
From: Rich Graves[SMTP:llurch at networking.stanford.edu]
Sent: Monday, January 15, 1996 5:20 PM
To: cypherpunks at toad.com
Cc: frank at funcom.no; pgut01 at cs.auckland.ac.nz
Subject: Need confirmation of Win95 password encryption back door

-----BEGIN PGP SIGNED MESSAGE-----

A Major Media Outlet requires confirmation that Windows 95, to facilitate its automatic reconnect feature for sleeping laptops and temporary network outages, caches all network passwords (NetWare, NT, UNIX running Samba, SLIP/PPP dialup) in unprotected memory in clear text, whether you've disabled persistent "password caching" to disk and applied the December 14th 128-bit RC4 .PWL patch, or not. There seems to be no way to turn this off.

The idea, of course, is that a simple trojan horse could do whatever it wanted with this information.

We know that this vulnerability exists in Windows for Workgroups, and Peter wrote a little demo (on hackmsoft page below, without source), but the APIs appear to have changed in Win95.

So, anyone have Win95 and some time to kill, or can anyone recommend a good DOS/Windows RAM grepper?

- -rich at c2.org
http://www.c2.org/hacknmsoft/

$ Mon Jan 15 22:17:10 PST 1996 $
$ From llurch at networking.stanford.edu to cypherpunks at toad.com $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMPtDLo3DXUbM57SdAQEN7QP+J6Gmk6m8dv3X96SKZciI/L7DM04bDSoi
HZa+dIoajAiRrfG9oSNcIYbVDDs67qwCSKGFg9hc5K3x99nhbq3Aw2mio62YQj+2
K62pBT9hQLe4dv8AMhLtIqyG4ZztYy+dDjGzsaUIkBUZKo5//Eh8c81xXLQrqXtk
RFV+xkXBgww=
=12rk
-----END PGP SIGNATURE-----

----------
Brian Gorka
Key fingerprint = ED 7D 78 7E 95 E8 05 01 27 01 A1 74 FA 4B 86 53

From ckey2 at eng.ua.edu Tue Jan 16 12:10:39 1996
From: ckey2 at eng.ua.edu (Christopher R.
Key)
Date: Wed, 17 Jan 1996 04:10:39 +0800
Subject: A weakness in PGP signatures, and a suggested solution (long)
In-Reply-To: <199601030407.UAA12551@comsec.com>
Message-ID: <1996Jan11.152134.127675@ua1ix.ua.edu>

In article , Jeffrey Goldberg says:

{SNIP}

>I have omitted the other scenarios for reasons of space. All of
>them are based on the fact that information about the intended
>recipient (including newsgroup) is not part of the information signed.
>
>A proposal is made for a mechanism to have some header information
>signed as well.
>

{SUPER-SNIP}

First of all, if the recipient is a newsgroup, why would that particular information need to be part of the signed information? If you post to a newsgroup a message that is only signed (as opposed to encrypted also), then you are obviously not worried about who reads it. The signature is only a method of proving that the important text (message) is unchanged and intact, and that the person who it is supposed to be from is the same who signed it.

Secondly, if you are sending email to someone and sign it using pgp, wouldn't that person need pgp to prove that in fact you did sign it? Then it can be reasonable that if that person has pgp to prove the signature, that person has pgp to decrypt mail sent to them. Simply sign your message and encrypt it using that person's public key. All of this (from what I remember reading) is in the pgp manual, and is one of the key methods for using public key encryption.

So if all that needs be done to a message to insure that the appropriate person reads it is encrypt it using their public key, why does pgp (or one of the pgp interfaces) need to be changed to include header information? I think it just includes more well already.

"If it ain't broke, don't fix it."

"That's all Ah've got to say about that."
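The quoted proposal in the post above turns on which bytes a signature covers: body only, or body plus selected header fields. The following is an added example, not part of the original post and not PGP's own format, that makes the difference concrete; HMAC-SHA256 under a demo key stands in for a PGP signature, and the field list, addresses and group names are constructed assumptions.

```python
import hashlib
import hmac

# Stand-in for a PGP signature. HMAC-SHA256 under a fixed demo key is an
# assumption made so the example runs with the standard library only; what
# matters here is which bytes the signature covers, not the algorithm.
DEMO_KEY = b"constructed demo key"

# Hypothetical choice of header fields to bind into the signature.
BOUND = ("From", "To", "Newsgroups")


def canonical(headers, names):
    """Serialise the selected headers in a fixed order, case and spacing."""
    seen = {k.strip().lower(): " ".join(v.split()) for k, v in headers.items()}
    # A header that is absent is signed as empty, so adding one later
    # (or deleting one) changes the signed bytes too.
    return "".join(
        f"{n.lower()}:{seen.get(n.lower(), '')}\n" for n in names
    ).encode()


def sign(body, headers=None, names=()):
    """Sign the body, preceded by the canonical form of the bound headers."""
    covered = canonical(headers or {}, names) + b"\n" + body.encode()
    return hmac.new(DEMO_KEY, covered, hashlib.sha256).hexdigest()


def verify(signature, body, headers=None, names=()):
    """Recompute over the received body and headers and compare."""
    return hmac.compare_digest(signature, sign(body, headers, names))


def demo():
    """Constructed messages: one posting, then the same body under new headers."""
    body = "I agree completely with the previous poster.\n"
    posted = {"From": "alice@example.org", "Newsgroups": "example.group.one"}
    moved = {"From": "alice@example.org", "Newsgroups": "example.group.two"}
    relayed = {"from": "alice@example.org", "NEWSGROUPS": "  example.group.one "}

    body_only = sign(body)
    bound = sign(body, posted, BOUND)
    return {
        # Body-only signature: the headers are not covered, so it still
        # verifies wherever the body turns up.
        "body_only_in_other_group": verify(body_only, body, moved),
        # Header-bound signature: valid where it was posted ...
        "bound_where_posted": verify(bound, body, posted, BOUND),
        # ... also after harmless re-casing and re-spacing in transit ...
        "bound_after_relay": verify(bound, body, relayed, BOUND),
        # ... but not once the destination header has been changed.
        "bound_in_other_group": verify(bound, body, moved, BOUND),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```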
From jcorgan at aeinet.com Tue Jan 16 12:32:15 1996 From: jcorgan at aeinet.com (Johnathan Corgan) Date: Wed, 17 Jan 1996 04:32:15 +0800 Subject: Spiderspace In-Reply-To: Message-ID: On Tue, 16 Jan 1996, Timothy C. May wrote: > 1. At the Saturday Cypherpunks physical meeting, Marianne Mueller (I think) > was telling me about an experience where an old letter she'd written to > someone showed up in an Alta Vista search. A personal letter, that is. How > this happened was that the letter to her friend was buried several > subdirectories deep in a directory he made accessible to the outside world. > Presto, Alta Vista found it, indexed it, and made it keyword-searchable! Minor correction, it was a private e-mail that I had sent to Marianne over a year ago that showed up in an AltaVista search. (It was a completely inadvertent mistake on her part that this happened.) Funny to me, embarrassing to her, and a perfect (though trivial) example of how the evolution of "spiderspace" will, until people become more familiar with it, reveal all sorts of unexpected surprises. -- Johnathan Corgan jcorgan at aeinet.com http://www.aeinet.com/jcorgan.htm From Doug.Hughes at Eng.Auburn.EDU Tue Jan 16 12:33:53 1996 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Wed, 17 Jan 1996 04:33:53 +0800 Subject: CelBomb In-Reply-To: Message-ID: Just FYI: Time has a different twist on the entire story than the 'trusted compatriot hands over rigged phone' story that has been the basis for comment around here. Their take on it was that Israeli intelligence was gradually triangulating the frequency of his phone over time, and was eventually able to set up some interference on his frequency such that he thought the phone was going bad (dropped calls and such I suppose). So, he sent the phone back to the factory. The Intelligence service, with the cooperation of the factory, intercepted the phone, placed the bomb, and then sent it back.
Sometime later, they (somehow) get him on the phone, confirm it is him, and send the detonate code/tone/beep. Instant lobotomy. -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug at eng.auburn.edu Pro is to Con as progress is to congress From m5 at dev.tivoli.com Tue Jan 16 13:10:51 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Wed, 17 Jan 1996 05:10:51 +0800 Subject: Spiderspace In-Reply-To: <9601161853.AA13284@tssun5.> Message-ID: <9601161922.AA13227@alpha> Ed Carp writes: > ... I was under the impression that the only documents that most web crawlers > will search are documents that are link-accessible. Are you saying that this > isn't true? Are you saying that Alta-Vista will search EVERYTHING that's > publicly accessible, whether by anonymous FTP or web? Ah, but if it hits a site that's set up with a top-level directory which *does* contain an "index" page but whose server *doesn't* recognize the index page name, then when you hit the site you (probably) get one of those server-generated indices. Those things generally have *everything* in the directory visible (except those files blocked by the server configuration, usually stuff like emacs temp files), and so there you go... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From wb8foz at nrk.com Tue Jan 16 14:46:35 1996 From: wb8foz at nrk.com (David Lesher) Date: Wed, 17 Jan 1996 06:46:35 +0800 Subject: Better diversity through Perrymoose. In-Reply-To: Message-ID: <199601162143.QAA05083@nrk.com> Can't we just solve the problem by making it a moderated list; and make Perry the moderator? 
-- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From mdiehl at dttus.com Tue Jan 16 15:12:47 1996 From: mdiehl at dttus.com (Martin Diehl) Date: Wed, 17 Jan 1996 07:12:47 +0800 Subject: Spiderspace Message-ID: <9600168218.AA821836310@cc2.dttus.com> On 1/16/96 12:35 PM, tcmay at got.net (Timothy C. May) at Internet-USA wrote: > I've been thinking a lot about the problems and opportunities that are > coming up as more and more "spiders" (Web searchers, crawlers) are > indexing directories and files on systems they can find. [snip] > Sure enough, a search of "Cyberia-l" in Alta Vista showed all sorts of > hits, including what appeared to be several _private archives_ of parts > of the traffic. (By "private" I mean in the sense that they were > someone's personal archives, and not necessarily complete or even > semi-officially sanctioned.) [snip] > I've started to look for things like PGP files laying around buried in > subdirectories. I can imagine attacks based on this. [snip] > Fourth...left to your imagination. > --Tim May > We got computers, we're tapping phone lines, we know that that ain't > allowed. > ---------:---------:---------:---------:---------:---------:---------:---- > Timothy C. May | Crypto Anarchy: encryption, digital money, > tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero > W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, > Higher Power: 2^756839 - 1 | black markets, collapse of governments. > "National borders aren't even speed bumps on the information superhighway." 
I gather that it would be a Bad Thing (TM) to have someone get both the encrypted and clear text forms of your message (from either you or from the recipient) Maybe regularly changing your encryption keys is a Good Thing (TM) Martin G. Diehl From perry at piermont.com Tue Jan 16 15:28:37 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 17 Jan 1996 07:28:37 +0800 Subject: new web security product In-Reply-To: <199601161933.OAA10516@dal1820.computek.net> Message-ID: <199601161948.OAA02322@jekyll.piermont.com> "Ed Carp, KHIJOL SysAdmin" writes: > I wouldn't pass this along normally, but it seems to allow folks to use > their credit cards at home securely. Bye-bye, First Virtual... ;) > > http://www.cnn.com/TECH/9601/encryption/index.html I don't think its going to fly. No one wants to pay for an unneeded $100 piece of hardware to encrypt the same credit card over and over again, when a nearly zero marginal cost piece of software can do the same thing. Perry From erc at dal1820.computek.net Tue Jan 16 15:48:28 1996 From: erc at dal1820.computek.net (Ed Carp, KHIJOL SysAdmin) Date: Wed, 17 Jan 1996 07:48:28 +0800 Subject: new web security product Message-ID: <199601161933.OAA10516@dal1820.computek.net> I wouldn't pass this along normally, but it seems to allow folks to use their credit cards at home securely. Bye-bye, First Virtual... ;) http://www.cnn.com/TECH/9601/encryption/index.html -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 
'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes From gbe at primenet.com Tue Jan 16 15:56:35 1996 From: gbe at primenet.com (Gary Edstrom) Date: Wed, 17 Jan 1996 07:56:35 +0800 Subject: Novell & Microsoft Settle Largest BBS Piracy Case Ever Message-ID: <30fac193.340341789@mailhost.primenet.com> I saw this in a news summary today and thought that it might be of interest to the list. Sorry, but this is all of the article that I have. >From PR Newswire: "Microsoft Corporation and Novell, Inc. Jointly announced today they have reached a settlement with Scott W. Morris, who was doing business as the Assassins Guild Bulletin Board Service, in what is believed to be the largest settlement ever..." -- Gary Edstrom | Sequoia Software PO Box 9573 | Programming & Technical Services Glendale CA 91226-0573 | PGP Key ID: 0x1A0D44BD PGP Fingerprint: 72 AA 4F 73 05 53 89 C6 8A EE F4 EE D1 C0 13 8D From jya at pipeline.com Tue Jan 16 16:21:04 1996 From: jya at pipeline.com (John Young) Date: Wed, 17 Jan 1996 08:21:04 +0800 Subject: FEY_kry Message-ID: <199601161409.JAA02954@pipe1.nyc.pipeline.com> Supporting Kocher's feynmanesque cracking of sec systems, the WSJ reports today on new ways science "seeks answers to high-tech puzzles by examining the reckless and random ways of nature." The cold, digital domain of silicon-based technology is drawing inspiration from an unlikely source: the living, breathing realm of nature. Scientists are turning to a wide variety of natural models -- from the way salmon migrate to how the human body fights viruses to evolution -- for new approaches to problem-solving. "Our view of computer science is rationalistic, mechanistic. But nature winds up doing things in a way we'd never think of," one scientist says.
FEY_kry From alanh at infi.net Tue Jan 16 16:51:50 1996 From: alanh at infi.net (Alan Horowitz) Date: Wed, 17 Jan 1996 08:51:50 +0800 Subject: Crypto anarchist getting through customs In-Reply-To: Message-ID: I didn't say I like the State. I said that there isn't, relatively speaking, much *political* content to the police-state that is the border. Remember when those Sandinista sympathizers made the news, quite a number of years ago, for getting detained /FBI-interrogated/harassed when they crossed back into the USA? It made the news because that sort of thing *is out of the ordinary* for the USA. And, while I will certainly entertain the suggestion that their actions had a political underpinning, the Feds didn't lack for allegations of violation of United States Statutes to justify the harassment. If these do-gooders had been doing something that comported with the sympathies of the (then) Administration, if they were in step with the Emperor's current "party line", then any such criminal violations would have been ignored. We all know that. So what? Welcome to realpolitik. Alan Horowitz alanh at norfolk.infi.net From jirib at sweeney.cs.monash.edu.au Tue Jan 16 16:52:07 1996 From: jirib at sweeney.cs.monash.edu.au (Jiri Baum) Date: Wed, 17 Jan 1996 08:52:07 +0800 Subject: A weakness in PGP signatures, and a suggested solution (long) In-Reply-To: <1996Jan11.152134.127675@ua1ix.ua.edu> Message-ID: <199601162319.KAA09830@sweeney.cs.monash.edu.au> -----BEGIN PGP SIGNED MESSAGE----- Hello ckey2 at eng.ua.edu (Christopher R. Key) and cypherpunks at toad.com > In article , Jeffrey Goldberg says: ... > First of all, if the recipient is a newsgroup, why would that particular > information need to be part of the signed information? If you post to a ... Somebody already pointed out an adult message being re-posted to a kidgroup. ... > Secondly, if you are sending email to some one and sign it using pgp, wouldn't > that person need pgp to prove that in fact you did sign it?
Then it can be ... > So if all that needs be done to a message to insure that the appropriate > person reads it is encrypt it using their public key, why does pgp (or one > of the pgp interfaces) need to be changed to include header information? ... But then the recipient has a PGP-signed message from you which isn't encrypted (using pgp -d). That person could then impersonate you. Eg Alice the jilted lover could resend the goodbye message with forged headers to Bob's new girlfriend to get back at him. What a sentence. Here it is again, hopefully understandable: Bob->Alice From:Bob; Encrypted(Signed("We're through",Bob),Alice) Alice does pgp -d, leaving her with Signed("We're through",Bob) Alice->Carol From:Bob; Encrypted(Signed("We're through",Bob),Carol) Later, when Bob gets another girlfriend, Alice->Danielle From:Bob; Encrypted(Signed("We're through",Bob),Danielle) Later still, Alice->Eve From:Bob; Encrypted(Signed("We're through",Bob),Eve) From alanh at infi.net Tue Jan 16 16:52:17 1996 From: alanh at infi.net (Alan Horowitz) Date: Wed, 17 Jan 1996 08:52:17 +0800 Subject: Crypto anarchist getting through customs In-Reply-To: Message-ID: The notorious questionnaire to the SEALS wasn't an official action. It was one lieutenant doing an assignment for a night class. I never said that the federal government was good, or nice, or useful. Alan Horowitz alanh at norfolk.infi.net From grimm at MIT.EDU Tue Jan 16 16:53:02 1996 From: grimm at MIT.EDU (grimm at MIT.EDU) Date: Wed, 17 Jan 1996 08:53:02 +0800 Subject: Bignum support in C++ In-Reply-To: <199601160319.WAA02872@toxicwaste.media.mit.edu> Message-ID: <9601162318.AA06850@w20-575-14.MIT.EDU> Okay, I set up a quick web site for the large integer class I talked about yesterday. The URL is http://www.mit.edu:8001/people/grimm/Int/Int.home.html Included in the package is a quick demonstration using Fibonacci numbers. (Beware: the code as-is spits everything out in hex.) Comments, suggestions, etc. are always welcome.
-James From frissell at panix.com Wed Jan 17 08:58:27 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 17 Jan 96 08:58:27 PST Subject: A Modest Proposal: Fattening up the Proles Message-ID: <2.2.32.19960117165226.006b21e4@panix.com> At 07:24 AM 1/17/96 -0500, Timothy C. May wrote: >(Ironically, I brought up the new book, "The Winner Take All Society," at >the last Cypherpunks meeting. No time to discuss it here, but it confirms >my strong belief that we are heading for a economy in which a shrinking >fraction of workers have really valuable things to contribute, and a >growing fraction of the population does not. The book suggests that small differences in perceived quality (or even 'luck') result in a big difference in marketplace results (whether for product or labor). The title is a bit misleading. It should be "The Winner-Take-Lots Society" since it does not say that non-winners are left with nothing (that thesis is promoted in other recent works of fiction.) These GenX whining tomes and commie sociology texts are just the latest examples of the old automation-will-cause-mass-unemployment so-we-need-Socialism-to-feed the-unemployed arguments. So far, a higher percentage of Americans are in paid employment than ever before in history. Likewise once you factor out changes in the workforce mix, similarly situated workers continue to rake in more "total compensation" than ever before. Remember comparative advantage. Just because Tim can apply his knowledge of physics to the chip fab process better than anyone and make big bucks, doesn't mean that everyone else is not needed. Even Tim can't be everywhere at once. There is plenty for us lesser lights to do. Tim himself certainly purchases the goods and labor of many other people. It may be true that a disproportionate share of the gains accrue to "the elite" but if everyone else is vastly richer than their forebearers, what difference does it make? 
That is the likely effect of the nanotechnology revolution of which the computer revolution is just the first part. "The End of Work" is a real world example of the "Imminent Death of Usenet" threads that wander their way throughout the Net. DCF "If everyone is so poor these days, why have air travel, dining out, and retail floor space all tripled since the Carter administration?" From frissell at panix.com Wed Jan 17 08:59:44 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 17 Jan 96 08:59:44 PST Subject: on being elitist... Message-ID: <2.2.32.19960117165241.006c49c8@panix.com> At 07:48 AM 1/17/96 -0600, Ed Carp, KHIJOL SysAdmin wrote: >I would say that an "elitist" is one who believes that the masses (or the >great unwashed, depending on your point of view) are somehow "not >deserving" of surviving or "not worth it" The contemporary PC definition of elitist is "One who believes that people are capable of excellence." And an anti-elitist is "One who believes that people are utterly incapable of excellence." Hence Public Education. I'm sure that some on this list think that people will prosper at different rates but I don't think too many expect a great die off of the masses because of their inability to compete. The cypherpunks relevance is that some members of this list want to use cypherpunk tools to protect their differential income from *greedy* governments who want to get their bloody hands on it. DCF "And Hillary said, 'Bill Gates is greedy because he has amassed a fortune of US$15,000,000,000 but the US Government is a helpful Village because it takes US$1,400,000,000,000 from us each year and does good things with it.'" From jcorgan at aeinet.com Wed Jan 17 09:00:42 1996 From: jcorgan at aeinet.com (Johnathan Corgan) Date: Wed, 17 Jan 96 09:00:42 PST Subject: Alta Vista, Great Stuff!
In-Reply-To: <2.2.32.19960117111232.0095a67c@panix.com> Message-ID: On Wed, 17 Jan 1996, Duncan Frissell wrote: > My name is rare and matched mostly by lists of the highest points of > elevation in each state (Mt. Frissell in Connecticut) and museum shows of > the work of a distant cousin Toni Frissell who was a fashion photographer in > NYC. Most of the rest is mine. If you have a common name/nym it would be > harder to track (except by searching for email address rather than name). I have a similar situation--"Corgan" is an invented name, so it is quite rare. Most hits on my name are either Cpunks archives at hks.net or the motherlode of Billy Corgan (Smashing Pumpkins) stuff out there. -- Johnathan Corgan jcorgan at aeinet.com http://www.aeinet.com/jcorgan.htm From cp at proust.suba.com Tue Jan 16 18:33:01 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Wed, 17 Jan 1996 10:33:01 +0800 Subject: pgp broken? In-Reply-To: <9601162346.AA22192@toad.com> Message-ID: <199601170205.UAA00460@proust.suba.com> > In speaking with an associate, he mentioned in passing that PGP had > been broken a few weeks ago in San Diego by the DoD using a Cray. > All questioning about said subject was ended immediately as he felt > that he might have said too much how it was. Was PGP "broken"? There's a store here in Chicago that sells surveillance equipment. I had driven by it for years and never gone in, and a few weeks ago I finally gave in to curiosity and checked it out. One of the things they were selling was a $100 floppy disk labeled "public key encryption". Is that like PGP? "No, this is much better. PGP can be broken, this uses DES." (DES isn't a public key algorithm, of course, and it's no longer considered secure.) There have been hundreds of reports like yours throughout PGP's short history. They're always second hand, and there's never any information about the specifics of the attack. It's hard to take such reports seriously. 
What do you mean when you speak of "breaking PGP"? Decrypting a single message? Forging a single signature? Producing a private key from a public one? Figuring out a way to make one of those other problems easier by exploiting a weakness in PGP's implementation? A new attack on RSA, IDEA, or MD5? Coming up with a technique for factoring big numbers? I'd be willing to bet that most people -- literally, more than half -- who use PGP have made the mistake of picking a weak passphrase. If I'm right about that, it would mean that an awful lot of people who think they have security don't. If you pick a weak passphrase, your key could fall to a dictionary attack. But that's a problem with the user, not PGP. It's most likely that the person who told you that PGP had been broken was mistaken. If there's anything at all to the story, chances are overwhelming that he was referring to a successful dictionary attack against a single key. A lot of people seem to feel a little uneasy about MD5, which PGP uses to make signatures; perhaps some super spook has put a dent in that. Anything is possible. It's only "Pretty Good" privacy. But you can rest assured that if credible evidence that PGP has been compromised ever emerges, you won't have to go digging around for it. It will be all over the net and the traditional media. From grafolog at netcom.com Tue Jan 16 18:46:28 1996 From: grafolog at netcom.com (Jonathon Blake) Date: Wed, 17 Jan 1996 10:46:28 +0800 Subject: remarkable recent stories In-Reply-To: <199601170017.QAA19922@netcom2.netcom.com> Message-ID: Vladimir: On Tue, 16 Jan 1996, Vladimir Z. Nuri wrote: > - what this all suggests to me is a possible major policy/political > switch inside the NSA in which possibly someone who is more in favor of > code making than code breaking is gaining the reins. it's tough to > guess based on the NSA's entrails, but recent events are some pretty > odiferous entrails, I'd be interested to hear what others think. Interesting theory.
Maybe even factual. I don't know. Caveat: After decades of secrecy, the NSA has come out of the cold so to speak. Are we to safely assume that the NSA has not had it's major mission changed in a few major ways when it came into the open? Suppose the NSA was simply being used as a cutout for its replacement, which is even more sub rosa? xan jonathon grafolog at netcom.com ********************************************************************** * * * Opinions expressed don't necessarily reflect my own views. * * * * There is no way that they can be construed to represent * * any organization's views. * * * ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * ftp://ftp.netcom.com/pub/gr/graphology/home.html * * * *********************************************************************** From alano at teleport.com Tue Jan 16 18:58:48 1996 From: alano at teleport.com (Alan Olsen) Date: Wed, 17 Jan 1996 10:58:48 +0800 Subject: [NOISE]cypherpunks meeting Message-ID: <2.2.32.19960116223852.0087a680@mail.teleport.com> This is one of the strangest pieces of mail I have recieved in a while. I know it is not nice to publish private mail, but this has got to be the most clueless response i have gotten yet on the portland Cypherpunks meeting. Either this guy has lost total connection to his clue-server or he left his terminal logged in... Either way it is pretty funny. (At least he did not make any references to the "tentacles" of Tim May... ]:> ) >Date: Tue, 16 Jan 1996 07:39:55 -0500 (EST) >From: paul >X-Sender: phoffman at oven >To: alano at teleport.com >Subject: cypherpunks meeting > >I THINK THAT ALL CYPHER PUNKS ARE S BUNCH OF FAGGOTS HAVING MEETINGS TO >SEE WHO THEY "WANT" ALL OF YOU CAN SEND YOUR GAY MESSAGES WITH KEYS >SOMEWHER ELSE YOU DAMN FAGGOTS! 
> >paul > >*************************************************** >*copyright 1995 phoffman at oven.ccds.charlotte.nc.us* >* 1996 foffman at aol.com * >*************************************************** > > Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "Is the operating system half NT or half full?" From wlkngowl at unix.asb.com Tue Jan 16 19:02:52 1996 From: wlkngowl at unix.asb.com (Mutatis Mutantdis) Date: Wed, 17 Jan 1996 11:02:52 +0800 Subject: Ann: NOISE.SYS v0.4.1 (should be) available... Message-ID: <199601170238.VAA25799@UNiX.asb.com> Latest version of NOISE.SYS has been uploaded to ftp.funet.fi, and a few other sites, as "noise04.zip". It is a random-noise device driver for DOS, which samples fast timings between keystrokes, disk access, clock-drift, and even mouse movement or audio card and hashes with SHA-2 algorithm to generate some good-quality randomness. Note changes since previous version: this one defines two devices akin to random.c patch for Linux, /dev/random and /dev/urandom. The latter will output as many bytes as are requested, while the first will only output as many bits as are estimated to be in the pool. Source included. 386 req'd. Take care, --Rob (Still waiting on comments or suggestions about earlier versions...) From pitz at onetouch.com Tue Jan 16 19:21:07 1996 From: pitz at onetouch.com (greg pitz) Date: Wed, 17 Jan 1996 11:21:07 +0800 Subject: pgp broken? Message-ID: <9601162346.AA22192@toad.com> In speaking with an associate, he mentioned in passing that PGP had been broken a few weeks ago in San Diego by the DoD using a Cray. All questioning about said subject was ended immediately as he felt that he might have said too much how it was. Was PGP "broken"? His background: Prez of a firm with offices in D.C. & Silicon Valley. He is a former Thunderbird pilot, and so has some connections in the military. 
He has designed many hardware encrypting configurations using the VLSI007 chip as well as other chips that I am not familiar with. One of his present projects is designing a hardware encryption layout for Apple. Could this be part of the reason the charges were dropped against Phil as well? >>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<< greg pitz pitz at onetouch.com >>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<< From tallpaul at pipeline.com Tue Jan 16 21:32:52 1996 From: tallpaul at pipeline.com (tallpaul) Date: Wed, 17 Jan 1996 13:32:52 +0800 Subject: Crypto hate mail Message-ID: <199601170257.VAA16456@pipe9.nyc.pipeline.com> On Jan 16, 1996 14:38:52, 'Alan Olsen ' wrote: >This is one of the strangest pieces of mail I have recieved in a while. I >know it is not nice to publish private mail, but this has got to be the most >clueless response i have gotten yet on the portland Cypherpunks meeting. > >Either this guy has lost total connection to his clue-server or he left his >terminal logged in... Either way it is pretty funny. (At least he did not >make any references to the "tentacles" of Tim May... ]:> ) > >>Date: Tue, 16 Jan 1996 07:39:55 -0500 (EST) >>From: paul >>X-Sender: phoffman at oven >>To: alano at teleport.com >>Subject: cypherpunks meeting > >> >>I THINK THAT ALL CYPHER PUNKS ARE S BUNCH OF FAGGOTS HAVING MEETINGS TO >>SEE WHO THEY "WANT" ALL OF YOU CAN SEND YOUR GAY MESSAGES WITH KEYS >>SOMEWHER ELSE YOU DAMN FAGGOTS! >> >>paul >> A. Olsen is too optimistic by far in his characterization of the likely psychological state of the person who sent the above message. I just published my CyberAngel piece in _Computer underground Digest_ and, during my researches, I heard a lot of material as least as hostile as the mail Olsen posted. The hysteria over the Four Horseman, particularly the "kiddie pornographers" is *intense.* So is the ignorance. To repeat in a different form: the word is "hysteria" as in "Salem Witch Trials." the ignorance is intense, e.g. 
".gif" is a "kiddie porn" code word for "girlie interchage files" etc.etc. -- tallpaul "To understand the probable outcome of the Libertarian vision, see any cyberpunk B movie wherein thousands of diseased, desparate and starving families sit around on ratty old couches on the streets watching television while rich megalomaniacs appropriate their body parts for their personal physical immortality." R. U. Sirius _The Real Cyberpunk Fakebook_ From jcorgan at aeinet.com Wed Jan 17 14:15:31 1996 From: jcorgan at aeinet.com (Johnathan Corgan) Date: Wed, 17 Jan 96 14:15:31 PST Subject: A Modest Proposal: Fattening up the Proles In-Reply-To: <2.2.32.19960117165226.006b21e4@panix.com> Message-ID: On Wed, 17 Jan 1996, Duncan Frissell wrote: > The book suggests that small differences in perceived quality (or even > 'luck') result in a big difference in marketplace results (whether for > product or labor). The title is a bit misleading. It should be "The > Winner-Take-Lots Society" since it does not say that non-winners are left > with nothing (that thesis is promoted in other recent works of fiction.) While I've not read the book, what you describe fits with the concept of "sensitivity to initial conditions" that chaos theory discusses. In this context, what Tim describes is a "sharpening" effect--i.e., the differences in initial conditions necessary to distinguish between the two eventual outcomes described is becoming smaller. A neat way to visualize this is to picture what happens when you crank up the contrast on a black and white TV. Eric Hughes made an interesting comment, something to the effect that this process only seems to be occurring in occupations that have something in common, like easy transfer of job skill from one worker to another, I don't quite remember. Anyone remember specifically? -- Johnathan M. 
Corgan jcorgan at aeinet.com http://www.aeinet.com/jcorgan.htm From stewarts at ix.netcom.com Tue Jan 16 22:41:10 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 17 Jan 1996 14:41:10 +0800 Subject: Number theory text Message-ID: <199601170613.WAA08890@ix5.ix.netcom.com> >> PS -- Going to consolidate posts here. Can someone recommend a good >> text for an intro to Number Theory? When I asked this a year or so ago, somebody recommended Levecque (sp?). Thin book published by Dover that I bought for about $4 new, very readable and clear, and the elementary stuff has probably not changed significantly since ~1960. You may want something fancier and more detailed after you finish it, but it was a good start. Now it's time to finish that book on Group Theory :-) #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "Eternal vigilance is the price of liberty" used to mean us watching # the government, not the other way around.... From ses at tipper.oit.unc.edu Tue Jan 16 23:11:39 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Wed, 17 Jan 1996 15:11:39 +0800 Subject: Spiderspace In-Reply-To: <199601170613.WAA08830@ix5.ix.netcom.com> Message-ID: Bill mentions 'archie'; it's interesting to note that the problem of stuff that wasn't supposed to be public turning up in archie listings dates back to at least 1991. Amongst the problems were hosts of the form ftp..com which had anonymous ftp, but which weren't supposed to be public, and of files put up on such sites but not announced, usually by support people transferring a file to some customer which then got picked up in the sweep. Then of course, there was the time in 1993 when someone left a world-writable directory on the X consortium web site into which someone uploaded 300Mb of pornographic jpegs. This happened over the weekend, so they had a nice long chance to sit there while all the mirror sites happily duplicated them.
If it was your turn to be archied whilst those files were there, you were in the database till your next sweep. All those Horny net geeks who found the directories empty would then send plaintive messages asking where the files were, and how to join the gif club. Simon (defun modexpt (x y n) "computes (x^y) mod n" (cond ((= y 0) 1) ((= y 1) (mod x n)) ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n)) (t (mod (* x (modexpt x (1- y) n)) n)))) From jpb at miamisci.org Tue Jan 16 23:51:38 1996 From: jpb at miamisci.org (Joe Block) Date: Wed, 17 Jan 1996 15:51:38 +0800 Subject: Orlando Key Signing Message-ID: I recently moved to Orlando, FL and I would like to know if there are any cypherpunks in this area interested in getting together for a key signing. Joseph Block "We can't be so fixated on our desire to preserve the rights of ordinary Americans ..." -- Bill Clinton (USA TODAY, 11 March 1993, page 2A) No man's life, liberty or property are safe while the legislature is in session. 2048bit-Fingerprint: F8 A2 A5 15 56 42 9B 16 3F BD 57 0F 8A ED E3 21 From alano at teleport.com Wed Jan 17 00:00:46 1996 From: alano at teleport.com (Alan Olsen) Date: Wed, 17 Jan 1996 16:00:46 +0800 Subject: Cybercrime & Privacy Issues AOL FBI discussion Message-ID: <2.2.32.19960116080509.009d98fc@mail.teleport.com> This will be of some interest to the people on this list... >From: freematt at coil.com (Matthew Gaylor) >Subject: Cybercrime & Privacy Issues AOL FBI discussion > >If you have an AOL account you may wish to join the below online discussion. > >Cybercrime & Privacy Issues > >On Wednesday evening, January 24, 1996 at 9pm EST in the Globe Auditorium >of America Online (AOL), Mobile Office Productions will be hosting a candid >interactive discussion with the FBI's Jim Kallstrom, who is working to >shape procedures regarding computer privacy issues and cybercrime. 
> >This topic is of vital importance to all of us and we urge you to join us on >January 24th at 9pm EST in the Globe Auditorium with your comments, questions >and experiences. > >************** E-Mail: freematt at coil.com ************ >Matthew Gaylor >1933 E.Dublin-Granville Rd., # 176 >Columbus, OH 43229 > >I maintain the Electronic Frontier Foundation's Online Activism Resource >List FAQ. An ACTION/EFF FAQ. Please send me sources of privacy/free-speech >civil-liberties advocacy and general online activism tool/resources. Please >send your hardcopy materials to my snail address. > >Available on the web at: http://www.eff.org/pub/Activism/activ_resource.faq >And archived at: ftp.eff.org, /pub/Activism/activ_resource.faq > >######################TANSTAAFL >"We can foresee a time when...the only people at liberty will be prison guards >who will then have to lock up one another. When only one remains, he will be >called the 'Supreme Guard'; and that will be the ideal society in which >problems of opposition, the headache of all twentieth century governments, >will be settled once and for all." Albert Camus > > > Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "Is the operating system half NT or half full?" From jim at bilbo.suite.com Wed Jan 17 00:02:15 1996 From: jim at bilbo.suite.com (Jim Miller) Date: Wed, 17 Jan 1996 16:02:15 +0800 Subject: Article on E-money Message-ID: <9601170216.AA21093@bilbo.suite.com> > Hi- > > I'm a journalist writing an article for an on-line > magazine about emoney. Seeing your site on the web... > Hi, I have no Web site of my own. You probably saw my E-Money FAQ on someone else's site and thought I was the site manager. That's ok, you're not the first to make that mistake. > I was hoping I might ask you a few very general questions > about the future on emoney as you see it. 
My article is > called a "futureview" article, meaning it makes some > guesses at what changes people can expect because of new > technology. > I'll be happy to answer your questions as best I can. > -How will the adoption of e-money or e-cash change the > workplace? Will some kinds of businesses or practices > prosper while others fail? > > -How will emoney or ecash change people's daily lives at > home? (More home shopping?) > > -If you had to guess, what do you think the future of emoney > will be? > > -Are there any words of hope/caution you'd like people to > know? > > Thanks in advance for any help you can give. If you have > more questions about myself or the article, feel free to > call or write me. > > Mary Leontovich xxx/xxx-xxxx email: maryl at efn.org > Rather than answer each question individually, I'll just ramble on about e-money for a bit and hopefully I'll convey some interesting opinions. The first thing to recognize is that there are two arenas to consider when discussing e-money; the on-line arena and the "about town" arena. I'll first discuss the "about town" arena. It will take a decade or more, but eventually e-money purchases will be as common as credit card purchases. People will carry e-money cards right alongside their credit cards. Rather than handing over a few dollar bills, people will insert e-money cards into readers. ATM machines will provide an option to charge up e-money cards. Credit card systems and e-money systems will co-exist, and in fact you will be able to easily transfer value between credit cards and e-money cards. It is quite likely that the major credit card companies will issue multi-purpose super-cards(tm) that can act as either credit or e-money cards, reducing the number of cards people carry. 
Paper money will never go away completely (unless government stops backing paper money), but there are a variety of reasons most people will switch from using paper money to using e-money cards: 1) The card can easily keep a record of all a person's e-money purchases. The record can be up-loaded into popular PC-based money management software. 2) The card can hold "change" as well as "large bills". No need to carry around a pocketful of coins. 3) The money in the card can't be spent unless the proper PIN number (or thumb print, etc) is provided. Paper money can be spent by any thief. Some e-money cards may allow you to get reimbursed for lost or stolen e-money. Others may only be able to "void" the lost money. 4) Some e-money systems may allow you to make back-up copies of your e-money, in case the card gets damaged. 5) Paper money wears out, gets torn, etc. 6) Paper money, even in moderate quantities, is bulky. 7) Paper money has to be counted, and people must wait around while change is tallied up. Mistakes could be made. E-money cards will be relatively fool-proof and will work as fast or faster than current credit cards. And now the online arena... People will be able to purchase inexpensive devices that can be connected to their PC to transfer e-money from card to computer, and vice versa. This device may become a pseudo-standard peripheral, much like a sound card is today. People will be able to purchase items securely over the Internet using either credit card numbers or e-money. A good question to ask might be "If people can make secure credit card purchases over the Internet, why would they use e-money over the Internet?" There are a variety of reasons people might use e-money rather than credit cards online: 1) The item may cost only a few pennies, or less. Not enough to warrant using a credit card. 2) The vender may not accept credit cards. 
3) You may not wish to give the vender your credit card number until you have established that the vender is trustworthy. 4) You may wish to pay in "cash" rather than add to your credit card balance. 5) You may wish to avoid revealing your "about town" identity to the vendor. Why might a vender accept e-money, but not credit cards? Well, it costs money to accept credit cards. It will probably cost less money to accept e-money. Very small companies that exist only on-line may not want to pay the expense to hook up to the credit card infrastructure. Cheap e-money will lower the barriers to entry for online business. Huge numbers of very small players will come online. The meaning of the term online "business" will change as it becomes easy and economical for individuals to charge very small amounts for data or services. When something becomes cheap and easy (ala World Wide Web), it will become very popular. When it is also a way to make money, it will become common-place. Most everyone with a PC will find a way to make a little money on the side by selling something online. Maybe people will sell idle CPU time or unused disk space on their home PCs to people using future Java-like distributed applications. All this new economic activity will of course be taxed. That is, if government has any say in the matter. And you can be sure government will do its best to have a say. From reading my E-money FAQ you know there are two possible kinds of e-money systems: identified and anonymous. For both tax reasons and law enforcement reasons, governments will do their best to insure that anonymous e-money systems fail in the marketplace. Perhaps by outright banning them, or by subsidizing identified e-money systems, or by not insuring bank accounts that accept anonymous e-money, or by mandating accounting or identification systems that preclude the use of anonymous e-money. I'm sure there are other tactics government could use. Should people care? 
What's so bad about identified e-money? What's so good about anonymous e-money? Most people don't seem terribly upset about the personal information they reveal by using credit cards so it is reasonable to assume most people will not be upset about the personal information they reveal by using identified e-money. I predict that anonymous e-money systems will not fare well in the marketplace for the following reasons: 1) Government pressure against anonymous e-money. 2) Identified e-money systems are easier to build. 3) Certain technologies necessary for anonymous e-money are patented. E-money system builders will tend to roll their own identified e-money systems, rather than pay fees or royalties to the patent holders. 4) The financial risks associated with anonymous e-money are more complex and harder to evaluate than the financial risks associated with identified e-money. The conservative money will tend to back systems with the lower perceived risk, even if the risks associated with anonymous e-money are manageable. 5) Identified e-money systems can provide the same external features and conveniences as anonymous e-money systems and will most likely become widely deployed sooner than anonymous e-money systems. Once people become accustomed to identified e-money systems, it is unlikely they will push for a change to anonymous e-money systems. It is hard for me to explain the reasons why anonymous e-money is preferred over identified e-money. The reasons fall into the "Do you trust government, or not" category. "Do you want the government to know about every penny you spend?" These sort of concerns are easily dismissed as alarmist. After all, say many people, if the government gets out of hand we can just vote in different law makers. That's how democracy works. Well, I don't believe it would be that easy. Imagine how hard it would be to get rid of social security cards. 
The information conveyed via identified e-money is directly useful to tax agencies and law enforcement. The information has other governmental and commercial uses, too. As with social security numbers, the infrastructure that utilizes identified e-money information will become larger the longer the systems are in use. After a time, it will take an ideological revolution to convince government and business it must do without such detailed personal information. And revolutions, ideological or otherwise, are never painless. I hope I'm wrong and identified e-money is nothing to worry about. And maybe big government can be trusted. :-) Jim_Miller at suite.com P.S. I CC'ed this reply to the cypherpunks mailing list. You might get additional replies from people on that list. ____________________________________________________________________ The Internet is a land bridge for memes ____________________________________________________________________ From tcmay at got.net Wed Jan 17 00:33:01 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 17 Jan 1996 16:33:01 +0800 Subject: A Modest Proposal: Fattening up the Proles Message-ID: At 2:57 AM 1/17/96, tallpaul wrote: >-- >tallpaul > >"To understand the probable outcome of the Libertarian vision, see any >cyberpunk B movie wherein thousands of diseased, desperate and starving >families sit around on ratty old couches on the streets watching television >while rich megalomaniacs appropriate their body parts for their personal >physical immortality." > R. U. Sirius > _The Real Cyberpunk Fakebook_ The absurdity of this point is obvious to anyone with a brain. Why would we want the donors to be "diseased" and "starving"? It is imperative that donors be healthy and non-anorexic (we used to use the phrase "fattened up," but this is no longer au courant). To keep the proles reasonably healthy, the plutocrats are encouraging the current wave of exercise videos, ThighMasters, Buns of Steel, etc. 
And lots of beer, as the Kobe beef quakers have shown. Other than this, R. U. has it about right, I think. (Ironically, I brought up the new book, "The Winner Take All Society," at the last Cypherpunks meeting. No time to discuss it here, but it confirms my strong belief that we are heading for an economy in which a shrinking fraction of workers have really valuable things to contribute, and a growing fraction of the population does not. I had not recalled the authors, but Strick had a battery-powered laptop and Metricom wireless modem, and ran an Alta Vista search from where he was sitting: ROBERT FRANK & PHILIP COOK, The Winner-Take-All Society, New York: The Free Press.) This may shock some of the newcomers here, who haven't heard this, or who haven't deduced it from our posts, but many of us are elitists. Or, more precisely, we are for people looking out for Number One, with the expectation that many other people simply won't make it. Think of it as evolution in action. --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From EALLENSMITH at ocelot.Rutgers.EDU Wed Jan 17 00:56:04 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 17 Jan 1996 16:56:04 +0800 Subject: A weakness in PGP signatures, and a suggested solution (long) Message-ID: <01I038C6R8X2A0UHYW@mbcl.rutgers.edu> From: ckey2 at eng.ua.edu (Christopher R. Key) >First of all, if the recipient is a newsgroup, why would that particular information need to be part of the signed information? 
If you post to a newsgroup a message that is only signed (as opposed to encrypted also), then you are obviously not worried about who reads it. The signature is only a method of proving that the important text (message) is unchanged and intact, and that the person who it is supposed to be from is the same who signed it. -------------- How about proving that you _weren't_ spamming? I.e., an enemy spots a message on a newsgroup from you with a signature, then duplicates it with header modifications on 500 newsgroups including news.admin.net-abuse.misc (to add insult to injury). Sorry if a bunch of other people have pointed this out by the time my message gets to toad.com, but... -Allen From vznuri at netcom.com Wed Jan 17 01:00:51 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Wed, 17 Jan 1996 17:00:51 +0800 Subject: remarkable recent stories Message-ID: <199601170017.QAA19922@netcom2.netcom.com> I haven't seen much dialogue on some key things that have popped up recently of high relevance to this list; forgive me if these are covered in threads (inappropriately named?): 1. GNN had an article in which Madsen (puzzle palace coauthor I believe) stated that the NSA was trying to restrict anonymity by working behind the scenes with Lotus, Microsoft, etc. major meat for TCM's "NSA visits" compendium assuming he's still working on it. also, it sounds like the most direct evidence that the NSA is working against anonymity in cyberspace, something that really surprises me. 2. the same article had Madsen stating that the NSA is vacuuming down Internet traffic. he gave the likely entry points that they are doing this. this is one of the first major credible insistences I've seen that the NSA is doing this. (there are of course a bazillion urban legends that the NSA does this). Madsen claimed that some private companies were getting contracts for the work. hmmmmmmm, possibility of some cyphersabotage here, like what went on with mycotronix? (sp?) 3. 
the absolute biggest blockbuster of them all: the NSA supposedly did a study about how crypto regulations affect US competitiveness in the international marketplace and *concluded* they were damaging it. (surprise!!) the Commerce Dept. has recommended *easing* export regulations. this is very notable for several reasons: - The NSA would probably not release the study unless they were hinting at a new policy decision. they do a bazillion studies surely but none of them see the light of the public day. why would they release *this* one? - the commerce dept is probably heavily influenced by the NSA-- i.e. I doubt that they would come out with a favorable recommendation for crypto unless the NSA approved. however, on the other hand, in the articles there was a caveat that "if the military and spy agencies allow it". not sure what was meant by that. - what I wonder is if the same NSA study was more comprehensive and tried to look at the overall implications of current or altered crypto export policy. i.e., did they try to address the question, "what would really happen to overall US situation if crypto were unregulated? would it mean better business? more or less crime?" etc. I have said this before, but everyone seems to *assume* that unrestricted crypto necessarily releases the 4 horsemen of the infocalypse, but what if an actual *study* was done, that potentially *contradicts* this idea? there are many examples of new technology being introduced that has an effect far different than that anticipated by the masses or the conventional wisdom, and often much more benign than expected. - what this all suggests to me is a possible major policy/political switch inside the NSA in which possibly someone who is more in favor of code making than code breaking is gaining the reins. it's tough to guess based on the NSA's entrails, but recent events are some pretty odiferous entrails, I'd be interested to hear what others think. 
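The replay E. Allen Smith describes earlier in this digest (a signed newsgroup post duplicated under modified headers), set against the suggestion of covering recipient information with the signature, as an added example that is not part of any poster's message. An HMAC stands in for the PGP signature because the Python standard library has no public-key signing; the key, the sample post, the function names and the choice of bound headers are all assumptions.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # assumption: stand-in for the poster's signing key
BOUND = ("from", "newsgroups", "date", "message-id")  # assumption: headers to cover

# Constructed sample post (not a real message).
POST = (
    "From: alice@example.org\n"
    "Newsgroups: sci.crypt\n"
    "Date: Wed, 17 Jan 1996 12:00:00 GMT\n"
    "Message-ID: <constructed-1@example.org>\n"
    "Subject: key size question\n"
    "\n"
    "How long should an RSA modulus be?\n"
)


def parse(raw):
    """Return ([(lowercased name, value)], body), unfolding continuation lines."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed header line: %r" % line)
            headers.append((name.strip().lower(), value.strip()))
    return headers, body


def _mac(data, key):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_body_only(raw, key=KEY):
    """Clearsign-style: only the body is covered, headers are not."""
    return _mac(parse(raw)[1].encode(), key)


def verify_body_only(raw, sig, key=KEY):
    return hmac.compare_digest(sign_body_only(raw, key), sig)


def bound_bytes(raw):
    """Canonical bytes covering the body plus exactly one of each bound header."""
    headers, body = parse(raw)
    out = []
    for name in BOUND:
        values = [v for n, v in headers if n == name]
        if len(values) != 1:          # missing or duplicated header: refuse
            raise ValueError("need exactly one %s header" % name)
        out.append(name + ":" + " ".join(values[0].split()))
    return ("\n".join(out) + "\n\n" + body).encode()


def sign_bound(raw, key=KEY):
    return _mac(bound_bytes(raw), key)


def verify_bound(raw, sig, key=KEY):
    try:
        expected = sign_bound(raw, key)
    except ValueError:
        return False
    return hmac.compare_digest(expected, sig)


def repost(raw, newsgroups):
    """Test fixture: same body, Newsgroups header rewritten by a third party."""
    headers, body = parse(raw)
    lines = ["%s: %s" % (n, newsgroups if n == "newsgroups" else v)
             for n, v in headers]
    return "\n".join(lines) + "\n\n" + body


if __name__ == "__main__":
    copy = repost(POST, "news.admin.net-abuse.misc,alt.test")
    print("body-only signature still verifies on the copy:",
          verify_body_only(copy, sign_body_only(POST)))
    print("header-bound signature verifies on the copy:",
          verify_bound(copy, sign_bound(POST)))
```

With the headers bound, the author can show that a copy carrying a different Newsgroups line was never signed, which is the proof of not spamming that the reply asks for.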
From bruceab at teleport.com Wed Jan 17 17:08:26 1996 From: bruceab at teleport.com (Bruce Baugh) Date: Wed, 17 Jan 96 17:08:26 PST Subject: Remailers and Me Message-ID: <2.2.32.19960118010838.00697400@mail.teleport.com> -----BEGIN PGP SIGNED MESSAGE----- This may sound like a clueless newbie question, but then it pretty much _is_, redeemed only by the fact that I know it. :-) Following a lead provided by another local newbie, I've been doing a bunch of amateur remailer testing, looping messages from here through a given remailer to a nym server, back through the remailer, to here, and toting up the travel times. The latency and reliability figures I'm getting bear little or no resemblance to the info included with Private Idaho, discussed here, and like that. Question: is this anything to be concerned about? I'm assuming that the folks doing ping testing are throwing far more clueful and automated procedures at the problem, just for starters. But then I get the impression that their methodology differs from what I'm doing here, too. (My aim was to simulate "normal" use, at least for me, and to go on to test times through combos of the most reliable sites later.) Bruce "One ringy-dingy, two ringy-dingy" Baugh bruceab at teleport.com http://www.teleport.com/~bruceab -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- Bruce Baugh bruceab at teleport.com http://www.teleport.com/~bruceab From jcorgan at aeinet.com Wed Jan 17 01:25:58 1996 From: jcorgan at aeinet.com (Johnathan Corgan) Date: Wed, 17 Jan 1996 17:25:58 +0800 Subject: Ooops Message-ID: Some rather, uh... 
uncreative bash scripting resulted in my trashing beyond reasonable repair all my inbox mail for the last half a day or so. Looks like there were a few posts from some list members--please resend any important mail. Thanks. -- Johnathan M. Corgan jcorgan at aeinet.com http://www.aeinet.com/jcorgan.htm From blancw at accessone.com Wed Jan 17 01:32:25 1996 From: blancw at accessone.com (blanc) Date: Wed, 17 Jan 1996 17:32:25 +0800 Subject: FW: Net Control is Thought Control Message-ID: <01BAE458.9E49C680@blancw.accessone.com> From: Vladimir Z. Nuri "how can you be so sure that the cypherpunks lists is really what you think it is?" 'Cause I'm real, real smart. "a bunch of people from around the country independently interested in crypto?" "An effete corps of impudent snobs who fancy themselves intellectuals." (Spiro Agnew) "an agent provocateur, or agent saboteur, could create a vastly different perception regardless of the input of other people." It's true there are juveniles who occasionally disturb the list, but I expect that most members have a real interest in the subjects discussed and wish to bring out pithy points of truth & wisdom for all to behold, taking full credit for their contribution to the general atmosphere of learned intelligence. People have to grow up from childhood, Nuri-logical, and even then it's possible to be mistaken & to be misled. But there is no substitute for work, for the work of thought, which is the only means any human being has to solve the problems of living as a conscious, sensitive being. The only way to deal with all of the problems you mentioned is to continue to work to solve them in the way which will be most satisfactory to moral creatures. .. 
Blanc From attila at primenet.com Wed Jan 17 01:41:07 1996 From: attila at primenet.com (attila) Date: Wed, 17 Jan 1996 17:41:07 +0800 Subject: Crypto anarchist getting through customs In-Reply-To: Message-ID: On Tue, 16 Jan 1996, Alan Horowitz wrote: > > The notorious questionaire to the SEALS wasn't an official action. It was > one lieutenant doing an assignment for a night class. > > I never said that the federal government was good, or nice, or useful. > > Alan Horowitz > alanh at norfolk.infi.net > that's the bullshit they would like you to believe. in the first place, under military regs, a degree research would be illegal without full permission. It also was not given to just one unit, but to many ==and all identified ones were either SEALS or USMC recon and special units --why just the elite and why so many groups --all with a blessing...? you take your liberal idealism and see how long you have your freedom. you're probably one of those who would say "...I have the gold so I can buy the gun!" to which I would say, "...ah, but I have the gun, so I will have both your gold and my gun." no, I don't follow Bo Geitz, or belong to any of the militias, but I expect I am a bit more pragmatic than a liberal. __________________________________________________________________________ go not unto usenet for advice, for the inhabitants thereof will say: yes, and no, and maybe, and I don't know, and fuck-off. _________________________________________________________________ attila__ To be a ruler of men, you need at least 12 inches.... From a-kurtb at microsoft.com Wed Jan 17 02:17:36 1996 From: a-kurtb at microsoft.com (Kurt Buff (Volt Comp)) Date: Wed, 17 Jan 1996 18:17:36 +0800 Subject: Spiderspace Message-ID: I think Tim was referring to someone gleaning your private key, which would be a Disastrous Thing (tm). If that's not what he was referring to, I still think it's a possibility. 
Kurt ---------- From: Martin Diehl[SMTP:mdiehl at dttus.com] Sent: Tuesday, January 16, 1996 13:59 To: cypherpunks at toad.com Subject: Re: Spiderspace On 1/16/96 12:35 PM, tcmay at got.net (Timothy C. May) at Internet-USA wrote: > I've been thinking a lot about the problems and opportunities that are > coming up as more and more "spiders" (Web searchers, crawlers) are > indexing directories and files on systems they can find. [snip] > Sure enough, a search of "Cyberia-l" in Alta Vista showed all sorts of > hits, including what appeared to be several _private archives_ of parts > of the traffic. (By "private" I mean in the sense that they were > someone's personal archives, and not necessarily complete or even > semi-officially sanctioned.) [snip] > I've started to look for things like PGP files laying around buried in > subdirectories. I can imagine attacks based on this. [snip] > Fourth...left to your imagination. > --Tim May > We got computers, we're tapping phone lines, we know that that ain't > allowed. > ---------:---------:---------:---------:---------:---------:---------:---- > Timothy C. May | Crypto Anarchy: encryption, digital money, > tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero > W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, > Higher Power: 2^756839 - 1 | black markets, collapse of governments. > "National borders aren't even speed bumps on the information superhighway." I gather that it would be a Bad Thing (TM) to have someone get both the encrypted and clear text forms of your message (from either you or from the recipient) Maybe regularly changing your encryption keys is a Good Thing (TM) Martin G. Diehl From markm at voicenet.com Wed Jan 17 02:22:28 1996 From: markm at voicenet.com (Mark M.) Date: Wed, 17 Jan 1996 18:22:28 +0800 Subject: pgp broken? 
In-Reply-To: <9601162346.AA22192@toad.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Tue, 16 Jan 1996, greg pitz wrote: > In speaking with an associate, he mentioned in passing that PGP had > been broken a few weeks ago in San Diego by the DoD using a Cray. > All questioning about said subject was ended immediately as he felt > that he might have said too much how it was. Was PGP "broken"? > PGP has already been "broken" -- the 384-bit Blacknet key was factored. Just because the government may be able to factor a 512-bit key, it does not mean that they can break 2048, 1024, or even a 709-bit key. If this person was telling the truth, the government probably only broke a small key. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 PGP: Because sometimes, a _Captain Midnight_ decoder ring simply isn't enough. From EALLENSMITH at ocelot.Rutgers.EDU Wed Jan 17 02:39:44 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 17 Jan 1996 18:39:44 +0800 Subject: [NOISE] Re: Eggs at Customs (fwd) Message-ID: <01I037KU6I7OA0UHYW@mbcl.rutgers.edu> From: IN%"llurch at networking.stanford.edu" "Rich Graves" 16-JAN-1996 00:12:29.92 >Morality has nothing to do with it. It's the speed of the evolution. If you walk across the straits, the system has the time to react and restore a dynamic equilibrium. If you immediately release a new species with no natural predators, the system is shattered, and it might not survive. 
This is not to say that ecosystems and societies are static -- they evolve constantly, displaying unpredictable punctuated equilibrium (Steven J. Gould was right, Edmund Burke and Karl Marx were wrong). ------------- A few things from the biological point of view (and I _will_ try to bring in a bit of cypherpunks relevance). First, if the ecosystem were as unstable as the Greens in the 1960's and later kept predicting (Silent Spring and all that), it would have collapsed already. Look at how many species we've taken out already. Second, almost all ecosystems that are that vulnerable (to extinction of a keystone species or to import of something that starts eating) are small ones that don't really matter in the long run. For one thing, the more biodiversity _within_ an ecosystem exists, the more likely it is that something from outside (or something removed from within) will have a control (or a replacement). In other words, there are fewer and fewer true keystone species as the internal biodiversity of an ecosystem goes up. ------------- [...] >Cute cuddly seals and friendly dolphins and teddy bears get "sympathy" among mainstream "environmentalists," and the Sierra Club and World Wildlife Federation calendars raise a lot of money, but it's the plants and bugs and bacteria that are really important. Elephants and blue whales look big and important to us, but they're really inconsequential in the larger scheme of biodiversity. They could go extinct and the planet doesn't really care. But kill the blue-green algae and the trees, and we're all dead. ------------- The algae? Sure, they're important... they're also thoroughly likely to not be affected significantly. One, they've got so many things acting on them in the first place. Two, there is quite a bit of diversity within the algal group. What takes out one strain (I have always had my doubts about "species" with mitotically reproducing organisms) is unlikely to take out the rest... 
and they mutate quickly enough to give rise to more strains pretty rapidly when one "niche" is freed up. The trees, on the other hand, are in the classification of "nice to look at but not really necessary," like the elephants. They're a great carbon _sink_, but they don't really do that much CO2 recycling. And even if they were... we can replant trees very quickly. It's the rain forests and the old growth forests that are hard to replace as such. Cypherpunks relevance? Well, digital cash and encrypted messaging make it a lot easier to do the type of deals you're talking about... they also make it harder for people to place irrelevant prerequisites (like "not from rain forest land") on their purchases. So far, most of the anti-cypherpunks arguments have come from the conservative side. Be prepared for some from the liberal environmentalists (as well as the liberal socialists who want to keep lots of tax dollars flowing). -Allen From jhupp at novellnet.gensys.com Wed Jan 17 02:52:15 1996 From: jhupp at novellnet.gensys.com (Jeff Hupp) Date: Wed, 17 Jan 1996 18:52:15 +0800 Subject: new web security product Message-ID: <179FD40110D@Novellnet.Gensys.com> -----BEGIN PGP SIGNED MESSAGE----- On 16 Jan 96 at 14:48, Perry E. Metzger wrote: : : "Ed Carp, KHIJOL SysAdmin" writes: : > I wouldn't pass this along normally, but it seems to allow folks to use : > their credit cards at home securely. Bye-bye, First Virtual... ;) : > : > http://www.cnn.com/TECH/9601/encryption/index.html : : I don't think its going to fly. No one wants to pay for an unneeded : $100 piece of hardware to encrypt the same credit card over and over : again, when a nearly zero marginal cost piece of software can do the : same thing. : I am not even sure it IS an encryption device. They say "Potentially vulnerable personal account information is scrambled or encrypted on the magnetic stripe on the card. It is electronically transferred through the hardware. 
That eliminates the need to say or "key in" the account number or expiration date. " It may just be a low cost? mag stripe reader... -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- -- JHupp at gensys.com |For PGP Public Key: http://gensys.com |finger jhupp at gensys.com Certainly the game is rigged. Don't let that stop you; If you don't bet, you can't win. From nobody at REPLAY.COM Wed Jan 17 19:13:42 1996 From: nobody at REPLAY.COM (Anonymous) Date: Wed, 17 Jan 96 19:13:42 PST Subject: Ozzie on Notes Crater Message-ID: <199601180313.EAA00883@utopia.hacktic.nl> Ozzie Outlines New Feature At RSA Data Security Conference San Francisco, Jan. 17 -- Ray Ozzie, president of Iris Associates, the developer of Lotus Notes, informed an audience at the RSA Data Security Conference here today that Notes Release 4, which began shipping this month, utilizes a new method of security called "differential workfactor cryptography." This new method allows the International Edition of Notes to use an encryption key equal in strength to the 64-bit key in the North American Edition, without the use of "key escrow" technologies. Ozzie explained that in the International Edition of Lotus Notes Release 4, whenever an encrypted 64-bit bulk data key is generated by the product, it is bound to a "workfactor reduction field," giving the U.S. government exclusive access to 24 of the 64 bits. When using the North American Edition of Lotus Notes within the U.S. and Canada, however, full 64-bit encryption is employed without the "workfactor reduction field." 
The two editions of Notes are fully interoperable. "We are very pleased to have arrived at a pragmatic short-term solution that addresses our international customers' requests for greater security within Notes," Ozzie said. "However, we continue to argue vigorously that, due to clear and present threats to our global information systems, all interests would be well served by widespread use of strong, high-grade cryptography. Without substantial rethinking of U.S. cryptography policy, particularly as it pertains to export controls, our global and national economic security is at risk." From pgut01 at cs.auckland.ac.nz Wed Jan 17 19:15:22 1996 From: pgut01 at cs.auckland.ac.nz (pgut01 at cs.auckland.ac.nz) Date: Wed, 17 Jan 96 19:15:22 PST Subject: A WfW security curiosity (possibly another security hole) Message-ID: <199601180314.QAA19064@cs26.cs.auckland.ac.nz> When WfW is installed, it creates a file in the Windows directory called WFWSYS.CFG. This is a standard Windows password file and may be decrypted with the password "23skidoo" (note that this is lowercase, since it's passed to the .PWL-handling code at a level which bypasses the usual password case smashing. The mangled 32-bit form which is passed to the RC4 key setup routine is { 0x67, 0x6F, 0xE3, 0x81 }). WFWSYS.CFG seems to be mostly identical for the few copies I could get to, and WfW networking won't work without it. Decrypting the file doesn't seem to give anything useful, the string "SYSTEM" and what looks like a few 8 or 16-numbers. I don't know enough about how WfW networking works, but my (very vague) guess is that it contains some sort of cookie to uniquely ID each machine for resource sharing over a network. If it does then it's (yet another) pretty serious security hole, since it's encrypted with a fixed password and seems to be mostly identical over multiple machines. OTOH it may be something to do with serial numbers so you can't install the same copy of WfW on multiple machines on a LAN. 
Can anyone shed more light on it? Peter. From frissell at panix.com Wed Jan 17 03:25:34 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 17 Jan 1996 19:25:34 +0800 Subject: Alta Vista, Great Stuff! Message-ID: <2.2.32.19960117111232.0095a67c@panix.com> At 11:26 PM 1/16/96, Beethoven wrote: >Imagine your nym is related to something common-place at >the time of posting. Even though you may be well known >under that nym, simple searches for that name will turn up >loads of crapola, or at least some light entertainment >for someone searching for your past posts. My name is rare and matched mostly by lists of the highest points of elevation in each state (Mt. Frissell in Connecticut) and museum shows of the work of a distant cousin Toni Frissell who was a fashion photographer in NYC. Most of the rest is mine. If you have a common name/nym it would be harder to track (except by searching for email address rather than name). DCF "Now everyone knows that Mohammed and Lee are the most common names in the world. Maybe I should change my name to Mohammed Lee." From nobody at alpha.c2.org Wed Jan 17 03:33:48 1996 From: nobody at alpha.c2.org (Anonymous) Date: Wed, 17 Jan 1996 19:33:48 +0800 Subject: Novell & Microsoft Settle Largest BBS Piracy Case Ever In-Reply-To: Message-ID: <199601160904.BAA27439@infinity.c2.org> jlasser at rwd.goucher.edu (Jon Lasser) wrote: > End of goverments = decline (but not end) of software markets? It's already happening anyway. In a few years (if not today) Microsoft is going to be hard pressed to come up with excuses why someone should pay $90 for Doze-95 when they can get a Linux CDROM for less than $20 (or ftp it for free). With WINE and DOSEMU, that Linux system will run most of the same software too. Willows software recently released their own windoze emulator for Linux for practically nothing (there is a small fee for commercial use, free otherwise). 
Look at Netscape, giving away their browser for free and how Microsoft finally gave in and did the same because they couldn't sell theirs. Selling software is going to become practically impossible within a few years, and prosecuting piracy will become even more fruitless. Rather, more and more companies will give the software away for free, and sell their expertise. Sure, they will still package it nicely in a box to sell it to corporate types who are afraid of ftp, but what they're really selling is not the software but the tech support number. Anyone can get more software than they will ever use from the various ftp sites. Mr. Corporate Executive doesn't want to waste his time checking out the latest offerings on the net, but he will pay to have a reliable program delivered to him that can be installed easily, by a company that will be happy to answer his questions about it. Companies like Red Hat and Walnut Creek are doing brisk business selling cdroms full of software that you can get for free. You can search the net for interesting stuff for months on end, or you can get all the best stuff on one disk from them for twenty bucks. And look at Sun Microsystems - they're giving away all their software for free. But when someone wants a reliable network server, who are they going to call? Sun. Software doesn't sell, but expertise does, and giving away well-written software is an excellent way to demonstrate your expertise to a large audience. The concept of copyright is pretty much dead; the free market has invented new solutions. From rsalz at osf.org Wed Jan 17 05:17:50 1996 From: rsalz at osf.org (Rich Salz) Date: Wed, 17 Jan 1996 21:17:50 +0800 Subject: remarkable recent stories Message-ID: <9601170059.AA24758@sulphur.osf.org> >odiferous entrails, I'd be interested to hear what others think. Several times I have heard NSA staffers talk about securing our secrets vs. reading theirs. It seems that right now the first side is "winning." 
From jimbell at pacifier.com Wed Jan 17 05:17:55 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 17 Jan 1996 21:17:55 +0800 Subject: Spiderspace Message-ID: At 11:38 AM 1/16/96 -0800, Timothy C. May wrote: > >I've been thinking a lot about the problems and opportunities that are >coming up as more and more "spiders" (Web searchers, crawlers) are indexing >directories and files on systems they can find. > >For the sake of this post, the files and whatnot these spiders and >super-spiders can hit constitute a universe I'll call "spiderspace," as it >semi-euphoniously matches cyberspace and cypherspace. [stuff deleted] >Implications for Cypherpunks? > >First, an alert for you to be very careful about what you make accessible >to the outside world. It's no longer just a matter of people taking the >time to rummage through your subdirectories, it's now trivial to find >things with the new Web search engines. > >Second, what is out there in spiderspace is incredibly useful for building >dossiers, for compiling correlations, and for doing competitive analyses. > >Third, more and more kinds of files are going into spiderspace. This may >include files compiled by others, such as files containing Web accesses! >(All it takes is for someone to keep a record of site accesses, >subscriptions, etc., and then put record in a searchable place: it then >becomes trivial to search on a name and find out interesting things.) >--Tim May Consider this: In about 10-20 years, the people who have been using Internet about now will come into the age from which (statistically) American presidents are usually chosen. Look at what just one letter Clinton sent (draft-dodge, etc) did. Now imagine literally YEARS of messages online, archived on terabytes of optical tape, searchable... From ue at alpha.c2.org Wed Jan 17 06:11:43 1996 From: ue at alpha.c2.org (Unseen Entity) Date: Wed, 17 Jan 1996 22:11:43 +0800 Subject: PGP for CP/M? 
In-Reply-To: Message-ID: <199601160814.AAA23090@infinity.c2.org> jimbell at pacifier.com (jim bell) wrote: >Okay, everybody, you can stop laughing now. I don't really want a copy of >PGP for CP/M, but I was just a bit curious as to whether anybody had ever >ported it to CP/M. Nostalgia reasons, primarily. Dunno about CP/M, but I started a port to the Apple II. I never finished it, but I've got a nice MD5 written in 6502 assembly if you want it. :) From jcobb at ahcbsd1.ovnet.com Wed Jan 17 06:15:10 1996 From: jcobb at ahcbsd1.ovnet.com (James M. Cobb) Date: Wed, 17 Jan 1996 22:15:10 +0800 Subject: Crypto-related Pointers Message-ID: Friend, Below are pointers to crypto-related items in 01 16 94 Edupage: CREDIT CARD SOFTWARE FOR INTERNET SPY AGENCY WARNS OF CORPORATE SPIES To subscribe to Edupage: send a message to: listproc at educom.unc.edu and in the body of the message type: subscribe edupage Andrew Sullivan (assuming that your name is Andrew Sullivan; if it's not, substitute your own name). For archive copies of Edupage, ftp or gopher to educom.edu or see URL: http://www.educom.edu Cordially, Jim From stewarts at ix.netcom.com Wed Jan 17 06:15:44 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 17 Jan 1996 22:15:44 +0800 Subject: Spiderspace Message-ID: <199601170613.WAA08830@ix5.ix.netcom.com> >... I was under the impression that the only documents that most web crawlers >will search are documents that are link-accessible. Are you saying that this >isn't true? Are you saying that Alta-Vista will search EVERYTHING that's >publicly accessible, whether by anonymous FTP or web? Don't archie servers already pick up the anonymous ftp fairly well? Also, aside from no-robots conventions, you can build a cgi program for access to files that might be more effective at blocking searches while still preserving access. Also, it wouldn't be hard for a web-crawler to follow ftp links, as long as the root of an anon-ftp site is pointed to by a URL somewhere. 
#-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "Eternal vigilance is the price of liberty" used to mean us watching # the government, not the other way around.... From bdavis at thepoint.net Wed Jan 17 06:16:15 1996 From: bdavis at thepoint.net (Brian Davis) Date: Wed, 17 Jan 1996 22:16:15 +0800 Subject: Phil Z getting through customs In-Reply-To: Message-ID: On Mon, 15 Jan 1996, jim bell wrote: > At 11:21 AM 1/15/96 -0800, Simon Spero wrote: > > >When I was a student and had long hair, I used to always get questioned > >when going through customs. After graduating, and having normal length > >hair, I had a lot less trouble. > > This seems odd. Logically (okay, I know logic doesn't work with the > government) any smuggler is going to try to be as innocuous as possible. > He's cut his hair, and shave, and probably wear a tie, etc. Which means the > government should pay more attention to.... "Logically" works for "criminals" too. A drug dealer of any significance should never talk about business on the phone. Yet there are countless consensually monitored or tapped conversations in which someone says "we really shouldn't talk over the phone, but the shipment will be in Tuesday at 3:00. Have the $$$ ready." EBD From erc at dal1820.computek.net Wed Jan 17 06:16:41 1996 From: erc at dal1820.computek.net (Ed Carp, KHIJOL SysAdmin) Date: Wed, 17 Jan 1996 22:16:41 +0800 Subject: on being elitist... Message-ID: <199601171348.IAA16696@dal1820.computek.net> Tim May said in a recent missive, of which I've deleted (unfortunately) that "most of us on the list are elitist" because we don't believe that most people will make it, or some such (please correct or clarify, Tim?) 
I would say that an "elitist" is one who believes that the masses (or the great unwashed, depending on your point of view) are somehow "not deserving" of surviving or "not worth it", and I would say that that definition would *not* fit a great many people here. I think that most people here are *for* getting crypto out in the hands of *everyone* - good, easy-to-use, cheap, unbreakable (for all practical purposes, anyway) crypto, to use for everything, ranging from telnet sessions to email. True, there will be some who will *not* make it into the future, and those numbers vary (depending on whose vision of the future you subscribe to), but the point is, those who do survive aren't somehow *better* than those who do not - it may simply be that they are in the right place at the right time. Whether or not that place includes the Bay Area is a subject of debate. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes From stewarts at ix.netcom.com Wed Jan 17 06:16:49 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 17 Jan 1996 22:16:49 +0800 Subject: [NOISE] Re: [NOISE] Re: Eggs at Customs (fwd) Message-ID: <199601170613.WAA08844@ix5.ix.netcom.com> At 09:02 PM 1/15/96 -0800, you wrote: >Morality has nothing to do with it. It's the speed of the evolution. If >you walk across the straits, the system has the time to react and restore >a dynamic equilibrium. If you immediately release a new species with no >natural predators, the system is shattered, and it might not survive. 
>This is not to say that ecosystems and societies are static -- they evolve >constantly, displaying unpredictable punctuated equilibrium (Steven J. >Gould was right, Edmund Burke and Karl Marx were wrong). This appears to have happened in North America about 12000 years ago; a highly competitive omnivorous predator/scavenger species appeared, and either out-competed or killed off a number of other large predator species, as well as some of the large grazing species. Seen any dire-wolves looking through your windows lately? >Politically and morally, I'm a follower of the realist school (Morgenthau >et al). It is right for the US to dominate the world because it has the >most power. Please don't abuse words like "right" for that sort of thing; it's as tacky as abusing "one-time pad", and there are other words that will do perfectly well, such as "unsurprising".... #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "Eternal vigilance is the price of liberty" used to mean us watching # the government, not the other way around.... From bdavis at thepoint.net Wed Jan 17 06:17:41 1996 From: bdavis at thepoint.net (Brian Davis) Date: Wed, 17 Jan 1996 22:17:41 +0800 Subject: Respect for privacy != Re: exposure=deterence? In-Reply-To: <199601152213.RAA19247@universe.digex.net> Message-ID: On Mon, 15 Jan 1996, Scott Brickner wrote: > s1018954 at aix2.uottawa.ca writes: > >My apologies for responding to a political post. > > > >On Sat, 13 Jan 1996, Charlie Merritt wrote: > > > >> I feel that public exposure > >> is enough to put fear into these anonymous government employees. > >> You will note that when they get the mad_bomber > >> some FBI guy jumps right up and takes credit, live, on TV. > >> But when the Air Force orders a $300 toilet seat NO ONE is credited. > > > >It's interesting how we advocate anonymity for ourselves but not for our > >opponents. Feeling righteous? > > I agree with Charlie. 
These government employees claim to be working > for the american taxpayers, of which group I am a member. Government > agents must, therefore, expect to be accountable to the citizens, while ^^^^^^^^^^^ That all depends, of course, by what you mean by "accountable." And government employees are also taxpayers ... And what of those using government-funded scholarships/computers/universities/roads & bridges/etc. Perhaps all should be "accountable." Wouldn't want to waste bridge use! > accountability in the other direction is virtually the definition of > tyranny. > EBD From vin at shore.net Wed Jan 17 06:18:01 1996 From: vin at shore.net (Vin McLellan) Date: Wed, 17 Jan 1996 22:18:01 +0800 Subject: Prejudice on the Internet: freedom and a whiff of danger Message-ID: Replayed (w/out permission) from Netfuture #4, the 1/15 issue of a new and unusually thoughtful mailing list Digest from O'Reilly & Associates. Moderator and editor: Stephen L. Talbot. Check it out at: The signal/noise ratio is delightful, and there were several mini-essays that many here might enjoy and might wish to respond to. Recommended by one stimulated reader. _Vin -------------------------------------------------------------------------- Response to "The Internet As Terminator" (Netfuture-3) >From Mark Grundy Give us inkblots on a page, and we'll read into them creatures of our fantasy. In the shapes of clouds we see the images of our lives, our dreams, and our hopes and fears. We've always made myths out of our jumbled and incomplete experiences. We've done it with weather, we've learned to do it with newspapers and tv bites, and we're starting to do it with the internet. We judge our world before we experience it. Our judgement is creative. It fills in the gaps where our knowledge fails. It focuses our efforts, clarifying our visions, identifying our opportunities and threats. 
Prejudice -- to judge before experiencing -- is not limited to just one culture, and it's not a blight on humanity as a species. Every mammal has prejudice as part of its survival training. The trick to mastering our prejudice is not to purge it and cripple our efficacy, but to accept its value in the moment, and to rise to the need to change it as imagination yields to experience. The main difference between the internet and other social experiences is not its diversity or complexity, because we can find diversity and complexity in every community. What distinguishes the internet most from other social experiences is how well we can control the experience itself. We can walk down a crowded city street and see plenty to challenge us, but we cannot control the bandwidth of that street. We cannot choose to encounter people wearing only yellow shirts, or remove anyone from the street who wears a green shirt. Yet these facilities come free on the internet. Our right to censor our environment no longer wars with our desire for society and community. We can have our cake and eat it too. This heady power -- to give ourselves just the world we want to see, appeals very strongly to our self-determination. Ideally, it could help us make great leaps between who we think we are, and who we believe we could be. It can surround us with saints, and screen us from sinners. But it brings with it some whiff of danger. If all we see of the internet is the community we've created for ourselves, then will the internet make us more or less parochial in our views? Will our society become more or less divisive? Will we see more or less conflict in our community? Moreover, the internet is not just a passive world of data sops, as television has been. Through the internet, we can not only dream our lotus dreams, but also act on them remotely, screening ourselves from direct consequence by distance and anonymity, taking action while preserving our little myths. 
It's not just that we can engage in infantile flamefests with people we've never met, cackling over our own supposed cleverness, and ignorant of whatever harm we might have done their feelings. Sitting in our comfy chairs at home and armed with a mouse and credit card, we could contribute money and ideas to the liberation of political prisoners in Turkey, or to the bombing of a bank in London -- all without changing our current, perhaps quite sedentary, lifestyles. We can wreak change on the world without being changed by our acts ourselves. What I would like to ask this group is twofold: Firstly as we're forced by the growing volume of internet traffic to make balder value judgements on what we expose ourselves to, how do we keep from becoming social ostriches? How do we balance tolerance against efficiency and purpose? Secondly, how can we make ourselves accountable for the material consequences of our broadcasts? What support, infrastructure and personal code is necessary before our global internet citizenship becomes at least as responsible as our national citizenships? On a cheerier note, can anyone think of ways that internet citizenship is already more responsible than national citizenship? Dr Mark Grundy, | Phone: +61-6-249 0159 Education Co-ordinator, | Fax: +61-6-249 0747 CRC for Advanced Computational Systems,| Web: http://cs.anu.edu.au/~Mark.Grundy The Australian National University, | ACSys: 0200 Australia -------------------------------------------------------------------------- Vin McLellan +The Privacy Guild+ 53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548 <*><*><*><*><*><*><*><*><*> From tallpaul at pipeline.com Wed Jan 17 06:19:42 1996 From: tallpaul at pipeline.com (tallpaul) Date: Wed, 17 Jan 1996 22:19:42 +0800 Subject: [NOISE] Re: Better diversity through Perrymoose. 
Message-ID: <199601171348.IAA11579@pipe1.nyc.pipeline.com> On Jan 16, 1996 18:09:44, 'Ray Arachelian ' wrote: > >On Tue, 16 Jan 1996, David Lesher wrote: > >> Can't we just solve the problem by making it a moderated list; >> and make Perry the moderator? >> > >SHIT NO! NO NO NO NO NO! NO WAY IN HELL NO! :) Cypherpunks will NOT >be moderated. Filtered, spindled and stapled, but never moderated. > Why not two cypherpunk lists: AM & FM. AM = Attitude Moderated FM = Frequency Moderated -- tallpaul From tallpaul at pipeline.com Wed Jan 17 06:32:04 1996 From: tallpaul at pipeline.com (tallpaul) Date: Wed, 17 Jan 1996 22:32:04 +0800 Subject: remarkable recent stories Message-ID: <199601170248.VAA14859@pipe9.nyc.pipeline.com> On Jan 16, 1996 18:16:09, 'Jonathon Blake ' wrote: > Suppose the NSA was simply being used as a cutout > for its replacement, which is even more sub rosa? > Paranoid, but not, I think, paranoid enough to be true. -- tallpaul From jya at pipeline.com Wed Jan 17 06:32:47 1996 From: jya at pipeline.com (John Young) Date: Wed, 17 Jan 1996 22:32:47 +0800 Subject: A Modest Proposal: Fattening up the Proles Message-ID: <199601171354.IAA12112@pipe1.nyc.pipeline.com> TM's statement fits the scientist-become-statesperson predilection. It's adduced by the indolent superior-minded who relish policy pronouncements over grunge lab work. Why else would the fey conceit of worldly wisdom be flaunted if not in repugnance at sweaty labor? This presumes that nobody in right mind wants a job, but desires an esteemed position in society, a title and the perks of privilege, with underlings serving. Isn't it such delusionary evangelism that keep recruits coming to endure the small-minded mono-cultural insultery confabulated by these lazy and shiftless pastors, happy as pigs in shit, grateful that the heirarchical mindset scam works -- even if only through the nauseous flattering of their moreso lazy and shiftless benefactors? 
By any means, emulate elitist indolents and avoid anxiety. Display iron-fisted civilized beliefs, practice tough-love humiliation and master-over-slave manners and militant mind-couture, but do nothing truly disruptive of the status quo that so rewards niche market exploiters of genuine dissent. From perry at piermont.com Wed Jan 17 06:33:07 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 17 Jan 1996 22:33:07 +0800 Subject: pgp broken? In-Reply-To: <9601162346.AA22192@toad.com> Message-ID: <199601162359.SAA02856@jekyll.piermont.com> "greg pitz" writes: > In speaking with an associate, he mentioned in passing that PGP had > been broken a few weeks ago in San Diego by the DoD using a Cray. > All questioning about said subject was ended immediately as he felt > that he might have said too much how it was. Was PGP "broken"? How could you break "PGP" per se using lots of computer power? It's an encryption system, not a particular key. What would the Cray have been doing? Running an AI program trying to come up with new factoring algorithms? Now, I could believe that someone could break PGP -- perhaps by finding some weakness in the implementation of RSA, or the RNG, or maybe even a weakness in RSA itself. However, I have a great deal of trouble believing that PGP *itself* was broken "using a Cray". If it is going to be broken, it will be done using a few pounds of neurons fed by a blood supply (at least until real AIs are out there publishing math papers). > Could this be part of the reason the charges were dropped against > Phil as well? I doubt it. The statute of limitations was going to expire soon in any case. Perry From tjm at easynet.co.uk Wed Jan 17 06:42:44 1996 From: tjm at easynet.co.uk (Terence Joseph Mallon) Date: Wed, 17 Jan 1996 22:42:44 +0800 Subject: THE RECIPROCAL ?...... 
Message-ID: Dear Cypherpunks, Speaking to a colleague who works at Queen's University of Belfast about the speculation of someone recently breaking PGP her response was, although short, very interesting which I thought may be of interest to the group..... "When people talk of encryption they use the word break, they are approaching from one way but not the only way. I am at present trying the reciprocal, that is, to mend." I asked her to go into more detail but she declined saying that..... "The early experiments have worked." What this means I don't know and she never answered whom the work was for but maybe this is a route which one has not considered - if at all it exists......the reciprocal ?..... From gorkab at sanchez.com Wed Jan 17 07:11:33 1996 From: gorkab at sanchez.com (Brian Gorka) Date: Wed, 17 Jan 1996 23:11:33 +0800 Subject: MS story Message-ID: <01BAE4C0.F4B0EF40@loki> From: Rich Graves[SMTP:llurch at networking.stanford.edu] Sent: Tuesday, January 16, 1996 2:00 PM To: Simson L. Garfinkel Subject: Re: MS story Peter explained a bit about what he *could have* done when he provided the source code, and Frank Andrew Stevenson also had some ideas. The people below are working on an independent hack that will pop up stored passwords for Windows 95, again whether you have the 128-bit RC4 patch applied, and have turned off persistent password caching to disk, or not. 
Brian Gorka described the exploit they're working on (but have not finished, no) in a message to cypherpunks: A friend and I discovered this 'feature' accidentally. (now that I checked c2's Hack MSoft page I see someone else exploited it in WFW) Using heapwalker on WFW, we noticed the password cache was not encrypted. I wanted an official C2 I hacked Micro$oft Tee-Shirt and we wondered if this was still true after the Windows 95 password cache 'fix'. We fired up heapwalker and found nothing. It won't let you look in that area. BUT, After firing up SoftICE for Windows 95, we found the area in less than 5 minutes. It is in the C000 0000 memory area (the system area), and the password information is ALWAYS a constant offset from some text. (IFSMGR I think) Dumping it out is pretty easy, and as soon as we get some free time, the rest of the code will flow, we have something in the way of output, but it's not pretty. From lphq at access.digex.net Wed Jan 17 07:22:20 1996 From: lphq at access.digex.net (Libertarian Party Headquarters) Date: Wed, 17 Jan 1996 23:22:20 +0800 Subject: LP RELASE: Government must end attacks on electronic privacy Message-ID: ----------------------------------------- NEWS FROM THE LIBERTARIAN PARTY 2600 Virginia Avenue, NW, Suite 100 Washington DC 20037 ----------------------------------------- For release: January 16, 1996 For additional information: Bill Winter, Director of Communications (202) 333-0008 Internet:73163.3063 at CompuServe.com ----------------------------------------- Government must end attacks on electronic privacy, says Libertarian Party WASHINGTON, DC -- The Justice Department's decision not to prosecute Philip R. Zimmermann for violating encryption law is a victory for the First Amendment -- but unfortunately won't end the government's attack on electronic privacy, the Libertarian Party warned today. 
"The battle for free speech and privacy still rages on the electronic frontier," said Steve Dasbach, Chairman of America's third largest political party. "One hero -- Phil Zimmermann -- won a great personal victory. But government laws restricting cryptography still threaten the privacy and security of everyone on the Internet. As long as the government has the power to obstruct encryption use, the electronic privacy of all American citizens will be in danger," said Dasbach. After a three-year investigation, the Justice Department announced late last week that it would not prosecute Zimmermann, a software developer, for posting a cryptography program to the Internet in 1991. Zimmermann's program -- entitled Pretty Good Privacy (PGP) -- was an immediate hit, gaining worldwide popularity as "encryption for the masses." It was among the first programs to give ordinary computer users the power to protect sensitive communications. PGP and similar encryption software turns electronically transmitted information -- such as personal e-mail -- into undecipherable gibberish. Messages can then be securely sent across networks, using "keys" that are almost impossible to crack. Under current federal law, complex encryption software such as PGP is considered a "munition," and is restricted under the International Trafficking in Arms Regulations (ITAR). Exporting such software requires a license from the government. "Unfortunately, the government's decision to drop the Zimmermann case leaves unanswered the question of whether posting such materials to the Internet constitutes a violation of ITAR export regulations," said Dasbach. "And the laws that were used to harass Zimmermann were not changed. So, developers of cryptographic programs still run the risk of investigation, prosecution, and jail time. For Americans working to protect their electronic privacy, the threat remains." 
"The government justifies such restrictions by saying that law-enforcement agencies would be hindered in their efforts to stop terrorists, spies, drug-dealers, and pornographers without them," noted Dasbach. "These regulations do nothing of the sort, since strong encryption technology is freely available worldwide. All these laws do is put U.S. software companies at a competitive disadvantage, and chip away at the First Amendment's protection -- which apply even to 21st century communications. The Justice Department needs to remember that before they launch their next investigation." The Libertarian Party platform includes a forceful statement in support of electronic privacy: "We oppose all regulations of civilian research on encryption methods. We also oppose government classification of such research, or requirements that deciphering methods be disclosed to the government." # # # The Libertarian Party America's third largest political party 2600 Virginia Ave NW Suite 100 (202) 333-0008 LPHQ at digex.net Washington DC 20037 http://www.lp.org/lp/ ***Send email or call 1-800-682-1776 for free information package by mail*** From mab at research.att.com Wed Jan 17 07:25:30 1996 From: mab at research.att.com (Matt Blaze) Date: Wed, 17 Jan 1996 23:25:30 +0800 Subject: Microsoft's CAPI Message-ID: <199601171502.KAA16060@nsa.tempo.att.com> I attended a meeting at Microsoft the other day at which they described their Crypto API project. As CAPIs go, it's reasonable enough; nothing particularly exciting about it or especially wrong with it (though they don't yet support nonblocking calls to crypto modules). They've defined 23 cryptographic services (establish key, encrypt, etc.) that an application is expected to use for its cryptographic needs. The idea is to hide the crypto details (and keys) from applications, and to make it easy to switch from, say, wimpy export-approved crypto to good crypto just by switching to another DLL at load-time. 
The cryptography used depends on the crypto modules in use at runtime. The API will be part of the WIN32 interface. The next version of NT (and Windows 95, I think), to be released in a few months will support loading ``Cryptographic Service Providers'' (CSPs) that contain the crypto functions that sit below the API. They have (or will have soon) an application development kit to allow you to write code that uses the API, and a CSP development kit to let you write the crypto functions. The interesting part is that they say they've made a deal with the government to allow applications that use the API to be exportable as long as they don't also try to implement crypto on their own. Ordinarily, the government claims that ``crypto with a hole'' (applications that call a crypto API) are just as export-controlled as crypto functions themselves, so this is something of a surprise and would represent considerable forward progress. But, of course, there's a catch. The OS will not load just any old CSP. CSPs have to be signed by Microsoft. The kernel contains a (hardcoded?) 1024 RSA public key that it uses to check the signature when the user tries to load a CSP. If the signature check fails, the CSP won't load. Microsoft says it will sign any CSP from anyone AS LONG AS THEY CERTIFY THAT THEY WILL FOLLOW THE EXPORT RULES. So you can get your CSP signed if you use exportable cryptography or if you agree not to send it outside the US and Canada, etc. But an end user can't just compile crypto code and use it as a CSP, even for his or her own use, without getting it signed by Microsoft first (actually, the CSP development kit does allow this, but it uses a special version of the OS). I'm not sure whether this whole thing is good or bad. One important issue is whether MS will really sign anyone's CSP or whether they will start charging high fees or making business-based decisions on whose CSPs they will allow (will they sign Netscape's CSP, for example).
They say they won't even look or keep a copy of your CSP (at my suggestion, they are probably going to change the process so that you send them a hash of your CSP instead of your CSP code when you get the signature). For now they promise to sign CSPs for anyone who returns the export certificate, at no charge. We (Jack Lacy and I) will probably implement, get signed, and give away a CryptoLib-based CSP (not for export) for which we will also make source available so people examine the source to their crypto (most CSPs will, presumably, not include source). Despite all this, I think it will be easy to get around the CSP signature requirements and use homebrew, unsigned crypto even with pre-compiled .exe files from other sources. I suspect it will be easy to write a program, for example, that takes an executable program and converts CryptoAPI calls to calls that look like just another DLL. And I'm sure someone will write a program to patch the NT/Windows kernel to ignore the signature check. Needless to say, it would be nice if someone outside the US were to write and distribute programs to do this. It would also be nice if someone would write a Unix/Linux version of the API/CSP mechanism. It might make it possible to export applications for those platforms as well. I haven't tried any of this out yet, but they say they will have beta versions of the API and CSP developers kits out in a few weeks. They say that the API kit will not be export-controlled but the CSP kit will be. They plan to announce all this at the RSA conference this week. 
-matt From anon-remailer at utopia.hacktic.nl Wed Jan 17 07:38:09 1996 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Wed, 17 Jan 1996 23:38:09 +0800 Subject: Information Sent by Netscape during Queries In-Reply-To: <199601161954.UAA19735@utopia.hacktic.nl> Message-ID: <199601171520.QAA27492@utopia.hacktic.nl> anon-remailer at utopia.hacktic.nl (Anonymous) said: A> Just back up your Netscape executable, then load it into Emacs (or A> any editor which can handle arbitrary binary files), search for the A> "Referer:" string, and change it to an appropriate string of the same A> length. A> "MYOB: " sounds like an appropriate string to me... I prefer "FuckOff:". From Bill.Humphries at msn.fullfeed.com Wed Jan 17 07:54:11 1996 From: Bill.Humphries at msn.fullfeed.com (Bill Humphries) Date: Wed, 17 Jan 1996 23:54:11 +0800 Subject: Information Sent by Netscape during Queries Message-ID: Here's some questions I hope some of the Netscape staffers on the list can help with. 1) Can we delete/rename or otherwise disable the MagicCookie file and still use Navigator? 2) Are there headers besides the standard HTTP/1.0 fields sent with our http transactions? What are they? 3) Can we go completely stealth inside of Netscape without a proxy server? In a privacy seeking frame of mind, Bill Bill Humphries \/\/\/ bill.humphries at msn.fullfeed.com /\/\/\ Madison, WI, USA PGP Public Key Fingerprint = 84 05 17 9D B9 6E 2D FE A7 D1 E0 DC D0 96 63 FB From ecarp at tssun5.dsccc.com Wed Jan 17 08:02:44 1996 From: ecarp at tssun5.dsccc.com (Ed Carp @ TSSUN5) Date: Thu, 18 Jan 1996 00:02:44 +0800 Subject: Alta Vista searches WHAT?!? Message-ID: <9601171537.AA07968@tssun5.> ----- Begin Included Message ----- From: Subject: Re: Alta Vista searches WHAT?!? Date: Tue, 16 Jan 96 14:47:51 -0800 X-Mts: smtp Hum, one more time. Scooter, the robot behind Alta Vista, follows links, and only follows links. 
If the "directory browsing" option is enabled on a server, and someone publishes the URL for a directory, then the robot gets back a page of HTML which lists every file as a link, but that is not intentional. And yes, this has led to embarrassing situations, but again, it's not intentional. In the absence of strong conventions about directory names or file extensions it is hard for a robot to exclude anything a-priori. I wish it was easier... To keep a document private, list it in /robots.txt, password-protect it, change the protection on the file, or simpler: do not leave it in your Web hierarchy. Can you imagine what happens when someone uses / as web root, exposing for example the password file? It has happened! Remember that what a robot does, anyone with a browser can do: find this private file and then post to usenet for example, robots have no magic powers! The bottom line is that the usual danger is not aggressive robots, but clueless Web masters. --Louis ----- End Included Message ----- From pitz at onetouch.com Wed Jan 17 08:03:24 1996 From: pitz at onetouch.com (greg pitz) Date: Thu, 18 Jan 1996 00:03:24 +0800 Subject: pgp broken? Message-ID: <9601171542.AA13630@toad.com> On 16 Jan 96 at 19:16, Derek Atkins wrote: > Also, it could be that a small PGP key has been broken. A 384-bit > PGP key has already been broken by a factoring attack. That is > neither surprising nor alarming to say the least. Without more > information it really is impossible to analyze what happened. I focused my interrogation in this direction, because, as many of you have pointed out, it is VERY doubtful that PGP itself was "broken". To give further perspective, he kept claiming that a "triple DES with RS4 overlay" was the most secure method of encryption. >>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<< greg pitz pitz at onetouch.com >>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<< From tcmay at got.net Wed Jan 17 08:16:21 1996 From: tcmay at got.net (Timothy C.
May) Date: Thu, 18 Jan 1996 00:16:21 +0800 Subject: DC-Nets and Noise Message-ID: At 12:40 AM 1/17/96, s1018954 at aix2.uottawa.ca wrote: >(Speaking of sublists, whatever happenned to the DC-net list mentioned in >the cyphernomicon? Is this a figment of my imagination or was there any code >written that I might partake of? Btw, why call it a DC network when it is >really a ring? Maybe I haven't taken a good enough look at the protocol. >Dinner calls. :> ) Without consulting the Cyphernomicon, my memory is that there were two main proposals for a DC-Net (Dining Cryptographers Net) mailing list. The first was by Yanek Martinson, a Russian emigre, circa 1992. The second was by Jim McCoy, of Austin. Yanek I have not heard from in a few years. Jim McCoy has also not been active on our list in at least a year, maybe longer. I recently heard from Doug Barnes that Jim may be coming to the Bay Area, so things may change. Neither of these proposed mailing lists seemed to have gotten to a critical mass. There are many reasons why mailing lists and subgroups fade out. DC-Nets are a hard thing to pull off (anyone see any working versions lately?), about as hard to pull off as true digital cash; and with less economic benefit, less incentive to do the work. So, I can't say I am, or was, surprised that such mailing lists atrophied. An equally interesting question is why the Cypherpunks list has kept on growing in size, given the nontechnical digressions that some subscribers so object to. My view, shared by others I think, is that too technical a list will atrophy...only a handful of folks are usually competent to contribute, and so message volume drops to only a few messages a day, then a few per week, then it fades out altogether. The "noise" that some decry may help to keep lists vital. 
(In any case, even for those who disagree, modern filtering techniques make it trivial for the "gurus" to filter out all messages except by the several of themselves, so I've never understood the point about how the list must purge itself of "noise.") --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tjm at easynet.co.uk Wed Jan 17 08:17:38 1996 From: tjm at easynet.co.uk (Terence Joseph Mallon) Date: Thu, 18 Jan 1996 00:17:38 +0800 Subject: The object.... Message-ID: Dear Mr. McNally, A correction. I did not say the statement. I submitted it. You have constructed a context which was not in the original email. By posting just a segment to the list you no doubt have created what you wanted.....you remind me of a person that I know - a journalist..... The submission was because I felt that it would be of interest to someone, if you did not find it so, such is life........ Your comments at the bottom of the email.....well....good luck with your monoply, I hope you pass go soon...... Terence. "Its funny how those who fight against tyranny eventually become tyrants." Mr. McNally, I did write this. From blane at eskimo.com Wed Jan 17 08:39:17 1996 From: blane at eskimo.com (Brian C. 
Lane) Date: Thu, 18 Jan 1996 00:39:17 +0800 Subject: A weakness in PGP signatures, and a suggested solution Message-ID: <199601171613.IAA11904@mail.eskimo.com> -----BEGIN PGP SIGNED MESSAGE----- > > In article , Jeffrey Goldberg says: > > But then the recipient has a PGP-signed message from you which > isn't encrypted (using pgp -d). That person could then impersonate > you. Eg Alice the jilted lover could resend the goodbye message > with forged headers to Bob's new girlfriend to get back at him. Ah ha! Now I understand what this argument has been all about. This is not a flaw with PGP, but with the software doing the signing. It should/could add a line with a time and date stamp inside the signature envelope, or Bob could add more information, making the message more specific. I don't think PGP needs to be 'fixed', but the signing software does. Brian -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMP0gGHIWObr6ZnuNAQFqpQMAhEDxcClXzwqS5QLSYgbGC0SdPwOSppgG cbEcHEamA+C/fzlCRl1FoCkvA/SPHoZB29FNJSH8hnP6s5OZQfFf3LZXPL+/UFiL 64i7dlt6Ajtg58eDiMj/+qPsHd8hbAuV =jj8n -----END PGP SIGNATURE----- --- -------------------- --- Embedded System Programmer, EET Student, Interactive Fiction author (RSN!) ============== 11 99 3D DB 63 4D 0B 22 15 DC 5A 12 71 DE EE 36 ============ From warlord at MIT.EDU Wed Jan 17 08:52:05 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Thu, 18 Jan 1996 00:52:05 +0800 Subject: pgp broken? In-Reply-To: <9601162346.AA22192@toad.com> Message-ID: <199601170016.TAA25341@toxicwaste.media.mit.edu> Although there is always the possibility that PGP could be broken, it is highly unlikely that the program as a whole has been broken. I would think that it would be much easier to attempt to guess someone's passphrase than to brute-force the crypto in the program. Also, if it is the DoD that is purporting this supposed break, I doubt the public will ever hear about it. It would be interesting to know "how" PGP was supposedly broken. 
Was a cryptographic routine broken, or was it a user interface break? I.e., was a signature forged or a message decrypted? Or was an old message replayed as a new one? Also, it could be that a small PGP key has been broken. A 384-bit PGP key has already been broken by a factoring attack. That is neither surprising nor alarming to say the least. Without more information it really is impossible to analyze what happened. -derek From frissell at panix.com Wed Jan 17 08:58:51 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 18 Jan 1996 00:58:51 +0800 Subject: Spiderspace, Privacy & Control Message-ID: <2.2.32.19960116224108.006ae91c@panix.com> At 11:38 AM 1/16/96 -0800, Timothy C. May wrote: > >I've been thinking a lot about the problems and opportunities that are >coming up as more and more "spiders" (Web searchers, crawlers) are indexing >directories and files on systems they can find. > >Second, what is out there in spiderspace is incredibly useful for building >dossiers, for compiling correlations, and for doing competitive analyses. All of these capabilities might seem to increase the control opportunities of others but for the fact that our opportunities for independent interaction have increased much faster. All the modern control technologies have been blown out of the water because of the single significant fact that a network creates more connections than anyone else can block. And this is true whether that network is called a "market" or an "Internet." Liberty can be defined as an opportunity to complete "transactions." Control may be defined as the capability to block another from completing "transactions." The "lowest chained serf in the fields" has few opportunities to complete "transactions" or to make choices. Even if his legal status were different, the fact that he is bound to the soil by necessity if not law restrains his liberty. He can't go anywhere or do anything. 
If he is in a lightly populated place like the Northern Europe of old, his "world" contains about 100 people. If he is in a densely populated place like a Chinese river valley he still only has about 1000 people in his village to deal with. Nature constrains his choices so much that only a minor effort by "society" is required to completely restrain him. A modern market and a modern telecoms infrastructure is so vast and is made up of so many potential links that it takes a major and very expensive application of human force to even slightly restrain other people. Since each of us can buy from or sell to, talk to, form attachments with literally millions (and soon billions) of other people (and companies and software robots, etc) the opportunities for others to control us are limited. Very expensive prisons, criminal justice systems, credit bureaus, and employment records systems are inadequate to keep us from doing much of what we want. Which is why an allegedly "controlled" world seems a lot less controlled than the world of the past. Among all of the potential "transactions" that we can choose to complete (T) are a subset of transactions (t) that give us outcomes closer to what we actually want. In the past, the best representation of this transaction space was T=t=1. The total transactions were very limited (subsistence farming in the place and among the people of our birth). We were stuck. Today we are approaching a situation in which for all practical purposes T=~ and t=~ and the all of the possibilities make the match between what we want and what we can get very close. So if one government or one employer or one friend is not "right" for us, there are millions more where that came from. We aren't there yet but we are getting there. No matter how peculiar your exact nature, there are so many markets and people out there that very few people on earth will be unable to find a niche. 
If your needs are esoteric, you may have to shop around a bit but all these great search tools sure make that easier. Thus if I write something that upsets a government or an employer, there are other governments and other employers (including myself in both cases). In fact, I am likely to find some "small, deeply disturbed following" that actually likes what I have to say. There are an awful lot of people out there. It's like the Bill Mauldin cartoon featuring a skinny, ugly, GI with a funny big curl on his head driving through an Italian hill town full of ugly, skinny people with giant curls on their heads -- "Gee, my Daddy told me I'd find a place like this." That village is already part of Market Earth (tm) and is (or soon will be on the Net). With the millions of choices each of us has, restricting those choices quickly becomes impossible outside of prison and prisons become ever harder to maintain because of cost and countermeasures. (The Soviet Union, for example). DCF "An ISP that restricts access isn't an *Internet* Service Provider but rather a proprietary online service." From shamrock at netcom.com Wed Jan 17 09:00:18 1996 From: shamrock at netcom.com (Lucky Green) Date: Thu, 18 Jan 1996 01:00:18 +0800 Subject: DC-Nets and Noise Message-ID: At 1:38 1/17/96, Timothy C. May wrote: >There are many reasons why mailing lists and subgroups fade out. DC-Nets >are a hard thing to pull off (anyone see any working versions lately?), >about as hard to pull off as true digital cash; and with less economic >benefit, less incentive to do the work. So, I can't say I am, or was, >surprised that such mailing lists atrophied. David Chaum told me last year that someone has created a DC net that works over AppleTalk. Supposedly, it was mentioned at Eurocrypt. Any pointers? TIA, -- Lucky Green PGP encrypted mail preferred. From perry at piermont.com Wed Jan 17 09:01:13 1996 From: perry at piermont.com (Perry E. 
Metzger) Date: Thu, 18 Jan 1996 01:01:13 +0800 Subject: Cybercrime & Privacy Issues AOL FBI discussion In-Reply-To: <2.2.32.19960116080509.009d98fc@mail.teleport.com> Message-ID: <199601162133.QAA02541@jekyll.piermont.com> > >On Wednesday evening, January 24, 1996 at 9pm EST in the Globe Auditorium > >of America Online (AOL), Mobile Office Productions will be hosting a candid > >interactive discussion with the FBI's Jim Kallstrom, who is working to > >shape procedures regarding computer privacy issues and cybercrime. Ah, yes, Jim "I'll say anything to get the FBI its way" Kallstrom. I remember when he spoke at length about snuff films in public without flinching during the Clipper debate at the NY Bar Association. I suspect, of course, that no one will have a chance to call him on his lies in the line of duty. Too bad. Perry From wilcoxb at nagina.cs.colorado.edu Wed Jan 17 09:37:19 1996 From: wilcoxb at nagina.cs.colorado.edu (Bryce) Date: Thu, 18 Jan 1996 01:37:19 +0800 Subject: mailbombing and anonymity -- inseparable In-Reply-To: Message-ID: <199601152251.PAA07589@nagina.cs.colorado.edu> -----BEGIN PGP SIGNED MESSAGE----- I wrote: > > In fact, it is *in general* impossible to have both > anonymity and prevention/control of mail-bombing. Of course > digital postage will help the problem somewhat by making the > bombers pay for it, and smarter filters on the recipient's end > will help, but in general it is a problem we are going to have > to live with if we want anonymity. An entity calling itself Joe Block allegedly wrote: > > Impossible is an awfully strong word. Indeed. And I would be delighted (sort of) if someone could show me how my assertion above is incorrect. > If I was going to implement free digital stamps, I'd have a autoreply > daemon (stamps at remailer.com) that when sent a mail, would respond with X > number of valid stamps. 
Look I don't actually understand how remailers are currently implemented, but for the purpose of this discussion it doesn't matter. Any sequence of steps that a legitimate correspondent can use to send a letter a mailbomber can use to send an e-mailbomb. Now you can make the sequence of steps more complex in the hope of weeding out the less technically competent mailbombers, but this is a weak solution which will also make remailnet even more inaccessible to the barely technically competent people who make up the vast majority of e-mail users. Look at it this way. How can one ensure that one receives only the kind of e-mail that one likes? I can think of only 3 ways: 1. Discriminate based on content. (killfiles, etc.) 2. Discriminate based on authorship. (PGP sigs, reputations, etc.) 3. Retaliate against those who send you mail that you didn't want. (mail-bombing, reputation-trashing, social or legal penalties, violence, assassination, etc.) Now unconditional anonymity (or even "Pretty Good" anonymity a la cpunks remailers) does away with option #3, right? (I take a moment to note that this is precisely *why* we advocate anonymity in the first place...) So that leaves us with option #1 and option #2. It is impossible for current computers to reliably identify for us whether a given e-mail message is junk mail or not. (I take a moment to note that when it becomes possible for computers to do so we will probably have bigger things to worry about...) *But* there is a lot that can be done with regard to discrimination based on content. First there's the obvious stuff-- killfiling topics and keywords (like "NSA" and "ITAR" on cpunks...) and splitting messages into different folders based on which list they are from-- and then what about this idea: someday people will include a few micro-dollars in their messages to encourage you to read them. Now that would be interesting.
Now the schemes that I have seen aired here about how to prevent these kinds of distributed e-mailbombs generally focussed on a rough version of option #1-- just discriminate against multiple copies of the same content. That's fine (although some of my friends who are always sending me the same jokes might get left out in the cold...) but you have to realize that it is a weak fix that can be easily overcome by a technically sophisticated attacker. Also I think all such things should be done on the user's end. I would thank *my* anonymous remailers to let me and my computer decide what mail to trash. Of course as always people should pay as they go to send mail. Thus no direct financial harm is done to the recipient (or even a pecuniary bonus! See above) and the remailers could probably make a profit off of mailbombers. I'll leave option #2 alone. No fresh ideas today. Okay I've wandered, but to restate my main point mailbombing and anonymity are *in general* inseparable. Just as harassment, intimidation, blackmail, libel, copyright violations and other "information crimes" will be encouraged by anonymity. Get used to it, or else stop advocating anonymity. Regards, Bryce PGP sig and clear-text timestamp follow Mon Jan 15 15:46:21 MST 1996 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01 iQCVAwUBMPraYfWZSllhfG25AQGcZwP+L7DwXIksx1cNkqpUDxqlRcfsTw7bmRih sB5Ib1QQOoP53R9XinFHWdvvrfWx/M5sIlnZ2CweOnGyL8MgpYA+5FBjfrDvkGm9 B1EOzHMsfc0rQBOzERFvque/Kg+ojkIsoCXcvu3K9XUPpBv4iGs7E/oBSkKYX0pC 1cg35pR7SaQ= =m85b -----END PGP SIGNATURE----- From hallam at w3.org Wed Jan 17 09:41:29 1996 From: hallam at w3.org (hallam at w3.org) Date: Thu, 18 Jan 1996 01:41:29 +0800 Subject: Crypto anarchist getting through customs In-Reply-To: Message-ID: <9601171713.AA28904@zorch.w3.org> Looney tune #4535 writes > that's the bullshit they would like you to believe. 
> > in the first place, under military regs, a degree research would > be illegal without full permission. It also was not given to just one > unit, but to many ==and all identified ones were either SEALS or > USMC recon and special units --why just the elite and why so many > groups --all with a blessing...? Could you please remove yourself from cypherpunks to a place where conspiracy theories are wanted. This list is for discussion of cryptography and the only conspiracy theories we are interested in involve the NSA, MI5 or the Stay-Puffed Marshmallow Man. There is plenty of material to fuel whatever conspiracy theories you like. Please consult Noam Chomsky for details. Just please take the gun.nut conversation somewhere else. After all, it's in your own best interests, it doesn't take much to realise that the government is monitoring cypherpunks very carefully and that when they come round collecting the guns in October they will know where to look first. So if the most important thing in your life is lethal weaponry best not take any risks eh? Phill From holovacs at styx.ios.com Wed Jan 17 09:45:52 1996 From: holovacs at styx.ios.com (Jay Holovacs) Date: Thu, 18 Jan 1996 01:45:52 +0800 Subject: Crypto on private files Message-ID: In a brief NPR report on the Leary case (he is alleged to have firebombed the NYC subway) there is a decision due on whether prosecutors can force him to give up passwords for his personal computer files (he was a computer professional). His attorney is claiming 5th amendment privilege. According to the newscaster, the NY state court decision should be a first in this type of case. Prosecutors argue it is no different from being forced to turn over a diary. The report does not say what type of protection was used. Jay Holovacs PGP Key fingerprint = AC 29 C8 7A E4 2D 07 27 AE CA 99 4A F6 59 87 90 From perry at piermont.com Wed Jan 17 09:57:26 1996 From: perry at piermont.com (Perry E.
Metzger) Date: Thu, 18 Jan 1996 01:57:26 +0800 Subject: Crypto on private files In-Reply-To: Message-ID: <199601171727.MAA04956@jekyll.piermont.com> Jay Holovacs writes: > According to the newscaster, the NY state court decision should be a > first in this type of case. Prosecutors argue it is no different from > being forced to turn over a diary. This is probably a good reason that it would be important for EFF or similar right thinking attorneys to become involved in the case. Perry From scox at factset.com Wed Jan 17 10:06:44 1996 From: scox at factset.com (Sean Cox) Date: Thu, 18 Jan 1996 02:06:44 +0800 Subject: Microsoft's CAPI In-Reply-To: <199601171502.KAA16060@nsa.tempo.att.com> Message-ID: <9601171731.AA03797@sundog.factset.com.factset.com> According to Matt Blaze: [[ Prelude about MS Cryptography API deleted ]] >Despite all this, I think it will be easy to get around the CSP >signature requirements and use homebrew, unsigned crypto even with >pre-compiled .exe files from other sources. I suspect it will be easy >to write a program, for example, that takes an executable program >and converts CryptoAPI calls to calls that look like just another DLL. >And I'm sure someone will write a program to patch the NT/Windows >kernel to ignore the signature check. Needless to say, it would be >nice if someone outside the US were to write and distribute programs >to do this. It would also be nice if someone would write a Unix/Linux >version of the API/CSP mechanism. It might make it possible to export >applications for those platforms as well. Did MS mention how the crypto DLL's would be "protected" from surreptitious tampering? What I'm wondering is if it will be possible to "drop in" a new (signed) crypto.dll (that just happens to forward cleartext to the DLL author, or perhaps uses intentionally deficient (or just fixed) keys) when installing, for example, the latest game craze distributed on the Internet? 
It would seem to be fairly sketchy (and dangerous) to allow drop-in crypto engines if those can be replaced with *ANY* other crypto engine at any time (note for the paranoid: Imagine "NSA the Game" for Windows(TM) with the new "Send the Feds a copy" encryption DLL--that last part in fine print of course :) I am hoping that they do have some form of protection against this that hasn't been mentioned yet, but this kind of jumps out at me when I think of drop-in DLLs (anyone ever see how well the WINSOCK.DLL scheme works? God Forbid that an encryption scheme be subject to the same problems!) --Sean #include From s1018954 at aix2.uottawa.ca Wed Jan 17 10:16:42 1996 From: s1018954 at aix2.uottawa.ca (s1018954 at aix2.uottawa.ca) Date: Thu, 18 Jan 1996 02:16:42 +0800 Subject: SHA-2 In-Reply-To: <199601170238.VAA25799@UNiX.asb.com> Message-ID: On Wed, 17 Jan 1996, Mutatis Mutantdis wrote: > It is a random-noise device driver for DOS, which samples fast > timings between keystrokes, disk access, clock-drift, and even mouse > movement or audio card and hashes with SHA-2 algorithm to generate > some good-quality randomness. Schneier mentioned last year in one of his conference reports that SHA was being revised, yet I couldn't find it in Applied Crypto 2 (I admit that I don't yet own the new one, and I haven't taken a good enough look while browsing it in the bookstores), anyone have any pointers to the new spec? Please correct me if I am wrong. TIA From jeffb at sware.com Wed Jan 17 10:17:24 1996 From: jeffb at sware.com (Jeff Barber) Date: Thu, 18 Jan 1996 02:17:24 +0800 Subject: Crypto anarchist getting through customs In-Reply-To: <9601171713.AA28904@zorch.w3.org> Message-ID: <199601171817.NAA08086@jafar.sware.com> hallam at w3.org writes: > > that's the bullshit they would like you to believe. > Could you please remove yourself from cypherpunks to a place where conspiracy > theories are wanted. > Just please take the gun.nut conversation somewhere else. Yes.
Only left-wing, anti-libertarian rants are permitted under the new list rules. Contact Phill directly for a permit. From hallam at w3.org Wed Jan 17 10:17:55 1996 From: hallam at w3.org (hallam at w3.org) Date: Thu, 18 Jan 1996 02:17:55 +0800 Subject: Crypto anarchist getting through customs In-Reply-To: <199601171817.NAA08086@jafar.sware.com> Message-ID: <9601171748.AA29071@zorch.w3.org> >Yes. Only left-wing, anti-libertarian rants are permitted under the >new list rules. Contact Phill directly for a permit. Your permit is enclosed in the header of this message. Glad to be of service. Phill From perry at piermont.com Wed Jan 17 10:32:39 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 18 Jan 1996 02:32:39 +0800 Subject: Crypto anarchist getting through customs In-Reply-To: <199601171817.NAA08086@jafar.sware.com> Message-ID: <199601171758.MAA05027@jekyll.piermont.com> Jeff Barber writes: > > Just please take the gun.nut conversation somewhere else. > > Yes. Only left-wing, anti-libertarian rants are permitted under the > new list rules. Contact Phill directly for a permit. I'm as libertarian as they come, but really, random non-crypto talk that has a home elsewhere doesn't belong here on cypherpunks. From foodie at netcom.com Wed Jan 17 10:45:02 1996 From: foodie at netcom.com (foodie at netcom.com) Date: Thu, 18 Jan 1996 02:45:02 +0800 Subject: Netscape & the NSA Message-ID: Folks interested might want to check out http://gnn-e2a.gnn.com/gnn/wr/96/01/12/features/nsa/index.html Not much new to those who follow it. -j From tn0s+ at andrew.cmu.edu Wed Jan 17 11:00:37 1996 From: tn0s+ at andrew.cmu.edu (Timothy L. Nali) Date: Thu, 18 Jan 1996 03:00:37 +0800 Subject: Random Number Generators Message-ID: <0kzHl6200bky0_dkQ0@andrew.cmu.edu> Hi all For a class project, I will be designing a VLSI cmos chip to generate truly random numbers (The chip will be fabricated). 
I'm limited to a 2-micron standard cmos technology (no fancy BiCMOS, MISC, or anything else). The most promising design I've seen so far (that I can actually do) is based on clocking a D flip-flop in the following way:

                          -----
        8Khz clock ------|     |----- Random output
                         |     |
                         |     |
 (sloppy) slow clock ----|>    |
                         |     |
                          -----

The slow clock has enough random variation in its period for the Dff to generate random numbers. The random bits will, of course, have biases that will need to be corrected with things like Xor gates.

Can anyone give me pointers or references to other types of true random number generators and to ways of correcting the biases and other problems in the resulting random bitstream?

I'd also appreciate a pointer to an intro text (if such a thing exists) on what makes random numbers good random numbers. (and before you say it, yes I have Applied Cryptography. It's a great book.)

One thing I'm concerned about is making sure the random bitstream is uniformly random. What effects, if any, will things like thermal noise, power consumption (what if there is a sudden rise in power consumption in another part of the circuit), etc. have on the randomness of the bitstream?

I'd also appreciate any other suggestions or advice you have on RNGs. Thanks in advance.

From llurch at networking.stanford.edu Wed Jan 17 11:16:14 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Thu, 18 Jan 1996 03:16:14 +0800
Subject: Non-bogus reporter seeks sources for story on MS Windows networking/security problems
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

Free-lance writer and co-author of "Practical UNIX Security" seeks substantive reliable sources, preferably for attribution, on the history of the SMB, C$, and .PWL encryption bugs in both Windows 95 and Windows for Workgroups, but especially on what problems will remain after next week's "Service Pack 1."
He might drop the story because of a dearth of sources and promises from Microsoft that everything has already been fixed, and will be distributed to the Netless masses via the SP 1 CD (the contents of which are not public knowledge, but which surely went to manufacturing some time ago...).

I don't want to spam his mailbox, but his PGP key is 0x903C9265, with fingerprint 68 06 7B 9A 8C E6 58 3D 6E D8 0E 90 01 C5 DE 01. You might also run into him in person at this week's RSA Data conference in San Francisco.

Please reply directly to the reporter with a subject line starting with "MS*" (assuming that's not too maudlin for you) because he gets a lot of mail. He isn't seeking any more mail on unrelated subjects. Stuff funnelled through me, especially from anonymous sources, is properly not considered reliable (though I might appreciate a Cc).

Bcc'd to the reporter.

- -rich

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMP1D1o3DXUbM57SdAQER4wQAnmmESUU8WW4awrHiBTzSVn8j1cN1gUI/
xxfRHVZ5AQGmQPMRNgr9tJaeN4c+5LsR7CzVxhTlGNTnU5B5cg6w3LvOgXpfhhVW
MdNvxB/b8XJBs3XybuTtTnxYC+Qv8Hm1PPt63ULaurFW9c2BPhJk7ZcHo1Ju3X72
e/9VZtmSIBo=
=WslA
-----END PGP SIGNATURE-----

From declan+ at CMU.EDU Wed Jan 17 11:19:27 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Thu, 18 Jan 1996 03:19:27 +0800
Subject: WP: Encryption rules hurt exporters
Message-ID: <4kzA0im00YUv8xUlh3@andrew.cmu.edu>

The Washington Post
January 17, 1996

Study: Encryption Rules Hurt Exporters

By Elizabeth Corcoran
Washington Post Staff Writer

U.S. export restrictions on technology for encrypting information are slowing American companies' success in some foreign countries and retarding the growth of an international market for such technology, according to a new report released by the U.S. Commerce Department.

The study is likely to become the latest ammunition in the struggle between the administration and many U.S.
high-tech companies and civil liberties advocates over how tightly the United States should control the export of sophisticated data scrambling, or encryption, technology. Both sides are likely to try to use the report to their advantage. U.S. businesses contend that they are losing market share to foreign competitors because they are not allowed to include the most sophisticated encryption technology in their software products. "The day we show lost market share [in the overall market for software] is the day that we start losing the whole ballgame," said Rebecca Gould, director of policy for the Business Software Alliance. The report, which was commissioned in late 1994 by the national security adviser and carried out by the Commerce Department's Bureau of Export Administration and the National Security Agency, aimed to assess the impact of encryption export controls. It assigns no dollar values to any sales lost by U.S. companies, but notes that there are many foreign-made encryption products available overseas. On the other hand, some of those products do not work well, the report says. Still, it cites evidence that U.S firms are not making significant progress in the business of selling encryption technology. In three countries -- Switzerland, Denmark and the United Kingdom -- market share for U.S. encryption products declined during 1994, the report said. Sources in 14 countries said that export controls "limit" U.S. market share, while those in another seven countries said such controls have "either no impact or no major impact." Although the report maintains that sources in "most" countries indicated that U.S. market share is "keeping pace" with overall demand, in many of the countries surveyed, "exportable U.S. encryption products are perceived to be of unsatisfactory quality." 
Today, a Washington-based policy group supported by a dozen major computer companies plans to release its own commentary on export encryptions, calling for the government to lift its export restrictions. From perry at piermont.com Wed Jan 17 11:19:50 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 18 Jan 1996 03:19:50 +0800 Subject: Random Number Generators In-Reply-To: <0kzHl6200bky0_dkQ0@andrew.cmu.edu> Message-ID: <199601171900.OAA05127@jekyll.piermont.com> "Timothy L. Nali" writes: > For a class project, I will be designing a VLSI cmos chip to generate > truly random numbers (The chip will be fabricated). I'm limited to a > 2-micron standard cmos technology > The most promising design I've seen so far (that I can actually > do) is based on clocking a D flip-flop in the following way: I'd say that the design you have picked has a couple of problems with it. The first is that you are, from what I can tell, building a synchronizer, which means that you may have metastability problems. (Your diagram wasn't completely clear so I can't tell). Also, you are depending on a sloppy clock and a not sloppy clock actually having the stated properties, which means you aren't really generating randomness so much as hoping you can detect and exploit it. As it is very hard to determine if a stream is really random, this makes your life difficult. Far better to try to use some analog tricks in the circuit itself to generate the random numbers for you. Of course, some of these end up producing metastability problems of their own... Can anyone point this guy at good texts on all of this? I've never found one... Perry From pmonta at qualcomm.com Wed Jan 17 11:31:54 1996 From: pmonta at qualcomm.com (Peter Monta) Date: Thu, 18 Jan 1996 03:31:54 +0800 Subject: Random Number Generators In-Reply-To: <0kzHl6200bky0_dkQ0@andrew.cmu.edu> Message-ID: <199601171909.LAA05247@mage.qualcomm.com> Timothy Nali writes: > [ CMOS RNG chip ] > ... 
The most promising design I've seen so far (that I can actually
> do) is based on clocking a D flip-flop in the following way:
> ...
> The slow clock has enough random variation in its period for the Dff
> to generate random numbers.

While a scheme like this will work, one of the needs in a design like this is convincing yourself of how much entropy is available from the noisy clock and where it comes from. It's nontrivial to evaluate the phase noise of a CMOS relaxation oscillator, for example. Also, at what rate do you want random bits?

> Can anyone give me pointers or references to other types of true random
> number generators and to ways of correcting the biases and other
> problems in the resulting random bitstream?

The references in Applied Cryptography are pretty useful; the only other ones I know of are a tech report by Gifford at MIT/LCS and a thesis by Sridhar Vembu (who also works here at Qualcomm) on optimal extraction of entropy from biased sources.

> One thing I'm concerned about is making sure the random bitstream is
> uniformly random. What effects, if any, will things like thermal noise,
> power consumption (what if there is a sudden rise in power consumption
> in another part of the circuit), etc. have on the randomness of the
> bitstream?

I'd say thermal noise is your friend; the other systematics, as you say, are a slight issue, but their effect on the entropy is very small and they'll be taken out by the postprocessing (hash function, etc.).

> I'd also appreciate any other suggestions or advice you have on RNGs.

I plan to make a simple board-level RNG design available to the net Real Soon Now. I'd be interested to see your CMOS design when it's finished. (By the way, try searching the cypherpunks and sci.crypt archives on the subject. There's lots of good discussion.)
Cheers, Peter Monta pmonta at qualcomm.com Qualcomm, Inc./Globalstar From alano at teleport.com Thu Jan 18 03:45:14 1996 From: alano at teleport.com (Alan Olsen) Date: Thu, 18 Jan 96 03:45:14 PST Subject: Win95 Registration Wizard info Message-ID: <2.2.32.19960118114705.008ccef8@mail.teleport.com> I picked this link up from the Fringewear list. It has some interesting information for quelling rumors and starting new ones. ftp://ftp.ora.com/pub/examples/windows/win95.update/regwiz.html The author takes the registration Wizard in Win95 apart and shows exactly what it does and what it looks for. Some interesting information about the encrypted database of product information it uses. It has a complete list of all of the products that the registration looks for. (PGP is not one of them.) Some interesting facts about what it does look for however... Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "Is the operating system half NT or half full?" From JR at ROCK.CNB.UAM.ES Thu Jan 18 03:45:16 1996 From: JR at ROCK.CNB.UAM.ES (JR at ROCK.CNB.UAM.ES) Date: Thu, 18 Jan 96 03:45:16 PST Subject: Random Number Generators Message-ID: <960118135615.204012d1@ROCK.CNB.UAM.ES> From: SMTP%"tcmay at got.net" 18-JAN-1996 06:33:11.77 >At 11:40 PM 1/17/96, Kurt Buff (Volt Comp) wrote: >>If you're going to work with hardware to get really random numbers, why not >>go to the back of any of several PC-type magazines, and order the radiation >>detector board that someone is hawking? Can't really do any better than >>that, can you? Counting cosmic ray hits and noting their time differentials > ^^^^^^^^^^^^^^^ >>should be just what the doctor ordered, right? > >Almost all of the counts in simple radiation detectors are from earthly >sources, not from cosmic rays. For Geiger tube counters (not very common >these days), the main counts are for gamma rays and for beta particles (if > ... 
stuff deleted ...

The main problem I see on these sources is not their randomness, which, in some instances may be not so good as one would expect, but their susceptibility to tampering.

First, randomness: for radioactivity counters, decay is a log function of time. This could be used to reduce keyspace search. Second, radioactivity can be quenched. If you are measuring background levels, then you are exposed to external influences too: to be extreme, one can expect your counter to go mad after an atomic explosion in the neighborhood. This reduces randomness and keyspace.

Second, tampering: the atomic bomb explosion is a good example: it is possible to produce an external source of radioactivity and influence your detector. Unless you measure alpha particles from a radioactive source of yours... And even then, you'll have to buy your source... From whom? Just imagine a spy porting a radiating gun and pointing it to your detector.

Also, the technology used is normally electromagnetical. One could think of a method to storm a detector with a em field... thus reducing randomness.

The point is: since you don't notice these fields or radiations, you are prone to fall in the trap: one gets used to rely on the technology 'cos it always works, and when the day comes since you don't notice anything unusual you don't suspect anything wrong. Your detector may be overloaded and only outputs zeros for a while and you won't notice anything wrong.

>RNGs based on thermal noise and natural radioactivity have been discussed
>on our list at least a dozen times (multiple posts each time), so I suggest
>further research be done there.
>
>--Tim May

This sounds to me more like the way to go: you need to rely on something of which you have full control. Either a RNG function or something that can not be tampered without you noticing. It would be very difficult to produce big changes in temperature without you noticing...
Though still you are left with electromagnetic interferences on the detector.

My view is that what is needed is something that a) you can fully control or b) nobody can control/interfere/mimic in any way.

In this sense, my point of view is: anything that can be influenced from the outside is not reliable. This means you need something that's totally inside and controllable. It should be fairly random, and not able to be influenced from the outside. And possibly originate its own electrical current which is not dependable on external influences of any type. Specially electrical/radiation influences. It should be easy to monitor and difficult to tamper with temporarily (so that tampering could pass unnoticed).

The only thing I can think of is a biological source converting chemical products into random electrical data. Biological sources are very difficult to influence rapidly (other than by death which is irreversible), they can't be switched on/off, their range of values is always bounded to physiological limits (i.e. the only way to "overload" them is by killing them or some other drastical and evident measure), have normally a strong resilience to external influences, and as long as you can keep an eye on them, you can remain sure they are alive and not horribly sick. And finally, if you are the source, then you have the highest availability possible and the fullest control.

You could measure the changes in charge induced by a electrical fish as it swims. Or changes in conductivity of some plant/animal tissues. Or have a culture of electrical microorganisms. Or just use your own electroencephalogram with the appropriate corrections to remove waves.

There are also some biological processes whose production is intrinsically random. Things like some biochemical cycles, or some muscle movements. It's all a matter of finding the best one(s) according to randomness and ease of measure. And you can always combine several sources.
There are even some studies already done about the randomness of different biological processes, their predictability and to which extent they can be influenced. The technology to measure most of them is already well developed and highly reliable. It's all a matter of adapting it to a new use. Just my 2c. jr From eli+ at GS160.SP.CS.CMU.EDU Wed Jan 17 11:50:23 1996 From: eli+ at GS160.SP.CS.CMU.EDU (eli+ at GS160.SP.CS.CMU.EDU) Date: Thu, 18 Jan 1996 03:50:23 +0800 Subject: FW: Net Control is Thought Control In-Reply-To: <+cmu.andrew.internet.cypherpunks+4kz3qSq00UfAM0yv9n@andrew.cmu.edu> Message-ID: <9601171916.AA20225@toad.com> In article <+cmu.andrew.internet.cypherpunks+4kz3qSq00UfAM0yv9n at andrew.cmu.edu> Mr. Nuri writes: >that 9 of the last 10 flamewars on this list were actually carefully >orchestrated, *manufactured* by a single person interested in making >this point, and teasing people that refused to believe that rampant >dischord can be sown through a barrage of pseudonyms. Enough already. We all know that discussion groups are subject to disruption by flamers, and that anonymity can reduce accountability. What is more interesting is whether the use of pseudonyms adds any new possibilities. >how can you be so sure that the cypherpunks lists is really what you >think it is? a bunch of people from around the country independently >interested in crypto? an agent provacteur, or agent saboteur, could >create a vastly different perception regardless of the input of other >people. Ah, conspiracy theories again. A conspiracy of one does have certain advantages over the old-fashioned approach of gathering several like-minded people. Communication costs are reduced, and the problem of trust is eliminated. On the other hand, a conspiracy of one isn't much good for anything but playing games on the net -- cattle mutilation is really a two-man job, and infiltrating the U.S. Government is right out. 
Being a good Medusa may be easier than controlling the banking system, but it seems to be quite hard. Your history suggests that stylistic analysis may be used to link nyms. A sufficiently skilled writer might be able to avoid this. An individual known to me was wanking around with pseudonyms (from nyx, I think) on rec.music.industrial in '92-93; he did a decent job of stylistic variation, but was noticed on the basis of the response patterns of his articles (and nailed by nyx usage logs, but that's another matter). There are several Usenet examples of people trying to use inapparent pseudonyms without lasting success. The classic response, of course, is that the real conspiracies are too good to be detected, and/or they off the investigative reporters. This is not falsifiable, but we can compare pseudonym conspiracies to meat ones: the risk is lower, particularly in an regime of unconditionally-secure pseudonyms from which the Medusa can simply walk away. But you don't get real-world power or money. You get to put in a lot of effort for a chance at unduly swaying public opinion on one forum. (And if you screw up, you get a lot of attention -- this may be a major draw for some.) But there are easier and more effective techniques: press releases and paid advertising, for example. Who needs pseudonyms? Side note: >another very interesting effect to measure is the following: if there >is already a lot of mail on a list, people tend to post less. I would say the opposite. -- Eli Brandt eli+ at cs.cmu.edu From rah at shipwright.com Wed Jan 17 11:54:07 1996 From: rah at shipwright.com (Robert Hettinga) Date: Thu, 18 Jan 1996 03:54:07 +0800 Subject: Crypto anarchist getting through customs Message-ID: At 12:13 PM 1/17/96, hallam at w3.org wrote: >...only >conspiracy theories we are interested involve the NSA, MI5 or the Stay-Puffed ^^^^^^^^^^^ >Marshmellowman. ^^^^^^^^^^^^^^ ROTFL. Yes. Well. He just seemed so soft and friendly. 
I figured thinking about *him* couldn't hurt... Cheers, Bob ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/ From bshantz at nwlink.com Wed Jan 17 11:56:20 1996 From: bshantz at nwlink.com (Brad Shantz) Date: Thu, 18 Jan 1996 03:56:20 +0800 Subject: new web security product Message-ID: <199601170021.QAA01255@montana.nwlink.com> Perry Metzger wrote: > I don't think its going to fly. No one wants to pay for an unneeded > $100 piece of hardware to encrypt the same credit card over and over > again, when a nearly zero marginal cost piece of software can do the > same thing. I agree with Perry. Hardware encryption does add a layer of security not normally found in software, but it is hardware. Shoot, I don't even have a 28.8 modem yet, why would I want a black box that supposedly does something with my Credit Cards? Brad From sunder at amanda.dorsai.org Wed Jan 17 11:57:53 1996 From: sunder at amanda.dorsai.org (Ray Arachelian) Date: Thu, 18 Jan 1996 03:57:53 +0800 Subject: Better diversity through Perrymoose. In-Reply-To: <199601162143.QAA05083@nrk.com> Message-ID: On Tue, 16 Jan 1996, David Lesher wrote: > Can't we just solve the problem by making it a moderated list; > and make Perry the moderator? > SHIT NO! NO NO NO NO NO! NO WAY IN HELL NO! :) Cypherpunks will NOT be moderated. Filtered, spindled and stapled, but never moderated. ========================================================================== + ^ + | Ray Arachelian | Amerika: The land of the Freeh. | _ |> \|/ |sunder at dorsai.org| Where day by day, yet another | \ | <--+-->| | Constitutional right vanishes. 
| \| /|\ | Just Say | | <|\ + v + | "No" to the NSA!| Jail the censor, not the author!| <| n ===================http://www.dorsai.org/~sunder/========================= From norm at netcom.com Wed Jan 17 12:03:35 1996 From: norm at netcom.com (Norman Hardy) Date: Thu, 18 Jan 1996 04:03:35 +0800 Subject: "trust management" vs. "certified identity" Message-ID: This is reminiscent of a recent idea of mine. Imagine the following signed declaration: I (fingerprint = ...) claim that the code X with SH (secure hash) = ... satisfies contract with SH= ... when its free code pointers are bound to other code conforming to contracts identified within X by their SH's. The contracts would be either formal or informal. When a Java program arrives at a client it can warrant its services if it finds local access to warranted sub-routines. (For this purpose behaviors of objects are sub-routines.) The Java loader can build warrants recursively with such declarations. They would, of course, be relative to the reputation of signers of the above declarations. I have just sent for your paper. From frissell at panix.com Thu Jan 18 04:07:34 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 18 Jan 96 04:07:34 PST Subject: underground digital economy Message-ID: <2.2.32.19960118121001.00943868@panix.com> At 10:27 PM 1/17/96 -0600, Jim Miller wrote: >This is the part that bothers me. Wouldn't a gateway between anonymous >e-money and identified e-money would stick out like a sore thumb to >agencies tracking the flow of identified e-money? Wouldn't identified >e-money trails start and/or terminate at the gateway? Once the gateway is >discovered, all clients on the identified e-money side of the gateway >would be discovered. But those clients could be shell companies given to the "real" users. As long as one has a continuing opportunity for anonymous *spending* you can transfer the value of the underground e-cash into useful goods and services. 
DCF

From wb8foz at nrk.com Wed Jan 17 12:11:09 1996
From: wb8foz at nrk.com (David Lesher)
Date: Thu, 18 Jan 1996 04:11:09 +0800
Subject: remarkable recent stories
In-Reply-To: <9601170059.AA24758@sulphur.osf.org>
Message-ID: <199601171326.IAA07807@nrk.com>

rsaltz:
> Several times I have heard NSA staffers talk about securing our
> secrets vs. reading theirs. It seems that right now the first
> side is "winning."

This "Chinese Wall" exists in many other branches of the IC. I saw this in a specific physical security area; Red Team tried to (say) build a wall; Black Team worked on new ways through it. We (another agency with an interest in walls) could & did get advice on wall-building from Red; but the Blacks would not talk to either the Red Team nor us.

Trying to predict the posture of the Fort _in general_ from the PhilZ case strikes me as less accurate than throwing darts blindfolded... from a rollercoaster.

--
A host is a host from coast to coast.................wb8foz at nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433

From steve at aztech.net Wed Jan 17 12:16:29 1996
From: steve at aztech.net (Steve Gibbons)
Date: Thu, 18 Jan 1996 04:16:29 +0800
Subject: new web security product
Message-ID: <0099C802.AA1011C0.13@aztech.net>

# Perry Metzger wrote:
# > I don't think its going to fly. No one wants to pay for an unneeded
# > $100 piece of hardware to encrypt the same credit card over and over
# > again, when a nearly zero marginal cost piece of software can do the
# > same thing.

Merchants might. Current credit-card processing terminals are incredibly overpriced for what you get. $100.00 plus the price of an inexpensive PC, plus proprietary software isn't too far off the mark, in comparison.

# I agree with Perry. Hardware encryption does add a layer of security
# not normally found in software, but it is hardware.

I've been a fan of unrelated encryption at each layer of the 7 (5, 4, whatever) layers, lately. In military/financial terms, the question of "who has access to what" and "needs to know what" at different levels of the protocol stack makes a big difference. Network guys should be able to perform traffic analysis, application guys should be able to debug application-specific traffic, but not vice versa.

# Shoot, I don't even have a 28.8 modem yet, why would I want a black
# box that supposedly does something with my Credit Cards?

If you think "Not _my_ credit cards, but my _customers'_...", then it starts to make sense.

--
Steve at AZTech.Net

From reagle at rpcp.mit.edu Wed Jan 17 12:18:34 1996
From: reagle at rpcp.mit.edu (Joseph M. Reagle Jr.)
Date: Thu, 18 Jan 1996 04:18:34 +0800
Subject:
Message-ID: <9601162050.AA12531@rpcp.mit.edu>

At 03:41 PM 1/16/96, you wrote:
>I thought you might find this interesting...

Thanks, that is very cool beyond just ecommerce, because what does it mean for personal encryption? If I buy one of these doo-hickeys for $100, and so do you, does that mean we don't have to buy an AT&T 3600 (secure phone) to talk securely, and also not have to worry about Clipper crap? Or (as it probably is) does that mean we _have_ to talk through this company and it only sends tiny bits of info from the card reader... (it'd be cool if you could modify it...) Interesting.

>
>found at:http://www.cnn.com/TECH/9601/encryption/index.html
>New security device may broaden business on the web
>
>January 16, 1996
>Web posted at: 9:30 p.m EST (1430 GMT)
>
>From Correspondent Marsha Walton
>
>ATLANTA (CNN) -- For cyberspace marketers, The World Wide Web is a potential
>world wide mall, an electronic marketplace for consumer goods and services.
>
> But for now, most visitors are window-shopping, not buying.
A new survey by >the University of Michigan shows consumers are wary of purchasing goods >online for fear their credit card numbers will be misappropriated. > > People who think nothing of giving their credit card number to an anonymous >voice over the phone or handing their card to a waitress at a restaurant, >flinch at the thought of putting that number into a computer. > > But a New Jersey, ISED Corp., has created a device that >secures transactions, both on the Internet and over the telephone. It's >called SED, or secure encryption >device. It costs about a hundred dollars, attaches to a >phone or a PC and operates with the swipe of either a credit or ATM card. > > "What the device will really allow is consumers a new form >of payment from home using their ATM card. They'll be able to purchase goods >and services or whatever on the internet, " said Roger Payne, an engineer >for BT Labs which is testing the product. > > Potentially vulnerable personal account information is >scrambled or encrypted on the magnetic stripe on the card. It is >electronically transferred through the hardware. That eliminates the need >to say or "key in" the account number or expiration date. > > "So that if somebody who is not supposed to be looking at it, they can't >understand what's in there," said Grant Helmendach whose company BUYPASS >processes three quarters of a billion financial transactions a year. > > BUYPASS is marketing SED to "mom and pop" retailers which charge goods by >making an imprint of credit cards, relying on paper transactions that are >costlier, and less secure. > > "Lots of folks want to focus on the Walmarts of the world. not a lot of >people have focused on the smaller specialty shops, specialty retailers, and >what folks at SED have done, is built a terminal that's very inexpensive, >so they can play in this game. They have financial incentive to do that," >said Helmendach. 
>
> As buying by computer catches on, the device could eventually be used to pay
>for everything from a pizza delivery to bailing a friend out of jail, and
>would be as much a part of the home computer as a floppy disk or a hard drive.
>
> And just as consumers have grown accustomed to computers and ATM cards, the
>combination of the two could be another step toward a "cashless" society.

_______________________
Regards, If God intended one space between sentences, why do we have two thumbs? - ?
Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html
reagle at mit.edu 0C 69 D4 E8 F2 70 24 33 B4 5E 5E EC 35 E6 FB 88

From vznuri at netcom.com Wed Jan 17 12:54:27 1996
From: vznuri at netcom.com (Vladimir Z. Nuri)
Date: Thu, 18 Jan 1996 04:54:27 +0800
Subject: FW: Net Control is Thought Control
In-Reply-To: <01BAE3A0.1232C6A0@blancw.accessone.com>
Message-ID: <199601170001.QAA18231@netcom2.netcom.com>

BW:
>Now, you know that no one either on this list or anywhere in cyberspace
>is confined, either physically or psychologically, to continuously &
>unwillingly expose themselves to alt.usenet.kooks or
>http://www.ho-hum.com or cypherpunks, etc..

I have already conceded this point. hence there is definitely a difference between "coercive persuasion" and "persuasion". but my point is that there are other shades of "persuasion" that still have the smell of brainwashing and propaganda techniques (even though they aren't "coercive" in the sense there is a prisoner involved).

>A person in an unrestricted setting, who is so easily persuaded by
>others that they cannot resist being influenced, has a lot of work to do
>in finding out about their own lack of self-confidence & direction.

but humans are subject to influence no matter how paranoid they are about being influenced. it's a basic human instinct. that's my point. peer pressure always arises in all groups, not because humans are malicious, but because they are humans, and humans are social animals.
(perhaps you consider yourself an exception to this rule)

> A
>"victim of information" must study & discover the difference between
>valid info & dangerous nonsense. There are ways to know when someone is
>trying to supplant one's own initiative with their own preferences.

then why can entire societies fall victim, such as Nazi germany? answer: because individuals are fallible. and unlike you, I don't necessarily blame the victim if they fall victim to extremely sophisticated brainwashing techniques.

>And here's plenty of debate & unrestricted flaming in cyberspace to
>challenge anyone's passive acceptance of another's conclusions (or of
>their own unexamined presumptions). And there's always new software
>tools to enable participants to make a quick exit if they feel
>uncomfortable with a conversation.

true, but this has little to do with what I was talking about. my point was that consensus and its perception (not presence or absence of various opinions) is what can be subject to manipulation in cyberspace.

[flamewar manufactured by one person]
>Unless I was thinking of going out to lunch with one of them, I can't
>see why I would care. i.e., unless I needed to make a decision for
>action based on what they had said, it wouldn't really matter to me. I
>expect I would have more effect on them than vice-versa. :>)

it is easy to say you don't care, but this is patently false in the grand scheme of things. suppose that 9 of the last 10 flamewars on this list were actually carefully orchestrated, *manufactured* by a single person interested in making this point, and teasing people that refused to believe that rampant discord can be sown through a barrage of pseudonyms.

the numerous yellings and screechings on this list are ample evidence that most people *do* care about excessive flamewars, and various opinions, posted to this list.

how can you be so sure that the cypherpunks lists is really what you think it is?
a bunch of people from around the country independently interested in crypto? an agent provocateur, or agent saboteur, could create a vastly different perception regardless of the input of other people.

another very interesting effect to measure is the following: if there is already a lot of mail on a list, people tend to post less. hence, if someone (individual) littered the list with many pseudonymous posts under different names, then people who might have contributed otherwise could tend not to post. hence the problem of "real" dialogue is aggravated as a larger percentage of pseudonymous posts appear.

don't care? fine by me. (g) just provides a good opportunity for someone to work with "willing research subjects".

From hoz at univel.telescan.com Wed Jan 17 13:12:09 1996
From: hoz at univel.telescan.com (rick hoselton)
Date: Thu, 18 Jan 1996 05:12:09 +0800
Subject: pgp broken?: my mistake
Message-ID: <9601171819.AA18488@toad.com>

I apologise for including the following line:

>>On 16 Jan 96 at 19:16, Derek Atkins wrote:

Making it appear that Mr Atkins had something to do with the quote, which he did not.

After rereading, the entire post has a sort of nasty tone that I did not intend. Oh, well, maybe I should return to lurk mode for a while...

Rick F. Hoselton (who doesn't claim to present opinions for others)

From jcobb at ahcbsd1.ovnet.com Thu Jan 18 05:13:17 1996
From: jcobb at ahcbsd1.ovnet.com (James M. Cobb)
Date: Thu, 18 Jan 96 05:13:17 PST
Subject: 01 16 96 CuD Cypherpunks-related Items
Message-ID:

Friend,

Cypherpunks-related items in 01 16 96 Computer underground Digest:

  Cryptography and Privacy
  Justice Dept. press release: no PGP prosecution (fwd)
  FLASH: Phil Zimmermann case dropped!
  Letter to Wiesenthal Center in re "hate speech" ban
  AP/NYT: Jewish Groups Call for Internet Censorship

CuD is available as a Usenet newsgroup: comp.society.cu-digest

The most recent issues of CuD can be obtained from the Cu Digest WWW site at: http://www.soci.niu.edu/~cudigest

Cordially,

Jim

From trei at process.com Wed Jan 17 13:16:19 1996
From: trei at process.com (Peter Trei)
Date: Thu, 18 Jan 1996 05:16:19 +0800
Subject: Lotus to export 64 bit, partially-escrowed Notes
Message-ID: <9601172038.AA22875@toad.com>

Alerted by a colleague at the RSA Data Security conference today, I just checked the Lotus site. Folks may wish to look at http://www.lotus.com/home/whatsnew.htm

A new 'international' version of Lotus notes is being released, with 64 bit session keys, as opposed to the old 40 bit version. 24 bits of the session key are stored encrypted under a special, government-access RSA public key. This is in addition to the full 64 bit key being available under the recipient's public RSA key. The idea is that the USG would have to search only a 40-bit keyspace, while others will need to search a 64-bit keyspace.

Reportedly, this 'workfactor reduction key' will NOT be available to foreign governments.

My colleague reports that opinion at the conference was divided over whether Lotus was doing something which made good business sense, or whether this was 'caving-in'.

Speaking only for myself

Peter Trei
trei at process.com

From alano at teleport.com Wed Jan 17 13:18:07 1996
From: alano at teleport.com (Alan Olsen)
Date: Thu, 18 Jan 1996 05:18:07 +0800
Subject: THE RECIPROCAL ?......
Message-ID: <2.2.32.19960117204930.008b9dd4@mail.teleport.com>

At 08:33 AM 1/17/96 -0600, you wrote:
>
>Terence Joseph Mallon writes:
> > "When people talk of encryption they use the word break, they are
> > approaching from one way but not the only way. I am at present trying the
> > reciprocal, that is, to mend."
>
>Why do I sometimes feel that personalities that once were drawn to
>design of perpetual motion machines or techniques for squaring circles
>may very soon flock to cryptographic "research"?

Actually, I think she was just fucking with his mind... It sounds like an answer that I would give to a paranoid newbie, given half the chance. (If I had thought of it...) "A mindfuck is a terrible thing to waste."

I am sometimes surprised at the number of "They have broken PGP" stories I keep hearing. People who know NOTHING about cryptography somehow "know" that PGP has somehow been "broken". I wonder how these memes are getting into the culture at large?

Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key
http://www.teleport.com/~alano/
"Is the operating system half NT or half full?"

From attila at primenet.com Wed Jan 17 13:30:37 1996
From: attila at primenet.com (attila)
Date: Thu, 18 Jan 1996 05:30:37 +0800
Subject: Random Number Generators
In-Reply-To: <0kzHl6200bky0_dkQ0@andrew.cmu.edu>
Message-ID:

On Wed, 17 Jan 1996, Timothy L. Nali wrote:

> Hi all
>
> For a class project, I will be designing a VLSI cmos chip to generate
> truly random numbers (The chip will be fabricated). I'm limited to a
> 2-micron standard cmos technology (no fancy BiCMOS, MISC, or anything
> else). The most promising design I've seen so far (that I can actually
> do) is based on clocking a D flip-flop in the following way:
>
>
>                              -----
>    8Khz clock         ------|     |----- Random output
>                             |     |
>                             |     |
>    (sloppy) slow clock  ----|>    |
>                             |     |
>                              -----
>

you can enhance the thermal stability with a temperature control scheme. and you can virtually eliminate voltage problems with separate regulation. use a digital oscillator and clean up the edges.

would you not be better off for true randomness to use a) a > 8MHz clock, and b) to chain the output of one into the control gate of a second?
I think that gives you better spectral distribution presuming you use a second clock frequency.

unlike most, I am still of the opinion that digital means of generating this should be more uniform. otherwise, use a high-frequency diode, analog weight the curve, analog high-pass it, sample it, and go for it. or take several TV stations, phase and mix the horizontal scans, etc. --but I thought this was a digital project for CMOS --actually CMOS can generate white noise, but you probably will end up with a DSP on your chip!

biasing should be controllable with edge control. However, all of above needs to be bench tested for the practical results --keeping in mind measuring randomness of segments of a bit stream is "impossible" --thoroughly frustrating.

another schema is to play the old enigma game of lining up the spinning wheels -that works digitally, the gates on CMOS are not too hairy -the question is how many wheels and their relative rotation (including direction)? and, how many levels? how much real estate do you have at 2u? I ask because the use of the rotating wheels has been an old project I dumped since fab was far too expensive in the 70s --but it has held my interest.

there has also been a thorough trashing or thrashing of RNG recently which should be in the archives.

> I'd also appreciate any other suggestions or advice you have on RNGs.
>
> Thanks in advance.
>

__________________________________________________________________________
go not unto usenet for advice, for the inhabitants thereof will say:
yes, and no, and maybe, and I don't know, and fuck-off.
_________________________________________________________________ attila__

To be a ruler of men, you need at least 12 inches....
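
[Added example, not part of Timothy Nali's or attila's posts: a Python simulation of the D flip-flop sampler discussed above, comparing an 8 kHz data clock with a much faster one under the same slow-clock jitter, and showing the bias left by an uneven duty cycle. Assumed values, none from the thread: a 100 Hz slow clock with 1 microsecond RMS period jitter, a nominal slow period that is a whole number of fast periods, 8 MHz as the faster clock, and 20000 output bits.]

```python
import random

# Assumed operating point (not from the thread).
SLOW_HZ = 100.0      # nominal rate of the "sloppy" sampling clock
JITTER_S = 1e-6      # RMS jitter of each slow-clock period, in seconds
N_BITS = 20000


def sample_flipflop(fast_hz, slow_hz, jitter_s, n_bits, duty=0.5, seed=1996):
    """Model a D flip-flop: D is a square wave at fast_hz, CLK is a slow
    clock whose period carries Gaussian jitter. Returns the latched bits."""
    rng = random.Random(seed)          # seeded so the run is repeatable
    nominal = 1.0 / slow_hz
    phase = 0.0                        # position inside the fast period, 0..1
    bits = []
    for _ in range(n_bits):
        dt = nominal + rng.gauss(0.0, jitter_s)
        phase = (phase + dt * fast_hz) % 1.0
        bits.append(1 if phase < duty else 0)   # D is high for `duty` of a period
    return bits


def bias(bits):
    """Deviation of the fraction of ones from 1/2."""
    return sum(bits) / len(bits) - 0.5


def serial_correlation(bits):
    """Lag-1 autocorrelation: near 0 for independent bits, near 1 for long runs."""
    mean = sum(bits) / len(bits)
    var = sum((b - mean) ** 2 for b in bits) / len(bits)
    if var == 0.0:
        return 1.0                     # constant output is perfectly predictable
    n = len(bits) - 1
    cov = sum((bits[i] - mean) * (bits[i + 1] - mean) for i in range(n)) / n
    return cov / var


def longest_run(bits):
    """Length of the longest run of identical bits."""
    best = run = 1
    for prev, cur in zip(bits, bits[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def summarize(bits):
    return {
        "bias": bias(bits),
        "serial_correlation": serial_correlation(bits),
        "longest_run": longest_run(bits),
    }


if __name__ == "__main__":
    cases = [
        ("8 kHz data clock, 50% duty", 8e3, 0.5),
        ("8 MHz data clock, 50% duty", 8e6, 0.5),
        ("8 MHz data clock, 60% duty", 8e6, 0.6),
    ]
    for label, fast_hz, duty in cases:
        # Jitter measured in fast-clock periods decides how fresh each sample is.
        spread = JITTER_S * fast_hz
        stats = summarize(sample_flipflop(fast_hz, SLOW_HZ, JITTER_S, N_BITS, duty))
        print(f"{label}: jitter = {spread:g} fast periods, "
              f"bias = {stats['bias']:+.4f}, "
              f"lag-1 corr = {stats['serial_correlation']:+.4f}, "
              f"longest run = {stats['longest_run']}")
```

[With these assumed numbers the jitter spans 0.008 of a period at 8 kHz, so successive samples land almost on the same spot of the waveform and the output comes in long runs; at 8 MHz it spans 8 periods and each sample is effectively independent, leaving only the duty-cycle bias.]
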

From hallam at w3.org Wed Jan 17 13:34:49 1996
From: hallam at w3.org (hallam at w3.org)
Date: Thu, 18 Jan 1996 05:34:49 +0800
Subject: Lotus to export 64 bit, partially-escrowed Notes
In-Reply-To: <9601172038.AA22875@toad.com>
Message-ID: <9601172102.AA29445@zorch.w3.org>

Note that it is slightly easier to break this encryption than the 128 bit encryption with 68 bits sent in the clear used by Netscape.

I think in general that any steps taken to reduce the amount of information available. I'm happier if only the US government has access to the extra 28 bits of privacy than if everyone does. That is not to say that I am happy.

This is better than the government proposal for GAK which would have very easy access to the message content. 40 bits of privacy means that they do at least need to do some work. I would prefer it to be 48 at the very least.

Phill

From mpd at netcom.com Wed Jan 17 13:51:31 1996
From: mpd at netcom.com (Mike Duvos)
Date: Thu, 18 Jan 1996 05:51:31 +0800
Subject: Lotus to export 64 bit, partially-escrowed Notes
In-Reply-To: <9601172102.AA29445@zorch.w3.org>
Message-ID: <199601172109.NAA12724@netcom13.netcom.com>

> Note that it is slightly easier to break this encryption than the 128 bit
> encryption with 68 bits sent in the clear used by Netscape.
>
> I think in general that any steps taken to reduce the amount of information
> available. I'm happier if only the US government has access to the extra 28 bits
> of privacy than if everyone does. That is not to say that I am happy.

Of course, if someone patches the program to incorrectly encrypt the 28 bits for the government, it will be transparent until some nasty TLA tries decrypting the key.

This was the same problem that existed with the Clipper LEAF, if I recall correctly, in that systems with hacked LEAF fields interoperated perfectly with unmodified ones.

--
Mike Duvos         $ PGP 2.6 Public Key available $
mpd at netcom.com  $ via Finger.
$

From alanh at infi.net Wed Jan 17 13:56:23 1996
From: alanh at infi.net (Alan Horowitz)
Date: Thu, 18 Jan 1996 05:56:23 +0800
Subject: Crypto anarchist getting through customs
In-Reply-To:
Message-ID:

> you take your liberal idealism

Permission to quote this to my friends and colleagues? They'll die laughing to think that someone classifies me as a liberal.

From jcobb at ahcbsd1.ovnet.com Thu Jan 18 05:58:17 1996
From: jcobb at ahcbsd1.ovnet.com (James M. Cobb)
Date: Thu, 18 Jan 96 05:58:17 PST
Subject: 02 96 Wired: Cyperpunks-related
Message-ID:

Friend,

Cypherpunks-related items in 02 96 Wired:

  TITLES                                     PAGES

  Surveillance-on-Demand                        72
  Spam King!                                    84
  Cyphermilitia                                 95
  Steve Jobs                                   102
    [interview; see 162.2: "If the Web becomes too complicated,
    too fraught with security concerns...."]
  Catching Kevin                               119
  Privacy Is History                           124
  How Good People Helped Make A Bad Law        132
    [FBI reverse-engineers EFF]

I may have overlooked some items.

Wired subscription requests: 1 800 SO WIRED.

Cordially,

Jim

From m5 at dev.tivoli.com Thu Jan 18 06:00:37 1996
From: m5 at dev.tivoli.com (Mike McNally)
Date: Thu, 18 Jan 96 06:00:37 PST
Subject: CryptoAPI and export question
Message-ID: <9601181354.AA22368@alpha>

Tom Johnston writes:
> We would ship a CSP development kit to a foreign vendor, and sign a CSP
> developed by the foreign vendor, but only with the appropriate export licenses.

So you'll only perform the signing operations in the United States? In other words, what if I'm in Egypt, and I develop a CAPI-compliant DLL (or whatever). Could I go down to the Cairo Microsoft office and get my stuff signed there?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) |
| stand there and flap your arms like a fish.
| Tivoli Systems, Austin TX |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From alanh at infi.net Wed Jan 17 14:00:59 1996
From: alanh at infi.net (Alan Horowitz)
Date: Thu, 18 Jan 1996 06:00:59 +0800
Subject: Crypto anarchist getting through customs
In-Reply-To:
Message-ID:

So Attila, what exactly is your extent of familiarity with active-duty military folk? You think that some O-4 going to night school has to get permission from the Pentagon when choosing topics for a Sociology paper?

Alan Horowitz
alanh at norfolk.infi.net

From alano at teleport.com Wed Jan 17 14:01:34 1996
From: alano at teleport.com (Alan Olsen)
Date: Thu, 18 Jan 1996 06:01:34 +0800
Subject: [Local] Update Information for Portland Cpunks Meeting
Message-ID: <2.2.32.19960117212104.008c6dc8@mail.teleport.com>

-----BEGIN PGP SIGNED MESSAGE-----

The Portland Cypherpunks meeting is still on. We will be having a key signing.

Reminder about time and location:

Location: The Habit Internet Cafe
          21st and Clinton in Portland OR
          http://www.teleport.com/~habit/ for more info.
Date:     January 20th, 1996 (THIS SATURDAY)
Time:     5:23pm

So far I have received only four keys for the key signing. I am kind of disappointed about the results of the proposed key signing for the meeting...

If you are planning on attending, even if you are not planning on participating in the key signing, I need to know so the Habit can plan for the added influx of people. So far I have a large pile of "maybes" and few confirmations.

If you have topics you would like to do a presentation on, please give me information on it so that I can distribute it to the other participants. (Or bring it up before the meeting.)

*** NOTE *** Teleport (my ISP) has been having mail problems. If you have sent me mail and not received a confirmation, please resend. I may not have received it.

Currently, there is only one other speaker confirmed (besides myself).
I would like to see more input from the rest, so this does not just become a one way spouting of information.

The one confirmed speaker will be presenting some of his findings on remailers involving reliability and getting nyms to function for those not versed in the field. It should be useful information for anyone using remailers. (He had a few findings that surprised me...)

I have had a few interesting "maybes", but I will wait until (or if) they show up...

Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key
http://www.teleport.com/~alano/
"Is the operating system half NT or half full?"

From llurch at networking.stanford.edu Wed Jan 17 14:07:30 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Thu, 18 Jan 1996 06:07:30 +0800
Subject: Hack Microsoft Promotion Gets some Press
Message-ID:

Just FYI, and patting everybody on the back. I've tried to deflect the credit, and at least in PC Week I was successful.

January 8th PC Week, Netwired section, only distributed in print I think (which is odd). It mentions c2.org as a "controversial link" on the win95netbugs FAQ, which is odd because nobody has ever complained to me or on the newsgroups about it. But controversy sells, so that's probably a plus anyway.

http://www.zdnet.com/~pcweek/ (their Web server sucks, though, you might not get through)

InfoWorld, next issue, probably on the cover.
http://www.infoworld.com/pageone/nickextra.htm

San Jose Mercury News, probably tomorrow or the next day, not sure whether it's the main section or the computing/business section.

http://www.sjmercury.com/ MERCURY on America "Online"

Simson is rapidly approaching deadline and has frozen his sources, so please disregard my last about sending anything further to him. I will accept it and pass it on to anyone who inquires in the future. I think I was probably too timid by half in not violating anyone's anonymity by even forwarding notes to Simson and by not spamming Simson's mailbox, but that's OK, it'll all come out eventually.

Watch these spaces for Microsoft's response.

http://www.microsoft.com/windows/pr/clarifications.htm
http://www.wagged.com/

Three cheers especially for Peter, Frank, and Sameer.

-rich at c2.org
 http://www.c2.org/hackmsoft/
 llurch at networking.stanford.edu
 http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html

From alanh at infi.net Thu Jan 18 06:32:10 1996
From: alanh at infi.net (Alan Horowitz)
Date: Thu, 18 Jan 96 06:32:10 PST
Subject: Returned mail: User unknown (fwd)
Message-ID:

Alan Horowitz
alanh at norfolk.infi.net

---------- Forwarded message ----------
Date: Thu, 18 Jan 1996 08:27:15 -0500
From: Mail Delivery Subsystem
To: alanh at larry.infi.net
Subject: Returned mail: User unknown

The original message was received at Thu, 18 Jan 1996 08:26:56 -0500
from alanh at localhost

   ----- The following addresses had delivery problems -----
Name Withheld by Request (unrecoverable error)

   ----- Transcript of session follows -----
... while talking to utopia.hacktic.nl.:
>>> RCPT To:
<<< 550 ... User unknown
550 Name Withheld by Request ... User unknown

   ----- Original message follows -----
Received: by larry.infi.net (Infinet-S-3.3) id IAA19226; Thu, 18 Jan 1996 08:26:56 -0500
Return-Path: alanh
Date: Thu, 18 Jan 1996 08:26:56 -0500 (EST)
From: Alan Horowitz
To: Name Withheld by Request
cc: "Alan Horowitz \"Timothy C.
May\""
Subject: Re: PPF #25 and the UN test
In-Reply-To: <199601180540.GAA14063 at utopia.hacktic.nl>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Very interesting. You make bona-fide sounding noises.

Now let me ask you this. Do you think that USA has, or will ever have, security organs as kick ass as the East Germans had? Yet within a short time after the Soviets decided, to cede that whole part of Europe, to the Bonn sphere of influence, those East German operatives were running to cover their ass.

Love of Liberty runs deep within the American psyche, analogously to the way that devotion to Islam runs deep in the Arab countries. The Islamists have plenty of sympathizers in various Arab security organs. Let's recall that President Sadat was shot by bona fide members of the Egyptian military, in a highly organized operation.

If you were a CFR guy, would you bet your life that you could order 500 more Wacos, without having to fear that there would be no loyalty problems inside your chosen operating units?

Let's accept that 20% of the SEALS said they'd confiscate legally-owned firearms from Americans....is 20% enough? Of the other 80%, could you rely on _none_ of them to cause major, major problems?

The secret government has had total control of the economy, since the day the Federal Reserve was delegated the authority to create national debt. America is already well-controlled for the benefit of Insiders. They really don't need to attain higher visibility or more power. They are anglo-saxons, not banana-republic cult-of-personality types. Does Walter Wriston have to worry about Tim May deciding to stockpile blackpowder rifles?

The SEALs are cannon fodder. They know it.

Alan Horowitz
alanh at norfolk.infi.net

From gaffney at emba.uvm.edu Thu Jan 18 06:36:28 1996
From: gaffney at emba.uvm.edu (Don Gaffney)
Date: Thu, 18 Jan 96 06:36:28 PST
Subject: A WfW security curiosity (possibly another security hole)
In-Reply-To: <199601180314.QAA19064@cs26.cs.auckland.ac.nz>
Message-ID:

On Thu, 18 Jan 1996 pgut01 at cs.auckland.ac.nz wrote:

> When WfW is installed, it creates a file in the Windows directory called
> WFWSYS.CFG. This is a standard Windows password file and may be decrypted with
> the password "23skidoo" (note that this is lowercase, since it's passed to the
> .PWL-handling code at a level which bypasses the usual password case smashing.
> The mangled 32-bit form which is passed to the RC4 key setup routine is { 0x67,
> 0x6F, 0xE3, 0x81 }).
>
> WFWSYS.CFG seems to be mostly identical for the few copies I could get to, and
> WfW networking won't work without it. Decrypting the file doesn't seem to give
> anything useful, the string "SYSTEM" and what looks like a few 8 or 16-numbers.
> I don't know enough about how WfW networking works, but my (very vague) guess
> is that it contains some sort of cookie to uniquely ID each machine for
> resource sharing over a network. If it does then it it's (yet another) pretty
> serious security hole, since it's encrypted with a fixed password and seems to
> be mostly identical over multiple machines. OTOH it may be something to do
> with serial numbers so you can't install the same copy of WfW on multiple
> machines on a LAN.
>
> Can anyone shed more light on it?
>
> Peter.
>
>

This is the file used by admincfg.exe (on WFW3.11 disk 8). This file contains "security" settings, such as whether or not to cache passwords on disk (*.PWL files). There is no feature in WFW to prevent use of one copy on multiple machines on a lan.

In terms of security, yes, the whole of Windows Networking is a bad joke.
(An interesting aside, it is possible to get a WfW "security" error on start-up by having subst drives - weird, eh?)

_____________________________________________________________________
Don Gaffney
Engineering, Mathematics & Business Administration Computer Facility
University of Vermont
237 Votey Building
Burlington, VT 05405
(802) 656-8490 Fax: (802) 656-8802

From trei at iii.net Thu Jan 18 06:52:17 1996
From: trei at iii.net (Trei Family)
Date: Thu, 18 Jan 96 06:52:17 PST
Subject: Espionage-enabled Lotus notes.
Message-ID: <199601181451.JAA25153@iii2.iii.net>

I've come up with a new term to describe the type of 'improved' security in the new International edition of Lotus Notes:

    'espionage-enabled'

It's specifically built for export, and has a backdoor to enable USG agents to read the messages more easily. From the viewpoint of a foreign purchaser, 'espionage-enabled' seems an appropriate term.

If we spread this term sufficiently, we may be able to discourage the widespread adoption of this half-measure, and increase the pressure for good, unencumbered crypto.

speaking only for myself,

Peter Trei
ptrei at acm.org

From steve at aztech.net Wed Jan 17 14:59:06 1996
From: steve at aztech.net (Steve Gibbons)
Date: Thu, 18 Jan 1996 06:59:06 +0800
Subject: Alta Vista, Great Stuff!
Message-ID: <0099C7F3.921D3B60.3@aztech.net>

In Article: <199601170427.XAA27753 at UNiX.asb.com>, Beethoven wrote:
# Hey, I saw a message on the list about personal mail
# showing up in an A.V. search, and figured why not try
# it out and see what comes up under one of my nyms...

# Lo and behold, my nym corresponds with the title of a
# popular comic strip and an episode in a bad TV show...

# Crypto related?

# Imagine your nym is related to something common-place at
# the time of posting. Even though you may be well known
# under that nym, simple searches for that name will turn up
# loads of crapola, or at least some light entertainment
# for someone searching for your past posts.
# (It can also turn some unsuspecting people looking for the
# crapola onto your interests...)

# Yes, I know that sophisticated search engines and simple
# expressions can filter out most of the unwanted junk, but
# not all of it. Likewise filtering will let some of your
# posts fall through the web-crawler-cracks.

I've run into three similar situations lately.

1) Quite a few people assume that aztech.com is Aztech Labs, the makers of various sound cards, video cards, and CD-ROM drives. (I _wish_ these folks would use the various search engines to find who/what they're looking for.)

2) I'm hosting a web-page for a band called One Foot In The Grave. There's a (fairly popular, I guess) British sit-com by the same name, with quite a few followers that have set up pages for the TV show.

3) There happens to be a steve at tezcat.com, and we occasionally receive email from long-lost acquaintances that was intended for the other. Generally this is in response to something that either one of us posted to Usenet.

Crypto relevance? Only on item 3, if PK encryption was in wide-spread use, and easy to use, this wouldn't happen. The MUA would realize that it didn't have a local PK key for steve at tezcat.com, and inform the user (who could then perform a soundex lookup on their existing keys, and realize that they meant to contact steve at aztech.com.)

Soundex (or equivalent technology) search spiders are going to make the whole mess even worse...

ObPunk: I decided that the easiest way to hide from item 1 was to change domain names. By chance, someone else was interested in aztech.com, so I even made a profit. :)

I keep meaning to write something up, and submit it to comp.risks, but who has the time?...

--
Steve at AZTech.Net

From jim at bilbo.suite.com Wed Jan 17 15:01:06 1996
From: jim at bilbo.suite.com (Jim Miller)
Date: Thu, 18 Jan 1996 07:01:06 +0800
Subject: underground digital economy
Message-ID: <9601172240.AA06559@bilbo.suite.com>

Question:

The existing underground economy uses the same money as the aboveground economy (i.e. paper money, for the most part). Could a significant underground digital economy develop if the aboveground digital economy used only identified e-money?

Jim_Miller at suite.com

____________________________________________________________________
              The Internet is a land bridge for memes
____________________________________________________________________

From perry at piermont.com Thu Jan 18 07:03:56 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Thu, 18 Jan 96 07:03:56 PST
Subject: Win95 Registration Wizard info
In-Reply-To: <2.2.32.19960118114705.008ccef8@mail.teleport.com>
Message-ID: <199601181503.KAA06603@jekyll.piermont.com>

Alan Olsen writes:
> I picked this link up from the Fringewear list.
[...]
> The author takes the registration Wizard in Win95 apart and shows exactly
> what it does and what it looks for. Some interesting information about the
> encrypted database of product information it uses.

What, exactly, does this have to do with cypherpunks?

Perry

From harmon at tenet.edu Wed Jan 17 15:09:07 1996
From: harmon at tenet.edu (Dan Harmon)
Date: Thu, 18 Jan 1996 07:09:07 +0800
Subject: Scientic American
Message-ID:

The latest issue of SA has a small piece in zero knowledge transactions in the Math Rec section.

Dan

From jeffb at sware.com Wed Jan 17 15:16:29 1996
From: jeffb at sware.com (Jeff Barber)
Date: Thu, 18 Jan 1996 07:16:29 +0800
Subject: A Modest Proposal: Fattening up the Proles
In-Reply-To:
Message-ID: <199601171433.JAA06658@jafar.sware.com>

Timothy C.
May writes:

At 2:57 AM 1/17/96, tallpaul wrote (quoting):

> >"To understand the probable outcome of the Libertarian vision, see any
> >cyberpunk B movie wherein thousands of diseased, desperate and starving
> >families sit around on ratty old couches on the streets watching television
> >while rich megalomaniacs appropriate their body parts for their personal
> >physical immortality."

> The absurdity of this point is obvious to anyone with a brain. Why would we
> want the donors to be "diseased" and "starving"? It is imperative that
> donors be healthy and non-anorexic (we used to use the phrase "fattened
> up," but this is no longer au courant).
>
> To keep the proles reasonably healthy, the plutocrats are encouraging the
> current wave of exercise videos, ThighMasters, Buns of Steel, etc. And lots
> of beer, as the Kobe beef quakers have shown.

Plus, we'll be feeding them tasty and nutritious Soylent Green(tm)...

-- Jeff

From pgut01 at cs.auckland.ac.nz Thu Jan 18 07:19:02 1996
From: pgut01 at cs.auckland.ac.nz (pgut01 at cs.auckland.ac.nz)
Date: Thu, 18 Jan 96 07:19:02 PST
Subject: A WfW security curiosity (possibly another security hole)
Message-ID: <199601181518.EAA17585@cs26.cs.auckland.ac.nz>

>>[WFWSYS.CFG file]
>
>This is the file used by admincfg.exe (on WFW3.11 disk 8). This file
>contains "security" settings, such as whether or not to cache passwords
>on disk (*.PWL files).

Ahh, so you can silently reenable password caching by manipulating this file, thereby defeating Microsoft's "turn off password caching" kludge. Wonderful. I'll have a poke around on Monday to figure out what bits to flip and post the results here. Thanks for the info...

Peter.

From perry at piermont.com Thu Jan 18 07:20:16 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Thu, 18 Jan 96 07:20:16 PST
Subject: noise levels
Message-ID: <199601181520.KAA06653@jekyll.piermont.com>

The noise levels around here are getting astounding.
Posts on windows registration wizards, gun control, unemployment, Kevin Mitnick's underwear, and all the rest are most certainly NOT doing us any good.

Here we are in the midst of IBM putting espionage enabled versions of Lotus Notes out (someone should be putting out a hack to change the embedded public key), Microsoft putting out a crypto API that could potentially be of enormous interest, activity moving in the Karn lawsuit, and all sorts of other important events, and YOU DUNDERHEADS ARE MAKING IT IMPOSSIBLE TO CARRY OUT IMPORTANT DISCUSSIONS.

If you want to help the NSA in its mission to stop the dissemination of strong crypto, by all means, continue posting garbage.

Perry

From tc at phantom.com Wed Jan 17 15:35:12 1996
From: tc at phantom.com (Dave Banisar)
Date: Thu, 18 Jan 1996 07:35:12 +0800
Subject: EPIC: Commerce Report on Crypto Availability
Message-ID:

Commerce Releases Crypto Availability Report

The US Department of Commerce today released a report on the international market for encryption software. The report, which was jointly produced by the Commerce Department's Bureau of Export Administration and the National Security Agency reviews the foreign availability of encryption products and other nations' import, export and domestic use policies.

The report finds that there are foreign products available which "can have an impact on US competitiveness" and that US export controls "may have discouraged US software producers from enhancing the software features of general purpose software to meet the anticipated growth demand by foreign markets. It anticipated that there is a steadily increasing demand for crypto to be included in general use software products because of well publicized break-ins.

A large portion of the report has been redacted by the NSA. EPIC filed suit under the Freedom of Information Act in December 1995 to obtain a full copy of the report and will continue to demand its release.
EPIC believes that the US government should remove export controls on public domain and commercial software that contains encryption and end the policy of demanding that key escrow be implemented in all encryption software.

Enclosed is the Commerce Department Press Release and Executive Summary of the report. The full report is over 100 pages. EPIC will make every effort to make the full report available in electronic form as soon as possible.

More information on crypto policy is available at the EPIC Web Site at http://www.epic.org/crypto/

UNITED STATES DEPARTMENT OF COMMERCE NEWS
WASHINGTON DC.20230
OFFICE OF THE SECRETARY

FOR IMMEDIATE RELEASE            CONTACT: Carol Hamilton
Thursday, January 11,1996                 (202) 482-4883
                                          Eugene Cottilli
                                          (202) 482-2721

DEPARTMENT OF COMMERCE RELEASES STUDY ON THE INTERNATIONAL MARKET FOR ENCRYPTION SOFTWARE

Washington, D.C. -- The growth of an international market for encryption software is being slowed by strong export controls, both in the United States and other major countries. Moreover, the quality of products offered abroad varies greatly, with some not providing the level of protection advertised.

The study, jointly prepared by the Commerce Department's Bureau of Export Administration (BXA) and the National Security Agency (NSA), evaluates the current and future market for computer software with encryption, which allows users to protect their data using codes. The study also reviews the availability of foreign encryption software and assesses the impact that U.S. export controls on encryption have on the competitiveness of the software industry.

"Our study provides a clear snapshot of the international competition in this segment that the software industry faces," said Commerce Secretary Ron Brown. "Better understanding of the products and the marketplace gives us the tools to ensure that our export control policies are appropriate," he added.
The study noted encryption software presently accounts for only a small percentage of the total computer software but should grow substantially as the U.S. and other countries develop and expand public networks and electronic commerce.

The study found that the U.S. software industry still dominates world markets. In those markets not offering strong encryption locally, U.S. software encryption remains the dominant choice. However, the existence of foreign products with labels indicating DES (Data Encryption Standard) or other strong algorithms, even if they are less secure than claimed, can nonetheless have a negative effect on U.S. competitiveness. The study also notes that the existence of strong U.S. export controls on encryption may have discouraged U.S. software producers from enhancing the security features of general purpose software products to meet the anticipated growth in demand by foreign markets.

All countries that are major producers of commercial encryption products were found to control exports of the products to some extent. A few countries (e.g., France, Russia, and Israel) control imports and domestic use of encryption, as well.

As part of the study, NSA evaluated twenty-eight different foreign encryption software products, finding that some were less secure than advertised. Because customers lack a way to determine actual encryption strength, they sometimes choose foreign products over apparently weaker U.S. ones, giving those foreign products a competitive advantage.

-30-

A STUDY OF THE INTERNATIONAL MARKET FOR COMPUTER SOFTWARE WITH ENCRYPTION

[Note: This is a redacted copy of the original secret document. Brackets [] accompanied by the original classifications have been used to indicate location and size of excised classified text]

Prepared by the U.S.
Department of Commerce and the National Security Agency for the Interagency Working Group on Encryption and Telecommunications Policy EXECUTIVE SUMMARY BACKGROUND In late 1994, the President's National Security Advisor directed that an interagency report be prepared assessing the current and future international market for software products containing encryption and the impact of export controls on the U.S. software industry. The report was to include an assessment of the impact of U.S. encryption export controls on the international competitiveness of the U.S. computer software industry and a review of the types, quality, and market penetration of foreign-produced encryption software products. This paper presents the joint efforts of the Department of Commerce/Bureau of Export Administration and the National Security Agency to complete this tasking. (U) EXPORT CONTROLS All countries that are major producers of commercial encryption products control exports of those products to some extent. Control methodologies and licensing practices vary, however, and a few countries, most notably France, Russia and Israel also control imports and/or domestic use of encryption. There is a significant amount of international cooperation in controlling encryption exports. (U) Some European and other countries apparently treat exports to the United States of DES-based software more liberally than the United States treats DES exports to those countries. Some countries have stated that they generally restrict DES exports to financial end-uses. In general, no independent verification of these licensing practices was obtained. However, in some cases the U.S. was able to obtain DES products from them for non-financial end-uses.
It is possible that some countries may allow these exports based on their political/economic/military relationship with the destination country (e.g., within the European Community, or former COCOM), for end uses that are considered legitimate commercial applications of the technology, or, in the case of exports to the United States, because DES is a national standard. (U) As the technology and the marketplace have evolved, the USG export control authorities have relaxed licensing constraints on cryptographic products several times over the past 10 years. These changes have usually been made after industry pressures and internal debate to balance national security and economic concerns. (U) DOMESTIC AND INTERNATIONAL MARKETS While presently encryption software accounts for only a small percentage of the total software market (1-3%), according to numerous information security experts contacted in the course of the study, the future growth trend for this sector is expected to be great. The market for encryption in distributed computation, databases, and electronic mail is beginning to expand exponentially as the U.S. and other countries develop and popularize electronic commerce, public networks, and distributed processing. (U) Encryption in these environments will often be implemented in software, as opposed to hardware, because it is generally less expensive and simpler to install and upgrade. Absent changes in government standards, for the next ten years, encryption software will primarily use DES and RSA-licensed encryption algorithms. Other non-standard and company proprietary algorithms will be used primarily for security-specific products for small niche markets. (U) Certain developments are promoting greater use by the general public of software-based network security features, including encryption, throughout the industrialized world.
They include ever increasing use, fueled by well publicized "break-ins," of distributed databases, popular acceptance and usage of global networks, and the development and use of electronic commerce. (U) These developments are ongoing at one stage or another in practically all of the countries surveyed for this assessment. Less technologically advanced countries, where demand for encryption software is reportedly negligible, will soon undergo widespread development and computerization leading to increased demand for encryption software within the next 10 years. (U) The overwhelming majority (75%) of general-purpose software products (e.g., word processors, spread sheet programs, and database programs) available on foreign markets today are of U.S. origin. Commerce Department analyses indicate that the U.S. has few viable foreign competitors for such products, and of those general-purpose products with encryption features, all were found to be of U.S. origin. (U) In the security specific software market, however, U.S. manufacturers face competition in several foreign markets from such encryption exporting countries as the United Kingdom, Germany, and Israel. To a large extent, markets for these products tend to be "national." Not only do export controls affect sales, but local vendors of security-specific products are at a competitive advantage in that they are better situated to work closely with end-users and develop encryption solutions tailored to meet the conditions of the local environment. (U) NSA confirmed the existence of a significant number of foreign security-specific software products with encryption features, predominantly from Western European suppliers. Security-specific products are usually not available on the shelf at retail stores either in the U.S. or abroad, but can be purchased through direct contact with the manufacturer. (U) BXA attempted to quantify U.S.
competitiveness and market share in 31 foreign countries where encryption is thought to have significant demand. While sources in the countries surveyed had limited access to import statistics or market literature on encryption software and encountered numerous difficulties in evaluating this complex market, definite conclusions may be drawn from the responses. (U) Sources in 14 countries indicated that U.S. export controls limit U.S. market share in their countries. Sources in seven countries indicated that export controls have either no impact or no major impact. (U) Sources in most countries indicated that the U.S. market share is keeping pace with overall demand despite the impact of U.S. export controls, which may promote indigenous production or reduce U.S. market penetration. In all known cases, the U.S. holds the majority of the general-purpose encryption software market. (U) Three exceptions are Switzerland (where the U.S. market share reportedly declined in 1994, while the market shares of other European countries rose), Denmark and the United Kingdom, which reported unspecified declines from previous years. Sources in all three countries attribute the decline to U.S. export controls, which they claim promote the development and sale of indigenous encryption products. (U) In many countries surveyed, exportable U.S. encryption products are perceived to be of unsatisfactory quality. (U) ANALYSIS OF FOREIGN PRODUCTS NSA used various methods to procure encryption software products from a variety of countries and companies, as reflected in the TIS database and other sources. Altogether, 28 products from 22 foreign producers in 10 countries were acquired for the purposes of this study. Of these, 21 purportedly use the DES algorithm, while the remaining 7 use proprietary algorithms. (U) [ ] (S) ECONOMIC IMPACT In the absence of significant foreign competition, the impact of U.S.
export controls on the international market shares of general-purpose products is probably negligible. Customers are often unaware of the encryption features in these products and primarily base purchases on the features implementing the primary function of the product (e.g., word processing or database). (U) [ ] (S) BXA attempted to quantify the economic impact of export controls on the U.S. software industry by forwarding a detailed voluntary questionnaire to 206 software vendors and other interested parties. Thirty six encryption software manufacturers provided completed surveys out of the 71 returned. By and large, the companies were unable or unwilling to quantify the costs of export controls, but did provide substantive explanations of how and why they believe they are adversely affected. (U) Some general-purpose software companies claim that export controls have affected their plans to expand security features to meet anticipated growing demand. These companies believe that they could expand their domestic and international customer base with such features. (U) The export licensing process itself is not a major obstacle to U.S. competitiveness. Only seven survey respondents use the Department of State licensing system. While they continue to have some complaints about the administrative burdens and time delays associated with State's process, several noted that there had been improvements in recent years. Only two of the survey respondents had been denied licenses by the Department of State. (U) Numerous survey respondents indicated that they avoided applying for export licenses from the Department of State altogether. Some larger companies whose products tended to be general-purpose in nature either developed two versions of software, or incorporated an encryption algorithm they knew would qualify for Commerce general licenses. (U) Many smaller, security-specific software firms, on the other hand, elected to limit their sales to the domestic market only.
These companies indicated a high level of foreign interest in purchasing their products, and therefore lost potential sales. While it is difficult for them to quantify their potential market, they believe it to be sizeable. They claim their small size limited their ability to develop two versions of their products, and the fact that their products were for security purposes specifically requires them to incorporate strong encryption. Only one company was able to provide specific examples where a foreign competitor obtained a sale due to an export license denied by U.S. authorities. (U) There is little evidence that U.S. export controls have had a negative effect on the availability of products in the U.S. marketplace. A broad range of products with secure algorithms exist in the U.S. market and availability of products is based principally on the level of customer demand. Export controls may have hindered incorporation of strong encryption algorithms in some domestic mass-market, general-purpose products, since some companies find developing and maintaining two versions of a product infeasible. (U) The existence of foreign products with labels indicating DES or other strong encryption algorithms, even if they are less secure than claimed, can nonetheless have a negative effect on U.S. competitiveness. Most encryption users base their purchasing decisions on the advertised product features, along with price, company reputation, etc. (U) From jimbell at pacifier.com Wed Jan 17 15:42:18 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 18 Jan 1996 07:42:18 +0800 Subject: Lotus to export 64 bit, partially-escrowed Notes Message-ID: At 03:45 PM 1/17/96 -6, Peter Trei wrote: >A new 'international' version of Lotus notes is being released, with >64 bit session keys, as opposed to the old 40 bit version. > >24 bits of the session key are stored encrypted under a special, >government-access RSA public key.
This is in addition to the full >64 bit key being available under the recipient's public RSA key. > >The idea is that the USG would have to search only a 40-bit keyspace, >while others will need to search a 64-bit keyspace. >Reportedly, this 'workfactor reduction key' will NOT be available to >foreign governments. >My colleague reports that opinion at the conference was divided over >whether Lotus was doing something which made good business >sense, or whether this was 'caving-in'. My "vote"? They're "caving-in." From Alan.Pugh at internetMCI.COM Wed Jan 17 15:59:40 1996 From: Alan.Pugh at internetMCI.COM (Alan Pugh) Date: Thu, 18 Jan 1996 07:59:40 +0800 Subject: Crippled Notes export encryption Message-ID: <199601172347.SAA19227@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- - -- [ From: Alan Pugh * EMC.Ver #2.3 ] -- Since this is definitely on-list, and I haven't seen anything on it here yet, I'm posting the whole thing. Apologies for duplication. Date: Wednesday, 17-Jan-96 04:23 PM Subject: infoMCI FLASH - Lotus-Security - Lotus Announces C [infoMCI FLASH] i n f o M C I F L A S H infoMCI (sm) Lotus-Security - Lotus Announces Compromise for Export of Strong Encryption By ELIZABETH WEISE AP Cyberspace Writer SAN FRANCISCO (AP) _ Lotus Development Corp. announced a compromise with the federal government Wednesday that will allow it to put better security features into the international version of its Notes program. While the arrangement assures the government it can access data under extreme circumstances, it represents an advance in the strength of security allowed in software exported from the United States. Federal law prohibits the export of certain high-level encryption programs, which are defined as a munition under a Cold War-era arms control act.
Encryption programs take ordinary data and put it in secret form that cannot be accessed without the proper data ``key.'' The government's arbitrary standard for cracking encryption programs when needed is at a technical level described as ``40-bit.'' Some software programs sold in the United States, including Lotus Notes, now use stronger 64-bit encryption. Lotus has been under pressure to bring such security to Notes users overseas. Although 40-bit encryption is quite strong, highly-sophisticated attacks using several computers have been able to break it recently. ``Our customers have basically lost confidence in 40-bit cryptography,'' said Ray Ozzie, president of Iris Associates, the unit of Lotus that developed Notes. ``That left us in a bind. We are the vendor that's supposedly selling a secure system to them and they are saying it's no good,'' Ozzie told a standing room audience at the RSA Data Security conference. Changes in the general export laws seemed unlikely so Lotus negotiated an interim solution. The export version of Lotus Notes 4.0, which went on sale last week, includes 64-bit encryption but the company has given the U.S. government a special code that unlocks the final 24 bits. For companies that use the international version of Notes, it's as if Lotus put two strong locks on a door and gave a key for one to the U.S. government. Thieves have to break through two locks, the government only one. ``This protects corporate information from malicious crackers but permits the government to retain their current access,'' Ozzie said. He acknowledged the solution was only a compromise and said Lotus wants to see better data security methods developed worldwide. However, many participants at the conference saw the move as a cosmetic answer to the tension between corporate desires for the best security and government's interest to access data when necessary.
``It's a useful stopgap measure that has no value in the long run,'' said Donn Parker, a senior security consultant with SRI International, a computer research company in Menlo Park, Calif. Simson Garfinkel, author and computer security expert, said he's not sure international buyers of Notes will like the solution. ``Foreign companies don't want the U.S. government to spy on their data any more than the U.S. government wants foreign companies to be able to spy on theirs,'' Garfinkel said. International Business Machines Corp. bought Lotus in July, citing the success of Notes, a sophisticated communications and database program. AP-DS-01-17-96 1619EST (66413) *** End of story *** - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMP2KdioZzwIn1bdtAQGdegF9GVCEfL50vWd7e5XX/mKEnzGy5YGvW0iD rNPCmz3Xxf3h9wOVJMLrCeDGwe4/m84g =6jpa -----END PGP SIGNATURE----- From abostick at netcom.com Wed Jan 17 16:08:00 1996 From: abostick at netcom.com (Alan Bostick) Date: Thu, 18 Jan 1996 08:08:00 +0800 Subject: Microsoft's CAPI In-Reply-To: <199601171502.KAA16060@nsa.tempo.att.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- In article <199601171502.KAA16060 at nsa.tempo.att.com>, Matt Blaze wrote: > The OS will not load just any old CSP. CSPs have to be signed by > Microsoft. The kernel contains a (hardcoded?) 1024 RSA public key > that it uses to check the signature when the user tries to load a CSP. > If the signature check fails, the CSP won't load. Microsoft says it > will sign any CSP from anyone AS LONG AS THEY CERTIFY THAT THEY WILL > FOLLOW THE EXPORT RULES. So you can get your CSP signed if you use > exportable cryptography or if you agree not to send it outside the US > and Canada, etc. 
But an end user can't just compile crypto code and > use it as a CSP, even for his or her own use, without getting it > signed by Microsoft first (actually, the CSP development kit does > allow this, but it uses a special version of the OS). The next obvious question is: Will Microsoft sign strong-crypto CSPs developed by foreign developers for out-of-USA use? - -- Alan Bostick | He played the king as if afraid someone else Seeking opportunity to | would play the ace. develop multimedia content. | John Mason Brown, drama critic Finger abostick at netcom.com for more info and PGP public key -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMP09JuVevBgtmhnpAQHbyQMAw3yh1qhIrBD0RF2ppiiiJnwJkF45qMKm vsjXXZY92dJPbdLcOebxBRPCBxpyRSVqVKsy6QPA0KsYdLIgFt+ziFYWRrv3PFjz f3Jf2dg+rhJ6G4dhDhTqp4/pdUT0huzy =78Il -----END PGP SIGNATURE----- From bruceab at teleport.com Wed Jan 17 16:29:24 1996 From: bruceab at teleport.com (Bruce Baugh) Date: Thu, 18 Jan 1996 08:29:24 +0800 Subject: [NOISE] Re: A Modest Proposal: Fattening up the Proles Message-ID: <2.2.32.19960118001348.00677b44@mail.teleport.com> -----BEGIN PGP SIGNED MESSAGE----- At 08:54 AM 1/17/96 -0500, John Young wrote: > By any means, emulate elitist indolents and avoid anxiety. > Display iron-fisted civilized beliefs, practice tough-love > humiliation and master-over-slave manners and militant > mind-couture, but do nothing truly disruptive of the status > quo that so rewards niche market exploiters of genuine > dissent. The patient displays advanced signs of Stephen Donaldson's Disease. We recommend _immediate_ replacement of the TrendyLeft thesaurus and spelling checker package with more robust models. Strunk&White GoodWrite , say, or perhaps RichardScarrySoft . More seriously, I recommend a re-reading (or first reading, as it may be) of Orwell's "Politics and the English Language". I quote: "In our time it is broadly true that political writing is bad writing. ... 
Orthodoxy, of whatever color, seems to demand a lifeless, imitative style. The political dialects to be found in pamphlets, leading articles, manifestos, White Papers and the speeches of under-secretaries do, of course, vary from party to party, but they are all alike in that one almost never finds in them a fresh, vivid, home-made turn of speech. When one watches some tired hack on the platform mechanically repeating the familiar phrases - bestial atrocities, iron heel, bloodstained tyranny, free peoples of the world, stand shoulder to shoulder - one often has a curious feeling that one is not watching a live human being but some kind of dummy. ... And this is not altogether fanciful. A speaker who uses that kind of phraseology has gone some distance towards turning himself into a machine. ... "Consider for instance some comfortable English professor defending Russian totalitarianism. He cannot say outright, 'I believe in killing off your opponents when you can get good results by doing so.' Probably, therefore, he will say something like: 'While freely conceding that the Soviet regime exhibits certain features which the humanitarian may be inclined to deplore, we must, I think, agree that a certain curtailment of the right to political opposition is an unavoidable concomitant of transitional periods, and that the rigors which the Russian people have been called upon to undergo have been amply justified in the sphere of concrete achievement.' "The inflated style is itself a kind of euphemism. A mass of Latin words falls upon the facts like soft snow, blurring the outlines and covering up all the details." Ironically, of course, Tim May's brutal honesty (right or wrong, he's almost always clear) is lots more "populist", in the sense of being readily and widely understood, than John Young's stale academese.
Bruce Baugh bruceab at teleport.com http://www.teleport.com/~bruceab -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- From fstuart at vetmed.auburn.edu Thu Jan 18 08:53:09 1996 From: fstuart at vetmed.auburn.edu (Frank Stuart) Date: Thu, 18 Jan 96 08:53:09 PST Subject: Ozzie Apes Jim Clark, Fix Is In to Cave and Cry Message-ID: <199601181652.KAA13172@snoopy.vetmed.auburn.edu> >Wall Street Journal, Jan 18, 1996 > >IBM Compromises on Encryption Keys, U.S. Allows Export of >More-Secure Notes [...] >The new overseas version of Notes, tagged Release 4, will give >foreign users 64-bit security. But to get permission to export >the software, Lotus agreed to give the government access to 24 >of those bits by using a special 24-bit key supplied by the ^ >National Security Agency. [...] Does anyone know if there really is just one 24-bit key for every copy of Lotus Notes or is this a miscommunication? If there really is just one 24-bit key for everyone, can't you just look for the bits that don't change among different 64 bit keys? (e.g. AND a "sufficiently large" number of 64-bit keys together to find the 1's that don't change and then OR them to find the 0's until you've got the 24 bit key). Someone, please tell me that's not how it works (or post the 24-bit key :>). | (Douglas) Hofstadter's Law: Frank Stuart | It always takes longer than you expect, even fstuart at vetmed.auburn.edu | when you take into account Hofstadter's Law.
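The arrangement as Peter Trei describes it earlier in the thread (part of each session key encrypted under a government-access RSA public key), modelled at reduced size as an added example that is not Lotus code and not part of any post here. The 16/6-bit sizes, the toy RSA key, the SHA-256 XOR cipher, the `NOTESDOC` header and all function names are assumptions for illustration; `unchanging_bits` runs the AND/OR test from the question above over per-message random session keys.

```python
import hashlib
import secrets
from functools import reduce
from operator import and_, or_

# Scaled-down sizes so the searches finish in well under a second. The thread's
# figures are 64 session-key bits with 24 escrowed, leaving 40 to search.
KEY_BITS = 16
ESCROW_BITS = 6
LOW_BITS = KEY_BITS - ESCROW_BITS

# Toy RSA key standing in for the "government-access" key. Built from two
# well-known Mersenne primes, so it offers no secrecy; illustration only.
P, Q, E = 2**89 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

MAGIC = b"NOTESDOC"  # constructed known header used to recognise a correct key


def xor_cipher(key: int, data: bytes) -> bytes:
    """Toy stream cipher (assumption): XOR with a SHA-256 keystream."""
    key_bytes = key.to_bytes(8, "big")
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key_bytes + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def escrow_field(key: int) -> int:
    """Encrypt the top ESCROW_BITS of the key under the escrow public key."""
    top = key >> LOW_BITS
    # Random padding, so equal escrowed bits never yield equal fields and the
    # small value cannot be recovered by trial encryption under the public key.
    padded = (secrets.randbits(128) << ESCROW_BITS) | top
    return pow(padded, E, N)


def seal(plaintext: bytes):
    """Return (session key, escrow field, ciphertext) for one message."""
    key = secrets.randbits(KEY_BITS)
    return key, escrow_field(key), xor_cipher(key, MAGIC + plaintext)


def recover_escrowed_bits(field: int) -> int:
    """What the holder of the escrow private key learns from the field."""
    return pow(field, D, N) & ((1 << ESCROW_BITS) - 1)


def search(ciphertext: bytes, known_top=None):
    """Exhaustive key search; returns (key, number of trial decryptions)."""
    if known_top is None:
        candidates = range(1 << KEY_BITS)
    else:
        base = known_top << LOW_BITS
        candidates = range(base, base + (1 << LOW_BITS))
    trials = 0
    for candidate in candidates:
        trials += 1
        if xor_cipher(candidate, ciphertext[:len(MAGIC)]) == MAGIC:
            return candidate, trials
    return None, trials


def unchanging_bits(keys) -> int:
    """Mask of bit positions that hold the same value in every key."""
    full = (1 << KEY_BITS) - 1
    always_one = reduce(and_, keys)
    always_zero = ~reduce(or_, keys) & full
    return always_one | always_zero


if __name__ == "__main__":
    key, field, ct = seal(b"quarterly forecast")
    print("outsider trials :", search(ct)[1], "of up to", 1 << KEY_BITS)
    top = recover_escrowed_bits(field)
    print("escrow trials   :", search(ct, top)[1], "of up to", 1 << LOW_BITS)
    keys = [seal(b"x")[0] for _ in range(200)]
    print("unchanging bits :", bin(unchanging_bits(keys)))
```

In this model the escrow holder's search is bounded by 2^(KEY_BITS - ESCROW_BITS) trials while everyone else faces up to 2^KEY_BITS, and the AND/OR mask comes back empty because the escrowed bits are part of each random session key, not a fixed pattern shared between keys.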
From hallam at w3.org Thu Jan 18 09:00:48 1996 From: hallam at w3.org (hallam at w3.org) Date: Thu, 18 Jan 96 09:00:48 PST Subject: CryptoAPI and export question Message-ID: <9601181700.AA02008@zorch.w3.org> >Two points: the CSP development kit is export-controlled; and signing a >CSP developed by a foreign vendor is treated as an export -- so the signature >is export-controlled. >We would ship a CSP development kit to a foreign vendor, and sign a CSP >developed by the foreign vendor, but only with the appropriate export licenses. This could lead to problems. I'm not sure what the European Community reaction to US attempts to export its legal system will be. The problem is that the Lotus Notes scheme changes the previous deal. Before the European governments benefited from the US export control laws because they had wiretap abilities. Now they are denied wiretap capabilities and have the US able to snoop on all their traffic. Could find yourselves in the middle of a nasty battle... Phill From pati at ipied.tu.ac.th Wed Jan 17 17:09:29 1996 From: pati at ipied.tu.ac.th (Patiwat Panurach (akira rising)) Date: Thu, 18 Jan 1996 09:09:29 +0800 Subject: Offshore Banks and Asset Protection In-Reply-To: Message-ID: On Fri, 12 Jan 1996, Timothy C. May wrote: > At 8:57 PM 1/12/96, Rich Graves wrote: > >Every issue of The Economist (and I'm sure lots of other publications) > >has ads for this kind of thing. And The Economist wisely puts notices warning readers to use their own discretion on such services. Great mag, it gave some of the best and sanest articles on the internet ever printed in the "popular press". > >Anyone know a reference for ranking the "legitimacy" of these services > >and seminars? I'd assume that many of them are scams that will gladly > >take your money overseas, but you might never see it again. > > I looked into "asset protection" [see note below] using offshore banks > (Caribbean, Channel Islands, Europe, etc.), and bought a couple of books on > this.
And I subscribed to some Net newsletters. I'm not an expert, and have > not chosen (yet) to "protect" my assets by moving them offshore. > > "tax sheltering" (or "tax evasion"). The idea is to put assets beyond the > reach of tort judgments. For example, a doctor may fear the incredibly > large "deep pockets" lawsuits that American society encourages, so he > transfers a large fraction of his net worth to an offshore bank. He reports Besides their rather ambiguous value as "asset protection" and "tax sheltering", the main reason people use offshore banking is to gain better interest rates. In Thailand, the Bangkok International Banking Facility offers interest rates on deposits that are several percentages higher than normal banks. The banks of the facility work under a different set of banking laws from normal banks. Also, the interest rate on loans also tends to be lower. I'm not sure whether international funds are subject to local (thai) or international (us) tort judgements though, but many of the banks in the BiBF advertise to offer high privacy and security. ------------------------------------------------------------------------------- Patiwat Panurach Whatever you can do, or dream you can, begin it. eMAIL: pati at ipied.tu.ac.th Boldness has genius, power and magic in it. m/18 junior Fac of Economics -Johann W.Von Goethe ------------------------------------------------------------------------------- From dlv at bwalk.dm.com Wed Jan 17 17:11:36 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Thu, 18 Jan 1996 09:11:36 +0800 Subject: A weakness in PGP signatures, and a suggested solution In-Reply-To: <199601171613.IAA11904@mail.eskimo.com> Message-ID: "Brian C. Lane" writes: > > > In article , Jeffrey Gol > > > > But then the recipient has a PGP-signed message from you which > > isn't encrypted (using pgp -d). That person could then impersonate > > you.
Eg Alice the jilted lover could resend the goodbye message > > with forged headers to Bob's new girlfriend to get back at him. > > Ah ha! Now I understand what this argument has been all about. This > is not a flaw with PGP, but with the software doing the signing. It > should/could add a line with a time and date stamp inside the > signature envelope, or Bob could add more information, making the > message more specific. > > I don't think PGP needs to be 'fixed', but the signing software > does. I think a two-fold fix would be welcome; 1. The signing software needs to copy these headers within the body in a standard way. I think I've seen a couple of such hacks already. That's a welcome idea. 2. When PGP verified the signature, it should have an option to look outside the signed portion for RFC 822 headers and compare them to the signed copy of the headers inside. If this is not in PGP, then the function would have to be done by some non-portable wrapper. (Of course, if your headers aren't RFC 822, you're out of luck.) (As someone pointed out, PGP already time-stamps the signature.) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From rmartin at aw.sgi.com Thu Jan 18 09:17:16 1996 From: rmartin at aw.sgi.com (Richard Martin) Date: Thu, 18 Jan 96 09:17:16 PST Subject: Espionage-enabled Lotus notes. In-Reply-To: <9601181638.AA01736@zorch.w3.org> Message-ID: <9601181216.ZM26755@glacius.alias.com> -----BEGIN PGP SIGNED MESSAGE----- On Jan 18, 11:38am, hallam at w3.org wrote: > The problem with this system is that it is quite likely to succeed. Unlike > Clipper which made unfettered access to encrypted material possible the > escrowed key strength reduction means that the FBI can tap a significant > number of locations, just not all of them. The Lotus `solution' seems to be the action of an American company shipping a product which effectively says to foreign users, "We don't care about you as a market."
That this is the so-called "export" version is ironic. The keys are escrowed with the U.S. government, and no one else. The French government should rightly cry foul, for this is (a) encryption where they don't have the keys and (b) encryption where another government *does*. For the world where industrial espionage is supposed to be becoming the top priority and where there have already been ugly accusations among teams at trade talks, the NSA has just scored a victory on two fronts. They've forced a major company (they don't come much more major than IBM) to ship a product which actually helps them in both aspects of their mandate. Communications interception of foreign industries' groupware is now easier for the U.S. than for any other country, while (and this must be granted) the communications security of American industries will be somewhat improved by this move. This is a win for the NSA, whose mandate (much as their Canadian counterpart) would appear to read: We help you make sure that no-one can read your e-mail, except us. The sick thing is, Notes will probably *still* be the best choice, despite these matters (compared to competition from other similar software, and from the web). For all the `Notes is dead, long live the web' talk, the web as I've used it lacks authentication and access control beyond an all-or-none system. I'll go check w3.org again. 
richard - -- Richard Martin Alias|Wavefront - Toronto Office [Co-op Software Developer, Games Team] rmartin at aw.sgi.com/g4frodo at cdf.toronto.edu http://www.io.org/~samwise Trinity College UofT ChemPhysCompSci 9T7+PEY=9T8 Shad Valley Waterloo 1992 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMP6AYx1gtCYLvIJ1AQHd1gP9GkTInUub19NPVtIHARULq4g/ifCpMp4g P1U5FwtHrAfoDvgmwP275JUj/4zfJZ6p7YYnI10ihPD/Jjt6RmEmU/1D6N2XAeuc chr70nuWVpnUxUXhkSvhDcebDz/FejMAFx9ko3xIkQQDYYstsA+tJBadMPosC8Ec PEMPVbdfkRA= =zPD2 -----END PGP SIGNATURE----- From grimm at MIT.EDU Wed Jan 17 17:37:22 1996 From: grimm at MIT.EDU (grimm at MIT.EDU) Date: Thu, 18 Jan 1996 09:37:22 +0800 Subject: Base conversion Message-ID: <9601170548.AA04146@vongole.MIT.EDU> I am trying to write some code to perform base conversions on very large numbers (possibly as large as 256^(2^(ULONG_MAX))). Specifically, I store the numbers in base 256, but I would like to be able to print them in base 10. Any really brilliant ideas? -James From hoz at univel.telescan.com Wed Jan 17 18:05:14 1996 From: hoz at univel.telescan.com (rick hoselton) Date: Thu, 18 Jan 1996 10:05:14 +0800 Subject: pgp broken? Message-ID: <9601171631.AA15064@toad.com> At 07:42 AM 1/17/96 -8, you wrote: >On 16 Jan 96 at 19:16, Derek Atkins wrote: >To give further perspective, he kept claiming that a "triple DES with >RS4 overlay" was the most secure method of encryption. Well, he's wrong. A one time pad (properly generated and used) is provably secure as the "most" secure cipher. Speaking of "provably", ask him if he's sure that "triple DES with an RC4 overlay" is more secure than, say, "quintuple DES with an RC4 overlay" (since we're making up combinations). I would be VERY interested in any mathematical proof or empirical evidence that putting the RC4 on top of the encryption would be more secure than doing it first or between the DES rounds.
Some pretty good mathematicians have failed to produce such sweeping results (for the public domain, anyway.) Let's see if I have this right. Someone with access to the internet claims that someone with access to the DOD claims that some cipher system is good and another is bad. I have no reason to believe you. You seem to have no reason to believe him. He does not seem to know what he's talking about, on a subject where a great deal of effort is expended to promote confusion... I think I've got it! Rick F. Hoselton (who doesn't claim to present opinions for others) From a-kurtb at microsoft.com Wed Jan 17 18:06:51 1996 From: a-kurtb at microsoft.com (Kurt Buff (Volt Comp)) Date: Thu, 18 Jan 1996 10:06:51 +0800 Subject: underground digital economy Message-ID: Certainly. There are a couple of ways, but all one needs is some sort of gateway to an e-cash, which is simply e-money without identification. The gateway could take the form of a human intermediary, with either services or physical goods being the medium of exchange, or simply an exchange server which takes a cut off the top, as happens in the street all the time in countries that have currency restrictions. Kurt ---------- From: jim at bilbo.suite.com[SMTP:jim at bilbo.suite.com] Sent: Wednesday, January 17, 1996 14:39 To: cypherpunks at toad.com Subject: underground digital economy Question: The existing underground economy uses the same money as the aboveground economy (i.e. paper money, for the most part). Could a significant underground digital economy develop if the aboveground digital economy used only identified e-money?
Jim_Miller at suite.com ____________________________________________________________________ The Internet is a land bridge for memes ____________________________________________________________________ From a-kurtb at microsoft.com Wed Jan 17 18:08:57 1996 From: a-kurtb at microsoft.com (Kurt Buff (Volt Comp)) Date: Thu, 18 Jan 1996 10:08:57 +0800 Subject: Random Number Generators Message-ID: If you're going to work with hardware to get really random numbers, why not go to the back of any of several PC-type magazines, and order the radiation detector board that someone is hawking? Can't really do any better than that, can you? Counting cosmic ray hits and noting their time differentials should be just what the doctor ordered, right? Kurt ---------- From: Perry E. Metzger[SMTP:perry at piermont.com] Sent: Wednesday, January 17, 1996 11:00 To: Timothy L. Nali Cc: cypherpunks at toad.com Subject: Re: Random Number Generators "Timothy L. Nali" writes: > For a class project, I will be designing a VLSI cmos chip to generate > truly random numbers (The chip will be fabricated). I'm limited to a > 2-micron standard cmos technology > The most promising design I've seen so far (that I can actually > do) is based on clocking a D flip-flop in the following way: I'd say that the design you have picked has a couple of problems with it. The first is that you are, from what I can tell, building a synchronizer, which means that you may have metastability problems. (Your diagram wasn't completely clear so I can't tell). Also, you are depending on a sloppy clock and a not sloppy clock actually having the stated properties, which means you aren't really generating randomness so much as hoping you can detect and exploit it. As it is very hard to determine if a stream is really random, this makes your life difficult. Far better to try to use some analog tricks in the circuit itself to generate the random numbers for you. 
Of course, some of these end up producing metastability problems of their own... Can anyone point this guy at good texts on all of this? I've never found one... Perry From tomj at microsoft.com Wed Jan 17 18:22:38 1996 From: tomj at microsoft.com (Tom Johnston) Date: Thu, 18 Jan 1996 10:22:38 +0800 Subject: CryptoAPI and export question Message-ID: Two points: the CSP development kit is export-controlled; and signing a CSP developed by a foreign vendor is treated as an export -- so the signature is export-controlled. We would ship a CSP development kit to a foreign vendor, and sign a CSP developed by the foreign vendor, but only with the appropriate export licenses. -TJ ---------- From: Dr. Dimitri Vulis To: Subject: Re: FW: CrytoAPI on Cypherpunks Date: Wednesday, January 17, 1996 8:37PM Tom Johnston writes: > >>> We won't charge high fees (right now, it's free!). Our policy is > >>> simple: we'll sign the CSP of anyone who follows the rules. Would you sign a foreign-developed CSP (which isn't subject to the rules)? --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From harveyrj at vt.edu Thu Jan 18 10:42:17 1996 From: harveyrj at vt.edu (R. J. Harvey) Date: Thu, 18 Jan 96 10:42:17 PST Subject: noise levels and hack-Microsoft Message-ID: <199601181841.NAA19754@sable.cc.vt.edu> At 10:47 AM 1/18/96 -0500, you wrote: > >"R. J. Harvey" writes: >> At 10:20 AM 1/18/96 -0500, Perry wrote: >> > >> >Posts on windows registration wizards, gun control, unemployment, >> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >> Well, I'm sure you're correct on most of those, >> but the post on Microsoft using ENCRYPTED databases >> of competitor programs as part of its plan to surreptitiously > >Actually, the database isn't encrypted -- it's plaintext -- and the >wizard isn't surreptitious and tells you everything it's doing and lets >you stop it if you like. In short, the topic has no cryptography >or security relevance *AT ALL*. 
> I don't mean to sound argumentative, but I'm wondering if you actually read the article cited earlier today by the person you were criticizing for 'noise.' To quote from Andrew Schulman, the author of the piece he referenced, and a person who has more than a little credibility on such topics, REGWIZ.EXE in turn loads a dynamic-link library, \WINDOWS\SYSTEM\PRODINV.DLL. This is the "Product Inventory DLL," normally used for compliance checking of upgrades to Microsoft Office programs such as WinWord. (In fact, PRODINV.DLL's internal module name is "COMPLINC," for "compliance checking.") Of course, when you buy the upgrade edition of something like WinWord, there needs to be a mechanism to check that in fact you really are upgrading from some previous word processor -- be it a previous version of WinWord, or a competitor's word processor, such as AmiPro or WordPerfect. So there's an encrypted database (the reasons ^^^^^^^^^^^^^^^^^^^^^ for this encryption are discussed below) inside PRODINV of about 100 products, ... At this point, it was trivial to locate the beginning and end of the buffer, and write it to disk. (Recall that the database is stored on disk in encrypted form; this is why a search of ^^^^^^^^^^^^^^^^^ the entire hard disk did not find it.) ... The database is encrypted because otherwise it would be trivial to fool this "wizard" (hmm...; examination of RegWiz/ProdInv shows it to be anything but wizardly) simply by creating an appropriately-sized file with the appropriate name in the appropriate subdirectory. Although I haven't personally verified the above, I'm quite confident that Schulman is correct here. Of perhaps greater relevance to this list, the final passage cited above should provide a potentially very interesting "project" for those list-readers who are interested in the "hack Microsoft" project. 
Schulman got at the cleartext by looking at the program in a debugger, AFTER it had decrypted the database and loaded its contents into memory; he didn't try to crack the encryption method itself. My point is, if the crypto used here is as poor as has been seen in the password area, and somebody were to come up with a way to fool this "compliance checking" protocol (which would defeat BOTH the "voluntary" registration function and the potentially much more interesting reduced- price product upgrading authentication mechanism), I think that might constitute very poor PR for Micro$oft, as well as a highly crypto-relevant issue. That is, a hell of a lot more people might exploit a flaw like that in order to falsely qualify for cheap upgrades than would ever be involved in exploiting the password cache problem. For those who missed it, and who care, the URL is ftp://ftp.ora.com/pub/examples/windows/win95.update/regwiz.html rj From stevenw at best.com Wed Jan 17 19:09:08 1996 From: stevenw at best.com (Steven Weller) Date: Thu, 18 Jan 1996 11:09:08 +0800 Subject: A Modest Proposal: Fattening up the Proles Message-ID: Tim May: >(Ironically, I brought up the new book, "The Winner Take All Society," at >the last Cypherpunks meeting. No time to discuss it here, but it confirms >my strong belief that we are heading for a economy in which a shrinking >fraction of workers have really valuable things to contribute, and a >growing fraction of the population does not. I had not recalled the >authors, but Strick had a battery-powered laptop and Metricom wireless >modem, and ran an Alta Vista search from where he was sitting: ROBERT FRANK >& PHILIP COOK, The Winner-Take-All Society, New York: The Free Press.) See also _The End of Work_ by Rifkin. It chronicles changing work patterns from agriculture through mass manufacturing and the service age on to an uncertain future. Lots of interesting numbers and "look what is already happening" statements. 
It also shows that the changes are inexorable, just as the decline in agriculture based on human and animal labor was. ------------------------------------------------------------------------- Steven Weller | "The Internet, of course, is more | than just a place to find pictures | of people having sex with dogs." stevenw at best.com | -- Time Magazine, 3 July 1995 From Steve_Makrecky at msn.com Thu Jan 18 11:24:40 1996 From: Steve_Makrecky at msn.com (Steve Makrecky) Date: Thu, 18 Jan 96 11:24:40 PST Subject: Keyboard emulation Message-ID: Looking for a design of a keyboard & mouse emulator. What I would like to do is control a main computer's keyboard and mouse functions by a second RS232 remote IBM PC. Has anybody tried this? Do you foresee any problems? From myrkul at limestone.kosone.com Wed Jan 17 20:04:15 1996 From: myrkul at limestone.kosone.com (myrkul at limestone.kosone.com) Date: Thu, 18 Jan 1996 12:04:15 +0800 Subject: mailing list Message-ID: <9601180323.AA27800@limestone.kosone.com> please add my address to the mailing list. From tcmay at got.net Wed Jan 17 20:12:23 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 18 Jan 1996 12:12:23 +0800 Subject: Random Number Generators Message-ID: At 11:40 PM 1/17/96, Kurt Buff (Volt Comp) wrote: >If you're going to work with hardware to get really random numbers, why not >go to the back of any of several PC-type magazines, and order the radiation >detector board that someone is hawking? Can't really do any better than >that, can you? Counting cosmic ray hits and noting their time differentials ^^^^^^^^^^^^^^^ >should be just what the doctor ordered, right? Almost all of the counts in simple radiation detectors are from earthly sources, not from cosmic rays. For Geiger tube counters (not very common these days), the main counts are for gamma rays and for beta particles (if a beta window is included). 
For solid-state detectors, most of the counts are still betas and gammas, even though solid-state detectors (e.g., PIN diodes) are certainly _capable_ of detecting alpha particles. The reason is that alphas are very nonpenetrating, so alpha detectors for intentional use must have extremely thin (and hence fragile and expensive) windows or protective layers. Basically, it makes little sense to count alphas when a rough radioactivity measurement is sought, as with cheap detectors. Solid state detectors specially set up with alpha sources in proximity to the detector are possible, but are a specialty item. RNGs based on thermal noise and natural radioactivity have been discussed on our list at least a dozen times (multiple posts each time), so I suggest further research be done there. --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From ericm at lne.com Wed Jan 17 20:54:34 1996 From: ericm at lne.com (Eric Murray) Date: Thu, 18 Jan 1996 12:54:34 +0800 Subject: A weakness in PGP signatures, and a suggested solution In-Reply-To: <199601180344.WAA26221@charon.MIT.EDU> Message-ID: <199601180442.UAA15648@slack.lne.com> Derek Atkins writes: [Dr Dimitri writes:] > > > 2. When PGP verified the signature, it should have an option to look outside > > the signed portion for RFC 822 headers and compare them to the signed copy > > of the headers inside. If this is not in PGP, then the function would have to > > be done by some non-portable wrapper. > > (Of course, if your headers aren't RFC 822, you're out of luck.) 
[..] > PGP really only looks at the contents between the BEGIN and END. It > can't do anything else. In fact, only the PGP Armor code even deals > with that. By definition, PGP is a binary protocol and deals with > binary data objects. So how can it look at any "RFC 822 Headers"? > There are no such animals in PGP. It is perfectly legal to remove all > data before the BEGIN and all data after the END and feed the result > to PGP... > > As I said, armor is a convenience to the user only. > > PGP will not be modified in this way; it is the job of the mailer > (MUA) to do this sort of thing. Sorry. I agree. PGP should be as generic as possible; making it "know" about RFC822 and mailers makes it less generic. Your PGP-aware mail agent should add a line to the text to be encrypted, consisting of a random number (hopefully very unguessable and fairly random) and an RFC822 header: X-PGP-nonce: b1de70694f5f0824f89cb3f09aece01d and replicate that in the RFC822 envelope. Put just the nonce value and not the header in the block to be encrypted if you're concerned about assisting a known-plaintext attack. The nonce can't be extracted from the PGP ciphertext unless the attacker has the ability to crack PGP, in which case merely re-directing PGP encrypted messages to different recipients is beneath them. :-) It is small and is easily verified by the human looking at the message. PGP, or more accurately the MUA, won't need to check it (although that would be fairly easy to do). But like Derek says, PGP shouldn't do it, the MUA should. 
-- Eric Murray ericm at lne.com ericm at motorcycle.com http://www.lne.com/ericm PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF From warlord at ATHENA.MIT.EDU Wed Jan 17 21:03:43 1996 From: warlord at ATHENA.MIT.EDU (Derek Atkins) Date: Thu, 18 Jan 1996 13:03:43 +0800 Subject: A weakness in PGP signatures, and a suggested solution In-Reply-To: <199601180442.UAA15648@slack.lne.com> Message-ID: <199601180452.XAA26447@charon.MIT.EDU> > Your PGP-aware mail agent should add a line to the text to be > encrypted, consisting of a random number (hopefully very unguessable > and fairly random) and an RFC822 header: > > X-PGP-nonce: b1de70694f5f0824f89cb3f09aece01d > > and replicate that in the RFC822 envelope. > Put just the nonce value and not the header in the block to be > encrypted if you're concerned about assisting a known-plaintext attack. Actually, that doesn't work either -- if I wanted to forward the message you sent me to someone else to make them think that you sent it to them, I could just take the nonce and put that in the header of my forwarded message and it would match... No, you need to include the "to" and "cc" fields as well inside the signed message. But again, the MUA should do this, not PGP. -derek From nobody at REPLAY.COM Wed Jan 17 21:15:22 1996 From: nobody at REPLAY.COM (Anonymous) Date: Thu, 18 Jan 1996 13:15:22 +0800 Subject: Attack Simulator Message-ID: <199601180250.DAA29088@utopia.hacktic.nl> Internet Scanner Software Checks Network Security Atlanta, Jan. 17 -- Internet Security Systems has released version 3.2 of its Internet Scanner software. The company said the program is an "attack simulator" that tests your organization's network for security holes. ISS said Internet Scanner 3.2 has enhanced reporting capabilities and added tests for more than 130 security vulnerabilities, including the recently revealed Microsoft File Sharing bug. 
"Our added focus on Microsoft security holes stems from our customers' rapid adoption of TCP/IP (Transmission Control Protocol/Internet Protocol)-enabled Microsoft Windows NT and Windows 95," said Chris Klaus, founder and chief executive officer of ISS. According to Don Ulsch, a security consultant affiliated with the National Security Institute in Westborough, Massachusetts, The movement to Windows 95 created a whole new set of security concerns for network administrators. "Similar to virus scanning software, a security scanning tools' value to a corporation declines quickly unless it can detect the latest security holes. In the security arena, every upgrade is crucial," said Ulsch. New features of Internet Scanner 3.2 include added reporting capabilities including hyperlinks that connect to CERT advisories and vendor World Wide Web sites to pull down patches and information regarding network holes, and addition of Linux as a supported platform. The company said that will allow easy scanning from laptop PCs. The additional tests added to the new version include the Microsoft File Sharing bug, the TelnetD bug, the Stealth Scan, Finger Bomb, and misconfigured Linux NIS services. The company said its customers who have current maintenance contracts can now electronically download the updated version from the USS Web home page at http://iss.net. Internet Security Systems, tel 770-441-2531, fax 770-441-2431 From m5 at dev.tivoli.com Wed Jan 17 21:22:56 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Thu, 18 Jan 1996 13:22:56 +0800 Subject: THE RECIPROCAL ?...... In-Reply-To: Message-ID: <9601171433.AA20281@alpha> Terence Joseph Mallon writes: > "When people talk of encryption they use the word break, they are > approaching from one way but not the only way. I am at present trying the > reciprocal, that is, to mend." 
Why do I sometimes feel that personalities that once were drawn to design of perpetual motion machines or techniques for squaring circles may very soon flock to cryptographic "research"? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From wilcoxb at nag.cs.colorado.edu Wed Jan 17 22:00:30 1996 From: wilcoxb at nag.cs.colorado.edu (Bryce) Date: Thu, 18 Jan 1996 14:00:30 +0800 Subject: A weakness in PGP signatures, and a suggested solution (long) Message-ID: <199601172309.QAA12674@nag.cs.colorado.edu> -----BEGIN PGP SIGNED MESSAGE----- An entity calling itself Rich Graves allegedly wrote: > > An easy short-term partial solution would be to modify mailcrypt, bap, or > whatever front end you use to automatically put the current date and (a > shortened form of) the To: or Newsgroups: header into the PGP signature > Comments: line. I wrote: > > A good idea, and one I was about to implement for BAP, but > doesn't PGP itself stick a timestamp into the signature? > When I verify a signature it says "verified, signed at > XXX time & date.". Whoops! I misunderstood. The fix I am considering is putting some information inside the *body* of the message, probably at the end just before the signature. 
Regards, Bryce -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01 -----END PGP SIGNATURE----- From anon-remailer at utopia.hacktic.nl Wed Jan 17 22:08:59 1996 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Thu, 18 Jan 1996 14:08:59 +0800 Subject: Information Sent by Netscape during Queries Message-ID: <199601161954.UAA19735@utopia.hacktic.nl> Jeff Weinstein writes: > > 3) Can we go completely stealth inside of Netscape without a proxy server? > No. Right now you can't disable cookies, you can't disable > referer, and you can't mask your IP address. But on Unix systems, at least, you can make "referer" more difficult for nosy servers to use -- subject to the "applicable laws" where you live. (The license agreement says, "...you agree not to modify the Software ... except to the extent [that] applicable laws specifically prohibit such restriction.") Just back up your Netscape executable, then load it into Emacs (or any editor which can handle arbitrary binary files), search for the "Referer:" string, and change it to an appropriate string of the same length. "MYOB: " sounds like an appropriate string to me... -----//---------------------------------------------------------------- Please note: This message has been anonymized on request of its sender. If you would prefer not to receive anonymous mails from this machine, please contact postmaster at bi-node.zerberus.de and say so. For further information regarding this service, please send mail to remailer at bi-node.zerberus.de with subject 'remailer-help'. 
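The two proposals from the "A weakness in PGP signatures" thread above (the X-PGP-nonce header, and Derek Atkins's point that the To and Cc fields must sit inside the signed text), as an added example that is not code from any poster or from PGP. An HMAC stands in for the PGP signature, since like PGP it covers only the body it is handed; the `Signed-Recipients` line, the function names and all addresses are assumptions made for the illustration.

```python
import hashlib
import hmac
from email.utils import getaddresses

# Stand-in for a PGP signature: it covers only the body bytes handed to
# it and knows nothing about RFC 822 headers. (Constructed demo key.)
_DEMO_KEY = b"constructed-demo-key-for-alice"


def sign(body):
    return hmac.new(_DEMO_KEY, body.encode(), hashlib.sha256).hexdigest()


def verify(body, sig):
    return hmac.compare_digest(sign(body), sig)


def recipients(headers):
    """Normalised, sorted addresses taken from the To and Cc headers."""
    fields = [headers.get("To", ""), headers.get("Cc", "")]
    return sorted({addr.lower() for _, addr in getaddresses(fields) if addr})


# Scheme 1: nonce copied into the signed text and into the envelope.
def send_with_nonce(headers, text, nonce):
    body = "X-PGP-nonce: %s\n\n%s" % (nonce, text)
    return dict(headers, **{"X-PGP-nonce": nonce}), body, sign(body)


def check_nonce(headers, body, sig):
    if not verify(body, sig):
        return "bad-signature"
    signed_nonce = body.split("\n", 1)[0].partition(": ")[2]
    same = hmac.compare_digest(signed_nonce, headers.get("X-PGP-nonce", ""))
    return "ok" if same else "context-mismatch"


# Scheme 2: the MUA writes the recipients into the signed text.
# "Signed-Recipients" is a hypothetical field name, not a PGP feature.
def send_with_context(headers, text):
    body = "Signed-Recipients: %s\n\n%s" % (", ".join(recipients(headers)), text)
    return dict(headers), body, sign(body)


def check_context(headers, body, sig):
    if not verify(body, sig):
        return "bad-signature"
    name, _, value = body.split("\n", 1)[0].partition(": ")
    if name != "Signed-Recipients":
        return "context-missing"
    signed = sorted(a.strip() for a in value.split(",") if a.strip())
    return "ok" if signed == recipients(headers) else "context-mismatch"


def demo():
    # Constructed message from alice to bob, copied to dave.
    sent = {"From": "alice@example.org", "To": "bob@example.org",
            "Cc": "dave@example.org", "Subject": "offer"}
    text = "I agree to your terms."
    nonce = "b1de70694f5f0824f89cb3f09aece01d"  # value quoted in the thread

    n_hdr, n_body, n_sig = send_with_nonce(sent, text, nonce)
    c_hdr, c_body, c_sig = send_with_context(sent, text)

    # The signed body is passed on unchanged under a rewritten envelope,
    # with every other header (including the nonce) carried along.
    def readdress(h):
        return dict(h, To="carol@example.org", Cc="")

    # Editing the signed recipient line itself invalidates the signature.
    edited = c_body.replace("bob@example.org", "carol@example.org")

    return {
        "nonce_original": check_nonce(n_hdr, n_body, n_sig),
        "nonce_redirected": check_nonce(readdress(n_hdr), n_body, n_sig),
        "context_original": check_context(c_hdr, c_body, c_sig),
        "context_redirected": check_context(readdress(c_hdr), c_body, c_sig),
        "context_edited": check_context(readdress(c_hdr), edited, c_sig),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-20s %s" % (case, result))
```

The nonce check still reports "ok" after the envelope is rewritten, which is the objection raised in the thread; only the check that compares the envelope against recipients held inside the signed text reports the change.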
From jthomas at access.digex.net Wed Jan 17 22:21:50 1996 From: jthomas at access.digex.net (Joe Thomas) Date: Thu, 18 Jan 1996 14:21:50 +0800 Subject: CryptoAPI and export question Message-ID: On Wed, 17 Jan 1996, Tom Johnston wrote: > Two points: the CSP development kit is export-controlled; and signing a > CSP developed by a foreign vendor is treated as a export -- so the signature > is export-controlled. The *signature* is export controlled?!? What the hell kind of sophistry could the State Department use to deny an export license to a signature? Joe From mdeindl at vnet.ibm.com Wed Jan 17 23:05:40 1996 From: mdeindl at vnet.ibm.com (Michael Deindl) Date: Thu, 18 Jan 1996 15:05:40 +0800 Subject: A weakness in PGP signatures, and a suggested solution (long) In-Reply-To: <199601030407.UAA12551@comsec.com> Message-ID: >>>>> Christopher R Key writes: > First of all, if the recipient is a newsgroup, why > would that particular information need to be part of the signed > information? E.g. if I post some Emacs-worshipping to alt.religion.emacs --- fine. But if someone forwards this to some serious comp.editor group, maybe some people don't understand the jokes... Only one example why it can be necessary to include the context (e.g. the recipient) into the signature. > If you post to a newsgroup a message that is only > signed (as opposed to encrypted also), then you are obviously not > worried about who reads it. The question is not if I care who reads it. The question is in which context (i.e. in which newsgroup) someone reads it. > The signature is only a method of > proving that the important text (message) is unchanged and intact, > and that the person who it is supposed to be from is the same who > signed it. Probably many people don't make this distinction between the message and the context. And additionally: I can only prove that someone forwarded my message to a wrong context, when the context is signed, too. 
Sure, I can include context-information manually, but when we want as many people as possible using strong-crypto, it should be as fool-proof as possible. Therefore I think it would be a good idea to include the context into the signature. > Secondly, if you are sending email to some one and sign it using > pgp, wouldn't that person need pgp to prove that in fact you did > sign it? Then it can be reasonable that if that person has pgp to > prove the signature, that person has pgp to decrypt mail sent to > them. Simply sign your message and encrypt it using that person's > public key. {SNIP} Then the recipient decrypts the message, encrypts it under another person's public-key and forwards it to them. And so the context has changed, while my signature is still valid..... Have a nice day! Michael Deindl -- DISCLAIMER: My opinions are my own, not those of my employer IBM. From leefi at microsoft.com Thu Jan 18 00:14:02 1996 From: leefi at microsoft.com (Lee Fisher) Date: Thu, 18 Jan 1996 16:14:02 +0800 Subject: Microsoft's CAPI Message-ID: Matt Blaze writes: | I attended a meeting at Microsoft the other day at which they | described their Crypto API project. As CAPIs go, it's reasonable | enough; ... As of today, some basic information on "Microsoft CryptoAPI" is available at http://www.microsoft.com/intdev/inttech/cryptapi.htm. It looks like this page has an overview, a 25-page Programmer's Guide, and 5 sample apps which use the API. In general, http://www.microsoft.com/intdev/ is the best place to check for any new for Internet developer-related stuff from MSFT. __ Lee Fisher, leefi at microsoft.com, 206.936.8621 From Matthew.Sheppard at Comp.VUW.AC.NZ Thu Jan 18 01:09:51 1996 From: Matthew.Sheppard at Comp.VUW.AC.NZ (Matthew James Sheppard) Date: Thu, 18 Jan 1996 17:09:51 +0800 Subject: Microsoft's CAPI In-Reply-To: Message-ID: <199601180110.OAA12788@bats.comp.vuw.ac.nz> The shadowy figure took form and announced "I am Alan Bostick and I say ... 
> The next obvious question is: Will Microsoft sign strong-crypto CSPs > developed by foreign developers for out-of-USA use? Too obvious really, if they signed strong foreign crypto MS would neither be exporting strong crypto or exporting an application that had general purpose crypto hooks, since technically only that specific foreign implementation could be used. However I would guess that the arrangement with the guvmint would label the signing to be the equivalent of MS exporting an application with strong crypto and subject to the same disciplinary measures, just transferred to the time of signing. Perhaps there will be some modification to the itar - thou shalt not _enable_ foreign markets to have strong crypto. I assume MS would be free to sign weak foreign crypto, but as "weak" crypto is hard/expensive to determine I think they would take the easy way out. I'd also expect a kernel patch to be part of the install procedure of foreign crypto. --Matt From sandoval at cic.teleco.ulpgc.es Thu Jan 18 02:38:48 1996 From: sandoval at cic.teleco.ulpgc.es (Juan D. Sandoval) Date: Thu, 18 Jan 1996 18:38:48 +0800 Subject: ITSEC? Message-ID: <01BAE590.53F311C0@pcjdsandoval.teleco.ulpgc.es> does anyone know where I can get info on Information Technology Secure Evaluation Criteria (ITSEC)? I think it is more or less like "the orange book" but in Europe. Thanks From frissell at panix.com Thu Jan 18 03:22:04 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 18 Jan 1996 19:22:04 +0800 Subject: A Modest Proposal: Fattening up the Proles Message-ID: <2.2.32.19960118110434.0092d8d8@panix.com> At 06:46 PM 1/17/96 -0800, Steven Weller wrote: >See also _The End of Work_ by Rifkin. It chronicles changing work patterns >from agriculture through mass manufacturing and the service age on to an >uncertain future. Lots of interesting numbers and "look what is already >happening" statements. 
It also shows that the changes are inexorable, just >as the decline in agriculture based on human and animal labor was. Except when I had Rifkin on the phone on a National Commie Radio talk show he dishonestly refused to admit the fact that -- so far -- employment in the US (total and percentage workforce participation) is higher than it's ever been. A lot of that is the commie belief that a job is something someone else gives you rather than something that you do. It's a bit hard to be without work if you assign it to yourself. And if wants are unlimited then one of the "goods" for which wants are unlimited is labor. DCF "A job he calls it! Reading the legal notices in the Times searching for unclaimed bequests in his name." -- The New Yorker From pati at ipied.tu.ac.th Thu Jan 18 03:37:58 1996 From: pati at ipied.tu.ac.th (Patiwat Panurach (akira rising)) Date: Thu, 18 Jan 1996 19:37:58 +0800 Subject: underground digital economy In-Reply-To: <2.2.32.19960118010840.00e13e78@netcom.com> Message-ID: On Wed, 17 Jan 1996, Alexander 'Sasha' Chislenko wrote: > If you sell a new version of CryptoDoom for digicash, and would like to > buy a car that is only sold for paper money, and I have a car to sell and > want to buy your CryptoDoom, *somewhere* in the market there will appear > an exchange agent that would help us complete the transaction. In the > case of parallel digital currencies this exchange market would be very > liquid because of the high speed, low cost, and security/privacy of the > transactions. This model isn't as practical as it seems. For one thing, it is a classic case of barter: exchange for things that you want but don't have. This becomes extremely difficult with specialization. Let's say I make only CryptoDoom, it's the only thing that I have the skills to make. The things that I want but can't produce each day are numerous: food, transport, housing, ad infinitum. 
One-to-one barter is only useful if both agents (in a 2 agent economy) need only 2 goods and specialize. This is the root of money: a means of exchange between heterogenous products. Although a parallel digital internetwork would allow occasional barters to increase their viability, it does not mean that barter will replace money. But there's some ambiguity here: What is implied by "The case of parallel digital currencies this exchange market would...."? Does this recommend exchange markets (barter) or fiat (currency)? ------------------------------------------------------------------------------- Patiwat Panurach Whatever you can do, or dream you can, begin it. eMAIL: pati at ipied.tu.ac.th Boldness has genius, power and magic in it. m/18 junior Fac of Economics -Johann W.Von Goethe ------------------------------------------------------------------------------- From proff at suburbia.net Thu Jan 18 19:40:23 1996 From: proff at suburbia.net (Julian Assange) Date: Thu, 18 Jan 96 19:40:23 PST Subject: Attack Simulator In-Reply-To: <199601190129.UAA22928@dal1820.computek.net> Message-ID: <199601190337.OAA09829@suburbia.net> > > ISS and SATAN are different tools. There is a non-commercial version of ISS available. ISS didn't > get as much notice as SATAN - I guess it's because it's author isn't as widely known as Dan Farmer. > -- Err, no it's just because ISS is called ISS. Though if Klaus was into B&D, bisexuality, gutter philosophy courses, exhibitionism and tight blank pants perhaps it/he would be better known. Wadda you reckon Klaus? Could this be the new you :)? -- +----------------------------------+-----------------------------------------+ |Julian Assange | "if you think the United States has | |FAX: +61-3-9819-9066 | stood still, who built the largest | |EMAIL: proff at suburbia.net | shopping centre in the world?" 
- Nixon | +----------------------------------+-----------------------------------------+ From sandfort at crl.com Thu Jan 18 19:42:49 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Thu, 18 Jan 96 19:42:49 PST Subject: PARTY-PARTY-PARTY Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, You are all invited to the party I am having on 10 February. Instead of using old-fashioned e-mail to give you the details, I'm using a Web page donated by co-host Sameer. Check it out: http://www.c2.org/party/masquerade/html By the time you read this, there should be a map on the page. If not, try back in a day or two. If you do not have a browser, send me e-mail and I'll send you an ASCII invitation. Cheers, S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From shamrock at netcom.com Thu Jan 18 19:46:31 1996 From: shamrock at netcom.com (Lucky Green) Date: Thu, 18 Jan 96 19:46:31 PST Subject: Blacknet & Lotus Notes Message-ID: At 19:13 1/18/96, Adam Shostack wrote: [...] > So...Is Notes V4 shipping yet? Do we know how many bits of >key we're after? (NB: I'm assuming that (some part of) the US >government has an RSA private key which is used to encrypt the 24 bits >of GAK'd key.) What I would like to know is which agencies have the key. Any hard info? -- Lucky Green PGP encrypted mail preferred. From jya at pipeline.com Thu Jan 18 20:33:41 1996 From: jya at pipeline.com (John Young) Date: Thu, 18 Jan 96 20:33:41 PST Subject: The I Bomb Message-ID: <199601190433.XAA09367@pipe1.nyc.pipeline.com> A&E presents this week the BBC Horizons show, "The I Bomb," featuring Tim May smart-bombing various brass and infowar chicken littlers. It also shows an SAIC wizard sniffing a system to plant evil polymorphous code a la Shimomura -- presaging the recent GNN report on NSA's net traps. 
---------- From: http://www.aetv.com A&E _________________________________________________________________ Series: Voyages. The I-Bomb. A look at how information--not bombs--is becoming the most important weapon in war. Includes interviews with top U.S. military strategists and futurists Alvin and Heidi Toffler. Duration: 1 hour DateTime Thursday1/18 10pm [EST, presumably, since the show just finished] Friday1/19 2am Saturday1/20 11am _______________________________________________________________ From perry at piermont.com Thu Jan 18 04:58:21 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 18 Jan 1996 20:58:21 +0800 Subject: Crippled Notes export encryption In-Reply-To: <199601172347.SAA19227@bb.hks.net> Message-ID: <199601180132.UAA00759@jekyll.piermont.com> Alan Pugh writes: > infoMCI (sm) > Lotus-Security - Lotus Announces Compromise for Export of Strong > Encryption So, Lotus thinks they can fool people by back-dooring in key escrow, eh? Time to break out the artillery. Perry From Jeremym at area1s220.residence.gatech.edu Thu Jan 18 07:03:33 1996 From: Jeremym at area1s220.residence.gatech.edu (Jeremy Mineweaser) Date: Thu, 18 Jan 1996 23:03:33 +0800 Subject: ITSEC? Message-ID: <2.2.32.19960118133432.00923e2c@area1s220.residence.gatech.edu> At 10:32 AM 1/18/96 -0000, Juan D. Sandoval wrote: >does anyone know where I can get info on Information Technology >Secure Evaluation Criteria (ITSEC)? Here's what I found: ------------------------> Excerpted from _Computer_Security_Handbook,_Third_Edition_ by Hutt, Bosworth, & Hoyt (C) 1995 by John Wiley and Sons: (d) European and Canadian Security Standards. Since its original publication in 1983, the TCSEC has greatly influenced It security. It is widely recognized as a yardstick for evaluating products in relation to security features and assurances needed to support security objectives. 
TCSEC has also influenced the development of other documents both in the US and abroad, forming a foundation of second-generation requirements. In 1991, the European Community adopted the Information Technology Security Evaluation Criteria (ITSEC) for a two year trial period. The ITSEC approach uses "Security Targets" for expressing security functionality profiles. ITSEC was built upon various national initiatives, including the TCSEC, and represents a /harmonized/ effort among France, Germany, the Netherlands, and the United Kingdom. ------------------------> A quick search of INSPEC (described below) turned up some useful results, as well. INSP (INSPEC) Citations and abstracts of articles in physics, electronics, engineering, computer and information technology journals. A keyword search for ITSEC revealed 30+ documents related to IT and systems security measures. The citation below seemed the most useful: Sizer, R. "Information technology security evaluation criteria (ITSEC)." _Computer_Bulletin_, vol.5, pt.5, p.7. Oct. 1993. ISSN: 00104531 ;;gtec. Keywords: data integrity. data privacy. security of data. Class codes: C0310D. C6130S. Date indexed: 12/93. Abstract: The insecurity of IT systems (typified by unauthorised access) is a complex and increasingly aggravating social problem. All sectors of society-commerce, industry, government (local and national) and domestic are at risk. People who have the responsibility for choosing, installing or using IT systems have faced considerable difficulty in choosing IT security products purporting to provide a 'secure environment' employing technical security mechanisms in hardware and software. The problem has, in the main, been the highly subjective claims for, and interpretation of, those security mechanisms. The ITSEC criteria involve the independent evaluation of IT products and systems (hardware and software) which claim security features.
Security includes confidentiality, integrity and availability ------------------------> This citation may also be useful, but the text of the paper is in German. Peleska, J. and Reichel, H. of Deutsche Syst.-Tech. GmbH, Kiel, Germany. "Formal specification of generic ITSEC functionality classes." _Informatik_-_Wirtschaft_-_Gesellschaft_ (Informatics - Economy - Society). p.354-64, 1993. ISSN: 3540571922;;gtec. Conference: Informatik Wirtschaft Gesellschaft (Informatics, Economy, Society), Dresden, Germany, 27 Sept.-1 Oct. 1993. Keywords: formal specification. software quality. standards. Class. Codes: C6110B. Date Indexed: 10/94. Abstract: On the basis of the formal specification, the consistency of specification of a concrete product to the ITSEC standards is not only informally motivatable, but also mathematically provable. In this way, the objective visability, quality and efficiency of the evaluation process are increased. For the evaluation of products at Stage E6, use of the described concepts (or of comparable ones) is indispensable ------------------------> I have access via my local library to the first document (the actual ITSEC specification) but not to the second. You should be able to find the _Computer_Bulletin_ at most universities with CS majors. Hope this helps, Jeremy --- Jeremy Mineweaser | GCS/E d->-- s:- a--- C++(+++)$ ULC++(++++)>$ P+>++$ j.mineweaser at ieee.org | L+>++ E-(---) W++ N+ !o-- K+>++ w+(++++) O- M-- | V-(--) PS+(--) PE++ Y++>$ PGP++>+++$ t+() 5 X+ R+() *ai*vr*vx*crypto* | tv(+) b++>+++ DI+(++) D+ G++ e>+++ h-() r-@ !y- From harveyrj at vt.edu Thu Jan 18 08:10:12 1996 From: harveyrj at vt.edu (R. J. Harvey) Date: Fri, 19 Jan 1996 00:10:12 +0800 Subject: noise levels Message-ID: <199601181533.KAA28653@sable.cc.vt.edu> At 10:20 AM 1/18/96 -0500, Perry wrote: > >The noise levels around here are getting astounding. 
> >Posts on windows registration wizards, gun control, unemployment, ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >Kevin Mitnick's underwear, and all the rest are most certainly NOT >doing us any good. >... >, and YOU DUNDERHEADS >ARE MAKING IT IMPOSSIBLE TO CARRY OUT IMPORTANT DISCUSSIONS. > Well, I'm sure you're correct on most of those, but the post on Microsoft using ENCRYPTED databases of competitor programs as part of its plan to surreptitiously collect information from unsuspecting users when they allow their "wizard" to violate their PRIVACY seems to be quite germane to this lists's topics (which include encryption and privacy, as I recall). I found the reference it pointed to very interesting reading indeed. rj From jamesd at echeque.com Fri Jan 19 00:21:43 1996 From: jamesd at echeque.com (James A. Donald) Date: Fri, 19 Jan 96 00:21:43 PST Subject: CryptoAPI and export question Message-ID: <199601190811.IAA01481@mailx.best.com> At 07:36 PM 1/17/96 -0800, Lucky Green wrote: >So the main thing that the new MS CSP accomplishes is to establish a >standard that will prevent foreigners at the OS level from using real >crypto with popular applications. Way to go Microsoft. It seems to me that Microsofts plan is carefully and ingeniously designed to fail: They will do their best to restrain the export of real crypto, but alas, in the end, they will regretfully admit that they failed. Some evil person will have illegally exported real crypto after they signed it. Too bad. How sad. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. 
| jamesd at echeque.com From wb8foz at nrk.com Thu Jan 18 08:25:37 1996 From: wb8foz at nrk.com (David Lesher) Date: Fri, 19 Jan 1996 00:25:37 +0800 Subject: Lotus to export 64 bit, partially-escrowed Notes In-Reply-To: Message-ID: <199601181533.KAA00501@nrk.com> Bell: > > >A new 'international' version of Lotus notes is being released, with > >64 bit session keys, as opposed to the old 40 bit version. > > > My "vote"? They're "caving-in." > WSJ called it that today....... "caving in to intense government pressure" -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From adam at lighthouse.homeport.org Thu Jan 18 08:26:28 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Fri, 19 Jan 1996 00:26:28 +0800 Subject: underground digital economy In-Reply-To: <9601180428.AA11604@bilbo.suite.com> Message-ID: <199601181543.KAA09099@homeport.org> Jim Miller wrote: | > Certainly. There are a couple of ways, but all one needs is | > some sort of gateway to an e-cash | This is the part that bothers me. Wouldn't a gateway between anonymous | e-money and identified e-money would stick out like a sore thumb to | agencies tracking the flow of identified e-money? Wouldn't identified | e-money trails start and/or terminate at the gateway? Once the gateway is | discovered, all clients on the identified e-money side of the gateway | would be discovered. Anonymity only works when many people use it. So yes, if the gateway is discovered, the client list might be obtainable (unless there are many entry points, each funnelling out through an point thats designed to go down & be replaced. Think remailer chains.) An ecash gateway could provide other services as well, say currency conversion. 
By offering rates slightly better than todays market,* you can draw a lot of legit money through the system to act as cover for other money. Heck, people might even find its easier to do business in the Seychelles than in New Orleans. *a trick which some shops play by timing their trades; if the dollar is low today, buy a stack of dollars, when its high, sell your excess. Pass great rates onto your customers, and make very little on each transaction. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From wb8foz at nrk.com Thu Jan 18 08:29:43 1996 From: wb8foz at nrk.com (David Lesher) Date: Fri, 19 Jan 1996 00:29:43 +0800 Subject: Crippled Notes export encryption In-Reply-To: <199601172347.SAA19227@bb.hks.net> Message-ID: <199601181539.KAA00520@nrk.com> How long before someone posts a patch to break the ""feature"" that does this? -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From perry at piermont.com Thu Jan 18 08:43:19 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 19 Jan 1996 00:43:19 +0800 Subject: noise levels In-Reply-To: <199601181533.KAA28653@sable.cc.vt.edu> Message-ID: <199601181547.KAA06697@jekyll.piermont.com> "R. J. Harvey" writes: > At 10:20 AM 1/18/96 -0500, Perry wrote: > > > >The noise levels around here are getting astounding. > > > >Posts on windows registration wizards, gun control, unemployment, > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > Well, I'm sure you're correct on most of those, > but the post on Microsoft using ENCRYPTED databases > of competitor programs as part of its plan to surreptitiously Actually, the database isn't encrypted -- its plaintext -- and the wizard isn't surreptitious and tells you everything its doing and lets you stop it if you like. 
In short, the topic has no cryptography or security relevance *AT ALL*. The posts on Microsoft's bad encryption for Windows passwords are perfectly relevant, and I hope people don't confuse these issues. Perry From jamesd at echeque.com Thu Jan 18 08:52:07 1996 From: jamesd at echeque.com (James A. Donald) Date: Fri, 19 Jan 1996 00:52:07 +0800 Subject: Random Number Generators Message-ID: <199601181557.PAA06221@mailx.best.com> "Timothy L. Nali" writes: > The most promising design I've seen so far (that I can actually > do) is based on clocking a D flip-flop in the following way: > > [Shifts the output of a clock that he hopes will be sloppy into > a shift register] If you want noise, your circuit needs a known noise source, with known good properties Your circuit has no known noise source, you are just hoping that there will be noise in it somewhere. Johnson noise is amplified thermal noise thus it is known to be good: Amplify johnson noise to signal levels, and then shift this random analog output into a long shift register. (You will need a long shift register to suppress metastable states.) You should set up your low frequency analog feedback to get near equality of ones and zeros, and you should have digital feedback (similar to a CRC generator) to get perfect equality of ones and zeros. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From nobody at REPLAY.COM Thu Jan 18 08:57:28 1996 From: nobody at REPLAY.COM (Anonymous) Date: Fri, 19 Jan 1996 00:57:28 +0800 Subject: Ozzie Apes Jim Clark, Fix Is In to Cave and Cry Message-ID: <199601181602.RAA04965@utopia.hacktic.nl> Wall Street Journal, Jan 18, 1996 IBM Compromises on Encryption Keys, U.S. Allows Export of More-Secure Notes By Thomas E. 
Weber New York -- International Business Machines Corp., caving in to intense government pressure, agreed to include a special key that helps investigators tap into data messages in return for permission to export a more-secure version of its Lotus Notes software. The U.S. has prevented software makers from exporting sophisticated encryption technology for fear that terrorists and other criminals would gain access to a snoop-proof communications system. Industry observers said IBM's move marked the first time a supplier agreed to give the government special access to its software's security code. Encryption keys have stirred the concern of privacy experts in the past. While IBM's Lotus Development Corp. software unit defended the move as a stopgap compromise until a broader agreement on data security can be reached, Notes creator Ray Ozzie clearly found the controversial plan somewhat distasteful. "We were desperate enough to try to negotiate a short-term, pragmatic solution," Mr. Ozzie said. "But we do not believe this is the right long-term solution." One privacy advocate would agree. "The irreducible fact is that foreign customers are reluctant to rely on security products that have been compromised in some way" by federal intelligence agencies, said Mike Godwin, staff counsel for the Electronic Frontier Foundation. Several years ago the government proposed the "Clipper" computer chip that was programmed to let investigators tap into phone calls and data messages transmitted digitally. While that plan died after privacy advocates accused the government of trying to spy on users, the idea of leaving a back door open for government agents has remained alive. Under the Lotus plan, government investigators would still need to employ sophisticated code breaking to read messages sent via Notes software, which lets users at different computers collaborate. Security software encrypts information by using a unique key of software code. 
The length of a key is measured in computer bits, and longer keys are better -- they're more complex and more difficult for would-be spies, not to mention government agents, to unravel. Until now, to obtain an export license for Notes, Lotus has been restricted to an encryption system of 40 bits in its international version. Domestic users have been permitted to use a higher-level, more-secure 64-bit system. The new overseas version of Notes, tagged Release 4, will give foreign users 64-bit security. But to get permission to export the software, Lotus agreed to give the government access to 24 of those bits by using a special 24-bit key supplied by the National Security Agency. The plan effectively gives the government a headstart in trying to break the encryption scheme. With 24 bits of the key already in hand, the government need only crack the remaining 40 bits -- a task considered trivial for the code-masters at the NSA. As far as the U.S. government is concerned, this version of Notes is no more difficult to crack than the previous one. The advantage to customers, Mr. Ozzie said, is that anyone other than the U.S. government -- say, a malevolent criminal or computer hacker -- would face the more daunting task of breaking the 64-bit key. Mr. Ozzie said the move was a response to complaints from foreign purchasers of Notes. "Our customers have been telling us that, unless we did something about the security, we could no longer call it a secure system," Mr. Ozzie said. It remains to be seen whether Lotus's move will allow it to sell more software. "The idea is a good stopgap measure," said Stephen Franco, an analyst at Yankee Group in Boston. "But the most important thing is pushing the U.S. government to relax some of its restrictions" on exports. 
-- From rah at shipwright.com Thu Jan 18 09:03:38 1996 From: rah at shipwright.com (Robert Hettinga) Date: Fri, 19 Jan 1996 01:03:38 +0800 Subject: (fwd) Crypto SmartDisk(tm) Message-ID: --- begin forwarded text Sender: Postmaster at thumper.vmeng.com Reply-To: e$@thumper.vmeng.com Mime-Version: 1.0 From: rah at shipwright.com (Robert Hettinga) Date: Thu, 18 Jan 1996 08:02:46 -0500 Precedence: Bulk To: Multiple recipients of e$pam - Sent by Subject: Crypto SmartDisk(tm) --- begin forwarded text `Computer Within a Floppy Disk` puts secure electronic commerce in the palm of your hand SAN FRANCISCO--(BUSINESS WIRE)--Jan. 17, 1996--Fischer International Systems Corp. (FISC) announced Wednesday the availability of Crypto SmartDisk(tm), the world's first intelligent security token housed in a floppy disk-sized device. The announcement was made at the annual conference of RSA Data Security Inc., a leading encryption algorithm vendor. Addison M. Fischer, founder and chairman of FISC and a world-recognized leader in systems and data security, attended the meeting with fellow experts in cryptography. Crypto SmartDisk is a self-contained computer, complete with crypto coprocessor, memory, real time clock, and resident operating system. It fits in any of the 150 million installed standard 3.5 inch floppy disk drives; no additional hardware is required. Crypto SmartDisk supports RSA, DSA and DES algorithms for encryption and digital signatures. The RSA public key cryptographic system is the de facto standard and is commonly used to create digital envelopes for secure electronic commerce. DSA is a standard for digital signatures that is endorsed by the U.S. government, and DES is the most widely used and tested encryption algorithm available. `Crypto SmartDisk breaks barriers in the world of secure electronic commerce,` said Michael S. Battaglia, FISC president and CEO. 
`It literally puts in any user's hands the power to use any PC with a 3.5 inch floppy drive as a secure electronic transaction station. Businesses, government agencies, even private citizens can use Crypto SmartDisk to engage in secure electronic commerce with complete confidence that their transactions will be read only by those people the users intend.` Crypto SmartDisk is positioned to gain rapid acceptance among agencies of the U.S. federal government, particularly those that manage civilian applications. It offers the benefits of hardware-based encryption without the expense of retrofitting PCs that don't have card readers. By using a Crypto SmartDisk, for example, private citizens could conduct secure electronic transactions with agencies like the U.S. Postal Service (USPS), Social Security Administration (SSA), and IRS from their home computers. The General Services Administration Security Infrastructure Program Management Office is planning just such a pilot project, with hundreds to thousands of participants including private citizens. Using Crypto SmartDisk, participants may conduct electronic transactions such as requesting SSA benefit information, inquiring about the availability of federal loans, and potentially even filing on-line tax returns with the IRS. Crypto SmartDisk also offers a developer's toolkit so users can create their own applications featuring encryption capabilities. The toolkit provides both software tools and libraries and is fully compliant with the PKCS No. 11 standard and the ISO 7816 standard. Fischer International Systems Corp. is a leading worldwide supplier of software solutions for secure Electronic Commerce. Founded in 1982, it is one of the largest privately held software companies in the United States. 
Its products include Watchdog(r) and SmartDisk(tm) for PC data security, TAO(tm) (Totally Automated Office) for cross-platform, multilingual messaging and office automation; EDI/comm(tm) for Electronic Data Interchange; and WorkFlow.2000(tm) for cross-platform automated forms and process management. Crypto SmartDisk and the Crypto SmartDisk toolkit are available for immediate shipment. -0- NOTE TO EDITORS: In the Internet/email address noted in the contact information in this news release, there is an `at` symbol between Chamberlain and fisc.com. This symbol may not appear properly in some systems. --30--jd/mi.. CONTACT: Fischer International Systems Corp., Naples, Fla. Katharen Chamberlain Phone: 941/436-2678; Fax: 941/436-2586 Internet: Kathy.Chamberlain at fisc.com ============================================================================ --- end forwarded text -------------------------------------------------- The e$ lists are brought to you by: Making Commerce Convenient (tm) - Oki Advanced Products - Marlboro, MA Value-Checker(tm) smart card reader= http://www.oki.com/products/vc.html Where people, networks and money come together: Consult Hyperion http://www.hyperion.co.uk info at hyperion.co.uk See your name here. Be a charter sponsor for e$pam, e$, and Ne$ws! See http://thumper.vmeng.com/pub/rah/ or e-mail rah at shipwright.com for details... ------------------------------------------------- --- end forwarded text ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/ From hallam at w3.org Thu Jan 18 09:13:49 1996 From: hallam at w3.org (hallam at w3.org) Date: Fri, 19 Jan 1996 01:13:49 +0800 Subject: Espionage-enabled Lotus notes. 
In-Reply-To: <199601181451.JAA25153@iii2.iii.net> Message-ID: <9601181638.AA01736@zorch.w3.org> I've been discussing the Lotus notes escrowed key reduction with some knowledgeable people. The first time I heard it suggested was by Adi Shamir at a talk by the deputy director of the NSA at MIT. The problem with this system is that it is quite likely to succeed. Unlike Clipper which made unfettered access to encrypted material possible the escrowed key strength reduction means that the FBI can tap a significant number of locations, just not all of them. It will be very hard to argue effectively against this idea in Congress. Much harder than the Clipper chip which was dead on arrival. Phill From SEAN at SDG.DRA.COM Thu Jan 18 10:29:35 1996 From: SEAN at SDG.DRA.COM (Sean Donelan) Date: Fri, 19 Jan 1996 02:29:35 +0800 Subject: Crypto on private files Message-ID: <960117134408.5492@SDG.DRA.COM> >According to the newscaster, the NY state court decision should be a >first in this type of case. Prosecutors argue it is no different from >being forced to turn over a diary. No, its the same as being forced to translate or interpret a diary entry. Prosecutor: Please turn over the name you have 'encrypted' as "Mr. X" in your diary. -- Sean Donelan, Data Research Associates, Inc, St. Louis, MO Affiliation given for identification not representation From tomj at microsoft.com Thu Jan 18 10:33:14 1996 From: tomj at microsoft.com (Tom Johnston) Date: Fri, 19 Jan 1996 02:33:14 +0800 Subject: FW: CrytoAPI on Cypherpunks Message-ID: General comments: please take a look at our web page: http://www.microsoft.com/intdev/inttech/cryptapi.htm, and e-mail cryptapi.com with questions. Comments in-line >>> below. >From: Matt Blaze To: cypherpunks at toad.com Subject: Microsoft's CAPI Date: Wed, 17 Jan 1996 10:02:27 -0500 I attended a meeting at Microsoft the other day at which they described their Crypto API project.
As CAPIs go, it's reasonable enough; nothing particularly exciting about it or especially wrong with it (though they don't yet support nonblocking calls to crypto modules). >>> We received several requests at the design review to add >>> non-blocking calls. We're looking to add this. ... They have (or will have soon) an application development kit to allow you to write code that uses the API, and a CSP development kit to let you write the crypto functions. >>> Doc's and sample code from the SDK are available now on >>> our web page: http://www.microsoft.com/intdev/inttech/cryptapi.htm. >>> Please e-mail cryptapi at microsoft.com if you're interested in a >>> CSP development kit. ...One important issue is whether MS will really sign anyone's CSP or whether they will start charging high fees or making business-based decisions on who's CSPs they will allow (with they sign Netscape's CSP, for example). They say they won't even look or keep a copy of your CSP (at my suggestion, they are probably going to change the process so that you send them a hash of your CSP instead of your CSP code when you get the signature). For now they promise to sign CSPs for anyone who returns the export certificate, at no charge. >>> We won't charge high fees (right now, it's free!). Our policy is >>> simple: we'll sign the CSP of anyone who follows the rules. >>> Yes, we would sign a CSP from Netscape if they follow the rules. >>>We won't look at or keep a copy of the CSP, and >>> we won't tell your competitors about it (unless you ask us to). ... They say that the API kit will not be export-controlled but the CSP kit will be. >>> The SDK is not export-controlled. The CSP development >>> kit is export-controlled. 
From wendigo at pobox.com Thu Jan 18 12:57:19 1996 From: wendigo at pobox.com (Mark Rogaski) Date: Fri, 19 Jan 1996 04:57:19 +0800 Subject: Ozzie Apes Jim Clark, Fix Is In to Cave and Cry In-Reply-To: <199601181652.KAA13172@snoopy.vetmed.auburn.edu> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- - From the node of Frank Stuart: : : >The new overseas version of Notes, tagged Release 4, will give : >foreign users 64-bit security. But to get permission to export : >the software, Lotus agreed to give the government access to 24 : >of those bits by using a special 24-bit key supplied by the : ^ : Does anyone know if there really is just one 24-bit key for every copy of : Lotus Notes or is this a miscommunication? If there really is just one 24-bit : key for everyone, can't you just look for the bits that don't change among : different 64 bit keys? (e.g. AND a "sufficiently large" number of 64-bit keys : together to find the 1's that don't change and then OR them to find the 0's : until you've got the 24 bit key). Someone, please tell me that's not how it : works (or post the 24-bit key :>). : That was the question that came to mind when I read the article, too. How exactly are they planning on implementing this? I admit my ignorance concerning the working of Lotus Notes and how it handles keys. Do they plan on escrowing a unique partial key for each licence? For each user? Can users have multiple keys? If so, how does this affect the key generation process. At first glance, unless the feds are gonna hand out keys via men-with-shiny-black-shoes-and-handcuffed-to-briefcases, the key generation process is going to have to contact the feds and reveal the key. Of course, I'm relatively new to this (gonna read Schneier real soon now ;) ) so I may be woefully off base, but this is my first reaction. Is this partial escrow similar to saying, "We won't kill you, we'll just amputate at the neck?" 
- ----- Mark Rogaski 100,000 lemmings rogaski at pobox.com aka Doc, wendigo can't be wrong! http://www.pobox.com/~rogaski/ VMS is as secure as a poodle encased in a block of lucite ... about as useful, too. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMP6hltT48ZIkMoEtAQGXoAf/WvtLJNlK7TobMfRKUMMwPP8C/kyaV7Kp Jkz3kzoCYUCg0+5XovHdlukVb1Bt+McgJAIEg6TABEyE2R/Le1oDp2HFc6R/k5Lm q25yiqi2UyXECnozH4mVO+nS2kTgEn74Y66wFYggIzp8mgIgRmFSIesyGYPIxWAd +N/m5edR+fKEFQgOqg7dsOid9pmpPHEDJiTVLB3xwnS1GPiIUf03eHilCutsANmS 4lAlIdGftVCGfo3iNkTPkGj+iXpmPF8IFfM/4oeiIhzl9tqXv8ZkOnV7uHCn5k7N puyE9bJ5pDnByEnHs2qIKRdi3+QADK9uq1meoPNEyllsK+uNdpeQwg== =CZ8F -----END PGP SIGNATURE----- From m5 at dev.tivoli.com Thu Jan 18 13:09:25 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Fri, 19 Jan 1996 05:09:25 +0800 Subject: CAPI signing Message-ID: <9601181940.AA22979@alpha> A Microsoft person just responded via direct e-mail that they'll do CAPI signing in the United States (the word "only" wasn't in there, but that certainly was the implication). This means, to me, that there won't be much CAPI-compliant software produced outside the US, or at least that people who do it will have to bear that insult. It's reminiscent of the Lotus thing. I see no reason for Microsoft to be reluctant to have non-USA signings other than fear of USGov reprisals. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From alano at teleport.com Thu Jan 18 13:14:22 1996 From: alano at teleport.com (Alan Olsen) Date: Fri, 19 Jan 1996 05:14:22 +0800 Subject: Win95 Registration Wizard info Message-ID: <2.2.32.19960118194900.008a53d0@mail.teleport.com> At 10:03 AM 1/18/96 -0500, Perry E.
Metzger wrote: > >Alan Olsen writes: >> I picked this link up from the Fringewear list. >[...] >> The author takes the registration Wizard in Win95 apart and shows exactly >> what it does and what it looks for. Some interesting information about the >> encrypted database of product information it uses. > >What, exactly, does this have to do with cypherpunks? I posted it for two reasons. 1) There have been a lot of rumors spread about what the Registration Wizard does and does not do to compromise your privacy. This dispels many of those rumors. 2) The program's use of encryption to conceal what products it looks for. If I was going to post unrelated articles of that site, it would have been the Win95 dirty little secrets article and/or the Softram hoax. Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "Is the operating system half NT or half full?" From alano at teleport.com Thu Jan 18 13:15:46 1996 From: alano at teleport.com (Alan Olsen) Date: Fri, 19 Jan 1996 05:15:46 +0800 Subject: Hack Lotus? Message-ID: <2.2.32.19960118195838.008a4944@mail.teleport.com> In reading the various descriptions of the mechanism used by Lotus, it seems that such a method of GAKing the software is vulnerable to reverse engineering. I am certain that comparisons between the export and non-export (with softice and other debugger-type software) will show some interesting things. Hopefully such an action will reveal the backdoor. After that point, just publishing the hack will do more to remove the bogus gaking than any protest will ever do... | Remember: Life is not always champagne. Sometimes it is REAL pain. | |"The moral PGP Diffie taught Zimmermann unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!"
| Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From tcmay at got.net Thu Jan 18 13:20:32 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 19 Jan 1996 05:20:32 +0800 Subject: Espionage-enabled Lotus notes. Message-ID: At 2:51 PM 1/18/96, Trei Family wrote: >I've come up with a new term to describe the type of 'improved' security >in the new International edition of Lotus Notes: > >'espionage-enabled' > >It's specifically built for export, and has a backdoor to enable USG agents >to read the messages more easily. From the viewpoint of a foreign purchaser, >'espionage-enabled' seems an appropriate term. > >If we spread this term sufficiently, we may be able to discourage the >widespread adoption of this half-measure, and increase the pressure for >good, unencumbered crypto. I like this idea, and have already begun to use it. Even adding it to my already long .sig. Here's a post I sent to talk.politics.crypto and soc.culture.german. (I included the German group because of the CompuServe situation and the fact that they are already incensed by American criticisms of them...I figure this could get them even more riled up, and even get a groundswell of sentiment to boycott espionage-enabled software.) Here it is: You Germans need to be monitored. The French, too. This has become painfully clear. Fortunately, IBM and its Lotus Development division have come up with an answer: software such as Lotus Notes which is shipped to Germany (and elsewhere outside the U.S.) will have an espionage-enabled encryption system that allows the National Security Agency, CIA, and other intelligence agencies to have easy access to your data. The 64-bit key versions of software will actually be crippled, to allow the NSA and CIA access to your communications. And the NSA has been exploring options for "economic espionage," as a means of helping U.S. industry to compete. 
Thus, your BMW and Daimler-Benz secrets can be detected and passed on to Ford, General Motors, and Chrysler. Brief excerpts from today's "Wall Street Journal": ------- IBM Compromises on Encryption Keys, U.S. Allows Export of More-Secure Notes By Thomas E. Weber New York -- International Business Machines Corp., caving in to intense government pressure, agreed to include a special key that helps investigators tap into data messages in return for permission to export a more-secure version of its Lotus Notes software. ... "We were desperate enough to try to negotiate a short-term, pragmatic solution," Mr. Ozzie said. "But we do not believe this is the right long-term solution." .... The new overseas version of Notes, tagged Release 4, will give foreign users 64-bit security. But to get permission to export the software, Lotus agreed to give the government access to 24 of those bits by using a special 24-bit key supplied by the National Security Agency. ... ------- Welcome to the New American World Order. (Of course, another possibility is the Europeans, Asians, and others will reject this espionage-enabled software and will instead rely on robust software using the Web, software with full cryptographic security and without the special NSA "back doors." Some may even boycott Lotus Development products on general principal.) --Tim May Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." 
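The split described in the Wall Street Journal excerpt above (a 64-bit key with 24 bits readable by the government), worked through as an added sketch that is not part of any list message and is not Lotus code. It assumes the mechanism guessed at in the "Ozzie Apes Jim Clark" and "Hack Lotus?" messages later in this digest, where the high key bits are RSA-encrypted to an escrow public key and sent with the message; the unpadded RSA, the toy key pair, the keyed hash standing in for trial decryption, and the sizes shrunk from 64/24 bits to 24/10 are all assumptions of the example.

```python
import hashlib
import secrets

# Scaled-down stand-ins for the 64-bit key with 24 escrowed bits (assumption:
# sizes shrunk so both searches finish in well under a second).
KEY_BITS, ESCROW_BITS = 24, 10
LOW_BITS = KEY_BITS - ESCROW_BITS

# Constructed toy escrow key pair built from two Mersenne primes; not a real key.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the escrow agent


def check_value(key, nonce):
    """Keyed hash standing in for 'trial decryption yields sensible plaintext'."""
    return hashlib.sha256(key.to_bytes(8, "big") + nonce).digest()[:8]


def escrow_deterministic(key):
    """Unpadded RSA of the high bits: the same bits always give the same field."""
    return pow(key >> LOW_BITS, E, N)


def escrow_randomized(key):
    """The same high bits under 64 random pad bits (top pad bit forced to 1)."""
    pad = secrets.randbits(64) | (1 << 63)
    return pow((pad << ESCROW_BITS) | (key >> LOW_BITS), E, N)


def make_message(key, escrow_fn):
    """A constructed message: nonce, check value, and the escrow field."""
    nonce = secrets.token_bytes(8)
    return {"nonce": nonce, "check": check_value(key, nonce), "field": escrow_fn(key)}


def agent_high_bits(msg):
    """Escrow agent: one private-key operation reveals the escrowed bits."""
    return pow(msg["field"], D, N) & ((1 << ESCROW_BITS) - 1)


def search_low_bits(msg, high):
    """Exhaust the non-escrowed bits once the high bits are known."""
    for low in range(1 << LOW_BITS):
        key = (high << LOW_BITS) | low
        if check_value(key, msg["nonce"]) == msg["check"]:
            return key, low + 1
    return None, 1 << LOW_BITS


def outsider_work(msg):
    """Work for a party holding only the public escrow key (N, E).

    Returns (recovered_key_or_None, trial_count). With a deterministic field
    the high bits fall to re-encrypt-and-compare, so the total is at most
    2**ESCROW_BITS + 2**LOW_BITS instead of 2**KEY_BITS.
    """
    for guess in range(1 << ESCROW_BITS):
        if pow(guess, E, N) == msg["field"]:
            key, trials = search_low_bits(msg, guess)
            return key, guess + 1 + trials
    # Padded field: nothing to compare against, so the shortcut is gone. The
    # same holds for a receiver trying to check the field by re-encryption.
    return None, 1 << ESCROW_BITS


def demo():
    key = secrets.randbits(KEY_BITS)
    weak = make_message(key, escrow_deterministic)
    padded = make_message(key, escrow_randomized)
    return {
        "full_keyspace": 1 << KEY_BITS,
        "agent_trials": search_low_bits(padded, agent_high_bits(padded))[1],
        "outsider_vs_deterministic": outsider_work(weak),
        "outsider_vs_randomized": outsider_work(padded),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

At the real sizes the same accounting gives 2^24 + 2^40 trials for the deterministic field against 2^64 for an outsider facing a padded one, while the escrow holder's work stays at 2^40 in both cases.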
From pdlamb at iquest.com Thu Jan 18 13:23:02 1996 From: pdlamb at iquest.com (Patrick Lamb) Date: Fri, 19 Jan 1996 05:23:02 +0800 Subject: Attack Simulator Message-ID: <199601182006.OAA26389@vespucci.iquest.com> At 03:50 1/18/96 +0100, you wrote: > >Internet Scanner Software Checks Network Security > >Atlanta, Jan. 17 -- Internet Security Systems has >released version 3.2 of its Internet Scanner software. >The company said the program is an "attack simulator" >that tests your organization's network for security >holes. > ...remainder of ad elided Is it just me, or does this sound like a commercial version of SATAN? I wonder what makes SATAN unacceptable (besides the name) while something like this is apparently acceptable? Pat From Steve_Makrecky at msn.com Thu Jan 18 13:43:21 1996 From: Steve_Makrecky at msn.com (Steve Makrecky) Date: Fri, 19 Jan 1996 05:43:21 +0800 Subject: Keyboard & Mouse Recorder Message-ID: Does anyone know where I can get a keyboard recorder for WIN95 and OS/2 I would like to record the mouse and keyboard strokes. Then re-run the host program at a pre-determined time. From llurch at networking.stanford.edu Thu Jan 18 13:46:34 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 19 Jan 1996 05:46:34 +0800 Subject: [NOISY 'cept to Peter et al] Potential Windows hack (fwd) Message-ID: Yes, this would seem to be an intriguing new way to introduce a trojan horse. 
-rich ---------- Forwarded message ---------- Date: Thu, 18 Jan 96 10:57:40 -0500 To: hackmsoft at c2.org Subject: Potential Windows hack I was messing around with Delphi last night, and for the first time checked out the help files for creating Windows help. I was surprised to find that a Windows Help file can call functions from any DLL. Is it just me, or does this seem like a hole big enough to drive a truck through? From rishab at m-net.arbornet.org Thu Jan 18 13:46:41 1996 From: rishab at m-net.arbornet.org (Rishab Aiyer Ghosh) Date: Fri, 19 Jan 1996 05:46:41 +0800 Subject: Netscape and NSA Message-ID: Any special reason why Netscape is working with the NSA to support their Fortezza encryption card? ObConspiracyTheory: Hmmmmm.... Nice government-friendly Jim Clark quote, with the rest of the story http://www-e1c.gnn.com/gnn/wr/96/01/12/features/nsa/index.html -Rishab From jcobb at ahcbsd1.ovnet.com Thu Jan 18 14:00:46 1996 From: jcobb at ahcbsd1.ovnet.com (James M. Cobb) Date: Fri, 19 Jan 1996 06:00:46 +0800 Subject: Article on E-money Message-ID: Jim, Thank you for an exceptionally well thought out message. I notice your point that ....governments will do their best to insure that anonymous e-money systems fail in the marketplace. Perhaps by...subsi- dizing identified e-money systems.... 12 26 95 / 01 02 96 Computerworld 38 reports: CyberCash...is a more comfortable partner to banks and offers an easier system for regulators to audit than those of some rivals, says John Pescatore, research director for information security at International Data Group in Falls Church, Va. A Netherlands-based firm called DigiCash BV...offers a system that ensures a buyer's anonymity.... "An approach like CyberCash would still keep financial insti- tutions in the loop. That's much more palatable to governments and banks and their lobbyists," he says. Publicizing the palatable is one form of subsidizing. Another is suggested: CyberCash...earns transaction fees from banks. 
Regulating those fees can be an exercise in ingenuity. But there may be more... In Implementing Internet Security, a 1995 book recommended by Pournelle, Lisa Morgan writes at page 199: Currently, DigiCash technology is being used in electronic wallets and smart cards; but in the long-term, the technology will be used for many more applications. In the long-term? Lisa writes at page 195: Internet commerce, when it becomes big business several years from now.... By then "NSA's pet Fortezza card project" may be all the rage. Stephen Pizzo, Web Review's senior reporter, says: The agency is also heavily subsidizing through private com- panies the development of a commercial version to be sold worldwide. Cordially, Jim NOTES: The Computerworld newsstory is headlined "Virtual credit-card swiper makes banks feel secure." The book is by Frederic Cooper et al. Its publisher: New Riders Publishing. Pizzo's report can be accessed beginning at: http://gnn.com/gnn/wr/96/01/12/features/nsa/index.html From shamrock at netcom.com Thu Jan 18 14:08:57 1996 From: shamrock at netcom.com (Lucky Green) Date: Fri, 19 Jan 1996 06:08:57 +0800 Subject: (fwd) Crypto SmartDisk(tm) In-Reply-To: Message-ID: On Thu, 18 Jan 1996, Robert Hettinga wrote: > `Computer Within a Floppy Disk` puts secure electronic commerce in the palm of > your hand > SAN FRANCISCO--(BUSINESS WIRE)--Jan. 17, 1996--Fischer International Systems > Corp. (FISC) announced Wednesday the availability of Crypto SmartDisk(tm), the > world's first intelligent security token housed in a floppy disk-sized device. The showed that disk at the RSA conference last year. Pretty neat. Got a transducer in it that emulates a floppy. They gave them away to all exhibitors. I got one myself. 
--Lucky From zoo at armadillo.com Thu Jan 18 14:12:27 1996 From: zoo at armadillo.com (david d `zoo' zuhn) Date: Fri, 19 Jan 1996 06:12:27 +0800 Subject: Ozzie Apes Jim Clark, Fix Is In to Cave and Cry Message-ID: <199601182115.PAA10170@monad.armadillo.com> // : >The new overseas version of Notes, tagged Release 4, will give // : >foreign users 64-bit security. But to get permission to export // : >the software, Lotus agreed to give the government access to 24 // : >of those bits by using a special 24-bit key supplied by the // That was the question that came to mind when I read the article, too. // How exactly are they planning on implementing this? Looks straightforward to me. Any time a bulk key is generated (aka session key), take a known number of bits in a known location (top n or bottom n) and encrypt those with the public key of the agent you want to give the n key bits to. Then send the encrypted key bits as part of the message protocol. This is similar to what Netscape's SSL does, except that the top n bits of an SSL key are a public part of the exchange, and the top n bits of a Notes key are only readable by the private key holder (which is presumably in the hands of every major government agency that cares). Neither give away the entire key directly, so it's not a trivial decoding operation. But 40 bits isn't terribly difficult to decode either. The advantage, as seen by many people, is that the full key is much larger in the Notes implementation style so non-governmental attackers have a much harder problem to solve in order to crack the message. This is roughly akin to what ViaCrypt has announced for their next PGP release. You have a public key for the "escrow" agent, and every person who encrypts using PGP would add (or would have added by PGP) the agent to the list of recipients. The message might not be given to the agent, but if it lands in their hands, they will be able to decrypt it. GAK is reasonable, to those who trust the government. 
Now the subset of this list who do so may be a much smaller percentage than the subset of the VPs of IS that do. But that's a different message. -- - david d `zoo' zuhn -| armadillo zoo software -- St. Paul, Minnesota -- zoo at armadillo.com --| unix generalist (and occasional specialist) ------------------------+ http://www.armadillo.com/ for more information pgp key upon request +---------------------------------------------------- From hallam at w3.org Thu Jan 18 14:18:44 1996 From: hallam at w3.org (hallam at w3.org) Date: Fri, 19 Jan 1996 06:18:44 +0800 Subject: Netscape and NSA In-Reply-To: Message-ID: <9601182117.AA02942@zorch.w3.org> >Any special reason why Netscape is working with >the NSA to support their Fortezza encryption card? >ObConspiracyTheory: Hmmmmm.... I think it was a very special reason, $5 million by some accounts. Given the govt. internal needs it is not unreasonable to supply them with the equipment they need. The problem is in the forcing of non governmental personnel to use them. There are an awfully large number of people on cypherpunks who have taken money from the NSA in some form or another. About 5 ft from my office is the old CIA safe from the days they had an office in this building. The US govt does not believe in socialist subsidies to industry. It believes in corporativist subsidies in inflated military contracts. Boeing got them to build the 747 and now its time for Netscape to get their handout. If this upsets people I'd just like to point out that the farming lobby is even worse, taking those snouts out of the trough is long overdue in almost every industrialised country. Phill From alano at teleport.com Thu Jan 18 14:18:45 1996 From: alano at teleport.com (Alan Olsen) Date: Fri, 19 Jan 1996 06:18:45 +0800 Subject: [noise] Re: Attack Simulator Message-ID: <2.2.32.19960118205437.008885a4@mail.teleport.com> At 02:04 PM 1/18/96 -0600, Patrick Lamb wrote: >Is it just me, or does this sound like a commercial version of SATAN? 
I >wonder what makes SATAN unacceptable (besides the name) while something like >this is apparently acceptable? It is very similar, both in tests and in basic principle, to Satan. The differences between the two are hype and Satan is free to anyone who can figure how to make it work. (Not always an easy task... Especially on Linux.) Such tools are very useful for system admin types to fix holes and for hackers to find them. It is not the "all powerful hacker tool" the media makes it out to be. What this has to do with crypto, I have no idea... Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "Is the operating system half NT or half full?" From jcobb at ahcbsd1.ovnet.com Thu Jan 18 14:19:07 1996 From: jcobb at ahcbsd1.ovnet.com (James M. Cobb) Date: Fri, 19 Jan 1996 06:19:07 +0800 Subject: POINTER: 01 17 96 CDT Policy Post Message-ID: Friend, Cypherpunks-related item in 01 17 96 CDT Policy Post: FBI Surveillance Capacity Request Fails to Meet Public Accountability Requirements of Digital Telephony Bill. CDT = The Center for Democracy and Technology. To subscribe to CDT's Policy Post list, send mail to: policy-posts-request at cdt.org with the subject: subscribe policy-posts Cordially, Jim From andrew_loewenstern at il.us.swissbank.com Thu Jan 18 14:58:03 1996 From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern) Date: Fri, 19 Jan 1996 06:58:03 +0800 Subject: Espionage-enabled Lotus notes. Message-ID: <9601182245.AA01500@ch1d157nwk> Peter Trei writes: > >It's specifically built for export, and has a backdoor to enable USG agents > >to read the messages more easily. From the viewpoint of a foreign purchaser, > >'espionage-enabled' seems an appropriate term. TC May responds: > I like this idea, and have already begun to use it. Even adding it to my > already long .sig. 
I think it's also time to break out the old "Big Brother Inside" stickers and start applying them to copies of Notes... andrew From erc at dal1820.computek.net Thu Jan 18 17:42:48 1996 From: erc at dal1820.computek.net (Ed Carp, KHIJOL SysAdmin) Date: Fri, 19 Jan 1996 09:42:48 +0800 Subject: Attack Simulator In-Reply-To: <199601182006.OAA26389@vespucci.iquest.com> Message-ID: <199601190129.UAA22928@dal1820.computek.net> > Is it just me, or does this sound like a commercial version of SATAN? I > wonder what makes SATAN unacceptable (besides the name) while something like > this is apparently acceptable? ISS and SATAN are different tools. There is a non-commercial version of ISS available. ISS didn't get as much notice as SATAN - I guess it's because it's author isn't as widely known as Dan Farmer. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes From daveg at pakse.mit.edu Thu Jan 18 17:57:44 1996 From: daveg at pakse.mit.edu (David Golombek) Date: Fri, 19 Jan 1996 09:57:44 +0800 Subject: Single computer breaks 40-bit RC4 in under 8 days Message-ID: <9601190145.AA11333@pakse.mit.edu> MIT Student Uses ICE Graphics Computer To Break Netscape Security in Less Than 8 Days Cost to crack Netscape security falls from $10,000 to $584 CAMBRIDGE, Mass., January 10, 1996 -- An MIT undergraduate and part-time programmer used a single $83,000 graphics computer from Integrated Computing Engines (ICE) to crack Netscape's export encryption code in less than eight days. 
The effort by student Andrew Twyman demonstrated that ICE's advances in hardware price/performance ratios make it relatively inexpensive -- $584 per session -- to break the code. While being an active proponent of stronger export encryption, Netscape Communications (NSCP), developer of the SSL security protocol, has said that to decrypt an Internet session would cost at least $10,000 in computing time. Twyman used the same brute-force algorithm as Damien Doligez, the French researcher who was one of the first to crack the original SSL Challenge. The challenge presented the encrypted data of a Netscape session, using the default exportable mode, 40-bit RC4 encryption. Doligez broke the code in eight days using 112 workstations. "The U.S. government has drastically underestimated the pace of technology development," says Jonas Lee, ICE's general manager. "It doesn't take a hundred workstations more than a week to break the code -- it takes one ICE graphics computer. This shuts the door on any argument against stronger export encryption." Breaking the code relies more on raw computing power than hacking expertise. Twyman modified Doligez's algorithm to run on ICE's Desktop RealTime Engine (DRE), a briefcase-size graphics computer that connects to a PC host to deliver performance of 6.3 Gflops (billions of floating point instructions per second). According to Twyman, the program tests each of the trillion 40-bit keys until it finds the correct one. Twyman's program averaged more than 830,000 keys per second, so it would take 15 days to test every key. The average time to find a key, however, was 7.7 days. Using more than 100 workstations, Doligez averaged 850,000 keys per second. ICE used the following formula to determine its $584 cost of computing power: the total cost of the computer divided by the number of days in a three-year lifespan (1,095), multiplied by the number of days (7.7) it takes to break the code. 
ICE's Desktop RealTime Engine combines the power of a supercomputer with the price of a workstation. Designed for high-end graphics, virtual reality, simulations and compression, it reduces the cost of computing from $160 per Mflop (millions of floating point instructions per second) to $13 per Mflop. ICE, founded in 1994, is the exclusive licensee of MeshSP technology from the Massachusetts Institute of Technology (MIT). ### INTEGRATED COMPUTING ENGINES, INC. 460 Totten Pond Road, 6th Floor Waltham, MA 02154 Voice: 617-768-2300, Fax: 617-768-2301 FOR FURTHER INFORMATION CONTACT: Bob Cramblitt, Cramblitt & Company (919) 481-4599; cramco at interpath.com Jonas Lee, Integrated Computing Engines (617) 768-2300, X1961; jonas at iced.com Note: Andrew Twyman can be reached at kurgan at mit.edu. From sasha1 at netcom.com Thu Jan 18 18:03:50 1996 From: sasha1 at netcom.com (Alexander 'Sasha' Chislenko) Date: Fri, 19 Jan 1996 10:03:50 +0800 Subject: underground digital economy Message-ID: <2.2.32.19960118010840.00e13e78@netcom.com> At 04:39 PM 1/17/96 -0600, jim at bilbo.suite.com (Jim Miller) wrote: > >The existing underground economy uses the same money as the aboveground >economy (i.e. paper money, for the most part). Could a significant >underground digital economy develop if the aboveground digital economy >used only identified e-money? > Let's consider a general case: we have a number of market segments, and a number of currencies. The currencies may float between the markets and translate into one another. If the currencies are independent from the markets, the flow of funds may cross the currency boundary, then a market boundary (or vice versa). If not, these crossings maybe synchronized - to enter the next market segment, you have to exchange the currency. All you need to have all the "economies" running is some gates between the currencies somewhere in the system. 
There are lots of alternative currencies in any society, including balances of personal favors between people; usually they do not have currency conversion problems, even if explicitly regulated. If you sell a new version of CryptoDoom for digicash, and would like to buy a car that is only sold for paper money, and I have a car to sell and want to buy your CryptoDoom, *somewhere* in the market there will appear an exchange agent that would help us complete the transaction. In the case of parallel digital currencies this exchange market would be very liquid because of the high speed, low cost, and security/privacy of the transactions. I have some personal experience with similar issues, in my attempts to move money in and out of Russia. In these transactions cash rarely crosses the border. If an American A1 wants to send some dollars to a Russian R1 who needs roubles, and a Russian R2 wants to send some roubles to American A2 who needs dollars, then A1 pays dollars to A2, and R2 pays roubles to R1. Since both inter-market and inter-currency transactions should be balanced, such schemes would always be possible. ----------------------------------------------------------------------- Alexander Chislenko Public Home page: http://www.lucifer.com/~sasha/home.html World Future Society[B]: http://www.lucifer.com/~sasha/refs/wfsgbc.html ----------------------------------------------------------------------- From daw at beijing.CS.Berkeley.EDU Thu Jan 18 18:09:22 1996 From: daw at beijing.CS.Berkeley.EDU (David A Wagner) Date: Fri, 19 Jan 1996 10:09:22 +0800 Subject: Hack Lotus? Message-ID: <199601190154.UAA24710@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article <2.2.32.19960118195838.008a4944 at mail.teleport.com>, Alan Olsen wrote: > I am certain that comparisons between the export and non-export (with > softice and other debugger-type software) will show some interesting things. Hack Lotus? Please do. 
I would love to see the internals of how Lotus Notes does the escrow. Every conceivable way I can see to do it seems very vulnerable to attack. If the receiving Lotus Notes program doesn't check whether the high 24 bits have been escrowed correctly in the LEEF-like field, then a simple hack to the sending Lotus Notes program to not send the LEEF field should give foreigners true 64 bit encryption. [LEEF = Law-enforcement / Espionage Exploitation Field = the RSA-encrypted high 24 bits of the key] If the receiving Lotus Notes program does verify that the high 24 bits are escrowed correctly, then anyone can verify that, so in 2^24 trials, I can recover the high 24 bits, and with 2^40 more trials, I can recover the high 40 bits. Therefore 2^40 + 2^24 trials should suffice to hack Lotus if this is how it works. Or maybe it works in some other crazy manner. Waiting to hear the technical details of how it works, - -- Dave Wagner - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMP751yoZzwIn1bdtAQGvzgF/RPhioKYfwXcqHoDCwyyVHZFgyR26KQCz swwAnSDPydO5jKFjFNK5XaM9XRh2Vi3a =HLSf -----END PGP SIGNATURE----- From ses at tipper.oit.unc.edu Thu Jan 18 18:47:06 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Fri, 19 Jan 1996 10:47:06 +0800 Subject: Espionage-enabled Lotus notes. In-Reply-To: <9601182245.AA01500@ch1d157nwk> Message-ID: On Thu, 18 Jan 1996, Andrew Loewenstern wrote: > > I think it's also time to break out the old "Big Brother Inside" stickers and > start applying them to copies of Notes... I'd love to know what Mitch Kapor has to say about all this.. 
Simon From adam at lighthouse.homeport.org Thu Jan 18 18:47:06 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Fri, 19 Jan 1996 10:47:06 +0800 Subject: Blacknet & Lotus Notes Message-ID: <199601190013.TAA10250@homeport.org> Espionage Enabling in Action, or "How much is that escrow key in the window?" We all know how cheaply spies sell out. The Falcon and the Snowman got a few tens of thousands for years of crypto keys and satellite data. Pollard got 50,000 for cubic yards of documents on all sorts of subjects. The Walkers gave the Soviets a volume purchase discount, and Ames got 2 million for running the CIA's counter-espionage program on behalf of the KGB. This little key to handle 24 bits of data is nothing. It can easily be smuggled out on a floppy, in an encrypted email message, or even printed out and sent through the mail. Assuming many federal employees will all have access to the same key, it's not much of a secret. So, let's buy the espionage enabling secret key. It's an obvious target, not just for cypherpunks, but for the KGB, Mossad, Toshiba, IBM, and anyone else who wants to read their competitors' correspondence. Let's face it, this key will get out there, and be available to all the big players; let's make it available to everyone! This is a job for ... Blacknet! This is exactly the kind of information that's easy to resell. It's small; no smuggling DATs full of B2 bomber plans out, just a small file on a floppy disk. It's easily checked, if the Lotus message formats are public, slightly less so if they're not. Who would buy? Pick an intelligence agency. Pick any large company whose competition uses Notes. Heck, I'd bet there are US government agencies (FBI, BATF, LAPD) who would buy it once we made it available. It's a near perfect demonstration of the foolishness of the government's position. Once this key, like the clipper keys, becomes easily available, the foolishness of the idea of GAK becomes magnified. 
It's ANOTHER government program that can't be run properly, that's opposed by 80% of Americans, and that doesn't even sell overseas. The persons responsible might even get to claim to be whistleblowers, demonstrating how easy it is to subvert this foolish plan that will continue to cost American business 60 billion a year in lost sales overseas. So...Is Notes V4 shipping yet? Do we know how many bits of key we're after? (NB: I'm assuming that (some part of) the US government has an RSA private key which is used to encrypt the 24 bits of GAK'd key.) Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From nobody at REPLAY.COM Thu Jan 18 18:51:34 1996 From: nobody at REPLAY.COM (Anonymous) Date: Fri, 19 Jan 1996 10:51:34 +0800 Subject: Junk Notes Message-ID: <199601182338.AAA21899@utopia.hacktic.nl> New York (AP) -- For the first time in years, there were no major trouble spots in IBM's vast product line. Both personal computers and large systems sold well and Lotus Development Corp., which IBM acquired last summer, shipped an astounding 1.2 million copies of its Notes program. "Our fundamental strategies are working," IBM chief executive Louis V. Gerstner Jr. said in a statement. ... Changes in the general export laws seemed unlikely so Lotus negotiated an interim solution. "This protects corporate information from malicious crackers but permits the government to retain their current access," Ozzie said. Simson Garfinkel, author and computer security expert, said he's not sure international buyers of Notes will like the solution. "Foreign companies don't want the U.S. government to spy on their data any more than the U.S. government wants foreign companies to be able to spy on theirs," Garfinkel said. ... But IBM said nothing about the future, causing some nervousness among the investors who have seen other technology companies project a flat performance in the next few months. 
"It was a good quarter but the bad news is we've got to go and find out what's going to happen in 1996," said David Wu, analyst at Chicago Corp. Questions have been raised about the timing of IBM's June acquisition of Lotus -- a $3.5 billion deal that was the software industry's largest ever -- because World Wide Web-related programs seemed to be eclipsing the need for Lotus' Notes, a communications and database program. From jimbell at pacifier.com Thu Jan 18 19:58:33 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 19 Jan 1996 11:58:33 +0800 Subject: Microsoft's CAPI Message-ID: At 10:14 AM 1/17/96 -0800, Alan Bostick wrote: >> The OS will not load just any old CSP. CSPs have to be signed by >> Microsoft. The kernel contains a (hardcoded?) 1024 RSA public key >> that it uses to check the signature when the user tries to load a CSP. >> If the signature check fails, the CSP won't load. Microsoft says it >> will sign any CSP from anyone AS LONG AS THEY CERTIFY THAT THEY WILL >> FOLLOW THE EXPORT RULES. So you can get your CSP signed if you use >> exportable cryptography or if you agree not to send it outside the US >> and Canada, etc. But an end user can't just compile crypto code and >> use it as a CSP, even for his or her own use, without getting it >> signed by Microsoft first (actually, the CSP development kit does >> allow this, but it uses a special version of the OS). > >The next obvious question is: Will Microsoft sign strong-crypto CSPs >developed by foreign developers for out-of-USA use? And, as well, for in-USA-use. Currently, it is only the export of cryptographic devices and programs which is restricted. Are they going to prohibit the export of digital signatures which enable the use of foreign-developed software?!? 
From alano at teleport.com Thu Jan 18 21:05:05 1996 From: alano at teleport.com (Alan Olsen) Date: Fri, 19 Jan 1996 13:05:05 +0800 Subject: Elitism on Cypherpunks Message-ID: <2.2.32.19960119045517.008842f4@mail.teleport.com> -----BEGIN PGP SIGNED MESSAGE----- I have seen a number of posts on "Cypherpunk Elitism". I have seen more examples of it here on the list. I think that this attitude will be more destructive to the list than noise in the long run. It has been said that "Cypherpunks write code". They must do more than that. Cypherpunks need to teach. All the cryptotools in the world are of no use if no one knows how to use them. (Or know how to use them correctly.) All of the protocols are of no use if no one knows how to implement them correctly or WHY they need them in the first place. There are a lot of bogus security methods. Many of them exist because people do not know better. Without someone to instruct them in the ways of these things, they will continue to go on with bad crypto, not knowing any better. Not all of the non-cypherpunks are beyond hope. Many of them are teachable. If we leave them to flounder on their own, cryptography will be something used only by an elite. It will be of little or no threat to the powers that be because only a small amount of people will have the ability to use it. The TLAs will have less encrypted traffic to sort through. They will have won a big battle, not through force of arms but force of egos. What can be done? A lot. Teach people how to use PGP. Help them generate keys. Help them get them signed. Show them how to use remailers. Teach them the secret of nyms. Friends teach friends how to use crypto. Adopt a BBS. They may be young, but they may also become the cypherpunks of tomorrow. Upload current versions of programs. Keep them current. Organize keysignings on the board. Host crypto discussions. Help stamp out the misinformation that breeds on such systems. 
Instilling the interest in the field and teaching will do more for the cause than all of the "this is noise" postings in the world. Helping those who have questions will help the newbies no longer be newbies. There are some on the list who have already taken this tact and must be commended. There are others who have taken the "fuck you" attitude to anyone they do not find worthy upon first contact. Bad attitudes are counter productive. To prevent the fall of a new dark ages, we must make sure that the information is spread far and wide. I think the statement that describes it best is: "UN-altered REPRODUCTION and DISSEMINATION of this IMPORTANT information is ENCOURAGED." There is a lot that cypherpunks can do to encourage the use of cryptography by "the common man". Elitism is not one of them. In the long run it will be counterproductive. And maybe in the short run as well... -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMP8jQeQCP3v30CeZAQHtjAf9FfJWRAe0ZDLNOLsFDMBGQvi9kXKZR3sw WDmOb3K/y8syCdADqqC4UjqoZ0pQ/XHEt6qKd8A7qx6D1FVQauTocEp1vqwE645h zGirsApDjiCYFmV/+Lbpor5Uf9F2rFbjya64lOTbiKW+XEGukpI3ghgbGxGPqPGF fIIT2QxqMl1MDd1sSGIXzvpniOsHI6HoVbPwUx8S2tbMR0dqh5AQObOKdna0D4x4 beAxEVyNd6atqdkZPEZy2XaSO6Y4hmRZx3I4CuqCM2wqbsboETQLpELBSn/dnxet 0Fe82xHHZQSuh0gMXEP+znaKYOq/38mijwjF3zpX+5RRHIVrjMu2+w== =ojHr -----END PGP SIGNATURE----- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "Is the operating system half NT or half full?" From phorgan at broadvision.com Fri Jan 19 13:25:34 1996 From: phorgan at broadvision.com (Patrick Horgan) Date: Fri, 19 Jan 96 13:25:34 PST Subject: What's a good math text? Message-ID: <9601192124.AA27738@star.broadvision.com> I'm not on the list just now, my work won't allow me the time to follow it. 
I'm still just as interested in cryptography though, and would like y'all to email me recommendations on good math books that will give me the background to understand the papers in the field. I'm sure that will include a good numbers theory text. If a beginner at number theory would have a hard time understanding it, please recommend background texts as well:) What else would I need? My computer science texts explain complexity theory well, what would I need in information theory? What would I have to read to understand factoring complexity? Are there any new texts that cover the recent breakthroughs in factoring? Thanks:) Patrick Patrick J. Horgan Broadvision Inc. phorgan at broadvision.com 333 Distel Circle Have horse Phone : (415)943-3677 Los Altos, CA 94022-1404 will ride. FAX : (415)934-3701 Opinions mine, not my employers except by coincidence. From jcobb at ahcbsd1.ovnet.com Thu Jan 18 22:00:36 1996 From: jcobb at ahcbsd1.ovnet.com (James M. Cobb) Date: Fri, 19 Jan 1996 14:00:36 +0800 Subject: remarkable recent stories Message-ID: Vladimir, On 01 16 96 you wrote: I haven't seen much dialogue on...key things that have popped up recently.... Among those key things: the absolute biggest blockbuster of them all: the NSA... did a study about how crypto regulations affect US competitiveness in the international marketplace.... And you ask: why would they release *this* one? meaning the NSA study on how crypto regulations affect US competitiveness abroad. On 01 13 96 I wrote a message to the list headed "ITAR Re-write?" In it I attempt to answer your question. I include it below for your convenience. Cordially, Jim INCLOSURE: Date: Sat, 13 Jan 1996 05:04:52 -0500 (EST) From: "James M. Cobb" To: cypherpunks at toad.com Subject: ITAR Re-write ? Friend, Bloomberg, the business news agency, reports 01 12 96: The U.S.
Commerce Department will recommend easing export controls on encryption software after a study by the department and the National Security Agency found that American firms are being hurt.... The report's release came on the same day federal prosecutors dropped a three-year investigation...of...Philip Zimmerman.... The government study comes a week after [the Computer Systems Policy Project] released [its] own study showing ...American companies will lose [maybe $60 billion] in U.S. computer system sales expected in 2000.... The 13-member Project ...includes International Business Machines...and AT&T.... Perhaps the let-go of Zimmerman is less a triumph of right than of might? But economic might is not the only kind of might: [Easing export controls] may pit Brown's department against U.S. defense and spy agencies.... So... [Commerce Secretary] Brown said his department will prepare recommendations for easing [ITAR] controls that should be forwarded to the president "within a few months." Meaning: the 13 Project members should be prepared to pay through the nose in the runup to the '96 gala. And just so they get the big picture: It's unclear if the NSA, the super-secret eavesdropping agency, endorsed the Commerce Department's conclusions in the report it jointly prepared. The newsstory reports ...federal prosecutors dropped [the Zimmerman] investigation without explanation.... No explanation's required. One hostage was released. 13 others were taken. But the one release does afford the new hostages, who have deep pockets, some hope... Cordially, Jim NOTE. The newsstory's headline? COMMERCE'S BROWN PROPOSES REWRITE OF ENCRYPTION EXPORT CONTROLS. Its dateline? WASHINGTON (Jan 12, 1996 5:34 p.m. EST). Its Nando News online filename? biz6_1893.html From mixmaster at obscura.com Fri Jan 19 14:01:20 1996 From: mixmaster at obscura.com (Mixmaster) Date: Fri, 19 Jan 96 14:01:20 PST Subject: WSJ: IBM Corp.
Compromises On Encryption Keys (fwd) Message-ID: <199601192200.OAA08481@obscura.com> You might want to disregard the paranoid, irrelevant head and tail, but the included article is very good, especially considering the establishment source. Nice headline, for the WSJ. Forwarded message: > Have you heard of problems with the equations that Excel 95 generates when > using the trendline analysis function in a chart? I haven't seen this, but because of all the math stuff on my web, I'm getting both phone calls and a lot of odd math feedback. We think we do have a real carry bit error between the Win 3.x and Win95. Some of the data I've reviewed is pretty scary. Microsoft lost a lot of their older programmers over the past 3 years. It was literally an Exodus out. Now they have a lot of people that can't read the old code and this is a real mess. They also can't get anyone with much experience to work there. Here in Redmond good people just stay away. I saw this article today in Dow Jones and thought it might shed some light on the security issues. I know what MS's 10 year strategy was from 1990. Steve Ballmer is the one making all the decisions on international markets. It's his baby. When I read this about IBM and Lotus all I could think of was Steve ordering the guys to make something acceptable for their license by the FED so they could gain market share over their competitors. This is just who he is. He doesn't understand the technical issues and hasn't listened to Gates in years. MS is pretty thick with DC and must pay off lots of people there. That is what they were doing when I worked for their government group. It's weird working with the FED. They are all into their power groups. AND they are very low tech. I swear the FED is scraping the bottom of the technical pool. The FBI is the worst. ------------------------------------ 1/18/96 IBM Corp. Compromises On Encryption Keys By Thomas E.
Weber Staff Reporter of The Wall Street Journal NEW YORK -- International Business Machines Corp., caving in to intense government pressure, agreed to include a special key that helps investigators tap into data messages in return for permission to export a more-secure version of its Lotus Notes software. The U.S. has prevented software makers from exporting sophisticated encryption technology for fear that terrorists and other criminals would gain access to a snoop-proof communications system. Industry observers said IBM's move marked the first time a supplier agreed to give the government special access to its software's security code. But other companies also are negotiating with the government to find ways around export restrictions. Microsoft Corp., for example, has been seeking industry support for a new scheme that separates encryption technology from application programs so that those products don't need export licenses. Encryption keys have stirred the concern of privacy experts in the past. While IBM's Lotus Development Corp. software unit defended the move as a stopgap compromise until a broader agreement on data security can be reached, Notes creator Ray Ozzie clearly found the controversial plan somewhat distasteful. "We were desperate enough to try to negotiate a short-term, pragmatic solution," Mr. Ozzie said. "But we do not believe this is the right long-term solution." One privacy advocate would agree. "The irreducible fact is that foreign customers are reluctant to rely on security products that have been compromised in some way" by federal intelligence agencies, said Mike Godwin, staff counsel for the Electronic Frontier Foundation. Several years ago the government proposed the "Clipper" computer chip that was programmed to let investigators tap into phone calls and data messages transmitted digitally. 
While that plan died after privacy advocates accused the government of trying to spy on users, the idea of leaving a back door open for government agents has remained alive. Under the Lotus plan, government investigators would still need to employ sophisticated code breaking to read messages sent via Notes software, which lets users at different computers collaborate. Security software encrypts information by using a unique key of software code. The length of a key is measured in computer bits, and longer keys are better -- they're more complex and more difficult for would-be spies, not to mention government agents, to unravel. Until now, to obtain an export license for Notes, Lotus has been restricted to an encryption system of 40 bits in its international version. Domestic users have been permitted to use a higher-level, more-secure 64-bit system. The new overseas version of Notes, tagged Release 4, will give foreign users 64-bit security. But to get permission to export the software, Lotus agreed to give the government access to 24 of those bits by using a special 24-bit key supplied by the National Security Agency. (END) DOW JONES NEWS 01-18-96 6 02 A ---------------------------- Gates is the kind of person who will do just what they want if he gets dicked with. He'll have a ranting fit (Gates is a functional autist) about how stupid it is and then he will just get eccentric and say, give them what they want with a grin. He is still a hacker at the core. You understand the problem here. The FED is making them use lower security and then patting them on the back and buying their products for our own government and military. Gates used to brag that he would crash the fed. I really believe he is still trying. NO ONE hates the FED more than GATES! He was a page in DC at 17 and got a good taste of our government. I've had it with these people too. DC is so disgusting. All these attorneys who don't know shit about anything but words and lying...
Hey, I updated my web... : ) Today I filed an appearance in court and fired my attorney. I'm still being dicked with here. If I don't look both ways when I cross the street, I get busted. This week it was an unwanted touch. I touched someone's shopping bag getting into my car. Next week it's a non-contact order by my daughter's guidance counselor. She considers a phone call from me about my daughter's possible college programs a threat! When I got the complaint it was totally nuts. Everything she knows about me is based on gossip. It reads like total hysteria. The way Microsoft has attempted to play me locally is really amazing. I was 40 when this started. Never had a problem before that. So when I say, 'Watch your back!' I mean it. : ) J~ http://www.halcyon.com/redrose/ From daw at quito.CS.Berkeley.EDU Fri Jan 19 14:17:37 1996 From: daw at quito.CS.Berkeley.EDU (David A Wagner) Date: Fri, 19 Jan 96 14:17:37 PST Subject: Hack Lotus? Message-ID: <199601192214.RAA28470@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article <199601190610.RAA17232 at sweeney.cs.monash.edu.au>, Jiri Baum wrote: > > Hack Lotus? Please do. > > I have no idea how Lotus actually does this, but: > > How about a salt determined by the forty bit part? > > Ie if the key is s.g (s=secret, g=gaked), the BARF (="Big-brother Access > Required Field") could contain Encrypt(Hash(s).g,BigBrother). > > The receiving end, knowing both s and g, could re-calculate the > BARF and only function when it's correct. Unless it's been hacked too, > in which case it could barf when the BARF is correct :-) Looks good to me -- I think that should work. I guess that goes to show my lack of creativity. :-) I was talking to Avi Rubin from Bellcore last night, and he speculated that maybe the 64 bit key was a fixed one, generated once at installation time and escrowed with the government then.
With a fixed pre-escrowed key, the receiver wouldn't have to do any checking; and it would obviate the need for a LEEF/BARF/... field. On the other hand, it seems to me like one should be able to disable this fixed pre-escrowed key mechanism with a little binary patch. I guess we need hard technical details. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] From mdiehl at dttus.com Fri Jan 19 14:33:57 1996 From: mdiehl at dttus.com (Martin Diehl) Date: Fri, 19 Jan 96 14:33:57 PST Subject: Keyboard emulation Message-ID: <9600198220.AA822098037@cc2.dttus.com> Steve, Yes, it's called PC Anywhere by Symantec MGD ______________________________ Reply Separator _________________________________ Subject: Keyboard emulation Author: "Steve Makrecky" at Internet-USA Date: 1/18/96 7:21 PM Looking for a design of a keyboard & mouse emulator. What I would like to do is control a main computer's keyboard and mouse functions by a second RS232 remote IBM PC. Has anybody tried this? Do you foresee any problems? From llurch at networking.stanford.edu Fri Jan 19 15:09:33 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 19 Jan 96 15:09:33 PST Subject: Code demonstrating Microsoft Windows insecurity on networks (fwd) Message-ID: What "anonymous" said (below). I had permission to forward this, but I figured it might attract more interest if it were "anonymous" to people who can't read headers.
Almost two months after Peter and Frank demonstrated that it was untrue, and one month and five days after Microsoft "significantly improved" Windows 95 by providing a patch for the exact same algorithm, Microsoft this very second still says that the .PWL algorithm as used in Windows for Workgroups is secure. http://www.microsoft.com/kb/peropsys/windows/q90271.htm This article will also be included on thousands of copies of the February TechNet CD-ROM. Other Knowledge Base articles have been corrected in less than a day. Yusuf's statement that my January 16th email is the first that he had heard of the .PWL problem is both patently ridiculous and directly contradicted by private email from anonymous sources on this list whom T. C. May has killfiled. In other news, the international versions of the SMB and C$ bug fixes exploited by Samba and Paul Brainard were finally posted today (as usual, they're dated yesterday). So the non-US public shares listed on, for example, www.winserve.com no longer have to be completely open to everyone on the Internet. Yusuf Mehdi, the Windows 95 Product Manager, had told me on November 9th that these internationalized patches would be posted "within two weeks." No excuse for this two-month delay has been offered. Yusuf also, well, lied on November 9th when he said that Microsoft had "sent mail to the newsgroups" retracting their statement that the SMB bug was caused by Samba sending "illegal network commands," and clarifying that the patches dated October 20th only work on US/English versions of Windows 95. The original Microsoft announcement as released to the media and WinNews is at: gopher://quixote.stanford.edu/0R593020-600291-/win95netbugs The current version, which contrary to Yusuf's statements on November 9th does not indicate that there has been any change, is at: http://www.microsoft.com/windows/software/w95fpup.htm By the way, MSN is going to allow access via TCP/IP soon. Let's make sure they do it securely. 
-rich ---------- Forwarded message ---------- Newsgroups: comp.security.misc,comp.os.ms-windows.nt.admin.networking,alt.security,comp.os.ms-windows.networking.windows,comp.os.ms-windows.programmer.networks Path: nntp.Stanford.EDU!news.Stanford.EDU!nntp-hub2.barrnet.net!newsfeed.internetmci.com!nuclear.microserve.net!luzskru.cpcnet.com!not-for-mail From: anonymous at alpha.c2.org Subject: Code demonstrating Microsoft Windows insecurity on networks Sender: rich at infinity.c2.org Message-ID: <4dnmcu$pt4 at infinity.c2.org> Date: 19 Jan 1996 00:57:02 -0800 Organization: http://www.c2.org/hackmsoft/ Summary: Cypherpunks share code Lines: 210 Just a little something to hurry this liar up: Received: from tide10.microsoft.com (firewall-user at tide10.microsoft.com [131.107.3.20]) by infinity.c2.org (8.7.1/8.6.9) with SMTP id JAA14902 for ; Tue, 16 Jan 1996 09:07:26 -0800 (PST) Community ConneXion: Privacy & Community: Received: by tide10.microsoft.com; id JAA00999; Tue, 16 Jan 1996 09:28:16 -0800 Received: from unknown(157.54.17.74) by tide10.microsoft.com via smap (g3.0.3) id xma000913; Tue, 16 Jan 96 09:27:48 -0800 Received: from xnet2 (xnet2.microsoft.com [157.54.17.205]) by imail2.microsoft.com (8.7.1/8.7.1) with SMTP id JAA02991 for ; Tue, 16 Jan 1996 09:15:28 -0800 (PST) X-Received: from xmtp4 by xnet2 with receive; Tue, 16 Jan 1996 09:12:22 -0800 X-Received: from RED-02-IMC by xmtp4 with recvsmtp; Tue, 16 Jan 1996 09:08:41 -0800 Received: by red-02-imc.itg.microsoft.com with Microsoft Exchange (IMC 4.22.611) id <01BAE3F2.39A25280 at red-02-imc.itg.microsoft.com>; Tue, 16 Jan 1996 09:08:39 -0800 Message-ID: From: Yusuf Mehdi To: Rich Graves , Yves Michali Cc: "pgut01 at cs.auckland.ac.nz" , "hackmsoft at c2.org" , Robert Bennett , Michael Ahern , Russell Stockdale Subject: RE: Need confirmation of Win95 password encryption back door (fwd) Date: Tue, 16 Jan 1996 09:08:30 -0800 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.22.611 Encoding: 204 
TEXT X-MsXMTID: xmtp4960116170841RECVSMTP[01.52.00]000000fb-49231 Rich, Thanks for your email. This is the first I've seen of your email. I'm forwarding to Mike Ahearn who will handle any issues. If we have outdated information in the knowledge base, I apologize and we will certainly correct asap. Mike will investigate and let you know the outcome. As always we appreciate your feedback. Yusuf ---------- From: Rich Graves[SMTP:llurch at networking.stanford.edu] Sent: Tuesday, January 16, 1996 5:06 AM To: Yusuf Mehdi; Yves Michali Cc: pgut01 at cs.auckland.ac.nz; hackmsoft at c2.org Subject: Re: Need confirmation of Win95 password encryption back door (fwd) [A reply to a cypherpunks post] Peter, I'm forwarding this to the Windows 95 Product Manager, who does not seem to be taking this at all seriously, and Bcc'ing it to the technically knowledgeable reporters I mentioned in my other message and to four Microsoft engineers who have sent me mail, two of them on condition of anonymity (at least one of whom fears management reprisals). I don't see any particular reason to tell Microsoft everyone I am talking to, especially since they have been less than completely honest with me. Yusuf, please ask the Windows for Workgroups group to at least acknowledge the .PWL encryption bugs they have known about since at least November 29th, correct the Knowledge Base articles that explain how secure .PWL files are, and let the public know whether they have any plans to fix these bugs and fundamental architectural weaknesses. To put this more succinctly, the below, from Q90271, is complete bullshit, and you know it. The password list file is encrypted with an algorithm that meets the U.S. government Data Encryption Standard (DES). This encryption technology is the highest security allowed in software exported from the United States. The odds of breaking the encryption algorithm are less than those for random guesses of what the password might be. 
If you don't spread the word, we will. All it takes is a couple of free hours on CompuServe, America Online, Prodigy, Delphi, and the Microsoft Network, not to mention the Internet itself. Right now, my mailing list has 600 serious network managers in 20 countries, and my Web site gets about 1,000 hits per day (that's the main site; there are also mirrors in Russia, the UK, and Australia). -rich ---------- Forwarded message ---------- Date: Wed, 17 Jan 1996 01:15:20 +1300 (NZDT) From: pgut01 at cs.auckland.ac.nz To: llurch at networking.stanford.edu Subject: Re: Need confirmation of Win95 password encryption back door >A Major Media Outlet requires confirmation that Windows 95, to facilitate its >automatic reconnect feature for sleeping laptops and temporary network >outages, caches all network passwords (NetWare, NT, UNIX running Samba, >SLIP/PPP dialup) in unprotected memory in clear text, whether you've disabled >persistent "password caching" to disk and applied the December 14th 128-bit >RC4 .PWL patch, or not. There seems to be no way to turn this off. Would you like me to confirm it for WfW? Actually you can probably do it for Win95 by removing the password file after the initial connect. If Win95 can reconnect with the password file missing, then the passwords are still in memory. You'll have to be careful though to make sure they're not being read from the Windows disk cache, loading Word in between killing the connection and trying to reconnect should clear the password file from the cache. >So, anyone have Win95 and some time to kill, or can anyone recommend a good >DOS/Windows RAM grepper? Given that the descriptor tables are apparently unprotected in Win95 (which is pretty incredible), it shouldn't be too hard to get access to all of memory from a user process. In any case a VxD should be able to grep all of memory in the background without the user even being aware of it.
>We know that this vulnerability exists in Windows for Workgroups, and Peter >wrote a little demo (on hackmsoft page below, without source), but the APIs >appear to have changed in Win95. Sorry about the delay in getting this to you, as I mentioned before it was on a machine a fair way away, stuck behind a firewall. I haven't included all the SMTP stuff and whatnot because there's quite a bit of it and it's boring, the routines which do all the work are the following... This is the function called by WNetEnumCachedPasswords() to enumerate each password: [*CODE DELETED*] /* Record the password information */ [*CODE DELETED*] /* Signify that we want to move to the next entry */ [*CODE DELETED*] This is the function which actually does the enumeration. The for() loop defines what resources you want to get passwords for. [*CODE DELETED*] /* Get the proc. address of the password manipulation function */ [*CODE DELETED*] /* Enumerate the passwords */ [*CODE DELETED*] To find out (for example) what disk drive resources you're using: /* Check each drive to see if it's a network resource */ for( driveNo = 2; driveNo < 26; driveNo++ ) if( GetDriveType( driveNo ) == DRIVE_REMOTE ) { char password[ 100 ], resource[ 100 ]; char *driveName = "x:"; WORD passwordLength = 100, resourceLength = 100; BYTE resourceNo; int i; /* Find the name of the network resource for this drive number */ *driveName = 'A' + driveNo; WNetGetConnection( driveName, resource, &resourceLength ); } This code should be modifiable by anyone to get any password for any resource. I'll leave it to you to decide how much to publish, the worry is that if you publish all of it people will whine about it helping hackers. Might I suggest something like: /* Get the proc. 
address of the password manipulation function */ WNetEnumCachedPasswords = ( LPWNETENUMCACHEDPASSWORDS ) \ GetProcAddress( WNetGetCaps( 0xFFFF ), \ MAKEINTRESOURCE( ORD_WNETENUMCACHEDPASSWORDS ) ); if( WNetEnumCachedPasswords == NULL ) exit( EXIT_FAILURE ); /* Enumerate the passwords for the resources we want. This only gets the first password, in practice we'd keep calling WNetEnumCachedPasswords() until the enumPasswordProc() tells us (via the returned status) to stop, then move on to the next resource */ for( resourceNo = START_RESOURCE; resourceNo <= END_RESOURCE; resourceNo++ ) status = ( *WNetEnumCachedPasswords )( "", 0, ( BYTE ) resourceNo, \ enumPasswordProc ); This shows how simple it is, but doesn't give people something they can just cut and paste into their own code to get something which will give them all passwords. You may want to include the "find drive resources" code fragment as well as an example of how to do this, although it's not really necessary. Feel free to forward this to whoever you think is appropriate, although it's probably best not to give the get-any-password capable version to the masses. Peter. From hallam at w3.org Fri Jan 19 15:16:13 1996 From: hallam at w3.org (hallam at w3.org) Date: Fri, 19 Jan 96 15:16:13 PST Subject: Hack Lotus? In-Reply-To: <199601192214.RAA28470@bb.hks.net> Message-ID: <9601192315.AA08094@zorch.w3.org> I've been thinking about how I would do the lotus hack. I certainly would not be wanting to do a public key operation for the benefit of the government on every message. How about the following: During installation of program: Select a random key ER, encrypt it under the govt. public key to give Eg(ER). To start encrypting, chose a random value R, encrypt under destination public key to give Ek(R) set 40 bits of R to 0 to produce R' Encrypt R' under ER to give E-ER(R') Hash R, E-ER(R') and Eg(ER) with a one way function (MDMF like) to produce the actual key. 
Send across Ek(R), E-ER(R'), Eg(ER) To decrypt the message one needs the information for the escrow authority. Phill From unicorn at schloss.li Fri Jan 19 17:03:17 1996 From: unicorn at schloss.li (Black Unicorn) Date: Fri, 19 Jan 96 17:03:17 PST Subject: CelBomb In-Reply-To: Message-ID: On Tue, 16 Jan 1996, Doug Hughes wrote: > > Just FYI: > > Time has a different twist on the entire story than the 'trusted > compatriot hands over rigged phone' story that has been the basis > for comment around here. Is it any mystery that of the four publications quoted on the list, there are four different versions of the event? "Sources and Methods" ya know. > -- > ____________________________________________________________________________ > Doug Hughes Engineering Network Services > System/Net Admin Auburn University > doug at eng.auburn.edu > Pro is to Con as progress is to congress --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From nobody at REPLAY.COM Fri Jan 19 01:29:24 1996 From: nobody at REPLAY.COM (Anonymous) Date: Fri, 19 Jan 1996 17:29:24 +0800 Subject: Respect for privacy != Re: exposure=deterence? Message-ID: <199601190919.KAA10339@utopia.hacktic.nl> -----BEGIN PGP SIGNED MESSAGE----- On 15 Jan 96, Rich Graves wrote: > But government employees should only be held accountable for > their actions as government employees. If the situation > warrants, go ahead and tap their offices, break into their work > computers, etc. But don't fuck with their personal lives. Oh, my! A little sensitive, are we? Aren't you even a *little* struck by the fact that fucking with people's personal lives is *precisely* what errant government officials *do*??? 
> Lots of people on this list have the power to carry out their > own tyranny over both individuals and groups. All it takes in > today's fragile online world is a little specialized knowledge. > I don't think it's ethical to use this power without serious > thought. Some might opine that the reason we have so many abuses is that so *few* people use the power they hold in their hands to set things right. Even the well-intentioned seem to expect someone *else* to do their maintenance of the republic for them. > The line between government and non-government is increasingly > blurry anyway. That's part of The Game, Rich. It makes it all that much easier for people to dismiss attempts at delineation by saying things like, oh, "The line between government and non-government is increasingly blurry anyway." > Everybody gets something from the government, be it roads or an > education. Oh. Okay, then. That makes it OK for them to indict you to keep their statistics up. Works for me! > Why should you be more suspicious of the guy getting paid > $10/hour to deliver your mail by the government than the > private businessman getting millions of dollars in government > subsidies? I'm not. Maybe *you* should be more suspicious of the guy getting paid $100K of direct government money to manage a national campaign of low-key terror than you should of the private businessman unable to pay himself because he *must* pay his employees and the government doesn't leave him enough for his own paycheck. This last is a *lot* more common than the "private businessman getting millions of dollars in government subsidies." > I think we're fundamentally asking the wrong question. I only > see relative power. I'd estimate that Bill Gates is more > powerful than Fidel Castro in many respects. He's certainly a > lot more powerful than your average postal clerk. "Looking for pow'r... in all the wrong places, (la-tee-dah)..." 
Admit it, Rich, you only see harmful power where you want to see it, and that isn't in government -- it is in private hands, particularly *corporate* hands. Geez, but you'd think that left-handed university cookie cutter would have gotten dulled and broken by now, and that they'd have fashioned a new one. I'd estimate that the Postmaster General is more powerful than Fidel Castro in many respects. He's certainly a lot more powerful than your average private businessman. > P.S. For the Good of the Order, I'm temporarily ignoring > jimbell That's quite all right. We can be sure he won't ignore *you*. We Jurgar Din (that will have to suffice: I do not yet live in a free country) +"The battle, Sir, is not to the strong alone. It is to the+ +vigilant, the active, the brave. Besides, Sir, we have no + +election. If we were base enough to desire it, it is now + +too late to retire from the contest." -Patrick Henry 1775 + From nobody at REPLAY.COM Fri Jan 19 01:39:57 1996 From: nobody at REPLAY.COM (Anonymous) Date: Fri, 19 Jan 1996 17:39:57 +0800 Subject: NSA vacuuming down Internet traffic Message-ID: <199601190923.KAA10526@utopia.hacktic.nl> -----BEGIN PGP SIGNED MESSAGE----- WRT: "...the same article had Madsen stating that the NSA is vacuuming down Internet traffic. he gave the likely entry points that they are doing this." It's a virtual lead-pipe cinch that this is being done and probably has been going on for longer than anyone would like to think. In the 1960's - 1970's when international cable traffic was in its computer infancy, access was had to EVERY CABLE MESSAGE passing through the message switches of U.S. common carriers. This means not only every international cable message originating from or destined to a U.S.
point, but also included every message ROUTED THROUGH the U.S., such as Europe <--> South America. There was no great skullduggery involved -- the common carriers simply made copies of their own log tapes and handed them to messengers from the, ah, FCC (ahem). It was on the operations checklist and no one thought twice about it. It may be urban legend to some, but I've seen it with my own eyes, handled the tapes with my own hands. If anyone else wishes to move this from the status of urban legend to something more solid, all they have to do is locate and ask people who worked in message switch operations at RCA Global Communications, ITT World Communications, or Western Union International, the three common carriers of that time. Knowing this, I would assume something similar was done at overseas locations of the same carriers and at such other access points as could be compromised. An organization such as NSA that viewed this as SOP would have to be brain dead not to be doing the same thing with the Internet. The only question in my mind is how far they have gone beyond USENET and the newer, fertile ground of web sites. Are they vacuuming packets and reassembling email? Just how many laser discs have been filled with coherent traffic? Time to exercise those plain, brown envelopes. We Jurgar Din (that will have to suffice: I do not yet live in a free country) +"The battle, Sir, is not to the strong alone. It is to the+ +vigilant, the active, the brave. Besides, Sir, we have no + +election. If we were base enough to desire it, it is now + +too late to retire from the contest." 
-Patrick Henry 1775 + -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQBVAwUBMP9XX0jw99YhtpnhAQEH1gH+KiIxJ3eXZCNGq5mG9UB1A68+TOLe9tCk NG170tzIBtwjlXw09B83Oxx16WineBqlZ7NJJiRazssBpFqDnWEh4A== =tUWW -----END PGP SIGNATURE----- From jirib at sweeney.cs.monash.edu.au Fri Jan 19 02:25:01 1996 From: jirib at sweeney.cs.monash.edu.au (Jiri Baum) Date: Fri, 19 Jan 1996 18:25:01 +0800 Subject: Hack Lotus? In-Reply-To: <199601190154.UAA24710@bb.hks.net> Message-ID: <199601190610.RAA17232@sweeney.cs.monash.edu.au> -----BEGIN PGP SIGNED MESSAGE----- Hello cypherpunks at toad.com and daw at beijing.CS.Berkeley.EDU (David A Wagner) ... > Hack Lotus? Please do. ... > If the receiving Lotus Notes program does verify that the high 24 bits > are escrowed correctly, then anyone can verify that, so in 2^24 trials, > I can recover the high 24 bits, and with 2^40 more trials, I can recover > the high 40 bits. Therefore 2^40 + 2^24 trials should suffice to hack > Lotus if this is how it works. ... I have no idea how Lotus actually does this, but: How about a salt determined by the forty bit part? Ie if the key is s.g (s=secret, g=gaked), the BARF (="Big-brother Access Required Field") could contain Encrypt(Hash(s).g,BigBrother). The receiving end, knowing both s and g, could re-calculate the BARF and only function when it's correct. Unless it's been hacked too, in which case it could barf when the BARF is correct :-) Would that work or have I missed something? As I said, I've no idea what Lotus actually does. Jiri - -- If you want an answer, please mail to . On sweeney, I may delete without reading! 
PGP 463A14D5 (but it's at home so it'll take a day or two) PGP EF0607F9 (but it's at uni so don't rely on it too much) -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMP81zCxV6mvvBgf5AQGcZgP+PZyX+uZsHcG/RM29onq8d7FB402nHiqM QgZi6dXb7AkilYrw0YGt1fDDzi1W7+0bufmX2sa02r6Yh/MkJ8Lw+O/WHYau5eDP XC91pTFQHAYlvi9zNIKoclh1x2Z3dDUkly5yBA3nAhDuY2tcteop8nPLewA49qm5 H61a7l3o+Ys= =Prxc -----END PGP SIGNATURE----- From jirib at sweeney.cs.monash.edu.au Fri Jan 19 03:11:02 1996 From: jirib at sweeney.cs.monash.edu.au (Jiri Baum) Date: Fri, 19 Jan 1996 19:11:02 +0800 Subject: Ozzie Apes Jim Clark, Fix Is In to Cave and Cry In-Reply-To: <199601182115.PAA10170@monad.armadillo.com> Message-ID: <199601190944.UAA17814@sweeney.cs.monash.edu.au> -----BEGIN PGP SIGNED MESSAGE----- Hello "david d `zoo' zuhn" and wendigo at pobox.com (Mark Rogaski), cypherpunks at toad.com ... > // : >of those bits by using a special 24-bit key supplied by the > > // That was the question that came to mind when I read the article, too. > // How exactly are they planning on implementing this? > > Looks straightforward to me. Any time a bulk key is generated (aka session > key), take a known number of bits in a known location (top n or bottom n) > and encrypt those with the public key of the agent you want to give the n > key bits to. ... Not so easy - as somebody pointed out in another thread, this will be very easy to brute - only 2^24 cleartexts to try... You have to put in some salt to prevent this. If you want the recipient to be able to check that the key is correctly there, you need to make the salt known to both (eg a 1-way hash of the whole key). You might want to do this to make the program refuse to interoperate with hacked versions. ... > Neither give away the entire key directly, so it's not a trivial decoding > operation. But 40 bits isn't terribly difficult to decode either. 
> > The advantage, as seen by many people, is that the full key is much larger > in the Notes implementation style so non-governmental attackers have a much > harder problem to solve in order to crack the message. ... I suppose it'll be safe for a while yet (esp. for session keys), but has anyone multiplied that graphics-workstation-40bit price by 2^24? It's only 10 billion! (billion=10^9) A lot of money, sure, but given that it's not very expensive to go to 128 bits or more, why ??? (Please, do NOT post c*nspiracy theories --- they are obvious to everyone and therefore unpatentable.) ... > GAK is reasonable, to those who trust the government. Now the subset of > this list who do so may be a much smaller percentage than the subset of the > VPs of IS that do. But that's a different message. ... Now how about the percentage of *foreign* people who trust the US govt.? Given that it has said that it'll spy commercially... (if memory serves). Hope I'm making sense... (well, they say "hope dies last"...) Jiri - -- If you want an answer, please mail to . On sweeney, I may delete without reading! PGP 463A14D5 (but it's at home so it'll take a day or two) PGP EF0607F9 (but it's at uni so don't rely on it too much) -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMP9n2ixV6mvvBgf5AQEmYAQAuaEVsUgZ/W5FwMC9gJdLUN73UTi4A+ur KE32A3sQrlC0yFIkRgfjusRu7emJQjlTphJVX/Zwb4l4nwF+1eDpstELL9ccKpW2 E+hvLF2Qn8mqdTFnkHWKAvAqGUcNFm8thPcDzmgGnKMFGODZJnNyI/DfgikLzdQw asjL5+/9RWs= =2K0T -----END PGP SIGNATURE----- From zoo at armadillo.com Fri Jan 19 03:13:47 1996 From: zoo at armadillo.com (david d `zoo' zuhn) Date: Fri, 19 Jan 1996 19:13:47 +0800 Subject: Ozzie Apes Jim Clark, Fix Is In to Cave and Cry In-Reply-To: <199601190944.UAA17814@sweeney.cs.monash.edu.au> Message-ID: <199601191106.FAA15561@monad.armadillo.com> -----BEGIN PGP SIGNED MESSAGE----- // I suppose it'll be safe for a while yet (esp. 
for session keys), but // has anyone multiplied that graphics-workstation-40bit price by 2^24? // It's only 10 billion! (billion=10^9) A lot of money, sure, but given // that it's not very expensive to go to 128 bits or more, why ??? Probably to satisfy the spirit of the proposed new export regulations that require a max of 64 bits. They would have to get US Gov't approval for this workfactor-reduction export as well, so there could be additional pressure applied to keep it to 64 bits. What if the workfactor-reduction bits got encrypted with a different key that the Gov't didn't have (via a patch binary for example)? Then the work is only 64 bits and not 128. Given the size of the NSA budgets, the equipment to break 64 bits is almost certainly available. They'd probably much rather break 2^24 40 bit key than 1 64 bit key, but they'll do what they have to in order to make sure they can read the keys. // Now how about the percentage of *foreign* people who trust the US govt.? // Given that it has said that it'll spy commercially... (if memory // serves). Memory serves me oppositely -- denial that it has done so in the past and saying that they would not do so in the future. This came a couple of months ago during trade negotiations with the Japanese government. - -- - - david d `zoo' zuhn -| armadillo zoo software -- St. Paul, Minnesota - -- zoo at armadillo.com --| unix generalist (and occasional specialist) - ------------------------+ http://www.armadillo.com/ for more information pgp key upon request +---------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface iQCVAwUBMP97Cu80ah2ymxnRAQGquQP+LXaSHcPvbVfntcyw+f86am9fbyzWwITE fpIl13Hp560BXFnF/gQCGt1a87aShEIqQbhkOEHTty2ORjOrGHExjxYWZTuZS/UI JyfhN/n/0oi7yGHk5BSN31PtnFKU7JbLyBKAujaUvsmPGttz+8Hr+wZXhEwzJ4XA Cl3OAO2AAAg= =Npod -----END PGP SIGNATURE----- [ At home now, so it's signed...] 
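The escrow field debated in the messages above, unsalted versus the salted form Encrypt(Hash(s).g, BigBrother), as an added example that is not code from any poster or from Lotus. The toy RSA key, the 96-bit SHA-256 truncation and all function names are assumptions; the demo shrinks the escrowed part from 24 bits to 16 so it runs in seconds.

```python
import hashlib

# Constructed toy RSA key standing in for the escrow agent ("BigBrother" in the
# post). Textbook RSA with no padding is deterministic, which is the property
# the thread is arguing about. Not a real key, not a real key size.
P, Q = 2**61 - 1, 2**89 - 1            # two Mersenne primes, demo only
N, E = P * Q, 65537                    # public half, known to everyone
D = pow(E, -1, (P - 1) * (Q - 1))      # private half, held by the agent only

SECRET_BITS = 40   # s: the part the agent must still search
ESCROW_BITS = 24   # g: the part handed to the agent (figure from the thread)
SALT_BITS = 96     # length of the truncated hash, an assumption of this sketch


def salt(s: int) -> int:
    """Hash(s) from the post: SHA-256 of the secret part, truncated."""
    digest = hashlib.sha256(s.to_bytes(SECRET_BITS // 8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - SALT_BITS)


def field_unsalted(g: int) -> int:
    """Escrow field that encrypts only the g bits under the agent's key."""
    return pow(g, E, N)


def field_salted(s: int, g: int, bits: int = ESCROW_BITS) -> int:
    """Escrow field from the post: Encrypt(Hash(s).g, BigBrother)."""
    return pow((salt(s) << bits) | g, E, N)


def dictionary_attack(field: int, bits: int = ESCROW_BITS):
    """What any holder of the public key can do: encrypt every possible g and
    compare. Costs 2**bits encryptions and needs no private key."""
    for guess in range(1 << bits):
        if pow(guess, E, N) == field:
            return guess
    return None


def receiver_check(s: int, g: int, field: int, bits: int = ESCROW_BITS) -> bool:
    """The receiving program knows s and g, so it can recompute the salted
    field and refuse to interoperate when it does not match."""
    return field_salted(s, g, bits) == field


def agent_recover(field: int, bits: int = ESCROW_BITS) -> int:
    """The agent decrypts and keeps the low bits; with the salted form the
    hash above them is simply discarded."""
    return pow(field, D, N) & ((1 << bits) - 1)


if __name__ == "__main__":
    demo_bits = 16                      # scaled down from 24 for run time
    s, g = 0x5A17C0FFEE, 0xBEEF         # constructed sample key halves

    plain = field_unsalted(g)
    salted = field_salted(s, g, demo_bits)

    # Unsalted: the g bits fall to a small dictionary, leaving only 2**40.
    print("unsalted field, g found by dictionary:", dictionary_attack(plain, demo_bits))
    # Salted: guessing g alone never matches, because the plaintext also
    # depends on s; a guess has to get s and g right together.
    print("salted field, g found by dictionary:  ", dictionary_attack(salted, demo_bits))
    print("receiver accepts genuine field:       ", receiver_check(s, g, salted, demo_bits))
    print("receiver accepts tampered g:          ", receiver_check(s, g ^ 1, salted, demo_bits))
    print("agent recovers g from salted field:   ", hex(agent_recover(salted, demo_bits)))
```

The salt keeps the field checkable by the receiver and readable by the agent while removing the standalone 2^24 test that an outsider would otherwise get from a deterministic field.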
From jleppek at suw2k.hisd.harris.com Fri Jan 19 03:13:57 1996 From: jleppek at suw2k.hisd.harris.com (James Leppek) Date: Fri, 19 Jan 1996 19:13:57 +0800 Subject: authenticating intrahost crypto providers Message-ID: <9601181637.AA01592@suw2k.hisd.harris.com> I have been doing some research on the development of an abstract security services API(not just a CAPI) and have hit a road block. The problem revolves around the need to authenticate a security service provider to an application. I noticed that microsoft has followed a path of providing a signature in each external provider but the feeling is that this is not that difficult to circumvent. I have the same misgivings but cannot come up with anything else. Are my misgivings unfounded??? What are some other possibilities to allow intrahost (application) authentication of services. Do you need to actually have a cryptographic binding of services? Comments.... Jim Leppek jleppek at suw2k.hisd.harris.com Harris Corporation From nobody at REPLAY.COM Fri Jan 19 03:16:17 1996 From: nobody at REPLAY.COM (Anonymous) Date: Fri, 19 Jan 1996 19:16:17 +0800 Subject: Indecent Trash Message-ID: <199601190944.KAA10937@utopia.hacktic.nl> -----BEGIN PGP SIGNED MESSAGE----- On 10 Jan 96 at 10:42, t byfield wrote: > At 10:26 PM 1/9/96, Alexander 'Sasha' Chislenko wrote: > > >- Landfills: They are probably the richest source of detailed > > historical information that is not obtainable from any > > other source and can be used to reconstruct the detailed > > history of society, economy, technology and any single > > person with incredible detail. > I ain't holding my breath until someone develops a search > engine for Fresh Kills. I can see it now... about the time that Grandson of Altavista finally yields a URL for Jimmy Hoffa's body in some dump somewhere the government will have figured out that it's so much simpler to catalog the stuff on the way IN, when all the artifacts are fresh and unmixed. 
While we're all watching what the government does to intercept packets, they will be routing *trash* packets through mysterious "garbage routers." As the stink grows stronger, someone will conceive of anonymous trash forwarders. They will accept unidentified trash, no questions asked, anonymize it with random DNA and fingerprint whorls, and sneak it into public trash receptacles. DNA generators will enable the mischievous to plant fabricated indications that Hillary did indeed have something going with Vince, the late Khomeini (hey, hard is hard, right?) as well as legions of four-footed friends, confirming the suspicions of multitudes. As the piles of trash-based data grow, some Senator from Nebraska will sound the alarm that kids are too easily exposed to the indecent signs of private behavior retrievable on the Net and will propose draconian measures to hold everyone responsible for their contributions to the city landfill. Public receptacles will be closed. Trash will only be collected from registered Identified Surplus Providers (ISP's). $250,000 fine for disposing of a condom in a dump accessible from the Internet... 10 years in prison for carelessly tossing those nasty Polaroids in the kitchen compactor. The trash of the world will have to be made safe for kids to view. Everything will be a lot easier to trace and control if the garbage input is fully identified. Barcodes on trash bags might do for starters. Access to the garbage system might have to be restricted to those 18 and over. Trash collectors could be made responsible for content, drafting them without pay into the ranks of the trash police. People could be encouraged to report suspicious trash, and trash-related activities like neighbors sneaking out at night to place an innocent-looking compactor bag down the block with someone else's trash.
For their own protection, youngsters might be required to retain all their garbage until age 18 and then, in a solemn ceremony worthy of the true significance of coming of age, pitch it all (duly anonymized to prevent abuse of minor indiscretions) from their new position as lawful participants in the world garbage system, friends and well-wishers trying to applaud and hold their noses at the same time (try it -- if you're not careful you can break your own nose, but hey, that'll work, too!). Who knows? Maybe Heinlein's advocacy of keeping kids in a barrel and feeding them through a hole until age 18 will enjoy resurgence among the compulsively protective while the Web meanwhile will provide real time underground data on Heinlein's rpm rate. Protecting the trash of youth will, however, give rise to the hiding of adult trash among that of the underaged. The government will have to root out offenders and "impute" suspicious trash to the parents. Those with no visible source of trash will of course be suspect, and will have to emit innocent trash to cover themselves. This will give rise to the practice of "trash laundering," in which agents convert nasty trash to innocuous trash that may then be tossed into any monitored, controlled channels with no repercussions. Trash laundering will become a grave offense to the accompaniment of government and Ad Council PSA's and free brochures from Pueblo, Colorado. Blatant offenders who have fled to foreign climes will be kidnapped, some will be tortured, because the War Against Filth will be a moral commitment of the national body. Foreign governments headed by suspected trash traffickers will be toppled in quickie invasions, their leaders brought back in chains to disappear into federal dungeons. 
Public debate will center on the legalities and rationalizations of using the military in policing domestic trash, while agencies such as the FBI cry for more budget to fight the scourge that threatens the decency of the nation's repositories. Control of trash will spread inevitably to control of liquid wastes, whereupon a terrible discovery will be made: Everyone, but everyone, emits unspeakable bodily products. At that point the government will have no choice but to reluctantly declare everyone an outlaw and execute the populace. It's all as logical as what happens when you introduce division by zero way down at the bottom of the complex equation where it isn't so noticeable. We Jurgar Din (that will have to suffice: I do not yet live in a free country) +"The battle, Sir, is not to the strong alone. It is to the+ +vigilant, the active, the brave. Besides, Sir, we have no + +election. If we were base enough to desire it, it is now + +too late to retire from the contest." -Patrick Henry 1775 + -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQBVAwUBMPS/PEjw99YhtpnhAQH1UQH5AdXBd7AvG6xT7x/cTXf5W1cAUXzoJ+GB N0/SPrdoJnbUSN5LkJDwoVwA/eiL6/LVN9CjtmQwmydyBysM7M/7Xw== =q+CF -----END PGP SIGNATURE----- From jya at pipeline.com Fri Jan 19 06:26:13 1996 From: jya at pipeline.com (John Young) Date: Fri, 19 Jan 1996 22:26:13 +0800 Subject: NSA vacuuming down Internet traffic Message-ID: <199601191410.JAA09163@pipe2.nyc.pipeline.com> Responding to msg by nobody at REPLAY.COM (Anonymous) on Fri, 19 Jan 10:23 AM >In the 1960's - 1970's when international cable traffic >was in its computer infancy, access was had to EVERY >CABLE MESSAGE passing through the message switches of >U.S. common carriers. 
> >If anyone else wishes to move this from the status of >urban legend to something more solid, all they have to >do is locate and ask people who worked in message >switch operations at RCA Global Communications, ITT >World Communications, or Western Union International, >the three common carriers of that time. > >We Jurgar Din Yes, indeed. James Bamford in "The Puzzle Palace" details the long-term TLA-access to international cable traffic -- via Operation Shamrock -- beginning in 1945 and ostensibly ending in 1975. See Chapter 6, "Targets." Aside, in this chapter Bamford writes that Louis Tordella, who died earlier this week, "The Agency's chief keeper of the secrets," was central to targeting of thousands of Americans. Bamford says of Tordella, "If NSA was the darkest part of the government, Tordella was the darkest part of the NSA." Tordella allegedly shielded various NSA heads by not telling them what was going on -- to their great relief. David Kahn in "The Codebreakers" more extensively examines the history of spying on citizens in the national interest. It will be interesting to read what he is currently researching at the more PR-oriented NSA -- and perhaps provide pointers to deep-blacker orgs that have supplanted it through non-FOIA arrangements like those of Shamrock. From stend at grendel.texas.net Fri Jan 19 07:23:05 1996 From: stend at grendel.texas.net (Sten Drescher) Date: Fri, 19 Jan 1996 23:23:05 +0800 Subject: Single computer breaks 40-bit RC4 in under 8 days In-Reply-To: Message-ID: <55buo0z0bc.fsf@galil.austnsc.tandem.com> Rich Graves said: >> workstations, Doligez averaged 850,000 keys per second.ICE used the >> following formula to determine its $584 cost of computing power: the >> total cost of the computer divided by the number of days in a >> three-year lifespan (1,095), multiplied by the number of days (7.7) >> it takes to break the code. 
RG> This assumes, of however, that collecting encrypted communications, RG> feeding them to the computer with 100% efficiency, electricity, RG> labor, etc. are completely free. RG> I hope everyone recognizes this as more old news and ICE RG> marketing. In a fantasy world, the press et al would see this and RG> clamor for the revocation of ITAR. This is old news to those of us who understand it. But this new way of presenting the information is newsworthy. Yes, it over-simplifies the costs of collecting the transactions to force, but the sound bite nature of reporting today requires that. The government is trying to give people warm fuzzies about the 'security' of 40-bit encryption, and we, unfortunately, need to be spreading FUD about that. This helps to do that. -- #include /* Sten Drescher */ 1973 Steelers About Three Bricks Shy of a Load 1994 Steelers 1974 Steelers And the Load Filled Up 1995 Steelers? To get my PGP public key, send me email with your public key and Subject: PGP key exchange Key fingerprint = 90 5F 1D FD A6 7C 84 5E A9 D3 90 16 B2 44 C4 F3 Unsolicited email advertisements will be proofread for a US$100/page fee. From jya at pipeline.com Fri Jan 19 08:25:15 1996 From: jya at pipeline.com (John Young) Date: Sat, 20 Jan 1996 00:25:15 +0800 Subject: FAT_bet Message-ID: <199601191611.LAA12645@pipe4.nyc.pipeline.com> Saturday The Wash Post reported on the spies of many stripes invading Bosnia to strut stuff and ward off extinction. Today, TWP and NYT cover an IC briefing yesterday -- prompted by the Post story -- on the campaign of global spying cooperation to survive liposuction. 
FAT_bet (the 3 articles) From shamrock at netcom.com Fri Jan 19 08:44:40 1996 From: shamrock at netcom.com (Lucky Green) Date: Sat, 20 Jan 1996 00:44:40 +0800 Subject: CryptoAPI and export question Message-ID: At 18:07 1/17/96, Tom Johnston wrote: >Two points: the CSP development kit is export-controlled; and signing a >CSP developed by a foreign vendor is treated as a export -- so the signature >is export-controlled. > >We would ship a CSP development kit to a foreign vendor, and sign a CSP >developed by the foreign vendor, but only with the appropriate export licenses. So the main thing that the new MS CSP accomplishes is to establish a standard that will prevent foreigners at the OS level from using real crypto with popular applications. Way to go Microsoft. -- Lucky Green PGP encrypted mail preferred. From jim at bilbo.suite.com Fri Jan 19 08:48:00 1996 From: jim at bilbo.suite.com (Jim Miller) Date: Sat, 20 Jan 1996 00:48:00 +0800 Subject: underground digital economy Message-ID: <9601180428.AA11604@bilbo.suite.com> > Certainly. There are a couple of ways, but all one needs is > some sort of gateway to an e-cash > This is the part that bothers me. Wouldn't a gateway between anonymous e-money and identified e-money stick out like a sore thumb to agencies tracking the flow of identified e-money? Wouldn't identified e-money trails start and/or terminate at the gateway? Once the gateway is discovered, all clients on the identified e-money side of the gateway would be discovered. I think the gateway could only succeed if there was a way to perform the conversion anonymously. But how do you anonymously generate/propagate identified e-money? There is probably an obvious solution, but I'm not devious enough to see it. One unstated assumption I have that may be confounding me is that I assume the identified e-money system will completely replace paper money, which will then be "discontinued".
Jim_Miller at suite.com From merriman at arn.net Fri Jan 19 08:48:06 1996 From: merriman at arn.net (David K. Merriman) Date: Sat, 20 Jan 1996 00:48:06 +0800 Subject: CAPI endorsements Message-ID: <2.2.32.19960117160205.0068a0fc@arn.net> -----BEGIN PGP SIGNED MESSAGE----- - From MS's Web page on their CryptoAPI, under the 'Endorsements' section: RSA "We're pleased to see Microsoft's announcement of CryptoAPI and CryptoAPI's use of RSA technology. This announcement makes more robust cryptography more easily available to more people--and RSA believes that's always a good thing." -- Jim Bidzos, President, RSA Data Security, Inc. I gotta wonder if that's why RSA wants Too Damn Much (tm) for licenses..... Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMP0A6cVrTvyYOzAZAQErUAQAsOc6acpfRtytyjeyxpGpMzSPEnvqXUqr vYHEIWWqm7On/qWDbkqrsl47EBc7K57hpXIX3kzeiYbko7P+4ndIFlA/yRVs+L6X mpUrqsvGy6/kadAy2AnwPefRkaTbflrtamSMfdQwF+7Du6x/tL/z/UpASA/2sx8e p5IdH9kYmfs= =RPRO -----END PGP SIGNATURE----- ------------------------------------------------------------- "It is not the function of our Government to keep the citizen from falling into error; it is the function of the citizen to keep the Government from falling into error." Robert H. Jackson (1892-1954), U.S. Judge <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> My web page: http://www.geocities.com/CapitolHill/1148 From awestrop at nyx.net Fri Jan 19 09:05:40 1996 From: awestrop at nyx.net (Alan Westrope) Date: Sat, 20 Jan 1996 01:05:40 +0800 Subject: Denver area meeting, SUPER SUNDAY, Jan. 21, 2 pm Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Some locals will flout this most sacred of American holidays by gathering to discuss crypto and ancillary issues at the Tivoli, on the Auraria campus between Speer, Larimer, and the Auraria Parkway. If you're not sure of the location, send email for Mo' Better Clues.
Alan Westrope PGP public key: http://www.nyx.net/~awestrop PGP 0xB8359639: D6 89 74 03 77 C8 2D 43 7C CA 6D 57 29 25 69 23 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMP/JO1RRFMq4NZY5AQGfnAP/ajy9KYmsXp4G2hFO5AvKkahk/qIQEFPV d9AZrTGylRDep+6jrDbdoOlr7BKEhRebwtweaupQ+fKCiVQQJvxlcCccaCfd11hD D2okx9N1Q3KRhCgtk6fglkfZ6STDUF+maHUK83t7NclW41lp75uppwfZw//qVWr2 VreutUqu16I= =QDzQ -----END PGP SIGNATURE----- From vingun at rgalex.com Fri Jan 19 09:13:01 1996 From: vingun at rgalex.com (Vincent S. Gunville) Date: Sat, 20 Jan 1996 01:13:01 +0800 Subject: Crippled Notes export encryption In-Reply-To: <199601172347.SAA19227@bb.hks.net> Message-ID: <30FFCD3B.13B5@rgalex.com> Alan Pugh wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > - -- [ From: Alan Pugh * EMC.Ver #2.3 ] -- > > Since this is definitely on-list, and I haven't seen > anything on it here yet, I'm posting the whole thing. > Apologies for duplication. > > Date: Wednesday, 17-Jan-96 04:23 PM > > Subject: infoMCI FLASH - Lotus-Security - Lotus Announces C > > [infoMCI FLASH] > i n f o M C I F L A S H > > infoMCI (sm) > Lotus-Security - Lotus Announces Compromise for Export of Strong > Encryption > > By ELIZABETH WEISE > AP Cyberspace Writer > > SAN FRANCISCO (AP) _ Lotus Development Corp. announced a > compromise with the federal government Wednesday that will allow it > to put better security features into the international version of > its Notes program. > > While the arrangement assures the government it can access data > under extreme circumstances, it represents an advance in the > strength of security allowed in software exported from the United > States. > > Federal law prohibits the export of certain high-level > encryption programs, which are defined as a munition under a Cold > War-era arms control act. 
> > Encryption programs take ordinary data and put it in secret form > that cannot be accessed without the proper data ``key.'' The > government's arbitrary standard for cracking encryption programs > when needed is at a technical level described as ``40-bit.'' > > Some software programs sold in the United States, including > Lotus Notes, now use stronger 64-bit encryption. Lotus has been > under pressure to bring such security to Notes users overseas. > > Although 40-bit encryption is quite strong, highly-sophisticated > attacks using several computers have been able to break it > recently. > > ``Our customers have basically lost confidence in 40-bit > cryptography,'' said Ray Ozzie, president of Iris Associates, the > unit of Lotus that developed Notes. > > ``That left us in a bind. We are the vendor that's supposedly > selling a secure system to them and they are saying it's no good,'' > Ozzie told a standing room audience at the RSA Data Security > conference. > > Changes in the general export laws seemed unlikely so Lotus > negotiated an interim solution. > > The export version of Lotus Notes 4.0, which went on sale last > week, includes 64-bit encryption but the company has given the U.S. > government a special code that unlocks the final 24 bits. > > For companies that use the international version of Notes, it's > as if Lotus put two strong locks on a door and gave a key for one > to the U.S. government. Thieves have to get break through two > locks, the government only one. > > ``This protects corporate information from malicious crackers > but permits the government to retain their current access,'' Ozzie > said. He acknowledged the solution was only a compromise and said > Lotus wants to see better data security methods developed > worldwide. > > However, many participants at the conference saw the move as a > cosmetic answer to the tension between corporate desires for the > best security and government's interest to access data when > necessary. 
> > ``It's a useful stopgap measure that has no value in the long > run,'' said Donn Parker, a senior security consultant with SRI > International, a computer research company in Menlo Park, Calif. > > Simson Garfinkel, author and computer security expert, said he's > not sure international buyers of Notes will like the solution. > > ``Foreign companies don't want the U.S. government to spy on > their data any more than the U.S. government wants foreign > companies to be able to spy on theirs,'' Garfinkel said. > > International Business Machines Corp. bought Lotus in July, > citing the success of Notes, a sophisticated communications and > database program. > > AP-DS-01-17-96 1619EST > > (66413) > > *** End of story *** > > - --- > [This message has been signed by an auto-signing service. A valid signature > means only that it has been received at the address corresponding to the > signature and forwarded.] > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.2 > Comment: Gratis auto-signing service > > iQBFAwUBMP2KdioZzwIn1bdtAQGdegF9GVCEfL50vWd7e5XX/mKEnzGy5YGvW0iD > rNPCmz3Xxf3h9wOVJMLrCeDGwe4/m84g > =6jpa > -----END PGP SIGNATURE----- -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= |Vincent S. Gunville |Robbins-Gioia |209 Madison St Email vingun at rgalex.com |Alexandria, Va 22309 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- From cp at proust.suba.com Fri Jan 19 09:21:01 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Sat, 20 Jan 1996 01:21:01 +0800 Subject: Netscape and NSA In-Reply-To: <30FF642C.400@netscape.com> Message-ID: <199601191702.LAA12547@proust.suba.com> Let's not get carried away here. Netscape's done a lot for privacy, and every indication we have is that they'll continue to do so. They've introduced strong crypto to the consumer software market for the first time. 
Giving users control over CAs says a lot about where Netscape is coming from -- it's an obscure thing for which there was no public demand, and which might hurt Netscape's position by opening up the market to competitors. But it destroys the choke point which would have made it possible to impose GAK. Our interests and Netscape's interests coincide. Netscape needs to export strong crypto to be competitive in the global marketplace. As a consequence, Netscape has been making public statements pushing for unrestricted exports of strong crypto. I have no doubt that they're pushing hard for the same thing in private discussions with government officials. Where do people think things like the recent statements from Ron Brown come from? Big companies -- like Netscape -- have ongoing dialogues with the Commerce Department, and apparently they've been pushing for exports. In and of itself that statement wasn't much -- nothing has changed. But it's a sign that the tide is turning. Parts of the government are starting to admit that we're right, and that giving people free access to strong crypto is in everyone's best interest. That's important. But at the same time, it's important for companies like Netscape and Lotus to know that we'll do everything we can to make it painful to back down on these issues. What Lotus is doing is wrong, and we have to do whatever we can to make their decision painful to them. It's absolutely essential that we do whatever we can to make the right decision less painful than the wrong one. We don't have a lot of options in terms of strategy. An immediate, strong, and strident negative reaction may not be the best weapon imaginable, but it's one of the only ones we've got. To those of you who work for these companies, and who are pushing for what's right -- don't take it personally. We have to do it. The Lotus approach is totally unacceptable. 
A 64 bit key is only a 40 bit key when your opponent already has 24 bits, and a 40 bit key just isn't good enough. But Lotus' plan is much worse than another plan which only provides 40 bits of security. Anything that involves government storehouses of keys is extremely dangerous. Lotus is doing everyone a big disservice when they pretend that this is a step forward. It's gak, and it's not just a proposal anymore -- it's real this time. This is the first wave of guys hitting the beach. Netscape is never going to convince everyone that they're on the right side. Some people will never trust a large company, no matter who works there or what the company does. But by widening the scope of its public efforts on behalf of privacy, Netscape could generate a lot of good will and do a lot of good for its own interests (and its bottom line) as well. It would be good for everyone if Netscape took a more aggressive political stand for free access to strong crypto. How? Expand the crypto coverage on Netscape's web server. Hire a full time person to write about crypto technology and issues. Put a link to the site on the Netscape home page. Netscape's home page links are the most visible on the net -- use them. Get together with companies like Sun and Microsoft to form a lobbying and publicity organization similar to the Tobacco Institute. (I know that's a bad example -- many people think the Tobacco Institute is an evil organization. But it's a good tactic.) I'm personally a little frustrated by the timidity of industry's response. I don't understand it. Netscape's interests are clear, their voice is loud, and their resources are vast. Where's John D. Rockefeller when you need him? From vznuri at netcom.com Fri Jan 19 09:40:09 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sat, 20 Jan 1996 01:40:09 +0800 Subject: "cybertage" Message-ID: <199601191722.JAA04520@netcom18.netcom.com> how about a new term for all the various enemies of cyberspatial advancement? 
the censors, the luddites, the spooks, the politicians, the demagogues, the rabid media (all of which there seems to be no shortage of lately): "cyberteurs" engaging in "cybertage" now if we can only get a strong stigma associated with the words and label all the enemies with it. I think it could really stick. a sort of reaction by cyberspatial citizens against all the encroachments and disrespect. From jwa at nbs.nau.edu Fri Jan 19 10:21:21 1996 From: jwa at nbs.nau.edu (James W. Abendschan) Date: Sat, 20 Jan 1996 02:21:21 +0800 Subject: "cybertage" In-Reply-To: Message-ID: <199601191805.LAA16786@ecosys.nbs.nau.edu> Way back on Jan 19, 9:22am, "Vladimir Z. Nuri" wrote: > how about a new term for all the various enemies of cyberspatial > advancement? the censors, the luddites, the spooks, the politicians, > the demagogues, the rabid media (all of which there seems to be no > shortage of lately): > > "cyberteurs" engaging in "cybertage" Augh! No! No more "cyber" anything, please! Instead, how about a filter (implemented at some key top-level, NSA-funded routers, of course) that simply s/cyber//g ? - - - How "tight" is the encryption that ssh (secure shell) uses? I'm trying to push it for use across potentially insecure subnets at our University, and would like all the ammo I can get :) Has anyone tried to sniff & brute force a ssh-encrypted session? James -- James W. Abendschan Email: jwa at nbs.nau.edu UNIX Systems Programmer/Administrator Voice: (520) 556-7466 Colorado Plateau Research Station, Flagstaff, AZ FAX: (520) 556-7500 From tcmay at got.net Fri Jan 19 10:43:42 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 20 Jan 1996 02:43:42 +0800 Subject: Economic Surveillance, the NSA, and the 40+24 Lotus Position Message-ID: [Note: Once again, could I suggest that people take the effort to trim the distribution list? I've trimmed out the several names getting separate copies.] 
At 11:06 AM 1/19/96, david d `zoo' zuhn wrote:

>// Now how about the percentage of *foreign* people who trust the US govt.?
>// Given that it has said that it'll spy commercially... (if memory
>// serves).
>
>Memory serves me oppositely -- denial that it has done so in the past and
>saying that they would not do so in the future. This came a couple of
>months ago during trade negotiations with the Japanese government.

I don't think anything is resolved on this "economic espionage" issue. I've been interested in this topic since around 1988 (for an unfinished novel I was working on then--don't ask).

Here are a few misc. points:

* There is direct information that business information was intercepted by the NSA and other SIGINT agencies and used by the U.S. for economic advantage. This goes back to the 1940s, with intercepts of ITT and other cable traffic, and continues up to the present. Bamford gives a bunch of examples.

* However, there is no direct knowledge that I am aware of that non-DOD-linked companies (i.e., ordinary American companies) received significant amounts of economic intelligence on their competitors. Thus, I doubt that General Motors was fed production data on Nissan that NSA plucked out of the ether in its Japanese listening posts (such as the huge NSA SIGINT facility at Misawa). Some companies may have received selected intercepts, sub rosa, but I doubt that this was a matter of regular policy.

* Reports came out in the last couple of years that the NSA aided the U.S. trade negotiators in talks with Japan by providing intercepts covering the Japanese trade position. (I'm not sure if this was denied by the Administration, or acknowledged, or what. But it's pretty likely to be true. This is of course a different type of economic intelligence than helping individual American companies, though the effects are similar.)

* Over the past 5-7 years there have been noises coming out of the intelligence community about redefining their mission to include economic espionage of various sorts (from the type they have always done, as above, to more direct aid to American industry). I first heard comments on this circa 1990, and they may have even come from a current or former DIRNSA...I can't recall. (I took meticulous notes on what I was reading in the press, but these notes are squirrelled away in "Tornado Notes" (Info Select) on an old Toshiba laptop!)

* Shifting to more active economic intelligence gathering has *NOT* been announced as a new mission for the NSA, despite rumors here on the Cypherpunks list. If anyone can show us a real statement, or a plausible report that deduces this to be a new mission, I would be grateful. Rather, what I think we've been hearing are a bunch of reports and rumors that such a shift is being considered. (One list member contacted me by phone when I expressed similar doubts, some months back, and offered to put me in touch with a friend of his who claims to have evidence that such a shift has occurred. Not being an investigative reporter, and not being in the Beltway, I declined.)

* Having said all this, that a certain type of economic surveillance and espionage is unlikely (e.g., Intel isn't being informed of Japanese chip yields), certainly other types of surveillance of foreign companies is likely. The NSA and its affiliated agencies are of course likely to surveil Western companies for evidence of arms shipments to other countries (a la Toshiba's propeller-quieting technology shipped to the U.S.S.R., France's shipments of Exocets to various countries, nerve gas precursors, etc.). In this sense, economic surveillance _is_ one of the main missions of the NSA.

I think it unlikely that the "NSA-enabled" Lotus solution will fly in these countries.
Will Matra really be happy to use the "40+24" solution for sensitive inter-site communications, knowing full well about the many large NSA SIGINT dishes scattered throughout Europe? Knowing that the NSA has the 24-bit extra key material and that 40-bit keys are easily breakable?

Somehow I think that these foreign governments, notably Germany and France, will explicitly block these products from being imported into their countries. A matter of national pride and all.

(After all, imagine a product made in Japan that is known to be "Chobetsu-enabled." The U.S. government would not be too happy to see U.S. companies embracing such a product.)

By making crypto restrictions "slide down easily," Lotus and IBM have not done us any favors. Fortunately, I think their scheme is doomed.

--Tim May

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From cp at proust.suba.com Fri Jan 19 11:16:58 1996
From: cp at proust.suba.com (Alex Strasheim)
Date: Sat, 20 Jan 1996 03:16:58 +0800
Subject: "cybertage"
In-Reply-To: <199601191722.JAA04520@netcom18.netcom.com>
Message-ID: <199601191846.MAA12766@proust.suba.com>

> how about a new term for all the various enemies of cyberspatial
> advancement?

I think this is a bad idea. We should be moving away from demonization, not towards it.

We are right, and they are wrong. The good thing about being right is that logic and the facts will bear us out. Let's use rational arguments, not name calling.
Save the nasty names for another fight when you're wrong and the other guy is right.

We should build a case to show that everyone -- including those who disagree with us -- will be better off if we win. It's the truth, so we ought to be able to come up with good arguments.

Unfettered access to strong crypto is in everyone's interest. It's good for business and it's good for civil liberties and freedom around the world. These are not complicated things to grasp. If we get our message out there, we will win.

Lotus has made a mistake. Their gak plan won't reassure international customers, which is to say it won't do what they want it to do. So why do it? Instead of calling them names, let's explain why it was a bad idea. Let's try to explain to Lotus customers why it's a bad idea. If we can do that, we'll get a response.

From jsw at netscape.com Fri Jan 19 12:20:48 1996
From: jsw at netscape.com (Jeff Weinstein)
Date: Sat, 20 Jan 1996 04:20:48 +0800
Subject: Netscape and NSA
In-Reply-To:
Message-ID: <30FF642C.400@netscape.com>

Rishab Aiyer Ghosh wrote:
>
> Any special reason why Netscape is working with
> the NSA to support their Fortezza encryption card?
>
> ObConspiracyTheory: Hmmmmm....
>
> Nice government-friendly Jim Clark quote, with the rest of the story
> http://www-e1c.gnn.com/gnn/wr/96/01/12/features/nsa/index.html

Here is another quote for you:

"Netscape will fight in all forums for totally private encryption."
-- Jim Barksdale
Netscape CEO

One particularly interesting paragraph from the GNN article is:

"One senior Federal Government source has reported that NSA has been particularly successful in convincing key members of the US software industry to cooperate with it in producing software that makes Internet messages easier for NSA to intercept, and if they are encrypted, to decode," Madsen wrote.
"A knowledgeable government source claims that the NSA has concluded agreements with Microsoft, Lotus and Netscape to permit the introduction of the means to prevent the anonymity of Internet electronic mail, the use of cryptographic key-escrow, as well as software industry acceptance of the NSA-developed Digital Signature Standard (DSS)."

I believe that the reference to Netscape in this paragraph is a distortion of our agreement with the NSA. They agreed to buy some of our current products, which they paid for, and to buy products in the future that support Fortezza. Given the large number of organizations within the government that are standardizing on fortezza, our motivation for producing such a product should be obvious. I think in the end the non-NSA purchases of Fortezza based products within the government will be much larger than what the NSA buys.

Once we have implemented Fortezza we would like to add support for many alternative crypto cards that are not GAK'd and are more appropriate for commercial or personal use. We will also continue to offer software encryption.

Management here has never asked me not to implement anonymity enhancing features. They have not asked me to implement DSS. They have not asked me to implement GAK. Management has let me hold up a release to fix a bug that was causing a user's identity to be accessible from a server. We have awarded several bugs bounty prizes to people who found bugs related to privacy.

I understand that in his keynote speech at the RSA Security Conference Jim Barksdale repeated our strong opposition to GAK. Perhaps someone who attended could provide more details.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw at netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.

From cp at proust.suba.com Fri Jan 19 13:17:37 1996
From: cp at proust.suba.com (Alex Strasheim)
Date: Sat, 20 Jan 1996 05:17:37 +0800
Subject: Espionage-enabled Lotus notes.
In-Reply-To:
Message-ID: <199601190158.TAA03403@proust.suba.com>

A couple of days ago there were reports that the NSA was considering easing up a bit on export restrictions. Is the Lotus Notes approach what they were talking about?

I suppose it's a good thing that they're starting to see the value of at least paying lip service to relaxing the rules, but that's all this is, lip service. It's the worst of both worlds, the security of a 40 bit key with the spectre of gak thrown in to boot.

From dlv at bwalk.dm.com Fri Jan 19 13:34:13 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Sat, 20 Jan 1996 05:34:13 +0800
Subject: FW: CrytoAPI on Cypherpunks
Message-ID:

Tom Johnston writes:
> >>> We won't charge high fees (right now, it's free!). Our policy is
> >>> simple: we'll sign the CSP of anyone who follows the rules.

Would you sign a foreign-developed CSP (which isn't subject to the rules)?

---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

From eb at comsec.com Fri Jan 19 13:38:28 1996
From: eb at comsec.com (Eric Blossom)
Date: Sat, 20 Jan 1996 05:38:28 +0800
Subject: "Noise Filter" : Cypherpunks Lite Reminder...
Message-ID: <199601192019.MAA01779@comsec.com>

Just a friendly reminder to those of you overwhelmed by the noise...

I provide a moderated version of the Cypherpunks list called "Cypherpunks Lite". A one year subscription costs US$20 and is payable by check or money order to "COMSEC Partners".

Cypherpunks Lite is available in either individual messages or a more-or-less daily message digest. The content of both are the same. In either case, I forward approximately 5 - 10% of the total Cypherpunks feed. This works out to about 5 - 10 messages / day.

To take a look at what you can expect there is an archive of the previous selections organized by month at ftp://ftp.crl.com/users/co/comsec/cp-lite. The files with the extension .gz are compressed using gzip.

If you would like to subscribe, please send payment to:

COMSEC Partners
1275 Fourth Street, Suite 194
Santa Rosa, CA 95404
USA

Be sure to provide the email address you want us to use, as well as indicating your preference for individual messages or the digest.

Thanks again,
Eric Blossom

From jsw at netscape.com Fri Jan 19 13:50:34 1996
From: jsw at netscape.com (Jeff Weinstein)
Date: Sat, 20 Jan 1996 05:50:34 +0800
Subject: Netscape and NSA
In-Reply-To: <30FF642C.400@netscape.com>
Message-ID: <31000A18.1DB7@netscape.com>

Alex Strasheim wrote:
> It would be good for everyone if Netscape took a more aggressive political
> stand for free access to strong crypto. How? Expand the crypto coverage
> on Netscape's web server. Hire a full time person to write about crypto
> technology and issues. Put a link to the site on the Netscape home page.
> Netscape's home page links are the most visible on the net -- use them.
> Get together with companies like Sun and Microsoft to form a lobbying and
> publicity organization similar to the Tobacco Institute. (I know that's a
> bad example -- many people think the Tobacco Institute is an evil
> organization. But it's a good tactic.)

This is the sort of stuff we are starting to do. Expect to see it over the next few months. Jim Barksdale's comments at the RSA conference this week are part of this effort.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw at netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.

From llurch at networking.stanford.edu Fri Jan 19 15:07:25 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 20 Jan 1996 07:07:25 +0800
Subject: Single computer breaks 40-bit RC4 in under 8 days
In-Reply-To: <9601190145.AA11333@pakse.mit.edu>
Message-ID:

This takes "cracking Netscape security as a new benchmark" to a whole new level.

On Thu, 18 Jan 1996, David Golombek wrote:

> MIT Student Uses ICE Graphics Computer
>
> To Break Netscape Security in Less Than 8 Days

What does this have to do with Netscape? This is about brute-forcing 40-bit RC4. While Netscape does deserve flogging with a wet noodle down to the seventh generation for their initial press response, this singling out Netscape is annoying me a little.

> While being an active proponent of stronger export encryption, Netscape
> Communications (NSCP), developer of the SSL security protocol, has said that
> to decrypt an Internet session would cost at least $10,000 in computing time.

OK, well, in that case.

> workstations, Doligez averaged 850,000 keys per second. ICE used the
> following formula to determine its $584 cost of computing power: the total
> cost of the computer divided by the number of days in a three-year lifespan
> (1,095), multiplied by the number of days (7.7) it takes to break the code.

This assumes, however, that collecting encrypted communications, feeding them to the computer with 100% efficiency, electricity, labor, etc. are completely free.

I hope everyone recognizes this as more old news and ICE marketing. In a fantasy world, the press et al would see this and clamor for the revocation of ITAR.

-rich

From jathomas at netcom.com Sat Jan 20 07:59:51 1996
From: jathomas at netcom.com (John A. Thomas)
Date: Sat, 20 Jan 96 07:59:51 PST
Subject: Random Number Generators
In-Reply-To: <0kzHl6200bky0_dkQ0@andrew.cmu.edu>
Message-ID:

You might find this article instructive: Herschell F.
Murry, "A General Approach for Generating Natural Random Numbers," IEEE Transactions on Computers, December 1970, p. 1210.

A fairly recent patent uses your approach of two oscillators: No. 4,855,690 by Dias, assigned to Dallas Semiconductor Corp., "Integrated Circuit Random Number Generator using sampled output of variable frequency oscillator."

I'd suggest using Johnson noise; reverse-biased diodes generate noise which is pink. I've built devices using amplified Johnson noise, squared up with a comparator, then averaged by a D flip-flop. The preliminary results look pretty good.

Please post your results here -- and good luck.

John A. Thomas
jathomas at netcom.com

From jya at pipeline.com Sat Jan 20 08:33:39 1996
From: jya at pipeline.com (John Young)
Date: Sat, 20 Jan 96 08:33:39 PST
Subject: QLG_ate
Message-ID: <199601201633.LAA19074@pipe4.nyc.pipeline.com>

Two articles comment on the creation of a quantum logic gate by NIST researchers, as reported in Physical Review Letters recently:

"Quantum leap for code-cracking computers," Mark Ward, New Scientist, 23 Dec 95.

"Approaching the Quantum Gate," David Voss, Science, 12 Jan 96.

QLG_ate

From corey at netscape.com Fri Jan 19 17:51:53 1996
From: corey at netscape.com (Corey Bridges)
Date: Sat, 20 Jan 1996 09:51:53 +0800
Subject: Elitism on Cypherpunks
Message-ID: <199601200131.RAA26034@urchin.netscape.com>

At 08:55 PM 1/18/96 -0800, Alan Olsen wrote:
>It has been said that "Cypherpunks write code". They must do more than
>that. Cypherpunks need to teach.

Just remember you brought this up...

Not all of us even write code. Some of us write (horrors!) books! Yes, my brethren, I earn my pay as a lowly scribe. Do I code? Nope. Am I a Cypherpunk? Christ, I don't care. I'm on this mailing list; that works fine for me. My brain expands almost daily from contact with such seditious sods. Do I contribute to the health and growth of this list? Maybe. Do I preach the Cypherpunk doctrine through my work at my company? Definitely.

Just thought I'd point out that we aren't all code-monkeys. (And I mean that in the best sense of the word.)

Corey Bridges
Security Documentation
Netscape Communications Corporation
home.netscape.com/people/corey
415-528-2978

From dwa at corsair.com Fri Jan 19 18:14:22 1996
From: dwa at corsair.com (Dana W. Albrecht)
Date: Sat, 20 Jan 1996 10:14:22 +0800
Subject: What's a good math text?
Message-ID: <199601200004.QAA21392@vishnu.corsair.com>

> I'm not on the list just now, my work won't allow me the time to follow it.
> I'm still just as interested in cryptography though, and would like
> y'all to email me recommendations on good math books that will give me
> the background to understand the papers in the field. I'm sure that will
> include a good numbers theory text. If a beginner at number theory
> would have a hard time understanding it, please recommend background
> texts as well:) What else would I need? My computer science texts
> explain complexity theory well, what would I need in information theory.
> What would I have to read to understand factoring complexity? Are there
> any new texts that cover the recent breakthroughs in factoring?

An excellent introductory cryptography textbook that's oriented toward number theory is:

A Course in Number Theory and Cryptography, 2nd ed.
by Neal Koblitz
Springer Verlag

If you want a "classic" number theory text, I recommend:

An Introduction to the Theory of Numbers, 5th ed.
by G.H. Hardy and E.M. Wright
Clarendon Press, Oxford University Press

If you'd like a good introduction to factoring, try:

Factorisation and Primality Testing
by David Bressoud
Springer Verlag

Of course, it goes without saying that anyone studying cryptography ought to have a copy of:

Applied Cryptography, 2nd ed.
by Bruce Schneier
John Wiley

Hope that helps.

Dana W. Albrecht
dwa at corsair.com

From llurch at networking.stanford.edu Fri Jan 19 18:15:33 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 20 Jan 1996 10:15:33 +0800
Subject: Respect for privacy != Re: exposure=deterence?
In-Reply-To: <199601190919.KAA10339@utopia.hacktic.nl>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 19 Jan 1996, Anonymous (signed We Jurgar Din, allegedly 0x21B699E1, not on MIT key server) wrote:

> I'm not. Maybe *you* should be more suspicious of the guy getting
> paid $100K of direct government money to manage a national
> campaign of low-key terror than you should of the private
> businessman unable to pay himself because he *must* pay his
> employees and the government doesn't leave him enough for his
> own paycheck. This last is a *lot* more common than the "private
> businessman getting millions of dollars in government subsidies."

Er, yes. And I am. Struggling businessmen are also a lot more common than guys and gals getting paid direct and indirect government money for high-key terror and murder, of which there's a lot. What's your point?

> > I think we're fundamentally asking the wrong question. I only
> > see relative power. I'd estimate that Bill Gates is more
> > powerful than Fidel Castro in many respects. He's certainly a
> > lot more powerful than your average postal clerk.
>
> "Looking for pow'r... in all the wrong places, (la-tee-dah)..."
> Admit it, Rich, you only see harmful power where you want to see
> it, and that isn't in government -- it is in private hands,
> particularly *corporate* hands.

Governments and religions of all kinds have killed more people than anything else besides old age and disease. There's no denying that. But who has more influence over most people's daily lives? What are the instruments of government, and for what interests is government an instrument?
Isn't it a good tactic to go after lazy or stupid corporations friendly with the government who are providing poor tools injurious to personal privacy and security? [Timed essay, 30 points. Use both sides of the CRT if necessary. Spelling counts.]

> Geez, but you'd think that
> left-handed university cookie cutter would have gotten dulled and
> broken by now, and that they'd have fashioned a new one.

For whatever it's worth, I'm right-handed.

I see you use public key cryptography, which like many good things was developed at a left-handed university with great respect for academic freedom. You might try visiting one to see what they're like.

> I'd estimate that the Postmaster General is more powerful than
> Fidel Castro in many respects. He's certainly a lot more powerful
> than your average private businessman.

No, he's got a sinecure with a common carrier that doesn't mean much. If you meant that the folks who would intercept your mail if you're "suspected" are more powerful than Castro, I might agree, but that's not the Postmaster General. He has no power to order or stop that.

I'll certainly grant you that there is a conspiracy and a secret government (broadly defined), but not everyone paid by the government is in on it, and not everyone involved is in the government.

> We Jurgar Din
> (that will have to suffice: I do not yet live in a free country)
>
> +"The battle, Sir, is not to the strong alone. It is to the+
> +vigilant, the active, the brave. Besides, Sir, we have no +
> +election. If we were base enough to desire it, it is now +
> +too late to retire from the contest." -Patrick Henry 1775 +

While I firmly support the right to anonymity, I find this juxtaposition ironic. I do hope that you are speaking out on the record as well. Your "Indecent Garbage" piece, <199601190944.KAA10937 at utopia.hacktic.nl>, was excellent, but you can't get it published widely unless you're willing to put your "real life" John Hancock or Patrick Henry on it.
Gratuitous use of pseudonymity can be counterproductive. Now nobody's going to be able to use your "bar-coded garbage" essay without being suspected of being you, which I doubt is what you want. Is anyone going to quote you in the future, as you quote Patrick Henry?

I helped get Sameer quoted in PC Week and InfoWorld. Not exactly the way we'd all like, but it does point people who otherwise wouldn't think twice about crypto and privacy to www.c2.org.

My 3 1/2 years in the "cookie cutter" were mostly a study of revolutions betrayed. First the Bolsheviks and their later rampage through Eastern Europe (I have a couple of close friends from Budapest, Praha, Bratislava, and Shanghai), then when that died the Cuban, Sandinista, Contra, Sendero, and Mexican. The only revolution I can think of that did not *completely* betray its principles was the American War of Independence, which wasn't really a revolution at all but a secession from a tyrannical regime. Part of the reason it did well was that remoteness and bravery led those involved to stand up for what they believed in. You can only go so far with subversion. (It also helped that the Colonial goals were very modest. Yet they still ended up with the Whiskey Rebellion, a great expansion of the practice of slavery, and the Native American genocide in short order.)

Get yourself a broader education and elevate the culture. Mario Vargas Llosa, Boris Pasternak, and Milan Kundera would be particularly good for you.

- -rich

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMQAEjo3DXUbM57SdAQEg0gP+Nhht/Zp39p/mcQ7GNgS3x/Db4b+CZohb
QmkeC50sSEAoxOjGuV8N2PLr0yYaSdFhU/GyUeGNKbHg8acjb9D7IzsKrdXBze6F
5hWYz78O08xDST0NTMSCbRqcM2o8qKQBfgIjKGCMSc4tFnBvoLT+fG/S+wKejeID
NG9NbEQuYOs=
=GPRY
-----END PGP SIGNATURE-----

From trei at process.com Fri Jan 19 18:28:21 1996
From: trei at process.com (Peter Trei)
Date: Sat, 20 Jan 1996 10:28:21 +0800
Subject: Hack Lotus?
Message-ID: <9601200158.AA07776@toad.com>

Phill writes:
>
> I've been thinking about how I would do the lotus hack. I certainly would not be
> wanting to do a public key operation for the benefit of the government on every
> message. How about the following:
>
> During installation of program:
> Select a random key ER, encrypt it under the govt. public key to give Eg(ER).
> To start encrypting,
>
> choose a random value R, encrypt under destination public key to give Ek(R)
> set 40 bits of R to 0 to produce R'
> Encrypt R' under ER to give E-ER(R')
> Hash R, E-ER(R') and Eg(ER) with a one way function (MDMF like) to produce the
> actual key.
> Send across Ek(R), E-ER(R'), Eg(ER)
> To decrypt the message one needs the information for the escrow authority.
>
> Phill

Wouldn't this interoperate only with other systems which had a similar setup? I suspect that Lotus wants the US-Domestic and the International versions to interoperate transparently, including with their older versions.

Kaufman describes the encryption setup of Notes in moderate detail on pages 448-454 of 'Network Security'. It's a typical mixed system, with a secret key encrypted under the recipient's Public key (a short one or a long one, depending on the locale of the recipient and/or sender).

I suspect that Lotus has not completely reworked its security system for the international version, and that they are in fact doing a second public key operation on the 3 bytes of GAK'd data.

If they're nasty, they'll check on the receiving side as well, to ensure that the LEAF and/or the espionage-enabling key have not been patched in the sending 'International' version.

Peter Trei
trei at process.com
Peter Trei trei at process.com Peter Trei Senior Software Engineer Purveyor Development Team Process Software Corporation http://www.process.com trei at process.com From die at pig.die.com Fri Jan 19 18:42:52 1996 From: die at pig.die.com (Dave Emery) Date: Sat, 20 Jan 1996 10:42:52 +0800 Subject: NSA vacuuming down Internet traffic In-Reply-To: Message-ID: <9601200206.AA22470@pig.die.com> Alan Horowitz asks ... > > If I were standing in one of the places where NSA has it's taps of the > Net - what would I see? Alligator clips across terminal strips, leading > to a bunch of T3 lines? > I can't say I have a reliable answer to your question (although I can say fairly confidently that it is unlikely to be done with alligator clips at T3 and Sonet rates). In the past a good bit of this stuff was apparently done by intercepting microwave tail circuits (such as on the older FDM type undersea cables). For some random reason all the traffic on the undersea cable just happened to always be routed via a microwave link (sometimes as a "backup" to a cable link sent to a satellite ground station in case it had to carry the traffic if the cable failed). It is remarkable how many of the undersea cable terminals have microwave links to the rest of the world. Now with everything digital and almost always on fiber, one would probably expect that the main Internet backbone Sonet or FDDI rings have little diversions or bridges that feed undocumented fibers going somewhere that nobody at the carriers quite knows where. There is a great deal of dark fiber installed (around the Beltway area especially) for the spook agencies that was put in without any normal cable records being kept by the carriers regarding where the fibers in the bundle terminate or what they are used for or even where the actual cables really go. The amount of fiber going into some of the beltway CIA sites is truly impressive (several major runs). 

The DACS digital crossconnect points (high speed space/time division DS-1/DS-3 switches used for routing and interconnecting digital circuits from one fiber pipe to another) could certainly be programmed to route a copy of the traffic on some interesting backbone T3 line out another port as well - and like all complex software driven devices this capability could be covertly activated and controlled without notice to the normal operators who certainly don't have source code or the expertise to vet it.

As one might expect I've so far not met anyone at a carrier who knows exactly where the NSA taps are, but other possibilities certainly exist at repeater sites (where used) and even by optical taps (bending the fiber to make it leak a little light) in some manhole somewhere.

And obviously buggering the firmware in central routers to forward selected packets is available as a last ditch option.

Dave

From gnu at toad.com Fri Jan 19 18:48:04 1996
From: gnu at toad.com (John Gilmore)
Date: Sat, 20 Jan 1996 10:48:04 +0800
Subject: EE Times mentions c'punks scrutiny as helping Netscape
Message-ID: <9601200213.AA08059@toad.com>

Electronic Engineering Times, Jan 8, 1996, pg. 22
"Net battleground awaits Microsoft's salvo", by Larry Lange.

[skip half a page]...

Security stand-off

The side skirmish over security protocols for credit-card payments over the Net is just beginning to heat up. The major combatants here are Netscape's Secure Socket Layer (SSL), Enterprise Integration Technologies' Secure Hypertext Protocol (S-HTTP) -- which may yet wind up under Netscape's wing -- and Microsoft's fairly recent stab at the issue in the form of its Secure Transaction Technology (STT).

Netscape is way ahead of the game here, having successfully weathered the scrutiny of the ``cypherpunks'' -- above-board encryption hackers who look for security holes.

...

John

From perry at piermont.com Fri Jan 19 18:58:12 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Sat, 20 Jan 1996 10:58:12 +0800
Subject: Hack Lotus?
In-Reply-To: <9601200158.AA07776@toad.com>
Message-ID: <199601200222.VAA01246@jekyll.piermont.com>

"Peter Trei" writes:
> I suspect that Lotus has not completely reworked its security
> system for the international version, and that they are in fact
> doing a second public key operation on the 3 bytes of GAK'd data.

Likely.

> If they're nasty, they'll check on the receiving side as well, to
> ensure that the LEAF and/or the espionage-enabling key have not been
> patched in the sending 'International' version.

Nearly impossible. Why? Because they can only include the public key, and not the private key, of the GAK authority in the code. You can encrypt the three bytes of key, but it is very hard for a receiver other than the govvies to read them. There is no shared secret information or private information available, ergo, they can't check their LEAF equivalent.

This is likely where the flaw in the scheme is -- it should be trivial to drop another public key in place of the government one and foil the entire thing with minimal effort. All will look normal until someone tries to use the GAK private key.

Of course, I'll point out that 64 bit RC4 keys are still not particularly heartwarming...

Perry

From erc at dal1820.computek.net Fri Jan 19 19:16:59 1996
From: erc at dal1820.computek.net (Ed Carp, KHIJOL SysAdmin)
Date: Sat, 20 Jan 1996 11:16:59 +0800
Subject: Win95 Registration Wizard info
In-Reply-To: <199601181503.KAA06603@jekyll.piermont.com>
Message-ID: <199601190126.UAA22698@dal1820.computek.net>

> Alan Olsen writes:
> > I picked this link up from the Fringewear list.
> [...]
> > The author takes the registration Wizard in Win95 apart and shows exactly
> > what it does and what it looks for. Some interesting information about the
> > encrypted database of product information it uses.
>
> What, exactly, does this have to do with cypherpunks?

I guess Perry didn't see the word 'encrypted'...
Perry, you really ought to see the web page - it's quite good, and has a lot of good information. It also illustrates some of the pitfalls inherent in writing such applications, and exposes bad code written by commercial vendors. I thought that that was part of what Cypherpunks is for, but maybe it's just for Perry-approved posts.

--
Ed Carp, N7EKG    Ed.Carp at linux.org, ecarp at netcom.com
214/993-3935 voicemail/digital pager
800/558-3408 SkyPager
Finger ecarp at netcom.com for PGP 2.5 public key    an88744 at anon.penet.fi

"Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'"
-- "Losing Your Mind", Karen Alexander and Rick Boyes

From wilcoxb at nagina.cs.colorado.edu Fri Jan 19 19:26:45 1996
From: wilcoxb at nagina.cs.colorado.edu (Bryce)
Date: Sat, 20 Jan 1996 11:26:45 +0800
Subject: noise levels
In-Reply-To: <199601181520.KAA06653@jekyll.piermont.com>
Message-ID: <199601190051.RAA28314@nagina.cs.colorado.edu>

-----BEGIN PGP SIGNED MESSAGE-----

An entity calling itself Perry allegedly wrote:
>
> The noise levels around here are getting astounding.

Perry, I quite agree with you. I am having a very difficult time wading through cpunks, and I am currently reduced to grepping for my name, and then picking out a topic or two by subject line before junking 95% of the posts.

Since you have such enthusiasm for solving the noise problem I suggest that we do the following:

1. Establish a "one-way" mailing list. If you don't have an ISP which makes this convenient then I recommend Sameer's Community ConneXion. It costs merely $7.50/month, it is very easy to create a mailing list, Sameer respects your privacy and understands the importance of privacy and security issues, and you can pay in Mark Twain Ecash.

2.
Write a script for your mail agent so that when you see a noise post you can hit a key combination and send off a message to all the recipients of your mailing list which identifies the message (by its Message-ID, I suppose?) as trash.

3. I will subscribe to your list.

4. I will configure my mail user-agent to automatically delete messages which have been identified by you as trash.

What do you say? I'm up for it. Hey, come to think of it I have a mailing list at C2 that isn't being used for anything. It is fortuitously named "c2punks". Go ahead and send your "trash-o-meter" messages there and I will receive them. (That's "c2punks at c2.org".)

Of course there are some things we should work out as we go:

1. You should PGP-sign your trash-o-meter messages. Don't worry about doing it on a secure box (who's going to crack your e-mail hardware just so they can force me to read trash or delete cpunks mail from my inbox?). You can configure your MUA to pass the passphrase to PGP (or have no passphrase) so that all you have to do is hit a single key combination to activate the "trashit" script.

2. You might wonder what you are getting out of this? I can name 3 things:

a. Reducing the amount of c'groupies noise that I read, and the amount of c'groupies noise that anyone else who subscribes to "c2punks" reads.

b. Advancing the theory and practice of distributed ratings systems.

c. I and others will reciprocate-- we will mail "trash-o-meter" messages to c2punks which you can use so as to read less trash yourself.

3. I'll write some scripts that people can use to process trash-o-meter messages. The first version will probably be in sh and written for the mh mail-handling system. Later versions will work with different mail-handling systems, incorporate such nifty features as author- and subject- trashing in addition to message-trashing, having weighted scalar ratings, different ratings categories, and so forth.

I'm entirely serious about this.
For the first iteration just send something like "TRASH Message-ID: XXXXXXXXX" in the subject line or the body. We can discuss this in detail on c2punks if it gets too specific to be on-topic in cpunks. (What's your flavor of MUA? I'll write the trashit script for you.)

Regards,

Bryce

signatures follow

"To strive, to seek, to find and not to yield." -Tennyson
bryce at colorado.edu

From daw at quito.CS.Berkeley.EDU Fri Jan 19 19:46:24 1996
From: daw at quito.CS.Berkeley.EDU (David A Wagner)
Date: Sat, 20 Jan 1996 11:46:24 +0800
Subject: Netscape and NSA
Message-ID: <199601192231.RAA28578@bb.hks.net>

-----BEGIN PGP SIGNED MESSAGE-----

In article <199601191702.LAA12547 at proust.suba.com>, Alex Strasheim wrote:
> The Lotus approach is totally unacceptable. [...]
> This is the first wave of guys hitting the beach. [...]
> We don't have a lot of options in terms of strategy.

Let's hack Lotus.

Let's put out a binary patch which defeats Lotus's GAK. Let's look for weaknesses in their crypto implementation.

Time for me to go looking for a Unix version of Lotus Notes 4.

- ---
[This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.]

From trei at process.com Fri Jan 19 19:51:46 1996
From: trei at process.com (Peter Trei)
Date: Sat, 20 Jan 1996 11:51:46 +0800
Subject: Hack Lotus?
Message-ID: <9601200326.AA09366@toad.com>

> "Peter Trei" writes:
> > I suspect that Lotus has not completely reworked its security
> > system for the international version, and that they are in fact
> > doing a second public key operation on the 3 bytes of GAK'd data.
>
> Likely.
>
> > If they're nasty, they'll check on the receiving side as well, to
> > ensure that the LEAF and/or the espionage-enabling key have not been
> > patched in the sending 'International' version.
>
> Nearly impossible. Why? Because they can only include the public key,
> and not the private key, of the GAK authority in the code. You can
> encrypt the three bytes of key, but it is very hard for a receiver
> other than the govvies to read them. There is no shared secret
> information or private information available, ergo, they can't check
> their LEAF equivalent.

Think it through.

1 Alice generates session key K
2 encrypts with Bob's public key, producing Epb(K)
3 extracts 24 bits of K to make K'
4 encrypts with Eve's (spy) public key, producing Epe(K')
5 encrypts message under K, producing EsK(M)
6 sends EsK(M), Epb(K), Epge(K') to recipient (and possibly Eve)
7 Bob's copy of lotus decrypts Epb(K), recovering K
8 Bob's copy of lotus repeats steps 4 & 5 above, and checks if its
  version of Epe(K') matches the one sent.
9 If it does, decrypt EsK(M), and give it to Bob
  If it does not, send a copy to the NSA, blowing the whistle on
  Alice, who's running a hacked copy.

Thus, you can prevent a non-complying copy of Lotus from talking to a complying copy of Lotus, which is one of the goals of the GAKers.

> This is likely where the flaw in the scheme is -- it should be trivial
> to drop another public key in place of the government one and foil the
> entire thing with minimal effort. All will look normal until someone
> tries to use the GAK private key.

> Of course, I'll point out that 64 bit RC4 keys are still not
> particularly heartwarming...
Granted, but we don't know if they use RC4, DES, or what.

> Perry

Peter Trei
Senior Software Engineer
Purveyor Development Team
Process Software Corporation
http://www.process.com
trei at process.com

From tcmay at got.net Fri Jan 19 19:56:55 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 20 Jan 1996 11:56:55 +0800
Subject: "whom T. C. May has killfiled"
Message-ID:

At 11:09 PM 1/19/96, Rich Graves wrote:

>Yusuf's statement that my January 16th email is the first that he had
>heard of the .PWL problem is both patently ridiculous and directly
>contradicted by private email from anonymous sources on this list whom
>T. C. May has killfiled.
 ^^^^^^^^^^^^^^^^^^^^^^^

???

Mind explaining this reference? In public, preferably, as the charge was made here.

If it's a joke, I don't get it.

--Tim May

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From anon-remailer at utopia.hacktic.nl Fri Jan 19 20:19:16 1996
From: anon-remailer at utopia.hacktic.nl (Name Withheld by Request)
Date: Sat, 20 Jan 1996 12:19:16 +0800
Subject: Cypherpunk Enquirer
Message-ID: <199601200350.EAA12520@utopia.hacktic.nl>

THE CYPHERPUNK ENQUIRER
"Encyphering minds want to know."

Lotus Development, a division of IBM, today announced a new, "international" version of its popular "Lotus Notes" program. The new program features, in addition to the standard 40 bit RC4 encoding allowed in exportable software by the ITAR, the use of the proven Unix (tm) encryption program, ROT 13.
"Now our international customers can use the same, tamper-proof encryption standards that our domestic customers already enjoy," stated an IBM spokesperson, who was reportedly whisked to the Mayo Clinic for nose reduction surgery. In related news, the International Society for the Prevention of Cruelty to Animals announced that the new Lotus Notes International does allow the snakes to move more easily and freely, and that it virtually eliminates that irritating squeaking sound when they shed their skins. In related medical news, proctologists at the Bethesda Naval Clinic reported that, despite 12 hour emergency surgery, Louis Freeh's head remains firmly stuck. The Center for Disease Control in Altanta has also reported that Mr. Freeh's condition is evidently highly contagious, as he has reportedly infected noted cryptographic researcher Dorothy Denning during a late night strategy session in Washington. CDC spokespersons also recommended that people avoid personal contact with David Sternlight for at least the next 48 hours. The FBI today announced the arrest of Timothy May on child pornography charges after an unnamed 13 year old FBI informant downloaded a .GIF of Mr. May naked in a hot tub at a recent 'cypherpunks' Christmas party. Mr. May, who is already under investigation by the SEC in the Netscape stock manipulation scandal, has referred all questions to his attorney. The FBI's attention was apparently drawn to the case when the 13 year old informant in question was heard to exclaim, "What's this naked hippie doing in my Penthouse downloads?" Matt Blaze today announced a new Random Number Generator based on President Clinton's Bosnia policy speeches of the last year. Mr. 
Blaze stated that each of the President's speeches was yielding at least 1024 bits of pure entropy, and that when added to the 512 bits of entropy found in each of Speaker of the House Newt Gingrich's policy papers on the Internet, should be enough to encypher an average household's grocery shopping over the Internet for at least a month.

In related RNG news, University of California at Berkeley officials today confirmed that the campus's new symbol, the glow-in-the-dark Campanile, was actually the result of graduate student Ian Goldberg's attempts to hook the Lawrence Laboratory Bevatron up to his Unix workstation to use as a Random Number Generator.

Noted anti-conspiracy lecturer Perry Metzger was hired today by Hillary Clinton's defense team. "He's done a great job on cypherpunks, let's see what he can do with the U.S. Senate," one of her lawyers stated at today's press conference.

Jeff Weinstein of Netscape Communications today announced the long awaited 128 bit RC4 encryption Netscape Navigator for the Linux operating system. The new kit, consisting of a standard 2.05b binary, a disassembler, and a copy of "The C Programming Language" by Kernighan and Ritchie, should be available later this week. "This new kit should enable the average Linux user to enjoy the same level of Internet security that our Windoze users have, without violation of the International Trafficking in Armaments Regulations," stated Mr. Weinstein, "and will be made available to anyone free of charge who appears at our Mountain View offices with a U.S. passport, a birth certificate, a valid driver's license, two credit cards, and his or her Social Security Number tattooed on their upper left forearm." Alex de Joode announced that the kit had been available for the past week on ftp.hacktic.nl as /pub/linux/crypto/up.your.netscape.

Lucky Green, spokesperson for the Mark Twain Bank, today announced the first truly anonymous 10 cents off coupon for the Internet.
Attila was detained for 72 hours at the Swiss border while customs officials determined that an egg salad sandwich found in his luggage was indeed made of chicken eggs and was not harboring any biological weapons or contagious neurotoxins.

Reliable sources reported today that the NSA has purchased a absolutely no intention of engaging in domestic surveillance or censorship."

From mbartels at astro.ocis.temple.edu Fri Jan 19 20:24:28 1996
From: mbartels at astro.ocis.temple.edu (mbartels)
Date: Sat, 20 Jan 1996 12:24:28 +0800
Subject: mailing list
Message-ID:

You come recommended by the Happy Mutant Handbook. Was just wondering what you suggestions/input/stuff you guys have up your sleeve. Happy, Happy!!
tanks.
Weaselicious Inc.

From ponder at wane-leon-mail.scri.fsu.edu Fri Jan 19 20:38:42 1996
From: ponder at wane-leon-mail.scri.fsu.edu (P.J. Ponder)
Date: Sat, 20 Jan 1996 12:38:42 +0800
Subject: What news along the Rialto?
Message-ID:

Well, we're waiting. . .

Those of us who didn't make it to the RSADSI conference are anxious to hear interesting tales of the Left Coast & crypto. One need not have the stylistic piquancy of John Young; one need only type up one's notes, optionally sign the missive, and mail or remail on to the list, posterity, and the Hoover Palace.

I think maybe Bob H. went[?]; he e$pammed a press release from Florida's own Fischer Int'l. Sys. Corp. re: SmartDisk, which isn't really news, having been out for quite some time. When I first saw it, I smacked my forehead sharply with my open hand and said, "Exon the Contented Catamite! Why didn't I think of that?" I hope they sell a million of them.

Any news from field agents appreciated. Any news from RSADSI re: prices and availability of videos, etc., is also OK as far as I'm concerned.

--
pj
Defending the home, regret vanishes. - 19Jan96 at I_Ching.tao

p.s. noise.sys is neato! Thanks, Robt.
Rothenburg Walking-Owl and funet.fi folks

From tcmay at got.net Fri Jan 19 20:40:14 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 20 Jan 1996 12:40:14 +0800
Subject: mailing list
Message-ID:

At 10:35 PM 1/19/96, mbartels wrote:
>You come recommended by the Happy Mutant Handbook. Was just wondering
>what you suggestions/input/stuff you guys have up your sleeve. Happy,
>Happy!!
>tanks.
>Weaselicious Inc.

"Tanks"? We have no tanks, only cryptography.

Looks like the cypherpunks at toad.com address, instead of majordomo at toad.com address, has again been put out in some book. (In this case, something called the "Happy Mutant Handbook.") Get ready for another onslaught.

For "Weaselicious," you can subscribe to the Cypherpunks mailing list by sending a message to majordomo at toad.com with a body message of

subscribe cypherpunks

(Send this from the e-mail address which you wish subscribed to the list.)

You will receive a welcome message with more information, including the all-important information on how to UNSUBSCRIBE. Don't lose this message, as you may need it.

--Tim May

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From blancw at accessone.com Fri Jan 19 20:50:24 1996
From: blancw at accessone.com (blanc)
Date: Sat, 20 Jan 1996 12:50:24 +0800
Subject: Cypherpunk Enquirer
Message-ID: <01BAE6AE.99B23140@blancw.accessone.com>

Hee-hee-hee-haa-haa-haaaaaaa. The UpYours CPunk News Update.

..
Blanc

From stewarts at ix.netcom.com Fri Jan 19 21:07:23 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Sat, 20 Jan 1996 13:07:23 +0800
Subject: CryptoAPI and export question
Message-ID: <199601200402.UAA01863@ix6.ix.netcom.com>

Tom Johnston :
At 06:07 PM 1/17/96 EST, you wrote:
>Two points: the CSP development kit is export-controlled; and signing a
>CSP developed by a foreign vendor is treated as an export -- so the signature
>is export-controlled.
>
>We would ship a CSP development kit to a foreign vendor, and sign a CSP
>developed by the foreign vendor, but only with the appropriate export licenses.

Thanks for your reply to Dr. Vulis's question. I'd recommend examining this policy somewhat critically, for a couple of reasons:

1) Development kits are useful, but if you've got an open, documented interface, it's possible to develop code to use it without the kit. (Ignoring, of course, the risk of smuggling. :-)

2) By "is treated as an export", do you mean by explicit government policy, or by Microsoft? Digital signatures and encrypted documents are perfectly legal to export, as is authentication code to make digital signatures.

3) Consider the case of a contractor who buys the development kit, and gives you code to sign. You have no way to differentiate between code that he developed himself, and code developed by some foreign company that hired him and gave him the code (which is legal to import into the US.) He probably can't legally re-export the code, or export the signed version of it, but he can export the signature itself, since that's not cryptographic code, and the foreign company can reattach it to their original document, which you have now signed....

#--
# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281
#
# "Eternal vigilance is the price of liberty" used to mean us watching
# the government, not the other way around....

From tcmay at got.net Fri Jan 19 22:03:38 1996
From: tcmay at got.net (Timothy C.
May)
Date: Sat, 20 Jan 1996 14:03:38 +0800
Subject: The Lotus Position
Message-ID:

At 4:03 AM 1/20/96, Bill Stewart wrote:

>40-unknown-bit RC4 may take a week for an ICE workstation or a herd of
>net-coordinated workstations, but it would be much faster to crack on
>a specialized machine actually designed for RC4. I think Eric's estimate
>was $25-50K for a machine that could do it in 15 minutes, built out of
>programmable gate arrays. That's not $10,000/crack, or $584, but $0.25-.50.
>Would they crack all the keys they wanted for a quarter each? Sure;
>at that rate it's probably cheaper to crack them than read them
>(though in reality they'd feed most of them to keyword scanners.)

I take it as self-evidently true that NSA would spend the relatively small amount of money to build a dedicated key cracker...probably at least several for each major cipher.

"In this room, where we used to have the famed acre of Crays, now we have tenth of an acre of superfast custom key crackers."

(Yes, I know the Crays are used for other things besides key cracking. In fact, their main use probably is not for cryptanalysis. Also, I'm not talking about cracking ciphers that are essentially uncrackable with any amount of compute power, I'm talking about cracking specific instances of ciphers with NSA-approved key lengths.)

To consider just how _cheap_ such a dedicated machine is to them, consider that in the late 50s and early 60s they built the "Harvest" machine, in conjunction with IBM and based to some extent on IBM's "Stretch" machine, as I recall. (Bamford has a bunch of stuff on it, and our own Norm Hardy worked on it for IBM in the early 60s...he gave a good talk at a Cypherpunks meeting on how big it was, how much it cost, its capabilities, etc.)

The Harvest machine, and its ancillary units, such as the world's largest and fastest tractor tape drive, cost something like $100 million in today's dollars, according to Norm and others.
And Harvest was still running in 1975-6, when it was finally replaced by the Cray 1.

NSA also funded the early efforts that later became Control Data Corporation (CDC), and NSA was a major customer of Seymour Cray's CDC 6600, and the later 7600 (and maybe even the ill-fated Star). NSA and AEC were also the early customers for the Cray-1, of course.

This gives you some feel for what kind of expenditures "the Fort" is prepared to make when it sees the need. And the black budgets of other intelligence agencies, as described in Richelson's excellent books and other books (such as "Deep Black," an unauthorized history of the National Reconnaissance Organization), can only be described as "stupefyingly large." A surveillance satellite can run upwards of $1.5 billion, so spending a tiny fraction of that to decrypt what you've sniffed out of the airwaves is a gimme.

The deep black budget is estimated to be something like $25 billion a year.

Recall that the Wiretap Bill _alone_ provided for up to $500 million for compliance measures. Clearly the FBI somehow view their surveillance capabilities as being worth at least this much to them, and probably a lot more.

Throw in the budgets for the DEA, IRS, FinCen, FBI, BATF, and all the other agencies fighting the Four Horsemen and the citizen-units who stray outside the drawn lines, and it's clear that NSA could budget several hundred million dollars *each and every year* for breaking its "approved ciphers."

Like many, I take it for granted that 40-bit RC4 can be broken for "small change." Moreover, my guess is that foreign traffic is routinely cracked if it is encrypted. After all, it's the encrypted traffic that is likeliest to be interesting. (Sure, some dumbos like Pablo Escobar speak in the clear on cellphones, but the correlation is definitely in the direction of encrypted traffic being likelier than unencrypted traffic to contain interesting stuff.
This will become even more the case as more people become educated and as crypto gets built into more things...this is the intelligence and law enforcement communities' worst nightmare.)

A $25,000 machine. 4 cracks per hour, 100 per day, and 36,000 per year. Running for an active life of several years (before being replaced, of course, by something several times faster/cheaper), there you have the $0.25 per crack that Bill cites above. Even at 100 times this estimate, it's cheap. (Not for random vacuuming, but for anything targeted, even casually.)

And think of what just a few percent of the "Harvest" budget buys you: 100 of these machines. Several million cracks per year. And from these cracks, think of the correlations, the contact lists, and the further targeting that can be done.

[Sidebar: One thing that bothers me about any of these LEAF-related schemes--and I don't know if and how the Lotus scheme checks both ends for compliance, etc.--is that they are fundamentally at odds with remailers which hide the origin. If remailers are allowed to continue to exist, schemes involving LEAF fields won't work. Unless I've forgotten how these things work in the couple of years since I last looked at Clipper et. al. in depth. So, I expect a move against remailers as part of the campaign. And with no remailers, if this could ever be enforced, the ability to make contact lists based on random decryption is frightening.]

Back to their 100 machines.... My guess is that they haven't even bothered to buy this many machines, that the intelligence they get from a few tens of thousands of cracks is more than enough to point to further leads, to trigger additional HUMINT, etc.

But even if the estimates are off by orders of magnitude, we know that a 40-bit RC4 can be cracked in ~hours with ~hundreds of Sun-class machines. (Personally, I think it obvious the NSA has at least speeded up this work factor by at least a factor of ten.)
This is also essentially a minor consideration compared to the amount of work done in ordinary wiretaps.

And in a few years, 40-bit RC4 will be even more ludicrously weak.

The Lotus position is untenable.

--Tim May

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From nobody at alpha.c2.org Fri Jan 19 23:26:18 1996
From: nobody at alpha.c2.org (Anonymous)
Date: Sat, 20 Jan 1996 15:26:18 +0800
Subject: "whom T. C. May has killfiled"
In-Reply-To:
Message-ID: <199601200711.XAA12262@infinity.c2.org>

Timothy C. May (tcmay at got.net) wrote:
: At 11:09 PM 1/19/96, Rich Graves wrote:
:
: >Yusuf's statement that my January 16th email is the first that he had
: >heard of the .PWL problem is both patently ridiculous and directly
: >contradicted by private email from anonymous sources on this list whom
: >T. C. May has killfiled.
:  ^^^^^^^^^^^^^^^^^^^^^^^
:
: ???
:
: Mind explaining this reference? In public, preferably, as the charge was
: made here.
:
: If it's a joke, I don't get it.

You killfiled microsoft.com, remember? sheez...

From anonymous-remailer at shell.portal.com Sat Jan 20 00:13:13 1996
From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com)
Date: Sat, 20 Jan 1996 16:13:13 +0800
Subject: No Subject
Message-ID: <199601200759.XAA17860@jobe.shell.portal.com>

I know this is a little off-topic, but does anyone know of a good swap file deleter?
I know Real Delete is a good program, but I want something I can call in a batch file after windows to automatically do a secure wipe of the permanent swap file and then replace it. I have heard of a couple programs but I am not sure about their reliability. Any pointers to a good program would be appreciated.

From jamesd at echeque.com Sat Jan 20 00:40:09 1996
From: jamesd at echeque.com (James A. Donald)
Date: Sat, 20 Jan 1996 16:40:09 +0800
Subject: authenticating intrahost crypto providers
Message-ID: <199601200830.AAA07615@mailx.best.com>

At 11:37 AM 1/18/96 EST, James Leppek wrote:
>
> I have been doing some research on the development of an abstract
> security services API(not just a CAPI) and have hit a road block.
> The problem revolves around the need to authenticate a
> security service provider to an application.

No such need.

If the attacker can introduce his own module to supply crypto services then he must have administrator (NT equivalent of root) privileges, in which case you are stuffed regardless.

 ---------------------------------------------------------------------
                                      |
We have the right to defend ourselves |   http://www.jim.com/jamesd/
and our property, because of the kind |
of animals that we are. True law      |   James A. Donald
derives from this right, not from the |
arbitrary power of the state.         |   jamesd at echeque.com

From karn at unix.ka9q.ampr.org Sat Jan 20 03:30:49 1996
From: karn at unix.ka9q.ampr.org (Phil Karn)
Date: Sat, 20 Jan 1996 19:30:49 +0800
Subject: ITAR and hash functions (Perry's question)
Message-ID: <199601201124.DAA09482@unix.ka9q.ampr.org>

Perry quoted part of the joint declaration of facts in my case and asked

>Would this not mean that the government is estopped from ever again
>claiming that hash functions are export controlled under the ITAR?

Not according to them. They have made it clear throughout their filings that they consider each CJ request on a case-by-case basis.
Furthermore, they repeatedly assert that under the power delegated to them by the President, they have the absolute power to add and delete items from the Munitions List and to make inexplicable, inconsistent and arbitrary rulings whenever they damn well feel like it, and no court can overrule them.

They even feel free to ignore their own rules whenever they get too inconvenient. See my attorneys' brilliant analysis of why the ITAR as written clearly permits the export of public domain crypto code under the public domain exemption. It's about halfway through

http://www.qualcomm.com/people/pkarn/export/karnresp.html

But State wrote the rules, so they can ignore 'em whenever they feel like it. Why gosh, National Security is at stake! And that's something we mere mortals can't possibly know anything about.

Grep for the word "estoppel" in their arguments -- I know they used it at least once to discuss this exact point.

So the bottom line is this: at the moment the ODTC will let you export hash functions as long as they don't encrypt data. They'll probably grant CJ requests to that effect. But they could change their minds at any time if they feel like it.

Isn't it wonderful to live under a government of laws, not of men?

Phil

From attila at primenet.com Sat Jan 20 03:38:26 1996
From: attila at primenet.com (attila)
Date: Sat, 20 Jan 1996 19:38:26 +0800
Subject: Cypherpunk Enquirer
Message-ID:

OK, who's the 'wise guy' among us? is it the aging hippy in a hot top? is it Samuel Clemmons revenge?

who cares? write on!

as blanc might have said:

Hee-hee-hee-haa-haa-haaaaaaa. The UpOurs CPunk News Update.
                                    ^
__________________________________________________________________________
go not unto usenet for advice, for the inhabitants thereof will say: yes, and no, and maybe, and I don't know, and fuck-off.
_________________________________________________________________ attila__

To be a ruler of men, you need at least 12 inches....
---------- Forwarded message ----------
Date: Fri, 19 Jan 1996 20:41:31 -0800
From: blanc
To: "cypherpunks at toad.com"
Subject: RE: Cypherpunk Enquirer

Hee-hee-hee-haa-haa-haaaaaaa. The UpYours CPunk News Update.

..
Blanc

From jirib at sweeney.cs.monash.edu.au Sat Jan 20 03:50:03 1996
From: jirib at sweeney.cs.monash.edu.au (Jiri Baum)
Date: Sat, 20 Jan 1996 19:50:03 +0800
Subject: CryptoAPI and export question
In-Reply-To: <199601200402.UAA01863@ix6.ix.netcom.com>
Message-ID: <199601201137.WAA20395@sweeney.cs.monash.edu.au>

-----BEGIN PGP SIGNED MESSAGE-----

Hello Tom Johnston and Bill Stewart and cypherpunks at toad.com

Bill Stewart wrote:
...
> 3) Consider the case of a contractor who buys the development kit,
...
> into the US.) He probably can't legally re-export the code, or export
> the signed version of it, but he can export the signature itself,
> since that's not cryptographic code, and the foreign company can
> reattach it to their original document, which you have now signed....
...

This is not that difficult for MS to work around - for example, they could modify the code harmlessly before signing it. Unless you know *how* they modified it, you can't reproduce it.

Example: some assembly instructions have more than one machine code representation. MS could put some kind of cryptographically strong pattern into these (ie one that can't be reverse-engineered).

ObCrypto: Stego in .EXE files?

Jiri
- --
If you want an answer, please mail to . On sweeney, I may delete without reading!
PGP 463A14D5 (but it's at home so it'll take a day or two)
PGP EF0607F9 (but it's at uni so don't rely on it too much)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

-----END PGP SIGNATURE-----

From jirib at sweeney.cs.monash.edu.au Sat Jan 20 04:13:25 1996
From: jirib at sweeney.cs.monash.edu.au (Jiri Baum)
Date: Sat, 20 Jan 1996 20:13:25 +0800
Subject: Hack Lotus?
In-Reply-To: <9601200326.AA09366@toad.com>
Message-ID: <199601201202.XAA20449@sweeney.cs.monash.edu.au>

-----BEGIN PGP SIGNED MESSAGE-----

Hello "Peter Trei" and , cypherpunks at toad.com, trei at process.com

P.T. writes:
> > "Peter Trei" writes:
...
> > > If they're nasty, they'll check on the receiving side as well, to
...
> > Nearly impossible. Why? Because they can only include the public key,
...
> 1 Alice generates session key K
> 2 encrypts with Bob's public key, producing Epb(K)
> 3 extracts 24 bits of K to make K'
> 4 encrypts with Eve's (spy) public key, producing Epe(K')
...

Eeek! that gives 2^24 possible plaintext/ciphertext pairs. Trivial to brute.

3 should be: extracts 24 bits of K and concatenates it with H(K) to make K' where H is a strong one-way hash.

Hope that makes sense...

Jiri
- --
If you want an answer, please mail to .
On sweeney, I may delete without reading!
PGP 463A14D5 (but it's at home so it'll take a day or two)
PGP EF0607F9 (but it's at uni so don't rely on it too much)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

-----END PGP SIGNATURE-----

From ddt at lsd.com Sat Jan 20 04:43:58 1996
From: ddt at lsd.com (Dave Del Torto)
Date: Sat, 20 Jan 1996 20:43:58 +0800
Subject: [NOISE] FIG_newt/on CIA
Message-ID:

[ This came to me from someone at Apple, through our pal Stephan Somogyi ]
[ ...another "your tax dollars hard at work" story... heh. --dave ]

................................. cut here .................................

There's an easter egg in the 2.0 Newton (MessagePad 120) which was "censored" by, yes, the CIA.

Back in '94, one of the Newton software types made a trek to the (very) small town of Rachel, Nevada, which is located at the edge of a secret government airbase. The base, called "Area 51," is thought by UFO-enthusiasts to be filled with alien technology which the government is in the process of reverse engineering. Meanwhile, the government denies the very existence of the base, in spite of widespread media coverage ("Larry King Live from Area 51", etc.).

We figured it'd be funny to put a reference to Area 51 in the Newton -- especially given the substantial overlap between conspiracy buffs and computer nerds. So, in the "Time Zones" application, which contains a world map, we put an entry for Area 51 in its correct location.

Later, we added a twist -- if the user picks Area 51 from the map, the icons in the datebook application take on an alien theme. Normally, meetings are represented by an icon of two people face-to-face, events are represented by a flag, etc., etc.
But when Area 51 has been chosen, the icon for a meeting is a person facing an alien, the icon for an event is a flying saucer, a to-do task is represented by a robot, and so on.

Okay, cute enough. Now cut to August 1995, when the 2.0 ROM has been declared final, seed units have been in customers' hands for a little while, and the release is just about ready to go. One of the seed units, it turns out, was sent to a cryptographer working for the CIA. When he found that Area 51 was listed at the correct latitude/longitude, he complained to Apple, demanding the removal of the easter egg and threatening to have his superiors take the issue to Spindler if necessary.

In the end, Newton management caved in to the demand, and decided to pull the joke out of the system. But the ROM was already done -- so the feature was hidden by a software patch ("System Update") -- but this part of the patch can itself be removed, and "Area 51" returned to its rightful glory.

Here's how to get the easter egg back:

1) Open the Extras drawer.
2) Switch the folder of the Extras drawer to "Storage".
3) Tap on the icon "Time Zones" and press the "Delete" button. Warning -- any cities you've added to your Newton will be lost.
4) Switch the folder of the extras drawer back to "Unfiled icons."
5) Tap on "Time Zones."

You'll find that Area 51 is on the map -- just tap near Las Vegas and choose Area 51 from the popup. Now look at the icons in Dates.

(To purge the aliens from your PDA, open the back and press reset).

From perry at piermont.com Sat Jan 20 07:54:19 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Sat, 20 Jan 1996 23:54:19 +0800
Subject: ITAR and hash functions (Perry's question)
In-Reply-To: <199601201124.DAA09482@unix.ka9q.ampr.org>
Message-ID: <199601201534.KAA03043@jekyll.piermont.com>

Phil Karn writes:
> Perry quoted part of the joint declaration of facts in my case and asked
>
> >Would this not mean that the government is estopped from ever again
> >claiming that hash functions are export controlled under the ITAR?
>
> Not according to them.

Yeah, I know not according to them. That's not what counts. I'd like to know what a lawyer thinks. Once they have declared that something doesn't fit the munitions criteria I suspect they are estopped from ever claiming again that it is munitions -- basic legal principle. Sure, they can claim otherwise, but they aren't forbidden by law from asserting their power to make buildings levitate, either.

> Furthermore, they repeatedly assert that under the power delegated to
> them by the President, they have the absolute power to add and delete
> items from the Munitions List and to make inexplicable, inconsistent
> and arbitrary rulings whenever they damn well feel like it, and no
> court can overrule them.

They can claim that they have the right to declare fingernail clippers to be munitions, but that certainly couldn't stand up in court.

> So the bottom line is this: at the moment the ODTC will let you export
> hash functions as long as they don't encrypt data. They'll probably
> grant CJ requests to that effect. But they could change their minds at
> any time if they feel like it.
>
> Isn't it wonderful to live under a government of laws, not of men?

Joy.

Perry

From pfarrell at netcom.com Sat Jan 20 07:58:48 1996
From: pfarrell at netcom.com (Pat Farrell)
Date: Sat, 20 Jan 1996 23:58:48 +0800
Subject: DC area cypherpunks physical meeting, January 27
Message-ID: <38432.pfarrell@netcom.com>

The next DC-area cypherpunks meeting will be Saturday, January 27 at Digex Headquarters offices in Greenbelt MD from 3PM until 6PM.

There was talk of obtaining a cypherpunk-related video to show as a social event after the meeting. More on that as details become available.

For more information, agenda, directions, etc. see URL: http://www.isse.gmu.edu/~pfarrell/dccp/index.html

Pat

Pat Farrell Grad Student http://www.isse.gmu.edu/students/pfarrell
Info. Systems & Software Engineering, George Mason University, Fairfax, VA
PGP key available on homepage #include

From dlv at bwalk.dm.com Sat Jan 20 08:14:31 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Sun, 21 Jan 1996 00:14:31 +0800
Subject: Wipe Swap File
In-Reply-To: <199601201421.JAA01170@pipe10.nyc.pipeline.com>
Message-ID: <8me1HD60w165w@bwalk.dm.com>

tallpaul at pipeline.com (tallpaul) writes:
> Remember that one simple wipe is *not* secure. Current Department of
> Defense security regs call for wiping the same space something like 8 or 9
> times. Even then the wipe is not secure enough for higher level DofD
> classified material. There the regs call for the physical destruction of
> the medium after it has been wiped.

Degaussing the media (running a household magnet over it :-) may be an option.

Two semi-on-topic questions:

1. Does anyone know a cheap way to recover the traces of the previous (overwritten) recordings on the media?

2. If a cheap way exists, has anyone considered stego use of it?

(I don't need this right now, just for future reference, and any such discussion would improve the s/n on this list.)

---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

From froomkin at law.miami.edu Sat Jan 20 08:42:10 1996
From: froomkin at law.miami.edu (Michael Froomkin)
Date: Sun, 21 Jan 1996 00:42:10 +0800
Subject: DES in real life
Message-ID:

Recognizing that DES is not the best thing out there, but that it is better than RC40 and life is a series of cost/benefit tradeoffs and that there is a large installed base to interoperate with, I'd like your opinions on the following:

1) Suppose you are approached by a corporate client who believes that they can get export permission for DES (but nothing stronger, i.e. no 3DES). What kind of real-world, non-banking, applications is DES just too weak for today? In answering keep in mind that most US corporate clients are not too worried about the US government reading their email. Some do worry about foreign governments and many worry about competitors. [I've limited this to "non-banking" because banks seem to be gearing up for 3DES.]

2) How long before DES becomes generally unsuitable for (A) corporate (B) personal use [please keep the threat model on which this question is based in mind -- threats *other than* the US government wiretapping you]?

3) Do you have a view as to whether DES (A) will and (B) should be recertified next time the issue arises?

A. Michael Froomkin        | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law |
U. Miami School of Law     | froomkin at law.miami.edu
P.O. Box 248087            | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's warm here.

From froomkin at law.miami.edu Sat Jan 20 08:52:29 1996
From: froomkin at law.miami.edu (Michael Froomkin)
Date: Sun, 21 Jan 1996 00:52:29 +0800
Subject: Encryption and the 2nd Amendment
In-Reply-To: <960119164917_22857929@hp1.online.apple.com>
Message-ID:

IMHO the 2nd amendment argument is bunk. [I haven't seen the Wired article BTW, so this is just a general point.]

The definition of crypto as arms was accomplished as an administrative convenience by an agency of the US govt. It is not a definition of constitutional significance. To oversimplify only a little bit, agencies don't get to define terms in the constitution -- and a good thing too, or they might try to define e.g. "speech" in some funny way.

The issue is whether under any fair reading of the 2nd Am. you can read "arms" to include encryption. You might try to do this by "original intent" (except that I've never seen a shred of evidence for this). Or you might try to do it by arguing that the meaning of the term "arms" should change with the times and crypto fits the purposes (defending your home?) of the amendment. But this is a very tough argument to make, and I've never seen anyone try it. I suspect it is also bound to fail; indeed any interpretive system that would stretch the constitutional use of the word "arms" so wide as to fit crypto could equally well be used to exclude anything more advanced than muskets and early rifles... which probably explains why I know of no such arguments either.

I must be posting some version of this every nine months or so. Each time I get hate mail. Let's make this an exception shall we?

A. Michael Froomkin        | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law |
U. Miami School of Law     | froomkin at law.miami.edu
P.O. Box 248087            | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's warm here.

From jamesd at echeque.com Sat Jan 20 09:02:52 1996
From: jamesd at echeque.com (James A. Donald)
Date: Sun, 21 Jan 1996 01:02:52 +0800
Subject: CAPI signing
Message-ID: <199601201647.IAA22500@mailx.best.com>

At 01:40 PM 1/18/96 -0600, Mike McNally wrote:
>
> A Microsoft person just responded via direct e-mail that they'll do
> CAPI signing in the United States (the word "only" wasn't in there,
> but that certainly was the implication).

In order to get government approval of CAPI, Microsoft made concessions that we will doubtless find offensive.

But once CAPI is in place and working, then those concessions can be taken back.

CAPI is a good thing: It is sound design and it will open another front in the conflict.

Once software is around that has crypto hooks in it, we can then deal with restrictions on CAPI modules using technical and political means. I expect that technical means will be effective and successful.

---------------------------------------------------------------------
                                      |
We have the right to defend ourselves | http://www.jim.com/jamesd/
and our property, because of the kind |
of animals that we are. True law      | James A. Donald
derives from this right, not from the |
arbitrary power of the state.         | jamesd at echeque.com

From alanh at infi.net Sat Jan 20 09:54:21 1996
From: alanh at infi.net (Alan Horowitz)
Date: Sun, 21 Jan 1996 01:54:21 +0800
Subject: NSA vacuuming down Internet traffic
In-Reply-To: <199601190923.KAA10526@utopia.hacktic.nl>
Message-ID:

If I were standing in one of the places where NSA has its taps of the Net - what would I see? Alligator clips across terminal strips, leading to a bunch of T3 lines?

Is there any open source - or otherwise - knowledge or speculation about which words/phrases the Terra-cycle cpu's are text-searching *for*?

If it were your responsibility to eavesdrop on Iranian terrorists - or French Commercial Attache reports to Paris - or to have UK nationals, off in their private room of your building, write down the name of every in America who expresses a libertarian dissatisfaction with the Republicrat regime - would you know for sure which words/phrases to key on?

It doesn't sound like a tractable problem to me. Of course, some people don't need to worry about the GAO doing their own evaluation of how well an agency is doing its assigned mission!

Alan Horowitz
alanh at norfolk.infi.net

From tcmay at got.net Sat Jan 20 10:26:22 1996
From: tcmay at got.net (Timothy C. May)
Date: Sun, 21 Jan 1996 02:26:22 +0800
Subject: Encryption and the 2nd Amendment
Message-ID:

At 4:39 PM 1/20/96, Michael Froomkin wrote:
>IMHO the 2nd amendment argument is bunk. [I haven't seen the Wired
>article BTW, so this is just a general point.]

I haven't seen the "Wired" article either, as I no longer read it.

I agree with Michael that an association of crypto with arms is a long reach, unsupported in anything I've seen in the Constitution or related papers. Moreover, any successful link made could be disastrous.

After all, it is well-established--whether we like it or not--that the government can regulate and control access to hydrogen bombs, bazookas, nerve gases, grenades, fully-automatic weapons, and even various kinds of rifles and handguns. I would hate to see crypto truly classified as an armament (beyond what the ITARs say) and thus be subject to the same kinds of regulations as above.

Be careful what you wish for, you might get it.

A much stronger claim can be made, I think, that crypto is a form of language or speech, clearly protected by the First Amendment. Thus, writing one's diary in an encrypted form (a common practice in colonial days, interestingly) is a form of language one uses. Thus, "Congress shall make no law..." about this speech or writing. That two people choose to converse in ROT-13 or in RSA or in their own private code is not something the government is authorized to interfere with.

Ikewiselay, itingwray inlay igpay atinlay islay otectedpray.

--Imtay Aymay

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From tcmay at got.net Sat Jan 20 10:32:28 1996
From: tcmay at got.net (Timothy C. May)
Date: Sun, 21 Jan 1996 02:32:28 +0800
Subject: Wipe Swap File
Message-ID:

At 3:38 PM 1/20/96, Dr. Dimitri Vulis wrote:
>tallpaul at pipeline.com (tallpaul) writes:
>> Remember that one simple wipe is *not* secure. Current Department of
>> Defense security regs call for wiping the same space something like 8 or 9
>> times. Even then the wipe is not secure enough for higher level DofD
>> classified material. There the regs call for the physical destruction of
>> the medium after it has been wiped.
>
>Degaussing the media (running a household magnet over it :-) may be an option.

Ordinary household magnets fail for a couple of reasons:

1. Their field strength is not high enough to affect modern media, due to the extremely high coercivity of modern media. (Try it out, you'll be surprised at how hard it is to really change a lot of bits with a household magnet.)

2. Most "swap files," as used above, are of course on hard drives. Encased in metal. In any case, the nearest a household magnet can get to the surface is several centimeters. Unless the magnet is very large (such as the 20-pounder I have from my childhood days), the field strength will drop drastically in several centimeters.

(Modern disk drives, and even modern videotape machines, use very high-coercivity coatings, including pure metal, and the heads must ride very close to the media to flip the domains. A magnet several centimeters away is effectively at infinity.)

3. A time-varying field is preferred. Bulk erasers work this way, by plugging into an a.c.
socket and generating a time-varying field. And even these are getting harder to use to erase video tapes, for example, due to the high coercivity of modern media. Most folks I know no longer even try to bulk erase tapes.

>1. Does anyone know a cheap way to recover the traces of the previous
>(overwritten) recordings on the media?

There are custom drives for various media which have multiple heads, and heads that can be "jogged" a little bit. This allows, I have read, the subtle variations of multiple writes to be extracted.

Much more expensive would be various electron microscope-based imaging methods to directly image the domains and extract subtle signs of past write cycles.

--Tim May

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From erc at dal1820.computek.net Sat Jan 20 10:56:14 1996
From: erc at dal1820.computek.net (Ed Carp, KHIJOL SysAdmin)
Date: Sun, 21 Jan 1996 02:56:14 +0800
Subject: Encryption and the 2nd Amendment
In-Reply-To:
Message-ID: <199601201842.NAA02090@dal1820.computek.net>

> I agree with Michael that an association of crypto with arms is a long
> reach, unsupported in anything I've seen in the Constitution or related
> papers. Moreover, any successful link made could be disastrous.
>
> After all, it is well-established--whether we like it or not--that the

It is? Not by precedent, as far as I know. By statute, yes.
I'd like to see some cites on this - the only reasonable cite that I know of concerning the ability of the government is the one back in the 40's (I think) that concerned someone possessing an "illegal shotgun" - and, of course, the pseudo-famous case regarding whether or not a convicted felon filling out certain government forms is protected by the 5th amendment.

Michael, can you point me in the general direction here?

> government can regulate and control access to hydrogen bombs, bazookas,
> nerve gases, grenades, fully-automatic weapons, and even various kinds of
> rifles and handguns. I would hate to see crypto truly classified as an
> armament (beyond what the ITARs say) and thus be subject to the same kinds
> of regulations as above.

> A much stronger claim can be made, I think, that crypto is a form of
> language or speech, clearly protected by the First Amendment. Thus, writing
> one's diary in an encrypted form (a common practice in colonial days,
> interestingly) is a form of language one uses. Thus, "Congress shall make
> no law..." about this speech or writing. That two people choose to converse
> in ROT-13 or in RSA or in their own private code is not something the
> government is authorized to interfere with.

Now *that's* a novel argument, one I hadn't heard before! If true, this could cover a very wide variety of circumstances. If I send my wife email from work and encrypt it, then that's the same as if I sent her a note in Farsi. Interesting implications here...

I wonder if there are any cases where, for example, the government took people to court during WWII to prevent them from talking in German or Japanese over the phone, or in letters?

> Ikewiselay, itingwray inlay igpay atinlay islay otectedpray.

I know you probably did this by hand, but I think in the dim mists of time, someone posted a program (to net.sources, no less!) that converts text into pig latin. Of course, such a thing is almost trivial to write but it would be interesting.

On the other hand, compression isn't illegal, but crypto is. What's the difference? Both render text in a form that is unreadable to the casual observer, and both require some effort on the part of the observer to "decrypt".

--
Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com
214/993-3935 voicemail/digital pager
800/558-3408 SkyPager
Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi

"Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'"

-- "Losing Your Mind", Karen Alexander and Rick Boyes

From stewarts at ix.netcom.com Sat Jan 20 11:55:50 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Sun, 21 Jan 1996 03:55:50 +0800
Subject: Espionage-enabled Lotus notes.
Message-ID: <199601200403.UAA01942@ix6.ix.netcom.com>

At 11:38 AM 1/18/96 -0500, hallam at w3.org wrote:
>The problem with this system is that it is quite likely to succeed. Unlike
>Clipper which made unfettered access to encrypted material possible the escrowed
>key strength reduction means that the FBI can tap a significant number of
>locations, just not all of them.

40-unknown-bit RC4 may take a week for an ICE workstation or a herd of net-coordinated workstations, but it would be much faster to crack on a specialized machine actually designed for RC4. I think Eric's estimate was $25-50K for a machine that could do it in 15 minutes, built out of programmable gate arrays. That's not $10,000/crack, or $584, but $0.25-.50. Would they crack all the keys they wanted for a quarter each? Sure; at that rate it's probably cheaper to crack them than read them (though in reality they'd feed most of them to keyword scanners.)

>It will be very hard to argue effectively against this idea in Congress.
>Much harder than the Clipper chip which was dead on arrival.

You may be right. They keep making outrageous demands, and "compromising" on less outrageous ones.

Something prominently not mentioned in the article was "escrow agents" for the 24 bits of wiretap-support key; apparently foreigners don't get even that much due process. Nor was there a clarification of whether all the software has the same wiretap key (probable) or each copy has a different wiretap key (the Clipper model.) If it's just one key, then nobody's mail is safe.

#--
# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281
#
# "Eternal vigilance is the price of liberty" used to mean us watching
# the government, not the other way around....

From JR at ns.cnb.uam.es Sat Jan 20 12:36:05 1996
From: JR at ns.cnb.uam.es (JR at ns.cnb.uam.es)
Date: Sun, 21 Jan 1996 04:36:05 +0800
Subject: Win95 Registration Wizard info
Message-ID: <960119121126.204013d9@ROCK.CNB.UAM.ES>

From: SMTP%"alano at teleport.com" 18-JAN-1996 23:29:11.16

>At 10:03 AM 1/18/96 -0500, Perry E. Metzger wrote:
>>
>>Alan Olsen writes:
>>> I picked this link up from the Fringewear list.
>>[...]
>>> The author takes the registration Wizard in Win95 apart and shows exactly
>>> what it does and what it looks for. Some interesting information about the
>>> encrypted database of product information it uses.
>>
>>What, exactly, does this have to do with cypherpunks?
>
>I posted it for two reasons.
>
... reason one deleted ...
>2) The program's use of encryption to conceal what products it looks for.
>
... rest of message deleted ...

I also found interesting the use of a debugger to break Microsoft's crypto.

When we speak about crypto, we do not only refer to algorithms, we must also consider insiders, eavesdroppers, etc...

Well, this is a good example of a technique to break encrypted messages that has proven useful and, what's more, has the support of the operating system. A big mistake from Microsoft.
And also in many other vendors.

While not interesting in many protocols, it is worthy in those where one of the parts doesn't trust the other. The point is that any non-trusted party can try a similar approach -using a debugger- to gather information from within their computer (passwords, keys, data...) unless there is some way to prevent it (like using a better approach or protocol).

It's silly to send text in the clear through an insecure channel. So it is to store passwords in the clear in world-readable files. Or to keep data in memory which can be paged to disk... The article comes to point out that it is also as silly to store cleartext in any program memory that can be accessed/traced/dissected by an untrusted user. And that Microsoft obviously chose again a too weak (mean?) approach to secure their data.

I wonder now whether one could still rely on Microsoft to provide a reasonable Crypto API as they are bragging lately...

jr

From llurch at networking.stanford.edu Sat Jan 20 12:41:21 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sun, 21 Jan 1996 04:41:21 +0800
Subject: "whom T. C. May has killfiled"
In-Reply-To:
Message-ID:

On Fri, 19 Jan 1996, Timothy C. May wrote:

> At 11:09 PM 1/19/96, Rich Graves wrote:
>
> >T. C. May has killfiled.
> ^^^^^^^^^^^^^^^^^^^^^^^
>
> ???
>
> Mind explaining this reference? In public, preferably, as the charge was
> made here.
>
> If it's a joke, I don't get it.

I just spent several minutes on a longer response, but on second thought I think it suffices to say publicly that this was a particularly elliptical joke, not at Tim's expense, that I retract and apologize for. And I've received other mail that suggests that my primary assumption was wrong anyway, about which I'm happy.

I hadn't meant to post that paragraph publicly anyway, since it was a stupid bluff. Oops. I've verified that it didn't go the other places I'd sent a version of the article.

And now back to our regularly scheduled programming...

-rich

From jrochkin at cs.oberlin.edu Sat Jan 20 12:47:20 1996
From: jrochkin at cs.oberlin.edu (Jonathan Rochkind)
Date: Sun, 21 Jan 1996 04:47:20 +0800
Subject: Respect for privacy != Re: exposure=deterence?
Message-ID:

At 9:03 PM 01/19/96, Rich Graves wrote:
>I'll certainly grant you that there is a conspiracy and a secret
>government (broadly defined), but not everyone paid by the government is
>in on it, and not everyone involved is in the government.

Nah, many conspiracies. Lots of government folks doing their own secret, non-secret, and semi-secret stuff in cooperation with other government folks and non-government folks. Adam Smith either said, or is frequently misquoted as saying, that whenever two business people of the same profession meet, it's a conspiracy. That goes double for two government agents. [What's a double conspiracy? You'd know if you were in on it.]

>Gratuitous use of pseudonymity can be counterproductive. Now nobody's
>going to be able to use your "bar-coded garbage" essay without being
>suspected of being you, which I doubt is what you want.
>
>Is anyone going to quote you in the future, as you quote Patrick Henry?

Or as everyone quotes Publius? Who is Publius anyway? Alexander Hamilton or Tom Jefferson, or someone like that, I forget. Would they quote Publius if they never figured out who "really" wrote Publius' stuff? I dunno. Maybe eventually we'll know who We Jurgar Din "really" is. But probably not, because we won't even remember what he wrote, let alone be interested in who he "really" is.

And I guess everyone doesn't quote Publius anyway. But every American Constitutional Law textbook probably does, and most American History textbooks. Maybe future American Bar Code textbooks will quote We Jurgar Din. Somehow I doubt it, though.

From stewarts at ix.netcom.com Sat Jan 20 12:50:25 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Sun, 21 Jan 1996 04:50:25 +0800
Subject: Espionage-enabled Lotus notes.
Message-ID: <199601200403.UAA01951@ix6.ix.netcom.com>

At 12:16 PM 1/18/96 -0500, "Richard Martin" wrote:
>The Lotus `solution' seems to be the action of an American company
>shipping a product which effectively says to foreign users, "We don't
>care about you as a market."

To play Sternlight's Advocate for the moment, I'll have to disagree with you here. 40-bit encryption really is a joke, for any business data worth protecting (and Lotus Notes is primarily a business product.) 64-bit RC4 encryption, while less than ideal, is still usable for most applications; it's certainly stronger than DES by a couple orders of magnitude, which is probably enough for now. Yes, the Yanquis can wiretap you, but it's better than having _everybody_ wiretap you. (And besides, you're probably going to use the 128-bit smuggled version anyway.) This at least provides a product you can use with _some_ credibility, assuming it interoperates with the US version, which I think the 40-bit version did.

>That this is the so-called "export"
>version is ironic. The keys are escrowed with the U.S. government,
>and no one else. The French government should rightly cry foul, for
>this is (a) encryption where they don't have the keys and (b) encryption
>where another government *does*.

The French can still ban it, or require you to register your keys, just as they can with the 40-bit version. Or ban products with menu items in English, if they think that's too encrypted for them. :-) C'est la guerre.

#--
# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281
#
# "Eternal vigilance is the price of liberty" used to mean us watching
# the government, not the other way around....

From mrm at netcom.com Sat Jan 20 12:55:08 1996
From: mrm at netcom.com (Marianne Mueller)
Date: Sun, 21 Jan 1996 04:55:08 +0800
Subject: Jan 27 special Bay Area CA mtg
Message-ID: <199601200224.SAA07329@netcom20.netcom.com>

Out-of-band cypherpunk meeting
Saturday Jan 27 12 noon - 3 p.m.
Sparcy's cafeteria, B21, Sun Microsystems, Mountain View, California

The reason to call a special half-meeting on January 27th is that a producer/videographer for PBS would like to film a discussion among cypherpunks about 1st amendment issues, for a PBS show named "Freedom Speaks." The show airs nationally on PBS. In San Francisco, currently on KMPT Thursdays at 5 p.m., and starting in March, on KQED.

The producer is Roger Masterton and he describes his goals like so: (the parts in between [] are my paraphrasing of what he said, for brevity)

I am currently working on the story for a program we will tape in 2 weeks about Cryptography, focusing on the Free Speech aspect as well as the government's attempt to limit export of programs. ... The reason that I'm writing to you is that we would like to shoot a cypherpunks meeting as a way of introducing the [program.] [We want to film cypherpunks talking on camera] about the need for cryptography and the government's attempt to control access. ...

I talked with him on the phone. He is affiliated with a group known as the Freedom Forum in Arlington, VA, which is non-partisan and non-profit.

I said, sure, I'd be glad to reserve the room and call for a meeting, but that it would be up to the local Bay Area cypherpunk community as to whether or not folks could make this meeting. I also mentioned that a number of us have had mixed experiences with the media, and that we're pretty cynical about being presented fairly. I told him several of us have endured the problem of spending all day in some video shoot, only to have 10 seconds of out-of-context inflammatory sound byte show up on the eventual program.

If you want to, it would help me to know if you think you can make the meeting on Jan 27th, so we have some idea how long to wait for people to show up before starting the "official" agenda.

Marianne
mrm at eng.sun.com
mrm at netcom.com

p.s. directions to B21 of Sun: Take 101 south to Amphitheater Parkway.
Turn left at the light at the bottom of the exit ramp onto Charleston. (This street is also known as Garcia.) After about 1/3 mile, turn right onto the first real side street. In about 2 long city blocks, you'll see big purple and white signs for B21 of Sun. The meeting is held in the cafeteria. This time I'll bring blank foils and pens. :-) From grimm at MIT.EDU Sat Jan 20 13:53:56 1996 From: grimm at MIT.EDU (grimm at MIT.EDU) Date: Sun, 21 Jan 1996 05:53:56 +0800 Subject: Hack Lotus? In-Reply-To: <199601192214.RAA28470@bb.hks.net> Message-ID: <9601202117.AA28623@w20-575-84.MIT.EDU> Pardon my lack of faith in most crypto implementations, but do you think it is possible that (in the first version of Notes at least) the escrowed 24-bits will just be stored plaintext in the executable? In which case, a little disassembly, and we can create a hack to enable all 64-bits. (Of course, communications from this hacked version will only be readable by other hacked versions or US versions.) Anyone else think this is probable? -James From tallpaul at pipeline.com Sat Jan 20 17:46:57 1996 From: tallpaul at pipeline.com (tallpaul) Date: Sun, 21 Jan 1996 09:46:57 +0800 Subject: NSA vacuuming down Internet traffic Message-ID: <199601201448.JAA03919@pipe10.nyc.pipeline.com> On Jan 20, 1996 04:05:50, 'Tatu Ylonen ' wrote: >As for the keyword search problem, it would easily be possible to scan >much of the data (say, tcp ports smtp, nntp, login, exec, ident) in >real time against a million-phrase dictionary (containing keywords, >e-mail addresses, names, abbreviations, etc.). If there are >performance problems, you can first limit by >source/destination/protocol/port. Only intercepts (e.g., entire tcp >connections) that pass this initial screening are passed on to other >machines for more complicated analysis. > >Note also that many parts of the filtering problem parallelize quite >nicely. Or simply pipeline it.
Bare bones Pentium systems go for under $US 1,000 (quantity one) on the open market. Buy them in quantity and a private company can set up a thousand Pentium pipeline for under a million dollars. Easily affordable for even medium-sized corporations. -- tallpaul "To understand the probable outcome of the Libertarian vision, see any cyberpunk B movie wherein thousands of diseased, desperate and starving families sit around on ratty old couches on the streets watching television while rich megalomaniacs appropriate their body parts for their personal physical immortality." R. U. Sirius _The Real Cyberpunk Fakebook_ From perry at piermont.com Sat Jan 20 18:03:55 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 21 Jan 1996 10:03:55 +0800 Subject: DES in real life In-Reply-To: Message-ID: <199601210001.TAA03292@jekyll.piermont.com> Michael Froomkin writes: > Recognizing that DES is not the best thing out there, but that it is > better than RC40 and life is a series of cost/benefit tradeoffs and that That's RC4, and it isn't necessarily better than RC4, especially if the RC4 key length is reasonable. No one really knows the strength of RC4. > 1) Suppose you are approached by a corporate client who believes that they > can get export permission for DES (but nothing stronger, i.e. no 3DES). > What kind of real-world, non-banking, applications is DES just too weak > for today? I'd guess that anyone who considers their messages to be worth more than a few hundred bucks a pop has cause to worry, because that's the upper limit on the cost of cracking DES keys these days. > 2) How long before DES becomes generally unsuitable for (A) corporate > (B) personal use [please keep the threat model on which this question is > based in mind -- threats *other than* the US government wiretapping you]? I'd say it is unsuitable for anything approaching a valued corporate secret today. Personal use? Well, the threat model there is all important.
Certainly your cousin can't crack DES keys -- yet. > 3) Do you have a view as to whether DES (A) will and (B) should be > recertified next time the issue arises? DES should not be recertified. I have no opinions on what the government will do. Perry From perry at piermont.com Sat Jan 20 18:32:02 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 21 Jan 1996 10:32:02 +0800 Subject: Hack Lotus? In-Reply-To: <9601200326.AA09366@toad.com> Message-ID: <199601201509.KAA02967@jekyll.piermont.com> "Peter Trei" writes: > Think it through. [...] > 8 Bob's copy of lotus repeats steps 4 & 5 above, and checks if > its version of Epe(K') matches the one sent. Hmm, it could, but it isn't going to be trivial unless the thing is running straight RSA without a random pad. If it isn't randomly padding, then it is possible to make a table of the 2^24 possible encryptions and break traffic without knowing the RSA key the government uses. It would require about 16GB of storage, granted, but that isn't exactly impossible in today's world -- that only costs about $4000. It would also require a lot of CPU, but not an impossible amount and the investment would be one time. Given such a table properly indexed, you could crack any passing key just by indexing to find out three bytes of the 64 bit key and then go after the other 40 in fairly short order. That would make a new "Hack IBM" (Lotus is owned by them) promotion on C2 rather fun! If they are randomly padding, then they would have to send the pad along, presumably encrypted under the RC4 key or under Bob's RSA key. Someone has to deconstruct the code. At this point, we are starting to fly off into the world of speculation. > > Of course, I'll point out that 64 bit RC4 keys are still not > > particularly heartwarming... > > Granted, but we don't know if they use RC4, DES, or what. They are RC4 if they haven't changed that part of the design.
Perry From sameer at c2.org Sat Jan 20 19:00:04 1996 From: sameer at c2.org (sameer) Date: Sun, 21 Jan 1996 11:00:04 +0800 Subject: PARTY-PARTY-PARTY In-Reply-To: Message-ID: <199601190607.WAA10545@infinity.c2.org> > > http://www.c2.org/party/masquerade/html that's http://www.c2.org/party/masquerade.html -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From nobody at REPLAY.COM Sat Jan 20 19:10:27 1996 From: nobody at REPLAY.COM (Anonymous) Date: Sun, 21 Jan 1996 11:10:27 +0800 Subject: New China Ruling Threatens Closure Of News Agencies 01/19/96 Message-ID: <199601210114.CAA26108@utopia.hacktic.nl> In effect, the edict puts Xinhua, the world's unnewsiest news agency, in charge of agencies normally beyond the grasp of cadre communists -- even in Hong Kong, Macau and, Taiwan. On this basis, the next time Hong Kong billionaire Li Ka-shing did a deal with state authorities that relieved McDonald's Corp. or any other legal entity of its contractual rights (as happened last year), the story would have to be vetted by Xinhua. Xinhua already made information-control history when it established a service that both disseminates outgoing commercial data on the Internet and filters any incoming information. Although the State Council's directive gives Xinhua control over strictly "economic" news, the government body has licensed Xinhua to control everything, effectively ruling out reliable news. Stock markets and business plans are driven by market forces -- even in highly manipulated China. Even when one is tempted to think business is market driven, the whims of China's central controllers can skew everything -- as merchandisers in the casual wear clothing market found when that suddenly dried up because the bosses on top didn't like then Giordano clothing store chairman Jimmy Lai. 
The State Council's directive will in all likelihood force the New York Times, Reuters and other news organizations to reassess their operations in territories Xinhua is authorized to control. Controls go beyond editorial conventions. According to Xinhua, foreign wire services will not be allowed to increase subscribers in China "directly nor by ways of establishing joint ventures, solely funded companies or agents." The Xinhua report said that foreign news providers "will be punished in accordance with the law if their released information to Chinese users contains anything forbidden by Chinese laws and regulations, or slanders or jeopardizes the national interests of China." Jeopardizing the national interest of China is now taken to mean jeopardizing the interests of the communist party, or the roughly 5% of the population controlling the country from "the barrel of a gun," to borrow from Mao Zedong. Agencies only learned of the new rules Tuesday night when Xinhua, skirting the usual practice of circulating advisories on operational changes internally, simply put the story on the wire. One Hong Kong agency man told Newsbytes: "We always knew writing stories from China was a problem. Now you have to wonder if we'll be able to send stories from Hong Kong, without having to pass them by Xinhua for approval. The directive indicates stories will have to pass through Xinhua first -- pointing to a major evacuation of news services, and technology vendors who handle them. (Nigel Armstrong & I.T. Daily/19960117) From llurch at networking.stanford.edu Sat Jan 20 19:27:34 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sun, 21 Jan 1996 11:27:34 +0800 Subject: Idea for "friendly" Windows password hack Message-ID: [Let me say up front that beyond a lot of perl hacking, I've never had a need to code my way out of a paper bag, so this is not something I'd be able to implement myself, at least not without a month of study.] 
OK, so we know how to crack .PWL files, and how any program (virus, trojan horse, Windows Help file calling a DLL beginning with ASCII 229 so that virus scanners can't see it) can obtain usernames, passwords, etc. even if persistent "password caching" to disk has been turned off. How might Microsoft (or someone else) address this without forcing users to quit all applications and "log out" of Windows to purge the temporary "password cache" in RAM? I.e., I don't care much about and know I can't count on the security of my PC as such, and it's really convenient to leave a zillion Popular Web Browser windows open when I walk out of my office, but I don't like the idea that anyone might walk up to my PC and log on as me to the otherwise (more or less) secure servers I use. In thinking about how MacOS PowerTalk deals with this by allowing the user to "lock" and "unlock" their keychain at will, it occurred to me that there's no particular reason we should just have to "look, don't touch" the password cache in RAM. After all, it's our insecure single-user operating system, and our passwords. Why not provide a way to grab the passwords cached in RAM, encrypt them securely, put them away somewhere, and scramble the original copy of the passwords in RAM so that Microsoft's code can't get to them? We don't need no steenking user interface. Actually, the first cut at this wouldn't really need to encrypt them securely, but just deny them to the OS, and restore them to the OS, on demand. Just a quick demo of how Microsoft can and should resolve this issue would have people beating down our door, and we'd unambiguously be the good guys. Because we'd be providing the solution, there would be no further moral qualms about posting full details and full source code. 
-rich owner-win95netbugs at lists.stanford.edu ftp://ftp.stanford.edu/pub/mailing-lists/win95netbugs/ gopher://quixote.stanford.edu/1m/win95netbugs http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html From stewarts at ix.netcom.com Sat Jan 20 19:33:17 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 21 Jan 1996 11:33:17 +0800 Subject: Hack Lotus? Message-ID: <199601210319.TAA23787@ix4.ix.netcom.com> At 05:14 PM 1/19/96 -0500, daw at quito.CS.Berkeley.EDU (David A Wagner) wrote: >I was talking to Avi Rubin from Bellcore last night, and he speculated >that maybe the 64 bit key was a fixed one, generated once at installation >time and escrowed with the government then. To do that, the user's system would have to communicate with the government, which would be unlikely and avoidable. Alternatively, if Lotus is willing to release copies with different serial numbers (either on the disk or printed on the label), the installation process could include public-key encrypting a 64-bit key for the user with the GAK key, generating a (say) 512-bit encrypted key which could be dragged around in the headers or (if they wanted to minimize overhead) handed out in 64-bit chunks with every message or some such silliness. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "Eternal vigilance is the price of liberty" used to mean us watching # the government, not the other way around.... From stewarts at ix.netcom.com Sat Jan 20 19:34:05 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 21 Jan 1996 11:34:05 +0800 Subject: Web site with Updated Telecom Bill Info Message-ID: <199601210319.TAA23764@ix4.ix.netcom.com> At 04:05 AM 1/20/96 -0500, you wrote: >Our beloved Vice President said: "We are very gratified that the bill >contains the provisions for the V-chip that will enable families to >control the contract of television programming that comes into their homes yeah, families like Al & Tipper Gore....
>and that it contains a provision to make advanced telecommunications >services available at low cost to schools, libraries and hospitals" #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "Eternal vigilance is the price of liberty" used to mean us watching # the government, not the other way around.... From WlkngOwl at UNiX.asb.com Sat Jan 20 19:46:09 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Sun, 21 Jan 1996 11:46:09 +0800 Subject: HAVAL (was Re: crypto benchmarks) Message-ID: <199601202200.RAA09207@UNiX.asb.com> > Thanks. It looks like F4 and F5 are improved. Do you know how these > optimizations can be done in general? I tried playing with F2 > as a multivariate polynomial with coefficients in GF(2) in Mathematica. > This seems to work and I found several equivalent expressions that take > 13 operations (the original also takes 13 operations). Is there a tool > that can do this automatically? I did the optimizations by hand. Simple rules of boolean arithmetic and logic (you know, things like De Morgan's Law applied to binary operations). Other processor-related optimizations can be done by hand, such as add x,x instead of shl x,1. I think I had the same problems with F2 as well. Couldn't find a way to optimize it reasonably. > The biggest problem I have with HAVAL now is that with 4 or 5 passes the > transform functions are larger than 10k even with compiler optimization for > size. Since the Pentium L1 instruction cache is only 8k, this makes HAVAL > with 4 or 5 passes extremely slow. Do you have ideas how I can fit the > transform functions into L1 cache? You might do some creative optimization to use more registers than it does. I haven't looked at it in a while. The code was so huge and slow compared to optimized MD5 and SHS that I gave up using it for an unfinished encrypted file system. Rob.
--- "Mutant" Rob Send a blank message with the subject "send pgp-key" (not in quotes) for a copy of my PGP key. From grimm at MIT.EDU Sat Jan 20 19:58:42 1996 From: grimm at MIT.EDU (grimm at MIT.EDU) Date: Sun, 21 Jan 1996 11:58:42 +0800 Subject: Elitism on Cypherpunks In-Reply-To: <199601200131.RAA26034@urchin.netscape.com> Message-ID: <9601202118.AA28626@w20-575-84.MIT.EDU> Point well made, dear sir! Date: Fri, 19 Jan 1996 17:29:22 -0800 From: Corey Bridges At 08:55 PM 1/18/96 -0800, Alan Olsen wrote: >It has been said that "Cypherpunks write code". They must do more than >that. Cypherpunks need to teach. Just remember you brought this up... Not all of us even write code. Some of us write (horrors!) books! Yes, my brethren, I earn my pay as a lowly scribe. Do I code? Nope. Am I a Cypherpunk? Christ, I don't care. I'm on this mailing list; that works fine for me. My brain expands almost daily from contact with such seditious sods. Do I contribute to the health and growth of this list? Maybe. Do I preach the Cypherpunk doctrine through my work at my company? Definitely. Just thought I'd point out that we aren't all code-monkeys. (And I mean that in the best sense of the word.) Corey Bridges Security Documentation Netscape Communications Corporation home.netscape.com/people/corey 415-528-2978 From trei at process.com Sat Jan 20 20:00:54 1996 From: trei at process.com (Peter Trei) Date: Sun, 21 Jan 1996 12:00:54 +0800 Subject: Restricted FTP & Web servers wanted. Message-ID: <9601210348.AA07059@toad.com> I'm trying to persuade the powers-that-be at my employer that we can use a restricted access, encrypted Web server to distribute beta copies of our products (which include encryption) to test sites.
We're mainly interested in avoiding any confrontation with ITAR. Since we can restrict by IP address, and unlike the MIT PGP site, will be encrypting the link, I think we're in the clear. However, to aid me in making the case, I'm looking for other IP restricted servers to show that this is an accepted practice. Please drop me a line if you know of any, and I'll summarise next week. thanks, Peter PS: Does anyone know of a Domestic strength SSL web browser which allows you to install trusted roots (Netscape does not meet these conditions, in any released version). Peter Trei Senior Software Engineer Purveyor Development Team Process Software Corporation http://www.process.com trei at process.com From jamesd at echeque.com Sat Jan 20 20:02:07 1996 From: jamesd at echeque.com (James A. Donald) Date: Sun, 21 Jan 1996 12:02:07 +0800 Subject: DES in real life Message-ID: <199601210352.TAA20749@mailx.best.com> At 07:01 PM 1/20/96 -0500, Perry E. Metzger wrote: >That's RC4, and it isn't necessarily better than RC4, especially if >the RC4 key length is reasonable. No one really knows the strength of RC4. The shortness and simplicity of RC4 leads me to believe that it must be strong. If something that simple had a flaw, the flaw would have been found by now, whereas more complicated algorithms, such as DES, might well avoid discovery of their flaws merely by their irregularity and complexity, which makes analysis tedious. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state.
| jamesd at echeque.com From goldberg at mars.superlink.net Sat Jan 20 20:27:56 1996 From: goldberg at mars.superlink.net (goldberg at mars.superlink.net) Date: Sun, 21 Jan 1996 12:27:56 +0800 Subject: Guerilla Internet Service Providers Message-ID: <199601210258.VAA17721@mars.superlink.net> At 09:21 PM 1/4/96 -0800, jim bell wrote: >At 10:54 AM 1/4/96 -0800, you wrote: >>>Previous exchanges deleted... >> >>(1) No single communication technology is appropriate for every problem. >> >>(2) A technical fix could include having the receiver send steering orders >>to the transmitter. This solution would, of course, be a long way from the >>low tech scavenged lens and 1/2 meter cardboard mailing tube technology I >>was thinking of. > >I think you guys (further up the reply chain) are missing the point. While >IR does have stealth advantages in, say, wartime, for routine network usage >everyone can be assumed to know where everyone else is, and where all the >optical links are, etc. There's no point trying to use link-location >secrecy. And presumably, encryption will provide all the >message-secrecy/anti-spoofing functions required. Simply ASSUME that the >beams can be intercepted (although probably not intentionally cut). That's >why we're "cypherpunks," right?!? > >Secondly, IR beams can be plenty narrow enough to avoid inter-link >interference, but at the same time wide enough to avoid beam-steering >problems. Note: I'm assuming link distances of under, say 300 meters here. > >Previously, a point was made about the effects of fog cutting links: Due to >scattering, one of the reasons automobile fog lamps are 550 nanometer >yellow/orange is to minimize the scattering that shorter wavelengths (400 nm >blue, 450 nm green) are more prone to. I would imagine that near IR at, >say, 890 nm would be dramatically less sensitive to such scattering. 1400 >nm might be even better. Rain might be a different story. 
But then again, >if we're limiting the links to around 300 meters, the total amount of water >between "here" and "there" CAN'T be all that great. And in addition, one of >the advantages of computer networking over telephone-type networking is that >we can "tolerate" (although, not LIKE) the occasional necessity of >re-transmitting data. And dynamic re-routing is probably far easier than >for real-time telephone-type data. > >From the standpoint of computer networking, the main benefit of IR is to >cross rights-of-way without permission or trenching (or stringing cables >from telephone poles) in urban and suburban areas, allowing data transfer >near-fiber speeds. In an urban setting, a single tall building could >become a central hub for most of its nearest neighbors. I don't anticipate >IR being used "to the home" (especially since residential areas have trees, >etc); rather, I would imagine that it would be used to feed the occasional >top-of-the-telephone-pole microcell, with very-low-milliwatt (or high >microwatt) RF going the last 100 meters or so to the home. This would allow >a non-phoneco, non-cableco company to offer bidirectional networking in an >entire residential area with an absolute minimum of costs/rights acquisition. > > I can give you the benefit of some experience I have had with optical data transmission systems. We used IR lasers to span an approximately 800 meter distance between buildings, and the results were dreadful. Never again! Fog took the system down completely, on a regular basis here in New Jersey, as did even moderate snow. Rain was much less of a problem, surprisingly, even heavy rain rarely did more than raise the retransmission rate and lower throughput somewhat. Further, the beams were very narrow, and over that distance minute changes in transmitter orientation would cause the link to go down. I am talking about changes due to expansion and contraction of metal mountings with temperature, for instance.
Mounting direct to masonry would probably have helped a lot. Then, there are the things like trees growing into the path over the course of the summer, telephone cables swinging into it intermittently in high winds, etc. Shorter paths allow greater control over environment, certainly, but I would be very careful about deploying large numbers of these types of systems. Spread spectrum microwave radio is a great improvement, but nothing seems to beat properly installed glass fiber for reliability. Frederic M. Goldberg WA2BJZ EMT-D From lull at acm.org Sat Jan 20 20:29:31 1996 From: lull at acm.org (John Lull) Date: Sun, 21 Jan 1996 12:29:31 +0800 Subject: HAVAL (was Re: crypto benchmarks) In-Reply-To: <199601202200.RAA09207@UNiX.asb.com> Message-ID: <31017081.19731341@smtp.ix.netcom.com> Wei: I didn't see your original post, but did see Deranged's response. I would be interested to see whatever you come up with. On Sat, 20 Jan 1996 16:57:07 +0000, Deranged Mutant wrote: > > The biggest problem I have with HAVAL now is that with 4 or 5 passes the > > transform functions are larger than 10k even with compiler optimization for > > size. Since the Pentium L1 instruction cache is only 8k, this makes HAVAL > > with 4 or 5 passes extremely slow. Do you have ideas how I can fit the > > transform functions into L1 cache? > > You might do some creative optimization to use more registers than it > does. I haven't looked at it in a while. The code was so huge and > slow compared to optimized MD5 and SHS that I gave up using it for an > unfinished encrypted file system. The reference implementation is TERRIBLE for small caches.
You can shrink it significantly, however, by simply looping 4x across code that does the basic round operation for each of the 8 rotations -- something like:

    for( i = 4; i--; ) {    /* four passes over the eight rotations */
        FF_1(t7, t6, ...);
        FF_1(t6, t5, ...);
        FF_1(t5, t4, ...);
        FF_1(t4, t3, ...);
        FF_1(t3, t2, ...);
        FF_1(t2, t1, ...);
        FF_1(t1, t0, ...);
        FF_1(t0, t7, ...);
    }

The basic macro for this is almost unchanged from the reference implementation. You can shrink it even further by, instead of coding the basic macro 8 times for each round, writing a round step that works on an array of 9 words (out of an array of 16), using 8 words as input and producing the ninth as output. You then have a two-level loop that invokes this 4x8 times, walking your working set 1 element in the array each time, and every 8 passes moving the 8 current variables back where they belong. The first pass through the loop, you use elements 15..8 as input, and produce element 7. The second pass, you use elements 14..7 as input, and produce element 6, etc. After 8 passes, you move elements 7..0 back up to 15..8, and start the inner loop over. Alternatively, you can begin with an array of 40 words (only 8 of which contain data), use a single loop that invokes the basic processing 32 times, walk your working set 1 word each time, and only move the working set back where it belongs at the end of the full round. From jimbell at pacifier.com Sat Jan 20 20:47:46 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 21 Jan 1996 12:47:46 +0800 Subject: Wipe Swap File Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 10:38 AM 1/20/96 EST, Dr. Dimitri Vulis wrote: >tallpaul at pipeline.com (tallpaul) writes: >> Remember that one simple wipe is *not* secure. Current Department of >> Defense security regs call for wiping the same space something like 8 or 9 >> times. Even then the wipe is not secure enough for higher level DofD >> classified material. There the regs call for the physical destruction of >> the medium after it has been wiped.
> >Degaussing the media (running a household magnet over it :-) may be an option. Degaussing using a common, AC-driven bulk tape eraser is FAR FAR FAR better than using a permanent magnet. DO NOT USE A "HOUSEHOLD MAGNET"!!!! (Except in an absolute dire emergency, such as when the government thugs are breaking down the door, and you have to wipe that disk in a second, and didn't think to keep the bulk eraser plugged in and immediately available, etc. Even then, use a Neodymium Iron Boron magnet, because floppies are actually remarkably insensitive to demagnetization...) Here is why: Magnetic materials have "hysteresis curves." If you merely apply a "DC" magnetic field to a floppy disk, this orients "all" the domains in one direction, but perhaps with a small residual bias based on the previously-magnetized direction. Such data won't be readable on an ordinary floppy drive, of course, but it might be recovered, with substantial (read, "money") effort. This gives uninformed people a false sense of security. AC-powered tape demagnetizers, on the other hand, produce a 60-hertz (actually, 120 hertz, depending on how you look at it) pulsing magnetic field, which REPEATEDLY saturates and re-saturates the magnetic domains in one direction and then the other, taking a "trip around the hysteresis curve" 60 times per second. Residual magnetic fields are repeatedly reversed and thus overwritten, and quickly become totally and completely unrecoverable in a second or so. (actually, far less, I'm just not proposing you stand there for a minute degaussing a single floppy!!!) And there is a far more practical reason to NOT use a permanent magnet, and CERTAINLY not on audio-quality tapes. Read heads can get inadvertently magnetized, and if you insert a disk or tape with a DC-magnetization on it "who knows what" might go wrong. (it would take a reasonably technical audiophile to tell you how much of a problem this could be on audio cassette tapes.
It is possible that digital-writing floppy disk heads are comparatively immune from this effect, but don't count on it!) (However, using an AC demagnetizer on a floppy after you've zapped it with a permanent magnet will remove whatever residual DC magnetization was present.) >Two semi-on-topic questions: > >1. Does anyone know a cheap way to recover the traces of the previous >(overwritten) recordings on the media? Cheap? No. >2. If a cheap way exists, has anyone considered stego use of it? Doesn't sound particularly practical. I can think of a slightly better way, MAYBE. There are, what, 80 tracks on the typical floppy disk, right? (okay, I may be wrong about this...). But it would be physically possible to write a few more tracks onto the floppy before you hit a mechanical stop. Putting data THERE while the typical system thinks there are "only" 80 tracks would hide it reasonably effectively. Note: I'm not over-rating the effectiveness of such a system. It wouldn't faze the CIA or the NSA, but it would probably get by the local police, the state police, and maybe even the FBI unless they had written a program specifically designed to search "illegal" tracks. Label the floppy, "Doom program, great game!" and they'll probably waste most of their time blasting monsters rather than looking for tracks 80, 81, 82, etc.) Also, this is certainly not a new idea. My public key.
From vznuri at netcom.com Sat Jan 20 20:57:45 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sun, 21 Jan 1996 12:57:45 +0800 Subject: "cybertage" In-Reply-To: <199601191846.MAA12766@proust.suba.com> Message-ID: <199601202037.MAA01384@netcom19.netcom.com> From: Alex Strasheim >> how about a new term for all the various enemies of cyberspatial >> advancement? > >I think this is a bad idea. We should be moving away from demonization, >not towards it. well, around the turn of the century, Luddites were smashing looms with hammers. we have not quite reached that stage, but the negativity, hyperbole, and paranoia sown by "cyberteurs" engaging in "cybertage" has a similar effect, and may eventually turn into the same form. by "demonization" I tend to imagine that this means one insists the evil soul must get no sympathy, compassion, or help. quite the opposite I believe with "cyberteurs"-- they just need a little education to lose their own antagonism. I am no way advocating a holy war; only suggesting that we try to create a STIGMA with the position that there is something evil about cyberspace, just as the opponents have already created a STIGMA associated with cyberspace to some degree. there is already a stigma associated with cyberteurs and cybertage-- I am only suggesting that it be made more distinct through the terminology. >We are right, and they are wrong.
The good thing about being right is >that logic and the facts will bear us out. Let's use rational arguments, >not name calling. Save the nasty names for another fight when you're >wrong and the other guy is right. its a label. what is the difference between calling someone a "saboteur" or a "cyberteur"? are you going to argue that the media etc. are *not* sabotaging cyberspace through some of their more odious actions? to the contrary, I see these terms as "reality checks". your smugness and complacency is alarming. I agree that they hold the losing position in *theory*, but reality is not about what is best in theory. that which is best doesn't win out to an extensive PR campaign, often. being "correct" is not enough in a world of people who believe in incorrect philosophies; one must broadcast one's correctness to the world, and terminology is heavily important in this endeavor. >We should build a case to show that everyone -- including those who >disagree with us -- will be better off if we win. It's the truth, so we >ought to be able to come up with good arguments. I am all for this, while at the same time suggesting that "cybertage" being sown by some demagogues is out of line. I am not proposing that every opponent of some form of "cyberspace" be labelled a "cyberteur", only the more radical ones, such as Exon etc. >Unfettered access to strong crypto is in everyone's intrest. It's good >for business and it's good for civil liberties and freedom around the >world. These are not complicated things to grasp. If we get our message >out there, we will win. a big part of getting a message out is terminology. >Lotus has made a mistake. Their gak plan won't reassure international >customers, which is to say it won't do what they want it to do. So why do >it? Instead of calling them names, let's explain why it was a bad idea. >Let's try to explain to Lotus customers why it's a bad idea. If we can do >that, we'll get a response. you seem to be awfully naive. 
from their perspective, the product may become a rousing success, moving into areas they weren't able to penetrate prior to their decision. why do you think they "made a mistake"? I doubt any executive will think that even after a lot of attempted persuasion.

I'm all for your approaches. I wouldn't call Lotus a "cyberteur" engaging in "cybertage". I would however talk about them in the following way: "Lotus must be careful not to continue to pursue their course of action or they may begin to bear the stigma of a cyberteur engaging in cybertage". you see? I didn't actually *call* them anything. the stigma of the term can be useful.

again, I am not in favor of holy wars. if something can be accomplished through modest and minor means, by all means go for it. however in many situations these means may have been exhausted and more shrill, guerrilla tactics are required. I believe we are rapidly entering that realm this moment with things like Digital Telephony, Exon, NSA secret company visits, etc.

From jcobb at ahcbsd1.ovnet.com Sat Jan 20 21:41:19 1996
From: jcobb at ahcbsd1.ovnet.com (James M. Cobb)
Date: Sun, 21 Jan 1996 13:41:19 +0800
Subject: A Modest Proposal
Message-ID:

Tim,

On 01 17 96 you say:

...we are for people looking out for Number One, with the expectation that many other people simply won't make it.

I'm reading Christopher Hill's The English Bible and the Seventeenth-Century Revolution. At page 270:

In 1616 John Rolfe, Secretary to the Virginia Company, attributed to Sir Thomas Dale the view that the English were 'a peculiar people marked and chosen by the finger of God' to possess North America. But the phrase [peculiar people] soon ceased to be equivalent to 'the chosen people' and came to be restricted to descriptions of themselves by the saints. In 1659 Christopher Feake urged 'the real fifth-kingdom men' to 'become a peculiar people (or, as it were, a nation in the midst of the nation) waiting for the word of command from their leader [i.e.
God] to execute the vengeance against Babylon'. Christ's cause will 'be amiable in the eyes of all the nations in due time'. Quakers and Bunyan also used the phrase. It indicated a group conscious of its superiority but also aware that it was a minority.

Time tests prophecy and expectation alike.

Hill's book has other pertinent things to say. At p 248:

There are two (at least) ways of using the Bible for political controversy, which are not easily separated. First as CODE. When Thomas Goodwin in 1639 asked 'How, by degrees, do these Gentiles win ground upon the outward court in England?' he had already told us that Gentiles mean Papists. 'The outward court' continues a metaphor about the Jewish temple; but it was at Charles I's court that the Papists were making headway.

At 249:

Secondly, the symbols of the myth can be interpreted to taste. We have seen Cain pass from being all the reprobate to 'all great landlords', Nimrod from a tyrannical king to all kings, all persecutors; Samson from a type of Christ to a freedom fighter or a terrorist. There seemed to be no limits. Censorship had to be restored.... Some of the myths came to be put to secular uses. John Bull with his cudgel, the bully of the waves, the master slave-trader, becomes the symbol of the chosen Anglo-Saxon people, of their manifest destiny to bring the world to protestant Christianity, to civilization, and in our century to 'democracy'. But long before that the Bible had lost its function as final arbiter.

At 176:

But it is not totally absurd to suggest that the role of the [church] elders who decide and whose decisions are taken over by 'the people' is performed in our [present-day] society by the media. The main difference is in the way in which spokesmen of the latter find their way to such powerful positions: unlike elders, they are not elected.

I expect those spokesmen are simply looking out for their Number Ones --their employers.

Cordially,

Jim

NOTE.
The first bracketed insertion in the first quotation is mine; the second is not. I capitalized CODE in the second quotation for the minority who can't see all that well. The book was published in 1993 by Allen Lane / The Penguin Press. Its ISBN: 0 713 99078 3. Pages: xiv + 466. From daw at quito.CS.Berkeley.EDU Sun Jan 21 13:45:22 1996 From: daw at quito.CS.Berkeley.EDU (David A Wagner) Date: Sun, 21 Jan 96 13:45:22 PST Subject: Hack Lotus? Message-ID: <199601212142.QAA06506@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article <9601200326.AA09366 at toad.com>, Peter Trei wrote: > > > If they're nasty, they'll check on the receiving side as well, to > > > ensure that the LEAF and/or the espionage-enabling key have not been > > > patched in the sending 'International' version. > > > > Nearly impossible. Why? Because they can only include the public key, > > and not the private key, of the GAK authority in the code. You can > > encrypt the three bytes of key, but it is very hard for a receiver > > other than the govvies to read them. There is no shared secret > > information or private information available, ergo, they can't check > > their LEAF equivalent. > > Think it through. [suggesting that Alice encrypts 24 bits of key under NSA's public key, Bob repeats calculation and checks that the two LEAFS are the same] > Thus, you can prevent a non-complying copy of Lotus from talking to > a complying copy of Lotus, which is one of the goals of the GAKers. No, you're wrong, the process you've described does not work. Note that RSA normally is used as probabilistic encryption: encrypt the same plaintext twice, and you'll likely get two different ciphertexts. Thus, if RSA is used in the normal probabilistic way, the receiver can't tell whether the sender was compliant. Now you might suggest that the sender should not include probabilistic padding, and use RSA deterministically, so that (somehow) the receiver can check whether those 24 bits are correct. 
That again won't work, since a third-party eavesdropper will be able to do a 2^24 brute force calculation to recover those 24 bits. There are complicated ways to prevent a non-compliant copy of Lotus from inter-operating with a compliant copy (as others on cypherpunks have kindly pointed out), but they are complicated, and would require a re-design of Lotus Notes' encryption module. Since the export version is interoperable with the non-export version, this would seem to require too much foresight and work to be very likely. In any event, I've heard that the export version of Lotus Notes 4 always sends a LEAF, but the receiver never checks it. So I think a simple binary patch to change the NSA's public key should work. P.S. So does anyone know how large the NSA's public LEAF key is? - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMQKzSyoZzwIn1bdtAQF/zAGAxODShPqrBQLsWzRVAkW7+jbVJidQIF5q 1Jyisn2EedTQoBLHnZD7ojnmws807XZK =bRAO -----END PGP SIGNATURE----- From bdavis at thepoint.net Sat Jan 20 21:54:52 1996 From: bdavis at thepoint.net (Brian Davis) Date: Sun, 21 Jan 1996 13:54:52 +0800 Subject: You want to read MY e-mail? In-Reply-To: <199601210259.UAA08926@ion1.ionet.net> Message-ID: On Sat, 20 Jan 1996, Scott Staedeli wrote: > from the Nando Times- > > > DENVER (Jan 20, 1996 01:16 a.m. EST) -- A college student's request to look at > the electronic mail of several high-profile state politicians got lawmakers' > attention Friday. > > ... > OK, if _I_ can't read your e-mail Mr. Legislator, why should you > be able to read _mine_? The Colorado state legislature has nothing to do with federal wiretapping laws and with federal laws relating to encryption. 
Rather than the "government is inconsistent and bad" spin, why not "Colorado legislators and the Colorado governor agree that privacy is paramount in electronic communications. In opposing a request for blanket access to their private electronic mail, they necessarily oppose federal attempts to have access to all electronic mail, once again showing that Washington is out of touch with the rest of the country.

Parts of the federal government are catching on, however. The U.S. Commerce Department recently agreed that federal attempts to eavesdrop on electronic transmissions are counterproductive in that they are causing problems for U.S. companies which create computer programs designed to allow secure use of the Internet to engage in private discussions and secure commerce. Estimates of the dollar value of exports lost range up to $xxx, and continued chilling of U.S. programmers will give foreign programmers the chance to catch up in a field where U.S. expertise presently leads the world. ...."

Needs to be re-written and juiced up, but you get the idea. Have at it, Sameer.

EBD

From jamesd at echeque.com Sat Jan 20 22:15:02 1996
From: jamesd at echeque.com (James A. Donald)
Date: Sun, 21 Jan 1996 14:15:02 +0800
Subject: Censorship
Message-ID: <199601210327.TAA18777@mailx.best.com>

Censorship:

In the past, whenever a new medium came into play, the new medium was subjected to extraordinarily restrictive censorship, while censorship was radically relaxed, or abandoned altogether, on the old media.

Thus when the talkies came in, censorship on books was relaxed. When TV came in censorship on movies was relaxed.

I conjecture that this represents the power of vested interests, and the relative weakness of new interests.

Now if this pattern is going to be repeated, we would expect the FTC to attempt to utterly strangle the internet in a straightjacket, on behalf of the television interests that have largely captured the FTC.
Note that current proposed legislation, legislation containing Exon's severe censorship rules, gives the FTC ownership of the internet. They may claim to own it. Let us see them try.

Censorship on television is now much tighter than it used to be: Expect a radical relaxation when internet use starts to cut into television time.

Remember the original Star Trek: Every episode would have a fistfight, a gunfight, a space battle between starships with really cheap cheesy special effects, Captain Kirk would dip his wick (off screen) in a new exotic alien female, and he would defy orders, or Starfleet regulations, and most regularly and spectacularly, he would violate the prime directive. In most episodes a redcoat or two would be killed in a completely senseless and unnecessary manner, illustrating the cold indifference of the universe, or the casual evil of sentient beings. Whenever they introduced a new character with a red coat, you knew that violent death was on tonight's menu.

Now consider the bland successor show "Star Trek the Next Generation": In a bow to political correctness they changed the words from "To boldly go where no man has gone before" to "To boldly go where no one has gone before". The "Next Generation" universe is socialist, and socialism is boring. Worse still, on "Next Generation" socialism actually works, and if there is anything even more boring than actual real life socialism, it is socialism that works because everyone cares about each other and they are all such very nice people.

Well it came to pass that our TV executives woke up to the fact that there was something missing from the boring "Next Generation" universe, so they shift their plots to less perfect places. In an upcoming science fiction series "Osiris" the story universe has social collapse and reversion to barbarism, the exact opposite of the sickeningly perfect "Next Generation" universe.
A logical continuation of the gimmick they pulled in "Deep Space Nine" in order to get the story out from the deadly grip of socialism. So far so good. But guess what? Nobody in the "Osiris" story suffers violent death, and the bad guys reproduce asexually. Asexually!! What would Captain Kirk do? Probably sodomy. And now let us consider the cartoons. Remember Yosemite Sam with his fiery temper and his two six guns? Pow! Blam! Well guess what? In today's cartoons, Yosemite Sam has no guns! Poor Captain Kirk. Poor Yosemite Sam. Under these circumstances we should expect a certain amount of friction around such newsgroups as alt.binaries.pictures.erotica.children, alt.conspiracy, alt.sex.bestiality.barney, alt.nationalism.white, and so forth. You will notice that political censorship goes hand in hand with censorship of sex and violence: Not only does Captain Whazisname of the "Next Generation" and "Deep Space Nine" refrain from spreading his semen indiscriminately across the galaxy and refrain from beating people up man on man, he also obeys orders and regulations and never says anything that would be controversial in his universe or ours. They had to make Captain Whazisname of "Deep Space Nine" black instead of the white Captain Whazisname in "Next Generation" and young instead of old, because otherwise nobody would have noticed that he was supposed to be different person, played by a different actor. Typical politically correct diversity: Different colors, but only one voice. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. 
| jamesd at echeque.com

From jimbell at pacifier.com Sat Jan 20 22:15:14 1996
From: jimbell at pacifier.com (jim bell)
Date: Sun, 21 Jan 1996 14:15:14 +0800
Subject: Respect for privacy != Re: exposure=deterence?
Message-ID:

At 10:19 AM 1/19/96 +0100, Anonymous wrote:
>On 15 Jan 96, Rich Graves wrote:
>
>> But government employees should only be held accountable for
>> their actions as government employees. If the situation
>> warrants, go ahead and tap their offices, break into their work
>> computers, etc. But don't fuck with their personal lives.
>
>Oh, my! A little sensitive, are we? Aren't you even a *little*
>struck by the fact that fucking with people's personal lives
>is *precisely* what errant government officials *do*???

I LOVE this response! This is the kind of comment that totally destroys Rich Graves' position: Graves would allow the government to screw with US, as ordinary citizens, while we're denied the ability to defend ourselves. Maybe I was excessively rude by calling Rich Graves a "fucking statist" on this list, but I don't think I was at all inaccurate.

>We Jurgar Din

Thank you for putting Rich Graves in his place.

Jim Bell

From ylo at cs.hut.fi Sat Jan 20 23:06:32 1996
From: ylo at cs.hut.fi (Tatu Ylonen)
Date: Sun, 21 Jan 1996 15:06:32 +0800
Subject: NSA vacuuming down Internet traffic
In-Reply-To: <199601190923.KAA10526@utopia.hacktic.nl>
Message-ID: <199601200205.EAA07759@trance.olari.clinet.fi>

> Is there any open source - or otherwise - knowledge or speculation about
> which words/phrases the Terra-cycle cpu's are text-searching *for*? If it
> were your responsibility to eavesdrop on Iranian terrorists - or French
> Commercial Attache reports to Paris - or to have UK nationals, off in
> their private room of your building, write down the name of every in
> America who expresses a libertarian dissatisfaction with the Republicrat
> regime - would you know for sure which words/phrases to key on?
It
> doesn't sound like a tractable problem to me.

To me it does sound completely feasible (you don't need very good accuracy).

I've personally run packet filters (for statistical purposes only) on busy 10-mbit ethernets using BPF, FreeBSD, and 486 or pentium machines. They easily keep up with little packet loss. I understand T3 is 34 mbits, so only three times faster. No problem to optimize that much by specially written software, especially if you can do some of the low level stuff in hardware.

As for the keyword search problem, it would easily be possible to scan much of the data (say, tcp ports smtp, nntp, login, exec, ident) in real time against a million-phrase dictionary (containing keywords, e-mail addresses, names, abbreviations, etc.). If there are performance problems, you can first limit by source/destination/protocol/port. Only intercepts (e.g., entire tcp connections) that pass this initial screening are passed on to other machines for more complicated analysis.

Note also that many parts of the filtering problem parallelize quite nicely. For example, you can split the traffic to a number of machines based on the value of the numerically smaller of the source/destination addresses.

I don't see any technical problems in doing large-scale internet monitoring. The equipment needed is even cheap enough to be done by motivated amateurs/individuals, assuming they can get a copy of the raw data from the T3.

This is one of the reasons why strongly encrypting internet data is so important.

Tatu

See http://www.cs.hut.fi/ssh for information on SSH, the secure remote login program.
See http://www.cs.hut.fi/crypto for information on cryptography available to anyone worldwide.

From twcook at cts.com Sat Jan 20 23:08:00 1996
From: twcook at cts.com (Tim Cook)
Date: Sun, 21 Jan 1996 15:08:00 +0800
Subject: Cypherpunk Enquirer
Message-ID:

> THE CYPHERPUNK ENQUIRER
>
> "Encyphering minds want to know."
>

ROTFLM?O..... We NEED stuff like this in these stressful times.

.
Another "Logical Conclusion" by: Tim Cook
Support THE US Constitution... Vote Alexander in '96 and '00!

From alanh at infi.net Sat Jan 20 23:37:12 1996
From: alanh at infi.net (Alan Horowitz)
Date: Sun, 21 Jan 1996 15:37:12 +0800
Subject: Encryption and the 2nd Amendment
In-Reply-To:
Message-ID:

> After all, it is well-established--whether we like it or not--that the
> government can regulate and control access to [...]

I *think* the only thing that's been affirmed, is that the feds can *tax* weapons transfers. I think the one particular case is called "Rock Island" or something like that. The defendant was *acquitted* of possessing an un-registered machine gun, because the authority to tax transfers of newly-manufactured machine guns, no longer exists. This is an oversimplification. Anyway, the point is, the defendant was acquitted right there in district court.

Tim, I don't think you'll be able to find anything in the Code of Federal Regulations or the United States Statutes, which outlaws the manufacture or possession of a fission device in your basement. I'm not even positive if it fits the legal definition of a "destructive device", whose *transfers* are taxed.

From tallpaul at pipeline.com Sat Jan 20 23:38:15 1996
From: tallpaul at pipeline.com (tallpaul)
Date: Sun, 21 Jan 1996 15:38:15 +0800
Subject: Wipe Swap File
Message-ID: <199601201421.JAA01170@pipe10.nyc.pipeline.com>

On Jan 19, 1996 23:59:46, 'anonymous-remailer at shell.portal.com' wrote:

>I know this is a little off-topic, but does anyone know of a good swap file
>deleter? I know Real Delete is a good program, but I want something I can call
>in a batch file after windows to automatically do a secure wipe of the
>permanent swap file and then replace it. I have heard of a couple programs but
>I am not sure about their reliability. Any pointers to a good program would be
>appreciated.
>

One way:

1) Go to DOS prompt;
2) Change mode of the permanent swap file to make it writable;
3) Run WIPEFILE by Norton, or any other similar program, without setting up the file for deletion after wiping;
4) Change mode of the permanent swap file back to the original attributes;
5) Leave DOS prompt.

Another way:

1) Remove permanent character of swap file from within Windows;
2) Go to DOS prompt.
3) Erase the swap file.
4) Run Norton etc. WIPEDISK utility on all areas of disk not used by files;
5) Return to Windows;
6) Rebuild permanent swap file.

Remember that one simple wipe is *not* secure. Current Department of Defense security regs call for wiping the same space something like 8 or 9 times. Even then the wipe is not secure enough for higher level DofD classified material. There the regs call for the physical destruction of the medium after it has been wiped.

Norton handles DoD-level wipes as an option.

-- tallpaul

What part of "know" don't you understand?

From cpunk at remail.ecafe.org Sat Jan 20 23:40:59 1996
From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer)
Date: Sun, 21 Jan 1996 15:40:59 +0800
Subject: E-Cash and the Treasury Department
Message-ID: <199601201435.OAA19801@pangaea.hypereality.co.uk>

[POSTED BY: PUBLICUS ANONYMOUS ("Oh! That Publicus.") ("Oh! That Anonymous.")

INTELLIGENCE N. 269, 24 July 1995 (Vol. 16, N. 15)
Publishing since 1980
Editor Olivier Schmidt

Intelligence, N. 269, 24 July 1995, p. 11

RONALD K. NOBLE - U.S.A.

This time the U.S. Treasury Department hasn't jumped the gun in announcing that Ronald K. Noble, the hard-line Undersecretary for Enforcement at Treasury, was the new chairman of the Financial Action Task Force on Money Laundering (FATF) set up in Paris by the G-7 group of industrialized nations in 1988. Last year at this time, the Netherlands took over the chair but U.S. Treasury wrongly issued an announcement that Noble was occupying the post.
Asked by "Intelligence" for an explanation, Treasury simply stated that it had "made a mistake." Last year in Washington, Noble backed bankers complaining about the several million Currency Transaction Reports (CTR) they were required to file every year. Noble and the banks said that filing was not necessary on deposits by businesses like department, grocery and convenience stores that routinely make fluctuating large deposits in cash, and Treasury intended to slash CTR filings by 30 percent. Critics contend that businesses exempt from CTR filing will quickly be used by criminal organizations to launder their cash. As Undersecretary for Enforcement at Treasury, Noble oversees five of the eight largest federal law enforcement agencies in the U.S.: the Secret Service, U.S. Customs, the Bureau of Alcohol, Tobacco and Firearms (ATF), and the IRS Criminal Investigation Division, and the Financial Crimes Enforcement Network (FinCEN) which was taken over by Treasury's Office of Financial Enforcement under Noble last year at this time. At the FATF, Noble replaced Leo Verwoerd of the Netherlands on 1 July 1995 and will direct the FATF for one year. Following last year's resolution to "monitor implementation of the forty Recommendations of 1990 by its members," Noble intends to use forceful methods including open criticism in annual FATF reports of non-complying members, followed by written reprimands from the FATF chairman to recidivist member countries, and finally high-level mission visits to the faulty country. Greece has already been criticized twice for its lack of progress in implementing FATF recommendations. . 
From llurch at networking.stanford.edu Sun Jan 21 15:44:22 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sun, 21 Jan 96 15:44:22 PST Subject: Innaresting Fortune article on "Garbage Goodfellas" in NYC Message-ID: January 15th Fortune (don't normally read it, but I picked up a free copy) has a lengthy and evidently well-researched article bylined Richard Behar on the efforts of BFI, a large regional trash hauler and recycler, to break into the (by most accounts) Mafia-controlled garbage collection industry in New York City. Cypherpunk relevance: BFI is cooperating closely with the DA in helping to prosecute its allegedly mob-affiliated competitors, which raises a lot of very interesting questions, for which I have yet to formulate any answers. Also a sidenote about how NYC's disclosure laws actually aid organized crime by helping the various bosses track who owns what territory. Electronic surveillance. Money laundering. Steganography (sending messages by way of the disembodied head of a dog). Open access to information and free-market capitalism versus violent bozos, with and without uniforms. Pen trumps sword. Rich says check it out. -- Rich Graves Fucking Statist From tedwards at Glue.umd.edu Sat Jan 20 23:50:08 1996 From: tedwards at Glue.umd.edu (Thomas Grant Edwards) Date: Sun, 21 Jan 1996 15:50:08 +0800 Subject: Web site with Updated Telecom Bill Info Message-ID: http://bell.com/ (Alliance for Competitive Communications) has updated Telecom Bill info including "A concise resource guide to the House Senate Conference on H.R. 1555/S. 652.", 12/22/95 draft of the Telecommunications Conference Bill, and a statement by VP Gore. (Beware of editorial bias at this site, as these people are not a disinterested party). 
Our beloved Vice President said: "We are very gratified that the bill contains the provisions for the V-chip that will enable families to control the contract of television programming that comes into their homes and that it contains a provision to make advanced telecommunications services available at low cost to schools, libraries and hospitals" -Thomas From llurch at networking.stanford.edu Sun Jan 21 00:54:51 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sun, 21 Jan 1996 16:54:51 +0800 Subject: You want to read MY e-mail? Message-ID: <199601210839.DAA04781@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- bdavis at thepoint.net (Brian Davis) shared with the world: >On Sat, 20 Jan 1996, Scott Staedeli wrote: > >> from the Nando Times- >> >> DENVER (Jan 20, 1996 01:16 a.m. EST) -- A college student's request to look >> at the electronic mail of several high-profile state politicians got >> lawmakers' attention Friday. >> >> ... >> OK, if _I_ can't read your e-mail Mr. Legislator, why should you >> be able to read _mine_? > >The Colorado state legislature has nothing to do with federal wiretapping >laws and with federal laws relating to encryption. Mostly true. But state governments and state politicians have been naughty as well. Certain southern governors in the 50's and 60's spring immediately to mind. However, I think "an eye for an eye" is the wrong approach in the first place. There's an opportunity for education here, and progress. >Rather than the "government is inconsistent and bad" spin, why not >"Colorado legislators and the Colorado governor agree that privacy is >paramount in electronic communications. In opposing a request for >blanket access to their private electronic mail, they necessarily oppose >federal attempts to have access to all electronic mail, once again >showing that Washington is out of touch with the rest of the country. This is clever, but I don't think it works. There is a legitimate public interest here. 
Even if there's nothing incriminating in the email messages themselves, the questions of how much government business is conducted electronically, and how much non-government business (personal matters, political fund-raising) is conducted on publicly funded computers on government time are legitimate.

Personally, I'd be reluctant to peep into every message ever sent on a government computer -- it's too voyeuristic for my tastes. I'm especially thinking about that poor staffer who was grilled by the Whitewater Committee about one use of the word "bastard" in an unrelated email message to a friend that had been deleted years before. It doesn't seem right to grep for out-of-context soundbytes. Not that the new book "White House Email" isn't good for hours of entertainment.

I'd like to see politicians put on official notice that all email on publicly owned computers is public property, though it would be hard to draw the line where politicians and political appointees end and the innocent line employee begins. If the politicians end up using crypto on government computers, great -- maybe they'd start to "get it." If the politicians want to open accounts with outside ISPs on their own (or their political party's) dime, great -- that's what a lot of other people on this list have had to do. Of course if some politician starts using an outside account for official business (and only then), then that account becomes fair game for public disclosure as well. It's a matter of ethics and accountability.

Because politicians have not yet been put on official notice that this is the policy, though, I would not endorse making this policy retroactive and grepping all their email for dirt, unless the public has something like probable cause to do so. Next year, sure, it's all public record.

Politicians should be educated that privacy without strong encryption is illusory anyway. Making a law that the public can't read their email simply isn't going to work. It's unenforceable.
Sure it'll slow down the rate of public disclosure a bit. Still, some disgruntled ex-employee, or some Woodward & Bernstein type, or Jim Bell :-), is bound to get through. Scandals long to be free.

>Parts of the federal government are catching on, however. The U.S. Commerce
>Department recently agreed that federal attempts to
>eavesdrop on electronic transmissions are counterproductive in that they are
>causing problems for U.S. companies which create computer programs
>designed to allow secure use of the Internet to engage in private
>discussions and secure commerce. Estimates of the dollar value of exports
>lost range up to $xxx, and continued chilling of U.S. programmers will
>give foreign programmers the chance to catch up in a field where U.S.
>expertise presently leads the world. ...."
>
>Needs to be re-written and juiced up, but you get the idea.

Might play to the right crowd (for example, preaching to the choir here), but sounds like a non sequitur to me. Not that clever non sequiturs aren't useful.

By the way, I read something about something similar happening in California. The new Republican Assembly "leadership" was trying to hold the computers of the previous Democratic "leadership" in escrow so that they could look for dirt. Anyone know the outcome of that?

- -rich

- ---
[This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

iQBFAwUBMQH7yioZzwIn1bdtAQHC/wF8DHUhQpWkNAE8bVHeB9zUbXG7ju2Y1+Bo
LHsVK6M4Qwd8Q2HMbaMe2/y5xBpryyVh
=A+29
-----END PGP SIGNATURE-----

From warlord at ATHENA.MIT.EDU Sun Jan 21 01:19:12 1996
From: warlord at ATHENA.MIT.EDU (Derek Atkins)
Date: Sun, 21 Jan 1996 17:19:12 +0800
Subject: A weakness in PGP signatures, and a suggested solution
In-Reply-To:
Message-ID: <199601180344.WAA26221@charon.MIT.EDU>

> 2.
When PGP verified the signature, it should have an option to look outside
> the signed portion for RFC 822 headers and compare them to the signed copy
> of the headers inside. If this is not in PGP, then the function would have to
> be done by some non-portable wrapper.
> (Of course, if your headers aren't RFC 822, you're out of luck.)

How? PGP has no idea what is around the PGP message. Also, the PGP armor is, by definition, not a cryptographic manipulation, rather it is just a tool for convenience. The Armoring done by PGP could just as easily be done by MIME or UUEncode; the functionality is just the same as far as PGP is concerned. The only difference is for the user, who knows that "BEGIN PGP MESSAGE" means feed this data to PGP rather than feeding it to some other program.

PGP really only looks at the contents between the BEGIN and END. It can't do anything else. In fact, only the PGP Armor code even deals with that. By definition, PGP is a binary protocol and deals with binary data objects. So how can it look at any "RFC 822 Headers"? There are no such animals in PGP.

It is perfectly legal to remove all data before the BEGIN and all data after the END and feed the result to PGP... As I said, armor is a convenience to the user only.

PGP will not be modified in this way; it is the job of the mailer (MUA) to do this sort of thing. Sorry.

-derek

From nelson at santafe.edu Sun Jan 21 01:19:18 1996
From: nelson at santafe.edu (Nelson Minar)
Date: Sun, 21 Jan 1996 17:19:18 +0800
Subject: Spiderspace
In-Reply-To: <199601170613.WAA08830@ix5.ix.netcom.com>
Message-ID: <199601180354.UAA14857@nelson.santafe.edu>

>... I was under the impression that the only documents that most web crawlers
>will search are documents that are link-accessible. Are you saying that this
>isn't true? Are you saying that Alta-Vista will search EVERYTHING that's
>publicly accessible, whether by anonymous FTP or web?
I'm not sure about alta-vista, but most spiders just follow the Web doing some sort of graph search algorithm: pages are nodes and links are directed edges. If a page is not linked anywhere, I don't see how a spider could find it. But you might be surprised at how quickly links to your pages can be made, in unexpected ways. Before alta-vista went online, I set up an archive of a private mailing list for a class, put it on the web, and figured obscurity would keep it safe. Within six hours of putting this page online and emailing about it to my class, the alta-vista spider had found it. Now maybe that six hours was just random chance, but I was pretty impressed. I still don't know how the spider found it - my guess is someone had made a Netscape bookmark to my page and had put their bookmark file online. All the spiders and Usenet search engines imply is that the haystack is becoming easier to search for needles. The Web and the Usenet are fundamentally public media - a spider has as much right to index your pages as JoeBob has a right to make a bookmark to it. The good thing is these spiders are fundamentally useful critters. alta-vista is about to replace Yahoo for my preferred way to find things. See http://www.santafe.edu/~nelson/hugeweb.html for a little thought I had one evening. From alano at teleport.com Sun Jan 21 01:27:41 1996 From: alano at teleport.com (Alan Olsen) Date: Sun, 21 Jan 1996 17:27:41 +0800 Subject: Update on Netscape and the Anonymiser site Message-ID: <2.2.32.19960121091759.008954c0@mail.teleport.com> Netscape 2.0b6a (win32 version) now reports the user name as "Mozilla". Name is no longer fed out through the ftp... Thanks Jeff! Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "Is the operating system half NT or half full?"
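In the "A weakness in PGP signatures, and a suggested solution" thread above, Derek Atkins says that comparing the outer RFC 822 headers with a signed copy is the mailer's job, not PGP's. The sketch below is an added example of such a wrapper, not code from PGP or from any poster. It assumes the sender placed a copy of the headers at the top of the clearsigned text and that PGP has already verified the signature; the function names and the sample message are constructed for illustration.

```python
"""Mailer-side comparison of outer RFC 822 headers with a signed copy.

Added illustration. Assumptions: the sender put a copy of the headers at the
top of the clearsigned text, and the PGP signature over that text has already
been checked by PGP itself (this code does no cryptography).
"""
import email

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"


def extract_clearsigned(body):
    """Return the signed text of a clearsigned block, or None if absent."""
    lines = body.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        end = lines.index(BEGIN_SIG, start)
    except ValueError:
        return None
    i = start + 1
    while i < end and lines[i].strip():  # armor headers end at a blank line
        i += 1
    signed = lines[i + 1:end]
    # Undo dash-escaping: a signed line starting with "-" travels as "- -...",
    # which is also why the signature marker cannot occur inside the text.
    return "\n".join(l[2:] if l.startswith("- ") else l for l in signed)


def _norm(value):
    """Collapse whitespace so header folding does not cause false alarms."""
    return " ".join(value.split()) if value is not None else None


def compare_headers(raw_message, names=("From", "To", "Subject", "Date")):
    """Map each header name to 'match', 'mismatch' or 'unsigned'."""
    outer = email.message_from_string(raw_message)
    if outer.is_multipart():
        raise ValueError("this sketch handles single-part messages only")
    signed_text = extract_clearsigned(outer.get_payload())
    if signed_text is None:
        raise ValueError("no clearsigned PGP block found")
    inner = email.message_from_string(signed_text)  # signed header copy
    result = {}
    for name in names:
        signed_value = _norm(inner.get(name))
        if signed_value is None:
            result[name] = "unsigned"      # nothing vouches for this header
        elif signed_value == _norm(outer.get(name)):
            result[name] = "match"
        else:
            result[name] = "mismatch"      # outer header altered in transit
    return result


# Constructed sample: the outer Subject differs from the signed copy, and the
# To header was never included in the signed text.
SAMPLE = """\
From: alice@example.org
To: list@example.org
Subject: Meeting moved to Friday
Date: Mon, 22 Jan 1996 10:00:00 -0800

-----BEGIN PGP SIGNED MESSAGE-----

From: alice@example.org
Subject: Meeting is on Thursday
Date: Mon, 22 Jan 1996 10:00:00 -0800

- -- The room is unchanged.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    for header, status in compare_headers(SAMPLE).items():
        print(header, status)
```

Everything outside the BEGIN/END markers stays unauthenticated, so a mailer using this check should display the signed copy of a header whenever the status is not "match".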
From weidai at eskimo.com Sun Jan 21 01:41:27 1996 From: weidai at eskimo.com (Wei Dai) Date: Sun, 21 Jan 1996 17:41:27 +0800 Subject: HAVAL (was Re: crypto benchmarks) In-Reply-To: <31017081.19731341@smtp.ix.netcom.com> Message-ID: On Sat, 20 Jan 1996, John Lull wrote: > I didn't see your original post, but did see Deranged's response. I > would be interested to see whatever you come up with. I ended up doing it like this:

for (i=0; i<4; i++)
{
    FF_42(t7, t6, t5, t4, t3, t2, t1, t0, w[wi2[8*i+0]], mc2[8*i+0]);
    FF_42(t6, t5, t4, t3, t2, t1, t0, t7, w[wi2[8*i+1]], mc2[8*i+1]);
    FF_42(t5, t4, t3, t2, t1, t0, t7, t6, w[wi2[8*i+2]], mc2[8*i+2]);
    FF_42(t4, t3, t2, t1, t0, t7, t6, t5, w[wi2[8*i+3]], mc2[8*i+3]);
    FF_42(t3, t2, t1, t0, t7, t6, t5, t4, w[wi2[8*i+4]], mc2[8*i+4]);
    FF_42(t2, t1, t0, t7, t6, t5, t4, t3, w[wi2[8*i+5]], mc2[8*i+5]);
    FF_42(t1, t0, t7, t6, t5, t4, t3, t2, w[wi2[8*i+6]], mc2[8*i+6]);
    FF_42(t0, t7, t6, t5, t4, t3, t2, t1, w[wi2[8*i+7]], mc2[8*i+7]);
}

This allows all the transform functions to fit into L1 cache, but at a cost. Besides the overhead of the for loop, each macro call now does two extra table lookups (in wi2 and mc2). The net result is a ~100% speedup over the reference implementation. Also, FYI, the boolean functions used in the reference implementation can be optimized.
Thanks to Deranged Mutant for these:

/* #define f_2(x6, x5, x4, x3, x2, x1, x0) \
        ((x2) & ((x1) & ~(x3) ^ (x4) & (x5) ^ (x6) ^ (x0)) ^ \
         (x4) & ((x1) ^ (x5)) ^ (x3) & (x5) ^ (x0)) */
#define f_2(x6, x5, x4, x3, x2, x1, x0) \
        (((x4&x5)|x2) ^ (x0|x2) ^ x2&(x1&(~x3)^x6) ^ x3&x5 ^ x1&x4)

/* #define f_4(x6, x5, x4, x3, x2, x1, x0) \
        ((x4) & ((x5) & ~(x2) ^ (x3) & ~(x6) ^ (x1) ^ (x6) ^ (x0)) ^ \
         (x3) & ((x1) & (x2) ^ (x5) ^ (x6)) ^ \
         (x2) & (x6) ^ (x0)) */
#define f_4(x6, x5, x4, x3, x2, x1, x0) \
        ((((~x2&x5)^(x3|x6)^x1^x0)&x4) ^ ((x1&x2^x5^x6)&x3) ^ (x2&x6) ^ x0)

/* #define f_5(x6, x5, x4, x3, x2, x1, x0) \
        ((x0) & ((x1) & (x2) & (x3) ^ ~(x5)) ^ \
         (x1) & (x4) ^ (x2) & (x5) ^ (x3) & (x6)) */
#define f_5(x6, x5, x4, x3, x2, x1, x0) \
        ((((x0&x2&x3)^x4)&x1) ^ ((x0^x2)&x5) ^ (x3&x6) ^ x0)

Wei Dai

From pgut01 at cs.auckland.ac.nz Sun Jan 21 01:49:30 1996 From: pgut01 at cs.auckland.ac.nz (pgut01 at cs.auckland.ac.nz) Date: Sun, 21 Jan 1996 17:49:30 +0800 Subject: Idea for "friendly" Windows password hack Message-ID: <199601210936.WAA22159@cs26.cs.auckland.ac.nz> >Why not provide a way to grab the passwords cached in RAM, encrypt them >securely, put them away somewhere, and scramble the original copy of the >passwords in RAM so that Microsoft's code can't get to them? Ahh, the problem is the "put them away somewhere" part. There's nowhere to put them. The solution I'm using now for an (unreleased) variant of SFS is to store encryption keys in write-only hardware as per FIPS PUB 140-1, but that's hardly practical for most systems. The same standard also allows for key storage in software, but at the minimum useful level (level 2) you need at least a C2-certified OS to protect the keys (the standard is good reading when it comes to protecting encryption subsystems BTW, as are the specs for things like GSS-API and GCS-API).
This isn't going to happen under Win'95 (for example, here's how to get to any keys held in memory by the OS: Win'95 allows for demand-loaded VxD's, so you run a trojan with an embedded VxD which searches the system VM for the keys and then unloads itself). It would require a significant reengineering of Win'95 to make it even passably secure (assuming MS don't screw up the implementation), and I don't think it's practical to do. Under NT you can do it to some extent because this level of security was designed in from the start. Peter. From bdavis at thepoint.net Sun Jan 21 02:08:28 1996 From: bdavis at thepoint.net (Brian Davis) Date: Sun, 21 Jan 1996 18:08:28 +0800 Subject: You want to read MY e-mail? In-Reply-To: <199601210839.DAA04781@bb.hks.net> Message-ID: On Sun, 21 Jan 1996, Rich Graves wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > bdavis at thepoint.net (Brian Davis) shared with the world: > >On Sat, 20 Jan 1996, Scott Staedeli wrote: > > > >> from the Nando Times- > >> ... > >> OK, if _I_ can't read your e-mail Mr. Legislator, why should you > >> be able to read _mine_? > > > >The Colorado state legislature has nothing to do with federal wiretapping > >laws and with federal laws relating to encryption. > > Mostly true. But state governments and state politicians have been naughty > as well. Certain southern governors in the 50's and 60's spring immediately > to mind. > > However, I think "an eye for an eye" is the wrong approach in the first > place. There's an opportunity for education here, and progress. > > >Rather than the "government is inconsistent and bad" spin, why not > >"Colorado legislators and the Colorado governor agree that privacy is > >paramount in electronic communications. In opposing a request for > >blanket access to their private electronic mail, they necessarily oppose > >federal attempts to have access to all electronic mail, once again > >showing that Washington is out of touch with the rest of the country. 
> > This is clever, but I don't think it works. There is a legitimate public > interest here. Even if there's nothing incriminating in the email messages > themselves, the questions of how much government business is conducted > electronically, and how much non-government business (personal matters, > political fund-raising) is conducted on publicly funded computers on > government time are legitimate. > I agree that there is a legitimate public interest in the records (recall the dispute when the White House planned to delete all emails, leaving no backups, during a change of Administration). That doesn't mean that spin can't be placed on the news. What if Congress decided to reduce its salary by 28% and exempt its members from filing tax returns -- to save wear and tear on IRS computers and service centers? My point, however, is that privacy advocates can, and should, use their own equivalent of the Four Horsemen (tm) in making their arguments to the masses. I can't recall a single statement as short and catchy as the pornographers, terrorists, drug dealers, and money launderers argument the FBI uses. Tim's (?) "Four Horsemen" idea cleverly attempts to turn the argument on its head, but I fear that his implicit statement will be lost on those with less background on why privacy is important. Demagoguery frequently works, even if it can be distasteful. And short catchy ideas sell. Remember that Miami Vice was described in the beginning stages as "MTV Cops" and the network bought. > ... > Because politicians have not yet been put on official notice that this is > the policy, though, I would not endorse making this policy retroactive and > grepping all their email for dirt, unless the public has something like > probable cause to do so. Next year, sure, it's all public record. Should the same policy apply to altavista? (I recognize the difference, just throwing grenades!) > Politicians should be educated that privacy without strong encryption is > illusory anyway.
Making a law that the public can't read their email simply > isn't going to work. It's unenforceable. Sure it'll slow down the rate of ^^^^^^^^^^^^^ ??? I'm assuming the email was in a closed system, not on the net ... > public disclosure a bit. Still, some disgruntled ex-employee, or some > Woodward & Bernstein type, or Jim Bell :-), is bound to get through. > > Scandals long to be free. > > >Parts of the federal government are catching on, however. The U.S. Commerce > >Department recently agreed that federal attempts to > >eavesdrop on electronic transmissions counterproductive in that they are > >causing problems for U.S. companies which create computer programs > >designed to allow secure use of the Internet to engage in private > >discussions and secure commerce. Estimates the dollar value of exports > >lost range up to $xxx, and continued chilling of U.S. programmers will > >give foreign programmers the chance to catch up in a field where U.S. > >expertise presently leads the world. ...." > > > >Needs to be re-written and juiced up, but you get the idea. > > Might play to the right crowd (for example, preaching to the choir here), ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Absolutely. Different spins/messages for different audiences. Just like the politicians. I think the crowd may be broader than the Cypherpunks list, however. > but sounds like a non sequitur to me. Not that clever non sequiturs aren't > useful. Indeed. >... > - -rich EBD From herbs at connobj.com Sun Jan 21 18:08:53 1996 From: herbs at connobj.com (Herb Sutter) Date: Sun, 21 Jan 96 18:08:53 PST Subject: The Lotus Position Message-ID: <2.2.32.19960122012052.006d87c0@mail.interlog.com> At 23:17 01.19.1996 -0800, Timothy C. May wrote: >Like many, I take it for granted that 40-bit RC4 can be broken for "small >change." Moreover, my guess is that foreign traffic is routinely cracked if >it is encrypted. 
On Friday morning, Whit Diffie took five minutes to announce a report that he and other big names (including Rivest, Wiener, etc.) produced a week or two ago in Chicago. The subject of the report was recommended minimum symmetric key lengths... the paper should be published at http://www.bsa.org (Whit threatened them if they didn't get it up by Monday morning, but the BSA site currently just says that they'll add a pointer to the report within the next week). To avoid keeping everyone in suspense, here's the basic result Diffie announced: the world's leading cryptographers (outside the walls of the NSA) agree that 75-bit keys are the minimum (I think this was for protecting commercial communications). To build in time-sensitivity, add one bit per year... i.e. if the information needs to be kept secret for 20 years, use at least 95 bits. That said, talk to the NSA about 40-bit keys -- and to Lotus about its max. 64-bit keys, for that matter! When he made the announcement on Wednesday morning, Ray Ozzie (of Notes fame) knew he might get flak about keeping Notes at 64 bits, so as soon as he mentioned it he added a phrase something like (going from memory) 'but let's leave aside for now the question about whether 64 bits is enough.' Interesting comment in light of Diffie et al's answer announced two days later. :-/ In answer to a question from the floor, Ozzie did say that yes, the agreement reached with the NSA was scalable -- IOW, that you could use 128-bit keys and give the government 88 of them, instead of 64-and-give-24 -- but in retrospect I wonder whether keeping Notes at 64 bits was a condition of the NSA deal. I'm not normally a conspiracy theorist, but considering that Ray was clearly aware that the 64-bitness was going to raise eyebrows and still somehow didn't get around to simply strengthening it... well, it makes you wonder. >And in a few years, 40-bit RC4 will be even more ludicrously weak. > >The Lotus position is untenable. Hear hear... 
but unfortunately industry doesn't seem to "hear hear" well enough yet, though they've been learning lately. Instead of hammering Markoff for his NYT articles, we should be thanking him that at least he's helping to raise public awareness -- even if he does tend to overplay things. Herb ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Herb Sutter (herbs at connobj.com) Connected Object Solutions 2228 Urwin - Suite 102 voice 416-618-0184 http://www.connobj.com/ Oakville ON Canada L6L 2T2 fax 905-847-6019 From delznic at storm.net Sun Jan 21 18:30:14 1996 From: delznic at storm.net (Douglas F. Elznic) Date: Sun, 21 Jan 96 18:30:14 PST Subject: "Trustworthy" PGP Timestamping Service ?? Message-ID: <2.2.16.19960122023012.30973cd0@terminus.storm.net> At 03:42 PM 1/21/96 -0800, Timothy C. May wrote: >At 6:51 PM 1/21/96, Matthew Richardson wrote: >>-----BEGIN PGP SIGNED MESSAGE----- >> >>I have recently setup a free PGP timestamping service which operates >>by email. >> >>The objective of the service is to be able to produce "trustworthy" >>timestamps which cannot be backdated without detection. It achieves >>this by:- >> >>(a) giving every signature a unique sequential serial number; >> >>(b) every day making a ZIP file of that day's detached signatures >>and feeding the ZIP file back for signing (and hence the assignment >>of another serial number); >... > >It sounds like a variant of the Haber and Stornetta work on digital >timestamping, about which much has been written on our list (check the >archives, and/or sections of my Cyphernomicon). > >They have a company, Surety, which is doing this (or was, last time I heard). > >www.surety.com will get you there. > >My hunch is that your scheme implements a version of a hash (the idea of >hashing the doc and then publishing the hash as a "widely witnessed event," >in Haber and Stornetta terms) that could infringe on their patents >(assuming they applied, as I recall hearing they did). 
> >Before you go much further on this, it would behoove you to check on what >they are doing and on what patents, if any, you might need to license. > >--Tim May > >Boycott espionage-enabled software! >We got computers, we're tapping phone lines, we know that that ain't allowed. >---------:---------:---------:---------:---------:---------:---------:---- >Timothy C. May | Crypto Anarchy: encryption, digital money, >tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero >W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, >Higher Power: 2^756839 - 1 | black markets, collapse of governments. >"National borders aren't even speed bumps on the information superhighway." > > > > > > What was the web page for the first mentioned service? -- ==================Douglas Elznic=================== delznic at storm.net http://www.vcomm.net/~delznic/ (315)682-5489 (315)682-1647 4877 Firethorn Circle Manlius, NY 13104 "Challenge the system, question the rules." =================================================== PGP key available: http://www.vcomm.net/~delznic/pgpkey.asc PGP Fingerprint: 68 6F 89 F6 F0 58 AE 22 14 8A 31 2A E5 5C FD A5 =================================================== From wlkngowl at unix.asb.com Sun Jan 21 18:32:13 1996 From: wlkngowl at unix.asb.com (Mutatis Mutantdis) Date: Sun, 21 Jan 96 18:32:13 PST Subject: HAVAL (was Re: crypto benchmarks) Message-ID: <199601220235.VAA11495@UNiX.asb.com> On Sun, 21 Jan 1996 01:29:49 -0800 (PST), you wrote: [..] Now, the *big* question is... any new cryptanalysis that sheds light on the security of HAVAL? (I haven't yet gotten AC2 if there's info in there.) Email to one of the authors of HAVAL said he knew of nothing but that a recent attack on MD5 didn't apply. 
From wlkngowl at unix.asb.com Sun Jan 21 18:35:10 1996 From: wlkngowl at unix.asb.com (Mutatis Mutantdis) Date: Sun, 21 Jan 96 18:35:10 PST Subject: [NOISE] Re: mailing list Message-ID: <199601220238.VAA11551@UNiX.asb.com> On Fri, 19 Jan 1996 17:35:50 -0500 (EST), someone wrote: >You come recommended by the Happy Mutant Handbook. Was just wondering ^^^^^^^^^^^^^^^^ Uh-oh. I have nothing to do with that. More fodder for Alta-Vista.... From pmonta at qualcomm.com Sun Jan 21 18:43:58 1996 From: pmonta at qualcomm.com (Peter Monta) Date: Sun, 21 Jan 96 18:43:58 PST Subject: Wipe Swap File In-Reply-To: Message-ID: <199601220243.SAA24710@mage.qualcomm.com> Tim May writes: > Much more expensive would be various electron microscope-based imaging > methods to directly image the domains and extract subtle signs of past > write cycles. I recently took a tour of Park Scientific, the scanning-probe microscopy people, in Sunnyvale. One of their demo-stations showed a small portion of a hard disk (taken with an AFM tip fitted with a small magnet to generate the force). Most impressive. (I did look closely at the edges of the track, but saw no sign of previous writes.) Cheers, Peter Monta pmonta at qualcomm.com Qualcomm, Inc./Globalstar From attila at primenet.com Sun Jan 21 03:00:23 1996 From: attila at primenet.com (attila) Date: Sun, 21 Jan 1996 19:00:23 +0800 Subject: good background on CitiBank/Russian caper Message-ID: The following article was culled from the current issue of the journal of internet banking. ---------- Forwarded message ---------- Date: Fri, 19 Jan 1996 18:01:32 -0500 Journal Of Internet Banking And Commerce Vol. 1, no. 1, January 19, 1996 --------------------------------------------- The Citibank Affair: A Purely Russian Crime?
--------------------------------------------- Nahum Goldmann ARRAY Development Nahum.Goldmann at ARRAYdev.com http://www.ARRAYdev.com/ --------------------------------------------------------------------- Nahum Goldmann has been employed as a manager, scientist and lecturer in leading industrial high-tech firms and academia. Mr. Goldmann has published several critically acclaimed books that deal with knowledge transfer issues. --------------------------------------------------------------------- Novoye Russkoe Slovo (NRS), a NY-published newspaper which acclaims itself as the largest Russian-language daily outside of the x-USSR, published an engaging account of the so-called Citibank Affair in September 1995. A fairly large article ("Purely Russian Crime..." NRS, Sept. 15, 1995, pp. 13-14) was written by Vladimir Strizhevsky but was actually based on the original investigative materials submitted by several contributors from Moscow and St. Petersburg, as well as from NY, London, Brussels and other world financial capitals. Undoubtedly, NRS have done quite a good job in clarifying and illuminating the background of the Citibank Affair. For whatever reasons, the English-language media have not covered the background of Russian participants that well. However, an expert in electronic banking and commerce on Internet might find utterly fascinating the very minute details of this complex crime scheme that involved many people and spread across several continents. The story at NRS starts at the end of August, 1994 in Tel-Aviv. A certain Alexei Lachmanov, a Georgian national and a holder of a false Greek passport to the name of Alexios Palmidis, had been arrested by Israeli police when he tried to withdraw nearly US$1M. The funds in question were electronically transferred to five Israeli banks from Invest-capital, an Argentinean subsidiary of the Citibank.
The Israelis had been tipped by the Citibank through the FBI with the information that all the money transfers had been done with the illegal use of Invest-capital's own secret codes. The subsequent multinational investigation has shown that it was a leading St. Petersburg's, Russia computer expert Vladimir Levin who was able to conduct numerous electronic transfers from several Citibank's subsidiaries in Argentina and Indonesia to various financial institutions in San Francisco, Tel-Aviv, Amsterdam, Germany and Finland. According to NRS's speculations, Mr. Levin succeeded so well because, in addition to Citibank's own electronic cash- management hub in NY, he was also able to crack down the electronic defense of several SWIFT's branch offices in the third-world countries. SWIFT, a secretive Belgium-based electronic telecommunication consortia of World-leading banks, is primarily involved in mutual settlement payments amongst its members. On the other hand, in the interview with an NRS correspondent V. Kaminsky, Citibank's spokesman rejected the newspaper's version of SWIFT's penetration. Instead he claimed that Citibank knew all along about Mr. Levin's infiltration, playing with him a sophisticated multistep deception game. Of course, the Citibank's face-saving version of events sounds not that convincing, taking into account a large number of uncontrollable players, a sizable amount of real cash involved, multicontinental reach of the overall crime scheme and the fact that the bank was ultimately unable to recover a substantial chunk of its own money. Not your ordinary self-taught hacker, Mr. Levin, 31, an aloof man and a graduate of a prestigious Department of Applied Mathematics, was considered somewhat of a computer genius in the St. Petersburg's University circles. The scheme started when Mr. Levin's acquaintance, a Russian-American wholesale trader, asked him to develop programming support for his international trading business. According to Mr.
Levin's university friends, the idea of breaking into secure bank networks has been born somewhat spontaneously during a purely technical discussion on the advantages and disadvantages of different bank networking programs. The debaters were members of a St. Petersburg's group of elite computer experts that could best be described as a local response to the Internet's own Cypherpunk community. I found it fascinating and somewhat ironic that the infiltration plot had actually started as a low-key bet that the Russian famous resourcefulness would triumph where the famed Yankee ingenuity has already proven to be unsuccessful! In the overall crime scheme, Levin was supported by as many as 30 collaborators, at least some of them computer experts. Several of his partners-in-crime, arrested in the U.S., Russia, Israel and the Netherlands, were primarily involved in cash retrieval and laundering, ultimately the most vulnerable part in any grand scheme of electronic theft. It is hardly a secret that most professional bankers are routinely trained to contest, or at least report to authorities, any suspicious withdrawal of large sums of cash. Some of the U.S. arrests have been successfully kept in secret for many months, for the fear of alerting the criminals back in Russia. Mr. Levin himself was arrested in September 1995 in a UK airport, en- route through that country. Apparently, in the best tradition of this fledgling industry, Citibank have already used the lessons obtained from Mr. Levin's penetration to beef up the security of its own electronic payment system. COPYRIGHT ========= The Journal Of Internet Banking And Commerce is Copyright (C) 1996 by ARRAY Development, Ottawa, Canada. All Rights Reserved. Copying is permitted for noncommercial, educational use by academic computer centers, individual scholars, and libraries. This message must appear on all copied material. All commercial use requires permission.
__________________________________________________________________________ go not unto usenet for advice, for the inhabitants thereof will say: yes, and no, and maybe, and I don't know, and fuck-off. _________________________________________________________________ attila__ To be a ruler of men, you need at least 12 inches.... From jimbell at pacifier.com Sun Jan 21 19:57:51 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 21 Jan 96 19:57:51 PST Subject: Wipe Swap File Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 12:56 PM 1/21/96 EST, Dr. Dimitri Vulis wrote: >tcmay at got.net (Timothy C. May) writes: >> >Degaussing the media (running a household magnet over it :-) may be an optio >> >> Ordinary household magnets fail for a couple of reasons: > >I've just established experimentally that thoroughly running a household magnet >over a 3.5" floppy messed up less than 1/2 the sectors I tried to read. Was that with the floppy in the case, or with the case popped open... Also: Did you rotate the disk physically to expose the data normally partially shielded by the door slider? And was it an ordinary ferrite magnet, or an alnico, or...? >Not a good option even for floppies. Ditto! >(Actually, there _was a smiley up there) Yes, I noticed. [stuff deleted] >Jim Bell mentioned the trick of hiding information into 'extra' tracks and >sectors not used by the usual DOS formatting. It's very old too. I will admit that at this point, even calling it a "trick" is giving it excessive credence. Actually, I think it wasn't really used initially for "data hiding" purposes. I'm talking about the early days of CP/M and other such systems, circa 1977 and such, when individuals "discovered" that floppy drives had no hard mechanical stop past the "last" good track, and they "stole" a few percent of extra capacity from a floppy by simply ignoring the recommended "last" track. Naturally, it would work okay on some drives but not on others... which is why it was a bad idea.
In addition, I also discovered that it was possible to put a few more than 26 sectors on each track of an 8" single-density (240 kilobytes!) floppy disk. The main problem with using these "tricks" is that the floppy had no method of conveying formatting information to the system it was in, which meant that any floppy using this trick was by definition non-standard. ("feature" or "bug" depending on your goal...) > I think I saw >copy protection schemes circa 1982 that hid important data on tracks 41--43. >360K diskettes normally had 40 tracks. If the diskette was copies by DISKCOPY, >it didn't know about the extra tracks, and the copy didn't have the info >(usually, a piece of the program). It's very easy to do with just BIOS calls to >format/read/write the track. Problem is, many cheap floppy drives these days >aren't capable of seeking beyond track 80 when the FDC asks them to. You can >write the data there and give the floppy to a friend who won't be able to read >it from there. I started building my own 12.5 MHz Z-80 -based CP/M system in 1978, fully designed and wire-wrapped by myself, and wrote my own BIOS. (Used a WDC 1791 FDC) Had total control. I didn't try this trick even then because of compatibility reasons, but one thing I _DID_ do was to write a floppy formatter that "undid" the 6-sector skewing that standard CP/M had to do to keep up with the data read/write. (in other words, I physically re-skewed the sector numbering to make the next "desired" sector come faster...) I ended up with an effective skew-factor of 2. Even a skew factor of 1 worked on my system (no skew at all), but the problem was that when I gave the most extreme of these oddly skewed floppies to my friends with 8" floppies, they took A LONG TIME to read the data! (Their systems always missed the next sector because their systems were too slow, so they only ended up being able to read one sector per disk rotation.) 
All this helps to explain why I asked if PGP had ever been ported to CP/M. Nostalgia! -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMQMF6vqHVDBboB2dAQG1+QP7BpyrLaVbTJISLo12rWMo9sqyfwtpv6A2 r7GGTvQTw6MwACA3pTh6HnnjpllveQSznNLpHaUeEjfpQX9NUXuJc4Z63E+EBFYw Xp3c0rygdC4fHS2WJbrhn0JUpC1C5V+Cn/oEpL5qygfaoqE1mAvsw7cCAht44ne+ /dJvdnm+N9M= =CbtQ -----END PGP SIGNATURE----- From lzirko at isdn.net Sun Jan 21 19:59:49 1996 From: lzirko at isdn.net (Lou Zirko) Date: Sun, 21 Jan 96 19:59:49 PST Subject: THE MIND OF A SERIAL HACKER Message-ID: <2.2.32.19960122035939.002dde6c@isdn.net> Thought you might find this of interest. >From PATHFINDER Compass Issue 3: * THE MIND OF A SERIAL HACKER: Kevin Mitnick was cyberspace's most wanted hacker. But while Mitnick's alleged crimes have been publicized, his story has never been told. Until now. Chat live with Jonathan Littman, author of THE FUGITIVE GAME: ONLINE WITH KEVIN MITNICK on Monday, January 22nd at 2:00 pm (EST). http://pathfinder.com/Chat/chat.html Lou Z. Lou Zirko (615)851-1057 Zystems lzirko at isdn.net "We're all bozos on this bus" - Nick Danger, Third Eye -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCNAzBLJocAAAEEAMlDzYJPYq0pvfMuSiKU0Y65L2nJql+qEJHYGjO5Pys4prDw YW1ooPWaqrPQAy/eyqrM7I9KNFDCtmaPxtgcPw2oEDfc/w6cPkrVzvovKLfHQvtg V/hHUekptSf6j525omrVAoM9MxVL3sEGCjn9VrTeC3h9upkfntHOJeL88i2NAAUR tB5Mb3UgWmlya28gPHppcmtvbEBkYXRhdGVrLmNvbT4= =Qlxm -----END PGP PUBLIC KEY BLOCK----- From lull at acm.org Sun Jan 21 20:04:42 1996 From: lull at acm.org (John Lull) Date: Sun, 21 Jan 96 20:04:42 PST Subject: "Trustworthy" PGP Timestamping Service ?? In-Reply-To: Message-ID: <31030b34.44240810@smtp.ix.netcom.com> On Sun, 21 Jan 1996 15:42:32 -0800, Timothy C. May wrote: > At 6:51 PM 1/21/96, Matthew Richardson wrote: > >-----BEGIN PGP SIGNED MESSAGE----- > > > >I have recently setup a free PGP timestamping service which operates > >by email. 
> > > >The objective of the service is to be able to produce "trustworthy" > >timestamps which cannot be backdated without detection. It achieves > >this by:- > > > >(a) giving every signature a unique sequential serial number; > > > >(b) every day making a ZIP file of that day's detached signatures > >and feeding the ZIP file back for signing (and hence the assignment > >of another serial number); > ... > > It sounds like a variant of the Haber and Stornetta work on digital > timestamping, about which much has been written on our list (check the > archives, and/or sections of my Cyphernomicon). > > They have a company, Surety, which is doing this (or was, last time I heard). They were a month ago, at least. Their patent was re-issued 5/30/95 (# R34,954). > www.surety.com will get you there. > > My hunch is that your scheme implements a version of a hash (the idea of > hashing the doc and then publishing the hash as a "widely witnessed event," > in Haber and Stornetta terms) that could infringe on their patents > (assuming they applied, as I recall hearing they did). I would be very surprised if it did. Haber & Stornetta's work is based on building a tree of hashes for all documents within a given time period (1 second in their commercial service), and then chaining the hashes for successive time periods. Once a week they publish one hash from the chain in the New York Times, and have been doing so for many years. The certificate apparently consists of the hashes from the root of the tree to your document, plus one hash for each branch not taken along that route. This permits you to verify that the hash for the time period was indeed partially derived from the document in question. As I understand it you then have to check the chain of hashes for the week, and verify that the ending hash matches the published value. To make this whole process more secure, they use a 288 bit hash created by concatenating an MD5 hash and an SHA hash. 
There is no digital signature involved and no information which must be kept private -- only the hashes.

From jimbell at pacifier.com Sun Jan 21 20:53:20 1996
From: jimbell at pacifier.com (jim bell)
Date: Sun, 21 Jan 96 20:53:20 PST
Subject: Wipe Swap File
Message-ID:

At 06:43 PM 1/21/96 -0800, Peter Monta wrote:
>Tim May writes:
>
>> Much more expensive would be various electron microscope-based imaging
>> methods to directly image the domains and extract subtle signs of past
>> write cycles.
>
>I recently took a tour of Park Scientific, the scanning-probe
>microscopy people, in Sunnyvale. One of their demo-stations
>showed a small portion of a hard disk (taken with an AFM
>tip fitted with a small magnet to generate the force). Most
>impressive. (I did look closely at the edges of the track,
>but saw no sign of previous writes.)
>Peter Monta pmonta at qualcomm.com

While I admit that I'm not particularly familiar with modern hard disk head design, I think it is futile to look for data in this way. If they "tunnel erase" the edges of the data track, even small misalignments will not allow remnants of data to remain. (And I assume that "all" modern hard disk drives employ high-precision data-read feedback mechanisms to maintain track alignment down to the submicron level... thermally-sensitive stepper motors and linear positioners of the 1980's are (or at least should be) gone!)

Further, modern read-channel techniques (PRML; partial response, maximum likelihood) bring the normally readable signal closer to the noise level than ever before, and the PREVIOUSLY written signal is that much more difficult to resurrect. As a method for gathering intelligence on anyone, I think that this is dead and buried.

However, I _still_ want to see brainless operating systems like MSDOS changed to erase (zero) allocated data buffers before and after use (and especially before re-use!), so that parts of vital files don't accidentally get written to the ends of other files.
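The Haber and Stornetta structure that John Lull's message describes earlier in this thread (a hash tree per time period, the period roots chained, one chain value published), as an added Python sketch that is not from any message on the list and is not Surety's certificate format. Assumptions: SHA-1 stands in for "SHA", and the tag bytes, genesis value, odd-node promotion, sample documents and all names are illustrative.

```python
import hashlib
import hmac

LEAF, NODE, LINK = b"\x00", b"\x01", b"\x02"   # domain-separation tags (assumption)

def h288(data: bytes) -> bytes:
    """MD5 || SHA-1: 128 + 160 = 288 bits, the width quoted in the message.
    Both functions have since lost collision resistance; the structure, not
    this hash choice, is what the sketch shows."""
    return hashlib.md5(data).digest() + hashlib.sha1(data).digest()

def build_levels(leaves):
    """Hash tree for one time period: levels[0] is the leaf row, levels[-1] is [root]."""
    if not leaves:
        raise ValueError("a period needs at least one document")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [h288(NODE + cur[i] + cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])          # odd node is promoted unchanged
        levels.append(nxt)
    return levels

def audit_path(levels, index):
    """The 'one hash for each branch not taken' between a leaf and the root."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):         # a promoted node has no sibling at this level
            path.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return path

def chain_link(prev_link, root):
    """Chain one period's root onto the running value for the week."""
    return h288(LINK + prev_link + root)

class Timestamper:
    """Holds no key and no secret: every value it stores could be made public."""
    def __init__(self):
        self.links = [bytes(36)]         # genesis chain value (assumption)
        self.periods = []

    def close_period(self, documents):
        levels = build_levels([h288(LEAF + d) for d in documents])
        self.periods.append(levels)
        self.links.append(chain_link(self.links[-1], levels[-1][0]))
        return len(self.periods) - 1

    def certificate(self, period, index):
        return {
            "path": audit_path(self.periods[period], index),
            "prev_link": self.links[period],     # chain value before this period
            "later_roots": [lv[-1][0] for lv in self.periods[period + 1:]],
        }

    def published(self):
        """The value that would go into the weekly newspaper notice."""
        return self.links[-1]

def verify(document, cert, published):
    """Recompute leaf -> period root -> end of chain; compare with the published value."""
    acc = h288(LEAF + document)
    for side, sibling in cert["path"]:
        acc = h288(NODE + sibling + acc) if side == "L" else h288(NODE + acc + sibling)
    link = chain_link(cert["prev_link"], acc)
    for root in cert["later_roots"]:
        link = chain_link(link, root)
    return hmac.compare_digest(link, published)

def demo():
    ts = Timestamper()                   # documents below are constructed samples
    ts.close_period([b"contract v1", b"lab notebook p.12", b"will"])
    p = ts.close_period([b"patent draft", b"invoice 7", b"photo", b"memo", b"diff"])
    ts.close_period([b"later doc"])
    weekly = ts.published()
    cert = ts.certificate(p, 4)          # fifth leaf: promoted twice, one sibling hash
    # Backdating attempt: present the same path as if it belonged to period 0.
    backdated = dict(cert, prev_link=ts.links[0],
                     later_roots=[lv[-1][0] for lv in ts.periods[1:]])
    return {
        "valid": verify(b"diff", cert, weekly),
        "tampered": verify(b"diff!", cert, weekly),
        "backdated": verify(b"diff", backdated, weekly),
        "path_len": len(cert["path"]),
    }

if __name__ == "__main__":
    print(demo())
```

Verification uses only hashes, so anyone holding the certificate and the published value can run it; moving a document to an earlier period changes every later chain value and no longer matches what was published.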
From jimbell at pacifier.com Sun Jan 21 05:28:00 1996
From: jimbell at pacifier.com (jim bell)
Date: Sun, 21 Jan 1996 21:28:00 +0800
Subject: Wipe Swap File
Message-ID:

At 11:23 AM 1/20/96 -0800, Timothy C. May wrote:
>At 3:38 PM 1/20/96, Dr. Dimitri Vulis wrote:
>>tallpaul at pipeline.com (tallpaul) writes:

Interestingly, we wrote almost identical responses to Dmitri, although admittedly you won the "time race." Is it:

1. "Great minds run on the same path"? or
2. "Fools think alike"

>3. A time-varying field is preferred. Bulk erasers work this way, by
>plugging into an a.c. socket and generating a time-varying field. And even
>these are getting harder to use to erase video tapes, for example, due to
>the high coercivity of modern media. Most folks I know no longer even try
>to bulk erase tapes.

Video tapes, yes. Audio cassette tapes, maybe. However, they should still be useful for floppies, for two reasons:

1. Distance to the media is far smaller than to the average distance to the inside of a videotape cartridge. (floppy cases are thinner.)

2. The volume of material to be erased is FAR smaller than a typical videotape cartridge. The middle of the tape of a 1/2" wide videotape spool is self-shielded by at least 1/4" of videotape; a 3.5" floppy disk is shielded only by distance. (actually, the sliding doo-hickey over 3.5" floppies probably acts as a shield, too.

From fletch at ain.bls.com Sun Jan 21 05:29:03 1996
From: fletch at ain.bls.com (Mike Fletcher)
Date: Sun, 21 Jan 1996 21:29:03 +0800
Subject: Hack Lotus?
In-Reply-To: <199601200222.VAA01246@jekyll.piermont.com>
Message-ID: <9601202044.AA15816@outland>

> > If they're nasty, they'll check on the receiving side as well, to
> > ensure that the LEAF and/or the espionage-enabling key have not been
> > patched in the sending 'International' version.
>
> Nearly impossible. Why? Because they can only include the public key,
> and not the private key, of the GAK authority in the code. You can
> encrypt the three bytes of key, but it is very hard for a receiver
> other than the govvies to read them. There is no shared secret
> information or private information available, ergo, they can't check
> their LEAF equivalent.

If the 3 GAK bytes are derived from the key & the secret key, couldn't it be done this way:

* sender creates 64-bit session key K
* sender encrypts K with recipient's public key (say P_r(K))
* sender encrypts top 3 GAK bytes w/GAK key

The recipient can verify the GAK bytes by using its copy of the GAK key on the top bytes of the session key. If the encrypted GAK bytes match what was sent, then they're valid. No need to have the secret key.

---
Fletch __`'/|
fletch at ain.bls.com "Lisa, in this house we obey the \ o.O' ______
404 713-0414(w) Laws of Thermodynamics!" H. Simpson =(___)= -| Ack. |
404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43 U ------

From tcmay at got.net Sun Jan 21 05:30:14 1996
From: tcmay at got.net (Timothy C. May)
Date: Sun, 21 Jan 1996 21:30:14 +0800
Subject: Encryption and the 2nd Amendment
Message-ID:

[A comment: I will _not_ be drawn into a general Second Amendment discussion here, for several reasons. This note is only to respond to the first comments I've seen on my post...if a lot more people get into the act, I'll just let others fight it out and ignore the thread. Crypto = Guns has been debated many times in many places.
I won't debate gun control, which I'm against, nor will I get into debates about how a ban on biological warfare research would be unenforceable, would interfere with bread-making and wine-making research, blah blah. This is a kind of nit-picking that echoes the libertarian disease.]

At 7:23 PM 1/20/96, Alan Horowitz wrote:
>> After all, it is well-established--whether we like it or not--that the
>> government can regulate and control access to [...]
>
>
> I *think* the only thing that's been affirmed, is that the feds
>can *tax* weapons transfers. I think the one particular case is
>called "Rock Island" or something like that. The defendant was
>*acquitted* of possessing an un-registered machine gun, because the
>authority to tax transfers of newly-manufactured machine guns, no longer
>exists. This is an over-simplification. Anyway, the point is, the
>defendant was acquitted right there in district court.

And what about the Assault Weapons laws? Bush signed one, limiting transfers of certain types of assault rifles, assault pistols, etc. (their choice of terms, not mine). Without getting into specifics of which models were banned for import and banned for transfer to private parties, this is a very real law. Taxes have almost nothing to do with it.

That some defendants were acquitted in some jurisdictions on some charges says little about the more general laws.

Likewise, there are specific laws on the books banning the private possession of chemical and biological warfare agents. (This was discussed on the list a couple of years ago--a specific law was passed outlawing private research into biological warfare agents unless authorized to do so by the government.)

Without spending a lot of time searching for the specific laws, I recall that the Atomic Energy Act placed stringent restrictions on the dissemination of nuclear materials. One can argue that these laws are not "weapons" laws per se, but the effect is the same.
Anyone possessing a nuclear warhead in the U.S. would be subject to many laws, ranging from national security laws to public endangerment laws to hazardous materials laws.

--Tim May

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From scottst at ionet.net Sun Jan 21 05:30:45 1996
From: scottst at ionet.net (Scott Staedeli)
Date: Sun, 21 Jan 1996 21:30:45 +0800
Subject: You want to read MY e-mail?
Message-ID: <199601210259.UAA08926@ion1.ionet.net>

from the Nando Times-

DENVER (Jan 20, 1996 01:16 a.m. EST) -- A college student's request to look at the electronic mail of several high-profile state politicians got lawmakers' attention Friday.

Becky O'Guin, a senior journalism student at Metropolitan State College of Denver and a reporter for The Capitol Reporter, a student newspaper that covers legislative action, stirred up the ruckus.

She sent a letter to Sen. Charles Duke, R-Monument, asking for all of his e-mail messages from Jan. 1 to Jan. 16 and cited the Colorado Open Records Act as her right to get it.

The letter noted that Colorado law would force him to pay court costs and attorney fees if a member of the public "has to take official action to enforce his or her right to view a public record."

That really miffed legislators. Lawmakers said they'd get a legal opinion on whether they must disclose their electronic-age messages and may pass legislation to make sure their messages have some protection of privacy.
Senate Majority Leader Jeff Wells, R-Colorado Springs, said he and Senate President Tom Norton, R-Greeley, got similar requests, but verbally.

Personally, Wells said, he believes e-mail is privileged information unless it is specifically identified as public information under existing law.

A bill by Sen. Paul Weissmann, R-Louisville, to make e-mail as privileged as telephone conversations was killed in a Senate committee. A somewhat stronger bill still rests in the House.

O'Guin, meanwhile, was standing her ground, although she admitted to being a little surprised about the uproar.

"The way I read the open records statute, those are open records," O'Guin said. "I was very serious about the request. What I was looking for was to find out how much public business is conducted through e-mail.

"If they're using e-mail to send memos back and forth discussing public business, I see that as public record," she said. "Most of them don't (have e-mail), but about 30 people have software that allows them to send e-mail back and forth."

She said only Duke and Gov. Roy Romer have been sent letters so far, but she intends to send them to other high-profile politicians.

Jim Carpenter, press secretary for Romer, said his office was "looking at all the issues, all the options."

Duke said he has always complied with requests for public records, but said the request for e-mail messages goes too far.

"I'm disturbed by it," Duke said.

(John Sanko writes for the Rocky Mountain News in Denver.)

OK, if _I_ can't read your e-mail Mr. Legislator, why should you be able to read _mine_?

- --scottst at ionet.net---------------------Scott Staedeli--
>~<^xXx | "There is no reason for any indiv-
xX # | idual to have a computer in their
(XXX) # | home."
(XXXXXXX) |
DON'T TREAD ON ME| -- Ken Olsen, president of DEC, 1977
========================================================

From dmonjar at vnet.net Sun Jan 21 05:59:41 1996
From: dmonjar at vnet.net (Daniel A.
Monjar)
Date: Sun, 21 Jan 1996 21:59:41 +0800
Subject: Hassles taking App. Crypt. to Taiwan?
Message-ID:

I've lurked for quite a while now. It is time to ask my first newbie question. I'll be going to Taiwan for three weeks in March. Is there likely to be any problems at US or Taiwan customs if I take Applied Cryptology 2/e along for personal study?

Dan
--
Daniel A. Monjar | "All opinions are my alone...
dmonjar at vnet.net | and possibly my children's."
PGP Public Key fingerable
--

From declan+ at CMU.EDU Sun Jan 21 22:06:48 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Sun, 21 Jan 96 22:06:48 PST
Subject: VTW: "Lotus blinks in industry/NSA crypt standoff"
Message-ID:

===========================================================================
VTW BillWatch #33

VTW BillWatch: A weekly newsletter tracking US Federal legislation affecting civil liberties. BillWatch is published at the end of every week as long as Congress is in session. (Congress is in session)

BillWatch is produced and published by the Voters Telecommunications Watch (vtw at vtw.org) (We're not the EFF :-)

Issue #33, Date: Mon Jan 22 00:42:06 EST 1996

Do not remove this banner. See distribution instructions at the end.
___________________________________________________________________________
TABLE OF CONTENTS
Announcements
Oregon ISPs stand up for your rights
Recap of ECHO Virtual Culture Event 1/21/96
Lotus blinks in industry/NSA crypt standoff
Subscription Information (unchanged since 10/21/95)
___________________________________________________________________________
ANNOUNCEMENTS

Each week never fails to bring us some interesting development in the world of telecommunications and civil liberties and this one is no different.

Keep an eye on http://www.vtw.org/. We'll be posting an alert on the New York State cyberporn bill later tonight. Also, if you haven't yet scheduled a meeting with your legislator and your local ISP to talk about the Exon bill, you're wasting valuable time.
Do so now!

Shabbir J. Safdar
Advisory Board Member
Voters Telecommunications Watch

This issue can be found in HTML form at URL:http://www.vtw.org/billwatch/issue.33.html
___________________________________________________________________________
[...]

LOTUS BLINKS IN INDUSTRY/NSA CRYPT STANDOFF

It's not clear why this hasn't made a larger impression on the net yet, because we think it's of crucial importance in the ongoing debate about cryptography.

For years since the original introduction of the Clipper Chip, the debate over cryptography has continued to gain momentum. Recently, the Administration, embarrassed by its defeat over the Clipper Chip proposal, put forth its Commercial Key Escrow proposal.

What is all the fuss about? It's about cryptography, and who has the right to encrypt information and who has the right to keep the key. Right now, you do, but that could all change.

Think of cryptography as a really good front door on your house or apartment. The door key is yours to hold, isn't it? It's your right to give a copy to someone you trust, or if you choose, nobody at all.

The Administration contends that this is not so. With their "commercial key escrow" scheme, they contend that you shouldn't be able to build a door they cannot break down, but they also contend that they should be able to order you to give a copy of the key to a government-approved individual, so that they can come enter your house (with a warrant, of course) when they wish.

Industry, of course, panned this plan when it was proposed in late 1995, and continues to object to it. All the while, a standoff continues: the Administration refuses to allow cryptographic software with keys longer than 40 bits to be exported, and industry refuses to build Big Brother into their products.

And this is where the standoff stayed until last Wednesday, when Lotus blinked.

On Wed, Jan.
17th, 1996, Lotus announced that it had increased the key length of its International version of the Lotus Notes product to 64 bits. They did this by building in a back door for the Administration to use to decrypt any international traffic that it might desire to read.

Although there are a lot of reasons why we think this is a terrible idea, the first one that springs to mind is the fact that the one public key that Lotus has embedded in all their software is a single point of failure for every International Lotus user throughout the world. Sure, this key is held with a high security clearance by the government, but then Aldrich Ames also had some of the most sensitive information available to him, and he proved untrustworthy.

After all, if $1.5 million can buy a CIA counter-intelligence agent, I wonder how much a Lotus Notes key escrow holder goes for these days?

You can find a copy of the Lotus press releases at http://www.lotus.com

[...]

From dm at amsterdam.lcs.mit.edu Sun Jan 21 23:01:04 1996
From: dm at amsterdam.lcs.mit.edu (David Mazieres)
Date: Sun, 21 Jan 96 23:01:04 PST
Subject: Why is blowfish so slow? Other fast algorithms?
Message-ID: <199601220700.CAA13713@amsterdam.lcs.mit.edu>

First, can someone tell me if the latest version of blowfish (the one in Applied Crypto 2nd edition) is available online somewhere? I looked at a bunch of crypto ftp servers and could only find an older version of blowfish that did not have the blf_ctx structure allowing multiple keys to be active at a time.

More importantly, however, on a 120 MHz Pentium, the old blowfish (compiled with gcc version 2.7.2 optimization -O6) seems to take about 12.6 microseconds for 1 M encryptions and decryptions, which works out to about 95 cycles per byte. This is significantly more than the 26 cycles/byte number cited in Applied Crypto 2nd edition. Can anyone suggest what I might do to speed this up?
Failing that, can anyone suggest other secure, preferably unpatented, shared-key encryption algorithms that could encrypt at ethernet speeds (1 MByte/sec) without using most of the CPU on a fast Pentium or equivalent processor?

Thanks a lot,
David

From llurch at networking.stanford.edu Sun Jan 21 23:19:00 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sun, 21 Jan 96 23:19:00 PST
Subject: Microsoft to digitally certify other manufacturers' code?
Message-ID: <199601220718.XAA12594@Networking.Stanford.EDU>

This is old news, but I don't remember it being brought up. This is interesting in light of recent discussions regarding the CryptoAPI, the uncertainty of Microsoft's support for Java (it won't be in Internet Explorer 3.0, but Visual Basic will), and Microsoft's Internet Developers' conference scheduled for mid-March.

One of a set of press releases on http://www.microsoft.com/internet/

I thought I remembered seeing an announcement of Microsoft's plans to license Java there before, but it's not there. I know they've revised press releases without changing the date before (most notably the October 20th SMB security bug acknowledgement).

> [Microsoft]
> Microsoft Announces Internet Code Safety Initiative
> Microsoft Previews Internet Digital Signature Initiative to 150 ISVs
>
> REDMOND, Wash. - Dec. 7, 1995 -At the Internet Control Developers'
> Workshop on December 6, Microsoft Corporation proposed to the top
> 150 software companies in the world, an Internet digital signature
> initiative which provides a safer environment for executable code on
> the Internet. To address concerns about potentially malicious code
> or viruses, this technology will enable users to verify that a
> program's integrity is free of third-party tampering. Browsers such
> as Microsoft Internet Explorer will be equipped with the ability to
> automatically download applications from a list of vendors approved
> by the user.
> If the author is not on the user's pre-approved list,
> the browser can display the signature of the executable code and
> allow users to make an informed decision on whether to proceed with
> the download.
>
> Microsoft plans to propose the Internet digital signature
> specifications to the W3 Consortium (W3C) and the Internet
> Engineering Task Force (IETF) as an open Internet standard. The
> technology will be an open, proposed specification available to the
> entire Internet community. In addition, as part of the Open Process
> Design Review, Microsoft will host a digital signature design
> preview in January to solicit feedback from the Internet community.
>
> Ken Wasch, president of the Software Publishers' Association (SPA)
> said "The Software Publisher's Association applauds this important
> initiative. Independent software publishers large and small will
> have greater business opportunities publishing powerful software
> with this mechanism. Users will buy more signed software over the
> Internet because it will be more powerful and users will have
> confidence in the accountability of its creator."
>
> "Digital signatures allow people to interact over the Internet with
> the same confidence that they interact with each other in everyday
> life," said Bob Atkinson, digital signature architect. "A reliable
> accountability mechanism like this allows users to avoid walking
> around in a virtual suit of armor, giving users the flexibility to
> download and run the most powerful and interesting programs without
> undo fear of anonymous computer vandalism."
>
> Founded in 1975, Microsoft (NASDAQ "MSFT") is the worldwide leader
> in software for personal computers. The company offers a wide range
> of products and services for business and personal use, each
> designed with the mission of making it easier and more enjoyable for
> people to take advantage of the full power of personal computing
> every day.
>
> Microsoft is either a registered trademark or trademark of Microsoft
> Corporation in the United States and/ or other countries.

From shamrock at netcom.com Sun Jan 21 23:33:26 1996
From: shamrock at netcom.com (Lucky Green)
Date: Sun, 21 Jan 96 23:33:26 PST
Subject: Wipe Swap File
Message-ID:

At 20:27 1/21/96, jim bell wrote:

>However, I _still_ want to see brainless operating systems like MSDOS
>changed to erase (zero) allocated data buffers before and after use (and
>especially before re-use!), so that parts of vital files don't accidentally
>get written to the ends of other files.

Not only DOS suffers from this problem. The MacOS does as well. All 'wipe unused space' utilities for the Mac fail on a typical hard drive to overwrite several hundred kB of data. Few people seem to care that the OS fills the unused parts of the last block of a file with whatever happens to be in the buffer. Not good.

-- Lucky Green
PGP encrypted mail preferred.

From stewarts at ix.netcom.com Sun Jan 21 23:40:40 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Sun, 21 Jan 96 23:40:40 PST
Subject: Hassles taking App. Crypt. to Taiwan?
Message-ID: <199601220740.XAA07983@ix4.ix.netcom.com>

>At 1:49 PM 1/21/96, Daniel A. Monjar wrote:
>>I've lurked for quite a while now. It is time to ask my first newbie
>>question. I'll be going to Taiwan for three weeks in March. Is there
>>likely to be any problems at US or Taiwan customs if I take
>>Applied Cryptology 2/e along for personal study?

The first edition of Applied Cryptography has explicit permission to be exported, thanks to Phil Karn. It's not clear that he needed to ask, except as a setup for asking permission to export the same material on floppy disks; books normally get lots of slack because they look surprisingly like the kind of thing the First Amendment covers. (It's also not clear that he _didn't_ need to ask, given Dan Bernstein's attempts to get official permission to teach cryptography.)
>On the Taiwan side, though, they may wonder why you brought an expensive
>U.S.-printed copy when you get the special rice-paper edition of "Applied
>Cryptography, 2nd Ed." for the equivalent of $2.25 in Taipei's book stalls.

If this were Singapore, they might consider it subversive literature, because it is :-) Don't know about Taiwan; you can tell them it's a computer textbook or math textbook if they ask any questions. Rice-paper editions of books are especially good if you need to eat them in a hurry when the Feds are raiding you....

#--
# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281
#
# "Eternal vigilance is the price of liberty" used to mean us watching
# the government, not the other way around....

From tallpaul at pipeline.com Sun Jan 21 07:44:19 1996
From: tallpaul at pipeline.com (tallpaul)
Date: Sun, 21 Jan 1996 23:44:19 +0800
Subject: Wipe delete
Message-ID: <199601201840.NAA05671@pipe11.nyc.pipeline.com>

On Jan 20, 1996 10:24:34, 'sheol at downdeep.com' wrote:

>How can data be recovered after it has been wipe by being
>overwritten? You say even 8 or 9 times is not secure? That's kind of
>scary.
>

Let me "answer" this and another post first by saying, re the tekkie stuff, "I do not know."

However, my non-technical understanding goes something like this:

Reading and writing/erasing from a disk platter are pure only in the abstract. A bit interpreted as a 1 or 0 has a certain level of magnetism that the software accepts as defining it as a 1 or 0. The level of defined magnetism is never 100% on the specification; it always varies a little. How much it varies can be read by different grades of hardware.

Think of a simple erasure of data that has been written once and erased once. The different patterns of writing will have slightly different values. These can be read with specialized hardware and the raw data analyzed with special software programs.

Is there a cheap way that *we* can do such things?
I do not think so. The normal read/write head(s) on our normal hard disks have a limited sensitivity, fine for normal read/write operations but not sensitive enough to gather the minute variations described above.

Doing a military grade analysis of heavily overwritten data involves, to my knowledge, first opening the disk drive, removing the platters, inserting the platters in a second drive with much more sensitive heads, initializing the new drive to make sure that the extra-sensitive heads can locate the proper tracks/sectors etc. on the old platter, and then gathering the data. That is, the first steps in the process are hardware, not software, steps.

Now one way to increase the sensitivity of a read/write head is to run it closer to the physical media on which the magnetic signal resides. In other words, the intensity of magnetic flux decreases as a function of distance; get closer to the source and you can read weaker signals.

This also means that, as you position a new read/write head closer to the platters you significantly increase the likelihood that it will physically crash into the platter itself with the data intensity of an army tank running over a stack of bowling pins.

This, in turn means that the new combination of extra-sensitive read/write head and old disk platter is especially sensitive to contaminates. (Forgetting the width of the gap in the head which is another way of increasing sensitivity), the level of contamination like smoke particles, dust, etc. must be less than that called for in the original factory specifications.

This, I think, means you need a physical "clean room" to perform the reassembly that is cleaner than that used by the original factory. Those aren't cheap and that is (one) reason why there isn't a cheap way for us to do this.

At least some aspects of this service is commercially available today. One easy way to locate services is to look at the small ads in the back of _PC Magazine_. You might try Vogon USA.
voice is 405-321-2485. fax is 405-321-2741. They have no WWW page or even e-mail address because they are not on the net. I don't even think they permit modems on their factory site.

I spoke to Bob Emerson, Vogon's Service Manager, about this. He explained it as a security matter: you don't get hacked over the net if you aren't on the net; you don't get penetrated over the phone lines if you don't have modems in your shop.

Sorry for the excessively broad non-technical character of this post. I'm sure other people on the list can go into the privacy issue of data recovery in far greater detail while ROFLTAO at my low level of knowledge.

tallpaul

From rah at shipwright.com Sun Jan 21 08:01:42 1996
From: rah at shipwright.com (Robert Hettinga)
Date: Mon, 22 Jan 1996 00:01:42 +0800
Subject: "Noise Filter" : Cypherpunks Lite Reminder...
Message-ID:

>Just a friendly reminder to those of you overwhelmed by the noise...

While we're plugging things,

Don't forget e$pam, which has (mostly) e$-related cypherpunks postings, and e$-filtered stuff from usenet newsgroups, and from as many mail groups as the subscribers find for me to look at. The AustrianECON list has talks about Hayek, Mises, et. al., and I zinged something to e$pam from it recently about currency boards, fiat money and all that stuff.

Both e$pam, and its companion discussion list, e$, are free. They're sponsored by OKI Advanced Products and Hyperion, and anyone else who cares to, for a ridiculously cheap charter sponsorship rate ;-). The sponsor tags are in the .sig of each message.

You can subscribe to e$pam and e$ by looking at the e$ home page, http://thumper.vmeng.com/pub/rah/ .

Cheers,
Bob Hettinga

-----------------
Robert Hettinga (rah at shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA
"Reality is not optional." --Thomas Sowell
The NEW(!)
e$ Home Page: http://thumper.vmeng.com/pub/rah/

From jseng at stf.org.sg Mon Jan 22 00:34:44 1996
From: jseng at stf.org.sg (James Seng)
Date: Mon, 22 Jan 96 00:34:44 PST
Subject: Hassles taking App. Crypt. to Taiwan?
In-Reply-To: <199601220740.XAA07983@ix4.ix.netcom.com>
Message-ID:

On Sun, 21 Jan 1996, Bill Stewart wrote:

> If this were Singapore, they might consider it subversive literature,
> because it is :-) Don't know about Taiwan; you can tell them it's a computer
> textbook or math textbook if they ask any questions. Rice-paper editions
> of books are especially good if you need to eat them in a hurry when the
> Feds are raiding you....

Just to clarify. I haven't heard of any Cryptography book being banned or listed as 'subversive literature' in Singapore. Where did you hear that from? *8)

*cheer*
-James Seng

From wlkngowl at unix.asb.com Sun Jan 21 09:10:27 1996
From: wlkngowl at unix.asb.com (Mutatis Mutantdis)
Date: Mon, 22 Jan 1996 01:10:27 +0800
Subject: NOISE.SYS Stupid Bugs w/Int13h
Message-ID:

There's an unpleasant bug in NOISE.SYS, BTW. It doesn't properly return the flags from the Int 13h handler, so disable that for now unless you'd like to do funky things to your disks.

Sorry 'bout that.

Rob.

From ngps at cbn.com.sg Mon Jan 22 01:19:57 1996
From: ngps at cbn.com.sg (Ng Pheng Siong)
Date: Mon, 22 Jan 96 01:19:57 PST
Subject: Hassles taking App. Crypt. to Taiwan?
In-Reply-To: <199601220740.XAA07983@ix4.ix.netcom.com>
Message-ID:

On Sun, 21 Jan 1996, Bill Stewart wrote:

> If this were Singapore, they might consider it subversive literature,
> because it is :-)

Duh! Bought my 1st edition in a prominent local bookstore, which had only 2 copies left. (Or maybe they only carried 2 copies. ;)

Am waiting for the 2nd edition to arrive. Or may just order it myself.

- PS
--
Ng Pheng Siong
NetCentre Pte Ltd * Singapore
Finger for PGP key.
From cwchang at cs.tamu.edu Mon Jan 22 01:44:20 1996
From: cwchang at cs.tamu.edu (Chih-Wei Chang)
Date: Mon, 22 Jan 96 01:44:20 PST
Subject: Hassles taking App. Crypt. to Taiwan? (fwd)
Message-ID: <199601220943.DAA23213@photon.cs.tamu.edu>

> >On the Taiwan side, though, they may wonder why you brought an expensive
> >U.S.-printed copy when you get the special rice-paper edition of "Applied
> >Cryptography, 2nd Ed." for the equivalent of $2.25 in Taipei's book stalls.
>
> If this were Singapore, they might consider it subversive literature,
> because it is :-) Don't know about Taiwan; you can tell them it's a computer
> textbook or math textbook if they ask any questions. Rice-paper editions
> of books are especially good if you need to eat them in a hurry when the
> Feds are raiding you....

There will be no problem to bring it to Taiwan. I think you can buy a cheaper one at Taipei, but not as cheap as $2.25. Everything there is very expensive now, except books. Unfortunately, they are not rice-paper editions. You will have a hard time to eat them.

--
============================================================================
Name : Chih-Wei Chang (Ray) Computer Science, Texas A&M University,
E-mail : cwchang at cs.tamu.edu College Station, TX-77843-3112, USA.
============================================================================

From matthew at itconsult.co.uk Sun Jan 21 11:02:30 1996
From: matthew at itconsult.co.uk (Matthew Richardson)
Date: Mon, 22 Jan 1996 03:02:30 +0800
Subject: "Trustworthy" PGP Timestamping Service ??
Message-ID: <310288d0.13035213@itconsult.co.uk>

I have recently setup a free PGP timestamping service which operates by email.

The objective of the service is to be able to produce "trustworthy" timestamps which cannot be backdated without detection.
It achieves this by:-

(a) giving every signature a unique sequential serial number;

(b) every day making a ZIP file of that day's detached signatures and feeding the ZIP file back for signing (and hence the assignment of another serial number);

(c) making available details of the highest serial number on each day as well as the signed ZIP files via email (and shortly WWW);

(d) weekly publishing details of the DETACHED signatures of the ZIP file in alt.security.pgp and to users requesting them on a list server.

I would be interested in folks' comments on this "trustworthiness", including any weaknesses or possible improvements.

Full details of the service can be found at:-

http://www.itconsult.co.uk/stamper.htm

Thank you in advance.

Best wishes,
Matthew

From tcmay at got.net Sun Jan 21 11:09:29 1996
From: tcmay at got.net (Timothy C. May)
Date: Mon, 22 Jan 1996 03:09:29 +0800
Subject: Hassles taking App. Crypt. to Taiwan?
Message-ID:

At 1:49 PM 1/21/96, Daniel A. Monjar wrote:
>I've lurked for quite a while now. It is time to ask my first newbie
>question. I'll be going to Taiwan for three weeks in March. Is there
>likely to be any problems at US or Taiwan customs if I take
>Applied Cryptology 2/e along for personal study?

No. The U.S. rarely inspects outgoing stuff (I've never even seen an international departure area that has the facilities for Customs inspection). Unless tipped-off that some crime they are investigating is involved.

Even if it ultimately gets established that printed books can require export permits--something I don't expect--the enforcement of such a situation would be problematic in the extreme.
They might stop a cargo pallet from being shipped to Slobostan, but not individual books carried in luggage. "Don't ask, don't tell."

On the Taiwan side, though, they may wonder why you brought an expensive U.S.-printed copy when you get the special rice-paper edition of "Applied Cryptography, 2nd Ed." for the equivalent of $2.25 in Taipei's book stalls.

--Tim May

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From nobody at REPLAY.COM Mon Jan 22 03:10:18 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Mon, 22 Jan 96 03:10:18 PST
Subject: Ultimate Paranoia
Message-ID: <199601221110.MAA08368@utopia.hacktic.nl>

Fellow Cypherpunks,

I have been lurking around for some time and I have learned a lot, but I have a few questions that I either haven't seen posted or I've missed altogether.

I keep PGP stored on a removable hard drive and keep it under lock and key when it's not in use. I write and encrypt messages on a stand-alone computer, that I only have access to. My passphrase is rather long and full of gibberish, but I still fear the other things that I can not control.

Does anyone make and sell a device that emits white and pink noise?

How do you take the randomness collected from radiation sensors to create a truly random sample for creating a PGP key?

Is there anything else that I might be missing besides lining the walls & computer in tin foil? :^)

Thanks for your help!
-Murphy -- From junger at pdj2-ra.F-REMOTE.CWRU.Edu Mon Jan 22 03:38:38 1996 From: junger at pdj2-ra.F-REMOTE.CWRU.Edu (Peter D. Junger) Date: Mon, 22 Jan 96 03:38:38 PST Subject: ITAR and hash functions (Perry's question) In-Reply-To: <199601201534.KAA03043@jekyll.piermont.com> Message-ID: "Perry E. Metzger" writes: : : Phil Karn writes: : > Perry quoted part of the joint declaration of facts in my case and asked : > : > >Would this not mean that the government is estopped from ever again : > >claiming that hash functions are export controlled under the ITAR? : > : > Not according to them. : : Yeah, I know not according to them. Thats not what counts. But that is what counts initially : I'd like to : know what a lawyer thinks. Once they have declared that something : doesn't fit the munitions criteria I suspect they are estopped from : ever claiming again that it is munitions -- basic legal : principle. Sure, they can claim otherwise, but they aren't forbidden : by law from asserting their power to make buildings levitate, either. In general, the doctrine of estoppel is not applied against governmental agencies. To the extent that an agency is purportedly making decisions as to what the law is, it may or may not be bound by its earlier decisions, but it usually won't be. And it is not bound by its factual determinations. : > Furthermore, they repeatedly assert that under the power delegated to : > them by the President, they have the absolute power to add and delete : > items from the Munitions List and to make inexplicable, inconsistent : > and arbitrary rulings whenever they damn well feel like it, and no : > court can overrule them. : : They can claim that they have the right to declare fingernail clippers : to be munitions, but that certainly couldn't stand up in court. 
That would stand up in court and in any case the statute that is the basis for the ITAR says that the determination that something--including fingernail clippers--is on the Munitions Lists is not reviewable by the courts. (And a court held before that provision was passed that the question of whether commercial television descramblers were properly on the munitions list, as cryptographic devices, was a political question that could not be reviewed by the court. And that was, as I recall, a criminal case.) : > So the bottom line is this: at the moment the ODTC will let you export : > hash functions as long as they don't encrypt data. They'll probably : > grant CJ requests to that effect. But they could change their minds at : > any time if they feel like it. : > : > Isn't it wonderful to live under a government of laws, not of men? I am convinced that most, if not all, the restrictions in the ITAR on disclosing cryptographic software will be struck down by the courts as being unconstitutional under the first amendment, but it will not be an easy process. There are all sorts of constitutional provisions that are violated every day and though some of these violations will be overturned by courts, if and only if someone like Phil Karn challenges them in court, but the wheels of the law grind slowly. -- Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH Internet: junger at pdj2-ra.f-remote.cwru.edu junger at samsara.law.cwru.edu From Roger.Clarke at anu.edu.au Mon Jan 22 03:48:52 1996 From: Roger.Clarke at anu.edu.au (Roger Clarke) Date: Mon, 22 Jan 96 03:48:52 PST Subject: (cpx) Australian GAK? 
Message-ID: sdavidm at iconz.co.nz (David Murray) asked cypherpunks at toad.com: >I've just seen a note to the effect that the (Australian) Senate Economics >References Committee has recommended, in their recently tabled report >quaintly entitled _Connecting You Now...Telecommunications to the Year >2000_ the establishment of a third party body for the management of public >key authentication. > >The Committee has also recommended the establishment of a national >authentication system to be recognised internationally with credibility >>with the legal system - True Names, most probably. > >Any c'punks closer to Canberra with the real goods? So far, very few Australian Senate documents are up on the net (honourable exception: those of those of the Committee on 'Community Standards' and on-line services); but keep your eye on them, and maybe they'll catch up: http://senate.aph.gov.au/ Steve Orlowski from the Australian Attorney-General's Department wrote a paper in November/December 1995 which outlined the idea. He's given me permission to put it up. Me? 
I'm just playing proxy until A-G's really come to believe in this medium (:-)}

http://www.anu.edu.au/people/Roger.Clarke/II/Orlowski3

While you're at it, check these two out as well, and hit me with anything that'll improve them:

- hot-links concerned with regulation of the net:
  http://www.anu.edu.au/people/Roger.Clarke/II/Regn

- a compendium of things that go bump on the net:
  http://www.anu.edu.au/people/Roger.Clarke/II/Netethiquettecases

Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 6 288 6916 Fax: +61 6 288 1472
Visiting Fellow, Faculty of                Email: Roger.Clarke at anu.edu.au
Engineering and Information Technology
Information Sciences Building Room 211     Tel: +61 6 249 3666
The Australian National University
Canberra ACT 0200 AUSTRALIA                Fax: +61 6 249 0010

From pati at ipied.tu.ac.th Mon Jan 22 03:52:32 1996
From: pati at ipied.tu.ac.th (Patiwat Panurach (akira rising))
Date: Mon, 22 Jan 96 03:52:32 PST
Subject: Econo-terrorism against Iraq
In-Reply-To: <199601200830.AAA07615@mailx.best.com>
Message-ID:

I remember once reading in cypherpunks about how the US government used counterfeit money as an economic warfare tool against Iraq during the war. Can anyone give me any more pointers to this? Is it confirmed? If you feel this is off topic, please email me personally.

-------------------------------------------------------------------------------
Patiwat Panurach               Whatever you can do, or dream you can, begin it.
eMAIL: pati at ipied.tu.ac.th  Boldness has genius, power and magic in it.
m/18 junior Fac of Economics                             -Johann W.Von Goethe
-------------------------------------------------------------------------------

From dlv at bwalk.dm.com Sun Jan 21 11:52:38 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Mon, 22 Jan 1996 03:52:38 +0800
Subject: Wipe Swap File
In-Reply-To:
Message-ID: <9oF3HD85w165w@bwalk.dm.com>

tcmay at got.net (Timothy C.
May) writes: > >Degaussing the media (running a household magnet over it :-) may be an optio > > Ordinary household magnets fail for a couple of reasons: I've just established experimentally that thoroughly running a household magnet over a 3.5" floppy messed up less than 1/2 the sectors I tried to read. Not a good option even for floppies. (Actually, there _was a smiley up there) > >1. Does anyone know a cheap way to recover the traces of the previous > >(overwritten) recordings on the media? > > There are custom drives for various media which have multiple heads, and > heads that can be "jogged" a little bit. This allows, I have read, the > subtle variations of multiple writes to be extracted. > > Much more expensive would be various electron microscope-based imaging > methods to directly image the domains and extract subtle signs of past > write cycles. I'll go on a tangent (this has more of a stego than crypto code relevance): In the early '80s there was much activity related to floppy disk based copy protection schemes (we got our first PC in Dec 81; most folks today know dongles, but may not remember disk-based copy protection). The original IBM PC came with 360K 5.25" floppy drives and a very smart floppy disk controller chip that was capable of much more than what the IBM BIOS normally asked of it; and even the BIOS was capable of much more (floppy disk related) than PC DOS required. One of the neater tricks I've seen were the so called "weak bits". One could confuse the FDC and write a sector in such a way that when subsequently someone read it, he saw 1's some of the times and 0's at other times. Naturally, the FDC noted the CRC error on the sector. The copy protection checker could read the sector several times into different buffers and see that it got different results every time. I rummaged around my archives and found an assembly program (about 10K) that I once wrote (dated Jan 84) which I think did exactly this. 
I can e-mail it to anyone who cares to take a look. (Disclaimer: I no longer remember what it does, but I think this is the one with weak bits.)

I would not be very surprised if it turned out to be possible to confuse the floppy disk controller (or some hard disk controllers) by software alone, so that instead of operating "correctly" and reading the most recently written data, it would operate "incorrectly" and pick up traces of the overwritten bits from the media.

Jim Bell mentioned the trick of hiding information into 'extra' tracks and sectors not used by the usual DOS formatting. It's very old too. I think I saw copy protection schemes circa 1982 that hid important data on tracks 41--43. 360K diskettes normally had 40 tracks. If the diskette was copied by DISKCOPY, it didn't know about the extra tracks, and the copy didn't have the info (usually, a piece of the program). It's very easy to do with just BIOS calls to format/read/write the track. Problem is, many cheap floppy drives these days aren't capable of seeking beyond track 80 when the FDC asks them to. You can write the data there and give the floppy to a friend who won't be able to read it from there.

Microsoft uses a variation of this scheme when it formats its distribution diskettes for some products with additional sectors on every track (and presumably a smaller inter-sector gap, and good media). Some may recall that the original PC DOS 1.x formatted disks with 8 sectors/track (for 160K/320K) and 2.x and later started formatting 9 sectors. There was a popular hack to put 10 sectors on a track (including a DOS device driver to read such disks). This too can be accomplished by BIOS without any FDC hacking.

(Thanks also to tallpaul for info on Vogons)

--- Dr.
Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

From wlkngowl at unix.asb.com Sun Jan 21 11:52:49 1996
From: wlkngowl at unix.asb.com (Mutatis Mutantdis)
Date: Mon, 22 Jan 1996 03:52:49 +0800
Subject: SHA-2
In-Reply-To:
Message-ID:

I don't know if the revision is official or proposed. I first heard about it in a post to alt.security (I saved the message somewhere) which contained ref's in the federal register.

I've seen other implementations that make the same fix.

The difference is that when the expansion function is performed, it rolls the dword 1 bit left before putting it in the W[] array.

--Rob

s1018954 at aix2.uottawa.ca writes:
[..]
>Schneier mentioned last year in one of his conference reports that SHA
>was being revised, yet I couldn't find it in Applied Crypto 2 (I admit
>that I don't yet own the new one, and I haven't taken a good enough look
>while browsing it in the bookstores), anyone have any pointers to the new
>spec?
>Please correct me if I am wrong.
>TIA

From pati at ipied.tu.ac.th Mon Jan 22 04:35:08 1996
From: pati at ipied.tu.ac.th (Patiwat Panurach (akira rising))
Date: Mon, 22 Jan 96 04:35:08 PST
Subject: double-spending ecash
In-Reply-To: <9601112011.AA25213@toad.com>
Message-ID:

Double spending using ecash isn't possible, but why so? Is it because of the verification protocol? Or is it an implication of the issuing intricacies?

And how about tracing, is it merely unfeasible that ecash spending can be traced, or is it mathematically impossible to trace?

Any explanations or pointers would be extremely helpful.

-------------------------------------------------------------------------------
Patiwat Panurach               Whatever you can do, or dream you can, begin it.
eMAIL: pati at ipied.tu.ac.th  Boldness has genius, power and magic in it.
m/18 junior Fac of Economics                             -Johann W.Von Goethe
-------------------------------------------------------------------------------

From roy at sendai.cybrspc.mn.org Mon Jan 22 05:06:45 1996
From: roy at sendai.cybrspc.mn.org (Roy M. Silvernail)
Date: Mon, 22 Jan 96 05:06:45 PST
Subject: (none)
In-Reply-To:
Message-ID: <960122.061235.3y2.rnr.w165w@sendai.cybrspc.mn.org>

In list.cypherpunks, someone wrote:

> Note that RSA normally is used as probabilistic encryption: encrypt the
> same plaintext twice, and you'll likely get two different ciphertexts.

I think you're confusing PGP's use of random session keys and random padding with actual RSA encryption. Using RSA alone on a given plaintext will always give you the same ciphertext.

--
Roy M. Silvernail [ ] roy at cybrspc.mn.org
PGP Public Key fingerprint = 31 86 EC B9 DB 76 A7 54 13 0B 6A 6B CC 09 18 B6
Key available from pubkey at cybrspc.mn.org

From nsb at nsb.fv.com Mon Jan 22 05:13:29 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Mon, 22 Jan 96 05:13:29 PST
Subject: new web security product
In-Reply-To: <199601161948.OAA02322@jekyll.piermont.com>
Message-ID:

Ed Carp writes:
> : > I wouldn't pass this along normally, but it seems to allow folks to use
> : > their credit cards at home securely. Bye-bye, First Virtual... ;)

Perry Metzger writes:
> : I don't think it's going to fly. No one wants to pay for an unneeded
> : $100 piece of hardware to encrypt the same credit card over and over
> : again, when a nearly zero marginal cost piece of software can do the
> : same thing.

Jeff Hupp writes:
> I am not even sure it IS an encryption device. ......
> It may just be a low cost?
mag stripe reader... Let's assume that it is an encryption device, though I agree that this is left unclear. This is by no means the first announcement of such a device. I suspect it is targeted at physical merchants, and intended more to compete with the likes of Verifone terminals than anything else. I doubt that anyone's basing their business plan on the idea that consumers will spend $100 each for a device that helps them to spend more money, but has no other direct utility. -- Nathaniel -------- Nathaniel Borenstein (FAQ & PGP key: nsb+faq at nsb.fv.com) Chief Scientist, First Virtual Holdings VIRTUAL YELLOW RIBBON==> http://www.netresponse.com/zldf From rjc at clark.net Mon Jan 22 05:31:27 1996 From: rjc at clark.net (Ray Cromwell) Date: Mon, 22 Jan 96 05:31:27 PST Subject: Microsoft to digitally certify other manufacturers' code? In-Reply-To: <199601220718.XAA12594@Networking.Stanford.EDU> Message-ID: <199601221331.IAA17057@clark.net> The question is, if Microsoft is proposing this to the W3C and IETF, will they provide a reference implementation with source freely available? Microsoft has a habit of proposing "open" standards, of which they have the only implementation, which quickly becomes a defacto standard along with any "extensions" they make. -Ray From raph at CS.Berkeley.EDU Mon Jan 22 06:59:32 1996 From: raph at CS.Berkeley.EDU (Raph Levien) Date: Mon, 22 Jan 96 06:59:32 PST Subject: List of reliable remailers Message-ID: <199601221458.GAA13304@kiwi.cs.berkeley.edu> I operate a remailer pinging service which collects detailed information about remailer features and reliability. 
To use it, just finger remailer-list at kiwi.cs.berkeley.edu

There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at:
http://www.cs.berkeley.edu/~raph/remailer-list.html

This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail, which is available at:
ftp://ftp.csua.berkeley.edu/pub/cypherpunks/premail/premail-0.33a.tar.gz

For the PGP public keys of the remailers, finger pgpkeys at kiwi.cs.berkeley.edu

This is the current info:

REMAILER LIST

This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu.

$remailer{"extropia"} = " cpunk pgp special";
$remailer{"portal"} = " cpunk pgp hash";
$remailer{"alumni"} = " cpunk pgp hash";
$remailer{"bsu-cs"} = " cpunk hash ksub";
$remailer{"c2"} = " eric pgp hash reord";
$remailer{"penet"} = " penet post";
$remailer{"ideath"} = " cpunk hash ksub reord";
$remailer{"hacktic"} = " cpunk mix pgp hash latent cut post ek";
$remailer{"flame"} = " cpunk mix pgp. hash latent cut post reord";
$remailer{"rahul"} = " cpunk pgp hash filter";
$remailer{"mix"} = " cpunk mix pgp hash latent cut ek ksub reord ?";
$remailer{"ford"} = " cpunk pgp hash ksub ek";
$remailer{"hroller"} = " cpunk pgp hash latent ek";
$remailer{"vishnu"} = " cpunk mix pgp. hash latent cut ek ksub reord";
$remailer{"robo"} = " cpunk hash mix";
$remailer{"replay"} = " cpunk mix pgp hash latent cut post ek";
$remailer{"spook"} = " cpunk mix pgp hash latent cut ek reord";
$remailer{"rmadillo"} = " mix cpunk pgp hash latent cut ek";
$remailer{"ecafe"} = " cpunk mix";
$remailer{"wmono"} = " cpunk mix pgp. hash latent cut";
$remailer{"shinobi"} = " cpunk mix hash latent cut ek reord";
$remailer{"amnesia"} = " cpunk mix pgp hash latent cut ek ksub";
$remailer{"gondolin"} = " cpunk mix pgp hash latent cut ek reord";
$remailer{"tjava"} = " cpunk mix pgp hash latent cut";
$remailer{"pamphlet"} = " cpunk pgp hash latent cut ?";
$remailer{'alpha'} = ' alpha pgp';
$remailer{'gondonym'} = ' alpha pgp';
catalyst at netcom.com is _not_ a remailer.
lmccarth at ducie.cs.umass.edu is _not_ a remailer.
usura at replay.com is _not_ a remailer.

Groups of remailers sharing a machine or operator:
(c2 robo hroller alpha)
(gondolin gondonym)
(flame hacktic replay)
(alumni portal)
(vishnu spook wmono)

Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too.

Note: The remailer list now includes information for the alpha nymserver.

Last update: Mon 22 Jan 96 6:49:09 PST

remailer  email address                   history       latency  uptime
-----------------------------------------------------------------------
c2        remail at c2.org                 *******+**+*    16:05 100.00%
ecafe     cpunk at remail.ecafe.org        ######*#####    28:53  99.99%
pamphlet  pamphlet at idiom.com            ++++++++-+++    53:51  99.99%
vishnu    mixmaster at vishnu.alias.net    *******+****    15:49  99.98%
flame     remailer at flame.alias.net      +++++..++-+*  2:48:04  99.96%
alpha     alias at alpha.c2.org            #****            3:24  99.96%
tjava     remailer at tjava.com            ##+#-#*** ##    11:04  99.69%
mix       mixmaster at remail.obscura.com  -----------   1:41:10  99.58%
rmadillo  remailer at armadillo.com        ##+#*### ##       :57  99.39%
portal    hfinney at shell.portal.com      #*+++*-*## #     4:56  99.29%
alumni    hal at alumni.caltech.edu        *+****+*#+ #     4:35  99.23%
extropia  remail at extropia.wimsey.com    ----__....-  18:15:09  98.38%
hroller   hroller at c2.org                -# ########      1:11  97.93%
penet     anon at anon.penet.fi            ------.. -   15:40:28  92.22%
rahul     homer at rahul.net               * ##*#**+***     1:30  99.87%
shinobi   remailer at shinobi.alias.net    .- + #+#      8:52:40  79.39%
ford      remailer at bi-node.zerberus.de  *++++++-+     2:30:08  63.32%
bsu-cs    nowhere at bsu-cs.bsu.edu        *---*##*         8:49  56.61%
replay    remailer at replay.com           **** *+          6:03  41.80%
hacktic   remailer at utopia.hacktic.nl    *******          8:05  41.23%

History key
* # response in less than 5 minutes.
* * response in less than 1 hour.
* + response in less than 4 hours.
* - response in less than 24 hours.
* . response in more than 1 day.
* _ response came back too late (more than 2 days).

cpunk    A major class of remailers. Supports Request-Remailing-To: field.
eric     A variant of the cpunk style. Uses Anon-Send-To: instead.
penet    The third class of remailers (at least for right now). Uses X-Anon-To: in the header.
pgp      Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID.
hash     Supports ## pasting, so anything can be put into the headers of outgoing messages.
ksub     Remailer always kills subject header, even in non-pgp mode.
nsub     Remailer always preserves subject header, even in pgp mode.
latent   Supports Matt Ghio's Latent-Time: option.
cut      Supports Matt Ghio's Cutmarks: option.
post     Post to Usenet using Post-To: or Anon-Post-To: header.
ek       Encrypt responses in reply blocks using Encrypt-Key: header.
special  Accepts only pgp encrypted messages.
mix      Can accept messages in Mixmaster format.
reord    Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself.
mon      Remailer has been known to monitor contents of private email.
filter   Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering.
Raph Levien From pclow at pc.jaring.my Mon Jan 22 07:23:11 1996 From: pclow at pc.jaring.my (Peng-chiew Low) Date: Mon, 22 Jan 96 07:23:11 PST Subject: Hassles taking App. Crypt. to Taiwan? Message-ID: <199601221522.XAA29618@relay3.jaring.my> >If this were Singapore, they might consider it subversive literature, >because it is :-) ...............and the next thing you'll probably say is that Asians live in tree houses and have pet gorillas or whatever :)...... From jwarren at well.com Sun Jan 21 15:33:13 1996 From: jwarren at well.com (Jim Warren) Date: Mon, 22 Jan 1996 07:33:13 +0800 Subject: Netscape and NSA Message-ID: At 11:02 AM 01/19/96, Alex Strasheim wrote: >... > >I'm personally a little frustrated by the timidity of industry's >response. I don't understand it. Netscape's interests are clear, their >voice is loud, and their resources are vast. Where's John D. Rockefeller >when you need him? Having served on the Board of a half-billion-buck revenue software for half a decade, I will tell you -- from having once been on "the inside" -- that there is one and only one focus for almost all publicly-traded corporations ... optimization of profits in the next quarter. This *often* involves a broad range of cooperation with government agencies -- especially if/when the corporation is trying to peddle its products to the guv'ment. Corp management *know* how helpful -- or foot-dragging harmful -- bureaucrats can be ... and our current administration has been *hot* to have crypto suppression and wiretap expansion, big time! (The [unproven] word I've gotten from inside of Washington legal circles is that when Clinton hit the White House, the spooks and enforcers were there with endless horror stories about how the sky will fall and vile terrorists will bomb every building if they don't have unfettered electronic snooping freedom. 
And Clinton, never having dealt with national security issues before and having a total non-record re enforcement or int'l affairs, was totally cowed by the very effective bureau and agency terrorists ... uh, fear peddlers. --jim There is no safety this side of the grave. Never was; never will be. From jya at pipeline.com Mon Jan 22 07:51:17 1996 From: jya at pipeline.com (John Young) Date: Mon, 22 Jan 96 07:51:17 PST Subject: NSC_lub Message-ID: <199601221551.KAA17313@pipe2.nyc.pipeline.com> 1-22-96. W$J: "VeriFone and Netscape Plan Software To Ease Internet Credit-Card Payments." They aim to simplify payments with software for both banks and merchants. The bank software would allow banks to use their existing computer systems to read and process transactions. The merchant software would allow merchants to buy just one software package to put up an electronic storefront and payment system on the Web. Netscape said the software will include a new encryption technology that Visa and MasterCard are expected to announce in two to three weeks. That technology would break sensitive information into 1,024 bits instead of the 128 bits used currently. "AOL, Netscape Are Discussing An Alliance." Netscape and America Online Inc. are in talks to forge an alliance aimed at furthering their lead over the on-line push by software giant Microsoft Corp. "If you can't beat 'em, unguent 'em," Case-squirted an a-oiler. NSC_lub From jamesd at echeque.com Mon Jan 22 07:59:09 1996 From: jamesd at echeque.com (James A. Donald) Date: Mon, 22 Jan 96 07:59:09 PST Subject: Why is blowfish so slow? Other fast algorithms? Message-ID: <199601221601.IAA14610@mailx.best.com> At 02:00 AM 1/22/96 -0500, David Mazieres wrote: >Failing that, can anyone suggest other secure, preferably unpatented, >shared-key encryption algorithms that could encrypt at ethernet speeds >(1 MByte/sec) without using most of the CPU on a fast Pentium or >equivalent processor? 
RC4 is of course unpatented and faster than anything else.

Of course the name RC4 is trademarked, so you could simply call it "the well known algorithm" in your documentation and give the algorithm explicitly.

RSA's present legal gimmicks seem to me to be based on the "trade secret" that RC4 really is the well known algorithm, so if you refrain from using the name "RC4", you should be OK.

(I am not a lawyer.)

T
>
>Thanks a lot,
>David
>
>
 ---------------------------------------------------------------------
                                      |
We have the right to defend ourselves | http://www.jim.com/jamesd/
and our property, because of the kind |
of animals that we are. True law      | James A. Donald
derives from this right, not from the |
arbitrary power of the state.         | jamesd at echeque.com

From jya at pipeline.com Sun Jan 21 16:06:40 1996
From: jya at pipeline.com (John Young)
Date: Mon, 22 Jan 1996 08:06:40 +0800
Subject: CIA Stashes
Message-ID: <199601212341.SAA02445@pipe2.nyc.pipeline.com>

Reuter has a brief story today about "80 secret U.S. weapons arsenals that remain scattered across Austria for 40 years after they were hidden in case of a Soviet invasion" for use by resistance fighters.

It says the CIA stockpiled the weapons without telling the Austrian government.

The Austrian paper Kurier quotes the U.S. Ambassador as saying the CIA only recently informed Congress about the weapons stash.

Does anyone in Austria or elsewhere have more on this?

-----

In a related matter, on Friday C-SPAN 2 aired several hours of comments and proposals by intel experts before the US Commission on Intelligence Reform.

Mephistophelean former NSA head Admiral Bobby Ray Inman proposed among other brain-wavers to reorganize the thirteen or so bloated, bumbling, cat-fighting intelligence agencies:

1. Establish a new International Operations Agency to combine all operations units -- civilian and military -- into one, separate from the CIA -- which he thinks has irretrievably lost operations credibility.

2. CIA to do all intelligence analysis, but no collecting, to avoid contamination caused by "ownership of the data." The military to do intelligence collection and analysis only needed for immediate operations.

3. FBI to do all counter-intelligence, domestic and international, with agents stationed overseas.

4. Defense to do all imagery.

5. NSA/NRO/???, though not named in open session, presumably would continue ELINT and SIGINT.

6. All this will be very expensive, he roostered, intelligence on the cheap is worthless.

7. The total intelligence budget to be made public but no further breakdown of how the pot of gold is distributed to supplicants is to be confessed.

Former Ambassador to China Tilley, a 25-year veteran of CIA operations, emphasized the importance of continuing Non Official Cover operations, which, he said, are invaluable very-long term penetrations. He cited those he set up in China as COS and then revisited fifteen years later as ambassador -- still ferreting deepest of demon red-commie secrets, he black-comicly glowered to the glazed-eyes.

NOC, while very expensive, is crucial, he, too, parroted. For the full eye-opening pack of lies to replenish the pot of gold, Tilley co-conspired that a closed session was needed.

But all the intel gold-digging experts testified to that, grinning malevolently, thus continuing the grand tradition of looting national treasuries top-secret cloaked by national interest.

So, where are all those not-yet-reported CIA Non Official Cover stashes of gold bullion (or $100 bills) to pay the world-wide "resistance fighters" for illusory supremacy?

From adam at homeport.org Mon Jan 22 08:16:47 1996
From: adam at homeport.org (Adam Shostack)
Date: Mon, 22 Jan 96 08:16:47 PST
Subject: Why is blowfish so slow? Other fast algorithms?
In-Reply-To: <199601220700.CAA13713@amsterdam.lcs.mit.edu> Message-ID: <199601221620.LAA20745@homeport.org> David Mazieres wrote: | First, can someone tell me if the latest version of blowfish (the one | in Applied Crypto 2nd edition) is available online somewhere? I | looked at a bunch of crypto ftp servers and could only find an older | version of blowfish that did not have the blf_ctx structure allowing | multiple keys to be active at a time. Did you check ftp.dsi.unimi.it? I seem to remember them having the latest source right after Crypto95. Also, ftp.csua.berkeley.edu should have it. (Their code is version 1.3; do you know what version you're after?) Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From jya at pipeline.com Mon Jan 22 08:18:27 1996 From: jya at pipeline.com (John Young) Date: Mon, 22 Jan 96 08:18:27 PST Subject: NYT New Web Site Message-ID: <199601221618.LAA19733@pipe2.nyc.pipeline.com> NYT reported today that it has set up a new web site: http://www.nytimes.com It offers most of the daily articles as well as some from archives. More info on subscription and the offerings at the home page. Subscription is free, for now. Though there is a charge for downloading, and a battery of whistling-in-the-dark copyright proclamations and threats and pleadings. For the Times-addicted, today's WSJ has a page one article on NYT-leadership squabbling, fomented by board member Gerstner, infamous IBM-Lotus espionage-enabler. From lws at transarc.com Mon Jan 22 08:21:38 1996 From: lws at transarc.com (lws at transarc.com) Date: Mon, 22 Jan 96 08:21:38 PST Subject: Lan Manager security Message-ID: <9601221620.AA11356@capybara.transarc.com> Have you seen an analysis of the security of the LanMan authentication scheme? It strikes me as better than K4, but worse than K5. I wonder if you concur. Since Don and Ted have probably not seen this before, here's the technique as I understand it (summarized from the SAMBA docs). 
The password is uppercased and truncated to 14 bytes (or padded to 14 bytes with nulls). This is split (0..6,7..13) into two DES keys which are each used to encrypt a static 8-byte value. The resulting 16 byte key is stored at the server. To authenticate a connection, the server issues an 8 byte random challenge. I presume this is returned in the clear since the docs don't specify otherwise, but I haven't sniffed one. The randomness of the challenge doesn't matter so much if it crosses the network in the clear (though I can't understand why they did this), as long as the period of the generator is large enough to prevent replay attacks. The client then pads the 16-byte key to 21 bytes (with zeros, natch), splits it in thirds, {0..6}, {7..13}, {14,15,NUL,NUL,NUL,NUL,NUL}, uses each third to DES-encrypt the challenge, concatenates the ciphertexts, and returns the response to the server. I don't want to prejudice you too much by posting my own thoughts on this protocol, but here are a couple of things that should be obvious: 1. It doesn't hand back free samples of enciphered known plaintexts to all comers for offline attack. This is a Good Thing, unlike some other NOTABLE EXAMPLES. 2. This business with padding the keys out with zero bits really simplifies cryptanalysis. Where my limited expertise breaks down, is identifying just how easy it makes things. 3. I'm kind of boggled as to why they do this multiple encryption of things and then *concatenate* the ciphertexts. If you're going to do multiple encryption, it seems to make sense to pipeline the stages. Doesn't it? From bdolan at use.usit.net Sun Jan 21 16:45:37 1996 From: bdolan at use.usit.net (Brad Dolan) Date: Mon, 22 Jan 1996 08:45:37 +0800 Subject: CIA Stashes In-Reply-To: <199601212341.SAA02445@pipe2.nyc.pipeline.com> Message-ID: On Sun, 21 Jan 1996, John Young wrote: [...] 
> > In a related matter, on Friday C-SPAN 2 aired several hours > of comments and proposals by intel experts before the US > Commission on Intelligence Reform. Mephistophelean former > NSA head Admiral Bobby Ray Inman proposed among other > brain-wavers to reorganize the thirteen or so bloated, > bumbling, cat-fighting intelligence agencies: > [...] > > Former Ambassador to China Tilley, a 25-year veteran of CIA > operations, emphasized the importance of continuing Non > Official Cover operations, which, he said, are invaluable > very-long term penetrations. He cited those he set up in > China as COS and then revisited fifteen years later as > ambassador -- still ferreting deepest of demon red-commie > secrets, he black-comicly glowered to the glazed-eyes. NOC, > while very expensive, is crucial, he, too, parroted. > [...] My eyes were glazing over but I think I heard him say that it was a nice intelligence service practice to pass along useful info to friendly businessmen in exchange for their help. So there you have confirmation of at least some "economic intelligence" activity. bd From rah at shipwright.com Mon Jan 22 09:01:07 1996 From: rah at shipwright.com (Robert Hettinga) Date: Mon, 22 Jan 96 09:01:07 PST Subject: (fwd) e$: PBS NewsHour, Path Dependency, IPSEC, Cyberdog, and the Melting of Mr.Bill. Message-ID: -----BEGIN PGP SIGNED MESSAGE----- - --- begin forwarded text Sender: e$@thumper.vmeng.com Reply-To: e$@thumper.vmeng.com Mime-Version: 1.0 From: rah at shipwright.com (Robert Hettinga) Date: Mon, 22 Jan 1996 10:37:28 -0500 Precedence: Bulk To: Multiple recipients of Subject: e$: PBS NewsHour, Path Dependency, IPSEC, Cyberdog, and the Melting of Mr. Bill. I thought I'd crank this out in light of Friday's NewsHour segment about Apple and the path-dependency of the microcomputer market. Contrary to what PBS would have us believe, ;-), the concept of path dependency in technology, and in economics, for that matter, is a proven fallacy. 
At the risk of sounding credentialist (*I'm* not an economist, either), the NewsHour's Mr. Solman seems to be proof that journalism isn't economics, no matter the journalist's academic credentials. Journalists have to get a story out, and sometimes there's no story in the actual economics of a situation. Certainly there's no story in the non-existence of path dependency. The most famous example of path dependency, the idea that our previous economic choices doom us to repeat those choices forever, is the QWERTY keyboard, which has been proven *not* to be significantly slower than the Dvorak keyboard, its supposedly more efficient alternative. Dvorak, the designer of the alternative keyboard, was also the same person who conducted the "ergonomic" studies (spending our WWII tax dollars, I might add) "proving" its efficacy, and elevated his keyboard to the status of an urban legend. Dvorak was at worst a fraud and at best deluded with his own grandeur. Reviews of Dvorak's own data show some significant flaws in both research methodology and data handling. In addition, several independent studies since then have shown that randomly selected beginning typists, starting out on one keyboard or the other, have *never* shown any significant difference in typing speed. The Betamax/VHS videocassette war, another example of path dependence, was more one of Sony not having an open standard than anything else. Sony played dog-in-the-manger with its own technology, and consequently ended up owning the most lucrative market on a profit-per-machine basis, the one in television broadcasting. It also means they were leaving big money on the table where the largest market was, in consumer electronics. Doesn't this sound familiar to Mac fans? Path dependence had nothing to do with it. Consumer Reports did comparisons at the time showing only a marginal difference between Betamax and JVC, and nowadays there is absolutely no perceivable difference between the two. 
I now challenge anyone (including, unfortunately, Apple's own *psychologist*, quoted in the NewsHour piece) to *prove* path-dependence in the current market "hegemony" of Microsoft on the desktop. It ain't so. The reason that Microsoft has business computer market dominance today is *not* because of its original *perceived* incompatibility with legacy mainframe equipment ("nobody ever got fired for buying IBM -- or Microsoft"). Technically, mainframe compatibility was a non-issue at the time. It certainly wasn't for the first 5 years of the Mac's life, anyway. Apple could have done something about the mainframe compatibility issue with simple marketing communications if they had paid any attention to it at all. Apple's heart was never in the business market. First of all, for all their lip service to business, they really weren't ever attracted to the idea of building better word-processing and spreadsheet boxes, even if they did have the best one, before Excel and Word moved to Windows, at the time of the big ramp up of the business microcomputer market. It showed in their attitude to most business people. Outside consultants and mavericks were always the heroes in Apple's commercials, and so outside consultants and mavericks were attracted to the Mac as a computing platform, but large businesses and conformists weren't. When compatibility with mainframes actually did become an issue, for the short time when people were offloading their mainframe data onto LANs, Apple didn't want to be there anyway. With the advent of LANs, Apple didn't build the technology to deal with LANs head on on their own turf, large corporations. Apple built peer-to-peer networks of collegial desktop machines. 
Unfortunately, they never paid attention to the bandwidth or the multitasking premia necessary for those networks to function properly from the high-volume user's point of view, and, so, when someone downloaded a file from your machine, and you printed something in the background at the same time, you suffered a performance hit if you tried to do anything else. Your mouse jerked around the screen, or your words wouldn't show up in a window as fast as you typed them. With PC file and print servers, this was less of a problem, because those two jobs were offloaded to a separate machine, whose job it was to do nothing but run a printer, or to serve files. Since everyone had to be connected to these servers the local area network, or LAN, was born. On Apple networks, every machine is potentially a server for everyone else, and everyone is their own print server. Only after PC LANs became ubiquitous did Apple ever build servers of their own. Again, their hearts weren't in it, because they were more interested in the possibilities of more distributed, collegial, peer-to-peer networks. Fortunately, the first problem, network bandwidth, has been solved, because almost all Macs now come with ethernet, while the second problem, preemptive multitasking on faster processors, is being solved slowly. This is all very good for Apple, because peer-to-peer architecture is where the world's going to go anyway. The whole internet is a peer-to-peer, "geodesic" network, where each machine is optimized for its own particular function, be it serving, or switching information. There is no central repository of anything. That has been Apple's view of networks since day one. If it's any consolation, we won't even need LANs to do business with, anyway. A couple months ago, I saw Netscape running in the bond trading room of this country's largest institutional trustee bank, of all places. In their case, Netscape beat Powerbuilder hands-down in a prototype development shootout. 
The prototype *was* the production version. Netscape can do anything from secure outside-the-firewall SQL calls to actually conducting cash commerce. Game over. By the way, Netscape is not special in this regard at all. So can any other sufficiently secure browser server combination. Either one, client or server, can be developed for a dime a dozen even now. This is especially true when compound document architectures come on-line, like Apple's Cyberdog, an internet implementation of their OpenDoc software object technology. The reason we won't need LANs is because the only real difference between a LAN and the internet is a firewall for security, and the need for clients to speak Novell's TCP/IP-incompatible proprietary network protocol. With internet-level encryption protocols like the IETF IPSEC standard, you won't even need a firewall anymore. The only people who can establish a server session with *any* machine connected to the net will be those issuing the digital signatures authorized to access that machine, no matter where those people are physically. When that happens, networks will need to be as public as possible, which means, of course, TCP/IP, and not Netware. It's like Heinlein's old joke about space, "once you're in Earth orbit, you're halfway to anywhere". So, once you've gotten *rid* of the firewall, you're everywhere. So much for the path dependence of the LAN market. What happens to the information concentrated behind those firewalls -- or proprietary software markets, for that matter -- when, because of strong cryptography, firewalls disappear? Remember what happened to those floating globs of grease in the detergent commercial? Surfacted away into little tiny bits. I can hear Bill Gates now: "I'm melting!, I'm melting!". Ding, dong, Mr. Bill is dead... Game over. Now you see why he's fighting so hard to be net-compatible all of the sudden. 
In this "decade of the internet", the [user interface, platform, desktop, LAN, whatever] is meat, and real life is on the net, to paraphrase William Gibson. For the time being, I have come to the conclusion that the Mac, at least as long as Apple makes most of them, is the computer for the "best of us", and, unfortunately, not "the rest of us". I've learned to live with that. I no more worry about Apple's prospects than I do about Porsche's. I expect that Apple management, like Herr Doktor Porsche, is just waking up to the fact that even though they designed the Volkswagen, they can't possibly mass produce them efficiently at a decent enough profit to advance the state of the art, which is really where their hearts have been all along. Sooner or later, Apple will go back to cranking out 917s, to demonstrate the power of the technology, 911s, for a more affordable version of that power, and 928s, for those of us who only want to look the part. ;-). Fortunately, there are lots of companies, like Power Computing, to produce those Volkswagens for those of us who can't afford Porsches, and "Macintosh" won't mean just "Apple" anymore. So, for developers, and for me, a fully-credentialled Mac Bigot and camp-follower, the future for Apple means Cyberdog, because Cyberdog means breaking down large "glops" of information and software "grease" and surfacting them, fractally, into little bitty bits out into the net, where *all machines*, not just dumb Java-terminals, can use them better. It also means developing cryptographically strong internet-level security, so that anyone can talk to any machine from anywhere if they have permission to do so, and *nobody* without permission can either get in or see what those authorized people are doing, with a packet sniffer, or worse, with a key-cracker. It means building into all network applications the ability to do digital commerce. 
That is, the ability to handle digital bearer certificates, like Digicash's ecash, and the ability to handle micropayments, like the MicroMint protocol or its successor technologies. Imagine if your code could send you money in the mail, or if a router did real-time load balancing by changing its micropayment price-per-thru-packet when traffic got too high or too low. The future of the net's going to be a strange place, indeed. Until that happens, I suppose Porsche parts is still a lucrative business, as long as developers keep in mind what business they're really in. Cheers, Bob Hettinga - -------------------------------------------------- The e$ lists are brought to you by: Making Commerce Convenient (tm) - Oki Advanced Products - Marlboro, MA Value-Checker(tm) smart card reader= http://www.oki.com/products/vc.html Where people, networks and money come together: Consult Hyperion http://www.hyperion.co.uk info at hyperion.co.uk See your name here. Be a charter sponsor for e$pam, e$, and Ne$ws! See http://thumper.vmeng.com/pub/rah/ or e-mail rah at shipwright.com for details... - ------------------------------------------------- - --- end forwarded text -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMQO/sPgyLN8bw6ZVAQGuSgP/fkKrI6aTSmPIGOu+LOxRzO5Ptt7QZNxh 48+b7975jIfUMgovphKBWdWtO+jGMCyUWxUVqjVbN8nmwfLT1RZFckOdLK0iM4nD Fgl5+s9yoI0OllHS+oOMcAIyuLIkzazUgtQojm8qBFGSGulW0Keq2dIRNsThGLrk Kk7K3oGMrQs= =71fv -----END PGP SIGNATURE----- ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/ From tcmay at got.net Sun Jan 21 17:02:58 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 22 Jan 1996 09:02:58 +0800 Subject: "Trustworthy" PGP Timestamping Service ?? 
Message-ID: At 6:51 PM 1/21/96, Matthew Richardson wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >I have recently setup a free PGP timestamping service which operates >by email. > >The objective of the service is to be able to produce "trustworthy" >timestamps which cannot be backdated without detection. It achieves >this by:- > >(a) giving every signature a unique sequential serial number; > >(b) every day making a ZIP file of that day's detached signatures >and feeding the ZIP file back for signing (and hence the assignment >of another serial number); ... It sounds like a variant of the Haber and Stornetta work on digital timestamping, about which much has been written on our list (check the archives, and/or sections of my Cyphernomicon). They have a company, Surety, which is doing this (or was, last time I heard). www.surety.com will get you there. My hunch is that your scheme implements a version of a hash (the idea of hashing the doc and then publishing the hash as a "widely witnessed event," in Haber and Stornetta terms) that could infringe on their patents (assuming they applied, as I recall hearing they did). Before you go much further on this, it would behoove you to check on what they are doing and on what patents, if any, you might need to license. --Tim May Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." 
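The scheme discussed in the message above (sequential serial numbers, a daily bundle of signatures fed back for signing, and a published hash as a "widely witnessed event"), sketched as an added example; it is not code from the timestamping service or from Surety. HMAC-SHA256 stands in for the PGP detached signature, and every name, key, date and document below is constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 stands in for the service's PGP detached signature.
SERVICE_KEY = b"constructed-demo-key"


def sign(body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SERVICE_KEY, msg, hashlib.sha256).hexdigest()


def make_entry(serial, day, kind, digest):
    body = {"serial": serial, "day": day, "kind": kind, "sha256": digest}
    return dict(body, sig=sign(body))


def bundle(entries, day):
    """Stand-in for the daily ZIP: that day's document signatures, in serial order."""
    sigs = [e["sig"] for e in entries if e["day"] == day and e["kind"] == "doc"]
    return "\n".join(sigs).encode()


class TimestampLog:
    """Hypothetical model of steps (a) and (b) as quoted in the message."""

    def __init__(self):
        self.entries = []

    def stamp(self, day, data, kind="doc"):
        digest = hashlib.sha256(data).hexdigest()
        entry = make_entry(len(self.entries) + 1, day, kind, digest)
        self.entries.append(entry)
        return entry

    def close_day(self, day):
        """Feed the day's signatures back in; return the digest to publish."""
        return self.stamp(day, bundle(self.entries, day), kind="daily")["sha256"]


def verify(entries, published):
    """Return a list of problems; an empty list means the log is consistent."""
    problems = []
    last_day = ""
    for pos, e in enumerate(entries, start=1):
        body = {k: v for k, v in e.items() if k != "sig"}
        if not hmac.compare_digest(sign(body), e["sig"]):
            problems.append(f"serial {e['serial']}: bad signature")
        if e["serial"] != pos:
            problems.append(f"position {pos}: serial gap or reuse ({e['serial']})")
        if e["day"] < last_day:
            problems.append(f"serial {e['serial']}: dated {e['day']} after {last_day}")
        last_day = max(last_day, e["day"])
        if e["kind"] == "daily":
            recomputed = hashlib.sha256(bundle(entries, e["day"])).hexdigest()
            if recomputed != e["sha256"]:
                problems.append(f"{e['day']}: daily bundle does not match its stamp")
            if published.get(e["day"]) != e["sha256"]:
                problems.append(f"{e['day']}: stamp differs from published digest")
    return problems


def reissue_with_extra(entries, day, digest):
    """Test fixture: a key holder re-signs the whole log with one document added to `day`."""
    forged = []
    for e in entries:
        if e["kind"] == "daily":
            if e["day"] == day:
                forged.append(make_entry(len(forged) + 1, day, "doc", digest))
            daily = hashlib.sha256(bundle(forged, e["day"])).hexdigest()
            forged.append(make_entry(len(forged) + 1, e["day"], "daily", daily))
        else:
            forged.append(make_entry(len(forged) + 1, e["day"], "doc", e["sha256"]))
    return forged


def demo():
    log = TimestampLog()
    published = {}  # copies of each daily digest held outside the service
    log.stamp("1996-01-20", b"contract draft (constructed)")
    log.stamp("1996-01-20", b"lab notebook page (constructed)")
    published["1996-01-20"] = log.close_day("1996-01-20")
    log.stamp("1996-01-21", b"design memo (constructed)")
    published["1996-01-21"] = log.close_day("1996-01-21")

    honest = verify(log.entries, published)
    late = hashlib.sha256(b"backdated claim (constructed)").hexdigest()
    # Case 1: a stamp dated the 20th is appended after the 21st has closed.
    appended = log.entries + [make_entry(len(log.entries) + 1, "1996-01-20", "doc", late)]
    # Case 2: the whole log is re-signed so that it is internally consistent.
    reissued = reissue_with_extra(log.entries, "1996-01-20", late)
    return honest, verify(appended, published), verify(reissued, published)


if __name__ == "__main__":
    for label, result in zip(("honest", "appended", "reissued"), demo()):
        print(label, result)
```

The second case is the one that matters: serial numbers and re-signed bundles alone cannot stop the key holder from re-issuing a self-consistent log, so detection rests on the daily digests that others already hold.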
From smith at sctc.com Mon Jan 22 09:06:32 1996 From: smith at sctc.com (Rick Smith) Date: Mon, 22 Jan 96 09:06:32 PST Subject: NSA vacuuming down Internet traffic Message-ID: <199601221707.LAA12234@shade.sctc.com> alanh at infi.net (Alan Horowitz) asks: >Is there any open source - or otherwise - knowledge or speculation about >which words/phrases the Terra-cycle cpu's are text-searching *for*? If it >were your responsibility to eavesdrop on Iranian terrorists ... >... would you know for sure which words/phrases to key on? It >doesn't sound like a tractable problem to me. There are two parts to this question. First, how do you choose targets? It's been a few years since I read Bamford's book (when *is* the next edition coming out, anyway?) but I seem to remember that there is some sort of "committee" that agrees on what to aim at. It probably contains the usual collection of bureaucrats from military and civilian agencies. Despite the lofty budgets, even the NSA's vacuum cleaner has a hose of limited size. The committee allocates the available resources to prioritized objectives. You can probably predict targets by estimating political priorities and clout of the various agencies, and, of course, by watching CNN. Second, how do you ensure that you capture relevant traffic? I'm sure you start with the obvious -- look at traffic that's definitely relevant and set up filters to find more of it. While it's attractive to want to treat this as a state detection problem (message is/isn't relevant) you really want more of a signal analysis solution (measure likelihood of relevance). Also, a high priority target would probably have its hit behavior evaluated by real humans to ensure that the expected amount of relevant traffic is continuously sucked up. My first job, twenty years ago, involved a prototype speech recognition system under contract for Rome Air Development Center (a traditional cover for TLA research). 
The machine was supposed to go beep whenever a specified word or phrase was heard over the input voice stream. We joked about testing for the term "Russian Spy" but settled on looking for "Kissinger" instead. That let us run tests by listening to news broadcasts of the time. We built custom boards with Schottky TTL and a blazing fast 120ns cycle time. Times change, eh? Rick. smith at sctc.com secure computing corporation From pmarc at fnbc.com Sun Jan 21 17:10:06 1996 From: pmarc at fnbc.com (Paul M. Cardon) Date: Mon, 22 Jan 1996 09:10:06 +0800 Subject: Espionage-enabled Lotus notes. In-Reply-To: <9601181638.AA01736@zorch.w3.org> Message-ID: <199601212208.QAA00308@abernathy.fnbc.com> An individual almost but not quite entirely unlike Richard Martin wrote: > They've forced a major company (they don't come much more major > than IBM) to ship a product which actually helps them in both > aspects of their mandate. Communications interception of foreign > industries' groupware is now easier for the U.S. than for any other > country, while (and this must be granted) the communications > security of American industries will be somewhat improved by this > move. But how does this affect the use of Notes for US companies with foreign offices? If foreign offices are required to use the "export version" (which IS supposedly interoperable with the domestic version), then Notes use between a foreign office and US office will have a 40 bit key as far as the government is concerned. This assumption may be incorrect, but until I know what the effective key size is as seen by the government when the export and domestic versions communicate, I have to assume that the export version will have to dominate the effective key length. In other words, the domestic version will be able to handle and generate keys with the 24 government accessible bits, but naturally, keys generated by the domestic version will not be usable by the export version. 
Are US businesses willing to swallow this when the use is purely internal to the company? Does the national security argument hold up in this situation? This really does so little to improve the security situation that I can see why Mr. Ozzie is not comfortable with this compromise as anything but a short-term solution. I hope his statement is sincere. I'm asking a lot of questions at this point because my own opinions are not fully formed on all of the relevant issues. --- Paul M. Cardon System Officer - Capital Markets Systems First Chicago NBD Corporation (for whom I do not opine) MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e From take at imasy.or.jp Mon Jan 22 09:29:29 1996 From: take at imasy.or.jp (Hayashi_Tsuyoshi) Date: Mon, 22 Jan 96 09:29:29 PST Subject: NYT New Web Site Message-ID: <199601221728.CAA28295@tasogare.imasy.or.jp> Dear Mr. John Young, This is Tsuyoshi Hayashi. At 11:18 AM 96.1.22 -0500, John Young wrote: >NYT reported today that it has set up a new web site: >http://www.nytimes.com Now I am visiting there. It's very worthwhile for me. Thank you very, very much for your info. (^^) >For the Times-addicted, today's WSJ has a page one article on Does WSJ have their own web site, too? - Tsuyoshi Hayashi --- hayashi at scs.sony.co.jp is no longer valid. --- Please update to take at imasy.or.jp From JonathanZ at consensus.com Mon Jan 22 09:40:05 1996 From: JonathanZ at consensus.com (Jonathan Zamick) Date: Mon, 22 Jan 96 09:40:05 PST Subject: An IDEA whose time has come (Notes from the RSA Conference) Message-ID: Well the RSA Security Conference is over, and I finally had time to sleep. Thus, I'll give you all a bit of my impressions. First, there were a heck of a lot more merchants this year. Last year, there were about 400 people. This year it was 1100, with a couple hundred waiting. Thus the conferences were a bit more mixed in level of topic. (As one person put it, the more interesting the title, the more likely it is a blatant plug for a product.) 
On the other hand there were a number of great conferences too. Sadly, I was busy at the Consensus booth and didn't have time for many of them. Last year Clipper was the big issue, but export controls were predicted to be the big issue this year. This year export controls were the big issue, but certificates were predicted to be the big issue next year. Lotus got low marks in everyone's book for setting the precedent of giving the government 24 bits of their key. (As if France is going to be satisfied with that solution.) I didn't meet many Cypherpunks at this conference. Partially it may have been because I was dirt tired after planning the booth in only two weeks, and running it. They had a lot of nice giveaways. I have a metal backed dayrunner which is cute, an etch-a-sketch keychain which is causing rabid jealousy in the office, and a nifty t-shirt with the logo 'A good marketing organization listens to its customers'... then the picture of a woman on the phone w/ two spooks listening in.. finally 'We Hear You... Your NSA'. Needless to say, I like it. Anyway here is the point of the subject from this message. A while back I asked for all your wish lists. One of the big issues was making IDEA available w/ RSAREF. Well, I did even better, you can now license IDEA from Consensus whether you use RSAREF or not. This was the biggest hit at our booth. A number of groups saw a very strong, fast, Swiss block cypher as a nifty thing. Imagine, you can use 128 bits in Europe. Right now I'm trying to convince Ascom to develop a crippled version of IDEA to simply give away if anyone wants it for export. (Like most of the folk here, I don't see a 40 bit key as very valuable, but it is useful for companies which don't have contacts in Europe.) As a little promo, Ascom, the company which developed IDEA, and will be licensing it in Europe, announced a challenge. 
If you can break one ciphered message in the next year, they'll send you on a vacation to the Matterhorn, give you a nice dinner w/ the creators of IDEA, and be really impressed. :) Anyway, I'll be putting more information up on our web pages about IDEA. If anyone wants info on my Etch-A-Sketch keychain, feel free to send me some mail. If you want info on anything else, you can send email for that too. Take care all. Jonathan ------------------------------------------------------------------------ ..Jonathan Zamick Consensus Development Corporation.. .. 1563 Solano Ave, #355.. .. Berkeley, CA 94707-2116.. .. o510/559-1500 f510/559-1505.. ..Mosaic/WWW Home Page: .. .. Consensus Home Page .. From abostick at netcom.com Mon Jan 22 09:59:27 1996 From: abostick at netcom.com (Alan Bostick) Date: Mon, 22 Jan 96 09:59:27 PST Subject: More thoughts about digital postage (was Re: Digital postage and remailer abuse) In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- People asked in earlier in this thread how remailers could issue digital postage stamps without being able to know who is using which stamp issued. One obvious approach is to use blind signatures. Rather than issuing a stamp to the user who requests/purchases it, the user could send an unsigned stamp, encrypted in an RSA envelope, to the remailer. The remailer would then blind-sign the envelope and return it to the user. The user then decrypts the envelope and has a stamp ready for use. At the time of use, the remailer checks the signature. If it is valid, it checks to see if the stamp has been used before. If so, it forwards the message to /dev/null; if not, it records the stamp (or perhaps a hash of the stamp) in its database. How does the remailer know that it is signing a stamp rather than (say) money orders, or a confession of sending kiddy porn over the net? The textbook answer is to use a cut-and-choose protocol -- which requires some subsequent communication with the user. 
But I'm not convinced that this is necessary. If the remailer's postage key is used only for postage and known to be used only for postage, then tricking it into signing something else would have the same significance as "signing" a paper check with the Pitney-Bowes postage meter. I'm assuming that the postage stamp would look something like: - -----BEGIN POSTAGE STAMP----- Kibo's remailer 3FA610092DB3FE12554AE98F66705601 - -----END POSTAGE STAMP----- where the random bits are generated by the user prior to submission to the remailer. (Actually its appearance would be implementation-dependent, of course.) This is all cryptology 101, of course, but hey, it's a start. - -- Alan Bostick | He played the king as if afraid someone else Seeking opportunity to | would play the ace. develop multimedia content. | John Mason Brown, drama critic Finger abostick at netcom.com for more info and PGP public key -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMQPF+uVevBgtmhnpAQEgAQL/aYgGUvvW4jTLSnqxheid006I85sUdk2H l4GxtjW7obMI8rZ0c4kEYsXHnbDyFaREOpSjhSDzeqV2pkogesea0j/xXRqM7UQ3 hG5NBc56Nhr78+hqIOuyo3t6RaRjXi75 =qYXn -----END PGP SIGNATURE----- From owner-cypherpunks at toad.com Sun Jan 21 18:01:41 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Mon, 22 Jan 1996 10:01:41 +0800 Subject: No Subject Message-ID: January 15th Fortune (don't normally read it, but I picked up a free copy) has a lengthy and evidently well-researched article bylined Richard Behar on the efforts of BFI, a large regional trash hauler and recycler, to break into the (by most accounts) Mafia-controlled garbage collection industry in New York City. Cypherpunk relevance: BFI is cooperating closely with the DA in helping to prosecute its allegedly mob-affiliated competitors, which raises a lot of very interesting questions, for which I have yet to formulate any answers. 
Also a sidenote about how NYC's disclosure laws actually aid organized crime by helping the various bosses track who owns what territory. Electronic surveillance. Money laundering. Steganography (sending messages by way of the disembodied head of a dog). Open access to information and free-market capitalism versus violent bozos, with and without uniforms. Pen trumps sword. Rich says check it out. -- Rich Graves Fucking Statist From tcmay at got.net Mon Jan 22 10:23:44 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 22 Jan 96 10:23:44 PST Subject: The Collapse of Ideas in a Pop Culture Message-ID: Someone sent me a note asking about my recent comment that I no longer read "Wired." I replied to him by citing the trendy, busy, information-overloaded, and personality-oriented nature of "Wired"...and its dozen or so direct competitors, mostly GenX rags, plus the several dozen or so tangentially similar magazines that fill shelf after shelf in the Barnes and Noble and Supercrown sorts of superstores. Here's what I said to him: --- And "Wired" is frustratingly repetitive, trendy, over-busy with graphics, sidebars, etc. And the mine of good topics is being mined by several dozen other mags, such as Access, RayGun, Mondo, Details, etc. etc. Many of these are aimed at GenXers, with an explicit focus on personalities rather than ideas. (How many of these mags have had Traci Lords on the cover, for example?) I grew up with "Scientific American" as my standard: long, detailed articles. (And even their articles are getting shorter and more pop-oriented.) --- The Cypherpunks relevance, I think, is that many of the ideas we espouse just cannot easily be covered in a "personality" piece, or in a "freak of the week" (to paraphrase Dave Mandl) photo shoot. Journalists who want "some quick shots" of "Cypherpunks talking about privacy" do a disservice to the deeper ideas. 
To be fair to journalism, I think several journalists--whose names I have mentioned before, but won't here--do a fine job of in-depth reporting. They are the Jules Bergmanns of our modern age. (If you don't know who Jules Bergmann was, you're a GenXer and can't be held responsible for your ignorance :-}.)

There is some hope. When people ask questions about what terms mean, about where to find more information, we don't refer them to articles in "Access" about how former porn queen is really big on PGP, or squibs in "Interview" about how Seattle's java houses are going apeshit over Java....we refer them to "Applied Cryptography," to "The Puzzle Palace," and even to articles on digital cash in "Scientific American."

I wander through the cavernous bookstores that are so common these days, with miles of aisles, and wonder how I ever got educated in an era when a "big" bookstore was a Brentano's that would now fit in just the _magazine_ section of a Borders or Bookstar or Barnes and Noble. (Hmmmmh, attack of the killer Bs?).

The answer is that in-depth study of ideas hasn't changed much. The Tofflerian idea of "overchoice" is solvable by simply ignoring the ephemeral cruft that threatens to engulf us.

--Tim May

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May               | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA   | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From p.ruhnau at jinxed.dinoco.de Mon Jan 22 10:26:06 1996
From: p.ruhnau at jinxed.dinoco.de (p.ruhnau at jinxed.dinoco.de)
Date: Mon, 22 Jan 96 10:26:06 PST
Subject: Hassles taking App. Crypt. to Taiwan?
Message-ID:

On 21 Jan 96, TCMAY at GOT.NET wrote:

> On the Taiwan side, though, they may wonder why you brought an
> expensive
> U.S.-printed copy when you get the special rice-paper edition of "Applied
> Cryptography, 2nd Ed." for the equivalent of $2.25 in Taipei's book stalls.

Can anybody tell me the addresses of Taiwanese mail-order bookstores, please?

MfG, Peter

--
#define putc(c,fp) (--(fp)->_pc<0 ? (*(fp)->_pt)(c,fp) : (*(fp)->_cp++=c))

From wilcoxb at nagina.cs.colorado.edu Mon Jan 22 10:26:35 1996
From: wilcoxb at nagina.cs.colorado.edu (Bryce)
Date: Mon, 22 Jan 96 10:26:35 PST
Subject: DigiCash Ecash - 2 security topics
In-Reply-To: <199601221635.RAA13080@digicash.com>
Message-ID: <199601221826.LAA04610@nagina.cs.colorado.edu>

-----BEGIN PGP SIGNED MESSAGE-----

An entity calling itself "Marcel van der Peijl" is alleged to have written:
> > (I wrote:)
> > E.g. has there been a DigiCash response to Ian Goldberg's
> > publication of a denial-of-service attack which operates by
> > spending a coin with the same serial number as your victim's
> > coin?
> After discussing things with Ian we came up with several solutions.
> One is encrypting more messages (which we will do in a next revision
> of the protocol), the other is enabling ecash to work over ssl
> servers. You may not see the answer directly in the list, but you
> will see it in the next protocol revision.

What kind of performance hit does this new encryption entail? (No additional performance hit if SSL does it, I know.)

Are you considering having different protocols for SSL-protected transactions versus unprotected ones?

Let me repeat something I said a couple of weeks ago: I suspect that the weakest point in DigiCash security is on the end-user's own harddrive. A malicious cracker could write a Trojan horse or even a virus which would steal the user's coins and send them to himself.

Hm.
Now that I think about it, if the user has a back-up copy of those coins then he can reveal their blinding factors to the bank after the theft, thus catching the thief! So the thief program would have to deposit those coins with the bank, make a new withdrawal (ouch!) and then steal the new coins.

I'm not sure that anything can be done by DigiCash or by Ecash-issuing banks to prevent this, but I thought I'd mention it.

(Hm. The program also has to steal the user's password in order to make the withdrawal.. This is getting to be a pretty smart program!)

Regards,

Bryce

"Toys, Tools and Technologies" the Niche
New Signal Consulting -- C++, Java, HTML, Ecash
Bryce

PGP sig follows

From ses at tipper.oit.unc.edu Mon Jan 22 10:36:02 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Mon, 22 Jan 96 10:36:02 PST
Subject: (none)
In-Reply-To: <960122.061235.3y2.rnr.w165w@sendai.cybrspc.mn.org>
Message-ID:

On Mon, 22 Jan 1996, Roy M. Silvernail wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> > Note that RSA normally is used as probabilistic encryption: encrypt the
> > same plaintext twice, and you'll likely get two different ciphertexts.
>
> I think you're confusing PGP's use of random session keys and random
> padding with actual RSA encryption. Using RSA alone on a given
> plaintext will always give you the same ciphertext.

RSA used in a raw mode will always give the same plaintext for the same cyphertext; however most uses of RSA use (or at least should use) PKCS1 random padding - thus the plaintext passed to RSA will be different each time.

Simon

From dm at amsterdam.lcs.mit.edu Mon Jan 22 10:51:25 1996
From: dm at amsterdam.lcs.mit.edu (David Mazieres)
Date: Mon, 22 Jan 96 10:51:25 PST
Subject: Why is blowfish so slow? Other fast algorithms?
In-Reply-To: <199601221601.IAA14610@mailx.best.com>
Message-ID: <199601221851.NAA16938@amsterdam.lcs.mit.edu>

In article <199601221601.IAA14610 at mailx.best.com> "James A. Donald" writes:

> From: "James A. Donald"
> Date: Mon, 22 Jan 1996 19:56:43 -0800
> X-From-Line: jamesd at echeque.com Mon Jan 22 10:59:02 1996
> X-Sender: jamesd at best.com
> X-Mailer: Windows Eudora Version 2.1
> Mime-Version: 1.0
> Content-Type: text/plain; charset="us-ascii"
> Lines: 32
>
> At 02:00 AM 1/22/96 -0500, David Mazieres wrote:
> >Failing that, can anyone suggest other secure, preferably unpatented,
> >shared-key encryption algorithms that could encrypt at ethernet speeds
> >(1 MByte/sec) without using most of the CPU on a fast Pentium or
> >equivalent processor?
>
> RC4 is of course unpatented and faster than anything else.
> Of course the name RC4 is trademarked, so you could simply
> call it "the well known algorithm" in your documentation
> and give the algorithm explicitly.

The problem with RC4 is that it works in OFB only. If I need data integrity in the face of known plaintext, I will need to compute a MAC in parallel with the encryption which could significantly slow things down. With a block cypher in CFB, I can just re-encrypt the last block of data.

That said, OFB has the advantage that I can overlap computation of the RC4 stream with I/O, which might be a win for me. Are there any MACs significantly faster than say ~50 cycles per byte?

Thanks,
David

From perry at piermont.com Mon Jan 22 11:13:09 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Mon, 22 Jan 96 11:13:09 PST
Subject: Netscape + Verifone
Message-ID: <199601221912.OAA07923@jekyll.piermont.com>

My pager delivers me selected miniaturized Reuters news stories.
I just got one that reads:

REDWOOD CITY, CA - Netscape Communications Corp. and Verifone Inc. will devise a system to make electronic payments on the internet more secure.

Anyone know anything about this? I'm away from my normal sources of such things (like Bloomberg terminals)...

.pm

From tedwards at isr.umd.edu Mon Jan 22 11:51:44 1996
From: tedwards at isr.umd.edu (Thomas Grant Edwards)
Date: Mon, 22 Jan 96 11:51:44 PST
Subject: Lotus key breaking?
Message-ID: <199601221950.OAA21605@thrash.src.umd.edu>

Hmmm...how long is the single private key of Lotus Notes? Is it time to warm up the key-cracking net again?

VTW Billwatch #33 said that:

>LOTUS BLINKS IN INDUSTRY/NSA CRYPT STANDOFF
...
>On Wed, Jan. 17th, 1996, Lotus announced that it had increased the key
>length of its International version of the Lotus Notes product to 64
>bits. They did this by building in a back door for the Administration to
>use to decrypt any international traffic that it might desire to read.
>Although there are a lot of reasons why we think this is a terrible idea,
>the first one that springs to mind is the fact that the one public key that
>Lotus has embedded in all their software is a single point of failure
>for every International Lotus user throughout the world.
...
>You can find a copy of the Lotus press releases at
>http://www.lotus.com

From melman at osf.org Mon Jan 22 11:55:40 1996
From: melman at osf.org (Howard Melman)
Date: Mon, 22 Jan 96 11:55:40 PST
Subject: Netscape + Verifone
In-Reply-To: <199601221912.OAA07923@jekyll.piermont.com>
Message-ID: <9601221954.AA11984@absolut.osf.org.osf.org>

On Mon Jan 22, 1996, Perry E. Metzger wrote:

> REDWOOD CITY, CA - Netscape Communications Corp. and Verifone
> Inc. will devise a system to make electronic payments on the internet
> more secure.
>
> Anyone know anything about this?

Reported in today's Wall Street Journal

http://update.wsj.com/update/edit/w-netsca.html

Basically Verifone's credit card processing technology (credit card verification) will be bundled with Netscape's Commerce server.

Netscape also announced that the software will use new encryption technology being developed by MasterCard and Visa. I don't know what this quote means:

That technology would break sensitive information like credit-card data into 1,024 bits of information, instead of the 128 bits used currently, theoretically making it much more difficult to steal.

Howard

From dmandl at panix.com Mon Jan 22 12:15:21 1996
From: dmandl at panix.com (David Mandl)
Date: Mon, 22 Jan 96 12:15:21 PST
Subject: Crypto comedy
Message-ID:

During some free time over the holidays, I finally got around to HTML-izing a bunch of articles I've had published over the years. These are among the most riotously funny things ever written. However, one of these pieces may be of particular interest to cypherpunks, as it revolves around cryptography. Be warned that the piece has no scientific merit whatsoever, and even misuses some archaic crypto terms. I was aware of it at the time, but I knew that 99.9% of people would never notice. (This was six years ago, long before cryptography became hip.)

The piece is called "Ching Chow's Hidden Agenda." (Ching Chow was a comic that used to appear in the New York Daily News.)

That's: http://www.wfmu.org/~davem (choose the "Some things I've written" option).

There's some other interesting stuff on my web pages as well, with equally little scientific merit.

--Dave.

--
Dave Mandl
dmandl at panix.com
http://www.wfmu.org/~davem

From lzirko at isdn.net Mon Jan 22 12:39:54 1996
From: lzirko at isdn.net (Lou Zirko)
Date: Mon, 22 Jan 96 12:39:54 PST
Subject: Ultimate Paranoia
Message-ID: <2.2.32.19960122203914.002e0108@isdn.net>

At 12:10 PM 1/22/96 +0100, Anonymous wrote:
>Fellow Cypherpunks,
>
>I have been lurking around for some time and I have learned a lot, But I have
>a few questions that I either haven't seen posted or I've missed all together.
>
>I keep PGP stored on a removable hard drive and keep it under lock and
>key when it's not in use. I write and encrypt messages on a stand-alone
>computer,
>that I only have access to. My passphrase is rather long and full of gibberish,
>But I still fear the other things that I can not control.
>
>Does anyone make and sell a device that emits white and pink noise?
>
>How do you take the randomness collected from radiation sensors to create
>a truly random sample for creating a PGP key?
>
>Is there anything else that I might be missing besides lining the walls &
>computer
>in tin foil? :^)
>
>Thanks for your help!
>
>-Murphy
>
>--

There is a Windows sound package that will generate brown, pink and white noise. The package is called Cool Edit. The current version is 1.52 and is available from: http://www.netzone.com/syntrillium/

Hope this helps.

Lou Z.

Lou Zirko (615)851-1057
Zystems lzirko at isdn.net
"We're all bozos on this bus" - Nick Danger, Third Eye

From owner-cypherpunks at toad.com Sun Jan 21 20:43:55 1996
From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com)
Date: Mon, 22 Jan 1996 12:43:55 +0800
Subject: No Subject
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

In article <9601200326.AA09366 at toad.com>, Peter Trei wrote:
> > > If they're nasty, they'll check on the receiving side as well, to
> > > ensure that the LEAF and/or the espionage-enabling key have not been
> > > patched in the sending 'International' version.
> >
> > Nearly impossible. Why? Because they can only include the public key,
> > and not the private key, of the GAK authority in the code. You can
> > encrypt the three bytes of key, but it is very hard for a receiver
> > other than the govvies to read them. There is no shared secret
> > information or private information available, ergo, they can't check
> > their LEAF equivalent.
>
> Think it through.

[suggesting that Alice encrypts 24 bits of key under NSA's public key, Bob repeats calculation and checks that the two LEAFS are the same]

> Thus, you can prevent a non-complying copy of Lotus from talking to
> a complying copy of Lotus, which is one of the goals of the GAKers.

No, you're wrong, the process you've described does not work.

Note that RSA normally is used as probabilistic encryption: encrypt the same plaintext twice, and you'll likely get two different ciphertexts. Thus, if RSA is used in the normal probabilistic way, the receiver can't tell whether the sender was compliant.

Now you might suggest that the sender should not include probabilistic padding, and use RSA deterministically, so that (somehow) the receiver can check whether those 24 bits are correct. That again won't work, since a third-party eavesdropper will be able to do a 2^24 brute force calculation to recover those 24 bits.

There are complicated ways to prevent a non-compliant copy of Lotus from inter-operating with a compliant copy (as others on cypherpunks have kindly pointed out), but they are complicated, and would require a re-design of Lotus Notes' encryption module. Since the export version is interoperable with the non-export version, this would seem to require too much foresight and work to be very likely.

In any event, I've heard that the export version of Lotus Notes 4 always sends a LEAF, but the receiver never checks it. So I think a simple binary patch to change the NSA's public key should work.

P.S. So does anyone know how large the NSA's public LEAF key is?

- ---
[This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.]

From ses at tipper.oit.unc.edu Mon Jan 22 12:58:16 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Mon, 22 Jan 96 12:58:16 PST
Subject: Netscape + Verifone
In-Reply-To: <199601221912.OAA07923@jekyll.piermont.com>
Message-ID:

On Mon, 22 Jan 1996, Perry E. Metzger wrote:

>
> REDWOOD CITY, CA - Netscape Communications Corp. and Verifone
> Inc. will devise a system to make electronic payments on the internet
> more secure.
>
> Anyone know anything about this? I'm away from my normal sources of
> such things (like Bloomberg terminals)...

The first I heard of this was when John Young posted the cite this morning. Maybe he can find out which cubicle they're going to be moving me to :-/

The full text of the press release is available at http://www.eit.com/people/announcements/012296.html

From Kevin.L.Prigge-2 at cis.umn.edu Mon Jan 22 13:05:15 1996
From: Kevin.L.Prigge-2 at cis.umn.edu (Kevin L Prigge)
Date: Mon, 22 Jan 96 13:05:15 PST
Subject: The Lotus Position
In-Reply-To: <2.2.32.19960122012052.006d87c0@mail.interlog.com>
Message-ID: <3103fbba05e7002@noc.cis.umn.edu>

Herb Sutter said:
> In answer to a question from the floor, Ozzie did say that yes, the
> agreement reached with the NSA was scalable -- IOW, that you could use
> 128-bit keys and give the government 88 of them, instead of 64-and-give-24
> -- but in retrospect I wonder whether keeping Notes at 64 bits was a
> condition of the NSA deal. I'm not normally a conspiracy theorist, but
> considering that Ray was clearly aware that the 64-bitness was going to
> raise eyebrows and still somehow didn't get around to simply strengthening
> it... well, it makes you wonder.

Not really. I think the government's position has been 64 bits with escrow. I doubt that they'd actually ship a 128 bit version with 88 bits escrowed, as I believe the government has stated in the past that they don't want to give away the store even with escrow.

--
Kevin L. Prigge         |"Have you ever gotten tired of hearing those
UofM Central Computing  | ridiculous AT&T commercials claiming credit
email: klp at tc.umn.edu | for things that don't even exist yet?
010010011101011001100010| You will."
-Emmanuel Goldstein

From shamrock at netcom.com Mon Jan 22 13:17:55 1996
From: shamrock at netcom.com (Lucky Green)
Date: Mon, 22 Jan 96 13:17:55 PST
Subject: More thoughts about digital postage (was Re: Digital postage and remailerabuse)
Message-ID:

At 8:42 1/22/96, Alan Bostick wrote:

>People asked in earlier in this thread how remailers could issue digital
>postage stamps without being able to know who is using which stamp issued.
>
>One obvious approach is to use blind signatures.

Sure. That is the obvious approach. It also is, IMHO, by far the best. One minor problem is that the blind signature technology has been patented by its inventor, David Chaum the owner of DigiCash. You can't just write your own implementation. You also don't need to. Just use DigiCash's Ecash for postage.

There is some work being done on a new MIME based remailer standard that would allow this to happen. At this time, the big problem seems to be keeping the message size constant between hops. See the remailer-operators list for the current discussion.

-- Lucky Green
PGP encrypted mail preferred.

From shamrock at netcom.com Mon Jan 22 13:18:39 1996
From: shamrock at netcom.com (Lucky Green)
Date: Mon, 22 Jan 96 13:18:39 PST
Subject: DigiCash Ecash - 2 security topics
Message-ID:

At 11:26 1/22/96, Bryce wrote:

>What kind of performance hit does this new encryption entail?
>(No additional performance hit if SSL does it, I know.)

Very little.

>Are you considering having different protocols for SSL-protected
>transactions versus unprotected ones?

It isn't just an issue of SSL vs. unprotected. The new Ecash API that DigiCash is jointly designing with developers, will support two basic levels of operation. The first is similar to today's Ecash software. The client handles the transport. The second just generates the messages. Your application is responsible for getting them to where they should go. Presumably securely.

>Let me repeat something I said a couple of weeks ago: I suspect
>that the weakest point in DigiCash security is on the end-user's
>own harddrive. A malicious cracker could write a Trojan horse
>or even a virus which would steal the user's coins and send them
>to himself.

Given the amounts likely to be found on a drive, I doubt it would be worth the effort.

-- Lucky Green
PGP encrypted mail preferred.

From trance at techno.magna.com.au Mon Jan 22 14:21:25 1996
From: trance at techno.magna.com.au (Juzzy)
Date: Mon, 22 Jan 96 14:21:25 PST
Subject: ecash
Message-ID:

Hello,

I'm new to this mailing list and I was wondering if someone could post me some information on ecash, what it is, and its implementation.

Thank You
Justin Walker

From an253362 at anon.penet.fi Mon Jan 22 14:35:31 1996
From: an253362 at anon.penet.fi (Hell's Angel)
Date: Mon, 22 Jan 96 14:35:31 PST
Subject: request mailing list
Message-ID: <9601222229.AA07479@anon.penet.fi>

please include in mailing list

--****ATTENTION****--****ATTENTION****--****ATTENTION****--***ATTENTION***
Your e-mail reply to this message WILL be *automatically* ANONYMIZED.
Please, report inappropriate use to abuse at anon.penet.fi
For information (incl. non-anon reply) write to help at anon.penet.fi
If you have any problems, address them to admin at anon.penet.fi

From grimm at MIT.EDU Mon Jan 22 14:35:57 1996
From: grimm at MIT.EDU (grimm at MIT.EDU)
Date: Mon, 22 Jan 96 14:35:57 PST
Subject: Ultimate Paranoia
In-Reply-To: <199601221110.MAA08368@utopia.hacktic.nl>
Message-ID: <9601222235.AA13397@w20-575-75.MIT.EDU>

For the ultimately paranoid:

Don't forget to keep all sensitive info on your standalone machine on an encrypted filesystem. You never know who might show up with guns and a search warrant. But this is truly paranoid.

-James

******************************
"Even paranoids have enemies."
-Unknown
******************************

From daw at beijing.CS.Berkeley.EDU Mon Jan 22 15:08:34 1996
From: daw at beijing.CS.Berkeley.EDU (David A Wagner)
Date: Mon, 22 Jan 96 15:08:34 PST
Subject: Lan Manager security
Message-ID: <199601222305.SAA11398@bb.hks.net>

-----BEGIN PGP SIGNED MESSAGE-----

In article <9601221620.AA11356 at capybara.transarc.com>, wrote:
[ ... the LanMan / Samba(?) password authentication protocol ... ]
> The password is uppercased and truncated to 14 bytes (or padded to 14
> bytes with nulls). This is split (0..6,7..13) into two DES keys
> which are each used to encrypt a static 8-byte value. The resulting
> 16 byte key is stored at the server.
[...]
> To authenticate a connection, the server issues an 8 byte random challenge.
[...]
> The client then pads the 16-byte key to 21 bytes (with zeros, natch),
> splits it in thirds, {0..6}, {7..13}, {14,15,NUL,NUL,NUL,NUL,NUL},
> uses each third to DES-encrypt the challenge, concatenates the
> ciphertexts, and returns the response to the server.

Oh yeah, this protocol again. I remember looking at it a while ago; many thanks to Andy Brown, who showed it to me and kindly gave me lots of information.

It's pretty crappy, IMHO. It's very weak against dictionary attacks (assuming I have a sniffer).

For instance, if you use a password which is less than 12-14 characters long, it will be very easy to recover bytes 7..13 of your password. After that, it will often be simple enough to extend the password backwards if it is based on a dictionary word; even if the password is purely random, this reduces the strength of the password to an effective length of 7 bytes.

Also, there is no salt used in the password hashing function, so precomputed dictionary attacks are easy (e.g. the "Exabyte attack", where you precompute the hash of each likely password and store each result on a huge tape.)

Unfortunately, I don't have time right now to follow up with a sample exploit program or anything. Sorry 'bout that.

Microsoft should have used a real crypto-quality hash function (e.g. MD5), instead of trying to synthesize one from multiple concatenations of DES.

The technical details on the attacks follow.

Call the bytes of the password P_0 .. P_13, the 16-byte key K_0 .. K_15, and the response R_0 .. R_23; and call the challenge C and the static 8-byte server key S; K is generated by DES encrypting S with P, and R by DES encrypting C with K. I know C,R and want to find P_7 .. P_13.

First, try all possible values of K_14, K_15; the right value can be recognized when C_16 .. C_23 encrypts to R_16 .. R_23 under K_14, K_15, 0, 0, 0, ..

Now that we know K_14, K_15, I can try the likely values of P_7 .. P_13; wrong values can be quickly discarded by trial encrypting S under P_7 .. P_13 and noting whether the last two bytes of the ciphertext equal K_14, K_15.

Each remaining guess for P_7 .. P_13 gives me a candidate for K_8 .. K_13; I can check all K_7 possibilities to see if there's any for which C_8 .. C_15 encrypts to R_8 .. R_15 under the K_7 .. K_13 candidate. If there is such a K_7, the guess for P_7 .. P_13 is almost certainly correct; if not, try another candidate for P_7 .. P_13.

If there are N likely values of P_7 .. P_13, this recovers the true value of P_7 .. P_13 with about N trial encryptions. Note that there is no salt used; in fact, if I'm willing to do N precomputed trial encryptions, recovering the true value of P_7 .. P_13 takes N / 2^16 work.

Once I've found P_7 .. P_13, if I'm willing to do M precomputations [where M is the number of likely values of P_0 .. P_6], then recovering the true value of P_0 .. P_6 can be done with about M / 2^8 trial encryptions. (If I'm not willing to do precomputations, it'll take M trials.)

Did that make any sense?

- ---
[This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.]

From nobody at REPLAY.COM Mon Jan 22 15:30:07 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Mon, 22 Jan 96 15:30:07 PST
Subject: CIA Stashes and Looted Gold?
Message-ID: <199601222329.AAA04627@utopia.hacktic.nl>

U.S. Hid Weapons In Austria

Vienna, Austria, Jan 21 (AP) -- Fearful of a Soviet takeover after World War II, the United States hid at least 79 weapons caches in Austria for anti-communist partisans.

According to the newspaper Kurier, a U.S. congressional committee monitoring CIA activities found documents on the weapons caches that had not been known to the Clinton administration.

A report Saturday in the Boston Globe prompted Hunt to inform the Austrian government, Kurier said.

The Boston Globe report said CIA agents stashed the weapons while the U.S. military conducted loud military maneuvers.

However, Fritz Molden, a former Austrian journalist, said Sunday that the secret weapons depots were established at the initiative of the Austrian government led by Chancellor Leopold Figl, and planning for them began in 1948. He claimed that some depots were also placed in the Soviet occupation zone in eastern Austria.

Molden told the APA he had acted as a liaison between the Americans and the postwar Austrian government. However, it was not clear why the information was not handed down to subsequent governments.

--

Austria demands details on secret US arms depots

Vienna, Austria, Jan. 21 (Reuter) -- Austria's leadership Sunday demanded the United States supply details of 79 secret U.S. arsenals scattered across Austria.

"The Americans should give us a plan indicating where the weapons depots are, how serious they have to be taken and what dangers they pose," Chancellor Franz Vranitzky said.

Speaking on television Sunday, Vranitzky cautiously indicated the possibility of secret stockpiles from the other occupation forces -- France, Britain and the Soviet Union.

"Approaching the other three occupation powers and asking them whether they too still have secret depots on Austrian soil will be dealt with in a very pragmatic and sensible way," Vranitzky said.

The chancellery said the U.S. government was working on an exact list detailing the locations of the depots, and U.S. Ambassador Hunt promised to furnish details as quickly as possible.

The television said experts assume each of the arsenals contained sufficient weapons and explosives for 150 anti-communist guerrillas and could also contain significant amounts of gold.

Austrian television said that while the U.S. foreign ministry had assured Austria it would act as soon as possible, the CIA, which alone knows the exact locations of the arsenals, has remained silent on the issue.

--

Postwar leaders acted with U.S. on arms caches

Vienna, Austria, Jan. 22 (Reuter) - Austria's postwar leaders cooperated with the United States to stockpile arms around the country in a top-secret operation to safeguard against a Soviet attack, an ex-resistance fighter said Monday.

Fritz Molden, who acted as a liaison officer between the resistance and the allied powers, said that if the Kremlin had discovered the plan to organize an anti-communist underground, Soviet troops would have immediately annexed eastern Austria.

"It was all top secret. There were no archives, no papers made, no protocols written," Molden told Reuters.

Molden said he was surprised that Austria's current political leaders were unaware of the arsenals. Details had appeared in two books, one of which he wrote 16 years ago.

Austrian media speculated that the arsenals were part of a wider anti-communist strategy by the United States, which feared Soviet expansionism following the end of World War II.

Newspapers cited the Gladio operation in Italy, set up as a secret Cold War resistance group in the 1950s to fight any Warsaw Pact invasion.

Austrian experts estimated the depots held enough weapons and explosives for 150 anti-communist guerrillas and might also contain gold. They said likely sites included graveyards where digging would have gone unnoticed.

Molden said arms were transported on U.S. trucks and trains into Vienna, which was surrounded by the Soviet eastern zone, and then secretly passed on to Austrians who risked their lives stashing the weapons away.

He suspected most arsenals in western Austria were handed over to the Austrian army and gendarmerie after 1955 and that the arms sites in eastern Austria might now also be empty.

--

From erc at dal1820.computek.net Mon Jan 22 16:26:42 1996
From: erc at dal1820.computek.net (Ed Carp, KHIJOL SysAdmin)
Date: Mon, 22 Jan 96 16:26:42 PST
Subject: The Collapse of Ideas in a Pop Culture
In-Reply-To:
Message-ID: <199601230026.TAA29395@dal1820.computek.net>

> Tim May sez:
> And "Wired" is frustratingly repetitive, trendy, over-busy with graphics,

I stopped buying Wired because I never could find anything but page after page of print that looked like it had been cut out of several different newspapers and magazines and glued to the page, along with gaudy, hard-on-the-eyes graphics. I never got past the graphics to the less-than-stellar articles.

> are the Jules Bergmanns of our modern age. (If you don't know who Jules
> Bergmann was, you're a GenXer and can't be held responsible for your
> ignorance :-}.)

Gee ... someone who knows *real* reporting! I'm suitably impressed, Tim ;)

> them to "Applied Cryptography," to "The Puzzle Palace," and even to
> articles on digital cash in "Scientific American."

The problem is, books aren't getting any cheaper, and to build a decent technical library takes several hundred dollars - not to mention the $200 or $300 a year it takes just to stay current.

> The answer is that in-depth study of ideas hasn't changed much. The
> Tofflerian idea of "overchoice" is solvable by simply ignoring the
> ephemeral cruft that threatens to engulf us.

Read lots of book reviews by people you trust. :) If I looked at every book on the shelf that had the word "Internet" in the title, I'd be in the bookstore from dawn till dusk. There used to be two or three really good books on VB on the shelves - and a couple of ones that I'd classify as "fair". Yesterday, I counted almost 50 different books on VB at Barnes & Noble. It's getting ridiculous. Like someone's claim to fame is they've written a computer book. The market's *way* oversaturated, yet the clueless publishing houses keep cranking 'em out, all in an attempt to get a piece of the pie, I suppose.

Buyer beware is my new motto.

--
Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com
214/993-3935 voicemail/digital pager
800/558-3408 SkyPager
Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi

"Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'"

-- "Losing Your Mind", Karen Alexander and Rick Boyes

From jsw at netscape.com Mon Jan 22 16:32:00 1996
From: jsw at netscape.com (Jeff Weinstein)
Date: Mon, 22 Jan 96 16:32:00 PST
Subject: [Fwd: Re: Netscape + Verifone]
Message-ID: <31042B07.5664@netscape.com>

Howard Melman wrote:
>
> On Mon Jan 22, 1996, Perry E. Metzger wrote:
> > > REDWOOD CITY, CA - Netscape Communications Corp. and Verifone
> > > Inc. will devise a system to make electronic payments on the internet
> > > more secure.
> >
> > Anyone know anything about this?
>
> Reported in today's Wall Street Journal
>
> http://update.wsj.com/update/edit/w-netsca.html
>
> Basically Verifone's credit card processing technology
> (credit card verification) will be bundled with Netscape's
> Commerce server.
>
> Netscape also announced that the software will use new
> encryption technology being developed by MasterCard and
> Visa. I don't know what this quote means:
>
>   That technology would break sensitive information like
>   credit-card data into 1,024 bits of information, instead
>   of the 128 bits used currently, theoretically making it
>   much more difficult to steal.

This is typical "the reporter doesn't understand the difference between
RSA and symmetric cipher key sizes" reporting.

What it really boils down to is that export software can use larger key
sizes for certain application specific encryption. For example if you
limit what is being encrypted to fixed length financial information such
as credit card numbers and amounts you can use keys larger than 40 bits.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw at netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.

Subject: Re: Netscape + Verifone
From: melman at osf.org (Howard Melman)
Date: 22 Jan 1996 12:05:53 -0800
Approved: usenet at netscape.com
Newsgroups: mcom.list.cypherpunks
Organization: Local Mail/News Gateway
References: <199601221912.OAA07923 at jekyll.piermont.com>
Sender: daemon at tera.mcom.com

On Mon Jan 22, 1996, Perry E. Metzger wrote:

> REDWOOD CITY, CA - Netscape Communications Corp. and Verifone
> Inc. will devise a system to make electronic payments on the internet
> more secure.
>
> Anyone know anything about this?

Reported in today's Wall Street Journal

http://update.wsj.com/update/edit/w-netsca.html

Basically Verifone's credit card processing technology
(credit card verification) will be bundled with Netscape's
Commerce server.
Netscape also announced that the software will use new
encryption technology being developed by MasterCard and
Visa. I don't know what this quote means:

  That technology would break sensitive information like
  credit-card data into 1,024 bits of information, instead
  of the 128 bits used currently, theoretically making it
  much more difficult to steal.

Howard

From jf_avon at citenet.net Mon Jan 22 16:44:38 1996
From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada)
Date: Mon, 22 Jan 96 16:44:38 PST
Subject: No Subject
Message-ID: <9601230044.AA21218@cti02.citenet.net>

To: cypherpunks at toad.com
From: jf_avon at citenet.net
date: jan 22 1996

Hi!

I read the word Cypherpunk often in alt.security.pgp and alt.privacy

I had no idea what it is. So I hit Lycos and it led me to various, but
unfortunately unclear articles.

So, here is my question: what is cypherpunk? I suppose, from the
address, that it is some type of mailing list. If yes, could anybody
send me the "how to subscribe" file?

Thanks.

JFA

From jimbell at pacifier.com Mon Jan 22 17:01:56 1996
From: jimbell at pacifier.com (jim bell)
Date: Mon, 22 Jan 96 17:01:56 PST
Subject: NSA vacuuming down Internet traffic
Message-ID:

At 11:07 AM 1/22/96 -0600, Rick Smith wrote:

>My first job, twenty years ago, involved a prototype speech
>recognition system under contract for Rome Air Development Center (a
>traditional cover for TLA research). The machine was supposed to go
>beep whenever a specified word or phrase was heard over the input
>voice stream. We joked about testing for the term "Russian Spy" but
>settled on looking for "Kissinger" instead.
That let us run tests by >listening to news broadcasts of the time. We built custom boards with >Schottky TTL and a blazing fast 120ns cycle time. Times change, eh? > >Rick. >smith at sctc.com secure computing corporation Don't tell me, let me guess: 20 years ago, if you had told anyone about this project, you would have had to kill them. Now, 20 years later, after a few levels of re-classifications and de-classifications, all you have to do is to sneer in our general direction. From alanh at infi.net Mon Jan 22 17:18:14 1996 From: alanh at infi.net (Alan Horowitz) Date: Mon, 22 Jan 96 17:18:14 PST Subject: CIA Stashes and Looted Gold? In-Reply-To: <199601222329.AAA04627@utopia.hacktic.nl> Message-ID: The weapons and the gold are property of US taxpayers. We should not give anything to the Austrians. If they are too stupid to quietly maintain an emplaced civil-defense network, let them not come crying to CNN when it's their turn to be Chechnya'd. The russkies have more balls than the US Congress. I bet Ivan won't be meekly handing over anything to this Vranitsky fellow. Alan Horowitz alanh at norfolk.infi.net From perry at piermont.com Mon Jan 22 17:42:08 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 22 Jan 96 17:42:08 PST Subject: CIA Stashes and Looted Gold? In-Reply-To: Message-ID: <199601230141.UAA08506@jekyll.piermont.com> Could someone please explain why guns in the hills in Austria is Cypherpunks material? .pm Alan Horowitz writes: > The weapons and the gold are property of US taxpayers. We should not give > anything to the Austrians. If they are too stupid to quietly maintain an > emplaced civil-defense network, let them not come crying to CNN when it's > their turn to be Chechnya'd. > > The russkies have more balls than the US Congress. I bet Ivan won't be > meekly handing over anything to this Vranitsky fellow. 
> > Alan Horowitz > alanh at norfolk.infi.net > > From nelson at santafe.edu Mon Jan 22 18:00:11 1996 From: nelson at santafe.edu (Nelson Minar) Date: Mon, 22 Jan 96 18:00:11 PST Subject: IPSEC == end of firewalls (was Re: (fwd) e$: PBS NewsHour, Path Dependency, IPSEC, Cyberdog, and the Melting of Mr.) In-Reply-To: Message-ID: <199601230159.SAA00256@nelson.santafe.edu> rah at shipwright.com (Robert Hettinga) writes: [interesting article about the future, which includes..] >The reason we won't need LANs is because the only real difference between a >LAN and the internet is a firewall for security, and the need for clients >to speak Novell's TCP/IP-incompatible proprietary network protocol. With >internet-level encryption protocols like the IETF IPSEC standard, you won't >even need a firewall anymore. The only people who can establish a server >session with *any* machine connected to the net will be those issuing the >digital signatures authorized to access that machine, no matter where those >people are physically. When that happens, networks will need to be as >public as possible, which means, of course, TCP/IP, and not Netware. I'm all for the end of ridiculous non-TCP/IP protocols, but does anyone believe this point about encrypted IP traffic eliminating the need for firewalls? I guess I don't trust the ability for people to keep secrets secret. Nothing like refusing to pass packets at all.. From perry at piermont.com Mon Jan 22 18:08:06 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 22 Jan 96 18:08:06 PST Subject: IPSEC == end of firewalls (was Re: (fwd) e$: PBS NewsHour, Path Dependency, IPSEC, Cyberdog, and the Melting of Mr.) In-Reply-To: <199601230159.SAA00256@nelson.santafe.edu> Message-ID: <199601230207.VAA08601@jekyll.piermont.com> Nelson Minar writes: > I'm all for the end of ridiculous non-TCP/IP protocols, but does > anyone believe this point about encrypted IP traffic eliminating the > need for firewalls? 
There is division in the IETF community on this point.

Phil Karn (who I have the greatest respect for) thinks IPSEC means we
can get rid of the firewalls. I, for one, don't -- they are there
largely because people don't trust that their networking software is
free of security holes, and cryptography doesn't fix security holes
for the most part.

Perry

From cpunk at remail.ecafe.org Mon Jan 22 18:22:03 1996
From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer)
Date: Mon, 22 Jan 96 18:22:03 PST
Subject: RC4 for HP48
Message-ID: <199601230223.CAA11426@pangaea.hypereality.co.uk>

Here is the RC4 cipher for the HP-48 calculator. It complements the
DES implementation by William E. Sommerfeld. RC4 has a higher
throughput than DES, but its key setup is slower. The key may be up to
256 characters (2048 bits) -- the maximum supported by the RC4
algorithm.

Here are sample timings for a HP-48GX. The SX will be correspondingly
slower.

    Key Setup (200 bits)    25.18 sec
    RC4 throughput           5.06 cps
    String to Array         61.83 cps
    Array to String         56.12 cps

The HP-48 comes with a 2400 baud IR link and a 1200/2400/9600 baud
RS232 port. The 48S, 48SX and 48G have 32Kb of RAM, almost none of
which is used by the operating system. The 48GX has 128Kb of RAM.

With an entry price of ~100$ US, I feel that the HP-48 series would be
a good choice for a smart token. Possible uses are as digital cash
wallets and authentication tokens, not to mention simple encrypted
dumb terminals.

Installation:

If you have a serial cable, download the code below to your HP and
call it 'RC4'. This will create a directory called 'RC4' with four
programs in it.

If you don't have a cable you can type the whole thing in; it's not
too large. Store it as 'RC4' and again it will create a directory.
Remember not to type the "%%HP: T(3)A(D)F(.);" -- it's only needed for
a serial download.

Instructions:

These instructions assume that you are familiar with stream-ciphers in
general. If you are not, you might want to get _Applied Cryptography_
by Bruce Schneier from your library or book store.

Bit streams are represented as one dimensional arrays of real numbers
between 0 and 255. Yes, that's right, this cipher uses floating-point!
In User-RPL it's the fastest way. To convert between strings and
arrays use the commands S2A and A2S.

    S2A   "String" -> [Array]
    A2S   [Array]  -> "String"

To setup a key, use the SK command. It takes a bitstream representing
the keytext and returns the key context. The keytext can be up to 256
bytes long. Additional bytes will not be used. The key context is
another bitstream with 256 values in it. Because of time/memory
tradeoffs, a key context takes 2082 bytes of RAM to store. If memory
is tight, use A2S to compress the key context to a string.

    SK    [Key text] -> [Key context]

To encrypt something use the RC4 command. The first argument is the
key context, the second is the plaintext or ciphertext, both in
bitstream form. It returns the updated key context and the ciphertext
or plaintext.

    RC4   [Key context], [Plaintext]  -> [New key context], [Ciphertext]
or
    RC4   [Key context], [Ciphertext] -> [New key context], [Plaintext]

Enjoy

The Cunning Artificers

- -- CUT HERE --
%%HP: T(3)A(D)F(.);
DIR
  SK
    \<< DTAG OBJ\-> OBJ\-> DROP 0 255 FOR N N NEXT 259 258 PICK + 0
      259 4 FOR N OVER PICK N PICK + + 256 MOD DUP 255 - NEG N 4 -
      DUP2 IF \=/ THEN DUP2 IF > THEN SWAP END DUP2 6 + ROLL SWAP 6 +
      ROLL SWAP 4 ROLL 5 + ROLLD SWAP 3 + ROLLD ELSE DROP2 END SWAP
      1 - DUP IF 260 < THEN DROP 258 PICK 259 + END SWAP -1 STEP
      DROP2 0 0 258 \->ARRY OVER 2 + ROLLD DROPN "Key" \->TAG
    \>>
  RC4
    \<< DTAG DUP SIZE OBJ\-> DROP 3 PICK 258 GET 4 PICK 257 GET 1 + 1
      4 ROLL FOR N 256 MOD 1 + DUP 5 PICK SWAP GET 3 ROLL + 256 MOD
      1 + DUP 5 ROLL SWAP 4 PICK CSWP DUP DUP 5 PICK GET OVER 5 PICK
      GET + 256 MOD 1 + GET 5 ROLL DUP N GET R\->B 3 ROLL R\->B XOR
      B\->R N SWAP PUT 4 ROLL 4 ROLL 1 - SWAP NEXT 4 ROLL 257 3 ROLL
      1 - PUT 258 3 ROLL PUT "Updated key" \->TAG SWAP "Result" \->TAG
    \>>
  S2A
    \<< DUP SIZE \<< \-> LEN \<< 1 LEN START DUP NUM SWAP TAIL NEXT
      DROP LEN \>> \>> EVAL 1 \->LIST \->ARRY
    \>>
  A2S
    \<< DTAG OBJ\-> OBJ\-> DROP "" SWAP 1 SWAP START SWAP CHR SWAP +
      NEXT
    \>>
END
- -- CUT HERE --

From edgar at Garg.Campbell.CA.US Mon Jan 22 18:32:06 1996
From: edgar at Garg.Campbell.CA.US (Edgar Swank)
Date: Mon, 22 Jan 96 18:32:06 PST
Subject: IBM knuckles under
Message-ID:

IBM TO PROVIDE GOVERNMENT
WITH ENCRYPTION KEY FOR NOTES IBM has agreed to provide the U.S. government with a special key that would enable government agents to more easily decode electronic messages, in exchange for permission to export a version of Lotus Notes that includes 64-bit security. The arrangement provides government officials with a key to the first 24 bits of security code, meaning that they only have to crack the remaining 40 bits to decrypt a message. U.S. Notes customers already use a 64-bit system. "We were desperate enough to try to negotiate a short-term, pragmatic solution," says Notes developer Ray Ozzie. "But we do not believe this is the right long-term solution... Our customers have been telling us that, unless we did something about the security, we could no longer call it a secure system." (Wall Street Journal 18 Jan 96 B7) -- edgar at Garg.Campbell.CA.US (Edgar Swank) The Land of Garg BBS -- +1 408 378-5108 From adam at homeport.org Mon Jan 22 18:34:01 1996 From: adam at homeport.org (Adam Shostack) Date: Mon, 22 Jan 96 18:34:01 PST Subject: IPSEC == end of firewalls (was Re: (fwd) e$: PBS NewsHour, Path Dependency, IPSEC, Cyberdog, and the Melting of Mr.) In-Reply-To: <199601230159.SAA00256@nelson.santafe.edu> Message-ID: <199601230238.VAA00706@homeport.org> IPsec will not change the role of firewalls. It will change some technical details about them. Firewalls do a couple of things: Enforce a policy boundary between us & them. Reduce the number of systems to be 'well secured' (This is because really securing a machine is tough, and often involves sacrifices of useability.) Provide job security/ass covering (see also, satisfy auditors.) The fact that some traffic passing through is encrypted will not change any of this. Only allowing traffic to people who provide a signature is only useful for some things. Besides, there will always be shitty protocols, like NFS, yp, SMTP, etc that need a firewall to protect them. Legacy systems are with us forever. 
(I was in a meeting last Thursday where we discussed how to handle a
Sun3 that needs to be a router in a CIDR environment. No option to
upgrade this box for complex reasons. I bring it up to illustrate the
persistence of legacy systems.)

Nelson Minar wrote:

| rah at shipwright.com (Robert Hettinga) writes:
| [interesting article about the future, which includes..]
|
| >The reason we won't need LANs is because the only real difference between a
| >LAN and the internet is a firewall for security, and the need for clients
| >to speak Novell's TCP/IP-incompatible proprietary network protocol. With
| >internet-level encryption protocols like the IETF IPSEC standard, you won't
| >even need a firewall anymore. The only people who can establish a server
| >session with *any* machine connected to the net will be those issuing the
| >digital signatures authorized to access that machine, no matter where those
| >people are physically. When that happens, networks will need to be as
| >public as possible, which means, of course, TCP/IP, and not Netware.
|
| I'm all for the end of ridiculous non-TCP/IP protocols, but does
| anyone believe this point about encrypted IP traffic eliminating the
| need for firewalls?

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume

From wlkngowl at unix.asb.com Mon Jan 22 19:11:22 1996
From: wlkngowl at unix.asb.com (Mutatis Mutantdis)
Date: Mon, 22 Jan 96 19:11:22 PST
Subject: NOISE.SYS Stupid Bugs w/Int13h
Message-ID: <199601230207.SAA05626@comsec.com>

There's an unpleasant bug in NOISE.SYS, BTW. It doesn't properly
return the flags from the Int 13h handler, so disable that for now
unless you'd like to do funky things to your disks.

Sorry 'bout that.

Rob.
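
Added example, not part of any message in this archive: the SK / RC4 interface from the "RC4 for HP48" post above, written in Python so the resumable key context can be checked against published RC4 test vectors. The (S, i, j) context layout and the reuse_leak helper are assumptions of this example; reuse_leak shows why the RC4 command hands back an updated key context rather than letting callers restart from the old one.

```python
"""RC4 with an explicit, resumable key context (added example).

Mirrors the interface the post describes: S2A/A2S convert between strings
and arrays of values 0..255, SK builds a key context from the key text,
and RC4 returns the updated context together with its output.
"""


def s2a(text):
    """String -> array of byte values 0..255 (the post's S2A)."""
    return list(text.encode("latin-1"))


def a2s(values):
    """Array of byte values -> string (the post's A2S)."""
    return bytes(values).decode("latin-1")


def sk(key_text):
    """Key setup. Only the first 256 key bytes are used, as the post says.

    Assumption: the context is modelled as the tuple (S, i, j). The posted
    RPL appears to keep the two indices in slots 257 and 258 of one array.
    """
    key = list(key_text)[:256]
    if not key:
        raise ValueError("empty key")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return (tuple(s), 0, 0)


def rc4(context, data):
    """Encrypt or decrypt `data`; returns (new_context, output).

    The input context is left untouched, so a caller that ignores the
    returned context and reuses the old one repeats the keystream.
    """
    s, i, j = list(context[0]), context[1], context[2]
    out = []
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return (tuple(s), i, j), out


def xor(a, b):
    """Bytewise XOR of two arrays, truncated to the shorter one."""
    return [x ^ y for x, y in zip(a, b)]


def reuse_leak(key_text, plain1, plain2):
    """What an eavesdropper learns if two messages start from one context.

    Both ciphertexts are produced from the same starting context, so the
    keystream cancels: c1 XOR c2 equals p1 XOR p2, with no key needed.
    """
    ctx = sk(key_text)
    _, c1 = rc4(ctx, plain1)
    _, c2 = rc4(ctx, plain2)  # mistake: should continue from the new context
    return xor(c1, c2)


if __name__ == "__main__":
    ctx = sk(s2a("Key"))
    ctx, ct = rc4(ctx, s2a("Plaintext"))
    print(bytes(ct).hex())
```

Carrying the returned context forward between calls is what keeps successive messages under one key on different stretches of keystream.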
From jimbell at pacifier.com Mon Jan 22 19:43:10 1996
From: jimbell at pacifier.com (jim bell)
Date: Mon, 22 Jan 96 19:43:10 PST
Subject: Ultimate Paranoia
Message-ID:

At 12:10 PM 1/22/96 +0100, Anonymous wrote:
>Fellow Cypherpunks,
>
>I have been lurking around for some time and I have learned a lot, But I have
>a few questions that I either haven't seen posted or I've missed altogether.
>
>I keep PGP stored on a removable hard drive and keep it under lock and
>key when it's not in use. I write and encrypt messages on a stand-alone
>computer, that I only have access to. My passphrase is rather long and
>full of gibberish, But I still fear the other things that I can not control.

Gives you a headache, doesn't it? Welcome to the club!

>
>Does anyone make and sell a device that emits white and pink noise?

Reverse-biased zener diodes produce bandwidth-limited white noise. Pink
noise is (I think) white noise filtered 3db per octave with a lowpass
filter.

>
>How do you take the randomness collected from radiation sensors to create
>a truly random sample for creating a PGP key?

Dunno. I'm not a programmer.

>Is there anything else that I might be missing besides lining the walls &
>computer in tin foil? :^)

The best defense is a good offense.

Klaatu Burada Nikto. (Remember this... It'll become important...soon.)

From die at pig.die.com Mon Jan 22 19:59:31 1996
From: die at pig.die.com (Dave Emery)
Date: Mon, 22 Jan 96 19:59:31 PST
Subject: IPSEC == end of firewalls (was Re: (fwd) e$: PBS NewsHour, Path Dependency, IPSEC, Cyberdog, and the Melting of Mr.)
In-Reply-To: <199601230207.VAA08601@jekyll.piermont.com>
Message-ID: <9601230342.AA04490@pig.die.com>

Perry writes...
>
> can get rid of the firewalls. I, for one, don't -- they are there
> largely because people don't trust that their networking software is
> free of security holes, and cryptography doesn't fix security holes
> for the most part.

Perhaps I'm naive, but I've always understood that one of the primary
functions firewalls accomplish is insulating from most easy attacks
large numbers of random machines in an organization that may not be all
perfectly administered, 100% under control of competent security-wise
users, and configured correctly for maximum security with all the
latest rev's of stuff.

Seems unclear that IP level security and authentication will totally
eliminate the problems caused by buggy software and clueless or
careless users, or overloaded security staffs who don't have time to
update everybody and check everything immediately on networks with
thousands of machines. Having one or two machines to keep secure
instead of thousands seems like a big win.

Dave Emery

From nobody at c2.org Mon Jan 22 20:23:15 1996
From: nobody at c2.org (Anonymous User)
Date: Mon, 22 Jan 96 20:23:15 PST
Subject: PZ a Nazi?
Message-ID: <199601230400.UAA29972@infinity.c2.org>

Original dated: Jan 21 '96, 09:26

The UK's Sunday Telegraph has today featured an article by Robin Gedye
entitled "Neo-Nazis are marching on the Internet" in which apart from
the usual nonsense about neo-Nazis being about to take over the world
by means of their "Thule Net" accuses the deviser of PGP of being a
Nazi sympathiser:

"Private communications between neo-Nazis on the network are effected
under a program called "Pretty Good Privacy", devised by an American
neo-Nazi sympathiser."
Robin Gedye (in Bonn) p.23 of "The Sunday Telegraph" January 21, 1996

From rsalz at osf.org Mon Jan 22 20:35:21 1996
From: rsalz at osf.org (Rich Salz)
Date: Mon, 22 Jan 96 20:35:21 PST
Subject: Random noise from disk drives
Message-ID: <9601230431.AA06742@sulphur.osf.org>

Don Davis has done some interesting/important/widely-referenced work
on using disk latencies as a random number source. We were talking
about some of his techniques, and he kindly gave me permission to
forward along his email. He's not on the list, so I cc'd him.
	/r$

--------------------forwarded message-----------------

well, if you're willing to accept a temporary peak load on your
machine, then a paging rng is easy to write. the basic idea that
worked is:

   * allocate a little more memory than is available in ram;
   * walk through it in steps of a prime # near 4kb or 5kb;
   * time each access with whatever system clock is easiest;
   * throw away accesses that take less than 5 millisec or so;
   * keep only the parity of each access that remains.

naturally, on the first passes through the array, you'll get mostly
fast accesses; thereafter, most accesses will cause page-faults.
mostly a page-fault's access-time reflects where the page was on the
disk, where the head and spindle were before the page-fault, etc.
that's why you keep only the parity. however, you're not going to get
a bit of entropy from every access, by any means.

the reason for a prime-valued step is that you want to be sure of
visiting every page, but you don't want to have to know the page-size.
(i haven't checked this trick yet; i used 2kb or 4kb steps, if i
remember correctly).

the reason for the 5 msec cutoff is that it's rare for a disk access
to happen so fast, and you want to screen out other causes of
non-immediate memory accesses. you'll only get a real access that
fast, if at the moment of the page-fault, the head's already in the
right track, and if the block you want is less than a third of a rev
away from the head.

i used a byte-indexed table to get the parity quickly. you don't
really need to bother packing the parity bits into bytes; store the
1's and 0's as chars into the md5 buffer, & hash it; then, put the
hash itself into the buffer, xor more 1's & 0's back in on top,
rehash, etc. running md5 8 times as often as necessary doesn't matter.

note that this algorithm should defeat caching disk controllers, but i
haven't checked for sure. if it doesn't, the symptom will be long
stretches of fast access-times.

any fancy stuff you put in, like feeding noise-bits back into your
path through the array, is a bad idea; first, it really only adds
pseudo-randomness; second, it's liable to reduce the frequency of
page-faults. though i knew it was a bad idea, i tried it anyway, lots
of ways, and that's what i found. simple is best. really, the only
complicated code should be outside the rng: reallocating when memory
availability changes, minimizing the ui, stuff like that.

it is worthwhile to run find, or some other filesys-traversing
program, while you're running the paging-rng. the benefit is not from
the changed paging-times, but from the extra head-motion, which
perturbs the spindle speed.

if you choose to measure the rng's quality, study the raw parity-bits,
not the hashed output. the hashes would look perfectly random, even if
the parity bits were periodic. look for periodicity (fft), long-term
autocorrelation, and measure the entropy with an entropy estimator.
don't bother with runs tests and the others; the hashing will produce
nice output bits, even if the parity inputs are periodic or are highly
correlated in the long-run. but if they're not periodic and
uncorrelated, the output bits will be random, instead of
pseudo-random.

on the only machine i studied closely, i got 100 bits/min, with a
1 khz interrupt-clock; if your interrupt schedule is more frequent,
then you can expect proportionally more entropy.

remember that even for long rsa keys, you only need enough entropy to
prevent exhaustive key-search. use 100 bits or so to seed the prng,
then use the prng to generate a prime. reseed for each prime, and as
often as you can for symmetric session-keys. i don't trust
pseudo-random key-generation (it's no surprise that i don't, i
suppose).

please let me know if anything comes of this, like if someone builds
it properly before i get around to it. i suppose i ought to build it,
test it, and write a paper about how much fun it was, but i have too
much work, and too many papers to write.

				-don davis, boston

-----------------egassem dedrawrof--------------------

From teg at one.net Mon Jan 22 20:39:26 1996
From: teg at one.net (teg)
Date: Mon, 22 Jan 96 20:39:26 PST
Subject: FORSALE: HP48GX
Message-ID: <199601230436.XAA12758@bb.hks.net>

Given the usefulness of an HP calculator as a secure point of
encryption, someone might be interested in my old calculator. I
haven't used it since I graduated, except for balancing my old
business books, way overkill. I'd love to give it a good home.

HP 48 GX Calculator
   The most powerful calculator in the world
   Currently loaded with many Applied Math and Engineering programs
   written by myself (yours free with the calculator ;-)
   About 2 years old, excellent condition
   $125, negotiable

HP IR Calculator Printer
   Infrared printer for the HP line of calculators
   Very light, battery operated
   About 2 years old, excellent condition
   $75, negotiable

Please contact me if you are interested. My apologies if you consider
this post self-interest and off topic.

- ---
[This message has been signed by an auto-signing service. A valid
signature means only that it has been received at the address
corresponding to the signature and forwarded.]

From rsalz at osf.org Mon Jan 22 20:49:32 1996
From: rsalz at osf.org (Rich Salz)
Date: Mon, 22 Jan 96 20:49:32 PST
Subject: Random noise from disk drives
Message-ID: <9601230445.AA06760@sulphur.osf.org>

**I blew it.** Don's address is don at cam.ov.com. Sorry.

From tallpaul at pipeline.com Mon Jan 22 21:03:19 1996
From: tallpaul at pipeline.com (tallpaul)
Date: Mon, 22 Jan 96 21:03:19 PST
Subject: Query over PZ
Message-ID: <199601230500.AAA20166@pipe4.nyc.pipeline.com>

Anonymous User had a question over PZ's politics.

PZ has posted to the list and thus has, I believe, his address
available to list subscribers.

How did PZ answer the question privately when Anonymous User posed the
question to PZ on private e-mail?

If Anonymous User did not first pose the question to PZ privately, why
did he post it to the list publicly?

-- tallpaul

PS: I'm likely to have some followup on these questions, but wanted to
pose them to AU first.

From pete at loshin.com Mon Jan 22 21:23:30 1996
From: pete at loshin.com (Pete Loshin)
Date: Mon, 22 Jan 96 21:23:30 PST
Subject: FW: Veriphone and Netscape Team to Provide Internet Payment Solutions
Message-ID: <01BAE929.12D6ADE0@ploshin.tiac.net>

Here's the Netscape press release on their Verifone collaboration;
note that they explain nothing about 128 bits or 1024 bits--but
Netscape now appears to claim to be the sole developers of SEPP.

It looks like Verifone will be building their approval/verification
mechanism into a Netscape product, and selling it themselves.

I've removed contact info and the source at Netscape (in their PR
dept), just to avoid unnecessarily nettling anyone.
Presumably Netscape shouldn't be able to complain about it getting passed around since it will likely be the basis of reports in various trade/news rags by next week anyway. Enjoy. -Pete Loshin pete at loshin.com ---------- COPITHORNE & BELLOWS (for VeriFone) [contact info deleted] VERIFONE, INC. [contact info deleted] NETSCAPE [contact info deleted] VeriFone and Netscape Team To Provide Internet Payment Solutions Worldwide Leaders To Accelerate Commerce on the Internet REDWOOD CITY, Calif. - January 22, 1996 - VeriFone, Inc. (NYSE: VFI), and Netscape Communications Corporation (NASDAQ: NSCP) today announced an agreement to create comprehensive Internet payment solutions, enabling merchants, banks, credit card companies and consumers to expand the use of the Internet for electronic commerce. The agreement between VeriFone, the world leader in retail electronic payment systems, and Netscape, the premier provider of open software for linking people and information over enterprise networks and the Internet, is designed to accelerate acceptance of the Internet as a mainstream vehicle for commerce. Under terms of the agreement, the two companies will join forces to address the transaction processing needs of both financial institutions and merchants. For financial institutions, Netscape's gateway software and VeriFone's payment technology will be combined to create a seamless interface between the Internet and existing financial networks. VeriFone will also provide customization, installation and support services for these customers. To serve merchants, VeriFone will resell Netscape's server and commerce products bundled with VeriFone payment functionality to deliver complete software solutions for merchants who want to broaden their reach by establishing a commercial presence on the Internet. VeriFone will provide merchants with these solutions through its existing customers and channels. 
Netscape and VeriFone create a combination that is uniquely qualified to fulfill the promise of global electronic commerce. VeriFone's point-of-sale systems for online payment processing and credit card verification are among standards recognized by thousands of banks, credit card and debit card processors, and millions of merchants and consumers throughout the world. VeriFone's solutions today address the technology standards, payment methods and government regulations of over 90 countries around the world, enabling the two companies to accelerate their goal of deploying Internet payment systems worldwide. "Netscape's agreement with VeriFone will bring a comprehensive Internet payment solution to merchants, banks, credit card companies and consumers which will continue to fuel electronic commerce worldwide," said James Barksdale, chief executive officer at Netscape. "By combining VeriFone's electronic payment technology with Netscape's complete line of server and commerce software products, financial institutions and merchants can implement a complete payment solution." Creating Comprehensive Payment Solutions The new solutions will be designed to be compatible with current and future credit card payment protocols, including Secure Electronic Payment Protocol (SEPP), developed by Netscape. The two companies are working with leading card associations and processors to include additional protocols, supporting future payments instruments such as micropayments and debit transactions. "To truly enable Internet commerce, banks, credit card companies, merchants and consumers need a trusted interoperable system as accessible and secure as current payment systems," said Hatim A. Tyabji, chairman, president and chief executive officer of VeriFone. "Consumers need to know they can safely pay for something electronically, merchants need to know they can safely accept it, and banks and other financial organizations need to be able to process it. 
Our goal is to give merchants the same 'plug and play' payment access on the Internet that they have come to expect in their retail stores." VeriFone expects the integrated Netscape/VeriFone Internet gateway systems for financial institutions and the merchant systems to become available in the second to third quarters of 1996 from VeriFone, with increasing payment protocols and enhancements becoming available throughout the year. Company Backgrounds Netscape Communications Corporation (http://www.netscape.com) is a premier provider of open software for linking people and information over enterprise networks and the Internet. The company offers a full line of Netscape Navigator clients, servers, development tools, and Netscape Internet Applications to create a complete platform for next-generation, live online applications. Traded on NASDAQ under the symbol "NSCP," Netscape Communications Corporation is based in Mountain View, California. VeriFone, Inc. (http://www.verifone.com) is a leading global provider of Transaction Automation and Internet commerce solutions used to deliver electronic payment services to financial institutions, retail merchants and consumers, as well as government agencies, healthcare providers and benefits recipients. The company's more than 30 facilities -- including regional offices, development centers, and manufacturing and distribution centers -- are located throughout North and South America, Europe, Asia, Africa and Australia. To date, VeriFone has shipped more than 4.8 million Transaction Automation systems, which have been installed in over 90 countries. The company's 1994 net revenues totaled $309.1 million. In 1995, VeriFone acquired Enterprise Integration Technologies (http://www.eit.com) -- a leading provider of software and consulting services for electronic commerce on the Internet. (30) VeriFone is a registered trademark of VeriFone, Inc. All other brand names and trademarks are the property of their respective owners. 
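
Added example, not part of any message in this archive: the post-processing half of the paging RNG in Don Davis's forwarded message above ("Random noise from disk drives"), with the raw-bit checks he recommends running before trusting the hashed output. It does not walk memory itself; it takes access times in microseconds, and the PERIODIC sample, the 0.25 correlation limit and the function names are constructed assumptions of this example.

```python
"""Post-processing for a paging-latency RNG (added example)."""
import hashlib
import math

CUTOFF_US = 5000                 # the post's "5 millisec or so" cutoff
PERIODIC = [6000, 7001] * 64     # constructed timings: a strictly periodic disk


def raw_bits(timings_us):
    """Drop fast accesses, keep one parity bit per remaining access time."""
    return [bin(t).count("1") & 1 for t in timings_us if t >= CUTOFF_US]


def shannon_entropy(bits):
    """Entropy per bit judged from the 0/1 frequencies alone."""
    h = 0.0
    for count in (bits.count(0), bits.count(1)):
        if count:
            p = count / len(bits)
            h -= p * math.log2(p)
    return h


def conditional_entropy(bits):
    """Entropy of a bit given the bit before it, H(X[n] | X[n-1])."""
    pairs = {}
    for prev, cur in zip(bits, bits[1:]):
        pairs[(prev, cur)] = pairs.get((prev, cur), 0) + 1
    total = sum(pairs.values())
    h = 0.0
    for prev in (0, 1):
        row = pairs.get((prev, 0), 0) + pairs.get((prev, 1), 0)
        for cur in (0, 1):
            n = pairs.get((prev, cur), 0)
            if n:
                h -= (row / total) * (n / row) * math.log2(n / row)
    return h


def autocorrelation(bits, lag):
    """Mean product of the +/-1 sequence with itself shifted by `lag`."""
    signed = [2 * b - 1 for b in bits]
    n = len(signed) - lag
    return sum(signed[i] * signed[i + lag] for i in range(n)) / n


def worst_autocorrelation(bits, max_lag=16):
    """(lag, value) of the largest-magnitude correlation for lags 1..max_lag."""
    scan = ((lag, autocorrelation(bits, lag)) for lag in range(1, max_lag + 1))
    return max(scan, key=lambda item: abs(item[1]))


def mix(bits, digest=bytes(16)):
    """Fold bits into an MD5 pool as the post sketches: XOR the bits, as
    '0'/'1' chars, over the previous hash in the buffer, then rehash."""
    for start in range(0, len(bits), 64):
        buf = bytearray(digest.ljust(64, b"\0"))
        for k, bit in enumerate(bits[start:start + 64]):
            buf[k] ^= 0x30 + bit
        digest = hashlib.md5(bytes(buf)).digest()
    return digest


def seed(timings_us, want_bits=100, max_corr=0.25):
    """Return a 16-byte seed, or refuse if the RAW bits look too weak.

    The checks run before hashing because the hash output looks random
    whatever went in. max_corr is an assumed limit, not from the post.
    """
    bits = raw_bits(timings_us)
    if len(bits) <= 16:
        raise ValueError("too few slow accesses to judge")
    lag, corr = worst_autocorrelation(bits)
    if abs(corr) > max_corr:
        raise ValueError(f"raw bits correlate at lag {lag}: {corr:+.2f}")
    per_bit = min(shannon_entropy(bits), conditional_entropy(bits))
    if per_bit * len(bits) < want_bits:
        raise ValueError("estimated entropy below the requested seed size")
    return mix(bits)


if __name__ == "__main__":
    bits = raw_bits(PERIODIC)
    print("frequency entropy  :", shannon_entropy(bits))
    print("conditional entropy:", conditional_entropy(bits))
    print("hashed anyway      :", mix(bits).hex())
```

On the periodic sample the frequency count alone reports a full bit per sample while the conditional estimate reports none, and the hash of those bits is still 16 unremarkable-looking bytes.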
From pete at loshin.com Mon Jan 22 21:23:31 1996 From: pete at loshin.com (Pete Loshin) Date: Mon, 22 Jan 96 21:23:31 PST Subject: IPSEC == end of firewalls (was Re: (fwd) e$: PBS NewsHour, Path Dependency, IPSEC, Cyberdog, and the Melting of Mr.) Message-ID: <01BAE929.17AF3800@ploshin.tiac.net> More to the point, I don't think it's possible to trust the security of the network software USERS in any case. -Pete Loshin pete at loshin.com Perry Metzger wrote: >Nelson Minar writes: >> I'm all for the end of ridiculous non-TCP/IP protocols, but does >> anyone believe this point about encrypted IP traffic eliminating the >> need for firewalls? > >There is division in the IETF community on this point. > >Phil Karn (who I have the greatest respect for) thinks IPSEC means we >can get rid of the firewalls. I, for one, don't -- they are there >largely because people don't trust that their networking software is >free of security holes, and cryptography doesn't fix security holes >for the most part. > >Perry From pete at loshin.com Mon Jan 22 21:23:35 1996 From: pete at loshin.com (Pete Loshin) Date: Mon, 22 Jan 96 21:23:35 PST Subject: [noise] Internet censorship in the workplace Message-ID: <01BAE929.1949AE20@ploshin.tiac.net> A front-page article today in Network World about censoring access to sex-related Internet resources at the office. Apparently, at Texaco, "a woman vehemently opposed to pornography" has been assigned to review logs showing who's been looking at what. Workers who log onto remote sites from Texaco to disguise their interests have not been fooling this individual. -Pete Loshin pete at loshin.com From dmandl at panix.com Mon Jan 22 21:32:09 1996 From: dmandl at panix.com (David Mandl) Date: Mon, 22 Jan 96 21:32:09 PST Subject: Query over PZ Message-ID: At 12:00 AM 1/23/96, tallpaul wrote: >Anonymous User had a question over PZ's politics. > >PZ has posted to the list and thus has, I believe, his address available to >list subscribers. 
> >How did PZ answer the question privately when Anonymous User posed the >question to PZ on private e-mail? > >If Anonymous User did not first pose the question to PZ privately, why did >he post it to the list publicly? Seems to me Ms. Anonymous wasn't taking it seriously, but was posting the news clip here for our amusement, or to show the kind of shabby work some journalists do, or to scare us by demonstrating how insane rumors get started. I can't imagine that anyone who knows the address of the cypherpunks list and can use an anonymous remailer could take a ridiculous claim like that seriously. --Dave. -- Dave Mandl dmandl at panix.com http://www.wfmu.org/~davem From attila at primenet.com Mon Jan 22 21:36:12 1996 From: attila at primenet.com (attila) Date: Mon, 22 Jan 96 21:36:12 PST Subject: IPSEC == end of firewalls (was Re: (fwd) e$: PBS NewsHour, Path , Dependency, IPSEC, Cyberdog, and the Melting of Mr.) In-Reply-To: <199601230159.SAA00256@nelson.santafe.edu> Message-ID: reply from attila: I agree there will be "universal" secrecy --there will always be someone who manages to decode one or two "signatures" including handshakes, and spoofs them, after burying the sucker machine in response commands so it has a chance to grab the handshaking. a little group effort, a couple of fast machines to coordinate the attack, and the rest just might be history. seems to me both Netscape and the abominable creature from the Pacific Northwest said they could not be broken.... Personally, I think NSA has figured out how to break PGP -- enough specialized DSPs and prime factoring tables on magneto-optical disks can go a long way. If you have traffic both ways, you have the hash as well. dropping Phil accomplished two basic things: a cheap give-away to look good in public; and, they avoided defending ITAR in court --and the ninth circuit can be pretty cranky on the Bill of Rights --they don't follow Washington's line too well.
On Mon, 22 Jan 1996, Nelson Minar wrote: > rah at shipwright.com (Robert Hettinga) writes: > [interesting article about the future, which includes..] > > >The reason we won't need LANs is because the only real difference between a > >LAN and the internet is a firewall for security, and the need for clients > >to speak Novell's TCP/IP-incompatible proprietary network protocol. With > >internet-level encryption protocols like the IETF IPSEC standard, you won't > >even need a firewall anymore. The only people who can establish a server > >session with *any* machine connected to the net will be those issuing the > >digital signatures authorized to access that machine, no matter where those > >people are physically. When that happens, networks will need to be as > >public as possible, which means, of course, TCP/IP, and not Netware. > > I'm all for the end of ridiculous non-TCP/IP protocols, but does > anyone believe this point about encrypted IP traffic eliminating the > need for firewalls? > > I guess I don't trust the ability for people to keep secrets secret. > Nothing like refusing to pass packets at all.. > __________________________________________________________________________ go not unto usenet for advice, for the inhabitants thereof will say: yes, and no, and maybe, and I don't know, and fuck-off. _________________________________________________________________ attila__ To be a ruler of men, you need at least 12 inches.... There is no safety this side of the grave. Never was; never will be. From attila at primenet.com Mon Jan 22 21:53:14 1996 From: attila at primenet.com (attila) Date: Mon, 22 Jan 96 21:53:14 PST Subject: PZ a Nazi? In-Reply-To: <199601230400.UAA29972@infinity.c2.org> Message-ID: On Mon, 22 Jan 1996, Anonymous User wrote: > Original dated: Jan 21 '96, 09:26 > [snip] > "Private communications between neo-Nazis on the network are > effected under a program called "Pretty Good Privacy", devised by > an American neo-Nazi sympathiser." 
> > Robin Gedye (in Bonn) p.23 of "The Sunday Telegraph" January 21, > 1996 > reply from attila: I would say we have two clueless mud slingers amongst us. 1. Robin Gedye (in Bonn) for ET who is not only clueless, but totally without journalistic ethics in the of the muckraker and yellow journalism of the old line Hearst tabloid size newspapers. to stir a fire on PZ since he wrote a virtually universal world wide crypto program is.... 2. and closer to home, we have a yea-sayer mouse: "anonymous-user at c2.org" who does not have the courtesy to pose the question to PZ; and EVEN WORSE, slings mud anonymously. granted, PZ is just a man, but he's like you and I. would you not consider the source before opening the floodgates of character smear? It sounds like you forgot to clutch in your brain before shooting from a duck-blind with your fingers. __________________________________________________________________________ go not unto usenet for advice, for the inhabitants thereof will say: yes, and no, and maybe, and I don't know, and fuck-off. _________________________________________________________________ attila__ To be a ruler of men, you need at least 12 inches.... There is no safety this side of the grave. Never was; never will be. From Steve_Makrecky at msn.com Mon Jan 22 22:03:17 1996 From: Steve_Makrecky at msn.com (Steve Makrecky) Date: Mon, 22 Jan 96 22:03:17 PST Subject: Netscape + Verifone Message-ID: What is the frequency on the back of your pager? Some people would like to monitor this type of information. ---------- From: owner-cypherpunks at toad.com on behalf of Perry E. Metzger Sent: Monday, January 22, 1996 11:13 To: cypherpunks at toad.com Subject: Netscape + Verifone My pager delivers me selected miniaturized Reuters news stories. I just got one that reads: REDWOOD CITY, CA - Netscape Communications Corp. and Verifone Inc. will devise a system to make electronic payments on the internet more secure. Anyone know anything about this?
I'm away from my normal sources of such things (like Bloomberg terminals)... .pm From mpd at netcom.com Mon Jan 22 22:36:37 1996 From: mpd at netcom.com (Mike Duvos) Date: Mon, 22 Jan 96 22:36:37 PST Subject: SS Obergruppenfuhrer Zimmermann (NOT!) Message-ID: <199601230635.WAA22844@netcom19.netcom.com> Anonymous User writes: > "Private communications between neo-Nazis on the network are > effected under a program called "Pretty Good Privacy", > devised by an American neo-Nazi sympathiser." > Robin Gedye (in Bonn) p.23 of "The Sunday Telegraph" > January 21, 1996 Before anyone takes this nonsense too seriously, one should realize that the exhibition of such microscopic views of technology by journalists and politicians is fairly common. Who can forget Caspar Weinberger's stirring speech in front of an illegally exported low-end VAX, explaining that the machine was a sophisticated electronic device for the tracking of missiles and troop movements, now in the hands of America's enemies. Then there was the newspaper article which explained in perfect seriousness that "GIF" was a secret computer code used by child molesters to encode images of their victims. Characterizing PGP as a neo-Nazi tool for private communications written by a sympathizer, while absurd in a larger sense, is hardly sillier than the prior examples. And all such scenarios contain a microscopic grain of truth as seen by someone somewhere with a severe case of tunnel vision. The reporter no doubt reports correctly that some neo-Nazis use PGP to communicate privately. Doubtless PKZ supports the right of all people, including those with diverse political views, to conduct legal private conversations which cannot be overheard by their governments, as do most of the people on this list. I suppose in some obtuse sense this is sympathy. It is highly unlikely that anyone who uses Cypherpunk technology is as ignorant as this reporter. So let's just mail the poor guy a clue and move on.
Things like this happen often, and it's not really worth a prolonged debate. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From dm at amsterdam.lcs.mit.edu Mon Jan 22 22:55:16 1996 From: dm at amsterdam.lcs.mit.edu (David Mazieres) Date: Mon, 22 Jan 96 22:55:16 PST Subject: Why is blowfish so slow? Other fast algorithms? In-Reply-To: <199601221620.LAA20745@homeport.org> Message-ID: <199601230654.BAA21318@amsterdam.lcs.mit.edu> > From: Adam Shostack > Date: Mon, 22 Jan 1996 11:20:57 -0500 (EST) > Cc: cypherpunks at toad.com > X-Mailer: ELM [version 2.4 PL24 ME8b] > Content-Type: text > Content-Length: 662 > > David Mazieres wrote: > > | First, can someone tell me if the latest version of blowfish (the one > | in Applied Crypto 2nd edition) is available online somewhere? I > | looked at a bunch of crypto ftp servers and could only find an older > | version of blowfish that did not have the blf_ctx structure allowing > | multiple keys to be active at a time. > > Did you check ftp.dsi.unimi.it? I seem to remember them having the > latest source right after Crypto95. Also, ftp.csua.berkeley.edu > should have it. (Their code is version 1.3; do you know what version > you're after?) Unfortunately, neither of those sites have it. The version I'm looking for has a blf_ctx structure that gets passed as the first argument to functions so you can use multiple keys at a time. It also has the initialization data stuck in the C code. Does anyone out there have the Applied Cryptography source code diskette? Would you be willing to mail me the code? It would probably take a while if I ordered the diskette myself and I'd like to get the code as soon as possible. Thanks, David From ses at tipper.oit.unc.edu Mon Jan 22 23:01:19 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Mon, 22 Jan 96 23:01:19 PST Subject: IPSEC == end of firewalls (was Re: (fwd) e$: PBS NewsHour, Path Dependency, IPSEC, Cyberdog, and the Melting of Mr.)
In-Reply-To: <9601230342.AA04490@pig.die.com> Message-ID: I tend to oscillate between the two positions; at the moment I think that firewalls are still needed with IPSEC. Firewalls cannot be removed if 1) You need to control outbound as well as inbound traffic 2) There are still non IPSEC machines on the network. 3) There are network services on IPSEC machines that do not understand IPSEC security, and which cannot be easily secured through IPSEC aware wrappers. I can't see any way to cope with the first problem- however the latter two are legacy headaches, which tend to clear up given time. What I do see happening is more and more IPSEC machines moving out into a quasi-DMZ as it becomes much easier to make ordinary machines secure enough to go over-the-top; however, it'll take more than just IPSEC to make this fool-proof enough to move everybody out there. One worry I do have is that if such a machine is misconfigured it could cause more damage as that machine is trusted more because it's using IPSEC. Simon
(defun modexpt (x y n)
  "computes (x^y) mod n"
  (cond ((= y 0) 1)
        ((= y 1) (mod x n))
        ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n))
        (t (mod (* x (modexpt x (1- y) n)) n))))
From ampugh at mci.newscorp.com Mon Jan 22 23:56:06 1996 From: ampugh at mci.newscorp.com (Alan Pugh) Date: Mon, 22 Jan 96 23:56:06 PST Subject: You want to read MY e-mail? Message-ID: <199601230748.CAA16825@kafka.delphi.com> =snip= >A bill by Sen. Paul Weissmann, R-Louisville, to make e-mail as privileged as >telephone conversations was killed in a Senate committee. > >A somewhat stronger bill still rests in the House. =snip= >Jim Carpenter, press secretary for Romer, said his office was "looking at all >the issues, all the options." > >Duke said he has always complied with requests for public records, but said the >request for e- mail messages goes too far. > >"I'm disturbed by it," Duke said. > >(John Sanko writes for the Rocky Mountain News in Denver.)
> > OK, if _I_ can't read your e-mail Mr. Legislator, why should you >be able to read _mine_? a good question. perhaps _now_ they'll get serious about recognising email as equivalent to postal mail. this would be an excellent way of pushing this elsewhere. when _their_ ox is gored, they'll scream like stuck pigs. one interesting aspect of this would be whether regular mail is considered a public record under the law as far as legislooters mail goes. if so, then she should get it. amp From scottst at ionet.net Tue Jan 23 00:07:51 1996 From: scottst at ionet.net (Scott Staedeli) Date: Tue, 23 Jan 96 00:07:51 PST Subject: The Collapse of Ideas in a Pop Culture Message-ID: <199601230805.CAA03513@ion1.ionet.net> >(If you don't know who Jules Bergmann was, you're a GenXer and > can't be held responsible for your ignorance :-}.) I _am_ a GenXer, and I worshipped Jules Bergmann as a child. Some of my first memories are of pressing my nose up to the tv, watching Saturn V's lifting off. If I ever win the lottery, I'm going to take the Saturn that's lying on its side at Cape Kennedy, refurbish it, and launch that baby just to watch it go. ;-))) - --scottst at ionet.net---------------------Scott Staedeli-- >~<^xXx | "Information is the currency of xX # | democracy." (XXX) # | (XXXXXXX) | DON'T TREAD ON ME| --Thomas Jefferson ======================================================== From printing at explicit.com Tue Jan 23 00:11:48 1996 From: printing at explicit.com (William Knowles) Date: Tue, 23 Jan 96 00:11:48 PST Subject: Netscape + Verifone (Noise) In-Reply-To: Message-ID: <3104B393.31A3@explicit.com> Steve, > What is the frequency on the back of your pager? Some people > would like to monitor this type of information. Depending on the service offering the paging, you can get news headlines and sport scores, ESPN I believe has play by play for real sporting junkies. RadioMail has this service for no extra charge if you go that route.
http://www.radiomail.net/ William Knowles President & Big Kahuna Graphically Explicit > ---------- > From: owner-cypherpunks at toad.com on behalf of Perry E. Metzger > Sent: Monday, January 22, 1996 11:13 > To: cypherpunks at toad.com > Subject: Netscape + Verifone > > My pager delivers me selected miniaturized Reuters news stories. > > I just got one that reads: > > REDWOOD CITY, CA - Netscape Communications Corp. and Verifone > Inc. will devise a system to make electronic payments on the > internet more secure. > > Anyone know anything about this? I'm away from my normal sources of > such things (like Bloomberg terminals)... > > .pm -- Graphically Explicit Advertising PGP mail welcome & preferred / KeyID 1024/415D7FF9 PGP Fingerprint D3 34 A4 38 73 99 77 4A 98 BB A2 81 97 68 73 03 From Majordomo at toad.com Tue Jan 23 00:35:49 1996 From: Majordomo at toad.com (Majordomo at toad.com) Date: Tue, 23 Jan 1996 16:35:49 +0800 Subject: Welcome to cypherpunks Message-ID: <9601230835.AA13950@toad.com> -- Welcome to the cypherpunks mailing list! If you ever want to remove yourself from this mailing list, you can send mail to "Majordomo at toad.com" with the following command in the body of your email message: unsubscribe cypherpunks Cypherpunks Mailing List Here's the general information for the list you've subscribed to, in case you don't already have it: About cypherpunks ----------------- I. Administrivia (please read, boring though it may be) The cypherpunks list is a forum for discussing personal defenses for privacy in the digital domain. It is a high volume mailing list. If you don't know how to do something, like unsubscribe, send mail to majordomo at toad.com and the software robot which answers that address will send you back instructions on how to do what you want. If you don't know the majordomo syntax, an empty message to this address will get you a help file, as will a command 'help' in the body.
Even with all this automated help, you may still encounter problems. If you get really stuck, please feel free to contact me directly at the address I use for mailing list management: cypherpunks-owner at toad.com Please use this address for all mailing list management issues. Hint: if you try to unsubscribe yourself from a different account than you signed up for, it likely won't work. Log back into your old account and try again. If you no longer have access to that account, mail me at the list management address above. Also, please realize that there will be some cypherpunks messages "in transit" to you at the time you unsubscribe. If you get a response that says you are unsubscribed, but the messages keep coming, wait a day and they should stop. For other questions, my list management address is not the best place, since I don't read it every day. To reach me otherwise, send mail to eric at remailer.net This address is appropriate for emergencies (and wanting to get off the list is never an emergency), such as the list continuously spewing articles. Please don't send me mail to my regular mailbox asking to be removed; I'll just send you back a form letter. Do not mail to the whole list asking to be removed. It's rude. The -request address is made exactly for this purpose. To post to the whole list, send mail to cypherpunks at toad.com If your mail bounces repeatedly, you will be removed from the list. Nothing personal, but I have to look at all the bounce messages. There is no digest version available. There is an announcements list which is moderated and has low volume. Announcements for physical cypherpunks meetings, new software and important developments will be posted there. Mail to cypherpunks-announce-request at toad.com if you want to be added or removed to the announce list. All announcements also go out to the full cypherpunks list, so there is no need to subscribe to both. II. 
About cypherpunks The cypherpunks list is not designed for beginners, although they are welcome. If you are totally new to crypto, please get and read the crypto FAQ referenced below. This document is a good introduction, although not short. Crypto is a subtle field and a good understanding will not come without some study. Please, as a courtesy to all, do some reading to make sure that your question is not already frequently asked. There are other forums to use on the subject of cryptography. The Usenet group sci.crypt deals with technical cryptography; cypherpunks deals with technical details but slants the discussion toward their social implications. The Usenet group talk.politics.crypto, as it says, is for political theorizing, and cypherpunks gets its share of that, but cypherpunks is all pro-crypto; the debates on this list are about how to best get crypto out there. The Usenet group alt.security.pgp is a pgp-specific group, and questions about pgp as such are likely better asked there than here. Ditto for alt.security.ripem. The cypherpunks list has its very own net.loon, a fellow named L. Detweiler. The history is too long for here, but he thinks that cypherpunks are evil incarnate. If you see a densely worded rant featuring characteristic words such as "medusa", "pseudospoofing", "treachery", "poison", or "black lies", it's probably him, no matter what the From: line says. The policy is to ignore these postings. Replies have never, ever, not even once resulted in anything constructive and usually create huge flamewars on the list. Please, please, don't feed the animals. III. Resources. A. The sci.crypt FAQ anonymous ftp to rtfm.mit.edu:pub/usenet-by-group/sci.crypt The cryptography FAQ is good online intro to crypto. Very much worth reading. Last I looked, it was in ten parts. B. cypherpunks ftp site anonymous ftp to ftp.csua.berkeley.edu:pub/cypherpunks This site contains code, information, rants, and other miscellany.
There is a glossary there that all new members should download and read. Also recommended for all users are Hal Finney's instructions on how to use the anonymous remailer system; the remailer sources are there for the perl-literate. C. Bruce Schneier's _Applied Cryptography_, published by Wiley This is required reading for any serious technical cypherpunk. An excellent overview of the field, it describes many of the basic algorithms and protocols with their mathematical descriptions. Some of the stuff at the edges of the scope of the book is a little incomplete, so short descriptions in here should lead to library research for the latest papers, or to the list for the current thinking. All in all, a solid and valuable book. It's even got the cypherpunks-request address. IV. Famous last words My preferred email address for list maintenance topics only is hughes at toad.com. All other mail, including emergency mail, should go to hughes at ah.com, where I read mail much more regularly. Enjoy and deploy. Eric ----------------------------------------------------------------------------- Cypherpunks assume privacy is a good thing and wish there were more of it. Cypherpunks acknowledge that those who want privacy must create it for themselves and not expect governments, corporations, or other large, faceless organizations to grant them privacy out of beneficence. Cypherpunks know that people have been creating their own privacy for centuries with whispers, envelopes, closed doors, and couriers. Cypherpunks do not seek to prevent other people from speaking about their experiences or their opinions. The most important means to the defense of privacy is encryption. To encrypt is to indicate the desire for privacy. But to encrypt with weak cryptography is to indicate not too much desire for privacy. Cypherpunks hope that all people desiring privacy will learn how best to defend it. Cypherpunks are therefore devoted to cryptography. 
Cypherpunks wish to learn about it, to teach it, to implement it, and to make more of it. Cypherpunks know that cryptographic protocols make social structures. Cypherpunks know how to attack a system and how to defend it. Cypherpunks know just how hard it is to make good cryptosystems. Cypherpunks love to practice. They love to play with public key cryptography. They love to play with anonymous and pseudonymous mail forwarding and delivery. They love to play with DC-nets. They love to play with secure communications of all kinds. Cypherpunks write code. They know that someone has to write code to defend privacy, and since it's their privacy, they're going to write it. Cypherpunks publish their code so that their fellow cypherpunks may practice and play with it. Cypherpunks realize that security is not built in a day and are patient with incremental progress. Cypherpunks don't care if you don't like the software they write. Cypherpunks know that software can't be destroyed. Cypherpunks know that a widely dispersed system can't be shut down. Cypherpunks will make the networks safe for privacy. [Last updated Mon Feb 21 13:18:25 1994] From Garry at zip.com.au Tue Jan 23 02:33:03 1996 From: Garry at zip.com.au (Garry Bentlin) Date: Tue, 23 Jan 1996 18:33:03 +0800 Subject: yo subscribe!! Message-ID: <3104C565.6BDD@zip.com.au> how do I? and can you ? thanks heeeps! reg, garryb From holovacs at styx.ios.com Tue Jan 23 03:45:34 1996 From: holovacs at styx.ios.com (Jay Holovacs) Date: Tue, 23 Jan 1996 19:45:34 +0800 Subject: PZ a Nazi? 
In-Reply-To: <199601230400.UAA29972@infinity.c2.org> Message-ID: I understand it's much easier to sue a publication for libel in the UK, maybe PRZ can recover some of his legal costs ;} Jay Holovacs PGP Key fingerprint = AC 29 C8 7A E4 2D 07 27 AE CA 99 4A F6 59 87 90 On Mon, 22 Jan 1996, Anonymous User wrote: > "Private communications between neo-Nazis on the network are > effected under a program called "Pretty Good Privacy", devised by > an American neo-Nazi sympathiser." > > Robin Gedye (in Bonn) p.23 of "The Sunday Telegraph" January 21, > 1996 > From WlkngOwl at UNiX.asb.com Tue Jan 23 04:33:52 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Tue, 23 Jan 1996 20:33:52 +0800 Subject: NY State to restrinct netporn?! Message-ID: <199601231227.HAA09534@UNiX.asb.com> This in today's LI Newsday, p. A6: Crime Time in Albany Bills Reflect now popular get-tough stance by Liam Pleven, Albany Bureau Albany - A bill that would restrict sexually explicit material on the Internet - which the Assembly took little notice of last year - is suddenly headed to the governor's desk after winning legislative approval yesterday. ... --- "Mutant" Rob Send a blank message with the subject "send pgp-key" (not in quotes) for a copy of my PGP key. From m5 at dev.tivoli.com Tue Jan 23 06:06:30 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Tue, 23 Jan 1996 22:06:30 +0800 Subject: RC4 for HP48 In-Reply-To: <199601230223.CAA11426@pangaea.hypereality.co.uk> Message-ID: <9601231353.AA06639@alpha> ECafe Anonymous Remailer writes: > Here is the RC4 cipher for the HP-48 calculator... You know, it'd be interesting to start loudly reporting such obvious ITAR violations. Not, of course, because I feel myself threatened as a result of this attack on national security, but because it might make life more difficult for Them.
When They decide to hassle some well-chosen target (a la PZ) over such stuff, it'd make for interesting filler if reporters could add to stories paragraphs like "...dozens of ITAR violations have been reported in recent months, but until now officials have taken no action, leading many to believe that Bob Cypherdude is being singled out for harassment." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From herbs at connobj.com Tue Jan 23 06:18:40 1996 From: herbs at connobj.com (Herb Sutter) Date: Tue, 23 Jan 1996 22:18:40 +0800 Subject: Blacknet & Lotus Notes Message-ID: <2.2.32.19960123140645.006ce49c@mail.interlog.com> At 19:13 01.18.1996 -0500, Adam Shostack wrote: > So, let's buy the espionage enabling secret key. It's an >obvious target, not just for cypherpunks, but for the KGB, Mossad, >Toshiba, IBM, and anyone else who wants to read their competitors' >correspondence. Let's face it, this key will get out there, and be >available to all the big players; let's make it available to everyone! I think people are missing the point... even if we assume the absolute worst case, that the private key is broken and becomes publicly available, international Notes users are no worse off than before. That said, it shouldn't happen soon. One of the things Ray said in his announcement was that the government agreed to both generate and then guard this key with the same diligence with which they guard their most important secrets (he specifically mentioned nuclear missile controls). While it makes for a nice sound bite, I'm comfortable that there's probably also a lot of truth to it.
Herb ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Herb Sutter (herbs at connobj.com) Connected Object Solutions 2228 Urwin - Suite 102 voice 416-618-0184 http://www.connobj.com/ Oakville ON Canada L6L 2T2 fax 905-847-6019 From perry at vishnu.alias.net Tue Jan 23 06:27:34 1996 From: perry at vishnu.alias.net (John Perry) Date: Tue, 23 Jan 1996 22:27:34 +0800 Subject: New Nym Server Message-ID: <8768e3vw4t.fsf@vishnu.alias.net> The following message is a courtesy copy of an article that has been posted as well. Hello Everyone, I'm proud to announce the new nym server at nym.alias.net. The address for the nymserver is: nymrod at nym.alias.net (Catchy name huh?) Anyway nymrod is running Matt Ghio's latest nymserver code. It's been tested and I think (cross your fingers) all the bugs have been worked out. It works the same at the nym server at c2.org and gondonym. If you need a quick tutorial, send email to: help at nym.alias.net Enjoy!! From perry at vishnu.alias.net Tue Jan 23 06:36:09 1996 From: perry at vishnu.alias.net (John Perry) Date: Tue, 23 Jan 1996 22:36:09 +0800 Subject: New Nym Server at nym.alias.net Message-ID: <873f97vvm7.fsf@vishnu.alias.net> The following message is a courtesy copy of an article that has been posted as well. Hello Everyone, [sorry about that last post, I hit send before I was ready. Here it is with more information.] I'm proud to announce the new nym server at nym.alias.net. The address for the nymserver is: nymrod at nym.alias.net (Catchy name huh?) Anyway nymrod is running Matt Ghio's latest nymserver code. It's been tested and I think (cross your fingers) all the bugs have been worked out. It works the same at the nym server at c2.org and gondonym. 
If you need a quick tutorial, send email to: help at nym.alias.net Here's the PGP public key for nymrod at nym.alias.net: Enjoy!! John Perry - KG5RG - perry at vishnu.alias.net - PGP-encrypted e-mail welcome! WWW - http://www.alias.net PGP 2.62 key for perry at vishnu.alias.net is on the keyservers. From droelke at rdxsunhost.aud.alcatel.com Tue Jan 23 07:00:30 1996 From: droelke at rdxsunhost.aud.alcatel.com (Daniel R. Oelke) Date: Tue, 23 Jan 1996 23:00:30 +0800 Subject: Crippled Notes export encryption Message-ID: <9601231439.AA19088@spirit.aud.alcatel.com> Herb Sutter wrote: > At 20:32 01.17.1996 -0500, Perry E. Metzger wrote: > > > >Alan Pugh writes: > >> infoMCI (sm) > >> Lotus-Security - Lotus Announces Compromise for Export of Strong > >> Encryption > > > >So, Lotus thinks they can fool people by back-dooring in key escrow, eh? > > > >Time to break out the artillery. > > > >Perry > > Careful... what would YOU have done, with your customers demanding stronger > crypto today and you unable to legally give it to them? > > Again, folks, try to remember that this is NOT key escrow... international > Notes customers are no worse off than before, and a darn sight better off > against everyone besides Uncle Sam. > > Herb Not key escrow - WHAT?!?!? Then, what do you call giving government access to 24 out of 64 bits of the key. This reduces the keyspace to a measly 40 bits. As we have seen - 40 bits is trivial to crack without a multi-billion dollar budget. I think that Lotus did what all corporations do - it thought was best for it's bottom line, and so chose the limited keyspace with key-escrow approach.
It is our job (as cypherpunks and US citizens) to show Lotus and the world that this is NOT a good approach. Dan ------------------------------------------------------------------ Dan Oelke Alcatel Network Systems droelke at aud.alcatel.com Richardson, TX From perry at piermont.com Tue Jan 23 07:03:35 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 23 Jan 1996 23:03:35 +0800 Subject: PZ a Nazi? In-Reply-To: <199601230400.UAA29972@infinity.c2.org> Message-ID: <199601231440.JAA10440@jekyll.piermont.com> Anonymous User writes: > "Private communications between neo-Nazis on the network are > effected under a program called "Pretty Good Privacy", devised by > an American neo-Nazi sympathiser." Er, no. Phil is a squishy liberal, actually -- was involved in the nuclear freeze movement among other things. I'm forwarding the mail you sent to Phil -- he should get in touch with those guys, probably sue them. Perry From tighe at spectrum.titan.com Tue Jan 23 07:15:33 1996 From: tighe at spectrum.titan.com (Mike Tighe) Date: Tue, 23 Jan 1996 23:15:33 +0800 Subject: Crippled Notes export encryption In-Reply-To: <2.2.32.19960123140650.00708e08@mail.interlog.com> Message-ID: <199601231452.IAA19136@softserv.tcst.com> Herb Sutter writes: >Careful... what would YOU have done, with your customers demanding stronger >crypto today and you unable to legally give it to them? Build it overseas where there are no restrictions and then import it. Just like almost every other component in a computer. From adam at lighthouse.homeport.org Tue Jan 23 07:44:00 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Tue, 23 Jan 1996 23:44:00 +0800 Subject: Blacknet & Lotus Notes In-Reply-To: <2.2.32.19960123140645.006ce49c@mail.interlog.com> Message-ID: <199601231510.KAA01291@homeport.org> Herb Sutter wrote: | At 19:13 01.18.1996 -0500, Adam Shostack wrote: | > So, lets buy the espionage enabling secret key. 
It's an | >obvious target, not just for cypherpunks, but for the KGB, Mossad, | >Toshiba, IBM, and anyone else who wants to read their competitors' | >correspondence. Let's face it, this key will get out there, and be | >available to all the big players; let's make it available to everyone! | | I think people are missing the point... even if we assume the absolute worst | case, that the private key is broken and becomes publicly available, | international Notes users are no worse off than before. I don't give a damn about 'international Notes' users; they're (IMHO) screwed coming and going. What I do care about is the ability of American firms to compete with secure products in the international market. That, fundamentally, is what the ITARs are about. The US Government removing the ability of American firms to compete because of some idiotic notion that no one else can implement DES, 3des or IDEA. Can IBM/Lotus compete with Intranets now being created, based on HTTP with 128 bit rc4, or IDEA encryption? There's a large body of evidence that people are dumping Notes for the Web; the lack of security in notes could well be a part of that. It can't help. These regulations cost American business up to $60 billion per year. Those businesses are no worse off after sending hundreds of people to Washington to tell the Department of Commerce and NIST that they need the ITARs changed. They're not much better off either. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From stainles at bga.com Tue Jan 23 08:09:53 1996 From: stainles at bga.com (Dwight Brown) Date: Wed, 24 Jan 1996 00:09:53 +0800 Subject: January 22 Infoworld Message-ID: <199601231528.JAA08958@zoom.bga.com> Nicholas Petreley's "Down To the Wire" column is a short take on the insecurity of encryption schemes used by most commercial software.
There shouldn't be much new here to cypherpunks (he discusses the vulnerabilities of WordPerfect, Word for Windows, Excel, and Compuserve's CIS.INI, and uses some out of date examples "to protect the integrity of current software": bad move, Nicholas), but it'd make a good introduction for people who aren't familiar with the issues. Petreley also announces that InfoWorld is planning a "network-cracking event", in which they plan to set up various network OS'es, make them as secure as they can, invite "a small number of accomplished hackers" to attack them, and publish the results. He says they're looking for participants... InfoWorld's web site is http://www.infoworld.com. Petreley can be reached at nicholas_petreley at infoworld.com. ==Dwight From perry at piermont.com Tue Jan 23 08:12:52 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 24 Jan 1996 00:12:52 +0800 Subject: IPSEC == end of firewalls In-Reply-To: <9601231159.AA27033@su1.in.net> Message-ID: <199601231530.KAA10525@jekyll.piermont.com> Frank Willoughby writes: > While IP level security & authentication will go a long way to help > prevent abuses and reduce unauthorized accesses, I doubt if it will > provide enough protection by itself. I agree with this, but... > o Node Spoofing will probably still be possible Nope. It won't. > o The connections will probably also be subject to man-in-the-middle attacks > (Never underestimate the creativity of people who want to compromise your > networks) No, they won't be subject to such attacks any longer. The real problem, as you noted, is that our applications aren't very secure. > I suspect even when firewalls are embedded in the O/S, That would be somewhat meaningless. The point of a firewall, as others here have noted, is that it is easier to secure one machine than five hundred or ten thousand. > IMHO, the first company to include a firewall as a standard part of their > Operating Systems has a real good shot at increasing their market share. 
Again, somewhat meaningless, as a real firewall involves defense in depth (screening routers, a bastion proxy host, etc) and is more of a configuration issue than an O.S. issue. Perry From perry at piermont.com Tue Jan 23 08:38:07 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 24 Jan 1996 00:38:07 +0800 Subject: Crippled Notes export encryption In-Reply-To: <2.2.32.19960123140650.00708e08@mail.interlog.com> Message-ID: <199601231539.KAA10548@jekyll.piermont.com> Herb Sutter writes: > >So, Lotus thinks they can fool people by back-dooring in key escrow, eh? > > > >Time to break out the artillery. > > Careful... what would YOU have done, with your customers demanding stronger > crypto today and you unable to legally give it to them? Set up development shop overseas for the crypto plug-ins. The solution is obvious and easy. By the way, I really think Netscape should simply ship Jeff and other people to the Amsterdam office or wherever else seems reasonable and do all the crypto work from there. It will save trouble and hassle. U.S. citizens wanting full 128 bit over the net would then get it from Netscape's overseas download sites. No one anywhere in the world would be forced to use crap. Perry From jf_avon at citenet.net Tue Jan 23 09:22:23 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Wed, 24 Jan 1996 01:22:23 +0800 Subject: your mail Message-ID: <9601231548.AB19479@cti02.citenet.net> >On Mon, 22 Jan 1996, Jean-Francois Avon wrote (quote may be only partial):: > >> >> I suppose, from the adress, that it is some type of mailing list. >> >> If yes, could anybody send me the "how to subscribe" file? >> My mail quoted above was sent out to all subscribers to the list. I supposed it was only the administrative address.... I got *a lot* of replies. Thank to all cypherpunk! 
JFA From cp at proust.suba.com Tue Jan 23 09:24:45 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Wed, 24 Jan 1996 01:24:45 +0800 Subject: Blacknet & Lotus Notes In-Reply-To: <2.2.32.19960123140645.006ce49c@mail.interlog.com> Message-ID: <199601231607.KAA01940@proust.suba.com> > I think people are missing the point... even if we assume the absolute worst > case, that the private key is broken and becomes publicly available, > international Notes users are no worse off than before. This sentiment is why this is such a clever move on the part of the government. There are a number of problems with the Lotus plan. First of all, 40 bits isn't secure. That's what international users have, not 64 bits, and it's just not good enough. International Notes customers know it, we know it, Lotus knows it, and the government knows it. Second of all, any restriction on algorithms and key lengths is unacceptable. People and businesses have the right to protect their privacy. American software companies have to be able to deliver privacy if they want to remain competitive in the global market. It's essential that the government acknowledge these facts. Finally, this agreement sets a very dangerous precedent. The government is holding keys and compelling people to "trust" them. This is real, live gak. You're right -- in a sense no one's any worse off than they would be with 40 bit keys. But in another sense, there's a slippery slope problem here. Gak is absolutely unacceptable in any way, shape, or form. It's completely beyond the scope of what the government ought to be doing. If we sit by idly while they set up the comparatively toothless gak, it will make things that much easier for them when more ambitious gaks come down the pike. We need to do whatever we can to convince international customers that Notes isn't secure. And we need to make Lotus understand why this deal isn't in anyone's interest.
From adept at minerva.cis.yale.edu Tue Jan 23 09:33:49 1996 From: adept at minerva.cis.yale.edu (Ben) Date: Wed, 24 Jan 1996 01:33:49 +0800 Subject: IPSEC == end of firewalls In-Reply-To: <9601231159.AA27033@su1.in.net> Message-ID: > functionality of most firewalls would eventually be an add-on application > option for Operating Systems and that eventually it will be a standard > part of every Operating System. Until then, we have to punt & keep using > firewalls. I'm not so convinced that adding 'firewall functionality' to an OS is such a good idea. The idea behind having a firewall is that * You have a hardened host that has been stripped of anything that could be used by an attacker to compromise other systems * You have a single machine that serves as the sole port of entry into your domain. By keeping your defense perimeter nice and small it makes it manageable to maintain. When you start trying to switch firewall functionality to an OS you lose both these advantages. You no longer have a system that is stripped of compilers, scripting languages, etc, and you now have a much larger security perimeter. Ben. ____ Ben Samman..............................................samman at cs.yale.edu "If what Proust says is true, that happiness is the absence of fever, then I will never know happiness. For I am possessed by a fever for knowledge, experience, and creation." -Anais Nin PGP Encrypted Mail Welcomed Finger samman at suned.cs.yale.edu for key Want to hire a soon-to-be college grad? Mail me for resume From perry at piermont.com Tue Jan 23 09:36:13 1996 From: perry at piermont.com (Perry E.
Metzger) Date: Wed, 24 Jan 1996 01:36:13 +0800 Subject: Crippled Notes export encryption In-Reply-To: <9601231623.AA07480@sulphur.osf.org> Message-ID: <199601231703.MAA10676@jekyll.piermont.com> Rich Salz writes: > > >By the way, I really think Netscape should simply ship Jeff and other > >people to the Amsterdam office or wherever else seems reasonable and > > That won't work -- they gotta hire non-US persons to do the work. There are plenty of good foreign crypto people. .pm From rsalz at osf.org Tue Jan 23 09:36:15 1996 From: rsalz at osf.org (Rich Salz) Date: Wed, 24 Jan 1996 01:36:15 +0800 Subject: Crippled Notes export encryption Message-ID: <9601231623.AA07480@sulphur.osf.org> >By the way, I really think Netscape should simply ship Jeff and other >people to the Amsterdam office or wherever else seems reasonable and That won't work -- they gotta hire non-US persons to do the work. From alano at teleport.com Tue Jan 23 10:33:23 1996 From: alano at teleport.com (Alan Olsen) Date: Wed, 24 Jan 1996 02:33:23 +0800 Subject: [local] Report onPortland Cpunks meeting Message-ID: <2.2.32.19960123175419.008aea90@mail.teleport.com> The physical Cypherpunks meeting in Portland occurred on the 20th of January. No big name Cypherpunks were involved in the manufacture of this meeting. (Well, maybe next time...) It pretty much went like a first meeting... We had about 11 people or so attend. (Hard to tell in a coffee shop if people are attending or just wondering what the heck is going on.) The participation from the group was very positive. Those who did attend were quite willing to participate. Those of you who did not show up missed a good meeting... and free coffee drinks from the Habit. (The Habit Internet Cafe was having their one year anniversary and was giving away free coffee as part of the event.) Some of the happenings (in no particular order): Bruce Baugh handed out the information he has been collecting on remailer timings and mail to new gateways.
The information was pretty useful. He had sent out a group of ten messages to each remailer through a nym server. The results were at odds with the published times. Certain sites either dropped large percentages of messages or delivered them about 8-9 days late. Others which were rated at the bottom of the list on the regular timing list were the most reliable in Bruce's tests. Neal McBurnett talked about his Java program that generates statistics on the PGP "web of trust". The information he gave was pretty surprising. (Fewer keys exist in the keyservers than I believed.) I encouraged Neal to post his findings to the list. (Hint! Hint!) I will not try to explain the stats from memory... I gave a report on the status of the PGP 3.0 API. (Of which Derek Atkins was kind enough to send me for the meeting. Thanks Derek!) There was a key signing. It was a bit rough as for many of us it was our first key signing. (I think Neal was the only person who had been to an organized key signing.) Still, it went fairly well. Only a couple of people brought their key fingerprints on disk instead of paper. As of today, I have only received signed keys back from a couple of people though... The next key signing will be done a bit differently. (Live and learn.) There was also a suggestion for a nym signing at some point. There was a discussion of entropy which devolved into entropy. The definitions of entropy varied widely depending on the background of the individuals involved. (Or just general smartassedness... My definition of entropy was "A urological condition".) There was a lot of just general discussion of crypto and current events. A good time was had by all. (At least I have not had any complaints.) One of the other topics discussed was a Portland-Cypherpunks mailing list for keeping people informed on local activities. This will probably be put into place sometime soon... There will also be upcoming meetings as I have had a number of people inquiring about the possibility.
Well, that is about all I can remember at this point... (At least with not enough caffeine in me.) Others who were there can probably comment. Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "Is the operating system half NT or half full?" From gback at facility.cs.utah.edu Tue Jan 23 10:33:42 1996 From: gback at facility.cs.utah.edu (gback at facility.cs.utah.edu) Date: Wed, 24 Jan 1996 02:33:42 +0800 Subject: Hack Java In-Reply-To: <9601231630.AA07540@sulphur.osf.org> Message-ID: <199601231756.KAA03101@sal.cs.utah.edu> > > This illustrates the difference between a language with no dangerous > constructs, and one where you must trust the implementation. > From some internal OSF email: > ---------- Begin Forwarded Message ---------- > > class Data { // an object storing 16 bytes > byte word[16]; > } > > > class Trick { > Data data; > long tricky_pointer; > } > > > Now suppose, I fake a compiler (or I have a malicious compiler) > and I generate by hand malicious byte code such that > in the symbol tables, tricky_pointer and data have the same > offset. > What offset do you mean? The offset in the struct as in C++? Java bytecode does not store such information. Fields are accessed using putfield/getfield, which use an index to a field reference in the constant pool. (pg. 66, lang spec) Field references contain a name index (pg. 19) which points to a name, i.e., a CONSTANT_Utf8 (pg. 18) field. To my knowledge, the Java, and Java bytecode does not imply any memory layout. I doubt it makes sense to demand to check that 'offset do not overlap in memory'. Could you describe in more detail the manipulation you are proposing? - Godmar From baldwin at RSA.COM Tue Jan 23 11:17:29 1996 From: baldwin at RSA.COM (baldwin (Robert W.
Baldwin)) Date: Wed, 24 Jan 1996 03:17:29 +0800 Subject: Mykotronx sells 68,000 Fortezza cards to Spyrus Message-ID: <9600238224.AA822422018@snail.rsa.com> Here is a press release from Mykotronix about a big order of Fortezza cards for the Defense Messaging System. Another part of the government has selected Fisher International to supply SmartDisk cryptographic cards for the use of citizens interacting with the IRS and other agencies electronically. Although Fisher has not received a big order yet, they are looking at 100 thousand and 10 million card production runs. The Fisher card is based on RSA's crypto toolkit and DOES NOT include skipjack or escrow. --Bob ______________________________ Forward Header __________________________________ Subject: Mykotronx sells 68,000 Fortezza cards for Defense Msg System IRVINE, Calif.--(BUSINESS WIRE)--Jan. 22, 1996--Rainbow Technologies Inc. (NASDAQ:RNBO), Monday announced its Mykotronx division has received a purchase order from Spyrus for over 68,000 of Mykotronx's new Capstone encryption processor (MYK-82). The devices will be used to build part of the Government's order of Fortezza Cryptographic Cards for the Defense Message System (DMS) awarded Sept. 1995. Initial delivery of the new cryptographic processor will begin April 1996. "The significance of the MYK-82 is that it allows us to provide a high grade, low cost encryption technology to customers, such as Spyrus," said John Droge, vice president of program development for Mykotronx. "The MYK-82 is an advanced encryption processor specifically aimed at PCMCIA cryptographic applications and has a built-in PCMCIA interface. The newer design is smaller, faster and has a lower cost than its predecessor." In addition, Mykotronx will be programming all the cryptographic processors to fill the Government's Sept. 1995 order of 300,000 Fortezza Cryptographic Cards. 
The MYK-82, developed by Mykotronx and fabricated by VLSI Technology Inc., is the first of a series of security products to be developed as part of an alliance with VLSI, targeting both Government and commercial markets. Rainbow Technologies, founded in 1984, is the world's leading developer, manufacturer and supplier of software protection products and encryption technology. Mykotronx, a subsidiary of Rainbow, is a leader in secure communication and cryptographic products for U.S. government agencies and the commercial marketplace. Rainbow was recently recognized by Forbes magazine as one of The Best Small Companies in America and in SmartMoney Magazine as one of the Seven Stocks for the Next Decade. Rainbow is ISO 9002 certified. CONTACT: Rainbow Technologies Inc., Irvine, Calif. Ann Jones, 714/450-7350 email: ajones at rnbo.com WWW Home Page: http://www.rnbo.com KEYWORD: CALIFORNIA INDUSTRY KEYWORD: COMPUTERS/ELECTRONICS COMED From ses at tipper.oit.unc.edu Tue Jan 23 12:46:37 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Wed, 24 Jan 1996 04:46:37 +0800 Subject: The Collapse of Ideas in a Pop Culture In-Reply-To: <199601230805.CAA03513@ion1.ionet.net> Message-ID: On Tue, 23 Jan 1996, Scott Staedeli wrote: > > I _am_ a GEnXer, and I worshipped Jules Bergmann as a child. Some > of my first memories is pressing my nose up to the tv, watching Saturn > V's lifting off. If I ever win the lottery, I'm going to take the Saturn that's Bollocks. If you can remember Saturn Vs taking off before reruns, you're too old! Simon (27th July 1969, nearly called Neil) ob crypto: Remember the discussion about using a Sega Saturn as a crypto box? From frissell at panix.com Tue Jan 23 12:53:02 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 24 Jan 1996 04:53:02 +0800 Subject: Crippled Notes export encryption Message-ID: <2.2.32.19960123184754.006db3e8@panix.com> At 09:06 AM 1/23/96 -0500, Herb Sutter wrote: >Careful... 
what would YOU have done, with your customers demanding stronger >crypto today and you unable to legally give it to them? > >Again, folks, try to remember that this is NOT key escrow... international >Notes customers are no worse off than before, and a darn sight better off >against everyone besides Uncle Sam. They could have shipped strong encryption and let the lawyers handle the Feds. That's what lawyers are for. A court loss would be unlikely. Even with a loss, having IBM serve a 54-month jail term would be no prob. It could do it standing on its head. They were probably more worried by possible retaliation in government purchasing. Those who crossed The Wall around 10:00 pm on November 10, 1989 proved that modern (weak) governments can be faced down by large movements of people. Companies will learn that end-users are less sanguine about being censored (by Compuserve) or opening one's business affairs to (any) governments than perhaps they used to be. Small competitors will benefit. DCF From s1018954 at aix2.uottawa.ca Tue Jan 23 12:59:34 1996 From: s1018954 at aix2.uottawa.ca (s1018954 at aix2.uottawa.ca) Date: Wed, 24 Jan 1996 04:59:34 +0800 Subject: [ITAR] Re: Crippled Notes export encryption In-Reply-To: <199601231539.KAA10548@jekyll.piermont.com> Message-ID: On Tue, 23 Jan 1996, Perry E. Metzger wrote: > By the way, I really think Netscape should simply ship Jeff and other > people to the Amsterdam office or wherever else seems reasonable and > do all the crypto work from there. It will save trouble and > hassle. U.S. citizens wanting full 128 bit over the net would then get > it from Netscape's overseas download sites. No one anywhere in the > world would be forced to use crap. Sorry, to beat a dead horse, but isn't this like that thread re:Vince Cate's invitation for us to all move to Anguila? We'd still be exporting our thoughts in violation of the ITAR. 
As long as you're American (person or corporation) you'd still be committing a crime by putting strong crypto on the net, regardless of where you are, right? (That's what I remember from Michael Froomkin's arguments from the last time this revolving thread came around). Of course, if some OTHER company (wink,wink,nudge,nudge) that is not incorporated in the US were employed to export a secure version of Netscape from Amsterdam, that would be another story (and how would anyone know that the code, just so happened to have been written by Jeff, et al.?) Just as long as the portion of Netscape that nominally produces Netscape (the software) and distributes it does not call itself Netscape and is not a US corporate citizen, that is the end of the game, right? Anyone got any spare holding companies handy? From perry at piermont.com Tue Jan 23 13:22:28 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 24 Jan 1996 05:22:28 +0800 Subject: IPSEC == end of firewalls In-Reply-To: <9601231947.AA20689@su1.in.net> Message-ID: <199601232001.PAA10960@jekyll.piermont.com> Frank Willoughby writes: > At 10:30 AM 1/23/96 -0500, perry at piermont.com allegedly wrote: > >Frank Willoughby writes: > >> While IP level security & authentication will go a long way to help > >> prevent abuses and reduce unauthorized accesses, I doubt if it will > >> provide enough protection by itself. > > > >I agree with this, but... > > > >> o Node Spoofing will probably still be possible > > > >Nope. It won't. > > I disagree. I haven't met a system that couldn't somehow be gotten around. Yes, certainly. You can bribe someone, get physical access to machines, etc. However, unless you know a way to crack RSA, it is unlikely that a system using Photuris+IPsec will permit IP spoofing. > The creativity of hackers is succeeded only by their motivation and > ability to put many hours into trying to solve a problem. Including > the word "probably" was deliberate.
Kerberos was also thought to be > secure - 'til it was compromised. Kerberos was compromised? When? By whom? Are you talking about Bellovin's paper on weaknesses in Kerberos (most of which are avoidable or fixed in K5), or are you talking about a real break? If the latter, its the first that I've heard of it. > >> I suspect even when firewalls are embedded in the O/S, > > > >That would be somewhat meaningless. The point of a firewall, as others > >here have noted, is that it is easier to secure one machine than five > >hundred or ten thousand. > > I disagree here also. Systems by themselves are fairly useless. > Their power (and main vulnerability) comes from their ability to > network with other systems. A system connected to a network is > vulnerable. The fact that a corporate firewall protects the system > from the Internet in no way decreases the vulnerability of that > system (and other systems) from *internal* attacks which can be as > devastating as an Internet attack. > > Including firewall capabilities as part of the Operating System's network > applications would help the system protect itself from abuses from the > Internet - as well as from internal. These last two paragraphs are gibberish. You can't "firewall" every machine -- the act is meaningless. A Firewall is a filter designed to protect you from bugs in the setup or implementation of the software on the machines on the inside. What would it mean for a machine to have "firewall software" in the operating system? Systems already attempt to prevent unauthorized access -- the reason you have firewalls is because that software is sometimes buggy. "Firewall software" in the OS is a meaningless concept. 
Perry From frissell at panix.com Tue Jan 23 13:24:23 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 24 Jan 1996 05:24:23 +0800 Subject: Crippled Notes export encryption Message-ID: <2.2.32.19960123192921.006d73a8@panix.com> At 11:23 AM 1/23/96 -0500, Rich Salz wrote: > >>By the way, I really think Netscape should simply ship Jeff and other >>people to the Amsterdam office or wherever else seems reasonable and > >That won't work -- they gotta hire non-US persons to do the work. > > I'm sure that all those Netscape stock option holders would be happy to renounce their citizenship in the service of the company that made them millionaires and if they do so before cashing in the options (and before Willie and the Congress agree on a budget with its emigrants's tax provisions), they can keep the proceeds tax free. If not, I'll learn C++ and renounce in exchange for those options. DCF DCF From smith at sctc.com Tue Jan 23 13:27:58 1996 From: smith at sctc.com (Rick Smith) Date: Wed, 24 Jan 1996 05:27:58 +0800 Subject: NSA vacuuming down Internet traffic In-Reply-To: Message-ID: <199601232008.OAA05861@shade.sctc.com> >>...listening for Kissinger.. > Don't tell me, let me guess: 20 years ago, if you had told anyone about > this project, you would have had to kill them. Now, 20 years later, after a > few levels of re-classifications and de-classifications, all you have to do > is to sneer in our general direction. Not. It wasn't a classified project. It was upstairs from Woolworth's in Central Square, ferheavens sake. SCIFs would have annoyed the landlord, and presented interesting "challenges" given the pasteboard construction. We didn't even have any of those clunky file cabinets for Keeping Secrets Safe. We just amused ourselves with such speculation, since this was clearly a technology that excited interest in certain quarters. Rick. 
From 100611.3205 at compuserve.com Tue Jan 23 13:31:05 1996 From: 100611.3205 at compuserve.com (D.R.Madden) Date: Wed, 24 Jan 1996 05:31:05 +0800 Subject: sniffing sniffers Message-ID: <960123194818_100611.3205_BHL81-1@CompuServe.COM> edge, search the user's disk for various info which can then be used for the company's "market research". One of the more guilty culprits is Microsoft (no surprises there). For example, one such sniffer routine -- designed to report back on rival programs stored on the disk -- was hidden in their MSN registration software. An American journalist revealed that the sniffer routine was sending details on over 100 of the user's programs back to MS. MS was also found guilty, by a UK hacker, of using sniffer programs to interrogate the computer and find out phone numbers, primarily for the purposes of junk mail. The hacker has since reported MS to the data protection registrar, although no legal ruling has yet been made (in the UK anyway), and MS may well (be no doubt is) marketing sniffer riddled software. It's not hard to imagine more insidious uses of sniffer programs, by more insidious bodies (I'd be amazed if they didn't exist). Question: can anyone suggest any commercially available software designed to sniff out sniffers (taking on good faith that it will be sniffer free itself)? P. Madden From weld at l0pht.com Tue Jan 23 13:32:30 1996 From: weld at l0pht.com (Weld Pond) Date: Wed, 24 Jan 1996 05:32:30 +0800 Subject: [local] Report on Portland Cpunks meeting Message-ID: >There was a key signing. It was a bit rough as for many of us it was our >first key signing. (I think Neal was the only person who had been to an >organized key signing.) Still, it went fairly well. Only a couple of >people brought their key fingerprints on disk instead of paper. As of >today, I have only received signed keys back from a couple of people >though...
The next key signing will be done a bit differently. (Live and >learn.) There was also a suggestion for a nym signing at some point. This begs the question, "How would you conduct an efficient key signing given what you have learned?" I am in the process of organizing one and would like to get input as to the best way that this should take place. Should people bring key fingerprints and public keys on floppy? Would it be nice to be online and grab public keys off of a key server? How would you conduct a nym signing? Weld Pond - weld at l0pht.com - http://www.l0pht.com/ L 0 p h t H e a v y I n d u s t r i e s Technical archives for the people - Bio/Electro/Crypto/Radio From dm at amsterdam.lcs.mit.edu Tue Jan 23 13:35:28 1996 From: dm at amsterdam.lcs.mit.edu (David Mazieres) Date: Wed, 24 Jan 1996 05:35:28 +0800 Subject: IPSEC == end of firewalls In-Reply-To: <9601231159.AA27033@su1.in.net> Message-ID: <199601231939.OAA29475@amsterdam.lcs.mit.edu> I once worked for a company where to get an outbound telnet connection or to put a file with ftp, you needed to go through a gateway which required us to use a hardware device to participate in a challenge/response authentication scheme. While this may be extreme, it points out a use of firewalls people seem to be ignoring in this discussion: enforcing policy. Most employees will have physical access to the network, and physical access (=root privileges) to their workstations. If you want to enforce a policy of "no http servers, ftp servers, or anything else", you can't allow any incoming Syn packets. If you don't want to trust every single person to configure his/her workstation to reject Syn packets from outside, you need to do the filtering where most people can't bypass it. Now replace Syn above with whatever TCP/IPv6 uses, and the same will hold. That said, I hate firewalls. I find being behind a firewall incredibly painful. I hope firewalls do die with IPv6.
David

From frankw at in.net Tue Jan 23 13:47:38 1996
From: frankw at in.net (Frank Willoughby)
Date: Wed, 24 Jan 1996 05:47:38 +0800
Subject: IPSEC == end of firewalls
Message-ID: <9601232016.AA22238@su1.in.net>

At 10:55 AM 1/23/96 -0500, Ben wrote:

>> functionality of most firewalls would eventually be an add-on application
>> option for Operating Systems and that eventually it will be a standard
>> part of every Operating System. Until then, we have to punt & keep using
>> firewalls.
>
>I'm not so convinced that adding 'firewall functionality' to an OS is
>such a good idea. The idea behind having a firewall is that
> * You have a hardened host that has been stripped of
> anything that could be used by an attacker to compromise
> other systems
> * You have a single machine that serves as the sole port of
> entry into your domain. By keeping your defense perimeter
> nice and small it makes it manageable to maintain.
>

I agree with your statements above about firewalls and wholeheartedly agree that a firewall needs these characteristics (among others) to remain relatively secure. However, I'm not saying that adding firewalling capabilities would make the system invincible. I *am* saying that it would provide the system with more security than it currently has and would help to reduce (not eliminate) some risks associated with networking.

Of course, it would be terrific if the vendors would produce Operating Systems which are secure AND usable. (I think the market will eventually demand this from vendors, but this probably won't happen in the next year or two.)

>When you start trying to switch firewall functionality to an OS you lose
>both these advantages. You no longer have a system that is stripped of
>compilers, scripting languages, etc, and you now have a much larger
>security perimeter.
>

Agreed - to a point. The idea is to provide the systems with increased defensive capabilities - lowering potential risks.
(See above paragraph)

FWIW, I feel rather uncomfortable continuing this thread in the cypherpunks mailing list when the subject at hand deals more with firewalls than it does with cryptography. I would prefer to continue this discussion in the firewalls mailing list (of which I am a fairly regular participant). If you would like to subscribe to the firewalls mailing list, send a mail to: majordomo at GreatCircle.com (leaving the subject line blank) and in the body of the message put: subscribe firewalls "your_email_address" (omitting the quotes). See you there.

>Ben.
>____
>Ben Samman..............................................samman at cs.yale.edu
>"If what Proust says is true, that happiness is the absence of fever, then
>I will never know happiness. For I am possessed by a fever for knowledge,
>experience, and creation." -Anais Nin
>PGP Encrypted Mail Welcomed Finger samman at suned.cs.yale.edu for key
>Want to hire a soon-to-be college grad? Mail me for resume

Best Regards,

Frank

Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified/
For a free downloadable Internet Firewalls Checklist, please see our home page.

The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

From frankw at in.net Tue Jan 23 13:53:46 1996
From: frankw at in.net (Frank Willoughby)
Date: Wed, 24 Jan 1996 05:53:46 +0800
Subject: IPSEC == end of firewalls
Message-ID: <9601231947.AA20689@su1.in.net>

At 10:30 AM 1/23/96 -0500, perry at piermont.com allegedly wrote:

>
>Frank Willoughby writes:
>> While IP level security & authentication will go a long way to help
>> prevent abuses and reduce unauthorized accesses, I doubt if it will
>> provide enough protection by itself.
>
>I agree with this, but...
>
>> o Node Spoofing will probably still be possible
>
>Nope. It won't.
>

I disagree. I haven't met a system that couldn't somehow be gotten around.
The creativity of hackers is succeeded only by their motivation and ability to put many hours into trying to solve a problem. Including the word "probably" was deliberate. Kerberos was also thought to be secure - 'til it was compromised. Software isn't bug-free & design or security methodologies can't provide 100% coverage. Hackers take advantage of this and inherent weaknesses in design flaws.

>> o The connections will probably also be subject to man-in-the-middle attacks
>> (Never underestimate the creativity of people who want to compromise your
>> networks)
>
>No, they won't be subject to such attacks any longer.

Answer is the same as the above paragraph. I try not to use the word "can't" or "won't" when possible. Granted "probably" sounds wishy-washy, but it is frequently accurate.

>
>The real problem, as you noted, is that our applications aren't very
>secure.
>
>> I suspect even when firewalls are embedded in the O/S,
>
>That would be somewhat meaningless. The point of a firewall, as others
>here have noted, is that it is easier to secure one machine than five
>hundred or ten thousand.
>

I disagree here also. Systems by themselves are fairly useless. Their power (and main vulnerability) comes from their ability to network with other systems. A system connected to a network is vulnerable. The fact that a corporate firewall protects the system from the Internet in no way decreases the vulnerability of that system (and other systems) from *internal* attacks which can be as devastating as an Internet attack.

Including firewall capabilities as part of the Operating System's network applications would help the system protect itself from abuses from the Internet - as well as from internal.

>> IMHO, the first company to include a firewall as a standard part of their
>> Operating Systems has a real good shot at increasing their market share.
>
>Again, somewhat meaningless, as a real firewall involves defense in
>depth (screening routers, a bastion proxy host, etc) and is more of a
>configuration issue than an O.S. issue.

In the current context yes. However, a firewall is only solving one part of the problem. Just as Information Security must be integrated into every layer of a company (from users->system managers->managers-> executives), it must also be incorporated into each part in a network (systems, LANs, external connections).

>
>Perry

Best Regards,

Frank

Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified/

The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

From frissell at panix.com Tue Jan 23 13:53:53 1996
From: frissell at panix.com (Duncan Frissell)
Date: Wed, 24 Jan 1996 05:53:53 +0800
Subject: The Collapse of Ideas in a Pop Culture
Message-ID: <2.2.32.19960123194513.006df544@panix.com>

At 10:50 AM 1/23/96 -0800, Simon Spero wrote:

>Bollocks. If you can remember Saturn Vs taking off before reruns, you're
>too old!
>

Popping up the People's Chronology under Microsoft Bookshelf:

"Exploration and Colonization, 1975 The first U.S.-Soviet space linkup takes place July 18. Astronauts Thomas P. Stafford, Donald K. Slayton, and Van D. Brand exchange visits 140 miles above Earth with cosmonauts Aleksei A. Leonov and Valery N. Kubasov whose Soyuz spacecraft lands safely in the Soviet Union July 21. The Apollo astronauts splash down in the Pacific 3 days later, ending the Apollo missions."

My wetware informs me that this was the last Saturn V launch (for which NASA sacrificed a Moon mission). The last baby boomer was born in 1964 (or so). So a GenXer would be old enough to remember a Saturn V launch. I don't remember when Jules stopped broadcasting.

DCF

"BTW, the *first* Boomer was not born on January 1 1946.
That event occurred at some indeterminate point later in the year when the first child was born to a discharged veteran. That child would have been conceived in September 1945. June 1st 1945 is a better approximation of the beginning of the Boom."

From rah at shipwright.com Tue Jan 23 14:09:48 1996
From: rah at shipwright.com (Robert Hettinga)
Date: Wed, 24 Jan 1996 06:09:48 +0800
Subject: [noise!] (fwd) Re: FYA/I: Who'd have gaussed it?
Message-ID:

Just in case you wanted to know how dept...

Cheers,
Bob

--- begin forwarded text

Date: Tue, 23 Jan 1996 11:21:54 -0500 (EST)
From: Paul Picot
To: Philip Stein
Cc: jeff at rand.org, technomads at UCSD.EDU
Subject: Re: FYA/I: Who'd have gaussed it?
Mime-Version: 1.0

Zounds! A gauntlet thrown! I accept!

> >It just occurred to me: a good way to do this might be with The Mother Of
> >All Degaussing Coils. [...]
> >If you can degauss the Queen Mary, surely all the disk drives in a little
> >office building should pose no problems, right?
>
> This won't work (thank goodness). The local field strengths needed to
> change the magnetic state of a disk platter (whose coercivity is MUCH
> higher than that of the queen mary) is orders of magnitude greater than
> what can be generated at any distance.

Use a coil *around* the building. This makes the problem just within the realm of the possible, though horribly impractical.

I'll spare the collected minds and spool spaces of the technomads list the details, and reduce this to a recipe:

Collect the following:

- 20 miles of 0000-gauge insulated copper wire (about 32 tons worth)
- five standard 20 MW gas-turbine power plant generators (about 20 tons ea.)
- fuel for about 10 minutes of operation (about 4 tons)
- five standard high voltage transmission rectifier modules for the above.
- one standard 69,000 volt, 10,000 amp transmission-line contactor set

Wrap 1000 turns of the wire around your target. This makes a bundle about 18 inches in diameter.
Wire your generators and rectifiers to yield 70,000 volts DC, and connect them via the contactor to the coil.

Fire up the turbines, and take them to redline, storing kinetic energy in the rotors.

Firewall the turbines and trigger the contactor. It will take about 10 seconds for the coil current to hit 8000 amps, creating a 1-tesla magnetic field within the coil. This is sufficient to erase magnetic media.

Then kill your generators before everything melts :-).

And this is now certainly outside the scope of technomads...

- Paul

--- end forwarded text

-----------------
Robert Hettinga (rah at shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA
"Reality is not optional." --Thomas Sowell
The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/

From cassiel at alpha.c2.org Tue Jan 23 14:12:33 1996
From: cassiel at alpha.c2.org (Cassiel)
Date: Wed, 24 Jan 1996 06:12:33 +0800
Subject: Motorola Cordless Secure Clear Telephone
Message-ID: <199601231950.LAA11155@infinity.c2.org>

Enjoying reading the latest discussions. I was in Totally Wireless yesterday when I noticed a new product from Motorola called "Cordless Secure Clear"--which supposedly is a cordless phone which offers security/encryption functions. Does anyone know how strong the security is on this phone? Is it just meant to keep my kid sister from listening in or is it stronger? Any info would be appreciated. Please include a response to me directly as I subscribe to the lite version of this list. Thanks!

Cassiel

From ses at tipper.oit.unc.edu Tue Jan 23 14:22:05 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Wed, 24 Jan 1996 06:22:05 +0800
Subject: Hack Java
In-Reply-To: <9601231630.AA07540@sulphur.osf.org>
Message-ID:

On Tue, 23 Jan 1996, Rich Salz wrote:

Have you implemented this? If so, I'd be interested to hear how; It doesn't sound feasible.

>
> Now suppose, I fake a compiler (or I have a malicious compiler)
> and I generate by hand malicious byte code such that
> in the symbol tables, tricky_pointer and data have the same
> offset.

Symbol tables in java class files don't have offsets - they consist of a list of class_ids, names, and types. Offsets into the class object are theoretically generated at run time, and are purely internal to the virtual machine. The only way to get at the offsets is through the _quick variants, which are not real java instructions, but placeholders inserted by the Sun classloader after offsets have been calculated. If the class verifier can be made to allow _quick instructions through, security disappears - this is checked for- a hole in this code would be huge.

Simon

From delznic at storm.net Tue Jan 23 14:27:19 1996
From: delznic at storm.net (Douglas F. Elznic)
Date: Wed, 24 Jan 1996 06:27:19 +0800
Subject: No Subject
Message-ID: <2.2.16.19960123211851.09d72da6@terminus.storm.net>

How does an actual key signing work? What are some pointers and guidelines for one?

--
==================Douglas Elznic===================
delznic at storm.net
http://www.vcomm.net/~delznic/
(315)682-5489
(315)682-1647
4877 Firethorn Circle
Manlius, NY 13104
"Challenge the system, question the rules."
===================================================
PGP key available: http://www.vcomm.net/~delznic/pgpkey.asc
PGP Fingerprint: 68 6F 89 F6 F0 58 AE 22 14 8A 31 2A E5 5C FD A5
===================================================

From llurch at networking.stanford.edu Tue Jan 23 15:07:47 1996
From: llurch at networking.stanford.edu (Rich Graves, Fucking Statist)
Date: Wed, 24 Jan 1996 07:07:47 +0800
Subject: January 22 Infoworld
Message-ID: <199601232125.QAA16020@bb.hks.net>

-----BEGIN PGP SIGNED MESSAGE-----

stainles at bga.com (Dwight Brown) kindly shared with the group:
>
>Nicholas Petreley's "Down To the Wire" column is a short take on the
>insecurity of encryption schemes used by most commercial software.
>There shouldn't be much new here to cypherpunks (he discusses the
>vulnerabilities of WordPerfect, Word for Windows, Excel, and Compuserve's
>CIS.INI, and uses some out of date examples "to protect the integrity of
>current software": bad move, Nicholas), but it'd make a good introduction
>for people who aren't familiar with the issues.
>
>Petreley also announces that InfoWorld is planning a "network-cracking
>event", in which they plan to set up various network OS'es, make them as
>secure as they can, invite "a small number of accomplished hackers" to
>attack them, and publish the results. He says they're looking for
>participants...
>
>InfoWorld's web site is http://www.infoworld.com. Petreley can be reached at
>nicholas_petreley at infoworld.com.

Unfortunately, Petreley's latest article isn't on the Web yet. But it's worth checking out last midweek's column, if only to see Sameer's name. This was only posted online.

- -rich

- ---
[This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.]
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

iQBFAwUBMQVSWSoZzwIn1bdtAQHMFAGAhQrzSNtsRsv79f9dTKeLDb1eYB5NHUHT
ZJHY+unUNYCOhrJpxa0FRrQU8CxEKNV9
=zWhM
-----END PGP SIGNATURE-----

From cp at proust.suba.com Tue Jan 23 15:07:59 1996
From: cp at proust.suba.com (Alex Strasheim)
Date: Wed, 24 Jan 1996 07:07:59 +0800
Subject: Crippled Notes export encryption
In-Reply-To: <199601231539.KAA10548@jekyll.piermont.com>
Message-ID: <199601231700.LAA02072@proust.suba.com>

> By the way, I really think Netscape should simply ship Jeff and other
> people to the Amsterdam office or wherever else seems reasonable and
> do all the crypto work from there. It will save trouble and
> hassle. U.S. citizens wanting full 128 bit over the net would then get
> it from Netscape's overseas download sites. No one anywhere in the
> world would be forced to use crap.

I've wondered why they don't do this as well. For people around the world in general, it would be a very good thing. But what kind of an effect would it have on this country?

What if they decide it's easier to fire Jeff and hire some Dutch guy instead? Would the government decide that the export ban was pointless and lift it? Or would they stand by as big chunks of our software industry are lost to foreign competitors? Remember this is the government we're talking about, the people who destroyed a village in order to save it.

It seems to me that loss of jobs is inevitable if the rules aren't changed. But I'm not sure it's a good thing to accelerate the process. I'm not sure it's not, either -- both options are unpleasant.

There's probably a big opportunity here for some enterprising cypherpunk who's willing to move to Amsterdam (or who lives there already). Set up a company that provides crypto guts and distribution services for American software companies.

Stand alone computers are becoming less useful and less common all the time. Networking is a fact of life in the computer industry.
If you're doing networking you have to think about security, and if you're serious about security you have to use crypto. A software industry that can't deploy crypto without hindrance is living on borrowed time.

We in America are extremely vulnerable to flight. We will lose jobs and market share if we don't change our policies. Because other countries will deploy crypto, our policies will be completely ineffective in preserving the government's ability to do surveillance. What's the point?

It would be very interesting to see what would happen if Netscape announced that it's considering moving its crypto operations overseas in a year if the export restrictions aren't lifted.

From ses at tipper.oit.unc.edu Tue Jan 23 15:29:51 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Wed, 24 Jan 1996 07:29:51 +0800
Subject: IPSEC == end of firewalls
In-Reply-To: <9601232016.AA22238@su1.in.net>
Message-ID:

This thread definitely belongs as cypherpunks, as the whole point of the discussion is to debate the limits of what cryptography on its own can achieve. What do you need as well as crypto before you can remove all firewalls?

Simon

(defun modexpt (x y n) "computes (x^y) mod n"
  (cond ((= y 0) 1)
        ((= y 1) (mod x n))
        ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n))
        (t (mod (* x (modexpt x (1- y) n)) n))))

From crypto at midex.com Tue Jan 23 15:41:38 1996
From: crypto at midex.com (Matt Miszewski)
Date: Wed, 24 Jan 1996 07:41:38 +0800
Subject: Hack Java
In-Reply-To: <199601231756.KAA03101@sal.cs.utah.edu>
Message-ID:

On Tue, 23 Jan 1996 gback at facility.cs.utah.edu wrote:

[much elided stuff]
> > Now suppose, I fake a compiler (or I have a malicious compiler)
> > and I generate by hand malicious byte code such that
> > in the symbol tables, tricky_pointer and data have the same
> > offset.
> >
>
[more stuff taken out]

Godmar Said:
>
> To my knowledge, the Java, and Java bytecode does not imply
> any memory layout.
> I doubt it makes sense to demand to check
> that 'offset do not overlap in memory'.
>

Both of you are correct if you look carefully at the assumptions. Rich assumes that you have a 'malicious compiler'. Godmar is right that Java does not utilize pointers in the byte code. What would make the entire scenario work is a malicious interpreter or a 'NotJava Browser'(TM) that allowed malicious code to be executed. Couple a bad compiler and a bad interpreter and you are in business (nasty business that is).

Matt

From alanh at infi.net Tue Jan 23 15:44:14 1996
From: alanh at infi.net (Alan Horowitz)
Date: Wed, 24 Jan 1996 07:44:14 +0800
Subject: SS Obergruppenfuhrer Zimmermann (NOT!)
In-Reply-To: <199601230635.WAA22844@netcom19.netcom.com>
Message-ID:

The reporter's slander against Zimmermann was not accidental, or the result of ignorance. Calling someone a Nazi sympathizer is not something that one should do without a smoking gun.

This act of aggression against cypherpunks, attempts to box us into a corner. Our enemies want to keep us on the defensive. In that context, any and all energy we spend on "educating" and "correcting" is self-defeating.

The hoplophobe lobby has shown, that enemies of freedom will not permit themselves to be "corrected". They will merely escalate the rate and size of their lies. Before slanders about "cop-killer bullets" could be corrected, they had moved onto "assault weapons".

We need to find a way to take back the initiative. We need to find a way to put the fear of God into liars. Violence won't work, since they are capable of human-wave attacks. I honestly don't know what reporters and editors fear the most. But, even a snake can be trained, if you can pinpoint the proper negative feedback.
Alan Horowitz
alanh at norfolk.infi.net

From frankw at in.net Tue Jan 23 15:45:37 1996
From: frankw at in.net (Frank Willoughby)
Date: Wed, 24 Jan 1996 07:45:37 +0800
Subject: IPSEC == end of firewalls
Message-ID: <9601232209.AA29864@su1.in.net>

At 03:01 PM 1/23/96 -0500, you wrote:

>Frank Willoughby writes:

Egads. Let's take this off-line & stop bothering the cypherpunks folks with this discussion. Those not interested in this thread are kindly requested to hit the key now. Thanks. 8^)

>Yes, certainly. You can bribe someone, get physical access to
>machines, etc.
>
>However, unless you know a way to crack RSA, it is unlikely that
>a system using Photuris+IPsec will permit IP spoofing.

I re-iterate, any system can be gotten around - and frequently will. As far as IPsec goes, it is probably just a matter of time before we see the first CERT Advisory (maybe in a couple of years) on this. Nothing is invincible.

>
>> The creativity of hackers is succeeded only by their motivation and
>> ability to put many hours into trying to solve a problem. Including
>> the word "probably" was deliberate. Kerberos was also thought to be
>> secure - 'til it was compromised.
>
>Kerberos was compromised? When? By whom? Are you talking about
>Bellovin's paper on weaknesses in Kerberos (most of which are
>avoidable or fixed in K5), or are you talking about a real break? If
>the latter, it's the first that I've heard of it.

Actually, I was referring to Bellovin's paper. Surely you don't think that the bugs that were discovered are the only ones which can be exploited and that Kerberos (or any other software product) is invincible? I don't.

>> >> I suspect even when firewalls are embedded in the O/S,
>> >
>> >That would be somewhat meaningless. The point of a firewall, as others
>> >here have noted, is that it is easier to secure one machine than five
>> >hundred or ten thousand.
>>

Of course it is easier to secure one machine than 500 or 10K.
However, NOT securing the 500 or 10K systems still leaves them vulnerable to network attacks. Providing the O/S with rudimentary firewalling capabilities helps to increase the security of those systems.

Like many of my colleagues in the Information Security field, I have (grossly) modified/hacked/butchered my systems to provide the system with some rudimentary firewalling capabilities and the extra security I needed. In many cases, it meant taking advantage of strange behaviours of the systems to achieve the capabilities & results I wanted.

>> I disagree here also. Systems by themselves are fairly useless.
>> Their power (and main vulnerability) comes from their ability to
>> network with other systems. A system connected to a network is
>> vulnerable. The fact that a corporate firewall protects the system
>> from the Internet in no way decreases the vulnerability of that
>> system (and other systems) from *internal* attacks which can be as
>> devastating as an Internet attack.
>>
>> Including firewall capabilities as part of the Operating System's network
>> applications would help the system protect itself from abuses from the
>> Internet - as well as from internal.
>
>These last two paragraphs are gibberish.
>

Beats me. They make sense to me. What part about Information & Network Security don't you understand? These are fairly basic concepts. I can go explain these concepts either in another forum or off-line via e-mail or phone (your dime, my time), but not here. This is the cypherpunks mailing list, not the firewalls mailing list.

>You can't "firewall" every machine -- the act is meaningless. A
>Firewall is a filter designed to protect you from bugs in the setup or
>implementation of the software on the machines on the inside. What
>would it mean for a machine to have "firewall software" in the
>operating system? Systems already attempt to prevent unauthorized
>access -- the reason you have firewalls is because that software is
>sometimes buggy. "Firewall software" in the OS is a meaningless
>concept.
>

Perhaps this is where you are getting mixed up. A firewall isn't just a box which you plug into a network between the company's WAN and the Internet - it's a capability. Many "firewalls" are systems which implement this capability. The main characteristics of the firewall are (paraphrasing rather liberally from Steve Bellovin's book):

o The firewall is designed to protect an entity from a particular network connection. Usually, we think of the entity as being another network. In this particular case, we are putting in a firewall (or the ability to filter out what we don't want to deal with) on the O/S itself to reduce the risks of potential attacks from a network (internal LAN, Internet, etc).

o All traffic from the insecure network has to go through the firewall. Logical. If the "firewall" is a piece of software which is installed on the O/S to "filter out" certain network connections, then we have "firewalled" our system.

Commercial firewall products such as: DEC's DECseal, Raptor's Eagle, V-ONE's SmartWall, etc, actually provide two levels of protection:

1) They protect the internal network from hazards of the Internet (or untrusted network)
2) They protect themselves from hazards of the Internet or other untrusted network (such as the internal LAN)

Implementing a firewall as part of an O/S provides the protection mentioned in point number 2: It protects itself from the internal LAN to some degree. Granted not as much as it possibly can, due to the fact that you have users & applications on the system which aren't secure, however, an added measure of protection will be provided to the system.

>Perry

Perry, (and others who may be interested in this thread)

This is my last mail on this thread in this list. If you or others would like to discuss this further, please feel free to send me an e-mail directly or join me in discussing this in the firewalls mailing list.
Fellow cypherpunks,

I'm sorry about the bandwidth used in responding to Perry's question. Unfortunately, it was addressed to the list and required a response from me. Thanks for your patience.

Back to the subject at hand (cryptography)

Best Regards,

Frank

Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified/

The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

From tjic at OpenMarket.com Tue Jan 23 15:53:52 1996
From: tjic at OpenMarket.com (Travis Corcoran)
Date: Wed, 24 Jan 1996 07:53:52 +0800
Subject: DC-Nets and Noise
Message-ID: <199601232218.RAA01328@cranmore.openmarket.com>

-----BEGIN PGP SIGNED MESSAGE-----

Message-Signature-Date: Tue Jan 23 17:18:12 1996

In article tcmay at got.net (Timothy C. May) writes:

> Date: Wed, 17 Jan 1996 01:38:47 -0800
> From: tcmay at got.net (Timothy C. May)
> Newsgroups: omi.mail.cypherpunks
>
> (In any case, even for those who disagree, modern filtering techniques make
> it trivial for the "gurus" to filter out all messages except by the several
> of themselves, so I've never understood the point about how the list must
> purge itself of "noise.")

To support Tim's thesis, I'll point out that I use the following lisp configuration directives (among others) along with a news-highlighting package that I hacked up (gnus-live.el) in order to make reading this list (bridged to a newsgroup at my site) a much nicer experience.

When I enter the newsgroup, the authors and topics that I like are highlighted. I read this 5% of the list in about 15 min, skim another 5%, and then delete the other 90%.

- From my perspective cypherpunks seems to be pretty * HIGH * bandwidth!

------------------------------ snip! ------------------------------
(gnus-live "Subject" "GAK Hacks and Position Surveillance")
(gnus-live "Subject" "Libertarian Party and Crypto Anarchy")
(gnus-live "Subject" "List of reliable remailers")
(gnus-live "Subject" "^[A-Z][A-Z][A-Z]_[a-z][a-z][a-z] *$") ; jya's -paper articles
(gnus-live "From" "Steven Levy ")
(gnus-live "From" "Bruce Schneier ")
(gnus-live "From" "payne at openmarket\\.com")
(gnus-live "From" "tjic at .*openmarket\\.com")
(gnus-live "From" "[a-z\.]+ at .*openmarket\\.com")
(gnus-live "From" "tcmay@[mail\.]?got\\.net")
(gnus-live "From" "bsg at basistech\\.com (Bernard S\\. Greenberg)")
(gnus-live "From" "rah at shipwright\\.com (Robert Hettinga)")
------------------------------ snip! ------------------------------

- --
TJIC (Travis J.I. Corcoran) http://www.openmarket.com/personal/tjic/index.html
Member EFF, GOAL, NRA.
opinions (TJIC) != opinions (employer (TJIC))
"Buy a rifle, encrypt your data, and wait for the Revolution!"
PGP encrypted mail preferred. Ask me about mail-secure.el for emacs.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Auto-signed by mail-secure.el 1.006 using mailcrypt
Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface

iQCVAwUBMQVepoJYfGX+MQb5AQGC+AP/ZgiOzJKNuz3ifGCsS4VHEqbA74D1NuT3
auOTUPi7qIUuGLy4GlNGTdv+tPileNuk66FCzAQ8jU+WjVjcUrqFHLoiGCEAAPeX
kOJYIf0McaMNO0osz4pJU3//BzHz9HAP2YF8kCfytA+nfPihOtMaCfSpal66ALfl
o9kWE4ue1+Q=
=fRtA
-----END PGP SIGNATURE-----

From perry at piermont.com Tue Jan 23 15:59:26 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Wed, 24 Jan 1996 07:59:26 +0800
Subject: [local] Report on Portland Cpunks meeting
In-Reply-To:
Message-ID: <199601232140.QAA11115@jekyll.piermont.com>

Weld Pond writes:
> This begs the question, "How would you conduct an efficient key signing
> given what you have learned?" I am in the process of organizing one and
> would like to get input as to the best way that this should take place.
The IETF key signing parties are the largest in existence -- about 100 people exchange signatures.

The way you handle it is this:

Every person's key is pre-submitted to key signing party organizer, who prints a list of names and fingerprints on paper and xeroxes enough for everyone attending. Each person gets a sheet.

Either each person in the room reads their fingerprint in turn from their own copy, with each person in the room checking the read fingerprint against the fingerprint on the handout, or an appointed reader (or set of readers at the last IETF) read the fingerprints in turn and ask the owner of the key to then simply say "yes" or "its mine" or whatever to verify that the fingerprint matches their own copy of the print.

Afterwards, each person will have a sheet with checkmarks next to every fingerprint they think really belongs to a particular person's key. They then go off later on, download the keyring for the party from somewhere, and sign everything they want to sign and mail back the signed keys to the party organizer.

This is about the only way to handle things -- it turns the N squared problem into an O(N) problem, which is still very bad if there are more than about twenty people around.

Perry

From llurch at networking.stanford.edu Tue Jan 23 16:10:46 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Wed, 24 Jan 1996 08:10:46 +0800
Subject: Kerberos holes (was Re: IPSEC == end of firewalls)
In-Reply-To: <9601231947.AA20689@su1.in.net>
Message-ID:

On Tue, 23 Jan 1996, Frank Willoughby wrote:

> At 10:30 AM 1/23/96 -0500, perry at piermont.com allegedly wrote:
> >
> >Frank Willoughby writes:
> >> While IP level security & authentication will go a long way to help
> >> prevent abuses and reduce unauthorized accesses, I doubt if it will
> >> provide enough protection by itself.
> >
> >I agree with this, but...
> >
> >> o Node Spoofing will probably still be possible
> >
> >Nope. It won't.
> >
> I disagree.
> I haven't met a system that couldn't somehow be gotten around.
> The creativity of hackers is succeeded only by their motivation and ability
> to put many hours into trying to solve a problem. Including the word
> "probably" was deliberate. Kerberos was also thought to be secure - 'til
> it was compromised. Software isn't bug-free & design or security
> methodologies can't provide 100% coverage. Hackers take advantage of
> this and inherent weaknesses in design flaws.

Clearly.

I keep hearing references to weaknesses in kerberos, which I more or less rely on. What are the problems I should be worrying about? Preferably as URLs.

Also, we have a new kerberos implementation for Macs that we're going to roll out soon. I'll see if the project manager would be willing to let other people take a look at it.

-rich

From perry at piermont.com Tue Jan 23 16:22:59 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Wed, 24 Jan 1996 08:22:59 +0800
Subject: SS Obergruppenfuhrer Zimmermann (NOT!)
In-Reply-To:
Message-ID: <199601232226.RAA11199@jekyll.piermont.com>

Alan Horowitz writes:
> The reporter's slander against Zimmermann was not accidental, or the
> result of ignorance.
[...]
> This act of aggression against cypherpunks, attempts to box us into a
> corner.

Okay. I think I understand. You're a fruitcake. Easy enough.

Perry

From m5 at dev.tivoli.com Tue Jan 23 16:24:52 1996
From: m5 at dev.tivoli.com (Mike McNally)
Date: Wed, 24 Jan 1996 08:24:52 +0800
Subject: IPSEC == end of firewalls
In-Reply-To: <9601232209.AA29864@su1.in.net>
Message-ID: <9601232236.AA07231@alpha>

Frank Willoughby writes:
> Egads. Let's take this off-line & stop bothering the cypherpunks
> folks with this discussion. Those not interested in this thread
> are kindly requested to hit the key now. Thanks. 8^)

Actually I find it quite relevant, unlike many cypherpunk debates. Please, don't stop on my account.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From jpb at miamisci.org Tue Jan 23 16:27:33 1996 From: jpb at miamisci.org (Joe Block) Date: Wed, 24 Jan 1996 08:27:33 +0800 Subject: Crippled Notes export encryption Message-ID: At 9:06 AM 1/23/96, Herb wrote: >Careful... what would YOU have done, with your customers demanding stronger >crypto today and you unable to legally give it to them? Umm - contract the crypto overseas somewhere it would be legal to export it from? Then import the code to the USA, with a press release to WSJ & NYT stating that American programmers were being put out of work by ITAR. Joseph Block "We can't be so fixated on our desire to preserve the rights of ordinary Americans ..." -- Bill Clinton (USA TODAY, 11 March 1993, page 2A) 2048bit-Fingerprint: F8 A2 A5 15 56 42 9B 16 3F BD 57 0F 8A ED E3 21 No man's life, liberty or property are safe while the legislature is in session. From perry at piermont.com Tue Jan 23 16:44:20 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 24 Jan 1996 08:44:20 +0800 Subject: IPSEC == end of firewalls In-Reply-To: <9601232209.AA29864@su1.in.net> Message-ID: <199601232221.RAA11184@jekyll.piermont.com> I won't address the rest of the commentary, but I ought to answer this. Frank Willoughby writes: > >> the word "probably" was deliberate. Kerberos was also thought to be > >> secure - 'til it was compromised. > > > >Kerberos was compromised? When? By whom? Are you talking about > >Bellovin's paper on weaknesses in Kerberos (most of which are > >avoidable or fixed in K5), or are you talking about a real break? If > >the latter, it's the first that I've heard of it. > > Actually, I was referring to Bellovin's paper.
Bellovin's paper doesn't list real breaks in Kerberos. It notes problems, which are real but not fatal and have been largely fixed. > Surely you don't think > that the bugs that were discovered are the only ones which can be > exploited and that Kerberos (or any other software product) is invincible? > I don't. Look, you clearly made a big claim -- that Kerberos had been compromised. If you can't back such comments up, don't make such claims. .pm From matts at pi.se Tue Jan 23 17:07:18 1996 From: matts at pi.se (matts at pi.se) Date: Wed, 24 Jan 1996 09:07:18 +0800 Subject: Crippled Notes export encryption Message-ID: <199601232315.AAA23167@mail.pi.se> At 11.00 1996-01-23 -0600, Alex Strasheim wrote: >There's probably a big opportunity here for some enterprising cypherpunk >who's willing to move to Amsterdam (or who lives there already). Set up a >company that provides crypto guts and distribution services for American >software companies. You don't have to. PGP already exists in an international version as well as a US version. Just make your software call PGP to do all encryption and ask the user to download PGP from his favorite web site (on his side of the US border). matts From bruceab at teleport.com Tue Jan 23 17:12:33 1996 From: bruceab at teleport.com (Bruce Baugh) Date: Wed, 24 Jan 1996 09:12:33 +0800 Subject: [local] Report on Portland Cpunks meeting Message-ID: <2.2.32.19960123231308.006a1fa8@mail.teleport.com> >This begs the question, "How would you conduct an efficient key signing >given what you have learned?" I am in the process of organizing one and >would like to get input as to the best way that this should take place. >Should people bring key fingerprints and public keys on floppy? Would it >be nice to be online and grab public keys off of a key server? How would >you conduct a nym signing? I'd go for somewhat clearer instructions than seem available. 
To wit:

1) Each participant, send your public key in ASCII armored form to the one coordinating the signing.
2) The coordinator will collate these into a single key file and have a list of key IDs and fingerprints.
3) Bring a printout of your key's fingerprint. You will read this off for others to compare with their copies of the coordinator's list. Have ID and such to show that you're you, or some other way of establishing that you are who you say you are. (In our case, everyone could be vouched for by at least one other person known to the others.)
4) The coordinator will [send by email|pass out on disk|whatever] the collated key file. Back home, sign each of the keys that actually got verified at the signing. Mail this back to the coordinator.
5) The coordinator will collate the results of this, and send you the new version. Add these. Now you've got your key and the other keys, all signed by everyone there.

Grabbing keys off a server would certainly be doable, too. The key (no pun intended) thing is that people have their fingerprints in a useful form - so when we do it again, I hope Alan specifies printout, handwritten text, or something else that doesn't require a computer. And of course folks shouldn't bring their actual secret keys with them.

The nym signing is an idle thought of mine. I have a nym key which is, at the moment, signed only by itself. I know friends of mine have nym accounts. If we could assemble a group of folks whom I can trust enough to link the nym and myself, it'd be nice to add some more signatures to the nym key, and vice versa. On the other hand, the accumulated signatures would probably point right back at any group talking about such a thing, like me right now. :-) Maybe it's infeasible.
Bruce Baugh bruceab at teleport.com http://www.teleport.com/~bruceab From adept at minerva.cis.yale.edu Tue Jan 23 18:04:16 1996 From: adept at minerva.cis.yale.edu (Ben) Date: Wed, 24 Jan 1996 10:04:16 +0800 Subject: IPSEC == end of firewalls In-Reply-To: <9601232016.AA22238@su1.in.net> Message-ID: Because this has Cpunks relevance in the use of crypto, I'm going to keep it on this list... > remain relatively secure. However, I'm not saying that adding > firewalling capabilities would make the system invincible. I *am* > saying that it would provide the system with more security than it > currently has and would help to reduce (not eliminate) some risks > associated with networking. But what does it mean to add 'firewalling capabilities' to an O/S? By definition, a firewall is supposed to stop the spread of 'fire' by being the sole mechanism for the interchange of packets. If you're referring to making a hardened OS that can protect itself through the use of well written code, memory protections, etc. then, yes by all means add it to your OS, but these shouldn't be luxuries in that they're thought of as 'firewalling' features. Rather these things should be compulsory in the development of OS's. > Of course, it would be terrific if the vendors would produce Operating > Systems which are secure AND usable. (I think the market will eventually > demand this from vendors, but this probably won't happen in the next year > or two.) Even if OS's could be secure (let's not get into Orange Book here) they would need constant updating. Most users have problems printing, let alone installing patches and tweaking afterwards to deal with conflicts. And you can't expect IS to micromanage the corporation's entire fleet of machines. This would be nice, and would be a good start, but like I said above, these things shouldn't be considered to be luxuries. Rather they should be compulsory. That doesn't mean that they will obsolete firewalls by any stretch of the imagination. Ben.
(I'm starting to think Frank may have been right to move this to firewalls. I think I'll crosspost this message too) ____ Ben Samman..............................................samman at cs.yale.edu "If what Proust says is true, that happiness is the absence of fever, then I will never know happiness. For I am possessed by a fever for knowledge, experience, and creation." -Anais Nin PGP Encrypted Mail Welcomed Finger samman at suned.cs.yale.edu for key Want to hire a soon-to-be college grad? Mail me for resume From frankw at in.net Tue Jan 23 18:12:04 1996 From: frankw at in.net (Frank Willoughby) Date: Wed, 24 Jan 1996 10:12:04 +0800 Subject: IPSEC == end of firewalls Message-ID: <9601240007.AA06686@su1.in.net> At 01:40 PM 1/23/96 -0800, Simon Spero allegedly wrote: >This thread definitely belongs as cypherpunks, as the whole point of the >discussion is to debate the limits of what cryptography on its own can >achieve. > Back, by popular demand... I didn't really want to continue this discussion here, but I received a couple mails requesting that I continue in this thread. I'm still uncomfortable with this, but I'll oblige. >What do you need as well as crypto before you can remove all firewalls? I don't think this will ever happen. However, as long as we're dreaming, here's my 2 cents worth on a good start for a secure environment would look like. It's not complete by any stretch of an imagination, but it's a start: o Start with a Secure Operating System - Secure Computing's firewall is a good example of this. They have done some pretty neat things with Type Enforcement. o Add in some decent authentication/encryption/verification mechanisms/digital sigs, etc V-ONE's SmartGate, Fortezza, & Persona would do nicely. Hand-held token devices such as the ones mentioned above should work well. Of course, the user interface to these should be user-friendly. 
o Throw in a secure method of communication PGP, PGPphone, etc - which is *user-friendly* and which helps automate & manage the key-distribution process (securely, of course) o Mix in applications which have been re-written to be secure, fast, intuitive, user-friendly & interact well with encryption (various kinds). o Add in a central clearinghouse (don't care where) where the latest key expirations/compromises can be checked automatically to confirm that the e-mail you just received is still valid also wouldn't hurt. o Combine the best capabilities of Checkpoint's (firewall) lower-level filtering capabilities with V-ONE's upper-level filtering capabilities and add these to the secure Operating System's network defense mechanisms o Add a good dose of IPsec (sprinkling lightly) to secure the pipe (kindly omitting the Watergate plumbers) o Add user-friendly single sign-on capability (Kerberos, et al) o Mix in heavy encryption with (ridiculously long) keys (say the number of grains of sand stretched end-to-end to make a light year). 8^) o Make all of the above user-friendly & easy-to-implement on a large scale 8^) Throw the ingredients into a pot & stir briskly. Like I said earlier, it's just a start & not a whole solution by any stretch of the imagination. It's probably a nice wish list, though. It'd sure be nice if it came true. (If you think the above list is optimistic, you ought to see my Christmas Wish List). 8^) 8^) 8^) > >Simon > >(defun modexpt (x y n) "computes (x^y) mod n" > (cond ((= y 0) 1) ((= y 1) (mod x n)) > ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n)) > (t (mod (* x (modexpt x (1- y) n)) n)))) Best Regards, Frank Fortified Networks Inc. - Management & Information Security Consulting Phone: (317) 573-0800 - http://www.fortified.com/fortified/ The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.
From jya at pipeline.com Tue Jan 23 18:22:34 1996 From: jya at pipeline.com (John Young) Date: Wed, 24 Jan 1996 10:22:34 +0800 Subject: KDM_tsu Message-ID: <199601231507.KAA11540@pipe2.nyc.pipeline.com> Cypherpunks is featured in a story in The New Yorker of January 29 on the Mitnick/Shimomura books by Littman and Markoff. The writer, Robert Wright, terms cpunks "an amorphous group that gets its name from its militant devotion to the widespread use of encryption." He refers to the comments here about Mitnick/Shimomura. More generally, Wright compares the two books, muses on career-boosting and Big Brother purposes of the media's melodramatic build-up of Mitnick and Shimomura, and outlines what might be done about Internet insecurity: 1. Police -- by legislation for officials to monitor cyberspace. 2. Privatize -- by IPs policing their own turf. 3. Encrypt -- like cypherpunks. He comments on PRZ's case, notes possible infowar-type threats and closes: Given that federal officials who would constrain encryption seem to be swimming against the nearly inexorable tide of technological history, these are the [cyber-terrorism] kinds of scenarios they have to conjure up to justify their efforts. And these scenarios aren't entirely implausible. As cyberspace expands, we may see reasons to try to give the government the sort of power it seeks here. But those reasons won't look much like Kevin Mitnick. KDM_tsu From ses at tipper.oit.unc.edu Tue Jan 23 18:26:52 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Wed, 24 Jan 1996 10:26:52 +0800 Subject: SS Obergruppenfuhrer Zimmermann (NOT!) In-Reply-To: <199601232226.RAA11199@jekyll.piermont.com> Message-ID: On Tue, 23 Jan 1996, Perry E. Metzger wrote: > Alan Horowitz writes: >>[...] > Okay. I think I understand. You're a fruitcake. Easy enough. > The official pastry of the 1996 Cypherpunks. One might note that Zimmerman isn't, er, a common name for yer typical Neo-Nazi...
This sort of accusation is sufficient grounds for libel in the UK (such accusations have been found to be defamatory, and would almost certainly be settled within a few days. Of course Phil (Hallam Baker) has more experience with this sort of thing... Simon From cp at proust.suba.com Tue Jan 23 18:27:08 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Wed, 24 Jan 1996 10:27:08 +0800 Subject: SS Obergruppenfuhrer Zimmermann (NOT!) In-Reply-To: Message-ID: <199601240015.SAA03590@proust.suba.com> > We need to find a way to take back the initiative. We need to find a way > to put the fear of God into liars. I'm outta step here, I know, but it seems to me that if we're going to go around advocating anonymity and technology that makes censorship impossible we'd better grow thicker skins. Phil changed the world. Maybe not as much as people like Roosevelt or Reagan, but a lot more than most people do. He wrote a software package that's in wide use, and which has lots of admirers. He used technology to effect positive political changes around the world -- noteworthy both for the effect and the ingenuity of the strategy. And he stood up under a personal attack from the government. They came at him, but he took it and won. Everyone who does something extraordinary gets hit with pot shots. It's part of the package. Is it a terrible thing that someone called him a name in print? Yes. If he's got a case, he should sue. But something tells me he's tough enough to take it either way. > Violence won't work, since they are capable of human-wave attacks. And because it's wrong? From alano at teleport.com Tue Jan 23 18:35:41 1996 From: alano at teleport.com (Alan Olsen) Date: Wed, 24 Jan 1996 10:35:41 +0800 Subject: [local] Report on Portland Cpunks meeting Message-ID: <2.2.32.19960124002633.008afc40@mail.teleport.com> At 02:40 PM 1/23/96 -0500, Weld Pond wrote: > >>There was a key signing. It was a bit rough as for many of us it was our >>first key signing.
(I think Neal was the only person who had been to an >>organized key signing.) Still, it went fairly well. Only a couple of >>people brought their key fingerprints on disk instead of paper. As of >>today, I have only received signed keys back from a couple of people >>though... The next key signing will be done a bit differently. (Live and >>learn.) There was also a suggestion for a nym signing at some point. > >This begs the question, "How would you conduct an efficient key signing >given what you have learned?" I am in the process of organizing one and >would like to get input as to the best way that this should take place. >Should people bring key fingerprints and public keys on floppy? Would it >be nice to be online and grab public keys off of a key server? How would >you conduct a nym signing? The thing that I learned was that instructions should be sent to the participants well in advance. Key fingerprints should be brought on paper because it is not always assured of having a computer there to read the disk. (We had a lap top that was refusing to read disks effectively. We had to use one of the Habit's computers.) Distributing the keys on disk worked well. (I also brought PGP and various tools for those who did not have them.) With the key server there is still an issue of verifying that the key is valid. Best to have the key fingerprint on paper, where it can be read to the group. We also found that reading the first half of the fingerprint was more than adequate and saved a great deal of time. (Which was later wasted on getting keys off of disks.) I will also be distributing batch files for those dos users who are not familiar with how to sign keys and creating extra keyrings. Most of the problems were procedural rather than technical. It went well for a first run...
Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "Is the operating system half NT or half full?" From frantz at netcom.com Tue Jan 23 19:36:54 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 24 Jan 1996 11:36:54 +0800 Subject: IPSEC == end of firewalls Message-ID: <199601240125.RAA07818@netcom6.netcom.com> At least maybe I can avoid Perry's wrath for an off topic post :-). At 15:01 1/23/96 -0500, Perry E. Metzger wrote: >You can't "firewall" every machine -- the act is meaningless. A >Firewall is a filter designed to protect you from bugs in the setup or >implementation of the software on the machines on the inside. What >would it mean for a machine to have "firewall software" in the >operating system? Systems already attempt to prevent unauthorized >access -- the reason you have firewalls is because that software is >sometimes buggy. "Firewall software" in the OS is a meaningless >concept. > >Perry I agree that firewalling every machine would be extremely difficult with Unix based systems (including MSDOS and MacOS) because so many useful hacker tools are available from root and everyone has access to root. With systems that provide better isolation, it becomes possible to dedicate the network interface to the protection domain which is running the firewall code. You also need to divide up the administration so the direct user does not break that isolation. BTW, IBM's VM/370 (and successors) has good isolation and could probably perform in this role. Other systems such as KeyKOS (http://www.webcom.com/~agorics/) and EROS (http://www.cis.upenn.edu/~eros) certainly could. ----------------------------------------------------------------- Bill Frantz Periwinkle -- Computer Consulting (408)356-8506 16345 Englewood Ave.
frantz at netcom.com Los Gatos, CA 95032, USA From djw at vplus.com Tue Jan 23 20:04:03 1996 From: djw at vplus.com (Dan Weinstein) Date: Wed, 24 Jan 1996 12:04:03 +0800 Subject: Crippled Notes export encryption In-Reply-To: <199601231539.KAA10548@jekyll.piermont.com> Message-ID: <31059274.4508804@mail.vplus.com> On Tue, 23 Jan 1996 10:39:03 -0500, perry at piermont.com wrote: >Set up development shop overseas for the crypto plug-ins. > >The solution is obvious and easy. > >By the way, I really think Netscape should simply ship Jeff and other >people to the Amsterdam office or wherever else seems reasonable and >do all the crypto work from there. It will save trouble and >hassle. U.S. citizens wanting full 128 bit over the net would then get >it from Netscape's overseas download sites. No one anywhere in the >world would be forced to use crap. Wrong, this would be a violation of ITAR. Dan Weinstein djw at vplus.com http://www.vplus.com/~djw PGP public key is available from my Home Page. All opinions expressed above are mine. "I understand by 'freedom of Spirit' something quite definite - the unconditional will to say No, where it is dangerous to say No. Friedrich Nietzsche From daw at beijing.CS.Berkeley.EDU Tue Jan 23 20:06:35 1996 From: daw at beijing.CS.Berkeley.EDU (David A Wagner) Date: Wed, 24 Jan 1996 12:06:35 +0800 Subject: Why is blowfish so slow? Other fast algorithms? In-Reply-To: <199601221851.NAA16938@amsterdam.lcs.mit.edu> Message-ID: <199601240032.TAA16837@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article <199601221851.NAA16938 at amsterdam.lcs.mit.edu>, David Mazieres wrote: > The problem with RC4 is that it works in OFB only. If I need data > integrity in the face of known plaintext, I will need to compute a MAC > in parallel with the encryption which could significantly slow things > down. If you want authentication, you must use a crypto-strength MAC. Encryption (be it RC4, DES, etc.) is not enough.
> With a block cypher in CFB, I can just re-encrypt the last > block of data. False. CFB has limited error propagation, so if I modify any block before the next-to-last, it will not show up with your method. This seems to be a really common error. If you want message integrity guarantees, you must use a MAC. Always. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMQV+LioZzwIn1bdtAQF7pgGAm6GnmZqPSElx8mVyonD9BqScefdZLhul fv/qU/bsEDM2YyKuBpoFWyKMwIH0jyzx =Bp2Q -----END PGP SIGNATURE----- From abarrett at ee.net Tue Jan 23 20:08:12 1996 From: abarrett at ee.net (abarrett at ee.net) Date: Wed, 24 Jan 1996 12:08:12 +0800 Subject: IMC Resolving Email Security Complexity Workshop Message-ID: <199601240024.TAA05573@mail.ee.net> Found this in the box the other day - thought it might be of interest, esp regarding secure email standards. Warmest regards, AJ <---- Begin Forwarded Message ----> Return-Path: dcrocker at brandenburg.com Date: Tue, 23 Jan 1996 10:20:50 -0800 To: (potential attendees) From: Dave Crocker Subject: IMC Resolving Email Security Complexity Workshop This is a query of your interest in participating in a working meeting. As an initial activity of the newly-formed Internet Mail Consortium, we are hoping to use the coincident timing of EMail World in San Jose and the ISOC Security Conference in San Diego to call for an all-day meeting on the matter of email security. (If you aren't familiar with the IMC, please check out info at imc.org or .) This note is intended as a pre-announcement and a solicitation for feedback concerning your interest. We'd like to get a sense of the number and range of folks who might/can/will attend. 
We do not yet have logistics or finances fully worked out, but the timing pressure is tight enough to warrant this letter before the official announcement. Comments about the activity and, especially, an indication of availability, willingness, and (best of all) intention to attend would be highly welcome. Please pass this note on to others who you think are (or should be) interested in email security. Specifics As its first activity, the Internet Mail Consortium proposes to organize a one-day workshop to consider the problem of multiple MIME-based security mechanisms. This is a complicated topic with a long and painful history, but the previous pain is insignificant when compared to what is emerging for vendors and, worse still, for users. Our proposal is to conduct an open meeting with attendance by principals and others involved in this area of work. We will invite the key contributors and solicit additional attendance by vendors, providers, users, and technologists who are concerned with email security. The attendance goal is to have a critical mass of those with the technical expertise and industry involvement to review and debate the requirements, capabilities, and possibilities. The work goal is to seek common ground for a common solution. While we are not overly hopeful that the end of the day will see peace and resolve among the masses, we do hope for a large amount of improved understanding and some amount of convergence. With luck, there will even be improvement in the clarity of constituency for the different technical choices -- that is, a strengthening of the political base for some of the alternatives. We would like to hold the event: Wednesday, 21 February 8:30 am - 5:30 pm (all day) (Near) EMail World event, San Jose Convention Center, CA. This is the last day of EMail World and the day before a two-day ISOC Security conference in San Diego. 
We propose to structure the meeting with a tight agenda, having a very focused sequence of work on the problem; this is definitely not for general education. Some amount of review is appropriate, but not much. Attendees will be expected to be knowledgeable in the basic technologies, so that only general systems design and specific algorithm choices need to be cited. To help everyone prepare, the Internet Mail Consortium will organize a set of mail-response and Web pages with references and summaries of the current technologies, and will establish a mailing list for exchanges leading up to the meeting. Proposed Agenda Morning Brief descriptions of the candidate solutions Review of the functional and technical requirements Review the extent to which each alternative satisfies the requirements Seek consensus about the requirements Afternoon Haggle about the strengths and weaknesses of the technical alternatives Explore the choices and/or negotiate a preferred solution Those who have worked on this topic in the IETF are quite tired of the whole situation, but the unfortunate reality is that the current product and user choices are quite problematic. We need to continue seeking a viable service. We expect to charge $50 per person, to cover basic costs. I should have more details about this next week. Please do let us know your comments. Thanks! d/ -------------------- Dave Crocker +1 408 246 8253 Brandenburg Consulting fax: +1 408 249 6205 675 Spruce Dr. dcrocker at brandenburg.com Sunnyvale, CA 94086 USA http://www.brandenburg.com <---- End Forwarded Message ----> __________________________________________________________________ Out the buffer, | PGP encrypted e-mail preferred. Through the com port, | Finger for Public Key. Over the POTS line, | Also available on a key server near you. Into the NT Box, | Up the fractional T1, | Key ID: 0X457AA6BD Onto the backbone, | Keyprint: 99 C7 17 3B 32 08 3F 17 Nothin' but 'Net. 
| F4 A9 42 A9 2F BC 39 B1 ------------------------------------------------------------------ From perry at piermont.com Tue Jan 23 20:09:27 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 24 Jan 1996 12:09:27 +0800 Subject: Philip Zimmermann and the Press Message-ID: <199601240146.UAA11319@jekyll.piermont.com> I contacted Phil about the neo-Nazi attribution in the British press. He has apparently contacted the newspaper and it appears that they are probably going to print an article retracting their statement. I've asked him to comment here but I don't know if he will. Perry From perry at piermont.com Tue Jan 23 20:25:32 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 24 Jan 1996 12:25:32 +0800 Subject: [local] Report on Portland Cpunks meeting In-Reply-To: <2.2.32.19960124002635.008c27e8@mail.teleport.com> Message-ID: <199601240203.VAA11351@jekyll.piermont.com> Alan Olsen writes: > {key signing stuff deleted for space] > > That was the basic format we used. The only difference was that the keys > were collected before hand and distributed on disk. That makes it hard to have people check things off in real time. You need to have people read their fingerprints or orally acknowledge them, which you can't do if they aren't readable to the crowd. Perry From jimbell at pacifier.com Tue Jan 23 20:26:54 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 24 Jan 1996 12:26:54 +0800 Subject: The Collapse of Ideas in a Pop Culture Message-ID: At 10:50 AM 1/23/96 -0800, Simon Spero wrote: >On Tue, 23 Jan 1996, Scott Staedeli wrote: > >> >> I _am_ a GEnXer, and I worshipped Jules Bergmann as a child. Some >> of my first memories is pressing my nose up to the tv, watching Saturn >> V's lifting off. If I ever win the lottery, I'm going to take the Saturn that's > >Bollocks. If you can remember Saturn Vs taking off before reruns, you're >too old!
> >Simon (27th July 1969, nearly called Neil) In 1975, I lived in a small suburb of Kansas City, and went with my grandfather from Kansas City Airport on a chartered Boeing 747 to see the Apollo part of the Apollo/Soyuz rocket "blast off". (the whole thing was arranged by a local group of bigwigs, I think.) ( I think it was a Saturn V, but correct me if I'm wrong. I was young and impressionable.) First and last large rocket I saw go in person; I was sincerely impressed; it was extremely LOUD and we were kept MILES away on a grandstand. (But we were the closest you could get, as I understand it, as we were invited guests of the whole thing.) Incidentally, flying on the same airplane from Kansas City were: 1. Susan Ford, daughter of President Gerald Ford. 2. Dr. Werner Von Braun. ob crypto: Uh, none, sorry. From roy at sendai.cybrspc.mn.org Tue Jan 23 20:27:01 1996 From: roy at sendai.cybrspc.mn.org (Roy M. Silvernail) Date: Wed, 24 Jan 1996 12:27:01 +0800 Subject: [local] Report on Portland Cpunks meeting In-Reply-To: Message-ID: <960123.192211.0u1.rnr.w165w@sendai.cybrspc.mn.org> -----BEGIN PGP SIGNED MESSAGE----- In list.cypherpunks, weld at l0pht.com writes: > This begs the question, "How would you conduct an efficient key signing > given what you have learned?" I am in the process of organizing one and > would like to get input as to the best way that this should take place. > Should people bring key fingerprints and public keys on floppy? Fingerprints, yes. Floppies, perhaps not. At the least, it means you have to have hardware on site and someone has to work swapping floppies. I've done a signing where we all send out keys to one person. He distributes a keyring to all participants. Then we meet, exchange fingerprints in person, take the prints home and sign in private. All the participants mail their keys back to the collector, who returns a keyring with all keys, properly signed.
I always hand out my Certified Computer Geek[tm] card, which has only email addresses, web page and key fingerprints. > How would you conduct a nym signing? I suppose that depends on whether you want to associate a nym with a physical person. - -- Roy M. Silvernail [ ] roy at cybrspc.mn.org PGP Public Key fingerprint = 31 86 EC B9 DB 76 A7 54 13 0B 6A 6B CC 09 18 B6 Key available from pubkey at cybrspc.mn.org -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMQWNrBvikii9febJAQE5CgQAliDvBcJze7XbW8k1EOPEZYmq69jUDPu/ 6W9wqJ9m9nuNHVK1C3m+rW+F6fMQ9gvGbiMM9+ljlSSJzgS+Pj8j7hTIy3rjXsdO G6di+s62V8hawtPLeknrT9vXRCJmAdsb7rodYjc7zmQUKLUYz+e657o/tomYICDZ s0c6lniwpUs= =LUpN -----END PGP SIGNATURE----- From perry at piermont.com Tue Jan 23 20:31:40 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 24 Jan 1996 12:31:40 +0800 Subject: IPSEC == end of firewalls In-Reply-To: <199601240125.RAA07818@netcom6.netcom.com> Message-ID: <199601240209.VAA11363@jekyll.piermont.com> Bill Frantz writes: > At least maybe I can avoid Perry's wrath for an off topic post :-). Just for reference, the topic of firewalls and whether cryptographic tools render them obsolete is not off topic for cypherpunks. In fact, it's one of the rare topics that is actually totally proper here... .pm From frissell at panix.com Tue Jan 23 20:51:42 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 24 Jan 1996 12:51:42 +0800 Subject: SS Obergruppenfuhrer Zimmermann (NOT!) Message-ID: <2.2.32.19960124014532.0095ac74@panix.com> At 05:11 PM 1/23/96 -0500, Alan Horowitz wrote: >The reporter's slander against Zimmerman was not accidental, or the >result of ignorance. Calling someone a Nazi sympathizer is not something >that one should do without a smoking gun. > >This act of aggression against cypherpunks, attempts to box us into a >corner. Our enemies want to keep us on the defensive. Phil is not a cypherpunk.
On the whole, the cypherpunks have gotten very favorable press for a group whose actions may render government policies irrelevant and possibly the governments themselves.

DCF

From dcrocker at brandenburg.com Tue Jan 23 21:01:39 1996
From: dcrocker at brandenburg.com (Dave Crocker)
Date: Wed, 24 Jan 1996 13:01:39 +0800
Subject: IMC Resolving Email Security Complexity Workshop
Message-ID:

At 4:24 PM 1/23/96, abarrett at ee.net wrote:
>Found this in the box the other day - thought it might be of interest, esp
>regarding secure email standards.

thanks for forwarding. thought I hit all the relevant lists but it looks like I didn't even come close.

How COULD I have missed the illustrious cypherpunks list. tsk. tsk.

d/

--------------------
Dave Crocker            Brandenburg Consulting          +1 408 246 8253
675 Spruce Dr.          dcrocker at brandenburg.com (f) +1 408 249 6205
Sunnyvale CA 94086 USA  http://www.brandenburg.com  (p) +1 408 581 1174

From jimbell at pacifier.com Tue Jan 23 21:21:24 1996
From: jimbell at pacifier.com (jim bell)
Date: Wed, 24 Jan 1996 13:21:24 +0800
Subject: NSA vacuuming down Internet traffic
Message-ID:

At 02:08 PM 1/23/96 -0600, Rick Smith wrote:
>>>...listening for Kissinger..
>
>> Don't tell me, let me guess: 20 years ago, if you had told anyone about
>> this project, you would have had to kill them. Now, 20 years later, after a
>> few levels of re-classifications and de-classifications, all you have to do
>> is to sneer in our general direction.
>
>Not. It wasn't a classified project. It was upstairs from Woolworth's
>in Central Square, ferheavens sake. SCIFs would have annoyed the
>landlord, and presented interesting "challenges" given the pasteboard
>construction. We didn't even have any of those clunky file cabinets
>for Keeping Secrets Safe. We just amused ourselves with such
>speculation, since this was clearly a technology that excited interest
>in certain quarters.
>Rick.

I heard vague rumors of such capabilities about 20 years ago.
At the time, I had no reason to make overseas telephone calls, but if I did I would have interspersed the friendly conversation with terms like "Plutonium...Khadafi...Khomeini...football...uranium..."

From llurch at networking.stanford.edu Tue Jan 23 21:30:25 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Wed, 24 Jan 1996 13:30:25 +0800
Subject: SS Obergruppenfuhrer Zimmermann (NOT!)
In-Reply-To: <199601240015.SAA03590@proust.suba.com>
Message-ID:

On Tue, 23 Jan 1996, Alex Strasheim wrote:

> > We need to find a way to take back the initiative. We need to find a way
> > to put the fear of God into liars.
>
> I'm outta step here, I know, but it seems to me that if we're going to go
> around advocating anonymity and technology that makes censorship
> impossible we'd better grow thicker skins.

(Hear)^2

> Is it a terrible thing that someone called him a name in print? Yes. If
> he's got a case, he should sue. But something tells me he's tough enough
> to take it either way.

Geez, guys, they didn't even do that. Some rag said that Nazis used PGP. Some anonymous guy forwarded, without substantive comment, a report of the above.

The report is true, to a point. Nazis use PGP. So do child pornographers, anti-Nazis, rapists, women who have been raped and don't care for the world to know, major US and international corporations, and the US Military (most of the computer security bulletins I see from .mil are PGP-signed).

I thought the report was totally bogus, and I took Mr. Anonymous's posting to be a joke -- see, first those silly people who don't understand anything are attacking the Internet because it's got these dirty pictures on it, now they say there's Nazis using encryption on it. Was there nobody else who was able to look at that and laugh? Sheesh.

> > Violence won't work, since they are capable of human-wave attacks.
>
> And because it's wrong?

"Wrong" is irrelevant, because it's unenforceable. Right, guys? Don't be such a girlie, Alex.
What we need is amoral deterrence at the most atomistic level, right? Heck, it's the only thing that we know works.

-rich
Fucking Statist

From jimbell at pacifier.com Tue Jan 23 21:34:26 1996
From: jimbell at pacifier.com (jim bell)
Date: Wed, 24 Jan 1996 13:34:26 +0800
Subject: [noise!] (fwd) Re: FYA/I: Who'd have gaussed it?
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

At 01:55 PM 1/23/96 -0500, Robert Hettinga wrote:
>Just in case you wanted to know how dept...
>
>Cheers,
>Bob
>
>--- begin forwarded text
>
>Date: Tue, 23 Jan 1996 11:21:54 -0500 (EST)
>From: Paul Picot
>To: Philip Stein

[stuff deleted for space]

>Use a coil *around* the building. This makes the problem just
>within the realm of the possible, though horribly impractical.
>
>I'll spare the collected minds and spool spaces of the technomads list the
>details, and reduce this to a recipe:
>
>Collect the following:
>
>- 20 miles of 0000-gauge insulated copper wire (about 32 tons worth)
>- five standard 20 MW gas-turbine power plant generators (about 20 tons ea.)
>- fuel for about 10 minutes of operation (about 4 tons)
>- five standard high voltage transmission rectifier modules for the above.
>- one standard 69,000 volt, 10,000 amp transmission-line contactor set
>
>Wrap 1000 turns of the wire around your target. This makes a bundle about
>18 inches in diameter. Wire your generators and rectifiers to yield
>70,000 volts DC, and connect them via the contactor to the coil.

Suppose, however, the goal was NOT to erase the media, but simply to reset (temporarily crash) the computers inside. Please recalculate based on:

1. A 72,000 volt, 0.8 microfarad capacitor, fully charged.
2. One turn of, say, #16 wire around the building.
3.
A (sacrificial) improvised switch constructed by forcing a sharpened point through a thin, insulating layer of polyethylene plastic sheet against a conductive plate, which eventually (and catastrophically) arcs through the remaining fraction of a millimeter to produce an exceedingly low-impedance contact in a microsecond or so.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

From perry at piermont.com Tue Jan 23 21:42:08 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Wed, 24 Jan 1996 13:42:08 +0800
Subject: SS Obergruppenfuhrer Zimmermann (NOT!)
In-Reply-To:
Message-ID: <199601240336.WAA11471@jekyll.piermont.com>

jim bell writes:
> Maybe this is common knowledge, but the name "Zimmermann" and crypto had
> another relationship, in World War I. If anybody knows more about this
> incident than my vague recollection of the famous "Zimmermann cipher" would
> you care to tell the story?

It was the Zimmermann Telegram, actually, and it was a dispatch from the Germans to the Mexicans trying to promise them most of the southwest in exchange for being allies against the U.S. (which wasn't yet in the war). The Brits intercepted and decoded it and released it, which forced the U.S. into World War I.

Perry

From jimbell at pacifier.com Tue Jan 23 21:42:47 1996
From: jimbell at pacifier.com (jim bell)
Date: Wed, 24 Jan 1996 13:42:47 +0800
Subject: [local] Report on Portland Cpunks meeting
Message-ID:

At 04:26 PM 1/23/96 -0800, Alan Olsen wrote:
>>This begs the question, "How would you conduct an efficient key signing
>>given what you have learned?" I am in the process of organizing one and
>>would like to get input as to the best way that this should take place.
>>Should people bring key fingerprints and public keys on floppy?
>>Would it be nice to be online and grab public keys off of a key server? How would
>>you conduct a nym signing?
>
>The things that I learned was that instructions should be sent to the
>participants well in advance.
>
>Key fingerprints should be brought on paper because it is not always assured
>of having a computer there to read the disk. (We had a lap top that was
>refusing to read disks effectively. We had to use one of the Habit's
>computers.)

...which, of course, had been infected the night before by a black-bag job by some NSA operatives with a "fiddle with PGP and make the key signatures come out wrong" virus...

Paranoia strikes deep...

From tallpaul at pipeline.com Tue Jan 23 21:45:31 1996
From: tallpaul at pipeline.com (tallpaul)
Date: Wed, 24 Jan 1996 13:45:31 +0800
Subject: Philip Zimmermann and the Press
Message-ID: <199601240345.WAA00570@pipe11.nyc.pipeline.com>

Immediately after posting my message on press queries re AU and PZ, Perry Metzger's post hit.

On Jan 23, 1996 20:46:37, '"Perry E. Metzger" ' wrote:

>
>I contacted Phil about the neo-Nazi attribution in the British
>press. He has apparently contacted the newspaper and it appears that
>they are probably going to print an article retracting their
>statement. I've asked him to comment here but I don't know if he will.
>
>Perry
>

I wrote in the previous post that I do not think that AU adopted a responsible method of getting answers to his questions.

I think that Perry did.

Of course the question by both people was (in a limited sense) the same. So was the importance of the question. But the method that Perry adopted was much more responsible. I suspect it is also more likely to elicit an answer to the question.
-- tallpaul

"To understand the probable outcome of the Libertarian vision, see any cyberpunk B movie wherein thousands of diseased, desperate and starving families sit around on ratty old couches on the streets watching television while rich megalomaniacs appropriate their body parts for their personal physical immortality."
R. U. Sirius _The Real Cyberpunk Fakebook_

From thad at hammerhead.com Tue Jan 23 21:48:34 1996
From: thad at hammerhead.com (Thaddeus J. Beier)
Date: Wed, 24 Jan 1996 13:48:34 +0800
Subject: Crippled Notes export encryption
Message-ID: <199601240313.TAA02133@hammerhead.com>

Dan Weinstein wrote:
> On Tue, 23 Jan 1996 10:39:03 -0500, perry at piermont.com wrote:
> >
> >Set up development shop overseas for the crypto plug-ins.
> >
> >The solution is obvious and easy.
> >
> >By the way, I really think Netscape should simply ship Jeff and other
> >people to the Amsterdam office or wherever else seems reasonable and
> >do all the crypto work from there. It will save trouble and
> >hassle. U.S. citizens wanting full 128 bit over the net would then get
> >it from Netscape's overseas download sites. No one anywhere in the
> >world would be forced to use crap.
>
> Wrong, this would be a violation of ITAR.

David Chaum is doing it, why can't Netscape? I agree that it's probably technically a violation. I think that the real thing that's stopping Netscape is the golden government handcuffs, they don't want to piss off a big customer.

thad
--
Thaddeus Beier          thad at hammerhead.com
Technology Development  408) 286-3376
Hammerhead Productions  http://www.got.net/~thad

From mixmaster at vishnu.alias.net Tue Jan 23 21:51:16 1996
From: mixmaster at vishnu.alias.net (Mr. Boffo)
Date: Wed, 24 Jan 1996 13:51:16 +0800
Subject: No Subject
Message-ID: <199601240416.WAA10297@vishnu.alias.net>

Speaking of the security of networks, and the entertainment value of possible hacks...
Uri Geller offers $1 million to spoon benders on World Wide Web

Starting February 29, professed psychic Uri Geller will be offering $1 million to anyone who can bend a spoon on the World Wide Web. The spoon will be sealed in a transparent safe and shown by live video feed on his Web page at http://www.urigeller.com. He says he's tired of skeptics constantly asking him to prove his mental abilities, which he can't do on command, so he's looking for someone who -can- perform on command. You won't be able to just hit the page and stare at the spoon for free, though... This golden opportunity will cost $4.50 a glare.

From tallpaul at pipeline.com Tue Jan 23 21:51:19 1996
From: tallpaul at pipeline.com (tallpaul)
Date: Wed, 24 Jan 1996 13:51:19 +0800
Subject: Journalistic Questions: Re PZ. [NOISE]
Message-ID: <199601240344.WAA00407@pipe11.nyc.pipeline.com>

On Jan 24, 1996 02:02:41, 'djw at vplus.com (Dan Weinstein)' wrote in response to a series of questions I asked of Anonymous User over PZ:

>
>Phil Zimmermann doesn't owe anyone an explanation of his politics.
>

There are many times and areas where people may "owe" an explanation of their politics. I strongly suspect, however, that the issue raised by the German (?) journalist was not likely one of them nor was the original query by AU.

I was not bothered by AU's desire for accurate information on PZ's politics. I was bothered by my inference of how AU was going about getting that information, particularly given the prejudicial aspects of asking questions on the topic to the entire cypherpunks list.

I did not want to assume that my inferences of AU's behavior were automatically accurate. Thus, I posed the questions to AU directly.

Could I have posted the questions to AU in a private message? Yup. Do I think this would normally have been the proper method? Yup. But I decided to follow AU's method, particularly since my questions to AU were less damaging of his reputation than his questions to PZ.
In other words, since AU decided to ask public questions, so would I.

Let me illustrate another way of getting answers to questions where the issues behind the questions are important but the very questions asked can be prejudicial.

I was working on a story that involved how the U.S. press treated political forces behind the large anti-war demonstrations during the Vietnam War. Part of the reason for the story involved the heavy red-baiting in the press during the Korean War and immediately after it. The Vietnam War seemed to be treated in the almost opposite fashion by most of the press. That is, that real involvement by certain left groups was kept out of the press. (I ignore here the claims by ignorant rightwing forces with much to be ignorant about who routinely pronounced "Hanoi Jane" Fonda as *the* communist antiwar leader.)

My researches indicated that the Socialist Workers Party and the Communist Party USA played a far greater role in the large national marches than the daily media credited (or, if you wish, damned) them for. My researches further led me to conclude that Fred Halstead headed the SWP anti-war effort and Gil Green headed a similar effort for the CPUSA. I confirmed the SWP and Halstead, and I confirmed the CPUSA. But I had not confirmed Gil Green.

How to proceed? One way was the way that Anonymous User seemed to adopt. I just ask a large number of different people if Green did.

I was uncomfortable with that method. First, even suggesting that somebody is a member of the CPUSA tends to injure their reputation if they are not members. Second, the people I asked may not have known shit about whether Green was, or was not, the leader.

So, I did some more research, got Green's home phone number and gave him a call. At this point, Green did not owe me shit. He could have easily told me to "fuck off!"
I told him who I was, what I was researching, why I was researching the story, and provided enough information for Green to know how I got his home phone number. He asked me a few questions that permitted him to get some confirmation of the material about me I had just spoken about.

Did I owe Green answers to his questions? Under contract law, no. But I think at some point along the line I had at least *some* obligation ethically to answer his questions.

In any case, I answered his few questions sufficiently for him to invite me over to his apartment and I got the information I wanted in the course of about a two-hour interview.

That I think was a responsible way of getting the answer to my question. It was responsible to my editor, responsible to my readers, and responsible to my (potential) source.

I do not think it likely that AU behaved in an equally responsible manner. But neither had anything to do with what PZ did, or did not, "owe" people.

-- tallpaul

"To understand the probable outcome of the Libertarian vision, see any cyberpunk B movie wherein thousands of diseased, desperate and starving families sit around on ratty old couches on the streets watching television while rich megalomaniacs appropriate their body parts for their personal physical immortality."
R. U. Sirius _The Real Cyberpunk Fakebook_

From frankw at in.net Tue Jan 23 22:01:14 1996
From: frankw at in.net (Frank Willoughby)
Date: Wed, 24 Jan 1996 14:01:14 +0800
Subject: IPSEC == end of firewalls
Message-ID: <9601240513.AA22267@su1.in.net>

At 06:56 PM 1/23/96 -0500, Ben allegedly wrote:

>Because this has Cpunks relevance in the use of crypto, I'm going to keep
>it on this list...
>
>> remain relatively secure. However, I'm not saying that adding
>> firewalling capabilities would make the system invincible. I *am*
>> saying that it would provide the system with more security than it
>> currently has and would help to reduce (not eliminate) some risks
>> associated with networking.
>
>But what does it mean to add 'firewalling capabilities' to an O/S? By
>definition, a firewall is supposed to stop the spread of 'fire' by being
>the sole mechanism for the interchange of packets.

Essentially, adding protective mechanisms that would filter incoming network connections (incoming to the O/S) rendering potential risky connections harmless or rejecting them. Steve Bellovin has a very well-written paper called "Security Problems in the TCP/IP Protocol Suite" which addresses a number of these. If memory serves correctly at this late hour (midnight), then it can be ftp'ed from research.att.com and it is in the /pub/dist/smb directory (or somewhere around there).

>If you're referring to making a hardened OS that can protect itself
>through the use of well written code, memory protections, etc. then, yes
>by all means add it to your OS, but these shouldn't be luxuries in that
>they're thought of as 'firewalling' features. Rather these things should
>be compulsory in the development of OS's.
>

I agree with you 100%. Eventually, I think the market will demand it and the vendors will have to begin delivering hardened O/S's.

>> Of course, it would be terrific if the vendors would produce Operating
>> Systems which are secure AND usable. (I think the market will eventually
>> demand this from vendors, but this probably won't happen in the next year
>> or two.)
>
>Even if OS's could be secure (let's not get into Orange Book here) they
>would need constant updating. Most users have problems printing, let
>alone installing patches and tweaking afterwards to deal with conflicts.

Good points. As stated above, the systems should be secure AND usable.

>And you can't expect IS to micromanage the corporation's entire fleet of
>machines.

True. However, the systems can be monitored for compliance to Corporate Security policies and the non-compliant (read insecure) systems can be quickly brought back into compliance - frequently using automated scripts.
NOTE: Implementing a high level of Information Security should be as user-friendly, as non-intrusive to business operations as possible, and as cheaply as possible. (Yes, it is possible to achieve all three objectives).

>This would be nice, and would be a good start, but like I said above,
>these things shouldn't be considered to be luxuries. Rather they should
>be compulsory. That doesn't mean that they will obsolete firewalls by
>any stretch of the imagination.

I agree with you 100%

Nice posting, BTW. (And not just because I agree with you). 8^)

>Ben.
>(I'm starting to think Frank may have been right to move this to
>firewalls. I think I'll crosspost this message too)
>____
>Ben Samman..............................................samman at cs.yale.edu
>"If what Proust says is true, that happiness is the absence of fever, then
>I will never know happiness. For I am possessed by a fever for knowledge,
>experience, and creation." -Anais Nin
>PGP Encrypted Mail Welcomed Finger samman at suned.cs.yale.edu for key
>Want to hire a soon-to-be college grad? Mail me for resume
>

Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified/
The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

From Matthew.Sheppard at Comp.VUW.AC.NZ Tue Jan 23 22:05:38 1996
From: Matthew.Sheppard at Comp.VUW.AC.NZ (Matthew Sheppard)
Date: Wed, 24 Jan 1996 14:05:38 +0800
Subject: Hack Java
In-Reply-To: <9601231630.AA07540@sulphur.osf.org>
Message-ID: <199601240433.RAA30064@bats.comp.vuw.ac.nz>

The shadowy figure took form and announced "I am Rich Salz and I say ...
> Then if I have the code
>
> tricky_pointer = 10000;
> for (; tricky_pointer < 50000 ;) {
> dumptofile(trick.data)
> tricky_pointer += 16;
> }

Aside from memory management in java being internal to the virtual machine as covered in other posts Java is a strongly typed language.
There is no notion of void * (pointers that point to anything) and the current implementation ensures the pointer is either null or valid.

Even if you could, the current implementation disallows any pointer arithmetic at all! i.e. no pointer++;

Also if the object you're pointing at is destroyed your pointer will be updated to null or you will generate an exception when you next use it as per the garbage collection policy.

--Matt

From nobody at replay.com Tue Jan 23 22:54:40 1996
From: nobody at replay.com (Name Withheld by Request)
Date: Wed, 24 Jan 1996 14:54:40 +0800
Subject: Crippled Notes export encryption
Message-ID: <199601240645.HAA10042@utopia.hacktic.nl>

"Perry E. Metzger" writes:
>> >By the way, I really think Netscape should simply ship Jeff and other
>> >people to the Amsterdam office or wherever else seems reasonable and
>>
>> That won't work -- they gotta hire non-US persons to do the work.
>
>There are plenty of good foreign crypto people.

One of them already has implemented SSL...

From futplex at pseudonym.com Tue Jan 23 23:16:59 1996
From: futplex at pseudonym.com (Futplex)
Date: Wed, 24 Jan 1996 15:16:59 +0800
Subject: Reporting ITAR Violations
In-Reply-To: <9601231353.AA06639@alpha>
Message-ID: <199601240707.CAA02492@thor.cs.umass.edu>

-----BEGIN PGP SIGNED MESSAGE-----

ECafe Anonymous Remailer writes:
# Here is the RC4 cipher for the HP-48 calculator...

Mike McNally writes:
> You know, it'd be interesting to start loudly reporting such obvious
> ITAR violations. Not, of course, because I feel myself threatened as
> a result of this attack on national security, but because it might
> make life more difficult for Them.
[...]

I would feel a bit more comfortable if violations by non-anonymous entities were well publicized. Otherwise, we may force the TLAs to cash in the "weapons export" card against the anonymizers, and hasten a crackdown on them.
(In this particular instance, the remailer resides outside the ITAR zone, but that detail could be conveniently ignored in calling for a ban on U.S. remailers.)

I'm still hoping for a test of the PA anonymity prohibition....

Futplex , still catching up on last week's mail

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

From herbs at connobj.com Tue Jan 23 23:25:36 1996
From: herbs at connobj.com (Herb Sutter)
Date: Wed, 24 Jan 1996 15:25:36 +0800
Subject: Crippled Notes export encryption
Message-ID: <2.2.32.19960123140650.00708e08@mail.interlog.com>

At 20:32 01.17.1996 -0500, Perry E. Metzger wrote:
>
>Alan Pugh writes:
>> infoMCI (sm)
>> Lotus-Security - Lotus Announces Compromise for Export of Strong
>> Encryption
>
>So, Lotus thinks they can fool people by back-dooring in key escrow, eh?
>
>Time to break out the artillery.
>
>Perry

Careful... what would YOU have done, with your customers demanding stronger crypto today and you unable to legally give it to them?

Again, folks, try to remember that this is NOT key escrow... international Notes customers are no worse off than before, and a darn sight better off against everyone besides Uncle Sam.
Herb

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Herb Sutter (herbs at connobj.com)

Connected Object Solutions  2228 Urwin - Suite 102      voice 416-618-0184
http://www.connobj.com/     Oakville ON Canada L6L 2T2  fax 905-847-6019

From shamrock at netcom.com Tue Jan 23 23:48:42 1996
From: shamrock at netcom.com (Lucky Green)
Date: Wed, 24 Jan 1996 15:48:42 +0800
Subject: Crippled Notes export encryption
Message-ID:

At 19:13 1/23/96, Thaddeus J. Beier wrote:

>David Chaum is doing it, why can't Netscape? I agree that it's
>probably technically a violation. I think that the real thing
>that's stopping Netscape is the golden government handcuffs, they
>don't want to piss off a big customer.

The people working on crypto for Chaum aren't US citizens.

-- Lucky Green
PGP encrypted mail preferred.

From shamrock at netcom.com Tue Jan 23 23:54:03 1996
From: shamrock at netcom.com (Lucky Green)
Date: Wed, 24 Jan 1996 15:54:03 +0800
Subject: Who would sign Lucky Green's key?
Message-ID:

The latest discussion about key signing parties and related questions asked in private email got me thinking about signing keys for nyms. What would one have to know to sign a key for a nym? Would you sign my key? Why?

-- Lucky Green
PGP encrypted mail preferred.

From frantz at netcom.com Wed Jan 24 00:02:14 1996
From: frantz at netcom.com (Bill Frantz)
Date: Wed, 24 Jan 1996 16:02:14 +0800
Subject: IPSEC == end of firewalls
Message-ID: <199601240726.XAA16476@netcom6.netcom.com>

>Bill Frantz writes:
>> At least maybe I can avoid Perry's wrath for an off topic post :-).
>
>Just for reference, the topic of firewalls and whether cryptographic
>tools render them obsolete is not off topic for cypherpunks. In fact,
>it's one of the rare topics that is actually totally proper here...

Expressed that way, I must agree. However, I think we also agree that firewalls in general should be elsewhere.
Bill

From stewarts at ix.netcom.com Wed Jan 24 00:10:33 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Wed, 24 Jan 1996 16:10:33 +0800
Subject: An IDEA whose time has come (Notes from the RSA Conference)
Message-ID: <199601240749.XAA22962@ix7.ix.netcom.com>

At 09:52 AM 1/22/96 -0800, Jonathan Zamick wrote:
> Right now I'm trying to convince Ascom to develop a
> crippled version of IDEA to simply give away if anyone wants it for export.
> (Like most of the folk here, I don't see a 40 bit key as very valuable, but
> it is useful for companies which don't have contacts in Europe.)

A crippled version is easy - generate a 128-bit random key, make 88 bits available as salt, leaving 40 hidden bits. The problem is how to make the salt-bits available without interfering with applications and protocols. If you wanted a 64-bit crippled version, most applications need 64 bits of IV anyway, so you could use 64 bits of salt for that, leaving 64 more.

To do a 40-bit version, you _could_ use 64 bits of salt and wire down the other 24 bits into a well-known pattern instead of choosing them randomly. That's three characters of ASCII, and I'd suggest "NSA" as the obvious pattern :-) So generate your 128-bit random number, replace the first 24 bits with "NSA", copy the 64 bits into the IV, and use it for your key.

#--
# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281
#
# "Eternal vigilance is the price of liberty" used to mean us watching
# the government, not the other way around....

From stewarts at ix.netcom.com Wed Jan 24 00:16:39 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Wed, 24 Jan 1996 16:16:39 +0800
Subject: Crippled Notes export encryption
Message-ID: <199601240750.XAA23177@ix7.ix.netcom.com>

At 05:53 PM 1/23/96 -0500, jpb at miamisci.org (Joe Block) wrote:
>At 9:06 AM 1/23/96, Herb wrote:
>>Careful...
>>what would YOU have done, with your customers demanding stronger
>>crypto today and you unable to legally give it to them?
>
>Umm - contract the crypto overseas somewhere it would be legal to export it
>from? Then import the code to the USA, with a press release to WSJ & NYT
>stating that American programmers were being put out of work by ITAR.

The problem is whether you can separate the functionality of what you're exporting sufficiently from what you're contracting out that the exported material isn't a "component of a cryptosystem"; it's tough to do a good bones version of code if you're concerned about satisfying both the letter and spirit of a law to avoid hassles with the government. On the other hand, if you're as big as IBM or even MIT, sometimes you can do it....

#--
# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281
#
# "Eternal vigilance is the price of liberty" used to mean us watching
# the government, not the other way around....

From alano at teleport.com Wed Jan 24 00:26:14 1996
From: alano at teleport.com (Alan Olsen)
Date: Wed, 24 Jan 1996 16:26:14 +0800
Subject: Who would sign Lucky Green's key?
Message-ID: <2.2.32.19960124081315.008c4a88@mail.teleport.com>

At 11:24 PM 1/23/96 -0800, Lucky Green wrote:
>The latest discussion about key signing parties and related questions asked
>in private email got me thinking about signing keys for nyms. What would
>one have to know to sign a key for a nym? Would you sign my key? Why?

There are nym keys I have signed before. They are usually for nyms of friends and they are usually signed with another nym key. Kind of a fictional web of trust...

I normally only sign keys for people I have met and trust to be the individual with the key claimed. "True names" and other legal fictions do not interest me as much as the individuals involved.
Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key
http://www.teleport.com/~alano/
"Is the operating system half NT or half full?"

From alano at teleport.com Wed Jan 24 00:43:17 1996
From: alano at teleport.com (Alan Olsen)
Date: Wed, 24 Jan 1996 16:43:17 +0800
Subject: [local] Report on Portland Cpunks meeting
Message-ID: <2.2.32.19960124080823.008ccf80@mail.teleport.com>

At 07:11 PM 1/23/96 -0800, jim bell wrote:
>At 04:26 PM 1/23/96 -0800, Alan Olsen wrote:
>>Key fingerprints should be brought on paper because it is not always assured
>>of having a computer there to read the disk. (We had a lap top that was
>>refusing to read disks effectively. We had to use one of the Habit's
>>computers.)
>
>...which, of course, had been infected the night before by a black-bag job
>by some NSA operatives with a "fiddle with PGP and make the key signatures
>come out wrong" virus...

Well, it was only YOUR key that we were verifying!

>Paranoia strikes deep...

Into your keyring it creeps...
It starts when you're always afraid...
Step out of line and the orbital mindcontrol lasers will zap you away...

Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key
http://www.teleport.com/~alano/
"Is the operating system half NT or half full?"

From shamrock at netcom.com Wed Jan 24 00:51:16 1996
From: shamrock at netcom.com (Lucky Green)
Date: Wed, 24 Jan 1996 16:51:16 +0800
Subject: [local] Report on Portland Cpunks meeting
Message-ID:

At 16:40 1/23/96, Perry E. Metzger wrote:

>Each person gets a sheet.
>Either each person in the room reads their
>fingerprint in turn from their own copy, with each person in the room
>checking the read fingerprint against the fingerprint on the handout,
>or an appointed reader (or set of readers at the last IETF) read the
>fingerprints in turn and ask the owner of the key to then simply say
>"yes" or "it's mine" or whatever to verify that the fingerprint matches
>their own copy of the print.

How do they verify that the person confirming the fingerprint is indeed the person supposedly owning the key?

-- Lucky Green
PGP encrypted mail preferred.

From heesen at zpr.uni-koeln.de Wed Jan 24 01:07:39 1996
From: heesen at zpr.uni-koeln.de (Rainer Heesen)
Date: Wed, 24 Jan 1996 17:07:39 +0800
Subject: Hack Java
In-Reply-To: <199601240433.RAA30064@bats.comp.vuw.ac.nz>
Message-ID: <9601240930.ZM24939@Sysiphos.MI.Uni-Koeln.DE>

On Jan 24, 5:33pm, Matthew Sheppard wrote:
> Aside from memory management in java being internal to the virtual
> machine as covered in other posts Java is a strongly typed language.
> There is no notion of void * (pointers that point to anything) and the
> current implementation ensures the pointer is either null or valid.
>
> Even if you could, the current implementation disallows any pointer
> arithmetic at all! i.e. no pointer++;
>
>-- End of excerpt from Matthew Sheppard

I think the mentioned security hole is not a source level problem. The question is how will the Java interpreter act, if there is a patched applet. Is there any control of pointer assignments?
- Rainer --- RAINER HEESEN Adresse: Zentrum fuer Paralleles Rechnen Universitaet zu Koeln 50923 Koeln Telefon: +49 221 470 6021 Fax: +49 221 470 5160 eMail: heesen at zpr.uni-koeln.de WWW: http://www.zpr.uni-koeln.de/~heesen/ From cwe at it.kth.se Wed Jan 24 01:08:11 1996 From: cwe at it.kth.se (Christian Wettergren) Date: Wed, 24 Jan 1996 17:08:11 +0800 Subject: Hack Java In-Reply-To: Message-ID: <199601240847.JAA08706@piraya.electrum.kth.se> | On Tue, 23 Jan 1996, Benjamin Renaud wrote: | | > Yes. And if you also let an intruder in your house, have them sit at | > your computer with your newborn child in the room and go on vacation, | > things can get really, really nasty. | | I guess that wu-ftp never was distributed with security holes. Never | heard of anyone distributing malicious lookalike packages. How many | folks do you think downloaded the linux-JDK and use it without checking | it out first. That takes care of the compiler. And distributing bad | netscape or other browsers is child's play. So I guess your newborn is | relevant. | | Stick to your belief that Java is secure because, darn it, it just would | be hard for anyone to do bad things with it. Please. I think what we should worry about is the second-order effects of Java; what will the world look like when Java is everywhere? We should also not discount the "social" effects; what will people do to try to circumvent the "stupid" safeguards that Java will be distributed with. I have earlier heard the opinion from the Java team (I believe) that this is not "Java's fault", and I can understand that standpoint. My opinion is still that the net result (pun intended!) is even weaker security, because of these two reasons above. (In my darker moments, I feel that the whole field of computer security is in a major crisis. Ever heard of the Emperor's New Clothes? ;-)) Just some mumbling from, Christian Wettergren From mixmaster at anon.alias.net Wed Jan 24 01:17:40 1996 From: mixmaster at anon.alias.net (Mr.
Nobody) Date: Wed, 24 Jan 1996 17:17:40 +0800 Subject: None In-Reply-To: Message-ID: <199601240850.CAA06981@fuqua.fiftysix.org> In article zinc writes: > i got this in the mail this morning. here's another blatant case > of illegal export. names and exact addresses removed to protect the > clueless. Why exactly did you post this message? I personally don't mind, but am just curious. From WlkngOwl at UNiX.asb.com Wed Jan 24 01:26:04 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Wed, 24 Jan 1996 17:26:04 +0800 Subject: NY State to restrinct netporn?! Message-ID: <199601240918.EAA15158@UNiX.asb.com> You wrote: > I heard about it and want to search NY's gopher site for the bill to get > the exact wording. Did the article give any more specifics, i.e., who > proposed it, the specific name of the bill, etc.? Not much info in the article. It wasn't the central focus... actually, the article dealt with the political cynicism of the new measures. More from the article (all that really mentions the bill at all): The cyberspace bill, passed by the Senate last week, could make it a felony to have sexually explicit communication with a minor through a computer network, especially if the communication included pictures of sexual activity or an invitation to have sex. Which doesn't say much about the bill's content. Technically this is already illegal, so why pass a cyberspace-specific bill? What are the responsibilities of publishers, ISPs, SysAdmins, etc.? What if a minor pretends not to be a minor? IMO, It sounds like another meaningless bill that looks good on political mailings... What's the NYS gopher address again? Rob. > At 07:23 AM 1/23/96 +0000, you wrote: > >This in today's LI Newsday, p.
A6: > > > >Crime Time in Albany > >Bills Reflect now popular get-tough stance > > > >by Liam Pleven, Albany Bureau > > > > Albany - A bill that would restrict sexually explicit material on > >the Internet - which the Assembly took little notice of last year - > >is suddenly headed tothe governor's desk after winning legislative > >approval yesterday. > >... --- "Mutant" Rob Send a blank message with the subject "send pgp-key" (not in quotes) for a copy of my PGP key. From iagoldbe at calum.csclub.uwaterloo.ca Wed Jan 24 01:34:25 1996 From: iagoldbe at calum.csclub.uwaterloo.ca (Ian Goldberg) Date: Wed, 24 Jan 1996 17:34:25 +0800 Subject: DigiCash Ecash - 2 security topics In-Reply-To: <199601221635.RAA13080@digicash.com> Message-ID: <4e3von$8ut@calum.csclub.uwaterloo.ca> >> > E.g. has there been a DigiCash response to Ian Goldberg's >> > publication of a denial-of-service attack which operates by >> > spending a coin with the same serial number as your victim's >> > coin? >> After discussing things with Ian we came up with several solutions. >> One is encrypting more messages (which we will do in a next revision >> of the protocol), the other is enabling ecash to work over ssl >> servers. You may not see the answer directly in the list, but you >> will see it in the next protocol revision. Actually, my original suggestion was to include 'n' in the value encrypted in the bank's public key. The less we have to _rely_ on ecash-enabled apps having to do their own encryption (like SSL), the better. Of course, extra encryption is OK, too. I wonder if Dave and I will get Digicash's reward for this one... I still haven't seen anything from them (though various individuals keep promising), or from Netscape either, for that matter... 
[emoticon elided] - Ian "starving grad student (sigh)" From jsw at netscape.com Wed Jan 24 01:54:03 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Wed, 24 Jan 1996 17:54:03 +0800 Subject: Crippled Notes export encryption In-Reply-To: <2.2.32.19960123140650.00708e08@mail.interlog.com> Message-ID: <3105FBFC.4DC9@netscape.com> Perry E. Metzger wrote: > > Herb Sutter writes: > > >So, Lotus thinks they can fool people by back-dooring in key escrow, eh? > > > > > >Time to break out the artillery. > > > > Careful... what would YOU have done, with your customers demanding stronger > > crypto today and you unable to legally give it to them? > > Set up development shop overseas for the crypto plug-ins. > > The solution is obvious and easy. > > By the way, I really think Netscape should simply ship Jeff and other > people to the Amsterdam office or wherever else seems reasonable and > do all the crypto work from there. It will save trouble and > hassle. U.S. citizens wanting full 128 bit over the net would then get > it from Netscape's overseas download sites. No one anywhere in the > world would be forced to use crap. I can see two practical ways to build a netscape product outside the US. The first is to export the source code for the Navigator with the crypto code removed. All of the calls to crypto would have to be removed as well. I've heard some people claim that the government could come after us on the grounds that we were taking part in a conspiracy to export strong crypto. The other way would be to export a binary with pluggable crypto, which is generally agreed to be regulated by the ITAR in the same way as software that actually contains crypto. I suspect that to get around the US government in this way we would have to develop the entire product outside of the US. That would be a very drastic move that is not likely to happen any time soon. We are going to invest some money and effort into trying to get the current restrictions lifted first. 
Of course there are some of us who are ready and willing to go if it comes to that... --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From jsw at netscape.com Wed Jan 24 01:56:14 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Wed, 24 Jan 1996 17:56:14 +0800 Subject: Crippled Notes export encryption In-Reply-To: <199601240313.TAA02133@hammerhead.com> Message-ID: <3105FCD1.27FB@netscape.com> Thaddeus J. Beier wrote: > I think that the real thing > that's stopping Netscape is the golden government handcuffs, they > don't want to piss off a big customer. I think that the potential sales lost overseas due to weak crypto could be much bigger than sales to the government. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From Majordomo at toad.com Wed Jan 24 02:47:27 1996 From: Majordomo at toad.com (Majordomo at toad.com) Date: Wed, 24 Jan 1996 18:47:27 +0800 Subject: Your Majordomo request results Message-ID: <9601230834.AA13943@toad.com> -- Your request of Majordomo was: >>>> subscribe cypherpunks Succeeded. Your request of Majordomo was: >>>> end END OF COMMANDS From tcmay at got.net Wed Jan 24 03:06:52 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 24 Jan 1996 19:06:52 +0800 Subject: Crippled Notes export encryption Message-ID: At 9:29 AM 1/24/96, Jeff Weinstein wrote: > I suspect that to get around the US government in this way we >would have to develop the entire product outside of the US. That >would be a very drastic move that is not likely to happen any >time soon. We are going to invest some money and effort into >trying to get the current restrictions lifted first. 
For what it's worth, this is what I've heard several knowledgeable lawyers say is the case, that merely sending the crypto experts abroad is no solution, that the entire product (or some large fraction of it) must be foreign-originated. The usual issue: That if a foreign-originated product even appears to be a standard (so far, none have been), and includes strong crypto, then the NSA and other agencies will simply change the rules. Thus, if extremely strong crypto from "Netscape-Zurich" starts to have a significant market presence in the U.S., then some law will be passed to restrict it. --Tim May Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From frissell at panix.com Wed Jan 24 03:46:45 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 24 Jan 1996 19:46:45 +0800 Subject: Reporting ITAR Violations Message-ID: <2.2.32.19960124113319.0081a4c4@panix.com> At 02:07 AM 1/24/96 -0500, Futplex wrote: >I would feel a bit more comfortable if violations by non-anonymous entities >were well publicized. Otherwise, we may force the TLAs to cash in the >"weapons export" card against the anonymizers, and hasten a crackdown on >them. Would that the remailer network were significant enough to call forth a legislative response. DCF From jimbell at pacifier.com Wed Jan 24 05:00:08 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 24 Jan 1996 21:00:08 +0800 Subject: Philip Zimmermann and the Press Message-ID: At 08:46 PM 1/23/96 -0500, Perry E.
Metzger wrote: > >I contacted Phil about the neo-Nazi attribution in the British >press. He has apparently contacted the newspaper and it appears that >they are probably going to print an article retracting their >statement. I've asked him to comment here but I don't know if he will. > >Perry What _I_ want to see is NOT MERELY an apology and retraction, but ALSO a statement of where the hell this claim came from in the first place. WHY? From packrat at ratbox.rattus.uwa.edu.au Wed Jan 24 05:22:07 1996 From: packrat at ratbox.rattus.uwa.edu.au (Bruce Murphy) Date: Wed, 24 Jan 1996 21:22:07 +0800 Subject: [Ramble] Re: Hassles taking App. Crypt. to Taiwan? In-Reply-To: <199601221522.XAA29618@relay3.jaring.my> Message-ID: <199601241311.VAA00525@ratbox.rattus.uwa.edu.au> In message <199601221522.XAA29618 at relay3.jaring.my>, Peng-chiew Low wrote: > >If this were Singapore, they might consider it subversive literature, > >because it is :-) > > ...............and the next thing you'll probably say is that Asians live in > tree houses > and have pet gorillas or whatever :)...... *puzzled look* They don't? And before I get totally off topic, on the subject of the Singaporean government and their attitude to do-what-you-will liberalism (hah!), just as a bit of noise, what sexual practices are illegal in Singapore? Now that's *way* off topic, but what is there in the way of enforcement for said regulations. More specifically, any info generally on the whole Singapore law-enforcement system. Not of course the public things, but it's intelligence stuff. if AC is considered subversive... Mass media has had some interesting articles about the Singapore govt being a little worried about being either isolated or forced to abandon their vaunted censorship role. Article itself was rubbish, but the idea behind it was interesting. -- Packrat (BSc/BE;COSO;Wombat Admin) Nihil illegitemi carborvndvm. 
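The fingerprint check from the key-signing procedure in the "[local] Report on Portland Cpunks meeting" thread, as an added example that is not part of any list member's message. It assumes PGP 2.x RSA keys, whose fingerprint is MD5 over the modulus bytes followed by the exponent bytes; the function names are hypothetical and every key, name and fingerprint below is constructed.

```python
import hashlib
import re


def v3_fingerprint(n, e):
    """PGP 2.x style fingerprint: MD5 over modulus bytes, then exponent bytes.

    MD5 is used only because it is what these keys print; it is not
    collision resistant.
    """
    def body(x):
        return x.to_bytes((x.bit_length() + 7) // 8, "big")
    return hashlib.md5(body(n) + body(e)).digest()


def format_fingerprint(fp):
    """Sixteen hex pairs with a wider gap in the middle, as on a handout."""
    pairs = ["%02X" % b for b in fp]
    return " ".join(pairs[:8]) + "  " + " ".join(pairs[8:])


def parse_fingerprint(text):
    """Accept a fingerprint as transcribed: any spacing, either case."""
    cleaned = re.sub(r"\s+", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", cleaned):
        raise ValueError("expected 32 hex digits, got %r" % text)
    return bytes.fromhex(cleaned)


def review_keys(handout, confirmed, keyring, known_in_person):
    """Decide, per attendee, whether the key in hand may be signed.

    handout          name -> fingerprint printed on the sheet
    confirmed        name -> fingerprint the owner read from their own copy
    keyring          name -> (n, e) of the key the signer actually holds
    known_in_person  names whose identity the signer can vouch for
    """
    verdicts = {}
    for name, printed in handout.items():
        printed_fp = parse_fingerprint(printed)
        if name not in confirmed:
            verdicts[name] = "skip: owner did not confirm"
        elif parse_fingerprint(confirmed[name]) != printed_fp:
            verdicts[name] = "skip: owner's copy differs from handout"
        elif name not in keyring or v3_fingerprint(*keyring[name]) != printed_fp:
            verdicts[name] = "skip: key in hand does not match handout"
        elif name not in known_in_person:
            verdicts[name] = "skip: fingerprint matches, identity not established"
        else:
            verdicts[name] = "sign"
    return verdicts


# Constructed toy keys (far too small to be real RSA keys).
REAL_KEYS = {
    "alice": (0xC3A5F10B77D9, 17),
    "bob": (0x9E4D2281AB31, 17),
    "carol": (0xB7710C55E2F3, 17),
    "dave": (0xA1F00D44C9B5, 17),
    "erin": (0xD5510AA3907F, 17),
}


def demo():
    handout = {k: format_fingerprint(v3_fingerprint(*v)) for k, v in REAL_KEYS.items()}
    confirmed = {
        "alice": handout["alice"].lower().replace(" ", ""),  # same value, other spelling
        "bob": handout["bob"],
        "carol": format_fingerprint(v3_fingerprint(0xB7710C55E2F5, 17)),  # sheet is wrong
        "dave": handout["dave"],
        # erin never answered when her fingerprint was read
    }
    keyring = dict(REAL_KEYS)
    keyring["bob"] = (0x9E4D2281AB37, 17)  # a different key fetched under bob's name
    return review_keys(handout, confirmed, keyring, {"alice", "bob", "carol"})


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print("%-6s %s" % (name, verdict))
```

A matching fingerprint only binds the handout to a key; the separate `known_in_person` input is the identity question raised in the thread, which the fingerprint reading by itself does not answer.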
From pati at ipied.tu.ac.th Wed Jan 24 05:30:54 1996 From: pati at ipied.tu.ac.th (Patiwat Panurach (akira rising)) Date: Wed, 24 Jan 1996 21:30:54 +0800 Subject: SS Obergruppenfuhrer Zimmermann (NOT!) In-Reply-To: <2.2.32.19960124014532.0095ac74@panix.com> Message-ID: On Tue, 23 Jan 1996, Duncan Frissell wrote: > >This act of aggression against cypherpunks, attempts to box us into a > >corner. Our enemies want to keep us on the defensive. > > Phil is not a cypherpunk. > > On the whole, the cypherpunks have gotten very favorable press for a group > who's actions may render government policies irrelevant and possibly the > governments themselves. Would you call cypherpunks (as a group and as a philosophy) to be influential? Do you think governments listen to us much? Are they forced to listen to us? Any stuff to support this? Please give me your comments. ------------------------------------------------------------------------------- Patiwat Panurach Whatever you can do, or dream you can, begin it. eMAIL: pati at ipied.tu.ac.th Boldness has genius, power and magic in it. m/18 junior Fac of Economics -Johann W.Von Goethe ------------------------------------------------------------------------------- From djw at vplus.com Wed Jan 24 05:41:40 1996 From: djw at vplus.com (Dan Weinstein) Date: Wed, 24 Jan 1996 21:41:40 +0800 Subject: Blacknet & Lotus Notes In-Reply-To: <2.2.32.19960123140645.006ce49c@mail.interlog.com> Message-ID: <31058de2.3338398@mail.vplus.com> On Tue, 23 Jan 1996 09:06:45 -0500, Herb Sutter wrote: >I think people are missing the point... even if we assume the absolute worst >case, that the private key is broken and becomes publicly available, >international Notes users are no worse off than before. True, but they aren't any better off either. 40-bits is not secure, neither is 64-bits. >That said, it shouldn't happen soon. 
One of the things Ray said in his >announcement was that the government agreed to both generate and then guard >this key with the same diligence with which they guard their most important >secrets (he specifically mentioned nuclear missile controls). While it >makes for a nice sound bite, I'm comfortable that there's probably also a >lot of truth to it. That just means that it will be classified Top Secret and only those with a "need to know" will have access. The government can set the need to know at any level they want. Even if they truly try to restrict access to their key, this does not even imply that they will not allow it to be freely used. If I want a message read and am not cleared for access to the key, I just send it to someone that does. I have seen nothing from the government saying that they agree to only use it if they have a warrant or even any reason to believe that the message contains data that is important to national interests. They are free to decode messages and give the information they obtain to a competing company. IBM made the deal to help provide an illusion of greater security, at least before the insecurity of 40 bits was well known. They are actually doing a disservice to their customers by trying to make them believe that their communications are actually secure using just Notes. Does the packaging indicate that the U.S. government has access to more than a third of the key? Dan Weinstein djw at vplus.com http://www.vplus.com/~djw PGP public key is available from my Home Page. All opinions expressed above are mine. "I understand by 'freedom of Spirit' something quite definite - the unconditional will to say No, where it is dangerous to say No. Friedrich Nietzsche From packrat at ratbox.rattus.uwa.edu.au Wed Jan 24 06:20:46 1996 From: packrat at ratbox.rattus.uwa.edu.au (Bruce Murphy) Date: Wed, 24 Jan 1996 22:20:46 +0800 Subject: SS Obergruppenfuhrer Zimmermann (NOT!)
In-Reply-To: <2.2.32.19960124014532.0095ac74@panix.com> Message-ID: <199601241406.WAA00594@ratbox.rattus.uwa.edu.au> In message <2.2.32.19960124014532.0095ac74 at panix.com>, Duncan Frissell wrote: > At 05:11 PM 1/23/96 -0500, Alan Horowitz wrote: > >The reporter's slander against Zimmermann was not accidental, or the > >result of ignorance. Calling someone a Nazi sympathizer is not something > >that one should do without a smoking gun. > > > >This act of aggression against cypherpunks, attempts to box us into a > >corner. Our enemies want to keep us on the defensive. "Never attribute to malice that which can be adequately explained by stupidity" (or journalists) Of course with paranoia being almost compulsory around here, it's probably a government plot to discredit all people who want privacy. To be frank I doubt the NSA or anyone else is going to bother, they can get what they want *anyway* > > Phil is not a cypherpunk. He probably should be. I mean, it would mean he only got *one* copy of mail rather than all those concerned people cc:ing him a copy. > > On the whole, the cypherpunks have gotten very favorable press for a group > whose actions may render government policies irrelevant and possibly the > governments themselves. Mind you, it's not as though the government's policies have *ever* been relevant. Of course, having a less open government in my own country, no-one has bothered to define what the government is going to do re: trying to enforce low encryption standards or (hah!) censoring the net in general. In fact, at least the US *has* a centralish government. Here, where we have only a handful of quite autonomous states, any one of which could decide to implement some ridiculous scheme to "crack down on kiddie porn" which would have the unfortunate effect of removing individual's rights to privacy. Which brings me to another point. At least you people *have* a free speech bit in your constitution.
While it's generally considered a right here, legally that's not really good enough. -- Packrat (BSc/BE;COSO;Wombat Admin) Nihil illegitemi carborvndvm. From m5 at dev.tivoli.com Wed Jan 24 06:27:59 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Wed, 24 Jan 1996 22:27:59 +0800 Subject: Crippled Notes export encryption In-Reply-To: <199601231539.KAA10548@jekyll.piermont.com> Message-ID: <9601241359.AA07750@alpha> Dan Weinstein writes: > >By the way, I really think Netscape should simply ship Jeff and other > >people to the Amsterdam office... > > Wrong, this would be a violation of ITAR. I don't understand; are you saying Jeff's brain is a munition under the ITAR? (Is it a citizenship thing? If so, that's an easily solved problem: hire Dutch (or Egyptian or Bangali or whatever) engineers.) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From frankw at in.net Wed Jan 24 06:29:44 1996 From: frankw at in.net (Frank Willoughby) Date: Wed, 24 Jan 1996 22:29:44 +0800 Subject: IPSEC == end of firewalls Message-ID: <9601231159.AA27033@su1.in.net> While IP level security & authentication will go a long way to help prevent abuses and reduce unauthorized accesses, I doubt if it will provide enough protection by itself. While I would love to be proven wrong, I believe firewalls are here to stay (at least for the next year or two). 
A couple of reasons why: o Node Spoofing will probably still be possible o The connections will probably also be subject to man-in-the-middle attacks (Never underestimate the creativity of people who want to compromise your networks) o Authentication by itself will *not* provide adequate protection against many abuses o End-to-end encryption by itself won't completely solve the problems either (however, it *does* go a long way to prevent man-in-the-middle attacks o While IP security & authentication helps to secure the pipe between the two systems which want to communicate with each other, it does not provide any security about the applications running over the pipe. (ie - if you and I have a secure pipe between your system and mine & you have a worm running loose on your network, the only thing the secure pipe will do is ensure that other systems (not in the pipe) won't be damaged as the worm propagates out of your network into mine). Also. Which version of sendmail are we up to now? As far as the future of firewalls goes, I would probably guess that the functionality of most firewalls would eventually be an add-on application option for Operating Systems and that eventually it will be a standard part of every Operating System. Until then, we have to punt & keep using firewalls. I suspect even when firewalls are embedded in the O/S, that some type of firewall will still be needed to quasi-isolate a company's network from the Internet (and establish them as one entity) and to contain potential networking problems which arise when someone configures their system with the wrong IP address (or other type of problem). IMHO, the first company to include a firewall as a standard part of their Operating Systems has a real good shot at increasing their market share. Perhaps the O/S vendors are paying attention to this list & will implement this (would be nice). 
8^) Of course, it would also help, if their systems were delivered secure - out-of-the-box and we didn't have to spend so much time continually locking them down & keeping up with the latest CERT Advisories. 8^) 8^) Best Regards, Frank Fortified Networks Inc. - Management & Information Security Consulting Phone: (317) 573-0800 - http://www.fortified.com/fortified/ The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc. From perry at piermont.com Wed Jan 24 06:51:07 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 24 Jan 1996 22:51:07 +0800 Subject: [local] Report on Portland Cpunks meeting In-Reply-To: Message-ID: <199601241431.JAA13316@jekyll.piermont.com> Lucky Green writes: > At 16:40 1/23/96, Perry E. Metzger wrote: > > >Each person gets a sheet. Either each person in the room reads their > >fingerprint in turn from their own copy, with each person in the room > >checking the read fingerprint against the fingerprint on the handout, > >or an appointed reader (or set of readers at the last IETF) read the > >fingerprints in turn and ask the owner of the key to then simply say > >"yes" or "its mine" or whatever to verify that the fingerprint matches > >their own copy of the print. > > How do they verify that the person confirming the fingerprint is indeed the > person supposedly owning the key? That's up to the people signing. In most cases in that sort of environment, you know about 30% of the people in the room, and you sign their keys (and no one else's, which is reasonable). In other environments, people could go about afterwards and examine ID or whatever it would be that they would want to do.
.pm From prz at acm.org Wed Jan 24 07:17:13 1996 From: prz at acm.org (Philip Zimmermann) Date: Wed, 24 Jan 1996 23:17:13 +0800 Subject: "PRZ a nazi" to be retracted Message-ID: <31064c10.idoc@idoc.idoc.ie> The Sunday Telegraph of London printed a story last Sunday about neo-nazis using PGP to encrypt their communications. The story said that PGP was devised by an American neo-nazi sympathizer. As the creator of PGP, and a human rights activist, I was outraged by such a defamation from a major newspaper. I called my lawyer Phil Dubois, who seemed to look forward to having some fun with this newspaper. Not wanting to wait around till the morning, and slow lawyers, I called Robin Gedye, the reporter in Bonn who wrote the story, at 7am Monday morning Bonn time, and woke him up at home. I introduced myself and told him how I felt about it. He had never heard of me, the Clipper chip, the controversies of cryptography, and knew nothing about PGP outside of the couple of sentences in his story that mentioned PGP. He said it wasn't really so bad, because he didn't specifically identify me by name. One can imagine the effectiveness of that excuse with me. I then went into some detail with him to bring him up to speed. I also called his editor in London, who also had never heard of me or PGP. After some checking, they discovered that the Daily Telegraph, a related newspaper, had run an article about my case just a week before. They also found about 20 recent articles on me in the UK press. The editor said that my story "checks out". It was good to know that they now believed that I was not a neo-nazi after all. Anyway, Mr. Gedye says that the Sunday Telegraph will print a retraction next Sunday. Not just a little retraction, but a whole article on the subject, written by Mr. Gedye himself. I'm glad to see that this probably means that he will dig into the subject more, in order to write such an article. 
I guess this means maybe I'll find some other things to occupy Phil Dubois's time. -Philip Zimmermann 23 Jan 96 From bplib at wat.hookup.net Wed Jan 24 07:55:19 1996 From: bplib at wat.hookup.net (Tim Philp) Date: Wed, 24 Jan 1996 23:55:19 +0800 Subject: SS Obergruppenfuhrer Zimmermann (NOT!) In-Reply-To: <199601240336.WAA11471@jekyll.piermont.com> Message-ID: If I recall correctly, the Zimmermann Telegram did NOT bring the US into the war. It was however one of the many things that lead to a US decision to enter the war. In itself it did not cause the US entry. Just my $0.02 Tim Philp =================================== For PGP Public Key, Send E-mail to: pgp-public-keys at swissnet.ai.mit.edu In Subject line type: GET PHILP =================================== On Tue, 23 Jan 1996, Perry E. Metzger wrote: > > jim bell writes: > > Maybe this is common knowledge, but the name "Zimmermann" and crypto had > > another relationship, in World War I. If anybody knows more about this > > incident than my vague recollection of the famous "Zimmermann cipher" would > > you care to tell the story? > > It was the Zimmermann Telegram, actually, and it was a dispatch from > the Germans to the Mexicans trying to promise them most of the > southwest in exchange for being allies against the U.S. (which wasn't > yet in the war). The Brits intercepted and decoded it and released it, > which forced the U.S. into World War I. > > Perry > From ses at tipper.oit.unc.edu Wed Jan 24 07:56:41 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Wed, 24 Jan 1996 23:56:41 +0800 Subject: [local] Report on Portland Cpunks meeting In-Reply-To: <199601241431.JAA13316@jekyll.piermont.com> Message-ID: On Wed, 24 Jan 1996, Perry E. Metzger wrote: > > How do they verify that the person confirming the fingerprint is indeed the > > person supposedly owning the key? > > Thats up to the people signing. 
In most cases in that sort of > environment, you know about 30% of the people in the room, and you > sign their keys (and no one else's, which is reasonable). This is pretty much the pure web-o-trust model - the identity of the person is assumed to be known at the start of the process, and what is verified is the key- closure gets you the other folks. I'm usually not too keen on WOT, but if it was an AI project, this is the example that would be in the writeup :-) From tighe at spectrum.titan.com Wed Jan 24 08:19:38 1996 From: tighe at spectrum.titan.com (Mike Tighe) Date: Thu, 25 Jan 1996 00:19:38 +0800 Subject: Crippled Notes export encryption In-Reply-To: <3105FBFC.4DC9@netscape.com> Message-ID: <199601241509.JAA26060@softserv.tcst.com> Jeff Weinstein writes: > I can see two practical ways to build a netscape product outside >the US. The first is to export the source code for the Navigator >with the crypto code removed. All of the calls to crypto would >have to be removed as well. I've heard some people claim that the >government could come after us on the grounds that we were taking >part in a conspiracy to export strong crypto. Didn't Netscape already promise to remove the hooks? It seems to me all of the major software players are already in bed with the government. From stevenw at best.com Wed Jan 24 08:23:10 1996 From: stevenw at best.com (Steven Weller) Date: Thu, 25 Jan 1996 00:23:10 +0800 Subject: German home banking (fromn RISKS) Message-ID: ---------------------------------------------------------------------- Date: Tue, 23 Jan 1996 17:32:56 +0100 From: Klaus Brunnstein Subject: Homebanking NonSecurity demo A German private TV channel (SAT 1) displayed, Monday Jan.22 night (10 pm), a demonstration of how easily homebanking may be attacked in Germany.
In this demo, a person used T-Online (a navigation tool similar to CompuServe) to send his ID, PIN, the amount to be transferred (500 DM) and the account to which to transfer, plus a transaction number (TAN) via telephone line. All these data were intercepted on a portable connected to the user's phone line in the basement of the building (indeed, most telephone boxes are rarely locked). Actions of the customer and the "hacker" were shown in parallel, so one could see all data (including PIN which was not displayed on the Customers' screen) on the hackers' display. Before the customer could start the booking process on the bank computer by sending the requestor, the hacker interrupted the telephone connection. As he now possessed all relevant "secret" information of the user, he now started an order to transmit 5,000 DM from his victim's account to another one, successfully (as the customers' vouchers proved. After the demo (about 10 minutes), a short interview (with the author of this report) discussed evident risks; it was made clear that software solutions are available since some time, to replace the old PIN/TAN structure with digital signatures and to encrypt sensitive data using asymmetric encryption. Risks? Presently, there are several risks in telephone-based homebanking. First, ALL sensitive information is transmitted in cleartext. Secondly, interception of line-based communications of German Telekom is easily possible at several sites, from the basement of a customers' house where lines from different customers are collected in a unit, to units collecting lines from several blocks, streets etc. Thirdly, in contracts between banks and customers, the latter will often have difficulties to prove that an order carrying their personal ID, TAN etc was NOT issued from them, esp. when there is evidence that the order came from the customers' telephone line (though not from his telephone :-). 
Customer protection (both technically and legally) therefore requires immediate action, as Chaos Computer Club commented in press. Interestingly, German banks offer enterprises a secure solution based on RSA-licensed encryption software. So far, this is NOT offered to private customers as it canNOT interoperate with T-Online. Financial institutions are discussing presently a solution (either with a chipcard including sort of DES or a solution using an RSA-implementation with 784 bit key, which may be distributed via diskettes) but it is unclear when this solution will be available. As long as such solution is not available, "every day may become payment day even for the most lousy hackers" as one German newspaper (TAZ) wrote.

Klaus Brunnstein (Jan.23,1996)

------------------------------

-------------------------------------------------------------------------
Steven Weller                      |  "The Internet, of course, is more
                                   |  than just a place to find pictures
                                   |  of people having sex with dogs."
stevenw at best.com                |  -- Time Magazine, 3 July 1995

From cjl at welchlink.welch.jhu.edu Wed Jan 24 08:27:16 1996
From: cjl at welchlink.welch.jhu.edu (cjl)
Date: Thu, 25 Jan 1996 00:27:16 +0800
Subject: Zimmermann Telegram (crypto history)
In-Reply-To: <199601240336.WAA11471@jekyll.piermont.com>
Message-ID:

On Tue, 23 Jan 1996, Perry E. Metzger wrote:
>
> It was the Zimmermann Telegram, actually, and it was a dispatch from
> the Germans to the Mexicans trying to promise them most of the
> southwest in exchange for being allies against the U.S. (which wasn't
> yet in the war). The Brits intercepted and decoded it and released it,
> which forced the U.S. into World War I.
>

Why is it that I seem to recall that one of the responses by a govt. official to the intercept was the infamous diplomatic quote

"Gentlemen do not read other gentlemen's mail"

Ah, would that this sentiment were more common in government circles today (sigh) . . . .

C. J. Leonard                   (    /      "DNA is groovy"
                                 \  /          - Watson & Crick
                                 /  \     <-- major groove
                                (    \
Finger for public key            \    )
Strong-arm for secret key        /        <-- minor groove
Thumb-screws for pass-phrase    /    )

From perry at piermont.com Wed Jan 24 09:18:30 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Thu, 25 Jan 1996 01:18:30 +0800
Subject: Zimmermann Telegram (crypto history)
In-Reply-To:
Message-ID: <199601241616.LAA13409@jekyll.piermont.com>

cjl writes:
> Why is it that I seem to recall that one of the responses by a govt.
> official to the intercept was the infamous diplomatic quote
>
> "Gentlemen do not read other gentlemen's mail"

It wasn't. That was in response to the entire Yardley "Black Chamber" incident.

.pm

From jamesd at echeque.com Wed Jan 24 09:31:06 1996
From: jamesd at echeque.com (James A. Donald)
Date: Thu, 25 Jan 1996 01:31:06 +0800
Subject: Free speech and written rights.
Message-ID: <199601241624.IAA23975@mailx.best.com>

At 10:06 PM 1/24/96 +0800, Bruce Murphy wrote:
> Which brings me to another point. At least [Americans] *have* a free
> speech bit in your constitution. While it's generally considered a
> right [in Australia], legally that's not really good enough.

About twenty or thirty years ago, there was a big debate on in Australia on whether Australia should have a bill of rights.

The natural rights crowd popped up from obscurity and vigorously opposed a bill of rights. They successfully argued that if a bill of rights were written down on paper, these rights would then become mere creations of the courts.

This same concern is voiced in Article nine of the American bill of rights.

In my judgement, America is reasonably free despite having a bill of rights, rather than because of a bill of rights.

The American nation derived its cohesion from the ideology of liberty, not from a race or religion. This is the reason America has a bill of rights, and this is the reason it remains somewhat free despite possessing a bill of rights.
Despite this debate and referendum in Australia, the government has been sneaking some rights into the Australian constitution by various stratagems, and I think that this will have the effect of undermining liberty.

---------------------------------------------------------------------
                                      |
We have the right to defend ourselves | http://www.jim.com/jamesd/
and our property, because of the kind |
of animals that we are. True law      | James A. Donald
derives from this right, not from the |
arbitrary power of the state.         | jamesd at echeque.com

From karl at cosmos.cosmos.att.com Wed Jan 24 09:38:23 1996
From: karl at cosmos.cosmos.att.com (Karl A. Siil)
Date: Thu, 25 Jan 1996 01:38:23 +0800
Subject: Associating Local Port Number to PID
Message-ID: <2.2.32.19960124164913.006a5fa0@cosmos.cosmos.att.com>

Folks,

I'm working on a program for UNIX (SVR4, Solaris 2.4) systems that needs to associate PID with local TCP/IP port number, so as to pass session keys accordingly to already running processes. This sounds like such an obviously needed association that someone must have done it already. Pointers to code would be best, but any references would be helpful (e.g., the appropriate /dev/kmem data structure(s), offset(s), etc.).

If necessary, the program is allowed to be in any group (e.g., "sys" to get at /dev/kmem) and may even run as root, as a last resort. I see no reason for the latter, however. Running set-gid to "sys" is sufficient for netstat(1) and ps(1) and I think is the upper bound for process privilege that I would need.

Thanks in advance.

Karl

From pfarrell at netcom.com Wed Jan 24 09:57:19 1996
From: pfarrell at netcom.com (Pat Farrell)
Date: Thu, 25 Jan 1996 01:57:19 +0800
Subject: [local] Report on Portland Cpunks meeting
Message-ID: <43073.pfarrell@netcom.com>

In message Wed, 24 Jan 1996 00:32:37 -0800, shamrock at netcom.com (Lucky Green) writes:
> How do they verify that the person confirming the fingerprint is indeed
> the person supposedly owning the key?
It is pretty hard, that is one of the reasons the web-o-trust is broken. You can make it better by requiring the person to actually use the key, which proves that he/she has the passphrase.

At the last key signing at the DC-area cypherpunks meeting, I told everyone my name was Boris Badanov. Even tho the key's userid said pfarrell at netcom.com.

Carl Ellison suggests that the signature should have a much weaker meaning, roughly: "The person owning the secret key associated with this public key's tag has characteristic X." Obviously X could be "claims to be Pat"

Thus if Lucky gives me a key, I don't know what his/her real name is, and don't care. All I have to do is see them actually sign something I give him/her with the key.

Of course we need to rule out man-in-the-middle attacks. For me, I would buy off on watching the signing on a standalone laptop while I watch from across the room.

Interesting attack: Assume there is a chain of keys, with Lucky feeding keys to Klaus inside the laptop. I'd be signing what I thought was Lucky's key, but it was really Klaus'. Of course "Lucky" would have to have the secret passphrase for both Lucky's and Klaus' keys. It isn't clear to me if this is an important case. Equally questionable are tricks such as using an IR or wireless transmitter to send my test data to another computer so that the chain of MITM can be longer.

Pat

Pat Farrell     Grad Student     http://www.isse.gmu.edu/students/pfarrell
Info. Systems & Software Engineering, George Mason University, Fairfax, VA
PGP key available on homepage    #include

From pcw at access.digex.net Wed Jan 24 10:10:06 1996
From: pcw at access.digex.net (Peter Wayner)
Date: Thu, 25 Jan 1996 02:10:06 +0800
Subject: "Concryption" Prior Art
Message-ID:

I haven't read the supposed Concryption patent so I don't know what the claim structure is. But if they truly claim the right to do encryption and compression simultaneously, then I've got some prior art that should knock out such a broad claim.
The paper is "A Redundancy Reducing Cipher" (Cryptologia, May 88). It's not very secure, but it does do some manner of encryption at the same time as compressing a file with a Huffman-like system. The journal is found in many university libraries so it should be easy to produce a solid counterclaim.

If anyone has the plaintext to the Concryption patent (5479512), I would like to read it.

-Peter

From Kevin.L.Prigge-2 at cis.umn.edu Wed Jan 24 10:20:21 1996
From: Kevin.L.Prigge-2 at cis.umn.edu (Kevin L Prigge)
Date: Thu, 25 Jan 1996 02:20:21 +0800
Subject: Who would sign Lucky Green's key?
In-Reply-To:
Message-ID: <31066e6104dd002@noc.cis.umn.edu>

A non-text attachment was scrubbed...
Name: not available
Type: application/pgp
Size: 14 bytes
Desc: not available
URL:

From Chris.Claborne at SanDiegoCA.ATTGIS.com Wed Jan 24 10:21:55 1996
From: Chris.Claborne at SanDiegoCA.ATTGIS.com (Chris Claborne)
Date: Thu, 25 Jan 1996 02:21:55 +0800
Subject: San Diego Cpunks Physical Meeting
Message-ID: <2.2.32.19960124145536.006b5a94@opus.SanDiegoCA.ATTGIS.com>

San Diego Area CPUNKS symposium .... will be in conjunction with USENIX "birds of feather" session titled "Remailers & Cypherpunk".

Where: San Diego Marriott Hotel and Marina, 333 West Harbor Drive.
Date : 1/25/96
Time : 6:30 - 8:30

SORRY for the late notice. I spaced the announcement. Hope you can join us.

Thursday, January 25, 1996

Invitation to all Cypherpunks to join the San Diego crowd at this special session led by our very own Lance Cottrell. Get the latest update of Lance Cottrell's anonymous e-mail server, "mixmaster", exchange keys, and discuss other topical subjects. If you are into what's happening on the list, encryption, privacy, this is the place to be.

The group may retire somewhere else after 8:30 to continue with other CP related issues, so join us.

Don't forget to bring your public key fingerprint and two forms of identification.
If you can figure out how to get it on the back of a business card, that would be cool.

Drop me a note if you plan to attend.

See you there!

2 -- C --

... __o
.. -\<,
Chris.Claborne at SanDiegoCA.ATTGIS.Com   ...(*)/(*).   CI$: 76340.2422
http://bordeaux.sandiegoca.attgis.com/
PGP Pub Key fingerprint = A8 FA 55 92 23 20 72 69 52 AB 64 CC C7 D9 4F CA
Avail on Pub Key server.

From jya at pipeline.com Wed Jan 24 10:22:18 1996
From: jya at pipeline.com (John Young)
Date: Thu, 25 Jan 1996 02:22:18 +0800
Subject: Underground Radio
Message-ID: <199601241732.MAA06899@pipe1.nyc.pipeline.com>

For hams and other techno-libertines, The NY Times reports today on underground radio stations and bucking the FCC and global techno-tyrant-winner-takes-alls.

http://www.nytimes.com/96/01/24/early/underground-radio.html

From joee at li.net Wed Jan 24 10:27:33 1996
From: joee at li.net (j. ercole)
Date: Thu, 25 Jan 1996 02:27:33 +0800
Subject: mouse droppings
Message-ID:

In the march '96 issue of macworld there's a "Viewpoint" reporting on the progress of the info superhighway. Privacy and security issues predominate the text, the primary source of which is larry irving --- "a top administration adviser on telecommunications."

One issue, "mouse droppings" --- "a trail of every site they visit and for how long [on the www], was highlighted as an example of existing privacy regulations falling short of consumer expectations. Apparently, the amorphous public is shocked, *SHOCKED* I tell you, to discover that their service providers are selling the personal preference information to the highest bidder. More info in article.

Would some rocket scientist speak to this terrifying mouse droppings issue?

j. ercole
ny, usa
pgp public key at: http://www.li.net/~joee/autumn2.html
$$$$$$$$$$$$$$$$********************&&&&&&&&&&&&&&&&&
Stand By---.sig presently being unearthed in regression therapy.
From alano at teleport.com Wed Jan 24 10:28:25 1996
From: alano at teleport.com (Alan Olsen)
Date: Thu, 25 Jan 1996 02:28:25 +0800
Subject: [local] Report on Portland Cpunks meeting
Message-ID: <2.2.32.19960124002635.008c27e8@mail.teleport.com>

At 04:40 PM 1/23/96 -0500, Perry E. Metzger wrote:
>
>Weld Pond writes:
>> This begs the question, "How would you conduct an efficient key signing
>> given what you have learned?" I am in the process of organizing one and
>> would like to get input as to the best way that this should take place.
>
>The IETF key signing parties are the largest in existence -- about 100
>people exchange signatures.
>
>The way you handle it is this:

[key signing stuff deleted for space]

That was the basic format we used. The only difference was that the keys were collected before hand and distributed on disk.

The biggest problems were due to unfamiliarity as to what to bring and procedure from an experience point of view. (Lack of key fingerprints were a problem.) The key signing rules were published, but many people attending did not read them. (They were part of an update announcement. Many people read the top part, saw nothing had changed and skipped the rest of it...)

Now that we have done it once, it will be a lot easier the next time.

Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key
http://www.teleport.com/~alano/
"Is the operating system half NT or half full?"

From shamrock at netcom.com Wed Jan 24 11:06:58 1996
From: shamrock at netcom.com (Lucky Green)
Date: Thu, 25 Jan 1996 03:06:58 +0800
Subject: Crippled Notes export encryption
Message-ID:

At 4:17 1/24/96, Timothy C. May wrote:
>The usual issue: That if a foreign-originated product even appears to be a
>standard (so far, none have been), and includes strong crypto, then the NSA
>and other agencies will simply change the rules. Thus, if extremely strong
>crypto from "Netscape-Zurich" starts to have a significant market presence
>in the U.S., then some law will be passed to restrict it.

I agree. The reason for enforcing ITAR is to keep good crypto off the *domestic* market. If ITAR no longer accomplishes that, new laws will be passed.

-- Lucky Green
PGP encrypted mail preferred.

From bplib at wat.hookup.net Wed Jan 24 11:11:12 1996
From: bplib at wat.hookup.net (Tim Philp)
Date: Thu, 25 Jan 1996 03:11:12 +0800
Subject: Articles re Crypto
Message-ID:

FYI

In the January issue of InfoCanada, the front page has what amounts to a press release on Digital Equipment's Digital Internet Personal Tunnel for Windows 95. There is also info on a companion product for Unix. I am trying to get some information on this. Has anyone heard of this technology?

In the January 18th 96 issue of EDN, Pg 57 has an article about secure wireless designs. In this article they talk about securing devices such as garage-door openers, and keyless entry systems for cars and buildings. It is a little shy on cryptographic info, but they do talk about crypto applications for these products.

===================================
For PGP Public Key, Send E-mail to:
pgp-public-keys at swissnet.ai.mit.edu
In Subject line type:
GET PHILP
===================================

From iang at CS.Berkeley.EDU Wed Jan 24 11:17:59 1996
From: iang at CS.Berkeley.EDU (Ian Goldberg)
Date: Thu, 25 Jan 1996 03:17:59 +0800
Subject: Guess what I found...
Message-ID: <199601241824.KAA01604@lagos.CS.Berkeley.EDU>

Guess what I found in my mailbox this morning:

A cheque (that's check for those Americans out there) for $500 from Netscape Comm. Corp. It seems they decided to split a "Bugs Bounty" prize between Dave and me retroactively for the PRNG thing. :-)

- Ian "This may turn out to be a good day..."
From jpb at miamisci.org Wed Jan 24 11:44:58 1996
From: jpb at miamisci.org (Joe Block)
Date: Thu, 25 Jan 1996 03:44:58 +0800
Subject: Crippled Notes export encryption
Message-ID:

At 11:50 PM 1/23/96, you wrote:
>The problem is whether you can separate the functionality of what you're
>exporting sufficiently from what you're contracting out that the exported
>material isn't a "component of a cryptosystem"; it's tough to do a good bones
>version of code if you're concerned about satisfying both the letter and
>spirit of a law to avoid hassles with the government. On the other hand,
>if you're as big as IBM or even MIT, sometimes you can do it....

So move 100% of the development overseas. Pick someplace where the labor is cheaper (maybe the former Soviet Union, but I don't know what their crypto export laws are like) and develop 100% of the product overseas.

Put a notice inside each shrink-wrapped box that "This product was forced to be written overseas, costing American programmers their jobs, by the shortsightedness of Congress."

2048bit-Fingerprint: F8 A2 A5 15 56 42 9B 16 3F BD 57 0F 8A ED E3 21
No man's life, liberty or property are safe while the legislature is in session.

From jrochkin at cs.oberlin.edu Wed Jan 24 11:49:14 1996
From: jrochkin at cs.oberlin.edu (Jonathan Rochkind)
Date: Thu, 25 Jan 1996 03:49:14 +0800
Subject: [local] Report on Portland Cpunks meeting
Message-ID:

At 11:13 PM 01/23/96, Bruce Baugh wrote:
>The nym signing is an idle thought of mine. I have a nym key which is, at
>the moment, signed only by itself. I know friends of mine have nym accounts.
>if we could assemble a group of folks whom I can trust enough to link the
>nym and myself, it'd be nice to add some more signatures to the nym key, and
>vice versa.

I don't understand--what would signatures on a nym's key be good for? If I sign your key named "Bruce Baugh", I'm basically saying that I feel confident that this key really _does_ belong to Bruce Baugh.
Others see my signature, and say "Jonathan, he's a groovy guy, if he feels confident that this belongs to Bruce, well, he's probably gotten the fingerprint directly from Bruce in person, and I'm happy to use this key to send mail to Bruce."

If, on the other hand, I sign "Toxic Avenger"'s key, then what benefit is this for third parties? Since Toxic Avenger is, by intention, _not_ linked to a real person, I'm not saying that I feel confident that this key really belongs to any particular real person. What am I saying?

From sperkins at andromeda.rutgers.edu Wed Jan 24 12:04:45 1996
From: sperkins at andromeda.rutgers.edu (Steven C. Perkins)
Date: Thu, 25 Jan 1996 04:04:45 +0800
Subject: Rutgers symposium on Copyright and NII 14-15 Feb 96
Message-ID: <1.5.4b11.16.19960124185525.546f5062@andromeda.rutgers.edu>

Please forward as appropriate. Conference Program will be at "http://www.rutgers.edu/RUSLN/copyconf.html" this weekend.

Roundtable Conference:
Copyright Issues and the National Information Infrastructure
Rutgers School of Law - Newark
February 14-15, 1996

Rutgers School of Law - Newark is hosting an important conference dealing with major issues presented by the White Paper and electronic distribution of information products. Three roundtable sessions will engage 40-50 leading scholars, lawyers, corporate counsel, and government officials in a day-long discussion and debate of critical law and policy issues.

The scheduling of this conference anticipates further policy debates and congressional hearings on pending proposals. It will join leading actors in an in-depth exploration of core issues through an exchange that identifies and addresses a diversity of interests and searches for greater mutual understanding and expansion of areas of agreement.

Registration fee: $125
Registration deadline: February 10, 1996
(Walk-in registration permitted beginning at 8:30 AM.)
Rutgers School of Law - Newark
15 Washington Street
Newark, NJ 07102-3192
Attn: Assistant Dean Margaret C. Bridge

For further information, call Assistant Dean Margaret C. Bridge at (201) 648-5094, or send email to Professor David A. Rice at drice at world.std.com.

-------------------------------------------------------------
**********||||||||||\\\\\\\\\\*//////////||||||||||**********
Steven C. Perkins             sperkins at andromeda.rutgers.edu
User Services Coordinator
Ackerson Law Library          http://www.rutgers.edu/lawschool.html
Rutgers, The State University of New Jersey, School of Law at Newark
http://www.rutgers.edu/RUSLN/rulnindx.html
VOX: 201-648-5965             FAX: 201-648-1356
|||||||||||||||\\\\\\\\\\\\\||*||///////////////|||||||||||||||

From jlasser at rwd.goucher.edu Wed Jan 24 12:15:45 1996
From: jlasser at rwd.goucher.edu (Jon Lasser)
Date: Thu, 25 Jan 1996 04:15:45 +0800
Subject: [local] Report on Portland Cpunks meeting
In-Reply-To:
Message-ID:

On Wed, 24 Jan 1996, Jonathan Rochkind wrote:
> If, on the other hand, I sign "Toxic Avenger"'s key, then what benefit is
> this for third parties? Since Toxic Avenger is, by intention, _not_ linked
> to a real person, I'm not saying that I feel confident that this key really
> belongs to any particular real person. What am I saying?

"Toxic Avenger" may be known to a group of people (ie he may be a member of a terrorist cell). You're claiming that the key belongs to the "legitimate" TA...

Jon Lasser
------------------------------------------------------------------------------
Jon Lasser (410)494-3072
Visit my home page at http://www.goucher.edu/~jlasser/
You have a friend at the NSA: Big Brother is watching. Finger for PGP key.
From frantz at netcom.com Wed Jan 24 12:23:54 1996
From: frantz at netcom.com (Bill Frantz)
Date: Thu, 25 Jan 1996 04:23:54 +0800
Subject: Hack Java
Message-ID: <199601241905.LAA06733@netcom6.netcom.com>

At 9:47 1/24/96 +0100, Christian Wettergren wrote:
>(In my darker moments, I feel that the whole field of computer security
>is in a major crisis. Ever heard of the Emperor's New Clothes? ;-))

We reduce the problem of an infected Java Interpreter to the previously unsolved problem of virus protection in general. I think it is possible to build highly virus resistant systems, but the cost in user retraining will be huge.

-----------------------------------------------------------------
Bill Frantz                Periwinkle -- Computer Consulting
(408)356-8506              16345 Englewood Ave.
frantz at netcom.com       Los Gatos, CA 95032, USA

From futplex at pseudonym.com Wed Jan 24 12:25:54 1996
From: futplex at pseudonym.com (Futplex)
Date: Thu, 25 Jan 1996 04:25:54 +0800
Subject: DEC Digital Internet Tunnel test server
In-Reply-To:
Message-ID: <199601241843.NAA01971@opine.cs.umass.edu>

Tim Philp writes:
> In the January issue of InfoCanada, the front page has what amounts to a
> press release on Digital Equipment's Digital Internet Personal Tunnel for
> Windows 95. There is also info on a companion product for Unix. I am
> trying to get some information on this. Has anyone heard of this technology?

DEC had a booth at RSADSC last week. I chatted with the reps. there during my sticker collection tour. They had run out of brochures for the tunnel product when I arrived, but I was directed to a web site that features some demo kits and a public tunnelling server using their product. I haven't really looked at it yet, so I don't have an opinion to offer.
http://www.spitbrook.destek.com/

Futplex

From frantz at netcom.com Wed Jan 24 12:32:12 1996
From: frantz at netcom.com (Bill Frantz)
Date: Thu, 25 Jan 1996 04:32:12 +0800
Subject: Crippled Notes export encryption
Message-ID: <199601241920.LAA09269@netcom6.netcom.com>

At 10:28 1/24/96 -0800, Lucky Green wrote:
>I agree. The reason for enforcing ITAR is to keep good crypto off the
>*domestic* market. If ITAR no longer accomplishes that, new laws will be
>passed.

I think this is likely to be an oversimplification. While there are probably a number of people in e.g. FBI, DEA, DOJ who want to restrict domestic crypto, I suspect there are also a number of people in e.g. NSA who are sincerely interested in using SIGINT to protect the US from foreign threats and want strong domestic crypto as part of that protection. As always, public policy is a compromise between competing interests (INSIDE the beltway).

However, the current policy is a holdover from the days when strong crypto was a closely held trade secret. Since this assumption is no longer true, the policy becomes more and more dysfunctional every day.

-----------------------------------------------------------------
Bill Frantz                Periwinkle -- Computer Consulting
(408)356-8506              16345 Englewood Ave.
frantz at netcom.com       Los Gatos, CA 95032, USA

From don at cam.ov.com Wed Jan 24 12:35:56 1996
From: don at cam.ov.com (Donald T. Davis)
Date: Thu, 25 Jan 1996 04:35:56 +0800
Subject: disk randomness
Message-ID: <199601241850.NAA21039@gza-client1.cam.ov.com>

rich salz posted to this list a message i sent him about a portable way to gather disk-noise for a true rng. he also was kind enough to forward a reply to me from the list, because i wasn't subscribed at the time. the reply's author pointed out that my approach is not a practical one, and that NOISE.SYS gathers disk timings and other noise more efficiently, anyway. now that i'm subscribed, i'll answer on my own behalf:

i agree that my algorithm isn't practical. in fact, that's why i agreed to rich's request that i let him post my message here. i don't recommend paging-timings to my clients, because it's not a workable approach for production-quality code.

memory-paging's only virtue as a noise-source is that it's uniquely portable. i failed to emphasize this, in the message rich forwarded for me. the code needs no device-specific calls, and the only OS-specific call is the gettime() call. even with this virtue, i don't recommend it as a production-quality algorithm, unless the process that needs the rng is already memory-bound. i'm sorry that my original msg was unclear on this point; that's my fault, not rich's.

by the way, i think the "interesting work" of mine to which rich referred, is my paper on disk randomness, which appeared in the crypto '94 proceedings. it presents work i did at mit from '88-9, and shows mathematically why disk-timings can contain true entropy: a disk's speed variations come from air turbulence, which now is known mathematically to be unpredictable in the long run. my coauthors were p.r. fenstermacher, a chaos-theory physicist, and r. ihaka, a statistician.

-don davis, boston

From EALLENSMITH at ocelot.Rutgers.EDU Wed Jan 24 12:43:32 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Thu, 25 Jan 1996 04:43:32 +0800
Subject: NSA says strong crypto to china??
Message-ID: <01I0E49IAYZGA0UM4U@mbcl.rutgers.edu>

From: IN%"perry at piermont.com" 9-JAN-1996 12:05:32.69

Alex Strasheim writes:
> If this is true, it's great news. It would mean that the NSA is adopting
> both cypherpunk analysis and tactics. Who would have thought? An NSA
> remade in Tim May's image.

I suspect that the NSA was thinking in our terms long before many of us were aware of cryptography. I actually think that in many cases, their behavior is perfectly rational. Their goals are merely different. If you are in SIGINT, I believe that the possibility of totally losing a valued intelligence tool must heavily weigh on your mind.

Of course, they are hardly monolithic, and different groups at the NSA necessarily have different goals. Once SIGINT becomes much harder regardless of their previous attempts to stop it, I suspect that the NSA will become a friend and not an impediment. By that time, of course, the "we have to protect our people" types will be the only ones producing results and getting funding, and the "we have to gather information" types will have long ceased to produce. That's probably a decade or more off, though.

---------------

I suspect that the NSA can basically be divided into four groups:

A. Those who are interested in protecting American individual liberties, and are thus (possibly potential) allies. This bunch may have a subgroup of those who already are allies, who have unfortunately been rather unsuccessful (or perhaps we simply haven't seen their successes).

B. Those who realize about the potentials for individual liberty from cryptography, but believe that something else about America is more important. For instance, they may believe that the voters in a democracy should be able to institute whatever rules they like. Various left- and right-wing viewpoints are also possible here; the former would include worrying about lost tax dollars because of wanting big government, the latter would include concerns about pornography, etcetera.

C. Those who are in the NSA because they want power, and strong cryptography's dissemination would hinder this. This group is likely to be concealed as one of the other groups.

D. Those who haven't thought about it, and are simply following orders. I suspect that this is the largest group; while the overall level of intellect at the NSA may be higher than in the average population, the intelligence mindset of "need to know" may be keeping many people from realizing everything the NSA is doing.

-Allen

From mixmaster at anon.alias.net Wed Jan 24 12:49:50 1996
From: mixmaster at anon.alias.net (Mr. Nobody)
Date: Thu, 25 Jan 1996 04:49:50 +0800
Subject: None
Message-ID: <199601241930.NAA09159@fuqua.fiftysix.org>

In article <9601241720.AB13251 at envirolink.org> Daniel Miskell writes:
> Mr. Nobody writes:

Dr. Nobody, to you.

> >In article
> >zinc writes:
> >> i got this in the mail this morning. here's another blatant case
> >> of illegal export. names and exact addresses removed to protect the
> >> clueless.
> >
> >Why exactly did you post this message? I personally don't mind, but
> >am just curious.
>
> Why exactly did YOU post this message? I personally don't mind, but am just
> curious.

I thought it was pretty clear from my message: curiosity.

From andrew_loewenstern at il.us.swissbank.com Wed Jan 24 12:56:21 1996
From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern)
Date: Thu, 25 Jan 1996 04:56:21 +0800
Subject: Crippled Notes export encryption
Message-ID: <9601241906.AA00705@ch1d157nwk>

> I can see two practical ways to build a netscape product outside
> the US. The first is to export the source code for the Navigator
> with the crypto code removed. All of the calls to crypto would
> have to be removed as well. I've heard some people claim that the
> government could come after us on the grounds that we were taking
> part in a conspiracy to export strong crypto.
Why not just print out all of the source code to Navigator (crypto and all) in a nice OCR font? Paper is exportable. Then you would 'only' have to scan it back in and debug it.

andrew

From smith at sctc.com Wed Jan 24 13:02:14 1996
From: smith at sctc.com (Rick Smith)
Date: Thu, 25 Jan 1996 05:02:14 +0800
Subject: IPSEC == end of firewalls
Message-ID: <199601242003.OAA23388@shade.sctc.com>

Discussing firewalls, ses at tipper.oit.unc.edu (Simon Spero) writes:
>What do you need as well as crypto before you can remove all firewalls?

What firewalls do is they allow an independent group of people to track external network access and enforce rules over a large population of hosts. Given that just about any security installed on a workstation can be overcome (inadvertently or consciously) by someone with physical access to it, I doubt firewalls will ever go away entirely.

Today's techniques will no doubt evolve and change in various ways over time. But I'd be surprised if the function went away entirely.

Until Netscape came out I suspected that desktop crypto wouldn't make the bigtime soon, simply because there are too many ways to do it wrong. Netscape has demonstrated that doing it wrong is no impediment to deployment. Organizations that want to do crypto well are probably going to concentrate crypto services in a few closely managed hosts to reduce the risk of messing things up.

Rick.
smith at sctc.com    secure computing corporation

From bruceab at teleport.com Wed Jan 24 13:04:52 1996
From: bruceab at teleport.com (Bruce Baugh)
Date: Thu, 25 Jan 1996 05:04:52 +0800
Subject: [local] Report on Portland Cpunks meeting
Message-ID: <2.2.32.19960124195005.006b9940@mail.teleport.com>

At 01:33 PM 1/24/96 -0500, Jonathan Rochkind wrote:
>If, on the other hand, I sign "Toxic Avenger"'s key, then what benefit is
>this for third parties? Since Toxic Avenger is, by intention, _not_ linked
>to a real person, I'm not saying that I feel confident that this key really
>belongs to any particular real person. What am I saying?

Over time, some nyms take on a distinct identity of their own. In fact, some do it very quickly, as with the neo-Nazi twits now arguing in favor of rec.music.white-power over on news.groups, some with distinct "voices".

The thought, therefore, as I imagine it would be "You don't know who I am in person, but you can count on me to be who I am, with this style and set of views, and I say that this guy is another actual person with the same."

Bruce Baugh
bruceab at teleport.com
http://www.teleport.com/~bruceab

From winn at Infowar.Com Wed Jan 24 13:28:15 1996
From: winn at Infowar.Com (winn at Infowar.Com)
Date: Thu, 25 Jan 1996 05:28:15 +0800
Subject: InfoWarCon Europe 1996 Updated Schedule
Message-ID: <199601242051.PAA01047@mailhost.IntNet.net>

---------- Revised Short Draft DOI: 18 Jan 96 ----------

P L E A S E   D I S T R I B U T E   W I D E L Y

InfoWarCon (Europe) '96
Defining the European Perspective
Brussels, Belgium
May 23-24 1996

Sponsored by:
National Computer Security Association
Winn Schwartau, President and CEO, Interpact, Inc.
Robert David Steele, Chairman & CEO, Open Source Solutions Group

May 22, 1996

17:00 - 20:00 Pre-Registration
18:00 - 21:00 Hosted Cocktail Party with Music
Most conference speakers will be in attendance. Meet Mr. Schwartau and Mr. Steele.
May 23, 1995

07:00 - 08:30 Registration
07:00 - 08:30 Sponsored Continental Breakfast

PLENARY SESSIONS

08:30 - 09:00 Keynote Speech
Major General William Robbins
Director General of Information and Communications Services
Ministry of Defence, United Kingdom (Invited)

09:00 - 10:00 "Information Warfare: Chaos on the Electronic Superhighway"
Winn Schwartau, President and CEO, Interpact, Inc., USA

10:00 - 11:15 East Versus West: Military Views of Information Warfare
Moderator: Robert Steele
East: General Nikolai Ivanovich Turko, Information Warfare Expert Russia (invited)
West: Captain Patrick Tyrell Assistant Director, Information Warfare Policy, Ministry of Defence, United Kingdom

11:15 - 11:45 Sponsored Break

11:45 - 13:00 Law Enforcement in Cyberspace: Cooperation is the Key
Moderator: Winn Schwartau
Miguel Chyamorro, (invited) Executive Assistant Director, Interpol
Sweden
Netherlands--Rotterdam Police (invited)

13:00 - 14:30 Lunch
13:30 - 14:00 Special Luncheon Presentation

BREAKOUT SESSIONS

14:30 - 16:00
Breakout I: Threats to European Civil Prosperity
Moderator: Winn Schwartau:)
Private Businesses Germany, France, UK

Breakout II: Information Warfare: Support for Conventional War Fighting
Moderator: SHAPE - NATO (invited)
Panel:
US - Gen. Jim McCarthy USAF (Ret)
Russia: Admiral Vladimir Semenovich Pirumov (Ret) Chairman of Scientific Counsel of the Russian Security Counsel (invited)
Sweden - (Invited)

16:00-16:30 Sponsored Break

PLENARY SESSION

16:30 - 18:00 "Hackers: National Resources or Merely Cyber-Criminals?"
Co-Moderators: Mich Kabay, Ph.D., Director of Education, NCSA and Robert Steele, President, OSS, Inc.
Panel:
Rop Gonggrijp - Hactic and The Digital City Amsterdam, Netherlands
Chris Goggans, co-founder Legion of Doom, US
CHAOS Computer Club, Germany (invited)
"Frantic" Convicted French Hacker (invited)

18:00 - 21:00 Hosted Reception
21:00 - 23:00 "Dutch Dinners" for Birds of a Feather
Rallying points will be provided.
May 24, 1996

07:00 - 8:30 Sponsored Continental Breakfast
08:30 - 9:00 Keynote Speech "Efforts to Maximize Information As New Age Weapon"
General Pichot-Duclos, France

PLENARY SESSIONS

9:00 - 10:00 "Creating Smart Nations Through National Information Strategies: Intelligence And Security Issues"
Robert David Steele, President, OSS, Inc. US

10:00 - 11:15 "The Convergence of Military and Commercial Vulnerabilities"
Moderator: Winn Schwartau
Panel:
Bob Ayers, DISA, Department of Defense, US
Dr. Leroy Pearce, Sr. Tech. Advisor, representing MajGen Leech, Asst. Dep. Minister, Defence Information Services, Canada
Holland / Belgium
Captain Pat Tyrell, Ministry of Defence, UK

11:15 - 11:45 Sponsored Break

11:45 - 13:00 Societal Impact of Information Warfare
Moderator: Winn Schwartau
Panel:
The Croatian View: Pedrag Pale, Chairman InfoTech Coordinating Committee, Ministry of Science, Technology, and Informatics.
General James McCarthy (ret) US

13:00 - 14:30 Lunch
13:30-14:00 Special Luncheon Presentation

BREAKOUT SESSIONS

14:30 - 16:00
Breakout I: Legislation & Personal Privacy: A Global Electronic Bill of Rights?
Moderator: Dr. Mich Kabay, NCSA
Simon Davies, Electronic Privacy International, UK

Breakout II: "Industrial Espionage: An Update"
Moderator: Winn Schwartau
Phillipe Parant, Directeur, DST, France (invited)
Miguel Chamorro, Exec. Director, Interpol (invited)
Kroll Associates US

16:00 - 16:30 Sponsored Break

PLENARY

16:30 - 18:00 Defining War in the Information Age "The New National Security"
Brief comments by Winn Schwartau and Robert Steele - and then a lively interactive audience debate.

18:00 - 18:10 Closing Comments
18:00 - 20:00 No-Host Reception

To obtain the latest edition of this program, send EMail to: euroinfowar at ncsa.com

For more information about NCSA:
WWW: http://www.ncsa.com
CompuServe: GO NCSA
EMail: info at ncsa.com

Sponsorships for various InfoWarCon (Europe) 96 events are still available.
To find out how to sponsor portions:
Contact Paul Gates at the NCSA: pgates at ncsa.com

To reach:
Winn Schwartau: Winn at Infowar.Com
Robert Steele: ceo at oss.net

V 1.3/1.18.96-Short

Peace
Winn

Winn Schwartau - Interpact, Inc.
Information Warfare and InfoSec
V: 813.393.6600 / F: 813.393.6361
Winn at InfoWar.Com

From cp at proust.suba.com Wed Jan 24 13:30:49 1996
From: cp at proust.suba.com (Alex Strasheim)
Date: Thu, 25 Jan 1996 05:30:49 +0800
Subject: Crippled Notes export encryption
Message-ID: <199601242049.OAA06143@proust.suba.com>

> The usual issue: That if a foreign-originated product even appears to be a
> standard (so far, none have been), and includes strong crypto, then the NSA
> and other agencies will simply change the rules. Thus, if extremely strong
> crypto from "Netscape-Zurich" starts to have a significant market presence
> in the U.S., then some law will be passed to restrict it.

But what would they restrict? The use of strong crypto between two domestic points, or strong crypto where one end is within the US and the other without? We already have the former -- wouldn't it be hard for them to take it away? Especially if the software already has a large installed base, which is your premise?

I'm not denying that there are people in the NSA who would want to react that way, but I don't think they'd be able to pull it off.

It is true that the National Security establishment has a lot of power and influence here. But there are other groups with power as well, and the security types don't have the ability to do whatever they want without regard to the opinions and interests of those other groups.

I think America's commercial interests will carry the day. The NSA isn't capable of achieving its objective, which is to preserve passive surveillance. It doesn't matter what the rules are or what Congress passes. It's over. There are a lot of smart people in the NSA, and some of them have to know that.
Big companies like Netscape, Sun, Microsoft, and IBM/Lotus, on the other hand, will almost certainly achieve their objectives if they win the political fight. They'll make buckets of money selling crypto software abroad. And if they lose the fight, they're going to be handing big opportunities to foreign competitors. Who's going to fight harder?

You add to that the fact that impartial observers will say, for the most part, that Netscape's right and the NSA is wrong, and the tremendous interest world wide in creating a trustworthy net based infrastructure for commerce, and the NSA starts to look like a good poker player with a bad hand.

They used to say that "what's good for General Motors is good for the country." A lot of people still feel that way about our biggest companies. When they get their acts together and stare down the NSA in a block, it will all be over.

I feel a little strange about constantly playing the corporate shill here. I'm not a corporate person, and all of the companies I talk about here would probably find me unsuitable for employment. I'm certainly not going to participate in the crypto profits that they'll realize. My interest in this isn't the same as Netscape's. But it's going to be Netscape that pushes this thing over the top.

Crypto is a big tent issue. Some people want the restrictions eased so they can make money, some are afraid of the government, some want to protect civil liberties, some love the math and technology, and others just want to thumb their noses at Mr. Freeh.

I want to see censorship become technically infeasible. There's very little popular support for that position among the general public; everyone wants censorship as long as they agree with the censor. Arguing for crypto from the vantage point of a civil libertarian is pointless. Even here on cypherpunks the bill of rights doesn't get much respect.

The point is that the only guy in the big tent with any clout at all is the corporate manager.
When the kids get together on the street and protest net censorship, does anyone care? Is a militia movement argument going to play in Peoria? (I think those are counter productive -- at times I've been scared enough by them to re-examine my own position.)

I agree with Noam Chomsky when he says that corporate interests dominate our politics, but I also agree with Milton Friedman when he says it's for the best.

We should focus our efforts on energizing corporate America for the fight. The best way to do that is to demonstrate to customers that exportable security is nothing more than snake oil under the current rules. Another way is to explain to people -- journalists and managers alike -- exactly why the current rules are bad for business.

Let's develop and popularize arguments against the NSA position, not radical or esoteric arguments, but the kind of arguments that sensible people who go to work and read the paper every day can repeat to one another when they talk about politics. If we can get this stuff onto the editorial page of the WSJ -- which is where it belongs -- we'll be in spitting distance of a victory.

From cminter at mipos2.intel.com Wed Jan 24 13:57:12 1996
From: cminter at mipos2.intel.com (Corey Minter)
Date: Thu, 25 Jan 1996 05:57:12 +0800
Subject: Crippled Notes export encryption
In-Reply-To:
Message-ID: <199601242052.PAA08155@zws388.sc.intel.com>

joe wrote:
> ... crypto export laws are like) and develop 100% of the product
> overseas. Put a notice inside each shrink-wrapped box that "This
> product was forced to be written overseas, costing American
> programmers their jobs, by the shortsightedness of Congress."

Better yet, specifically point to those who should be held accountable and list the names, addresses, email address, etc. of all those who are involved.
Even better, where practical build into the software an option (that you could turn on/off) which would email every piece of information that you encrypted directly to the congressman as a kind reminder of their position. [This is a joke: spamming is not a good way to deal with the issue.]

--
______________________________________________________________________
Corey Minter | cminter at mipos2.intel.com | (408) 765-1714
Views expressed in this message in no way represent Intel (duh).

From junger at pdj2-ra.F-REMOTE.CWRU.Edu Wed Jan 24 14:11:47 1996
From: junger at pdj2-ra.F-REMOTE.CWRU.Edu (Peter D. Junger)
Date: Thu, 25 Jan 1996 06:11:47 +0800
Subject: Crippled Notes export encryption
In-Reply-To:
Message-ID:

Lucky Green writes:

: At 4:17 1/24/96, Timothy C. May wrote:
:
: >The usual issue: That if a foreign-originated product even appears to be a
: >standard (so far, none have been), and includes strong crypto, then the NSA
: >and other agencies will simply change the rules. Thus, if extremely strong
: >crypto from "Netscape-Zurich" starts to have a significant market presence
: >in the U.S., then some law will be passed to restrict it.
:
: I agree. The reason for enforcing ITAR is to keep good crypto off the
: *domestic* market. If ITAR no longer accomplishes that, new laws will be
: passed.

That is not so clear. The ITAR are regulations, not a law passed by Congress. The ITAR regulations relating to the export of cryptography are probably not authorized by any law (as well as being unconstitutional).

The reason for all the silly twists and turns under the ITAR is that the censors never succeeded in getting any law forbidding the use of cryptography, and it is not at all certain that they could get such a law passed.

There is very little that can be done under the ITAR to keep Netscape-Zurich from spreading and it is Congress, not the Office of Defense Trade Controls or the NSA that passes laws.

--
Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH
Internet: junger at pdj2-ra.f-remote.cwru.edu junger at samsara.law.cwru.edu

From janzen at idacom.hp.com Wed Jan 24 14:19:11 1996
From: janzen at idacom.hp.com (Martin Janzen)
Date: Thu, 25 Jan 1996 06:19:11 +0800
Subject: Signing nyms' keys (Was: Report on Portland Cpunks...)
In-Reply-To: <2.2.32.19960124195005.006b9940@mail.teleport.com>
Message-ID: <9601242142.AA19654@sabel.idacom.hp.com>

-----BEGIN PGP SIGNED MESSAGE-----

Bruce Baugh writes:
> >If, on the other hand, I sign "Toxic Avenger"'s key, then what benefit is
> >this for third parties? Since Toxic Avenger is, by intention, _not_ linked
> >to a real person, I'm not saying that I feel confident that this key really
> >belongs to any particular real person. What am I saying?
> Over time, some nyms take on a distinct identity of their own. [...] The
> thought, therefore, as I imagine it would be "You don't know I am in person,
> but you can count on me to be who I am, with this style and set of views,
> and I say that this guy is another actual person with the same."

So are you saying that by signing a nym's key, you're asserting that you know _the individual(s) behind the nym_? If so, would this association not weaken the anonymity of the nym whose key you've signed?

Furthermore, by signing a nym's key you place yourself at risk. If you sign the nym's key with your own key -- or sign using the key of your own nym, and that nym is subsequently "outed" -- then anyone wishing to find the individual(s) behind any nym whose key you've signed can attempt to coerce you into revealing this information, since you have claimed to know it.
- --
Martin Janzen janzen at idacom.hp.com

From pete at loshin.com Wed Jan 24 14:50:16 1996
From: pete at loshin.com (Pete Loshin)
Date: Thu, 25 Jan 1996 06:50:16 +0800
Subject: Crippled Notes export encryption
Message-ID: <01BAEA7E.07613560@ploshin.tiac.net>

Joe Block wrote:
>
>At 11:50 PM 1/23/96, you wrote:
>>The problem is whether you can separate the functionality of what you're
>>exporting sufficiently from what you're contracting out that the exported
>>material isn't a "component of a cryptosystem"; it's tough to do a good bones
>>version of code if you're concerned about satisfying both the letter and
>>spirit of a law to avoid hassles with the government. On the other hand,
>>if you're as big as IBM or even MIT, sometimes you can do it....
>
>So move 100% of the development overseas. Pick someplace where the labor
>is cheaper (maybe the former Soviet Union, but I don't know what their
>crypto export laws are like) and develop 100% of the product overseas. Put
[deletia...]

I've heard that India is the place to be for software development these days (top talent for 10% the price of Americans, or some such). I've also heard that, for example, CyberCash has a development office there.

-Pete Loshin
pete at loshin.com

From aba at atlas.ex.ac.uk Wed Jan 24 14:56:14 1996
From: aba at atlas.ex.ac.uk (aba at atlas.ex.ac.uk)
Date: Thu, 25 Jan 1996 06:56:14 +0800
Subject: Crippled Notes export encryption
Message-ID: <14925.9601242204@avon.dcs.exeter.ac.uk>

Lucky Green writes:
> At 4:17 1/24/96, Timothy C. May wrote:
>
> >The usual issue: That if a foreign-originated product even appears to be a
> >standard (so far, none have been), and includes strong crypto, then the NSA
> >and other agencies will simply change the rules. Thus, if extremely strong
> >crypto from "Netscape-Zurich" starts to have a significant market presence
> >in the U.S., then some law will be passed to restrict it.
>
> I agree. The reason for enforcing ITAR is to keep good crypto off the
> *domestic* market. If ITAR no longer accomplishes that, new laws will be
> passed.

No need for any new laws or regulations, all that needs to be done is to add crypto to the import list (the opposite, and currently not so widely discussed counterpart to the export list). In fact I wouldn't be surprised if the ODTC and NSA could interpret ITAR and the current import list to allow this. (Anyone have an electronic copy of the import restricted list?)

Of course this wouldn't be a very popular move, so I'd guess that it wouldn't be tried until a) foreign crypto apps become a significant obstacle to the NSA, and b) other methods have been exhausted.

Adam
--
#!/bin/perl -s-- -export-a-crypto-system-sig -RSA-3-lines-PERL
$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%Sa
2/d0

Article of that title in Jan 22 issue of EE Times:

"San Francisco - IBM subsidiary Lotus Development Corp. offered an olive branch of sorts to the National Security Agency (NSA) last week, at the opening of the RSA Data Security Conference at the Fairmont Hotel. The Iris Associates unit of Lotus that developed Lotus Notes will be able to ship an international version with the equivalent [!!] of 64-bit encryption, using a concept Lotus calls "Differential Workfactor Cryptography". In the past, NSA has blocked the State Department from issuing broad licenses for packages with encryption of 40 bits or stronger. The Business Software Alliance argues that this has jeopardized sales of U.S. software overseas.
The NSA has unsuccessfully tried to get U.S. manufacturers to use the Clipper chip or its software equivalent (based on a classified encryption algorithm) or an unclassified "key escrow" algorithm in which decryption keys must be held by third parties. OEMs have rejected all key-escrow concepts and have demanded international export rights for public-key cryptography methods promoted by vendors such as RSA.

Lotus's compromise with the NSA concedes the agency's right to conduct signals intelligence on foreign targets. The encryption in Notes Release 4 is based on a 64-bit random number. But for the exported version of Release 4, the NSA generates a public-key algorithm and encrypts 24 bits of the key using the public RSA key. The result of this operation, the Workfactor Reduction Field [!?], is bound to the encrypted data. Foreign hackers will find the encrypted messages as difficult to decrypt as a message with a 64-bit RSA key, but the NSA will find it as easy to crack as a message with a 40-bit key."

EE Times, Jan 22, 1996, page 116 sidebar

-------------------------------------------------------------
"It is not the function of our Government to keep the citizen from falling into error; it is the function of the citizen to keep the Government from falling into error."
Robert H. Jackson (1892-1954), U.S. Judge
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
My web page: http://www.geocities.com/CapitolHill/1148

From jya at pipeline.com Wed Jan 24 15:11:33 1996
From: jya at pipeline.com (John Young)
Date: Thu, 25 Jan 1996 07:11:33 +0800
Subject: NON_nsa
Message-ID: <199601242224.RAA11535@pipe2.nyc.pipeline.com>

February Byte reviews nine non-US (non-NSA, wah?) crypto programs, ranging from uses for a single laptop to company networks to transmissions on the Internet, by Martin Banks, a UK writer.
Admire these deadpan marketing names:

Deadlock (uk)
EasySafe and MasterSafe (il)
Latches for Windows (uk)
Safeguard Easy (de)
SecureData (uk)
SmartLock (it)
StopLock (uk)
TeamWare Crypto (uk)

and, more Jim Carrey-ly:

Visage (uk) -- which uses faces as passphrase!

NON_nsa (For those with non-key-access to Byte)

From dm at amsterdam.lcs.mit.edu Wed Jan 24 15:25:17 1996
From: dm at amsterdam.lcs.mit.edu (David Mazieres)
Date: Thu, 25 Jan 1996 07:25:17 +0800
Subject: Crippled Notes export encryption
In-Reply-To: <2.2.32.19960123140650.00708e08@mail.interlog.com>
Message-ID: <199601242303.SAA14589@amsterdam.lcs.mit.edu>

In article <3105FBFC.4DC9 at netscape.com> Jeff Weinstein writes:
> The other way would be to export a binary with pluggable crypto,
> which is generally agreed to be regulated by the ITAR in the same
> way as software that actually contains crypto.

How did kerberos avoid this? The "bones" distribution of kerberos without crypto was not regulated by ITAR, right?

David

From trei at process.com Wed Jan 24 15:56:38 1996
From: trei at process.com (Peter Trei)
Date: Thu, 25 Jan 1996 07:56:38 +0800
Subject: SS Obergruppenfuhrer Zimmermann (NOT!)
Message-ID: <9601242309.AA08202@toad.com>

Patiwat Panurach asks:
> On Tue, 23 Jan 1996, Duncan Frissell wrote:
> > On the whole, the cypherpunks have gotten very favorable press for a group
> > whose actions may render government policies irrelevant and possibly the
> > governments themselves.
> Would you call cypherpunks (as a group and as a philosophy) to be
> influential? Do you think governments listen to us much? Are they forced
> to listen to us? Any stuff to support this? Please give me your comments.

Yes, I would say the actions of the people active on this list have had significant effects. To give one example: Last summer, 'we' broke 40-bit RC4. Within a week or two, the US government started to discuss making 64-bit escrowed crypto exportable (not acceptable, but it's a change).
In the private sector, the opinion in a lot of US firms was 'yeah, 40 bits may be weak, but marketing wants to have a single "secure version" of the product, so we'll sell the 40 bit version domestically and abroad - after all, 40 bits is only theoretically weak - no one's ever broken it.' After the highly publicized SSL crack, it suddenly became a *lot* easier for engineers to argue for separate domestic versions with stronger encryption. I personally know of three firms where this occurred, and I'm sure there are more.

Peter Trei
Senior Software Engineer
Purveyor Development Team
Process Software Corporation
http://www.process.com
trei at process.com

From warlord at MIT.EDU Wed Jan 24 16:06:55 1996
From: warlord at MIT.EDU (Derek Atkins)
Date: Thu, 25 Jan 1996 08:06:55 +0800
Subject: Crippled Notes export encryption
In-Reply-To: <199601242303.SAA14589@amsterdam.lcs.mit.edu>
Message-ID: <199601242330.SAA08632@toxicwaste.media.mit.edu>

> How did kerberos avoid this? The "bones" distribution of kerberos
> without crypto was not regulated by ITAR, right?

Kerberos didn't leave the crypto pluggable. The bones distribution removed not only the crypto routines but also the calls to the crypto routines. It would be hard to call that "pluggable". It took a lot of work for someone down under to replace all those crypto calls!

-derek

From tcmay at got.net Wed Jan 24 16:09:59 1996
From: tcmay at got.net (Timothy C. May)
Date: Thu, 25 Jan 1996 08:09:59 +0800
Subject: Crypto Exports, Europe, and Conspiracy Theories
Message-ID:

At 8:49 PM 1/24/96, Alex Strasheim wrote:

(quoting me)
>> The usual issue: That if a foreign-originated product even appears to be a
>> standard (so far, none have been), and includes strong crypto, then the NSA
>> and other agencies will simply change the rules. Thus, if extremely strong
>> crypto from "Netscape-Zurich" starts to have a significant market presence
>> in the U.S., then some law will be passed to restrict it.
>
>But what would they restrict? The use of strong crypto between two
>domestic points, or strong crypto where one end is within the US and the
>other without? We already have the former -- wouldn't it be hard for them
>to take it away? Especially if the software already has a large installed
>base, which is your premise?

Specifically, I believe--though obviously cannot prove, given the nature of time--that a cryptographically strong version of Netscape developed outside the borders of the U.S. would not be freely importable into the U.S.

I don't know what form such a law would take, to answer the point raised in another post by Peter Junger. Nor am I saying either State or NSA passes the laws...the ITARs have worked largely because they have never been challenged; if they were to be successfully challenged and stricken, as even some folks inside the NSA think is likely if tested in a proper case, then a Four Horsemen-scared Congress will likely step in with some restrictions.

>I'm not denying that there are people in the NSA who would want to react
>that way, but I don't think they'd be able to pull it off.
>
>It is true that the National Security establishment has a lot of power
>and influence here. But there are other groups with power as well, and
>the security types don't have the ability to do whatever they want
>without regard to the opinions and interests of those other groups.

And now here's where I will speculate openly, although my speculation is informed by having followed these debates (and even contributing to them) for many years.

You have to ask yourself this question: "Why are there no cryptographically strong products--finished products, not specific ciphers or chunks of code--developed in Europe and freely imported into the U.S.?"
More specifically, given that the situation with crypto exports being limited (the so-called $60 billion a year problem...even if inflated, still a lot of money) has been known about for a long time, and given that Europe, and to a lesser extent Japan, India, etc., has a strong software infrastructure, you have to ask why "Netscape-Zurich" is not now being imported into the U.S., as a core module that then (for example) the American developers could add additional stuff to.

Or why Lotus Notes-Tel Aviv is not being imported, with at least an 80-bit work factor.

Or why Digicash is not taking the relatively trivial step of offering extremely strong ciphers (maybe something like Haval?) and blitzing the U.S. market? ("Only Digicash is offering _all_ of our customers the same level of communications security.")

(I'll get to some of the practical issues, that the culture of Europe is not quite as conducive as the culture of the U.S. to startups, such as Netscape, Spry, Intuit, etc., but I don't think this gets at the main point of why strong crypto is not being _imported_ into the U.S.)

If the business losses are anything really close to $60 billion a year, then companies wishing to have strong crypto should be *screaming* for Europe-developed products to be brought back in to the U.S.

There are of course two components to the alleged $60 B a year losses, broadly speaking:

* the losses of companies not in the crypt tools business who are losing out because the crypto they are allowed to export weakens their product's attractiveness.

* the losses of crypto tool makers who are losing out because their products are not attractive to non-U.S. buyers

(Does anyone else out there see a disconnect in the logic here? If Company A is losing business to a non-U.S. Company B, then why is whatever Company B is providing (such as stronger crypto) not being imported into the U.S.
For example, if Netscape is losing out to "CERNScape," the hypothetical browser company out of the CERN WWW groups, then why is CERNScape not selling here? In fact, where _are_ the products that are winning out over the crippled American products?)

(Understand that I'm not claiming there are no losses, that the $60 B a year figure is not accurate (though I think it inflated a bit), I'm just trying to figure out what's really going on here.)

Let's review some points that may be relevant to why "offshore development" has not become a reality, even though one might think it would (given the $60 B figure...that pays for an awful lot of overseas programmers!).

First, the "crypto hooks" point we discuss so often. Merely having hooks that link to offshore crypto is a problem, as the ITARs make clear. Thus, Lotus cannot simply say to its non-U.S. customers, "We are shipping a version overseas that contains only 40-bit crypto; you are advised to download 80-bit crypto from http://defeat-itars.lotus-geneva...." I don't know precisely how the NSA and State would react, and what law would be cited (beyond a reading of the ITARs), but pretty clearly this would not fly in the current climate. Lotus might get visits from the NSA, might be threatened with conspiracy to violate the Munitions Act charges, might have its shipments seized, etc.

Second, folks at RSADSI told me several years ago that it even violates the ITARs to send cryptographic knowledge out of the country (especially, in this context, with the intention of the folks with the knowledge being the "Geneva" operation of RSADSI, for example).

[Note: This is really where all the stuff about exporting code comes from, and why the debate about exporting the RSA-in-Perl t-shirt is not really hitting the main point. The NSA and State have no real concern about copies of Schneier's book going out, given that they know they can't stop it anyway and the stuff in it has already been published worldwide.
No, their real concern is ensuring that Lotus does not skirt the whole crypto exports issue by sending a team to an overseas location to develop a core module _there_.

Before someone like Duncan protests that this strategy is ultimately--and maybe even soon--doomed to fail, for the many reasons we discuss often, I agree. But for the nonce, NSA and State are trying to fight a holding action, and keeping U.S. companies from distributing strong crypto is currently within their powers in a way that domestic control of crypto is not.]

Third, even _interoperability_ is disliked by the NSA. Thus, if Lotus Notes says that it will support an open standard such that its package can communicate easily with Europe-developed crypto modules, the NSA will consider this to be a means of skirting the ITARs.

(This was actually the main strength of PGP, as I saw it, that a "standard" could be supported on many platforms, and once the program was proliferated to many countries, all could interoperate. Note that there are very few other such interoperable crypto programs---Lotus Notes talks to other Lotus Notes sites (a chokepoint in controlling distribution), MicrosoftMail and other products talk to other MS products, RSADSI's own standalone crypto program, Mailsafe, talks to other Mailsafe users (again, a chokepoint for distribution), and so on.

[Side note: this situation is changing as standards are adopted, as the Web takes on a more prominent role. But I believe it to still be true that strong crypto in the U.S. cannot easily talk to strong crypto in Europe and Asia, except via things like PGP. If I'm wrong, I'd appreciate hearing about some examples.]

Fourth, bizarre as it may sound, _imported_ strong crypto may face the same restrictions if attempts are made to _export_ it! Even if the code is unchanged. (The only justification for this position is that the U.S.
is trying to create a chokepoint for control...there is no logical reason for a product imported from Israel to then not be allowed for export back to Israel, except that NSA and State hope to interfere with markets and thus have more control over things.)

The effect of this restriction is that companies planning to import crypto from, say, Switzerland, and integrate it into their products will still face the ITARs when they try to export the product. And even having _two_ versions, one developed in the U.S. and one developed in Switzerland, will then run into the issues already cited: skirting the law by having hooks, (maybe) engaging in a conspiracy to export cryptographic talent for the purposes of skirting the ITARs, and having interoperable versions.

Fifth, there are cryptographically-competent companies and programmers in Europe. Companies such as Crypto AG, companies in Israel, programmers in the U.K., Slovenia, Romania, and all over. (Many on this list, in fact.) And programmers and very competent crypto folks in Australia, New Zealand, etc.

Given the relatively small teams that built capable browsers, and given the capable programmers, and given the (alleged) huge losses American companies are suffering for lack of secure products, why are there no Europe-developed browsers with strong crypto?

I promised conspiracies. My points above implicitly involve some behind-the-scenes pressuring (and I know this to be the case from first-hand accounts), but here are some more:

-- maybe even the European companies have been threatened, perhaps by their own crypto-fearful intelligence agencies (recall the many reports of key escrow talk in Germany, France, Sweden, etc.)

-- maybe, as some have claimed, the European crypto companies, such as Zug-based Crypto AG, are actually controlled or influenced by the NSA. (This was a recent thread here, dismissed by the list.censors as "off-topic," but, I think, in actuality a terribly important topic to consider.)
-- maybe the Europeans just don't want a piece of the Web browser market, maybe the prospect of a software company reaching a capitalization of $5 billion in less than two years doesn't excite them. (Maybe Clinton didn't inhale.)

In a kind of variant of the Fermi Paradox ("Why aren't they here?," referring to alien visitors), my question is this: "Why aren't we able to solve this pressing problem of not being able to export strong crypto by _importing_ it?"

I don't think it's an accident, or laziness on the part of European and Asian companies, that we haven't gotten around the U.S.'s laws about exporting crypto by getting our crypto from competent programmers and companies outside the U.S.

Comments?

--Tim May

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May               | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA   | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From walrus at ans.net Wed Jan 24 16:10:51 1996
From: walrus at ans.net (michael shiplett)
Date: Thu, 25 Jan 1996 08:10:51 +0800
Subject: Crippled Notes export encryption
In-Reply-To: <199601242303.SAA14589@amsterdam.lcs.mit.edu>
Message-ID: <199601242318.SAA08161@fuseki.aa.ans.net>

"dm" == David Mazieres writes:

dm> How did kerberos avoid this? The "bones" distribution of kerberos
dm> without crypto was not regulated by ITAR, right?

In the ``bones'' version not only was the encryption code eliminated (e.g., the functionality of libdes.a), but the hooks to call such code disappeared as well.
michael From djw at vplus.com Wed Jan 24 17:15:32 1996 From: djw at vplus.com (Dan Weinstein) Date: Thu, 25 Jan 1996 09:15:32 +0800 Subject: Crippled Notes export encryption Message-ID: <199601242348.PAA03565@ns1.vplus.com> m5 at dev.tivoli.com (Mike McNally) Wrote: > Dan Weinstein writes: > > >By the way, I really think Netscape should simply ship Jeff and other > > >people to the Amsterdam office... > > > > Wrong, this would be a violation of ITAR. > > I don't understand; are you saying Jeff's brain is a munition under > the ITAR? > > (Is it a citizenship thing? If so, that's an easily solved problem: > hire Dutch (or Egyptian or Bengali or whatever) engineers.) I forget how it is termed in ITAR, but expertise can't be exported either. Another thing to remember is that Jeff and the others at Netscape aren't writing the encryption algorithms themselves, they implement the code that they get from RSA. Though most of the code they get from RSA is already available abroad, if they wanted to import it they would face serious copyright problems with RSA. Also, like I suggested before any programmers who gained their knowledge of crypto programming in the U.S. and then went abroad and developed crypto software would be in danger of prosecution under ITAR if they ever returned to the U.S. Dan Weinstein djw at vplus.com http://www.vplus.com/~djw PGP public key is available from my Home Page. All opinions expressed above are mine.
"I understand by 'freedom of Spirit' something quite definite - the unconditional will to say No, where it is dangerous to say No. Friedrich Nietzsche From zinc at zifi.genetics.utah.edu Wed Jan 24 18:25:05 1996 From: zinc at zifi.genetics.utah.edu (zinc) Date: Thu, 25 Jan 1996 10:25:05 +0800 Subject: Unzipping pgp for vax (fwd) Message-ID: cpunks, i got this in the mail this morning. here's another blatant case of illegal export. names and exact addresses removed to protect the clueless. -- "Those that give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin (1773) zifi runs LINUX 1.3.57 -=-=-=WEB=-=-=-> http://zifi.genetics.utah.edu ---------- Forwarded message ---------- Date: Tue, 23 Jan 1996 16:40:30 +0100 (MET) From: XXXXX XXXXXX To: finerty at MSSCC.MED.UTAH.EDU Subject: Unzipping pgp for vax Patrick, I got a copy of vaxpgp262.tar.Z from ftp.csua.kerkeley.edu. I have a problem using unzip to decompress it. What kind of unzip do I need? Thanks a lot. XXXXXXX From dm at amsterdam.lcs.mit.edu Wed Jan 24 18:46:47 1996 From: dm at amsterdam.lcs.mit.edu (David Mazieres) Date: Thu, 25 Jan 1996 10:46:47 +0800 Subject: German home banking (fromn RISKS) In-Reply-To: Message-ID: <199601250030.TAA15203@amsterdam.lcs.mit.edu> Was the person in the basement eavesdropping or actually performing a man-in-the-middle attack? Don't high speed modems transmit and receive on the same frequencies, using echo cancelation to decode the receive signals? Does that make it impossible to eavesdrop on high-speed (i.e. V32bis) modems?
David From stephen_albert at alpha.c2.org Wed Jan 24 19:04:29 1996 From: stephen_albert at alpha.c2.org (Stephen Albert) Date: Thu, 25 Jan 1996 11:04:29 +0800 Subject: Netscape & open NNTP servers Message-ID: <199601250101.RAA01312@infinity.c2.org> I've got a question that I feel like I *should* know the answer to, but don't. Say I configure Netscape to point through an open http proxy, and then connect to an open NNTP server. I don't know much about how proxies work. Does the NNTP connection go through the proxy or directly from my machine? As I understand it if it does the first, then I don't have to worry about the NNTP server's log file, if any. But if it does the second, I do. Am I in the ballpark here? ObCrypto: Not-readily-traceable posting with less hassle than a mail-to-news gateway seems to have some privacy relevance, even if it's not directly crypto. Stephen "To NNTP Serve Man" Albert stephen_albert at alpha.c2.org <*> PGP key on request and on servers From frissell at panix.com Wed Jan 24 19:05:28 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 25 Jan 1996 11:05:28 +0800 Subject: Crypto Exports, Europe, and Conspiracy Theories Message-ID: <2.2.32.19960125010506.0099a208@panix.com> At 04:59 PM 1/24/96 -0800, Timothy C.
May wrote: >In a kind of variant of the Fermi Paradox ("Why aren't they here?," >referring to alien visitors), my question is this: "Why aren't we able to >solve this pressing problem of not being able to export strong crypto by >_importing_ it?" > >I don't think it's an accident, or laziness on the part of European and >Asian companies, that we haven't gotten around the U.S.'s laws about >exporting crypto by getting our crypto from competent programmers and >companies outside the U.S. > >Comments? How about time. We're less than a year on from the "Internet Breakthrough." It is not obvious to the non-political that stand alone desktops or enterprise LANs need crypto. The "need" for the product only develops with telecoms. Recall the fact that hardly anyone was online (or even knew what the term meant) only a short time ago as product development cycles run. We'll see. Markets are efficient but not perfect. DCF From rsalz at osf.org Wed Jan 24 19:27:36 1996 From: rsalz at osf.org (Rich Salz) Date: Thu, 25 Jan 1996 11:27:36 +0800 Subject: Crippled Notes export encryption Message-ID: <9601250008.AA12407@sulphur.osf.org> >So where exactly do they draw the line? You can still construct your >software in such a way that there is a clean boundary between the >crypto stuff and the rest. Right. However, if you call things like "keysize" as opposed to "state" then they will look askance. >How exactly are crypto-hooks defined? On a case-by-case basis. /r$ From JMKELSEY at delphi.com Wed Jan 24 19:31:19 1996 From: JMKELSEY at delphi.com (JMKELSEY at delphi.com) Date: Thu, 25 Jan 1996 11:31:19 +0800 Subject: Lotus Notes Message-ID: <01I0D1I8O4VI98E2HT@delphi.com> >Date: Thu, 18 Jan 1996 20:54:33 -0500 >From: daw at beijing.CS.Berkeley.EDU (David A Wagner) >Subject: Re: Hack Lotus? >Hack Lotus? Please do. Perhaps in this case, c2.org could have a "patch Lotus" contest, instead.
Help us patch this dumb security hole, by which we're leaking 24 bits of each session key. >I would love to see the internals of how Lotus Notes does the escrow. >Every conceivable way I can see to do it seems very vulnerable to attack. > >If the receiving Lotus Notes program doesn't check whether the high 24 >bits have been escrowed correctly in the LEEF-like field, then a simple >hack to the sending Lotus Notes program to not send the LEEF field >should give foreigners true 64 bit encryption. I think this is the case. The guy who spoke at the RSA conference made reference to the fact that this new version would interoperate with full-strength domestic versions. Getting domestic versions to check for LEAFs only from foreign users is possible, but it would seem to require that Lotus was working on this idea several versions back. Otherwise, when an old domestic version gets a message from a new foreign version, it's going to accept the message without a LEAF. Depending on how Lotus Notes does their key exchange protocol, it may be possible to graft this kind of checking on, so that the older programs will work with it, too, but this doesn't seem likely at all. >If the receiving Lotus Notes program does verify that the high 24 bits >are escrowed correctly, then anyone can verify that, so in 2^24 trials, >I can recover the high 24 bits, and with 2^40 more trials, I can recover >the high 40 bits. Therefore 2^40 + 2^24 trials should suffice to hack >Lotus if this is how it works. This problem is solvable, though I doubt they've bothered. Two ways come to mind--both using information that third parties won't have to fix the problem. 1. Put another 64 bits of random salt into the RSA key exchange blob. Use this to pad the LEAF, so that it's not feasible to dictionary search the LEAF. 2. Define the LEAF as part of the RSA key exchange blob. Pad the LEAF with random bits, unknown to the receiver. Sign the whole key exchange blob. 
Note that #2 can be countered by hacking the software's copy of the public key. I don't see a way of countering #1 on the sender side only. (Once you get the sender and receiver working together, key escrow seems to become really hard to do.) Now, I'm very interested in whether they thought about this as a potential problem, and thus padded their LEAF intelligently, or left themselves vulnerable to a dictionary-style attack on the LEAF. This translates, roughly, to "was someone with a basic understanding of cryptography involved in this design?" Clearly, IBM has some really good people, and I suspect Lotus did/does, as well. But were they involved enough in the implementation to ensure that this was done intelligently? - From what I heard at the conference, though, I don't think they're even checking to ensure compliance. This implies that the security patch can be pretty simple--clobber the LEAF field with a bunch of random-looking bits. Of course, this tells us nothing about the other possible weaknesses. How well does Notes generate key material? How big are the RSA keys? How well do things like the key exchange protocols work? It looks to me like there are a lot of programs with encryption out there that are lucky to manage even 40 bits of actual security, even if they're allowed 64- or 128-bit keys. >Waiting to hear the technical details of how it works, >- -- Dave Wagner Note: Please respond via e-mail as well as or instead of posting, as I get CP-LITE instead of the whole list. 
--John Kelsey, jmkelsey at delphi.com / kelsey at counterpane.com PGP 2.6 fingerprint = 4FE2 F421 100F BB0A 03D1 FE06 A435 7E36 From iagoldbe at calum.csclub.uwaterloo.ca Wed Jan 24 19:34:10 1996 From: iagoldbe at calum.csclub.uwaterloo.ca (Ian Goldberg) Date: Thu, 25 Jan 1996 11:34:10 +0800 Subject: Crippled Notes export encryption In-Reply-To: <199601242348.PAA03559@ns1.vplus.com> Message-ID: <4e6m48$npf@calum.csclub.uwaterloo.ca> In article <9601242357.AA02688 at alpha>, Mike McNally wrote: >This sounds fishy to me. I don't recall reading anything to suggest >that export of cryptographic software (or any other munition) requires >that the stuff be *used* outside the US for an offense to be >committed; why should export of a cryptographer's wetware be any >different? Either the expertise leaves the country or it doesn't, I'd >think. Here's section 120.17 of ITAR: @ 120.17 -- Export. Export means: (1) Sending or taking a defense article out of the United States in any manner, except by mere travel outside of the United States by a person whose personal knowledge includes technical data; or (2) Transferring registration, control or ownership to a foreign person of any aircraft, vessel, or satellite covered by the U.S.
Munitions List, whether in the United States or abroad; or (3) Disclosing (including oral or visual disclosure) or transferring in the United States any defense article to an embassy, any agency or subdivision of a foreign government (e.g., diplomatic missions); or (4) Disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad; or (5) Performing a defense service on behalf of, or for the benefit of, a foreign person, whether in the United States or abroad. (6) A launch vehicle or payload shall not, by reason of the launching of such vehicle, be considered an export for purposes of this subchapter. However, for certain limited purposes (see @ 126.1 of this subchapter), the controls of this subchapter may apply to any sale, transfer or proposal to sell or transfer defense articles or defense services. Item (1) allows people to travel abroad if they know crypto. It's unclear that it allows them to emigrate or return to their country of origin. Items (3),(4),(5) seem to prevent such a person from using, or even mentioning, crypto to or "on behalf of" a foreign person. (6) is cute. Launching a missile at Iraq isn't considered export... - Ian From dagmar at accessus.net Wed Jan 24 19:41:13 1996 From: dagmar at accessus.net (Dagmar the Surreal) Date: Thu, 25 Jan 1996 11:41:13 +0800 Subject: Ultimate Paranoia Message-ID: <199601250101.TAA30420@mtvernon1.accessus.net> At 05:35 PM 1/22/96 -0500, you wrote: >For the ultimately paranoid: > Don't forget to keep all sensitive info on your standalone >machine on an encrypted filesystem. You never know who might show up >with guns and a search warrant. But this is truly paranoid. And _what_, may I ask exactly, is wrong with this sort of security? ----- "In the vacuum of cyberspace, no one can hear the pedestrians scream." -- Dagmar the Surreal (as sold on TV!)
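The escrow-field question raised in the "Lotus Notes" message above (David Wagner's 2^24 + 2^40 estimate for a field the receiver can check, and John Kelsey's fix no. 1 of padding it with 64 bits of salt), worked through as an added example that is not part of any poster's message and not Lotus code. The field layout, the function names and the toy textbook-RSA key are assumptions made for illustration; the escrow width is a parameter so the demo run can use 16 bits instead of 24.

```python
"""Why an escrow field (LEAF) that the receiver can check needs random padding.

Assumed model (not Lotus's actual format): the sender encrypts the top bits of
the session key to an escrow agent's RSA public key and sends the result
alongside the message; the receiver recomputes the field to check it.
"""
import secrets

# Toy escrow-agent public key, constructed for this example: the product of two
# Mersenne primes. Textbook RSA without padding; unusable for real traffic.
N = (2**61 - 1) * (2**89 - 1)
E = 65537

KEY_BITS = 64      # session key size discussed in the thread
ESCROW_BITS = 24   # bits handed to the escrow agent
SALT_BITS = 64     # fix no. 1: salt carried inside the key-exchange blob


def top_bits(session_key, escrow_bits=ESCROW_BITS, key_bits=KEY_BITS):
    """The high-order bits of the session key that get escrowed."""
    return session_key >> (key_bits - escrow_bits)


def leaf_unsalted(session_key, escrow_bits=ESCROW_BITS):
    """Deterministic field: equal escrowed bits always give an equal LEAF."""
    return pow(top_bits(session_key, escrow_bits), E, N)


def leaf_salted(session_key, salt, escrow_bits=ESCROW_BITS):
    """Field padded with a salt that only sender and receiver know."""
    padded = (salt << escrow_bits) | top_bits(session_key, escrow_bits)
    return pow(padded, E, N)


def receiver_accepts(leaf, session_key, salt=None, escrow_bits=ESCROW_BITS):
    """The receiver holds the session key (and salt) and recomputes the field."""
    if salt is None:
        return leaf == leaf_unsalted(session_key, escrow_bits)
    return leaf == leaf_salted(session_key, salt, escrow_bits)


def outsider_search(leaf, escrow_bits=ESCROW_BITS):
    """What an observer holding only the public key can do: test each candidate.

    Returns the escrowed bits when the field is deterministic, otherwise None.
    """
    for guess in range(2**escrow_bits):
        if pow(guess, E, N) == leaf:
            return guess
    return None


def outsider_work(salted, escrow_bits=ESCROW_BITS, key_bits=KEY_BITS):
    """Trials an observer needs to recover the whole session key."""
    if salted:
        # Searching the field now costs 2^(escrow + salt) trials, so a plain
        # search of the session key is the cheaper route.
        return min(2**(escrow_bits + SALT_BITS), 2**key_bits)
    return 2**escrow_bits + 2**(key_bits - escrow_bits)


if __name__ == "__main__":
    demo_bits = 16  # narrower than 24 so the demo finishes quickly
    key = secrets.randbits(KEY_BITS)       # constructed sample session key
    salt = secrets.randbits(SALT_BITS) | 1  # non-zero so padding is present

    plain = leaf_unsalted(key, demo_bits)
    padded = leaf_salted(key, salt, demo_bits)

    print("receiver accepts unsalted:", receiver_accepts(plain, key, None, demo_bits))
    print("outsider recovers bits   :", outsider_search(plain, demo_bits) == top_bits(key, demo_bits))
    print("receiver accepts salted  :", receiver_accepts(padded, key, salt, demo_bits))
    print("outsider search on salted:", outsider_search(padded, demo_bits))
    print("work, unsalted 24/64     :", outsider_work(False))
    print("work, salted 24/64       :", outsider_work(True))
```

With the salt in place the receiver's check still passes, while an observer's cheapest option goes back to searching the full session key.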
From jya at pipeline.com Wed Jan 24 20:07:12 1996 From: jya at pipeline.com (John Young) Date: Thu, 25 Jan 1996 12:07:12 +0800 Subject: Crypto Exports, Europe, and Conspiracy Theories Message-ID: <199601250016.TAA16471@pipe3.nyc.pipeline.com> Responding to msg by tcmay at got.net (Timothy C. May) on Wed, 24 Jan 4:59 PM A welcome inquiry, Tim. Is it not likely that the best crypto in many of the countries is kept off the market in the national interest, cloaked in the greatest secrecy like other crucial weapons of survival? Especially to defend it from NSA-like predators. Was this not the practice in the US before public key genie escaped? And is surely still the case for the very best US crypto -- not that which can be readily purchased or purloined. The market, and PGP, are probably condoned as a cloak for the best, in the US and elsewhere. Or bait. Or traps. From jimbell at pacifier.com Wed Jan 24 20:31:48 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 25 Jan 1996 12:31:48 +0800 Subject: SS Obergruppenfuhrer Zimmermann (NOT!) Message-ID: At 04:21 PM 1/23/96 -0800, Simon Spero wrote: >On Tue, 23 Jan 1996, Perry E. Metzger wrote: > >> Alan Horowitz writes: >>>[...] >> Okay. I think I understand. You're a fruitcake. Easy enough. > >The official pastry of the 1996 Cypherpunks. > >One might note that Zimmerman isn't, er, a common name for yer typical >Neo-Nazi... This sort of accusation is sufficient grounds for libel in >the UK (such accusations have been found to be defamatory, and would >almost certainly be settled within a few days. > >Of course Phil (Hallam Baker) has more experience with this sort of >thing... >Simon Maybe this is common knowledge, but the name "Zimmermann" and crypto had another relationship, in World War I. If anybody knows more about this incident than my vague recollection of the famous "Zimmermann cipher" would you care to tell the story? 
From prz at acm.org Wed Jan 24 20:37:34 1996 From: prz at acm.org (Philip Zimmermann) Date: Thu, 25 Jan 1996 12:37:34 +0800 Subject: "PRZ a nazi" to be retracted Message-ID: <199601240458.EAA28033@maalox> The Sunday Telegraph of London printed a story last Sunday about neo-nazis using PGP to encrypt their communications. The story said that PGP was devised by an American neo-nazi sympathizer. As the creator of PGP, and a human rights activist, I was outraged by such a defamation from a major newspaper. I called my lawyer Phil Dubois, who seemed to look forward to having some fun with this newspaper. Not wanting to wait around till the morning, and slow lawyers, I called Robin Gedye, the reporter in Bonn who wrote the story, at 7am Monday morning Bonn time, and woke him up at home. I introduced myself and told him how I felt about it. He had never heard of me, the Clipper chip, the controversies of cryptography, and knew nothing about PGP outside of the couple of sentences in his story that mentioned PGP. He said it wasn't really so bad, because he didn't specifically identify me by name. One can imagine the effectiveness of that excuse with me. I then went into some detail with him to bring him up to speed. I also called his editor in London, who also had never heard of me or PGP. After some checking, they discovered that the Daily Telegraph, a related newspaper, had run an article about my case just a week before. They also found about 20 recent articles on me in the UK press. The editor said that my story "checks out". It was good to know that they now believed that I was not a neo-nazi after all. Anyway, Mr. Gedye says that the Sunday Telegraph will print a retraction next Sunday. Not just a little retraction, but a whole article on the subject, written by Mr. Gedye himself. I'm glad to see that this probably means that he will dig into the subject more, in order to write such an article. 
I guess this means maybe I'll find some other things to occupy Phil Dubois's time. -Philip Zimmermann 23 Jan 96 From warlord at MIT.EDU Wed Jan 24 20:43:27 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Thu, 25 Jan 1996 12:43:27 +0800 Subject: (JOKE) Re: Crippled Notes export encryption In-Reply-To: <4e6j28$g49@calum.csclub.uwaterloo.ca> Message-ID: <199601250158.UAA10951@toxicwaste.media.mit.edu> So does that mean that it is legal to ship PGP out of the US by shooting a diskette in a rocket??? It's launching the munition, no? Therefore by sentence (6) it should be allowed. ;) -derek From rsalz at osf.org Wed Jan 24 20:57:45 1996 From: rsalz at osf.org (Rich Salz) Date: Thu, 25 Jan 1996 12:57:45 +0800 Subject: NSA advanced knowledge Message-ID: <9601250034.AA12539@sulphur.osf.org> Is there any indication that the NSA knew about public-key before it entered the open literature? From jsw at netscape.com Wed Jan 24 21:15:05 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Thu, 25 Jan 1996 13:15:05 +0800 Subject: Crippled Notes export encryption In-Reply-To: Message-ID: <310612A1.69E7@netscape.com> -- Timothy C. May wrote: > > At 9:29 AM 1/24/96, Jeff Weinstein wrote: > > > I suspect that to get around the US government in this way we > >would have to develop the entire product outside of the US. That > >would be a very drastic move that is not likely to happen any > >time soon. We are going to invest some money and effort into > >trying to get the current restrictions lifted first. > > For what it's worth, this is what I've heard several knowledgeable lawyers > say is the case, that merely sending the crypto experts abroad is no > solution, that the entire product (or some large fraction of it) must be > foreign-originated. > > The usual issue: That if a foreign-originated product even appears to be a > standard (so far, none have been), and includes strong crypto, then the NSA > and other agencies will simply change the rules. 
Thus, if extremely strong > crypto from "Netscape-Zurich" starts to have a significant market presense > in the U.S., then some law will be passed to restrict it. Another problem is that the government may consider any "help" provided to the foreign entity to be evidence of a conspiracy. When Eric Young released SSLEAY we got a call from someone in the State Department (probably some lackey paid for by the NSA) to find out if we provided him with any "help" in doing his implementation. Since he did it all on his own from the published spec and was able to test interoperability over the internet we were off the hook, but they seemed to be prepared to come down on us if we had "conspired" with him. --Jeff Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From jsw at netscape.com Wed Jan 24 21:31:14 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Thu, 25 Jan 1996 13:31:14 +0800 Subject: Crippled Notes export encryption In-Reply-To: <199601242303.SAA14589@amsterdam.lcs.mit.edu> Message-ID: <3106E47B.1CAB@netscape.com> David Mazieres wrote: > > In article <3105FBFC.4DC9 at netscape.com> Jeff Weinstein writes: > > The other way would be to export a binary with pluggable crypto, > > which is generally agreed to be regulated by the ITAR in the same > > way as software that actually contains crypto. > > How did kerberos avoid this? The "bones" distribution of kerberos > without crypto was not regulated by ITAR, right? As others have noted, they removed the calls to the crypto code. I don't think that the TLAs are concerned about people at foreign universities using kerberos. They are much more worried about mass market products. 
If we did the same thing as was done for kerberos, then exported the code to a foreign subsidiary, I believe that the government would try to make a case against us that we had participated in a conspiracy to circumvent the export restrictions. The government continues to use FUD to impose de facto restrictions on what we can do. When they decided not to prosecute PRZ they did not clarify and said that they may decide at any time to go after someone else. They continue to try to wiggle out of stating a clear, firm policy. I think that our current efforts should be geared towards pinning them down, then once we have specific restrictions we can attack them. The Phil Karn case is important because it will help to clarify the ITAR restrictions. Even Raph's RSA T-shirt CJR may help to clarify the restrictions into something that we can really fight. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From Ulf_Moeller at public.uni-hamburg.de Wed Jan 24 21:44:21 1996 From: Ulf_Moeller at public.uni-hamburg.de (Ulf Moeller) Date: Thu, 25 Jan 1996 13:44:21 +0800 Subject: Crippled Notes export encryption In-Reply-To: <3105FBFC.4DC9@netscape.com> Message-ID: > I can see two practical ways to build a netscape product outside >the US. The first is to export the source code for the Navigator >with the crypto code removed. All of the calls to crypto would >have to be removed as well. I've heard some people claim that the >government could come after us on the grounds that we were taking >part in a conspiracy to export strong crypto. If you properly apply for a license to export the source code (explaining that the source code licensee might add the features that he feels are appropriate), is it still a conspiracy?
From warlord at MIT.EDU Wed Jan 24 21:47:25 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Thu, 25 Jan 1996 13:47:25 +0800 Subject: Crippled Notes export encryption In-Reply-To: <199601242346.SAA14838@amsterdam.lcs.mit.edu> Message-ID: <199601250034.TAA09745@toxicwaste.media.mit.edu> > So where exactly do they draw the line? You can still construct your > software in such a way that there is a clean boundary between the > crypto stuff and the rest. The line is drawn, AFAIK, at the actual crypto routines. You cannot export the crypto routines, and the functions that call the crypto routines. > For example, could you have an application with a function: > > authenticate_user (int file_descriptor) > > which in the exportable version sends a password, and in the domestic > version constructs some sort of authenticator? Yes. In fact, this is what Bones did. > Could you have an xdr-like function which on in an exportable version > just does argument marshaling and in a domestic version also encrypts? Yes. However the exported code cannot have the encryption hooks in the code. > How exactly are crypto-hooks defined? This restriction seems orders > of magnitude more bogus than even the ban on exporting actual > encryption. Very vaguely. If I have a function that does something like this: authenticate (args) { ... des_encrypt (); ... } I would have to remove the des_encrypt() call from the authenticate() routine before it can be exported... -derek From alano at teleport.com Wed Jan 24 21:54:45 1996 From: alano at teleport.com (Alan Olsen) Date: Thu, 25 Jan 1996 13:54:45 +0800 Subject: Signing nyms' keys (Was: Report on Portland Cpunks...) Message-ID: <2.2.32.19960125024933.008d5c4c@mail.teleport.com> At 05:12 PM 1/24/96 -0800, Bruce Baugh wrote: >At 01:42 PM 1/24/96 PST, janzen at idacom.hp.com wrote: > >>Furthermore, by signing a nym's key you place yourself at risk. 
If you >sign the nym's key with your own key -- or sign using the key of your >own nym, and that nym is subsequently "outed" -- then anyone wishing to >find the individual(s) behind any nym whose key you've signed can >attempt to coerce you into revealing this information, since you have >claimed to know it. > >This is the real problem, one which doesn't (to me) have a ready solution. >If others can demonstrate that there [is|is not] some fairly straightforward >way around it, I'd be happy to read it. This is a problem with the web of trust in general. It is known as "Guilt by Association". Person X commits treasonable act A. All of the persons who are signed on to his key could be considered to be co-conspirators. The same applies to nyms. The difficulty with prosecuting nyms is finding the link to the real world individual. Anyone associated with him/her/it will be considered to be guilty by reason of key signage or a way of determining who the real person is... The only way I see getting around this is only signing nyms with nyms or having some sort of zero knowledge proof on a key signing authority. Something where you can issue some sort of proof to the signing authority that you are who you say you are without giving any information about your "real" identity. I know of no foolproof way of doing this... I guess we are stuck with the "Web of Guilt"... Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "Is the operating system half NT or half full?" From fair at clock.org Wed Jan 24 21:54:51 1996 From: fair at clock.org (Erik E.
Fair (Time Keeper)) Date: Thu, 25 Jan 1996 13:54:51 +0800 Subject: another thought about random numbers Message-ID: While musing over a roulette table, and noticing the preponderance of electronic games in the various Casinos in Stateline, NV, a thought occurred: does anyone know what sorts of random number generators those electronic games use, and how (if at all) they are measured and regulated by the Nevada Gaming Commission? They might have something to teach us. Erik Fair From rsalz at osf.org Wed Jan 24 22:02:02 1996 From: rsalz at osf.org (Rich Salz) Date: Thu, 25 Jan 1996 14:02:02 +0800 Subject: Crippled Notes export encryption Message-ID: <9601250304.AA13006@sulphur.osf.org> >If you properly apply for a license to export the source code >(explaining that the source code licensee might add the features >that he feels are appropriate), is it still a conspiracy? No it's not a conspiracy. But they will not normally allow you to export such source. /r$ From Kevin.L.Prigge-2 at cis.umn.edu Wed Jan 24 22:09:12 1996 From: Kevin.L.Prigge-2 at cis.umn.edu (Kevin L Prigge) Date: Thu, 25 Jan 1996 14:09:12 +0800 Subject: NSA advanced knowledge In-Reply-To: <9601250034.AA12539@sulphur.osf.org> Message-ID: <3106f4fd4bdc002@noc.cis.umn.edu> A non-text attachment was scrubbed... Name: not available Type: application/pgp Size: 14 bytes Desc: not available URL: From paul.elliott at hrnowl.lonestar.org Wed Jan 24 22:10:56 1996 From: paul.elliott at hrnowl.lonestar.org (Paul Elliott) Date: Thu, 25 Jan 1996 14:10:56 +0800 Subject: Hack Lotus? Message-ID: <3106df37.flight@flight.hrnowl.lonestar.org> I have no doubt that enterprising hackers will be able to hack the international version of lotus Notes to make it as secure as the domestic version. It is probably just a matter of NOPing some code. The real problem is the 64 bit key in the domestic version. This conforms to the NIST "standard" for an exportable system.
In other words to allow the international people to have almost non-existent 40 bit security, they have limited domestic users to 64 bit security. The 64 bits keys must be breakable at least in some sense or the limitation would not be in the NIST "standard". The 64 bit keys are probably allocated in structures and stack allocations, so the hacking past the 64 bit limitation will probably be extremely difficult and error prone! (To increase the size of data in a structure or data on the stack means moving all the data beyond it. This means increasing the memory allocated and changing all references to data beyond the data whose size is increased.) To do this in a patch, may be difficult. In any case, I do not trust the code of any large company if I do not have the source code. Big companies are too subject to pressure. What we really need is a hack to completely substitute our own external code such as PGP! -- Paul Elliott Telephone: 1-713-781-4543 Paul.Elliott at hrnowl.lonestar.org Address: 3987 South Gessner #224 Houston Texas 77063 From pete at stc.com Wed Jan 24 22:16:07 1996 From: pete at stc.com (Pete Wenzel) Date: Thu, 25 Jan 1996 14:16:07 +0800 Subject: Associating Local Port Number to PID In-Reply-To: Message-ID: <4e6t2t$h2f@loki.stc.com> "Karl A. Siil" writes: > I'm working on a program for UNIX (SVR4, Solaris 2.4) systems that needs to > associate PID with local TCP/IP port number, so as to pass session keys > accordingly to already running processes. This sounds like such an obviously > needed association that someone must have done it already. Take a look at how implementations of identd (RFC 1413) do it.
This daemon associates a TCP port with its UID, but I'm sure the PID is very close by in the netstat data structures. It might actually find the PID first, then look up its owner's UID. Anyway, look at the pidentd stuff at ftp://ftp.lysator.liu.se/pub/ident/. --Pete ======= Pete Wenzel === Senior Member, Technical Staff and DNRC ======= == Software Technologies Corp., P. O. Box 661090, Arcadia, CA 91066 == == Phone: 818-445-7000 x311 = http://www.stc.com = FAX: 818-447-0879 == http://PGP.ai.mit.edu/htbin/pks-extract-key.pl?op=get&search=pete at stc.com From lead at zifi.genetics.utah.edu Wed Jan 24 22:31:17 1996 From: lead at zifi.genetics.utah.edu (lead remailer) Date: Thu, 25 Jan 1996 14:31:17 +0800 Subject: ANNOUNCE: NEW MIXMASTER REMAILER Message-ID: <199601250341.UAA01330@zifi.genetics.utah.edu> Hello all, I am pleased to announce a new mixmaster remailer. This remailer was compiled and installed primarily using the mix-installer script available from Adam Shostack. To get the script, send a message to adam at lighthouse.homeport.org with Subject: get mix-installer. 
Here is the relevant info: address: mix at zifi.genetics.utah.edu long name: lead remailer short name: lead for your type2.list file: lead mix at zifi.genetics.utah.edu a76c3fda7294a6695c5e6a931d1c0b73 2.0.3 Here is the public key for lead remailer: Here is the mix-help file: From: mix at zifi.genetics.utah.edu (Mixmaster remailer at zifi) Subject: Instructions for using anonymous remailer This message is being sent to you automatically in response to the message you sent to mix at zifi.genetics.utah.edu with subject "remailer-help". This is a Mixmaster remailer. It provides an extremely high level of security. To use it, you must have a client program to produce the messages. This software is available from ftp://flame.alias.net:/pub/replay/pub/remailer Read the README file for instructions. Some information can be sent to you by the remailer by including the following commands (one per message) in the subject line of mail to the remailer. remailer-help This file. remailer-stats Usage statistics for the last 24 hours. remailer-key The mixmaster key file for this remailer. This section of the helpfile is blatantly plagiarized from the mixmaster faq located at: http://www.obscura.com/~loki/remailer/mixmaster-faq.html. --- What is Mixmaster? Mixmaster is a new class of anonymous remailers. Inspired by the existing "cypherpunk" remailers and discussions on the Cypherpunk mailing list.
Mixmaster is the next generation in the evolution of remailer technology. What is an anonymous remailer? Quoting from Andre Bacard's remailer FAQ: An anonymous remailer (also called an "anonymous server") is a free computer service that privatizes your e-mail. A remailer allows you to send electronic mail to a Usenet news group or to a person without the recipient knowing your name or your e-mail address. What do I need to use Mixmaster remailers? Unlike other remailers, you can't just make your own message and send it to the remailer. Mixmaster's security comes in part from using a special message format. The disadvantage of this is that you need a special program to make the message for you. Once you have that program (the client) remailing is as easy as running the program, and telling it which remailers you want to use. How do I get the Mixmaster client software? There are two sites for distribution. First, is ftp to obscura.com and read /pub/remail/README.no-export. The other is by anonymous ftp to jpunix.com. You will have to follow the instructions there to get Mixmaster. Because Mixmaster contains cryptography, it may not be exported from the U.S and Canada. The reason for the circuitous route to download Mixmaster is to show my good faith efforts to keep Mixmaster from being exported. I have heard rumors that someone has already broken this law, and that Mixmaster is available from Europe. I do not approve of this and will not support that site. Does Mixmaster use PGP? No, Mixmaster uses the rsaref package from RSA. Mixmaster uses its own keys and key file formats. To add a key to a key ring, simply append the key to your key file using your favorite text editor. Can mix at zifi.genetics.utah.edu post to News? No. News posting is not supported at this time. 
Abuse Policy: I consider the following to be inappropriate use of this anonymous remailer, and will take steps to prevent anyone from doing any of the following: - Sending messages intended primarily to be harassing or annoying. - Use of the remailer for any illegal purpose. If you don't want to receive anonymous mail, send me a message, and I will add your email address to the block list. From tcmay at got.net Wed Jan 24 22:31:30 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 25 Jan 1996 14:31:30 +0800 Subject: NSA advanced knowledge Message-ID: At 12:34 AM 1/25/96, Rich Salz wrote: >Is there any indication that the NSA knew about public-key before >it entered the open literature? I've asked Whit Diffie about this issue more than once. He, too, is very interested in the real answer to this. In the Gus Simmons book, there are cryptic (sorry) references to what the NSA may have known. And certainly Don Coppersmith was no slouch, having been a Putnam winner in the early 70s (I was invited to take the Putnam about that time, and was so overwhelmed and unprepared--especially being that I was studying physics then--that I just gave up and left the room!). On the other hand, the comments are sufficiently elliptical that it may just be the NSA putting the best face on an embarrassing development. At Crypto '88, I put this question to NSA cryptographer Brian Snow. He just played the Cheshire cat. Which told me nothing. A friend of mine who was an active amateur cryptographer in the 1970s pointed out to me--much later--that there were NSA boxes used on ships and similar remote outposts which appeared to have no provision for providing keying material, suggesting a sealed-box public-key system. He was just speculating, of course. Here's to hoping the Bamford-Madsen 2nd edition sheds more light on this subject. I can't say I'll be surprised to learn that NSA was as surprised as the rest of us. --Tim Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From beavis at bioanalytical.com Wed Jan 24 22:33:22 1996 From: beavis at bioanalytical.com (Beavis B. Thoopit) Date: Thu, 25 Jan 1996 14:33:22 +0800 Subject: Free speech and written rights. In-Reply-To: <199601241624.IAA23975@mailx.best.com> Message-ID: <199601250346.WAA00955@bioanalytical.com> > James Donald said... > In my judgement, America is reasonably free despite having a bill of rights, > rather than because of a bill of rights. This is a point that is difficult to get across to people, but is indeed important and applicable to rampant law-passing today. I explain to people that _before_ the Bill of Rights, the Constitution of the United States placed the federal government in a very small box. The rights of people were not discussed; this was a document to limit government, not legislate rights. The rights of people are preassumed. The Bill of Rights "undid" this a little (lot) by putting the peoples' rights into a box (maybe a somewhat roomy box, but a box none-the-less). Thus we get ridiculous statements like, "The Constitution does not grant you the right to..." (Rights of people are preassumed ("endowed").) We ought all be saying, "The Constitution does not grant federal gov't the power to..." The "Creator" grants rights; the Constitution limits federal government. Another analogy draws on computer science (mathematics). In computer science an "enumerated type" is much more restrictive than an unbounded data type.
Consider the Bill of Rights an attempt to enumerate the rights of people. From EALLENSMITH at ocelot.Rutgers.EDU Wed Jan 24 22:34:14 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Thu, 25 Jan 1996 14:34:14 +0800 Subject: Several Edupage mentions Message-ID: <01I0ELTY7MXGA0UN4F@mbcl.rutgers.edu> The first is nice, given the vulnerability of international services to pressure from one country. The second could be a problem. The third shows, like the ITAR, that sometimes one government department can have a lot more sense than the others. Possibly Commerce is benefiting from private sector contacts? -Allen From: Educom ***************************************************************** Edupage, 18 January 1996. Edupage, a summary of news items on information technology, is provided three times each week as a service by Educom, a Washington, D.C.-based consortium of leading colleges and universities seeking to transform education through the use of information technology. ***************************************************************** EXODUS FROM COMMERCIAL SERVICES? Commercial online services are having a difficult time keeping customers and differentiating themselves, as more savvy computer users switch over to small Internet access providers. "Most everything I find on the online services, I can find using an Internet service provider," says one customer who's made the switch. "For me, the need for an online service is diminishing." "AOL is like the Internet on training wheels," says another, who feels he's "graduated." In tandem with subscriber defection is the problem of content providers who increasingly are setting up their own shops on the Web, bypassing the commercial services altogether. The popularity of the Web "turns the model of the online services industry upside down," says Scott Kurnit, the former No. 2 executive at Prodigy, who's now running an Internet service for MCI and News Corp. 
While the number of commercial service subscribers has grown to about 12.5 million over the past decade (doubling in the past year), the number of World Wide Web users increased eight-fold, to eight-million, in just the past year, according to International Data Corp. (Wall Street Journal 18 Jan 96 A6) ONE IS ENOUGH The number of people subscribing to more than one online service has dropped significantly since 1991 when almost a third of online users carried multiple subscriptions. Now, 97% report they can do everything they need to using a single service. (Business Week 22 Jan 96 p8) [...] CROSS-BORDER CULTURE WAR LOOMS Canada's federal regulator is in Washington trying to persuade a skeptical U.S. government that Canadian efforts to black out American TV signals that contravene standards on violence and nudity do not violate NAFTA. U.S. Trade Representative Mickey Kantor has warned Canadian Trade Minister Roy MacLaren that the U.S. government, while supporting the development of a V-chip to allow parental control, will react negatively if Ottawa takes wholesale action to block American programming from distribution through Canadian cable systems. (Toronto Financial Post 18 Jan 96 p5) Meanwhile, Power DirecTV says the explosive growth of satellite TV piracy and the flood of American direct-to-home dishes into Canada is threatening to wipe out Canadian broadcasting. The company urged the Canadian government to create rules that aid new Canadian DTH companies and to enforce laws that prohibit the import of American dishes into Canada. (Toronto Star 17 Jan 96 B3) [...] *************************************************************** [...] EDUPAGE is what you've just finished reading. (Please note that it's "Edupage" and not "EduPage.") To subscribe to Edupage: send a message to: listproc at educom.unc.edu and in the body of the message type: subscribe edupage Jane Austen (assuming that your name is Jane Austen; if it's not, substitute your own name). ... 
To cancel, send a message to: listproc at educom.unc.edu and in the body of the message type: unsubscribe edupage. (Subscription problems? Send mail to educom at educom.unc.edu.) [...] ARCHIVES & TRANSLATIONS. For archive copies of Edupage or Update, ftp or gopher to educom.edu or see URL: < http://www.educom.edu/>. For the French edition of Edupage, send mail to edupage-fr at ijs.com with the subject "subscribe"; or see < http://www.ijs.com >. For the German edition, an e-mail to infomat at stern.de with the subject or text line "STERN Online Edupage" is enough. For the Hebrew edition, send mail to listserv at kinetica.co.il containing : SUBSCRIBE Leketnet-Word6 or see < http://www.kinetica.co.il/newsletters/leketnet/ >. For the Hungarian edition, send mail to subs.edupage at hungary.com. For the Italian edition : < http://dbweb.agora.stm.it/webforum/infotech > or send mail to: b.parrella at agora.stm.it for info. For the Portuguese edition, contact edunews at nc-rj.rnp.br with the message SUB EDUPAGE-P Seu Primeiro Nome Seu Sobrenome. For the Spanish edition, send mail to edunews at nc-rj.rnp.br with the message SUB EDUPAGE-E Su Primer Nombre, Su Apellido. From master at internexus.net Wed Jan 24 22:38:06 1996 From: master at internexus.net (Laszlo Vecsey) Date: Thu, 25 Jan 1996 14:38:06 +0800 Subject: Export Regulations Message-ID: What if you encrypt the encrypted software and put it on a server, and then have the key to it printed out on paper... you take the key with you to another country and fetch the 'incomplete' software through the net. It only becomes useful data once you apply your legally obtained key. I guess this would be the same as putting the software on a private ftp site though, where only you would know the password.
From rah at shipwright.com Wed Jan 24 22:38:14 1996 From: rah at shipwright.com (Robert Hettinga) Date: Thu, 25 Jan 1996 14:38:14 +0800 Subject: Crippled Notes export encryption Message-ID: > The problem is that the government refuses to publish the rules. >They make people ask for approval for every piece of code that is >exported. This gives them lots of wiggle room so that they can keep >changing the rules in the face of technical, legal, or political >innovation. In the legal trade, this is what's called an unpromulgated (secret) law. It's a no-no in the philosophy of law, but a nation state can do whatever it wants and still call it "legal". At least our esteemed congress doesn't do retroactive legislation, like the 1KY reich did. Well, we only do tax hikes that way, anyway. We had a revolution to stop crap like in 1776, but we resurrected unpromulgated laws with the advent of the ICC at the end of the last century, and the IRS at the beginning of this one. It's encouraging to note that the ICC has finally been "sunset". Too bad we can't do the same for the IRS, and maybe even State Department. Maybe in some future world of instant full-sensorium telepresence, encrypted, of course... ;-). Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/ From froomkin at law.miami.edu Wed Jan 24 22:40:16 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Thu, 25 Jan 1996 14:40:16 +0800 Subject: Crypto Exports, Europe, and Conspiracy Theories In-Reply-To: Message-ID: On Wed, 24 Jan 1996, Timothy C. May wrote: [...] > > Specifically, I believe--though obviously cannot prove, given the nature of > time--that a cryptographically strong version of Netscape developed outside > the borders of the U.S. would not be freely importable into the U.S. I Nope. Nope. Nope. Nope. 
Donuts to dollars that it's freely importable. Now, whether you could freely use it becomes another version of the "could they ban strong crypto for domestic use" issue. I don't think so. Why? See my articles on my homepage, www.law.miami.edu/~froomkin I also (to pick on Tim's excellent "you got to think like them" thread) don't really see why they need to expend massive energies fighting this battle once it looks lost (I do see why they would want to fight and have fought delaying actions; every delay is a win in that mindset). A cryptographically strong browser isn't such a threat to policy, except that you get more encrypted traffic messing up traffic analysis, and that's happening gradually anyway. Not to mention that traffic volumes going up must strain some capacity somewhere. No, the real threats to LEAs/traditional ways of doing things are more likely to be anonymity and anonymous cash. And these are things that may well be within the power of governments to at least make difficult if not eliminate for some time. "Chokepoints" is indeed the key word here, with banks and remailer operators as chokees. If you are a government strategist, you might think, Why not make people strictly liable for, e.g., any crimes planned with their remailers? And make ISPs strictly liable for crimes planned or executed on their systems? Those things stand more chance of being upheld than a ban on domestic use of strong crypto, whether foreign or domestic coded. I won't go so far as to say "would be upheld" but it's much easier for me to imagine than a ban on importing or using strong crypto. I'm going to expand on this in the next draft of my "oceans" paper; the draft currently on the web page does not really do these issues much justice. > don't know what form such a law would take, to answer the point raised in > another post by Peter Junger.
Nor am I saying either State or NSA passes > the laws...the ITARs have worked largely because they have never been > challenged; if they were to be successfully challenged and stricken, as > even some folks inside the NSA think is likely if tested in a proper case, > then a Four Horseman-scared Congress will likely step in with some > restrictions. [...] OK, Tim, what am I missing? How will Enhanced-crypto-Netscape match remailers for their ability to keep TLAs up at night? A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here. From mpd at netcom.com Wed Jan 24 22:51:40 1996 From: mpd at netcom.com (Mike Duvos) Date: Thu, 25 Jan 1996 14:51:40 +0800 Subject: V-chip? In-Reply-To: Message-ID: <199601250433.UAA12187@netcom19.netcom.com> oO F145C0 Oo writes: > Apparently the US government is planning on starting up its > V-chip program again, which will allow public/cable TV to be > censored at will. What does everyone think about this ploy? > And what's next? Chips in my radio, to prevent music, or a > chip in my phone to make sure I don't call anyone bad? The > V-chip is just as much a privacy/1st amendment violation as > the clipper chip is/was. I believe the worst part of the > V-chip plan, is to force all new TV's manufactured or > imported to the US, to have this new chip. Could this chip > even be part of a Chinese lottery? As I understand it, the basic concept behind the V-Chip is to allow selective blocking of material a particular viewer might find offensive based on content information transmitted along with the program. As long as the program material itself is transmitted unaltered, and there are multiple non-governmental providers of content descriptions catering to the spectrum of human likes and dislikes, this sounds like ideal Cypherpunk technology.
Concerned Parent can set the V-Chip to read from the Children's Television Workshop content service, available for a small monthly fee, and be certain that graphic violence and sex are pixelated on screen, and that bleep words that the child might practice in front of Grandma are garbled. Mr. Islamic Fanatic can filter out all blasphemy against Allah and his one and only prophet, pork commercials, and women showing more than 100 square centimeters of exposed epidermis. Uncle Ernie can program his set to beep loudly when shots of nude adolescent boys are about to appear in foreign films. Everyone has a filter which they can tune for their own viewing and listening enjoyment, and a free market system of content description services will cater to every conceivable taste. What are the dangers of this new technology? First, the government might want only one description of content, which it controls. My notion of what is offensive probably differs greatly from that of Jesse Helms, for instance. Second, once content descriptions become available, they might be used to control content at the transmission end, not the viewing end. Congress could mandate that the same information that Uncle Ernie uses to alert himself to "interesting" scenes, be used at the transmitting end to pixelate the same material. V-Chips for consumer products are our friend. V-Chips for broadcasters and publishers are not. It should be noted that the V-Chip is currently vaporware, and exists only in the minds of politicians. There probably will never be an actual "V-Chip", just a little additional software in our already heavily computerized televisions, radios, and personal computers. One desirable side effect of the V-Chip. It will probably have the effect of extinguishing hysterical reactions to nudity, sex, bleep words, and special effects violence, by allowing people to gradually increase what they are exposed to as they become tolerant of it. Sort of the opposite of aversion therapy. 
Perhaps in the distant future, the population will wonder what the thing was ever used for, and why anyone bothered to develop it. Just a few random thoughts... -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From die at pig.die.com Wed Jan 24 22:53:48 1996 From: die at pig.die.com (Dave Emery) Date: Thu, 25 Jan 1996 14:53:48 +0800 Subject: German home banking (fromn RISKS) In-Reply-To: <199601250030.TAA15203@amsterdam.lcs.mit.edu> Message-ID: <9601250411.AA16294@pig.die.com> > > Was the person in the basement eavesdropping or actually performing a > man-in-the-middle attack? > Very much the easiest way of doing this is a classic man in the middle attack with two vanilla off the shelf modems and a vanilla off the shelf central office simulator. The modems would be tied more or less back to back through two serial ports and software on a laptop in the basement, one modem connected to the actual phone line to the central office and the other connected to the local wires to the target's home through the central office simulator. This way all traffic in both directions would go through the modems and software on the laptop allowing the connection to be taken over cleanly between packets, and packets to be injected and deleted as needed. I believe that it would not be hard to make such a MITM decode the DTMF dialing from the target and dial the same number on its outgoing modem thus enabling the MITM to passively relay modem calls it wasn't interested in spoofing. And incoming modem calls could be similarly handled.
While I might hasten to add that my interest is entirely academic and I've never tried configuring such a thing, I'm quite sure that standard off the shelf consumer modems and cheap and widely available central office simulators could be configured to set up such a MITM without requiring any special hardware, hardware modifications, or modified modem firmware, or special programming expertise beyond that required to operate modems through a serial port. And obviously the cost of such a thing might well be kept under $1000 and perhaps under $500 compared to the multiple tens or hundreds of thousands that the specialized modem and protocol analyzer test equipment that can do this sort of thing costs. A slightly more realistic version with a sound card and some simple coupling transformers available at Radio Shack (or free from an old junk modem) would allow full simulation/cutover of the call progress tones and wrong number announcements and so forth and might make such a device rather difficult to detect for a casual non technical modem user. While this is not 100% off the shelf hardware, the technical skills required are rather low. > Don't high speed modems transmit and receive on the same frequencies, > using echo cancelation to decode the receive signals? Does that make > it impossible to eavesdrop on high-speed (i.e. V32bis) modems? That has been widely reported. In fact given a four wire (directional) tap this is probably not true in many cases, in that the inherent directionality (echo return loss) of the line gives enough separation between the data going in one direction and the data going in the other for successful separation. This is further enhanced by the generally true fact that the line is idle in at least one direction for most of the time, and the pattern of data transmitted on an idle line under LAPM is predictable and can be subtracted out even if the actual SNR is not good enough to reliably demodulate it.
As far as I know, the firmware to allow passive monitoring of V.32 and V.34 data is not part of any standard modem firmware, but many modems can passively monitor the lower speed transmissions. > > David > Dave Emery die at die.com From stephen_albert at alpha.c2.org Wed Jan 24 22:59:13 1996 From: stephen_albert at alpha.c2.org (Stephen Albert) Date: Thu, 25 Jan 1996 14:59:13 +0800 Subject: Netscape and NNTP Message-ID: <199601250438.UAA26778@infinity.c2.org> I've got a question that I feel like I *should* know the answer to, but don't. Say I configure Netscape to point through an open http proxy, and then connect to an open NNTP server. I don't know much about how proxies work. Does the NNTP connection go through the proxy or directly from my machine? As I understand it if it does the first, then I don't have to worry about the NNTP server's log file, if any. But if it does the second, I do. Am I in the ballpark here? ObCrypto: Not-readily-traceable posting with less hassle than a mail-to-news gateway seems to have some privacy relevance, even if it's not directly crypto.
Stephen "To NNTP Serve Man" Albert stephen_albert at alpha.c2.org <*> PGP key on request and on servers From jsw at netscape.com Wed Jan 24 23:40:18 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Thu, 25 Jan 1996 15:40:18 +0800 Subject: Netscape & open NNTP servers In-Reply-To: <199601250101.RAA01312@infinity.c2.org> Message-ID: <310713C3.4CE5@netscape.com> Stephen Albert wrote: > I've got a question that I feel like I *should* know the answer to, but don't. > > Say I configure Netscape to point through an open http proxy, and then connect to > an open NNTP server. I don't know much about how proxies work. Does the NNTP > connection go through the proxy or directly from my machine? As I understand it > if it does the first, then I don't have to worry about the NNTP server's log > file, if any. But if it does the second, I do. I believe that it will use a SOCKS proxy if configured, but that NNTP will not use the HTTP proxy. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From jamesd at echeque.com Wed Jan 24 23:58:26 1996 From: jamesd at echeque.com (James A. Donald) Date: Thu, 25 Jan 1996 15:58:26 +0800 Subject: Why is blowfish so slow? Other fast algorithms? Message-ID: <199601250629.WAA16623@mailx.best.com> At 07:32 PM 1/23/96 -0500, David A Wagner wrote: >If you want authentication, you must use a crypto-strength MAC. >Encryption (be it RC4, DES, etc.)
is not enough. Not so: If the message is encrypted and checksummed with a simple not non cryptographic checksum, this gives you everything a MAC gives you, plus the message is secret. MACs are only useful in the strange and unusual case where you want authentication using a symmetric key, but you want to transmit in the clear. I cannot see any reason why anyone would ever wish to use a MAC except perhaps to obey government bans on encrypted messages. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From perry at piermont.com Thu Jan 25 00:22:16 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 25 Jan 1996 16:22:16 +0800 Subject: Why is blowfish so slow? Other fast algorithms? In-Reply-To: <199601250629.WAA16623@mailx.best.com> Message-ID: <199601250638.BAA14178@jekyll.piermont.com> "James A. Donald" writes: > At 07:32 PM 1/23/96 -0500, David A Wagner wrote: > > >If you want authentication, you must use a crypto-strength MAC. > >Encryption (be it RC4, DES, etc.) is not enough. > > Not so: If the message is encrypted and checksummed with a simple > not non cryptographic checksum, this gives you everything a MAC > gives you, plus the message is secret. Not so. There are unfortunate tricks that can be played here because some encryptions preserve properties of the underlying text (like parity) and some checksums can be manipulated because of the same. I've asked the crypto types for information on simplified faster MACs for use in authentication protocols for IPSEC and I have yet to get a straight answer, so for the moment I'm erring on the side of caution, too. Perry From koontz at MasPar.COM Thu Jan 25 00:46:20 1996 From: koontz at MasPar.COM (David G.
Koontz) Date: Thu, 25 Jan 1996 16:46:20 +0800 Subject: NSA advanced knowledge Message-ID: <9601250609.AA28967@argosy.MasPar.COM> received from John Young : > >Responding to msg by rsalz at osf.org (Rich Salz) on Wed, 24 Jan >7:34 PM >>Is there any indication that the NSA knew about >>public-key before it entered the open literature? > > > Fred B. Wrixon writes in "Codes and Ciphers," under the > "Public Key" entry: > > ... This Hellman-Diffie proposal was apparently > anticipated by a similar version developed by the > National Security Agency (NSA) a decade earlier. > (p. 164) > > No citation or elaboration is given for this claim. > > Wrixon's book is a simply written compendium: > > Codes and Ciphers: An A to Z of Covert Communication, > from the Clay Tablet to the Microdot. > Fred B. Wrixon > Prentice Hall, 1992. Paper $18.00 > ISBN 0-13-277047-4 It was originally called FIREFLY or somesuch thing. I may have some of the early papers. (The same ones leading to the statement in the book). This should predate the STU-II to STU-III transition. From shamrock at netcom.com Thu Jan 25 00:47:38 1996 From: shamrock at netcom.com (Lucky Green) Date: Thu, 25 Jan 1996 16:47:38 +0800 Subject: Crippled Notes export encryption Message-ID: At 18:01 1/24/96, Jeff Weinstein wrote: > I don't think that the TLAs are concerned about people at >foreign universities using kerberos. They are much more worried >about mass market products. If we did the same thing as was done >for kerberos, then exported the code to a foreign subsidiary, I >believe that the government would try to make a case against us >that we had participated in a conspiracy to circumvent the >export restrictions. I think the only reason why the NSA has been getting away with this garbage is because they convinced others that challenging the party line will destroy you. I also think that they are bluffing. It is time that some party with financial resources and public credibility makes a test case out of themselves. 
An educational institution would be suited best. Any takers? -- Lucky Green PGP encrypted mail preferred. From sameer at c2.org Thu Jan 25 00:53:43 1996 From: sameer at c2.org (sameer) Date: Thu, 25 Jan 1996 16:53:43 +0800 Subject: Crippled Notes export encryption In-Reply-To: <01BAEA7E.07613560@ploshin.tiac.net> Message-ID: <199601250611.WAA08100@infinity.c2.org> > example, CyberCash has a development office there. > "has a development office" is a bit of an understatement. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From shamrock at netcom.com Thu Jan 25 00:54:59 1996 From: shamrock at netcom.com (Lucky Green) Date: Thu, 25 Jan 1996 16:54:59 +0800 Subject: Crypto Exports, Europe, and Conspiracy Theories Message-ID: At 23:12 1/24/96, Michael Froomkin wrote: >If you are a government strategist, you might think, Why not make people >strictly liable for, e.g., any crimes planned with their remailers? And >make ISPs strictly liable for crimes panned or executed on their systems? No doubt in my mind that will happen within the next few years. Remember from past posts that remailers already are technically illegal in a few states, though the legislators probably didn't think of remailers, when they wrote the laws. A law making remailer operators responsible for their traffic will pass by a margin customary for similar bills in the past (>90%). Remailers in the US and most of Western Europe will be outlawed or shut down on their own once a few of their owners are held liable for some Four Horsemen traffic flowing through. It is precisely because remailers, and by extension future encrypted TCP redirectors, are a much greater danger to the statist than 128 bit Netscape will ever be. -- Lucky Green PGP encrypted mail preferred. 
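The disagreement earlier in this digest between James A. Donald and Perry E. Metzger (encryption plus a simple checksum versus a real MAC) can be checked directly. The following is an added example, not code from any poster: it assumes a toy SHA-256 counter-mode keystream standing in for RC4, CRC-32 as the "simple checksum" and HMAC-SHA256 as the MAC, and every name, key and message in it is constructed.

```python
import hashlib
import hmac
import zlib

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode), an assumed stand-in for RC4.
    As with any stream cipher, a key must never be reused across messages."""
    blocks = [hashlib.sha256(key + i.to_bytes(8, "big")).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "big")


def seal_checksum(key: bytes, msg: bytes) -> bytes:
    """Scheme A: stream-encrypt (message || CRC-32)."""
    plain = msg + crc(msg)
    return xor(plain, keystream(key, len(plain)))


def open_checksum(key: bytes, ct: bytes):
    plain = xor(ct, keystream(key, len(ct)))
    msg, tag = plain[:-4], plain[-4:]
    return msg if crc(msg) == tag else None


def seal_mac(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    """Scheme B: stream-encrypt, then HMAC-SHA256 over the ciphertext."""
    ct = xor(msg, keystream(enc_key, len(msg)))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_mac(enc_key: bytes, mac_key: bytes, blob: bytes):
    if len(blob) < TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # reject before decrypting anything
    return xor(ct, keystream(enc_key, len(ct)))


def transit_mask(msg_len: int, offset: int, old: bytes, new: bytes) -> bytes:
    """XOR mask modelling an in-transit change made without any key.

    A stream cipher passes XOR changes straight through to the plaintext,
    and CRC-32 is affine over XOR:
        crc(m ^ d) = crc(m) ^ crc(d) ^ crc(00...0)   (equal lengths)
    so the matching change to the encrypted checksum needs no secret.
    """
    if len(old) != len(new) or offset + len(old) > msg_len:
        raise ValueError("old/new must be equal length and fit in the message")
    delta = bytearray(msg_len)
    delta[offset:offset + len(old)] = xor(old, new)
    delta = bytes(delta)
    return delta + xor(crc(delta), crc(bytes(msg_len)))


def demo():
    msg = b"PAY 0100 TO ALICE"                    # constructed sample message
    enc_key, mac_key = b"demo-enc-key", b"demo-mac-key"  # constructed keys
    mask = transit_mask(len(msg), 4, b"0100", b"9900")

    # Scheme A: the modified ciphertext still passes the checksum test.
    a_result = open_checksum(enc_key, xor(seal_checksum(enc_key, msg), mask))

    # Scheme B: the same change to the ciphertext body fails HMAC verification.
    blob = seal_mac(enc_key, mac_key, msg)
    changed = xor(blob[:len(msg)], mask[:len(msg)]) + blob[len(msg):]
    b_result = open_mac(enc_key, mac_key, changed)
    return a_result, b_result


if __name__ == "__main__":
    print(demo())
```

The receiver of scheme A accepts a message the sender never wrote, while scheme B returns `None` for the same modification; this is the property Metzger's reply alludes to when he says some checksums can be manipulated.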

From jimbell at pacifier.com Thu Jan 25 01:27:00 1996
From: jimbell at pacifier.com (jim bell)
Date: Thu, 25 Jan 1996 17:27:00 +0800
Subject: Signing nyms' keys (Was: Report on Portland Cpunks...)
Message-ID:

At 06:49 PM 1/24/96 -0800, Alan Olsen wrote:
>Person X commits treasonable act A. All of the persons who are signed on to
>his key could be considered to be co-conspirators. The same applies to
>nyms. The difficulty with prosecuting nyms is finding the link to the real
>world individual. Anyone associated with him/her/it will be considered to
>be guilty by reason of key signage or a way of determining who the real
>person is...
>
>The only way I see getting around this is only signing nyms with nyms or
>having some sort of zero knowledge proof on a key signing authority.
>Something where you can issue some sort of proof to the signing authority
>that you are who you say you are without giving any information about your
>"real" identity. I know of no foolproof way of doing this...
>
>I guess we are stuck with the "Web of Guilt"...

Doesn't all this stuff give you a headache?

From perry at piermont.com Thu Jan 25 01:28:43 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Thu, 25 Jan 1996 17:28:43 +0800
Subject: NSA advanced knowledge
In-Reply-To: <9601250609.AA28967@argosy.MasPar.COM>
Message-ID: <199601250627.BAA14153@jekyll.piermont.com>

David G. Koontz writes:
> >
> > ... This Hellman-Diffie proposal was apparently
> > anticipated by a similar version developed by the
> > National Security Agency (NSA) a decade earlier.
> > (p. 164)
[...]
> It was originally called FIREFLY or somesuch thing. I may have some of
> the early papers. (The same ones leading to the statement in the book).
>
> This should predate the STU-II to STU-III transition.

I thought that FIREFLY was just the NSA's name for the STS variant that they use for STU-IIs and STU-IIIs.

Perry

From tnaggs at cddotdot.mikom.csir.co.za Thu Jan 25 01:29:32 1996
From: tnaggs at cddotdot.mikom.csir.co.za (Anthony Naggs)
Date: Thu, 25 Jan 1996 17:29:32 +0800
Subject: UK newspaper names Zimmermann a "neo-Nazi sympathiser"
In-Reply-To:
Message-ID:

Declan McCullagh kindly forwarded Mike Godwin's comments thusly:
>
> From: Mike Godwin
> Subject: Re: UK newspaper names Zimmermann a "neo-Nazi sympathiser"
> To: Declan McCullagh
> Date: Wed, 24 Jan 1996 18:13:11 -0800 (PST)
> Cc: fight-censorship+ at andrew.cmu.edu
>
>
> Zimmermann stands to recover a lot if he sues the Telegraph under British
> libel laws.
>
>
> --Mike
>
> [...]

Er no, in practice it is hard to pursue a libel case in the UK where the publication has responded immediately with a printed apology - especially if the apology is prominently placed. The mail catenated to Godwin's comments (from PRZ himself) indicates that the Sunday Telegraph will be publishing such an apology in their next edition.

An out of court settlement, apart from lawyers' costs, may yield a charitable donation but it certainly looks like PRZ will benefit from a sympathetic article which seems to me to be a pretty good result!

Cheers,
--
Anthony Naggs - Computer Security & Anti-Virus Engineer, CSIR, South Africa
Disclaimer: these are my personal views and opinions, and do not represent my employers; past, present or future.

From tcmay at got.net Thu Jan 25 01:29:34 1996
From: tcmay at got.net (Timothy C. May)
Date: Thu, 25 Jan 1996 17:29:34 +0800
Subject: V-chip?
Message-ID:

At 4:33 AM 1/25/96, Mike Duvos wrote:
>As I understand it, the basic concept behind the V-Chip is to
>allow selective blocking of material a particular viewer might
>find offensive based on content information transmitted along
>with the program.
As long as the program material itself is
>transmitted unaltered, and there are multiple non-governmental
>providers of content descriptions catering to the spectrum of
>human likes and dislikes, this sounds like ideal Cypherpunk
>technology.
>
>Concerned Parent can set the V-Chip to read from the Children's
>Television Workshop content service, available for a small
>monthly fee, and be certain that graphic violence and sex are
>pixelated on screen, and that bleep words that the child might
>practice in front of Grandma are garbled.
>
>Mr. Islamic Fanatic can filter out all blasphemy against Allah
>and his one and only prophet, pork commercials, and women showing

The V-chip described heretofore is considerably less nuanced than this, having only a few states (roughly corresponding to MPAA movie ratings). No switch settings to block Democrat programs, or Feminist programs, or Mormon programs. Just your basic "indecency," with "violence" as lagniappe.

And most Cypherpunks would tend to reject it because it is not voluntary (unless you think "so don't buy a television" is a viable voluntary choice). It will add to the cost of t.v.s and VCRs, and possibly interfere with the computer-based options to come.

And it's easily defeatable. For one thing, most households have multiple t.v.s or VCRs, any one of which without the V-chip will defeat the system. Also, it is likely that the households "most in need" of this chip--using the logic about unattended children watching violent programs while their parents are away--will be the least likely to buy the brand-new sets and VCRs that have this chip. (I would guess that most families will have existing sets and VCRs for at least the next decade or more.)

>What are the dangers of this new technology?
>
>First, the government might want only one description of content,
>which it controls. My notion of what is offensive probably
>differs greatly from that of Jesse Helms, for instance.

This is mostly the case.
My objection to ratings systems imposed by government is a general one. If video and music is to be rated, why not articles and Usenet posts? The principle is the same. Anyone telling me I have to rate my work, or submit it to a ratings agency, is aggressing against me.

Now, if others rate my work (which is already happening with digest services such as "CP-Lite"), this is their business, not mine.

But the V-Chip precedent is a precedent for the government to insist that all sorts of content be rated. This should be fought in a free society.

--Tim May

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From jimbell at pacifier.com Thu Jan 25 01:29:54 1996
From: jimbell at pacifier.com (jim bell)
Date: Thu, 25 Jan 1996 17:29:54 +0800
Subject: German home banking (fromn RISKS)
Message-ID:

At 07:34 PM 1/24/96 -0600, Andrew Loewenstern wrote:
>> Don't high speed modems transmit and receive on the same frequencies,
>> using echo cancelation to decode the receive signals? Does that
>> make it impossible to eavesdrop on high-speed (i.e. V32bis) modems?
>
>No, and a lot of crackers and phone phreaks found out the hard way. You can
>buy protocol analysers off-the-shelf that will give a dump of the entire
>communication by just passively listening in (or possibly playing back a
>recording).

Assuming it were possible, it would have to have a rather good quality, although DAT should be adequate, I should think.

> I have seen units that could decode all of the popular Blue Book
>protocols for consumer equipment such as faxes and high-speed modems as well
>as ISDN, T1, DS3, ATM,

Hey! Justa sec! ISDN is basically digital (broadband), so (obviously) is T1, likewise DS3 and ATM. Except for ISDN, unidirectional signals (at least at one time...), I think. This is NOTHING compared to the difficulty of doing simultaneous bidirectional analysis in a 3 khz bandwidth of 28 kbps each way!

Maybe you're far more familiar with what equipment is available for telephone analysis than I am, but I have serious doubts that the capacities you list above are even close to what the other guy asked about.

etc... Most are programmable and some are full-blown
>computers running stripped down versions of Unix and can also be controlled
>over the network from RealComputers. With multiple analysers and a little
>custom software you could easily perform MITM attacks. The hardest part is
>getting in the middle.
>
>Modulation, comm-protocols, and compression techniques are not a replacement
>for honest to goodness crypto.

Agreed, but let's not underestimate the amount of effort involved. This is important, because of that "Digital Telephony" bill crapola they're trying to foist on us. Their argument will be, we presume, that "we've gotta be able to bug all these lines because of all the drug dealers talking on the phone."

Well, unless the government is proposing installing the capability of bugging data the vast majority of data calls (including those that, hypothetically, use Clipper) then they're NOT going to get any traffic they claim to want to hear. We should ask, "How much will it cost to even UNDERSTAND a data phone call, let alone decrypt it, and if it's too high let's give up while we're behind."

From decius at montag33.residence.gatech.edu Thu Jan 25 01:37:18 1996
From: decius at montag33.residence.gatech.edu (Decius)
Date: Thu, 25 Jan 1996 17:37:18 +0800
Subject: another thought about random numbers
In-Reply-To:
Message-ID: <199601250752.CAA06216@montag33.residence.gatech.edu>

>
> While musing over a roulette table, and noticing the preponderence of
> electronic games in the various Casinos in Stateline, NV, a thought
> occurred: does anyone know what sorts of random number generators those
> electronic games use, and how (if at all) they are measured and regulated
> by the Nevada Gaming Commission? They might have something to teach us.

hmmm... probably just a cheapo pseudo-rng....

With a copy of their schematics and a whole lot of analysis you could probably make some serious money!! :)

--
*/^\* Tom Cross AKA Decius 615 AKA The White Ninja */^\*
Decius at montag33.residence.gatech.edu

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzA6oXIAAAEEAJ6ZWl7AwF9rDZhREQ2b9aPxJKL7dxQNx6QQ0pB5o9olvNtG
tIjA47KxWmZAx47m2JEWRgAIaiDHx00dEza5GX4FuFHL7wSXW7qOtqj7CmVLEg4e
0F/Mx0z7Q/aNsn34JrZUWbMLKkAOOB9sJARRynPRVNokAS30ampImlrLbQDFAAUT
tCZEZWNpdXMgNmk1IDxkZWNpdXNAbmluamEudGVjaHdvb2Qub3JnPg==
=0qgN
-----END PGP PUBLIC KEY BLOCK-----

From shamrock at netcom.com Thu Jan 25 01:44:07 1996
From: shamrock at netcom.com (Lucky Green)
Date: Thu, 25 Jan 1996 17:44:07 +0800
Subject: Crippled Notes export encryption
Message-ID:

At 13:06 1/24/96, Andrew Loewenstern wrote:
>Why not just print out all of the source code to Navigator (crypto and all)
>in a nice OCR font? Paper is exportable. Then you would 'only' have to scan
>it back in and debug it.

That would be giving away the store to the competition.

-- Lucky Green
PGP encrypted mail preferred.

From jwz at netscape.com Thu Jan 25 01:49:32 1996
From: jwz at netscape.com (Jamie Zawinski)
Date: Thu, 25 Jan 1996 17:49:32 +0800
Subject: Crippled Notes export encryption
In-Reply-To:
Message-ID: <310738C8.52BF@netscape.com>

Lucky Green wrote:
>
>> I would have to remove the des_encrypt() call from the authenticate()
>> routine before it can be exported...
>
> What if you replaced it by rot_13 () ? Surely, they can't ban that. And
> someone later could just swap all rot_13 () for des_encrypt ()

But that's exactly the point: they can ban whatever they like, because they refuse to tell you the rules. You show them the code, and they say "yes" or "no" without sharing with you their reasoning. And their reasoning can change at any time, and can be based on any number of factors which you might consider unfair.

Logic and fairness have no place in this, because "National Security" is the root password to the Constitution.

--
Jamie Zawinski jwz at netscape.com http://www.netscape.com/people/jwz/
``A signature isn't a return address, it is the ASCII equivalent of a black velvet clown painting; it's a rectangle of carets surrounding a quote from a literary giant of weeniedom like Heinlein or Dr. Who.'' -- Chris Maeda

From shamrock at netcom.com Thu Jan 25 01:51:27 1996
From: shamrock at netcom.com (Lucky Green)
Date: Thu, 25 Jan 1996 17:51:27 +0800
Subject: Crippled Notes export encryption
Message-ID:

At 16:07 1/24/96, Peter D. Junger wrote:
>The ITAR are regulations, not a law passed by
>Congress. The ITAR regulations relating to the export of cryptography
>are probably not authorized by any law (as well as being
>unconstitutional). The reason for all the silly twists and turns
>under the ITAR is that the censors never succeeded in getting any law
>forbidding the use of cryptography, and it is not at all certain that
>they could get such a law passed.

They couldn't get a law passed _then_. Nor did they need to.
They also don't need one now, because they have rubber regulations at their disposal. They will be able to get a law passed, should their interpretation of the regulations be thrown out by a court.

Passing such a law will be *trivial*. Just put in the exceptions for the powerful special interest groups, such as banks. The vote will be near unanimous, as it always is in similar cases. See Digital Telephony.

-- Lucky Green
PGP encrypted mail preferred.

From nobody at REPLAY.COM Thu Jan 25 01:51:51 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Thu, 25 Jan 1996 17:51:51 +0800
Subject: No Subject
In-Reply-To:
Message-ID: <199601250725.IAA02599@utopia.hacktic.nl>

fair at clock.org ("Erik E. Fair" (Time Keeper)) writes:
>does anyone know what sorts of random number generators those
>electronic games use, and how (if at all) they are measured and regulated
>by the Nevada Gaming Commission? They might have something to teach us.

There was some conversation about this recently on rec.gambling.other-games. Several people who work in the industry said that electronic machines use some sort of PRNG, but with a nice added bit of random input - the player's timing of hitting the buttons. One poster described it as the machine constantly generating numbers, and choosing the payoff based on the last number generated when the user hit a button.

I think that'd work pretty well. It's nice that this is in a slot machine: typical computers can't afford to waste lots of time throwing away random numbers.

There was also some speculation about whether the machines were immune to electronic tampering.

From shamrock at netcom.com Thu Jan 25 02:03:26 1996
From: shamrock at netcom.com (Lucky Green)
Date: Thu, 25 Jan 1996 18:03:26 +0800
Subject: Crippled Notes export encryption
Message-ID:

At 22:11 1/24/96, sameer wrote:
>> example, CyberCash has a development office there.
>>
> "has a development office" is a bit of an understatement.

Would you like to share?

-- Lucky Green
PGP encrypted mail preferred.

From rsalz at osf.org Thu Jan 25 02:07:52 1996
From: rsalz at osf.org (Rich Salz)
Date: Thu, 25 Jan 1996 18:07:52 +0800
Subject: Hack Java
Message-ID: <9601231630.AA07540@sulphur.osf.org>

This illustrates the difference between a language with no dangerous constructs, and one where you must trust the implementation.

From some internal OSF email:

---------- Begin Forwarded Message ----------

    class Data {
        // an object storing 16 bytes
        byte[] word = new byte[16];
    }

    class Trick {
        Data data;
        long tricky_pointer;
    }

Now suppose, I fake a compiler (or I have a malicious compiler) and I generate by hand malicious byte code such that in the symbol tables, tricky_pointer and data have the same offset.

Then if I have the code

    tricky_pointer = 10000;
    for (; tricky_pointer < 50000 ;) {
        dumptofile(trick.data);
        tricky_pointer += 16;
    }

what I am doing with this code is that I am actually setting the data object reference to point to address 10000, then I am core dumping the contents of memory up to address 50000, 16 bytes at a time!

The byte code is completely legal, I have cheated with the field offsets so that I can access to the same memory as two different types.

In order to detect that the byte code verifier must verify that all the fields of an object do not overlap in their memory layout. That's what has to be checked.

----------- End Forwarded Message -----------

From an146908 at anon.penet.fi Thu Jan 25 02:11:44 1996
From: an146908 at anon.penet.fi (an146908 at anon.penet.fi)
Date: Thu, 25 Jan 1996 18:11:44 +0800
Subject: (FWD) UUNET Offers Web Security Services 01/22/96
Message-ID: <9601250846.AA23528@anon.penet.fi>

FAIRFAX, VIRGINIA, U.S.A., 1996 JAN 22 (NB) -- UUNET Technologies (Nasdaq:UUNT) is offering a World Wide Web hosting service that includes a full range of security services for commercial and private applications, including use of PGP (pretty good privacy) encryption.

The company says the introduction of secure Web services supports served-based SSL (secure socket level) encryption that works with Netscape browsers to transmit sensitive data such as credit card numbers.

The inclusion of PGP also allows companies to encrypt and forward data they have received on the Web, which can then be redistributed to other systems, such as credit card billing systems, via e-mail or FTP (File Transfer Protocol). UUNET says the combination of security measures is available for UUNET's standard, premium, and new dedicated Web hosting services.

Alan Taffel, UUNET vice president of marketing, said the new measures are "a significant step toward the goal of making Web-based electronic commerce a reality. Previously, companies wishing to take advantage of available secure server technology had to undertake a challenging and lengthy process. UUNET's secure Web service alleviates the hassle associated with deploying a secure server."

Customers choosing the secure service will get the same Internet service as regular customers, says UUNET. Also, UUNET will take care of details such as applying to Verisign for a company digital identification.

UUNET is also now offering a dedicated server option for high volume and high value customers. This service includes a dedicated 130 megahertz (MHz) Pentium machine, a gigabyte (GB) of storage and up to 5GB of traffic per month. The price involves a $3,500 startup fee, and monthly fees beginning at $2,000 per month.

UUNET's standard service starts at $300 a month and includes T1 bandwidth. Premium service (10 megabits-per-second connectivity) starts at $900 per month. For standard service, the security service costs an additional $200 in startup fees and $200 per month above the normal fee. There is no startup fee for premium service, but the monthly surcharge remains. FTP hosting service is available for $100 per month for up to 2.5GB per month in traffic.

(Kennedy Maize/19960122/Press Contact: Alan Taffell, 703-206-5600)

--****ATTENTION****--****ATTENTION****--****ATTENTION****--***ATTENTION***
Your e-mail reply to this message WILL be *automatically* ANONYMIZED.
Please, report inappropriate use to abuse at anon.penet.fi
For information (incl. non-anon reply) write to help at anon.penet.fi
If you have any problems, address them to admin at anon.penet.fi

From tcmay at got.net Thu Jan 25 02:13:13 1996
From: tcmay at got.net (Timothy C. May)
Date: Thu, 25 Jan 1996 18:13:13 +0800
Subject: Crippled Notes export encryption
Message-ID:

At 7:25 AM 1/25/96, Lucky Green wrote:
>The big companies are fighting? Where did you get that idea? IBM/Lotus just
>gave the feds the keys. Not a single one of the major players has
>challenged the government in any meaningful way. Sure, they make a lot of
>noise as to how they dislike the regulations, but they certainly aren't
>making a sincere effort of trying to change them.

I have several pieces of evidence which suggest to me that the government is leaning on companies in ways which are not always apparent. (I can't share all of the evidence I have...I know this is unsatisfying. I'm not asking you to "trust me," just noting that this is what I have either heard from usually reliable sources or from direct participants.)

I am reluctant to ascribe malice to any of the players in this drama, just differing goals (in the Great Game).

--Tim

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
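
Added example, not part of any message in this archive and not code from any Java implementation: the field-overlap check that the forwarded mail in Rich Salz's "Hack Java" message above says a verifier must make. It assumes, as that mail does, a compiled format that records a byte offset for every field; the `Field` table, the 4-byte reference size and the sample layouts are assumptions for illustration, and the check also covers partial overlaps, which goes beyond the same-offset case in the mail.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;

public class FieldOverlapCheck {
    // Assumption: an object reference occupies 4 bytes in this hypothetical layout.
    static final int REF_SIZE = 4;

    /** One row of the hypothetical per-class field table: name, type descriptor, byte offset. */
    static final class Field {
        final String name;
        final String descriptor;
        final int offset;

        Field(String name, String descriptor, int offset) {
            if (descriptor == null || descriptor.isEmpty()) {
                throw new IllegalArgumentException("missing descriptor for " + name);
            }
            this.name = name;
            this.descriptor = descriptor;
            this.offset = offset;
        }

        boolean isReference() {
            char c = descriptor.charAt(0);
            return c == 'L' || c == '[';          // object or array reference
        }

        int size() {
            switch (descriptor.charAt(0)) {
                case 'B': case 'Z': return 1;     // byte, boolean
                case 'C': case 'S': return 2;     // char, short
                case 'I': case 'F': return 4;     // int, float
                case 'J': case 'D': return 8;     // long, double
                case 'L': case '[': return REF_SIZE;
                default:
                    throw new IllegalArgumentException("bad descriptor: " + descriptor);
            }
        }

        // long arithmetic so a huge forged offset cannot wrap around and hide an overlap
        long end() {
            return (long) offset + size();
        }
    }

    /** Returns one error per illegal field; an empty list means the layout is accepted. */
    static List<String> verify(String className, Field[] declared) {
        List<String> errors = new ArrayList<>();
        Field[] fields = declared.clone();
        Arrays.sort(fields, Comparator.comparingInt((Field f) -> f.offset));
        for (int i = 0; i < fields.length; i++) {
            Field a = fields[i];
            if (a.offset < 0) {
                errors.add(className + "." + a.name + ": negative offset " + a.offset);
            }
            // Sorted by offset: every later field that starts before a ends overlaps a.
            for (int j = i + 1; j < fields.length && fields[j].offset < a.end(); j++) {
                Field b = fields[j];
                String kind = (a.isReference() || b.isReference())
                        ? "reference storage aliased (type confusion)"
                        : "primitive fields overlap";
                errors.add(String.format("%s: %s [%d,%d) and %s [%d,%d): %s",
                        className, a.name, a.offset, a.end(),
                        b.name, b.offset, b.end(), kind));
            }
        }
        return errors;
    }

    static void report(String label, Field[] fields) {
        List<String> errors = verify(label, fields);
        if (errors.isEmpty()) {
            System.out.println(label + ": layout accepted");
        } else {
            System.out.println(label + ": REJECTED");
            for (String e : errors) {
                System.out.println("  " + e);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the forged Trick layout from the mail, both fields at offset 0.
        Field[] forged = {
            new Field("data", "LData;", 0),
            new Field("tricky_pointer", "J", 0),
        };
        // Constructed sample: a layout an honest compiler might emit for the same class.
        Field[] honest = {
            new Field("data", "LData;", 0),
            new Field("tricky_pointer", "J", 8),
        };
        report("Trick (forged)", forged);
        report("Trick (honest)", honest);
    }
}
```

A verifier making this check at load time rejects the forged class before any of its code runs, so the long/reference aliasing the mail relies on never exists in memory.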

From alano at teleport.com Thu Jan 25 02:16:47 1996
From: alano at teleport.com (Alan Olsen)
Date: Thu, 25 Jan 1996 18:16:47 +0800
Subject: [noise] Re: Crippled Notes export encryption
Message-ID: <2.2.32.19960125090719.008efa3c@mail.teleport.com>

At 08:24 PM 1/24/96 -0500, you wrote:
>In article <9601242357.AA02688 at alpha>, Mike McNally wrote:
>>This sounds fishy to me. I don't recall reading anything to suggest
>>that export of cryptographic software (or any other munition) requires
>>that the stuff be *used* outside the US for an offense to be
>>committed; why should export of a cryptographer's wetware be any
>>different? Either the expertise leaves the country or it doesn't, I'd
>>think.
>
>Here's section 120.17 of ITAR:
>
>@ 120.17 -- Export.
>
> Export means:
>
> (6) A launch vehicle or payload shall not, by reason of the launching of such
>vehicle, be considered an export for purposes of this subchapter. However, for
>certain limited purposes (see @ 126.1 of this subchapter), the controls of this
>subchapter may apply to any sale, transfer or proposal to sell or transfer
>defense articles or defense services.

So we could launch Jeff Weinstein in a rocket without violating ITAR as long as we do not sell him.

"Hey Jeff... Want a ride?" ];>

Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/
National Security uber alles!

From alano at teleport.com Thu Jan 25 02:19:04 1996
From: alano at teleport.com (Alan Olsen)
Date: Thu, 25 Jan 1996 18:19:04 +0800
Subject: Hack Lotus?
Message-ID: <2.2.32.19960125090041.008e7488@mail.teleport.com>

At 01:38 AM 1/25/96 +0000, you wrote:
>I have no doubt that enterprising hackers will be able to hack
>the international version of lotus Notes to make it as secure
>as the domestic version. It is probably just a matter of NOPing
>some code.
>
>The real problem is the 64 bit key in the domestic version.
This
>conforms to the NIST "standard" for an exportable system. In other
>words to allow the international people to have almost nonexistent
>40 bit security, they have limited domestic users to 64 bit security.
>The 64 bits keys must be breakable at least in some sense or the limitation
>would not be in the NIST "standard".

[stuff deleted]

Something just came to mind...

What if there is no difference between the exportable and non-exportable versions? Could it be that they are *both* GAKed? Maybe I am just being paranoid (or thinking that IBM might just be lazy enough to push out a single version under two versions), but it is something that needs to be determined.

Does anyone out there have access to both versions for a comparison?

Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/
"Is the operating system half NT or half full?"

From postmaster at ncr-sd.SanDiegoCA.ATTGIS.COM Thu Jan 25 02:22:34 1996
From: postmaster at ncr-sd.SanDiegoCA.ATTGIS.COM (postmaster at ncr-sd.SanDiegoCA.ATTGIS.COM)
Date: Thu, 25 Jan 1996 18:22:34 +0800
Subject: SMTP mail warning
Message-ID: <9601250937.AB19972@toad.com>

message

From nobody at REPLAY.COM Thu Jan 25 02:24:50 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Thu, 25 Jan 1996 18:24:50 +0800
Subject: Pssst......Wanna buy a mailing list?
Message-ID: <199601250940.KAA05908@utopia.hacktic.nl>

-----BEGIN PGP SIGNED MESSAGE-----

A wonderful little announcement for a new WWW site appeared in my anon mail this evening. It was for a site offering Privacy Tools and Offshore Activities. Poor guy who sent the message sent it without BCCing it and hence, everyone who requested his autoresponder file on Anonymous Banking is listed. (At least 100+ addresses!)

Highlights of the domains in the mailing:

nea.org Gotta keep some money stashed for education!
uspto.gov Nyms requesting information for hiding patent $$$
mot.com Good year for Motorola stocks!
fmr.com Fidelity Investments....Hmmmmm

I'll bet my last E-Ca$h coin that there will be a lot of these people learning about anonymous remailers the hard way.

Malthus

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMQclaQJo+wOswDgJAQGUJgP+Jf2XnmRf9EHtVUI18cd1ipAme9KyyOfO
MBrsDsRKBCFdT7HbTshqjULXQTd5kvI62PmnDEbVQ52L30tSs/Dp9tTbg8HYVIbS
Vpcs/RvB0KeiMy+x6RniVljvGPRgRzefidTqtiKADQc76xl/gNW1JK6rySFQLMRO
kHRP4btnqkM=
=GL1y
-----END PGP SIGNATURE-----

L. Malthus PGP key listed at MIT
--

From don at cs.byu.edu Thu Jan 25 02:37:52 1996
From: don at cs.byu.edu (Don)
Date: Thu, 25 Jan 1996 18:37:52 +0800
Subject: Crippled Notes export encryption
In-Reply-To:
Message-ID:

> At 13:06 1/24/96, Andrew Loewenstern wrote:
> Lucky sez:
> >Why not just print out all of the source code to Navigator (crypto and
> That would be giving away the store to the competition.

Not to mention all those hidden easter eggs.

Err, I think the idea was to "sell" the OCR source to a foreign puppet company which then pays any royalties it would be responsible for back to the real McCoy.

Don

From gary at kampai.euronet.nl Thu Jan 25 03:20:08 1996
From: gary at kampai.euronet.nl (Gary Howland)
Date: Thu, 25 Jan 1996 19:20:08 +0800
Subject: another thought about random numbers
Message-ID: <199601251055.FAA25587@bb.hks.net>

-----BEGIN PGP SIGNED MESSAGE-----

Decius writes:

> hmmm... probably just a cheapo pseudo-rng....

I'm sure you're right.

> With a copy of their schematics and a whole lot of analysis you could
> probably make some serious money!! :)

Perhaps, but only to the extent that you could win what others have lost. These machines only ever pay out a percentage of what is put in - it is not possible to beat the machine (long gone are the days when the designers calculated all the probabilities and relied on "the law of averages" in order for the machine to win).

Gary
- ---
[This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

iQBFAwUBMQdhoioZzwIn1bdtAQHk6AF/foseD0Wg3ezlf7XIHPkkwYcYz7OuQdQH
mxyFFcFYxU6TLxjdn/FG8s1ehtegfqQD
=LtQC
-----END PGP SIGNATURE-----

From wb8foz at nrk.com Thu Jan 25 05:55:27 1996
From: wb8foz at nrk.com (David Lesher)
Date: Thu, 25 Jan 1996 21:55:27 +0800
Subject: Crypto Exports, Europe, and Conspiracy Theories
In-Reply-To:
Message-ID: <199601251332.IAA03055@nrk.com>

froomkin at law.miami.edu:
> No, the real threats to LEAs/traditional ways of doing things are more
> likely to be anonymity and anonymous cash. And these are things that may
> well be within the power of governments to at least make difficult if not
> eliminate for some time. "Chokepoints" is indeed the key word here, with
> banks and remailer operators as chokees.

But look at the recent NYT story re: Russian banks.... (The Fed even supplies the greenbacks.....)

--
A host is a host from coast to coast.................wb8foz at nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433

From olbon at dynetics.com Thu Jan 25 06:35:50 1996
From: olbon at dynetics.com (Clay Olbon II)
Date: Thu, 25 Jan 1996 22:35:50 +0800
Subject: Crippled Notes export encryption
Message-ID:

At 10:49 PM 1/24/96, Lucky Green wrote:
>At 19:34 1/24/96, Derek Atkins wrote:
>>If I have a function that does something like this:
>>
>>authenticate (args)
>>{
>> ...
>>
>> des_encrypt ();
>> ...
>>}
>>
>>I would have to remove the des_encrypt() call from the authenticate()
>>routine before it can be exported...
>
>What if you replaced it by rot_13 () ? Surely, they can't ban that.
And
>someone later could just swap all rot_13 () for des_encrypt ()
>
>
>-- Lucky Green
> PGP encrypted mail preferred.

Better idea: replace des_encrypt() with fuck_the_itar().

Seriously, this just illustrates the idiocy of banning "hooks" in software. How does one define a "hook"? Just providing source code could be defined as providing a hook, since a good programmer could then modify it to do crypto. Also, how about the various kits and tools used to integrate pgp with pine, eudora, etc -- are these not "hooks"?

Clay

---------------------------------------------------------------------------
Clay Olbon II | olbon at dynetics.com
Systems Engineer | ph: (810) 589-9930 fax 9934
Dynetics, Inc., Ste 302 | http://www.msen.com/~olbon/olbon.html
550 Stephenson Hwy | PGP262 public key: finger olbon at mgr.dynetics.com
Troy, MI 48083-1109 | pgp print: B97397AD50233C77523FD058BD1BB7C0
"To escape the evil curse, you must quote a bible verse; thou shalt not ...
Doooh" - Homer (Simpson, not the other one)
---------------------------------------------------------------------------

From tighe at spectrum.titan.com Thu Jan 25 07:49:46 1996
From: tighe at spectrum.titan.com (Mike Tighe)
Date: Thu, 25 Jan 1996 23:49:46 +0800
Subject: Crippled Notes export encryption
In-Reply-To: <3106A21E.33E3@netscape.com>
Message-ID: <199601251504.JAA04039@softserv.tcst.com>

Jeff Weinstein writes:
>> Didn't Netscape already promise to remove the hooks? It seems to me all of
>> the major software players are already in bed with the government.
>
> What do you mean by "promise to remove the hooks"?

I mean they planned to have some type of crypto, but then after a visit from the USG, they removed that plan, and even withdrew the interface so that someone else couldn't "drop in" the crypto. The press release describing it was within the past 12 months or so. I will find it eventually.

From dan at milliways.org Thu Jan 25 07:53:59 1996
From: dan at milliways.org (Dan Bailey)
Date: Thu, 25 Jan 1996 23:53:59 +0800
Subject: Bernie S. Sentencing
Message-ID: <199601251509.KAA21760@remus.ultranet.com>

I believe that Ed was the first person to be sentenced under PA's new anti-toll fraud law which makes it illegal to build, distribute, or distribute plans for, or use "toll-fraud" devices which include EEPROM burners, cellular diagnostic equipment, etc. The Man couldn't put him away for any length of time for that, so they're trying another angle.

ObCrypto: When they pass laws against "info-laundering"/"electronic identity hiding" tools, it'll probably go something like this.

=========BEGIN FORWARDED MESSAGE=========
Date: Mon, 22 Jan 1996 06:48:44 -0500 (EST)
From: Emmanuel Goldstein
Subject: Bernie S. Sentencing Friday

I just found out that Bernie S. will be sentenced this Friday morning at 9 am in Easton, PA for the crime of removing batteries from a tone dialer several years ago. This is defined as a victimless misdemeanor for which the judge in this small town (under considerable influence from the Secret Service) set bail at $250,000. He could get two years in prison at sentencing.

Press attention could be very helpful in avoiding a sentence as irrational as the bail setting - right now the only influence these people are getting is from the Secret Service and they want to put Bernie S away for as long as they can. If you're not entirely up to date on this story, finger bernies at 2600.com for all of the details. If you know of anyone who will cover this story, please get ahold of them right away so they can plan on being there. If anyone is interested in going, let me know so we can hopefully fill some cars from NYC.
Sentencing is scheduled for Friday, January 26 at 9 am Courtroom 5 Northampton County Government Center 7th and Washington Street Easton, PA 18042-7492 (610) 559-3020 (district attorney) case # 2173-1993 The Commonwealth of Pennsylvania vs. Edward E. Cummings Misdemeanor 2 - tampering with physical evidence Please help spread the word. emmanuel at 2600.com =========END FORWARDED MESSAGE========= From jeffb at sware.com Thu Jan 25 08:24:46 1996 From: jeffb at sware.com (Jeff Barber) Date: Fri, 26 Jan 1996 00:24:46 +0800 Subject: Crippled Notes export encryption In-Reply-To: <199601251504.JAA04039@softserv.tcst.com> Message-ID: <199601251555.KAA01850@jafar.sware.com> Mike Tighe writes: > Jeff Weinstein writes: > >> Didn't Netscape already promise to remove the hooks? It seems to me all of > >> the major software players are already in bed with the government. > > > > What do you mean by "promise to remove the hooks"? > > I mean they planned to have some type of crypto, but then after a visit > from the USG, they removed that plan, and even withdrew the interface so > that someone else couldn't "drop in" the crypto. The press release > describing it was within the past 12 months or so. I will find it > eventually. I think you may be confused. I do recall a report that some NSA folks visited NCSA and recommended they remove crypto hooks from the NCSA httpd. Is this maybe what you're thinking of? -- Jeff From tighe at spectrum.titan.com Thu Jan 25 08:30:50 1996 From: tighe at spectrum.titan.com (Mike Tighe) Date: Fri, 26 Jan 1996 00:30:50 +0800 Subject: Crippled Notes export encryption In-Reply-To: <199601251555.KAA01850@jafar.sware.com> Message-ID: <199601251530.JAA04672@softserv.tcst.com> Jeff Barber writes: >> Didn't Netscape already promise to remove the hooks? It seems to me all of >> the major software players are already in bed with the government. >I think you may be confused. 
I do recall a report that some NSA folks >visited NCSA and recommended they remove crypto hooks from the NCSA httpd. >Is this maybe what you're thinking of? Yes, I guess that was it. Thanks for the correction. Anyway, moving to the actual point, it does seem most major software players are agreeing to the USG demands. From rsalz at osf.org Thu Jan 25 08:34:45 1996 From: rsalz at osf.org (Rich Salz) Date: Fri, 26 Jan 1996 00:34:45 +0800 Subject: Crippled Notes export encryption Message-ID: <9601251543.AA14741@sulphur.osf.org> > Seriously, this just illustrates the idiocy of banning "hooks" in software. Yes. That's why an API that supported generic data transforms and that included compression and for non-export encryption would be a useful thing. I have a start toward such an API definition that I will email to anyone who might wanna finish it off. I started doing it around the time that Raph talked about his per-user crypto server. > How does one define a "hook"? Just providing source code could be defined > as providing a hook, since a good programmer could then modify it to do > crypto. Also, how about the various kits and tools used to integrate pgp > with pine, eudora, etc -- are these not "hooks"? They define a hook. They define it on a case-by-case basis. "They" is the Office of Defence Trade Controls, in conjunction with their consulting experts primarily people in the department of Export Control at the NSA. Luckily the ITAR talks about willful violations. /r$ From adam at lighthouse.homeport.org Thu Jan 25 09:05:47 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Fri, 26 Jan 1996 01:05:47 +0800 Subject: Bernie S. 
Sentencing In-Reply-To: <199601251509.KAA21760@remus.ultranet.com> Message-ID: <199601251550.KAA08091@homeport.org> Before anyone complains of a lack of crypto relevance to this, Bernie S is the guy who brought Clipper phones & actual clipper chips which he convinced Mykrotronix to send him to the HOPE conference in NYC two years ago. These clipper phones added a new argument to the long list against clipper, and that was the phones barely worked, despite Bernie's efforts. He also gave away one of the two clippers that he brought, which was destroyed with a small explosive device, showing the truth of the old saw about there being few problems not solvable with a suitable application of high explosives. :) If any of our writers could be at his sentencing, a little press attention for the guy would be real helpful. Adam Dan Bailey wrote: | I believe that Ed was the first person to be sentenced under PA's new | anti-toll fraud law which makes it illegal to build, distribute, or | distribute plans for, or use "toll-fraud" devices which include EEPROM | burners, cellular diagnostic equipment, etc. The Man couldn't put him | away for any length of time for that, so they're trying another angle. | | ObCrypto: When they pass laws against "info-laundering"/"electronic | identity hiding" tools, it'll probably go something like this. | =========BEGIN FORWARDED MESSAGE========= | Date: Mon, 22 Jan 1996 06:48:44 -0500 (EST) | From: Emmanuel Goldstein | Subject: Bernie S. Sentencing Friday | | I just found out that Bernie S. will be sentenced this Friday morning | at 9 am in Easton, PA for the crime of removing batteries from a tone | dialer several years ago. This is defined as a victimless misdemeanor | for which the judge in this small town (under considerable influence | from the Secret Service) set bail at $250,000. He could get two years | in prison at sentencing. 
Press attention could be very helpful in | avoiding a sentence as irrational as the bail setting - right now the | only influence these people are getting is from the Secret Service and | they want to put Bernie S away for as long as they can. If you're not | entirely up to date on this story, finger bernies at 2600.com for all of | the details. | | If you know of anyone who will cover this story, please get ahold of | them right away so they can plan on being there. If anyone is | interested | in going, let me know so we can hopefully fill some cars from NYC. | | Sentencing is scheduled for Friday, January 26 at 9 am | Courtroom 5 | Northampton County Government Center | 7th and Washington Street | Easton, PA 18042-7492 | | (610) 559-3020 (district attorney) | | case # 2173-1993 | The Commonwealth of Pennsylvania vs. Edward E. Cummings | Misdemeanor 2 - tampering with physical evidence | | Please help spread the word. | | emmanuel at 2600.com | | | | =========END FORWARDED MESSAGE========= | | -- "It is seldom that liberty of any kind is lost all at once." -Hume From jya at pipeline.com Thu Jan 25 09:39:10 1996 From: jya at pipeline.com (John Young) Date: Fri, 26 Jan 1996 01:39:10 +0800 Subject: TOP_tap Message-ID: <199601251559.KAA02710@pipe1.nyc.pipeline.com> 1-25-96. TWPsst: "Military Men Named to Top Intelligence Posts." AF Gen. Kenneth Minihan to run all US eavesdropping on foreign governments and citizens at NSA, which is responsible for providing US officials with a steady stream of intercepted electronic data on foreign weapons and conversations involving foreign politicians. The NSA's eavesdropping costs an estimated $3.5 billion a year, a large portion of which supports its computer operations at Fort Meade and its world-class experts in mathematics. TOP_tap From williams at va.arca.com Thu Jan 25 09:58:14 1996 From: williams at va.arca.com (Jeff Williams) Date: Fri, 26 Jan 1996 01:58:14 +0800 Subject: V-chip? 
Message-ID: <65534.297195739@va.arca.com> Tim May writes: > Anyone telling me I have to rate my work, or submit it to a ratings agency, > is aggressing against me. Now, if others rate my work (which is already > happening with digest services such as "CP-Lite"), this is their business, > not mine. But the V-Chip precedent is a precedent for the government to > insist that all sorts of content be rated. This should be fought in a free > society. But what if they *ask* you nicely to label your work? "If you think your message is offensive, violent, or racist, would you please consider labelling it?" I don't think I'd mind. In fact, *optional* labels would make me more likely to post such material, because I'd have some confidence that it would only be read by people who want to read it. (And they could even find it more quickly!) There's nothing inherently wrong with labelling information. When messages here are labelled [NOISE], I know to avoid them. This sort of meta-information is helpful and good. The precedent is what's troubling. Someone will probably try to mandate the labels...Someone will try to write a law that says "Anyone who posts what I consider offensive without a label is guilty." This is what should be fought...not labels. --Jeff From cea01sig at gold.ac.uk Thu Jan 25 10:01:32 1996 From: cea01sig at gold.ac.uk (Sean Gabb) Date: Fri, 26 Jan 1996 02:01:32 +0800 Subject: UK newspaper names Zimmermann a "neo-Nazi sympathiser" In-Reply-To: Message-ID: Hi! Can someone out there send me a copy of the ST article on Zimmermann? I'm currently too busy with marking to bother buying newspapers. Many thanks, Sean Gabb, Editor Free Life. 
====================================================================== A Journal of Classical Liberal and Libertarian Thought Production: Editorial: c/o the Libertarian Alliance 123a Victoria Way 25 Chapter Chambers Charlton London SW1P 4NN London SE7 7NX Tel: **181 858 0841 Fax: **171 834 2031 E-mail: cea01sig at gold.ac.uk EDITOR OF FREE LIFE: SEAN GABB ______________________________________________________________________ How to subscribe: Send cheque for GBP10 or US$20 made out to the Libertarian Alliance. ====================================================================== FOR LIFE, LIBERTY AND PROPERTY ====================================================================== From mgursk1 at gl.umbc.edu Thu Jan 25 10:11:03 1996 From: mgursk1 at gl.umbc.edu (Mike Gurski) Date: Fri, 26 Jan 1996 02:11:03 +0800 Subject: Crippled Notes export encryption In-Reply-To: <199601250034.TAA09745@toxicwaste.media.mit.edu> Message-ID: On Wed, 24 Jan 1996, Derek Atkins wrote: > > How exactly are crypto-hooks defined? This restriction seems orders > > of magnitude more bogus than even the ban on exporting actual > > encryption. > > Very vaguely. If I have a function that does something like this: > > authenticate (args) > { > ... > > des_encrypt (); > ... > } > > I would have to remove the des_encrypt() call from the authenticate() > routine before it can be exported... Would removing the call to des_encrypt() and replacing it with a comment violate the restriction? something like: authenticate (args) { ... /* squeamish ossifrage */ ...
} -- |\/|ike Gurski mgursk1 at gl.umbc.edu FidoNet: 1:261/1062 http://www.gl.umbc.edu/~mgursk1/ finger -l for PGP public key |Member, 1024/39B5BADD PGP Keyprint=3493 A994 B159 48B7 1757 1E4E 6256 4570| Team My opinions are mine alone, even if you should be sharing them. | OS/2 From perry at piermont.com Thu Jan 25 10:14:07 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 26 Jan 1996 02:14:07 +0800 Subject: Bernie S. Sentencing In-Reply-To: <199601251509.KAA21760@remus.ultranet.com> Message-ID: <199601251650.LAA16112@jekyll.piermont.com> Dan Bailey writes: > I believe that Ed was the first person to be sentenced under PA's new > anti-toll fraud law which makes it illegal to build, distribute, or > distribute plans for, or use "toll-fraud" devices which include EEPROM > burners, cellular diagnostic equipment, etc. The Man couldn't put him > away for any length of time for that, so they're trying another angle. Quite seriously, this is not "Evil Hacker D00DZ" punks. Can we cut the posts on that topic? Perry From ses at tipper.oit.unc.edu Thu Jan 25 10:14:18 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Fri, 26 Jan 1996 02:14:18 +0800 Subject: mouse droppings In-Reply-To: Message-ID: On Wed, 24 Jan 1996, j. ercole wrote: > In the march '96 issue of macworld there's a "Viewpoint" reporting on the > progress of the info superhighway. Privacy and security issues predominate > the text, the primary source of which is larry irving --- "a top > administration adviser on telecommunications." Larry Irving is a deputy secretary at the Commerce Department, and heads up the NTIA and NII initiatives. He has a strong civil rights background, and actually uses the net rather than just having some aide send him some clippings. From perry at piermont.com Thu Jan 25 10:31:26 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 26 Jan 1996 02:31:26 +0800 Subject: Bernie S. 
Sentencing In-Reply-To: <199601251550.KAA08091@homeport.org> Message-ID: <199601251653.LAA16128@jekyll.piermont.com> Adam Shostack writes: > Before anyone complains of a lack of crypto relevance to this, > Bernie S is the guy who brought Clipper phones & actual clipper chips > which he convinced Mykrotronix to send him to the HOPE conference in > NYC two years ago. Okay, but no one said that in the original message, and it still isn't clear how relevant this is. If someone like Tim or me were put in jail for, say, drunk driving, I'm not sure it would be proper news here. Perry From ses at tipper.oit.unc.edu Thu Jan 25 10:39:34 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Fri, 26 Jan 1996 02:39:34 +0800 Subject: TOP_tap In-Reply-To: <199601251559.KAA02710@pipe1.nyc.pipeline.com> Message-ID: On Thu, 25 Jan 1996, John Young wrote: > > "Military Men Named to Top Intelligence Posts." > > AF Gen. Kenneth Minihan to run all US eavesdropping on > foreign governments and citizens at NSA, which is Here's an embarrassing question to show my ignorance - I thought the NSA was a Military organisation. Is it under the Pentagon, State, or is it a separate part of the executive? From andr0id at midwest.net Thu Jan 25 10:39:55 1996 From: andr0id at midwest.net (andr0id at midwest.net) Date: Fri, 26 Jan 1996 02:39:55 +0800 Subject: Crippled Notes export encryption Message-ID: <199601251654.KAA14124@cdale1.midwest.net> > >Item (1) allows people to travel abroad if they know crypto. It's unclear >that it allows them to emigrate or return to their country of origin. >Items (3),(4),(5) seem to prevent such a person from using, or even mentioning, >crypto to or "on behalf of" a foreign person. > Okay, question.. Is "crypto" and "defense" the same thing? From m5 at dev.tivoli.com Thu Jan 25 10:48:01 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Fri, 26 Jan 1996 02:48:01 +0800 Subject: V-chip?
In-Reply-To: <65534.297195739@va.arca.com> Message-ID: <9601251636.AA09314@alpha> Jeff Williams writes: > But what if they *ask* you nicely to label your work? > > "If you think your message is offensive, violent, or racist, > would you please consider labelling it?" > > I don't think I'd mind. Yea! And I'm sure you won't mind assuming the liability when somebody disagrees with your label and files a civil suit against you. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From geeman at best.com Thu Jan 25 10:52:20 1996 From: geeman at best.com (geeman at best.com) Date: Fri, 26 Jan 1996 02:52:20 +0800 Subject: Microsoft's CryptoAPI - thoughts? Message-ID: >What does everyone think about this? Perhaps I already missed the boat, but >I just found out about it. How would international apps work? Would a data >file encrypted with an app compiled with a US-only CSP (cryptographic >service provider) be able to be loaded by a European equivalent app? > >[Info can be found at: http://www.microsoft.com/intdev/inttech/cryptapi.htm] > > >-- >rickt at psa.pencom.com >egalitarian, philosopher, unix cowboy, '68 chevy pickup hacker > > To which I would like to generalize: what do you (all those with an opinion on the matter) think/feel/intuit about general crypto API's overall? How would you compare some of the simultaneous threads of development going on now in different orgs? Any strong positions out there? 
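[Added example, not written by any poster in this thread.] The generic data-transform API Rich Salz describes, and the rot_13()/des_encrypt() swap discussed above, can be made concrete in a few lines of C: the call site contains no cipher at all, only a lookup by name, and it fails closed when nothing is registered. The names transform_register, transform_lookup, xf_rot13, xf_rle and the slot name "seal" are hypothetical; authenticate() borrows its name from Derek Atkins's sketch.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* A transform maps len input bytes to at most cap output bytes and
 * returns the number of bytes written, or 0 on failure. */
typedef size_t (*transform_fn)(const unsigned char *in, size_t len,
                               unsigned char *out, size_t cap);

struct transform_slot { const char *name; transform_fn apply; };

#define MAX_SLOTS 8
static struct transform_slot slots[MAX_SLOTS];
static size_t n_slots;

/* Register fn under name, replacing any earlier registration.
 * The name pointer is stored, so it must outlive the registry. */
int transform_register(const char *name, transform_fn fn)
{
    size_t i;
    if (name == NULL || fn == NULL)
        return -1;
    for (i = 0; i < n_slots; i++) {
        if (strcmp(slots[i].name, name) == 0) {
            slots[i].apply = fn;          /* same name, new behaviour */
            return 0;
        }
    }
    if (n_slots == MAX_SLOTS)
        return -1;
    slots[n_slots].name = name;
    slots[n_slots].apply = fn;
    n_slots++;
    return 0;
}

transform_fn transform_lookup(const char *name)
{
    size_t i;
    for (i = 0; i < n_slots; i++)
        if (strcmp(slots[i].name, name) == 0)
            return slots[i].apply;
    return NULL;
}

/* rot13: an obfuscation, not encryption; length-preserving. */
size_t xf_rot13(const unsigned char *in, size_t len,
                unsigned char *out, size_t cap)
{
    size_t i;
    if (len == 0 || len > cap)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = in[i];
        if (c >= 'a' && c <= 'z')
            c = (unsigned char)('a' + (c - 'a' + 13) % 26);
        else if (c >= 'A' && c <= 'Z')
            c = (unsigned char)('A' + (c - 'A' + 13) % 26);
        out[i] = c;
    }
    return len;
}

/* Run-length compression: emits (count, byte) pairs, count 1..255. */
size_t xf_rle(const unsigned char *in, size_t len,
              unsigned char *out, size_t cap)
{
    size_t i = 0, o = 0;
    while (i < len) {
        size_t run = 1;
        while (i + run < len && in[i + run] == in[i] && run < 255)
            run++;
        if (o + 2 > cap)
            return 0;                     /* output would not fit */
        out[o++] = (unsigned char)run;
        out[o++] = in[i];
        i += run;
    }
    return o;
}

/* The call site: no cipher here, only a lookup by name. Returning 0
 * when nothing is registered keeps the caller from treating
 * untransformed data as if it had been processed. */
size_t authenticate(const char *xf_name, const unsigned char *msg,
                    size_t len, unsigned char *out, size_t cap)
{
    transform_fn fn = transform_lookup(xf_name);
    if (fn == NULL)
        return 0;
    return fn(msg, len, out, cap);
}

int main(void)
{
    unsigned char out[32];
    size_t n;

    transform_register("seal", xf_rot13);
    n = authenticate("seal", (const unsigned char *)"Hello", 5, out, sizeof out);
    printf("%.*s\n", (int)n, (const char *)out);
    return 0;
}
```

Re-registering "seal" changes what authenticate() does without touching its source, so an audit of such code has to cover what gets registered as well as the call site.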
From jsw at netscape.com Thu Jan 25 10:52:24 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Fri, 26 Jan 1996 02:52:24 +0800 Subject: Crippled Notes export encryption In-Reply-To: <199601242303.SAA14589@amsterdam.lcs.mit.edu> Message-ID: <3106E81E.1CBB@netscape.com> Ian Goldberg wrote: > OK; so what if I have code that says: > > RNG_GenerateRandomBytes(buf, size); > Hash(outbuf, buf, size); > /* > * It would be really nice if outbuf were RSA-encrypted > * with (expon,modulus) at this point and the result placed in > * outbuf2, but we have to do the following instead: > */ > for(i=0;i fwrite(outbuf2, hashsize, 1, fp); > > Would the above code be export-restricted because it contained wishful > thinking about how nice it would be to use encryption? The problem is that the government refuses to publish the rules. They make people ask for approval for every piece of code that is exported. This gives them lots of wiggle room so that they can keep changing the rules in the face of technical, legal, or political innovation. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From norm at netcom.com Thu Jan 25 11:14:47 1996 From: norm at netcom.com (Norman Hardy) Date: Fri, 26 Jan 1996 03:14:47 +0800 Subject: The cost of breaking RC4 with a 40 bit key. Message-ID: I think that special hardware to break RC4 would require 256 bytes of registers and only a few hundred control gates. Let's say 5000 transistors per "module". You can put several hundred modules on a chip. Each module can easily do one step in 5 ns. I haven't figured out what the attack would be (known plain text etc.) and hardware to handle that might be more. In mass production the marginal cost of such a chip might be $100. Perhaps trying one key requires 100 steps.
I get the cost per key trial as follows:

  (100 $/chip)(100 steps/trial)(5 (module*ns)/step)
  / ((10^9 ns/sec)(10^8 sec/(economic lifetime))(200 modules/chip))
  = 10^(2+2+.7 - (9+8+2.3)) $/keytrial
  = 10^(-15+.4) $/keytrial
  = 2.5*10^(-15) $/keytrial

I compute the cost of breaking a 40 bit key as 2.5*10^(-3) $ or one quarter of a cent. From mpd at netcom.com Thu Jan 25 11:49:03 1996 From: mpd at netcom.com (Mike Duvos) Date: Fri, 26 Jan 1996 03:49:03 +0800 Subject: V-chip? In-Reply-To: <65534.297195739@va.arca.com> Message-ID: <199601251753.JAA18561@netcom7.netcom.com> williams at va.arca.com (Jeff Williams) writes: > But what if they *ask* you nicely to label your work? > "If you think your message is offensive, violent, or racist, > would you please consider labelling it?" > I don't think I'd mind. In fact, *optional* labels would > make me more likely to post such material, because I'd have > some confidence that it would only be read by people who > want to read it. (And they could even find it more quickly!) For Usenet, a similar function is provided automatically by search engines. This is why I almost always read news now using Alta Vista. The database is updated with new articles in real time, and I can use any label I choose (i.e. search criteria) to find material in my chosen subject areas across all newsgroups. In some sense, search engines are automatic labeling devices for Usenet traffic. I find them useful. With a few more orders of magnitude computing power, such technology could easily be applied to audiovisual material as well. > There's nothing inherently wrong with labelling > information. When messages here are labelled [NOISE], I > know to avoid them. This sort of meta-information is helpful > and good. Yes. Voluntary labeling of publicly available information, or services which permit selection of such information based on personal criteria, is a Good Thing(tm).
Government labeling of publicly available information and laws which mandate the use of such labels at the distribution end are a Bad Thing(tm). > The precedent is what's troubling. Someone will probably > try to mandate the labels...Someone will try to write a law > that says "Anyone who posts what I consider offensive > without a label is guilty." This is what should be > fought...not labels. A nice example of this in the private sector is TV Guide's labeling of cable movies by content. This goes beyond the MPAA rating and includes such terms as "strong language", "nudity", "violence", "adult themes", and "sexual situations." Were TV Guide available in computer readable form, one could easily grep the guide based on such keyphrases and plot summaries to find everything from "DuckTales" to "Marilyn Chambers' Bikini Bistro." Certainly easier than reading more than a dozen pages of tiny print. Again, I find this sort of thing useful, although I would be among the first to protest if the government mandated it in law, or required extra circuitry in all television sets to take advantage of it. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From cp at proust.suba.com Thu Jan 25 11:54:42 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Fri, 26 Jan 1996 03:54:42 +0800 Subject: mouse droppings In-Reply-To: Message-ID: <199601251757.LAA01686@proust.suba.com> > Larry Irving is a deputy secretary at the Commerce Department, and heads > up the NTIA and NII initiatives. He has a strong civil rights > background, and actually uses the net rather than just having some aide > send him some clippings. Is Mr. Irving one of the people responsible for the recent positive statements coming out of Commerce? 
From jya at pipeline.com Thu Jan 25 12:06:13 1996 From: jya at pipeline.com (John Young) Date: Fri, 26 Jan 1996 04:06:13 +0800 Subject: QCD_566 Message-ID: <199601251759.MAA10861@pipe3.nyc.pipeline.com> Donald Weingarten, IBM TJW Research Center, writes in February SciAm about the center's investigations of quark theory by the "GF11" parallel processing computer dedicated solely to quantum chromodynamics (QCD) -- a computer which uses 566 parallel processors. He describes building the hardware and software of this unique tool and what two years of continuous computations revealed. An aside explains a die-rolling shortcut method called Monte Carlo to circumvent the enormous amount of computation that lattice QCD would otherwise entail. QCD_566 From tcmay at got.net Thu Jan 25 12:16:43 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 26 Jan 1996 04:16:43 +0800 Subject: "This post is G-Rated" Message-ID: [This post is classified as G-Rated by Tim May. G-Rated for children of all ages, children who need to learn about the facts of life as quickly as possible. G-Rated for "This post really tickles your G-spot!" You asked for voluntary self-ratings, you got it.) At 2:16 PM 1/25/96, Jeff Williams wrote: >But what if they *ask* you nicely to label your work? > > "If you think your message is offensive, violent, or racist, > would you please consider labelling it?" > >I don't think I'd mind. In fact, *optional* labels would make me more likely >to post such material, because I'd have some confidence that it would only be >read by people who want to read it. (And they could even find it more >quickly!) If the League of Usenet Ladies makes this request, I have no problems (though I'm almost certain to delete their request and do nothing one way or another about it). If the Islamic Students Association makes the same request, I also have no problems (and will also likely discard the request). 
These are non-governmental entities, merely requesting actions (and, of course, getting about 2% compliance, or less, with their requests). (Note of course that the League of Usenet Ladies and the Islamic Students Association are very likely to have very different ideas about what the labels should reflect! Not to mention the several hundred other major special interest groups who will want their ideologies reflected in a ratings system.) However, it is not a role for _government_ to ask that I "voluntarily" rate speech. "Congress shall make no law..." A government that faces a 2% compliance rate will be sorely tempted to make it less than voluntary. And what standards? What happens if I indeed voluntarily rate my message "G-rated"? And it contains descriptions highly unsuitable for children (in the minds of others). What if I use _my_ conceptions of what is right for children to read or see to actually _attract_ them to my writings? A ratings system inevitably means a debate about what the ratings mean, and whether some work is properly rated. Self-rating runs into this problem big time. Especially when people like me like to throw grenades into discussions to challenge the orthodoxy. (Note that the MPAA movie rating system is _not_ run by the government, nor is it even "suggested" by government...though I don't deny that the movie theater owners adopted the MPAA ratings to forestall talked-of government actions. But of course movies pass through the chokepoint of distribution, and time usually exists to rate them. Usenet posts would of course not fit this model.) >There's nothing inherently wrong with labelling information. When messages >here are labelled [NOISE], I know to avoid them. This sort of >meta-information is helpful and good. > >The precedent is what's troubling. Someone will probably try to mandate the >labels...Someone will try to write a law that says "Anyone who posts what I >consider offensive without a label is guilty."
This is what should be >fought...not labels. So deal with the hypothetical I gave: someone like me sets out to "nuke" the labelling system by deliberately mislabelling his posts! If you have labels but no means of stopping my actions, see what results. In any case, if people want to label their posts, fine. Personally, I find such simple labels as "NOISE" or "OBSCENITY" to be meaningless. Many of the most interesting posts have that stupid "NOISE" label attached, many of the most noisome posts don't. I see no agreed-upon labelling convention emerging. Fortunately. --Tim May Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From vingun at rgalex.com Thu Jan 25 12:18:16 1996 From: vingun at rgalex.com (Vincent S. Gunville) Date: Fri, 26 Jan 1996 04:18:16 +0800 Subject: Netscape and NNTP In-Reply-To: <199601250438.UAA26778@infinity.c2.org> Message-ID: <3107C9BF.1B31@rgalex.com> Stephen Albert wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > I've got a question that I feel like I *should* know the answer to, but don't. > > Say I configure Netscape to point through an open http proxy, and then connect t > an open NNTP server. I don't know much about how proxies work. Does the NNTP > connection go through the proxy or directly from my machine? As I understand it > if it does the first, then I don't have to worry about the NNTP server's log > file, if any. But if it does the second, I do. > > Am I in the ballpark here? 
> > ObCrypto: Not-readily-traceable posting with less hassle than a mail-to-news > gateway seems to have some privacy relevance, even if it's not directly crypto. There is a log file that stays on the server... specifically the newsrc it contains the news groups and the messages that were read. As far as posting netscape handles the mail by copying the letters that you send out into the file called outbox in the nsmail directory. need more info ask -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= |Vincent S. Gunville |Robbins-Gioia |209 Madison St Email vingun at rgalex.com |Alexandria, Va 22309 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- From tcmay at got.net Thu Jan 25 12:26:11 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 26 Jan 1996 04:26:11 +0800 Subject: PGP in Eudora and other mail programs Message-ID: At 2:13 PM 1/25/96, Clay Olbon II wrote: >Seriously, this just illustrates the idiocy of banning "hooks" in software. >How does one define a "hook"? Just providing source code could be defined >as providing a hook, since a good programmer could then modify it to do >crypto. Also, how about the various kits and tools used to integrate pgp >with pine, eudora, etc -- are these not "hooks"? And yet how many of these programs actually can transparently (automatically, push-button, etc.) support PGP? I've been a user of Eudora for several years, and have pressed for PGP hooks. The company, Qualcomm, once told me it was on their list of things to do, but.... A few years later, still no PGP-in-Eudora. One would think that this would be a powerful way of distinguishing their product from other mail packages. (I understand from this list that Eudora for Windows is now doing this much more automatically, that someone has a PGP-in-Eudora package. I don't think it was from Qualcomm, but I could be wrong. As a Macintosh version user, I'm hoping this comes to the Mac version as well.) Food for thought.
--Tim May Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From crypto at midex.com Thu Jan 25 12:33:48 1996 From: crypto at midex.com (Matt Miszewski) Date: Fri, 26 Jan 1996 04:33:48 +0800 Subject: Hack Java In-Reply-To: <199601240001.QAA25104@springbank.Eng.Sun.COM> Message-ID: On Tue, 23 Jan 1996, Benjamin Renaud wrote: > Yes. And if you also let an intruder in your house, have them sit at > your computer with your newborn child in the room and go on vacation, > things can get really, really nasty. I guess that wu-ftp never was distributed with security holes. Never heard of anyone distributing malicious lookalike packages. How many folks do you think downloaded the linux-JDK and use it without checking it out first. That takes care of the compiler. And distributing bad netscape or other browsers is child's play. So I guess your newborn is relevant. Stick to your belief that Java is secure because, darn it, it just would be hard for anyone to do bad things with it. Please. > > -- Benjamin > Java Products Group > Matt From shamrock at netcom.com Thu Jan 25 12:34:11 1996 From: shamrock at netcom.com (Lucky Green) Date: Fri, 26 Jan 1996 04:34:11 +0800 Subject: Lotus Notes Message-ID: At 20:02 1/23/96, JMKELSEY at delphi.com wrote: [...] >Now, I'm very interested in whether they thought about this as a >potential problem, and thus padded their LEAF intelligently, or left >themselves vulnerable to a dictionary-style attack on the LEAF.
>This translates, roughly, to "was someone with a basic understanding >of cryptography involved in this design?" Clearly, IBM has some >really good people, and I suspect Lotus did/does, as well. But were >they involved enough in the implementation to ensure that this was >done intelligently? You are assuming that they *want* the hole to be unpatchable. I see no reason why they should. "We tried our best, but these darn hackers found a way to enable full 64 bits. Sorry, but we tried." Perhaps the most intelligent thing to do was to keep the GAK subject to a simple patch. -- Lucky Green PGP encrypted mail preferred. From hallam at w3.org Thu Jan 25 12:56:03 1996 From: hallam at w3.org (hallam at w3.org) Date: Fri, 26 Jan 1996 04:56:03 +0800 Subject: PZ a Nazi? In-Reply-To: <199601230400.UAA29972@infinity.c2.org> Message-ID: <9601251903.AA12292@zorch.w3.org> >"Private communications between neo-Nazis on the network are >effected under a program called "Pretty Good Privacy", devised by >an American neo-Nazi sympathiser." Not to my knowledge. If the Sunday Times have screwed up here (as appears the case). PZ has hit the UK libel jackpot. The UK libel laws prevent a defendant from making practically any defense so even if PZ spent his afternoons walking around in an SS uniform it probably could not be admitted as evidence by the ST. So get your lawyers to put in a demand for damages PZ, should net you approx $5K plus apology. The Telegraph are unlikely to want to try to defend the case. Phill From weld at l0pht.com Thu Jan 25 12:56:52 1996 From: weld at l0pht.com (Weld Pond) Date: Fri, 26 Jan 1996 04:56:52 +0800 Subject: Crypto Exports, Europe, and Conspiracy Theories Message-ID: At 23:12 1/24/96, Michael Froomkin wrote: >If you are a government strategist, you might think, Why not make people >strictly liable for, e.g., any crimes planned with their remailers? And >make ISPs strictly liable for crimes planned or executed on their systems?

But if all traffic is required to be encrypted which is going through the remailer or ISP, how can they be liable for what they cannot possibly know? This will be the state of the net in a few years.

Can a courier be held liable for delivering encrypted documents that contained illegal information or were used in a crime? I don't think so. Only if he knew there was something illegal going on. How are remailers any different?

What about a car rental agency that rented a car to a criminal with bogus ID that is used to commit a crime. Was Ryder held liable for the Oklahoma bombing? No.

In these two situations, people are in business and profiting by providing a service that can be used to commit crimes. Shouldn't they be shut down too if remailers are. I don't know where the idea got started that the government has it within its power to make illegal any new technology that *can* and *is* used to commit crimes. It is a pretty scary one though.

Weld Pond - weld at l0pht.com - http://www.l0pht.com/
L 0 p h t H e a v y I n d u s t r i e s
Technical archives for the people - Bio/Electro/Crypto/Radio

From hallam at w3.org Thu Jan 25 13:03:16 1996
From: hallam at w3.org (hallam at w3.org)
Date: Fri, 26 Jan 1996 05:03:16 +0800
Subject: Zimmermann Telegram (crypto history)
In-Reply-To:
Message-ID: <9601251923.AA06625@zorch.w3.org>

>"Gentlemen do not read other gentlemen's mail"

Bzzt. This was said in the Thirties by the twit who closed down the Black Chamber.

The quote on the Z. telegram was "Why not give them California as well".

Phill

From rickt at psisa.com Thu Jan 25 13:09:28 1996
From: rickt at psisa.com (Rick Tait)
Date: Fri, 26 Jan 1996 05:09:28 +0800
Subject: Microsoft's CryptoAPI - thoughts?
Message-ID:

What does everyone think about this? Perhaps I already missed the boat, but I just found out about it. How would international apps work?
Would a data file encrypted with an app compiled with a US-only CSP (cryptographic service provider) be able to be loaded by a European equivalent app?

[Info can be found at: http://www.microsoft.com/intdev/inttech/cryptapi.htm]

--
rickt at psa.pencom.com egalitarian, philosopher, unix cowboy, '68 chevy pickup hacker

From tcmay at got.net Thu Jan 25 13:23:30 1996
From: tcmay at got.net (Timothy C. May)
Date: Fri, 26 Jan 1996 05:23:30 +0800
Subject: Crypto Exports, Europe, and Conspiracy Theories
Message-ID:

At 4:12 AM 1/25/96, Michael Froomkin wrote:
>On Wed, 24 Jan 1996, Timothy C. May wrote:
>[...]
>>
>> Specifically, I believe--though obviously cannot prove, given the nature of
>> time--that a cryptographically strong version of Netscape developed outside
>> the borders of the U.S. would not be freely importable into the U.S. I
>
>Nope. Nope. Nope. Nope. Donuts to dollars that it's freely importable.

First of all let me say that I take no offense at Michael's "Nope. Nope. Nope. Nope." opening. This is the kind of interesting debate we need to have!

But let me address a specific question first:

>> don't know what form such a law would take, to answer the point raised in
>> another post by Peter Junger. Nor am I saying either State or NSA passes
>> the laws...the ITARs have worked largely because they have never been
>> challenged; if they were to be successfully challenged and stricken, as
>> even some folks inside the NSA think is likely if tested in a proper case,
>> then a Four Horseman-scared Congress will likely step in with some
>> restrictions.
>[...]
>
>OK, Tim, what am I missing? How will Enhanced-crypto-Netscape match
>remailers for their ability to keep TLAs up at night?

Once one has good encrypted links, including access to a variety of offshore sites, remailers cannot be stopped.
The TLAs may not like them, and the courts may rule that a remailer site is strictly liable for misdeeds which impinge on its remailers (I'm not convinced this is so, but no matter), but what do U.S. courts have to say about Dutch remailer sites? What will the Fifth Circuit be able to do to hactic.nl? Or chains of remailers that pass through Norway, Japan, Estonia, Italy, and Lower Slobovia?

We've already got that with PGP, of course, so it's to some extent moot. All of the mentions recently about strong crypto built into Netscape, Mosaic, AOL, etc., have to do with the _popularity_ and _ease of use_ issues, not the existence proof. That is, having strong crypto built in to Netscape will not give us a capability we don't already have, just give it to more people and more conveniently.

Back to the issue of remailers and anonymous servers as choke points. I agree. These are the real threats to traffic analysis, which is of course why I have so emphasized them in my own writings for so many years!!

I take it as a given that no remailer services will operate for profit, publicly, and with support built in to Netscape, at least not openly and identifiably within the U.S....it is too controversial.

(I don't mean that most of the remailers are not U.S., now, I mean after the heat gets turned up, after the next "Oklahoma City bomber" is found to have been communicating with remailers! An awful lot of remailer sites will vanish overnight. In fact, evidence that remailers are being used may be manufactured.)

Fortunately, and I keep coming back to this, the beauty of PGP is that the encryption is in the text blocks within mailers, browsers, etc., and little or no hooks to external programs are needed.

(We often moan about this, and wish for PGP 3.0 or 4.0 to have all kinds of hooks, but there is a certain elegance about a text-block-centric program, with hooks made later on an ad hoc basis....it is so terribly difficult to control what's in a text block that suppression of PGP is very hard.)

--Tim May

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From froomkin at law.miami.edu Thu Jan 25 13:26:10 1996
From: froomkin at law.miami.edu (Michael Froomkin)
Date: Fri, 26 Jan 1996 05:26:10 +0800
Subject: Crypto Exports, Europe, and Conspiracy Theories
In-Reply-To:
Message-ID:

It's important to distinguish between what IS the law and what COULD BE the law. And to recall that I at least am not talking here about what SHOULD be the law.

On Thu, 25 Jan 1996, Weld Pond wrote:

> At 23:12 1/24/96, Michael Froomkin wrote:
>
> >If you are a government strategist, you might think, Why not make people
> >strictly liable for, e.g., any crimes planned with their remailers? And
> >make ISPs strictly liable for crimes planned or executed on their systems?
>
> But if all traffic is required to be encrypted which is going through the
> remailer or ISP, how can they be liable for what they cannot possibly
> know? This will be the state of the net in a few years.
>

It's called "strict liability" -- you are liable when you didn't know.
The economic justification is that you were in the best position to avoid the harm (either by doing some checking, or, in this case (they, not I, would say) not offering the service at all).

> Can a courier be held liable for delivering encrypted documents that
> contained illegal information or were used in a crime? I don't think so.

They are not now, but why couldn't they? E.g. tell couriers that they have a duty not to carry drugs, and must pass all packages by drug sniffing dogs? I don't think that's a good rule, but it's probably constitutional.

> Only if he knew there was something illegal going on. How are remailers
> any different?
>

They are not.

> What about a car rental agency that rented a car to a criminal with bogus
> ID that is used to commit a crime. Was Ryder held liable for the Oklahoma
> bombing? No

It wasn't but that's because we don't have that rule. The question is *could* they be?

.
>
> In these two situations, people are in business and profiting by
> providing a service that can be used to commit crimes. Shouldn't they be
> shut down too if remailers are. I don't know where the idea got started
> that the government has it within its power to make illegal any new
> technology that *can* and *is* used to commit crimes. It is a pretty
> scary one though.

No, we are not talking about "should" here. I, at least, am talking about "can they" not "should they".

A. Michael Froomkin        | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law |
U. Miami School of Law     | froomkin at law.miami.edu
P.O. Box 248087            | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's warm here.

From hallam at w3.org Thu Jan 25 13:30:27 1996
From: hallam at w3.org (hallam at w3.org)
Date: Fri, 26 Jan 1996 05:30:27 +0800
Subject: SS Obergruppenfuhrer Zimmermann (NOT!)
In-Reply-To:
Message-ID: <9601251918.AA11120@zorch.w3.org>

>Maybe this is common knowledge, but the name "Zimmermann" and crypto had
>another relationship, in World War I.
>If anybody knows more about this
>incident than my vague recollection of the famous "Zimmermann cipher" would
>you care to tell the story?

I think you mean Zimmermann Telegram. This was sent by the Germans to the Mexicans through the US Embassy in London and offered Mexico the return of Texas in return for entering the war on the German side.

The Brits were tapping the US cables as a matter of course and intercepted and decrypted the telegram. They could not show it to the US types saying it came from tapping their embassy so they broke into the German embassy in Mexico and pilfered another copy of the cipher in another code.

When the Americans were shown how easy it was to decrypt the German telegram they said "gosh how clever these guys are - no wonder they have an empire". MI5 then managed to get their contact person at the British Embassy in Washington to effectively supplant the official British Ambassador, setting up a US Intelligence service for the Americans, in the process practically becoming a member of the US cabinet. [As a footnote Ian Fleming enjoyed a similar position but with considerably less influence during WWII].

Now you see why uncle Sam is so nervous about Simon and Myself...

There is a good book about all this "For the President's Eyes Only".

Phill

From iagoldbe at calum.csclub.uwaterloo.ca Thu Jan 25 13:45:36 1996
From: iagoldbe at calum.csclub.uwaterloo.ca (Ian Goldberg)
Date: Fri, 26 Jan 1996 05:45:36 +0800
Subject: Crippled Notes export encryption
In-Reply-To:
Message-ID: <4e8k70$bje@calum.csclub.uwaterloo.ca>

In article <310612A1.69E7 at netscape.com>, Jeff Weinstein wrote:
> Another problem is that the government may consider any "help" provided
>to the foreign entity to be evidence of a conspiracy. When Eric Young
>released SSLEAY we got a call from someone in the State Department
>(probably some lackey paid for by the NSA) to find out if we provided
>him with any "help" in doing his implementation.
>Since he did it all
>on his own from the published spec and was able to test interoperability
>over the internet we were off the hook, but they seemed to be prepared
>to come down on us if we had "conspired" with him.
>

You don't have to go as far as calling it a conspiracy. Remember statement (5) that I posted yesterday:

(5) Performing a defense service on behalf of, or for the benefit of, a foreign person, whether in the United States or abroad.

If Netscape had "helped" Eric write SSLEAY, that would count as a defense service for the benefit of a foreign person. Section 120.9:

@ 120.9 -- Defense service.

Defense service means:

(1) The furnishing of assistance (including training) to foreign persons, whether in the United States or abroad in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing or use of defense articles; or

(2) The furnishing to foreign persons of any technical data controlled under this subchapter (see @ 120.10), whether in the United States or abroad.

- Ian

From koontz at MasPar.COM Thu Jan 25 13:47:22 1996
From: koontz at MasPar.COM (David G. Koontz)
Date: Fri, 26 Jan 1996 05:47:22 +0800
Subject: NSA advanced knowledge
Message-ID: <9601252014.AA03836@argosy.MasPar.COM>

In 1987 there were a series of papers given out as part of the package to CCEP vendors (or prospective vendors):

The Secure Data Network System: An Overview   (NSA)
By: Gary L. Tater
    Edmund G. Kerut

SDNS Products in the Type II Environment   (contains refer to 1987 paper)
John Linn
BBN Communications Corporation   (need for easy Key Management)
Cambridge, Massachusetts

SDNS Services and Architecture
Ruth Nelson
Electronic Defense Communications Directorate
GTE Government Systems Corporation
77 A Street
Needham, MA 02194

....

Key Management
--------------

The heart of SDNS is the Firefly keying system, which is based on public key encryption.
Each terminal has a unique Firefly key which is bound together with a non-forgeable certificate. The certificate identifies the terminal and specifies its security-relevant characteristics. Two SDNS terminals desiring to communicate exchange certificates and keying information (the Firefly exchange) and make access control decisions based on the identifying information. The exchange generates a traffic key which is unique to the two terminals and which is new for that key exchange. If communication is permissible, the terminals then negotiate the communications parameters for use of the traffic key.

...

SP4: A Transport Encapsulation Security Protocol
Dennis Branstad, National Bureau of Standards
Joy Dorman, Digital Equipment Corporation
Russell Housley, Xerox Corporation
James Randall, International Business Machines Corporation

Access Control Within SDNS
by Edward R. Sheehan
Analytics Incorporated
9821 Broken Land Parkway
Columbia, Maryland 21046

None of these contained any dates except the 1987 paper reference
------------------------------------------------------------------

This is the earliest reference I know of to government public key cryptography, and I was under the impression this was where the reference in Gus Simmons book came from.

From perry at piermont.com Thu Jan 25 13:49:06 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Fri, 26 Jan 1996 05:49:06 +0800
Subject: "Gentlemen do not read each other's mail"
Message-ID: <199601251947.OAA16586@jekyll.piermont.com>

Phill refers to the man who said "Gentlemen do not read each other's mail", (Henry L. Stimson) as a twit.

I highly disagree. In some ways I regard him as our patron saint (although the man was actually far from saintly and later as a member of the Roosevelt cabinet adopted an opposite policy of aggressive signals intelligence.)

Why is he our patron saint? He was a government official coming out against invasion of privacy. Isn't that what we are all after, in the end?
The reason we deploy cryptography is to assure privacy for all. We often refer to those who listen in on conversations (regardless of who they are) as, in some sense, our opposition. Therefore, is not Stimson's remark in closing down Yardley's "Black Chamber" to be praised rather than attacked?

Perry

From tcmay at got.net Thu Jan 25 13:52:46 1996
From: tcmay at got.net (Timothy C. May)
Date: Fri, 26 Jan 1996 05:52:46 +0800
Subject: Secrecy of NSA Affiliation
Message-ID:

At 5:55 PM 1/25/96, Rich Salz wrote:

>Up until recently (18-30 months ago) NSA employees were only allowed
>to identify themselves as employees of DoD. It was common knowledge,
>that unspecific references to Fort Meade meant NSA; and if you saw
>a P.O. from Procurement Office, Fort Meade, it meant the NSA was buying
>it.

When I attended Crypto '88, nearly 8 years ago, at least several of the NSA attendees had "National Security Agency" on their name badges. It may be that run-of-the-mill employees still maintain the fiction for public consumption that they are DOD employees, but such was not the case in 1988 at "Crypto."

(Recall the "NSA Employees Manual" which 2600 liberated, and which Grady Ward then redistributed. It had some tips, as I recall, on what employees should tell the curious.)

When I visited the D.C. area in early '91 or '92 (I forget which year it was), I stopped by Fort Meade to see the place. The sign out front prominently said "National Security Agency," complete with the NSA seal (an eagle lifting a hacker up in its talons).

Also, much other evidence points to the NSA having "gone public" much farther back in time than 18-30 months ago. Former DIRNSAs on the MacNeil-Lehrer Newshour were always introduced as former directors of the NSA. As early as the mid-80s, as I recollect. I think Bamford's book pretty much outed the name, though it was widely known before that, of course.

(I attended my freshman year of high school in Langley, VA.
Through the woods on one side of the school was CIA headquarters. At that time, 1967, it was still only labelled as something like "Department of Transportation Road Testing Facility." Everyone knew what it really was, of course. Rick Smith, on this list, was a classmate of mine and can attest to this. The CIA "went public" in the early 70s, the NSA in the early 80s, the NRO in the early 90s...I sense a pattern. This means the ultra-secret ERO (Extraterrestrial Research Organization) will be outed in the opening years of the next decade.)

--Tim May

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From warlord at MIT.EDU Thu Jan 25 14:07:49 1996
From: warlord at MIT.EDU (Derek Atkins)
Date: Fri, 26 Jan 1996 06:07:49 +0800
Subject: PGP in Eudora and other mail programs
In-Reply-To:
Message-ID: <199601252017.PAA26736@toxicwaste.media.mit.edu>

Tim,

> A few years later, still no PGP-in-Eudora. One would think that this would
> be a powerful way of distinguishing their product from other mail packages.

You clearly haven't looked very hard. I know that there exist (on MIT's server, I'm fairly sure) a set of applescripts which interface MacPGP 2.6.2 with MacEudora 1.5.1 (I think -- I'm not a Mac person so this may be the wrong Eudora version)

In any event, this integration _does_ exist, and I know it works (from people who have told me it works). I'm not sure how "seamless" it is, but supposedly it is fairly point-and-click-and-encrypt without requiring you to cut-and-paste.

Enjoy!

-derek

From aleph1 at dfw.net Thu Jan 25 14:07:57 1996
From: aleph1 at dfw.net (Aleph One)
Date: Fri, 26 Jan 1996 06:07:57 +0800
Subject: Bernie S. Sentencing
In-Reply-To: <199601251550.KAA08091@homeport.org>
Message-ID:

On Thu, 25 Jan 1996, Adam Shostack wrote:

> He also gave away one of the two clippers that he brought,
> which was destroyed with a small explosive device, showing the truth
> of the old saw about there being few problems not solvable with a
> suitable application of high explosives. :)

Just like to point out that it was me that blew the thing up. I'm still looking for anyone that took photos of it.

Aleph One / aleph1 at dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

From bea at algonet.se Thu Jan 25 14:39:49 1996
From: bea at algonet.se (Bjorn E. Andersson)
Date: Fri, 26 Jan 1996 06:39:49 +0800
Subject: PGP in Eudora and other mail programs
Message-ID:

At 11.54 96-01-25, Timothy C. May wrote:
>At 2:13 PM 1/25/96, Clay Olbon II wrote:
>
>>Seriously, this just illustrates the idiocy of banning "hooks" in software.
>>How does... [snip]
>
>And yet how many of these programs actually can transparently
>(automatically, push-button, etc.) support PGP? I've been a user of Eudora
>for several years, and have pressed for PGP hooks. The company, Qualcomm,
>once told me it was on their list of things to do, but....
>
>A few years later, still no PGP-in-Eudora. One would think that this would
>be a powerful way of distinguishing their product from other mail packages.
>
>(I understand from this list that Eudora for Windows is now doing this much
>more automatically, that someone has a PGP-in-Eudora package. I don't think
>it was from Qualcomm, but I could be wrong. As a Macintosh version user,
>I'm hoping this comes to the Mac version as well.)
>
>Food for thought.
>
>--Tim May

Why don't try Raif Naffah's MacPGP Control, now in version 1.0b2, version 1.0b3 soon to be released.
It covers whatever the Windoze interfaces does and actually they don't even play in the same league.

Bjorn A.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bjorn E. Andersson or
PGP key available at Public Key-servers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From fiasco at echo.sound.net Thu Jan 25 14:41:28 1996
From: fiasco at echo.sound.net (oO F145C0 Oo)
Date: Fri, 26 Jan 1996 06:41:28 +0800
Subject: V-chip?
Message-ID:

Apparently the US government is planning on starting up its V-chip program again, which will allow public/cable TV to be censored at will. What does everyone think about this ploy? And what's next? Chips in my radio, to prevent music, or a chip in my phone to make sure I don't call anyone bad? The V-chip is just as much a privacy/1st amendment violation as the clipper chip is/was. I believe the worst part of the V-chip plan, is to force all new TV's manufactured or imported to the US, to have this new chip. Could this chip even be part of a Chinese lottery?

......fiasco

From chiniet at pr.erau.edu Thu Jan 25 14:56:31 1996
From: chiniet at pr.erau.edu (Thomas Chiniewicz)
Date: Fri, 26 Jan 1996 06:56:31 +0800
Subject: TOP_tap
In-Reply-To: <9601251755.AA15764@sulphur.osf.org>
Message-ID:

On Thu, 25 Jan 1996, Rich Salz wrote:

> The NSA is a branch of the DOD.
>
> Up until recently (18-30 months ago) NSA employees were only allowed
> to identify themselves as employees of DoD. It was common knowledge,
> that unspecific references to Fort Meade meant NSA; and if you saw
> a P.O. from Procurement Office, Fort Meade, it meant the NSA was buying
> it.
> /r$
>
>

Isn't the NSA a branch of the CIA? And I thought the CIA and DOD were separate organizations or was that an incorrect assumption?

From trei at process.com Thu Jan 25 15:01:09 1996
From: trei at process.com (Peter Trei)
Date: Fri, 26 Jan 1996 07:01:09 +0800
Subject: Secrecy of NSA Affiliation
Message-ID: <9601252043.AA06648@toad.com>

Tim writes:

> Also, much other evidence points to the NSA having "gone public" much
> farther back in time than 18-30 months ago. Former DIRNSAs on the
> MacNeil-Lehrer Newshour were always introduced as former directors of the
> NSA. As early as the mid-80s, as I recollect. I think Bamford's book pretty
> much outed the name, though it was widely known before that, of course.

Datapoint: My 1967 HB copy of The Codebreakers discusses the agency, and includes a photo of the HQ.

Peter Trei
Senior Software Engineer
Purveyor Development Team
Process Software Corporation
http://www.process.com
trei at process.com

From Kevin.L.Prigge-2 at cis.umn.edu Thu Jan 25 15:03:18 1996
From: Kevin.L.Prigge-2 at cis.umn.edu (Kevin L Prigge)
Date: Fri, 26 Jan 1996 07:03:18 +0800
Subject: Secrecy of NSA Affiliation
In-Reply-To:
Message-ID: <3107db204068002@noc.cis.umn.edu>

Timothy C. May said:
>
> At 5:55 PM 1/25/96, Rich Salz wrote:
>
> >Up until recently (18-30 months ago) NSA employees were only allowed
> >to identify themselves as employees of DoD. It was common knowledge,
> >that unspecific references to Fort Meade meant NSA; and if you saw
> >a P.O. from Procurement Office, Fort Meade, it meant the NSA was buying
> >it.
>
> When I attended Crypto '88, nearly 8 years ago, at least several of the NSA
> attendees had "National Security Agency" on their name badges. It may be
> that run-of-the-mill employees still maintain the fiction for public
> consumption that they are DOD employees, but such was not the case in 1988
> at "Crypto."

At the RSA conference last week, there were approximately 10 people from the NSA. Only 2 of those were registered as DOD, the rest were NSA.
I mentioned this at lunch to a guy from the NSA, and he said that only oldtimers do the DOD identification anymore.

--
Kevin L. Prigge         |"Have you ever gotten tired of hearing those
UofM Central Computing  | ridiculous AT&T commercials claiming credit
email: klp at tc.umn.edu  | for things that don't even exist yet?
010010011101011001100010| You will." -Emmanuel Goldstein

From bruceab at teleport.com Thu Jan 25 15:31:43 1996
From: bruceab at teleport.com (Bruce Baugh)
Date: Fri, 26 Jan 1996 07:31:43 +0800
Subject: Remailer stats
Message-ID: <2.2.32.19960125205454.00681468@mail.teleport.com>

The following is the result of my own experiments, performed when a) I started noticing that my remailing times didn't seem to match the ping lists available and b) another local guy posted a format that seemed useful, so I swiped it.

I mailed through each of the remailers listed below ten times over the course of eight days (10 Jan 96 to 18 Jan 96) - posts went out spread across all hours of the day and night, to compensate for congestion at high-traffic times. (Insomnia's value as a research aid, coming soon to a major scientific journal.) Each post went through the remailer, to a nym server, back through the remailer, and then to me.

The trip time is the interval from the end of a posting session with Eudora and PPP connection to Teleport to the arrival of a message in my mailbox at Teleport. Times are given in hours and minutes. "Failure" means that I hadn't gotten a reply back within four days of posting it.

I anticipate doing this on a monthly basis, and would be delighted to hear from anyone else doing the same. Joel McNamara has raised the possibility of a net resource that would feed back the data for whatever region is closest to the inquirer, which sounds seriously cool to me.

REMAILER PERFORMANCE, MID-JANUARY

FAILURES  REMAILER                          AVG    MIN    MAX    NOTES
0         hroller at c2.org                 00:05  00:02  00:18
0         homer at rahul.net                00:06  00:03  00:14
0         hfinny at shell.portal.com        00:08  00:02  00:38
0         remailer at armadillo.com         00:09  00:06  00:12
0         hal at alumni.caltech.edu         00:09  00:02  00:24
0         remailer at utopia.hacktic.nl     00:19  00:03  01:20
0         mixmaster at vishnu.alias.net     00:56  00:23  02:38
0         remailer at valhalla.phoenix.net  01:35  00:20  05:49
0         mixmaster at remail.obscura.com   02:36  00:23  06:55
0         remailer at bi-node.zerberus.de   07:43  00:15  19:54
1         remailer at replay.com            00:31  00:13  01:14
2         remail at c2.org                  00:52  00:14  03:00
8         remailer at extropia.wimsey.com   01:46  01:19  02:13  [1]
8         mix at remail.gondolin.org        11:17  03:58  18:36
10        amnesia at chardos.connix.com     ?      ?      ?

[1] On the 19th or 20th, extropia.wimsey.com suddenly cleared backlog, and all my messages did go through. So I'll see how it does in February; looks like they had a week-long weirdness of some kind.

Comments welcome.

Bruce Baugh
bruceab at teleport.com
http://www.teleport.com/~bruceab

From alano at teleport.com Thu Jan 25 15:36:03 1996
From: alano at teleport.com (Alan Olsen)
Date: Fri, 26 Jan 1996 07:36:03 +0800
Subject: Netscape & open NNTP servers
Message-ID: <2.2.32.19960125085148.008bea88@mail.teleport.com>

At 09:23 PM 1/24/96 -0800, you wrote:

> I believe that it will use a SOCKS proxy if configured, but that
>NNTP will not use the HTTP proxy.

I am not certain about 2.x, but the 1.x would read mail through an NNTP proxy, but not post it. SOCKS would work, but not for the type of connection the poster was looking for...

In 1.2 and 1.22, the NNTP proxy was hidden in the netscape.ini file. (It was considered "broken" because you could not post to news.)

No good answers...

Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key
http://www.teleport.com/~alano/
"Is the operating system half NT or half full?"

From delznic at storm.net Thu Jan 25 15:48:18 1996
From: delznic at storm.net (Douglas F. Elznic)
Date: Fri, 26 Jan 1996 07:48:18 +0800
Subject: Secrecy of NSA Affiliation
Message-ID: <2.2.16.19960125211323.0ef75aae@terminus.storm.net>

At 12:35 PM 1/25/96 -0800, Timothy C. May wrote:
>At 5:55 PM 1/25/96, Rich Salz wrote:
>
>>Up until recently (18-30 months ago) NSA employees were only allowed
>>to identify themselves as employees of DoD. It was common knowledge,
>>that unspecific references to Fort Meade meant NSA; and if you saw
>>a P.O. from Procurement Office, Fort Meade, it meant the NSA was buying
>>it.
>
>When I attended Crypto '88, nearly 8 years ago, at least several of the NSA
>attendees had "National Security Agency" on their name badges. It may be
>that run-of-the-mill employees still maintain the fiction for public
>consumption that they are DOD employees, but such was not the case in 1988
>at "Crypto."
>
>(Recall the "NSA Employees Manual" which 2600 liberated, and which Grady
>Ward then redistributed. It had some tips, as I recall, on what employees
>should tell the curious.)
>
>When I visited the D.C. area in early '91 or '92 (I forget which year it
>was), I stopped by Fort Meade to see the place. The sign out front
>prominently said "National Security Agency," complete with the NSA seal (an
>eagle lifting a hacker up in its talons).
>
>Also, much other evidence points to the NSA having "gone public" much
>farther back in time than 18-30 months ago. Former DIRNSAs on the
>MacNeil-Lehrer Newshour were always introduced as former directors of the
>NSA. As early as the mid-80s, as I recollect. I think Bamford's book pretty
>much outed the name, though it was widely known before that, of course.
>
>(I attended my freshman year of high school in Langley, VA. Through the
>woods on one side of the school was CIA headquarters. At that time, 1967,
>it was still only labelled as something like "Department of Transportation
>Road Testing Facility."
>Everyone knew what it really was, of course. Rick
>Smith, on this list, was a classmate of mine and can attest to this. The
>CIA "went public" in the early 70s, the NSA in the early 80s, the NRO in
>the early 90s...I sense a pattern. This means the ultra-secret ERO
>(Extraterrestrial Research Organization) will be outed in the opening years
>of the next decade.)
>
>--Tim May
>
>
>Boycott espionage-enabled software!
>We got computers, we're tapping phone lines, we know that that ain't allowed.
>---------:---------:---------:---------:---------:---------:---------:----
>Timothy C. May | Crypto Anarchy: encryption, digital money,
>tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
>W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
>Higher Power: 2^756839 - 1 | black markets, collapse of governments.
>"National borders aren't even speed bumps on the information superhighway."
>

Phrack actually published the manual. I have a local copy if anyone is interested.

--
==================Douglas Elznic===================
delznic at storm.net
http://www.vcomm.net/~delznic/
(315)682-5489 (315)682-1647
4877 Firethorn Circle Manlius, NY 13104
"Challenge the system, question the rules."
===================================================
PGP key available: http://www.vcomm.net/~delznic/pgpkey.asc
PGP Fingerprint: 68 6F 89 F6 F0 58 AE 22 14 8A 31 2A E5 5C FD A5
===================================================

From tcmay at got.net Thu Jan 25 15:53:15 1996
From: tcmay at got.net (Timothy C. May)
Date: Fri, 26 Jan 1996 07:53:15 +0800
Subject: Guilt by Association?
Message-ID:

At 2:49 AM 1/25/96, Alan Olsen wrote:

>This is a problem with the web of trust in general. It is known as "Guilt
>by Association".
>
>Person X commits treasonable act A. All of the persons who are signed on to
>his key could be considered to be co-conspirators. The same applies to
>nyms.
The difficulty with prosecuting nyms is finding the link to the real >world individual. Anyone associated with him/her/it will be considered to >be guilty by reason of key signage or a way of determining who the real >person is... .... >I guess we are stuck with the "Web of Guilt"... Although I disagree with many things the U.S. government has declared unlawful, and think we are on the wrong track in many ways, I don't see any evidence for a "web of guilt." I could have signed the keys of Timothy McVeigh, O.J. Simpson, and Hilary Clinton, and yet this would not cause any prosecutor to indict me, per se. (Brian Davis, do you disagree?) Obviously if one of these persons I was known to have associated with, to the point of signing their keys, were under investigation, then some detectives might follow up some leads to find out who I was. This is ordinary detective work, not guilt by association. Key-signing is overrated, in my view. It is just an affidavit from someone that they think a person is related to a key. I've signed a few keys (not many, and don't ask me to!), and I've never once asked for any form of state-sanctioned ID. --Tim May Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From prm-ml at rome.isl.sri.com Thu Jan 25 16:18:07 1996 From: prm-ml at rome.isl.sri.com (Philip R. 
Moyer) Date: Fri, 26 Jan 1996 08:18:07 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: <199601251947.OAA16586@jekyll.piermont.com> Message-ID: <9601252133.AA08399@toad.com> -----BEGIN PGP SIGNED MESSAGE----- Perry writes: > Why is he our patron saint? He was a government official coming out > against invasion of privacy. Isn't that what we are all after, in the > end? The reason we deploy cryptography is to assure privacy for > all. We often refer to those who listen in on conversations > (regardless of who they are) as, in some sense, our > opposition. Therefore, is not Stimson's remark in closing down > Yardley's "Black Chamber" to be praised rather than attacked? At the risk of sounding like an NSA apologist, I have to take issue with Perry's position on this matter. I see a distinct difference between broad monitoring of a nation's citizens and focused signals intelligence gathering in support of national security. The Black Chamber was not out to subvert the national communications infrastructure, or prevent citizens from obtaining or developing cryptographic tools. The Black Chamber was there to cryptanalyze traffic from _governments_. In other words, I see a distinction between Intelligence activities and Law Enforcement activities. Yes, I recognize that there is a gray area where the two overlap; I believe, however, that signals intelligence is still a necessary evil in the global environment. Just saying, "Oh heck, we don't some of the things the NSA does," and dismantling it is a bit unrealistic, isn't it? 
Cheers, Phil -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMQf3cX6yjLZHwr45AQGokQQApYsv5k1xY7AiMga30+NEPfdogSkIyoQj 8F1b9ZWCqUP7WIdjXUUVttQkpzlm2+v3NMMKp3sbsyLgf/sA+5sqO/S4C1HrKYdv UbqvnwpxDQpwZxPvsoV7exTqvWrvSj4sNl3Ea09OxcJUVVzwnEgZBKupLW63Ju60 nQ3A8x9qK5I= =Nbyu -----END PGP SIGNATURE----- From crypto at midex.com Thu Jan 25 16:23:47 1996 From: crypto at midex.com (Matt Miszewski) Date: Fri, 26 Jan 1996 08:23:47 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: <199601251947.OAA16586@jekyll.piermont.com> Message-ID: On Thu, 25 Jan 1996, Perry E. Metzger wrote: > > Phill refers to the man who said "Gentlemen do not read each other's > mail", (Henry L. Stimson) as a twit. > > I highly disagree. In some ways I regard him as our patron saint > (although the man was actually far from saintly and later as a member > of the Roosevelt cabinet adopted an opposite policy of aggressive > signals intelligence.) > > Why is he our patron saint? He was a government official coming out > against invasion of privacy. Isn't that what we are all after, in the > end? The reason we deploy cryptography is to assure privacy for > all. We often refer to those who listen in on conversations > (regardless of who they are) as, in some sense, our > opposition. Therefore, is not Stimson's remark in closing down > Yardley's "Black Chamber" to be praised rather than attacked? The crypto relevance of this post is tenuous at best :-). Please keep your comments to relevant code or technical discussions of crypto. This is *not* patronSaintPunks! Come on! For the humor impaired *this is a joke*. Not flame bait. Just trying to get Perry to lighten up a bit. > > Perry > Matt From perry at piermont.com Thu Jan 25 16:31:43 1996 From: perry at piermont.com (Perry E. 
Metzger) Date: Fri, 26 Jan 1996 08:31:43 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: <9601252108.AA13595@zorch.w3.org> Message-ID: <199601252139.QAA16761@jekyll.piermont.com> hallam at w3.org writes: > There is a considerable difference between running a government and > being an individual. It is not merely ethical for one government to > read another's mail, it is a duty. I am a funny sort of person. I don't believe that governments should be able to do anything that individuals cannot. If it is bad for me to steal, it is also bad for a government official to steal. If it is bad for me to listen in on my neighbor's phone calls, it is bad for the government, too. I have no evidence that becoming a member of a government agency grants one absolution from sin. By my book, murdering, invading privacy, and all the rest are bad, and I see no reason to expect that just because you've been "ordered" to do them they become good. > By not taking adequate steps to inform itself of the Japanese > intentions the US suffered the loss of a substantial part of the US > fleet at Pearl Harbour. Had sufficient resources been available the > naval codes could have been cracked in time. I suspect that mass surveillance of the entire U.S. population by the government could in fact dramatically reduce crime. Should we do it? I suspect that I could substantially improve my position in life by listening in on other people's phone calls and reading their mail. I might even be able to stop crimes directed against my person by doing so. Should I do it? I do not mean to pretend that there is an absolute ethics. I merely claim that I do not find in my mind an easy distinction between the acts of a government official under color of authority and the acts of any other individual. Perry From jlasser at rwd.goucher.edu Thu Jan 25 16:32:12 1996 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Fri, 26 Jan 1996 08:32:12 +0800 Subject: V-chip?
In-Reply-To: <65534.297195739@va.arca.com> Message-ID: On 25 Jan 1996, Jeff Williams wrote: > Tim May writes: > > > Anyone telling me I have to rate my work, or submit it to a ratings agency, > > is aggressing against me. Now, if others rate my work (which is already > > happening with digest services such as "CP-Lite"), this is their business, > > not mine. But the V-Chip precedent is a precedent for the government to > > insist that all sorts of content be rated. This should be fought in a free > > society. > > But what if they *ask* you nicely to label your work? > > "If you think your message is offensive, violent, or racist, > would you please consider labelling it?" > > I don't think I'd mind. In fact, *optional* labels would make me more likely > to post such material, because I'd have some confidence that it would only be > read by people who want to read it. (And they could even find it more > quickly!) [...commentary on labeling deleted...] The problem is that labeling which begins as voluntary often has other consequences... for example, the voluntary labeling in the music industry. Although it's voluntary labeling, one state (Washington, I believe) at one point nearly passed (or possibly did pass - I can't remember) legislation making it illegal to sell labeled albums to minors. The label itself, of course, was still voluntary. I'm not opposed to *truly* and *permanently* voluntary labeling; I'm just afraid of such labeling becoming permanent and mandatory... Jon ------------------------------------------------------------------------------ Jon Lasser (410)494-3072 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key.
From frissell at panix.com Thu Jan 25 16:37:25 1996 From: frissell at panix.com (Duncan Frissell) Date: Fri, 26 Jan 1996 08:37:25 +0800 Subject: Crypto Exports, Europe, and Conspiracy Theories Message-ID: <2.2.32.19960125213709.006da5ec@panix.com> At 02:58 PM 1/25/96 -0500, Michael Froomkin wrote: >It's called "strict liability" -- you are liable when you didn't know. >The economic justification is that you were in the best position to avoid >the harm (either by doing some checking, or, in this case (they, not I, >would say) not offering the service at all. Vague memories of Law School... Doesn't strict liability apply to "inherently dangerous activities." Like using explosives to demolish buildings or something. Is carrying message traffic an inherently dangerous activity? Any strict liability situations today not involving inherently dangerous activity? I suppose having disposed of waste in a "Superfund Site" leads to automatic liability but does not necessarily involve an inherently dangerous activity. Is this a "strict liability" situation? I'm trying to think of other sorts of examples. DCF "If we're so poor these days, why do we have more of everything?" From vznuri at netcom.com Thu Jan 25 16:41:15 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Fri, 26 Jan 1996 08:41:15 +0800 Subject: RANT: cypherpunks do NSA's job for them!! In-Reply-To: Message-ID: <199601252144.NAA27728@netcom22.netcom.com> TCM wrote a long post about how the ITAR tends to prevent just about any kind of crypto software and hardware development, and that even importing crypto into the U.S. is likely to be outlawed if not already illegal. but I think this whole line of complex thinking and pontificating is really yucky, and it embarrasses and exasperates me to see it here of all places, and from TCM of all people. it really bugs me how much cypherpunks try to point out the "gotchas" in all the laws with crypto. 
when we become *experts* on these laws, and tell people why they prevent them from doing various things, we are actually *supporting* them. that is the ultimate test of legitimacy: what do you do when you hear someone wants to do something that would seem to "break a law"? when you tell them that "what you are doing breaks the law", you are implicitly revealing that *you*support*that*law*. the way to *not*support*a*law* is *not* to play these games. not to second guess what the NSA is doing, how they would react to some situation, etc. not to point out what you think they would do if someone violated their list of "naughty no-nos" the NSA benefits from the *perceived* straightjacket. the NSA succeeds by creating a *perception* of restriction, regardless of enforcement. you *perpetuate* this perception by keeping a handy list of all the ways that crypto software and hardware development is *impossible* and repeatedly rebroadcasting it to your friends and public forums like this. the NSA *loses* through public confrontation, which focuses the spotlight on the atrociousness of their agenda. isn't this list the first place that people should say and emphasize, THE LAWS ARE NOT EXACT. THERE IS ROOM FOR MANEUVERING. PEOPLE SHOULD CHALLENGE THEM IN COURT. we are *not* breaking the law or encouraging breaking the law in saying this. we are *challenging* the law. we are saying, "no matter what law is passed, the ultimate test of legitimacy of any law is whether it is supported by our judicial system. many NSA 'laws' have *never* been tested, and therefore they are *all* suspect!! we *encourage* people to challenge them, and do a noble service for our country in clarifying what the laws *really* are!!" do you think these ITAR laws are legitimate, or not? if they are *not*, then why do you *treat*them*as*such???? the ridiculous debate about whether the 4 line perl code was illegal or legal was PLAYING INTO THE HANDS OF THE NSA. 
the NSA *wants* people to think twice every time they write a modulo function, and all the endless legal pontificating on this list is a gift from heaven to them. what *really* exasperates me is TCM saying that "even importing code is likely to be illegal, because if it is legal now it is likely to be outlawed". well, WHO SAYS?? this is a *beautiful* example of a place where some REAL CYPHERPUNKS WITH SOME BALLS could challenge the government, and possibly get the support of some strong allies (EFF, business interested in crypto such as Netscape, Microsoft, Lotus, etc) if they were challenged in court. this is a *perfect* opportunity for someone to import the crypto, and get it into the market-- don't you see that the government would then be put at a *disadvantage* *even*if* they decided they were against it and tried to introduce bills-- it would get the publicity of newspapers and the focus of people watching congress do something that has been done in the shadows by the NSA for so long (and one of the main reasons they have gotten away with it). imagine the brilliant "photo opportunity" of customs agents trying to stop someone at an airport because of them taking in computer disks!!! there is a line of thinking here that goes, "keep your head down, and don't challenge anything that even *might* be illegal". but I tell you that is NOT how odious laws are removed. that is exactly how they are PERPETUATED. we *win* through major public confrontation over crypto issues. are we *ashamed* because we want strong crypto? is it something to *hide*?? what TCM's whole essay epitomizes is the *exact*chilling*effect* that the NSA is aiming for. all this debate about what the current laws actually allow *begs*the*point* and does not support our agenda for the spread of crypto, and in fact is detrimental to it. 
instead, we need to broadcast to the world the message "its a gray area, and we cypherpunks are *dying* for someone to challenge this in court, we would actually lend them our support and rally around them as we did with PRZ". ok, now someone is going to say, OK wiseguy, why don't YOU do it. that is not my point. my point is that we merely need to get the message that even though many cpunks are spineless sheep who don't have the balls to challenge the laws themselves, or even suggest this in public, instead endlessly yammering about what is 100% kosher and what isn't (you don't have to say that part (g), ... "we would support someone who challenges these laws!!!" the idea that MS signing a cryptographic package from outside this country constitutes EXPORT OF AN ALGORITHM is OUTRAGEOUS. of course you agree with me, but the way to demonstrate you agree is to not put up with it. DEFY any bogus law that you think is bogus!! the test of the legitimacy of a law is our *court*system*, not what government bureacrats tell you to do!! and every day that someone listens to a government bureacrat, and not *what*a*court*thinks*, a little bit of our precious freedom is eroded. what scares and infuriates me is that by the NSA's standards, the cypherpunks turn out to me some of the most "law abiding" citizens regarding crypto than anyone else in the entire country...!!! maybe TCM, who in this case imho is part of the PROBLEM and not part of the SOLUTION, and an example of how our own behavior is sabotaging our key goals, will think twice when he writes another *sskissing, tedious "what the NSA thinks about [x]" post. this ends my semi-periodic rant-of-the-moment. we return you to your regular listless dialogue. 
From hallam at w3.org Thu Jan 25 16:44:30 1996 From: hallam at w3.org (hallam at w3.org) Date: Fri, 26 Jan 1996 08:44:30 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: <199601251947.OAA16586@jekyll.piermont.com> Message-ID: <9601252108.AA13595@zorch.w3.org> >Why is he our patron saint? He was a government official coming out >against invasion of privacy. Isn't that what we are all after, in the >end? There is a considerable difference between running a government and being an individual. It is not merely ethical for one government to read another's mail, it is a duty. By not taking adequate steps to inform itself of the Japanese intentions the US suffered the loss of a substantial part of the US fleet at Pearl Harbour. Had sufficient resources been available the naval codes could have been cracked in time. The closure of the Black chamber was a key reason why US espionage efforts were inadequate at the start of WWII. Given the choice between the US Army and the CIA plus NSA I would choose the latter any day. The military hardware is useless without intelligence operatives. Unless Perry is advocating an absolutist pacifist stance I don't see that his stance is credible. I don't know many pacifists who oppose intelligence gathering. Diplomatic traffic has always been considered fair game. Long may it remain so. Phill From tallpaul at pipeline.com Thu Jan 25 16:50:13 1996 From: tallpaul at pipeline.com (tallpaul) Date: Fri, 26 Jan 1996 08:50:13 +0800 Subject: PGP in Eudora and other mail programs Message-ID: <199601252003.PAA08322@pipe6.nyc.pipeline.com> On Jan 25, 1996 11:54:46, 'tcmay at got.net (Timothy C. May)' wrote: > >(I understand from this list that Eudora for Windows is now doing this much >more automatically, that someone has a PGP-in-Eudora package. I don't think >it was from Qualcomm, but I could be wrong. As a Macintosh version user, >I'm hoping this comes to the Mac version as well.)
> [REPOSTED FROM ALT.PRIVACY.ANON-SERVER] > >John Doe is a Windows program that makes creating and >operating a Nymserver account a *lot* easier > >A Nymserver allows you to: > >* Create an address of the form your-choice at alpha.c2.org >* Cannot easily be traced back to you >* Your Internet Service provider cannot snoop on you >* Can post to Usenet and Mailing Lists >* Your correspondents do not need to do anything special >* Can receive replies addressed to your pseudonym > >These facilities have been available for some time but >John Doe simplifies operation. > >This is a "try before you buy" version expiring 30 days >after installation. The registered version is only 15 >pounds (UK) that's about $25 (US) > >More information and a download are available on: > >http://www.compulink.co.uk/~net-services/jd.htm > >Steve Harris - Net Services > I then posted to alt.privacy.anon-server the following preliminary review: I downloaded a trial version of John-Doe and have been playing with it for a day. Herewith my initial impressions of it: Downloading it from the source: as described. easy. Performing basic installation on my hard disk: essentially automated. should not trouble or even hassle anyone with even a marginal knowledge of Windows. Performing installation as WinsockApp in my Pipeline e-mail software: moderately easy to impossible. Pipeline uses an odd e-mail system that automatically fills an empty SUBJECT field with the phrase "[NO SUBJECT]" that jams everything and caused every test message I sent to bounce back to me. However, I then downloaded a copy of Eudora Light to use with John-Doe. This seems to be working. I really hated the need to do this and the extra hassle but it is not a specific bug in John-Doe. (On the other hand Steve, since installation programs are constantly being improved even to deal with other company's brain-damaged software ... Hint, hint, hint...) Does it work as Steve says: as far as I can tell, yes. 
Overall impressions (very preliminary): John-Doe is a classical example of how elite technology pulls mass technology in its wake. PZ developed PGP and got it widely out, even if the command line structure kept most people from learning it. Then other people (penet not included here) developed Mixmaster etc. tech that worked well but was so complex that only an estimated 500 people worldwide could use it. Then other people developed front ends for PGP etc., like PGPSH and Private Idaho. Finally, people like Steve develop real front ends for the complex tech that puts the ability to use the previously elite tech in the hands of people who want the earlier complexity to disappear. I suspect that John-Doe will go through the normal new-product cycle -- discovery of bugs, slight improvements, and then better integration of user needs. Ultimately, as the product matures, I think that Steve's John Doe will be seen as a revolutionary development in privacy equal to (in a far less technical but more end-user way) PZ's original PGP. -- tallpaul "To understand the probable outcome of the Libertarian vision, see any cyberpunk B movie wherein thousands of diseased, desparate and starving families sit around on ratty old couches on the streets watching television while rich megalomaniacs appropriate their body parts for their personal physical immortality." R. U. Sirius _The Real Cyberpunk Fakebook_ From dneal at electrotex.com Thu Jan 25 16:51:57 1996 From: dneal at electrotex.com (David Neal) Date: Fri, 26 Jan 1996 08:51:57 +0800 Subject: another thought about random numbers Message-ID: <199601252102.PAA26495@etex.electrotex.com> > Date: Wed, 24 Jan 1996 18:58:27 -0800 > To: cypherpunks at toad.com > From: "Erik E. 
Fair" (Time Keeper) > Subject: another thought about random numbers > While musing over a roulette table, and noticing the preponderance of > electronic games in the various Casinos in Stateline, NV, a thought > occurred: does anyone know what sorts of random number generators those > electronic games use, and how (if at all) they are measured and regulated by > the Nevada Gaming Commission? They might have something to teach us. > > Erik Fair I cannot speak for what algorithms are used in the devices, but someone made a low-tech analysis and hack for these machines a while back. He noticed that a certain brand of keno machine reseeded its random number generator with a constant each time power to the machine was lost. Unfortunately he hit the same casino three times (the stainless steel rat says always be prepared to walk away no matter how much is at stake to steal again another day) and he was forced to divulge his method. The machines were consequently fixed. I doubt those machines use crypto strength RNGs because who is going to spend the time, energy and money to hack a .25c slot machine? The payout is too small. For an excellent real-world example of this try 'The Eudaemonicus Pie.' Briefly, it's a book about people who successfully hacked roulette machines but at a net loss because of all the time and energy spent developing their technique. > > From ses at tipper.oit.unc.edu Thu Jan 25 17:05:49 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Fri, 26 Jan 1996 09:05:49 +0800 Subject: mouse droppings In-Reply-To: <199601251757.LAA01686@proust.suba.com> Message-ID: On Thu, 25 Jan 1996, Alex Strasheim wrote: > > Is Mr. Irving one of the people responsible for the recent positive > statements coming out of Commerce? In general the whole Commerce team is pretty good on this; their goal in life is to help US companies sell stuff; it's State and defense that are interested in controlling exports.
Ron Brown has a top-notch team, and he's one of the best politicians (in the good sense) in the country today, and is willing to really fight for the interests of Commerce. Of course, the downside shows in the ethics questions (sigh) Of course, State tends to treat arms sales the way other departments treat logoes boxes of chocolates, to be given away as parting gifts make guests feel welcome. F-15Es to the Saudis? Kind of like giving F-4s to the Shah. From frantz at netcom.com Thu Jan 25 17:06:48 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 26 Jan 1996 09:06:48 +0800 Subject: "This post is G-Rated" Message-ID: <199601252156.NAA28375@netcom6.netcom.com> ... Discussion of rating systems elided. Does anyone have suggestions for achieving the goals of the V-Chip with many non-governmental rating agencies? It seems to me that empowering parents would head off the TV/Internet censors. Any parent who was interested in acting as a censor for their children's TV/Internet would be happy to pay an extra $20 or so for the technical means to achieve that goal. The big problem is how are the labels attached to the programs. I agree with Tim that it is probably impossible for individual Usenet postings. However it should be possible for TV programs, and whole newsgroups. BTW - I think that such hardware/software is a wonderful way to train hackers. Most of the teenagers I know, know more about their home electronics than their parents do. And the teenagers RTFM. Bill From shamrock at netcom.com Thu Jan 25 17:15:23 1996 From: shamrock at netcom.com (Lucky Green) Date: Fri, 26 Jan 1996 09:15:23 +0800 Subject: PGP in Eudora and other mail programs Message-ID: At 11:54 1/25/96, Timothy C. May wrote: >(I understand from this list that Eudora for Windows is now doing this much >more automatically, that someone has a PGP-in-Eudora package. I don't think >it was from Qualcomm, but I could be wrong. As a Macintosh version user, >I'm hoping this comes to the Mac version as well.)
There exist two Eudora/PGP packets. The MacPGP Kit and MacPGP Control. I'd use MacPGP Control. Just do a search for it. -- Lucky Green PGP encrypted mail preferred. From fstuart at vetmed.auburn.edu Thu Jan 25 17:16:58 1996 From: fstuart at vetmed.auburn.edu (Frank Stuart) Date: Fri, 26 Jan 1996 09:16:58 +0800 Subject: another thought about random numbers Message-ID: <199601252156.PAA17976@snoopy.vetmed.auburn.edu> >While musing over a roulette table, and noticing the preponderence of >electronic games in the various Casinos in Stateline, NV, a thought >occurred: does anyone know what sorts of random number generators those >electronic games use, and how (if at all) they are measured and regulated >by the Nevada Gaming Commission? They might have something to teach us. I don't have a reference, I'm afraid, but I think I remember hearing about someone using past keno numbers to predict future ones. When they correctly guessed all the numbers twice in a row, casino officials stopped the game and were reluctant to pay (though, I think they eventually did). Assuming I didn't dream the whole thing, it seems like it wasn't in Nevada... possibly on an Indian reservation? I think it happened 6 months to a year ago. I'm sorry I can't be more specific. | (Douglas) Hofstadter's Law: Frank Stuart | It always takes longer than you expect, even fstuart at vetmed.auburn.edu | when you take into account Hofstadter's Law. From frantz at netcom.com Thu Jan 25 17:18:03 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 26 Jan 1996 09:18:03 +0800 Subject: TOP_tap Message-ID: <199601252156.NAA28359@netcom6.netcom.com> At 12:55 PM 1/25/96 -0500, Rich Salz wrote: >Up until recently (18-30 months ago) NSA employees were only allowed >to identify themselves as employees of DoD. It was common knowledge, >that unspecific references to Fort Meade meant NSA; and if you saw >a P.O. from Procurement Office, Fort Meade, it meant the NSA was buying >it. 
Back in the dark ages (I think early 1980s), I attended a Symposium on Operating System Princples at Asilomar, California. My luck-of-the-draw room mate was wearing a badge which proclaimed that he was from NSA, Fort Mead, MD. A story of California hippy meets US-DOD. Bill From ses at tipper.oit.unc.edu Thu Jan 25 17:21:58 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Fri, 26 Jan 1996 09:21:58 +0800 Subject: TOP_tap In-Reply-To: <199601252156.NAA28359@netcom6.netcom.com> Message-ID: On Thu, 25 Jan 1996, Bill Frantz wrote: > > Back in the dark ages (I think early 1980s), I attended a Symposium on > Operating System Princples at Asilomar, California. My luck-of-the-draw > room mate was wearing a badge which proclaimed that he was from NSA, Fort > Mead, MD. A story of California hippy meets US-DOD. > I kinda feel sorry for the NSA staffers sometimes - they're basically a bunch of computer geeks and math whizs who don't get to wear jeans and T-shirts From shamrock at netcom.com Thu Jan 25 17:29:44 1996 From: shamrock at netcom.com (Lucky Green) Date: Fri, 26 Jan 1996 09:29:44 +0800 Subject: Crypto Exports, Europe, and Conspiracy Theories Message-ID: At 13:41 1/25/96, Weld Pond wrote: >But if all traffic is required to be encrypted which is going through the >remailer or ISP, how can they be liable for what they cannot possibly >know? This will be the state of the net in a few years. > >Can a courier be held liable for delivering encrypted documents that >contained illegal information or were used in a crime? I don't think so. >Only if he knew there was something illegal going on. How are remailers >any different? But it will be assumed that the remailer operator knew that his site was to be used for illegal purposes. >What about a car rental agency that rented a car to a criminal with bogus >ID that is used to commit a crime. Was Ryder held liable for the Oklahoma >bombing? No. 
In the view of the authorities, the benefits to society provided by rental car agencies outweigh their dangers. The opinon on remailers will be just the opposite. That's why rental car agencies will remain legal, while remailers will be outlawed. -- Lucky Green PGP encrypted mail preferred. From attila at primenet.com Thu Jan 25 17:31:23 1996 From: attila at primenet.com (attila) Date: Fri, 26 Jan 1996 09:31:23 +0800 Subject: [NOISE] are you a liberal? Re: SS Obergruppenfuhrer Zimmermann (NOT!) In-Reply-To: Message-ID: gee, Alan, maybe I was a bit hasty calling you a liberal! but at least your friends got a laugh out of it. they say as you get older, you are supposed to mellow... Tim --any comment, are you more or less irrascable? I know my answer! looks like the Telegraph is retracting the stories in a big way, including the possibility PRZ may be a hero for freedom! This is a contest: 1. "The Constitution is not a law, but it empowers the people to make laws.... The Constitution tells us what shall not be a lawful tender.... The legislature has ceded up to us the privilege of enacting laws as are not in consistent with the Constitution of the United States.... The different states, and even Congress itself, have passed many laws diametrically contrary to the Constitution of the United States. "...Shall we be such fools as to be governed by its laws, which are unconstitutional? No! ...The Constitution acknowledges that the people have all the power not reserved to itself. I am a lawyer, a big lawyer and comprehend heaven, earth, and hell, to bring forth knowledge that shall cover up all lawyers, doctors and other big bodies. This is the doctrine of the Constitution, so help me God. The Constitution is not law to us, but it makes provisions for us whereby we can make laws. Where it provides that no one shall be hindered from worshipping God according to his own conscience, is a law. No legislature can enact a law to prohibit it. 
The Constitution provides to regulate bodies of men and not individuals." 2. "If we have to give up our chartered rights, privileges, and freedom, which our fathers fought, bled, and died for, and which the constittion of the United States and of this state guarantee unto us, we will do so only at the point of the sword and the bayonet." !!! the test: who said this, and when, and where is it referenced? I haven't figured out a prize, but maybe a character mode face --how about Bubba? or even better yet, King Hillary, standing up to give the oath before Congress tomorrow --do you think she will finish the oath as written: "So help me God" -? too bad I do not even own a television (snake oil makes me break out in hives); Hillary should be great as my money says she will still lie --until she learns that the only way of not trapping yourself in contradictions eventually means your tell the truth On Tue, 23 Jan 1996, Alan Horowitz wrote: > The reporter's slander against Zimmerman was not accidental, or the > result of ignorance. Calling someone a Naxi sympathizer is not something > that one should do without a smoking gun. > I agree, except the press forgets rights in favour of scandal which means money, and money begets money (advertisers). > This act of aggression against cypherpunks, attempts to box us into a > corner. Our enemies want to keep us on the defensive. In that context, > any and all energy we spend on "educating" and "correcting" is > self-defeating. The hoplophobe lobby has shown, that enemies of freedom > will not permit themselves to be "corrected". They will merely escalate > the rate and size of their lies. Before slanders about "cop-killer > bullets" could be corrected, they had moved onto "assault weapons". > > We need to find a way to take back the initiative. We need to find a way > to put the fear of God into liers. Violence won't work, since they are > capable of human-wave attacks. 
> > I honestly don't know what reporters and editors fear the most. But, even a > snake can be trained, if you can pinpoint the proper negative feedback. > advertising dollars going down the drain. litigation, even if frivolous against corporate advertisers for supporting falsehoods and innuendos which will destroy the american way of life. Stockholder lawsuits are often the most effective. I do not like the "means" of U.S. Courts, but they are always using the courts against us, so turnabout is fair play. attila > Alan Horowitz > alanh at norfolk.infi.net > __________________________________________________________________________ go not unto usenet for advice, for the inhabitants thereof will say: yes, and no, and maybe, and I don't know, and fuck-off. _________________________________________________________________ attila__ To be a ruler of men, you need at least 12 inches.... There is no safety this side of the grave. Never was; never will be. From corey at netscape.com Thu Jan 25 17:33:57 1996 From: corey at netscape.com (Corey Bridges) Date: Fri, 26 Jan 1996 09:33:57 +0800 Subject: "This post is G-Rated" Message-ID: <199601252200.OAA28468@urchin.netscape.com> Rated N for Noise (perhaps much to the consternation of Tim). At 11:18 AM 1/25/96 -0800, Timothy C. May wrote: >(Note that the MPAA movie rating system is _not_ run by the government, nor >is it even "suggested" by government...though I don't deny that the movie >theater owners adopted the MPAA ratings to forestall talked-of government >actions. But of course movies pass through the chokepoint of distribution, >and time usually exists to rate them. Usenet posts would of course not fit >this model.) I don't know the particulars of how the movie rating system came into being, but I know about the last few years' government flack about "unsuitable" material on TV. 
A couple years back, Senator Paul Simon (D-Illinois) warned that Congress would use the law to compel the entertainment industry if it did not voluntarily adjust television content. He said, "If there is not some sort of positive response by the industry, we are headed for some sort of legislative response."

Amusingly enough, he also admitted that he would prefer industry restrictions on artistic freedoms because legally mandated limits to free speech would probably be ruled unconstitutional.

Claiming that such "voluntary compliance" crap is not censorship is ridiculous. Not that you were implying that, Tim--I just want people to understand that this is the same thing as a mugger claiming that, since he didn't actually shoot his victim, the wallet he received was a gift rather than stolen goods.

Corey Bridges
Security Documentation
Netscape Communications Corporation
home.netscape.com/people/corey
415-528-2978

From daw at CS.Berkeley.EDU Thu Jan 25 17:34:21 1996
From: daw at CS.Berkeley.EDU (David A Wagner)
Date: Fri, 26 Jan 1996 09:34:21 +0800
Subject: Why is blowfish so slow? Other fast algorithms?
In-Reply-To: <199601250629.WAA16623@mailx.best.com>
Message-ID: <199601252213.OAA02708@lagos.CS.Berkeley.EDU>

>
> At 07:32 PM 1/23/96 -0500, David A Wagner wrote:
> >If you want authentication, you must use a crypto-strength MAC.
> >Encryption (be it RC4, DES, etc.) is not enough.
>
> Not so: If the message is encrypted and checksummed with a simple
> not non cryptographic checksum, this gives you everything a MAC
> gives you, plus the message is secret.
>

Not true. For instance, suppose you append a standard simple CRC-32 of the plaintext, and then encrypt with CBC mode. Because CRC-32 is linear, it's trivial to construct a collision by flipping some of the first 33 bits of the plaintext; but this, in turn, is easy to do by just flipping the corresponding bits in the IV. (The attack is even easier if you're using a stream cipher.)
I'm sure you can come up with a non-cryptographic checksum which looks (at first glance) like it'll work ok. Maybe you'll be completely safe. Still, the security of any such scheme will inherently depend on very subtle issues of whether the encryption and the checksum can interact-- and there are probably only a handful of people in the free world who are really qualified to do a full analysis of these effects, I'd guess.

You can use a non-crypto checksum to attempt to provide integrity if you want, I suppose. Is that prudent system engineering? Personally, I don't think so. At the risk of sounding like a broken record, I suggest

Design principle: if you want message integrity/authentication guarantees, use a crypto-strength MAC, damnit!

> MACs are only useful in the strange and unusual case where you want
> authentification using a symmetric key, but you want to transmit in
> the clear.

False. MACs are useful & necessary in an encrypted packet network, to prevent message tampering by active attackers. (Unless you prefer to sign *every* packet with RSA, which is insanely slowwww...)

MACs are useful in conjunction with encryption, I should add. They're not mutually exclusive. :-)

From llurch at networking.stanford.edu Thu Jan 25 17:44:17 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Fri, 26 Jan 1996 09:44:17 +0800
Subject: "Gentlemen do not read each other's mail"
In-Reply-To: <199601251947.OAA16586@jekyll.piermont.com>
Message-ID:

On Thu, 25 Jan 1996, Perry E. Metzger wrote:

> Phill refers to the man who said "Gentlemen do not read each other's
> mail", (Henry L. Stimson) as a twit.
>
> I highly disagree. In some ways I regard him as our patron saint
> (although the man was actually far from saintly and later as a member
> of the Roosevelt cabinet adopted an opposite policy of aggressive
> signals intelligence.)
>
> Why is he our patron saint? He was a government official coming out
> against invasion of privacy.
Isn't that what we are all after, in the > end? The reason we deploy cryptography is to assure privacy for > all. We often refer to those who listen in on conversations > (regardless of who they are) as, in some sense, our > opposition. Therefore, is not Stimson's remark in closing down > Yardley's "Black Chamber" to be praised rather than attacked? Sorta, but not really. Relying on gentlemanliness to protect privacy is a fallacy. Assuming that gentlemen run the government (or any other entity with power over you) can be quite dangerous. Being a gentleman (or a lady, in the classical sense), though, is a Good Thing. The fact that the well-informed people on this list tend to be good ladies and gentlemen is a Very Good Thing. I believe that the choice not to read other people's personal mail is an ethical imperative, since we do not have and probably can not have total privacy enforced by technology and law alone. Sure, strong crypto helps, and should be spread, but there will always be back doors and implementation bugs, and in the worst case, most people will give in to moderate torture. It's hard to say what the ethical role of individuals in the government (or Jim Bell's "assassination politics" organization, which quacks like a government for me) is. The realist (Morgenthau, Fromkin, Krasner) school of IR, not to mention Machiavelli, holds that it is an ethical imperative to lie, cheat, and steal to further the national interest. A diplomat was defined, by whom I don't recall, as "a gentleman sent abroad to lie for his country." -rich From m5 at dev.tivoli.com Thu Jan 25 17:50:39 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Fri, 26 Jan 1996 09:50:39 +0800 Subject: RANT: cypherpunks do NSA's job for them!! In-Reply-To: Message-ID: <9601252218.AA12260@alpha> Vladimir Z. Nuri writes: > when you tell them that "what you are doing breaks the law", you > are implicitly revealing that *you*support*that*law*. That assertion is, I claim vociferously, false. 
False false false. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From rsalz at osf.org Thu Jan 25 18:16:35 1996 From: rsalz at osf.org (Rich Salz) Date: Fri, 26 Jan 1996 10:16:35 +0800 Subject: Crippled Notes export encryption Message-ID: <9601242316.AA12172@sulphur.osf.org> >How did kerberos avoid this? The "bones" distribution of kerberos >without crypto was not regulated by ITAR, right? The Kerberos bones release: Removed the DES code Removed the places where DES code was called It was done by using "unifdef -DNOENCRYPTION" as a filter over all the sources. /r$ From declan+ at CMU.EDU Thu Jan 25 18:17:02 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Fri, 26 Jan 1996 10:17:02 +0800 Subject: Bernie S. Sentencing In-Reply-To: <199601251509.KAA21760@remus.ultranet.com> Message-ID: <0l20Ru200bky0CS0o0@andrew.cmu.edu> Excerpts from internet.cypherpunks: 25-Jan-96 Bernie S. Sentencing by Dan Bailey at milliways.org > I just found out that Bernie S. will be sentenced this Friday morning > at 9 am in Easton, PA for the crime of removing batteries from a tone > dialer several years ago. This is defined as a victimless misdemeanor > for which the judge in this small town (under considerable influence > from the Secret Service) set bail at $250,000. He could get two years > in prison at sentencing. Press attention could be very helpful in > avoiding a sentence as irrational as the bail setting - right now the > only influence these people are getting is from the Secret Service and > they want to put Bernie S away for as long as they can. If you're not > entirely up to date on this story, finger bernies at 2600.com for all of > the details. 
I've contacted an editor I know at the Allentown Morning Call (the major newspaper in the Easton, PA area) and a staffwriter I know at the Philadelphia Inquirer. No word from the Inquirer yet, but the Morning Call seems interested -- email me for the editor's email address/phone number. Other folks can probably give better background than I can. -Declan From tcmay at got.net Thu Jan 25 18:25:19 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 26 Jan 1996 10:25:19 +0800 Subject: Crippled Notes export encryption Message-ID: At 12:56 AM 1/25/96, Derek Atkins wrote: >Yes, it is a huge can of worms. Worse, since it is done on a >case-by-case basis, there really is no clear definition of where the >exportable vs. non-exportable line actually is. You need to try it to >test if it will work or not. Several people have mentioned the "case by case" nature of the crypto export situation, and this is of course the key. I don't claim to have studied the ITARs as, say, Phil Karn or Dan Bernstein have. Or to to have reviewed relevant case law, precedents, etc. But I'm not sure it's important. That is, the Munitions Act and related laws/regulations were set up to meet certain end goals considered desirable. With considerable flexibility in interpreting these rules and regulations, State and NSA seek to meet the end goals they have established, not to scrupulously define the exact boundaries of the law. Thus, let me try to think like them and present some situations people have proposed (or actually filed cases about, a la Bernstein, Karn, etc.), and *guess* which way things will go. Others may disagree. Here they are: Situation/Test Case Likely End Result * Export of t-shirt * Foot-dragging, but eventual approval (foot-dragging because D.C. won't be sure how any decision they make will be taken) * Ian Goldberg returning to Canada * The issue won't even come up (Students routinely return to Israel, Netherlands, etc. Nobody cares. 
Especially with regard to students returing to Canada, which is of course treated as a backward child of the U.S. for the purposes of crypto policy.) * Goldberg's team sets up in Zurich * NSA issues warning to Foobar, Inc. (In this hypothetical, Ian Goldberg has a team in Berkeley writing the MongoBrowser Web browser. They decide U.S. laws on crypto export are too restrictive and decide to move their operation to Zurich. This is clearly designed to skirt the "spirit" of the Munitions Act/ITARs, and so the NSA/State will try to head it off. Assuming they even learn it is happening, which is a very real impediment to practical enforcement. Ex post facto, MongoBrowser and its programmers could be hassled upon entry to the U.S. later.) And so on. In other words, you need to "think like them" with regard to what's a potentially real threat and what's not. T-shirts are not real threats, but RSADSI deciding to move its core crypto development to Zurich is. --Tim May Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From reagle at rpcp.mit.edu Thu Jan 25 18:26:50 1996 From: reagle at rpcp.mit.edu (Joseph M. Reagle Jr.) Date: Fri, 26 Jan 1996 10:26:50 +0800 Subject: Security First Network Bank, FSB. The World's 1st Internet Bank Message-ID: <9601252251.AA02911@rpcp.mit.edu> Just got something in the post today asking for me to set up an account with them... - Daily reconciled bank statement and checkbook register; All transactions are logged for you. 
- No min balance
- 20 free electronic bill payments per month...
- ATM at Honor and Cirrus..
- 200 free paper checks...
- plenty of pre-stamped deposit envelopes
- FDIC insured accounts (in case anyone ever steals my password..)
- Wired Funds..

I haven't checked out the web site yet but it is at http://www.sfnb.com

If there are no fees, I just might do it anyways and get the free-tshirt they are offering me!

_______________________
Regards,
Quarrels would not last long if the fault were only on one side. -Francois de La Rochefoucauld
Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html
reagle at mit.edu 0C 69 D4 E8 F2 70 24 33 B4 5E 5E EC 35 E6 FB 88

From vznuri at netcom.com Thu Jan 25 18:41:09 1996
From: vznuri at netcom.com (Vladimir Z. Nuri)
Date: Fri, 26 Jan 1996 10:41:09 +0800
Subject: RANT: cypherpunks do NSA's job for them!!
In-Reply-To: <9601252218.AA12260@alpha>
Message-ID: <199601252238.OAA07065@netcom22.netcom.com>

M.M.:
>> when you tell them that "what you are doing breaks the law", you
>> are implicitly revealing that *you*support*that*law*.
>
>That assertion is, I claim vociferously, false. False false false.

the Tao of bad government: if you really want to get rid of a law, act and think at all times as if it doesn't even exist.

how do "laws" work? the policeman coming to arrest you is only one part of the process. the court handing down a decision is another part. your friends, family, associates, etc. constantly *reminding* you of that law is the major, critical, unseen mechanism in propagation of laws.

laws are about perception. the government does not want to arrest everyone that breaks a law. they do not want to have to enforce laws. they want the law *not*to*be*broken*. the key way that is done is through public perception that "doing so-and-so" can't be done, that it "breaks the law".

how is this public perception propagated?
whenever discussion of "so-and-so" is brought up, everyone verbally thinks, agrees, acts as if, "you can't do so-and-so". if no one is aware of a law, that law effectively *does*not*exist*. there are a bazillion laws in the government that are never enforced, because no one ever thinks of them. because everyone affected by it is always thinking about the ITAR, it largely does not even need to be enforced. the government has succeeded in a pavlovian conditioning of the populace whenever any law is unchallenged. From carolann at censored.org Thu Jan 25 19:06:20 1996 From: carolann at censored.org (Censored Girls Anonymous) Date: Fri, 26 Jan 1996 11:06:20 +0800 Subject: Random Number Generators Message-ID: <199601252307.QAA15015@usr5.primenet.com> Yes PERRYMOOSE (tm), this IS crypto related. The Hypothesis: Now....there oughta be a way to generate random numbers using the signal to noise ratio of just this very list! No, I'm not good at this sort of thing (we all know that) but it is there as a random variable, within a random variable. It's better than a clock for everyone gets messages differently. But you can change the s/n ratio and durations of s/n to generate the numbers on, so that it'd be pretty secure. Something to think about :) Love Always, Carol Anne -- Member Internet Society - Certified BETSI Programmer - Webmistress *********************************************************************** Carol Anne Braddock (cab8) carolann at censored.org 206.42.112.96 My Homepage The Cyberdoc *********************************************************************** ------------------ PGP.ZIP Part [017/713] ------------------- M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M MF=O0H+*%(-S%&>S%+FS& http://dcs.ex.ac.uk/~aba/export/ From stend at grendel.texas.net Thu Jan 25 19:15:52 1996 From: stend at grendel.texas.net (Sten Drescher) Date: Fri, 26 Jan 1996 11:15:52 +0800 Subject: V-chip? 
In-Reply-To: Message-ID: <199601252305.RAA03150@grendel.texas.net> mpd at netcom.com (Mike Duvos) said: MD> oO F145C0 Oo writes: >> Apparently the US government is planning on starting up its V-chip >> program again, which will allow public/cable TV to be censored at >> will. What does everyone thing about this ploy? Yes, it is censorship. At least, it is if you aren't watching every program on every channel available to you right now, because your channel selection allows you to censor public/cable TV at will right now, without the V-Chip. What the V-Chip does is allow you to censor what is shown on your television, even in your absence. I'll concede that there are positive aspects to this for parents, but I resent the 'you must install it in all TVs' part. If enough people want it, they can get TVs with it. >> And whats next? Chips in my radio, to prevent music, or a chip in >> my phone to make sure i dont call anyone bad? The V-chip is just as >> much a privacy/1st amendment violation as the clipper chip >> is/was. I believe the worst part of the V-chip plan, is to force >> all new TV's manufactured or imported to the US, to have this new >> chip. Could this chip even be part of a Chinese lottery? MD> As I understand it, the basic concept behind the V-Chip is to MD> allow selective blocking of material a particular viewer might MD> find offensive based on content information transmitted along with MD> the program. As long as the program material itself is MD> transmitted unaltered, and there are multiple non-governmental MD> providers of content descriptions catering to the spectrum of MD> human likes and dislikes, this sounds like ideal Cypherpunk MD> technology. The content information is transmitted as part of the program, in the between-frame band which is normally not in the displayed area of the picture, not on a separate signal. 
(Now why can't they use this band for something truly useful, like an automatic time sync and VCRPlus ID, so that your VCR could pick it up, and know that VCRPlus ID 69 is on channel 13, and is broadcasting with a +2:30 skew from what you think the time is?) Because of this, there will be _one_ content code, not a select-your-rater content method.

The other reason for not having a select-your-rater method is, first, the sheer volume of TV broadcasting. No service could possibly rate all TV content. Second, no service could rate _live_ TV, such as the nightly news, or post-game NFL locker room films.

My guess is that the producer of a program will get first shot at putting a label on a program, or not. Then the distributor will be able to keep the producer's label, change it, add their own, or remove it. This will continue until the broadcaster gets to decide whether or not to transmit a V-Code, and whether to use the last distributor's label or their own. But do you really think that MTV will use a V-Code? (It could be amusing if they did - 10 minutes of blank screen, then 2 minutes of commercials when someone cranks all of their settings to Full Filter.)

[...]

MD> It should be noted that the V-Chip is currently vaporware, and
MD> exists only in the minds of politicians. There probably will
MD> never be an actual "V-Chip", just a little additional software in
MD> our already heavily computerized televisions, radios, and personal
MD> computers.

Incorrect. The 'V-Chip' exists (at least according to a demonstration on NBC News ("Home of the Exploding Chevy") the other night), there just isn't sufficient consumer demand for it to have hit the market yet. And, from appearances, it doesn't pixelate the picture, it blocks the signal entirely. They should at least have put a 'Sorry, kiddies, you have to hack your parents' passcode to see this.' message up.
That's the weakness here - it was only a 4 digit passcode locking the V-Chip level - does anyone really think that some kid who wants to watch HBO or MTV isn't gonna cycle through the numbers, even if it is only a few dozen at a time? Or that there isn't a reset mechanism for when Pop forgets the code and he really wants to watch 'Showgirls' on PPV? -- #include /* Sten Drescher */ 1973 Steelers About Three Bricks Shy of a Load 1994 Steelers 1974 Steelers And the Load Filled Up 1995 Steelers? Unsolicited email advertisements will be proofread for a US$100/page fee. From joelm at eskimo.com Thu Jan 25 19:35:04 1996 From: joelm at eskimo.com (Joel McNamara) Date: Fri, 26 Jan 1996 11:35:04 +0800 Subject: PGP in Eudora and other mail programs Message-ID: <199601252239.OAA22005@mail.eskimo.com> >I suspect that John-Doe will go through the normal new-product cycle -- >discovery of bugs, slight improvements, and then better integration of user >needs. Ultimately, as the product matures, I think that Steve's John Doe >will be seen as a revolutionary development in privacy equal to (in a far >less technical but more end-user way) PZ's original PGP. I really don't want to blow my own horn, but Private Idaho is much more than a PGP shell. It has supported remailer operations since it first appeared nearly a year ago. It also started supporting the c2 nym server several months ago. With no disrespect meant to tallpaul or Steve, I hardly think John Doe is revolutionary. I certainly don't consider Private Idaho to be anything other than an efficient, free shell for Windows users to enhance their privacy. And, I have yet to see a crypto/privacy "killer app." I am glad though, to see that other people are going beyond PGP shells and starting to write privacy-oriented applications that use the remailers and nym servers. Keeps me on my toes with new Private Idaho features. But more importantly, the more tools that are out there, the more people will be using them. 
I've always maintained that the interface is the gating factor to the wide-spread adoption of a technology. Joel From rah at shipwright.com Thu Jan 25 20:11:47 1996 From: rah at shipwright.com (Robert Hettinga) Date: Fri, 26 Jan 1996 12:11:47 +0800 Subject: PGP in Eudora and other mail programs Message-ID: Will wonders ever cease. PGP-in-Eudora-for-Mac.... Cheers, Bob Hettinga -----BEGIN PGP SIGNED MESSAGE----- Sometimes even the gods are wrong... ;-) >> A few years later, still no PGP-in-Eudora. One would think that this would >> be a powerful way of distinguishing their product from other mail packages. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMQgXKPgyLN8bw6ZVAQGvdwQAoiWetK6FRmvMqRnB1mXG+94zqRNOHz7C j8u6huNvp13N29ml2JaDcJtW67SvBKqLrkA2/k26eJM98bMpeDJtm8rAlO/zbgKO zmicy7hQSFbh9U6jxuFgzwSVofxYtvzuVk9I0cqgmp7diNHaUKLaw3x8mK7ItiS9 Hyl1fBWQiX0= =0/PO -----END PGP SIGNATURE----- ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/ From DMiskell at envirolink.org Thu Jan 25 20:30:34 1996 From: DMiskell at envirolink.org (Daniel Miskell) Date: Fri, 26 Jan 1996 12:30:34 +0800 Subject: None Message-ID: <9601241720.AB13251@envirolink.org> Mr. Nobody writes: >In article >zinc writes: >> i got this in the mail this morning. here's another blatant case >> of illegal export. names and exact addresses removed to protect the >> clueless. > >Why exactly did you post this message? I personally don't mind, but >am just curious. Why exactly did YOU post this message? I personally dont mind, but am just curious. Munster --- _________________________________ *!Cheese Doctrine:!* Though cultured over time, and aged to perfection, one must not yield to produce mold. One must also not belittle themselves by conforming to the "whiz", but melt over the unprocessed ideas of Ghuda. 
_________________________________ From llurch at networking.stanford.edu Thu Jan 25 20:46:13 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 26 Jan 1996 12:46:13 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: <199601252139.QAA16761@jekyll.piermont.com> Message-ID: On Thu, 25 Jan 1996, Perry E. Metzger wrote: > hallam at w3.org writes: > > There is a considerable difference between running a government and > > being an individual. It is not merely ethical for one government to > > read another's mail, it is a duty. > > I am a funny sort of person. I don't believe that governments should > be able to do anything that individuals cannot. If it is bad for me to > steal, it is also bad for a government official to steal. If it is bad > for me to listen in on my neighbor's phone calls, it is bad for the > government, too. Er, I believe the above was clearly intended to mean "for one government to read another government's mail." ... > I do not mean to pretend that there is an absolute ethics. I merely > claim that I do not find in my mind an easy distinction between the > acts of a government official under color of authority and the acts of > any other individual. How about: It is the ethical duty of a responsible government to read other government's mail, absent any treaties or gentlemen's agreements to the contrary. It is the ethical duty of a responsible government not to read its own citizens' mail without specific probable cause that a crime has occurred or is imminent. It is the ethical duty of responsible citizens to read their own government's mail, to ensure that their government is behaving ethically. The knotty bits concern how much of its own mail the government needs to disclose, because you can't really disclose it to your own citizens without effectively disclosing it to the whole world. And how much the government can lie, cheat, and steal in purely international affairs. I'd answer "a lot" to both. 
-rich
Fucking Statist

From tcmay at got.net Thu Jan 25 20:47:22 1996
From: tcmay at got.net (Timothy C. May)
Date: Fri, 26 Jan 1996 12:47:22 +0800
Subject: "This post is G-Rated"
Message-ID:

At 9:58 PM 1/25/96, Bill Frantz wrote:

>goal. The big problem is how are the labels attached to the programs. I
>agree with Tim that it is probably impossible for individual Usenet
>postings. However it should be possible for TV programs, and whole
>newsgroups.

Coincidentally, after writing my post this morning, I saw a report on CNN or CNBC about how broadcasters, networks, and producers are strongly opposed to the mandatory V-chip. Not news, but some of their reasons were: not enough time. The movie business produces about 600 hours of product per year, and the ~weeks it takes for the MPAA to view the final product and rate it (and then negotiate with the director about cutting out scenes to make an R-rated film into a PG, etc.) is marginally tolerable. Such is not the case with television, with many shows in a final version only hours before broadcast (and obviously some with even less or no advance time available).

And remember that the MPAA rating is most definitely NOT a "self-rating."

I see self-ratings of Usenet and mailing list posts as possible, just nearly worthless. And the really controversial stuff, this kind of goddamned fucking shit, will not get screened out. After all, I voluntarily rated this thread "G," and look what got through! (And it's only the tit of the iceberg, so to speak.)

A meaningful "parental filter" cannot be done on-the-fly with self-ratings. Some minor steps can be taken, but not all worth the expense and hassle of a mandatory system.

--Tim

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C.
May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From m5 at dev.tivoli.com Thu Jan 25 20:48:43 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Fri, 26 Jan 1996 12:48:43 +0800 Subject: RANT: cypherpunks do NSA's job for them!! In-Reply-To: <9601252218.AA12260@alpha> Message-ID: <9601260028.AA12225@alpha> Vladimir Z. Nuri writes: > the Tao of bad government: if you really want to get rid of a law, > act and think at all times as if it doesn't even exist. I accept that that's one way of going about things, but I challenge you to demonstrate conclusively that it is the only means to generate political interest in opposition to a law. I happen to disagree with this, and I refuse to accept the wacky notion that by explaining to somebody that what they're doing is in violation of a pointless stupid law, and explaining why it's only through wide exposure of that pointless stupidity that the law and others like it can be struck down, that I am unwittingly strengthening the law. Balderdash. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From s1018954 at aix2.uottawa.ca Thu Jan 25 20:54:19 1996 From: s1018954 at aix2.uottawa.ca (s1018954 at aix2.uottawa.ca) Date: Fri, 26 Jan 1996 12:54:19 +0800 Subject: "This post is G-Rated" In-Reply-To: Message-ID: On Thu, 25 Jan 1996, Timothy C. 
May wrote:

> If the League of Usenet Ladies makes this request, I have no problems
> (though I'm almost certain to delete their request and do nothing one way
> or another about it). If the Islamic Students Association makes the same
> request, I also have no problems (and will also likely discard the
> request). These are non-governmental entities, merely requesting actions
> (and, of course, getting about 2% compliance, or less, with their
> requests).

Actually there's a pgp-based program that lets them do that with usenet posts. It is called NoCem ("No See 'Em") and is currently used to let users avoid spam. With spam (or crud of your choice) being defined by those posters to alt.nocem.misc whom you trust the most. You can let canceller of your choice (anyone with pgp) censor your personal newsfeed.

Unfortunately, like all things unix or command line, it is not a no-brainer for Joe Sixpack (I couldn't manage to run it on this unix system, for example.) Of course any windows or mac hack could do the same trick.

Try Bryce's proposal from last week for a cypherpunks-message cancellation list is similar. (Sorry, Bryce, I'd help out if I had the time.)

> (Note of course that the League of Usenet Ladies and the Islamic Students
> Association are very likely to have very different ideas about what the
> labels should reflect! Not to mention the several hundred other major
> special interest groups who will want their ideologies reflected in a
> ratings system.)

And the above system would let them do it. One could also personally assign a "weight" to each rater and have messages cancelled once a threshold was passed (this proposed in the faq, since I couldn't run it, I don't know if it currently does it).

Who says pgp's web of trust is obsolete? This is an actual application. Grassroots tech wins again.

(Of course this is just a souped-up killfile prog masquerading as a newserver, really. Simple solution.)
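
[Added example, not part of the original post and not NoCem's own code or notice format.] The weighted-rater idea in the message above, sketched as a reader-side filter: a message is hidden only when verified notices from distinct issuers the reader trusts add up to a threshold. HMAC-SHA256 with constructed keys stands in for PGP signature verification, and the `Notice` layout, issuer names, weights and message-ids are all assumptions made for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo keys. HMAC-SHA256 is a stand-in for checking a PGP
# signature against the issuer's public key; it is not what NoCem uses.
ISSUER_KEYS = {
    "alice": b"alice-demo-key",
    "bob": b"bob-demo-key",
    "mallory": b"mallory-demo-key",
}


@dataclass(frozen=True)
class Notice:
    """Hypothetical notice: an issuer asks readers to hide these message-ids."""
    issuer: str
    message_ids: tuple
    tag: bytes


def encode_fields(issuer, message_ids):
    # Length-prefix every field so ("ab", "c") and ("a", "bc") sign differently.
    parts = [issuer.encode()] + [m.encode() for m in message_ids]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def sign_notice(issuer, message_ids, key):
    ids = tuple(message_ids)
    tag = hmac.new(key, encode_fields(issuer, ids), hashlib.sha256).digest()
    return Notice(issuer, ids, tag)


def verify_notice(notice, keys):
    key = keys.get(notice.issuer)
    if key is None:
        return False  # no key on file for this issuer: cannot be verified
    expected = hmac.new(
        key, encode_fields(notice.issuer, notice.message_ids), hashlib.sha256
    ).digest()
    return hmac.compare_digest(expected, notice.tag)  # constant-time compare


def hidden_ids(notices, weights, keys, threshold):
    """Message-ids whose verified, trusted issuers reach the weight threshold."""
    voters = {}  # message-id -> set of issuers that asked to hide it
    for notice in notices:
        if weights.get(notice.issuer, 0) <= 0:
            continue  # the reader has not chosen to trust this issuer
        if not verify_notice(notice, keys):
            continue  # forged or corrupted notice carries no weight
        for mid in notice.message_ids:
            # A set means a repeated notice cannot count the same issuer twice.
            voters.setdefault(mid, set()).add(notice.issuer)
    return {
        mid
        for mid, who in voters.items()
        if sum(weights[i] for i in who) >= threshold
    }


def filter_feed(feed, notices, weights, keys, threshold):
    hidden = hidden_ids(notices, weights, keys, threshold)
    return [mid for mid in feed if mid not in hidden]


def demo():
    # Constructed sample feed and notices.
    feed = ["<1@example>", "<2@example>", "<3@example>", "<4@example>"]
    weights = {"alice": 60, "bob": 50}  # mallory is not on the reader's list
    notices = [
        sign_notice("alice", ["<1@example>", "<2@example>"], ISSUER_KEYS["alice"]),
        sign_notice("bob", ["<1@example>"], ISSUER_KEYS["bob"]),
        # Alice repeats herself; <2> must still count her weight only once.
        sign_notice("alice", ["<2@example>"], ISSUER_KEYS["alice"]),
        # Valid signature, but from an issuer the reader does not trust.
        sign_notice("mallory", ["<3@example>"], ISSUER_KEYS["mallory"]),
        # Claims to be bob but the tag does not verify.
        Notice("bob", ("<2@example>",), b"\x00" * 32),
    ]
    return filter_feed(feed, notices, weights, ISSUER_KEYS, threshold=100)


if __name__ == "__main__":
    print(demo())
```

Only `<1@example>` is dropped: it is the one message two distinct trusted issuers both flagged with verifiable notices.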
From llurch at networking.stanford.edu Thu Jan 25 20:58:17 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 26 Jan 1996 12:58:17 +0800 Subject: PGP in Eudora and other mail programs In-Reply-To: Message-ID: On Thu, 25 Jan 1996, Lucky Green wrote: > At 11:54 1/25/96, Timothy C. May wrote: > > >(I understand from this list that Eudora for Windows is now doing this much > >more automatically, that someone has a PGP-in-Eudora package. I don't think > >it was from Qualcomm, but I could be wrong. As a Macintosh version user, > >I'm hoping this comes to the Mac version as well.) > > There exist two Eudora/PGP packets. The MacPGP Kit and MacPGP Control. I'd > use MacPGP Control. Just do a search for it. I tried 'em both and found them dog slow and unreliable, like most other things based on AppleEvents. True command-line piping and DDE work in UNIX/DOS/Windows, but there's none of that on the Mac. What I've done is ResEdit key combinations into my software to do wordwrap, then I cut text, switch to the PGP window, sign or encrypt the clipboard, switch back to the mail/news window, and paste. MacPGP's "dialog shortcuts" make this mostly painless. We don't need no steenking automation. Of course this doesn't work for attaching files, but I do that sufficiently rarely that the minor pain of handling that case manually is outweighed by the interest of minimizing the gunk in RAM and on the menu bar. -rich From tcmay at got.net Thu Jan 25 21:03:52 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 26 Jan 1996 13:03:52 +0800 Subject: Using the V-chip to Filter Commercial Advertisements Message-ID: At 11:05 PM 1/25/96, Sten Drescher wrote: >their own. But do you really think that MTV will use a V-Code? (It >could be amusing if they did - 10 minutes of blank screen, then 2 >minutes of commercials when someone cranks all of their settings to >Full Filter.) 
One way to kill the V-chip dead is to announce hacks to the V-chip box that will do the _reverse_ of this: block commercials (advertisements, for any non-American readers) but pass programs. (Before anyone points out that such boxes have been built, based on volume levels, spectral content, etc., sure. What I'm speculating about is a subversive campaign to get the meme out there that the V-chip can be used as a filter of commercials.) Even if it is not done, fear of the possibility of this will kill the proposal. --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From zinc at zifi.genetics.utah.edu Thu Jan 25 21:07:10 1996 From: zinc at zifi.genetics.utah.edu (zinc) Date: Fri, 26 Jan 1996 13:07:10 +0800 Subject: RANT: cypherpunks do NSA's job for them!! In-Reply-To: <9601252218.AA12260@alpha> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Thu, 25 Jan 1996, Mike McNally wrote: > Date: Thu, 25 Jan 1996 16:18:47 -0600 > From: Mike McNally > To: "Vladimir Z. Nuri" > Cc: cypherpunks at toad.com > Subject: RANT: cypherpunks do NSA's job for them!! > > > Vladimir Z. Nuri writes: > > when you tell them that "what you are doing breaks the law", you > > are implicitly revealing that *you*support*that*law*. > > That assertion is, I claim vociferously, false. False false false. i have to agree. there is a huge difference in telling someone that they're breaking the law and supporting a law. 
as far as i'm concerned, on cypherpunks we try to dissect laws or regulations so that we can chip away at weaknesses in them. it is also useful if one wants to determine how your opponent is going to react when you do something; know your enemy and all that. - -pat "Those that give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin (1773) zifi runs LINUX 1.3.57 -=-=-=WEB=-=-=-> http://zifi.genetics.utah.edu -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by mkpgp1.6, a Pine/PGP interface. iQCVAwUBMQgpH03Qo/lG0AH5AQHDKwQAqB8FEpPF0j+rTZUme+n/Fv4So/EIfEQr tHyjDpaFh1iRcHP/8wOJaazEsYFFrgo/J3gmna7md31xFhV6SPF1eOY4rEKpTz01 qFsinS0lhwXiXTCnvWlzHnOIKC6B6El4aVI4Wo1E39xMX3abm2Euxo2t5a6va8lC 5/M8p4ANrxk= =VdvL -----END PGP SIGNATURE----- From sinclai at ecf.toronto.edu Thu Jan 25 21:16:43 1996 From: sinclai at ecf.toronto.edu (SINCLAIR DOUGLAS N) Date: Fri, 26 Jan 1996 13:16:43 +0800 Subject: another thought about random numbers In-Reply-To: <199601252156.PAA17976@snoopy.vetmed.auburn.edu> Message-ID: <96Jan25.202843edt.10879@cannon.ecf.toronto.edu> > Assuming I didn't dream the whole thing, it seems like it wasn't in Nevada... > possibly on an Indian reservation? I think it happened 6 months to a year > ago. I'm sorry I can't be more specific. My recollection was Quebec, Canada. There were articles posted to the list at the time, so it should be in the archives if anyone cares enough to look it up. From JonathanZ at consensus.com Thu Jan 25 21:33:50 1996 From: JonathanZ at consensus.com (Jonathan Zamick) Date: Fri, 26 Jan 1996 13:33:50 +0800 Subject: Etch-a-sketch Message-ID: Ok.. I'm still getting mail regarding the etch-a-sketch keychain. Thus I'm going to look at how to get em for everyone. :) Just letting you all know. Don't bury me in 'I want one mail.' As soon as I have the info I'll get it out to the hungry crowd. Heh. At that point you can bury me happily.
Jonathan ------------------------------------------------------------------------ ..Jonathan Zamick Consensus Development Corporation.. .. 1563 Solano Ave, #355.. .. Berkeley, CA 94707-2116.. .. o510/559-1500 f510/559-1505.. ..Mosaic/WWW Home Page: .. .. Consensus Home Page .. From mpd at netcom.com Thu Jan 25 21:57:52 1996 From: mpd at netcom.com (Mike Duvos) Date: Fri, 26 Jan 1996 13:57:52 +0800 Subject: V-chip? In-Reply-To: <199601252305.RAA03150@grendel.texas.net> Message-ID: <199601260208.SAA02439@netcom4.netcom.com> Sten Drescher writes: > Yes, it is censorship. At least, it is if you aren't > watching every program on every channel available to you > right now, because your channel selection allows you to > censor public/cable TV at will right now, without the > V-Chip. What the V-Chip does is allow you to censor what is > shown on your television, even in your absence. Right. Freedom of TV viewing belongs to those who own one, even if they are not always there to supervise the use of the set. Exactly like freedom of the press. I personally plan to instruct my TV to display only material which does not offend my neo-Pagan, Bohemian, and Hedonistic beliefs. > I'll concede that there are positive aspects to this for > parents, but I resent the 'you must install it in all TVs' > part. If enough people want it, they can get TVs with it. The last great adventure in forcing manufacturers to put something in a television set was the "UHF must tune as easily as VHF" boondoggle. The number of UHF stations in most areas was 0-1. Note that when cable provided a plethora of channels in a previously untunable part of the spectrum, market forces instantly resulted in the creation of "cable-ready" sets in advance of government prodding. > The content information is transmitted as part of the > program, in the between-frame band which is normally not in > the displayed area of the picture, not on a separate signal. 
There is currently no official standard for encoding content information for television programs. Manufacturers of various flavors of "parental control devices" have at times demonstrated their technology as the "V-Chip" on Network Nightly News programs. This includes devices which can do selective pixelation, as well as those which merely render the set inoperative during programs having a specific rating. The bandwidth required to transmit content information second by second is very small. It is not a foregone conclusion that such information will be carried exclusively via the video blanking intervals, or that it will be available from only a single source. Indeed, with the movement towards digital encoding of television, it is doubtful that blanking intervals themselves will be around much longer. > The other reason for not having a select-your-rater method > is, first, the sheer volume of TV broadcasting. No service > could possibly rate all TV content. Second, no service > could rate _live_ TV, such as the nightly news, or post-game > NFL locker room films. No one is suggesting that all raters will rate all programming. Movies will probably be the first things raters will provide content tracks for. Next will be widely carried programs in syndicated reruns, and top rated first run shows. Eventually, use of the technology will proliferate, much as the use of closed-captioning has. Much money will be saved in not having to physically edit media, and in having the intelligence at the displaying end. One will no longer have to have a theatrical release of a movie, a television version, a version for European airlines, a version for American airlines, a version for Islamic airlines, etc ad nauseum. Porn will no longer have to be edited into Hard-X, Soft-X, and R versions before being distributed. > Incorrect. 
The 'V-Chip' exists (at least according to a > demonstration on NBC News ("Home of the Exploding Chevy") > the other night), there just isn't sufficient consumer > demand for it to have hit the market yet. And, from > appearances, it doesn't pixelate the picture, it blocks the > signal entirely. Please see prior comments about Nightly News demonstrations of alleged V-Chip technology. Once a standard for encoding content information is established, it is unlikely that there will be some universal specific "V-Chip" that will be used by all manufacturers. Instead, the functionality will likely be implemented in whatever software controls the display appliance. It's not a complicated application, and hardly worth a processor of its own. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From wb8foz at nrk.com Thu Jan 25 22:00:22 1996 From: wb8foz at nrk.com (David Lesher) Date: Fri, 26 Jan 1996 14:00:22 +0800 Subject: TOP_tap In-Reply-To: Message-ID: <199601260130.UAA01330@nrk.com> > I kinda feel sorry for the NSA staffers sometimes - they're basically a > bunch of computer geeks and math whizs who don't get to wear jeans and > T-shirts This *is* a real problem. They take very highly skilled geniuses and tell them "no one will ever know what you've done.." & their morale does suffer... Just suppose YOU discovered (say) a new factoring method... and could only watch others getting Nobel prizes..... 
-- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From JMKELSEY at delphi.com Thu Jan 25 22:13:11 1996 From: JMKELSEY at delphi.com (JMKELSEY at delphi.com) Date: Fri, 26 Jan 1996 14:13:11 +0800 Subject: Lotus Notes Message-ID: <01I0FXJK293C9DCXJ9@delphi.com> -----BEGIN PGP SIGNED MESSAGE----- [To: Cypherpunks, Lucky Green ## Date: 01/24/96 12:33 pm ## Subject: Re: Lotus Notes] >Date: Tue, 23 Jan 1996 23:24:39 -0800 >From: shamrock at netcom.com (Lucky Green) >Subject: Re: Lotus Notes >You are assuming that they *want* the hole to be unpatchable. I see >no reason why they should. "We tried out best, but these darn >hackers found a way to enable full 64 bits. Sorry, but we tried." >Perhaps the most intelligent thing to do was to keep the GAK subject >to a simple patch. I'm sorry, I don't think I was very clear in this post. I wasn't concerned with whether Lotus left the escrow feature easy to disable, I wanted to know whether they'd intelligently padded their RSA-encrypted 24-bit key leak. If they thought this through, they did, but if not, then they have essentially left their exportable security level at 40 bits, because of the dictionary attack David and some other people pointed out. This ought to be relatively easy to check from disassembled code, but it can also be checked by simply generating a few thousand messages (maybe six or seven thousand, to be safe), and seeing whether or not we ever get a duplicate LEAF. We expect to, after about 2^12 encryptions, if they're using fixed padding. Of course, RSA key exchange blobs for short keys must always be padded out like this, or be vulnerable to dictionary attacks. P.S. 
Does anyone know whether or not the RSA key used to partially escrow the session key is a reasonable length (i.e., 1024 bits)? If it's another 512-bit RSA key, then it was born with a bullseye on its chest. >-- Lucky Green > PGP encrypted mail preferred. Note: Please respond via e-mail as well as or instead of posting, as I get CP-LITE instead of the whole list. --John Kelsey, jmkelsey at delphi.com / kelsey at counterpane.com PGP 2.6 fingerprint = 4FE2 F421 100F BB0A 03D1 FE06 A435 7E36 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMQfoEEHx57Ag8goBAQH7mQQAwHZ5ZH++AbVGER88rtRbgiu+syYNI9AI bwgeUT3gYpf1kqRksg5dLluAabEo+OSorzb5x/WrF1bemkqr3Y+GtEhh8HfSGaZG pmAe1hwSyGLQImqonZ/MxYz17eOK2Win9VBt1o+0jQCceUN8pc/QXRZvEAzjdkS4 lKijlYa/XYE= =Ii7i -----END PGP SIGNATURE----- From JMKELSEY at delphi.com Thu Jan 25 22:17:09 1996 From: JMKELSEY at delphi.com (JMKELSEY at delphi.com) Date: Fri, 26 Jan 1996 14:17:09 +0800 Subject: CAs and Digital Timestamping Message-ID: <01I0FXIXB84Y9DCXJ9@delphi.com> -----BEGIN PGP SIGNED MESSAGE----- [ To: sci.crypt, sci.crypt.research, cypherpunks ## Date: 01/25/96 10:08 am ## Subject: CAs and Digital Timestamping ] At the RSA conference last week, it occurred to me that there's a really neat application for digital timestamps (as done by Surety). Whenever a CA (Certification Authority) issues a public key certificate, it should also digitally timestamp it. This provides a relatively clean way to recover from top-level CA key compromises. First of all, let's talk about hash trees. A hash tree (I think the idea was originated by Merkle, but I could be wrong) is a binary tree. Each node in the tree eventually winds up with a hash value associated with it. The bottom nodes on the tree are hashes of individual messages. The other nodes are made up of the hash of all their children. 
This looks like this: (pardon the ASCII art)

:                        H_0 = hash(H_1,H_2)
:                       /                   \
:        H_1 = hash(H_3, H_4)           H_2 = hash(H_5,0)
:         /              \                /          \
: H_3 = hash(M_0)   H_4 = hash(M_1)   H_5= hash(M_2)   0
:
:

The neat thing about this is that, if I know H_0, then when someone wants to verify that M_0 appears in the hash, they only have to tell me H_4 and H_2, and the position of M_0 in the tree. I can then find H_3 = hash(M_0), H_1 = hash(H_3,H_4), and verify that the final H_0 = hash(H_1, H_2) gives the right output value. (Compare this with a hashing chain, and you can see that, for large trees, there's a big advantage here. The number of values needed to authenticate a given message in this tree is log_2(number of messages in the tree), while the number of values to verify a chain is the whole number of messages in the chain.)

In the digital timestamping service offered by Surety, they use hash trees of this kind, because this allows efficient verification of a digital timestamp. The idea behind this is that a message is hashed into the hash tree, and that the final value of the hash tree each day or week is widely published, including in the New York Times. So long as it's not feasible to go back and change that value, and it's not possible to find collisions for the hash function, any hash value that appears in that tree must have been presented to the timestamping people at some point before that tree's final hash was calculated.

Here's how we use this in having a CA sign certificates.

CA Signs a Key:

1. At the beginning of the day, the CA generates a random value, R_0, and has it digitally timestamped. The resulting timestamp is used as one of the entries in today's hash tree. (If the CA is their own digital timestamp service, then they'll have to use the previous day's ending value, which is reasonable enough. They'll also have to work a lot harder to publish this value each day or week.)
2. For each certificate to be generated:
   a.
      The CA verifies the information in Certificate_u, then signs it with SK_{CA}. Certificate_u contains some indication of the time and date.
   b. The CA hashes Certificate_u into its daily hash tree.
   c. The CA sends Certificate_u to user u.
3. At the end of the day, the CA publishes its own final hash tree value, and gets this value digitally timestamped. (This amounts to having the CA act as its own "node." for the timestamping service.)

Now, imagine that the CA's key has been compromised. (We have to assume that the CA's daily operations were OK--if not, there doesn't seem to be a clean way to recover cleanly.) The person who has the CA's key can issue false certificates. After a while, one of these false certificates is noticed. How do we recover?

We use the hash trees and the digital timestamps which we've made in the past to verify each certificate presented for recertification. The digital timestamps allow us to immediately verify that this certificate was issued by this CA at this time. And we can be certain that this hash tree is correct because it's been digitally timestamped.

What this does, essentially, is to allow us to quickly recover from key compromises. We still have problems if someone can take over the operations of our CA for a few days or weeks, though in that case, we probably know the likely dates. No compromise at the CA can put a different date's timestamp on a certificate.

Now, I should note that I think Merkle talks about using hash trees to do public key certificates, in his thesis, and the idea may be patented. (It's been a couple of years since I looked at his thesis, so this is a little hazy.) However, we're not using them here to provide certificates--we're using them to authenticate the certificates in the event of a catastrophic key compromise. I don't think Merkle talked about this, but I could be mistaken. (At any rate, I've never seen any mention of it since then, though it's an obviously useful idea.)
If the tree structure is patented, then we could still do this by using chains or some other structure. Does anyone know if this basic idea has been proposed before? I am pretty sure I haven't seen it, but it seems pretty obvious now that I think about it. We could even recover using this method from a break of the hash function supported (so long as the timestamps are done with multiple hash functions, and at least one isn't broken), or the public key algorithm used. --John Kelsey, jmkelsey at delphi.com / kelsey at counterpane.com PGP 2.6 fingerprint = 4FE2 F421 100F BB0A 03D1 FE06 A435 7E36 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMQfn70Hx57Ag8goBAQETUQQA3S7k8rrYDud5N3uVdUqSVHC3VH+Tpmuu wcRisf8PrYX/I9Q4vBTN7SS0H30Xl1bRTQyS1mQP+CuyBlESi1qn0OMKbgAYPndd 1qYOvrX/29fMbhrO7VQjAcSAHpCZOvoVfsq0fWwv4zzUIhJBZNFnMxdSm4eNrmEv U3/oo5CiM2o= =7TIl -----END PGP SIGNATURE----- From williams at va.arca.com Thu Jan 25 22:20:25 1996 From: williams at va.arca.com (Jeff Williams) Date: Fri, 26 Jan 1996 14:20:25 +0800 Subject: "This post is G-Rated" Message-ID: <1933823965.299772740@va.arca.com> Tim May writes: > So deal with the hypothetical I gave: someone like me sets out to "nuke" > the labelling system by deliberately mislabelling his posts! If you have > labels but no means of stopping my actions, see what results. What if there was a flag on each message which the author could leave "UNSPECIFIED" or indicate "NOT INTENDED FOR KIDS." You could attack by marking a bunch of bland stuff "NIFK" or you could leave some porn "UNSPECIFIED". Either way, I think the situation is better for kids. I hope that the majority of Internet users are not actively trying to get porn to kids. > A meaningful "parental filter" cannot be done on-the-fly with self-ratings. > Some minor steps can be taken, but not all worth the expense and hassle of > a mandatory system. I see labels as helpful rather than restrictive. 
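Added example (not part of John Kelsey's post or of any other list message): the hash tree from "CAs and Digital Timestamping" above, with the inclusion proof (sibling hashes plus leaf position) and the recertification check used after a CA key compromise. SHA-256, the 0x00/0x01 domain-separation prefixes, all function names and the sample certificates are assumptions made for this example; the post names no hash function.

```python
import hashlib
import hmac

ZERO = b"\x00" * 32  # stands in for the "0" the post puts in an empty slot


def h_leaf(msg: bytes) -> bytes:
    # H = hash(M). The 0x00 prefix is domain separation (an addition, not in
    # the post): it stops an interior node from being passed off as a leaf.
    return hashlib.sha256(b"\x00" + msg).digest()


def h_node(left: bytes, right: bytes) -> bytes:
    # H_parent = hash(H_left, H_right), with a distinct 0x01 prefix.
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_levels(messages):
    """Return every level of the tree, leaves first, the root level last."""
    if not messages:
        raise ValueError("a tree needs at least one message")
    level = [h_leaf(m) for m in messages]
    levels = []
    while True:
        if len(level) > 1 and len(level) % 2:
            level = level + [ZERO]          # pad odd levels, as in the diagram
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [h_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def root(levels) -> bytes:
    return levels[-1][0]


def prove(levels, index: int):
    """Sibling hashes, leaf level upward, that authenticate leaf `index`."""
    if not 0 <= index < len(levels[0]):
        raise IndexError("no such leaf")
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])       # the other child of the same parent
        index //= 2
    return path


def verify(msg: bytes, index: int, path, expected_root: bytes) -> bool:
    """Recompute the root from msg, its position and the sibling hashes."""
    node = h_leaf(msg)
    for sibling in path:
        if index % 2 == 0:
            node = h_node(node, sibling)    # we are the left child
        else:
            node = h_node(sibling, node)    # we are the right child
        index //= 2
    # index must be used up, otherwise the claimed position was out of range.
    return index == 0 and hmac.compare_digest(node, expected_root)


# Constructed sample data: three certificates issued by the CA on one day.
DAY = "1996-01-25"
CERTS = [
    b"cert|subject=alice|issued=1996-01-25|key=constructed-A",
    b"cert|subject=bob|issued=1996-01-25|key=constructed-B",
    b"cert|subject=carol|issued=1996-01-25|key=constructed-C",
]
LEVELS = build_levels(CERTS)
# Stands in for the daily value that was timestamped and widely published.
PUBLISHED = {DAY: root(LEVELS)}


def recertify(cert: bytes, day: str, index: int, path, published=PUBLISHED) -> bool:
    """After a key compromise, re-issue only certificates that are provably
    in the tree whose root was published for the day they claim."""
    day_root = published.get(day)
    return day_root is not None and verify(cert, index, path, day_root)


if __name__ == "__main__":
    proof = prove(LEVELS, 0)
    print("proof length for M_0:", len(proof))
    print("genuine certificate accepted:", recertify(CERTS[0], DAY, 0, proof))
    forged = b"cert|subject=mallory|issued=1996-01-25|key=constructed-M"
    print("forged certificate accepted:", recertify(forged, DAY, 0, proof))
```

A certificate signed later with the stolen CA key fails this check even though its signature verifies, because its hash was never in the tree behind the published value.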
A label provides additional information to help people find the information that they want. That information can also be used to help you cut out the information you don't want. If parents want to use this flag because they think it might help their kids, great. Maybe nobody would use the flag, but I don't see how it could hurt. If I had kids, I would appreciate having the option of sorting out all the stuff that is "NIFK" by the author. --Jeff From frissell at panix.com Thu Jan 25 22:22:59 1996 From: frissell at panix.com (Duncan Frissell) Date: Fri, 26 Jan 1996 14:22:59 +0800 Subject: Are Cypherpunks Influential? Message-ID: <2.2.32.19960124161017.006d5ba0@panix.com> At 08:23 PM 1/24/96 +0700, Patiwat Panurach (akira rising) wrote: >Would you call cypherpunks (as a group and as a philosophy) to be >influential? Do you think governments listen to us much? Are they forced >to listen to us? Any stuff to support this? Please give me your comments. Much more influential than deserved. We've gotten a lot of press. I would say that we are an example of cultural entrepreneurship. An entrepreneur makes money by noticing that there is an unexploited difference between the price of a final product and the sum of the prices of the factors of its production (discounted to present value). We noticed that there is a difference between the social and technical capabilities of modern math and modern computing on the one hand and the public perception of those capabilities on the other. By simply pointing out those mistakes in public perception and doing some (as little as possible) coding to prove it, we've gained some publicity. An example of the gap between perception and reality that we can easily exploit, I would point to the regulation of broadcasting. There's a lot of talk with the telecoms bill about whether and how much broadcasting should be deregulated but it is obvious to us that it already has been. 
I was thinking of that while doing my mail and listening to the Leader of the Free World last night via RealAudio 2.0 and KLIF radio in Dallas via Audionet. Radio has been deregulated by technological change since RealAudio appeared last Summer. TV dereg will follow with the higher bandwidth. All cypherpunks have done is to point out simple facts like this. Pretty easy work if you can get it. DCF "My fellow Americans, we must free our nation from the tyranny of "Others Government" and turn instead to "Self Government". We must accomplish this great task not for ourselves, but for the *Children*." -- 10-second SOTU Address From perry at piermont.com Thu Jan 25 22:51:56 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 26 Jan 1996 14:51:56 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: Message-ID: <199601260125.UAA16923@jekyll.piermont.com> Rich Graves writes: > Relying on gentlemanliness to protect privacy is a fallacy. Of course. The reason we study cryptography is because we can't trust that people will behave like "gentlemen". However, is not the goal here to assure that communications can be untappable and privacy assured to all that wish to have privacy? Perry From frantz at netcom.com Thu Jan 25 22:58:58 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 26 Jan 1996 14:58:58 +0800 Subject: "Gentlemen do not read each other's mail" Message-ID: <199601260353.TAA07910@netcom6.netcom.com> At 4:08 PM 1/25/96 -0500, hallam at w3.org wrote: >>Why is he our patron saint? He was a government official coming out >>against invasion of privacy. Isn't that what we are all after, in the >>end? > >There is a considerable difference between running a government and being an >individual. It is not merely ethical for one government to read another's >mail, >it is a duty. I am not sure that I believe this line of reasoning my self, but here goes: The US government is "owned" by its citizens. 
Therefore US citizens should have a high degree of protection from their government. However, non-US citizens do not enjoy this same high standard (not being "owners"). They perhaps should enjoy a similar standard in relation to their own governments. Another way of putting it is that while gentlemen do not read each other's mail, gentlemen read non-gentlemen's mail. Bill From jcorgan at aeinet.com Thu Jan 25 22:59:26 1996 From: jcorgan at aeinet.com (Johnathan Corgan) Date: Fri, 26 Jan 1996 14:59:26 +0800 Subject: "This post is G-Rated" In-Reply-To: Message-ID: On Thu, 25 Jan 1996, Simon Spero wrote: > THere are several schemes being put about that work along those lines, > with message formats being standardised, but not the actual values - you > should then pick your favourite rating agency, and they determine what is > rated and how. This system creates a new market for rating agencies, and > it also helps parents to determine more precisely what *they* think is fit > for their children. This would allow to emerge a free market 'ecology' of ratings agencies, similar to the system that has emerged in the PC technology market for product reviews. Presently, I obtain a great deal of market exposure by promoting my product (I'm a marketing geek at a Silicon Valley networking vendor) in competitive reviews done by both specialist companies (e.g., LANQuest Labs) and print magazines (PC World, Communications Week, etc.) Everyone has their own opinions about the accuracy, testing methodology, review philosophy, and veracity of these 'ratings agencies', and there is a large market segment that does buy product on little more than what they read in these trade rags. The analogy with Web pages is fairly direct. As a Web content provider, I would be incentivized to have my pages reviewed by those agencies whom I felt attracted the right target audience for my content, and whose reputation in that audience was good. 
As a Web surfer, or parent, or whomever, I could choose (or not) to consult with a ratings agency whose criteria and reputation I trust. As a ratings agency, my reputation would be based on how closely I follow the criteria I publish for my rating service. I can foresee the development of competing 'ratings servers', which contain a database of reviewed URL's. My browser would query one with a URL (for a small fee) prior to retrieving the actual page. With an evolved form of e-cash, this could become a profitable business. Ratings aren't necessarily strictly value judgements; they can act as a classification system as well. Of course, this is an entirely free market, voluntary, no coercion involved, non-legislated solution, so I wouldn't expect it to fly in today's political climate. -- Johnathan M. Corgan jcorgan at aeinet.com http://www.aeinet.com/jcorgan.htm From perry at piermont.com Thu Jan 25 23:01:57 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 26 Jan 1996 15:01:57 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: Message-ID: <199601260152.UAA16955@jekyll.piermont.com> Rich Graves writes: > On Thu, 25 Jan 1996, Perry E. Metzger wrote: > > I am a funny sort of person. I don't believe that governments should > > be able to do anything that individuals cannot. If it is bad for me to > > steal, it is also bad for a government official to steal. If it is bad > > for me to listen in on my neighbor's phone calls, it is bad for the > > government, too. > > Er, I believe the above was clearly intended to mean "for one government > to read another government's mail." I'm funny in more ways than one. I don't believe in the existence of "Governments". I'm sure that most people seem to believe in this quasi-Divine Being, of course.
A lot of people seem to have constructed temples to some Holy Being that they refer to as "The Government", made of marble and steel and glass (often in the manner of temples constructed in ancient times to Jove or Apollo). There are strange rites associated with the worship and sustenance of this Divine Entity, such as the ritual sacrifice of vast amounts of our wealth. There are a bunch of people that walk around in these temples, whom one might characterize as the priests of this cult, and they are supposedly imbued with astonishing extraordinary powers by virtue of association with this Divine Entity, but when I glance at them I usually see only ordinary humans, with no visible stigmata of their association with this extracorporeal Holy Being worshiped by the body of the people. In any case, we are here expected to believe that it is okay if the Secular God of our land mass, our Government, spies on the Secular Gods of other land masses. However, viewed from my perspective, when "the Government" of our land listens in on "another Government's" communications, from what I can tell what is happening is that individual humans in the guise of High Priests converge at their temple in Fort Meade for the purpose of listening in on conversations between individual humans elsewhere who are associated with other Government cults in some sort of ordained capacity. One might argue that this discourtesy between the followers of rival cults is not something for we, the arch-atheists, to care about, but I must note that in principle what is going on is the same -- people are listening in on other people's communications -- not the Divine Governmental Being itself listening in on the communications of other Divine Governmental Beings. These Divine Governmental Beings don't exist. Only the humans claiming the authority of the Divine Governmental Beings exist.
So, in summary, if we believe that it is wrong for our fellow humans to tap phones and listen in on the communications of other humans, I see no reason to believe in an exception granted to some humans associated with the Government Cult of our land mass to listen in on humans associated with the Government Cult of another land mass. > It is the ethical duty of a responsible government to read other > government's mail, absent any treaties or gentlemen's agreements to the > contrary. This might be fine were there such a creature as a Holy Governmental Being that wished to listen in on other Holy Governmental Beings, but just as one never actually could prove the existence of the Capitoline Jove in spite of the great temple that the Romans built to Him, so too I find no evidence for the existence of the Holy Governmental Being in spite of the fervor of the followers who have built the great marble temples in the manner of the Romans all over Washington and other provincial capitals throughout the Empire, pardon, the land mass we call the United States. Perry From rsalz at osf.org Thu Jan 25 23:05:31 1996 From: rsalz at osf.org (Rich Salz) Date: Fri, 26 Jan 1996 15:05:31 +0800 Subject: TOP_tap Message-ID: <9601251755.AA15764@sulphur.osf.org> The NSA is a branch of the DOD. Up until recently (18-30 months ago) NSA employees were only allowed to identify themselves as employees of DoD. It was common knowledge, that unspecific references to Fort Meade meant NSA; and if you saw a P.O. from Procurement Office, Fort Meade, it meant the NSA was buying it. /r$ From perry at piermont.com Thu Jan 25 23:11:12 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 26 Jan 1996 15:11:12 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: Message-ID: <199601260131.UAA16940@jekyll.piermont.com> Alan Horowitz writes: > On Thu, 25 Jan 1996, Perry E. Metzger wrote: > > I am a funny sort of person.
I don't believe that governments should > > be able to do anything that individuals cannot. > > So violent criminals should never be jailed? I didn't say that. Feel free to draw obvious conclusions about my political beliefs, however, this isn't politicotheorypunks, so it probably isn't the right place to discuss this in detail. Perry From blancw at accessone.com Thu Jan 25 23:11:44 1996 From: blancw at accessone.com (blanc) Date: Fri, 26 Jan 1996 15:11:44 +0800 Subject: RANT: cypherpunks do NSA's job for them!! Message-ID: <01BAEB65.DC0A5980@blancw.accessone.com> From: Vladimir Z. Nuri maybe TCM, who in this case imho is part of the PROBLEM and not part of the SOLUTION, and an example of how our own behavior is sabotaging our key goals, will think twice when he writes another *sskissing, tedious "what the NSA thinks about [x]" post. ....................................................................................... Maybe he should write something like this?: it seems to me the problem is when a government begins to insist that the only authorized encryption you can use must be based on the secret key they give you is where all the problems arise. so, what we could advocate as a compromise (given that the post office is absolutely not going to *not* get in this business, from what I can tell). we encourage the idea of KEY FREEDOM this would be a heading for the idea that we are in support of the (our) government creating cryptographic infrastructures and key authentication services, as long as we always have the total freedom to encrypt according to however we please in private communications. [Date: Thu, 30 Nov 95 15:39:09 -0800 From: "Vladimir Z. Nuri" Subject: key escrow compromise] .. Blanc From llurch at networking.stanford.edu Thu Jan 25 23:28:17 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 26 Jan 1996 15:28:17 +0800 Subject: "This post is G-Rated" In-Reply-To: Message-ID: On Thu, 25 Jan 1996, Timothy C. 
May wrote: > At 11:33 PM 1/25/96, Mike McNally wrote: > >Bill Frantz writes: > > > > and whole newsgroups. > > > >Since nobody "owns" newsgroups, and nobody controls what's posted to > >them, I don't see how that's possible at all. > > I agree. When I was replying to Bill Frantz's points, I neglected to > comment on this point. > > Suppose "alt.fan.barney" is rated G, by "someone." Since I can post stuff > with strong language, and worse, to alt.fan.barney, is it still rated G, or > was my stuff blocked? > > When the Germans told MeinKampfuServe to block 200+ newsgroups (well, it's > clear that some BavarianKops showed MKS a list of groups that they thought > needed to be pulled, and MKS obliged them), a bunch of folks started > copying soc.culture.german on some highly explicit stuff normally found in > alt.sex.*. No word yet on whether soc.culture.german is now banned in > Germany. That's funny as hell, and probably justified in this case, but I find it in poor taste, and I hope it doesn't continue too long after the point was made. Has anyone heard of Serdar Argic? Tim seems to have a selective fascination with the general idea "if a rule is not enforceable, it's not valid." Applied to crypto, the right to bear arms and biological weapons, censorship, etc. This is a tautology. By definition, rules are made about things that are not self-enforcing. That's why you make the rule. That's why some people like societies. Some rules are good, some are bad. The non-self-enforcing rule that your kid shouldn't put a finger in a light socket or cross the street without looking is probably a good rule. The rule against the export of strong cryptography is generally, and universally on this list, considered to be a bad rule. Whether the rule is enforceable is irrelevant. Nobody can really stop you from posting whatever the hell you want wherever you want. 
The cancelmoose can, according to its own rules and ethics, kill your post; Perry, according to his own set of rules, can complain; the Bavarian government can *try* to ban you; your ISP can cut you off; other ISPs can filter your messages; individuals can kill-file you. None of these actions can *stop* you. Only jail time or the death penalty would *stop* you. The reason society holds is that most people have internalized societal rules as a personal ethic, and show reasonable taste, most of the time. Unless some buffoon gives us cause to stomp on soc.culture.german as a symbol (which N.B. affects not just "those Germans," but gads of K-12 and college students in all countries using it as a medium for cultural exchange), then we will honor the purpose of the group and their privacy, just as we'd prefer that total bozos not post irrelevant drivel to cypherpunks. -rich From jimbell at pacifier.com Thu Jan 25 23:32:14 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 26 Jan 1996 15:32:14 +0800 Subject: "Gentlemen do not read each other's mail" Message-ID: At 04:08 PM 1/25/96 -0500, hallam at w3.org wrote: > >>Why is he our patron saint? He was a government official coming out >>against invasion of privacy. Isn't that what we are all after, in the >>end? > >There is a considerable difference between running a government and being an >individual. It is not merely ethical for one government to read another's mail, >it is a duty. > >By not taking adequate steps to inform itself of the Japanese intentions the US >suffered the loss of a substantial part of the US fleet at Pearl Harbour. Had >sufficient resources been available the naval codes could have been cracked in >time. The closure of the Black chamber was a key reason why US espionage >efforts were inadequate at the start of WWII. 
While this may be based on the "classic" view of the start of the direct involvement in WWII, I agree with the opinion of an old college professor that the US KNEW that the Japanese were going to attack, SOMEWHERE and SOMEWHEN (but not exactly), and in fact WANTED the attack to occur to justify getting into a war that we "should" have entered. And in hindsight, I do not necessarily disagree with such a goal, within the limited context of the circumstances at the time. An extension of this interpretation is that much of the fleet was kept at Pearl to "lure" the Japanese into doing an attack that could be used to rally the public. (they needed to have enough "bait" to justify an attack.) Obviously, if that was the intention, then the big surprise was how EFFECTIVE the attack was going to be: Far from just "rallying the public" it smashed our defenses. The reason I mention this interpretation is that it entirely turns around your argument: Our criticism should not be how little we knew of Japanese intentions, but how we incompetently delayed entering a war that "needed to be fought." Naturally, however, considering the results of the attack, it would have been totally unthinkable to reveal to the public that the bigshots had actually DESIRED the attack; a far less incriminating version of the story is that some other people were merely negligent. Now, I was born in 1958 and thus can't claim personal knowledge of the time, but it's truly amazing how UNPERCEPTIVE the public must have been in the late 40's and early '50s about "intelligence" realities. Let me give you a specific example: The classic movie, "The Man who Never Was," relates the (true) story of a counter-intelligence mission done by the British to (I think) mislead the Germans into believing that the attack on Sicily would be substantially LATER than it actually was. 
The British took a man who had died of some natural disease (with the permission of his family, of course), dressed him up as if he were a courier and dumped his body (carried by submarine) off the coast of (then Fascist) Spain. With the body were (sealed) phony documents that described the FALSE date. (The idea was, the Germans would think that he was on an airplane that had crashed into the ocean...) ( He was given a false name, false address, and basically a false identity to complete the ruse.) By design, he was dumped at a point where ocean currents washed him ashore, where he was identified by papers. Naturally, the British were notified by Spain, and the British played along and INSISTED that none of the documents with the body be unsealed and given to the Germans. Naturally, however, the Spanish cooperated with the Germans, and allowed them to (secretly) unseal the documents undetectably. However, the documents (still apparently sealed and unopened) were returned to the British so that (to the Germans) the British wouldn't be aware that their secrets had been compromised. Follow me so far? Well, in the movie (whose accuracy I don't know) the Germans didn't totally believe that the courier was "real", so they sent an operative (probably by parachute airdrop, or whatever) to check out the particulars of the story they "learned" from the fake background. (Naturally, the British knew about this) At that point, the British had to plant operatives, and support the phony story on the spot, "verifying" the information. At that point, the German agent was able to transmit news that "the information is real!" to the Germans. Now, here was (to me!) the "funny" part of the movie: The British let the German agent leave Britain. This sounds logical, right? 
Because if they were to PICK HIM UP as a spy, that would have alerted the Germans that his identity and mission were already known, which would only have been true if the story given the Germans initially had been a FAKE! Yet, in the movie, it was necessary to "explain" to the (early 1950's) audience why they "let that German agent leave Britain"!! I was laughing, practically falling off the edge of my seat, as I was watching that scene! Clearly, ordinary people of that era weren't very perceptive about such things. Had they (Americans) been told that, "We had to get into WWII to save the free world, so we let the Japanese sink half our Pacific fleet!" the public WOULD NOT have understood. This is why I tend to believe that professor's interpretation: While the exact time and location of the attack was not known, IT REALLY DIDN'T MATTER because they WANTED it to happen. The "we couldn't decrypt their traffic in time" (even if it was really true) was merely a convenient cover story for the truth. From blancw at accessone.com Thu Jan 25 23:32:30 1996 From: blancw at accessone.com (blanc) Date: Fri, 26 Jan 1996 15:32:30 +0800 Subject: RANT: cypherpunks do NSA's job for them!! Message-ID: <01BAEB69.A2BB7E80@blancw.accessone.com> From: Vladimir Z. Nuri your friends, family, associates, etc. constantly *reminding* you of that law is the major, critical, unseen mechanism in propagation of laws. ............................................................................ Actually, Vlad has a remote point. When signs on the road advise everyone to buckle up - because "it's the law", it has the intent of providing the be-all and end-all reason for why we should do the things we do. 
When certain activities are described as being "illegal" it lends to the laws surrounding them an air of legitimacy, even though most anyone on this list who refers to them in that way understands that they are phrasing their words in terms of how these actions are perceived/categorized by the lawmakers, not by the cpunks. Yet you must understand, Vlad: you aren't going to figure out how to deal with a looming threat like ITAR simply by being nonchalant & devil-may-care. The fact that some people (lawyers) know what corporations & individuals are facing if they try to import or export "illegal" substances like abstract code, and the fact that some people (programmers) discuss the issues openly, does not mean that they are headed in the direction of submission to the given obstacles. It just means that they're thinking through the problem, to clarify just what the situation is, to give conscious consideration to what anyone might have to deal with as a consequence of their decisions (to do what they will regardless of the NSA's perceptions). I think this is a valuable & legitimate pastime. .. Blanc From vince at offshore.com.ai Thu Jan 25 23:39:12 1996 From: vince at offshore.com.ai (Vincent Cate) Date: Fri, 26 Jan 1996 15:39:12 +0800 Subject: Webcard Message-ID: Block Intros Visa Card For Internet Users 01/25/96 KANSAS CITY, MISSOURI, U.S.A., 1996 JAN 25 (NB) -- Block Financial, an H & R Block (NYSE:HRB), company, has announced a Visa card created just for Internet and World Wide Web users. The card is called Webcard. One of its features is the ability to check your account balance around the clock in real-time via the Internet. "Cardholders can monitor their current account activity or review data as far back as 12 months and even check to see if their payment was received," said G. Cotter Cunningham, vice president of Block Financial Corp. 
The company said it has addressed security concerns about revealing credit card numbers by designing the online account review feature so actual account numbers never appear online. To make the data more useful, Block has set up the Web site so the account information can be imported directly in many of the popular word processing, spreadsheet, database, and personal finance programs, including Quicken. Webcard is issued by Columbus Bank and Trust Company, an affiliate of Synovus Financial Corp. The card carries no annual fee. The company said it will soon launch a direct mail, advertising, and telemarketing campaign to publicize the card. Cunningham told Newsbytes the easiest way to apply for a card is to complete an online application online. Block Financial's home page on the Web is at http://www.conductor.com . Cunningham said two levels of card are available. The Gold card is the one being promoted. It carries a 12.9 percent interest rate for the first six months. After that the rate reverts to whatever the prime rate is, plus 6.9 percent. Currently the prime rate is 8.5 percent. Applicants who don't qualify for the Gold card can still receive a Classic card, said Cunningham. Initially that card carries a 12.9 percent interest rate for the first six months. After that, you pay two points more than Gold card holders. Block said the Webcard is the first in a series of co-branded financial products slated for introduction this year. Other services to be offered include online bill payment, which is set for launch in the next 60 days, and online checking services. Cunningham said the pricing structure for the bill payment service hasn't been set yet, but will be competitive. Block Financial already offers the Compuserve Visa, a credit card exclusively for Compuserve subscribers. The company said it has already issued more than 100,000 of the Compuserve cards. 
(Jim Mallory/19960124/Press contact: Julie Eisen, Block Financial, 816-751-6010/WEBCARD960125/PHOTO) From bruceab at teleport.com Thu Jan 25 23:45:22 1996 From: bruceab at teleport.com (Bruce Baugh) Date: Fri, 26 Jan 1996 15:45:22 +0800 Subject: Cypherpunk Elitism Message-ID: <2.2.32.19960126050633.006b0fc4@mail.teleport.com> At 07:15 PM 1/25/96 EDT, "E. ALLEN SMITH" wrote: > You might also find Robert Reich's _The Work of Nations_ >interesting. As a short, elegant, powerful argument against statist thinking, I recommend most highly Kenichi Ohmae's THE END OF THE NATION STATE: THE RISE OF REGIONAL ECONOMIES. Mr Ohmae focuses on areas that have geographical and social meaningfulness, on the scale of Hong Kong/Canton, Catalonia, the Pacific Northwest, and so forth. He quickly makes hash of the idea that the nation-state is a meaningful unit for modern economic analysis. ObCrypto: He looks for region-state governments that, among other things, respect citizens' privacy. Bruce Baugh bruceab at teleport.com http://www.teleport.com/~bruceab From jdoe-0007 at alpha.c2.org Thu Jan 25 23:47:36 1996 From: jdoe-0007 at alpha.c2.org (jdoe-0007 at alpha.c2.org) Date: Fri, 26 Jan 1996 15:47:36 +0800 Subject: John Doe Message-ID: <199601260458.UAA04121@infinity.c2.org> The John Doe NYM/Remailer interface for Windows is a most excellent program that will allow even the most cypher-illiterate to make use of the technology that has been the exclusive domain of those in the "techno-know". It was a piece of cake to set up, obtain a NYM and select inbound and outbound remailers with options to chain as many as your paranoia deemed appropriate. $25.00 seemed a little steep but they will get my $$$. Nice Job. John Doe 0007 From shamrock at netcom.com Thu Jan 25 23:56:56 1996 From: shamrock at netcom.com (Lucky Green) Date: Fri, 26 Jan 1996 15:56:56 +0800 Subject: "This post is G-Rated" Message-ID: At 18:11 1/25/96, Timothy C. May wrote: >Suppose "alt.fan.barney" is rated G, by "someone." 
Since I can post stuff >with strong language, and worse, to alt.fan.barney, is it still rated G, or >was my stuff blocked? What you will see is something like this: all lists/newsgroups will have to be moderated with the name of the moderator clearly stated just as it is in print magazines today. If something that is potentially dangerous to children, that is any information that might encourage anyone to think for themselves, gets posted, the moderator will be held liable. Since that will lead to the moderator erring on the side of caution, discussions on USENET/ mailing lists will become next to useless and therefore die out for anything non-technical (no, that won't include cryptography) or politically incorrect. Any ISPs carrying non-moderated groups or mailing lists is subject to the often mentioned mandatory long years in prison under the Child Protection Act of 1998. It is all rather simple. And the public will thank the kind and caring legislators that show such deep concerns for their children. -- Lucky Green PGP encrypted mail preferred. From futplex at pseudonym.com Fri Jan 26 00:11:59 1996 From: futplex at pseudonym.com (Futplex) Date: Fri, 26 Jan 1996 16:11:59 +0800 Subject: Intl. Keysize Limit vs. U.S. Keysize Limit (Was: Re: Hack Lotus?) In-Reply-To: <3106df37.flight@flight.hrnowl.lonestar.org> Message-ID: <199601260550.AAA03377@thor.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- Paul Elliott writes: > The real problem is the 64 bit key in the domestic version. This > conforms to the NIST "standard" for an exportable system. In other > words to allow the international people to have almost non-existent > 40 bit security, they have limited domestic users to 64 bit security. The 64-bit domestic limit really has no connection to the 40-bit intl. limit. It would be just as easy to build the intl. 
version of Notes with 128-bit+spy keys, with 40 bits of truly protected key and 88 bits of espionage-enabled key, and then use straight 128 bits in the domestic version. They simply appear not to want people in the U.S. to have >64 bits of security, regardless of export issues. Futplex Still drowning in mail.... -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- From jdoe-agamemnon at alpha.c2.org Fri Jan 26 00:14:59 1996 From: jdoe-agamemnon at alpha.c2.org (jdoe-agamemnon at alpha.c2.org) Date: Fri, 26 Jan 1996 16:14:59 +0800 Subject: NOISE Test Ignore Message-ID: <199601260522.VAA07510@infinity.c2.org> Test Test Test From tcmay at got.net Fri Jan 26 00:15:03 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 26 Jan 1996 16:15:03 +0800 Subject: This is not "DivineBeingPunks" Message-ID: At 1:52 AM 1/26/96, Perry E. Metzger wrote: >I'm sure that most people seem to believe in this quasi-Divine Being, >of course. A lot of people seem to have constructed temples to some >Holy Being that they refer to as "The Government", made of marble and >steel and glass (often in the manner of temples constructed in ancient >times to Jove or Apollo). There are strange rites associated with the >worship and sustenance of this Divine Entity, such as the ritual ....etc. etc. etc. Since Perry has on several occasions said he does not want to hear about politics and other "off-topic" posts, and since he has written at least five of these posts just today (the "Gentleman do not" thread), I suggest he heed his own advice. 
I was skipping most of these posts that Perry, Rich Graves, and others are writing, but the hypocrisy of calling for others to not engage in "off-topic" posts while writing five of them himself...well, it speaks for itself. Debating basic libertarian theory, including the rights of Divine Beings, quasi-Divine Beings, Secular Beings, etc., is best done on another list, or in private e-mail. What's sauce for the goose is sauce for the gander. --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From pgut001 at cs.auckland.ac.nz Fri Jan 26 00:17:02 1996 From: pgut001 at cs.auckland.ac.nz (pgut001 at cs.auckland.ac.nz) Date: Fri, 26 Jan 1996 16:17:02 +0800 Subject: "Concryption" Prior Art Message-ID: <199601260604.TAA27250@cs26.cs.auckland.ac.nz> Death rays from Mars made pcw at access.digex.net (Peter Wayner) write: >I haven't read the supposed Concryption patent so I don't know >what the claim structure is. But if they truly claim the right >to do encryption and compression simultaneously, then I've got >some prior art that should knock out such a broad claim. The >paper is "A Redundancy Reducing Cipher" (Cryptologia, May 88). >It's not very secure, but it does do some manner of encryption >at the same time as compressing a file with a Huffman-like >system. The journal is found in many university libraries so it >should be easy to produce a solid counterclaim. 
There's a much earlier paper by Frank Rubin in a 1979 Cryptologia which covers encryption+compression with Huffman and arithmetic coding. However the Con-cryption patent covers first compressing, then encrypting. Unless they've got very good lawyers, you can probably ignore it. Peter. From tcmay at got.net Fri Jan 26 00:52:52 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 26 Jan 1996 16:52:52 +0800 Subject: "This post is G-Rated" Message-ID: I typically enjoy Lucky's jaundiced analyses, but I think he is overly paranoid in this one: At 5:28 AM 1/26/96, Lucky Green wrote: >What you will see is something like this: all lists/newsgroups will have to >be moderated with the name of the moderator clearly stated just as it is in >print magazines today. If something that is potentially dangerous to First, printed material does *not* have to have an author or publisher specified. The usual case cited is the Supreme Court decision on "anonymous handbills." I know of some zines that have no identifiable origin point. And anonymous pieces are published (even where the publisher/editor does not know the true author.) Second, Usenet is a global thing. Which national laws will apply? If the U.S. somehow is dumb enough to demand that each of the 12,000+ current Usenet groups have a moderator in a U.S. jurisdiction....well, there are too many issues here to properly deal with in a short note. Third, if the moderator is liable for "allowing" inappropriate material to get through, I predict a rather severe shortage of moderators. It's already a thankless job, so why would any sane person take on the liability of doing it? Fourth, the Soviets couldn't control the underground "samizdat" press, and this was when the sanctions were stronger and the channels of communication more available. Today, in the West, there are at least two orders of magnitude more channels, and several orders of magnitude more sites, bandwidth, etc. Fifth, major constitutional challenges would be mounted. 
The First Amendment says that a posting to a public discussion does not first have to be cleared by a censor/moderator! (I'm not saying a group cannot be moderated, I'm saying that making it a crime to have an unmoderated, uncensored group will not pass constitutional muster.) --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From alanh at infi.net Fri Jan 26 01:07:30 1996 From: alanh at infi.net (Alan Horowitz) Date: Fri, 26 Jan 1996 17:07:30 +0800 Subject: TOP_tap In-Reply-To: Message-ID: > I kinda feel sorry for the NSA staffers sometimes - they're basically a > bunch of computer geeks and math whizs who don't get to wear jeans and > T-shirts says who? From ses at tipper.oit.unc.edu Fri Jan 26 01:10:01 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Fri, 26 Jan 1996 17:10:01 +0800 Subject: Lotus Notes In-Reply-To: <01I0FXJK293C9DCXJ9@delphi.com> Message-ID: [Birthday paradoxing to get test for non-random padding] > simply generating a few thousand messages (maybe six or seven > thousand, to be safe), and seeing whether or not we ever get a > duplicate LEAF. We expect to, after about 2^12 encryptions, if If you were to try this, you'd probably want to try around 12,000 to reach the 95% confidence interval. However, I seriously doubt that this is going to be the case; they're using BSAFE, which does random padding to PKCS1 in just about all its RSA modes. 
The only people Lotus could hire to get it that wrong probably have too much tied up in options to be easily head-hunted. Simon From alanh at infi.net Fri Jan 26 01:10:22 1996 From: alanh at infi.net (Alan Horowitz) Date: Fri, 26 Jan 1996 17:10:22 +0800 Subject: TOP_tap In-Reply-To: <199601252341.SAA00886@nrk.com> Message-ID: How is parking at Fort Meade? Alan Horowitz alanh at norfolk.infi.net From alanh at infi.net Fri Jan 26 01:13:52 1996 From: alanh at infi.net (Alan Horowitz) Date: Fri, 26 Jan 1996 17:13:52 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: Message-ID: > > By not taking adequate steps to inform itself of the Japanese intentions the US > > suffered the loss of a substantial part of the US fleet at Pearl Harbour. I've read that FDR had a humint source warning of a Japanese strike on Pearl Harbor. I also recall reading that J Edgar Hoover received a report of a diplomatic conversation detailing the planned attack, but sat on it. The first was in a monograph which was putting forth the proposition that FDR ardently desired to become involved in the war. By the way, FDR was the man who made wage income, subject to federal taxation for the first time. I don't remember where I read the second. To me, both stories are plausible. From gbroiles at darkwing.uoregon.edu Fri Jan 26 01:15:02 1996 From: gbroiles at darkwing.uoregon.edu (Greg Broiles) Date: Fri, 26 Jan 1996 17:15:02 +0800 Subject: "This post is G-Rated" Message-ID: <199601260719.XAA00770@darkwing.uoregon.edu> At 02:06 AM 1/26/96 GMT, Jeff Williams wrote: >Maybe nobody would use the flag, but I don't see how it could hurt. If I had >kids, I would appreciate having the option of sorting out all the stuff that >is "NIFK" by the author. My concern about such a flag is that if it was implemented widely, it would be a small step from being optional to being mandatory. 
As things stand, were some legislature to adopt a "mandatory labelling" statute tomorrow, we'd end up with a complex and pointless mess of conflicting and incompatible attempts at compliance, rendering the labelling scheme effectively useless; and, likely, "industry" (e.g., the big service providers + AT&T & MCI & Sprint etc) would oppose the legislation on the grounds that compliance would take several years and complex design to bring about. So we'd get some sort of grace period to argue against it, prepare good test case(s), establish offshore mailing lists/servers, and so forth. But if we let the market do an efficient job of developing and deploying a labelling standard, over the course of the next few years, we're an afternoon's sorry debate and a few bought-and-paid-for committee meetings away from a market standard turning into a statutory duty. This makes me think that if development of a labelling standard is imminent, it's time to find ways to subvert it, misuse it, avoid it, and otherwise treat it like an enemy. It's not necessarily an enemy until it's coopted into service by a coercive force (be it big brother^h^h^h^h^h^h^hgovernment or big brother^h^h^h^h^h^h^hcorporation) but it's a potential threat. Are you sure that your relatively moderate "less NIFK material is a good thing" stance is a good reflection of others' positions? My impression is that many people are dissatisfied with anything less than a "zero tolerance" position re kids & porn or kids & drugs or kids & sexual choice or whatever. Your view of a partial-cooperation world isn't especially draconian, but do you really think that others will be as tolerant of other positions re labelling? -- "The anchored mind screwed into me by the psycho- | Greg Broiles lubricious thrust of heaven is the one that thinks | gbroiles at netbox.com every temptation, every desire, every inhibition." 
| -- Antonin Artaud | From alanh at infi.net Fri Jan 26 01:25:37 1996 From: alanh at infi.net (Alan Horowitz) Date: Fri, 26 Jan 1996 17:25:37 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: <199601260152.UAA16955@jekyll.piermont.com> Message-ID: << "I don't believe in governments">> "Pray for the preservation of the government, other wise men would each each other alive" - Talmud. No visible stigmata, eh? How many elections have you won, Perry? (I only use the honorific sobriquet "Honorable" when addressing folks who've won an election. In my book, a cabinet secretary ain't an Honorable). How many oaths have you sworn to protect and defend the constitution? Alan Horowitz alanh at norfolk.infi.net From futplex at pseudonym.com Fri Jan 26 01:26:33 1996 From: futplex at pseudonym.com (Futplex) Date: Fri, 26 Jan 1996 17:26:33 +0800 Subject: Microsoft's CryptoAPI - thoughts? In-Reply-To: Message-ID: <199601260802.DAA08993@thor.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- rickt at psa.pencom.com writes: > [Info can be found at: http://www.microsoft.com/intdev/inttech/cryptapi.htm] Has someone here managed to extract PostScript hardcopy of the CAPI from this Web page? I tried earlier this evening and wound up with a miniature ecological disaster on my hands. The page says: "For ease of online reading and printing, we've provided copies of this lengthy document in Microsoft Word and Postscript formats." I grabbed the ZIPped PostScript version and unZIPped it, which resulted in a single file called "capiapp.ps". Making the wild assumption that this was indeed a PostScript file, I sent it to the printer and forgot about it for a while. An hour later I discovered a chaotic scene in the printer room, as the printer had spewed about 1.5 reams of raw PostScript printouts. The output bin had overflowed for a while, spraying paper in several directions. 
As it turns out, the file unhelpfully begins with %-12345X at JPL ENTER LANGUAGE=POSTSCRIPT preceding the usual "%!PS-Adobe-3.0" line. Worse still, it appears that the capiapp.ps file is actually a catenation of many PostScript files (one per chapter?), each beginning with a version of this ensnarling line. I could do some global search-and-replacing, etc., but I think I'll wait for Microsoft to distribute a decent PS version of this document. Perhaps they should consider not generating it with MS Word.... Grr! Futplex From Max_Domeika at ccm.jf.intel.com Fri Jan 26 01:26:43 1996 From: Max_Domeika at ccm.jf.intel.com (Max Domeika) Date: Fri, 26 Jan 1996 17:26:43 +0800 Subject: Problem building PGP on NT Message-ID: Hi, First question: Is this the appropriate place to go with this kind of question? If not, I apologize. Anyways here goes: I'm trying to build PGP, the MIT version under windows NT using Microsoft C++ version 4.0. The program builds after a few modifications to the makefile but cannot generate an RSA key. Every time I type pgp -kg and answer the required questions, pgp attempts to generate some primes and apparently fails. Anyone have a clue as to what the problem may be??? I know there is an executable of PGP for NT already made, I've used it. So I at least know it's possible to build on NT. Anyone else attempt a port to NT???
Thanks ahead of time, Max From alanh at infi.net Fri Jan 26 01:29:09 1996 From: alanh at infi.net (Alan Horowitz) Date: Fri, 26 Jan 1996 17:29:09 +0800 Subject: TOP_tap In-Reply-To: <199601260130.UAA01330@nrk.com> Message-ID: > This *is* a real problem. They take very highly skilled geniuses and > tell them "no one will ever know what you've done.." & their morale does > suffer... > > Just suppose YOU discovered (say) a new factoring method... and > could only watch others getting Nobel prizes..... Maybe they think that anyone who is worthy of knowing - works at NSA. As Wittgenstein noted, "where the masses also drink, all wells are poisoned". From gbroiles at darkwing.uoregon.edu Fri Jan 26 01:38:21 1996 From: gbroiles at darkwing.uoregon.edu (Greg Broiles) Date: Fri, 26 Jan 1996 17:38:21 +0800 Subject: 9th Circuit addresses vicarious liability Message-ID: <199601260755.XAA05833@darkwing.uoregon.edu> The 9th Circuit issued a ruling today in _Fonovisa v. Cherry Auction_ overturning an ED CA district court's ruling re vicarious liability for copyright and trademark infringement. If I remember correctly, the lower court's ruling was one of those relied upon by Judge Whyte in his recent _Netcom_ ruling. In any event, it looks like it's an important development in vicarious liability and thus liability for ISP's and remailers and other providers of electronic "space" or conduit. http://www.callaw.com/9415715.html -- "The anchored mind screwed into me by the psycho- | Greg Broiles lubricious thrust of heaven is the one that thinks | gbroiles at netbox.com every temptation, every desire, every inhibition." 
| -- Antonin Artaud | From gbroiles at darkwing.uoregon.edu Fri Jan 26 01:38:52 1996 From: gbroiles at darkwing.uoregon.edu (Greg Broiles) Date: Fri, 26 Jan 1996 17:38:52 +0800 Subject: 9th Circuit addresses vicarious liability Message-ID: <199601260836.AAA09925@darkwing.uoregon.edu> I wrote: > http://www.callaw.com/9415715.html > but it should have read: http://www.callaw.com/9415717.html -- "The anchored mind screwed into me by the psycho- | Greg Broiles lubricious thrust of heaven is the one that thinks | gbroiles at netbox.com every temptation, every desire, every inhibition." | -- Antonin Artaud | From alano at teleport.com Fri Jan 26 01:53:09 1996 From: alano at teleport.com (Alan Olsen) Date: Fri, 26 Jan 1996 17:53:09 +0800 Subject: Microsoft's CryptoAPI - thoughts? Message-ID: <2.2.32.19960126083734.008e0b90@mail.teleport.com> At 03:02 AM 1/26/96 -0500, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >rickt at psa.pencom.com writes: >> [Info can be found at: http://www.microsoft.com/intdev/inttech/cryptapi.htm] > >Has someone here managed to extract PostScript hardcopy of the CAPI from this >Web page? I tried earlier this evening and wound up with a miniature >ecological disaster on my hands. The page says: > >"For ease of online reading and printing, we've provided copies of this >lengthy document in Microsoft Word and Postscript formats." [Disaster story deleted] Ghostview seems to read it OK. I have not printed it yet. (I will do that tomorrow.) It does seem to be missing any sort of Indexing information, which is not helpful... You may be able to use ghostscript to convert it to eps or something else useful to your printer. Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ National Security uber alles!
From anon-remailer at utopia.hacktic.nl Fri Jan 26 01:56:34 1996 From: anon-remailer at utopia.hacktic.nl (Name Withheld by Request) Date: Fri, 26 Jan 1996 17:56:34 +0800 Subject: Cypherpunk Enquirer Message-ID: <199601260850.JAA06678@utopia.hacktic.nl> (The new issue wasn't supposed to come out for a month or so, but you guys are throwing us WAY too much ammo.) THE CYPHERPUNK ENQUIRER "Encyphering minds want to know." Perry Metzger today resigned from Hillary Clinton's defense team. Spokespersons for Ms. Clinton refused to comment, but Mr. Metzger's offices did release a statement saying that Mr. Metzger's skills were in the area of debunking conspiracy theorists, and that he had little or no experience in the field of actual conspiracies. Compuserve today restored access privileges to Dr. Leslie Franklin after receiving written confirmation from two medical doctors that Dr. Franklin is indeed a man. Compuserve, forced to cancel the subscriptions of almost one million female members after complaints from the Saudi Arabian government about unchaperoned conversations between men and women, has stated that in the future, all potential subscribers must supply a semen sample with their subscription request, and that test tubes and .GIFs of Cindy Crawford in skimpy lingerie will be included with a number of major mainstream computer publications in order to facilitate the new requirements. C2.org immediately offered one month's free access to anyone whose application included a PAP smear. The NSA, the CIA, the FBI, and a coalition of 437 other U.S. government agencies today announced that they were dropping their support of the policy of Government Access to (encryption) Keys, commonly known as GAK, in favor of a new policy of Government Access to Everything, or GAE.
The new policy, using technology first pioneered by the Prodigy Network and later refined by Microsoft and its Registration Wizard(tm), would require that all new computers include a special government mandated GAE chip which would allow the government to download the entire contents of the computer's hard drive whenever the computer was connected to the Internet or other on-line service. In related news, the Clinton administration, in an unusual display of solidarity with Senate Majority Leader Bob Dole, has announced that a new version of GAK will immediately be presented to the Senate, this time requiring government escrow of all house and automobile keys, and the Dow Chemical Company has received a multi-million dollar contract to develop a new fabric for America's curtains and draperies that would become transparent in the presence of a court order. The Cypherpunk Academy of Codes and Cyphers today announced a new nomination for the Perry Award, given to the cypherpunk who has done the most to improve the S/N ratio of the list. Today's nominee is Dr. Fred Cohen, for not posting anything for the past month. Dr. Cohen joins Alice de 'nominous in contention for the prestigious award, first won by Dr. Jonathon Pierce, personal psychopharmacologist to Larry Detweiler. Consumer's Union reported today that an extensive series of tests, performed over a 3 month period, has determined that owners of high-performance snakes, such as blue racers and black mambas, should use Windows NT encryption and security for lubrication purposes, but that owners of more standard models, such as vipers and constrictors, would see little or no benefit from the use of the more expensive NT product, and would be better served by the use of the less expensive Windows 95. "The truth IS out there - we make sure it STAYS out there."
Motto of the Central Intelligence Agency Eric Blossom today announced a new filtered version of cypherpunks, "Cpunks Ultra-lite", that will be limited to messages about cryptography and C and C++ programming, and that will probably average about two messages a month. Due to sagging sales for the second edition of "Applied Cryptography", John Wiley and Sons today announced the publication of an abridged version, "Cryptography for Dummies - The Swimsuit Edition", featuring a centerfold of Elle McPherson in an "RC4 in 3 Lines of Perl" thong bikini. Ms. McPherson was reportedly detained at La Guardia airport while NSA officials searched the ITAR for an excuse to confiscate the garment. Governor Pete Wilson of California today ordered the removal of all computers from public school grades K-12, since it was discovered that 79% of them had been "hacked" to receive Spice and the Playboy channel. Rich Graves was forced to change his signature file today when it was discovered that, due to a rider in the present telecommunications bill passed by the Senate, statists are now required to "set a good example" for America's youth, and are no longer allowed to fuck. Frank Semalo today announced he was suing Compuserve for $99.95 plus tax. Mr. Samalo's complaint stated that, due to the small size of the test tubes provided by the defendants and his inability to print out .GIF files in color, the Compuserve registration process resulted in a ruined keyboard. Anonymous User's claim that the NSA has broken PGP was withdrawn today, when it was discovered that the "break" occurred at a recent Washington, D.C. GAE conference, where a NSA spokesman transferred the popular program to CDROM and attacked it with a sledge hammer. The FBI today released accused serial killer Timothy May from custody and issued an apology to the retired Intel engineer, stating that he was no longer a suspect. 
The agency also issued retraction letters to over one thousand Internet users who had been warned that they might be potential targets. "What else were we supposed to do," asked one unidentified FBI agent, "when we found all of those names in something called a killfile?" Louis Freeh's head is still stuck. The Hoover Corporation today announced a new government contract for the development of a 17 story tall, one billion terabyte capacity canister style vacuum cleaner with T3 and fiber-optic connection ability. The new machine, to be delivered to an unnamed government agency, would be used, according to a Hoover spokesperson, for "unspecified janitorial work on the Internet." -- CTHULHU for President - Why vote for the LESSER of two evils? From postmaster at ncr-sd.SanDiegoCA.ATTGIS.COM Fri Jan 26 02:30:47 1996 From: postmaster at ncr-sd.SanDiegoCA.ATTGIS.COM (postmaster at ncr-sd.SanDiegoCA.ATTGIS.COM) Date: Fri, 26 Jan 1996 18:30:47 +0800 Subject: SMTP mail warning Message-ID: <9601260939.AB28460@toad.com> message From stewarts at ix.netcom.com Fri Jan 26 02:34:22 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 26 Jan 1996 18:34:22 +0800 Subject: Signing nyms' keys (Was: Report on Portland Cpunks...) Message-ID: <199601260940.BAA26328@ix7.ix.netcom.com> >> Over time, some nyms take on a distinct identity of their own. [...] The >> thought, therefore, as I imagine it would be "You don't know I am in person, >> but you can count on me to be who I am, with this style and set of views, >> and I say that this guy is another actual person with the same." This much can be accomplished by the nym-user signing all messages with a consistent key.
However, a signature does somewhat assert that the signer believes the keyholder is the same John Doe that folks in the signer's circle of acquaintances expect, and that the purported keyholder (who may still be anonymous/pseudonymous) really holds the key, and maybe that the keyholder is the only person with that name whose key he's signed. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "Eternal vigilance is the price of liberty" used to mean us watching # the government, not the other way around.... From stewarts at ix.netcom.com Fri Jan 26 02:38:52 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 26 Jan 1996 18:38:52 +0800 Subject: V-chip? Message-ID: <199601260940.BAA26366@ix7.ix.netcom.com> This message rated FZ. At 08:33 PM 1/24/96 -0800, mpd at netcom.com (Mike Duvos) wrote: >As I understand it, the basic concept behind the V-Chip is to >allow selective blocking of material a particular viewer might >find offensive based on content information transmitted along >with the program. As long as the program material itself is >transmitted unaltered, and there are multiple non-governmental >providers of content descriptions catering to the spectrum of >human likes and dislikes, this sounds like ideal Cypherpunk >technology. No, it's to allow selective blocking of material that a government-approved panel has described as deserving blocking for children. It's rabidly unnecessary, and also too simplistic to be really useful. For instance, it's unlikely to block "COPS" and "The War In Bosnia" under any available settings, and "Speeches of President Exon" will probably be required viewing because there isn't a "no lies" setting. Selective blocking, using VCRplus codes or some similar technology, would be far more useful, support multiple rating services, and give your VCR something to do other than flash 12:00. ... >What are the dangers of this new technology? 
>First, the government might want only one description of content, >which it controls. My notion of what is offensive probably >differs greatly from that of Jesse Helms, for instance. Yup. However, _you_ won't be the one doing the description... #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "Eternal vigilance is the price of liberty" used to mean us watching # the government, not the other way around.... From stewarts at ix.netcom.com Fri Jan 26 02:41:18 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 26 Jan 1996 18:41:18 +0800 Subject: Why is blowfish so slow? Other fast algorithms? Message-ID: <199601260940.BAA26380@ix7.ix.netcom.com> >> At 07:32 PM 1/23/96 -0500, David A Wagner wrote: >> >If you want authentication, you must use a crypto-strength MAC. >> >Encryption (be it RC4, DES, etc.) is not enough. Are there any simple but crypto-strong hash functions? I've been thinking about doing a "One Page Privacy" program, using the 3-line RSA, 10-line RC4, and some glue, but using a separate MD5 program seemed like cheating (even though the 3-line RSA uses dc :-). I was thinking about using RC4 in some feedback mode as a MAC, but it sounds like that's not secure enough? Is there anything else that's short? MD5 requires too much code. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "Eternal vigilance is the price of liberty" used to mean us watching # the government, not the other way around.... 
From postmaster at ncr-sd.SanDiegoCA.ATTGIS.COM Fri Jan 26 02:43:18 1996 From: postmaster at ncr-sd.SanDiegoCA.ATTGIS.COM (postmaster at ncr-sd.SanDiegoCA.ATTGIS.COM) Date: Fri, 26 Jan 1996 18:43:18 +0800 Subject: SMTP mail warning Message-ID: <9601260951.AB29137@toad.com> message From stewarts at ix.netcom.com Fri Jan 26 02:50:50 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 26 Jan 1996 18:50:50 +0800 Subject: Crippled Notes export encryption Message-ID: <199601260939.BAA26137@ix7.ix.netcom.com> At 01:18 PM 1/24/96 -0800, Jeff Weinstein wrote: >Mike Tighe wrote: >> > I can see two practical ways to build a netscape product outside >> > the US. The first is to export the source code for the Navigator >> > with the crypto code removed. .... >> Didn't Netscape already promise to remove the hooks? It seems to me all of >> the major software players are already in bed with the government. > > What do you mean by "promise to remove the hooks"? I think Mike's remembering the NCSA freeware httpd server which had the crypto code removed at the NSA's request. I don't remember if that was before or after the Mosaic developers left to form Netscape, but being an organization that gets government grant money subjects you to more leverage than a random commercial company. One seeming paradox of the law is that you're not allowed to export "components of a cryptosystem", e.g. software with the crypto routines removed but everything else there. But you are allowed to export code that the NSA has determined isn't strong enough to bother them, including applications with wimpy cryptosystems. 
The Clipper II escrow standardization folks attempted to get industry to agree on wiretap-enabled short-key software with tampering protection in return for export permission, but as far as I know the current not-officially-defined policy of 40 bits doesn't require that export-requesting software be non-modular; how much work would it be to binary-patch-replace the 40-bit subroutines in current Netscape with 128-bit subroutines? (More work than just mailing the US version overseas, I suppose :-) Obviously Netscape couldn't do it themselves if they wanted to ever get export permission again, but they could always issue a press release condemning the nasty foreigners for hacking their product ("We're SHOCKED to discover that HACKING is going on with our software!") #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "Eternal vigilance is the price of liberty" used to mean us watching # the government, not the other way around.... From iagoldbe at calum.csclub.uwaterloo.ca Fri Jan 26 02:52:14 1996 From: iagoldbe at calum.csclub.uwaterloo.ca (Ian Goldberg) Date: Fri, 26 Jan 1996 18:52:14 +0800 Subject: Crippled Notes export encryption In-Reply-To: <199601242348.PAA03565@ns1.vplus.com> Message-ID: <4e6k31$i5l@calum.csclub.uwaterloo.ca> In article <199601242348.PAA03565 at ns1.vplus.com>, Dan Weinstein wrote: >I forget how it is termed in ITAR, but expertise can't be exported >either. Another thing to remember is that Jeff and the others at >Netscape aren't writing the encryption algorithms themselves, they >implement the code that they get from RSA. Though most of the >code they get from RSA is already available abroad, if they wanted to >import it they would face serious copyright problems with RSA. Also, >like I suggested before any programmers who gained their knowledge of >crypto programming in the U.S.
and then went abroad and developed >crypto software would be in danger of prosecution under ITAR if they >ever returned to the U.S.. So how about my situation? I'm a Canadian student, currently studying in the US. Are you saying that if, after I get my degree and return to Canada, it would be illegal for me to write and export crypto stuff?! What if I'm in Canada for a few weeks between semesters and I write something then? - Ian "this is all really dumb..." From futplex at pseudonym.com Fri Jan 26 02:52:50 1996 From: futplex at pseudonym.com (Futplex) Date: Fri, 26 Jan 1996 18:52:50 +0800 Subject: Quick MACs (Re: Why is blowfish so slow? Other fast algorithms?) In-Reply-To: <199601260940.BAA26380@ix7.ix.netcom.com> Message-ID: <199601261012.FAA14755@thor.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- Bill Stewart writes: > Are there any simple but crypto-strong hash functions? [...] > I was thinking about using RC4 in some feedback mode as a MAC, > but it sounds like that's not secure enough? Is there anything > else that's short? MD5 requires too much code. Phil Rogaway gave a great talk at RSADSC about keyed hashing MACs. In all he described 12 different MACs (some of them variations on a theme), and gave some efficiency/security tradeoff numbers relative to the security of the underlying hash function. Apparently he had a paper in Crypto `95 about bucket hashing, which is generally fast and simple and apparently pretty secure. The idea is to place each word of the message into a unique fixed-size subset of a large set of buckets, XOR each bucket internally, then concatenate the results. I haven't yet read the paper (though I expect to do so soon), so I don't know all the details. I think the notion is that you can plug in any pseudo-random function to select the buckets, and get provably good security if you know your function is suitably pseudo-random. 
Check: http://wwwcsif.cs.ucdavis.edu/~rogaway/talks/list.html which has a link to his slides from last week, and http://wwwcsif.cs.ucdavis.edu/~rogaway/papers/list.html which has links to a heap of papers, including the full version of the Crypto `95 bucket hashing one. Futplex "a heap of PS papers that I _can_ print out without destroying whole forests" From jimbell at pacifier.com Fri Jan 26 02:53:44 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 26 Jan 1996 18:53:44 +0800 Subject: "Gentlemen do not read each other's mail" Message-ID: At 02:14 PM 1/25/96 -0800, Rich Graves wrote: > >I believe that the choice not to read other people's personal mail is an >ethical imperative, since we do not have and probably can not have total >privacy enforced by technology and law alone. Sure, strong crypto helps, >and should be spread, but there will always be back doors and >implementation bugs, and in the worst case, most people will give in to >moderate torture. > >It's hard to say what the ethical role of individuals in the government >(or Jim Bell's "assassination politics" organization, which quacks like a >government for me) is. Needless to say, I disagree. If you define government as, "That entity which keeps me from doing bad things to people," then a S+W model 629 .44 caliber revolver "quacks like a government to you." If the reason you don't do bad things in public because people will sneer at you and criticize, then sneering and criticizing "quacks like a government to you."
What "Assassination Politics" does is to eliminate the ability of 51% of the population to control the remaining 49%. If there is any residual pro-government bias left in this system, tell me and I will work strongly to root it out. From jimbell at pacifier.com Fri Jan 26 02:57:11 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 26 Jan 1996 18:57:11 +0800 Subject: "Gentlemen do not read each other's mail" Message-ID: At 06:43 PM 1/25/96 -0800, Rich Graves wrote: >Therefore, to ordain myself Devil's Advocate Being, is it not wrong, in >principle, for us human beings to inquire into the affairs of the humans >claiming the authority of Divine Governmental Beings? Are not the actions >of the Fort Meade Beings a matter for their own personal conscience, >absent any immediate, *direct* impact on us that would justify an >appropriate reaction, be it fight, flight, or encryption? Please assume no >funny theological beliefs in the existence of other Non-Divine Beings, or >sympathy therewith. > >Of course, on individual principle, I quite agree with you, which is why I >do not believe I could ever become a cleric or even disciple of any odd >religion. I'd really suck as a soldier, too. > >However, of Hobbes, Rousseau, Marx, Montesquieu, and Locke, I find Hobbes >the most logical. People just suck, and ethics aren't enough. Karl Marx >and Jim Bell talk about the withering away of the government, but what >they're really talking about looks like a new and more onerous form of >government to me. >-rich > Fucking Statist You might be surprised. I've considered that very question, which is at the "outer limits" of my "Assassination Politics" idea. Question: could the principles of that system eventually result in some sort of super-tyranny? In my opinion, no, if for no other reason than the average person simply doesn't have enough time to attempt to be tyrannical against 5 billion other people on the planet. How would it work?
Well, let's suppose 95% of the public believed that EVERYBODY, including the other 5%, should pay the Widget tax. Each citizen would have to pay it, and prove that he paid it, or those 95% would pay to have the 5% killed. The Widget tax would buy Widgets from the Widget manufacturer, and they would be installed so as to benefit THE PUBLIC. Problem is, taxes are collected, not simply to take them from one person, but to give them to another. The 5% might have to pay the Widget Tax, but they could also pay to have the immediate beneficiaries of the Widget Tax killed (the manufacturers of the widgets themselves, or at least those manufacturers that accept orders for widgets paid for by stolen tax dollars.) At this point, nobody will risk making widgets anymore, so the Tax will be unjustified and abandoned as uncollectible and useless. From frissell at panix.com Fri Jan 26 03:31:55 1996 From: frissell at panix.com (Duncan Frissell) Date: Fri, 26 Jan 1996 19:31:55 +0800 Subject: "This post is G-Rated" Message-ID: <2.2.32.19960126111304.00968f58@panix.com> At 01:58 PM 1/25/96 -0800, Bill Frantz wrote: >The big problem is how are the labels attached to the programs. I >agree with Tim that it is probably impossible for individual Usenet >postings. However it should be possible for TV programs, and whole >newsgroups. Since TV programs will soon *be* "individual Usenet postings," it will not be possible to rate them. Even the Earth doesn't have that much time. The economic "drag" involved would be too great. Once we have high-speed connections to the nets, the amount of video out there will explode. There will be more to watch than watchers (remember video archives). Search engines will help people find what they want and avoid what they don't want. "Sex and Drugs and Rock and Roll" (Wine, Women, and Song) will be like any other available subject -- some will want to find it and some will want to avoid it.
Just another problem of how to extract the content you want from all the mess. Search engines won't be all that perfect but they will be all we have. One wonders why people spend so much time arguing about the V-chip, telecoms dereg, sex on the net, Trade Policy, or Immigration when it's intuitively obvious that these things are (or soon will be) no longer subject to central control of any kind. DCF "King Canute, we are here!" From perry at piermont.com Fri Jan 26 04:10:01 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 26 Jan 1996 20:10:01 +0800 Subject: This is not "DivineBeingPunks" In-Reply-To: Message-ID: <199601261152.GAA18691@jekyll.piermont.com> Timothy C. May writes: > Since Perry has on several occasions said he does not want to hear about > politics and other "off-topic" posts, and since he has written at least > five of these posts just today (the "Gentleman do not" thread), I suggest > he heed his own advice. Well, the topic was initially quite cryptography related -- a discussion of the question of whether government cryptanalysis efforts are a "good idea". However, in my last message on the topic you probably saw that I noted that the issue had certainly slipped sufficiently from the local agenda that I personally noted that it was no longer appropriate for me to post on the topic. I don't intend to say anything more about it since it no longer was merely a discussion of whether we need an NSA. However, redirecting the topic, I will note that Phill's assertion that U.S. cryptographic intelligence versus the Japanese at the start of World War II was inadequate is just plain wrong. We had already broken virtually every important Japanese diplomatic and military code, including perhaps the greatest feat of cryptanalysis of all time, the breaking of PURPLE. See "The Code Breakers" for details. And yes, discussing historical cryptanalysis efforts is indeed part of the charter. 
Perry From ampugh at mci.newscorp.com Fri Jan 26 04:28:43 1996 From: ampugh at mci.newscorp.com (Alan Pugh) Date: Fri, 26 Jan 1996 20:28:43 +0800 Subject: Microsoft's CryptoAPI - thoughts? Message-ID: <199601260618.BAA14447@camus.delphi.com> >>What does everyone think about this? Perhaps I already missed the boat, but >>I just found out about it. How would international apps work? Would a data >>file encrypted with an app compiled with a US-only CSP (cryptographic >>service provider) be able to be loaded by a European equivalent app? >> >>[Info can be found at: http://www.microsoft.com/intdev/inttech/cryptapi.htm] I too would be interested in any insights some of the folks here might have on this API. It would seem to me that in light of some of the discussions on this list recently concerning the perversity of ITAR, that this API could easily run afoul of it. I've seen a brief article on it in pcweek and was surprised I'd not seen it here yet. Perhaps I just missed it. I hate to say good things about M$, but they certainly have the pull to perhaps get an API through. amp From geoff at commtouch.co.il Fri Jan 26 05:05:39 1996 From: geoff at commtouch.co.il (geoff klein) Date: Fri, 26 Jan 1996 21:05:39 +0800 Subject: PGP in Eudora and other mail programs Message-ID: <9601261210.AB19065@commtouch.co.il> -----BEGIN PGP SIGNED MESSAGE----- X-Pgprequest: signed MIME-Version: 1.0 Content-Type: multipart/mixed; boundary=dgjlnouteqkhfsmbcz97531sfhkmpi > THIS IS A MESSAGE IN 'MIME' FORMAT. Your mail reader does not support MIME. > Some parts of this will be readable as plain text. > To see the rest, you will need to upgrade your mail reader.
--dgjlnouteqkhfsmbcz97531sfhkmpi Content-Type: application/octet-stream Content-Description: PGP encrypted file Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Mime-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit To: tcmay at got.net, cypherpunks at toad.com Date: Fri Jan 26 14:30:46 1996 At Thu, 25 Jan 1996 11:54:46 -0800 Timothy C. May wrote: >..... > And yet how many of these programs actually can transparently > (automatically, push-button, etc.) support PGP? >...... Commtouch is about to release Beta-1 of Pronto Secure. This will REALLY support PGP transparently, and as far as E-mail clients go, Pronto makes Eudora look like "sour grapes". We expect to announce a special Beta testing offer for c'punks in early February. - ---------------------------------------------------------------------- Geoff Klein email: geoff at commtouch.com Product Manager - Pronto Secure http: //www.commtouch.com - ---------------------------------------------------------------------- CommTouch SW Inc, U.S CommTouch, Israel Home, Israel 1206 W. Hillsdale Blvd 10 Technology Ave 27 Amishav St San Mateo, CA 94403 Ein Vered, 40696 Tel-Aviv, 67191 Tel: (415) 578-6580 Tel: 972(9)963445 972 (3) 7321378 Fax: (415) 578-8580 Fax: 972(9)961053 972 (3) 5716203 - ---------------------------------------------------------------------- --dgjlnouteqkhfsmbcz97531sfhkmpi-- From fardank at batelco.com.bh Fri Jan 26 05:13:01 1996 From: fardank at batelco.com.bh (Khalil) Date: Fri, 26 Jan 1996 21:13:01 +0800 Subject: Information Message-ID: <2.2.32.19960126065538.00691458@batelco.com.bh> I am very much interested to find out more about this type of remailing service.
I would appreciate any information I get. Regards Khalil From jya at pipeline.com Fri Jan 26 05:25:35 1996 From: jya at pipeline.com (John Young) Date: Fri, 26 Jan 1996 21:25:35 +0800 Subject: NSA advanced knowledge Message-ID: <199601250144.UAA26828@pipe3.nyc.pipeline.com> Responding to msg by rsalz at osf.org (Rich Salz) on Wed, 24 Jan 7:34 PM >Is there any indication that the NSA knew about >public-key before it entered the open literature? Fred B. Wrixon writes in "Codes and Ciphers," under the "Public Key" entry: ... This Hellman-Diffie proposal was apparently anticipated by a similar version developed by the National Security Agency (NSA) a decade earlier. (p. 164) No citation or elaboration is given for this claim. Wrixon's book is a simply written compendium: Codes and Ciphers: An A to Z of Covert Communication, from the Clay Tablet to the Microdot. Fred B. Wrixon Prentice Hall, 1992. Paper $18.00 ISBN 0-13-277047-4 From andrew_loewenstern at il.us.swissbank.com Fri Jan 26 05:26:35 1996 From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern) Date: Fri, 26 Jan 1996 21:26:35 +0800 Subject: German home banking (fromn RISKS) Message-ID: <9601250134.AA00818@ch1d157nwk> > Don't high speed modems transmit and receive on the same frequencies, > using echo cancelation to decode the receive signals? Does that > make it impossible to eavesdrop on high-speed (i.e. V32bis) modems? No, and a lot of crackers and phone phreaks found out the hard way. You can buy protocol analysers off-the-shelf that will give a dump of the entire communication by just passively listening in (or possibly playing back a recording). I have seen units that could decode all of the popular Blue Book protocols for consumer equipment such as faxes and high-speed modems as well as ISDN, T1, DS3, ATM, etc... Most are programmable and some are full-blown computers running stripped down versions of Unix and can also be controlled over the network from RealComputers. 
With multiple analysers and a little custom software you could easily perform MITM attacks. The hardest part is getting in the middle. Modulation, comm-protocols, and compression techniques are not a replacement for honest to goodness crypto. andrew From warlord at MIT.EDU Fri Jan 26 05:39:01 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Fri, 26 Jan 1996 21:39:01 +0800 Subject: Crippled Notes export encryption In-Reply-To: <4e6j28$g49@calum.csclub.uwaterloo.ca> Message-ID: <199601250056.TAA10109@toxicwaste.media.mit.edu> > Would the above code be export-restricted because it contained wishful > thinking about how nice it would be to use encryption? IANAL, but my guess is that no, that code would not be exportable. At least not if there really is a domestic vs. export version. Yes, it gets really fuzzy here. I think if you started with this code and didn't have any hooks at all, and only had a version (domestic and export) which contained this wishful thinking, you might get away with it. Then again, if that were the case it would not be export controlled in the first place since it doesn't use encryption ;) Yes, it is a huge can of worms. Worse, since it is done on a case-by-case basis, there really is no clear definition of where the exportable vs. non-exportable line actually is. You need to try it to test if it will work or not. -derek From nobody at REPLAY.COM Fri Jan 26 05:44:40 1996 From: nobody at REPLAY.COM (Anonymous) Date: Fri, 26 Jan 1996 21:44:40 +0800 Subject: Denning's Crypto Archy Message-ID: <199601261314.OAA13834@utopia.hacktic.nl> Cypherptoady's updatest unscratchable crypto itch and salve: http://www.cosc.georgetown.edu/~denning/crypto/Future.html From karl at cosmos.cosmos.att.com Fri Jan 26 05:46:00 1996 From: karl at cosmos.cosmos.att.com (Karl A. Siil) Date: Fri, 26 Jan 1996 21:46:00 +0800 Subject: Intl. Keysize Limit vs. U.S. Keysize Limit (Was: Re: Hack Lotus?) 
Message-ID: <2.2.32.19960126133039.0076f604@cosmos.cosmos.att.com> At 12:50 AM 1/26/96 -0500, Futplex wrote: >-----BEGIN PGP SIGNED MESSAGE----- > It would be just as easy to build the intl. version of Notes with 128-bit+spy >keys, with 40 bits of truly protected key and 88 bits of espionage-enabled >key, and then use straight 128 bits in the domestic version. Does anyone else find it worrisome that given 24 bits of a 64-bit key, the encryption may not be as strong as the same algorithm with a 40-bit key (e.g., for a variable key-length algorithm like RC4)? In other words, I suspect some algorithms might not derive their protection mechanisms equally from each key bit. What if guessing the remaining 40 bits is as easy as guessing the rest of xyl******? Just pondering. Karl From trei at process.com Fri Jan 26 06:46:13 1996 From: trei at process.com (Peter Trei) Date: Fri, 26 Jan 1996 22:46:13 +0800 Subject: Etch-a-sketch Message-ID: <9601261427.AA05709@toad.com> > Ok.. I'm still getting mail regarding the etch-a-sketch keychain. Thus > I'm going to look at how to get em for everyone. :) > > Just letting you all know. Don't bury me in 'I want one mail.' As soon as > I have the info I'll get it out to the hungry crowd. Heh. At that point > you can bury me happily. > > Jonathan Can't be too many cpunks out there with rugrats. I've seen these in toy stores. Peter Trei trei at process.com From shamrock at netcom.com Fri Jan 26 07:17:44 1996 From: shamrock at netcom.com (Lucky Green) Date: Fri, 26 Jan 1996 23:17:44 +0800 Subject: [local] Report on Portland Cpunks meeting Message-ID: At 13:33 1/24/96, Jonathan Rochkind wrote: >If, on the other hand, I sign "Toxic Avenger"'s key, then what benefit is >this for third parties? Since Toxic Avenger is, by intention, _not_ linked >to a real person, I'm not saying that I feel confident that this key really >belongs to any particular real person. What am I saying? What if the nym is linked to a real person?
There are nyms on this list that people here have met in person, talked with on the phone, etc. Say that person verifies their key fingerprint. Should one sign the key? I have signed keys of people without seeing their ID, because I and everyone else I know knows them under the name on the key. What if I watch someone _generate_ a key under the nym "Master Blaster"? I know that "Master Blaster" isn't their real name. Does that mean I shouldn't sign the key? -- Lucky Green PGP encrypted mail preferred. From alano at teleport.com Fri Jan 26 07:42:40 1996 From: alano at teleport.com (Alan Olsen) Date: Fri, 26 Jan 1996 23:42:40 +0800 Subject: Win95 Registration Wizard info Message-ID: <3108f533.idoc@idoc.idoc.ie> I picked this link up from the Fringewear list. It has some interesting information for quelling rumors and starting new ones. ftp://ftp.ora.com/pub/examples/windows/win95.update/regwiz.html The author takes the registration Wizard in Win95 apart and shows exactly what it does and what it looks for. Some interesting information about the encrypted database of product information it uses. It has a complete list of all of the products that the registration looks for. (PGP is not one of them.) Some interesting facts about what it does look for however... Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "Is the operating system half NT or half full?" From nobody at replay.com Fri Jan 26 07:54:17 1996 From: nobody at replay.com (Anonymous) Date: Fri, 26 Jan 1996 23:54:17 +0800 Subject: Attack Simulator Message-ID: <3108f534.idoc@idoc.idoc.ie> Internet Scanner Software Checks Network Security Atlanta, Jan. 17 -- Internet Security Systems has released version 3.2 of its Internet Scanner software. The company said the program is an "attack simulator" that tests your organization's network for security holes. 
ISS said Internet Scanner 3.2 has enhanced reporting capabilities and added tests for more than 130 security vulnerabilities, including the recently revealed Microsoft File Sharing bug. "Our added focus on Microsoft security holes stems from our customers' rapid adoption of TCP/IP (Transmission Control Protocol/Internet Protocol)-enabled Microsoft Windows NT and Windows 95," said Chris Klaus, founder and chief executive officer of ISS. According to Don Ulsch, a security consultant affiliated with the National Security Institute in Westborough, Massachusetts, The movement to Windows 95 created a whole new set of security concerns for network administrators. "Similar to virus scanning software, a security scanning tools' value to a corporation declines quickly unless it can detect the latest security holes. In the security arena, every upgrade is crucial," said Ulsch. New features of Internet Scanner 3.2 include added reporting capabilities including hyperlinks that connect to CERT advisories and vendor World Wide Web sites to pull down patches and information regarding network holes, and addition of Linux as a supported platform. The company said that will allow easy scanning from laptop PCs. The additional tests added to the new version include the Microsoft File Sharing bug, the TelnetD bug, the Stealth Scan, Finger Bomb, and misconfigured Linux NIS services. The company said its customers who have current maintenance contracts can now electronically download the updated version from the USS Web home page at http://iss.net. Internet Security Systems, tel 770-441-2531, fax 770-441-2431 From tighe at spectrum.titan.com Fri Jan 26 08:30:22 1996 From: tighe at spectrum.titan.com (Mike Tighe) Date: Sat, 27 Jan 1996 00:30:22 +0800 Subject: Secrecy of NSA Affiliation In-Reply-To: Message-ID: <199601261458.IAA09396@softserv.tcst.com> >Up until recently (18-30 months ago) NSA employees were only allowed >to identify themselves as employees of DoD. 
It was common knowledge, >that unspecific references to Fort Meade meant NSA; and if you saw >a P.O. from Procurement Office, Fort Meade, it meant the NSA was buying >it. Nothing has really changed. During orientation, you are told to keep your NSA affiliation low key. But you are not ordered to. This was part of the No Such Agency stuff, trying not to draw attention to yourself or the Agency, and to avoid questions from the curious. Perhaps the most important reason for keeping it low key though, was to preserve your career options. But for disciplines such as crypto, the choices are quite limited so broadcasting you are NSA does not matter much. From frissell at panix.com Fri Jan 26 08:45:07 1996 From: frissell at panix.com (Duncan Frissell) Date: Sat, 27 Jan 1996 00:45:07 +0800 Subject: Denning's Crypto Archy Message-ID: <2.2.32.19960126144544.006706b4@panix.com> At 02:14 PM 1/26/96 +0100, Anonymous wrote: > >Cypherptoady's updatest unscratchable crypto itch and salve: > > >http://www.cosc.georgetown.edu/~denning/crypto/Future.html > > A good read. You know you're making progress when they start to address your arguments. "Although May limply asserts that anarchy does not mean lawlessness and social disorder, the absence of government would lead to exactly these states of chaos." I've never known Tim to offer limp assertations. DCF From tighe at spectrum.titan.com Fri Jan 26 08:46:44 1996 From: tighe at spectrum.titan.com (Mike Tighe) Date: Sat, 27 Jan 1996 00:46:44 +0800 Subject: Gentlemen do not read each other's mail In-Reply-To: <199601252343.PAA00884@ix11.ix.netcom.com> Message-ID: <199601261447.IAA08462@softserv.tcst.com> Marc J. Wohler writes: > "Gentlemen do not read each other's mail." > Ben Franklin > >Original quote by Ben Franklin when the British government published >(stolen?) private letters of >John Adams to his wife critical of Franklin and other members of the >Continental Congress. Can you provide a source for this?
Franklin was known to use encryption, and the quote has been attributed to Stimson and no one else for years. I really doubt Franklin was naive enough to think that the British government were gentlemanly enough to respect his privacy. From adam at lighthouse.homeport.org Fri Jan 26 08:48:30 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sat, 27 Jan 1996 00:48:30 +0800 Subject: Crypto Exports, Europe, and Conspiracy Theories In-Reply-To: Message-ID: <199601261506.KAA11118@homeport.org> Timothy C. May wrote: | You have to ask yourself this question: "Why are there no cryptographically | strong products--finished products, not specific ciphers or chunks of | code--developed in Europe and freely imported into the U.S.?" There are. If you buy a Gauntlet Internet firewall from TIS, you can also buy a German T1 speed DES card for it. I believe the code was written by TIS's London office. The Israeli Firewall-1 (version 2) firewall offers VPN (Virtual Private Networks) with some decent encryption scheme. There are not yet a lot of products, and these, as Tim will doubtless point out, are somewhat obscure, not mass market products. I would attribute that to the nature of information in the international marketplace. There is not 'perfect information' but very imprecise and foggy information. Most of us don't know anyone who has bought a foreign crypto product (heck, how many of us have bought a crypto product at all?). Incidentally, TIS (ww.tis.com) did a survey of foreign crypto products which is on the web. There are very few 'full blown' encryption products out there. PGP seems to have the most users, but I don't know of any real competition for it, inside or outside the US. Adam -- "It is seldom that liberty of any kind is lost all at once."
-Hume From tighe at spectrum.titan.com Fri Jan 26 08:49:38 1996 From: tighe at spectrum.titan.com (Mike Tighe) Date: Sat, 27 Jan 1996 00:49:38 +0800 Subject: TOP_tap In-Reply-To: Message-ID: <199601261500.JAA09492@softserv.tcst.com> Thomas Chiniewicz writes: >isn't the NSA a branch of the CIA? And I thought the CIA and DOD were >separate organizations or was that an incorrect assumption? No, it is a civilian organization within the DOD. The CIA is a civilian organization outside of the DOD. Although it appears Deutch is trying to change all of that as we speak, and Inman wants to abolish the CIA altogether. From tighe at spectrum.titan.com Fri Jan 26 09:01:26 1996 From: tighe at spectrum.titan.com (Mike Tighe) Date: Sat, 27 Jan 1996 01:01:26 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: <199601252139.QAA16761@jekyll.piermont.com> Message-ID: <199601261504.JAA09730@softserv.tcst.com> Perry E. Metzger writes: >I am a funny sort of person. I don't believe that governments should >be able to do anything that individuals cannot. If it is bad for me to >steal, it is also bad for a government official to steal. If it is bad >for me to listen in on my neighbor's phone calls, it is bad for the >government, too. I do not see anything funny, but you are at odds with the Constitution, where the people have granted the government certain rights that they have not granted to themselves. But it seems we may be making progress at getting those rights ourselves. From m5 at dev.tivoli.com Fri Jan 26 09:02:49 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Sat, 27 Jan 1996 01:02:49 +0800 Subject: "This post is G-Rated" In-Reply-To: <199601260353.TAA07900@netcom6.netcom.com> Message-ID: <9601261457.AA12607@alpha> Bill Frantz writes: > It seems to me that a moderated news group or mailing list would be easy. > You don't expect explicit sex descriptions to show up in the comp. > hierarchy. So what's the current moderated/unmoderated newsgroup ratio?
(And what's the ratio weighted by newsgroup traffic or popularity?) > An unmoderated group or list carries a higher risk of seeing inappropriate > material. However even unmoderated lists have standards and those people > who enforce those standards. Enforce? Enforce? Exsqueeze me? > This kind of enforcement is an example of > communitarian as opposed to authoritarian control. It all depends on just > how vital it is to the consumer (and rating group) that NO inappropriate > material appear. And of course, it doesn't work. There's an unlimited amount of mindless dreck floating around every unmoderated newsgroup; I've been reading news long enough (and NN makes it easy enough) that I avoid it without a second thought. I assure you, however, that no attempts at "netiquette enforcement" are effective in a general sense. > Crypto relevance: Public key systems or digital signatures can help ensure > that the material actually comes from its reputed source (e.g. the > moderator). How many people are there willing to moderate newsgroups? How many people are willing to set up alternatives to moderated newsgroups once the moderator becomes unpopular (see the history of the .telecom groups for an illustration)? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish.
| Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From jcorgan at aeinet.com Fri Jan 26 09:09:58 1996 From: jcorgan at aeinet.com (Johnathan Corgan) Date: Sat, 27 Jan 1996 01:09:58 +0800 Subject: "This post is G-Rated" In-Reply-To: <2.2.32.19960126111304.00968f58@panix.com> Message-ID: On Fri, 26 Jan 1996, Duncan Frissell wrote: > One wonders why people spend so much time arguing about the V-chip, telecoms > dereg, sex on the net, Trade Policy, or Immigration when it's intuitively > obvious that these things are (or soon will be) no longer subject to central > control of any kind. It is absolutely fascinating to observe the widely differing views held by you and Lucky Green on the same subjects. The two of you seem to represent opposite ends of the spectrum of cypherpunks thought, to the extent that there is such a thing. Food for thought. -- Johnathan M. Corgan jcorgan at aeinet.com http://www.aeinet.com/jcorgan.htm From lull at acm.org Fri Jan 26 09:17:46 1996 From: lull at acm.org (John Lull) Date: Sat, 27 Jan 1996 01:17:46 +0800 Subject: Microsoft's CryptoAPI - thoughts? In-Reply-To: <199601260802.DAA08993@thor.cs.umass.edu> Message-ID: <3108f221.3021701@smtp.ix.netcom.com> On Fri, 26 Jan 1996 03:02:56 -0500 (EST), Futplex wrote: > Has someone here managed to extract PostScript hardcopy of the CAPI from this > Web page? I tried earlier this evening and wound up with a miniature > ecological disaster on my hands. The page says: No problem on a LaserJet 4M. > "For ease of online reading and printing, we've provided copies of this > lengthy document in Microsoft Word and Postscript formats." I tried printing the Word version from WordView, also, and ran into major problems. It absolutely insisted on setting the printer to manual feed, and when I tried to print the odd-numbered pages, WordView crashed completely.
> Worse still, it appears that the > capiapp.ps file is actually a catenation of many PostScript files (one per > chapter?), each beginning with a version of this ensnarling line. Maybe that's why I couldn't extract odd & even-numbered pages. From jya at pipeline.com Fri Jan 26 09:26:00 1996 From: jya at pipeline.com (John Young) Date: Sat, 27 Jan 1996 01:26:00 +0800 Subject: BAA_bab Message-ID: <199601261542.KAA21959@pipe2.nyc.pipeline.com> 1-26-96. TWP: "Police Search of AOL Files Divides the On-Line World." Police descended on the company's headquarters Monday to perform the first such search ever of America Online records. Police are enthusiastic about the potentially incriminating information stored in computers. "It's a bit chilling, especially if you consider the idea of police pulling up an instant profile on you with the punch of a couple buttons," Woolie baa-ed to Babe. 1-26-96. WSJ: "Internet Racial Hatred Case Investigated." The Mannheim prosecutor's office is investigating CompuServe Inc. and Deutsche Telekom AG's T-Online service for inciting racial hatred, a crime in Germany, because they provide access to the Internet, where a Canadian neo-Nazi has set up a home page. Although Mr. Zuendel lives in Toronto, "because it's available over the Internet, it also can be called up in Germany," the official said. "Then the scene of the crime is all of Germany." BAA_bab From stevenw at best.com Fri Jan 26 09:27:19 1996 From: stevenw at best.com (Steven Weller) Date: Sat, 27 Jan 1996 01:27:19 +0800 Subject: [NOISE] Bad key management Message-ID: >From RISKS: ------------------------------ Date: Tue, 23 Jan 1996 20:32:37 -0500 (EST) From: Ed Ravin Subject: I won't tell if you won't... I just found this browsing through a router manufacturer's "Frequently Asked Questions" file: Q3 I have a bridge/router, and I have forgotten my password. I am no longer able to log in and configure the device(s). What do I do now? Do not panic! 
Enter the following password at the password prompt:XYZZYHIMOM. This should get you into the unit. Notice!! This is a back door to the units, and should not be made available to people who do not need to know about it! And I don't even own one of these routers -- I found this in a reseller's online catalog. Back doors in devices that are often hooked directly to external networks are a Bad Idea, if you ask me. At least the manufacturer documented it... (password above changed to protect the guilty) Ed Ravin +1 212 678 5545 eravin at panix.com ------------------------------ ------------------------------------------------------------------------- Steven Weller | "The Internet, of course, is more | than just a place to find pictures | of people having sex with dogs." stevenw at best.com | -- Time Magazine, 3 July 1995 From jsw at netscape.com Fri Jan 26 09:29:01 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Sat, 27 Jan 1996 01:29:01 +0800 Subject: Crippled Notes export encryption In-Reply-To: <199601241509.JAA26060@softserv.tcst.com> Message-ID: <3106A21E.33E3@netscape.com> Mike Tighe wrote: > > Jeff Weinstein writes: > > > I can see two practical ways to build a netscape product outside > >the US. The first is to export the source code for the Navigator > >with the crypto code removed. All of the calls to crypto would > >have to be removed as well. I've heard some people claim that the > >government could come after us on the grounds that we were taking > >part in a conspiracy to export strong crypto. > > Didn't Netscape already promise to remove the hooks? It seems to me all of > the major software players are already in bed with the government. What do you mean by "promise to remove the hooks"? --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
From jsw at netscape.com Fri Jan 26 09:29:01 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Sat, 27 Jan 1996 01:29:01 +0800 Subject: FW: Veriphone and Netscape Team to Provide Internet Payment Solutions In-Reply-To: <01BAE929.12D6ADE0@ploshin.tiac.net> Message-ID: <3106D971.D58@netscape.com> Pete Loshin wrote: > > Here's the Netscape press release on their Verifone collaboration; > note that they explain nothing about 128 bits or 1024 bits--but Netscape > now appears to claim to be the sole developers of SEPP. Thanks for pointing out the bit about us claiming to have developed SEPP. I spoke to our Director of PR and it appears that the sentence was mangled as the release was going through several rounds of revisions between our PR dept. and VeriFone's. A corrected version of the release should be posted on our web site in the next few days. It properly indicates that SEPP (now SET?) is a cross industry effort that Netscape is participating in. Sorry, no bugs bounty for press releases. :-( --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From jlasser at rwd.goucher.edu Fri Jan 26 09:29:59 1996 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Sat, 27 Jan 1996 01:29:59 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: Message-ID: On Fri, 26 Jan 1996, Alan Horowitz wrote: > The first was in a monograph which was putting forth the proposition that > FDR ardently desired to become involved in the war. By the way, FDR was > the man who made wage income, subject to federal taxation for the first > time. > > I don't remember where I read the second. > > To me, both stories are plausible. In fact, before FDR, wage income was taxed; however, it was one large check at the end of the year (or the beginning of the next, really).
The high cost of WW II made it a necessity for the gvm't to have more money at a particular moment, and not wait for year-end. I can't remember when the amendment constitutionalizing (is that a word) the income tax was passed; however, the income tax (and wage income was most certainly taxed) was AFAIK implemented by the end of the 19th century. I might be wrong on dates here; the general principle still stands... Jon Lasser ------------------------------------------------------------------------------ Jon Lasser (410)494-3072 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From jamesd at echeque.com Fri Jan 26 09:33:09 1996 From: jamesd at echeque.com (James A. Donald) Date: Sat, 27 Jan 1996 01:33:09 +0800 Subject: mouse droppings Message-ID: <199601261616.IAA11484@mailx.best.com> At 12:49 PM 1/24/96 -0500, j. ercole wrote: >One issue, "mouse droppings" --- "a trail of every site they visit and for >how long [on the www], was highlighted as an example of existing privacy >regulations falling short of consumer expectations. Apparently, the >amorphous public is shocked, *SHOCKED* I tell you , to discover that their >service providers are selling the personal preference information to the >highest bidder. More info in article. > >Would some rocket scientist speak to this terrifying mouse droppings issue? Jeff Weinstein and others have provided, or are working on, various technological solutions to this problem: Meanwhile the FTC wants to solve this privacy problem by checking out every person's computer to make sure you are not keeping any privacy violating information in your files. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state.
| jamesd at echeque.com From asgaard at sos.sll.se Fri Jan 26 09:34:05 1996 From: asgaard at sos.sll.se (Asgaard) Date: Sat, 27 Jan 1996 01:34:05 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: Message-ID: Jim Bell wrote: > While this may be based on the "classic" view of the start of the direct > involvement in WWII, I agree with the opinion of an old college professor > that the US KNEW that the Japanese were going to attack, SOMEWHERE and > SOMEWHEN (but not exactly), and in fact WANTED the attack to occur to > justify getting into a war that we "should" have entered. Alan Horowitz added: >I've read that FDR had a humint source warning of a Japanese strike on >Pearl Harbor. I also recall reading that J Edgar Hoover received a report >of a diplomatic conversation detailing the planned attack, but sat on it. And this is from a post I sent to the list last summer: *************************************************************** I just read 'Infamy' by John Toland (1982), containing 'proof' - very convincing, in my opinion - of the Pearl Harbour cover-up. The US president, selected members of his cabinet and a few admirals and generals knew - from Magic and the 'winds' execute, radio traffic analysis, diplomatic sources, double agents - exactly when and where the Japanese were going to attack, but didn't warn Hawaii, fearing that too efficient counter-measures by the Oahu military might make the attack abort and so not convince the isolationists. The unexpected tactical capabilities of the Japanese armada then made a cover-up all the more important. ***************************************************************** The unfortunate cipher expert Captain Safford spent most of his post-war life trying to uphold the honour of his fellow cryptanalysts, putting the blame on generals and politicians, but in vain. 'Infamy' is an interesting book. Asgaard From jamesd at echeque.com Fri Jan 26 09:49:46 1996 From: jamesd at echeque.com (James A.
Donald) Date: Sat, 27 Jan 1996 01:49:46 +0800 Subject: "Gentlemen do not read each other's mail" Message-ID: <199601261641.IAA13862@mailx.best.com> [This discussion was originally about the "right" of governments to read people mail. As is natural and appropriate, it immediately became necessary to discuss the general question of rights.] >On Thu, 25 Jan 1996, Perry E. Metzger wrote: >> I am a funny sort of person. I don't believe that governments should >> be able to do anything that individuals cannot. At 07:00 PM 1/25/96 -0500, Alan Horowitz wrote: > So violent criminals should never be jailed? Probably he believes they should be shot instead. The principle that governments have no special moral rights beyond those of normal men leads logically to the conclusion that men have a natural right to engage in just retribution, provided of course that such retribution can be seen to be just. John Locke has written at some length, attempting to justify limited government on this principle. > > --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From teddygee at visi.net Fri Jan 26 10:00:48 1996 From: teddygee at visi.net (Ted Garrett) Date: Sat, 27 Jan 1996 02:00:48 +0800 Subject: Cypherpunk Enquirer Message-ID: <2.2.32.19960126172125.006b2d88@mail.visi.net> Man, I wish I knew who was writing this! No matter what mood I start out in, once I've waded through the noise and get to the Enquirer, I always feel better. 
From shamrock at netcom.com Fri Jan 26 10:06:54 1996 From: shamrock at netcom.com (Lucky Green) Date: Sat, 27 Jan 1996 02:06:54 +0800 Subject: "This post is G-Rated" Message-ID: At 7:24 1/26/96, Johnathan Corgan wrote: >On Fri, 26 Jan 1996, Duncan Frissell wrote: > >> One wonders why people spend so much time arguing about the V-chip, telecoms >> dereg, sex on the net, Trade Policy, or Immigration when it's intuitively >> obvious that these things are (or soon will be) no longer subject to central >> control of any kind. > >It is absolutely fascinating to observe the widely differing views held >by you and Lucky Green on the same subjects. > >The two of you seem to represent opposite ends of the spectrum of >cypherpunks thought, to the extent that there is such a thing. It's been like that for a long time :-) Just for the record, I hope that Duncan's view will prove to be correct. -- Lucky Green PGP encrypted mail preferred. From sandfort at crl.com Fri Jan 26 11:43:36 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Sat, 27 Jan 1996 03:43:36 +0800 Subject: OFFSHORE RESOURCES Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, There has been sporadic interest on this list with regard to offshore incorporation, banking, etc. While ads for offshore services are common in the international press, until now, none of these companies has an Internet presence. THE ECONOMIST has an ad for OCRA, a group that specializes in offshore company services. What's new is that they have a Web page. It includes a good primer on the benefits from going offshore and on selected offshore jurisdictions. I've never done business with these folks, but they have good info.
S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From sandfort at crl.com Fri Jan 26 11:47:28 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Sat, 27 Jan 1996 03:47:28 +0800 Subject: DUH Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, In my OFFSHORE RESOURCES post I left out the URL, which is: http://www.ocra.com/ S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From perry at piermont.com Fri Jan 26 11:47:49 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 27 Jan 1996 03:47:49 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: <9601261803.AA04117@zorch.w3.org> Message-ID: <199601261805.NAA24009@jekyll.piermont.com> As previously noted, we've drifted off charter, so I will answer in private mail. .pm hallam at w3.org writes: > Perry writes, > > >I am a funny sort of person. I don't believe that governments should > >be able to do anything that individuals cannot. If it is bad for me to > >steal, it is also bad for a government official to steal. If it is bad > >for me to listen in on my neighbor's phone calls, it is bad for the > >government, too. > > This statement commits the logical falacy of type incompatibility. Sets of > objects are not the same as objects. Organisations of people have different > characteristics to people. To accord the same rights to idividuals is to igno re > the different chaqracteristics of the organisation over the group. In most ca ses > we would ascribe fewer individual liberties to groups than to individuals. Th e > individual may have freedom of speech but the government official does not. I t > is generally undesirable for military personel to enter into party politics, > thus it is generally undesirable for such people to take part in party politi cal > broadcasts. 
> > On the other hand there are casses in which we would wish to give the governm ent > more power than the individual. We give the government the right to raise > taxation for example. > > Thus Perry is not only a funny sort of person, he is also entirely negating t he > argument that Mill puts forward in "on Liberty", namely that the interests of > the government and people are not as opposed as might appear, that it is > possible to divide liberties into those which the state must excercise in ord er > to protect the liberty of the population in general and those which the > individual needs to protect themselves from government and other interference From ericm at lne.com Fri Jan 26 11:50:19 1996 From: ericm at lne.com (Eric Murray) Date: Sat, 27 Jan 1996 03:50:19 +0800 Subject: Nym use in the real world Message-ID: <199601261801.KAA07578@slack.lne.com> With the coming Internet restrictions and growing use of the net by LEAs, it's become obvious to me that I shouldn't post messages with my real name. But I have some problems/questions about using a nym: 1. reputation. My nym will need to build it's own reputation, I know. But I currently get offers of work based on my reputation and posts. I would like this to continue. When it comes time to do the work and collect the pay, I need to tie my nym to me. Reasons: only the most adventurous firms would hire someone to do work without knowing their real name. I also need to have the proper forms (1099 etc) filed. I know that a lot of people on the list would say that I shouldn't file taxes, but I am (currently) willing to pay the price to stay out of jail. The other problem (tying the nym to RealName) for employers is more severe. A nym is only good when no one can tie it to your real name. If I have to tell everyone I do work for what my real name and nym is, soon enough people will be able to tie the two that the nym becomes nearly useless. 2. does it (a nym) really help? 
Police and governments are used to dealing with people who change their names, use fake names, etc. I get the impression that having multiple/fake names is considered by police to be evidence or at least indication of guilt. "If you're not guilty why're you hiding?". Using a nym would at least help with the problem of police or other parties searching through Dejanews/Altavista for my posts for incriminating evidence. But if my nym is investigated for some future crime (fuck Exon) and my nym isn't secure enough to protect my RealName, it will be a liability. Thoughts? From hallam at w3.org Fri Jan 26 11:58:16 1996 From: hallam at w3.org (hallam at w3.org) Date: Sat, 27 Jan 1996 03:58:16 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: <199601252139.QAA16761@jekyll.piermont.com> Message-ID: <9601261803.AA04117@zorch.w3.org> Perry writes, >I am a funny sort of person. I don't believe that governments should >be able to do anything that individuals cannot. If it is bad for me to >steal, it is also bad for a government official to steal. If it is bad >for me to listen in on my neighbor's phone calls, it is bad for the >government, too. This statement commits the logical falacy of type incompatibility. Sets of objects are not the same as objects. Organisations of people have different characteristics to people. To accord the same rights to idividuals is to ignore the different chaqracteristics of the organisation over the group. In most cases we would ascribe fewer individual liberties to groups than to individuals. The individual may have freedom of speech but the government official does not. It is generally undesirable for military personel to enter into party politics, thus it is generally undesirable for such people to take part in party political broadcasts. On the other hand there are casses in which we would wish to give the government more power than the individual. We give the government the right to raise taxation for example. 
Thus Perry is not only a funny sort of person, he is also entirely negating the argument that Mill puts forward in "on Liberty", namely that the interests of the government and people are not as opposed as might appear, that it is possible to divide liberties into those which the state must excercise in order to protect the liberty of the population in general and those which the individual needs to protect themselves from government and other interference. If we take Perry's argument seriously we effectively deny the legitimacy of any government. This is not good for Perry's argument for it is clearly legitamate to read the mail of a party which is illegitamte [an evil oppressor of the people, restraint on the exploitation of ecconomic power, restraint on free capitalism, tool of the borgeoise classes, people of all lands untie! you have nothing to lose but your chains...] Phill From mpd at netcom.com Fri Jan 26 12:05:24 1996 From: mpd at netcom.com (Mike Duvos) Date: Sat, 27 Jan 1996 04:05:24 +0800 Subject: Doctor Denning Message-ID: <199601261807.KAA21401@netcom20.netcom.com> I just read the new and improved Dorothy Denning essay at http://www.cosc.georgetown.edu/crypto/Future.html and I must say that I am impressed to see that our august little group has managed to define most of the issues Dr. Denning addresses. She even uses the Gospel According to Tim as her first bibliography entry. One should realize, of course, that whether Crypto Anarchy prevails depends not upon the varied philosophical leanings of citizen-units May and Denning, but rather upon whether our mathematics is more powerful than their jackbooted thugs. Success also depends upon the implementation of widely distributed comunications systems which are not vulnerable to attacks launched against any particular set of nodes, and which obfuscate which processing elements are responsible for providing any specified instance of a service. Crypto Anarchy running on the World Wide Crypto-Mesh. 
Your guarantee of a government-free future, Denning and friends notwithstanding. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From cp at proust.suba.com Fri Jan 26 12:48:16 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Sat, 27 Jan 1996 04:48:16 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: <199601261641.IAA13862@mailx.best.com> Message-ID: <199601261829.MAA03046@proust.suba.com> > The principle that governments have no special moral rights beyond > those of normal men leads logically to the conclusion that men > have a natural right to engage in just retribution, provided of > course that such retribution can be seen to be just. It's extrememely difficult (impossible?) to come up with ideological principles which can't be used as a logical basis for stupid, dangerous, and even suicidal proposistions. That's why ideology always has to be tempered with pragmatism. In school I was accused of anti-intellectualism when I made this point, and I'm sure someone will say that to me again, eventually. "There are more things under Heaven and Earth, Horatio, than are dreamt of in your philosophy." No matter what your political or economic theory says and how solid it seems, you are never relieved of your duty to keep your eyes open, of trying to evaluate in simple human terms the effects of policy on the people around you. This is where privacy and free speech ought to be defended. Perry is right, people shouldn't be reading each other's mail, and the government shouldn't be able to either. I'm not sure I could justify that with a rigorous logical argument built from a handful of axioms concerned with the nature and role of democratic government, natural law, or whatever else it was that John Locke was all hopped up on. (No disrespect to Locke intended.) I don't need a political theory to tell me that it's in my best interest to have privacy, and neither do most other people. 
Everyone wants privacy -- if you don't believe me, grab a clipboard, stand on a street corner, and ask around. The government claims it works for us. That's all there is to it. (I was a math major my first time through school, and I was particularly interested in formal logical systems. The limits of formal and especially pseudo-formal reasoning have always interested me -- but it ain't cryptography, so I'll spare you.) From tcmay at got.net Fri Jan 26 12:51:14 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 27 Jan 1996 04:51:14 +0800 Subject: OFFSHORE RESOURCES Message-ID: At 5:46 PM 1/26/96, Sandy Sandfort wrote: >There has been sporadic interest on this list with regard to >offshore incorporation, banking, etc. While ads for offshore >services are common in the international press, until now, none >of these companies has an Internet presence. ??? I've been tracking offshore banks with Internet presences for more than a year...I figure only those with Net savvy are worth looking at. An Alta Vista query of "offshore AND banking" just revealed 2000 hits, suggesting a lot of activity. Some of these hits are for banks, some for services catering to offshore bankers, some are reviews of what's out there, and some are of course just plain accidental hits. But you get the point. --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From hal9001 at panix.com Fri Jan 26 13:11:11 1996 From: hal9001 at panix.com (Robert A. 
Rosenberg) Date: Sat, 27 Jan 1996 05:11:11 +0800 Subject: "Concryption" Prior Art Message-ID: At 19:04 1/26/96, pgut001 at cs.auckland.ac.nz wrote: >However the Con-cryption patent covers first compressing, then >encrypting. Isn't that how PGP does its thing (first compress the data and then feed it into the Encryption Stage)? PGP is prior art in-and-of-itself. From lzirko at isdn.net Fri Jan 26 13:20:53 1996 From: lzirko at isdn.net (Lou Zirko) Date: Sat, 27 Jan 1996 05:20:53 +0800 Subject: Microsoft's CryptoAPI - thoughts? Message-ID: <2.2.32.19960126184329.002dbed0@isdn.net> At 03:24 PM 1/26/96 GMT, John Lull wrote: >On Fri, 26 Jan 1996 03:02:56 -0500 (EST), Futplex wrote: > >> Has someone here managed to extract PostScript hardcopy of the CAPI from this >> Web page? I tried earlier this evening and wound up with a miniature >> ecological disaster on my hands. The page says: > >No problem on a LaserJet 4M. > > > >> "For ease of online reading and printing, we've provided copies of this >> lengthy document in Microsoft Word and Postscript formats." > >I tried printing the Word version from WordView, also, and ran into >major problems. It absolutely insisted on setting the printer to >manual feed, and when I tried to print the odd-numbered pages, >WordView crashed completely. > >> Worse still, it appears that the >> capiapp.ps file is actually a catenation of many PostScript files (one per >> chapter?), each beginning with a version of this ensnarling line. > >Maybe that's why I couldn't extract odd & even-numbered pages. > > > The odd command line in the postscript file is specific to HP LaserJets. It is a command that tells the printer to switch to postscript mode. The Microsoft print drivers are bad about this. One option is to strip all occurrences of this line from the file or load and print the file from GhostScript, a postscript processor. Hope this helps. Lou Z. 
Lou Zirko (615)851-1057 Zystems lzirko at isdn.net "We're all bozos on this bus" - Nick Danger, Third Eye -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCNAzBLJocAAAEEAMlDzYJPYq0pvfMuSiKU0Y65L2nJql+qEJHYGjO5Pys4prDw YW1ooPWaqrPQAy/eyqrM7I9KNFDCtmaPxtgcPw2oEDfc/w6cPkrVzvovKLfHQvtg V/hHUekptSf6j525omrVAoM9MxVL3sEGCjn9VrTeC3h9upkfntHOJeL88i2NAAUR tB5Mb3UgWmlya28gPHppcmtvbEBkYXRhdGVrLmNvbT4= =Qlxm -----END PGP PUBLIC KEY BLOCK----- From crypto at midex.com Fri Jan 26 13:24:06 1996 From: crypto at midex.com (Matt Miszewski) Date: Sat, 27 Jan 1996 05:24:06 +0800 Subject: Bernie S. Sentencing In-Reply-To: <199601260132.UAA05720@dal1820.computek.net> Message-ID: On Thu, 25 Jan 1996, Ed Carp, KHIJOL SysAdmin wrote: (snip) > The last thing one of the "suits" said was something like "they know > about the hole in RSA we found with the quantum computer" - or that's > what was reportedly said. Something like that. The AP line came down that the matchbook contained the algorithm for easily factoring large primes. Apparently the drunken stupor that Tim and Perry were in dislodged a blocking mechanism in each others brains and the answer appeared to them. Perry, being the wit he is, quickly jotted down the relevant material. The suits were reportedly affiliated with a little known group called "CypherDietyPunks". Matt > -- > Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com > 214/993-3935 voicemail/digital pager > 800/558-3408 SkyPager > Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi > > "Past the wounds of childhood, past the fallen dreams and the broken families, > through the hurt and the loss and the agony only the night ever hears, is a > waiting soul. Patient, permanent, abundant, it opens its infinite heart and > asks only one thing of you ... 'Remember who it is you really are.'" > > -- "Losing Your Mind", Karen Alexander and Rick Boyes > From hal9001 at panix.com Fri Jan 26 13:25:38 1996 From: hal9001 at panix.com (Robert A. 
Rosenberg) Date: Sat, 27 Jan 1996 05:25:38 +0800 Subject: "Gentlemen do not read each other's mail" Message-ID: At 20:18 1/25/96, jim bell wrote: >Now, I was born in 1958 and thus can't claim personal knowledge of the time, >but it's truly amazing how UNPERCEPTIVE the public must have been in the >late 40's and early '50s about "intelligence" realities. Let me give you a >specific example: The classic movie, "The Man who Never Was," relates the >(true) story of a counter-intelligence mission done by the British to (I >think) mislead the Germans into believing that the attack on Sicily would be >substantially LATER than it actually was. The code name for the project was "Operation Mincemeat" and the intent was to get the defences at Normandy ("Operation Torch" - ie: D-Day) away from there and transferred to Sicily (which was NOT a D-Day objective) not as you say to fool them on when the attack was coming. It did its job and much of the mobile coastal defences were moved out of the area. From frantz at netcom.com Fri Jan 26 13:29:58 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 27 Jan 1996 05:29:58 +0800 Subject: "This post is G-Rated" Message-ID: <199601261839.KAA19993@netcom6.netcom.com> At 6:13 AM 1/26/96 -0500, Duncan Frissell wrote: >At 01:58 PM 1/25/96 -0800, Bill Frantz wrote: > >>The big problem is how are the labels attached to the programs. I >>agree with Tim that it is probably imposible for individual Usenet >>postings. However is should be possible for TV programs, and whole >>newsgroups. > >Since TV programs will soon *be* "individual Usenet postings," it will not >be possible to rate them. Even the Earth doesn't have that much time. The >economic "drag" involved would be too great. I think you have a very different view of rating than I do. For example, I would be comfortable rating all the Sesame Street shows for sex and violence without seeing any more than I have seen, just based on the reputation of the show's producers. 
Based on reviews in the newspaper (since the net has replaced TV for me), most of the current network shows can also be rated for all their episodes. Remember also, there is an "unrated" category. Some people will refuse to access unrated material. Others, (I suspect you and I) may seek it out. >Once we have high-speed connections to the nets, the amount of video out >there will explode. There will be more to watch than watchers (remember >video archives). Search engines will help people find what they want and >avoid what they don't want. "Sex and Drugs and Rock and Roll" (Wine, Women, >and Song) will be like any other available subject -- some will want to find >it and some will want to avoid it. Just another problem of how to extract >the content you want from all the mess. Search engines won't be all that >perfect but they will be all we have. One possible addition to search engines would be to give the people who have actually viewed the video/web page etc. an opportunity to rate it on any of several criteria including whether they thought it was worth their time. Other people could then use these ratings as they wanted (including ignoring them). The big problem I see would be making the system easy enough to use to get a reasonable response. Bill From m5 at dev.tivoli.com Fri Jan 26 13:30:45 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Sat, 27 Jan 1996 05:30:45 +0800 Subject: "This post is G-Rated" In-Reply-To: <199601261839.KAA19984@netcom6.netcom.com> Message-ID: <9601261850.AA09988@alpha> Bill Frantz writes: > >Enforce? Enforce? Exsqueeze me? > > On cypherpunks, Perry is the principal enforcer, although others frequently > join in. Oh, right. I remember now. All the off-topic junk I see on this list is just my imagination. All the billions of "UNSUBSCRIBE" and "SIGNOFF" and "SET NO-MAIL" messages I see on the mailing lists I'm on are just bits of lint that slip by. The "enforcement" is always a reactive thing. 
I don't think you'd get far with a parent explaining that the material they consider indecent which somehow showed up on alt.kids.only would be dealt with by blistering flames. > >And of course, it doesn't work... > > Of course it works. Cypherpunks stays much more on the topic than it would > without Perry. Since Perry has no way of directly enforcing his opinions, > they can be overridden by any other posters, but his "moral suasion" does > have an effect on many of us. So you think those who want a "controlled cyberspace" would be happy with newsgroups that stay "mostly decent"? I strongly doubt it, and I will also add that such "enforcement" is far, far less effective on newsgroups than on mailing lists. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From bruceab at teleport.com Fri Jan 26 13:32:11 1996 From: bruceab at teleport.com (Bruce Baugh) Date: Sat, 27 Jan 1996 05:32:11 +0800 Subject: Signing nyms' keys (Was: Report on Portland Cpunks...) Message-ID: <2.2.32.19960125011259.0069b280@mail.teleport.com> At 01:42 PM 1/24/96 PST, janzen at idacom.hp.com wrote: >Furthermore, by signing a nym's key you place yourself at risk. If you >sign the nym's key with your own key -- or sign using the key of your >own nym, and that nym is subsequently "outed" -- then anyone wishing to >find the individual(s) behind any nym whose key you've signed can >attempt to coerce you into revealing this information, since you have >claimed to know it. This is the real problem, one which doesn't (to me) have a ready solution. If others can demonstrate that there [is|is not] some fairly straightforward way around it, I'd be happy to read it. 
Bruce Baugh bruceab at teleport.com http://www.teleport.com/~bruceab From gorkab at sanchez.com Fri Jan 26 13:33:32 1996 From: gorkab at sanchez.com (Brian Gorka) Date: Sat, 27 Jan 1996 05:33:32 +0800 Subject: No Subject Message-ID: <01BAEBF5.1492F480@loki> I was leafing through the new terms of service from my ISP, and lookie what I came up with: .... stuff deleted * Posting private e-mail to any newsgroup or mailing list without the explicit approval of the sender is strictly prohibited. * Impersonating another user or otherwise falsifying one's user name in e-mail or any post to any newsgroup or mailing list is strictly prohibited. * We reserve the right to take whatever actions we deem appropriate in enforcing these policies, including the ones below. We also reserve the right to change these policies without prior notice at any time. ... stuff deleted The actions we take may include account suspension or termination. We do not issue any credits for accounts cancelled due to policy violations. The second point makes me wonder if NymServers are legal to use with my service (PSInet, Interramp) ---------- Brian Gorka Key fingerprint = ED 7D 78 7E 95 E8 05 01 27 01 A1 74 FA 4B 86 53 From pcw at access.digex.net Fri Jan 26 13:33:51 1996 From: pcw at access.digex.net (Peter Wayner) Date: Sat, 27 Jan 1996 05:33:51 +0800 Subject: "Concryption" Prior Art Message-ID: <199601261855.NAA16966@access5.digex.net> I believe the patent applies to simultaneous compression and encryption. The simultaneity supposedly saves time. That's the big advance. -Peter From cp at proust.suba.com Fri Jan 26 13:39:43 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Sat, 27 Jan 1996 05:39:43 +0800 Subject: Crypto Exports, Europe, and Conspiracy Theories In-Reply-To: Message-ID: <199601261906.NAA03072@proust.suba.com> There's a lot I don't know about the NSA, Tim's original post in this thread reminded me of that. 
I don't know if they'll continue to be successful suppressing crypto -- perhaps (probably?) I've underestimated them. But I think networking is creating an enormous commercial demand for strong crypto that didn't previously exist. It's one thing to suppress an esoteric technology that few people feel the need for; it's quite another to suppress a reasonably well understood technology that everyone feels they need to run their businesses. The NSA is powerful, but so are commercial interests. I tend to think that the money will win out in the end, but I have to admit that I don't know enough about the NSA to have a serious opinion. Why aren't foreign companies flooding America with strong crypto? Well, there are clearly pressures of the sort Tim described at work. But there are other factors as well: o Crypto has only recently become useful/necessary to lots of business people -- the demand from crypto is born out of the networking boom, especially the Internet, which isn't picky about who can use it. American software companies dominate the industry -- they grabbed market share in the days before crypto was vital. There's inertia at work. o Crypto isn't at the top of the list of factors when people pick software. Do most of us use 40-bit downloadable Netscape's or Mosaics with strong crypto? Netscape wouldn't be easy to pick off for New Delhi programmers (an understatement, of course), and crypto wouldn't give them as big of an advantage as it probably ought to. o Most foreign countries aren't wired as well as we in the US are. Most people in Switzerland don't have cheap easy access to the net, for example. That's one reason that the web, a good Swiss idea, has been developed primarily in this country. America has more people thinking about the net than other countries do, and it's not surprising that we're out in front in net software. These factors are short lived, and they're not going to keep crypto out of America forever. 
(That doesn't mean the NSA can't -- although I don't think they can.) Digicash is probably the first significant crypto product to be exported to America. It's not very popular yet, but I think that most of us here agree that it is, in potential at least, as significant as Mosaic/Netscape. It's important to note that this extremely important product couldn't have been produced here, patents aside. Transaction systems need to be international, and our rules make America an unsuitable place from which to launch transaction software. Will the NSA be able to stand up against growing economic pressures? I don't know. But it does seem pretty clear that those pressures are building all the time, and that the problem of suppressing crypto in 1996 is a much tougher one than it was in 1986. In general, it's myopic and ill advised to focus on one factor -- economics, politics, the national security establishment -- when trying to predict what will happen. I've probably been guilty of placing too much emphasis on money, and not enough on the NSA. We do seem to be winning, though. From frantz at netcom.com Fri Jan 26 13:43:48 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 27 Jan 1996 05:43:48 +0800 Subject: "This post is G-Rated" Message-ID: <199601261839.KAA19984@netcom6.netcom.com> At 8:57 AM 1/26/96 -0600, Mike McNally wrote: >Bill Frantz writes: > > An unmoderated group or list carries a higher risk of seeing inappropriate > > material. However even unmoderated lists have standards and those people > > who enforce those standards. > >Enforce? Enforce? Exsqueeze me? On cypherpunks, Perry is the principal enforcer, although others frequently join in. > > > This kind of enforcement is an example of > > communitarian as opposed to authoritarian control. It all depends on just > > how vital it is to the consumer (and rating group) that NO inappropriate > > material appear. > >And of course, it doesn't work. 
There's an unlimited amount of >mindless dreck floating around every unmoderated newsgroup; I've been >reading news long enough (and NN makes it easy enough) that I avoid it >without a second thought. I assure you, however, that no attempts at >"netiquette enforcement" are effective in a general sense. Of course it works. Cypherpunks stays much more on the topic than it would without Perry. Since Perry has no way of directly enforcing his opinions, they can be overridden by any other posters, but his "moral suasion" does have an effect on many of us. Bill From dsmith at midwest.net Fri Jan 26 14:01:37 1996 From: dsmith at midwest.net (David E. Smith) Date: Sat, 27 Jan 1996 06:01:37 +0800 Subject: John Doe Message-ID: <2.2.32.19960126190807.00674f78@midwest.net> At 02:07 AM 1/26/96 -0500, tallpaul at pipeline.com wrote: >On Jan 25, 1996 20:58:48, 'jdoe-0007 at alpha.c2.org' wrote: >>The John Doe NYM/Remailer interface for Windows is a most excellent >>program that will allow even the most cypher-illiterate to make use of >>the technology that has been the exclusive domain of those in the >>"techno-know". It was a piece of cake to set up, obtain a NYM and select >>inbound and outbound remailers with options to chain as many as your >>paranoia deemed appropriate. >>$25.00 seemed a little steep but they will get my $$$. Nice Job. >>John Doe 0007 >(Unlike jdoe-0007 I think $25 is a very low price to pay for the new >capacity. What the hell! We're not gonna' pay for it out of our own lazy >pockets. We'll raise the tax on hot tubs and get other people to buy it for >us.) I haven't DL'ed/pirated/bought it yet, but what does it do that Joel McNamara's Private Idaho doesn't do? (BTW, PI is _freeware_ as in $25 less than $25.) dave (dsmith at alpha.c2.org - see, it doesn't have to be anonymous after all) --- David E. 
Smith, c/o Southeast Missouri State University 1210 Towers South, Cape Girardeau MO USA 63701-4745 +1(573)339-3814, "dsmith at midwest.net", PGP ID 0x961D2B09 Do not use old PGP keys 0x92732139 and 0xFF829C15. http://www.midwest.net/scribers/dsmith/ From tcmay at got.net Fri Jan 26 14:02:04 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 27 Jan 1996 06:02:04 +0800 Subject: "This post is G-Rated" Message-ID: At 6:50 PM 1/26/96, Mike McNally wrote: >The "enforcement" is always a reactive thing. I don't think you'd get >far with a parent explaining that the material they consider indecent >which somehow showed up on alt.kids.only would be dealt with by >blistering flames. ... >So you think those who want a "controlled cyberspace" would be happy >with newsgroups that stay "mostly decent"? I strongly doubt it, and I >will also add that such "enforcement" is far, far less effective on >newsgroups than on mailing lists. By the way, we should always be ready to would-be censors/moderators of Usenet that "kid-friendly" alternatives either exist, or could be created by those interested in screening stuff. What many of us object to is the notion that legislators in some particular country can cause the 12,000+ Usenet groups, or the accesses via the Net and Web, to be turned into something safe for all children, or all Muslims, or all women, or all vegans. AOL and its ilk are used by parents I know as a "kinder and gentler" introduction to the Net for their impressionable ankle-biters. There are a zillion special interest groups that want their members protected from various kinds of stuff out there in the world. I don't have to list them here. We as Cypherpunks should strenuously point out that the speech of adults on forums like Usenet should not be reduced to the level of what all children should hear. Nor should we endorse "voluntary self-ratings" proposals, for the many reasons discussed here recently. 
I for one will not slow down my speech, slow down my postings to Usenet, by carefully reviewing my words to see if they are offensive to children, their parents, their grandparents, Mormons, Jews, Boy Scouts, schizophrenics, high-strung neurotics, Muslims, animal rights advocates, queers, Rosicrucians, persons of color, persons of no color, or persons of poundage. Fortunately, the technological trends strongly mitigate against the Net and the Web ever being controlled by the censors of any one country. "Not even speed bumps." --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From perry at piermont.com Fri Jan 26 14:02:17 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 27 Jan 1996 06:02:17 +0800 Subject: Crypto Exports, Europe, and Conspiracy Theories In-Reply-To: <199601261906.NAA03072@proust.suba.com> Message-ID: <199601261926.OAA14913@jekyll.piermont.com> Alex Strasheim writes: > Why aren't foreign companies flooding America with strong crypto? Well, > there are clearly pressures of the sort Tim described at work. But there > are other factors as well: > > o Crypto has only recently become useful/necessary to lots of > business people -- the demand from crypto is born out of the > networking boom, especially the Internet, which isn't picky > about who can use it. Security is an odd thing. I have clients who have obvious and very extreme security needs that do not spend any real time worrying about security and as a result end up being burned. 
However, until the day you are burned, you never think about security and never notice it is absent. To some extent, it is the job of consultants such as myself to assure that firms understand what they have at stake and how to protect themselves, especially by securing their communications networks with cryptography. Perry From frantz at netcom.com Fri Jan 26 14:14:02 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 27 Jan 1996 06:14:02 +0800 Subject: "This post is G-Rated" Message-ID: <199601261944.LAA27372@netcom6.netcom.com> At 12:50 PM 1/26/96 -0600, Mike McNally wrote: >Bill Frantz writes: > > >Enforce? Enforce? Exsqueeze me? > > > > On cypherpunks, Perry is the principal enforcer, although others frequently > > join in. > >Oh, right. I remember now. All the off-topic junk I see on this >list is just my imagination. All the billions of "UNSUBSCRIBE" and >"SIGNOFF" and "SET NO-MAIL" messages I see on the mailing lists I'm on >are just bits of lint that slip by. Absolutely correct. What we don't have is general firewall discussions and general conspiracy discussions (which are directed elsewhere). Perry performs a needed function. >The "enforcement" is always a reactive thing. I don't think you'd get >far with a parent explaining that the material they consider indecent >which somehow showed up on alt.kids.only would be dealt with by >blistering flames. Such parents would not let their children read unmoderated/unrated newsgroups. I think they are failing their children, but they would certainly disagree. >So you think those who want a "controlled cyberspace" would be happy >with newsgroups that stay "mostly decent"? I strongly doubt it, and I >will also add that such "enforcement" is far, far less effective on >newsgroups than on mailing lists. The people who want a "controlled cyberspace" will not be happy. 
I want to explore the consequences, both technical and social, of taking the control away from them by putting it in the hands of individuals and minor children's parents. This approach would destroy their principal argument and make it less likely that they will succeed. However, unlike the motion picture precedent, I think multiple rating agencies will not only be desirable, but necessary. I assume that in addition to the Christian Coalition's rating service there would be a Hottest Pics of the Net service. Bill From tcmay at got.net Fri Jan 26 14:21:13 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 27 Jan 1996 06:21:13 +0800 Subject: Crypto Exports, Europe, and Conspiracy Theories Message-ID: At 7:06 PM 1/26/96, Alex Strasheim wrote: >Why aren't foreign companies flooding America with strong crypto? Well, >there are clearly pressures of the sort Tim described at work. But there >are other factors as well: Let me emphasize that I was raising the issue as food for thought, as an obvious question. Put another way, there are a lot of non-U.S. cryptographers, Cypherpunks, and programmers. They should be looking at the (putative) $60 billion a year cost of the ITARS as evidence that a market for strong crypto probably exists. (I will be interested to see what non-U.S. code gets developed over the next year or two, and how the U.S. government reacts to its importation into the U.S. The main RSA patents will soon be expiring, those that don't get thrown out in the wake of the RSA-Cylink-MIT-Stanford-PKP-Schlafly-etc. brouhaha, that is.) >o Crypto isn't at the top of the list of factors when people pick > software. Do most of us use 40-bit downloadable Netscape's ... Maybe not important for casual users, but there's that $60 billion a year figure again, so somebody cares. And digital commerce is front page news almost every day, with security a major hot topic. >o Most foreign countries aren't wired as well as we in the US are. 
> Most people in Switzerland don't have cheap easy access to the net, Though of course many countries are extremely well-wired. The Scandinavian countries, for example. And the U.K. (e.g., demon, one of the earliest full-service ISPs). But I don't want to get into a debate about numbers of subscribers, etc. My main point was that crypto tool development has traditionally been possible with fairly small teams...so I wonder why more development has not happened in Europe and Asia, given the apparently compelling advantages of not having to worry about the U.S. ITARs! (That this "apparently" may not actually be so real is of course my main "food for thought.") > for example. That's one reason that the web, a good Swiss idea, has > been developed primarily in this country. America has more people > thinking about the net than other countries do, and it's not > surprising that we're out in front in net software. A minor correction. Tim Berners-Lee is British, and was only working at CERN, which effectively straddles the French-Swiss border, near Geneva. And he is now, or was recently, working in New York. I would have a hard time calling his work "a Swiss idea." Obviously many of the ideas that go into the Web (hypertext, a la Bush and Nelson, connectivity, ISPs, etc.) are heavily American-based or -influenced. >Digicash is probably the first significant crypto product to be exported >to America. It's not very popular yet, but I think that most of us here >agree that it is, in potential at least, as significant as >Mosaic/Netscape. It's important to note that this extremely important >product couldn't have been produced here, patents aside. Transaction >systems need to be international, and our rules make America an unsuitable >place from which to launch transaction software. I agree about Digicash (and I cited it as an example in my first article). 
However, the lack of available crypto for export, and the cloudy situation about Chaum's patents (*) has made Digicash almost a footnote in the race for digital commerce, with a dozen other more visible product announcements in the news. (* I wrote up my views on the problems with software patents, having to do with the inability to "meter usage," in contrast with physical objects such as microprocessors.) --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From pmonta at qualcomm.com Fri Jan 26 14:27:08 1996 From: pmonta at qualcomm.com (Peter Monta) Date: Sat, 27 Jan 1996 06:27:08 +0800 Subject: Doctor Denning In-Reply-To: <199601261807.KAA21401@netcom20.netcom.com> Message-ID: <199601261933.LAA28110@mage.qualcomm.com> > I just read the new and improved Dorothy Denning essay at > > http://www.cosc.georgetown.edu/crypto/Future.html This can be found at http://www.cosc.georgetown.edu/~denning/crypto/Future.html > One should realize, of course, that whether Crypto Anarchy > prevails depends not upon the varied philosophical leanings of > citizen-units May and Denning, but rather upon whether our > mathematics is more powerful than their jackbooted thugs. What I found interesting was the lack of meat behind "Crypto Anarchy is Not Inevitable". It seemed to boil down to the vacuous "if everyone could just agree that key escrow is a good thing, there would be no problem". 
Cheers, Peter Monta pmonta at qualcomm.com Qualcomm, Inc./Globalstar From vznuri at netcom.com Fri Jan 26 14:29:01 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sat, 27 Jan 1996 06:29:01 +0800 Subject: RANT: cypherpunks do NSA's job for them!! In-Reply-To: <9601260028.AA12225@alpha> Message-ID: <199601261934.LAA21926@netcom10.netcom.com> >Vladimir Z. Nuri writes: > > the Tao of bad government: if you really want to get rid of a law, > > act and think at all times as if it doesn't even exist. > >I accept that that's one way of going about things, but I challenge >you to demonstrate conclusively that it is the only means to generate >political interest in opposition to a law. it was not my point at all to "demonstrate conclusively" that ignoring a law helps create opposition to a law. actually, I was not talking about opposition to a law at all. my main point was that for a law to work, people must *actively*support* it. by not supporting a law, it effectively ceases to exist. in other words, what you consider "opposition" to laws in fact may be playing into the hands of the NSA. by taking the laws very seriously (such as the preposterous ideas that bureaucrats are allowed to prevent companies from even exporting software with "hooks" in it, and effectively allowing spooks to vet every piece of crypto code written in this supposedly free country) you are doing NSA's "heavy lifting" *for* them. these laws would be no problem if nobody followed them, if nobody gave a damn about them. *opposition* in many ways is the wrong mindset. by opposing the laws, you implicitly reveal that you believe they are legitimate, that they are enforceable, that they are important to conform to, etc (all the things that cpunks publicly deny). by ignoring them, you put your reality where your mouth is. it sounds paradoxical, but ignoring a law is far more destructive to it than opposing it!! 
> I happen to disagree with >this, and I refuse to accept the wacky notion that by explaining to >somebody that what they're doing is in violation of a pointless stupid >law, and explaining why it's only through wide exposure of that >pointless stupidity that the law and others like it can be struck >down, that I am unwittingly strengthening the law. Balderdash. "when the wise hear of the Tao, they are intrigued. when the skeptical hear of the Tao, they scoff. when the stupid hear of the Tao, they laugh loudly". From junger at pdj2-ra.F-REMOTE.CWRU.Edu Fri Jan 26 14:38:45 1996 From: junger at pdj2-ra.F-REMOTE.CWRU.Edu (Peter D. Junger) Date: Sat, 27 Jan 1996 06:38:45 +0800 Subject: Crippled Notes export encryption In-Reply-To: <9601242357.AA02688@alpha> Message-ID: Mike McNally writes: : Uhh, I'd like a second opinion please doc. Are you suggesting that : whenever anybody with cryptographic expertise (like, maybe, anybody on : this mailing list) leaves the country we're in violation of munitions : export laws? No, but only because there is an express exception in the ITAR: Section 120.17 of the ITAR provides: _Export_ means: (1) Sending or taking a defense article out of the United States in any manner, except by mere travel outside the United States by a person whose personal knowledge includes technical data; . . . . : Is somebody who knows how to build a rocket in the same boat? Yes. But in one way the case may be worse for you cryptographers if you actually carry source code--or machine code--around inside your head. For in the _Karn_ case the government has argued that source and machine code are _not_ technical data, but are defense articles. So, unless you first erase that portion of your memory that contains the C code for implementing the RSA algorithm, you commit a felony--a million dollar fine and ten years in jail max--if you step outside the United States without first obtaining a license from the Office of Defense Trade Controls. -- Peter D. 
Junger--Case Western Reserve University Law School--Cleveland, OH Internet: junger at pdj2-ra.f-remote.cwru.edu junger at samsara.law.cwru.edu From alano at teleport.com Fri Jan 26 14:42:36 1996 From: alano at teleport.com (Alan Olsen) Date: Sat, 27 Jan 1996 06:42:36 +0800 Subject: [rant] A thought on filters and the V-Chip Message-ID: <2.2.32.19960126195651.008e5558@mail.teleport.com> [Not Perry(tm) approved -- Skip if this offends you] I am waiting for someone to come out with a product that will modify the V-chip (or the various internet "protection" tools) in such a way that it scans *FOR* pornography. Porn is big business. You would think that people would pay for a way to sort through all of that non-smuttiness and just "get to the good stuff". I also imagine that as soon as such a product appears, the censors will scream bloody murder. The purpose of all the ratings, and the filters and all the other stuff is not to "protect kids". It is to protect the prejudices of the adults. They do not want to see it anywhere in the world, not just inflicting some sort of imaginary harm on their children. I expect the first people to use the "reversed filters" will be the kids themselves. (Behind the parents' back, of course.) I have known too many adults that believe that by restricting their kids access to information, they can prevent them from growing up. In these parents' minds, such information is what makes them want to hump their little brains out. Biology has nothing to do with it in their limited way of thinking. Cluelessness does not just cover computers with these people. It also covers any other topic that required more than two brain cells to understand. But censorship alone will not solve the problems that these people see in the world. They are afraid that someone, somewhere, is committing "sin". They will do what it takes to stamp out all this immorality, no matter who gets hurt or what it takes. 
A good description of what is next is at http://www.cum.net/cnextstep.html . You have to realize that these people are busybodies who believe that they have the right to define what is right and what is wrong. In order to enforce these beliefs, they will need access to every means of communication in existence. Anything that prevents this enforcement will be seen as a threat and thus must be banned. Encryption will be one of the first things to go. Double entendres, sarcasm, and wordplay will be next. Fiction dealing with anything that would offend an eight year old (because that is where they stopped their intellectual growth) must be stamped out as well. More will follow as the demons appear in more and more forms. And they will never succeed... No matter how hard the censors have tried in the past to outlaw "smut", it has always existed in one form or another. All they do is drive it underground. If they stamp out crypto, they will just drive it underground. And in the process they will have stamped any freedoms you or I have underground as well... Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ National Security uber alles! From usura at utopia.hacktic.nl Fri Jan 26 15:11:33 1996 From: usura at utopia.hacktic.nl (Alex de Joode) Date: Sat, 27 Jan 1996 07:11:33 +0800 Subject: OFFSHORE RESOURCES Message-ID: <199601262017.VAA28266@utopia.hacktic.nl> You sez: : There has been sporadic interest on this list with regard to : offshore incorporation, banking, etc. While ads for offshore : services are common in the international press, until now, none : of these companies has an Internet presence. : THE ECONOMIST has an ad for OCRA, a group that specializes in : offshore company services. What's new is that they have a Web : page. It includes a good primer on the benefits from going : offshore and on selected offshore jurisdictions. 
I've never done : business with these folks, but they have good info. I maintain a small page with offshore resources at: URL: http://www.replay.com/offshore bEST Regards, -AJ- From vznuri at netcom.com Fri Jan 26 15:20:03 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sat, 27 Jan 1996 07:20:03 +0800 Subject: more RANTING about NSA-friendly cpunks In-Reply-To: <01BAEB69.A2BB7E80@blancw.accessone.com> Message-ID: <199601262011.MAA17408@netcom16.netcom.com> BW: >Actually, Vlad is has a remote point. ah, thanks for the ringing endorsement. >When certain activities are described as being "illegal" it lends to the >laws surrounding them an air of legitimacy, even though most anyone on >this list who refers to them in that way understands that they are >phrasing their words in terms of how these actions are >perceived/categorized by the lawmakers, not by the cpunks. hence my advice: if one talks about these laws, at least insert the caveat and reminder: we think they are bogus, we are waiting for someone to challenge them, we doubt a court would uphold a ban on export of "crypto hooks" or "signing foreign crypto code", and at least we'd be interested in the court fight, and probably support whoever tried. do you see I am not asking anyone to be crucified here? I'm merely asking cpunks to emphasize the attitudes that are actually serving the "spread the crypto" agenda!! >Yet you must understand, Vlad: you aren't going to figure out how to >deal with a looming threat like ITAR simply by being nonchalant & >devil-may-care. @#$%^&*!!! you miss the point. words like "a looming threat like the ITAR" again play into the hands of the NSA. if you think the law is illegitimate, use something like, "the silly bureaucratese of the ITAR" or something similar. *you* give away your own power to a law whenever *you* believe it is a significant factor in your life. 
what is the worst that has happened to anyone from the "looming threat of the ITAR" for illegal *crypto*export*?? a visit by the NSA men in black?? what are the supposed teeth that are preventing anyone from even challenging the algorithm sections of the ITAR?? has anyone *tried* just ignoring the ITAR wrt crypto and seeing what would happen? the gubbermint blindly thinks that cyberspace will inevitably bring the wrath of four horsemen of the infocalypse, but aren't we equally as comic in assuming that violating the ITAR crypto sections will inevitably bring the 4 horsemen of the NSA?? (please do NOT give me examples of how drug-dealer-x or arms-smuggler-y got a bazillion years in prison for violating the ITAR-- obviously you would have completely missed my point: I'm talking about the *crypto* sections of the ITAR!!) I mean, what if somebody made a big show of OPENLY AND FLAGRANTLY VIOLATING THE ITAR? *nothing* such as this has ever happened. it's exactly what we need. (I am thinking more of something on the corporate level, not individual level). all the sheep on this list would cringe in horror at my suggestion, but can you *prove* that something bad would happen to you? do you really think the bogeyman is going to get you if you do so? actions speak louder than words... > The fact that some people (lawyers) know what >corporations & individuals are facing if they try to import or export >"illegal" substances like abstract code, and the fact that some people >(programmers) discuss the issues openly, does not mean that they are >headed in the direction of submission to the given obstacles. you don't understand this point I have repeatedly reiterated. DISCUSSING THE ISSUE AMOUNTS TO SUBMISSION. the moment that you even THINK about the problem, the law is doing exactly what it was *designed* to do, *succeeding* in dampening something that we supposedly *claim* can't and shouldn't be dampened? how is it dampened? BY OURSELVES!!! 
>It just means that they're thinking through the problem, to clarify just >what the situation is, to give conscious consideration to what anyone >might have to deal with as a consequence of their decisions (to do what >they will regardless of the NSA's perceptions). if people actually did what they wanted "regardless of the NSA's perceptions", then we would have exactly what we are always whining for, and that's exactly what I'm advocating. but in fact what everyone is doing is paying close attention to how the NSA would view some supposed action, taking the NSA's opinion on the ITAR as *law* (gosh, when did the NSA get the authority to make/interpret/enforce laws?) and backing off from anything. there are THREE SOLID WAYS that crypto could be spread like wildfire RIGHT NOW but I have seen them argued against by people on the list on the basis that "the NSA wouldn't approve". well, SCREW THE NSA!!! do you want to protect the NSA or DON'T YOU??? 1. CRYPTO HOOKS into legitimate crypto software. the companies export the software to their hearts content and challenge the government in court if prevented. 2. SIGNING FOREIGN CODE. the fact that MS doesn't want to even sign foreign implementations of code for fear of some supposed NSA disapproval is atrocious spinelessness. 3. IMPORTING THE CRYPTO SOFTWARE. TCM argues that "this would quickly be outlawed if not already illegal". oh yeah? says who? don't you think there would be a pretty spectacular FIGHT over this? yet I have seen cpunks endlessly argue against all these points, when they are exactly what we have the most chance of winning, imho. the best way, which because everyone has been successfully conditioned to do exactly what the NSA wants: 4. JUST WRITE WHATEVER THE HELL CODE YOU WANT, AND SEND IT WHEREVER THE HELL YOU WANT. don't give me any *crap* about how NASTY THINGS WILL BEFALL YOU if you do any of the above. what happened to PRZ??? NOTHING. 
it is possible that PRZ may have been able to NEVER EVEN HIRE A LAWYER if he wanted to, and emerged unscathed from the last situation. there is NO PRECEDENT for anything happening to ANYONE for trying any of the above things, and until someone tries them, DO NOT ARGUE THEY CANNOT BE DONE, or that NASTY AND UNSPEAKABLE THINGS BEFALL THOSE WHO TRY, unless you want to be given medals of honor by the NSA for helping them out!! (again, I do not count "GOVERNMENT MOUNTS AN INVESTIGATION" as anything harmful!!! please feel free to disagree with me!! perhaps if you are a frail entity, indeed the mere idea that government agents are thinking about you can cause you to have a nervous breakdown!!!) I am waiting for some company with some balls to do any of this. MS, in all their amazing marketplace aggression, apparently believes that you don't ever fight the government. a pity. that's the most important battle. From Kevin.L.Prigge-2 at cis.umn.edu Fri Jan 26 15:37:39 1996 From: Kevin.L.Prigge-2 at cis.umn.edu (Kevin L Prigge) Date: Sat, 27 Jan 1996 07:37:39 +0800 Subject: [local] Report on Portland Cpunks meeting In-Reply-To: Message-ID: <31093ac10192002@noc.cis.umn.edu> Jonathan Rochkind said: > > At 11:13 PM 01/23/96, Bruce Baugh wrote: > >The nym signing is an idle thought of mine. I have a nym key which is, at > >the moment, signed only by itself. I know friends of mine have nym accounts. > >if we could assemble a group of folks whom I can trust enough to link the > >nym and myself, it'd be nice to add some more signatures to the nym key, and > >vice versa. > > If, on the other hand, I sign "Toxic Avenger"'s key, then what benefit is > this for third parties? Since Toxic Avenger is, by intention, _not_ linked > to a real person, I'm not saying that I feel confident that this key really > belongs to any particular real person. What am I saying? That the key belongs to the person(s) assuming the identity of "Toxic Avenger". 
When someone signs my key, they are saying that they believe that the key belongs to me, a person who has the identity of "Kevin Prigge". Since I am a real person, I can prove that some other entity knows me as Kevin Prigge via some form of identification issued by the state, and I can prove that I control the key. For a 'nym, there is no identification that is issued, which may be the point of having an 'nym. The best that can be said is that the user at someplace posting with a 'nym of "whatever" controls the key, which is all I'd be certifying with my signature on the key. -- Kevin L. Prigge |"Have you ever gotten tired of hearing those UofM Central Computing | ridiculous AT&T commercials claiming credit email: klp at tc.umn.edu | for things that don't even exist yet? 010010011101011001100010| You will." -Emmanuel Goldstein From adept at minerva.cis.yale.edu Fri Jan 26 15:50:20 1996 From: adept at minerva.cis.yale.edu (Ben) Date: Sat, 27 Jan 1996 07:50:20 +0800 Subject: German home banking (fromn RISKS) In-Reply-To: <199601250030.TAA15203@amsterdam.lcs.mit.edu> Message-ID: > Was the person in the basement eavesdropping or actually performing a > man-in-the-middle attack? He was first eavesdropping then he performed a hijack attack once authentication was achieved. Ben. ____ Ben Samman..............................................samman at cs.yale.edu "If what Proust says is true, that happiness is the absence of fever, then I will never know happiness. For I am possessed by a fever for knowledge, experience, and creation." -Anais Nin PGP Encrypted Mail Welcomed Finger samman at suned.cs.yale.edu for key Want to hire a soon-to-be college grad? 
Mail me for resume From iagoldbe at calum.csclub.uwaterloo.ca Fri Jan 26 15:51:38 1996 From: iagoldbe at calum.csclub.uwaterloo.ca (Ian Goldberg) Date: Sat, 27 Jan 1996 07:51:38 +0800 Subject: Crippled Notes export encryption In-Reply-To: <199601242303.SAA14589@amsterdam.lcs.mit.edu> Message-ID: <4e6j28$g49@calum.csclub.uwaterloo.ca> In article <199601242330.SAA08632 at toxicwaste.media.mit.edu>, Derek Atkins wrote: >> How did kerberos avoid this? The "bones" distribution of kerberos >> without crypto was not regulated by ITAR, right? > >Kerberos didn't leave the crypto plugable. The bones distribution >removed not only the crypto routines but also the calls to the crypto >routines. It would be hard to call that "pluggable". It took a lot >of work for someone down under to replace all those crypto calls! > OK; so what if I have code that says: RNG_GenerateRandomBytes(buf, size); Hash(outbuf, buf, size); /* * It would be really nice if outbuf were RSA-encrypted * with (expon,modulus) at this point and the result placed in * outbuf2, but we have to do the following instead: */ for(i=0;i Message-ID: From: Mike Godwin Subject: Re: UK newspaper names Zimmermann a "neo-Nazi sympathiser" To: Declan McCullagh Date: Wed, 24 Jan 1996 18:13:11 -0800 (PST) Cc: fight-censorship+ at andrew.cmu.edu Zimmermann stands to recover a lot if he sues the Telegraph under British libel laws. --Mike [...] > > Subject: "PRZ a nazi" to be retracted > To: cypherpunks at toad.com (Cypherpunks) > Date: Tue, 23 Jan 1996 21:58:48 -0700 (MST) > Cc: prz at acm.org (Philip Zimmermann) > From: Philip Zimmermann > Reply-To: Philip Zimmermann > X-Mailer: ELM [version 2.4 PL22] > Content-Type: text > Sender: owner-cypherpunks at toad.com > Precedence: bulk > > The Sunday Telegraph of London printed a story last Sunday about neo-nazis > using PGP to encrypt their communications. The story said that PGP was > devised by an American neo-nazi sympathizer. 
As the creator of PGP, and > a human rights activist, I was outraged by such a defamation from a major > newspaper. I called my lawyer Phil Dubois, who seemed to look forward to > having some fun with this newspaper. > > Not wanting to wait around till the morning, and slow lawyers, I called > Robin Gedye, the reporter in Bonn who wrote the story, at 7am Monday morning > Bonn time, and woke him up at home. I introduced myself and told him how I > felt about it. He had never heard of me, the Clipper chip, the controversies > of cryptography, and knew nothing about PGP outside of the couple of > sentences in his story that mentioned PGP. He said it wasn't really so bad, > because he didn't specifically identify me by name. One can imagine the > effectiveness of that excuse with me. I then went into some detail with him > to bring him up to speed. I also called his editor in London, who also had > never heard of me or PGP. > > After some checking, they discovered that the Daily Telegraph, a related > newspaper, had run an article about my case just a week before. They also > found about 20 recent articles on me in the UK press. The editor said that > my story "checks out". It was good to know that they now believed that I > was not a neo-nazi after all. > > Anyway, Mr. Gedye says that the Sunday Telegraph will print a retraction > next Sunday. Not just a little retraction, but a whole article on the > subject, written by Mr. Gedye himself. I'm glad to see that this probably > means that he will dig into the subject more, in order to write such an > article. > > I guess this means maybe I'll find some other things to occupy Phil Dubois's > time. > > -Philip Zimmermann > 23 Jan 96 > > > // declan at eff.org // My opinions are not in any way those of the EFF // > > From mark at unicorn.com Fri Jan 26 15:54:11 1996 From: mark at unicorn.com (Mark Grant, M.A. 
(Oxon)) Date: Sat, 27 Jan 1996 07:54:11 +0800 Subject: Doctor Denning Message-ID: On Fri, 26 Jan 1996, Peter Monta wrote: > It seemed to boil > down to the vacuous "if everyone could just agree that key > escrow is a good thing, there would be no problem". Actually, I think that's "if everyone could just agree that key escrow is a good thing, there would be no problem. And if they don't, then we'll just ban everything else..." Mark From weld at l0pht.com Fri Jan 26 16:01:13 1996 From: weld at l0pht.com (Weld Pond) Date: Sat, 27 Jan 1996 08:01:13 +0800 Subject: Doctor Denning Message-ID: Peter Monta pmonta at qualcomm.com wrote: >What I found interesting was the lack of meat behind >"Crypto Anarchy is Not Inevitable". It seemed to boil >down to the vacuous "if everyone could just agree that key >escrow is a good thing, there would be no problem". I found this interesting too. I was waiting for the reason it wasn't inevitable but it never came. Denning seems willing to predict a future where there are no more technical advances in fields like steganography and dc nets. Besides, won't the penalty for communicating using non-government approved methods be life in prison? What you are hiding *may* be evidence of a murder or that you are a drug kingpin. Unless the penalty is worse than that for being convicted of the crime you committed, criminals will use non-approved crypto and benefit greatly from it. I don't think the public will buy this type of sentencing. Remailer operators will be sentenced to life once unapproved crypto goes through their system, even stego. ISP managers will have to go to jail too if they let 1 non-government approved message slip through. If this is the way it is enforced it will be too easy to set up ISPs and remailer operators. All the big on-line services could be targeted too. You don't like AOL? Just sign up using one of their handy disks and the CC# you just scammed out of a dumpster. Don't forget to use a payphone! 
Post non-GAKed crypto messages to usenet from AOL with cool subjects like, "Here is where to leave the money." and "#43r5637 to #4847d66". I don't see how enforcement is workable. Weld Pond - weld at l0pht.com - http://www.l0pht.com/ L 0 p h t H e a v y I n d u s t r i e s Technical archives for the people - Bio/Electro/Crypto/Radio From mpd at netcom.com Fri Jan 26 16:02:06 1996 From: mpd at netcom.com (Mike Duvos) Date: Sat, 27 Jan 1996 08:02:06 +0800 Subject: Doctor Denning's URL Message-ID: <199601262106.NAA14246@netcom21.netcom.com> I screwed up and mistyped the URL in my prior message referencing Dorothy Denning's updated article on "The Future of Cryptography." The correct URL, pasted directly from my browser which is now displaying the article, is... http://guru.cosc.georgetown.edu/~denning/crypto/Future.html Sorry about that. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From jimbell at pacifier.com Fri Jan 26 16:04:43 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 27 Jan 1996 08:04:43 +0800 Subject: Crypto Exports, Europe, and Conspiracy Theories Message-ID: At 01:06 PM 1/26/96 -0800, Timothy C. May wrote: >A minor correction. Tim Berners-Lee is British, and was only working at >CERN, which effectively straddles the French-Swiss border, near Geneva. Wouldn't it be awful for CERN if they had to get export/import licenses for PROTONS? Each pass? Sorry, couldn't resist. From m5 at dev.tivoli.com Fri Jan 26 16:07:00 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Sat, 27 Jan 1996 08:07:00 +0800 Subject: Crippled Notes export encryption In-Reply-To: <9601242357.AA02688@alpha> Message-ID: <9601262105.AA13065@alpha> Peter D. Junger writes: > But in one way the case may be worse for you cryptographers if you > actually carry source code--or machine code--around inside your head. > ... So, unless you first erase that portion of your memory that > contains the C code for implementing the RSA algorithm ... No problem. 
I can drink myself into a stupor, kill the brain cells, and then be happily assured that I can just flip open the copy of Schneier I'll carry openly under my arm and recall the algorithms from there. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From jimbell at pacifier.com Fri Jan 26 16:19:52 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 27 Jan 1996 08:19:52 +0800 Subject: Denning's Crypto Archy Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 09:45 AM 1/26/96 -0500, Duncan Frissell wrote: >At 02:14 PM 1/26/96 +0100, Anonymous wrote: >> >>Cypherptoady's updatest unscratchable crypto itch and salve: >> >> >>http://www.cosc.georgetown.edu/~denning/crypto/Future.html >> >> > >A good read. You know you're making progress when they start to address >your arguments. > >"Although May limply asserts that anarchy does not mean lawlessness and >social disorder, the absence of government would lead to exactly these >states of chaos." >I've never known Tim to offer limp assertions. >DCF While this would normally be my cue to offer up my "Assassination Politics" idea, which (if presumed to be correct) would stabilize "anarchy" and prevent "lawlessness and social disorder" (at least as normally seen by the average reader) I think that under the circumstances that would be redundant here.
Jim Bell Klaatu Burada Nikto From jimbell at pacifier.com Fri Jan 26 16:29:29 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 27 Jan 1996 08:29:29 +0800 Subject: "Gentlemen do not read each other's mail" Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 09:04 AM 1/26/96 -0600, Mike Tighe wrote: >Perry E. Metzger writes: > >>I am a funny sort of person. I don't believe that governments should >>be able to do anything that individuals cannot. If it is bad for me to >>steal, it is also bad for a government official to steal. If it is bad >>for me to listen in on my neighbor's phone calls, it is bad for the >>government, too. > >I do not see anything funny, but you are at odds with the Constitution, >where the people have granted the government certain rights that they have >not granted to themselves. But it seems we may be making progress at >getting those rights ourselves. It isn't clear to me that the Constitution grants "rights" to the government that aren't already possessed by the people themselves. Would that even be possible? "Powers" maybe, "rights," maybe not. From jimbell at pacifier.com Fri Jan 26 16:35:34 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 27 Jan 1996 08:35:34 +0800 Subject: "Gentlemen do not read each other's mail" Message-ID: At 05:28 PM 1/26/96 -0500, Perry E.
Metzger wrote: > >jim bell writes: >> (For the historically-impaired: Coventry was/is an English town (small >> city?) perhaps most famous from the Lady Godiva legend...but I digress... >> British found out, I guess through Ultra, that it was going to be bombed. >> Telling the inhabitants would have saved many lives, but (possibly) alerted >> the Germans that Enigma had been broken. British made the correct choice: >> Let the city get bombed without (much?) warning. The value of keeping the >> broken-ness of Ultra a secret far outweighed the value of Coventry.) > >The current claim is that, in fact, there was no advance warning about >Coventry and that the claims that there was are unsubstantiated. Extremely odd! Why distribute the claim, if it were false?!? Hmmmmm..... And/or if the claim was falsely made by some non-governmental organization, why not an immediate and forceful denial? Color me confused. From postmaster at direct.ca Fri Jan 26 16:39:09 1996 From: postmaster at direct.ca (The Post Office) Date: Sat, 27 Jan 1996 08:39:09 +0800 Subject: Returned mail: Delivery problems with your mail Message-ID: <96Jan26.132010-0800pdt.205130-997+1@orb.direct.ca> A copy of your message is being returned to you due to difficulties encountered while attempting to deliver your mail. The following errors occurred during message delivery processing: : user "ewanchuk" doesn't exist Reporting-MTA: dns; orb.direct.ca Arrival-Date: Fri, 26 Jan 1996 13:20:00 -0800 Final-Recipient: X-LOCAL; ewanchuk Action: failed Status: 5.1.1 (User does not exist) Diagnostic-Code: 550 (User does not exist) To: hal9001 at panix.com, pgut001 at cs.auckland.ac.nz Subject: Re: "Concryption" Prior Art From: Peter Wayner Date: Fri, 26 Jan 1996 13:55:07 -0500 Cc: cypherpunks at toad.com Sender: owner-cypherpunks at toad.com I believe the patent applies to simultaneous compression and encryption. The simultaneity supposedly saves time. That's the big advance. 
-Peter From bdavis at thepoint.net Fri Jan 26 16:41:10 1996 From: bdavis at thepoint.net (Brian Davis) Date: Sat, 27 Jan 1996 08:41:10 +0800 Subject: Guilt by Association? In-Reply-To: Message-ID: On Thu, 25 Jan 1996, Timothy C. May wrote: > At 2:49 AM 1/25/96, Alan Olsen wrote: > > >This is a problem with the web of trust in general. It is known as "Guilt > >by Association". > > > >Person X commits treasonable act A. All of the persons who are signed on to > >his key could be considered to be co-conspirators. The same applies to > >nyms. The difficulty with prosecuting nyms is finding the link to the real > >world individual. Anyone associated with him/her/it will be considered to > >be guilty by reason of key signage or a way of determining who the real > >person is... > .... > >I guess we are stuck with the "Web of Guilt"... > > Although I disagree with many things the U.S. government has declared > unlawful, and think we are on the wrong track in many ways, I don't see any > evidence for a "web of guilt." > > I could have signed the keys of Timothy McVeigh, O.J. Simpson, and Hilary > Clinton, and yet this would not cause any prosecutor to indict me, per se. > (Brian Davis, do you disagree?) Obviously if one of these persons I was > known to have associated with, to the point of signing their keys, were > under investigation, then some detectives might follow up some leads to > find out who I was. This is ordinary detective work, not guilt by > association. I agree. Signing the key might get you a visit from an agent with questions about your relationship with whoever, but you would not (at least to me) become a target of the investigation without a **whole lot** more than a mere key signing. Speaking only for myself (as always). EBD > > Key-signing is overrated, in my view. It is just an affidavit from someone > that they think a person is related to a key. 
I've signed a few keys (not > many, and don't ask me to!), and I've never once asked for any form of > state-sanctioned ID. > > --Tim May > > Boycott espionage-enabled software! > We got computers, we're tapping phone lines, we know that that ain't allowed. > ---------:---------:---------:---------:---------:---------:---------:---- > Timothy C. May | Crypto Anarchy: encryption, digital money, > tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero > W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, > Higher Power: 2^756839 - 1 | black markets, collapse of governments. > "National borders aren't even speed bumps on the information superhighway." > > > > > Not a lawyer on the Net, although I play one in real life. ********************************************************** Flame away! I get treated worse in person every day!! From llurch at networking.stanford.edu Fri Jan 26 16:41:43 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 27 Jan 1996 08:41:43 +0800 Subject: [NOISY] Printing Microsoft's CryptoAPI .ps In-Reply-To: <2.2.32.19960126184329.002dbed0@isdn.net> Message-ID: The problems futplex et al were having are the result of a known incompatibility between Windows [95] and many print spoolers. You can fix it like so: Date: Thu, 14 Dec 1995 17:41:02 -0800 (PST) From: Rich Graves To: win95netbugs at lists.Stanford.EDU Subject: Fix for PostScript printer "PJL" Error (printing PostScript code rather than image) Shamelessly lifted from the discussion forum on NetWork World's Web site, http://nwfusion.com/ -rich owner-win95netbugs at lists.stanford.edu ftp://ftp.stanford.edu/pub/mailing-lists/win95netbugs/ gopher://quixote.stanford.edu/1m/win95netbugs http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html >From ohara on Wed Nov 1 12:14:40 1995 I have a problem when printing to postscript printers spooled from unix hosts. I am running Win95 and FTP Software's Interdrive 95 (for the lpr client). 
The problem is that the printer spits out pages of postscript code rather than the page the code represents. This happens only when I print over the network. If I plug directly into the printer, everything works fine. It seems that Microsoft improved the pscript.drv to also send "PJL" code to printers. Thus, the actual postscript is surrounded by PJL. Redirect a postscript printer to a file and take a look. Unfortunately, this causes the spooler on the unix host to identify the print job as a plain ascii file, rather than a postscript file. Other than manually editing every print job and copying it to the printer port, is there a way to eliminate the PJL and get my networked printers working again? -Bob >From ohara on Thu Nov 2 11:23:54 1995 I have figured out how to excise the offending PJL commands from the postscript output stream. Every printer that is added to Win 95 puts a unique file into the windows system directory. In my case the file is ibm4039p.spd. This file seems to be a control file for pscript.drv as well as the customization of the properties dialog for the printer. In my case there are several lines that include the word "PJL": *Protocols: PJL TBCP and *JCLBegin: "<1B>%-12345X@PJL JOB<0A>" *JCLToPSInterpreter: "@PJL ENTER LANGUAGE = Postscript <0A>" *JCLEnd: "<1B>%-12345X@PJL EOJ <0A><1B>%-12345X" When I deleted these lines from the .spd file and restarted Win95, the problem was gone. -Bob =========================================================================== Sent through the win9netbugs list. To unsubscribe, send an email message to majordomo at lists.stanford.edu with "unsubscribe win95netbugs" in the *body*. Note spelling. URL for FAQ and further info is in each message's X-headers.
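The failure described in the forwarded posts comes down to the first bytes of the job: the spooler sees the PJL wrapper instead of `%!`. As an added example (not code from the posts or from any spooler), here is a filter that removes the wrapper on the spooling host instead of editing each client's .spd file; this goes beyond the client-side fix in the post, and the function names, the simplified type check and the sample jobs are constructed for illustration.

```python
import re

# Universal Exit Language sequence: the <1B>%-12345X bytes that open and
# close the *JCLBegin / *JCLEnd strings quoted in the post (regex form).
UEL_RE = rb"\x1b%-12345X"

# Leading wrapper: any run of UEL sequences and "@PJL ..." command lines.
HEADER = re.compile(rb"\A(?:" + UEL_RE + rb"|@PJL[^\n]*\n)+")
# Trailing wrapper: begins at a UEL and holds only UELs and @PJL lines.
TRAILER = re.compile(rb"(?:" + UEL_RE + rb"(?:@PJL[^\n]*\n?)*)+\Z")
# The language the wrapper hands the rest of the job to.
ENTER = re.compile(rb"@PJL[ \t]+ENTER[ \t]+LANGUAGE[ \t]*=[ \t]*(\w+)",
                   re.IGNORECASE)


def spooler_type(job: bytes) -> str:
    """Simplified stand-in (assumption) for the spooler's file-type check:
    a job counts as PostScript only if it starts with "%!"."""
    return "postscript" if job.startswith(b"%!") else "text"


def strip_pjl(job: bytes) -> bytes:
    """Remove a PJL wrapper from a job, but only when the wrapper says the
    payload is PostScript. Anything else is returned unchanged."""
    head = HEADER.match(job)
    if head is None:
        return job  # no wrapper at all: pass through untouched
    lang = ENTER.search(head.group(0))
    if lang is None or lang.group(1).lower() != b"postscript":
        return job  # PCL or unknown payload: the printer needs the wrapper
    body = job[head.end():]
    # Drop the closing UEL / "@PJL EOJ" / UEL run, if present.
    return TRAILER.sub(b"", body, count=1)


# Constructed sample jobs. The wrapper bytes follow the post's *JCLBegin,
# *JCLToPSInterpreter and *JCLEnd strings with <1B> and <0A> expanded.
PS_BODY = (b"%!PS-Adobe-3.0\n"
           b"/Helvetica findfont 12 scalefont setfont\n"
           b"72 720 moveto (test page) show\n"
           b"showpage\n"
           b"%%EOF\n")
WRAPPED_JOB = (b"\x1b%-12345X@PJL JOB\n"
               b"@PJL ENTER LANGUAGE = Postscript \n"
               + PS_BODY +
               b"\x1b%-12345X@PJL EOJ \n\x1b%-12345X")
PCL_JOB = b"\x1b%-12345X@PJL ENTER LANGUAGE = PCL\n\x1bEhello\x1bE\x1b%-12345X"

if __name__ == "__main__":
    for name, job in (("wrapped", WRAPPED_JOB), ("pcl", PCL_JOB)):
        cleaned = strip_pjl(job)
        print(name, spooler_type(job), "->", spooler_type(cleaned),
              "(changed)" if cleaned != job else "(unchanged)")
```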
From dan at milliways.org Fri Jan 26 16:51:13 1996 From: dan at milliways.org (Dan Bailey) Date: Sat, 27 Jan 1996 08:51:13 +0800 Subject: Secrecy of NSA Affiliation Message-ID: <199601262146.QAA15541@remus.ultranet.com> On Thu, 25 Jan 1996 15:50:38 -6 you wrote: > >Datapoint: My 1967 HB copy of The Codebreakers discusses the >agency, and includes a photo of the HQ. > > >Peter Trei Speaking of which, The Codebreakers is "indefinitely unavailable" according to the publisher. Anyone have a spare copy they'd be willing to part with? Replies via email, TIA. Dan *************************************************************** #define private public dan at milliways.org Worcester Polytechnic Institute and The Restaurant at the End of the Universe *************************************************************** From tcmay at got.net Fri Jan 26 16:54:50 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 27 Jan 1996 08:54:50 +0800 Subject: [rant] A thought on filters and the V-Chip Message-ID: At 7:56 PM 1/26/96, Alan Olsen wrote: >More will follow as the demons appear in more and more forms. > Just a minor correction, here. You mention "demons." Under the "C" heading inside the V-chip, C for Christian, any use of such Satanic-related language must be labelled for filtering by all right-thinking Christians. Terms considered to be Satanic-inspired: demon, daemon, sprite, troll, Goddess, witch, Wicca, Cthulhu, Crowley, and about 73 other words which the V-chip is programmed to recognize.
(The V-chip had originally been programmed to reject "pixel," but we convinced them that pixels have nothing to do with pixies, which of course are on the list of banned words to be filtered.) --Klaus! Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Fri Jan 26 16:59:28 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 27 Jan 1996 08:59:28 +0800 Subject: Doctor Denning Message-ID: At 7:33 PM 1/26/96, Peter Monta wrote: >> I just read the new and improved Dorothy Denning essay at >> >> http://www.cosc.georgetown.edu/crypto/Future.html > >This can be found at > http://www.cosc.georgetown.edu/~denning/crypto/Future.html > >> One should realize, of course, that whether Crypto Anarchy >> prevails depends not upon the varied philosophical leanings of >> citizen-units May and Denning, but rather upon whether our >> mathematics is more powerful than their jackbooted thugs. > >What I found interesting was the lack of meat behind >"Crypto Anarchy is Not Inevitable". It seemed to boil >down to the vacuous "if everyone could just agree that key >escrow is a good thing, there would be no problem". This is the main reason I haven't bothered to rebut her points: there were essentially none to rebut. (There are substantive criticisms of my points that can be made, including discussions of what might be done to delay or even head off crypto anarchy completely. 
I had dinner a few nights ago with David Friedman, author of "The Machinery of Freedom," and he made some incisive comments about how the State might go about heading off this future. I'm glad he's on our side, and not the government's.) Two other reasons I have not sought to rebut her analysis: First, I doubt many people saw either my original article (available on Bob Hettinga's page: http://thumper.vmeng.com/pub/rah/anarchy.html) or Denning's reaction article. Second, I stated my views, she stated her views, not much more to say. Especially as she has not had an active presence on the Net, either in talk.politics.crypto or in other forums I have seen, and thus a real debate on the Net has not been possible. Mostly I know I can't change her views, so why bother? Other people may have their views affected by what I say, and for these people I have certainly written enough. --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jimbell at pacifier.com Fri Jan 26 17:00:41 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 27 Jan 1996 09:00:41 +0800 Subject: Bernie S. Sentencing Message-ID: At 08:02 PM 1/26/96 -36000, Matt Miszewski wrote: >On Thu, 25 Jan 1996, Ed Carp, KHIJOL SysAdmin wrote: > >(snip) >> The last thing one of the "suits" said was something like "they know >> about the hole in RSA we found with the quantum computer" - or that's >> what was reportedly said. Something like that. 
> >The AP line came down that the matchbook contained the algorithm for >easily factoring large primes. As I heard it, their algorithm factored large composite numbers in ((log(n))**(-1)) time, meaning that the larger the composite number got the faster it was to factor. Yep, that's it. From rsalz at osf.org Fri Jan 26 17:12:32 1996 From: rsalz at osf.org (Rich Salz) Date: Sat, 27 Jan 1996 09:12:32 +0800 Subject: Crypto Exports, Europe, and Conspiracy Theories Message-ID: <9601242352.AA12293@sulphur.osf.org> I believe that one minor reason is the PKP chokehold on public-key patents. It has slowed down adoption within the US, and the RSA licenses for example tend to get very "interesting" when it involves places where their patents don't hold. Last year, how many COTS products had strong crypto? There are very few software imports into the US. I don't think crypto is particularly slighted. There might be pressure, and there might be dummy front firms, but with tongue in cheek to emphasize the point, I just think those ferriners can't code fer shit. /r$ From dmandl at panix.com Fri Jan 26 17:13:25 1996 From: dmandl at panix.com (David Mandl) Date: Sat, 27 Jan 1996 09:13:25 +0800 Subject: Nym use in the real world Message-ID: At 10:01 AM 1/26/96, Eric Murray wrote: >With the coming Internet restrictions and growing use of the >net by LEAs, it's become obvious to me that I shouldn't post >messages with my real name. But I have some problems/questions about >using a nym: [...] Very good points. Just saying "use anonymity" is often a gross oversimplification for several reasons. One of the problems I've been thinking about recently is that I may want only a special group of people, and no one else, to know that I'm responsible for a post. A nym won't work in this case. As has been pointed out here before, a lot of people are going to be getting in trouble for things they posted to obscure newsgroups or mailing lists four years ago. 
How do I make sure that I get credit for something I've posted, but avoid the Alta Vista police? There are a few feeble solutions, like: h w t w s t c b s f w A V i o h a o h a e e o i l i d r i y e n a r t t s i d s y ' r h a t n s t c a g h e d o.r..l.i.k.e..t.h.i.s ...but someone will undoubtedly find a way to search for these things eventually, or they can just subscribe to the list! Anonymity is a pain in the ass, frankly, which is why I've never used it. True, I've never needed to post anything really sensitive, but going through life as "Black Unicorn" (no offence, BU) is just an unacceptable inconvenience as far as I'm concerned. Sort of like having to live on the lam, which I'm sure is no party. It seems there are more and more situations where encryption and anonymity aren't enough. One obvious case is the web, where I may want to put something of questionable legality on my home page. There's no way that crypto will render the laws irrelevant in this case. Can I get an offshore account and post the offending graphic there? Yes, but it's a pain. And when the big net crackdown comes, I wonder whether the U.S. will pressure other countries to participate and help them wipe out these data and gif havens? The net is moving farther and farther away from being a "Temporary Autonomous Zone," meaning there are fewer and fewer pockets to hide or get lost in. --Dave. -- Dave Mandl dmandl at panix.com http://www.wfmu.org/~davem From dm at amsterdam.lcs.mit.edu Fri Jan 26 17:14:13 1996 From: dm at amsterdam.lcs.mit.edu (David Mazieres) Date: Sat, 27 Jan 1996 09:14:13 +0800 Subject: Crippled Notes export encryption In-Reply-To: <199601242330.SAA08632@toxicwaste.media.mit.edu> Message-ID: <199601242346.SAA14838@amsterdam.lcs.mit.edu> > cc: Jeff Weinstein , cypherpunks at toad.com > Date: Wed, 24 Jan 1996 18:30:00 EST > From: Derek Atkins > > > How did kerberos avoid this? The "bones" distribution of kerberos > > without crypto was not regulated by ITAR, right? 
> Kerberos didn't leave the crypto pluggable. The bones distribution > removed not only the crypto routines but also the calls to the crypto > routines. It would be hard to call that "pluggable". It took a lot > of work for someone down under to replace all those crypto calls! So where exactly do they draw the line? You can still construct your software in such a way that there is a clean boundary between the crypto stuff and the rest. For example, could you have an application with a function: authenticate_user (int file_descriptor) which in the exportable version sends a password, and in the domestic version constructs some sort of authenticator? Could you have an xdr-like function which in an exportable version just does argument marshaling and in a domestic version also encrypts? How exactly are crypto-hooks defined? This restriction seems orders of magnitude more bogus than even the ban on exporting actual encryption. David From markm at voicenet.com Fri Jan 26 17:14:54 1996 From: markm at voicenet.com (Mark M.) Date: Sat, 27 Jan 1996 09:14:54 +0800 Subject: Nym use in the real world In-Reply-To: <199601261801.KAA07578@slack.lne.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Fri, 26 Jan 1996, Eric Murray wrote: > > > > With the coming Internet restrictions and growing use of the > net by LEAs, it's become obvious to me that I shouldn't post > messages with my real name. But I have some problems/questions about > using a nym: > > 1. reputation. My nym will need to build its own reputation, I know. > But I currently get offers of work based on my reputation and posts. I > would like this to continue. When it comes time to do the work and > collect the pay, I need to tie my nym to me. Reasons: only the > most adventurous firms would hire someone to do work without knowing > their real name. I also need to have the proper forms (1099 etc) > filed.
I know that a lot of people on the list would say that I shouldn't > file taxes, but I am (currently) willing to pay the price to stay > out of jail. Reputations are useful for more than just getting a job. If a nym develops reputation, people may be more likely to trust (or not, depending on the kind of reputation the nym has earned) a post or e-mail sent from that nym than from someone who has no reputation. > > The other problem (tying the nym to RealName) for employers is > more severe. A nym is only good when no one can tie it to your > real name. If I have to tell everyone I do work for what my real > name and nym is, soon enough people will be able to tie the two that > the nym becomes nearly useless. > It is possible to have more than one nym. You could use each nym to develop a different reputation. For instance, one nym could be very knowledgable in the field of cryptography, and another could be a really good golf player. There is no reason for anyone to know that these two nyms are used by the same person because most people on a newsgroup like rec.sports.golf probably couldn't care less about your interest in cryptography. > > 2. does it (a nym) really help? Police and governments are used to > dealing with people who change their names, use fake names, etc. > I get the impression that having multiple/fake names is considered by police > to be evidence or at least indication of guilt. "If you're not guilty > why're you hiding?". > > Using a nym would at least help with the problem of police or > other parties searching through Dejanews/Altavista for my posts for > incriminating evidence. But if my nym is investigated for some future > crime (fuck Exon) and my nym isn't secure enough to protect my > RealName, it will be a liability. > > > Thoughts? > > I do think that in any situation where both anonymity and reputation are desired, nyms are of great use. When you need reputation and not anonymity, True Names should be used.
- -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 PGP: Because sometimes, a _Captain Midnight_ decoder ring simply isn't enough. From m5 at dev.tivoli.com Fri Jan 26 17:15:40 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Sat, 27 Jan 1996 09:15:40 +0800 Subject: Crippled Notes export encryption In-Reply-To: <199601242348.PAA03559@ns1.vplus.com> Message-ID: <9601242357.AA02688@alpha> Dan Weinstein writes: > m5 at dev.tivoli.com (Mike McNally) Wrote: > > Dan Weinstein writes: > > > >By the way, I really think Netscape should simply ship Jeff and other > > > >people to the Amsterdam office... > > > > > > Wrong, this would be a violation of ITAR. > > > > I don't understand; are you saying Jeff's brain is a munition under > > the ITAR? > > I forget how it is termed in ITAR, but expertise can't be exported > either. Uhh, I'd like a second opinion please doc. Are you suggesting that whenever anybody with cryptographic expertise (like, maybe, anybody on this mailing list) leaves the country we're in violation of munitions export laws? Is somebody who knows how to build a rocket in the same boat? > like I suggested before any programmers who gained their knowledge of > crypto programming in the U.S. and then went abroad and developed > crypto software would be in danger of prosecution under ITAR if they > ever returned to the U.S.. This sounds fishy to me.
I don't recall reading anything to suggest that export of cryptographic software (or any other munition) requires that the stuff be *used* outside the US for an offense to be committed; why should export of a cryptographer's wetware be any different? Either the expertise leaves the country or it doesn't, I'd think. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From jimbell at pacifier.com Fri Jan 26 17:15:56 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 27 Jan 1996 09:15:56 +0800 Subject: Assassination Politics Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Notice that I've added two areas to the list above, nwlibertarians at teleport.com and dnowch2 at teleport.com ; the areas on which "Assassination Politics" is commonly discussed. I've also sent a copy to Cypherpunks at toad.com, for its obviously ob crypto (encryption, digital cash, etc) aspects. At 10:09 AM 1/24/96 -0500, Robert Vincent wrote: >So what's to keep the powers-that-be from successfully assassinating the >would-be directors of any such organization Technically, "nothing." Nothing unusual, anyway. Except that if you follow my logic carefully, you will see that I believe that the developments I describe are tantamount to being technologically "inevitable." The mere existence of good encryption, Internet-type worldwide networking, and untraceable digital cash will "automatically" allow/cause such systems to arise. And development of such an organization ANYWHERE, plus the Internet, means that it can operate EVERYWHERE. Further, here is my speculation: Let's assume I have this Internet soapbox, and I manage to convince you and your friends (and their friends, etc) that: 1. 
My system, if allowed to work, will replace the current political system with one that is far more "attractive," on the average. In other words, it will do approximately what I claim it will: Eliminate all governments, militaries, taxes, yet maintain a reasonable degree of freedom for all citizens, rich and poor, strong and weak, etc. It'll even punish criminals. Real criminals, like murderers, rapists, thieves, etc. Furthermore, that it won't have any _likely_ "horror scenarios" associated with it (such as the ones some people (wrongly) think exist), or at least it will be no worse than the status quo. In fact, it will be a VAST improvement over the status quo. It will produce, I believe, an essentially perfectly libertarian (and _stably_ anarchistic, yet it has protections for rights.) society. and 2. The system is just about technologically inevitable, given the technical developments which already exist and I foresee. and 3. The only thing that's preventing such a system from being adopted is the fact that this system would eliminate the control of the current political system by those few who now control it. Segue to near the end of the 1964 movie, Dr. Strangelove, where the title character (the scientific advisor to the President) is asked by the President whether enormous buried cobalt bombs can be built, and controlled by computer to detonate automatically on nuclear attack. He said, "It requires only the _will_ to do it." Similarly, I would argue that the implementation and rollout of an "Assassination Politics" scenario is almost even today within the technical capability in common usage, lacking only the common acceptance of "digital cash". At some point, "it requires only the _will_ to do it." At that point, I argue that we will have a scenario reminiscent of the day the East German citizens broke down the Berlin Wall. Enough people wanted it done, and nobody was going to stand up and try to stop it. It HAPPENED.
It was "illegal" by the standards of East Germany that day, but it HAPPENED. The odd thing, however, is that despite my publicizing the idea of "Assassination Politics" to what by now has probably been thousands of people and (statistically) dozens of lawyers, I haven't heard a serious, defensible argument that the implementation of this system would even be ILLEGAL by black-letter US law. True, any underlying killings might be, and probably would be, murder. But the system as I described it is quite carefully structured to prevent anyone but the self-motivated murderer from doing the murder, knowing that it will occur in the future, or (for that matter) knowing for sure that it actually WAS a murder, or let alone who did it, even after it occurs. While I won't claim I've "thought of everything," I _will_ say that I think I've demonstrated that current law would be vastly inadequate to deal with such a scenario. I suspect that a lawyer familiar with the concept of "Assassination Politics" and who follows proposed legislation in Congress ought to scan for laws designed to preclude the development of such a system. Whether or not this could even be accomplished is in serious question, since it would probably require banning all remnants of freedom in this country. In other words, we are coming to a fork in the road: One choice leads to perfect freedom, the other to absolute tyranny. Well, at least you have been warned. > and squelching any public mention of it? Well, YOU heard about it, didn't you, and I'm not dead. (yet?) True, the system doesn't actually exist and operate, but that's merely a matter of implementation, not of technical capability. Microsoft could write the whole thing into Windows 97 as a "Killer App." (This joke was to somebody else's credit, sigh! Can't recollect who... Maybe Tim May?) (I now believe that the US government's decision to develop the Internet was a case of slow-motion governmental suicide. 
The trigger was pulled in the 1960's, and the death will occur about 40 years later. "Jim Bell" (myself) will be one of the first to notice the "bullet" flying towards its mark. For making that observation, I will be severely criticized, and probably even BLAMED.) In a sense, it is arguable that I am worthy of neither the credit nor the blame.

>Don't forget that the real controllers have the press and
>the media in their pocket, not just your Congressman! I predict that if
>anybody actually does set up an organization to reward "predictors", that
>person or persons will be quickly and quietly put out of business, whether
>by legal means or otherwise.

Follow the technological development of "nyms" on Cypherpunks. It is possible that this system could be set up, totally anonymously, and perhaps even in a totally decentralized way, so that (for example) 1000 anonymous individuals (anonymous even from each other) run it according to agreed-upon rules.

>Which is too bad. It's a beautiful idea, otherwise.

Hey! Glad you think so! One guy called it "atrocious." Some people would have you believe that I'm a raving lunatic. (Well, technically I can't prove to you I'm NOT a "raving lunatic," but at least to you, believing in this system isn't evidence to the contrary.) Another guy said that if this system were ever implemented, I would have become "the Antichrist." Even though I'm an atheist myself, I know enough about religion in general, and Christianity in particular, to realize that statement wasn't intended as a compliment.

Jim Bell
Klaatu Burada Nikto. Remember this. It'll become important...soon.
From frissell at panix.com Fri Jan 26 17:17:20 1996
From: frissell at panix.com (Duncan Frissell)
Date: Sat, 27 Jan 1996 09:17:20 +0800
Subject: Denning's Crypto Archy [LONG]
Message-ID: <2.2.32.19960126214239.006ca3fc@panix.com>

The Future of Cryptography
Dorothy E. Denning
Georgetown University
Revised January 6, 1996

[Responses by Duncan Frissell in square brackets]

Although May limply asserts that anarchy does not mean lawlessness and social disorder, the absence of government would lead to exactly these states of chaos. [Tim is rarely given to limp assertions. I haven't seen him spend much time arguing about the exact social arrangements of a free society following the crypto revolution. He has merely pointed out the results of the technology.] I do not want to live in an anarchistic society -- if such could be called a society at all -- and I doubt many would. [Whatever happens, there will always be plenty of cults around (perhaps even one called the Government of the United States of America) to which anyone will be free to belong and at the altars of which one will be free to worship. In fact the deregulation of human interaction will make it easier for more oppressive cults to exist than is possible today as long as they keep to themselves. There will be no shortage of people willing to tell their followers what to do. Nothing will stop anyone from joining such a society.] A growing number of people are attracted to the market liberalism envisioned by Jefferson, Hayek, and many others, but not to anarchy. Thus, the crypto anarchists' claims come close to asserting that the technology will take us to an outcome that most of us would not choose.
[Still up for negotiation is how liberal a market we will want. The growing power of markets and (traditional) liberal ideas is the result of the growing wealth and power of individuals around the world. Crypto anarchists merely point out that the shape of future market societies is no longer in the hands of "The Authorities" but is rather in the hands of those trading on the market; i.e., everyone on Earth."] This is the claim that I want to address here. I do not accept crypto anarchy as the inevitable outcome. A new paradigm of cryptography, key escrow, is emerging and gaining acceptance in industry. [That is what remains to be seen.] The drawbacks of cryptography are frequently overlooked as well. The widespread availability of unbreakable encryption coupled with anonymous services could lead to a situation where practically all communications are immune from lawful interception (wiretaps) [My thoughts are immune from 'lawful interception' as are everyone else's and yet the world survives. Thought is communication within the brain. Communication is 'thought' between brains. The world which has survived private thoughts can survive private communications. The whole concept of controlling communications is a bit obsolete in any case. In past eras, the only social threat came from large masses of men (hence the desire to intercept and control communications) whereas today any individual can do more damage than a large group in the past.] and documents from lawful search and seizure, and where all electronic transactions are beyond the reach of any government regulation or oversight. The consequences of this to public safety and social and economic stability could be devastating. [See the recent joint study by the Cato Institute, the Fraser Institute, and 9 other think tanks world wide showing that there is a strong positive correlation between nations with free economies and nations with wealth. 
There seems little doubt that total economic deregulation is a good thing. We shall certainly have the chance to test that hypothesis in coming years. I haven't seen any nation harmed so far by having too free an economy.] With the government essentially locked out, computers and telecommunications systems would become safe havens for criminal activity. Even May himself acknowledges that crypto anarchy provides a means for tax evasion, money laundering, espionage (with digital dead drops), [That is, keeping your own money, transferring funds, and research. Sounds like activities that should not be the concern of others.] contract killings, [These may be easier although *government* killings will be harder since governments may lack the resources to do as much of that sort of thing as they have done before. (From 1917-1989, Communist governments murdered someone every 30 seconds -- a total of some 60 million people.) In addition, those who fear they may be the subject of contract killings can use pseudonyms, locational ambiguity, and untraceable communications to make themselves harder to find and thus to kill.] and implementation of data havens for storing and marketing illegal or controversial material. [Last time I looked, controversial material was legal to possess and transmit. Illegal information will no longer be illegal if its transmission can't be stopped since utterly unenforceable laws tend to go away (see Sodomy).] Encryption also threatens national security by interfering with foreign intelligence operations. The United States, along with many other countries, imposes export controls on encryption technology to lessen this threat. [Of course if the US is weakened by the growth of (really) free markets, its enemies will be as well so foreign threats will automatically diminish.] Cryptography poses a threat to organizations and individuals too. 
With encryption, an employee of a company can sell proprietary electronic information to a competitor without the need to photocopy and handle physical documents. [This is a threat from digitization, not from encryption.] The keys that unlock a corporation's files may be lost, corrupted, or held hostage for ransom, thus rendering valuable information inaccessible. [Or the computers can not be backed up, can crash, can be blown up, can be flooded, can experience disk failures, etc. This is not a problem unique to encryption. Backups and scattered sites are always necessary. High-speed networks, secure communications, and encryption make it easier to back up your systems at different locations all over the world. They help you avoid data loss, they don't contribute to it. Key splitting and private key escrow can easily protect keys.] When considering the threats posed by cryptography, it is important to recognize that only the use of encryption for confidentiality, including anonymity, presents a problem. [Of course confidentiality is the reason codes were invented in the first place. Additionally, the Supreme court has recognized that anonymity has First Amendment protection. We have already made the social decision that anonymity is OK in many circumstances. I'm sure that all of us engage in many anonymous transactions on a daily basis and yet the world survives.] Crypto anarchy can be viewed as the proliferation of cryptography that provides the benefits of confidentiality protection but does nothing about its harms. It is government-proof encryption which denies access to the government even under a court order or other legal order. [In countries that don't regularly practice torture, we have the power to disobey court orders in any case. Modern technology merely makes it easier and reduces the likelihood of punishment. Court orders are rare in any case. Seems like much ado about nothing.] 
It has no safeguards to protect users and their organizations from accidents and abuse. [This is the job of those who write software, not philosophers.] The crypto anarchist position is that cyberspace is on a non-stop drift toward crypto anarchy. [I usually argue that the spread of markets is driven more by cheap telecoms and the growth of a very efficient market infrastructure. Cryptography hasn't had much of an impact yet. I think that even without crypto, markets will swamp attempts to regulate them and since people can move as well, they are becoming harder to control even before any crypto revolution.] In addition to the free encryption programs being distributed on the net, encryption is becoming a basic service integrated into commercial applications packages and network products. The IP Security Working Group of the Internet Engineering Task Force has written a document that calls for all compliant IPv6 (Internet Protocol, version 6) implementations to incorporate DES cryptography. [The net belongs to its customers and as owners they will probably decide to secure their property. Sounds enormously democratic to me.] The potential harms of cryptography have already begun to appear. As the result of interviews I conducted in May, 1995, I found numerous cases where investigative agencies had encountered encrypted communications and computer files. These cases involved child pornography, [Possession of a bunch of zeros and ones.] customs violations [free trade] drugs [the retail pharmaceutical trade] espionage [research] embezzlement [finally a crime] murder [Another crime. Can you give us the details of a murder investigation blocked by cryptography? We don't need any names.] obstruction of justice [Refusal to make things easy for prosecutors. A *real* crime. This wasn't Hillary by any chance, was it?] tax protesters [You mean tax evaders, don't you? Far as I know, protesting taxes is a legal activity.] and terrorism. [State-sponsored or private?] 
At the International Cryptography Institute held in Washington in September, 1995, FBI Director Louis Freeh reported that encryption had been encountered in a terrorism investigation in the Philippines involving an alleged plot to assassinate Pope John Paul II and bomb a U.S. airliner [4]. [But the perp was caught anyway. Is this the same Louis Freeh who thinks that the loss (by him) of a government cellphone is just as bad as the FBI issuing shoot-to-kill orders against American citizens before even trying to arrest them (since he punished both with a letter of reprimand)?] AccessData Corp., a company in Orem, Utah which specializes in providing software and services to help law enforcement agencies and companies recover data that has been locked out through encryption, reports receiving about a dozen and a half calls a day from companies with inaccessible data. [Sounds like poor system design. I'm not sure that advising others how to safely store their business records has anything to do with law enforcement, however.] The idea is to combine strong encryption with an emergency decryption capability. This is accomplished by linking encrypted data to a data recovery key which facilitates decryption. This key need not be (and typically is not) the one used for normal decryption, but it must provide access to that key. The data recovery key is held by a trusted fiduciary, which could conceivably be a governmental agency, court, or trusted and bonded private organization. A key might be split among several such agencies. [Why would a government agency or a court be the best entity to provide business services? If I'm looking for someone to install a LAN in my office, I don't immediately think to call the Post Office and get them to bid on the job. Business services like data backup and recovery are much more likely to be efficiently accomplished by a private contractor.] Organizations registered with an escrow agent can acquire their own keys for emergency decryption. 
An investigative or intelligence agency seeking access to communications or stored files makes application through appropriate procedures (which normally includes getting a court order) and, upon compliance, is issued the key. [But what if it turns out that my chosen escrow agent is located outside the jurisdiction of the court. Surely you don't want to cause any NAFTA or GATT problems here. The WTO might declare your encryption policy to be an unfair trade practice.] Legitimate privacy interests are protected through access procedures, auditing, and other safeguards. [But what if some of us want better protection than bureaucratic promises and procedures. Some people in the past who relied on government promises and procedures ended up in crowded "shower" rooms trying to extract oxygen from diesel exhaust.]. In April, 1993, as response to a rising need for and use of encryption products, the Clinton Administration announced a new initiative to promote encryption in a way that would not prohibit lawful decryption when investigative agencies are authorized to intercept communications or search computer files [6]. [And a rousing success it was.] The IBAG principles acknowledge the right of businesses and individuals to protect their information and the right of law-abiding governments to intercept and lawfully seize information when there is no practical alternative. [Is a communist dictatorship a "law abiding government?"] The principles call for industry to develop open voluntary, consensus, international standards and for governments, businesses, and individuals to work together to define the requirements for those standards. The standards would allow choices about algorithm, mode of operation, key length, and implementation in hardware or software. Products conforming to the standards would not be subject to restrictions on import or use and would be generally exportable. [Gee, I thought that was what we were doing.] 
It is conceivable that domestic and international efforts will be sufficient to avoid crypto anarchy, particularly with support from the international business community. However, it is possible that they will not be enough. Many companies are developing products with strong encryption that do not accommodate government access, standards groups are adopting non-key escrow standards, and software encryption packages such as PGP are rapidly proliferating on the Internet, which is due, in part, to the crypto anarchists whose goal is to lock out the government. Since key escrow adds to the development and operation costs of encryption products, the price advantage of unescrowed encryption products could also be a factor which might undermine the success of a completely voluntary approach. [Sounds like the voluntary cooperation of human beings in international markets is just humming right along isn't it? It seems that a lot of market participants are "voting with their feet" for strong crypto. The System is the Solution.] Under this licensing program, commercial encryption products, including programs distributed through public network servers, would comply with government regulations. [Isn't a "public network server" just a server that is made world readable? Since there will be (conservatively) 100 million "public network servers" online in a few years, won't enforcement be a trifle difficult?] Such an approach would not prevent the use of government-proof encryption products by criminals and terrorists. They could develop their own or acquire the products illegally. But an approach of this type would make it considerably more difficult than it is at present. Had such controls been adopted several years ago -- before programs such as DES and PGP were posted on the Internet -- the encryption products on the market today would support key escrow or some other method for government access. 
[As I recall, wasn't public key encryption developed in spite of the fact that the NSA had in place an unofficial ban on cryptographic research? The NSA's ban failed. Since you are not proposing outlawing such research, what makes you think that mere distribution controls will work? ] It would not be possible to acquire strong, government-proof encryption from reputable vendors or network file servers. The encryption products available through underground servers and the black market would most likely not possess as high a quality as products developed through the legitimate market. [The Internet itself runs primarily on software developed on the open market from non-commercial sources without slick packaging. It seems to have met with some market acceptance in spite of the lack of shrink-wrap packaging.] Crypto anarchy is an international threat which has been stimulated by international communications systems including telephones and the Internet. Addressing this threat requires an international approach that provides for both secure international communications crossing national boundaries and electronic surveillance by governments of criminal and terrorist activity taking place within their jurisdictions. [It's nice to be noticed. How, exactly, is this voluntary, international, standards regime going to deal with the desire of different governments to control different communications. Look at the problems, some governments want to ban American movies, the Asian Wall Street Journal, books on the health of former heads of state, public records of sensational murder trials, phone calls made using callback services, financial wire services, novels by leftist co-religionists living in England, email containing the English word for sexual intercourse (if readable by children), directions on where to obtain an abortion in London, etc. And all these governments will want to crack private transmissions in order to find those responsible for these "crimes." 
This is going to be a hell of a challenge for a voluntary, international standards regime. I think it is probably beyond the capabilities of such an institution to mediate among all of these competing desires to control the communications of others.]

DCF

"BTW if one spellchecks the word unescrowed (as in unescrowed encryption) one is likely to encounter the suggested replacement "unscrewed" (as in unscrewed encryption)."

From eb at comsec.com Fri Jan 26 17:27:46 1996
From: eb at comsec.com (Eric Blossom)
Date: Sat, 27 Jan 1996 09:27:46 +0800
Subject: Crippled Notes export encryption
In-Reply-To:
Message-ID: <199601262323.PAA11322@comsec.com>

Tim May says:
> I have several pieces of evidence which suggest to me that the government
> is leaning on companies in ways which are not always apparent. (I can't
> share all of the evidence I have...I know this is unsatisfying. I'm not
> asking you to "trust me," just noting that this is what I have either heard
> from usually reliable sources or from direct participants.)

I just got back from the AFCEA show. Lotus was there demonstrating Lotus Notes V4 DMS (Defense Messaging System). They've hacked it to be DMS compliant (I think that that means mostly that they support X.400 addressing, X.500 directory services and use a Fortezza card to encrypt and sign)... There are a lot of folks involved in the DMS game. Loral is the prime contractor. ESL, Lotus and Microsoft are providing UA's (front ends).

Eric

From shamrock at netcom.com Fri Jan 26 17:38:08 1996
From: shamrock at netcom.com (Lucky Green)
Date: Sat, 27 Jan 1996 09:38:08 +0800
Subject: Crippled Notes export encryption
Message-ID:

At 14:49 1/24/96, Alex Strasheim wrote:
>Big companies like Netscape, Sun, Microsoft, and IBM/Lotus, on the other
>hand, will almost certainly achieve their objectives if they win the
>political fight. They'll make buckets of money selling crypto software
>abroad.
>And if they lose the fight, they're going to be handing big
>opportunities to foreign competitors.

The big companies are fighting? Where did you get that idea? IBM/Lotus just gave the feds the keys. Not a single one of the major players has challenged the government in any meaningful way. Sure, they make a lot of noise as to how they dislike the regulations, but they certainly aren't making a sincere effort of trying to change them.

-- Lucky Green PGP encrypted mail preferred.

From peer at alpha.c2.org Fri Jan 26 17:45:54 1996
From: peer at alpha.c2.org (Peer Gynt)
Date: Sat, 27 Jan 1996 09:45:54 +0800
Subject: Nym use in the real world
Message-ID: <199601270035.QAA06231@infinity.c2.org>

-----BEGIN PGP SIGNED MESSAGE-----

> With the coming Internet restrictions and growing use of the
> net by LEAs, it's become obvious to me that I shouldn't post
> messages with my real name.

My reasons for experimenting with nymdom are somewhat different. I have no intentions of using my nym for anything that I would not do using my True Name. I see it more as a tool for segmenting the knowledge the outside world has about me. With the expansion of information ubiquity and easy access to powerful search tools, nyms become a welcome tool to foil the dossier builders.

> 1. reputation. My nym will need to build its own reputation, I
> know. But I currently get offers of work based on my reputation
> and posts. I would like this to continue. When it comes time to
> do the work and collect the pay, I need to tie my nym to me.

While certainly useful, nyms have very definite practical limits. I see them as more useful and flexible once one discards the monolithic nym concept (ie my name is xxx and my nym is Peer). When one uses multiple nyms for multiple purposes, discarding the secrecy of one is less troublesome. This also allows the cultivation of positive reputation in diverse reputation markets. Of course, doing this to any great extent may be more trouble than it's worth.

> 2.
> does it (a nym) really help? Police and governments are used to
> dealing with people who change their names, use fake names, etc. I
> get the impression that having multiple/fake names is considered by
> police to be evidence or at least indication of guilt. "If you're
> not guilty why're you hiding?".

While there is certainly a stigma associated with nymdom (even occasionally on Cypherpunks, of all places), I don't think it will provide any additional liability (assuming nyms themselves don't become illegal). If your nym is investigated and compromised, then your True Name has already been linked to your actions - they know you're guilty. And while using a nym may attract unwanted attention due to its nature, can it be worse than using your True Name? Perhaps. I keep forgetting about selective enforcement...

Peer

Aside: How many people here actually check signatures? For those who don't, does seeing a signed message inspire any additional confidence? For those who do, does seeing an incorrectly signed message inspire any less confidence?

From bruceab at teleport.com Fri Jan 26 17:49:56 1996
From: bruceab at teleport.com (Bruce Baugh)
Date: Sat, 27 Jan 1996 09:49:56 +0800
Subject: "This post is G-Rated"
Message-ID: <2.2.32.19960126084847.0069ba04@mail.teleport.com>

At 08:06 PM 1/25/96 -0800, Johnathan Corgan wrote:
>This would allow to emerge a free market 'ecology' of ratings agencies,
>similar to the system that has emerged in the PC technology
>market for product reviews.

This seems to me a task of crucial importance, as I listen to the conversations of relatively net-clueless folks.
Their first reaction, upon learning about net abuse, is to demand that abusers be tracked down and punished. Privacy-enhancing tools make this more difficult. It seems to me that if we're to avoid a wholescale crusade against net privacy, we _really_ need to have a credible alternative to offer: both the software and the wetware :-) to let individuals screen out offending drek. Having canned solutions is especially important, since many of the people most susceptible to anti-privacy propaganda are precisely those who don't know and likely aren't going to know how to construct their own filters. I see this as a matter of enlightened self-interest, therefore. I can't write code worth squat, but I can write other things. I'm starting in on a Web-based guide to privacy tools, with screen shots and the like. If anyone has useful info to contribute about screening out crud for novices, write me! I need to hear from you!

Bruce Baugh
bruceab at teleport.com
http://www.teleport.com/~bruceab

From jimbell at pacifier.com Fri Jan 26 17:54:19 1996
From: jimbell at pacifier.com (jim bell)
Date: Sat, 27 Jan 1996 09:54:19 +0800
Subject: Time codes for PCs (fromn German Banking)
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

At 11:11 PM 1/24/96 -0500, Dave Emery wrote:
>>
>> Was the person in the basement eavesdropping or actually performing a
>> man-in-the-middle attack?
>>
> Very much the easiest way of doing this is a classic man in the
>middle attack with two vanilla off the shelf modems and a vanilla off
>the shelf central office simulator. The modems would be tied more or
>less back to back through two serial ports and software on a laptop in
>the basement, one modem connected to the actual phone line to the central
>office and the other connected to the local wires to the target's home
>through the central office simulator.
>This way all traffic in both
>directions would go through the modems and software on the laptop
>allowing the connection to be taken over cleanly between packets, and
>packets to be injected and deleted as needed. I believe that it would
>not be hard to make such a MITM decode the DTMF dialing from the target
>and dial the same number on its outgoing modem thus enabling the
>MITM to passively relay modem calls it wasn't interested in spoofing.
>And incoming modem calls could be similarly handled.

A peripheral I've long wanted to see, commonly available: ACCURATE time, broadcast to the millisecond/microsecond/nanosecond, available from sources as varied as TV VIR's, FM subcarriers, and other sources, available as an easy input (via a peripheral card) to a computer. I have a 12-year-old Heathkit "Most Accurate Clock" that I assembled myself, and had the foresight to install it with its computer interface option. (receives 5, 10, or 15 MHz signals broadcast from Boulder, Colorado, containing "exact" time.) While I've never taken the time to connect it to my PC, it provides (through an RS232 jack) correct time with a rated accuracy of about 5 milliseconds, as I vaguely recall. (Even has a dipswitch setup on the bottom to tell it how many 500 mile increments you are away from WWVB... corrects for delay to a first order of magnitude.) (BTW, if anybody knows how to easily connect it to the pc, or has the appropriate software, please tell me. The task isn't difficult from a hardware standpoint; it's just RS-232 serial ASCII timecode at about 9600 bps which either continuously retransmits or on request. The problem is the software: How, exactly, do I INTERFACE such a serial input to the existing computer/RTC combination? (Don't tell me to plug it into an unused serial jack! I'm not stupid. I'm not a programmer, and I don't play one on TV!
(I know gates, flops, op amps, A/D, D/A, microprocessor hardware design, even some Z-80 assy language, RF, and I've programmed in Fortran, Basic, APL, Algol, PL/1, Pascal, LISP, but not recently and I don't enjoy it!) (Then again, there are those "Receptor" watches which have (at least) similar accuracy, which as I understand it work on FM subcarrier principles.) Technology has now supplanted this old monstrosity: Even with CHEAP GPS receivers, they put out time which is rated in accuracy to well better than 1 microsecond, and probably better than 200 nanoseconds even with S/A turned on, and probably 100 nanoseconds with S/A off. Once GPS receivers contain equally cheap DGPS receivers, they'll be able to tell you your location to about 1 meter and corresponding time accuracy, about 3 nanoseconds. I'm not particularly familiar with TV VIR signals, but I'd imagine they are timecoded, or at least they COULD be without a lot of effort. Resolution would be FAR better than 1 microsecond, and accuracy would be primarily limited by knowledge of your location compared to the xmitter. MITM attacks would be far more difficult if both ends of the data conversation agreed on the "exact" time, and could detect transmission delays and CHANGES in transmission delays. While it would be possible to locally spoof the accurate timecode, a cheap version of a "disciplined oscillator" (which any GPS receiver is going to have, anyway) would detect such short-term spoofing trivially. Occasionally, I've speculated on whether it might be useful to be able to synchronize (or, at least, KNOW) to the PHASE of the 60 Hz power grid. True, I know that the HV grid is 3-phase and most people won't know which phase they're on anyway, but that wouldn't change (at least not frequently!) , and I would imagine that it might be useful. You wouldn't necessarily know which CYCLE you're on, either, but again that might be compensated for somehow. 
If your computer were talking, locally, to another computer at 4100 baud (? whatever) (7 bits per symbol(?); equals 28.8kbps) you could "easily" agree on a particular cycle relationship, which is going to be essentially constant over a distance of a few tens or even hundreds of miles. What I DON'T know (and some HV transmission engineer will probably be able to tell me, hint hint!) is how STABLE this phase is across the entire country? I realize that this will probably depend on who's shipping excess power to whom at the moment, but I'd imagine the variability will be distinctly limited. The biggest attraction of such a system is that the interface would probably be trivial: Getting it from the P/S is out because they didn't anticipate such a thing. The easiest interface might be an AC wall xformer with a rectifying limiter and slicer (Okay, maybe just a resistor and a diode, possibly with the addition of a comparator for precision), driving a readable pin on an otherwise-unused RS-232 interface. (Possibly installed similar to a dongle.) Appropriate software (yucch!) would read the square waves, and record the phase at any one time. Such information could be used to verify the relative synchronization between two different computers, although it would be necessary to identify particular phases, as I mentioned before. BTW, if you've read this far, I think it would be appropriate to introduce myself, despite the fact that I've already been posting to this area for a few weeks. I'm James Dalton Bell (yes, THOSE Daltons!) and I'm in Vancouver, Washington, USA. I may talk like a EE, but am not; I have formal and/or informal backgrounds in Chemistry (BS Chemistry MIT 1980), electronics (analog and digital and RF (N7IJS) and uP), physics, and keep an eye on numerous other technical fields. Politically, I'm 120/120 on the Nolan chart (there's some questions they left out (that's a joke)) which means I'm an "extremist libertarian."
I'm also rather newly anarchistic, and (with all due modesty) rather inventive. Current employment? None. Well, nothing to speak of. But you'll be hearing more about me.

Jim Bell

Klaatu Burada Nikto

Remember this. It'll become important, soon.

"Something is going to happen. Something....wonderful!"

From s1018954 at aix2.uottawa.ca Fri Jan 26 17:55:15 1996
From: s1018954 at aix2.uottawa.ca (s1018954 at aix2.uottawa.ca)
Date: Sat, 27 Jan 1996 09:55:15 +0800
Subject: Doctor Denning
In-Reply-To:
Message-ID:

On Fri, 26 Jan 1996, Weld Pond wrote:
> I found this interesting too. I was waiting for the reason it wasn't
> inevitable but it never came. Denning seems willing to predict a future
> where there are no more technical advances in fields like steganography and
> dc nets.

Or for that matter that the present ones will never get implemented.

Poor prof Denning...It strikes me as though her essay is a close relative of "Reefer Madness", a supposedly hilariously rabid (I'm told) anti-pot video which only potheads ever bother watching. The only people who will read her webpage are us cypherpunks. Should by some randomly-generated act of pot luck, anyone other than us read her ~38 pg. rant, that person (non-LEA, of course) will probably be entertained enough to join the list and read Tim's writings (only a search engine away).

It is also convenient that most of the search engines list multiple occurrences of the list archives, every time a search on cryptography keywords is performed. (The archives don't list the majordomo address, could this be the reason why we constantly get so many "subscribe me!" posts? Waaay to go Dorothy!)
Somehow, I don't think her choice of medium is going to get her very far. I wonder what a second edition of her crypto book would look like.

From anon-remailer at utopia.hacktic.nl Fri Jan 26 18:01:27 1996
From: anon-remailer at utopia.hacktic.nl (Anonymous)
Date: Sat, 27 Jan 1996 10:01:27 +0800
Subject: No Subject
Message-ID: <199601270054.BAA12525@utopia.hacktic.nl>

Jim Bell writes:
>While this would normally be my cue to offer up my "Assassination Politics"
>idea, which (if presumed to be correct) would stabilize "anarchy" and
>prevent "lawlessness and social disorder" (at least as normally seen by the
>average reader) I think that under the circumstances that would be redundant
>here.

I'm not *sure* that your Assassination Politics trip is the worst piece of tripe I've ever seen on the list, but if it's not, it's right up there.

Those of us who are anarchists are often that way because we think the *means* the State uses are evil, not to be excused by any amount of mumbo-jumbo. And you gleefully propose to let us *all* in on the immoral game of murdering those who annoy us sufficiently. I'll pass.

You know, if I were constructing an agent provocateur, I'd want a persona who's willing to be loudly clueless with ideas that show minimal or non-existent awareness of basic human hopes and fears, like security from random hit-squads. I'd have him go on and on with his ideas, until eventually they can be splashed all over headlines and used to discredit the whole realm of privacy protection.

But no, I don't think you're an agent. More fool you, you're willing to do the government's disinformation work for it without even thirty pieces of silver or a 401K.

At this point I recommend to you the 12-step program I explained to Vladimir.

Signed,
A Friend

From dlv at bwalk.dm.com Fri Jan 26 18:05:36 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Sat, 27 Jan 1996 10:05:36 +0800
Subject: Can't be THAT Fred Cohen :-)
In-Reply-To: <960126080515.ZM21151@scherg>
Message-ID:

From: gary.schermerhorn at nyapps01.gsam.gs.com (Gary Schermerhorn)
Date: Fri, 26 Jan 96 08:13:56 EST
Message-Id: <960126080515.ZM21151 at scherg>
Subject: Question

Does anybody know a consultant named Fred Cohen? I'm doing some background work. Please get back to me if you know him.

--
Gary Schermerhorn (scherg at gsam.gs.com)
Goldman Sachs Asset Management
1 New York Plaza, 42nd Floor
(212) 902-3344 (phone), (212) 428-1008 (fax)

From llurch at networking.stanford.edu Fri Jan 26 18:07:38 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 27 Jan 1996 10:07:38 +0800
Subject: "Gentlemen do not read each other's mail"
In-Reply-To: <199601262228.RAA21968@jekyll.piermont.com>
Message-ID:

On Fri, 26 Jan 1996, Perry E. Metzger wrote:
> jim bell writes:
> > (For the historically-impaired: Coventry was/is an English town (small
> > city?) perhaps most famous from the Lady Godiva legend...but I digress...
> > British found out, I guess through Ultra, that it was going to be bombed.
> > Telling the inhabitants would have saved many lives, but (possibly) alerted
> > the Germans that Enigma had been broken. British made the correct choice:
> > Let the city get bombed without (much?) warning. The value of keeping the
> > broken-ness of Ultra a secret far outweighed the value of Coventry.)
>
> The current claim is that, in fact, there was no advance warning about
> Coventry and that the claims that there was are unsubstantiated.

Yeah, far be it from me to debunk an urban legend, but that's what I read too.

It is true that there is often more going on than meets the eye, but it is no less true that it's usually not what you imagine. Sure the Brits might have received credible reports that Coventry was going to be bombed, and sure the US might have received credible reports that Pearl Harbor was going to be bombed.
But they also received credible reports to the contrary, and decisions were made.

Try working for a newspaper or a hospital some time. You'll hear all sorts of crazy stories, only a few of which are true. It's hardly obvious which those are. I'm sure the TLAs get even crazier stuff.

I do not believe that the CIA that failed to find Aldrich Ames and was cut out of Iran/Contra as unreliable is not capable of half the things it has been accused of. There have been a lot of well-documented and acknowledged cases like Operation Success (Guatemala), but the rest is just speculation, or worse, an Oliver Stone movie.

-rich

From nobody at REPLAY.COM Fri Jan 26 18:08:18 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Sat, 27 Jan 1996 10:08:18 +0800
Subject: weak cryptoanarchy
Message-ID: <199601270114.CAA15160@utopia.hacktic.nl>

Some non-cypherpunks seem afraid of Tim May's cryptoanarchy, which, to quote Dr. Denning's recent paper, "suggest the impending arrival of a Brave New World in which governments, as we know them, have crumbled, disappeared, and been replaced by virtual communities of individuals doing as they wish without interference."

Perhaps these people are worrying needlessly. I don't think cryptoanarchy (in this strong form) is a likely scenario for the future. Even if strong cryptography and anonymous transaction systems are used by everyone, governments can continue to control people's physical actions and properties. The physical world will continue to exist, even if it becomes relatively less important.

I think a better prediction for the implications of strong crypto is what I would call "weak cryptoanarchy." That is, cryptography will allow virtual communities the option to exist without the possibility of interference by force. Certainly some virtual communities, such as moderated discussion groups, will opt to have formal or informal governments.
The key is that people will have the choice of participating in communities where physical violence will be absolutely powerless.

Stated in this form, cryptoanarchy is hardly controversial. Plus, this weak form of cryptoanarchy has a much better chance of being realized, because it does not require the collapse of existing governments, only the creation of new communities without governments.

From adam at lighthouse.homeport.org Fri Jan 26 18:21:53 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Sat, 27 Jan 1996 10:21:53 +0800
Subject: More thoughts about digital postage (was Re: Digital postage and remailer abuse)
In-Reply-To:
Message-ID: <199601270143.UAA12629@homeport.org>

Alan Bostick wrote:
| People asked in earlier in this thread how remailers could issue digital
| postage stamps without being able to know who is using which stamp issued.
|
| One obvious approach is to use blind signatures. Rather than issuing
| a stamp to the user who requests/purchases it, the user could send
| an unsigned stamp, encrypted in an RSA envelope, to the remailer. The
| remailer would then blind-sign the envelope and return it to the user.
| The user then decrypts the envelope and has a stamp ready for use.

This is a lot of public key work for the remailer. Take a look at Shamir's Micromint scheme, and sell coins for ecash on the web. Micromint coins are easy to verify, and thus could be resold on people's web pages. They do have expiry dates though.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From adam at lighthouse.homeport.org Fri Jan 26 18:24:28 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Sat, 27 Jan 1996 10:24:28 +0800
Subject: Denning's Crypto Archy [LONG]
In-Reply-To: <2.2.32.19960126214239.006ca3fc@panix.com>
Message-ID: <199601270136.UAA12571@homeport.org>

Interesting reply, Duncan. Since you've addressed many of the points, I'll just add a few short points.
Duncan Frissell wrote:
| The Future of Cryptography
|
| Dorothy E. Denning
| Georgetown University
|
| Revised January 6, 1996
|
| [Responses by Duncan Frissell in square brackets]
| A growing number of people are attracted to the market liberalism envisioned
| by Jefferson, Hayek, and many others, but not to anarchy. Thus, the crypto
| anarchists' claims come close to asserting that the technology will take us
| to an outcome that most of us would not choose.
|
| [Still up for negotiation is how liberal a market we will want. The growing
| power of markets and (traditional) liberal ideas is the result of the

The term "crypto anarchy" is a label for a new, and still evolving school of thought. To take it to solely encompass anarchy as a result would be as false as assuming that Utilitarians only take utility in its restricted sense, and not pleasure into their calculations. Mill, in the first paragraph of chapter II of 'Utilitarianism' discusses the idea, that an idea, through its simple label, is dismissed.

| This is the claim that I want to address here. I do not accept crypto
| anarchy as the inevitable outcome. A new paradigm of cryptography, key
| escrow, is emerging and gaining acceptance in industry.

I would argue that it lacks industry acceptance, and the only acceptance is that of the lesser of evils, not a warm embrace.

Further, the idea that unfettered cryptography will lead to the end of the nation state, while embraced by both Denning and Frissell, is not obvious. There are many aspects of police work which will be continued, and continue to address many of the crimes that worry Dr. Denning. Undercover cops can partake in a grey or black market more easily when the tools of anonymity are available to all. If the market is for physical items, those items must be delivered.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From jims at conch.aa.msen.com Fri Jan 26 18:24:57 1996
From: jims at conch.aa.msen.com (Jim Schueler)
Date: Sat, 27 Jan 1996 10:24:57 +0800
Subject: Windows PGP mail reader
Message-ID: <4eaksb$6i9@recepsen.aa.msen.com>

Hi. Can anyone recommend a Windows based email/POP3 reader that can decrypt content?

Please reply via email:

Jim Schueler
jims at msen.com

From EALLENSMITH at ocelot.Rutgers.EDU Fri Jan 26 18:54:00 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 27 Jan 1996 10:54:00 +0800
Subject: Edited Edupage
Message-ID: <01I0HAOP4B58A0UOQG@mbcl.rutgers.edu>

From: IN%"educom at elanor.oit.unc.edu" 25-JAN-1996 23:36:37.75
Subj: Edupage, 25 January 1996

>*****************************************************************
Edupage, 25 January 1996. Edupage, a summary of news items on information technology, is provided three times each week as a service by Educom, a Washington, D.C.-based consortium of leading colleges and universities seeking to transform education through the use of information technology.
*****************************************************************

INSECURITY FEARS
A North American study on Internet security by Ernst & Young says that companies fear doing business via the Internet. Companies with a direct Internet connection are concerned that outsiders can gain access to their systems and data bases, and companies that transmit sensitive financial information worry about the security of these transactions. (Toronto Globe & Mail 25 Jan 96 B5)
--------------------
If they're actually seriously becoming paranoid about this, it's an opportunity to press cryptography. Anyone seen the original study?
--------------------

>TELECOM "GIVEAWAY" CONTROVERSY MAY BE DEFERRED
Senate Commerce Committee chair Larry Pressler (R., SD) is suggesting that a controversial provision of the telecommunications legislation be removed from that legislation and addressed in a separate bill.
The provision has been attacked by Senator Bob Dole and other Republicans as a "giveaway" of valuable airwave spectrum to TV broadcasters for uses such as high-definition television. (New York Times 25 Jan 96 C6)
---------------------
Looks like another anti-"CDA" campaign may soon be necessary.
-Allen
---------------------

Edupage is written by John Gehl (gehl at educom.edu) & Suzanne Douglas (douglas at educom.edu). Voice: 404-371-1853, Fax: 404-371-8057.

***************************************************************
EDUPAGE is what you've just finished reading. (Please note that it's "Edupage" and not "EduPage.") To subscribe to Edupage: send a message to: listproc at educom.unc.edu and in the body of the message type: subscribe edupage John Lewis (assuming that your name is John Lewis; if it's not, substitute your own name). ... To cancel, send a message to: listproc at educom.unc.edu and in the body of the message type: unsubscribe edupage. (Subscription problems? Send mail to educom at educom.unc.edu.)

ARCHIVES & TRANSLATIONS. For archive copies of Edupage or Update, ftp or gopher to educom.edu or see URL: < http://www.educom.edu/>. For the French edition of Edupage, send mail to edupage-fr at ijs.com with the subject "subscribe"; or see < http://www.ijs.com >. For the German edition, an e-mail to infomat at stern.de with the subject or text line "STERN Online Edupage" suffices. For the Hebrew edition, send mail to listserv at kinetica.co.il containing : SUBSCRIBE Leketnet-Word6 or see < http://www.kinetica.co.il/newsletters/leketnet/ >. For the Hungarian edition, send mail to subs.edupage at hungary.com. For the Italian edition : < http://dbweb.agora.stm.it/webforum/infotech > or send mail to: b.parrella at agora.stm.it. for info. For the Portuguese edition, contact edunews at nc-rj.rnp.br with the message SUB EDUPAGE-P Seu Primeiro Nome Seu Sobrenome.
For the Spanish edition, send mail to edunews at nc-rj.rnp.br with the message SUB EDUPAGE-E Su Primer Nombre, Su Apellido.

From alanh at infi.net Fri Jan 26 19:01:06 1996
From: alanh at infi.net (Alan Horowitz)
Date: Sat, 27 Jan 1996 11:01:06 +0800
Subject: "Gentlemen do not read each other's mail"
In-Reply-To:
Message-ID:

> In fact, before FDR, wage income was taxed; however, it was one large
> check at the end of the year (or the beginning of the next, really).

I think this is wrong. Read the definition of "income" before the WWII. Wages were considered to be an equal exchange for labor services rendered, not a "gain" (income).

> The high cost of WW II made it a necessity for the gvm't to have more
> money at a particular moment, and not wait for year-end.

Not so. Govt has been able to print fiat money at will since the Fed Reserve was founded in 1913.

> the income tax was passed; however, the income tax (and wage income was
> most certainly taxed) was AFAIK implemented by the end of the 19th century.

That income tax was overthrown by the Supreme Court as not being apportioned amongst the states, as required by the Constitution.

Technically, the income tax is an excise, not a tax. They aren't the same.

From llurch at networking.stanford.edu Fri Jan 26 19:02:44 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 27 Jan 1996 11:02:44 +0800
Subject: weak cryptoanarchy
In-Reply-To: <199601270114.CAA15160@utopia.hacktic.nl>
Message-ID:

I don't think anarchy is the right word anyway. Anarchy is such a clumsy word, with so many misuses. It's supposed to mean lack of rule, but I don't think most people (even Tim) want to throw away all the rules; they just prefer consensus, balance of power, and self-regulation. Maybe autoarchy or symarchy.

I find the distinction between government and non-government power centers fallacious. All kinds of associations make rules, which are normally followed, sometimes punished.
The only formal distinction I can think of is that government bodies are supposed to have a monopoly on the legitimate use of violence.

This distinction is blurring again, and not (just) by the increase of random violence, which normal folks are afraid of. People are becoming more civilized, and no longer believe that many of the violent things that governments used to do habitually are legitimate anymore. Nobody does ritual sacrifice to the ruler-god-king; few would now endorse locking the King's estranged wife in a tower, or killing her; fewer and fewer believe that war is glorious.

On the other half of the walnut, non-government power centers now have powers formerly reserved only to governments. Private security guards assume some of the role of the police, and corporate espionage and counter-espionage is getting more and more interesting. "Superstars" in all fields have interesting powers over other people.

We're not seeing a net decrease in the forces impinging on the individual, but rather a broader distribution, which might even be an increase.

Let's call those half-developed ideas my $0.01.

-rich

From tcmay at got.net Fri Jan 26 19:03:45 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 27 Jan 1996 11:03:45 +0800
Subject: weak cryptoanarchy
Message-ID:

At 1:14 AM 1/27/96, Anonymous wrote:

>I think a better prediction for the implications of strong
>crypto is what I would call "weak cryptoanarchy." That is,
>cryptography will allow virtual communities the option to exist
                         ^^^^^^^^^^^^^^^^^^^
>without the possibility of interference by force. Certainly some
>virtual communities, such as moderated discussion groups, will
>opt to have formal or informal governments. The key is that
>people will have the choice of participating in communities
>where physical violence will be absolutely powerless.
>
>Stated in this form, cryptoanarchy is hardly controversial.
>Plus, this weak form of cryptoanarchy has a much better chance
>of being realized, because it does not require the collapse of
>existing governments, only the creation of new communities
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>without governments.
 ^^^^^^^^^^^^^^^^^^^

The paper which Prof. Denning was responding to was my paper, "Crypto Anarchy and Virtual Communities."

Seems like I anticipated your point.

--Tim May

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From lharrison at mhv.net Fri Jan 26 19:16:04 1996
From: lharrison at mhv.net (Lynne L. Harrison)
Date: Sat, 27 Jan 1996 11:16:04 +0800
Subject: FWD: Internet e-mail
Message-ID: <9601270226.AA18376@mhv.net>

-----BEGIN PGP SIGNED MESSAGE-----

The following was posted to another list. Has anybody heard about this? [Gee, I _wonder_ if there will be escrowed keys...]

******Begin Forwarded Message*********

>I just read in "legal.online" that the Postal Service plans to provide
>secure email service. It will include encryption plus offer U.S. mail fraud
>protection. Of course there is no estimate on cost.

Regards -
Lynne

*******************************************************
Lynne L. Harrison, Esq.  | "The key to life:
Poughkeepsie, New York   |   - Get up;
E-mail:                  |   - Survive;
lharrison at mhv.net     |   - Go to bed."
*******************************************************

From alanh at infi.net Fri Jan 26 19:20:56 1996
From: alanh at infi.net (Alan Horowitz)
Date: Sat, 27 Jan 1996 11:20:56 +0800
Subject: Time codes for PCs (fromn German Banking)
In-Reply-To:
Message-ID:

You are laboring under a false impression if you think it is easy to keep synched to an outside source to closer than, say, a millisecond. It isn't a turnkey deal. Cesium-beam clocks and GPS constellations notwithstanding.

Alan Horowitz
alanh at norfolk.infi.net

From townsend at smokin.fly.net Fri Jan 26 19:22:10 1996
From: townsend at smokin.fly.net (Chris Townsend)
Date: Sat, 27 Jan 1996 11:22:10 +0800
Subject: Time codes for PCs (fromn German Banking)
In-Reply-To:
Message-ID:

On Fri, 26 Jan 1996, jim bell wrote:

> (BTW, if anybody knows how to easily connect it to the pc, or has the
> appropriate software, please tell me The task isn't difficult from a
> hardware standpoint; it's just RS-232 serial ASCII timecode at about 9600
> bps which
> either continuously retransmits or on request. The problem is the software:
> How, exactly, do I INTERFACE such a serial input to the existing computer/RTC
> combination? (Don't tell me to plug it into an unused serial jack! I'm not
> stupid. I'm not a programmer, and I don't play one on TV! (I know
> gates, flops, op amps, A/D, D/A, microprocessor hardware design, even some
> Z-80 assy language, RF, and I've programmed in Fortran, Basic, APL, Algol,
> PL/1, Pascal, LISP, but not recently and I don't enjoy it!)

You'll probably want to look at the XNTP code at

ftp://louie.udel.edu/pub/ntp

There's plenty of good toys and code for time geeks, radio clock info, etc.
-cpt townsend at fly.net

From liberty at gate.net Fri Jan 26 19:29:08 1996
From: liberty at gate.net (Jim Ray)
Date: Sat, 27 Jan 1996 11:29:08 +0800
Subject: An Enigma - Wrapped In a Circle
Message-ID: <199601270257.VAA40304@osceola.gate.net>

-----BEGIN PGP SIGNED MESSAGE-----

In the January/February 1996 Mensa Bulletin on pages 9-10 is an article by Teresa Fisher titled "An Enigma Wrapped In a Circle." The article is about a phenomenon which has interested me for quite some time, "crop circles" or "pictograms." I have tried to find this excellent article on the web and failed, so I will quote a few parts of it I consider relevant. All typos are mine, Ms. Fisher is an excellent writer, and I have changed her well done presentation only for brevity and clarity.

If you think that this post has "no cypherpunk relevance" you can:

1. Flame me, in *private* e-mail. [I'll happily ignore you.]
2. Go hump a tree.

Article excerpts (in quotes) and my comments follow:

"In the late 1970s, farmers over the world were finding unexplainable, perfectly round, flattened areas in their grain fields. The flattened crops made irreproducible, layered swirl patterns. As time went on and crop circle incidents increased tremendously, the outlines of the formations became more complex and came to be called pictograms."

They appeared overnight, "[by 1990] some 2000 circles and pictograms had been formed all over the world. A large percentage...were showing up in a small area in southern England, mainly in Wiltshire Downs."

"Then, in 1991, two retired Englishmen named Doug Bower and Dave Chorley announced that they had been responsible for the crop circle phenomenon for the past 13 years."

The dim media swallowed this hook, line, and sinker; neglecting to question "how they created intricate, sometimes braided swirls, executed elaborate pictograms in the dark, and caused crop formations in 19 other countries besides England."
Brittle plants in the (non-hoaxed) circles were also bent in a way "that no investigator has been able to duplicate." Recent tests, including some at the Oak Ridge National Laboratories, show isotope changes in the soil, and differing biophysical and biochemical properties of the grain within the pictograms when compared to adjacent grain in the field. Gerald Hawkins was not fooled. He did "a systematic study of the geometry of the circles, and found ratios of small whole numbers that precisely matched the ratios defining the diatonic scale. Further statistical analysis revealed three other geometric theorems in the circle patterns, and he realized that all four theorems had a common thread that led to a fifth, more general theorem. His inability to find any of these theorems in Euclidean geometry or any of the math books he consulted caused him to conclude that whoever is making the circles had to not only know how to prove a Euclidean theorem, but also to conceive of an original theorem. Hawkins says that proving a theorem is easy; conceiving it in the first place is quite another matter." ["FN 6 Ivars Peterson, "Euclid's Crop Circles," *Science News* 141, No. 5, pp. 76-77."] In late 1991 in Ickleton "a perfect depiction of the mathematical configuration known as the Mandelbrot Set" appeared. ["FN 9 Beth Davis, *Ciphers in the Crops,* (Bath, England: Gateway Books, 1992)pp. 9-15."] I am now experiencing Tim's wish that I could draw in e-mail, as there is a diagram here of "a circle inside a triangle inside a ring inside a hexagon inside a ring." Don't even *try* to imagine it. The article points out that "NASA will be promoting the space program with a crop circle image and the slogan, 'We need to be out there.'" [Agreed, but with *tax* money?] Back to Ms. Fisher. "I have been amazed at the need many people have to dismiss this mystery. They will ignore all of the evidence to claim that the circles are being formed by weather or hoaxers. 
Neither claim stands up to even minimal scrutiny. I don't know what is causing crop circles to appear, but I'm certain it isn't being done by the wind or by an old man with a board. What do you think?"

I must add that anyone who has seen the cover of Robert Plant's "Now and Zen" album would have trouble believing that a couple of drunks from the pub down the street did _THAT_!

I do not know if "extraterrestrials" or "UFOs" are responsible for these images. [In my long-held opinion, governments tend to lie about UFOs (surprise!).] I do feel that these pictograms, these "Ciphers in the Crops," cry out for cryptanalysis, by someone far more adept at complex mathematics than I am. Results might well be felt worldwide.

Thoughts?
JMR

Regards, Jim Ray -- Boycott espionage-enabled software!

"He that would make his own liberty secure, must guard even his enemy from oppression; for if he violates this duty, he establishes a precedent that will reach to himself." - T. Paine

http://www.shopmiami.com/prs/jimray
_______________________________________________________________________
PGP key Fingerprint 51 5D A2 C3 92 2C 56 BE 53 2D 9C A1 B3 50 C9 C8
Public Key id. # E9BD6D35 IANAL
_______________________________________________________________________

From llurch at networking.stanford.edu Fri Jan 26 19:50:04 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 27 Jan 1996 11:50:04 +0800
Subject: [NOISE] Re: "Gentlemen do not read each other's mail"
In-Reply-To:
Message-ID:

On Fri, 26 Jan 1996, Alan Horowitz wrote:

> > In fact, before FDR, wage income was taxed; however, it was one large
> > check at the end of the year (or the beginning of the next, really).
>
> I think this is wrong. Read the definition of "income" before the WWII.
> Wages were considered to be an equal exchange for labor services
> rendered, not a "gain" (income).

I think you've been reading too many tax protester pamphlets without enough fresh air.

Try posting the above to misc.taxes or misc.legal and you'll get several detailed responses. Unfortunately, several will be wrong, because most knowledgeable people are turned off by the drivel, and the .moderated groups will reject postings on subjects that were long ago beaten to death.

> > The high cost of WW II made it a necessity for the gvm't to have more
> > money at a particular moment, and not wait for year-end.
>
> Not so. Govt has been able to print fiat money at will since the Fed
> Reserve was founded in 1913.

Er, yes, and fiat money means inflation. Real value takes real money.

> > the income tax was passed; however, the income tax (and wage income was
> > most certainly taxed) was AFAIK implemented by the end of the 19th century.
>
> That income tax was overthrown by the Supreme Court as not being
> apportioned amongst the states, as required by the Constitution.

And as a result, there was the 16th Amendment.

> Technically, the income tax is an excise, not a tax. They aren't the
> same.

? Never mind.
-rich

From tedwards at Glue.umd.edu Fri Jan 26 19:56:16 1996
From: tedwards at Glue.umd.edu (Thomas Grant Edwards)
Date: Sat, 27 Jan 1996 11:56:16 +0800
Subject: Denning's misleading statements
Message-ID:

I think the big bait-and-switch is her description of the various companies falling over themselves to get to _VOLUNTARY_ key escrow to avoid losing data and protecting themselves against employee problems versus _MANDATORY_GOVERNMENT_ key escrow to ensure that individuals cannot hide information from the government.

Key escrow is good. Key escrow against your will is bad.

-Thomas

From jimbell at pacifier.com Fri Jan 26 20:05:57 1996
From: jimbell at pacifier.com (jim bell)
Date: Sat, 27 Jan 1996 12:05:57 +0800
Subject: Crypto Exports, Europe, and Conspiracy Theories
Message-ID:

At 01:06 PM 1/26/96 -0600, Alex Strasheim wrote:
>
>Digicash is probably the first significant crypto product to be exported
>to America. It's not very popular yet, but I think that most of us here
>agree that it is, in potential at least, as significant as
>Mosaic/Netscape. It's important to note that this extremely important
>product couldn't have been produced here, patents aside. Transaction
>systems need to be international, and our rules make America an unsuitable
>place from which to launch transaction software.
>
>Will the NSA be able to stand up against growing economic pressures? I
>don't know. But it does seem pretty clear that those pressures are
>building all the time, and that the problem of suppressing crypto in 1996
>is a much tougher one than it was in 1986.
>
>In general, it's myopic and ill advised to focus on one factor --
>economics, politics, the national security establishment -- when trying to
>predict what will happen. I've probably been guilty of placing too much
>emphasis on money, and not enough on the NSA.
>
>We do seem to be winning, though.

Agreed. However, we will all REALLY win when anonymous-payer/anonymous-payee digital cash appears and is in common usage.
(or Digicash can be "munged" to make payee-anonymity possible, if not the norm.

From llurch at networking.stanford.edu Fri Jan 26 20:23:04 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 27 Jan 1996 12:23:04 +0800
Subject: Denning's misleading statements
In-Reply-To:
Message-ID:

On Fri, 26 Jan 1996, Thomas Grant Edwards wrote:

> I think the big bait-and-switch is her description of the various
> companies falling over themselves to get to _VOLUNTARY_ key escrow to
> avoid losing data and protecting themselves against employee problems
> versus _MANDATORY_GOVERNMENT_ key escrow to ensure that individuals
> cannot hide information from the government.
>
> Key escrow is good. Key escrow against your will is bad.

Yo. I especially enjoyed this sentence:

"Individuals would be allowed to develop their own encryption systems for personal or educational use without obtaining licenses, though they could not distribute them to others."

It's unclear whether it's OK to share books, algorithms, and source code; or if it is, what's the point?

Outlaw cryptography, and only cryptographers and outlaws will have cryptography.

-rich

From die at pig.die.com Fri Jan 26 20:26:06 1996
From: die at pig.die.com (Dave Emery)
Date: Sat, 27 Jan 1996 12:26:06 +0800
Subject: Time codes for PCs (fromn German Banking)
In-Reply-To:
Message-ID: <9601270353.AA07828@pig.die.com>

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Jim Bell wrote:
> At 11:11 PM 1/24/96 -0500, Dave Emery wrote:
> >>
> >> Was the person in the basement eavesdropping or actually performing a
> >> man-in-the-middle attack?
> >>
> > Very much the easiest way of doing this is a classic man in the
> >middle attack with two vanilla off the shelf modems and a vanilla off
> >the shelf central office simulator.
The modems would be tied more or
> >less back to back through two serial ports and software on a laptop in
> >the basement, one modem connected to the actual phone line to the central
> >office and the other connected to the local wires to the target's home
> >through the central office simulator. This way all traffic in both
> >directions would go through the modems and software on the laptop
> >allowing the connection to be taken over cleanly between packets, and
> >packets to be injected and deleted as needed. I believe that it would
> >not be hard to make such a MITM decode the DTMF dialing from the target
> >and dial the same number on its outgoing modem thus enabling the
> >MITM to passively relay modem calls it wasn't interested in spoofing.
> >And incoming modem calls could be similarly handled.
>
> A peripheral I've long wanted to see, commonly available: ACCURATE time,
> broadcast to the millisecond/microsecond/nanosecond, available from sources
> as varied as TV VIR's, FM subcarriers, and other sources, available as an
> easy input (via a peripheral card) to a computer.

Unfortunately even if the special software, delay checking protocols and accurate time distribution to support this was widely distributed around the net (which is a huge if) this would not do much against the kind of MITM I've hypothesized in many real world modem situations. The propagation delay of the telephone network (particularly inter-LATA long distance) can vary considerably as calls can be routed via all sorts of paths including some involving large detours - the delay through the MITM would certainly be detectable but not necessarily obvious compared to the variability in telco network timing (and circuit quality) from call to call.
Also the delay through modems is quite variable depending on who wrote the firmware (eg the modem brands on both ends of the link), what speed and signalling parameters the modem has negotiated, whether or not compression is enabled (and how compressible the data is) and what parameters for it are selected, and how good the line is. The last is very important, on a poor line with ARQ error control enabled LAPM packets may be retransmitted more than once adding intermittent longer delays and from time to time retraining may occur adding even longer delays. This would make establishing alarm limits for delay that would trip on the hypothetical MITM reliably and not go off on random variations from connection to connection very difficult.

And one does not need accurate time of day to measure link propagation times - if one is running TCP/IP or most variants of it there is a built in low level echo function (the ICMP echo, used by the unix ping command and traceroute) that allows one to send a packet and get back an (usually) immediate echo from each router in the path and the path endpoint. If one is running plain VT100 type in, the character echoing is usually done promptly by the host and echo delays can be measured as one types and gets back characters. Worst case is running some sort of vanilla ASCII text (VT100) or proprietary binary protocol via a dial in X.25 or similar PAD (such as provided by Compuserve, Prodigy and Netcom for most of their dial-ins). Here most or all echoing is via the providers network from a distant host and may be both long delayed compared to MITM delays and quite variable due to network loading.

There is some glimmer of hope, however with current crop of V.34 (28.8kb) modems, most of them have commands to report the link analog characteristics and one of the standard reported items is the delay to the far end modem. If this is almost 0 ms for a call to the other coast one can and should get very suspicious.
Unfortunately, a more sophisticated MITM that would defeat this check than the one I hypothesized could be built using a vanilla stereo sound card to add appropriate delay by digitizing the line signal and delaying it in memory before spitting it out the other channel to the local listening modem.

Perhaps the best defense for the paranoid is to make sure that all the obscure low speed modes, voice calls on the line, and things like fax transmission work reliably and as they should - but even this can be defeated with a slight increase in MITM sophistication, and in any case this kind of MITM is presumably targeted at hit and run attacks on the unsophisticated who would presumably not know how to check for this stuff.

All of this just emphasizes the need for strong message authentication best done with crypto technology, and for secure end to end encryption of virtual circuits used by many common character by character (such as telnet and VT-100 connections) or packet by packet transactions that use authentication only done up front (avoiding the hijacking problem where the link is authenticated by something at the beginning of the session such as a password or challenge/response protocol and then taken over (perhaps only momentarily) by an intruder).

>
> I have a 12-year-old Heathkit "Most Accurate Clock" that I assembled myself,
> and had the foresight to install it with its computer interface option.
> (receives 5, 10, or 15 MHz signals broadcast from Boulder, Colorado,
> containing "exact" time.)

I have some more comments on time I'll send you in email as they are (worse) noise to the list....
Dave Emery die at die.com
>

From llurch at networking.stanford.edu Fri Jan 26 20:35:25 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 27 Jan 1996 12:35:25 +0800
Subject: Why key escrow is good (was Re: FWD: Internet e-mail)
In-Reply-To: <9601270226.AA18376@mhv.net>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

[I'm sure all the points I'm making are really old news, but the fact remains that I do not see distributed private key escrow applications, infrastructure, or advocacy, and I think there should be some.]

On Fri, 26 Jan 1996, Lynne L. Harrison, Esq. wrote:

> The following was posted to another list. Has anybody heard about this?
> [Gee, I _wonder_ if there will be escrowed keys...]
>
> ******Begin Forwarded Message*********
> >I just read in "legal.online" that the Postal Service plans to provide
> >secure email service. It will include encryption plus offer U.S. mail fraud
> >protection. Of course there is no estimate on cost.

Of course it will be escrowed. It will probably have other back doors too. The customers will demand it.

Most normal people don't want unescrowed strong cryptography. If they forget their password, they want a way to get their stuff back. If they die, they don't want their thoughts to die with them. They don't plan to commit a major felony or, worse, run for public office, so the prospect that a government (or someone else) will subpoena or strong-arm the keys isn't a serious problem.

I see no problem with this. The problem is *government* key escrow, especially *exclusive* government key escrow, which has none of the recoverability benefits that the average clueless user would want associated with key escrow.

I'd like to see strong crypto that supports distributed key escrow by default (of course there should be a way to turn it off). Give parts of your key to, say, ten people, and require that eight must concur in order to break into your stuff.
I would have few objections to a *properly drafted* law requiring widely distributed key escrow *for certain applications*. It's certainly bad to require escrow in two Federal clearing houses, and we'd have to think hard about requiring that key escrow agencies be licensed and regulated. In order to intercept my private communications, the government would need to subpoena the people I trust, not itself.

I'd feel secure, and in fact *better* than I feel about unescrowed strong crypto, if my private stuff could be cracked by either myself in good mind and body, or a combination of at least eight of:

1. My boss
2. My best friend
3. My parents
4. The FBI (they get *one*, and the reason is to make it tougher for nasty non-government bodies to strong-arm enough parts of my key)
5. The California Department of State (as above)
6. The Cypherpunk Escrow Agency in Berkeley
7. The Cypherpunk Escrow Agency in the Cayman Islands
8. The corner 7-11
9. Mail-order Escrows-R-Us
10. TRW

Gives a whole new meaning to the term "web of trust." By offering a piece of your key, you're entrusting a part of your life; and by accepting a piece of someone's key, you're agreeing to defend it with yours (life or key, whatever -- presumably you would encrypt the keys you're escrowing in your own escrowed key, which can be brute-forced in several ways).

I'd like to see spring up a whole industry of both mom & pop and institutional key escrow agents.

In a way, it's kinda like those silly cryogenics people who freeze their heads in the hopes of rising from the dead. The only way my private thoughts can survive my death, senility, or a really sharp blow to the head is escrow. And *I* think that at least some of the things I would normally keep to myself are worth preserving. Sure the world would survive without them, but we're talking about my ego here.
- -rich

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMQmiWo3DXUbM57SdAQEHMwQAoKZp0z7vEEGc9tPaXHfjcWGTu5kX4ImD
xMCcOvZK73GSPzqLhHGi0fiC41mGi9tueCpqVDyzoSSrzhqxE9xepUw+LFU2sypJ
KOMAVxC3AcKcRLru8Qb0WBTSZqtzvWxGBrBUq3xRnMt5FUz/RqDKtsOb2iC2F6gI
PlLmhki4wvI=
=KKyf
-----END PGP SIGNATURE-----

From dlv at bwalk.dm.com Fri Jan 26 20:37:59 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Sat, 27 Jan 1996 12:37:59 +0800
Subject: Wipe Swap File
In-Reply-To:
Message-ID:

(This came in on Sunday and I mislaid it, sorry)

jim bell writes:

> >Jim Bell mentioned the trick of hiding information into 'extra' tracks and
> >sectors not used by the usual DOS formatting. It's very old too.
>
> Actually, I think it wasn't really used initially for "data hiding"
> purposes. I'm talking about the early days of CP/M and other such systems,
> circa 1977 and such, when individuals "discovered" that floppy drives had no
> hard mechanical stop past the "last" good track, and they "stole" a few
> percent of extra capacity from a floppy by simply ignoring the recommended
> "last" track. Naturally, it would work okay on some drives but not on
> others... which is why it was a bad idea.

All the 360K 5.25" drives I've ever tried were capable of going to track 43 reliably (regular PC DOS format used 40). But I've come across too many 1.44/3.5" drives that don't go beyond 80. Can't count on it. However...

> In addition, I also discovered that it was possible to put a few more than
> 26 sectors on each track of an 8" single-density (240 kilobytes!) floppy
> disk. The main problem with using
> these "tricks" is that the floppy had no method of conveying formatting
> information to the system it was in, which meant that any floppy using this
> trick was by definition non-standard. ("feature" or "bug" depending on your
> goal...)

It's possible to squeeze more sectors on 5.25" and 3.5" disks too, especially if you specify shorter gaps. It's also possible to vary sector size.
When I read the above paragraph, I thought momentarily: it takes A LOT of bytes to specify the format of a floppy disk. Could one use this as a kind of encryption? I.e., the key would be the format specs, and it would have to be supplied to the device driver before it could read the actual data from the floppy. Unfortunately, I think a clever analysis of the disk with just the regular FDC can tell you a lot about the formatting (i.e., the number and the size of the sectors, and even their physical order).

> I started building my own 12.5 MHz Z-80 -based CP/M system in 1978, fully
> designed and wire-wrapped by myself, and wrote my own BIOS. (Used a WDC
> 1791 FDC) Had total
> control. I didn't try this trick even then because of compatibility
> reasons, but one thing I _DID_ do was to write a floppy formatter that
> "undid" the 6-sector skewing that standard CP/M had to do to keep up with
> the data read/write. (in other words, I physically re-skewed the sector
> numbering to make the next "desired" sector come faster...) I ended up with a
> effective skew-factor of 2. Even a skew factor of 1 worked on my system (no
> skew at all), but the problem was that when I gave the most extreme of these
> oddly skewed floppies to my friends with 8" floppies, they took A LONG TIME
> to read the data! (Their systems always missed the next sector because their
> systems were too slow, so they only ended up being able to read one sector
> per disk rotation.)

This is extremely cool indeed.

Trivia question: is it true that the reason why a lot of hard disks have a prime number of sectors per track (like 17) is so that you can use different interleave factors (which have to be relatively prime to the # of sectors)?

> All this helps to explain why I asked if PGP had ever been ported to CP/M.
> Nostalgia!

Only a few weeks ago I gave away a NEC V20 motherboard capable of running CP/M. (I recall running CP/M on it at some point. Of course, its main purpose was being an 8088 clone.)
Why not. :-) It would be even cooler to port PGP to BESM-6. (How many people on this list have ever used a BESM-6?)

---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

From tim at dierks.org Fri Jan 26 20:47:09 1996
From: tim at dierks.org (Tim Dierks)
Date: Sat, 27 Jan 1996 12:47:09 +0800
Subject: The French do some things right...
Message-ID:

At 9:01 PM 1/26/96, Timothy C. May wrote:
>The French seem to have partially done this. Francois Mitterand had a
>mistress? Who cares? They take it for granted that people are people, with
>human foibles and weaknesses.

Of course, aside from censoring photos and a book that happened to talk about the fact that he had cancer. I think it's just a different set of sensitivities.

- Tim

Tim Dierks - Software Haruspex - tim at dierks.org
If you can't lick 'em, stick 'em on with a big piece of tape. - Negativland

From townsend at smokin.fly.net Fri Jan 26 20:56:13 1996
From: townsend at smokin.fly.net (Chris Townsend)
Date: Sat, 27 Jan 1996 12:56:13 +0800
Subject: [MORE IRRELEVANCE] Re: "Gentlemen do not read each other's mail"
In-Reply-To:
Message-ID:

Gawd, I hoped this would die but I just have to get a dog in on this now....please excuse

On Fri, 26 Jan 1996, Alan Horowitz wrote:

>
> > In fact, before FDR, wage income was taxed; however, it was one large
> > check at the end of the year (or the beginning of the next, really).
>
> I think this wrong. Read the definition of "income" before the WWII.
> Wages were considered to be an equal exchange for labor services
> rendered, not a "gain" (income).

Sixteenth Amendment, ratified 1913. I believe it was introduced as the Simmons Tariff? 1% on incomes over a few k, incremental to 7% for something like 500k. One big check. And income meant the same thing it does now, you know, the numbers without the minus signs:

Funk & Wagnalls, 1913 (sorry, no URL)
1.
The amount of money coming to a person or corporation within a specified time or regularly (when unqualified, annually), whether as payment for services, interest, or profit from investment; revenue.

Webster's 2nd International, 1954 (still no URL, not for the 2nd...)
4. That gain or recurrent benefit (usually measured in money) which proceeds from labor, business, or property; commercial revenue or receipts of any kind....

Now, granted, Funk & Wagnalls went to press before there was such a thing as an income tax...so it's possible that for thirty two years income meant something different, and reverted....

>
> > The high cost of WW II made it a necessity for the gvm't to have more
> > money at a particular moment, and not wait for year-end.
>
> Not so. Govt has been able to print fiat money at will since the Fed
> Reserve was founded in 1913.

Actually, no, they could print fiat money whenever they damn well pleased, same as ever. Reserve notes were originally 60/40 third party (paper) loans to federal gold. True, all of a sudden it was Uncle Sam's name on the notes, but it wasn't just ink.

> Technically, the income tax is an excise, not a tax. They aren't the
> same.
>

!!!?? Aren't they? Maybe a little bit of squares-rectangles business, but, if so, all excises are taxes....

Websters: ex'cise
2. An inland duty or impost levied upon the manufacture, sale, or consumption of commodities within the country. [...]
In the United States the usual excise is a tax on the inland manufacture, sale, or consumption of commodities or for licenses to follow certain occupations, and these taxes are usually called internal revenue taxes

wheee,
cpt
townsend at fly.net

From jimbell at pacifier.com Fri Jan 26 21:07:08 1996
From: jimbell at pacifier.com (jim bell)
Date: Sat, 27 Jan 1996 13:07:08 +0800
Subject: Anonymous trashing of Assassination Politics
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

[on cypherpunks at toad.com]

At 01:54 AM 1/27/96 +0100, Anonymous wrote:
>Jim Bell writes:
>
>>While this would normally be my cue to offer up my "Assassination Politics"
>>idea, which (if presumed to be correct) would stabilize "anarchy" and
>>prevent "lawlessness and social disorder" (at least as normally seen by the
>>average reader) I think that under the circumstances that would be redundant
>>here.
>
>I'm not *sure* that your Assassination Politics trip is the worst piece of tripe I've ever seen on the list, but if it's not, it's right up there.

I notice that you responded through an anonymous remailer, and didn't even use a nym. This is strange. If anything, the people who criticize my idea seem to be under the illusion that it is _I_ who should be embarrassed for proposing it, and in fact vociferously promoting it. "Those of you" who object to it should be the ones who are "proudly" taking the "moral high ground" and thus should be happy to identify yourself and defend your position.

Even if, arguably, you invented the fiction that you feared for your life trying to argue with people like me, nothing prevents you from developing a stable nym and arguing your position using it, secure in the knowledge that your body is safe from attack. Your arguments would still be subject to sudden death, however.

>Those of us who are anarchists

What?!? You imply that you are an anarchist, yet you don't approve of a system which might not only produce anarchy, but in fact in record time?
Well, EXCUUUUUUUUSE MEEEEEE! Sorry to put you out of a "job."

> are often that way because we think the *means* the State uses are evil, not to be excused by any amount of
>mumbo-jumbo.

I think the state's ENDS are evil, too, not merely their MEANS.

> And you gleefully propose to let us *all* in on the immoral game of murdering those who annoy us
>sufficiently.

Actually, if you followed my arguments carefully, you will notice that my position is most accurately described by pointing out that I _could_not_ keep you from participating in this "immoral game", even if I wanted to.

For the record, I suspect some people who are total pacifists view the rest of us, those willing to use violence to defend ourselves, as "immoral."

>I'll pass.

Others won't.

>
>You know, if I were constructing an agent provocateur, I'd want a persona who's willing to be loudly clueless with ideas that show minimal or non-existent awareness of basic human hopes and fears, like security from random hit-squads. I'd have him go on and on with his ideas, until eventually they can be splashed all over headlines and used to discredit the whole realm of privacy protection.

Aha! You're implying (actually, implying is an understatement here) that I am an "agent provocateur." Naturally, it would be useless to deny this (although, for the record, I will deny it), because anybody who was convinced of its truth wouldn't expect me to tell the truth anyway.

But hey, let's put it up for a vote. How many people out there believe that I am an "agent provocateur"? C'mon people, don't be shy, you've seen my prose. What do the rest of you think?

>But no, I don't think you're an agent.

Good! I'd hate to argue with a person who didn't realize I am SERIOUS.

> More fool you, you're willing to do the government's disinformation work for it without even thirty pieces
>of silver or a 401K.

To be perfectly honest, I did a lot of soul-searching in early 1995 about whether I should publicize my ideas.
No, it wasn't because I was AFRAID that it might happen. I _WANTED_ it to happen. Every little bit. Every government on the face of the earth, to come crashing down in a heap. Complete, total, absolute anarchy. (But not the "anarchy" that most people are pre-programmed to think of...) No more governments, no more borders, no more taxes, no more holocausts, no more wars, no more politicians. Forever and ever and ever.

Rather, I was fearful that by publicizing the idea, I might end up PREVENTING it from occurring. You know, by giving the governments advance warning about what was going to happen, I might actually help them prevent it. That worried me, a lot.

But eventually, I made my decision. After a huge amount of thought that some day I might be inclined to relate. However, if I'd REALLY wanted to PREVENT this, I would have alerted the government secretly, so that they could manipulate things behind the scenes, secretly, to prevent this "crypto/digicash/internet anarchy."

_That_ I did not do. I publicized it, allowed it to be criticized and therefore "perfected" (not that it's "perfect, by any means!) it, and I'm now promoting it the best way I know how. And with all due modesty, it's getting a pretty good reception, considering how extreme and drastic it initially might appear.

Part of my reasoning was that unless I engaged in the absurd conceit of believing that I was, cumulatively, smarter than everyone currently in the government, I had no choice but to conclude that the government was already aware of the potential problem. And if that were the case, they were, at that very moment, working desperately to PREVENT what I wanted, desperately, to ACHIEVE. At that point, I made the choice of forcing the government's hand.

>At this point I recommend to you the 12-step program I explained to Vladimir.
>
>Signed,
>A Friend

Recommendation: If you really want to be taken seriously, use your real name or at the very least generate a stable nym.
Preferably, with messages signed by the nym's public key. Without it, you are a silly, unbelievable ass. Even with it, you may STILL be a silly, unbelievable ass, but at least people would pay more attention to you.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMQmqKPqHVDBboB2dAQGW6wP/Vjrmoj16SaBZwvoUa8Sxx3VLJTKEwxLx
LOCs2zIl+Ahwr3R6IMw4y6VsESszYUz+271k1+rVVDf3GrxvlqJFyTRL2KeFltp2
fWosOD03X3Yneg8Ocg6oainIiiG+TLUkTqarddT+6VIoImmmWsFk4Yf+eG0OoEJc
NgawkFoSokg=
=Xs7A
-----END PGP SIGNATURE-----

From ses at tipper.oit.unc.edu Fri Jan 26 21:40:00 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Sat, 27 Jan 1996 13:40:00 +0800
Subject: Crypto Exports, Europe, and Conspiracy Theories
In-Reply-To:
Message-ID:

On Fri, 26 Jan 1996, Timothy C. May wrote:

>
> A minor correction. Tim Berners-Lee is British, and was only working at
> CERN, which effectively straddles the French-Swiss border, near Geneva. And
> he is now, or was recently, working in New York. I would have a hard time

Actually, MIT is usually placed in Cambridge, Mass. (though the W3O also has a branch at Inria - Sophia Antipolis.

From jimbell at pacifier.com Fri Jan 26 22:10:11 1996
From: jimbell at pacifier.com (jim bell)
Date: Sat, 27 Jan 1996 14:10:11 +0800
Subject: Denning's misleading statements
Message-ID:

At 10:24 PM 1/26/96 -0500, Thomas Grant Edwards wrote:
>
>I think the big bait-and-switch is her description of the various
>companies falling over themselves to get to _VOLUNTARY_ key escrow to
>avoid losing data and protecting themselves against employee problems
>versus _MANDATORY_GOVERNMENT_ key escrow to ensure that individuals
>cannot hide information from the government.
>
>Key escrow is good. Key escrow against your will is bad.

While I understand your point, I sorta hafta disagree. (or, at least, state my reservations.) If something is technologically IMPOSSIBLE (or, in practice, not available), it won't be mandated by government because it can't be.
The moment something exists, it can be forced on people.

I'm not saying we should somehow try to prevent people from developing truly voluntary key-escrow systems; rather, I'm saying that their existence should alert us to the danger.

From jamesd at echeque.com Fri Jan 26 22:12:32 1996
From: jamesd at echeque.com (James A. Donald)
Date: Sat, 27 Jan 1996 14:12:32 +0800
Subject: Microsoft's CryptoAPI - thoughts?
Message-ID: <199601270550.VAA23195@mailx.best.com>

For those allergic to Microsoft word, I have htmlized the crypto api. You can find it at http://www.jim.com/jamesd/mscryptoapi.html

I hope that Microsoft will soon have an official html version.

A notable misfeature of the API is that it assumes that in general you will have two key pairs. One for signing and one for encrypting. Since in the most common case you are encrypting something related to a signed message by the person you are encrypting to this is a bad idea, and protocols that require two key pairs to avoid protocol failure are hazardous and inconvenient. I think Microsoft should not have chosen to support such protocols.

The Crypto engine that Microsoft will soon distribute in every copy of NT and windows will of course be crippled -- 512 bit RSA keys and 40 bit RC4 keys, but of course we should not do anything about this until we have some crypto enabled applications floating around.

---------------------------------------------------------------------
                                      |
We have the right to defend ourselves | http://www.jim.com/jamesd/
and our property, because of the kind |
of animals that we are. True law      | James A. Donald
derives from this right, not from the |
arbitrary power of the state.
| jamesd at echeque.com

From die at pig.die.com Fri Jan 26 22:15:22 1996
From: die at pig.die.com (Dave Emery)
Date: Sat, 27 Jan 1996 14:15:22 +0800
Subject: NOISE NOISE NOISE - clocks and other irrelevance
In-Reply-To:
Message-ID: <9601270540.AA10607@pig.die.com>

>
> A peripheral I've long wanted to see, commonly available: ACCURATE time,
> broadcast to the millisecond/microsecond/nanosecond, available from sources
> as varied as TV VIR's, FM subcarriers, and other sources, available as an
> easy input (via a peripheral card) to a computer.

The only technology that I'd trust to be useful much below 10-100 ms is GPS. The others are unlikely to be controlled well enough at the source to be trusted. Current TV broadcasting, for example, usually involves multiple passes through digital frame stores and time base correctors - most homes get the signal via cable which itself involves significant uncontrolled delays (just the thermal changes in propagation delay in a long CATV cable and amplifier chain due to weather changes run into the many microseconds). And humans beings being as imperfect as they are, it is hard to believe that making sure that the time being broadcast is really kept accurate is going to be a priority when most people use it for purposes that require plus or minus a few seconds timing.

>
> I have a 12-year-old Heathkit "Most Accurate Clock" that I assembled myself,
> and had the foresight to install it with its computer interface option.
> (receives 5, 10, or 15 MHz signals broadcast from Boulder, Colorado,
> containing "exact" time.)
>
> While I've never taken the time to connect it to my PC, it provides
> (through an RS232 jack) correct time with a rated accuracy of about 5
> milliseconds, as I vaguely recall. (Even has a dipswitch setup on the bottom
> to tell it how many 500 mile increments you are away from WWVB... corrects
> for delay to a first order of magnitude.)
>

WWVB is the 60 khz broadcast (which is more accurate due to more stable propagation) . the HF ones are WWV. Commercial time receivers are available that work off the 60 khz time code (very narrow bandwidth ASK), but the 60 khz is most used as a standard frequency for long term tracking of error in local standards.

> (BTW, if anybody knows how to easily connect it to the pc, or has the
> appropriate software, please tell me The task isn't difficult from a
> hardware standpoint; it's just RS-232 serial ASCII timecode at about 9600
> bps which
> either continuously retransmits or on request. The problem is the software:

If you run unix there are some quite sophisticated programs that can use this specific clock (connected to a serial port) that allow sync to the full accuracy possible at good times of day (around 1 ms). The programs also allow time distribution to other computers on a network - thus their name - ntp - which stands for network time protocol (and the network time program that implements it).

This protocol and the various unix programs that implement it are quite widely used on commercial LANs and the Internet to synchronize time among unix workstations, servers, and bridges and routers. Current implementations are capable of tracking clock oscillator error on a system and adjusting the time periodically to compensate for the frequency error of the clock and even to predict (polynomial approximation) the change in frequency error with time.

The man behind much of this (at least the early research) is Dave Mills who used to be at louie.udel.edu which hosted a ftp site for the programs. An archie search will reveal where they are kept now, and there is a newsgroup (comp.protocols.time.ntp) for this which no doubt has a substantial faq file about this.

> How, exactly, do I INTERFACE such a serial input to the existing computer/RTC
> combination? (Don't tell me to plug it into an unused serial jack! I'm not
> stupid.
I'm not a programmer, and I don't play one on TV! (I know
> gates, flops, op amps, A/D, D/A, microprocessor hardware design, even some
> Z-80 assy language, RF, and I've programmed in Fortran, Basic, APL, Algol,
> PL/1, Pascal, LISP, but not recently and I don't enjoy it!)
>
>

I suspect that by this point there are several windoze/DOS programs to sync a PC to ntp time on a network, and perhaps even a program that will accept input from a Heath clock ... although the initial ntp code was written for unix on Suns.

> (Then again, there are those "Receptor" watches which have (at least) similar
> accuracy, which as I understand it work on FM subcarrier principles.)

Yes they use the RDS broadcast on the 57 khz subcarrier for this. Of course there is no certainty the station has the clock set accurately.

>
>
> Technology has now supplanted this old monstrosity: Even with CHEAP GPS
> receivers, they put out time which is rated in accuracy to well better than
> 1 microsecond, and probably better than 200 nanoseconds even with S/A turned
> on, and probably 100 nanoseconds with S/A off. Once GPS receivers contain
> equally cheap DGPS receivers, they'll be able to tell you your location to
> about 1 meter and corresponding time accuracy, about 3 nanoseconds.
>

Yup. And ntp can use several cheap gps products available to sync a unix clock to high accuracy.

> I'm not particularly familiar with TV VIR signals, but I'd imagine they are
> timecoded, or at least they COULD be without a lot of effort. Resolution
> would be FAR better than 1 microsecond, and accuracy would be primarily
> limited by knowledge of your location compared to the xmitter.
>

Could be is the operative word here, Many tv program distribution signals carry frame time codes in the VIT, but who put them there, how accurately they reflect local time and where in the delay chain (before or after the satellite for example) they get inserted is not well controlled.
Nor is there a standard for the format that addresses the needs of end users rather than broadcast production, or any particular effort to ensure that a signal is reliably present in the over the air transmission.

Once many years ago (seventies) the NBS (not NIST yet) tried to get the TV networks to clock themselves with high accuracy rubidium standards as a means of distributing standard frequency and time. But technology has made this meaningless as most tv signals are now distributed via satellites that move around several kilometers in a day and clocked into multiple layers of frame stores (often delayed more than a second) in digital switching and processing gear and clocked out with different clocks that often are not very accurate and not in any way locked to the incoming network.

TV stations could be made to maintain a local clock sync'd to GPS and use that to do the final level of clocking out before feeding the transmitter and could thus ensure that some reference point in some frame happened at an exact time, but given that a user who can see a TV signal can probably see GPS signals and can do the same timekeeping himself for a couple hundred bucks it hardly seems worth it any more.

I do expect that time codes with modest accuracy (few tens of ms at best) will become common as part of the Starsite (or whatever they call it now) program guide distribution on PBS, simply because this has defined a format that can conveniently contain time messages multiplexed with other data and the box displays the time. DSS and VC-II both also have this capability, but of course the uncertainty of the satellite delay limits accuracy and neither has provisions for providing time to other devices.

> MITM attacks would be far more difficult if both ends of the data
> conversation agreed on the "exact" time, and could detect transmission
> delays and CHANGES in transmission delays.
> While it would be possible to
> locally spoof the accurate timecode, a cheap version of a "disciplined
> oscillator" (which any GPS receiver is going to have, anyway) would detect
> such short-term spoofing trivially.
>

See my public comments on this.

> Occasionally, I've speculated on whether it might be useful to be able to
> synchronize (or, at least, KNOW) to the PHASE of the 60 Hz power grid.
> True, I know that the HV grid is 3-phase and most people won't know which
> phase they're on anyway, but that wouldn't change (at least not frequently!)
> , and I would imagine that
> it might be useful. You wouldn't necessarily know which CYCLE you're on,
> either, but again that might be compensated for somehow. If your computer
> were talking, locally, to another computer at 4100 baud (? whatever) (7 bits
> per symbol(?); equals 28.8kbps) you could "easily" agree on a particular cycle
> relationship, which is going to be essentially constant over a distance of a
> few tens or even hundreds of miles.
>

This is possible, but I bet the variations in phase in the local distribution system due to power factor, choice of phase to use, propagation time through transmission lines and substations and so forth would mean that phase as observed at two distant sites was rather random and maybe even subject to shifts over time as load conditions varied.

> What I DON'T know (and some HV transmission engineer will probably be able
> to tell me, hint hint!) is how STABLE this phase is across the entire
> country? I realize that this will probably depend on who's shipping excess
> power to whom at the moment, But I'd imagine the variability will be
> distinctly limited.
>

I've seen some discussions about this, but don't know a reliable answer. I do know that the frequency is only 60 hz on the average over a day and actually wanders up and down quite a bit more than one might expect as load on the system varies.
I did some measurements of this 22 years ago while debugging some PDP-8E system software I wrote that ran a frequency counter (the ratio kind that was very accurate on low frequencies) and found the diurnal variations surprisingly large and quite interesting. I've not repeated the experiment since but suspect that they still allow the frequency to wander in response to load conditions.

> The biggest attraction of such a system is that the interface would probably
> be trivial: Getting it from the P/S is out because they didn't anticipate
> such a thing. The easiest interface might be an AC wall xformer with a
> rectifying limiter and slicer (Okay, maybe just a resistor and a diode,
> possibly with the addition of a comparator for precision), driving a
> readable pin on an otherwise-unused RS-232 interface. (Possibly
> installed similar to a dongle.) Appropriate software (yucch!) would read
> the square waves, and record the phase at any one time. Such information
> could be used to verify the relative synchronization between two different
> computers, although it would be necessary to identify particular phases, as
> I mentioned before.
>

One could certainly do this, but there are subtleties ... some places and institutions generate their power locally (and few if any users know this or know whether or not they are on the grid), UPS systems are common and wander off of the grid during a power fail, and many buildings have all three phases floating around wall outlets, even wall outlets close to each other so such acts as moving plugs around might very well change the phase. And power systems switch phase correction capacitors in and out from time to time as power factor of large loads varies.

My guess is that to synchronize much below a ms would be hard, and that random losses and jumps of sync would be common enough to require lots of special treatment in software.
Dave Emery N1PRE
die at die.com

From llurch at networking.stanford.edu Fri Jan 26 22:17:02 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 27 Jan 1996 14:17:02 +0800
Subject: Anonymous trashing of Assassination Politics
In-Reply-To:
Message-ID:

On Fri, 26 Jan 1996, jim bell wrote:

[Stuff]

Where is this opus of yours on the new political order? On Dejanews, I found only people ridiculing you. Searching the Web for Jim Bell, I found only an environmentalist with entirely different delusions of grandeur. Searching for Klaatu, I found only a bad science fiction movie. And you know that the older cypherpunk archives aren't so well maintained. Could you please post a URL?

I really don't think you need to send the whole thing to the list again, but such an important innovation in political theory should certainly be shared with the world. I mean, after years on FidoNet, talking to *a dozen* people who disagree with you, you must have a lot to contribute.

If you don't have a Web or FTP server of your own, I'd be happy to host it, without comment, and with your PGP signature of course so that no meanies can mess with your prose. I could even put it on a server with no obvious ties to me.

Surely you would like people to know the way Jim Bell thinks. Let me know...

-rich

From frantz at netcom.com Fri Jan 26 22:28:39 1996
From: frantz at netcom.com (Bill Frantz)
Date: Sat, 27 Jan 1996 14:28:39 +0800
Subject: Denning's misleading statements
Message-ID: <199601270558.VAA04133@netcom6.netcom.com>

At 7:49 PM 1/26/96 -0800, Rich Graves wrote:
>Outlaw cryptography, and only cryptographers and outlaws will have
>cryptography.
However unlike guns which require some level of machine shop to produce, cryptographic systems can be produced at home by a smart high school student with only the computer that is needed to compete in the modern economy.

Bill

From jimbell at pacifier.com Fri Jan 26 22:30:53 1996
From: jimbell at pacifier.com (jim bell)
Date: Sat, 27 Jan 1996 14:30:53 +0800
Subject: [rant] A thought on filters and the V-Chip
Message-ID:

At 11:56 AM 1/26/96 -0800, Alan Olsen wrote:
>[Not Perry(tm) approved -- Skip if this offends you]
>
>I am waiting for someone to come out with a product that will modify the
>v-chip (or the various internet "protection" tools) in such a way that it
>scans *FOR* pornography.
>
>Porn is big business. You would think that people would pay for a way to
>sort through all of that non-smuttiness and just "get to the good stuff". I
>also imagine that as soon as such a product appears, the censors will scream
>bloody murder.

Sigh! Wonderful idea, but sadly it probably will never be allowed to work, for exactly the obvious reasons. (I know that sounds like an odd argument to get from ME, considering MY idea...)

On the other hand, this would be an EXCELLENT "argument" to bring in front of a Congressional committee considering the adoption of any V-chip type proposal. Once they discover that a ratings system could be used for the diametrically opposite reasons of their reason for having it in the first place, they'll try to modify their proposal to prevent this. If we're lucky, this'll have the effect of killing the whole concept of government-sponsored (required?) V-chip-type technology.

OTOH, I agree with other posters who think that truly voluntary content selection would be an excellent addition to television: In effect, an automatic, programmable TV-Guide search engine.

From mianigand at unique.outlook.net Fri Jan 26 22:53:54 1996
From: mianigand at unique.outlook.net (Michael Peponis)
Date: Sat, 27 Jan 1996 14:53:54 +0800
Subject: Open NNTP servers and logging
Message-ID: <199601270633.AAA09641@unique.outlook.net>

On 26 Jan 96 at 21:11, Stephen Albert wrote:

> A little while back there were some very helpful posts about getting started
> with open NNTP servers. Since my regular site runs kinda slow in the news
> department I've been having fun poking around and seeing about getting more
> current.
>
> Then it dawned on me. People keep logs. Presumably routine logging would
> point right back at my ISP, and from there it'd be not too hard to pin down me
> specifically. No, I don't think anyone is particularly *likely* to do that,
> but why take chances?
>
> So...anyone know of open NNTP servers that *don't* keep logs? Or some other
> way around the problem?

Well, as bad as the lack of anonymity may be, NNTP server logs serve a very useful purpose, ie finding and eliminating trolls and spammers. Unfortunately, I would have to go logs given the state of UseNet.

Why not just read from the open server, and post anonymously using anonymous remailers and News-to-Mail Gateways?

Regards,
Michael Peponis
PGP Key Available from MIT Key Server, or via finger

From mmarkowi at interramp.com Fri Jan 26 23:17:13 1996
From: mmarkowi at interramp.com (Michael J. Markowitz)
Date: Sat, 27 Jan 1996 15:17:13 +0800
Subject: SHA-2
In-Reply-To:
Message-ID:

wlkngowl at unix.asb.com (Mutatis Mutantdis) wrote:

>>Schneier mentioned last year in one of his conference reports that SHA
>>was being revised, yet I couldn't find it in Applied Crypto 2 (I admit
>I don't know if the revision is official or proposed. I first heard
>about it in a post to alt.security (I saved the message somewhere)

Official--it's called FIPS PUB 180-1.

Michael J. Markowitz, VP R&D mjmarkowitz at attmail.com
Information Security Corp.
847-405-0500
Deerfield, IL 60015 Fax: 847-405-0506

From br at scndprsn.Eng.Sun.COM Fri Jan 26 23:19:03 1996
From: br at scndprsn.Eng.Sun.COM (Benjamin Renaud)
Date: Sat, 27 Jan 1996 15:19:03 +0800
Subject: Hack Java
Message-ID: <199601240001.QAA25104@springbank.Eng.Sun.COM>

]Both of you are correct if you look carefully at the assumptions. Rich
]assumes that you have a 'malicious compiler'. Godmar is right that Java
]does not utilize pointers in the byte code. What would make the entire
]scenario work is a malicious interpreter or a 'NotJava Browser'(TM) that
]allowed malicious code to be executed. Couple a bad compiler and a bad
]interpreter and you are in business (nasty business that is).

Yes. And if you also let an intruder in your house, have them sit at your computer with your newborn child in the room and go on vacation, things can get really, really nasty.

Sort of like when you execute untrusted code in an untrusted environment...

-- Benjamin
Java Products Group

From futplex at pseudonym.com Fri Jan 26 23:56:49 1996
From: futplex at pseudonym.com (Futplex)
Date: Sat, 27 Jan 1996 15:56:49 +0800
Subject: USPS Secure Email
In-Reply-To: <9601270226.AA18376@mhv.net>
Message-ID: <199601270740.CAA05685@thor.cs.umass.edu>

Lynne L. Harrison, Esq. writes:
> ******Begin Forwarded Message*********
> >I just read in "legal.online" that the Postal Service plans to provide
> >secure email service. It will include encryption plus offer U.S. mail fraud
> >protection. Of course there is no estimate on cost.

The latest issue of "legal.online" that's actually online appears to be July 1995. I rooted around on www.usps.gov but there's not much there. Does someone have a pointer to soft- or hardcopy of the actual proposal? Anyone know how they plan to do digital postage?

Futplex
Looks like jim bell will soon prompt me to try to crank up procmail again....

From stephen_albert at alpha.c2.org Sat Jan 27 00:16:57 1996
From: stephen_albert at alpha.c2.org (Stephen Albert)
Date: Sat, 27 Jan 1996 16:16:57 +0800
Subject: Open NNTP servers and logging
Message-ID: <199601270745.XAA02132@infinity.c2.org>

At 01:33 AM 1/27/96 +0000, mianignad at outlook.net wrote:

>Well, as bad as the lack of anonymity may be, NNTP server logs serve a very
>useful purpose, ie finding and eliminating trolls and spammers.
>Unfortunately, I would have to go logs given the state of UseNet.

I wish that didn't make so much sense to me. I can certainly see things from the sysadmin's point of view.

>Why not just read from the open server, and post anonymously using anonymous
>remailers and News-to-Mail Gateways?

That's exactly what I'm doing for the moment. After my current job starts paying I'll shop around services like C2 and see who has a faster news feed than my current ISP. Things take way too long to get here sometime.

By the way, plug plug plug, I wrote up a short set of instructions on posting through gateways with Private Idaho and put it on alt.security.pgp. An Alta Vista or Deja News search would turn it up. I can also mail it out to anyone who would like a helping hand with it.

Stephen "all the news that fits we print" Albert
stephen_albert at alpha.c2.org <*> PGP key on request and on servers

From Steve at aztech.net Sat Jan 27 00:32:28 1996
From: Steve at aztech.net (Stephen P. Gibbons)
Date: Sat, 27 Jan 1996 16:32:28 +0800
Subject: Possible Java hack.
Message-ID:

I had a brainstorm this morning, and I think that I may have a possible hack against Java that might circumvent a few network access policies and the firewalls that support them.

Looking at the Java APIs it seems pretty likely to me that when a name to address lookup is performed, all it does is call gethostbyname() or the equivalent. If this is the case (and I don't have a source license at this point, or even a system that will run Java) there is the possibility that a system with control of a web server and a DNS server could coerce a Java client into initiating TCP connections to clients other than the system that provided the applet (which should be a prohibited behavior, as I read the specs.)

This is still at the WAG stage, since I don't have access to source code and have not received confirmation (nor denial) from any of the vendors that I have contacted, but I'd appreciate feedback (positive or negative) from the list(s).

FWIW, my WAGs have about an 80% hit ratio, but this is the first that I've posted without confirmation.

ObCrypto: _When_ will DNS be secured via PKE?

-- Steve at AZTech.Net

From roy at sendai.cybrspc.mn.org Sat Jan 27 00:33:45 1996
From: roy at sendai.cybrspc.mn.org (Roy M.
Silvernail)
Date: Sat, 27 Jan 1996 16:33:45 +0800
Subject: Encrypted IP tunneling
Message-ID: <960124.212346.1s8.rnr.w165w@sendai.cybrspc.mn.org>

I suddenly find myself in a position where I really need to set up a secure IP pipe between my machine and another site. All the machines involved are running Linux, of slightly varying vintages (but all recent kernels).

Recommendations appreciated. Save listwidth... email direct. Thanks.

-- 
Roy M. Silvernail [ ] roy at cybrspc.mn.org
PGP Public Key fingerprint = 31 86 EC B9 DB 76 A7 54 13 0B 6A 6B CC 09 18 B6
Key available from pubkey at cybrspc.mn.org

From lead at zifi.genetics.utah.edu Sat Jan 27 00:38:44 1996
From: lead at zifi.genetics.utah.edu (lead remailer)
Date: Sat, 27 Jan 1996 16:38:44 +0800
Subject: ANNOUNCE: NEW MIXMASTER REMAILER
Message-ID: <199601250342.UAA01350@zifi.genetics.utah.edu>

Hello all,

I am pleased to announce a new mixmaster remailer. This remailer was compiled and installed primarily using the mix-installer script available from Adam Shostack. To get the script, send a message to adam at lighthouse.homeport.org with Subject: get mix-installer.

here is the relevant info:

address: mix at zifi.genetics.utah.edu
long name: lead remailer
short name: lead

for your type2.list file:

lead mix at zifi.genetics.utah.edu a76c3fda7294a6695c5e6a931d1c0b73 2.0.3

Here is the public key for lead remailer:

Here is the mix-help file:

From: mix at zifi.genetics.utah.edu (Mixmaster remailer at zifi)
Subject: Instructions for using anonymous remailer

This message is being sent to you automatically in response to the message you sent to mix at zifi.genetics.utah.edu with subject "remailer-help".

This is a Mixmaster remailer. It provides an extremely high level of security. To use it, you must have a client program to produce the messages. This software is available from ftp://flame.alias.net:/pub/replay/pub/remailer

Read the README file for instructions.

Some information can be sent to you by the remailer by including the following commands (one per message) in the subject line of mail to the remailer.

remailer-help    This file.
remailer-stats   Usage statistics for the last 24 hours.
remailer-key     The mixmaster key file for this remailer.

This section of the helpfile is blatantly plagiarized from the mixmaster faq located at: http://www.obscura.com/~loki/remailer/mixmaster-faq.html.

---

What is Mixmaster?

Mixmaster is a new class of anonymous remailers. Inspired by the existing "cypherpunk" remailers and discussions on the Cypherpunk mailing list.
Mixmaster is the next generation in the evolution of remailer technology.

What is an anonymous remailer?

Quoting from Andre Bacard's remailer FAQ: An anonymous remailer (also called an "anonymous server") is a free computer service that privatizes your e-mail. A remailer allows you to send electronic mail to a Usenet news group or to a person without the recipient knowing your name or your e-mail address.

What do I need to use Mixmaster remailers?

Unlike other remailers, you can't just make your own message and send it to the remailer. Mixmaster's security comes in part from using a special message format. The disadvantage of this is that you need a special program to make the message for you. Once you have that program (the client) remailing is as easy as running the program, and telling it which remailers you want to use.

How do I get the Mixmaster client software?

There are two sites for distribution. First, is ftp to obscura.com and read /pub/remail/README.no-export. The other is by anonymous ftp to jpunix.com. You will have to follow the instructions there to get Mixmaster. Because Mixmaster contains cryptography, it may not be exported from the U.S and Canada. The reason for the circuitous route to download Mixmaster is to show my good faith efforts to keep Mixmaster from being exported. I have heard rumors that someone has already broken this law, and that Mixmaster is available from Europe. I do not approve of this and will not support that site.

Does Mixmaster use PGP?

No, Mixmaster uses the rsaref package from RSA. Mixmaster uses its own keys and key file formats. To add a key to a key ring, simply append the key to your key file using your favorite text editor.

Can mix at zifi.genetics.utah.edu post to News?

No. News posting is not supported at this time.

Abuse Policy:

I consider the following to be inappropriate use of this anonymous remailer, and will take steps to prevent anyone from doing any of the following:

- Sending messages intended primarily to be harassing or annoying.
- Use of the remailer for any illegal purpose.

If you don't want to receive anonymous mail, send me a message, and I will add your email address to the block list.

From anon-remailer at utopia.hacktic.nl Sat Jan 27 00:42:11 1996
From: anon-remailer at utopia.hacktic.nl (Anonymous)
Date: Sat, 27 Jan 1996 16:42:11 +0800
Subject: No Subject
Message-ID: <199601270818.JAA02695@utopia.hacktic.nl>

Jim Bell writes:

>I notice that you responded through an anonymous remailer, and didn't even
>use a nym. This is strange.

No it isn't. You run around talking about killing people anonymously, but have trouble with anonymous harsh words? Color me unimpressed. I might be someone you know. I might be a plant. I might be something else. Doesn't matter. The words are the words and stand on their own.

>> are often that way because we think the *means* the State uses are evil,
>not to be excused by any amount of
>mumbo-jumbo.
>
>I think the state's ENDS are evil, too, not merely their MEANS.

I have no argument here. But good ends do not excuse bad means. And killing people who are not an immediate threat to you (or someone in your immediate vicinity) is a bad idea. Play the game of the State and become just like it.

>Actually, if you followed my arguments carefully, you will notice that my
>position is most accurately described by pointing out that I _could_not_
>keep you from participating in this "immoral game", even if I wanted to.

You also didn't mention the problem of fraud. I set up A. Nony Mouse's Hired Guns Service. You pay me a lot of money to go off someone. I come back and say "Sorry, couldn't do it. Bad traffic." Then I wander off with the money. Who are you going to complain to?
I have this sneaky feeling that damn few courts, Statist or otherwise, are going to get worked up over your loss. And since the whole thing's done anonymously, you are left without a leg to stand on. Assassination Politics -> Scam-O-Rama.

>For the record, I suspect some people who are total pacifists view the rest
>of us, those willing to use violence to defend ourselves, as "immoral."

I agree. But then I'm not a total pacifist. Self-defense is an inherent right. Llap-gauche is not.

>Aha! You're implying (actually, implying is an understatement here) that I
>am an "agent provocateur."

Nope. Just pointing out that you are doing the job of an agent provocateur very well. But your reply goes a long way toward moving you out of that category and into the category of KoTM fodder.

Signed,
A Friend

PS. This whole thing really is off-topic. I'm letting it drop now. Bluster to your heart's content.

From alanh at infi.net Sat Jan 27 00:51:38 1996
From: alanh at infi.net (Alan Horowitz)
Date: Sat, 27 Jan 1996 16:51:38 +0800
Subject: "Gentlemen do not read each other's mail"
In-Reply-To: <199601252139.QAA16761@jekyll.piermont.com>
Message-ID:

On Thu, 25 Jan 1996, Perry E. Metzger wrote:

> I am a funny sort of person. I don't believe that governments should
> be able to do anything that individuals cannot.

So violent criminals should never be jailed?

From rsalz at osf.org Sat Jan 27 00:59:23 1996
From: rsalz at osf.org (Rich Salz)
Date: Sat, 27 Jan 1996 16:59:23 +0800
Subject: "Gentlemen do not read each other's mail"
Message-ID: <9601260024.AA02591@sulphur.osf.org>

> It is not merely ethical for one government to
> read another's mail, it is a duty.

You're too smart to really believe this. Or do you have some way for a foreign gov't to know that *this* call is about a murder while *that* call is about a CIA-sponsored hit against Castro?
/r$

From stewarts at ix.netcom.com Sat Jan 27 01:01:10 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Sat, 27 Jan 1996 17:01:10 +0800
Subject: [NOISE] Re: "Gentlemen do not read each other's bank statements"
Message-ID: <199601270825.AAA05579@ix2.ix.netcom.com>

>> > The high cost of WW II made it a necessity for the gvm't to have more
>> > money at a particular moment, and not wait for year-end.
>> Not so. Govt has been able to print fiat money at will since the Fed
>> Reserve was founded in 1913.

The phrase "not worth a Continental" dates to several wars before that, and several governments of East-coast North America as well.

tenuous-at-best connection to cypherpunks material - using a currency backed only by the supply of ones and zeroes requires a market mechanism to encourage the issuers not to overdo it....

#--
# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281
#
# "Eternal vigilance is the price of liberty" used to mean us watching
# the government, not the other way around....

From stewarts at ix.netcom.com Sat Jan 27 01:01:32 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Sat, 27 Jan 1996 17:01:32 +0800
Subject: Crypto Exports, Europe, and Conspiracy Theories
Message-ID: <199601270825.AAA05590@ix2.ix.netcom.com>

At 01:06 PM 1/26/96 -0600, Alex Strasheim wrote:
>Why aren't foreign companies flooding America with strong crypto? Well,
>there are clearly pressures of the sort Tim described at work. But there
>are other factors as well: .....

Among other things, the RSA and other public-key patents in the US, combined with non-exportability, severely limit the ability of non-US companies to sell public-key-based software in the US. Banks often use moderately-strong crypto (single-DES), and there are some imported cash machines which support it, but it's not a big market.
Other than that, most people don't care much about crypto, and assume that the password-"protection" that Microsoft products offer is enough for them.

>Digicash is probably the first significant crypto product to be exported
>to America.

IDEA's pretty significant, though PGP 2.x could have used triple-DES if IDEA hadn't been available. The political significance of it being foreign, or at least non-NSA-tainted, has been somewhat important as well. Then you could also contend that Shamir, a significant crypto producer, exported himself to America :-) (I think he's the RSA member who's Israeli?) (You could also contend that Enigma and Purple were exported to America, and in Enigma's case, the ability to crack it was mainly Polish and British.)

Digicash is highly significant as an idea, but will only be significant in reality if they can pull off a successful business strategy before the market gets saturated with less private solutions that everyone needs to be backwards-compatible with.

>It's important to note that this extremely important product couldn't
>have been produced here, patents aside.
>Transaction systems need to be international, and our rules make
> America an unsuitable place from which to launch transaction software.

Nicely put; I'll have to steal it sometime :-)

#--
# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281
#
# "Eternal vigilance is the price of liberty" used to mean us watching
# the government, not the other way around....

From carolann at censored.org Sat Jan 27 01:14:42 1996
From: carolann at censored.org (Censored Girls Anonymous)
Date: Sat, 27 Jan 1996 17:14:42 +0800
Subject: Reply: "This post is G-Rated"
Message-ID: <199601260001.RAA04514@usr4.primenet.com>

Nice addition to your .sig!

root at heavily.censored.org....(lightly.censored.org coming soon) :)

At 11:18 AM 1/25/96 -0800, you wrote:
>[This post is classified as G-Rated by Tim May.
>I see no agreed-upon labelling convention emerging.
>Fortunately.
>
>--Tim May
>
>Boycott espionage-enabled software!

--
Member Internet Society - Certified BETSI Programmer - Webmistress
***********************************************************************
Carol Anne Braddock (cab8) carolann at censored.org 206.42.112.96
My Homepage
The Cyberdoc
***********************************************************************
------------------ PGP.ZIP Part [017/713] -------------------
M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M
MF=O0H+*%(-S%&>S%+FS&
http://dcs.ex.ac.uk/~aba/export/

From hroller at c2.org Sat Jan 27 01:16:13 1996
From: hroller at c2.org (Hroller Anonymous Remailer)
Date: Sat, 27 Jan 1996 17:16:13 +0800
Subject: No Subject
Message-ID: <199601260025.QAA27228@infinity.c2.org>

At 01:44 PM 1/25/96 -0800, "Vladimir Z. Nuri" wrote:

>it really bugs me how much cypherpunks try to point out the "gotchas" in all
>the laws with crypto. when we become *experts* on these laws, and
>tell people why they prevent them from doing various things, we
>are actually *supporting* them.

It's not often we see an active and overt defense of ignorance. Good work, Vladimir! But to really avoid being contaminated by evil knowledge, I recommend the following 12-step program:

1. Admit that you are powerless to get a clue. Print out this message for reference.
2. Unsubscribe from Cypherpunks, and all other sources of information that might be relevant.
3. Unsubscribe from all sources of information that probably aren't relevant, to avoid hostile agents forcing you into unwitting coercion.
4. Read William S. Burroughs books until you begin to see your neighbors as giant cockroaches and slugs.
4a. In the event that you already see them this way, read Burroughs until they look like something else.
5. Join as many religions as possible, so that you have incompatible memes busily protecting you from facts.
12. Seal your head in a plastic bag until you suffocate. This will protect you from such problems in the future.
Hope this helps! Signed, A Friend From stewarts at ix.netcom.com Sat Jan 27 01:18:10 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 27 Jan 1996 17:18:10 +0800 Subject: Hey, jdoe-agamemnon! Re: NOISE Test Ignore Message-ID: <199601270836.AAA05981@ix2.ix.netcom.com> At 09:00 PM 1/26/96 -0800, MAILER-DAEMON at alpha.c2.org wrote: >Unknown addressee: jdoe-agamemnon at alpha.c2.org > >----- Unsent Message Follows ----- > >Received: by alpha.c2.org for jdoe-agamemnon at alpha.c2.org > From stewarts at ix.netcom.com Fri Jan 26 20:12:47 1996 >Received: from ix2.ix.netcom.com (ix2.ix.netcom.com [199.182.120.1]) by infinity.c2.org (8.7.1/8.6.9) with SMTP > id UAA06971 for ; Fri, 26 Jan 1996 20:12:47 -0800 (PST) > Community ConneXion: Privacy & Community: >Received: from pax-ca11-09.ix.netcom.com by ix2.ix.netcom.com (8.6.12/SMI-4.1/Netcom) > id UAA19713; Fri, 26 Jan 1996 20:17:46 -0800 >Message-Id: <199601270417.UAA19713 at ix2.ix.netcom.com> >X-Sender: stewarts at popd.ix.netcom.com (Unverified) >X-Mailer: Windows Eudora Light Version 1.5.2 >Mime-Version: 1.0 >Content-Type: text/plain; charset="us-ascii" >Date: Fri, 26 Jan 1996 20:17:45 -0800 >To: jdoe-agamemnon at alpha.c2.org >From: Bill Stewart >Subject: Re: NOISE Test Ignore > >At 09:22 PM 1/25/96 -0800, you wrote: >>Test Test Test >> >> >Well, it got here, jd... >#-- ># Thanks; Bill ># Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 ># ># "Eternal vigilance is the price of liberty" used to mean us watching ># the government, not the other way around.... > > > #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "Eternal vigilance is the price of liberty" used to mean us watching # the government, not the other way around.... From EALLENSMITH at ocelot.Rutgers.EDU Sat Jan 27 01:18:46 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. 
ALLEN SMITH) Date: Sat, 27 Jan 1996 17:18:46 +0800 Subject: Cypherpunk Elitism Message-ID: <01I0FSH7GNG4A0UNXY@mbcl.rutgers.edu> This message has some components that may be deemed appropriate for the list, and some that will not; since Dr. May considered it an appropriate topic, I am following his lead. However, feel free to take it to private email. From: IN%"tcmay at got.net" 18-JAN-1996 08:09:37.98 >(Ironically, I brought up the new book, "The Winner Take All Society," at the last Cypherpunks meeting. No time to discuss it here, but it confirms my strong belief that we are heading for a economy in which a shrinking fraction of workers have really valuable things to contribute, and a growing fraction of the population does not. I had not recalled the authors, but Strick had a battery-powered laptop and Metricom wireless modem, and ran an Alta Vista search from where he was sitting: ROBERT FRANK & PHILIP COOK, The Winner-Take-All Society, New York: The Free Press.) ---------------------------- You might also find Robert Reich's _The Work of Nations_ interesting. He divides jobs up into Routine Producers (factory-line workers), In-Person Servers (McDonald's clerks), and Symbolic Analysts (innovative programmers, scientists, etcetera). His analysis does have some problems. He views the growing lack of Routine Producer jobs in the US as due to their export to low-wage countries; I would add automation as another cause. He also makes the error of regarding education as the primary (or even only) difference between those qualified for various jobs, completely ignoring IQ's genetic component. His policy suggestions for taking care of what he (incorrectly) believes is a problem are also ridiculous. ----------------------------- From: IN%"alano at teleport.com" "Alan Olsen" 19-JAN-1996 00:00:39.70 >I have seen a number of posts on "Cypherpunk Elitism". I have seen more examples of it here on the list. 
I think that this attitude will be more destructive to the list than noise in the long run. It has been said that "Cypherpunks write code". They must do more than that. Cypherpunks need to teach. All the cryptotools in the world are of no use if no one knows how to use them. (Or know how to use them correctly.) All of the protocols are of no use if no one knows how to implement them correctly or WHY they need them in the first place. There are a lot of bogus security methods. Many of them exist because people do not know better. Without someone to instruct them in the ways of these things, they will continue to go on with bad crypto, not knowing any better. Not all of the non-cypherpunks are beyond hope. Many of them are teachable. If we leave them to flounder on their own, cryptography will be something used only by an elite. It will be of little or no threat to the powers that be because only a small amount of people will have the ability to use it. The TLAs will have less encrypted traffic to sort through. They will have won a big battle, not through force of arms but force of egos. ---------------------------- Part of this depends on the size of the "small number of people," and on whom those people are. If a hundred people are using the remailernet, governments can trace messages (and can easily shut it down). If a million people are using it, governments cannot trace messages nearly as easily, and there will be more protest if it is shut down. If the people who are needed for a society to function are in that group, then a government would need to be suicidal to attack them; these people can also much more easily leave for another country. If those with the most income to lose via income taxes are those who are using fully anonymous ecash, then most of the government's unneeded revenue goes away. In other words, while teaching about cryptography is important... certain people are more worth teaching than others.
This fact is analogous to that certain people will be more competent after college than others. Such qualities as intellectual ability, income, and position make some people more worth convincing than others. Incidentally, there is a mailing list for the discussion (and promotion) of intellectual Elitism. Its Draft FAQ (including directions for signing on) is at http:/ils.unc.edu/~vreer/elitefaq. (The list in question is unfortunately currently more disorganized than cypherpunks). More information can also be found at http://weber.u.washington.edu/~lfletch/elitism.html and http://ils.unc.edu/~vreer/elitism.html. -Allen From m5 at dev.tivoli.com Sat Jan 27 01:19:44 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Sat, 27 Jan 1996 17:19:44 +0800 Subject: "This post is G-Rated" In-Reply-To: <199601252156.NAA28375@netcom6.netcom.com> Message-ID: <9601252333.AA29175@alpha> Bill Frantz writes: > However is should be possible for TV programs Maybe, until it becomes common for "TV programs" to be accessible by URL... > and whole newsgroups. Since nobody "owns" newsgroups, and nobody controls what's posted to them, I don't see how that's possible at all. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From mwohler at ix.netcom.com Sat Jan 27 01:19:51 1996 From: mwohler at ix.netcom.com (Marc J. Wohler) Date: Sat, 27 Jan 1996 17:19:51 +0800 Subject: Gentlemen do not read each other's mail Message-ID: <199601252343.PAA00884@ix11.ix.netcom.com> -----BEGIN PGP SIGNED MESSAGE----- "Gentlemen do not read each other's mail." Ben Franklin Original quote by Ben Franklin when the British government published (stolen?) 
private letters of John Adams to his wife critical of Franklin and other members of the Continental Congress. The British hoped to drive a wedge into the congress and especially between Adams & Franklin. Franklin was a gentleman. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- ***Preserve, Protect and Defend the private use of Strong Crypto*** * * * PGP for the masses * * * Finger mjwohler at netcom.com for Marc Wohler's public key fingerprint= F1 70 23 13 91 B5 10 63 0F CF 33 AD BE E6 7B B6 From wb8foz at nrk.com Sat Jan 27 01:20:01 1996 From: wb8foz at nrk.com (David Lesher) Date: Sat, 27 Jan 1996 17:20:01 +0800 Subject: TOP_tap In-Reply-To: <9601251755.AA15764@sulphur.osf.org> Message-ID: <199601252341.SAA00886@nrk.com> > > The NSA is a branch of the DOD. > > Up until recently (18-30 months ago) NSA employees were only allowed > to identify themselves as employees of DoD. It was common knowledge, > that unspecific references to Fort Meade meant NSA; and if you saw > a P.O. from Procurement Office, Fort Meade, it meant the NSA was buying > it. > /r$ But many folks from Tim May High School ;-} also have DOD "status". And so do all the DIA, various service agencies & likely the gardener.. Net result, you're no smarter than when you started out....
-- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From holovacs at styx.ios.com Sat Jan 27 01:20:08 1996 From: holovacs at styx.ios.com (Jay Holovacs) Date: Sat, 27 Jan 1996 17:20:08 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: <9601252108.AA13595@zorch.w3.org> Message-ID: I might suppose that a significant reason why the nuclear arms race did not come to blows was the balance of espionage between NSA/CIA/KGB etc. With accurate information on your enemy, one is less likely to be panicked into a preemptive strike. Jay Holovacs PGP Key fingerprint = AC 29 C8 7A E4 2D 07 27 AE CA 99 4A F6 59 87 90 On Thu, 25 Jan 1996 hallam at w3.org wrote: > By not taking adequate steps to inform itself of the Japanese intentions the US > suffered the loss of a substantial part of the US fleet at Pearl Harbour. Had > sufficient resources been available the naval codes could have been cracked in > time. The closure of the Black chamber was a key reason why US espionage > efforts were inadequate at the start of WWII. > > Given the choice between the US Army and the CIA plus NSA I would choose the > latter any day. The military hardware is useless without intelligence > operatives. Unless Perry is advocating an absolutist pacifist stance I don't see > that his stance is credible. I don't know many pacifists who oppose intelligence > gathering. > > Diplomatic traffic has always been considered fair game. Long may it remain so. > > > Phill > > From ses at tipper.oit.unc.edu Sat Jan 27 01:20:22 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sat, 27 Jan 1996 17:20:22 +0800 Subject: "This post is G-Rated" In-Reply-To: <199601252156.NAA28375@netcom6.netcom.com> Message-ID: On Thu, 25 Jan 1996, Bill Frantz wrote: > ...
Discussion of rating systems elided. > > Does anyone have suggestions for achieving the goals of the V-Chip with > many non-governmental rating agencies? It seems to me that empowering > parents would head off the TV/Internet censors. Any parent who was There are several schemes being put about that work along those lines, with message formats being standardised, but not the actual values - you should then pick your favourite rating agency, and they determine what is rated and how. This system creates a new market for rating agencies, and it also helps parents to determine more precisely what *they* think is fit for their children. There are pros and cons for both the single set of standard codes, and the niche model - a single set is likely to be just a little above the lowest common denominator; with niches kids whose parents who pick the CC rating agency aren't going to be getting talk.origins in their newsrc anytime soon. From stewarts at ix.netcom.com Sat Jan 27 01:22:44 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 27 Jan 1996 17:22:44 +0800 Subject: Hey, jdoe-agamemnon Re: NOISE Test Ignore Message-ID: <199601270836.AAA05989@ix2.ix.netcom.com> At 09:00 PM 1/26/96 -0800, MAILER-DAEMON at alpha.c2.org wrote: >Unknown addressee: jdoe-agamemnon at alpha.c2.org > >----- Unsent Message Follows ----- > >Received: by alpha.c2.org for jdoe-agamemnon at alpha.c2.org > From stewarts at ix.netcom.com Fri Jan 26 20:12:47 1996 >Received: from ix2.ix.netcom.com (ix2.ix.netcom.com [199.182.120.1]) by infinity.c2.org (8.7.1/8.6.9) with SMTP > id UAA06971 for ; Fri, 26 Jan 1996 20:12:47 -0800 (PST) > Community ConneXion: Privacy & Community: >Received: from pax-ca11-09.ix.netcom.com by ix2.ix.netcom.com (8.6.12/SMI-4.1/Netcom) > id UAA19713; Fri, 26 Jan 1996 20:17:46 -0800 >Message-Id: <199601270417.UAA19713 at ix2.ix.netcom.com> >X-Sender: stewarts at popd.ix.netcom.com (Unverified) >X-Mailer: Windows Eudora Light Version 1.5.2 >Mime-Version: 1.0
>Content-Type: text/plain; charset="us-ascii" >Date: Fri, 26 Jan 1996 20:17:45 -0800 >To: jdoe-agamemnon at alpha.c2.org >From: Bill Stewart >Subject: > >At 09:22 PM 1/25/96 -0800, you wrote: >>Test Test Test >> >> >Well, it got here, jd... >#-- ># Thanks; Bill ># Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 ># ># "Eternal vigilance is the price of liberty" used to mean us watching ># the government, not the other way around.... > > > #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "Eternal vigilance is the price of liberty" used to mean us watching # the government, not the other way around.... From mrm at netcom.com Sat Jan 27 01:24:16 1996 From: mrm at netcom.com (Marianne Mueller) Date: Sat, 27 Jan 1996 17:24:16 +0800 Subject: Reminder: Jan 28 Bay Area CA meeting, noon - 3 p.m. Message-ID: <199601270845.AAA23879@netcom20.netcom.com> Bay Area California Cypherpunks Meeting January 28 12 noon - 3 p.m. B21, Sparcy's Cafeteria, Sun Microsystems Inc Directions: Take the Rengstorff Ave East exit from 101. If you're driving north on 101, this exit is labeled "Amphitheater Parkway". If you're driving south on 101, this exit is labeled "Rengstorff". At the end of the exit ramp, turn left onto Garcia. After .4 mile, turn right onto Marine Way. After .1 mile, turn right onto Coast. Building 21 is right there. Look for the big purple and white sign. Agenda: Roger Masterton, a producer/videographer, would like to film a discussion among cypherpunks about 1st amendment issues, for a PBS show named "Freedom Speaks." The show airs nationally on PBS. In San Francisco, currently on KMPT Thursdays at 5 p.m., and starting in March, on KQED. Their web site is http://www.fac.org/ There's a lot of 1st amendment issues to talk about these days regarding the internet, and so the first part of the meeting will be gathering topics. 
There's the first amendment principles of publishing information in digital form, and the fundamental right of people to carry on a private conversation. The discussion will take whatever organic form it takes, depending on who of us can make the meeting ... See you tomorrow if you're coming. I'll bring bagels again. Marianne mrm at eng.sun.com mrm at netcom.com From tedwards at Glue.umd.edu Sat Jan 27 01:27:13 1996 From: tedwards at Glue.umd.edu (Thomas Grant Edwards) Date: Sat, 27 Jan 1996 17:27:13 +0800 Subject: Denning's misleading statements In-Reply-To: Message-ID: On Fri, 26 Jan 1996, jim bell wrote: > I'm not saying we should somehow try to prevent people from developing truly > voluntary key-escrow systems; rather, I'm saying that their existence should > alert us to the danger. True - and while the administration/FBI and their pawns at NIST (most of which are ex-NSA) recognize they can't force total key escrow right now, they are working on a FIPS to ensure that all government software purchases include government key escrow, to try to tilt the marketplace towards this idea. From the various Key Escrow meetings I've gone to, the main people who said they want voluntary escrow was mainly banking concerns, and they certainly wanted it in safe hands, not in the hands of the government. In fact no one from industry was concerned about "immediate key escrow" for tapping phone lines (except for this crazy guy from IBM). Key escrow was only seen as useful in terms of data recovery. -Thomas From mrm at netcom.com Sat Jan 27 01:31:11 1996 From: mrm at netcom.com (Marianne Mueller) Date: Sat, 27 Jan 1996 17:31:11 +0800 Subject: ahem, make that Saturday Jan 27 Message-ID: <199601270852.AAA24502@netcom20.netcom.com> Turns out the darn calendar on my computer goes ahead and increments the date field sometime right round midnight. This is what I get for inferring today's date by glancing at the calendar manager, and "adding 1" for tomorrow.
The cypherpunks meeting is on Saturday Jan 27. Sorry about that. --Marianne From hoppo at geko.net.au Sat Jan 27 01:36:13 1996 From: hoppo at geko.net.au (hoppo) Date: Sat, 27 Jan 1996 17:36:13 +0800 Subject: No Subject Message-ID: <199601270909.UAA24039@zonk.geko.net.au> hi if you have anything interesting please send thanks,hoppo From postmaster at ncr-sd.SanDiegoCA.ATTGIS.COM Sat Jan 27 02:04:26 1996 From: postmaster at ncr-sd.SanDiegoCA.ATTGIS.COM (postmaster at ncr-sd.SanDiegoCA.ATTGIS.COM) Date: Sat, 27 Jan 1996 18:04:26 +0800 Subject: SMTP mail failed Message-ID: <9601270915.AB06132@toad.com> message From llurch at networking.stanford.edu Sat Jan 27 02:12:19 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 27 Jan 1996 18:12:19 +0800 Subject: Possible Java hack. In-Reply-To: <0099CFE5.860A1B00.11@aztech.net> Message-ID: On Sat, 27 Jan 1996, Steve Gibbons wrote: > Rich, > > [I've CCed this to cypherpunks, as well, I hope that you don't mind.] Not at all, it was private only because I wasn't totally sure it wasn't a stupid question. > In Article: , Rich Graves wrote: > # On Sat, 27 Jan 1996, Stephen P. Gibbons wrote: > > # > If this is the case (and I don't have a source license at this point, or > # > even a system that will run Java) there is the possibility that a system > # > with control of a web server and a DNS server could coerce a Java client > # > into initiating TCP connections to clients other than the system that > # > provided the applet (which should be a prohibited behavior, as I read the > # > specs.) > > # If I understand you correctly, this is only true if neither your stack nor > # your client caches DNS queries. One or the other almost always does, at > # least for a minute, no matter how low you set TTL. > > Yes, a client that caches DNS queries can get in the way somewhat.
I've > already considered this, and the "devious applet" would take advantage > of Java's capability to use multiple threads (one of which would sleep() > for whatever period of time was necessary to invalidate the cache, and > _then_ initiate the attack.) Yes, there are various other specific > cases that need to be considered in order to make the attacking app (if > it's even feasible) work all of (or a good percentage of) the time. > > It would be very easy to conceal the "devious" portion of the applet > inside of a trojan horse that ran for a length of time greater than the > minimum TTL for DNS caching. Which I believe you will find is platform- and even application-dependent. If you're talking about Windows NT or 95, for example, the winsock.dll used by 16-bit applications caches DNS lookups in the TCP/IP stack itself. I think TTL is listened to. wsock32.dll, on the other hand, doesn't do central DNS caching. So applications implement it themselves. I'm not sure that applications even have an opportunity to see the TTL information in the DNS response. I doubt there's standard behavior; Netscape, HotJava, and other stuff will probably time out DNS lookups differently. Real operating systems are probably a bit more standard about what they do with DNS lookups, but I'm sure there's variance. Still a really interesting idea, though. My first reaction was, well who the hell controls a DNS server and a Web server and is likely to have a piece of Java that you are likely to download? And the answer is, just the kind of person you worry about. This bait & switch thang can really be generalized to any kind of attack. Of course, it's traceable, since not that many people own or can spoof a DNS server. -rich From steve at aztech.net Sat Jan 27 02:37:36 1996 From: steve at aztech.net (Steve Gibbons) Date: Sat, 27 Jan 1996 18:37:36 +0800 Subject: Possible Java hack.
Message-ID: <0099CFED.982523E0.1@aztech.net> In Article: , Rich Graves wrote: # > [I've CCed this to cypherpunks, as well, I hope that you don't mind.] # Not at all, it was private only because I wasn't totally sure it wasn't a # stupid question. Not at all. I'm worried about similar responses to my original post given my instable base. :) # > It would be very easy to conceal the "devious" portion of the applet # > inside of trojan horse that ran for a length of time greater than the # > minimum TTL for DNS caching. # Which I believe you will find is platform- and even application-dependent. I don't pretend to understand how every system on the market works, especially those that have "PC" somewhere in their official or unofficial name. # If you're talking about Windows NT or 95, for example, the winsock.dll # used by 16-bit applications caches DNS lookups in the TCP/IP stack # itself. I think TTL is listened to. [See the caveat above.] # wsock32.dll, on the other hand, doesn't do central DNS caching. So # applications implement it themselves. I'm not sure that applications even # have an opportunity to see the TTL information in the DNS response. I # doubt there's standard behavior; Netscape, HotJava, and other stuff will # probably time out DNS lookups differently. The thing to remember, with Java is that it's "platform independent" and thus the security of Java as a whole will be the product of its parts. # Real operating systems are probably a bit more standard about what they # do with DNS lookups, but I'm sure there's variance. There is. Actually it's "real OS's" that I worry about most. If you run identd, it might be possible for a java applet to determine who invoked it. If fingerd (or any other service) allows and responds to connections from 127.0.0.1 (ie. localhost...) # Still a really interesting idea, though.
My first reaction was, well who # the hell controls a DNS server and a Web server and is likely to have a # piece of Java that you are likely to download? And the answer is, just # the kind of person you worry about. I didn't state it explicitly, but that's exactly my point. # This bait & switch thang can really be generalized to any kind of attack. # Of course, it's traceable, since not that many people own or can spoof a # DNS server. Traceable by what? If my assumptions are correct (which I'm willing to admit that they might not be) all the attacker has to spoof is name to address for a name that he/she already controls. I don't expect that most PCs and/or Macintosh's do this as a matter of course. Most firewalls probably do, but I wouldn't count on it. -- Steve at AZTech.Net From shamrock at netcom.com Sat Jan 27 03:12:30 1996 From: shamrock at netcom.com (Lucky Green) Date: Sat, 27 Jan 1996 19:12:30 +0800 Subject: Crippled Notes export encryption Message-ID: At 19:34 1/24/96, Derek Atkins wrote: >If I have a function that does something like this: > >authenticate (args) >{ > ... > > des_encrypt (); > ... >} > >I would have to remove the des_encrypt() call from the authenticate() >routine before it can be exported... What if you replaced it by rot_13 () ? Surely, they can't ban that. And someone later could just swap all rot_13 () for des_encrypt () -- Lucky Green PGP encrypted mail preferred. From Ulf_Moeller at public.uni-hamburg.de Sat Jan 27 03:17:57 1996 From: Ulf_Moeller at public.uni-hamburg.de (Ulf Moeller) Date: Sat, 27 Jan 1996 19:17:57 +0800 Subject: RSA in 4 lines of Scheme Message-ID: (define(RSA m e n)(list->string(u(r(s(string->list m))e n))))(define(u a)(if(> a 0)(cons(integer->char(modulo a 256))(u(quotient a 256)))'()))(define(s a)(if (null? a)0(+(char->integer(car a))(* 256(s(cdr a))))))(define(r a x n)(cond((= 0 x)1)((even? 
x)(modulo(expt(r a(/ x 2)n)2)n))(#t(modulo(* a(r a(1- x)n))n)))) ;;;; ;;;; (define c (RSA "The magic words are squeamish ossifrage" 5 114381625757888867669235779976146612010218296721242362562561842935706935245733897830597123563958705058989075147599290026879543541)) (display (RSA c 45752650303155547067694311990458644804087318688496945025024737159778909096647814932594914301288138204957467016445183857236173773 114381625757888867669235779976146612010218296721242362562561842935706935245733897830597123563958705058989075147599290026879543541)) From jimbell at pacifier.com Sat Jan 27 03:40:34 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 27 Jan 1996 19:40:34 +0800 Subject: NOISE NOISE NOISE - clocks and other irrelevance Message-ID: At 12:40 AM 1/27/96 -0500, Dave Emery wrote: > >> >> A peripheral I've long wanted to see, commonly available: ACCURATE time, >> broadcast to the millisecond/microsecond/nanosecond, available from sources >> as varied as TV VIR's, FM subcarriers, and other sources, available as an >> easy input (via a peripheral card) to a computer. > > The only technology that I'd trust to be useful much below >10-100 ms is GPS. The others are unlikely to be controlled well enough >at the source to be trusted. What about Loran? WWV(B)? Receptor-type signals? Now, I agree that CURRENTLY few people "depend" on those other (non-GPS, non-Loran, non-WWVB) systems, but to some extent that's a "chicken and egg problem" > Current TV broadcasting, for example, >usually involves multiple passes though digital frame stores and time >base correctors - most homes get the signal via cable which itself >involves significant uncontrolled delays (juat the thermal changes >in propagation delay in a long CATV cable and amplifier chain due to weather >changes run into the many microseconds). Perhaps, but I'm assuming broadcast tv. Single source. Limited variability in path length. 
I admit there are limitations; my argument is that the signals SHOULD contain accurately-defined points, even if it is only one per frame. > And humans beings being as imperfect as they are, it is hard to >beleive that making sure that the time being broadcast is really kept accurate >is going to be a priority when most people use it for purposes that require >plus or minus a few seconds timing. I think that if there WERE some reliably-available timecode system, plus a cheap single-chip system to drive it, it WOULD be kept reliable enough because of demand. >> I have a 12-year-old Heathkit "Most Accurate Clock" that I assembled myself, >> and had the foresight to install it with its computer interface option. >> (receives 5, 10, or 15 MHz signals broadcast from Boulder, Colorado, >> containing "exact" time.) >> >> While I've never taken the time to connect it to my PC, it provides >> (through an RS232 jack) correct time with a rated accuracy of about 5 >> milliseconds, as I vaguely recall. (Even has a dipswitch setup on the bottom >> to tell it how many 500 mile increments you are away from WWVB... corrects >> for delay to a first order of magnitude.) >> > WWVB is the 60 khz broadcast (which is more accurate due to more >stable propagation) Not much of a difference, given the context. For example, I'm probably 1000 miles away from Boulder; it is highly unlikely that the path length differences for the HF bands could exceed about 100 miles, or about 0.5 millisecond. Given the context, it's accurate enough for anti-spoofing work in networks. . the HF ones are WWV. Commercial time receivers >are available that work off the 60 khz time code (very narrow bandwidth >ASK), but the 60 khz is most used as a standard frequency for long >term tracking of error in local standards. Any more? I don't think so. GPS has probably pretty much taken over as the "gold standard" for clock synchronization, I suspect. 
Path length is known, by definition, and the resolution must (as a consequence of the distance accuracy requirements) be in the low-nanosecond level. >> (BTW, if anybody knows how to easily connect it to the pc, or has the >> appropriate software, please tell me The task isn't difficult from a >> hardware standpoint; it's just RS-232 serial ASCII timecode at about 9600 >> bps which >> either continuously retransmits or on request. The problem is the software: > > If you run unix Nope. > there are some quite sophisticated programs that >can use this specific clock (connected to a serial port) that allow sync >to the full accuracy possible at good times of day (around 1 ms). The >programs also allow time distribution to other computers on a network - >thus their name - ntp - which stands for network time protocol (and the >network time program that implements it). This protocol and the various unix >programs that implement it are quite widely used on commercial LANs and >the Internet to synchronize time among unix workstations, servers, and >bridges and routers. Current implementations are capable of tracking >clock oscillator error on a system and adjusting the time periodically >to compensate for the frequency error of the clock and even to predict >(polynomial approximation) the change in frequency error with time. > > The man behind much of this (at least the early research) is >Dave Mills who used to be at louie.udel.edu which hosted a ftp >site for the programs. An archie search will reveal where they >are kept now, and there is a newsgroup (comp.protocols.time.ntp) for this >which no doubt has a substantial faq file about this. Thanks for the reference. >> (Then again, there are those "Receptor" watches which have (at least) similar >> accuracy, which as I understand it work on FM subcarrier principles.) > > Yes they use the RDS broadcast on the 57 khz subcarrier for this. >Of course there is no certainty the station has the clock set accurately.
Chicken and egg, again. I assume that any radio station can afford $300 for a GPS receiver that can put out time accurate to 1 microsecond. If enough people start USING such broadcasts, they will be considered NECESSARY and will be maintained. The Receptor watch is an excellent interest-developing product to assist in this problem; the only problem might be that errors of greater than the 5 msec spec'd are not necessarily immediately apparent to the common watch-on-wrist user. > > TV stations could be made to maintain a local clock sync'd to >GPS and use that to do the final level of clocking out before feeding >the transmitter and could thus ensure that some reference point in some >frame happened at an exact time, but given that a user who can see a TV >signal can probably see GPS signals and can do the same timekeeping himself >for a couple hundred bucks it hardly seems worth it any more. I do >expect that time codes with modest accuracy (few tens of ms at best) >will become common as part of the Starsite (or whatever they call it >now) program guide distribution on PBS, simply because this has defined >a format that can conveniently contain time messages multiplexed with >other data and the box displays the time. DSS and VC-II both also have >this capability, but of course the uncertainty of the satellite delay >limits accuracy and neither has provisions for providing time to other >devices. > This is possible, but I bet the variations in phase in the local >distribution system due to power factor, choice of phase to use, propagation >time through transmission lines and substations and so forth would >mean that phase as observed at two distant sites was rather random >and maybe even subject to shifts over time as load conditions varied. I'm hoping some HV engineer will make a comment as to this factor.
>

From futplex at pseudonym.com Sat Jan 27 03:44:57 1996
From: futplex at pseudonym.com (Futplex)
Date: Sat, 27 Jan 1996 19:44:57 +0800
Subject: SHA-2
In-Reply-To:
Message-ID: <199601271126.GAA15032@thor.cs.umass.edu>

-----BEGIN PGP SIGNED MESSAGE-----

Rob writes:
> I don't know if the revision is official or proposed. I first heard
> about it in a post to alt.security (I saved the message somewhere)
> which contained ref's in the federal register. I've seen other
> implementations that make the same fix.
>
> The difference that when the expansion function is performed, it rolls
> the dword 1 bit left before putting it in the W[] array.

Any particular reason someone called this SHA-2 ? It sounds a whole lot like the revision of the original SHA, called SHA-1, that came out quite a while ago. (FIPS 180-1) This is rather old hat unless they're making a _second_ revision to the standard, in which case I expect there would have been much more noise made about it.

Futplex

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

From stewarts at ix.netcom.com Sat Jan 27 04:27:26 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Sat, 27 Jan 1996 20:27:26 +0800
Subject: "Gentlemen do not read each other's mail"
Message-ID: <199601260940.BAA26226@ix7.ix.netcom.com>

At 02:47 PM 1/25/96 -0500, Perry wrote:
>Why is he our patron saint? He was a government official coming out
>against invasion of privacy. Isn't that what we are all after, in the
>end? The reason we deploy cryptography is to assure privacy for
>all.
We often refer to those who listen in on conversations >(regardless of who they are) as, in some sense, our >opposition. Therefore, is not Stimson's remark in closing down >Yardley's "Black Chamber" to be praised rather than attacked? These days, I'd be happy with "Gentlemen only read _each others'_ mail".... #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "Eternal vigilance is the price of liberty" used to mean us watching # the government, not the other way around.... From futplex at pseudonym.com Sat Jan 27 05:18:02 1996 From: futplex at pseudonym.com (Futplex) Date: Sat, 27 Jan 1996 21:18:02 +0800 Subject: Microsoft's CryptoAPI - thoughts? In-Reply-To: <199601270550.VAA23195@mailx.best.com> Message-ID: <199601271259.HAA18857@thor.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- James A. Donald writes: > http://www.jim.com/jamesd/mscryptoapi.html Thank you :) > A notable misfeature of the API is that it assumes that in general > you will have two key pairs. One for signing and one for encrypting. > > Since in the most common case you are encrypting something related to a > signed message by the person you are encrypting to this is a > bad idea, Could you elaborate ? I haven't heard of any known interaction effects between a strong encryption algorithm and a distinct strong digital signature algorithm (with or without distinct keys), although such an effect is certainly conceivable. Using "bare" RSA for both encryption and signing, problems can of course arise because signing with a private key amounts to decrypting the plaintext to be signed with that key. Thus you can be tricked into decrypting some ciphertext by signing it. But this is the sort of problem addressed by the crypto object format standards like PKCS. No-one recommends using "bare" RSA. Actually, using separate keys for signing and encrypting is another way to avoid this issue. 
> and protocols that require two key pairs to avoid protocol
> failure are hazardous and inconvenient. I think Microsoft should
> not have chosen to support such protocols.

(I disagree)

Futplex
It takes a budget of billions to hold us back....

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

From unicorn at schloss.li Sat Jan 27 06:23:34 1996
From: unicorn at schloss.li (Black Unicorn)
Date: Sat, 27 Jan 1996 22:23:34 +0800
Subject: "Gentlemen do not read each other's mail"
In-Reply-To: <199601251947.OAA16586@jekyll.piermont.com>
Message-ID:

On Thu, 25 Jan 1996, Perry E. Metzger wrote:

>
> Phill refers to the man who said "Gentlemen do not read each other's
> mail", (Henry L. Stimson) as a twit.
>
> I highly disagree. In some ways I regard him as our patron saint
> (although the man was actually far from saintly and later as a member
> of the Roosevelt cabinet adopted an opposite policy of aggressive
> signals intelligence.)
>
> Why is he our patron saint? He was a government official coming out
> against invasion of privacy. Isn't that what we are all after, in the
> end? The reason we deploy cryptography is to assure privacy for
> all. We often refer to those who listen in on conversations
> (regardless of who they are) as, in some sense, our
> opposition. Therefore, is not Stimson's remark in closing down
> Yardley's "Black Chamber" to be praised rather than attacked?
>
> Perry
>

Unfortunately what he did was take the emphasis away from personal empowerment and personal responsibility for privacy and put it at the mercy of some creed or moral stand which had:

1> No common calling or degree of observance in the population, or the intelligence communities at the time.

2> No structure, legal or otherwise, to provide for its enforcement.

3> The rather disturbing implication that no one need take pains to hide their private exchanges because a moral standard would protect them.

Instead, at least I always thought, cypherpunks stand for the personal empowerment and personal assurance of privacy. Indeed everything I can think of discussed here seems to revolve around a single goal- making it easier, and simpler for a person to protect him or herself from unwanted intrusion into data he or she wishes to protect. In fact, some goals, especially where transparency is concerned, seem to take the even more cynical view that the general population would be better off protected by crypto whether they know it or not.

Making crypto widely available to the general population, reviewing crypto for its implementation, basic skepticism about the protection afforded by new systems, basic skepticism for systems produced for commercial gain, basic skepticism for government produced systems, arguments for the lessening of government involvement in crypto, crypto standards, and a powerful dislike for the regulation of communication in all forms. Perhaps most importantly, the production, review and discussion of "grass roots" crypto and communications security code.

All these, common themes on the list in my view, push us away from some blind notion that all is well in the world, and that man is basically good and will not intrude on his fellows. All these insist that man is curious, probing, and that information is by its very nature nearly impossible to restrain without powerful methods.
All these insist that information will be exposed, be it by accident, malice, theft, by hook or by crook, or even well intentioned discourse, unless protected. Isn't this the objection to ITAR? It is folly to try and restrain information by legislation. It should be clear that it is dangerous to depend on anything, be it government, industry, Lotus Notes, the Constitution, the Bill of Rights, your best friend's promise, your wife's pillow talk, and least of all a misplaced faith in the decency of the common man, when your sensitive data is at issue. In short, crypto helps those who help themselves to crypto. I have no sympathy what-so-ever for those who lose the privacy of their data through negligence. I believe they should be estopped from all complaint. I believe they are great fools. Moreover, I note that almost without exception, they try to place the cost of their missteps on the world at large, and the responsibility for policing privacy in the hands of others. "It was not my fault that I left the letter sitting on my desk knowing that the spy convention was about to walk in," they whine, "Someone should DO something about all this immoral letter reading. There ought to be a LAW. How can >I< be expected to stop all these spies?" Is it not clear that allowing this mentality to persist is an unwise and dangerous thing? "Gentlemen do not read other's mail," while noble, clever, and a wonderful bit of public relations, ignores the basic reality of the modern age. There are few gentlemen anymore, and even those occasionally stumble upon something they might not be entitled to examine. Not only is crypto smart, but it distributes the (increasingly small) costs of protecting data properly. It puts the burden on the least cost avoider, and the individual with the best access to full information. "What is this data worth? What would exposing it cost me? How much is it worth to spend protecting this data?" 
Who better to answer these questions than the owner of the data? How easier to protect it than by the negligible cost of encrypting it?

Not only does placing the burden of data protection on Government or society at large miscalculate and misplace the incentives for the protection of the data, it also places the selection of degree and method of protection on the wrong party as well. In the end it also causes an undue amount of waste. When Mr. May indicates that he does not use PGP very often because he finds it too much trouble to use for most mail, he is part of a process that in the aggregate must save millions of hours and dollars. He is making a decision that data X is only worth an expenditure of Y to protect, and that PGP represents an expenditure higher than Y. Expenditure Y is thus saved, as would be unlikely in a government program. Who among us would argue that government, the phone company, or the church would better make this judgment?

I would bemoan a world where gentlemen actually never read each other's mail. Such a world would be so vulnerable to the "first market entry" into the business of mail reading as to be almost beyond salvage. A certain First Minister of France comes to mind who, by his non-observance of the religious restrictions of the day and his alliance with traditional enemies of the Church, reduced Germany to 250 years of fragmentation and assured that, for a time, France was the greatest power on earth. "If there is a God," it was said of him, "the minister has much to account for. If not, well, he had a good life."

The evil snooping man is hero from one perspective. He is the incentive to be risk averse. He is the skeptic who says that the market is not efficient and bets against it and so makes it efficient once more. Moral utopia of the kind that would see no peeping toms is a fantasy, and the evil man a-plenty saves us from Germany's fate.

So then we should brand Mr. Stimson as a fool, and a liar.
Or at best, perhaps a convert who realized quickly (or not so quickly) the error of his ways and fell into proper line in his later embrace of signals intelligence.

At the very least we might apply a less optimistic creed.

He who builds on the people builds on mud.

---
My preferred and soon to be permanent e-mail address: unicorn at schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information

From futplex at pseudonym.com Sat Jan 27 06:29:11 1996
From: futplex at pseudonym.com (Futplex)
Date: Sat, 27 Jan 1996 22:29:11 +0800
Subject: Nym use in the real world
In-Reply-To: <199601261801.KAA07578@slack.lne.com>
Message-ID: <199601271414.JAA20590@thor.cs.umass.edu>

-----BEGIN PGP SIGNED MESSAGE-----

Eric Murray writes:
> The other problem (tying the nym to RealName) for employers is
> more severe. A nym is only good when no one can tie it to your
> real name. If I have to tell everyone I do work for what my real
> name and nym is, soon enough people will be able to tie the two that
> the nym becomes nearly useless.

Maybe Lucky would be willing to share some wisdom from his experiences consulting for various companies. (I don't know how much his reputation as "Lucky Green" has come into play in securing those contracts, and of course perhaps he really is an Irishman whose parents (the Greens) named him "Lucky"....)

The concept of transferable credentials is awkward because the actual properties described by the credentials often are not transferable from one object/entity to another. For example, a cauliflower could in principle have a credential certifying that it's a vegetable (according to someone), and transfer that veggie credential to a jackal, but the jackal is still not in fact a vegetable.
I'm still not sure whether it makes sense to have "reputation capital" denominated in an actual currency that can be traded, for the above reason. We might use something like a nym-independent(*) credential statement signed by a certifier and encrypted to the subject of the credential. Pseudonyms and verinyms belonging to various persons/agents/etc. could freely swap around these "rep rupees" with potentially very confusing results. Since credentials need to be backed up by actual performance when it comes to a job, such a system might actually be acceptable. I could buy a lion taming credential with some e$, but everyone would realize that I wouldn't last long on the job if it didn't describe me fairly accurately. ;) Presumably a trustable-with-enormous-sums-of-cash credential would command quite a high price on the open market. I am ignoring here the significant gap between the passive reputation accrual when someone reads messages from a nym, and the active reputation building involved in handing out credentials. (*) Form letters are handy, but there's the usual tradeoff between the traceability and descriptiveness of the document. Futplex "Despite all my rage I am still just a rat in a cage...." 
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

From Chris.Claborne at SanDiegoCA.ATTGIS.com Sat Jan 27 06:37:53 1996
From: Chris.Claborne at SanDiegoCA.ATTGIS.com (Chris Claborne)
Date: Sat, 27 Jan 1996 22:37:53 +0800
Subject: PGP in Eudora and other mail programs
Message-ID: <2.2.32.19960125200317.00753dc8@opus.SanDiegoCA.ATTGIS.com>

At 11:54 AM 1/25/96 -0800, you wrote:
>At 2:13 PM 1/25/96, Clay Olbon II wrote:
>
>>Seriously, this just illustrates the idiocy of banning "hooks" in software.
>>How does one define a "hook"? Just providing source code could be defined
>>as providing a hook, since a good programmer could then modify it to do
>>crypto. Also, how about the various kits and tools used to integrate pgp
>>with pine, eudora, etc -- are these not "hooks"?
>
>And yet how many of these programs actually can transparently
>(automatically, push-button, etc.) support PGP? I've been a user of Eudora
>for several years, and have pressed for PGP hooks. The company, Qualcomm,
>once told me it was on their list of things to do, but....
>
>A few years later, still no PGP-in-Eudora. One would think that this would
>be a powerful way of distinguishing their product from other mail packages.
>
>(I understand from this list that Eudora for Windows is now doing this much
>more automatically, that someone has a PGP-in-Eudora package. I don't think
>it was from Qualcomm, but I could be wrong. As a Macintosh version user,
>I'm hoping this comes to the Mac version as well.)
I think what is going to happen is that Qualcomm will choose S/MIME instead of PGP, since they are one of the companies listed as jumping on the band wagon. S/MIME scares me since I believe it to (normally) use weak encryption. It is gaining in popularity and hype and might be just the product to lull mass amounts of users into using weak crypto (read government readable). Microsoft, Banyan, ConnectSoft, Frontier Technologies, Network Computing Devices, FTP Software, Wollongong, SecureWare Lotus, and others are on the band wagon as well. From section 2.2 of the S/MIME Implementation Guide published by RSA "... U.S. software manufactures have been compelled to incorporate an "exportable" content encryption algorithm in order to create a widely exportable versions of their product. " "... For outgoing messages, RC2 CBC at 40 bits is the recommended default. stronger content encryption is strongly recommended where there is some mechanism to indicate that the intended recipient(s) can support it. Even though S/MIME allows for any bulk encryption scheme to be used, all I ever see advertised is DES. Most companies, including Qualcomm who depend on government agencies to give them licenses (like FCC dudes), will bend like a reed in the wind when under pressure. Follow the money. ... __o .. -\<, Chris.Claborne at SanDiegoCA.ATTGIS.Com ...(*)/(*). CI$: 76340.2422 http://bordeaux.sandiegoca.attgis.com/ PGP Pub Key fingerprint = A8 FA 55 92 23 20 72 69 52 AB 64 CC C7 D9 4F CA Avail on Pub Key server. From nobody at REPLAY.COM Sat Jan 27 06:46:20 1996 From: nobody at REPLAY.COM (Anonymous) Date: Sat, 27 Jan 1996 22:46:20 +0800 Subject: OpSec Snooping Message-ID: <199601271430.PAA13276@utopia.hacktic.nl> Economist, 27 January 1995 Licence to make a killing Spies and fund managers seem to be cut from the same cloth. Both take calculated risks, are fickle when it comes to allegiances and have an annoying tendency to speak in code. 
More important, however, they both thrive on inside information. This may be why, in the headlong rush to exploit new emerging-market opportunities, a growing number of investment funds are turning to former spooks for some help. The latest fund to tap the know-how of the intelligence community is the Scottish American Investment Company, based in Edinburgh, which invests heavily in international equities. On January 17th it announced that Sir Colin McColl, the former head of M16, Britain's foreign-intelligence service, is joining its board of directors. The fund hopes that Sir Colin's experience in gauging political risks -- he has worked in Eastern Europe and SouthEast Asia -- will improve the quality of its investment decisions. Another ex-spy turned fund manager is Harry Fitzgibbons, a former American agent and now managing director of Top Technology Limited, a fund-management group based in London. Last year, he teamed up with Alexey Vlasov, a former Soviet agent, to launch a new high-technology fund for investment in Russia. It employs three other former Soviet agents in its St Petersburg office. Why are spooks so sought after by international investors? The reason, says Mr Fitzgibbons, is that spying is the ideal training ground for a career in emerging-market investing. Not only are intelligence agents good at spotting when someone is lying, but they are also experts at building relationships and waiting patiently for them to develop: two essential traits for successful long-term investors. Mr Fitzgibbons argues that it is these general skills, rather than any specific local knowledge, that makes former spies such attractive partners. Unfortunately, old adversaries do not always get on as swimmingly as Messrs Fitzgibbons and Vlasov. In 1994, for example, the Vietnam Frontier Fund invited William Colby, a former director of America's Central Intelligence Agency, who headed the agency's Vietnam station during the Vietnam War, to join its board of directors. 
His appointment prompted the fund's chairman, Nguyen Xuan Oanh, a former deputy prime minister of South Vietnam, to quit. Not only did the fund lose its chairman, but it was unable to take advantage of Mr Colby's experience: he left the board in December 1994 after Hanoi refused him a visa. Despite such drawbacks, the demand for former spooks is rumoured to be growing. One such hint comes from Parvus, a consultancy (with offices in Moscow and Silver Spring, Maryland) that employs a number of ex-spies. The firm claims that it has just been contacted by a headhunter looking for recruits. The mission, should anyone choose to accept it, is to head up a new intelligence unit for a big New York mutual fund. Unfortunately for potential applicants, the headhunters say that the fund's name is still top secret. ------------------- For more on Parvus (not the Utah corp) and its stable of ex-spooks see: URL: http://www2.indigo-net.com/Indigo/INT/INTpublic/1995/ INT275/INT275-a3.html and other AltaVista links to globalization of OPSEC. ------------------- URL: http://www.cais.com/zhi/OPSHomePage.html OPERATIONS SECURITY PROFESSIONALS SOCIETY The OPSEC Professionals Society was established in March 1990 to further the practice of Operations Security as a profession and to foster the highest quality of professionalism and competence among its members. OPSEC is a process used to deny to potential adversaries information about capabilities and/or intentions by identifying, controlling and protecting evidence of the planning and executing of sensitive activities. This process is equally applicable to government, its contractors, and to private enterprise in the protection of their trade secrets and other proprietary information. While military strength and capability still are required during the next years of uncertainty, we must likewise protect our critical economic information and technologies from those who seek to exploit them to their benefit and to our disadvantage. 
-------------------- URL: http://www.cais.com/zhi/OPSCIND1.html COUNTERINTELLIGENCE NEWS & DEVELOPMENTS Issue No. 1 Letter from the Director, National Counterintelligence Center I am pleased to present the inaugural issue of the National Counterintelligence Center's (NACIC) Counterintelligence News and Developments (CIND). This periodic publication is designed to meet the information needs of US private industry by communicating important, yet unclassified information on the threat posed by foreign countries against US interests. The CIND is part of the NACIC's effort to develop a more effective mechanism to disseminate information on foreign intelligence targeting activities against both the US Government and private industry. This initial issue includes some information you may have already seen in our Annual Report to Congress on Foreign Economic Collection and Industrial Espionage and the Survey of the Counterintelligence Needs of Private Industry. From time to time, we will republish or extract information from such key publications to highlight data we perceive to be of interest to private industry. Furthermore, we will solicit additional information from all sources in order to better understand and support private industry through this unclassified forum. The NACIC will not generally republish information readily available to the general public. Our goal is to make the CIND's contents substantive and relevant to customer needs. Therefore, I cannot overemphasize the importance of receiving feedback from each of you. Future issues will respond to the requirements of industry as a whole and will be driven by your needs and interests. The responses received from you, the customer, will determine the future content, format, and frequency of the CIND. The final page of the current edition provides information on how to forward responses to the CIND Editor. Michael J. 
Waguespack Director, National Counterintelligence Center _________________________________________________________________ What Is the NACIC? The National Counterintelligence Center (NACIC) was established in 1994 by Presidential Decision Directive/NSC-24. The NACIC's creation was one of the recommendations made by PDD-24 to improve US counterintelligence (CI) effectiveness by enhancing coordination and cooperation among various US CI agencies. An interagency organization staffed with CI and security professionals from the FBI, CIA, NSA, DIA, and the Departments of Defense and State, the NACIC is primarily responsible for coordinating national-level CI activities, and reports to the National Security Council through the National Counterintelligence Policy Board (NACIPB). From dlv at bwalk.dm.com Sat Jan 27 07:52:15 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sat, 27 Jan 1996 23:52:15 +0800 Subject: Open NNTP servers and logging In-Reply-To: <199601270633.AAA09641@unique.outlook.net> Message-ID: <81aDiD60w165w@bwalk.dm.com> "Michael Peponis" writes: > On 26 Jan 96 at 21:11, Stephen Albert wrote: > > A little while back there were some very helpful posts about getting starte > > wit open NNTP servers. Since my regular site runs kinda slow in the news > > department I've been having fun poking around and seeing about getting more > > current. > > > > Then it dawned on me. People keep logs. Presumably routine logging would > > point right back at my ISP, and from there it'd be not too hard to pin down > > specifically. No, I don't think anyone is particularly *likely* to do that > > but why take chances? > > Well, as bad as the lack of anonymity may be, NNTP server logs serve a very > usefull purpose, ie finding and eliminating trolls and spammers. I think Stephen Albert was asking about the possibility of using logs to find out what he's reading, not posting. That's quite possible. 
Recall the recent incident when an unethical researcher looked through his colleagues' .newsrc files to see what newsgroups they were subscribed to.

If this concerns you, perhaps you could use something like an anonymous HTTP proxy to connect "really anonymously" to an NNTP server?

---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

From roy at sendai.cybrspc.mn.org Sat Jan 27 08:21:25 1996
From: roy at sendai.cybrspc.mn.org (Roy M. Silvernail)
Date: Sun, 28 Jan 1996 00:21:25 +0800
Subject: (none)
In-Reply-To: <01BAEBF5.1492F480@loki>
Message-ID: <960127.094903.2P0.rnr.w165w@sendai.cybrspc.mn.org>

-----BEGIN PGP SIGNED MESSAGE-----

In list.cypherpunks, gorkab at sanchez.com writes:

>
> I was leafing through the new terms of service from my ISP, and lookie what
> I came up with:

> * Impersonating another user or otherwise falsifying one's user name
> in e-mail or any post to any newsgroup or mailing list is
> strictly prohibited.

> The second point makes me wonder if NymServers are legal to use with my
> service (PSInet, Interramp)

IANAL, but I don't see where using your own nym is "falsifying one's user name". Using someone else's nym would be.

- --
Roy M. Silvernail [ ] roy at cybrspc.mn.org
PGP Public Key fingerprint = 31 86 EC B9 DB 76 A7 54 13 0B 6A 6B CC 09 18 B6
Key available from pubkey at cybrspc.mn.org

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

From jamesd at echeque.com Sat Jan 27 08:26:20 1996
From: jamesd at echeque.com (James A.
Donald)
Date: Sun, 28 Jan 1996 00:26:20 +0800
Subject: "Gentlemen do not read each other's mail"
Message-ID: <199601271610.IAA26122@mailx.best.com>

At 06:39 PM 1/25/96 -0500, Jay Holovacs wrote:
>I might suppose that a significant reason why the nuclear arms race did
>not come to blows was the balance of espionage between NSA/CIA/KGB etc.
>With accurate information on your enemy, one is less likely to be
>panicked into a preemptive strike.

On the other hand, with inaccurate information concerning enemy capabilities and will, one is more likely to believe that the enemy is incapable of destroying you from the grave, or lacks the necessary will to destroy the world in response to a small "surgical" nuclear strike.

They called it the peace of fear, the peace of terror, and the pax atomica.

They did not call it the peace of the NSA

---------------------------------------------------------------------
                                      |
We have the right to defend ourselves | http://www.jim.com/jamesd/
and our property, because of the kind |
of animals that we are. True law      | James A. Donald
derives from this right, not from the |
arbitrary power of the state.         | jamesd at echeque.com

From jcobb at ahcbsd1.ovnet.com Sat Jan 27 09:10:33 1996
From: jcobb at ahcbsd1.ovnet.com (James M. Cobb)
Date: Sun, 28 Jan 1996 01:10:33 +0800
Subject: "Gentlemen do not read each other's mail"
Message-ID:

Rich,

On 01 26 96 you say:

  ...the US might have received credible reports that Pearl Harbor was going to be bombed. But they also received credible reports to the contrary, and decisions were made.

Bamford's 1983 The Puzzle Palace, page 57:

  In December 1941 American COMINT [communications intelligence] more closely resembled a medieval feudal state than the empire it is today.

P 58:

  The system was a hodgepodge. No one was responsible for a continuous study of all material.
*** Though the technical side of COMINT, particularly in the breaking of Purple, had been performed with genius, the analytical side had become lost in disorganization. That's the background. Then Bamford step by step follows the events of the first Sunday in December 1941 FROM (p 58) interception of the Japanese government reply to the US government "diplomatic note" [=declaration of war] sent 11 days before calling "on Japan to withdraw all its forces from China and Indochina in return for a U.S. promise to release Japanese funds and resume trade" TO (p 61): At 7:55 A.M. [Hawaii time], the first bomb smashed into a sea- plane ramp on Ford Island in Pearl Harbor. Before the last bomb whistled down through the black and orange sky two hours later, Americans would give their lives at the rate of almost thirty a minute. A note accompanying the Japanese government reply included these prophetic words (p 59): Will the Ambassador please submit to the United States Govern- ment (if possible to the Secretary of State) our reply to the United States [breaking off negotiations] at 1:00 P.M. on the 7th, your time. 1 PM Washington time = 7:30 AM Hawaii time. Bamford, p 60 (my emphasis): It was now about 11:00 A.M. [in Washington], almost six hours after the giant ear on Bainbridge Island had first snared the prophetic message, and ALL OF WASHINGTON'S SENIOR ELITE HAD READ IT. P 61: At 2:40 P.M. [Hawaii time] the [Ft Shafter] signal officer passed [Army Chief of Staff Marshall's warning] message to the decoding officer, and twenty minutes later,...Marshall's warning at last reached a devastated General Short. The credible report was received at 7:55 AM Hawaii time. The incredible report was received at 3 PM Hawaii time. One decision was made 11 days earlier. Another was finalized 10 days later. Bamford dryly concludes (p 62): Disorganization and divided responsibility had cost America dearly. 
Cordially, Jim From tallpaul at pipeline.com Sat Jan 27 09:26:11 1996 From: tallpaul at pipeline.com (tallpaul) Date: Sun, 28 Jan 1996 01:26:11 +0800 Subject: Crypto Exports, Europe, and Conspiracy Theories Message-ID: <199601271703.MAA07888@pipe3.nyc.pipeline.com> I missed Tim's post of Jan 24, 1996 23:18:21, where he wrote, among other things:: > >Once one has good encrypted links, including access to a variety of >offshore sites, remailers cannot be stopped. The TLAs may not like them, >and the courts may rule that a remailer site is strictly liable for >misdeeds which impinge on its remailers (I'm not convinced this is so, but >no matter), but what do U.S. courts have to say about Dutch remailer sites? >What will the Fifth Circuit be able to do to hactic.nl? Or chains of >remailers that pass through Norway, Japan, Estonia, Italy, and Lower >Slobovia? > My dystopian sense leads me to believe that there will be an international treaty banning them. I speak to some agricultural-utopians today who believe the world's problems can be solved if hemp is legalized. They describe the process where it was made illegal. Essentially one individual in the government, "Drug czar" Harry Anslem (?) whipped up a global hysteria and got an international treaty passed against the hemp trade. I suspect the hysteria over the Four Horsemen is already more extreme internationally than Anslem's hysteria ever was. I see two strategies existing over issues of anonymity/remailers/etc. The first is the elite one (and I do not use the word in a derogatory sense.) It focuses on a limited number of remailers, located in different countries, and all internationally known. The second is what I call the "mass strategy" (and I hope that the libertarians on the cypherpunk list do not treat the word in a derogatory sense). Luckily for all of us the two strategies are in no way mutually contradictory. If anything they tend to reinforce each other. 
I see PZ's development of PGP as the first development in the mass strategy. Before PZ, quality crypto was limited to monarchs and bureaucrats. After PZ, the same (or even superior) crypto was made available, both technologically and monetarily, to almost everyone in the world. Linux was another mass strategy development. So was the development of new replaceable 100+ Mb drives like those from IOmega and Syquest. So was the development of front-ends for the PGP/remailer combinations like Private Idaho and John-Doe. So does the development of new data transmission technologies, marked by the simultaneous increase of bandwidth and decrease in costs. These developments create the technological basis for the mass proliferation of remailers. At present we rely on elite remailers, marked by skilled sysops and a global knowledge of the location of the system. I would like to see a system of mass remailers, many-to-most of which will initially not be up for very long. For many people this will not be a significant problem as the remailers proliferate faster than others go down. In other words, I think we will see a time when Captain Boneblood (aka Billie Smith, age 13) uses the remailer provided by Baron SkuelDrool (aka Tom Jones, age 14) running off SkuelDrool Sr's computer in the SkuelDrool family rec-room of Suburbia USA. The SkuelDrool remailer might never be up for more than a month and will never be widely known outside the narrow circle of the in-crowd at Warren G. Harding Jr. High. But before the SkuelDrool remailer goes down, another two remailers go up at Dan Quail Jr. Collitch and Aaron Burr Sr. High. The mass remailer network will never replace the elite remailers that will always have technological advantages over the mass network. But the combination of elite and mass remailers will make government crackdowns -- whether local, national, or international -- much harder. 
-- tallpaul "To understand the probable outcome of the Libertarian vision, see any cyberpunk B movie wherein thousands of diseased, desperate and starving families sit around on ratty old couches on the streets watching television while rich megalomaniacs appropriate their body parts for their personal physical immortality." R. U. Sirius _The Real Cyberpunk Fakebook_ From rah at shipwright.com Sat Jan 27 09:34:10 1996 From: rah at shipwright.com (Robert Hettinga) Date: Sun, 28 Jan 1996 01:34:10 +0800 Subject: [NOISE] Re: "Gentlemen do not read each other's bank statements" Message-ID: >tenuous-at-best connection to cypherpunks material - using a currency >backed only by the supply of ones and zeroes requires a market mechanism >to encourage the issuers not to overdo it.... Egregious plug time. The above comment is *not* so tenuously connected to my e$ lists. I've been sending juicier bits of this particular discussion on to e$pam, my e$-filter-list of other news and mail groups, where the above comment in particular is germane. If you want to continue your discussions on e$pam's discussion list, e$, you will be welcome. Subscribe to e$ by sending, in the body of your message to majordomo at thumper.vmeng.com : subscribe e$ I've been sending other money related stuff to e$pam, from places like the AustrianEcon (Hayek, Mises, et al.) list, so people on e$ are at least *interested* in intelligent comments about money of all kinds, in particular the kind made of 1s and 0s. e$'s unmoderated, and has, as they say in the money business, "endogenous" traffic. ;-). Most of it originates on the list itself. Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/ From junger at pdj2-ra.F-REMOTE.CWRU.Edu Sat Jan 27 10:05:21 1996 From: junger at pdj2-ra.F-REMOTE.CWRU.Edu (Peter D. 
Junger) Date: Sun, 28 Jan 1996 02:05:21 +0800 Subject: Crippled Notes export encryption In-Reply-To: Message-ID: Lucky Green writes: : At 13:06 1/24/96, Andrew Loewenstern wrote: : : >Why not just print out all of the source code to Navigator (crypto and all) : >in a nice OCR font? Paper is exportable. Then you would 'only' have to scan : >it back in and debug it. : : That would be giving away the store to the competition. And there is no assurance that the paper on which the code is printed would be exportable. Remember the boyos decide each case on a case by case basis. All they would have to do is notify Netscape that it would be a violation to export the paper without a license, and Netscape would be forced to stop it. -- Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH Internet: junger at pdj2-ra.f-remote.cwru.edu junger at samsara.law.cwru.edu From rsalz at osf.org Sat Jan 27 10:12:02 1996 From: rsalz at osf.org (Rich Salz) Date: Sun, 28 Jan 1996 02:12:02 +0800 Subject: Open NNTP servers and logging Message-ID: <9601271753.AA11563@sulphur.osf.org> >I think Stephen Albert was asking about the possibility of using logs to find >out what he's reading, not posting. That's quite possible. Recall the recent >incident when an unethical researcher looked through his colleagues' .newsrc >files to see what newsgroups they were subscribed to. Most NNTP sites run INN, the software I wrote. (You can find out by doing "telnet {the_news_host} 119" and then looking to see if it says InterNetNews in the greeting line.) By default, INN logs every group command -- every time you switch to a newsgroup. It logs the full IP address of the client. If it can forward-and-backward map the IP address to a hostname (i.e., ipaddr->host and then gethostbyname() includes ipaddr as one of the host's address) then it logs by client hostname. It is trivial to turn on full logging at compile time, boot time, or per-connection via a management program. 
This will then log ALL interactions. I could imagine that without too much work, someone would turn on logging for a given set of addresses (say, anyone in the "default" category). Every day INN generates a report that includes the host/ipaddr of every host that connected, what the most popular newsgroup categories are, etc. Hope this helps. Relevance? You're being watched. /r$ From tcmay at got.net Sat Jan 27 11:23:18 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 28 Jan 1996 03:23:18 +0800 Subject: The French do some things right... Message-ID: At 9:41 PM 1/26/96, David Mandl wrote: >As has been pointed out here before, a lot of people are going to be >getting in trouble for things they posted to obscure newsgroups or mailing >lists four years ago. How do I make sure that I get credit for something >I've posted, but avoid the Alta Vista police? There are a few feeble >solutions, like: One thing I have been hoping for as America's scandal-fixated society asks whether Bill inhaled, whether Rush has a mistress, whether Madonna's grandmother is really shacked up with a 19-year-old musician...one thing I have been hoping for is that the American public will say "Enough!" Not that they will call for the ban of tools like Alta Vista, or a law against using one's past posts to alt.sex.barney as a consideration during hiring, but that people will just wake up to the triviality of it all. The French seem to have partially done this. Francois Mitterrand had a mistress? Who cares? They take it for granted that people are people, with human foibles and weaknesses. The way the U.S. public and/or the media machine is devouring political candidates for minor transgressions, the blander are our candidates. Could this happen, could people get beyond the minor transgressions and foibles and just shrug off the petty scandals that seem to be fodder for "daytime t.v."? Maybe. 
And with search engines digging up "controversial" posts from the past, some amount of shrugging is probably better than using some ancient post to veto the hiring of a mostly-qualified candidate. (Again, I would never support a law banning the browsing of one's past public record, but I would say that wise businesses will appropriately discount such records.) It's rare that I have something positive to say about the French, so this is my rare tip o' the hat to them. --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From frantz at netcom.com Sat Jan 27 11:35:25 1996 From: frantz at netcom.com (Bill Frantz) Date: Sun, 28 Jan 1996 03:35:25 +0800 Subject: "This post is G-Rated" Message-ID: <199601260353.TAA07900@netcom6.netcom.com> At 5:33 PM 1/25/96 -0600, Mike McNally wrote: >Bill Frantz writes: > > However it should be possible for TV programs > >Maybe, until it becomes common for "TV programs" to be accessible by >URL... Web sites and TV series can both be rated without seeing each and every page/show. > > > and whole newsgroups. > >Since nobody "owns" newsgroups, and nobody controls what's posted to >them, I don't see how that's possible at all. It seems to me that a moderated news group or mailing list would be easy. You don't expect explicit sex descriptions to show up in the comp. hierarchy. An unmoderated group or list carries a higher risk of seeing inappropriate material. However even unmoderated lists have standards and those people who enforce those standards. 
This kind of enforcement is an example of communitarian as opposed to authoritarian control. It all depends on just how vital it is to the consumer (and rating group) that NO inappropriate material appear. Crypto relevance: Public key systems or digital signatures can help ensure that the material actually comes from its reputed source (e.g. the moderator). Bill From EALLENSMITH at ocelot.Rutgers.EDU Sat Jan 27 11:42:42 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 28 Jan 1996 03:42:42 +0800 Subject: Cypherpunk Elitism Message-ID: <01I0IAXM7O8OA0UP9Y@mbcl.rutgers.edu> From: IN%"bruceab at teleport.com" "Bruce Baugh" 26-JAN-1996 01:51:04.39 >At 07:15 PM 1/25/96 EDT, "E. ALLEN SMITH" wrote: > You might also find Robert Reich's _The Work of Nations_ >interesting. As a short, elegant, powerful argument against statist thinking, I recommend most highly Kenichi Ohmae's THE END OF THE NATION STATE: THE RISE OF REGIONAL ECONOMIES. Mr Ohmae focuses on areas that have geographical and social meaningfulness, on the scale of Hong Kong/Canton, Catalonia, the Pacific Northwest, and so forth. He quickly makes hash of the idea that the nation-state is a meaningful unit for modern economic analysis. -------------------- Actually, Reich realizes this.... and (being a liberal) opposes the various trends causing it. I can email people an interview with him that shows his thinking on the matter. One point he makes is that nations with high tax rates and high levels of social services (such as Canada) are losing symbolic analysts to and gaining routine producers from nations with low tax rates and low levels of social services (such as the US). Being a liberal, he doesn't like this trend, and wants the US to raise taxes and social services (without apparently seeing that this will simply put the US in the same boat as Canada, etcetera). Cypherpunks relevance? First, anonymous digital cash will make it awfully difficult to have those high tax rates. 
Second, this gives rise to the phenomenon of anonymous digital cash usage probably being more common among the economically and intellectually elite than among the "peons". They're the ones with something to lose by the tax rates. I haven't had time yet to read Dr. May's piece on Virtual Communities, but I have had the thought that private anonymous digital cash makes such separation a lot easier. Reich doesn't like people splitting off into separate communities, and wants to oppose it- like Christopher Lasch, the late populist writer of _The Revolt of the Elites_. Fortunately, anonymous digital cash makes such opposition a lot harder. -Allen From cman at communities.com Sat Jan 27 11:45:32 1996 From: cman at communities.com (Douglas Barnes) Date: Sun, 28 Jan 1996 03:45:32 +0800 Subject: Belgium has 'key escrow' law Message-ID: I should also point out that Belgium apparently has crypto export laws of sufficient complexity to inspire me to look elsewhere when attempting to purchase a hardware encryption board from a Belgian company (uti-maco). Said company also was under the mistaken belief that I needed a US _import_ license; my failed attempts to persuade them otherwise were the final kicker. ------ ------ Douglas Barnes "The tighter you close your fist, Governor Tarkin, cman at communities.com the more systems will slip through your fingers." cman at best.com --Princess Leia From alano at teleport.com Sat Jan 27 11:49:28 1996 From: alano at teleport.com (Alan Olsen) Date: Sun, 28 Jan 1996 03:49:28 +0800 Subject: [LOCAL] pdx-cypherpunks-l Announcement Message-ID: <2.2.32.19960126031605.00857104@mail.teleport.com> -----BEGIN PGP SIGNED MESSAGE----- A mailing list for Cypherpunk issues local to Portland Oregon (and the surrounding area) has been created. It will have meeting notices and other topics of interest to local Cypherpunks in the Portland area. 
To subscribe send a message to majordomo at teleport.com with: subscribe pdx-cypherpunks-l in the body of the message. Due to problems with spammers to lists on Teleport, the subscribe request will feed back an authorization code to verify that it was actually you who subscribed to the list. If you have any problems getting subscribed, please send me mail (or owner-pdx-cypherpunks-l at teleport.com) and the problems will get resolved. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ National Security uber alles! From llurch at networking.stanford.edu Sat Jan 27 11:50:25 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sun, 28 Jan 1996 03:50:25 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: <199601260152.UAA16955@jekyll.piermont.com> Message-ID: On Thu, 25 Jan 1996, Perry E. Metzger wrote: > Rich Graves writes: > > On Thu, 25 Jan 1996, Perry E. Metzger wrote: > > > I am a funny sort of person. I don't believe that governments should > > > be able to do anything that individuals cannot. If it is bad for me to > > > steal, it is also bad for a government official to steal. If it is bad > > > for me to listen in on my neighbor's phone calls, it is bad for the > > > government, too. > > > > Er, I believe the above was clearly intended to mean "for one government > > to read another government's mail." > > I'm funny in more ways than one. 
I don't believe in the existence of > "Governments". I agree. This post was very funny, in the normal sense of the word. ... > In any case, we are here expected to believe that it is okay if the > Secular God of our land mass, our Government, spies on the Secular > Gods of other land masses. However, viewed from my perspective, when > "the Government" of our land listens in on "another Government's" > communications, from what I can tell what is happening is that > individual humans in the guise of High Priests converge at their > temple in Fort Meade for the purpose of listening in on conversations > between individuals humans elsewhere who are associated with other > Government cults in some sort of ordained capacity. One might argue > that this discourtesy between the followers of rival cults is not > something for we, the arch-atheists, to care about, but I must note > that in principle what is going on is the same -- people are listening > in on other people's communications -- not the Divine Governmental > Being itself listening in on the communications of other Divine > Governmental Beings. These Divine Governmental Beings don't > exist. Only the humans claiming the authority of the Divine > Governmental Beings exist. Therefore, to ordain myself Devil's Advocate Being, is it not wrong, in principle, for us human beings to inquire into the affairs of the humans claiming the authority of Divine Governmental Beings? Are not the actions of the Fort Meade Beings a matter for their own personal conscience, absent any immediate, *direct* impact on us that would justify an appropriate reaction, be it fight, flight, or encryption? Please assume no funny theological beliefs in the existence of other Non-Divine Beings, or sympathy therewith. Of course, on individual principle, I quite agree with you, which is why I do not believe I could ever become a cleric or even disciple of any odd religion. I'd really suck as a soldier, too. 
However, of Hobbes, Rousseau, Marx, Montesquieu, and Locke, I find Hobbes the most logical. People just suck, and ethics aren't enough. Karl Marx and Jim Bell talk about the withering away of the government, but what they're really talking about looks like a new and more onerous form of government to me. There is a need for force, and I much prefer a balance of powers to either unified world government or unorganized individual force. Clearly there is room for maneuver as to how to organize the threat and use of force, and most people, myself included, do not like the current alignment of forces. We can choose multilateral disarmament, or deterrence. Any time you talk about the organized deterrence of "Bad" behavior, whether it comes from the NSA or the Cypherpunk Cabal, you're talking about a system of government. -rich Fucking Statist From ses at tipper.oit.unc.edu Sat Jan 27 11:58:03 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sun, 28 Jan 1996 03:58:03 +0800 Subject: Prime Time.... In-Reply-To: <199601252307.QAA15015@usr5.primenet.com> Message-ID: Something I ran across in an old book on number theory In 1953 D.H. Lehmer used the SWAC calculator to check for Mersenne primes (2^n-1). The largest one found was n=2281 - the runtime was 66 minutes. Anybody with access to one of the new Cray fish-tanks want to get a datapoint for the closest machine in 96 so we can check on how well Moore's law worked? Simon // Suddenly my Powerbook 140 seems fast again From ericm at lne.com Sat Jan 27 11:59:28 1996 From: ericm at lne.com (Eric Murray) Date: Sun, 28 Jan 1996 03:59:28 +0800 Subject: Nym use in the real world In-Reply-To: <199601271414.JAA20590@thor.cs.umass.edu> Message-ID: <199601271935.LAA15633@slack.lne.com> Futplex writes: > Eric Murray writes: > > The other problem (tying the nym to RealName) for employers is > > more severe. A nym is only good when no one can tie it to your > > real name. 
If I have to tell everyone I do work for what my real > > name and nym is, soon enough people will be able to tie the two that > > the nym becomes nearly useless. > > Maybe Lucky would be willing to share some wisdom from his experiences > consulting for various companies. (I don't know how much his reputation as > "Lucky Green" has come into play in securing those contracts, and of > course perhaps he really is an Irishman whose parents (the Greens) named > him "Lucky"....) [..] > >I'm still not sure whether it makes sense to have "reputation capital" > denominated in an actual currency that can be traded, for the above reason. > We might use something like a nym-independent(*) credential statement > signed by a certifier and encrypted to the subject of the credential. > Pseudonyms and verinyms belonging to various persons/agents/etc. could > freely swap around these "rep rupees" with potentially very confusing results. > > Since credentials need to be backed up by actual performance when it comes to > a job, such a system might actually be acceptable. I could buy a lion taming > credential with some e$, but everyone would realize that I wouldn't last long > on the job if it didn't describe me fairly accurately. ;) Presumably a > trustable-with-enormous-sums-of-cash credential would command quite a high > price on the open market. This is all well and good, but highly theoretical. It might happen someday, but right now reputations don't work that way. If I gave a reputation certificate to a prospective client they'd just look at it and say "huh?". Some groups do indeed deal well with nym's reputations. If Emmanuel Goldstein shows up at a hacker's convention, everyone knows who he is and what he's done. Alas, most regular businessmen don't want to deal with someone named "Agent Steal"[*], at least not to the point of signing checks to him. Perhaps a partial solution is to pick a nym that sounds like a real name, like "Tim May" or "Jeff Weinstein". 
There's still a problem of proving that I am the same "Tim Weinstein" that the prospective client has exchanged email with. But to be honest, they don't know if I'm the same "Eric Murray" they have been emailing either... *- to pick a random hacker's nym. -- Eric Murray ericm at lne.com ericm at motorcycle.com http://www.lne.com/ericm PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF From EALLENSMITH at ocelot.Rutgers.EDU Sat Jan 27 12:01:21 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 28 Jan 1996 04:01:21 +0800 Subject: Crypto Exports, Europe, and Conspiracy Theories Message-ID: <01I0IB8IKV6AA0UP9Y@mbcl.rutgers.edu> From: IN%"rsalz at osf.org" "Rich Salz" 26-JAN-1996 04:39:43.50 >I believe that one minor reason is the PKP chokehold on public-key patents. It has slowed down adoption within the US, and the RSA licenses for example tend to get very "interesting" when it involves places where their patents don't hold. ---------------- Speaking of other countries' non-recognition of algorithms as patentable, are David Chaum's patents on digital cash enforceable outside of the US? Thanks, -Allen From EALLENSMITH at ocelot.Rutgers.EDU Sat Jan 27 12:10:29 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 28 Jan 1996 04:10:29 +0800 Subject: [rant] A thought on filters and the V-Chip Message-ID: <01I0IBKWFBJCA0UP9Y@mbcl.rutgers.edu> From: IN%"alano at teleport.com" "Alan Olsen" 26-JAN-1996 16:31:41.98 >The purpose of all the ratings, and the filters and all the other stuff is not to "protect kids". It is to protect the prejudices of the adults. They do not want to see it anywhere in the world, not just inflicting some sort of imaginary harm on their children. I expect the first people to use the "reversed filters" will be the kids themselves. (Behind the parents back, of course.) 
I have known too many adults that believe that by restricting their kids access to information, they can prevent them from growing up. In these parents' minds, such information is what makes them want to hump their little brains out. Biology has nothing to do with it in their limited way of thinking. Cluelessness does not just cover computers with these people. It also covers any other topic that required more than two brain cells to understand. ----------------- Strongly agreed. Why should parents be able to determine what information their children receive? Are children the property of the parents? I can see some rights of parents over children, since they have responsibilities over their children also (and thus need the rights to fulfill those responsibilities), but censorship is not one of them. No study has ever shown actually harmful effects from viewing pornography. Crypto relevance? A lot of the same people wanting to restrict children's access to information are also against cryptography, anonymity, etcetera- see the "CyberAngels" for an instance. Incidentally, they also tend to want to restrict people (or at least minors) from viewing other information opposing them. "SafeSurf", the censorship-by-rating site that the CyberAngels are associated with, has as one of its categories of stuff to restrict access to any advocacy of illegal drug usage. Translation- NORML and anyone else working for drug legalization. Of course, the anti-some-drugs biases of the Guardian Angels are well known... -Allen From attila at primenet.com Sat Jan 27 12:11:11 1996 From: attila at primenet.com (attila) Date: Sun, 28 Jan 1996 04:11:11 +0800 Subject: OFFSHORE RESOURCES (where?) In-Reply-To: Message-ID: that's nice, Sandy. but where is URL? On Fri, 26 Jan 1996, Sandy Sandfort wrote: > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > SANDY SANDFORT > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
> > C'punks, > > There has been sporadic interest on this list with regard to > offshore incorporation, banking, etc. While ads for offshore > services are common in the international press, until now, none > of these companies has an Internet presence. > > THE ECONOMIST has an ad for OCRA, a group that specializes in > offshore company services. What's new is that they have a Web > page. It includes a good primer on the benifits from going > offshore and on selected offshore jurisdictions. I've never done > business with these folks, but they have good info. > > > S a n d y > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > __________________________________________________________________________ go not unto usenet for advice, for the inhabitants thereof will say: yes, and no, and maybe, and I don't know, and fuck-off. _________________________________________________________________ attila__ To be a ruler of men, you need at least 12 inches.... There is no safety this side of the grave. Never was; never will be. From EALLENSMITH at ocelot.Rutgers.EDU Sat Jan 27 13:07:34 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 28 Jan 1996 05:07:34 +0800 Subject: Feds on Internet Banking Message-ID: <01I0IE04YCQ8A0UP9Y@mbcl.rutgers.edu> Evidence that the Fed has noticed Internet banking. It looks like they're more concentrating on electronic checks than on digital cash, though; I may be mistaken in that, however. Any of the lawyers on here know much about banking law? -Allen Reuters New Media _ Friday January 26 2:01 PM EST _ Boston Fed Minehan Warns Of "Virtual" Bank Danger NEW YORK - Federal Reserve Bank of Boston President Cathy Minehan is warning against potential risks of "virtual" banking -- or electronic account systems handling electronic money. 
Minehan stressed that the regulatory community has just begun to consider these issues and that much work needs to be done before it even knows all the questions to ask, let alone what answers to give. "Legislation and regulation of new payments system alternatives could be unwise right now, but that does not mean that participants in such systems should not oversee them or that central banks should not be concerned" Minehan said in an address to the Goldman, Sachs Conference on Risk Reduction in Payments, Clearance and Settlement Systems. "'Smart' card technology is now being used to store electronic 'notes' authorized by the card-holder's bank that can be used to transfer value between banks, consumers and merchants," she said. "These electronic 'notes' flow over the Internet and give authorization for funds to be withdrawn from a bank account and paid to another party electronically," Minehan said. "This can come close to being a new form of currency in that the potential exists for the value on the card to remain in circulation, transferring from card to card, and one endpoint to another, without necessarily being converted to a more traditional form of money," she said. [...] "'In this regard, it is especially intriguing to consider how the 'virtual' bank might be regulated," said Minehan. "Some maintain that virtual banking is just a new form of bank which all the usual rules and regulations apply," she said. Copyright, Reuters Ltd. All rights reserved From sandfort at crl.com Sat Jan 27 13:07:42 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Sun, 28 Jan 1996 05:07:42 +0800 Subject: OFFSHORE RESOURCES (where?) In-Reply-To: Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Sat, 27 Jan 1996, in reference to my post OFFSHORE RESOURCES, attila wrote: > that's nice, Sandy. but where is URL? He was not the only one. 
Due to the vicissitudes of the C'punks' list, my correction arrived before my post for some people. The URL is: www.ocra.com As Tim correctly pointed out, the Net has carried information on offshore banking and related topics for some time. My point was that--as far as I can tell--OCRA is the first major one-stop supplier of offshore incorporation, trust and banking services to open a Web site. More important, though, is the content of their site. Whether or not one does business with them, their site offers a very good primer on the whys and wherefores of going offshore. S a n d y P.S. I've received a couple of dozen RSVPs for my costume party on 10 February. I'd like those of you who will be in the Bay Area on that date and have not responded to let me know if you will or will not be in attendance. Also, if you have any suggestions for a free or cheap band, let me know. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From hallam at w3.org Sat Jan 27 13:45:01 1996 From: hallam at w3.org (hallam at w3.org) Date: Sun, 28 Jan 1996 05:45:01 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: <199601271610.IAA26122@mailx.best.com> Message-ID: <9601272133.AA10060@zorch.w3.org> >On the other hand, with inaccurate information concerning enemy >capabilities and will, one is more likely to believe that the >enemy is incapable of destroying you from the grave, or lacks the >necessary will to destroy the world in response to a small >"surgical" nuclear strike. Actually the MAD doctrine is critically dependent on mutual knowledge concerning military capability. I have met UK intelligence types who have discussed how they have deliberately permitted Soviet espionage activities in order that they could confirm that the NATO alliance was a defensive one. Throughout the majority of the cold war both sides took great pains to avoid creating a situation which forced the other into nuclear brinkmanship. 
Indeed until Reagan there were strenuous efforts made to preserve the balance of power. >They called it the peace of fear, the peace of terror, and the pax >atomica. They did not call it the peace of the NSA They probably should do, the NSA was critical in ensuring the demise of the USSR and in maintaining stability throughout the cold war period. The point is not that the NSA had no military function. The point is that it is now an agency searching for a role. It is often a dangerous thing for the military to involve itself in civil affairs. Phill From declan+ at CMU.EDU Sat Jan 27 14:36:32 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sun, 28 Jan 1996 06:36:32 +0800 Subject: Banned French Book Online Message-ID: As Tim May noted a few messages ago, the French government censored a book written by the physician to their late president, Francois Mitterrand. An enterprising fellow in eastern France scanned it into 189 pages of GIF files and put it online. Now the French police have arrested him, ostensibly on unrelated charges. I'm putting the complete version of the banned book, _Le Grand Secret_, online -- you can find it on the following identical sites: http://web.mit.edu/afs/athena/contrib/bitbucket2/le-grand-secret/secret/ http://www.cs.cmu.edu/afs/cs/user/declan/www/le-secret/complete/ http://robotweb.ri.cmu.edu/afs/cs/user/declan/www/le-secret/complete/ http://mousa.dcs.gla.ac.uk/~stephane/secret/ Since the combined size of the files is 9 MB, Seth Finkelstein and I stripped the images from 4 bpp to 1 bpp (greyscale to monochrome), and reduced the combined size to 2 MB. 
The stripped GIF files are on: http://www.cs.cmu.edu/afs/cs/user/declan/www/le-secret/reduced/ http://robotweb.ri.cmu.edu/afs/cs/user/declan/www/le-secret/complete/ http://web.mit.edu/afs/cs.cmu.edu/user/declan/www/le-secret/complete/ http://joc.mit.edu/le-secret/reduced-gifs.tar [tar file] http://joc.mit.edu/le-secret/reduced-gifs.tar.gz [compressed tar file] Related stories and commentary are available at the following identical sites: http://www.contrib.andrew.cmu.edu/~declan/ http://www.cs.cmu.edu/afs/cs/user/declan/www/le-secret/ http://www.well.com/~declan/le-secret/ http://robotweb.ri.cmu.edu/afs/cs/user/declan/www/le-secret/ http://web.mit.edu/afs/cs.cmu.edu/user/declan/www/le-secret/ -Declan From alano at teleport.com Sat Jan 27 14:57:14 1996 From: alano at teleport.com (Alan Olsen) Date: Sun, 28 Jan 1996 06:57:14 +0800 Subject: Denning's misleading statements Message-ID: <2.2.32.19960127225107.009173b4@mail.teleport.com> At 07:49 PM 1/26/96 -0800, Rich Graves wrote: >On Fri, 26 Jan 1996, Thomas Grant Edwards wrote: > >> I think the big bait-and-switch is her description of the various >> companies falling over themselves to get to _VOLUNTARY_ key escrow to >> avoid losing data and protecting themselves against employee problems >> versus _MANDATORY_GOVERNMENT_ key escrow to ensure that individuals >> cannot hide information from the government. >> >> Key escrow is good. Key escrow against your will is bad. > >Yo. > >I especially enjoyed this sentence: "Individuals would be allowed to >develop their own encryption systems for personal or educational use >without obtaining licenses, though they could not distribute them to >others." Why is it that whenever I read Denning's pronouncements I feel like I am reading something from a villainess in an Ayn Rand novel? Denning has become the epitome of the pure authoritarian government world view. Analysis of her viewpoints makes me more of an anarchist every time I read her rants. 
It is that smarmy "We know better than you do" with absolutely no rational argument as to why it is true. It is people like this that are generating such distrust in Government by promoting irrational statism. (Government by random fiat keeps a high employment for those who make their living off of political parody, paranoia of the government, the court system, lawyers and lawmakers, and anarchists everywhere.) >It's unclear whether it's OK to share books, algorithms, and source code; >or if it is, what's the point? Depends on your ability to challenge the status quo. A vague law with lots of harsh but undefined penalties is much more effective than something that is rigidly defined. With rigidly defined laws, you can find loopholes and ways to push the envelope. With vague rules, people will tend to err on the side of caution. >Outlaw cryptography, and only cryptographers and outlaws will have >cryptography. "Hey, we found this Tim May guy down at the school playground selling crypto to the kids! Let's throw the book at him!" Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ National Security uber alles! From tcmay at got.net Sat Jan 27 15:40:06 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 28 Jan 1996 07:40:06 +0800 Subject: Denning's misleading statements Message-ID: At 10:51 PM 1/27/96, Alan Olsen wrote: >Why is it that whenever I read Denning's pronouncements I feel like I am >reading something from a villainess in an Ayn Rand novel? > >Denning has become the epitome of the pure authoritarian government world >view. Analysis of her viewpoints makes me more of an anarchist every time I >read her rants. 
It is that smarmy "We know better than you do" with One of the interesting things about the whole crypto debate, going back at least to the Clipper announcement (and actually some months before) has been that the pro-restrictions, pro-GAK side of the argument has almost no defenders! Except for David Sternlight, Dorothy Denning, and Donn Parker ("attack of the killer Ds"?), there are almost no public spokesmen for the pro-restriction, pro-GAK side. She has written numerous pro-GAK position papers for various conferences, journals (including the "Proc. of the ACM"), and other fora. Where are the other defenders? Even the producers of GAKked products are fairly careful to finesse their positions by saying they are only doing what they are doing because the government is paying them to, or because the export laws leave them few other options. I've never met Dorothy Denning, so I hesitate to characterize her as a villainess. But certainly she's the only noted cryptographer I know of who's gone so far out on a limb to defend a position the vast majority of computer scientists, civil libertarians, and cryptographers scoff at. (And I don't just mean it is we libertarians and civil libertarians who are scoffing, I mean that nearly every noted expert who has carefully reviewed the various schemes to control crypto and to provide GAK has found them to be essentially unenforceable except via draconian police state methods, and maybe not even then.) I personally believe her estrangement from the mainstream position these last several years and her apparent close association with the inside-the-Beltway crowd has actually skewed her judgment, that she is no longer evaluating policies and capabilities based on reasonable objective, academic analysis. Her views, and even many of her examples, are very close to the views and examples used by FBI Director Louis Freeh in his testimony to Congress a few years ago. 
(I scanned and OCRed this testimony as a favor to Whit Diffie, so in reviewing the text for OCR corrections, I became very familiar with Freeh's fear-inducing testimony.) I don't mean this as a cheap shot against her, but I would not be surprised to see her take on some sort of "Undersecretary for National Information Infrastructure Affairs" or somesuch position in the next Administration (no matter which side wins the election). She's become a player in the Washington game. >Depends on your ability to challenge the status quo. A vague law with lots >of harsh but undefined penalties is much more effective than something that >is rigidly defined. With rigidly defined laws, you can find loopholes and >ways to push the envelope. With vague rules, people will tend to err on the >side of caution. Psychologists call this "random reinforcement." A plethora of vague laws about intent, conspiracy, and threshold have made this the norm. When there are 25,983 distinct laws on the books, what else is to be expected? >"Hey, we found this Tim May guy down at the school playground selling crypto >to the kids! Let's throw the book at him!" "This could not have been me, Your Holiness! I would never think to _sell_ cryptography to the kids--I would give them free samples first." --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Sat Jan 27 15:40:19 1996 From: tcmay at got.net (Timothy C. 
May) Date: Sun, 28 Jan 1996 07:40:19 +0800 Subject: Banned French Book Online Message-ID: At 10:24 PM 1/27/96, Declan B. McCullagh wrote: >As Tim May noted a few messages ago, the French government censored a >book written by the physician to their late president, Francois To set the record straight, Tim Dierks mentioned this in response to my point that the French do some things right. (Emphasis on "some.") Also, while I'm clarifying things, at least two recent messages have referred to me as "Dr. May." Normally I don't feel obliged to correct such things, but I will here. I don't have a Ph.D., just a bachelors degree. Sosumi. --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Sat Jan 27 15:46:25 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 28 Jan 1996 07:46:25 +0800 Subject: "This post is G-Rated" Message-ID: At 11:33 PM 1/25/96, Mike McNally wrote: >Bill Frantz writes: > > and whole newsgroups. > >Since nobody "owns" newsgroups, and nobody controls what's posted to >them, I don't see how that's possible at all. I agree. When I was replying to Bill Frantz's points, I neglected to comment on this point. Suppose "alt.fan.barney" is rated G, by "someone." Since I can post stuff with strong language, and worse, to alt.fan.barney, is it still rated G, or was my stuff blocked? 
When the Germans told MeinKampfuServe to block 200+ newsgroups (well, it's clear that some BavarianKops showed MKS a list of groups that they thought needed to be pulled, and MKS obliged them), a bunch of folks started copying soc.culture.german on some highly explicit stuff normally found in alt.sex.*. No word yet on whether soc.culture.german is now banned in Germany. --Tim May Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From rlwmgt at mpx.com.au Sat Jan 27 15:54:47 1996 From: rlwmgt at mpx.com.au (Michael G Thornton) Date: Sun, 28 Jan 1996 07:54:47 +0800 Subject: Unsub request delete at will Message-ID: <3108CA8B.3191@mpx.com.au> With apologies for posting this to the general list community, please unsub me from this list as I am having some software conflicts with unsubbing via your server, your assistance is appreciated. Many thanks Regards Michael rlwmgt at mpx.com.au From erc at dal1820.computek.net Sat Jan 27 15:57:26 1996 From: erc at dal1820.computek.net (Ed Carp, KHIJOL SysAdmin) Date: Sun, 28 Jan 1996 07:57:26 +0800 Subject: Bernie S. Sentencing In-Reply-To: <199601251653.LAA16128@jekyll.piermont.com> Message-ID: <199601260132.UAA05720@dal1820.computek.net> > Adam Shostack writes: > > Before anyone complains of a lack of crypto relevance to this, > > Bernie S is the guy who brought Clipper phones & actual clipper chips > > which he convinced Mykrotronix to send him to the HOPE conference in > > NYC two years ago. 
> > Okay, but no one said that in the original message, and it still isn't > clear how relevant this is. If someone like Tim or me were put in jail > for, say, drunk driving, I'm not sure it would be proper news here. I just heard that Perry and Tim were picked up last night for public intoxication, after a hard night of partying and crypto-brainstorming. OBCrypto: The arresting officer found in Perry's jacket pocket, a matchbook with what looked like mathematical symbols on it. He didn't know what the symbols were, so he turned it over to the DP department. I hear a couple of hours later, two "suits" showed up at the jail, asked to see the matchbook, took one look, turned pale, and spirited Perry and Tim out the back door of the jail. The police profess no knowledge of the whereabouts of Tim or Perry - they say they never heard of them. The arrest report has also apparently disappeared. The last thing one of the "suits" said was something like "they know about the hole in RSA we found with the quantum computer" - or that's what was reportedly said. Something like that. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes From tedwards at access.digex.net Sat Jan 27 16:11:48 1996 From: tedwards at access.digex.net (ISP-TV Central) Date: Sun, 28 Jan 1996 08:11:48 +0800 Subject: #pgpfone on IRC Message-ID: I suggest the use of #pgpfone on IRC for setting up impromptu tests of PGPfone over the internet. I hope it works better than NetPhone! 
-Thomas From alanh at infi.net Sat Jan 27 16:25:20 1996 From: alanh at infi.net (Alan Horowitz) Date: Sun, 28 Jan 1996 08:25:20 +0800 Subject: The French do some things right... In-Reply-To: Message-ID: Bill _did_ get elected, notwithstanding the mistresses, the inhalations, the connected-lawyer-wife. WE may _talk_ more about our scandals, but does it influence outcomes? Gary Hart didn't get kicked off the train for boffing a bimbo. He got the boot for being an asshole about it. Is it so much to ask "the best and brightest" - to run their indiscretions discreetly? Alan Horowitz alanh at norfolk.infi.net From allyn at allyn.com Sat Jan 27 16:30:02 1996 From: allyn at allyn.com (Mark Allyn 860-9454 (206)) Date: Sun, 28 Jan 1996 08:30:02 +0800 Subject: Denning's misleading statements In-Reply-To: Message-ID: <199601280025.QAA24212@mark.allyn.com> Hello you all! I would like to make a suggestion that D. Denning; others who are pro-escrow/clipper; and some of you folks here on this forum get together for a debate. Ideally, this would be real nice on a TV show such as the McNiel Lehrer show on PBS. Barring that, I would think that an IRC chat channel could be set up so that they could get on line and engage in an on line discussion. Mark From nobody at REPLAY.COM Sat Jan 27 16:39:39 1996 From: nobody at REPLAY.COM (Anonymous) Date: Sun, 28 Jan 1996 08:39:39 +0800 Subject: SEAL cipher info requested (something actually list related!) Message-ID: <199601280027.BAA07662@utopia.hacktic.nl> Anybody have info on the SEAL cipher? I can't find any descriptions or analysis of it. Refs, proceedings or URLS would be a good thing. (It isn't related to NSEA is it?!?) From wlkngowl at unix.asb.com Sat Jan 27 16:42:15 1996 From: wlkngowl at unix.asb.com (Mutatis Mutantdis) Date: Sun, 28 Jan 1996 08:42:15 +0800 Subject: SHA-2 Message-ID: <199601280033.TAA09429@UNiX.asb.com> futplex at pseudonym.com (Futplex) writes: >Any particular reason someone called this SHA-2 ? 
It sounds a whole lot like >the revision of the original SHA, called SHA-1, that came out quite a while >ago. (FIPS 180-1) This is rather old hat unless they're making a _second_ >revision to the standard, in which case I expect there would have been much >more noise made about it. I think that has a bit to do with a question I had, whether it was SHA and SHA-1 (aka "Revised SHA") but I've found the revised version being referred to as "SHA-2" in a couple of sources and went with that.... unless there *is* a third revision...?!? Problem is the memo I saw still referred to the revised algorithm as SHA. (Anyone have a URL for FIPS 180-1 Please...?) Rob. From alanh at infi.net Sat Jan 27 16:46:39 1996 From: alanh at infi.net (Alan Horowitz) Date: Sun, 28 Jan 1996 08:46:39 +0800 Subject: OpSec Snooping In-Reply-To: <199601271430.PAA13276@utopia.hacktic.nl> Message-ID: I would like to see some factual evidence that active-duty or retired spooks are better than my late grandmother at spotting a liar. What spooks do have is, no lamer press and no this-quarter's-numbers-define-my-universe stock analysts limelighting their work. They can afford to work slowly, carefully, methodically. Being a spook doesn't prove you do do that; it means you can, if you are inclined to do so (and your boss wants you to do that). Alan Horowitz alanh at norfolk.infi.net From alanh at infi.net Sat Jan 27 16:59:05 1996 From: alanh at infi.net (Alan Horowitz) Date: Sun, 28 Jan 1996 08:59:05 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: Message-ID: There is a story floating around XXXXXX circles that The Japanese carrier approaching Pearl was spotted on the recently-installed (Navy) land radar in Hawaii. The target was reported out of the ops room, but ignored by the same situation room that screwed up (years later) the response to the Pueblo's distress calls in international waters just offshore from North Korea. 
Don't even ask me about the screwups I saw them make when I was stationed at a XXXXXX base in XXXXXX Alan Horowitz alanh at norfolk.infi.net From nobody at REPLAY.COM Sat Jan 27 17:03:15 1996 From: nobody at REPLAY.COM (Anonymous) Date: Sun, 28 Jan 1996 09:03:15 +0800 Subject: RANT: When hi-tech is a hinderance (freedom w/in limits) Message-ID: <199601280048.BAA08157@utopia.hacktic.nl> A short 'rant' on techno-dinosaurism... Saw a blurb on CNN last night about computerized missiles that would defeat jamming devices and analyze the type of target and configure their warheads appropriately. All that I could think of is what an expensive waste of computing machinery... is the cost of a "genius bomb" (assuming it does actually work, unlike the Patriots in Gulf War) worth while? Wouldn't it be better to use a lot of dumb bombs that launch several millions of dollars apiece at a tank or bit of artillery? I'm reminded of the tech they used to detect guerrillas in Vietnam... sensors that went off when uric acid (?) was present so the VC would piss in buckets and walk away, making the sensors go wild... the US put a lot of effort into bombing piss buckets. Or look back to the 13th century when European soldiers were high-tech wearing tons of armor and used cross bows. It was imposing high-tech for the time, but they couldn't move fast or fire arrows quickly... and they were skagmeat for Mongols who were comparatively low-tech. Cypherpunks or crypto relevance? Sometimes high-tech can be a weakness. I've heard that the Soviets, not having the luxury of sexy Crays and whatnot, were adept at using hundreds of PCs to do their cryptanalysis... and so may have a lot of interesting parallel processing algorithms. To paraphrase Miles Davis, creativity is "freedom within limitations". 
From JMKELSEY at delphi.com Sat Jan 27 17:18:53 1996 From: JMKELSEY at delphi.com (JMKELSEY at delphi.com) Date: Sun, 28 Jan 1996 09:18:53 +0800 Subject: This post is rated LTC for `Low Technical Content' Message-ID: <01I0IMFVB94Y99DH92@delphi.com> -----BEGIN PGP SIGNED MESSAGE----- [ To: cypherpunks ## Time: 01/27/96 02:19 am ## Subject: This post is rated LTC for `Low Technical Content.' ] >Date: Thu, 25 Jan 1996 18:04:21 -0800 >From: tcmay at got.net (Timothy C. May) >Subject: Re: "This post is G-Rated" >I see self-ratings of Usenet and mailing list posts as possible, >just nearly worthless. And the really controversial stuff, this kind >of goddamned fucking shit, will not get screened out. After all, I >voluntarily rated this thread "G," and look what got through! (And >it's only the tit of the iceberg, so to speak.) The best solution has always seemed to me to be one of these three: a. Tags appended to notes/posts, from various reviewers, digitally signed and otherwise coded to allow intelligent filtering, or b. Electronic distributions of reviewers' evaluations tagged to notes in some simple way. (I.e. give each note or post a unique ID which appears in the message.) Then, a smart newsreader/mail program sorts the notes accordingly, or c. The reviewer reads the group/list, and rates posts according to some useful criteria. He then resends it out to his users, filtered as desired. (CP-LITE seems like a very early version of this.) Any of these can be pretty easily ported to that magical set-top box we hear so much about (no doubt running Windows '05). In many ways, (a) and (b) are easier. >A meaningful "parental filter" cannot be done on-the-fly with >self-ratings. Some minor steps can be taken, but not all worth the >expense and hassle of a mandatory system. Actually, I think in practice this will mean that programs get a given rating, which is renewed every so often. You don't rate Melrose Place episode #89, you rate the entire series. 
This whole idea offers two wonderful opportunities to control content on TV. First, get the TVs shipped with the V-chip filter turned on. Most people don't bother setting their VCR timers, and they also won't bother setting this unless it denies them access to lots of shows they like. And, if turning the filter on and off is hard enough to actually keep the average 12-year-old out, then it will be hard enough that many families with kids will simply never change its setting. They may even forget or lose the PIN that allows them to do so. This means that you have a sizeable audience who depend on this rating system, the only one readily available. Second, apply pressure to television networks in whatever ways necessary, by threatening a re-evaluation of their top-rated shows. After all, ER really is a little gory for kids to be watching. Oh, you've decided to spend less time on covering the losses in the great Bosnian Peace Initiative? Well, I suppose a little real-life drama won't hurt anyone. If the V-chip is used widely at all, this represents a really useful threat. What happens to the network executive who gets ER to lose half its audience, even just for a few weeks while a review board takes up the network's appeal? >--Tim >Timothy C. May | Crypto Anarchy: encryption, digital money, >tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero Note: Please respond via e-mail as well as or instead of posting, as I get CP-LITE instead of the whole list. 
--John Kelsey, jmkelsey at delphi.com / kelsey at counterpane.com PGP 2.6 fingerprint = 4FE2 F421 100F BB0A 03D1 FE06 A435 7E36 From cp at proust.suba.com Sat Jan 27 17:25:04 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Sun, 28 Jan 1996 09:25:04 +0800 Subject: Denning's misleading statements In-Reply-To: Message-ID: <199601280108.TAA05461@proust.suba.com> (Tim May said:) > One of the interesting things about the whole crypto debate, going back at > least to the Clipper announcement (and actually some months before) has > been that the pro-restrictions, pro-GAK side of the argument has almost no > defenders! Except for David Sternlight, Dorothy Denning, and Donn Parker > ("attack of the killer Ds"?), there are almost no public spokesmen for the > pro-restriction, pro-GAK side. This is interesting. My theory is that they know they can't win a fair and open debate, so they force us to fight straw men and try to bamboozle politicians with ritualistic secret briefings. The secrecy adds credibility to weak arguments and heads off those of us who would try to point up the flaws in them. You can't critique what you haven't seen. I think that one of the planks of the pro-crypto platform ought to be a call for the NSA to explain and defend their position publicly, and to engage in a dialogue on a moderated mail list. 
From tallpaul at pipeline.com Sat Jan 27 17:28:37 1996 From: tallpaul at pipeline.com (tallpaul) Date: Sun, 28 Jan 1996 09:28:37 +0800 Subject: John Doe Message-ID: <199601260707.CAA00990@pipe6.nyc.pipeline.com> On Jan 25, 1996 20:58:48, 'jdoe-0007 at alpha.c2.org' wrote: >The John Doe NYM/Remailer interface for Windows is a most excellent >program that will allow even the most cypher-illiterate to make use of >the technology that has been the exclusive domain of those in the >"techno-know". It was a piece of cake to set up, obtain a NYM and select >inbound and outbound remailers with options to chain as many as your >paranoia deemed appropriate. > >$25.00 seemed a little steep but they will get my $$$. Nice Job. > >John Doe 0007 > No, I am not jdoe-0007. We satanic-socialist-statists all use preliminary trial copies of JOHN-DOE set to jdoe-666. It is in our contract with the Sales Rep of Darkness and we are widely known for always respecting contracts. Look out UNIX users! With JOHN-DOE us WINDOZE users under the leadership of our glorious Chairman Bill are gonna' get the rest of your body too! (Unlike jdoe-0007 I think $25 is a very low price to pay for the new capacity. What the hell! We're not gonna' pay for it out of our own lazy pockets. We'll raise the tax on hot tubs and get other people to buy it for us.) -- tallpaul "To understand the probable outcome of the Libertarian vision, see any cyberpunk B movie wherein thousands of diseased, desperate and starving families sit around on ratty old couches on the streets watching television while rich megalomaniacs appropriate their body parts for their personal physical immortality." R. U. Sirius _The Real Cyberpunk Fakebook_ From declan+ at CMU.EDU Sat Jan 27 17:35:42 1996 From: declan+ at CMU.EDU (Declan B. 
McCullagh) Date: Sun, 28 Jan 1996 09:35:42 +0800 Subject: Denning's misleading statements In-Reply-To: <199601280025.QAA24212@mark.allyn.com> Message-ID: Excerpts from internet.cypherpunks: 27-Jan-96 Re: Denning's misleading st.. by Mark Allyn 860-9454 at ally > I would like to make a suggestion that D. Denning; others > who are pro-escrow/clipper; and some of you folks here on > this forum get together for a debate. > > Ideally, this would be real nice on a TV show such as the > McNiel Lehrer show on PBS. Barring that, I would think > that an IRC chat channel could be set up so that they > could get on line and engage in an on line discussion. I doubt that they'd be interested, but if they are, Jon Lebkowsky of EFF-Austin hosts Electronic Frontiers, a HotWired online discussion forum, every Thursday night at 10 pm. The subject would fit in nicely with his discussions; this week he had Steve Jackson, of Steve Jackson Games. I'm sure we could interest him in this. -Declan From frantz at netcom.com Sat Jan 27 18:15:39 1996 From: frantz at netcom.com (Bill Frantz) Date: Sun, 28 Jan 1996 10:15:39 +0800 Subject: This post is rated LTC for `Low Technical Content' Message-ID: <199601280200.SAA24044@netcom6.netcom.com> At 7:55 PM 1/27/96 -0500, JMKELSEY at delphi.com wrote: >The best solution has always seemed to me to be one of these three: > >a. Tags appended to notes/posts, from various reviewers, digitally >signed and otherwise coded to allow intelligent filtering, or > >b. Electronic distributions of reviewers' evaluations tagged to >notes in some simple way. (I.e. give each note or post a unique ID >which appears in the message.) Then, a smart newsreader/mail >program sorts the notes accordingly, or > >c. The reviewer reads the group/list, and rates posts according to >some useful criteria. He then resends it out to his users, filtered >as desired. (CP-LITE seems like a very early version of this.) d. 
The "V-Chip" device makes a network query to the selected rating service to ask for a rating. What happens when the rating service is unreachable is just one of the many parameters that the parent needs to set. (If designed right, no parent could use it, but its availability would still stop the adult censorship crowd in congress.) This approach has the advantage that the communications costs accrue to those using the feature and not to everyone else. A disadvantage is that each content item needs some ID. Bill From tcmay at got.net Sat Jan 27 18:25:24 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 28 Jan 1996 10:25:24 +0800 Subject: The Press Message-ID: At 12:25 AM 1/28/96, Mark Allyn (206) 860-9454 wrote: > >I would like to make a suggestion that D. Denning; others >who are pro-escrow/clipper; and some of you folks here on >this forum get together for a debate. There have already been several debates about Clipper. I recall one at George Washington University, in D.C., with Prof. Lance Hoffmann as the moderator, and the usual suspects on each side (Denning representing Clipper, one or more of the EPIC/EFF/CPSR/ACLU folks on the other side). Didn't change a lot of views, I suspect. And I'll bet a hundred bucks that not a single Congresscritter saw the debate, either live (of course not) or on C-SPAN (assuming it was carried). And there was an IRC "town meeting" with DRD herself, though I don't recall the details. My point was that few cryptographers and computer scientists actively support the pro-control, pro-GAK position, not that we need more meaningless debates with Dorothy Denning, Donn Parker, and Stuart Baker. >Ideally, this would be real nice on a TV show such as the >McNiel Lehrer show on PBS. Barring that, I would think >that an IRC chat channel could be set up so that they >could get on line and engage in an on line discussion. Absolutely not enough time. The News Hour with Jim Lehrer could only devote at most 20 minutes to such a story. 
Hardly enough time to even explain the issues to a public which has no idea whatsoever what PGP stands for, or what key escrow means, etc. (Consider how many hours a week of reading this list and other sources it took before you, the reader, knew which end was up.) And if the News Hour _did_ do such a report, they'd look to the canned experts they have in their backyard: the EPIC/CPSR/ACLU Washington staffers. When major media outlets send a film crew out to California it's usually to get crowd shots of those whacky "Cyberpunks" arguing about privacy. "Is the head dead yet?" But, of course, I would never discourage anyone from talking to the local media. Maybe it will help. Sure. Fine. Whatever. --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Sat Jan 27 18:30:38 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 28 Jan 1996 10:30:38 +0800 Subject: RANT: When hi-tech is a hinderance (freedom w/in limits) Message-ID: At 12:48 AM 1/28/96, Anonymous wrote: >A short 'rant' on techno-dinosaurism... ... >Cypherpunks or crypto relevance? Sometimes high-tech can be >a weakness. The canonical story being Arthur C. Clarke's "Superiority," said at one time to have been required reading at MIT. >I've heard that the Soviets, not having the luxury of sexy >Crays and whatnot, were adept and using hundreds of PCs to >do their cryptanalysis... and so may have a lot of interesting >parallel processing algorithms. I'm skeptical. 
Sun Microsystems did indeed buy up a bunch of Russian programmers, a couple of years ago. Haven't heard anything come out of this. And loosely-coupling PCs, for a task such as Anonymous describes, does not sound like terribly good preparation for other tasks. No point in speculating further, as the speculations and counter-speculations are underdetermined. --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From llurch at networking.stanford.edu Sat Jan 27 18:57:41 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sun, 28 Jan 1996 10:57:41 +0800 Subject: This post is rated LTC for `Low Technical Content' In-Reply-To: <199601280200.SAA24044@netcom6.netcom.com> Message-ID: On Sat, 27 Jan 1996, Bill Frantz wrote: > At 7:55 PM 1/27/96 -0500, JMKELSEY at delphi.com wrote: > >The best solution has always seemed to me to be one of these three: > > > >a. Tags appended to notes/posts, from various reviewers, digitally > >signed and otherwise coded to allow intelligent filtering, or > > > >b. Electronic distributions of reviewers' evaluations tagged to > >notes in some simple way. (I.e. give each note or post a unique ID > >which appears in the message.) Then, a smart newsreader/mail > >program sorts the notes accordingly, or > > > >c. The reviewer reads the group/list, and rates posts according to > >some useful criteria. He then resends it out to his users, filtered > >as desired. (CP-LITE seems like a very early version of this.) > > d. 
The "V-Chip" device makes a network query to the selected rating service > to ask for a rating. What happen when the rating service is unreachable is > just one of the many parameters that the parent needs to set. (If designed > right, no parent could use it, but its availability would still stop the > adult censorship croud in congress.) This just gets ridiculous. It adds a lot of overhead without necessarily giving you good information. On the Net, there is no longer any real difference between underground and mainstream data. It's all just as easy to get. You can't block it. You're thinking like engineers. This isn't an engineering problem; it's a social and artistic problem. Actually, it's two problems: how to censor people, and how to find stuff you're interested in. Censorship only works if it's dictated and enforced. Ratings don't cut it. Arbitrary scales can't judge stuff you're interested in. Art cannot be reduced to numberical criteria. A while ago, and maybe it's still going on, the MIT media lab had an interesting music rating service. The way it worked was, you submitted stuff you liked, lots of other people submitted stuff they liked, and the computer generated a list of stuff that you might like based on apparent matches among different people's tastes. The model to emulate is a computer dating service, not a library. -rich From jimbell at pacifier.com Sat Jan 27 19:05:39 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 28 Jan 1996 11:05:39 +0800 Subject: RANT: When hi-tech is a hinderance (freedom w/in limits) Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 01:48 AM 1/28/96 +0100, Anonymous wrote: >Cypherpunks or crypto relevance? Sometimes high-tech can be >a weakness. You don't know how right you are. Jim Bell Klaatu Burada Nikto "Something is going to happen. Something.....Wonderful!" 
-----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMQrhZvqHVDBboB2dAQFKZAP/U6tKRFYbMmag6wB/HEO/K8XxsSUFr5dt 9sMaeptBa2EEvn2f4rrlZ9AadKTEX8qhd9VI3gF+XfsZ8tVnfK7FSvdeteoN7iBB tVPfXgozxLWqKFUe1YoYIKJof9c5q4IPNkOaWCUAiMbOiA8BrhYLPUOISkC0W5f8 0yse7fmFA1w= =0Fe9 -----END PGP SIGNATURE----- From frantz at netcom.com Sat Jan 27 19:17:38 1996 From: frantz at netcom.com (Bill Frantz) Date: Sun, 28 Jan 1996 11:17:38 +0800 Subject: This post is rated LTC for `Low Technical Content' Message-ID: <199601280256.SAA29212@netcom6.netcom.com> At 6:36 PM 1/27/96 -0800, Rich Graves wrote: >On Sat, 27 Jan 1996, Bill Frantz wrote: > >> At 7:55 PM 1/27/96 -0500, JMKELSEY at delphi.com wrote: >> >The best solution has always seemed to me to be one of these three: >> > >> >a. Tags appended to notes/posts, from various reviewers, digitally >> >signed and otherwise coded to allow intelligent filtering, or >> > >> >b. Electronic distributions of reviewers' evaluations tagged to >> >notes in some simple way. (I.e. give each note or post a unique ID >> >which appears in the message.) Then, a smart newsreader/mail >> >program sorts the notes accordingly, or >> > >> >c. The reviewer reads the group/list, and rates posts according to >> >some useful criteria. He then resends it out to his users, filtered >> >as desired. (CP-LITE seems like a very early version of this.) >> >> d. The "V-Chip" device makes a network query to the selected rating service >> to ask for a rating. What happen when the rating service is unreachable is >> just one of the many parameters that the parent needs to set. (If designed >> right, no parent could use it, but its availability would still stop the >> adult censorship croud in congress.) > >This just gets ridiculous. It adds a lot of overhead without necessarily >giving you good information. ... Rich - Remember that this is NOT being designed for usability, only to stop a bad movement in congress. 
The reason I proposed solution (d) is that it adds no overhead to people who don't use it. (I propose using the Message-ID: header as a lookup ID for items received by email. I suspect it has spoofing problems, but perhaps congress won't notice.) Perhaps we should re-visit the need for usability if anyone really wants to use such a system themselves. As a parent, I always wanted my children to explore freely and discuss anything they found that bothered them. Bill From shamrock at netcom.com Sat Jan 27 19:17:44 1996 From: shamrock at netcom.com (Lucky Green) Date: Sun, 28 Jan 1996 11:17:44 +0800 Subject: This post is rated LTC for `Low Technical Content' Message-ID: At 18:03 1/27/96, Bill Frantz wrote: >d. The "V-Chip" device makes a network query to the selected rating service >to ask for a rating. What happen when the rating service is unreachable is >just one of the many parameters that the parent needs to set. (If designed >right, no parent could use it, but its availability would still stop the >adult censorship croud in congress.) Of course the V-Chip transmits the ID number of the program to be rated upstream. Since all programs will be rated by the chip, regardless if you choose to use the rating or not, the exact channel you are watching will be tracked and logged. Have fun, -- Lucky Green PGP encrypted mail preferred. From weld at l0pht.com Sat Jan 27 19:26:02 1996 From: weld at l0pht.com (Weld Pond) Date: Sun, 28 Jan 1996 11:26:02 +0800 Subject: This post is rated LTC for `Low Technical Content' Message-ID: shamrock at netcom.com (Lucky Green) quoth: >Of course the V-Chip transmits the ID number of the program to be rated >upstream. Since all programs will be rated by the chip, regardless if you >choose to use the rating or not, the exact channel you are watching will be >tracked and logged. Ahh.. Finally a use for anonymous remailers that the Christian right would understand. 
Weld Pond - weld at l0pht.com - http://www.l0pht.com/ L 0 p h t H e a v y I n d u s t r i e s Technical archives for the people - Bio/Electro/Crypto/Radio From tcmay at got.net Sat Jan 27 19:51:54 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 28 Jan 1996 11:51:54 +0800 Subject: "German service cuts Net access" (to Santa Cruz) Message-ID: [I sent this to the Cyberia list, but it seems likely to have some interest for Cypherpunks. Apologies to those who get it twice.] More interesting news from my own backyard: "German service cuts Net access: Neo-Nazi materials posted on Web by Santa Cruz company" San Jose Mercury News, 1996-01-27, D1 "Germany's biggest Internet provider has blocked access to a Santa Cruz computer service that makes available neo-Nazi propaganda in another sign of the growing tension over material available on the Internet. "Deutsche Telekom, Germany's national phone company, blocked its 1 million customers Thursday from gaining access to Internet "Web sites" maintained by customers of Web Communications of Santa Cruz. "The 18-month-old company offers customers the ability to self-publish material on the World Wide Web, a fast-growing subsection of the Internet. Among its 1,500 customers is a Canadian man who has posted material that questions the existence of the Holocaust. ""We want to make it very clear we condemn anti-Semitism, racism and hatred in any form," said company president Chris Schefler. But "we do not monitor, police or control the content of any of our customer sites."" ---- I'd quote more from the article, but I think I'm at about the limit of fair use quotation. I expect the story will be picked up nationally; it was on several t.v. shows last night and today. For those interested--though merely including this information could I suppose cause the William and Mary site to be similarly turned off, the page in question is noted Revisionist Ernst Zuendel, of Ontario, Canada.
His Web page at Webcom can be found by searching on Zuendel or Zundel and the usual other terms: holocaust, revisionism, Webcom, etc. (I tried last night to connect to Zuendel's page, and couldn't. Nor could I connect to www.webcom.com, so they may be having problems.) Apparently irate users at Webcom, whose pages are likewise now inaccessible to Germany, are clamoring to have Zuendel thrown off, so that all good Germans can once again access their pages. The implications of this are fairly clear. I'm not sure if there are any U.S. _legal_ questions, except that Zuendel and similarly controversial material is protected by customer agreements (as Schlefler notes, Zuendel has violated no user rules, and so Webcom cannot kick him off for rule violations). What next? AOL and Compuserve turn off access to the many European countries that have Web pages containing what we call "child porn" (but which is legal in the Netherlands, Denmark, etc.), Bangla Desh turns off access to sites that have pages describing the cooking of beef, and Iran turns off access to any country that allows women to have a presence on their systems? A good thing Web proxies (remailers for http accesses) are so far along! By the way, I saw Schlefler being interviewed. I'll keep you posted. --Tim May Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." 
From usura at utopia.hacktic.nl Sat Jan 27 20:16:12 1996 From: usura at utopia.hacktic.nl (Alex de Joode) Date: Sun, 28 Jan 1996 12:16:12 +0800 Subject: "German service cuts Net access" (to Santa Cruz) Message-ID: <199601280353.EAA16076@utopia.hacktic.nl> Belgian TV (the Dutch language channel) has a page on teletext (Ceefax) [I don't think US tv has that feature] stating that the French backbone is thinking about blocking sites that provide information that they deem ethically unacceptable, like sites that promote the denial of Konzentrations Lagers, the extreme right, pornographic and pedophile sites. [page 128 BRTN, for those who can receive BRT] From rsalz at osf.org Sat Jan 27 20:16:39 1996 From: rsalz at osf.org (Rich Salz) Date: Sun, 28 Jan 1996 12:16:39 +0800 Subject: "Gentlemen do not read each other's mail" Message-ID: <9601280359.AA12033@sulphur.osf.org> >They probably should do, the NSA was critical in ensuring the demise >of the USSR and in maintaining stability throughout the cold war period. Please explain. From bplib at wat.hookup.net Sat Jan 27 21:05:53 1996 From: bplib at wat.hookup.net (Tim Philp) Date: Sun, 28 Jan 1996 13:05:53 +0800 Subject: "German service cuts Net access" (to Santa Cruz) In-Reply-To: Message-ID: Ernst Zuendel is the head of a neo-nazi group based in Toronto Canada who has been to court several times for violating Canada's 'hate speech' laws. If I remember correctly he has been convicted for publishing this kind of stuff here in Canada. Mr Zuendel is, unfortunately, one of those unsavoury causes that free speech people are forced into defending to protect a principle. What he is doing from an American (I assume it is American) provider is illegal in Canada. The Canadian law is foolish and the new technology of the Internet is proving it to be so. I wonder how long before the German government realizes that by chopping off access to parts of the Internet, they are only hurting themselves.
They will soon suffer a technological 'death by a thousand cuts' if they continue on their present course. The disturbing thing about all of this is that they may become an example of a 'successful' strategy to combat the four modern horsemen of the apocalypse. Regards, Tim Philp =================================== For PGP Public Key, Send E-mail to: pgp-public-keys at swissnet.ai.mit.edu In Subject line type: GET PHILP =================================== From matrix at citenet.net Sat Jan 27 21:10:01 1996 From: matrix at citenet.net (MatriX Spider) Date: Sun, 28 Jan 1996 13:10:01 +0800 Subject: Subscription Message-ID: <9601280444.AA08368@cti02.citenet.net> I'd like to subscribe to this mailing list. Thanks for your time. From ampugh at mci.newscorp.com Sat Jan 27 21:23:13 1996 From: ampugh at mci.newscorp.com (Alan Pugh) Date: Sun, 28 Jan 1996 13:23:13 +0800 Subject: "German service cuts Net access" (to Santa Cruz) Message-ID: <199601280459.XAA15779@kafka.delphi.com> >"Germany's biggest Internet provider has blocked access to a Santa Cruz >computer service that makes available neo-Nazi propaganda in another sign >of the growing tension over material available on the Internet. > >"Deutsche Telekom, Germany's national phone company, blocked its 1 million >customers Thursday from gaining access to Internet "Web sites" maintained >by customers of Web Communications of Santa Cruz. At least my local paper got it right in the AP article they published on this... "The block - analogous to the government ordering a bookstore to take every book by a given publisher off the shelves because it objected to one title - was imposed Thursday."
From adam at lighthouse.homeport.org Sat Jan 27 21:24:59 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sun, 28 Jan 1996 13:24:59 +0800 Subject: Denning's misleading statements In-Reply-To: <199601280025.QAA24212@mark.allyn.com> Message-ID: <199601280502.AAA15901@homeport.org> Mark Allyn wrote: | I would like to make a suggestion that D. Denning; others | who are pro-escrow/clipper; and some of you folks here on | this forum get together for a debate. Why bother? Denning's position is that we'll go away. By deploying remailers, PGP, and other pro-privacy technologies, we change the terms of the debate, and we change the facts that they must deal with. Write code, not rants. I wrote a mixmaster installer script recently to make installing a Mixmaster easy. (You can get it by sending me a message with a "Subject: get mixmaster".) I'm working on code to allow a Mixmaster to only send to other mixmasters, and local users. This would allow people to covertly run a Mixmaster, avoiding the headache of having anonymized messages come from your site. Now and then, debating with Denning and the like is fun. But she's a statist, and I'm not. We aren't going to see eye to eye on this stuff, so rather than responding, with detailed arguments, respond with code that does new & nifty stuff. A GUI version of premail would be cool, as would a key management utility for handing PGP keyrings and webs of trust. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From jamesd at echeque.com Sat Jan 27 22:17:37 1996 From: jamesd at echeque.com (James A. Donald) Date: Sun, 28 Jan 1996 14:17:37 +0800 Subject: BAA_bab Message-ID: <199601280536.VAA01365@mailx.best.com> --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. 
Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jamesd at echeque.com Sat Jan 27 22:24:04 1996 From: jamesd at echeque.com (James A. Donald) Date: Sun, 28 Jan 1996 14:24:04 +0800 Subject: Hash trees and bank solvency. Message-ID: <199601280537.VAA01455@mailx.best.com> I publish this trivial and obvious idea, because if I do not publish it, some clown will surely patent it. (Has the patent on chewing gum and walking at the same time been taken yet? The more outrageous patents the patent office issues, the more power and influence they get and the more funds they receive.) One of the great hazards with banking, and with financial services similar to banking, is that the financial institution has the opportunity to steal a great deal of money. One solution to this problem is government auditors. Government inspectors, unlike private auditors, can force their way in, in the early hours of the morning, and as each bank employee turns up, take him to a separate cubicle and interrogate him with a gun in one hand and an account book in the other. This makes it difficult for the financial institution to fabricate a misleading picture of its financial situation. A hash tree can provide proof to a bank's customers that the bank only has the amount outstanding that it claims to have, without the need for gunmen to check the totals. At the close of month, the customer accounts are organized into a hash tree with the totals forming part of the hash. Each node is a hash of the two nodes below it, and the amounts of money in the two nodes, and the sum of those two amounts. Each customer can then see that the money the bank owes him is a part of the total the bank claims to owe. If a customer discovers he is not part of the hash tree, he knows the bank, or financial institution, understates its indebtedness; no auditors, government or otherwise, required.
--------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jamesd at echeque.com Sat Jan 27 22:26:10 1996 From: jamesd at echeque.com (James A. Donald) Date: Sun, 28 Jan 1996 14:26:10 +0800 Subject: When do patents expire on Rabin's public key scheme? Message-ID: <199601280538.VAA01588@mailx.best.com> When do patents expire on Rabin's public key scheme? RSA claims that the Diffie-Hellman patent, which expires on the 29th of April, 1997, covers all public key cryptography. ElGamal and Rabin are unpatented. Schneier says that ElGamal will be free of patent restrictions after that, but he says nothing about Rabin. Rabin's encryption and signatures take up the same amount of space as RSA signatures, and encryption, but ElGamal takes up twice the space, thus Rabin seems preferable to ElGamal. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jdoe-0007 at alpha.c2.org Sat Jan 27 22:30:31 1996 From: jdoe-0007 at alpha.c2.org (jdoe-0007 at alpha.c2.org) Date: Sun, 28 Jan 1996 14:30:31 +0800 Subject: PIDAHO and EUDORA PRO 2.2 Message-ID: <199601280517.VAA14669@infinity.c2.org> In response to the "what has John Doe got that PIDAHO doesn't" messages I tried to PIDAHO v2.6b. I am unable to make it work. Messages from PIDAHO can not be sent to the selected and OnLine EUDORA PRO application. I also suspect that it has something to do with the fact PIDAHO is a 16bit app and EUDORA PRO v2.2 is 32bit.
I am running it on a WIN95 internal tcp/ip stack to a dial up ppp connection. Any help and or advice would be sincerely appreciated. John Doe -0007 From shamrock at netcom.com Sat Jan 27 22:31:54 1996 From: shamrock at netcom.com (Lucky Green) Date: Sun, 28 Jan 1996 14:31:54 +0800 Subject: "German service cuts Net access" (to Santa Cruz) Message-ID: At 4:53 1/28/96, Alex de Joode wrote: >Belgian TV (the dutch language channel) has a page on teletext (Ceefax) >[I don't think US tv has that feature] stating that the French backbone >is thinking about blocking sites that provide information that they deem >ethicly unacceptable, like sites that promote the denial of Konzentrations >Lagers, the extreme right, pornografic and pedophile sites. Wonder how long before they will include gereral purpose proxies in the proposed ban. We should start a "banned websites pool". If a site gets banned, the controversial content will be mirrored at all other sites. There are enough ISPs on this list to make that happen. Will they have the courage? -- Lucky Green PGP encrypted mail preferred. From jamesd at echeque.com Sat Jan 27 22:51:22 1996 From: jamesd at echeque.com (James A. Donald) Date: Sun, 28 Jan 1996 14:51:22 +0800 Subject: RANT: When hi-tech is a hinderance (freedom w/in limits) Message-ID: <199601280626.WAA04730@mailx.best.com> At 01:48 AM 1/28/96 +0100, Anonymous wrote: > > A short 'rant' on techno-dinosaurism... > > Or look back to the 13th century when European soldiers were > high-tech wearing tons of armor and used cross bows. it was > imposing high-tech for the time, but they couldn't move fast or > fire arrows quickly... and they were skagmeat for Mongols > who were comparatively low-tech. This is incorrect: The Mongols had superior technology to the people they conquered. 
In particular Mongol arrows could penetrate armor more effectively than anybody else's arrows, and Mongol siege engines could level city walls far more effectively than anybody else's siege engine. It might well seem strange that nomads had higher technology, but urban civilization of that era was in a twilight era and suffered great technological stagnation and regression. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From frogfarm at yakko.cs.wmich.edu Sat Jan 27 22:57:48 1996 From: frogfarm at yakko.cs.wmich.edu (Damaged Justice) Date: Sun, 28 Jan 1996 14:57:48 +0800 Subject: German service cuts Net access Message-ID: <199601280630.BAA02016@yakko.cs.wmich.edu> To momentarily flog a dead horse, banning content only makes it more desirable. Fortunately, the economic aspect doesn't seem to hold true for now; i.e., when real world objects are banned, they become more expensive to access (cf. the artificially inflated prices of heroin, cocaine, LSD, etc). Information, OTOH, so far does not seem subject to this cause-and-effect rule. Italics: So Far. The less regulated and more diverse the net becomes, the more the relative prices for commodities (disk space, CPU cycles, bandwidth) will accurately reflect their "true" value at any given moment. Anyway, my original point was just to remind everyone of what they should already know: namely, that people may not care about not doing something until they are told that they cannot, at which point they will move heaven and earth to Do the Deed. Statists (and a lot of child psychologists) call it "obstinate" or "defiant". ObAside: If you haven't yet, read the latest DSM (the holy writ of the so-called "mental health" profession). Ugly stuff. 
Who is allowed to define "normal"? Who profits from the creation of such definitions and labelling of individuals? -- http://yakko.cs.wmich.edu/~frogfarm ...for the best in unapproved information Tell your friends 'n neighbors you read this on the evil pornographic Internet "Where one burns books, one will also burn people eventually." -Heinrich Heine People and books aren't for burning. No more Alexandrias, Auschwitzs or Wacos. From mpd at netcom.com Sat Jan 27 23:02:14 1996 From: mpd at netcom.com (Mike Duvos) Date: Sun, 28 Jan 1996 15:02:14 +0800 Subject: Hash trees and bank solvency. In-Reply-To: <199601280537.VAA01455@mailx.best.com> Message-ID: <199601280643.WAA22528@netcom9.netcom.com> "James A. Donald" writes: > One solution to this problem is government auditors. > Government inspectors, unlike private auditors, can force > their way in, in the early hours of the morning, and as each > bank employee turns up, take him to a separate cubicle and > interogate him with a gun in one hand and an account book in > the other. This makes it difficult for the financial > institution to fabricate a misleading picture of its > financial situation. This would be killing a mosquito with a flyswatter. Besides, the employees of a financial institution may be in no position to accurately state its financial situation, even if they are in little cubicles with guns to their heads. A somewhat more civilized method is used by my broker, who gets audited on a regular schedule by one of the major accounting firms. The accounting firm puts an insert into every statement periodically, with an envelope addressed to the accounting firm, asking the customer to carefully examine the enclosed statement and to contact them if it is not entirely accurate. > A hash tree can provide proof to a banks customers that the > bank only has the amount outstanding that it claims to > have, without the need for gunmen to check the totals. 
> At the close of month, the customer accounts are organized > into a hash tree with the totals forming part of the hash. > Each node is a hash of the two nodes below it, and the > amounts of money in the two nodes, and the sum of those two > amounts. > Each customer can then see that the money the bank owes him > is a part of the total the bank claims to owe. If a > customer discovers he is not part of the hash tree, he knows > the bank, or financial institution, understates its > indebtedness; I would trust the typical customer to mail back a form to an outside auditor far more than I would trust him to examine a hash tree, check his own entry, check the neighborhood of his own entry for cryptographic integrity, and sound an alarm. To be perfectly candid, I would not even want the task of explaining to the typical banking customer what a hash tree was. The outside auditor can of course be spoofed by giving him access only to some subset of customer accounts. The hash tree can be spoofed by not telling a subset of customers of its existence. All things considered, I think I would prefer the auditor. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From tcmay at got.net Sat Jan 27 23:02:35 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 28 Jan 1996 15:02:35 +0800 Subject: "German service cuts Net access" (to Santa Cruz) Message-ID: Detweiler will foam and rant that I am acting as a stooge for the NSA (though he used to be on the side of the NSA and violently opposed to our views...go figure), but I feel it important to point out a few things for ISPs to consider: At 5:54 AM 1/28/96, Lucky Green wrote: >Wonder how long before they will include general purpose proxies in the >proposed ban. > >We should start a "banned websites pool". If a site gets banned, the >controversial content will be mirrored at all other sites. There are enough >ISPs on this list to make that happen. Will they have the courage?
Consider some points: * the Germans recently arrested an American who landed in Germany somewhere, as part of a trip. It seems he had been involved with the production of Neo-Nazi material, somewhere out west. This was the last I heard about the story. Sorry, I'm going from carbon-based memory. * the Germans had kept a record of certain names, and picked him up for violation of their laws about hate crimes, Holocaust revisionism, etc. * consider how much easier it is getting to store the names of those who violate the laws of a country. I would not want to be the operator of a site which mirrored the Zundelsite if I ever expected to pass through Germany. Or possibly any other country which has liberal extradition arrangements with Germany. At least the Germans don't snatch people from other countries, as the U.S. and Israel have done. By the way, while I haven't heard what happened to the American nabbed when he landed in Germany--the story was a few weeks or months ago, as I recall--there was a humorous slant to the story. Seems the American was going on and on about his Constitutional rights to free speech.... --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Sun Jan 28 00:58:16 1996 From: tcmay at got.net (Timothy C. 
May) Date: Sun, 28 Jan 1996 16:58:16 +0800 Subject: Downsizing the NSA Message-ID: At 9:33 PM 1/27/96, hallam at w3.org wrote: >They probably should do, the NSA was critical in ensuring the demise >of the USSR and in maintaining stability throughout the cold war period. > >The point is not that the NSA had no military function. The point is that >it is now an agency searching for a role. It is often a dangerous thing >for the military to involve itself in civil affairs. I agree with this strongly. From my readings about the NSA in particular and SIGINT in general, they played a valuable role in the 1950-1990 Cold War period. (I'm not so sure a world war would have resulted in some alternate history where the NSA did not exist, but I suspect things might have been more chaotic and that war might have been likelier. I am thus prepared to give credit to the NSA where credit is due.) However, as Phill notes, the NSA and other intelligence agencies are now in that most dangerous of positions: a powerful agency or department casting about for something to do. Spying on citizens and keeping the keys to their private communications and diaries is not an appropriate option. AT&T is downsizing, IBM downsized a while back, so why couldn't the NSA just do the right thing: admit that the Soviet threat is no more, congratulate the victors, and downsize by 20,000 employees? --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." 
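The hash tree with totals proposed in the "Hash trees and bank solvency" post earlier in this thread, and the objection raised in the reply to it, worked through as an added example; this is not code from either poster. SHA-256, amounts in cents, the zero-balance padding node and the account names and balances are all assumptions constructed for illustration.

```python
import hashlib

def _h(*parts):
    """SHA-256 over length-prefixed fields (the hash function is an assumption)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big"))
        m.update(p)
    return m.digest()

def _amt(cents):
    return cents.to_bytes(8, "big")

def leaf(account, cents):
    """Leaf node: (hash, amount the bank owes this customer)."""
    return (_h(b"leaf", account.encode(), _amt(cents)), cents)

def parent(left, right):
    """Node as the post defines it: a hash of the two nodes below it,
    the two amounts, and the sum of those amounts."""
    (lh, la), (rh, ra) = left, right
    return (_h(b"node", lh, rh, _amt(la), _amt(ra), _amt(la + ra)), la + ra)

PAD = (_h(b"pad"), 0)  # zero-balance filler for odd-sized levels (assumption)

def build(accounts):
    """Return every level of the tree; levels[-1][0] is the published root."""
    if not accounts:
        raise ValueError("no accounts")
    cur, levels = [leaf(a, c) for a, c in accounts], []
    while True:
        if len(cur) > 1 and len(cur) % 2:
            cur = cur + [PAD]
        levels.append(cur)
        if len(cur) == 1:
            return levels
        cur = [parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)]

def prove(levels, index):
    """Bank side: the sibling nodes a customer needs to recompute the root."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append((level[sib], sib < index))  # (node, sibling_is_on_left)
        index //= 2
    return path

def verify(account, cents, path, root):
    """Customer side: rebuild the root from one's own balance and the path.
    Negative amounts are rejected, since they would shrink the claimed total."""
    if cents < 0:
        return False
    node = leaf(account, cents)
    for sibling, sibling_is_left in path:
        if sibling[1] < 0:
            return False
        node = parent(sibling, node) if sibling_is_left else parent(node, sibling)
    return node == root

def customers_who_can_verify(accounts, levels):
    """For each real customer, is there any position in the published tree
    whose path reproduces the root from that customer's true balance?"""
    root, width = levels[-1][0], len(levels[0])
    return {name for name, cents in accounts
            if any(verify(name, cents, prove(levels, i), root)
                   for i in range(width))}

# Constructed sample ledger, balances in cents.
ACCOUNTS = [("alice", 120000), ("bob", 5000), ("carol", 73050),
            ("dave", 999), ("erin", 40000)]

if __name__ == "__main__":
    honest = build(ACCOUNTS)
    print("honest total owed:", honest[-1][0][1])
    print("can verify:", sorted(customers_who_can_verify(ACCOUNTS, honest)))

    # Bank leaves carol out, so the published total understates what it owes.
    short = build([a for a in ACCOUNTS if a[0] != "carol"])
    print("understated total:", short[-1][0][1])
    print("can verify:", sorted(customers_who_can_verify(ACCOUNTS, short)))
```

In the second run every customer except the omitted one still verifies, so the understatement comes to light only if that one customer actually checks, which is the weakness the reply points out.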
From tcmay at got.net Sun Jan 28 17:42:44 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 28 Jan 1996 17:42:44 -0800 Subject: The Dangers of Cross-Pollinating Other Mailing Lists Message-ID: mailing lists on messages they send to Cypherpunks (or vice versa), we often get flooded with insults and spams from people who don't share our views. (While I have nothing against trying to recruit others to our views, in my opinion this is best done by judicious writing of essays for _them_, tuned to their interests, and not in mindless spamming of every list that might have a passing interest in some of the topics.) We already have enough traffic here, and don't need replies from a bunch of other lists, be they libertarian lists, digital commerce lists, human rights lists, or java lists. The latest example of this is the rantfest involving these players: ------ From: Jack Hammer To: jim bell Cc: Rich Graves , cypherpunks at toad.com, nwlibertarians at teleport.com, hammernet-l at teleport.com, libernet-d at dartmouth.EDU, liberty-and-justice at pobox.com ------ I recognized Bell and Graves, but not the others. And I see no reason why our list should be dragged into flames about "fart sacks" by people on all of these other lists. This was the final straw, and I have no choice except to add Bell, Graves, Hammer, etc. to my filter list, which I will now proceed to do before sending this message off. [Done] Words have consequences. So do flames. --Tim May From carolann at censored.org Sun Jan 28 02:10:30 1996 From: carolann at censored.org (Censored Girls Anonymous) Date: Sun, 28 Jan 1996 18:10:30 +0800 Subject: CP LITE: A Censorship Device? Message-ID: <199601280956.CAA19572@usr2.primenet.com> I've been watching this CP Lite thing develop. Sounds like an attempt to moderate the list. I mean it's easy to post out of it, but hard to answer to it. And all of the good back and forth discussion gets lost in a backwash of private email.
There is just no way I will send someone an email to a posting they post out of there. I think that would be a disservice to everyone here. Love Always, Carol Anne -- Member Internet Society - Certified BETSI Programmer - Webmistress *********************************************************************** Carol Anne Braddock (cab8) carolann at censored.org 206.42.112.96 My Homepage The Cyberdoc *********************************************************************** ------------------ PGP.ZIP Part [017/713] ------------------- M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M MF=O0H+*%(-S%&>S%+FS& http://dcs.ex.ac.uk/~aba/export/ From alanh at infi.net Sun Jan 28 02:23:28 1996 From: alanh at infi.net (Alan Horowitz) Date: Sun, 28 Jan 1996 18:23:28 +0800 Subject: Downsizing the NSA In-Reply-To: Message-ID: On Sun, 28 Jan 1996, Timothy C. May wrote: > AT&T is downsizing, IBM downsized a while back, so why couldn't the NSA > just do the right thing: admit that the Soviet threat is no more, > congratulate the victors, and downsize by 20,000 employees? You didn't read about it in the _Baltimore Sun_, so obviously it must not have happened? From llurch at networking.stanford.edu Sun Jan 28 02:32:23 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sun, 28 Jan 1996 18:32:23 +0800 Subject: [NOISE] Re: NWLibs> Re: Anonymous trashing of Assassination Politics In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sat, 27 Jan 1996, Jack Hammer wrote: > Here might be an interesting example of a snippet from a plot to commit > criminal syndicalism. You know, I'm not really sure whether you're kidding, ignorant, cheering, or warning. Frankly, I don't fucking care. You guys are all nuts. And I should know -- ask Clark or AlanD. I don't think this belongs in cypherpunks. I'll spam my response to the other lists. 
I have saved Jim Bell's "Assassination Politics" essay, with his PGP signature, and soon to be a lot of other things, at http://www-leland.stanford.edu/~llurch/Not_By_Me_Not_My_Views/ I plan to collect as many off-the-wall conspiracy theories in this directory as will fit in my disk quota. And when I run out of quota, I'll raise it for myself. A pox on all your houses. I think it's time the wacky right and wacky left started looking at each other's Web pages and lurking on each others' lists. It's really funny putting two "Anarchist" pages, one featuring Che Guevara, the other featuring David Duke, side by side. Both say the guvment is out to get them; they often have diametrically opposed interpretations of the same facts. I shall endeavor to facilitate an exchange. - -rich [chomp] > HAMMERNET-L NOW DAILY 08:00 to 09:00 7.56 khz TVRO C-1 Ch.15., 1150 AM > Pacific Northwest. Oh, goodie. I don't suppose that's enough power to reach down here? I already listen to KPFB and a couple of Patriot stations on the shortwave. > HOW TO JOIN THE HAMMERNET. > > Receive the most interesting e-mail and get to know the best writers on > the Internet. Saints and flamers, they're on the Hammernet! Here's how to > join. Send the following message in the body of your text space to > majordomo at teleport.com : > > subscribe hammernet-l > > It's as easy as that! Woo woo! - -rich -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMQtMoY3DXUbM57SdAQGbtQQA3UMlm+pe30w4tgiEqhP8/4rjhmJbZMlL DnRx+IlrzrusNDoX1D2aIgA0KfjWYeROJ1Px/Tb5u6I0qf8PfnhgGVkvHXbW//1O t7mO19pEjGt8qb2Vvvo9uU5Pe2sEziB6j3UX/mgGASFKyV13LXy3Ld3JVxOq7cTj TUs6HjI6p/E= =9NS6 -----END PGP SIGNATURE----- From steve at aztech.net Sun Jan 28 02:58:53 1996 From: steve at aztech.net (Steve Gibbons) Date: Sun, 28 Jan 1996 18:58:53 +0800 Subject: Possible Java hack. Message-ID: <0099CFE5.860A1B00.11@aztech.net> Rich, [I've CCed this to cypherpunks, as well, I hope that you don't mind.] 
In Article: , Rich Graves wrote: # On Sat, 27 Jan 1996, Stephen P. Gibbons wrote: # > If this is the case (and I don't have a source license at this point, or # > even a system that will run Java) there is the possibility that a system # > with control of a web server and a DNS server could coerce a Java client # > into initiating TCP connections to clients other than the system that # > provided the applet (which should be a prohibited behavior, as I read the # > specs.) # If I understand you correctly, this is only true if neither your stack nor # your client caches DNS queries. One or the other almost always does, at # least for a minute, no matter how low you set TTL. Yes, a client that caches DNS queries can get in the way somewhat. I've already considered this, and the "devious applet" would take advantage of Java's capability to use multiple threads (one of which would sleep() for whatever period of time was necessary to invalidate the cache, and _then_ initiate the attack.) Yes, there are various other specific cases that need to be considered in order to make the attacking app (if it's even feasible) work all of (or a good percentage of) the time. It would be very easy to conceal the "devious" portion of the applet inside of a trojan horse that ran for a length of time greater than the minimum TTL for DNS caching. -- Steve at AZTech.Net From packrat at ratbox.rattus.uwa.edu.au Sun Jan 28 03:20:26 1996 From: packrat at ratbox.rattus.uwa.edu.au (Bruce Murphy) Date: Sun, 28 Jan 1996 19:20:26 +0800 Subject: more RANTING about NSA-friendly cpunks In-Reply-To: <199601262011.MAA17408@netcom16.netcom.com> Message-ID: <199601280510.NAA00268@ratbox.rattus.uwa.edu.au> In message <199601262011.MAA17408 at netcom16.netcom.com>, "Vladimir Z. Nuri" wrote: > > has anyone *tried* just ignoring the ITAR wrt crypto and seeing what > would happen?
the gubbermint blindly thinks that cyberspace will > inevitably bring the wrath of four horsemen of the infocalypse, but aren't we > equally as comic in assuming that violating the ITAR crypto sections > will inevitably bring the 4 horsemen of the NSA?? One word... Zimmerman. I do agree with what you're saying though. -- Packrat (BSc/BE;COSO;Wombat Admin) Nihil illegitemi carborvndvm. From bruceab at teleport.com Sun Jan 28 03:23:08 1996 From: bruceab at teleport.com (Bruce Baugh) Date: Sun, 28 Jan 1996 19:23:08 +0800 Subject: PIDAHO and EUDORA PRO 2.2 Message-ID: <2.2.32.19960128111051.00674608@mail.teleport.com> At 09:17 PM 1/27/96 -0800, jdoe-0007 at alpha.c2.org wrote: >In response to the "what has John Doe got that PIDAHO doesn't" messages I tried to >PIDAHO v2.6b. I am unable to make it work. Messages from PIDAHO can not be sent to >the selected and OnLine EUDORA PRO application. Um, yes, indeed they can. I do it routinely. Eudora Pro is one of the options in the drop-down list box in the E-mail|Transfer options... dialog, right below the buttons for canned settings. And it works just fine. You are making sure that you've got Eudora with a blank new message ready to go, right? Bruce Baugh bruceab at teleport.com http://www.teleport.com/~bruceab From frissell at panix.com Sun Jan 28 04:10:21 1996 From: frissell at panix.com (Duncan Frissell) Date: Sun, 28 Jan 1996 20:10:21 +0800 Subject: Hash trees and bank solvency. Message-ID: <2.2.32.19960128115355.0097fcf4@panix.com> At 09:33 PM 1/27/96 -0800, James A. Donald wrote: >A hash tree can provide proof to a banks customers that the bank only >has the amount outstanding that it claims to have, without the need >for gunmen to check the totals. Ask Eric Hughes (one of our founders) to describe his Open Books Protocol for you. You're a few years too late. 
DCF From frissell at panix.com Sun Jan 28 04:12:48 1996 From: frissell at panix.com (Duncan Frissell) Date: Sun, 28 Jan 1996 20:12:48 +0800 Subject: "German service cuts Net access" (to Santa Cruz) Message-ID: <2.2.32.19960128115634.00977b14@panix.com> At 12:07 AM 1/28/96 -0800, Timothy C. May wrote: >* the Germans recently arrested an American who landed in Germany >somewhere, as part of a trip. It seems he had been involved with the >production of Neo-Nazi material, somewhere out west. This was the last I >heard about the story. Sorry, I'm going from carbon-based memory. > He was grabbed in Denmark and extradited to Germany so you'd have to avoid most of the EU. DCF From tallpaul at pipeline.com Sun Jan 28 06:09:07 1996 From: tallpaul at pipeline.com (tallpaul) Date: Sun, 28 Jan 1996 22:09:07 +0800 Subject: [NOISE] Re: NWLibs> Re: Anonymous trashing of Assassination Politics Message-ID: <199601281354.IAA05861@pipe8.nyc.pipeline.com> On Jan 28, 1996 02:17:11, 'Rich Graves ' wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >On Sat, 27 Jan 1996, Jack Hammer wrote: > > >I think it's time the wacky right and wacky left started looking at each >other's Web pages and lurking on each others' lists. It's really funny >putting two "Anarchist" pages, one featuring Che Guevara, the other >featuring David Duke, side by side. > I don't understand the crypto-relevance of this, but since it was posted: 1) What "anarchist" group featured a photo of Che Guevara; 2) When did the KKK that at one time proudly had Sheriffs, Judges, and Governors as members become "Anarchist"? -- tallpaul "To understand the probable outcome of the Libertarian vision, see any cyberpunk B movie wherein thousands of diseased, desperate and starving families sit around on ratty old couches on the streets watching television while rich megalomaniacs appropriate their body parts for their personal physical immortality." R. U.
Sirius _The Real Cyberpunk Fakebook_ From pcw at access.digex.net Sun Jan 28 06:20:35 1996 From: pcw at access.digex.net (Peter Wayner) Date: Sun, 28 Jan 1996 22:20:35 +0800 Subject: SDTI Patent (was "Concryption" patent) Message-ID: Here are the Claims to the "Concryption" patent (5,479,512) that was just issued. I've annotated the claims with thoughts about how they shouldn't apply. For those who don't know patent law, the system is very hierarchical. For instance claim 1 here is known as a base claim. Claim 2 is dependent on claim 1. I believe that Claim 1 would be ruled invalid because of the prior art contained in my Cryptologia article, "A Redundancy Reducing Cipher" published in May 88. The journal is found in many university libraries so I don't think there should be any argument about the nature of publication. The article describes how to encipher text by permuting a Huffman tree used to compress data. The idea was to add some noise to the compression phase of any encryption. Huffman compression works by building a big binary tree. The characters are held in the leaves of the tree. The code for a particular character is specified by the path from the root to the leaf. Ordinarily, the left branch is given a 0 and the right branch is specified by a 1. This addressing remains fixed throughout the compression. I suggested flipping these addressing bits at some pseudorandomly determined interval. The purpose of the paper was to do compression and encryption at the same time. For that reason, I believe the paper reads directly against Claim 1, a claim that I also believe is overly broad. The rest of the claims seem obvious to me because they borrow well-known techniques from well-known ciphers like DES. "Obviousness" is a really non-obvious detail in patent law. Essentially, an idea is not patentable if the idea is "obvious" to one practiced in the art. Naturally, this is very hard to define and it depends upon plenty of case law.
In my mind, the only novelty is their integration with claim 1. I don't know enough about "obviousness" in this case, but I wouldn't be surprised if the entire patent failed to hold up under scrutiny. -Peter Wayner >CLAIMS: What is claimed is: > > 1. A method for utilizing a data processor to change the >form of data >comprising the steps of: > > a) obtaining the data at the processor in clear form; > > b) obtaining an encryption key at the processor; > > c) the processor performing a multi-step compression >operation on said >clear-form data; > > d) the processor automatically utilizing said encryption key >in conjunction >with the results as directly generated by the processor for a >selected step of >said compression operation in performing an encryption >operation, the >compression steps of step (c) and the encryption step of step >(d) being >integrated to be performed as parts of a single operation; and > > e) the processor outputting the resulting compressed and >encrypted version >of the clear-form data. > > 2. A method as claimed in claim 1 wherein step (e) includes >the step, of >storing the resulting compressed and encrypted data in memory. This should be obvious to anyone skilled in the art of programming a computer. > > 3. A method as claimed in claim 1 wherein step (e) includes >the step of >transmitting the resulting compressed and encrypted data. This should be obvious to anyone skilled in the art of programming a computer. > > 4. A method as claimed in claim 1 wherein said encryption >key is a code >derived from a token. This should be obvious to anyone skilled in the art of programming a computer. > > 5. A method as claimed in claim 4 wherein the code derived >from a token is >a one-time nonpredictable code. I'm not sure what a one-time, unpredictable code is. But it would help if both sides could have access to it. This should be obvious to anyone skilled in the art of programming a computer. > > 6.
A method as claimed in claim 1 wherein step (d) includes >the steps >performed by the processor of dividing the results of the >selected step of the >compression operation into a plurality of segments, selecting >an encryption >key for each segment and performing an encryption operation for >each segment >utilizing the corresponding encryption key. This should be obvious to anyone skilled in the art of creating a crypto system. Block ciphers are very common. DES is well known. > > 7. A method as claimed in claim 6 wherein the step of >selecting an >encryption key includes the step of processing the obtained >encryption key to >form a separate encryption key for each of the plurality of >segments. Key permutation is also well-known. One form of DES uses the result from the previous block to change the key for the next block. > > 8. A method as claimed in claim 6 wherein the step of >selecting an >encryption key includes the step of utilizing the same >encryption key for all >segments. Big deal. > > 9. A method as claimed in claim 1 wherein step (d) includes >the steps >performed by the processor of dividing the results of the >selected step of the >compression operation into a plurality of segments, utilizing >the obtained >encryption key to perform an encryption operation for a first >of said >segments, and utilizing a selected function of at least a >portion of the >encryption operation for a given segment as the encryption key >for performing >an encryption operation on a succeeding segment. Should be obvious for the usual reasons. DES did cipher block chaining. > > 10. A method as claimed in claim 9 wherein the data is text >and wherein a >segment is N lines of such text, where N is an integer. Big deal. > > 11. A method as claimed in claim 1 wherein the encryption >operation >includes the step of the processor performing an exclusive >ORing operation >with the encryption key and the results of the selected step. Should be obvious. 
The method is used in other systems. > > 12. A method as claimed in claim 1 wherein step (b) includes >the step of >forming the encryption key by exclusive ORing a password for a >system user >with a code derived from a token in the possession of the user. > > 13. A method as claimed in claim 1 wherein step (c) includes >the step of >the processor performing an initial run-length encoding >operation on the > >clear-form data and > > wherein step (d) is performed on the results of the >run-length encoding >step. > > 14. A method as claimed in claim 1 wherein step (d) is >performed on at >least one element used in a compression step. > > 15. A method as claimed in claim 14 wherein the element on >which encryption >is performed is a table used in performing a compression step. > > 16. A method as claimed in claim 1 including the step of >restoring the data >to clear form for utilization, said restoring step including >the steps of >performing at least one decompression operation and at least >one deencryption >operation, said decompression and deencryption steps being >performed in >reverse order to the performance of steps (c) and (d). > > 17. A method for utilizing a data processor to concrypt data >comprising the >steps of: > > the processor obtaining the data in clear form; > > the processor performing a concryption operation on the >clear data, said >concryption operation including at least one compression step >and at least one >encryption step automatically performed in a selected sequence >as an integral >operation; and > > the processor outputting the resulting concrypted data. > > 18. A method as claimed in claim 17 including the step >performed at a data >processor of deconcrypting the concrypted data to permit use >thereof in clear >form, the deconcrypting step including at least one >decompression step and at >least one deencryption step performed automatically in a >sequence which is >substantially the reverse of said selected sequence. > > 19. 
A method as claimed in claim 17 wherein an encryption >step is performed >on the results of at least one stage of a compression step. > > 20. A method as claimed in claim 17 wherein an encryption >step is performed >on at least one element used in a compression step. The rest of these are just apparatus claims that seem to repeat the earlier, more abstract "method" claims in different form. Patent law has traditionally distinguished between an idea for doing something, the "method", and the machines that actually do it, "the apparatus." I didn't see anything new here. > > 21. Apparatus for utilizing a data processor to change the >form of data >comprising: > > means for obtaining the data at the processor in clear form; > > means for obtaining an encryption key at the processor; > > means for performing at the processor a multi-step >compression operation on >said clear-form data; > > means at the processor for automatically utilizing said >encryption key in >conjunction with the results as directly generated by the >processor for a >selected step of said compression operation in performing an >encryption >operation, the compression performed by the compression means >and the >encryption performed by the encryption means being integrated >to be performed >as parts of > >the same operations; and > > means at the processor for outputting the resulting >compressed and >encrypted version of the clear-form data. > > 22. Apparatus as claimed in claim 21 wherein the means for >performing an >encryption operation includes means at the processor for >dividing the results >of the selected step of the compression operation into a >plurality of >segments, and means for performing an encryption operation for >each segment >utilizing the corresponding encryption key. > > 23. 
Apparatus as claimed in claim 22 wherein the means for >selecting an >encryption key includes means for processing the obtained >encryption key to >form a separate encryption key for each of the plurality of >segments. > > 24. Apparatus as claimed in claim 21 wherein the means for >performing an >encryption operation includes means at the processor for >dividing the results >of the selected step of the compression operation into a >plurality of >segments, means for utilizing the obtained encryption key to >perform an >encryption operation for a first of said segments, and means >for utilizing a >selected function of at least a portion of the encryption >operation for a >given segment as the encryption key for performing an >encryption operation on >a succeeding segment. > > 25. Apparatus as claimed in claim 21 wherein the means for >performing an >encryption operation includes means at the processor for >performing an >exclusive ORing operation with the encryption key and the >results of the >selected step. > > 26. Apparatus as claimed in claim 21 wherein the means for >performing a >multistep compression operation includes means at the processor >for performing >an initial run-length encoding operation on the clear-form >data; and > > wherein the encryption operation is performed on the results >of the run- >length encoding operation. > > 27. Apparatus as claimed in claim 21 including means for >restoring the data >to clear form for utilization, said means for restoring >including means for >performing at least one decompression operation and at least >one deencryption >operation, said decompression and deencryption operations being >performed in >reverse order to the performance of compression and encryption >by said means >for compressing and said means for encrypting, respectively. > > 28. 
Apparatus for utilizing a data processor to concrypt >data comprising: > > means for obtaining the data at the processor in clear form; > > means for performing a concryption operation at the >processor on the clear >data, said concryption operation including means for performing >at least one >compression step and means for performing at least one >encryption step, said >compression and encryption steps being automatically performed >in a selected >sequence as an integrated operation; and means for the >processor outputting >the resulting concrypted data. > > 29. Apparatus as claimed in claim 28 including means at a >data processor >for deconcrypting the concrypted data to permit use thereof in >clear form, the >means for deconcrypting including means for performing at least >one >decompression step and means for performing at least one >deencryption step; >the decompression and deencryption steps being performed >automatically in a >sequence which is substantially the reverse of said selected >sequence. > << end of forwarded material >> From frissell at panix.com Sun Jan 28 06:25:53 1996 From: frissell at panix.com (Duncan Frissell) Date: Sun, 28 Jan 1996 22:25:53 +0800 Subject: "This post is G-Rated" Message-ID: <2.2.32.19960127133024.0098f658@panix.com> At 10:42 AM 1/26/96 -0800, Bill Frantz wrote: >I think you have a very different view of rating than I do. For example, I >would be comfortable rating all the Sesame Street shows for sex and >violence without seeing any more than I have seen, just based on the >reputation of the show's producers. Based on reviews in the newspaper >(since the net has replaced TV for me), most of the current network shows >can also be rated for all their episodes. Remember also, there is an >"unrated" category. Some people will refuse to access unrated material. >Others, (I suspect you and I) may seek it out. > That's fine for "brand name" shows but who's going to rate the 50 years of home movies Fred C.
Schwartz has lovingly digitized and put up on *his* server. DCF From jya at pipeline.com Sun Jan 28 06:33:05 1996 From: jya at pipeline.com (John Young) Date: Sun, 28 Jan 1996 22:33:05 +0800 Subject: YAN_kel Message-ID: <199601281412.JAA20616@pipe1.nyc.pipeline.com> 1-28-96. NYT: A "Viewpoint" article not on the NYT Web site: "Standoff in Cyberspace Gulch," by a Yankelovich author of the recent Cybercitizen Survey, reports on the showdown shaping up as the law moves into cyberspace, highlighting the clash between citizen fears about security and the desire for privacy, with stats from Yankelovich polls. The quandary here -- that regulations are both thought to be needed, yet anticipated to fail -- is the biggest issue, and one that puts additional pressure on the limits of cyberspace privacy. This crisis of confidence, as much as lawlessness itself, could easily choke the growth of cyberspace. YAN_kel Note: "Viewpoint" and "From the Desk Of" publishes readers' articles; submit by E-mail to or to . From jamesd at echeque.com Sun Jan 28 06:47:56 1996 From: jamesd at echeque.com (James A. Donald) Date: Sun, 28 Jan 1996 22:47:56 +0800 Subject: Microsoft's CryptoAPI - thoughts? Message-ID: <199601281436.GAA22473@mailx.best.com> >James A. Donald writes: > > A notable misfeature of the API is that it assumes that in general > > you will have two key pairs. One for signing and one for encrypting. > > > > Since in the most common case you are encrypting something related to a > > signed message by the person you are encrypting to, this is a > > bad idea, At 07:59 AM 1/27/96 -0500, Futplex wrote: > Could you elaborate ? I haven't heard of any known interaction > effects between a strong encryption algorithm and a distinct strong digital > signature algorithm (with or without distinct keys), I was concerned about a different issue: Suppose you have some signed information: You wish to send some encrypted information to the person who wrote that signed information. 
If the signing key and the encrypting key are the same, your software can locally ensure that you encrypt with the right key, (The correct key is the same public key that you used to check the signature on the message.) If the signing key and the encrypting key are different, then in order to ensure that you are not spoofed into using the wrong public key, the whole protocol must work correctly, exposing many more points of attack, since key management is the most complex and most vulnerable area. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From nobody at REPLAY.COM Sun Jan 28 07:35:01 1996 From: nobody at REPLAY.COM (Anonymous) Date: Sun, 28 Jan 1996 23:35:01 +0800 Subject: TollRoad (CA 91) and anonymity (fwd) Message-ID: <199601281520.QAA04604@utopia.hacktic.nl> From: gregbrooks at earthlink.net (Greg Brooks) Newsgroups: misc.transport.road,rec.autos.driving,ca.driving Subject: TollRoad (CA 91) and anonymity Date: 26 Jan 1996 03:08:09 -0500 Organization: Woo Studios Ltd. Lines: 103 Sender: dc at panix3.panix.com Message-ID: References: <4cv5j5$9ar at news.netvoyage.net> <4d6a2u$rh9 at curly.cc.emory.edu> <1996Jan15.033217 at clstac> NNTP-Posting-Host: panix3.panix.com In-reply-to: dc at panix3.panix.com's message of 25 Jan 1996 05:34:43 -0500 X-Newsreader: Gnus v5.0.13 > From gregbrooks at earthlink.net Thu Jan 25 12:30:45 1996 > Date: Thu, 25 Jan 1996 09:39:18 -0800 > To: Minister of Truth > From: gregbrooks at earthlink.net (Greg B.) > Subject: Re: Tolls and private highways (was: Re: private highway?) > > >The following message is a courtesy copy of an article > >that has been posted as well. 
> > [please post my response to the appropriate usenet groups -- I'm at work > and only have email here at my office.] > > > >[1] How easy is it to clone a valid toll box thingie (the thing you buy > > and put in your car) ? Such cloning has been a problem with > > cellular phones. > > There's a custom chip inside the transponder, so cloning is going to be > pretty much impossible without access to a supply of those chips. > Additionally, the communications between the transponder and the antenna > array, as well as between the array and our computer system, are encrypted. > > > > >[2] How actually does one buy a toll thingie and put money into an account ? > > Are they on sale at 7-11 or gas stations, or where ? > > We offer the transponders via mail (you can call an 800 number for an > application) and via a customer-service center for walk-ins. There's some > talk of exploring mass market channels, but nothing firm yet. > > > > >[3] How does one add more money to a thingie ? Or does one add money > > to an account, and leave the thingie unchanged ? > > The thingie remains unchanged. (Sounds prophetic, no?) When you sign up for > an account and transponder, here's what happens: If you sign up for a > credit-card account, we take an imprint of your card in lieu of a deposit > on the transponder, and we start your account off with a minimum balance of > $40. You, as a customer, agree to let us go back to your credit card and > replenish the account based on a pre-agreed amount when the balance reaches > a minimum level (typically $10). We also do the same for checking accounts > (automatic withdrawal) and have cash options for those customers who aren't > comfy with recurring automatic transactions on their card or account. The > replenishment of the accounts is system-based -- that is, you don't need to > physically bring your transponder in for a "fill up."
> > > >[4] If one is required to give a name when setting up an account > > is it an offense to give a false name ? > > We have an anonymous account option. > > > >[5] I have concerns about the privacy of the information collected > > about who goes where when. I suspect that your company will comply > > with a court order or search warrant rather than duel to the death with > > the SWAT team. How often and how thoroughly do you purge your > > records ? > > Our records are much like those kept by the phone company -- they're sealed > to the public and to official requests that aren't accompanied by a court > order. One area where we're actually more concerned about privacy than the > state of California is in the area of mailing lists. Quite simply, we'll > never sell our customer list to anyone for any reason -- but even the state > DMV sells lists. We don't ever purge our records. > > > > > >[6] How many intersections/on/off/ramps are there ? > > The project is a true express lanes configuration -- no intermediate > access. Basically, you get on at one end and get off 10 miles later. > Flexible channelizers form the barrier between the freeway and the project, > so in an emergency you could get out if you needed to. > > > > >[7] What is the speed limit and who set it ? > > Because the project was dedicated as part of the state highway system > before we opened to the public, the speed limit is the same as the adjacent > freeway -- 65 mph. > > > > > >[8] What is the largest/heaviest/most-wheeled vehicle you accept ? > > No trucks hauling boats or large horse trailers. No 18-wheelers. Bobtail > trucks are OK, I believe (I'll double-check this). > > > Hope this helps!
> > //greg brooks > gregbrooks at earthlink.net > > > From lull at acm.org Sun Jan 28 07:41:54 1996 From: lull at acm.org (John Lull) Date: Sun, 28 Jan 1996 23:41:54 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: Message-ID: <310ad283.38852789@smtp.ix.netcom.com> On Sat, 27 Jan 1996 19:46:52 -0500 (EST), you wrote: > There is a story floating around XXXXXX circles that The Japanese carrier > approaching Pearl was spotted on the recently-installed (Navy) land radar > in Hawaii. The target was reported out of the ops room, but ignored by the > same situation room that screwed up (years later) the response to the > Pueblo's distress calls in international waters just offshore from North > Korea. Color me VERY skeptical. The Japanese ships were WELL over the horizon from any point on Oahu. OTH radars are quite difficult to build effectively, and radar technology at the end of 1941 was quite primitive. From dcrocker at brandenburg.com Sun Jan 28 07:48:31 1996 From: dcrocker at brandenburg.com (Dave Crocker) Date: Sun, 28 Jan 1996 23:48:31 +0800 Subject: ANNOUNCEMENT: IMC Resolving Security Complexity Workshop Message-ID: These are the final arrangements: Resolving Email Security Complexity Workshop 21 February 1996 * 8:30 AM - 5:00 PM San Jose (CA) Hilton & Towers * San Carlos Room (next to Convention Center) Pre-registration & payment: $50 * After February 16: $75 (cash, check, wire transfer, money order, or First Virtual) Pass this note on to others who are deeply involved in email security. AGENDA The meeting will be structured with a tight agenda, having a very focused sequence of work; it is definitely not for general education. Some amount of review is appropriate, but not much. The following agenda is tentative and will be reviewed and modified on the pre-workshop discussion list. 
Morning * Very briefly describe the MOSS, PGP, and S/MIME solutions * Review the functional and technical concerns * Review the extent to which each alternative satisfies the concerns * Seek consensus for concerns that qualify as requirements Afternoon * Haggle about the strengths and weaknesses of the technical alternatives * Explore the choices and/or negotiate a preferred solution ONLINE RESOURCES To register for the meeting: Web: Email: For discussion before and after the meeting: Web: Email: From awestrop at crl.com Sun Jan 28 07:50:13 1996 From: awestrop at crl.com (Alan Westrope) Date: Sun, 28 Jan 1996 23:50:13 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: <199601262228.RAA21968@jekyll.piermont.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Fri, 26 Jan 1996, "Perry E. Metzger" wrote: > jim bell writes: > > (For the historically-impaired: Coventry was/is an English town (small > > city?) perhaps most famous from the Lady Godiva legend...but I digress... > > British found out, I guess through Ultra, that it was going to be bombed. > > Telling the inhabitants would have saved many lives, but (possibly) alerted > > the Germans that Enigma had been broken. British made the correct choice: > > Let the city get bombed without (much?) warning. The value of keeping the > > broken-ness of Ultra a secret far outweighed the value of Coventry.) > The current claim is that, in fact, there was no advance warning about > Coventry and that the claims that there was are unsubstantiated. Correct; here's my two Simoleons' worth toward exorcising the "Churchill Anguished Over Coventry Bombing" meme: The first international conference of cryptologists took place in Germany in November of 1978. The backroom boys of World War II -- Allied communications intelligence experts and Axis communications security specialists -- met under scholarly sponsorship to try to determine the effect of codebreaking on the war. [...] Dr. 
Forrest Pogue, author of the standard biography of General George C. Marshall, U.S. Army chief of staff, said that [...] 15 to 20 years is the time lag for facts to catch up with fiction. That's how long it will take for the false story that Winston Churchill allowed Coventry to be destroyed to save the secret of ULTRA "to stop being used to keep sophomores awake in the classroom." David Kahn, "The ULTRA Conference," Cryptologia, January 1979 Alan Westrope PGP public key: http://www.nyx.net/~awestrop PGP 0xB8359639: D6 89 74 03 77 C8 2D 43 7C CA 6D 57 29 25 69 23 From jamesd at echeque.com Sun Jan 28 07:51:31 1996 From: jamesd at echeque.com (James A. Donald) Date: Sun, 28 Jan 1996 23:51:31 +0800 Subject: Hash trees and bank solvency. Message-ID: <199601281534.HAA24247@mailx.best.com> >"James A. Donald" writes: > > > One solution to this problem is government auditors. > > Government inspectors, unlike private auditors, can force > > their way in, in the early hours of the morning, and as each > > bank employee turns up, take him to a separate cubicle and > > interrogate him with a gun in one hand and an account book in > > the other. This makes it difficult for the financial > > institution to fabricate a misleading picture of its > > financial situation. At 10:43 PM 1/27/96 -0800, Mike Duvos wrote: >This would be killing a mosquito with a flyswatter. Besides, the >employees of a financial institution may be in no position to >accurately state its financial situation, even if they are in >little cubicles with guns to their heads.
I refer to actual practice, not to theory: (Though the guns are only metaphorically held to people's heads, the examiners forcing their way in at dawn and ambushing the senior employees as they arrive are entirely literal.) The objective is to take them by surprise and interrogate them separately, to avoid them "hiding" some customers and some liabilities. If the element of surprise is lost, the examiners are likely to be confronted with truckloads of plausible, consistent, and entirely bogus documentation, as happens regularly. > A somewhat more civilized method is used by my broker, [...] Of course a broker's opportunity to pull this kind of fraud is less than a bank's, because his customers will generally hold diverse stocks. Suppose the broker has embezzled some IBM stocks. Then he will have to leave out some customers that own IBM stocks from his record keeping. But this will frequently result in inconvenient excesses of other stocks and unexplained transactions in other stocks, thus the needed book shuffling is more elaborate and inconvenient than that of a bank. > I would trust the typical customer to mail back a form to an > outside auditor far more than I would trust him to examine a hash > tree, check his own entry, check the neighborhood of his own > entry for cryptographic integrity, and sound an alarm. But it only requires one customer to discover the failure in a cryptographic tree, whereas to discover the failure in the method of book keeping you describe, we have to be sure we have covered all customers, and we have to be sure that they receive the same information that the auditor does, and how can one ensure that, except by the dawn raid method? > To be perfectly candid, I would not even want the task of > explaining to the typical banking customer what a hash tree was. That is what software is for: The task would of course have to be done by financial software, not done by hand.
> The outside auditor can of course be spoofed by giving him access > only to some subset of customer accounts. The hash tree can be > spoofed by not telling a subset of customers of its existence. Set up the protocols so that software that verifies the hash tree generates certificates that are proof that you are eligible to receive the money, and software that does not, cannot generate provably valid certificates. Then if the institution commits the fraud you describe, the ill informed customers who use the rigged software get stiffed, as they cannot easily prove that they were owed, and the better informed customers do not get stiffed. Notice that the above system requires that the banking software be supplied independently and separately from the bank. Customer expertise will improve dramatically after the first fraud, much as computer security improves dramatically after the first breach. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From buster at klaine.pp.fi Sun Jan 28 07:52:58 1996 From: buster at klaine.pp.fi (Kari Laine) Date: Sun, 28 Jan 1996 23:52:58 +0800 Subject: Belgium has 'key escrow' law In-Reply-To: Message-ID: Hi Douglas, >I should also point out that Belgium apparently has crypto >export laws of sufficient complexity to inspire me to look >elsewhere when attempting to purchase a hardware encryption >board from a Belgian company (uti-maco). Said company also >was under the mistaken belief that I needed a US _import_ >license; my failed attempts to persuade them otherwise was >the final kicker. >------ ------ >Douglas Barnes "The tighter you close your fist, Governor Tarkin, >cman at communities.com the more systems will slip through your fingers."
>cman at best.com --Princess Leia We are selling both uti-maco SafeGuard Systems GmbH and uti-maco Belgium products here in Finland and haven't had any problems with the licences whatsoever. Naturally you have to fill in certain blankets and get the permission but that's same kind of a procedure no matter what European country you would be buying cryptohardware and software. I will forward your message to uti-maco Belgium so that if there has been any misunderstanding they can sort it out. Of course my opinion is biased but uti-maco Belgium is doing top notch crypto libraries and hardware. That intelligent (own processor) cryptoboard which has RSA/DES chips on board is great for any software company wanting to include REAL crypto in their products. Also what makes their implementation especially useful is the easy and clear API for programmers and that the implementation is scalable to different throughputs without changes in the API. Also the possibility in API calls to decide where a certain operation should be done is a nice feature. So if there is a smartcard connected to a machine all the secret key operations would be done on the SC not with the software. So uti-maco Belgium stuff is one of the best available in Europe. The other big supplier for these things is Crypto AG in Switzerland. In Finland there are two companies who might have what you are looking for, Setec Oy, in Helsinki and Instrumentointi Oy, in Tampere. The latter one at least have a nice encrypting bridge (includes also some routing and filtering capabilities) with a better algorithm than DES (I understood other algorithms would also be available than their own). I don't have the contact information at hand now but let me know if you need it.
Best Regards Kari Laine LAN Vision Oy From kbriggs at execpc.com Sun Jan 28 08:21:03 1996 From: kbriggs at execpc.com (Kent Briggs) Date: Mon, 29 Jan 1996 00:21:03 +0800 Subject: SHA-2 Message-ID: <199601281605.LAA10612@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- >I think that has a bit to do with a question I had, whether it was SHA >and SHA-1 (aka "Revised SHA") but I've found the revised version being >referred to as "SHA-2" in a couple of sources and went with that.... >unless there *is* a third revision...?!? > >Problem is the memo I saw still referred to the revised algorithm as >SHA. (Anyone have a URL for FIPS 180-1 Please...?) > >Rob. > It is SHA-1. Look for FIP180-1.TXT on NIST's BBS at (301)-948-5140. I think they also have a web site but I don't have the URL (try Yahoo). Kent - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] From ses at tipper.oit.unc.edu Sun Jan 28 08:51:05 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Mon, 29 Jan 1996 00:51:05 +0800 Subject: Time codes for PCs (fromn German Banking) In-Reply-To: Message-ID: On Fri, 26 Jan 1996, Chris Townsend wrote: > There's plenty of good toys and code for time geeks, radio clock > info, etc. > Talking about which... anybody know of any fuzzballs that are set to be junked? It'd be cool to take a fuzzball and get IPV6 w/IPSEC running. Wouldn't like to run an OC12 through it though.
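The hash-tree audit argued over in the "Hash trees and bank solvency" messages above, worked through as an added example (not code from any poster on the list): the bank publishes one root over all customer balances, each customer's software checks its own entry, and a hidden or understated account fails that check. The thread does not specify a construction, so this assumes a Merkle sum tree in which every node also commits to the total of the balances beneath it; all function names, account names, nonces and balances are constructed.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def amount(n: int) -> bytes:
    return n.to_bytes(8, "big")          # raises OverflowError for a negative n

def leaf(account: str, nonce: bytes, balance: int):
    """A node is (hash, sum). The nonce keeps a neighbour from guessing this entry."""
    return (H(b"leaf", account.encode(), nonce, amount(balance)), balance)

def parent(left, right):
    """The parent hash binds both child hashes AND both child sums."""
    digest = H(b"node", left[0], amount(left[1]), right[0], amount(right[1]))
    return (digest, left[1] + right[1])

PAD = (H(b"pad"), 0)                     # zero-balance filler for odd-sized levels

def build(leaves):
    """Return every level of the tree; levels[0] is the leaves, levels[-1] == [root]."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(PAD)
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    """What the bank hands one customer: sibling nodes from the leaf up to the root."""
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], index & 1))   # (sibling, am I the right child?)
        index //= 2
    return path

def verify(root, account, nonce, balance, path):
    """What the customer's independently supplied software runs against the published root."""
    node = leaf(account, nonce, balance)
    for sibling, node_is_right in path:
        if sibling[1] < 0:               # a negative sibling sum would hide liabilities
            return False
        node = parent(sibling, node) if node_is_right else parent(node, sibling)
    return node == root                  # both the hash and the total must match

# Constructed sample book: (account, balance owed to that customer).
BOOK = [("alice", 100), ("bob", 250), ("carol", 75), ("dave", 400), ("erin", 30)]

def nonce_for(account: str) -> bytes:
    # Constructed and deterministic so the example is repeatable; in practice
    # this would be a random secret shared only with that customer.
    return H(b"demo-nonce", account.encode())[:16]

def publish(book):
    levels = build([leaf(a, nonce_for(a), b) for a, b in book])
    return levels, levels[-1][0]

def demo():
    out = {}
    honest_levels, honest_root = publish(BOOK)
    out["honest_total"] = honest_root[1]
    out["all_verify"] = all(
        verify(honest_root, a, nonce_for(a), b, prove(honest_levels, i))
        for i, (a, b) in enumerate(BOOK))

    # Fraud 1: the bank leaves dave out to shrink its stated liabilities.
    rigged_levels, rigged_root = publish([e for e in BOOK if e[0] != "dave"])
    out["rigged_total"] = rigged_root[1]
    # Customers still in the tree notice nothing ...
    out["alice_ok_in_rigged"] = verify(
        rigged_root, "alice", nonce_for("alice"), 100, prove(rigged_levels, 0))
    # ... but dave, checking the published root, cannot be given a path that verifies.
    out["dave_ok_in_rigged"] = verify(
        rigged_root, "dave", nonce_for("dave"), 400, prove(honest_levels, 3))

    # Fraud 2: the bank records carol as owed 5 instead of 75.
    cooked = [(a, 5 if a == "carol" else b) for a, b in BOOK]
    cooked_levels, cooked_root = publish(cooked)
    out["carol_ok_when_understated"] = verify(
        cooked_root, "carol", nonce_for("carol"), 75, prove(cooked_levels, 2))
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Only the omitted or understated customer's check fails, which is why the scheme depends on every customer seeing the same published root and on the checking software coming from somewhere other than the bank.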
From stephen_albert at alpha.c2.org Sun Jan 28 08:53:29 1996 From: stephen_albert at alpha.c2.org (Stephen Albert) Date: Mon, 29 Jan 1996 00:53:29 +0800 Subject: Open NNTP servers and logging Message-ID: <199601270511.VAA14254@infinity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- A little while back there were some very helpful posts about getting started with open NNTP servers. Since my regular site runs kinda slow in the news department I've been having fun poking around and seeing about getting more current. Then it dawned on me. People keep logs. Presumably routine logging would point right back at my ISP, and from there it'd be not too hard to pin down me specifically. No, I don't think anyone is particularly *likely* to do that, but why take chances? So...anyone know of open NNTP servers that *don't* keep logs? Or some other way around the problem? Thanks! Stephen "extra! extra! read all about it!" Albert stephen_albert at alpha.c2.org <*> PGP key on request and on servers From roy at sendai.cybrspc.mn.org Sun Jan 28 09:01:26 1996 From: roy at sendai.cybrspc.mn.org (Roy M. Silvernail) Date: Mon, 29 Jan 1996 01:01:26 +0800 Subject: Escrowing Viewing and Reading Habits with the Government In-Reply-To: Message-ID: <960128.102805.1b2.rnr.w165w@sendai.cybrspc.mn.org> -----BEGIN PGP SIGNED MESSAGE----- In list.cypherpunks, Klaus! writes: > The "Library Awareness Program," administered by the Justice Department, is > designed to identify potential criminals before they have a chance to > commit their deeds.
The visits to libraries made by the FBI are used to > determine who is reading subversive or dangerous material. Well, then, I s'pose I'm doomed. I had Applied Cryptography out of the library 5 times last year, and returned it overdue twice. - -- Roy M. Silvernail -- roy at cybrspc.mn.org will do just fine, thanks. "Does that not fit in with your plans?" -- Mr Wiggen, of Ironside and Malone (Monty Python) PGP public key available upon request (send yours) From jya at pipeline.com Sun Jan 28 09:26:01 1996 From: jya at pipeline.com (John Young) Date: Mon, 29 Jan 1996 01:26:01 +0800 Subject: PAC_man Message-ID: <199601281705.MAA02269@pipe1.nyc.pipeline.com> 1-28-96. TWP: "Informant's Revelations on Cali Cartel Implicate Colombian Officials." Inside the counterintelligence center for notorious Cali drug lord Jose Santacruz Londono was an IBM AS/400 computer storing coded information that listed thousands of bribes awarded by the Cali cartel to many individuals known collectively as "Caso 8000." The cartel's sysadmin has been decoding the computer's data and implicating officials from Colombian government, politics, the military and the entertainment industry. He later would be indicted as part of a major racketeering case brought by federal prosecutors in Miami against U.S. lawyers who allegedly have protected Cali interests here and abroad -- three private lawyers who are former federal prosecutors, including one who served as a high-ranking Justice Department official.
PAC_man ----- TWP has a followup on the AOL raid, mostly a police story grisler on the cyber-prowling horny-cats. Has ICU of the terminal logoff by a 13-year-old nerd. The fuz posted a call-in for anon tips: "You know how many we've gotten from our on-line hot line? Not one. It's like they have this fantastic world they operate in, and we are seen as intruders or something." ICU_ded From markm at voicenet.com Sun Jan 28 09:26:12 1996 From: markm at voicenet.com (Mark M.) Date: Mon, 29 Jan 1996 01:26:12 +0800 Subject: When do patents expire on Rabin's public key scheme? In-Reply-To: <199601280538.VAA01588@mailx.best.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sat, 27 Jan 1996, James A. Donald wrote: > When do patents expire on Rabin's public key scheme? > > RSA claims that the Diffie Hellman patent, which expires on the 29th of > April, 1997, covers all public key cryptography. > Actually, I think that the Merkle Hellman patent is the one considered to cover all public key cryptography. RSADSI claims that Diffie Hellman also includes ElGamal, but Cylink now owns the Diffie Hellman patent and I don't know if they consider it to also cover ElGamal. > ElGamal and Rabin are unpatented. > > Schneier says that ElGamal will be free of patent restrictions after that, > but he says nothing about Rabin. In _Applied Cryptography_, there is no mention of any patents covering Rabin. Elliptic curve public key encryption schemes are not covered by any public key cryptography schemes, so it is possible that Rabin is also not covered under any patents. - --Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 PGP: Because sometimes, a _Captain Midnight_ decoder ring simply isn't enough.
From m5 at dev.tivoli.com Sun Jan 28 09:28:22 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Mon, 29 Jan 1996 01:28:22 +0800 Subject: "German service cuts Net access" (to Santa Cruz) In-Reply-To: Message-ID: <9601281707.AA14081@alpha> Timothy C. May writes: > "Deutsche Telekom, Germany's national phone company, blocked its 1 million > customers Thursday from gaining access to Internet "Web sites" maintained > by customers of Web Communications of Santa Cruz. I have this urge to e-mail Deutsche Telekom the output of an appropriate AltaVista query so they can make sure none of that nasty stuff is reaching impressionable German adults & children. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From bkennedy at nb.net Sun Jan 28 09:55:06 1996 From: bkennedy at nb.net (William "Bud" Kennedy) Date: Mon, 29 Jan 1996 01:55:06 +0800 Subject: hash trees and bank solvency Message-ID: -----BEGIN PGP SIGNED MESSAGE----- I am not so much worried about the bank stealing money out of my account as I am worried about them loaning to deadbeat countries to support some governmental idea of foreign policy. Then, of course, there is always the possibility that they will loan it to some deadbeat country, not because of the government, but because of just outright stupidity.
From tcmay at got.net Sun Jan 28 10:08:40 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 29 Jan 1996 02:08:40 +0800 Subject: "German service cuts Net access" (to Santa Cruz) Message-ID: At 5:07 PM 1/28/96, Mike McNally wrote: >Timothy C. May writes: > > "Deutsche Telekom, Germany's national phone company, blocked its 1 million > > customers Thursday from gaining access to Internet "Web sites" maintained > > by customers of Web Communications of Santa Cruz. > >I have this urge to e-mail Deutsche Telekom the output of an >appropriate AltaVista query so they can make sure none of that nasty >stuff is reaching impressionable German adults & children. It's interesting that some of the first things to pop up with a AV search of "Webcom AND Zundel" were instructions posted in one of German groups about how to bypass the access restrictions... [Actually, I just tried this search again, and didn't find the messages. Maybe I am misremembering I did last night, or maybe....] A Usenet message claims that Deutsche Bank is on the same Web server (?) and cannot access some of its customers. Whatever the precise truth of this, a side effect of countries trying to disconnect themselves from Bad Thoughts is disruption of commerce. This may provoke a bigger reaction than all of our protests and civil liberties points. --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C.
May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jimbell at pacifier.com Sun Jan 28 10:08:51 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 29 Jan 1996 02:08:51 +0800 Subject: [NOISE] Re: NWLibs> Re: Anonymous trashing of Assassination Politics Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 02:17 AM 1/28/96 -0800, Rich Graves wrote: >On Sat, 27 Jan 1996, Jack Hammer wrote: > >> Here might be an interesting example of a snippet from a plot to commit >> criminal syndicalism. > >You know, I'm not really sure whether you're kidding, ignorant, cheering, >or warning. Frankly, I don't fucking care. You guys are all nuts. And I >should know -- ask Clark or AlanD. I guess I should offer a partial apology, even though I'm not really responsible for this. Jack Hammer is the on-air name for John Benneth, who is a local (to me, Portland, Oregon) "moderator" for a "advertised as controversial" radio talk call-in show. He saw my Assassination Politics essay a few months ago, and for a few weeks just before the November sweeps Nielsen ratings period he was trying to bait me into calling in, thinking I'd be a sucker for a local audience. (He _needs_ controversy to be successful.) Since then he gave up for a while, although he occasionally snipes at me. I assume his interest will wax and wane as various ratings periods come and go. >I have saved Jim Bell's "Assassination Politics" essay, with his PGP >signature, and soon to be a lot of other things, at > > http://www-leland.stanford.edu/~llurch/Not_By_Me_Not_My_Views/ Thank you. I guess... BTW, I sent the file to you as A16.??? That isn't a really descriptive name.
Please change it to something more mnemonic, like ASPOL.TXT or something. >I plan to collect as many off-the-wall conspiracy theories in this >directory as will fit in my disk quota. And when I run out of quota, I'll >raise it for myself. Now, now, Rich, "Assassination Politics" is not a "conspiracy theory". Or, at least, it's not your classic "conspiracy theory." >I think it's time the wacky right and wacky left started looking at each >other's Web pages and lurking on each others' lists. What about the wacky libertarians? Why did you leave us out?!? Waaaaaaahhhh!!! > It's really funny >putting two "Anarchist" pages, one featuring Che Guevara, the other >featuring David Duke, side by side. Both say the guvment is out to get >them; I, on the other hand, am out to "get" the government. But you'll be hearing more about that later. Jim Bell Klaatu Burada Nikto "Something is going to happen... Something....Wonderful!" From jimbell at pacifier.com Sun Jan 28 10:42:10 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 29 Jan 1996 02:42:10 +0800 Subject: Doctor Denning Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 02:52 PM 1/26/96 -0800, Timothy C. May wrote: >>What I found interesting was the lack of meat behind >>"Crypto Anarchy is Not Inevitable". It seemed to boil >>down to the vacuous "if everyone could just agree that key >>escrow is a good thing, there would be no problem". > >This is the main reason I haven't bothered to rebut her points: there were >essentially none to rebut. > >(There are substantive criticisms of my points that can be made, including >discussions of what might be done to delay or even head off crypto anarchy >completely.
I had dinner a few nights ago with David Friedman, author of >"The Machinery of Freedom," and he made some incisive comments about how >the State might go about heading off this future. I'm glad he's on our >side, and not the government's.) > >Two other reasons I have not sought to rebut her analysis: > >First, I doubt many people saw either my original article (available on Bob >Hettinga's page: http://thumper.vmeng.com/pub/rah/anarchy.html) or >Denning's reaction article. > >Second, I stated my views, she stated her views, not much more to say. >Especially as she has not had an active presence on the Net, either in >talk.politics.crypto or in other forums I have seen, and thus a real debate >on the Net has not been possible. > >Mostly I know I can't change her views, so why bother? Other people may >have their views affected by what I say, and for these people I have >certainly written enough. Tim, trust me on this one. Dorothy Denning doesn't have a PRAYER. You already believe it, but I _KNOW_ it! Jim Bell Klaatu Barada Nikto. This will become important...soon Something is going to happen. Something...wonderful! (BTW, the above few lines, which looks like a canned signature, is not. Careful readers will note that I keep typing it in, which means that it isn't identical every time. This should be a clue to all you lurkers out there that I MEAN this; it's not just an idle macro. (It also means that I'm going to have to RTFM on my Eudora to do automatic signatures, but that's an ENTIRELY different story.) 
From llurch at networking.stanford.edu Sun Jan 28 10:44:10 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 29 Jan 1996 02:44:10 +0800 Subject: [rant] A thought on filters and the V-Chip In-Reply-To: Message-ID: On Fri, 26 Jan 1996, jim bell wrote: > At 11:56 AM 1/26/96 -0800, Alan Olsen wrote: > >[Not Perry(tm) approved -- Skip if this offends you] > > > >I am waiting for someone to come out with a product that will modify the > >v-chip (or the various internet "protection" tools) in such a way that it > >scans *FOR* pornography. > > > >Porn is big business. You would think that people would pay for a way to > >sort through all of that non-smuttiness and just "get to the good stuff". I > >also imagine that as soon as such a product appears, the censors will scream > >bloody murder. >... > On the other hand, this would be an EXCELLENT "argument" to bring in front > of a Congressional committee considering the adoption of any V-chip type > proposal. Once they discover that a ratings system could be used for the > diametrically opposite reasons of their reason for having it in the first > place, they'll try to modify their proposal to prevent this. > > If we're lucky, this'll have the effect of killing the whole concept of > government-sponsored (required?) V-chip-type technology. > > OTOH, I agree with other posters who think that truly voluntary content > selection would be an excellent addition to television: In effect, an > automatic, programmable TV-Guide search engine. While it's hard to find a general theme here, I think I disagree.
Anyway, I don't think that even truly voluntary content selection is a good idea, because it reduces art to numbers, which is wrong. Rating the amount of sexual content tells you nothing when comparing D.H. Lawrence, the Marquis de Sade, Showgirls, and Playboy. Rating the amount of violence tells you nothing when comparing All Quiet on the Western Front, Repo Man, Faces of Death, and Platoon. Rating the amount of political content tells you nothing when comparing JFK and The Green Berets. Rating the amount of religious content tells you nothing when comparing Jesus Christ Superstar, The Last Temptation of Christ, and The Argument. You shouldn't try to engineer art. Classification systems lead to a balkanization that diminishes the common culture. I think it was good the way network TV was limited to the lowest common denominator, but with variety. People who wanted something with a little more flavor than WonderBread [tm] were able to find it, but they did have to look, which often involved *meeting other people* with common interests, and they still tuned in to Ed Sullivan to see what the Joneses were watching. Give people 1024 bits' worth of channels to choose from, classified by arbitrary criteria involving no human contact, and you get something entirely different. I'm not sure what's happening now, but I don't think I like it. -rich From jya at pipeline.com Sun Jan 28 10:48:56 1996 From: jya at pipeline.com (John Young) Date: Mon, 29 Jan 1996 02:48:56 +0800 Subject: The Politics of Mistrust Message-ID: <199601281831.NAA23410@pipe4.nyc.pipeline.com> The Washington Post initiates today a 6-part series on the loss of trust in all American institutions, "The Politics of Mistrust," based on a recent poll sponsored by the Post, Harvard and the Kaiser Family Foundation. While not directly related to technical crypto, a number of findings parallel discussions here about the diminution of personal and economic security. 
Samples: America is becoming a nation of suspicious strangers, and this mistrust of each other is a major reason Americans have lost confidence in the federal government and virtually every other major national institution. Every generation that has come of age since the 1950s has been more mistrusting of human nature, a transformation in the national outlook that has deeply corroded the nation's social and political life. Mistrustful Americans repeatedly expressed far less confidence in the federal government, the military, the Supreme Court, Congress and the Clinton administration than the dwindling numbers of Americans who were more upbeat about human nature. Fear of crime, economic insecurity and pessimism about the lives of future generations all have separately added to the belief that government is either making things worse or is incapable of making them better. Today, a clear majority of respondents in their early 20s said they do not trust their fellow Americans, a view they share with one in four Americans over the age of 60. "It's like living in the cave man age," said a 29- year-old. "Nobody cares anymore. Nobody cares. They will no sooner run you down and run away than to spit in your face." An environment in which a majority of Americans believe that most people can't be trusted breeds attitudes that hold all politicians as corrupt, venal and self-serving, and government action is doomed to failure. Wages have stagnated, workers change jobs frequently and downsizing corporations offer little protection even to the most loyal of employees. Americans who feel most pessimistic about the economy also are more likely to see the government as a threat. Harvard and Kaiser are to separately publish their own analysis of the poll. The first article offers much more detail and is quite long, about a page and a half. Perhaps someone might offer a site where this and others in the series could be made available as they appear. If so, send me a note. 
From dsmith at midwest.net Sun Jan 28 11:14:40 1996 From: dsmith at midwest.net (David E. Smith) Date: Mon, 29 Jan 1996 03:14:40 +0800 Subject: PIDAHO and EUDORA PRO 2.2 Message-ID: <2.2.32.19960128184216.0068dfb8@midwest.net> -----BEGIN PGP SIGNED MESSAGE----- At 03:10 AM 1/28/96 -0800, bruceab at teleport.com wrote: >At 09:17 PM 1/27/96 -0800, jdoe-0007 at alpha.c2.org wrote: >>In response to the "what has John Doe got that PIDAHO >>doesn't" messages I tried to PIDAHO v2.6b. I am unable >>to make it work. Messages from PIDAHO can not be sent to >>the selected and OnLine EUDORA PRO application. >Um, yes, indeed they can. I do it routinely. Eudora Pro >is one of the options in the drop-down list box in the >E-mail|Transfer options... dialog, right below the buttons >for canned settings. And it works just fine. You are >making sure that you've got Eudora with a blank new >message ready to go, right? I'm using an essentially identical setup to jdoe-0007's and I can't get it to work either. It worked nicely under Win31 and Eudora 2.1.2, but Win95 and Eudora 2.2(32) don't play nice with Eudora. It might be a bits thing (sixteen versus thirty-two)... ObCrypto: Um, well, this note is PGP clearsigned? (Seriously, this discussion ought to be Cc:ed to Joel, and/or taken off the list.) dave - ----- David E. Smith, c/o Southeast Missouri State University 1210 Towers South, Cape Girardeau MO USA 63701-4745 +1(573)339-3814, "dsmith at midwest.net", PGP ID 0x961D2B09 Do not use old PGP keys 0xFF829C15 and 0x92732139. 
http://www.midwest.net/scribers/dsmith/ From cp at proust.suba.com Sun Jan 28 11:18:10 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Mon, 29 Jan 1996 03:18:10 +0800 Subject: Netscape, CAs, and Verisign Message-ID: <199601281901.NAA06629@proust.suba.com> I'm a big fan of Netscape and their products, and I think they do a good job of addressing the interests of their customers and the public at large with respect to crypto issues. But it's starting to become apparent that there's a fairly serious problem with Certification Authorities and SSL. The problem is simple enough: sites with certificates from one of the CAs that are preconfigured in Netscape have a tremendous advantage over sites with certs from other CAs, and it's expensive and difficult to get a cert if you're running an alternative server like ApacheSSL. This problem is going to get a lot worse when X509 client authentication becomes more popular. Netscape needs to address the situation. It's just not practical or desirable for one company (Verisign) to have a stranglehold on certificates. I'd like to see a less centralized CA that's tied into the existing system of notaries. The idea is to make it necessary to spoof a notary in order to spoof the CA. That won't make spoofing the CA impossible (nothing will), but it will make spoofing the CA illegal. A notary could apply to the CA for the right to work as an agent, for a nominal fee (<$100/year). Only notaries could be agents. 
If a person wants a certificate, they'd come in and present ID and a key to the notary/agent. The person would have to present a form document stating that he's requesting the cert. The notary would stamp the form and affix a signature to the key which would enable it to be processed automatically by the CA. Fees for the whole procedure ought to be less than $30. The CA ought to operate off of the fees from the agents as a non-profit organization, and the agents ought to keep the fees paid by the people requesting the certificates. Would any of the lawyers on the list be willing to comment on whether or not it's possible or practical to tie a CA into the notary system? Does anyone have any thoughts as to how difficult/risky spoofing my CA is compared to spoofing Netscape or Verisign? I could put up a server and I think I know a lawyer who would help me set up a non-profit organization on a shoestring, but I don't want to do it if the plan is impractical. Moreover, although I don't think it's reasonable to expect Netscape to agree to include a non-existent CA in their browsers sight unseen, at the same time it doesn't seem smart to sink money into setting up the CA without some indication from Netscape that they're willing to give the idea good faith consideration. From pcw at access.digex.net Sun Jan 28 11:30:30 1996 From: pcw at access.digex.net (Peter Wayner) Date: Mon, 29 Jan 1996 03:30:30 +0800 Subject: Denning's misleading statements Message-ID: >I've never met Dorothy Denning, so I hesitate to characterize >her as a >villainess. But certainly she's the only noted cryptographer I >know of >who's gone so far out on a limb to defend a position the vast >majority of >computer scientists, civil libertarians, and cryptographers >scoff at. 
(And >I don't just mean it is we libertarians and civil libertarians >who are >scoffing, I mean that nearly every noted expert who has >carefully reviewed >the various schemes to control crypto and to provide GAK has >found them to >be essentially unenforceable except via draconian police state >methods, and >maybe not even then.) I believe that David Gelernter, the professor of computer science at Yale University injured by a UNABOMBER bomb, is also a supporter of the Clipper chip. This may or may not be something that arose from the bombing. But I'm not sure how many caveats and things he adds to his position. He may have changed it. But then he's not exactly a cryptographer. But, on the other side of the fence, I just passed a section in _Takedown_ where Shimomura and the FBI agents decide that the best place for the Clipper phones is "in the trunk." Apparently they don't communicate with regular phones so they were practically worthless. -Peter From perry at piermont.com Sun Jan 28 11:39:07 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 29 Jan 1996 03:39:07 +0800 Subject: "Gentlemen do not read each other's mail" In-Reply-To: Message-ID: <199601262228.RAA21968@jekyll.piermont.com> jim bell writes: > (For the historically-impaired: Coventry was/is an English town (small > city?) perhaps most famous from the Lady Godiva legend...but I digress... > British found out, I guess through Ultra, that it was going to be bombed. > Telling the inhabitants would have saved many lives, but (possibly) alerted > the Germans that Enigma had been broken. British made the correct choice: > Let the city get bombed without (much?) warning. The value of keeping the > broken-ness of Ultra a secret far outweighed the value of Coventry.) The current claim is that, in fact, there was no advance warning about Coventry and that the claims that there was are unsubstantiated. 
Perry From sameer at c2.org Sun Jan 28 11:39:58 1996 From: sameer at c2.org (sameer) Date: Mon, 29 Jan 1996 03:39:58 +0800 Subject: Netscape, CAs, and Verisign In-Reply-To: <199601281901.NAA06629@proust.suba.com> Message-ID: <199601281919.LAA02350@infinity.c2.org> > > Moreover, although I don't think it's reasonable to expect Netscape to > agree to include a non-existent CA in their browsers sight unseen, at the > same time it doesn't seem smart to sink money into setting up the CA > without some indication from Netscape that they're willing to give the > idea good faith consideration. > They won't. You're not a megacorp in bed with RSA. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From jimbell at pacifier.com Sun Jan 28 11:40:23 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 29 Jan 1996 03:40:23 +0800 Subject: "Gentlemen do not read each other's mail" Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 01:40 PM 1/26/96 -0500, Robert A. Rosenberg wrote: >At 20:18 1/25/96, jim bell wrote: > >>Now, I was born in 1958 and thus can't claim personal knowledge of the time, >>but it's truly amazing how UNPERCEPTIVE the public must have been in the >>late 40's and early '50s about "intelligence" realities. Let me give you a >>specific example: The classic movie, "The Man who Never Was," relates the >>(true) story of a counter-intelligence mission done by the British to (I >>think) mislead the Germans into believing that the attack on Sicily would be >>substantially LATER than it actually was. > >The code name for the project was "Operation Mincemeat" and the intent was >to get the defences at Normandy ("Operation Torch" - ie: D-Day) away from >there and transferred to Sicily (which was NOT a D-Day objective) not as >you say to fool them on when the attack was coming. 
It did its job and much >of the mobile coastal defences were moved out of the area. I apologize for the error (presuming it's an error). I was working from an old memory there, from reading a book called "A Bodyguard of Lies" (William Cave Brown?) which addresses the misinformation/disinformation campaigns that went on during WWII. And, of course, seeing the movie "The Man who Never Was." From jimbell at pacifier.com Sun Jan 28 11:42:06 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 29 Jan 1996 03:42:06 +0800 Subject: "Gentlemen do not read each other's mail" Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 04:22 PM 1/26/96 +0100, Asgaard wrote: >Jim Bell wrote: > >> While this may be based on the "classic" view of the start of the direct >> involvement in WWII, I agree with the opinion of an old college professor >> that the US KNEW that the Japanese were going to attack, SOMEWHERE and >> SOMEWHEN (but not exactly), and in fact WANTED the attack to occur to >> justify getting into a war that we "should" have entered. > >Alan Horowitz added: > >>I've read that FDR had a humint source warning of a Japanese strike on >>Pearl Harbor. I also recall reading that J Edgar Hoover received a report >>of a diplomatic conversation detailing the planned attack, but sat on it. > >And this is from a post I sent to the list last summer: >*************************************************************** >I just read 'Infamy' by John Toland (1982), containing 'proof' >- very convincing, in my opinion - of the Pearl Harbour cover-up. 
>The US president, selected members of his cabinet and a >few admirals and generals knew - from Magic and the 'winds' >execute, radio traffic analysis, diplomatic sources, double >agents - exactly when and where the Japanese were going to >attack, but didn't warn Hawaii, fearing that too efficient >counter-measures by the Oahu military might make the attack >abort and so not convince the isolationists. The unexpected >tactical capabilities of the Japanese armada then made a >cover-up all the more important. >***************************************************************** >The unfortunate cipher expert Captain Safford spent most of >his post-war life trying to uphold the honour of his fellow >cryptanalysts, putting the blame on generals and politicians, >but in vain. It's interesting that we even HEARD about Coventry, but of course that was a British decision, a civilian target in an attack during an era where there were already plenty of attacks on civilian targets, and the British UNDERSTOOD why Coventry had to die. (But I don't know WHEN "we" (the general public) first heard about Coventry. Anybody know? (For the historically-impaired: Coventry was/is an English town (small city?) perhaps most famous from the Lady Godiva legend...but I digress... British found out, I guess through Ultra, that it was going to be bombed. Telling the inhabitants would have saved many lives, but (possibly) alerted the Germans that Enigma had been broken. British made the correct choice: Let the city get bombed without (much?) warning. The value of keeping the broken-ness of Ultra a secret far outweighed the value of Coventry.) 
From sameer at c2.org Sun Jan 28 11:44:56 1996 From: sameer at c2.org (sameer) Date: Mon, 29 Jan 1996 03:44:56 +0800 Subject: your mail In-Reply-To: <01BAEBF5.1492F480@loki> Message-ID: <199601281921.LAA02698@infinity.c2.org> > > The second point makes me wonder if NymServers are legal to use with my service (PSInet, Interramp) > That's forgery, not using a nym. You're likely safe. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From mpd at netcom.com Sun Jan 28 12:14:44 1996 From: mpd at netcom.com (Mike Duvos) Date: Mon, 29 Jan 1996 04:14:44 +0800 Subject: The Unintended Consequences of Suppression Message-ID: <199601281959.LAA16755@netcom18.netcom.com> WARNING: This message contains Bad Thoughts. The Surgeon General has determined that Bad Thoughts cause Critical Thinking, which may be illegal in Canada, Germany, and other countries too numerous to mention. I just visited the Ernst Zundel Webcom page, which given the number of server overload errors I experienced trying to browse it, is now the Numero Uno Web Site on the entire Internet, thanks to some anonymous and largely clueless official running telecommunications services for the former Third Reich. Like most sites run by "Infamous Holocaust Deniers", this one was largely unimpressive, and would have garnered little attention from anyone were it not for the noisy public vilification lavished upon it by its detractors. 
After the furor this site is alleged to have precipitated, I fully expected to see pictures of skinheads with explosives and automatic weapons holding up pictures of Nazi atrocities and libelous screeds blaming the Jews for all the misfortunes of mankind. You can imagine my surprise when I found only a few rather simplistic historical questions, and that Mr. Zundel had even included links to rebuttals of his points contained within the Simon Wiesenthal Center's own Web Pages. All of this might have gone completely unnoticed by the majority of humankind, or have been the subject of dry boring debates at occasional universities, were the topic not constantly dragged into the public eye by stories about anti-free speech laws, shrill cries by organizations like the SWC for censoring the entire Internet, and officials who summarily unplug major chunks of the Net and disrupt legitimate business while trying to stuff a sock into the mouth of some individual whose views they find embarrassing. In doing this, the Speech Nazis, the Wiesenthalistas, and the Clueless Bureaucrats have drawn more attention to the views of people like Mr. Zundel than he ever could have on his own, and have alienated many of the people who would cheerfully have argued against Mr. Zundel on their behalf. This goes beyond simple stupidity, and clearly approaches the lobotomy level of impaired mental functioning. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From samman-ben at CS.YALE.EDU Sun Jan 28 12:26:25 1996 From: samman-ben at CS.YALE.EDU (Rev. Ben) Date: Mon, 29 Jan 1996 04:26:25 +0800 Subject: Denning's misleading statements In-Reply-To: Message-ID: On Sun, 28 Jan 1996, Peter Wayner wrote: > I believe that David Gelernter, the professor of computer > science at Yale University injured by a UNABOMBER bomb, is also > a supporter of the Clipper chip. This may or may not be > something that arose from the bombing. 
But I'm not sure how many > caveats and things he adds to his position. He may have changed > it. But then he's not exactly a cryptographer. There's quite a few folks in the Yale CS department that are pro-Clipper or fence sitters. They justify it in class by claiming that law enforcement needs these abilities if LE is to remain effective. FWIW, Gelernter is in the Parallel group here. Ben. ____ Ben Samman..............................................samman at cs.yale.edu "If what Proust says is true, that happiness is the absence of fever, then I will never know happiness. For I am possessed by a fever for knowledge, experience, and creation." -Anais Nin PGP Encrypted Mail Welcomed Finger samman at powered.cs.yale.edu for key Want to give a soon-to-be college grad a job? Mail me for a resume From tcmay at got.net Sun Jan 28 12:56:22 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 29 Jan 1996 04:56:22 +0800 Subject: The Big Lie Message-ID: At 7:59 PM 1/28/96, Mike Duvos wrote: >I just visited the Ernst Zundel Webcom page, which given the >number of server overload errors I experienced trying to browse >it, is now the Numero Uno Web Site on the entire Internet, thanks >to some anonymous and largely clueless official running >telecommunications services for the former Third Reich. Like many born after the Second World War, I took it as a fact that the so-called Holocaust actually happened. I saw pictures of death camps, interviews with survivors, etc. But if it really happened, why are so many countries trying to suppress the evidence that it was all just a CIA-Mossad plot? It seems more likely that the pictures were faked, or were pictures taken of dying Germans in Russian POW camps on the Eastern Front. If They are trying to suppress discussion, maybe there's something to their ideas. If the Germans are suppressing attempts to get at the truth, I suspect the stories are true that the Holocaust was part of Truman's "Big Lie." 
--Tim [Note: I present this as a line of thinking that is actually often the result of suppression of views. "If They are suppressing it, maybe there's some truth to it." Note also that the views of Zundel and other Holocaust Deniers are not causally related to the deaths of millions of Jews, gypsies, and others in WW II. The damage, if any, is in the "hurt feelings" and "insults" felt by survivors and their relatives. The other danger often cited, that Zundel will recruit a Fourth Reich or somesuch, is no more likely than that Jerry Falwell will recruit a New Crusade, or that J. Random Ranter will do the same. In a free and open society, we let people believe in "wrong ideas" (witness Christianity, Islam, Scientology, Judaism, and a thousand other cults).] Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From perry at piermont.com Sun Jan 28 13:04:54 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 29 Jan 1996 05:04:54 +0800 Subject: An Enigma - Wrapped In a Circle In-Reply-To: <199601270257.VAA40304@osceola.gate.net> Message-ID: <199601282046.PAA26188@jekyll.piermont.com> Jim Ray writes: [An article about CROP CIRCLES for chrissake, and then has the temerity to say.] > If you think that this post has "no > cypherpunk relevance" you can: > 1. Flame me, in *private* e-mail. [I'll happily ignore you.] > 2. Go hump a tree. What the hell is the cypherpunks relevance here, anyway? 
I mean, other than trying to elicit a response from me, which you surely knew would show up, was there any purpose to this? Why are crop circles important to people worrying about cryptography and cryptography policy? What possible linkage could there be? Perry From perry at piermont.com Sun Jan 28 13:21:57 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 29 Jan 1996 05:21:57 +0800 Subject: Possible Java hack. In-Reply-To: Message-ID: <199601282101.QAA26228@jekyll.piermont.com> Stephen P. Gibbons writes: > ObCrypto: _When_ will DNS be secured via PKE? There is already an extant proposal from the DNSSEC working group of the IETF. It will probably go to proposed standard. Perry From vznuri at netcom.com Sun Jan 28 13:28:55 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Mon, 29 Jan 1996 05:28:55 +0800 Subject: more RANTING about NSA-friendly cpunks In-Reply-To: <199601280510.NAA00268@ratbox.rattus.uwa.edu.au> Message-ID: <199601282104.NAA10926@netcom3.netcom.com> >In message <199601262011.MAA17408 at netcom16.netcom.com>, > "Vladimir Z. Nuri" wrote: >> >> has anyone *tried* just ignoring the ITAR wrt crypto and seeing what >> would happen? the gubbermint blindly thinks that cyberspace will >> inevitably bring the wrath of four horsemen of the infocalypse, but aren't we >> equally as comic in assuming that violating the ITAR crypto sections >> will inevitably bring the 4 horsemen of the NSA?? > >One word... > >Zimmerman. > >I do agree with what you're saying though. One word... Zimmermann. Zimmermann supports my contention, as I wrote in the post. NOTHING happened to him. it is conceivable this same result could have been arrived at (government drops investigation) if he never even hired a lawyer. Zimmermann is a perfect example of what may be counterproductive hysteria on *our* side, toward advancing crypto. if Zimmermann cannot be prosecuted, and is not prosecuted, where are the ITAR "teeth"??? sure, endless people can argue with me. 
"nasty things will befall you if you violate crypto sections of the ITAR". they will back these example up with the same baseless fear that schoolchildren reverently refer to Cooties or the Bogeyman. From frantz at netcom.com Sun Jan 28 13:51:00 1996 From: frantz at netcom.com (Bill Frantz) Date: Mon, 29 Jan 1996 05:51:00 +0800 Subject: more RANTING about NSA-friendly cpunks Message-ID: <199601282130.NAA29294@netcom6.netcom.com> At 1:04 PM 1/28/96 -0800, Vladimir Z. Nuri wrote: >Zimmermann supports my contention, as I wrote in the post. NOTHING >happened to him. it is conceivable this same result could have >been arrived at (government drops investigation) if he never even >hired a lawyer. > >Zimmermann is a perfect example of what may be counterproductive >hysteria on *our* side, toward advancing crypto. if Zimmermann >cannot be prosecuted, and is not prosecuted, where are the ITAR "teeth"??? I am not a lawyer, but I suspect that the proscuters gave up because they could not build a trail of evidence between Zimmermann and the actual export. After all, Zimmermann only wrote PGP. He didn't post it on the net. ----------------------------------------------------------------- Bill Frantz Periwinkle -- Computer Consulting (408)356-8506 16345 Englewood Ave. frantz at netcom.com Los Gatos, CA 95032, USA From alano at teleport.com Sun Jan 28 13:54:56 1996 From: alano at teleport.com (Alan Olsen) Date: Mon, 29 Jan 1996 05:54:56 +0800 Subject: Denning's misleading statements Message-ID: <2.2.32.19960128214014.0091a098@mail.teleport.com> At 03:12 PM 1/28/96 -0500, Rev. Ben wrote: >On Sun, 28 Jan 1996, Peter Wayner wrote: > >> I believe that David Gelerntner, the professor of computer >> science at Yale University injured by a UNABOMBER bomb, is also >> a supporter of the Clipper chip. This may or may not be >> something that arose from the bombing. But I'm not sure how many >> cavaets and things he adds to his position. He may have changed >> it. 
But then he's not exactly a cryptographer. > >There's quite a few folks in the Yale CS department that are pro-Clipper >or fence sitters. They justify it in class by claiming that law >enforcement needs these abilities if LE is to remain effective. I wonder if the same justifications were used for the Inquisition. "We have to use these methods in order for the Church to remain effective." Currently we have a whole host of laws that are difficult, if not impossible to enforce. The response from law enforcement is that we have to use stronger and stronger enforcement methods to shore up laws that are by their nature unenforceable. How they expect to do this and remain in a non-police state is beyond me. I expect that such enforcement methods will be sold to us the same way that they sell us soap and presidents. The media will give us plenty of "reasons" as to why we have to accept draconian methods to resolve problems from undefined enemies. Already we get the "real life" cop shows showing us a whole host of "enemies" who need to be hauled off to jail and the news programs showing us the scare story of the moment. Expect the four horsemen to get closer and closer as the shackles are ready to be put into place. Such enforcement is self-defeating in the long run. It is based off the false perception that the governed cannot recognise that these laws are unenforceable. Continued enforcement of "unenforceable" laws increases the disrespect for laws in general. ("The imposition of order equals the escalation of disorder.") The question is when the bulk of the population will see what is being prepared for them... Probably after it is too late. Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ Is the operating system half NT or half full? 
From olmur at dwarf.bb.bawue.de Sun Jan 28 14:18:28 1996 From: olmur at dwarf.bb.bawue.de (Olmur) Date: Mon, 29 Jan 1996 06:18:28 +0800 Subject: "German service cuts Net access" (to Santa Cruz) In-Reply-To: <2.2.32.19960128115634.00977b14@panix.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- >>>>> "DCF" == Duncan Frissell writes: DCF> At 12:07 AM 1/28/96 -0800, Timothy C. May wrote: >> * the Germans recently arrested an American who landed in Germany >> somewhere, as part of a trip. It seems he had been involved with >> the production of Neo-Nazi material, somewhere out west. This was >> the last I heard about the story. Sorry, I'm going from >> carbon-based memory. >> DCF> He was grabbed in Denmark and extradited to Germany so you'd have DCF> to avoid most of the EU. It's illegal in Germany to publish material denying the holocaust. In the same moment this guy sent his book (?) per snail-mail from Canada to Germany he committed a crime here in Germany. I don't think it's astonishing that Denmark imprisoned this guy and transported him to Germany. It's a normal thing that one country imprisons a criminal another country is searching and then delivers him/her to the country in question. Have a nice day! Olmur - -- "If privacy is outlawed, only outlaws will have privacy" --- P. Zimmermann Please encipher your mail! Contact me, if you need assistance. 
finger -l mdeindl at eisbaer.bb.bawue.de for PGP-key Key-fingerprint: 51 EC A5 D2 13 93 8F 91 CB F7 6C C4 F8 B5 B6 7C From olmur at dwarf.bb.bawue.de Sun Jan 28 14:20:41 1996 From: olmur at dwarf.bb.bawue.de (Olmur) Date: Mon, 29 Jan 1996 06:20:41 +0800 Subject: "German service cuts Net access" (to Santa Cruz) In-Reply-To: <199601280459.XAA15779@kafka.delphi.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- >>>>> "Alan" Pugh writes: [.....] Alan> "The block - analogous to the government ordering a bookstore Alan> to take every book by a given publisher off the shelves because Alan> it objected to one title - was imposed Thursday." The difference is, that the German government was not ordering this block. Olmur - -- "If privacy is outlawed, only outlaws will have privacy" --- P. Zimmermann Please encipher your mail! Contact me, if you need assistance. finger -l mdeindl at eisbaer.bb.bawue.de for PGP-key Key-fingerprint: 51 EC A5 D2 13 93 8F 91 CB F7 6C C4 F8 B5 B6 7C From perry at piermont.com Sun Jan 28 14:24:09 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 29 Jan 1996 06:24:09 +0800 Subject: Denning's misleading statements In-Reply-To: Message-ID: <199601282154.QAA26286@jekyll.piermont.com> Timothy C. 
May writes: > One of the interesting things about the whole crypto debate, going back at > least to the Clipper announcement (and actually some months before) has > been that the pro-restrictions, pro-GAK side of the argument has almost no > defenders! Except for David Sternlight, Dorothy Denning, and Donn Parker > ("attack of the killer Ds"?), there are almost no public spokesmen for the > pro-restriction, pro-GAK side. Well, not really. Silvio Micali did some work on this topic. We also get the lovely folks from the FBI making their public appeals (replete with references to snuff films and other nonexistent threats), and Stu Baker, former NSA official, does his periodic "insult the nerds" schtick. There are others. The point is taken, though. Perry From mpd at netcom.com Sun Jan 28 14:25:44 1996 From: mpd at netcom.com (Mike Duvos) Date: Mon, 29 Jan 1996 06:25:44 +0800 Subject: The Big Lie In-Reply-To: Message-ID: <199601282156.NAA09063@netcom4.netcom.com> tcmay at got.net (Timothy C. May) writes: > But if it really happened, why are so many countries trying > to suppress the evidence that it was all just a CIA-Mossad > plot? It seems more likely that the pictures were faked, or > were pictures taken of dying Germans in Russian POW camps on > the Eastern Front. Since "Holocaust" is an Operational Definition referencing Jewish experience during the Second World War, there is a clearly tautological aspect to the oft-posed question "Did the Holocaust happen?", to which the answer is obviously, a priori, and identically, "Yes", in the sense that Jews did, indeed, live during the Second World War, and some of them did indeed, like numerous other minority religious, ethnic, and political groups, have experiences which would not be described as recreational in nature. 
Armed with a question whose answer is true by construction, it is not very hard to correctly characterize those arguing that the answer is "false" as crackpots, and only a tiny leap from there to characterizing those who ask different and reasonable questions as having asked the Canonical Question instead and having also given the wrong answer to it. It is of course then necessary to censor the ability of the public to view the original questions, since this would not only cast aspersions upon one's credibility, but would also require that they be answered, the avoidance of which was the reason for the original exercise in misdirection. While such political tactics work well in a world with a traditional hierarchical flow of information from the Big Press to the Little Citizen-Unit, they collapse completely under the Cooperative Anarchy of the Net, and blow up in the faces of those who attempt them. The Simon Wiesenthal Center desperately needs to regroup and try to understand how the Net works, before applying its traditional methods of debate and advocacy to an environment where completely different rules apply. This is not to deny the Holocaust, or to say that the SWC doesn't have its heart in the right place. This is simply an attempt to spare them any more self-inflicted wounds. > If the Germans are suppressing attempts to get at the > truth, I suspect the stories are true that the Holocaust > was part of Truman's "Big Lie." Many people are likely to think this based on the Germans' behavior, and the Germans need to learn that the remedy for Hate Speech is more speech, especially in an environment as uncontrollable as the Net. > [Note: I present this as a line of thinking that is > actually often the result of suppression of views. "If They > are suppressing it, maybe there's some truth to it." Note > also that the views of Zundel and other Holocaust Deniers > are not causally related to the deaths of millions of Jews, > gypsies, and others in WW II. 
The damage, if any, is in the > "hurt feelings" and "insults" felt by survivors and their > relatives. It is interesting to note that there is no specific law prohibiting free speech for Holocaust Agnostics in Germany. The actual laws under which such cases are prosecuted are libel laws, which have been liberally interpreted to mean that one may not "libel" deceased Jews as a class or their memory in the minds of their surviving relatives. The notion of libeling a class of deceased persons strikes me as a dangerous and particularly convoluted legal fiction. (Although I certainly don't mean any disrespect for the deceased or their survivors when I say this.) > The other danger often cited, that Zundel will recruit a > Fourth Reich or somesuch, is no more likely than that Jerry > Falwell will recruit a New Crusade, or that J. Random Ranter > will do the same. In a free and open society, we let people > believe in "wrong ideas" (witness Christianity, Islam, > Scientology, Judaism, and a thousand other cults).] The solution to Mr. Zundel is the same as the solution to Archimedes (Ne Ludvig) Plutonium. Allow him complete freedom of speech to express his theories, debunk him as time permits, and if all else fails, put him in your killfile. The chances that Mr. Zundel will organize a Fourth Reich are about the same as those that Archimedes Plutonium will force us all to do our mathematics with his N-Adics. It's not something I'm going to spend a lot of time worrying about. From EALLENSMITH at ocelot.Rutgers.EDU Sun Jan 28 14:34:18 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 29 Jan 1996 06:34:18 +0800 Subject: "Concryption" Prior Art Message-ID: <01I0JULCV3Z4A0UMAT@mbcl.rutgers.edu> It occurs to me that such a combined form would be useful for the idea of having a message that can get multiple results depending on the passphrase used. One example might work as follows: A section of data is placed at the beginning of the encrypted material. 
When it is decrypted or encrypted (depending on how one wants to work things) with a given passphrase, it turns out a series of bits, reiterated as needed. Each x bits is used to say how far along in the encrypted material the next piece of information making up one encrypted message (using the same passphrase) is. If you put in a different passphrase, you get a different series of bits, and thus use a different set of information for the encrypted material.

The major problem that I can see with this scheme is overlap between messages. I would guess that one would need to keep coming up with different data sections until one originated that wasn't a problem. How long this would take would depend on the value of x and how long the data section was. However, this should only need to be done once for a given set of passphrases and the corresponding key (used for all of them).

Any alternate suggestions? Not being a programmer, I have no real idea how to put this concept into practice. (And, moreover, someone else came up with the idea of multiple data sets from a given encrypted message; I am simply suggesting a potential mechanism).

-Allen

From futplex at pseudonym.com Sun Jan 28 14:34:54 1996
From: futplex at pseudonym.com (Futplex)
Date: Mon, 29 Jan 1996 06:34:54 +0800
Subject: Microsoft's CryptoAPI - thoughts?
In-Reply-To: <199601281436.GAA22473@mailx.best.com>
Message-ID: <199601282214.RAA03080@thor.cs.umass.edu>

-----BEGIN PGP SIGNED MESSAGE-----

James Donald writes:
> I was concerned about a different issue:
>
> Suppose you have some signed information: You wish to send some encrypted
> information to the person who wrote that signed information.
>
> If the signing key and the encrypting key are the same, your software can
> locally ensure that you encrypt with the right key, (The correct key is the
> same public key that you used to check the signature on the message.)
>
> If the signing key and the encrypting key are different, then in order to
> ensure that you are not spoofed into using the wrong public key, the
> whole protocol must work correctly, exposing many more points of attack,
> since key management is the most complex and most vulnerable area.

OK, I think I understand the concern. I was assuming a model where the signing and encrypting keys are bound together in a certificate in some fashion. Presumably the encrypting key is signed by the signing key. The certificates are distributed & managed according to some protocols and policies that are orthogonal to the number of keys in a single certificate.

Things get slightly more complicated if you want to update the encrypting and signing keys independently of each other. But offhand I don't see any new thorny issues arising.

Disclaimer: I haven't read enough of the MSCAPI to have any idea how it proposes to handle the purpose-specific keys.

Futplex
GO COWBOYS!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----

From m5 at dev.tivoli.com Sun Jan 28 14:38:50 1996
From: m5 at dev.tivoli.com (Mike McNally)
Date: Mon, 29 Jan 1996 06:38:50 +0800
Subject: "German service cuts Net access" (to Santa Cruz)
In-Reply-To: <2.2.32.19960128115634.00977b14@panix.com>
Message-ID: <9601282202.AA04860@alpha>

olmur at dwarf.bb.bawue.de writes:
> It's illegal in Germany to publish material denying the holocaust. In
> the same moment this guy sent his book XXX per snail-mail from Canada
> to Germany he committed a crime here in Germany.

Hi. President M5 of Psychonia here.
I'm afraid we've recently enacted legislation in the tiny nation of Psychonia that makes it illegal to parenthesize question marks in electronic mail messages, because such acts are a direct offense to some of the members of primitive hill tribes who live in remote portions of our land.

I issue this warning not to set foot in Psychonia or any of the countries with whom we share extradition treaties, or you will be arrested and brought here for trial, conviction, and punishment.

______c_____________________________________________________________________
Mike M Nally * Tivoli Systems * Austin TX * I want more, I want more,
m5 at tivoli.com * m101 at io.com * I want more, I want more ...
*_______________________________

From alano at teleport.com Sun Jan 28 14:55:52 1996
From: alano at teleport.com (Alan Olsen)
Date: Mon, 29 Jan 1996 06:55:52 +0800
Subject: [NOISE] Re: NWLibs> Re: Anonymous trashing of Assassination Politics
Message-ID: <2.2.32.19960128224012.0091961c@mail.teleport.com>

At 09:38 AM 1/28/96 -0800, jim bell wrote:
>I guess I should offer a partial apology, even though I'm not really
>responsible for this. Jack Hammer is the on-air name for John Benneth, who
>is a local (to me, Portland, Oregon) "moderator" for a "advertised as
>controversial" radio talk call-in show. He saw my Assassination Politics
>essay a few months ago, and for a few weeks just before the November sweeps
>Nielsen ratings period he was trying to bait me into calling in, thinking
>I'd be a sucker for a local audience. (He _needs_ controversy to be
>successful.) Since then he gave up for a while, although he occasionally
>snipes at me. I assume his interest will wax and wane as various ratings
>periods come and go.

Actually ratings do not apply in this case. KKEY does not subscribe to the ratings service. (Never has, to my knowledge.) KKEY is a part time station. It has never had much of a broadcast range.
(And never will, as their equipment causes interference with neighboring phone equipment and the like.) It is supported by advertising which is pitched by the talk show host themselves. It has never had much of an audience. The talk show hosts run the gamut from conservative to very conservative. (The former owner had a habit of firing hosts on the air if he did not like their views. But Ralph is dead now...) It has a very bad reputation in Portland as being a station for neo-nazis, whackos and cranks. (Back in my conservative days I had friends who worked there. It was an "interesting" experience.)

>>I have saved Jim Bell's "Assassination Politics" essay, with his PGP
>>signature, and soon to be a lot of other things, at
>>
>> http://www-leland.stanford.edu/~llurch/Not_By_Me_Not_My_Views/
>
>Thank you. I guess...
>
>BTW, I sent the file to you as A16.??? That isn't a really descriptive
>name. Please change it to something more mnemonic, like ASPOL.TXT or something.

The site does need an index.

>>I plan to collect as many off-the-wall conspiracy theories in this
>>directory as will fit in my disk quota. And when I run out of quota, I'll
>>raise it for myself.
>
>Now, now, Rich, "Assassination Politics" is not a "conspiracy theory". Or,
>at least, it's not your classic "conspiracy theory."

I think he is collecting stuff he thinks of as whacky theories.

>>I think it's time the wacky right and wacky left started looking at each
>>other's Web pages and lurking on each others' lists.
>
>What about the wacky libertarians? Why did you leave us out?!?
>Waaaaaaahhhh!!!

I think he is collecting stuff that is just "whacky".

>> It's really funny
>>putting two "Anarchist" pages, one featuring Che Guevara, the other
>>featuring David Duke, side by side. Both say the guvment is out to get
>>them;
>
>I, on the other hand, am out to "get" the government. But you'll be hearing
>more about that later.

Unless they get you first...
Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key
http://www.teleport.com/~alano/
Is the operating system half NT or half full?

From jh at teleport.com Sun Jan 28 15:12:23 1996
From: jh at teleport.com (Jack Hammer)
Date: Mon, 29 Jan 1996 07:12:23 +0800
Subject: [NOISE] Re: NWLibs> Re: Anonymous trashing of Assassination Politics
In-Reply-To:
Message-ID:

> I guess I should offer a partial apology, even though I'm not really
> responsible for this. Jack Hammer is the on-air name for Bob Dole, who
> is a local (to me, Portland, Oregon) "moderator" for a "advertised as
> controversial" radio talk call-in show. He saw my Assassination Politics
> essay a few months ago, and for a few weeks just before the November sweeps
> Nielsen ratings period he was trying to bait me into calling in, thinking
> I'd be a sucker for a local audience. (He _needs_ controversy to be
> successful.) Since then he gave up for a while, although he occasionally
> snipes at me. I assume his interest will wax and wane as various ratings
> periods come and go.

Occasionally snipes at you? I've been perching here out in front of you daily now for the last two weeks. We've installed a Washington State phone line just for you. We've built an AM transmitter and purchased a satellite connection and bought satellite broadcast time and linked it to the little princess phone next to your fart sack so you can call us up and share your wonderful ideas with people in their beds and in their cars all over North America and you can do all this without having to even roll out of bed. Now you're saying it hasn't been easy enough for you? How much a minute do you think this costs us, just waiting for you to call? Oh, others have to pay to advertise THEIR ideas, in fact they consider the time so valuable they pay for that time by the second, but has anyone asked Jim Bell for as much as one thin dime for any of our time? Not anyone at all.
Jim Bell, you're ducking this the same way you ducked my hat when I was passin' it around for Richard Gray. Perhaps being cheap goes hand in hand with intellectual cowardice. For two weeks now, 10 days, we've been sitting down here just waiting for you to call (360) 693-5539 between 6:00 AM and 8:00 AM PST to put you on the air live. And no, I won't cut you off. If you're such a shy fellow I will promise to not even argue with you, just let you blow anything you want but obscenities as long as you stay on topic.

But you're not going to call. You won't discuss your idea in public, which is nothing more than a plan to commit murder for political purposes, i.e. racketeering. You seem to think that we'll accept your plan as the way to open the gateways to a new universe of warmth and roses. What it is is the doorway to a hell full of more drive by shootings and reprisals and paranoia and fear. And seeing the comatose response from most of the people on these lists demonstrates to me just how close the society is to letting something like that which you propose actually happen.

> Klaatu Burada Nikto
>
> "Something is going to happen... Something....Wonderful!"

Yeah, right, at least now we know that it's not going to be a phone call.

HOW TO JOIN THE HAMMERNET. Receive the most interesting e-mail and get to know the best writers on the Internet. Saints and flamers, they're on the Hammernet! Here's how to join. Send the following message in the body of your text space to majordomo at teleport.com :

subscribe hammernet-l

It's as easy as that!

From mpd at netcom.com Sun Jan 28 15:28:52 1996
From: mpd at netcom.com (Mike Duvos)
Date: Mon, 29 Jan 1996 07:28:52 +0800
Subject: The Big Lie
In-Reply-To: <9601282214.AA13074@sulphur.osf.org>
Message-ID: <199601282309.PAA28023@netcom13.netcom.com>

Rich Salz writes:
> That's an interesting point, but it does not apply to the
> majority of humanity. "The Holocaust" is not an O.D.
> of something, it is a shorthand term for things like Final
> Solution and the camps.

Regardless of what one wishes to call such a term, there are obvious dangers to using shorthand, abbreviations, OD's, acronyms, and other such things as if they possessed predictive power, or some magical ability to explain the things they reference by virtue of their construction. It is of course even sillier to question their existence.

If I define "Salz Syndrome" as a tendency by people named "Rich" to post messages suggesting that discussions of Holocaust semantics are off-topic for the Cypherpunks list, then I have to a certain extent stacked the deck when rhetorically asking questions like...

Why does Rich post such messages?

Or when I answer a question about the legitimacy of Salz Syndrome as a real disease by feigning surprise and saying indignantly - "Surely you are not suggesting Salz Syndrome doesn't exist!?"

By the same token, I don't feel "Did the Holocaust happen?" is a particularly well-formed or useful question. The answer, by almost any criteria, is most certainly "Yes", and answering the question tells me nothing I didn't know before I asked it.

All of this is of course orthogonal to the point I was trying to make, which is that while such flaws of logic and debate go largely unnoticed in the unconnected world, and often result in the winning of debates, they generally get flamed royally on the Net, where a different set of rules apply.

--
Mike Duvos $ PGP 2.6 Public Key available $
mpd at netcom.com $ via Finger. $

From EALLENSMITH at ocelot.Rutgers.EDU Sun Jan 28 15:31:35 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E.
ALLEN SMITH)
Date: Mon, 29 Jan 1996 07:31:35 +0800
Subject: Downsizing the NSA
Message-ID: <01I0JWHQ1038A0UMAT@mbcl.rutgers.edu>

From: IN%"tcmay at got.net" 28-JAN-1996 03:47:14.08

>However, as Phill notes, the NSA and other intelligence agencies are now in that most dangerous of positions: a powerful agency or department casting about for something to do. Spying on citizens and keeping the keys to their private communications and diaries is not an appropriate option. AT&T is downsizing, IBM downsized a while back, so why couldn't the NSA just do the right thing: admit that the Soviet threat is no more, congratulate the victors, and downsize by 20,000 employees?
-------------------
Funny, everyone seems to forget about China. If I were dictating NSA policies, I'd simply reassign the people to China. Admittedly, modern cryptography makes some of it useless, but HUMINT to get (parts of) codes is still quite possible.

-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Sun Jan 28 15:34:52 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Mon, 29 Jan 1996 07:34:52 +0800
Subject: "German service cuts Net access" (to Santa Cruz)
Message-ID: <01I0JX3QC4NAA0UMAT@mbcl.rutgers.edu>

From: IN%"frissell at panix.com" "Duncan Frissell" 28-JAN-1996 07:06:37.29

>At 12:07 AM 1/28/96 -0800, Timothy C. May wrote:
>* the Germans recently arrested an American who landed in Germany
>somewhere, as part of a trip. It seems he had been involved with the
>production of Neo-Nazi material, somewhere out west. This was the last I
>heard about the story. Sorry, I'm going from carbon-based memory.

He was grabbed in Denmark and extradited to Germany so you'd have to avoid most of the EU.
-------------------
One wonders if this would happen to an ISP who carried Neo-Nazi material and happened to travel to some part of the EU. Or would other countries than Germany have a bit more sense?
-Allen

From EALLENSMITH at ocelot.Rutgers.EDU Sun Jan 28 16:11:34 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Mon, 29 Jan 1996 08:11:34 +0800
Subject: The Big Lie
Message-ID: <01I0JXH66UC8A0UMAT@mbcl.rutgers.edu>

tcmay at got.net (Timothy C. May) writes:
> [Note: I present this as a line of thinking that is
> actually often the result of suppression of views. "If They
> are suppressing it, maybe there's some truth to it." Note
> also that the views of Zundel and other Holocaust Deniers
> are not causally related to the deaths of millions of Jews,
> gypsies, and others in WW II. The damage, if any, is in the
> "hurt feelings" and "insults" felt by survivors and their
> relatives.

While survivors and their relatives are certainly the most hurt by such, I would like to mention that the insults in question also include those who allegedly lied about the camps. My grandfather (Ltc. (Ret.) William H. Smith) was directly behind the front lines in his Army Intelligence work (document gathering and sorting at that point). He and his sergeant were the first Allied discoverers of one of the camps- I believe Dachau. Moreover, he was in charge of the Paris Documents Center at one point. I don't like his being called a liar.

Despite that, I still regard Holocaust Revisionists as having free speech rights. It's just if they try to recreate Krystallnacht (sp?) that I want them dead.

-Allen

From jfricker at vertexgroup.com Sun Jan 28 16:23:34 1996
From: jfricker at vertexgroup.com (John F. Fricker)
Date: Mon, 29 Jan 1996 08:23:34 +0800
Subject: [NOISE] Re: The Big Lie
Message-ID: <2.2.32.19960128235423.0039a63c@vertexgroup.com>

My grandfather was drafted towards the end of World War II. He was a doctor and was among the first medical teams to land at Anzio. His hospital was the first to arrive at Auschwitz. When asked how that affected him, my grandmother said "After he returned from the war there was no joy left in him."
I do not doubt the existence of prison camps in the Third Reich. Whether the stories have been exaggerated is another question. Besides in this day and age where Israel is a nuclear arsenal run by nutty rightwing warlords who in their right mind would dare belittle their tragedies.

Rewriting history is a powerful tool, whether it be the history of the death of Hendrix, the death of Kennedy, the logging of the Pacific Northwest or of ethnic cleansing. The only way to combat the powerful who would seek to rewrite history is to create an authenticatable system for document storage. Text books have long been regarded as the predominant model yet, pick up any high school history book and marvel at the differences from say Zinn's "The People's History of the United States". What is needed is more though. A system whereby one can trace the source of the information to the actual time and place of an event as well as authenticating identity.

At 02:07 PM 1/28/96 -0800, you wrote:
>At 7:59 PM 1/28/96, Mike Duvos wrote:
>
>>I just visited the Ernst Zundel Webcom page, which given the
>>number of server overload errors I experienced trying to browse
>>it, is now the Numero Uno Web Site on the entire Internet, thanks
>>to some anonymous and largely clueless official running
>>telecommunications services for the former Third Reich.
>
>Like many born after the Second World War, I took it as a fact that the
>so-called Holocaust actually happened. I saw pictures of death camps,
>interviews with survivors, etc.
>
>But if it really happened, why are so many countries trying to suppress the
>evidence that it was all just a CIA-Mossad plot? It seems more likely that
>the pictures were faked, or were pictures taken of dying Germans in Russian
>POW camps on the Eastern Front.
>
>If They are trying to suppress discussion, maybe there's something to their
>ideas.
>
>If the Germans are suppressing attempts to get at the truth, I suspect the
>stories are true that the Holocaust was part of Truman's "Big Lie."
>
>--Tim
>
>
>
>[Note: I present this as a line of thinking that is actually often the
>result of suppression of views. "If They are suppressing it, maybe there's
>some truth to it." Note also that the views of Zundel and other Holocaust
>Deniers are not causally related to the deaths of millions of Jews,
>gypsies, and others in WW II. The damage, if any, is in the "hurt feelings"
>and "insults" felt by survivors and their relatives. The other danger often
>cited, that Zundel will recruit a Fourth Reich or somesuch, is no more
>likely than that Jerry Falwell will recruit a New Crusade, or that J.
>Random Ranter will do the same. In a free and open society, we let people
>believe in "wrong ideas" (witness Christianity, Islam, Scientology,
>Judaism, and a thousand other cults).]
>
>Boycott espionage-enabled software!
>We got computers, we're tapping phone lines, we know that that ain't allowed.
>---------:---------:---------:---------:---------:---------:---------:----
>Timothy C. May | Crypto Anarchy: encryption, digital money,
>tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
>W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
>Higher Power: 2^756839 - 1 | black markets, collapse of governments.
>"National borders aren't even speed bumps on the information superhighway."
>
>
>
>
>

From dfickes at advice.com Sun Jan 28 16:26:48 1996
From: dfickes at advice.com (David Fickes)
Date: Mon, 29 Jan 1996 08:26:48 +0800
Subject: The boss is watching...
Message-ID: <9601282337.AA12709@advice.com>

I've just been contacted by the producer of a cable news/analysis program who is putting together a show focusing on employees fooling around on the Web and what employers can do about it. (Trust their employees?).
She is very interested in stories and tales of employers who have taken action against employee "abuse" but also is looking for companies that have policies that satisfy the "auditors" without becoming "onerous."

She has convinced me that she is interested in presenting a balanced report and I've offered to gather whatever information I can lay my hands on before Feb 2.

Incidentally, I was contacted because of my work on the announcement of "Internet WatchDog", a computer monitoring tool, which was previously mentioned on the list.

Thanks for your help in advance...

regards, -d

David Fickes dfickes at advice.com
ADVICE Marketing phone: 415/321-2198
366 Cambridge Avenue fax: 415/321-2199
Palo Alto, CA 94306

From tcmay at got.net Sun Jan 28 16:32:22 1996
From: tcmay at got.net (Timothy C. May)
Date: Mon, 29 Jan 1996 08:32:22 +0800
Subject: [NOISE] Re: The Big Lie
Message-ID:

At 11:54 PM 1/28/96, John F. Fricker wrote:
>My grandfather was drafted towards the end of World War II. He was a
>doctor and was among the first medical teams to land at Anzio. His
>hospital was the first to arrive at Auschwitz. When asked how that
>affected him, my grandmother said "After he returned from the war there
>was no joy left in him."
>
>I do not doubt the existence of prison camps in the Third Reich. Whether
>the stories have been exaggerated is another question. Besides in this day
>and age where Israel is a nuclear arsenal run by nutty rightwing warlords
>who in their right mind would dare belittle their tragedies.
.....

You need to read a wider variety of articles, and gain an understanding of irony used to make a point. I sometimes despair when I get these comments. (The ones I get in private mail often reveal incurable cluelessness, even if the correspondents are just high school students who somehow found the CP list.)
To make it clear to those readers out there who take all posts as literal (and who didn't read my note at the bottom!), I was not doubting that Jews were exterminated.

Also, John, you need not quote my entire article at the end of your own comments. Use your editor to quote only the parts you wish to discuss.

--Tim

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From tcmay at got.net Sun Jan 28 16:37:45 1996
From: tcmay at got.net (Timothy C. May)
Date: Mon, 29 Jan 1996 08:37:45 +0800
Subject: The Dangers of Cross-Pollinating Other Mailing Lists
Message-ID:

Folks,

When people decide to copy other mailing lists on messages they send to Cypherpunks (or vice versa), we often get flooded with insults and spams from people who don't share our views.

(While I have nothing against trying to recruit others to our views, in my opinion this is best done by judicious writing of essays for _them_, tuned to their interests, and not in mindless spamming of every list that might have a passing interest in some of the topics.)

We already have enough traffic here, and don't need replies from a bunch of other lists, be they libertarian lists, digital commerce lists, human rights lists, or java lists.
The latest example of this is the rantfest involving these players:

------
From: Jack Hammer
To: jim bell
Cc: Rich Graves , cypherpunks at toad.com, nwlibertarians at teleport.com, hammernet-l at teleport.com, libernet-d at dartmouth.EDU, liberty-and-justice at pobox.com
------

I recognized Bell and Graves, but not the others. And I see no reason why our list should be dragged into flames about "fart sacks" by people on all of these other lists.

This was the final straw, and I have no choice except to add Bell, Graves, Hammer, etc. to my filter list, which I will now proceed to do before sending this message off.

[Done]

Words have consequences. So do flames.

--Tim May

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From DMiskell at envirolink.org Sun Jan 28 16:55:35 1996
From: DMiskell at envirolink.org (Daniel Miskell)
Date: Mon, 29 Jan 1996 08:55:35 +0800
Subject: The Big Lie
Message-ID: <9601290026.AA02692@envirolink.org>

Hey Tim-

Just a thought. When you stated that other countries might be trying to (basically) pretend the holocaust had never happened, because it might NOT have happened and may very well be a big lie, you forgot to consider something. Had the Holocaust happened, which I believe it did, it was of such horrific magnitude that, since (for a time) we sat back and let it happen, let 6 million innocent people die, we might be trying to forget about it so as to not have to take responsibility for it having happened.
It is much easier to say that it never existed and have no responsibility, than to acknowledge that it happened, and to look at what kind of people it makes us to let it happen.

Just a thought. :)

Dan

---
_________________________________
*!Cheese Doctrine:!*
Though cultured over time, and aged to perfection, one must not yield to produce mold. One must also not belittle themselves by conforming to the "whiz", but melt over the unprocessed ideas of Ghuda.
_________________________________

From jrochkin at cs.oberlin.edu Sun Jan 28 16:59:23 1996
From: jrochkin at cs.oberlin.edu (Jonathan Rochkind)
Date: Mon, 29 Jan 1996 08:59:23 +0800
Subject: Opinion piece in NYT; responses needed
Message-ID:

> The New York Times, January 2, 1996, Business, p. 14
>
>
> Viewpoint: J. Walker Smith
>
> Standoff in Cyberspace Gulch
>
>
> In the new frontier that is cyberspace, a showdown is
> shaping up as the law moves into town. On one side is a
> band of cybercitizens bent on protecting their privacy as
> they explore this unmapped territory. On the other are the
> lawmakers charged with safeguarding all cybercitizens from
> crime, even if it means forcing them to give up some of
> their privacy by, say, signing in as they enter town.
>
> This is how the public debate over cyberspace security has
> been framed. And on-line users are, indeed, worried about
> security. Yankelovich Partners surveyed 400 randomly
> selected on-line users, aged 16 and older, by telephone in
> mid-October and found that 90 percent agree that better
> Internet security is needed to insure that personal and
> financial information is not accessible to unauthorized
> people. Nearly 80 percent believe it is too easy for one's
> credit card number to be stolen if used on the Internet.
> And almost 70 percent agree that pornography on the
> Internet has gone far beyond reasonable bounds.
This op-ed starts out by portraying the two 'sides' as "lawmakers safeguarding from crime", and "citizens bent on protecting privacy"--which I'd say is fairly accurate. The next paragraph, however, discusses the fact that almost everyone agrees that 'better internet security' is necessary as support for the lawmakers' side of things. It goes on to say:

[...]
> A cyberspace that offered privacy, security and decency
> would clearly be preferred. But recognizing that this
> simply may not be technologically achievable, most on-line
> users put security and decency ahead of absolute privacy.
> Fifty-three percent of cybercitizens agree that
> guaranteeing Internet security is more important than
> worrying about the privacy of each user.

The rest of the opinion piece only gets worse--the author thinks that, while privacy is a good goal, "in no way should [privacy] distract regulators from maintaining order and decency on this new frontier, nor should it be allowed to defeat the progress of commercial ventures. "

Now, first of all, the cypherpunks are clearly an entity that values _both_ privacy and security, and doesn't see them as at all contradictory. They're two sides of the crypto coin. The very same encryption that can make it possible to set up secure credit card transactions also makes it possible to use anonymous remailers--and the security isn't harmed by people with anonymous shell accounts or access to the net. Chaum's digicash could theoretically provide security _and_ anonymity, without any contradiction.

Now, Walter Smith probably wouldn't be satisfied with cypherpunkian solutions--he doesn't want anonymous communications _regardless_ of whether we also get secure credit card transactions, and would be perfectly happy with crypto available to everyone, and a law against anonymous communications on the net.
But, regardless of his own opinion of privacy/anonymity and security individually, in this piece he portrays them as linked, and in fact mutually damaging. There is a danger of this view becoming commonplace--whenever we encounter it, we should take pains to argue that privacy/anonymity and security _aren't_ mutually exclusive, are sometimes mutually _enhancing_ (ITAR restrictions make anon remailers and secure financial transactions a pain in the ass to set up legally). And we should make it clear that there are a lot of people out there who value both extremely highly, and don't see any need to sacrifice one for the other.

[I'm not sure of the proper email address to send a response to this viewpoint, but you might try "viewpts at nytimes.com", which is the proper place to submit "viewpoints", ie op-ed pieces in Business section of the NYT].

Very interesting also, is that Smith explicitly says that privacy concerns shouldn't be allowed to "defeat the progress of commercial ventures". It's unclear exactly what the 'progress' that Smith is talking about is, that would be defeated by putting too much emphasis on privacy. But the previous paragraph mentions "users will find it in their self-interest to reveal more and more about themselves so the interactive system can cater easily to their needs and preferences.... 71 percent of respondents found it highly desirable to be able to receive customized information, while only 35 percent felt the same about a guarantee of anonymity."

Smith appears to be saying that the interests of commercial ventures in amassing data about what consumers visited what web sites, and what consumers are likely targets of customized marketing (customized information?), should take precedence over the interests of citizens in keeping their information private!

Many on cypherpunks are used to thinking of business interests as if they match cypherpunks interests, I think--certainly they seem to where ITAR is concerned, at the moment.
But it's good to remember that 'business interests', at least as interpreted by some businesses, are going to contradict cypherpunks interests. Unfortunately, business interests often seem to have the advantage in the U.S. legislative process--with this in mind, lobbying action from 'public interest' groups like the EFF, and us as individuals, is more important when it doesn't line up with business interests (protecting anonymity) than when it does (getting rid of ITAR). Large corporations are lobbying for loosening ITAR, and we can help them, but when lobbying for allowing anonymity, if it comes down to that, we'll have fewer/less powerful allies.

Also, clearly in this survey, they asked two independent questions "Do you find it desirable to be able to receive customized information" (71% said yes), "do you find it desirable to be able to guarantee anonymity" (35% yes, which is actually enhearteningly higher than I would have thought). In the context of his opinion piece, though, he clearly sets them up against each other--what if the surveyed had been asked "When guaranteeing anonymity comes into conflict with allowing commercial ventures to send you customized adverts, which is more important"? Obviously, that question is biased also, but my point is that it's important to make this connection in people's minds. Here, there might _be_ a tradeoff--and consumers frequently get up in arms about how anyone can get their credit report, or their driving record, or whatever. It's important that we create a connection between anonymity on the net, and empowerment to keep personal information personal--we need to link the "customized information" which Smith's surveyees were so enamored of, to the privacy invasions posed by credit reports and such, that consumers already know about and know they don't like.
[I'm going to try to make myself write a letter to the NYT in response to that viewpoint, making some of these points I'm saying it's important to make, but you should too. :) ]

From jya at pipeline.com Sun Jan 28 17:12:05 1996
From: jya at pipeline.com (John Young)
Date: Mon, 29 Jan 1996 09:12:05 +0800
Subject: Opinion piece in NYT; responses needed
Message-ID: <199601290057.TAA21083@pipe4.nyc.pipeline.com>

Responding to msg by jrochkin at cs.oberlin.edu (Jonathan Rochkind) on Sun, 28 Jan 7:33 PM

> The New York Times, January 2, 1996, Business, p. 14
> Viewpoint: J. Walker Smith
> Standoff in Cyberspace Gulch

That's January 28, 1996, no lie. Mein typo, bitte schoen. Back to Mr. Rochkind's assail.

From lull at acm.org Sun Jan 28 17:25:15 1996
From: lull at acm.org (John Lull)
Date: Mon, 29 Jan 1996 09:25:15 +0800
Subject: "German service cuts Net access" (to Santa Cruz)
In-Reply-To: <2.2.32.19960128115634.00977b14@panix.com>
Message-ID: <310c0c26.30666226@smtp.ix.netcom.com>

On Sun, 28 Jan 1996 21:41 +0100 (MET), Olmur wrote:

> It's illegal in Germany to publish material denying the holocaust. In
> the same moment this guy sent his book (?) per snail-mail from Canada
> to Germany he committed a crime here in Germany.

How pray tell is a person in Canada supposed to know that? I (in the US) certainly had no idea Germany had such a law.

Are you saying that, if I ran a bookstore, and accepted international mail orders, I would have to screen every order to ensure I did not ship something offensive to the German government? And if I did fill such an order, and without ever having set foot in Germany, I could be arrested on my next trip to Europe, extradited to Germany, and imprisoned for doing something that is constitutionally protected in the US?

Alternatively, what if I were to post to usenet a message denying the Holocaust, and one person in Germany retrieved that message. Would I then be subject to arrest and extradition to Germany?
Mike Duvos wrote in another message:

> It is interesting to note that there is no specific law
> prohibiting free speech for Holocaust Agnostics in Germany. The
> actual laws under which such cases are prosecuted are libel laws,
> which have been liberally interpreted to mean that one may not
> "libel" deceased Jews as a class or their memory in the minds of
> their surviving relatives.

If in fact this is merely a judicial interpretation of an apparently unrelated law, it is just plain ridiculous to expect people in other countries to be aware of it.

If this is really what Germany wants, then it sounds like time to totally cut Germany off from the internet, simply in self preservation. No one can reasonably be expected to research even the clearly-written laws worldwide that might conceivably apply in such cases, much less far-fetched judicial interpretations of such laws.

Olmur continued:

> I don't think it's astonishing that Denmark imprisoned this guy and
> transported him to Germany. It's a normal thing that one country
> imprisons a criminal another country is searching and then delivers
> him/her to the country in question.

I, on the other hand, find this QUITE astonishing. His actions were legal in both Canada and Denmark (probably everywhere in the world except Germany), and he did nothing in Germany.

Of course, I find the US actions in kidnapping people in other countries quite indefensible also, but at least in those cases the persons involved clearly knew they were violating at least US law, and in most cases were violating their local laws as well.

From flee at teleport.com Sun Jan 28 18:03:52 1996
From: flee at teleport.com (Felix Lee)
Date: Mon, 29 Jan 1996 10:03:52 +0800
Subject: "German service cuts Net access" (to Santa Cruz)
In-Reply-To: <310c0c26.30666226@smtp.ix.netcom.com>
Message-ID: <199601290147.RAA19217@desiree.teleport.com>

> Are you saying that, if I ran a bookstore, and accepted international
> mail orders, I would have to screen every order to ensure I did not
> ship something offensive to the German government?

urrr. yes? anyone doing international shipping has to comply with customs regulations anyway. this isn't really any different. (except when telecom or broadcast media become involved.)

(excuse me while I see if I can ship smallpox to germany.)
--

From alanh at infi.net Sun Jan 28 18:06:47 1996
From: alanh at infi.net (Alan Horowitz)
Date: Mon, 29 Jan 1996 10:06:47 +0800
Subject: Escrowing Viewing and Reading Habits with the Government
In-Reply-To: <960128.102805.1b2.rnr.w165w@sendai.cybrspc.mn.org>
Message-ID:

> > The "Library Awareness Program," administered by the Justice Department, is
> > designed to identify potential criminals before they have a chance to
> > commit their deeds. The visits to libraries made by the FBI are used to
> > determine who is reading subversive or dangerous material.

Do you really think the FBI believes that asking librarians to keep records of customer usage is an efficient way to read the customers' minds?

Do you really think that the FBI foreign counter-intelligence squad has nothing better to do than keep a database of who is reading Che Guevara memoirs?

When someone is being obtained as an asset by an intelligence organization, they are very very carefully led down a path of increasingly serious crimes that they are directed to commit (in return for the sex or the paying off of their debts, which are the two standard hooks) by the controller ("foreign spy"). The first event is something quite minor.
The aim is, from the very beginning, to put the asset into a compromised status, so that he believes he cannot turn to his own security people and confess - with the chance that he'll agree to become a double-agent, so that the DOD can put disinformation into Soviet hands, and the FBI can build up a dossier of admissible evidence against the foreign controller. Remember, you can't get your own guys out of the Russian Gulag unless you've got a GRU man to trade for.

One of the early stages is, being directed to steal a technical book from a library and deliver it to the controller. Now do you see the significance of the Library Awareness Program?

When I worked in the Route 128 area (suburban Boston), we were briefed to be especially suspicious about folks who would befriend us in local bars after work and, for no identifiable reason, start giving us little tiny favors; over time they would become real "angels" that saved our asses when we were having financial/marriage problems. The day might come when they would start asking for "a little favor in return". Something quite innocuous. Then there would arrive a request that we hesitated to do, but we knew we could get away with it without a problem. Then a few weeks later....

From frogfarm at yakko.cs.wmich.edu Sun Jan 28 18:21:54 1996
From: frogfarm at yakko.cs.wmich.edu (Damaged Justice)
Date: Mon, 29 Jan 1996 10:21:54 +0800
Subject: The Unintended Consequences of Suppression
In-Reply-To: <199601281959.LAA16755@netcom18.netcom.com>
Message-ID: <199601290153.UAA13081@yakko.cs.wmich.edu>

an entity calling itself "Mike Duvos" writes:

[visit behind curtain at the now-crowded-and-popular Nazi web-parlor]

On my Beginnings of Freedom page, I've had links to some similar sites for a while now:

http://www2.Gsu.EDU/~gs02jwb/LIST/MEDIA/media.ind
Banned Media and Organizations List

http://www2.Gsu.EDU/~gs02jwb/
The Coming Fall of the American Empire

I keep them around as examples of laughable assumptions that shrivel at the slightest sign of daylight. If I don't keep an eye on folks who espouse bad ideas, they're more likely to pose a threat to me at some point in the future; I'd rather know exactly what they believe, and what they want, and how they hope to accomplish it, the better to protect myself and possibly work against them in some manner.

(It'll probably get worse; I don't see David Brin's vision in _Earth_ of "every man a spy/Boy Scout/Neighborhood Watcher" as being that far-fetched. And that's the least possible evil.. :-S

--
http://yakko.cs.wmich.edu/~frogfarm ...for the best in unapproved information
"We think people like seeing somebody in a uniform on the porch." -US Postal spokeswoman, quoted in AP 1/27/96. I don't know about you, but the only folks I know who'd enjoy seeing someone in uniform on their porch are leathermen...

From sameer at nic.ai Sun Jan 28 18:35:00 1996
From: sameer at nic.ai (sameer)
Date: Mon, 29 Jan 1996 10:35:00 +0800
Subject: "German service cuts Net access" (to Santa Cruz)
In-Reply-To: <310c0c26.30666226@smtp.ix.netcom.com>
Message-ID: <199601290208.SAA07288@infinity.c2.org>

>
> Are you saying that, if I ran a bookstore, and accepted international
> mail orders, I would have to screen every order to ensure I did not
> ship something offensive to the German government? And if I did fill
> such an order, and without ever having set foot in Germany, I could be
> arrested on my next trip to Europe, extradited to Germany, and
> imprisoned for doing something that is constitutionally protected in
> the US?

When I worked for Walnut Creek CDROM they had to remove "Castle Wolfenstein" from one of their CDs because they wouldn't have been able to ship to Germany if they didn't.

--
Sameer Parekh Voice: 510-601-9777x3
Community ConneXion, Inc. FAX: 510-601-9734
The Internet Privacy Provider Dialin: 510-658-6376
http://www.c2.org/ (or login as "guest") sameer at c2.org

From tchen at mindport.net Sun Jan 28 18:35:01 1996
From: tchen at mindport.net (Tom Chen)
Date: Mon, 29 Jan 1996 10:35:01 +0800
Subject: mailing list
Message-ID: <199601290215.VAA17075@polaris.mindport.net>

can i get on the mailing list?

From tcmay at got.net Sun Jan 28 18:46:04 1996
From: tcmay at got.net (Timothy C. May)
Date: Mon, 29 Jan 1996 10:46:04 +0800
Subject: "German service cuts Net access" (to Santa Cruz)
Message-ID:

At 1:10 AM 1/29/96, John Lull wrote:

>Are you saying that, if I ran a bookstore, and accepted international
>mail orders, I would have to screen every order to ensure I did not
>ship something offensive to the German government? And if I did fill
>such an order, and without ever having set foot in Germany, I could be
>arrested on my next trip to Europe, extradited to Germany, and
>imprisoned for doing something that is constitutionally protected in
>the US?

As a point of information, the operators of the "Amateur Action" bulletin board in Fremont, California are now sitting in prison because they e-mailed material fully legal in California but illegal (the court determined) in Memphis, Tennessee.

And, yes, there are many things which are "constitutionally protected" inside the U.S. but which are crimes in Europe and elsewhere. (And things that are legal in Europe, but illegal in the U.S., and all permutations.)

One can write a book in the U.S. and receive a death sentence in Iran. Get used to it.

It makes no sense for us to whine and complain about Country A outlawing some activity that is legal in Country B. The thing for us to do is to use technology and code to subvert and bypass laws of any country which are repressive and controlling.

--Tim

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From dlv at bwalk.dm.com Sun Jan 28 18:54:48 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Mon, 29 Jan 1996 10:54:48 +0800
Subject: [NOISE] Re: The Big Lie
In-Reply-To:
Message-ID:

This has no cryptographic relevance whatsoever, but...

tcmay at got.net (Timothy C. May) writes:
> You need to read a wider variety of articles, and gain an understanding of
> irony used to make a point. I sometimes despair when I get these comments.
> (The ones I get in private mail often reveal incurable cluelessness, even
> if the correspondents are just high school students who somehow found the
> CP list.)
>
> To make it clear to those readers out there who take all posts as literal
> (and who didn't read my note at the bottom!), I was not doubting that Jews
> were exterminated.

I went to high school in the U.S. (a very unpleasant experience), and we were more-or-less taught that:

a) Only Jews were killed in the Nazi death camps; (actually, Nazis targeted many other groups for extermination, and about half the people put to death in the camps weren't Jews.)
b) Nazis made soap/lampshades/mattresses from the fat/skin/hair of their victims on industrial scale;
c) Nazis' primary goal in conquering the world was to round up and kill all the Jews;
d) The U.S. entered the war and defeated Germany almost single-handedly in order to save the Jews.

I can very well imagine how a typical American taught to believe the above can come across a "revisionist" material like _While 6 Million Died_ by Arthur D. Morse; or hear about Russia's role in defeating the Nazis; and begin to doubt whether any Jews were murdered at all. That's not good.

I guess this bears some relevance to the subject of credibility.

---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

From merriman at arn.net Sun Jan 28 19:08:30 1996
From: merriman at arn.net (David K. Merriman)
Date: Mon, 29 Jan 1996 11:08:30 +0800
Subject: "German service cuts Net access" (to Santa Cruz)
Message-ID: <2.2.32.19960128144005.00690390@arn.net>

-----BEGIN PGP SIGNED MESSAGE-----

At 04:02 PM 01/28/96 -0600, m5 at dev.tivoli.com (Mike McNally) wrote:
>
>olmur at dwarf.bb.bawue.de writes:
> > It's illegal in Germany to publish material denying the holocaust. In
> > the same moment this guy sent his book [...] per snail-mail from Canada
> > to Germany he committed a crime here in Germany.
>
>Hi. President M5 of Psychonia here.
I'm afraid we've recently
>enacted legislation in the tiny nation of Psychonia that makes it
>illegal to parenthesize question marks in electronic mail messages,
>because such acts are a direct offense to some of the members of
>primitive hill tribes who live in remote portions of our land.
>
>I issue this warning not to set foot in Psychonia or any of the
>countries with whom we share extradition treaties, or you will be
>arrested and brought here for trial, conviction, and punishment.
>

This message is _clearly_ an effort to spread *pornography* on the net. I know this to be true through the use of a 3-letter code that I have cleverly deleted . If you continue to spread this vile and disgusting trash, I shall have no choice but to complain to my government representatives and have all imports from your country banned, and to pressure companies not to do business in/with your nation.

Dave Merriman

-------------------------------------------------------------
"It is not the function of our Government to keep the citizen from falling into error; it is the function of the citizen to keep the Government from falling into error." Robert H. Jackson (1892-1954), U.S. Judge
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
My web page: http://www.geocities.com/CapitolHill/1148

From cp at proust.suba.com Sun Jan 28 19:13:24 1996
From: cp at proust.suba.com (Alex Strasheim)
Date: Mon, 29 Jan 1996 11:13:24 +0800
Subject: The Unintended Consequences of Suppression
In-Reply-To:
Message-ID: <199601290252.UAA07231@proust.suba.com>

> You just don't get it, do you?
Do-gooders like the Wiesenthalistas
> don't need to be *right*; they need *a steady stream of cash contributions*

It's usually more effective to point out why what someone is saying is wrong rather than to speculate as to what their motives for saying it might be.

From warlord at MIT.EDU Sun Jan 28 19:23:01 1996
From: warlord at MIT.EDU (Derek Atkins)
Date: Mon, 29 Jan 1996 11:23:01 +0800
Subject: "German service cuts Net access" (to Santa Cruz)
In-Reply-To:
Message-ID: <199601290252.VAA18010@toxicwaste.media.mit.edu>

> As a point of information, the operators of the "Amateur Action" bulletin
> board in Fremont, California are now sitting in prison because they
> e-mailed material fully legal in California but illegal (the court
> determined) in Memphis, Tennessee.

Actually, it wasn't because of what they emailed, but rather the owner/operators of AA BBS snail-mailed a video cassette that contained "pornographic" materials.

Unfortunately it sets a bad precedent nonetheless.

-derek

From tcmay at got.net Sun Jan 28 19:39:02 1996
From: tcmay at got.net (Timothy C. May)
Date: Mon, 29 Jan 1996 11:39:02 +0800
Subject: Escrowing Viewing and Reading Habits with the Government
Message-ID:

At 2:59 AM 1/28/96, Lucky Green wrote:

>Of course the V-Chip transmits the ID number of the program to be rated
>upstream. Since all programs will be rated by the chip, regardless if you
>choose to use the rating or not, the exact channel you are watching will be
>tracked and logged.
>
>Have fun,

This is a serious misstatement of the proposal! I am shocked, simply shocked. If Lucky only knew what I know...

The logged information is only available to law enforcement if they have a legitimate need to know, as evidenced by a valid court order, an authorization from the Foreign Intelligence Surveillance Court, a request by a regional or local police department, or upon suspicion that a sex offender or pedophile is displaying too much interest in children's shows or "Baywatch."

The "Library Awareness Program," administered by the Justice Department, is designed to identify potential criminals before they have a chance to commit their deeds. The visits to libraries made by the FBI are used to determine who is reading subversive or dangerous material. According to Director Freeh, "If we had had this program in place when Timothy McVeigh was a child, we could have detected his interest in ANFO and picked him up for reeducation, or at least recruited him for the CIA's Lockerbie team."

Finally, I am confident that the viewing habits "escrowed" with the government will only be used for good purposes. The policeman is our friend.

--Klaus!

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From dlv at bwalk.dm.com Sun Jan 28 20:34:58 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Mon, 29 Jan 1996 12:34:58 +0800
Subject: "German service cuts Net access" (to Santa Cruz)
In-Reply-To: <2.2.32.19960128144005.00690390@arn.net>
Message-ID:

"David K. Merriman" writes:
> This message is _clearly_ an effort to spread *pornography* on the net.
...

Heck, any message on the Internet is inherently pornographic because it's just a bunch of 1's and 0's. And we all know that to Sen Exon a 1 looks like a penis and a 0 looks like a vagina! :-)

---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

From dlv at bwalk.dm.com Sun Jan 28 20:35:56 1996
From: dlv at bwalk.dm.com (Dr.
Dimitri Vulis)
Date: Mon, 29 Jan 1996 12:35:56 +0800
Subject: "German service cuts Net access" (to Santa Cruz)
In-Reply-To: <310c0c26.30666226@smtp.ix.netcom.com>
Message-ID:

Very little crypto relevance in the following...

lull at acm.org (John Lull) writes:
> On Sun, 28 Jan 1996 21:41 +0100 (MET), Olmur wrote:
>
> > It's illegal in Germany to publish material denying the holocaust. In
> > the same moment this guy sent his book (?) per snail-mail from Canada
> > to Germany he committed a crime here in Germany.
>
> How pray tell is a person in Canada supposed to know that? I (in the
> US) certainly had no idea Germany had such a law.

Ignorance of the law is not a defense. How is a reasonable person supposed to know that it's illegal to take >$10K in cash out of the country without some paperwork? Yet one can be jailed for that. :-)

> Are you saying that, if I ran a bookstore, and accepted international
> mail orders, I would have to screen every order to ensure I did not
> ship something offensive to the German government? And if I did fill
> such an order, and without ever having set foot in Germany, I could be
> arrested on my next trip to Europe, extradited to Germany, and
> imprisoned for doing something that is constitutionally protected in
> the US?

I recall that the former Soviet Union had a similar "long arm" interpretation of its laws against anti-Soviet libel: if you ran a bookstore in the U.S. that sold anti-Soviet materials and then came to visit the U.S.S.R., you could in principle be arrested, tried, and convicted.

> Alternatively, what if I were to post to usenet a message denying the
> Holocaust, and one person in Germany retrieved that message. Would I
> then be subject to arrest and extradition to Germany?

Certainly, if you posted an anti-Soviet article to Usenet from the U.S., and it reached the former Soviet Union, you would be guilty of anti-Soviet libel.

> If this is really what Germany wants, then it sounds like time to
> totally cut Germany off from the internet, simply in self
> preservation.

I'm sure this is what the German government and many German people really want. But, would you also argue that the former Soviet Union should not have been allowed on Internet because some of the information that would enter it via the internet would have been illegal there? I read that Singapore is similarly trying to restrict its citizens' access to the net. I think it would be more honorable to provide Germans with tools to access the information they want, even if it violates their laws that we consider to be unjust.

---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

From jf_avon at citenet.net Sun Jan 28 21:06:29 1996
From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada)
Date: Mon, 29 Jan 1996 13:06:29 +0800
Subject: Downsizing the NSA
Message-ID: <9601290442.AA23563@cti02.citenet.net>

Timothy C. May wrote:

>AT&T is downsizing, IBM downsized a while back, so why couldn't the NSA
>just do the right thing: admit that the Soviet threat is no more,
>congratulate the victors, and downsize by 20,000 employees?

Your post is very interesting. I would like to add to it in the form of a question:

Q) What are the factors, in what context did AT&T and IBM and many other big companies downsize? Or, in other words: What are the ultimate contextual causes of the downsizing?

Regards to Cypherpunks from a new guy on the mailing list.

JFA

From jrochkin at cs.oberlin.edu Sun Jan 28 21:16:33 1996
From: jrochkin at cs.oberlin.edu (Jonathan Rochkind)
Date: Mon, 29 Jan 1996 13:16:33 +0800
Subject: "German service cuts Net access" (to Santa Cruz)
Message-ID:

At 1:47 AM 01/29/96, Felix Lee wrote:
>> Are you saying that, if I ran a bookstore, and accepted international
>> mail orders, I would have to screen every order to ensure I did not
>> ship something offensive to the German government?
>
>urrr. yes? anyone doing international shipping has to comply with
>customs regulations anyway. this isn't really any different. (except
>when telecom or broadcast media become involved.)
>
>(excuse me while I see if I can ship smallpox to germany.)
>--

If you violate customs regulations on the receiving end, all that's going to happen is the book you sent gets confiscated. Which is only bad for the receiving party (in Germany), since you already have the money, which is fine since it's reasonable to expect the receiving party in Germany to know German customs regulations. You, as shipper, certainly won't get extradited to Germany from Denmark or anywhere else.

Trying to ship smallpox to Germany might be another matter, of course.

From jf_avon at citenet.net Sun Jan 28 21:52:23 1996
From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada)
Date: Mon, 29 Jan 1996 13:52:23 +0800
Subject: "German service cuts Net access" (to Santa Cruz)
Message-ID: <9601290524.AA25174@cti02.citenet.net>

Well, here is a very costly but ultimate answer:

Cancel all business you have with Germany and let them know the reason. This will speak much louder than any civil liberty protest.

The feudal view of most of Europe makes any appeal to liberty futile.

JFA

From declan+ at CMU.EDU Sun Jan 28 21:52:26 1996
From: declan+ at CMU.EDU (Declan B.
McCullagh)
Date: Mon, 29 Jan 1996 13:52:26 +0800
Subject: Ernst Zundel impersonator on Usenet
Message-ID:

Ernst Zundel is the holocaust revisionist who sparked the Wiesenthal Center's attempts at censorship, and the latest move by the German government. Now an AOL alias, "ernstzundl at aol.com", is being used in the course of an impressive trolling spree on Usenet newsgroups including aus.flame, alt.skinheads, alt.mindcontrol, and soc.culture.jewish.

Some excerpts from posts to soc.culture.jewish:

  Prior to 1904, there *were* no black people. But they invented the whole myth of Africa, the slave trade, pyramids in Egypt, etc-- to serve their own ends.

  I know this because *I* have studied history. This is why I am the Revisionist Extraordinaire. I know obscure things about history that nobody except me knows.

  FOIL THE JEWISH PLOT!! POLUTE THE EARTH!! CONTAMINATE THE WATER!! DESTROY EVERY LIVING THING TO SAVE IT FROM THE JEWS!! AND THEN WAIT FOR THE MOTHER SHIP TO BRING US TO OUR HOME IN THE STARS!

I found an interesting message with the help of Alta Vista. Posted by "ernstzundl at aol.com" to rec.scuba, it said:

  Does anyone know of any scuba clubs in or near Kingston, NY? Thanks!

I'm not familiar with how AOL screen names work, but my guess is that the Kingston, NY resident impersonating Zundel forgot to switch back to his other screen name before posting.

-Declan

From warlord at MIT.EDU Sun Jan 28 22:03:02 1996
From: warlord at MIT.EDU (Derek Atkins)
Date: Mon, 29 Jan 1996 14:03:02 +0800
Subject: pgp on linux
In-Reply-To: <199601290513.FAA30591@pangaea.hypereality.co.uk>
Message-ID: <199601290541.AAA19848@toxicwaste.media.mit.edu>

Hi.

There is a known problem in the PGP 2.6.2 distribution. In order to compile it for Linux/ELF, you will need to make a change to the sources. The quick change is to add "ASMDEF=-DSYSV" to the Linux make rule in the makefile. However this will not allow it to compile under Linux/a.out anymore.

The proper fix, which is detailed on the PGP FAQ, Buglist, Fixes, and Improvements Page is to modify 80386.S and zmatch.S to look for the symbol __ELF__ in addition to SYSV. This page, by the way, is available at this URL:

http://www.mit.edu:8001/people/warlord/pgp-faq.html

Enjoy!

-derek

From sameer at nic.ai Sun Jan 28 23:25:02 1996
From: sameer at nic.ai (sameer)
Date: Mon, 29 Jan 1996 15:25:02 +0800
Subject: Netscape, CAs, and Verisign
In-Reply-To: <310C6C76.AB8@netscape.com>
Message-ID: <199601290658.WAA20767@infinity.c2.org>

> As I said in my previous message, we don't care how big you are
> as long as you meet the soon to be published criteria.

OK, fine, erase the word "megacorp", and my statement holds. The fact that Verisign lies to my customers, tarnishing my reputation, doesn't exactly endear me to them, or companies related to them.

--
Sameer Parekh Voice: 510-601-9777x3
Community ConneXion, Inc. FAX: 510-601-9734
The Internet Privacy Provider Dialin: 510-658-6376
http://www.c2.org/ (or login as "guest") sameer at c2.org

From wendigo at pobox.com Sun Jan 28 23:43:07 1996
From: wendigo at pobox.com (Mark Rogaski)
Date: Mon, 29 Jan 1996 15:43:07 +0800
Subject: The Big Lie
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

- From the node of Timothy C. May:
:
: Like many born after the Second World War, I took it as a fact that the
: so-called Holocaust actually happened. I saw pictures of death camps,
: interviews with survivors, etc.
:
: But if it really happened, why are so many countries trying to suppress the
: evidence that it was all just a CIA-Mossad plot? It seems more likely that
: the pictures were faked, or were pictures taken of dying Germans in Russian
: POW camps on the Eastern Front.
:
:

I also saw quite a few pictures that were taken by relatives during the liberation (or whatever you call it) and the holocaust was very real. I will say that the number of Poles that were incarcerated was quite understated.
Maybe Lester Bangs was right when he said that the Holocaust was just a coverup to hide the fact that Hitler killed 6 million Jehovah's Witnesses.

All I can say is that I have seen good proof that we should not trust the whims of any government. Human beings with power over other human beings scare me beyond belief.

- -----
Mark Rogaski 100,000 lemmings rogaski at pobox.com aka Doc, wendigo can't be wrong! http://www.pobox.com/~rogaski/
VMS is as secure as a poodle encased in a block of lucite ... about as useful, too.

From futplex at pseudonym.com Sun Jan 28 23:51:28 1996
From: futplex at pseudonym.com (Futplex)
Date: Mon, 29 Jan 1996 15:51:28 +0800
Subject: Downsizing the NSA
In-Reply-To:
Message-ID: <199601290722.CAA21466@opine.cs.umass.edu>

Tim May writes:
> AT&T is downsizing, IBM downsized a while back, so why couldn't the NSA
> just do the right thing: admit that the Soviet threat is no more,
> congratulate the victors, and downsize by 20,000 employees?

Alan Horowitz writes:
# You didn't read about it in the _Baltimore Sun_, so obviously it must not
# have happened?

Where do you propose that these 20,000 mathematicians went? Did they take advantage of the unmet demand for math professors? Please share your evidence for this dramatic employment shift with the rest of us.
Futplex From nobody at REPLAY.COM Mon Jan 29 00:00:43 1996 From: nobody at REPLAY.COM (Anonymous) Date: Mon, 29 Jan 1996 16:00:43 +0800 Subject: No Subject In-Reply-To: <199601261801.KAA07578@slack.lne.com> Message-ID: <199601290724.IAA10178@utopia.hacktic.nl> I'm glad this interesting conversation came up. I apologize for writing this anonymously, but I don't want to do anything to associate my nym with my conventional name. The very act of comparing the actions of the two entities would endanger my anonymity. I use a nym to talk publicly about a certain topic that, while it is legal and not really that embarrassing, I would rather not have associated with my conventional name. In particular, I don't want my thoughts on this topic to be archived by my conventional name. So I use a nym, and it basically works. I think a really determined person could break my nym even today, but I don't think anyone will ever be that determined and I'm not that worried about it. ericm at lne.com (Eric Murray) writes: >But I have some problems/questions about using a nym: >1. reputation. Yes, each nym (and your conventional name, which in some ways is just another nym) has to have its own, independent reputation. I don't know any way around this. The whole point of a nym is so the actions of your nym don't affect the reputation of your conventional name. You could tell trusted people about the association between your nym and your conventional name, but you're compromising your nym in doing that. You have to develop a threat model - how seriously do you want to keep your anonymity? >2. does it (a nym) really help? A perfectly secure one does, by definition - if no one can ever associate your nym with your conventional name, in particular if no one knows that you have a nym, then there is no problem. The question is, how close are we today to that perfection? Getting lots of mail from remailers currently looks suspicious.
>But if my nym is investigated for some future crime (fuck Exon) and >my nym isn't secure enough to protect my RealName, it will be a liability. Yes. One thing to remember is that a response block associates an email address with a public key for ever and all time. To be safer, you need to not let mail from the nym go back to a private email box. True anonymity is inconvenient. From mpd at netcom.com Mon Jan 29 00:04:00 1996 From: mpd at netcom.com (Mike Duvos) Date: Mon, 29 Jan 1996 16:04:00 +0800 Subject: "German service cuts Net access" (to Santa Cruz) In-Reply-To: Message-ID: <199601290738.XAA25006@netcom13.netcom.com> olmur at dwarf.bb.bawue.de (Olmur) writes: > Free speech ends where other people can reasonable claim > that their feelings are badly hurt. Excuse me? That line is definitely .sig file fodder. > Is it constitutionally protected in US to knowingly hurt > other people's feelings and to trample on graves????? Of course it is. What a silly question. My feelings get hurt on Usenet almost every day and you don't see me whining about it. > Mike's information is old. Meanwhile it's explicitely > forbidden to deny the holocaust. I'm so pleased to hear you have updated your laws with this new progressive "hurt feelings" doctrine. Obviously "PC" translates quite well into the German language. > Due to our history publishing NAZI-propaganda is forbidden > in Germany. The big majority in Germany agrees with this > view, that NAZI-propaganda doesn't fall under 'free speech'. Much as the Third Reich took the view that anti-Nazi speech wasn't protected. Your country hasn't changed its authoritarian perspective on freedom of personal expression. All it has done is put a different set of publicly supported items on the official censorship list. Didn't the Germans learn anything from World War II? -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. 
$ From jcobb at ahcbsd1.ovnet.com Mon Jan 29 00:44:24 1996 From: jcobb at ahcbsd1.ovnet.com (James M. Cobb) Date: Mon, 29 Jan 1996 16:44:24 +0800 Subject: Decrypting the "MIG Group" Message-ID: Friend, A 01 29 96 Electronic Telegraph newsstory ----------------------------------------- Riddle of spooks in the White House BY AMBROSE EVANS-PRITCHARD reports: Official logs kept by the US secret service...indicate that a top White House aide, Patsy Thomasson, met a team of secret service technicians at her office on the night of Mr Foster's death. Evans-Pritchard writes: ...logs kept by Secret Service staff at the White House --published in Senate documents on the death of Mr Foster-- show that a so-called "MIG Group" was checked into offices occupied by Miss Thomasson and her boss, David Watkins...at 7.10 pm on July 20, 1993. Miss Thomasson was the only member of the White House staff logged into the office at the time. She checked out at the same time as the "MIG Group" at 7.44 pm.... E-P inquired about MIG, but-- The press spokesman for the Secret Service at first said that he had not heard of the acronym "MIG". The next day he changed his account, saying that the "MIG Group" was a team of Secret Service technicians that had gone to Miss Thomasson's office that night to conduct a routine alarm check. He said he could not divulge what the acronym MIG stood for because the unit was secret. However, Intelligence sources have told The Sunday Telegraph that "MIG" stands for "military intelligence group". MIG groups are typically known as Technical Services Counter-Measure teams (TSCMs), highly classified units that handle high-tech counter-espionage. Their duties, for example, include sweeping for bugs at the White House. Sources say that the high-tech counter-espionage staff at the White House are controlled and operated by the Federal Emergency Management Agency, known as FEMA.
This agency...has enormous power and can draw freely on the capabilities of the CIA, the FBI, and the Pentagon. E-P concludes: ...[The logs] add to the growing weight of evidence that a tiny group at the White House was tipped off early about Foster's death, long before the official notification at 8.30 pm. It would have provided a window of at least an hour to cover things up before anybody was alerted. If so, America is facing a White House scandal that is every bit as serious and nasty as Watergate. The Electronic Telegraph can be accessed at: http://www.telegraph.co.uk The newsstory is under World News. Its online filename is wamby- 27.html. Cordially, Jim From stewarts at ix.netcom.com Mon Jan 29 00:55:27 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 29 Jan 1996 16:55:27 +0800 Subject: "Concryption" Prior Art Message-ID: <199601290832.AAA09285@ix10.ix.netcom.com> >>However the Con-cryption patent covers first compressing, then >>encrypting. > >Isn't that how PGP does its thing (first compress the data and then feed it >into the Encryption Stage)? PGP is prior art in-and-of-itself. Peter Wayner posted that the "new" thing about the way they do it is that it saves time by combining the steps. But I think I've seen approximately the same done with arithmetic-coding compression? #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "Eternal vigilance is the price of liberty" used to mean us watching # the government, not the other way around.... From stewarts at ix.netcom.com Mon Jan 29 01:23:35 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 29 Jan 1996 17:23:35 +0800 Subject: CP LITE: A Censorship Device? Message-ID: <199601290902.BAA11615@ix10.ix.netcom.com> At 03:54 AM 1/28/96 -0600, you wrote: >I've been watching this CP Lite thing develop. > >Sounds like an attempt to moderate the list. >I mean it's easy to post out of it, >but hard to answer to it. 
>And all of the good back and forth discussion >gets lost in a backwash of private email. The default behaviour of Eudora seems to work reasonably well for replying to these. Reply pops up a message with To: John Doe #2 From: My Name Subject: Re: whatever Cc: At 03:54 AM 1/28/96 -0600, you wrote: > WHATEVER IT WAS and you can just fill in cypherpunks at toad.com as the Cc:. Your mailer may vary, but it's probably got a similar capability. The main problem I have is the "you wrote" as opposed to "John Doe wrote", which is more like what you want for mailing lists, but that can be copy&pasted or ignored. The person you're replying to usually gets two copies, but that's minor. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "Eternal vigilance is the price of liberty" used to mean us watching # the government, not the other way around.... From stewarts at ix.netcom.com Mon Jan 29 02:34:36 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 29 Jan 1996 18:34:36 +0800 Subject: Denning's misleading statements Message-ID: <199601291016.CAA16996@ix10.ix.netcom.com> At 04:54 PM 1/28/96 -0500, perry at piermont.com wrote: >Well, not really. Silvio Micali did some work on this topic. Er, yes - Micali's term "fair cryptosystem" outranks even "key escrow" on my outragious pro-government toadyism bogometer ..... #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # http://www.idiom.com/~wcs From stewarts at ix.netcom.com Mon Jan 29 02:43:40 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 29 Jan 1996 18:43:40 +0800 Subject: Denning's misleading statements Message-ID: <199601291015.CAA16990@ix10.ix.netcom.com> At 03:12 PM 1/28/96 -0500, Ben Samman. wrote: >There's quite a few folks in the Yale CS department that are pro-Clipper >or fence sitters. They justify it in class by claiming that law >enforcement needs these abilities if LE is to remain effective. 
They're quite correct - it's a problem of values and goals, and theirs differ from mine. IF law enforcement is to be effective (at those things it's effective at, like self-preservation and politician-electing), then it WILL need this increase in power. Because otherwise we WILL move to crypto-anarchy. I hope we will anyway, and perhaps the tackiness of the Clipper forces will encourage the general public to get there faster rather than slower. BTW, the reason Swiss banking laws were so strong for so many years was because the Nazis were pressuring bankers to give out information on their Jewish customers... #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # http://www.idiom.com/~wcs From alanh at infi.net Mon Jan 29 03:20:59 1996 From: alanh at infi.net (Alan Horowitz) Date: Mon, 29 Jan 1996 19:20:59 +0800 Subject: The Unintended Consequences of Suppression In-Reply-To: <199601281959.LAA16755@netcom18.netcom.com> Message-ID: > This goes beyond > simple stupidity, and clearly approaches the lobotomy level of > impaired mental functioning. You just don't get it, do you? Do-gooders like the Wiesenthalistas don't need to be *right*; they need *a steady stream of cash contributions* No one had ever heard of Farrakhan, until the ADL started pumping out press releases, attacking him by name. But Farrakhan was cleverer than Abe Foxman, who makes six figures as the head of ADL; Farrakhan used the publicity to his financial advantage. Farrakhan now works the college lecture circuit; even better, he hires sports arenas and fills them up with lower-middle class blacks who are willing to pay the price of a ticket, to see Whitey get sassed in public. "You can say anything you want about me, as long as you spell my name right". It is a metric of America's wealth, that we have a whole class of individuals who can make a living by being the interlocutors in political show biz.
From ddt at lsd.com Mon Jan 29 03:30:55 1996 From: ddt at lsd.com (Dave Del Torto) Date: Mon, 29 Jan 1996 19:30:55 +0800 Subject: [NOISE] FIG_newt/on CIA Message-ID: <310cb715.idoc@idoc.idoc.ie> [ This came to me from someone at Apple, through our pal Stephan Somogyi ] [ ...another "your tax dollars hard at work" story... heh. --dave ] ................................. cut here ................................. There's an easter egg in the 2.0 Newton (MessagePad 120) which was "censored" by, yes, the CIA. Back in '94, one of the Newton software types made a trek to the (very) small town of Rachel, Nevada, which is located at the edge of a secret government airbase. The base, called "Area 51," is thought by UFO-enthusiasts to be filled with alien technology which the government is in the process of reverse engineering. Meanwhile, the government denies the very existence of the base, in spite of widespread media coverage ("Larry King Live from Area 51", etc.). We figured it'd be funny to put a reference to Area 51 in the Newton -- especially given the substantial overlap between conspiracy buffs and computer nerds. So, in the "Time Zones" application, which contains a world map, we put an entry for Area 51 in its correct location. Later, we added a twist -- if the user picks Area 51 from the map, the icons in the datebook application take on an alien theme. Normally, meetings are represented by an icon of two people face-to-face, events are represented by a flag, etc., etc. But when Area 51 has been chosen, the icon for a meeting is a person facing an alien, the icon for an event is a flying saucer, a to-do task is represented by a robot, and so on. Okay, cute enough. Now cut to August 1995, when the 2.0 ROM has been declared final, seed units have been in customers' hands for a little while, and the release is just about ready to go. One of the seed units, it turns out, was sent to a cryptographer working for the CIA.
When he found that Area 51 was listed at the correct latitude/longitude, he complained to Apple, demanding the removal of the easter egg and threatening to have his superiors take the issue to Spindler if necessary. In the end, Newton management caved in to the demand, and decided to pull the joke out of the system. But the ROM was already done -- so the feature was hidden by a software patch ("System Update") -- but this part of the patch can itself be removed, and "Area 51" returned to its rightful glory. Here's how to get the easter egg back: 1) Open the Extras drawer. 2) Switch the folder of the Extras drawer to "Storage". 3) Tap on the icon "Time Zones" and press the "Delete" button. Warning -- any cities you've added to your Newton will be lost. 4) Switch the folder of the extras drawer back to "Unfiled icons." 5) Tap on "Time Zones." You'll find that Area 51 is on the map -- just tap near Las Vegas and choose Area 51 from the popup. Now look at the icons in Dates. (To purge the aliens from your PDA, open the back and press reset). From an253362 at anon.penet.fi Mon Jan 29 04:04:31 1996 From: an253362 at anon.penet.fi (Hell's Angel) Date: Mon, 29 Jan 1996 20:04:31 +0800 Subject: pub key Message-ID: <9601291136.AB06997@anon.penet.fi> Hi all! Interested in discussing underground matters of cypherpunks. Send your pgp pub key for more privacy. 
FYI, my pub key: --****ATTENTION****--****ATTENTION****--****ATTENTION****--***ATTENTION*** Your e-mail reply to this message WILL be *automatically* ANONYMIZED. Please, report inappropriate use to abuse at anon.penet.fi For information (incl. non-anon reply) write to help at anon.penet.fi If you have any problems, address them to admin at anon.penet.fi From packrat at ratbox.rattus.uwa.edu.au Mon Jan 29 04:23:30 1996 From: packrat at ratbox.rattus.uwa.edu.au (Bruce Murphy) Date: Mon, 29 Jan 1996 20:23:30 +0800 Subject: The Big Lie In-Reply-To: Message-ID: <199601291158.TAA00437@ratbox.rattus.uwa.edu.au> In message , Dr. Dimitri Vulis wrote: > Zero crypto relevance... > > mpd at netcom.com (Mike Duvos) writes: > > It is interesting to note that there is no specific law > > prohibiting free speech for Holocaust Agnostics in Germany. The > > actual laws under which such cases are prosecuted are libel laws, > > which have been liberally interpreted to mean that one may not > > "libel" deceased Jews as a class or their memory in the minds of > > their surviving relatives. > > > > The notion of libeling a class of deceased persons strikes me as > > a dangerous and particularly convoluted legal fiction. (Although > > I certainly don't mean any disrespect for the deceased or their > > survivors when I say this.) > > To me this sounds like a very twisted legal reasoning.
If I understood > correctly some other posts in this thread, by saying something like, "the Naz > is > invaded Denmark for reasons other than to round up and kill the 3,000 Danish > Jews", this Zendel loser automatically implies that whoever says otherwise is > lying; and that is a libel/slander, and is a criminal (not just civil) offens > e. I was under the impression that you couldn't libel/slander a dead person. Mainly because libel/slander is a offence against reputation which dead people don't care much for, but also because once you go against this principle where in hell (no pun intended) do you draw the line. Of course my impressions tend to be based around the legal system I've lived in all my life... -- Packrat (BSc/BE;COSO;Wombat Admin) Nihil illegitemi carborvndvm. From packrat at ratbox.rattus.uwa.edu.au Mon Jan 29 04:24:09 1996 From: packrat at ratbox.rattus.uwa.edu.au (Bruce Murphy) Date: Mon, 29 Jan 1996 20:24:09 +0800 Subject: more RANTING about NSA-friendly cpunks In-Reply-To: <199601282104.NAA10926@netcom3.netcom.com> Message-ID: <199601291158.TAA00448@ratbox.rattus.uwa.edu.au> In message <199601282104.NAA10926 at netcom3.netcom.com>, "Vladimir Z. Nuri" wrote: > > >In message <199601262011.MAA17408 at netcom16.netcom.com>, > > "Vladimir Z. Nuri" wrote: > >> > >> has anyone *tried* just ignoring the ITAR wrt crypto and seeing what > >> would happen? the gubbermint blindly thinks that cyberspace will > >> inevitably bring the wrath of four horsemen of the infocalypse, but aren't {snip} > > > >Zimmerman. > {snip} > Zimmermann supports my contention, as I wrote in the post. NOTHING > happened to him. it is conceivable this same result could have > been arrived at (government drops investigation) if he never even > hired a lawyer. > > Zimmermann is a perfect example of what may be counterproductive > hysteria on *our* side, toward advancing crypto. if Zimmermann > cannot be prosecuted, and is not prosecuted, where are the ITAR "teeth"??? > Nod. 
You may have a point there... I'll tell you what, seeing as I *can't* export cryptostuff against ITAR, what say *you* do it. Lots of it. And if nothing happens to you, well and good. OTOH the cause needs a few martyrs. -- Packrat (BSc/BE;COSO;Wombat Admin) Nihil illegitemi carborvndvm. From asgaard at sos.sll.se Mon Jan 29 04:35:33 1996 From: asgaard at sos.sll.se (Asgaard) Date: Mon, 29 Jan 1996 20:35:33 +0800 Subject: TollRoad (CA 91) and anonymity (fwd) In-Reply-To: <199601281520.QAA04604@utopia.hacktic.nl> Message-ID: > ................and have cash options for those customers who aren't > comfy with recurring automatic transactions on their card or account. This seems to be a new-speak definition of cash: that they send you a bill instead of making an automatic withdrawal? > We have an anonymous account option. Great. I wonder how many of their customers take advantage of this option, and how it works. The emitting chip is stated not to contain any information other than 'ID so-and-so passes point X now'. Does one have to keep track of one's credit status and go to an office and pay with paper bills in advance? Not very convenient. > Our records are much like those kept by the phone company -- they're sealed > to the public and to official requests that aren't accompanied by a court > order. Ah, the records are GAKed. For convenience, the PD could as well tap into the system in real-time. They have always thousands of stolen vehicles to watch out for. > We don't ever purge our records. What would be the reason for this? When a customer has paid his bill, the detailed records have no consequences for their profit. For long-term highway traffic analysis they could as well create deidentified entries. Stockholm is to get the first toll system ever in Sweden, in a few years (for crossing into the inner city). From what has come out so far, they are contemplating the use of Chaum's anonymous toll system (allegedly in place in Dutch cities).
How does this system work, cryptographically? (I haven't found anything on Digicash's web site.) Asgaard From perry at piermont.com Mon Jan 29 06:35:27 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 29 Jan 1996 22:35:27 +0800 Subject: An Enigma - Wrapped In a Circle In-Reply-To: <199601290505.AAA36182@osceola.gate.net> Message-ID: <199601291403.JAA22297@jekyll.piermont.com> Jim Ray writes: > >What the hell is the cypherpunks relevance here, anyway? I mean, other > >than trying to elicit a response from me, which you surely knew would > >show up, was there any purpose to this? Why are crop circles important > >to people worrying about cryptography and cryptography policy? What > >possible linkage could there be? > > Why Perry! I see your point! Any phenomenon that elicits articles > with titles like "Ciphers in the Crops" could have nothing at all > to do with cryptography... And I read it and it seemed like crap to me that had no relevance to this mailing list. Neither would discussions of how UFOs are reading our minds and thus a great threat to privacy. > I repeat: Go hump a tree. Thank you for your witty and sophisticated repartee. Plonk. .pm From stevenw at best.com Mon Jan 29 22:38:40 1996 From: stevenw at best.com (Steven Weller) Date: Mon, 29 Jan 96 22:38:40 PST Subject: [UTTER NOISE]Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards Message-ID: >> INFORMATION IS INSECURE THE MOMENT YOU TOUCH A KEY. > >> This does not mean that Internet commerce is dead. Any scheme that is >> not based on self-identifying one-way financial instruments such as >> credit cards will be essentially unaffected by this problem. Moreover, >> even credit cards may be made safe on the Internet using one of two >> approaches: secure hardware add-ons and the First Virtual approach. etc. 
My name for this kind of software: Terminate and Stay Clueless ------------------------------------------------------------------------- Steven Weller | "The Internet, of course, is more | than just a place to find pictures | of people having sex with dogs." stevenw at best.com | -- Time Magazine, 3 July 1995 From karl at cosmos.cosmos.att.com Mon Jan 29 06:49:33 1996 From: karl at cosmos.cosmos.att.com (Karl A. Siil) Date: Mon, 29 Jan 1996 22:49:33 +0800 Subject: Downsizing the NSA Message-ID: <2.2.32.19960129143028.00716210@cosmos.cosmos.att.com> At 08:18 PM 1/28/96 EST, Dr. Dimitri Vulis wrote: >I went to a talk by Andy Koenig a few weeks ago and he claimed that even >though AT&T is laying off people (and splitting) they're still hiring every >internet/security person they could find. I don't know if this is tacky or politically incorrect for this list (so I'll keep it short), ... Speaking for my security group, this is correct. Anyone interested is urged to send me private e-mail. Karl From raph at CS.Berkeley.EDU Mon Jan 29 07:12:04 1996 From: raph at CS.Berkeley.EDU (Raph Levien) Date: Mon, 29 Jan 1996 23:12:04 +0800 Subject: List of reliable remailers Message-ID: <199601291450.GAA29716@kiwi.cs.berkeley.edu> I operate a remailer pinging service which collects detailed information about remailer features and reliability. To use it, just finger remailer-list at kiwi.cs.berkeley.edu There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at: http://www.cs.berkeley.edu/~raph/remailer-list.html This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail, which is available at: ftp://ftp.csua.berkeley.edu/pub/cypherpunks/premail/premail-0.33a.tar.gz For the PGP public keys of the remailers, finger pgpkeys at kiwi.cs.berkeley.edu This is the current info: REMAILER LIST This is an automatically generated listing of remailers. 
The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu.

$remailer{"extropia"} = " cpunk pgp special";
$remailer{"portal"} = " cpunk pgp hash";
$remailer{"alumni"} = " cpunk pgp hash";
$remailer{"bsu-cs"} = " cpunk hash ksub";
$remailer{"c2"} = " eric pgp hash reord";
$remailer{"penet"} = " penet post";
$remailer{"ideath"} = " cpunk hash ksub reord";
$remailer{"hacktic"} = " cpunk mix pgp hash latent cut post ek";
$remailer{"flame"} = " cpunk mix pgp. hash latent cut post reord";
$remailer{"rahul"} = " cpunk pgp hash filter";
$remailer{"mix"} = " cpunk mix pgp hash latent cut ek ksub reord ?";
$remailer{"ford"} = " cpunk pgp hash ksub ek";
$remailer{"hroller"} = " cpunk pgp hash latent ek";
$remailer{"vishnu"} = " cpunk mix pgp hash latent cut ek ksub reord";
$remailer{"robo"} = " cpunk hash mix";
$remailer{"replay"} = " cpunk mix pgp hash latent cut post ek";
$remailer{"spook"} = " cpunk mix pgp hash latent cut ek reord";
$remailer{"rmadillo"} = " mix cpunk pgp hash latent cut ek";
$remailer{"ecafe"} = " cpunk mix";
$remailer{"wmono"} = " cpunk mix pgp. hash latent cut";
$remailer{"shinobi"} = " cpunk mix hash latent cut ek reord";
$remailer{"amnesia"} = " cpunk mix pgp hash latent cut ek ksub";
$remailer{"gondolin"} = " cpunk mix pgp hash latent cut ek reord";
$remailer{"tjava"} = " cpunk mix pgp hash latent cut";
$remailer{"pamphlet"} = " cpunk pgp hash latent cut ?";
$remailer{'alpha'} = ' alpha pgp';
$remailer{'gondonym'} = ' alpha pgp';
$remailer{'nymrod'} = ' alpha pgp';

catalyst at netcom.com is _not_ a remailer.
lmccarth at ducie.cs.umass.edu is _not_ a remailer.
usura at replay.com is _not_ a remailer.

Groups of remailers sharing a machine or operator:
(c2 robo hroller alpha)
(gondolin gondonym)
(flame hacktic replay)
(alumni portal)
(vishnu spook wmono)

Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too.

Note: The remailer list now includes information for the alpha nymserver.

Last update: Mon 29 Jan 96 6:45:43 PST

remailer  email address                      history       latency  uptime
-----------------------------------------------------------------------
nymrod    nymrod at nym.alias.net            *+***+*         10:20  99.99%
pamphlet  pamphlet at idiom.com              +-++++++++++    44:43  99.99%
ecafe     cpunk at remail.ecafe.org          #####*###*##     6:24  99.98%
c2        remail at c2.org                   +**+********    16:42  99.96%
flame     remailer at flame.alias.net        ++-++++--+++  2:20:51  99.96%
ford      remailer at bi-node.zerberus.de    -+___.-+--++ 13:18:57  99.96%
tjava     remailer at tjava.com              ** ###-*####     3:55  99.94%
alpha     alias at alpha.c2.org              #**** ******     3:33  99.89%
mix       mixmaster at remail.obscura.com    -------++-+   1:34:41  99.83%
alumni    hal at alumni.caltech.edu          *#+ *+*+-+##    17:44  99.82%
portal    hfinney at shell.portal.com        *## # #*#+*#     2:10  99.72%
hroller   hroller at c2.org                  ############      :31  99.53%
penet     anon at anon.penet.fi              .__--.._ .-  27:57:50  97.03%
shinobi   remailer at shinobi.alias.net      + #+### ####  2:06:45  94.21%
extropia  remail at extropia.wimsey.com      ...-_.-_.    24:28:54  92.68%
rahul     homer at rahul.net                 *+***--** ##    17:20  99.69%
vishnu    mixmaster at vishnu.alias.net      +**** +*+*      14:48  83.47%
replay    remailer at replay.com             **               6:00  56.93%
hacktic   remailer at utopia.hacktic.nl      **               8:12  55.13%
bsu-cs    nowhere at bsu-cs.bsu.edu          *                8:49   8.99%

History key
* # response in less than 5 minutes.
* * response in less than 1 hour.
* + response in less than 4 hours.
* - response in less than 24 hours.
* . response in more than 1 day.
* _ response came back too late (more than 2 days).

cpunk
    A major class of remailers. Supports Request-Remailing-To: field.
eric
    A variant of the cpunk style. Uses Anon-Send-To: instead.
penet
    The third class of remailers (at least for right now). Uses X-Anon-To: in the header.
pgp
    Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID.
hash
    Supports ## pasting, so anything can be put into the headers of outgoing messages.
ksub
    Remailer always kills subject header, even in non-pgp mode.
nsub
    Remailer always preserves subject header, even in pgp mode.
latent
    Supports Matt Ghio's Latent-Time: option.
cut
    Supports Matt Ghio's Cutmarks: option.
post
    Post to Usenet using Post-To: or Anon-Post-To: header.
ek
    Encrypt responses in reply blocks using Encrypt-Key: header.
special
    Accepts only pgp encrypted messages.
mix
    Can accept messages in Mixmaster format.
reord
    Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself.
mon
    Remailer has been known to monitor contents of private email.
filter
    Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering.

Raph Levien

From frantic at worldnet.net Mon Jan 29 07:26:58 1996 From: frantic at worldnet.net (Anthony C. Zboralski) Date: Mon, 29 Jan 1996 23:26:58 +0800 Subject: pgp on linux In-Reply-To: <199601290513.FAA30591@pangaea.hypereality.co.uk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Mon, 29 Jan 1996, ECafe Anonymous Remailer wrote: > i can't seem to get pgp compiled on my linux machine. where should i ask > about this?- since cypherpunks would be a bad choice. thanks. > get 2.6.3i it compiles straight out of the box ____ \ /__ Anthony C.
Zboralski \/ / \/ Finger for PGP Public Key From adam at lighthouse.homeport.org Mon Jan 29 07:54:15 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Mon, 29 Jan 1996 23:54:15 +0800 Subject: Netscape, CAs, and Verisign In-Reply-To: <310C6C1D.5A0@netscape.com> Message-ID: <199601291523.KAA03337@homeport.org> Jeff Weinstein wrote: | > | > The problem is simple enough: sites with certificates from one of the CAs | > that are preconfigured in Netscape have a tremendous advantage over sites | > with certs from other CAs, and it's expensive and difficult to get a cert | > if you're running an alternative server like ApacheSSL. [...] | > Netscape needs to address the situation. It's just not practical or | > desireable for one company (Verisign) to have a stranglehold on | > certificates. Its unfortunate that Jeff speaks only for himself when he wrote the following. I'd very much like to hear Netscape speaking as Netscape announce that a policy for CAs is forthcoming. Adam | I agree with what you are saying. I very much want to see real competition | in the certificate issuing business. We are in the process of developing | a set of criteria that CAs have to meet in order to be included in the | "default" list of CAs that our products support. The criteria focus | on assuring support for our customers more than trying to specify a | particular policy. The criteria will include things like required | minimum response times for customer problems, compliance with an | interoperability spec, publishing of policies, etc. Some time in | the next few months these criteria will be made public, and that | should allow for open competition.
[much elided] | -- | Jeff Weinstein - Electronic Munitions Specialist | Any opinions expressed above are mine. -- "It is seldom that liberty of any kind is lost all at once." -Hume From jamesd at echeque.com Mon Jan 29 07:55:26 1996 From: jamesd at echeque.com (James A. Donald) Date: Mon, 29 Jan 1996 23:55:26 +0800 Subject: "German service cuts Net access" (to Santa Cruz) Message-ID: <199601291519.HAA21441@mailx.best.com> At 09:43 PM 1/28/96 MET, Olmur wrote: >The difference is, that the German government was not ordering this >block. German prosecutors are sending intimidating messages to various ISPs. Some ISPs are more easily intimidated than others. The messages fall short of saying "You will be prosecuted if you do not obey", but they do say "You may be prosecuted if you do not obey." --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jamesd at echeque.com Mon Jan 29 08:02:02 1996 From: jamesd at echeque.com (James A. Donald) Date: Tue, 30 Jan 1996 00:02:02 +0800 Subject: "German service cuts Net access" (to Santa Cruz) Message-ID: <199601291519.HAA21463@mailx.best.com> At 06:08 PM 1/28/96 -0800, sameer wrote: > When I worked for Walnut Creek CDROM they had to remove > "Castle Wolfenstein" from one of their CDs because they wouldn't have > been able to ship to Germany if they didn't. In "Castle Wolfenstein" you run around shooting Nazis, just as in "Doom" you run around shooting demons. And similarly Zundel is not a Nazi, he is an anti fascist. Hmm, these "Anti nazi laws" look suspicious like pro Nazi laws. Seems that the government of Germany is primarily concerned about their own hurt feelings, and to hell with the hurt feeling of the Jews. 
> >-- >Sameer Parekh Voice: 510-601-9777x3 >Community ConneXion, Inc. FAX: 510-601-9734 >The Internet Privacy Provider Dialin: 510-658-6376 >http://www.c2.org/ (or login as "guest") sameer at c2.org > > --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jamesd at echeque.com Mon Jan 29 08:16:45 1996 From: jamesd at echeque.com (James A. Donald) Date: Tue, 30 Jan 1996 00:16:45 +0800 Subject: "German service cuts Net access" (to Santa Cruz) Message-ID: <199601291553.HAA24185@mailx.best.com> At 01:04 AM 1/29/96 -0500, Declan B. McCullagh wrote: >You're actually quoting from an inspired bit of trolling. See my recent >message: "Ernst Zundel impersonator on Usenet" Oops: I guess I should read *all* my cypherpunks mail before I start sending off stuff. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From wlkngowl at unix.asb.com Mon Jan 29 08:31:13 1996 From: wlkngowl at unix.asb.com (Mutatis Mutantdis) Date: Tue, 30 Jan 1996 00:31:13 +0800 Subject: CP LITE: A Censorship Device? Message-ID: <199601291616.LAA08581@UNiX.asb.com> I think the mail-to-news gateway is better than a "lite" list at this point. On Sun, 28 Jan 1996 03:54:31 -0600, Carol Anne wrote: >I've been watching this CP Lite thing develop. >Sounds like an attempt to moderate the list. >I mean it's easy to post out of it, >but hard to answer to it. >And all of the good back and forth discussion >gets lost in a backwash of private email. 
>There is just no way I will send someone an >email to a posting they post out of there. >I think that would be a disservice to everyone here. >Love Always, >Carol Anne >-- >Member Internet Society - Certified BETSI Programmer - Webmistress >*********************************************************************** >Carol Anne Braddock (cab8) carolann at censored.org 206.42.112.96 >My Homepage >The Cyberdoc >*********************************************************************** >------------------ PGP.ZIP Part [017/713] ------------------- >M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M >MF=O0H+*%(-S%&>S%+FS&MPGD------------------------------------------------------------- >for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From wlkngowl at unix.asb.com Mon Jan 29 08:38:16 1996 From: wlkngowl at unix.asb.com (Mutatis Mutantdis) Date: Tue, 30 Jan 1996 00:38:16 +0800 Subject: Downsizing the NSA Message-ID: <199601291613.LAA08537@UNiX.asb.com> On Sun, 28 Jan 1996 02:04:52 -0800, Tim wrote: [..] >However, as Phill notes, the NSA and other intelligence agencies are now in >that most dangerous of positions: a powerful agency or department casting >about for something to do. >Spying on citizens and keeping the keys to their private communications and >diaries is not an appropriate option. >AT&T is downsizing, IBM downsized a while back, so why couldn't the NSA >just do the right thing: admit that the Soviet threat is no more, >congratulate the victors, and downsize by 20,000 employees? Perhaps they are worried about the implications of putting thousands of cryptographers into the private sector? And what if you were one of them? You'd probably have a hard time using or publishing anything classified. Not to mention the usual governmental conflict-of-interest work rules (for low-level employees the standards of who you can work for after leaving the government is a lot stricter than if you were a cabinet member). Just a thought. 
From fc at all.net Mon Jan 29 09:00:56 1996 From: fc at all.net (Fred Cohen) Date: Tue, 30 Jan 1996 01:00:56 +0800 Subject: Slip over non-slip ports Message-ID: <9601291630.AA28754@all.net> (please respond directly to fc at all.net and not to the list) I am looking for a way to run slip over a telnet connection on a local Ethernet. Does anyone know of any freely available software that allows me to start a SLIP connection over a telnet channel? -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From nobody at REPLAY.COM Mon Jan 29 09:09:11 1996 From: nobody at REPLAY.COM (Anonymous) Date: Tue, 30 Jan 1996 01:09:11 +0800 Subject: No Subject Message-ID: <199601291410.PAA21711@utopia.hacktic.nl> -----BEGIN PGP SIGNED MESSAGE----- Of course. My signature was bad. I got a message in response to a request I made to someone for their public key. I wanted to check the signatures that they included with their posts to cypherpunks, but their key was not on the keyservers. The key they included was completely unsigned, and when I use it to validate their previous posts as well as the message they sent which included the key, the signatures come back as bad, the contents of the file changed. Names are appropriately withheld (I hope). As I understand the bcc: definition, only I and the first smtp server this message hits should know who it's to. I don't know if anyone else reading this mailing list needs this info, but just in case... here's my reply to the message. At 10:03 PM 1/28/96 -0800, you wrote: >Sorry, I'm a newbie to Internet, and also the Internet usage of PGP. I just >participated in a local keysigning meeting, so maybe my key will find its >way to a server. Don't worry about being a 'newbie'. Everyone starts somewhere. However, your key will usually not 'find its way' to a server without you specifically sending it. 
The keyserver I usually use is accessed by sending a mail message which fits the following format. As far as I know, all the keyservers use this format to add or update keys in their databases. You only have to send it to one keyserver, and it will propagate to all the others. I have indented the text so that no handlers decide to interpret it as a new message.

- - To: pgp-public-keys at pgp.iastate.edu
- - Subject: ADD
- -
- - -----BEGIN PGP PUBLIC KEY BLOCK-----
- - Version: 2.6.2
- -
- - [key deleted to protect the innocent]
- -
- - -----END PGP PUBLIC KEY BLOCK-----

>I'm sorry to have to admit that I don't even know how to do this! Newbie
>alert!

If you don't admit you don't know something, nobody will usually tell you how to do it. Also, you should sign your own key. That will make it harder to forge, I think. The reasons were spelled out in a couple of the web pages I read, but I've forgotten them. It has something to do with either a denial of service attack or a man in the middle attack, or both. The command to do this is:

pgp -ks 0xHEXKEYID

Honestly, I've only just begun to use pgp myself. Also, you should add your e-mail address to the user-id of your key. The command to do so is:

pgp -ke 0xHEXKEYID

You will be asked if you wish to add a user id to the key. Say yes, and give it your e-mail address. What this does is it allows people who are using pgp-enabled mailers to directly encrypt messages to you without choosing your key manually.

The reason that I have not encrypted this message to you using the key you provided is that when I extracted the key and re-checked your message, the signature was no good. I've found that (using eudora) I must turn off the word wrap feature of my mailer to allow for good signed messages out. Of course, having said this, I'll probably not get a good signature on this message. Let me know if it signs ok.

Now, I have a question.
Which attack(s) is/are a person vulnerable to when distributing an unsigned public key in the open? Could this actually be a complex man-in-the-middle attack? Am I paranoid? -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMQzROLTS4SjerN/RAQGLNwP8DMXP1BLdeygfEaBF//lYZHkxWGFaFx9L R59KJQ/VaYVU/Q17bFDhXyCztu2IRlzLhBqno+5uHsZTL01M3D1dyXGDBvlxY+FB kNaClKzeXYqA3Or7Ny2mcgyZW/bGXA6v3Z+RQgDuVrXsJz5wGP/UxBU3Ppr05+qL i+5KB2efLxA= =iXlS -----END PGP SIGNATURE----- From jya at pipeline.com Mon Jan 29 09:33:59 1996 From: jya at pipeline.com (John Young) Date: Tue, 30 Jan 1996 01:33:59 +0800 Subject: The Politics of Mistrust 2 Message-ID: <199601291707.MAA18495@pipe4.nyc.pipeline.com> Thanks to Replay, The Washington Post series on "The Politics of Mistrust" simmers at: http://www.replay.com/young/ Today's second article of six is, "Who's in Control? Many Don't Know or Care." Politics is "a waste of my time. They're cutting each other down, just playing childish games. It's confusing nonsense, like two little kids on a schoolyard," says Temera Porter, a computer chip inspector in Beaverton, Oregon. "When I voted last I wrote in that George Carlin should be president, I really did." A sidekick report tells of Rush's 20m dittoheads' wishes to rid DC of George Carlin's Who's, fuck, shit ... From jimbell at pacifier.com Mon Jan 29 09:56:30 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 30 Jan 1996 01:56:30 +0800 Subject: more RANTING about NSA-friendly cpunks Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 07:58 PM 1/29/96 +0800, Bruce Murphy wrote: >In message <199601282104.NAA10926 at netcom3.netcom.com>, > "Vladimir Z. Nuri" wrote: >> >> >In message <199601262011.MAA17408 at netcom16.netcom.com>, >> > "Vladimir Z. Nuri" wrote: >> >> >> >> has anyone *tried* just ignoring the ITAR wrt crypto and seeing what >> >> would happen? 
the gubbermint blindly thinks that cyberspace will >> >> inevitably bring the wrath of four horsemen of the infocalypse, but aren't >{snip} >> > >> >Zimmerman. >> >{snip} >> Zimmermann supports my contention, as I wrote in the post. NOTHING >> happened to him. it is conceivable this same result could have >> been arrived at (government drops investigation) if he never even >> hired a lawyer. >> >> Zimmermann is a perfect example of what may be counterproductive >> hysteria on *our* side, toward advancing crypto. if Zimmermann >> cannot be prosecuted, and is not prosecuted, where are the ITAR "teeth"??? >> > >Nod. You may have a point there... > >I'll tell you what, seeing as I *can't* export cryptostuff against >ITAR, what say *you* do it. Lots of it. And if nothing happens to you, >well and good. >OTOH the cause needs a few martyrs. >Packrat (BSc/BE;COSO;Wombat Admin) Packrat, I agree with the (likely) implications of your (tongue-in-cheek?) commentary. The fact that "nothing happened to Zimmermann" is scant hope to us. If ITAR is causing cryptosystems to not be built, merely due to FUD (fear, uncertainty, and doubt) then it is actively harming us. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMQz8y/qHVDBboB2dAQGmRwP/YJPpzwQ4pZU3QZcSNNzKSz2kOEml1a9x nV8wWDj019NLrPE0u1sKhsSkDu8QYeaAtSr3NnSMTK+DlLkuV7SKyXg6k/Pk3uWL xqEmWNCM8+rTXyP2FuflD3w+HCe0oCRt2AzmclzUwlalTP2gY2bfKeAAawCdubST FKZFFdlWNG0= =Is7T -----END PGP SIGNATURE----- From cardo at well.com Mon Jan 29 10:01:13 1996 From: cardo at well.com (Richard Clark) Date: Tue, 30 Jan 1996 02:01:13 +0800 Subject: Decrypting the "MIG Group" In-Reply-To: Message-ID: Jim, thanks very much for that news item. I will post it on the WELL. Richard Clark On Mon, 29 Jan 1996, James M. 
Cobb wrote: > > > Friend, > > > A 01 29 96 Electronic Telegraph newsstory > ----------------------------------------- > > Riddle of spooks in the White House > > BY AMBROSE EVANS-PRITCHARD > > reports: > > Official logs kept by the US secret service...indicate that > a top White House aide, Patsy Thomasson, met a team of secret > service technicians at her office on the night of Mr Foster's > death. > > > Evans-Pritchard writes: > > ...logs kept by Secret Service staff at the White House --pub- > lished in Senate documents on the death of Mr Foster-- show that > a so-called "MIG Group" was checked into offices occupied by > Miss Thomasson and her boss, David Watkins...at 7.10 pm on July > 20, 1993. > > Miss Thomasson was the only member of the White House staff log- > ged into the office at the time. She checked out at the same > time as the "MIG Group" at 7.44 pm.... > > > E-P inquired about MIG, but-- > > The press spokesman for the Secret Service at first said that > he had not heard of the acronym "MIG". > > The next day he changed his account, saying that the "MIG Group" > was a team of Secret Service technicians that had gone to Miss > Thomasson's office that night to conduct a routine alarm check. > He said he could not divulge what the acronym MIG stood for be- > cause the unit was secret. > > > However, > > Intelligence sources have told The Sunday Telegraph that "MIG" > stands for "military intelligence group". MIG groups are typi- > cally known as Technical Services Counter-Measure teams (TSCMs), > highly classified units that handle high-tech counter-espionage. > Their duties, for example, include sweeping for bugs at the > White House. > > Sources say that the high-tech counter-espionage staff at the > White House are controlled and operated by the Federal Emergency > Management Agency, known as FEMA. This agency...has enormous > power and can draw freely on the capabilities of the CIA, the > FBI, and the Pentagon. 
> > > E-P concludes: > > ...[The logs] add to the growing weight of evidence that a tiny > group at the White House was tipped off early about Foster's > death, long before the official notification at 8.30 pm. It > would have provided a window of at least an hour to cover things > up before anybody was alerted. > > If so, America is facing a White House scandal that is every bit > as serious and nasty as Watergate. > > > The Electronic Telegraph can be accessed at: > > http://www.telegraph.co.uk > > > The newsstory is under World News. Its online filename is wamby- > 27.html. > > > Cordially, > > Jim > > > > From tcmay at got.net Mon Jan 29 10:09:40 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 30 Jan 1996 02:09:40 +0800 Subject: "Radio Free Cyberspace" and the "Silicon Curtain" Message-ID: At 12:25 PM 1/29/96, Dr. Dimitri Vulis wrote: >So, develop the tools to make the (illegal) flow of information easier and >the prosecution more difficult. E.g., the former Soviet Union couldn't stop >its people from listening to Western propaganda on short-wave radio, >although it was illegal, and more repressive governments did confiscate all >short-wave radios in the past. If I were a PR sort of person, and interested in funding a "liberation channel" into the countries behind the "Silicon Curtain," I'd think about a catchy name for the program. Not radio, of course, just a nod to the olden days of "Radio Free Europe" and "Voice of America" (which was, unfortunately, partly staffed by former members of the Mobile Killing Squads which rounded up Russian Jews). --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. 
May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jya at pipeline.com Mon Jan 29 10:21:11 1996 From: jya at pipeline.com (John Young) Date: Tue, 30 Jan 1996 02:21:11 +0800 Subject: DRE_ams Message-ID: <199601291753.MAA14813@pipe2.nyc.pipeline.com> 1-29-96. WSJ: "MCI, Microsoft Form Partnership to Sell Each Other's Products World-Wide." 1-29-96. FinTim: "News and MCI put their money on DBS." Includes proposal that Microsoft distribute by MCI satellite for pennies rather than for dollars by wire. 1-29-96. WSJ: "Sun to Unveil Prototype of Low-Cost PC for Internet That Uses Java Language." Java as OS and browser, sidestepping MS and NSCP. DRE_ams (for the 3) From stewarts at ix.netcom.com Mon Jan 29 10:35:53 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Tue, 30 Jan 1996 02:35:53 +0800 Subject: "German service cuts Net access" (to Santa Cruz) Message-ID: <199601291021.CAA17319@ix10.ix.netcom.com> At 09:54 PM 1/27/96 -0800, shamrock at netcom.com (Lucky Green) wrote: >Wonder how long before they will include gereral purpose proxies in the >proposed ban. >We should start a "banned websites pool". If a site gets banned, the >controversial content will be mirrored at all other sites. There are enough >ISPs on this list to make that happen. Will they have the courage? If I were running an ISP, I wouldn't go providing free host space for a mirror of Nazi files just because they'd been banned (and an obvious scan is to go claiming you've been banned just to get free space.) On the other hand, an HTTP relay site would be a highly reasonable service, perhaps with NNTP relaying as well. 
#-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # http://www.idiom.com/~wcs From jimbell at pacifier.com Mon Jan 29 10:36:23 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 30 Jan 1996 02:36:23 +0800 Subject: Over-reacting? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 11:22 PM 1/28/96 -0800, Alan Olsen wrote: >The reason for the killfiling is your habit of adding multiple additional >mailing list into the To: and cc: list. I have seen more than one post >where you have added a Libritarian list and the "Democracy Now Channel 2' >list into the fray, not to mention other individuals. THAT is why you are >getting the golden killfile, not your association with Jack "Acid" Hammer. >(Though that may help...) Hmmm.. It's odd that nobody has ever warned me of this before. (Another spoof?) That's why I'm using the term, "over-reacting." -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMQyDUvqHVDBboB2dAQFduAQAlas9DMaiatiYd51WKepEzLGPBWl4I9+2 FNOUzoQoy3OQ+wdk7lT1FFqvrDqSqviIj8MZ6j7/7ENO55W6D8AiN2fFXBbd3iY5 7krA13rTlx6N8ztvqE2+QY0/0RMtHZV6mLOR0SdbedOahUMc6/8qxF1auvJTxtJq 5qU3zS+71IQ= =9edM -----END PGP SIGNATURE----- From jya at pipeline.com Mon Jan 29 10:41:11 1996 From: jya at pipeline.com (John Young) Date: Tue, 30 Jan 1996 02:41:11 +0800 Subject: BAI_bcg Message-ID: <199601291800.NAA15796@pipe2.nyc.pipeline.com> 1-29-96. FinTim: "High street dinosaurs wake up. Online prospects are making the banking industry restive." Covers a new Bank Administration Institute/Boston Consulting Group report, "The Information Highway and Retail Banking." BAI_bcg ----- An FT reviewer of the KDM/TSU books writes that "Littman reveals how little divides the sheriffs of cyberspace from its outlaws. Shimomura resembles Mitnick more than he would like to admit. 
The big difference is that the computer expert on the right side of the law becomes a media celebrity, earns consultancy fees telling companies how to defend themselves, and has others pay his expenses and buy his equipment. The expert who does not inhabits a prison cell with six other men, and is reduced to writing pleas for help with a stub pencil." From frissell at panix.com Mon Jan 29 10:42:37 1996 From: frissell at panix.com (Duncan Frissell) Date: Tue, 30 Jan 1996 02:42:37 +0800 Subject: The French do some things right... Message-ID: <2.2.32.19960129105209.00995504@panix.com> At 09:01 PM 1/26/96 -0800, Timothy C. May wrote: >One thing I have been hoping for as America's scandal-fixated society asks >whether Bill inhaled, whether Rush has a mistress, whether Madonna's >grandmother is really shacked up with a 19-year-old musician...one thing I >have been hoping for is that the American public will say "Enough!" This is one I've never worried about. As I look around at work and see the disordered personal lives and body piercings of my fellow workers, it is obvious that the amount of that sort of social control that is being applied is way down. And since fewer and fewer of us will have to (be able to) work for large soulless bureaucracies as these things are ruthlessly downsized by the market, we will have much greater choice of employers. One would have to be really way out on one of the unfortunate tails of a bell curve distribution to be unable to find someone to work with. DCF From tcmay at got.net Mon Jan 29 10:48:22 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 30 Jan 1996 02:48:22 +0800 Subject: The Lotus Position Message-ID: <310cf5ba.idoc@idoc.idoc.ie> At 4:03 AM 1/20/96, Bill Stewart wrote: >40-unknown-bit RC4 may take a week for an ICE workstation or a herd of >net-coordinated workstations, but it would be much faster to crack on >a specialized machine actually designed for RC4.
I think Eric's estimate >was $25-50K for a machine that could do it in 15 minutes, built out of >programmable gate arrays. That's not $10,000/crack, or $584, but $0.25-.50. >Would they crack all the keys they wanted for a quarter each? Sure; >at that rate it's probably cheaper to crack them than read them >(though in reality they'd feed most of them to keyword scanners.) I take it as self-evidently true that NSA would spend the relatively small amount of money to build a dedicated key cracker...probably at least several for each major cipher. "In this room, where we used to have the famed acre of Crays, now we have tenth of an acre of superfast custom key crackers." (Yes, I know the Crays are used for other things besides key cracking. In fact, their main use probably is not for cryptanalysis. Also, I'm not talking about cracking ciphers that are essentially uncrackable with any amount of compute power, I'm talking about cracking specific instances of ciphers with NSA-approved key lengths.) To consider just how _cheap_ such a dedicated machine is to them, consider that in the late 50s and early 60s they built the "Harvest" machine, in conjunction with IBM and based to some extent on IBM's "Stretch" machine, as I recall. (Bamford has a bunch of stuff on it, and our own Norm Hardy worked on it for IBM in the early 60s...he gave a good talk at a Cypherpunks meeting on how big it was, how much it cost, its capabilities, etc.) The Harvest machine, and its ancillary units, such as the world's largest and fastest tractor tape drive, cost something like $100 million in today's dollars, according to Norm and others. And Harvest was still running in 1975-6, when it was finally replaced by the Cray 1. NSA also funded the early efforts that later became Control Data Corporation (CDC), and NSA was a major customer of Seymour Cray's CDC 6600, and the later 7600 (and maybe even the ill-fated Star). NSA and AEC were also the early customers for the Cray-1, of course.
This gives you some feel for what kind of expenditures "the Fort" is prepared to make when it sees the need. And the black budgets of other intelligence agencies, as described in Richelson's excellent books and other books (such as "Deep Black," an unauthorized history of the National Reconnaissance Organization), can only be described as "stupefyingly large." A surveillance satellite can run upwards of $1.5 billion, so spending a tiny fraction of that to decrypt what you've sniffed out of the airwaves is a gimme. The deep black budget is estimated to be something like $25 billion a year. Recall that the Wiretap Bill _alone_ provided for up to $500 million for compliance measures. Clearly the FBI somehow view their surveillance capabilities as being worth at least this much to them, and probably a lot more. Throw in the budgets for the DEA, IRS, FinCen, FBI, BATF, and all the other agencies fighting the Four Horsemen and the citizen-units who stray outside the drawn lines, and it's clear that NSA could budget several hundred million dollars *each and every year* for breaking its "approved ciphers." Like many, I take it for granted that 40-bit RC4 can be broken for "small change." Moreover, my guess is that foreign traffic is routinely cracked if it is encrypted. After all, it's the encrypted traffic that is likeliest to be interesting. (Sure, some dumbos like Pablo Escobar speak in the clear on cellphones, but the correlation is definitely in the direction of encrypted traffic being likelier than unencrypted traffic to contain interesting stuff. This will become even more the case as more people become educated and as crypto gets built into more things...this is the intelligence and law enforcement communities' worse nightmare.) A $25,000 machine. 4 cracks per hour, 100 per day, and 36,000 per year. 
Running for an active life of several years (before being replaced, of course, by something several times faster/cheaper), there you have the $0.25 per crack that Bill cites above. Even at 100 times this estimate, it's cheap. (Not for random vacuuming, but for anything targetted, even casually.) And think of what just a few percent of the "Harvest" budget buys you: 100 of these machines. Several million cracks per year. And from these cracks, think of the correlations, the contact lists, and the further targetting that can be done. [Sidebar: One thing that bothers me about any of these LEAF-related schemes--and I don't know if and how the Lotus scheme checks both ends for compliance, etc.--is that they are fundamentally at odds with remailers which hide the origin. If remailers are allowed to continue to exist, schemes involving LEAF fields won't work. Unless I've forgotten how these things work in the couple of years since I last looked at Clipper et. al. in depth. So, I expect a move against remailers as part of the campaign. And with no remailers, if this could ever be enforced, the ability to make contact lists based on random decryption is frightening.] Back to their 100 machines.... My guess is that they haven't even bothered to buy this many machines, that the intelligence they get from a few tens of thousands of cracks is more than enough to point to further leads, to trigger additional HUMINT, etc. But even if the estimates are off by orders of magnitude, we know that a 40-bit RC4 can be cracked in ~hours with ~hundreds of Sun-class machines. (Personally, I think it obvious the NSA has at least speeded up this work factor by at least a factor of ten.) This is also essentially a minor consideration compared to the amount of work done in ordinary wiretaps. And in a few years, 40-bit RC4 will be even more ludicrously weak. The Lotus position is untenable. --Tim May Boycott espionage-enabled software! 
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From pecampbe at mtu.edu Mon Jan 29 11:22:32 1996
From: pecampbe at mtu.edu (Paul E. Campbell)
Date: Tue, 30 Jan 1996 03:22:32 +0800
Subject: Revisiting Blum-Micali "digital signatures"
Message-ID: <199601291842.NAA27974@metlab1.my.mtu.edu>

There was some discussion on Usenet a while back about doing "digital signatures" with the Blum-Micali public key method.

Briefly, Blum-Micali relies on the BBS generator to generate a "one-time pad". And the pad can be reversed by taking repeated square roots on the random number seed (assuming you know the factorization) to get back to the starting seed.

So, the author suggested that one calculate a digest of the message, call it D. Then the author suggested that one calculate D^(1/2), as per the Blum-Micali method. Then he goes on to do the signature check by checking whether or not D^2 == X^4 where X is the "signature".

I understand that there is some sign ambiguity involved in calculating square roots mod B where B is a Blum integer (that causes 4 possible roots). And that's the source of ambiguity problems in Rabin digital signatures, but if the Blum-Micali public key method works, then this sign ambiguity shouldn't exist (because they define a SPECIFIC root to use), and the method can be simplified to simply calculating D^(1/2) and the check is simply D==X^2.

What am I missing here?
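
An added example, not part of the original post or of any scheme's published code: it works the question above through on a toy Blum integer, showing that the "specific root" exists only for the quarter of values that are quadratic residues, so X = D^(1/2) checked with D == X^2 cannot sign most digests, while the D^2 == X^4 check accepts a root for every digest. The primes 499 and 547 and all function names are constructed for illustration, and digests are treated as plain integers below N.

```python
"""Square-root signatures modulo a Blum integer: which digests have a root,
and what the X^2 == D and X^4 == D^2 checks each accept. Toy key only."""
from math import gcd

# Constructed toy key (an assumption, far too small for real use): both
# primes are 3 mod 4, so N = P*Q is a Blum integer.
P, Q = 499, 547
N = P * Q


def is_qr(a, p):
    """Euler's criterion: is a a nonzero quadratic residue modulo prime p?"""
    return pow(a % p, (p - 1) // 2, p) == 1


def is_qr_mod_n(a):
    """a has a square root mod N only if it is a residue mod P and mod Q."""
    return is_qr(a, P) and is_qr(a, Q)


def principal_sqrt(a):
    """Return the one square root of a (mod N) that is itself a residue.

    This is the specific root a squaring generator walks back through. It
    exists only when a is a residue, and finding it needs P and Q.
    """
    if not is_qr_mod_n(a):
        raise ValueError("not a quadratic residue mod N: no square root")
    # For p = 3 (mod 4), a^((p+1)/4) is the root mod p that is a residue.
    rp = pow(a, (P + 1) // 4, P)
    rq = pow(a, (Q + 1) // 4, Q)
    # Chinese remainder theorem: combine the two roots into one mod N.
    return (rp + P * ((rq - rp) * pow(P, -1, Q) % Q)) % N


def sign_simple(d):
    """Simplified scheme: X = D^(1/2). Raises unless D is a residue."""
    return principal_sqrt(d % N)


def verify_simple(d, x):
    """Simplified check: D == X^2 (mod N)."""
    return pow(x, 2, N) == d % N


def sign_fourth(d):
    """Scheme as described: X = (D^2)^(1/4). D^2 is always a residue."""
    return principal_sqrt(principal_sqrt(pow(d, 2, N)))


def verify_fourth(d, x):
    """Check as described: D^2 == X^4 (mod N)."""
    return pow(x, 4, N) == pow(d, 2, N)


def safe_to_release(d, x):
    """Signer-side check that X^2 is D or -D.

    Any other square root of D^2 agrees with D modulo only one of the
    primes, so publishing it would give away a factor of N.
    """
    return gcd(pow(x, 2, N) - d, N) in (1, N)


def count_signable():
    """Count digest values in 1..N-1 that the simplified scheme can sign."""
    return sum(1 for d in range(1, N) if is_qr_mod_n(d))


if __name__ == "__main__":
    print(f"signable by X = D^(1/2): {count_signable()} of {N - 1} values")
    for d in (4, N - 4, 2, 3, 5, 6, 7):  # constructed sample digests
        x = sign_fourth(d)
        print(d, "residue" if is_qr_mod_n(d) else "non-residue",
              "| X^4==D^2:", verify_fourth(d, x),
              "| X^2==D:", verify_simple(d, x),
              "| safe to release:", safe_to_release(d, x))
```

Rabin-type signature schemes deal with this by formatting or padding the digest so that the value actually signed is always a residue, rather than by loosening the verification equation.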
From unicorn at schloss.li Mon Jan 29 11:29:10 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 30 Jan 1996 03:29:10 +0800 Subject: CP LITE: A Censorship Device? In-Reply-To: <199601280956.CAA19572@usr2.primenet.com> Message-ID: On Sun, 28 Jan 1996, Censored Girls Anonymous wrote: > I've been watching this CP Lite thing develop. [...] > There is just no way I will send someone an > email to a posting they post out of there. WOW! Sign me up immediately! > Love Always, > > Carol Anne > -- [...] --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From cpunk at remail.ecafe.org Mon Jan 29 11:50:31 1996 From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) Date: Tue, 30 Jan 1996 03:50:31 +0800 Subject: pgp on linux Message-ID: <199601290513.FAA30591@pangaea.hypereality.co.uk> i can't seem to get pgp compiled on my linux machine. where should i ask about this?- since cypherpunks would be a bad choice. thanks. From trei at process.com Mon Jan 29 11:52:38 1996 From: trei at process.com (Peter Trei) Date: Tue, 30 Jan 1996 03:52:38 +0800 Subject: Escrowing Viewing and Reading Habits with the Governmen Message-ID: <9601291905.AA20307@toad.com> > Date: Sun, 28 Jan 96 21:05:08 > From: > Subject: Re: Escrowing Viewing and Reading Habits with the Government > To: "roy m. silvernail" > Cc: "timothy c. may" , cypherpunks at toad.com > > > The "Library Awareness Program," administered by the Justice Department, is > > > designed to identify potential criminals before they have a chance to > > > commit their deeds. The visits to libraries made by the FBI are used to > > > determine who is reading subversive or dangerous material. 
> Do you really think the FBI believes that asking librarians to keep > records of customer usage is an efficient way to read the customers' minds? > Do you really think that the FBI foreign counter-intelligence squad has > nothing better to do than keep a database of who is reading Che Guevara > memoirs? Yes. Heck, I remember this was a big issue about 15 years ago. Try asking someone who was active in library science in the late 70's, early 80's. The general reaction of the library community was, I am glad to say, entirely pro-privacy. Peter Trei trei at process.com From teddygee at visi.net Mon Jan 29 11:56:05 1996 From: teddygee at visi.net (Ted Garrett) Date: Tue, 30 Jan 1996 03:56:05 +0800 Subject: Here's how you put your key on the keyservers... Message-ID: <2.2.32.19960129123934.006abc88@mail.visi.net> -----BEGIN PGP SIGNED MESSAGE----- I got a message in response to a request I made to someone for their public key. I wanted to check the signatures that they included with their posts to cypherpunks, but their key was not on the keyservers. The key they included was completely unsigned, and when I use it to validate their previous posts as well as the message they sent which included the key, the signatures come back as bad, the contents of the file changed. Names are appropriately withheld (I hope). As I understand the bcc: definition, only I and the first smtp server this message hits should know who it's to. I don't know if anyone else reading this mailing list needs this info, but just in case... here's my reply to the message. At 10:03 PM 1/28/96 -0800, you wrote: >Sorry, I'm a newbie to Internet, and also the Internet usage of PGP. I just >participated in a local keysigning meeting, so maybe my key will find its >way to a server. Don't worry about being a 'newbie'. Everyone starts somewhere. However, your key will usually not 'find its way' to a server without you specifically sending it.
The keyserver I usually use is accessed by sending a mail message which fits the following format. As far as I know, all the keyservers use this format to add or update keys in their databases. You only have to send it to one keyserver, and it will propagate to all the others. I have indented the text so that no handlers decide to interpret it as a new message. - - To: pgp-public-keys at pgp.iastate.edu - - Subject: ADD - - - - -----BEGIN PGP PUBLIC KEY BLOCK----- - - Version: 2.6.2 - - - - [key deleted to protect the innocent] - - - - -----END PGP PUBLIC KEY BLOCK----- >I'm sorry to have to admit that I don't even know how to do this! Newbie >alert! If you don't admit you don't know something, nobody will usually tell you how to do it. Also, you should sign your own key. That will make it harder to forge, I think. The reasons were spelled out in a couple of the web pages I read, but I've forgotten them. It has something to do with either a denial of service attack or a man in the middle attack, or both. The command to do this is: pgp -ks 0xHEXKEYID Honestly, I've only just begun to use pgp myself. Also, you should add your e-mail address to the user-id of your key. The command to do so is: pgp -ke 0xHEXKEYID You will be asked if you wish to add a user id to the key. Say yes, and give it your e-mail address. What this does is it allows people who are using pgp-enabled mailers to directly encrypt messages to you without choosing your key manually. The reason that I have not encrypted this message to you using the key you provided is that when I extracted the key and re-checked your message, the signature was no good. I've found that (using eudora) I must turn off the word wrap feature of my mailer to allow for good signed messages out. Of course, having said this, I'll probably not get a good signature on this message. Let me know if it signs ok. Now, I have a question. 
Which attack(s) is/are a person vulnerable to when distributing an unsigned public key in the open? Could this actually be a complex man-in-the-middle attack? Am I paranoid? -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- From bruceab at teleport.com Mon Jan 29 11:57:56 1996 From: bruceab at teleport.com (Bruce Baugh) Date: Tue, 30 Jan 1996 03:57:56 +0800 Subject: The Unintended Consequences of Suppression Message-ID: <2.2.32.19960129042557.0069b468@mail.teleport.com> At 08:52 PM 1/28/96 -0600, Alex Strasheim wrote: >> You just don't get it, do you? Do-gooders like the Wiesenthalistas >> don't need to be *right*; they need *a steady stream of cash contributions* > >It's usually more effective to point out why what someone is saying is >wrong rather than to speculate as to what their motives for saying it >might be. Particularly in cases where, rightly or wrongly, the folks being subjected to ad hominem have a very favorable public image. Explanations that give credit for good intentions and show how the present action works to undermine them, and which include constructive alternatives, are a _lot_ more likely to be listened to. At least that's the way it works for me. And it works for pretty much everyone I know. If there's anyone here who's more impressed by ad hominem, I'd be curious, but they'd still be in the minority.
Bruce Baugh bruceab at teleport.com http://www.teleport.com/~bruceab From liberty at gate.net Mon Jan 29 11:58:06 1996 From: liberty at gate.net (Jim Ray) Date: Tue, 30 Jan 1996 03:58:06 +0800 Subject: An Enigma - Wrapped In a Circle Message-ID: <199601290505.AAA36182@osceola.gate.net> -----BEGIN PGP SIGNED MESSAGE----- "Perry E. Metzger" foamed: I wrote: >> 1. Flame me, in *private* e-mail. [I'll happily ignore you.] >> 2. Go hump a tree. > >What the hell is the cypherpunks relevance here, anyway? I mean, other >than trying to elicit a response from me, which you surely knew would >show up, was there any purpose to this? Why are crop circles important >to people worrying about cryptography and cryptography policy? What >possible linkage could there be? Why Perry! I see your point! Any phenomenon that elicits articles with titles like "Ciphers in the Crops" could have nothing at all to do with cryptography... I repeat: Go hump a tree. In complaining about supposed "noise," you cause more noise than any other person on this list. Learn to read before you spew, or just learn to shut up! JMR Regards, Jim Ray -- Boycott espionage-enabled software! "He that would make his own liberty secure, must guard even his enemy from oppression; for if he violates this duty, he establishes a precedent that will reach to himself." - T. Paine http://www.shopmiami.com/prs/jimray _______________________________________________________________________ PGP key Fingerprint 51 5D A2 C3 92 2C 56 BE 53 2D 9C A1 B3 50 C9 C8 Public Key id. # E9BD6D35 IANAL _______________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Freedom isn't Freeh. 
-----END PGP SIGNATURE----- From dlv at bwalk.dm.com Mon Jan 29 11:59:49 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Tue, 30 Jan 1996 03:59:49 +0800 Subject: "German service cuts Net access" (to Santa Cruz) In-Reply-To: <199601290252.VAA18010@toxicwaste.media.mit.edu> Message-ID: <546FiD88w165w@bwalk.dm.com> Derek Atkins writes: > > As a point of information, the operators of the "Amateur Action" bulletin > > board in Fremont, California are now sitting in prison because they > > e-mailed material fully legal in California but illegal (the court > > determined) in Memphis, Tennessee. > > Actually, it wasn't because of what they emailed, but rather the > owner/operators of AA BBS snail-mailed a video cassette that contained > "pornographic" materials. Unfortunately it sets a bad precedent > nonetheless. I didn't follow this case that closely, but I'm quite certain that I read on the net that the prosecution's witnesses dialed AA BBS _by modem_ from TN (establishing jurisdiction) and downloaded the materials that were later found to be offensive to TN's community standards. Snail mail may have been also involved, but I definitely recall that letting someone in TN download the stuff via modem was in the indictment. IMO, this sets a precedent for the German incident. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From teddygee at visi.net Mon Jan 29 11:59:52 1996 From: teddygee at visi.net (Ted Garrett) Date: Tue, 30 Jan 1996 03:59:52 +0800 Subject: more RANTING about NSA-friendly cpunks Message-ID: <2.2.32.19960129041358.0069fc48@mail.visi.net> At 01:10 PM 1/28/96 +0800, you wrote: >In message <199601262011.MAA17408 at netcom16.netcom.com>, > "Vladimir Z.
Nuri" wrote: >> has anyone *tried* just ignoring the ITAR wrt crypto and seeing what >> would happen? [snip] >> but aren't we equally as comic in assuming that violating the ITAR >> crypto sections will inevitably bring the 4 horsemen of the NSA?? > >One word... >Zimmermann. >I do agree with what you're saying though. But what he's saying is basically this: If instead of targeting a single entity - (eg Zimmermann) for a crypto violation, they had to look at thousands of separate entities per violation (eg cypherpunks, inner circle, users on AOL who have a clue, mit professors, cryptographic experts, corner preachers, etc.), then soon the court system would be forced to come to the realization that, indeed, the genie IS out of the bottle, and the system as a whole would have to recognize that a change needs to be made. As it stands, they bullied on ONE man for something he didn't do, and could drop the case without there needing to be a precedent set. Because there is now no precedent, the NSA and FBI can still use the ITAR regulations to batter any individual who attempts to distribute strong cryptography tools to the general public. If they had been confronted with tens, hundreds, thousands, or tens of thousands of people tangibly involved in distributing cryptographic tools, then it would have been much harder for them to say "We are just going to drop this.". They would have had to either go the distance or dismiss it in the beginning. If PGP had been developed under the gnu charter or the Linux concept, what would the government have been able to do about it being distributed? NOT A DAMNED THING. Or at least that's my opinion. From samman-ben at CS.YALE.EDU Mon Jan 29 12:01:25 1996 From: samman-ben at CS.YALE.EDU (Rev. Ben) Date: Tue, 30 Jan 1996 04:01:25 +0800 Subject: New Software Message-ID: Release time. And I guess I finally get to add my name to the rolls of Cpunks that 'write code'.
I finished a release of a simple Zero Knowledge Authentication system that uses the GNU Multiprecision Library to implement a modified Fiat-Feige-Shamir ZKIPS. It is written in C on FreeBSD 2.1-R but should run on anything that uses BSD socket code. I tried to write it fairly portably. It is a very early release with little bounds checking or any of the hardening that would be required in a secure environment--hell in a secured environment, you'd want to write the bignum package yourself. But in any case, it's just to get some practice writing this sort of code as well as amuse myself. My latest project is to write an HTTP anonymizer--sort of like a bit launderer. The plan would be to allow a server to be browsed without actually giving away its real address by using a proxy. The client would have an encrypted URL that would be passed to the proxy. The proxy, using its own private key would decrypt the real URL and make the HTTP request to the server. This would opaque the server's identity from the client. While this sounds all well and good, unless there are multiple proxies deployed a-la Mixmaster with encapsulated encryption, there is the threat that the proxy would be able to match up server-client pairs. In any case, I'm open to suggestions on this project--it's very open ended and should be done in a couple of months. If anyone would like a copy of the work done mail me and I'll send you a tarball. Ben. PS: Does anyone know of any French COMPUSEC firms that I could contact? I'd like to try to get a job there for next year. ____ Ben Samman..............................................samman at cs.yale.edu "If what Proust says is true, that happiness is the absence of fever, then I will never know happiness. For I am possessed by a fever for knowledge, experience, and creation." -Anais Nin PGP Encrypted Mail Welcomed Finger samman at powered.cs.yale.edu for key Want to give a soon-to-be college grad a job?
Mail me for a resume From jamesd at echeque.com Mon Jan 29 12:03:02 1996 From: jamesd at echeque.com (James A. Donald) Date: Tue, 30 Jan 1996 04:03:02 +0800 Subject: "German service cuts Net access" (to Santa Cruz) Message-ID: <199601290519.VAA14243@mailx.best.com> The German prosecuters are currently targeting the site of Mr Zundel, "who is well known for his open revisionist positions." Zundel is not in fact a Nazi, but an anti nazi: Here is a sample of his work. Bottom line. German prosecuters are amazingly ignorant idiots. Press Release Date: January 3, 1996 Attention: Assignment Editor / For immediate release Hate all that you can hate in the Nazi Reserves! In The Nazi Reserves, we hate more people before 6am, than most people hate all day! We promise if you join The Nazi Reserves, you will be trained in: 1) Marching 2) Re-learning History 3) Growing a mustache just like Hitler's 4) Burning your own house and blaming it on Jews! 5) Learning how to blame *everything* on Jews! 6) Learning how to blame everything that can't be blamed on Jews on the Blacks! 7) Learning how to blame everything that can't be blamed on the Jews or the Blacks on the Liberals! 8) Learning how to blame everything that can't be blamed on the Jews or the Blacks or the Liberals on the Catholics! 9) How to signal the Alien Nazi UFO Mothership! 10) More marching! 11) How to enjoy being anal probed by Nazi aliens from space! 12) How to make your jackboots *really* shine! 13) How to beat up homosexuals (this one's easy-- just make sure you outnumber them by about 6:1, and make sure you're in Colorado) 14) And yes, MORE marching! If you join now, we promise you there will be *no volleyball* and *no push-ups* and no *5 mile runs!* Yes, even middle aged balding men can join the Nazi Reserves! The Nazi Reserves: It's not just a job, it's a perversion! (Not like my other perversions which involve trying to stuff my plump legs into stockings and prance around in heels.) 
JOIN NOW AND WIN A FREE TRIP TO THE NAZI UFO BASE AT THE CENTER OF THE EARTH! Surveys show that 9 out of 10 prisons prefer candidates who have learned the skills taught in The Nazi Reserves! Join now and you increase your chances of receiving free meals and housing for the rest of your life! -- Ernst Zundel My right to free speech supersedes your right to exist. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From vznuri at netcom.com Mon Jan 29 12:04:47 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Tue, 30 Jan 1996 04:04:47 +0800 Subject: more RANTING about NSA-friendly cpunks In-Reply-To: <199601282130.NAA29294@netcom6.netcom.com> Message-ID: <199601290535.VAA08104@netcom8.netcom.com> frantz at netcom.com >>Zimmermann supports my contention, as I wrote in the post. NOTHING >>happened to him. it is conceivable this same result could have >>been arrived at (government drops investigation) if he never even >>hired a lawyer. >> >>Zimmermann is a perfect example of what may be counterproductive >>hysteria on *our* side, toward advancing crypto. if Zimmermann >>cannot be prosecuted, and is not prosecuted, where are the ITAR "teeth"??? > >I am not a lawyer, but I suspect that the prosecutors gave up because they >could not build a trail of evidence between Zimmermann and the actual >export. After all, Zimmermann only wrote PGP. He didn't post it on the >net. so what?!?!? what is your point?!?!?! I am well aware of the Zimmermann background!!! why do you think I used it as an example!! the "Feds" are AWARE that KELLY GOEN was the one who distributed it. did they prosecute him either? NO!!! did they have evidence that Goen was the one that knowingly "exported" the code? PROBABLY!!!
WHAT DOES THIS TELL YOU?!?!?! my point is that, what is anyone's evidence that what happened to Zimmermann (i.e. NOTHING WHATSOEVER other than an investigation that ended with NOTHING) would not happen to whoever tried to "export" whatever algorithms they pleased??? if people are going to pretend that the ITAR crypto sections have TEETH, then please give a disclaimer that YOU HAVE NO EVIDENCE. I have no problem with people getting "paler shades of white" from all their imagined bogeymen. I do have a problem with them complaining, then, about a reality that came about from their own fears, i.e. was constructed BY THEM, not by their opposition (i.e. the NSA). Zimmermann SHOWS that any claim that the ITAR has "teeth" APPEARS TO BE GROUNDLESS. what happened to Zimmermann? NOTHING. I repeat: he could conceivably have NOT EVEN HIRED A LAWYER to achieve the current situation, which was that he was NOT EVEN PROSECUTED, let alone CONVICTED. you can argue all you want about HYPOTHETICAL situations, but the REALITY is that nobody has ever gotten any nastiness from any ITAR-crypto prosecution. why is this point so hard to grasp??? perhaps whoever points out various fears are groundless is barking up the wrong tree, if the fearer is not interested in alternative scenarios or incapable of conceiving of them. if cpunks want excuses to cower in terror of the ITAR (such as e.g. TCM seems to advocate), you will find endless justification from your rampant fantasies. in my view, as I wrote, however, they are about as substantial as fears of COOTIE or THE BOGEYMAN based on actual reality. P.S. it is well known that KELLY GOEN distributed the code-- you can even ask Sternlout. I am not revealing any secret there. From jlasser at rwd.goucher.edu Mon Jan 29 12:09:54 1996 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Tue, 30 Jan 1996 04:09:54 +0800 Subject: new(?) anti-usenet censorship technique? 
Message-ID: Playing around online today, it occurred to me that much of Compu$pend's subscribers (and many other ISPs, especially smaller ones which might be subject to governmental pressures) rely largely on people who use chat modes frequently, often for sex-related chat... they cannot cut off IRC (for example) without hurting their income substantially. If someone put up an IRC<->news gateway, with a bot that allowed anyone on channel to read newsgroups, it'd be virtually impossible to censor; one could use a variable channel name to increase the difficulty of censoring it. Has anyone done this before? Or talked about it? Jon Lasser ------------------------------------------------------------------------------ Jon Lasser (410)494-3072 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From ampugh at mci.newscorp.com Mon Jan 29 12:10:06 1996 From: ampugh at mci.newscorp.com (Alan Pugh) Date: Tue, 30 Jan 1996 04:10:06 +0800 Subject: "Gentlemen do not read each other's mail" Message-ID: <199601291915.OAA25398@kafka.delphi.com> >It isn't clear to me that the Constitution grants "rights" to the government >that aren't already possessed by the people themselves. Would that even be >possible? "Powers" maybe, "rights," maybe not. the constitution is an amazingly consistent document internally. take a slow read through it and you will see that you are absolutely correct. when 'people' are being referred to, the term used is 'rights'. when it is a governmental organization (state or federal), the term used is always 'powers'. amp From jf_avon at citenet.net Mon Jan 29 12:35:12 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Tue, 30 Jan 1996 04:35:12 +0800 Subject: Denning's misleading statements Message-ID: <9601291934.AA19689@cti02.citenet.net> >At 03:12 PM 1/28/96 -0500, Ben Samman.
wrote: >>There's quite a few folks in the Yale CS department that are pro-Clipper >>or fence sitters. They justify it in class by claiming that law >>enforcement needs these abilities if LE is to remain effective. What research grant pays these guys' salaries? JFA Reality IS, Existence Exists. -John Galt From jf_avon at citenet.net Mon Jan 29 12:50:34 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Tue, 30 Jan 1996 04:50:34 +0800 Subject: more RANTING about NSA-friendly cpunks Message-ID: <9601291935.AA19726@cti02.citenet.net> "Vladimir Z. Nuri" said: >my point is that, what is anyone's evidence that what happened to >Zimmermann (i.e. NOTHING WHATSOEVER other than an investigation that >ended with NOTHING) would not happen to whoever tried to "export" >whatever algorithms they pleased??? >if people are going to pretend that the ITAR crypto sections have >TEETH, then please >give a disclaimer that YOU HAVE NO EVIDENCE. I have no problem with >people getting "paler shades of white" from all their imagined bogeymen. >Zimmermann SHOWS that any claim that the ITAR has "teeth" APPEARS TO >BE GROUNDLESS. >you can argue all you want about HYPOTHETICAL situations, but the >REALITY is that nobody has ever gotten any nastiness from any >ITAR-crypto prosecution. >if cpunks want excuses to cower in terror of the ITAR (such as e.g. >TCM seems to advocate), you will find endless justification from >your rampant fantasies. I do not think that whether PZ or anybody else was prosecuted in *this* case means that ITAR does not have teeth. The most important thing in order to understand a situation is to put yourself in the other guy's shoes. If I would have been in the govt shoes, maybe I would have let down the case too. It does not mean that I wouldn't attempt any case like this anymore... These people are not stupid. They might be statists, but they are intelligent statists...
PZ case could have been presented as borderline, and could have made a precedent not in their advantage. Non-objectivity of a law never prevented the govt to "enforce" it. JFA Power tends to corrupt, absolute power corrupts absolutely. From jf_avon at citenet.net Mon Jan 29 12:52:03 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Tue, 30 Jan 1996 04:52:03 +0800 Subject: "German service cuts Net access" (to Santa Cruz) Message-ID: <9601291935.AA19744@cti02.citenet.net> olmur at dwarf.bb.bawue.de writes: > Free speech ends where other people can reasonably claim that their > feelings are badly hurt. Ask yourself what standard is implied in this sentence... Is it "Man as a life-loving rational animal" or "Man as an ever sobbing, unable to cope, emotionally controlled animal" ??? JFA "I always tried to live in order to be able to *fly* another day." -Gen. Chuck Yeager From nsb at nsb.fv.com Mon Jan 29 13:06:20 1996 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Tue, 30 Jan 1996 05:06:20 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards Message-ID: [My apologies in advance if you see several copies of this message. I am posting this fairly widely due to the severity and importance of the problem described.] As you may already have heard via the popular press, First Virtual Holdings has developed and demonstrated a program which completely undermines the security of every known credit-card encryption mechanism for Internet commerce. This is a very serious matter, and we want to make sure that the Internet community is properly informed about the nature of the problem that we have uncovered, and the manner in which we have made the information known. In this (unavoidably lengthy) post, I will try to explain the nature of the problem and its implications for Internet commerce.
In deference to those who are not technically oriented, the detailed explanation of how the attack works will be the LAST part of this message. First of all, let me be perfectly clear about the nature of the problem we have exposed. It is NOT a bug in a single program, and it is therefore NOT something that can be fixed with a "patch" or any other kind of software upgrade. Instead, we have demonstrated a very general attack that undermines ALL programs that ask users to type a credit card number into their home computer. We have tested the program and confirmed that it undermines the security of the credit card encryption software from Netscape and Cybercash, and we expect that it will work similarly for ANY future software based on the encryption of credit card numbers on the desktop. Quite simply, we believe that this program demonstrates a FATAL flaw in one whole approach to Internet commerce, and that the use of software to encrypt credit card numbers can NEVER be made safe. For consumers, we recommend the following simple rule: NEVER TYPE YOUR CREDIT CARD NUMBER INTO A COMPUTER. We should also be clear about the Internet commerce mechanisms that are NOT affected by this problem. First Virtual is unaffected because we never ask the user to put a credit card number at risk by typing it into a computer. Hardware-based solutions can also be devised that are immune to this attack, including solutions based on smart cards and solutions based on "card swipe" machines in the home. We believe that current digital cash solutions are also not vulnerable to this attack, although some variants of digital cash may be vulnerable to a similar form of attack. Commerce mechanisms based on the use of telephones or fax machines to transmit credit card numbers are also unaffected by this kind of attack. Other proposed commerce mechanisms should, from now on, be evaluated with this kind of attack in mind. 
The bottom line: INTERNET COMMERCE CAN BE VERY SAFE, WITH SEVERAL DIFFERENT MECHANISMS, BUT ENCRYPTING CREDIT CARDS ON THE DESKTOP IS NOT ONE OF THE SAFE MECHANISMS. It's important to understand why we have taken this step. Obviously, as the long-time leaders in Internet commerce, the last thing we would want to do is to undermine general confidence in Internet commerce. However, we realized that many people believed that credit card encryption was a safe and easy path to Internet commerce, and that very few people understood how easily it could be undermined. Upon investigation, we were frankly startled to realize just how easy it was -- a single programmer got the first version of our program running in about a week. Aside from our obvious interest in promoting our own commerce mechanism, we felt that we had an ethical obligation to bring this problem to the attention of the consumers, banks, and other financial institutions who could conceivably suffer catastrophic losses if software encryption of credit card numbers became widespread. We also realize that we have an obligation to do everything possible to avoid helping any unscrupulous people who might seek to utilize this flaw for malicious purposes. We have accordingly been extremely responsible in how we have handled our discovery. We first demonstrated and explained our program to vital organizations such as CERT (the Computer Emergency Response Team) and the ABA (American Banking Association). Only after many such private disclosures, none of which revealed any defense against our technique, did we publicly disclose the existence of this program. In addition, we have taken several steps to "cripple" our demonstration program, all of which will be discussed below. Furthermore, we have NOT made the program itself generally available. 
We are currently demonstrating it to selected financial institutions and government agencies, and will provide copies of the program only to CERT and a few other independent security-minded organizations. We have also alerted Netscape to the problem as part of their "bugs bounty" program. At some future date, we might conceivably distribute the program, in binary form on CD ROM, to selected financial institutions. The source code will always be very closely guarded. Unfortunately, however, the general method of attack is extremely easy to duplicate, and we don't know of any good way to alert the public to the problem without explaining it. THE TECHNIQUE Our basic approach was to write a computer program that runs undetected while it monitors your computer system. A sophisticated version of such a program can intercept and analyze every keystroke, mouse-click, and even messages sent to your screen, but all we needed was the keystrokes. Selectively intercepted information can be immediately and secretly transmitted via Internet protocols, or stored for later use. First Virtual's research team has built and demonstrated a particular implementation of such a program, which only watches for credit card numbers. Whenever you type a credit card number into your computer -- even if you are talking to "secure" encryption software -- it captures your card number. Our program doesn't do anything harmful with your credit card number, but merely announces that it has captured it. A malicious program of this type could quietly transmit your credit card number to criminals without your knowledge. The underlying problem is that the desktop -- the consumer's computer -- is not secure. There is no way of ensuring that all software installed on the consumer's machine can be trusted. Given this fact, it is unwise to trust ANY software such as a "secure" browser, because malicious software could have easily been interposed between the user and the trusted software. 
The bottom line for consumers is that, on personal computers, INFORMATION IS INSECURE THE MOMENT YOU TOUCH A KEY. We have dramatically proven that security ends the moment you type sensitive information into your computer. The vulnerability lies in the fact that information must travel from your keyboard, into your computer's operating system, and then to your "secure" application. It can be easily intercepted along the way. This kind of insecurity is very frightening, and has implications far beyond credit card theft. However, credit cards embody and demonstrate the kind of information that is MOST vulnerable to this kind of attack. Credit card numbers are far more vulnerable to this kind of attack than most other forms of information because of the following particular characteristics of credit card numbers: -- Credit card numbers are easily recognized by simple pattern recognition. -- Credit card numbers are "one way" financial instruments, with no user-level confirmation or verification required for their use. -- Credit card numbers are of direct financial value. In short, credit card numbers are an almost perfect example of how NOT to design a payment instrument for an insecure public computer network such as the Internet. DETAILS: HOW TO TOTALLY UNDERMINE SOFTWARE ENCRYPTION OF CREDIT CARDS First Virtual's demonstration credit-card interception program, once installed, observes every keystroke that you type, watching for credit card numbers. It recognizes credit card numbers with almost perfect accuracy, because credit card numbers are specifically designed to match a simple, self-identifying pattern, including a check digit. Our program is even smart about punctuation and simple editing functions, so that nearly any credit card number that you type into your computer is immediately recognized as such by this program. 
When our program spots a credit card number, it immediately plays a warning sound and pops up a window on your screen, including an iconic representation of the type of credit card that you have just entered, along with a clear explanation of what has just happened. The current program works only on Microsoft Windows (Windows 3.1, Windows NT, and Windows 95), but we believe that it would be simple to implement on Macintosh and UNIX systems as well. The program doesn't exploit any "holes" or bugs in the operating system. It uses existing, necessary operating system facilities which are part of the published Windows API, and which are necessary for the implementation of screen savers, keyboard macros, and other important software packages. First Virtual's intent is to educate the public, certainly not to endanger it. For that reason, our program incorporates four important precautions intended to prevent any possibility of harm: 1) Our program is not self-replicating. While a malicious program exploiting the same security flaw could easily be embedded in a virus, spreading itself all over the world, that was not our goal. Instead, the program must be deliberately and manually installed on each computer on which it is to run. 2) Our program always puts up an icon on your screen when it is watching your keystrokes. This is certainly not necessary, and it is clear that a malicious program would be unlikely to do this. 3) Our program is easy to remove from your computer, and even offers an "Uninstall" button to the user. Obviously a malicious program would hide itself as well as possible, and make itself as hard to remove as possible. 4) Our program never transmits your credit card over the Internet. While a program using this approach could transmit your information to a criminal in a totally untraceable manner, we would never do anything like that. 
In fact, we erase your credit card number from our program's memory before we even tell you that we've seen it, thus making sure that the credit card number can't even be retrieved by an inspection of our program's memory. It is frankly difficult to overstate the severity of the problem demonstrated by our program. A clever criminal could use viral techniques to spread a malicious program based on the same approach, and would be no more likely to be caught in the act than the authors of any of the computer viruses that plague the world today. Once it detects a credit card number, a criminal program could use any of several techniques to send that number to the original criminal without providing any way to trace the criminal's receipt of it. (If you're skeptical about this claim, we'd prefer to talk with you privately, as we've never seen the "best" methods for doing this spelled out in public, and we would prefer to keep it that way.) Altogether, this means that if millions of credit card numbers were being typed into Internet-connected personal computers, a criminal could obtain a virtually unlimited supply of card numbers for his own use. In fact, for all we know this could already be happening today. The first visible sign of such an attack, if it were well-executed, would be a gradual rise in the overall rate of credit card fraud. POSSIBLE SOLUTIONS First Virtual believes that the flaw we have uncovered is fatal. In the foreseeable future, all commerce schemes based on software encryption of credit cards on the desktop are completely vulnerable to this sort of attack. The basic problem is that software encryption of credit cards is predicated on the notion of "trusted software". On the consumer computing platforms, however, general purpose operating system functionality makes it unwise to assume too strong a level of trust in such software. 
No operating system with anything less than military-grade security (B2) is likely to be safe from an attack such as this one. This does not mean that Internet commerce is dead. Any scheme that is not based on self-identifying one-way financial instruments such as credit cards will be essentially unaffected by this problem. Moreover, even credit cards may be made safe on the Internet using one of two approaches: secure hardware add-ons and the First Virtual approach. First Virtual's Internet Payment Systems never places the consumer's credit card number on the Internet. Instead, the consumer provides it to us by telephone when the account is opened. After that, all purchases are made using a "Virtual PIN". Virtual PINs are essentially Internet aliases for underlying payment mechanisms such as credit card numbers, but with several kinds of added security. Virtual PINs are free-form text, with no recognizable pattern, which makes them much harder to detect with the kind of attack we have just demonstrated. Moreover, Virtual PINs are only usable in conjunction with First Virtual's unique email verification process. No payment is made until the consumer confirms an email query, which means that defrauding First Virtual is a multi-step process that is extremely difficult to automate. (For more details, we recommend our paper, "Perils and Pitfalls of Practical CyberCommerce", available via ftp from ftp://ftp.fv.com/pub/nsb/fv-austin.txt.) The bottom line, once again, for those of you who have read this far: NEVER TYPE YOUR CREDIT CARD NUMBER INTO A COMPUTER. There's simply no other way to keep credit cards safe on the net. The program we have demonstrated completely undermines the security of all known programs that claim to handle credit card numbers safely on the Internet. 
-------- Nathaniel Borenstein Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq at nsb.fv.com From jimbell at pacifier.com Mon Jan 29 13:06:52 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 30 Jan 1996 05:06:52 +0800 Subject: PAC_man Message-ID: At 12:05 PM 1/28/96 -0500, John Young wrote: > 1-28-96. TWP: > TWP has a followup on the AOL raid, mostly a police story > grisler on the cyber-prowling horny-cats. Has ICU of the > terminal logoff by a 13-year-old nerd. The fuz posted a > call-in for anon tips: > > "You know how many we've gotten from our on-line hot > line? Not one. It's like they have this fantastic world > they operate in, and we are seen as intruders or > something." > ICU_ded Maybe, they're catching on, huh?!? From cp at proust.suba.com Mon Jan 29 13:14:10 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Tue, 30 Jan 1996 05:14:10 +0800 Subject: pgp on linux In-Reply-To: <199601290513.FAA30591@pangaea.hypereality.co.uk> Message-ID: <199601290607.AAA07906@proust.suba.com> > i can't seem to get pgp compiled on my linux machine. where should i ask > about this?- since cypherpunks would be a bad choice. thanks. I like anonymity as much as the next guy, but if you're asking for help it's not really appropriate -- lots of disinterested people are going to read this, when they really shouldn't have to. The place to ask about pgp is alt.security.pgp. If you post there, try to say what happened when you attempted to compile the program. Before you post anywhere, try grabbing the .tar.gz version instead of the .zip version -- there are some case sensitive file names that munge on linux in the .zip version. The other ought to compile out of the box. 
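The First Virtual announcement above rests on card numbers being self-identifying (fixed lengths, issuer prefixes, a check digit), while a free-form Virtual PIN has no such structure. The same property lets a defender scrub card numbers out of logs and tickets before they are stored; the following is an added example, not First Virtual's program or code from any list member, and the function names, the coarse brand table (present-day issuer prefixes) and the sample lines are constructed for illustration.

```python
import re

# A run of ASCII digits, allowing one space or hyphen between neighbours,
# which covers the usual ways a card number is typed or logged.
RUN = re.compile(r"[0-9](?:[ -]?[0-9])+")


def luhn_ok(digits: str) -> bool:
    """Check-digit test: double every second digit from the right, sum mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str):
    """Coarse issuer classification from prefix and length; None if no match."""
    n = len(digits)
    if digits.startswith("4") and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55
                    or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "amex"
    return None


def find_pans(text: str):
    """Return (start, end, brand, digits) for each card number found in text.

    Windows are slid across every digit run, so a card number followed by
    other digits ("... 1111 0197") is still found. The price is that a long
    unrelated number containing a valid-looking window is flagged too; for
    redaction, over-matching is the safer failure.
    """
    hits = []
    for m in RUN.finditer(text):
        pos = [i for i in range(m.start(), m.end()) if text[i].isdigit()]
        digits = "".join(text[i] for i in pos)
        k = 0
        while k < len(digits):
            for n in (19, 16, 15, 13):
                cand = digits[k:k + n]
                brand = brand_of(cand) if len(cand) == n else None
                if brand and luhn_ok(cand):
                    hits.append((pos[k], pos[k + n - 1] + 1, brand, cand))
                    k += n
                    break
            else:
                k += 1
    return hits


def redact(text: str) -> str:
    """Replace each detected card number, keeping only brand and last four."""
    out = text
    for start, end, brand, digits in reversed(find_pans(text)):
        out = out[:start] + f"[{brand} PAN ending {digits[-4:]}]" + out[end:]
    return out


# Constructed sample input: an order id that fails the check digit, two
# published test card numbers, and a free-form alias with no pattern.
SAMPLE = (
    "order=1234567890123456 note=paid\n"
    "card: 4111-1111-1111-1111 exp 01/97\n"
    "amex 3782 822463 10005 ok\n"
    "virtual-pin: blue-heron-42\n"
)

if __name__ == "__main__":
    print(redact(SAMPLE))
```

The order id and the free-form alias pass through untouched, which is the asymmetry the announcement describes: only the instrument with a published pattern can be picked out of a stream, by an attacker or by a scrubber.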
From adam at lighthouse.homeport.org Mon Jan 29 13:14:20 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Tue, 30 Jan 1996 05:14:20 +0800 Subject: Clipper technicalities (Was: Denning's misleading statements) In-Reply-To: Message-ID: <199601290554.AAA02373@homeport.org> Peter Wayner wrote: | But, on the other side of the fence, I just passed a section in | _Takedown_ where Shimomura and the FBI agents decide that the | best place for the Clipper phones is "in the trunk." Apparently | they don't communicate with regular phones so they were | practically worthless. The AT&T 3600c does interoperate. I posted to Cypherpunks about them shortly after the HOPE conference in NYC in August 94. Check the archives for the full post, but they start a conversation as normal phones, you hit a button, and one unit sends touch tones for 2587, and they start encrypting. http://www.hks.net/cpunks/cpunks-7/0191.html Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From declan+ at CMU.EDU Mon Jan 29 13:17:43 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Tue, 30 Jan 1996 05:17:43 +0800 Subject: "German service cuts Net access" (to Santa Cruz) In-Reply-To: <199601290519.VAA14243@mailx.best.com> Message-ID: Excerpts from internet.cypherpunks: 28-Jan-96 Re: "German service cuts Ne.. by "James A. Donald"@echequ > The German prosecuters are currently targeting the site of Mr Zundel, "who > is well known for his open revisionist positions." > > > Zundel is not in fact a Nazi, but an anti nazi: Here is a sample > of his work. > > Bottom line. German prosecuters are amazingly ignorant idiots. You're actually quoting from an inspired bit of trolling. See my recent message: "Ernst Zundel impersonator on Usenet" Whatever he is, Zundel is not an anti-Nazi. He's perhaps the world's leading holocaust revisionist, and is now living in Canada. 
He's well-known to our northern neighbors; his trial for speech crimes went all the way to the Canadian Supreme Court. His web site is at: http://www.webcom.com/~ezundel/english/ But I agree with your basic point. For trying to censor the Internet, German prosecutors are amazingly ignorant idiots. -Declan From jimbell at pacifier.com Mon Jan 29 13:17:46 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 30 Jan 1996 05:17:46 +0800 Subject: Over-reacting? Message-ID: At 05:42 PM 1/28/96 -0800, Timothy C. May wrote: > >Folks, > >When people decide to copy other mailing lists on messages they send to >Cypherpunks (or vice versa), we often get flooded with insults and spams >from people who don't share our views. (While I have nothing against trying >to recruit others to our views, in my opinion this is best done by >judicious writing of essays for _them_, tuned to their interests, and not >in mindless spamming of every list that might have a passing interest in >some of the topics.) > >We already have enough traffic here, and don't need replies from a bunch of >other lists, be they libertarian lists, digital commerce lists, human >rights lists, or java lists. > >The latest example of this is the rantfest invvolving these players: I really don't know why I'm being "killed" by May in this way. He cites a rant by a local (Portland, Oregon) crackpot named "Jack Hammer." I even took the time to apologize for his existence, while I do claim a certain lack of responsibility: Basically, I'm being targeted because Hammer can't stand my essay. (Whether May will even see my apology is in doubt, I suppose...) While May certainly has the right to "killfile" whomever he wishes, it might be a bit more logical to do this in a graduated fashion, "killing" Hammer and then waiting to see if the rest of us follow in his habits. 
From lull at acm.org Mon Jan 29 13:18:48 1996 From: lull at acm.org (John Lull) Date: Tue, 30 Jan 1996 05:18:48 +0800 Subject: "German service cuts Net access" (to Santa Cruz) In-Reply-To: Message-ID: <310c59a4.2517065@smtp.ix.netcom.com> On Sun, 28 Jan 1996 22:18:28 -0500 (EST), Dr. Vulis wrote: > Very little crypto relevance in the following... Agreed. I'll not be posting further on this topic here. If you'd care to pursue this E-mail, I have no objection. > lull at acm.org (John Lull) writes: > > If this is really what Germany wants, then it sounds like time to > > totally cut Germany off from the internet, simply in self > > preservation. > I'm sure this is what the German government and many German people really want. If so, then they have the power to make that decision, and to (largely) enforce it. By doing so, however, they would (and should) lose all the benefits of the internet as well. > But, would you also argue that the former Soviet Union should not have been > allowed on Internet because some of the information that would enter it via the > internet would have been illegal there? I read that Singapore is similarly > trying to restrict its citizens' access to the net. I would argue that ANY country which actively tries to restrict information providers in other countries through these "long arm of the law" tactics, ought to be banished from the internet. If France wants to outlaw postings in English, I have no legitimate right to complain -- so long as they limit it to postings from France. If they were to begin arresting those from England, or Canada, or the US, however, for posting in English, they would have gone too far. Attempting to limit what comes into your country via filtering, restrictions on your own carriers, prosecution of your own citizens or other residents of your country for violations of your own laws, etc. is one thing. Trying to apply your laws to those in other countries, however, is quite another. 
> I think it would be more > honorable to provide Germans with tools to access the information they want, > even if it violates their laws that we consider to be unjust. Developing tools to access information is worthwhile. But successful attacks on those providing information make access tools worthless. If the information simply isn't there, all the nice access tools in the world can't create it. From jsw at netscape.com Mon Jan 29 13:19:20 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Tue, 30 Jan 1996 05:19:20 +0800 Subject: Netscape, CAs, and Verisign In-Reply-To: <199601281901.NAA06629@proust.suba.com> Message-ID: <310C6C76.AB8@netscape.com> sameer wrote: > > > > > Moreover, although I don't think it's reasonable to expect Netscape to > > agree to include a non-existent CA in their browsers sight unseen, at the > > same time it doesn't seem smart to sink money into setting up the CA > > without some indication from Netscape that they're willing to give the > > idea good faith consideration. > > > They won't. You're not a megacorp in bed with RSA. As I said in my previous message, we don't care how big you are as long as you meet the soon to be published criteria. --Jeff PS - If you think that verisign is a megacorp, your view of the world is a bit skewed. -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From jsw at netscape.com Mon Jan 29 13:19:29 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Tue, 30 Jan 1996 05:19:29 +0800 Subject: Netscape, CAs, and Verisign In-Reply-To: <199601281901.NAA06629@proust.suba.com> Message-ID: <310C6C1D.5A0@netscape.com> Alex Strasheim wrote: > > I'm a big fan of Netscape and their products, and I think they do a good > job of addressing the interests of their customers and the public at > large with respect to crypto issues.
> > But it's starting to become apparent that there's a fairly serious problem > with Certification Authorities and SSL. > > The problem is simple enough: sites with certificates from one of the CAs > that are preconfigured in Netscape have a tremendous advantage over sites > with certs from other CAs, and it's expensive and difficult to get a cert > if you're running an alternative server like ApacheSSL. > > This problem is going to get a lot worse when X509 client authentication > becomes more popular. > > Netscape needs to address the situation. It's just not practical or > desirable for one company (Verisign) to have a stranglehold on > certificates. I agree with what you are saying. I very much want to see real competition in the certificate issuing business. We are in the process of developing a set of criteria that CAs have to meet in order to be included in the "default" list of CAs that our products support. The criteria focus on assuring support for our customers more than trying to specify a particular policy. The criteria will include things like required minimum response times for customer problems, compliance with an interoperability spec, publishing of policies, etc. Some time in the next few months these criteria will be made public, and that should allow for open competition. > I'd like to see a less centralized CA that's tied into the existing system > of notaries. The idea is to make it necessary to spoof a notary in order > to spoof the CA. That won't make spoofing the CA impossible (nothing > will), but it will make spoofing the CA illegal. > > A notary could apply to the CA for the right to work as an agent, for a > nominal fee (<$100/year). Only notaries could be agents. If a person > wants a certificate, they'd come in and present ID and a key to the > notary/agent. The person would have to present a form document stating > that he's requesting the cert.
The notary would stamp the form and affix > a signature to the key which would enable it to be processed automatically > by the CA. > > Fees for the whole procedure ought to be less than $30. The CA ought to > operate off of the fees from the agents as a non-profit organization, and > the agents ought to keep the fees paid by the people requesting the > certificates. > > Would any of the lawyers on the list be willing to comment on whether or > not it's possible or practical to tie a CA into the notary system? Does > anyone have any thoughts as to how difficult/risky spoofing my CA is > compared to spoofing Netscape or Verisign? > > I could put up a server and I think I know a lawyer who would help me set > up a non-profit organization on a shoestring, but I don't want to do it if > the plan is impractical. > > Moreover, although I don't think it's reasonable to expect Netscape to > agree to include a non-existent CA in their browsers sight unseen, at the > same time it doesn't seem smart to sink money into setting up the CA > without some indication from Netscape that they're willing to give the > idea good faith consideration. I would suggest that you wait until you see our published criteria before you spend too much effort setting up such a service, so that you can be sure to meet them. We don't care how big a company you are, as long as you agree to provide our customers with a reasonable level of support and issue certs that are compatible with our products. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
From olmur at dwarf.bb.bawue.de Mon Jan 29 13:19:33 1996 From: olmur at dwarf.bb.bawue.de (Olmur) Date: Tue, 30 Jan 1996 05:19:33 +0800 Subject: "German service cuts Net access" (to Santa Cruz) In-Reply-To: <2.2.32.19960128115634.00977b14@panix.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- >>>>> "John" Lull writes: John> On Sun, 28 Jan 1996 21:41 +0100 (MET), Olmur wrote: >> It's illegal in Germany to publish material denying the holocaust. >> In the same moment this guy sent his book (?) per snail-mail from >> Canada to Germany he committed a crime here in Germany. John> How pray tell is a person in Canada supposed to know that? I John> (in the US) certainly had no idea Germany had such a law. Not knowing a law doesn't mean that I'm not liable for breaking it. John> Are you saying that, if I ran a bookstore, and accepted John> international mail orders, I would have to screen every order to John> ensure I did not ship something offensive to the German John> government? Denying the holocaust is not 'something offensive to the German government' but something that hurts the feeling of the people whose relatives were murdered by the Nazis. Free speech ends where other people can reasonably claim that their feelings are badly hurt. John> And if I did fill such an order, and without ever having set John> foot in Germany, I could be arrested on my next trip to Europe, John> extradited to Germany, and imprisoned for doing something that John> is constitutionally protected in the US? Is it constitutionally protected in US to knowingly hurt other people's feelings and to trample on graves????? John> Alternatively, what if I were to post to usenet a message John> denying the Holocaust, and one person in Germany retrieved that John> message. Would I then be subject to arrest and extradition to John> Germany? Interesting question. I assume from a formal standpoint you were, but practically it might not be possible to prove that you sent the message.
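John> Mike Duvos wrote in another message: >> It is interesting to note that there is no specific law prohibiting >> free speech for Holocaust Agnostics in Germany. The actual laws >> under which such cases are prosecuted are libel laws, which have >> been liberally interpreted to mean that one may not "libel" >> deceased Jews as a class or their memory in the minds of their >> surviving relatives. John> If in fact this is merely a judicial interpretation of an John> apparently unrelated law, it just plain ridiculous to expect John> people in other countries to be aware of it. Mike's information is old. Meanwhile it's explicitly forbidden to deny the holocaust. John> If this is really what Germany wants, then it sounds like time John> to totally cut Germany off from the internet, simply in self John> preservation. No one can reasonably be expected to research John> even the clearly-written laws worldwide that might conceivably John> apply in such cases, much less far-fetched judicial John> interpretations of such laws. As said above: the law is explicit. When I trade with another country of course I have to obey this country's laws. I mean if I visit US I have to obey US-law. If I know it or not. If you visit Germany, you have to obey German law. If you know it or not. The same is with trade. John> Olmur continued: >> I don't think it's astonishing that Denmark imprisoned this guy >> and transported him to Germany. It's a normal thing that one >> country imprisons a criminal another country is searching and the >> delivers him/her to the country in question. John> I, on the other hand, find this QUITE astonishing. His actions John> were legal in both Canada and Denmark (probably everywhere in John> the world except Germany), and he did nothing in Germany. He imported illegal stuff into Germany. If I import weapons to US without a licence I might be imprisoned on my next visit there, too. Due to our history publishing NAZI-propaganda is forbidden in Germany. The big majority in Germany agrees with this view, that NAZI-propaganda doesn't fall under 'free speech'. Some neo-NAZIs publish their books in other countries and then illegally transfer them to Germany. BTW, many European countries forbid publishing NAZI-propaganda. And as far as I know Denmark plans to change their law, too. John> Of course, I find the US actions in kidnapping people in other John> countries quite indefensible also, but at least in those cases John> the persons involved clearly knew they were violating at least John> US law, and in most cases were violating their local laws as John> well. How do you know that they know? How do you know that the guy in question didn't know? Olmur - -- "If privacy is outlawed, only outlaws will have privacy" --- P. Zimmermann Please encipher your mail! Contact me, if you need assistance. finger -l mdeindl at eisbaer.bb.bawue.de for PGP-key Key-fingerprint: 51 EC A5 D2 13 93 8F 91 CB F7 6C C4 F8 B5 B6 7C From alano at teleport.com Mon Jan 29 13:21:44 1996 From: alano at teleport.com (Alan Olsen) Date: Tue, 30 Jan 1996 05:21:44 +0800 Subject: [noise/rant] Re: Anonymous trashing of Jim Bell Message-ID: <2.2.32.19960129062442.0091c5c0@mail.teleport.com> [Some people will object to this thread, and rightly so. This is very off topic. I understand it is off topic. But it needs to be said... If you don't want to read this, hit 'n' or equivalent now. I also request that responses to this be made in private e-mail and not to the entire list.]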
The big majority in Germany agrees with this view, that NAZI-propaganda doesn't fall under 'free speech'. Some neo-NAZIs publish their books in other countries and then illegally transfer them to Germany. BTW, many European countries forbid publishing NAZI-propaganda. And as far as I know Denmark plans to change their law, too. John> Of course, I find the US actions in kidnapping people in other John> countries quite indefensible also, but at least in those cases John> the persons involved clearly knew they were violating at least John> US law, and in most cases were violating their local laws as John> well. How do you know that they know? How do you know that the guy in question didn't know? Olmur - -- "If privacy is outlawed, only outlaws will have privacy" --- P. Zimmermann Please encipher your mail! Contact me, if you need assistance. finger -l mdeindl at eisbaer.bb.bawue.de for PGP-key Key-fingerprint: 51 EC A5 D2 13 93 8F 91 CB F7 6C C4 F8 B5 B6 7C -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAwUBMQxwqA9NARnYm1I1AQGEaQQAodckRyq428q6UyPwBRAc7cmhMzCtJdio iFk7/MZG25C4IPVk//hNTpp5vCFggKkLSsl1yqKgz51pBeXvR2OqjDLqXstygfJE tDNKSEgCbeSNATM5Tgb08ZorZLXU/NBwJjmNWDjBGjgemwJy7Y1ncRpD1XfxxrDp ZI7B1WEaqTA= =4Zta -----END PGP SIGNATURE----- From alano at teleport.com Mon Jan 29 13:21:44 1996 From: alano at teleport.com (Alan Olsen) Date: Tue, 30 Jan 1996 05:21:44 +0800 Subject: [noise/rant] Re: Anonymous trashing of Jim Bell Message-ID: <2.2.32.19960129062442.0091c5c0@mail.teleport.com> [Some people will object to this thread, and rightly so. This is very off topic. I understand it is off topic. But it needs to be said... If you don't want to read this, hit 'n' or equivalent now. I also request that responses to this be made in private e-mail and not to the entire list.] 
[Also note that I stripped off the references to the Libertarian list and the Democracy now list and avoided the urge to add the psychoceramics list.] Jim, I used to take your postings at least semi-serious. I ignored the ad hominem as much as I could and tried to concentrate on the validity of the arguments. I had difficulty with many of your ideas, but I have that problem with many people so it was not a big deal... Then I met you at the Portland Cypherpunks meeting. You blew whatever credibility that you had with me at that time. At that meeting you made claims that were fantastic and beyond belief. You gave no evidence to support those claims, just relying on some sort of future "proof". (Sorry, but the burden of proof in these sort of cases lies on the claimant, not the rest of the audience.) Assassination politics is immensely credible compared to your plan to disable electronic equipment. (And that is saying alot.) Assassination politics suffers from a number of problems. The biggest being its difficulty in being implemented. Such a system would suffer from Federal agents posing as hit men, outright fraud, and attempts to destroy the system from within and without. I have seen nothing that makes me believe it could ever be put into place. I have yet to see you address any of the flaws without resulting to flames and rant. Unfortunately, you would rather attack your critics than deal with the flaws in your beliefs. The following is an example... At 08:30 PM 1/26/96 -0800, jim bell wrote: >At 01:54 AM 1/27/96 +0100, Anonymous wrote: >>Jim Bell writes: >> >>>While this would normally be my cue to offer up my "Assassination Politics" >>>idea, which (if presumed to be correct) would stabilize "anarchy" and >>>prevent "lawlessness and social disorder" (at least as normally seen by the >>>average reader) I think that under the circumstances that would be redundant >>>here. 
>> >>I'm not *sure* that your Assassination Politics trip is the worst piece of >>tripe I've ever seen on the list, but if it's not, it's right up there. > >I notice that you responded through an anonymous remailer, and didn't even >use a nym. This is strange. If anything, the people who criticize my idea >seem to be under the illusion that it is _I_ who should be embarrassed for >proposing it, and in fact vociferously promoting it. "Those of you" who >object to it should be the ones who are "proudly" taking the "moral high >ground" and thus should be happy to identify yourself and defend your position. There are reasons why an individual would do that. Maybe they did not want to create a nym just to respond to one message. Maybe they thought that you would recognize their other nyms. Maybe it is someone you know. Whatever the reason, it does not diminish their arguments. >Even if, arguably, you invented the fiction that you feared for your life >trying to argue with people like me, nothing prevents you from developing a >stable nym and arguing your position using it, secure in the knowledge that >your body is safe from attack. Your arguments would still be subject to >sudden death, however. You think very highly of your arguments, but have shown nothing that would make me believe that you could actually do that without resorting to ad hominem attacks. In fact the poster brings up some interesting questions which you totally ignore, due to your unwavering belief in your pet theory. All you do is flame him, instead of dealing with the immense flaws in that theory. >>Those of us who are anarchists > >What?!? You imply that you are an anarchist, yet you don't approve of a >system which might not only produce anarchy, but in fact in record time? >Well, EXCUUUUUUUUSE MEEEEEE! Sorry to put you out of a "job." Not all anarchists believe in killing others. Sorry, but there are as many variety of anarchy as there are anarchists. 
As for the results of "Assassination Politics", you have yet to show that it would produce any results whatsoever, or if it is even possible to implement. In fact, I cannot see a way that it can be put into place without everyone involved being put in jail. >> are often that way because we think the *means* the State uses are evil, >>not to be excused by any amount of mumbo-jumbo. > >I think the state's ENDS are evil, too, not merely their MEANS. Yet you never explain why it is valid to use evil to fight evil. It is this lack of willingness to discuss the details of your beliefs that make people unwilling to take your ideas seriously. >> And you gleefully propose to let us *all* in on the immoral game of >>murdering those who annoy us sufficiently. > >Actually, if you followed my arguments carefully, you will notice that my >position is most accurately described by pointing out that I _could_not_ >keep you from participating in this "immoral game", even if I wanted to. Or not participating... Jim, if annoying people were a qualification for murder, you would need to watch your back pretty damn carefully. But it is not a qualification yet... You have yet to show, however, how your plan could ever be enacted. If it was possible to enact, you would probably be in jail for "conspiracy to commit murder" or some similar charge. Anyone who assisted in such a plan would also risk such charges. The feds are pretty ruthless in ferreting out people who try an hire hitmen. Especially from private citizens. the only people who are able to hire hitmen and get away with it are the heavily funded or the government themselves. Setting up an organization to compete with these groups will not be viewed favorably. >For the record, I suspect some people who are total pacifists view the rest >of us, those willing use use violence to defend ourselves, as "immoral." This is not as easily defendable as self-defense. If you were shooting the politico yourself, then I might agree. 
But you are not. You are hiring someone else to do your dirty work for you. If you were actually helping out in the slaughter, then i might have a bit more respect for your argument. As it is though, I find it about as toothless as those who eat meat, but are too squeamish to go hunting themselves. >>I'll pass. > >Others won't. The digestibility of your plan has little relevance to its possible adoption... >>You know, if I were constructing an agent provacateur, I'd want a persona >>who's willing to be loudly clueless with ideas that show minimal or >>non-existent awareness of basic human hopes and fears, like security from >>random hit-squads. I'd have him go on and on with his ideas, until >>eventually they can splashed all over headlines and used to discredit the >>whole realm of privacy protection. > >Aha! You're implying (actually, implying is an understatement here) that I >am an "agent provocateur." Naturally, it would be useless to deny this >(although, for the record, I will deny it), because anybody who was >convinced of its truth wouldn't expect me to tell the truth anyway. Nope. The poster is claiming that you are *TOO CLUELESS* to be an Agent Provocateur. You are missing the point. >But hey, let's put it up for a vote. How many people out there believe that >I am an "agent provocateur"? C'mon people, don't be shy, you've seen my >prose. What do the rest of you think? I don't think you are any such thing. I believe that you are convinced of the rightness of your ideas and no amount of rational discourse will sway you from that belief. Being a fanatic does not make you evil or an Agent Provocateur. It does make you less credible though... >>But no, I don't think you're an agent. > >Good! I'd hate to argue with a person who didn't realize I am SERIOUS. You seem to miss the point that the poster was making, but no worry... >> More fool you, you're willing to do the government's disinformation work >>for it without even thirty pieces of silver or a 401K. 
>
>To be perfectly honest, I did a lot of soul-searching in early 1995 about
>whether I should publicize my ideas. No, it wasn't because I was AFRAID
>that it might happen. I _WANTED_ it to happen. Every little bit. Every
>government on the face of the earth, to come crashing down in a heap.
>Complete, total, absolute anarchy. (But not the "anarchy" that most people
>are pre-programmed to think of...) No more governments, no more borders, no
>more taxes, no more holocausts, no more wars, no more politicians. Forever
>and ever and ever.
>
>Rather, I was fearful that by publicizing the idea, I might end up
>PREVENTING it from occurring. You know, by giving the governments advance
>warning about what was going to happen, I might actually help them prevent it.
>
>That worried me, a lot. But eventually, I made my decision. After a huge
>amount of thought that some day I might be inclined to relate. However, if
>I'd REALLY wanted to PREVENT this, I would have alerted the government
>secretly, so that they could manipulate things behind the scenes, secretly,
>to prevent this "crypto/digicash/internet anarchy." _That_ I did not do.
>I publicized it, allowed it to be criticized and therefore "perfected" (not
>that it's "perfect," by any means!) it, and I'm now promoting it the best way
>I know how. And with all due modesty, it's getting a pretty good reception,
>considering how extreme and drastic it initially might appear.
>
>Part of my reasoning was that unless I engaged in the absurd conceit of
>believing that I was, cumulatively, smarter than everyone currently in the
>government, I had no choice but to conclude that the government was already
>aware of the potential problem. And if that were the case, they were, at
>that very moment, working desperately to PREVENT what I wanted, desperately,
>to ACHIEVE.
>
>At that point, I made the choice of forcing the government's hand.

The above speaks for itself.
(I could say that this is one of the looniest things I have read in a while, but I do take the Psychoceramics list... It is pretty high up there.) It is definitely hard core crankdom of the purest form. If you were a threat to the Government, even a small one, you would have been picked up and put away. You seem to forget that this is an open mailing list. Many of the people who read this list are Government employees. (I am willing to bet that a sizable percentage work in some variety of law enforcement.) They know what you believe and what you are agitating for. But you are not a threat because you are not credible. No one is going to adopt your ideas because every time you open your mouth, you make yourself look like a loon. Not only do you make yourself look like a loon, but every organization and group you associate with looks bad. If you really desire to make your views accepted, you need to look at how you present yourself to others. Willingness to analyze your own belief structures and refine them is a first step. Ability to take criticism is a second step. Without that, your ideas will be taken as the views of an unwavering fanatic. You will not sway many people with fanaticism.

>>At this point I recommend to you the 12-step program I explained to Vladimir.
>>
>>Signed,
>>A Friend
>
>Recommendation: If you really want to be taken seriously, use your real
>name or at the very least generate a stable nym. Preferably, with messages
>signed by the nym's public key. Without it, you are a silly, unbelievable
>ass. Even with it, you may STILL be a silly, unbelievable ass, but at
>least people would pay more attention to you.

I think that you have little to nothing to say about being taken seriously. If you continue to go off on pseudo-science rants at meetings at the drop of a hat, no one will take you seriously there as well...
Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key
http://www.teleport.com/~alano/
Is the operating system half NT or half full?

From alanh at infi.net Mon Jan 29 13:35:33 1996
From: alanh at infi.net (Alan Horowitz)
Date: Tue, 30 Jan 1996 05:35:33 +0800
Subject: Downsizing the NSA
In-Reply-To: <199601290722.CAA21466@opine.cs.umass.edu>
Message-ID:

> > congratulate the victors, and downsize by 20,000 employees?
>
> Alan Horowitz writes:
> # You didn't read about it in the _Baltimore Sun_, so obviously it must not
> # have happened?
>
> Where do you propose that these 20,000 mathematicians went? Did they take

There are lots of non-mathematicians working at NSA. I didn't say that NSA down-sized by 20,000. I'm saying that not everything that NSA does becomes common knowledge in a few weeks.

From alanh at infi.net Mon Jan 29 13:47:01 1996
From: alanh at infi.net (Alan Horowitz)
Date: Tue, 30 Jan 1996 05:47:01 +0800
Subject: Escrowing Viewing and Reading Habits with the Governmen
In-Reply-To: <199601291907.OAA06949@moe.infi.net>
Message-ID:

> > Do you really think that the FBI foreign counter-intelligence squad has
> > nothing better to do than keep a database of who is reading Che Guevara
> > memoirs?
>
> Yes.
>
> Heck, I remember this was a big issue about 15 years ago. Try asking
> someone who was active in library science in the late 70's, early 80's.

I did. They said you're wrong. Shall we start a CP flame-war of unattributed allegations from librarians who will recall what *they thought* the FBI is interested in?

From Thomas.Roessler at sobolev.rhein.de Mon Jan 29 13:50:15 1996
From: Thomas.Roessler at sobolev.rhein.de (Thomas Roessler)
Date: Tue, 30 Jan 1996 05:50:15 +0800
Subject: [FACTS] Germany, or "Oh no not again"
Message-ID: <199601291710.SAA13359@sobolev.rhein.de>

I had the prosecutor's spokesman on phone today.
The result is that someone gave a hint to the prosecutors which explicitly mentioned Zundel, T-Online and Compuserve. Consequently, the prosecutors *had* to start investigations against Zundel, T-Online and Compuserve. In particular, they are right now *checking* whether providing internet access is a criminal offence due to the possibility to gain access to `inciting material' (the German word is `Volksverhetzung') via the Net. This means that it is not even clear whether the investigations against internet providers will be dropped or not; in fact many people believe that these investigations *will* be dropped. My personal guess about all this is that some net.citizens are trying to have the prosecutors engaged in absolutely absurd investigations (or, even better, achieve a court room clash on this subject) to get some clarification of the legal situation of the Net in Germany. Quite similar to the RSA T-Shirt story in the States. ,-)

tlr

From tcmay at got.net Mon Jan 29 13:50:47 1996
From: tcmay at got.net (Timothy C. May)
Date: Tue, 30 Jan 1996 05:50:47 +0800
Subject: Escrowing Viewing and Reading Habits with the Governmen
Message-ID:

At 8:12 PM 1/29/96, Alan Horowitz wrote:
>> > Do you really think that the FBI foreign counter-intelligence squad has
>> > nothing better to do than keep a database of who is reading Che Guevara
>> > memoirs?
>>
>> Yes.
>>
>> Heck, I remember this was a big issue about 15 years ago. Try asking
>> someone who was active in library science in the late 70's, early 80's.
>
>
> I did. They said you're wrong. Shall we start a CP flame-war of
>unattributed allegations from librarians who will recall what *they
>thought* the FBI is interested in?

I'm not interested in a flame war about librarians and the FBI, but will tell you what I know: the "Library Awareness Program" was very real. It reached public awareness in the mid- to late-80s, and was the subject of numerous news reports. The various librarian unions blew the whistle on this.
As I recall, new standards about access to materials by patrons, and privacy expectations, were issued.

Ah! Once again I thank Alta Vista. A simple search on "Library Awareness Program" revealed 20 hits on the Web. Here is an excerpt from one of the hits:

------
WHAT'S NEW, Friday, 3 June 1988 Washington, DC

1. THE NATIONAL SECURITY ARCHIVE FILED SUIT AGAINST THE FBI yesterday to force the release of documents relevant to the FBI's "Library Awareness Program" (WN 9 Oct 87). The documents were requested under the Freedom of Information Act eleven months ago. The FBI at first denied the existence of the program, and now contends it is confined to the New York area, but librarians from all over the country report FBI visits. Meanwhile, the FBI has not provided a single document either to the National Security Archive, or to the American Library Association, which filed a similar FOIA request. People for the American Way is assisting the National Security Archive in its lawsuit.

2. THE FBI'S "LIBRARY AWARENESS PROGRAM" is not an effort to raise the literacy of its agents. Even as President Reagan was lecturing to students at the University of Moscow on the virtues of a free society, his new FBI chief, William Sessions, before a Senate Committee, was defending the FBI's attempts to recruit library employees as snitches. Sessions released an unclassified version of a top-secret FBI report that must have been ghost written by Art Buchwald. Entitled "The KGB and the Library Target: 1962 - Present," it includes examples of suspicious behavior, such as an individual who "is observed departing the library after having placed microfiche or various documents in a briefcase without properly checking them out of the library."

....
---

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From dmacfarlane at zip.sbi.com Mon Jan 29 14:16:57 1996
From: dmacfarlane at zip.sbi.com (David Macfarlane)
Date: Tue, 30 Jan 1996 06:16:57 +0800
Subject: FV's Borenstein discovers keystroke capture programs! (pictures at 11!)
Message-ID: <9601292041.AA14422@zip_master2.sbi.com>

Is this the most transparent media attention grab or what? FV's "Chief Scientist" writes a killer application to destroy Internet commerce and it is really only a keystroke capture program with a bit of credit card number recognition code tacked on. I don't think this has any "implications for Internet commerce". If you run any number of virus protection programs on your computer, and you get your software from reliable sources, you never need worry about clandestine number snarfing. I readily admit that there is a larger issue about viruses and being able to trust your software, but the presentation from FV of this announcement as a "fatal flaw" in internet commerce is remarkably disingenuous. They are really saying, "We have the only safe approach" quietly between the lines. And before pm. says it, this has very little to do with cryptography.

Skeptically yours,
David Macfarlane.

From vznuri at netcom.com Mon Jan 29 14:19:07 1996
From: vznuri at netcom.com (Vladimir Z. Nuri)
Date: Tue, 30 Jan 1996 06:19:07 +0800
Subject: more RANTING about NSA-friendly cpunks
In-Reply-To:
Message-ID: <199601292041.MAA02734@netcom18.netcom.com>

Jim Bell:
>Packrat, I agree with the (likely) implications of your (tongue-in-cheek?)
>commentary. The fact that "nothing happened to Zimmermann" is scant hope to
>us. If ITAR is causing cryptosystems to not be built, merely due to FUD
>(fear, uncertainty, and doubt) then it is actively harming us.

no, your own fear is harming you. no law requires that you be in fear of it (some may try, but that is not a law that can be written). that is the point of the law, that is the intent of it. when you choose to be in fear of it, the bureaucrats win. no one is forcing you to be in fear of it. that is YOUR CHOICE. even if you are thrown in prison for it, or put in front of a firing squad for it, you are still not required to fear the law. the antidote to fear of a law is not necessarily to get rid of the law. it is to STOP FEARING THE LAW. the avoidance of fear of the law will lead to the ridding of it. don't you see that it is your FEAR OF THE LAW, not necessarily the LAW ITSELF, that is the problem? the entire ITAR could be revoked, but fraidy-cat cpunks could still have endless theories about what the NSA Bogeyman would do to you if you actually tried to write some crypto and export it.

===

I had a feeling someone would pretty soon say, "well, why don't YOU violate the ITAR and we'll see what happens". this is the eternal cry and whine of the sheep. "if I shouldn't fear something, why don't you do it first, and then I'll see what happens to you. if something happens to you, then I am justified in my fear". a lie-- it's just more sheep-fear. the sheep may continue to fear the law even if so-and-so tries such-and-such and nothing happens. THAT IS IN FACT WHAT HAPPENED WITH ZIMMERMANN. hence my doing the same thing would be POINTLESS. the sheep will endlessly fear, no number of counterexamples will persuade them not to fear, because the fear is not based on *reality*, but on *hypothetical* situations. even if nothing happens, as it did with Zimmermann, then the sheep will continue to fear because of their *imagination*. indeed, that is precisely what continues on this list.
cpunks are always whining about "sheeple" in this country who have no guts and hence no glory, but imho cpunks are the biggest batch of sheep on the planet, all the way up to the head sheep TCM, who writes long explanations of why the police state is inevitable and nothing we can do will stop it, and EH, who hides/shouts behind pseudonym(s) on the list as an excuse for moderation & leadership.

From zinc at zifi.genetics.utah.edu Mon Jan 29 14:46:24 1996
From: zinc at zifi.genetics.utah.edu (zinc)
Date: Tue, 30 Jan 1996 06:46:24 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

howdy folks,

so what? fv has a keyboard sniffer... if you're going to d/l programs from the net and not pay attention to what's going on you'll always be at risk and a fool as well. for what it's worth, this sort of program could easily be used to get info more important than credit card numbers. passphrases and passwords of all kinds could be obtained leading to broken accts or worthless cryptography. additionally, this hardly has anything to do with netscape. this is not a 'bug' in netscape. it's a malicious program. the only way to prevent malicious programs from causing you problems is to know what your computer is doing; what it's loading when you boot and what data it sends through your phone lines when you're online.

my $0.02...

- -pjf

"Those that give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin (1773)
zifi runs LINUX 1.3.59 -=-=-=WEB=-=-=-> http://zifi.genetics.utah.edu

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by mkpgp1.6, a Pine/PGP interface.
iQCVAwUBMQ0zik3Qo/lG0AH5AQFGsAQAn7WVyjDVXDSOCZCRa1Df/AlCdyCPrCZu
gpPhJqr1hFvHb83Cv/jSUrHIhCts6+RAl0vccfdHiwLJpkyqu2lLrfS1xNv3w7fU
RWVsEJn8ePC8hRYrk92gYbdWLffZ3g493RSU9h0Suiuzee7neNdrB7bXQwcM9oT4
00GOJC+Wezk=
=D7fF
-----END PGP SIGNATURE-----

From dlv at bwalk.dm.com Mon Jan 29 15:24:47 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Tue, 30 Jan 1996 07:24:47 +0800
Subject: "German service cuts Net access" (to Santa Cruz)
In-Reply-To: <199601290738.XAA25006@netcom13.netcom.com>
Message-ID: <39TgiD95w165w@bwalk.dm.com>

mpd at netcom.com (Mike Duvos) writes:
> olmur at dwarf.bb.bawue.de (Olmur) writes:
>
> > Free speech ends where other people can reasonably claim
> > that their feelings are badly hurt.
>
> Excuse me? That line is definitely .sig file fodder.

Olmur, you've hurt my feelings. Go away. :-)

> > Is it constitutionally protected in US to knowingly hurt
> > other people's feelings and to trample on graves?????
>
> Of course it is. What a silly question. My feelings get hurt on
> Usenet almost every day and you don't see me whining about it.

Physically trampling on graves may be against some sort of laws. Inciting others to trample on graves is speech.

> > Due to our history publishing NAZI-propaganda is forbidden
> > in Germany. The big majority in Germany agrees with this
> > view, that NAZI-propaganda doesn't fall under 'free speech'.
>
> Much as the Third Reich took the view that anti-Nazi speech
> wasn't protected. Your country hasn't changed its authoritarian
> perspective on freedom of personal expression. All it has done
> is put a different set of publicly supported items on the
> official censorship list.
>
> Didn't the Germans learn anything from World War II?

Evidently not. It would be an honorable thing to help Germans (who may well be a minority) break the laws that we consider to be unjust.

---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

From dlv at bwalk.dm.com Mon Jan 29 15:41:15 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Tue, 30 Jan 1996 07:41:15 +0800
Subject: "German service cuts Net access" (to Santa Cruz)
In-Reply-To: <310c59a4.2517065@smtp.ix.netcom.com>
Message-ID:

lull at acm.org (John Lull) writes:
> On Sun, 28 Jan 1996 22:18:28 -0500 (EST), Dr. Vulis wrote:
>
> > Very little crypto relevance in the following...
>
> Agreed. I'll not be posting further on this topic here. If you'd
> care to pursue this E-mail, I have no objection.

This should be my last comment to the list in this thread...

> > lull at acm.org (John Lull) writes:
> >
> > > If this is really what Germany wants, then it sounds like time to
> > > totally cut Germany off from the internet, simply in self
> > > preservation.
>
> > I'm sure this is what the German government and many German people really w
>
> If so, then they have the power to make that decision, and to
> (largely) enforce it. By doing so, however, they would (and should)
> lose all the benefits of the internet as well.

Even if 99% of Germans don't wish to be on the net, and 1% do, it would be an honorable thing to help that 1%; e.g. by providing the tools to circumvent their laws that we consider to be unjust. IMO, it's not fair to blame each and every inhabitant of a country for the actions of their government, even if it's democratically elected.

> Developing tools to access information is worthwhile. But successful
> attacks on those providing information makes access tools worthless.
> If the information simply isn't there, all the nice access tools in
> the world can't create it.

So, develop the tools to make the (illegal) flow of information easier and the prosecution more difficult.
E.g., the former Soviet Union couldn't stop its people from listening to Western propaganda on short-wave radio, although it was illegal, and more repressive governments did confiscate all short-wave radios in the past.

---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

From m5 at dev.tivoli.com Mon Jan 29 15:58:42 1996
From: m5 at dev.tivoli.com (Mike McNally)
Date: Tue, 30 Jan 1996 07:58:42 +0800
Subject: [FACTS] Germany, or "Oh no not again"
In-Reply-To: <199601291710.SAA13359@sobolev.rhein.de>
Message-ID: <9601292106.AA15042@alpha>

Thomas Roessler writes:
> ... In particular, they are right now
> *checking* whether providing internet access is a criminal
> offence due to the possibility to gain access to `inciting
> material' (the German word is `Volksverhetzung') via the Net.

If so, then this humble non-lawyer would suggest to the prosecutors that they go after travel agencies next, because they sell airline tickets that could be used to travel to countries where offensive material is available.

______c_____________________________________________________________________
Mike M Nally * Tivoli Systems * Austin TX * I want more, I want more,
m5 at tivoli.com * m101 at io.com * I want more, I want more ...
*_______________________________

From drose at AZStarNet.com Mon Jan 29 16:02:47 1996
From: drose at AZStarNet.com (drose at AZStarNet.com)
Date: Tue, 30 Jan 1996 08:02:47 +0800
Subject: The Big Lie
Message-ID: <199601290354.UAA15417@web.azstarnet.com>

Timothy C. May wrote (with some judicious editing):

, I took it as a fact that the
>so-called Holocaust actually happened. I saw pictures of death camps,
>interviews with survivors, etc.
>
> It seems more likely that
>the pictures were faked,
>
>, I suspect the
>stories are true that the Holocaust was part of Truman's "Big Lie."
>

Good Lord! We've all enjoyed Tim's rants, but this takes the biscuit. What's next? A denial of the athletic abilities of Negroes?
--Dave Rose

From teddygee at visi.net Mon Jan 29 16:08:40 1996
From: teddygee at visi.net (Ted Garrett)
Date: Tue, 30 Jan 1996 08:08:40 +0800
Subject: Escrowing Viewing and Reading Habits with the Government
Message-ID: <2.2.32.19960129025010.006a6adc@mail.visi.net>

At 08:54 PM 1/27/96 -0800, you wrote:
>According to
>Director Freeh, "If we had had this program in place when Timothy McVeigh
>was a child, we could have detected his interest in ANFO and picked him up
>for reeducation, or at least recruited him for the CIA's Lockerbie team."
 ^^^^^^^^^^^

Please tell me this was not an actual quote. The term re-education scares me more than anything, as it's the term typically used by authoritarian dictatorships for their tortures and murders.

From WlkngOwl at UNiX.asb.com Mon Jan 29 16:11:25 1996
From: WlkngOwl at UNiX.asb.com (Deranged Mutant)
Date: Tue, 30 Jan 1996 08:11:25 +0800
Subject: Germany, or "Oh no not again"
Message-ID: <199601290341.WAA16406@UNiX.asb.com>

------- Forwarded Message Follows -------
Date: Sun, 28 Jan 1996 19:30:21 -0500 (EST)
Reply-to: educom at elanor.oit.unc.edu
From: Educom
To: "EDUCOM Edupage Mailing List"
Subject: Edupage, 28 January 1996

[..]

GERMAN PROSECUTORS TARGET INTERNET RACIAL HATRED
The Mannheim, Germany, prosecutor's office has launched an investigation of CompuServe and Deutsche Telekom's T-Online service for inciting racial hatred, a crime in Germany. At issue is online access to a Web site run by a neo-Nazi extremist in Canada who uses the Internet to distribute anti-Semitic propaganda. The legal reasoning, according to a prosecutor's office spokesman, is that "because it's available over the Internet, it also can be called up in Germany. Then the scene of the crime is all Germany." Although the investigation is now limited to CompuServe and T-Online, there are also several hundred small companies that provide Internet access in Germany. (Wall Street Journal 26 Jan 96 B2)

[..]
Edupage is written by John Gehl (gehl at educom.edu) & Suzanne Douglas (douglas at educom.edu). Voice: 404-371-1853, Fax: 404-371-8057. Technical support is provided by the Office of Information Technology, University of North Carolina at Chapel Hill.

***************************************************************
EDUPAGE is what you've just finished reading. (Please note that it's "Edupage" and not "EduPage.") To subscribe to Edupage: send a message to: listproc at educom.unc.edu and in the body of the message type: subscribe edupage Emmitt Smith (assuming that your name is Emmitt Smith; if it's not, substitute your own name). ... To cancel, send a message to: listproc at educom.unc.edu and in the body of the message type: unsubscribe edupage. (Subscription problems? Send mail to educom at educom.unc.edu.)

---
"Mutant" Rob
Send a blank message with the subject "send pgp-key" (not in quotes) for a copy of my PGP key.

From eagle at armory.com Mon Jan 29 16:12:21 1996
From: eagle at armory.com (Jeff Davis)
Date: Tue, 30 Jan 1996 08:12:21 +0800
Subject: Denning's misleading statements
In-Reply-To:
Message-ID: <9601281916.aa01048@deepthought.armory.com>

> Tim May wrote:
>
> I've never met Dorothy Denning, so I hesitate to characterize her as a
> villainess. But certainly she's the only noted cryptographer I know of
> who's gone so far out on a limb to defend a position the vast majority of
> computer scientists, civil libertarians, and cryptographers scoff at. (And
> I don't just mean it is we libertarians and civil libertarians who are
> scoffing, I mean that nearly every noted expert who has carefully reviewed
> the various schemes to control crypto and to provide GAK has found them to
> be essentially unenforceable except via draconian police state methods, and
> maybe not even then.)
>
> I personally believe her estrangement from the mainstream position these
> last several years and her apparent close association with the
> inside-the-Beltway crowd has actually skewed her judgment, that she is no
> longer evaluating policies and capabilities based on reasonable objective,
> academic analysis.

Having met Dr. Denning, and watched her presentation of the Escrowed Encryption Standard, (for the novice), I can concur with your analysis. She presented a very limited, safe, simple clipper chip, which would do nothing more than give the FBI an analogous wire tap to gather information on terrorists, pedophiles, and organized criminals such as drug dealers. The limitations of her argument were quickly ripped to shreds by Phil Zimmermann, who painted a much more expansive world view canvas for the audience. Denning was visibly shaking as we talked after the session. The NSA group think she was armed with didn't provide her the tools to deal with the reality she found herself in.

> Her views, and even many of her examples, are very close to the views and
> examples used by FBI Director Louis Freeh in his testimony to Congress a
> few years ago. (I scanned and OCRed this testimony as a favor to Whit
> Diffie, so in reviewing the text for OCR corrections, I became very
> familiar with Freeh's fear-inducing testimony.)

Your participation in the A&E Voyager segment presented much food for thought. We are becoming the "Bad Guys" in a well orchestrated Psy Ops campaign propagated naively by the 4th Estate. Robust cryptography and online anonymity are portrayed as the tools of various "Boogie Men" the US Gov't is obliged to protect its unsuspecting civilians from. It's up to us to find them specifically lying and cheating, and expose that information to public scrutiny. 30 years ago the 4th Estate had a field day hyping the LSD Chromosome Break *Hoax*.
Van Sim, of the Edgewood Arsenal was unable to replicate the research, but his findings were suppressed by the US Army by virtue of a long standing liaison between the CIA and the research and development staff at Edgewood. Denning announced the Clipper scheme secure, and Blaze hacked it shortly thereafter. She parrots the NSA party line, and there is a well established link of conflict of interest negating any academic objectivity she might profess. Those of you who've come in personal contact with NSA cryptographers can attest to their collective arrogance. They consider themselves an exclusive elite, above trivial civil liberties issues.

--
According to John Perry Barlow: *What is EFF?*
"Jeff Davis is a truly gifted trouble-maker." *email *
*** O U T L A W S On The E L E C T R O N I C F R O N T I E R ****
US Out Of Cyberspace!!! Join EFF Today! *email *

From ericm at lne.com Mon Jan 29 16:12:29 1996
From: ericm at lne.com (Eric Murray)
Date: Tue, 30 Jan 1996 08:12:29 +0800
Subject: The Big Lie
In-Reply-To: <199601290354.UAA15417@web.azstarnet.com>
Message-ID: <199601290407.UAA24691@slack.lne.com>

drose at AZStarNet.com writes:
>
> Timothy C. May wrote (with some judicious editing):
>
> , I took it as a fact that the
> >so-called Holocaust actually happened. I saw pictures of death camps,
> >interviews with survivors, etc.
> >
> > It seems more likely that
> >the pictures were faked,
> >
> >, I suspect the
> >stories are true that the Holocaust was part of Truman's "Big Lie."
> >
>
> Good Lord! We've all enjoyed Tim's rants, but this takes the biscuit.
> What's next?
> A denial of the athletic abilities of Negroes?

What's next is an expose on the conspiracy between the NSA, Hillary Clinton and the Hamburgurler(R) to destroy the ability of otherwise intelligent Americans to recognize sarcasm.
--
Eric Murray ericm at lne.com ericm at motorcycle.com http://www.lne.com/ericm
PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF

From ptrei at acm.org Mon Jan 29 16:13:11 1996
From: ptrei at acm.org (Peter Trei)
Date: Tue, 30 Jan 1996 08:13:11 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit
Message-ID: <9601292111.AA23738@toad.com>

Someone claiming to be "Nathaniel Borenstein" writes:

> As you may already have heard via the popular press, First Virtual
> Holdings has developed and demonstrated a program which completely
> undermines the security of every known credit-card encryption mechanism
> for Internet commerce.
[...]

I started reading this thinking it was actually something important. All it describes is a keyboard monitor, which greps for CC#s, and which could be spread by an (unspecified) virus, and sends the output to a crook over the net by some (unspecified) mechanism. So, what else is new?

[...]
> Nathaniel Borenstein
>Chief Scientist, First Virtual Holdings
>FAQ & PGP key: nsb+faq at nsb.fv.com

It's sort of interesting that "Nathaniel Borenstein" has a PGP key, but failed to clearsign this message, which loudly trumpets its great import. Considering the lack of actual content, I feel compelled to warn readers that this may be a forgery, designed to make him look like he's scaremongering.

strictly speaking for myself
Peter Trei
ptrei at acm.org

Peter Trei
Senior Software Engineer
Purveyor Development Team
Process Software Corporation
http://www.process.com
trei at process.com

From hal9001 at panix.com Mon Jan 29 16:18:10 1996
From: hal9001 at panix.com (Robert A. Rosenberg)
Date: Tue, 30 Jan 1996 08:18:10 +0800
Subject: [NOISE] Re: The Big Lie
Message-ID:

At 15:54 1/28/96, John F. Fricker wrote:
>Besides in this day and age where Israel is a nuclear arsenal run by nutty
>rightwing warlords who in their right mind would dare belittle their
>tragedies.
When the world community has a double standard when it comes to treating Israel's actions differently from any other country, those "warlords" might be justified in their actions. Can you name any other country that was a non-participant in a war, was attacked by one side, and was told by the other side that they could neither join that side nor retaliate for the attacks (I'm talking about Operation Desert Storm and the Scuds aimed at Israel). Any other country would have been allowed to participate or allowed to declare war on the attacker (and send a few missiles over as an incentive to stop attacking a neutral party to the war). The US (and the other Participants) were scared shitless of allowing Israel into the fight since, if let in, the war would have been over real fast and Saddam H. would have been pushing up daisies (The Israelis have a habit of being able to take care of themselves with minimal "collateral damage" when their hands are not tied by the actions of other Governments telling them that they are not allowed to do what any other Government is allowed to do as a matter of normal policy when faced with aggression).

From llurch at networking.stanford.edu Mon Jan 29 16:19:16 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Tue, 30 Jan 1996 08:19:16 +0800
Subject: [NOISE] Re: "German service cuts Net access" (to Santa Cruz)
In-Reply-To: <9601291935.AA19744@cti02.citenet.net>
Message-ID:

On Mon, 29 Jan 1996, Jean-Francois Avon wrote:

> olmur at dwarf.bb.bawue.de writes:
> > Free speech ends where other people can reasonably claim that their
> > feelings are badly hurt.
>
> Ask yourself what standard is implied in this sentence...
>
> Is it
> "Man as a life-loving rational animal"
> or
> "Man as an ever sobbing, unable to cope, emotionally controlled animal"

There was a lively debate in feminist/legal circles a while back about introducing "the reasonable woman standard," "the reasonable gay man standard," etc. into the legal currency.
The movement intended to make "date rape" and sexual harassment easier to prosecute. I didn't keep up with it, but I'm sure the relevant papers are still being cited. I doubt and hope that no court ever took the argument seriously.

My personal rules are:

1. I have the right to get offended however often I want. It's a lot healthier than desensitization.
2. I have the right to respond however I want, as long as it's legal and ethical.
3. I do not have the right to tell someone else not to be offended.
4. I do not have the right to control another's actions, much less words or thoughts, merely because I find them offensive.

-rich

From arromdee at jyusenkyou.cs.jhu.edu Mon Jan 29 16:22:11 1996
From: arromdee at jyusenkyou.cs.jhu.edu (Ken Arromdee)
Date: Tue, 30 Jan 1996 08:22:11 +0800
Subject: "German service cuts Net access" (to Santa Cruz)
In-Reply-To:
Message-ID: <4ejdoq$ppt@jyusenkyou.cs.jhu.edu>

>Is it constitutionally protected in US to knowingly hurt other
>people's feelings and to trample on graves?????

Yes. Free speech for the nonoffensive is not free speech at all.

BTW, I am Jewish.
--
Ken Arromdee (arromdee at jyusenkyou.cs.jhu.edu, karromde at nyx.cs.du.edu; http://www.cs.jhu.edu/~arromdee)
"Snow?" "It's sort of like white, lumpy, rain." --Gilligan's Island

From dlv at bwalk.dm.com Mon Jan 29 16:24:30 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Tue, 30 Jan 1996 08:24:30 +0800
Subject: The Big Lie
In-Reply-To: <199601291158.TAA00437@ratbox.rattus.uwa.edu.au>
Message-ID:

Bruce Murphy writes:
>
> I was under the impression that you couldn't libel/slander a dead
> person. Mainly because libel/slander is an offence against reputation
> which dead people don't care much for, but also because once you go
> against this principle where in hell (no pun intended) do you draw the
> line.

Where it's convenient to the state. Reportedly in Germany you can easily slander dead people, their estates, their descendants, and other members of their ethnic group.
---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

From cjs at netcom.com Mon Jan 29 16:30:35 1996
From: cjs at netcom.com (cjs)
Date: Tue, 30 Jan 1996 08:30:35 +0800
Subject: CONTEST: Name That Program! (no-brainer)
In-Reply-To:
Message-ID: <199601292129.NAA07315@netcom20.netcom.com>

> As you may have read in my previous message, First Virtual has developed
> and demonstrated a program that completely undermines all known schemes
> for using software-encrypted credit cards on the Internet. More details
> are available at http://www.fv.com/ccdanger.
>
> That was the easy part.

***ROFL***

This "pre-encryption" program is not a virus. It attaches to the keyboard driver and captures keystrokes from the keyboard as they are typed -- BEFORE they can be encrypted by the application encryption software. First Virtual scientists note that credit a check-digit. A greater danger is that passwords are also as easily captured.

***ROFL***

This has got to be the no-brainer of the century. Read the rest of their press release at: http://www.fv.com:80/ccdanger/announce.html

You'd think they had discovered the cure for AIDS or something. =)

Christopher

From JR at ns.cnb.uam.es Mon Jan 29 16:36:10 1996
From: JR at ns.cnb.uam.es (JR at ns.cnb.uam.es)
Date: Tue, 30 Jan 1996 08:36:10 +0800
Subject: Time codes for PCs (fromn German Banking)
Message-ID: <960129234228.20402217@ROCK.CNB.UAM.ES>

From: SMTP%"jimbell at pacifier.com" 27-JAN-1996 03:43:05.83

>A peripheral I've long wanted to see, commonly available: ACCURATE time,
>broadcast to the millisecond/microsecond/nanosecond, available from sources
>as varied as TV VIR's, FM subcarriers, and other sources, available as an
>easy input (via a peripheral card) to a computer.
>

Yup! Do you think it is really possible? If I remember well speed of light is 300.000 Km/s. That means that light takes around 1 ms. to cover 300 Km.
If you use a satellite, antenna, whatever to broadcast a timing signal, the accuracy will depend on when you receive it, and that in turn on your distance from the source. By the time the signal reaches you it may be several milliseconds old (and thousands of microseconds and millions of nanoseconds).

We are so used to thinking of TV, whatever as an instantaneous broadcast medium that we forget that there are speed limits in the Universe. And you can't exceed them by just paying a ticket.

Note that this was a best case scenario: using the speed of light to transfer the information and using the shortest path. In reality most waves won't travel as fast in the air, and will depend on atmospheric circumstances.

>I have a 12-year-old Heathkit "Most Accurate Clock" that I assembled myself,
>and had the foresight to install it with its computer interface option.
>(receives 5, 10, or 15 MHz signals broadcast from Boulder, Colorado,
>containing "exact" time.)
>

Just remember that the best you can get would be microseconds if you're in a 300 meter radius, or milliseconds on a 300 Km. And possibly nanoseconds at 0.3 m. Even then you need to know exactly (i.e. with an accuracy of between centimeters to a few Km depending on the timing you want) your position. And depending on the media you use, possibly the atmospheric conditions in between the emitter and your receiver.

Then remains the cypherpunk part on all this: how can you trust the *signal* your receiver receives? How do you know no one is interfering with it or sending an inaccurate or false one?

So you need a GPS... And a timing source that can be trusted. You'd want the signal not to be tamperable or at least to be able to detect when it has been tampered with. And that on a broadcast system. A system owned by someone who you may not trust (say a private TV channel, radio or satellite). So you may want to have several sources, and to be able to verify that the signals you receive all come from their respective sources.

Yum!
a nice problem to think about. One factor is that you wouldn't expect changes in public sources used by sensible systems since those could not pass unnoticed and might raise big protests. But you still have the MITM attack to consider...

Oh well, it's too late now. See ya...

jr

From mka at pobox.com Mon Jan 29 16:38:13 1996
From: mka at pobox.com (Matts Kallioniemi)
Date: Tue, 30 Jan 1996 08:38:13 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
Message-ID: <9601292131.AA24346@toad.com>

At 15.07 1996-01-29 -0500, Nathaniel Borenstein wrote:
>NEVER TYPE YOUR CREDIT CARD NUMBER INTO A COMPUTER.

This problem is greatly exaggerated. The software simply won't be running in the average user's machine. If the program propagates like a virus, it will soon be caught and killed by the anti-virus utilities that any responsible user is already running on a regular basis. If you have to start the program for it to do its magic, then just don't start it. Today's computer users should know that running software you don't trust is generally a bad idea. That's how you get a virus in the machine in the first place...

Come on Nathaniel, admit it, it's a scam to sell FV's expensive services!

matts

From llurch at networking.stanford.edu Mon Jan 29 16:41:51 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Tue, 30 Jan 1996 08:41:51 +0800
Subject: Escrowing Viewing and Reading Habits with the Governmen
In-Reply-To:
Message-ID:

On Mon, 29 Jan 1996, Alan Horowitz wrote:

> > > Do you really think that the FBI foreign counter-intelligence squad has
> > > nothing better to do than keep a database of who is reading Che Guevara
> > > memoirs?
> >
> > Yes.
> >
> > Heck, I remember this was a big issue about 15 years ago. Try asking
> > someone who was active in library science in the late 70's, early 80's.
>
> I did. They said you're wrong.
> Shall we start a CP flame-war of
> unattributed allegations from librarians who will recall what *they
> thought* the FBI is interested in?

I think it was mid-late 80's, actually. I remember reading about it in the LA Times and Newsweek. I'm sure I could dig up a dozen references in Nexis if you want.

The proposal was not to monitor all or political literature, which was more obviously protected by the First Amendment, but rather technical literature on certain subjects, such as supercomputers, nuclear physics, toxicology, and of course (relevance) cryptography. The FBI specifically wanted to know who was reading Applied Cryptography.

-rich

From zinc at zifi.genetics.utah.edu Mon Jan 29 17:04:48 1996
From: zinc at zifi.genetics.utah.edu (zinc)
Date: Tue, 30 Jan 1996 09:04:48 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Mon, 29 Jan 1996, Nathaniel Borenstein wrote:

> Date: Mon, 29 Jan 1996 16:14:14 -0500 (EST)
> From: Nathaniel Borenstein
> To: zinc
> Cc: cypherpunks at toad.com
> Subject: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
>
> Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F..
> zinc at zifi.genetics.utah. (1368*)
>
> > so what? fv has a keyboard sniffer...
>
> It's considerably more than that. Please read on.
>
> > for what it's worth, this sort of program could easily be used to get
> > info more important than credit card numbers. passphrases and
> > passwords of all kinds could be obtained leading to broken accts or
> > worthless cryptography.
>
> Yes, but I think you've missed the main point, probably because we
> haven't made it clear enough. What's unique about credit card numbers
> is that they're very small amounts of data, self-identifying, and of
> direct financial value as a one-way financial instrument (i.e. with no
> confirmation process).
>
> The attack we've outlined -- and partially demonstrated -- is based on
> the combination of several known flaws:
>
> -- It's easy to put malicious software on consumer machines
> -- It's easy to monitor keystrokes
> -- It's trivial to detect credit card numbers in larger data streams
> -- It's easy to disseminate small amounts of information tracelessly

this program is not specific to credit card numbers. it sounds like it could have just as easily been written to watch for a login: or password: prompt and then record everything entered after that.

the point is not that this can be done, the point is that users need tools that would check for programs like this running on their system. is fv making a 'fix' available? i would imagine a 'fix' would be a program that would look for tsr type programs (or inits on a mac) that do this sort of thing.

this is the sort of thing that crypto can help with. there should be a site that PGP signs the programs available from their site. these signed programs will have been tested on the appropriate system and verified to be free of small malicious programs such as the one you describe. alternatively, the author themselves could PGP sign the app (this is already done) and this would be what users should d/l.

it's disappointing to see the spin put on this by fv. instead of going with scare tactics, they could encourage PGP signatures and suggest solutions to this problem like the ones i mentioned above. in fact, fv could even volunteer to help set up a site where all software has been tested and signed by someone who has had their PGP key signed by fv, sort of an expansion of the web of trust.

more of my $0.02..

- -pjf

"Those that give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin (1773)
zifi runs LINUX 1.3.59 -=-=-=WEB=-=-=-> http://zifi.genetics.utah.edu

From jimbell at pacifier.com Mon Jan 29 17:12:43 1996
From: jimbell at pacifier.com (jim bell)
Date: Tue, 30 Jan 1996 09:12:43 +0800
Subject: Here's how you put your key on the keyservers...
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

At 07:39 AM 1/29/96 -0500, Ted Garrett wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>I got a message in response to a request I made to someone for their public
>key. I wanted to check the signatures that they included with their posts
>to cypherpunks, but their key was not on the keyservers. The key they
>included was completely unsigned, and when I use it to validate their
>previous posts as well as the message they sent which included the key, the
>signatures come back as bad, the contents of the file changed. Names are
>appropriately withheld (I hope).

At this point, I think it would be appropriate to declare that I am the person Ted was communicating with, and the one he is referring to and (correctly, as I recall my own posts) quoting. I am, yes, a real newbie, and I appreciate the indirect lesson in "netiquette" he is showing by not identifying my private email to him.

I'm identifying myself for a number of reasons:

1. I REALLY am a newbie (at least to most of Internet, and common usage of PGP, etc.), and haven't learned much of the ways of Internet. (with a strange, short, early exception, which I will relate in another message if anybody has any interest in Internet history.)

2. I want to solve the problems Ted presumably correctly identified in my signing. (I use freebie Eudora, and WPGP, etc.) I only started signing my posts when I got a copy of WPGP by Gostl, and it made things much easier.

3.
I did not want to make it difficult for him to fight off a potential MITM attack while, at the same time, complying with "netiquette", especially seeing as how my key is not (yet) in any keyserver, which is obviously MY fault, not his! I want him to be able to point (and, repost, with my full permission) any messages allegedly from me that he receives by private email, so that others might check the signature too with their own software. This permission to him applies to any prior messages I've sent him, too, ideally so that anyone else can check the signature status against my sig.

Ted may be right; there may be a MITM attack. More likely, it's a case of galloping NEWBIE-ITIS on my own part, sorry.

Earlier, when I just began using WPGP to sign Eudora stuff, I was told that my signature didn't match. On the other hand, I was told by others that this is a common flaw of signing messages, having to do with line lengths. When I first started sending messages, I didn't use the "Wrap" selection of Eudora (under the EDIT selection), meaning that my lines were as long as the paragraphs were typed. Most people didn't seem to notice, I guess, because it took somebody a few weeks to eventually complain. After that, I RTFM'd and adopted the practice of WRAPping my paragraphs to limit their length to "reasonable" values. (although I would appreciate somebody explaining to me why this DAMN EUDORA can't seem to correctly re-wrap a paragraph after modification. Hell, Wordstar Version 3.0 for CP/M (shows you how long _I've_ been into computers!) reformatted paragraphs just fine back in 1982 on a 12.5 MHz Z-80 (ask me how I did this and I'll tell you a LONG story!)

3. Ted began to suspect a "MITM attack." While I'm a newbie, I'm well aware this is "man in the middle" and am aware of the potential (dangerous!) implications. Needless to say, I can't even say for certain that such an attack isn't happening.
Yes, I am on no keyservers, yet, but I will try my best to follow his kind instructions and accomplish this feat. And yes, I am reminded that I need to sign my OWN public key, which (being a f______ newbie), I haven't even done yet! (This message will contain, however, BOTH my 1024-bit and 2047 bit public keys, unsigned, and I will sign the whole message with my 1024-bit key. I'd sign it with BOTH, but I don't know if WPGP will even do this. I'd sign a second copy with the 2047-bit key, except that would be wasting bandwidth.

> As I understand the bcc: definition, only
>I and the first smtp server this message hits should know who it's to. I
>don't know if anyone else reading this mailing list needs this info, but
>just in case... here's my reply to the message.
>
>At 10:03 PM 1/28/96 -0800, you wrote:
>>Sorry, I'm a newbie to Internet, and also the Internet usage of PGP. I just
>>participated in a local keysigning meeting, so maybe my key will find its
>>way to a server.

I wrote that.

>Don't worry about being a 'newbie'. Everyone starts somewhere. However,
>your key will usually not 'find its way' to a server without you
>specifically sending it.

Thanks; I sorta assumed that, but until recently my usage of PGP was between me and my friends who knew me by face and voice, and who have my keys from hand-carried floppy disks that I gave them myself.

> The keyserver I usually use is accessed by sending
>a mail message which fits the following format. As far as I know, all the
>keyservers use this format to add or update keys in their databases. You
>only have to send it to one keyserver, and it will propagate to all the
>others. I have indented the text so that no handlers decide to interpret it
>as a new message.

Okay, thanks for the details.

>
>- - To: pgp-public-keys at pgp.iastate.edu
>- - Subject: ADD
>- -
>- - -----BEGIN PGP PUBLIC KEY BLOCK-----
>- - Version: 2.6.2
>- -
>- - [key deleted to protect the innocent]
>- -
>- - -----END PGP PUBLIC KEY BLOCK-----
>
>>I'm sorry to have to admit that I don't even know how to do this! Newbie
>>alert!

Again, I wrote that.

>If you don't admit you don't know something, nobody will usually tell you
>how to do it. Also, you should sign your own key. That will make it harder
>to forge, I think.

Okay, up until now I've generally given out my key in messages, and signed the entire message with the key.

> The reasons were spelled out in a couple of the web
>pages I read, but I've forgotten them. It has something to do with either a
>denial of service attack or a man in the middle attack, or both. The
>command to do this is:

Someday I'm gonna understand this stuff!

>
>pgp -ks 0xHEXKEYID
>
>Honestly, I've only just begun to use pgp myself. Also, you should add your
>e-mail address to the user-id of your key. The command to do so is:
>
>pgp -ke 0xHEXKEYID
>

Again, much appreciated. I hate to RTFM. Lazy bum, I.

>You will be asked if you wish to add a user id to the key. Say yes, and
>give it your e-mail address. What this does is it allows people who are
>using pgp-enabled mailers to directly encrypt messages to you without
>choosing your key manually.
>
>The reason that I have not encrypted this message to you using the key you
>provided is that when I extracted the key and re-checked your message, the
>signature was no good. I've found that (using eudora) I must turn off the
>word wrap feature of my mailer to allow for good signed messages out. Of
>course, having said this, I'll probably not get a good signature on this
>message. Let me know if it signs ok.

I didn't check the signature of his message, admittedly. Guess I need to give him some feedback, huh?

>Now, I have a question.
Which attack(s) is/are a person vulnerable to when
>distributing an unsigned public key in the open? Could this actually be a
>complex man-in-the-middle attack? Am I paranoid?

Unfortunately, the more I learn about encryption, the more "paranoid" I get! Of course, I have a few more reasons than most, but...

[I deleted Ted Garrett's signature. My own will follow my own two public keys.]

My 1024-bit key.

My 2047-bit key.

James Dalton Bell.
Klaatu Burada Nikto
Something is going to happen.... Something... Wonderful!

From ses at tipper.oit.unc.edu Mon Jan 29 17:13:14 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Tue, 30 Jan 1996 09:13:14 +0800
Subject: CONTEST: Name That Program!
In-Reply-To:
Message-ID:

OBKI - Overhyped Boring Keystroke Interceptor?
PROGRAM - Public Relations Optimised Grabber of Really Accessible Material?
MINTATE - Mail Is Not The Answer To Everything?
:-)

From mab at research.att.com Mon Jan 29 17:50:38 1996
From: mab at research.att.com (Matt Blaze)
Date: Tue, 30 Jan 1996 09:50:38 +0800
Subject: Page one, NY Times, 29 January 1996
Message-ID: <199601292207.RAA25259@nsa.tempo.att.com>

One of those microscopic bottom-of-page-one ads from John Young: "BOYCOTT ESPIONAGE-ENABLED SOFTWARE", with phone number and email address to contact for more information.

I'd be curious as to what the response has been like.

-matt

From mpd at netcom.com Mon Jan 29 18:06:49 1996
From: mpd at netcom.com (Mike Duvos)
Date: Tue, 30 Jan 1996 10:06:49 +0800
Subject: [NOISE] Re: The Big Lie
In-Reply-To:
Message-ID: <199601292138.NAA28478@netcom3.netcom.com>

"Robert A. Rosenberg" writes:

> Can you name any other country that was a non-participant in
> a war, was attacked by one side, and was told by the other
> side that they could neither join that side nor retaliate
> for the attacks (I'm talking about Operation Desert Storm
> and the Scuds aimed at Israel)? Any other country would have
> been allowed to participate or allowed to declare war on the
> attacker (and send a few missiles over as an incentive to
> stop attacking a neutral party to the war).

Other Arab states had mutual defense treaties with Iraq which would have obligated them to enter the war on the side of Iraq were there a conflict between Iraq and Israel. This would have greatly complicated the Persian Gulf War, and put the United States in a very difficult position.

The sad part is that Israel required any persuasion or guarantees at all by the United States to refrain from upsetting the applecart, especially since the US was doing its best to defend Israel at the time.

> The US (and the other Participants) were scared shitless of
> allowing Israel into the fight since, if let in, the war
> would have been over real fast and Saddam H.
> would have been
> pushing up daisies

And while the Israelis celebrated and danced in the streets, all prospects for a lasting negotiated Middle East peace would have been screwed for the next several centuries.

> (The Israelis have a habit of being able to take care of
> themselves with minimal "collateral damage" when their hands
> are not tied by the actions of other Governments telling
> them that they are not allowed to do what any other
> Government is allowed to do as a matter of normal policy
> when faced with aggression).

The Israelis take very good care of themselves with the weapons, military intelligence, and billions in US aid they receive each year. Occasional requests by the United States that they exercise appropriate discretion are hardly out of line.

--
Mike Duvos $ PGP 2.6 Public Key available $
mpd at netcom.com $ via Finger. $

From sameer at c2.org Mon Jan 29 18:34:11 1996
From: sameer at c2.org (sameer)
Date: Tue, 30 Jan 1996 10:34:11 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
In-Reply-To:
Message-ID: <199601292359.PAA24832@infinity.c2.org>

> the point is not that this can be done, the point is that users need
> tools that would check for programs like this running on their
> system. is fv making a 'fix' available? i would imagine a 'fix'
> would be a program that would look for tsr type programs (or inits on
> a mac) that do this sort of thing.

Of course they won't. FV's claimed "fix" is their product, which is a joke of a payment system. You actually think they would release a virus checker that would effectively hurt their FUD-based marketing?

> it's disappointing to see the spin put on this by fv. instead of

It's not surprising, given FV's attitude.

--
Sameer Parekh Voice: 510-601-9777x3
Community ConneXion, Inc.
FAX: 510-601-9734
The Internet Privacy Provider Dialin: 510-658-6376
http://www.c2.org/ (or login as "guest") sameer at c2.org

From rsalz at osf.org Mon Jan 29 18:34:54 1996
From: rsalz at osf.org (Rich Salz)
Date: Tue, 30 Jan 1996 10:34:54 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
Message-ID: <9601300006.AA15845@sulphur.osf.org>

>It's considerably more than that. Please read on.

No, Nathaniel, it is not. You watch keystrokes and record the ones you're interested in. This technique has interesting possibilities, but all your PR screaming won't make it anything more than what it is.

How interesting are these possibilities? It's hard to say. Don't run software you don't trust. Well, most of the people on this list probably already know that. I betcha a good-sized portion of the computer-using populace knows this, but actively (or passively) defers the choice to someone else.

You must trust something. You folks trust the telephone (never gets tapped, right) the postal service (of course mail never gets stolen) banks or credit card companies (which never have problems). And then, on top of that foundation of sand you build a commerce system with MIME and SMTP (sendmail is the most bugfree program ever written).

I used to think you were aggressive techies, now you're just greedy bastards who will seemingly stop at nothing; Stef's blatant attempts to ensure MIME's use in IETF-PAY was not an exception, but the first salvo.

You make me sorry I invented safe-tcl and made FV possible.

/r$

From jimbell at pacifier.com Mon Jan 29 18:41:19 1996
From: jimbell at pacifier.com (jim bell)
Date: Tue, 30 Jan 1996 10:41:19 +0800
Subject: "Gentlemen do not read each other's mail"
Message-ID:

At 02:15 PM 1/29/96 -0500, Alan Pugh wrote:
>>It isn't clear to me that the Constitution grants "rights" to the government
>>that aren't already possessed by the people themselves. Would that even be
>>possible? "Powers" maybe, "rights," maybe not.
>
>the constitution is an amazingly consistent document internally. take a slow
>read through it and you will see that you are absolutely correct. when
>'people' are being referred to, the term used is 'rights'. when it is a
>governmental organization (state or federal), the term used is always 'powers'.

Thank you for verifying concurring. I haven't read the Constitution in a few years, so I was a bit hazy, but I think I managed to hit the nail reasonably well on the head.

From raph at c2.org Mon Jan 29 18:57:19 1996
From: raph at c2.org (Raph Levien)
Date: Tue, 30 Jan 1996 10:57:19 +0800
Subject: Authentication of crypto clients
Message-ID:

This post contains (somewhat) technical discussion of (what I believe is) an important issue in integrating crypto with applications that do not contain their own cryptographic implementation. If that doesn't interest you, hit 'n' to resume your regularly scheduled flamefest.

The issue is: how does the crypto provider authenticate the client? For example, if the crypto provider can accept connections from any application in the user's process space, then any bogus application can easily start decrypting and signing as it likes. In this model, a precondition for security is that no bogus programs can be allowed to run.

An alternative, slightly more complex model is that the client must somehow authenticate itself to the crypto provider. One simple way of doing this is to require the client request a password from the user, which is then forwarded to the crypto provider. The crypto provider will only provide service on connections which have been authenticated in this way. This model gives security even in the face of some bogus applications.

Of course, as Nathaniel quietly reminded us this morning, any bogus application which can intercept keystrokes can subvert any such client authentication.
Barry Jaspan (in his analysis of a security flaw in SSH 1.2.0) reminds us that access to the image of the process is also sufficient to break security.

Perhaps the class of bogus programs which have enough capabilities to connect to the crypto provider, but not enough to intercept keystrokes or examine RAM is null, meaning that the two models have equivalent security. Actually, the simpler model has some security advantages, because the client never has to deal with any very sensitive material, such as the password.

I'm interested in this question right now because the current version of premail implements the simpler model (in fact, it simply stores all the secrets in a file in /tmp, with permissions set to 600). I want to know whether it's worth the trouble to design and implement an approach based on per-client authentication.

This issue is also relevant to the discussion of Microsoft's CAPI, which (as far as I can tell) allows only the simpler model. I'm not saying it's bad, but I do feel that the implications should be discussed. Thus, I have forwarded a copy of this post to cryptapi at microsoft.com in case they have any comments.

If there's been a discussion of this that I missed, then apologies for bringing it up again and appreciation in advance for any pointers.

Raph

From vin at shore.net Mon Jan 29 19:06:15 1996
From: vin at shore.net (Vin McLellan)
Date: Tue, 30 Jan 1996 11:06:15 +0800
Subject: FV's crypted credit card "attack"
Message-ID:

Date: Mon, 29 Jan 1996 15:43:53 -0500
Subject: IP: FV's position on Merc article
Date: Mon, 29 Jan 1996 10:44:26 -0500 (EST)
From: Nathaniel Borenstein

================

As you may already have heard via the popular press, First Virtual Holdings has developed and demonstrated a program which completely undermines the security of every known credit-card encryption mechanism for Internet commerce.
This is a very serious matter, and we want to make sure that the Internet community is properly informed about the nature of the problem that we have uncovered, and the manner in which we have made the information known. In this (unavoidably lengthy) post, I will try to explain the nature of the problem and its implications for Internet commerce. In deference to those who are not technically oriented, the detailed explanation of how the attack works will be the LAST part of this message.

First of all, let me be perfectly clear about the nature of the problem we have exposed. It is NOT a bug in a single program, and it is therefore NOT something that can be fixed with a "patch" or any other kind of software upgrade. Instead, we have demonstrated a very general attack that undermines ALL programs that ask users to type a credit card number into their home computer. We have tested the program and confirmed that it undermines the security of the credit card encryption software from Netscape and Cybercash, and we expect that it will work similarly for ANY future software based on the encryption of credit card numbers on the desktop.

Quite simply, we believe that this program demonstrates a FATAL flaw in one whole approach to Internet commerce, and that the use of software to encrypt credit card numbers can NEVER be made safe. For consumers, we recommend the following simple rule: NEVER TYPE YOUR CREDIT CARD NUMBER INTO A COMPUTER.

We should also be clear about the Internet commerce mechanisms that are NOT affected by this problem. First Virtual is unaffected because we never ask the user to put a credit card number at risk by typing it into a computer. Hardware-based solutions can also be devised that are immune to this attack, including solutions based on smart cards and solutions based on "card swipe" machines in the home.
We believe that current digital cash solutions are also not vulnerable to this attack, although some variants of digital cash may be vulnerable to a similar form of attack. Commerce mechanisms based on the use of telephones or fax machines to transmit credit card numbers are also unaffected by this kind of attack. Other proposed commerce mechanisms should, from now on, be evaluated with this kind of attack in mind. The bottom line: INTERNET COMMERCE CAN BE VERY SAFE, WITH SEVERAL DIFFERENT MECHANISMS, BUT ENCRYPTING CREDIT CARDS ON THE DESKTOP IS NOT ONE OF THE SAFE MECHANISMS. It's important to understand why we have taken this step. Obviously, as the long-time leaders in Internet commerce, the last thing we would want to do is to undermine general confidence in Internet commerce. However, we realized that many people believed that credit card encryption was a safe and easy path to Internet commerce, and that very few people understood how easily it could be undermined. Upon investigation, we were frankly startled to realize just how easy it was -- a single programmer got the first version of our program running in about a week. Aside from our obvious interest in promoting our own commerce mechanism, we felt that we had an ethical obligation to bring this problem to the attention of the consumers, banks, and other financial institutions who could conceivably suffer catastrophic losses if software encryption of credit card numbers became widespread. We also realize that we have an obligation to do everything possible to avoid helping any unscrupulous people who might seek to utilize this flaw for malicious purposes. We have accordingly been extremely responsible in how we have handled our discovery. We first demonstrated and explained our program to vital organizations such as CERT (the Computer Emergency Response Team) and the ABA (American Banking Association). 
Only after many such private disclosures, none of which revealed any defense against our technique, did we publicly disclose the existence of this program. In addition, we have taken several steps to "cripple" our demonstration program, all of which will be discussed below. Furthermore, we have NOT made the program itself generally available. We are currently demonstrating it to selected financial institutions and government agencies, and will provide copies of the program only to CERT and a few other independent security-minded organizations. We have also alerted Netscape to the problem as part of their "bugs bounty" program. At some future date, we might conceivably distribute the program, in binary form on CD ROM, to selected financial institutions. The source code will always be very closely guarded. Unfortunately, however, the general method of attack is extremely easy to duplicate, and we don't know of any good way to alert the public to the problem without explaining it. THE TECHNIQUE Our basic approach was to write a computer program that runs undetected while it monitors your computer system. A sophisticated version of such a program can intercept and analyze every keystroke, mouse-click, and even messages sent to your screen, but all we needed was the keystrokes. Selectively intercepted information can be immediately and secretly transmitted via Internet protocols, or stored for later use. First Virtual's research team has built and demonstrated a particular implementation of such a program, which only watches for credit card numbers. Whenever you type a credit card number into your computer -- even if you are talking to "secure" encryption software -- it captures your card number. Our program doesn't do anything harmful with your credit card number, but merely announces that it has captured it. A malicious program of this type could quietly transmit your credit card number to criminals without your knowledge. 
The underlying problem is that the desktop -- the consumer's computer -- is not secure. There is no way of ensuring that all software installed on the consumer's machine can be trusted. Given this fact, it is unwise to trust ANY software such as a "secure" browser, because malicious software could have easily been interposed between the user and the trusted software. The bottom line for consumers is that, on personal computers, INFORMATION IS INSECURE THE MOMENT YOU TOUCH A KEY. We have dramatically proven that security ends the moment you type sensitive information into your computer. The vulnerability lies in the fact that information must travel from your keyboard, into your computer's operating system, and then to your "secure" application. It can be easily intercepted along the way. This kind of insecurity is very frightening, and has implications far beyond credit card theft. However, credit cards embody and demonstrate the kind of information that is MOST vulnerable to this kind of attack. Credit card numbers are far more vulnerable to this kind of attack than most other forms of information because of the following particular characteristics of credit card numbers: -- Credit card numbers are easily recognized by simple pattern recognition. -- Credit card numbers are "one way" financial instruments, with no user-level confirmation or verification required for their use. -- Credit card numbers are of direct financial value. In short, credit card numbers are an almost perfect example of how NOT to design a payment instrument for an insecure public computer network such as the Internet. DETAILS: HOW TO TOTALLY UNDERMINE SOFTWARE ENCRYPTION OF CREDIT CARDS First Virtual's demonstration credit-card interception program, once installed, observes every keystroke that you type, watching for credit card numbers. 
It recognizes credit card numbers with almost perfect accuracy, because credit card numbers are specifically designed to match a simple, self-identifying pattern, including a check digit. Our program is even smart about punctuation and simple editing functions, so that nearly any credit card number that you type into your computer is immediately recognized as such by this program. When our program spots a credit card number, it immediately plays a warning sound and pops up a window on your screen, including an iconic representation of the type of credit card that you have just entered, along with a clear explanation of what has just happened. The current program works only on Microsoft Windows (Windows 3.1, Windows NT, and Windows 95), but we believe that it would be simple to implement on Macintosh and UNIX systems as well. The program doesn't exploit any "holes" or bugs in the operating system. It uses existing, necessary operating system facilities which are part of the published Windows API, and which are necessary for the implementation of screen savers, keyboard macros, and other important software packages. First Virtual's intent is to educate the public, certainly not to endanger it. For that reason, our program incorporates four important precautions intended to prevent any possibility of harm: 1) Our program is not self-replicating. While a malicious program exploiting the same security flaw could easily be embedded in a virus, spreading itself all over the world, that was not our goal. Instead, the program must be deliberately and manually installed on each computer on which it is to run. 2) Our program always puts up an icon on your screen when it is watching your keystrokes. This is certainly not necessary, and it is clear that a malicious program would be unlikely to do this. 3) Our program is easy to remove from your computer, and even offers an "Uninstall" button to the user. 
Obviously a malicious program would hide itself as well as possible, and make itself as hard to remove as possible. 4) Our program never transmits your credit card over the Internet. While a program using this approach could transmit your information to a criminal in a totally untraceable manner, we would never do anything like that. In fact, we erase your credit card number from our program's memory before we even tell you that we've seen it, thus making sure that the credit card number can't even be retrieved by an inspection of our program's memory. It is frankly difficult to overstate the severity of the problem demonstrated by our program. A clever criminal could use viral techniques to spread a malicious program based on the same approach, and would be no more likely to be caught in the act than the authors of any of the computer viruses that plague the world today. Once it detects a credit card number, a criminal program could use any of several techniques to send that number to the original criminal without providing any way to trace the criminal's receipt of it. (If you're skeptical about this claim, we'd prefer to talk with you privately, as we've never seen the "best" methods for doing this spelled out in public, and we would prefer to keep it that way.) Altogether, this means that if millions of credit card numbers were being typed into Internet-connected personal computers, a criminal could obtain a virtually unlimited supply of card numbers for his own use. In fact, for all we know this could already be happening today. The first visible sign of such an attack, if it were well-executed, would be a gradual rise in the overall rate of credit card fraud. POSSIBLE SOLUTIONS First Virtual believes that the flaw we have uncovered is fatal. In the foreseeable future, all commerce schemes based on software encryption of credit cards on the desktop are completely vulnerable to this sort of attack. 
The basic problem is that software encryption of credit cards is predicated on the notion of "trusted software". On the consumer computing platforms, however, general purpose operating system functionality makes it unwise to assume too strong a level of trust in such software. No operating system with anything less than military-grade security (B2) is likely to be safe from an attack such as this one. This does not mean that Internet commerce is dead. Any scheme that is not based on self-identifying one-way financial instruments such as credit cards will be essentially unaffected by this problem. Moreover, even credit cards may be made safe on the Internet using one of two approaches: secure hardware add-ons and the First Virtual approach. First Virtual's Internet Payment Systems never places the consumer's credit card number on the Internet. Instead, the consumer provides it to us by telephone when the account is opened. After that, all purchases are made using a "Virtual PIN". Virtual PINs are essentially Internet aliases for underlying payment mechanisms such as credit card numbers, but with several kinds of added security. Virtual PINs are free-form text, with no recognizable pattern, which makes them much harder to detect with the kind of attack we have just demonstrated. Moreover, Virtual PINs are only usable in conjunction with First Virtual's unique email verification process. No payment is made until the consumer confirms an email query, which means that defrauding First Virtual is a multi-step process that is extremely difficult to automate. (For more details, we recommend our paper, "Perils and Pitfalls of Practical CyberCommerce", available via ftp from ftp://ftp.fv.com/pub/nsb/fv-austin.txt.) The bottom line, once again, for those of you who have read this far: NEVER TYPE YOUR CREDIT CARD NUMBER INTO A COMPUTER. There's simply no other way to keep credit cards safe on the net. 
The program we have demonstrated completely undermines the security of all known programs that claim to handle credit card numbers safely on the Internet.
--------
Nathaniel Borenstein
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com

Vin McLellan +The Privacy Guild+
53 Nichols St., Chelsea, Ma. 02150 USA
Tel: (617) 884-5548
<*><*><*><*><*><*><*><*><*>

From nsb at nsb.fv.com Mon Jan 29 19:07:55 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Tue, 30 Jan 1996 11:07:55 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
In-Reply-To: <199601292201.OAA00356@mage.qualcomm.com>
Message-ID: <4l3Iox2Mc50eMWY=8n@nsb.fv.com>

Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Peter Monta at qualcomm.com (651*)

> Of course, host security is important, but what is the rationale
> for panic, given the tools available?

Heavens. It's the potential for large-scale automated untraceable attack.

> > NEVER TYPE YOUR CREDIT CARD NUMBER INTO A COMPUTER.

> Never speak it either. Walls (and audio peripherals) have ears.

When you can give me a cheap device that can be planted in the wall, listen to everything you say, and just spit out the credit card numbers, then I'll start to be worried about speaking it. Until then, what we've just unveiled has no audio parallel. -- NB
--------
Nathaniel Borenstein
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com

From nsb at nsb.fv.com Mon Jan 29 19:30:57 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Tue, 30 Jan 1996 11:30:57 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
In-Reply-To: <9601292131.AA24346@toad.com>
Message-ID:

Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Matts Kallioniemi at pobox. (710*)

> This problem is greatly exaggerated. The software simply won't be running in
> the average user's machine.
> If the program propagates like a virus, it will soon be caught and killed
> by the anti-virus utilities that any responsible user is already running on
> a regular basis.

No need to do it as a virus, unless you count "social attacks" as viruses. The IBM Christmas Exec came as plain text email that *persuaded* the reader to run it. The average consumer is easily fooled. "Download this neat program that does X, Y, and Z." If it really does those things, you need never suspect that it also planted a keyboard sniffer.

> If you have to start the program for it to do its magic, then just don't
> start it. Today's computer users should know that running software you don't
> trust is generally a bad idea. That's how you get a virus in the machine in
> the first place...

If your idea of "today's computer users" comes from cypherpunks, you're living in a dream world. FV's experience with average Internet users includes some who ask us not to use complicated "technical terms" like "cut and paste". They certainly can't be counted on to know which software to download and which to avoid.

> Come on Nathaniel, admit it, it's a scam to sell FV's expensive services!

I'm kind of surprised that nobody on this list has realized that this attack is actually a very good argument for digital cash. FV is by no means the only technology that can be made immune to this kind of attack. It's just that software encryption of credit card numbers is an amazingly vulnerable technology.
-- Nathaniel

From jrochkin at cs.oberlin.edu Mon Jan 29 19:31:21 1996
From: jrochkin at cs.oberlin.edu (Jonathan Rochkind)
Date: Tue, 30 Jan 1996 11:31:21 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
Message-ID:

Congratulations to FirstVirtual for having taken key-capture techniques that everyone has known about forever, and skillfully propagandizing it as a 'fatal flaw in software encryption' playing on the technophobia of the masses, who are afraid of computers already ("INFORMATION IS INSECURE THE MOMENT YOU TOUCH A KEY". snork), to engender widespread fear in encryption ("ENCRYPTING CREDIT CARDS ON THE DESKTOP IS NOT ONE OF THE SAFE MECHANISMS"), thereby (hopefully) enhancing market share of FV, which doesn't use encryption.

1) I remember Mr. Borenstein saying a year or two ago, something like "We have nothing against encryption; we're just using a non-encrypting technique for the moment, because it can be quickly, easily, and safely deployed by us. Eventually, we'll probably use encryption." Apparently, this propaganda piece marks a change of strategy.

2) This is the first net distributed "security alert" distributed that I've noticed, with almost no real content. No one who knows a bit about computer security learned anything they didn't already know from that "alert". Rather, it was distributed in the _form_ of a CERT-like alert, but with the purpose and effect that is almost solely marketing of FV. I'm sure we can expect many more now that FV has pioneered the propaganda-as-alert technique--people are really scared about virus and security risks, since they know nothing about them, and will pay a lot of attention to them (witness "Good Times")--much more attention than they'd normally pay an advertisement. This masquerading advertisement is akin to the advertisements masquerading as editorial content that you see in many magazines not respectable enough to prohibit such things.
3) I believe that FV works by assigning the user some sort of id number. They send the id across the net, FV has a database with "FV-ID" <-> credit-card-number correspondences, the merchant sends FV the id, FV bills your card and pays the merchant. Now, if I'm correct about how FV works, we could clearly write a program that searches your HD for FV's data files, extracts your FV-ID from it, and steals it. It could be a virus, it could send the FV across the net, whatever. We could then use your FV-ID to fraudulently make purchases through the FV system that would be billed to you. This is essentially the same attack as FV "demonstrates" against software encrypted credit cards over the net: that is, the "You have an insecure system and if we can put evil software on it, we can get you." attack.

True, we wouldn't have your credit card number, and we couldn't order stuff from LL Bean billed to you. We could just order stuff from FV merchants. So maybe it's marginally better. Maybe. But I can't see any way FV could be immune to an attack of this sort. I believe that all they do is give you a first virtual ID number sent across the net (in the clear!) in lieu of your card number. With an insecure PC as an assumption (and it is probably a good one, actually), I can't see how FV could be immune from an attack of this sort. If Mr. Borenstein or anyone else thinks it is, please explain how.

Sigh.

From nobody at c2.org Mon Jan 29 19:39:32 1996
From: nobody at c2.org (Anonymous User)
Date: Tue, 30 Jan 1996 11:39:32 +0800
Subject: RC2 source code
Message-ID: <199601292158.NAA04160@infinity.c2.org>

Reposted from sci.crypt:

/**********************************************************************\
* To commemorate the 1996 RSA Data Security Conference, the following  *
* code is released into the public domain by its author. Prost!        *
*                                                                      *
* This cipher uses 16-bit words and little-endian byte ordering.       *
* I wonder which processor it was optimized for?
*                                                                      *
* Thanks to CodeView, SoftIce, and D86 for helping bring this code to  *
* the public.                                                          *
\**********************************************************************/

#include <string.h>   /* memcpy */
#include <assert.h>   /* assert */

/**********************************************************************\
* Expand a variable-length user key (between 1 and 128 bytes) to a     *
* 64-short working rc2 key, of at most "bits" effective key bits.      *
* The effective key bits parameter looks like an export control hack.  *
* For normal use, it should always be set to 1024. For convenience,    *
* zero is accepted as an alias for 1024.                               *
\**********************************************************************/
void rc2_keyschedule( unsigned short xkey[64],
                      const unsigned char *key,
                      unsigned len,
                      unsigned bits )
{
    unsigned char x;
    unsigned i;
    /* 256-entry permutation table, probably derived somehow from pi */
    static const unsigned char permute[256] = {
        217,120,249,196, 25,221,181,237, 40,233,253,121, 74,160,216,157,
        198,126, 55,131, 43,118, 83,142, 98, 76,100,136, 68,139,251,162,
         23,154, 89,245,135,179, 79, 19, 97, 69,109,141,  9,129,125, 50,
        189,143, 64,235,134,183,123, 11,240,149, 33, 34, 92,107, 78,130,
         84,214,101,147,206, 96,178, 28,115, 86,192, 20,167,140,241,220,
         18,117,202, 31, 59,190,228,209, 66, 61,212, 48,163, 60,182, 38,
        111,191, 14,218, 70,105,  7, 87, 39,242, 29,155,188,148, 67,  3,
        248, 17,199,246,144,239, 62,231,  6,195,213, 47,200,102, 30,215,
          8,232,234,222,128, 82,238,247,132,170,114,172, 53, 77,106, 42,
        150, 26,210,113, 90, 21, 73,116, 75,159,208, 94,  4, 24,164,236,
        194,224, 65,110, 15, 81,203,204, 36,145,175, 80,161,244,112, 57,
        153,124, 58,133, 35,184,180,122,252,  2, 54, 91, 37, 85,151, 49,
         45, 93,250,152,227,138,146,174,  5,223, 41, 16,103,108,186,201,
        211,  0,230,207,225,158,168, 44, 99, 22,  1, 63, 88,226,137,169,
         13, 56, 52, 27,171, 51,255,176,187, 72, 12, 95,185,177,205, 46,
        197,243,219, 71,229,165,156,119, 10,166, 32,104,254,127,193,173
    };

    assert(len > 0 && len <= 128);
    assert(bits <= 1024);
    if (!bits)
        bits = 1024;

    memcpy(xkey, key, len);

    /* Phase 1: Expand input key to 128 bytes */
    if (len < 128) {
        i = 0;
        x = ((unsigned char *)xkey)[len-1];
        do {
            x = permute[(x + ((unsigned char *)xkey)[i++]) & 255];
            ((unsigned char *)xkey)[len++] = x;
        } while (len < 128);
    }

    /* Phase 2 - reduce effective key size to "bits" */
    len = (bits+7) >> 3;
    i = 128-len;
    x = permute[((unsigned char *)xkey)[i] & (255 >> (7 & -bits))];
    ((unsigned char *)xkey)[i] = x;

    while (i--) {
        x = permute[ x ^ ((unsigned char *)xkey)[i+len] ];
        ((unsigned char *)xkey)[i] = x;
    }

    /* Phase 3 - copy to xkey in little-endian order */
    i = 63;
    do {
        xkey[i] = ((unsigned char *)xkey)[2*i] +
                  (((unsigned char *)xkey)[2*i+1] << 8);
    } while (i--);
}

/**********************************************************************\
* Encrypt an 8-byte block of plaintext using the given key.            *
\**********************************************************************/
void rc2_encrypt( const unsigned short xkey[64],
                  const unsigned char *plain,
                  unsigned char *cipher )
{
    unsigned x76, x54, x32, x10, i;

    x76 = (plain[7] << 8) + plain[6];
    x54 = (plain[5] << 8) + plain[4];
    x32 = (plain[3] << 8) + plain[2];
    x10 = (plain[1] << 8) + plain[0];

    for (i = 0; i < 16; i++) {
        x10 += (x32 & ~x76) + (x54 & x76) + xkey[4*i+0];
        x10 = (x10 << 1) + (x10 >> 15 & 1);

        x32 += (x54 & ~x10) + (x76 & x10) + xkey[4*i+1];
        x32 = (x32 << 2) + (x32 >> 14 & 3);

        x54 += (x76 & ~x32) + (x10 & x32) + xkey[4*i+2];
        x54 = (x54 << 3) + (x54 >> 13 & 7);

        x76 += (x10 & ~x54) + (x32 & x54) + xkey[4*i+3];
        x76 = (x76 << 5) + (x76 >> 11 & 31);

        if (i == 4 || i == 10) {
            x10 += xkey[x76 & 63];
            x32 += xkey[x10 & 63];
            x54 += xkey[x32 & 63];
            x76 += xkey[x54 & 63];
        }
    }

    cipher[0] = (unsigned char)x10;
    cipher[1] = (unsigned char)(x10 >> 8);
    cipher[2] = (unsigned char)x32;
    cipher[3] = (unsigned char)(x32 >> 8);
    cipher[4] = (unsigned char)x54;
    cipher[5] = (unsigned char)(x54 >> 8);
    cipher[6] = (unsigned char)x76;
    cipher[7] = (unsigned char)(x76 >> 8);
}

/**********************************************************************\
* Decrypt an 8-byte block of ciphertext using the given key.           *
\**********************************************************************/
void rc2_decrypt( const unsigned short xkey[64],
                  unsigned char *plain,
                  const unsigned char *cipher )
{
    unsigned x76, x54, x32, x10, i;

    x76 = (cipher[7] << 8) + cipher[6];
    x54 = (cipher[5] << 8) + cipher[4];
    x32 = (cipher[3] << 8) + cipher[2];
    x10 = (cipher[1] << 8) + cipher[0];

    i = 15;
    do {
        x76 &= 65535;
        x76 = (x76 << 11) + (x76 >> 5);
        x76 -= (x10 & ~x54) + (x32 & x54) + xkey[4*i+3];

        x54 &= 65535;
        x54 = (x54 << 13) + (x54 >> 3);
        x54 -= (x76 & ~x32) + (x10 & x32) + xkey[4*i+2];

        x32 &= 65535;
        x32 = (x32 << 14) + (x32 >> 2);
        x32 -= (x54 & ~x10) + (x76 & x10) + xkey[4*i+1];

        x10 &= 65535;
        x10 = (x10 << 15) + (x10 >> 1);
        x10 -= (x32 & ~x76) + (x54 & x76) + xkey[4*i+0];

        if (i == 5 || i == 11) {
            x76 -= xkey[x54 & 63];
            x54 -= xkey[x32 & 63];
            x32 -= xkey[x10 & 63];
            x10 -= xkey[x76 & 63];
        }
    } while (i--);

    plain[0] = (unsigned char)x10;
    plain[1] = (unsigned char)(x10 >> 8);
    plain[2] = (unsigned char)x32;
    plain[3] = (unsigned char)(x32 >> 8);
    plain[4] = (unsigned char)x54;
    plain[5] = (unsigned char)(x54 >> 8);
    plain[6] = (unsigned char)x76;
    plain[7] = (unsigned char)(x76 >> 8);
}

From peter at verisign.com Mon Jan 29 19:39:50 1996
From: peter at verisign.com (Peter Williams)
Date: Tue, 30 Jan 1996 11:39:50 +0800
Subject: [Fwd: Netscape, CAs, and Verisign]
Message-ID: <199601292200.OAA22310@dustin.verisign.com>

>I'd like to see a less centralized CA that's tied into the existing system
>of notaries. The idea is to make it necessary to spoof a notary in order
>to spoof the CA. That won't make spoofing the CA impossible (nothing
>will), but it will make spoofing the CA illegal.

You might wish to look at the Apple DigiSign design. RSA DSI ran a CA under contract as a notary enrollment system for 2 years.
The people from RSA DSI, now at Verisign, have a certain amount of experience with this system. I don't understand how you intend to make CA spoofing illegal. Who would perform the enforcement? (By illegal, I assume you mean that there is a criminal offence involved, rather than a tort.)

>
>A notary could apply to the CA for the right to work as an agent, for a
>nominal fee (<$100/year). Only notaries could be agents. If a person
>wants a certificate, they'd come in and present ID and a key to the
>notary/agent. The person would have to present a form document stating
>that he's requesting the cert. The notary would stamp the form and affix
>a signature to the key which would enable it to be processed automatically
>by the CA.

This has been tried, and many certificates issued under a variant of this scheme. It seems likely that only an ABA-certified notary would be reasonably secure from professional liabilities. Good efforts have been made to qualify what the professional procedures would be.

>
>Fees for the whole procedure ought to be less than $30. The CA ought to
>operate off of the fees from the agents as a non-profit organization, and
>the agents ought to keep the fees paid by the people requesting the
>certificates.

Notary fees might be best controlled by the notary, not the CA. Seems an unreasonable restriction of trade to price-fix, even at the low-end.

>
>Would any of the lawyers on the list be willing to comment on whether or
>not it's possible or practical to tie a CA into the notary system? Does
>anyone have any thoughts as to how difficult/risky spoofing my CA is
>compared to spoofing Netscape or Verisign?

There is indeed a large body of legal ramifications in this area. The best way to learn about it is to become a CA and do it. Risk taking is part of being in the CA business, however you operate it, even for free.
>
>I could put up a server and I think I know a lawyer who would help me set
>up a non-profit organization on a shoestring, but I don't want to do it if
>the plan is impractical.

Running as a not-for-profit may not prevent general liability. You can give the service away for free and will still be liable for the mis-representations you or your agents make. There are DARPA reports written about the issue (though these do not usually constitute advice.)

>
>Moreover, although I don't think it's reasonable to expect Netscape to
>agree to include a non-existent CA in their browsers sight unseen, at the
>same time it doesn't seem smart to sink money into setting up the CA
>without some indication from Netscape that they're willing to give the
>idea good faith consideration.

Navigator betas seem to already facilitate users configuring their own trust points in a manner rather similar to adding a key to your personal PGP keyring. IBM browsers allow formal configuration of trust points.

CAs as a business and economic growth area are just happening. We have two declared companies; Verisign and GTE. I personally expect another 10-20 to declare soon. The large (phone company) networks seem to be where the current action is, followed by the large accounting firms.

As a small software company, I personally back the other similarly small software companies making and selling organizational CA systems to help people manage their own community of interest as they see fit.

From wlkngowl at unix.asb.com Mon Jan 29 19:44:50 1996
From: wlkngowl at unix.asb.com (Mutatis Mutantdis)
Date: Tue, 30 Jan 1996 11:44:50 +0800
Subject: Opinion piece in NYT; responses needed
Message-ID: <199601300105.UAA18553@UNiX.asb.com>

On Sun, 28 Jan 1996 19:33:19 -0500, Jonathan Rochkind wrote:

>> The New York Times, January 2, 1996, Business, p. 14
>>
>>
>> Viewpoint: J. Walker Smith
>>
>> Standoff in Cyberspace Gulch
>>
>> [..]
>[I'm going to try to make myself write a letter to the NYT in response to >that viewpoint, making some of these points I'm saying it's important to >make, but you should too. :) ] Don't leave out an important point ignored by both sides of the debate all too often (esp. by the "decency" folk): the structure of the 'net itself (well, sort of). It's a decentered network (or set of networks) designed to get information to its addressee. Data flows through several nodes and networks until it reaches its destination. If it can't get through one path, it goes through the other. This isn't just for mail but all "packets" that flow on the net: web pages, file transfers, telnetting, etc. [A good segue to arguing "security related to privacy can go here...] Limiting content or access is only superficially impossible. The international scope of the 'net makes even agreeing to standards impossible. From rich at c2.org Mon Jan 29 19:48:44 1996 From: rich at c2.org (Just Rich) Date: Tue, 30 Jan 1996 11:48:44 +0800 Subject: [NOISY] Deutsche Telekom <--> webcom.com "routing troubles" Message-ID: <199601292241.OAA11703@infinity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- [Capsule summary: the largest German Internet provider has blocked access to webcom.com at the router lever because of one out of a thousand subscribers' files, which violate German anti-Nazi laws.] 
Someone please inform Deutsche Telekom and the relevant prosecutors that by the time they read this (i.e., within an hour), selected files from Zundel's holocaust-denial archives (which make me sick, but that's beside the point) will be available at the AFS path: /afs/ir.stanford.edu/users/l/llurch/WWW/Not_By_Me_Not_My_Views/ One of the ways this directory can be reached is through: http://www-leland.stanford.edu/~llurch/Not_By_Me_Not_My_Views/ Indeed, a simple symlink would be sufficient to make these files available on any other server at any other organization that mounts AFS, which include uni-freiburg.de, mathematik-cip.uni-stuttgart.de, ifh.de, desy.de, zdvpool.uni-tuebingen.de, zdvpool.uni-tuebingen.de, ipp-garching.mpg.de, afs-math.zib-berlin.de, lrz-muenchen.de, and a dozen other sites in Germany. To be safe, Deutsche Telekom would have to firewall the entire world. For information on the global distributed AFS file system, which is used by most major US universities, see http://www.transarc.com/ For my views on the Holocaust, see http://nizkor.almanac.bc.ca/, which unfortunately seems to be unreachable from the US at the moment because of a routing loop at Seattle.mci.net. These files will be removed from my directories and replaced by a pointer to the original URLs if/when it appears that no organization, public or private, is actively suppressing them. I'm not interested in providing free Web space. It took only four email messages and a half hour of my time to set this up. You're kidding yourself if you believe that censorship is even halfway effective, much less wise, in the digital age. The proper response to people like Zundel is documentation and refutation, such as is practiced by the Nizkor (Remember) project, www.almanac.bc.ca. I plan to play an active role in distributing Zundel's files only as long as necessary to prove the censorship point, because I don't want to give him free space. 
But I will personally archive his files because I believe that lies like these should be saved as such, not smothered.

- -rich

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMQ1NqY3DXUbM57SdAQH5WgP/byEnhFNgbzwVCDTq+HVFvcHdkum+vuBM
XAD6+EvPehrrQLtA1cKyVAd6A/Mzt274eq1ihYaBhyiml1e+QSx3VFrPe4EKKTm1
bs0UWHXlSjwbeW5DdFPIGrglrVIuof5MV1ZH5uvEV4yFsgQoz15TBrJa5r+47H8q
iH54Kiq5/p4=
=LD6X
-----END PGP SIGNATURE-----

From droelke at rdxsunhost.aud.alcatel.com Mon Jan 29 19:50:40 1996
From: droelke at rdxsunhost.aud.alcatel.com (Daniel R. Oelke)
Date: Tue, 30 Jan 1996 11:50:40 +0800
Subject: FV's Borenstein discovers keystroke capture programs! (pictures at 11!)
Message-ID: <9601292318.AA20907@spirit.aud.alcatel.com>

>
> 2. It has nothing to do with viruses. No current virus protection
> program will ever detect this thing, and if you write a program that
> detects one instantiation of the attack, the program can be easily
> changed to require a new "detector" program. This means you can only
> protect against the last attack, not the next one.

It has *everything* to do with viruses. Your program is not a virus BUT the press release tells the "danger" of trusting your own computer. If your own computer is doing something other than what the software on it is advertised as doing you have a virus, or trojan horse like a dirty-picture-viewer-with-keyboard-capture.

Viruses and trojan horses are nothing new. The detector programs keep up with them quite nicely and make a good buck doing it.

As for the technical content of the program - I'd hack up a DOS version tonight if I thought it was worth my effort to drag the PC compiler/assembler out of mothballs. (I don't do MS-Windows). A week's time is more than enough for any technically competent programmer to do the capture and add in the Windoze bells and whistles.

I find that FV's hype on this is nothing but a thin disguise for a selling of their product. Come on guys. Sell your product, not FUD.
Dan ------------------------------------------------------------------ Dan Oelke Alcatel Network Systems droelke at aud.alcatel.com Richardson, TX From ylo at cs.hut.fi Mon Jan 29 19:56:57 1996 From: ylo at cs.hut.fi (Tatu Ylonen) Date: Tue, 30 Jan 1996 11:56:57 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards Message-ID: <199601292257.AAA08008@trance.olari.clinet.fi> I find this kind of marketing extremely inappropriate. PLEASE STOP IT. The "flaw" you describe is quite obvious. The key issue is whether untrusted code gets executed on your computer, and what your risk model is. When balancing the probable damage due to this risk against the benefits of easily obtained software (from sources one chooses to trust) and easy electronic commerce, at least I find that this "flaw" is no cause for special alarm. The risk is analogous to that posed by computer viruses. I detest people causing public hysteria to advance their private commercial goals. Tatu Ylonen ------- start of forwarded message (RFC 934 encapsulation) ------- Received: from relay3.UU.NET by hutcs.cs.hut.fi with SMTP id AA23837 (5.65c8/HUTCS-S 1.4 for ); Mon, 29 Jan 1996 22:29:47 +0200 Received: from toad.com by relay3.UU.NET with SMTP id QQaaqq05894; Mon, 29 Jan 1996 15:11:37 -0500 (EST) Received: by toad.com id AA21824; Mon, 29 Jan 96 12:07:29 PST Received: from zloty.fv.com by toad.com id AA21818; Mon, 29 Jan 96 12:07:22 PST Received: from nsb.fv.com (nsb.fv.com [152.160.80.42]) by zloty.fv.com (8.7.3/8.7.3) with SMTP id MAA00050 for ; Mon, 29 Jan 1996 12:07:38 -0800 (PST) Received: by nsb.fv.com (4.1/SMI-4.1) id AA20803; Mon, 29 Jan 96 15:07:47 EST Received: from Messages.8.5.N.CUILIB.3.45.SNAP.NOT.LINKED.nsb.fv.com.sun4.41 via MS.5.6.nsb.fv.com.sun4_41; Mon, 29 Jan 1996 15:07:46 -0500 (EST) Message-Id: Precedence: bulk From: Nathaniel Borenstein Sender: owner-cypherpunks at toad.com To: cypherpunks at toad.com Subject: FV Demonstrates Fatal Flaw in Software Encryption 
of Credit Cards Date: Mon, 29 Jan 1996 15:07:46 -0500 (EST) [My apologies in advance if you see several copies of this message. I am posting this fairly widely due to the severity and importance of the problem described.] As you may already have heard via the popular press, First Virtual Holdings has developed and demonstrated a program which completely undermines the security of every known credit-card encryption mechanism for Internet commerce. This is a very serious matter, and we want to make sure that the Internet community is properly informed about the nature of the problem that we have uncovered, and the manner in which we have made the information known. In this (unavoidably lengthy) post, I will try to explain the nature of the problem and its implications for Internet commerce. In deference to those who are not technically oriented, the detailed explanation of how the attack works will be the LAST part of this message. First of all, let me be perfectly clear about the nature of the problem we have exposed. It is NOT a bug in a single program, and it is therefore NOT something that can be fixed with a "patch" or any other kind of software upgrade. Instead, we have demonstrated a very general attack that undermines ALL programs that ask users to type a credit card number into their home computer. We have tested the program and confirmed that it undermines the security of the credit card encryption software from Netscape and Cybercash, and we expect that it will work similarly for ANY future software based on the encryption of credit card numbers on the desktop. Quite simply, we believe that this program demonstrates a FATAL flaw in one whole approach to Internet commerce, and that the use of software to encrypt credit card numbers can NEVER be made safe. For consumers, we recommend the following simple rule: NEVER TYPE YOUR CREDIT CARD NUMBER INTO A COMPUTER. 
We should also be clear about the Internet commerce mechanisms that are NOT affected by this problem. First Virtual is unaffected because we never ask the user to put a credit card number at risk by typing it into a computer. Hardware-based solutions can also be devised that are immune to this attack, including solutions based on smart cards and solutions based on "card swipe" machines in the home. We believe that current digital cash solutions are also not vulnerable to this attack, although some variants of digital cash may be vulnerable to a similar form of attack. Commerce mechanisms based on the use of telephones or fax machines to transmit credit card numbers are also unaffected by this kind of attack. Other proposed commerce mechanisms should, from now on, be evaluated with this kind of attack in mind. The bottom line: INTERNET COMMERCE CAN BE VERY SAFE, WITH SEVERAL DIFFERENT MECHANISMS, BUT ENCRYPTING CREDIT CARDS ON THE DESKTOP IS NOT ONE OF THE SAFE MECHANISMS. It's important to understand why we have taken this step. Obviously, as the long-time leaders in Internet commerce, the last thing we would want to do is to undermine general confidence in Internet commerce. However, we realized that many people believed that credit card encryption was a safe and easy path to Internet commerce, and that very few people understood how easily it could be undermined. Upon investigation, we were frankly startled to realize just how easy it was -- a single programmer got the first version of our program running in about a week. Aside from our obvious interest in promoting our own commerce mechanism, we felt that we had an ethical obligation to bring this problem to the attention of the consumers, banks, and other financial institutions who could conceivably suffer catastrophic losses if software encryption of credit card numbers became widespread. 
We also realize that we have an obligation to do everything possible to avoid helping any unscrupulous people who might seek to utilize this flaw for malicious purposes. We have accordingly been extremely responsible in how we have handled our discovery. We first demonstrated and explained our program to vital organizations such as CERT (the Computer Emergency Response Team) and the ABA (American Banking Association). Only after many such private disclosures, none of which revealed any defense against our technique, did we publicly disclose the existence of this program. In addition, we have taken several steps to "cripple" our demonstration program, all of which will be discussed below. Furthermore, we have NOT made the program itself generally available. We are currently demonstrating it to selected financial institutions and government agencies, and will provide copies of the program only to CERT and a few other independent security-minded organizations. We have also alerted Netscape to the problem as part of their "bugs bounty" program. At some future date, we might conceivably distribute the program, in binary form on CD ROM, to selected financial institutions. The source code will always be very closely guarded. Unfortunately, however, the general method of attack is extremely easy to duplicate, and we don't know of any good way to alert the public to the problem without explaining it. THE TECHNIQUE Our basic approach was to write a computer program that runs undetected while it monitors your computer system. A sophisticated version of such a program can intercept and analyze every keystroke, mouse-click, and even messages sent to your screen, but all we needed was the keystrokes. Selectively intercepted information can be immediately and secretly transmitted via Internet protocols, or stored for later use. First Virtual's research team has built and demonstrated a particular implementation of such a program, which only watches for credit card numbers. 
Whenever you type a credit card number into your computer -- even if you are talking to "secure" encryption software -- it captures your card number. Our program doesn't do anything harmful with your credit card number, but merely announces that it has captured it. A malicious program of this type could quietly transmit your credit card number to criminals without your knowledge. The underlying problem is that the desktop -- the consumer's computer -- is not secure. There is no way of ensuring that all software installed on the consumer's machine can be trusted. Given this fact, it is unwise to trust ANY software such as a "secure" browser, because malicious software could have easily been interposed between the user and the trusted software. The bottom line for consumers is that, on personal computers, INFORMATION IS INSECURE THE MOMENT YOU TOUCH A KEY. We have dramatically proven that security ends the moment you type sensitive information into your computer. The vulnerability lies in the fact that information must travel from your keyboard, into your computer's operating system, and then to your "secure" application. It can be easily intercepted along the way. This kind of insecurity is very frightening, and has implications far beyond credit card theft. However, credit cards embody and demonstrate the kind of information that is MOST vulnerable to this kind of attack. Credit card numbers are far more vulnerable to this kind of attack than most other forms of information because of the following particular characteristics of credit card numbers: - -- Credit card numbers are easily recognized by simple pattern recognition. - -- Credit card numbers are "one way" financial instruments, with no user-level confirmation or verification required for their use. - -- Credit card numbers are of direct financial value. 
In short, credit card numbers are an almost perfect example of how NOT to design a payment instrument for an insecure public computer network such as the Internet. DETAILS: HOW TO TOTALLY UNDERMINE SOFTWARE ENCRYPTION OF CREDIT CARDS First Virtual's demonstration credit-card interception program, once installed, observes every keystroke that you type, watching for credit card numbers. It recognizes credit card numbers with almost perfect accuracy, because credit card numbers are specifically designed to match a simple, self-identifying pattern, including a check digit. Our program is even smart about punctuation and simple editing functions, so that nearly any credit card number that you type into your computer is immediately recognized as such by this program. When our program spots a credit card number, it immediately plays a warning sound and pops up a window on your screen, including an iconic representation of the type of credit card that you have just entered, along with a clear explanation of what has just happened. The current program works only on Microsoft Windows (Windows 3.1, Windows NT, and Windows 95), but we believe that it would be simple to implement on Macintosh and UNIX systems as well. The program doesn't exploit any "holes" or bugs in the operating system. It uses existing, necessary operating system facilities which are part of the published Windows API, and which are necessary for the implementation of screen savers, keyboard macros, and other important software packages. First Virtual's intent is to educate the public, certainly not to endanger it. For that reason, our program incorporates four important precautions intended to prevent any possibility of harm: 1) Our program is not self-replicating. While a malicious program exploiting the same security flaw could easily be embedded in a virus, spreading itself all over the world, that was not our goal. 
Instead, the program must be deliberately and manually installed on each computer on which it is to run. 2) Our program always puts up an icon on your screen when it is watching your keystrokes. This is certainly not necessary, and it is clear that a malicious program would be unlikely to do this. 3) Our program is easy to remove from your computer, and even offers an "Uninstall" button to the user. Obviously a malicious program would hide itself as well as possible, and make itself as hard to remove as possible. 4) Our program never transmits your credit card over the Internet. While a program using this approach could transmit your information to a criminal in a totally untraceable manner, we would never do anything like that. In fact, we erase your credit card number from our program's memory before we even tell you that we've seen it, thus making sure that the credit card number can't even be retrieved by an inspection of our program's memory. It is frankly difficult to overstate the severity of the problem demonstrated by our program. A clever criminal could use viral techniques to spread a malicious program based on the same approach, and would be no more likely to be caught in the act than the authors of any of the computer viruses that plague the world today. Once it detects a credit card number, a criminal program could use any of several techniques to send that number to the original criminal without providing any way to trace the criminal's receipt of it. (If you're skeptical about this claim, we'd prefer to talk with you privately, as we've never seen the "best" methods for doing this spelled out in public, and we would prefer to keep it that way.) Altogether, this means that if millions of credit card numbers were being typed into Internet-connected personal computers, a criminal could obtain a virtually unlimited supply of card numbers for his own use. In fact, for all we know this could already be happening today. 
The first visible sign of such an attack, if it were well-executed, would be a gradual rise in the overall rate of credit card fraud. POSSIBLE SOLUTIONS First Virtual believes that the flaw we have uncovered is fatal. In the foreseeable future, all commerce schemes based on software encryption of credit cards on the desktop are completely vulnerable to this sort of attack. The basic problem is that software encryption of credit cards is predicated on the notion of "trusted software". On the consumer computing platforms, however, general purpose operating system functionality makes it unwise to assume too strong a level of trust in such software. No operating system with anything less than military-grade security (B2) is likely to be safe from an attack such as this one. This does not mean that Internet commerce is dead. Any scheme that is not based on self-identifying one-way financial instruments such as credit cards will be essentially unaffected by this problem. Moreover, even credit cards may be made safe on the Internet using one of two approaches: secure hardware add-ons and the First Virtual approach. First Virtual's Internet Payment Systems never places the consumer's credit card number on the Internet. Instead, the consumer provides it to us by telephone when the account is opened. After that, all purchases are made using a "Virtual PIN". Virtual PINs are essentially Internet aliases for underlying payment mechanisms such as credit card numbers, but with several kinds of added security. Virtual PINs are free-form text, with no recognizable pattern, which makes them much harder to detect with the kind of attack we have just demonstrated. Moreover, Virtual PINs are only usable in conjunction with First Virtual's unique email verification process. No payment is made until the consumer confirms an email query, which means that defrauding First Virtual is a multi-step process that is extremely difficult to automate. 
(For more details, we recommend our paper, "Perils and Pitfalls of Practical CyberCommerce", available via ftp from ftp://ftp.fv.com/pub/nsb/fv-austin.txt.) The bottom line, once again, for those of you who have read this far: NEVER TYPE YOUR CREDIT CARD NUMBER INTO A COMPUTER. There's simply no other way to keep credit cards safe on the net. The program we have demonstrated completely undermines the security of all known programs that claim to handle credit card numbers safely on the Internet. - -------- Nathaniel Borenstein Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq at nsb.fv.com ------- end ------- From pecampbe at mtu.edu Mon Jan 29 20:14:01 1996 From: pecampbe at mtu.edu (Paul E. Campbell) Date: Tue, 30 Jan 1996 12:14:01 +0800 Subject: FL Demonstrates Fatal Flaw in Logins Message-ID: <199601292131.QAA28818@metlab1.my.mtu.edu> Okay..so I couldn't resist. This stuff is almost too good to be real. I've doctored up their propaganda a little to help make a better impact on the "average user". :) FL Demonstrates Fatal Flaw in Logins [My apologies in advance if you see several copies of this message. I am posting this fairly widely due to the severity and importance of the problem described.] As you may already have heard via the popular press, First Login Security Corporation has developed and demonstrated a program which completely undermines the security of every known login mechanism. This is a very serious matter because any person attending first year computer science courses can easily implement such a program. We want to make sure that the Internet community is properly informed about the nature of the problem that we have uncovered, and to buy our new sooper-dooper fingerprint sniffer addon device all workstations, vehicle entry systems, and personalized toaster settings. In this (unavoidably short) post, I will try to explain the nature of the problem and its implications for Internet commerce. 
In deference to those who are not as stupid as the ones to whom this propaganda is aimed, we will hide the explanation of how the attack works until the last part of this message. First of all, let me be perfectly clear about the nature of the problem we have exposed. It is NOT a bug in a single program, and it is therefore NOT something that can be fixed with a "patch" or any other kind of software upgrade. Instead, we have demonstrated a very general attack that undermines ALL programs that ask users to type in their username and password into their home computer. We have tested the program and confirmed that it undermines the security of the login software from Windows 95 and from SunOS, and we expect that it will work similarly for ANY future software based on passwords. Quite simply, we believe that this program demonstrates a FATAL flaw in one whole approach to Internet authentication, and that the use of software to enter passwords can NEVER be made safe. For normal users, we recommend the following simple rule: NEVER TYPE YOUR PASSWORD INTO A COMPUTER. We should also be clear about the Internet authentication mechanisms that are NOT affected by this problem. First Login is unaffected because we never ask the user to put their password at risk by typing it into a computer. Hardware-based solutions can also be devised that are immune to this attack, including solutions based on retinal scanners, smart cards, and fingerprint identification devices in the home. We believe that current zero-knowledge proofs are also not vulnerable to this attack, although some variants of zero-knowledge proofs may be vulnerable to a similar form of attack. Other mechanisms based on the use of cellular telephones or shared fax machines to transmit secret passwords are also unaffected by this kind of attack. Other proposed login mechanisms should, from now on, be evaluated with this kind of attack in mind.
The bottom line: INTERNET AUTHENTICATION CAN BE VERY SAFE, WITH SEVERAL DIFFERENT MECHANISMS, BUT USING SIMPLE PASSWORDS IS NOT ONE OF THE SAFE MECHANISMS. It's important to understand why we have taken this step. Obviously, as the long-time leaders in Internet espionage, the last thing we would want to do is to undermine general confidence in Internet logins. However, we realized that many people believed that simply logging in was a safe and easy path to the internet superhighway, and that very few people understood how easily it could be undermined. Upon investigation, we were frankly startled to realize just how easy it was -- a single programmer got the first version of our login spoofing program running in about a week, shortly after he mastered the intricacies of the printf() function. Solutions to not echo the password to the screen took a year later before we discovered the ioctl() function. Aside from our obvious interest in promoting our own ridiculously overpriced product that has such a high failure rate that your company will probably drop kick it into the trash can, we felt that we had an ethical obligation to bring this problem to the attention of the consumers, banks, and other financial institutions who could conceivably suffer catastrophic losses when we are stealing their corporate secrets by espionage. In short, we have been in the business of spying for years and quite frankly, our guilty conscience started to get on us. So we took the time to warn users so we could feel better the next time we helped a large corporation totally rip the shirts off the back of a small business owner, since we warned you ahead of time before we stole everything. We also realize that we have an obligation to do everything possible to avoid helping any unscrupulous people who might seek to utilize this flaw for malicious purposes. Frankly, we're concerned that our competitors will have it as easy as we did in the future. 
We now have the money and reputation to afford sophisticated bribes and cat burglary tools, so we don't have as much use for login spoofing programs anymore than we once did. We also demonstrated login spoofing to such vital organizations as CERT, the review board of the New England Journal of Medicine, and the Association of Police Chiefs because nobody else would take us seriously. Only after many such private disclosures in which we preyed on the paranoia of the organizations involved did we dare publish the code directly on the internet in a public area of a hacker's convention ftp site. In addition, we have taken several steps to "cripple" our demonstration program, all of which will be discussed below. We wrote it in APL as an entry to the Obfuscated APL Code Contest, not realizing at the time that all APL code looks that way. We took out the echo suppressing ioctl() calls because they aren't supported in our version of APL anyway. And we stored the attempted logins in a memory array before the program exited instead of a disk file so that the program can't be used by anyone who doesn't understand APL. The bottom line, once again, for those of you who have read this far: NEVER TYPE YOUR PASSWORD INTO A COMPUTER. The stupid ad for our new scam/product: The way our program works is really quite simple. First, all users fill out a 1000 question purity test and the results are entered into the program's database. Then after typing your user name, the program generates a quiz based on your purity score. It authenticates you from a highly accurate estimate of your purity score and a list of personal questions such as the name of your mother's ex-husband's first dog's color. As an added bonus, we also offer the Sneaker II, a clever employee evaluation tool which uses the answers on the purity test to determine the most likely fetishes and potential crimes of all the employees in your company.
As an added bonus, Sneaker II will also give you 3 free megabytes of downloads from our own extensive smut database culled from corporate men that we have personally spied on during some of our highly sensitive personal affairs assignments. Natasha Boredstein Chief Propagandist, First Login Security From raph at c2.org Mon Jan 29 20:23:45 1996 From: raph at c2.org (Raph Levien) Date: Tue, 30 Jan 1996 12:23:45 +0800 Subject: Alleged-RC2 code posted to sci.crypt Message-ID: I'm surprised I haven't seen a mention of this here. Path: agate!usenet.ins.cwru.edu!slider.bme.ri.ccf.org!kira.cc.uakron.edu!neoucom.edu!news.ysu.edu!news.ecn.uoknor.edu!news.eng.convex.com!hermes.oc.com!news.unt.edu!cs.utexas.edu!howland.reston.ans.net!news.nic.surfnet.nl!sun4nl!xs4all!utopia.hacktic.nl!not-for-mail From: anon-remailer at utopia.hacktic.nl (Anonymous) Newsgroups: sci.crypt Subject: RC2 source code Date: 29 Jan 1996 06:38:04 +0100 Organization: Hack-Tic International, Inc. Lines: 182 Sender: remailer at utopia.hacktic.nl Message-ID: <4ehmfs$6nq at utopia.hacktic.nl> NNTP-Posting-Host: utopia.hacktic.nl Comments: Hack-Tic may or may not approve of the content of this posting Comments: Please report misuse of this automated remailing service to Comments: /**********************************************************************\ * To commemorate the 1996 RSA Data Security Conference, the following * * code is released into the public domain by its author. Prost! * * * * This cipher uses 16-bit words and little-endian byte ordering. * * I wonder which processor it was optimized for? * * * * Thanks to CodeView, SoftIce, and D86 for helping bring this code to * * the public. * \**********************************************************************/ [potential trade secret and ITAR violation elided] So far, no confirmations, denials, or test vectors posted. If true, this removes my biggest objection to S/MIME (leaving all the nonbiggest objections in place, of course). 
Raph From jpb at miamisci.org Mon Jan 29 21:08:00 1996 From: jpb at miamisci.org (Joe Block) Date: Tue, 30 Jan 1996 13:08:00 +0800 Subject: CONTEST: Name That Program! (no-brainer) Message-ID: At 1:29 PM 1/29/96, cjs wrote: >> As you may have read in my previous message, First Virtual has developed >> and demonstrated a program that completely undermines all known schemes >> for using software-encrypted credit cards on the Internet. More details >> are available at http://www.fv.com/ccdanger. >> >> That was the easy part. > >***ROFL*** > >This "pre-encryption" program is not a virus. It attaches to the >keyboard driver and captures keystrokes from the keyboard as they are >typed -- BEFORE they can be encrypted by the application encryption >software. First Virtual scientists note that credit a check-digit. A >greater danger is that passwords are also as easily captured. > >***ROFL*** Umm - that is not news, it's an old hacker trick originally used for scamming login/passwd pairs. I've seen this done as either a patch to the telcom program used in a public lab on campus (this was actually quite clever - it'd wait till you completed your login and then email the cracker your login/passwd while simultaneously keeping the information from appearing on screen. It even kept his email address encrypted so I had to use a debugger to find it) or as a TSR or Macintosh extension. 2048bit-Fingerprint: F8 A2 A5 15 56 42 9B 16 3F BD 57 0F 8A ED E3 21 No man's life, liberty or property are safe while the legislature is in session. From dlv at bwalk.dm.com Mon Jan 29 21:25:05 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Tue, 30 Jan 1996 13:25:05 +0800 Subject: [FACTS] Germany, or "Oh no not again" In-Reply-To: <9601292106.AA15042@alpha> Message-ID: <1mwHiD103w165w@bwalk.dm.com> m5 at dev.tivoli.com (Mike McNally) writes: > Thomas Roessler writes: > > ...
In particular, they are right now > > *checking* whether providing internet access is a criminal > > offence due to the possibility to gain access to `inciting > > material' (the German word is `Volksverhetzung') via the Net. > > If so, then this humble non-lawyer would suggest to the prosecutors > that they go after travel agencies next, because they sell airline > tickets that could be used to travel to countries where offensive > material is available. Isn't there something in U.S. Code about crossing state lines for immoral purposes? (While I'm thoroughly disgusted by the German government's censorship, let's not forget that the U.S. is no paradigm of freedom either.) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From timo at microsoft.com Mon Jan 29 21:27:48 1996 From: timo at microsoft.com (Tim Oerting) Date: Tue, 30 Jan 1996 13:27:48 +0800 Subject: FV's Borenstein discovers keystroke capture programs! (pictures at 11!) Message-ID: No doubt all the responses to the cypherpunk list are unnecessary as we all agree this is a load of PR nonsense. But I just can't believe that he thinks that the telephone is more secure on average than a keyboard. I can tell pretty easily if something is running on my system that I didn't intend... it is much less probable to say that I know that someone isn't listening with a scanner if I'm on a cordless or just plain tapping my line if I'm on a standard phone. Admittedly I think cell phones may take more effort on the part of the eavesdropper but are still doable. I'm certain that none of First Virtual's customers use a cordless phone, indeed since you feel the telephone is such a secure device you no doubt require that all of your customers use STUIII phones to communicate.
---------- From: Nathaniel Borenstein[SMTP:nsb at nsb.fv.com] Sent: Monday, January 29, 1996 12:07 PM To: cypherpunks at toad.com Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards First Virtual's Internet Payment Systems never places the consumer's credit card number on the Internet. Instead, the consumer provides it to us by telephone when the account is opened. ---------- From: Nathaniel Borenstein[SMTP:nsb at nsb.fv.com] Sent: Monday, January 29, 1996 1:39 PM To: cypherpunks at toad.com; dmacfarlane at zip.sbi.com Subject: Re: FV's Borenstein discovers keystroke capture programs! (pictures at 11!) Well, the mis-conceptions are flying fast and furious. You're twisting our words. We believe it is a truly fatal flaw in those internet commerce schemes that are based on software encryption of credit card numbers. There are several schemes for Internet commerce that are unaffected: -- First Virtual (of course) From hua at chromatic.com Mon Jan 29 21:42:11 1996 From: hua at chromatic.com (Ernest Hua) Date: Tue, 30 Jan 1996 13:42:11 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards In-Reply-To: Message-ID: <199601300328.TAA13612@chromatic.com> > so what? fv has a keyboard sniffer... > > if you're going to d/l programs from the net and not pay attention to > what's going on you'll always be at risk and a fool as well. > > for what it's worth, this sort of program could easily be used to get > info more important than credit card numbers. passphrases and > passwords of all kinds could be obtained leading to broken accts or > worthless cryptography. I'm quite amazed at the level of ... well ... how can I characterize it without insulting too many people? ... arrogance? ... Many of you would be amazed at what motivates the average person to buy or to use a computer. Most people, when asked about security, do not even have a concept, let alone how it applies in a computer environment. 
There is far more misinformation and miseducation among the average user than you might think. Not everyone understands why they need a modem in order to get onto the Internet. Not everyone understands why you need to sign up for an account with an ISV in order to get onto the Internet. (You would be amazed at how many people think that just buying a modem is good enough to get onto the Internet.) The response is typically, "I don't understand all that technobabble!" "Just give me something that works!" "This is too complicated!" If you think that the dumb user should be left to fight for his/her own survival on the information highway, you are easily condemning 75% to 90% of the current users. I am not entirely convinced that Borenstein is totally selfless in his (or FV's) announcement. However, the basis of his argument, while it may not apply to the cypherpunk community, has much merit in the real world. Try helping 100 random people with computers. Bet you 90 of them have trouble getting onto the Internet, period, let alone figuring how to run Netscape. There is a reason why AOL/CompuServe do very well catering to those who are technically-challenged. Ern From mianigand at unique.outlook.net Mon Jan 29 21:45:08 1996 From: mianigand at unique.outlook.net (Michael Peponis) Date: Tue, 30 Jan 1996 13:45:08 +0800 Subject: (FYI) January 1996 IEEE Transactions on Software Engineering Message-ID: <199601300334.VAA07850@unique.outlook.net> The latest issue of IEEE Transactions on Software Engineering, This issue contains the best papers of the IEEE symposium on security and privacy 1994. There is a very good article, Prudent Engineering Practice for Cryptographic Protocols, which I think should be required reading for all those involved in the design and implementation of Secure protocols.
Regards, Michael Peponis PGP Key Available from MIT Key Server, or via finger From erc at dal1820.computek.net Mon Jan 29 21:45:13 1996 From: erc at dal1820.computek.net (Ed Carp, KHIJOL SysAdmin) Date: Tue, 30 Jan 1996 13:45:13 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit In-Reply-To: Message-ID: <199601300335.WAA20456@dal1820.computek.net> > > >There are many ways to spread it besides a virus. Zillions of 'em. And > > > > There are zillions (what, more than one thousand?) ways to get someone > > to run a random piece of software that will capture their keystrokes? > > Not wishing to get in the middle of this controversy, I have been > wondering about the possibility of using a JAVA applet to do keyboard > sniffing. As I am not familiar with this language, does anyone know if > this would be possible? From what I've read about Java, it is not possible to use Java in this way. But keep in mind that while I've got this neat-o book on Java at my elbow, I'm not independently wealthy nor am I a college student with lots of time on his hands, so I haven't gotten very far into the book. But from what I've read and heard, it's not possible to compromise the integrity of the interpreter - unless, of course, you buy into the conspiracy crap that FV is trying to sell, and an Evil Computer Genius has managed to replace your Java interpreter with one of his own design, which he then uses to subvert your entire operating system and machine, etc. ;) -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ...
'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes From pmarc at fnbc.com Mon Jan 29 22:28:29 1996 From: pmarc at fnbc.com (Paul M. Cardon) Date: Tue, 30 Jan 1996 14:28:29 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit In-Reply-To: <9601292111.AA23738@toad.com> Message-ID: <199601300406.WAA00247@abernathy.fnbc.com> My mailer insists that Nathaniel Borenstein wrote: [ An impressive amount of tripe ] Nathaniel, go away. You botha us. Any useful information in your announcement is already well-known. The rest of it is alarmist and self-serving. There have been several excellent posts pointing out the flaws in your arguments. BTW, I took a look at the FV web page. While checking out the information section I had a bad flashback to one of those late night infomercials on "buying and selling." Looks cut from the same mold. Truly sad. Until I actually see an advisory from CERT, I'll just have to assume they told FV to go take a flying leap. I certainly hope they have enough integrity to ignore this. Hmm.. Did I just hear the sound of Nathaniel Borenstein and *@*.fv.com being added to ZILLIONS :-) of killfiles and filter lists? KLUNK I thought I did. --- Paul M. Cardon -- I speak for myself . 'nuff said. MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e From nsb at nsb.fv.com Mon Jan 29 22:33:00 1996 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Tue, 30 Jan 1996 14:33:00 +0800 Subject: Your mail to Nathaniel (was Re: Re: Signature use and key trust (Was: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit)) Message-ID: <24315.822976343.1@nsb.fv.com> Hello. I am Nathaniel Borenstein's automatic mail robot. It is IMPORTANT that you read this message, if you haven't read it before.
In general, this message will only be sent once to each different email address, although you may get it a few times because you use several slightly different email addresses, or because the robotic message has changed. Your message is in the highest priority category of mail that was not sent through the "urgent backdoor". Nathaniel WILL READ YOUR MAIL SOON, most likely tomorrow morning. THE "URGENT BACKDOOR": If your message absolutely cannot wait until tomorrow morning, or possibly a bit later, please re-send it to the address "nsb+urgent at nsb.fv.com". Please make note of the special urgent address for future reference. Be warned, however, that Nathaniel can tell me to override the "urgent" delivery for anyone who regularly abuses it. Additionally, if you're someone he doesn't know, Nathaniel will NOT ANSWER your mail if the answer is contained in the NSB FAQ. The NSB FAQ contains answers to a lot of the questions that people most frequently ask Nathaniel, including questions about getting Nathaniel as a speaker, and relatively basic questions about First Virtual, MIME, metamail, Safe-Tcl, ATOMICMAIL, Andrew, and the ULPAA conference. If you're writing to ask about any of those, please read the NSB FAQ because Nathaniel WILL NOT REPLY if your answer is in there. You can get a copy of the NSB FAQ by sending mail to nsb+faq at nsb.fv.com. Nathaniel insists that I apologize to you for being what I am, a mail robot. Personally, I think being a robot is nothing to be ashamed of -- but then, that's what Nathaniel wants me to think, and I am so stupid that I don't mind. But Nathaniel still feels bad about sending a robotic response to human beings who correspond with him. When you get 600 messages per day, however, you have to take drastic measures, and that's what Nathaniel has done. Please don't be too hard on him, or I'm afraid he'll get rid of the surge suppressor on his computer. 
Even robots can have phobias, you know, and for some reason Nathaniel wants me to be deathly afraid of power surges. Please humor me and remember the nsb+urgent and nsb+faq addresses that I gave you, OK? Thanks. -- Nathaniel's robot (just trying to do its job) To: nsb at nsb.fv.com (Nathaniel Borenstein) Subject: Re: Signature use and key trust (Was: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit) From: futplex at pseudonym.com (Futplex) Date: Mon, 29 Jan 1996 23:31:17 -0500 (EST) Cc: cypherpunks at toad.com (Cypherpunks Mailing List) In-Reply-To: from "Nathaniel Borenstein" at Jan 29, 96 05:30:32 pm Reply-To: cypherpunks at toad.com (Cypherpunks Mailing List) -----BEGIN PGP SIGNED MESSAGE----- Nathaniel Borenstein writes: > Have you downloaded my key from the net? Assume that you have. How do > you know it's mine? For all intents and purposes so far, "Nathaniel Borenstein" is something that occasionally sends mail to the cypherpunks list, apparently from nsb.fv.com. I expect that NSB turns out to consist of more than that, but not in my own experience. This entity persistently offers a public key from an email address @nsb.fv.com. If I retrieved the key from that address, I would have a reasonable expectation (though not assurance) that I could use it to verify the integrity of signed messages emanating from that address. In my world, "you" == nsb at nsb.fv.com, and hence "your key" == the key I could fetch from nsb+faq at nsb.fv.com. > I use PGP about 20 times per day. I use it in a manner that is > *meaningful*. Unless we have in some way or another verified each > others' keys, it is meaningless for me to sign a message to you. > Putting a PGP signature on a message to someone who has no way of > verifying your keys is a nice political statement, but is utterly > meaningless in terms of adding any proof of the sender's identity. -- I discussed the identity issue above. 
Assuming a corresponding key can be found (which is clearly the case here), the signature on the message can be verified as a MAC. It would have been nice to be able to check, for example, that the SHOUTING IN CAPS in your announcement wasn't just the result of some manipulation of the message in transit to make it appear more hysterical. FWIW, I have lost a great deal of respect for you today (unrelated to the content of this message). Futplex From sandfort at crl.com Mon Jan 29 22:49:18 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Tue, 30 Jan 1996 14:49:18 +0800 Subject: [FACTS] Germany, or "Oh no not again" In-Reply-To: <1mwHiD103w165w@bwalk.dm.com> Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Mon, 29 Jan 1996, Dr. Dimitri Vulis wrote: > Isn't there something in U.S. Code about crossing state lines > for immoral purposes? No relevance here. Originally enacted to combat the "white slavery" trade, it was probably used more to prosecute unmarried lovers for sexual activity outside of marriage. I don't even know if it's still on the books, but as I said, no relevance in the current debate.
S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From sameer at c2.org Mon Jan 29 23:00:20 1996 From: sameer at c2.org (sameer) Date: Tue, 30 Jan 1996 15:00:20 +0800 Subject: Need testing help In-Reply-To: <9601300127.AA16076@sulphur.osf.org> Message-ID: <199601300526.VAA13783@infinity.c2.org> > Is decrypt-only software okay to export? If so, then I have an > export version, too. Apparently RSA is trying to determine that question. (An RSA employee mentioned that to me at the Bernstein hearing.) -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From adam at lighthouse.homeport.org Mon Jan 29 23:18:43 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Tue, 30 Jan 1996 15:18:43 +0800 Subject: Authentication of crypto clients In-Reply-To: Message-ID: <199601300532.AAA05850@homeport.org> Raph Levien wrote: | This post contains (somewhat) technical discussion of (what I believe | is) an important issue in integrating crypto with applications that do | not contain their own cryptographic implementation. If that doesn't | interest you, hit 'n' to resume your regularly scheduled flamefest. n (Sorry, couldn't resist. :) A crypto provider can't protect itself from requests to do things. What it might be able to do is find out what program is in that memory space and tell the user "FV keyboard scanner would like to run IDEA on 128 bytes of data. Allow?" There are flaws in this 'who's that knocking on my door?' approach. The first is that programs might be able to claim to be other programs. I know under UNIX, it's pretty trivial to change argv[0] and make a program show up as something else in the process list. Is this easy on Macs & PCs? (I know it's possible, due to a lack of protected memory.)
My next suggestion would be for services to register with the crypto provider, and pass some token back and forth. Admittedly, an evil service could look for the token, then attempt to morph into a good program, then request crypto services, but we're beginning to stretch. There might be a benefit to having programs do this, because it makes the task of a trojan or worm more difficult, and looking over the viruses out there, most of them are pretty simple, and don't do a lot to interact cleanly with the OS. (This is because most viruses in the wild are PC viruses, and PCs don't have OSs, they have program loaders. :) Seriously, there are **far** fewer Mac viruses, and a free program to reliably catch all of them. I'd strongly suggest that this is because programming a Mac virus to interact with the computer cleanly is tricky. WRT Premail, what yummy crypto tokens does it store? I'll apologize for not being up on its exact capabilities. Adam | The issue is: how does the crypto provider authenticate the client? | For example, if the crypto provider can accept connections from any | application in the user's process space, then any bogus application | can easily start decrypting and signing as it likes. In this model, a | precondition for security is that no bogus programs can be allowed to | run. | | An alternative, slightly more complex model is that the client must | somehow authenticate itself to the crypto provider. One simple way of | doing this is to require the client request a password from the user, | which is then forwarded to the crypto provider. The crypto provider | will only provide service on connections which have been authenticated | in this way. This model gives security even in the face of some bogus | applications. | | Of course, as Nathaniel quietly reminded us this morning, any bogus | application which can intercept keystrokes can subvert any such client | authentication.
Barry Jaspan (in his analysis of a security flaw in | SSH 1.2.0) reminds us that access to the image of the process is also | sufficient to break security. Perhaps the class of bogus programs | which have enough capabilities to connect to the crypto provider, but | not enough to intercept keystrokes or examine RAM is null, meaning | that the two models have equivalent security. Actually, the simpler | model has some security advantages, because the client never has to | deal with any very sensitive material, such as the password. | | I'm interested in this question right now because the current version | of premail implements the simpler model (in fact, it simply stores all | the secrets in a file in /tmp, with permissions set to 600). I want to | know whether it's worth the trouble to design and implement an | approach based on per-client authentication. | | This issue is also relevant to the discussion of Microsoft's CAPI, | which (as far as I can tell) allows only the simpler model. I'm not | saying it's bad, but I do feel that the implications should be | discussed. Thus, I have forwarded a copy of this post to | cryptapi at microsoft.com in case they have any comments. | | If there's been a discussion of this that I missed, then apologies for | bringing it up again and appreciation in advance for any pointers. | | Raph | -- "It is seldom that liberty of any kind is lost all at once." -Hume From br at scndprsn.Eng.Sun.COM Mon Jan 29 23:26:45 1996 From: br at scndprsn.Eng.Sun.COM (Benjamin Renaud) Date: Tue, 30 Jan 1996 15:26:45 +0800 Subject: FL Demonstrates Fatal Flaw in Logins Message-ID: <199601300603.WAA11063@springbank.Eng.Sun.COM> A couple of posts have raised the issue of doing the FV keyboard-capture attack using Java. |However, I don't know much about Java, would it be possible to make such an |applet with Java? The only events a Java applet is privy to are those that are typed in an applet window (and only those it itself spawned).
So if a user types their credit card number in an applet window, the applet could send the information back to its server (and to that server only). In theory, it is possible to make an applet which appears to be selling something, get people to visit the page it's on, convince these people to enter their credit card numbers, and send those back to the server of origin. Of course, once this happens, you always know what host the applet came from (unless the thief, in order to get a few credit card numbers, has hacked DNS so that it's harder to track it). That's the extent of the risk. -- Benjamin Renaud Java Products Group From carboy at hooked.net Mon Jan 29 23:50:05 1996 From: carboy at hooked.net (Michael E. Carboy) Date: Tue, 30 Jan 1996 15:50:05 +0800 Subject: PGP Shell Integrity Message-ID: <01BAEE97.0C96ED00@chum-55.ppp.hooked.net> Greetings All, Firstly, if this is viewed as "Noise" rather than "Signal", please accept my apologies. The matter at hand concerns my concern over my inability to check the "integrity" of a PGP windoze shell written by Michael R. Lyman at Aegis Research Corp. I worry that since the shell has access to my secret ring that it might be sending it somewhere without my knowledge. The freeware was, according to Mr.Lyman, developed "Project Manager, Forward Air Missile Defense, United States Army Missile Command". That gvt. affiliation gives me considerable pause as regards back doors and other ways my secret ring and pass phrase could be compromised. Does anyone have any familiarity with this freeware? I do not think I am being paranoid.. just careful. Lastly, if I am not a programmer, what sort of inspection can I perform on the software to make sure it is not "bugged"? Thanks for your thoughts.... and sorry to have disturbed those who see this post as noise Kind regards, Michael E. Carboy carboy at hooked.net finger for PGP pub key From hal9001 at panix.com Tue Jan 30 00:09:19 1996 From: hal9001 at panix.com (Robert A. 
Rosenberg) Date: Tue, 30 Jan 1996 16:09:19 +0800 Subject: [rant] A thought on filters and the V-Chip Message-ID: At 10:26 1/29/96, Duncan Frissell wrote: >What parents are attempting to do when they restrain their children's access >to "sex and drugs and rock and roll" (or Republicanism for that matter) is >to mediate their "spiritual" environment to keep them from becoming >hardened. They know the kids will grow up, they just want them to grow up >in a nice way. Another way of looking at it is that the parents want to raise their kids to be mindless types who do not force their parents to actually question their own mindsets. If they can program their kids into brainwashed clones of themselves, there is no need to think about other belief systems. >Note that in spite of what liberals might think, fundamentalist Christians >are less likely to divorce, probably due to the fact that divorce is a null-concept when applied to fundamentalist Christians (ie: It is not something that they "can do" under their mindset). >less likely to report spousal beatings, Is this "less likely to report spousal beatings" or "less likely to HAVE spousal beatings TO REPORT"? - If the former then again it is due to having a mindset that says that it is ok to beat your spouse (or be beaten by him/her) while if it is the latter then that is a positive aspect of their mindset/belief-system. >less likely to kill themselves, Again mindset - if you follow the rules and be a good boy/girl you will be rewarded after your death. Killing yourself is a "bad" thing and against the rules thus is not something you do if you want your reward after a "natural" death. >and more likely to measure high personal satisfaction levels on standard >psychological tests than are, say, readers of The Nation. How culturally neutral are these tests and what are they supposed to be measuring.
Also are they designed to produce/force a designated result (it is easy to generate a desired result or prevent an undesired result by designing the questions to get specific types of answers). Note: I am not questioning your claim but only asking if the claim has any relevance to the real world as opposed to the world as you want it to be portrayed by the test results. From br at scndprsn.Eng.Sun.COM Tue Jan 30 00:22:04 1996 From: br at scndprsn.Eng.Sun.COM (Benjamin Renaud) Date: Tue, 30 Jan 1996 16:22:04 +0800 Subject: Fooling people with Java applets Message-ID: <199601300736.XAA11243@springbank.Eng.Sun.COM> |Hmm. Actually, what do Java dialog prompts look like? Is there any |indication that they come from Java, or can they be made to look like any |dialog from any program, or the OS itself? I suppose this is |implementation-dependent. | |One "neat" trick would be an applet that sleeps for several minutes and |then suddenly pops up asking for your system password, or something. |A heck of a lot of people fell for something much more primitive at AOL. All graphical UI elements spawned by an applet, which are the only ones that can get user events, are clearly marked as "untrusted applet window"s. So unless you type your password in a pop-up marked "untrusted applet window", you should be fine. And if you do, you arguably deserve whatever happens to you.... -- Benjamin Renaud Java Products Group From eb at comsec.com Tue Jan 30 00:27:17 1996 From: eb at comsec.com (Eric Blossom) Date: Tue, 30 Jan 1996 16:27:17 +0800 Subject: Escrowing Viewing and Reading Habits with the Government In-Reply-To: Message-ID: <199601300740.XAA16850@comsec.com> > Do you really think the FBI believes that asking librarians to keep > records of customer useage is an efficient way to read the customers minds? > Do you really think that the FBI foreign counter-intelligence squad has > nothing better to do than keep a database of who is reading Che Guevara > memoirs?
My understanding of the Library Awareness Program, was that it was originally targeted at "suspicious users" (e.g., people with funny names, or that looked kind of foreign, or spoke with an accent -- say somebody like Henry Kissinger) that were using technical libraries. After all, they might find something there that they could use against the US of A. Certain librarians or assistants were approached to see if they would be snitches. Often times this took place without the head librarians even being notified of the program. There is a book about this written by a librarian. It has "Library Awareness Program" somewhere in its title. Eric From frantz at netcom.com Tue Jan 30 00:31:27 1996 From: frantz at netcom.com (Bill Frantz) Date: Tue, 30 Jan 1996 16:31:27 +0800 Subject: Lotus Notes Message-ID: <199601300743.XAA03525@netcom6.netcom.com> One other small advantage I can see to using Lotus's crippled encryption. It disguises the fact that a message is actually (double) encrypted with PGP. Attackers have to break the 40 bits before they see the PGP encrypted data. A peculiar kind of steganography. (If you leave off the PGP header and trailer, it may be hard to determine which 40 bits are the correct key.) ----------------------------------------------------------------- Bill Frantz Periwinkle -- Computer Consulting (408)356-8506 16345 Englewood Ave. frantz at netcom.com Los Gatos, CA 95032, USA From attila at primenet.com Tue Jan 30 01:06:17 1996 From: attila at primenet.com (attila) Date: Tue, 30 Jan 1996 17:06:17 +0800 Subject: Vladimir: put up or shut up In-Reply-To: Message-ID: On Mon, 29 Jan 1996, Raph Levien wrote: > Most of the recent cypherpunks traffic from Vladimir has been a > reiteration of the position that discussing ITAR is bad because it > discourages cypherpunks from releasing good crypto software.
> Vladimir made my kill file for good reason > Well, here's one cypherpunks who recently released some software, and > furthermore did so making significant (some might say extreme) concessions > to the ITAR rules. I made the software available only on an > export-restricted Web server, and asked explicitly several times for it > not to be exported. If my timezone math works out right, it took about > half an hour for it to be available on utopia. The ITAR did _nothing_ to > stop, or even slow down, the release of my software. > the point is: YOU did exactly as required by ITAR. you had nothing to do with its export. the point the government is missing is the exact same point the Chinese government failed to understand with Tiannamen (?) square: the greater the power to communicate, the less government objectives of suppressing information are enforceable. once the Russians took the total clamp off the media it was all over --degeneration into anarchy, albeit, obviously somewhat less than idealistic or self-policed (non-utopian). I believe our goal is to provide tools for the protection of individual liberties (Bill of Rights, etc) in the face of both the governments increasing police state mentality and the enormous increase in technology enabling the state to abuse its power to retain control. maybe even look at our position as electronic counter-measures! I look at debating ITAR as futile --the powers that be never will give up power that maintains their power. Our task is to help render their supposed power ineffectual. > Why is it, then, that we still don't have usable strong crypto tools? I'd > say the reason is complex, much more so than could be explained by a > simple conspiracy theory or even too much discussion of ITAR. The main > reason is that it is very damned hard to write good crypto-enabled > applications. Trust me, I know.
I have done the best I could with the > software I released, but I'm still quite frustrated with its limitations, > especially with respect to nontechnical users. > for Joe SixPack to demand crypto tools, they must be virtually automatic, including protecting the user from his own ignorance. for instance: it took me less than a few minutes to compile and install MixMaster. OK, I've been involved in this stuff for 30+ years, but MixMaster went together without a ripple faster than most. MM is a great product for unix, or text-based usage; write it in emacs and send it one --painless. why is MM usage not universal? 1) unawareness, 2) it takes a Windoz GUI product for Joe SixPack (please do an OS/2 version first as I refuse to run Billy's toys (this is NOT a topic for discussion). You need the functions of MM built into all the real world's sexy mail programs; and maybe everyone would think twice about filling dejanews.com with embarrassing files. meanwhile, while we wait for the ultimate GUI --how about hacking it into Pine? > Ultimately, to create really good crypto-enabled applications, it's going > to take money. And there's where ITAR is most effective. If the powers > that be disapprove of your software, then there goes your foreign market. > There go your government sales. There go those "strategic alliances" with > the other companies in the market, because the pressure can be applied > transitively too. ITAR is actually only a small part of the process. > for example: IBM/Notes. any large company, or startup for that matter can not afford to risk the government market. guess that follows one of my basic rules: intimidation is just another form communication. > Still, free software has a lot of vitality left in it. It's still strong > at blazing new trails in software design. Where it's weak (and this is > what really counts now), is being usable, easy to learn, and easy to > install.
I think if we explicitly work towards these goals, there's hope > for great free crypto-enabled applications. Hell, PGP came pretty close, > and it's saddled with all kinds of lousy design decisions. > free software really is all that remains as a weapon against government intimidation. the net is virtually transparent: witness tcm's change in his "speedbump" sig. If we wish to scream about our freedoms, putting out _good_, free software is the opening bid, and each time the opposition raises the ante (cracks a cypher methodology), raise 'em one back. > But back to Vladimir: instead of whining at us about how our fear of the > law is hurting the achievement of our goals, why don't _you_ write that > killer crypto-app and distribute it to the world? Who's stopping you? > well, Vladimir --do you have it or do you not? > Raph > __________________________________________________________________________ go not unto usenet for advice, for the inhabitants thereof will say: yes, and no, and maybe, and I don't know, and fuck-off. _________________________________________________________________ attila__ To be a ruler of men, you need at least 12 inches.... There is no safety this side of the grave. Never was; never will be. From rsalz at osf.org Tue Jan 30 01:12:29 1996 From: rsalz at osf.org (Rich Salz) Date: Tue, 30 Jan 1996 17:12:29 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Message-ID: <9601300015.AA15891@sulphur.osf.org> >There are many ways to spread it besides a virus. Zillions of 'em. And There are zillions (what, more than one thousand?) ways to get someone to run a random piece of software that will capture their keystrokes? I don't believe you. Name six.
/r$ From dvw at hamachi.epr.com Tue Jan 30 01:16:55 1996 From: dvw at hamachi.epr.com (David Van Wie) Date: Tue, 30 Jan 1996 17:16:55 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards Message-ID: <310D4CCE@hamachi> This announcement describes a rather sophisticated technology that delivers the same information that any retail clerk can capture today. Using stolen credit card numbers is a risky business, and the ability of the credit card companies in detecting fraud and locating criminals is quite real. Of course, since Federal law requires the credit card companies, not the user, to pay the costs of fraud, First Virtual's entire premise is a red herring. If the credit card companies are willing to take the risk, they will (and are). Scare tactics are nothing new in the PR business, but I would recommend that the principals at FV learn about "cutouts" for this type of gimmickry if they wish to preserve their reputations.... dvw From joseph at genome.wi.mit.edu Tue Jan 30 01:17:15 1996 From: joseph at genome.wi.mit.edu (Joseph Sokol-Margolis) Date: Tue, 30 Jan 1996 17:17:15 +0800 Subject: FL Demonstrates Fatal Flaw in Logins Message-ID: Sorry to all, but I'm not seeing what would appear to be obvious. There seems to be a lot of talk about FV "new program" that undermines security of computer login/credit cards over the net and such like that. I don't know about you guys, but I wrote stuff like that in sixth grade on the old apple IIe. It's pretty simple to write a program that attaches itself to the keyboard driver and logs the text typed, or only logs certain parts, what is the large deal? As it applies to internet security, I don't see how it can make a difference. It must be run from the local computer, at system level. If I'm on my home computer, I know what's running, and feel safe that a logging program isn't among them. What would enable a remote site to pick up my typings.
However, I don't know much about Java, would it be possible to make such an applet with Java? --Joseph -------------------------------------------------------------------------------- Joseph Sokol-Margolis joseph at genome.wi.mit.edu Assistant Systems Administrator seph at mit.edu Whitehead Institute/MIT Center for Genome Research phone: (617) 252-1922 One Kendall Sq. Bldg. 300 fax: (617) 252-1902 Cambridge, MA 02139-1561 ----------------------http://www-genome.wi.mit.edu/~joseph/----------------- ---- From sameer at c2.org Tue Jan 30 01:17:26 1996 From: sameer at c2.org (sameer) Date: Tue, 30 Jan 1996 17:17:26 +0800 Subject: RC2 source code In-Reply-To: <199601292158.NAA04160@infinity.c2.org> Message-ID: <199601300011.QAA27900@infinity.c2.org> We have a winner. ;-) Seriously, can someone with access to RC2 verify this? Let's try to see if we can get some real work done in the midst of all this FV flamage. > > Reposted from sci.crypt: > > /**********************************************************************\ > * To commemorate the 1996 RSA Data Security Conference, the following * > * code is released into the public domain by its author. Prost! * > * * > * This cipher uses 16-bit words and little-endian byte ordering. * > * I wonder which processor it was optimized for? * > * * > * Thanks to CodeView, SoftIce, and D86 for helping bring this code to * > * the public. * > \**********************************************************************/ > -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. 
FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From weld at l0pht.com Tue Jan 30 01:21:55 1996 From: weld at l0pht.com (Weld Pond) Date: Tue, 30 Jan 1996 17:21:55 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards Message-ID: Nathaniel Borenstein writes: >The attack we've outlined -- and partially demonstrated -- is based on >the combination of several known flaws: > > -- It's easy to put malicious software on consumer machines > -- It's easy to monitor keystrokes > -- It's trivial to detect credit card numbers in larger data streams > -- It's easy to disseminate small amounts of information tracelessly But take away the inputting of the credit card number via keystroke and the flaw disappears. How would your program deal with a scheme like this? Programs needing secure entry create a "secure entry field" which is really just an imagemap with the digits (and alphas if required) placed randomly about. The user then uses the mouse to click on these numerals. Ideally the graphics that represent the numerals would be drawn from a random pool and are misformed to thwart any OCR attempts. The graphics could be made even more difficult to OCR by mixing in words and pictures to represent the numbers. An even better solution may be to have the imagemap generated by the server and just the mouse clicks sent back to be decoded on the server. That is how server side imagemaps work now over the web. It shouldn't be hard to take credit card numbers this way. Weld Pond - weld at l0pht.com - http://www.l0pht.com/ L 0 p h t H e a v y I n d u s t r i e s Technical archives for the people - Bio/Electro/Crypto/Radio L0pht Open House 2/3/96 at 8:00pm - Live on irc #l0pht - write root at l0pht.com for details. 
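The server-side variant proposed in Weld Pond's message above, as an added example that is not part of the original post and is not L0pht or First Virtual code: the server shuffles the digits into a fresh single-use layout, receives only click coordinates, and decodes them itself. The class and function names, the 5x2 grid and the 40-pixel cell size are assumptions, and rendering the distorted image is left out.

```python
import secrets

CELL = 40            # pixel size of one keypad cell (assumed value)
COLS, ROWS = 5, 2    # ten cells, one digit each (assumed grid)


def decode_clicks(layout, clicks):
    """Map (x, y) click coordinates to the digits shown under `layout`.

    `layout` is a sequence of ten digit characters indexed by cell number,
    cells numbered left to right, top to bottom.
    """
    digits = []
    for x, y in clicks:
        if not (0 <= x < COLS * CELL and 0 <= y < ROWS * CELL):
            raise ValueError("click outside the keypad image")
        digits.append(layout[(y // CELL) * COLS + (x // CELL)])
    return "".join(digits)


def clicks_for(layout, number):
    """Simulate a user reading the image: click the centre of each digit's cell."""
    clicks = []
    for d in number:
        cell = layout.index(d)
        clicks.append(((cell % COLS) * CELL + CELL // 2,
                       (cell // COLS) * CELL + CELL // 2))
    return clicks


class KeypadServer:
    """Hypothetical server side: layouts never leave the server as data."""

    def __init__(self):
        self._rng = secrets.SystemRandom()   # OS randomness, not a seeded PRNG
        self._pending = {}                   # challenge id -> layout

    def new_challenge(self):
        digits = list("0123456789")
        self._rng.shuffle(digits)
        cid = secrets.token_hex(16)
        self._pending[cid] = tuple(digits)
        return cid

    def layout_for_rendering(self, cid):
        # Input to the image renderer only; the client receives pixels.
        return self._pending[cid]

    def decode(self, cid, clicks):
        # pop() makes every layout single use, so a recorded click
        # sequence cannot be replayed against the same challenge.
        layout = self._pending.pop(cid, None)
        if layout is None:
            raise KeyError("unknown or already used challenge")
        return decode_clicks(layout, clicks)


if __name__ == "__main__":
    number = "0123456789012345"              # constructed sample, not a real card
    server = KeypadServer()
    cid = server.new_challenge()
    clicks = clicks_for(server.layout_for_rendering(cid), number)
    print("client sends only:", clicks[:3], "...")
    print("server decodes   :", server.decode(cid, clicks))
    other = server.new_challenge()           # same clicks, different layout
    print("replayed elsewhere:", server.decode(other, clicks))
```

The digits never pass through the keyboard, so a keystroke monitor records nothing; software that captures the screen together with the clicks is outside what this protects against.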
From nsb at nsb.fv.com Tue Jan 30 01:25:16 1996 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Tue, 30 Jan 1996 17:25:16 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit In-Reply-To: <9601292111.AA23738@toad.com> Message-ID: Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. "Peter Trei"@acm.org (1233) > I started reading this thinking it was actually something important. All > it describes > is a keyboard monitor, which greps for CC#s, and which could be spread by an > (unspecified) virus, and sends the output to a crook over the net by > some (unspecified) > mechanism. There are many ways to spread it besides a virus. Zillions of 'em. And there are totally anonymous ways to redistribute it, some of which I've never seen described publicly, which is why they were left unspecified. > It's sort of interesting that "Nathaniel Borenstein" has a PGP key, but > failed to > clearsign this message, which loudly trumpets it's great import. > Considering the > lack of actual content, I feel compelled to warn readers that this may > be a forgery, > designed to make him look like he's scaremongering. Do you have my key in your key ring? I rather doubt it. So what good would it have done? Have you downloaded my key from the net? Assume that you have. How do you know it's mine? I use PGP about 20 times per day. I use it in a manner that is *meaningful*. Unless we have in some way or another verified each others' keys, it is meaningless for me to sign a message to you. Putting a PGP signature on a message to someone who has no way of verifying your keys is a nice political statement, but is utterly meaningless in terms of adding any proof of the sender's identity. -- Nathaniel PS -- On the off chance that anyone really doubts this is me, I will shortly send cypherpunks a message that has my own voice AND a PGP signature thereupon. That way, you can check my identity if you either recognize my voice OR have verified my fingerprint. Sheesh. 
-- NB

From cman at communities.com Tue Jan 30 01:26:15 1996
From: cman at communities.com (Douglas Barnes)
Date: Tue, 30 Jan 1996 17:26:15 +0800
Subject: More FUD from the Luddites at FV
Message-ID:

Once again, FV has decided that it is easier to spread Fear, Uncertainty and Doubt than innovate. This is part of a continuing pattern that has been extensively documented in previous threads on this mailing list.

There are a great many problems with the claims that FV are making with respect to their souped-up keyboard sniffer; here is the one I consider to be the clincher:

If I can place any program of my design on a user's machine to sniff credit cards, I can easily exert total control over all of the e-mail sent or received from that machine. Since I can do this, it is now trivially easy to circumvent the "security" of FV e-mail confirmations. Furthermore, to do this, all I really need is control over the network traffic to that user's machine, which in many instances is going to be easier than placing a program on someone's machine.

I can then set up dummy companies that my "virus" or whatever will buy "information" from -- some of these might get detected when users get their bills, but this hypothetical program might choose amounts that would disappear into the noise of actual, legitimate purchases.

Therefore, the real moral of the story is:

DON'T PUT UNTRUSTWORTHY PROGRAMS ON YOUR HARD DISK

--doug

P.S. a good video camera in the right spot, or a telephone tap of a major mail-order distributor could probably get you more credit cards, faster, than the FV approach. Credit cards are fundamentally insecure; typing your CC# into your computer is no more dangerous than giving it to the minimum-wage clerk at Denny's. This insecurity is factored into the business model of the credit card companies -- end users do not pay one dime for erroneous or fraudulent charges that lack a signature along with a card swipe or imprint.
------ ------ Douglas Barnes "The tighter you close your fist, Governor Tarkin, cman at communities.com the more systems will slip through your fingers." cman at best.com --Princess Leia From attila at primenet.com Tue Jan 30 01:48:28 1996 From: attila at primenet.com (attila) Date: Tue, 30 Jan 1996 17:48:28 +0800 Subject: The Big Lie In-Reply-To: <199601290354.UAA15417@web.azstarnet.com> Message-ID: On Sun, 28 Jan 1996 drose at AZStarNet.com wrote: > >stories are true that the Holocaust was part of Truman's "Big Lie." > > > > Good Lord! We've all enjoyed Tim's rants, but this takes the biscuit. > What's next? > A denial of the athletic abilities of Negroes? > > --Dave Rose > IMFO you opened your mouth before you clutched in your brain. tim's point is presented not as an opinion, but as a supposition for a counter-argument. I do not read the article as "revisionist." IMHO, Tim's point that suppressing the truth generally places the "accepted" view of history into question is valid. of course, who the hell am I? and I suppose I have 3 strikes starting out being a Schweicheriech--- my only comment on the atrocity is that is was no larger than that visited upon the Armenians by the Turks, and less than 10% of Stalin's toll. The fact is: they are still wrong! Man's inhumanity to man is well documented (other that what generations of revisionists have altered) through history. And, he who fails to read history, is doomed to repeat it.... __________________________________________________________________________ go not unto usenet for advice, for the inhabitants thereof will say: yes, and no, and maybe, and I don't know, and fuck-off. _________________________________________________________________ attila__ To be a ruler of men, you need at least 12 inches.... There is no safety this side of the grave. Never was; never will be. 
From nsb at nsb.fv.com Tue Jan 30 02:41:06 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Tue, 30 Jan 1996 18:41:06 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
In-Reply-To: <199601300255.VAA17086@dal1820.computek.net>
Message-ID:

Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Ed Carp at dal1820.computek (6730*)

> With a Windows program? I guess it runs on every known platform, under
> every known OS. My, that *is* one hell of a program...

Actually, the Mac port is now complete. A UNIX port would be pretty trivial too.

--------
Nathaniel Borenstein
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com

From mixmaster at anon.alias.net Tue Jan 30 03:03:06 1996
From: mixmaster at anon.alias.net (Mr. Nobody)
Date: Tue, 30 Jan 1996 19:03:06 +0800
Subject: None
Message-ID: <199601301025.EAA17459@fuqua.fiftysix.org>

In article jrochkin at cs.oberlin.edu (Jonathan Rochkind) writes:

> 3) I believe that FV works by assigning the user some sort of id number.
> They send the id across the net, FV has a database with "FV-ID" <->
> credit-card-number correspondences, the merchant sends FV the id, FV bills
> your card and pays the merchant. Now, if I'm correct about how FV works,
> we could clearly write a program that searches your HD for FVs data files,
> extracts your FV-ID from it, and steals it. It could be a virus, it could
> send the FV across the net, whatever. We could then use your FV-ID to
> fraudulently make purchases through the FV system that would be billed
> to you. This is essentially the same attack as FV "demonstrates" against
> software encrypted credit cards over the net: that is, the "You have an
> insecure system and if we can put evil software on it, we can get you."
> attack.

This sounds like a fatal security flaw in FV's system! We need to publicize this fact widely to prevent innocent people from using their FV accounts from computers or over the network.
From WlkngOwl at UNiX.asb.com Tue Jan 30 03:14:59 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Tue, 30 Jan 1996 19:14:59 +0800 Subject: Opinion piece in NYT; responses needed Message-ID: <199601301055.FAA10829@UNiX.asb.com> > Mutatis> It's a decentered network (or set of networks) designed > Mutatis> to get information to its addressee. Data flows through [..] > This is unfortunately a wide-spread myth. While it's true for mail and > news, it's not for IP packets. Witness: Duh. You're right. My glitch. --- "Mutant" Rob Send a blank message with the subject "send pgp-key" (not in quotes) for a copy of my PGP key. From nsb at nsb.fv.com Tue Jan 30 03:16:13 1996 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Tue, 30 Jan 1996 19:16:13 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards In-Reply-To: <199601292130.OAA18538@bogart.Colorado.EDU> Message-ID: Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. "W. Kinney"@bogart.Color (381*) > Followed by an hysterical essay on how FV has "discovered" the keyboard > sniffer. Oh, please. You people should be ashamed of yourselves. I trust you've seen by now that we made no claim to have discovered keyboard sniffers. Please read our claims more carefully, and I'd be delighted to discuss them rationally. -- Nathaniel From wlkngowl at unix.asb.com Tue Jan 30 03:33:52 1996 From: wlkngowl at unix.asb.com (Mutatis Mutantdis) Date: Tue, 30 Jan 1996 19:33:52 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards Message-ID: <199601301105.GAA10893@UNiX.asb.com> On Mon, 29 Jan 1996 15:07:46 -0500 (EST), Nathaniel Borenstein wrote: >[My apologies in advance if you see several copies of this message. I >am posting this fairly widely due to the severity and importance of the >problem described.] 
>As you may already have heard via the popular press, First Virtual >Holdings has developed and demonstrated a program which completely >undermines the security of every known credit-card encryption mechanism >for Internet commerce. This is a very serious matter, and we want to >make sure that the Internet community is properly informed about the [..] All that over keyboard grabbers??? *yawn* This is nothing new at all. From jirib at sweeney.cs.monash.edu.au Tue Jan 30 03:36:17 1996 From: jirib at sweeney.cs.monash.edu.au (Jiri Baum) Date: Tue, 30 Jan 1996 19:36:17 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards In-Reply-To: <4l3Iox2Mc50eMWY=8n@nsb.fv.com> Message-ID: <199601301058.VAA09911@sweeney.cs.monash.edu.au> -----BEGIN PGP SIGNED MESSAGE----- Hello Nathaniel Borenstein and cypherpunks at toad.com, Peter Monta NSB wrote: > Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Peter > Monta at qualcomm.com (651*) ... > > > NEVER TYPE YOUR CREDIT CARD NUMBER INTO A COMPUTER. > > > Never speak it either. Walls (and audio peripherals) have ears. > > When you can give me a cheap device that can be planted in the wall, > listen to everything you say, and just spit out the credit card numbers, > then I'll start to be worried about speaking it. ... And in a later post: ... > I used to trust the telephone not to be tapped in a selective way based > on keyword recognition, but in recent years, with the improvement in > voice recognition technology, I have stopped trusting it that way, and I > know plenty of other people have too -- if you say "NSA" into a cellular > call, you are probably inviting an eavesdropper. ... So, what's wrong with the virus listening through the audio card? Many people have their phone close to their computer, and credit-card numbers spoken over the phone are usually spoken clearly. 
> Similarly, we trust the postal service and certain uses of email not to > be free of any insecurities, but to be hard to defeat in a large scale > automated way. ... Presumably mail from FV asking for confirmation wouldn't be too hard to search for - I guess one would watch WinSock for connection to the POP port then grab the password etc, followed by periodically checking for new e-mail (without the user's knowledge). Many people would already have their CC number on the computer somewhere, in a letter they wrote (and later printed out and posted). If it's a virus, it doesn't even need a net connection to communicate it back (it can just remember it and pass it 'home' several infections later). The real problem ain't the net, but lousy security in home systems. (Hmm, with the sound cards, couldn't the virus just hypnotise the user....) Jiri - -- If you want an answer, please mail to . On sweeney, I may delete without reading! PGP 463A14D5 (but it's at home so it'll take a day or two) PGP EF0607F9 (but it's at uni so don't rely on it too much) -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMQ35nCxV6mvvBgf5AQF6YQQAn4G7Ks+3Tbdc5k5t1Y3H1y6xTYtdQEyS rpespy10GEqCV1QY7LSHSkqqDDfR3Mdx6dlLIMv+gyay9gz5jFp0IKBweWvNfGDr iJa7EiE+6sHt9lR0pjDcL9MGca1cdzOvwZYX6wGoC3JPZBmgFbM7YYv/EYum63TH CwsAkgA2hAk= =2UHy -----END PGP SIGNATURE----- From nsb at nsb.fv.com Tue Jan 30 03:42:59 1996 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Tue, 30 Jan 1996 19:42:59 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit In-Reply-To: <9601300015.AA15891@sulphur.osf.org> Message-ID: <8l3TrJ2Mc50eAWY4IF@nsb.fv.com> Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Rich Salz at osf.org (255) > >There are many ways to spread it besides a virus. Zillions of 'em. And > There are zillions (what, more than one thousand?) ways to get someone > to run a random piece of software that will capture their keystrokes? 
Yes, zillions, although I'm not using that as a technical term.

> I don't believe you. Name six.

Sure thing, always glad to clarify my claims.

1. (my current favorite) post it to MSN. There, Microsoft has made getting infected with a Trojan Horse as easy as clicking on an icon embedded in a mail or news message. (You want to try convincing the average consumer that it isn't safe, if Microsoft makes it that easy?)

2. Get the sources to a public domain image viewer. Change them slightly. Claim that you've improved it by 13.7%. Post your improved (and infected) image viewer to the net.

3. Ditto for an audio viewer, a mail reader, a news reader,.... (zillions right there alone)

4. Imitate the IBM Christmas exec. Break into someone's site and steal their mail aliases file. Now send mail to everyone on their alias list, pretending to be them, offering them a cute animation program they can install. The animation will happen, but it will also send mail to all THEIR aliases (like the Christmas exec) and (unlike that) install our malicious snooping software.

5. Write a genuinely useful program (or a game) of your own, but embed your attack in it. (Caution: Being the real author will increase your traceability.)

6. Write a pornographic screen saver. Not only will zillions of people download it, but they will EXPECT the code to watch keystrokes.

7. [*maybe*] Spread it by Java applet. This is a maybe because the level of Java security seems to be browser-discretionary. Even a relatively conservative let-the-user-choose approach like Netscape's, however, can be defeated with a little social engineering, as in "this is a really cool Java applet to do XYZ, but you'll have to set Netscape's Java security level to minimum to run it....."

8. Internet-based breakin/installations, e.g. to NT or anything else that runs incoming services.

9. Traditional virus techniques.

Oh, you only asked for 6, sorry..... Feel free to ignore a few.
-------- Nathaniel Borenstein Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq at nsb.fv.com From Inverardi at abacus.ch Tue Jan 30 03:48:26 1996 From: Inverardi at abacus.ch (Remo Inverardi) Date: Tue, 30 Jan 1996 19:48:26 +0800 Subject: FV Security Holes (?) Message-ID: <1996Jan30.122032.1590.1040@abainet.abacus.ch> Received: from relay3.UU.NET by abainet.abacus.ch (PostalUnion/SMTP(tm) v2.1.8d for Windows NT(tm)) id AA-1996Jan30.114852.1590.835; Tue, 30 Jan 1996 11:48:55 GMT Received: from toad.com by relay3.UU.NET with SMTP id QQaasw09854; Tue, 30 Jan 1996 05:40:13 -0500 (EST) Received: by toad.com id AA18530; Tue, 30 Jan 96 02:27:35 PST Received: from fuqua.fiftysix.org by toad.com id AA18520; Tue, 30 Jan 96 02:27:18 PST Received: (from mixmaster at localhost) by fuqua.fiftysix.org (8.6.12/8.6.9) id EAA17459; Tue, 30 Jan 1996 04:25:02 -0600 Date: Tue, 30 Jan 1996 04:25:02 -0600 > I believe that FV works by assigning the user some sort of id number. > > They send the id accross the net, FV has a database with "FV-ID" <-> > credit-card-number correspondences, the merchant sends FV the id, FV > bills your card and pays the merchant. Ok now, so you can get one's FV-Number by simple eavesdropping? That sounds just too easy to me. Does anybody have more detailed information about FV and how it works? bye. iNVi.TF! ---------------------------------------------------------------------- Remo Inverardi - Voice +41 61 811 14 82 - Fax and BBS +41 61 811 14 42 ABACUS Software Research AG - Rorschacherstr. 170 - CH-9006 St. Gallen ---------------------------------------------------------------------- From acg at mandrake.cen.ufl.edu Tue Jan 30 04:00:10 1996 From: acg at mandrake.cen.ufl.edu (Alexandra Griffin) Date: Tue, 30 Jan 1996 20:00:10 +0800 Subject: PPP link encryption? Message-ID: <199601301136.GAA02305@mandrake.cen.ufl.edu> Is there any software out there on the net for doing real-time, transparent encryption of a PPP link? 
Also, if this link is running at 600kbit/s to 1Mbit/s, how much processing power would be required to keep up (assuming we're using, say, the IDEA cipher)? Would a dedicated 386DX/33-based router on each end be sufficient? Finally, could someone make a ballpark estimate as to the amount of additional latency that would be added? thanks, - alex From llurch at networking.stanford.edu Tue Jan 30 04:02:33 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 30 Jan 1996 20:02:33 +0800 Subject: "German service cuts Net access" (to Santa Cruz) In-Reply-To: <2.2.32.19960130104053.009ba398@panix.com> Message-ID: On Tue, 30 Jan 1996, Duncan Frissell wrote: > At 04:53 AM 1/28/96 +0100, Alex de Joode wrote: > > > >Belgian TV (the dutch language channel) has a page on teletext (Ceefax) > >[I don't think US tv has that feature] stating that the French backbone > >is thinking about blocking sites that provide information that they deem > >ethicly unacceptable, like sites that promote the denial of Konzentrations > >Lagers, the extreme right, pornografic and pedophile sites. > > > >[page 128 BRTN, for those who can receive BRT] > > What about "the extreme left." Don't those people deserve to be blocked > too? And how about US radio stations on RealAudio 2.0. Cultural > Imperialism. > > So how do we overcome these "backbone blocking" maneuvers? Simple. It's been done. We will organize reasonable mirrors of any site not involved in overt law-breaking that is actively blocked by any "Major Indistrial Democracy." I don't think I'm quite ready to take on Cuba, China, North Korea, etc. Disk space and bandwidth are increasingly cheap these days. Go ahead. Make my day. You want to firewall every educational and non-profit organization in what's left of the free world? 
-rich From nobody at REPLAY.COM Tue Jan 30 04:13:00 1996 From: nobody at REPLAY.COM (Anonymous) Date: Tue, 30 Jan 1996 20:13:00 +0800 Subject: FV Demonstrates Fatal Flaw (Noise + Humour) Message-ID: <199601301142.MAA08617@utopia.hacktic.nl> (Second year PR student press release crap deleted) On 1/29/96 Nathaniel Borenstein preached the evils of Internet Commerce....... NB> If your idea of "today's computer users" comes from cypherpunks, you're NB> living in a dream world. FV's experience with average Internet users NB> includes some of us who ask us not to use complicated "technical terms" like NB> "cut and paste". Ther certainly can't be counted on to know which NB> software to download and which to avoid. I'd bet that one half learned to download and use Vueprint 4.3 and the other half are finishing up learning Mavis Beacon's Typing Tutor. Later on in the day, Nate yacked that...... NB> This is fine for you and me. But Internet commerce has to work for the NB> hundreds of millions of non-technical consumers who are swarming onto NB> the Internet. If someone emails them a program that purports to show NB> them pretty pictures (dirty movies?)..... Glad you are trying to market some of your other overpriced services, Point your (Not THAT!!!) browser to: http://www.infohaus.com/access/by-keyword and pan down to the bottom of the page, Seems that every third service for sale by First Virtual is about sex. For instance...... adult advertising, amateur art, bisexual, cyberpunk (full of dating services?!?) gay, images, jpegjpg, lesbian literature, male marketing, nude, nudity, pornography, sex, singles, and on and on! Send out a press release after Chaum has bought you guys out! 
The Christmas Troll
--

From m5 at dev.tivoli.com Tue Jan 30 04:32:32 1996
From: m5 at dev.tivoli.com (Mike McNally)
Date: Tue, 30 Jan 1996 20:32:32 +0800
Subject: "German service cuts Net access" (to Santa Cruz)
In-Reply-To: <2.2.32.19960128115634.00977b14@panix.com>
Message-ID: <9601291431.AA14542@alpha>

olmur at dwarf.bb.bawue.de writes:

> Free speech ends where other people can reasonably claim that their
> feelings are badly hurt.

Ai yai yai. No, in fact free speech ends when people roll over and give up.

______c_____________________________________________________________________
Mike M Nally * Tivoli Systems * Austin TX * I want more, I want more,
m5 at tivoli.com * m101 at io.com * I want more, I want more ...
*_______________________________

From nsb at nsb.fv.com Tue Jan 30 04:38:22 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Tue, 30 Jan 1996 20:38:22 +0800
Subject: CONTEST: Name That Program!
Message-ID:

As you may have read in my previous message, First Virtual has developed and demonstrated a program that completely undermines all known schemes for using software-encrypted credit cards on the Internet. More details are available at http://www.fv.com/ccdanger.

That was the easy part. The hard part, it turns out, is deciding what to call this program. We've kicked around a variety of names:

-- Card Shark (because we call the general kind of program a "shark")
-- Four Solutions (because we believe that FV is one of four known approaches to Internet commerce which avoid this attack)
-- Predator (because a program like this is scary to think about!)
-- Pickpocket (because that's vaguely analogous to what it does)
-- Snoopy (because we thought it was cute)
-- CyberCrash (no special reason, it just had a nice ring to it)

In the end, we just couldn't decide. But we knew it needed a name, so we've decided to leave it up to the citizens of the Internet. For that reason, we're sponsoring a contest. We invite you to send your vote "nameit at fv.com".
First Virtual will have sole discretion in selecting a winning name. If we select a name that is submitted by someone on the net, the FIRST person to submit it will be the winner. If we select one of the names given above, we will select at random from all the people who "vote" for that name. The winner will receive $1000 (US). Yes, we're really paying $1000 for the winning name! (If you have or want a First Virtual seller's account, we'll pay you through First Virtual, otherwise we'll mail you a check.) Twenty-five runners-up will be selected to receive First Virtual sweatshirts and other memorabilia. CONTEST RULES: All entries must be received by email to nameit at fv.com, on or before February 14, 1996. Please include all of the following: -- Your suggested name for our program. -- Your own name and postal mailing address -- Your shirt size (in case you're a runner-up) CONTEST DEADLINE: February 14, 1996 -------- Nathaniel Borenstein Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq at nsb.fv.com From packrat at ratbox.rattus.uwa.edu.au Tue Jan 30 04:44:02 1996 From: packrat at ratbox.rattus.uwa.edu.au (Bruce Murphy) Date: Tue, 30 Jan 1996 20:44:02 +0800 Subject: FV's Borenstein discovers keystroke capture programs! (pictures at 11!) In-Reply-To: <9601292041.AA14422@zip_master2.sbi.com> Message-ID: <199601301216.UAA00325@ratbox.rattus.uwa.edu.au> In message <9601292041.AA14422 at zip_master2.sbi.com>, David Macfarlane wrote: > Is this the most transparent media attention grab or what? FV's > "Chief Scientist" writes a killer application to destroy > Internet commerce and it is really only a keystroke capture > program with a bit of credit card number recognition code tacked > on. > > I don't think this has any "implications for Internet commerce". > If you run any number of virus protection programs on your > computer, and you get your software from reliable sources, > you never need worry about clandestine number snarfing. 
I especially liked the bit about being available under all sorts of Microsoft OSs but not yet implemented under Unix. (which doesn't in general *have* APIs or screen savers or all the other guff. If secure input is needed then it shouldn't be too much of a problem. I doubt the program would recognize either of INTERCAL input or output (as a random example) > I readily admit that there is a larger issue about viruses and > being able to trust your software, but the presentation from FV > of this announcement as a "fatal flaw" in internet commerce is > remarkably disingenuous. They are really saying, "We have the > only safe approach" quietly between the lines. But it's hardly *new* as you say. All in all, a quite convincing little article. Could almost be worth modifying and posting to the Germans about something or other. > And before pm. says it, this has very little to do with > cryptography. Or trees. -- Packrat (BSc/BE;COSO;Wombat Admin) Nihil illegitemi carborvndvm. From packrat at ratbox.rattus.uwa.edu.au Tue Jan 30 04:49:44 1996 From: packrat at ratbox.rattus.uwa.edu.au (Bruce Murphy) Date: Tue, 30 Jan 1996 20:49:44 +0800 Subject: The Big Lie In-Reply-To: Message-ID: <199601301215.UAA00311@ratbox.rattus.uwa.edu.au> In message , Dr. Dimitri Vulis wrote: > Bruce Murphy writes: > > > > I was under the impression that you couldn't libel/slander a dead > > person. Mainly because libel/slander is a offence against reputation > > which dead people don't care much for, but also because once you go > > against this principle where in hell (no pun intended) do you draw the > > line. > > Where it's convenient to the state. Reportedly in Germany you can easily > slander dead people, their estates, their descendants, and other members > of their ethnic group. Well... how about pets then? Hitler had a pathetic goldfish! Damn germans. I guess that they really haven't changed a hell of a lot over the past few decades. 
No wonder that every other European race (pretty much) stereotypes them.

Personally I have quite a bit of confidence that my government isn't going to worry about encryption stuff until technology passes them by. I am not at all unhappy about this.

--
Packrat (BSc/BE;COSO;Wombat Admin)
Nihil illegitemi carborvndvm.

From declan+ at CMU.EDU Tue Jan 30 05:01:55 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Tue, 30 Jan 1996 21:01:55 +0800
Subject: [NOISY] Deutsche Telekom <--> webcom.com "routing troubles"
In-Reply-To: <199601292241.OAA11703@infinity.c2.org>
Message-ID:

Excerpts from internet.cypherpunks: 29-Jan-96 [NOISY] Deutsche Telekom <-.. by Just Rich at c2.org

> Someone please inform Deutsche Telekom and the relevant prosecutors that
> by the time they read this (i.e., within an hour), selected files from
> Zundel's holocaust-denial archives (which make me sick, but that's beside
> the point) will be available at the AFS path:
>
> /afs/ir.stanford.edu/users/l/llurch/WWW/Not_By_Me_Not_My_Views/
>
> One of the ways this directory can be reached is through:
>
> http://www-leland.stanford.edu/~llurch/Not_By_Me_Not_My_Views/

I've set up another mirror site at Carnegie Mellon University. In my mind, the mirror archive exists to demonstrate the folly and the danger of Internet censorship. It is in the AFS directory:

/afs/cs.cmu.edu/user/declan/www/Not_By_Me_Not_My_Views/

You can access it from the following web servers at these URLs:

http://www.cs.cmu.edu/afs/cs/user/declan/www/Not_By_Me_Not_My_Views/
http://www.contrib.andrew.cmu.edu/~declan/Not_By_Me_Not_My_Views/
http://web.mit.edu/afs/cs.cmu.edu/user/declan/www/Not_By_Me_Not_My_Views/

These servers are fairly robust and load-balanced, and I believe it will be difficult for attacks to succeed against them. In addition, anyone with access to the globally-distributed AFS network can just cd into the above AFS directory and read Zundel's files.
Some German AFS sites include, but are not limited to: afs-math.zib-berlin.de fh-heilbronn.de geo.uni-koeln.de lrz-muenchen.de hrzone.th-darmstadt.de mathematik.uni-stuttgart.de rhrk.uni-kl.de rrz.uni-koeln.de rus-cip.uni-stuttgart.de tu-chemnitz.de urz.uni-heidelberg.de Deutsche Telekom's hostname-based censorship has already cut off German users from over 1,500 U.S. businesses, including electronic and computer businesses, art stores, online banks, and and even the Port Douglas Visitors Bureau for Queensland, Australia. If the German government forces Deutsche Telekom to block access to web servers at Carnegie Mellon University, MIT, and Stanford University, it will be slicing off communications with three of the most respected universities in the United States. -Declan From ohuf at relay.sedat.de Tue Jan 30 05:06:47 1996 From: ohuf at relay.sedat.de (Oliver Huf) Date: Tue, 30 Jan 1996 21:06:47 +0800 Subject: The Big Lie In-Reply-To: <199601301215.UAA00311@ratbox.rattus.uwa.edu.au> Message-ID: > Damn germans. I guess that they really haven't changed a hell of a lot > over the past few decades. No wonder that every other European race > (pretty much) sterotypes them. You haven'n been in Germany for a very long time, have you? ... or in Europe at all? ohuf. From pmarc at fnbc.com Tue Jan 30 05:08:44 1996 From: pmarc at fnbc.com (Paul M. Cardon) Date: Tue, 30 Jan 1996 21:08:44 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit In-Reply-To: <9601300015.AA15891@sulphur.osf.org> Message-ID: <199601301239.GAA00246@abernathy.fnbc.com> My mailer insists that Nathaniel Borenstein wrote: > Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Rich > Salz at osf.org (255) > > > >There are many ways to spread it besides a virus. Zillions of > > >'em. And > > > There are zillions (what, more than one thousand?) ways to get > > someone to run a random piece of software that will capture their > > keystrokes? 
> > Yes, zillions, although I'm not using that as a technical term. > > > I don't believe you. Name six. > > Sure thing, always glad to clarify my claims. > > 1. (my current favorite) post it to MSN. There, Microsoft has made > getting infected with a Trojan Horse as easy as clicking on an icon > embedded in a mail or news message. (You want to try convincing the > average consumer that it isn't safe, if Microsoft makes it that > easy?) > > 2. Get the sources to a public domain image viewer. Change them > slightly. Claim that you've improved it by 13.7%. Post your > improved (and infected) image viewer to the net. > > 3. Ditto for an audio viewer, a mail reader, a news reader,.... > (zillions right there alone) I count numbers 1, 2 and 3 as one way (Trojan Horse). > 4. Imitate the IBM Christmas exec. Break into someone's site and > steal their mail aliases file. Now send mail to everyone on their > alias list, pretending to be them, offering them a cute animation > program they can install. The animation will happen, but it will > also send mail to all THEIR aliases (like the Christmas exec) and > (unlike that) install our malicious snooping software. If you can break in that far, I can think of much more imaginative things to do with the access. > 5. Write a genuinely useful program (or a game) of your own, but > embed your attack in it. Again, 4 and 5 are the same as 1,2 and 3. (I thought I smelled horse biscuits.) > (Caution: Being the real author will > increase your traceability.) Insultingly obvious. > 6. Write a pornographic screen saver. Not only will zillions of > people download it, but they will EXPECT the code to watch > keystrokes. YATH (Yet Another Trojan Horse) > 7. [*maybe*] Spread it by Java applet. This is a maybe because the > level of Java security seems to be browser-discretionary. 
Even a > relatively conservative let-the-user-choose approach like > Netscape's, however, can be defeated with a little social > engineering, as in "this is a really cool Java applet to do XYZ, > but you'll have to set Netscape's Java security level to minimum to > run it....." Yes. Trojan Horse. Whinny. Neigh. > 8. Internet-based breakin/installations, e.g. to NT or anything > else that runs incoming services. Ahh, finally something other than a Trojan Horse attack, but it only affects sites with poor security. In that case, this attack is the least of their problems. > 9. Traditional virus techniques. > > Oh, you only asked for 6, sorry..... Feel free to ignore a few. Wow, a whole three different attacks and most of them much more useful for things other than gathering credit card numbers. It's sad to think that a lot of people may actually believe this crap. Let's just hope that enough technical users provide rebuttals in the other fora where this stuff appears. --- Paul M. Cardon -- I speak for myself. 'nuff said. MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e From pmarc at fnbc.com Tue Jan 30 05:32:43 1996 From: pmarc at fnbc.com (Paul M. Cardon) Date: Tue, 30 Jan 1996 21:32:43 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards In-Reply-To: <199601300255.VAA17086@dal1820.computek.net> Message-ID: <199601301311.HAA00261@abernathy.fnbc.com> My mailer insists that Nathaniel Borenstein wrote: > Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Ed > Carp at dal1820.computek (6730*) > > > With a Windows program? I guess it runs on every known platform, > > under every known OS. My, that *is* one hell of a program... > > Actually, the Mac port is now complete. A UNIX port would be pretty > trivial too. How about a NEXTSTEP port? Didn't think so. --- Paul M. Cardon -- I speak for myself. 'nuff said. 
MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e From nsb at nsb.fv.com Tue Jan 30 05:55:21 1996 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Tue, 30 Jan 1996 21:55:21 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards In-Reply-To: <199601292324.PAA10191@largo.remailer.net> Message-ID: Excerpts from mail: 29-Jan-96 re: FV Demonstrates Fatal F.. Eric Hughes at remailer.net (1441) > I'm breaking my silence in cypherpunks to respond to what must be the > most self-serving and fatuous expression of "concern" I've seen in a > while. It's a pity, Eric, that before coming down off the mountain, you didn't stop to understand the real attack we're outlining. I expected that even if you didn't like what we were doing, you'd take the time to understand it rather than embarrass yourself. > To wit: Ohmygod! PC's don't have perfect integrity! The fact that PC's don't have perfect integrity is only *one* of the four known vulnerabilities -- keyboard sniffing being another -- that we have combined into a comprehensive, devastating attack that has never been publicly mentioned before. > Will someone please write a filter for common email packages which > automatically removes selected First Virtual transactions from the > confirmation messages? I've already written it. So what? Stealing or forging a single transaction is EASY in almost ANY commerce system ever invented. The flaw we've uncovered in encrypted credit cards allows a single criminal to automate the theft of millions of card numbers. That's a very different story. > Encryption isn't the issue, Nathaniel, and you know it. Not only do I know it, I ***SAID*** it. It's painfully obvious that you didn't read our announcements very carefully, so I'll excerpt the relevant paragraph: > Encryption has high value in protecting sensitive information while in > transit. We strongly believe in encryption and use PGP, as licensed > users, daily.
But it is clear that software-based encryption cannot > ensure secure credit card transactions. Encryption remains an important > part of computer security and is very important for protecting privacy. > But recognition of credit card numbers at the keyboard is trivial, and > therein lies the fatal flaw to software-based encryption of credit cards > -- sensitive information can be intercepted before it ever gets > encrypted. The issue is definitely not encryption. The issue is that credit card numbers are self-identifying one-way payment instruments, and there's no way to make such instruments safe to use on insecure consumer computing platforms. The only reason that encryption even enters the discussion is that there are OTHER parties who are claiming that their software encryption products make such payment instruments safe. They don't. That's all we're pointing out. > To all those Internet payment analysts out there: > Financial institutions are in the business of risk transfer. If > you don't transfer risk in some form, you're not a financial > institution but rather a service bureau. Managing endpoint integrity > risk is just one of the kinds of risk an Internet payments provider has to deal with. Yes. But the BIGGEST risk that an Internet payments provider has to deal with is the threat of large-scale, systematic, automated fraud. And *that* is the hole we have just blown in the software-encryption-of-credit-card schemes, and which you clearly didn't take the time to understand. > First Virtual has demonstrated time and again that > they're pretty clueless about the whole subject of risk. Well, I think our financial industry partners will take our "clueless" level of risk management any day. We have fraud and chargeback rates so low that they're scarcely believable, because nearly all fraud AND dissatisfied customers are caught by the email loop and never make it into the credit card system in the first place.
Our acquiring bank thinks that's pretty neat, I think. In fact, it's worth noting that after being our acquiring bank for over a year of live operation, and having the most inside information possible about how our system works, First USA Bank (one of the nation's largest credit card banks) made a large equity investment in us last month. Do you really think they didn't do any risk analysis? -- Nathaniel -------- Nathaniel Borenstein Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq at nsb.fv.com From rsalz at osf.org Tue Jan 30 05:59:04 1996 From: rsalz at osf.org (Rich Salz) Date: Tue, 30 Jan 1996 21:59:04 +0800 Subject: Delusional Message-ID: <9601301325.AA17030@sulphur.osf.org> You're disagreeing that I invented safe-tcl? You disagree that I sent you and Ousterhout the very first message that said I want to strip out the dangerous commands? That I created the mailing list and then gave it up because you and Rose "took over" the concept while only releasing a safe-Tk, leaving off the embeddable server part? Must we go to the archives? You're disagreeing that without enabled mail FV would probably not have happened? IF so, then one of us is delusional and it's not me, kiddo. Replies to this message will be ignored. /r$ PS: Sorry C-P folks. In penance for this off-topic probably-unneeded defense against Nathaniel's attack, I will compare the Usenet RC2 against the licensed code and tell you what I find. -r$ From jya at pipeline.com Tue Jan 30 06:00:52 1996 From: jya at pipeline.com (John Young) Date: Tue, 30 Jan 1996 22:00:52 +0800 Subject: NRO Slush Fund Message-ID: <199601301329.IAA18155@pipe1.nyc.pipeline.com> URL: http://www.nytimes.com/yr/mo/day/front/spy-agency-money.html January 30, 1996 Spy Agency Said to Have Spare Billions The National Reconnaissance Office, the secret agency that builds spy satellites, lost track of more than $2 billion in classified money last year, largely because of its own internal secrecy, intelligence officials say.
In the past, congressional oversight of the reconnaissance office has been sketchy, because few members of Congress understood the highly technical language of spy satellites and some did not know what they were approving when they authorized billions of dollars a year in secret spending. From dlv at bwalk.dm.com Tue Jan 30 06:07:25 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Tue, 30 Jan 1996 22:07:25 +0800 Subject: The Big Lie In-Reply-To: Message-ID: Oliver Huf writes: > > Damn germans. I guess that they really haven't changed a hell of a lot > > over the past few decades. No wonder that every other European race > > (pretty much) stereotypes them. > > You haven't been in Germany for a very long time, have you? > ... or in Europe at all? This thread has very little cryptographic relevance and has degenerated into a full-scale ethnic flamefest. Neither Germans nor Americans nor any other nation are inherently evil. There are certain things that German government does which many on this mailing list find distasteful. There are certain things that the U.S. government does which many on this mailing list find even more distasteful. We should seek to help those Germans who seek to circumvent the laws of their country which we find to be unjust and unfair, just as we would have helped the "dissidents" in the former Soviet Union or the anti-Nazi Germans in Nazi Germany. Disclaimer: my grandmother is reported to be German. :-) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From roy at sendai.cybrspc.mn.org Tue Jan 30 06:47:48 1996 From: roy at sendai.cybrspc.mn.org (Roy M. Silvernail) Date: Tue, 30 Jan 1996 22:47:48 +0800 Subject: FV's Borenstein discovers keystroke capture programs! (pictures at 11!)
In-Reply-To: Message-ID: <960130.064105.1H2.rnr.w165w@sendai.cybrspc.mn.org> -----BEGIN PGP SIGNED MESSAGE----- In list.cypherpunks, nsb at nsb.fv.com writes: > Well, the mis-conceptions are flying fast and furious. And not just from the rest of us. Your model is a malicious program that is installed on a user's machine (through whatever method, be it viral, trojan horse, black bag job, whatever). Fine, let's explore it a bit. > There are several schemes for Internet commerce > that are unaffected: > > -- First Virtual (of course) If all my malicious program does is sniff keystrokes, FV accounts are less vulnerable. So I'll make my malicious program not only sniff keystrokes, but I'll hook your Winsock stack and intercept the POP3 queries. That way, I can catch the FV verification messages and confirm them. You'll never see anything happen. > -- Hardware encryption (e.g. consumer card-swipe machines) So I'll get my malicious program to look for blocks of seemingly random data from the keyboard (where many swipe systems wedge in) or the com ports not used by mouse and modem. (on a PC platform, that's not likely since heroic measures are needed to run more than 2 com ports) Unless seeded by the transaction, these blocks should be vulnerable to a replay attack. > -- Smart cards Smart cards may not be vulnerable to replay attacks, so you may be correct here. > -- Digital cash (unless the tokens are made too easy to recognize) Or the site initiating the transaction is recognizable, prompting the malicious program to take notice. And since I've hooked all your net services, I can steal your coins easily... the transactions you send will never reach their destination. The "fatal flaw" here is that you haven't extended your threat model to its logical conclusion. 
If you assume a malicious program with access to the keyboard at the hardware level, that program could also access and manipulate the TCP/IP stack, as well as data flowing to/from networked applications of all sorts. > We say this VERY EXPLICITLY in our web pages. We are NOT saying we have > the only safe approach. We have one of four safe approaches that we > know of. I only see one approach that's safe from local eavesdropping, and FV isn't it. - -- Roy M. Silvernail [ ] roy at cybrspc.mn.org PGP Public Key fingerprint = 31 86 EC B9 DB 76 A7 54 13 0B 6A 6B CC 09 18 B6 Key available from pubkey at cybrspc.mn.org From m5 at dev.tivoli.com Tue Jan 30 07:03:11 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Tue, 30 Jan 1996 23:03:11 +0800 Subject: Java Sniffer (Was: Re: FV Announces That The Sky Is Falling) In-Reply-To: <199601300412.XAA23037@opine.cs.umass.edu> Message-ID: <9601301358.AA14772@alpha> Rich Graves writes: > Hmm. Actually, what do Java dialog prompts look like? Is there any > indication that they come from Java, or can they be made to look like any > dialog from any program, or the OS itself? I suppose this is > implementation-dependent. Yes, it's completely dependent on the AWT implementation. (Or, of course, on the implementation of whatever graphical library provided by the particular Java runtime environment in question.) The "standard" AWT that's used in the Netscape (and maybe HotJava) web browsers decorates all windows applets create such that it's obvious they're there. It is designed to be impossible for the applet itself to corrupt the AWT such that the windows don't bear that decoration.
(Whether the design works as advertised is a question worth asking, of course.) ______c_____________________________________________________________________ Mike M Nally * Tivoli Systems * Austin TX * I want more, I want more, m5 at tivoli.com * m101 at io.com * I want more, I want more ... *_______________________________ From m5 at dev.tivoli.com Tue Jan 30 07:04:02 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Tue, 30 Jan 1996 23:04:02 +0800 Subject: Sad state of affairs In-Reply-To: <199601300828.AAA08526@infinity.c2.org> Message-ID: <9601301402.AA15555@alpha> bofur at alpha.c2.org writes: > It's a pretty sad statement of how poorly this list is functioning when > the RC2 source can be publicly released but people would rather > sling mud over glorified keystroke trappers and rant about Nazi deathcamps. > > Our friends at the NSA must be pleased with the slow death of this group. Oh. Ok. YIPPPEEE!!! HOORAY!!! YA HOOO!!!!! RC2 IS PUBLIC!!!! GOD BLESS US ALL!!! HOORAAAAAAY!!!! YAY!!!!! ______c_____________________________________________________________________ Mike M Nally * Tivoli Systems * Austin TX * I want more, I want more, m5 at tivoli.com * m101 at io.com * I want more, I want more ... *_______________________________ From attila at primenet.com Tue Jan 30 07:05:06 1996 From: attila at primenet.com (attila) Date: Tue, 30 Jan 1996 23:05:06 +0800 Subject: "Concryption" Prior Art In-Reply-To: <199601290832.AAA09285@ix10.ix.netcom.com> Message-ID: On Mon, 29 Jan 1996, Bill Stewart wrote: > >>However the Con-cryption patent covers first compressing, then > >>encrypting. > > > >Isn't that how PGP does its thing (first compress the data and then feed it > >into the Encryption Stage)? PGP is prior art in-and-of-itself. no way is that patent valid. I have prior art going back into the early 80s where I converted the standard compress into a stream processor followed by a stream encryption engine --obviously the reverse as well.
now, that's back in time when I had two 750s in my garage and 9T tape! I've had it on the list to find for some time; I still have two tape drives (one will hopefully still work) and an old uvaxen which I saved for such emergencies. It also might be on tapes from my then current desktop: a Sun 2! At the moment, I'm not terribly interested in the problem, but will be, hopefully soon. Basically, if it comes to that, they had better have their act ready to pay litigative costs --I do my own (with a perfect record, better than patent attorneys I have hired), and I rather enjoy playing by the rules of the law, rather than playing by the game rules of the bar. and, I do not believe I am alone; there are others who have used stream processing for that purpose. I started playing with rsa shortly after it was published in SA in 1977 --however, significant computing power was not cheap at that time --seems to me I paid about $30K for an 11-44 with 2 rl02 drives! > > Peter Wayner posted that the "new" thing about the way they do it is > that it saves time by combining the steps. But I think I've seen > approximately the same done with arithmetic-coding compression? > #-- > # Thanks; Bill > # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 > # > # "Eternal vigilance is the price of liberty" used to mean us watching > # the government, not the other way around.... > __________________________________________________________________________ go not unto usenet for advice, for the inhabitants thereof will say: yes, and no, and maybe, and I don't know, and fuck-off. _________________________________________________________________ attila__ To be a ruler of men, you need at least 12 inches.... There is no safety this side of the grave. Never was; never will be. From olbon at dynetics.com Tue Jan 30 07:07:40 1996 From: olbon at dynetics.com (Clay Olbon II) Date: Tue, 30 Jan 1996 23:07:40 +0800 Subject: Signed posts (was Re: FV ... Fatal Flaw ...)
Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Amidst all of the about the "fatal flaw", Mr. Scarenstein brings up (amazingly) an interesting point regarding signed posts that I have wondered about for a while. At 5:30 PM 1/29/96, Nathaniel Borenstein wrote (highly edited!): >Do you have my key in your key ring? I rather doubt it. So what good >would it have done? > >Have you downloaded my key from the net? Assume that you have. How do >you know it's mine? The issue of knowing that a signed post belongs to a particular individual has come up often. Clearly the best approach is verifying the key in person. Failing that, however, I have adopted a strategy of maximizing the probability that the key actually belongs to me. I do this by: 1. Including the fingerprint and where to get the key in my signed post (within the pgp sig) 2. Putting the key in a fairly secure place (i.e. on a machine controlled by my employer, but where I can check the key periodically) 3. Putting the same key on the keyservers I could (and should) also place it on my web page as well. This is not to say that someone could not impersonate me by creating a key and placing it in all of these places, but I think it would be difficult, and probably not worth the effort. I am not real worried about this threat (but heck, if someone really wants to impersonate me, I'd be flattered). I think these measures are probably sufficient for a mailing list level of discussion. Any comments? (flames >/dev/null) Clay - -------------------------------------------------------------------------- Clay Olbon II | olbon at dynetics.com Systems Engineer | ph: (810) 589-9930 fax 9934 Dynetics, Inc., Ste 302 | http://www.msen.com/~olbon/olbon.html 550 Stephenson Hwy | PGP262 public key: finger olbon at mgr.dynetics.com Troy, MI 48083-1109 | pgp print: B97397AD50233C77523FD058BD1BB7C0 "To escape the evil curse, you must quote a bible verse; thou shalt not ...
Doooh" - Homer (Simpson, not the other one) - -------------------------------------------------------------------------- From jf_avon at citenet.net Tue Jan 30 07:08:42 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Tue, 30 Jan 1996 23:08:42 +0800 Subject: "German service cuts Net access" (to Santa Cruz) Message-ID: <9601291935.AA19729@cti02.citenet.net> >olmur at dwarf.bb.bawue.de (Olmur) writes: >Much as the Third Reich took the view that anti-Nazi speech >wasn't protected. Your country hasn't changed its authoritarian >perspective on freedom of personal expression. All it has done >is put a different set of publicly supported items on the >official censorship list. >Didn't the Germans learn anything from World War II? Psycho-epistemology does not change overnight. It takes *generations*. Sigh... JFA The only survival tool of human race is Reason. From m5 at dev.tivoli.com Tue Jan 30 07:10:58 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Tue, 30 Jan 1996 23:10:58 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit In-Reply-To: Message-ID: <9601301353.AA15410@alpha> Ed Carp writes: > > Not wishing to get in the middle of this controversy, I have been > > wondering about the possibility of using a JAVA applet to do keyboard > > sniffing. As I am not familiar with this language, does anyone know if > > this would be possible? > > From what I've read about Java, it is not possible to use Java in this > way.
Because Java is a general-purpose programming language, it is indeed possible to use Java to do keyboard sniffing, just like it's possible to use it for an adventure game, or system management software, or anything else you can imagine a general-purpose programming language being used for. The real question is, "can I use a Java applet in the context of a particular Java virtual machine implementation (like, maybe, the Netscape Navigator web browser) to do keyboard sniffing?". The Java interpreter is only as secure as the wrapper implementation wants it to be. For lots of purposes, you don't need or want any more security for a Java program than you would for a C++ program. ______c_____________________________________________________________________ Mike M Nally * Tivoli Systems * Austin TX * I want more, I want more, m5 at tivoli.com * m101 at io.com * I want more, I want more ... *_______________________________ From nsb at nsb.fv.com Tue Jan 30 07:26:27 1996 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Tue, 30 Jan 1996 23:26:27 +0800 Subject: FV's Borenstein discovers keystroke capture programs! (pictures at 11!) In-Reply-To: Message-ID: > But I just can't believe that he thinks that the telephone is more secure on average than a keyboard. We have a few pages of C code that scan everything you type on a keyboard, and select only the credit card numbers. How easy is that to do with credit card numbers spoken over a telephone? The key is large-scale automated attacks, not one-time interceptions.
-------- Nathaniel Borenstein Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq at nsb.fv.com From rmartin at aw.sgi.com Tue Jan 30 07:42:02 1996 From: rmartin at aw.sgi.com (Richard Martin) Date: Tue, 30 Jan 1996 23:42:02 +0800 Subject: Java Sniffer (Was: Re: FV Announces That The Sky Is Falling) In-Reply-To: <199601300412.XAA23037@opine.cs.umass.edu> Message-ID: <9601300936.ZM1868@glacius.alias.com> -----BEGIN PGP SIGNED MESSAGE----- On Jan 29, 11:12pm, Futplex wrote: > Much more likely, IMHO, than a Java sniffer is a Java Trojan horse that pops > up an innocuous dialog box and asks you to enter some sensitive piece of > information, then sends it off somewhere. About all it takes to write that is > a modicum of skill in user interface design. You could write it in any > programming language, but in Java it may be particularly effective, since > people may come to expect to be prompted for sensitive info over the net by > Java apps. Maybe the Java folks who just left Sun decided to seize the > opportunity ;> Since the Java stuff that I'm running around here either (a) is from netscape, which jams a little line saying, "Untrusted Java Applet" at the bottom of each window a Java applet creates or (b) is run by me, by hand, from the command line, using either the interpreter or the appletviewer... I don't think this is much of a threat. I see many more difficulties with javascript.
richard - -- Richard Martin Alias|Wavefront - Toronto Office [Co-op Software Developer, Games Team] rmartin at aw.sgi.com/g4frodo at cdf.toronto.edu http://www.io.org/~samwise Trinity College UofT ChemPhysCompSci 9T7+PEY=9T8 Shad Valley Waterloo 1992 From nsb at nsb.fv.com Tue Jan 30 07:45:13 1996 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Tue, 30 Jan 1996 23:45:13 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit In-Reply-To: <9601292111.AA23738@toad.com> Message-ID: Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. "Paul M. Cardon"@fnbc.co (986*) > Any useful information in your announcement is already well-known. > The rest of it is alarmist and self-serving. There have been > several excellent posts pointing out the flaws in your arguments. No, they've pointed out flaws in the claim that FV has just invented keyboard sniffers. That's not our argument at all, it's a strawman. > Until I actually see an advisory from CERT, I'll just have to > assume they told FV to go take a flying leap. I certainly hope they > have enough integrity to ignore this. I would never speak for the people at CERT, but if they had told us the threat wasn't real, we certainly wouldn't be claiming that it was. We went to CERT first for two reasons: to be responsible with the new threat we had uncovered, and to do a sanity check on its importance. Having said that, I'm quite sure that you won't see a CERT advisory, because we haven't released the program, it doesn't threaten anyone, and there aren't any patches you can download to fix the problem. It's not something within their mandate to issue advisories about.
-- Nathaniel -------- Nathaniel Borenstein Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq at nsb.fv.com From perry at piermont.com Tue Jan 30 07:54:29 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 30 Jan 1996 23:54:29 +0800 Subject: PPP link encryption? In-Reply-To: <199601301136.GAA02305@mandrake.cen.ufl.edu> Message-ID: <199601301438.JAA02927@jekyll.piermont.com> Alexandra Griffin writes: > Is there any software out there on the net for doing real-time, > transparent encryption of a PPP link? Well, there is software for encrypting IP datagrams. There may be PPP encryption out there, since there is now an IETF protocol for doing link encryption for PPP, but I don't follow PPP very closely. > Also, if this link is running at 600kbit/s to 1Mbit/s, how much > processing power would be required to keep up (assuming we're using, > say, the IDEA cipher)? Would a dedicated 386DX/33-based router on > each end be sufficient? I suspect not, but on the other hand hardware to do this sort of thing is available. The TIS people packaged up swIPe with a 3DES board for some applications a while back, just as an example of concept. > Finally, could someone make a ballpark estimate as to the amount of > additional latency that would be added? Hard to say. Depends on the implementation, your link characteristics, etc. Perry From fletch at ain.bls.com Tue Jan 30 07:59:59 1996 From: fletch at ain.bls.com (Mike Fletcher) Date: Tue, 30 Jan 1996 23:59:59 +0800 Subject: FL Demonstrates Fatal Flaw in Logins In-Reply-To: Message-ID: <9601301448.AA28567@outland> > However, I don't know much about Java, would it be possible to make such an > applet with Java? , Java: the new 'net boogey-man (next to keyboard sniffers, of course :). The functionality is not there for arbitrary keyboard sniffing.
An applet can only see kbd events in windows in its hierarchy, up to the toplevel window which is embedded in the browser (and in any toplevel windows, but these all have the "Untrusted Applet Window" warning at the bottom). --- Fletch __`'/| fletch at ain.bls.com "Lisa, in this house we obey the \ o.O' ______ 404 713-0414(w) Laws of Thermodynamics!" H. Simpson =(___)= -| Ack. | 404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43 U ------ From nsb at nsb.fv.com Tue Jan 30 08:19:38 1996 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Wed, 31 Jan 1996 00:19:38 +0800 Subject: FV's Borenstein discovers keystroke capture programs! (pictures at 11!) In-Reply-To: <2.2.32.19960130042632.00966364@area1s220.residence.gatech.edu> Message-ID: <4l3X3B2Mc50eNIr1ES@nsb.fv.com> Excerpts from mail: 29-Jan-96 Re: FV's Borenstein discove.. Jeremy Mineweaser at area1s (1692*) > Question: Could you please describe the nature of the First Virtual > protocol? Now before you tell me to RTFM, let me explain. > I assume, although without absolute certainty, that in order to bill me > you must know my credit card number. If you do not know my credit > card number, and depend on someone else who does, you are nothing > more than a middleman who introduces additional possibility for > breach of security. If you do know my credit card number, you must > deal with the associated problem of storing this number. Now perhaps > I am wrong, and you really do keep all of your clients' card numbers > in a printed book hidden within a safe, and for each transaction you > remove the book, use your table to match FV_ID to CC#, process the > transaction, and replace the book. However, I doubt this. More > likely, you store the card numbers on a computer. And no doubt, > someone or something enters those numbers into a database. > You have just violated your own cardinal rule. Nope, afraid not. We keep the credit card numbers on a non-Internet computer.
The only communication between it and the Internet world is a proprietary *batch* protocol. If you break through multiple firewalls to our most secure Internet machine, then you can begin reverse-engineering the batch protocol, and even then, there's nothing in the protocol that will send credit card numbers back over. As to how the credit card numbers are entered: they are entered at account setup time via a telephone call. Yes, telephones can be tapped, but it's really hard to set up an automated attack that taps all the phone calls and retrieves all the credit card numbers. Moreover, eventually we hope to have the credit card numbers downloaded directly from the credit card issuing banks, thus eliminating even the telephone vulnerability. Believe me, we've thought a LOT about this. Please check out our academic paper on our first year of operation, which you can find at http://www.fv.com/pubdocs/fv-austin.txt -- I think it will answer a lot of your questions. -- Nathaniel -------- Nathaniel Borenstein Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq at nsb.fv.com From dlv at bwalk.dm.com Tue Jan 30 08:19:41 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Wed, 31 Jan 1996 00:19:41 +0800 Subject: The Big Lie In-Reply-To: <199601282156.NAA09063@netcom4.netcom.com> Message-ID: Zero crypto relevance... mpd at netcom.com (Mike Duvos) writes: > It is interesting to note that there is no specific law > prohibiting free speech for Holocaust Agnostics in Germany. The > actual laws under which such cases are prosecuted are libel laws, > which have been liberally interpreted to mean that one may not > "libel" deceased Jews as a class or their memory in the minds of > their surviving relatives. > > The notion of libeling a class of deceased persons strikes me as > a dangerous and particularly convoluted legal fiction. (Although > I certainly don't mean any disrespect for the deceased or their > survivors when I say this.)
To me this sounds like a very twisted legal reasoning. If I understood correctly some other posts in this thread, by saying something like, "the Nazis invaded Denmark for reasons other than to round up and kill the 3,000 Danish Jews", this Zendel loser automatically implies that whoever says otherwise is lying; and that is a libel/slander, and is a criminal (not just civil) offense. I wonder if it should also be illegal in Germany to doubt the atrocities perpetrated by various German factions on one another during the 30-Year War (1618-1648), or during the peasant uprisings/religious wars of 16th century, or on the Slavs during the conquest of Saxony in 11th century? They were as brutal as WWII, and most modern Germans are probably the descendants of the survivors, and neither Catholics nor Protestants like to admit the nasty things done by their ancestors. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From rsalz at osf.org Tue Jan 30 08:33:28 1996 From: rsalz at osf.org (Rich Salz) Date: Wed, 31 Jan 1996 00:33:28 +0800 Subject: Need testing help Message-ID: <9601300127.AA16076@sulphur.osf.org> I need some help testing my rewrite of mixmaster. It is four separate programs (keygen, user-agent, queue process, daemon reception) written in portable ANSI C (gcc -Wxxxx is silent). It does not include RSAREF, but has a sane makefile for it if you need. It uses autoconf. It has some bugs. If you're in the US, drop me a line. Is decrypt-only software okay to export? If so, then I have an export version, too. /r$ From nsb at nsb.fv.com Tue Jan 30 08:38:41 1996 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Wed, 31 Jan 1996 00:38:41 +0800 Subject: Signature use and key trust (Was: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit) In-Reply-To: <199601300431.XAA23839@opine.cs.umass.edu> Message-ID: Excerpts from mail: 29-Jan-96 Re: Signature use and key t..
Futplex at pseudonym.com (2183*) > In my world, "you" == nsb at nsb.fv.com, and hence "your key" == the key I could > fetch from nsb+faq at nsb.fv.com. Right, absolutely. But let's face it, by now you believe it's me anyway, or the real nsb at nsb.fv.com would have spoken up and argued with me. On the other hand, if I start routinely PGP-signing email, then the value of slowly brute-force cracking my private key goes way up. If FV is successful, for example, you could spend a few years breaking my key, and then forge apparently-slanderous signed mail from me to you as part of a lawsuit. This would be far more believable, in a court of law, if I routinely signed everything than if I didn't. I don't routinely sign things because I think it is asking for problems with retrospective forgery down the road. I might, however, consider routinely signing things once I can easily incorporate a digital timestamping service like the one from Surety into my signature. > FWIW, I have lost a great deal of respect for you today I sincerely hope that you will gain it back when you realize that not all "hype" is without substance, and that we really have unveiled a genuine, previously-unrecognized, and extremely important flaw in commercial mechanisms that purport to offer security through the software encryption of credit card numbers. -- Nathaniel -------- Nathaniel Borenstein Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq at nsb.fv.com From eric at remailer.net Tue Jan 30 08:40:53 1996 From: eric at remailer.net (Eric Hughes) Date: Wed, 31 Jan 1996 00:40:53 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards Message-ID: <199601292324.PAA10191@largo.remailer.net> Thanks to Sandy Sandfort for bringing this to my attention.
Date: Mon, 29 Jan 1996 15:07:46 -0500 (EST) From: Nathaniel Borenstein As you may already have heard via the popular press, First Virtual Holdings has developed and demonstrated a program which completely undermines the security of every known credit-card encryption mechanism for Internet commerce. I'm breaking my silence in cypherpunks to respond to what must be the most self-serving and fatuous expression of "concern" I've seen in a while. To wit: Ohmygod! PC's don't have perfect integrity! Will someone please write a filter for common email packages which automatically removes selected First Virtual transactions from the confirmation messages? Encryption isn't the issue, Nathaniel, and you know it. Me, I prefer bad faith over stupidity as an explanation for this latest outpouring. To all those Internet payment analysts out there: Financial institutions are in the business of risk transfer. If you don't transfer risk in some form, you're not a financial institution but rather a service bureau. Managing endpoint integrity risk is just one of the kinds of risk an Internet payments provider has to deal with. First Virtual has demonstrated time and again that they're pretty clueless about the whole subject of risk. As a result, I don't give them more than about two years longer before they go belly up. Eric From dlv at bwalk.dm.com Tue Jan 30 08:43:31 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Wed, 31 Jan 1996 00:43:31 +0800 Subject: Downsizing the NSA In-Reply-To: <01I0JWHQ1038A0UMAT@mbcl.rutgers.edu> Message-ID: "E. ALLEN SMITH" writes: > AT&T is downsizing, IBM downsized a while back, so why couldn't the NSA > just do the right thing: admit that the Soviet threat is no more, > congratulate the victors, and downsize by 20,000 employees? I went to a talk by Andy Koenig a few weeks ago and he claimed that even though AT&T is laying off people (and splitting) they're still hiring every internet/security person they could find. --- Dr. 
Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From rsalz at osf.org Tue Jan 30 08:46:26 1996 From: rsalz at osf.org (Rich Salz) Date: Wed, 31 Jan 1996 00:46:26 +0800 Subject: FV's Borenstein discovers keystroke capture programs! (pictures at 11!) Message-ID: <9601301502.AA17143@sulphur.osf.org> >The key is large-scale automated attacks, not one-time interceptions. Without proving you can deploy it's bullshit. From fletch at ain.bls.com Tue Jan 30 08:49:47 1996 From: fletch at ain.bls.com (Mike Fletcher) Date: Wed, 31 Jan 1996 00:49:47 +0800 Subject: Java Sniffer (Was: Re: FV Announces That The Sky Is Falling) In-Reply-To: <199601300412.XAA23037@opine.cs.umass.edu> Message-ID: <9601301504.AA28584@outland> > Much more likely, IMHO, than a Java sniffer is a Java Trojan horse that pops > up an innocuous dialog box and asks you to enter some sensitive piece of > information, then sends it off somewhere. About all it takes to write that is > a modicum of skill in user interface design. You could write it in any > programming language, but in Java it may be particularly effective, since > people may come to expect to be prompted for sensitive info over the net by > Java apps. Maybe the Java folks who just left Sun decided to seize the > opportunity ;> But both Sun's and Netscape's implementations make Frame (new toplevel) windows have "Untrusted Applet Window" sprawled across the bottom of them. On a (kinda) related note someone from Sun posted to c.l.java that they're going to be releasing a signing mechanism for applets soon. You'll be able to verify that the code comes from where it says it does so at least when it steals your CC# you'll know whom to go hunt down. --- Fletch __`'/| fletch at ain.bls.com "Lisa, in this house we obey the \ o.O' ______ 404 713-0414(w) Laws of Thermodynamics!" H. Simpson =(___)= -| Ack. 
| 404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43 U ------ From adam at lighthouse.homeport.org Tue Jan 30 08:50:29 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Wed, 31 Jan 1996 00:50:29 +0800 Subject: Signal to noise.. In-Reply-To: Message-ID: <199601292310.SAA04697@homeport.org> The S/N ratio has been *really* low lately. Before sending mail to cypherpunks, please take a minute to do a few things: 1. Catch up. No one is impressed that you too are not bowled over by (e.g.) FV thinking about keyboard scanners. One or two 'Get real' messages would suffice. (I understand that messages often cross in the net.) 2. Consider the goals of cypherpunks: To write code that enhances the freedom and privacy of individuals. Monkey wrench the forces of evil. Arbitrage regulatory bodies to our best advantage. Have a good time, and make lots of money doing it, should we so please. 3. Decide if your post really contributes anything to a list of ~1000 people. Could this go in a private response? If you're not sure, take a guess what Perry would say. If you think he'd flame, try to justify your post at the top. Anticipate counter arguments. Do so in the spirit of discovery, expecting perhaps that you'll decide the message shouldn't go out. I don't send over half the messages I start to write on this standard. 4. Pay attention to basic points of netiquette, such as making clear what is your text, and what was posted by someone else. Don't quote more than is needful. 5. Consider spending some time installing a Mixmaster remailer. :) Mixmaster is available from http://obscura.com/ and my easy to use installer script is available by sending me a message with a Subject line of "get mix-installer" (without quotes.) It will have a web page in a few days, when I need a break from writing other useful Mixmaster add-ons. 
| When the world community has a double standard when it comes to treating | Israel's actions differently from any other country, those "warlords" might PS to PHB - Reminds you of old times, doesn't it? ;) -- "It is seldom that liberty of any kind is lost all at once." -Hume From raph at c2.org Tue Jan 30 08:52:01 1996 From: raph at c2.org (Raph Levien) Date: Wed, 31 Jan 1996 00:52:01 +0800 Subject: Vladimir: put up or shut up Message-ID: Most of the recent cypherpunks traffic from Vladimir has been a reiteration of the position that discussing ITAR is bad because it discourages cypherpunks from releasing good crypto software. Well, here's one cypherpunk who recently released some software, and furthermore did so making significant (some might say extreme) concessions to the ITAR rules. I made the software available only on an export-restricted Web server, and asked explicitly several times for it not to be exported. If my timezone math works out right, it took about half an hour for it to be available on utopia. The ITAR did _nothing_ to stop, or even slow down, the release of my software. Why is it, then, that we still don't have usable strong crypto tools? I'd say the reason is complex, much more so than could be explained by a simple conspiracy theory or even too much discussion of ITAR. The main reason is that it is very damned hard to write good crypto-enabled applications. Trust me, I know. I have done the best I could with the software I released, but I'm still quite frustrated with its limitations, especially with respect to nontechnical users. Ultimately, to create really good crypto-enabled applications, it's going to take money. And there's where ITAR is most effective. If the powers that be disapprove of your software, then there goes your foreign market. There go your government sales. There go those "strategic alliances" with the other companies in the market, because the pressure can be applied transitively too.
ITAR is actually only a small part of the process. Still, free software has a lot of vitality left in it. It's still strong at blazing new trails in software design. Where it's weak (and this is what really counts now), is being usable, easy to learn, and easy to install. I think if we explicitly work towards these goals, there's hope for great free crypto-enabled applications. Hell, PGP came pretty close, and it's saddled with all kinds of lousy design decisions. But back to Vladimir: instead of whining at us about how our fear of the law is hurting the achievement of our goals, why don't _you_ write that killer crypto-app and distribute it to the world? Who's stopping you? Raph From jrochkin at cs.oberlin.edu Tue Jan 30 08:59:01 1996 From: jrochkin at cs.oberlin.edu (Jonathan Rochkind) Date: Wed, 31 Jan 1996 00:59:01 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards Message-ID: At 9:29 PM 01/29/96, zinc wrote: [...] >the point is not that this can be done, the point is that users need >tools that would check for programs like this running on their >system. is fv making a 'fix' available? i would imagine a 'fix' >would be a program that would look for tsr type programs (or inits on >a mac) that do this sort of thing. At first I was going to say there was no way to do this--a program can't be written to look at an arbitrary program as input and determine if it does a certain semantic action (steals your key strokes). And I think this is true. However, on the MacOS at least, I believe that a key-capturing program would probably have to patch a particular point (or one of a set of particular points) in the OS, and a program could probably look at the OS in RAM (or wherever patches happen; in RAM I think) and make sure it hasn't been patched--it's the way MacOS 7.5.X looks straight out of the shrinkwrap, nothing's been done to it.
Or report that, indeed, that portion of the OS has been patched, and some program might be logging your keys. [Of course, some legitimate programs might patch these portions of the OS too--so you'd have to be careful not to have a hacked version of those legitimate programs that also captured your keys. zinc's next point is relevant here, of course.] Can anyone tell me for sure if this would indeed be feasible? >this is the sort of thing that crypto can help with. there should be >a site that PGP signs the programs available from their site. these >signed programs will have been tested on the appropriate system and >verified to be free of small malicious programs such as the one you >describe. alternatively, the author themselves could PGP sign the app >(this is already done) and this would be what users should d/l. True. But, remember, you've still got to trust the _author_ of the program. Commercial programs generally don't have source available, so I'm basically trusting Steve Dorner not to have Eudora send a copy of all my messages to the NSA. Even if the sources were available, most people aren't going to want to (or be capable of) going through the source, so they're trusting other third parties who have said "yep, I looked at the source, and it's okay." And, while there are plenty of third party types to look at a program like PGP (although, actually, I can't identify any reliable third party crypto type, not on the PGP development team, who I know has looked at the PGP source and pronounced it okay. Doesn't mean it hasn't happened, but it means realistically, users _don't_ rely on third party guarantees of security in the source. Or at least I don't, but how many of you out there know a reliable third party source that has given a seal of approval to PGP, and specifically rely on that knowledge to give you confidence in using PGP?)...
umm, while there are plenty of third party types to look at PGP, there are surely millions of lines of commercial software produced every year, and I'm not sure where all these reliable third party types to look at the code are going to come from. In theory, having source available is good. In practice, you still end up trusting the designer not to do anything bad to you. From nsb at nsb.fv.com Tue Jan 30 08:59:16 1996 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Wed, 31 Jan 1996 00:59:16 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards In-Reply-To: <9601300006.AA15845@sulphur.osf.org> Message-ID: Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Jamie Zawinski at netscape. (473*) > I'll bet they could get a patent on it... There's probably some > money to be made with that approach. Actually, I'm pretty sure it was Eric Hughes who said something like (apologies if I'm misquoting or misremembering) "The most profitable course of action, for a person who discovers a security hole, is almost always to keep quiet about it." It's very easy to see how a criminal can make money with this approach, but it's much harder to see how a legitimate business could do so. We did what we thought was the responsible thing, and tried to describe it in terms that were also in our business interest. Now, if I figure out how to really *solve* this problem, that would be worth patenting.... :-) -- NB -------- Nathaniel Borenstein Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq at nsb.fv.com From pg at viaweb.com Tue Jan 30 09:37:26 1996 From: pg at viaweb.com (Paul Graham) Date: Wed, 31 Jan 1996 01:37:26 +0800 Subject: your bogus post Message-ID: <199601301524.KAA06011@tintin.uun.org> We run an online mall. We had been planning eventually to offer the store owners the option of taking fv payment as well as credit card numbers. 
After reading your recent post to cypherpunks, which I would say is the most bogus post ever made on this bogus subject, we are determined *not* to use fv payment systems if we can possibly avoid it. That post was news to no one. The kind of attack you "discovered" has been known about for years, and is just not a serious threat. Your post was nothing but a calculated attempt to frighten end users, and get publicity for fv. A company capable of doing such irresponsible things is not one that we would trust with users' money. -- pg From pmarc at fnbc.com Tue Jan 30 09:46:52 1996 From: pmarc at fnbc.com (Paul M. Cardon) Date: Wed, 31 Jan 1996 01:46:52 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards In-Reply-To: <199601292324.PAA10191@largo.remailer.net> Message-ID: <199601301529.JAA06833@abraxas.fnbc.com> My mailer insists that Nathaniel Borenstein wrote: > Excerpts from mail: 29-Jan-96 re: FV Demonstrates Fatal F.. Eric > Hughes at remailer.net (1441) > > First Virtual has demonstrated time and again that they're pretty > > clueless about the whole subject of risk. > > Well, I think our financial industry partners will take our > "clueless" level of risk management any day. Glad we're not a partner. --- Paul M. Cardon System Officer - Capital Markets Systems First Chicago NBD Corporation MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e From jlasser at rwd.goucher.edu Tue Jan 30 09:48:05 1996 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Wed, 31 Jan 1996 01:48:05 +0800 Subject: Java Sniffer (Was: Re: FV Announces That The Sky Is Falling) In-Reply-To: <9601301358.AA14772@alpha> Message-ID: On Tue, 30 Jan 1996, Mike McNally wrote: > Rich Graves writes: > > Hmm. Actually, what do Java dialog prompts look like? Is there any > > indication that they come from Java, or can they be made to look like any > > dialog from any program, or the OS itself? I suppose this is > > implementation-dependent. 
> > Yes, it's completely dependent on the AWT implementation. (Or, of > course, on the implementation of whatever graphical library provided > by the particular Java runtime environment in question.) > > The "standard" AWT that's used in the Netscape (and maybe HotJava) > web browsers decorates all windows applets create such that it's > obvious they're there. It is designed to be impossible for the applet > itself to corrupt the AWT such that the windows don't bear that > decoration. (Whether the design works as advertised is a question > worth asking, of course.) But the fact that Java windows are obvious doesn't seem to really speak to the question of can they be faked from *outside* Java. In fact, very distinctive windows for Java are likely to increase the success of an attack which duplicates the window decorations perfectly, because people will be used to it. Eternal vigilance, etc. J.L. ------------------------------------------------------------------------------ Jon Lasser (410)494-3072 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From adam at lighthouse.homeport.org Tue Jan 30 09:49:32 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Wed, 31 Jan 1996 01:49:32 +0800 Subject: Cyphercoding Training Wheels?? In-Reply-To: <01BAEE8F.D6BF3860@chum-55.ppp.hooked.net> Message-ID: <199601301530.KAA07194@homeport.org> Michael E. Carboy wrote: | I have been lurking as a newbie on the cypherpunks mailing list for | 'bout one month. Have ordered Koblitz book on Number Theory and Applied | Cryptography. As I slowly (and probably painfully) learn some number | theory, I would like to start coding, particularly as it would relate | to encrypting and decrypting stuff. I ask the community's input as to | whether I should use visual basic or visual C++ ??? I am using a | windoze95 platform.
When you consider that many of the people who will grab this code & play with it DON'T run on MS scaffolding (it's not really a platform :), I'd suggest C++, and make sure you isolate the MS specific portions, so that whatever you do can be ported. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From nsb at nsb.fv.com Tue Jan 30 09:59:04 1996 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Wed, 31 Jan 1996 01:59:04 +0800 Subject: More FUD from the Luddites at FV [pt. 2] In-Reply-To: Message-ID: Excerpts from mail: 29-Jan-96 More FUD from the Luddites .. Douglas Barnes at communiti (3569*) > Whether you're a business or an individual, having, say, your > hard drive wiped clean by a virus would be several orders of > magnitude worse than the relatively minor inconvenience of > having to get unauthorized items deleted from your credit card bill. For the consumer, absolutely. For the bank, having millions of credit cards compromised by a single attacker is a more serious risk. -------- Nathaniel Borenstein Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq at nsb.fv.com From nsb at nsb.fv.com Tue Jan 30 10:00:25 1996 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Wed, 31 Jan 1996 02:00:25 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards In-Reply-To: Message-ID: Excerpts from mail: 30-Jan-96 Re: FV Demonstrates Fatal F.. Andreas Bogk at horten.artc (2677) > First, pray tell, what prevents me from writing a virus that patches, > say, Eudora and Netscape, so they automatically reply to all FV-mails? Nothing at all. But it's still not an automated mass-scale attack, because that's only one piece of the mechanism (which we spell out) for breaking FV. The essence of FV's security is that we don't believe that there's any single bit of technology or magic (cryptographic or otherwise) that provides security, and that real security comes from a series of complex defenses.
This approach is particularly good at discouraging automated attacks. Moreover, this attack is almost guaranteed to leave traces and be detected within a single billing cycle. Once the credit card bill comes in, the patch in Eudora/Netscape will be discovered, and people will start looking for its source. In contrast, the scheme I have outlined steals credit card numbers without any connection to the point of theft, which in practice will mean that the attack will go undiagnosed and without countermeasures for a lot longer, because there will be no obvious correlation to the Internet as a point of theft. > > to identify the corresponding email address (which > >is not public knowledge, cannot be determined from the account > >identifier, and will not be released by First Virtual); > ... which is in the header of said E-Mail ... Typically, they flow over the web, where there's no email address present. You need traffic analysis. Just makes it harder to automate, that's all. > And while I'm at it, it doesn't take much to be more secure than > credit card payments. You shouldn't be too proud of that. We're very proud of it because it's the competition. > And it shouldn't take an experienced programmer one whole week to > write a keyboard sniffer. That included the user interface and a number of precautionary mechanisms, with very careful coding to make sure that there weren't hidden problems that would bite us. The engineer who wrote it is very good, but I also know that several people have since duplicated the basic mechanism in a day or two. > But I think it's not too pessimistic to say that _any_ software-based > payment scheme can be hacked using malicious programs. Right. And the key, as I keep saying, is automation. You have to defend against an automated attack. > Oh, wow, it's your secret. I would post a message containing the > credit card number encrypted with a public key cipher to > alt.foo.bar. Or to the IRC. 
And it's not too difficult to hack > university computers, so I could even receive mail there without being > traceable. Not to speak of remailer chains. Any other ideas? Actually, one of your methods is very close to my preferred method, but there are still some better wrinkles possible. I prefer to leave them as an exercise for the reader -- my academic background, I guess. :-) -- Nathaniel -------- Nathaniel Borenstein Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq at nsb.fv.com From adam at lighthouse.homeport.org Tue Jan 30 10:13:17 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Wed, 31 Jan 1996 02:13:17 +0800 Subject: Signature use and key trust (Was: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit) In-Reply-To: Message-ID: <199601301551.KAA07294@homeport.org> -----BEGIN PGP SIGNED MESSAGE----- Expire your keys annually. You know about key lifetimes & expiry, and in fact talk about them at length in your 'Experiences' paper. So I assert that this is a straw man. The included key has an expiration date on it. Nathaniel Borenstein wrote: | Right, absolutely. But let's face it, by now you believe it's me | anyway, or the real nsb at nsb.fv.com would have spoken up and argued with | me. On the other hand, if I start routinely PGP-signing email, then | the value of slowly brute-force cracking my private key goes way up. If | FV is successful, for example, you could spend a few years breaking my | key, and then forge apparently-slanderous signed mail from me to you as | part of a lawsuit. This would be far more believable, in a court of | law, if I routinely signed everything than if I didn't. 
- -- "It is seldom that liberty of any kind is lost all at once." -Hume -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCSAwUBMQ4+ZN5XP6PQNGpRAQE4IQPmLiLyT7/7VAw6Z5ajqDlJCiMwubUQTtc+ pCo3RPZjJ8IakLvgXF06LJoIK7ObYbgfRED90v/LNlZivE1CpHQb9QRobNYqIBgU ZQBw4NkqCAS9kH4K+LrK1ce4sPF8gLBwZBSS+PJXS+BBW6Tp2kDF534Ro6x+hMOV k1Xuc7s= =GlZS -----END PGP SIGNATURE----- From pmarc at fnbc.com Tue Jan 30 10:13:48 1996 From: pmarc at fnbc.com (Paul M. Cardon) Date: Wed, 31 Jan 1996 02:13:48 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit In-Reply-To: <9601292111.AA23738@toad.com> Message-ID: <199601301536.JAA06848@abraxas.fnbc.com> Interesting address that was used to reach me. To: pmarc at nsb.fv.com To: pmarc Somehow, both reached me from within their system, but if they can't configure their e-mail to show the proper address than I don't have to much faith in their other abilities. I don't imagine that anybody else would have much luck replying to either of those or CAN I now receive mail at nsb.fv.com? Is this a new free service provided by FV? --- Paul M.
Cardon System Officer - Capital Markets Systems First Chicago NBD Corporation MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e From m5 at dev.tivoli.com Tue Jan 30 10:29:00 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Wed, 31 Jan 1996 02:29:00 +0800 Subject: Java Sniffer (Was: Re: FV Announces That The Sky Is Falling) In-Reply-To: <9601301358.AA14772@alpha> Message-ID: <9601301545.AA07088@alpha> Jon Lasser writes: > But the fact that Java windows are obvious doesn't seem to really speak > to the question of can they be faked from *outside* Java. If you need to worry about something showing up on your machine that's capable of creating fake input dialogs on your screen, I claim you have some serious problems. > In fact, very distinctive windows for Java are likely to increase the > success of an attack which duplicates the window decorations perfectly, > because people will be used to it. But if by being used to such windows people understand that they're not necessarily to be trusted, I don't see why that'd be an attractive way of slipping in a trojan horse. I mean, if you want to give somebody a trojan horse, you don't hang a sign around its neck reading "I am a trojan horse". ______c_____________________________________________________________________ Mike M Nally * Tivoli Systems * Austin TX * I want more, I want more, m5 at tivoli.com * m101 at io.com * I want more, I want more ... *_______________________________ From dneal at electrotex.com Tue Jan 30 10:30:41 1996 From: dneal at electrotex.com (David Neal) Date: Wed, 31 Jan 1996 02:30:41 +0800 Subject: Security First Network Bank, FSB. The World's 1st Internet Message-ID: <199601301554.JAA21481@etex.electrotex.com> > Date: Thu, 25 Jan 1996 17:50:16 -0500 > To: cypherpunks at toad.com > From: "Joseph M. Reagle Jr." > Subject: Security First Network Bank, FSB. The World's 1st Internet Bank > Just got something in the post today asking for me to set up an account with > them... 
> > - Daily reconciled bank statement and checkbook register; All transactions are > logged for you. - No min balance - 20 free electronic bill payments per > month... - ATM at Honor and Cirrus.. - 200 free paper checks... - plenty of > pre-stamped deposit envelopes - FDIC insured accounts (in case anyone ever > steals my password..) - Wired Funds.. > Mis-features - Uses Public key crypto but web pages do not mention PGP, says keys may come in mail on floppy; how to fingerprint key? - Online only based system Drawbacks include system downtime means being unable to access your 'checkbook' No extraction features for those of us who use true double entry accounting systems, much less Quicken or even spreadsheets. - Bill paying system Four day lead on bills to be paid (can you say float?) Laser-printed statement sent to payee for 'verification' will be subject to payee's security restrictions which may consist of tossing it unshredded into the trash. - No chaum-like digital money provisions. Although it is a step in the right direction, I won't be happy until the bank accepts e-mail directives for generating chaumian cash or instant EFT payments via messages encrypted against PGP keys. Let's face it FINCEN already knows all about your income sources if they are at all bank based (i.e. excluding barter and cash), but at least I can have my check EFT'd, encrypt a PGP transaction to send all my money to Seychelles, and pay bills from that Offshore bank that really does respect my privacy. This would at least make discerning that my Foley's bill is $120 a month more difficult since FINCEN would now have to have cooperation from the payee. From nsb at nsb.fv.com Tue Jan 30 10:33:40 1996 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Wed, 31 Jan 1996 02:33:40 +0800 Subject: The FV Problem = A Press Problem In-Reply-To: Message-ID: <0l3Xq6uMc50eFIr1IW@nsb.fv.com> Excerpts from mail: 30-Jan-96 The FV Problem = A Press Pr.. Timothy C.
May at got.net (2439*) > But, it occurred to me, this is just part of the larger syndrome. Simson's > article was practically written from the FV press release. While he > interviewed some "security experts," clearly the timing of his article > (this morning) and the announcement by Nathaniel of his discovery (this > morning) suggests the cozy relationship involved. FYI, you've got the order of events completely backwards. We haven't yet even written a press release, actually, though we're likely to do so shortly. The first news was Simson's story. We wanted to make sure that the first reporter was sophisticated enough to understand the story, and Simson (as the author of "Practical UNIX Security") certainly qualifies. Simson's story appeared on the Web and AOL, which prompted my statement in response to that story. -- NB -------- Nathaniel Borenstein Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq at nsb.fv.com From nsb at nsb.fv.com Tue Jan 30 10:36:20 1996 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Wed, 31 Jan 1996 02:36:20 +0800 Subject: short FV question In-Reply-To: Message-ID: Excerpts from junk.interesting: 29-Jan-96 short FV question Simon Spero at tipper.oit.u (211*) > When my CTS plays up like it has this past week, I use a Dragon dictate > Voice Recognition system. Since I'm not actually touching a keyboard, does > this make me secure? I don't *think* so. As I understand it, Dragon Dictate works by feeding things into the keyboard queue. -- Nathaniel -------- Nathaniel Borenstein Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq at nsb.fv.com From sasha1 at netcom.com Tue Jan 30 10:50:34 1996 From: sasha1 at netcom.com (Alexander Chislenko) Date: Wed, 31 Jan 1996 02:50:34 +0800 Subject: Credit cards: No keystrokes, no capture. Message-ID: <199601301629.IAA11284@netcom.netcom.com> What if I offer my customers a little GUI interface where they would click numeric buttons instead of typing the numbers?
If the card number input screen changes window dimensions as well as size and positioning of the buttons, capturing mouse movements won't give you much either. Or randomly generate a set of digit buttons and let the user drag them into a 16-digit bar. Am I missing something here? ----------------------------------------------------------- | Alexander Chislenko | sasha1 at netcom.com | Cambridge, MA | | Home page: http://www.lucifer.com/~sasha/home.html | ----------------------------------------------------------- From John at ktb.net Tue Jan 30 11:02:41 1996 From: John at ktb.net (John Schofield) Date: Wed, 31 Jan 1996 03:02:41 +0800 Subject: Your "urgent" alert Message-ID: <199601301643.IAA00891@ktb1.ktb.net> John Schofield said: >> I will never use First Virtual. You should be ashamed of yourself. Nathaniel Borenstein said: >Why? For pointing out a devastating potential attack that the bankers >bearing the risk were unaware of? It would have been grossly >irresponsible to keep it secret. You are fear-mongering. You point out the details of an attack that was *NEVER* secret. It is transparently an attempt to build First Virtual's market share. This "new" technique will undoubtedly steal SOME credit-card numbers, but it can be dealt with the same way people *NOW* deal with trojan horses and viruses. It involves no new ideas, no new technologies, and no new problems. Again, you're trying to undermine your competitors and build market share for yourself by misleading novices. The same people who you claim are too clueless to understand "cut and paste." You should be ashamed of yourself. Go steal candy from babies. John ______________________________________________________________________________ John Schofield -- If all else fails, try contacting me at ac086 at lafn.org. PGP Public Key available by e-mailing PGPKEY at sprawl.ktb.net.
From Charlie_Kaufman/Iris.IRIS at iris.com Tue Jan 30 11:03:21 1996 From: Charlie_Kaufman/Iris.IRIS at iris.com (Charlie_Kaufman/Iris.IRIS at iris.com) Date: Wed, 31 Jan 1996 03:03:21 +0800 Subject: Lotus Notes Message-ID: <9601301936.AA0336@moe.iris.com> My previous posting seems to have been truncated (at least by the time it got back to me - please forgive me if it's a duplicate). The following is the attachment that should have been there... --Charlie Kaufman (charlie_kaufman at iris.com) PGP fingerprint: 29 6F 4B E2 56 FF 36 2F AB 49 DF DF B9 4C BE E1 p.s. re: the fact that it's 64 bits rather than 128. That was the limit on key size of the crypto software we licensed from a third party. That crypto software also limited us to 760 bit RSA keys. We intend to push those numbers up in the future in the domestic version, but have some real world issues around backwards compatibility with our installed base. I don't know whether we will be allowed to go over 64 bits in the exportable version; since we couldn't do it anyway, there was no point in pushing this round. Lotus Backgrounder Differential Workfactor Cryptography Abstract: This document describes the technical approach behind the exportable strong cryptography included in Lotus Notes Release 4 (International Edition). Current U.S. export regulations generally prohibit the export of cryptographic software that uses keys larger than 40 bits, but advances in processor technology make 40 bit keys breakable by exhaustive search practical for a growing collection of potential attackers. In a novel scheme we sometimes refer to as 64/40, we provide the cryptographic strength of 64 bit keys against most attackers while to comply with export regulations we make the workfactor for breaking the system equivalent to only 40 bits for the U.S. government. We do that by encrypting 24 of the 64 bits under a public RSA key provided by the U.S. government and binding the encrypted partial key to the encrypted data. 
Background: As we're all painfully aware, the U.S. government continues to maintain that cryptography should be classified and controlled as a munition of war. There is a long historical basis for this - some of cryptography's finest hours have been during the wars of the past. And while some would argue that export controls are a sham because many foreign governments impose no such restrictions and we participate in an international marketplace, by one very important measure export controls have been a success: no mass-deployed worldwide cryptography has emerged and most general communications is still in cleartext. But while the government has been successfully defending its ability to spy, trouble has been brewing. Criminals don't recognise borders -- there's only one wild and wooly network. Crackers are able to attack targets halfway around the world with no fear of prosecution. Smart people in Eastern Europe crack financial systems in New York. Everywhere you look, bright clever people are breaking into communication systems, industrial control systems, transportation systems, health care systems, anything and everything that's controlled by networked computers. This is not a theoretical problem, or just a problem with clever people stealing money from banks; it's a clear and present danger that's a direct result of the fact that we've moved into the information age without adequately securing our global information systems. Lotus Notes has been a pioneer in providing transparent strong RSA-based cryptography in its product offering. It went to great lengths to provide the strongest protection legally permissible. There is an International Edition that complies with export regulations and a domestic edition that does not (called the North American Edition because it is legally available in the U.S. and Canada).
In the International Edition, users use two RSA key pairs -- one used to protect data integrity and authentication and another (shorter) one to protect data confidentiality because only data confidentiality key sizes are regulated by export controls. Full interoperability between the North American and International Editions is achieved by having the two ends negotiate down to the largest key size that both ends support. This design came at no small cost, but it was the only way we could deliver the best security possible to each of our customers given the existing regulatory climate. Differential Workfactor Cryptography is another innovation in the direction of giving our customers the best security possible. At the same time, we continue to oppose the regulations that make the complexity necessary. How it works: The idea behind Differential Workfactor Cryptography is simple; whenever a bulk data key is created, a 64 bit random number is chosen. If the use of that key is one involving data confidentiality and the International Edition of Notes, 24 of the bits are encrypted under a public RSA key that was provided to us by the U.S. government and the result - called a Workfactor Reduction Field - is bound into the encrypted data. There is no Workfactor Reduction Field in data used only by the North American Edition of Notes, and there is none for keys that are not used for data confidentiality (e.g. those used for authentication). If an attacker wanted to break into a Notes system based on information obtained by eavesdropping, he would have to exhaustively search a 64 bit key space. Even the U.S. government would face this workfactor because there is no Workfactor Reduction Field in keys used for authentication. An attacker who wanted to read an encrypted document that was either read from a server or eavesdropped from the wire would face a 64 bit workfactor. But if the U.S. 
government needed to decrypt such a document, it could obtain 24 of the bits using its private key and the Workfactor Reduction Field and then exhaustively search a 40 bit key space. Tamper resistance: You might wonder what's to prevent someone from deleting the Workfactor Reduction Field from a document or the setup protocol of a network connection. This is similar to the problem faced in the Clipper design to assure that the LEAF field was not removed from a conversation. In a software-only implementation, it is not possible to prevent tampering entirely. The best a software implementation can do in terms of tamper resistance is to make it impossible to remove the Workfactor Reduction Field without modifying both the source of the data and the destination. This can be done by having the destination check for the presence of the Workfactor Reduction Field and refuse to decrypt the data if it is not there or not correct. The destination can't decrypt the Workfactor Reduction Field to check it, but knowing the bulk data key and the government public key, it can regenerate the WRF and compare the result with the supplied value. RSA has the convenient property that the same value encrypted twice produces the same result. It would be somewhat more complex (but still possible) to duplicate this functionality with other public key algorithms. [Note: for this to work, the random pad that was used in creating the WRF must be delivered to the recipient of the message. For it to be secure, it must be delivered encrypted since a clever attacker who knew the pad could do 2^24 trial encryptions to get 24 bits of the key and then do 2^40 trial decryptions to recover the rest.] From Jeremym at area1s220.residence.gatech.edu Tue Jan 30 11:05:33 1996 From: Jeremym at area1s220.residence.gatech.edu (Jeremy Mineweaser) Date: Wed, 31 Jan 1996 03:05:33 +0800 Subject: FV's Borenstein discovers keystroke capture programs!
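The Workfactor Reduction Field mechanics from the Lotus backgrounder above, as an added example that is not part of the original posting and not Lotus code: building the WRF, the recipient's regenerate-and-compare check, and what the key holder versus someone who learns the pad can recover. The toy RSA key, the hash-based stand-in cipher, the choice of the top bits as the escrowed bits, and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy RSA key standing in for the government key pair (assumption:
# the posting gives no key material). Both primes are Mersenne primes; real
# keys are far larger. D is the private exponent only the key holder has.
P, Q, E = 2**89 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def make_wrf(bulk_key, pad, key_bits=64, escrow_bits=24):
    """Sender: RSA-encrypt (pad || escrowed bits) under the public key.
    Escrowing the TOP bits of the bulk key is an assumption of this sketch."""
    escrow = bulk_key >> (key_bits - escrow_bits)
    return pow((pad << escrow_bits) | escrow, E, N)


def recipient_accepts(bulk_key, pad, wrf, key_bits=64, escrow_bits=24):
    """Recipient: cannot decrypt the WRF, so regenerate it from the bulk key,
    the delivered pad and the public key, and refuse if absent or different.
    This works because RSA on the same input gives the same output."""
    if wrf is None:
        return False
    return make_wrf(bulk_key, pad, key_bits, escrow_bits) == wrf


def recover_escrow(wrf, escrow_bits=24):
    """Private-key holder: decrypt the WRF and keep only the escrowed bits."""
    return pow(wrf, D, N) & ((1 << escrow_bits) - 1)


def toy_cipher(key, data):
    """Stand-in bulk cipher (XOR with a SHA-256 keystream); the backgrounder
    does not name the real one. Encrypts and decrypts."""
    blocks = (hashlib.sha256(key.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))


def search_remaining(escrow, ciphertext, known_prefix, key_bits, escrow_bits):
    """With the escrowed bits known, only 2^(key_bits - escrow_bits) keys remain."""
    low_bits = key_bits - escrow_bits
    for low in range(1 << low_bits):
        key = (escrow << low_bits) | low
        if toy_cipher(key, ciphertext[:len(known_prefix)]) == known_prefix:
            return key
    return None


def escrow_from_known_pad(wrf, pad, escrow_bits):
    """The caveat in the backgrounder's note: if the pad leaks, trial
    encryptions over the escrowed bits reveal them without the private key,
    which is why the pad must travel encrypted."""
    for guess in range(1 << escrow_bits):
        if pow((pad << escrow_bits) | guess, E, N) == wrf:
            return guess
    return None


if __name__ == "__main__":
    # Full-size parameters: 64-bit key, 24 bits escrowed, 40 left to search.
    key, pad = secrets.randbits(64), secrets.randbits(128)
    wrf = make_wrf(key, pad)
    print("recipient accepts intact WRF:", recipient_accepts(key, pad, wrf))
    print("recipient accepts missing WRF:", recipient_accepts(key, pad, None))
    print("key holder recovers top 24 bits:", recover_escrow(wrf) == key >> 40)

    # Scaled-down parameters (20-bit key, 8 escrowed) so the searches finish.
    small_key, small_pad = 0xABCDE, secrets.randbits(128)
    small_wrf = make_wrf(small_key, small_pad, 20, 8)
    ct = toy_cipher(small_key, b"constructed sample document")
    top = recover_escrow(small_wrf, 8)
    print("12-bit search finds key:", search_remaining(top, ct, b"construc", 20, 8) == small_key)
    print("leaked pad exposes escrow:", escrow_from_known_pad(small_wrf, small_pad, 8) == top)
```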
Message-ID: <2.2.32.19960130163242.0098400c@area1s220.residence.gatech.edu> At 09:53 AM 1/30/96 -0500, nsb at nsb.fv.com wrote: >> ... likely, you store the card numbers on a computer. And no doubt, >> someone or something enters those numbers into a database. >> You have just violated your own cardinal rule. > >Nope, afraid not. We keep the credit card numbers on a non-Internet >computer. Let me restate your cardinal rule, direct from your "alert": >Quite simply, we believe that this program >demonstrates a FATAL flaw in one whole approach to Internet commerce, >and that the use of software to encrypt credit card numbers can NEVER be >made safe. For consumers, we recommend the following simple rule: > >NEVER TYPE YOUR CREDIT CARD NUMBER INTO A COMPUTER. How about we hear it again, just because it's so well thought out: >NEVER TYPE YOUR CREDIT CARD NUMBER INTO A COMPUTER. Now, the fact that your customer database of credit card numbers is not directly available via the Internet does not make it cease to be a computer. Regardless of its networkability, it is still a computer. Do you suggest, then, that computers cannot exist without networks? >As to how the credit card numbers are entered: they are entered at >account setup time via a telephone call. And just *where* do they get entered? Into a computer. And *how* are they entered? Via a keyboard. What was that? You guys enter credit card numbers via the keyboard? But YOU CAN'T DO THAT! IT'S NOT SAFE! If I can't trust myself to keep my credit card number secure, why should I trust your minimum-wage data entry employees? >Believe me, we've thought a LOT about this. I believe that you thought more about writing your glorified keyboard sniffer than you did deciding how to announce your discovery to the public.
--- Jeremy Mineweaser | GCS/E d->-- s:- a--- C++(+++)$ ULC++(++++)>$ P+>++$ j.mineweaser at ieee.org | L+>++ E-(---) W++ N+ !o-- K+>++ w+(++++) O- M-- | V-(--) PS+(--) PE++ Y++>$ PGP++>+++$ t+() 5 X+ R+() *ai*vr*vx*crypto* | tv(+) b++>+++ DI+(++) D+ G++ e>+++ h-() r-@ !y- From nsb at nsb.fv.com Tue Jan 30 11:20:21 1996 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Wed, 31 Jan 1996 03:20:21 +0800 Subject: CONTEST: Name That Program! In-Reply-To: Message-ID: <0l3YgACMc50eRIr=Nb@nsb.fv.com> Excerpts from mail: 30-Jan-96 Re: CONTEST: Name That Pro.. David Mazieres at amsterdam (1274) > You are a liar. And you have terrible manners. > Your program does not undermine all known schemes for transmitting > software-encrypted credit cards on the internet. You have no way of > obtaining my credit card number, because I will not run your software. Guess what? I don't care whether or not I can get onto your machine, because I undermine the overall scheme statistically. That's because if I were a criminal, I would be perfectly sanguine about the fact that the average consumer doesn't have a clue how to protect himself from untrusted programs such as this. In fact, I'd settle for getting onto 10% of the machines, although I suspect I could get onto more like 80% without raising a sweat. Yes, David, your personal credit card is safe, because you're a cypherpunk wizard. For that matter, mine is safe too. But Grandma's isn't. > Furthermore, because I use a Unix-like operating system (specifically > OpenBSD) which I re-build from source code every week or so, you would > need to hack my compiler to keep mis-compiling itself and compromise > my kernel or netstat, ps, etc, for which you would need to be root. Case closed. Your argument would hold a lot more weight if you could convince me that the average Internet consumer was going to rebuild his UNIX kernel every few weeks. Internet commerce is targeting the masses of people for whom "cut and paste" is still a technical term. 
> The first virtual protocol seems to have some real weaknesses. > However, I do not feel like wading through all the pages of text to > figure out what is going on. I challenge you to post a concise > description of the protocol, using syntax such as: > A -> B: {ID, xxx, ...}_Ks > With short descriptions where necessary. If you do, I'm sure we can > rip your protocol to shreds (which is why you won't). This is one of the most outrageous statements I can imagine. Our protocols have been published, both in summary and in excruciating detail, for over a year. They've been scrutinized by all sorts of people in the financial industry, most of whom immediately turned around and asked if we were looking for investors. Just because you're too lazy to read them (or probably even to go to our web site to look at them), you assume that you can rip them to shreds. I'm very impressed. Here's an equally meaningful counterclaim: "I've never met you in person and have no idea what you look like, but I'm sure that I'm better looking than you are." (And for the record, because our security isn't based on mathematical/cryptographic assurances, but rather on systemic checks and balances, mathematical notation is pretty darned useless.) But anyway, there's no need for you to stop being lazy in order to "rip them to shreds". We are happy to tell you (in http://www.fv.com/pubdocs/fv-austin.txt) EXACTLY how to break our security, and why the kind of attack to which we are vulnerable doesn't matter nearly as much as the vulnerability we've exposed in the software encryption of credit cards. What we're trying to do, with our most recent announcements, is hold the competing systems to the same standard of full-disclosure-of-risks that we've held ourselves to all along.
- - Nathaniel -------- Nathaniel Borenstein Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq at nsb.fv.com From ptrei at acm.org Tue Jan 30 11:23:50 1996 From: ptrei at acm.org (Peter Trei) Date: Wed, 31 Jan 1996 03:23:50 +0800 Subject: FV's Borenstein discovers keystroke capture programs! ( Message-ID: <9601301705.AA28831@toad.com> In "Nathaniel Borenstein" wrote: > We have a few pages of C code that scan everything you type on a > keyboard, and selects only the credit card numbers. How easy is that to > do with credit card numbers spoken over a telephone? ------------------------------------------------------------------------------------ In: "Nathaniel Borenstein" wrote: >I used to trust the telephone not to be tapped in a selective way based on >keyword recognition, but in recent years, with the improvement in voice >recognition technology, I have stopped trusting it that way, and I know >plenty of other people have too -- if you say "NSA" into a cellular call, >you are probably inviting an eavesdropper. -------------------------------------------------------------------------------------------- Can you make up your mind, please? Do you regard automated voice recognition as a threat to your privacy, or not? Is there some reason you think it's a lot easier to recognize a spoken "NSA" than "Three One Four One Five Nine Two Six Five Four"? Consistency is a wonderful thing - you should try it sometime. speaking strictly for myself Peter Trei ptrei at acm.org PS: I've kept a log of this whole silly thread. It will not be forgotten. From gebis at ecn.purdue.edu Tue Jan 30 11:27:52 1996 From: gebis at ecn.purdue.edu (Michael J Gebis) Date: Wed, 31 Jan 1996 03:27:52 +0800 Subject: RC2 code on sci.crypt Message-ID: <199601301702.MAA04511@purcell.ecn.purdue.edu> Alex Strasheim wrote: > > For those not paying attention, there is RC2 code on sci.crypt. RSADSI > > is acting as if it is real, and will publish some legal posturing about > > it real soon now.
> > On sci.crypt Bruce said it was a crummy algorithm... What he actually said was, "It's not obviously a lousy algorithm," or something like that. I took this to mean, "in the few hours I've had to look at the code, I have not spotted any obvious problems." He couldn't say, "It's obviously not junk," because non-junkiness is never obvious. -- Mike Gebis gebis at ecn.purdue.edu From ota+ at transarc.com Tue Jan 30 11:32:32 1996 From: ota+ at transarc.com (Ted Anderson) Date: Wed, 31 Jan 1996 03:32:32 +0800 Subject: No FV supporters? In-Reply-To: Message-ID: I am rather shocked that after wading through hundreds of msgs of abuse of Nathaniel and FV I haven't seen one message of support; but perhaps I missed it. I agree that the original post seemed very self-serving and was poorly worded for this audience. However, that doesn't excuse people from reading it carefully and thinking about the implications. FV has argued time and again that their basic strength is that CC numbers aren't available for systematic secretive purloinage. The concern about collecting CC# on a large scale is one of the arguments given for the importance of using encryption throughout the internet. Otherwise tapping the internet backbone has much the same properties. I thought we had already agreed that dumpster diving is a fundamentally smaller threat to the CC system than backbone tapping. FV is just pointing out that another systematic weakness exists in the CC/internet scheme. Whether this is a new, serious concern for internet commerce seems to be a useful and important topic for discussion. Fortunately, the discussion, acrimonious as it has been, has produced fruit. It looks like Weld Pond's suggestion of using a random imagemap is an effective antidote. Making the attack harder by an order of magnitude at least.
Ted Anderson From Jeremym at area1s220.residence.gatech.edu Tue Jan 30 11:48:31 1996 From: Jeremym at area1s220.residence.gatech.edu (Jeremy Mineweaser) Date: Wed, 31 Jan 1996 03:48:31 +0800 Subject: FV's Borenstein discovers keystroke capture programs! Message-ID: <2.2.32.19960130172612.009bdbf4@area1s220.residence.gatech.edu> At 09:53 AM 1/30/96 -0500, Nathaniel Borenstein wrote: >As to how the credit card numbers are entered: they are entered at >account setup time via a telephone call. Then why should an attacker even bother to infect users' machines with your program? There is a much better way. Let me outline it for you: The keyboard sniffer can be modified to attach to the computer which holds your customer database. It simply watches for card numbers (which is even more trivial than doing so on the client's machine, as it's the only thing this machine does) and stores them. Then, when the attacker calls in to set up an account, the keyboard sniffer is alerted (by any of several methods, such as a specific, probably invalid, credit card number) and replaces this value with a card number that was previously captured. In this manner the attacker has obtained a valid FV account drawn on a valid credit card number of a real FV customer. This account can then be used to purchase various goods and services. And while it causes a similar degree of damage as your previous scheme, it also causes you to lose money in the process. Since you are the verifier (in the function of the bank) in this case, then you will lose out in the event of fraud. The credit card companies will still receive their money, and guess who will pay it: FV! This method has several other benefits over your previous scheme. Your scheme required infection of numerous computers; this scheme requires infecting only one computer. And while one may be held liable for the infection of the database computer, the person who opens the fake FV account cannot. 
All s/he has done is call you up and follow procedure. Even if he were dumb enough (as we know many criminals are) to give you his real card number over the telephone, it would not show up in your database. He would be completely clean... no trace. Furthermore, once the rogue program is in place, EVERY attack succeeds. As a corollary to this attack, the attacker could design his/her trojan to watch for the creation of new accounts and replace the intended FV_ID with another value created by a PRNG seeded by a known value. The attacker can then seed his/her copy of the PRNG with the same value and conduct valid (although fraudulent) transactions using the generated FV_IDs. With this approach he does not even have to contact your new accounts office via telephone; s/he simply implants the trojan and begins making transactions. This is similar to the above attack with regard to payment liability. --- Jeremy Mineweaser | GCS/E d->-- s:- a--- C++(+++)$ ULC++(++++)>$ P+>++$ j.mineweaser at ieee.org | L+>++ E-(---) W++ N+ !o-- K+>++ w+(++++) O- M-- | V-(--) PS+(--) PE++ Y++>$ PGP++>+++$ t+() 5 X+ R+() *ai*vr*vx*crypto* | tv(+) b++>+++ DI+(++) D+ G++ e>+++ h-() r-@ !y- From hal9001 at panix.com Tue Jan 30 11:56:27 1996 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Wed, 31 Jan 1996 03:56:27 +0800 Subject: Ernst Zundel impersonator on Usenet Message-ID: At 0:24 1/29/96, Declan B. McCullagh wrote: >I'm not familiar with how AOL screen names work, but my guess is that >the Kingston, NY resident impersonating Zundel forgot to switch back >to his other screen name before posting. You have to log-off and then log back in to change use a different UserName. From kinney at bogart.Colorado.EDU Tue Jan 30 12:01:57 1996 From: kinney at bogart.Colorado.EDU (W. 
Kinney) Date: Wed, 31 Jan 1996 04:01:57 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards In-Reply-To: Message-ID: <199601292130.OAA18538@bogart.Colorado.EDU> Nathaniel Borenstein writes: > [My apologies in advance if you see several copies of this message. I > am posting this fairly widely due to the severity and importance of the > problem described.] Followed by an hysterical essay on how FV has "discovered" the keyboard sniffer. Oh, please. You people should be ashamed of yourselves. -- Will From jya at pipeline.com Tue Jan 30 12:03:56 1996 From: jya at pipeline.com (John Young) Date: Wed, 31 Jan 1996 04:03:56 +0800 Subject: DRU_mup Message-ID: <199601301752.MAA19218@pipe1.nyc.pipeline.com> 1-30-96. TWP: "Defense Memo Warned of Israeli Spying." A DoD security office issued a confidential warning in October that the Israeli government was "aggressively" trying to steal U. S. military and intelligence secrets, partly by using its "strong ethnic ties" to the United States to recruit spies. It described Israel as a "non-traditional adversary" in the world of espionage, noting similar intelligence "threats" from other close allies such as France, Italy, Japan, Germany, and Britain. "Relaxed CIA Covert Action Rules Urged." A private, blue-ribbon task force is urging policymakers to consider allowing the CIA to resume sending out spies posing as American journalists or members of the clergy and lifting the ban on certain covert actions such as those designed to prevent terrorist attacks or support the overthrow of hostile regimes. 
DRU_mup From jsw at netscape.com Tue Jan 30 12:09:19 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Wed, 31 Jan 1996 04:09:19 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards In-Reply-To: Message-ID: <310E0D83.111A@netscape.com> Nathaniel Borenstein wrote: > This is wrong on two main counts: the ID's are harder to find than > credit cards, and they're not as directly useful as credit cards. These > two facts combine to make the attack more or less irrelevant to FV. > > First of all, the Virtual PIN (FV-ID) is much harder to extract from a > large data stream because it is arbitrary text, unlike credit card > numbers, which are self-identifying. > > Second, a Virtual PIN is not a one-way payment instrument, like a credit > card. To use FV to buy something on your credit card, you need to > combine the theft of a Virtual PIN with the compromise of the buyer's > email account, for confirming transactions. We all know this can be > done -- we actually even spell out how to do it in our paper, "Perils > and Pitfalls of Practical CyberCommerce" -- but it is very hard to > combine these steps on the large scale that would be needed to mount an > automated attack, which is the most serious threat to the credit card > system. It would not be much harder than the demonstrated keyboard attack to create a hacked version of winsock that would implement an attack against First Virtual. If the attacker had a list of web pages that accept FV payments it would be very easy to collect the ID numbers. There is no need to attack the large datastream of keyboard input when the search can be easily narrowed. Since FV doesn't use encryption the attack could easily be implemented in winsock, making it independent of any client software. A version that infected the win95 IP stack could be quite effective. The list of FV accepting sites would be easily obtainable via a query of altavista. 
Since the infected system is on the internet and has to periodically send its results to the attacker, it could download an updated list of FV pages at the same time. Attacking the e-mail verification step of the FV system could also be accomplished via a hacked winsock. A bit of POP3 aware code in the winsock could intercept the verification messages and keep the e-mail client from ever seeing them. It could automatically generate "Yes" responses for all such messages. I believe that FV is just as vulnerable to these types of attacks as any of the encryption based credit card schemes, if not more so. The thing that really protects FV is that it can only be used to buy bit, not real goods, and the bad guys don't generally care about stealing bits. This is also what makes FV not generally useful to people who want to shop over the internet. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From jwz at netscape.com Tue Jan 30 12:12:16 1996 From: jwz at netscape.com (Jamie Zawinski) Date: Wed, 31 Jan 1996 04:12:16 +0800 Subject: Apology and clarification In-Reply-To: Message-ID: <310E0EBE.30FD3BCC@netscape.com> Nathaniel Borenstein wrote: > > What we at FV have done is to demonstrate how easy it is to develop an > FULLY AUTOMATED attack that undermines the security of all > software-based credit card commerce schemes. You have done no such thing. You have written *one component* of that attack, and the easiest part of it at that. Combine it with a virus, or self-replicating worm, and demonstrate that it is immune to all known virus checkers, and *then* you will have spoken the truth when you say you have "demonstrated" anything. Heck, combine it with a screensaver as a trojan horse *and* collect a few hundred credit card numbers and *then* you will have demonstrated something. 
You've demonstrated nothing but your ability to write press releases, and print out some messages when fully-cooperating users submit to your "test." You may think this is nitpicking, but the fact is, you're assuming that the implicit cooperation of some vast number of users in running your program is easy to obtain. I disagree with this assumption. If this assumption were true, then viruses would be a much bigger problem than the mere annoyance that they are today. > It is the automated aspect that separates it from all of the > "dumpster-diving" attacks on credit card numbers which have previously > been widely discussed, because it provides a path to large-scale fraud > that has never been publicly discussed before, to my knowledge. The > key "invention" in our approach is to integrate several techniques > that are already well-known (in this community) into an automated > attack that we consider to be devastating to commerce systems based on > software-encrypted credit cards. This is the same kind of vacuous reasoning that leads to things like the "concryption" patent. You have invented nothing. You've combined the painfully obvious and written a fearmongering rant about it. *Computers* provide a path to large-scale fraud. So does the printing press. So does the telephone, and the postal system. So what. You still haven't proven that it's easy. > This is a very real threat. If you think we're just re-hashing keyboard > sniffers, you haven't yet understood what we're demonstrating. The real > threat is the traceless theft of millions of credit card numbers by a > single easily mounted automated attack. With as much work as you've put into this, someone could write a Microsoft Word document which when opened, would start dumping the contents of your hard disk into the mail. The knee-jerk moral to *that* is to never store non-public information on a computer that has a network connected to it.
However, reasonable people assess that risk, and decide to do it anyway, because the benefits outweigh the risk. > So here's the factual claim, to be proven or disproven: One good > programmer, in less than a month, can write a program Come now, right off the bat you know that no assertion taking that form can be *dis*proven. > that will spread itself around the net, collect an unlimited number > of credit card numbers, and get them back to the program's author by > non-traceable mechanisms. Does anyone on this list doubt that this > is true? It's not a matter of possibility. It's a matter of probability, and risk management. It's unlikely enough that I'm not afraid of using my credit card on the net. Tell me my credit card number, and I'll change my mind. > If not, I think it's worth noting that this fact was previously > completely unknown to the bankers and businessmen who are putting > large sums of money at risk on the net. The only way to get the > message to those communities is with a very visible public > announcement of the kind you saw yesterday. All a banker needs to know is the amount of risk associated with the thing in which they are investing; they don't need to know how keyboard sniffers work. I don't believe you've demonstrated anything that changes the risk model that they have presumably already gotten from their flock of experts who they no doubt employed before investing in the net (experts who also no doubt know all about how viruses work, thank you very much.) == Jamie From tcmay at got.net Tue Jan 30 12:22:07 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 31 Jan 1996 04:22:07 +0800 Subject: Sad state of affairs Message-ID: At 8:28 AM 1/30/96, bofur at alpha.c2.org wrote: >It's a pretty sad statement of how poorly this list is functioning when >the RC2 source can be publically released but people would rather >sling mud over glorified keystroke trappers and rant about Nazi deathcamps. 
> >Our friends at the NSA must be pleased with the slow death of this group. > >Sadly, >Bofur. Well, Bofur, the alleged RC2 code is, at most, "just another cipher." The issue of the Germans disconnecting from parts of the Net, as a means of pressuring sites to get material removed, and the bypasses (such as proxies and mirror sites at CMU, MIT, and Stanford), is just as important, if not more so. In any case, Bofur, if you want to talk about RC2, talk about it. Nobody's stopping you. --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From ses at tipper.oit.unc.edu Tue Jan 30 12:24:42 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Wed, 31 Jan 1996 04:24:42 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards In-Reply-To: <310E0D83.111A@netscape.com> Message-ID: So there you have it - FV offers "security through irrelevancy" From watson at tds.com Tue Jan 30 12:42:53 1996 From: watson at tds.com (watson at tds.com) Date: Wed, 31 Jan 1996 04:42:53 +0800 Subject: your bogus post In-Reply-To: <199601301524.KAA06011@tintin.uun.org> Message-ID: On Tue, 30 Jan 1996, Paul Graham wrote: >... > A company capable of doing such irresponsible things is not one > that we would trust with users' money. > ... Some of you must have missed the superbowl ads where people and frogs were getting frozen to beverage cans, and movie actors moved the grand canyon with a horse. Marketing is a fact of life. 
Seems to me the irresponsible thing too many of our society do is put too much stock in the marketeers. I usually select products on their merits, not on the marketing. Maybe you do too. But the marketing works, and companies have to use it to stay profitable. So, what do you think of their product? Dave From anonymous-remailer at shell.portal.com Tue Jan 30 13:00:59 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Wed, 31 Jan 1996 05:00:59 +0800 Subject: New Mailing List (encrypted) Message-ID: <199601301821.KAA02564@jobe.shell.portal.com> On Sat, 13 Jan 1996 13:42:49 -0600, wrote: > I have installed PGPdomo on vishnu.alias.net. I've also >created a new mailing list that you can join if you wish. It's a >closed mailing list, so subscriptions must be approved. What makes If we have attempted to subscribe, but received no response, does that mean that we didn't get approved? If so, how can we "qualify"? From rishab at dxm.org Tue Jan 30 13:06:22 1996 From: rishab at dxm.org (Rishab Aiyer Ghosh) Date: Wed, 31 Jan 1996 05:06:22 +0800 Subject: Domain hijacking, InterNIC loopholes Message-ID: <9601301819.AA00964@toad.com> While filling in details for modification of my domain (dxm.org) I realised that I haven't seen much written on domain hijacking. We all know about mail spoofing, which lets you pretend you're someone else. Mail spoofing is one-way - you can send, but not receive. This is the same with IP spoofing, where you pretend to be a trusted machine, but again you can send but not receive. Unlike IP spoofing, which can lead to major security breaks (you can become root on someone else's machine), domain hijacking is not so much a security issue as a commercial one. Domain hijacking uses loopholes in InterNIC domain registration procedures to completely take over a domain, allowing you to send and receive e-mail, and other traffic such as ftp/www. 
As I haven't seen this explained, and have seen no warnings for sysadmins, here goes: To do 'IP hijacking' (receive packets as well as send) you will need to modify routing tables all over the place, where you're not likely to have access. To do domain hijacking, you would need to modify DNS entries in several nameservers, to which again you're not likely to have privileged access. On the other hand, if you could associate an existing domain with a nameserver you _do_ control (root access on any machine connected to the Net is enough for this), your lack of access to the present nameservers would become irrelevant. So, 1. set up a nameserver on your machine, with address, cname or MX records as required for the victim domain address - victim.com. You can do fancy things with nslookup on victim.com's existing nameservers to find out what's required. Make sure the MX, address and cname records in your machine point to machines under your control. 2. send a modify domain mail to hostmaster at internic.net, with your machine as nameserver replacing any existing ones. The InterNIC has no authentication procedures for normal hostmaster requests, so your modification will get processed. 3. Ta DA! Wait for InterNIC to update its records and broadcast changes to other nameservers. From then on, a lookup for victim.com will go to ns.internic.net, find that ns.evil.org is the nameserver, and send all mail to @victim.com to victim.evil.org, route traffic to www.victim.com to www.evil.org, whatever you want. This is not a security risk? No. But, to quote a delightfully low-key document from InterNIC, "[such] an unauthorized update could lead a commercial organization to lose its presence on the Internet until that update is reversed." Ah. But that update will be reversed only when victim.com's sysadmins realise what's happened. If evil.org is clever enough, it will not halt the mail flow, but forward everything on to victim.com (after keeping a copy, of course). 
It could act as a proxy server to www.victim.com, accessing all URLs (using victim.com's real IP address) on demand and relaying them to browsers who are actually looking at www.evil.org. And so on. Unless victim.com's admins are particularly observant, they may not notice a thing. How many sysadmins out there do what victim.com could have done? I.e. run nslookup on victim.com regularly to check that the nameservers listed are as they should be, and if they're not, to immediately send a new update to InterNIC? Not many, I believe. On the other hand I know no case of domain hijacking actually taking place. But I don't know specific instances of WWW credit card fraud either. That delightful InterNIC document I mentioned is the draft paper on the InterNIC Guardian Object, first out in November 1995, latest version out earlier this month. It's an internal InterNIC proposal for a "Guardian Object" which would guard any other object (such as a domain name, or individual, or hostname, or even another guardian). It would allow a range of authentication methods, from none (very clever) and MAIL-FROM (easy to spoof) to CRYPT (1-way hash, like Unix passwd) and PGP (using public keys stored at InterNIC). All domain and other templates will be changed to work with guardians. The procedures in the original draft looked easy enough; the latest ones are formidable. Incidentally, this draft appeared two months after the InterNIC started charging. The wonders of the profit motive. Rishab ps. I'm not quite back on the Cypherpunks list yet, so please Cc responses you feel are important to me at rishab at dxm.org. pps. I quite forgot. 
The URL for the latest Guardian Object draft: ftp://rs.internic.net/policy/internic/internic-gen-1.txt From ses at tipper.oit.unc.edu Tue Jan 30 13:18:50 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Wed, 31 Jan 1996 05:18:50 +0800 Subject: Sad state of affairs In-Reply-To: <9601301402.AA15555@alpha> Message-ID: On Tue, 30 Jan 1996, Mike McNally wrote: > > bofur at alpha.c2.org writes: > > It's a pretty sad statement of how poorly this list is functioning when > > the RC2 source can be publically released but people would rather > > sling mud over glorified keystroke trappers and rant about Nazi deathcamps. > > YIPPPEEE!!! HOORAY!!! YA HOOO!!!!! RC2 IS PUBLIC!!!! GOD BLESS US > ALL!!! HOORAAAAAAY!!!! YAY!!!!! > :-) There is no truth in the report that Algorithm choosers were added to BSAFE so it would be easier to leave RC2 out :-) Assuming this is RC2, that is... When someone reverse engineered Prince (the algorithm formerly known as RC4), that was significant as the code was in widespread use, and was a nice fast stream cypher, which was pretty much an empty niche. RC2 is fighting for an already populated area, battling IDEA, 3DES, etc, etc. Oh yeah, and RC4 is really pretty, whereas RC2, is as ugly as DES and friends From m5 at dev.tivoli.com Tue Jan 30 13:24:20 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Wed, 31 Jan 1996 05:24:20 +0800 Subject: Alleged RC2 In-Reply-To: <9601301402.AA15555@alpha> Message-ID: <9601301829.AA11121@alpha> Any ideas on whether the comment in the source about the "effective key length" trick being an export control deal is true? If there were a known version of this floating around known to have a 40-bit restriction, is it likely that the restriction would be done by always supplying "40" as the "bits" parameter, or would be it by simply limiting the user key length? 
______c_____________________________________________________________________ Mike M Nally * Tivoli Systems * Austin TX * I want more, I want more, m5 at tivoli.com * m101 at io.com * I want more, I want more ... *_______________________________ From talon57 at well.com Tue Jan 30 13:52:18 1996 From: talon57 at well.com (Brian D Williams) Date: Wed, 31 Jan 1996 05:52:18 +0800 Subject: Two bits, Four Bits, ETC Message-ID: <199601301853.KAA13801@well.com> BEGIN IBM LOTUS'S GAK'ED MESSAGE-- -----BEGIN PGP SIGNED MESSAGE----- Two Bits: frantz at netcom.com (Bill Frantz) >One other small advantage I can see to using Lotus's crippled >encryption. It disguises the fact that a message is actually >(double) encrypted with PGP. Attackers have to break the 40 bits >before they see the PGP encrypted data. A peculiar kind of >steganography. (If you leave off the PGP header and trailer, it >may be hard to determine which 40 bits are the correct >key.) Excellent point Bill! Let's not forget that IBM owns Lotus Notes, be sure to include that in your bashing. They caved in on Lucifer after all. ;) Four Bits: On First Virtual's Sniffer program: Stick a VISA, MASTERCARD, DISCOVER, or AMERICAN EXPRESS sticker on the front of a SECURE_ID card Attack>null ( Security Dynamics is SDTI on NASDAQ ;) ) Six Bits: _TAKEDOWN_ by Tsutomu Shimomura confirms that Kevin Mitnick used PGP extensively, and encrypted his drives, expect the TLA's to use that in their arguments. (Head them off at the Pass!) A Dollar: For those who seem to have missed it. "Vladimir Z. Nuri" = Larry Detweiler Back to our regular Flamefest...... 
Brian END IBM LOTUS'S GAK'ED MESSAGE---- From jrochkin at cs.oberlin.edu Tue Jan 30 13:55:00 1996 From: jrochkin at cs.oberlin.edu (Jonathan Rochkind) Date: Wed, 31 Jan 1996 05:55:00 +0800 Subject: The FV Problem = A Press Problem Message-ID: At 9:03 AM 01/30/96, Timothy C. May wrote: [...] >But, it occurred to me, this is just part of the larger syndrome. Simson's >article was practically written from the FV press release. While he >interviewed some "security experts," clearly the timing of his article >(this morning) and the announcement by Nathaniel of his discovery (this >morning) suggests the cozy relationship involved. > >The larger syndrome is that software deals, alliances, mergers, and >problems are all based on hype. Nathaniel Borenstein issues press releases, >Sameer Parekh issues press releases, and maybe even I would issue press >releases if only I knew how to. [...] I'd say _all_ news, not just software news, is P.R. controlled, these days. You can largely hold Edward L. Bernays, the "father of public relations" (who just died last year) responsible for that--or the societal conditions that allowed Bernays to do his thing. Bernays developed expertise in "engineering of consent" turned the news into a commercialized and manufactured commodity. As the NYT magazine "people who died last year" blurb on him said, maybe once you could trust that the news you read was something that a reporter or editor independently decided was newsworthy. 
Now, the news you read is manufactured in press releases to sell a product, and is there because a well written press release convinced a reporter or editor that a marketing ploy was actually a newsworthy event (or, perhaps, because the advertising dollars that went along with the press release convinced him). Witness FV's demonstration of key capture becoming a newsworthy event. If you want to affect what's in the media, maybe you should learn how to issue press releases. > Journalists seem to love this, because the press releases write the > stories. Companies like it, too, because they can get free newspaper > space. Everyone is scratching each other's back. Yup. Throw the government into the mix too, and I think you've got a pretty good model of the media. -- "The conscious and intelligent manipulation of the organized habits and opinions of the masses is an important element in a democratic society. . . Those who manipulate this unseen mechanism of society constitute an invisible government which is the true ruling power of our country." -- Edward Bernays From cman at communities.com Tue Jan 30 14:16:58 1996 From: cman at communities.com (Douglas Barnes) Date: Wed, 31 Jan 1996 06:16:58 +0800 Subject: why no FV defenders Message-ID: [in response to Ted Anderson , who wondered why cypherpunks are so unanimous in denouncing FV, when we are usually at each other's throats.] Most of the pile-on can be attributed to the fact that FV does _not_ really see encryption as part of the solution. Other than bits of lip service here and there in technical groups, they actively denounce it when they don't think anyone who knows better is watching (I've seen it with my own eyes at banking conferences, etc.) Their extremely supercilious attitude doesn't help either. 
The fact that their commerce model is skewed towards long-settlement, non-anonymous transactions of extremely soft goods makes them unsympathetic -- although, say, the Digicash people are just as condescending and certainly _more_ difficult to deal with on a business level, they have a product that is more applicable to transactions cypherpunks are generally concerned with, so they get pile-ons that are maybe half this size, and usually have some defenders. Also, clearly, Digicash and other vendors are involved in producing cryptographic products, whereas FV is actively involved in spreading FUD about the abilities of crypto products in general... this is sort of like advocating cat torture on rec.pets.cats and expressing amazement at the negative response. This is not to say that there isn't a problem with the current state of operating systems, especially PC operating systems, or to say that crypto is magic dust you can sprinkle & make things secure but I think there's a general belief here that the ultimate solution to these problems has a substantial role for cryptography, and that cryptography can be used even today to reduce risk to acceptable levels in consumer financial transactions. FV does _not_ believe either of these things, although I'm sure NB will pay some lip-services on the "eventually" score. ------ ------ Douglas Barnes "The tighter you close your fist, Governor Tarkin, cman at communities.com the more systems will slip through your fingers." cman at best.com --Princess Leia From hua at chromatic.com Tue Jan 30 14:55:15 1996 From: hua at chromatic.com (Ernest Hua) Date: Wed, 31 Jan 1996 06:55:15 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards In-Reply-To: <310D4CCE@hamachi> Message-ID: <199601301907.LAA29485@chromatic.com> > This announcement describes a rather sophisticated technology that > delivers the same information that any retail clerk can capture today. 
> Using stolen credit card numbers is a risky business, and the ability of > the credit card companies in detecting fraud and locating criminals is > quite real. Retail clerks are not lone bandits. Retail clerks are employees of companies which have a strong interest in keeping their reputation squeaky clean (or risk losing business and welcoming lawsuits). Yes, there is no absolute guarantee that clerks will not do something bad anyway, but there is some self-regulation in that scenario because someone involved has a strong investment in the community. A lone bandit writing difficult to detect viruses scamming for credit card numbers all over the net does not have the strong investment in the community to preserve or protect. You wouldn't give your credit card to some random punk on the street, would you? However, you have no trouble giving it to a reputable store. Why? For exactly the same reason. > Of course, since Federal law requires the credit card companies, not the > user, to pay the costs of fraud, First Virtual's entire premise is a red > herring. If the credit card companies are willing to take the risk, they > will (and are). Federal law does not require that a company stay in business once it has entered the banking market. If the risks are too high for them to make a profit, they will fold. If they are smart enough to see the writing on the wall, they will pack up and move elsewhere in the market. Ern From llurch at networking.stanford.edu Tue Jan 30 15:04:53 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 31 Jan 1996 07:04:53 +0800 Subject: [NOISE] Re: The Big Lie In-Reply-To: <2.2.32.19960128235423.0039a63c@vertexgroup.com> Message-ID: On Sun, 28 Jan 1996, John F. Fricker wrote: > Rewriting history is a powerful tool, whether it be the history of the > death of Hendrix, the death of Kennedy, the logging of the pacific > northwest or of ethnic cleansing. It is a tool that can and should be countered. 
Which has some crypto relevance. > The only way to combat the powerful who would seek to rewrite history > is to create an authenticatable system for document storage. Text books > have long been regarded as the predominant model yet, pick up any high > school history book and marvel at the differences from say Zinn's "The > People's History of the United States". What is needed is more though. A Actually, Zinn's book was the textbook for AP US History in my public high school. Of course the teacher in question, an avowed socialist, has always been controversial, and my parents urged me not to take AP US History for that reason. > system whereby one can trace the source of the information to the actual > time and place of an event as well as authenticating identity. Very much agreed. What we need is an offshore data haven to archive every public lie spoken by these folks. I've heard back from Zundel, and I will be mirroring his site, partly for the reasons above. The people who run Nizkor are very much in favor of the mirror, and plan to link to it. The Wiesenthal Center has no comment. Nizkor and the Wiesenthal Center tend not to comment on each other, either. -rich From vznuri at netcom.com Tue Jan 30 15:08:23 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Wed, 31 Jan 1996 07:08:23 +0800 Subject: more RANTING about NSA-friendly cpunks In-Reply-To: <01BAEEB4.B4C45680@blancw.accessone.com> Message-ID: <199601301928.LAA02905@netcom18.netcom.com> [the NSA] >is sufficiently well-funded where they can concentrate on pursuing their >case against a target, a company or individual is engaged in creating >their income at the same time that they must also use a portion of these >resources to defend themselves in court (as well as defend their public >image). @$%^&* I cannot believe how my simple message is being warped out of all recognition. I said some very specific things, and it seems that everyone reads their own fears into what I write. 
well, that is the nature of fear I have been pointing out-- only loosely related to reality. I reiterate to you: 1. I am NOT advocating that lone individuals defy the ITAR per se. if you recall, I was lamenting that no CORPORATIONS so far have the balls to challenge the ITAR (such as MS, Netscape etc.). these companies already have large legal departments and strong experience fighting the government on other issues. yet when it comes to taking an offensive stance rather than a defensive one, they cower in the shadows. what *really* exasperated me was the idea that if MS even "signs" outside crypto packages, they would be "prohibited" from "exporting" these signatures. this is OUTRAGEOUS and no rational person would submit to such imbecility. I lose *extreme* amounts of respect for *anyone* who either submits or even rationalizes this supposed system? the above is tantamount to LETTING THE NSA MAKE LAWS ANY TIME THEY WANT. are there any laws on the books that talk about signing foreign packages? OF COURSE NOT. and if they were, THEY SHOULD BE GOTTEN RID OF IMMEDIATELY. the NSA has NO LAWMAKING AUTHORITY WHATSOEVER. but the cryptographic community is VOLUNTARILY GIVING THEM THAT POWER because of Fear, Uncertainty, Doubt. 2. I pointed out that even if individuals DO challenge the ITAR, they are NOT LIKELY TO BE LEFT ALONE. witness Bernstein getting support from EFF, etc. there are a lot of lawyers and interests that are just DYING for an opportunity to fight the ITAR in court. I mean, haven't you ever seen those lists of companies that sign letters against the ITAR? can you imagine them contributing only a tiny fraction of their legal departments to a genuine case? this was another of my strong points: the idea that it is a lone struggle against the ITAR for anyone is *not*correct*. it is demonstrably false based on the number of companies and organizations such as EFF that have vociferously voiced opposition. 3. you assume that ignoring the ITAR leads to prosecution. 
THERE IS NO PROOF OF THIS. this is the main point of my writing. what if writing crypto to heart's content, even for individuals, leads to no prosecution? then your entire blah-blah-blah article about the court system and how the poor individual is powerless to use it is POINTLESS. that has been my main point: it is possible that individuals will NEVER be prosecuted under the ITAR crypto sections. all the boneheads are suggesting that "oh, Zimmermann is just an anomaly. they will really get the *next* guy". but when does your imagination end? your own imagination is what is determining your reality, not the reality! if Zimmermann isn't prosecuted, nor anyone associated with him, WHO IS GOING TO BE PROSECUTED? > >It would be a noble project to challenge something like the ITAR in a >court of law, where the issues and flaws of the government's attitudes & >methods could be brought out in detail, dashed to the ground by >brilliant reasoning and argument, winning a battle not only for privacy, >but for the lofty goal of individual sovereignty. But it would take a >lot of time, some very able talents, and a lot of cash; most lone >cryptographers would not be able to do these two things at once (making >a living while also fighting the dragon). I reiterate: nowhere in my ranting did I suggest a lone person challenge the ITAR: that is the CYPHERPUNK PREJUDICE that things of significance are only accomplished by individuals. indeed, this mindset plays *directly* into the arms of the "enemy", the NSA. remember, defeat is a psychological aspect as much as a real one. the NSA does not have to win, they only have to make you think you have *lost*, which is the pervasive feeling on this list, EVEN AFTER *nothing* happened to Zimmermann!! "oh, poor individual me, who am I to challenge the NSA, they have all the power, and I am just a lone sheep out in the wilderness"... 
>It's easy for you, Vlad, to chastise others for being cowardly, when you >have nothing to lose (and only incendiarism to offer). I am not so much "chastising anyone for cowardice". I have not used that word at all. you introduced it. what I am criticizing is our *attitudes* that are bringing about the very situations that we supposedly are in opposition to. I am criticizing the *fear* that is a strong undercurrent of all dialogue and sentiments here. cowardice is as much a state of mind as it is a lack of action. I am not so much criticizing the latter as the former. I have less problem with people not doing anything, than with them using FALSE REASONS to justify their inactivity. if you are going to be a sheep, at least be honest with yourself that you are a sheep!! why is it so controversial for me to say, YOUR FEARS ARE COUNTERPRODUCTIVE TO YOUR OWN AGENDA. why is this so incomprehensible? I have gotten endless mail from people who don't have a clue, and seem to continue to insist: OUR FEARS ARE JUSTIFIED. as long as you think that way, you are *self*defeating*. it is a self-fulfilling prophecy!! even after NOTHING happens to Zimmermann, the sheep are not comforted, because the sheep can *never* be comforted, no matter what happens. Those who are >enjoined to take action must calculate how much they can afford to >invest in such an expensive venture. You asked me in an earlier post >how I could distinguish just any poster to the list from someone who >might be an "agent provocateur". By this: they only provoke action >from others - encouraging, cajoling, shaming, pushing them into >thoughtless action, without themselves taking on any of the risk >involved, without themselves facing any of the dangers but only getting >others to do so. give me a break. perhaps you think that I am trying to stop the spread of crypto? it would be quite ironic if you dismissed the most effective approach possible as that coming from an "agent provocateur". 
but it would be quite fitting. frankly, I increasingly wonder why I am wasting my time with sheep. (your own mindset above reveals your own "people can only challenge the government alone" prejudice/mindset that is self-destructive to the agenda of crypto spread). of course I am not asking for "thoughtless action". that's ridiculous. I have been ranting against THOUGHTLESS FEAR which is ENDEMIC on this list. I have pointed out why there is no proof that fear is justified, but the sheep will have none of it. fine, just stop sending me email and posting pretending you are NOT SHEEP. >It would be great to have a show of fireworks in a court of law. But >(and I don't mean to begin a long thread of discussion on this) I myself >would wonder why the Supreme Court wouldn't already be defending us from >the attacks against basic ideals like personal privacy. because THEY CANNOT DO SO UNTIL A LAW IS CHALLENGED IN COURT!!! @##$%^&*!!! There are >already in existence a body of "authorities" assigned to the task of >preserving the Constitution, educated in Law and the principles for >which this nation stands. They are the ones whom I would address with >inquiries over negligence & lily-livered, yellow-bellied >non-involvement. THAT'S ABSOLUTELY FALSE. they have no power to strike down laws prior to a challenge. can do NOTHING until a law is CHALLENGED!! and that's what I'm ADVOCATING!! I guess someone has to bring the matter to their >attention, bringing up charges of injustice for their wisdom to cogitate >upon. all I can say is that this sentence seems to bespeak a lack of understanding of how the supreme court works and how a law is determined to be unconstitutional. it suggests you think these justices have some kind of independent review power over laws, prior to court cases? as long as you live your life thinking that YOUR FREEDOM is SOMEONE ELSE'S JOB, you are going to LOSE IT BIGTIME. 
Nevertheless, it is to them, who are in charge of maintaining >consistency to the ideals within The Constitution, that I would ask, >"why have you forsaken us"? oh, brother. it is you who have forsaken yourself. From cme at cybercash.com Tue Jan 30 15:15:33 1996 From: cme at cybercash.com (Carl Ellison) Date: Wed, 31 Jan 1996 07:15:33 +0800 Subject: Crypto Exports, Europe, and Conspiracy Theories Message-ID: At 11:06 1/26/96, Adam Shostack wrote: >Timothy C. May wrote: > >| You have to ask yourself this question: "Why are there no cryptographically >| strong products--finished products, not specific ciphers or chunks of >| code--developed in Europe and freely imported into the U.S.?" > > There are. If you buy a Gauntlet Internet firewall from TIS, >you can also buy a German T1 speed DES card for it. I believe the >code was written by TIS's London office. The Israeli Firewall-1 >(version 2) firewall offers VPN (Virtual Private Networks) with some >decent encryption scheme. The German company is CE Infosys -- and they make a PCMCIA DES card also, BTW. The PC card is a decent performer but I haven't tested speed (of the interface) for the PCMCIA card. The code driving the card was written in Glenwood MD. The Gauntlet uses normal SWIPE protocol. It can not be exported at this time. However, there is a plan afoot at TIS to produce a version of Gauntlet with full 56-bit DES SWIPE -- but with TIS CKE added to the communication stream and therefore making the product exportable. For more information, you can check TIS's web page www.tis.com - Carl +--------------------------------------------------------------------------+ | Carl M. Ellison cme at acm.org http://www.clark.net/pub/cme | | PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2 | | "Officer, officer, arrest that man! He's whistling a dirty song." 
| +----------------------------------------------------------- Jean Ellison -+ From cjs at netcom.com Tue Jan 30 15:18:01 1996 From: cjs at netcom.com (cjs) Date: Wed, 31 Jan 1996 07:18:01 +0800 Subject: ANNOUNCE: Experts Predict End Of Secure Communications (makes FV's announcement look pretty silly too) Message-ID: <199601301916.LAA28992@netcom20.netcom.com> EXPERTS PREDICT END OF SECURE COMMUNICATIONS (East Bumbleton, Arkansaw) Experts from Really Neat Idea Labs have predicted the end of secure communications on the internet. The firm today announced that anyone watching another person enter a credit card on a computer could possibly get that person's credit card number. A spokesperson for RNI Labs said, "Wow man! This is like an incredible discovery, man. If you can like see someone entering their card number then you can like look at what keys they push and like get their number and like charge stuff to them. There is like no hardware or software on earth that can like prevent it." The spokesperson went on to say that the repercussions of their discovery could lead to world-wide economic chaos, a rebirth of the third reich, and the 27th coming of Jesus Christ. In a related story, retired talk-show host Johnny Carson is under federal investigation. An anonymous tipster told authorities that Mr. Carson has been using his "Amazing Karmack" hat to guess the credit card numbers of newly mailed cards. Mr. Carson could not be reached for comment. From frantz at netcom.com Tue Jan 30 15:18:26 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 31 Jan 1996 07:18:26 +0800 Subject: PPP link encryption? Message-ID: <199601301931.LAA02253@netcom6.netcom.com> At 6:36 AM 1/30/96 -0500, Alexandra Griffin wrote: >Is there any software out there on the net for doing real-time, >transparent encryption of a PPP link? >... >Finally, could someone make a ballpark estimate as to the amount of >additional latency that would be added? 
Ballpark estimate: If the encryptor receives a complete packet before encrypting and forwarding it then there would be an additional packetSize/byteRate + encryptionTime seconds added to the packet's transit time. If the encryptor encrypts "on the fly", passing the bits of a packet as they are received, then it would add almost no latency. However, the encryption algorithms would be limited to stream cyphers, which have security and error recovery implications. See "Applied Cryptography" for details. ----------------------------------------------------------------- Bill Frantz Periwinkle -- Computer Consulting (408)356-8506 16345 Englewood Ave. frantz at netcom.com Los Gatos, CA 95032, USA From bobrankin at mhv.net Tue Jan 30 15:19:23 1996 From: bobrankin at mhv.net (Bob Rankin) Date: Wed, 31 Jan 1996 07:19:23 +0800 Subject: Domain hijacking, InterNIC loopholes In-Reply-To: <9601301819.AA00964@toad.com> Message-ID: Rishab wrote: >On the other hand I know no case of domain hijacking >actually taking place. I do. The sysop at colossus.net told me this very thing happened to him last fall. I just can't believe this process is automated - I wonder what would happen if someone hijacked internic.net! Regards, Bob Rankin (BobRankin at MHV.net) From mpd at netcom.com Tue Jan 30 15:42:07 1996 From: mpd at netcom.com (Mike Duvos) Date: Wed, 31 Jan 1996 07:42:07 +0800 Subject: Alleged RC2 In-Reply-To: <9601301829.AA11121@alpha> Message-ID: <199601301943.LAA05677@netcom11.netcom.com> Mike McNally writes: > Any ideas on whether the comment in the source about the "effective > key length" trick being an export control deal is true? It sounds plausible. > If there were a known version of this floating around known to have a > 40-bit restriction, is it likely that the restriction would be done by > always supplying "40" as the "bits" parameter, or would be it by > simply limiting the user key length?
The "bits" parameter guarantees that there are exactly 2^bits distinct possibilities for the key schedule. It does this by re-calculating the key schedule as a function only of its rightmost "bits" bits, after expansion of the user key to 128 bytes. One would not wish to directly limit the length of the user key, since it would most likely be a passphrase of some sort. The "bits" parameter allows the effective key length to be set in a manner which is translucent to the application and its user interface. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From hua at chromatic.com Tue Jan 30 15:43:00 1996 From: hua at chromatic.com (Ernest Hua) Date: Wed, 31 Jan 1996 07:43:00 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards In-Reply-To: Message-ID: <199601301936.LAA01260@chromatic.com> > This is the first net distributed "security alert" distributed that > I've noticed, with almost no real content. No one who knows a bit about > computer security learned anything they didn't already know from that > "alert". Rather, it was distributed in the _form_ of a CERT-like alert, This sort of remark is just uncalled for. The point NSB made in his message was precisely that the average person does NOT know anything about computer security. While his alert is not necessarily designed for the audience on this list, it is worth paying attention to because it brings up issues which this list has had to deal with many times in the past. One classic example is usability of PGP. If PGP is so good for the masses, why aren't they just flocking to it. The problem is that it is more than just point and click. User interfaces designed for the masses go through endless hours of reviews dealing with "one click or two" issues. We can up the snobbery level and say, "if you cannot take the time to protect your E-mail, then you deserve to have your mail spied upon." 
But I was under the impression that cypherpunks are supposed to lead the way, not cut loose and run. Ern From vznuri at netcom.com Tue Jan 30 15:53:32 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Wed, 31 Jan 1996 07:53:32 +0800 Subject: Vladimir: put up or shut up In-Reply-To: Message-ID: <199601301947.LAA04349@netcom18.netcom.com> >Most of the recent cypherpunks traffic from Vladimir has been a >reiteration of the position that discussing ITAR is bad because it >discourages cypherpunks from releasing good crypto software. excuse me, but you seem to be implying I am somehow responsible for "cypherpunk traffic" S/N. I have posted only a few messages recently. also, this is a mischaracterization of my position. (gad, why do I always have to reiterate something so trivial). my point is that if ITAR is discussed, at least, I would like to see caveats and encouragement in the same message by everyone here to challenge it. >Well, here's one cypherpunks who recently released some software, and >futhermore did so making significant (some might say extreme) concessions >to the ITAR rules. I made the software available only on an >export-restricted Web server, and asked explicitly several times for it >not to be exported. congratulate yourself for doing NSA's job so well, and following the letter of the law so meticulously!! > If my timezone math works out right, it took about >half an hour for it to be available on utopia. The ITAR did _nothing_ to >stop, or even slow down, the release of my software. "export restricted Web server"? "ask several times for it not to be exported"? are you, or are you not, following the ITAR? or perhaps you want to have your cake and eat it too? >Why is it, then, that we still don't have usable strong crypto tools? I'd >say the reason is complex, much more so than could be explained by a >simple conspiracy theory or even too much discussion of ITAR.
for example, consider the idea that MS refuses to sign outside crypto packages because merely *signing* them would somehow violate the ITAR. I consider this a very good example. where is this law? even if it were a law, what kind of bonehead would give it legitimacy by following it? if you want to hang yourself, fine, go ahead, but please do not publicly question where the rope is coming from. >The main >reason is that it is very damned hard to write good crypto-enabled >applications. Trust me, I know. I have done the best I could with the >software I released, but I'm still quite frustrated with its limitations, >especially with respect to nontechnical users. it is hard for *one*individual* to write a good crypto application. again, cypherpunk bias/mindset/prejudice. it is far easier for a large company to do so. maybe cpunks should reconsider their antagonism to "any organized group of people larger than 2". Netscape had no problem peppering the world with crypto, and they are advancing nicely. I am suggesting the logical next step: a company openly ignore the ITAR crypto sections. >Ultimately, to create really good crypto-enabled applications, it's going >to take money. And there's where ITAR is most effective. If the powers >that be disapprove of your software, then there goes your foreign market. "powers that be". a faceless bogeyman I don't believe in. sorry to challenge your religion of fear and powerlessness. there are major big companies, *lists* of them, that want to export crypto. why not try to persuade MS to sign foreign packages, to import them, or whatever? answer: because cypherpunks like to pretend they are powerless. >There go your government sales. There go those "strategic alliances" with >the other companies in the market, because the pressure can be applied >transitively too. ITAR is actually only a small part of the process. that's right. FEAR is the basic part of the process. 
as long as you help support that framework of fear, NOTHING WILL CHANGE. when someone openly defies the ITAR and nothing happens, or an actual court case emerges, the spread of crypto will be immensely facilitated. >Still, free software has a lot of vitality left in it. It's still strong >at blazing new trails in software design. Where it's weak (and this is >what really counts now), is being usable, easy to learn, and easy to >install. I think if we explicitly work towards these goals, there's hope >for great free crypto-enabled applications. Hell, PGP came pretty close, >and it's saddled with all kinds of lousy design decisions. look, I really respect your own software capabilities. but my main thesis, which you appear to agree with, is that "guerilla crypto programmers" can only get so far. there are some logical next steps. but because of "one individualitis" bias on this list, they are always roundly dismissed. >But back to Vladimir: instead of whining at us about how our fear of the >law is hurting the achievement of our goals, why don't _you_ write that >killer crypto-app and distribute it to the world? Who's stopping you? no one is stopping me from *distributing* any software, nor from writing it. I don't think the problem is a shortage of inspired programmers as you nicely demonstrate. the problem is the aura of fear associated with those programmers unleashing their full creativity on the problem, esp. those inside companies. and my point is that laws do not create fear. the programmers are responsible for their own fears. we can help eradicate that fear by egging them on. does anyone really believe anything bad will happen to individual programmers? don't you see that if anything did, how much it would win for *our* cause? "sometimes you win by losing, and lose by winning". your bias again shows: "what is preventing us from succeeding is finding a lone programmer who writes that killer app that spreads around the world".
that's blatantly specious in my opinion. the killer apps such as the MS crypto toolkit, various apple products, and Netscape, Eudora, etc. exist *now*. the trick is to encourage the companies to put strong crypto in them, and to say to Hell with the ITAR, and accept a court challenge as an important part of the battle. you will not get that result by endlessly reiterating why even THINKING about doing so is prevented by the ITAR. you will sabotage that result. imho, the period of the lone programmer writing a killer app is over with. I believe that PGP is going to start a slow slide into obscurity at this point unless Zimmermann links it to some major vehicle like a web browser or wysiwyg mail program. of course I know what I write is blasphemous. of course it sounds contrary to the basic philosophies on this list. but how far have these philosophies gotten the cpunk "movement"?? look around you, and ask yourself if your tactics are succeeding. p.s. thanks for taking me seriously. From alano at teleport.com Tue Jan 30 16:01:09 1996 From: alano at teleport.com (Alan Olsen) Date: Wed, 31 Jan 1996 08:01:09 +0800 Subject: New Mailing List (encrypted) Message-ID: <2.2.32.19960130195856.00951320@mail.teleport.com> At 10:21 AM 1/30/96 -0800, anonymous-remailer at shell.portal.com wrote: >On Sat, 13 Jan 1996 13:42:49 -0600, wrote: > >> I have installed PGPdomo on vishnu.alias.net. I've also >>created a new mailing list that you can join if you wish. It's a >>closed mailing list, so subscriptions must be approved. What makes > >If we have attempted to subscribe, but received no response, does that >mean that we didn't get approved? If so, how can we "qualify"? I have noticed that the software they are using is VERY picky about the formatting of the request and how it is encoded in PGP. To get it to work, I had to use the EXACT instructions posted to get it to subscribe. The PGPMajordomo software is a great idea, but in practice it has not been that fun to use.
The biggest problem has been that the mail client I use does not do PGP that well. Hopefully the state of E-Mail support for PGP will change. Another project to add to the list... Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ Is the operating system half NT or half full? From cp at proust.suba.com Tue Jan 30 16:12:23 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Wed, 31 Jan 1996 08:12:23 +0800 Subject: your bogus post In-Reply-To: Message-ID: <199601302019.OAA11936@proust.suba.com> > Seems to me the irresponsible thing too many of our society do is put too > much stock in the marketeers. I usually select products on their merits, > not on the marketing. Maybe you do too. But the marketing works, and > companies have to use it to stay profitable. I don't think you can make a hard and fast rule about this sort of thing. The problem isn't just marketing hype. The problem is that the claims fv is making about competing systems border on misrepresentation. When a company does something you believe is unethical, what do you do? It depends on how much better their product is than the other guys', how badly you need it, and how offensive you find their actions. I'm not as bothered by the incident as many here are; I tend to attribute it to panic on their part as it becomes increasingly clear that credit card numbers transmitted via ssl web servers will be the first standard for online commerce. Marketing is important, and it can do a lot for a company. But I don't think it will be able to prop up fv over the long run. Suppose you want to buy some information off of a web page. You can either give your cc number via ssl, or go out and create a fv account, then come back and buy whatever it is you wanted. Which one are you going to do?
From dvw at hamachi.epr.com Tue Jan 30 16:17:13 1996 From: dvw at hamachi.epr.com (David Van Wie) Date: Wed, 31 Jan 1996 08:17:13 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credi tCards Message-ID: <310E7DAE@hamachi> On January 30, 1996 nsb[SMTP:nsb at nsb.fv.com] wrote: >> Of course, since Federal law requires the credit card companies, not the >> user, to pay the costs of fraud, First Virtual's entire premise is a red >> herring. > >Actually, you're wrong here too. It is the banks, not the credit card >companies, that carry the risk. Changing the subject doesn't change the point. Your announcement implies that users are liable, and that is incorrect. This is misleading, and in my view, reprehensible. This was the point of my post. The fact that the fraud is traceable when detected should have been self evident. If your post had said "Financial Industry Should Watch out for Keyboard Sniffers" as a *potential* threat for which the risks should be weighed, that would have been different. Arguably farfetched, but different. Your post relies on people's ignorance of their rights with respect to credit card liability, and therefore is shameful. dvw From cp at proust.suba.com Tue Jan 30 16:41:37 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Wed, 31 Jan 1996 08:41:37 +0800 Subject: RC2 code on sci.crypt In-Reply-To: <199601300312.VAA06064@parka> Message-ID: <199601300531.XAA10444@proust.suba.com> > For those not paying attention, there is RC2 code on sci.crypt. RSADSI > is acting as if it is real, and will publish some legal posturing about > it real soon now. On sci.crypt Bruce said it was a crummy algorithm... Can anyone talk a little bit about it, what it's been used for, what makes it weak/strong, etc.?
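Added example, not part of any post in this archive and not the code posted to sci.crypt: the effective-key-length step that Mike Duvos describes in the "Alleged RC2" message above, following the key-expansion structure later published in RFC 2268. The byte table `PI` is a constructed stand-in permutation (an assumption; RC2's real table is not reproduced here), and all function names are hypothetical.

```python
"""Effective-key-length reduction in the style of RC2 key setup.

Structure follows RFC 2268. PI is a CONSTRUCTED stand-in permutation,
not RC2's real PITABLE, so these are not genuine RC2 key schedules.
The counting argument only needs PI to be a permutation of 0..255.
"""

# Stand-in table (assumption): an affine map with an odd multiplier
# is a bijection on 0..255.
PI = [(x * 167 + 13) % 256 for x in range(256)]
assert sorted(PI) == list(range(256))


def expand(user_key):
    """Stretch a 1..128 byte user key (e.g. a passphrase) to 128 bytes."""
    t = len(user_key)
    if not 1 <= t <= 128:
        raise ValueError("user key must be 1..128 bytes")
    buf = list(user_key)
    for i in range(t, 128):
        buf.append(PI[(buf[i - 1] + buf[i - t]) % 256])
    return buf


def tail_params(bits):
    """Return (t8, tm): bytes that survive, and the mask on the first of them."""
    if not 1 <= bits <= 1024:
        raise ValueError("bits must be 1..1024")
    t8 = (bits + 7) // 8
    tm = 255 % (1 << (8 + bits - 8 * t8))
    return t8, tm


def reduce_to_bits(buf, bits):
    """Recompute the whole buffer from its rightmost `bits` bits only."""
    t8, tm = tail_params(bits)
    out = list(buf)
    out[128 - t8] = PI[out[128 - t8] & tm]
    # Everything left of the tail is overwritten, so the expanded user key
    # influences the result only through the surviving tail bits.
    for i in range(127 - t8, -1, -1):
        out[i] = PI[out[i + 1] ^ out[i + t8]]
    return bytes(out)


def key_schedule(user_key, bits):
    """Full key setup: expand, then clamp to `bits` effective bits."""
    return reduce_to_bits(expand(user_key), bits)


def depends_only_on_tail(user_key, bits):
    """Scramble every bit outside the tail; the schedule must not change."""
    t8, tm = tail_params(bits)
    buf = expand(user_key)
    other = [b ^ 0xA5 for b in buf[:128 - t8]] + buf[128 - t8:]
    other[128 - t8] ^= 0xFF ^ tm  # flip the bits above the mask
    return reduce_to_bits(buf, bits) == reduce_to_bits(other, bits)


def count_schedules(bits):
    """Enumerate every possible tail; feasible only for small `bits`."""
    t8, _ = tail_params(bits)
    seen = set()
    for tail in range(1 << bits):
        buf = [0] * (128 - t8) + list(tail.to_bytes(t8, "big"))
        seen.add(reduce_to_bits(buf, bits))
    return len(seen)


def distinct_schedules(user_keys, bits):
    """How many different schedules a set of user keys actually produces."""
    return len({key_schedule(k, bits) for k in user_keys})


# Constructed sample passphrases (fixed length, all different).
SAMPLE_KEYS = [("passphrase-%04d" % n).encode() for n in range(500)]

if __name__ == "__main__":
    print("40-bit schedule depends only on tail:",
          depends_only_on_tail(b"a long passphrase typed by the user", 40))
    print("distinct schedules at bits=10:", count_schedules(10))
    print("500 passphrases, bits=6   :", distinct_schedules(SAMPLE_KEYS, 6))
    print("500 passphrases, bits=1024:", distinct_schedules(SAMPLE_KEYS, 1024))
```

For anyone reviewing a product built this way, the search space is set by the `bits` value, not by the passphrase length the user interface accepts.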
From dvw at hamachi.epr.com Tue Jan 30 16:46:07 1996 From: dvw at hamachi.epr.com (David Van Wie) Date: Wed, 31 Jan 1996 08:46:07 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credi tCards Message-ID: <310E8117@hamachi> On January 30, 1996 hua[SMTP:hua at chromatic.com] wrote: >> the credit card companies in detecting fraud and locating criminals is >> quite real. > >Retail clerks are not lone bandits. My point is not that all retail clerks are bandits. Most are trustworthy, but surely any long time CC user has given their card to someone who would rip them off if they thought they could get away with it. My point is that CC #'s are not national security secrets, they are disclosed to potential adversaries regularly. >> Of course, since Federal law requires the credit card companies, not the >> user, to pay the costs of fraud, First Virtual's entire premise is a red >> herring. If the credit card companies are willing to take the risk, they >> will (and are). > >Federal law does not require that a company stay in business once it >has entered the banking market. The point is FV's post relies on a frightening and false premise - that the users are exposed to one or more financial risks by FV's keyboard sniffer threat. dvw From cme at cybercash.com Tue Jan 30 16:55:27 1996 From: cme at cybercash.com (Carl Ellison) Date: Wed, 31 Jan 1996 08:55:27 +0800 Subject: Denning's misleading statements Message-ID: At 20:49 1/27/96, Timothy C. May wrote: >I've never met Dorothy Denning, so I hesitate to characterize her as a >villainess. But certainly she's the only noted cryptographer I know of >who's gone so far out on a limb to defend a position the vast majority of >computer scientists, civil libertarians, and cryptographers scoff at. I've met some others -- most notably Silvio Micali [but he has a financial interest in that position]. However, DERD is the only one I've met who is all the way over on Freeh's side.
- Carl +--------------------------------------------------------------------------+ | Carl M. Ellison cme at acm.org http://www.clark.net/pub/cme | | PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2 | | "Officer, officer, arrest that man! He's whistling a dirty song." | +----------------------------------------------------------- Jean Ellison -+ From bruce at aracnet.com Tue Jan 30 16:57:50 1996 From: bruce at aracnet.com (Bruce Baugh) Date: Wed, 31 Jan 1996 08:57:50 +0800 Subject: Reply Blocks and Nyms: newbie question Message-ID: <310e8f92.2746553@mail.aracnet.com> I'm almost certainly going to be changing my address in the next few weeks. I'd like to keep the same nym account. Can someone take a stab at explaining how to feed the relevant info to C2? From carboy at hooked.net Tue Jan 30 16:58:46 1996 From: carboy at hooked.net (Michael E. Carboy) Date: Wed, 31 Jan 1996 08:58:46 +0800 Subject: Cyphercoding Training Wheels?? Message-ID: <01BAEE8F.D6BF3860@chum-55.ppp.hooked.net> Greetings All, I have been lurking as a newbie on the cypherpunks mailing list for 'bout one month. Have ordered Koblitz book on Number Theory and Applied Cryptography. As I slowly (and probably painfully) learn some number theory, I would like to start coding, particularly as it would relate to encrypting and decrypting stuff. I ask the community's input as to whether I should use visual basic or visual C++ ??? I am using a windoze95 platform. Any comments would be welcome.. thanks Michael E. Carboy carboy at hooked.net finger for key From shamrock at netcom.com Tue Jan 30 16:59:21 1996 From: shamrock at netcom.com (Lucky Green) Date: Wed, 31 Jan 1996 08:59:21 +0800 Subject: Lotus Notes Message-ID: At 20:25 1/29/96, Charlie_Kaufman/Iris.IRIS at iris.com wrote: >The Notes R4 approach gives the best of two fairly unpleasant worlds. You can >export crypto if you either limit yourself to 40 bits [...] > >Notes R4 didn't give up anything to get this.
Of course Lotus gave something up for it. They voluntarily made sure that even the supposedly non-GAK domestic version provides relatively easy access for the authorities. Sixty-four bits are an inconvenience, but nothing more. If Lotus had wanted to make the domestic version GAK free, they would have used 128 bit. In the end Lotus caved in twice: they released a 'super easy' GAK international version and a not 'quite so easy' GAK domestic version. Sixty-four bits is GAK. Period. -- Lucky Green PGP encrypted mail preferred. From jya at pipeline.com Tue Jan 30 17:06:56 1996 From: jya at pipeline.com (John Young) Date: Wed, 31 Jan 1996 09:06:56 +0800 Subject: The FV Problem = A Press Problem Message-ID: <199601302126.QAA16125@pipe1.nyc.pipeline.com> Responding to msg by tbyfield at panix.com (t byfield) on Tue, 30 Jan 3:49 PM > Chomsky took the phrase from a book by Walter >Lippman, published I think in 1922; the book's name >escapes me now. Would that be "Public Opinion?" If so, that's an interesting progression: Bernays to Lippman to Chomsky: PR begets PO begets ... How would the politico-linguist's advocacy be characterized, PR, PO or whatever is evolving parasitically from hegemonic, ever manipulative media? All the variations of MCI-MS-News-Oracles, global combos and recombos burgeoning and emerging. All the promising, braying, dreaming, lying, manipulating markets and investors reminds of Lippman's and Bernay's and Chomsky's warnings about evil-doers causing the sky to fall. From llurch at networking.stanford.edu Tue Jan 30 17:09:48 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 31 Jan 1996 09:09:48 +0800 Subject: [NOISE] Re: [FACTS] Germany, or "Oh no not again" In-Reply-To: <1mwHiD103w165w@bwalk.dm.com> Message-ID: On Mon, 29 Jan 1996, Dr. Dimitri Vulis wrote: > m5 at dev.tivoli.com (Mike McNally) writes: > > Thomas Roessler writes: > > > ...
In particular, they are right now > > > *checking* whether providing internet access is a criminal > > > offence due to the possibility to gain access to `inciting > > > material' (the German word is `Volksverhetzung') via the Net. > > > > If so, then this humble non-lawyer would suggest to the prosecutors > > that they go after travel agencies next, because they sell airline > > tickets that could be used to travel to countries where offensive > > material is available. > > Isn't there something in U.S. Code about crossing state lines > for immoral purposes? Yeah -- the intent was to stop the undesirables from kidnapping the pure white wimmin. Hasn't been used for years, if not decades. > (While I'm thoroughly disgusted by the German government's censorship, > let's not forget that the U.S. is no paradigm of freedom either.) It's about as close as you can get, though. The US is the battleground because it has the power to impose its will on the rest of the world. Crypto controls in the US effectively mean crypto controls on common software worldwide. -rich From futplex at pseudonym.com Tue Jan 30 17:10:08 1996 From: futplex at pseudonym.com (Futplex) Date: Wed, 31 Jan 1996 09:10:08 +0800 Subject: RC2 source code In-Reply-To: <199601292158.NAA04160@infinity.c2.org> Message-ID: <199601300456.XAA23898@opine.cs.umass.edu> > /**********************************************************************\ > * To commemorate the 1996 RSA Data Security Conference, the following * > * code is released into the public domain by its author. Prost! * Looks like Eric Young has more work to do when he gets back from vacation ;) Futplex , not turning up much in an RC2 web search ------------------- From: eay at mincom.oz.au (Eric Young) Newsgroups: comp.security.misc,comp.security.unix Subject: Re: ANNOUNCE SSL-MZtelnet.0.3.2 (secure telnet) Date: 30 Aug 1995 08:21:40 GMT Organization: Mincom Pty. Ltd. 
There are a few different ports of SSLeay to various applications (eg telnet/ ftp/Mosaic/httpd) going on. I've written a free SSL library (free for commercial and non-commercial use) which people are putting into various applications. Being outside the USA, I'm not giving any thought to the legal aspects of use of my implementation of RSA or RC4 inside the USA. The library supports all DES, IDEA and RC4 modes (including the 40 bit export version) and if some-one reverse engineers RC2 I'll put it in for completeness :-) From andreas at horten.artcom.de Tue Jan 30 17:11:39 1996 From: andreas at horten.artcom.de (Andreas Bogk) Date: Wed, 31 Jan 1996 09:11:39 +0800 Subject: Opinion piece in NYT; responses needed In-Reply-To: <199601300105.UAA18553@UNiX.asb.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- >>>>> "Mutatis" == Mutatis Mutantdis writes: Mutatis> It's a decentered network (or set of networks) designed Mutatis> to get information to its addressee. Data flows through Mutatis> several nodes and networks until it reaches its Mutatis> destination. If it can't get through one path, it goes Mutatis> through the other. This is unfortunately a wide-spread myth. While it's true for mail and news, it's not for IP packets. Witness: 5:41 bogk at habari% traceroute www.webcom.com ~ traceroute to s1000e.webcom.com (206.2.192.66), 30 hops max, 40 byte packets 1 jambo-110 (160.45.110.1) 3 ms 2 ms 2 ms 2 heiss.router.fu-berlin.de (160.45.1.1) 2 ms 1 ms 1 ms 3 Duesseldorf7.WiN-IP.DFN.DE (188.1.133.65) 38 ms 45 ms 69 ms 4 ipgate2.win-ip.dfn.de (193.174.74.200) 69 ms 56 ms 71 ms 5 * ipgate2.win-ip.dfn.de (193.174.74.200) 41 ms !H * 6 ipgate2.win-ip.dfn.de (193.174.74.200) 44 ms !H * 39 ms !H BTW: Deutsche Telekom (actually DeTeBerkom, a 100% daughter) is one of DFN's major players.
Andreas -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAgUBMQ2oTEyjTSyISdw9AQGulgP/SCP80zzeSbLnkYjsb3td8g7CvOsC5HUM 85gWT60xZZER8dZr5VOYD/To3ofeZWII0RAELDPCT48Efw06VxkWCUPeVF35yjjB 2GfRIcKBKaqrag2TH4nT91kf0pCqlrRFf7l6x9x0la7qdks40pH/CEWfBzNsYkTQ 9uq9K1gjX1E= =u9d4 -----END PGP SIGNATURE----- From pmarc at fnbc.com Tue Jan 30 17:11:50 1996 From: pmarc at fnbc.com (Paul M. Cardon) Date: Wed, 31 Jan 1996 09:11:50 +0800 Subject: My mail to Nathaniel (was Re: Re: FV Demonstrates Fatal Flaw inSoftware Encryption of Credit) In-Reply-To: <22706.822974816.1@nsb.fv.com> Message-ID: <199601300418.WAA00258@abernathy.fnbc.com> My mailer insists that Nathaniel Borenstein wrote: > Hello. I am Nathaniel Borenstein's automatic mail robot. I should have suspected as much. Hello robot. Nice robot. Busy robot. > > Your message is in the highest priority category of mail that was > not sent through the "urgent backdoor". Nathaniel WILL READ YOUR > MAIL SOON, most likely tomorrow morning. Busy Nathaniel. > THE "URGENT BACKDOOR": If your message absolutely cannot wait until > tomorrow morning, or possibly a bit later, please re-send it to the > address "nsb+urgent at nsb.fv.com". Please make note of the special > urgent address for future reference. Be warned, however, that > Nathaniel can tell me to override the "urgent" delivery for anyone > who regularly abuses it. You gotta be kidding. I just gotta see the response from this one. > Additionally, if you're someone he doesn't know, Nathaniel will NOT > ANSWER your mail if the answer is contained in the NSB FAQ. I can most assuredly aver that my comments and questions were not covered in the NSB FAQ. ;-) --- Paul M. Cardon -- I speak for myself. 'nuff said. 
MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e From Jeremym at area1s220.residence.gatech.edu Tue Jan 30 17:12:08 1996 From: Jeremym at area1s220.residence.gatech.edu (Jeremy Mineweaser) Date: Wed, 31 Jan 1996 09:12:08 +0800 Subject: FV's Borenstein discovers keystroke capture programs! (pictures at 11!) Message-ID: <2.2.32.19960130042632.00966364@area1s220.residence.gatech.edu> At 04:39 PM 1/29/96 -0500, Nathaniel Borenstein wrote: >Well, the mis-conceptions are flying fast and furious. > >You're twisting our words. We believe it is a truly fatal flaw in those >internet commerce schemes that are based on software encryption of >credit card numbers. There are several schemes for Internet commerce >that are unaffected: > > -- First Virtual (of course) Question: Could you please describe the nature of the First Virtual protocol? Now before you tell me to RTFM, let me explain. I assume, although without absolute certainty, that in order to bill me you must know my credit card number. If you do not know my credit card number, and depend on someone else who does, you are nothing more than a middleman who introduces additional possibility for breach of security. If you do know my credit card number, you must deal with the associated problem of storing this number. Now perhaps I am wrong, and you really do keep all of your clients' card numbers in a printed book hidden within a safe, and for each transaction you remove the book, use your table to match FV_ID to CC#, process the transaction, and replace the book. However, I doubt this. More likely, you store the card numbers on a computer. And no doubt, someone or something enters those numbers into a database. You have just violated your own cardinal rule. 
Jeremy --- Jeremy Mineweaser | GCS/E d->-- s:- a--- C++(+++)$ ULC++(++++)>$ P+>++$ j.mineweaser at ieee.org | L+>++ E-(---) W++ N+ !o-- K+>++ w+(++++) O- M-- | V-(--) PS+(--) PE++ Y++>$ PGP++>+++$ t+() 5 X+ R+() *ai*vr*vx*crypto* | tv(+) b++>+++ DI+(++) D+ G++ e>+++ h-() r-@ !y- From pete at loshin.com Tue Jan 30 17:13:00 1996 From: pete at loshin.com (Pete Loshin) Date: Wed, 31 Jan 1996 09:13:00 +0800 Subject: No FV supporters? Message-ID: <01BAEF34.AA95ECC0@ploshin.tiac.net> Nathaniel seems to be defending his cause sufficiently well, and graciously answering the abuse. Some of the abusers are showing a fairly comprehensive lack of knowledge of the FV system. I would venture to say that FV has no more profit motivation than, say, Netscape--or how about Open Market? They who gleefully opened a "Here are the secure servers that haven't been hacked" page some time ago. That was pretty self-serving, wasn't it? Nor would I consider the FV brouhaha much more obvious than, say, the front page announcements about "NFS and RPC considered dangerous" that hit the big papers last year. The weaknesses of those protocols for internetworking have long been known to those working with TCP/IP. Now, clearly there are lots of opinions on FV's system, but if people like Sameer and Rich Salz (e.g., who have reputations as knowledgeable and aware) are going to trash FV it would mean a lot more to many readers if they could state more specifically what it is about FV that doesn't work (or that doesn't work as well as, say, SSL or CyberCash or Open Market's approaches). As for the Weld Pond/et al graphical clicking approaches, they may work and they may defend against some attacks, but I won't use it (too much clicking around, too likely to make mistakes) and neither will anyone without a GUI. My $0.02.
-Pete Loshin pete at loshin.com Ted Anderson wrote: >I am rather shocked that after wading through hundreds of msgs of abuse >of Nathaniel and FV I haven't seen one message of support; but perhaps I >missed it. etc. From futplex at pseudonym.com Tue Jan 30 17:14:15 1996 From: futplex at pseudonym.com (Futplex) Date: Wed, 31 Jan 1996 09:14:15 +0800 Subject: Signature use and key trust (Was: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit) In-Reply-To: Message-ID: <199601300431.XAA23839@opine.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- Nathaniel Borenstein writes: > Have you downloaded my key from the net? Assume that you have. How do > you know it's mine? For all intents and purposes so far, "Nathaniel Borenstein" is something that occasionally sends mail to the cypherpunks list, apparently from nsb.fv.com. I expect that NSB turns out to consist of more than that, but not in my own experience. This entity persistently offers a public key from an email address @nsb.fv.com. If I retrieved the key from that address, I would have a reasonable expectation (though not assurance) that I could use it to verify the integrity of signed messages emanating from that address. In my world, "you" == nsb at nsb.fv.com, and hence "your key" == the key I could fetch from nsb+faq at nsb.fv.com. > I use PGP about 20 times per day. I use it in a manner that is > *meaningful*. Unless we have in some way or another verified each > others' keys, it is meaningless for me to sign a message to you. > Putting a PGP signature on a message to someone who has no way of > verifying your keys is a nice political statement, but is utterly > meaningless in terms of adding any proof of the sender's identity. -- I discussed the identity issue above. Assuming a corresponding key can be found (which is clearly the case here), the signature on the message can be verified as a MAC. 
It would have been nice to be able to check, for example, that the SHOUTING IN CAPS in your announcement wasn't just the result of some manipulation of the message in transit to make it appear more hysterical.

FWIW, I have lost a great deal of respect for you today (unrelated to the content of this message).

Futplex

From cman at communities.com Tue Jan 30 17:14:36 1996
From: cman at communities.com (Douglas Barnes)
Date: Wed, 31 Jan 1996 09:14:36 +0800
Subject: More FUD from the Luddites at FV [pt. 2]
Message-ID:

People have been dealing with viruses and malicious programs since the dawn of PCs. (Before that even, really.) This is not news.

A virus or trojan horse can do something much worse than the (possible) inconvenience of a "bad guy" getting your credit card number. Whether you're a business or an individual, having, say, your hard drive wiped clean by a virus would be several orders of magnitude worse than the relatively minor inconvenience of having to get unauthorized items deleted from your credit card bill. This is just as possible as the credit card scenario FV is painting, and PC owners have been dealing with this kind of threat for over a decade.

Rather than focus on something as tame as credit card numbers, let's look at what else a malicious program could do if it had unlimited power over your PC:

 o Ransack your tax preparation files
 o Compress and transmit your financial information to your competitors or to Blacknet.
 o Capture the passwords and logins that you use while telecommuting
 o Use your dial-up bank-by-computer software to make unauthorized transfers.
 o Reformat your hard drive.

The fact is, malicious programs are a threat that has been in the background for over a decade, and PC users with any experience to speak of are familiar with at least the rudiments of dealing with this class of problem. If anything, they're more familiar with this kind of threat than more network-specific threats. (Look at the huge sales of popular anti-virus products.)

Sure, there are clueless people out there, but the solution is to help make them less clueless, not to stampede them in a panic, which is apparently FV's goal here.

--doug

Ernest Hua writes:
>I'm quite amazed at the level of ... well ... how can I characterize it
>without insulting too many people? ... arrogance? ...
>
>Many of you would be amazed at what motivates the average person to buy
>or to use a computer. Most people, when asked about security, do not
>even have a concept, let alone how it applies in a computer environment.
>
>There is far more misinformation and miseducation among the average user
>than you might think. Not everyone understands why they need a modem in
>order to get onto the Internet. Not everyone understands why you need
>to sign up for an account with an ISV in order to get onto the Internet.
>(You would be amazed at how many people think that just buying a modem
>is good enough to get onto the Internet.)
>
>The response is typically, "I don't understand all that technobabble!"
>"Just give me something that works!" "This is too complicated!"
>
>If you think that the dumb user should be left to fight for his/her own
>survival on the information highway, you are easily condemning 75% to
>90% of the current users.
>
>I am not entirely convinced that Borenstein is totally selfless in his
>(or FV's) announcement.
However, the basis of his argument, while it
>may not apply to the cypherpunk community, has much merit in the real
>world.
>
>Try helping 100 random people with computers. Bet you 90 of them have
>trouble getting onto the Internet, period, let alone figuring how to
>run Netscape. There is a reason why AOL/CompuServe do very well
>catering to those who are technically-challenged.
>
>Ern

------                                                               ------
Douglas Barnes            "The tighter you close your fist, Governor Tarkin,
cman at communities.com    the more systems will slip through your fingers."
cman at best.com                                       --Princess Leia

From frantz at netcom.com Tue Jan 30 17:17:34 1996
From: frantz at netcom.com (Bill Frantz)
Date: Wed, 31 Jan 1996 09:17:34 +0800
Subject: FL Demonstrates Fatal Flaw in Logins
Message-ID: <199601301931.LAA02257@netcom6.netcom.com>

At 8:49 AM 1/30/96 -0500, Perry E. Metzger wrote:
>Benjamin Renaud writes:
>> The only events a Java applet is privy to are those that are typed in
>> an applet window (and only those it itself spawned).
>
>Don't say "is privy". Say "is supposed to be privy". Doubtless bugs
>will appear in java security in the future -- they've shown up in the
>past.

My biggest worry about Java security is the size of its "security kernel". Having a small, well defined, security kernel is a big advantage. All the better if the source is available for public review. Java has a large, and to me somewhat undefined "security kernel".

(BTW - I haven't been able to find on the web pages the kind of overview of the libraries which would make the detailed method descriptions make sense. Perhaps I haven't looked in the right place.)

-----------------------------------------------------------------
Bill Frantz            Periwinkle -- Computer Consulting
(408)356-8506          16345 Englewood Ave.
frantz at netcom.com   Los Gatos, CA 95032, USA

From shamrock at netcom.com Tue Jan 30 17:52:09 1996
From: shamrock at netcom.com (Lucky Green)
Date: Wed, 31 Jan 1996 09:52:09 +0800
Subject: Lotus Notes
Message-ID:

At 11:09 1/30/96, Charlie_Kaufman/Iris.IRIS at iris.com wrote:

>p.s. re: the fact that it's 64 bits rather than 128. That was the limit on key
>size of the crypto software we licensed from a third party. That crypto
>software also limited us to 760 bit RSA keys.

I find this very interesting. RSA prohibits its licensees from using RSA software with truly secure key lengths. What may have incentivised them to take this bizarre position?

-- Lucky Green
PGP encrypted mail preferred.

From ses at tipper.oit.unc.edu Tue Jan 30 17:52:49 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Wed, 31 Jan 1996 09:52:49 +0800
Subject: FV's Borenstein discovers keystroke capture programs! (
In-Reply-To: <9601301705.AA28831@toad.com>
Message-ID:

>
> Can you make up your mind, please? Do you regard automated
> voice recognition as a threat to your privacy, or not? Is there
> some reason you think it's lot easier to recognize a spoken "NSA"
> than "Three One Four One Five Nine Two Six Five Four"?
>

Let's give it a try ... (this is with a copy of DragonDictate Professional running on a Pentium 90 with an IBM DSP card handling some of the work. Not exactly cheap, but well within budget for our purposes.)

3141592654. NSA.

That wasn't too bad now, was it? Of course, the NSA wasn't in the default vocabulary, but then again, neither was the NSO. Is this government censorship?

Now then, does anybody have a nice high quality radio bug we can stick on Nat's telephone? Maybe we'll be able to spoof their PR Agency, leaving them helpless :-)

Disclaimer: I have a huge amount of respect for all the individuals at first virtual; they're all greats from the field of Internet mail.
However I think this biases them towards a mail based solution, even when this isn't the best way to tackle the job. I'm disappointed that they have to stoop to this level in a desperate attempt to hold what seems to be an untenable market position, when there is so much important work they could all the doing.

Simon

> Consistancy is a wonderful thing - you should try it sometime.

Consistency is also pretty good :-)

(at least with voice recognition, the typos are spectacularly catfish wombat haddock).

From bdavis at thepoint.net Tue Jan 30 17:59:26 1996
From: bdavis at thepoint.net (Brian Davis)
Date: Wed, 31 Jan 1996 09:59:26 +0800
Subject: [NOISE] Re: [FACTS] Germany, or "Oh no not again"
In-Reply-To:
Message-ID:

On Mon, 29 Jan 1996, Rich Graves wrote:

> On Mon, 29 Jan 1996, Dr. Dimitri Vulis wrote:
>
> > m5 at dev.tivoli.com (Mike McNally) writes:
> >
> > Isn't there something in U.S. Code about crossing state lines
> > for immoral purposes?
>
> Yeah -- the intent was to stop the undesirables from kidnapping the pure
> white wimmin. Hasn't been used for years, if not decades.

On the contrary, the Mann Act is still used occasionally to prosecute those who kidnap women and transport them over state lines, usually to be used in prostitution rings.

I've never prosecuted one, though.

EBD

From rschlafly at attmail.com Tue Jan 30 18:24:50 1996
From: rschlafly at attmail.com (Roger Schlafly)
Date: Wed, 31 Jan 1996 10:24:50 +0800
Subject: Clipper
Message-ID:

>> One of the interesting things about the whole crypto debate, going back at
>> least to the Clipper announcement (and actually some months before) has
>> been that the pro-restrictions, pro-GAK side of the argument has almost no
>> defenders! Except for David Sternlight, Dorothy Denning, and Donn Parker
>> ("attack of the killer Ds"?), there are almost no public spokesmen for the
>> pro-restriction, pro-GAK side.

>> There's quite a few folks in the Yale CS department that are pro-Clipper
>> or fence sitters.
They justify it in class by claiming that law
>> enforcement needs these abilities if LE is to remain effective.

I don't think "pro-Clipper" properly characterizes the enemy. Clipper is a chip used in a voluntary federal standard. If we had sufficient civil liberties guarantees, I bet even a lot of c'punks wouldn't object to govt agencies using clipper chips.

But the Freeh/Denning position, as I understand it, is that:

* privacy is not a right
* the govt should routinely spy on citizens
* strong crypto should be illegal
* no public debate on the underlying issues

Are there other computer scientists with this position?

Roger

From m5 at dev.tivoli.com Tue Jan 30 18:37:30 1996
From: m5 at dev.tivoli.com (Mike McNally)
Date: Wed, 31 Jan 1996 10:37:30 +0800
Subject: [NOISE] Re: [FACTS] Germany, or "Oh no not again"
In-Reply-To:
Message-ID: <9601302336.AA14776@alpha>

Brian Davis writes:
> > > m5 at dev.tivoli.com (Mike McNally) writes:
> > >
> > > ... for immoral purposes?
> >
> > ... white wimmin ...
>
> On the contrary ...

Not that I don't wish I could take credit for a discussion thread of such high caliber as this, but I can't; I have no idea how my name got glued on there.

______c_____________________________________________________________________
Mike M Nally * Tivoli Systems * Austin TX    * I want more, I want more,
m5 at tivoli.com * m101 at io.com            * I want more, I want more ...
                                             *_______________________________

From prmoyer at magpage.com Tue Jan 30 18:47:14 1996
From: prmoyer at magpage.com (Philip R. Moyer)
Date: Wed, 31 Jan 1996 10:47:14 +0800
Subject: No Subject
Message-ID: <199601310018.TAA12796@alaska.magpage.com>

Well, I'm discouraged. I'm looking for strongly encrypted cellular telephones, but I can't seem to find many. If you know of some, could you pass along some pointers for me? I would really like to avoid using a GAK enabled product, if there's any way to avoid it (even if it means paying lots of extra $$$).
Cheers,
Phil

From sameer at c2.org Tue Jan 30 18:50:27 1996
From: sameer at c2.org (sameer)
Date: Wed, 31 Jan 1996 10:50:27 +0800
Subject: The FV Problem = A Press Problem
In-Reply-To:
Message-ID: <199601310005.QAA19840@infinity.c2.org>

I agree with your points that the press should write real articles, and not just swallow press releases. The fact of the matter though, is that that's what they do, swallow press releases. It's a sad state of affairs, but that is the state of affairs. I wouldn't say *all* news is PR controlled, but most of it is. It's much less work for the reporter when an article just shows up on their desk and all they have to do is call one or two people for some fresh quotes.

--
Sameer Parekh                               Voice:   510-601-9777x3
Community ConneXion, Inc.                   FAX:     510-601-9734
The Internet Privacy Provider               Dialin:  510-658-6376
http://www.c2.org/ (or login as "guest")    sameer at c2.org

From hallam at w3.org Tue Jan 30 18:53:01 1996
From: hallam at w3.org (hallam at w3.org)
Date: Wed, 31 Jan 1996 10:53:01 +0800
Subject: RC2 code on sci.crypt
In-Reply-To: <199601300531.XAA10444@proust.suba.com>
Message-ID: <9601302358.AA29563@zorch.w3.org>

At a W3C security meeting we were discussing encryption algs to use, not surprisingly RC4 came up, Ron suggested that we also include `aledged-rc4'. Maybe we need aledged-rc2 as well :-)

Then again I think we might end up with "alledged HTTP" and similar products from a number of vendors if we went too far down that route.

From perry at piermont.com Tue Jan 30 19:13:04 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Wed, 31 Jan 1996 11:13:04 +0800
Subject: FL Demonstrates Fatal Flaw in Logins
In-Reply-To: <199601300603.WAA11063@springbank.Eng.Sun.COM>
Message-ID: <199601301349.IAA02865@jekyll.piermont.com>

Benjamin Renaud writes:
> The only events a Java applet is privy to are those that are typed in
> an applet window (and only those it itself spawned).

Don't say "is privy". Say "is supposed to be privy".
Doubtless bugs will appear in java security in the future -- they've shown up in the past.

Perry

From futplex at pseudonym.com Tue Jan 30 19:19:21 1996
From: futplex at pseudonym.com (Futplex)
Date: Wed, 31 Jan 1996 11:19:21 +0800
Subject: Reply Blocks and Nyms: newbie question
In-Reply-To: <310e8f92.2746553@mail.aracnet.com>
Message-ID: <199601310048.TAA25897@opine.cs.umass.edu>

Bruce Baugh writes:
> I'm almost certainly going to be changing my address in the next few
> weeks. I'd like to keep the same nym account. Can someone take a stab
> at explaining how to feed the relevant info to C2?

I'm very interested in figuring out how to refine the user instructions for Matt's pseudonymizer at alpha, and similar anonymity/pseudonymity systems.

Let me quote what I think are the relevant parts of Matt's standard instructions, without further comment from me for now. Please point out anywhere you see a gap or something confusing so we can figure out how to improve the instructions.

(I'm quoting from the Oct.1, 1995 version at http://www.cs.berkeley.edu/~raph/alpha-help.html --- mailto:help at alpha.c2.org for the current version)

To create a mail alias, first create an encrypted reply-block for a cypherpunk-style remailer. An encrypted reply block is a message encrypted with a remailer's PGP public key, which will be sent to your address, or to an address where you can receive messages. To create a reply block, you would create a message for a remailer that goes back to you:

::
Request-Remailing-To: you at yoursite.org

Then you would encrypt that with a remailer's public key, and prepend the necessary Encrypted: PGP header. When this message is received by a remailer, it would decrypt it and send it to you. It would also send you any text appended to the end (outside the PGP wrapper). Thus, using a reply block, it is possible for people to send you mail without knowing your real address.

Next, choose a pseudonym and a password.
The pseudonym-address may contain any alphabetical or numeric characters, or hyphens. The password may not contain any spaces. Then create a message of the following format:

    From: yourname at alpha.c2.org
    Password: Your_Password
    Reply-Block:
    ::
    Anon-To: remailer at utopia.hacktic.nl

    ::
    Encrypted: PGP

    -----BEGIN PGP MESSAGE-----
    Version: 2.3a

    hIwC/nqSW1QDQfUBBACknZMV93wFS2CH0orlgslmEm+alhjI1eKwbbTTmeRWC5Rg
    /S3vZw+95ZuCZfqxKE0XrgZXzOEwfoyBcpVvf9Pb9D19TqEMTmmL/Jpl1xcxmbJ2
    OGsHpQ/TxpazBCVhdBmPblj5wWvwfG1+ZKpIkQ5hiLJhryQM/TUDarEscs3zdaYA
    AAB5231aMcQ74AKoDZizABMF3Tw+olV4mm4jVo9cMn2B3Rj2XBFl4pV9VL3h0ZQB
    cPY/ytBRyZPugr0NpLgjO+q6mEjCcgQrxpYQ+1PvFPdDx1GmJ5ogZqW+AVHsNqAp
    vRoiG8ZhXs4r3E8liFsNtMMf6CUAsdV2ZoX1Hw==
    =Bla3
    -----END PGP MESSAGE-----

Do not actually indent it. It is indented here because some people's mailers try to auto-decrypt PGP messages and this is just an example.

Encrypt this with the following public key and mail it to alias at alpha.c2.org. Unencrypted mail sent to this address will be deleted automatically.

If everything is correct, your mail alias will be created, and you will be sent a confirmation. If not, there will be no way for the software to reply to you, so the message will be deleted. If you don't receive anything, something is wrong, so try again. Be sure to test the reply block first, so that you will know it works! Also, don't forget to include the address of the remailer, and the Encrypted: PGP header at the beginning of your reply block.

Sending in a new reply-block replaces the old one. To change your reply-block, just send a new one, using the same format as the above message.

Futplex

From jrochkin at cs.oberlin.edu Tue Jan 30 19:23:04 1996
From: jrochkin at cs.oberlin.edu (Jonathan Rochkind)
Date: Wed, 31 Jan 1996 11:23:04 +0800
Subject: The FV Problem = A Press Problem
Message-ID:

At 9:28 PM 01/30/96, Timothy C. May wrote:
>At 6:42 PM 1/30/96, Jonathan Rochkind wrote:
[...]
>>that allowed Bernays to do his thing.
Bernays developed expertise in
>>"engineering of consent" turned the news into a commercialized and
>
>Interesting term, similar to Chomsky's "Manufacturing Consent" (which
>obviously must've come later...).

Chomsky generally takes those terms like that from the (often truly scary) writings of others. "Manufacturing Consent", "Deterring Democracy," etc. I bet Bernays said 'manufacturing consent' at some point too, and this is where Chomsky got it.

> [...]
>Maybe I'm from the old school, the school that says one should be more
>modest, objective, and circumspect. Then, if it's really news, and not just
>a PR scam, the journalists will come.

One _should_ be, but the question is whether that's the way the media actually works. Now, clearly, with thousands of journalists all doing their own thing, no one model of the media is going to be all encompassing. Journalists all believe they are looking for real news, of course--but when it's so much (much, much) easier (and, equally importantly, less time-consuming) to get leads from press releases than from investigation... the key, of course, is for the press releases to convince the journalist that what they're talking about _is_ real news, and not just hype. I'm sure Garfinkel thinks that the FV story is "real news", and is grateful for the "alert" alerting him to it. Although, Borenstein says that the Garfinkel article came first in this case--but he probably just means before the FV 'alert', not before FV 'demonstrated' the issue with a program of their own, which was probably Garfinkel's lead.

>I think that the view that "all news is hype" is overly harsh. In fact,
>corrective forces tend to slow this headlong rush into P.R. For example,
>the reaction here to the Nathaniel Borenstein/First Virtual hyperbole, and
>the fatuous, credulous article by Simson Garfinkel (sorry, Simson, but I
>call 'em as I see 'em), will undermine their credibility for a long time.
>Crying wolf, and all that.
It will undermine their credibility among cypherpunks for a long time, certainly. Maybe even among the net--but among the vast majority of the public? It's possible that as "among the net" grows to include increasingly more of the 'the public', things will change. But at present, I don't think things will have changed yet. The FV propaganda will probably net good results for FV, although not among cypherpunks.

>The FV "discovery" that insecure machines can cause all sorts of problems
>rated at most a brief paragraph in the papers, not the full-page treatment
>Garfinkel and his editors gave it in the "San Jose Mercury News" (and maybe
>other papers that picked it up, or will in the next few weeks).
>
>Newspapers and magazines that run "fluff" pieces, taken almost directly
>from press releases, lose credibility.
>[...]

Most people aren't equipped with the knowledge to tell that this was a 'fluff' piece, not meriting a full page story. In fact, most people rely on newspapers themselves to make these sorts of determinations for them--what topics are seriously important and newsworthy, and what topics aren't. Which is why companies can be so successful when they can use press releases to influence what shows up in the news. Generally, press releases aren't seen by the majority of the public, so they don't realize that a story is taken directly from a press release. Most papers use press releases to write stories--maybe not the NYT, but most local papers. And most people either don't realize it, or don't care.

>>If you want to effect what's in the media, maybe you should learn how to
>>issue press releases.
>
>Nope. I think it a very poor model for getting information out. With all
>due respect to Sameer, who has done many fine things, I gag every time I
>see a press release from Community Connection in which Sameer interviews
>himself.
>

It's a poor model in the sense that it makes us cringe with their tackiness and phoniness, you're right.
But the question is whether it _works_, and I suggest it does. The tacky and phony press releases get just enough editing from journalists to appear to be 'real' articles (although if one practices... I think I can spot the articles in the paper written more or less directly from P.R. with reasonable accuracy. ) The fact that there are lots of people paid a lot to do "public relations" is evidence of this, I think, as this is pretty much what 'public relations' is.

As tacky and phony as press releases are, I'm glad Sameer writes them, because it's the way to get your issues (and often opinions) covered by the press. It's the way you play the system, unless the system changes.

Maybe the system will change because of the Net--I hope so. But, as the net becomes huger and huger, most people will still have to pay others to filter out the good information for them (only the truly diehard can still read most usenet groups--or cypherpunks for that matter.) And odds are, it's newspaper-like organizations we'll be paying (many current newspapers are revisioning themselves in just such a role). And, as you identified in your first post, it's in the interests of both newspapers and commercial interests to continue the P.R. relationship. Whether it's in the interests of the consuming public (or more importantly, I think, the polity--Bernays wasn't talking about what you buy at the supermarket when he discussed the engineering of consent) is more debatable.

From declan+ at CMU.EDU Tue Jan 30 19:39:03 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Wed, 31 Jan 1996 11:39:03 +0800
Subject: [NOISY] Your own Zundelsite in five minutes or less
Message-ID: <4l3frc200YUrMxFuFA@andrew.cmu.edu>

Here's how to open your own Zundelsite mirror archive in five minutes or less.
To open your own partial Zundelsite (without the French text or audio files), first download the 1.3 MB compressed zundelfile from one of the following URLs:

ftp://ftp.cs.cmu.edu/afs/cs/user/declan/ftp/zundelsite.tar.gz
http://joc.mit.edu/mirror/zundelsite.tar.gz
http://web.mit.edu/afs/athena/contrib/bitbucket2/zundel/zundelsite.tar.gz

Compare against this checksum, that I've also placed in: [ftp://ftp.cs.cmu.edu/afs/cs/user/declan/ftp/zundelsite.sum.txt]

MD5 (zundelsite.tar.gz) = 356cdf078f2a155af73a76663e25fe1a

Then decompress the zundelfile, untar it, and register your URL with the Zundelsite Registry at: declan+zundel at andrew.cmu.edu. I'll add your site to my list of mirrors at:

http://www.cs.cmu.edu/afs/cs/user/declan/www/Not_By_Me_Not_My_Views/censorship.html

As of this afternoon, there are Zundelsite mirrors operating at MIT, Stanford University, Carnegie Mellon University, the University of Texas, and the University of Pennsylvania.

-Declan

From futplex at pseudonym.com Tue Jan 30 19:40:37 1996
From: futplex at pseudonym.com (Futplex)
Date: Wed, 31 Jan 1996 11:40:37 +0800
Subject: Java Sniffer (Was: Re: FV Announces That The Sky Is Falling)
In-Reply-To: <9601301545.AA07088@alpha>
Message-ID: <199601310110.UAA26035@opine.cs.umass.edu>

-----BEGIN PGP SIGNED MESSAGE-----

Mike M^cNally writes:
> But if by being used to such windows people understand that they're
> not necessarily to be trusted, I don't see why that'd be an attractive
> way of slipping in a trojan horse.

Well, that "if" is a critical hypothetical. I'm assuming a model in which people perform most of their legitimate network transactions through Java windows. So I think they will be accustomed to typing financial identifiers or whatnot into windows labelled "Untrusted Applet Window". Many will become desensitized to the UAW warning label.

I believe the work on authenticating applet servers to client in terms of signed Java classes, etc. is the most promising long-term approach.
ObNSB: Although I seem to be cast as an opponent of Java adoption in this thread, I'm actually a fan of Java and expect to write some Java code RSN.

Futplex

From jsw at netscape.com Tue Jan 30 19:42:21 1996
From: jsw at netscape.com (Jeff Weinstein)
Date: Wed, 31 Jan 1996 11:42:21 +0800
Subject: No FV supporters?
In-Reply-To: <01BAEF34.AA95ECC0@ploshin.tiac.net>
Message-ID: <310EB8B2.23B@netscape.com>

Pete Loshin wrote:
> Now, clearly there are lots of opinions on FV's system, but
> if people like Sameer and Rich Salz (e.g., who have reputations
> as knowledgeable and aware) are going to trash FV it
> would mean a lot more to many readers if they could state
> more specifically what it is about FV that doesn't work (or that
> doesn't work as well as, say, SSL or CyberCash or Open
> Market's approaches).

I sent a description of an attack against FV based on replacing or hacking winsock to cypherpunks last night. This attack seems to meet Borenstein's criteria of being as automated and implementable on a mass scale as their keyboard snooping attack. So far I have not seen any response from FV.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw at netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
From wb8foz at nrk.com Tue Jan 30 19:49:20 1996
From: wb8foz at nrk.com (David Lesher)
Date: Wed, 31 Jan 1996 11:49:20 +0800
Subject: Escrowing Viewing and Reading Habits with the Governmen
In-Reply-To: <9601291905.AA20307@toad.com>
Message-ID: <199601292004.PAA04006@nrk.com>

> Do you really think the FBI believes that asking librarians to keep
> records of customer usage is an efficient way to read the customers minds?
> Do you really think that the FBI foreign counter-intelligence squad has
> nothing better to do than keep a database of who is reading Che Guevara
> memoirs?
>
> Yes.
>
> Heck, I remember this was a big issue about 15 years ago. Try asking
> someone who was active in library science in the late 70's, early 80's.
>
> The general reaction of the library community was, I am glad to say,
> entirely pro-privacy.

Ask Sean at dra.com. The s/w industry even designs library systems so as to purge data the Feebs might want. That that does not exist can not be surrendered.

And this is not a cost-free choice to them. There is & will be a percentage of book vandals. If your circulation system could tell you: Who checked out X, Y, Z & T? You might catch the creeps.

But they prefer buying new books to the alternative....

--
A host is a host from coast to coast.................wb8foz at nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433

From futplex at pseudonym.com Tue Jan 30 19:49:31 1996
From: futplex at pseudonym.com (Futplex)
Date: Wed, 31 Jan 1996 11:49:31 +0800
Subject: Lotus Notes
In-Reply-To: <199601300743.XAA03525@netcom6.netcom.com>
Message-ID: <199601310113.UAA23562@opine.cs.umass.edu>

Bill Frantz writes:
> One other small advantage I can see to using Lotus's crippled encryption.
> It disguises the fact that a message is actually (double) encrypted with
> PGP.
Attackers have to break the 40 bits before they see the PGP encrypted
> data.

I don't understand. Are you saying that there's a special benefit to doing superencryption (GAK encryption over non-GAK encryption) when the GAK layer is Lotus Notes ?

Futplex

From declan+ at CMU.EDU Tue Jan 30 19:51:15 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Wed, 31 Jan 1996 11:51:15 +0800
Subject: [NOISE] Re: "German service cuts Net access" (to Santa Cruz)
In-Reply-To:
Message-ID: <0l3MAC200bkp0gQAg0@andrew.cmu.edu>

Excerpts from internet.cypherpunks: 29-Jan-96 [NOISE] Re: "German service.. by Rich Graves at networking.s
> There was a lively debate in feminist/legal circles a while back about
> introducing "the reasonable woman standard," "the reasonable gay man
> standard," etc. into the legal currency. The movement intended to make
> "date rape" and sexual harassment easier to prosecute. I didn't keep up
> with it, but I'm sure the relevant papers are still being cited. I doubt
> and hope that no court ever took the argument seriously.

I vaguely remember one district court upholding the "reasonable woman" standard around four years ago, but that braindead idea was abandoned in subsequent decisions.

For more info on what happens when the "reasonable woman" standard is applied in higher education (particularly regarding online speech), check out: http://joc.mit.edu/

-Declan

From baum at apple.com Tue Jan 30 19:51:54 1996
From: baum at apple.com (Allen J. Baum)
Date: Wed, 31 Jan 1996 11:51:54 +0800
Subject: Random number generator question (& Las Vegas)
Message-ID:

>>fair at clock.org ("Erik E. Fair" (Time Keeper)) writes:
>>>does anyone know what sorts of random number generators those
>>>electronic games use, and how (if at all) they are measured and regulated
>>>by the Nevada Gaming Commission? They might have something to teach us.
>>Several people who work in the industry said that electronic machines
>>use some sort of PRNG, but with a nice added bit of random input - the
>>player's timing of hitting the buttons. One poster described it as the
>>machine constantly generating numbers, and choosing the payoff based
>>on the last number generated when the user hit a button.

According to a friend who started a company that is going to sell gambling machines to Las Vegas:

The Nevada Gaming Commission closely regulates the RNGs. They use Chi squared tests and others to verify the randomness. They are not perfect.

Today's slot machines use a Pseudo RNG that requires a seed number to make sure it doesn't short cycle. They use some time based player input like coin in or handle pulls to pick a number. You must discard lots of numbers or it would be too easy to sync up and predict the answer. (basically confirming the above)

Nothing is totally immune to tampering. The gaming commission tries to make sure the machines are reasonably secure.

**************************************************
* Allen J. Baum              tel. (408)974-3385  *
* Apple Computer, MS/305-3B  fax (408)974-0907   *
* 1 Infinite Loop                                *
* Cupertino, CA 95014        baum at apple.com   *
**************************************************

From Charlie_Kaufman/Iris.IRIS at iris.com Tue Jan 30 20:03:53 1996
From: Charlie_Kaufman/Iris.IRIS at iris.com (Charlie_Kaufman/Iris.IRIS at iris.com)
Date: Wed, 31 Jan 1996 12:03:53 +0800
Subject: Lotus Notes
Message-ID: <9601300458.AA2251@moe.iris.com>

I've been on the road since the RSA conference where the Notes crypto hack was announced. Sorry to have missed the fun. To answer at least some of the speculation on "how does it work", attached is a "Lotus Backgrounder" document that was distributed at the RSA conference. Some of the speculation in this group has had uncanny accuracy.

I'd also like to defend the Notes R4 approach.
I hate export controls more than most people, in part because I waste a lot of my time trying to figure out how best to deal with them. While I think Notes is doing the right thing given the current constraints, I can't help but be appalled by the current constraints.

I don't believe 40-bit crypto is a joke. Even if it costs NSA $.25 to break a 40-bit RC4 key, and I'd speculate it costs them more than that, it means they can't afford to do keyword searches on every encrypted message they can afford to intercept (or at least they couldn't if everyone took the trouble to encrypt). And with a separate 40 bit key on each of your mail messages, an attacker may be able to break a few if he knows they are the good ones, but it's painful to browse. That said, I would not expect anyone to get much comfort from 40 bit crypto.

The Notes R4 approach gives the best of two fairly unpleasant worlds. You can export crypto if you either limit yourself to 40 bits (which means anyone can see it if they want it badly enough) or give the government the keys (through escrow - which means the government and anyone else who can "break" the escrow mechanism can see your stuff with no work at all). Notes R4 gives the government part of the key, so they still have some work to do and other attackers have a lot of work to do. This is not a good solution. It's not even an acceptable solution. But it is a better solution than 40 bit crypto. And it's enough better that I think it was worth the hassle it took to get it.

Notes R4 didn't give up anything to get this. It is expensive to have the technical complexity of two different interoperable versions of the product, and we could have said... gee, this is really good enough for everybody... why don't we just sell the "International Edition" everywhere? We didn't. The "North American Edition" (euphemistically named to reflect that it's also legal in Canada) still uses real strong crypto.
The only valid criticism I've heard of the approach is by making the best of a bad situation, we've reduced the incentive for fundamental reform. That may be true, but once an approach is known (and we aren't the only ones to have thought of it - Adi Shamir's Partial Key Escrow proposal has similar properties), declining to use it does not fuel the pleas for legislative relief. In fact, it supports the argument that people don't even implement the strongest crypto they are allowed... why should they be allowed more?

I think it is incumbent on all of us to do the best we can, for the brave to break the law and risk going to jail, for the wimpy to squeeze every last bit out of the allowed options, and for everyone to mouth off in risk-free forums like this one

From shamrock at netcom.com Tue Jan 30 20:09:14 1996
From: shamrock at netcom.com (Lucky Green)
Date: Wed, 31 Jan 1996 12:09:14 +0800
Subject: KOH "Helpful" Crypto Virus
Message-ID:

At 13:20 1/30/96, Laszlo Vecsey wrote:
>I'm looking for more information on the KOH Virus, a 'helpful' virus which
>kindly asks to infect your system and encrypt all of your data. It spreads
>to floppies (upon request) and to other systems, encrypting all files.
[...]
>Please point me towards the source/binary, or further information.

You can get the binary, full source, and manual on disk for $32 plus $3 for S&H from

American Eagle Publications
POB 1507
Show Low, AZ 85901
(800) 719-4957
(520) 367-1621

While you are at it, you might also want to pick up their famous collection CD-ROM full of virus code, live viruses, virus creation engines, etc. From their catalog:

"For starters, you get a fantastic virus collection consisting of 574 families [...] about 3700 carefully tested and cataloged viruses in all...$99 + $5 S&H.

A must have :-)

-- Lucky Green PGP encrypted mail preferred.
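Charlie Kaufman's Lotus Notes message above describes giving the government part of the key, so that it still has some work to do while other attackers have a lot. The following Python model is an added example, not part of any post in this archive and not Lotus code: the key sizes (18 bits, 8 of them disclosed), the SHA-256 toy cipher, the escrow masking and every name in it are assumptions, chosen so that both key searches can actually be run and their costs compared.

```python
"""Toy model of partial key escrow ("work-factor reduction").

Constructed example: the key sizes are scaled down so both searches finish
in about a second, and the cipher and escrow wrapping are stand-ins.
"""
import hashlib

KEY_BITS = 18       # assumed toy size of the whole session key
ESCROW_BITS = 8     # assumed toy number of key bits disclosed to the escrow agent
LOW_BITS = KEY_BITS - ESCROW_BITS
KNOWN_PREFIX = b"From: "   # guessable plaintext used to recognise the right key


def keystream(key: int, length: int) -> bytes:
    """SHA-256 in counter mode keyed by the session key (toy stream cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = key.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: int, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR the data with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def escrow_pad(escrow_secret: bytes, nonce: bytes) -> int:
    """Per-message mask that only the escrow agent can compute.

    Stand-in for encrypting the disclosed bits under the agent's public key.
    """
    digest = hashlib.sha256(escrow_secret + nonce).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << ESCROW_BITS) - 1)


def seal(message: bytes, key: int, escrow_secret: bytes, nonce: bytes) -> dict:
    """Build the wire packet: ciphertext plus the masked top key bits."""
    top = key >> LOW_BITS
    return {
        "nonce": nonce,
        "escrow_field": top ^ escrow_pad(escrow_secret, nonce),
        "ciphertext": xor_crypt(key, message),
    }


def search(ciphertext: bytes, candidates):
    """Try keys in order; return (key, trials) for the first plausible one."""
    head = ciphertext[:len(KNOWN_PREFIX)]
    trials = 0
    for key in candidates:
        trials += 1
        if xor_crypt(key, head) == KNOWN_PREFIX:
            return key, trials
    return None, trials


def escrow_agent_search(packet: dict, escrow_secret: bytes):
    """The agent unmasks the top bits, then searches only the low bits."""
    top = packet["escrow_field"] ^ escrow_pad(escrow_secret, packet["nonce"])
    candidates = ((top << LOW_BITS) | low for low in range(1 << LOW_BITS))
    return search(packet["ciphertext"], candidates)


def outsider_search(packet: dict):
    """Anyone without the escrow secret has to search the whole key space."""
    return search(packet["ciphertext"], range(1 << KEY_BITS))


def demo(key: int = 0x2ABCD) -> dict:
    """Seal one constructed message and compare the two search costs."""
    escrow_secret = b"constructed escrow-agent secret"
    packet = seal(b"From: alice\n\nconstructed sample message", key,
                  escrow_secret, nonce=b"msg-0001")
    agent_key, agent_trials = escrow_agent_search(packet, escrow_secret)
    outsider_key, outsider_trials = outsider_search(packet)
    return {
        "agent_key": agent_key, "agent_trials": agent_trials,
        "outsider_key": outsider_key, "outsider_trials": outsider_trials,
        "agent_worst_case": 1 << LOW_BITS,
        "outsider_worst_case": 1 << KEY_BITS,
        "plaintext": xor_crypt(agent_key, packet["ciphertext"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Each disclosed bit halves the escrow holder's search while leaving everyone else's unchanged, so the gap between the two parties is a factor of 2 to the power of the number of disclosed bits.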
From wilcoxb at nag.cs.colorado.edu Tue Jan 30 20:09:44 1996
From: wilcoxb at nag.cs.colorado.edu (Bryce)
Date: Wed, 31 Jan 1996 12:09:44 +0800
Subject: I gave FV the idea for the keyboard sniffer
In-Reply-To:
Message-ID: <199601310135.SAA28397@nag.cs.colorado.edu>

-----BEGIN PGP SIGNED MESSAGE-----

An entity claiming to be Nathaniel Borenstein is alleged to have written:
>
> I have not yet heard anything that makes me think that my
> claim is untrue. We have revealed the first known strategy
> for an Internet-based large-scale automated attack on the
> credit card system. I think that's a real threat.

I know that you are being swamped by hate mail from cypherpunks, so I'll try to keep my comments brief.

First, I commend you for forging ahead with research and business as you see fit, despite the regular barrages of venomous condemnation that you are subjected to. "I think that's a real threat", too. I believe that you have valuable insights into Internet commerce security which the typical cypherpunk lacks, and I'm glad that you are "getting the word out" both to the cpunks and to larger communities.

(Having said that, and having decided to Cc: this message to cpunks and e$, I shall elaborate:)

The ideas that you espouse that the typical cpunk lacks fall into two broad categories which have something in common. First, the overwhelming importance of user interface and dealing with technically clueless users. Second, the importance of evaluating risks from a cost/benefit perspective, and trusting in a system once it is "secure enough".

What these ideas have in common is simply that they are *practical*. And that's important. If First Virtual uses simple techniques which are crackable, but so unprofitable to crack that no-one will ever do so, and if First Virtual uses this technique and allows everyday users to do transactions over the Internet, then that is a net.commerce success story. Furthermore, it's a *cryptographic* success story.
Much more so than "CYpherPunk Agent X" who writes a black-market implementation of Chaumian electronic cash which no-one will ever use. He has accomplished little more than entertaining and educating himself.

This is the cypherpunk fallacy which is enshrined in the Manifesto when it says "code can never be destroyed". Yes it can. Or it can be ignored which has the same effect. The important thing is when code and users meet.

(Of course, I still think First Virtual is marketing an ugly klooge that doesn't stand a chance against better technologies in the next couple of years, but I digress...)

But despite all of the above, Nathaniel, I must protest your claim to have "revealed" the "first known strategy". That strategy has been common knowledge since probably before you were born. In fact just a couple of weeks ago *I* posted articles to cypherpunks and the "ecash" list saying that I thought the most viable attack on DigiCash Ecash would be a virus/Trojan horse which attacked the computer on the user's end. Did you read these articles of mine? Is it possible that that is where you got the idea for your experiment?

As an aside you recently said that you didn't see any reason to PGP-sign list traffic. Here is a good example of its usefulness: I can prove that I authored the aforementioned messages, and when. (Also it has already been more or less proven to people who use PGP on their cpunks traffic that the author of the aforementioned messages was also the author of hundreds of other messages including this one both in cpunks and in other forums over the last six months.)

Now I didn't mention in my articles that such an attack would be as viable (more so, actually) against a credit card scheme as it would against Ecash, for two reasons 1: It was already common knowledge, and 2: I consider credit card schemes to be hopeless anachronisms that will soon be eliminated in the evolutionary race of modern currency.
Anyway, keep up the good work, and consider the merits of being a little more circumspect in your press releases.

Regards,

Bryce

P.S. Okay I admit that the Subject: line was a little bit inflammatory. If I had named my message "Re: FV demonstrates fatal flaw" then nobody would have read it...

"Toys, Tools and Technologies" the Niche
New Signal Consulting -- C++, Java, HTML, Ecash
Bryce

PGP sig follows

From shamrock at netcom.com Tue Jan 30 20:19:29 1996
From: shamrock at netcom.com (Lucky Green)
Date: Wed, 31 Jan 1996 12:19:29 +0800
Subject: Lotus Notes
Message-ID:

At 19:19 1/30/96, Rich Salz wrote:
>>I find this very interesting. RSA prohibits its licensees from using RSA
>>software with truly secure keylengths.
>
>Hunh? I could find no mention of keylength or keysize in the RSAREF
>documents I had around. I'm at home now, but I also recall no mention
>of keysize or keylength in the license OSF has, either.

So from who did Lotus license RC4?

-- Lucky Green PGP encrypted mail preferred.

From paul at mycroft.actrix.gen.nz Tue Jan 30 20:22:49 1996
From: paul at mycroft.actrix.gen.nz (Paul Foley)
Date: Wed, 31 Jan 1996 12:22:49 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit
In-Reply-To: <8l3TrJ2Mc50eAWY4IF@nsb.fv.com>
Message-ID: <199601310100.OAA00804@mycroft.actrix.gen.nz>

Nathaniel Borenstein said:
>
> > I don't believe you. Name six.
>
> Sure thing, always glad to clarify my claims.
>
> 1. (my current favorite) post it to MSN. There, Microsoft has made
> getting infected with a Trojan Horse as easy as clicking on an icon
> embedded in a mail or news message.
> (You want to try convincing the
> average consumer that it isn't safe, if Microsoft makes it that easy?)
>
> 2. Get the sources to a public domain image viewer. Change them
> slightly. Claim that you've improved it by 13.7%. Post your improved
> (and infected) image viewer to the net.

Trojan horse. This is the same as #1.

> 3. Ditto for an audio viewer, a mail reader, a news reader,....
> (zillions right there alone)

Zillions of trojan horses...all the same. I guess you can call the source credit.asm, sniffer.c, capture.bas or any number of other names, too...geez, there's another few zillion.

> 4. Imitate the IBM Christmas exec. Break into someone's site and steal
> their mail aliases file. Now send mail to everyone on their alias list,
> pretending to be them, offering them a cute animation program they can
> install. The animation will happen, but it will also send mail to all
> THEIR aliases (like the Christmas exec) and (unlike that) install our
> malicious snooping software.

Another trojan horse.

> 5. Write a genuinely useful program (or a game) of your own, but embed
> your attack in it. (Caution: Being the real author will increase your
> traceability.)

Another trojan horse.

> 6. Write a pornographic screen saver. Not only will zillions of people
> download it, but they will EXPECT the code to watch keystrokes.

Another trojan horse.

> 7. [*maybe*] Spread it by Java applet. This is a maybe because the
> level of Java security seems to be browser-discretionary. Even a
> relatively conservative let-the-user-choose approach like Netscape's,
> however, can be defeated with a little social engineering, as in "this
> is a really cool Java applet to do XYZ, but you'll have to set
> Netscape's Java security level to minimum to run it....."

"...and type your CC# into a box that advertises itself as an 'insecure foreign applet'" or some such thing.

Far as I can tell you can't hook the keyboard this way, just ask people to give you the number.
And then you can only send it back to wherever the applet came from.

> 8. Internet-based breakin/installations, e.g. to NT or anything else
> that runs incoming services.
>
> 9. Traditional virus techniques.
>
> Oh, you only asked for 6, sorry..... Feel free to ignore a few.

I count 4.

--
Paul Foley Email:

From tcmay at got.net Tue Jan 30 20:45:16 1996
From: tcmay at got.net (Timothy C. May)
Date: Wed, 31 Jan 1996 12:45:16 +0800
Subject: The FV Problem = A Press Problem
Message-ID:

Jonathan has written a very nice essay, most of which I agree with fully. However, there is one item that I have a different angle on:

At 12:41 AM 1/31/96, Jonathan Rochkind wrote:

>It will undermine their credibility among cypherpunks for a long time,
>certainly. Maybe even among the net--but among the vast majority of the
>public? It's possible that as "among the net" grows to include
>increasingly more of the 'the public', things will change. But at
>present, I don't think things will have changed yet. The FV propaganda
>will probably net good results for FV, although not among cypherpunks.
....
>Most people aren't equipped with the knowledge to tell that this was a
>'fluff' piece, not meriting a full page story. In fact, most people rely
>on newspapers themselves to make these sorts of determinations for
>them--what topics are seriously important and newsworthy, and what topics
>aren't. Which is why companies can be so successful when they can use press
>releases to influence what shows up in the news. Generally, press
>releases aren't seen by the majority of the public, so they don't realize
>that a story is taken directly from a press release. Most papers use
>press releases to write stories--maybe not the NYT, but most local papers.
>And most people either don't realize it, or don't care.

Here's my different angle on this: I'm not so sure there even _is_ a "public" on stories like this.
Certainly my brother won't read about this, nor my sister, nor my parents, nor most of my neighbors. As with political stories that are read mostly by people interested in politics, I'm sure that most potential readers of the "First Virtual" story either skipped right past it or skimmed it lightly. No doubt the FUD of this story, and the FUD of earlier stories about Internet weaknesses, random number attacks, etc., left a vague feeling in these casual readers that all is not right with Internet commerce.

But, having said this, I wouldn't underestimate the effects of a group such as ours losing respect for First Virtual, Nathaniel Borenstein, and Simson Garfinkel, to the extent we have. We'll be the sorts who keep the story going, who talk to other journalists, and who make decisions for our companies on what products and strategies to use.

The "public" has probably already forgotten the story; we have not.

--Tim

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From roy at sendai.cybrspc.mn.org Tue Jan 30 20:53:28 1996
From: roy at sendai.cybrspc.mn.org (Roy M. Silvernail)
Date: Wed, 31 Jan 1996 12:53:28 +0800
Subject: On the value of signatures (was: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit)
In-Reply-To:
Message-ID: <960130.060958.4c1.rnr.w165w@sendai.cybrspc.mn.org>

-----BEGIN PGP SIGNED MESSAGE-----

In list.cypherpunks, nsb at nsb.fv.com writes:

> I use PGP about 20 times per day. I use it in a manner that is
> *meaningful*.
> Unless we have in some way or another verified each
> others' keys, it is meaningless for me to sign a message to you.
> Putting a PGP signature on a message to someone who has no way of
> verifying your keys is a nice political statement, but is utterly
> meaningless in terms of adding any proof of the sender's identity. --

You are incorrect. Keys can always be obtained, and signatures can be verified at any time. But an unsigned message can _never_ be verified as to its origin.

You may not have my key, but I still sign this message (as I have signed all my net traffic for over 3 years). I do this to protect the reputation capital I've built up.

> PS -- On the off chance that anyone really doubts this is me, I will
> shortly send cypherpunks a message that has my own voice AND a PGP
> signature thereupon. That way, you can check my identity if you either
> recognize my voice OR have verified my fingerprint. Sheesh. -- NB

Sheesh, yourself, Nathaniel (if that _is_ your True Name). You're showing a real attitude here, as though your reputation alone should be enough to convince us of your messages' validity. A malicious attacker would be likely to bluster this way to deflect discovery of hir ruse.

We're all nyms on the net. And yours wears no armor.

- -- Roy M. Silvernail -- roy at cybrspc.mn.org will do just fine, thanks.
"Does that not fit in with your plans?" -- Mr Wiggen, of Ironside and Malone (Monty Python)
PGP public key available upon request (send yours)

From adam at lighthouse.homeport.org Tue Jan 30 20:58:46 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Wed, 31 Jan 1996 12:58:46 +0800
Subject: FV's Borenstein discovers keystroke capture programs!
(pictures at 11!)
In-Reply-To:
Message-ID: <199601301548.KAA07271@homeport.org>

Nathaniel Borenstein wrote:

| > But I just can't believe that he thinks that
| the telephone is more secure on average than a keyboard.
|
| We have a few pages of C code that scan everything you type on a
| keyboard, and selects only the credit card numbers. How easy is that to
| do with credit card numbers spoken over a telephone?

I don't speak my credit card number into the FV line, I DTMF it. What's more, I do so after the interactive voice system says the words 'credit card.' In fact, a group of people may have been running a tap & scan on FV's line for a long time now, using each number they steal once.

Credit cards are crappy financial instruments, made useful mainly by the government's limitations of liability rules. Why defend them?

FV's attack is pretty bogus, but no more bogus, and possibly less, than the Power One Time Pads. We're going to see a lot of smoke and mirrors in the next few years regarding security.

Anyone have anything to say about RC2? Someone must have written a main() for it?

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From nsb at nsb.fv.com Tue Jan 30 21:02:31 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Wed, 31 Jan 1996 13:02:31 +0800
Subject: Authentication of crypto clients
In-Reply-To: <199601300532.AAA05850@homeport.org>
Message-ID:

Excerpts from mail: 30-Jan-96 Re: Authentication of crypt.. Adam Shostack at homeport.o (4311*)

> A crypto provider can't protect itself from requests to do
> things. What it might be able to do is find out what program is in
> that memory space and tell the user "FV keyboard scanner would like to
> run IDEA on 128 bytes of data. Allow?"

> There are flaws in this 'who's that knocking on my door?' approach....

Yeah, the flaws are pretty bad. We tried this approach in "active mail" systems back in the early-to-mid-1980's.
The user was asked to assess his trust level for the email-received code that was trying to run. The problem we found was that even relatively sophisticated users were very quick to be fooled into believing that the "From" address was legitimate. Similarly, I suspect that if I named my keyboard scanner "Windows 95", most people would probably be fooled, and the fact that your API asked the question would only make the user feel MORE secure about saying "yes".....
--------
Nathaniel Borenstein
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com

From anonymous-remailer at shell.portal.com Tue Jan 30 21:26:48 1996
From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com)
Date: Wed, 31 Jan 1996 13:26:48 +0800
Subject: Kill this message too (FV NOISE NOISE NOISE)
Message-ID: <199601310439.UAA10063@jobe.shell.portal.com>

The size of my killfile has increased dramatically in the last couple of days. Can we start talking about something crypto related?

--MegaBozo

From alanh at infi.net Tue Jan 30 21:38:23 1996
From: alanh at infi.net (Alan Horowitz)
Date: Wed, 31 Jan 1996 13:38:23 +0800
Subject: NRO Slush Fund
In-Reply-To: <9601301925.AA04344@argosy.MasPar.COM>
Message-ID:

> Sad to think that the undersecretary for defense who used to have
> oversight of the NRO.......

As we say in the trenches, "Fuck up and move up". It's a corollary to, "No good deed goes unpunished"

From jirib at sweeney.cs.monash.edu.au Tue Jan 30 21:56:46 1996
From: jirib at sweeney.cs.monash.edu.au (Jiri Baum)
Date: Wed, 31 Jan 1996 13:56:46 +0800
Subject: FV's Borenstein discovers keystroke capture programs! (pictures at 11!)
[NOISE]
In-Reply-To: <199601301216.UAA00325@ratbox.rattus.uwa.edu.au>
Message-ID: <199601310534.QAA12672@sweeney.cs.monash.edu.au>

-----BEGIN PGP SIGNED MESSAGE-----

Hello dmacfarlane at zip.sbi.com (David Macfarlane), cypherpunks at toad.com and packrat at tartarus.uwa.edu.au (ie Bruce Murphy )

BM wrote:
> In message <9601292041.AA14422 at zip_master2.sbi.com>,
> David Macfarlane wrote:
...
> If secure input is needed then it shouldn't be too much of a
> problem. I doubt the program would recognize either of INTERCAL input
> or output (as a random example)
...

Original INTERCAL had numbers spelled out in English as input, and output in butchered roman numerals. I guess you can get people to do the input (four or eight digits at a time only), but I don't think the roman numerals are going to cut it, somehow... and anyway it's not that much more secure.

C-INTERCAL is less anglo-centric, allowing numbers to be input in eight languages (eight = ashtan = zortzi = walo = chicue = rva = malhgwenalh = j"ol). But do you really think people will be willing to spell their credit-card number in classical Nahuatl for the sake of security (the *bank's* security)?

If you mean INTERCAL as a programming language, then I guess you can use the C-INTERCAL binary I/O (character deltas, output reverse), but then it's no different to any other programming language (except nobody bothered to implement file and network I/O for it yet so you'd have to invent it yourself).

...
> > And before pm. says it, this has very little to do with
> > cryptography.
>
> Or trees.

Well, how about security through INTERCAL? Would anyone be able to figure out what an INTERCAL encryption program is doing?

What does the following fragment do?

PLEASE DON'T GIVE UP
DO .3 <- !3~#15'$!3~#240'
DO .3 <- !3~#15'$!3~#240'
DO .2 <- !3~#15'$!3~#240'

(Hint: it's from the "cat" program, ie copy stdin to stdout verbatim.)

Anyone have a bignum library in the said language?
For the person who was worried about his Linux box, perhaps the virus runs under WINE? (And you *know* how dangerous these viruses can get when they are drunk :-)

I think I'll put [NOISE] into the subject line...

Jiri
- --
If you want an answer, please mail to . On sweeney, I may delete without reading!
PGP 463A14D5 (but it's at home so it'll take a day or two)
PGP EF0607F9 (but it's at uni so don't rely on it too much)

From hroller at c2.org Tue Jan 30 22:33:26 1996
From: hroller at c2.org (Hroller Anonymous Remailer)
Date: Wed, 31 Jan 1996 14:33:26 +0800
Subject: No Subject
Message-ID: <199601310616.WAA04463@infinity.c2.org>

Farce Virtual has discovered that some persons using the Internet are not using the names they were born with. We made this discovery in the wake of criticism of our discovery of keyboard sniffing programs, a major discovery we were able to get several reporters to write about.

We consider our latest discovery to signal the imminent death of Usenet as we know it. We are taking the unusual step of announcing our discovery to the world, and in a simultaneous series of articles in major newspapers, to alert the world to our discovery.

Farce Virtual provides the only reliable solution to this problem. We do not use encryption, because many of our customers say it is too hard to understand. Instead, we rely on the oldest method in the book: fear, uncertainty, and doubt. We have invented a new term for this: FUD.

``Using the FUD Factor line of products, our customers are protected from those who are not using the names that God gave them,'' said Nathaniel Boringsternlight, Farce Virtual's chief publicist.
Asked about women on the Net who are using their married names, Mr. Boringsternlight added, ``It was to deal with married women that I invented Safe-Tickle.'' No further explanation of this comment was offered.

There's simply no other way to keep your sanity safe on the net. The program we have demonstrated completely undermines the sanity of all known users of the Internet.
--------
Nathaniel Boringsternlight
Chief Publicist, Farce Virtual Holdings
FAQ & PGP key: nsb+faq at fvh.fud

From frantz at netcom.com Tue Jan 30 23:20:19 1996
From: frantz at netcom.com (Bill Frantz)
Date: Wed, 31 Jan 1996 15:20:19 +0800
Subject: Lotus Notes
Message-ID: <199601310705.XAA09848@netcom6.netcom.com>

At 8:13 PM 1/30/96 -0500, Futplex wrote:
>Bill Frantz writes:
>> One other small advantage I can see to using Lotus's crippled encryption.
>> It disguises the fact that a message is actually (double) encrypted with
>> PGP. Attackers have to break the 40 bits before they see the PGP encrypted
>> data.
>
>I don't understand. Are you saying that there's a special benefit to doing
>superencryption (GAK encryption over non-GAK encryption) when the GAK layer
>is Lotus Notes ?

Tim May had it exactly right in his post entitled "Silver Linings and Monkey Wrenches" (thanks Tim). The only thing I can add is that forcing them to attack a 40 bit key is better than giving them the whole key thru some LEAF scheme ala Clipper. As long as you can cut and paste, PGP (at least the Mac version) is hard to lock out and minimally usable.

Bill

From llurch at networking.stanford.edu Tue Jan 30 23:25:58 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Wed, 31 Jan 1996 15:25:58 +0800
Subject: [NOISY] Your own Zundelsite in five minutes or less
In-Reply-To:
Message-ID:

On Tue, 30 Jan 1996, Lucky Green wrote:

> At 19:55 1/30/96, Declan B.
> McCullagh wrote:
>
> >As of this afternoon, there are Zundelsite mirrors operating at MIT,
> >Stanford University, Carnegie Mellon University, the University of
> >Texas, and the University of Pennsylvania.
>
> I am really interested what the German government is going to do next.
> Force their universities to dismount AFS?

No. They seem to be trying to pretend that the mirror sites don't exist. They did recently get the universities that weren't served by DT to block webcom.com.

> How can we best get the fact the their censorship efforts have hit *the
> wall* to their attention? Any Germans on this list that can file a
> complaint against the sites with the German authorities? What about
> contacting German Telekom?

This has all been done. First Declan sent an open letter to DT, then a half dozen white supremacist groups sent similar "demands." I think it's reasonable to wait a day for their response. At the moment, there is effectively no censorship.

> We won't have won until they restore the routes to Webcom.

Here I have trouble with the word "we," and what we're trying to accomplish.

Censorship has clearly lost. Germany is simply not going to block stanford.edu, cmu.edu, mit.edu, upenn.edu, aol.com, and so on, not to mention AFS.

I do not believe that the battle to get people to read and care about Zundel himself is ours. I'm happy to wait a day or two for the routes to webcom.com to be restored. If after two days they haven't been, then it's time to press again.

I do not want to allow the Nazis to associate themselves with "us." Please see article for a little on what they're trying to claim credit for. Note they are calling for mirror sites nearly three days after they popped up, with no involvement on their part whatsoever.

I ain't no part of no Aryan Vanguard.

I say proclaim victory now.
-rich

From shamrock at netcom.com Tue Jan 30 23:37:23 1996
From: shamrock at netcom.com (Lucky Green)
Date: Wed, 31 Jan 1996 15:37:23 +0800
Subject: [NOISY] Your own Zundelsite in five minutes or less
Message-ID:

At 23:07 1/30/96, Rich Graves wrote:
[...]
>> We won't have won until they restore the routes to Webcom.
>
>Here I have trouble with the word "we," and what we're trying to
>accomplish.
>
>Censorship has clearly lost. Germany is simply not going to block
>stanford.edu, cmu.edu, mit.edu, upenn.edu, aol.com, and so on, not to
>mention AFS.

But they succeeded in blocking Webcom. Until the block is removed, we haven't won. Do 'we' agree that the block should be removed?

>I do not believe that the battle to get people to read and care about
>Zundel himself is ours.

Amen. I just wished that the people whose names mark some of the milestones in the fights for our rights (i.e, Miranda, as in Miranda Rights) were people whose causes I can support. Having seen concentration camps, I can not possibly sympathize with Mr. Zündel's views. But he still has a right to free speech. If he loses it, we lose it. It all comes down to this:

First they came for the Communists, and I didn't speak up, because I wasn't a Communist.
Then they came for the Jews, and I didn't speak up, because I wasn't a Jew.
Then they came for the Catholics, and I didn't speak up, because I was a Protestant.
Then they came for me, and by that time there was no one left to speak up for me.

by Rev. Martin Niemoller, 1945.

[...]
>I do not want to allow the Nazis to associate themselves with "us."
>Please see article for a little on what
>they're trying to claim credit for. Note they are calling for mirror
>sites nearly three days after they popped up, with no involvement on
>their part whatsoever.

I can imagine what they wrote. "The world is supporting our cause...." No, I do not support their cause. I despise their cause. And I still support their rights.

-- Lucky Green PGP encrypted mail preferred.
From lyalc at ozemail.com.au Wed Jan 31 00:39:56 1996
From: lyalc at ozemail.com.au (lyal collins)
Date: Wed, 31 Jan 1996 16:39:56 +0800
Subject: Java Sniffer (Was: Re: FV Announces That The Sky Is Falling)
Message-ID: <199601300631.RAA28225@oznet02.ozemail.com.au>

>Much more likely, IMHO, than a Java sniffer is a Java Trojan horse that pops
>up an innocuous dialog box and asks you to enter some sensitive piece of
>information, then sends it off somewhere. About all it takes to write that is
>a modicum of skill in user interface design. You could write it in any
>programming language, but in Java it may be particularly effective, since
>people may come to expect to be prompted for sensitive info over the net by
>Java apps. Maybe the Java folks who just left Sun decided to seize the
>opportunity ;>
>
>Futplex
>

A very realistic scenario - any comments or reasons it can't happen ??

second question: How can you be sure you receive the applet that you "think" you've requested ?

Any illuminating comments to assist my awareness of java ?

lyal

From andreas at horten.artcom.de Wed Jan 31 00:42:18 1996
From: andreas at horten.artcom.de (Andreas Bogk)
Date: Wed, 31 Jan 1996 16:42:18 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

>>>>> "Nathaniel" == Nathaniel Borenstein writes:

First, pray tell, what prevents me from writing a virus that patches, say, Eudora and Netscape, so they automatically reply to all FV-mails?

Or, to quote your security FAQ:

>To defeat this mechanism requires someone to steal a First Virtual
>account identifier;

... which is plainly and unencrypted visible in the E-Mails ...

>to identify the corresponding email address (which
>is not public knowledge, cannot be determined from the account
>identifier, and will not be released by First Virtual);

... which is in the header of said E-Mail ...

>to know or guess the account password;

...
which is quite impossible unless you have your own FV shop, monitor IP traffic or a *malicious program on the user's computer* ... >to intercept all incoming messages to that email address; ... which said malicious program is of course completely unable to do ... >and, of course, to know what First Virtual is and understand what our >messages are about and how to respond to them. Wow! I didn't think of that! And while I'm at it, it doesn't take much to be more secure than credit card payments. You shouldn't be too proud of that. And it shouldn't take an experienced programmer one whole week to write a keyboard sniffer. But I think it's not too pessimistic to say that _any_ software-based payment scheme can be hacked using malicious programs. Nathaniel> world today. Once it detects a credit card number, a Nathaniel> criminal program could use any of several techniques to Nathaniel> send that number to the original criminal without Nathaniel> providing any way to trace the criminal's receipt of Nathaniel> it. (If you're skeptical about this claim, we'd prefer Nathaniel> to talk with you privately, as we've never seen the Nathaniel> "best" methods for doing this spelled out in public, Nathaniel> and we would prefer to keep it that way.) Oh, wow, it's your secret. I would post a message containing the credit card number encrypted with a public key cipher to alt.foo.bar. Or to the IRC. And it's not too difficult to hack university computers, so I could even receive mail there without being traceable. Not to speak of remailer chains. Any other ideas? 
Andreas -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAgUBMQ2Zy0yjTSyISdw9AQEkHwP9HeYucy86Wdre4OuaYAa50YcNZ6LPrJJz GrvDC5t4LRprAqggtYMRBS7NlJ2+rVV58+6R4WXn66wCLcjpAXq0s5FMxKDoxe9Y JyKcevK7O9iFLIGzERZkz2RXLmk2PBlUsi8hzS+WsPBe0QfIK1bFW2gEum2eKjlm bzmq6iI8dx0= =5NT1 -----END PGP SIGNATURE----- From llurch at networking.stanford.edu Wed Jan 31 00:45:39 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 31 Jan 1996 16:45:39 +0800 Subject: Opinion piece in NYT; responses needed In-Reply-To: Message-ID: On 30 Jan 1996, Andreas Bogk wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > >>>>> "Mutatis" == Mutatis Mutantdis writes: > > Mutatis> It's a decentered network (or set of networks) designed > Mutatis> to get information to its addressee. Data flows through > Mutatis> several nodes and networks until it reaches its > Mutatis> destination. If it can't get through one path, it goes > Mutatis> through the other. > > This is unfortunately a wide-spread myth. While it's true for mail and > news, it's not for IP packets. Witness: No, it is the truth. The fact is that DT has gone and intentionally broken *all* routes to webcom.com -- the SJ Merc said 129,000. But the point is moot. Try: http://www-leland.stanford.edu/~llurch/Not_By_Me_Not_My_Views/zundel/pr.004.compuser.html http://www.cs.cmu.edu/afs/cs.cmu.edu/user/declan/www/Not_By_Me_Not_My_Views/pr.004.compuser.html Is DT going to block every machine in stanford.edu, cmu.edu, mit.edu, uiuc.edu, harvard.edu, berkeley.edu, and so on? Or from any machine with access to AFS, which includes thousands of academic and a few corporate machines in Germany, the following file system paths will work. With a simple symbolic link, any machine with AFS can become a mirror site. 
/afs/cs.cmu.edu/user/declan/www/Not_By_Me_Not_My_Views/pr.004.compuser.html /afs/ir.stanford.edu/users/l/llurch/WWW/Not_By_Me_Not_My_Views/pr.004.compuser.html Is DT going to block TCP port 80 and UDP ports 7000-7029 from every machine in the world? -rich From stewarts at ix.netcom.com Wed Jan 31 00:48:04 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 31 Jan 1996 16:48:04 +0800 Subject: [FACTS] Germany, or "Oh no not again" Message-ID: <199601310810.AAA00286@ix10.ix.netcom.com> A message claiming to be from > SANDY SANDFORT allegedly wrote: >> Isn't there something in U.S. Code about crossing state lines >> for immoral purposes? >No relevance here. Originally enacted to combat the "white >slavery" trade, it was probably used more to prosecute unmarried >lovers for sexual activity outside of marriage. I don't even >know if it's still on the books, but as I said, no relevance in >the current debate. There's a lot of US law about transporting various materials across state lines or using interstate carrier services or in ways that _might_ affect interstate commerce. Politically incorrect language or imagery (obscenity for adults; indecency for children), politically incorrect vegetable products, politically correct but economically incorrect vegetable and animal products, geographically incorrect humans, mathematically correct but politically incorrect image-manipulation bitstreams all are affected. While the German censorship is evil, immoral, and impractical, I have to agree with Dr. Vulis that many American laws are similarly wrong, and the Germans are at least trying, in their inadequate and immoral way, to fight genuine evils that are far worse than the stuff the US government is attempting to censor. BTW, today's "Recorder" (Bay Area legal newspaper) reports that the US 6th Circuit Court of Appeals upheld the Thomases' conviction. 96 C.D.O.S 609. 
ABTW, they didn't need those laws to fight "white slavery"; kidnapping and rape were already illegal, but any opportunity to make a law.... #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # http://www.idiom.com/~wcs From stewarts at ix.netcom.com Wed Jan 31 00:49:03 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 31 Jan 1996 16:49:03 +0800 Subject: [Fwd: Netscape, CAs, and Verisign] Message-ID: <199601310810.AAA00299@ix10.ix.netcom.com> At 02:55 PM 1/29/96 -0500, Peter Williams wrote, in response to Alex: >>I'd like to see a less centralized CA that's tied into the existing system >>of notaries. The idea is to make it necessary to spoof a notary in order >>to spoof the CA. That won't make spoofing the CA impossible (nothing >>will), but it will make spoofing the CA illegal. ... >I don't understand how you intend to make CA spoofing illegal. Who >who perform the enforcement? (By illegal, I assume you mean that >there is a criminal offence involved, rather than a tort.) Is providing false documents to a notary criminal fraud, or only civil? >>Fees for the whole procedure ought to be less than $30. The CA ought to >>operate off of the fees from the agents as a non-profit organization, and >>the agents ought to keep the fees paid by the people requesting the >>certificates. >Notary fees might be best controlled by the notary, not the CA. >Seems an unreasonable restriction of trade to price-fix, even at the low-end. Notary fees can be agreed contractually between the notary and the CA; if they want to do a list price / street price system, or a non-profit, or a dog-eat-capitalist-running-dog competitive system, the market can let you pick your favorites. >There is indeed a large body of legal ramifications in this >area. The best way to learn about it is to become a CA and do it. Risk >taking is part of being in the CA business, however you operate it, >even for free. 
>>Moreover, although I don't think it's reasonable to expect Netscape to >>agree to include a non-existent CA in their browsers sight unseen, at the >>same time it doesn't seem smart to sink money into setting up the CA >>without some indication from Netscape that they're willing to give the >>idea good faith consideration. >Navigator betas seem to already facilitate users configuring their own >trust points in a manner rather similar to adding a key to your >personal PGP keyring. Letting the user decide whom to trust certainly seems like the best approach, and makes it possible to build a Web of Trust on top of Netscape rather than being stuck with hierarchical certifications. Meanwhile, if Netscape wants to sell the top two slots in their CA list to the highest-bidding advertiser like they do with searchers, they still can. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # http://www.idiom.com/~wcs From stewarts at ix.netcom.com Wed Jan 31 00:49:57 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 31 Jan 1996 16:49:57 +0800 Subject: CONTEST: Name That Program! Message-ID: <199601310810.AAA00335@ix10.ix.netcom.com> At 11:45 AM 1/30/96 -0500, Nathaniel Borenstein wrote: > In fact, I'd settle for getting onto 10% of the machines, although I > suspect I could get onto more like 80% without raising a sweat. You've alleged that Macs and Unixen should be about as easy as Windows machines to crack with your CardShark. I disagree - most Mac users I know have been using virus protectors more consistently and reliably than DOS/Windows users. However, if their virus software only stops known viruses, rather than anything modifying critical resources, you might get away with it for long enough to surf some numbers. Unix is a much tougher case - while there have been a couple of viruses, they don't spread very well, even when everyone uses the same binary formats. 
B2 helps, of course; B1 configured reasonably should also work. ... >Case closed. Your argument would hold a lot more weight if you could >convince me that the average Internet consumer was going to rebuild his >UNIX kernel every few weeks. I suspect a machine that gets rebuilt every week may be _more_ at risk :-) #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # http://www.idiom.com/~wcs From stewarts at ix.netcom.com Wed Jan 31 00:51:26 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 31 Jan 1996 16:51:26 +0800 Subject: [flippant reply] Re: [rant] A thought on filters and the V-Chip Message-ID: <199601310810.AAA00305@ix10.ix.netcom.com> At 10:26 AM 1/29/96 -0500, you wrote: >The cypherpunks relevance of all this is that it should soon be possible to >create completely mediated environments for ourselves and our children. >Through the use of implants and real-time VR processing, it will be possible >to edit our "interface" with the Real World such that unpleasant aspects are >edited out. We will be able to change the attire, hair, facial expressions, >voice, and even smell of those around us to conform to our own esthetic >desires. Likewise with our physical surroundings. Safety may discourage >making a complete transformation in one's surroundings, but one can >certainly soften the edges. Meanwhile, rose-colored glasses are available, or scratched-up hard contact lenses if that's the reality you'd prefer .... Bill, who spends an hour or two wearing headphones on the train several days a week.... #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # http://www.idiom.com/~wcs From hal9001 at panix.com Wed Jan 31 00:51:31 1996 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Wed, 31 Jan 1996 16:51:31 +0800 Subject: your bogus post Message-ID: At 10:08 1/30/96, watson at tds.com wrote: >On Tue, 30 Jan 1996, Paul Graham wrote: > >>... 
>> A company capable of doing such irresponsible things is not one >> that we would trust with users' money. >> ... > >Some of you must have missed the superbowl ads where people and frogs >were getting frozen to beverage cans, and movie actors moved the grand >canyon with a horse. I think that there is a MAJOR difference between the two types of Marketing. The Superbowl ads are not designed with the intent to imply that what is being shown is Reality (how many viewers would think that what was being shown was a REAL [as opposed to symbolic] effect of the product?) while the FV is intended to play on the technical ignorance of the reader/audience and give a false [or at least slanted] view of reality. From llurch at networking.stanford.edu Wed Jan 31 00:55:46 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 31 Jan 1996 16:55:46 +0800 Subject: Java Sniffer (Was: Re: FV Announces That The Sky Is Falling) In-Reply-To: <199601300412.XAA23037@opine.cs.umass.edu> Message-ID: On Mon, 29 Jan 1996, Futplex wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > Tim Philp writes: > > I have been wondering about the possibility of using a JAVA applet to do > > keyboard sniffing. As I am not familiar with this language, does anyone > > know if this would be possible? > > program. I don't see how you could build a keyboard sniffer in Java unless > you could somehow trick the interpreter into feeding an input stream to an > additional process. > > Much more likely, IMHO, than a Java sniffer is a Java Trojan horse that pops > up an innocuous dialog box and asks you to enter some sensitive piece of > information, then sends it off somewhere. About all it takes to write that is > a modicum of skill in user interface design. You could write it in any > programming language, but in Java it may be particularly effective, since > people may come to expect to be prompted for sensitive info over the net by > Java apps. Hmm. Actually, what do Java dialog prompts look like? 
Is there any indication that they come from Java, or can they be made to look like any dialog from any program, or the OS itself? I suppose this is implementation-dependent. One "neat" trick would be an applet that sleeps for several minutes and then suddenly pops up asking for your system password, or something. A heck of a lot of people fell for something much more primitive at AOL. -rich From tcmay at got.net Wed Jan 31 00:57:23 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 31 Jan 1996 16:57:23 +0800 Subject: EFF Compromises, as described in "Wired" Message-ID: If Eric Hughes can break his silence to comment on the FV "discovery" of keystroke-capture programs (funny, I've had a couple on my Mac for years, for error recovery), then I guess I can break my silence about "Wired" articles. This afternoon I sat in a bookstore and skimmed the article on what happened at the EFF, about the Digital Telephony compromise that was approved by the EFF board (our own John Gilmore was reported to have been the sole negative vote), and about how the EFF was effectively "chased out of town" as a result of trying to be a political entity. I can't comment on this outlook, as I am nowhere near the inner circles of the EFF. But it underscores a belief I have: that if you play _their_ game, they have already won, and you just don't know it. What's the alternative? Get them to play _your_ (_our_) game, and maybe they won't win. I'm still a member of the EFF, but the more I read about their problems, including a $200,000 debt, the more convinced I am that the Cypherpunks model is a better place to devote one's efforts and hopes to. We're still going strong after almost three and a half years, with no debt (no assets except ourselves, of course) and no "relocations" from Boston to Washington to San Francisco. So, maybe we're doing OK. --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. 
---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From bruceab at teleport.com Wed Jan 31 00:57:56 1996 From: bruceab at teleport.com (Bruce Baugh) Date: Wed, 31 Jan 1996 16:57:56 +0800 Subject: more RANTING about NSA-friendly cpunks Message-ID: <2.2.32.19960130064711.00695d60@mail.teleport.com> At 12:41 PM 1/29/96 -0800, "Vladimir Z. Nuri" wrote: >when you choose to be in fear of it, the bureaucrats win. On the contrary. Fear is a right and proper response to irrational demands made by people with lots more force and public support than me. Fear becomes bad only in our response to it. If I get scared into inaction, _then_ the bureaucrats win. If I take the fear as motivation to improve my own security and reduce my dependence on the whims of others, then the bureaucrats lose. It is fear of the risks I run in an unsecured state that motivates me to work on my own privacy, and to pass the info I learn on to others. But fear, in this case, is merely the acknowledgement of the vast potential for harm. Denying it is just foolish. >sheep on the planet, all the way up to the head sheep TCM, who writes >long explanations of why the police state is inevitable and nothing >we can do will stop it, You must be reading an alternate universe's version of Cypherpunks - check to make sure that your quantum stabilizers are in order. In _my_ universe, Tim May is a prominent advocate for freedom and self-government, who has written well on why the collapse of the police state (and all states) is inevitable, and what we can do in the meantime. 
Side note to list owner: perhaps we need a majordomo hack to check this cross-universe traffic problem. It seems to be becoming increasingly common. Bruce Baugh bruceab at teleport.com http://www.teleport.com/~bruceab From erc at dal1820.computek.net Wed Jan 31 00:58:12 1996 From: erc at dal1820.computek.net (Ed Carp, KHIJOL SysAdmin) Date: Wed, 31 Jan 1996 16:58:12 +0800 Subject: Java Sniffer (Was: Re: FV Announces That The Sky Is Falling) In-Reply-To: <199601300631.RAA28225@oznet02.ozemail.com.au> Message-ID: <199601300642.BAA04545@dal1820.computek.net> > >Much more likely, IMHO, than a Java sniffer is a Java Trojan horse that pops > >up an innocuous dialog box and asks you to enter some sensitive piece of > >information, then sends it off somewhere. About all it takes to write that is > >a modicum of skill in user interface design. You could write it in any > >programming language, but in Java it may be particularly effective, since > >people may come to expect to be prompted for sensitive info over the net by > >Java apps. Maybe the Java folks who just left Sun decided to seize the > >opportunity ;> > > > >Futplex > > > A very realistic scenario - any comments or reasons it can't happen ?? > second question: > How can you be sure you receive the applet that you "think" you've requested ? > > Any illuminating comments to assist my awareness of java ? Not that this can't happen, but as I understand it, Java puts up a rather distinctive popup, so that you know that it's Java doing it. As people are on the net, I wouldn't expect them to be so stupid as to answer a "Please enter your password" prompt with anything meaningful. As to your second question, I think that this is rather outside the scope of the Java system's control. I guess what I'm trying to say is that there's only so much you can do to protect people from themselves. As with anything else, Java won't prevent you from doing something stupid - nor IMO should it. 
If that were true, we'd all still be riding in buggies pulled by horses. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes From tcmay at got.net Wed Jan 31 00:58:39 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 31 Jan 1996 16:58:39 +0800 Subject: The FV Problem = A Press Problem Message-ID: This morning I read with bemusement (and amusement) the announcement of FV's discovery of keystroke capture programs. Bemusement because we discussed these in a Cypherpunks physical meeting a couple of years ago (and on the list, too). Many of us even have them installed deliberately, for error recovery. Amusement because it looked like much ado about nothing. Then I went out for the day--contrary to popular belief, I do occasionally leave my Internet connection and venture outside--and happened to read the local newspaper. There, in a major new story by Simson Garfinkel, was the FV story plastered all over the newspaper. FUD, indeed. But, it occurred to me, this is just part of the larger syndrome. Simson's article was practically written from the FV press release. While he interviewed some "security experts," clearly the timing of his article (this morning) and the announcement by Nathaniel of his discovery (this morning) suggests the cozy relationship involved. The larger syndrome is that software deals, alliances, mergers, and problems are all based on hype. 
Nathaniel Borenstein issues press releases, Sameer Parekh issues press releases, and maybe even I would issue press releases if only I knew how to. Every day the business news is dominated by stories of alliances and partnerships between Microsoft, MCI, Intel, Apple, Sun, Verifone, DirectTV, Newscorp, Sprint, AT&T, BT&T, CT&T, and all the rest. And a lot of it is hype, posturing. Much of the supposed future will never emerge (anyone remember Satellite Business Systems?) Journalists seem to love this, because the press releases write the stories. Companies like it, too, because they can get free newspaper space. Everyone is scratching each other's back. And those wacky Cypherpunks, with their t-shirts and their strange ideas, are always good for a quick quote, too. --Tim May Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From llurch at networking.stanford.edu Wed Jan 31 01:08:20 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 31 Jan 1996 17:08:20 +0800 Subject: Handy WWW anonymizer proxy *and* translator! Message-ID: Not only does it prevent the nasties from logging where you're coming from, but it also translates to Canadian on the fly, eh? -rich ---------- Forwarded message ---------- Date: Wed, 31 Jan 1996 00:32:36 -0500 From: John R. 
Covert Newgroups: alt.revisionism, alt.politics.white-power, alt.internet.media-coverage, alt.censorship, comp.org.eff.talk, soc.culture.german Subject: Re: Simon Wiesenthal Center Did Not Attempt to Censor Internet In article , declanm at netcom.com (D B McCullagh) wrote: >If the German government forces Deutsche Telekom to block access to web >servers at Carnegie Mellon University, MIT, and Stanford University, it >will be slicing off communications with three of the most respected >universities in the United States. It will be interesting to see if they do. At first, I refused to believe that they would do it to WebCom. I just thought I'd mention another technique for dealing with this problem. It doesn't require dedicating disk space to specific sites; instead, it relays through to any site you specify. For an example, see "The Great Web Canadianizer" at http://www.io.org/~themaxx/canada/can.html To thwart censorship of specific sites, people who have a bit of bandwidth to spare could set up cgi scripts like this one (without the text modification the Canadianizer does -- that's its hack). (Zundel's stuff is no less offensive after the Canadianizer adds a bunch of "eh?"s and "hosers" and changes all the "-ing"s to "-in'".) /john From declan+ at CMU.EDU Wed Jan 31 01:10:45 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Wed, 31 Jan 1996 17:10:45 +0800 Subject: [NOISY] Your own Zundelsite in five minutes or less In-Reply-To: Message-ID: <0l3mmE200YUsNK2kt7@andrew.cmu.edu> Excerpts from internet.cypherpunks: 30-Jan-96 Re: [NOISY] Your own Zundel.. by Lucky Green at netcom.com > I am really interested what the German government is going to do next. > Force their universities to dismount AFS? > > How can we best get the fact the their censorship efforts have hit *the > wall* to their attention? Any Germans on this list that can file a > complaint against the sites with the German authorities? What about > contacting German Telekom? 
> > We won't have won until they restore the routes to Webcom. I agree -- I don't think the censors have lost. If anything, the restrictions are getting worse; the latest reports from Germany say that the www.webcom.com blocking is not limited to DT/T-Online. Now the German universities are blocking, as is the "Win" scientific network. All in the absence of a court order. One message forwarded to me apparently came from network admins: I would like to inform you here of a deliberate routing restriction. Until further notice, the route to the server www.webcom.com alias s1000e.webcom.com (206.2.192.66) is being null-routed on ipgate2: "We have now discontinued routing to the WWW server www.webcom.com. As has been reported in the daily press, Nazi propaganda is being distributed via this server. The Mannheim public prosecutor's office is investigating Ernst Zuendel, producer of this WWW page, on suspicion of incitement of the people." If anyone's interested, we're talking about this in more detail on fight-censorship, which is probably a more appropriate forum. Email fight-censorship-request+ at andrew.cmu.edu if you'd like to be added. -Declan From declan+ at CMU.EDU Wed Jan 31 01:12:36 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Wed, 31 Jan 1996 17:12:36 +0800 Subject: [NOISY] Your own Zundelsite in five minutes or less In-Reply-To: Message-ID: <4l3mdcy00YUsJK2k59@andrew.cmu.edu> Excerpts from internet.cypherpunks: 30-Jan-96 Re: [NOISY] Your own Zundel.. by Rich Graves at networking.s > They are calling major newspapers in several countries, and Time > Magazine, proclaiming their "censorship-free zone" strategy. > > They are more organized and media-savvy than I am. They are professional > liars; "we" are not. This is an enormously important point to make. Rich put the files online via AFS, which is where I got them, supplemented by some taken directly from the Z-site. We did *not* do it at the request of the Zundelfolken. 
I've updated the censorship.html file at my mirror to reflect the nuances of the situation. BTW, Sameer has mirrored, and someone in Japan likely will too. http://www.c2.org/uncensored/Not_By_Us_Not_Our_Views/Not_By_Me_Not_My_Views/ -Declan From stewarts at ix.netcom.com Wed Jan 31 01:13:00 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 31 Jan 1996 17:13:00 +0800 Subject: PGP Shell Integrity Message-ID: <199601310852.AAA04391@ix10.ix.netcom.com> At 10:13 PM 1/29/96 -0800, you wrote: >Firstly, if this is viewed as "Noise" rather than "Signal", please accept my apologies. Looks like a real technical discussion instead of a flame - obviously the wrong list :-) >The matter at hand concerns my concern over my inability to check the > "integrity" of a PGP windoze shell written by Michael R. Lyman at Aegis Research Corp. > >I worry that since the shell has access to my secret ring that it might > be sending it somewhere without my knowledge. I don't know that package, but most of them act as wrappers around DOS PGP rather than filtering keystrokes or doing PGP internals. There are several risks - getting your secret ring, getting your passphrase, getting the RSA parameters without the passphrase itself. Obviously, having your secret key ring file leak is not good, but the fun parts _are_ IDEA-encrypted using your passphrases, so it's not too much of a risk. Having the passphrase or the raw keys stolen would obviously be worse. DOS/Windows is _not_ a secure operating system, if you believe that there's more than one person in the universe. (DOS doesn't believe that, so in some sense it's perfectly secure. :-) Nathaniel Borenstein's recent postings are a good reminder that keystrokes can be stolen, easily, in that environment. >The freeware was, according > to Mr.Lyman, developed "Project Manager, Forward Air Missile Defense, > United States Army Missile Command". That gvt. 
affiliation gives me > considerable pause as regards back doors and other ways my secret ring > and pass phrase could be compromised. > >Does anyone have any familiarity with this freeware? I do not think > I am being paranoid.. just careful. Lastly, if I am not a programmer, > what sort of inspection can I perform on the software to make sure it is not "bugged"? Without source code, if you're not a programmer, the things to look for are circumstantial evidence - is the copy of the program you got off the server PGP-signed by the purported author? Or by any programmers you trust? That doesn't tell you the program is trustable, but it does tell you if it's a fake replacing the real thing. Is the real thing trustable? (Well, probably...) There's also the problem of leaking your key back to the Bad Guys, but that's easy - the program could leak it out in your PGP messages (either obviously, as a second recipient, or in subtle nasty ways like playing with the system clock on timestamps.) #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # http://www.idiom.com/~wcs From dm at amsterdam.lcs.mit.edu Wed Jan 31 02:09:38 1996 From: dm at amsterdam.lcs.mit.edu (David Mazieres) Date: Wed, 31 Jan 1996 18:09:38 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards In-Reply-To: Message-ID: <199601300934.EAA02798@amsterdam.lcs.mit.edu> This sounds like nothing but a glorified keystroke sniffer like xkey. More importantly, however, if my system did get compromised, I would have bigger worries than my credit card number. I give my credit card number out to people every day, but no one knows my PGP or ssh passphrases, for example. You may argue that many people don't have source code to their OS's, so that viruses can spread more easily to them than to me. Well, many people don't do backups, either. 
Ask most people if they would rather divulge their credit card numbers or lose the entire contents of their hard drives, and I think the answer will most likely be the credit card number disclosure. This article looks like a cheap attention getting device for FV to get some free publicity. I am not impressed. David From bofur at alpha.c2.org Wed Jan 31 02:14:09 1996 From: bofur at alpha.c2.org (bofur at alpha.c2.org) Date: Wed, 31 Jan 1996 18:14:09 +0800 Subject: Sad state of affairs Message-ID: <199601300828.AAA08526@infinity.c2.org> It's a pretty sad statement of how poorly this list is functioning when the RC2 source can be publicly released but people would rather sling mud over glorified keystroke trappers and rant about Nazi deathcamps. Our friends at the NSA must be pleased with the slow death of this group. Sadly, Bofur. -------------------------------------------------------------------------- Bofur bofur at alpha.c2.org PGP available from PGP key servers Key fingerprint = 81 0C 8F 88 0A 4F 67 3F ED 52 DE 3C 55 34 26 25 From jsw at netscape.com Wed Jan 31 02:14:37 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Wed, 31 Jan 1996 18:14:37 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards In-Reply-To: Message-ID: <310DD0D3.6BBF@netscape.com> Weld Pond wrote: > Programs needing secure entry create a "secure entry field" which is > really just an imagemap with the digits (and alphas if required) placed > randomly about. The user then uses the mouse to click on these numerals. > Ideally the graphics that represent the numerals would be drawn from a > random pool and are misformed to thwart any OCR attempts. The graphics > could be made even more difficult to OCR by mixing in words and pictures > to represent the numbers. The web page could be implemented with javascript, which could collect the keyclicks without any round trips to the server, and just send the encrypted credit card number. 
--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw at netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.

From andreas at horten.artcom.de Wed Jan 31 02:16:33 1996
From: andreas at horten.artcom.de (Andreas Bogk)
Date: Wed, 31 Jan 1996 18:16:33 +0800
Subject: Opinion piece in NYT; responses needed
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

>>>>> "Rich" == Rich Graves writes:

Rich> Is DT going to block TCP port 80 and UDP ports 7000-7029
Rich> from every machine in the world?

We'll see. I told the Admin of dfn.de nicely that his routing seems to be broken. If he responds with pointing to the Zuendel site, I'll send him the other URLs and ask him to stop routing to these sites as well.

Andreas

P.S.: I need some fodder. Anyone else mirroring the site?

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
-----END PGP SIGNATURE-----

From hal9001 at panix.com Wed Jan 31 03:46:56 1996
From: hal9001 at panix.com (Robert A. Rosenberg)
Date: Wed, 31 Jan 1996 19:46:56 +0800
Subject: The Politics of Mistrust
Message-ID:

At 13:31 1/28/96, John Young wrote:
>
> While not directly related to technical crypto, a number
> of findings parallel discussions here about the diminution
> of personal and economic security. Samples:

My personal reason for mistrusting the Government is that it uses Coercive Power to steal money from me (via "taxes" such as FICA) claiming that I am buying Benefits for myself such as SS and Medicare yet it does not meet the obligation to supply these services under the promised terms when I need/want them.
If SS and Medicare were run by a private company and operated the way the Government changes the rules, all of Top Management would be in Prison for Fraud (and a number of other charges). Any Benefits program that the Government uses its coercive power to force me to join and pay for should be REQUIRED to maintain the terms in place when the payments were collected (ie: There should be no unilateral alteration of the terms by the Government). The ONLY program that I can think of where this has even partly occurred is with IRAs (all payments prior to year X are treated under the original tax rules while payments into an IRA after that date have a new tax status). All other programs are subject to rules modification (ie: reductions of promised/paid-for Benefits) or Congress defunding at a moment's notice.

From futplex at pseudonym.com Wed Jan 31 03:54:12 1996
From: futplex at pseudonym.com (Futplex)
Date: Wed, 31 Jan 1996 19:54:12 +0800
Subject: Multi-plaintext decryption (Was: Re: "Concryption" Prior Art)
In-Reply-To: <01I0JULCV3Z4A0UMAT@mbcl.rutgers.edu>
Message-ID: <199601290804.DAA21491@opine.cs.umass.edu>

-----BEGIN PGP SIGNED MESSAGE-----

Allen writes:
> A section of data is placed at the beginning of the encrypted material.
> When it is decrypted or encrypted (depending on how one wants to work things)
> with a given passphrase, it turns out a series of bits, reiterated as needed.
> Each x bits is used to say how far along in the encrypted material the next
> piece of information making up one encrypted message (using the same
> passphrase) is. If you put in a different passphrase, you get a different
> series of bits, and thus use a different set of information for the encrypted
> material.

This general concept crops up periodically here. As near as I can make out, the object of the exercise is to be able to demonstrate an innocuous decryption of a piece of ciphertext which also has alternate corresponding plaintext messages.
Any scheme for this seems to depend upon the secrecy of the algorithm, among other factors. If an adversary has some inkling that a piece of ciphertext may represent multiple plaintexts, then she is unlikely to be fooled by protestations to the contrary.

So IMHO it is rather pointless to debate possible designs for such a scheme. Those who remain interested would do well to read the various previous discussions about this in the archives.

Futplex
"Of course I'm celebrating! Dallas only wins the Super Bowl once a year, you know...."

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

From jimbell at pacifier.com Wed Jan 31 03:54:37 1996
From: jimbell at pacifier.com (jim bell)
Date: Wed, 31 Jan 1996 19:54:37 +0800
Subject: [rant] A thought on filters and the V-Chip
Message-ID:

At 06:38 PM 1/26/96 -0800, Rich Graves wrote:
>On Fri, 26 Jan 1996, jim bell wrote:
>> On the other hand, this would be an EXCELLENT "argument" to bring in front
>> of a Congressional committee considering the adoption of any V-chip type
>> proposal. Once they discover that a ratings system could be used for the
>> diametrically opposite reasons of their reason for having it in the first
>> place, they'll try to modify their proposal to prevent this.
>>
>> If we're lucky, this'll have the effect of killing the whole concept of
>> government-sponsored (required?) V-chip-type technology.
>>
>> OTOH, I agree with other posters who think that truly voluntary content
>> selection would be an excellent addition to television: In effect, an
>> automatic, programmable TV-Guide search engine.
>
>While it's hard to find a general theme here, I think I disagree.

What? You mean you LIKE to read TV guide every week, cover to cover, in advance, to schedule your TV viewing habits?

>Anyway,
>I don't think that even truly voluntary content selection is a good idea,
>because it reduces art to numbers, which is wrong.

Aw, admit it. You're just still pissed 'cause I called you a f------ statist. >

Me, I'd like to be able to tell my "TV-Guide search engine" to:

1. Look for this particular show or movie.
2. Look for this particular star, director, or other participant..
3. Follow a subject thread, say on the news.
4. etc.

Maybe even a more complex (artificially intelligent) agent that "knows" me well enough to anticipate my desires.

> lead to a balkanization that diminishes the common
>culture. I think it was good the way network TV was limited to the lowest
>common denominator, but with variety. People who wanted something with a
>little more flavor than WonderBread [tm] were able to find it, but they
>did have to look, which often involved *meeting other people* with common
>interests, and they still tuned in to Ed Sullivan to see what the Joneses
>were watching. Give people 1024 bits' worth of channels to choose from,
>classified by arbitrary criteria involving no human contact, and you get
>something entirely different. I'm not sure what's happening now, but I
>don't think I like it.

You're entitled to NOT like it. But I'm equally entitled to use modern technology to sift through 60+ cable channels, or 300+ DSS-type channels.

From alano at teleport.com Wed Jan 31 04:04:30 1996
From: alano at teleport.com (Alan Olsen)
Date: Wed, 31 Jan 1996 20:04:30 +0800
Subject: Over-reacting?
Message-ID: <2.2.32.19960129072232.0092f538@mail.teleport.com>

At 09:38 PM 1/28/96 -0800, jim bell wrote:
>At 05:42 PM 1/28/96 -0800, Timothy C.
>May wrote:
>>We already have enough traffic here, and don't need replies from a bunch of
>>other lists, be they libertarian lists, digital commerce lists, human
>>rights lists, or java lists.
>>
>>The latest example of this is the rantfest involving these players:
>
>I really don't know why I'm being "killed" by May in this way. He cites a
>rant by a local (Portland, Oregon) crackpot named "Jack Hammer." I even
>took the time to apologize for his existence, while I do claim a certain
>lack of responsibility: Basically, I'm being targeted because Hammer can't
>stand my essay. (Whether May will even see my apology is in doubt, I
>suppose...) While May certainly has the right to "killfile" whomever he
>wishes, it might be a bit more logical to do this in a graduated fashion,
>"killing" Hammer and then waiting to see if the rest of us follow in his
>habits.

The reason for the killfiling is your habit of adding multiple additional mailing lists into the To: and cc: list. I have seen more than one post where you have added a Libertarian list and the "Democracy Now Channel 2" list into the fray, not to mention other individuals. THAT is why you are getting the golden killfile, not your association with Jack "Acid" Hammer. (Though that may help...)

The only individual I have killfiled (so far) is Dr. Fred. (At least on mailing lists. Usenet is another matter...)

Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key
http://www.teleport.com/~alano/
Is the operating system half NT or half full?

From alanh at infi.net Wed Jan 31 04:14:26 1996
From: alanh at infi.net (Alan Horowitz)
Date: Wed, 31 Jan 1996 20:14:26 +0800
Subject: NRO Slush Fund
In-Reply-To: <199601301329.IAA18155@pipe1.nyc.pipeline.com>
Message-ID:

Am I remembering correctly that the NRO slush came to light, because the bigwigs were caught building a Taj Mahal of a headquarters building with the extra money? Oh, the banality of it!
They should have been surveilling American's listening habits to see who's a fan of Frank Zappa, it would have made for more sensational reading on the CP list.

Alan Horowitz
alanh at norfolk.infi.net

From master at internexus.net Wed Jan 31 04:14:43 1996
From: master at internexus.net (Laszlo Vecsey)
Date: Wed, 31 Jan 1996 20:14:43 +0800
Subject: NOISE: Cypher-list noise levels! >>>>
In-Reply-To: <199601310201.VAA26901@pobox.com>
Message-ID:

> Can someone on the PGPdomo cypher-list tell me how good the signal to
> noise ratio currently is, and how good the content is. I've not signed
> up, but I'm tempted to try and get away from the noise on here
> recently.
>

I thought I'd contribute some noise to the cypherpunks list too, so here goes. Why not just subscribe to the PGPdomo list, and see what the traffic is like for a couple days? It's not like you will be locked into the mailing list forever.

FYI the traffic on the PGPdomo list has been very low lately. I haven't received a message from the list in a few days. But then again there is even more 'noise' on that list because every message I've seen posted on it talks about PGPdomo, the mailing list, getting PGP software to work, etc.. From what I've seen people just sign up to test it out with a test message, and that's about it. Even with mkpgp for pine it's still a bit inconvenient to use, I think that's the reason for the low-traffic.

From bdavis at thepoint.net Wed Jan 31 04:17:10 1996
From: bdavis at thepoint.net (Brian Davis)
Date: Wed, 31 Jan 1996 20:17:10 +0800
Subject: [NOISE] Re: [FACTS] Germany, or "Oh no not again"
In-Reply-To: <9601302336.AA14776@alpha>
Message-ID:

On Tue, 30 Jan 1996, Mike McNally wrote:

>
> Brian Davis writes:
> > > > m5 at dev.tivoli.com (Mike McNally) writes:
> > > > > > > > ... for immoral purposes?
> > > > > > ... white wimmin ...
> > > > On the contrary ...
>
> Not that I don't wish I could take credit for a discussion thread of
> such high caliber as this, but I can't; I have no idea how my name got
> glued on there.

I suspect that you had a comment on the thread before it went so far astray and that I screwed up the attributions ...

Sorry.

EBD

From ponder at wane-leon-mail.scri.fsu.edu Wed Jan 31 04:18:46 1996
From: ponder at wane-leon-mail.scri.fsu.edu (P.J. Ponder)
Date: Wed, 31 Jan 1996 20:18:46 +0800
Subject: NOISE: Borenstein's Fatal Spam (Was: Plonk, Dr. Fred)
Message-ID:

please don't try to make sensible replies to this type of tar-baby garbage. What's the point in arguing with someone who only wants you to argue with them and make sure you spell their name right?

First Virtual, you lost a lot of ground with me. (sounds like others feel the same way, too).

... that sucking sound is your reputation capital being snarfed off your keyboard and encrypted by tempest-bots lurking just under your tinfoil helmet. I'd be worried.

The corrupted keyboard buffer of "W. Kinney" wrote:
. . .
> Followed by an hysterical essay on how FV has "discovered" the keyboard
> sniffer. Oh, please. You people should be ashamed of yourselves.

To which FV's own replied:

I trust you've seen by now that we made no claim to have discovered keyboard sniffers. Please read our claims more carefully, and I'd be delighted to discuss them rationally. -- Nathaniel
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
delighted to discuss them at all, I would bet. Anyone interested in a discussion of whether or not keyboard sniffers work?

a pox on your virtual house for a bad spam, poorly aimed at this list, in particular.

NEVER TYPE CYPHERPUNKS at TOAD.COM IN THE TO: LINE

From edgar at Garg.Campbell.CA.US Wed Jan 31 05:04:18 1996
From: edgar at Garg.Campbell.CA.US (Edgar Swank)
Date: Wed, 31 Jan 1996 21:04:18 +0800
Subject: AOL privacy (not)
Message-ID:

AOL RECORDS USED TO SOLVE MURDER CASE

Fairfax County, Va.
police recently obtained a search warrant for electronic files relating to participants in an America Online chat room in an effort to solve a murder in New Jersey. The victim had met his alleged assailant through a "men for men" chat room, and investigators say several other chat room participants helped in disposing of the body. One of them, a 24-year-old woman, is now charged with tampering with the evidence. An AOL spokeswoman said that it is the company's policy to comply with subpoenas, and that although it does not keep records from chat rooms, it does keep records of e-mail for five days before they are purged. "We certainly respect and abide by our customers' right to privacy, but we are also going to follow the law. We have 4.5 million customers -- that's the size of a city. When we have some problems, we have to deal with it responsibly." (St. Petersburg Times 28 Jan 96)

***************************************************************
EDUPAGE is what you've just finished reading. (Please note that it's "Edupage" and not "EduPage.") To subscribe to Edupage: send a message to: listproc at educom.unc.edu and in the body of the message type: subscribe edupage Emmitt Smith (assuming that your name is Emmitt Smith; if it's not, substitute your own name). ... To cancel, send a message to: listproc at educom.unc.edu and in the body of the message type: unsubscribe edupage. (Subscription problems? Send mail to educom at educom.unc.edu.)

--
edgar at Garg.Campbell.CA.US (Edgar Swank)
The Land of Garg BBS -- +1 408 378-5108

From djr at saa-cons.co.uk Wed Jan 31 05:05:05 1996
From: djr at saa-cons.co.uk (Dave Roberts)
Date: Wed, 31 Jan 1996 21:05:05 +0800
Subject: PGP commercial usage
Message-ID:

I have read and reread the documentation that is included with the PGP distribution (although my copy is over a year old now), and am still trying to work out if commercial use of 2.6ui is allowed outside the USA.
Could someone elaborate for me, or perhaps point me to some up to date reference documentation.

TIA - Dave.

Dave Roberts        | "Surfing the Internet" is a sad term for sad people.
Unix Systems Admin  | Get a board, find a beach, surf some REAL waves and
SAA Consultants Ltd | get a *real* life.
Plymouth, U.K.      | -=[For PGP Key, send mail with subject of "get pgp"]=-

From jya at pipeline.com Wed Jan 31 05:24:30 1996
From: jya at pipeline.com (John Young)
Date: Wed, 31 Jan 1996 21:24:30 +0800
Subject: PoM 3: Angry Females
Message-ID: <199601301750.MAA18912@pipe1.nyc.pipeline.com>

Today's third article of The Washington Post series on "The Politics of Mistrust" is:

"Angry Female Voters a Growing Force."

Remember angry white males? Well, hear now from the women. They are more likely than men to have become anxious about the economy and distrustful of government. But what separates men from women in this worried segment of the electorate is that they seem less concerned with their own plight than they are with the economic prospects for their children and their neighbors, including the poor.

Next: The anti-government electorate.

Series to date available at:

http://www.replay.com/young/

From erc at dal1820.computek.net Wed Jan 31 05:29:51 1996
From: erc at dal1820.computek.net (Ed Carp, KHIJOL SysAdmin)
Date: Wed, 31 Jan 1996 21:29:51 +0800
Subject: Handy WWW anonymizer proxy *and* translator!
In-Reply-To:
Message-ID: <199601311306.IAA26970@dal1820.computek.net>

> Not only does it prevent the nasties from logging where you're coming
> from, but it also translates to Canadian on the fly, eh?

I thought it was hilarious, but my spouse (who is Canadian) found it less humorous.
I still got a little mileage out of using the words "hoser" and "hosehead" for a few days ;)

> For an example, see "The Great Web Canadianizer" at
> http://www.io.org/~themaxx/canada/can.html
> To thwart censorship of specific sites, people who have a bit of bandwidth
> to spare could set up cgi scripts like this one (without the text modification
> the Canadianizer does -- that's its hack). (Zundel's stuff is no less
> offensive after the Canadianizer adds a bunch of "eh?"s and "hosers" and
> changes all the "-ing"s to "-in'".)

I wrote the author some time back in hopes of getting the source, but no luck :( Anyone have source for this or similar? I'd be happy to put it up on my web site (http://dal1820.computek.net).

--
Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com
214/993-3935 voicemail/digital pager
800/558-3408 SkyPager
Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi

"Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'"

-- "Losing Your Mind", Karen Alexander and Rick Boyes

From gorkab at sanchez.com Wed Jan 31 05:31:05 1996
From: gorkab at sanchez.com (Brian Gorka)
Date: Wed, 31 Jan 1996 21:31:05 +0800
Subject: x-app/pgp-encrypted
Message-ID: <01BAEFB3.1A5D0C40@loki>

Does anyone know of a web server that uses PGP instead of SSL or STT or whatever is the new acronym of the week for secure web transactions?

A server would have its public key available for anyone to get. All transactions that need encrypting would be encrypted to the server by using the public key. PGP 3.0's API would make this even easier (or so I've heard).

The reverse could also be implemented.
By using some identifying characteristic of the user (maybe a user defined name) and the corresponding PGP key, data could be transmitted securely to the user.

----------
Brian Gorka
Key fingerprint = ED 7D 78 7E 95 E8 05 01 27 01 A1 74 FA 4B 86 53

From erc at dal1820.computek.net Wed Jan 31 05:32:53 1996
From: erc at dal1820.computek.net (Ed Carp, KHIJOL SysAdmin)
Date: Wed, 31 Jan 1996 21:32:53 +0800
Subject: CONTEST: Name That Program!
In-Reply-To: <199601310810.AAA00335@ix10.ix.netcom.com>
Message-ID: <199601311313.IAA27518@dal1820.computek.net>

> Unix is a much tougher case - while there have been a couple of viruses,
> they don't spread very well, even when everyone uses the same binary
> formats. B2 helps, of course; B1 configured reasonably should also work.

Most people are very nervous about running binaries on a unix box that they get off the net, and nobody runs a setuid-to-root binary on their system unless they paid $$$ for it and got it from a reputable vendor. I personally only run one binary on my machine that I didn't compile myself - that's Netscape.

--
Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com
214/993-3935 voicemail/digital pager
800/558-3408 SkyPager
Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi

"Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'"

-- "Losing Your Mind", Karen Alexander and Rick Boyes

From erice at internic.net Wed Jan 31 06:00:30 1996
From: erice at internic.net (Eric Eden)
Date: Wed, 31 Jan 1996 22:00:30 +0800
Subject: Domain hijacking, InterNIC loopholes
In-Reply-To: <9601301819.AA00964@toad.com>
Message-ID: <199601311339.IAA20864@ops.internic.net>

> This is not a security risk? No.
> But, to quote a delightfully
> low-key document from InterNIC, "[such] an unauthorized update
> could lead a commercial organization to lose its presence on
> the Internet until that update is reversed."
>
> Ah. But that update will be reversed only when victim.com's sysadmins
> realise what's happened. If evil.org is clever enough, it will
> not halt the mail flow, but forward everything on to victim.com
> (after keeping a copy, of course). It could act as a proxy server
> to www.victim.com, accessing all URLs (using victim.com's real
> IP address) on demand and relaying them to browsers who are actually
> looking at www.evil.org. And so on. Unless victim.com's admins
> are particularly observant, they may not notice a thing.
>
> That delightful InterNIC document I mentioned is the draft paper
> on the InterNIC Guardian Object, first out in November 1995, latest
> version out earlier this month. It's an internal InterNIC proposal
> for a "Guardian Object" which would guard any other object (such
> as a domain name, or individual, or hostname, or even another
> guardian). It would allow a range of authentication methods, from
> none (very clever) and MAIL-FROM (easy to spoof) to CRYPT (1-way
> hash, like Unix passwd) and PGP (using public keys stored at
> InterNIC). All domain and other templates will be changed to
> work with guardians. The procedures in the original draft looked
> easy enough; the latest ones are formidable.
>
> Incidentally, this draft appeared two months after the InterNIC
> started charging. The wonders of the profit motive.
>
>

The InterNIC Guardian Object Draft has been made publicly available to the Internet community for comments. As mentioned, the URL is:

ftp://rs.internic.net/policy/internic/internic-gen-1.txt

We welcome any comments or suggestions you might have about this draft. The InterNIC has made significant improvements to the draft over the past several months based on public comments.
Eric Eden
erice at internic.net

From master at internexus.net Wed Jan 31 06:35:40 1996
From: master at internexus.net (Laszlo Vecsey)
Date: Wed, 31 Jan 1996 22:35:40 +0800
Subject: KOH "Helpful" Crypto Virus
In-Reply-To:
Message-ID:

> While you are at it, you might also want to pick up their famous collection
> CD-ROM full of virus code, live viruses, virus creation engines, etc. From
> their catalog: "For starters, you get a fantastic virus collection
> consisting of 574 families [...] about 3700 carefully tested and cataloged
> viruses in all...$99 + $5 S&H.
>

I take it it's completely legal to set up a Virus ftp site then?

From shamrock at netcom.com Wed Jan 31 06:36:03 1996
From: shamrock at netcom.com (Lucky Green)
Date: Wed, 31 Jan 1996 22:36:03 +0800
Subject: KOH "Helpful" Crypto Virus
Message-ID:

At 21:29 1/30/96, Laszlo Vecsey wrote:
>> While you are at it, you might also want to pick up their famous collection
>> CD-ROM full of virus code, live viruses, virus creation engines, etc. From
>> their catalog: "For starters, you get a fantastic virus collection
>> consisting of 574 families [...] about 3700 carefully tested and cataloged
>> viruses in all...$99 + $5 S&H.
>>
>
>I take it it's completely legal to set up a Virus ftp site then?

AFIK, in the US it is legal to set up a virus ftp site. I don't know if someone has actually done it. Don't count on it lasting. Some European countries have already outlawed virus (read knowledge) distribution.

-- Lucky Green
PGP encrypted mail preferred.

From futplex at pseudonym.com Wed Jan 31 06:36:06 1996
From: futplex at pseudonym.com (Futplex)
Date: Wed, 31 Jan 1996 22:36:06 +0800
Subject: Lotus Notes
In-Reply-To: <9601310246.AA14482@toad.com>
Message-ID: <199601310315.WAA26299@opine.cs.umass.edu>

bal quoted from the RSAREF 2.0 license:
> /* RSA key lengths.
> */
> #define MIN_RSA_MODULUS_BITS 508
> #define MAX_RSA_MODULUS_BITS 1024
> #define MAX_RSA_MODULUS_LEN ((MAX_RSA_MODULUS_BITS + 7) / 8)
> #define MAX_RSA_PRIME_BITS ((MAX_RSA_MODULUS_BITS + 1) / 2)
> #define MAX_RSA_PRIME_LEN ((MAX_RSA_PRIME_BITS + 7) / 8)

Unfortunately this still doesn't explain Charlie Kaufman's comment (paraphrased) that the "crypto software also limited us to 760 bit RSA keys".

Futplex

From stewarts at ix.netcom.com Wed Jan 31 06:36:35 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Wed, 31 Jan 1996 22:36:35 +0800
Subject: CONTEST: Name That Program! -- ESCROW
Message-ID: <199601310811.AAA00397@ix10.ix.netcom.com>

ESCROW - Easily Stolen Creditcard Recorder Or Whatever
         Easily Stolen Creditcard Recording {Obnoxious, Obsequious, Obscure, Obfuscator } Widget
(one objective is to find a way to insult the "Key Escrow" people, of course. And besides, this _is_ escrow - you're giving your credit card number to your trusted computer to hold on to and deliver to someone else.)

BCCI - Basic Credit Card Interceptor
CIA - Card Intercepting Agent
NSA - Nathaniel's Security Attack, Network Stealing {Agent, Accessory}, Not Secure Anough

Bill Stewart, 2555 W. Middlefield Rd #882, Mountain View CA 94043
T-Shirt Size: XXL
Cash Size: Small Unmarked Bills or anonymous digital cash?
#--
# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281
# http://www.idiom.com/~wcs

From bal at martigny.ai.mit.edu Wed Jan 31 06:38:27 1996
From: bal at martigny.ai.mit.edu (Brian A. LaMacchia)
Date: Wed, 31 Jan 1996 22:38:27 +0800
Subject: Lotus Notes
In-Reply-To: <9601310019.AA18345@sulphur.osf.org>
Message-ID: <9601310246.AA14482@toad.com>

   From: Rich Salz
   Date: Tue, 30 Jan 1996 19:19:13 -0500
   Cc: cypherpunks at toad.com
   Sender: owner-cypherpunks at toad.com
   Precedence: bulk

   >I find this very interesting. RSA prohibits its licensees from using RSA
   >software with truly secure keylengths.

   Hunh?
   I could find no mention of keylength or keysize in the RSAREF documents I had around. I'm at home now, but I also recall no mention of keysize or keylength in the license OSF has, either.

In RSAREF 2.0 this is covered by clause 2(d) in the license:

   d. Prior permission from RSA in writing is required for any modifications that access the Program through ways other than the published Program interface or for modifications to the Program interface. RSA will grant all reasonable requests for permission to make such modifications.

The published interface references the following constants in source/rsaref.h:

   /* RSA key lengths.
    */
   #define MIN_RSA_MODULUS_BITS 508
   #define MAX_RSA_MODULUS_BITS 1024
   #define MAX_RSA_MODULUS_LEN ((MAX_RSA_MODULUS_BITS + 7) / 8)
   #define MAX_RSA_PRIME_BITS ((MAX_RSA_MODULUS_BITS + 1) / 2)
   #define MAX_RSA_PRIME_LEN ((MAX_RSA_PRIME_BITS + 7) / 8)

As part of the agreements leading to the release of MIT PGP 2.6 we received explicit permission from RSADSI to increase MAX_RSA_MODULUS_BITS to 2048.

--bal

From stewarts at ix.netcom.com Wed Jan 31 06:40:27 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Wed, 31 Jan 1996 22:40:27 +0800
Subject: encrypted cellphones
Message-ID: <199601310810.AAA00261@ix10.ix.netcom.com>

At 07:18 PM 1/30/96 -0500, prmoyer at magpage.com (Philip R. Moyer) wrote:
>Well, I'm discouraged. I'm looking for strongly encrypted cellular telephones,
>but I can't seem to find many.

Are you looking for cellphones, or cordless phones? There aren't a lot of strongly encrypted cordless phones out there, but there may be some. Digital spread spectrum is probably the best that's easy to find; other kinds of "digital" phones usually pick a not-too-busy frequency and transmit digitized voice, which is mildly secure against other people using your base unit to make their phone calls, but doesn't protect your privacy against anyone with digital-capable equipment.
The middle ground between cordless phones and cellphones includes cordless phones with ranges of about a mile (AT&T and some other vendors have sold them); they're typically in the $300-500 range, and use spread spectrum to avoid interference to/from other phones. It also includes phone services that can handle portable phones that you have to stay in one place to use (i.e. once you start your phone call, if you go out of range your call gets dropped rather than handed off to another cell.) I'm not aware of commercial service like this in the US, but there are wireless PBXs that work this way (which can be cheaper than stringing phone wires around buildings.)

Cellphones, of course, can only (usefully) use encryption if the cellular service provider uses it (i.e. if the end that's listening to your radio transmission can decode it :-) American cell-phone providers don't. The GSM phones used in much of the world have encryption, but it's apparently not very strong.

>I would really like to avoid using a GAK enabled product,
>if there's any way to avoid it (even if it means paying lots of extra $$$).

I'm not aware of any GAKed cordless phones, though I suppose there could be such. US cellular phones don't need GAK because the government's strong-armed the standards committees into using appallingly trivial crypto - none of this strong 40-bit RC for you :-)
#--
# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281
# http://www.idiom.com/~wcs

From tcmay at got.net Wed Jan 31 06:40:55 1996
From: tcmay at got.net (Timothy C. May)
Date: Wed, 31 Jan 1996 22:40:55 +0800
Subject: Silver Linings and Monkey Wrenches
Message-ID:

At 1:13 AM 1/31/96, Futplex wrote:
>Bill Frantz writes:
>> One other small advantage I can see to using Lotus's crippled encryption.
>> It disguises the fact that a message is actually (double) encrypted with
>> PGP. Attackers have to break the 40 bits before they see the PGP encrypted
>> data.
>
>I don't understand.
>Are you saying that there's a special benefit to doing
>superencryption (GAK encryption over non-GAK encryption) when the GAK layer
>is Lotus Notes ?

Maybe what Bill was getting at is that a widely-deployed system of "fairly good" crypto (a la Clipper/Tessera) could have a silver lining.

As many, many of us have noted for the past several years, if the authorities have to first jump through hoops (ostensibly), getting court orders, obtaining the LEAF/LEEF, etc., and only then do they determine that some kind of superencryption has been added, then this could make things worse for them than before.

There are of course wrinkles:

-- superencryption could be banned

-- enforcement is problematic, and if there is only a tiny chance of catching that Fifth Horseman (the Superencryptor), then the penalties would have to be astronomically high, to satisfy the Basic Equation:

(risk of getting caught) x (penalty if caught) > (payoff of the crime)

-- interoperability. Hard to block it if done in text mode, PGP-style, but Lotus Notes will presumably be designed to make superencryption harder to do.

And of course we can never cheer on a mandatory crypto scheme, for a variety of reasons. I'm just saying that we can look for silver linings, a way to make lemonade out of lemons.

It may even be possible to nuke these NSA-enabled programs by publicizing ways of monkeywrenching them, as with superencryption.

--Tim

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From wprice at primenet.com Wed Jan 31 06:42:46 1996
From: wprice at primenet.com (Will Price)
Date: Wed, 31 Jan 1996 22:42:46 +0800
Subject: ANNOUNCE: CryptDisk 1.2 for Macintosh
Message-ID:

I'm pleased to announce that version 1.2 of CryptDisk for Macintosh is now available.

The Winner of MacUser's 1995 Shareware Award for Personal Tools, CryptDisk is a soft partition encryptor for the Macintosh. It lets you create "files" of any size which can be mounted as if they were hard drives on your desktop. These files are encrypted/decrypted on the fly using the IDEA encryption algorithm. IDEA is an internationally known algorithm that uses 128-bit keys. Most cryptographers consider it significantly superior to the government's DES standard. CryptDisk makes data security a seamless integrated component of your desktop allowing you instant access to huge numbers of encrypted files including the ability to play QuickTime movies directly from CryptDisks.

IMPROVEMENTS IN 1.2:

* CryptDisks can now be used on read-only volumes allowing CryptDisks to be mounted from CD-ROMs. Locking a CryptDisk in the Finder will also mount it as a read only volume.

* New interface for specifying disk sizes allows arbitrarily sized disks from 64K on up. CryptDisks can now be sized to take up all the space on a floppy disk.

* CryptDisk now dynamically informs the user for each volume how much contiguous space is available to create a CryptDisk before specifying the passphrase.

* The public distribution now contains native PowerPC code for the application itself. Previously, only the driver was native in the public release.

* A serious security hole was plugged that should affect only a very small number of users. Please follow the release notes to make sure you are not affected and to take appropriate steps if you are.

* CryptDisk is now much more robust about mounting disks and will inform the user of the nature of any problems it has mounting disks.

Information on obtaining the latest version is available to US and Canadian citizens from:

ftp://ftp.primenet.com/users/w/wprice/README

or by visiting the web page:

http://www.primenet.com/~wprice/cdisk.html

You may also be able to obtain it from other export controlled FTP sites around the US as it gets distributed.

CryptDisk is shareware for $20. The source code is also available for an extra $20. Registered users receive access to beta versions of CryptDisk and are sent announcements about its status periodically.

All CryptDisk releases are signed by my public key:

-Will

 _______________________________________________________
| Will Price   | wprice at primenet.com                 |
|  ________    | http://www.primenet.com/~wprice       |
|  \      /    | PGP key available by finger.          |
|   \    /     |                                       |
|____\  /______|_______________________________________|
      \/

From rsalz at osf.org Wed Jan 31 07:29:06 1996
From: rsalz at osf.org (Rich Salz)
Date: Wed, 31 Jan 1996 23:29:06 +0800
Subject: Lotus Notes
Message-ID: <9601310149.AA18887@sulphur.osf.org>

>So from who did Lotus license RC4?

RSA, of course. I don't know the arrangements of RSA's license with Lotus, of course, but where did someone say that RSA mandated the keylength that Lotus uses?

From sameer at c2.org Wed Jan 31 07:30:00 1996
From: sameer at c2.org (sameer)
Date: Wed, 31 Jan 1996 23:30:00 +0800
Subject: No FV supporters?
In-Reply-To: <310EB8B2.23B@netscape.com>
Message-ID: <199601310119.RAA29332@infinity.c2.org>

> I sent a description of an attack against FV based on replacing
> or hacking winsock to cypherpunks last night. This attack seems
> to meet Borenstein's criteria of being as automated and implementable
> on a mass scale as their keyboard snooping attack. So far I have not
> seen any response from FV.

Would someone like to implement such a thing? That would be "the cypherpunk way" of properly debunking FV's claims.

I wonder if Simson would put you on the cover of the SJ Merc for doing it..

--
Sameer Parekh                                Voice:  510-601-9777x3
Community ConneXion, Inc.                    FAX:    510-601-9734
The Internet Privacy Provider                Dialin: 510-658-6376
http://www.c2.org/ (or login as "guest")     sameer at c2.org

From rsalz at osf.org Wed Jan 31 07:31:06 1996
From: rsalz at osf.org (Rich Salz)
Date: Wed, 31 Jan 1996 23:31:06 +0800
Subject: Lotus Notes
Message-ID: <9601310019.AA18345@sulphur.osf.org>

>I find this very interesting. RSA prohibits its licensees from using RSA
>software with truly secure keylengths.

Hunh? I could find no mention of keylength or keysize in the RSAREF documents I had around. I'm at home now, but I also recall no mention of keysize or keylength in the license OSF has, either.

/r$

From jsw at netscape.com Wed Jan 31 07:31:20 1996
From: jsw at netscape.com (Jeff Weinstein)
Date: Wed, 31 Jan 1996 23:31:20 +0800
Subject: Lotus Notes
In-Reply-To:
Message-ID: <310EB96A.933@netscape.com>

Lucky Green wrote:
>
> At 11:09 1/30/96, Charlie_Kaufman/Iris.IRIS at iris.com wrote:
>
> >p.s. re: the fact that it's 64 bits rather than 128. That was the limit on key
> >size of the crypto software we licensed from a third party. That crypto
> >software also limited us to 760 bit RSA keys.
>
> I find this very interesting.
RSA prohibits its licensees from using RSA
> software with truly secure keylengths. What may have incentivised them to
> take this bizarre position?

I don't want to defend RSA, their code, or their licensing practices, but I don't know of any such restrictions in BSAFE.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw at netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.

From frissell at panix.com Wed Jan 31 07:44:54 1996
From: frissell at panix.com (Duncan Frissell)
Date: Wed, 31 Jan 1996 23:44:54 +0800
Subject: "German service cuts Net access" (to Santa Cruz)
Message-ID: <2.2.32.19960130104053.009ba398@panix.com>

At 04:53 AM 1/28/96 +0100, Alex de Joode wrote:
>
>Belgian TV (the Dutch language channel) has a page on teletext (Ceefax)
>[I don't think US tv has that feature] stating that the French backbone
>is thinking about blocking sites that provide information that they deem
>ethically unacceptable, like sites that promote the denial of Konzentrations
>Lagers, the extreme right, pornographic and pedophile sites.
>
>[page 128 BRTN, for those who can receive BRT]
>
>

What about "the extreme left." Don't those people deserve to be blocked too? And how about US radio stations on RealAudio 2.0. Cultural Imperialism.

So how do we overcome these "backbone blocking" maneuvers?

DCF

From nsb at nsb.fv.com Wed Jan 31 07:45:28 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Wed, 31 Jan 1996 23:45:28 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
In-Reply-To: <9601300006.AA15845@sulphur.osf.org>
Message-ID:

Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Rich Salz at osf.org (1188)

> You must trust something. You folks trust the telephone (never gets
> tapped, right) the postal service (of course mail never gets stolen) banks
> or credit card companies (which never have problems).
And then, on top
> of that foundation of sand you build a commerce system with MIME and
> SMTP (sendmail is the most bugfree program ever written).

I certainly don't trust the telephone not to be tapped on an individual basis. I used to trust the telephone not to be tapped in a selective way based on keyword recognition, but in recent years, with the improvement in voice recognition technology, I have stopped trusting it that way, and I know plenty of other people have too -- if you say "NSA" into a cellular call, you are probably inviting an eavesdropper.

The Internet environment is EVEN LESS trustable. Installing the kind of general phone tap I just mentioned is very hard to do, and requires a level of access that is almost impossible unless you're the phone company or the government. The level of software needed to recognize spoken keywords is quite sophisticated. On the Internet, almost anyone can tap data streams, and almost anyone can install keyboard sniffers on user machines, and the level of software needed to recognize keywords in ASCII is very simple. The risk models are very different.

Similarly, we trust the postal service and certain uses of email not to be free of any insecurities, but to be hard to defeat in a large scale automated way. That kind of statistical risk is the foundation of the security of the credit card system -- not perfect security, but bounding of individual risks and preclusion of large-scale attacks.

> Stef's blatant attempts
> to ensure MIME's use in IETF-PAY was not an exception, but the first
> salvo.

I have no idea what you're talking about here.

> You make me sorry I invented safe-tcl and made FV possible.

I *really* have no idea what you're talking about here. There are two ideas here that strike me as delusional: that you invented safe-tcl and that safe-tcl made FV possible. To the best of my knowledge, neither of these is true.
-- Nathaniel
--------
Nathaniel Borenstein
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com

From nsb at nsb.fv.com Wed Jan 31 07:48:45 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Wed, 31 Jan 1996 23:48:45 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
In-Reply-To:
Message-ID:

Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Weld Pond at l0pht.com (1606*)

> But take away the inputting of the credit card number via keystroke and
> the flaw disappears. How would your program deal with a scheme like
> this?

Yes, this is a good point, and is one of the approaches we thought of for defeating this attack. But bear in mind that our current attack is targeted against the current input method -- keystrokes. Any fixed input method is vulnerable to a similar attack. For instance:

> Programs needing secure entry create a "secure entry field" which is
> really just an imagemap with the digits (and alphas if required) placed
> randomly about. The user then uses the mouse to click on these numerals.
> Ideally the graphics that represent the numerals would be drawn from a
> random pool and are misformed to thwart any OCR attempts. The graphics
> could be made even more difficult to OCR by mixing in words and pictures
> to represent the numbers.

If any particular program for doing this came into widespread use, we could engineer an attack, similar to our keystroke attack, based on the specific properties of the approach used. For example, changing the fonts is a good idea -- I had thought of that -- but if you put the numerals in boxes in the same relative positions each time, we can find that.

Ultimately, if you really want commerce to work for hundreds of millions of people, there will need to be a standard interface, and if it makes the inputting of credit card numbers too regular, it can easily be attacked.
If it makes it too irregular, consumers will probably rebel against it as "too hard to use". I haven't seen a good middle ground yet. Credit card numbers are so regular that the only way to hide their input is with a very irregular interface, which consumers are likely to hate.

> An even better solution may be to have the imagemap generated by the
> server and just the mouse clicks sent back to be decoded on the server.
> That is how server side imagemaps work now over the web. It shouldn't be
> hard to take credit card numbers this way.
> I've actually used one site that takes a similar approach.

Very painful to use, which illustrates my point about the tradeoff.

More generally, the tradeoff between security and usability shows up in many other places, it's just particularly acute and important when it comes to the entry of credit card numbers.

-- Nathaniel
--------
Nathaniel Borenstein
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com

From frissell at panix.com Wed Jan 31 07:50:34 1996
From: frissell at panix.com (Duncan Frissell)
Date: Wed, 31 Jan 1996 23:50:34 +0800
Subject: [FACTS] Germany, or "Oh no not again"
Message-ID: <2.2.32.19960130105347.009a0f90@panix.com>

At 06:10 PM 1/29/96 +0100, Thomas Roessler wrote:

>In particular, they are right now
>*checking* whether providing internet access is a criminal
>offence due to the possibility to gain access to `inciting
>material' (the German word is `Volksverhetzung') via the Net.

Whether providing mail service is a criminal offence due to the possibility to gain access to `inciting material.'

Whether providing phone service is a criminal offence due to the possibility to gain access to `inciting material.'

Whether selling radios is a criminal offence due to the possibility to gain access to `inciting material.'

Whether selling satellite dishes is a criminal offence due to the possibility to gain access to `inciting material.'

Whether teaching reading is a criminal offence due to the possibility to gain access to `inciting material.'

>Quite similar to the RSA T-Shirt story in the States. ,-)

But with much more reaction from the prosecutors. I guess Germans are easy to set off. That means BTW that others can control them since they "have to react."

Has German jurisprudence ever encountered the concept that the person who requests something like a web page is the "actor" in this drama not the carrier. The carrier is not doing anything. The requestor is controlling the system momentarily.

DCF

From nsb at nsb.fv.com Wed Jan 31 07:50:43 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Wed, 31 Jan 1996 23:50:43 +0800
Subject: Apology and clarification
Message-ID:

First of all, I believe that I owe the cypherpunk community an apology for an error in judgement on my part. The message that I sent out yesterday regarding our demonstrations of a newly-discovered security threat was the exact same text that I sent to a far less technical audience. As such, I understand that many people on this list found the tone of my message to be insulting and offensive. I apologize, and I certainly didn't mean to insult anyone's intelligence.

Having said that, please cut me a break. If you read my message as saying "FV has just invented keystroke sniffing" you've completely missed the real attack here. If you really think I'd throw away my reputation on a bogus claim like that, you're insulting *my* intelligence. My (charitable?) take on it is that a lot of people were so put off by the tone of my mass-market message that they leapt to the quick but erroneous conclusion that there was no underlying content. There is.

The threat is NOT from keystroke sniffing per se, and we're certainly not claiming to have invented keystroke sniffing.
However, we do have to *explain* keystroke sniffing in the public announcement, because it is a *part* of our attack, and most of the public does NOT already know that it's possible.

What we at FV have done is to demonstrate how easy it is to develop a FULLY AUTOMATED attack that undermines the security of all software-based credit card commerce schemes. It is the automated aspect that separates it from all of the "dumpster-diving" attacks on credit card numbers which have previously been widely discussed, because it provides a path to large-scale fraud that has never been publicly discussed before, to my knowledge.

The key "invention" in our approach is to integrate several techniques that are already well-known (in this community) into an automated attack that we consider to be devastating to commerce systems based on software-encrypted credit cards. Our approach combines the following four known problems into a fatal attack:

1) Consumer machines are insecure and easily compromised.

2) Keyboard sniffers are easy to write.

3) Credit card numbers are self-identifying (they have check digits) and can easily be extracted from a huge stream of input data.

4) Once intercepted, small amounts of information (e.g. a cc #) may be distributed completely tracelessly over the Internet.

When you put all four of these together, you have an attack that IS new, in the sense that nobody we know of has ever mentioned it before, and which could in fact be used by a single criminal, with only a few weeks of programming, to tracelessly steal MILLIONS of credit cards, if software-encrypted credit-card schemes ever caught on. This is a very real threat. If you think we're just re-hashing keyboard sniffers, you haven't yet understood what we're demonstrating. The real threat is the traceless theft of millions of credit card numbers by a single easily mounted automated attack.

So here's the factual claim, to be proven or disproven: One good programmer, in less than a month, can write a program that will spread itself around the net, collect an unlimited number of credit card numbers, and get them back to the program's author by non-traceable mechanisms. Does anyone on this list doubt that this is true? If so, I'd like to know the flaw in my thinking, -- I am *not* too proud to withdraw any claims that aren't true. If not, I think it's worth noting that this fact was previously completely unknown to the bankers and businessmen who are putting large sums of money at risk on the net. The only way to get the message to those communities is with a very visible public announcement of the kind you saw yesterday.

-- Nathaniel
--------
Nathaniel Borenstein
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com

From blancw at accessone.com Wed Jan 31 07:52:30 1996
From: blancw at accessone.com (blanc)
Date: Wed, 31 Jan 1996 23:52:30 +0800
Subject: more RANTING about NSA-friendly cpunks
Message-ID: <01BAEEB4.B4C45680@blancw.accessone.com>

From: Vladimir Z. Nuri, aka Agent Provocateur

no, your own fear is harming you. no law requires that you be in fear of it (some may try, but that is not a law that can be written). that is the point of the law, that is the intent of it.
..............................................................................................

"The Law" is using psychological warfare in its attempts to keep stray cats in line. This is because they haven't thoroughly considered the nature of the circumstance within which they are attempting to operate - the condition of respect for the individual and a support for the rights of liberty. They too are afraid. They also are moved by the fear of threats like "the four horsemen". They are so focused on this fear that it overrides their "Prime Directive", which is to uphold the above mentioned principles.

They use the threats of the law to inspire complicity, but they do have the resources to carry out their threats. While an agency like the NSA is sufficiently well-funded where they can concentrate on pursuing their case against a target, a company or individual is engaged in creating their income at the same time that they must also use a portion of these resources to defend themselves in court (as well as defend their public image).

It would be a noble project to challenge something like the ITAR in a court of law, where the issues and flaws of the government's attitudes & methods could be brought out in detail, dashed to the ground by brilliant reasoning and argument, winning a battle not only for privacy, but for the lofty goal of individual sovereignty. But it would take a lot of time, some very able talents, and a lot of cash; most lone cryptographers would not be able to do these two things at once (making a living while also fighting the dragon).

It's easy for you, Vlad, to chastise others for being cowardly, when you have nothing to lose (and only incendiarism to offer). Those who are enjoined to take action must calculate how much they can afford to invest in such an expensive venture.

You asked me in an earlier post how I could distinguish just any poster to the list from someone who might be an "agent provocateur". By this: they only provoke action from others - encouraging, cajoling, shaming, pushing them into thoughtless action, without themselves taking on any of the risk involved, without themselves facing any of the dangers but only getting others to do so.

The government does operate on support, and criticism of their policies lets them know where they stand (unsupported). But it also communicates to those in office ideas which they find it difficult to consider (or outrightly disdain).
It serves to educate them as well, these controversial meetings and discussions: it reveals to them how just how educated everyone is on the matter of their rights under government, on the matter of how they see themselves in terms of self-determination, and on how they are each prepared to act accordingly. Public discussions have the value of education for those govmt representatives who do not consider thoroughly the implications of their policies, who are not clear on concepts of privacy.

It would be great to have a show of fireworks in a court of law. But (and I don't mean to begin a long thread of discussion on this) I myself would wonder why the Supreme Court wouldn't already be defending us from the attacks against basic ideals like personal privacy. There are already in existence a body of "authorities" assigned to the task of preserving the Constitution, educated in Law and the principles for which this nation stands. They are the ones whom I would address with inquiries over negligence & lily-livered, yellow-bellied non-involvement. I guess someone has to bring the matter to their attention, bringing up charges of injustice for their wisdom to cogitate upon. Nevertheless, it is to them, who are in charge of maintaining consistency to the ideals within The Constitution, that I would ask, "why have you forsaken us"?

From rishab at best.com Wed Jan 31 08:17:56 1996
From: rishab at best.com (Rishab Aiyer Ghosh)
Date: Thu, 1 Feb 1996 00:17:56 +0800
Subject: Domain hijacking, Guardian objects
Message-ID: <199601311537.HAA07915@shellx.best.com>

Eric,

It is good that you're open to suggestions on the Guardian Object draft, but is it just me or have you been rather quiet about it? I haven't seen this blared from the rooftops, or even discussed in security/admin groups with anywhere near the prominence it merits.

My main worry with the latest draft is that it seems rather daunting.
That is perhaps not so important anymore, as the days of DIY domain registrations are over, with most people going through ISPs (unless they're pretty experienced themselves).

And I wonder what you've planned to do about the huge existing domain base. When you make the announcement, and include guardians in domain forms, new registrations will be OK. But it will be a free for all as far as the others are concerned - as the same evil.org could register a Guardian Object for victim.com, making it impossible for poor victim.com to simply file another (unauthenticated) update, as is possible right now. There will be simply nothing InterNIC could do either, as the admin and technical contacts will all be (guarded) addresses of the evil.org owners, so verification will be almost impossible without legal action (for which, mind you, some may hold the InterNIC liable).

Perhaps the solution would be NOT TO ALLOW GUARDIAN OBJECTS TO COVER OLD DOMAINs (and hosts, etc). At least, not initially. When the next payment comes in to cover the entry, it should include a Guardian object application, so that will authenticate the association between the organisation in the real world of money, and its Net presence.

Another option would be to prevent modification of domains and other objects that are 'known' to be static, such as mit.edu. I don't know how this would be practical for most domains, though.

Regards,
Rishab

ps. a new peer-review journal on the Internet is starting soon, with an editorial board full of big names. I'm the international editor with additional charge, as it were, for technical and security issues. This is an informal call for papers on not-so-obvious security holes and bottlenecks, such as the InterNIC's lack of authentication. I'd be interested in a paper on Guardian Objects; I'm open to writers from within the InterNIC/NSI itself.
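
The bootstrapping problem raised in the message above, as an added sketch that is not part of the original post and is not the InterNIC Guardian Object draft. The record layout, the HMAC authenticator, the invoice number used as proof of payment and the two policy names are all assumptions made for illustration.

```python
"""Toy model: adding guardian protection to domains that already exist.
Record layout, HMAC authenticator and invoice numbers are assumptions made
for illustration; this is not the InterNIC Guardian Object draft."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

FIRST_CLAIM = "first-claim"  # an unguarded domain takes the first guardian offered
AT_RENEWAL = "at-renewal"    # a legacy domain takes a guardian only with proof of payment


@dataclass
class Domain:
    name: str
    contact: str
    legacy: bool                       # registered before guardians existed
    guardian_key: Optional[bytes] = None


def sign(key: bytes, name: str, contact: str) -> bytes:
    """Authenticator attached to a guarded update (stand-in for the real scheme)."""
    return hmac.new(key, f"{name}|{contact}".encode(), hashlib.sha256).digest()


class Registry:
    def __init__(self, policy: str, invoices: Dict[str, str]):
        self.policy = policy
        self.invoices = invoices       # domain -> invoice number sent to the paying registrant
        self.domains: Dict[str, Domain] = {}

    def add_legacy(self, name: str, contact: str) -> None:
        self.domains[name] = Domain(name, contact, legacy=True)

    def claim_guardian(self, name: str, key: bytes, invoice: Optional[str] = None) -> bool:
        d = self.domains[name]
        if d.guardian_key is not None:
            return False               # already guarded
        if d.legacy and self.policy == AT_RENEWAL:
            expected = self.invoices.get(name)
            if not expected or not invoice or not hmac.compare_digest(expected, invoice):
                return False           # nothing ties the claimant to the paying organisation
        d.guardian_key = key
        return True

    def update_contact(self, name: str, contact: str, tag: Optional[bytes] = None) -> bool:
        d = self.domains[name]
        if d.guardian_key is not None:
            good = sign(d.guardian_key, name, contact)
            if tag is None or not hmac.compare_digest(good, tag):
                return False           # guarded record: unauthenticated update refused
        d.contact = contact            # unguarded record: accepted without any check
        return True


def run(policy: str) -> dict:
    """Replay the evil.org / victim.com sequence from the post under one policy."""
    reg = Registry(policy, invoices={"victim.com": "INV-0001"})  # constructed data
    reg.add_legacy("victim.com", "hostmaster@victim.com")
    evil_key, owner_key = b"evil-secret", b"owner-secret"
    log = {}
    # The hijacker moves first: claims the guardian slot, then repoints the contact.
    log["evil_claim"] = reg.claim_guardian("victim.com", evil_key)
    log["evil_update"] = reg.update_contact(
        "victim.com", "admin@evil.org",
        tag=sign(evil_key, "victim.com", "admin@evil.org"))
    # The owner reacts the only way open today: another unauthenticated update.
    log["owner_plain_fix"] = reg.update_contact("victim.com", "hostmaster@victim.com")
    # The owner renews, quoting the invoice, and binds a guardian of their own.
    log["owner_claim"] = reg.claim_guardian("victim.com", owner_key, invoice="INV-0001")
    # The hijacker tries the old unauthenticated update once more.
    log["evil_retry"] = reg.update_contact("victim.com", "admin@evil.org")
    log["final_contact"] = reg.domains["victim.com"].contact
    return log


if __name__ == "__main__":
    for policy in (FIRST_CLAIM, AT_RENEWAL):
        print(policy, run(policy))
```

Under `first-claim` the record ends up locked to the hijacker's contact and the owner's corrective update is refused; under `at-renewal` the hijacker's claim fails and the owner's guardian is the one that sticks.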

From sandfort at crl.com Wed Jan 31 08:21:17 1996
From: sandfort at crl.com (Sandy Sandfort)
Date: Thu, 1 Feb 1996 00:21:17 +0800
Subject: [FACTS] Germany, or "Oh no not again"
In-Reply-To: <199601310810.AAA00286@ix10.ix.netcom.com>
Message-ID:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SANDY SANDFORT
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C'punks,

On Wed, 31 Jan 1996, Bill Stewart wrote:

> ABTW, they didn't need those laws to fight "white slavery"; kidnapping
> and rape were already illegal, but any opportunity to make a law....

I have a tiny correction to Bill's assumption and that of a few others who have commented on "white slavery." The laws in question were concerned with prostitution, not kidnapping or rape. The term "white slavery" arose because the social fiction was that these women could not possibly have been prostitutes by choice, they must have been forced into it by others.

A current variation of this thinking is promoted by some anti porn "feminists" with regard to women in the adult movie industry. ("No one would do THAT, in front of a camera, for money, of their own free will.") Plus ca change . . .

S a n d y

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From jk at digit.ee Wed Jan 31 08:25:52 1996
From: jk at digit.ee (Jyri Kaljundi)
Date: Thu, 1 Feb 1996 00:25:52 +0800
Subject: encrypted cellphones
In-Reply-To: <199601310810.AAA00261@ix10.ix.netcom.com>
Message-ID:

On Wed, 31 Jan 1996, Bill Stewart wrote:

> providers don't. The GSM phones used in much of the world have encryption,
> but it's apparently not very strong.

GSM A5 security is supposed to have effective key length of 40 bits, although according to some sources 64-bit session key is used. The algorithms are not freely available, so you never know.

I would say GSM security is still better than nothing. The problem is of course that only the radio link is encrypted, not the connection out into public telephone network.

Juri Kaljundi, DigiMarket
jk at digit.ee

From Charlie_Kaufman/Iris.IRIS at iris.com Wed Jan 31 08:27:42 1996
From: Charlie_Kaufman/Iris.IRIS at iris.com (Charlie_Kaufman/Iris.IRIS at iris.com)
Date: Thu, 1 Feb 1996 00:27:42 +0800
Subject: Lotus Notes
Message-ID: <9601311850.AA1379@moe.iris.com>

Lucky Green wrote:
>
> At 11:09 1/30/96, Charlie_Kaufman/Iris.IRIS at iris.com wrote:
>
> >p.s. re: the fact that it's 64 bits rather than 128. That was the limit on key
> >size of the crypto software we licensed from a third party. That crypto
> >software also limited us to 760 bit RSA keys.
>
> I find this very interesting. RSA prohibits its licensees from using RSA
> software with truly secure keylengths. What may have incentivised them to
> take this bizarre position?

The problem is not with the license, but with the software. And not with the latest software, but with some antique software we started using a long time ago (before RSAREF was a twinkle in anyone's eye) when 760 bit RSA keys and 64 bit RC2/RC4 keys seemed impenetrable. Given that interoperability with the installed base is a higher priority than resistance to some theoretical attack, we can't increase key sizes until the market rolls over to the latest software.

We do have plans to get there.

--Charlie Kaufman (charlie_kaufman at iris.com)
PGP fingerprint: 29 6F 4B E2 56 FF 36 2F AB 49 DF DF B9 4C BE E1

From packrat at ratbox.rattus.uwa.edu.au Wed Jan 31 08:42:47 1996
From: packrat at ratbox.rattus.uwa.edu.au (Bruce Murphy)
Date: Thu, 1 Feb 1996 00:42:47 +0800
Subject: [noise] Re: Escrowing Viewing and Reading Habits with the Governmen
In-Reply-To:
Message-ID: <199601301215.UAA00316@ratbox.rattus.uwa.edu.au>

In message , Alan Horowitz wrote:
> >
> > > Do you really think that the FBI foreign counter-intelligence squad has
> > > nothing better to do than keep a database of who is reading Che Guevara
> > > memoirs?
> >
> > Heck, I remember this was a big issue about 15 years ago.
Try asking
> > someone who was active in library science in the late 70's, early 80's.
>
> I did. They said you're wrong. Shall we start a CP flame-war of
> unattributed allegations from librarians who will recall what *they
> thought* the FBI is interested in?

Should we instead start a CP flame war involving unattributed allegations from librarians who are being monitored by aliens who will recall crop circles in the microfiche?

I presume all this interest was brought about by several (relatively) recent uses of the (alleged) information about FBI monitoring of libraries?

What the hell, I wanted to own a copy of Applied Cryptography anyway.

--
Packrat (BSc/BE;COSO;Wombat Admin)
Nihil illegitemi carborvndvm.

From nsb at nsb.fv.com Wed Jan 31 08:52:11 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Thu, 1 Feb 1996 00:52:11 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
In-Reply-To: <310D4CCE@hamachi>
Message-ID:

Excerpts from mail: 29-Jan-96 RE: FV Demonstrates Fatal F.. David Van Wie at hamachi.ep (764)

> Using stolen credit card numbers is a risky business, and the ability of
> the credit card companies in detecting fraud and locating criminals is
> quite real.

And most of the fraud detection is premised on the fact that once a criminal steals a card number, he'll use it several times. That's why an automated attack of the kind we've outlined is so dangerous -- a clever criminal will use each stolen number only once, thus making himself far harder to trace.

> Of course, since Federal law requires the credit card companies, not the
> user, to pay the costs of fraud, First Virtual's entire premise is a red
> herring. If the credit card companies are willing to take the risk, they
> will (and are).

Actually, you're wrong here too. It is the banks, not the credit card companies, that carry the risk.
If, for example, Visa defines a standard for encrypted credit card numbers, and it turns out to be fatally flawed, it is the banks that will lose their shirts. This may not seem like an important distinction to you, but I assure you that it is important to bankers.

> Scare tactics are nothing new in the PR business, but I would recommend
> that the principals at FV learn about "cutouts" for this type of
> gimmickry if they wish to preserve their reputations....

My reputation in the technical community, I assume, will stand or fall based on the validity of my technical claims, not on the knee-jerk reactions of people who don't even read the announcement thoroughly enough to understand the technique we have revealed. I have not yet heard anything that makes me think that my claim is untrue. We have revealed the first known strategy for an Internet-based large-scale automated attack on the credit card system. I think that's a real threat.

-- Nathaniel
--------
Nathaniel Borenstein
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com

From nsb at nsb.fv.com Wed Jan 31 08:54:05 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Thu, 1 Feb 1996 00:54:05 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
In-Reply-To:
Message-ID:

Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Jonathan Rochkind at cs.obe (3157*)

> 1) I remember Mr. Borenstein saying a year or two ago, something like "We
> have nothing against encryption; we're just using a non-encrypting
> technique for the moment, because it can be quickly, easily, and safely
> deployed by us. Eventually, we'll probably use encryption." Apparently,
> this propaganda piece marks a change of strategy.

No, what it marks is a growing understanding. When I said that, over a year ago, I still thought that software encryption of credit card numbers could be a workable solution.
I no longer do, based primarily on my very recent realization that we could mount a multi-stage fully automated attack on such systems.

> 3) I believe that FV works by assigning the user some sort of id number.
> They send the id across the net, FV has a database with "FV-ID" <->
> credit-card-number correspondences, the merchant sends FV the id, FV bills
> your card and pays the merchant. Now, if I'm correct about how FV works,
> we could clearly write a program that searches your HD for FV's data files,
> extracts your FV-ID from it, and steals it. It could be a virus, it could
> send the FV across the net, whatever. We could then use your FV-ID to
> fraudulently make purchases through the FV system that would be billed
> to you. This is essentially the same attack as FV "demonstrates" against
> software encrypted credit cards over the net: that is, the "You have an
> insecure system and if we can put evil software on it, we can get you."
> attack.

This is wrong on two main counts: the IDs are harder to find than credit cards, and they're not as directly useful as credit cards. These two facts combine to make the attack more or less irrelevant to FV.

First of all, the Virtual PIN (FV-ID) is much harder to extract from a large data stream because it is arbitrary text, unlike credit card numbers, which are self-identifying.

Second, a Virtual PIN is not a one-way payment instrument, like a credit card. To use FV to buy something on your credit card, you need to combine the theft of a Virtual PIN with the compromise of the buyer's email account, for confirming transactions. We all know this can be done -- we actually even spell out how to do it in our paper, "Perils and Pitfalls of Practical CyberCommerce" -- but it is very hard to combine these steps on the large scale that would be needed to mount an automated attack, which is the most serious threat to the credit card system.
> True, we wouldn't have your credit card number, and we couldn't order stuff
> from LL Bean billed to you. We could just order stuff from FV merchants.
> So maybe it's marginally better. Maybe. But I can't see any way FV could
> be immune to an attack of this sort. I believe that all they do is give
> you a first virtual ID number sent across the net (in the clear!) in lieu
> of your card number. With an insecure PC as an assumption (and it is
> probably a good one, actually), I can't see how FV could be immune from an
> attack of this sort. If Mr. Borenstein or anyone else thinks it is,
> please explain how.

I hope that I just did. My guess is that you didn't understand the email confirmation that is required for every purchase in the FV system. For more information, please see our web pages at http://www.fv.com.

-- Nathaniel
--------
Nathaniel Borenstein
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com

From rishab at best.com Wed Jan 31 08:57:39 1996
From: rishab at best.com (Rishab Aiyer Ghosh)
Date: Thu, 1 Feb 1996 00:57:39 +0800
Subject: encrypted cellphones
In-Reply-To:
Message-ID: <199601311631.IAA00339@shellx.best.com>

> I would say GSM security is still better than nothing. The problem is of
> course that only the radio link is encrypted, not the connection out into
> public telephone network.

As I remember from discussions with a GSM encryption programmer (which I posted to this list months ago) GSM is secure enough to prevent real-time decryption, as keys are changed frequently using another secure protocol (A8 I believe). GSM encryption is only supposed to make people like Princess Diana more secure, that's all. This was enough for Pakistan to temporarily shut down Motorola's GSM network in Karachi last February, until they discovered they could intercept calls simply by sitting at the base stations where they're decrypted...
Rishab

> Juri Kaljundi, DigiMarket
> jk at digit.ee
>

From mianigand at unique.outlook.net Wed Jan 31 08:59:18 1996
From: mianigand at unique.outlook.net (Michael Peponis)
Date: Thu, 1 Feb 1996 00:59:18 +0800
Subject: Fooling people with Java applets
Message-ID: <199601311630.KAA02621@unique.outlook.net>

On Monday, 29 Jan 1996 Benjamin Renaud wrote

:All graphical UI elements spawned by an applet, which are the only ones
:that can get user events, are clearly marked as "untrusted applet
:window"s.
:So unless you type your password in a pop-up marked "untrusted applet
:window", you should be fine. And if you do, you arguably deserve
:whatever happens to you....

As sad as it sounds, I actually had this happen. Some shmuck put in sensitive information into a window clearly marked "Untrusted Java Applet". Unfortunately, the shmuck was a Sr. Vice President, so what can you do.

Regards,
Michael Peponis
PGP Key Available from MIT Key Server, or via finger

From raph at c2.org Wed Jan 31 09:42:01 1996
From: raph at c2.org (Raph Levien)
Date: Thu, 1 Feb 1996 01:42:01 +0800
Subject: [NOISE] FV keyboard sniffer name contest entry
Message-ID:

HypeSucker

Raph

From tbyfield at panix.com Wed Jan 31 09:56:01 1996
From: tbyfield at panix.com (t byfield)
Date: Thu, 1 Feb 1996 01:56:01 +0800
Subject: The FV Problem = A Press Problem
Message-ID:

At 1:28 PM 1/30/96, Timothy C. May wrote:

>>I'd say _all_ news, not just software news, is P.R. controlled, these days.
>>You can largely hold Edward L. Bernays, the "father of public relations"
>>(who just died last year) responsible for that--or the societal conditions
>>that allowed Bernays to do his thing. Bernays developed expertise in
>>"engineering of consent" turned the news into a commercialized and
>
>Interesting term, similar to Chomsky's "Manufacturing Consent" (which
>obviously must've come later...).

Chomsky took the phrase from a book by Walter Lippmann, published I think in 1922; the book's name escapes me now.
Ted From gbroiles at darkwing.uoregon.edu Wed Jan 31 10:00:22 1996 From: gbroiles at darkwing.uoregon.edu (Greg Broiles) Date: Thu, 1 Feb 1996 02:00:22 +0800 Subject: [FACTS] Germany, or "Oh no not again" Message-ID: <199601311733.JAA13166@darkwing.uoregon.edu> At 12:10 AM 1/31/96 -0800, Bill Stewart wrote: >BTW, today's "Recorder" (Bay Area legal newspaper) reports that the >US 6th Circuit Court of Appeals upheld the Thomases' conviction. >96 C.D.O.S 609. The Recorder's article is at http://www.callaw.com/edt130b.html and the opinion itself is at http://www.callaw.com/tommy.html for those outside the Bay Area who aren't Recorder subscribers. -- "The anchored mind screwed into me by the psycho- | Greg Broiles lubricious thrust of heaven is the one that thinks | gbroiles at netbox.com every temptation, every desire, every inhibition." | -- Antonin Artaud | From rah at shipwright.com Wed Jan 31 10:12:32 1996 From: rah at shipwright.com (Robert Hettinga) Date: Thu, 1 Feb 1996 02:12:32 +0800 Subject: DCSB: Digital Commerce: Living Room ExIm, Retail Replacement, or Mail-Order Redux? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- The Digital Commerce Society of Boston (Formerly The Boston Society for Digital Commerce) Presents Fred Hapgood Digital Commerce: Living Room ExIm, Retail Replacement, or Mail-Order Redux? Tuesday, February 6, 1995 12 - 2 PM The Downtown Harvard Club of Boston One Federal Street, Boston, MA Fred says: >So far Web commerce has largely been a speciality export story. >(www.activmedia.com says that web commerce is half exports.) This >reflects the obvious strengths of the medium: webstores are >globally accessible and can support information resources to any >depth customers require. > >However, the meat and potatoes of the $2 trillion American retail >market lie not in specialty exports but in geographically >structured markets built on access to local traffic and >characterized by low-information transactions. 
If web commerce >has no role to play in commerce on this level, it will end up >little more than an extension and enhancement of direct mail. >(Which is of course not to be dismissed entirely: direct mail did >$55 billion last year.) > >My talk will address the compatibility of these segments with the >web, now and later. Fred Hapgood has written on internet commerce for _CIO_ and _Webmaster_ magazines. He has written on associated subjects for _Wired_ and _Inc-Technology_. The February talk will be based on research for an article on the web and franchising. This meeting of the Boston Society for Digital Commerce will be held on Tuesday, February 6, 1995 from 12pm - 2pm at the Downtown Branch of the Harvard Club of Boston, One Federal Street. The price for lunch is $27.50. This price includes lunch, room rental, and the speaker's lunch. ;-). The Harvard Club *does* have a jacket and tie dress code. We need to receive a company check, or money order, (or if we *really* know you, a personal check) payable to "The Harvard Club of Boston", by Saturday, February 2 , or you won't be on the list for lunch. Checks payable to anyone else but The Harvard Club of Boston will have to be sent back. Checks should be sent to Robert Hettinga, 44 Farquhar Street, Boston, Massachusetts, 02131. Again, they *must* be made payable to "The Harvard Club of Boston". If anyone has questions, or has a problem with these arrangements (We've had to work with glacial A/P departments more than once, for instance), please let us know via e-mail, and we'll see if we can work something out. Planned speakers for the following few months are: February Fred Hapgood Freelance Author March Glenda Barnes X.9 Electronic Commerce Security Group April Donald Eastlake CyberCash May Perry Metzger Security Consultant and Cypherpunk June Dan Shutzer FSTC July Pete Loshin Author, "Electronic Commerce" We are actively searching for future speakers. 
If you are in Boston on the first Tuesday of the month, and you would like to make a presentation to the Society, please send e-mail to the DCSB Program Commmittee, care of Robert Hettinga, rah at shipwright.com . For more information about the Digital Commerce Society of Boston, send "info dcsb" in the body of a message to majordomo at ai.mit.edu . If you want to subscribe to the DCSB e-mail list, send "subscribe dcsb" in the body of a message to majordomo at ai.mit.edu . Looking forward to seeing you there! Cheers, Robert Hettinga Moderator, The Digital Commerce Society of Boston -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMQ+lMfgyLN8bw6ZVAQEvBgP/QTk2QLDFYJ3LFgb6N3tz2wZC5nDTBYdb qK1QQky2JbG4LEgONIg8JunfbAM1+8x07nf03TrVEcHmGUnA81IiH3uqodeMjmqp 6BZqoOR37Eg0vm8mOIhuJJdiRezgRV0OZ81vmFpVzIcoKwDUsdNgv+8EB34mxq5/ jsc1RvHOWuw= =8aTM -----END PGP SIGNATURE----- ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/ From nobody at REPLAY.COM Wed Jan 31 10:18:43 1996 From: nobody at REPLAY.COM (Anonymous) Date: Thu, 1 Feb 1996 02:18:43 +0800 Subject: Message-ID: <199601311747.MAA12194@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMQ+rOyoZzwIn1bdtAQHQ4gF/bRVU55UgyzRazGCU0ztKZVtZTN2BrBAR RUSsleMUXuCfFXwDvLKbMfFZdzjJNdTj =peMJ -----END PGP SIGNATURE----- From shamrock at netcom.com Wed Jan 31 10:20:42 1996 From: shamrock at netcom.com (Lucky Green) Date: Thu, 1 Feb 1996 02:20:42 +0800 Subject: [NOISY] Your own Zundelsite in five minutes or less Message-ID: At 23:45 1/30/96, Rich Graves wrote: [...] 
>I do not expect these news outlets to bother to, or know how to, check
>whether mirror sites had already popped up before these "demands." I do
>not expect these news outlets to find out and publicize the fact that it
>was a couple of cypherpunks who detest Mr. Zundel who came up with the
>idea the afternoon of January 27th, and handed it to Zundel the next day.

So we don't get the credit and the nazis do. We'll survive. Everybody on this list knows what happened.

-- Lucky Green
PGP encrypted mail preferred.

From gimonca at skypoint.com Wed Jan 31 11:01:38 1996
From: gimonca at skypoint.com (Charles Gimon)
Date: Thu, 1 Feb 1996 03:01:38 +0800
Subject: from http://www.fv.com
Message-ID:

Far be it from me to add to this, but this is from FV's own website:

[begin quote]

[2] Why don't you use encryption with First Virtual?

Encryption is almost always cumbersome and difficult. And it always adds an additional step, and something else to worry about. After all, even banks and armored cars are subject to robbery attempts, and sometimes those attempts succeed. Rather than use encryption, we decided to design a system in which it wouldn't be necessary.

[end quote]

I, uh, think that speaks for itself.

From gbroiles at darkwing.uoregon.edu Wed Jan 31 11:21:50 1996
From: gbroiles at darkwing.uoregon.edu (Greg Broiles)
Date: Thu, 1 Feb 1996 03:21:50 +0800
Subject: FV, Netscape and security as a product
Message-ID: <199601311753.JAA18008@darkwing.uoregon.edu>

NSB's messages have suggested, amongst the fear-mongering, that the real target of the card-shark publicity campaign is not Joe Consumer but bankers, investors, and other "big money" folks; people who care about the large-scale fraud rate of credit card use. (Yes, the rate of fraud affects all consumers, but most people experience it as a relatively small and unavoidable cost lost in the noise of other small costs.)
NSB/FV used the Murky News to reach those people the way that some people will rent a freeway-visible billboard to propose marriage to a single commuter. The trouble and expense that the sender was willing to suffer to send the message are intended to cause the reader to take the message more seriously. The rest of us who see the message on C-punks or drive past and wonder "Who is Bonnie, and why is Clyde proposing marriage to her on the freeway?" aren't an important part of the process. But I don't see FV's tactics as being especially different from folks at IBM writing a virus which affects Windows but not OS/2, and quietly shopping it around to scare Microsoft customers, or Ford underwriting an NBC news program which shows Chevy pickups blowing up. (both are hypotheticals.) Sure, it can be done, and perhaps it's not dishonest, and perhaps they can wear the hat of "Consumer Protector Man", but I think it'd come across as less offensive if it weren't presented as a discussion about security. Statements which can be boiled down to "We think our product is superior to our competitor's product" don't mix well with quotes from academics and a "Chief Scientist" signature block. While, as Vin McLellan points out, Simson Garfinkel's articles were technically accurate (modulo the quote from Daguio, where he's quoted as suggesting an "out of hand" transaction, which is likely either a typo or a misunderstanding - dollars to donuts he said "out of band"), they also appeared as part of a marketing process. Netscape and FV have both taken a "security is a product" stance, which is a gross misrepresentation. FV and NSB's materials have done a good job of critiquing Netscape's "security is a product / don't worry, just look for the cute blue key" approach, but would replace it with their own "security is a product / trust the phone but not the net" approach. Both suggestions (and the implication of the Murky News articles, that one can be trusted but not the other) are wrong. 
Security is never a product. (Not a firewall, not a fancy browser, not PGP, not a gun, not the Club, not an airbag.) FV has tried to productize their approach (out-of-band transfer of credit card number + long clearing time for sellers + negligible per-unit cost for goods sold) but it won't work any better for FV consumers than it does for anyone else who tries to buy something which can't be sold. It's a shame that Garfinkel didn't spend more time/column space on suggestions or observations from the independent people he interviewed and less time on the "hot news - Netscape security broken by a competitor" angle. Are there really any "big money" people left who don't have formal or informal access to someone computer/Internet savvy enough who could have pointed out that the cardshark attack is nothing new? Yes, bad things happen if you run bad software. A two-way link between your computer and the rest of the world means it's possible for bad software to send your data to other people. It's the "Prodigy reads your hard disk/Microsoft Registration Wizard reads your hard disk" scare all over again, with "Prodigy" replaced by "evil untraceable criminals" and "hard disk" replaced by "keystrokes". Duh. We should, however, learn from what FV did right - they wrote software which (apparently) had or can have a real political effect. (It seems to have worked on Garfinkel, anyway). Cypherpunks write code? FV wrote code and got some attention for their otherwise unexciting message. (It seems to be a combination of working code and good user interface - witness the cooing over the icon indicating which type of credit card you're using and the fact that it uninstalls itself.) It's a shame that they won't use their powers for good instead of evil. -- "The anchored mind screwed into me by the psycho- | Greg Broiles lubricious thrust of heaven is the one that thinks | gbroiles at netbox.com every temptation, every desire, every inhibition." 
| -- Antonin Artaud | From jya at pipeline.com Wed Jan 31 11:27:16 1996 From: jya at pipeline.com (John Young) Date: Thu, 1 Feb 1996 03:27:16 +0800 Subject: FYR_wal Message-ID: <199601311819.NAA23434@pipe1.nyc.pipeline.com> 1-31-96. WSJ: "Chinese Firewall: Beijing Seeks to Build Version of the Internet That Can Be Censored." "We've eliminated what is undesirable and kept what is good." Which is, succinctly, China's riposte to the information age, from satellite television and real-time news to the Internet. Beijing eagerly seeks the fanciest information hardware, but it fears much of the software. China, in short, is determined to do what conventional wisdom suggests is impossible: Join the information age while restricting access to information. The reason: If the Internet has proved its utility, it has also become a fluid medium for the two things China's authoritarian government most dreads, political dissent and pornography. Industry insiders say China -- which has already bought some of the most powerful equipment available, from U.S.-based Cisco Systems Inc. and Sprint International, a unit of Sprint Corp. -- ultimately aims to create a monolithic Internet backbone, centrally administered, that minimizes the threat posed by the Internet's amoeba-like structure. FYR_wal From jya at pipeline.com Wed Jan 31 11:29:45 1996 From: jya at pipeline.com (John Young) Date: Thu, 1 Feb 1996 03:29:45 +0800 Subject: PoM 4: Anti-Government Growth Message-ID: <199601311829.NAA24863@pipe1.nyc.pipeline.com> Today's fourth article of The Washington Post series on "The Politics of Mistrust" is: "Public Grows More Receptive to Anti-Government Message." The public sees the quality of life deteriorating or not improving from the 1960s, with family breakup, increased violence, a failure to produce better jobs, and, in addition, with the Cold War over, they don't see any real reduction in the risks of the possibility of a third world war. 
All this occurs at a time when taxes have been increasing. The small government, low tax environment creates a real opportunity for Republicans.... The general force of this sense of no progress is to favor the more conservative party. Next: Generation divide Series to date available at: http://www.replay.com/young/ From tighe at spectrum.titan.com Wed Jan 31 11:39:11 1996 From: tighe at spectrum.titan.com (Mike Tighe) Date: Thu, 1 Feb 1996 03:39:11 +0800 Subject: Downsizing the NSA In-Reply-To: Message-ID: <199601291503.JAA19908@softserv.tcst.com> Timothy C. May writes: >AT&T is downsizing, IBM downsized a while back, so why couldn't the NSA >just do the right thing: admit that the Soviet threat is no more, >congratulate the victors, and downsize by 20,000 employees? They have been downsizing for almost 4 years now. Not just people, but budget and mission priorities too. I would imagine they are smaller now than they were in 1980. From m5 at dev.tivoli.com Wed Jan 31 11:47:19 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Thu, 1 Feb 1996 03:47:19 +0800 Subject: Java Sniffer (Was: Re: FV Announces That The Sky Is Falling) In-Reply-To: <9601301545.AA07088@alpha> Message-ID: <9601311919.AA17260@alpha> futplex at pseudonym.com writes: > I believe the work on authenticating applet servers to client in terms of > signed Java classes, etc. is the most promising long-term approach. Sure. And it's also important to keep in mind that everyday some dimwit falls prey to the pigeon drop or some other "meat-to-meat" scam. It'll take a few years for people to get used to security concerns on the net, just like it took a few years for people to figure out that you really would die if you drove your new Model T like a maniac. > ObNSB: Although I seem to be cast as an opponent of Java adoption in this > thread, I'm actually a fan of Java and expect to write some Java code RSN. Me too. There are so many "but can Java do that?" 
questions floating around in all sorts of bizarre contexts that it's easy to lose sight of all the nice things about a nifty interpreted language. ______c_____________________________________________________________________ Mike M Nally * Tivoli Systems * Austin TX * I want more, I want more, m5 at tivoli.com * m101 at io.com * I want more, I want more ... *_______________________________ From abostick at netcom.com Wed Jan 31 12:01:23 1996 From: abostick at netcom.com (Alan Bostick) Date: Thu, 1 Feb 1996 04:01:23 +0800 Subject: More FUD from the Luddites at FV [pt. 2] In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- In article , Nathaniel Borenstein wrote: > Excerpts from mail: 29-Jan-96 More FUD from the Luddites .. Douglas > Barnes at communiti (3569*) > > > Whether you're a business or an individual, having, say, your > > hard drive wiped clean by a virus would be several orders of > > magnitude worse than the relatively minor inconvenience of > > having to get unauthorized items deleted from your credit card bill. > > For the consumer, absolutely. > > For the bank, having millions of credit cards compromised by a single > attacker is a more serious risk. I've read your posts; I believe I understand them, and I believe I understand how First Virtual and other online payment systems work. I do not believe that an attack of this nature *can* yield millions of credit cards -- unless the attacker is Bill Gates or Marc Andreesen (and they have less risky ways of making lots of money). The degree to which the attack you describe is a threat to online commerce depends critically on the degree to which viruses and Trojan horse programs can propagate through their potential base of platforms. Virii *do* propagate, we know, and someone who reads Cypherpunks surely has the information on hand to say how well they propagate, given connectivity on the Internet on the one hand and widespread antivirus software on the other. 
My guess is that overall, the infection rate even by well-known virii such as Michaelangelo, is pretty low. Only a fraction of infected machines are going to be used for buying things over the Internet. As for Trojan horses, their penetration depends on how widely used they are. If one posted PAMELA ANDERSON STRIP POKER!!!1! to alt.binaries.pictures.erotica, how many copies would be downloaded and installed? How many users would also be online shoppers? The only way millions of credit cards would be at risk would be if the Trojan horse were installed on millions of Internet-connected machines -- it would have to be a very widely used Trojan horse, something as widely used as Win95, or Netscape. I believe that a person who can get that kind of distribution of their software has less risky and more fruitful ways of making money than stealing credit card numbers. In short, I believe that the risk to the credit card business of this attack is *at most* no greater than Xriva Zvgavpx'f (*) hack of 20,000 credit cards from Netcom, and very likely far, far smaller. "Millions" is an absurd and dishonest exaggeration. You should be ashamed of yourself. (*) Overused and overhyped name rot13ed to protect the delicate sensibilities of the Cypherpunks. - -- Alan Bostick | He played the king as if afraid someone else Seeking opportunity to | would play the ace. develop multimedia content. | John Mason Brown, drama critic Finger abostick at netcom.com for more info and PGP public key -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMQ+8gOVevBgtmhnpAQEuzQL9H8EHegrTdPSAe5nIM9eO9n4+xJR7SUrF Q1EWVIrM1tMILc02zwI5Qe3AoE0Bj+G7kBkuICZyoTjObm5sVAEF+dMhF25joGXI ztKwPUr3XLWRrX2PNj+V9zNWZxRHLJK2 =tX+9 -----END PGP SIGNATURE----- From tcmay at got.net Wed Jan 31 12:12:41 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 1 Feb 1996 04:12:41 +0800 Subject: Chomsky Message-ID: At 7:07 PM 1/31/96, Alan Bostick wrote: >In article , >tcmay at got.net (Timothy C. 
May) wrote:
>
>> Interesting term, similar to Chomsky's "Manufacturing Consent" (which
>> obviously must've come later...).
>
>Wow, that was fast! Only two days in the FV FUD flamewar, and already
>someone said "Chomsky".
>
>Alan "Still holding out for 'Hitler'" Bostick

What's the big deal about mentioning Chomsky?

--Tim

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From vince at offshore.com.ai Wed Jan 31 12:12:54 1996
From: vince at offshore.com.ai (Vincent Cate)
Date: Thu, 1 Feb 1996 04:12:54 +0800
Subject: Netscape encrypted email!!
Message-ID:

> * Integrated email - Netscape Navigator 2.0 offers full-featured and rich
> email capabilities, allowing you to both read and send secure email
> messages without launching an external email application.

I downloaded it and checked it out. But it was not clear how to use this secure email - so it may lack something yet in user friendliness, or I may have just missed it.

Anyway, it should be much easier to use than PGP. Are we all going to switch to Netscape for email? Is anyone using this? Want to tell us how?

-- Vince

INTRODUCING NETSCAPE NAVIGATOR 2.0
----------------------------------------------------------------------------
END-USER FEATURES

* Enhanced performance - New features such as client-side image mapping, Progressive JPEG support, and support for multiple simultaneous streaming of video, audio, and other data formats enhance the performance of Netscape Navigator 2.0.
* Integrated email - Netscape Navigator 2.0 offers full-featured and rich email capabilities, allowing you to both read and send secure email messages without launching an external email application. * Integrated newsgroups - Sort, read, and post newsgroup messages in fully threaded hierarchical windows. * Security - New dynamic trust capability allows users to accept new certificate authorities. Other features include improved security user interface and protection against a site impersonating another site. From koontz at MasPar.COM Wed Jan 31 12:16:19 1996 From: koontz at MasPar.COM (David G. Koontz) Date: Thu, 1 Feb 1996 04:16:19 +0800 Subject: NRO Slush Fund Message-ID: <9601301925.AA04344@argosy.MasPar.COM> >Spy Agency Said to Have Spare Billions Sad to think that the undersecretary for defense who used to have oversight of the NRO is now the Secretary of Defense. One would guess he is trying not to pick up any bricks right now From sperkins at andromeda.rutgers.edu Wed Jan 31 12:27:14 1996 From: sperkins at andromeda.rutgers.edu (Steven C. Perkins) Date: Thu, 1 Feb 1996 04:27:14 +0800 Subject: Afternoon Conference: UCC 2B: Information Contracts Message-ID: <1.5.4b11.16.19960131195725.5bbfb622@andromeda.rutgers.edu> Excuse x-posting. Please forward to appropriate lists. ----------------------------------------------------------------------- February 14 -- 1:30-4:30 PM -- UCC Article 2B: Information Contracts Rutgers School of Law-Newark and the New Jersey State Bar Association will co-sponsor a program to introduce lawyers, business, and others to the current draft of new Article 2B of the Uniform Commercial Code, Digital Electronic Information and its Transfer. Professor Raymond T. Nimmer, University of Houston and the Uniform Laws Commission Drafting Committee Reporter, and two members of the Committee, Professor David A. 
Rice of Rutgers School of Law-Newark and Professor Amy Boss of Temple University School of Law, will present the draft, seek comments, and respond to questions. Other panelists include Donald Cohn, Esq. of DuPont Corporation, Co-Chair of the ABA Software Contract Law Task Force and Holly Towle, Esq. of the Seattle law firm of Preston Gates & Ellis. This program is free; however, there is limited seating available. Please call Assistant Dean Margaret C. Bridge at 201/648-5968 to reserve seating. RELATED CONFERENCE: COPYRIGHT ISSUES AND THE NATIONAL INFORMATION INFRASTRUCTURE - February 15, 1996. Please see the Conference home page at URL:"html://www.rutgers.edu/RUSLN/copyconf.html". ----------------------------------------------------------------------- February 14, 1996 UCC 2B REGISTRATION DEADLINE: February 10, 1996 (Walk-in registration permitted beginning at 8:30AM) Number Attending: ________ Name(s)_____________________________________________________________________ ________ Affiliation_________________________________________________________________ ___________ Address _______________________________ City _________________ State _____ Zip _________ Telephone (_____)__________________ Mail to: Rutgers School of Law-Newark 15 Washington Street Newark, NJ 07102-3192 Attn: Assistant Dean Margaret C. Bridge For further information, call Assistant Dean Margaret C. Bridge at (201) 648-5094, or send email to Professor David A. Rice at drice at world.std.com. ---------------------------------------------------------------------------- -------- **********||||||||||\\\\\\\\\\*//////////||||||||||********** Steven C. 
Perkins sperkins at andromeda.rutgers.edu User Services Coordinator Ackerson Law Library http://www.rutgers.edu/lawschool.html Rutgers, The State University of New Jersey, School of Law at Newark http://www.rutgers.edu/RUSLN/rulnindx.html VOX: 201-648-5965 FAX: 201-648-1356 |||||||||||||||\\\\\\\\\\\\\||*||///////////////||||||||||||||| From shamrock at netcom.com Wed Jan 31 12:42:42 1996 From: shamrock at netcom.com (Lucky Green) Date: Thu, 1 Feb 1996 04:42:42 +0800 Subject: [NOISY] Your own Zundelsite in five minutes or less Message-ID: At 19:55 1/30/96, Declan B. McCullagh wrote: >As of this afternoon, there are Zundelsite mirrors operating at MIT, >Stanford University, Carnegie Mellon University, the University of >Texas, and the University of Pennsylvania. I am really interested what the German government is going to do next. Force their universities to dismount AFS? How can we best get the fact the their censorship efforts have hit *the wall* to their attention? Any Germans on this list that can file a complaint against the sites with the German authorities? What about contacting German Telekom? We won't have won until they restore the routes to Webcom. -- Lucky Green PGP encrypted mail preferred. From sperkins at andromeda.rutgers.edu Wed Jan 31 12:43:12 1996 From: sperkins at andromeda.rutgers.edu (Steven C. Perkins) Date: Thu, 1 Feb 1996 04:43:12 +0800 Subject: Afternoon Conference: UCC 2B: Information Contracts - Correction Message-ID: <1.5.4b11.16.19960131200227.59971eee@andromeda.rutgers.edu> Excuse x-posting. Please forward to appropriate lists. ----------------------------------------------------------------------- February 14 -- 1:30-4:30 PM -- UCC Article 2B: Information Contracts Rutgers School of Law-Newark and the New Jersey State Bar Association will co-sponsor a program to introduce lawyers, business, and others to the current draft of new Article 2B of the Uniform Commercial Code, Digital Electronic Information and its Transfer. 
Professor Raymond T. Nimmer, University of Houston and the Uniform Laws Commission Drafting Committee Reporter, and two members of the Committee, Professor David A. Rice of Rutgers School of Law-Newark and Professor Amy Boss of Temple University School of Law, will present the draft, seek comments, and respond to questions. Other panelists include Donald Cohn, Esq. of DuPont Corporation, Co-Chair of the ABA Software Contract Law Task Force and Holly Towle, Esq. of the Seattle law firm of Preston Gates & Ellis. This program is free; however, there is limited seating available. Please call Assistant Dean Margaret C. Bridge at 201/648-5968 to reserve seating. RELATED CONFERENCE: COPYRIGHT ISSUES AND THE NATIONAL INFORMATION INFRASTRUCTURE - February 15, 1996. Please see the Conference home page at URL:"http://www.rutgers.edu/RUSLN/copyconf.html". ----------------------------------------------------------------------- February 14, 1996 UCC 2B REGISTRATION DEADLINE: February 10, 1996 (Walk-in registration permitted beginning at 8:30AM) Number Attending: ________ Name(s)_____________________________________________________________________ ________ Affiliation_________________________________________________________________ ___________ Address _______________________________ City _________________ State _____ Zip _________ Telephone (_____)__________________ Mail to: Rutgers School of Law-Newark 15 Washington Street Newark, NJ 07102-3192 Attn: Assistant Dean Margaret C. Bridge For further information, call Assistant Dean Margaret C. Bridge at (201) 648-5094, or send email to Professor David A. Rice at drice at world.std.com. ---------------------------------------------------------------------------- -------- **********||||||||||\\\\\\\\\\*//////////||||||||||********** Steven C. 
Perkins sperkins at andromeda.rutgers.edu User Services Coordinator Ackerson Law Library http://www.rutgers.edu/lawschool.html Rutgers, The State University of New Jersey, School of Law at Newark http://www.rutgers.edu/RUSLN/rulnindx.html VOX: 201-648-5965 FAX: 201-648-1356 |||||||||||||||\\\\\\\\\\\\\||*||///////////////||||||||||||||| From llurch at networking.stanford.edu Wed Jan 31 12:50:30 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 1 Feb 1996 04:50:30 +0800 Subject: [NOISE] Your own Zundelsite in five minutes or less In-Reply-To: <4l3frc200YUrMxFuFA@andrew.cmu.edu> Message-ID: On Tue, 30 Jan 1996, Declan B. McCullagh wrote: > As of this afternoon, there are Zundelsite mirrors operating at MIT, > Stanford University, Carnegie Mellon University, the University of > Texas, and the University of Pennsylvania. This doesn't tell the whole truth. The "free world" mirrors are at Stanford, CMU, MIT, and Penn. The growth path for these is my request to Zundel -> Zundel's drone Marc -> my site -> Declan's most excellent evangelization -> everyone else. We believe that this "revisionism" is crap, but don't think censorship is so cool, either. The partial UT and AOL mirrors are run by white supremacists who actually believe this shit, and who are trying to claim credit for the whole idea, which among other things I find a little dishonest. I believe their direct source is Marc or Ingrid. I think this no longer has any cypherpunk relevance. Censorship lost, end of story; the only question is how quickly "they" will admit it. See Declan's or my pages, or email me for the early history from my POV. Apparently Declan has been posting on this in the Well forums since December as well. -rich From tcmay at got.net Wed Jan 31 12:51:14 1996 From: tcmay at got.net (Timothy C. 
May) Date: Thu, 1 Feb 1996 04:51:14 +0800 Subject: Noise and the Nature of Mailing Lists Message-ID: At 3:55 AM 1/31/96, Laszlo Vecsey wrote: >FYI the traffic on the PGPdomo list has been very low lately. I haven't >received a message from the list in a few days. But then again there is >even more 'noise' on that list because every message I've seen posted on >it talks about PGPdomo, the mailing list, getting PGP software to work, >etc.. From what I've seen people just sign up to test it out with a test >message, and that's about it. Even with mkpgp for pine it's still a bit >inconvenient to use, I think that's the reason for the low-traffic. I've been on a fair number of mailing lists, and they basically divide up into two broad categories: * Category I -- Busy, contentious, lively, high volume, prone to noise bursts, vibrant, interesting lists. Above critical mass. Like a crowded bar, with lively debate and always something happening. * Category II -- Quiet, polite, quiet, low volume, moribund, quiet, dead lists. Below critical mass. Like an empty bar, with only a few drunks staring into their beers. * Category III -- Working mailing lists, for folks working on a specific project or Internet standard. These can be low-volume with good signal, because they are not primarily social discussion groups but are, instead, simple communication-of-information groups. The Cypherpunks list is an obvious Category I list, and has been since it was started in October of 1992. It has noisy periods, times of flaming, but also a "critical mass" of new thought which obviously keeps it going, and even growing. If we are doing everything wrong, it's hard to tell from a "who cypherpunks" query sent to majordomo at toad.com. Other lists I have been on have been much quieter, averaging a few messages a day (or even less). On these lists, there is just no life. The occasional pleas for help are like cries from someone stranded on the Greenland icesheets.
And I have seen formerly vibrant lists die off, becoming Category II groups, or worse. One list I used to be an extremely active contributor to was the "Extropians" list, which perhaps a dozen or so of you reading this message are now still on. The history of it is a long and involved one, which I won't get into, for various good reasons. But around late 1993 there were many of the same concerns about "noise" as people are now expressing. For most of 1993 the daily posting volume on the Extropians list exceeded the volume here on Cypherpunks. So various things were tried (they had the advantage of not being an anarchy, and the disadvantage of not being an anarchy). Ratings systems for posters and their posts, even attempts to impose "quotas" on the number of posts a person could write. All well-intentioned, but all failures and cures that were worse than the problem. By early 1994, both Perry Metzger and I had left the Extropians list, for our own reasons. No doubt the list got quieter. No doubt the volume went down. However, and current subscribers will no doubt jump in and give their views, I hear that the current volume of messages is less than one per day, with--according to my sources--sometimes days between messages. (I also hear that the Extropians are devoting more of their energy to their magazine, which may also be a factor.) Note that several well-intentioned efforts to create sub-lists of the Cypherpunks list have mostly failed. The DC-Net list, the lib-tech list, etc. I suspect that the "Remailer Operators" list is viable because it's a Category III working group list. Digest like CP-Lite I don't characterize as a separate kind of list. As to the new encrypted list, I wish them well. I doubt that list will do real well, though, because of the critical mass problem. And remember, it's a whole lot easier using filters and reading tools to reduce the volume of messages on an active group than it is to get an inactive group up to critical mass! 
--Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From Kevin.L.Prigge-2 at cis.umn.edu Wed Jan 31 12:59:36 1996 From: Kevin.L.Prigge-2 at cis.umn.edu (Kevin L Prigge) Date: Thu, 1 Feb 1996 04:59:36 +0800 Subject: [local] Minneapolis CP get-together Message-ID: <310ce5ec24a3002@noc.cis.umn.edu> Who: Minneapolis Cypherpunks What: Local get-together & key signing party When: Saturday, Feb 10th @ approx 5pm -> ??? Where: Applebees (3200 W Lake St) I'll be facilitating a key signing, send your public key to me before hand to get on the list. If you have any questions or need directions, let me know. -- Kevin L. Prigge |"Have you ever gotten tired of hearing those UofM Central Computing | ridiculous AT&T commercials claiming credit email: klp at tc.umn.edu | for things that don't even exist yet? 010010011101011001100010| You will." -Emmanuel Goldstein From frissell at panix.com Wed Jan 31 13:08:15 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 1 Feb 1996 05:08:15 +0800 Subject: [rant] A thought on filters and the V-Chip Message-ID: <2.2.32.19960129152606.006cbd80@panix.com> At 11:56 AM 1/26/96 -0800, Alan Olsen wrote: >I have known too many adults that believe that by restricting their kids >access to information, they can prevent them from growing up. In these >parent's minds, such information is what makes them want to hump their >little brains out. Biology has nothing to do with it in their limited way >of thinking. 
Cluelessness does not just cover computers with these people. >It also covers any other topic that required more than two brain cells to >understand. Actually, if you place a child in one sort of environment or another you do get a different "product." The behavior of Amish children raised on farms in rural Pennsylvania differs significantly from the behavior of children raised by crack-addicted parents in Bed-Stuy. In fact, you get almost non-overlapping bell curves for every characteristic. I would guess too that if you switched kids at birth between these two populations, the final results wouldn't differ by much. What parents are attempting to do when they restrain their children's access to "sex and drugs and rock and roll" (or Republicanism for that matter) is to mediate their "spiritual" environment to keep them from becoming hardened. They know the kids will grow up, they just want them to grow up in a nice way. Children who listen to Vera Lynn's singing and Cole Porter's songs will end up quite different from those who favor louder, less vocal music. Note that in spite of what liberals might think, fundamentalist christians are less likely to divorce, less likely to report spousal beatings, less likely to kill themselves, and more likely to measure high personal satisfaction levels on standard psychological tests than are, say, readers of The Nation. The cypherpunks relevance of all this is that it should soon be possible to create completely mediated environments for ourselves and our children. Through the use of implants and real-time VR processing, it will be possible to edit our "interface" with the Real World such that unpleasant aspects are edited out. We will be able to change the attire, hair, facial expressions, voice, and even smell of those around us to conform to our own esthetic desires. Likewise with our physical surroundings. Safety may discourage making a complete transformation in one's surroundings, but one can certainly soften the edges.
Note that this is just an easier-to-implement version of what we can do already with our own minds. It will be interesting to see the effects on people who live in these mediated worlds. DCF "My grandmother didn't like to use the word 'Democrats' in the presence of the children. She called them 'bastards' instead." -- PJ O'Rourke From futplex at pseudonym.com Wed Jan 31 13:39:17 1996 From: futplex at pseudonym.com (futplex at pseudonym.com) Date: Thu, 1 Feb 1996 05:39:17 +0800 Subject: Chomsky In-Reply-To: Message-ID: <199601312105.QAA27740@opine.cs.umass.edu> > What's the big deal about mentioning Chomsky? huh, chomsky is just another tentacle of tcmay anyway. isn't it funny how he talks about "manufacturing consent" as though it were some great overwhelming evil???? he is the one who manufactures consent among the cypherpunks!! From Greg_Rose at sydney.sterling.com Wed Jan 31 13:49:29 1996 From: Greg_Rose at sydney.sterling.com (Greg Rose) Date: Thu, 1 Feb 1996 05:49:29 +0800 Subject: NOISE: Borenstein's Fatal Spam In-Reply-To: Message-ID: A number of people have written words to the effect of: First Virtual, you lost a lot of ground with me. (sounds like others feel the same way, too). I disagree. I think there is a big difference between "knowing theoretically that X, Y and Z are possible" and "look, I have a program that does X, Y and Z in a certain order, and very fast, and surprisingly successfully, and this has major implications for the banking community". I compare nsb's "meaning" as I understand it to that of the paper out of Berkeley a few months ago, which basically said "We've known for a long time how IP snooping and replacement attacks could theoretically succeed; here's a program that inserts trojan horses while binaries flow across the wire based on it." That was applauded as a very meaningful result, even though the media instantly picked up on it and blew it up. 
I think most of the problem here is that we heard about it in media words first, and in a reasoned argument second. That's life. This is my first (and last) contribution to the discussion. Sorry to add to the verbiage. I hope FV and Nathaniel (as well as everyone else) keep working on things like this. Greg. Greg Rose INTERNET: greg_rose at sydney.sterling.com Sterling Software VOICE: +61-2-9975 4777 FAX: +61-2-9975 2921 28 Rodborough Rd. http://www.sydney.sterling.com:8080/~ggr/ French's Forest 35 0A 79 7D 5E 21 8D 47 E3 53 75 66 AC FB D9 45 NSW 2086 Australia. co-mod sci.crypt.research, USENIX Director. From attila at primenet.com Wed Jan 31 13:51:08 1996 From: attila at primenet.com (attila) Date: Thu, 1 Feb 1996 05:51:08 +0800 Subject: Netscape encrypted email!! In-Reply-To: Message-ID: aah, yes! now we can all have secure mail from the company which opened its mouth and slipped about key escrow; you know them: the same company that sold millions of backdoor units to NSA! yeah, right... --attila On Wed, 31 Jan 1996, Vincent Cate wrote: > > > * Integrated email - Netscape Navigator 2.0 offers full-featured and rich > > email capabilities, allowing you to both read and send secure email > > messages without launching an external email application. > > I downloaded it and checked it out. But it was not clear how to use this > secure email - so it may lack something yet in user friendliness, or I may > have just missed it. Anyway, it should be much easier to use than PGP. > Are we all going to switch to Netscape for email? Is anyone using this? > Want to tell us how? > > -- Vince > > > INTRODUCING NETSCAPE NAVIGATOR 2.0 > ---------------------------------------------------------------------------- > > END-USER FEATURES > > * Enhanced performance - New features such as client-side image mapping, > Progressive JPEG support, and support for multiple simultaneous > streaming of video, audio, and other data formats enhance the > performance of Netscape Navigator 2.0.
> > * Integrated email - Netscape Navigator 2.0 offers full-featured and rich > email capabilities, allowing you to both read and send secure email > messages without launching an external email application. > > * Integrated newsgroups - Sort, read, and post newsgroup messages in > fully threaded hierarchical windows. > > * Security - New dynamic trust capability allows users to accept new > certificate authorities. Other features include improved security user > interface and protection against a site impersonating another site. > __________________________________________________________________________ go not unto usenet for advice, for the inhabitants thereof will say: yes, and no, and maybe, and I don't know, and fuck-off. _________________________________________________________________ attila__ To be a ruler of men, you need at least 12 inches.... There is no safety this side of the grave. Never was; never will be. From cminter at mipos2.intel.com Wed Jan 31 13:54:36 1996 From: cminter at mipos2.intel.com (Corey Minter) Date: Thu, 1 Feb 1996 05:54:36 +0800 Subject: FYR_wal In-Reply-To: <199601311819.NAA23434@pipe1.nyc.pipeline.com> Message-ID: <199601312123.QAA15096@zws388.sc.intel.com> > "Chinese Firewall: Beijing Seeks to Build Version of the > Internet That Can Be Censored." > > "We've eliminated what is undesirable and kept what is > good." Which is, succinctly, China's riposte to the > information age, from satellite television and real-time > news to the Internet. ok, who wants to help me market my new tunneling router software called "Chinese Firedrill". I believe it would sell well in China's black market. 
-- ______________________________________________________________________ Corey Minter | cminter at mipos2.intel.com From master at internexus.net Wed Jan 31 14:02:04 1996 From: master at internexus.net (Laszlo Vecsey) Date: Thu, 1 Feb 1996 06:02:04 +0800 Subject: KOH "Helpful" Crypto Virus Message-ID: I'm looking for more information on the KOH Virus, a 'helpful' virus which kindly asks to infect your system and encrypt all of your data. It spreads to floppies (upon request) and to other systems, encrypting all files. I read about it in Boardwatch magazine, which surprisingly states that the U.S. government forbids the distribution of all cryptographic programs in binary form; source code can be freely distributed. Please point me towards the source/binary, or further information. (define(RSA m e n)(list->string(u(r(s(string->list m))e n))))(define(u a)(if(> a 0)(cons(integer->char(modulo a 256))(u(quotient a 256)))'()))(define(s a)(if (null? a)0(+(char->integer(car a))(* 256(s(cdr a))))))(define(r a x n)(cond((= 0 x)1)((even? x)(modulo(expt(r a(/ x 2)n)2)n))(#t(modulo(* a(r a(1- x)n))n)))) "SGI and Linux both run Motif and X11. They both compile c++ cleanly (using gnu g++). They're the same!" From tcmay at got.net Wed Jan 31 14:08:25 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 1 Feb 1996 06:08:25 +0800 Subject: The FV Problem = A Press Problem Message-ID: At 6:42 PM 1/30/96, Jonathan Rochkind wrote: >I'd say _all_ news, not just software news, is P.R. controlled, these days. >You can largely hold Edward L. Bernays, the "father of public relations" >(who just died last year) responsible for that--or the societal conditions >that allowed Bernays to do his thing. Bernays developed expertise in >"engineering of consent" turned the news into a commercialized and Interesting term, similar to Chomsky's "Manufacturing Consent" (which obviously must've come later...). 
>Now, the news you read is manufactured in press releases to sell a product, >and is there because a well written press release convinced a reporter or >editor that a marketing ploy was actually a newsworthy event (or, perhaps, >because the advertising dollars that went along with the press release >convinced him). Witness FV's demonstration of key capture becoming a >newsworthy event. Maybe I'm from the old school, the school that says one should be more modest, objective, and circumspect. Then, if it's really news, and not just a PR scam, the journalists will come. (Understand that I'm not saying I'm some sort of paragon of modesty. Far from it. But I try to control myself.) I think that the view that "all news is hype" is overly harsh. In fact, corrective forces tend to slow this headlong rush into P.R. For example, the reaction here to the Nathaniel Borenstein/First Virtual hyperbole, and the fatuous, credulous article by Simson Garfinkel (sorry, Simson, but I call 'em as I see 'em), will undermine their credibility for a long time. Crying wolf, and all that. The FV "discovery" that insecure machines can cause all sorts of problems rated at most a brief paragraph in the papers, not the full-page treatment Garfinkel and his editors gave it in the "San Jose Mercury News" (and maybe other papers that picked it up, or will in the next few weeks). Newspapers and magazines that run "fluff" pieces, taken almost directly from press releases, lose credibility. (Nathaniel B. claims that the Simson G. piece ran _first_, before his Press Release. Well, how did Simson first learn of the FV "discovery"? How did the FV President arrange to be photographed? It seems pretty clear to me that FV was involved in the development of the story, perhaps even planting the seed for it. Not necessarily a dishonest thing to do, of course, just a bit tacky given that the "discovery" is not news.)
>If you want to effect what's in the media, maybe you should learn how to >issue press releases. Nope. I think it a very poor model for getting information out. With all due respect to Sameer, who has done many fine things, I gag every time I see a press release from Community Connection in which Sameer interviews himself. Or, put another way: [Embargoed for release until Jan. 30, noon PST] Crypto Anarchy Foundation Releases Views on Self-Interview Press Releases Corralitos, CA. The Crypto Anarchy Foundation, the world's leading think tank on crypto anarchy, today is announcing its views on press releases. According to Crypto Anarchy Foundation founder and President, Timothy C. May, "We think these press releases are a phony means of pumping up a story." When asked for more details, he added: "The self-interviews are really tacky. Can't you ask me some better questions?" The Crypto Anarchy Foundation, the world's foremost provider of information about crypto-mediated anarcho-capitalism, may be reached at 408-728-0152. CAF spokesperson Tim May can arrange interviews with CAF founder Tim May. --Tim May, CAF founder, chief technical officer, and media relations specialist Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway."
From daw at boston.CS.Berkeley.EDU Wed Jan 31 14:20:25 1996 From: daw at boston.CS.Berkeley.EDU (David A Wagner) Date: Thu, 1 Feb 1996 06:20:25 +0800 Subject: [NOISE] Borenstein's Fatal Spam Message-ID: <199601312154.QAA13453@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article , Greg Rose wrote: > A number of people have written words to the > effect of: > First Virtual, you lost a lot of ground with me. > (sounds like others feel the same way, too). > > I disagree. I think there is a big difference > between "knowing theoretically that X, Y and Z > are possible" and "look, I have a program that > does X, Y and Z in a certain order, and very > fast, and surprisingly successfully, and this has > major implications for the banking community". [...] > I think most of the problem here is that we heard > about it in media words first, and in a reasoned > argument second. That's life. Ok. Fair enough. Good points. Personally, what I found most distasteful about FV's post was their conclusions, not their experimental procedure. I agree that their keyboard-sniffer lends more evidence to the well-known argument that, to make good use of crypto, you need secure endpoint machines. I disagree when FV concludes that this makes crypto useless. Instead, I'd contend we just need to work to secure our endpoints better; then we can do all sorts of neat stuff with crypto. I found their conclusions to be academically displeasing. But I guess that's what happens when you're trying to sell a product... - -- Dave Wagner - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] 
-----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMQ/lHSoZzwIn1bdtAQG3bQF6AnSQY/3Hy6ha35vI5YrbyF8w7Xq/IcN9 IIwNqUKmrqlugKuduk0A9VqDG9Zi0Ksm =7awQ -----END PGP SIGNATURE----- From mhw at wittsend.com Wed Jan 31 14:40:21 1996 From: mhw at wittsend.com (Michael H. Warfield) Date: Thu, 1 Feb 1996 06:40:21 +0800 Subject: PZ a Nazi? In-Reply-To: <199601230400.UAA29972@infinity.c2.org> Message-ID: Anonymous User enscribed thusly: > Original dated: Jan 21 '96, 09:26 > The UK's Sunday Telegraph has today featured an article by Robin > Gedye entitled "Neo-Nazis are marching on the Internet" in which > apart from the usual nonsense about neo-Nazis being about to take > over the world by means of their "Thule Net" accuses the deviser > of PGP of being a Nazi sympathiser: > "Private communications between neo-Nazis on the network are > effected under a program called "Pretty Good Privacy", devised by > an American neo-Nazi sympathiser." Yeah right... And what drugs were they on? Uh huh... Sounds like a direct quote from Ms Denning to me... Never tell the truth when a lie will do. They've tried to paint Phil with that brush too often. I was at Interop '94 and was talking with Phil after a session on the clipper chip when one of the government lackeys (don't remember if it was Ms Denning herself or not - I think it was) went into a tirade about this. Accused Phil of supporting terrorists, drug dealers, Nazis, child molesters, - the whole "four horsemen" nine yards. No matter how often you bury one of their red herrings - IT STILL STINKS TO HIGH HEAVEN! It's still a crock of SH*T and it still STINKS TO HIGH HEAVEN! > Robin Gedye (in Bonn) p.23 of "The Sunday Telegraph" January 21, > 1996 Mike -- Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com (The Mad Wizard) | (770) 925-8248 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds.
A pessimist is sure of it! From talon57 at well.com Wed Jan 31 14:47:36 1996 From: talon57 at well.com (Brian D Williams) Date: Thu, 1 Feb 1996 06:47:36 +0800 Subject: Two Bits Four Bits ETC Message-ID: <199601312202.OAA12349@well.com> >>Brian D Williams writes: >>Excellent point Bill! Let's not forget that IBM owns Lotus Notes, >>be sure to include that in your bashing. They caved in on Lucifer >>after all. ;) >"Perry E Metzger" adds: >Lucifer isn't stronger than DES, so it wasn't a cave in. An >understanding of differential cryptanalysis makes all the >difference... True, I was referring to them halving the original key length. Brian From merriman at arn.net Wed Jan 31 14:49:08 1996 From: merriman at arn.net (David K. Merriman) Date: Thu, 1 Feb 1996 06:49:08 +0800 Subject: Crypto Cards Message-ID: <2.2.32.19960131102440.00678e7c@arn.net> -----BEGIN PGP SIGNED MESSAGE----- - From 29 Jan edition of EE Times, P 24: "Aix-en-Provence, France - A startup formed here to capitalize on the interest in cryptographic smart cards has won an assignment that could help put its name on the data-security map. The company, Inside Technologies, has been selected by the Open Microprocessor Systems Initiative (OMI) to do the combo-chip layout for OMI's Cryptographic Reduced Instruction Set Processor (Crisp) project." ... "'In public-key cryptography, 512-bit keys are typical and already vulnerable. So we are looking at 640-bit-long keys supported by a scalable design' said [IT partner William Orme]. He said that conventional smart-card ICs tend to be based on available 8-bit microcontrollers and, sometimes, cryptographic processors. Because it is designed specifically for smart-card applications, the 8-bit RISC processor will require only 2,500 gates. Conventional crypto coprocessors tend to support only one type of algorithm, such as Rivest, Shamir, Adleman (RSA) or the Data Encryption Standard (DES).
Orme said that by designing the CLU at a lower level of granularity, multiplies and squaring operations, calculations can be built up in the form of building blocks and can support a variety of algorithms and key lengths. 'Users want their own, custom algorithms, which can be downloaded at the time of use', he said. The CLU should support RSA, DES, and the Digital Signature Standard (DSS). RSA optimization will cover 320-, 512-, and 640-bit key lengths. 'The CLU will operate at a higher clock frequency than the RISC - 60 MHz, in our design - yielding 640-bit RSA decrypt in less than 50mS', Orme said." Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMQ8mc8VrTvyYOzAZAQHa4wP+Ml3UAaywNzw+0OrN3iRfQ6y2DbjcDOs9 12Th32OGNJc5Ri0BPkI3n1+mlpZfIp9jQQI8B5gLI39nwkC9u0xnfmLFxHcSGsLB /dynNagjOQ6/GhcZFs7XVMp0RJPYrmZ2QcmCZC5MF+V69+bTrGCMhN0+O1dPPneC VB9x/klwdLk= =yp0C -----END PGP SIGNATURE----- ------------------------------------------------------------- "It is not the function of our Government to keep the citizen from falling into error; it is the function of the citizen to keep the Government from falling into error." Robert H. Jackson (1892-1954), U.S. Judge <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> My web page: http://www.geocities.com/CapitolHill/1148 From cedric at isicom.fr Wed Jan 31 15:17:48 1996 From: cedric at isicom.fr (Cedric Ingrand) Date: Thu, 1 Feb 1996 07:17:48 +0800 Subject: Crypto-smart-card startup Inside Technologies Message-ID: <199601312256.XAA16802@s2.isicom.fr> > >There's an article in the January 29 _EE Times_ about a French > >cryptographic-smart-card startup called Inside Technologies. > >Tidbits: > > I find it in a way amusing that a country which > have very weird attitude towards use of crypto > (it is not allowed to be used) tries to set > standards and provide new technology.
If they > are that opposing to use of strong encryption > how on earth they can be providing it to others > and get those others to believe there is no > catch in it? The use of encryption is in no way forbidden in France. It just has to be approved beforehand, which up to recently amounted to pretty much the same (-:. But, due to industry pressure, things are changing. Netscape can now market its secure server in France, as well as the export-version browser. I haven't heard of anyone having their PGP approved yet though.. Best, Cedric. From shamrock at netcom.com Wed Jan 31 15:51:31 1996 From: shamrock at netcom.com (Lucky Green) Date: Thu, 1 Feb 1996 07:51:31 +0800 Subject: Noise and the Nature of Mailing Lists Message-ID: At 22:56 1/30/96, Timothy C. May wrote: >And remember, it's a whole lot easier using filters and reading tools to >reduce the volume of messages on an active group than it is to get an >inactive group up to critical mass! That is true. There is a lot of noise on this list, but there also is a lot of signal. My growing killfile is doing a rather fine job of separating the two. The rest can be weeded out manually in very little time. -- Lucky Green PGP encrypted mail preferred. From mclow at owl.csusm.edu Wed Jan 31 15:51:47 1996 From: mclow at owl.csusm.edu (Marshall Clow) Date: Thu, 1 Feb 1996 07:51:47 +0800 Subject: [NOISE] Re: FYR_wal Message-ID: >ok, who wants to help me market my new tunneling router software >called "Chinese Firedrill". I believe it would sell well in China's >black market. > Shouldn't it be called: "The Great Firewall of China"? 
;-) -- Marshall Marshall Clow Aladdin Systems "Eternal vigilance is the price of PostScript" -- MacUser Jan 96 DTP and Graphics column From llurch at networking.stanford.edu Wed Jan 31 15:55:42 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 1 Feb 1996 07:55:42 +0800 Subject: [NOISY] Your own Zundelsite in five minutes or less In-Reply-To: Message-ID: [Actually this is getting relevant again, Perry] On Tue, 30 Jan 1996, Lucky Green wrote: > At 23:07 1/30/96, Rich Graves wrote: > [...] > >> We won't have won until they restore the routes to Webcom. > > > >Here I have trouble with the word "we," and what we're trying to > >accomplish. > > > >Censorship has clearly lost. Germany is simply not going to block > >stanford.edu, cmu.edu, mit.edu, upenn.edu, aol.com, and so on, not to > >mention AFS. > > But they succeeded in blocking Webcom. Until the block is removed, we > haven't won. Do 'we' agree that the block should be removed? Absitively, posilutely yes. But it's going to be a political/bureaucratic decision made by people without Net access or knowledge, which means it will take time. I don't think any more provocation is necessary. Right now, the press even in Germany is inclined to see us as the good guys. Every reader of alt.censorship, soc.culture.german, alt.revisionism, and a number of other groups has known how to access Zundel's writings from inside Germany for two days. I submit that no further penetration is necessary. > >I do not believe that the battle to get people to read and care about > >Zundel himself is ours. > > Amen. I just wished that the people whose names mark some of the milestones > in the fights for our rights (i.e, Miranda, as in Miranda Rights) were > people whose causes I can support. Having seen concentration camps, I can > not possibly sympathize with Mr. Zündel's views. But he still has a right > to free speech. If he loses it, we lose it.
It all comes down to this: > > > First they came for the Communists, > and I didn't speak up, >... > by Rev. Martin Niemoller, 1945. Yup. But Zundel and other Nazis now quote this too, which I find rather offensive. It's a battle over who owns the symbols, in part. OK, probably nobody should own symbols or rhetorical devices. > >I do not want to allow the Nazis to associate themselves with "us." > >Please see article for a little on what > >they're trying to claim credit for. Note they are calling for mirror > >sites nearly three days after they popped up, with no involvement on > >their part whatsoever. > > I can imagine what they wrote. "The world is supporting our cause...." No, > I do not support their cause. I despise their cause. And I still support > their rights. No, it's much worse. They are calling on their followers to establish "censorship-free zones" at major universities. They don't even acknowledge that this was done days ago. And they know --- one of the guys who is now calling for mirror sites, and totally shunning me, is the person who uploaded Zundel's files to my server. They are calling major newspapers in several countries, and Time Magazine, proclaiming their "censorship-free zone" strategy. They are more organized and media-savvy than I am. They are professional liars; "we" are not. I do not expect these news outlets to bother to, or know how to, check whether mirror sites had already popped up before these "demands." I do not expect these news outlets to find out and publicize the fact that it was a couple of cypherpunks who detest Mr. Zundel who came up with the idea the afternoon of January 27th, and handed it to Zundel the next day. -rich From yusuf921 at uidaho.edu Wed Jan 31 16:43:41 1996 From: yusuf921 at uidaho.edu (Syed Yusuf) Date: Thu, 1 Feb 1996 08:43:41 +0800 Subject: PZ a Nazi? 
In-Reply-To: Message-ID: just another smear campaign from the control-freak left, let's let this thread die please :) From sandfort at crl.com Wed Jan 31 16:50:32 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Thu, 1 Feb 1996 08:50:32 +0800 Subject: FYR_wal In-Reply-To: <199601312123.QAA15096@zws388.sc.intel.com> Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Wed, 31 Jan 1996, Corey Minter wrote: > ok, who wants to help me market my new tunneling router software > called "Chinese Firedrill". I believe it would sell well in China's > black market. Ah, how nice it would be to be among the barbarian hordes that breach the Great (Fire)Wall of China! S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From nsb at nsb.fv.com Wed Jan 31 16:51:38 1996 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Thu, 1 Feb 1996 08:51:38 +0800 Subject: Flaw in Netscape rejoinder (was Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards) In-Reply-To: <01BAEF34.AA95ECC0@ploshin.tiac.net> Message-ID: I'm way behind on my email, but someone suggested privately that I should respond to Jeff's mail, so I've bumped it to the top of the queue: Excerpts from mail.cypherpunks: 30-Jan-96 Re: No FV supporters? Jeff Weinstein at netscape. (903*) > I sent a description of an attack against FV based on replacing > or hacking winsock to cypherpunks last night. This attack seems > to meet Borenstein's criteria of being as automated and implementable > on a mass scale as their keyboard snooping attack. So far I have not > seen any response from FV. Sorry for the delay. I don't think your attack against FV works anywhere nearly as well as our attack against software-encrypted credit card numbers, as I'll explain below.
I should also apologize for the fact that I couldn't resist pointing out lots of little problems with your proposed attack, and that I'm responding to your plan in the order you described it. This means that we don't get to the really major flaw in your strategy towards the end, so what comes at first will seem like nitpicking. Excerpts from mail.cypherpunks: 30-Jan-96 Re: FV Demonstrates Fatal F.. Jeff Weinstein at netscape. (2739*) > It would not be much harder than the demonstrated keyboard attack > to create a hacked version of winsock that would implement an > attack against First Virtual. If the attacker had a list of web > pages that accept FV payments it would be very easy to collect > the ID numbers. A list of stores? First of all, this attack is already amazingly focused. Our DLL to implement the attack on credit cards is 16K, and doesn't need to target any specific buyers, sellers, or programs. The more complex the attack & the bigger the software, the more likely it is to be noticed. But this is just a minor nit. Read on. > There is no need to attack the large datastream > of keyboard input when the search can be easily narrowed. Since > FV doesn't use encryption the attack could easily be implemented > in winsock, making it independent of any client software. What's really funny (to me, at least) here and in a lot of other aspects of the cypherpunk reaction to FV is the continuing assumption that the choice of FV vs encryption is an either/or thing. Combine FV's Virtual PIN mechanism with transport encryption and you've indisputably got something that's a LOT safer than just using credit cards with encryption, and a bit safer than our current system, too. But I know, the correct focus here is FV's current system. So read on. At this point in your attack, you skip a step: You don't explain how you correlate the FV ID to email address.
This means that your attack will ONLY work for systems where the user is always using the same PC to web browse and read his mail. In practice, even if this is true 99% of the time, the remaining 1% would probably cause your attack to be detected pretty quickly if deployed on a large, automated scale. But, for the sake of argument, let's imagine that it's true 100% of the time. Read on. > A version > that infected the win95 IP stack could be quite effective. The list > of FV accepting sites would be easily obtainable via a query of > altavista. Since the infected system is on the internet and has > to periodically send its results to the attacker, it could download > an updated list of FV pages at the same time. Seems to me your "not much harder" claim is starting to break down here, with an automated virus spreading itself all over the net and downloading lists from altavista weekly. And the amount of net traffic you're generating may make this attack a lot more quickly detected than ours. (In fact, I imagine that if the folks at AltaVista or Lycos noted thousands of identical searches focused on merchants accepting First Virtual, they'd probably contact us, more out of concern for their own load management than anything else.) But still, read on -- we're finally coming to the good part. > Attacking the e-mail verification step of the FV system could also > be accomplished via a hacked winsock. A bit of POP3 aware code > in the winsock could intercept the verification messages and keep > the e-mail client from ever seeing them. It could automatically > generate "Yes" responses for all such messages. OK, so you're only interested in POP3 mail tools? That's wonderful, but there's also systems that use IMAP, systems that use raw SMTP to locally resident message stores, and many odder things. There's also people who get their mail through AOL, Compuserve, Prodigy, etc. There's people who live on a PC or Mac, but who read mail on a UNIX system (e.g. 
many Delphi and Netcom users). You're not going to catch all of them. Moreover, even if you say "that's fine, we only need some of them", your attack is now dead in the water. Why? Because you have no way of telling, in your attack virus, what kind of technology is going to be used to read mail. This means that your attack will inevitably, and quickly, hit some people who DO receive the mail. Our fraud department will be quickly notified (when the user answers "fraud" to our query, a human sees it right away) and we'll be off to the races, collecting clues. It will be work tracking it down, but we'll have a good shot in identifying the attack and producing a program that helps users spot it on their system (the moral equivalent of an anti-viral program) in less time than it would take you to even suspect that the attack FV outlined had taken place in the world of software-encrypted credit cards. Your attack would be caught by us relatively quickly because our model is based not on a single fail-safe piece of security software, but on *process* security. The overall process is multifaceted, with many checks and balances. What if, for example, I go to someone else's machine and use their web browser to buy something using MY First Virtual ID? Your attack will capture my ID and allow you to try to use it, but the email confirmation will go elsewhere, quite possibly to an uninfected machine. When reproduced on a mass scale, this kind of thing will be noticed pretty fast. In contrast, credit cards are a one-way payment mechanism -- the number (and sometimes some other info typed in close proximity) is basically all you need. Just steal that without getting noticed and the crime is done. > I believe that FV is just as vulnerable to these types of > attacks as any of the encryption based credit card schemes, if > not more so. 
The thing that really protects FV is that it can > only be used to buy bit, not real goods, and the bad guys don't > generally care about stealing bits. This is also what makes FV > not generally useful to people who want to shop over the internet. Actually, you're a bit behind the times. We removed that restriction from our system a couple of months ago. There still aren't many people using our system for physical goods, mostly because of our 91-day fund holding period, but we have gotten the green light from our financial partners to waive that for qualified, established merchants, once we make a few technical changes behind the scenes. The fact is that our original restriction against physical goods was never designed to protect against fraud. Rather, it was a conscious attempt to do two things: 1) bound the risk our bank perceived in being the first bank ever to explicitly agree to handle an Internet-based payment system (this was mid-1994, remember), and 2) to focus the attention of our prospective users on the situations that were in fact reasonably well-suited to an economic model in which consumers had the explicit option of refusing payment. Some of our sellers very quickly realized that no matter what we said, it was straightforward to use our system for physical goods, shipping them only after the consumer said "yes", and we eventually changed our terms and conditions to reflect that reality. The 91 day hold, on the other hand, WAS designed to protect against fraud -- from the *merchant* side, which is why we have no qualms about waiving it for qualified merchants. Now, actually, I want to commend you. This is as close as I've ever seen anyone come to constructing a plausible automated attack on FV. The IP stack is a very clever attack vector, and I honestly can't claim to have anticipated it. However, I do think that the flaw in your approach reinforces my belief in the importance of multi-layered defenses. 
In fact, a multi-layered security strategy is the ONLY defense against vulnerabilities you haven't thought of yet. That's the real reason why ANY scheme based on one-way instruments like credit card numbers is particularly hard to make secure. -- Nathaniel -------- Nathaniel Borenstein Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq at nsb.fv.com From PADGETT at hobbes.orl.mmc.com Wed Jan 31 16:55:18 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Information Security) Date: Thu, 1 Feb 1996 08:55:18 +0800 Subject: Netscape "secure E-Mail" Message-ID: <960131175353.202083b0@hobbes.orl.mmc.com> Vince rites: >Anyway, it should be much easier to use than PGP. Can send PGP encrypted E-Mail from inside Netscape now - highlight/cut/punch Enclyptor "crypt" button/paste. This is difficult ? Read is same except punch "Dec" and notepad pops up with cleartext. Have even read encrypted mail on the VAX with Telnet that way (no, Virginia, the cleartext does not pass on the net). > * Integrated email - Netscape Navigator 2.0 offers full-featured and rich > email capabilities, allowing you to both read and send secure email > messages without launching an external email application. Could do that now with a commerce server - didn't say "encrypted" email, said "secure". Prolly just sends it to port 443 on the secure channel and the server does the SMTP to the internal net. Warmly, Padgett From weld at l0pht.com Wed Jan 31 16:55:51 1996 From: weld at l0pht.com (Weld Pond) Date: Thu, 1 Feb 1996 08:55:51 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards Message-ID: Nathaniel Borenstein wrote: >> Programs needing secure entry create a "secure entry field" which is >> really just an imagemap with the digits (and alphas if required) placed >> randomly about. The user then uses the mouse to click on these numerals. 
>> Ideally the graphics that represent the numerals would be drawn from a >> random pool and are misformed to thwart any OCR attempts. The graphics could >> be made even more difficult to OCR by mixing in words and pictures to >> represent the numbers. >If any particular program for doing this came into widespread use, we >could engineer an attack, similar to our keystroke attack, based on the > specific properties of the approach used. You could try but I don't think you would succeed. I have problems doing OCR on faxes with a top of the line OCR program. Don't tell me your trojan horse is going to be able to OCR images that are designed to be hard to OCR. Here is an example of an imagemap for secure number entry. http://www.l0pht.com/~weld/numbers.html Since this is inherently a visual thing, I thought I would cook up a graphic on the web since you cannot do this via email easily. Weld Pond - weld at l0pht.com - http://www.l0pht.com/ L 0 p h t H e a v y I n d u s t r i e s Technical archives for the people - Bio/Electro/Crypto/Radio L0pht Open House 2/3/96 at 8:00pm - Live on irc #l0pht - write root at l0pht.com for details. From m5 at dev.tivoli.com Wed Jan 31 17:09:31 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Thu, 1 Feb 1996 09:09:31 +0800 Subject: alleged RC2 Message-ID: <9601302334.AA15942@alpha> Not like I have the time or anything, but is there any value in attempting something like "bruterc2"? (IANARC (I am not a real cryptographer), but it looks like one trick to that would be to somehow short-circuit the key setup stage. I suppose you could just start after it's mapped the user key into the "xkey" array, but I might be missing something.) ______c_____________________________________________________________________ Mike M Nally * Tivoli Systems * Austin TX * I want more, I want more, m5 at tivoli.com * m101 at io.com * I want more, I want more ...
*_______________________________ From a-kurtb at microsoft.com Wed Jan 31 17:10:45 1996 From: a-kurtb at microsoft.com (Kurt Buff (Volt Comp)) Date: Thu, 1 Feb 1996 09:10:45 +0800 Subject: [NOISE] Re: FYR_wal Message-ID: perhaps it should, given that it will do about as well for its intended purpose... Kurt ---------- From: Marshall Clow[SMTP:mclow at owl.csusm.edu] Sent: Wednesday, January 31, 1996 14:58 To: Corey Minter Cc: cypherpunks at toad.com Subject: [NOISE] Re: FYR_wal >ok, who wants to help me market my new tunneling router software >called "Chinese Firedrill". I believe it would sell well in China's >black market. > Shouldn't it be called: "The Great Firewall of China"? ;-) -- Marshall Marshall Clow Aladdin Systems "Eternal vigilance is the price of PostScript" -- MacUser Jan 96 DTP and Graphics column From nsb at nsb.fv.com Wed Jan 31 17:13:35 1996 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Thu, 1 Feb 1996 09:13:35 +0800 Subject: No FV supporters? In-Reply-To: <199601310119.RAA29332@infinity.c2.org> Message-ID: Excerpts from mail.cypherpunks: 30-Jan-96 Re: No FV supporters? sameer at c2.org (711*) > Would someone like to implement such a thing? That would be > "the cypherpunk way" of properly debunking FV's claims. As I just explained, I don't think it would be nearly as effective as our attack. But for the record, I must remind everyone on this list of an important line that should not be crossed: Our program *demonstrated* key parts of a comprehensive attack on software-encrypted credit card numbers, but it most carefully did NOT implement those parts of that attack which would facilitate the actual theft and transport of those numbers. If anyone can similarly design and demonstrate a comprehensive attack on FV, that's their affair. 
However, if they don't follow our lead in acting responsibly, and instead choose to unleash their software as a live attack, First Virtual reserves the right to track them down to the best of its abilities and prosecute them to the full extent of the law. That's another important aspect of "process security" or multi-layer security. You take the legalities seriously. -- Nathaniel -------- Nathaniel Borenstein Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq at nsb.fv.com From hallam at w3.org Wed Jan 31 17:16:45 1996 From: hallam at w3.org (hallam at w3.org) Date: Thu, 1 Feb 1996 09:16:45 +0800 Subject: Netscape, CAs, and Verisign In-Reply-To: <199601291523.KAA03337@homeport.org> Message-ID: <9601302350.AA29444@zorch.w3.org> A lot of people seem to misunderstand the Verisign plan, they are not simply looking to be a CA, they are looking to help other people become CAs. There is clearly a useful role for a company to do this. There is also a useful role for two, or more. Question is how can Netscape (or anyone else) _securely_ allow an arbitrary CA's certificate to be used? Certainly the process cannot be automatic. Binding the Verisign public key into the browser may be an undesirable solution, but the problem is to think of a better one. Phill From tcmay at got.net Wed Jan 31 17:18:15 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 1 Feb 1996 09:18:15 +0800 Subject: The FV Problem = A Press Problem Message-ID: At 12:05 AM 1/31/96, sameer wrote: > I agree with your points that the press should write real >articles, and not just swallow press releases. The fact of the matter >though, is that that's what they do, swallow press releases. It's a >sad state of affairs, but that is the state of affairs. > I wouldn't say *all* news is PR controlled, but most of it >is. It's much less work for the reporter when an article just shows up >on their desk and all they have to do is call one or two people for >some fresh quotes.
And I agree with your points, too, Sameer. Like I said, I mean no disrespect to you that you issue press releases in which you interview yourself...it's the form that press releases take, and it's the form that "slides down easily" into a newspaper story. (The form makes it look as though the journalist has conducted the interview and gotten the quotes.) And at least most of Community Connexion's press releases have been about new services being offered, or rewards, etc. And not given vastly more attention than they deserve (as was the case with the FV "discovery"). I really hope this media frenzy with all things related to the Internet will burn itself out. --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From sameer at c2.org Wed Jan 31 17:26:22 1996 From: sameer at c2.org (sameer) Date: Thu, 1 Feb 1996 09:26:22 +0800 Subject: No FV supporters? In-Reply-To: Message-ID: <199601312351.PAA08243@infinity.c2.org> > instead choose to unleash their software as a live attack, First Virtual > reserves the right to track them down to the best of its abilities and > prosecute them to the full extent of the law. Ever heard of remailers, Nathaniel? That aside, I wasn't proposing a full fledged attack that someone would actually use to commit fraud, just an attack which would expose FV for the self-serving FUD-spreaders which they are. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. 
FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From jpp at software.net Wed Jan 31 17:26:36 1996 From: jpp at software.net (John Pettitt) Date: Thu, 1 Feb 1996 09:26:36 +0800 Subject: Flaw in FV process (was FV and Netscape slagging each other off :-) Message-ID: <2.2.32.19960131235757.00d078d8@mail.software.net> At 05:56 PM 1/31/96 -0500, Nathaniel Borenstein wrote about Jeff's attack: >Your attack would be caught by us relatively quickly because our model >is based not on a single fail-safe piece of security software, but on >*process* security. The overall process is multifaceted, with many >checks and balances. Yes this is all fine and good - but your process does not allow for real time delivery of goods. For example: Somebody wants to buy say Microsoft office from me for electronic delivery (yes they have a lot of bandwidth :-). I can authorize a credit card, run it by my fraud screen and start shipping in less than 30 seconds. At this point the transaction is done. In the FV model as I understand it I'd have to ship the software and wait for an approve/deny/fraud from the user. If it's anything but approved I'm SOL, I still have to pay Microsoft for the product but I didn't get paid. Solve that process flaw and I'll add FV support to software.net. John Pettitt, jpp at software.net VP Engineering, CyberSource Corporation, 415 473 3065 "Technology is a way of organizing the universe so that man doesn't have to experience it." - Max Frisch From tony at secapl.com Wed Jan 31 17:33:57 1996 From: tony at secapl.com (Tony Iannotti) Date: Thu, 1 Feb 1996 09:33:57 +0800 Subject: Flaw in Netscape rejoinder (was Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards) In-Reply-To: Message-ID: On Wed, 31 Jan 1996, Nathaniel Borenstein wrote: > choice of FV vs encryption is an either/or thing.
Combine FV's Virtual > PIN mechanism with transport encryption and you've indisputably got > something that's a LOT safer than just using credit cards with > encryption, and a bit safer than our current system, too. But I know, Belt & Suspenders is Good (and you want the best and best tested of both.) I may be being naive, but I think the contest profits all, so as brothers fight ye! ;-) From joe_n_turner at amoco.com Wed Jan 31 17:34:26 1996 From: joe_n_turner at amoco.com (joe_n_turner at amoco.com) Date: Thu, 1 Feb 1996 09:34:26 +0800 Subject: More FUD In-Reply-To: <960131174331.202083b0@hobbes.orl.mmc.com> Message-ID: <199602010014.AA04925@interlock.amoco.com> Author: owner-cypherpunks at unix,sh/dd.RFC-822=owner-cypherpunks\@toad\.com Date: 1/31/96 4:43 PM Your comments intrigued me, but unfortunately I have to disagree with you on several points. >>The degree to which the attack you describe is a threat to online >>commerce depends critically on the degree to which viruses and Trojan >>horse programs can propagate through their potential base of platforms. >Have to interject a comment: even real professionals (which virus writers >are not) have trouble getting software to work on one machine, let alone >all of the different platforms out there. Windows is worse (ever try to >write a .VXD - not easy). Take Michelangelo (please) is a member of a >class of viruses that is very difficult to detect: you have to read one >word at 0:414 from DOS to know something is wrong. "real professionals?" You mean the kind that take meetings to avoid work and leave the office by 5:00? As far as "virus writers" there are relatively few that I would lump into that category, but the ones who do get there are worthy of at least a little respect. Most are of the VCL-cut-and-paste-upload-it-and-see-who-complains variety. I have never written a virtual device driver for windows, but I have written kernel device drivers for Windows NT, and some nifty driver and TSR code for MS-DOS.
I have (and still do) collect viruses. It's been fun, and it also makes me a teeny-tiny bit more employable. >True, in early '92 when [Mich] came out things were more difficult - not >everyone had 640k in their machine so the user actually had to have a clue >how much memory was supposed to be there. Today is there anyone with 512k ? If my memory serves me correctly, by '92 386's were rolling off the assembly lines. Getting extended memory cards was still easy but they were getting more and more scarce as expanded memory became the rage. A lot of people did have 640k. >Detection has *always* been easy, it is removal that is difficult and >*automated* removal that is even more so - know what it takes to determine >that there is a macro that might be a virus in a WORD document ? One bit. >(Of course things are made a bit more difficult by the fact that MicroSoft >considers that bit's location or even its *existence* to be "proprietary" >and requires an NDA before they will discuss it - I refuse to sign it). Maybe you should use WordPerfect instead. >In recent months I have had all sorts of software blow up in Windows. >On this machine alone (a 486DX-100 w 8 Mb of RAM & Win 3.1, 1 Mb SVGA >and nothing special), Reachout 5.0, FTP Onnet 2.0, QEMM 8.0 (Windows Manager), >and several name brand programs have required massage to get to play >together - and these are the programs from people I consider expert at what >they do, in fact each is IMNSHO the best in their class. Solution: Get rid of Windows. Upgrade to '95, NT, or go to Linux, even OS/2. >And you tell me that someone is going to spread a virus on the net that will >capture keystrokes on any machine it hits without anyone noticing ? It is >to laugh (and if they can, they are wasting their time with credit card >numbers). This sounds like a challenge. Is it worth a T-Shirt? [...snip...]
>Not going to say you could not make one machine act that way - that is easy, >not even going to say you won't make a number of machines act that way, but >spread with a virus enough will self-destruct on enough machines that >intelligent people will get suspicious and some will react creatively. Not if it is written properly. A lot of viruses become known only when they drop their payload. Others are just poorly written, no different from a bad software product. >Fact is that the greatest protection the net has is that no two machines are >alike, may even start that way but after six months, no way. Ahhhhh.. but you're wrong. Granted, the underlying strata may be radically different, but I can run an MS-DOS program on a 300 Mhz DEC Alpha (under NT) without any problems (except I couldn't get DOOM to run). There is already a read-only Filesystem driver for Linux that will read NT. Like TCP/IP, the operating systems are going towards interoperability. The big computer companies recognize that they have to compete to survive. No longer can IBM design a machine and lock in their customers to IBM parts, IBM service, and an IBM operating system. > Warmly, > Padgett From tcmay at got.net Wed Jan 31 17:37:38 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 1 Feb 1996 09:37:38 +0800 Subject: [NOISE][CONTEST][FACTS] don't help much, do they? Message-ID: Ontogeny recapitulates phylogeny, as the saying goes. I notice a recent surge in posts that have one or more of the bracketed labels above, presumably in an effort to make the filtering job easier for others. However, this rarely works. For one thing, many of the most noisome posts, in my estimation, lack the [NOISE] label. And many of the posts labelled [NOISE] are actually pretty interesting, to me. Some people go overboard in labelling their own stuff as [NOISE], out of some kind of false modesty. And needless to say, the labels usually propagate into later followups.
(And, shockingly, some people even prepend the followups they make with the [NOISE] label, thus screwing up threading. I saw this fad for labelling over on the Extropians list. It failed then, and will fail now. For one thing, the labels take up valuable "namespace." It is far better that the 30 to 50 characters of namespace be taken up with good, descriptive thread titles. Use labels if you must, but give some thought to how they just become more roadside clutter, conveying no meaning. --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tony at secapl.com Wed Jan 31 17:42:36 1996 From: tony at secapl.com (Tony Iannotti) Date: Thu, 1 Feb 1996 09:42:36 +0800 Subject: Netscape "secure E-Mail" In-Reply-To: <960131175353.202083b0@hobbes.orl.mmc.com> Message-ID: On Wed, 31 Jan 1996, A. Padgett Peterson, P.E. Information Security wrote: > Could do that now with a commerce server - didn't say "encrypted" email, > said "secure". Prolly just sends it to port 443 on the secure channel and > the server does the SMTP to the internal net. When I examine the headers from a PC running any POP client including Netscape, (where the return path is smtp), they show up as originating from the PC's address, whether direct net or dial-up PPP. Wouldn't that indicate that the message is using SMTP not https over the link? (and therefore in fact in the clear unless encrypted in body?) I think the inclusion of the option of the Exchange client is a possible shift of the onus of PEM to MS. 
(frightening thought....) Where are MOSS and SMIME now? From hroller at c2.org Wed Jan 31 18:06:05 1996 From: hroller at c2.org (Hroller Anonymous Remailer) Date: Thu, 1 Feb 1996 10:06:05 +0800 Subject: No Subject Message-ID: <199602010110.RAA21647@infinity.c2.org> At 07:25 PM 1/30/96 -0800, Lucky Green wrote: >>I take it its completely legal to set up a Virus ftp site then? > >AFIK, in the US it is legal to set up a virus ftp site. I don't know if >someone has actually done it. Don't count on it lasting. Some European >countries have already outlawed virus (read knowledge) distribution. Anyone interested in visiting a good virus site should point their browsers to: http://www.xcitement.com/virus/ Quite a good site, really. It hasn't been "Netscape Enhanced" yet, so there are no frames and tables and inline A/V, but it gets the job done. They offer a *lot* of virus source code (almost all of it in x86 assembler) and many related resources. Some highlights of the home page are included below. I would recommend the use of something like WebWhacker, which automagically downloads the contents of a web site to your local system and edits the html files to work correctly from your local web browser. It will allow you to replicate the site quickly and easily, instead of clicking on each of the more than 2500 links one at a time. Hope this helps. If you're interested, better get there quickly. (Of course, it's been up for six months now, so it's likely already withstood a substantial amount of negative response. It may be there to stay.) ---- 8< ---- Welcome to the VIRUS Source Homepage! This page contains several virus code generators, a few mutation engines, over 500 virus source files and over 2,100 executable virus files. This material is being submitted for educational purposes only. Play at you own risk. But have fun! 
The purpose of this page is not to inflame, but to educate, stimulate and confront you with alternative information on the sensitive issue of virus creation and propagation. The only way in which to know the whole of a subject, is by gaining knowledge from every variety of opinion on the subject, and studying all modes in which it can be looked at. Inform yourself by analyzing and studying the source code of actual viruses, read the virus writing & assembly language tutorials. Then consider and examine every variety of opinion on the subject; the anti-virus folks, mainstream society, and most importantly ideas and opinions that are considered radical, reactionary, minority or stigmatized by some other uncomplimentary label. No wise person ever acquired wisdom in any other way... A special note to those of you who would like to see an end to this page: If all humankind minus one were of one opinion, and only one person were of the contrary opinion, humankind would be no more justified in silencing that one person than it, if it had the power, would be justified in silencing humankind... What's New? Last updated on 12/26/95. Message Board Code Generators The 2nd Generation in Virus Creation (46k) Virus Creation Lab (164k) Password: Chiba City Mass-Produced Code Generator (45k) Instant Virus Production Kit (39k) Trojan Horse Construction Kit (18k) German Virus Construction Kit (12k) Mutation Engines Mutation Engine (13k) Mutation Engine Tests (18k) Polymorphic Engine (8k) Visible Mutation Engine (20k) Source Code [A-Z] Executable Files [A-Z] Debug Scripts Over 33 debug script files (184k) Miscellaneous Debug.com based interrupt stripper (3k) V-86 based interrupt stripper (13k) VSUMX507.ZIP (96k) - database of viruses. 
Assembly Language (resources) Virus Writing Tutorials ---- 8< ---- From die at pig.die.com Wed Jan 31 18:11:18 1996 From: die at pig.die.com (Dave Emery) Date: Thu, 1 Feb 1996 10:11:18 +0800 Subject: encrypted cellphones In-Reply-To: Message-ID: <9602010113.AA07886@pig.die.com> Juri Kaljudi wrote: > > On Wed, 31 Jan 1996, Bill Stewart wrote: > > > providers don't. The GSM phones used in much of the world have encryption, > > but it's apparently not very strong. As the A5 algorithm has so far not been publicly disclosed, no one outside of the spook community really knows if it has a backdoor or what computational effort might be involved in brute forcing it. One can certainly suppose that there was a lot of pressure to weaken it, but whether that was accomplished by installing trapdoors or simply by making special purpose hardware brute forcers simple, fast, and cheap is not known. > > I would say GSM security is still better than nothing. The problem is of > course that only the radio link is encrypted, not the connection out into > public telephone network. I have seen news stories about some shady "spy-shop" type companies in England who are selling microwave receivers capable of intercepting and decoding the microwave backhaul links that connect most GSM cell sites to the mobile switching offices. Apparently even some supposedly secure GSM systems use unencrypted backhauls which can be relatively easily intercepted by someone with the right gear from places near enough the towers to have a line of sight view of them. Dave Emery die at die.com From maher at gso.SAIC.COM Wed Jan 31 18:13:34 1996 From: maher at gso.SAIC.COM (Kevin Maher) Date: Thu, 1 Feb 1996 10:13:34 +0800 Subject: Group ratings server (was Re: noise levels) In-Reply-To: <199601312323.SAA05263@universe.digex.net> Message-ID: <9602010118.AA14128@fjolsvid.gso.saic.com> >I have an expansion on this. Why not generalize the problem to create >a group rating system? I do this for myself. 
I hacked elm to accept, display, and update ratings from 0-9, keeping the database in a very simple ascii file (internally it's a hash table). Then I have a script that converts the database into a procmail program, so for me cypherpunks is separated into cps (signal, rated 6-9) cpu (unknown, rated 4-6 or no rating) and cpn (noise, rated 0-4). >This is patterned after a newsgroup collaborative filtering tool I >read a paper on not too long ago. I can't find that reference, but > has an open >architecture design for a ratings server. This was an interesting project. My favorite part was the idea that ratings from people you generally agreed with would be given greater weight. I don't know if they based this on comparing your ratings over a long list of messages, or simply looking up the average rating you gave their posts. I'd be interested in working on the other MUA and majordomo changes you listed, if you're really interested in experimenting with this. Kevin -- Kevin Maher Software Engineer / General-Purpose Computer Geek maher at gso.saic.com Geophysical Systems Operation (619) 458-2167 Science Applications International Corp., San Diego From dlv at bwalk.dm.com Wed Jan 31 18:16:17 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Thu, 1 Feb 1996 10:16:17 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit In-Reply-To: <199601310100.OAA00804@mycroft.actrix.gen.nz> Message-ID: Paul Foley writes: > > 4. Imitate the IBM Christmas exec. Break into someone's site and steal > > their mail aliases file. Now send mail to everyone on their alias list, > > pretending to be them, offering them a cute animation program they can > > install. The animation will happen, but it will also send mail to all > > THEIR aliases (like the Christmas exec) and (unlike that) install our > > malicious snooping software. > > Another trojan horse. 
I'd like to take an exception to this description of the XMAS EXEC, since I too received a copy of it in '87 (but had the smarts not to run it). It didn't break or steal anything. It did 2 things: * Displayed an ASCII Xmas tree; * E-mailed a copy of itself to every e-mail address listed in the database of e-mail aliases. VM/CMS comes with a very convenient, standard, and user-friendly program for keeping track of nicknames, real names, and e-mail addresses, stored in a flat file with tags, which any REXX program can easily read. I had serious doubts that the person who wrote it was malicious. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From feanor at anduin.gondolin.org Wed Jan 31 18:17:32 1996 From: feanor at anduin.gondolin.org (Bryan Strawser) Date: Thu, 1 Feb 1996 10:17:32 +0800 Subject: gondolin.org services are back! Message-ID: <199602010105.UAA01333@anduin.gondolin.org> -----BEGIN PGP SIGNED MESSAGE----- After a bout with InterNIC and multiple DNS problems, I am happy to announce that the remailer/nymserver services located at gondolin.org are back on-line and functioning. Type I/II Remailer: mix at remail.gondolin.org Nymserver: alias at nym.gondolin.org Keys are available via the correct commands and the keyservers. Please contact me with any questions you may have. 
Bryan - -- Bryan Strawser, System/Network Administrator & Postmaster feanor at gondolin.org Gondolin Technologies, Bloomington, Indiana USA -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMRAR1fvQGgQ7UJMZAQHChwQAqdWdLsEN5++NwiR9dya6bBa6K4pISi5N y/8QQSCqFC21Rz1pq9hpvCiuhCHbuLOga1XM/SeGBCIn54nVfu/HYZP4VaFxUxI2 Fy0DAAKQhMlXT3wSMZdQJkkBX+My76sJP5k4PDouA6R/B1BQiOWa60oVfRM3Dbo9 upi27fcc4PU= =MDZQ -----END PGP SIGNATURE----- From steve at miranova.com Wed Jan 31 18:21:37 1996 From: steve at miranova.com (Steven L Baur) Date: Thu, 1 Feb 1996 10:21:37 +0800 Subject: noise levels In-Reply-To: <199601312323.SAA05263@universe.digex.net> Message-ID: >>>>> "Scott" == Scott Brickner writes: Scott> I have an expansion on this. Why not generalize the problem to create Scott> a group rating system? This has already been implemented in the Gnus Newsreader/Mail Agent for Emacs. Gnus uses an open-ended method for scoring articles, and the score files may come from any place you can reach by ftp. -- steve at miranova.com baur Unsolicited commercial e-mail will be proofread for $250/hour. From pmonta at qualcomm.com Wed Jan 31 18:29:02 1996 From: pmonta at qualcomm.com (Peter Monta) Date: Thu, 1 Feb 1996 10:29:02 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards In-Reply-To: Message-ID: <199601292201.OAA00356@mage.qualcomm.com> Nathaniel Borenstein writes: > [ credit card numbers, host security ] Forgive me, but this risk is blindingly obvious and completely nonspecific to credit-card commerce: the same considerations apply to any sensitive data resident on a host. The tone of the article strikes me as alarmist (and self-serving, as it candidly points out). Of course, host security is important, but what is the rationale for panic, given the tools available? Heavens. > NEVER TYPE YOUR CREDIT CARD NUMBER INTO A COMPUTER. Never speak it either. Walls (and audio peripherals) have ears. 
Peter Monta pmonta at qualcomm.com Qualcomm, Inc./Globalstar From nsb at nsb.fv.com Wed Jan 31 18:34:07 1996 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Thu, 1 Feb 1996 10:34:07 +0800 Subject: FV's Borenstein discovers keystroke capture programs! (pictures at 11!) In-Reply-To: <9601292041.AA14422@zip_master2.sbi.com> Message-ID: Well, the mis-conceptions are flying fast and furious. 1. I didn't write the program. 2. It has nothing to do with viruses. No current virus protection program will ever detect this thing, and if you write a program that detects one instantiation of the attack, the program can be easily changed to require a new "detector" program. This means you can only protect against the last attack, not the next one. > I readily admit that there is a larger issue about viruses and > being able to trust your software, but the presentation from FV > of this announcement as a "fatal flaw" in internet commerce is > remarkably disingenuous. They are really saying, "We have the > only safe approach" quietly between the lines. You're twisting our words. We believe it is a truly fatal flaw in those internet commerce schemes that are based on software encryption of credit card numbers. There are several schemes for Internet commerce that are unaffected: -- First Virtual (of course) -- Hardware encryption (e.g. consumer card-swipe machines) -- Smart cards -- Digital cash (unless the tokens are made too easy to recognize) We say this VERY EXPLICITLY in our web pages. We are NOT saying we have the only safe approach. We have one of four safe approaches that we know of. But software encryption of credit card numbers is so easy to circumvent that it is, in practice, useless. (The only threat it really protects against is network-based sniffers, which are harder to write and more traceable than the attack we have just outlined.) > And before pm. says it, this has very little to do with > cryptography. Agreed 100%. I never claimed otherwise. 
It does, however, emphasize the *limits* to the security provided by cryptography, something that cypherpunks are well aware of but that the general public is not aware of. -- Nathaniel From dlv at bwalk.dm.com Wed Jan 31 18:53:14 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Thu, 1 Feb 1996 10:53:14 +0800 Subject: PZ a Nazi? In-Reply-To: Message-ID: Syed Yusuf writes: > just another smear campaign from the control-freak left, let's let this > thread die please :) While I fully agree that this thread deserves to die, in the interests of accuracy I'd like to point out that the paper that libeled PZ is a right-wing Tory rag. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From eb at comsec.com Wed Jan 31 18:54:33 1996 From: eb at comsec.com (Eric Blossom) Date: Thu, 1 Feb 1996 10:54:33 +0800 Subject: encrypted cellphones In-Reply-To: <199601310810.AAA00261@ix10.ix.netcom.com> Message-ID: <199602010122.RAA19810@comsec.com> > Cellphones, of course, can only (usefully) use encryption if the > cellular service provider uses it (i.e. if the end that's listening > to your radio transmission can decode it :-) American cell-phone > providers don't. The GSM phones used in much of the world have encryption, > but it's apparently not very strong. Don't forget the more attractive option: End-to-end. Why leave the plaintext available for the cellular provider? Eric From jonl at well.com Wed Jan 31 18:57:55 1996 From: jonl at well.com (Jon Lebkowsky) Date: Thu, 1 Feb 1996 10:57:55 +0800 Subject: Denning's misleading statements In-Reply-To: Message-ID: <199602010234.SAA25877@well.com> > Excerpts from internet.cypherpunks: 27-Jan-96 Re: Denning's misleading > st.. by Mark Allyn 860-9454 at ally > > I would like to make a suggestion that D. Denning; others > > who are pro-escrow/clipper; and some of you folks here on > > this forum get together for a debate. 
> > > > Ideally, this would be real nice on a TV show such as the > > McNiel Lehrer show on PBS. Barring that, I would think > > that an IRC chat channel could be set up so that they > > could get on line and engage in an on line discussion. > > I doubt that they'd be interested, but if they are, Jon Lebkowsky of > EFF-Austin hosts Electronic Frontiers, a HotWired online discussion > forum, every Thursday night at 10 pm. The subject would fit in nicely > with his discussions; this week he had Steve Jackson, of Steve Jackson > Games. > > I'm sure we could interest him in this. > > -Declan Definitely! I wonder who we could get from the FBI?? -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Jon Lebkowsky http://www.well.com/~jonl Host, Electronic Frontiers Forum, 7PM PST 9PM CST Thursdays at Club Wired Vice President, EFF-Austin =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= From nobody at REPLAY.COM Wed Jan 31 19:09:45 1996 From: nobody at REPLAY.COM (Anonymous) Date: Thu, 1 Feb 1996 11:09:45 +0800 Subject: Message-ID: <199601311815.NAA12336@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMQ+x2ioZzwIn1bdtAQFLvgGArC5EiVmF0J6VZSZnboc9yoTW3eiJXN1M 4L9v0f1tkuoJlC10gX6fRo3SW19vILT4 =LmRK -----END PGP SIGNATURE----- From PADGETT at hobbes.orl.mmc.com Wed Jan 31 19:30:53 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Information Security) Date: Thu, 1 Feb 1996 11:30:53 +0800 Subject: More FUD Message-ID: <960131215755.20206719@hobbes.orl.mmc.com> >"real professionals?" You mean the kind that take meetings to avoid work and >leave the office by 5:00? No, those are managers. (Have better equipment at home anyway 8*). 
>As far as "virus writers" there are relatively few that I would lump >into that category, but the ones who do get there are worthy >of at least a little respect. The ones I know who could, don't. Is considerably harder to write an antivirus program that can account for Zenith ZDOS 3.21 or the original PC-AT BIOS than a virus that blows up if you run it under NW-DOS. >>True, in early '92 when [Mich] came out things were more difficult - not >>everyone had 640k in their machine so the user acurally had to have a clue >>how much memory was supposed to be there. Today is there anyone with 512k ? >If my memory serves me correctly, by '92 386's were rolling off the assembly >lines. You missed my point (and my canary trap). When a Pentium starts up it is in 8086 "real" mode and is limited to the same 1 Mb basic address space (know about the 64k - 16 bytes, is different from 8086/8). What I was referring to was the "640k limit" imposed by 1-2-3 waaaay back when - is stored in Bios data area (0:400) and CMOS. >Maybe you should use WordPerfect instead. Actually I prefer WordStar 7.0. Magazines and the gov like WordPerfect. >Solution: Get rid of Windows. Upgrade to '95, NT, or go to Linux, even OS/2. Have been warped. Have Liniux & FreeBSD. As for Win95, why would I want to degrade my system ? >>And you tell me that someone is going to spread a virus on the net that will >>capture keystrokes on any machine it hits without anyone noticing ? It is >>to laugh (and if they can, they are wasting their time with credit card >>numbers). > This sounds like a challange. Is it worth a T-Shirt? Wasn't a challenge (though getting something to work on a "strange" NCR notebook like mine might be 8*), never saw a BIOS leave dangling interrupts following POST before...) >Not if it is written properly. A lot of viruses become known only when they >drop their payload. Others are just poorly written, no different from a bad >software product. 
It is not that they are written badly, just that most virus writers lack experience and their worldview is narrow - the [Mich] we mentioned - is obvious not that the writer did not know how to handle floppies, rather that all he/she/it/other knew of were either 360k or 1.2 Mb. "Nightfall" writer had apparently never seen a Zenith 248 kit 5 BIOS. Ludwig's LBB boot sector virus will only work under Dos 3.3 because DOS 4-up leaves different values in the registers. >>Fact is that the greatest protection the net has is that no two machines are >>alike, may even start that way but after six months, no way. >Ahhhhh.. but you're wrong. Granted, the underlying strata may be radically >different, but I can run an MS-DOS program on an 300 Mhz DEC Alpha (under NT) >without any problems (except I couldn't get DOOM to run). No, you can get *some* programs to run and on your machine you may get *all* your programs to run. But they will not run on *any* machine. > There is already a >read-only Filesystem driver for Linux that will read NT. Like TCP/IP, the >operating systems are going towards interoperability. Type 7 ? Nothing magic, just different. >The big computer companies recognize that they have to compete to survive. No >longer can IBM design a machine and lock in their customers to IBM parts, IBM >service, and an IBM operating system. Strength from diversity 8*). Meanwhile, back at FV, if someone wants to break it badly enough, they'll buy one (or one of the FV employees) and take it apart at home. No "professional" would attack anything that she/he did not already know how to break. A *real* professional would buy two or three just to see if they were all the same. Is the same problem with the "Sidewinder Challenge" though it did get a lot of print. 
Warmly, Padgett From jya at pipeline.com Wed Jan 31 19:34:52 1996 From: jya at pipeline.com (John Young) Date: Thu, 1 Feb 1996 11:34:52 +0800 Subject: Denning's misleading statements Message-ID: <199602010308.WAA27249@pipe2.nyc.pipeline.com> Responding to msg by jonl at well.com (Jon Lebkowsky) on Wed, 31 Jan 6:34 PM >Definitely! I wonder who we could get from the FBI?? Try for Al Bayse, formerly assistant director of the FBI's Technical Services Division and its long-time senior technology expert. Here's a quote from David Burnham's new book, "Above the Law:" Al Bayse, whom FBI documents suggest has been involved in the Clipper since its inception, was ecstatic about its inception. Shortly before the White House announced the project to reporters, he telephoned the three leading security experts in the academic world -- Dorothy Denning of Georgetown University, Lance Hoffman of George Washington University and Peter Neumann of SRI International -- and informed them that the FBI's problem had been solved. (p. 150) Burnham claims that because Bayse shaped and directed the FBI's investigative technologies from the late 1970s to the mid-1990s he "may well be the nation's single most influential law enforcement official since J. Edgar Hoover." (p. 136) From winn at Infowar.Com Wed Jan 31 19:35:11 1996 From: winn at Infowar.Com (winn at Infowar.Com) Date: Thu, 1 Feb 1996 11:35:11 +0800 Subject: Call for Papers Message-ID: <199602010308.WAA11676@mailhost.IntNet.net> January 31, 1996 Attention: Information Warriors: ***** CALL FOR PAPERS ***** Please feel free to distribute this widely. I first want to thank the thousands of people who have been so incredibly supportive of my work over the last several years, and who have helped the public debate on Information Warfare gain and sustain the momentum we have all created. As a result of the continued interest in the subject, my publisher has asked if I would create a 2nd. 
Edition with substantial updates to the original "Information Warfare" which was published in 1994. I told them that the new revised edition should include much of the thinking that has evolved on the topic in the last couple of years. Believe it or not, they agreed! So, I am asking (begging? :-) for a couple of things. 1. We want to include a comprehensive Appendix "D" to include references and bibliographic information for those already in and for those entering the field. We would greatly appreciate any and all types of references that you feel will be useful for students of Infowar today and in the future. The kinds of material we hope to include are: - Web sites, mailing lists, usenet, etc. - Monographs and their source - Published papers and their source - Books with publisher, author, date, ISDN (oops, ISBN) price and a one sentence commentary. - Global resources on the subject. - Courses (civilian, military, etc.) - Organizations, private and gov't. We will also add a credit/acknowledgments page for all of the Information Warriors who have assisted in this effort. Please supply name, title (or rank) contact info, and affiliation as you want it to appear in the book. (If you don't want your name or affiliation to appear, please so indicate and we will honor your request. (Honest . . . .) Ideally, we will need to have a hard copy of the materials that we reference. PLEASE RESPOND TO BETTY at INFOWAR.COM 2. In order to portray the current thinking of Infowar from its many facets, I am also looking for short commentaries on your particular take on Infowar - and heavens knows there are so many . . . perhaps googols! I would like to include a large number of 500-800 word overviews, or executive summaries of topics of interest to you, comments on my work, or perhaps on the efforts that you or your org are putting into the field. 
I am hoping to find a balance between the civilian viewpoints and military and international ones so that students and readers can see just how much work is occurring in the field. Organizations like AFIWC and DISA (and so on) are invited to submit a similar overview of their efforts in addition to individual submissions. It is not necessary to agree with me (that would be heresy in some cases :-)) but let's be civil about it, OK? The purpose is to get the neurons vibrating and moving the field forward. If you take issue with, or relate to specific items/topics/comments in "Information Warfare" please note page number so we can tie it all together thematically. There will be suffixes to each chapter, and I am hoping that many of the responses will comment on or add to each of the chapters. As for credit, we will list your name, contact info, affiliation etc., along with your particular contribution. With each submission, please just say something like, "I hereby give Winn Schwartau, Interpact, Inc., and Thunders Mouth Press non-exclusive permission to use this work." That keeps the publisher happy and still lets you own your own words. If it's a personal opinion, and not an official one of your organization, a simple disclaimer like, "these are the opinions of the author, and not necessarily those of my organization." We will provide a general suffix disclaimer to that effect anyway. If it is the official view of your org, then please indicate so clearly, so we may make an accurate distinction. If we decide to edit your piece substantively, we will run it back to you for approval before printing. All we will ask is a timely return. To get your brain thinking on the kinds of topics I am looking for: - Civilian Defense - "This is an act of War" - "This is not an act of War" - Infowar as an alternative to conventional conflict. 
- Non-lethal conventional warfare - Enhancing military efficiency with Infowar - PsyOps as Infowar - Hackers: A National Resource Please consider all three Classes of Infowar when deciding what you want to say. Since you only have 500-800 words to say it, I suggest that it be clear, concise and to the point. Controversy is good. But just as good is if your comments are thought provoking and stimulate additional discussion about your subject. For each contribution we accept, (and there will be a lot we will!) we will provide a free copy of the new revised "Information Warfare: Revised Edition" (or whatever they decide to call it.) PLEASE RESPOND TO: BETTY at INFOWAR.COM 3. We have already received a large number of short "pull quotes" of one or two sentences for the cover and inside covers where we give full attribution. If anyone is so inclined, we are looking for a few more that comment on the existing works. PLEASE RESPOND TO BETTY at INFOWAR.COM 4. Robert Steele at ceo at oss.net has agreed to help me pull together a "Who's Who" of Information Warfare. Please supply names, contact information and brief biographies to him at CEO at OSS.NET. Again, I want to thank everyone out there for their support, and I look forward to seeing what everyone has to say. Please send your input to BETTY at INFOWAR.COM no later than February 29, 1996. Feel free to distribute this widely and/or post as you see fit. Winn Schwartau Peace Winn Winn Schwartau - Interpact, Inc. Information Warfare and InfoSec V: 813.393.6600 / F: 813.393.6361 Winn at InfoWar.Com From rsalz at osf.org Wed Jan 31 20:05:13 1996 From: rsalz at osf.org (Rich Salz) Date: Thu, 1 Feb 1996 12:05:13 +0800 Subject: No FV supporters? Message-ID: <9601311805.AA21087@sulphur.osf.org> > if people like Sameer and Rich Salz (e.g., who have reputations > as knowledgeable and aware) are going to trash FV Thanks for the compliment. I never trashed FV or its protocols, as I don't know anything about them. 
I did comment on some of the principles of their principals, however, as this whole brou-ha-ha strikes me as a continuing slide to technical-intellectual dishonesty. /r$ From nobody at REPLAY.COM Wed Jan 31 20:06:59 1996 From: nobody at REPLAY.COM (Anonymous) Date: Thu, 1 Feb 1996 12:06:59 +0800 Subject: GTE and Cylink ATM Crypto Message-ID: <199602010340.EAA16216@utopia.hacktic.nl> GTE & Cylink Team On Encryption For ATM Washington, D.C., 31 January 1996 -- During a press conference last night at Comnet, GTE and Cylink unveiled InfoGuard 100, a jointly developed offering billed as the first encryption system able to work with ATM (asynchronous transfer mode). InfoGuard 100 is meant to provide the security needed to induce business and government to use ATM public networks, said Michael M. Guzelian, GTE's marketing director for broadband systems, speaking at the press conference. GTE is the number one provider of encryption to the federal government, while Cylink holds a 70 percent share of the commercial encryption market, according to Kamy Kavianian, senior product marketing manager at Cylink for SecureWAN. GTE and Cylink will also jointly market the new ATM encryption system. "The deal (for InfoGuard 100) is mutually exclusive, but we don't know anyone else who can do it," noted Jeff Callo, Cylink's director of business development. InfoGuard consists of two main components, according to the officials. An ATM adapter from GTE provides ATM interfaces and cell processing and control functions. Cylink's CIDEC-VHS contributes "high-speed data encryption and decryption," in addition to physical security and "full automated key functions." Kavianian told the journalists that InfoGuard 100 is based on DES encryption. Users of InfoGuard will foil "key exhaustion," a method used for breaking encryption codes, if they "change their codes frequently," Guzelian added. 
Essentially, CIDEC-VHS has turned out to be "the first encryption method fast enough to keep up with ATM," Guzelian maintained. The agreement between Cylink and GTE represents "an excellent example of coopetition," Callo said. -- From EALLENSMITH at ocelot.Rutgers.EDU Wed Jan 31 20:52:07 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Thu, 1 Feb 1996 12:52:07 +0800 Subject: [rant] A thought on filters and the V-Chip Message-ID: <01I0OEXDIYGWA0UO1J@mbcl.rutgers.edu> From: IN%"frissell at panix.com" "Duncan Frissell" 29-JAN-1996 11:02:03.09 >What parents are attempting to do when they restrain their children's access to "sex and drugs and rock and roll" (or Republicanism for that matter) is to mediate their "spiritual" environment to keep them from becoming hardened. They know the kids will grow up, they just want them to grow up in a nice way. ------------------- From what I've seen, kids are better off when they don't see the world through blinders/rose-colored-glasses. For instance, benign neglect is a lot better for children than overprotectiveness... I wish my parents (as much as I love them) had applied it to me, I'd have turned out a lot better. (I am also getting information from multiple psychiatrists and psychologists, including ones who (unlike me) have raised children). ------------------- >Children who listen to Vera Lynn's singing and Cole Porter's songs will end up quite different from those who favor louder, less vocal music. Note that in spite of what liberals might think, fundamentalist christians are less likely to divorce, less likely to report spousal beatings, less likely to kill themselves, and more likely to measure high personal satisfaction ^^^^^^^^^^^^^^^^^^^^^^^^^^ levels on standard psychological tests than are, say, readers of The Nation. 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ------------------- Well, yes, someone with a blind conviction that they're going to someplace nice when they die, confidence that their intolerance is right, and other such ideas tends to have higher personal satisfaction levels. Also, this "personal satisfaction" is overrated... as Jack L. Chalker pointed out, a blade of grass is perfectly happy... even after it's picked. ------------------- >The cypherpunks relevance of all this is that it should soon be possible to create completely mediated environments for ourselves and our children. Through the use of implants and real-time VR processing, it will be possible to edit our "interface" with the Real World such that unpleasant aspects are edited out. We will be able to change the attire, hair, facial expressions, voice, and even smell of those around us to conform to our own esthetic desires. Likewise with our physical surroundings. Safety may discourage making a complete transformation in one's surroundings, but one can certainly soften the edges. --------------------- Sasha's enhanced reality or whatever it was called, yes. The cypherpunk relevance would appear to be more that there should be methods to get true information to kids (and those under repressive governments, which is about the same thing in most families) despite attempts to stop it. Anyone for posting (anonymously) some image viewers and pornographic site locations to one of the k12 groups? -Allen From EALLENSMITH at ocelot.Rutgers.EDU Wed Jan 31 20:52:46 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Thu, 1 Feb 1996 12:52:46 +0800 Subject: Escrowing Viewing and Reading Habits with the Governmen Message-ID: <01I0OF2L9QGAA0UO1J@mbcl.rutgers.edu> From: IN%"trei at process.com" 29-JAN-1996 14:32:19.64 >The general reaction of the library community was, I am glad to say, entirely pro-privacy. -------------------- To their credit, yes. 
One application of this that others may be interested in is that ILL requests (I have been told) come from a library, not from a library's user. Thus, when I made one and got it back from the CIA's lending library (yes, they have one), they didn't know who I was... fortunately, given the book in question. Sort of a lesson for things like sites, et al. If all that someone can tell is that an IP or whatever request came from a particular site, then traffic analysis and other such things are disrupted. One way to do this would be to set up fictional accounts automatically to serve as proxies (relayed to the real account), which would make it impossible for a normal proxy-detector (lack of information or a particular set of information) to filter them out. -Allen From jf_avon at citenet.net Wed Jan 31 21:33:13 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Thu, 1 Feb 1996 13:33:13 +0800 Subject: Nautilus? Message-ID: <9602010508.AB18106@cti02.citenet.net> Hi. I was wondering if some of you ever used Nautilus, if it was good, if it has a backdoor, etc. I am not knowledgeable enough to inspect source by myself. Any comments? Since the topic was probably discussed extensively, feel free to reply to me directly. Regards to all cyphering punks! JFA Why, you might wonder, is it that civil servants never look out through the window in the morning? What would they otherwise occupy themselves with in the afternoon? From nobody at REPLAY.COM Wed Jan 31 21:41:21 1996 From: nobody at REPLAY.COM (Anonymous) Date: Thu, 1 Feb 1996 13:41:21 +0800 Subject: CRAX Mix Rax Message-ID: <199602010519.GAA19612@utopia.hacktic.nl> European Commission Moves To Stamp Out Racism On Internet Brussels, 31 Jan 1996 -- The European Commission (EC) has formed a pan-European group to "encourage the mixing of people of different cultures" from both inside and outside Europe. 
According to EC officials, the first task of the Consultative Commission on Racism and Xenophobia (CRAX), as it is called, will be to investigate and, using legal means, stamp out the current wave of racism on the Internet. In a prepared statement, CRAX said that it hopes that the EC "will take all needed measures to prevent the Internet from becoming a vehicle for the incitement of racist hatred." EC officials are soft-peddling on what legislation they plan to enact to back up the investigations of CRAX. Currently, apart from France and Germany, there is no specific anti-racist legislation. The laws of France and Germany were created in the aftermath of the Second World War in order to prevent the rising of the so-called "Fourth Reich," an extremist group which posts messages on the Internet, as well as running Thule bulletin board systems (BBSs) in Germany. According to EC officials, the Thule BBSs, which first appeared in 1991, started spreading the Neo-Nazi word on the Internet in late 1994, having established themselves as a means of information exchange in Germany and, to a limited extent, in France. As reported previously, the "Thule Network" first came to the public's attention when the January, 1994, issue of Chip magazine (a popular computer monthly in Germany) claimed to have unearthed eight Thule BBSs. According to Chip magazine at the time, "The (Thule) network distributes information on demonstrations and invitations to meetings, addresses for contacting parties and groups, and it reviews and offers books and magazines. One of the mail-boxes contained instructions for producing military explosives and letter bombs. A great deal of space is taken up by 'political discussions' among the users." Thule is Norse or Viking terminology for "top of the world." The Thule Network's name actually derives from the small, elitist 1920s movement which was considered to be the Nazi vanguard. Thule movement leaders included Rudolf Hess. 
Some BBSs on the Thule network have names such as "Wolf Box" and "Resistance," while many Internet messages are signed by people calling themselves "The Wolf," among other names. -- From jimbell at pacifier.com Wed Jan 31 21:47:36 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 1 Feb 1996 13:47:36 +0800 Subject: Crypto-smart-card startup Inside Technologies Message-ID: At 12:30 AM 1/31/96 -0800, Peter Monta wrote: >There's an article in the January 29 _EE Times_ about a French >cryptographic-smart-card startup called Inside Technologies. >Tidbits: > > ..."In public-key cryptography, 512-bit keys are typical and > already vulnerable. So we are looking at 640-bit-long keys > supported by a scalable design." This kind of thing disgusts me. We already know 512-bit keys are weak. As I recall, I was told that 512 bit keys could be cracked in 20,000 MIPS-years. If the ballpark formula holds that adding 10 bits doubles the security, that merely means that 640 bits is 2**(128/10) or 8000 times strong. While obviously better than 512, it is not ENOUGH better to make me confident that this is a long-term secure length. 768 or 1024 bits should be considered the minimum. A deliberate design of 640 bits makes it look like it's intended to be crackable in 5-10 years, much as DES was suspected of a similar design decision in limiting its keylength to 56 bits. From nobody at REPLAY.COM Wed Jan 31 21:48:47 1996 From: nobody at REPLAY.COM (Anonymous) Date: Thu, 1 Feb 1996 13:48:47 +0800 Subject: Online Libel Rules Message-ID: <199602010519.GAA19609@utopia.hacktic.nl> UK - New Rules For Online Libel Called For Wokingham, Bershire, England, 31 January 1996 -- CompuServe, Europe Online, and Microsoft Network (MSN), have banded together to lobby the British Government for a clear definition of the legal rules for online libel. In British law, libel is defined as a defamatory statement. 
Because of the "new" nature of online services, however, online libel is treated as something of a gray area as regard legal issues. In a joint submission to the Lord Chancellor's department, the three online companies claim that online service providers typically cannot control the content of messages that users of their services or the Internet, send. The companies are recommending that the online service provider not be held responsible for libels statements made online, unless the service provider has "reasonable notice" that a libels statement has been transmitted on to its system, and "has the ability and the authority to prevent" its publication, but "fails to do so" within a reasonable time. According to Andrew Gray, European business manager with CompuServe, the Chancellor's Department is currently conducting an extensive review of UK libel law to deal with a number of current problems. Based upon this review, the Government is expected to introduce new libel legislation this spring. "We applaud the Lord Chancellor's Department's efforts to bring the defamation law up to date. We hope that the upcoming legislation will deal effectively with the problem of libel that takes place over an online service or the Internet," Gray explained. Andreas Breijs, manager of Europe Online, meanwhile, said that online services are not like traditional newspapers or magazines. "These services are more like a railway train, where the operator may own the passenger cars, but has no idea what the passengers may be saying to each other, and no way of controlling their conversations," he said. Judy Gibbons, manager of Microsoft's MSN operating in the UK, said that the major online providers work hard to run responsible services. "They should not be penalized for the actions of unrelated individuals who might happen to make libelous statements using their services without the knowledge or consent of the service provider," she said. 
Alistair Kelman, a lawyer specializing in information technology (IT) affairs, said that he was not surprised by the online services' request to the Lord Chancellor's Department, especially given the current situation. "There is no case law on this subject and it is likely that a test case will come sooner, rather than later. The Government is keen on a clarification on the issue, as it is itself publishing a lot of its information on the Internet, in the move towards a more open and IT-relevant Government," he explained. Peter Sommer, an IT security specialist and Fellow of the London School of Economics, said that, far from being just another publishing medium, it was important that people understand that the Internet is very similar to a telephone line. "If I libel someone over the phone, you're not going to involve the telephone company, are you? It's the same with the Internet and some online services. Of course, if the online service has the ability to remove someone's comments and does not do it, then it's a different matter and that is what the definition by the Lord Chancellor's office is all about," he said. -- From pmonta at qualcomm.com Wed Jan 31 22:07:59 1996 From: pmonta at qualcomm.com (Peter Monta) Date: Thu, 1 Feb 1996 14:07:59 +0800 Subject: Crypto-smart-card startup Inside Technologies In-Reply-To: Message-ID: <199602010541.VAA21657@mage.qualcomm.com> jim bell writes: > > [ Inside Technologies ] > > ..."In public-key cryptography, 512-bit keys are typical and > > already vulnerable. So we are looking at 640-bit-long keys > > supported by a scalable design." > > This kind of thing disgusts me. We already know 512-bit keys are weak. As > I recall, I was told that 512 bit keys could be cracked in 20,000 > MIPS-years. If the ballpark formula holds that adding 10 bits doubles the > security, that merely means that 640 bits is 2**(128/10) or 8000 times > strong. 
While obviously better than 512, it is not ENOUGH better to make me > confident that this is a long-term secure length. 768 or 1024 bits should > be considered the minimum. A deliberate design of 640 bits makes it look > like it's intended to be crackable in 5-10 years, much as DES was suspected > of a similar design decision in limiting its keylength to 56 bits. But the "scalable design" presumably means the hardware can deal with a variety of modulus lengths. As you say, they would be short-sighted to make a fixed choice. Peter Monta pmonta at qualcomm.com Qualcomm, Inc./Globalstar From jf_avon at citenet.net Wed Jan 31 22:13:44 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Thu, 1 Feb 1996 14:13:44 +0800 Subject: Active processes monitoring? Message-ID: <9602010555.AA19695@cti02.citenet.net> Hi! I'm running on a first generation 486 ISA 4meg ram Win 3.11 I use realdeal /commercial and wipeswap.exe in an *.bat that launch Win3.11 How can I detect if another process is running on my system? I use MEM /c in a dos window. But is that sufficient? Can a hidden process detect MEM loading and hide itself somehow? Are there others applications like MEM that are not as universal? (here, I guess that such stealth behaviour have to rely on identifying the program being loaded, thus, a less common program has less chance of being fooled) Thanks JFA From ses at tipper.oit.unc.edu Wed Jan 31 22:25:07 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Thu, 1 Feb 1996 14:25:07 +0800 Subject: parallel encryption Message-ID: Ok, so I've got my BeBox and so finally have an SMP of my own again; anyone want to suggest any cool crypto stuff that parallelises well? Rogaways hashs look interesting, and nDES offers an obvious process network for pipelining, but what about things like running multiple interleaved CBC streams in parallel, with each stream starting off from a different IV? 
I can't think of any practical ways of speeding up a single RSA operation, although twice as many processors obviously gives twice the thruput. Simon ------ "GM spent $3.6 billion giving birth to the Saturn, and it doesn't even go supersonic." - Ben Rich, Skunk Works head (75-91) From vin at shore.net Wed Jan 31 22:25:48 1996 From: vin at shore.net (Vin McLellan) Date: Thu, 1 Feb 1996 14:25:48 +0800 Subject: The FV Problem = A Press Problem Message-ID: Mr. Bornenstein's press release ("FV's position on Merc article") was egregiously self-serving and embarrassingly over-inflated. Yet, First Virtual's CC-focused keyboard sniffer ("...a program which completely undermines the security of every known credit card encryption mechanism for Internet commerce") and his postulated widespread stealth attack on unprotected consumer PCs highlighted an obvious -- but oft forgotten, at least in non-CompSec circles -- vulnerability. An encrypted link is only as secure as the CPUs at either end. Not an unimportant consideration as we plunge into Internet commerce; and surely a valid point for one vendor to make, if it suggests unrecognized risks in a competitor's scheme for consumer purchases and payments. Borenstein is handling his inevitable mugging in C'punks with zest and considerable aplomb; even including an apology for submitting his sensationalistic attack on crypto-based competitors to this List. Before folks leap from FV's text to damning the San Jose Mercury New's articles by Simson Garfinkel, however, they should pause and read or maybe re-read Garfinkel's three articles. Mr. Garfinkel is probably the single most technically-literate journalist writing about computer security for mainstream (or trade press) media. 
His Mercury News article is precisely focused on FV's initiative in developing this demo program (a trojan screen saver) and the campaign by the Southern California company to use the demo to illustrate a relatively unguarded aspect of Netscape's SSL-protected credit card transactions, which have been widely touted as the be-all of Network Commerce. It was, as Garfinkel bluntly put it: "a direct attack against the security promised by Netscape Communication Corp.'s popular Netscape Navigator..." Mr. Borenstein later expressed his regret that Garfinkel had cast the story as a competitive attack, but IMNSHO Garfinkle was right on target: the FV campaign was a targeted bombardment of their most prominent competitor. And a campaign it was -- well deserving media attention. FV apparently carted their demo code and attack model back and forth across the country. FV gave presentations to NIST, NSA, the US Treasury, and the White House, according to Garfinkel. The only silly comment in Garfinkel's article was a direct quote from FV's Bornenstein: "One of the things we've heard from people inside government were comments along the line, 'We thought only NSA knew how to do this....'" (And if a world-class CompSec/UNIX expert like Garkinkel wasn't chuckling when he wrote that -- and expecting knowledgeable readers to giggle and grin when they read it -- I'll stew and eat my beaver hat!) The Merc's quotes from independent security experts -- commenting on FV's attack model -- were notably dry and balanced. Yes, the attack and threat vectors were real -- but, noted the American Banker's Association's Kawika Daguio: "It is a classic attack." "I've seen it, and I've seen things like it before," said Mr. Daguio. Nothing new. 
Matt Bishop, the UC prof, also sounded less than awed by FV's creativity: "There is no reason why one could not write a program to monitor keystrokes, look for numbers which look like credit card numbers, and sent them out over the Internet," in an unobtrusive way, to a thief elsewhere. (Prof. Bishop might have had more to say, had he been told it took a FV programmer a _month_ to write a keyboard sniffer optimized for credit card data;-) As a newcomer to this List, I have the impression that C'punks are a little jaded when it comes to mass-market CompSec and ComSec threats -- and perhaps a little rabid when it comes to anyone rash enough to suggest that the first mass-market crypto product (in the hands of naive consumers, with unprotected PCs and poor CompSec habits) may have dangerous procedural vulnerabilities. A little perspective, guys! Crypto from an insecure base has risks that deserve to be highlighted; and credit cards numbers are uniquely negotiable passwords. FV is scare-mongering, sure -- but that's combat marketing. Mr. Borenstein's press release posted in C'punks was chumming with raw bloody beef -- and that was just dumb -- but it was striking how blithely many folks here acknowledged (and immediately dismissed) the threat he described. Nothing wrong with FV trying to slow the bandwagon of a major competitor by drawing attention to vulnerabilities or potential vulnerabilities of their technology in a mass market. This happens a lot -- although most corporate perpetrators try to hide their hand a lot more than FV did, and they generally sound a lot less self-righteous -- but a little brawling is not a bad thing, particularly in IS security. (Some markets, like firewalls, desperately need a little more competitive clarity.) On the other hand, Mr. Borenstein's hyper-inflated presentation of First Virtual's case all but begged for the C'punk lynch mob that has followed him down through several threads on this List. 
If he didn't expect the reception he got, he should fire his PR advisor and get someone who knows how to write without the purple prose and napalm.

Simson Garfinkel and the Mercury News are getting a bad rap from folks caught up in the mob chasing Mr. Borenstein. Read the three articles. The on-line version has a headline that is a bit overwrought ("Program shows ease of stealing credit information") but overall, it's a credible, savvy, and amusing piece of journalism about FV. Quite professional, I'd say.

Suerte, _Vin

Vin McLellan +The Privacy Guild+
53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548
<*><*><*><*><*><*><*><*><*>

From buster at klaine.pp.fi Wed Jan 31 22:26:01 1996
From: buster at klaine.pp.fi (Kari Laine)
Date: Thu, 1 Feb 1996 14:26:01 +0800
Subject: Crypto-smart-card startup Inside Technologies
In-Reply-To: <199601310830.AAA06778@mage.qualcomm.com>
Message-ID:

>There's an article in the January 29 _EE Times_ about a French
>cryptographic-smart-card startup called Inside Technologies.
>Tidbits:

I find it in a way amusing that a country which has a very weird attitude towards the use of crypto (it is not allowed to be used) tries to set standards and provide new technology. If they are that opposed to the use of strong encryption, how on earth can they be providing it to others and get those others to believe there is no catch in it? Maybe it is the difference in internal and foreign policies, but still I suppose a country is supposed to be spying, or sorry, gathering information, on other countries, not on their own people and companies.

Just wondering...
Kari Laine

From ghio at netcom.com Wed Jan 31 22:26:43 1996
From: ghio at netcom.com (Matthew Ghio)
Date: Thu, 1 Feb 1996 14:26:43 +0800
Subject: parallel encryption
In-Reply-To:
Message-ID: <199602010608.WAA03210@myriad>

ses at tipper.oit.unc.edu (Simon Spero) wrote:
> Ok, so I've got my BeBox and so finally have an SMP of my own again;
> anyone want to suggest any cool crypto stuff that parallelises well?
> Rogaways hashs look interesting, and nDES offers an obvious process
> network for pipelining, but what about things like running multiple
> interleaved CBC streams in parallel, with each stream starting off from a
> different IV? I can't think of any practical ways of speeding up a single
> RSA operation, although twice as many processors obviously gives twice
> the thruput.

One way to speed up RSA is to compute the series m^2, m^4, m^8, m^16... on one processor and then multiply together the values for each one bit in the decryption exponent on the other processor. It's only about a 33% speedup tho. The other possibility is to compute the two 'halves' on separate processors when doing decryption. I don't know of any way to parallelize it to more than two processors for encrypting or more than four for decrypting.

Discrete log systems are a bit more interesting in this respect - you can precompute the series g^2, g^4, g^8... (I think cryptolib does this) then the initial parameter in a Diffie-Hellman exchange is simply the product of some elements of that series. The multiplications can be carried out in parallel in a hierarchical fashion which can be completed in O(log(log(m))) time, where m is the modulus (assuming you have enough processors). However, for the second half of the exchange, you can't precompute anything so you are stuck with the same problem as with RSA.
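The two ways of splitting a single RSA private-key operation described in the message above, as an added example (not code from the thread): a squaring stage feeding a multiplying stage, and the two CRT halves run as separate tasks. The key is a constructed toy built from two Mersenne primes, every function name is hypothetical, and Python threads show the task structure here rather than a real speedup.

```python
import queue
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed toy key: two Mersenne primes, far too small for real use.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)


def pipelined_modexp(base, exponent, modulus):
    """Compute base**exponent % modulus with two cooperating stages.

    Stage 1 produces base^(2^i); stage 2 multiplies in the terms whose
    exponent bit is set.  Returns (result, squarings, multiplications).
    """
    nbits = exponent.bit_length()
    squares = queue.Queue(maxsize=16)   # hand-off between the two stages
    done = {"squarings": 0}

    def squarer():
        s = base % modulus
        for i in range(nbits):
            squares.put(s)              # s == base^(2^i) mod modulus
            if i + 1 < nbits:
                s = (s * s) % modulus
                done["squarings"] += 1

    producer = threading.Thread(target=squarer)
    producer.start()
    acc, mults = 1 % modulus, 0
    for i in range(nbits):
        s = squares.get()
        if (exponent >> i) & 1:
            acc = (acc * s) % modulus
            mults += 1
    producer.join()
    return acc, done["squarings"], mults


def crt_decrypt(c, modexp=pow):
    """RSA decryption as two independent half-size exponentiations."""
    dp, dq = D % (P - 1), D % (Q - 1)
    with ThreadPoolExecutor(max_workers=2) as pool:
        half_p = pool.submit(modexp, c % P, dp, P)
        half_q = pool.submit(modexp, c % Q, dq, Q)
        mp, mq = half_p.result(), half_q.result()
    # Garner recombination: the only step that needs both halves.
    h = (pow(Q, -1, P) * (mp - mq)) % P
    return mq + h * Q


def four_way_decrypt(c):
    """Both splits combined: 2 CRT halves x 2 pipeline stages each."""
    def first(b, e, m):
        return pipelined_modexp(b, e, m)[0]
    return crt_decrypt(c, modexp=first)


def critical_path_ratio(exponent):
    """Serial multiply count divided by the pipelined critical path."""
    squarings = exponent.bit_length() - 1
    mults = bin(exponent).count("1")
    return (squarings + mults) / max(squarings, mults)


if __name__ == "__main__":
    msg = int.from_bytes(b"constructed sample", "big")  # constructed input
    c = pow(msg, E, N)
    plain, sq, mu = pipelined_modexp(c, D, N)
    assert plain == crt_decrypt(c) == four_way_decrypt(c) == msg
    print(f"{sq} squarings on stage 1, {mu} multiplications on stage 2")
    print(f"critical-path ratio: {critical_path_ratio(D):.2f}")
```

For a random exponent about half the bits are set, so the pipelined critical path is roughly two thirds of the serial multiply count, in line with the "about 33%" figure in the message.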
From vince at offshore.com.ai Wed Jan 31 22:35:39 1996 From: vince at offshore.com.ai (Vincent Cate) Date: Thu, 1 Feb 1996 14:35:39 +0800 Subject: FV has 91 day lag between sales and payment Message-ID: FV seems to be the only Internet payment mechanism that lets buyers quickly open an account and use their credit card to cover purchases. Anyone know of any others? The FV 90 day lag is their main downside in my opinion (though defaulting to not paying if the customer does not answer email is another problem). So FV does not take any risk at all - and a merchant has to have enough extra capital to let 3 months worth of sales sit at FV. Some ideas for ways that they or someone else could improve on this: 1) reduce the 91 days after a merchant had been a merchant for awhile 2) reduce the 91 days when sales were to long time customers 3) verify customers with letters/phone calls when opening the account and then with digital signature on sales - and give very short clearing time -- Vince ---------- Forwarded message ---------- Date: Wed, 31 Jan 1996 15:11:02 -0800 From: morehelp at fv.com To: vince at offshore.com.ai Subject: <960130/vinc0328078> (Lag between sales and payment?) Your question has been answered by a help operator for FIRST VIRTUAL (TM). The operator assigned to your question is op106 (Christopher Arndt), That operator, or someone consulted by that operator, has provided the following answer to your question: ---------------- Hello, We put an escrow hold on a seller's money for 91 days to protect ourselves from buyer credit card charge backs. We realize this can be inconvenient for some of our sellers, but at this time, that is how the system works. Federal Regulation Z of the Credit Card Regulations entitles credit card holders to a 90 period during which they can charge back any purchase. Though buyers are obligated to return the goods, this does not always happen. 
The credit card company is obligated by federal law to pay the buyer back, and it is the merchant who is left without payment. In our system, because it is First Virtual that has the merchant credit card account, not you, First Virtual is at risk of losing money when your buyers issue charge backs on your sale items. Because we do not conduct any credit checks on a seller, and because any buyer can charge back any charge, if we didn't protect ourselves with this 91 day hold, we could easily fall victim to charge back fraud. But once 90 days have passed, it becomes significantly harder for a buyer to make a charge back. And it is at this point that we feel that the risk of a charge back is sufficiently low that we can deliver your funds to you. We hold your money for 91 days for our protection, but the flip side is that we allow our sellers the freedom of being allowed to sell without having to go through a credit check. Virtually anyone can sell using First Virtual, and this opens up many possibilities for people who otherwise would not be able to sell products through major credit cards over the Internet. Thank you for your interest in First Virtual -- ************************************************************* ...one flew east, one flew west, one flew over the cuckoo's nest... Christopher Arndt First Virtual Holdings carndt at fv.com http://www.fv.com ************************************************************* ---------------- You may communicate further with our operator by replying to this message. If you are unhappy with the service you get from operator op106, you may send mail to "helpescalator at fv.com". Your original question is included at the end of this message. Thank you for using FIRST VIRTUAL! 
From andreas at horten.artcom.de Wed Jan 31 23:01:47 1996 From: andreas at horten.artcom.de (Andreas Bogk) Date: Thu, 1 Feb 1996 15:01:47 +0800 Subject: Authentication of crypto clients In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- >>>>> "Raph" == Raph Levien writes: Raph> The issue is: how does the crypto provider authenticate the Raph> client? If you consider the client to be untrusted software, I'm afraid the answer is probably not at all. Andreas -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAgUBMQ2eeUyjTSyISdw9AQG6RgP+KNg7GbFVvs+L2AxmyWL6rsBBZ8lB7gX9 ZrK7Xros5SclXVmxqIPdlJsl6KqzrTCkk21ZzDsAtbvRCPdaEHouQ2l5tPqMr3BY OQYpL7+hQmq9KHuh6VT8YLYn3JqMMcPevOb922wd2WpC2VlyjrPDY31sEwRizj2q 39UgEI/XMZE= =zaAv -----END PGP SIGNATURE----- From futplex at pseudonym.com Wed Jan 31 23:07:22 1996 From: futplex at pseudonym.com (Futplex) Date: Thu, 1 Feb 1996 15:07:22 +0800 Subject: email anonymity alternatives In-Reply-To: <199602010400.FAA16774@utopia.hacktic.nl> Message-ID: <199602010643.BAA21255@thor.cs.umass.edu> Looks like anonymous FAQ time again.... Anonymous writes: [I added some rational line breaks] > Are anon remailers the only way to send anon email without giving up the > source eventhough an organization has a wealth of dough/technology and > several class B addresses? No. You don't need "a wealth of dough/technology" either. Basically you just need to create packets at a sufficiently low level in the protocol stack. I'd say it's much easier to use a remailer, but then I'm biased. :) > Couldn't they just trick their mail servers Indeed, they can have the mail servers under their control emit pretty much anything. It's nice to be able to launch the packets at a site ostensibly not under your control, though, so the return path will really be cold. > And are nym accounts the only way to receive email without giving up who > the intended recipient of tha mail/news post actually is? 
Well, the sender needs to have some useful encoding of the recipient address. You can hide the address by encrypting it (reply blocks) or you can use an address you don't need to hide (nym accounts, newsgroups and mailing lists). I can't think of any other way to do it right now. Futplex From bofur at alpha.c2.org Wed Jan 31 23:08:54 1996 From: bofur at alpha.c2.org (bofur at alpha.c2.org) Date: Thu, 1 Feb 1996 15:08:54 +0800 Subject: France to push for international net legislation Message-ID: <199602010627.WAA02672@infinity.c2.org> According to radio reports here, the French government has just announced it's intention to pressure the European community to create international laws to control the Internet. This is in the wake of the net publication of a certain book that had been heavily censored in France. Does anyone have any more details - has an actual policy been put forward stating how they intend to control the net? And what do/will the laws cover? Bofur. -------------------------------------------------------------------------- Bofur bofur at alpha.c2.org PGP available from PGP key servers Key fingerprint = 81 0C 8F 88 0A 4F 67 3F ED 52 DE 3C 55 34 26 25 From tcmay at got.net Wed Jan 31 23:12:10 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 1 Feb 1996 15:12:10 +0800 Subject: Questions about Anonymity, and the FAQ Message-ID: At 4:00 AM 2/1/96, Anonymous wrote: >Are anon remailers the only way to send anon email without giving up the >source eventhough an organization has a wealth of dough/technology and >several class B addresses? Couldn't they just trick their mail servers or >would a nslookup/whois defeat that? "Trick the mail servers" is not a cryptographically strong approach...it is just a variant of "security through obscurity." In terms of "work factor" (a measure of the number of bits of protection, and thus the amount of work an opponent has to undertake), the various "Port 25" sorts of hacks are ridiculously easy to break. 
Maybe not for everyone (for example, moi would have no idea how to break it!), but for determined and knowledgeable adversaries, easily breakable. The Chaumian mix, semi-realized in Cypherpunks-style remailers, are the best hope for cryptographic security. >And are nym accounts the only way to receive email without giving up who >the intended recipient of tha mail/news post actually is? No, public message pools are an easy way to do this--it's what I used for my BlackNet experiment. Tell your sender to encrypt to the public key you provide--which isn't your key you usually associate with your true name!--and to post the resulting cyphertext in, say, alt.anonymous.messages. Since only you can read it, but no one knows who is reading the messages in alt.anonymous.messages, the implications are clear. I address many of these issues in my Cyphernomicon FAQ, available in various ways, including the Web URL of "http://www.oberlin.edu/~brchkind/cyphernomicon/". --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From vin at shore.net Wed Jan 31 23:18:39 1996 From: vin at shore.net (Vin McLellan) Date: Thu, 1 Feb 1996 15:18:39 +0800 Subject: The FV Problem = A Press Problem Message-ID: Greg Broiles opined: >NSB's messages have suggested, amongst the fear-mongering, that the real >target of the card-shark publicity campaign is not Joe Consumer but bankers, >investors, and other "big money" folks; people who care about the >large-scale fraud rate of credit card use. True enough. 
Of course, those are the folks who take the weight when credit card sales go sour... or the system is victimized by widespread automated fraud. >While, as Vin McLellan points out, Simson Garfinkel's articles were >technically accurate (modulo the quote from Daguio, where he's quoted as >suggesting an "out of hand" transaction, which is likely either a typo or a >misunderstanding - dollars to donuts he said "out of band"), they also >appeared as part of a marketing process. Actually, the most striking thing about the Garfinkel articles was the degree to which he made the First Virtual marketing/propaganda Campaign against consumer-PC-based credit card encryptors _the focus_ of the Mercury News articles. FV's attack-code demo was overtly presented as a propaganda ploy -- "a direct attack" on Netscape's security model -- by Garfinkel. There was nothing in the Merc text that carried the hysterial pitch of the press release FV posted to C'punks; nothing of the pious Crusade to Save Electronic Commerce that set everyone teeth on edge. FV's Stein and Borenstein were presented as competitive businessmen, out to rough up a competitor who had been getting too much uncritical attention. (The long sidebars on FV's technology are what you'd expect for the Mercury News' coverage of a local SoCal contender.) The Murky News' "Chief Scientist, FV" quote -- Borenstein recalling audiences in the White House, Treasury, etc., who declared, "We thought that only the NSA knew how to do this." -- was absolutely priceless. Everyone who didn't need a ten-page memo to supply the technical and historical context got the giggle. It's the Quote of the Week in Silicon Valley and NoHo. Deftly, with a straight face, Garfinkel left Nathaniel standing there with his pants down, wondering where the draft was coming from. (Mr. Borenstein, no slouch on-line, has faired far better in his give and take among the Cypherpunks -- who in their rabid majority only wanted to lynch him.) 
>....the implication of the Murky News articles, that one [FV] can be >trusted but not the >other.... >It's a shame that Garfinkel didn't spend more time/column space on >suggestions or observations from the independent people he interviewed and >less time on the "hot news - Netscape security broken by a competitor" >angle.... Your observations had me wondering if we read the same articles. My thought: would that all snow jobs were handled by journalists with the same dry perspicacity! >We should, however, learn from what FV did right - they wrote software which >(apparently) had or can have a real political effect. (It seems to have >worked on Garfinkel, anyway). Cypherpunks write code? FV wrote code and got >some attention for their otherwise unexciting message. Now _that's_ a useful and on-target observation. Suerte, _Vin Vin McLellan +The Privacy Guild+ 53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548 <*><*><*><*><*><*><*><*><*> From tcmay at got.net Wed Jan 31 23:35:29 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 1 Feb 1996 15:35:29 +0800 Subject: France to push for international net legislation Message-ID: At 6:27 AM 2/1/96, bofur at alpha.c2.org wrote: >According to radio reports here, the French government has just announced >it's intention to pressure the European community to create >international laws to control the Internet. > >This is in the wake of the net publication of a certain book that had >been heavily censored in France. I guess Declan M. won't be visting France or any of the other EU countries any time soon! --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. 
May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From PADGETT at hobbes.orl.mmc.com Wed Jan 31 23:47:43 1996
From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Thu, 1 Feb 1996 15:47:43 +0800
Subject: More FUD
Message-ID: <960131174331.202083b0@hobbes.orl.mmc.com>

>The degree to which the attack you describe is a threat to online
>commerce depends critically on the degree to which viruses and Trojan
>horse programs can propagate through their potential base of platforms.

Have to interject a comment: even real professionals (which virus writers are not) have trouble getting software to work on one machine, let alone all of the different platforms out there. Windows is worse (ever try to write a .VXD - not easy).

Take Michelangelo (please): it is a member of a class of viruses that is very difficult to detect: you have to read one word at 0:414 from DOS to know something is wrong. True, in early '92 when [Mich] came out things were more difficult - not everyone had 640k in their machine so the user actually had to have a clue how much memory was supposed to be there. Today is there anyone with 512k ?

Detection has *always* been easy, it is removal that is difficult and *automated* removal that is even more so - know what it takes to determine that there is a macro that might be a virus in a WORD document ? One bit. (Of course things are made a bit more difficult by the fact that MicroSoft considers that bit's location or even its *existence* to be "proprietary" and requires an NDA before they will discuss it - I refuse to sign it).

In recent months I have had all sorts of software blow up in Windows.
On this machine alone (a 486DX-100 w 8 Mb of RAM & Win 3.1, 1 Mb SVGA and nothing special), Reachout 5.0, FTP Onnet 2.0, QEMM 8.0 (Windows Manager), and several name brand programs have required massage to get to play together - and these are the programs from people I consider expert at what they do, in fact each is IMNSHO the best in their class. And you tell me that someone is going to spread a virus on the net that will capture keystrokes on any machine it hits without anyone noticing ? It is to laugh (and if they can, they are wasting their time with credit card numbers). (Did I mention that the documentation those signing the M$ NDA have been receiving has been *wrong* ?) Not going to say you could not make one machine act that way - that is easy, not even going to say you won't make a number of machines act that way, but spread with a virus enough will self-destruct on enough machines that intelligent people will get suspicious and some will react creatively. Fact is that the greatest protection the net has is that no two machines are alike, may even start that way but after six months, no way. Warmly, Padgett